SECURITY ANALYSIS
We now prove that the proposed scheme is IND-sMID-CCA secure in the random oracle model [36, 37] under the hardness of the Gap-BDH problem [31, 35] defined in Section 2.2 and the semantic security of the symmetric encryption scheme [41].
Theorem 1. In the random oracle model and under the semantic security of the symmetric encryption scheme, assume that an IND-sMID-CCA adversary A has a non-negligible advantage ε against the proposed scheme within running time τ, asking qi queries to the random oracles Hi (i = 0, 1, 2, 3), qe queries to the key extract oracle, and qd queries to the decryption oracle. Then, the Gap-BDH problem can be solved with a non-negligible advantage
ε' ≥ ε − qd/q
within running time
τ' ≤ τ + (q0 + qe)·O(τ1) + (t·q1 + q1·qd)·O(1),
where τ1 is the time to perform a scalar multiplication in G1, t is the number of target identities and qg ≤ t·q1 + q1·qd is the number of queries to the BDDH oracle.
Proof. Suppose that an algorithm B receives a random instance (P, aP, bP, cP) of the Gap-BDH problem, in which P, aP, bP, cP ∈ G1 for unknown a, b, c ∈ Zq*. Algorithm B may make at most qg queries to the BDDH oracle of the Gap-BDH problem.
The task of B is to compute ê(P, P)^{abc} by interacting with the adversary A in the IND-sMID-CCA game presented in Definition 5, with B playing the role of the challenger. The challenger B executes and answers each phase of the IND-sMID-CCA game as follows:
- Phase 1. The adversary A outputs the target identities (ID1, ID2, …, IDt), where t is a positive integer.
- Setup. The challenger B sets Q = aP and Ppub = bP, thereby implicitly fixing the master secret key s = b, which B does not know. Then B selects a secure symmetric encryption scheme with encryption and decryption functions Esk() and Dsk(), where sk is the symmetric key [39]. The challenger B gives Params = {G1, G2, ê, P, Ppub, H0, H1, H2, H3, E, D} to the adversary A, where the hash functions Hi (i = 0, 1, 2, 3) are random oracles controlled by B. To answer A's hash queries, B maintains initially empty lists Li (i = 0, 1, 2, 3) that record the values assigned to Hi (i = 0, 1, 2, 3), respectively.
• H0 query. Upon receiving this query with IDj, the challenger B first scans the list L0 to check whether IDj was already defined in L0. If so, the previously defined value is returned to A. Otherwise, B performs the following tasks:
(1) Select a random value uj ∈ Zq*.
(2) If IDj = IDi for some i ∈ {1, …, t}, then compute QIDj = uj·Q ∈ G1 (so that QIDj = uj·aP); otherwise compute QIDj = uj·P ∈ G1.
(3) Insert the tuple (IDj, uj, QIDj) into the list L0. Then, the challenger B returns QIDj to A.
• H1 query. Upon receiving this query with Xj ∈ G2 for some j ∈ [1, q1], the challenger B first scans the list L1 to check whether Xj was already defined in L1. If so, the previously defined value is returned to A. Otherwise, B queries the BDDH oracle on (P, QIDi, Ppub, cP, Xj) for i = 1, 2, …, t, where QIDi = ui·Q ∈ G1 is obtained by issuing an H0 query on IDi. If the oracle returns 1 for some i, then Xj = ê(QIDi, Ppub)^c = ê(ui·aP, bP)^c = ê(P, P)^{ui·abc}, so B outputs (Xj)^{ui^{-1}} = ê(P, P)^{abc} (with ui^{-1} the inverse of ui modulo q) and terminates the game, because it has solved the Gap-BDH instance. Otherwise, B selects a random value xj ∈ Zq*, inserts the tuple (Xj, xj) into the list L1, and returns xj to the adversary A.
• H2 query. When an element kj ∈ Zq* is submitted to the H2 oracle for some j ∈ [1, q2], the challenger B first scans the list L2 to check whether kj was already defined in L2. If so, the previously defined value is returned to A. Otherwise, B randomly picks a bit string wj ∈ {0,1}^w, inserts the tuple (kj, wj) into the list L2, and returns wj to the adversary A.
• H3 query. When a tuple <mj, kj, cj,0, cj,1, …, cj,t-1, Uj, Vj> is submitted to the H3 oracle for some j ∈ [1, q3], B scans the list L3 to check whether the tuple was already defined in L3. If so, the previously defined value is returned to A. Otherwise, B selects a random value in Zq*, denoted σj, inserts the tuple <mj, kj, cj,0, cj,1, …, cj,t-1, Uj, Vj, σj> into the list L3, and returns σj to the adversary A.
- Phase 2. In this phase, the adversary A makes a number of key extract and decryption queries, which B answers as follows.
• Key extract query. Upon receiving this query with IDj ≠ IDi for all i ∈ {1, 2, …, t}, the challenger B first scans the list L0 to check whether a tuple (IDj, uj, QIDj) was already defined in L0. If so, B computes DIDj = uj·Ppub. Otherwise, B randomly selects a value uj ∈ Zq*, computes QIDj = uj·P and DIDj = uj·Ppub, and inserts the tuple (IDj, uj, QIDj) into the list L0. Finally, B returns DIDj to the adversary A.
• Decryption query. The adversary A issues decryption queries for target identities, denoted by (Cj, IDi) for some i ∈ {1, 2, …, t}, where Cj = <(cj,0, cj,1, …, cj,t-1), Uj, Vj, σj>. Note that the values of the hash functions used here are the ones assigned when answering A's hash queries. Upon receiving the decryption query, the challenger B performs the following tasks:
(1) Use <(cj,0, cj,1, …, cj,t-1), Uj, Vj, σj> to scan the list L3. If no matching tuple is found, B returns “failure” and halts. Otherwise, B obtains (mj, kj) from the matching tuple in L3.
(2) Set the polynomial f(x) of degree t as f(x) = cj,0 + cj,1·x + … + cj,t-1·x^{t-1} + x^t.
(3) Use IDi to pick the tuple (IDi, ui, QIDi) from the list L0 to obtain ui and QIDi.
(4) For l = 1, …, q1, do the following:
(i) Pick the tuple (Xl, xl) from the list L1.
(ii) Check, using the BDDH oracle, whether (P, QIDi, Ppub, Uj, Xl) is a valid BDDH tuple, i.e. whether Xl = ê(DIDi, Uj), the value that the legitimate receiver IDi would hash with H1. B needs the oracle for this because DIDi = s·QIDi is unknown to it.
(5) If the check in step (4) holds for some l, compute kl = f(xl) and ml = D_{H2(kl)}(Vj).
(6) Test whether ml = mj. If it holds, return mj to the adversary A. Otherwise, return “failure” and halt; this case means that the adversary A did not follow the proposed scheme to generate a valid ciphertext.
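As an added worked example (not code from the paper), the polynomial part of the decryption simulation, steps (2), (5) and (6) above, carried out in plain modular arithmetic. It assumes that the sender builds f(x) = ∏(x − xi) + k mod q, which is what makes kl = f(xl) recover the session key at every receiver point and is the construction the decryption step requires; the prime Q, the hash H2 (SHA-256), the symmetric scheme E/D (a SHA-256 keystream XOR) and all inputs are constructed stand-ins, and the BDDH-oracle check of step (4) is replaced by handing the simulator a list of candidate H1 outputs.

```python
"""
Polynomial key hiding behind steps (2), (5) and (6) of the decryption simulation.
Added example, not the paper's code. Assumed construction (not stated on this
page): f(x) = prod_i (x - x_i) + k (mod q), so f(x_i) = k at every receiver
point x_i = H1(...) while the ciphertext carries only c_0..c_{t-1}; the leading
coefficient of x^t is 1, matching the polynomial in step (2).
Q, H2 (SHA-256) and the symmetric scheme (SHA-256 keystream XOR) are toy stand-ins.
"""
import hashlib

Q = 2**61 - 1  # toy prime standing in for the group order q (constructed choice)


def poly_mul(a, b):
    """Product of two coefficient lists (lowest degree first), reduced mod Q."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % Q
    return out


def hide_key(points, k):
    """Coefficients c_0..c_{t-1} of f(x) = prod(x - x_i) + k; the monic x^t term is implicit."""
    f = [1]
    for x_i in points:
        f = poly_mul(f, [(-x_i) % Q, 1])  # multiply by (x - x_i)
    f[0] = (f[0] + k) % Q                 # the constant term absorbs the key
    return f[:-1]                         # drop the leading coefficient 1


def eval_f(coeffs, x):
    """f(x) = c_0 + c_1 x + ... + c_{t-1} x^{t-1} + x^t mod Q, by Horner's rule."""
    acc = 1                               # start from the implicit leading 1
    for c in reversed(coeffs):
        acc = (acc * x + c) % Q
    return acc


def h2(k):
    """Toy H2: derive a 32-byte symmetric key sk from k in Z_q."""
    return hashlib.sha256(b"H2|" + k.to_bytes(8, "big")).digest()


def sym(sk, data):
    """Toy E_sk / D_sk: XOR with a SHA-256 keystream (the same map in both directions)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(hashlib.sha256(sk + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(d ^ s for d, s in zip(data, stream))


def decrypt_sim(coeffs, V, candidate_points, m_from_L3):
    """
    Steps (4)-(6) of the simulated decryption oracle. The BDDH check of step (4)
    is replaced by trying each candidate x_l the caller hands in (the entries of
    L1): recover k_l = f(x_l), derive sk = H2(k_l), decrypt V and compare with the
    plaintext m_j recorded in L3. Returns the plaintext on success, None on "failure".
    """
    for x_l in candidate_points:
        k_l = eval_f(coeffs, x_l)
        m_l = sym(h2(k_l), V)
        if m_l == m_from_L3:
            return m_l
    return None


def demo():
    """Constructed walk-through with t = 3 receivers: one honest query, one with no receiver point in L1."""
    receivers = [12345, 67890, 424242]   # constructed H1 outputs x_1, x_2, x_3
    k = 987654321                         # constructed session key k
    coeffs = hide_key(receivers, k)       # c_0, c_1, c_2 of the degree-3 polynomial
    m = b"multi-receiver plaintext"
    V = sym(h2(k), m)                     # V = E_{H2(k)}(m)
    honest = decrypt_sim(coeffs, V, [11, receivers[1]], m)   # L1 contains a receiver point
    forged = decrypt_sim(coeffs, V, [11, 22], m)             # no receiver point: "failure"
    return coeffs, honest, forged


if __name__ == "__main__":
    c, ok, bad = demo()
    print(len(c), ok, bad)
```

Evaluating f at a point that is not one of the xi yields ∏(x − xi) + k, so the derived symmetric key is wrong and the recovered ml never matches the mj stored in L3; this is exactly why the simulator can answer “failure” in step (6) without ever knowing a receiver's private key.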
- Challenge. The adversary A outputs a target plaintext pair (m0, m1). Upon receiving (m0, m1), the challenger B randomly chooses β ∈ {0, 1} and performs the following tasks. Note that the values of the hash functions used here are the ones assigned when answering A's hash queries.
- Phase 3. The adversary A makes a number of key extract queries and decryption queries as in Phase 2, with the restriction that A is not allowed to issue the target ciphertext C* as a decryption query.
- Guess. The adversary A outputs its guess β' ∈ {0, 1} and wins the game if β' = β.
In the simulation above, the challenger B simulates the hash functions Hi (i = 0, 1, 2, 3) as random oracles, since every fresh query is answered with an independent, uniformly random value. Meanwhile, the secret key DIDj associated with each IDj ≠ IDi created in a key extract query is distributed exactly as in the real attack, because DIDj = uj·Ppub = uj·s·P = s·uj·P = s·H0(IDj), where s = b is the master secret key implicitly fixed by Ppub = bP. Thus B perfectly simulates the key extract queries in Phases 2 and 3.
In the following, we assess the challenger B's advantage. When handling a decryption query, if <(cj,0, cj,1, …, cj,t-1), Uj, Vj, σj> cannot be found in L3, B returns “failure” and halts. This happens only if the adversary A guessed a correct output value of the random oracle H3 without querying it; since H3 outputs are uniform in Zq* and there are qd decryption queries, the failure probability of B is at most qd/q. If the adversary A wins the IND-sMID-CCA game with non-negligible advantage ε, then B has, with non-negligible probability, received an H1 query with some Xj as input for which one of the BDDH oracle queries (P, QIDi, Ppub, cP, Xj), i = 1, …, t, returns 1: until A queries H1 on the value ê(QIDi, Ppub)^c associated with the target ciphertext, the symmetric key H2(k) is independent of A's view, and by the semantic security of the symmetric encryption scheme A would then have only a negligible advantage. As in the H1 queries, B then obtains (Xj)^{ui^{-1}} = ê(P, P)^{abc}, where (IDi, ui, QIDi) is taken from L0. Hence, if the IND-sMID-CCA adversary A has a non-negligible advantage ε against the proposed scheme, the Gap-BDH problem can be solved with a non-negligible advantage
ε' ≥ ε − qd/q.
Finally, for answering the queries in the simulation above, the required computation time is τ' ≤ τ + (q0 + qe)·O(τ1) + (t·q1 + q1·qd)·O(1), where τ1 is the time to perform a scalar multiplication in G1 (each H0 query and each key extract query performs O(1) of them), t is the number of target identities and qg ≤ t·q1 + q1·qd is the maximum number of queries to the BDDH oracle (t per H1 query and at most q1 per decryption query).
5.2 Receiver anonymity
Under the hardness of the Gap-BDH problem [31, 35] and the semantic security of the symmetric encryption scheme [41], we prove that the proposed scheme is ANON-IND-sID-CCA secure in the random oracle model [36, 37].
Theorem 2. In the random oracle model and under the semantic security of the symmetric