1.1  Our Contribution

In this paper, we propose a generic construction of outsider anonymous BEKS from anonymous and weakly robust 3-level hierarchical identity-based encryption (HIBE) and one-time signatures. Informally, outsider anonymity in the BEKS context means that no information about receivers is revealed from ciphertexts when an adversary is allowed to obtain secret keys of outsiders who belong to neither \(S^\ast_0\) nor \(S^\ast_1\), and is allowed to obtain trapdoors of all receivers with the restriction that if the receivers belong to \(S^\ast_0\cup S^\ast_1\), then \(kw\not\in\{kw^\ast_0,kw^\ast_1\}\) where \(kw^\ast_0\) and \(kw^\ast_1\) are challenge keywords. Moreover, the proposed construction considers security against chosen-ciphertext attack (CCA) where an adversary is allowed to access a test oracle. The proposed generic construction provides sublinear-size ciphertext in terms of the number of receivers. Technically, our generic construction can be seen as an extension to the Fazio-Perera generic construction of anonymous broadcast encryption from anonymous and weakly robust IBE [15] and the Boneh et al. generic construction of PEKS from anonymous IBE [1], where we run the Fazio-Perera construction employs on the first-level identity and run the Boneh et al. generic construction on the second-level identity, i.e., a keyword is regarded as a second-level identity. The third level is used for the Canetti-Halevi-Katz (CHK) transformation [30] for providing CCA security. We also introduce weak robustness in the HIBE setting, and demonstrate that the Abdalla et al. generic transformation for providing weak robustness to IBE [31], [32] works for HIBE with an appropriate parameter setting.

Instantiations. We can employ any anonymous HIBE schemes, e.g., HIBE from parings [33]-[35], [41], [42] or from lattices [36], [43]-[45] with a suitable one-time signature scheme. We convert HIBEs to provide weak robustness via the generic construction [31], [32] which is explained in Sect. 3. We explicitly give attractive concrete instantiations of the proposed generic construction from pairings and lattices, respectively, and give comparisons in Table 1.

Table 1  Comparison among multi-receiver variants of PEKS. Auth. stands for Authenticity where a sender secret key is required for encryption as in PAEKS. Let \(U\) be the set of all receivers and \(S\subseteq U\) be a set of receivers specified in the encryption algorithm. We denote \(N=|U|\), \(|S|=N^\prime\leq N\), and \(R=|U|-|S|\). CT, ROM, and STD stand for ciphertext, random oracle model, and standard model, respectively. BDHSE, DLIN, BDHE, DDHI, MSE-DDH, DBDH, BDH, CODH, SXDH, LWE, and NCRHF stand for Bilinear Diffie-Hellman Summation Exponent, Decision LINear, Bilinear Diffie-Hellman Exponentiation, Decisional Diffie-Hellman Inverse, Multi-Sequence of Exponents Diffie-Hellman, Decisional Bilinear Diffie-Hellman, Bilinear Diffie-Hellman, Computational Oracle Diffie-Hellman, Symmetric eXternal Diffie-Hellman, Learning With Errors, and Near-Collision Resistant Hash Functions, respectively. CCA stands for chosen-ciphertext attack in the searchable encryption context where an adversary is allowed to access a test oracle. We omit complexity assumptions for one-time signatures.

For comparison, we instantiated the generic construction of BAEKS [28] from the Qin-Cui-Zheng-Zheng (QCZZ) PAEKS scheme [21] and the Mukherjee PAEKS scheme (i.e., the Mukherjee BAEKS scheme [27] with the single receiver setting) as specified in [28], as pairing-based BAEKS instantiations. We remark that no lattice-based instantiation was given because the Cheng-Meng lattice-based PAEKS scheme [22] was not proven to provide ciphertext anonymity⁷, and thus it was not stated as the building block. Though Yao et al. [26] proposed a lattice-based PAEKS scheme, they did not define consistency which is mandatory to instantiate the generic construction of BAEKS. Thus, we do not consider the Yao et al. scheme as a building block.

CPA Security. Though we focus on CCA security in this paper, BEKS providing outsider CPA anonymity, where no test oracle is defined, can be constructed generically from 2-level anonymous and weakly robust HIBE. Then, we can still employ the Asano et al. HIBE schemes by eliminating the third-level for lattice-based instantiations.

2.1  One-Time Signatures

An one-time signature scheme \({\sf OTS}\) consists of \(({\sf OTS.KeyGen},{\sf OTS.Sign},{\sf OTS.Verify})\). The key generation algorithm \({\sf OTS.KeyGen}\) takes a security parameter \(\lambda\) as input, and outputs a verification key and a signing key \(({\sf vk},{\sf sigk})\). The signing algorithm \({\sf OTS.Sign}\) takes \({\sf sigk}\) and a message \(M\in {\sf SigMspace}\) as input, where \({\sf SigMspace}\) is a signed message space, and outputs a signature \(\sigma\). The verification algorithm \({\sf OTS.Verify}\) takes \({\sf vk}\), \(\sigma\), and \(M\) as input, and outputs 0 or 1. We require the correctness holds where for any \(\lambda\), \(({\sf vk},{\sf sigk})\leftarrow{\sf OTS.KeyGen}(1^\lambda)\), and \(M\in{\sf SigMspace}\), \({\sf OTS.Verify}({\sf vk},{\sf OTS.Sign}({\sf sigk},M),M)=1\) holds. Moreover, we require the strong existential unforgeability against adaptive chosen message attack (sEUF-CMA) holds: Let \({\mathcal A}\) be probabilistic polynomial-time (PPT) adversaries. Here, \(({\sf vk},{\sf sigk})\leftarrow{\sf OTS.KeyGen}(1^\lambda)\), \((\sigma^\ast,M^\ast)\leftarrow{\mathcal A}^{{\sf OTS.Sign}(\cdot)}({\sf vk})\), and \({\mathcal A}\) is allowed to send a message \(M\) to the signing oracle \({\sf OTS.Sign}\) just once that returns \(\sigma\leftarrow{\sf OTS.Sign}({\sf sigk},M)\). We say that \({\sf OTS}\) is sEUF-CMA secure if the advantage \({\sf Adv}_{{\sf OTS},{\mathcal A}}^{\sf sEUF\text{-}CMA}(\lambda) :=\Pr[{\sf OTS.Verify}({\sf vk},\sigma^\ast,M^\ast)=1\wedge (\sigma^\ast,M^\ast)\neq (\sigma,M)]\) is negligible in the security parameter.

2.2  Anonymous 3-Level Hierarchical Identity-Based Encryption

Definition 1. [Syntax of 3-level HIBE]  An HIBE scheme \({\sf HIBE}\) consists of the following five algorithms \(({\sf HIBE.Setup}, {\sf HIBE.KeyGen}, {\sf HIBE.KeyDer}, {\sf HIBE.Enc}, {\sf HIBE.Dec})\) defined as follows. Here, \({\sf Mspace}\) is a message space and \({\sf IDspace}\) is an identity space. A hierarchical identity is denoted as \(({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime})\in{\sf IDspace}\times{\sf IDspace}\times{\sf IDspace}\), and we consider the three-dimension identity only. In our purpose, it is sufficient that the \({\sf HIBE.KeyGen}\) algorithm generates a secret key for a first-level identity \({\sf ID}\) and the \({\sf IBE.Enc}\) algorithm takes a hierarchical identity \(({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime})\) as input.

Correctness. For any security parameter \(\lambda\), \(({\sf MPK},{\sf MSK})\leftarrow{\sf HIBE.Setup}(1^\lambda)\), \({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}\in{\sf IDspace}\), and \(M\in{\sf Mspace}\), \({\sf HIBE.Dec}({\sf MPK},{\sf ct_{HIBE}},{\sf sk}_{{\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}})=M\) holds where \({\sf ct_{HIBE}}\leftarrow{\sf HIBE.Enc}({\sf MPK},({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}), M)\), \({\sf sk}_{\sf ID}\leftarrow{\sf HIBE.KeyGen}({\sf MPK},{\sf MSK},{\sf ID})\), \({\sf sk}_{{\sf ID},{\sf ID}^\prime}\) \(\leftarrow\) \({\sf HIBE.KeyDer}({\sf MPK}, {\sf MSK}, {\sf sk}_{\sf ID}, {\sf ID}^\prime)\), and \({\sf sk}_{{\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}}\leftarrow{\sf HIBE.KeyDer}({\sf MPK},{\sf MSK}, {\sf sk}_{{\sf ID},{\sf ID}^\prime},{\sf ID}^{\prime\prime})\).

Anonymity. Briefly, anonymity means that no information about \(({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime})\) is revealed from a ciphertext \({\sf ct_{HIBE}}\leftarrow{\sf HIBE.Enc}({\sf MPK},({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}),M)\). The formal definition is as follows. We employ a CPA notion here.

Definition 2 (Anonymity).  We define the following experiment.

The key extraction oracle \({\sf HIBE.KeyGen}\) for the first-level identity takes \({\sf ID}\in{\sf IDspace}\) as input, returns \({\sf sk}_{{\sf ID}}\leftarrow{\sf HIBE.KeyGen}({\sf MSK},{\sf ID})\), and updates \(V_1\leftarrow V_1\cup\{{\sf ID}\}\). The key extraction oracle \({\sf HIBE.KeyGen}\) for the two-dimensional hierarchical identities takes \(({\sf ID},{\sf ID}^\prime)\in{\sf IDspace}\times{\sf IDspace}\) as input, computes \({\sf sk}_{{\sf ID}}\leftarrow{\sf HIBE.KeyGen}({\sf MSK},{\sf ID})\), returns \({\sf sk}_{{\sf ID},{\sf ID}^\prime}\leftarrow{\sf HIBE.KeyDer}({\sf MSK},{\sf sk}_{\sf ID},{\sf ID}^\prime)\), and updates \(V_2\leftarrow V_2\cup\{({\sf ID},{\sf ID}^\prime)\}\). The key extraction oracle \({\sf HIBE.KeyGen}\) for the three-dimensional hierarchical identities takes \(({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime})\in{\sf IDspace}\times{\sf IDspace}\times{\sf IDspace}\) as input, computes \({\sf sk}_{{\sf ID}}\leftarrow{\sf HIBE.KeyGen}({\sf MSK},{\sf ID})\), \({\sf sk}_{{\sf ID},{\sf ID}^\prime}\leftarrow{\sf HIBE.KeyDer}({\sf MSK},{\sf sk}_{\sf ID},{\sf ID}^\prime)\), returns \({\sf sk}_{{\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime}}\leftarrow{\sf HIBE.KeyDer}({\sf MSK},{\sf sk}_{{\sf ID},{\sf ID}^\prime},{\sf ID}^{\prime\prime})\), and updates \(V_3\leftarrow V_3\cup\{({\sf ID},{\sf ID}^\prime,{\sf ID}^{\prime\prime})\}\). In the post-challenge phase, the oracle returns \(\bot\) if any prefix of \(({\sf ID}_0,{\sf ID}^\prime_0,{\sf ID}^{\prime\prime}_0)\) or \(({\sf ID}_1,{\sf ID}^\prime_1,{\sf ID}^{\prime\prime}_1)\) is queried. We say that a HIBE scheme \({\sf HIBE}\) is Anon-CPA secure if the advantage \({\sf Adv}_{{\sf HIBE},{\mathcal A}}^{\sf Anon\text{-}CPA}(\lambda) :=|\Pr[{\sf Exp}_{{\sf HIBE},{\mathcal A}}^{{\sf Anon\text{-}CPA}\text{-}0}(\lambda)=1]-\Pr[{\sf Exp}_{{\sf HIBE},{\mathcal A}}^{{\sf Anon\text{-}CPA}\text{-}1}(\lambda)=1]|\) is negligible for all PPT adversaries \({\mathcal A}\) in the security parameter \(\lambda\).

2.3  Complete Subtree Method

We introduce the complete subtree (CS) method [29]. Let \({\sf BT}\) be a binary tree with \(N\) leaves. For a leaf node \(i\), let \({\sf Path}(i)\) be the set of nodes from the leaf to the root. Let \({\sf RSet}\) be the set of revoked leaves and \(R=|{\sf RSet}|\). For non leaf node \(x\), let \(x_{\sf left}\) be the left child of \(x\) and \(x_{\sf right}\) be the right child of \(x\).

We denote \({\sf cover}\leftarrow {\sf CompSubTree}({\sf BT},{\sf RSet})\). \(|{\sf cover}|\) is estimated as \(O(R\log(N/R))\)⁸.

2.4  Previous Generic Constructions

We briefly revisit previous generic constructions as follows.

The Abdalla et al. Generic Construction [52]. Abdalla et al. demonstrated that anonymous IBE implies PEKS. Briefly, a receiver runs \(({\sf MPK},{\sf MSK})\leftarrow {\sf IBE.Setup}(1^\lambda)\) and sets \({\sf MPK}\) as a public key and \({\sf MSK}\) as a secret key. To encrypt a keyword \(kw\), a random plaintext \(R\) is encrypted using a keyword \(kw\) as the identity such that \({\sf ct_{IBE}}\leftarrow{\sf IBE.Enc}({\sf MPK},kw,R)\) and \(({\sf ct_{IBE}},R)\) is a PEKS ciphertext. A trapdoor is a secret key \({\sf td}_{kw}\leftarrow{\sf IBE.KeyGen}({\sf MSK},kw)\). The test algorithm, that takes \(({\sf ct_{IBE}},R)\) and \({\sf td}_{kw}\) as input, outputs 1 if \(R={\sf IBE.Dec}({\sf MPK},{\sf ct_{IBE}},{\sf td}_{kw})\) and 0 otherwise. No information about \(kw\) is revealed from \(({\sf ct_{IBE}},R)\) if the underlying IBE scheme is anonymous. Moreover, if there exists \(kw^\prime\) where \(kw\neq kw^\prime\) and the test algorithm outputs 1 for \({\sf td}_{kw^\prime}\leftarrow{\sf IBE.KeyGen}({\sf MSK},kw^\prime)\) and \(({\sf ct_{IBE}},R)\) where \({\sf ct_{IBE}}\leftarrow{\sf IBE.Enc}({\sf MPK}, kw,R)\) (i.e., no consistency holds), then an algorithm can be constructed that breaks the IND-CPA security of the underlying IBE scheme. That is, the generic construction provides computational consistency.

The Boneh et al. Generic Construction [1]. The Boneh et al. generic construction is almost the same as the Abdalla et al. generic construction, except that \(R\) is fixed as \(0^\lambda\) where \(\lambda\in\mathbb{N}\) is a security parameter. \({\sf ct_{IBE}}\) can be directly regarded as a PEKS ciphertext that reduces the ciphertext size compared to that of the Abdalla et al. generic construction. Abdalla et al. [52] showed that there is an IBE scheme that is anonymous and provides IND-CPA security, but the PEKS scheme obtained via the Boneh et al. generic construction does not provide consistency. Abdalla et al. also demonstrated that the Boneh et al. generic construction provides consistency if the underlying anonymous IBE is weakly robust [31], [32]. Briefly, robustness means that the decryption algorithm outputs \(\bot\) if the corresponding decryption key is not used (See Sect. 3 for details). Abdalla et al. also mentioned that if the underlying IBE scheme is CCA secure in addition to provide weak robustness, then the PEKS scheme converted via the Boneh et al. generic construction is also CCA secure where an adversary is allowed to issue a test query.

The Fazio-Perera Generic Construction [15]. Fazio and Perera proposed a generic construction of anonymous broadcast encryption from anonymous IBE. Because the decryption algorithm does not take the set of receivers \(S\) as input, the underlying anonymous IBE scheme is required to be weakly robust. Let \(U\) be the set of all receivers and \(S\subseteq U\) be a set of receivers specified in the encryption algorithm. We denote \(N=|U|\), \(R=|U|-|S|\), and \(L=\lfloor R\log(N/R) \rfloor\). Moreover, let \(\ell=|{\sf cover}|\) where \({\sf cover}=\{x_1,\ldots,x_\ell\}\) is the set of nodes determined by the CS method. A ciphertext is a set of IBE ciphertexts: \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},x_j,M)\) for \(j=1,2,\ldots,\ell\), and \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},{\sf dummy},\tilde{M})\) for \(j=\ell+1,\ldots,L\) where \(\tilde{M}\xleftarrow{＄}\{0,1\}^{|M|}\) and \({\sf dummy}\) is a dummy identity. The order of ciphertexts is randomized via a random permutation. A receiver decrypts the ciphertext to find an IBE ciphertext whose decryption result is non-\(\bot\). Due to the robustness of the underlying IBE scheme, a receiver can find such a ciphertext if the receiver belongs to the set \(S\) specified in the encryption algorithm. Due to the anonymity of the underlying IBE scheme, no information about identity is revealed from ciphertext in the sense of outsider anonymity. For providing CCA security, CCA secure anonymous IBE and one-time signatures are employed. A verification key \({\sf vk}\) is contained such that \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},x_j,M||{\sf vk})\) for \(j=1,2,\ldots,\ell\), and \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},{\sf dummy},\tilde{M})\) for \(j=\ell+1,\ldots,L\) where \(\tilde{M}\xleftarrow{＄}\{0,1\}^{|M|+|{\sf vk}|}\). A signature \(\sigma\) is generated on \({\sf vk}||\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]}\) and \((\sigma,{\sf vk},\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]})\) is a ciphertext.

• \({\sf BEKS.Setup}\): The setup algorithm takes a security parameter \(\lambda\) and the maximum number of receivers \(N\) as input, and outputs a master public key \({\sf MPK}\) and secret keys \(\{{\sf sk}_{{\sf R}[i]}\}_{i\in[1,N]}\). Here, \({\sf R}\) stands for receiver and \({\sf sk}_{{\sf R}[i]}\) is a secret key of the \(i\)-th receiver.

• \({\sf BEKS.Enc}\): The keyword encryption algorithm takes \({\sf MPK}\), a set of receivers \(S\subseteq U\) where \(|S|=N^\prime\leq N\), and a keyword \(kw\in {\sf KWspace}\) as input, and outputs a ciphertext \({\sf ct_{BEKS}}\).

• \({\sf BEKS.Trapdoor}\): The trapdoor algorithm takes \({\sf MPK}\), \({\sf sk_{R}}\), and a keyword \(kw^\prime\in {\sf KWspace}\) as input, and outputs a trapdoor \({\sf td}_{{\sf R},kw^\prime}\).

• \({\sf BEKS.Test}\): The test algorithm takes \({\sf MPK}\), \({\sf ct_{BEKS}}\) and \({\sf td}_{{\sf R},kw^\prime}\) as input, and outputs 1 or 0.

5.1  A Trivial Construction from IBE and Its Limitation

Before giving the proposed construction, we consider to directly employ the Boneh et al. generic construction of PEKS and discuss its limitation. For the sake of simplicity, we consider CPA security here where no test oracle is defined. Let \({\sf IBE}=({\sf IBE.Setup}, {\sf IBE.KeyGen}, {\sf IBE.Enc}, {\sf IBE.Dec})\) be an IBE scheme. In the Boneh et al. construction, a receiver runs \(({\sf MPK},{\sf MSK})\leftarrow{\sf IBE.Setup}(1^\lambda)\) and \({\sf MSK}\) is used for generating a trapdoor by spesifying a keyword as the identity. Thus, a direct construction is described as follows. The \({\sf BEKS.Setup}\) algorithm runs \(({\sf MPK}_j,{\sf MSK}_j)\leftarrow{\sf IBE.Setup}(1^\lambda)\) for \(j=1,\ldots,N\), and outputs \({\sf MPK}=\{{\sf MPK}_j\}_{j\in[1,N]}\) and \(\{{\sf sk}_{{\sf R}[j]}={\sf MSK}_j\}_{j\in[1,N]}\). The \({\sf BEKS.Enc}\) algorithm, that takes \(S\subseteq U\) where \(|S|=N^\prime\), specifies \({\sf RSet}:=U\setminus S\) and runs \({\sf cover}\leftarrow {\sf CompSubTree}({\sf BT},{\sf RSet})\) where \({\sf cover}=\{x_1,\ldots,x_\ell\}\). Then, the algorithm runs \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK}_j,x_j||kw,0^\lambda)\) for \(j=1,2,\ldots,\ell\), runs \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK}_j,{\sf dummy},\tilde{M})\) for \(j=\ell+1,\ldots,L\) where \(\tilde{M}\xleftarrow{＄}\{0,1\}^\lambda\), and outputs \({\sf ct_{BEKS}}=\{{{\sf ct}_{{\sf IBE},\pi(j)}}\}_{j\in[1,L]}\) where \(\pi:\{1,\ldots,L\}\rightarrow \{1,\ldots,L\}\) is a random permutation. The \({\sf BEKS.Trapdoor}\) algorithm runs \({\sf sk}_{k}\leftarrow{\sf IBE.KeyGen}({\sf MSK}_i,x^\prime_k||kw^\prime)\) for \(k=1,\ldots,h\) where the receiver \(i\) is assigned to the leaf node \(i\) and \({\sf Path}(i)=\{x^\prime_1,\ldots,x^\prime_h\}\). Output \({\sf td}_{{\sf R},kw^\prime}=(i,\{{\sf sk}_k\}_{k\in[1,h]})\). Then, the \({\sf BEKS.Test}\) algorithm, that takes \({\sf MPK}=\{{\sf MPK}_j\}_{j\in[1,N]}\), \({\sf ct_{BEKS}}=\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]}\), and \({\sf td}_{{\sf R},kw^\prime}=(i,\{{\sf sk}_k\}_{k\in[1,h]})\), runs:

If \(i\in S\), then \({\sf cover}\cap {\sf Path}(i)\neq \emptyset\) due to the CS method. Let \(x_j\in {\sf cover}\cap {\sf Path}(i)\). If \(kw=kw^\prime\), then for \({\sf ct_{BEKS}}\ni{\sf ct_{IBE}}\leftarrow{\sf IBE.Enc}({\sf MPK}_i,x_j||kw,0^\lambda)\) and \({\sf td}_{{\sf R},kw^\prime}\ni\{{\sf sk}_k\}_{k\in[1,h]}\ni {\sf sk}\leftarrow{\sf IBE.KeyGen}({\sf sk}_{{\sf R}[i]},x_j||kw^\prime)\), \(0^\lambda\leftarrow {\sf IBE.Dec}({\sf MPK}_i, {\sf ct_{IBE}},{\sf sk})\) holds. Thus, correctness directly holds due to the correctness of the underlying IBE scheme. Since the construction is almost the same as the Fazio-Perera construction, except that a keyword is appended to each node, the construction provides outsider anonymity. Moreover, due to the anonymity of the underlying IBE scheme, no information about keyword is revealed. However, to provide consistency, this construction requires the following robustness: for \({\sf ct_{IBE}}\leftarrow{\sf IBE.Enc}({\sf MPK}_i,{\sf ID},M)\) and \({\sf sk}_{{\sf ID}^\prime}\leftarrow{\sf IBE.KeyGen}({\sf MPK}_j,{\sf MSK}_j,{\sf ID}^\prime)\), \({\sf IBE.Dec}({\sf MPK}_j,{\sf ct_{IBE}},{\sf sk}_{{\sf ID}^\prime})=\bot\) holds if not only the case \({\sf ID}\neq {\sf ID}^\prime\) but also the case \({\sf MPK}_i\neq {\sf MPK}_j\). This robustness across the different master public keys is not directly provided even if the underlying IBE scheme is robust.

5.2  Our Construction

Next, we give the proposed generic construction. To employ a single master public key, we employ \({\sf HIBE}\) in the proposed construction where a keyword is regarded as a second-level identity and a trapdoor is generated by using the key derivation algorithm of the underlying HIBE scheme.

For Providing CCA Security. As mentioned in Sect. 2.4, the Fazio-Perera generic construction provides CCA security (in the broadcast encryption context) if the underlying IBE scheme is CCA secure. Note that they employ a one-time signature scheme in addition to employ IBE because a set of IBE ciphertexts \(\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]}\) is malleable (e.g., by a simple permutation) even if an IBE ciphertext \({{\sf ct}_{{\sf IBE},j}}\) is non-malleable due to the CCA security. That is, a verification key \({\sf vk}\) is contained as \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},x_j,M||{\sf vk})\) for \(j=1,2,\ldots,\ell\), and \({{\sf ct}_{{\sf IBE},j}}\leftarrow{\sf IBE.Enc}({\sf MPK},{\sf dummy},\tilde{M})\) for \(j=\ell+1,\ldots,L\) where \(\tilde{M}\xleftarrow{＄}\{0,1\}^{|M|+|{\sf vk}|}\). A signature \(\sigma\) is generated on \({\sf vk}||\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]}\) and \((\sigma,{\sf vk},\{{{\sf ct}_{{\sf IBE},j}}\}_{j\in[1,L]})\) is a ciphertext.

By using the Fazio-Perera methodology, one direct BEKS construction is: (1) construct a CCA secure 2-level HIBE from 3-level HIBE and one-time signatures via the CHK transformation, (2) convert the 2-level HIBE to be weakly robust, and (3) construct a CCA secure BEKS from the 2-level HIBE and one-time signatures via the Fazio-Perera methodology. However, one-time signatures are employed twice for providing CCA security for HIBE and for BEKS, respectively. For providing more efficient construction, we employ 3-level CPA secure HIBE and one-time signatures and directly construct BEKS that employs one-time signatures once.

The Proposed Generic Construction

If \(i\in S\), then \({\sf cover}\cap {\sf Path}(i)\neq \emptyset\) due to the CS method. Let \(x_j\in {\sf cover}\cap {\sf Path}(i)\). If \(kw=kw^\prime\), then for \({\sf ct_{HIBE}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,(x_j,kw,{\sf vk}),0^\lambda)\) contained in \({\sf ct_{BEKS}}\) and \({\sf sk}\leftarrow{\sf HIBE.KeyGen}({\sf MPK}^\prime, {\sf MSK},x_j)\), \({\sf td}_{{\sf R},kw}\ni{\sf sk}_{kw}\leftarrow{\sf HIBE.KeyDer}({\sf MPK}^\prime,{\sf sk},kw)\), and \({\sf sk}_{kw,{\sf vk}}\leftarrow{\sf HIBE.KeyDer}({\sf MPK}^\prime,{\sf sk}_{kw},{\sf vk})\), \(0^\lambda\leftarrow {\sf HIBE.Dec}({\sf MPK}^\prime,{\sf ct_{HIBE}},{\sf sk}_{kw,{\sf vk}})\) holds. Thus, correctness directly holds due to the correctness of the underlying IBE scheme and one-time signature scheme. We remark that one may require that there exists only one \({{\sf ct}_{{\sf HIBE},j}}\) such that \(0^\lambda\leftarrow {\sf HIBE.Dec}({\sf MPK}^\prime,{{\sf ct}_{{\sf HIBE},j}},{\sf sk}_{k,kw^\prime,{\sf vk}})\) holds for some \(k\in[1,h]\). For example, let a content be also encrypted and the ciphertext be preserved together with \({{\sf ct}_{{\sf HIBE},j}}\). The cloud server returns the \(j\)-th content ciphertext if the test algorithm finds \(j\) where \(0^\lambda\leftarrow {\sf HIBE.Dec}({\sf MPK}^\prime,{{\sf ct}_{{\sf HIBE},j}},{\sf sk}_{k,kw^\prime,{\sf vk}})\) holds. If a different content is chosen according to the receiver, then finding the unique \(j\) is mandatory, and then the \({\sf BEKS.Trapdoor}\) algorithm outputs \(0\) if there exist two or more ciphertexts that the decryption results are \(0^\lambda\). Actually, the proposed construction provides the correctness in this stronger notion when the underlying HIBE scheme is weakly robust. Note that we need to introduce computational correctness in this case.

• For \(j=1,\ldots,\ell_0\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,(x^{(0)}_j,kw^\ast_0,{\sf vk}^\ast),0^\lambda)\).

• For \(j=\ell_0+1,\ldots,L^\ast\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,({\sf dummy},{\sf dummy}^\prime,{\sf vk}^\ast),\tilde{M})\).

• \({\sf Game}^{0}_{t}\) \((t=0,1,\ldots,\ell_0)\): The challenge ciphertext \({\sf ct}^\ast_{\sf BEKS}\) is generated as follows. Set \(\tilde{M}\xleftarrow{＄}\{0,1\}^{\lambda}\). Run \(({\sf vk}^\ast,{\sf sigk}^\ast)\leftarrow{\sf OTS.KeyGen}(1^\lambda)\).
  

  • For \(j=1,\ldots,\ell_0-t\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,(x^{(0)}_j,kw^\ast_0,{\sf vk}^\ast), 0^\lambda)\).

  • For \(j=\ell_0-t+1,\ldots,L^\ast\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,({\sf dummy},{\sf dummy}^\prime,{\sf vk}^\ast),\tilde{M})\).

  
  Run \(\sigma^\ast\leftarrow{\sf OTS.Sign}({\sf sigk}^\ast,\{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L^\ast]})\) and set \({\sf ct}^\ast_{\sf BEKS}=({\sf vk}^\ast,\sigma^\ast,\{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L^\ast]})\).

• \({\sf Game}^{1}_{\ell_1}\): This is the same as \({\sf Game}^{0}_{\ell_0}\). In this game, all HIBE ciphertexts are \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,({\sf dummy},{\sf dummy}^\prime,{\sf vk}^\ast),\tilde{M})\) for all \(j=1,2,\ldots,L^\ast\).

• \({\sf Game}^{1}_{t^\prime}\) \((t^\prime=\ell_1-1,\ldots,1,0)\): The challenge ciphertext \({\sf ct}^\ast_{\sf BEKS}\) is generated as follows. Set \(\tilde{M}\xleftarrow{＄}\{0,1\}^{\lambda}\). Run \(({\sf vk}^\ast,{\sf sigk}^\ast)\leftarrow{\sf OTS.KeyGen}(1^\lambda)\).
  

  • For \(j=1,\ldots,\ell_1-t^\prime\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,(x^{(1)}_j,kw^\ast_1,{\sf vk}^\ast), 0^\lambda)\).

  • For \(j=\ell_1+t^\prime+1,\ldots,L^\ast\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,({\sf dummy},{\sf dummy}^\prime, {\sf vk}^\ast),\tilde{M})\).

  
  Run \(\sigma^\ast\leftarrow{\sf OTS.Sign}({\sf sigk}^\ast,\{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L^\ast]})\) and set \({\sf ct}^\ast_{\sf BEKS}=({\sf vk}^\ast,\sigma^\ast, \{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L^\ast]})\).

• When \({\mathcal A}\) issues a trapdoor query \((i,kw)\), \({\mathcal B}^\prime_t\) sets \({\sf Path}(i)=\{x^\prime_1,\ldots, x^\prime_h\}\). For \(j=1,\ldots,h\), \({\mathcal B}^\prime_t\) sends \((x^\prime_j,kw)\) to \({\mathcal C}\) as a key extraction query. \({\mathcal C}\) runs \({\sf sk}_{j}\leftarrow{\sf HIBE.KeyGen}({\sf MSK}, x^\prime_j)\) and \({\sf sk}^{(i)}_{j,kw}\leftarrow{\sf HIBE.KeyDer}({\sf MPK}^\prime,{\sf sk}_{j},kw)\), and sends \({\sf sk}^{(i)}_{j,kw}\) to \({\mathcal B}^\prime_t\). \({\mathcal B}^\prime_t\) returns \({\sf td}_{{\sf R},kw}=\{{\sf sk}^{(i)}_{j,kw}\}_{j\in[1,h]}\) to \({\mathcal A}\).

• When \({\mathcal A}\) issues a corruption query \(i\), \({\mathcal B}^\prime_t\) sets \({\sf Path}(i)=\{x^\prime_1,\ldots, x^\prime_h\}\). For \(j=1,\ldots,h\), \({\mathcal B}^\prime_t\) sends \(x^\prime_j\) to \({\mathcal C}\) as a key extraction query. \({\mathcal C}\) runs \({\sf sk}_{j}\leftarrow{\sf HIBE.KeyGen}({\sf MSK}, x^\prime_j)\) and sends \({\sf sk}_{j}\) to \({\mathcal B}^\prime_t\). \({\mathcal B}\) returns \({\sf sk}_{{\sf R}[j]}=\{{\sf sk}^{(j)}_{k}\}_{k\in[1,h]}\) to \({\mathcal A}\).

• When \({\mathcal A}\) issues a test query \((i,kw,{\sf ct_{BEKS}})\) such that \({\sf ct_{BEKS}}=({\sf vk},\sigma,\{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L]})\) and \({\sf vk}\neq {\sf vk}^\ast\), \({\mathcal B}^\prime_t\) returns \(0\) if \({\sf OTS.Verify}({\sf vk},\sigma,\{{{\sf ct}_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L]})=0\). Otherwise, \({\mathcal B}^\prime_t\) sets \({\sf Path}(i)=\{x^\prime_1,\ldots, x^\prime_h\}\), and for \(k=1,\ldots,h\), \({\mathcal B}^\prime_t\) sends \((x^\prime_k,kw,{\sf vk})\) to \({\mathcal C}\) as a key extraction query. \({\mathcal C}\) runs \({\sf sk}_{k}\leftarrow{\sf HIBE.KeyGen}({\sf MSK}, x^\prime_k)\), \({\sf sk}^{(i)}_{k,kw}\leftarrow{\sf HIBE.KeyDer}({\sf MPK}^\prime,{\sf sk}_{k},kw)\), and \({\sf sk}^{(i)}_{k,kw,{\sf vk}}\leftarrow{\sf HIBE.KeyDer}({\sf MPK}^\prime,{\sf sk}_{k,kw},{\sf vk})\), and sends \({\sf sk}^{(i)}_{k,kw,{\sf vk}}\) to \({\mathcal B}^\prime_t\). \({\mathcal B}^\prime_t\) responds the test query as follows.

  • For \(k=1\) to \(h\) 

    • ＊  For \(j=1\) to \(L\) 

      • Run \(M\leftarrow {\sf HIBE.Dec}({\sf MPK}^\prime,{{\sf ct}_{{\sf HIBE},j}}, {\sf sk}_{k,kw,{\sf vk}})\).

      • If \(M=0^\lambda\), then return 1. Otherwise, if \(j=L\), break the loop. Otherwise, \(j\leftarrow j+1\).

    • ＊  If \(k=h\), return \(0\). Otherwise, \(k\leftarrow k+1\).

• For \(j=1,\ldots,\ell_0-t\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,(x^{(0)}_j,kw^\ast_0,{\sf vk}^\ast),0^\lambda)\).

• For \(j=\ell_0-t+1\), \({\mathcal B}^\prime_t\) sets \(({\sf ID}_0,{\sf ID}^\prime_0,{\sf ID}^{\prime\prime}_0)=(x^{(0)}_j,kw^\ast_0,{\sf vk}^\ast)\), \(({\sf ID}_1,{\sf ID}^\prime_1,{\sf ID}^{\prime\prime}_1)=({\sf dummy},{\sf dummy}^\prime, {\sf vk}^\ast)\), \(M_0^\ast=0^\lambda\), and \(M^\ast_1=\tilde{M}\), and sends \((({\sf ID}_0,{\sf ID}^\prime_0,{\sf ID}^{\prime\prime}_0),({\sf ID}_1,{\sf ID}^\prime_1,{\sf ID}^{\prime\prime}_1),M_0^\ast,M^\ast_1)\) to \({\mathcal C}\) as the challenge query. \({\mathcal C}\) generates \({\sf ct^\ast_{HIBE}}\leftarrow {\sf HIBE.Enc}({\sf MPK}^\prime,({\sf ID}_b,{\sf ID}^\prime_b,{\sf vk}^\ast),M^\ast_b)\) and sends \({\sf ct^\ast_{HIBE}}\) to \({\mathcal B}^\prime_t\). \({\mathcal B}^\prime_t\) sets \({{\sf ct}_{{\sf HIBE},j}}={\sf ct^\ast_{HIBE}}\).

• For \(j=\ell_0-t+2,\ldots,L^\ast\): Run \({{\sf ct}_{{\sf HIBE},j}}\leftarrow{\sf HIBE.Enc}({\sf MPK}^\prime,({\sf dummy},{\sf dummy}^\prime,{\sf vk}^\ast),\tilde{M})\).

• When \({\mathcal A}\) issues a trapdoor query \((i,kw)\), \({\mathcal B}^\prime_t\) returns \(\bot\) if \(i\in S^\ast_0\cup S^\ast_1\) and \(kw\in\{kw^\ast_0,kw^\ast_1\}\). Otherwise, \({\mathcal B}^\prime_t\) proceeds as in the pre-challenge phase.

• When \({\mathcal A}\) issues a corruption query \(i\), \({\mathcal B}^\prime_t\) returns \(\bot\) if \(i\in S^\ast_0\cup S^\ast_1\). Otherwise, \({\mathcal B}\) proceeds as in the pre-challenge phase.

• When \({\mathcal A}\) issues a test query \((i,kw,{\sf ct_{BEKS}})\) such that \({\sf ct_{BEKS}}=({\sf vk},\sigma,\{{{\sf ct}^\prime_{{\sf HIBE},\pi(j)}}\}_{j\in[1,L]})\), \({\mathcal B}^\prime_t\) returns \(\bot\) if \(i\in S^\ast_0\cup S^\ast_1\) and \({\sf ct_{BEKS}}={\sf ct}^\ast_{\sf BEKS}\). Otherwise, \({\mathcal B}\) proceeds as in the pre-challenge phase.