IDENTITY-BASED KEY AGGREGATE CRYPTOSYSTEM FROM MULTILINEAR MAPS

. A key-aggregate cryptosystem (KAC) is the dual of the well-known notion of broadcast encryption (BE). In KAC, each plaintext message is en- crypted with respect to some identity, and a single aggregate key can be generated for any arbitrary subset S of identities, such that any ciphertext des- ignated for any identity in S can be decrypted using this aggregate key. A KAC scheme is said to be eﬃcient if all public parameters, ciphertexts and ag- gregate keys have polynomial overhead, and can be generated using poly-time algorithms.AKAC scheme is said to be identity-based if remains eﬃcient even when the number of unique identities supported by the system is exponential in the security parameter λ . Unfortunately, existing KAC constructions do not satisfy this property. In particular, adopting these constructions to the identity-based setting leads to public parameters with exponential overhead. In this paper, we propose new identity-based KAC constructions using mul- tilinear maps that are secure in the generic multilinear map model, and are fully collusion resistant against any number of colluding parties. Our ﬁrst construction is based on asymmetric multilinear maps, with a poly-logarithmic overhead for the public parameters, and a constant overhead for the ciphertexts and aggregate keys. Our second construction is based on the more generalized symmetric multilinear maps, and oﬀers tighter security bounds in the generic multilinear map model. This construction has a poly-logarithmic overhead for the public parameters and the ciphertexts, while the overhead for the aggregate keys is still constant.


Introduction
A key-aggregate cryptosystem (KAC), introduced by Chu et al. in [7] and studied subsequently in [17,18], is the dual of the well-known cryptographic notion of broadcast encryption (BE) [2]. KAC schemes have a number of different real-life applications, most notably in the context of selectively sharing encrypted data among multiple recipients in a cloud-based environment.
In BE, a broadcaster encrypts a single message for some subset S of users who are listening on a broadcast channel. Each user is associated with a unique identity, and can use his private key to decrypt the broadcast ciphertext. However, even if all users outside of S collude, they can obtain no information about the contents of the broadcast. Such a BE scheme is said to be collusion resistant.
In KAC, each plaintext message is encrypted with respect to an individual identity, and a single aggregate key can be generated for any arbitrary subset S of identities, such that any ciphertext designated for any identity in S can be decrypted using this aggregate key. The notion of collusion-resistance in the context of KAC is defined as follows: consider any collection of decryptors that have access to decryption keys for all identities outside S, but not for any identity in S; a KAC scheme is said to be collusion-resistant if such a collection of decryptors can obtain no information about the message underlying any ciphertext designated for any identity in S.
Identity-Based KAC. A KAC scheme is said to be efficient if all public parameters, ciphertexts and aggregate keys have polynomial overhead, and can be generated using poly-time algorithms. A KAC scheme is said to be identity-based if remains efficient even when the number N of unique identities is exponential in the security parameter λ.
Unfortunately, existing KAC constructions [7,17,18] do not satisfy this property. In particular, these constructions have public parameters with overhead linear in the number of supported identities N . In other words, adopting these constructions to the identity-based setting leads to public parameters woth exponential overhead. This motivates us to design new constructions for KAC that are identity-based.
Our Contributions. In this paper, we propose two new identity-based KAC constructions using multilinear maps with at most poly-logarithmic overhead (in the number of identities N ) for all system parameters, ciphertexts and aggregate keys.
1. Our first KAC construction uses an asymmetric O(log N ) multilinear map to support N = 2 m − 1 identities. The scheme has a public parameter overhead of O(log N ) group elements, and produces short ciphertexts and aggregate keys comprising of O(1) group elements. The scheme is adaptively secure in the generic multilinear group model and is fully collusion resistant against any number of colluding parties. 2. Our second KAC construction is based on the more generalized symmetric multilinear maps, and provides tighter bounds on the group size parameters for adaptive security in the generic multilinear map model as compared to the first construction. There exists a trade-off in the form of a blow-up of the ciphertext size, which is O(log N ) group elements instead of O (1). The rest of the parameters have the same overhead as in the first construction. The second construction is again identity-based, since the overall system overhead still remains poly-logarithmic. In addition, the second construction is fully collusion resistant against any number of colluding parties.
Technically, our constructions are inspired by the identity-based BE schemes from multilinear maps proposed by Boneh, Waters and Zhandry in [4]. The original work of Chu et al. [7] presents a framework to extend a BE scheme supporting polynomially many identities (more specifically, the bilinear map-based BE scheme of Boneh, Gentry and Waters [2]) to a KAC scheme supporting polynomially many identities. In this paper, we follow a similar strategy to build identity-based KAC schemes.

Preliminaries
In this section, we recall the formal definition of a key-aggregate cryptosystem (KAC) from [7].
2.1. Key-aggregate cryptosystem: The basic framework. A KAC scheme consists of four probabilistic polynomial-time algorithms that are described next: -SetUp(1 λ , ID): The setup algorithm takes as input the security parameter λ and an identity space ID, and outputs the public parameter param and the master secret key msk. -Encrypt(param, i, M): Takes as input the public parameter param, an identity i ∈ ID and the plaintext message M. Outputs the corresponding ciphertext C. -Extract(param, msk, S): Takes as input the public parameter param, the master secret key msk and a polynomial-size subset of identities S ⊆ ID.
Computes the aggregate decryption key K S for the subset S. -Decrypt(param, C, K S ): Takes as input the public parameter param, a ciphertext C corresponding to an identity i ∈ S and an aggregate key K S . Outputs either a message M or ⊥. Correctness. A KAC scheme is said to be correct if for any valid identity space ID, any set S ⊆ ID, any identity i ∈ S, and any plaintext message M, we must have P r[Decrypt(param, C, K S ) = M|E] = 1 where E is the event described as the conjunction of the following atomic events: 2.2. Security definitions. We now recall the formal framework for proving active chosen ciphertext security of KAC. We begin by introducing a game between a non-adaptive attack algorithm A and a challenger B, both of whom are given ID as input. The game proceeds through the following stages.
SetUp. : Challenger B sets up the KAC system. In particular, B generates the public parameter param and provides the same to A.
Aggregate Key Query Phase 1. : Algorithm A adaptively issues aggregate key queries for any subsetS ⊆ ID. B responds with the aggregate key KS .
Decryption Query Phase 1. : Algorithm A adaptively issues decryption queries q 1 , · · · , q w . Here a decryption query comprises of the tuple (C, v), where v ∈ ID is the identity associated with C. The challenger has to respond with a valid decryption of the ciphertext.
Commit. : A adaptively commits to an identity i ∈ ID, subject to the constraint that i / ∈S for all subsetsS queried in the aggregate key query phase 1.
Challenge. : A picks at random two messages M 0 and M 1 from the set of possible plaintext messages and provides them to B. To generate the challenge, B randomly picks b ∈ {0, 1}, and sets the challenge to A as C * = Encrypt(param, i, M b ).
Aggregate Key Query Phase 2. : Algorithm A continues to adaptively issue aggregate key queries for any subsetS ⊆ ID such that i / ∈S. B responds with the aggregate key KS .
Decryption Query Phase 2. : A continues to adaptively issue decryption queries q w+1 , · · · , q Q D where a decryption query comprises of the tuple (C, v), but is now subject to the restriction C = C * . B responds as in decryption query phase 1.
Guess. : A outputs a guess b of b. If b = b, A wins the game.
The game above models an attack in the real world setting where users who do not have authorized access to the subset S collude to try and expose a message in this subset. We now formally define the security notions for KAC. Let Adv A,|ID| denote the probability that A wins the game.
Definition 2.1. A KAC construction is ( , ID, Q D ) adaptively secure under a chosen ciphertext attack (that is, adaptively CCA-secure) if, for all adaptive probabilistic poly-time algorithms A that can make a total of Q D decryption queries, we have that |Adv A,|ID| − 1 2 | < . Definition 2.2. A KAC construction is ( , ID) adaptively secure under a chosen plaintext attack (that is, adaptively CPA-secure) if it is ( , ID, 0) adaptively CCA secure.
We also define two weaker notions of security in the non-adaptive setting. In particular, non-adaptive security is achieved in the scenario when A is required to commit to the identity i before seeing the public parameters. We refer to such an adversary as a non-adaptive adversary. This leads to the following definitions. Definition 2.3. A KAC construction is ( , ID, Q D ) non-adaptively secure under a chosen ciphertext attack (that is, non-adaptively CCA-secure) if, for all nonadaptive probabilistic poly-time algorithms A that can make a total of Q D decryption queries, we have that |Adv A,|ID| − 1 2 | < . Definition 2.4. A KAC construction is ( , ID) non-adaptively secure under a chosen plaintext attack (that is, non-adaptively CPA-secure) if it is ( , ID, 0) nonadaptively CCA secure.

Multilinear maps.
In this section, we provide a brief overview of multilinear maps. Our description of multilinear maps is based on the graded encoding scheme used in popular candidate multilinear map constructions [11].
2.3.1. Symmetric multilinear maps. A standard symmetric multilinear map consists of the following pair of algorithms.
SetUp (1 λ , m): Sets up an m-linear map by outputting an m-tuple of groups < G 1 , G 2 , · · · , G m > of prime order q (where q is a λ bit prime), along with the respective generator g i ∈ G i for 1 ≤ i ≤ m. In standard notation, G 1 is the source group, G m is the target group, and G 2 , · · · , G m−1 are the intermediate groups.
e i,j (h 1 , h 2 ): Takes as input h 1 ∈ G i and h 2 ∈ G j , and outputs h 3 ∈ G i+j such that In this paper, we follow the standard notation used in the literature to omit the subscripts and simply refer to this multilinear map as e. Further, e may be generalized to multiple inputs as e(h 1 , · · · , h k ) = e(h 1 , e(h 2 , · · · , h k )). Note that g a i is sometimes referred to as the level-i encoding of a. The scalar a itself may therefore be referred to as the level 0 encoding of itself. Although symmetric multilinear maps are simple to understand, there currently exist no reported candidate constructions for the same. Almost all candidate constructions [11,9] realize asymmetric multilinear maps, which we describe next.

2.3.2.
Asymmetric multilinear maps. We adopt the same definition of asymmetric multilinear maps presented in [11]. According to this definition, in asymmetric multilinear maps, the groups are indexed by integer vectors. Formally, a standard asymmetric multilinear map consists of the following algorithms.
SetUp (1 λ , n): Takes as input a vector n ∈ Z l . Sets up an n-linear map by outputting an n-tuple of groups < G 1 , G 2 , · · · , G n > of prime order q (where q is a λ bit prime), along with the respective generators g v ∈ G v for 1 ≤ v ≤ n(comparison is defined component-wise). Further, let x i be the ith standard basis vector (with 1 at position i and 0 at each other position). In standard notation, G xi is the ith source group, G v is the target group, and the rest are the intermediate groups.
e v1,v2 (h 1 , h 2 ): Takes as input h 1 ∈ G v1 and h 2 ∈ G v2 , and outputs h 3 ∈ G i+j such that Again, we omit the subscripts and simply refer to this multilinear map as e, which may be generalized to multiple inputs as e(h 1 , · · · , h k ) = e(h 1 , e(h 2 , · · · , h k )).
2.4. Some hardness assumptions related to multilinear maps. In this section, we introduce two hardness assumptions that are relevant to our discussions.
The Hybrid Diffie-Hellman Exponent Assumption. Let param is generated by SetUp (1 λ , 2m), where m is the m + 1 length vector consisting of all ones and λ is the adequate group size parameter for achieving λ bit security. Choose α ∈ Z q at random (where q is a λ -bit prime), and let X j = g α (2 j ) . Choose a random t ∈ Z q , and let V = g t m . The decisional m-Hybrid Diffie Hellman Exponent (HDHE) problem as defined as follows. Given the tuple (param , {X j } j∈{0,··· ,m} , V, Z), distinguish if Z is g tα (2 m ) 2m or a random element of G 2m .
2.5. Multilinear map requirements. In this paper, we present our KAC constructions assuming that the ideal multilinear maps based on the graded encoding scheme described above exist and are efficiently computable. We only do this to make the analysis simple and easy to follow. In general, the KAC constructions presented in this paper can be instantiated using multilinear maps with the properties listed below: -The representation of an element should be statistically independent of the group and multilinear operations that led to that element. -It is possible to extract a canonical representation of an element in the target group given any representation of that element using the zero-test parameter. -The party setting up the multilinear map has sufficient trapdoor information to compute g α x for a non-random α and exponentially large x. -It is possible to generate asymmetric multilinear maps for any positive integer vector n ∈ Z l . -It should be possible to design the parameters of our system such that the noise growth during the execution of our scheme does not lead to erroneous computations.
The two foremost candidate multilinear map constructions [11,9] possess the aforementioned properties. Unfortunately, both these constructions, as well as attempted fixes for them [13,5] have been cryptanalyzed either in parts or completely [6,10]. A more recent proposition by Gentry et al. is the graph-induced multilinear map based on non-ideal lattices [12], which naturally gives rise to asymmetric multilinear maps. Even this construction has been broken by Coron et al. [8], who demonstrate how to recover an equivalent private key for this scheme (even in the presence of safeguards).
2.6. The generic multilinear map model. Given the extensive cryptanalysis [6,10] of the existing multilinear map constructions [11,9,13,5,12], most of the intractable problems related to multilinear maps are currently secure only in the generic multilinear map model. Just as multilinear maps are an extension of bilinear maps, the generic multilinear map model is an extension of the generic bilinear map model [1]. We describe the generic multilinear map model here for completeness.
In the generic multilinear map model [4], the group G v (where v ∈ Z l ) is represented by a random injective function ξ : Z q × Z l → {0, 1} n that maps pairs of elements from the additive group Z q and the vector space Z l to random strings of sufficiently large length. The random string output by ξ(α, v) for α ∈ Z q and v ∈ Z l is thus essentially a randomized representation in the generic model, corresponding to the group element g α v in the standard multilinear map definition. For example, suppose that the target vector in a generic multilinear map construction is denoted by m ∈ Z l . Any algorithm in the generic multilinear map model is said to interact with the map using the tuple of algorithms (Encode, Mult, Pair) described below.
Encode(x, v): Takes as input a non-negative integer vector v ≤ m and outputs ξ(x, v).
Pair(ξ 1 , ξ 2 ): Takes as input Note that if the inputs are not valid, each of the above algorithms returns ⊥. Also, Mult and Pair here are assumed to be oracles to compute the induced group multiplication and multilinear map operations. Finally, note that in this paper, we mostly consider binary vectors in the group Z l , and hence choose to denote them by their corresponding integer representations for ease of representation.

KAC using asymmetric multilinear maps
In this section, we present the first construction of identity-based KAC based on asymmetric multilinear maps. Our goal in this scheme is to support N = 2 m − 1 identities, where m is polynomially large in the security parameter λ, while ensuring that the size of the public parameter is O(log N ) group elements, while the ciphertext and the aggregate key comprise of O(1) group elements.
3.1. The basic idea. The core idea of our construction is inspired by techniques presented in [4]. Let N = 2 m − 1 for some integer m, and let m be the m + 1 length vector consisting of all ones. We use an asymmetric multilinear map with the target group G 2m . Note that if we pair two elements in the group G m , we get an element in G 2m by the definition of asymmetric multilinear maps. Let Y i = g α i m , where α ∈ Z q . Recall from Section 2.3.2 that x j is the jth standard basis vector (with 1 at position j and 0 at each of the other positions) and G xj is the jth source group with generator g xj . Also, let . We recall the following claims from [4].
We now make the following important observation: Given the set of parameters (X 0 , · · · , X m ) and without the knowl- This follows trivially from the fact that 2 m cannot be expressed as the sum of other lower powers of 2.
Thus we successfully embed the parameter set (Y 1 , · · · , Y N , Y N +2 , · · · , Y 2N ) comprising of O(N ) group elements into another parameter set (X 0 , · · · , X m ) comprising of O(log N ) group elements, without compromising the value of the secret Y N +1 . Protecting the value of Y N +1 from possible leakage is paramount to the security of our identity-based KAC construction, will become evident from an actual description of the construction presented next.

3.2.
Our first identity-based KAC construction. We present our first identity-based KAC construction that supports N = 2 m − 1 identities, where m is polynomially large in the security parameter λ. Assume that SetUp (1 λ , m) is the setup algorithm for an asymmetric multilinear map, where groups have prime order q (where q is a λ bit prime) and G m is the target group. The construction is as follows.
SetUp(1 λ , m): Take as input the length m of identities and the group order parameter λ. Set ID = {0, 1} m \{0} m as the identity space. Let m be the m + 1 length vector consisting of all ones. Run SetUp on m and 2m to obtain the public parameters param and param for multilinear maps with target groups G m and xm . Next, randomly pick γ ∈ Z q , and output the public parameter param and the master secret key msk as and can be computed as per the formulation in Claim 3.1 for 1 ≤ i ≤ N using the multilinear map with target group G m . Output the ciphertext C as is computed as e (Y N , Y 1 ) t using the multilinear map with target group G 2m .
Extract(param, msk = γ, S): The aggregate key for the set of identities S is computed as: Again, note that Y 2 m −v can be computed as per the formulation in Claim 3.1 for each v ∈ S.
. Output the decrypted message as: where the computation uses the multilinear map with target group G 2m . In the above KAC construction, we have assumed by default that all plaintext messages M may be efficiently embedded as elements in the target group of the multilinear map. However, a workaround may be readily proposed. We first note that in any ciphertext output by Encrypt, the message M is essentially multiplied with a random secret group element ρ. Rather than embedding M as a group element, we propose hashing ρ using a collision resistant hash function H, and then outputting M H(ρ) in the ciphertext (here denotes an appropriate operator).

Correctness.
To see that the scheme is correct, that is, . Then we havê . Security (standard model). The above KAC construction is selectively CPA-secure in the standard model under the decisional m-HDHE assumption. More specifically, we state and prove the following theorem.
Theorem 3.1. Let SetUp' be the setup algorithm for an asymmetric multilinear map, and let the decisional m-Hybrid Diffie-Hellman Exponent assumption holds for SetUp . Then our proposed identity-based KAC scheme is non-adaptively CPA secure.
Proof. Let A be a poly-time adversary such that |Adv A,N − 1 2 | > for the proposed KAC system parameterized with an identity space ID of size N = 2 m − 1. Here is a non-negligible positive constant. We build an algorithm B that has advantage at least in solving the decisional m-HDHE problem for SetUp' . B takes as input a random m-HDHE challenge (param , {X j } j∈{0,··· ,m} , V, Z) where: param ←SetUp (1 λ , 2m) (λ is the adequate group size parameter for achieving λ bit security) or a random element of G 2m B then proceeds as follows.
Commit: B runs A and receives the set S of data classes that A wishes to be challenged on. B then randomly chooses a data class i ∈ S and provides it to A.
SetUp: B should generate the public param the public key P K and the aggregate key K S , and provide them to A. They are generated as follows.
-P K is set as g u m /Y i where u is chosen uniformly at random from Z q and Y i is computed as mentioned in Claim 3.1. Note that this is equivalent to setting msk = (u − α i ).
-B then computes , and hence has all the resources to compute K S .
Since the g m , α, u and t values are chosen uniformly at random, all the parameters and the keys have an identical distribution to that in the actual construction.
We claim that when Z = g tα (2 m ) 2m (i.e. the input to B is a valid m-HDHE tuple), then (C, M 0 , M 1 ) is a valid challenge to A as in a real attack. To see this, observe that ). Otherwise, it outputs 1 (indicating that Z is a random element in G 2m ).
We conclude that B has the same advantage as A, which must therefore be negligible, as desired. This completes the proof of Theorem 3.4.

3.5.
Security (generic group model). We note, however, that in the absence of any secure multilinear map realizations, the HDHE assumption only holds in the generic group model. In this subsection, we present a direct proof of security for our KAC construction in the generic multilinear map model. In particular, we state the following theorem.
Theorem 3.2. Any generic adversary A that can make at most a polynomial number of queries to (Encode,Mult,Pair) has negligible advantage in breaking the adaptive security against chosen plaintext attacks of the KAC construction presented in Section 3.2, provided that 1/q 1/2 is negligible in the security parameter λ.
Proof. Let ξ : Z q × Z l → {0, 1} n be the random injective function for modeling the different groups in the generic multilinear map model, as described in Section 2.6. In particular, recall that ξ maps pairs of elements from the additive group Z q and the vector space Z l to random strings of sufficiently large length. Also, let A be an adaptive adversary under the generic model and let B be a challenger that plays the following game with A SetUp. Challenger B sets up the system for the identity-space ID consisting of all m bit identities supported by the KAC construction described above. B generates random α, γ ∈ Z q . A receives the following: Oracle Query Phase. A adaptively issues queries to (Encode, Mult, Pair).
Aggregate Key Query Phase 1. Algorithm A adaptively issues aggregate key queries for any subsetS ⊆ ID. B responds with the aggregate key KS , computed as: A adaptively commits to an identity i ∈ ID, subject to the constraint that i / ∈S for all subsetsS queried in the aggregate key query phase 1.
Challenge. To make a challenge query, A choosesm 0 ,m 1 ∈ Z q and makes Encode queries for the same to receive ξ m 0 , 2 m+2 − 2 and ξ m 1 , 2 m+2 − 2 , respectively. It then provides these as the challenge messages to B. B in turn randomly chooses t ∈ Z q and a randomb ∈ {0, 1}, and sets c 0 = ξ t, 2 m+1 − 1 Aggregate Key Query Phase 2. Algorithm A continues to adaptively issues= aggregate key queries for any subsetS ⊆ ID such that i / ∈S = φ. B responds with the aggregate key KS as in the aggregate key query phase 1.
Guess: A outputs a guessb ofb. Ifb =b, A wins the game.
-A is allowed at most a polynomial number of (Encode,Mult,Pair) queries to which B responds as follows: -Encode(x, l): If x / ∈ Z q or i / ∈ {1, · · · , 2 m+2 −2}, B returns ⊥. Otherwise, B looks for a tuple (p x , l, ξ) ∈ L, where p x is a constant polynomial equal to x. If such a tuple exists, B returns ξ. Otherwise, B generates a random ξ ∈ {0, 1} n . The tuple (p x , l, ξ) is added to L and B responds with ξ.
-Mult(ξ k0 , ξ k1 , b): B searches in L for the pair of tuples (p k0 , l k0 , ξ k0 ) and (p k1 , l k1 , ξ k1 ). Unless both of them exist, B returns ⊥. Also, if both tuples are available but l k0 = l k1 , B returns ⊥. Otherwise, B searches in L for a tuple of the form (p k , l k , ξ k ), where p k = p k0 +(−1) b p k1 and l k ≡ l k0 ≡ l k1 . If such a tuple is found, B responds with ξ k . If not, B generates a random ξ k ∈ {0, 1} n , augments L by adding the tuple (p k , l k , ξ k ) and returns ξ k . -Pair(ξ k0 , ξ k1 ): B searches in L for the pair of tuples (p k0 , l k0 , ξ k0 ) and (p k1 , l k1 , ξ k1 ). Unless both of them exist, B returns ⊥. Also, if both tuples are available but l k0 + l k1 > 2 m+2 − 2, B returns ⊥. Otherwise, B searches in L for a tuple of the form (p k , l k , ξ k ), where p k = p k0 .p k1 and l k ≡ l k0 + l k1 . If such a tuple is found, B responds with ξ k . If not, B generates a random ξ k ∈ {0, 1} n , augments L by adding the tuple (p k , l k , ξ k ) and returns ξ k . We stress the fact that in each query to any of the three algorithms, at most one new tuple is added to L, and no tuple can have index j > 2 m+2 − 2. Note that B can make the string responses ξ to A arbitrarily long, and thus, hard to guess. Hence, without loss of generality, we assume that all Mult and Pair queries made by A are precisely on strings furnished by B.
-Algorithm A is allowed to adaptively issue aggregate key queries for any subset S ⊆ ID. In response, B adds the tuple for a randomly generated ξ ∈ {0, 1} n . The same ξ is given as response to A. -A adaptively commits to an identity i ∈ ID, subject to the constraint that i / ∈S for all subsetsS queried in the aggregate key query phase 1. -A makes a single encryption query on the identity i ∈ S. B creates a new formal variables t,m,m 0 ,m 1 and adds the following tuples to its list L: Once again ξ * j for j ∈ {0, · · · , 4} are randomly generated strings in {0, 1} n that are provided to A as the challenge vector.
-A may continue to issue adaptive oracle queries and aggregate key queries. B responds as above. -A outputs a randomb ∈ {0, 1}.
-At this point, B chooses random values for the variables α, γ, t and asks A for two random message inputs m 0 and m 1 , to setm 0 = m 0 , andm 1 = m 1 . B also randomly choosesb ∈ {0, 1} and setsm = mb. We now look at the probability that A wins the game. We denote by Υ a false polynomial equality event where, for two random tuples (p, l, ξ) and (p , l , ξ ) in the list L such that l = l , we have p(α j,b , · · · ) = p (α j,b , · · · ) even though p ≡ p . In case an instance of Υ occurs, B fails to simulate the oracle perfectly. We say that A wins the game if eitherb =b or an instance of the event Υ occurs.
We now look at the probability that a random choice of values for the formal variables (α, γ, t, m 0 , m 1 ) ∈ Z (5) q and a random choice ofb ∈ {0, 1} results in the event Υ. First, we make the following straightforward observations.
Observation 2. The maximum degree of any polynomial in L is at most 2 m+1 . It follows from the Swartz-Zippel lemma [15] that the probability that a randomly chosen pair of polynomials in L evaluate to the same value for a random choice of variable values, is upper bounded by (2 m+1 )/q. Next, assume that A makes Q E queries to Encode, Q M queries to Mult and Q P queries to Pair during Oracle Query Phase, and a total of Q K queries in Aggregate Key Query Phase 1 and Aggregate Key Query Phase 2. Table 1 summarizes the maximum possible contributions to |L| by the tuples added by B at different query stages. Note that |L| is upper bounded by (Q E + Q M + Q P + 3m + 8). It easily follows that the probability of a false polynomial equality event Υ is upper bounded If the event Υ does not occur, B simulates the oracle in response to A's queries perfectly and, from A's view,b is independent as it was chosen after the simulation. Hence we have P r[b =b | Υ] = 1/2 This in turn gives us the following relations: 2 From this, it is straightforward to conclude that the advantage of the generic adversary A may be upper bounded as (Q E + Q M + Q P + Q K + m + 7) 2 2 m+1 /4q. For Q E , Q M , Q P , Q K , m polynomial in the security parameter λ, this quantity is negligible provided that 1/q 1/2 is negligible, or in particular, q ≈ 2 2λ . This completes the proof of Theorem 3.5.

KAC using symmetric multilinear maps with tighter security bounds
We have demonstrated that the KAC construction described in Section 3 is secure in the generic multilinear map model. However, the presence of high degree exponents such as α 2 m in this construction means that the adversary can construct polynomials with degree as high as ≈ 2 m in the secret α. Hence, the aforementioned constructions require the group order parameter λ ≈ 2λ (instead of the normal λ) or q = 2 3λ to achieve λ-bit security.
This motivates us to present a second KAC construction that is adaptively secure in the generic multilinear map model for q = 2 λ . This construction is inspired by techniques from [4]. It uses symmetric multilinear maps, as opposed to asymmetric multilinear maps used in the first construction.
4.1. The basic idea. Our second construction uses a set of public parameters that are not derived from a single scalar α. Instead, each parameter is derived from a separate random scalar, to avoid the high degree exponents in the previous constructions. The trick of embedding linearly many group elements in a logarithmic size public parameter is still used. However, the presence of multiple scalars implies that we cannot use the same embedding technique used in the first construction.
Instead, we adopt a strategy presented in [4] of using a Naor-Reingold-style PRF [16]. The ciphertext in this construction cannot consist of O(1) group elements, since that would make decryption impossible. At the same time, we cannot allow the ciphertext size to exceed polylogarithmic, since that would render the KAC construction inefficient.
To achieve this, we ensure that the necessary ciphertext components for decryption are the outputs of another Naor-Reingold-style PRF, and the decryptor can generate precisely these outputs by puncturing the PRF at suitable points, similar to as described in [3] and [4]. Setup (1 λ , m) be the setup algorithm for an m-linear map with groups of prime order q (q being a λ bit prime) and the target group G m . Our second identity-based KAC consists of the following algorithms.

The construction. Let
SetUp(1 λ , m): Set up the KAC system for ID consisting of all m bit identities. Let param ← SetU p (1 λ , m + 1) be the public parameters for a symmetric multilinear map, with G m+1 being the target group. For j = 0, · · · , m−1 and b = 0, 1, generate random α j,b ∈ Z q and let X j,b = g α j,b 1 . Finally, pick γ ∈ Z q , and output the public parameter param and the master secret key msk as:  where i j is the j-th bit in the binary representation of i.
Encrypt(param, i, M): Randomly choose t, x ∈ Z q and set Note that i j denotes the j th bit in the binary representatio of i. Finally, output the ciphertext as C = ({c j } j∈{0,··· ,m+2} ) Extract(param, msk = γ, S): The aggregate key for the subset S is computed as: Decrypt(param, C, K S ): If i / ∈ S, output ⊥. Otherwise, use the result from Claim 4.2 to compute Y t v for each v ∈ S \ {i}, and set We argue that a S can be computed by making the following claim.
Claim 4.2. For any identity v = i, one can compute Y t v given C. Proof. Let C = (c 0 , · · · , c m+2 ). Since v = i, there exists a bit position j ∈ {0, · · · , m − 1} such that v j = 1 − i j . This allows one to compute Note that for a given i, each Y t v for v = i and random t is also the output of a Naor-Reingold style PRF. Moreover, the PRF is punctured at i to generate Y t v for v = i without the knowledge of Y t i .
Let C = (c 0 , · · · , c m+1 , c m+2 ) and K S = (K 1 , K 2 ). Output the decrypted message asM Once again,we have assumed by default that the ciphertext C embeds the information about the identity i it corresponds to, and K S embed the information about the subset S it corresponds to. Observe that in this construction, no high-degree terms are generated hence the system is secure for a group size parameter q = 2 λ instead of 2 2λ in the first construction (λ being the security parameter). Also, the total multilinearity in handling 2 λ identities is λ + 1, as compared to 2λ in the previous construction. On the flip side, the ciphertext size for this construction is O(log N ) group elements, as compared to O(1) group elements in the previous constructions.

4.2.1.
Correctness. The correctness of this scheme may be easily shown as follows: Security. The above KAC construction is provably secure in the generic multilinear map model in the adaptive setting, with tighter bounds on the group order parameters as compared to the previous constructions. In particular, we state the following theorem.
Theorem 4.1. Any generic adversary A that can make at most a polynomial number of queries to (Encode,Mult,Pair) has negligible advantage in breaking the adaptive security of the KAC construction presented in Section 4.2, provided that 1/q is negligible, for q ≈ 2 λ , where λ is the security parameter.
Proof. Let ξ : Z q × Z l → {0, 1} n be the random injective function for modeling the different groups in the generic multilinear map model, as described in Section 2.6.
In particular, recall that ξ maps pairs of elements from the additive group Z q and the vector space Z l to random strings of sufficiently large length. Also, let A be an adaptive adversary under the generic model and let B be a challenger that plays the following game with A: SetUp: Challenger B sets up the system for the identity-space ID consisting of all m bit identities supported by the KAC construction described above. B generates random α j,b ∈ Z q for j = 0, · · · , m − 1, and b = 0, 1. B also generates random γ, x ∈ Z q . A receives the following: -X j,b = ξ(α j,b , 1) for j = 0, · · · , m − 1, and b = 0, 1 -X m = (ξ(γ, m)) Oracle Query Phase. A adaptively issues queries to (Encode, Mult, Pair).
Aggregate Key Query Phase 1. Algorithm A adaptively issues aggregate key queries for any subsetS ⊆ ID. B responds with the aggregate key KS , computed as: A adaptively commits to an identity i ∈ ID, subject to the constraint that i / ∈S for all subsetsS queried in the aggregate key query phase 1.
-A is allowed at most a polynomial number of (Encode,Mult,Pair) queries to which B responds as follows: -Encode(x, l): If x / ∈ Z q or i / ∈ {1, · · · , m + 1}, B returns ⊥. Otherwise, B looks for a tuple (p x , l, ξ) ∈ L, where p x is a constant polynomial equal to x. If such a tuple exists, B returns ξ. Otherwise, B generates a random ξ ∈ {0, 1} n . The tuple (p x , l, ξ) is added to L and B responds with ξ.
-Mult(ξ k0 , ξ k1 , b): B searches in L for the pair of tuples (p k0 , l k0 , ξ k0 ) and (p k1 , l k1 , ξ k1 ). Unless both of them exist, B returns ⊥. Also, if both tuples are available but l k0 = l k1 , B returns ⊥. Otherwise, B searches in L for a tuple of the form (p k , l k , ξ k ), where p k = p k0 +(−1) b p k1 and l k ≡ l k0 ≡ l k1 . If such a tuple is found, B responds with ξ k . If not, B generates a random ξ k ∈ {0, 1} n , augments L by adding the tuple (p k , l k , ξ k ) and returns ξ k .
-Pair(ξ k0 , ξ k1 ): B searches in L for the pair of tuples (p k0 , l k0 , ξ k0 ) and (p k1 , l k1 , ξ k1 ). Unless both of them exist, B returns ⊥. Also, if both tuples are available but l k0 + l k1 > m + 1, B returns ⊥. Otherwise, B searches in L for a tuple of the form (p k , l k , ξ k ), where p k = p k0 .p k1 and l k ≡ l k0 + l k1 . If such a tuple is found, B responds with ξ k . If not, B generates a random ξ k ∈ {0, 1} n , augments L by adding the tuple (p k , l k , ξ k ) and returns ξ k . We stress the fact that in each query to any of the three algorithms, at most one new tuple is added to L, and no tuple can have index j > m + 1. Note that B can make the string responses ξ to A arbitrarily long, and thus, hard to guess. Hence, without loss of generality, we assume that all Mult and Pair queries made by A are precisely on strings furnished by B.
-Algorithm A is allowed to adaptively issue broadcast aggregate key queries for any subsetS ⊆ ID 1  for randomly generated ξ 1 , ξ 2 ∈ {0, 1} n . The same ξ 1 and ξ 2 are given as response to A. -A commits to a set S such that S ∩S = φ for all subsetsS queried in the first aggregate key query phase. B chooses i ∈ S and communicates the same to A. -A makes a single encryption query on the identity i ∈ S. B creates a new formal variables t,m,m 0 ,m 1 and adds the following tuples to its list L: Once again ξ * and ξ * j , j ∈ {0, · · · , m + 3} are randomly generated strings in {0, 1} n that are provided to A as response.
-A may continue to issue adaptive oracle queries and aggregate key queries. B responds as above. -A outputs a randomb ∈ {0, 1}.
-At this point, B chooses random values for α j,b , γ, x, t and asks A for two random input messages m 0 and m 1 to setm 0 = m 0 , andm 1 = m 1 . B also randomly choosesb ∈ {0, 1} and setsm = mb. Recall that we denoted by Υ a false polynomial equality event where, for two random tuples (p, l, ξ) and (p , l , ξ ) in the list L such that l = l , we have p(α j,b , · · · ) = p (α j,b , · · · ) even though p ≡ p . In case an instance of Υ occurs, B fails to simulate the oracle perfectly. We say that A wins the game ifb =b or an instance of the event Υ occurs.
We now look at the probability that a random choice of values for the formal variables (α j,b , γ, x, t, m 0 , m 1 ) ∈ Z (2m+5) q and a random choice ofb ∈ {0, 1} results in the event Υ. We make the following straightforward observations. Observation 4. The maximum degree of any polynomial in L is at most m + 1.
Observation 5. Substituting the formal variablem 0 with m 0 ,m 1 with m 1 , and m with mb results in an instance of the false polynomial equality event Υ with negligible probability.
It follows from the Swartz-Zippel lemma [15] that the probability that a randomly chosen pair of polynomials in L evaluate to the same value for a random choice of variable values, is upper bounded by (m + 1)/q. Next, assume that A makes Q E queries to Encode, Q M queries to Mult and Q P queries to Pair during Oracle Query Phase, and a total of Q K queries in Aggregate Key Query Phase 1 and Aggregate Key Query Phase 2. Table 2 summarizes the maximum possible contributions to |L| by the tuples added by B at different query stages. Note that |L| is upper bounded by (Q E + Q M + Q P + 2Q K + 3m + 6). It easily follows that the probability of a false polynomial equality event Υ is upper bounded as P r(Υ) ≤ (Q E + Q M + Q P + 3m + 8) 2 (m + 1) /2q If the event Υ does not occur, B simulates the oracle in response to A's queries perfectly and, from A's view,b is independent as it was chosen after the simulation. Hence, using a similar analysis as in the proof of Theorem 1, it is straightforward to conclude that the advantage of the generic adversary A may be upper bounded as (Q E + Q M + Q P + 2Q K + 3m + 6) 2 (m + 1) /4q. For Q E , Q M , Q P , Q K , m polynomial in the security parameter λ, this quantity is negligible provided that 1/q is negligible, or in particular, q ≈ 2 λ , as desired. This completes the proof of Theorem 4.3.

Conclusion
In this paper, we presented the first identity-based constructions for the keyaggregate cryptosystem (KAC) using multilinear maps. Our constructions achieve poly-logarithmic upper bounds on the overhead for the system parameters and the ciphertexts, and constant upper bounds on the size of the aggregate key. The crux of our constructions lies in the use of multilinear maps to embed polynomially many parameter elements in the target multilinear group, using only logarithmically many elements in the source multilinear groups. This in turn allows us to only publish the logarithmic-size parameter set, making the constructions identity-based.
Our first construction uses asymmetric multilinear maps, and is secure in the generic multilinear map model with full collusion resistance against any number of colluding parties. Our second construction uses symmetric multilinear maps, and affords tighter bounds on the group size parameters for security in the generic multilinear map model, as compared to the first construction. It also has a lesser requirement in the degree of multilinearity. The trade-off is in the size of the ciphertext, which is logarithmic in the second construction, as opposed to constant in the first. To the best of our knowledge, these are the first identity-based KAC constructions in the cryptographic literature.