Keywords

1 Introduction

Identity-Based Encryption (IBE) was presented by Shamir [1]. In an IBE system, user’s public key is his identity. The first practical IBE scheme was presented almost twenty years later by Boneh and Franklin by applying pairing technique in 2001 [2]. Since then, a host of IBE schemes was proposed, starting with the early constructions of selective security [3, 4], to more recent constructions of full security [5, 6]. The selective security model is a useful intermediary step, but cannot reflect the real situation comprehensively, since the adversary is required to announce the challenge identity before he receives the public parameters.

Dual system encryption [5] is a powerful tool for building fully secure IBE scheme. There are two forms of ciphertext and secret keys in dual system encryption: normal and semi-functional. Classical dual system encryption utilizes a series of games to prove the security. The real security game is followed by a game that the ciphertext becomes semi-functional. After that, the secret keys become semi-functional one after another, ultimately arrive at the final game, every key and ciphertext becomes semi-functional, which proving security becomes apparent. Each transition is reduce to its underlying security: subgroup or statical indistinguishability. Thus, all the previous works based on dual system encryption except [7, 8] results in \(\mathcal {O}(q)\) loss for security reduction, where q is the total number of key requests.

The IBE of [7, 8] employ two different techniques to achieve the tighter reduction. Chen and Wee [7] choosed an appropriate pseudorandom function with security loss L as a building block. And then, they get an IBE with the security loss \(\mathcal {O}(L)\) owing to similar algebraic structure between the IBE and pseudorandom function. The IBE of [7] can work both in composite order and prime order groups. The technique of [8] is based on the following fact: when a specific key is changed from normal to semi-functional in Phase 2, the simulator has learned the challenge identity \(ID^{*}\) before defining the semi-functional parameters, so it can program the parameter using \(ID^{*}\). This is considerably similar to the requirement of selective security, which is called \(delayed \ parameters\) in [9]. By using the technique of \(delayed \ parameters\), scheme [8] organized all the challenge keys in Phase 2 into the correlated distribution, and modified them from normal to semi-functional all at once, which results in tighter reduction, \(\mathcal {O} (q_{1})\).

Although [8] achieves a tighter reduction, it is built on a composite order bilinear group setting. Compared with prime order bilinear groups, composite order bilinear groups are at a disadvantage both in efficiency and security. In the first place, supersingular curves, which most composite order bilinear groups are based upon, is the main obstacle that affects the efficiency of composite order bilinear groups [10, 11]. There is one more point that the security of schemes based upon composite order bilinear groups crucially depend on the difficulty of factoring N. In order to guarantee the scheme’s security, the system has to increase the size of the underlying groups, which makes condition much worse for calculating speed. Further more, according to the recent results [12, 13], discrete logarithms in supersingular curves may be not as hard as we thought. For these reasons, many research [14, 15] have examined how to simulate composite order bilinear groups by using prime order bilinear groups.

In this article, we present IBE with tighter security reduction that enjoys \(\mathcal {O}(q_{1})\) in prime order bilinear groups. Our scheme is fully secure. The security is rely on the decisional linear and three party Diffie-Hellman assumption. Our construction have a similar structure of scheme [8]. We utilize the techniques developed in [15], taking advantage of the dual pairing vector space as a substitute for the subgroups in the composite order bilinear groups. Likewise, we substitute the subspace assumption for the subgroup decision assumption in the security proof. In addition, we take a 2 dimensional matrix to program the parameters in phase 2 of key queries. We embed \(g^{xy}\) to the semi-functional space, so as to obtain the target element \(g^{xyz}\) in G when combining with r. As we can re-randomize r by multiplying a random values \(r' \in \mathbb {Z}_{p}\) in the prime order setting, we do not need to simulate the additional element u, which is used as a randomizer in [8].

Next, we present the preliminaries that includes the security model and definition of IBE, an overview of dual pairing vector space, and complexity assumptions in Sect. 2. Our IBE scheme is presented in Sect. 3. Finally, we conclude in Sect. 4.

2 Preliminaries

2.1 Identity-Based Encryption Definition

Setup \((\lambda )\rightarrow PP,MSK.\) This algorithm takes as input a security parameter \(\lambda \), outputs the master key MSK and the public parameters PP.

KeyGen \((MSK,ID)\rightarrow SK_{ID}.\) This algorithm takes as input an identity \(ID\in \{0,1\}^{*}\), MSK, and returns a private key \(SK_{ID}\).

Encrypt \((PP,ID,M)\rightarrow CT.\) This algorithm takes as input PP, an identity ID, and a message M, and outputs a ciphertext CT.

Decrypt \((PP,SK_{ID})\rightarrow M.\) This algorithm takes as input \(SK_{ID}\) and CT. If the identity of the private key and ciphertext is identical, it returns the message M.

2.2 Security Model

Setup. The challenger \(\mathcal {B}\) executes the setup algorithm. It gives the public parameters to the adversary \(\mathcal {A}\).

Phase 1. When receives a query for private key of identity \(ID_{i}\) that makes by \(\mathcal {A}\), \(\mathcal {B}\) executes KeyGen algorithm to obtain the private key \(SK_{ID_{i}}\). It sends \(SK_{ID_{i}}\) to \(\mathcal {A}\), where \(i=1,\ldots ,q_{1}\).

Challenge. \(\mathcal {A}\) submits an challenge identity \(ID^{*}\) along with two messages \(M_{0}\) and \(M_{1}\), where the length of \(M_{0}\) and \(M_{1}\) are the same. The only constraint is that \(\mathcal {A}\) never queried \(ID^{*}\) in Phase 1. \(\mathcal {B}\) randomly encrypts \(M_{b}\) (\(b \in \{0,1\}\)) and sends it to \(\mathcal {A}\).

Phase 2. \(\mathcal {A}\) continually queries the private keys of identities \(ID_{q_{1}+1},\ldots ,ID_{q}\), with the constraint that \(ID^{*}\) can not be queried. \(\mathcal {B}\) responds as the same as Phase 1.

Guess. \(\mathcal {A}\) outputs a guess \(b'\) for b.

The adversary’s advantage is defined to be \(Pr[b'=b]-1/2\).

Definition 1

An Identity-based Encryption scheme is fully secure, if for all polynomial time adversaries, the advantage is negligible in the security game.

2.3 Dual Pairing Vector Spaces

Dual pairing vector spaces [16] is a useful tool. It works as follows. Given \((p,G,G_{T},g,g_{T},e)\), G and \(G_{T}\) are cyclic multiplicative groups of order p (where p is a prime), g is a generator of G, \(e:G \times G \rightarrow G_{T}\) is an effective computable non-degenerate bilinear pairing, \(i.e., e(g^{a},g^{b})=e(g,g)^{ab}\) and \(g_{T}=e(g,g)\ne 1\).

We let \(\varvec{v}\) denote the vector \((v_{1},\ldots ,v_{n})\in \mathbb {Z}^{n}_{p}\), and \(g^{\varvec{v}}:=(g^{v_{1}},\ldots ,g^{v_{n}})\). For \(\varvec{v},\varvec{w} \in \mathbb {Z}_{p}^{n}\) and \(a \in \mathbb {Z}_{p}\), we let \(g^{a\varvec{v}}:=(g^{av_{1}},\ldots ,g^{av_{n}}),g^{\varvec{v}+\varvec{w}}:=(g^{v_{1}+w_{1}},\ldots ,g^{v_{n}+w_{n}})\).

We define \(e(g^{\varvec{v}},g^{\varvec{w}}):=\prod _{i=1}^{n}e(g^{v_{i}},g^{w_{i}})=e(g,g)^{\varvec{v}\cdot \varvec{w}}\), where \(\varvec{v}\cdot \varvec{w}=v_{1}w_{1}+\cdots +v_{n}w_{n}\) (mod p).

The following lemma from [17] is required in our proof of security.

Lemma 1

(Statistical Indistinguishable). Let \(C:=\{(\varvec{x},\varvec{v})|\varvec{x} \cdot \varvec{v} \ne 0\}\subset V \times V^{*}\), where V is a n-dimensional vector space, and \(V^{*}\) is its dual. For all \((\varvec{x},\varvec{v}) \in C\), for all \((\varvec{r},\varvec{w}) \in C, \rho ,\tau \leftarrow \mathbb {Z}_{p}\), and \(A\xleftarrow {R}\mathbb {Z}_{p}^{n\times n}\),

$$\begin{aligned} Pr[\varvec{x}(\rho A^{-1})=\varvec{r}\wedge \varvec{v}(\tau A^{t})=\varvec{w}]=\frac{1}{ \# C}, \end{aligned}$$

where \(\# C=(p^{n}-1)(p^{n}-p^{n-1})\).

2.4 Complexity Assumption

Definition 2

(Three Party Diffie-Hellman Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution:

$$\begin{aligned}&\mathbb {G}:=(p,G,G_{T},e)\xleftarrow {R}\mathcal {G}, \\&g\xleftarrow {R}G, \tau ,x,y,z\xleftarrow {R}\mathbb {Z}_{p},\\&D:=(\mathbb {G},g,g^{x},g^{y},g^{z}). \end{aligned}$$

The advantage of algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:

$$\begin{aligned} Adv^{3DH}_{\mathcal {A}}(\lambda ):=|Pr[\mathcal {A}(D,g^{xyz})=1]-Pr[\mathcal {A}(D,g^{\tau +xyz})=1]|. \end{aligned}$$

We say that the Three Party Diffie-Hellman Assumption is hard if \(Adv^{3DH}_{\mathcal {A}}(\lambda )\) is negligible.

Definition 3

(Decisional Linear Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution:

$$\begin{aligned}&\mathbb {G}:=(p,G,G_{T},e)\xleftarrow {R}\mathcal {G}, \\&g,f,v\xleftarrow {R}G, c_{1},c_{2},w\xleftarrow {R}\mathbb {Z}_{p}, \\&D:=(\mathbb {G},g,f,v,f^{c_{1}},v^{c_{2}}). \end{aligned}$$

The advantage of algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:

$$\begin{aligned} Adv^{DL}_{\mathcal {A}}(\lambda ):=|Pr[\mathcal {A}(D,g^{c_{1}+c_{2}})=1]-Pr[\mathcal {A}(D,g^{c_{1}+c_{2}+w})=1]|. \end{aligned}$$

We say that the Decisional Linear Assumption is hard if \(Adv^{DL}_{\mathcal {A}}(\lambda )\) is negligible.

Definition 4

(Subspace Assumption). Given a group generator \(\mathcal {G}\), we define the following distribution \((n\ge 3, k\le \frac{n}{3})\):

$$\begin{aligned}&\mathbb {G}:=(p,G,G_{T},e)\xleftarrow {R}\mathcal {G},\ (\mathbb {B},\mathbb {B^{*}})\xleftarrow {R}Dual(\mathbb {Z}_{p}^{n}),\\&g\xleftarrow {R}G, \eta ,\beta ,\tau _{1},\tau _{2},\mu _{1},\mu _{2},\mu _{3}\xleftarrow {R}\mathbb {Z}_{p},\\&U_{1}=g^{\mu _{1}\varvec{b}_{1}+\mu _{2}\varvec{b}_{k+1}+\mu _{3}\varvec{b}_{2k+1}},\ldots ,U_{k}=g^{\mu _{1}\varvec{b}_{k}+\mu _{2}\varvec{b}_{2k}+\mu _{3}\varvec{b}_{3k}},\\&V_{1}=g^{\tau _{1}\eta \varvec{b}_{1}^{*}+\tau _{2}\beta \varvec{b}_{k+1}^{*}},\ldots ,V_{k}=g^{\tau _{1}\eta \varvec{b}_{k}^{*}+\tau _{2}\beta \varvec{b}_{2k}^{*}},\\&W_{1}=g^{\tau _{1}\eta \varvec{b}_{1}^{*}+\tau _{2}\beta \varvec{b}_{k+1}^{*}+\tau _{3}\varvec{b}_{2k+1}^{*}},\ldots ,W_{k}=g^{\tau _{1}\eta \varvec{b}_{k}^{*}+\tau _{2}\beta \varvec{b}_{2k}^{*}+\tau _{3}\varvec{b}_{3k}^{*}},\\&D:=(g^{\varvec{b}_{1}},g^{\varvec{b}_{2}},\ldots ,g^{\varvec{b}_{2k}},g^{\varvec{b}_{3k+1}},\ldots ,g^{\varvec{b}_{n}},g^{\eta \varvec{b}_{1}^{*}},\ldots ,g^{\eta \varvec{b}_{k}^{*}},\\&\qquad g^{\beta \varvec{b}_{k+1}^{*}},\ldots ,g^{\beta \varvec{b}_{2k}^{*}},g^{\beta \varvec{b}_{2k+1}^{*}},\ldots ,g^{\beta \varvec{b}_{n}^{*}},U_{1},U_{2},\ldots ,U_{k},\mu _{3}). \end{aligned}$$

The advantage of an algorithm \(\mathcal {A}\) in breaking this assumption is defined as follows:

$$\begin{aligned} Adv^{SD}_{\mathcal {A}}(\lambda ):=|Pr[\mathcal {A}(D,V_{1},\ldots ,V_{k})=1]-Pr[\mathcal {A}(D,W_{1},\ldots ,W_{k})=1]|. \end{aligned}$$

We say that the Subspace Assumption is hard if \(Adv^{SD}_{\mathcal {A}}(\lambda )\) is negligible.

Lemma 2

[15] If \(\mathcal {G}\) satisfies decisional linear assumption, then \(\mathcal {G}\) also satisfies the subspace assumption.

3 Identity-Based Encryption

3.1 Our Construction

Setup \((\lambda )\rightarrow PP,MSK.\) First, it selects a bilinear group \(\mathbf {G}\) of prime order p along with a generetor g. Then, a couple of dual orthonormal bases \((\mathbb {D},\mathbb {D^{*}})\) of dimension 6 is chosen randomly. The elements of \(\mathbb {D}\) is denoted by \(\varvec{d_{1}},\ldots ,\varvec{d_{6}}\), and the elements of \(\mathbb {D^{*}}\) is denoted by \(\varvec{d^{*}_{1}},\ldots ,\varvec{d^{*}_{6}}\). What’s more, \(\varvec{d}_{i }\cdot \varvec{d}^{*}_{i } = \psi ,\) for i = 1,...,6. It also chooses two random values \(\alpha _{1},\alpha _{2}\in \mathbb {Z_{p }}\). It publishes the public parameters:

$$\begin{aligned} PP := \{\mathbf {G},p ,e(g ,g )^{\alpha _{1}\psi },e(g ,g )^{\alpha _{2}\psi },g ^{\varvec{d_{1}}},\ldots ,g ^{\varvec{d_{4}}}\}, \end{aligned}$$

and keeps the master secret key:

$$\begin{aligned} MSK := \{g ^{\alpha _{1}\varvec{d^{*}_{1}}},g ^{\alpha _{2}\varvec{d^{*}_{3}}},g ^{\varvec{d^{*}_{1}}},\ldots ,g ^{\varvec{d^{*}_{4}}}\}. \end{aligned}$$

KeyGen(MSK, ID) \(\rightarrow SK_{ID}.\) This algorithm picks random values \(r_{1},r_{2}\in \mathbb {Z_{p }}\), and computes:

$$\begin{aligned} SK_{ID} := g ^{(\alpha _{1}+r_{1}ID)\varvec{d^{*}_{1}}-r_{1}\varvec{d^{*}_{2}}+(\alpha _{2}+r_{2}ID)\varvec{d^{*}_{3}}-r_{2}\varvec{d^{*}_{4}}}. \end{aligned}$$

Encrypt(PP, ID, M) \(\rightarrow CT.\) This algorithm picks up two random values \(s_{1},s_{2}\in \mathbb {Z_{p }}\), and computes as follows:

$$\begin{aligned} CT := \{C_{0} := M\cdot e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi },\quad C_{1} := g ^{s_{1}\varvec{d_{1}}+s_{1}ID\varvec{d_{2}}+s_{2}\varvec{d_{3}}+s_{2}ID\varvec{d_{4}}}\}. \end{aligned}$$

Decrypt(\(CT,SK_{ID}\)) \(\rightarrow M.\) This algorithm is executed as follows:

$$\begin{aligned} M :=C_{0}/e(C_{1},SK_{ID}). \end{aligned}$$

3.2 Correctness

Observe that

$$\begin{aligned} e(C_{1},SK_{ID})&= e(g ,g )^{s_{1}(\alpha _{1}+r_{1}ID)\psi -r_{1}s_{1}ID\psi +s_{2}(\alpha _{2}+r_{2}ID)\psi -r_{2}s_{2}ID\psi }\\&= e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi }, \end{aligned}$$

Thus,

$$\begin{aligned} C_{0}/e(C_{1},SK_{ID}) = M\cdot e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi }/e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi } = M. \end{aligned}$$

3.3 Proof of Security

Theorem 1

The IBE scheme can be proven fully secure based on the three party Diffie-Hellman and decisional linear assumption. Or rather, for any PPT adversary \(\mathcal {A}\), there exist a PPT algorithm \(\mathcal {B}\) with the same running time, such that

$$\begin{aligned} \texttt {Adv}^{\texttt {IBE}}_{\mathcal {A}}(\lambda ) \le (q_{1}+4)\texttt {Adv}^{\texttt {DLin}}_{\mathcal {B}}(\lambda )+\texttt {Adv}^{\texttt {3DH}}_{\mathcal {B}}(\lambda )+q_{1}/p, \end{aligned}$$

where \(q_{1}\) is the number of quereies in phase 1.

We describe our semi-functional algorithms as follows.

EncryptSF. There are two forms of semi-functional ciphertext. Type-1 semi-functional ciphertext can be generated as follows. The algorithm picks random values \(s_{1},s_{2},s_{3} \in \mathbb {Z}_{p }\). Then:

$$\begin{aligned} C_{0} := M\cdot e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi }, \quad C_{1} := g ^{s_{1}\varvec{d_{1}}+s_{1}ID\varvec{d_{2}}+s_{2}\varvec{d_{3}}+s_{2}ID\varvec{d_{4}}+s_{3}\varvec{d_{5}}+s_{3}ID\varvec{d_{6}}}. \end{aligned}$$

A semi-functional ciphertext of type-2 is as same as type-1 except that the coefficients of \(\varvec{d_{5}},\varvec{d_{6}}\) are two random values. The algorithm picks \(s_{1},s_{2},z_{5},z_{6}\in \mathbb {Z}_{p }\) randomly. Then:

$$\begin{aligned} C_{0} := M\cdot e(g ,g )^{\alpha _{1}s_{1}\psi +\alpha _{2}s_{2}\psi },\quad C_{1} := g ^{s_{1}\varvec{d_{1}}+s_{1}ID\varvec{d_{2}}+s_{2}\varvec{d_{3}}+s_{2}ID\varvec{d_{4}}+z_{5}\varvec{d_{5}}+z_{6}\varvec{d_{6}}}. \end{aligned}$$

KeyGenSF. There are two types of semi-functional keys. Type-1 semi-functional key can be generated as follows. The algorithm picks random values \(r_{1},r_{2},r_{3} \in \mathbb {Z}_{p }\). Then:

$$\begin{aligned} SK_{ID} := g ^{(\alpha _{1}+r_{1}ID)\varvec{d^{*}_{1}}-r_{1}\varvec{d^{*}_{2}}+(\alpha _{2}+r_{2}ID)\varvec{d^{*}_{3}}-r_{2}\varvec{d^{*}_{4}}+r_{3}ID\varvec{d^{*}_{5}}-r_{3}\varvec{d^{*}_{6}}}. \end{aligned}$$

A semi-functional key of type-2 is as same as type-1 except that the coefficients of \(\varvec{d^{*}_{5}},\varvec{d^{*}_{6}}\) are two random values. The algorithm picks \(r_{1},r_{2},r_{5},r_{6}\in \mathbb {Z}_{p }\) randomly. Then:

$$\begin{aligned} SK_{ID} := g ^{(\alpha _{1}+r_{1}ID)\varvec{d^{*}_{1}}-r_{1}\varvec{d^{*}_{2}}+(\alpha _{2}+r_{2}ID)\varvec{d^{*}_{3}}-r_{2}\varvec{d^{*}_{4}}+r_{5}\varvec{d^{*}_{5}}+r_{6}\varvec{d^{*}_{6}}}. \end{aligned}$$

Game Sequence. We let \(\texttt {Adv}^{\texttt {Game}_{X}}_{\mathcal {A}}\) denote an adversary \(\mathcal {A}^{'}s\) advantage in \(\texttt {Game}_{X}\).

  • \(\texttt {Game}_{\texttt {Real}}\): the real security game.

  • \(\texttt {Game}_{\texttt {0}}\): there is no difference the with \(\texttt {Game}_{\texttt {Real}}\) except that challenge ciphertext becomes type-1 semi-functional ciphertext.

  • \(\texttt {Game}_{\texttt {1}}\): there is no difference the with \(\texttt {Game}_{\texttt {0}}\) except that the challenge ciphertext becomes type-2 semi-functional ciphertext.

  • \(\texttt {Game}_{\texttt {2,i }}\) for i = 0,...,\(q_{1}\) : there is no difference the with \(\texttt {Game}_{\texttt {1}}\) except that the first i keys become type-2 semi-functional keys. We let \(\texttt {Game}_{\texttt {2,0}}\) denote \(\texttt {Game}_{\texttt {1}}\), and \(\texttt {Game}_{\texttt {2},\texttt {q}_{1}}\) denote \(\texttt {Game}_{\texttt {2}}\).

  • \(\texttt {Game}_{\texttt {3}}\): there is no difference the with \(\texttt {Game}_{\texttt {2}}\) except that the challenge ciphertext becomes type-1 semi-functional ciphertext.

  • \(\texttt {Game}_{\texttt {4}}\): there is no difference the with \(\texttt {Game}_{\texttt {3}}\) except that the last \(q_{2}\) keys are all type-1 semi-functional keys.

  • \(\texttt {Game}_{\texttt {5}}\): there is no difference the with \(\texttt {Game}_{\texttt {4}}\) except that the last \(q_{2}\) keys are all type-2 semi-functional keys.

  • \(\texttt {Game}_{\texttt {Final}}\): there is no difference the with \(\texttt {Game}_{\texttt {5}}\) except that we encrypt a random message \(M'\in \mathbf {G}_{T}\) as the challenge ciphertext.

From \(\texttt {Game}_{\texttt {1}}\) to \(\texttt {Game}_{\texttt {2},q_{1}}\), we convert the first \(q_{1}\) keys from normal to semi-functional type-2 one after another, which requires \(\mathcal {O}(q_{1})\) steps. However, as to the last \(q_{2}\) keys, we can modify them from semi-functional type-1 to type-2 all at once. Hence, we can get a tighter reduction, \(\mathcal {O}(q_{1})\).

Theorem 1 is accomplished in the following lemmas.

Lemma 3

Suppose that there is an adversary \(\mathcal {A}\) can break our scheme in polynomial-time, then we can construct an algorithm \(\mathcal {B}\) with the same running time, to break the subspace assumption with \(k=2, n=6\).

Lemma 4

For any adversary \(\mathcal {A}\), \(\texttt {Adv}^{\texttt {Game}_{\texttt {0}}}_{\mathcal {A}}(\lambda )\) = \(\texttt {Adv}^{\texttt {Game}_{\texttt {1}}}_{\mathcal {A}}(\lambda )\).

Lemma 5

Suppose that there is an adversary \(\mathcal {A}\) can break our scheme in polynomial-time, then we can construct an algorithm \(\mathcal {B}\) with the same running time, to break the subspace assumption with \(k=2, n=6\).

Lemma 6

For any adversary \(\mathcal {A}\), \(\texttt {Adv}^{\texttt {Game}_{\texttt {2}}}_{\mathcal {A}}(\lambda )\) = \(\texttt {Adv}^{\texttt {Game}_{\texttt {3}}}_{\mathcal {A}}(\lambda )\).

Lemma 7

Suppose that there is an adversary \(\mathcal {A}\) can break our scheme in polynomial-time, then we can construct an algorithm \(\mathcal {B}\) with the same running time, to break the subspace assumption with \(k=2, n=6\).

Lemma 8

Suppose that there is an adversary \(\mathcal {A}\) can break our scheme in polynomial-time, then we can construct an algorithm \(\mathcal {B}\) with the same running time, to break the three party Diffie-Hellman assumption.

Lemma 9

Suppose that there is an adversary \(\mathcal {A}\) can break our scheme in polynomial-time, then we can construct an algorithm \(\mathcal {B}\) with the same running time, to break the subspace assumption with \(k=2, n=6\).

The proofs of Lemmas 3–9 are given in full version.

4 Conclusions

We have presented a fully secure IBE with tighter security in prime order bilinear groups. The full security of our scheme has been proven under DLIN and 3-DH assumption by extending dual system encryption over dual pairing vector space. We used the technique of delayed parameters to achieve the tighter reduction. What’s more, it would be interesting to apply this technique to obtain more advanced functional encryption [18] such as inner product encryption [19].