Pownie
/
shit_papers_project
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

A whole lot more

This commit is contained in:
= 2019-12-18 02:26:02 +01:00
parent a96217d24e
commit cf066d4e3e
5 changed files with 294 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
papers/2014_01.pdf Normal file
View File

Binary file not shown.

BIN
papers/318.pdf Normal file
View File

Binary file not shown.

BIN
papers/bilinear-maps.pdf Normal file
View File

Binary file not shown.

46
refs.bib
View File

@ -13,6 +13,16 @@ link={https://www.oxfordlearnersdictionaries.com/definition/english/encrypt}
year = 1998
}
@misc{BMDef,
author = {John Bethencourt},
title = {Intro to Bilinear Maps},
howpublished = {CS Deparment at Carnegie Mellon University},
email = {bethenco@cs.cmu.edu},
year = 2015,
url = {https://people.csail.mit.edu/alinush/6.857-spring-2015/papers/bilinear-maps.pdf}
}
@InProceedings{WeilIBE,
author="Boneh, Dan
and Franklin, Matt",
@ -69,3 +79,39 @@ pages="171--188",
abstract="We present new techniques for achieving adaptive security in broadcast encryption systems. Previous work on fully collusion resistant broadcast encryption systems with very short ciphertexts was limited to considering only static security.",
isbn="978-3-642-01001-9"
}
@inproceedings{AHBE,
author = {Wu, Qianhong and Qin, Bo and Zhang, Lei and Domingo-Ferrer, Josep},
title = {Ad Hoc Broadcast Encryption},
booktitle = {Proceedings of the 17th ACM Conference on Computer and Communications Security},
series = {CCS '10},
year = {2010},
isbn = {978-1-4503-0245-6},
location = {Chicago, Illinois, USA},
pages = {741--743},
numpages = {3},
url = {http://doi.acm.org/10.1145/1866307.1866416},
doi = {10.1145/1866307.1866416},
acmid = {1866416},
publisher = {ACM},
address = {New York, NY, USA},
keywords = {ad hoc broadcast, asymmetric group key agreement, broadcast encryption},
}
@InProceedings{BESecDef,
author="Kim, Jongkil
and Susilo, Willy
and Au, Man Ho
and Seberry, Jennifer",
editor="Cao, Zhenfu
and Zhang, Fangguo",
title="Efficient Semi-static Secure Broadcast Encryption Scheme",
booktitle="Pairing-Based Cryptography -- Pairing 2013",
year="2014",
publisher="Springer International Publishing",
address="Cham",
pages="62--76",
abstract="In this paper, we propose a semi-static secure broadcast encryption scheme with constant-sized private keys and ciphertexts. Our result improves the semi-static secure broadcast encryption scheme introduced by Gentry and Waters. Specifically, we reduce the private key and ciphertext size by half. By applying the generic transformation proposed by Gentry and Waters, our scheme also achieves adaptive security. Finally, we present an improved implementation idea which can reduce the ciphertext size in the aforementioned generic transformation.",
isbn="978-3-319-04873-4"
}

261
report.tex
View File

@ -1,4 +1,5 @@
\documentclass{article}
\usepackage{amsthm}
\usepackage{bm}
\usepackage{amsmath}
\usepackage{graphicx}
@ -9,6 +10,11 @@
\usepackage[autostyle]{csquotes}
\usepackage{xspace}
\usepackage[margin=1.25in]{geometry}
\usepackage{wasysym}
\newtheorem{definition}{Definition}
\newtheorem{theorem}{Theorem}
\newcommand{\horrule}[1]{\rule{\linewidth}{#1}} % Create horizontal rule command with 1 argument of height
\newcommand{\ID}{\texttt{ID}\xspace}
@ -20,6 +26,13 @@
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\Gm}{\mathbb{G}}
\newcommand{\Gmp}[1]{\mathbb{G}#1}
\newcommand{\la}{\leftarrow}
\newcommand{\ra}{\rightarrow}
\newcommand{\U}{\mathcal{U}}
\newcommand{\CH}{$\mathcal{C}\mathcal{H}$\xspace}
\newcommand{\hdr}{\text{Hdr}}
\author{Alexander Munch-Hansen \\ 201505956}
@ -35,6 +48,8 @@
\date{\today}
\begin{document}
\maketitle
\tableofcontents
\newpage
\section{Introduction}
By definition, \emph{Encryption} is the process of converting information into a \emph{code} with the purpose of preventing unauthorized access \cite{oxford}. Traditionally, the way this was accomplished was via some a priori established secret key $k$, which could then be used both for \emph{encryption}, but also for \emph{decryption}. This concept was then challenged by the concept of \emph{Public Key Cryptography}, which allows two parties to communicate with each other in a secure and private fashion, without having already shared the aforementioned secret key. This allowed each party to have a \emph{Public Key} and a \emph{Secret Key}, which could then be used to encrypt and decrypt, respectively. This works well and is used in many applications, such as \emph{SSH} and \emph{SSL}. It does however have one caveat. \emph{Public Key Encryption} is notoriusly slow, compared to the \emph{Symmetrical}-scheme with only a single key, but if you wish to send to several people you will need to encrypt whatever you wish to send several times, once for each party and furthermore, public key encryption is very \emph{all-or-nothing}. Either a single party can decrypt what you send and see everything, or she will not be able to decrypt and thus see nothing.
@ -49,6 +64,22 @@ Full blown functional encryption is however quite a mouthful to implement in an
\section{Syntax and preliminaries}
\subsection{Bilinear Maps}
Let $p$ be a large prime number. Let $\mathbb{G}_1, \mathbb{G}_2$ be two groups of order $p$ and let $\mathbb{G}_T$ also be a group of order $p$. Let $g_1$ be a generator of $\mathbb{G}_1$ and let $g_2$ be a generator of $\mathbb{G}_2$. $e : \mathbb{G}_1 \times \mathbb{G}_2 \ra \mathbb{G}_T$ is then a bilinear map satisfying the following properties \cite{BMDef}:
\begin{itemize}
\item \emph{Bilinearity}: For all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$ and $a,b \in \mathbb{Z}$; $e(u^a, v^b) = e(u,v)^{ab}$
\item \emph{Non-degeneracy}: $e(g_1,g_2) \neq $The identity of $\mathbb{G}_T$
\item \emph{Computability}: For all $u \in \mathbb{G}_1$, $v \in \mathbb{G}_2$, $e(u,v)$ should be efficiently computable.
\end{itemize}
\subsection{Mathmatical Assumptions}
All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this.
\subsubsection{The BDHE Assumption}
This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$?
\subsection{Identity-Based Encryption}
\textbf{Identity-Based Encryption.} \quad An Identity-Based encryption scheme is specified by four different algorithms, all containing some sort of randomness: \texttt{Setup, Extract, Encrypt, Decrypt}: \vspace{3mm} \\
\-\hspace{5mm}\textbf{Setup:}\quad Takes some security parameter $k$ and returns the system parameters and a master-key. These system parameters include a description of a finite message space $\mathcal{M}$ as well as a description of a finite ciphertext space $\mathcal{C}$. These parameters are known publicly, wherre the master-key is known only to the trusted authority, the so called Private Key Generator (\texttt{PKF}). \vspace{3mm} \\
@ -80,19 +111,41 @@ An Identity-Based Encryption scheme is semantically secure against an adaptive c
This definition closely resembles the standard definition of \texttt{IND-CPA} but extended with the addition of extraction queries and that the challenger is now challenged on an \ID picked by the adversary. The addition of the extraction queries is supported by \cite{ExtractionDef}, when the scheme is to support multiple users, which is likely the case for any IBE scheme. Furthermore, the weaker notion of security known as \emph{Semantic Security} (\texttt{IND-ID-CPA}) can be defined based on \texttt{IND-ID-CCA}, except now the adversary is not allowed to issue any decryption queries, i.e. he is only allowed extraction queries.
\subsection{Broadcast Encryption}
\subsubsection{security defintions}
\label{sec:BESec}
We define three levels of security, \emph{Static, Semi-Static} and \emph{Adaptive}. For the sake of simplicity, we will explain Semi-static and then emphasise the differences. Note that Semi-static security is stronger than Static security, but weaker than Adaptive. The definition of Semi-Static is due to Gentry and Waters \cite{BESecDef, GentryWaters}. \vsp{4mm}
\hsp{5mm}\textbf{Initialisation:}\quad The adversary \adv{A} first commits to a \emph{potential} set of receivers which he wishes to attack, $\tilde{S}$, and outputs this. \vsp{3mm}
\hsp{5mm}\textbf{Setup:}\quad The challenger \CH runs the $BSetup(n, \ell)$ algorithm of the BE scheme, obtaining a public key PK. \CH gives this PK to \adv{A}. \vsp{3mm}
\hsp{5mm}\textbf{Key Extraction Phase:}\quad The adversary \adv{A} is allowed to issue private key queries for indices $i \in [n] \setminus \tilde{S}$, i.e. he is allowed to ask for the private keys of any user not in the set of potential receivers. \vsp{3mm}
\hsp{5mm}\textbf{Challenge:}\quad Once the adversary \adv{A} has extracted all desired keys, he specifies an attack set $S^* \subseteq \tilde{S}$, on which he wants to be challenged. The challenger \CH then sets $(\hdr^*, k_0) \leftarrow BEnc(S^*, PK)$ and $k_1 \in_R \mathcal{K}$. Then $b \in_R \{0,1\}$ and \CH sends $(\hdr^*, k_b)$ to \adv{A}. \vsp{3mm}
\hsp{5mm}\textbf{Guess:}\quad Adversary \adv{A} outputs a guess $b' \in \{0,1\}$ and he wins if $b' = b$. \\ \\
\noindent
The advantage of \adv{A} is then defined as: $$Adv_{SS,BE,n,\ell}(\lambda) = |Pr(b'=b) - \frac{1}{2}|$$
Static security is the least strongest type and it requires the adversary to commit to a set of which he wants to be challenged on, in the initialisation phase, rather than the potential set the Semi-static adversary has to commit to. Adaptive security is arguably the most desired and correct type, as it enforces nothing in regards to the attack set $S^*$. The adversary is allowed to see the PK and ask for several private keys, before choosing which set he wishes to attack. We note here, that due to Gentry and Waters \cite{GentryWaters}, we can transform a Semi-statically secure BE scheme to an Adaptively secure BE scheme.
\subsection{Ad-Hoc Broadcast Encryption}
An \emph{Ad-Hoc Broadcast Encryption} system is defined to be \textbf{correct} if any user within the receiver set $S$ can decrypt a valid header. In an adaptively secure ad-hoc broadcast encryption system, the adversary is allowed access to all the public keys of the receivers and to ask for several secret keys before choosing the set of indices that the adversary wishes to attack.
\subsubsection{Security Definition of Adaptive Security in AHBE}
Both the Challenger and an adversary \adv{A} are both given the security parameter $\lambda$. \vsp{3mm}
\hsp{5mm}\textbf{Setup:}\quad The Challenger runs $KeyGen(i, n, N)$ to obtain the users' public key. These public keys and the public parameters are given to the adversary \adv{A}. \vsp{3mm}
\hsp{5mm}\textbf{Corruption:}\quad Adversary \adv{A} is allowed to adaptively issue private key queries for \emph{some} indices $i \in [N]$. \vsp{3mm}
\hsp{5mm}\textbf{Challenge:}\quad \adv{A} specifies some challenge set $S^* \subseteq [N]$ s.t. \adv{A} has corrupted none of the users $i$ within $S^*$. The challenger sets $(\text{Hdr}^*, k_0) \leftarrow \texttt{AHBEnc}(S^*, (pk_i)_{S^*})$ and $k_1 \in_R \mathbb{K}$. The challenger sets $b \in_R \{0,1\}$. It gives $(\text{Hdr}^*, k_b)$ to the adversary \adv{A}. \vsp{3mm}
\hsp{5mm}\textbf{Guess:}\quad The adversary \adv{A} will output a bit $b' \in \{0,1\}$ as an attempt to guess the bit $b$. \adv{A} wins if $b' = b$. \\ \\
\noindent
The advantage of \adv{A} is as expected; $Adv^{\texttt{AHBE}}_{\mathcal{A},n,N}(1^\lambda) = |Pr(b = b') - \frac{1}{2}|$.
% TODO: Write security definitions of BE
% TODO: Finish this section on the security definition of IBE as well as Bilinear Maps and BDH
% TODO: Write up all of the mathematical assumptions
% TODO: Write of the Threshold Public Key Encryption Scheme; https://www.di.ens.fr/david.pointcheval/Documents/Papers/2008_crypto.pdf
% TODO: Write up the different security definitions for BE systems, Static, Semi-Static and Adaptive
\subsection{Mathmatical Assumptions}
All of the following mathmatical assumptions will be derived from the \emph{Diffie-Hellman} assumption. The reader is assumed to be familiar with this.
\subsubsection{The BDHE Assumption}
This is defined for a specific $m$ which could for instance be taken as a parameter. Let \G and \Gp{_T} be groups of order $p$ with a bilinear map $e: \Gm \times \Gm \rightarrow \Gmp{_T}$ and let $g \in G$ be a generator. Set $a,s \in_R \Z^*_p$ and $b \in_R \{0,1\}$. If $b=0$, then set $Z = e(g,g)^{a^{m+1} \cdot s}$; $Z \in_R \Gm_T$ otherwise. The problem is then, given $g^s, Z, \{g^{a^i}: i \in [0,m] \cup [m+2, 2m]\}$, what is the value of $b$?
\section{Broadcast Encryption}
\label{sec:BE}
Broadcast Encryption systems \cite{BEDef} in a nutshell, allows one sender to send to a subset $S \subseteq [n]$ of users with a single message. Traditionally, the user would have to encrypt this message once per user in a horribly inefficient manner. This is fixed, by defining the encryption key in such a way to allow for any user within the $S$ to decrypt the message, while not allowing anyone outside of $S$ to do so. It is preferable for this kind of schem to be \emph{public key based}, rather than symmetric. This allows any user to encrypt. It should allow \emph{stateless receivers} s.t. users won't need to keep any state such as updating a private key, and the system should be \emph{fully collusion resistant}, i.e. not allow decryption even if everybody outside of the set $S$ cooperated.
In a sense, Broadcast Encryption Systems can be related to notion of \emph{Threshold Public Key Encryption Systems} (\texttt{TPKE}) if we define the authorized set of the \texttt{TPKE} system to be equal to $S$ and the threshold parameter $t$ is set to be $1$. This is only true however, for the specific value of $t=1$, thus, specialized systems can be designed for the purpose of being broadcast encryption systems. In this paper we will focus on a scheme due to Gentry and Waters \cite{GentryWaters}.
@ -100,17 +153,17 @@ In a sense, Broadcast Encryption Systems can be related to notion of \emph{Thres
% TODO, maybe new page this
\subsection{Their construction}
\label{GentryWatersConst}
\label{sec:GentryWatersConst}
Let $GroupGen(\lambda,n)$ be an algorithm which generates a group \G and \Gp{_T} of prime order $p = poly(\lambda, n) > n$ with a bilinear map $e : \mathbb{G} \times \mathbb{G} \rightarrow \mathbb{G}_T$, based on a security parameter $\lambda$. \vsp{5mm}
\-\hspace{5mm}\textbf{Setup$(n,n)$:}\quad Run $(\mathbb{G}, \mathbb{G}_T, e) \xleftarrow{R} GroupGen(\lambda, n)$. Set $\alpha \in_R \Z_p$ and $g,h_1,\dots,h_n \in_R \mathbb{G}^{n+1}$. Finally, set $PK = (\mathbb{G}, \mathbb{G}_T, e), g, e(g,g)^\alpha, h_1, \dots, h_n$. The secret key is $SK = g^\alpha$. The result is the pair $(PK, SK)$. \vspace{3mm} \\
\-\hspace{5mm}\textbf{Setup$(\lambda,n)$:}\quad Run $(\mathbb{G}, \mathbb{G}_T, e) \xleftarrow{R} GroupGen(\lambda, n)$. Set $\alpha \in_R \Z_p$ and $g,h_1,\dots,h_n \in_R \mathbb{G}^{n+1}$. Finally, set $PK = (\mathbb{G}, \mathbb{G}_T, e), g, e(g,g)^\alpha, h_1, \dots, h_n$. The secret key is $SK = g^\alpha$. The result is the pair $(PK, SK)$. \vspace{3mm} \\
\-\hspace{5mm}\textbf{KeyGen$(i, SK)$:}\quad Set $r_i \in_R \Z_p$ and output; $$d_i \leftarrow (d_{i,0},\dots,d_{i,n}) \quad \text{ where } \quad d_{i,0} = g^{-r_i}, \quad d_{i,i} = g^\alpha h^{r_i}_i, \quad d_{i,j \text{ for } i\neq j} h^{r_i}_j$$ \vspace{3mm} \\
\-\hspace{5mm}\textbf{Encrypt$(S, PK)$:}\quad Set $t \in_R \Z_p$ and $$Hdr = (C_1,C_2), \quad \text{ where }\quad C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_i)^t $$ Finally, set $K = e(g,g)^{t\cdot \alpha}$. Output $(K, Hdr)$. \vspace{3mm} \\
\-\hspace{5mm}\textbf{Decrypt$(S,i,d_i,\text{Hdr}, PK)$:}\quad Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ \vsp{3mm}
\-\hspace{5mm}\textbf{Decrypt}$(S,i,d_i,\text{Hdr}, PK)$\textbf{:}\quad Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ \vsp{3mm}
\hsp{5mm} \textbf{Correctness:}\quad Correctness is given by;
\begin{align*}
K &= e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2) \\
&= e(g^{\alpha}h^{r_i}_i \cdot (\prod_{j \in S \setminus \{i\}} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{i \in S}h_i)^t) \\
&= e(g^{\alpha}h^{r_i}_i \cdot (\prod_{j \in S} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{i \in S}h_i)^t) \\
&= e(g^{\alpha}h^{r_i}_i \cdot (\prod_{j \in S \setminus \{i\}} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{j \in S}h_j)^t) \\
&= e(g^{\alpha} \cdot (\prod_{j \in S} h_j)^{r_i}, g^t) \cdot e(g^{-r_i}, (\prod_{j \in S}h_j)^t) \\
&= e(g,g)^{t \cdot \alpha}
\end{align*}
@ -128,8 +181,190 @@ h_i =
g^{y_i + a^{i}} & \text{ for } i \in [1,n] \setminus \tilde{S}
\end{cases}
$$
\adv{B} then sets $\alpha = y_0 \cdot a^{n+1}$. $PK$ is then defined as the scheme dictates where the only oddity is $e(g,g)^\alpha$, which can be computed as $e(g^a,g^{a^{n}})^{y_0}$ due to the definition of $\alpha$. $PK$ is sent to \adv{A}.
% TODO: Finish this proof
\adv{B} then sets $\alpha = y_0 \cdot a^{n+1}$. $PK$ is then defined as the scheme dictates where the only oddity is $e(g,g)^\alpha$, which can be computed as $e(g^a,g^{a^{n}})^{y_0}$ due to the definition of $\alpha$. $PK$ is sent to \adv{A}. \vsp{3mm}
\hsp{5mm} \textbf{Private Key Queries:}\quad \adv{A} is allowed to query private keys for indices $i \in [n] \setminus \tilde{S}$. Intuitively, you should not be allowed to query the indices of which you wish to be challenged. To answer a query, \adv{B} will generate a $z_i \in_R \Z_p$ and set $r_i = z_i - y_0 \cdot a^{n+1-i}$. \adv{B} then outputs
$$ d_i = (d_{i,0},\dots,d_{i,n})\quad \text{ where } \quad d_{i,0} = g^{-r_i},\quad d_{i,i} = g^\alpha h^{r_i}_i, \quad d_{i,j \text{ where } i\neq j}h^{r_i}_j $$
\hsp{5mm} \textbf{Challenge:}\quad \adv{A} will then choose a subset $S^* \subseteq \tilde{S}$ to which \adv{B} sets:
$$\text{Hdr} = (C_1, C_2) \quad \text{ where } C_1 = g^s, \quad C_2 = (\prod_{j \in S^*}h_j)^s$$
Note that $g^s$ comes from the original challenge and due to the construction of the $h_j$ values, $C_2$ is computable, as \adv{B} knows the discrete log of each of them, specifically $h_j = g^{y_j}$, as long as $j \in \tilde{S}$.
\adv{B} sets $K = Z^{y_0}$ (The original; $K = Z$) and sends $(\text{Hdr},K)$ to \adv{A}. \vsp{3mm}
\hsp{5mm} \textbf{Guess:}\quad \adv{A} will output a guess $b'$. \adv{B} forwards this bit to the Challenger. \vsp{3mm}
\hsp{5mm} \textbf{Security:}\quad This simulation intuitively works, as if \adv{A} returns $b' = 0$ then the pair $(\text{Hdr}, K)$ is generated according to the same distribution as in the real world, according to \adv{A}. This is also true for \adv{B}'s simulation, as for $b=0$, $K = e(g,g)^{\alpha \cdot s} = e(g,g)^{(a^{n+1} \cdot s) \cdot y_0} = Z^{y_0}$, so it's a valid ciphertext under randomness $s$. When $b=1$, the $K$ is however picked randomly from $\mathcal{K}$, resulting in a correctly header Hdr with randomness $s$, but the ciphertext is random. \\ \\
\noindent
This construction we'll be the foundation of the \emph{Ad-Hoc Broadcast Encryption} which we will explore shortly and likewise will this proof be brought up when exploring possible proofs of security of said \emph{Ad-Hoc Broadcast Encryption} scheme.
% TODO: Fix those [1,n]. I want [n] everywhere, instead. Also mention that [n] is shorthand for it
% TODO: The dynamic threshold encryption scheme
% TODO: Discuss DBDH assumption
\section{Ad-Hoc Broadcast Encryption}
The scheme presented in \ref{sec:BE} requires a \emph{trusted dealer} to perform its \emph{setup} and \emph{keygen}. It goes for a lot of \emph{Broadcast Encryption} systems, that they require a trusted entity to generate and distribute secret keys to all users. This tends to make the system very rigid and not applicable to ad hoc networks or peer-to-peer networks. A \emph{potential} solution to this is presented by \cite{AHBE}. They present a solution to the fully dynamic case of broadcast encryption. This has significant ties to the \emph{Dynamic Threshold Encryption} scheme in which users could freely join and leave, however they did not quite get rid of the trusted dealer. This is accomplished here. Keep in mind that broadcast encryption is simply threshold encryption for the threshold of $t=1$.
In an Ad-Hoc Broadcast Encryption (\textbf{AHBE}) scheme all users possess a public key and by only seeing the public keys of users, a sender can securely broadcast to \emph{any} subset of the users. Only users within the picked subset can decrypt the message. To accomplish this, the authors create a generic transformation from any \emph{key homomorphic} BE scheme to an \emph{AHBE} scheme. It turns out that the scheme of Gentry and Waters presented in \ref{sec:BE} is just this and the transformation will be performed on this.
% TODO: All shorthand things such as AHBE and KEM should be in texttt rather than textbf
% TODO: All recipient sets should be S, not R.
% TODO: It's always (Hdr, K), not (K, Hdr)
\subsection{Modelling AHBE systems}
As an AHBE system eliminate the trusted dealer, the \emph{setup} and \emph{keygen} step morph together, as there is no global \emph{setup} step required, but merely something each user should locally run. As all other schemes defined in this paper, this too is defined to be a \emph{Key Encapsulation Method} (\texttt{KEM}). \vsp{4mm}
\hsp{5mm}\textbf{KeyGen$(i,n,N)$:}\quad Let $N$ be defined as the number of potential receivers of the scheme and let $n \leq N$ be defined as the maximum number of receivers of an ad-hoc broadcast recipient group. The \emph{KeyGen} (this) algorithm is run by each user $i \in [N]$ to create her own public/secret key pair. A user takes $n, N$ as well as her own index $i \in [N]$. It's not mentioned how the user receives this index in practice, without simply having a central authority giving them, but one could imagine the users being aware of how many recipients there are in total and simply increment this to get their own index, if one disregards the issues of people joining the peer-to-peer network at the same time. The \emph{KeyGen} algorithm outputs the users public/secret key pair $(pk_i,sk_i)$. We define a shorthand for several users key pairs; $\{(pk_i, sk_i) | i \in S \subseteq [N] $ as $(pk_i,sk_i)_{S}$ and likewise only for the public keys; $(pk_i)_{S}$. All of this depends on a security parameter $\lambda$, which is implicitly given to the algorithm. \vsp{3mm}
\hsp{5mm}\textbf{AHBEnc$(\mathbb{R}, (pk_i)_{S})$:}\quad This is run by any sender who may or may not be in $[N]$, as long as the sender knows the public keys of the receivers. It takes the recipient set $S \subseteq [N]$ and the public keys for $i \in S$; $(pk_i)_{S}$. Given that $|S| \leq n$, the algorithm returns a pair $(\text{Hdr}, K)$ where Hdr is the header, the encapsulated key, and $K$ is the message encryption key. \vsp{3mm}
\hsp{5mm}\textbf{AHBDec$(\mathbb{R}, j, sk_j,$}$ \text{Hdr}, (pk_i)_{S})$\textbf{:}\quad This allows each recipient $i \in S$ to decrypt the message encryption key which is hidden in the header. If $|S| \leq n, j \in S$, then the algorithm returns the message encryption key $k$.
\subsection{Key Homomorphism}
As mentioned, the authors present a transformation for any key homomorphic BE scheme. As such, we'll quickly define this.
% Reference the AHBE article
\begin{definition}[Key Homomorphism]
\normalfont Let $\oplus : \Gamma \times \Gamma \rightarrow \Gamma$, $\odot : \Omega \times \Omega \rightarrow \Omega$ and $\ocircle : \mathbb{K} \times \mathbb{K} \rightarrow \mathbb{K}$ be efficient operations in the public key space $\Gamma$, the decryption key space $\Omega$ and the message encryption key space $\mathbb{K}$, respectively. A BE scheme is then said to be homomorpic if the following conditions hold for all $S \subseteq [N]$ for $|S| \leq n$ and all $i \in S$:
\begin{enumerate}
\item If $(PK_1, SK_1) \leftarrow $\texttt{BSetup}$(n,N)$, where BSetup is the setup algorithm for the BE scheme, \vsp{2mm}
$(PK_2, SK_2) \leftarrow $\texttt{BSetup}$(n,N)$, \vsp{2mm}
$(d_1(i) \la $ \texttt{BKeyGen}$(i, SK_1)$, \vsp{2mm}
$(d_2(i) \la $ \texttt{BKeyGen}$(i, SK_2)$, \vsp{2mm}
$(\text{Hdr}, k) \la $\texttt{BEnc}$(\mathbb{R}, PK_1 \oplus PK_2)$, \vsp{2mm}
then \texttt{BDec}$(\mathbb{R}, i, d_1(i) \odot d_2(i), \text{Hdr}, PK_1 \oplus PK_2) = k$.
\item \text{If Hdr is a header of} $k_1$ under $(\mathbb{R}, PK_1)$ and also a header of some $k_2$ under $(\mathbb{R}, PK_2)$, then it also a header of $k_1 \ocircle k_2$ under $(\mathbb{R}, PK_1 \oplus PK_2)$.
\end{enumerate}
\end{definition}
\subsection{Transforming KHBE to AHBE}
The main idea behind their proposed transformation is to use the homomorphic property of the keys of the underlying KHBE scheme, as illustrated in Figure \ref{fig:KHBEMatrix}, where a question mark (?) indicates that, that specific key is not published, i.e. $d_i(i)$ for $i = 1,\dots,n$, thus, every other key is published as a part of the different public keys.
\begin{figure}
\[
\begin{pmatrix}
\U_1 & \U_2 & \U_3 & \dots & \U_n & \texttt{sender} \vsp{3mm}
? & d_1(2) & d_1(3) & \dots & d_1(n) & PK_1 \vsp{2mm}
d_2(1) & ? & d_2(3) & \dots & d_2(n) & PK_2 \vsp{2mm}
d_3(1) & d_3(2) & ? & \dots & d_3(n) & PK_3 \vsp{2mm}
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \vsp{2mm}
d_n(1) & d_n(2) & d_n(3) & \dots & ? & PK_n
\end{pmatrix}
\]
\caption{Matrix explaining the connection between the different keys of the different users}
\label{fig:KHBEMatrix}
\end{figure}
Within Figure \ref{fig:KHBEMatrix}, the $PK_i$ is the public key of the BE instance specifically generated by user $i$. A decryption key $d_i(j)$ is generated by user $i$ for user $j$, in the underlying scheme. Each row is then published ($PK_i$) by the corresponding member of the group of broadcast receivers, $U_i$, but their own specific decryption key , $d_i(i)$ is not published. The key homomorphism then allow for an arbitrary receiver set $S$, as all of the public keys for $i \in S$ can be easily aggregated; $\oplus_{i \in S} PK_i = PK_{AHBE}$ into a new public key of a new instance of the underlying BE scheme, such that the $j$'th column $\{d_i(j)\}^n_{i=1}$ can be aggregated into a decryption key for this instance; $d(j) = \odot_{i \in S}d_i(j)$, i.e. a decryption key for the public key $PK_{AHBE}$. Since the diagonal of the matrix is not published, only user $\U_i$ knows $d_i(i)$ and is thus the only one who can compute $d(i)$. This results in a system where a sender can choose any receiver set $S \subseteq[N]$ and broadcast to this set under the key $PK_{AHBE} = \oplus_{i \in S} PK_i$ and only users $\U_i$ for $i \in S$ can decrypt using their decryption key $d(i)$. As $PK_{AHBE}$ functions like a public key for a regular BE scheme where all users have decryption keys, if $j \not\in S$, user $\U_j$ won't be able use her decryption key $d(j) = \odot_{i \in S}d_i(j)$, as only users in the intended recipient set can decrypt in the new scheme. Note that it is a requirement of the scheme, that all $PK_i$ should be computationally independent and \emph{different}. Intuiviely, if they are not different such that $d_1(1) = d_2(1)$, it's trivial to compute the decryption key of user $\U_1$, by simply looking at the data published by $\U_2$.
% TODO: Be very consistent in what you call the public keys of the AHBE scheme!
\subsubsection{Formal Conversion from KHBE to AHBE}
% TODO: Perhaps mention that anything with B infront of it, is something belonging to a broadcast scheme
As discussed, an AHBE scheme consist of three algorithms; \texttt{KeyGen, AHBEnc, AHBDec}. \vsp{4mm}
\hsp{5mm}\textbf{KeyGen:}\quad Let the potential receivers be a set $\{1,\dots,N\}$. Let $n \leq N$ be the maximum number of recipients within a single broadcast. For simplicity, we assume that $n = N$. Generate an instance $\pi$ of a KHBE scheme and let this be a system parameter. The KeyGen algorithm then does the following:
\begin{itemize}
\item For receiver $i \in [n]$, invoke the setup algorithm of the BE Scheme used by the underlying KHBE scheme; \texttt{BSetup}, to generate a public/private key pair $(PK_i, SK_i)$ for the KHBE scheme.
\item Receiver $i$ runs \texttt{BKeyGen} and obtains $d_i(j) \leftarrow \text{BKeyGen}(j,SK_i)$ for $j = 1,\dots,n$. The public key of the specific receiver $i$ in the AHBE scheme is then:
$$PK_{AHBE} = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$$ Where $PK_i$ came from the BSetup call.
\item The private key of receiver $i$ is then set to be the \emph{unpublished} $d_i(i)$.
\end{itemize} \vspace{3mm}
\hsp{5mm}\textbf{AHBEnc:}\quad Computes the header and key for a receiver set $S$ in the following way:
\begin{itemize}
\item Pick receiver set $S \subseteq [n]$
\item Compute the public key of the broadcast:
$$PK_{AHBE} = \oplus_{i \in S} PK_i$$
\item Invoke the underlying KHBE encryption algorithm BEnc$(\cdot)$ in order to compute the header of the key:
$$(Hdr, k) \la BEnc(S, PK_{AHBE})$$
and send $(S, Hdr)$ to the receiver set.
\end{itemize} \vspace{3mm}
\hsp{5mm}\textbf{AHBDec:}\quad Due to the underlying KHBE scheme, the receiver $i \in S$ can compute a decryption key for the AHBE public key $PK_{AHBE}$ by computing:
$$d(i) = d_i(i) \odot\{\odot_{j \in S}^{j \neq i} d_j(i)\} = \odot_{j \in S} d_j(i)$$
As only user $\U_i$ knows $d_i(i)$ only she can compute $d(i)$. Due to the homomorphism of the KHBE scheme, $d(i)$ is a valid decryption key for the public key $PK_{AHBE}$, as long as $i \in S$. To perform this decryption, each user $\U_i$ for $i \in S$, invokes the KHBE decryption algorithm BDec$(\cdot)$;
$$k = BDec(S, i, d(i), Hdr, K) $$
\subsection{Proof of security}
The security of the AHBE scheme is proven by a reduction to the underlying KHBE scheme. As such, if the underlying KHBE scheme is presumed to be secure, so should the AHBE scheme. Furthermore, the AHBE scheme has semi-static security, if the KHBE scheme has adaptive security.
\begin{theorem}
The generic AHBE scheme has semi-static security if the underlying KHBE scheme has adaptive security. Do note that something is wrong within this proof, which we will point out in a leter section.
\end{theorem}
\begin{proof}
We wish to construct an adversary \adv{B} who can break the security of the underlying KHBE scheme, by utilising the adversary \adv{A} who is assumed to be able to break the security of the AHBE scheme. In the initialisation phase, \adv{A} will commit to a set $\tilde{S} \subseteq [n]$. Keep in mind that \adv{A} is a semi-static adversary, so he has to commit to a set of which he wishes to attack a subset of.
In the setup phase, \adv{B} picks a user at randomly from within $\tilde{S}$; $i* \in_R \tilde{S}$. \adv{B} then sets up the \emph{adaptive} game with the KHBE challenger \CH. \CH returns the system parameters and the KHBE public key, denoted by $PK_{i^*}$. \adv{B} then queries for the secret key $d_{i^*}(j)$ for each index $j \not\in \tilde{S}$.
For $i \in [n] \setminus \{i^*\}$, \adv{B} can generate the KHBE public/private key pair $(PK_i, SK_i)$, as it's not the target of \adv{B}, as it is \emph{adaptive}. This allows \adv{B} to generate the corresponding decryption keys $d_i(j)$ for each index $j \in \{1,n\} \setminus \{i\}$. Then, for $i = 1,\dots,n$, \adv{B} generate $K_i = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$, such that all users' public keys can be provided to the adversary \adv{A}, as a part of the setup phase for the AHBE scheme.
In the corruption phase, \adv{A} may corrupt any user $i \in \{1,\dots,n\} \setminus \tilde{S}$. These users are all however fabricated by the \adv{B}, so \adv{B} has the public/private key pairs for any user outside of $\tilde{S}$, thus it is no issue to yield the decryption key $d_i(i)$ and answer the query correctly.
In the challenge phase, the adversary \adv{A} decides upon an attack set $S^* \subset \tilde{S}$. This is given to \adv{B} who then has two options. Either $i^* \not\in S^*$ and \adv{B} reports failure, as the answer from the AHBE adversary \adv{A} will not be of any help to \adv{B} in breaking the underlying KHBE scheme. On the other hand, if $i^* \in S^*$, \adv{B} simply forwards the set $S^*$ to the challenger \CH and requests for a KHBE header and key from \CH. \adv{B} receives a pair $(\hdr^*, k_b)$ under $(S^*, PK_{i^*})$. \adv{B} then has to convert this into a wellformed challenge header for $(S^*, \oplus_{j \in S^*} PK_j)$ meant for the adversary \adv{A}. To this end, we note that the underlying scheme is a KHBE, thus, the header $\hdr^*$ will always be for a correct key, but the question is whether it is the key $k_b$. Furthermore, as we know all of the public/private key pairs, we can compute $BDec(S^*, i^*, d_i(i^*), \hdr^*, PK_i) = k_{b,i}$ for $i \in S^* \setminus \{i^*\}$, noting that, due to the second property of the key homomorphism, we have for all $j \in S^*$; $BDec(S^*, j, d_i(j), \hdr^*, PK_i) = k_{b,i}$. \adv{B} then sets $k^*_b = k_b \ocircle \{\ocircle_{i \in S^* \setminus \{i^*\}} k_{b,i}\}$ and then send $(\hdr^*, k^*_b)$ as a challenge to \adv{A}. Due to the homomorphic properties, if $\hdr^*$ hides the key $k_b$ under $(S^*, PK_{i^*})$, then it also hides the key $k^*_b$ under $(S^*, \oplus_{i \in S^*} PK_i)$, else the key $k_b$ is picked uniformly from the keyspace, so the aggregation of keys $k_b \ocircle \ocircle_{i \in S^* \setminus \{i^*\}} k_{b,i}$ still makes sense and will have the correct distribution, it will just be independent on $\hdr^*$.
Finally, when \adv{A} guesses bit $b'$, this is forwarded by \adv{B} to the KHBE challenger \CH. Intuitively, \adv{B} will guess correct, if adversary \adv{A} guesses correct. Thus, if we assume adversary \adv{A} has advantage $\epsilon$, then the advantage of \adv{B} is $\frac{1}{n} \epsilon$, due to \adv{B} aborting in the case of $i^* \not\in S^*$, thus incurring a factor $\frac{1}{n}$.
\end{proof}
% TODO: Fix (?) proof
\subsection{Issues with the proof}
- How can B get the keys $d_{i^*}(j)$ for $j \in \tilde{S}$, which B will need for the public keys he has to present in the beginning to A? The only key which is supposed to be private in the AHBE scheme is $d_{i^*}(i^*)$. Specifically:
\begin{figure}
\[
\begin{pmatrix}
\U_1 & \U_2 & \U_3 & \dots & \U_n & \texttt{sender} \vsp{3mm}
? & \underline{d_1(2)} & \underline{d_1(3)} & \underline{\dots} & \underline{d_1(n)} & PK_1 \vsp{2mm}
d_2(1) & ? & d_2(3) & \dots & d_2(n) & PK_2 \vsp{2mm}
d_3(1) & d_3(2) & ? & \dots & d_3(n) & PK_3 \vsp{2mm}
\vdots & \vdots & \vdots & \ddots & \vdots & \vdots \vsp{2mm}
d_n(1) & d_n(2) & d_n(3) & \dots & ? & PK_n
\end{pmatrix}
\]
\caption{The missing keys are underlined}
\label{fig:UnderlinedKHBEMatrix}
\end{figure}
If we consider the user $i^*$ to be $\U_1$ and $\tilde{S}$ to simply be all $n$ recipients, then the algorithm \adv{B} is missing all the underlined keys, in the proof, as he is not allowed to query these keys, since he at some point want to attack the set $S^* \subseteq \tilde{S}$, which is against the rules of the adaptive game for the (KH)BE scheme, as defined in Section \ref{sec:BESec}.
Things we considered; Adding another homomorphic property such that we can safely ONLY use $\{i^*\}$ as the recipient set we sent to \CH. This transformation would have to be both randomised and OTP, as otherwise if we sent a header encrypting some key, it should not be allowed to transform this header into another one, then decrypting it for the key and then recovering the old key from this. This goal seems quite difficult to achieve and we argue that this breaks the underlying security.
\subsection{An AHBE Implementation}
To end up with a Semi-statically secure AHBE scheme, we first need to produce an adaptively secure BE scheme which is key homomorphic. To this end, we use the scheme defined in \ref{sec:BE} coupled with the generic transformation from Semi-static to Adaptive by Gentry and Waters \cite{GentryWaters}. Note that $g, h_{i,s} \text{ for } i \in [1,n], s \in \{0,1\}$ be independent generators of a group $\mathbb{G}$ of prime order $p$, with a bilinear map $e : \Gm \times Gm \ra \Gm_{T}$. \vsp{5mm}
\-\hspace{5mm}\textbf{BSetup$(\lambda,n)$:}\quad Let $\alpha \in_R \mathbb{Z}_p$ and compute $g^\alpha, e(g,g)^\alpha$. The BE public key PK is then; $PK = e(g,g)^\alpha$ and the private key is $SK = g^\alpha$. \vspace{3mm} \\
\-\hspace{5mm}\textbf{BKeyGen$(i, SK)$:}\quad Set $r_i \in_R \mathbb{Z}_p$, $s_i \in_R \{0,1\}$. Output decryption key for user $i$; $d_i = (d_{i,0},\dots,d_{i,n})$:
$$d_i \leftarrow (d_{i,0},\dots,d_{i,n}) \quad \text{ where } \quad d_{i,0} = g^{-r_i}, \quad d_{i,i} = g^\alpha h^{r_i}_{i,s_i}, \quad d_{i,j \text{ for } i\neq j} h^{r_i}_{j,s_i}$$ \vspace{3mm} \\
\-\hspace{5mm}\textbf{BEnc$(S, PK)$:}\quad Set $t \in_R \Z_p$ and $$Hdr = (C_1,C_2, C_3), \quad \text{ where }\quad C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_{i,0})^t,\quad C_3 = (\prod_{i \in S}h_{i,1})^t $$ Finally, set $K = e(g,g)^{t\cdot \alpha}$. Output $(K, Hdr)$. Send $(S, \hdr)$ to the receivers. \vspace{3mm} \\
\-\hspace{5mm}\textbf{BDec}$(S,i,d_i,\text{Hdr}, PK)$\textbf{:}\quad Check if $i \in S$, if so; let $d_i = (d_{i,0},\dots,d_{i,n})$, Hdr$=(C_1,C_2,C_3)$, output $$k =e(d_{i,i} \cdot \prod_{j \in S \setminus \{i\}} d_{i,j}, C_1) \cdot e(d_{i,0}, C_2)$$ \vsp{3mm}
The correctness is the exact same as defined in Section \ref{sec:GentryWatersConst}.
As we desire a key homomorphic scheme, we define the aggregations like so; $PK_1 \oplus PK_2 = PK_1PK_2$, $d_{1_i} \odot d_{2_i} = (d_{1_{i,0}}, d_{2_{i,0}}, \dots, d_{1_{i,n}}, d_{2_{i,n}})$ and $k_1 \ocircle k_2 = k_1k_2$. Finally we instantiate the AHBE scheme: \vsp{4mm}
\hsp{5mm}\textbf{KeyGen:}\quad Let the potential receivers be a set $\{1,\dots,N\}$. Let $n \leq N$ be the maximum number of recipients within a single broadcast. For simplicity, we assume that $n = N$. Generate an instance $\pi$ of a KHBE scheme and let this be a system parameter. The KeyGen algorithm then does the following:
\begin{itemize}
\item For receiver $i \in [n]$, invoke the \texttt{BSetup}, to generate a public/private key pair $(PK_i, SK_i) = e(g,g)^{\alpha_i}, g^{\alpha_i}$ for the KHBE scheme..
\item Receiver $i$ runs \texttt{BKeyGen} and obtains $d_i(j) \leftarrow \text{BKeyGen}(j,SK_i)$ for $i,l,j = 1,\dots,n$ where $d_i(j) = (d_{i,0,j}, \dots, d_{i,n,j})$ such that: \\
$$d_{i,0,j} = g^{-r_{i,j}},\quad d_{i,j,j} = g^{\alpha_i}h^{r_{i,j}}_{j,s_i}, \quad d_{i,l,j} = h^{r_{i,j}}_{l,s_i},$$ \\
For $r_{i,j} \in_R \mathbb{Z}_p$, $s_i \in_R \{0,1\}$. Receiver $i$'s private key is then $d_i(i)$. \\
\item The public key of the specific receiver $i$ in the AHBE scheme is then: \\
$$PK_{AHBE_i} = \{d_i(j) | 1 \leq i \neq j \leq n\} \cup \{PK_i\}$$ Where $PK_i$ came from the BSetup call.
\end{itemize} \vspace{3mm}
\hsp{5mm}\textbf{AHBEnc:}\quad Computes the header and key for a receiver set $S$ in the following way:
\begin{itemize}
\item Pick receiver set $S \subseteq [1,n]$
\item Compute the public key of the broadcast:
$$PK_{AHBE} = \oplus_{i \in S} PK_i = \prod_{i \in S} PK_i = e(g,g)^{\sum_{i \in S} \alpha_i}$$
Note that the $PK_i$'s used here are in fact the ones from the original \texttt{BSetup} call, so it is contained within $PK_{AHBE_i}$.
\item Invoke the underlying KHBE encryption algorithm BEnc$(\cdot)$ in order to compute the header of the key $\hdr = BEnc(S, PK_{AHBE}) = (C_1,C_2,C_3)$ for:
$$C_1 = g^t, \quad C_2 = (\prod_{i \in S}h_{i,0})^t,\quad C_3 = (\prod_{i \in S}h_{i,1})^t$$
and for the secret key:
$$k = PK_{AHBE} = e(g,g)^{t \cdot \sum_{i \in S} \alpha_i}$$
for $t \in_R \mathbb{Z}_p$
and send $(S, \hdr)$ to the receiver set.
\end{itemize} \vspace{3mm}
\hsp{5mm}\textbf{AHBDec:}\quad Due to the underlying KHBE scheme, the receiver $i \in S$ can compute a decryption key for the AHBE public key $PK_{AHBE}$ by computing:
\begin{align*}
d(i) &= d_i(i) \odot\{\odot_{j \in S}^{j \neq i} d_j(i)\} = \odot_{j \in S} d_j(i) \\
&= (\prod_{j \in S} d_{j,0,i}, \dots, \prod_{j \in S} d_{j,n,i})
\end{align*}
As only user $\U_i$ knows $d_i(i)$ only she can compute $d(i)$. Due to the homomorphism of the KHBE scheme, $d(i)$ is a valid decryption key for the public key $PK_{AHBE}$, as long as $i \in S$. To perform this decryption, each user $\U_i$ for $i \in S$, invokes the KHBE decryption algorithm BDec$(\cdot)$;
$$k = BDec(S, i, d(i), Hdr, K) $$
\subsection{Attempt at reducing the AHBE instantion to BDHE-problem}
Seeing that the reduction had some non-salveable issues regarding the decryption keys of the target set $S^*$, we attempted to reduce their instantiation directly to the BDHE problem, which the original scheme due to Gentry and Waters was originally reduced to, to prove its Semi-static security. We recall why the original reduction worked: The values $h_1, \dots, h_n$ are originally picked completely at random from the target group of the bilinear map, $\Gm_T$, which allowed the original reduction to sample $y_1, \dots, y_n$ and lift the generator of the group $\Gm$, $g$, to specific values of $y_i$, whenever we needed to know the discrete log of $h_i$, specifically when $i \in \tilde{S}$, i.e. the set of potential receivers, $h_i = g^{y_i}$. Furthermore, for the rest of the users, $i \not\in \tilde{S}$, they generated the values of $h_i = g^{y_i + a^i}$ meaning that the adversary \adv{B} could in fact not compute the discrete log and would thus not have a chance of computing the header information, if the adversary \adv{A} decided to attack this user. Due to the semi-static nature however, this is not something they have to worry of, as \adv{A} has already commited to $\tilde{S}$. The definition of the $h_i$ for $i \not\in \tilde{S}$, means that \adv{B} can properly answer the extraction queries for these users, as \adv{B} defines the values $r_i$ in such a way, that the exponents cancels out in $d_{i,i} = g^{\alpha}h^{r_i}_i$ and we do not have to bother trying to compute the discrete log of $g^\alpha$, specically the $a^{n+1}$ part of $\alpha = y_0 \cdot a^{n+1}$. The issues then arise, as all the $h_i$ values are required for the AHBE scheme, essentially meaning we can not fake some and define some in a very specific way, as they are \emph{all} used for the different keys, regardless of the user $i$ being in the attack set $i \in \tilde{S}$, as all the users are using the same underlying KHBE scheme. This results in the algorthim \adv{B} not being capable of answering extraction queries for any user i outside of the attack set, $i \not\in \tilde{S}$, as \adv{B} also has to generate all the $h$ values in such a way that he can compute the discrete log.
\section{Implementation of Schemes}
\subsection{Identity-Based Encryption}