Mergeable and Revocable Identity-Based Encryption

Conference paper, in: Information Security and Privacy (ACISP 2017). Part of the book series Lecture Notes in Computer Science (LNSC, volume 10342).


Abstract

Identity-based encryption (IBE) has been extensively studied and widely used in various applications since Boneh and Franklin proposed the first practical scheme based on pairings. In that seminal work it was also pointed out that providing an efficient revocation mechanism for IBE is essential, and revocable identity-based encryption (RIBE) has since been proposed in the literature to offer one. Besides revocation, another issue that arises in practice is combining two or more IBE systems into one, e.g., due to a merger of departments or companies. This issue has not been formally studied in the literature, and the naive solution of creating a completely new system is inefficient. To address this problem efficiently, in this paper we propose the notion of mergeable and revocable identity-based encryption (MRIBE). Our scheme provides the first solution that both efficiently revokes users and merges multiple IBE systems into a single system. The proposed scheme also has several nice features: when two systems are merged, no secure channel is needed to update user private keys; and the size of a user private key remains unchanged when multiple systems are merged. We also propose a new security model for MRIBE, which extends the security model for RIBE, and prove that the proposed scheme is semantically secure without random oracles.


References

  1. Boldyreva, A., Goyal, V., Kumar, V.: Identity-based encryption with efficient revocation. In: Ning, P., Syverson, P.F., Jha, S. (eds.) CCS 2008, pp. 417–426. ACM (2008)

  2. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_14

  3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_13

  4. Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). doi:10.1007/978-3-540-44993-5_5

  5. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006). doi:10.1007/11761679_27

  6. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS 1984, pp. 464–479. IEEE (1984)

  7. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_4

  8. Hanaoka, Y., Hanaoka, G., Shikata, J., Imai, H.: Identity-based hierarchical strongly key-insulated encryption and its application. In: Roy, B. (ed.) ASIACRYPT 2005. LNCS, vol. 3788, pp. 495–514. Springer, Heidelberg (2005). doi:10.1007/11593447_27

  9. Lee, K., Lee, D.H., Park, J.H.: Efficient revocable identity-based encryption via subset difference methods. IACR Cryptology ePrint Archive, Report 2014/132 (2014)

  10. Liang, K., Liu, J.K., Wong, D.S., Susilo, W.: An efficient cloud-based revocable identity-based proxy re-encryption scheme for public clouds data sharing. In: Kutyłowski, M., Vaidya, J. (eds.) ESORICS 2014. LNCS, vol. 8712, pp. 257–272. Springer, Cham (2014). doi:10.1007/978-3-319-11203-9_15

  11. Libert, B., Vergnaud, D.: Adaptive-ID secure revocable identity-based encryption. In: Fischlin, M. (ed.) CT-RSA 2009. LNCS, vol. 5473, pp. 1–15. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00862-7_1

  12. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_3

  13. Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 457–473. Springer, Heidelberg (2005). doi:10.1007/11426639_27

  14. Seo, J.H., Emura, K.: Efficient delegation of key generation and revocation functionalities in identity-based encryption. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 343–358. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36095-4_22

  15. Seo, J.H., Emura, K.: Revocable identity-based encryption revisited: security model and construction. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 216–234. Springer, Heidelberg (2013). doi:10.1007/978-3-642-36362-7_14

  16. Seo, J.H., Emura, K.: Adaptive-ID secure revocable hierarchical identity-based encryption. In: Tanaka, K., Suga, Y. (eds.) IWSEC 2015. LNCS, vol. 9241, pp. 21–38. Springer, Cham (2015). doi:10.1007/978-3-319-22425-1_2

  17. Seo, J.H., Emura, K.: Revocable hierarchical identity-based encryption: history-free update, security against insiders, and short ciphertexts. In: Nyberg, K. (ed.) CT-RSA 2015. LNCS, vol. 9048, pp. 106–123. Springer, Cham (2015). doi:10.1007/978-3-319-16715-2_6

  18. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)

  19. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakley, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985). doi:10.1007/3-540-39568-7_5

  20. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). doi:10.1007/11426639_7

  21. Yang, Y., Liu, J.K., Liang, K., Choo, K.-K.R., Zhou, J.: Extended proxy-assisted approach: achieving revocable fine-grained encryption of cloud data. In: Pernul, G., Ryan, P.Y.A., Weippl, E. (eds.) ESORICS 2015. LNCS, vol. 9327, pp. 146–166. Springer, Cham (2015). doi:10.1007/978-3-319-24177-7_8


Author information


Correspondence to Shengmin Xu, Guomin Yang, Yi Mu or Willy Susilo.


A Security Proof

Proof

The proof is similar to that of [1], except that we need to handle multiple systems and the merge algorithms. We construct an adversary \(\mathcal {B}\) for the DBDH problem associated with \(\mathcal {G}\). \(\mathcal {B}\) gets \((k,\mathbb {G},p,g,X,Y,Z,W)\) as input and has to return a bit d. It runs \(\mathcal {A}\) as a subroutine. To answer the oracle queries, we define the following four functions. For \(i,j,l,r\in \mathbb {Z}_p, S=\{0,j\}\) define

$$\begin{aligned}&F_1(g_2,h_1,h_2,h_3,i,l,r)\mathop {=}\limits ^\mathrm{def}g_2^l H_{g_2,h_1,h_2,h_3}(i)^{r}, \quad F_2(r)\mathop {=}\limits ^\mathrm{def}g^r,\\&F_3(g_1,g_2,i,j,l,r)\mathop {=}\limits ^\mathrm{def}g_2^{l\varDelta _{j,S}(i)}\left( g_1^{\frac{-f(i)}{i^2+u(i)}}\left( g_2^{i^2+u(i)}g^{f(i)} \right) ^{r} \right) ^{\varDelta _{0,S}(i)},\\&F_4(g_1,g_2,i,r)\mathop {=}\limits ^\mathrm{def}\left( g_1^{\frac{-1}{i^2+u(i)}}g^{r} \right) ^{\varDelta _{0,S}(i)}. \end{aligned}$$

Setup: \(\mathcal {B}\) receives the challenging message \((k,\mathbb {G},p,g,X,Y,Z,W)\) and sets the system parameters as follows.

  • \(\mathcal {B}\) chooses the \(N,N_S\in \mathbb {N}\) and sends the security parameter \((k,N,N_S)\) to \(\mathcal {A}\). \(\mathcal {A}\) generates the challenging identity \(\omega ^*\), the challenging time \(t^*\), the subscript of challenging public key \(i^*\) and the state for some related information about \((\omega ^*,t^*,i^*)\), then sends \((\omega ^*,t^*,i^*,state)\) to \(\mathcal {B}\).

  • \(\mathcal {B}\) chooses a random bit \(b\leftarrow \{0,1\}\) and initializes the databases \(\mathcal {D},\mathcal {D_{SK}},\mathcal {D_{MSK}}\leftarrow \emptyset \), where \(\mathcal {D}\) is used to record the historical information of the challenging identity \(\omega ^*\), and \(\mathcal {D_{SK}},\mathcal {D_{MSK}}\) record information about the challenging identity \(\omega ^*\) used to decide whether to abort.

  • \(\mathcal {B}\) simulates the system parameters for all \(N_S\) systems. \(\mathcal {B}\) sets public parameter \(pp=(\mathbb {G},p,g)\) and randomly picks a value \(i_r\leftarrow \{1,2,...,N_S\}\), where the challenging identity \(\omega ^*\) is initialized in the system with public key \(pk_{i_r}\). Then, \(\mathcal {B}\) updates the database \(\mathcal {D}\leftarrow (\vec {pk_{\omega ^*}},\omega ^*)\), where \(\vec {pk_{\omega ^*}}\leftarrow \vec {pk_{\omega ^*}}\cup \{pk_{i_r}\}\). \(\forall j\in \{1,2,...,N_S\}\) then:

    1. Randomly pick and store \(r_j,r_{1,j}, r_{2,j}\leftarrow \mathbb {Z}_p^*\) for system j and generate the parameters \(g_{1,j}\) and \(g_{2,j}\):

       $$\begin{aligned} g_{1,j}\leftarrow X^{r_{1,j}}, g_{2,j}\leftarrow Y^{r_{2,j}}. \end{aligned}$$

    2. Pick random second-degree polynomials f(x), u(x) with coefficients in \(\mathbb {Z}_p\) such that \(u(x)=-x^2\) for \(x=\omega ^*,t^*\) and \(u(x)\ne -x^2\) otherwise. \(\forall i\in \{1,2,3\}\): set \(h_{i,j}\leftarrow g_{2,j}^{u(i)}g^{f(i)}\).

    3. Set the public key \(pk_j\leftarrow (g,g_{1,j},g_{2,j},h_{1,j},h_{2,j},h_{3,j})\).

  • \(\mathcal {B}\) sends the public parameter pp and public keys \(\{pk_i\}_{i\in \{1,2,...,N_S\}}\) to \(\mathcal {A}\).

  • \(\mathcal {B}\) simulates the revocation lists and the binary trees. \(\forall j\in \{1,2,...,N_S\}\): let \(rl_j\) be an empty set and \(\mathsf{T}_j\) be a binary tree with at least N leaf nodes. \(\mathcal {B}\) picks a leaf node \(v^*\) from \(\mathsf{T}_{i_r}\), to which the challenging identity \(\omega ^*\) is assigned, and chooses a random bit \(rev\leftarrow \{0,1\}\), where 0 means that \(\omega ^*\) is a non-revoked user and 1 means that \(\omega ^*\) is a revoked user.

\(\mathcal {O_{SK}}(pk_i,\omega )\): \(\mathcal {A}\) issues up to \(q_p\) private key generation queries. \(\mathcal {B}\) responds to a query on message \((pk_i,\omega )\) as follows.

  • If \(\omega =\omega ^*\), \(\mathcal {B}\) simulates the private key \(sk_{\omega ,i}\) for the challenging identity \(\omega ^*\).

    1. If \(rev=0\), set \(\mathcal {D_{SK}}\leftarrow \mathcal {D_{SK}}\cup \{pk_i\}\) and abort if \(\mathcal {A}\) is able to obtain the secret key \(sk_{\omega ^*,i^*}\), which is decided by checking the transactions recorded in the databases \(\mathcal {D_{SK}}\) and \(\mathcal {D_{MSK}}\) as in Fig. 1.

    2. Else set \(v\leftarrow v^*\). \(\forall x\in \mathsf{Path}(v)\):

       (a) Set \(r_x\leftarrow \mathsf{F}_{r_i}(\omega ^*\Vert x)\), where \(msk_i=(a_i,r_i)\).

       (b) If \(\not \exists l_x\) then randomly choose \(l_x\leftarrow \mathbb {Z}_p\) and store \(l_x\) in node x.

       (c) Set \((D_x,d_x)\) and update the private key \(sk_{\omega ^*,i}\leftarrow sk_{\omega ^*,i}\cup (x,D_x,d_x)\):

           $$\begin{aligned} D_x\leftarrow F_1(g_{2,i},h_{1,i},h_{2,i},h_{3,i},\omega ^*,l_x,r_x), d_x\leftarrow F_2(r_x). \end{aligned}$$

  • If \(\omega \ne \omega ^*\), \(\mathcal {B}\) simulates the private key \(sk_{\omega ,i}\) for the identity \(\omega \), assigned to leaf v. \(\forall x\in \mathsf{Path}(v)\):

    1. Set \(r_x\leftarrow \mathsf{F}_{r_i}(\omega \Vert x)\), where \(msk_i=(a_i,r_i)\).

    2. If \(\not \exists l_x\) then randomly choose \(l_x\leftarrow \mathbb {Z}_p\) and store \(l_x\) in node x.

    3. If \(rev=0\), set \((D_x,d_x)\) and update the private key \(sk_{\omega ,i}\leftarrow sk_{\omega ,i}\cup (x,D_x,d_x)\):

       $$\begin{aligned} D_x\leftarrow F_3(g_{1,i},g_{2,i},\omega ,t^*,l_x,r_x), d_x\leftarrow F_4(g_{1,i},g_{2,i},\omega ,r_x). \end{aligned}$$

    4. If \(rev=1\), simulate the private key \(sk_{\omega ,i}\) depending on \(\mathsf{Path}(v)\) and \(\mathsf{Path}(v^*)\).

       (a) \(\forall x\in (\mathsf{Path}(v)\setminus \mathsf{Path}(v^*))\): set \((D_x,d_x)\) and update the private key \(sk_{\omega ,i}\leftarrow sk_{\omega ,i}\cup (x,D_x,d_x)\):

           $$\begin{aligned} D_x\leftarrow F_3(g_{1,i},g_{2,i},\omega ,t^*,l_x,r_x), d_x\leftarrow F_4(g_{1,i},g_{2,i},\omega ,r_x). \end{aligned}$$

       (b) \(\forall x\in (\mathsf{Path}(v)\cap \mathsf{Path}(v^*))\): set \((D_x,d_x)\) and update the private key \(sk_{\omega ,i}\leftarrow sk_{\omega ,i}\cup (x,D_x,d_x)\):

           $$\begin{aligned} D_x\leftarrow F_3(g_{1,i},g_{2,i},\omega ,\omega ^*,l_x,r_x), d_x\leftarrow F_4(g_{1,i},g_{2,i},\omega ,r_x). \end{aligned}$$

  • Return the private key \(sk_{\omega ,i}=\{(x,D_x,d_x)\}_{x\in \mathsf{Path}(v)}\).

\(\mathcal {O_R}(\omega ,t)\): \(\mathcal {A}\) issues up to \(q_r\) revocation queries. \(\mathcal {B}\) responds to a query on message \((\omega ,t)\) as follows. If \((\cdot ,\omega )\in \mathcal {D}\), for all leaf nodes v associated with identity \(\omega \) add (v, t) to revocation list \(rl_i\leftarrow rl_i\cup (v,t)\), then return \(rl_i\) else return \(\bot \).

\(\mathcal {O_{KU}}(pk_i,t)\): \(\mathcal {A}\) issues up to \(q_k\) key update generation queries. \(\mathcal {B}\) responds to a query on message \((pk_i,t)\) as follows.

  • If \(t\ne t^*\), \(\mathcal {B}\) simulates the key update \(ku_{t,i}\) for system i.

    1. If \(rev=0\), \(\forall x\in \mathsf{KUNodes}(\mathsf{T},rl,t)\): pick \({r_x}\leftarrow \mathbb {Z}_p^*\), set \((E_x,e_x)\) and update \(ku_{t,i}\leftarrow ku_{t,i}\cup (x,E_x,e_x)\):

       $$\begin{aligned} E_x\leftarrow F_3(g_{1,i},g_{2,i},t,t^*,l_x,r_x), e_x\leftarrow F_4(g_{1,i},g_{2,i},t,r_x). \end{aligned}$$

    2. If \(rev=1\), simulate the key update \(ku_{t,i}\) depending on \(\mathsf{KUNodes}(\mathsf{T},rl,t)\) and \(\mathsf{Path}(v^*)\).

       (a) \(\forall x\in (\mathsf{KUNodes}(\mathsf{T},rl,t)\setminus \mathsf{Path}(v^*))\): pick \({r_x}\leftarrow \mathbb {Z}_p^*\), set \((E_x,e_x)\) and update \(ku_{t,i}\leftarrow ku_{t,i}\cup (x,E_x,e_x)\):

           $$\begin{aligned} E_x\leftarrow F_3(g_{1,i},g_{2,i},t,t^*,l_x,r_x), e_x\leftarrow F_4(g_{1,i},g_{2,i},t,r_x). \end{aligned}$$

       (b) \(\forall x\in (\mathsf{KUNodes}(\mathsf{T},rl,t)\cap \mathsf{Path}(v^*))\): pick \({r_x}\leftarrow \mathbb {Z}_p^*\), set \((E_x,e_x)\) and update \(ku_{t,i}\leftarrow ku_{t,i}\cup (x,E_x,e_x)\):

           $$\begin{aligned} E_x\leftarrow F_3(g_{1,i},g_{2,i},t,\omega ^*,l_x,r_x), e_x\leftarrow F_4(g_{1,i},g_{2,i},t,r_x). \end{aligned}$$

  • If \(t=t^*\), \(\mathcal {B}\) simulates the key update \(ku_{t,i}\) at the challenging time \(t^*\) for system i.

    1. If \(rev=1\) and \((\omega ^*,t)\not \in rl_{i^*}\) for all \(t\le t^*\), then abort, since the challenging identity \(\omega ^*\) must be revoked when \(rev=1\).

    2. Else, \(\forall x\in \mathsf{KUNodes}(\mathsf{T},rl,t)\): pick \({r_x}\leftarrow \mathbb {Z}_p^*\), set \((E_x,e_x)\) and update \(ku_{t,i}\leftarrow ku_{t,i}\cup (x,E_x,e_x)\):

       $$\begin{aligned} E_x\leftarrow F_1(g_{2,i},h_{1,i},h_{2,i},h_{3,i},t^*,l_x,r_x), e_x\leftarrow F_2(r_x). \end{aligned}$$

  • Return the key update \(ku_{t,i}=\{(x,E_x,e_x)\}_{x\in \mathsf{KUNodes}(\mathsf{T},rl,t)}\).

\(\mathcal {O_{MP}}(pk_\alpha ,pk_\beta )\): \(\mathcal {A}\) issues up to \(q_m\) merge parameter generation queries. \(\mathcal {B}\) responds to a query on message \((pk_\alpha ,pk_\beta )\) by updating the revocation list \(rl_\beta \), state \(st_\beta \) and the database \(\mathcal {D}\) as follows.

  • Update the revocation list and state \(rl_\beta \leftarrow rl_\alpha \cup rl_\beta , st_\beta \leftarrow st_\beta \cup st_\alpha \setminus \mathsf{T}_{\alpha }\).

  • If \(\omega ^*\) is involved in the system with \(pk_\alpha \), then updating the database \(\mathcal {D}\). then set , if \(pk[len]=pk_\alpha \), .

  • Return the updated revocation list \(rl_\beta \) and state \(st_\beta \).
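
The tree machinery that the oracles above manipulate, as an added example that is not code from the paper: \(\mathsf{Path}(v)\), \(\mathsf{KUNodes}(\mathsf{T},rl,t)\) and the revocation list \(rl\) of the complete-subtree method of Boldyreva et al. [1], on which the proof says it is modelled, together with the list union \(rl_\beta \leftarrow rl_\alpha \cup rl_\beta \) performed by \(\mathcal {O_{MP}}\). The node numbering (root 1, children of x are 2x and 2x+1), the re-assignment of \(\alpha \)'s users to leaves of \(\mathsf{T}_\beta \) when \(\mathsf{T}_\alpha \) is dropped, and the identities alice, bob and carol are assumptions made for the illustration, not details taken from the paper.

```python
# Added example (not part of the paper): complete-subtree revocation as used by
# the proof's Path(v) and KUNodes(T, rl, t), following Boldyreva-Goyal-Kumar [1],
# plus the O_MP step rl_beta <- rl_alpha U rl_beta.  Node numbering (root = 1,
# children 2x and 2x+1) and leaf re-assignment on merge are assumptions.
from typing import Dict, List, Set, Tuple


class RevocationTree:
    """Binary tree T with N leaves (N a power of two) and revocation list rl."""

    def __init__(self, num_leaves: int) -> None:
        if num_leaves <= 0 or num_leaves & (num_leaves - 1):
            raise ValueError("N must be a power of two")
        self.n = num_leaves
        self.leaf_of: Dict[str, int] = {}        # identity -> leaf node id
        self.rl: Set[Tuple[int, int]] = set()    # rl = {(v, t)}

    def assign(self, identity: str) -> int:
        """Assign an identity to the next free leaf; leaves are ids N..2N-1."""
        if identity in self.leaf_of:
            return self.leaf_of[identity]
        v = self.n + len(self.leaf_of)
        if v >= 2 * self.n:
            raise ValueError("tree T is full")
        self.leaf_of[identity] = v
        return v

    def path(self, v: int) -> List[int]:
        """Path(v): the nodes from leaf v up to and including the root."""
        nodes = []
        while v >= 1:
            nodes.append(v)
            v //= 2
        return nodes

    def revoke(self, identity: str, t: int) -> None:
        """O_R(omega, t): add (v, t) to rl for the leaf v holding omega."""
        self.rl.add((self.leaf_of[identity], t))

    def ku_nodes(self, t: int) -> Set[int]:
        """KUNodes(T, rl, t) as in [1]: X = union of Path(v_i) over (v_i, t_i) in rl
        with t_i <= t; Y = children of X-nodes that are not in X; {root} if Y empty."""
        x: Set[int] = set()
        for v, t_i in self.rl:
            if t_i <= t:
                x.update(self.path(v))
        y: Set[int] = set()
        for node in x:
            if node < self.n:                    # internal node: inspect children
                for child in (2 * node, 2 * node + 1):
                    if child not in x:
                        y.add(child)
        if not y:
            y.add(1)
        return y

    def can_decrypt(self, identity: str, t: int) -> bool:
        """A user decrypts at time t iff Path(v) meets KUNodes(T, rl, t), which
        happens in exactly one node; a user revoked at t' <= t has Path(v) inside X."""
        common = set(self.path(self.leaf_of[identity])) & self.ku_nodes(t)
        assert len(common) <= 1, "the CS cover never hits one path twice"
        return len(common) == 1


def merge_into(alpha: "RevocationTree", beta: "RevocationTree") -> None:
    """O_MP step rl_beta <- rl_alpha U rl_beta with T_alpha dropped from the state:
    alpha's users get leaves in T_beta (assumption) and alpha's revocations are
    carried over under the new leaf ids, so a merge never un-revokes anyone."""
    for identity, v_alpha in alpha.leaf_of.items():
        v_beta = beta.assign(identity)
        for v, t in alpha.rl:
            if v == v_alpha:
                beta.rl.add((v_beta, t))


if __name__ == "__main__":
    alpha, beta = RevocationTree(4), RevocationTree(8)
    for ident in ("alice", "bob"):
        alpha.assign(ident)
    beta.assign("carol")
    alpha.revoke("bob", 3)                       # constructed sample revocation
    print("bob@t=5 in alpha:", alpha.can_decrypt("bob", 5))
    merge_into(alpha, beta)
    print("bob@t=5 in beta: ", beta.can_decrypt("bob", 5))
    print("KUNodes(T_beta, rl_beta, 5):", sorted(beta.ku_nodes(5)))
```

The `assert` in `can_decrypt` is the structural fact the simulation leans on: the cover returned by KUNodes contains at most one node of any root path, so the per-node components \((D_x,d_x)\) and \((E_x,e_x)\) pair up in exactly one node for a non-revoked user and in none for a revoked one.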

\(\mathcal {O_{MSK}}(\omega ,pk_\alpha ,pk_\beta )\): \(\mathcal {A}\) issues up to \(q_{mp}\) merge private key generation queries. \(\mathcal {B}\) responds to a query on message \((\omega ,pk_\alpha ,pk_\beta )\).

  • If \(\omega =\omega ^*\), \(\mathcal {B}\) simulates the merge private key \(sk_{\omega ,\alpha ,\beta }\) for the challenging identity \(\omega ^*\).

    1. If \(rev=0\), set \(\mathcal {D_{MSK}}\leftarrow \mathcal {D_{MSK}}\cup \{(pk_\alpha ,pk_\beta )\}\) and abort if \(\mathcal {A}\) is able to obtain the secret key \(sk_{\omega ^*,i^*}\), which is decided by checking the transactions recorded in the databases \(\mathcal {D_{SK}}\) and \(\mathcal {D_{MSK}}\) as in Fig. 1.

    2. Else set \(v\leftarrow v^*\). \(\forall x\in \mathsf{Path}(v)\):

       (a) Set \(r_{x,\alpha }\leftarrow \mathsf{F}_{r_\alpha }(\omega \Vert x)\) and \(r_{x,\beta }\leftarrow \mathsf{F}_{r_\beta }(\omega \Vert x)\).

       (b) Set \((D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\) and update the merge private key \(sk_{\omega ,\alpha ,\beta }\leftarrow sk_{\omega ,\alpha ,\beta }\cup (x,D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\); the union symbol combines the per-node components, since this algorithm returns one component for every node in \(\mathsf{Path}(v)\):

           $$\begin{aligned} D_{x,\alpha ,\beta }=\frac{F_1(g_{2,\beta },h_{1,\beta },h_{2,\beta },h_{3,\beta },\omega ,l_{x,\beta },r_{x,\beta })}{F_1(g_{2,\alpha },h_{1,\alpha },h_{2,\alpha },h_{3,\alpha },\omega ,l_{x,\alpha },r_{x,\alpha })},d_{x,\alpha ,\beta }=\frac{F_2(r_{x,\beta })}{F_2(r_{x,\alpha })}. \end{aligned}$$

  • If \(\omega \ne \omega ^*\), \(\mathcal {B}\) simulates the merge private key \(sk_{\omega ,\alpha ,\beta }\) for the identity \(\omega \), assigned to leaf v. \(\forall x\in \mathsf{Path}(v)\):

    1. Set \(r_{x,\alpha }\leftarrow \mathsf{F}_{r_\alpha }(\omega \Vert x)\) and \(r_{x,\beta }\leftarrow \mathsf{F}_{r_\beta }(\omega \Vert x)\).

    2. If \(rev=0\), set \((D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\) and update \(sk_{\omega ,\alpha ,\beta }\leftarrow sk_{\omega ,\alpha ,\beta }\cup (x,D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\), where the union symbol is used for the same reason as above:

       $$\begin{aligned} D_{x,\alpha ,\beta }=\frac{F_3(g_{1,\beta },g_{2,\beta },\omega ,t^*,l_{x,\beta },r_{x,\beta })}{F_3(g_{1,\alpha },g_{2,\alpha },\omega ,t^*,l_{x,\alpha },r_{x,\alpha })}, d_{x,\alpha ,\beta }=\frac{F_4(g_{1,\beta },g_{2,\beta },\omega ,r_{x,\beta })}{F_4(g_{1,\alpha },g_{2,\alpha },\omega ,r_{x,\alpha })}. \end{aligned}$$

    3. If \(rev=1\), simulate the merge private key \(sk_{\omega ,\alpha ,\beta }\) depending on \(\mathsf{Path}(v)\) and \(\mathsf{Path}(v^*)\).

       (a) \(\forall x\in (\mathsf{Path}(v)\setminus \mathsf{Path}(v^*))\): set \((D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\) and update \(sk_{\omega ,\alpha ,\beta }\leftarrow sk_{\omega ,\alpha ,\beta }\cup (x,D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\):

           $$\begin{aligned} D_{x,\alpha ,\beta }=\frac{F_3(g_{1,\beta },g_{2,\beta },\omega ,t^*,l_{x,\beta },r_{x,\beta })}{F_3(g_{1,\alpha },g_{2,\alpha },\omega ,t^*,l_{x,\alpha },r_{x,\alpha })}, d_{x,\alpha ,\beta }=\frac{F_4(g_{1,\beta },g_{2,\beta },\omega ,r_{x,\beta })}{F_4(g_{1,\alpha },g_{2,\alpha },\omega ,r_{x,\alpha })}. \end{aligned}$$

       (b) \(\forall x\in (\mathsf{Path}(v)\cap \mathsf{Path}(v^*))\): set \((D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\) and update \(sk_{\omega ,\alpha ,\beta }\leftarrow sk_{\omega ,\alpha ,\beta }\cup (x,D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\):

           $$\begin{aligned} D_{x,\alpha ,\beta }=\frac{F_3(g_{1,\beta },g_{2,\beta },\omega ,\omega ^*,l_{x,\beta },r_{x,\beta })}{F_3(g_{1,\alpha },g_{2,\alpha },\omega ,\omega ^*,l_{x,\alpha },r_{x,\alpha })}, d_{x,\alpha ,\beta }=\frac{F_4(g_{1,\beta },g_{2,\beta },\omega ,r_{x,\beta })}{F_4(g_{1,\alpha },g_{2,\alpha },\omega ,r_{x,\alpha })}. \end{aligned}$$

      Return the private key \(sk_{\omega ,\alpha ,\beta }=\{(x,D_{x,\alpha ,\beta },d_{x,\alpha ,\beta })\}_{x\in \mathsf{Path}(v)}\).
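
The abort condition that \(\mathcal {O_{SK}}\) and \(\mathcal {O_{MSK}}\) apply to the challenging identity when \(rev=0\), as an added example that is not code from the paper. Fig. 1 of the paper is not reproduced on this page; the reading implemented here follows from the form of the merge key in \(\mathcal {O_{MSK}}\): each component of \(sk_{\omega ,\alpha ,\beta }\) is the ratio of the corresponding \(\beta \) and \(\alpha \) components, so whoever holds \(sk_{\omega ^*,\alpha }\) and \(sk_{\omega ^*,\alpha ,\beta }\) obtains \(sk_{\omega ^*,\beta }\) by multiplying, and whoever holds \(sk_{\omega ^*,\beta }\) and the same merge key obtains \(sk_{\omega ^*,\alpha }\) by dividing. The simulator therefore has to abort as soon as \(pk_{i^*}\) is reachable from any system recorded in \(\mathcal {D_{SK}}\) through merge keys recorded in \(\mathcal {D_{MSK}}\), in either direction. The group is stood in for by \(\mathbb {Z}_p^*\) with a fixed prime and one node component per key; this is an assumption for illustration, not a secure instantiation of the scheme, and the names pk1 to pk4 are constructed.

```python
# Added example (not part of the paper): the D_SK / D_MSK abort check for the
# challenge identity w* with rev = 0.  Assumptions: a merge key is the
# component-wise ratio sk_beta / sk_alpha (as in the O_MSK simulation), and the
# pairing group is replaced by Z_p^* for a fixed prime p (illustration only).
from collections import defaultdict, deque
from typing import Dict, Set, Tuple

P = 2**31 - 1            # Mersenne prime for the stand-in group (assumption)
Key = Tuple[int, int]    # one node component (D_x, d_x) of a private key


def inv(a: int) -> int:
    """Multiplicative inverse in Z_p^* (Fermat); a must be non-zero mod p."""
    return pow(a, P - 2, P)


def merge_key(sk_alpha: Key, sk_beta: Key) -> Key:
    """sk_{w,alpha,beta} = (D_{x,beta}/D_{x,alpha}, d_{x,beta}/d_{x,alpha})."""
    return (sk_beta[0] * inv(sk_alpha[0]) % P, sk_beta[1] * inv(sk_alpha[1]) % P)


def forward(sk_alpha: Key, mk: Key) -> Key:
    """Honest use of the merge key: move a key from system alpha into beta."""
    return (sk_alpha[0] * mk[0] % P, sk_alpha[1] * mk[1] % P)


def backward(sk_beta: Key, mk: Key) -> Key:
    """The same merge key also recovers the alpha key from the beta key."""
    return (sk_beta[0] * inv(mk[0]) % P, sk_beta[1] * inv(mk[1]) % P)


class AbortMonitor:
    """Tracks D_SK (systems whose sk_{w*,i} was handed to A) and D_MSK (merge keys
    for w* handed to A) and decides whether sk_{w*,i*} has become derivable."""

    def __init__(self, i_star: str) -> None:
        self.i_star = i_star
        self.d_sk: Set[str] = set()
        self.d_msk: Set[Tuple[str, str]] = set()

    def record_sk(self, pk_i: str) -> bool:
        """O_SK(pk_i, w*) with rev = 0; returns True if B must abort."""
        self.d_sk.add(pk_i)
        return self.must_abort()

    def record_msk(self, pk_alpha: str, pk_beta: str) -> bool:
        """O_MSK(w*, pk_alpha, pk_beta) with rev = 0; returns True if B must abort."""
        self.d_msk.add((pk_alpha, pk_beta))
        return self.must_abort()

    def derivable(self) -> Set[str]:
        """Systems in which A can compute sk_{w*,.}: the closure of D_SK under
        D_MSK, traversed in both directions because the merge key is a ratio."""
        adj: Dict[str, Set[str]] = defaultdict(set)
        for a, b in self.d_msk:
            adj[a].add(b)
            adj[b].add(a)
        seen = set(self.d_sk)
        queue = deque(seen)
        while queue:
            cur = queue.popleft()
            for nxt in adj[cur]:
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def must_abort(self) -> bool:
        return self.i_star in self.derivable()


if __name__ == "__main__":
    sk_a, sk_b = (123456789, 987654321), (42, 1000000007)   # constructed sample keys
    mk = merge_key(sk_a, sk_b)
    print("forward ok:", forward(sk_a, mk) == sk_b, "backward ok:", backward(sk_b, mk) == sk_a)
    mon = AbortMonitor("pk3")
    print([mon.record_sk("pk1"), mon.record_msk("pk2", "pk3"), mon.record_msk("pk1", "pk2")])
```

The bidirectional traversal is the point to notice: a merge key issued between two systems links them for the adversary even if neither is the target, so the third query in the `__main__` demo (a merge key between pk1 and pk2, after pk2 and pk3 were already linked) is what forces the abort.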

Output: \(\mathcal {A}\) outputs two messages \(m_0\) and \(m_1\). Using the bit \(b\) chosen in Setup, \(\mathcal {B}\) generates the challenging ciphertext \(c^*=(c_1^*,c_2^*,c_{\omega ^*},c_{t^*})\) and sends \(c^*\) to \(\mathcal {A}\). \(\mathcal {A}\) outputs a bit d. If \(b=d\), \(\mathcal {B}\) outputs 1, else it outputs 0.

$$\begin{aligned} c_1^*=m_b\cdot W^{r_{1,{\omega ^*}}\cdot r_{2,{\omega ^*}}}, c_2^*=Z, c_{\omega ^*}=Z^{f(\omega ^*)}, c_{t^*}=Z^{f(t^*)}. \end{aligned}$$

If any oracle aborts, \(\mathcal {B}\) outputs 1.

A.1 Analysis

Let \(\mathsf{sreal, srand}\) denote the events that none of the oracles abort in \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-real}(k)\), \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)\) respectively. Then

$$\begin{aligned} \Pr [\mathsf{sreal}]=\Pr [\mathsf{srand}]\ge 1/2. \end{aligned}$$

The probability that the \(\mathcal {O_{SK}}(pk_i,\omega )\), \(\mathcal {O_{MSK}}(\omega ,pk_\alpha ,pk_\beta )\) and \(\mathcal {O_{KU}}(pk_i,t)\) oracles abort depends on the bit \(rev\), which is chosen independently of whether \(\mathcal {B}\) is in \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-real}(k)\) or \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)\). So, \(\Pr [\mathsf{sreal}]=\Pr [\mathsf{srand}]\).

The \(\mathcal {O_{SK}}(pk_i,\omega )\) and \(\mathcal {O_{MSK}}(\omega ,pk_\alpha ,pk_\beta )\) oracles can be queried on \(\omega ^*\) without constraint only if the \(\mathcal {O_R}(\omega ,t)\) oracle was queried on \((\omega ^*,t)\) for some \(t\le t^*\). Thus, we have

$$\begin{aligned}&\Pr [\omega =\omega ^*]\le \Pr [(\omega ^*,t)\in rl_{\omega ^*}, \forall t\le t^* ]\\\Rightarrow & {} 1-\Pr [\omega =\omega ^*]\ge \Pr [(\omega ^*,t)\not \in rl_{\omega ^*},\forall t\le t^*]\\\Rightarrow & {} 1-\Pr [\omega =\omega ^*]\ge \Pr [(t=t^*)\wedge (\omega ^*,t)\not \in rl_{\omega ^*},\forall t\le t^*]\\ \end{aligned}$$

We see that the \(\mathcal {O_{SK}}(pk_i,\omega )\) and \(\mathcal {O_{MSK}}(\omega ,pk_\alpha ,pk_\beta )\) oracles abort only if \(rev=0\) and \(\omega =\omega ^*\), and the \(\mathcal {O_{KU}}(pk_i,t)\) oracle aborts only if \(rev=1\), \(t=t^*\) and \((\omega ^*,t)\not \in rl_{\omega ^*}\) for all \(t\le t^*\). Thus,

$$\begin{aligned} \Pr [\overline{\mathsf{sreal}}]= & {} \Pr [(rev=0)\wedge (\omega =\omega ^*)]\\&+\,\Pr [(rev=1)\wedge (t=t^*)\wedge ((\omega ^*,t)\not \in rl_{\omega ^*},\forall t\le t^*)]\\= & {} \Pr [rev=0]\cdot \Pr [\omega =\omega ^*]\\&+\,\Pr [rev=1]\cdot \Pr [(t=t^*)\wedge ((\omega ^*,t)\not \in rl_{\omega ^*},\forall t\le t^*)]\\\le & {} 1/2 \cdot \Pr [\omega =\omega ^*]+\frac{1}{2}(1-\Pr [\omega =\omega ^*]) \le 1/2 \end{aligned}$$

\(\mathcal {B}\) simulates the exact experiment \(\mathsf{Exp}_{\mathcal {MRIBE,A},N,N_S}^{smrid-cpa}(k)\) for \(\mathcal {A}\) when \(\mathcal {B}\) is in \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-real}(k)\) and none of the oracles abort. So,

$$\begin{aligned} \Pr \left[ \mathsf{Exp}_{\mathcal {G,B}}^{dbdh-real}(k)=1|\mathsf{sreal}\right] \ge \Pr \left[ \mathsf{Exp}_{\mathcal {MRIBE,A},N,N_S}^{smrid-cpa}(k)=1\right] . \end{aligned}$$

When \(\mathcal {B}\) is in \(\mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)\) and none of the oracles abort, then, as explained earlier, the bit b is information-theoretically hidden from \(\mathcal {A}\). So,

$$\begin{aligned} \Pr \left[ \mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)=1|\mathsf{srand} \right] \le 1/2. \end{aligned}$$

Also, since \(\mathcal {B}\) outputs 1 whenever an oracle aborts,

$$\begin{aligned} \Pr \left[ \mathsf{Exp}_{\mathcal {G,B}}^{dbdh-real}(k)=1|\overline{\mathsf{sreal}}\right] =1,\\ \Pr \left[ \mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)=1|\overline{\mathsf{srand}}\right] =1.\\ \end{aligned}$$

Thus,

$$\begin{aligned} \mathsf{Adv}_{\mathcal {G,B}}^{dbdh}(k)= & {} \Pr \left[ \mathsf{Exp}_\mathcal {G,B}^{dbdh-real}(k)=1\right] -\Pr \left[ \mathsf{Exp}_{\mathcal {G,B}}^{dbdh-rand}(k)=1\right] \\\ge & {} 1/2\cdot \left( \Pr \left[ \mathsf{Exp}_\mathcal {G,B}^{dbdh-real}(k)=1|\mathsf{sreal}\right] - \frac{1}{2} \right) \\\ge & {} 1/2\cdot \frac{1}{2}\cdot \left( 2\cdot \Pr \left[ \mathsf{Exp}_\mathcal {G,B}^{dbdh-real}(k)=1|\mathsf{sreal}\right] - 1 \right) \\\ge & {} 1/2\cdot \mathsf{Adv}_{\mathcal {MRIBE,A},N,N_S}^{smrid-cpa}(k). \end{aligned}$$

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Xu, S., Yang, G., Mu, Y., Susilo, W. (2017). Mergeable and Revocable Identity-Based Encryption. In: Pieprzyk, J., Suriadi, S. (eds) Information Security and Privacy. ACISP 2017. Lecture Notes in Computer Science, vol 10342. Springer, Cham. https://doi.org/10.1007/978-3-319-60055-0_8

  • DOI: https://doi.org/10.1007/978-3-319-60055-0_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-60054-3

  • Online ISBN: 978-3-319-60055-0
