Provable Security Analysis on Unbounded Hierarchical Identity-Based Encryption and Attribute-Based Encryption

In order to improve the communication cost, in Eurocrypt'11, Lewko and Waters proposed a unbounded hierarchical identity-based encryption scheme (UHIBE) and an unbounded attribute-based encryption scheme (UABE) that support "unbounded depth" of identities and attributes, which means that the public parameters do not impose the predetermined maximum delegation hierarchy in HIBE or number of attributes in ABE. In this work, we show that the Lewko-Waters unbounded HIBE and ABE are insecure, which do not obtain the security against chosen-plaintext attacks that they declared. Explicitly, we indicate that an attacker can succeed in forging a well-formed secret key after s/he queries the related non-match key. The main weakness of their schemes is that the schemes rely on the secret sharing of the master key, however, the secret sharing scheme holds the commutative law, but identity string in HIBE and access structure in ABE do not hold the commutative property since the identity string and access structure are tree-based data structure models.