Normal ： Simi-fuctional ：

Normal ： Simi-fuctional ：

Game real : Real security game restrictedGame restricted : Real security game except that the attacker cannot ask for keys for identities which are equal to the challenge identity modulo p 2. Game k : This is like the restricted security game, except that the ciphertext given to the attacker is semi-functional and the first k keys are semi-functional. The rest of the keys are normal. Game final : same as Game q except that the ciphertext is a semi-functional encryption of a random message, not one of the two messages requested by the attacker.

restrictedGame real Game restricted CB A g, X 1 X 2, X 3, Y 2 Y 3, T PK = {N,u=g a,g,h=g b,e(g,g) α } K 1 =g r X 3 t K 2 =g α (u ID h) r X 3 t ` ID (M 0,M 1,ID*) C 0 =M β e(g,g) αs, C 1 =((u ID* h) s ), C 2 =g s

restricted0Game restricted Game 0 CB A g, X 3, T PK = {N,u=g a,g,h=g b,e(g,g) α } K 1 =g r X 3 t K 2 =g α (u ID h) r X 3 t ` ID (M 0,M 1,ID*) C 0 =M β e(T,g) αs, C 1 =T aID*+b, C 2 =T β` b`

k-1Game k-1 Game k CB A g, X 1 X 2, X 3, Y 2 Y 3, T PK = {N,u=g a,g,h=g b,e(g,g) α } if i>k K 1 =g ri X 3 ti K 2 =g α (u IDi h) ri X 3 ti ` ID i (M 0,M 1,ID*) C 0 =M β e(X 1 X 2,g) αs, C 1 =(X 1 X 2 ) aID*+b, C 2 =X 1 X 2 β` b` if i>k K 1 =g ri (Y 2 Y 3 ) ti K 2 =g α (u IDi h) ri (Y 2 Y 3 ) ti ` if i=k K 1 =T K 2 =g α T aIDk+b X 3 ti `

finalGame q Game final CB A g, g α X 2, X 3, g s Y 2, Z 2, T PK = {N,u=g a,g,h=g b,e(g,g) α =e(g α X 2,g)} K 1 =g r Z 2 θ X 3 t K 2 =g α (u ID h) r Z 2 θ` X 3 t ` ID (M 0,M 1,ID*) C 0 =M β T, C 1 =(g s Y 2 ) aID*+b, C 2 =g s Y 2