With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. Therefore, these data must be encrypted before uploading to the cloud to ensure the confidentiality. To achieve the confidentiality of data and enjoy cloud services, a notion of identity-based encryption with equality test (IBEET) was proposed. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. The equality test can be applied to the wireless body area network system in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether which patient’s status is abnormal. Indeed, revoking illegal or expired users on any cryptosystem is an important issue. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with an equality test, called RIBEET. Based on the notion, we present the first RIBEET scheme. Meanwhile, the proposed scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

1. Introduction

With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. To ensure the confidentiality of data, several encryption mechanisms [1–4] have been applied to cloud computing. Identity-based encryption (IBE) [5] is one of the encryption mechanisms of public key systems. The system of an IBE contains two roles: the private key generator (PKG) and users (including senders and receivers). Each user utilizes his own identity (e.g., e-mail address, name, or social security number) to register with the PKG to obtain a private key. Senders can regard the identity of the receiver as a public key to encrypt private data. After receiving the encrypted message (ciphertext), the receiver can decrypt it with her/his own private key.

To achieve the confidentiality of data and enjoy cloud services, the first identity-based encryption with equality test (IBEET) was proposed by Ma [6]. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. Ma [6] also gave an application of IBEET used to classify encrypted e-mails. Each encrypted e-mail can be attached with a tag for classification, while the tag can be encrypted under different public keys in the IBEET system. An e-mail server in the cloud can test the equality of any two encrypted tags to classify encrypted e-mails. Subsequently, many studies on IBEET have been published in the literature [7–11].

The equality test can be applied to the wireless body area network (WBAN) system [12–17] in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether the patient’s status is abnormal. Figure 1 shows the architecture of WBANs. A patient is equipped with wearable sensors to collect her/his health record data from sensors of electroencephalogram (EEG), electrocardiogram (ECG), blood pressure, pulse oximeter, insulin pump, electromyogram (EMG), and motion. These health record data are encrypted through the mobile device and uploaded to the cloud server. On the other hand, the medical institution also uploads the patient’s encrypted health data to the cloud server. The ciphertexts can be tested for equality without knowing the health data of the patient by the cloud server. If the patient’s health data are different from the medical institution’s health data, it means that the patient’s health data are abnormal.

Details are in the caption following the image — **Figure 1**
Open in figure viewer PowerPoint

The architecture of WBAN.

Indeed, revoking illegal or expired users on any cryptosystem is an important issue. In the traditional public key cryptosystem (PKC), public key infrastructures (PKI) must be established to manage each user’s certificate which links the user’s identity and public key. In addition, the certificate revocation list [18] is also included in the PKI to revoke illegal or expired users. In identity-based public key cryptosystems (ID-PKC), the first IBE was presented by Boneh and Franklin [5] in which a user can be revoked by the PKG, who sends new private keys for all nonrevoked users at each period, if the user did not receive the new private key. So far, many literatures related to revocable IBE [19–26] have been published. To the best of our knowledge, there is little research on design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. Based on the notion, we present the first RIBEET scheme. Meanwhile, the scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

1.1. Related Work

In the era of advanced network communication, cloud computing is an indispensable part. The terminal devices on the user side usually do not have high-performance computing power. However, users can entrust large computing tasks to the cloud. Then, the cloud will return the corresponding results to users after finishing the tasks. Indeed, the cloud can assist each user in performing tasks that require a lot of computation, but it also means that the cloud can know each user’s data if the data is not encrypted. Typically, users will encrypt data to the cloud if the data is sensitive or private. In addition, encrypted data also needs to be quickly retrieved from the cloud. To achieve this function, several schemes [3, 4, 27, 28] related to public key encryption with a keyword search were proposed. Although these schemes can retrieve encrypted data, only data encrypted under the same public key can be retrieved.

To support searchable encrypted data under different public keys, Yang et al. [29] proposed a comparison mechanism of two ciphertexts encrypted under different public keys in the traditional public key cryptosystem, called public key encryption with equality test (PKEET). However, the traditional public key cryptosystem must rely on the public key infrastructure to manage each user’s certificate which links the user’s identity and her/his public key. To avoid the use of public key infrastructure and certificates, Shamir [30] introduced a new concept of ID-PKC in which a user’s public key is her/his identity such as name, e-mail, or telephone number. In this way, certificates will no longer be needed in the ID-PKC since the public key is meaningful and can represent the user’s identity. Combining the concepts of PKEET and ID-PKC, Ma [6] proposed the first identity-based encryption with equality test, called IBEET. To consider more types of authorizations, Li et al. [31] proposed the IBEET scheme with four types of authorizations. Unfortunately, the proposed scheme of Li et al. [31] is not suitable for the IoT environment because the performance of the scheme is not good. Immediately, Elhabob et al. [10] proposed another IBEET scheme with four types of authorizations which has higher performance.

For the issue of user revocation in the ID-PKC, Boneh and Franklin [5] suggested that the new private keys should be resent to users who have not been revoked at different periods. As a result, secure channels will be established to send these private keys, and the PKG’s workload will also increase. To reduce the PKG’s workload, Boldyreva et al. [19] hired a binary tree to propose an IBE scheme with user revocation, named revocable IBE (RIBE). However, Boldyreva et al.’s scheme [19] only satisfied the selective-ID security. Later, Libert and Vergnaud [20] proposed another RIBE scheme which meets the adaptive-ID security. A mechanism for revoking users through public channels was proposed by Tseng and Tsai [21], in which each user’s full private key is divided into two parts: a fixed key and a time updated key. The fixed key is delivered to the user through secure channels only once, while the time updated key is delivered to the user through public channels at different periods. Users can be revoked if they do not receive the new time updated keys. For the security of decryption key exposure, Seo and Emura [22] proposed a new RIBE scheme to enhance the security. To reduce the length of public parameters and meet the security of decryption key exposure resistance, Watanabe et al. [23] presented another RIBE scheme. In addition, several lattice-based RIBE schemes [24–26] were proposed to resist quantum attacks.

1.2. Motivation

As mentioned earlier, revoking illegal or expired users on any cryptosystem is still an important issue. In the traditional PKC, the PKEET [29] can hire the certificate revocation list [18] to revoke illegal or expired users. However, the IBE [5] cannot effectively revoke illegal or expired users in the ID-PKC, so the RIBE [21] was proposed. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET [6]. Table 1 shows the comparisons between the PKEET [29], the IBE [5], the RIBE [21], the IBEET [6], and our RIBEET in terms of public key setting, avoiding the use of certificates, supporting the equality test of ciphertexts, and providing user revocation. Hence, we attempt to propose the first revocable identity-based encryption with equality test, called RIBEET.

Table 1. Comparisons between the existing schemes and our RIBEET scheme.

Schemes	Public key setting	Avoiding the use of certificates	Supporting equality test of ciphertexts	Providing user revocation
PKEET [29]	PKI-based	No	Yes	Yes
IBE [5]	ID-based	Yes	No	No
RIBE [21]	ID-based	Yes	No	Yes
IBEET [6]	ID-based	Yes	Yes	No
Our RIBEET	ID-based	Yes	Yes	Yes

1.3. Contribution and Organization

Although the existing RIBE schemes [21–26] provide a mechanism to revoke users, they do not extend to support the equality test for ciphertexts. On the other hand, the existing IBEET schemes [6, 10, 31] do not support to revoke users. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. In the following, we list specific contributions.

(i)
Based on the existing syntax and security notions of IBEET, we consider the property of user revocation to define a new syntax and security notions of RIBEET
(ii)
Following the syntax of RIBEET, a concrete RIBEET scheme is proposed
(iii)
In the security notions of RIBEET, the proposed scheme is proven to be secure under the bilinear Diffie-Hellman (BDH) assumption
(iv)
We compare the proposed scheme with the previous RIBE scheme and IBEET scheme. We demonstrate that the proposed scheme not only provides user revocation but also supports the equality test for ciphertexts

The rest of the article includes six sections. Preliminaries are given in Section 2. Section 3 presents the syntax and security notions of RIBEET. A concrete RIBEET scheme is proposed in Section 4. The security analysis of the RIBEET scheme is shown in Section 5. We compare the RIBEET scheme with other existing schemes in Section 6. The last section gives the conclusion.

2. Preliminaries

In this section, we introduce two definitions related to a mathematical tool and security assumption. We hire the bilinear pairings [5] as a mathematical tool to construct our RIBEET scheme. To prove the security of the proposed scheme, we consider the bilinear Diffie-Hellman (BDH) problem and then give a BDH assumption [6]. The definition of the bilinear pairings is given as follows.

Definition 1. Let G₁, G₂, and G_T be three multiplicative cyclic groups of a prime order q. Assume that a mapping is an asymmetric bilinear map. Then, the map satisfies the following properties.

(1)
Bilinearity: for g₁ ∈ G₁, g₂ ∈ G₂, and
(2)
Nondegeneracy: for some g₁ ∈ G₁ and g₂ ∈ G₂
(3)
Computability: can be efficiently computed for g₁ ∈ G₁, g₂ ∈ G₂

For the asymmetric bilinear map, the BDH problem is to compute by given a tuple . We define the BDH assumption as follows.

Definition 2. On inputting a tuple , we say that the BDH problem holds if no algorithm has nonnegligible advantage in computing . The advantage can be denoted as .

3. Syntax and Security Notions

3.1. Syntax of RIBEET

Based on the syntax of IBEET schemes [6], we employ the revocation technique [21] to present a new syntax of RIBEET depicted in Figure 2 which consists of three roles and seven algorithms, namely Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. The first role is the private key generator (PKG) who is responsible for executing the first three algorithms, and the second role is the users who can, respectively, utilize Encryption, Decryption, and Trapdoor algorithms for encryption, decryption, and authorization. The last role is the cloud server (CS) who runs the Test algorithm to compare the two ciphertexts. For the user revocation, we use Figure 3 to illustrate how users are revoked by the PKG. If the PKG stops sending the time key to a user, it means that the user has been revoked since both initial key and time key are required to execute Decryption and Trapdoor algorithms. Here, we arrange some notations used in these algorithms in Table 2. The algorithms of RIBEET are described in detail as follows.

(i)
Setup: this algorithm is performed by the PKG who takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk
(ii)
InitialKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, and a user’s identity ID ∈ {0, 1}^∗ as input to produce user initial key IK_ID
(iii)
TimeKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, a user’s identity ID ∈ {0, 1}^∗, and a period T ∈ SLT as input to produce user time key TK_ID
(iv)
Encryption: this algorithm is performed by a user (sender) who takes the public system parameter PSP, a user’s identity ID ∈ {0, 1}^∗, a period T ∈ SLT, and a message M ∈ {0, 1}^λ as input to produce a ciphertext CT
(v)
Decryption: this algorithm is performed by a user (receiver) who takes the public system parameter PSP, the receiver’s initial key IK_ID, the receiver’s time key TK_ID, and the ciphertext CT as input to produce the message M
(vi)
Trapdoor: this algorithm is performed by a user who takes her/his initial key IK_ID and time key TK_ID as input to produce the trapdoor TD_ID
(vii)
Test: this algorithm is performed by the CS who takes the public system parameters PSP and two ciphertext-trapdoor pairs (CT_ζ, TD_ζ) and (CT_η, TD_η) from any two users U_ζ and U_η as input to produce 1 or 0

Table 2. Notations.

Notations	Meaning
PSP	The public system parameters
SLT	The system life time
mpk	The master private key
ID	The user’s identity
IK_ID	The user initial key
TK_ID	The user time key
M	The message
CT	The ciphertext
TD_ID	The trapdoor
(CT_ζ, TD_ζ)	The ciphertext-trapdoor pair of the user U_ζ
(CT_η, TD_η)	The ciphertext-trapdoor pair of the user U_η

3.2. Security Notions of RIBEET

In this section, we define the security notions of RIBEET which includes four types of adversaries. Two of these types are the same as the security notions of IBEET [6]. Considering the revoked users from RIBEET, we need to add two types of adversaries in the security notions. These four types of adversaries are presented as follows.

(1)
Type I adversary: such an adversary can obtain all information (including time key TK_ID) transmitted through public channels. The adversary can be regarded as an outside attacker
(2)
Type II adversary: such an adversary owns her/his initial key IK_ID, but he does not have the current time key TK_ID. The adversary can be regarded as a revoked user
(3)
Type III adversary: this adversary is identical to the type I adversary, except that she/he possesses the trapdoor TD
(4)
Type IV adversary: this adversary is identical to the type II adversary, except that she/he possesses the trapdoor TD

Following the security notions of IBEET [6], we consider revoked users to define the new security notions of RIBEET. Definitions 3 and 4, respectively, are given to state IND-ID-CCA and OW-ID-CCA security of an RIBEET scheme.

Definition 3 (IND-ID-CCA). Let be a type I or type II adversary for an RIBEET scheme and be a challenger in the following game. The scheme is IND-ID-CCA secure if the advantage that wins the game is negligible.

(1)
Setup. The challenger takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk. The public system parameters PSP and the system life time SLT are sent to the adversary
(2)
Phase 1. Several queries below can be issued by the adversary

(a)
InitialKey query(ID): given an identity ID, the challenger generates an initial key IK_ID as the response by running the InitialKey algorithm of the RIBEET scheme
(b)
TimeKey query(ID, T): given an identity ID and a period T, the challenger generates a time key TK_ID as the response by running the TimeKey algorithm of the RIBEET scheme
(c)
Decryption query(ID, T, CT): given an identity ID, a period T, and a ciphertext CT, the challenger generates the resulting message M as the response by running the Decryption of the RIBEET scheme
(d)
Trapdoor query(ID, T): given an identity ID and a period T, the challenger generates a trapdoor TD_ID as the response by running the Trapdoor of the RIBEET scheme

(3)
Challenge. Two messages , , an identity ID^∗, and a period T^∗ are submitted by the adversary . The challenger chooses from these two messages, where is a random coin. The challenger then generates a ciphertext CT^∗ as the challenge one by running the Encryption of the RIBEET scheme with . Here, the following restrictions must be satisfied
- (i)
  The adversary cannot issue the Trapdoor query with ID^∗
- (ii)
  The adversary cannot issue the InitialKey query with ID^∗ if it is the type I adversary
- (iii)
  The adversary cannot issue the TimeKey query with (ID^∗, T^∗) if it is the type II adversary
(4)
Phase 2. Under the above restrictions, can execute the same tasks as in phase 1
(5)
Guess. The adversary outputs a guess and wins the game if . The advantage that wins the game can be denoted as

Definition 4 (OW-ID-CCA). Let be a type III or type IV adversary for an RIBEET scheme and be a challenger in the following game. The scheme is OW-ID-CCA secure if the advantage that wins the game is negligible.

(1)
Setup. The challenger takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk. The public system parameters PSP and the system life time SLT are sent to the adversary
(2)
Phase 1. Several queries below can be issued by the adversary

(a)
InitialKey query(ID): given an identity ID, the challenger generates an initial key IK_ID as the response by running the InitialKey algorithm of the RIBEET scheme
(b)
TimeKey query(ID, T): given an identity ID and a period T, the challenger generates a time key TK_ID as the response by running the TimeKey algorithm of the RIBEET scheme
(c)
Decryption query(ID, T, CT): given an identity ID, a period T, and a ciphertext CT, the challenger generates the resulting message M as the response by running the Decryption of the RIBEET scheme
(d)
Trapdoor query(ID, T): given an identity ID and a period T, the challenger generates a trapdoor TD_ID as the response by running the Trapdoor of the RIBEET scheme

(3)
Challenge. An identity ID^∗ and a period T^∗ are submitted by the adversary . The challenger randomly chooses M^∗ and then generates a ciphertext CT^∗ as the challenge one by running the Encryption of the RIBEET scheme with (ID^∗, T^∗, M^∗). Here, the following restrictions must be satisfied

(a)
The adversary cannot issue the InitialKey query with ID^∗ if it is the type III adversary
(b)
The adversary cannot issue the TimeKey query with (ID^∗, T^∗) if it is the type IV adversary

(4)
Phase 2. Under the above restrictions, can execute the same tasks as in phase 1
(5)
Guess. The adversary outputs a guess M^′ and wins the game if M^∗ = M^′. The advantage that wins the game can be denoted as .

4. Concrete RIBEET Scheme

A revocable identity-based encryption with equality test scheme, which we denote by RIBEET, consists of algorithms Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. Each of the algorithms is described as follows.

(1)
Setup: this algorithm is performed by the PKG who takes a security parameter k and a time period t as input to produce an asymmetric bilinear map and a system life time SLT = {T₀, T₁, ⋯, T_t}, where G₁, G₂, and G_T are multiplicative cyclic groups of prime order q. The PKG first chooses two arbitrary generators g₁ ∈ G₁ and g₂ ∈ G₂ and picks eight cryptographic one-way hash functions H₁ : {0, 1}^∗⟶G₂, H₂ : {0, 1}^∗⟶G₂, H₃ : {0, 1}^∗⟶G₂, H₄ : {0, 1}^∗⟶G₂, H₅ : G_T × G₁ × G₁⟶{0, 1}^λ+l, H₆ : {0, 1}^λ⟶G₂, , and H₈ : G_T⟶G₂, where λ and l are fixed lengths. Then, a random value is chosen, and is computed. The public system parameters are , the system life time is SLT = {T₀, T₁, ⋯, T_t}, and the master private key is mpk = s
(2)
InitialKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, and a user’s identity ID ∈ {0, 1}^∗ as input to produce user initial key
(1)

Here, the procedure of this algorithm is depicted in Figure 4.

(3)
TimeKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, a user’s identity ID ∈ {0, 1}^∗, and a period T ∈ SLT as input to produce user time key
(2)

Here, the procedure of this algorithm is depicted in Figure 5.

(4)
Encryption: this algorithm is performed by a sender who takes the public system parameter PSP, a user’s identity ID ∈ {0, 1}^∗, a period T ∈ SLT, and a message M ∈ {0, 1}^λ as input to produce ciphertexts CT = (CT₁, CT₂, CT₃, CT₄) which are shown as follows

Here, r = H₇(M, V) and the two values V ∈ {0, 1}^l and

are chosen in random.

(5)
Decryption: this algorithm is performed by a receiver who takes the public system parameter PSP, the receiver’s initial key IK_ID = (IK_ID1, IK_ID2), the receiver’s time key TK_ID = (TK_ID1, TK_ID2), and the ciphertext CT = (CT₁, CT₂, CT₃, CT₄) as input to produce the message M. The detailed process is shown as follows:

(a)
Compute to obtain M^′||V^′
(b)
Compute r^′ = H₇(M^′, V^′)
(c)
Produce the message M^′ as M if and both hold

The correctness of obtaining M^′||V^′ can be demonstrated as follows.

(3)

(6)
Trapdoor: this algorithm is performed by a user who takes her/his initial key IK_ID = (IK_ID1, IK_ID2) and time key TK_ID = (TK_ID1, TK_ID2) as input to produce the trapdoor TD_ID = IK_ID2 · TK_ID2 = H₂(ID)^s · H₄(ID, T)^s
(7)
Test: this algorithm is performed by the CS who takes the public system parameters PSP and two ciphertext-trapdoor pairs (CT_ζ, TD_ζ) and (CT_η, TD_η), where CT_ζ = (CT_ζ1, CT_ζ2, CT_ζ3, CT_ζ4) and CT_η = (CT_η1, CT_η2, CT_η3, CT_η4), from any two users U_ζ and U_η as input to produce 1 or 0 according to the following steps

(a)
Compute R_ζ and R_η as follows:

(i)
(ii)

(b)
Compute and

(i)
(ii)

In the following, we present the details of [leftmargin = 0em]

(i)
(ii)

5. Security Analysis

In this section, we give four theorems to show that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries.

Theorem 5. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that is a PPT type 1 adversary who has at least ε advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage

(4)

where

, q_IK, q_T, q_D, and e, respectively, are the number of queries to random oracle H₅, random oracle H₈, Initialkey query, Trapdoor query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer A = can be found by interacting with the PPT type I adversary in the following security game.

(1)
Setup: the challenger utilizes the BDH tuple to set and then generates the public system parameters , where H_i is a random oracle for i = 1, 2, ⋯, 8. In addition, the system life time SLT = {T₀, T₁, ⋯, T_t} can be generated by the challenger . Then, gives the public system parameters PSP and system life time SLT. Here, the adversary can issue queries to each random oracle as follows
- (a)
  H₁query(ID): can utilize ID to obtain a response to the random oracle H₁ from the challenger . To obtain the response, maintains a list, called ListH₁ which is composed of tuples, and the format of the tuple is 〈ID, U_ID, u, rb〉. The response is acquired from the ListH₁ which is initially empty and can be updated by the following steps
  - (i)
    returns U_ID as the response if ID exists in a tuple 〈ID, U_ID, u, rb〉 from the ListH₁

(ii)
Otherwise, picks a random value and a random bit rb ∈ {0, 1} to compute

(5)

where Pr[rb = 0] = δ and Pr[rb = 1] = 1 − δ (which will be discussed later). Then,

adds the tuple 〈ID, U_ID, u, rb〉 to the ListH₁ and returns U_ID to

(b)
H₂query(ID): can utilize ID to obtain a response to the random oracle H₂ from the challenger . To obtain the response, maintains a list, called ListH₂ which is composed of tuples, and the format of the tuple is 〈ID, V_ID, v, rb〉. The response is acquired from the ListH₂ which is initially empty and can be updated by the following steps:
(a)
returns V_ID as the response if ID exists in a tuple 〈ID, V_ID, v, rb〉 from the ListH₂
(b)
Otherwise, picks a random value and utilizes ID to find rb in the ListH₂. Then, computes

(6)

and adds the tuple 〈ID, V_ID, v, rb〉 to ListH₂.

returns V_ID to

(c)
H₃query(ID, T): can utilize (ID, T) to obtain a response to the random oracle H₃ from the challenger . To obtain the response, maintains a list, called ListH₃ which is composed of tuples, and the format of the tuple is 〈ID, T, U_IDT, η〉. The response is acquired from the ListH₃ which is initially empty and can be updated by the following steps

(i)
returns U_IDT as the response if (ID, T) exists in a tuple 〈ID, T, U_IDT, η〉 from the ListH₃
(ii)
Otherwise, picks a random value to compute . Then, adds the tuple 〈ID, T, U_IDT, η〉 to the ListH₃ and returns U_IDT to

(d)
H₄query(ID, T): can utilize (ID, T) to obtain a response to the random oracle H₄ from the challenger . To obtain the response, maintains a list, called ListH₄ which is composed of tuples, and the format of the tuple is 〈ID, T, V_IDT, ζ〉. The response is acquired from the ListH₄ which is initially empty and can be updated by the following steps

(i)
returns V_IDT as the response if (ID, T) exists in a tuple 〈ID, T, V_IDT, ζ〉 from the ListH₄
(ii)
Otherwise, picks a random value to compute . Then, adds the tuple 〈ID, T, V_IDT, ζ〉 to the ListH₄ and returns V_IDT to

(e)
H₅query(W, CT₁, CT₂): can utilize (W, CT₁, CT₂) to obtain a response to the random oracle H₅ from the challenger . To obtain the response, maintains a list, called ListH₅ which is composed of tuples, and the format of the tuple is 〈W, CT₁, CT₂, ω〉. The response is acquired from the ListH₅ which is initially empty and can be updated by the following steps

(i)
returns ω as the response if (W, CT₁, CT₂) exists in a tuple 〈W, CT₁, CT₂, ω〉 from the ListH₅
(ii)
Otherwise, picks a random value ω ∈ {0, 1}^λ+l and adds the tuple 〈W, CT₁, CT₂, ω〉 to the ListH₅. Then, returns ω to

(f)
H₆query(M): can utilize M to obtain a response to the random oracle H₆ from the challenger . To obtain the response, maintains a list, called ListH₆ which is composed of tuples, and the format of the tuple is 〈M, Q〉. The response is acquired from the ListH₆ which is initially empty and can be updated by the following steps

(i)
returns Q as the response if M exists in a tuple 〈M, Q〉 from the ListH₆
(ii)
Otherwise, picks a random point Q ∈ G₂ and adds the tuple 〈M, Q〉 to the ListH₆. Then, returns Q to

(g)
H₇query(M, V): can utilize (M, V) to obtain a response to the random oracle H₇ from the challenger . To obtain the response, maintains a list, called ListH₇ which is composed of tuples, and the format of the tuple is 〈M, V, γ〉. The response is acquired from the ListH₇ which is initially empty and can be updated by the following steps

(i)
returns γ as the response if (M, V) exists in a tuple 〈M, V, γ〉 from the ListH₇
(ii)
Otherwise, picks a random value and adds the tuple 〈M, V, γ〉 to the ListH₇. Then, returns γ to

(h)
H₈query(N): can utilize N to obtain a response to the random oracle H₈ from the challenger . To obtain the response, maintains a list, called ListH₈ which is composed of tuples, and the format of the tuple is 〈N, S〉. The response is acquired from the ListH₈ which is initially empty and can be updated by the following steps

(i)
returns S as the response if N exists in a tuple 〈N, S〉 from the ListH₈
(ii)
Otherwise, picks a random point S ∈ G₂ and adds the tuple 〈N, S〉 to the ListH₈. Then, returns S to

(2)
Phase 1: the adversary can, respectively, utilize ID, (ID, T), (ID, T, CT) and (ID, T) to issue the InitialKey query, Timekey query, Decryption query, and Trapdoor query. The response to each query can be obtained as follows

(a)
InitialKey query(ID): utilizes ID to issue the query, while , respectively, finds the corresponding tuples 〈ID, U_ID, u, rb〉 and 〈ID, V_ID, v, rb〉 from the ListH₁ and the ListH₂ according to ID. If rb = 1, interrupts this game. If rb = 0, use u and v to define . Then returns IK_ID as the user initial key to
(b)
Timekey query(ID, T): utilizes (ID, T) to issue the query, while , respectively, finds the corresponding tuples 〈ID, T, U_IDT, η〉 and 〈ID, T, V_IDT, ζ〉 from the ListH₃ and the ListH₄ according to (ID, T). use η and ζ to define . Then, returns TK_ID as the user time key to
(c)
Decryption query(ID, T, CT): utilizes (ID, T, CT) to issue the query, while , respectively, finds the corresponding tuples 〈ID, U_ID, u, rb〉, 〈ID, V_ID, v, rb〉, 〈ID, T, U_IDT, η〉, and 〈ID, T, V_IDT, ζ〉 from the ListH₁, ListH₂, ListH₃, and the ListH₄ according to ID and T. The response of this query is acquired from these lists by performing the following tasks

(i)
If rb = 0, , respectively, uses ID and (ID, T) to run InitialKeyquery and Timekey query to obtain IK_ID and TK_ID. Then, utilizes IK_ID, TK_ID, and CT to run the Decryption algorithm to produce the message M which is sent to
(ii)
If rb = 1, utilizes CT₁ and CT₂, which are from CT = (CT₁, CT₂, CT₃, CT₄), to find the corresponding tuple 〈W, CT₁, CT₂, ω〉 from the ListH₅. Then, M^′||V^′ = CT₃ ⊕ ω can be computed by using CT₃ and ω. Further, utilizes M^′ and V^′ to find the corresponding tuples 〈M, V, γ〉 from the ListH₇ and 〈M, Q〉 from the ListH₆. Obviously, γ and Q can be obtained. If S can be found in the corresponding tuple 〈N, S〉 from the ListH₈ such that CT₄ = Q^γ · S holds, will confirm whether holds. If , the message M^′ is sent to

(d)
Trapdoor query(ID, T): utilizes (ID, T) to issue the query, while , respectively, uses ID and (ID, T) to run InitialKey query and Timekey query to obtain IK_ID = (IK_ID1, IK_ID2) and TK_ID = (TK_ID1, TK_ID2). Then, utilizes IK_ID2 and TK_ID2 to produce the trapdoor TD_ID = IK_ID2 · TK_ID2 which is sent to

(3)
Challenge: when the phase 1 is over, outputs a tuple as the target of the challenge. utilizes ID^∗ to find the corresponding tuples 〈ID, U_ID, u, rb〉 from the ListH₁. If rb = 0, interrupts this game. If rb = 1, randomly selects and V ∈ {0, 1}^l to run H₇ query with and V. Then, γ can be obtained. utilizes γ to set . In addition, sets , while a random value CT₃ ∈ {0, 1}^λ+l and a random point are chosen. Finally, the challenge ciphertext is sent to
(4)
Phase 2: can issue the same query as phase 1, but it must be under the condition of ID ≠ ID^∗ and CT ≠ CT^∗
(5)
Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then, randomly selects a tuple from the ListH₅ and calculates , where . Hence, can output the BDH solution due to

Analysis. Let us start with two cases, namely, the simulation of H_i query for i = 1, 2, ⋯, 8 and the simulation of decryption query. For the H₁, H₂, H₃, H₄, H₆, and H₇ queries, it is obvious that the simulations are perfect because there exists no relationship between the constructions of these queries and the solution of the BDH problem. For the H₅ and H₈ queries, we consider two events and which, respectively, issues the H₅ query with and the H₈ query with . We say that the simulations of H₅ and H₈ queries are perfect if and do not happen. For the decryption query, we consider an event E_DecErr where the challenger cannot decrypt the ciphertext. Assume that q_D is the number of decryption query. Then, we obtain Pr[E_DecErr] ≤ q_D/q

Next, we discuss an event E which states that the simulation of this security game will not be interrupted. Here, we can obtain

, where E_Abort is defined as the event that the challenger

interrupts this security game. Since

guesses

with the advantage ≤1/2, the

can be obtained if E does not occur. Further, we have

(7)

According to above inequality,

and

, we have

(8)

Moreover, we obtain

(9)

Since

, we can gain Pr[¬E_Abort] ≥ 1/e(q_IK + q_T + 1) when δ = 1 − (1/(q_IK + q_T + 1)). Then, we have

(10)

Here, the adversary

can distinguish the target ciphertext CT^∗ is the real one when

occurs. In addition, the tuple

has been added in the ListH₅. If the challenger

picks the correct tuple from the ListH₅,

wins this security game. Meanwhile, the advantage of solving the BDH problem is

(11)

Theorem 6. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that is a PPT type 2 adversary who has at least ε advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage

(12)

where

, q_TK, q_T, q_D, and e, respectively, are the number of queries to random oracle H₅, random oracle H₈, Timekey query, Trapdoor query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type II adversary in the following security game.

(1)
Setup: the challenger utilizes the BDH tuple to set and then generates the public system parameters , where H_i is a random oracle for i = 1, 2, ⋯, 8. In addition, the system life time SLT = {T₀, T₁, ⋯, T_t} can be generated by the challenger . Then, gives the public system parameters PSP and system life time SLT. Here, the adversary can issue queries to each random oracle as follows

(a)
H₁query(ID): can utilize ID to obtain a response to the random oracle H₁ from the challenger . To obtain the response, maintains a list, called ListH₁ which is composed of tuples, and the format of the tuple is 〈ID, U_ID, u〉. The response is acquired from the ListH₁ which is initially empty and can be updated by the following steps

(i)
returns U_ID as the response if ID exists in a tuple 〈ID, U_ID, u〉 from the ListH₁
(ii)
Otherwise, picks a random value to compute . Then, adds the tuple 〈ID, U_ID, u〉 to the ListH₁ and returns U_ID to

(b)
H₂query(ID): can utilize ID to obtain a response to the random oracle H₂ from the challenger . To obtain the response, maintains a list, called ListH₂ which is composed of tuples, and the format of the tuple is 〈ID, V_ID, v〉. The response is acquired from the ListH₂ which is initially empty and can be updated by the following steps

(i)
returns V_ID as the response if ID exists in a tuple 〈ID, V_ID, v〉 from the ListH₂
(ii)
Otherwise, picks a random value to compute . Then, adds the tuple 〈ID, V_ID, v〉 to the ListH₂ and returns V_ID to

(c)
H₃query(ID, T): can utilize (ID, T) to obtain a response to the random oracle H₃ from the challenger . To obtain the response, maintains a list, called ListH₃ which is composed of tuples, and the format of the tuple is 〈ID, T, U_IDT, η, rb〉. The response is acquired from the ListH₃ which is initially empty and can be updated by the following steps

(i)
returns U_IDT as the response if (ID, T) exists in a tuple 〈ID, T, U_IDT, η, rb〉 from the ListH₃
(ii)
Otherwise, picks a random value and a random bit rb ∈ {0, 1} to compute
(13)

where Pr[rb = 0] = δ and Pr[rb = 1] = 1 − δ (which will be discussed later). Then,

adds the tuple 〈ID, T, U_IDT, η, rb〉 to the ListH₃ and returns U_IDT to

(d)
H₄query(ID, T): can utilize (ID, T) to obtain a response to the random oracle H₄ from the challenger . To obtain the response, maintains a list, called ListH₄ which is composed of tuples, and the format of the tuple is 〈ID, T, V_IDT, ζ, rb〉. The response is acquired from the ListH₄ which is initially empty and can be updated by the following steps

(i)
returns V_IDT as the response if (ID, T) exists in a tuple 〈ID, T, V_IDT, ζ, rb〉 from the ListH₄
(ii)
Otherwise, picks a random value and utilizes (ID, T) to find rb in the ListH₄. Then, computes
(14)

and add the tuple 〈ID, T, V_IDT, ζ, rb〉 to ListH₄.

returns V_IDT to

(e)
H₅query(W, CT₁, CT₂): can utilize (W, CT₁, CT₂) to obtain a response to the random oracle H₅ from the challenger . To obtain the response, maintains a list, called ListH₅ which is composed of tuples, and the format of the tuple is 〈W, CT₁, CT₂, ω〉. The response is acquired from the ListH₅ which is initially empty and can be updated by the following steps

(i)
returns ω as the response if (W, CT₁, CT₂) exists in a tuple 〈W, CT₁, CT₂, ω〉 from the ListH₅
(ii)
Otherwise, picks a random value ω ∈ {0, 1}^λ+l and adds the tuple 〈W, CT₁, CT₂, ω〉 to the ListH₅. Then, returns ω to

(f)
H₆query(M): can utilize M to obtain a response to the random oracle H₆ from the challenger . To obtain the response, maintains a list, called ListH₆ which is composed of tuples, and the format of the tuple is 〈M, Q〉. The response is acquired from the ListH₆ which is initially empty and can be updated by the following steps

(i)
returns Q as the response if M exists in a tuple 〈M, Q〉 from the ListH₆
(ii)
Otherwise, picks a random point Q ∈ G₂ and adds the tuple 〈M, Q〉 to the ListH₆. Then, returns Q to

(g)
H₇query(M, V): can utilize (M, V) to obtain a response to the random oracle H₇ from the challenger . To obtain the response, maintains a list, called ListH₇ which is composed of tuples, and the format of the tuple is 〈M, V, γ〉. The response is acquired from the ListH₇ which is initially empty and can be updated by the following steps

(i)
returns γ as the response if (M, V) exists in a tuple 〈M, V, γ〉 from the ListH₇
(ii)
Otherwise, picks a random value and adds the tuple 〈M, V, γ〉 to the ListH₇. Then, returns γ to

(h)
H₈query(N): can utilize N to obtain a response to the random oracle H₈ from the challenger . To obtain the response, maintains a list, called ListH₈ which is composed of tuples, and the format of the tuple is 〈N, S〉. The response is acquired from the ListH₈ which is initially empty and can be updated by the following steps

(i)
returns S as the response if N exists in a tuple 〈N, S〉 from the ListH₈
(ii)
Otherwise, picks a random point S ∈ G₂ and adds the tuple 〈N, S〉 to the ListH₈. Then, returns S to

(2)
Phase 1: the adversary can, respectively, utilize ID, (ID, T), (ID, T, CT), and (ID, T) to issue the InitialKey query, Timekey query, Decryption query, and Trapdoor query. The response to each query can be obtained as follows

(a)
InitialKey query(ID): utilizes ID to issue the query, while , respectively, finds the corresponding tuples 〈ID, U_ID, u〉 and 〈ID, V_ID, v〉 from the ListH₁ and the ListH₂ according to ID. use u and v to define . Then, returns IK_ID as the user initial key to
(b)
Timekey query(ID, T): utilizes (ID, T) to issue the query, while , respectively, finds the corresponding tuples 〈ID, T, U_IDT, η, rb〉 and 〈ID, T, V_IDT, ζ, rb〉 from the ListH₃ and the ListH₄ according to (ID, T). If rb = 1, interrupts this game. If rb = 0, use η and ζ to define . Then, returns TK_ID as the user time key to
(c)
Decryption query(ID, T, CT): utilizes (ID, T, CT) to issue the query, while , respectively, finds the corresponding tuples 〈ID, U_ID, u〉, 〈ID, V_ID, v〉, 〈ID, T, U_IDT, η, rb〉, and 〈ID, T, V_IDT, ζ, rb〉 from the ListH₁, ListH₂, ListH₃, and ListH₄ according to ID and T. The response of this query is acquired from these lists by performing the following tasks

(i)
If rb = 0, , respectively, uses ID and (ID, T) to run InitialKeyquery and Timekey query to obtain IK_ID and TK_ID. Then, utilizes IK_ID, TK_ID, and CT to run the Decryption algorithm to produce the message M which is sent to
(ii)
If rb = 1, utilizes CT₁ and CT₂, which are from CT = (CT₁, CT₂, CT₃, CT₄), to find the corresponding tuple 〈W, CT₁, CT₂, ω〉 from the ListH₅. Then, M^′||V^′ = CT₃ ⊕ ω can be computed by using CT₃ and ω. Further, utilizes M^′ and V^′ to find the corresponding tuples 〈M, V, γ〉 from the ListH₇ and 〈M, Q〉 from the ListH₆. Obviously, γ and Q can be obtained. If S can be found in the corresponding tuple 〈N, S〉 from the ListH₈ such that CT₄ = Q^γ · S holds, will confirm whether holds. If , the message M^′ is sent to

(1)
Trapdoor query(ID, T): utilizes (ID, T) to issue the query, while , respectively, uses ID and (ID, T) to run InitialKey query and Timekey query to obtain IK_ID = (IK_ID1, IK_ID2) and TK_ID = (TK_ID1, TK_ID2). Then, utilizes IK_ID2 and TK_ID2 to produce the trapdoor TD_ID = IK_ID2 · TK_ID2 which is sent to
(3)
Challenge: when phase 1 is over, outputs a tuple as the target of the challenge. utilizes (ID^∗, T^∗) to find the corresponding tuples 〈ID, T, U_IDT, η, rb〉 from the ListH₃. If rb = 0, interrupts this game. If rb = 1, randomly selects and V ∈ {0, 1}^l to run H₇ query with and V. Then, γ can be obtained. utilizes γ to set . In addition, sets , while a random value CT₃ ∈ {0, 1}^λ+l and a random point are chosen. Finally, the challenge ciphertext is sent to
(2)
Phase 2: can issue the same query as phase 1, but it must be under the condition of ID ≠ ID^∗ and CT ≠ CT^∗
(3)
Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then, randomly selects a tuple from the ListH₅ and outputs the BDH solution due to

The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is

Theorem 7. If the BDH assumption holds, the proposed RIBEET scheme satisfies the OW-ID-CCA security in the security game. More precisely, suppose that is a PPT type 3 adversary who has at least ε advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage

(15)

where

, q_IK, q_D, and e, respectively, are the number of queries to random oracle H₅, Initialkey query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type III adversary in the following security game.

(i)
Setup: The challenger utilizes the BDH tuple to set , and then generates the public system parameters , where H_i is a random oracle for i = 1, 2, ⋯, 8. In addition, the system life time SLT = {T₀, T₁, ⋯, T_t} can be generated by the challenger . Then gives the public system parameters PSP and system life time SLT. Here, the adversary can issue queries to each random oracle as below

(a)
H₁query(ID): answers in the same form as the proof of Theorem 5
(b)
H₂query(ID): can utilize ID to obtain a response to the random oracle H₂ from the challenger . To obtain the response, maintains a list, called ListH₂ which is composed of tuples, and the format of the tuple is 〈ID, V_ID, v, rb〉. The response is acquired from the ListH₂ which is initially empty and can be updated by the following steps

(i)
returns V_ID as the response if ID exists in a tuple 〈ID, V_ID, v, rb〉 from the ListH₂
(ii)
Otherwise, picks a random value and utilizes ID to find rb in the ListH₂. Then computes and adds the tuple 〈ID, V_ID, v, rb〉 to ListH₂. returns V_ID to

(ii)
Phase 1: The adversary can, respectively, utilize ID, (ID, T), (ID, T, CT) and (ID, T) to issue the InitialKey query, Timekey query, Decryption query and Trapdoor query. The response to each query can be obtained as follows

(1)
InitialKey query (ID): answers in the same form as the proof of Theorem 5
(2)
Timekey query (ID, T): answers in the same form as the proof of Theorem 5
(3)
Decryption query (ID, T, CT): utilizes (ID, T, CT) to issue the query, while , respectively, finds the corresponding tuples 〈ID, U_ID, u, rb〉, 〈ID, V_ID, v, rb〉, 〈ID, T, U_IDT, η〉 and 〈ID, T, V_IDT, ζ〉 from the ListH₁, ListH₂, ListH₃ and the ListH₄ according to ID and T. The response of this query is acquired from these lists by performing the following tasks

(i)
If rb = 0, , respectively, uses ID and (ID, T) to run InitialKeyquery and Timekey query to obtain IK_ID and TK_ID. Then utilizes IK_ID, TK_ID and CT to run Decryption algorithm to produce the message M which is sent to
(ii)
If rb = 1, utilizes CT₁ and CT₂, which are from CT = (CT₁, CT₂, CT₃, CT₄), to find the corresponding tuple 〈W, CT₁, CT₂, ω〉 from the ListH₅. Then M^′||V^′ = CT₃ ⊕ ω can be computed by using CT₃ and ω. Further, utilizes M^′ and V^′ to find the corresponding tuples 〈M, V, γ〉 from the ListH₇ and 〈M, Q〉 from the ListH₆. Obviously, γ and Q can be obtained. After that, utilizes ID and (ID, T) to run InitialKey query and Timekey query to obtain IK_ID2 and TK_ID2 and computes . If S can be found in the corresponding tuple from the ListH₈ such that CT₄ = Q^γ · S holds, will confirm whether holds. If , the message M^′ is sent to

(d)
Trapdoor query (ID, T): utilizes (ID, T) to issue the query, while , respectively, uses ID and (ID, T) to run InitialKey query and Timekey query to obtain IK_ID = (IK_ID1, IK_ID2) and TK_ID = (TK_ID1, TK_ID2). Then utilizes IK_ID2 and TK_ID2 to produce the trapdoor TD_ID = IK_ID2 · TK_ID2 which is sent to
(e)
Challenge: When the phase 1 is over, outputs a tuple 〈ID^∗, T^∗, M^∗〉 as the target of the challenge. utilizes ID^∗ to find the corresponding tuples 〈ID, U_ID, u, rb〉 from the ListH₁ If rb = 0, interrupts this game. If rb = 1, randomly selects V ∈ {0, 1}^l to run H₇ query with M^∗ and V. Then γ can be obtained. utilizes γ to set and find and to get Q and S such that . In addition, sets , while a random value CT₃ ∈ {0, 1}^λ+l is chosen. Finally, the challenge ciphertext is sent to
(f)
Phase 2: can issue the same query as the phase 1, but it must be under the condition of ID ≠ ID^∗ and CT ≠ CT^∗
(g)
Guess: responds to with a guess M^′ ∈ {0, 1}^λ. If M^′ ≠ M, responds with failure and terminates. Otherwise, wins the game. Then randomly selects a tuple from the ListH₅, and outputs the BDH solution A = due to

The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is .

Theorem 8. If the BDH assumption holds, the proposed RIBEET scheme satisfies the OW-ID-CCA security in the security game. More precisely, suppose that is a PPT type 4 adversary who has at least ε advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage.

(16)

where

, q_TK, q_D, and e, respectively, are the number of queries to random oracle H₅, Timekey query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type IV adversary in the following security game.

(i)
Setup: The challenger utilizes the BDH tuple to set , and then generates the public system parameters , where H_i is a random oracle for i = 1, 2, ⋯, 8. In addition, the system life time SLT = {T₀, T₁, ⋯, T_t} can be generated by the challenger . Then gives the public system parameters PSP and system life time SLT. Here, the adversary can issue queries to each random oracle as below

(a)
H₁ − H₃ queries: answers in the same form as the proof of Theorem 6
(b)
H₄ − H₈ queries: answers in the same form as the proof of Theorem 5

(ii)
Phase 1: The adversary can, respectively, utilize ID, (ID, T), (ID, T, CT) and (ID, T) to issue the InitialKey query, Timekey query, Decryption query and Trapdoor query. The response to each query can be obtained as follows

(a)
InitialKey query (ID): answers in the same form as the proof of Theorem 6
(b)
Timekey query (ID, T): answers in the same form as the proof of Theorem 6
(c)
Decryption query (ID, T, CT): answers in the same form as the proof of Theorem 7
(d)
Trapdoor query (ID, T): answers in the same form as the proof of Theorem 7

(1)
Challenge: When the phase 1 is over, outputs a tuple 〈ID^∗, T^∗, M^∗〉 as the target of the challenge. utilizes (ID^∗, T^∗) to find the corresponding tuples 〈ID, T, U_IDT, η, rb〉 from the ListH₃ If rb = 0, interrupts this game. If rb = 1, randomly selects V ∈ {0, 1}^l to run H₇ query with M^∗ and V. Then γ can be obtained. utilizes γ to set and find and to get Q and S such that . In addition, sets , while a random value CT₃ ∈ {0, 1}^λ+l is chosen. Finally, the challenge ciphertext is sent to
(2)
Phase 2: can issue the same query as the phase 1, but it must be under the condition of ID ≠ ID^∗ and CT ≠ CT^∗
(3)
Guess: responds to with a guess M^′ ∈ {0, 1}^λ. If M^′ ≠ M, responds with failure and terminates. Otherwise, wins the game. Then randomly selects a tuple from the ListH₅, and outputs the BDH solution A = due to

The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is .

Theorem 9. The proposed RIBEET scheme is secure for brute force attacks if the discrete logarithm problem is hard.

Proof. As mentioned in the concrete RIBEET scheme, the public system parameters are PSP = {q, G₁, G₂, G_T, , g₁, g₂, P_pub, H₁, H₂, H₃, H₄, H₅, H₆, H₇, H₈}, the system life time is SLT = {T₀, T₁,⋯, T_t} and the master private key is mpk = s. Based on the discrete logarithm problem, we ensure that the adversary cannot recover the master private key mpk = s form P_pub = . In addition, the security of the user initial key IK_ID and user time key TK_ID is also based on the discrete logarithm problem due to IK_ID = (IK_ID1, IK_ID2) = (H₁(ID)^mpk, H₂(ID)^mpk) = (H₁(ID)^s, H₂(ID)^s) and TK_ID = (TK_ID1, TK_ID2) = (H₃(ID, T)^mpk, H₄(ID, T)^mpk) = (H₃(ID, T)^s, H₄(ID, T)^s). Hence, the proposed RIBEET scheme can resist brute force attacks.

6. Comparison

In this section, we compare the proposed RIBEET scheme with the previous RIBE scheme [21] and IBEET scheme [6]. In order to analyze the cost of performing encryption, decryption and equality test, we first define two notations as follows.

(1)
Pair: time to perform a bilinear pairing
(2)
Exp: time to perform an exponentiation in G₁, G₂ or G_T

We gain Pair = 7.8351 ms and Exp = 0.4746 ms from the literature [32]. These two execution times are obtained under the hardware device with Intel Core i7-8550U 1.80 GHz processor. Meanwhile, the prime number q selected in the cryptosystem setting phase is 256-bit. In addition, three multiplicative cyclic groups G₁, G₂, and G_T of the prime order q are chosen in the simulation.

In Table 3, we list the comparisons of our proposed RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6, 10, 11] in terms of the cost of performing encryption, decryption and equality test, and two properties related to user revocation and equality test of ciphertexts. For the cost of performing encryption and decryption, Tseng and Tsai’s RIBE scheme [21] has better performance than the other two schemes. However, Tseng and Tsai’s RIBE scheme does not support equality test of ciphertexts. Although the existing IBEET schemes [6, 10, 11] and our proposed RIBEET scheme support equality test of ciphertexts, the IBEET schemes does not have a mechanism to revoke users. Conversely, our proposed RIBEET scheme not only provides user revocation, but also retains the cost of encryption, decryption and equality test with the existing IBEET schemes. Additionally, Table 4 compares our RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6, 10, 11] in terms of |PK|, |CT|, and |TD| which are, respectively, denoted as the bit length of user public key, ciphertext and trapdoor. We observed that the communication cost of our RIBEET scheme is similar to that of other schemes.

Table 3. Comparisons of the proposed RIBEET with the existing RIBE and several IBEET.

Schemes	The cost of performing encryption	The cost of performing decryption	The cost of performing equality test	Supporting equality test of ciphertexts	Providing user revocation
RIBE [21]	1 · Pair + 2 · Exp	1 · Pair	—	No	Yes
RIBE [21]	(8.7843 ms)	(7.8351 ms)	—	No	Yes
IBEET [6]	2 · Pair + 6 · Exp	2 · Pair + 2 · Exp	4 · Pair	Yes	No
IBEET [6]	(18.5178 ms)	(16.6194 ms)	(31.3404 ms)	Yes	No
IBEET [10]	2 · Pair + 4 · Exp	2 · Pair + 1 · Exp	2 · Pair + 2 · Exp	Yes	No
IBEET [10]	(17.5686 ms)	(16.1448 ms)	(16.6194 ms)	Yes	No
IBEET [11]	2 · Pair + 9 · Exp	2 · Pair + 2 · Exp	2 · Pair + 2 · Exp	Yes	No
IBEET [11]	(19.9416 ms)	(16.6194 ms)	(16.6194 ms)	Yes	No
Our RIBEET	2 · Pair + 5 · Exp	2 · Pair + 2 · Exp	4 · Pair	Yes	Yes
Our RIBEET	(18.0432 ms)	(16.6194 ms)	(31.3404 ms)	Yes	Yes

Table 4. Comparison of communication cost.

Schemes	\|PK\|	\|CT\|	\|TD\|
RIBE [21]	2\|G₁\|	\|G₁\| + \|Z_q\|	—
IBEET [6]	\|G₁\|	4\|G₁\| + \|Z_q\|	\|G₁\|
IBEET [10]	\|G₁\|	2\|G₁\| + 2\|Z_q\|	\|G₁\|
IBEET [11]	\|G₁\| + \|Z_q\|	3\|G₁\| + \|Z_q\|	4\|G₁\|
Our RIBEET	2\|G₂\|	3\|G₁\| + \|Z_q\|	\|G₂\|

As mentioned in Section 1, the data collected from sensors on the patients is finally encrypted by the mobile device and then transmitted to the cloud. For the analysis of energy cost, we employ the “ampere” app to measure the voltage and current on the mobile device. After running this app, we obtain 14.28 V and 2856 mA on the mobile device. Table 5 lists the energy cost of performing encryption on the mobile device by using the formula W = U · I · t, where W, U, I, and t, respectively, are watt, voltage, current, and time.

Table 5. Comparison of energy cost.

Energy cost	RIBE [21]	IBE_ET [6]	IBEET [10]	IBEET [11]	Our RIBEET
Performing encryption	358.256 μJ	755.224 μJ	716.508 μJ	813.292 μJ	735.868 μJ

7. Conclusions

We considered the existing syntax of IBEET and the property of user revocation to present the new syntax of RIBEET. Under the new syntax, we proposed a concrete RIBEET scheme. Meanwhile, we demonstrated that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries. We compared the proposed scheme with the previous RIBE scheme and IBEET scheme. We showed that the proposed scheme not only supports equality test for ciphertexts but also provides user revocation.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This research was partially supported by the Ministry of Science and Technology, Taiwan, under contract nos. MOST 110-2222-E-019-001-MY2 and MOST 110-2221-E-019-041-MY3.

Open Research

Data Availability

The data used to support the findings of this study are included within the article.

References

1 Dodis Y., Goldwasser S., Kalai Y. T., Peikert C., and Vaikuntanathan V., Public-key encryption schemes with auxiliary inputs, Theory of Cryptography, 2010, Springer, Berlin, Heidelberg, 361–381, https://doi.org/10.1007/978-3-642-11799-2_22, 2-s2.0-77949580684.
10.1007/978-3-642-11799-2_22
Google Scholar
2 Hofheinz D. and Jager T., Tightly secure signatures and public-key encryption, Advances in Cryptology-CRYPTO 2012, 2012, Springer, Berlin, Heidelberg, 590–607.
10.1007/978-3-642-32009-5_35
Google Scholar
3 Chen R., Mu Y., Yang G., Guo F., and Wang X., Server-aided public key encryption with keyword search, IEEE Transactions on Information Forensics and Security. (2016) 11, no. 12, 2833–2842, https://doi.org/10.1109/TIFS.2016.2599293, 2-s2.0-84994891036.
10.1109/TIFS.2016.2599293
Web of Science® Google Scholar
4 Xu P., He S., Wang W., Susilo W., and Jin H., Lightweight searchable public-key encryption for cloud-assisted wireless sensor networks, IEEE Transactions on Industrial Informatics. (2018) 14, no. 8, 3712–3723, https://doi.org/10.1109/TII.2017.2784395, 2-s2.0-85040044027.
10.1109/TII.2017.2784395
Web of Science® Google Scholar
5 Boneh D. and Franklin M., Identity-based encryption from the Weil pairing, Advances in Cryptology–CRYPTO 2001, 2001, Springer, Berlin, Heidelberg, 213–229.
10.1007/3-540-44647-8_13
Google Scholar
6 Ma S., Identity-based encryption with outsourced equality test in cloud computing, Information Sciences. (2016) 328, 389–402, https://doi.org/10.1016/j.ins.2015.08.053, 2-s2.0-84945552541.
10.1016/j.ins.2015.08.053
Web of Science® Google Scholar
7 Lin X. J., Sun L., and Qu H., Generic construction of public key encryption, identity-based encryption and signcryption with equality test, Information Sciences. (2018) 453, 111–126, https://doi.org/10.1016/j.ins.2018.04.035, 2-s2.0-85045430554.
10.1016/j.ins.2018.04.035
Web of Science® Google Scholar
8 Lee H. T., Wang H., and Zhang K., Security analysis and modification of ID-based encryption with equality test from ACISP, Information Security and Privacy, 2018, Springer, Cham, 780–786, https://doi.org/10.1007/978-3-319-93638-3_46, 2-s2.0-85049771855.
10.1007/978-3-319-93638-3_46
Google Scholar
9 Dung D. H., Le H. Q., Roy P. S., and Susilo W., Lattice-based IBE with equality test in standard model, Provable Security, 2019, Springer, Cham, 19–40, https://doi.org/10.1007/978-3-030-31919-9_2.
10.1007/978-3-030-31919-9_2
Google Scholar
10 Elhabob R., Zhao Y., Eltayieb N., Abdelgader A. M., and Xiong H., Identity-based encryption with authorized equivalence test for cloud-assisted IoT, Cluster Computing. (2020) 23, no. 2, 1085–1101, https://doi.org/10.1007/s10586-019-02979-1, 2-s2.0-85072030083.
10.1007/s10586-019-02979-1
Web of Science® Google Scholar
11 Lin X. J., Wang Q., Sun L., and Qu H., Identity-based encryption with equality test and datestamp-based authorization mechanism, Theoretical Computer Science. (2021) 861, 117–132, https://doi.org/10.1016/j.tcs.2021.02.015.
10.1016/j.tcs.2021.02.015
Google Scholar
12 Alemdar H. and Ersoy C., Wireless sensor networks for healthcare: a survey, Computer Networks. (2010) 54, no. 15, 2688–2710, https://doi.org/10.1016/j.comnet.2010.05.003, 2-s2.0-77956882701.
10.1016/j.comnet.2010.05.003
Web of Science® Google Scholar
13 Latr B., Braem B., Moerman I., Blondia C., and Demeester P., A survey on wireless body area networks, Wireless Networks. (2011) 17, no. 1, 1–8, https://doi.org/10.1007/s11276-010-0252-4, 2-s2.0-79951723271.
10.1007/s11276-010-0252-4
Google Scholar
14 Zhang J., Nian H., Ye X., Ji X., and Heg Y., A spatial correlation based partial coverage scheduling scheme in wireless sensor networks, Journal of Network Intelligence. (2020) 5, no. 2, 34–43.
Google Scholar
15 Hsieh C. H., Lin J., Yu C. M., Hung M. H., and Huang F., A TSP-over-LEACH protocol for energy-efficient wireless sensor networks, Journal of Network Intelligence. (2021) 6, no. 4, 835–846.
Google Scholar
16 Chen C. M., Li Z., Chaudhry S. A., and Li L., Attacks and solutions for a two-factor authentication protocol for wireless body area networks, Security and Communication Networks. (2021) 2021, 12, https://doi.org/10.1155/2021/3116593.
10.1155/2021/3116593
Google Scholar
17 Xiong H., Hou Y., Huang X., Zhao Y., and Chen C. M., Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs, IEEE Systems Journal. (2021) 16, no. 2, 2391–2400.
10.1109/JSYST.2020.3048972
Web of Science® Google Scholar
18 Housley R., Polk W., Ford W., and Solo D., Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile, 2002, IETF RFC 3280.
Google Scholar
19 Boldyreva A., Goyal V., and Kumar V., Identity-based encryption with efficient revocation, Proceedings of the 15th ACM conference on Computer and communications security (CCS ‘08), 2008, Alexandria, Virginia, USA, 417–426.
Google Scholar
20 Libert B. and Vergnaud D., Adaptive-ID secure revocable identity-based encryption, Topics in Cryptology–CT-RSA 2009, 2009, Springer, Berlin, Heidelberg, 1–15.
10.1007/978-3-642-00862-7_1
Google Scholar
21 Tseng Y. M. and Tsai T. T., Efficient revocable ID-based encryption with a public channel, Computer Journal. (2012) 55, no. 4, 475–486, https://doi.org/10.1093/comjnl/bxr098, 2-s2.0-84859342049.
10.1093/comjnl/bxr098
Web of Science® Google Scholar
22 Seo J. H. and Emura K., Revocable identity-based encryption revisited: security model and construction, Public-Key Cryptography–PKC 2013, 2013, Springer, Berlin, Heidelberg, 216–234.
10.1007/978-3-642-36362-7_14
Google Scholar
23 Watanabe Y., Emura K., and Seo J. H., New revocable IBE in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters, Topics in Cryptology–CT-RSA 2017, 2017, Springer, Cham, 432–449.
10.1007/978-3-319-52153-4_25
Google Scholar
24 Takayasu A. and Watanabe Y., Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance, Information Security and Privacy, 2017, Springer, Cham, 184–204, https://doi.org/10.1007/978-3-319-60055-0_10, 2-s2.0-85020648367.
10.1007/978-3-319-60055-0_10
Google Scholar
25 Katsumata S., Matsuda T., and Takayasu A., Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance, Public-Key Cryptography–PKC 2019, 2019, Springer, Cham, 441–471.
10.1007/978-3-030-17259-6_15
Google Scholar
26 Takayasu A., Adaptively secure lattice-based revocable IBE in the QROM: compact parameters, tight security, and anonymity, Designs, Codes and Cryptography. (2021) 89, no. 8, 1965–1992, https://doi.org/10.1007/s10623-021-00895-3.
10.1007/s10623-021-00895-3
Google Scholar
27 Baek J., Safavi-Naini R., and Susilo W., Public key encryption with keyword search revisited, Computational Science and Its Applications–ICCSA 2008, 2008, Springer, Berlin, Heidelberg, 1249–1259.
10.1007/978-3-540-69839-5_96
Google Scholar
28 Hsu S. T., Yang C. C., and Hwang M. S., A study of public key encryption with keyword search, International Journal of Network Security. (2013) 15, no. 2, 71–79.
Google Scholar
29 Yang G., Tan C. H., Huang Q., and Wong D. S., Probabilistic public key encryption with equality test, Topics in Cryptology–CT-RSA 2010, 2010, Springer, Berlin, Heidelberg, 119–131.
10.1007/978-3-642-11925-5_9
Web of Science® Google Scholar
30 Shamir A., Identity-based cryptosystems and signature schemes, Advances in Cryptology, 1985, Springer, Berlin, Heidelberg, 47–53.
10.1007/3-540-39568-7_5
Google Scholar
31 Li H., Huang Q., Ma S., Shen J., and Susilo W., Authorized equality test on identity-based ciphertexts for secret data sharing via cloud storage, IEEE Access. (2019) 7, 25409–25421, https://doi.org/10.1109/ACCESS.2019.2899680, 2-s2.0-85062685225.
10.1109/ACCESS.2019.2899680
Web of Science® Google Scholar
32 Li Y., Cheng Q., Liu X., and Li X., A secure anonymous identity-based scheme in new authentication architecture for mobile edge computing, IEEE Systems Journal. (2021) 15, no. 1, 935–946, https://doi.org/10.1109/JSYST.2020.2979006.
10.1109/JSYST.2020.2979006
Google Scholar

Citing Literature

All articles

Schemes	\|PK\|	\|CT\|	\|TD\|
RIBE [21]	2\|G₁\|	\|G₁\| + \|Z_q\|	—
IBEET [6]	\|G₁\|	4\|G₁\| + \|Z_q\|	\|G₁\|
IBEET [10]	\|G₁\|	2\|G₁\| + 2\|Z_q\|	\|G₁\|
IBEET [11]	\|G₁\| + \|Z_q\|	3\|G₁\| + \|Z_q\|	4\|G₁\|
Our RIBEET	2\|G₂\|	3\|G₁\| + \|Z_q\|	\|G₂\|

An Efficient Revocable Identity-Based Encryption with Equality Test Scheme for the Wireless Body Area Network

Abstract

1. Introduction

1.1. Related Work

1.2. Motivation

1.3. Contribution and Organization

2. Preliminaries

3. Syntax and Security Notions

3.1. Syntax of RIBEET

3.2. Security Notions of RIBEET

4. Concrete RIBEET Scheme

5. Security Analysis

6. Comparison

7. Conclusions

Conflicts of Interest

Acknowledgments

Open Research

Data Availability

References

Citing Literature

Figures

References

Information

About Wiley Online Library

Help & Support

Opportunities

Connect with Wiley