Efficient Equality Test on Identity-Based Ciphertexts Supporting Flexible Authorization

Abstract

In the cloud, uploading encrypted data is the most effective way to ensure that the data are not leaked. However, data access control is still an open problem in cloud storage systems. To provide an authorization mechanism to limit the comparison of a user’s ciphertexts with those of another, public key encryption supporting the equality test with four flexible authorizations (PKEET-FA) is presented. Subsequently, more functional identity-based encryption supporting the equality test (IBEET-FA) further combines identity-based encryption with flexible authorization. The bilinear pairing has always been intended to be replaced due to the high computational cost. Hence, in this paper, we use general trapdoor discrete log groups to construct a new and secure IBEET-FA scheme, which is more efficient. The computational cost for the encryption algorithm in our scheme was reduced to 43% of that of the scheme of Li et al. In Type 2 and 3 authorization algorithms, the computational cost of both was reduced to 40% of that of the scheme of Li et al. Furthermore, we give proof that our scheme is secure against one-wayness under the chosen identity and chosen ciphertext attacks (OW-ID-CCA), and indistinguishable against chosen identity and chosen ciphertext attacks (IND-ID-CCA).

1. Introduction

With the application of the Internet increasingly spreading, people have more extensive storage and computing requirements for cloud servers. Users make full use of cloud servers, allowing cloud servers to help them in storing and processing data, reducing the user’s storage burden and computing overhead. Users in different regions can upload data onto and download data from a server, which provides convenience for users to share data. However, servers are also vulnerable to some attacks. If users store their data unencrypted in the cloud server, attackers or malicious internal administrators may access the data stored by users. The solution is for every user to upload encrypted data onto the cloud server. Previous classical encryption schemes cannot realize direct searches or calculations in the ciphertext.In a searchable encryption scheme [1], the ciphertext and trapdoor for retrieval need to be obtained with the same public and private key pair.

A novel PKEET scheme [2] was first proposed by Yang et al. in 2010. In this scheme, users can test whether ciphertexts encrypted by different public keys contain the same plaintext without decrypting the ciphertext, which avoids the previous limitations of searchable encryption. However, in the scheme, anyone can test the encrypted data, which can lead to data leakage. Taking into account better meeting practical applications, Tang proposed a fine-grained equality test scheme [3] that can achieve fine-grained authorization by sending tokens to a proxy. The equality test of flexible authorization for more scenarios was proposed in [4], in which there were different authorizations to meet the different needs of users, and different authorization types corresponded to different test permissions. It can not only perform the equivalence testing of ciphertext that was encrypted without the same public key, but also designate testers, which better protects the privacy of the data. On this basis, to avoid the public key infrastructure (PKI), a functional and efficient IBEET-FA scheme [5] is proposed as a new concept, replacing PKE with IBE. The first IBE scheme [6] replaced the public key with user-related identity information, and the private key is calculated and provided by a trusted third party. No need for a public key means that the difficulty of key management is eliminated. A new IBE scheme [7] using the general trapdoor discrete logarithm group was proposed that reduces the computational cost compared to that when using bilinear pairs. IBEET-FA [5] is based on bilinear pairing.

1.1. Our Contribution

Bilinear pairing is computationally expensive, and to reduce the computational cost, we have attempted to replace pairing with discrete logarithms. We reconstructed an existing concept with a different tool, namely, reconstructing the IBEET-FA scheme with discrete logarithms. This can achieve more efficient searches in ciphertexts encrypted by different public keys, and maintain the nature of flexible authorization in which different authorizations correspond to different permissions. A public key infrastructure is not required.

We first defined the scheme and its correctness. Subsequently, a specific scheme IBEET-FA without paring was constructed, and the scheme was proven to be correct. Our scheme is communicationally efficient, and it has a small public key and ciphertext. The scheme is computationally efficient, as the Aut-1, Aut-2, and Aut-3 authorization algorithms and testing algorithms in it all have a small computational overhead.

We then define two security models for the scheme, and two types of adversaries, Adv-I and Adv-II. Our IBEET-FA without a pairing scheme achieved OW-ID-CCA security for Aut-$\gamma$ ($\gamma$ = 1, 2, 3) against Adv-I on the basis of the CDH assumption in the random oracle model. The IBEET-FA without a pairing scheme achieved IND-ID-CCA security for Aut-$\gamma$ ($\gamma$ = 1, 2, 3) against Adv-II on the basis of the DDH assumption.

1.2. Related Works

A new concept of public key encryption with keyword search (PEKS) was proposed by Boneh et al. [1] in 2004 that allows for direct keyword searches in ciphertext without decrypting the ciphertext. A user can generate the corresponding trapdoor of some keyword by using its private key and perform a keyword search in the ciphertexts with the trapdoor. Subsequently, many related variants were proposed [8,9,10]. Bellare et al. [11] proposed a deterministic PKE scheme. Yang et al. [2] devised a ciphertext-based equality test scheme using bilinear groups for searchable and classified encrypted data. However, in that scheme, anyone could perform the test, so it is easy for it to cause data leakage, which is not conducive to data privacy. Tang [3] presented a new method where two users could authorize a proxy to execute equality calculation on their encrypted message by issuing tokens. Tang [12] gave a new PKE in a two-proxy model supporting fine-grained authorization (FG-PKEET) in which the two proxies were required to cooperate to complete the equality test. Subsequently, Tang [13] proposed the construction of an all-or-nothing PKEET (AoN-PKEET).

A new scheme of PKE with a delegated equality test (PKE-DET) was proposed by Ma et al. in [14]; in a multiuser model, only the delegated party can perform the equality test. Wu et al. [15] introduced a new equality test concept that could achieve security against insider attacks. Ma [16] proposed a variant of PKEET in which a cloud server could directly execute the equality test on the ciphertexts of the specified user, realizing the security of the cloud database application. In [17], PKE-AET offered a new idea regarding two different kinds of warrants, namely, receiver warrants and cipher warrants. After a tester receives a receiver warrant from some receiver, the tester can perform the equality test on any of the receiver’s ciphertext; in the second case, after a tester receives a cipher warrant associated with some ciphertext from some receiver, the tester can just execute an equality test on that ciphertext. Huang et al. [18] presented a ciphertext-binded authority (CBA) PKEET scheme. CBAs are only valid for specific ciphertexts, and they are invalid for other ciphertexts encrypted by the same public key. The concept of the filtered equality test (FET) was proposed by Huang et al. [19] where the receiver selects a set of messages and generates the corresponding warrant. After a user receives the warrant, if the plaintext corresponding to the ciphertext is in the message set, they can perform an equality test on the recipient’s ciphertext. Huang et al. [20] proposed a PKE-FET scheme in which FET was also applied to construct searchable encryption. The key policy-attribute-based encryption with an equality test scheme was proposed by Zhu et al. in [21]. After the flexible scheme, a ciphertext policy-attribute-based encryption scheme was presented by Wang et al. [22] that also supported the function of the equality test.

A new authorization mechanism for efficient PKEET-FA was proposed by Ma et al. [4], which can more effectively achieve user privacy protection. The scheme was based on bilinear pairing, Lin et al. [23] made improvements on this basis and proposed a novel PKEET-FA scheme, Bilinear pairings were not used in this scheme. This protocol used a quadratic curve to do the equality test, Zhu et al. [24] used a simpler straight line for the equality test. A new concept of IBEET by combining two existing concepts PKEET and IBE was given by Ma et al. [25]. A new IBEET-FA scheme was proposed in [5]. Users can directly execute equality tests on the ciphertext, eliminating the need for complex key management.

Duong et al. [26] proposed a new PKEET scheme based on ideal lattices and a scheme based on integer lattices, both schemes can achieve CCA2-security. Ref. [27] introduced the trends in multimedia forensics, and many deep-learning-based techniques. In [28], lSusilo et al. presented a novel concept of public key encryption with multi-ciphertext equality test (PKE-MET), which enables the cloud server to perform equality tests among multiple ciphertexts. A new primitive of identity-based encryption with equality test and datestamp-based authorization mechanism (IBEET-DBA) was proposed by Lin et al. [29], in which the data owner could control the valid period of trapdoor by using datestamp. Deverajan et al. [30] presented public key encryption with equality test based on discrete logarithm problem (DLP). Considering the possible attacks on trapdoors given to cloud servers and the different computing power of the entities, Vaanchig et al. [31] introduced a notion of secure-channel-free IBEET (SCF-IBEET).

1.3. Organization

We organize the remainder of the paper as follows. The definitions of Trapdoor Discrete Log Groups and Decision Diffie–Hellman Problem are given in Section 2. Then, we give the system model, the definitions of IBEET-FA and the security model in Section 3. In Section 4, we propose a new IBEET-FA scheme without pairing. In Section 5, the security analysis of our scheme will be given. In Section 6, we will show the complexity comparison of our scheme and other related schemes. In the last section, some conclusions will be given.

2. Preliminaries

2.1. Trapdoor Discrete Log (TDL) Groups

Definition 1.

A TDL group generator consists of algorithms TDLGen and SolveDL:

• $TDLGen(k)$: Given security parameter k as the input, the algorithm returns a tuple $(T,q,g,G)$ where T is used to denote the trapdoor, q is used to denote the prime order, g is used to denote a random generator, and G is used to denote a group.
• $SolveDL(k,(T,q,g,G),h)$: Given the inputs of a security parameter k, $(T,q,g,G)$ denoting a tuple and h denoting a group element, the algorithm outputs $\alpha \in Z_q$, and $h=g^{\alpha }$ holds.

2.2. Computational Diffie–Hellman (CDH) Problem

Definition 2.

Let q be the prime order of group G, generator g is gotten from the running result of algorithm $TDLGen$ in the $Definition1$, let $(g,g^a,g^b)$ be a tuple in G, for $a,b\in Z_q$. It is intractable to compute $g^{ab}$. $\mathcal{A}$ is an adversary, in probability polynomial time, the advantage of adversary $\mathcal{A}$ to solve the CDH problem is

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A},G}^{CDH}(k)=P(\mathcal{A}(g,g^a,g^b)=g^{ab},G)\end{array}$$

2.3. Decision Diffie–Hellman (DDH) Problem

Definition 3.

Let q be the prime order of group G, generator g is gotten from the running result of algorithm $TDLGen$ in the $Definition1$, let $(g,g^a,g^b,g^c)$, $(g,g^a,g^b,g^{ab})$ be two tuples in G, for $a,b,c\in Z_q$. It is difficult to distinguish the two tuples in this computational relationship. $\mathcal{A}$ is an adversary, in probability polynomial time, the advantage of $\mathcal{A}$ to solve the DDH problem is

$$\begin{array}{c}\hfill Ad{v}_{\mathcal{A},G}^{DDH}(k)=|P(\mathcal{A}(g,g^a,g^b,g^{ab})=1,G)-P(\mathcal{A}(g,g^a,g^b,g^c)=1,G)|\end{array}$$

3. System Model and Definition

In Section 3.1 and Section 3.2, we give the system model and the definition of IBEET-FA, similarly in [5]. In Section 3.3, we give the security model of IBEET-FA.

3.1. System Model

In our defined IBEET-FA scheme, we give four entities: a cloud server, a trusted third party, and two users labeled as i and j. The trusted third party generates system parameters for users and cloud service. User i and user j encrypt their data with their public key, and store ciphertext in the cloud server, and the cloud server is authorized to do equality tests on stored ciphertext, but the server does not have the ability to decrypt them. We present the IBEET-FA system model in Figure 1.

3.2. Definition of IBEET-FA

Definition 4.

Our IBEET-FA scheme consists of four algorithms:

• $Setup(k)$: Taken security parameter k as the input, the public parameter $pp$ and the master secret key $msk$ will be gotten from the running result of the algorithm.
• $KeyGen(i,msk,pp)$: Given label i, master secret key $msk$, and public parameter $pp$ as input, the algorithm returns the secret key $SK=({\alpha }_i,{\beta }_i)$.
• $Encrypt(i,M,pp)$: Given the inputs of user i, a message M and public parameter $pp$, the algorithm returns the ciphertext $CT$.
• $Decrypt(i,{\alpha }_i,CT,pp)$: Given label i, a private key ${\alpha }_i$, a ciphertext $CT$ and public parameter $pp$ as inputs, a message M will be gotten from the running result of the algorithm, or returns an error symbol ⊥.

User i has the public-secret key pair $(i,SK)$, corresponding encrypted data is $CT$, User j has the public-secret key pair $(j,S{K}^{{}^{\prime }})$, corresponding encrypted data is $C{T}^{{}^{\prime }}$. They have four types of authorization, corresponding to four different $Aut$ algorithms and four different $Test$ algorithms. $Aut$ algorithm is used to generate trapdoors for users, and the cloud service runs $Test$ procedure to test whether or not two different encrypted data contain the same message.

Aut-1:

• $Au{t}_1(i,SK)$: Given user i and i’s secret key $SK$ as inputs, the authorization procedure returns a trapdoor $T{D}_1$.
• $Tes{t}_1(CT,C{T}^{{}^{\prime }},T{D}_1,T{D}_1^{{}^{\prime }})$: Given the inputs of i’ciphertext $CT$, i’trapdoor $T{D}_1$, j’ciphertext $C{T}^{{}^{\prime }}$ and j’trapdoor $T{D}_1^{{}^{\prime }}$, the test procedure returns 1 if two ciphertexts contain the same message, otherwise returns 0.

Aut-2:

• $Au{t}_2(SK,CT)$: Given the inputs of user i’private key $SK$ and a ciphertext $CT$, the authorization procedure outputs a trapdoor $T{D}_2$.
• $Tes{t}_2(CT,C{T}^{{}^{\prime }},T{D}_2,T{D}_2^{{}^{\prime }})$: Given the inputs of i’ciphertext $CT$, i’trapdoor $T{D}_2$, j’ciphertext $C{T}^{{}^{\prime }}$ and j’trapdoor $T{D}_2^{{}^{\prime }}$, the test procedure returns 1 if two ciphertexts contain the same plaintext, otherwise returns 0.

Aut-3:

• $Au{t}_3(SK,CT,C{T}^{{}^{\prime }})$: Given the inputs of user i’private key $SK$, i’ciphertext $CT$, and j’ciphertext $C{T}^{{}^{\prime }}$, the authorization procedure outputs a trapdoor $T{D}_3$.
• $Tes{t}_3(CT,C{T}^{{}^{\prime }},T{D}_3,T{D}_3^{{}^{\prime }})$: Given the inputs of i’ciphertext $CT$, i’trapdoor $T{D}_3$, j’ciphertext $C{T}^{{}^{\prime }}$ and j’trapdoor $T{D}_3^{{}^{\prime }}$, the test procedure returns 1 if two ciphertexts contain the same plaintext, otherwise returns 0.

Aut-4:

• $Au{t}_4(SK,CT)$: Given the inputs of user i’private key $SK$ and ciphertext $CT$, the authorization procedure returns a trapdoor $T{D}_4$.
• $Au{t}_4(j,S{K}^{{}^{\prime }})$: Given user j and j’s secret key $S{K}^{{}^{\prime }}$ as inputs, the authorization procedure returns a trapdoor $T{D}_4^{{}^{\prime }}$.
• $Tes{t}_4(CT,C{T}^{{}^{\prime }},T{D}_4,T{D}_4^{{}^{\prime }})$: Given the inputs of i’ciphertext $CT$, i’trapdoor $T{D}_4$, j’ciphertext $C{T}^{{}^{\prime }}$ and j’trapdoor $T{D}_4^{{}^{\prime }}$, the test procedure returns 1 if two ciphertexts contain the same message, otherwise returns 0.

Definition 5.

(Correctness): If for any $(msk,pp)\leftarrow Setup(k)$, $({\alpha }_i,{\beta }_i)\leftarrow KeyGen(msk,pp,i)$, $({\alpha }_j,{\beta }_j)\leftarrow KeyGen(msk,pp,j)$, the following conditions can be satisfied, we say an IBEET-FA scheme is correct.

• For any possible plaintext M in the plaintext space, $Decrypt(Encrypt(M,i,pp),pp,{\alpha }_i,i)=M$, all equations hold.
• For any possible ciphertext $CT$ of user i and any possible ciphertext $C{T}^{{}^{\prime }}$ of user j, if Decrypt$(i,{\alpha }_i,CT,pp)=Decrypt(j,{\alpha }_j,C{T}^{{}^{\prime }},pp)\ne \perp$:
  Aut-1: For two trapdoors of $Au{t}_1(i,SK)=T{D}_1$, $Au{t}_1(j,S{K}^{{}^{\prime }})=T{D}_1^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill Tes{t}_1(CT,T{D}_1,C{T}^{{}^{\prime }},T{D}_1^{{}^{\prime }})=1.\end{array}$$
  Aut-2: For two trapdoors of $Au{t}_2(SK,CT)=T{D}_2$, $Au{t}_2(S{K}^{{}^{\prime }},C{T}^{{}^{\prime }})=T{D}_2^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill Tes{t}_2(CT,T{D}_2,C{T}^{{}^{\prime }},T{D}_2^{{}^{\prime }})=1.\end{array}$$
  Aut-3: For two trapdoors of $Au{t}_3(SK,CT,C{T}^{{}^{\prime }})=T{D}_3$, $Au{t}_3(S{K}^{{}^{\prime }},C{T}^{{}^{\prime }},CT)=T{D}_3^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill Tes{t}_3(CT,T{D}_3,C{T}^{{}^{\prime }},T{D}_3^{{}^{\prime }})=1.\end{array}$$
  Aut-4: For two trapdoors of $Au{t}_4(SK,CT)=T{D}_4$, $Au{t}_4(j,S{K}^{{}^{\prime }})=T{D}_4^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill Tes{t}_4(CT,T{D}_4,C{T}^{{}^{\prime }},T{D}_4^{{}^{\prime }})=1.\end{array}$$
• For any possible ciphertext $CT$ of user i and any possible ciphertext $C{T}^{{}^{\prime }}$ of user j, if Decrypt$(i,{\alpha }_i,CT,mpk)\ne Decrypt(j,{\alpha }_j,C{T}^{{}^{\prime }},mpk)$, where $ϵ(·)$ be a negligible function about k:
  Aut-1: For two trapdoors of $Au{t}_1(i,SK)=T{D}_1$, $Au{t}_1(j,S{K}^{{}^{\prime }})=T{D}_1^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill P[Tes{t}_1(CT,T{D}_1,C{T}^{{}^{\prime }},T{D}_1^{{}^{\prime }})=1]\le ϵ(k).\end{array}$$
  Aut-2: For two trapdoors of $Au{t}_2(SK,CT)=T{D}_2$, $Au{t}_2(S{K}^{{}^{\prime }},C{T}^{{}^{\prime }})=T{D}_2^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill P[Tes{t}_2(CT,T{D}_2,C{T}^{{}^{\prime }},T{D}_2^{{}^{\prime }})=1]\le ϵ(k).\end{array}$$
  Aut-3: For two trapdoors of $Au{t}_3(SK,CT,C{T}^{{}^{\prime }})=T{D}_3$, $Au{t}_3(S{K}^{{}^{\prime }},C{T}^{{}^{\prime }},CT)=T{D}_3^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill P[Tes{t}_3(CT,T{D}_3,C{T}^{{}^{\prime }},T{D}_3^{{}^{\prime }})=1]\le ϵ(k).\end{array}$$
  Aut-4: For two trapdoors of $Au{t}_4(SK,CT)=T{D}_4$, $Au{t}_4(j,S{K}^{{}^{\prime }})=T{D}_4^{{}^{\prime }}$, the following equality always holds that

  $$\begin{array}{c}\hfill P[Tes{t}_4(CT,T{D}_4,C{T}^{{}^{\prime }},T{D}_4^{{}^{\prime }})=1]\le ϵ(k).\end{array}$$

3.3. Security Model

According to the nature of our scheme, we use the IBEET-FA security models defined in [5]. Since Aut-4 is a combination of one user authorization way in Aut-1 and one user authorization way in Aut-2, we omit Aut-4 authorization queries for simplicity. Adversaries are only allowed to query for Aut-$\gamma$ ($\gamma$ = 1, 2, 3). We define two kinds of adversaries for the security model of our IBEET-FA scheme:

• Adv-I: For Aut-$\gamma$ ($\gamma$ = 1, 2, 3), with Aut-$\gamma$ trapdoor information, the adversary can not get the plaintext from the challenge ciphertext.
• Adv-II: For Aut-$\gamma$ ($\gamma$ = 1, 2, 3), without Aut-$\gamma$ trapdoor information, the adversary can not know the challenge ciphertext is from which plaintext.

Under chosen ciphertext and chosen identity attacks, We now define the one-wayness security (OW-ID-CCA) against Adv-I for Aut-$\gamma$ ($\gamma$ = 1, 2, 3) as follows:

$GameI$: Let the receiver have index t ($1\le t\le n$), and assume ${\mathcal{A}}_1$ is a Adv-I. Between the challenger ${\mathcal{C}}_1$ and the adversary ${\mathcal{A}}_1$, the game goes as follows:

• $Setup$: Challenger ${\mathcal{C}}_1$ firstly picks k as a security parameter, then gets public parameter $pp$ by calling $Setup$ algorithm, sends $pp$ to ${\mathcal{A}}_1$.
• $Phase1$: Allows ${\mathcal{A}}_1$ to query for polynomially many times as follows.
  • Key retrieve queries: ${\mathcal{C}}_1$ calls $KeyGen(i,pp,msk)$ algorithm and sends $SK$ to ${\mathcal{A}}_1$. call the algorithm and send the result to A
  • Decryption queries: ${\mathcal{C}}_1$ runs $Decrypt(pp,CT,{\alpha }_i,i)$ algorithm and returns M(which might be ⊥) to ${\mathcal{A}}_1$.
  • Authorization queries: For three types of authorization Aut-$\gamma$ ($\gamma$ = 1, 2, 3),

    (a)

    i as input, ${\mathcal{C}}_1$ sends $T{D}_1$ to ${\mathcal{A}}_1$.

    (b)

    $(i,CT)$ as input, ${\mathcal{C}}_1$ sends $T{D}_2$ to ${\mathcal{A}}_1$.

    (c)

    $(i,CT,j,C{T}^{{}^{\prime }})$ as input, ${\mathcal{C}}_1$ sends $T{D}_3$ to ${\mathcal{A}}_1$.

• $Challenge$: Adversary ${\mathcal{A}}_1$ picks a target identity t which has not been queried in extract queries, and sends it to ${\mathcal{C}}_1$. Then ${\mathcal{C}}_1$ chooses a message $M_t$ randomly, gets $C_t^{*}=Encrypt(M_t,t,pp)$ as the challenge ciphertext and sends it to ${\mathcal{A}}_1$.
• $Phase2$: ${\mathcal{A}}_1$ continues issuing the same query as Phase 1. However, t can not be queried in this phase and $(t,C_t^{*})$ can not be queried in a decryption query.
• $Guess$: ${\mathcal{A}}_1$ returns a message $M^{\prime }$, if $M^{\prime }=M_t$ means ${\mathcal{A}}_1$ wins the game.

We give the advantage definition of ${\mathcal{A}}_1$ in the Game I as

$$\begin{array}{c}\hfill Ad{v}_{IBEET-FA,{\mathcal{A}}_1}^{OW-ID-CCA,Aut-\gamma }(k)=P[M^{\prime }=M_t](\gamma =1,2,3).\end{array}$$

Definition 6.

If the advantage $Ad{v}_{IBEET-FA,{\mathcal{A}}_1}^{OW-ID-CCA,Aut-\gamma }(k)$ is negligible for any probabilistic polynomial-time Adv-I ${\mathcal{A}}_1$, We say the IBEET-FA scheme is OW-ID-CCA secure for three types of authorization Aut-γ (γ = 1, 2, 3).

$GameII$: Let the recipient’s identity be t ($1\le t\le n$), and Sets ${\mathcal{A}}_2$ as an Adv-II adversary. Between the challenger ${\mathcal{C}}_2$ and the adversary ${\mathcal{A}}_2$ the game goes as follows:

• $Setup$: Challenger ${\mathcal{C}}_2$ firstly picks k as a security parameter, then gets public parameter $pp$ by calling $Setup$ algorithm, and sends $pp$ to ${\mathcal{A}}_2$.
• $Phase1$: Allows ${\mathcal{A}}_2$ to issue polynomially times queries as in Game I.
• $Challenge$: Adversary ${\mathcal{A}}_2$ sends to Challenger ${\mathcal{C}}_2$ two messages $M_0$, $M_1$, and a target identity t, t can not be allowed to appear in extract query or Aut-1 authorization query phase. ${\mathcal{C}}_2$ picks a bit $b\in \{0,1\}$ randomly, uses encryption algorithm to get challenge ciphertext $C^{*}=Encrypt(M_b,t,pp)$, then sends $C^{*}$ to ${\mathcal{A}}_2$.
• $Phase2$: Allows ${\mathcal{A}}_2$ to continue issuing queries as Phase 1, but there are some restrictions as follows:
  • i can not be queried in the Key retrieve query or Aut-1 authorizations queries;
  • $(i,C^{*})$ can not be queried in the decryption query;
  • $(i,C^{*})$ can not be queried in the authorizations query.
• $Guess$: ${\mathcal{A}}_2$ returns a bit $b^{\prime }$, when $b^{\prime }=b$ holds, ${\mathcal{A}}_2$ wins in the game.

In Game II, the advantage definition of ${\mathcal{A}}_2$ is

$$\begin{array}{c}\hfill Ad{v}_{IBEET-FA,{\mathcal{A}}_2}^{IND-ID-CCA,Aut-\gamma }(k)=|P[b^{\prime }-b]-\frac{1}{2}|(\gamma =1,2,3).\end{array}$$

Definition 7.

If the advantage $Ad{v}_{IBEET-FA,{\mathcal{A}}_2}^{IND-ID-CCA,Aut-\gamma }(k)$ is negligible for any probabilistic polynomial-time Adv-II ${\mathcal{A}}_2$, We say the IBEET-FA scheme is IND-ID-CCA secure for three types of authorization Aut-γ (γ = 1, 2, 3).

4. Our Proposed IBEET-FA Scheme

In our IBEET-FA scheme, we use the advantages of the PKEET-FA scheme and IBE without pairing scheme.

4.1. The Proposed Scheme

• $Setup(k)$: Here k is a security parameter, and it is the size of plaintext messages, the algorithm works as follows:
  • This algorithm calls the TDLGen algorithm of the TDL generator, then gets a tuple $(T,G,g,q)$ where T is the trapdoor, G is a group, g is a random generator, and q is the prime order.
  • Picks some secure hash functions: $H,H_1:{\{0,1\}}^{*}\to G$, $H_2:G\to {\{0,1\}}^k$, $H_3,H_4:{\{0,1\}}^k\to Z_q$, and $H_5:G^3\to {Z_q}^2$.
    Gets the master secret key $msk=T$, the public parameter $pp=\{H,H_1,H_2,H_3,H_4,H_5,G,g,q,k\}$.
• $KeyGen(i,pp,msk)$: Choosing label i, the public parameter $pp$ and master secret key $msk$ as input, then calls SolveDL algorithm. $H(i)$ as input, get a value ${\alpha }_i\in Z_q$ such that $g^{{\alpha }_i}=H(i)$. Furthermore, calls SolveDL algorithm again taking $H_1(i)$ as input to get a value ${\beta }_i\in Z_q$ such that $g^{{\beta }_i}=H_1(i)$. Then outputs the secret key $s{k}_i=({\alpha }_i,{\beta }_i)$.
• $Encrypt(M,i,pp)$: Taking a plaintext M, public parameter $pp$ and user i as input, the algorithm works as follows:
  • Compute one point $P=(H_3(M),H_4(M))$.
  • O is the origin, use point P, O to construct a ray $f(x)$ with O as the endpoint.
  • Choose a non zero point $x_i\in {\{0,1\}}^l$, then compute $y_i=f(x_i)$.
  • Choose at random $r\in {Z_q}^{*}$, then compute

    $$\begin{array}{cc}\hfill C{T}_1& =g^r,\hfill \\ \hfill C{T}_2& =M\oplus H_2(H{(i)}^r),\hfill \\ \hfill C{T}_3& =(x_i\parallel y_i)\oplus H_5(H_1{(i)}^r,C{T}_1,C{T}_2).\hfill \end{array}$$
    Output the ciphertext $CT=(C{T}_1,C{T}_2,C{T}_3)$.
• $Decrypt(i,CT,SK,pp)$: Taking label i, a ciphertext $CT$, private key $SK$ and public parameter $pp$ as input, this algorithm computes $M=C{T}_2\oplus H_2(C{T}_1^{{\alpha }_i})$ and $x_i\parallel y_i=C{T}_3\oplus H_5(C{T}_1^{{\beta }_i},C{T}_1,C{T}_2)$. Obtain point P as in $Encrypt$ algorithm and obtain $f(x)$ with P, O as in $Encrypt$ algorithm. if $y_i=f(x_i)$ hold, then returns M; and returns an error symbol ⊥ otherwise.

Two users are represented as $u_i$ and $u_j$, selecting $r_i$ and $r_j$ as the randomness used in computing $CT$ and $C{T}^{{}^{\prime }}$. Correspondingly, compute ciphertext $CT=(C{T}_1,C{T}_2,C{T}_3)$ and ciphertext $C{T}^{{}^{\prime }}=(C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }},C{T}_3^{{}^{\prime }}$) of $u_i$ and $u_j$.

Aut-1:

• $Au{t}_1(i,SK)$: This authorization procedure returns a trapdoor $T{D}_1={\beta }_i$.
• $Tes{t}_1(CT,C{T}^{{}^{\prime }},T{D}_1,T{D}_1^{{}^{\prime }})$: The test procedure performs the following calculations

  $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus H_5({C{T}_1}^{T{D}_1},C{T}_1,C{T}_2),\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus H_5({C{T}_1^{{}^{\prime }}}^{T{D}_1^{{}^{\prime }}},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }}).\hfill \end{array}$$
  It returns 1 if $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, or returns 0 otherwise.

Aut-2:

• $Au{t}_2(SK,CT)$: This authorization procedure outputs a trapdoor $T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)$.
• $Tes{t}_2(CT,C{T}^{{}^{\prime }},T{D}_2,T{D}_2^{{}^{\prime }})$: This test procedure computes

  $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus T{D}_2,\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus T{D}_2^{{}^{\prime }}.\hfill \end{array}$$
  It returns 1 if $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, or returns 0 otherwise.

Aut-3:

• $Au{t}_3(SK,CT,C{T}^{{}^{\prime }})$: This authorization procedure recovers $y_i$ with $SK$, then outputs a trapdoor

  $$\begin{array}{cc}\hfill T{D}_3& =(T{D}_{i,1},T{D}_{i,2})\hfill \\ \hfill & =({[H_2({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)]}_0^{l-1},{(C{T}_{1}C{T}_1^{{}^{\prime }})}^{y_i}).\hfill \end{array}$$
• $Tes{t}_3(CT,C{T}^{{}^{\prime }},T{D}_3,T{D}_3^{{}^{\prime }})$: This test procedure computes

  $$\begin{array}{cc}\hfill x_i& ={[C{T}_1]}_0^{l-1}\oplus T{D}_{i,1},\hfill \\ \hfill x_j& ={[C{T}_1^{{}^{\prime }}]}_0^{l-1}\oplus T{D}_{j,1}.\hfill \end{array}$$
  It returns 1 if ${T{D}_{i,2}}^{\frac{1}{x_i}}={T{D}_{j,2}}^{\frac{1}{x_j}}$, or returns 0 otherwise.

Aut-4:

• $Au{t}_4(SK,CT)$: This authorization procedure returns a trapdoor $T{D}_4=T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)$.
• $Au{t}_4(j,S{K}^{{}^{\prime }})$: This authorization procedure returns a trapdoor $T{D}_4^{{}^{\prime }}=T{D}_1^{{}^{\prime }}={\beta }_j$.
• $Tes{t}_4(CT,C{T}^{{}^{\prime }},T{D}_4,T{D}_4^{{}^{\prime }})$: This test procedure computes

  $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus T{D}_4,\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus H_5({C{T}_1^{{}^{\prime }}}^{T{D}_4^{{}^{\prime }}},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }}).\hfill \end{array}$$
  It returns 1 if $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, or returns 0.

4.2. Correctness

Theorem 1.

By definition 2, the correctness of the above IBEET-FA scheme is proven.

Proof of Theorem 1.

We now prove our IBEET-FA scheme meets all correctness requirements.

• The first requirement is satisfied obviously.
• According to the second requirement, for any $({\alpha }_i,{\beta }_i)\leftarrow KeyGen(msk,pp,i)$, $({\alpha }_j,{\beta }_j)\leftarrow KeyGen(msk,pp,j)$, $CT=(C{T}_1,C{T}_2,C{T}_3)=Encrypt(M_i,i,pp)$, $C{T}^{{}^{\prime }}=(C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }},C{T}_3^{{}^{\prime }})=Encrypt(M_j,j,pp)$, all the following equations hold.
  • Aut-1: Given $T{D}_1={\beta }_i$, $T{D}_1^{{}^{\prime }}={\beta }_j$, get the following:

    $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus H_5({C{T}_1}^{T{D}_1},C{T}_1,C{T}_2),\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus H_5({C{T}_1^{{}^{\prime }}}^{T{D}_1^{{}^{\prime }}},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }}).\hfill \end{array}$$
    Because point $(x_i,y_i)$ is taken from the ray corresponding to $M_i$, point $(x_j,y_j)$ is taken from the ray corresponding to $M_j$, if $M_i=M_j$ means $(x_i,y_i)$ and $(x_j,y_j)$ are taken from the same ray. So $\frac{y_i}{x_i}=\frac{y_j}{x_j}$ holds if $M_i=M_j$.
  • Aut-2: Given

    $$\begin{array}{c}\hfill T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)\end{array}$$

    and

    $$\begin{array}{c}\hfill T{D}_2^{{}^{\prime }}=H_5({C{T}_1^{{}^{\prime }}}^{{\beta }_j},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }})\end{array}$$

    get the following:

    $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus T{D}_2,\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus T{D}_2^{{}^{\prime }}.\hfill \end{array}$$
    Because point $(x_i,y_i)$ is taken from the ray corresponding to $M_i$, point $(x_j,y_j)$ is taken from the ray corresponding to $M_j$, if $M_i=M_j$ means $(x_i,y_i)$ and $(x_j,y_j)$ are taken from the same ray. So $\frac{y_i}{x_i}=\frac{y_j}{x_j}$ holds if $M_i=M_j$.
  • Aut-3: Given

    $$\begin{array}{c}\hfill T{D}_3=(T{D}_{i,1},T{D}_{i,2})=({[H_2({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)]}_0^{l-1},{(C{T}_{1}C{T}_1^{{}^{\prime }})}^{y_i})\end{array}$$

    and

    $$\begin{array}{c}\hfill T{D}_3^{{}^{\prime }}=(T{D}_{j,1},T{D}_{j,2})=({[H_2({C{T}_1^{{}^{\prime }}}^{{\beta }_j},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }})]}_0^{l-1},{(C{T}_1^{{}^{\prime }}C{T}_1)}^{y_j}),\end{array}$$

    get the following:

    $$\begin{array}{cc}\hfill x_i& ={[C_{i,3}]}_0^{l-1}\oplus T{D}_{i,1},\hfill \\ \hfill x_j& ={[C_{j,3}]}_0^{l-1}\oplus T{D}_{j,1},\hfill \\ \hfill {T{D}_{i,2}}^{\frac{1}{x_i}}& ={({(C_{i,1}{C}_{j,1})}^{y_i})}^{\frac{1}{x_i}}={(C_{i,1}{C}_{j,1})}^{\frac{y_i}{x_i}},\hfill \\ \hfill {T{D}_{j,2}}^{\frac{1}{x_j}}& ={({(C_{j,1}{C}_{i,1})}^{y_j})}^{\frac{1}{x_j}}={(C_{j,1}{C}_{i,1})}^{\frac{y_j}{x_j}}.\hfill \end{array}$$
    Because point $(x_i,y_i)$ is taken from the ray corresponding to $M_i$, point $(x_j,y_j)$ is taken from the ray corresponding to $M_j$, if $M_i=M_j$ means $(x_i,y_i)$ and $(x_j,y_j)$ are taken from the same ray. So ${T{D}_{i,2}}^{\frac{1}{x_i}}={T{D}_{j,2}}^{\frac{1}{x_j}}$, i.e., $\frac{y_i}{x_i}=\frac{y_j}{x_j}$ holds if $M_i=M_j$.
  • Aut-4: Given $T{D}_4=T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)$, $T{D}_4^{{}^{\prime }}=T{D}_1^{{}^{\prime }}={\beta }_j$, get the following:

    $$\begin{array}{cc}\hfill x_i\parallel y_i& =C{T}_3\oplus T{D}_4,\hfill \\ \hfill x_j\parallel y_j& =C{T}_3^{{}^{\prime }}\oplus H_5({C{T}_1^{{}^{\prime }}}^{T{D}_4^{{}^{\prime }}},C{T}_1^{{}^{\prime }},C{T}_2^{{}^{\prime }}).\hfill \end{array}$$
    Because point $(x_i,y_i)$ is taken from the ray corresponding to $M_i$, point $(x_j,y_j)$ is taken from the ray corresponding to $M_j$, if $M_i=M_j$ means $(x_i,y_i)$ and $(x_j,y_j)$ are taken from the same ray. So $\frac{y_i}{x_i}=\frac{y_j}{x_j}$ holds if $M_i=M_j$.
• Now we prove the third condition holds.
  $F_i(x)$ is a ray passing through point $P_i=(H_3(M_i),H_4(M_i))$ with O as its endpoint, $f_j(x)$ is a ray passing through $P_j=(H_3(M_j),H_4(M_j))$ with O as its endpoint. Point $(x_i,y_i)$ is taken from the ray $f_i(x)$, and point $(x_j,y_j)$ is taken from the ray $f_j(x)$.
  • Aut-1: If $Tes{t}_1(CT,C{T}^{{}^{\prime }},T{D}_1,T{D}_1^{{}^{\prime }})=1$, we can get that $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, that is, point $(x_i,y_i)$ and point $(x_j,y_j)$ are taken from the same ray with O as the end point. For $M_i\ne M_j$, $P[\frac{H_4(M_i)}{H_3(M_i)}=\frac{H_4(M_j)}{H_3(M_j)}]$ is negligible, then we get that $P[Tes{t}_1(CT,C{T}^{{}^{\prime }},T{D}_1,T{D}_1^{{}^{\prime }})=1]$ is also negligible for $M_i\ne M_j$.
  • Aut-2: If $Tes{t}_2(CT,C{T}^{{}^{\prime }},T{D}_2,T{D}_2^{{}^{\prime }})=1$, we can get that $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, that is, point $(x_i,y_i)$ and point $(x_j,y_j)$ are taken from the same ray with O as the end point. For $M_i\ne M_j$, $P[\frac{H_4(M_i)}{H_3(M_i)}=\frac{H_4(M_j)}{H_3(M_j)}]$ is negligible, then we get that $P[Tes{t}_2(CT,C{T}^{{}^{\prime }},T{D}_2,T{D}_2^{{}^{\prime }})=1]$ is also negligible.
  • Aut-3: If $Tes{t}_3(CT,C{T}^{{}^{\prime }},T{D}_3,T{D}_3^{{}^{\prime }})=1$, we can get that ${T{D}_{i,2}}^{\frac{1}{x_i}}={T{D}_{j,2}}^{\frac{1}{x_j}}$, that is, ${(C_{i,1}{C}_{j,1})}^{\frac{y_i}{x_i}}={(C_{j,1}{C}_{i,1})}^{\frac{y_j}{x_j}}$. For $M_i\ne M_j$, $P[\frac{H_4(M_i)}{H_3(M_i)}=\frac{H_4(M_j)}{H_3(M_j)}]$ is negligible, we get that $P[Tes{t}_3(CT,C{T}^{{}^{\prime }},T{D}_3,T{D}_3^{{}^{\prime }})=1]$ is also negligible for $M_i\ne M_j$.
  • Aut-4: If $Tes{t}_4(CT,C{T}^{{}^{\prime }},T{D}_4,T{D}_4^{{}^{\prime }})=1$, we can get that $\frac{y_i}{x_i}=\frac{y_j}{x_j}$, that is, point $(x_i,y_i)$ and point $(x_j,y_j)$ are taken from the same ray with O as the end point. For $M_i\ne M_j$, $P[\frac{H_4(M_i)}{H_3(M_i)}=\frac{H_4(M_j)}{H_3(M_j)}]$ is negligible, we get that $P[Tes{t}_4(CT,C{T}^{{}^{\prime }},T{D}_4,T{D}_4^{{}^{\prime }})=1]$ is also negligible for $M_i\ne M_j$.

□

5. Security Analysis

We will prove two kinds of security against different adversaries in this section. For this purpose, we design several related games to connect the scheme security and the hardness problems. Suppose $\mathcal{A}$ is a polynomial-time adversary, allowing $\mathcal{A}$ to do at most $q_H$, $q_{H_1}$, $q_{H_2}$, $q_{H_3}$, $q_{H_4}$, $q_{H_5}$ times of queries to hash oracles ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_4}$, ${\mathcal{O}}_{H_5}$,respectively, $q_K$ times key generation queries, $q_D$ times decryption queries, $q_T$ times trapdoor queries. Challenger $\mathcal{C}$ controls oracles and answers the queries of adversaries. $L_H$, $L_{H_1}$, $L_{H_2}$, $L_{H_3}$, $L_{H_4}$, $L_{H_5}$ stand for hash lists.

5.1. OW-ID-CCA Security Against Adv-I

Theorem 2.

Based on CDH assumption, in the random oracle model our presented IBEET-FA scheme is OW-ID-CCA secure against Adv-I for Aut-γ (γ = 1, 2, 3) authorization.

Proof of Theorem 2.

We design several related games to prove OW-ID-CCA security against Adv-I ${\mathcal{A}}_1$. Let P[$Gam{e}_i$] present the probability of breaking game i, where $i\in \{1,2,3\}$.

Game1: 

 

• $Setup$: The challenger ${\mathcal{C}}_1$ outputs public parameter $\{G,g,q,k\}$, the master secret key $msk=T$.
• $Phase1$: Allows ${\mathcal{A}}_1$ to do the following queries.

  1.

  Hash queries: Suppose ${\mathcal{A}}_1$ queries at most $q_H$, $q_{H_1}$, $q_{H_2}$, $q_{H_3}$, $q_{H_4}$, $q_{H_5}$ times to hash oracles ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_4}$, ${\mathcal{O}}_{H_5}$, respectively.

  (a)

  ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$: Set original empty lists $L_H$(resp.$L_{H_1}$). For an identity i, the oracle picks $r_{i_1}\leftarrow {\mathbb{Z}}_q$(resp.$r_{i_2}\leftarrow {\mathbb{Z}}_q$) randomly, computes $H(i)=g^{r_{i_1}}$(resp.$H_1(i)=g^{r_{i_2}}$) and records the tuple $(i,r_{i_1},g^{r_{i_1}})$(resp.$(i,r_{i_2},g^{r_{i_2}})$) on hash list $L_H$(resp.$L_{H_1}$). $H(i)$(resp.$H_1(i)$) is returned to ${\mathcal{A}}_1$.

  (b)

  ${\mathcal{O}}_{H_2}$: Set original empty lists $L_{H_2}$. For an input $U_i$, the oracle picks a string $S_i\in {\{0,1\}}^k$ randomly and records the tuple $(U_i,S_i)$ on hash list $L_{H_2}$. $H_2(U_i)=S_i$ is returned to ${\mathcal{A}}_1$.

  (c)

  ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_4}$: Set original empty lists $L_{H_3}$. For an input $S_i$, the oracle picks $r_i\leftarrow {\mathbb{Z}}_q$ randomly and records the tuple $(S_i,r_i)$ on hash list $L_{H_3}$. $H_3(S_i)=r_i$ is returned to ${\mathcal{A}}_1$.

  (d)

  ${\mathcal{O}}_{H_5}$: Set original empty lists $L_{H_5}$. For an input $U_i$, the oracle picks a string $S_i\in {\{0,1\}}^{2l}$ randomly and records the tuple $(U_i,S_i)$ on hash list $L_{H_5}$. $H_5(U_i)=S_i$ is returned to ${\mathcal{A}}_1$.

  2.

  Key retrieve queries: For an identity i, challenger ${\mathcal{C}}_1$ invokes hash oracles ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$ to get hash values $H(i)$, $H_1(i)$, then runs $KeyGen(msk,pp,i)$ algorithm to get the secret key $s{k}_i=({\alpha }_i,{\beta }_i)$. It returns $s{k}_i$ to ${\mathcal{A}}_1$.

  3.

  Decryption queries: For an identity i, ciphertext $C_i$, challenger ${\mathcal{C}}_1$ invokes key retrieve queries to obtain the secret key $s{k}_i=({\alpha }_i,{\beta }_i)$, then uses $s{k}_i$ to call $Decrypt(pp,C_i,{\alpha }_i,i)$ algorithm to obtain the message $M_i$(which might be ⊥). It returns $M_i$ (or ⊥) to ${\mathcal{A}}_1$.

  4.

  Authorization queries: For Aut-$\gamma$ ($\gamma$ = 1, 2, 3),

  (a)

  $\gamma =1$: i as the input, ${\mathcal{C}}_1$ runs $Au{t}_1$ algorithm with $SK$, then returns $T{D}_1={\beta }_i$ to ${\mathcal{A}}_1$.

  (b)

  $\gamma =2$: $(i,CT)$ as the input, ${\mathcal{C}}_1$ runs $Au{t}_2$ algorithm with $SK$, then returns $T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)$ to ${\mathcal{A}}_1$.

  (c)

  $\gamma =3$: $(i,CT,j,C{T}^{{}^{\prime }})$ as the input, ${\mathcal{C}}_1$ runs $Au{t}_3$ algorithm with $SK$, then returns $T{D}_3=({[H_2({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)]}_0^{l-1},{(C{T}_{1}C{T}_1^{{}^{\prime }})}^{y_i})$ to ${\mathcal{A}}_1$.

• $Challenge$: Adversary ${\mathcal{A}}_1$ submits to ${\mathcal{C}}_1$ an identity t, and t has not been queried in previous extract query, ${\mathcal{C}}_1$ randomly selects a message $M_t$, and gets $C_t^{*}=(C_{t,1}^{*},C_{t,2}^{*},C_{t,3}^{*})$ with the following equations.

  $$\begin{array}{cc}\hfill C_{t,1}^{*}& =g^{r_t},\hfill \\ \hfill C_{t,2}^{*}& =M_t\oplus H_2(H{(t)}^{r_t}),\hfill \\ \hfill C_{t,3}^{*}& =(x_t\parallel y_t)\oplus H_5(H_1{(t)}^{r_t},C_{t,1}^{*},C_{t,2}^{*}),\hfill \end{array}$$

  where the point $(x_t,y_t)$ is randomly taken from the ray passing through the point $(H_3(M_t),H_4(M_t))$, and $r_t\in {Z_q}^{*}$. Then, the challenge ciphertext $C_t^{*}$ is sent to ${\mathcal{A}}_1$.
• $Phase2$: Allows ${\mathcal{A}}_1$ to issue the same type query as in Phase 1. However, in the key retrieve queries, t can not be allowed to query; and in the decryption queries, $(t,C_t^{*})$ can not be queried.
• $Guess$: ${\mathcal{A}}_1$ returns a message $M^{\prime }$, if $M^{\prime }=M_t$, means in the game ${\mathcal{A}}_1$ wins. The probability of adversary ${\mathcal{A}}_1$ winning the game is:

  $$\begin{array}{c}\hfill Ad{v}_{IBEET-FA,{\mathcal{A}}_1}^{OW-ID-CCA,Aut-\gamma }(k)=P[Gam{e}_1](\gamma =1,2,3).\end{array}$$

Game2: 

It is almost equivalent to Game 1, the modified parts are as follows:

$$\begin{array}{cc}\hfill C_{i,1}& =g^r,\hfill \\ \hfill C_{i,2}& =M\oplus R,\hfill \\ \hfill C_{i,3}& =(x_i\parallel y_i)\oplus H_5(H_1{(i)}^r,C_{i,1}^{*},C_{i,2}^{*}).\hfill \end{array}$$

The change is that $H_2(H{(t)}^{r_t})$ is replaced by a random R. We can see that $H_2(H{(t)}^{r_t})$ is random in $Game1$. If $H{(t)}^{r_t}$ has been queried in $Game2$, we call it event E. If $H{(t)}^{r_t}$ has not been queried, it is difficult for ${\mathcal{A}}_1$ to separate $Game1$ and $Game2$. We get that

$$\begin{array}{c}\hfill |P[Game1]-P[Game2]|\le P[E],\end{array}$$

then have

$$\begin{array}{c}\hfill P[Game1]\le P[Game2]+P[E].\end{array}$$

Obviously, $P[E]$ is ignorable if the CDH problem is difficult.

Game3: 

It is almost equivalent to Game2, the modified parts are as follows:

$$\begin{array}{cc}\hfill C_{i,1}& =g^r,\hfill \\ \hfill C_{i,2}& =R_1,\hfill \\ \hfill C_{i,3}& =(x_i\parallel y_i)\oplus H_5(H_1{(i)}^r,C_{i,1}^{*},C_{i,2}^{*}).\hfill \end{array}$$

Compared to $Game2$, $M\oplus R$ in $Game3$ is changed by random $R_1$. R is a random string, we can konw that $M\oplus R$ is also a random string. So it is difficult for ${\mathcal{A}}_1$ to separate $Game2$ and $Game3$. We have that

$$\begin{array}{c}\hfill P[Game2]=P[Game3]\end{array}$$

Similarly, if CDH problem is difficult, $P[Game3]$ is ignorable.

From all the formulas obtained above, we derive the following formula

$$\begin{array}{c}\hfill P[Game1]\le P[Game2]+P[E]\le P[Game3]+P[E]\end{array}$$

We can get a conclusion: when the CDH problem is intractable, our new IBEET-FA scheme can achieve IND-ID-CCA security against Adv-I. □

5.2. IND-ID-CCA Security Against Adv-II

Theorem 3.

Based on DDH assumption, in the random oracle model our presented IBEET-FA scheme is IND-ID-CCA secure against Adv-II for Aut-γ (γ = 1, 2, 3) authorization.

Proof 

(Proof of Theorem 3). If such an adversary ${\mathcal{A}}_2$ exists who could attack the IND-ID-CCA security of this scheme, we then can get an algorithm to solve the DDH problem in polynomial time with not negligible advantage. For Adv-II ${\mathcal{A}}_2$, we design the following game to prove the IND-ID-CCA security. The probability of winning the game is expressed as $P[Game]$.

For $a,b,c\in Z_q$, given two tuples $(g,g^a,g^b,g^{ab}),(g,g^a,g^b,g^c)\in G$, ${\mathcal{C}}_2$ computes system parameters and sends to ${\mathcal{A}}_2$. For the queries of ${\mathcal{A}}_2$, ${\mathcal{C}}_2$ replies as following.

• $Setup$: For $i\in [1,n]$, algorithm ${\mathcal{C}}_2$ generates n key pairs $(s{k}_i,p{k}_i)$, where sets $(s{k}_i,p{k}_i)=(({\alpha }_i,{\beta }_i),(g^{{\alpha }_i},g^{{\beta }_i}))({\alpha }_i,{\beta }_i\in Z_q)$.
• $Phase1$: Allows algorithm ${\mathcal{C}}_2$ to issue four types of queries as follows.

  1.

  Hash queries:

  (a)

  ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$: Work in the same way as in $Game1$.

  (b)

  ${\mathcal{O}}_{H_2}$: Works in the same way as in $Game1$.

  (c)

  ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_4}$: Works in the same way as in $Game1$.

  (d)

  ${\mathcal{O}}_{H_5}$: Works in the same way as in $Game1$.

  2.

  Key retrieve queries: Given an identity i, ${\mathcal{C}}_2$ searches tuple $(i,r_{i_1},g^{r_{i_1}})$ and tuple $(i,r_{i_2},g^{r_{i_2}})$ in list $L_H$ and list $L_{H_1}$, sends $(r_{i_1},r_{i_2})$ to ${\mathcal{A}}_2$ when $i\ne t$ holds. Otherwise, ${\mathcal{C}}_2$ returns ⊥ to ${\mathcal{A}}_2$.

  3.

  Decryption queries: For identity i and a query ciphertext $C_i$, challenger ${\mathcal{C}}_2$ searches tuple $(U,S)$ in list $L_{H_2}$, and computes $M\Vert R=C_2+S$. If exists R, making equation $C_1=g^R$ true, ${\mathcal{C}}_2$ returns M to ${\mathcal{A}}_2$. Otherwise, ${\mathcal{C}}_2$ returns ⊥ to ${\mathcal{A}}_2$.

  4.

  Authorization queries: For Aut-$\gamma$ ($\gamma$ = 1, 2, 3),

  (a)

  $\gamma =1$: i as the input, challenger ${\mathcal{C}}_2$ calls $Au{t}_1$ algorithm with $SK$, then sends $T{D}_1={\beta }_i$ to ${\mathcal{A}}_2$.

  (b)

  $\gamma =2$: $(i,CT)$ as the input, challenger ${\mathcal{C}}_2$ calls $Au{t}_2$ algorithm with $SK$, then sends $T{D}_2=H_5({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)$ to ${\mathcal{A}}_2$.

  (c)

  $\gamma =3$: given $(i,CT,j,C{T}^{{}^{\prime }})$ as input, challenger ${\mathcal{C}}_2$ calls $Au{t}_3$ algorithm with $SK$, then sends $T{D}_3=({[H_2({C{T}_1}^{{\beta }_i},C{T}_1,C{T}_2)]}_0^{l-1},{(C{T}_{1}C{T}_1^{{}^{\prime }})}^{y_i})$ to ${\mathcal{A}}_2$.

• $Challenge$: Adversary ${\mathcal{A}}_2$ chooses two plaintext $M_0$, $M_1$ and an identity t, there is a contraint that t can not be queried in extract queriy phase or Aut-1 authorization query phase. ${\mathcal{C}}_2$ picks a bit $b\in \{0,1\}$ randomly, then encrypts $M_b$:

  $$\begin{array}{cc}\hfill C_{t,1}^{*}& =g^x,\hfill \\ \hfill C_{t,2}^{*}& =M_b\oplus H_2(g^z),\hfill \\ \hfill C_{t,3}^{*}& =(x_t\parallel y_t)\oplus H_5(H_1{(t)}^{r_t},C_{t,1}^{*},C_{t,2}^{*}),\hfill \end{array}$$

  challenger ${\mathcal{C}}_2$ sends the obtained challenge ciphertext $C^{*}=(C_{t,1}^{*},C_{t,2}^{*},C_{t,3}^{*})$ to the adversary ${\mathcal{A}}_2$.
• $Phase2$: ${\mathcal{A}}_2$ issues the same type query as in Phase 1, and there are two following restrictions:

  1.

  In the key retrieve query phase or Aut-1 authorizations query phase, i could not be allowed to query;

  2.

  In the decryption query phase or the authorization query phase, $(i,C^{*})$ could not be queried.

• $Guess$: ${\mathcal{A}}_2$ returns a bit $b^{\prime }$. If $b^{\prime }=b$ holds, it means that ${\mathcal{A}}_2$ wins the game, then ${\mathcal{C}}_2$ outputs 1.

□

6. Efficiency Analysis

In

Table 1. Communication complexity.

	Public Key	Secret Key	Ciphertext
PKEET-FA [4]	$3\left|G\right|$	$3|Z_p|$	$5\left|G\right|+|Z_p|$
PKEET-FA [23]	$2\left|G\right|$	$2|Z_p|$	$2\left|G\right|+6|Z_p|$
PKEET-FA [24]	$2\left|G\right|$	$2|Z_p|$	$\left|G\right|+5|Z_p|$
IBEET-FA [5]	$|G_1|$	$2|G_1|$	$5|G_1|+|G_T|+2|Z_p|$
Our IBEET-FA	$|G_1|$	$2|G_1|$	$|G_1|+3|Z_p|$

, we describe the communication complexity of our scheme, and compare it with other schemes [4,5,23,24]. $|Z_p|$, $\left|G\right|$, $|G_1|$ and $|G_T|$ are used to represent the size of elements in $Z_p$, G, $G_1$ and $G_T$, the second column represents the size of the public key, the third column represents the size of a private key, the four columns represent the size of ciphertext. We can see that our scheme has a smaller size than [4,23,24] in public key and ciphertext, and has a smaller size than [5] in the ciphertext.

In

Table 2. Computation complexity.

	Encryption	Decryption	Authorization	Test	ID-Based	Pairings-Based
PKEET-FA [4] Aut-1	6E	5E	0	2P + 2E	NO	YES
PKEET-FA [4] Aut-2	6E	5E	2E	2P + 2E	NO	YES
PKEET-FA [4] Aut-3	6E	5E	2P + 2E	2P + 2E	NO	YES
PKEET-FA [23] Aut-1	4E + 6I	3E + 6I	0	2E + 6I	NO	NO
PKEET-FA [23] Aut-3	4E + 6I	3E + 6I	4E	6E + 6I	NO	NO
PKEET-FA [24] Aut-1	3E + I	2E + I	0	2E + 2I	NO	NO
PKEET-FA [24] Aut-2	3E + I	2E + I	E	2I	NO	NO
PKEET-FA [24] Aut-3	3E + I	2E + I	3E	4E + 4I	NO	NO
IBEET-FA [5] Aut-1	7E	3P + 2E	0	4P	YES	YES
IBEET-FA [5] Aut-2	7E	3P + 2E	P	2P	YES	YES
IBEET-FA [5] Aut-3	7E	3P + 2E	2P	2P	YES	YES
Our IBEET-FA Aut-1	3E	2E	0	2E + 2I	YES	NO
Our IBEET-FA Aut-2	3E	2E	2E	2I	YES	NO
Our IBEET-FA Aut-3	3E	2E	4E	2E + 2I	YES	NO

, we show the comparison of encryption, decryption, authorization, and test in computation complexity. We use “I”, “E”, and “P” to represent the inversion operation, exponentiation operation and pairing operation, respectively, and represent the comparison of the encryption process, decryption process, authorization process, and test process in computation complexity from the second to fifth columns. In the sixth column, we represent whether the scheme is identity-based, and represents whether the scheme is pairing-based in the last column. Our scheme and [5] have four authorization algorithms. Since Aut-4 is a combination of Aut-1 and Aut-2, we omit Aut-4 for simplicity. In Table 2 and Figure 2, we list the three authorization algorithms of our scheme and [5] for comparison. In the encryption algorithm, Ref. [5] requires seven exponential operations, while our scheme only requires three exponential operations. In the Aut-2 authorization algorithm, Ref. [5] requires one pairing operation, and our scheme only requires two exponential operations. In Aut-3 authorization algorithm, Ref. [5] requires two pairing operations, and our scheme only requires four exponential operations. For the two authorization processes, our scheme reduces the computation costs by 60%, respectively. Reducing the use of pairings is key to reducing computational costs. Compared with [4,23,24], our scheme and [5] are based on identity encryption. The user’s public key can be a string related to the user’s identity information, which avoids complicated public key certificate management and public key storage. However, Refs. [4,23,24] use public key encryption, which requires a large amount of storage and complex management. Among all the schemes we list, our scheme is the only one that can achieve both ID-based and no pairing.

From the comparison results in Figure 2, it can be seen that the calculation costs of the authorization algorithms of the three authorization methods in our scheme are significantly lower than that of the corresponding three authorization algorithms in Li et al.’s scheme [5]. Compared with other schemes [4,5,23,24], our scheme is more flexible and efficient. In cloud computing, our scheme is applicable to more application scenarios and has high practical significance.

7. Conclusions

In this paper, we propose a new IBE scheme without pairing, which supports the ciphertext equality test. Our scheme introduces the authorization mechanism proposed in the scheme [4], four types of authorization policies providing better flexibility. Compared with works [4,23,24], our scheme is in IBE settings, which means do not need to suffer from complex key store and distribution problems. Compared with works [5], we replaced pairing with discrete logarithms, which helps reduce the computation cost. Specifically, compared to Li et al.’s work, about 57% = (100$\%-43\%$) time cost is saved for the encryption process, and about 60% = (100$\%-40\%$) time costs are saved for the type-2 authorization process and type-3 authorization process. Based on mathematical assumptions, we define the security models of our scheme and prove the security of the scheme.

Our proposed approach can be applied to equality tests over ciphertexts encrypted with different public keys, which increases the application range of cloud computing. Furthermore, our scheme is in IBE settings, avoiding complex key management issues. However, there are security channel key distribution and private key escrow issues in IBE. In the future, we will try to combine the advantages of IBE and PKE to propose more secure and efficient equality test schemes.