Certificateless Public Key Encryption with Equality Test

Haipeng Qu (a), Zhen Yan (a), Xi-Jun Lin (a,*), Qi Zhang (a), Lin Sun (b)

(a) Department of Computer Science and Technology, Ocean University of China, Qingdao, China
(b) College of Liberal Arts, Qingdao University, Qingdao, China

Abstract

In this paper, we present the concept of certificateless public key encryption with equality test (CL-PKEET), which integrates certificateless public key cryptography (CL-PKC) into public key encryption with equality test (PKEET) to solve the key escrow problem of identity-based encryption with equality test (IBEET). In the CL-PKEET scheme, the receiver first computes his private key from the receiver’s secret value and the partial private key generated by the key generation center (KGC). The trapdoor is generated with this private key. Then, using the trapdoor, the receiver authorizes the cloud server to test the equivalence between his ciphertexts and others’ ciphertexts. We formalize the system model and definition of CL-PKEET, propose the security models by considering four types of adversaries, and then present a concrete CL-PKEET scheme. Our proposal achieves IND-CCA security against adversaries without the trapdoor, and OW-CCA security against adversaries with the trapdoor. Furthermore, compared with IBEET and PKEET, our proposal, which has the features of CL-PKC, solves the certificate management and key escrow problems simultaneously.

Keywords: authorization, certificateless public key encryption, key escrow, equality test

1. Introduction

In the cloud era, plenty of cloud services offer a broad set of global computation, analytics, storage, deployment, and application services to help organizations run faster and lower IT costs. Considering the potential risks of privacy disclosure, cryptosystems are introduced to encrypt the private data. In order to preserve users’ privacy and meanwhile support searching on the encrypted data, the notion of searchable encryption (SE) was proposed [16]. Based on SE, the well-known public key encryption with keyword search (PEKS) [2, 9] was presented as a solution to support keyword searching over ciphertexts without retrieving the messages, by using the corresponding trapdoors [3]. However, PEKS is not suitable for scenarios involving multiple users in cloud computing, since the ciphertexts are encrypted under the identical public key. A new notion, called public key encryption with equality test (PKEET), was conceived by Yang et al. [24] to support comparison of encrypted data with respect to different public keys. This primitive can be used to test whether ciphertexts are generated on the same message in an outsourced database. The equality test can be defined as follows: let $C, C'$ be two ciphertexts encrypted under two different public keys, where $C = \mathrm{Encrypt}(M, PK)$ and $C' = \mathrm{Encrypt}(M', PK')$; the algorithm determines whether $M = M'$ holds only by comparing $C$ and $C'$. If it is the case, the algorithm returns 1, or 0 otherwise. Even if the private data are encrypted under different public keys, anyone is able to search the data by using the PKEET test function. In some specific scenarios, PKEET, which trivially supports the traditional functionality of PEKS, is an extension of PEKS. PKEET has many interesting applications, for example, partitioning encrypted email [13] and constructing internet-based personal health record (PHR) systems [18, 21].

In an email system, the encrypted emails can be classified into different partitions according to the emails’ encrypted keywords. And in a PHR system, the service provider can permit patients to match their encrypted data with those of others. Then the patients with the same illness can get help by exchanging their treatment experiences and mental processes. In all the applications mentioned above, the server can check the equality of the provided ciphertexts but learns nothing about the real contents.

* Corresponding author. Email address: [email protected] (Xi-Jun Lin)

Preprint submitted to Elsevier, February 17, 2018

However, anyone is able to verify the equality of ciphertexts without any authorization in Yang et al.’s scheme, which violates the data owners’ privacy. Hence, several PKEET schemes with an authorization mechanism were proposed. Recently, Ma [13] proposed identity-based encryption with equality test (IBEET), which simplifies the certificate management problem of PKEET and supports user-level authorization.

1.1. Related Work

IBE/CL-PKC. Deriving the receiver’s public key from his identity, formalized by Shamir [17] as identity-based cryptography, is a solution to the certificate management problem of traditional public key encryption. Based on identity-based cryptography, an important primitive called identity-based encryption (IBE) was presented. Boneh and Franklin [4] presented the first practical IBE scheme based on bilinear pairings, and Cocks [7] presented a typical IBE scheme based on quadratic residues. IBE is immune to the certificate management problems, such as storage, distribution, verification and revocation. However, it introduces the key escrow problem, since the receivers’ private keys are generated by the key generation center (KGC). Obviously, IBEET suffers from the key escrow problem as well. To deal with this problem, an important notion, called certificateless public key cryptography (CL-PKC), was presented by Al-Riyami and Paterson [1].

Public key encryption with equality test. Yang et al. [24] first presented the concept of PKEET; their cryptosystem can be used to determine whether two messages in an outsourced database are equal by checking the corresponding ciphertexts. Then Tang [22] presented a PKEET scheme supporting fine-grained authorization (FG-PKEET), which introduced an authorization mechanism for the first time. Tang [21] proposed a notion, called all-or-nothing PKEET (AoN-PKEET), to support user-level authorization by specifying who can independently test the equivalence between two ciphertexts. Tang [23] proposed a two-proxy scheme extended from FG-PKEET to resist offline message recovery attacks. Later, Ma et al. [15] introduced a significant primitive called public key encryption with delegated equality test (PKE-DET). This primitive allows only the delegated party to verify the equality of ciphertexts in scenarios involving multiple users. Huang et al. [10] proposed a public key encryption scheme with authorized equality test (PKE-AET), which strengthens the privacy protection with user-level warrants and cipher-level warrants. Their construction was broken and fixed by Lee et al. [11]. A notion, called public key encryption with equality test supporting flexible authorization (PKEET-FA), was presented by Ma et al. [14] to support four different types of authorization mechanisms. Recently, Ma [13] proposed the concept of IBEET by combining PKEET and IBE [17] to solve the certificate management problem of PKEET. However, the scheme only achieves OW-ID-CCA security. Lee et al. [12] proposed a semi-generic construction of PKEET, and proposed the first IBEET achieving IND-ID-CCA security.

1.2. Our Contribution

We stress here again that traditional PKEET suffers from the certificate management problem and IBEET suffers from the key escrow problem. We believe that a primitive which has the features of CL-PKC and PKEET could solve both problems simultaneously. Hence, we propose a new primitive, called certificateless public key encryption with equality test (CL-PKEET). In the CL-PKEET scheme, the receiver first computes his private key from the secret value picked by himself and the partial private key obtained from the KGC. The receiver’s trapdoor is generated with his private key. Then, using the trapdoor, the receiver authorizes the cloud server to test his ciphertexts. It is obvious that the key escrow problem of IBEET is solved in CL-PKEET. The equality testing procedure in CL-PKEET can be briefly described as follows: let $C_A$ and $td_A$ be receiver A’s ciphertext and trapdoor, and $C_B$ and $td_B$ receiver B’s ciphertext and trapdoor, respectively. Given $(C_A, td_A)$ and $(C_B, td_B)$, the cloud server can check whether or not $M_A = M_B$ holds. Meanwhile, the server learns nothing about the messages $M_A$ and $M_B$. The contributions of this paper are listed below:

1. We present the concept of CL-PKEET, which integrates the notion of CL-PKC into PKEET to solve the key escrow problem of IBEET and support user-level authorization.
2. We give the system model and formal definition of CL-PKEET. Moreover, we formalize the security models for CL-PKEET by considering four types of adversaries.
3. We devise a concrete CL-PKEET scheme, which achieves IND-CCA security against adversaries without the trapdoor and OW-CCA security against adversaries with the trapdoor.

1.3. Organization

In Section 2, we recall the definition of asymmetric bilinear groups and the BDH assumption. The system model, the definition and the security models of CL-PKEET are given in Section 3. The proposed scheme is shown in Section 4, and in Section 5 we prove its security. In Section 6, we compare our proposal with related schemes, which is followed by the last section concluding our work.

2. Preliminaries

2.1. Asymmetric Bilinear Groups

Given three cyclic groups $G_1, G_2, G_T$ of prime order $q$ and two random generators $g_1 \in G_1$, $g_2 \in G_2$, the properties of the asymmetric bilinear map $e: G_1 \times G_2 \to G_T$ are as follows:
• Bilinear: $\forall a \in G_1$, $\forall b \in G_2$ and $\forall u, v \in \mathbb{Z}_q^*$, $e(a^u, b^v) = e(a, b)^{uv}$.
• Non-degenerate: $\exists g_1 \in G_1$ and $\exists g_2 \in G_2$ such that $e(g_1, g_2) \ne 1$.
Note that the asymmetric bilinear map $e$ and all the group operations are efficiently computable, but no efficiently computable isomorphism between $G_1$ and $G_2$ is known [19, 8].

2.2. Bilinear Diffie-Hellman (BDH) Assumption in Asymmetric Bilinear Groups

The BDH assumption was first presented by Boneh and Franklin [4] in symmetric bilinear groups. Then it was extended to asymmetric bilinear groups [5, 6, 19]. In this paper, we consider the BDH assumption generalized by Boyen et al. [5] in asymmetric bilinear groups, as follows.

BDH problem: $\mathcal{G} = (q, G_1, G_2, G_T, e)$ is defined as in Section 2.1. Given $(g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b) \in G_1^3 \times G_2^3$ with random generators $g_1 \in G_1$, $g_2 \in G_2$ and random numbers $a, b, c \in \mathbb{Z}_q^*$, output $e(g_1, g_2)^{abc} \in G_T$.

The BDH assumption is defined as follows: given an instance of the BDH problem, no PPT adversary $A$ computes $e(g_1, g_2)^{abc}$ with non-negligible probability. The advantage of $A$ is defined as
$$\Pr[A(g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b) = e(g_1, g_2)^{abc}],$$
where the probability is taken over the random choice of $a, b, c \in \mathbb{Z}_q^*$ and $g_1 \in G_1$, $g_2 \in G_2$, and the random bits used by $A$.

3. Definition of CL-PKEET

Here, we formalize the system model and definition of CL-PKEET, and then define the security models by considering four types of adversaries. The system model is illustrated in Figure 1. In CL-PKEET, there are five types of entities:
• Message sender: an entity which generates the ciphertexts and uploads them to the cloud server.
• Receiver: an entity which downloads the ciphertexts sent by the message senders from the cloud server, and which can allow the cloud server to test his ciphertexts.
• KGC: an entity which generates the partial private keys for the receivers and distributes them secretly.
• Cloud server: an entity which stores the ciphertexts and can perform the equality test with the receivers’ authorizations.
• Public key server: an entity which stores the receivers’ public keys and can be accessed by anyone.

The workflow is presented as follows:
1. The KGC computes the partial private key from the receiver’s identity, and then transmits it to the receiver secretly.
2. By using the partial private key obtained from the KGC and a secret value chosen by the receiver himself, the receiver computes his (full) private key. Moreover, the receiver generates his public key and stores it in the public key server.

Figure 1: The system model of CL-PKEET

3. The message sender generates the ciphertext with the receiver’s public key obtained from the public key server, and then uploads it to the cloud server.
4. To have his ciphertexts tested, the receiver (e.g. Alice or Bob) generates the trapdoor with his (full) private key, and then transmits it to the cloud server.
5. With the receivers’ trapdoors, the cloud server is able to test their ciphertexts without learning the messages.

3.1. Definition

Let $\mathcal{M}$ and $\mathcal{C}$ denote the message space and the ciphertext space, respectively. A CL-PKEET scheme consists of nine algorithms:
• Setup($\lambda$): This algorithm, run by the KGC, takes the security parameter $\lambda$ as input, and outputs the system public parameter $PP$ and the master key $msk$.
• Extract Partial Private Key($PP, msk, ID$): This algorithm, run by the KGC, takes the public parameter $PP$, the master key $msk$ and a receiver’s identity $ID \in \{0,1\}^*$ as input, and outputs the receiver’s partial private key $D$.
• Extract Secret Value($PP$): This algorithm, run by a receiver, takes the public parameter $PP$ as input, and outputs the receiver’s secret value $x$.
• Extract Private Key($PP, D, x$): This algorithm, run by a receiver, takes the public parameter $PP$, the receiver’s partial private key $D$ and the secret value $x$ as input, and outputs the receiver’s (full) private key $SK$.
• Extract Public Key($PP, x$): This algorithm, run by a receiver, takes the public parameter $PP$ and the receiver’s secret value $x$ as input, and outputs the receiver’s public key $PK$.
• Encryption($PP, M, PK, ID$): This algorithm, run by a message sender, takes the public parameter $PP$, a message $M \in \mathcal{M}$, a receiver’s public key $PK$ and identity $ID$ as input, and outputs the ciphertext $C \in \mathcal{C}$ or a symbol $\bot$ to denote encryption failure.
• Decryption($PP, C, SK$): This algorithm, run by a receiver, takes the public parameter $PP$, a ciphertext $C \in \mathcal{C}$ and the receiver’s private key $SK$ as input, and outputs the corresponding message $M \in \mathcal{M}$ or a symbol $\bot$ to denote decryption failure.
• Authorization($PP, SK$): This algorithm, run by a receiver, takes the public parameter $PP$ and the receiver’s private key $SK$ as input, and outputs the receiver’s trapdoor $td$.
• Test($PP, C_A, td_A, C_B, td_B$): Let $C_A$ and $td_A$ be receiver A’s ciphertext and trapdoor, and $C_B$ and $td_B$ receiver B’s ciphertext and trapdoor, respectively. This algorithm, run by the cloud server, takes the public parameter $PP$ and two ciphertext/trapdoor pairs $(C_A, td_A)$ and $(C_B, td_B)$ as input, and outputs 1 if $C_A$ and $C_B$ are generated on the same message, or 0 otherwise.

As for consistency, the following conditions must be satisfied:
1. $M = \mathrm{Decryption}(PP, \mathrm{Encryption}(PP, M, PK, ID), SK)$, where $PK$ and $SK$ are the public key and private key with respect to $ID$, respectively.
2. Let $C_A = \mathrm{Encryption}(PP, M_A, PK_A, ID_A)$, $C_B = \mathrm{Encryption}(PP, M_B, PK_B, ID_B)$, $td_A = \mathrm{Authorization}(PP, SK_A)$ and $td_B = \mathrm{Authorization}(PP, SK_B)$. If $M_A = M_B$, then $\mathrm{Test}(C_A, td_A, C_B, td_B) = 1$; otherwise, $\Pr[\mathrm{Test}(C_A, td_A, C_B, td_B) = 1]$ is negligible.

3.2. Security Models

Following the security models of PKEET and CL-PKC, four types of adversaries are taken into account for the security of CL-PKEET:
• Type-1 adversary: The master key cannot be accessed by this type of adversary, but the adversary can replace the receiver’s public key. Moreover, without the trapdoor, he cannot decide which message the ciphertext is computed on. We define the IND-CCA security model with respect to this type of adversary.
• Type-2 adversary: The master key can be accessed by this type of adversary, but the adversary cannot replace the receiver’s public key. Moreover, without the trapdoor, he cannot decide which message the ciphertext is computed on. We define the IND-CCA security model with respect to this type of adversary.
• Type-3 adversary: The master key cannot be accessed by this type of adversary, but the adversary can replace the receiver’s public key. Moreover, even with the trapdoor, he cannot recover the message from the challenge ciphertext. We define the OW-CCA security model with respect to this type of adversary.
• Type-4 adversary: The master key can be accessed by this type of adversary, but the adversary cannot replace the receiver’s public key. Moreover, even with the trapdoor, he cannot recover the message from the challenge ciphertext. We define the OW-CCA security model with respect to this type of adversary.

3.2.1. IND-CCA Security against Type-1 Adversary

The formal definition of IND-CCA security against a Type-1 adversary is given below.

Game 1. Let $A_1$ be a Type-1 adversary. The challenger $\mathcal{C}$ and $A_1$ play the following game:
1. Setup: Suppose that the security parameter is $\lambda$. The public parameter $PP$ and the master key $msk$ are generated by the challenger $\mathcal{C}$ by running the algorithm Setup. $msk$ is kept by $\mathcal{C}$ itself, and $PP$ is given to $A_1$.
2. Phase 1: The following queries can be issued by $A_1$ polynomially many times.
   • Partial private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding partial private key $D_i$.
   • Private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding private key $SK_i$.
   • Public key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding public key $PK_i$.
   • Replace public key($ID_i, PK_i'$): Upon receiving a receiver’s identity $ID_i$ and a public key $PK_i'$, $\mathcal{C}$ replaces the corresponding public key with $PK_i'$.
   • Decryption query($ID_i, C$): Upon receiving a receiver’s identity $ID_i$ and a ciphertext $C$, $\mathcal{C}$ responds with the output of the algorithm Decryption($PP, C, SK_i$), where $SK_i$ is the private key with respect to the identity $ID_i$.
   • Authorization query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding trapdoor $td_i$.
3. Challenge: $A_1$ randomly selects an identity $ID^*$ and two equal-length messages $M_0^*, M_1^*$, which are submitted to $\mathcal{C}$ for challenge. $\mathcal{C}$ picks $\rho \in \{0,1\}$ randomly, and then computes $C^* = \mathrm{Encryption}(PP, M_\rho^*, PK^*, ID^*)$ as the challenge ciphertext, where $PK^*$ is the public key with respect to $ID^*$. If the encryption procedure outputs $\bot$, $A_1$ loses the game. Otherwise, $\mathcal{C}$ returns $C^*$ to $A_1$.
4. Phase 2: $A_1$ issues queries as in Phase 1.
5. Guess: $A_1$ outputs $\rho' \in \{0,1\}$. If $\rho = \rho'$, $A_1$ wins this game.

The advantage of $A_1$ is defined as
$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA,Type\text{-}1}}_{\mathrm{CL\text{-}PKEET},A_1}(\lambda) = \left|\Pr[\rho = \rho'] - \tfrac{1}{2}\right|.$$
There are some constraints:
• $ID^*$ should not appear in the Private key query, the Partial private key query or the Authorization query.
• If a public key has been replaced, the corresponding identity $ID$ should not appear in the Private key query.
• $(ID^*, C^*)$ should not appear in the Decryption query.

Definition 1. A CL-PKEET scheme is IND-CCA secure against a Type-1 adversary if for any PPT adversary $A_1$, its advantage $\mathrm{Adv}^{\mathrm{IND\text{-}CCA,Type\text{-}1}}_{\mathrm{CL\text{-}PKEET},A_1}(\lambda)$ is negligible.

3.2.2. IND-CCA Security against Type-2 Adversary

The formal definition of IND-CCA security against a Type-2 adversary is given below.

Game 2. Let $A_2$ be a Type-2 adversary. The challenger $\mathcal{C}$ and $A_2$ play the following game:
1. Setup: Suppose that the security parameter is $\lambda$. The public parameter $PP$ and the master key $msk$ are generated by the challenger $\mathcal{C}$ by running the algorithm Setup. $msk$ and $PP$ are given to $A_2$.
2. Phase 1: The following queries can be issued by $A_2$ polynomially many times.
   • Private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding private key $SK_i$.
   • Public key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding public key $PK_i$.
   • Decryption query($ID_i, C$): Upon receiving a receiver’s identity $ID_i$ and a ciphertext $C$, $\mathcal{C}$ responds with the output of the algorithm Decryption($PP, C, SK_i$), where $SK_i$ is the private key with respect to the identity $ID_i$.
   • Authorization query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding trapdoor $td_i$.
3. Challenge: $A_2$ randomly selects an identity $ID^*$ and two equal-length messages $M_0^*, M_1^*$, which are submitted to $\mathcal{C}$ for challenge. $\mathcal{C}$ picks $\rho \in \{0,1\}$ randomly, and then computes $C^* = \mathrm{Encryption}(PP, M_\rho^*, PK^*, ID^*)$ as the challenge ciphertext, where $PK^*$ is the public key with respect to $ID^*$. If the encryption procedure outputs $\bot$, $A_2$ loses the game. Otherwise, $\mathcal{C}$ returns $C^*$ to $A_2$.
4. Phase 2: $A_2$ issues queries as in Phase 1.
5. Guess: $A_2$ outputs $\rho' \in \{0,1\}$. If $\rho = \rho'$, $A_2$ wins this game.

The advantage of $A_2$ is defined as
$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA,Type\text{-}2}}_{\mathrm{CL\text{-}PKEET},A_2}(\lambda) = \left|\Pr[\rho = \rho'] - \tfrac{1}{2}\right|.$$
There are some constraints:
• $ID^*$ should not appear in the Private key query or the Authorization query.
• $(ID^*, C^*)$ should not appear in the Decryption query.

Definition 2. A CL-PKEET scheme is IND-CCA secure against a Type-2 adversary if for any PPT adversary $A_2$, its advantage $\mathrm{Adv}^{\mathrm{IND\text{-}CCA,Type\text{-}2}}_{\mathrm{CL\text{-}PKEET},A_2}(\lambda)$ is negligible.

3.2.3. OW-CCA Security against Type-3 Adversary

The formal definition of OW-CCA security against a Type-3 adversary is given below.

Game 3. Let $A_3$ be a Type-3 adversary. The challenger $\mathcal{C}$ and $A_3$ play the following game:
1. Setup: Suppose that the security parameter is $\lambda$. The public parameter $PP$ and the master key $msk$ are generated by the challenger $\mathcal{C}$ by running the algorithm Setup. $msk$ is kept by $\mathcal{C}$ itself, and $PP$ is given to $A_3$.
2. Phase 1: The following queries can be issued by $A_3$ polynomially many times.
   • Partial private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding partial private key $D_i$.
   • Private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding private key $SK_i$.
   • Public key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding public key $PK_i$.
   • Replace public key($ID_i, PK_i'$): Upon receiving a receiver’s identity $ID_i$ and a public key $PK_i'$, $\mathcal{C}$ replaces the corresponding public key of the receiver with $PK_i'$.
   • Decryption query($ID_i, C$): Upon receiving a receiver’s identity $ID_i$ and a ciphertext $C$, $\mathcal{C}$ responds with the output of the algorithm Decryption($PP, C, SK_i$), where $SK_i$ is the private key with respect to the identity $ID_i$.
   • Authorization query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding trapdoor $td_i$.
3. Challenge: $A_3$ submits an identity $ID^*$ for challenge. $\mathcal{C}$ selects a message $M^*$ randomly, and then sends the challenge ciphertext $C^* = \mathrm{Encryption}(PP, M^*, PK^*, ID^*)$ to $A_3$, where $PK^*$ is the public key with respect to $ID^*$.
4. Phase 2: $A_3$ issues queries as in Phase 1.
5. Guess: $A_3$ outputs $M'$. If $M^* = M'$, $A_3$ wins this game.

The advantage of $A_3$ is defined as
$$\mathrm{Adv}^{\mathrm{OW\text{-}CCA,Type\text{-}3}}_{\mathrm{CL\text{-}PKEET},A_3}(\lambda) = \Pr[M^* = M'].$$
There are some constraints:
• $ID^*$ should not appear in the Private key query or the Partial private key query.
• If a public key has been replaced, the corresponding identity $ID$ should not appear in the Private key query.
• $(ID^*, C^*)$ should not appear in the Decryption query.

Definition 3. A CL-PKEET scheme is OW-CCA secure against a Type-3 adversary if for any PPT adversary $A_3$, its advantage $\mathrm{Adv}^{\mathrm{OW\text{-}CCA,Type\text{-}3}}_{\mathrm{CL\text{-}PKEET},A_3}(\lambda)$ is negligible.

3.2.4. OW-CCA Security against Type-4 Adversary

The formal definition of OW-CCA security against a Type-4 adversary is given below.

Game 4. Let $A_4$ be a Type-4 adversary. The challenger $\mathcal{C}$ and $A_4$ play the following game:
1. Setup: Suppose that the security parameter is $\lambda$. The public parameter $PP$ and the master key $msk$ are generated by the challenger $\mathcal{C}$ by running the algorithm Setup. $msk$ and $PP$ are given to $A_4$.
2. Phase 1: The following queries can be issued by $A_4$ polynomially many times.
   • Private key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding private key $SK_i$.
   • Public key query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding public key $PK_i$.
   • Decryption query($ID_i, C$): Upon receiving a receiver’s identity $ID_i$ and a ciphertext $C$, $\mathcal{C}$ responds with the output of the algorithm Decryption($PP, C, SK_i$), where $SK_i$ is the private key with respect to the identity $ID_i$.
   • Authorization query($ID_i$): Upon receiving a receiver’s identity $ID_i$, $\mathcal{C}$ responds with the corresponding trapdoor $td_i$.
3. Challenge: $A_4$ submits an identity $ID^*$ for challenge. $\mathcal{C}$ selects a message $M^*$ randomly, and then sends the challenge ciphertext $C^* = \mathrm{Encryption}(PP, M^*, PK^*, ID^*)$ to $A_4$, where $PK^*$ is the public key with respect to $ID^*$.
4. Phase 2: $A_4$ issues queries as in Phase 1.
5. Guess: $A_4$ outputs $M'$. If $M^* = M'$, $A_4$ wins this game.

The advantage of $A_4$ is defined as
$$\mathrm{Adv}^{\mathrm{OW\text{-}CCA,Type\text{-}4}}_{\mathrm{CL\text{-}PKEET},A_4}(\lambda) = \Pr[M^* = M'].$$
There are some constraints:
• $ID^*$ should not appear in the Private key query.
• $(ID^*, C^*)$ should not appear in the Decryption query.

Definition 4. A CL-PKEET scheme is OW-CCA secure against a Type-4 adversary if for any PPT adversary $A_4$, its advantage $\mathrm{Adv}^{\mathrm{OW\text{-}CCA,Type\text{-}4}}_{\mathrm{CL\text{-}PKEET},A_4}(\lambda)$ is negligible.

4. The Proposed CL-PKEET Scheme

4.1. The Idea behind Our Construction

Define $PP = (\mathcal{G}, g_1, g_2, g_1^s, H_1, H_2, H_3, H_4, H_5, H_6)$ as the public parameter, where $\mathcal{G} = (q, G_1, G_2, G_T, e)$, $s$ is the master key, $H_i$ ($1 \le i \le 6$) are hash functions and $g_1 \in G_1$, $g_2 \in G_2$ are random generators. Let $x$ be the receiver’s secret value and $ID$ the receiver’s identity. The receiver’s public key is $PK = (X, Y) = (g_1^{sx}, g_2^{x})$ and the partial private key is $D = (D_1, D_2) = (H_1(ID)^s, H_2(ID)^s)$. Let $M$ be a message and $\alpha$, $k$ two random numbers. The corresponding ciphertext is as follows:
$$C_1 = g_1^{H_5(M,k)}, \qquad C_2 = g_1^{\alpha},$$
$$C_3 = H_3(e(X, H_1(ID))^{\alpha}, C_1, C_2) \oplus (M \| k), \qquad C_4 = H_4(M)^{H_5(M,k)} \cdot H_6(e(X, H_2(ID))^{\alpha}).$$

Note that an adversary has to compute $e(X, H_1(ID))^{\alpha} = e(g_1, H_1(ID))^{sx\alpha}$ to reveal the message $M$. Moreover, without the trapdoor $td = H_2(ID)^{sx}$, the adversary cannot compute $e(X, H_2(ID))^{\alpha} = e(g_1, H_2(ID))^{sx\alpha}$ to obtain $H_4(M)^{H_5(M,k)}$, which is used for the equality test. As for the security, we have the following facts due to the BDH assumption:
• Suppose that the master key cannot be accessed by the adversary, but he can replace the public key. The adversary cannot compute $e(g_1, H_1(ID))^{s\alpha}$.
• Suppose that the master key can be accessed by the adversary, but he cannot replace the public key. The adversary cannot compute $e(g_1, H_1(ID))^{x\alpha}$.
• Suppose that the master key cannot be accessed by the adversary, but he can replace the public key. The adversary cannot compute $e(g_1, H_2(ID))^{s\alpha}$.
• Suppose that the master key can be accessed by the adversary, but he cannot replace the public key. The adversary cannot compute $e(g_1, H_2(ID))^{x\alpha}$.
Hence, the IND-CCA security and the OW-CCA security are captured, and the equality test cannot be performed without the trapdoor.

The equality test procedure in our construction is defined as follows: given two ciphertext/trapdoor pairs $(C_A, td_A)$ and $(C_B, td_B)$, where $td_A = H_2(ID_A)^{sx_A}$ and $td_B = H_2(ID_B)^{sx_B}$, the cloud server first computes
$$K_A = \frac{C_{A,4}}{H_6(e(C_{A,2}, td_A))} = H_4(M_A)^{H_5(M_A,k_A)}, \qquad K_B = \frac{C_{B,4}}{H_6(e(C_{B,2}, td_B))} = H_4(M_B)^{H_5(M_B,k_B)},$$
and then checks whether $e(C_{A,1}, K_B) = e(C_{B,1}, K_A)$ holds. If it is the case, then $M_A = M_B$ holds; otherwise, we have that $M_A \ne M_B$. The correctness is as follows:
$$e(C_{A,1}, K_B) = e\big(g_1^{H_5(M_A,k_A)}, H_4(M_B)^{H_5(M_B,k_B)}\big) = e(g_1, H_4(M_B))^{H_5(M_A,k_A) \cdot H_5(M_B,k_B)},$$
$$e(C_{B,1}, K_A) = e\big(g_1^{H_5(M_B,k_B)}, H_4(M_A)^{H_5(M_A,k_A)}\big) = e(g_1, H_4(M_A))^{H_5(M_A,k_A) \cdot H_5(M_B,k_B)}.$$
If $M_A = M_B$, then $e(C_{A,1}, K_B) = e(C_{B,1}, K_A)$ holds; otherwise, $\Pr[e(C_{A,1}, K_B) = e(C_{B,1}, K_A)]$ is negligible.

4.2. The Proposed Scheme

Here, we present a concrete CL-PKEET scheme, which consists of nine algorithms:
• Setup($\lambda$): This algorithm performs as follows:
  1. Generate an asymmetric bilinear group ensemble $\mathcal{G} = (q, G_1, G_2, G_T, e)$.
  2. Pick a random master key $s \in \mathbb{Z}_q^*$ and two random generators $g_1 \in G_1$, $g_2 \in G_2$.
  3. Set $\hat{g}_1 = g_1^s$.
  4. Select collision-resistant hash functions $H_1: \{0,1\}^* \to G_2$, $H_2: \{0,1\}^* \to G_2$, $H_3: G_T \times G_1^2 \to \{0,1\}^{\lambda+l}$, $H_4: \{0,1\}^{\lambda} \to G_2$, $H_5: \{0,1\}^{\lambda+l} \to \mathbb{Z}_q^*$ and $H_6: G_T \to G_2$.
  5. Output the public parameter $PP = (\mathcal{G}, g_1, g_2, \hat{g}_1, H_1, H_2, H_3, H_4, H_5, H_6)$.
• Extract Partial Private Key($PP, s, ID$): This algorithm returns a receiver’s partial private key $D = (D_1, D_2)$, where $D_1 = H_1(ID)^s$ and $D_2 = H_2(ID)^s$.
• Extract Secret Value($PP$): This algorithm returns a receiver’s secret value $x$, where $x \in \mathbb{Z}_q^*$ is picked randomly.
• Extract Private Key($PP, D, x$): Let $D = (D_1, D_2)$. This algorithm returns a receiver’s private key $SK = (S_1, S_2)$, where $S_1 = D_1^{x}$ and $S_2 = D_2^{x}$.
• Extract Public Key($PP, x$): This algorithm returns a receiver’s public key $PK = (X, Y)$, where $X = \hat{g}_1^{x}$ and $Y = g_2^{x}$.
• Encryption($PP, M, PK, ID$): Let $M \in \{0,1\}^{\lambda}$ (see footnote 1) and $PK = (X, Y)$. This algorithm generates a ciphertext $C = (C_1, C_2, C_3, C_4)$ as follows:

  1. Check whether $e(X, g_2) = e(\hat{g}_1, Y)$ holds. If it is not the case, return $\bot$ and abort with failure. Note that this check needs to be done only once for a given public key.
  2. Pick two random numbers $k \in \{0,1\}^l$ and $\alpha \in \mathbb{Z}_q^*$, and compute $R = H_5(M, k)$.
  3. Compute the following values:
$$C_1 = g_1^{R}, \qquad C_2 = g_1^{\alpha},$$
$$C_3 = H_3(e(X, H_1(ID))^{\alpha}, C_1, C_2) \oplus (M \| k), \qquad C_4 = H_4(M)^{R} \cdot H_6(e(X, H_2(ID))^{\alpha}).$$

  Footnote 1: Similarly to the existing work, to guarantee one-wayness against Type-3 and Type-4 adversaries, we assume that the message space of the proposed scheme is exponential in the security parameter and that the min-entropy of the message distribution is sufficiently larger than the security parameter.

• Decryption($PP, C, SK$): Let $C = (C_1, C_2, C_3, C_4)$ and $SK = (S_1, S_2)$. This algorithm performs as follows:
  1. Recover $M' \| k'$ by computing $C_3 \oplus H_3(e(C_2, S_1), C_1, C_2)$.
  2. Compute $R' = H_5(M', k')$.
  3. If $C_1 = g_1^{R'}$ and $C_4 = H_4(M')^{R'} \cdot H_6(e(C_2, S_2))$ both hold, output $M'$; otherwise, output $\bot$.
• Authorization($PP, SK$): Let $SK = (S_1, S_2)$. This algorithm outputs the trapdoor $td = S_2$.
• Test($PP, C_A, td_A, C_B, td_B$): Let $C_A = (C_{A,1}, C_{A,2}, C_{A,3}, C_{A,4})$ and $C_B = (C_{B,1}, C_{B,2}, C_{B,3}, C_{B,4})$. This algorithm computes
$$K_A = \frac{C_{A,4}}{H_6(e(C_{A,2}, td_A))}, \qquad K_B = \frac{C_{B,4}}{H_6(e(C_{B,2}, td_B))},$$
  and then checks whether $e(C_{A,1}, K_B) = e(C_{B,1}, K_A)$ holds. If it is the case, it returns 1; or 0 otherwise.

The above CL-PKEET scheme satisfies the consistency property, which is proven as follows:

1. As for the first condition, it holds naturally:
$$C_3 \oplus H_3(e(C_2, S_1), C_1, C_2) = H_3(e(X, H_1(ID))^{\alpha}, C_1, C_2) \oplus (M \| k) \oplus H_3(e(C_2, S_1), C_1, C_2)$$
$$= H_3(e(\hat{g}_1^{x}, H_1(ID))^{\alpha}, C_1, C_2) \oplus (M \| k) \oplus H_3(e(g_1^{\alpha}, D_1^{x}), C_1, C_2)$$
$$= H_3(e(g_1^{sx}, H_1(ID))^{\alpha}, C_1, C_2) \oplus (M \| k) \oplus H_3(e(g_1^{\alpha}, H_1(ID)^{sx}), C_1, C_2) = M \| k.$$

2. As for the second condition, we have the following facts:
$$K_A = \frac{C_{A,4}}{H_6(e(C_{A,2}, td_A))} = \frac{H_4(M_A)^{R_A} \cdot H_6(e(X_A, H_2(ID_A))^{\alpha_A})}{H_6(e(C_{A,2}, td_A))} = \frac{H_4(M_A)^{R_A} \cdot H_6(e(g_1^{sx_A}, H_2(ID_A))^{\alpha_A})}{H_6(e(g_1^{\alpha_A}, H_2(ID_A)^{sx_A}))} = H_4(M_A)^{R_A},$$
$$K_B = \frac{C_{B,4}}{H_6(e(C_{B,2}, td_B))} = \frac{H_4(M_B)^{R_B} \cdot H_6(e(X_B, H_2(ID_B))^{\alpha_B})}{H_6(e(C_{B,2}, td_B))} = \frac{H_4(M_B)^{R_B} \cdot H_6(e(g_1^{sx_B}, H_2(ID_B))^{\alpha_B})}{H_6(e(g_1^{\alpha_B}, H_2(ID_B)^{sx_B}))} = H_4(M_B)^{R_B},$$
$$e(C_{A,1}, K_B) = e(g_1^{R_A}, H_4(M_B)^{R_B}) = e(g_1, H_4(M_B))^{R_A R_B}, \qquad e(C_{B,1}, K_A) = e(g_1^{R_B}, H_4(M_A)^{R_A}) = e(g_1, H_4(M_A))^{R_A R_B}.$$

If $M_A = M_B$, then $e(C_{A,1}, K_B) = e(C_{B,1}, K_A)$ holds, so $\mathrm{Test}(C_A, td_A, C_B, td_B)$ outputs 1; otherwise, $\Pr[\mathrm{Test}(C_A, td_A, C_B, td_B) = 1]$ is negligible because the hash function $H_4$ is collision-resistant.

5. Security Analysis

Our CL-PKEET scheme is secure due to the hardness of the BDH problem. To prove the security, we use the proof method in [20].

Theorem 1. For any PPT Type-1 adversary, our proposed scheme is IND-CCA secure based on the BDH assumption in the random oracle model. In more detail, let $A_1$ be a Type-1 adversary which has advantage $\epsilon$ against our proposal in time $t$. Suppose $A_1$ makes $q_{par}$ partial private key queries, $q_{prv}$ private key queries, $q_{pub}$ public key queries, $q_{rep}$ replace public key queries, $q_D$ decryption queries, $q_{Auth}$ authorization queries and $q_{H_i}$ ($1 \le i \le 6$) random oracle queries to $H_i$. We construct a PPT algorithm $B$ whose advantage is
$$\epsilon' \ge \frac{1}{q_{H_3}\, e\, (q_{par} + q_{prv} + q_{Auth} + 1)} \left( \epsilon - \frac{q_D}{q} - \frac{q_{H_6}}{q} \right)$$
to solve the BDH problem in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})\, O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})\, T_e + (2q_{rep} + q_D)\, T_p$, where $e$ is the base of the natural logarithm, $T_e$ denotes the time cost of an exponentiation in group $G_1$ or $G_2$, and $T_p$ denotes the time cost of a bilinear pairing operation.

Proof: Let $(\mathcal{G}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b)$ be an instance of the BDH problem for challenge. $B$’s task is to compute $e(g_1, g_2)^{abc}$ by running $A_1$ as a subroutine. $B$ and $A_1$ play the following game.

1. Setup: $B$ generates the public parameter $PP = (\mathcal{G}, g_1, g_2, \hat{g}_1, H_1, H_2, H_3, H_4, H_5, H_6)$, where $\hat{g}_1 = g_1^a$ and $H_1, \dots, H_6$ are random oracles. $PP$ is sent to $A_1$. Lists $L_{H_1}, L_{H_2}, L_{H_3}, L_{H_4}, L_{H_5}$ and $L_{H_6}$, which are initially empty, are maintained by $B$ to answer the random oracle queries. List $L_{Key}$, which is initially empty, is maintained by $B$ to answer the Public key query.

2. Phase 1: $B$ replies to $A_1$'s queries as below:
• $H_1$-query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query. Note that in this case there is an item $[ID_i, u_i, cn]$ with $cn \in \{0, 1\}$ in $L_{H_1}$. Then, $B$ performs the following steps.
 – If $cn = 0$, return $g_2^{u_i}$ as the answer.
 – Otherwise, return $g_2^{b u_i}$ as the answer.
• $H_2$-query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query. Note that in this case there is an item $[ID_i, v_i, cn]$ with $cn \in \{0, 1\}$ in $L_{H_2}$. Then, $B$ performs the following steps.
 – If $cn = 0$, return $g_2^{v_i}$ as the answer.
 – Otherwise, return $g_2^{b v_i}$ as the answer.
• $H_3$-query($\sigma, C_1, C_2$): $B$ picks $\theta \in \{0, 1\}^{\lambda + l}$ randomly, stores a new item $[\sigma, C_1, C_2, \theta]$ into $L_{H_3}$, and then returns $\theta$ as the answer.
• $H_4$-query($M$): $B$ picks $h_4 \in \mathbb{G}_2$ randomly, stores a new item $[M, h_4]$ into $L_{H_4}$, and then returns $h_4$ as the answer.
• $H_5$-query($M, k$): $B$ picks $R \in \mathbb{Z}_q^*$ randomly, stores a new item $[M, k, R]$ into $L_{H_5}$, and then returns $R$ as the answer.
• $H_6$-query($\eta$): $B$ picks $h_6 \in \mathbb{G}_2$ randomly, stores a new item $[\eta, h_6]$ into $L_{H_6}$, and then returns $h_6$ as the answer.
• Public key query($ID_i$): $B$ picks $u_i, v_i \in \mathbb{Z}_q^*$ randomly, selects $cn \in \{0, 1\}$ with $\Pr[cn = 0] = \tau$, and then stores $[ID_i, u_i, cn]$ into $L_{H_1}$ and $[ID_i, v_i, cn]$ into $L_{H_2}$.
 – If $cn = 0$, $B$ computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{a u_i}, g_2^{a v_i})$, $SK_i = (S_{i,1}, S_{i,2}) = (D_{i,1}^{x_i}, D_{i,2}^{x_i})$ and $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ into $L_{Key}$, and then sends $PK_i$ to $A_1$ as the answer.
 – Otherwise, $B$ computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, -, -, PK_i, 1]$ into $L_{Key}$, and then sends $PK_i$ to $A_1$ as the answer.
• Partial private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns $D_i$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then sends $SK_i$ to $A_1$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Replace public key($ID_i, PK'_i$): Let $PK'_i = (X'_i, Y'_i)$. $B$ checks whether $e(X'_i, g_2) = e(\hat{g}_1, Y'_i)$ holds. If it is the case, $B$ replaces the current public key of $ID_i$ with $PK'_i$; otherwise, $B$ returns $\bot$ to $A_1$.
• Decryption query($ID_i, C$): Let $C = (C_1, C_2, C_3, C_4)$. $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$ and $A_1$ has never replaced the public key, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns the output of the algorithm Decryption($PP, C, SK_i$) to $A_1$ as the answer.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x_i, -, -, PK_i, 1]$ in $L_{Key}$, and then for each item $[\sigma, C_1, C_2, \theta]$ in $L_{H_3}$, $B$ performs as follows.
  (a) Compute $M' \| k' = C_3 \oplus \theta$.
  (b) Compute $R' = H_5(M', k')$.
  (c) If $C_1 = g_1^{R'}$ and there exists an item $[\eta, h_6]$ in $L_{H_6}$ such that $C_4 = H_4(M')^{R'} \cdot h_6$ holds, return $M'$ to $A_1$ as the answer.
  If there exists no such item in $L_{H_3}$, return $\bot$ to $A_1$.
• Authorization query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, cn]$ in $L_{Key}$, and then returns $S_{i,2}$ to $A_1$ as the answer, where $SK_i = (S_{i,1}, S_{i,2})$.
 – Otherwise, $B$ aborts with failure.
3. Challenge: Upon receiving a challenge identity $ID^*$ and equal-length messages $M_0^*, M_1^* \in \{0, 1\}^{\lambda}$, $B$ executes an emulation algorithm, where $ID^*$ is taken as input to issue a Public key query, and retrieves the corresponding item $[ID^*, x^*, D^*, SK^*, PK^*, cn]$ in $L_{Key}$. Then $B$ performs as follows:

• If $cn = 0$, abort with failure.
• Otherwise, perform as follows:
 (a) Pick $\rho \in \{0, 1\}$, $k \in \{0, 1\}^{l}$, $C_3^* \in \{0, 1\}^{\lambda + l}$ and $C_4^* \in \mathbb{G}_2$ randomly.
 (b) Set $C_1^* = g_1^{R}$ and $C_2^* = g_1^{c}$, where $R = H_5(M_\rho^*, k)$.
 (c) Send $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$ to $A_1$ as the challenge ciphertext.
According to the above construction,
$$H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*) = (M_\rho^* \| k) \oplus C_3^* \quad \text{and} \quad H_6(e(g_1, g_2)^{abc v^* x^*}) = \frac{C_4^*}{H_4(M_\rho^*)^{R}},$$
where $g_2^{b u^*} = H_1(ID^*)$ and $g_2^{b v^*} = H_2(ID^*)$.

4. Phase 2: $A_1$ issues queries as in Phase 1.
5. Guess: $A_1$ outputs its guess bit $\rho' \in \{0, 1\}$. $B$ picks an item $[\sigma^*, C_1^*, C_2^*, \theta^*]$ from $L_{H_3}$ randomly, and outputs $\sigma^{*(u^* x^*)^{-1}}$ ($= e(g_1, g_2)^{abc}$) as the solution for the BDH instance.

Analysis. The emulation of the random oracles should be assessed first. Note that the emulations of $H_1$, $H_2$, $H_4$ and $H_5$ are perfect due to their constructions. Let $AskH_3^*$ be the event that $A_1$ queries $H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*)$ during the emulation. If $AskH_3^*$ does not occur, the emulation of $H_3$ is perfect. Let $AskH_6^*$ be the event that $A_1$ queries $H_6(e(g_1, g_2)^{abc v^* x^*})$ during the emulation. If $AskH_6^*$ does not occur, the emulation of $H_6$ is perfect. With respect to the emulation of the decryption oracle, $DecErr$ is defined as the event that $B$ fails to decrypt a valid ciphertext during the emulation; we obtain $\Pr[DecErr] \le q_D / q$. Then $Abort$ is defined as the event that $B$ aborts during the emulation. We define $E = (AskH_3^* \vee AskH_6^* \vee DecErr) \mid \neg Abort$. If $E$ does not happen, $A_1$ gains no advantage greater than $1/2$ in guessing $\rho$, since $H_3$ and $H_6$ are random oracles. That is, $\Pr[\rho = \rho' \mid \neg E] \le 1/2$. Hence, we have
$$\begin{aligned}
\Pr[\rho = \rho'] &= \Pr[\rho = \rho' \mid E]\Pr[E] + \Pr[\rho = \rho' \mid \neg E]\Pr[\neg E] \\
&\le \Pr[E] + \frac{1}{2}\Pr[\neg E] \\
&= \frac{1}{2}\Pr[E] + \frac{1}{2}.
\end{aligned}$$
As a corollary, $\Pr[\neg Abort] = \tau^{q_{par} + q_{prv} + q_{Auth}}(1 - \tau)$, which takes its maximum value at $\tau = 1 - \frac{1}{q_{par} + q_{prv} + q_{Auth} + 1}$. We obtain $\Pr[\neg Abort] \ge \frac{1}{e(q_{par} + q_{prv} + q_{Auth} + 1)}$, in which $e$ is the base of the natural logarithm. Based on the meaning of $\epsilon$, we obtain
$$\epsilon \le \Pr[\rho = \rho'] - \frac{1}{2} \le \Pr[E] \le \frac{\Pr[AskH_3^*] + \Pr[AskH_6^*] + \Pr[DecErr]}{\Pr[\neg Abort]}.$$
Furthermore, we have:
$$\Pr[AskH_3^*] \ge \epsilon \Pr[\neg Abort] - \Pr[DecErr] - \Pr[AskH_6^*] \ge \frac{\epsilon}{e(q_{par} + q_{prv} + q_{Auth} + 1)} - \frac{q_D}{q} - \frac{q_{H_6}}{q}.$$
If $AskH_3^*$ happens, then $A_1$ will be able to distinguish the simulation from the real one: $A_1$ can tell that the challenge ciphertext $C^*$ produced by the simulation is invalid. In that case $H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*)$ has been recorded in $L_{H_3}$, so $B$ wins if it chooses the correct element from $L_{H_3}$. It follows that $B$ can solve the BDH problem with advantage
$$\epsilon' \ge \frac{1}{q_{H_3}}\Pr[AskH_3^*] \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon}{e(q_{par} + q_{prv} + q_{Auth} + 1)} - \frac{q_D}{q} - \frac{q_{H_6}}{q}\right)$$
in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + (2q_{rep} + q_D)T_p$.

Theorem 2. For any PPT Type-2 adversary, our proposed scheme is IND-CCA secure under the BDH assumption in the random oracle model. More precisely, let $A_2$ be a Type-2 adversary that has advantage $\epsilon$ against our proposal in time $t$. Suppose $A_2$ makes $q_{prv}$ private key queries, $q_{pub}$ public key queries, $q_D$ decryption queries, $q_{Auth}$ authorization queries and $q_{H_i}$ ($1 \le i \le 6$) random oracle queries to $H_i$. We construct a PPT algorithm $B$ whose advantage is
$$\epsilon' \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon}{e(q_{prv} + q_{Auth} + 1)} - \frac{q_D}{q} - \frac{q_{H_6}}{q}\right)$$
to solve the BDH problem in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + q_D T_p$, where $e$ is the base of the natural logarithm, $T_e$ denotes the time cost of an exponentiation in group $\mathbb{G}_1$ or group $\mathbb{G}_2$, and $T_p$ denotes the time cost of a bilinear pairing.

Proof: Let $(\mathbb{G}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b)$ be an instance of the BDH problem for the challenge. $B$'s task is to compute $e(g_1, g_2)^{abc}$ by running $A_2$ as a subroutine. $B$ and $A_2$ play the following game.
1. Setup: $B$ generates the public parameter $PP = (\mathbb{G}, g_1, g_2, \hat{g}_1, H_1, H_2, H_3, H_4, H_5, H_6)$ and the master key $s$, where $s \in \mathbb{Z}_q^*$ is picked randomly, $\hat{g}_1 = g_1^{s}$ and $H_1, \cdots, H_6$ are random oracles. $PP$ and $s$ are sent to $A_2$. Lists $L_{H_1}, L_{H_2}, L_{H_3}, L_{H_4}, L_{H_5}$ and $L_{H_6}$, which are initially empty, are maintained by $B$ to answer the random oracle queries. List $L_{Key}$, which is initially empty, is maintained by $B$ to answer the Public key query.
2. Phase 1: $B$ replies to $A_2$'s queries as below:
• $H_i$-query ($1 \le i \le 6$): $B$ performs as in the proof of Theorem 1.
• Public key query($ID_i$): $B$ picks $u_i, v_i \in \mathbb{Z}_q^*$ randomly, selects $cn \in \{0, 1\}$ with $\Pr[cn = 0] = \tau$, and then stores $[ID_i, u_i, cn]$ into $L_{H_1}$ and $[ID_i, v_i, cn]$ into $L_{H_2}$.
 – If $cn = 0$, $B$ computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{s u_i}, g_2^{s v_i})$, $SK_i = (S_{i,1}, S_{i,2}) = (D_{i,1}^{x_i}, D_{i,2}^{x_i})$ and $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ into $L_{Key}$, and then sends $PK_i$ to $A_2$ as the answer.
 – Otherwise, $B$ picks $x'_i \in \mathbb{Z}_q^*$ randomly, computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{b s u_i}, g_2^{b s v_i})$ and $PK_i = (X_i, Y_i) = (g_1^{a s x'_i}, g_2^{a x'_i})$, stores an item $[ID_i, x'_i, D_i, -, PK_i, 1]$ into $L_{Key}$, and then sends $PK_i$ to $A_2$ as the answer. Here, we define $x_i = a x'_i$ implicitly.
• Private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then sends $SK_i$ to $A_2$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Decryption query($ID_i, C$): Let $C = (C_1, C_2, C_3, C_4)$. $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns the output of the algorithm Decryption($PP, C, SK_i$) to $A_2$ as the answer.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x'_i, D_i, -, PK_i, 1]$ in $L_{Key}$, and then for each item $[\sigma, C_1, C_2, \theta]$ in $L_{H_3}$, $B$ performs as follows.
  (a) Compute $M' \| k' = C_3 \oplus \theta$.
  (b) Compute $R' = H_5(M', k')$.
  (c) If $C_1 = g_1^{R'}$ and there exists an item $[\eta, h_6]$ in $L_{H_6}$ such that $C_4 = H_4(M')^{R'} \cdot h_6$ holds, return $M'$ to $A_2$ as the answer.
  If there exists no such item in $L_{H_3}$, return $\bot$ to $A_2$.

• Authorization query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns $S_{i,2}$ to $A_2$ as the answer, where $SK_i = (S_{i,1}, S_{i,2})$.
 – Otherwise, $B$ aborts with failure.
3. Challenge: Upon receiving a challenge identity $ID^*$ and equal-length messages $M_0^*, M_1^* \in \{0, 1\}^{\lambda}$, $B$ executes an emulation algorithm, where $ID^*$ is taken as input to issue a Public key query, and retrieves the corresponding item $[ID^*, x^*, D^*, SK^*, PK^*, cn]$ in $L_{Key}$. Then $B$ performs as follows:
• If $cn = 0$, abort with failure.
• Otherwise, perform as follows:
 (a) Pick $\rho \in \{0, 1\}$, $k \in \{0, 1\}^{l}$, $C_3^* \in \{0, 1\}^{\lambda + l}$ and $C_4^* \in \mathbb{G}_2$ randomly.
 (b) Set $C_1^* = g_1^{R}$ and $C_2^* = g_1^{c}$, where $R = H_5(M_\rho^*, k)$.
 (c) Send $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$ to $A_2$ as the challenge ciphertext.
According to the above construction,
$$H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*) = (M_\rho^* \| k) \oplus C_3^* \quad \text{and} \quad H_6(e(g_1, g_2)^{abc v^* x^* s}) = \frac{C_4^*}{H_4(M_\rho^*)^{R}},$$
where $g_2^{b u^*} = H_1(ID^*)$ and $g_2^{b v^*} = H_2(ID^*)$.

4. Phase 2: $A_2$ issues queries as in Phase 1.
5. Guess: $A_2$ outputs its guess bit $\rho' \in \{0, 1\}$. $B$ picks an item $[\sigma^*, C_1^*, C_2^*, \theta^*]$ from $L_{H_3}$ randomly, and outputs $\sigma^{*(u^* x^* s)^{-1}}$ ($= e(g_1, g_2)^{abc}$) as the solution for the BDH instance.

Analysis. The emulation of the random oracles should be assessed first. Note that the emulations of $H_1$, $H_2$, $H_4$ and $H_5$ are perfect due to their constructions. Let $AskH_3^*$ be the event that $A_2$ queries $H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*)$ during the emulation. If $AskH_3^*$ does not happen, the emulation of $H_3$ is perfect. Let $AskH_6^*$ be the event that $A_2$ queries $H_6(e(g_1, g_2)^{abc v^* x^* s})$ during the emulation. If $AskH_6^*$ does not occur, the emulation of $H_6$ is perfect. With respect to the emulation of the decryption oracle, $DecErr$ is defined as the event that $B$ fails to decrypt a valid ciphertext during the emulation; we obtain $\Pr[DecErr] \le q_D / q$. Then $Abort$ is defined as the event that $B$ aborts during the emulation. We define $E = (AskH_3^* \vee AskH_6^* \vee DecErr) \mid \neg Abort$. If $E$ does not happen, $A_2$ gains no advantage greater than $1/2$ in guessing $\rho$, since $H_3$ and $H_6$ are random oracles. That is, $\Pr[\rho = \rho' \mid \neg E] \le 1/2$. Hence, we have
$$\begin{aligned}
\Pr[\rho = \rho'] &= \Pr[\rho = \rho' \mid E]\Pr[E] + \Pr[\rho = \rho' \mid \neg E]\Pr[\neg E] \\
&\le \Pr[E] + \frac{1}{2}\Pr[\neg E] \\
&= \frac{1}{2}\Pr[E] + \frac{1}{2}.
\end{aligned}$$
As a corollary, $\Pr[\neg Abort] = \tau^{q_{prv} + q_{Auth}}(1 - \tau)$, which takes its maximum value at $\tau = 1 - \frac{1}{q_{prv} + q_{Auth} + 1}$. We obtain $\Pr[\neg Abort] \ge \frac{1}{e(q_{prv} + q_{Auth} + 1)}$, in which $e$ is the base of the natural logarithm. Based on the meaning of $\epsilon$, we obtain
$$\epsilon \le \Pr[\rho = \rho'] - \frac{1}{2} \le \Pr[E] \le \frac{\Pr[AskH_3^*] + \Pr[AskH_6^*] + \Pr[DecErr]}{\Pr[\neg Abort]}.$$
Furthermore, we have:
$$\Pr[AskH_3^*] \ge \epsilon \Pr[\neg Abort] - \Pr[DecErr] - \Pr[AskH_6^*] \ge \frac{\epsilon}{e(q_{prv} + q_{Auth} + 1)} - \frac{q_D}{q} - \frac{q_{H_6}}{q}.$$
If $AskH_3^*$ happens, then $A_2$ will be able to distinguish the simulation from the real one: $A_2$ can tell that the challenge ciphertext $C^*$ produced by the simulation is invalid. In that case $H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*)$ has been recorded in $L_{H_3}$, so $B$ wins if it chooses the correct element from $L_{H_3}$. It follows that $B$ can solve the BDH problem with advantage
$$\epsilon' \ge \frac{1}{q_{H_3}}\Pr[AskH_3^*] \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon}{e(q_{prv} + q_{Auth} + 1)} - \frac{q_D}{q} - \frac{q_{H_6}}{q}\right)$$
in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + q_D T_p$.

Theorem 3. For any PPT Type-3 adversary, our proposed scheme is OW-CCA secure under the BDH assumption in the random oracle model. More precisely, let $A_3$ be a Type-3 adversary that has advantage $\epsilon$ against our proposal in time $t$. Suppose $A_3$ makes $q_{par}$ partial private key queries, $q_{prv}$ private key queries, $q_{pub}$ public key queries, $q_{rep}$ replace public key queries, $q_D$ decryption queries, $q_{Auth}$ authorization queries and $q_{H_i}$ ($1 \le i \le 6$) random oracle queries to $H_i$. We construct a PPT algorithm $B$ whose advantage is
$$\epsilon' \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{par} + q_{prv} + 1)} - \frac{q_D}{q}\right)$$
to solve the BDH problem in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + (2q_{rep} + q_D)T_p$, where $e$ is the base of the natural logarithm, $T_e$ denotes the time cost of an exponentiation in group $\mathbb{G}_1$ or group $\mathbb{G}_2$, and $T_p$ denotes the time cost of a bilinear pairing.

Proof: Let $(\mathbb{G}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b)$ be an instance of the BDH problem for the challenge. $B$'s task is to compute $e(g_1, g_2)^{abc}$ by running $A_3$ as a subroutine. $B$ and $A_3$ play the following game.
1. Setup: $B$ generates the public parameter $PP = (\mathbb{G}, g_1, g_2, \hat{g}_1, H_1, H_2, H_3, H_4, H_5, H_6)$, where $\hat{g}_1 = g_1^{a}$ and $H_1, \cdots, H_6$ are random oracles. $PP$ is sent to $A_3$. Lists $L_{H_1}, L_{H_2}, L_{H_3}, L_{H_4}, L_{H_5}$ and $L_{H_6}$, which are initially empty, are maintained by $B$ to answer the random oracle queries. List $L_{Key}$, which is initially empty, is maintained by $B$ to answer the Public key query.
2. Phase 1: $B$ replies to $A_3$'s queries as below:
• $H_1$-query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query. Note that in this case there is an item $[ID_i, u_i, cn]$ with $cn \in \{0, 1\}$ in $L_{H_1}$. Then, $B$ performs the following steps.
 – If $cn = 0$, return $g_2^{u_i}$ as the answer.
 – Otherwise, return $g_2^{b u_i}$ as the answer.
• $H_2$-query($ID_i$): $B$ picks $v_i \in \mathbb{Z}_q^*$ randomly, stores a new item $[ID_i, v_i]$ into $L_{H_2}$, and then returns $g_2^{v_i}$ as the answer.
• $H_3$-query($\sigma, C_1, C_2$): $B$ picks $\theta \in \{0, 1\}^{\lambda + l}$ randomly, stores a new item $[\sigma, C_1, C_2, \theta]$ into $L_{H_3}$, and then returns $\theta$ as the answer.
• $H_4$-query($M$): $B$ picks $h_4 \in \mathbb{G}_2$ randomly, stores a new item $[M, h_4]$ into $L_{H_4}$, and then returns $h_4$ as the answer.
• $H_5$-query($M, k$): $B$ picks $R \in \mathbb{Z}_q^*$ randomly, stores a new item $[M, k, R]$ into $L_{H_5}$, and then returns $R$ as the answer.
• $H_6$-query($\eta$): $B$ picks $h_6 \in \mathbb{G}_2$ randomly, stores a new item $[\eta, h_6]$ into $L_{H_6}$, and then returns $h_6$ as the answer.
• Public key query($ID_i$): $B$ picks $u_i \in \mathbb{Z}_q^*$ randomly, selects $cn \in \{0, 1\}$ with $\Pr[cn = 0] = \tau$, and then stores $[ID_i, u_i, cn]$ into $L_{H_1}$.
 – If $cn = 0$, $B$ retrieves $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{a u_i}, g_2^{a v_i})$, $SK_i = (S_{i,1}, S_{i,2}) = (D_{i,1}^{x_i}, D_{i,2}^{x_i})$ and $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ into $L_{Key}$, and then sends $PK_i$ to $A_3$ as the answer.


 – Otherwise, $B$ computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, -, -, PK_i, cn]$ into $L_{Key}$, and then sends $PK_i$ to $A_3$ as the answer.
• Partial private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns $D_i$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then sends $SK_i$ to $A_3$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Replace public key($ID_i, PK'_i$): Let $PK'_i = (X'_i, Y'_i)$. $B$ checks whether $e(X'_i, g_2) = e(\hat{g}_1, Y'_i)$ holds. If it is the case, $B$ replaces the current public key of $ID_i$ with $PK'_i$; otherwise, $B$ returns $\bot$ to $A_3$.
• Decryption query($ID_i, C$): Let $C = (C_1, C_2, C_3, C_4)$. $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$ and $A_3$ has never replaced the public key, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns the output of the algorithm Decryption($PP, C, SK_i$) to $A_3$ as the answer.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x_i, -, -, PK_i, 1]$ in $L_{Key}$, and then for each item $[\sigma, C_1, C_2, \theta]$ in $L_{H_3}$, $B$ performs as follows.
  (a) Compute $M' \| k' = C_3 \oplus \theta$.
  (b) Compute $R' = H_5(M', k')$.
  (c) Retrieve $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), and then compute $S_{i,2} = g_2^{a v_i x_i}$.
  (d) If $C_1 = g_1^{R'}$ and $C_4 = H_4(M')^{R'} \cdot H_6(e(C_2, S_{i,2}))$ both hold, return $M'$ to $A_3$ as the answer.
  If there exists no such item in $L_{H_3}$, return $\bot$ to $A_3$.
• Authorization query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns $S_{i,2}$ to $A_3$ as the answer, where $SK_i = (S_{i,1}, S_{i,2})$.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x_i, -, -, PK_i, 1]$ in $L_{Key}$, retrieves $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), computes $S_{i,2} = g_2^{a v_i x_i}$, and then returns $S_{i,2}$ to $A_3$ as the answer.
3. Challenge: Upon receiving a challenge identity $ID^*$, $B$ executes an emulation algorithm, where $ID^*$ is taken as input to issue a Public key query, retrieves the corresponding item $[ID^*, x^*, D^*, SK^*, PK^*, cn]$ in $L_{Key}$, and picks a message $M^* \in \{0, 1\}^{\lambda}$ randomly. Then $B$ performs as follows:
• If $cn = 0$, abort with failure.
• Otherwise, perform as follows:
 (a) Pick $k \in \{0, 1\}^{l}$ and $C_3^* \in \{0, 1\}^{\lambda + l}$ randomly.
 (b) Set $C_1^* = g_1^{R}$, $C_2^* = g_1^{c}$ and $C_4^* = H_4(M^*)^{R} \cdot H_6(e(g_1^{c}, g_2^{a v^* x^*}))$, where $R = H_5(M^*, k)$ and $g_2^{v^*} = H_2(ID^*)$.
 (c) Send $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$ to $A_3$ as the challenge ciphertext.
According to the above construction, $H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*) = (M^* \| k) \oplus C_3^*$, where $g_2^{b u^*} = H_1(ID^*)$.
4. Phase 2: $A_3$ issues queries as in Phase 1.
5. Guess: $A_3$ outputs $M'$. $B$ picks an item $[\sigma^*, C_1^*, C_2^*, \theta^*]$ from $L_{H_3}$ randomly, and outputs $\sigma^{*(u^* x^*)^{-1}}$ ($= e(g_1, g_2)^{abc}$) as the solution for the BDH instance.


Analysis. The emulation of the random oracles should be assessed first. Note that the emulations of $H_1$, $H_2$, $H_4$, $H_5$ and $H_6$ are perfect due to their constructions. Let $AskH_3^*$ be the event that $A_3$ queries $H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*)$ during the emulation. If $AskH_3^*$ does not happen, the emulation of $H_3$ is perfect. With respect to the emulation of the decryption oracle, $DecErr$ is defined as the event that $B$ fails to decrypt a valid ciphertext during the emulation; we obtain $\Pr[DecErr] \le q_D / q$. Then $Abort$ is defined as the event that $B$ aborts during the emulation. We define $E = (AskH_3^* \vee DecErr) \mid \neg Abort$. If $E$ does not happen, $A_3$ gains no advantage greater than $1/2^{\lambda}$ in guessing $M$, since $H_3$ is a random oracle. That is, $\Pr[M = M' \mid \neg E] \le 1/2^{\lambda}$. Hence, we have
$$\begin{aligned}
\Pr[M = M'] &= \Pr[M = M' \mid \neg E]\Pr[\neg E] + \Pr[M = M' \mid E]\Pr[E] \\
&\le \frac{1}{2^{\lambda}}\Pr[\neg E] + \Pr[E] \\
&= \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\Pr[E].
\end{aligned}$$
As a corollary, $\Pr[\neg Abort] = \tau^{q_{par} + q_{prv}}(1 - \tau)$, which takes its maximum value at $\tau = 1 - \frac{1}{q_{par} + q_{prv} + 1}$. We obtain $\Pr[\neg Abort] \ge \frac{1}{e(q_{par} + q_{prv} + 1)}$, in which $e$ is the base of the natural logarithm. Based on the meaning of $\epsilon$, we obtain
$$\epsilon \le \Pr[M = M'] \le \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\Pr[E] \le \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\frac{\Pr[AskH_3^*] + \Pr[DecErr]}{\Pr[\neg Abort]}.$$
Furthermore, we have:
$$\Pr[AskH_3^*] \ge \frac{\epsilon - \frac{1}{2^{\lambda}}}{1 - \frac{1}{2^{\lambda}}}\Pr[\neg Abort] - \Pr[DecErr] \ge \frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{par} + q_{prv} + 1)} - \frac{q_D}{q}.$$
If $AskH_3^*$ happens, then $A_3$ will be able to distinguish the simulation from the real one: $A_3$ can tell that the challenge ciphertext $C^*$ produced by the simulation is invalid. In that case $H_3(e(g_1, g_2)^{abc u^* x^*}, C_1^*, C_2^*)$ has been recorded in $L_{H_3}$, so $B$ wins if it chooses the correct element from $L_{H_3}$. It follows that $B$ can solve the BDH problem with advantage
$$\epsilon' \ge \frac{1}{q_{H_3}}\Pr[AskH_3^*] \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{par} + q_{prv} + 1)} - \frac{q_D}{q}\right)$$
in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + (2q_{rep} + q_D)T_p$.

Theorem 4. For any PPT Type-4 adversary, our proposed scheme is OW-CCA secure under the BDH assumption in the random oracle model. More precisely, let $A_4$ be a Type-4 adversary that has advantage $\epsilon$ against our proposal in time $t$. Suppose $A_4$ makes $q_{prv}$ private key queries, $q_{pub}$ public key queries, $q_D$ decryption queries, $q_{Auth}$ authorization queries and $q_{H_i}$ ($1 \le i \le 6$) random oracle queries to $H_i$. We construct a PPT algorithm $B$ whose advantage is
$$\epsilon' \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{prv} + 1)} - \frac{q_D}{q}\right)$$
to solve the BDH problem in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + q_D T_p$, where $e$ is the base of the natural logarithm, $T_e$ denotes the time cost of an exponentiation in group $\mathbb{G}_1$ or group $\mathbb{G}_2$, and $T_p$ denotes the time cost of a bilinear pairing.

Proof: Let $(\mathbb{G}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b)$ be an instance of the BDH problem for the challenge. $B$'s task is to compute $e(g_1, g_2)^{abc}$ by running $A_4$ as a subroutine. $B$ and $A_4$ play the following game.

1. Setup: $B$ generates the public parameter $PP = (\mathbb{G}, g_1, g_2, \hat{g}_1, H_1, H_2, H_3, H_4, H_5, H_6)$ and the master key $s$, where $s \in \mathbb{Z}_q^*$ is picked randomly, $\hat{g}_1 = g_1^{s}$ and $H_1, \cdots, H_6$ are random oracles. $PP$ and $s$ are sent to $A_4$. Lists $L_{H_1}, L_{H_2}, L_{H_3}, L_{H_4}, L_{H_5}$ and $L_{H_6}$, which are initially empty, are maintained by $B$ to answer the random oracle queries. List $L_{Key}$, which is initially empty, is maintained by $B$ to answer the Public key query.
2. Phase 1: $B$ replies to $A_4$'s queries as below:
• $H_i$-query ($1 \le i \le 6$): $B$ performs as in the proof of Theorem 3.
• Public key query($ID_i$): $B$ picks $u_i \in \mathbb{Z}_q^*$ randomly, selects $cn \in \{0, 1\}$ with $\Pr[cn = 0] = \tau$, and then stores $[ID_i, u_i, cn]$ into $L_{H_1}$.
 – If $cn = 0$, $B$ retrieves $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), computes the corresponding secret value $x_i$ by running Extract Secret Value($PP$), computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{s u_i}, g_2^{s v_i})$, $SK_i = (S_{i,1}, S_{i,2}) = (D_{i,1}^{x_i}, D_{i,2}^{x_i})$ and $PK_i = (X_i, Y_i) = (\hat{g}_1^{x_i}, g_2^{x_i})$, stores an item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ into $L_{Key}$, and then sends $PK_i$ to $A_4$ as the answer.
 – Otherwise, $B$ retrieves $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), picks $x'_i \in \mathbb{Z}_q^*$ randomly, computes $D_i = (D_{i,1}, D_{i,2}) = (g_2^{b s u_i}, g_2^{s v_i})$ and $PK_i = (X_i, Y_i) = (g_1^{a s x'_i}, g_2^{a x'_i})$, stores an item $[ID_i, x'_i, D_i, -, PK_i, 1]$ into $L_{Key}$, and then sends $PK_i$ to $A_4$ as the answer. Here, we define $x_i = a x'_i$ implicitly.
• Private key query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then sends $SK_i$ to $A_4$ as the answer.
 – Otherwise, $B$ aborts with failure.
• Decryption query($ID_i, C$): Let $C = (C_1, C_2, C_3, C_4)$. $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns the output of the algorithm Decryption($PP, C, SK_i$) to $A_4$ as the answer.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x'_i, D_i, -, PK_i, 1]$ in $L_{Key}$, and then for each item $[\sigma, C_1, C_2, \theta]$ in $L_{H_3}$, $B$ performs as follows.
  (a) Compute $M' \| k' = C_3 \oplus \theta$.
  (b) Compute $R' = H_5(M', k')$.
  (c) Retrieve $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), and then compute $S_{i,2} = g_2^{a v_i x'_i s}$.
  (d) If $C_1 = g_1^{R'}$ and $C_4 = H_4(M')^{R'} \cdot H_6(e(C_2, S_{i,2}))$ both hold, return $M'$ to $A_4$ as the answer.
  If there exists no such item in $L_{H_3}$, return $\bot$ to $A_4$.
• Authorization query($ID_i$): $B$ first executes an emulation algorithm, where $ID_i$ is taken as input to issue a Public key query.
 – If $cn = 0$, $B$ searches the corresponding item $[ID_i, x_i, D_i, SK_i, PK_i, 0]$ in $L_{Key}$, and then returns $S_{i,2}$ to $A_4$ as the answer, where $SK_i = (S_{i,1}, S_{i,2})$.
 – Otherwise, $B$ searches the corresponding item $[ID_i, x'_i, D_i, -, PK_i, 1]$ in $L_{Key}$, retrieves $v_i$ from $L_{H_2}$ by making $H_2$-query($ID_i$), computes $S_{i,2} = g_2^{a v_i x'_i s}$, and then returns $S_{i,2}$ to $A_4$ as the answer.
3. Challenge: Upon receiving a challenge identity $ID^*$, $B$ executes an emulation algorithm, where $ID^*$ is taken as input to issue a Public key query, retrieves the corresponding item $[ID^*, x^*, D^*, SK^*, PK^*, cn]$ in $L_{Key}$, and picks a message $M^* \in \{0, 1\}^{\lambda}$ randomly. Then $B$ performs as follows:
• If $cn = 0$, abort with failure.
• Otherwise, perform as follows:
 (a) Pick $k \in \{0, 1\}^{l}$ and $C_3^* \in \{0, 1\}^{\lambda + l}$ randomly.
 (b) Set $C_1^* = g_1^{R}$, $C_2^* = g_1^{c}$ and $C_4^* = H_4(M^*)^{R} \cdot H_6(e(g_1^{c}, g_2^{a v^* x^* s}))$, where $R = H_5(M^*, k)$ and $g_2^{v^*} = H_2(ID^*)$.
 (c) Send $C^* = (C_1^*, C_2^*, C_3^*, C_4^*)$ to $A_4$ as the challenge ciphertext.

According to the above construction, $H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*) = (M^* \| k) \oplus C_3^*$, where $g_2^{b u^*} = H_1(ID^*)$.

4. Phase 2: $A_4$ issues queries as in Phase 1.
5. Guess: $A_4$ outputs $M'$. $B$ picks an item $[\sigma^*, C_1^*, C_2^*, \theta^*]$ from $L_{H_3}$ randomly, and outputs $\sigma^{*(u^* x^* s)^{-1}}$ ($= e(g_1, g_2)^{abc}$) as the solution for the BDH instance.

Analysis. The emulation of the random oracles should be assessed first. Note that the emulations of $H_1$, $H_2$, $H_4$, $H_5$ and $H_6$ are perfect due to their constructions. Let $AskH_3^*$ be the event that $A_4$ queries $H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*)$ during the emulation. If $AskH_3^*$ does not happen, the emulation of $H_3$ is perfect. With respect to the emulation of the decryption oracle, $DecErr$ is defined as the event that $B$ fails to decrypt a valid ciphertext during the emulation; we obtain $\Pr[DecErr] \le q_D / q$. Then $Abort$ is defined as the event that $B$ aborts during the emulation. We define $E = (AskH_3^* \vee DecErr) \mid \neg Abort$. If $E$ does not happen, $A_4$ gains no advantage greater than $1/2^{\lambda}$ in guessing $M$, since $H_3$ is a random oracle. That is, $\Pr[M = M' \mid \neg E] \le 1/2^{\lambda}$. Hence, we have
$$\begin{aligned}
\Pr[M = M'] &= \Pr[M = M' \mid \neg E]\Pr[\neg E] + \Pr[M = M' \mid E]\Pr[E] \\
&\le \frac{1}{2^{\lambda}}\Pr[\neg E] + \Pr[E] \\
&= \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\Pr[E].
\end{aligned}$$
As a corollary, $\Pr[\neg Abort] = \tau^{q_{prv}}(1 - \tau)$, which takes its maximum value at $\tau = 1 - \frac{1}{q_{prv} + 1}$. We obtain $\Pr[\neg Abort] \ge \frac{1}{e(q_{prv} + 1)}$, in which $e$ is the base of the natural logarithm. Based on the meaning of $\epsilon$, we obtain
$$\epsilon \le \Pr[M = M'] \le \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\Pr[E] \le \frac{1}{2^{\lambda}} + \left(1 - \frac{1}{2^{\lambda}}\right)\frac{\Pr[AskH_3^*] + \Pr[DecErr]}{\Pr[\neg Abort]}.$$
Furthermore, we have:
$$\Pr[AskH_3^*] \ge \frac{\epsilon - \frac{1}{2^{\lambda}}}{1 - \frac{1}{2^{\lambda}}}\Pr[\neg Abort] - \Pr[DecErr] \ge \frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{prv} + 1)} - \frac{q_D}{q}.$$
If $AskH_3^*$ happens, then $A_4$ will be able to distinguish the simulation from the real one: $A_4$ can tell that the challenge ciphertext $C^*$ produced by the simulation is invalid. In that case $H_3(e(g_1, g_2)^{abc u^* x^* s}, C_1^*, C_2^*)$ has been recorded in $L_{H_3}$, so $B$ wins if it chooses the correct element from $L_{H_3}$. It follows that $B$ can solve the BDH problem with advantage
$$\epsilon' \ge \frac{1}{q_{H_3}}\Pr[AskH_3^*] \ge \frac{1}{q_{H_3}}\left(\frac{\epsilon - \frac{1}{2^{\lambda}}}{e(q_{prv} + 1)} - \frac{q_D}{q}\right)$$
in time $t' = t + (q_{H_3} + q_{H_4} + q_{H_5} + q_{H_6})O(1) + (q_{H_1} + q_{H_2} + 6q_{pub} + 3q_D + q_{Auth})T_e + q_D T_p$.

6. Efficiency
In this section, we compare our proposal with the schemes in [12, 13, 14]; the comparison is shown in Table 1. In conclusion, our proposal solves both the certificate management and the key escrow problems simultaneously without sacrificing much efficiency in terms of encryption, decryption and equality test.


Table 1 Comparison.

Scheme               Comp of Enc     Comp of Dec     Comp of Test     Security with Aut   Security w/o Aut   Problems: CM   Problems: KE
[14] (Type-1)        6Exp            5Exp            2Pairing+2Exp    OW-CCA              IND-CCA            Yes            No
[13]                 2Pairing+6Exp   2Pairing+2Exp   4Pairing         OW-ID-CCA           IND-ID-CPA         No             Yes
[12] (with BF-IBE)   3Pairing+6Exp   3Pairing+2Exp   2Pairing+2Exp    OW-ID-CCA           IND-ID-CCA         No             Yes
Ours                 4Pairing+5Exp   2Pairing+2Exp   4Pairing         OW-CCA              IND-CCA            No             No

Legends: BF-IBE: Boneh and Franklin's identity-based encryption; Comp: computation complexity; Enc: encryption algorithm; Dec: decryption algorithm; Test: test algorithm; with Aut: security of a ciphertext against an adversary holding the authorization (trapdoor); w/o Aut: security of a ciphertext against an adversary without the authorization; CM: certificate management problem; KE: key escrow problem; Exp: one exponentiation; Pairing: one pairing computation.

7. Conclusion
In this paper, we presented the notion of CL-PKEET to solve the certificate management problem in PKEET and the key escrow problem in IBEET simultaneously. More specifically, we formalized the system model and definition of CL-PKEET and defined the security models by considering four types of adversaries. Finally, we presented a concrete CL-PKEET scheme based on the BDH assumption in asymmetric bilinear groups, which achieves IND-CCA security against adversaries without the trapdoor and OW-CCA security against adversaries with the trapdoor.

Acknowledgment This work was supported by Shandong Special Project of Education Enrollment Examination (No.ZK1 437B005), Chinese Ministry of Education, Humanities and Social Sciences Research Project (No.14YJCZH 136) and Philosophy and Social Sciences Planning Project of Qingdao (No.QDSKL1701086). References [1] S. S. Al-Riyami and K. G. Paterson. Certificateless public key cryptography. In Advances in Cryptology - ASIACRYPT 2003, volume 2894 of LNCS, pages 452–473, Taipei, Taiwan, 2003. Springer Berlin Heidelberg. [2] J. Baek, R. Safavi-Naini, and W. Susilo. Public key encryption with keyword search revisited. In Computational Science and Its Applications - ICCSA 2008, volume 5072 of LNCS, pages 1249–1259, Perugia, Italy, 2008. Springer Berlin Heidelberg.


[3] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In Advances in Cryptology - EUROCRYPT 2004, volume 3027 of LNCS, pages 506–522, Interlaken, Switzerland, 2004. Springer Berlin Heidelberg.
[4] D. Boneh and M. Franklin. Identity-based encryption from the Weil pairing. In Advances in Cryptology - CRYPTO 2001, volume 2139 of LNCS, pages 213–229, Santa Barbara, California, USA, 2001. Springer Berlin Heidelberg.
[5] X. Boyen, Q. Mei, and B. Waters. Direct chosen ciphertext security from identity-based techniques. In Proceedings of the 12th ACM Conference on Computer and Communications Security, CCS'05, pages 320–329, New York, NY, USA, 2005. ACM.
[6] S. Chatterjee and A. Menezes. On cryptographic protocols employing asymmetric pairings - the role of Ψ revisited. Discrete Applied Mathematics, 159(13):1311–1322, 2011.


[7] C. Cocks. An identity based encryption scheme based on quadratic residues. In Cryptography and Coding 2001, volume 2260 of LNCS, pages 360–363, Cirencester, UK, 2001. Springer Berlin Heidelberg.
[8] S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, 2008.
[9] S. T. Hsu, C. C. Yang, and M. S. Hwang. A study of public key encryption with keyword search. International Journal of Network Security, 15(2):71–79, 2013.
[10] K. Huang, R. Tso, Y. C. Chen, S. M. M. Rahman, A. Almogren, and A. Alamri. PKE-AET: Public key encryption with authorized equality test. Computer Journal, 58(10):2686–2697, 2015.
[11] H. T. Lee, S. Ling, J. H. Seo, and H. Wang. CCA2 attack and modification of Huang et al.'s public key encryption with authorized equality test. Computer Journal, 59(11):1689–1694, 2016.
[12] H. T. Lee, S. Ling, J. H. Seo, and H. Wang. Semi-generic construction of public key encryption and identity-based encryption with equality test. Information Sciences, 373:419–440, 2016.
[13] S. Ma. Identity-based encryption with outsourced equality test in cloud computing. Information Sciences, 328:389–402, 2016.
[14] S. Ma, Q. Huang, M. Zhang, and B. Yang. Efficient public key encryption with equality test supporting flexible authorization. IEEE Transactions on Information Forensics and Security, 10(3):458–470, 2015.
[15] S. Ma, M. Zhang, Q. Huang, and B. Yang. Public key encryption with delegated equality test in a multi-user setting. Computer Journal, 58(4):986–1002, 2015.
[16] Y. Ohtaki. Constructing a searchable encrypted log using encrypted inverted indexes. In Proceedings of the 2005 International Conference on Cyberworlds, CW'05, pages 130–138, Washington, DC, USA, 2005. IEEE Computer Society.
[17] A. Shamir. Identity-based cryptosystems and signature schemes. In Advances in Cryptology - CRYPTO 1984, volume 196 of LNCS, pages 47–53, Santa Barbara, CA, USA, 1984. Springer Berlin Heidelberg.
[18] D. F. Sittig. Personal health records on the internet: a snapshot of the pioneers at the end of the 20th century. International Journal of Medical Informatics, 65(1):1–6, 2002.
[19] N. P. Smart and F. Vercauteren. On computable isomorphisms in efficient asymmetric pairing-based systems. Discrete Applied Mathematics, 155(4):538–547, 2007.
[20] Y. Sun, F. Zhang, and J. Baek. Strongly secure certificateless public key encryption without pairing. In Cryptology and Network Security, CANS 2007, volume 4856 of LNCS, pages 194–208, Singapore, 2007. Springer Berlin Heidelberg.
[21] Q. Tang. Public key encryption supporting plaintext equality test and user-specified authorization. Security and Communication Networks, 5(12):1351–1362, 2011.
[22] Q. Tang. Towards public key encryption scheme supporting equality test with fine-grained authorization. In Information Security and Privacy - ACISP 2011, volume 6812 of LNCS, pages 389–406, Melbourne, Australia, 2011. Springer Berlin Heidelberg.
[23] Q. Tang. Public key encryption schemes supporting equality test with authorisation of different granularity. International Journal of Applied Cryptography, 2(4):304–321, 2012.

[24] G. Yang, C. H. Tan, Q. Huang, and D. S. Wong. Probabilistic public key encryption with equality test. In Topics in Cryptology - CT-RSA 2010, volume 5985 of LNCS, pages 119–131, San Francisco, CA, USA, 2010. Springer Berlin Heidelberg.
