Scientific Research

An Academic Publisher

**Parallel Key Insulated ID-Based Public Key Cryptographic Primitive with Outsourced Equality Test** ()

^{1}, Mustapha Adamu Mohammed

^{1,2}, Bright Anibrika Selorm Kodzo

^{1}, Pious Akwasi Sarpong

^{3}, Michael Asante

^{2}

Share and Cite:

*Journal of Computer and Communications*,

**8**, 197-213. doi: 10.4236/jcc.2020.812018.

1. Introduction

Due to the rapid growth of cloud computing [1], storing a user data in the cloud such as photos, moving pictures and other instant electronic messages has attracted the attention of individuals and organizations. However, cloud servers cannot be fully trusted in providing confidentiality and privacy of users data outsourced to the cloud. In this era of traffic analytics and privacy concerns, it is advisable to outsource user’s data to the cloud encrypted. Public key cryptosystem has proven to be suitable for encrypting such data. But it may be unrealistic for data owners to access all the data from the cloud via download whenever there is a need to access their files. Therefore, it is desirable to design a scheme that supports the search function on the ciphertext in the cloud server without the need to divulge any information related to these ciphertexts.

Boneh and Franklin *et al.* [2] proposed the first public key cryptographic primitive using keyword search (PKE-KS). In their scheme, the user could encrypt the keyword and corresponding data under a specific user’s identity, meanwhile, each user is allowed to create a target keyword trapdoor by using their secret key and then outsource it to the cloud. Nonetheless, outsourced servers can only then do comparison of keywords with trapdoors under similar public key. This has become the bottleneck for the development of keyword search because there is the need to do keyword search with different public keys. To forestall this problem, [3] proposed a public key cryptographic primitive with equality test based on the pairing bilinearity. Compared to PKE-KS, the equality or equivalent test of PKE-ET can be performed among two encrypted data (ciphertexts) with the similar public key, and with different public keys.

Following the construction of Yang *et al.* [3] scheme, some proposed schemes with equivalent test have been constructed [4] [5] [6] [7]. Recently, Ma [8] notion of a cryptographic primitive with equality test (IBE-ET) outsourced to the cloud is the first to blend identity-based cryptographic primitive with public key cryptosystem with equivalent test and this inherited the gains of such schemes. Thus, the problem caused by key exposure could not be avoided in their scheme. Undoubtably, key exposure will lead to a destructive consequence. In view of that, Dodis *et al.* [9] proposed the primitive of key-insulated cryptographic scheme. In their scheme, secret keys consist of two parts namely, secret user key and helper key. The purpose of the secret key adoption is to change frequently so as to prevent the likelihood of key exposure whereas the helper is adopted to help update the secret keys to reduce the exposure of secret decryption keys. Constructing a key-insulated scheme with helper keys that supports public key cryptosystem with equality test is still an open problem. Therefore, a scheme needed to be devised that satisfies both equality test and key-insulation in public key cryptography.

2. Related Work

2.1. Parallel Key-Insulated Cryptosystem

It is of importance to lessen the destructive effect generated by key exposure. Dodis *et al.* [9] first designed the key-insulation cryptosystem. However, in their scheme, the total time period number is determined in advance. Later, [10] proposed new key-insulated crytographic scheme. In their scheme, the total time period number does not need to be given in advance. Since then, many research results about key-insulated encryption have been propounded. By introducing the concept of proxy cryptographic re-encryption scheme, Wang *et al.* [11] constructed a key-insulated proxy cryptographic re-encryption scheme (KIPRE). He *et al.* [12] combined key-insulated encryption with certificateless public key encryption (CL-PKE) and designed a new paradigm of certificateless key-insulated cryptographic encryption scheme (CLKIE). Hanaoka *et al.* [13] combined identity based cryptographic scheme with key-insulation and constructed a novel identity based key-insulation cryptosystem with a single helper. Benot *et al.* [14] also constructed another identity based key-insulation scheme without the adoption of the random oracles.

Introduction of a helper in key-insulated encryption schemes helps to curtail the problem of decryption keys exposure. Thus, temporal secret keys are maintained by users and are refreshed via a mutual interaction between the user and helper. In key-insulated cryptosystems, it is required to often update the keys to reduce the risk of temporal decryption key exposure. This phenomenom requires frequent increase of helper connection during secret key updates in an insecure environment, hence makes the helper key prone to key exposure attacks. To curtail the tendency of helper keys exposure, Hanoaka *et al.* [15] constructed parallel key-insulation encryption (PKIE) to avoid the problem of helper exposure. Their scheme ensured that two distinct helpers alternatively update the secret key. This avoided or curtailed the exposure of a single helper. Therefore, securing the helper has become a major concern in PKIE. Most PKIE schemes [14] [15] [16] [17] adopted the helper approach to avoid the exposure of temporal secret keys and helper keys. Recently, Ren *et al.* [18] proposed multiple helper keys to reduce the risk of using one or two helpers for key updates. A secured helper in key-insulated public key encryption (KIPE) plays a vital role in users secret key updates.

2.2. Equality Test

The first public key cryptograhic scheme with keyword search was announced by Boneh *et al.* [19]. In their construction, users are able to test the equivalance between two encrypted data which are ciphertext with the same public key. Later, some well-designed PKE-KS schemes were constructed [20] [21] with search functions on ciphertexts with different public keys. To solve this problem, [3] constructed encryption scheme with equality test. Their scheme allowed users to search the ciphertexts in different public keys. After that, a large amount of schemes corresponding to PKE-ET have been propounded [19] [22] [23] [24]. Although PKE-ET has excellent performance, there are some inherent problems with key certificate management, that put serious constraints with regards to efficiency and practice. To solve this problem, Ma [18] combined PKE-ET and identity-based scheme (IBE) [2] [25] and reported the first identity-based cryptographic scheme with equality test (IBE-ET). Different from the public key cryptosystem with equality test, identity based cryptosystem solved the problem of key certificate management in public key cryptosystem with equality test. Recently, there have been other applications of identity based cryptographic primitive to detect and prevent malware in encrypted traffic [26]. Also, [27] constructed a dual server identity based cryptosystem which can resist the inner keywords guessing attack so as to prevent an attack on keyword search in public key cryptosystems. In order to provide a scheme that achieves indistiguishable identity chosen ciphertext attack (IND-ID-CCA) security, Lee *et al.* [28] constructed a semi-generic cryptosystem with equality test. Unfortunately, their scheme could not prevent the damage that emanate from private key exposure. So far, there has not been any scheme that can solve private key exposure and helper keys exposure problem in identity (ID) based cryptosystem with equality test.

2.3. Our Contribution

To address these challenges, we propose parallel key insulated ID-based public key encryption with outsourced equality test (PKI-IBPKE-ET). In summary, our contributions to this work consist of three points: 1) We first incoporate the idea of identity-based (ID) parallel key-insulated cryptosystem with multiple helper keys into IBE-ET to construct PKI-IBPKE-ET scheme. Specifically, PKI-IBPKE-ET enables the cloud server to perform equivalence test on ciphertext. Meanwhile, PKI-IBPKE-ET can resist helper key exposure and private decryption key exposure; 2) Our scheme achieves Weak-IND-ID-CCA (W-IND-ID-CCA) security, which also prevents an insider attack [29]; 3) Finally, we give the experimental simulation and theoretical analysis which shows the feasibility and practicability of our novel scheme.

2.4. Paper Organization

The rest of this work is organized as follows; In Section 3, our scheme outlines preliminaries for the construction and the definitions of PKI-IBPKE-ET. In Section 4, the security model is outlined, Section 5 outlines our construction of PKI-IBPKE-ET and proof the security in Section 6. Section 7 compares our work with existing schemes. Section 8 gives a conclusion remark.

3. Scheme Preliminaries

3.1. Bilinear Map

Let *G* and *G _{T}* be two multiplicative cyclic groups of prime order

*p*. We assume that

*g*is a generator of

*G*. A bilinear map $e\mathrm{:}G\times G\to {G}_{T}$ satisfies the following properties:

1) Bilinearity: For any
$g\in G$, *a* and
$b\in {Z}_{p}$,
$e\left({g}^{a}\mathrm{,}{g}^{b}\right)=e{\left(g\mathrm{,}g\right)}^{ab}$.

2) Non-Degenerate: $e\left(g\mathrm{,}g\right)\ne 1$.

3) Computable: There is an efficient algorithm to compute $e\left(g\mathrm{,}g\right)$ for any $g\in G$.

3.2. Bilinear Diffie-Hellman (BDH) Problem

Let *G* and *G _{T}* be two groups of prime order

*p*. Let $e\mathrm{:}G\times G\to {G}_{T}$ be an admissible bilinear map and let

*g*be a generator of

*G*. The BDH problem in $\left[p\mathrm{,}G\mathrm{,}{G}_{T}\mathrm{,}e\right]$ is as follows: Given $\left[g\mathrm{,}{g}^{a}\mathrm{,}{g}^{b}\mathrm{,}{g}^{c}\right]$ for random $a\mathrm{,}b\mathrm{,}c\in {Z}_{p}^{\ast}$ for any randomized algorithm

*A*computes value $e{\left(g\mathrm{,}g\right)}^{abc}$ with advantage:

$AD{V}_{A}^{BDH}=Pr\left[A\left(g\mathrm{,}{g}^{a}\mathrm{,}{g}^{b}\mathrm{,}{g}^{c}\right)=e{\left(g\mathrm{,}g\right)}^{abc}\right]\mathrm{.}$ (1)

The *BDH* assumption holds if for all polynomial-time algorithm *A*, its advantage
$AD{V}_{A}^{BDH}$ is negligible.

3.3. Definitions

This section gives formal definitions of our proposed scheme. A parallel key-insulated with a multiple helper keys [18] were adopted in our model to do away with the exposure of a single or double helpers and to increase the security of user secret keys. The system model is sketched in Figure 1. Our method achieves weak chosen ciphertext security (*i.e.* W-IND-ID-CCA) under a specified security construction model.

In parallel key-insulated ID-based public key encryption with equality test (PKI-IBPKE-ET), we specify nine algorithms: Setup, Extract, UserKeyGeneration, BaseKeyUpdate, UserTempKeyUpdate, PKITrapdoor, PKIEncrypt, PKIDecrypt, Test, *M* and *CT* are the plaintext space and ciphertext space, respectively:

Figure 1. System model of PKI-IBPKE-ET.

1) Setup
$\left(\u22cb,N,Q\right)$ : It input a secured parameter
$\u22cb$, total time period *N*, numbr of helper keys *Q* and returns the public parameter *K*, helper keys
$\left(b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right)$ and the temporal master key *MSK*.

2) Extract
$\left(MSK\mathrm{,}K\mathrm{,}ID\right)$ : On input *MSK*, arbitrary
$ID\in {\left\{\mathrm{0,1}\right\}}^{\ast}$, system parameter *K* and returns a secret key
$md{k}_{I{D}_{0}}$ to the user with a corresponding identity *ID*. The PKG also performs such algorithm. Subsequently, PKG send to the user with a corresponding identity *ID* via a dedicated secure channel.

3) UserKeyGeneration
$\left(K\mathrm{,}N\mathrm{,}md{k}_{ID}\right)$ : The user generation algorithm on input the received secret key
$md{k}_{ID}$, public paramter *K*, time period *N* and *ID*. The algorithm output helper key
$B{K}_{0}$.

4) BaseKeyUpdate
$\left(B{K}_{0}\mathrm{,}b{k}_{j}\mathrm{,}t\right)$ : On input the helper key
$B{K}_{0}$ at a span
$b{k}_{j}$ and index time span *t*. The algorithm output update key
$U{K}_{t}$.

5) UserKeyUpdate
$\left(md{k}_{I{D}_{t-1}}\mathrm{,}t\mathrm{,}U{K}_{t}\right)$ : On input
$md{k}_{I{D}_{t-1}}$, index *t* of the next span and update key
$U{K}_{t}$. It output the secret key
$md{k}_{I{D}_{t}}$ for the next span *t* corresponding to the user *ID*.

6) PKIEncrypt
$\left(K\mathrm{,}t\mathrm{,}ID\mathrm{,}{M}_{1}\right)$ : It input *K*, the index span *t* of the current time period, an identity
$ID\in {\left\{\mathrm{0,1}\right\}}^{\ast}$ and plaintext
${M}_{1}\in M$, and return the ciphertext
$C{T}_{t}$ as
$C{T}_{t}=\left(t\mathrm{,}C{T}_{1}\right)$, where
$C{T}_{t}\in CT$.

7) PKIDecryption $\left(md{k}_{I{D}_{t}}\mathrm{,}t\mathrm{,}C{T}_{t}\right)$ : It takes a current private secret key $md{k}_{I{D}_{t}}$ and ciphertext $C{T}_{t}$ as input and return plaintext ${M}_{1}\in M$ or a symbol $\perp $ if the corresponding ciphertext is valid.

8) Test
$\left(C{T}_{{t}_{A}}\mathrm{,}C{T}_{{t}_{B}}\right)$ : It takes ciphertext
$C{T}_{{t}_{A}}$ and
$C{T}_{{t}_{B}}$ outputted by user *A* and user *B* respectively. It output 1 if the corresponding message cooresponding to
$C{T}_{{t}_{A}}$ and
$C{T}_{{t}_{B}}$ are equal. It output 0, otherwise
$\perp $.

Correctness:

1) When
$md{k}_{I{D}_{t}}$ the updated secret decryption key is generated with multiple helper. The BaseKeyUpdate algorithm on input *ID* as the public key, then;

$\forall {M}_{1}\in M\mathrm{:}Decrypt\left(CT\mathrm{,}md{k}_{I{D}_{t}}\right)={M}_{1}$,

where $CT=Encrypt\left(ID\mathrm{,}{M}_{1}\right)$ and $C{T}_{t}=\left(t\mathrm{,}CT\right)$.

2) Supposedly, $td{r}_{A}$ and $td{r}_{B}$ are trapdoors generated by the trapdoor algorithm given $I{D}_{A}$ and $I{D}_{B}$ as the public keys, then;

$\forall {M}_{1}\in M\mathrm{:}Test\left(C{T}_{A}\mathrm{,}t{d}_{A}\mathrm{,}C{T}_{B}\mathrm{,}t{d}_{B}\right)=1$,

where $C{T}_{A}=Encrypt\left(I{D}_{A}\mathrm{,}{M}_{1}\right)$ and $C{T}_{B}=Encrypt\left(I{D}_{B}\mathrm{,}{M}_{1}\right)$.

3) The $td{r}_{A}$ and $td{r}_{B}$ are supposedly trapdoors generated by the trapdoor algorithm given $I{D}_{A}$ and $I{D}_{B}$ as the public keys, then:

$\forall {M}_{1}\mathrm{,}{{M}^{\prime}}_{1}\in M$ and ${M}_{1}\ne {M}_{1}^{\ast}$. $Pr\left[Test\left(C{T}_{A}\mathrm{,}t{d}_{A}\mathrm{,}C{T}_{B}\mathrm{,}t{d}_{B}\right)=1\right]$

is negligible where $C{T}_{A}=Encrypt\left(I{D}_{A}\mathrm{,}{M}_{1}\right)$ and $C{T}_{B}=Encrypt\left(I{D}_{B}\mathrm{,}{{M}^{\prime}}_{1}\right)$.

4. Security Models

1) Setup
$(\u22cb)$ : The challenger on input a security parameter
$\u22cb$ executes the setup algorithm. It gives the system parameters *K* to the adversary *A* and keep the master key *MSK* to himself.

2) Phase 1-Private secret decryption key queries
$\left(I{D}_{A}\right)$ : The challenger runs the extract algorithm to generate the private decryption key
$md{k}_{{t}_{a}}$ corresponding to the user with public key
$I{D}_{a}$. It forwards
$md{k}_{{t}_{a}}$ to *A*.

3) Trapdoor Queries
$\left(I{D}_{a}\right)$ : The challenger executes the above private decryption key queries on
$I{D}_{a}$ to obtain
$md{k}_{I{D}_{a}}$ and subsequently generate the trapdoor
$td{r}_{a}$ using
$md{k}_{I{D}_{a}}$ via trapdoor algorithm. Finally, the algorithm forwards
$t{d}_{a}$ to *A*.

4) Decryption Queries
$\left(I{D}_{a}\mathrm{,}\left(t\mathrm{,}C{T}_{a}\right)\right)$ : The challenger executes decryption algorithm to decrypt the ciphertext
$\left(t\mathrm{,}C{T}_{a}\right)$ by executing extract algorithm to obtain the private secret key
$md{k}_{I{D}_{{t}_{a}}}$ relating to the public key
$I{D}_{a}$. Finally, it forwards plaintext
${M}_{1}$ to *A*.

5) Challenge: *A* submits an identity
$I{D}_{ch}$ to which a challenge will be posed. The only constraints is that
$I{D}_{ch}$ was not seen in private decryption key queries in phase 1 but
$I{D}_{ch}$ may show in trapdoor queries in phase 1 or in decryption query
$I{D}_{ch}$. The challenger then randomly chooses plaintext
${M}_{ch}\in M$ and sets
$C{T}^{\ast}=Encrypt\left(I{D}_{ch}\mathrm{,}{M}_{ch}\mathrm{,}to{k}_{ID}^{\ast}\right)$. Finally, it forwards
$C{T}^{\ast}$ to *A* as its challenge ciphertext.

6) Phase 2-Private decryption key queries $I{D}_{a}$ : Whereby $I{D}_{a}\ne I{D}_{ch}$. The challenger respond similar to that of phase 1.

7) Trapdoor Queries $\left(I{D}_{a}\mathrm{,}C{T}_{i}\right)\ne \left(I{D}_{ch}\mathrm{,}C{T}^{\ast}\right)$ : The challenger then responds similar to phase 1.

8) Decryption Queries $\left(I{D}_{a}\mathrm{,}C{T}_{i}\right)\ne \left(I{D}_{ch}\mathrm{,}C{T}^{\ast}\right)$ : The challenger respond similar to phase 1.

9) Guess: *A* submits a guess
${{M}^{\prime}}_{1}\in M$

The scheme is W-ID-CCA secure if for all W-IND-CCA adversaries,

$AD{V}_{PKI\text{-}IBPKE\text{-}E{T}_{A}}^{W\text{-}ID\text{-}CCA}\left(K\right)=Pr\left[{M}_{1}={M}_{1}^{\ast}\right]$ (2)

is negligible.

5. Construction

The detailed construction for the PKI-IBPKE-ET in this section includes:

1) Setup:
$\left(\u22cb\mathrm{,}Q\mathrm{,}N\right)$ The system input a secured parameter
$\u22cb$, number of helper key *Q*, a time period *N* as input and return public system parameter *K*. The initial master secret key is *MSK* and multiple helper keys are
$\left(b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right)$.

● The system generates two multiplicative groups *G* and *G _{T}* with the same prime order

*p*of $\u22cb$ length bits and a bilinear map $e\mathrm{:}G\times G\to {G}_{T}$. The system selects an arbitrary generator $g\in G$.

● The algorithm exploits a keyed permutation
$F\mathrm{:}{\left\{\mathrm{0,1}\right\}}^{k}\times {\left\{\mathrm{0,1}\right\}}^{n}\to {Z}_{p}^{\ast}$ for a positive integers
$K=k(\u22cb)$ and
$L=\left(n(\u22cb)\right)$. Set a random value
${k}_{1}$ from
${\left\{\mathrm{0,1}\right\}}^{L}$. Generate a MAC scheme
$MAC=GSV$, where *G* is generate, *S* is sign and *V* verify. It obtain
${k}_{2}$ by running
$G(\u22cb)$. Set the master token key
$MTK=\left({k}_{1}\mathrm{,}{k}_{2}\right)$.

● The system chooses three hash functions:
${H}_{1}\mathrm{:}{\left\{\mathrm{0,1}\right\}}^{p}\to {Z}_{p}^{\ast}$,
${H}_{2}\mathrm{:}{\left\{\mathrm{0,1}\right\}}^{\ast}\to G$,
${H}_{3}\mathrm{:}T\times {G}_{T}\to {\left\{\mathrm{0,1}\right\}}^{p+l}$ where *l* is the length of random numbers, whereas *p* is the message length. The algorithm randomly picks
$\left(\alpha \mathrm{,}\beta \right)\in {Z}_{p}^{2}$ and set
${g}_{1}={g}^{\alpha}$,
${g}_{2}={g}^{\beta}$. It publishes public parameter
$K=\left(T\mathrm{,}p\mathrm{,}G\mathrm{,}{G}_{T}\mathrm{,}e\mathrm{,}g\mathrm{,}{g}_{1}\mathrm{,}{g}_{2}\mathrm{,}b{k}_{Q}\mathrm{,}MAC\mathrm{,}{H}_{1}\mathrm{,}{H}_{2}\mathrm{,}{H}_{3}\right)$ and
$MSK=\left(\alpha \mathrm{,}\beta \right)$. *T* is referred to as MAC tag.

2) Extract
$\left(K\mathrm{,}MSK\mathrm{,}ID\right)$ : For a given string
$ID\in {\left\{\mathrm{0,1}\right\}}^{\ast}$, public parameter *K* and *MSK*. The algorithm compute
${h}_{ID}={H}_{2}\left(ID\right)\in G$, set temporal master decryption key
$md{k}_{I{D}_{t}}=\left({h}_{I{D}_{t}}^{\alpha}\mathrm{,}{h}_{I{D}_{t}}^{\beta}\right)$ where
$\left(\alpha \mathrm{,}\beta \right)$ are the master secret key and the intial time index period at *t*.

3) UserKeyGeneration $\left(K\mathrm{,}md{k}_{I{D}_{t}}\mathrm{,}I{D}_{t}\right)$ : On input $md{k}_{I{D}_{t}}$, the algorithm randomly chooses $b{k}_{Q-1}\in {\left\{\mathrm{0,1}\right\}}^{p}$ and set:

$B{K}_{0}={g}^{b{k}_{Q-1}},\text{\hspace{1em}}{g}_{3}={g}^{\alpha}\left({\displaystyle \underset{i=1-Q}{\overset{0}{\prod}}}{\left({g}^{{H}_{1}\left(b{k}_{j}\left(i\right)\right)}\right)}^{{r}_{1}}\right),\text{\hspace{1em}}{g}_{4}=\left({\displaystyle \underset{i=1-Q}{\overset{0}{\prod}}}\right),$ (3)

where ${r}_{1}=F\left(b{k}_{j}\mathrm{,}i\right)$ and $j=\left(1\mathrm{mod}Q\right)$.

The function *F* is assumed as a pseudorandom permutation.

The initial secret helper keys $B{K}_{0}=\left({g}_{3}\mathrm{,}{g}_{4}\right)$ and number of helper set to $\left(b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right)$.

4) BaseKeyUpdate
$\left(b{k}_{j}\mathrm{,}t\right)$ : On input helper key at
$b{k}_{j}$ and a period index *t*. The helper key updater computes the *j*th helper base as:

$U{K}_{t}=\left({g}_{3}^{{H}_{1}\left(b{k}_{j}\left(t-Q\right)\right)}\mathrm{,}{g}^{{r}_{t}-Q}\right)\mathrm{,}$ (4)

where ${r}_{t}=F\left(b{k}_{j}\mathrm{,}t-Q\right)$ and $j=\left(t\mathrm{mod}Q\right)$.

5) UserKeyUpdate
$\left(t\mathrm{,}U{K}_{t}\mathrm{,}md{k}_{0}\mathrm{,}ID\right)$ : On input the period *t*, updated key at time *t* and a master decryption key with
$ID\in {\left\{\mathrm{0,1}\right\}}^{\ast}$. The algorithm parse:

$U{K}_{t}=\left({H}_{{1}_{t}},{{H}^{\prime}}_{{1}_{t}}\right)$ and set $UTK{U}_{t-1}=\left({g}_{{3}_{t}},{g}_{{4}_{t}}\right)$,

${g}_{{4}_{t-1}}={g}_{{4}_{t-1}}\cdot {H}_{{1}_{t}}$, ${g}_{{3}_{t-1}}={g}_{{3}_{t-1}}\cdot {{H}^{\prime}}_{{1}_{t}}$.

Hence $UTK{U}_{t}=\left({g}_{I{D}_{{4}_{t}}},{g}_{I{D}_{{3}_{t}}}\right)$. Thus, ${g}_{3}={g}^{\alpha}\left({\displaystyle \underset{i=1-Q}{\overset{t}{\prod}}}{\left({g}^{{H}_{1}\left(b{k}_{j}\left(i\right)\right)}\right)}^{{r}_{1}}\right)$ and $j=\left(i\mathrm{mod}Q\right)$, ${g}_{4}=\left({\left({\displaystyle \underset{i=1-Q}{\overset{0}{\prod}}}\text{\hspace{0.05em}}\text{\hspace{0.05em}}{g}^{{r}_{1}}\right)}^{\beta}\right)$, where ${r}_{1}=F\left(b{k}_{j}\mathrm{,}i\right)$.

The algorithm parse the current index period secret decryption key as:

$md{k}_{I{D}_{t}}=\left({h}_{I{D}_{t}}^{\alpha}\mathrm{,}{h}_{I{D}_{t}}^{\beta}\right)\mathrm{,}$ (5)

where ${g}_{3}={h}_{ID}^{\alpha \left(t\right)}$ and ${g}_{4}={h}_{ID}^{\beta \left(t\right)}$.

6) PKITrapdoor
$\left(ID\mathrm{,}MSK\mathrm{,}t\right)$ : For a given string
$ID\in {\left\{\mathrm{0,1}\right\}}^{\ast}$, *MSK* and index time *t* the algorithm computes
${h}_{ID}={H}_{2}\left(ID\right)\in G$ and set the trapdoor
$t{d}_{ID}={h}_{ID}^{\beta}$,
$t{d}_{ID}$ is the second element of
$mdk$, where
$md{k}_{I{D}_{t}}$,
$t{d}_{ID}$ and
$to{k}_{ID}$ are distributed via a secured channel.

7) PKIEncrypt
$\left(K\mathrm{,}ID\mathrm{,}{M}_{1}\right)$ : To encrypt
${M}_{1}$ with a public identity *ID*, the algorithm selects two random numbers
$\left({r}_{1}\mathrm{,}{r}_{2}\right)\in {Z}_{p}^{\ast}$. Then it computes:

$C{T}_{1}={g}^{{r}_{1}}$, $C{T}_{2}={Q}_{1}^{{r}_{1}}\cdot {H}_{2}\left(e{\left({g}_{4},{h}_{ID}\right)}^{{r}_{1}}\right)$

where

${Q}_{1}=\left(\left({\displaystyle \underset{i=1-Q}{\overset{t}{\prod}}}\text{\hspace{0.05em}}\text{\hspace{0.05em}}B{K}_{j}^{{H}_{1}\left(i\right)}\right)\cdot {M}_{1}\right)$, $C{T}_{3}={g}^{{r}_{2}}$,

$C{T}_{4}=\left({M}_{1}\mathrm{\left|\right|}{r}_{1}\right)\oplus {H}_{3}\left(C{T}_{1}\mathrm{\left|\right|}C{T}_{2}\mathrm{\left|\right|}P\mathrm{\left|\right|}e{\left({g}_{3}\mathrm{,}{h}_{ID}\right)}^{{r}_{2}}\right)$.

Finally, it returns

$CT=\left(C{T}_{1}\mathrm{,}C{T}_{2}\mathrm{,}C{T}_{3}\mathrm{,}C{T}_{4}\right)$.

where
$P\leftarrow S\left({k}_{2}\mathrm{,}C{T}_{3}\right)$ for signing algorithm *S* of the employed MAC, the corresponding tag *P* is used to verify
$C{T}_{3}$. The function *F* is assumed to be a strong pseudorandom permutation and MAC is existentially unforgeable under chosen message attack.

8) PKIDecrypt
$\left(CT\mathrm{,}md{k}_{ID}\mathrm{,}to{k}_{ID}\right)$ : On input the ciphertext *CT*, updated secret key
$md{k}_{ID}$ and a token
$token=\left({k}_{1}\mathrm{,}{k}_{2}\right)$ subsequantly, it computes:

${m}^{\prime}\mathrm{\left|\right|}{r}^{\prime}=C{T}_{4}\oplus {H}_{3}\left(C{T}_{1}\mathrm{\left|\right|}C{T}_{2}\mathrm{\left|\right|}P\mathrm{\left|\right|}e\left(C{T}_{3}\mathrm{,}md{k}_{I{D}_{t}}^{\alpha}\right)\right)$,

${m}^{\prime}\mathrm{\left|\right|}{r}^{\prime}={H}_{3}\left(e\left(C{T}_{3}\mathrm{,}md{k}_{I{D}_{t}}^{\alpha}\right)\right)$.

Given $P\leftarrow S\left({k}_{2}\mathrm{,}C{T}_{3}\right)$ where $P=MA{C}_{{k}_{2}}\left(C{T}_{3}\right)$, the algorithm veriifies if: ${B}^{\prime}=MA{C}_{{k}_{2}}\left(C{T}_{3}\right)$ if ${B}^{\prime}=P$. Then it checks whether $C{T}_{1}={g}^{{{r}^{\prime}}_{1}}$ and

$C{T}_{2}={Q}_{1}^{{{r}^{\prime}}_{1}}\cdot {H}_{2}\left(e\left(C{T}_{1},{h}_{I{D}_{t}}^{\beta}\right)\right)$. Where ${Q}_{1}=\left({\displaystyle \underset{i=1-Q}{\overset{t}{\prod}}}\text{\hspace{0.05em}}\text{\hspace{0.05em}}B{K}_{j}^{{H}_{1}\left(i\right)}\right)\cdot {{M}^{\prime}}_{1}$.

If both hold, the algorithm returns ${{M}^{\prime}}_{1}$, otherwise return $\perp $.

9) Test $\left(C{T}_{A}\mathrm{,}t{d}_{I{D}_{A}}\mathrm{,}C{T}_{B}\mathrm{,}t{d}_{I{D}_{B}}\right)$ : On input the ciphertext $C{T}_{A}$, trapdoor $t{d}_{A}$ and a given senders ciphertext $C{T}_{B}$. The algorithm test whether ${M}_{{1}_{A}}={M}_{{1}_{B}}$ by computing:

${T}_{A}=\frac{C{T}_{{2}_{A}}}{{H}_{2}\left(e\left(C{T}_{{1}_{A}},t{d}_{I{D}_{A}}\right)\right)},\text{\hspace{1em}}{T}_{B}=\frac{C{T}_{{2}_{B}}}{{H}_{2}\left(e\left(C{T}_{{1}_{B}},t{d}_{I{D}_{B}}\right)\right)}.$ (6)

The algorithm output 1 if the above corresponding equation holds, it output 0 otherwise.

Correctness:

The requirement for the above definition is shown below:

1) The first point is verifiable and straightforward as shown above.

2) With a well-formed ciphertext for $I{D}_{A}$ and $I{D}_{B}$. Given the following:

${T}_{A}=\frac{C{T}_{{2}_{A}}}{{H}_{2}\left(C{T}_{{1}_{A}},t{d}_{I{D}_{A}}\right)}$, ${T}_{B}=\frac{C{T}_{{2}_{B}}}{{H}_{2}\left(C{T}_{{1}_{B}},t{d}_{I{D}_{B}}\right)}$

${T}_{A}=\frac{{Q}_{{1}_{A}}^{{r}_{{1}_{A}}}\cdot {H}_{2}\left(e\left({g}_{A}^{{r}_{1}},{h}_{I{D}_{A}}^{\beta \left(t\right)}\right)\right)}{{H}_{2}\left(e\left({g}_{A}^{{r}_{1}},{h}_{I{D}_{A}}^{\beta \left(t\right)}\right)\right)}$, ${T}_{B}=\frac{{Q}_{{1}_{B}}^{{r}_{{1}_{B}}}\cdot {H}_{2}\left(e\left({g}_{B}^{{r}_{1}},{h}_{I{D}_{B}}^{\beta \left(t\right)}\right)\right)}{{H}_{2}\left(e\left({g}_{B}^{{r}_{1}},{h}_{I{D}_{B}}^{\beta \left(t\right)}\right)\right)}$

${T}_{A}={Q}_{{1}_{A}}^{{r}_{{1}_{A}}}$ and ${T}_{B}={Q}_{{1}_{B}}^{{r}_{{1}_{B}}}$.

The algorithm output 1 if the following corresponding equation holds. Otherwise, it output 0.

$e\left(C{T}_{{1}_{A}},{T}_{B}\right)=e\left(C{T}_{{1}_{B}},{T}_{A}\right)$.

Therefore:

$\left(C{T}_{{1}_{A}},{T}_{B}\right)=e\left({g}^{{r}_{{1}_{A}}},{Q}_{{1}_{B}}^{{r}_{{1}_{B}}}\right)=e{\left(g,{Q}_{{1}_{B}}\right)}^{{r}_{{1}_{A}}{r}_{{1}_{B}}}$

$e\left(C{T}_{{1}_{B}},{T}_{A}\right)=e\left({g}^{{r}_{{1}_{B}}},{Q}_{{1}_{A}}^{{r}_{{1}_{A}}}\right)=e{\left(g,{Q}_{{1}_{A}}\right)}^{{r}_{{1}_{A}}{r}_{{1}_{B}}}$.

where

${Q}_{{1}_{A}}=\left(\left({\displaystyle \underset{i=1-Q}{\overset{t}{\prod}}}\text{\hspace{0.05em}}\text{\hspace{0.05em}}B{K}_{j}^{{H}_{1}\left(i\right)}\right)\cdot {M}_{{1}_{A}}\right)$ and ${Q}_{{1}_{B}}=\left(\left({\displaystyle \underset{i=1-Q}{\overset{t}{\prod}}}\text{\hspace{0.05em}}\text{\hspace{0.05em}}B{K}_{j}^{{H}_{1}\left(i\right)}\right)\cdot {M}_{{1}_{B}}\right)$.

Given the token $to{k}_{ID}={k}_{1}$, the function output ${M}_{A}$ and ${M}_{B}$

If ${Q}_{{1}_{A}}={Q}_{{1}_{B}}$, then: $e\left(C{T}_{{1}_{A}}\mathrm{,}{T}_{B}\right)=e\left(C{T}_{{1}_{B}}\mathrm{,}{T}_{A}\right)$.

Test $\left(C{T}_{A}\mathrm{,}t{d}_{I{D}_{A}}\mathrm{,}C{T}_{B}\mathrm{,}t{d}_{I{D}_{B}}\right)$ output 1.

3) For any ${M}_{A}\ne {M}_{B}$, Test $\left(C{T}_{A},t{d}_{I{D}_{A}},C{T}_{B},t{d}_{I{D}_{B}}\right)=1$. This implies that:

$e{\left(g,{Q}_{{1}_{A}}\right)}^{{r}_{{1}_{A}}}=e{\left(g,{Q}_{{1}_{B}}\right)}^{{r}_{{1}_{B}}}$.

Hence,

$Pr\left[e\left(g\mathrm{,}{Q}_{{1}_{A}}\right)=\left(g\mathrm{,}{Q}_{{1}_{B}}\right)\right]=\frac{1}{2}$.

Therefore, we assume:

$Pr\left[Test\left(C{T}_{A}\mathrm{,}t{d}_{I{D}_{A}}\mathrm{,}C{T}_{B}\mathrm{,}t{d}_{I{D}_{B}}\right)=1\right]$

is negligible.

6. Security Analysis

The PKI-IBPKE-ET scheme is W-IND-ID-CCA secure using the random oracle model assuming Bilinear Diffie-Helman Problem (BDHP) is negligible.

Proof Theory: It is assumed
$\mathbb{A}$ is a probabilistic polynomial time (PPT) adversary attacking the W-IND-CCA security of our scheme. Supposedly,
$\mathbb{A}$ executes in time *T* and issues hash queries (*q _{H}*) and decryption queries (

*q*). Let $Ad{v}_{A}^{W\text{-}IND\text{-}CCA}\left(t\mathrm{,}{q}_{H}\mathrm{,}{q}_{D}\right)$ depicts the benefit of $\mathbb{A}$ in W-IND-ID-CCA experiment.

_{H}Our proof of security is similar to [3]. The preliminaries of the original game are outlined as follows:

1) Game *G*_{0}

● $\alpha \leftarrow {Z}_{p}^{\mathrm{*}}$, ${g}_{1}={g}^{\alpha}$, $T=N$, $BK=\left\{b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right\}$, $R=\varnothing $.

● ${M}_{1}\leftarrow G$, ${r}_{0}\leftarrow {Z}_{p}^{\mathrm{*}}$, ${U}_{0}^{\mathrm{*}}={g}^{r}$, ${V}_{0}^{\mathrm{*}}={M}_{1}^{r}$, ${W}_{0}^{\mathrm{*}}=H\left(T\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{g}_{1}^{r}\right)\oplus \left({M}_{1}\parallel r\right)$.

● ${M}_{1}\leftarrow {\mathbb{A}}^{{o}^{{}_{H}\mathrm{,}{o}_{2}}}\left(T\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$, where the oracle works as follows:

● ${O}_{H}$ : On the tuple: $\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{Y}_{0}\right)\in {G}^{4}$, where a same random value is returned, the same input could be asked multiple times but the same answer will be responded to.

●
${O}_{2}$ : On input a ciphertext
$\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{W}_{0}\right)$, it returns the decryption algorithm to decrypt it using the secret key
$\alpha $ given within an index time *N* and a helper key *Q*.

Let ${X}_{o}$ be the event that ${{M}^{\prime}}_{1}={M}_{1}$ in Game ${G}_{0}$. However the probability in Game ${G}_{0}$ is $Pr\left[{S}_{o}\right]$. Hence, we modify Game ${G}_{0}$ and obtain the proceeding game.

2) Game *G*_{1}

● $\alpha \leftarrow {Z}_{p}^{\mathrm{*}}$, ${g}_{1}={g}^{\alpha}$, $T=N$, $BK=\left\{b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right\}$, $R=\varnothing $.

● ${M}_{1}\leftarrow G$, ${r}_{0}\leftarrow {Z}_{p}^{\mathrm{*}}$, ${U}_{0}^{*}={g}^{r}$, ${V}_{0}^{*}={M}_{1}^{r}$, ${R}_{0}^{\mathrm{*}}\to {\left[\mathrm{0,1}\right]}^{p+i}$, ${W}_{0}^{\mathrm{*}}=H\left(T\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{g}_{1}^{r}\right)\oplus \left({M}_{1}\parallel r\right)$, ${R}_{0}={R}_{0}\cup \left(T\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}{\left({U}_{0}^{\mathrm{*}}\right)}^{\alpha}\mathrm{,}{R}_{0}^{\mathrm{*}}\right)$.

● ${M}_{1}\leftarrow {A}^{{O}_{H}\mathrm{,}{O}_{2}}\left({g}_{1}\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}T\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$, where the oracle works as:

●
${O}_{H}$ : On input a triple
$\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{Y}_{0}\right)\in {G}^{4}$ where if there is an entry
$\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{Y}_{0}\mathrm{,}h\right)$ in the hash table *R*, *h* is returned, otherwise a random value *h* is selected and returned.

$\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{Y}_{0}\mathrm{,}h\right)$ is added to *R*.

● ${O}_{2}$ : On input a ciphertext $\left(T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{W}_{0}\right)$, a hash query on $\left(T\mathrm{,}b{k}_{Q-1}\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{U}_{0}^{\alpha}\right)$ is issued. Assuming the answer is $h\in {\left[\mathrm{0,1}\right]}^{p+i}$, then ${M}_{1}\parallel r$ is computed as $h\oplus W$, then a validity check on whether ${U}_{0}={g}^{r}$ and ${V}_{0}={M}_{1}^{r}$ is executed. If it fails, $\perp $ is returned: otherwise, ${M}_{1}$ is returned.

The event that Game ${G}_{1}$ occurs is denoted by ${S}_{1}$. However its observed that ${G}_{0}={G}_{1}$, hence we deduce the probability of the random oracle as:

$Pr\left[{S}_{1}\right]=Pr\left[{S}_{0}\right]$.

We subsequently modify the next game simulation in an indistinguishable way:

3) Game ${G}_{2}$

● $\alpha \leftarrow {Z}_{p}^{\mathrm{*}}$, ${g}_{1}={g}^{\alpha}$, $T=N$, $BK=\left\{b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right\}$, $R=\varnothing $.

● ${M}_{1}\leftarrow G$, ${r}_{0}\leftarrow {Z}_{p}^{\mathrm{*}}$, ${U}_{0}^{*}={g}^{r}$, ${V}_{0}^{*}={M}_{1}^{r}$, ${W}_{0}^{\mathrm{*}}\to {\left[\mathrm{0,1}\right]}^{p+i}$, ${R}^{\mathrm{*}}\to {\left[\mathrm{0,1}\right]}^{p+i}$, ${W}_{0}^{\mathrm{*}}=H\left(T\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{g}_{1}^{r}\right)\oplus \left({M}_{1}\parallel r\right)$, ${R}_{0}={R}_{0}\cup \left(t\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}{\left({U}_{0}^{\mathrm{*}}\right)}^{\alpha}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$.

● ${M}_{1}\leftarrow {A}^{{O}_{H}\mathrm{,}{O}_{2}}\left({g}_{1}\mathrm{,}T\mathrm{,}\left(b{k}_{Q-1}\right)\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$.

The oracle response to queries as follows:

● ${O}_{H}$ : Game ${G}_{2}$ is identical to Game ${G}_{2}$. However if adversary queries for $\left({U}_{0}^{\mathrm{*}}\mathrm{,.,}{\left({U}_{0}^{\mathrm{*}}\right)}^{\alpha}\right)$, then the game is abrogated. $\epsilon $ represents this event.

● This is also the same as Game ${G}_{1}$, however if adversary ask for decryption of $\left({U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}{W}_{0}\right)$, where ${{W}^{\prime}}_{0}\ne {W}_{0}^{\mathrm{*}}$, $\perp $ is returned.

Chosen Ciphertext security (CCA) secure is paramount in this game because ${W}_{0}^{\mathrm{*}}$ is a random value in both Games, however the random oracle responds are unique and probabilistic because ${W}_{0}^{\mathrm{*}}$ is dependent on ${U}_{0}$ and ${V}_{0}^{\mathrm{*}}$. The probability of $\perp $ occurring is negligible.

We modify the simulation game in index time period with multiple helper or base key indistinguishable way in the proceeding game.

4) Game *G*_{3}

● $\alpha \leftarrow {Z}_{p}^{\mathrm{*}}$, ${g}_{1}={g}^{\alpha}$, $T=N$, $BK=\left\{b{k}_{0}\mathrm{,}\cdots \mathrm{,}b{k}_{Q-1}\right\}$, $R=\varnothing $, $t\in N$.

● ${M}_{1}\leftarrow G$, ${r}_{0}\leftarrow {Z}_{p}^{\mathrm{*}}$, ${U}_{0}^{*}={g}^{r}$, ${V}_{0}^{*}={M}_{1}^{r}$, ${W}_{0}^{\mathrm{*}}\to {\left[\mathrm{0,1}\right]}^{p+i}$, ${R}_{0}={R}_{0}\cup \left(t\mathrm{,}{\left(b{k}_{Q-1}\right)}^{\ast}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}{\left({U}_{0}^{\mathrm{*}}\right)}^{\alpha}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$.

● ${M}_{1}\leftarrow {\mathbb{A}}^{{O}_{H}\mathrm{,}{O}_{2}}\left({g}_{1}\mathrm{,}T\mathrm{,}\left(b{k}_{j}\right)\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}{W}_{0}^{\mathrm{*}}\right)$.

● ${O}_{H}$ : Game ${G}_{3}$ is identical to Game ${G}_{2}$. However if adversary queries for $\left({U}_{0}^{\mathrm{*}}\mathrm{,}T\mathrm{,}b{k}_{j}\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,.,}{\left({U}_{0}^{\mathrm{*}}\right)}^{\alpha}\right)$, then the game is abrogated. Let ${\epsilon}_{1}$ be this event.

● This is also the same as Game ${G}_{2}$, however if adversary ask for decryption of $\left({U}_{0}^{\mathrm{*}}\mathrm{,}b{k}_{j}\mathrm{,}{V}_{0}^{\mathrm{*}}\mathrm{,}t\right)$ where $b{{k}^{\prime}}_{j}\ne b{k}_{j}$, $\perp $ is returned.

The timestamp and the base key
$\left(b{k}_{j}\right)$ at a period *j* associated with the ciphertext improve the security of this game. *t* is a timestamp value associated with the ciphertext in both Games, however the random oracle response are unique and probabilistic because decryption queries are dependent on
$T\mathrm{,}{U}_{0}^{\mathrm{*}}\mathrm{,}{V}_{0}^{\mathrm{*}}$ and
$\left(b{k}_{j}\right)$. The probability of
$\perp $ occurring is negligible.

In this game, the challenge ciphertext identically distributed in Game
${G}_{2}$ and
${G}_{3}$ as
${W}_{0}^{\mathrm{*}}$ is a chosen random value in both Game
${G}_{2}$ and Game
${G}_{3}$. The simulation of
${O}_{2}$ is secure since
${W}_{0}^{\mathrm{*}}$ is uniquely determined by
${U}_{0}^{\mathrm{*}}$ and
${V}_{0}^{\mathrm{*}}$ in Game
${G}_{2}$ and
${U}_{0}^{\mathrm{*}}$,
${V}_{0}^{\mathrm{*}}$, *T* and
$b{k}_{j}$ in Game
${G}_{3}$. Therefore, if event
${\epsilon}_{1}$ does not occur, Game
${G}_{3}$ is identical to Game
${G}_{1}$. However, it is observed below that event
${\epsilon}_{1}$ occurs with negligible probability.

We further simulates decryption queries in indistinquishable way from Game ${G}_{3}$. The decryption queries are separated into two types, which includes:

● Type 1: $\left(T\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{U}_{0}^{\alpha}\right)$ is queried to ${O}_{H}$ before a decryption query $\left(T\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{W}_{0}\right)$ is issued.

In this case, ${W}_{0}$ is determined after $\left(T\mathrm{,}{U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{U}_{0}^{\alpha}\right)$ is queried to ${O}_{H}$. So the decryption oracle is perfectly simulated.

● Type 2: $\left({U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{U}_{0}^{\alpha}\right)$ is not queried to ${O}_{H}$ when a decryption query $\left({U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{W}_{0}\mathrm{,}BK\right)$ was issued. Subsequently, $\perp $ is returned by the decryption oracle. The simulation will fail if $\left({U}_{0}\mathrm{,}{V}_{0}\mathrm{,}{W}_{0}\mathrm{,}BK\right)$ is valid. Therefore, this happens with negligible probability.

7. Comparison

The efficiency of algorithms and time consumption of our scheme is compared with: Ma’s [8] scheme, which combined the public key cryptosystem with equality test and identity-based cryptographic primitive: Wu *et al.*’s [29] scheme, which proposed a scheme to resist the insider attack: and Li *et al.* [30] scheme. Our scheme unveils a parallel key-insulation cryptosystem with multiple helper to minimize the exposure of the helper keys and decryption keys. The comparative results on the efficiency of our method is shown in Table 1 and communication cost in Table 2. The above comparison shows that our scheme can resist IA with key-insulation, whereas others’ don’t have this ability. In addition, the schemes [8] [29] as well as our scheme implement chosen ciphertext security, which is stronger than chosen plaintext security [16] [30] and other related identity based parallel key-insulated primitive [16] via the random oracle model. To evaluate computation efficiency of these schemes, pairing-based cryptography (PBC) library [31] was used to quantify the time consumption of encryption, decryption and test operations. We examine the computational efficiency in these schemes, the Pairing-Based Cryptography (PBC) Library [30] is used to quantify the time consumption of encryption, decryption and test operations. We use the code of a program in VC++ 6.0 and executed on a computer (Windows 10 Pro, operating system), Capacity of Intel(R) Core (TM) i5-4460 CPU with 3.20 GHZ and 4Gb RAM. The code was executed several times and average time of execution extracted. With respect to the scheme and other pairing-based constructions with a security level of 1024-bit RSA, a supersingular curve
${z}^{2}={x}^{3}+x$ with an embedded degree of 2 is adopted. Also,
$q={2}^{159}+{2}^{17}+1$ noted as a 160-bit Solinas prime with
$p=12qr-1$ noted as a 512-bit prime. With regards to ECC-based schemes, an equivalent security level of Koblitz elliptic

Table 1. Efficiency comparison of algorithm of variant PKE-ETs.

Legends: In this table, “SCH”: scheme, “Exp_{1}” and “Exp_{2}”: exponent computation in group 1 and group 2, “P”: pairing computation, “PKI”: parallel key-insulated, “IA”: insider attack, “R”: random oracle model, “TD”: trapdoor, “ET”: equality test, “Y”: “Yes” as a supportive remark, “N” refers to “No” as not supportive, “I”: IND, “C_{A}”: CPA, “C”: CCA.

Table 2. Communication cost comparison.

Legends: In this table,
$P{K}_{size}$ ; size of public key,
$S{K}_{size}$ ; size of secret key,
$C{T}_{size}$ ; size of ciphertext,
$De{l}_{Auth}$ : authorization, BDH; bilinear Diffie-Hellman,
${G}_{0}$ : group *G*,
${Z}_{{p}_{0}}$ ;
${Z}_{p}$, ROM: random oracle model. W-IND-ID-CCA refers to weak indistinguishable chosen ciphertext attack against identity, OW-ID-CCA refers to one-way chosen ciphertext attack against identity and IND-ID-CPA refers to indistinguishable chosen plaintext attack against identity.

curve of $y={x}^{3}+a{x}^{2}+b$ defined on a ${F}_{{2}^{163}}$ is used to provide the same security level in the ECC group. The computational units are in millisecond (ms) and bytes respectively. The execution times of each respective algorithm were calculated and Matlab program was used to generate Figure2. The Figure(see Figure2) depicts the computation cost of decryption and test of our scheme comparable with other existing works, whereas our encryption computational cost seems higher. This is reasonable due to the additional computational overheads required to prevent helper keys exposure with the adoption of multiple helpers, which, however, is not the case in other works. In the aspect of the computation cost of decryption and test, our scheme is better than schemes in [29] [30]. Although time consumption of encryption and decryption operations of our scheme is higher than scheme proposed in [29], our scheme provides additional security to helper exposure.

Furthermore, our computational overhead cost results do not make our scheme superior to other related schemes in terms of computational cost analysis. However, this is pardonable due to the fact that additional computational cost values added to our scheme increases the computational variables. In this way, the computational cost in encryption and decryption are higher than the related scheme due to the extra multiple helper computation added to our scheme. However, the test computational cost is comparable to [8], but the other related scheme has a high computational test results. Therefore, our scheme is an improvement on the related public key cryptosystem with key-insulation. However, our scheme adds additional primitives on previous schemes such as equality test and the adoption of multiple helper to improve on the use of single or double helper in protecting decryption keys. In this way, our scheme is secure against the use of single helper in updating users decryption keys in key-insulated cryptosystems. Therefore, the superiority of our scheme is achieved in the lower pairing computations, insider attack resistant with delegated equality test, and a symmetric cryptographic primitive (MAC) addition to public key cryptosystem to construct our scheme.

Figure 2. Computational overhead of related schemes.

8. Conclusion

This paper introduced a scheme to solve the problem caused by private decryption

key exposure and helper key in identity based cryptosystem with equality test. Our scheme delegates equality test to the cloud server and also thwarts the insider attack phenomenon in public key encryption. Inspired by the notion of scheme in [8] and the use of a single helper with key-insulation [32], we put forward parallel key insulated ID-based public key cryptographic primitive with outsourced equality test (PKI-IBPKE-ET). The mechanism of parallel key-insulated with multiple helper was used to reduce the damage to helper keys and private key exposure. Besides, our scheme also has the ability to resist insider attack from semi-trusted cloud server, which makes it practical and suitable in cloud computing. Our scheme is proven secured in random oracle model. Theoretical analysis and experiment simulation both demonstrate that our scheme is secure and efficient.

Acknowledgements

Sincere thanks to the anonymous reviewers for their kind consideration and a special thanks to managing editor *Hellen** XU* for a rare attitude of high quality.

Conflicts of Interest

The authors declare no conflicts of interest regarding the publication of this paper.

[1] |
Cao, X., Li, H., Dang, L. and Lin, Y. (2017) A Two-Party Privacy Preserving Set Intersection Protocol against Malicious Users in Cloud Computing. Computer Standards and Interfaces, 54, 41-45. https://doi.org/10.1016/j.csi.2016.08.004 |

[2] |
Boneh, D. and Franklin, M. (2001) Identity-Based Encryption from the Weil Pairing. In: Annual International Cryptology Conference, Springer, Berlin, 213-229. https://doi.org/10.1007/3-540-44647-8_13 |

[3] |
Yang, G., Tan, C.H., Huang, Q. and Wong, D.S. (2010) Probabilistic Public Key Encryption with Equality Test. In: Cryptographers’ Track at the RSA Conference, Springer, Berlin, 119-131. https://doi.org/10.1007/978-3-642-11925-5_9 |

[4] |
Lipmaa, H. (2003) Verifiable Homomorphic Oblivious Transfer and Private Equality Test. In: International Conference on the Theory and Application of Cryptology and Information Security, Springer, Berlin, 416-433. https://doi.org/10.1007/978-3-540-40061-5_27 |

[5] |
Tang, Q. (2012) Public Key Encryption Schemes Supporting Equality Test with Authorisation of Different Granularity. International Journal of Applied Cryptography, 2, 304-321. https://doi.org/10.1504/IJACT.2012.048079 |

[6] |
Wu, L., Zhang, Y., Choo, K.K.R. and He, D. (2017) Efficient Identity-Based Encryption Scheme with Equality Test in Smart City. IEEE Transactions on Sustainable Computing, 3, 44-55. https://doi.org/10.1109/TSUSC.2017.2734110 |

[7] |
Lee, H.T., Wang, H. and Zhang, K. (2018) Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017. In: Australasian Conference on Information Security and Privacy, Springer, Cham, 780-786. https://doi.org/10.1007/978-3-319-93638-3_46 |

[8] |
Ma, S. (2016) Identity-Based Encryption with Outsourced Equality Test in Cloud Computing. Information Sciences, 328, 389-402. https://doi.org/10.1016/j.ins.2015.08.053 |

[9] |
Dodis, Y., Katz, J., Xu, S. and Yung, M. (2002) Key-Insulated Public Key Cryptosystems. In: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, 65-82. https://doi.org/10.1007/3-540-46035-7_5 |

[10] |
Bellare, M. and Palacio, A. (2006) Protecting against Key-Exposure: Strongly Key-Insulated Encryption with Optimal Threshold. Applicable Algebra in Engineering, Communication and Computing, 16, 379-396. https://doi.org/10.1007/s00200-005-0183-y |

[11] | Wang, Y., Yan, D., Li, F. and Xiong, H. (2017) A Key-Insulated Proxy Re-Encryption Scheme for Data Sharing in a Cloud Environment. IJ Network Security, 19, 623-630. |

[12] | He, L., Yuan, C., Xiong, H. and Qin, Z. (2017) An Efficient and Provably Secure Certificateless Key Insulated Encryption with Applications to Mobile Internet. IJ Network Security, 19, 940-949. |

[13] |
Hanaoka, Y., Hanaoka, G., Shikata, J. and Imai, H. (2005) Identity-Based Hierarchical Strongly Key-Insulated Encryption and Its Application. In: International Conference on the Theory and Application of Cryptology and Information Security, Springer, Berlin, 495-514. https://doi.org/10.1007/11593447_27 |

[14] |
Libert, B., Quisquater, J.J. and Yung, M. (2007) Parallel Key-Insulated Public Key Encryption without Random Oracles. In: International Workshop on Public Key Cryptography, Springer, Berlin, 298-314. https://doi.org/10.1007/978-3-540-71677-8_20 |

[15] |
Hanaoka, G., Hanaoka, Y. and Imai, H. (2006) Parallel Key-Insulated Public Key Encryption. In: International Workshop on Public Key Cryptography, Springer, Berlin, 105-122. https://doi.org/10.1007/11745853_8 |

[16] |
Weng, J., Liu, S., Chen, K. and Ma, C. (2006) Identity-Based Parallel Key-Insulated Encryption without Random Oracles: Security Notions and Construction. In: International Conference on Cryptology in India, Springer, Berlin, 409-423. https://doi.org/10.1007/11941378_29 |

[17] |
Ren, Y. and Gu, D. (2010) CCA2 Secure (Hierarchical) Identity-Based Parallel Key-Insulated Encryption without Random Oracles. Journal of Systems and Software, 83, 153-162. https://doi.org/10.1016/j.jss.2009.07.046 |

[18] |
Ren, Y., Wang, S. and Zhang, X. (2013) Practical Parallel Key-Insulated Encryption with Multiple Helper Keys. Computers and Mathematics with Applications, 65, 1403-1412. https://doi.org/10.1016/j.camwa.2012.01.032 |

[19] |
Boneh, D., Di Crescenzo, G., Ostrovsky, R. and Persiano, G. (2004) Public Key Encryption with Keyword Search. In: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, 506-522. https://doi.org/10.1007/978-3-540-24676-3_30 |

[20] |
Xu, P., Jin, H., Wu, Q. and Wang, W. (2012) Public-Key Encryption with Fuzzy Keyword Search: A Provably Secure Scheme under Keyword Guessing Attack. IEEE Transactions on Computers, 62, 2266-2277. https://doi.org/10.1109/TC.2012.215 |

[21] |
Yu, Y., Ni, J., Yang, H., Mu, Y. and Susilo, W. (2014) Efficient Public Key Encryption with Revocable Keyword Search. Security and Communication Networks, 7, 466-472. https://doi.org/10.1002/sec.790 |

[22] |
Qu, H., Yan, Z., Lin, X. J., Zhang, Q. and Sun, L. (2018) Certificateless Public Key Encryption with Equality Test. Information Sciences, 462, 76-92. https://doi.org/10.1016/j.ins.2018.06.025 |

[23] |
Zhang, K., Chen, J., Lee, H.T., Qian, H. and Wang, H. (2019) Efficient Public Key Encryption with Equality Test in the Standard Model. Theoretical Computer Science, 755, 65-80. https://doi.org/10.1016/j.tcs.2018.06.048 |

[24] |
Lin, X.J., Sun, L. and Qu, H. (2018) Generic Construction of Public Key Encryption, Identity-Based Encryption and Signcryption with Equality Test. Information Sciences, 453, 111-126. https://doi.org/10.1016/j.ins.2018.04.035 |

[25] |
Waters, B. (2005) Efficient Identity-Based Encryption without Random Oracles. In: Annual International Conference on the Theory and Applications of Cryptographic Techniques, Springer, Berlin, 114-127. https://doi.org/10.1007/11426639_7 |

[26] |
Alornyo, S., Asante, M., Hu, X. and Mireku, K.K. (2018) Encrypted Traffic Analytic Using Identity Based Encryption with Equality Test for Cloud Computing. 2018 IEEE 7th International Conference on Adaptive Science and Technology, Ghana, 22-24 August 2018, 1-4. https://doi.org/10.1109/ICASTECH.2018.8507063 |

[27] |
Wu, L., Zhang, Y., Choo, K.K.R. and He, D. (2017) Efficient and Secure Identity-Based Encryption Scheme with Equality Test in Cloud Computing. Future Generation Computer Systems, 73, 22-31. https://doi.org/10.1016/j.future.2017.03.007 |

[28] |
Lee, H.T., Ling, S., Seo, J.H. and Wang, H. (2016) Semi-Generic Construction of Public Key Encryption and Identity-Based Encryption with Equality Test. Information Sciences, 373, 419-440. https://doi.org/10.1016/j.ins.2016.09.013 |

[29] |
Wu, T., Ma, S., Mu, Y. and Zeng, S. (2017) ID-Based Encryption with Equality Test against Insider Attack. In: Australasian Conference on Information Security and Privacy, Springer, Cham, 168-183. https://doi.org/10.1007/978-3-319-60055-0_9 |

[30] |
Li, J., Zhang, F. and Wang, Y. (2006) A Strong Identity Based Key-Insulated Cryptosystem. In: International Conference on Embedded and Ubiquitous Computing, Springer, Berlin, 352-361. https://doi.org/10.1007/11807964_36 |

[31] |
Lynn, B. (2013) PBC Library. https://crypto.stanford.edu/pbc/ |

[32] | Alornyo, S., Zhao, Y., Zhu, G. and Xiong, H. (2020) Identity Based Key-Insulated Encryption with Outsourced Equality Test. IJ Network Security, 22, 257-264. |

Copyright © 2020 by authors and Scientific Research Publishing Inc.

This work and the related PDF file are licensed under a Creative Commons Attribution 4.0 International License.