Parallel key-insulation allows the use of multiple helper keys to protect private decryption keys during secret decryption key updates. This approach prevents decryption key leakage or exposure in an insecure environment. We combine parallel key-insulated encryption (PKIE) with multiple helper keys and identity-based encryption with equality test (IBE-ET) to obtain parallel key-insulated ID-based public key encryption with outsourced equality test (PKI-IBPKE-ET). The scheme inherits the advantages of identity-based encryption (IBE), which simplifies certificate management for public key encryption. Furthermore, the parallel key-insulation mechanism with multiple helpers is introduced into our scheme, which greatly reduces the possibility of helper key exposure. Our scheme enables the protection and periodic update of decryption keys in an insecure environment. It achieves weak indistinguishability under identity-based chosen ciphertext attack (W-IND-ID-CCA) security in the random oracle model. Finally, experimental simulation and theoretical analysis show that our scheme is feasible and practical.
Due to the rapid growth of cloud computing [
Boneh and Franklin et al. [
Following the construction of Yang et al. [
It is of importance to lessen the destructive effect generated by key exposure. Dodis et al. [
Introducing a helper into key-insulated encryption schemes helps to curtail the problem of decryption key exposure. Temporal secret keys are maintained by users and are refreshed via a mutual interaction between the user and the helper. In key-insulated cryptosystems, the keys must be updated often to reduce the risk of temporal decryption key exposure. This requires frequent connections to the helper during secret key updates in an insecure environment, which makes the helper key prone to key exposure attacks. To curtail the tendency of helper key exposure, Hanaoka et al. [
The first public key cryptographic scheme with keyword search was announced by Boneh et al. [
To address these challenges, we propose parallel key-insulated ID-based public key encryption with outsourced equality test (PKI-IBPKE-ET). In summary, our contributions in this work consist of three points: 1) We first incorporate the idea of an identity-based (ID) parallel key-insulated cryptosystem with multiple helper keys into IBE-ET to construct the PKI-IBPKE-ET scheme. Specifically, PKI-IBPKE-ET enables the cloud server to perform the equality test on ciphertexts. Meanwhile, PKI-IBPKE-ET resists helper key exposure and private decryption key exposure; 2) Our scheme achieves Weak-IND-ID-CCA (W-IND-ID-CCA) security, which also prevents an insider attack [
The rest of this work is organized as follows. Section 3 outlines the preliminaries for the construction and the definitions of PKI-IBPKE-ET. Section 4 presents the security model, Section 5 gives our construction of PKI-IBPKE-ET and Section 6 proves its security. Section 7 compares our work with existing schemes. Section 8 gives concluding remarks.
Let $G$ and $G_T$ be two multiplicative cyclic groups of prime order $p$. We assume that $g$ is a generator of $G$. A bilinear map $e : G \times G \to G_T$ satisfies the following properties:
1) Bilinearity: for any $g \in G$ and $a, b \in \mathbb{Z}_p$, $e(g^a, g^b) = e(g, g)^{ab}$.
2) Non-degeneracy: $e(g, g) \neq 1$.
3) Computability: there is an efficient algorithm to compute $e(g, g)$ for any $g \in G$.
Let $G$ and $G_T$ be two groups of prime order $p$. Let $e : G \times G \to G_T$ be an admissible bilinear map and let $g$ be a generator of $G$. The BDH problem in $[p, G, G_T, e]$ is as follows: given $[g, g^a, g^b, g^c]$ for random $a, b, c \in \mathbb{Z}_p^*$, a randomized algorithm $A$ computes the value $e(g, g)^{abc}$ with advantage
$$ADV_A^{BDH} = \Pr\big[A(g, g^a, g^b, g^c) = e(g, g)^{abc}\big]. \quad (1)$$
The BDH assumption holds if for every polynomial-time algorithm $A$, its advantage $ADV_A^{BDH}$ is negligible.
This section gives formal definitions of our proposed scheme. A parallel key-insulated with a multiple helper keys [
In parallel key-insulated ID-based public key encryption with equality test (PKI-IBPKE-ET), we specify nine algorithms: Setup, Extract, UserKeyGeneration, BaseKeyUpdate, UserTempKeyUpdate, PKITrapdoor, PKIEncrypt, PKIDecrypt and Test. $\mathcal{M}$ and $\mathcal{CT}$ are the plaintext space and the ciphertext space, respectively:
1) Setup$(\lambda, N, Q)$: on input a security parameter $\lambda$, the total number of time periods $N$ and the number of helper keys $Q$, it returns the public parameter $K$, the helper keys $(bk_0, \cdots, bk_{Q-1})$ and the temporal master key $MSK$.
2) Extract$(MSK, K, ID)$: on input $MSK$, an arbitrary $ID \in \{0,1\}^*$ and the system parameter $K$, it returns a secret key $mdk_{ID_0}$ to the user with the corresponding identity $ID$. The PKG runs this algorithm and subsequently sends the key to the user with identity $ID$ via a dedicated secure channel.
3) UserKeyGeneration$(K, N, mdk_{ID})$: on input the received secret key $mdk_{ID}$, the public parameter $K$, the time period $N$ and $ID$, the algorithm outputs the helper key $BK_0$.
4) BaseKeyUpdate$(BK_0, bk_j, t)$: on input the helper key $BK_0$, the helper key $bk_j$ of the span and the time span index $t$, the algorithm outputs the update key $UK_t$.
5) UserKeyUpdate$(mdk_{ID_{t-1}}, t, UK_t)$: on input $mdk_{ID_{t-1}}$, the index $t$ of the next span and the update key $UK_t$, it outputs the secret key $mdk_{ID_t}$ for the next span $t$ corresponding to the user $ID$.
6) PKIEncrypt$(K, t, ID, M_1)$: on input $K$, the span index $t$ of the current time period, an identity $ID \in \{0,1\}^*$ and a plaintext $M_1 \in \mathcal{M}$, it returns the ciphertext $CT_t = (t, CT_1)$, where $CT_t \in \mathcal{CT}$.
7) PKIDecryption$(mdk_{ID_t}, t, CT_t)$: it takes the current private secret key $mdk_{ID_t}$ and the ciphertext $CT_t$ as input and returns a plaintext $M_1 \in \mathcal{M}$, or the symbol $\bot$ if the ciphertext is invalid.
8) Test$(CT_{t_A}, CT_{t_B})$: it takes the ciphertexts $CT_{t_A}$ and $CT_{t_B}$ output by user A and user B, respectively. It outputs 1 if the messages corresponding to $CT_{t_A}$ and $CT_{t_B}$ are equal; it outputs 0 otherwise, or $\bot$.
Correctness:
1) When $mdk_{ID_t}$, the updated secret decryption key, is generated with multiple helpers and the BaseKeyUpdate algorithm takes $ID$ as the public key, then
$$\forall M_1 \in \mathcal{M}: Decrypt(CT, mdk_{ID_t}) = M_1,$$
where $CT = Encrypt(ID, M_1)$ and $CT_t = (t, CT)$.
2) Suppose $tdr_A$ and $tdr_B$ are trapdoors generated by the trapdoor algorithm given $ID_A$ and $ID_B$ as the public keys; then
$$\forall M_1 \in \mathcal{M}: Test(CT_A, td_A, CT_B, td_B) = 1,$$
where $CT_A = Encrypt(ID_A, M_1)$ and $CT_B = Encrypt(ID_B, M_1)$.
3) Suppose $tdr_A$ and $tdr_B$ are trapdoors generated by the trapdoor algorithm given $ID_A$ and $ID_B$ as the public keys; then for all $M_1, M'_1 \in \mathcal{M}$ with $M_1 \neq M'_1$,
$$\Pr\big[Test(CT_A, td_A, CT_B, td_B) = 1\big]$$
is negligible, where $CT_A = Encrypt(ID_A, M_1)$ and $CT_B = Encrypt(ID_B, M'_1)$.
1) Setup$(\lambda)$: the challenger, on input a security parameter $\lambda$, executes the setup algorithm. It gives the system parameters $K$ to the adversary $A$ and keeps the master key $MSK$ to itself.
2) Phase 1, private secret decryption key queries $(ID_a)$: the challenger runs the extract algorithm to generate the private decryption key $mdk_{t_a}$ corresponding to the user with public key $ID_a$. It forwards $mdk_{t_a}$ to $A$.
3) Trapdoor queries $(ID_a)$: the challenger executes the private decryption key query above on $ID_a$ to obtain $mdk_{ID_a}$ and subsequently generates the trapdoor $tdr_a$ from $mdk_{ID_a}$ via the trapdoor algorithm. Finally, it forwards $td_a$ to $A$.
4) Decryption queries $(ID_a, (t, CT_a))$: the challenger decrypts the ciphertext $(t, CT_a)$ with the decryption algorithm, after running the extract algorithm to obtain the private secret key $mdk_{ID_{t_a}}$ for the public key $ID_a$. Finally, it forwards the plaintext $M_1$ to $A$.
5) Challenge: $A$ submits an identity $ID_{ch}$ on which it wishes to be challenged. The only constraint is that $ID_{ch}$ did not appear in a private decryption key query in Phase 1; $ID_{ch}$ may appear in trapdoor queries or decryption queries in Phase 1. The challenger then randomly chooses a plaintext $M_{ch} \in \mathcal{M}$ and sets $CT^* = Encrypt(ID_{ch}, M_{ch}, tok_{ID^*})$. Finally, it forwards $CT^*$ to $A$ as the challenge ciphertext.
6) Phase 2, private decryption key queries $(ID_a)$ with $ID_a \neq ID_{ch}$: the challenger responds as in Phase 1.
7) Trapdoor queries $(ID_a, CT_i) \neq (ID_{ch}, CT^*)$: the challenger responds as in Phase 1.
8) Decryption queries $(ID_a, CT_i) \neq (ID_{ch}, CT^*)$: the challenger responds as in Phase 1.
9) Guess: $A$ submits a guess $M'_1 \in \mathcal{M}$.
The scheme is W-IND-ID-CCA secure if for all W-IND-ID-CCA adversaries $A$,
$$ADV^{W\text{-}IND\text{-}ID\text{-}CCA}_{PKI\text{-}IBPKE\text{-}ET,\,A}(K) = \Pr[M'_1 = M_1] \quad (2)$$
is negligible.
The detailed construction for the PKI-IBPKE-ET in this section includes:
1) Setup$(\lambda, Q, N)$: the system takes a security parameter $\lambda$, the number of helper keys $Q$ and the number of time periods $N$ as input and returns the public system parameter $K$. The initial master secret key is $MSK$ and the multiple helper keys are $(bk_0, \cdots, bk_{Q-1})$.
● The system generates two multiplicative groups $G$ and $G_T$ of the same prime order $p$ of $\lambda$ bits and a bilinear map $e : G \times G \to G_T$. The system selects an arbitrary generator $g \in G$.
● The algorithm uses a keyed permutation $F : \{0,1\}^k \times \{0,1\}^n \to \mathbb{Z}_p^*$ for positive integers $K = k(\lambda)$ and $L = n(\lambda)$. It sets a random value $k_1$ from $\{0,1\}^L$. It generates a MAC scheme $MAC = (G, S, V)$, where $G$ is the key generation, $S$ the signing and $V$ the verification algorithm, and obtains $k_2$ by running $G(\lambda)$. It sets the master token key $MTK = (k_1, k_2)$.
● The system chooses three hash functions $H_1 : \{0,1\}^p \to \mathbb{Z}_p^*$, $H_2 : \{0,1\}^* \to G$ and $H_3 : T \times G_T \to \{0,1\}^{p+l}$, where $l$ is the length of the random numbers and $p$ is the message length. The algorithm randomly picks $(\alpha, \beta) \in \mathbb{Z}_p^2$ and sets $g_1 = g^\alpha$, $g_2 = g^\beta$. It publishes the public parameter $K = (T, p, G, G_T, e, g, g_1, g_2, bk_Q, MAC, H_1, H_2, H_3)$ and keeps $MSK = (\alpha, \beta)$. $T$ denotes the MAC tag.
2) Extract$(K, MSK, ID)$: for a given string $ID \in \{0,1\}^*$, the public parameter $K$ and $MSK$, the algorithm computes $h_{ID} = H_2(ID) \in G$ and sets the temporal master decryption key $mdk_{ID_t} = (h_{ID_t}^\alpha, h_{ID_t}^\beta)$, where $(\alpha, \beta)$ is the master secret key and $t$ is the initial time period index.
3) UserKeyGeneration$(K, mdk_{ID_t}, ID_t)$: on input $mdk_{ID_t}$, the algorithm randomly chooses $bk_{Q-1} \in \{0,1\}^p$ and sets
$$BK_0 = g^{bk_{Q-1}}, \quad g_3 = g^\alpha \Big(\prod_{i=1-Q}^{0} \big(g^{H_1(bk_j(i))}\big)^{r_1}\Big), \quad g_4 = \Big(\prod_{i=1-Q}^{0} g^{r_1}\Big)^\beta, \quad (3)$$
where $r_1 = F(bk_j, i)$ and $j = (i \bmod Q)$.
The function $F$ is assumed to be a pseudorandom permutation.
The initial secret helper key is $BK_0 = (g_3, g_4)$ and the helper keys are set to $(bk_0, \cdots, bk_{Q-1})$.
4) BaseKeyUpdate$(bk_j, t)$: on input the helper key $bk_j$ and a period index $t$, the helper key updater computes the $j$-th helper base as
$$UK_t = \big(g_3^{H_1(bk_j(t-Q))},\; g^{r_{t-Q}}\big), \quad (4)$$
where $r_t = F(bk_j, t-Q)$ and $j = (t \bmod Q)$.
5) UserKeyUpdate$(t, UK_t, mdk_0, ID)$: on input the period $t$, the update key at time $t$ and the master decryption key for $ID \in \{0,1\}^*$, the algorithm parses
$$UK_t = (H_{1t}, H'_{1t}) \quad \text{and sets} \quad UTKU_{t-1} = (g_{3t}, g_{4t}),$$
$$g_{4t-1} = g_{4t-1} \cdot H_{1t}, \quad g_{3t-1} = g_{3t-1} \cdot H'_{1t}.$$
Hence $UTKU_t = (g^{ID}_{4t}, g^{ID}_{3t})$. Thus $g_3 = g^\alpha \Big(\prod_{i=1-Q}^{t} \big(g^{H_1(bk_j(i))}\big)^{r_1}\Big)$ with $j = (i \bmod Q)$, and $g_4 = \Big(\prod_{i=1-Q}^{0} g^{r_1}\Big)^\beta$, where $r_1 = F(bk_j, i)$.
The algorithm parses the secret decryption key of the current period index as
$$mdk_{ID_t} = (h_{ID_t}^\alpha, h_{ID_t}^\beta), \quad (5)$$
where $g_3 = h_{ID}^{\alpha(t)}$ and $g_4 = h_{ID}^{\beta(t)}$.
6) PKITrapdoor$(ID, MSK, t)$: for a given string $ID \in \{0,1\}^*$, $MSK$ and time index $t$, the algorithm computes $h_{ID} = H_2(ID) \in G$ and sets the trapdoor $td_{ID} = h_{ID}^\beta$; $td_{ID}$ is the second element of $mdk$. $mdk_{ID_t}$, $td_{ID}$ and $tok_{ID}$ are distributed via a secure channel.
7) PKIEncrypt$(K, ID, M_1)$: to encrypt $M_1$ under the public identity $ID$, the algorithm selects two random numbers $(r_1, r_2) \in \mathbb{Z}_p^*$. It then computes
$$CT_1 = g^{r_1}, \quad CT_2 = Q_1^{r_1} \cdot H_2\big(e(g_4, h_{ID})^{r_1}\big),$$
where
$$Q_1 = \Big(\prod_{i=1-Q}^{t} BK_j^{H_1(i)}\Big) \cdot M_1, \quad CT_3 = g^{r_2},$$
$$CT_4 = (M_1 \| r_1) \oplus H_3\big(CT_1 \| CT_2 \| P \| e(g_3, h_{ID})^{r_2}\big).$$
Finally, it returns
$$CT = (CT_1, CT_2, CT_3, CT_4),$$
where $P \leftarrow S(k_2, CT_3)$ for the signing algorithm $S$ of the employed MAC; the tag $P$ is used to verify $CT_3$. The function $F$ is assumed to be a strong pseudorandom permutation and the MAC is existentially unforgeable under chosen message attack.
8) PKIDecrypt$(CT, mdk_{ID}, tok_{ID})$: on input the ciphertext $CT$, the updated secret key $mdk_{ID}$ and the token $token = (k_1, k_2)$, it computes
$$m' \| r' = CT_4 \oplus H_3\big(CT_1 \| CT_2 \| P \| e(CT_3, mdk_{ID_t}^\alpha)\big),$$
$$m' \| r' = H_3\big(e(CT_3, mdk_{ID_t}^\alpha)\big).$$
Given $P \leftarrow S(k_2, CT_3)$, where $P = MAC_{k_2}(CT_3)$, the algorithm computes $B' = MAC_{k_2}(CT_3)$ and verifies that $B' = P$. It then checks whether $CT_1 = g^{r'_1}$ and
$$CT_2 = Q_1^{r'_1} \cdot H_2\big(e(CT_1, h_{ID_t}^\beta)\big), \quad \text{where } Q_1 = \Big(\prod_{i=1-Q}^{t} BK_j^{H_1(i)}\Big) \cdot M'_1.$$
If both hold, the algorithm returns $M'_1$; otherwise it returns $\bot$.
9) Test$(CT_A, td_{ID_A}, CT_B, td_{ID_B})$: on input the ciphertext $CT_A$, the trapdoor $td_A$, a given sender's ciphertext $CT_B$ and its trapdoor $td_B$, the algorithm tests whether $M_{1A} = M_{1B}$ by computing
$$T_A = \frac{CT_{2A}}{H_2\big(e(CT_{1A}, td_{ID_A})\big)}, \quad T_B = \frac{CT_{2B}}{H_2\big(e(CT_{1B}, td_{ID_B})\big)}. \quad (6)$$
The algorithm outputs 1 if the equation $e(CT_{1A}, T_B) = e(CT_{1B}, T_A)$ holds, and 0 otherwise.
Correctness:
The requirements of the above definition are shown below:
1) The first point is straightforward and verifiable as shown above.
2) For well-formed ciphertexts for $ID_A$ and $ID_B$ we have
$$T_A = \frac{CT_{2A}}{H_2\big(e(CT_{1A}, td_{ID_A})\big)}, \quad T_B = \frac{CT_{2B}}{H_2\big(e(CT_{1B}, td_{ID_B})\big)},$$
$$T_A = \frac{Q_{1A}^{r_{1A}} \cdot H_2\big(e(g^{r_{1A}}, h_{ID_A}^{\beta(t)})\big)}{H_2\big(e(g^{r_{1A}}, h_{ID_A}^{\beta(t)})\big)}, \quad T_B = \frac{Q_{1B}^{r_{1B}} \cdot H_2\big(e(g^{r_{1B}}, h_{ID_B}^{\beta(t)})\big)}{H_2\big(e(g^{r_{1B}}, h_{ID_B}^{\beta(t)})\big)},$$
$$T_A = Q_{1A}^{r_{1A}} \quad \text{and} \quad T_B = Q_{1B}^{r_{1B}}.$$
The algorithm outputs 1 if the following equation holds, and 0 otherwise:
$$e(CT_{1A}, T_B) = e(CT_{1B}, T_A).$$
Therefore,
$$e(CT_{1A}, T_B) = e\big(g^{r_{1A}}, Q_{1B}^{r_{1B}}\big) = e(g, Q_{1B})^{r_{1A} r_{1B}},$$
$$e(CT_{1B}, T_A) = e\big(g^{r_{1B}}, Q_{1A}^{r_{1A}}\big) = e(g, Q_{1A})^{r_{1A} r_{1B}},$$
where
$$Q_{1A} = \Big(\prod_{i=1-Q}^{t} BK_j^{H_1(i)}\Big) \cdot M_{1A} \quad \text{and} \quad Q_{1B} = \Big(\prod_{i=1-Q}^{t} BK_j^{H_1(i)}\Big) \cdot M_{1B}.$$
Given the token $tok_{ID} = k_1$, the function outputs $M_A$ and $M_B$.
If $Q_{1A} = Q_{1B}$, then $e(CT_{1A}, T_B) = e(CT_{1B}, T_A)$ and Test$(CT_A, td_{ID_A}, CT_B, td_{ID_B})$ outputs 1.
3) For any $M_A \neq M_B$, Test$(CT_A, td_{ID_A}, CT_B, td_{ID_B}) = 1$ implies that
$$e(g, Q_{1A})^{r_{1A}} = e(g, Q_{1B})^{r_{1B}}.$$
Hence,
$$\Pr\big[e(g, Q_{1A}) = e(g, Q_{1B})\big] = \frac{1}{2}.$$
Therefore, we assume that
$$\Pr\big[Test(CT_A, td_{ID_A}, CT_B, td_{ID_B}) = 1\big]$$
is negligible.
The PKI-IBPKE-ET scheme is W-IND-ID-CCA secure in the random oracle model, assuming the advantage against the Bilinear Diffie-Hellman Problem (BDHP) is negligible.
Proof: Assume $A$ is a probabilistic polynomial-time (PPT) adversary attacking the W-IND-ID-CCA security of our scheme. Suppose $A$ runs in time $T$ and issues $q_H$ hash queries and $q_D$ decryption queries. Let $Adv_A^{W\text{-}IND\text{-}CCA}(t, q_H, q_D)$ denote the advantage of $A$ in the W-IND-ID-CCA experiment.
Our proof of security is similar to [
1) Game $G_0$
● $\alpha \leftarrow \mathbb{Z}_p^*$, $g_1 = g^\alpha$, $T = N$, $BK = \{bk_0, \cdots, bk_{Q-1}\}$, $R = \emptyset$.
● $M_1 \leftarrow G$, $r_0 \leftarrow \mathbb{Z}_p^*$, $U_0^* = g^r$, $V_0^* = M_1^r$, $W_0^* = H(T, (bk_{Q-1})^*, U_0^*, V_0^*, g_1^r) \oplus (M_1 \| r)$.
● $M_1 \leftarrow A^{O_H, O_2}(T, (bk_{Q-1})^*, U_0^*, V_0^*, W_0^*)$, where the oracles work as follows:
● $O_H$: on input the tuple $(T, (bk_{Q-1}), U_0, V_0, Y_0) \in G^4$, a random value is returned; the same input may be asked multiple times, but the same answer is always returned.
● $O_2$: on input a ciphertext $(T, (bk_{Q-1}), U_0, V_0, W_0)$, it runs the decryption algorithm to decrypt it using the secret key $\alpha$ for the given time index $N$ and helper key $Q$.
Let $S_0$ be the event that $M'_1 = M_1$ in Game $G_0$; the probability of this event in Game $G_0$ is $\Pr[S_0]$. We now modify Game $G_0$ to obtain the following game.
2) Game $G_1$
● $\alpha \leftarrow \mathbb{Z}_p^*$, $g_1 = g^\alpha$, $T = N$, $BK = \{bk_0, \cdots, bk_{Q-1}\}$, $R = \emptyset$.
● $M_1 \leftarrow G$, $r_0 \leftarrow \mathbb{Z}_p^*$, $U_0^* = g^r$, $V_0^* = M_1^r$, $R_0^* \leftarrow \{0,1\}^{p+l}$, $W_0^* = H(T, (bk_{Q-1})^*, U_0^*, V_0^*, g_1^r) \oplus (M_1 \| r)$, $R_0 = R_0 \cup \{(T, (bk_{Q-1})^*, U_0^*, V_0^*, (U_0^*)^\alpha, R_0^*)\}$.
● $M_1 \leftarrow A^{O_H, O_2}(g_1, (bk_{Q-1})^*, T, U_0^*, V_0^*, W_0^*)$, where the oracles work as follows:
● $O_H$: on input a tuple $(T, (bk_{Q-1}), U_0, V_0, Y_0) \in G^4$, if there is an entry $(T, (bk_{Q-1}), U_0, V_0, Y_0, h)$ in the hash table $R$, $h$ is returned; otherwise a random value $h$ is selected and returned, and $(T, (bk_{Q-1}), U_0, V_0, Y_0, h)$ is added to $R$.
● $O_2$: on input a ciphertext $(T, (bk_{Q-1}), U_0, V_0, W_0)$, a hash query on $(T, bk_{Q-1}, U_0, V_0, U_0^\alpha)$ is issued. Assuming the answer is $h \in \{0,1\}^{p+l}$, $M_1 \| r$ is computed as $h \oplus W_0$, and a validity check on whether $U_0 = g^r$ and $V_0 = M_1^r$ is executed. If it fails, $\bot$ is returned; otherwise $M_1$ is returned.
Let $S_1$ denote the corresponding event in Game $G_1$. Since $G_0$ and $G_1$ are identical, we deduce
$$\Pr[S_1] = \Pr[S_0].$$
We next modify the game simulation in an indistinguishable way:
3) Game $G_2$
● $\alpha \leftarrow \mathbb{Z}_p^*$, $g_1 = g^\alpha$, $T = N$, $BK = \{bk_0, \cdots, bk_{Q-1}\}$, $R = \emptyset$.
● $M_1 \leftarrow G$, $r_0 \leftarrow \mathbb{Z}_p^*$, $U_0^* = g^r$, $V_0^* = M_1^r$, $W_0^* \leftarrow \{0,1\}^{p+l}$, $R^* \leftarrow \{0,1\}^{p+l}$, $W_0^* = H(T, (bk_{Q-1})^*, U_0^*, V_0^*, g_1^r) \oplus (M_1 \| r)$, $R_0 = R_0 \cup \{(t, (bk_{Q-1})^*, U_0^*, V_0^*, (U_0^*)^\alpha, W_0^*)\}$.
● $M_1 \leftarrow A^{O_H, O_2}(g_1, T, (bk_{Q-1}), U_0^*, V_0^*, W_0^*)$.
The oracles respond to queries as follows:
● $O_H$: identical to Game $G_1$; however, if the adversary queries $(U_0^*, \cdot, (U_0^*)^\alpha)$, the game is aborted. Let $\varepsilon$ denote this event.
● $O_2$: identical to Game $G_1$; however, if the adversary asks for the decryption of $(U_0^*, V_0^*, W'_0)$ with $W'_0 \neq W_0^*$, $\bot$ is returned.
Chosen ciphertext (CCA) security is paramount in this game because $W_0^*$ is a random value in both games; the random oracle responses are unique and probabilistic because $W_0^*$ depends on $U_0^*$ and $V_0^*$. The probability of $\bot$ occurring is negligible.
We modify the simulation in the time index period with multiple helper (base) keys in an indistinguishable way in the following game.
4) Game $G_3$
● $\alpha \leftarrow \mathbb{Z}_p^*$, $g_1 = g^\alpha$, $T = N$, $BK = \{bk_0, \cdots, bk_{Q-1}\}$, $R = \emptyset$, $t \in N$.
● $M_1 \leftarrow G$, $r_0 \leftarrow \mathbb{Z}_p^*$, $U_0^* = g^r$, $V_0^* = M_1^r$, $W_0^* \leftarrow \{0,1\}^{p+l}$, $R_0 = R_0 \cup \{(t, (bk_{Q-1})^*, U_0^*, V_0^*, (U_0^*)^\alpha, W_0^*)\}$.
● $M_1 \leftarrow A^{O_H, O_2}(g_1, T, (bk_j), U_0^*, V_0^*, W_0^*)$.
● $O_H$: identical to Game $G_2$; however, if the adversary queries $(U_0^*, T, bk_j, U_0^*, \cdot, (U_0^*)^\alpha)$, the game is aborted. Let $\varepsilon_1$ denote this event.
● $O_2$: identical to Game $G_2$; however, if the adversary asks for the decryption of $(U_0^*, bk'_j, V_0^*, t)$ with $bk'_j \neq bk_j$, $\bot$ is returned.
The timestamp and the base key $bk_j$ of period $j$ associated with the ciphertext improve the security of this game. $t$ is a timestamp value associated with the ciphertext in both games; the random oracle responses are unique and probabilistic because decryption queries depend on $T$, $U_0^*$, $V_0^*$ and $bk_j$. The probability of $\bot$ occurring is negligible.
In this game, the challenge ciphertext is identically distributed in Games $G_2$ and $G_3$, as $W_0^*$ is a random value in both. The simulation of $O_2$ is sound since $W_0^*$ is uniquely determined by $U_0^*$ and $V_0^*$ in Game $G_2$ and by $U_0^*$, $V_0^*$, $T$ and $bk_j$ in Game $G_3$. Therefore, if event $\varepsilon_1$ does not occur, Game $G_3$ is identical to Game $G_1$. It is shown below that event $\varepsilon_1$ occurs with negligible probability.
We further simulate the decryption queries in a way indistinguishable from Game $G_3$. The decryption queries are separated into two types:
● Type 1: $(T, U_0, V_0, U_0^\alpha)$ is queried to $O_H$ before the decryption query $(T, U_0, V_0, W_0)$ is issued. In this case $W_0$ is determined after $(T, U_0, V_0, U_0^\alpha)$ is queried to $O_H$, so the decryption oracle is perfectly simulated.
● Type 2: $(U_0, V_0, U_0^\alpha)$ has not been queried to $O_H$ when the decryption query $(U_0, V_0, W_0, BK)$ is issued. In this case $\bot$ is returned by the decryption oracle. The simulation fails only if $(U_0, V_0, W_0, BK)$ is valid, which happens with negligible probability.
The efficiency of the algorithms and the time consumption of our scheme are compared with Ma's [
SCH | PKI | IA | Encryption | Decryption | Test | Security | R | TD | ET |
---|---|---|---|---|---|---|---|---|---|
[ | N | N | 4Exp1 + 2Exp2 | 2P + 2Exp1 | 4P | OW-ID-C | Y | Y | Y |
[ | N | Y | 1P + 4Exp1 + 2Exp2 | 1P + 2Exp1 | 2P | W-I-ID-C | Y | N | Y |
[ | N | N | 1P + 4Exp1 + 1Exp2 | 3P | 4P | I-ID-C | Y | N | N |
Ours | Y | Y | 2P + 2Exp1 + 2Exp2 | 2P + 2Exp1 | 2P | W-I-ID-C | Y | Y | Y |
Legends: In this table, “SCH”: scheme; “Exp1” and “Exp2”: exponentiation in group 1 and group 2; “P”: pairing computation; “PKI”: parallel key-insulated; “IA”: insider attack; “R”: random oracle model; “TD”: trapdoor; “ET”: equality test; “Y”: yes (supported); “N”: no (not supported); “I”: IND; “CA”: CPA; “C”: CCA.
SCHEME | PK size | SK size | CT size | DelAuth | ROM | Assumption |
---|---|---|---|---|---|---|
[ | $2G_0$ | $2Z_{p0}$ | $4G_0 + Z_{p0}$ | Yes | Yes | BDH |
[ | $2G_0$ | $3Z_{p0}$ | $4G_0 + Z_{p0}$ | No | Yes | BDH |
[ | $2G_0$ | $2Z_{p0}$ | $2G_0 + Z_{p0}$ | No | Yes | BDH |
Ours | $2G_0$ | $2Z_{p0}$ | $2G_0 + Z_{p0}$ | Yes | Yes | BDH |
Legends: In this table, PK size: size of the public key; SK size: size of the secret key; CT size: size of the ciphertext; DelAuth: authorization; BDH: bilinear Diffie-Hellman; $G_0$: the group $G$; $Z_{p0}$: $\mathbb{Z}_p$; ROM: random oracle model. W-IND-ID-CCA refers to weak indistinguishability under identity-based chosen ciphertext attack, OW-ID-CCA refers to one-wayness under identity-based chosen ciphertext attack and IND-ID-CPA refers to indistinguishability under identity-based chosen plaintext attack.
curve of $y = x^3 + ax^2 + b$ defined over $\mathbb{F}_{2^{163}}$ is used to provide the same security level in the ECC group. The computational units are milliseconds (ms) and bytes, respectively. The execution time of each algorithm was calculated and a Matlab program was used to generate Figure 2. Figure 2 depicts the computation cost of decryption and test of our scheme compared with other existing works, whereas our encryption cost is higher. This is reasonable due to the additional computational overhead required to prevent helper key exposure with the adoption of multiple helpers, which is not the case in the other works. In terms of the computation cost of decryption and test, our scheme is better than the schemes in [
Furthermore, our computational overhead results do not make our scheme superior to the other related schemes in terms of computational cost. However, this is acceptable because the additional computations added to our scheme increase the number of computational variables. Thus, the computational cost of encryption and decryption is higher than in the related schemes due to the extra multiple-helper computation added to our scheme. However, the test computational cost is comparable to [
This paper introduced a scheme to solve the problem caused by private decryption key exposure and helper key exposure in identity-based cryptosystems with equality test. Our scheme delegates the equality test to the cloud server and also thwarts the insider attack in public key encryption. Inspired by the notion of the scheme in [
Sincere thanks to the anonymous reviewers for their kind consideration and a special thanks to managing editor Hellen XU for a rare attitude of high quality.
The authors declare no conflicts of interest regarding the publication of this paper.
Alornyo, S., Mohammed, M.A., Kodzo, B.A.S., Sarpong, P.A. and Asante, M. (2020) Parallel Key Insulated ID-Based Public Key Cryptographic Primitive with Outsourced Equality Test. Journal of Computer and Communications, 8, 197-213. https://doi.org/10.4236/jcc.2020.812018