1. Introduction
Rapid elasticity with high computing services that sustain lowered costs have propagated cloud computing into a sought-after paradigm, due to the standardization, commercialization, and application [1][2][3]. With the massive growth of data, the scope of data storage has augmented. These on-demand attributes have resulted in making available capabilities for the storage of these tremendous amounts of data. Cloud computing offers a virtualized resource pool that uses distributed storage, where the immense data can be accessed with virtual applications over the internet on user demand. However, the knowledge that the cloud server is many times regarded as untrusted raises concerns by users [4][5]. It would be difficult for users to consider storing data that is sensitive to the cloud server. This is because the data accessed by these users is replicated onto specific devices and the requisite to ensure data confidentiality and authentication arises [6][7]. Storing data on a single virtual pool results to difficulty in achieving the same amount of security for this data as compared to the physical network [8]. Hence, the public key infrastructure (PKI) is introduced to enable secure and trusted data sharing on the cloud. The PKI is therefore considered when sensitive data that has to be uploaded to the server, is encrypted using the public key of a receiver and then sent to the cloud server. This ensures the sharing of data is secured, authenticated, and verified in such a way that the authorized user uses his/her secret key to decrypt the secured data. Incase encrypted data in massive amounts have been stored in the cloud, the search over these encrypted data is required because it is impractical for the users to download all data from cloud server each time s/he needs the encrypted data. Therefore, public key encryption with search functionality is required to search the encrypted data stored in the cloud server without affecting the privacy of the user.
With this in consideration, to ensure that a user’s information is not disclosed whenever their data is searched; search functionality is supported in the ciphertexts that are stored in the cloud server. This allows for the ability to search the ciphertexts, with no information related to the plaintexts being exposed. This idea was first proposed by Boneh et al. [9], where the keyword search function was incorporated into public key cryptography and is known as PKE-KS. However, PKE-KS being able to support search functionality still experiences a drawback where the search function only works for ciphertexts encrypted under the same public key.
To handle this drawback, Yang et al. [10] presented a scheme known as public key encryption with equality test (PKE-ET). In PKE-ET scheme the equality test can not only be performed on the ciphertexts which are encrypted under the same public key but also under different public keys. Consequently a lot of work has been put into improving the equality test scheme such as [11][12][13][14][15]. However, considering that PKE-ET is founded on public key infrastructure (PKI) system, certificate management becomes an issue since the systems overhead drastically increase. To solve this problem, Ma [16] proposed the notion of identity-based encryption with outsourced equality test (abbreviated as IBE-ET). The IBE-ET scheme is constructed under the IBC cryptosystem. In IBE-ET scheme, the cloud server can perform the equivalence test amid two messages, which have been encrypted under the same identity as well as different identities. Moreover, much effort has been put to improve the idea of IBE-ET such as [17][18][19]. However, IBE-ET schemes still experience difficulties as a result of the key escrow problem. The key escrow problem happens when the user needs to obtain a decryption key, he/she first contacts the private key generator (PKG). The PKG makes use of its master secret key (msk) to generate a decryption key of a user and sends it back to the user.
Fig. 1. Application scenario for PKE-ET-HS scheme.
Here the PKG has access to the users' encrypted data because it has their decryption keys. To fix this problem, Al-Riyami et al. [20] proposed the notion of certificateless public key encryption (CL-PKE). In this notion, users own decryption keys which are in two parts. The user produces the first part of the key, while the other part is produced by the key generation center (KGC). Therefore, the key generation center (KGC) has partial access to a user's decryption key, ensuring it does not have access to a user's data. By incorporating the idea of PKE-ET and the certificateless public key encryption (CL-PKE), Qu et al. [21] proposed the notion of certificateless public key encryption with equality test (CL-PKE-ET). The CL-PKE-ET scheme is constructed under the CLC cryptosystem.
An observation into the above-mentioned schemes indicates their homogeneous nature. Namely, the cloud server can only execute the equality test between two ciphertexts encrypted under the same cryptosystem. Therefore, if we need to delegate the cloud server to perform the equivalence test between ciphertexts encrypted under the different cryptosystems, we should construct a cryptographic scheme that provides a heterogeneous equivalence test. In other words, we should construct a secure scheme that allows the cloud server to perform the equality test between ciphertexts encrypted under the different cryptosystems.
A typical scenario for a heterogeneous systems equality test is shown in Fig. 1. In this scenario, we have a hospital that has many branches distributed in different countries. We assume that these countries have different network providers. In the sense that, each country has different security techniques. For example, the branch in the first country uses CLC cryptosystem to protect the security of its network, while the branch in the other country uses IBC cryptosystem. However, all of these branches receive data from their patients, encrypted under the branches' public key and stored in the cloud server of this hospital. Consequently, if the hospital statistics department needs to produce a statistical report to figure out the number of patients in the branch A with the same disease in the branch B, an SQL statement should be written as follows:
Considering that the tables of a patient in branch A and branch B are denoted by Branch A. patient and BranchB.patient, respectively, and these two tables contain the same column (e.g., Pid, Pname, disease-name). It is noticeable that, in the "where clause" the cloud server needs to perform the equality test between the ciphertext encrypted under the CLC cryptosystem and the ciphertext encrypted under the IBC cryptosystem. Therefore, branch A and B should send their trapdoors to the cloud server, whereby it performs the equality test and returns the result.
1.1 Our contribution
A novel public key encryption with equality test for heterogeneous systems (PKE-ET-HS) is presented in this paper to deal with the practical needs in the cloud server. In our proposed scheme, we can designate the cloud server to perform equivalence test between the ciphertext encrypted under the CLC cryptosystem with the ciphertext encrypted under the IBC cryptosystem. The contribution made in this paper can be briefly outlined as follows:
1. With the integration between IBE-ET and CLE-ET, the formalized definition and the security model of PKE-ET-HS scheme is presented.
2. Based on the bilinear pairing, our PKE-ET-HS scheme is proposed. In the random oracle model (ROM), the security of our suggested scheme has been proved under the BDH assumption.
3. Finally, in terms of computation and communication costs incurred through storage size, encryption, decryption and testing phases, our scheme is compared with alternative works. The outcome illustrates that our proposed scheme outperforms the existing work.
1. 2 Organization
The other parts of this paper will be as follows; the related works and the preliminaries in Section 2 and 3, respectively. Section 4 will show the definitions. Section 5 will be our presentation of the PKE-ET-HS scheme while the security analysis and performance shall be discussed in section 6 and 7, respectively. We finalize our paper in section 8.
2. Related Work
Boneh et al. [9] proposed a way of searching the public key encryption scheme by adopting keywords known as public key encryption with keyword search (PKE-KS). The ciphertexts in this scheme would be run through an equivalence test to determine if the keywords are the same. This is done by a third-party that is considered semi-trusted. Abdalla et al. [22] put forth a scheme based on PKE-KS that would adopt the advantages of both IBE and PKEschemes. This scheme was known as identity-based encryption with keyword search (IBE-KS) and supported ciphertexts that were encrypted under the same identity. However, the above-mentioned searchable encryption schemes only support the ciphertexts which are encrypted by the same public key. Yang et al. [10] found a solution to this limitation by proposing an encryption scheme that incorporated equality test, not only on ciphertexts encrypted with the same public keys but also with different public keys. This scheme was known as public key encryption with equality test (PKE-ET). The advantage in this scheme is that, it is quite flexible since an authorized cloud server has the search functionality hence can search messages to ascertain whether two ciphertexts encrypted with same or different public keys are equivalent. Consequently, Tang et al. [23] found a way which would ensure PKE-ET has authorization enforced which he referred to as fine-grained authorization public key encryption with equality test (FG-PKE-ET). This scheme made provision for only two users to perform equality test. The users, would, however have the assistance of a third-party entity. He further proposed an improvement on the FG-PKE-ET by incorporating two proxy setting [24] into the scheme. The two proxies would cooperate and ensure that the equality test is accomplished. Additionally, Tang proposed a scheme known as all-or-nothing PKE-ET[11]. This scheme was a more refined one and it could choose who would have the right to perform equality test on a coarser granularity manner. Nevertheless, there were situations where delegated parties were the only ones required to finish work in practical multi-user settings. Ma et al. [12] introduced the notion of PKE incorporating delegated equality test (PKE-DET). Subsequently, Huang et al. [13] proposed a scheme that involved authorized equality test i.e. PKE-AET. Here the given users have the chance of testing equivalence between two ciphertexts or rather two specified ciphertexts. Ma et al. [14] improved the PKE-AET by proposing a scheme that supported flexible authorization known as PKE-ET-FA. The urge to keep improving these schemes by researches resulted in the introduction of the PKE-ET into the 5G networks field by Xu et al. [15]. This scheme provides users with providence to check if a specified cloud server has correctly performed the equality test on the given ciphertexts. A closer investigation on the above-mentioned schemes, we realize that all of these schemes have their basis on the public key infrastructure (PKI). Unfortunately, the PKI has proved to be unreliable when it comes to scalability since the distribution of public keys is unmanageable. New research areas on identity-based encryption have hence sprouted as shown by [16][17][19]. These encryption schemes have considered the outsourcing of equality tests in order to make the process more flexible when it comes to certificates management. And despite this encryption suffering from key escrow, Qu et al. [21] proposed the certificateless public key encryption with equality test (CL-PKE-ET) scheme by integrating the notion of CL-PKE with PKE-ET. As of now we recognize, the equality test for heterogeneous systems has not been brought to literature yet.
3. Preliminaries
We depict the basic definition and properties of the bilinear pairings and Bilinear Diffie-Hellman (BDH) assumption in this section.
3.1 Bilinear map
Let \( \mathbb{G}_{1}\) and \( \mathbb{G}_{2}\) be two multiplicative cyclic groups of prime order \(p\). Suppose that \(g\) is a generator of \( \mathbb{G}_{1}\). A bilinear map \(e: \mathbb{G}_{1} \times \mathbb{G}_{1} \rightarrow \mathbb{G}_{2}\) satisfies the following properties:
1. Bilinearity: For all \(g, h \in \mathbb{G}_{1},\) for all \(x, y \in \mathbb{Z}_{p}^{*}, e\left(g^{x}, h^{y}\right)=e(g, h)^{x y}\).
2. Non-degeneracy: For all \(g, h \in \mathbb{G}_{1}, e(g, h) \neq 1_{\mathrm{G} 1}\).
3. Computability: An efficient algorithm to compute \(e(g, h)\) is realizable.
3. 2 Bilinear Diffie-Hellman (BDH) assumption
Let \( \mathbb{G}_{1}\) and \( \mathbb{G}_{2}\) be two multiplicative cyclic groups with a large prime order \(p\). Let \(e: \mathbb{G}_{1} \times \mathbb{G}_{1} \rightarrow \mathbb{G}_{2}\) be an admissible bilinear map and let \(g\) be a generator of \( \mathbb{G}_{1}\). The BDH problem in \(\) is as follows: Given \(\) for random \(a, b, c \in \mathbb{Z}_{p}^{*}\), any randomized algorithm \(\mathcal{A}\) computes \(S=e(g, g)^{a b c} \in \mathbb{G}_{2}\) with an advantage:
\(\mathbf{A d v}_{A}^{B D H}=\operatorname{Pr}\left[\mathcal{A}\left(g, g^{a}, g^{b}, g^{c}\right)=S\right].\)
We say that the BDH assumption holds in \(\) if for any polynomial-time algorithm \(\mathcal{A}\), its advantage \(\mathbf{A} \mathbf{d} \mathbf{v}_{\mathcal{A}}^{B D H}\) is negligible.
4. Definitions
The system model and the security model of public key encryption with equality test for heterogeneous systems (PKE-ET-HS) scheme are presented in this section.
4. 1 System model
Fig. 2 illustrates the system model of PKE-ET-HS. The PKE-ET-HS model is made up of four entities: the cloud server, the key generation center (KGC), user A and user B. User A belongs to the CLC cryptosystem while User B to the IBC cryptosystem. Under the CLC cryptosystem, User A sends his/her identity to the KGC, and the KGC generates a corresponding partial secret key (D) and delivers it back to User A. Thereupon, User B found in the IBC cryptosystem sends his/her identity to the KGC which in return sends back a corresponding secret key. Both User A and B then use their secret keys to compute their individual trapdoors denoted by \(t d_{C L C}\) and \(t d_{I B C}\) respectively. User A then uses his/her own public key to encrypt data and then outsources the data together with the trapdoor to the cloud server for storage. Consequently, User B uses his/her own ID to encrypt the data and then outsource it together with the trapdoor to cloud server. Since the cloud server has now acquired both \(t d_{C L C}\) and \(t d_{I B C}\), it can now perform an equivalence test between the CLC cryptosystem and IBC cryptosystem.
Fig. 2. System Model of PKE-ET-HS.
4. 2 Definition of PKE-ET-HS
A heterogeneous CLC and IBC equality test scheme is made up of the following algorithms.
1. Setup: The algorithm uses as input a security parameter \(\lambda\), and outputs the system parameters, containing the public parameters PubP and a master secret key msk.
2. CLC-PKG: To prompt the secret key of CLC cryptosystem, this algorithm functions as follows:
• Generate partial secret key : The key generation center (KGC) runs this algorithm. It uses PubP, msk, and a public identity of a user \(I D \in\{0,1\}^{*}\) as input, and returns a partial private key \(D\) .
• Assign secret value: The user runs this algorithm. It uses PubP and ID as inputs, and conveys the user's secret value \(x\).
• Assign secret key: The user runs this algorithm. It uses PubP, \(D\), and \(x\) as inputs, and returns the user's secret key \(s k_{C L C}\).
• Assign public key: The user runs this algorithm. It uses as inputs PubP and \(sk\) and returns the user's public key \(pk\).
3. CLC-Trapdoor: This is a trapdoor algorithm for CLC users. It uses as input \(s k_{C L C}\) of the user in CLC cryptosystem, and returns a trapdoor \(t d_{C L C}\).
4. IBC-PKG: This is an algorithm that generates the private key for IBC users. The user sends an identity ID to its PKG where it computes a corresponding secret key \(s k_{I B C}\) and sends it to the user.
5. IBC-Trapdoor: This is a trapdoor algorithm for IBC users. It takes as input \(s k_{I B C}\) of the user in IBC cryptosystem, and returns a trapdoor \(td_{I B C}\).
6. CLC-Encrypt: The CLC users run this algorithm. It utilizes the PubP, a message M, and public key \(p k_{C L C}\) as inputs. The algorithm returns a ciphertext \(C_{C L C}\).
7. CLC-Decrypt: The CLC users run this algorithm. It utilizes a ciphertext C and a user's secret key \(s k_{C L C}\) as inputs, and outputs the plaintext M.
8. IBC-Encrypt: The IBC users run this algorithm. It takes as inputs a message M and an identity ID, then it outputs a ciphertext \(C_{I B C}\).
9. IBC-Decrypt: The IBC users run this algorithm. It takes as inputs a ciphertext C and a secret key \(sk_{I B C}\), then it outputs the plaintext M.
10. Test: The cloud server runs this algorithm. It uses as inputs a ciphertext \(C_{I B C}\) and a trapdoor \(td_{I B C}\) for the user in the IBC cryptosystem. Furthermore, it uses as inputs a ciphertext \(C_{C L C}\) and a trapdoor \(td_{C L C}\) for the user in the CLC cryptosystem. Then, the Test algorithm returns 1 if \(C_{I B C}\) and \(C_{C L C}\) consist of the same message. Otherwise, it returns 0.
4. 3 Security models
According to [16], one-way chosen-ciphertext attack (OW-CCA) security against the adversary in PKE-ET-HS is defined. For simplicity, PKE-ET-HS-CLC to denote the situation that users belong to the CLC cryptosystem, and PKE-ET-HS-IBC to denote the situation that users belong to the IBC cryptosystem are used.
Definition 1. For the security of PKE-ET-HS-CLC, we consider adversaries of two kinds. Type-1 adversary \(\mathcal{A}_{1}\) cannot retrieve the system's master secret key, but has the ability to replace any user's public key. Type-2 adversary \(\mathcal{A}_{2}\) has no ability to replace a user's public key, but can retrieve the system's master secret key. PKE-ET-HS-CLC's security model is expounded by the following two games:
Game 1: Given a security parameter \(\lambda\), The game between \(\mathcal{A}_{1}\) and the challenger is illustrated as follows:
1. Setup: The challenger creates the public parameters PubP and the master secret key msk. Finally, the challenger returns PubP.
2. Phase 1: The \(\mathcal{A}_{1}\) is permitted to issue the following queries:
• Partial secret key queries \(\left\langle I D_{i}\right\rangle\): The challenger sends \(D_{i}\) to \(\mathcal{A}_{1}\).
• Secret key queries \(\left\langle I D_{i}\right\rangle\): The challenger sends \(s k_{C L C_{i}}\) to \(\mathcal{A}_{1}\).
• Public key queries \(\left\langle I D_{i}\right\rangle\): The challenger sends \(pk_{C L C_{i}}\) to \(\mathcal{A}_{1}\).
• Replace public key queries \(\left\langle I D_{i}, p k_{C L C_{i}}^{\prime}\right\rangle\): The challenger replaces the public key \(p k_{C L C}\) of the corresponding user with \(p k_{C L C_{i}}^{\prime}\).
• Decryption queries \(\left\langle I D_{i}, C_{i}\right\rangle\): This algorithm is run by the challenger in CLC-Decrypt\(\left(C_{i}, s k_{C L C_{i}}\right)\), where \(s k_{C L C_{i}}\) is the secret key corresponding to \(I D_{i}\). Finally, the challenger gives \(M_{i}\) to \(\mathcal{A}_{1}\).
• Trapdoor queries: The challenger creates the trapdoors \(t d_{C L C_{i}}\) and \(t d_{IBC_{i}}\) by using CLC-Trapdoor and IBC-Trapdoor algorithms, respectively. Finally, the challenger gives \(t d_{C L C_{i}}\) and \(t d_{IBC_{i}}\) to \(\mathcal{A}_{1}\).
3. Challenge: The challenger then chooses the plaintext \(M \in \mathbb{G}_{1}^{*}\) randomly and computes \(C^{\prime}=\text { CLC-Encrypt }\left(I D_{c h}, M\right)\). Finally, the challenger sends \(C^{\prime}\) to \(\mathcal{A}_{1}\) as its challenge ciphertext.
4. Phase 2: The challenger's response to \(\mathcal{A}_{1}\) is similar to that in Phase 1 on the grounds that:
• \(I D_{c h}\) is not queried in the Secret key queries.
• If the public key associated with \(I D_{c h}\) is replaced, the \(I D_{c h}\) should not be queried in the Partial secret key queries.
• If the public key of the user is replaced, the corresponding identity \(I D_{i}\) should not be queried in the Secret key queries.
• \(\left(I D_{c h}, C^{\prime}\right)\) is not queried in the Decryption queries.
5. Guess: \(\mathcal{A}_{1}\) outputs \(M^{\prime}\), and wins if \(M^{\prime}=M\). The advantage of \(\mathcal{A}_{1}\) in the game above is defined as follows:
\(\operatorname{Adv}_{P K E-E T-H S, \mathcal{A}_{1}}^{O W-C C A, \text { PKE } \mathrm{ET}-\mathrm{HS}-\mathrm{CLC}}(\lambda)=\operatorname{Pr}\left[M=M^{\prime}\right].\)
Game 2: Provided with a security parameter \(\lambda\), The game between \(\mathcal{A}_{2}\) and the challenge is expounded as follows:
1. Setup: The challenger creates the public parameters PubP and the master secret key msk. Finally, the challenger gives PubP and the msk to \(\mathcal{A}_{2}\).
2. Phase 1: \(\mathcal{A}_{2}\) issues queries as in Game 1, except the Partial secret key queries and the Replace public key queries should not be issued in this game.
3. Challenge: The challenger randomly picks the plaintext \(M \in \mathbb{G}_{1}^{*}\) and computes \(C^{\prime}=\text { CLC-Encrypt }\left(I D_{c h}, M\right)\). Finally, the challenger gives \(C^{\prime}\) to \(\mathcal{A}_{2}\) as its challenge ciphertext.
4. Phase 2: The challenger's response to \(\mathcal{A}_{2}\) is similar to that in Phase 1 on grounds that:
• \(I D_{c h}\) is not queried in the Secret key queries.
• \(\left(I D_{c h}, C^{*}\right)\) is not queried in the Decryption queries.
5. Guess: \(\mathcal{A}_{2}\) outputs \(M^{\prime}\), and wins if \(M^{\prime}=M\). Therefore, the advantage \(\mathcal{A}_{2}\) has in the game is:
\(\text { Ad } v_{P K E-E T-H S, A_{2}}^{O W-C C A, \mathrm{PKE}-\mathrm{ET}-\mathrm{HS}-\mathrm{CLC}}(\lambda)=\operatorname{Pr}\left[M=M^{\prime}\right].\)
Definition 2. A PKE-ET-HS-IBC scheme possesses the OW-CCA property if no polynomial bounded adversary \(\mathcal{A}\) has a non-negligible advantage in the following game.
1. Setup: The challenger takes as input a security parameter \(\lambda\), and executes the Setup algorithm. Then, challenger delivers the system parameters to \(\mathcal{A}\) and keeps the msk secret.
2. Phase 1: \(\mathcal{A}\) has the permission to administer the following queries.
• Key generation query \(\left\langle I D_{i}\right\rangle\): The challenger runs IBC-PKG and sends \(s k_{I B C}\) to \(\mathcal{A}\).
• Decryption query \(\left\langle I D_{i}, C_{i}\right\rangle\): The challenger runs IBC-Decrypt\(\left(C_{i}, s k_{I B C_{i}}\right)\) algorithm and sends the result M to \(\mathcal{A}\).
• Trapdoor query \(\left\langle I D_{i}\right\rangle\): The challenger generates the trapdoors \(t d_{I B C_{i}}\) and \(t d_{C L C_{i}}\) by using IBC-Trapdoor and CLC-Trapdoor algorithms, respectively. Finally, the challenger sends \(t d_{I B C_{i}}\) and \(t d_{C L C_{i}}\) to \(\mathcal{A}\).
3. Challenge: When \(\mathcal{A}\) decides the Phase 1 is finished. A challenger randomly chooses a plaintext \(M \in \mathbb{G}_{1}\), the challenger then sets \(C^{*}=\text { IBC-Encrypt }\left(I D^{*}, M\right)\). Furthermore, the challenger generates a trapdoor \(t d_{I B C}\) associated with \(s k_{I B C}\) by using IBC-Trapdoor algorithm. Finally, the challenger sends \(\left(C^{*}, t d_{I B C}\right)\) to \(\mathcal{A}\).
4. Phase 2: In this phase, the response of the challenger to \(\mathcal{A}\) is similar of that one obtained in Phase 1. The following constraints are considered.
• \(\left\langle I D^{*}\right\rangle\) is not queried in the key generation query.
• \(\left\langle I D^{*}, C^{*}\right\rangle\) is not queried in the Decryption query.
5. Guess: \(\mathcal{A}\) outputs \(M^{\prime} \in \mathbb{G}_{1}^{*}\), and wins if \(M=M^{\prime}\). The advantage that \(\mathcal{A}\) has in the game above is defined as follows:
\(\operatorname{Adv}_{P K E-E T-H S, A}^{O W-C C A, \operatorname{PKE}_{-}-\mathrm{HS}-\mathrm{IBC}}(\lambda)=\operatorname{Pr}\left[M=M^{\prime}\right].\)
5. Construction
The concrete constructions of heterogeneous systems public key encryption with equality test is instituted in this section.
1. Setup: Provided a security parameter \(\lambda\), the algorithm runs as follows:
• Generate the pairing parameters: two groups \(\mathbb{G}_{1}\), \(\mathbb{G}_{2}\) of prime order \(p\), and an admissible bilinear map \(e: \mathbb{G}_{1} \times \mathbb{G}_{1} \rightarrow \mathbb{G}_{2}\). Then choose a random generator \(g \in \mathbb{G}_{1}\).
• Determine cryptographic hash functions: \(H_{1}:\{0,1\}^{*} \rightarrow \mathbb{G}_{1}\), \(H_{2}: \mathbb{G}_{2} \rightarrow \mathbb{G}_{1}, H_{3}: \mathbb{G}_{2} \rightarrow\{0,1\}^{n_{1}+n_{2}}\), where \(n_{1}=\left|\mathbb{G}_{1}\right|\) and \(n_{2}=\left|\mathbb{Z}_{p}^{*}\right|\).
• Randomly choose \(\left(s_{1}, s_{2}\right) \in \mathbb{Z}_{p}^{*}\), then set \(g_{1}=g^{s_{1}}\) and \(g_{2}=g^{s_{2}}\). The CLC-PKG publishes system parameters \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, H_{1}, H_{2}, H_{3}\right\rangle\) and keeps the master secret key \(\left(s_{1}, s_{2}\right)\) secret.
2. CLC-PKG: This algorithm generates public and secret key, and functions as follows:
• Generate partial secret key: Given a string \(\text { ID } \in\{0,1\}^{*}\):
o Compute \(h_{I D}=H_{1}(I D) \in \mathbb{G}_{1}\).
o Compute partial secret key \(D=\left(D_{1}, D_{2}\right)=\left(h_{I D}^{s_{1}}, h_{I D}^{s_{2}}\right)\), where \(\left(S_{1}, S_{2}\right)\) is the master secret key.
• Assign secret value: The algorithm uses as inputs PubP and D. It chooses \(x \in \mathbb{Z}_{p}^{*}\) randomly then returns \(x\) as a secret value.
• Assign secret key: The algorithm uses as inputs PubP, D, and \(x\). It computes\(s k_{C L C}=\left(s k_{1}, s k_{2}\right)=\left(D_{1}^{x}, D_{2}^{x}\right)\).
• Assign public key: The algorithm uses as inputs PubP and a secret value \(x\).
It returns public key \(p k_{C L C}=\left(X, p k_{1}, p k_{2}\right)=\left(g^{x}, g_{1}^{x}, g_{2}^{x}\right)\).
3. CLC-Trapdoor: This algorithm takes as input \(sk\) of a user in the CLC cryptosystem and outputs a trapdoor \(t d_{C L C}=s k_{1}=D_{1}^{x}\).
4. IBC-PKG: A user in the IBC cryptosystem sends its identity ID to its IBC-PKG. The IBC-PKG computes \(h_{I D}=H_{1}(I D)\) and then computes a secret key \(s k_{I B C}=\left(s k_{1}, s k_{2}\right)=\left(h_{I D}^{s_{1}}, h_{I D}^{s_{2}}\right)\).
5. IBC-Trapdoor: It takes as input of a user in the IBC cryptosystem and outputs a trapdoor \(t d_{I B C}=s k_{1}=h_{I D}^{s_{1}}\).
6. CLC-Encrypt: This algorithm proceeds as follows:
• Take the message \(M \in \mathbb{G}_{1}^{*}\), the identity ID, and the public key \(p k=\left(X, p k_{1}, p k_{2}\right)\) as inputs.
• Verify that if \(p k=\left(X, p k_{1}, p k_{2}\right) \in \mathbb{G}_{1}^{*}\), \(e\left(X, g_{1}\right)=e\left(p k_{1}, g\right)\), and \(e\left(X, g_{2}\right)=e\left(p k_{2}, g\right)\). If these verifications pass, perform the encryption. Otherwise, terminate the encryption.
• Compute \(h_{I D}=H_{1}(I D) \in \mathbb{G}_{1}^{*}\).
• Pick two random numbers \(\left(r_{1}, r_{2}\right) \in \mathbb{Z}_{p}^{*}\).
• Compute \(C=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\), where \(C_{1}=g^{r_{1}}, C_{2}=g^{r_{2}}\), \(C_{3}=M^{r_{1}} \cdot H_{2}\left(e\left(h_{I D}, p k_{1}\right)^{r_{1}}\right)\), and \(C_{4}=\left(M \| r_{1}\right) \oplus H_{3}\left(e\left(h_{I D}, p k_{2}\right)^{r_{2}}\right)\)
7. CLC-Decrypt: The algorithm uses as inputs a ciphertext \(C\) and a secret key \(sk\) and conveys the plaintext \(M\) by functioning as follows:
• Compute\(C_{4} \oplus H_{3}\left(e\left(s k_{2}, C_{2}\right)\right)=C_{4} \oplus H_{3}\left(e\left(D_{2}^{x_{I D}}, g^{r_{2}}\right)\right)=C_{4} \oplus H_{3}\left(e\left(h_{I D}, g_{2}^{x_{I D}}\right)^{r_{2}}\right)=\left(M \| r_{1}\right)\).
• Verify if \(C_{1}=g^{r_{1}} \text { and } \frac{C_{3}}{M^{r_{1}}}=H_{2}\left(e\left(s k_{1}, C_{1}\right)\right)\).
• If both verifications pass, return \(M\). Otherwise, return the symbol \(\perp\).
8. IBC-Encrypt: This algorithm uses as inputs a message \(M \in \mathbb{G}_{1}\) and the identity ID of a user in the IBC cryptosystem. It then selects two random numbers \(\left(r_{1}, r_{2}\right) \in \mathbb{Z}_{p}^{*}\) and computes \(C=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\), where \(C_{1}=g^{r_{1}}, C_{2}=g^{r_{2}}\), \(C_{3}=M^{r_{1}} \cdot H_{2}\left(e\left(h_{I D}, g_{1}\right)^{r_{1}}\right)\), and \(C_{4}=\left(M|| r_{1}\right) \oplus H_{3}\left(e\left(h_{I D}, g_{2}\right)^{r_{2}}\right)\).
9. IBC-Decrypt: This algorithm uses as inputs a ciphertext \(C\) and a secret key \(s k_{C L C}\) of a user in the IBC cryptosystem. Then, it returns the plaintext M by computing \(M \| r_{1} \leftarrow C_{4} \oplus H_{3}\left(e\left(d k_{2}, C_{2}\right)\right)\), and then verifies both \(C_{1}=g^{r_{1}}\) and \(\frac{C_{3}}{M^{r_{1}}}=H_{2}\left(e\left(s k_{1}, C_{1}\right)\right)\). If both verifications pass, it returns M. Otherwise, it returns the symbol \(\perp\).
10. Test\(\left(C_{i}, t d_{C L C}, C_{j}, t d_{I B C}\right)\) : Let \(U_{i}\) and \(U_{j}\) be two users of a heterogeneous systems. Let \(U_{i}\) be a user in the CLC cryptosystem and \(U_{j}\) be a user in the IBC cryptosystem. Let \(C_{i}=\left(C_{i, 1}, C_{i, 2}, C_{i, 3}, C_{i, 4}\right)\) and \(C_{j}=\left(C_{j, 1}, C_{j, 2}, C_{j, 3}, C_{j, 4}\right)\) be the ciphertexts of \(U_{i}\) and \(U_{j}\), respectively. The Test algorithm for heterogeneous systems works as follows:
\(\begin{aligned} Q_{i} &=\frac{C_{i, 3}}{H_{2}\left(e\left(t d_{C L C}, C_{i, 1}\right)\right)} \\ &=\frac{M_{i}^{r_{i, 1}} \cdot H_{2}\left(e\left(h_{I D, i}, p k_{i, 1}\right)^{r_{i, 1}}\right.}{H_{2}\left(e\left(s k_{i, 1}, C_{i, 1}\right)\right)} \\ &=\frac{M_{i}^{r_{i, 1}} \cdot H_{2}\left(e\left(h_{I D, i}, g_{1}^{x_{i}}\right)^{r_{i, 1}}\right)}{H_{2}\left(e\left(D_{i, 1}^{x_{i}}, g^{r_{i, 1}}\right)\right)} \\ &=\frac{M_{i}^{r_{i, 1}} \cdot H_{2}\left(e\left(h_{I D, i}, g_{1}^{x_{i}}\right)^{r_{i, 1}}\right)}{H_{2}\left(e\left(h_{I D, i}, g_{1}^{x_{i}}\right)^{r_{i, 1}}\right)} \\ &=M_{i}^{r_{i, 1}} \end{aligned}\)
\(\begin{aligned} Q_{j} &=\frac{C_{j, 3}}{H_{2}\left(e\left(t d_{I B C}, C_{j, 1}\right)\right)} \\ &=\frac{M_{j}^{r_{j, 1}} \cdot H_{2}\left(e\left(h_{I D, j}, g_{1}\right)^{r_{j, 1}}\right.}{H_{2}\left(e\left(s k_{j, 1}, C_{j, 1}\right)\right)} \\ &=\frac{M_{j}^{r_{j, 1}} \cdot H_{2}\left(e\left(h_{I D, j}, g_{1}\right)^{r_{j, 1}}\right)}{H_{2}\left(e\left(h_{I D, j}, g_{1}\right)^{r_{j, 1}}\right)} \\ &=M_{j}^{r_{j, 1}} \end{aligned}\)
The Test algorithm returns 1 if \(e\left(C_{i, 1}, Q_{j}\right)=e\left(C_{j, 1}, Q_{i}\right)\). Otherwise, it returns the symbol \(\perp\).
6. Security analysis
In this section, the security of the PKE-ET-HS scheme is presented. The basic notion of security proof is alike the scheme in [20] and [25].
6. 1 PKE-ET-HS-CLC
Theorem 6.1.1: Presuming that \(H_{1}, H_{2}, H_{3}\) are random oracles and assume that the BDH problem is hard. Therefore, our PKE-ET-HS-CLC is OW-CCA secure. Significantly, assume there is a Type-1 adversary \(\mathcal{A}_{1}\) that has advantages \(\epsilon_{1}(\lambda)\) against the PKE-ET-HS-CLC. Assume that \(\mathcal{A}_{1}\) makes \(q_{p k}\) public key queries, \(q_{s k}\) secret key queries, \(q_{p s k}\) partial secret key queries, \(q_{t}\) trapdoor queries, \(q_{r p k}\) replace public key queries, \(q_{d e c}\) decryption queries, \(q_{H_{2}}\) hash queries to \(H_{2}\), and hash queries to \(H_{3}\). Thus, we have an algorithm \(\mathcal{B}_{1}\) which breaks BDH problem with advantage at least \(\epsilon_{1}(\lambda) / e\left(q_{s k}+q_{p s k}+q_{t}+1\right) \cdot q_{H_{3}}\).
Proof: Presimung that \(\mathcal{B}_{1}\) is given as inputs the BDH parameters \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e\right\rangle\) and arbitrary instance \(\) of the BDH problem, where \(g\) is a random generator of \(\mathbb{G}_{1}\) and \(a, b, c \in_{R} \mathbb{Z}_{p}^{*}\). Suppose that \(e(g, g)^{a b c} \in \mathbb{G}_{2}\) is the solution of BDH problem.
Then, we demonstrate how an algorithm \(\mathcal{B}_{1}\) obtains \(e(g, g)^{a b c}\) by reacting with \(\mathcal{A}_{1}\) as follows:
1. Setup: The algorithm \(\mathcal{B}_{1}\) gives \(\mathcal{A}_{1}\) the public parameters \(P u b P=\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, H_{1}, H_{2}, H_{3}\right\rangle\), where \(g_{1}=g_{2}=g^{a}\).
2. Phase 1: At any time \(\mathcal{A}_{1}\) can make queries to \(q_{p k}, q_{s k}, q_{p s k}, q_{t}, q_{r p k}, q_{d e c}, q_{H_{2}}\) , or \(q H_{3}\). To respond to these queries works \(\mathcal{B}_{1}\) as follows:
• \(H_{1} \text { -queries }\left(I D_{i}\right)\): \(\mathcal{B}_{1}\) creates a list of tuples \(\) denoted by \(H_{1}^{l i s t}\). Here, \(c_{i} \in\{0,1\}\), where 1 represents the probability of \(\delta\) and 0 represents the probability of \(1-\delta\). If \(c_i= 0\), \(\mathcal{B}_{1}\) returns \(d_{i}=\left(g_{1}^{z_{i}}, g_{2}^{z_{i}}\right)\). Otherwise, if \(c_{i}=1\), \(\mathcal{B}_{1}\)returns \(d_{i}=\left(g_{1}^{b z_{i}}, g_{2}^{b z_{i}}\right)\).
• \(H_{2} \text { -queries }\left(w_{i}\right)\): \(\mathcal{B}_{1}\) creates a list of tuples \(\) denoted by \(H_{2}^{\text {list}}\). If $w_i$ is already stored in \(\$ \mathrm{H}_{-} 2^{\wedge}\{\text { list }\}\$\), \(\$ \text {\mathcal }\{\mathrm{B}\}_{-} 1 \$\) responds with \(H_{2}\left(w_{i}\right)=l_{i}\). Otherwise, \(\mathcal{B}_{1}\) chooses \(l_{i} \in_{R} \mathbb{G}_{1}\) and records item \(\left[w_{i}, l_{i}\right]\) in \(H_{2}^{l i s t}\). Then, \(\mathcal{B}_{1}\) returns \(l_{i}\) to \(\mathcal{A}_{1}\).
• \(H_{3} \text { -queries }\left(v_{i}\right)\): \(\mathcal{B}_{1}\) creates a list of tuples \(\) denoted by \(H_{3}^{l i s t}\). If \(v_i\) is already stored in \(H_{3}^{l i s t}\), \(\mathcal{B}_{1}\) responds with \(H_{3}\left(v_{i}\right)=h_{i}\). Otherwise, \(\mathcal{B}_{1}\) chooses \(h_{i} \in_{R}\{0,\}^{n_{1}+n_{2}}\) and records item \(\left[v_{i}, h_{i}\right]\) in \(H_{3}^{l i s t}\). Then, \(\mathcal{B}_{1}\) returns \(h_{i}\) to \(\mathcal{A}_{1}\).
• \(\text{Public key queries} \left(I D_{i}\right)\): Algorithm \(\mathcal{B}_{1}\) prepares a list of tuples \(\) denoted by \(P S K^{l i s t}\) and responds as follows:
o Check the \(H_{1}^{l i s t}\), if \(c_{i}=0\) , \(\mathcal{B}_{1}\) executes the Assign Secret Value algorithm to compute \(x_i\), then calculates \(D_{i}=\left(D_{i, 1}, D_{i, 2}\right)=\left(g_{1}^{z_{i}}, g_{2}^{z_{i}}\right)\), \(s k_{i}=\left(s k_{i, 1}, s k_{i, 2}\right)=\left(D_{i, 1}^{x_{i}}, D_{i, 2}^{x_{i}}\right)\), and \(p k_{i}=\left(X_{i}, p k_{i, 1}, p k_{i, 2}\right)=\left(g^{x_{i}}, g_{1}^{x_{i}}, g_{2}^{x_{i}}\right)\) by executing Extract partial secret key, Assign secret key, and Assign public key algorithms, respectively. Finally, \(\mathcal{B}_{1}\) records item \(\left[I D_{i}, x_{i}, D_{i}, p k_{i}, s k_{i}, 0\right]\) into \(P S K^{l i s t}\) and responds to \(\mathcal{A}_{1}\) with \(p k_{i}\).
o Otherwise, if \(c_{i}=1\), \(\mathcal{B}_{1}\) executes the Assign Secret Value algorithm to compute \(x_i\), calculates \(p k_{i}=\left(X_{i}, p k_{i, 1}, p k_{i, 2}\right)=\left(g^{x_{i}}, g_{1}^{x_{i}}, g_{2}^{x_{i}}\right)\) by executing Assign public key algorithm, and records item \(\left[I D_{i}, x_{i}, *, p k_{i}, *, 1\right]\) into \(P S K^{l i s t}\) and responds to \(\mathcal{A}_{1}\) with \(p k_{i}\).
• \(\text{Partial secret key queries}\left(I D_{i}\right)\): If \(c_{i}=0\), \(\mathcal{B}_{1}\) returns \(D_{i}\) associated with \(I D_{i}\) from \(P S K^{l i s t}\). Otherwise, If \(c_{i}=1\), \(\mathcal{B}_{1}\) aborts and fails.
• \(\text{Secret key queries}\left(I D_{i}\right)\): If \(c_{i}=0\), \(\mathcal{B}_{1}\) returns \(sk_i\) associated with \(I D_{i}\) from \(P S K^{l i s t}\). Otherwise, If \(c_{i}=1\), \(\mathcal{B}_{1}\) aborts and fails.
• \(\text{replace public key queries}\left(I D_{i}, p k_{i}^{\prime}\right)\): Suppose that \(p k_{i}^{\prime}=\left(X_{i}^{\prime}, p k_{i, 1}^{\prime}, p k_{i, 2}^{\prime}\right)\). Algorithm \(\mathcal{B}_{1}\) verifies if \(p k_{i}^{\prime}=\left(X_{i}^{\prime}, p k_{i, 1}^{\prime}, p k_{i, 2}^{\prime}\right) \in \mathbb{G}_{1}^{*}\) and \(e\left(X_{i}^{\prime}, g_{1}\right)=e\left(p k_{i, 1}^{\prime}, g\right)\) and \(e\left(X^{\prime}, g_{2}\right)=e\left(p k_{i, 2}^{\prime}, g\right)\). If these verifications pass, \(\mathcal{B}_{1}\) replaces \(p k_{i}\) with \(p k_{i}^{\prime}\) Otherwise, \(\mathcal{B}_{1}\) returns the symbol \(\perp\) to \(\mathcal{A}_{1}\).
• \(\text{Decryption queries}\left(I D_{i}, C_{i}\right)\): Let \(C_{i}=\left(C_{i, 1}, C_{i, 2}, C_{i, 3}, C_{i, 4}\right)\). \(\mathcal{B}_{1}\)
searches on the \(P S K^{l i s t}\) and reacts as follows:
o If \(c_{i}=0\) and public key is not replaced, \(\mathcal{B}_{1}\) executes CLC-Decrypt\(\left(C_{i}, s k_{i}\right)\) and returns \(M_{i}\) to \(\mathcal{A}_{1}\).
o Otherwise, for each item in \(H_{3}^{l i s t}\). \(\mathcal{B}_{1}\) responds as follows:
Calculate \(M_{i} \| r_{i, 1}=C_{i, 4} \oplus h_{i}\).
Verify if \(C_{i, 1}=g^{r_{i, 1}}\) and \(\frac{C_{i, 3}}{M_{i}^{r_{i, 1}}}=H_{2}\left(e\left(s k_{i, 1}, C_{i, 1}\right)\right)\).
If both verifications pass, return \(M_i\). Otherwise, return the symbol \(\perp\).
• \(\text{Trapdoor queries}\): The Algorithm \(\mathcal{B}_{1}\)'s response to the queries is illustrated as follows:
o In case of PKE-ET-HS-CLC, \(\mathcal{B}_{1}\) searches on \(P S K^{l i s t}\) with respect to the \(I D_{i}\) to get \(s k_{C L C_{i}}=\left(g_{1}^{z_{i} x_{i}}, g_{2}^{z_{i} x_{i}}\right)\) and responds to \(\mathcal{A}_{1}\)with \(t d_{C L C_{i}}=g_{1}^{z_{i} x_{i}}\).
o In case of PKE-ET-HS-IBC, \(\mathcal{B}_{1}\) uses \(s k_{I B C_{i}}\) to run IBC-Trapdoor algorithm, and then sends \(t d_{I B C_{i}}=t d_{I B C} \text { to } \mathcal{A}_{1}.\)
3. Challenge: When \(\mathcal{A}_{1}\) decides Phase 1 is finished. It outputs identity \(I D_{c h}\) on which it intends to be challenged on. The algorithm \(\mathcal{B}_{1}\) chooses \(M^{\prime} \in_{R} \mathbb{G}_{1}^{*}\), then searches on \(P S K^{l i s t}\) and reacts as follows:
• If \(C_{i}=0\), terminate with failure.
• Else, the following steps are performed:
o Choose \(C_{4} \in_{R}\{0,1\}^{n_{1}+n_{2}}\) and set \(C_{2}=g^{c}\).
o Generate \(C^{\prime}=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\) and send to \(\mathcal{A}_{1}\) as a challenge ciphertext.
• The decryption of \(C^{\prime}\) will then be:
\(\begin{aligned} M^{*} \| r &=C_{4} \oplus H_{3}\left(e\left(s k_{i, 2}, C_{2}\right)\right) \\ &=C_{4} \oplus H_{3}\left(e\left(g_{2}^{b z_{i} x_{i}}, g^{c}\right)\right) \\ &=C_{4} \oplus H_{3}\left(e\left(g^{a b z_{i} x_{i}}, g^{c}\right)\right) \\ &=C_{4} \oplus H_{3}\left(e(g, g)^{a b c z_{i} x_{i}}\right). \end{aligned}\)
4. Phase 2: In this phase, the response of the challenger to \(\mathcal{A}_{1}\) is similar to that one obtained in Phase 1. The following grounds are considered.
• \(I D_{c h}\) is not queried in the Secret key queries.
• If the public key corresponding to \(I D_{c h}\) is replaced, the \(I D_{c h}\) should not be queried in the Partial secret key queries.
• If the public key of the user is replaced, the corresponding identity \(I D_{i}\) is not queried in the Secret key queries.
• \(\left(I D_{c h}, C^{\prime}\right)\) should not be queried in the Decryption queries.
5. Guess: \(\mathcal{A}_{1}\) returns \(M^{\prime}\) for \(M^{*}\). \(\mathcal{B}_{1}\)\(\) picks item \(\left[v_{i}, h_{i}\right] \in_{R} H_{3}^{l i s t}\) and returns \(h_{i}^{(z x)^{-1}}=e(g, g)^{a b c}\) as the solution of BDH problem.
Claim: If \(\mathcal{B}_{1}\) holds in the simulation, then \(\mathcal{A}_{1}\) is viewed similar to real attack. Thus, the \(\operatorname{Pr}\left[M^{*}=M^{\prime}\right] \geq \epsilon_{1}\).
Proof: \(H_{1} -queries\) responds as in the real attack. All replies to secret key queries \(q_{s k}\), partial secret key queries \(q_{psk}\), trapdoor queries \(q_{t}\) are valid. Then, the probability of \(\mathcal{A}_{1}\) is \(\operatorname{Pr}\left[M=M^{\prime}\right] \geq \epsilon_{1}\). Then, we compute the probability of \(\mathcal{B}_{1}\)'s failure in the simulation as follows:
1. The probability \(\mathcal{B}_{1}\) that holds in Phase 1 or Phase 2 is equal to \(\delta^{q_{s k}+q_{p s k}+q_{t}}\).
2. The probability \(\mathcal{B}_{1}\) that holds in Challenge phase is equal to \(1-\delta\).
3. The combination of both gives the probability of \(\mathcal{B}_{1}\) holds in the simulation is equal to \(\delta^{q_{s k}+q_{p s k}+q_{t}}(1-\delta)\).
4. The maximum of this probability is equal to \(\delta_{o p t}=1-1 /\left(q_{s k}+q_{p s k}+q_{t}+1\right)\).
5. By using \(\delta_{o p t}\), the probability that \(\mathcal{B}_{1}\) holds is at least \(1 / e\left(q_{s k}+q_{p s k}+q_{t}+1\right)\).
According to above analysis, the advantage of \(\mathcal{B}_{1}\) is at least:
\(\epsilon_{1}(\lambda) / e\left(q_{s k}+q_{p s k}+q_{t}+1\right)\) (1)
In addition, the algorithm \(\mathcal{B}_{1}\) is emulating the real attack environment to \(\mathcal{A}_{1}\). Thus, \(\mathcal{B}_{1}\) returns \(e(g, g)^{a b c}\) with probability at least:
\(\epsilon_{1}(\lambda) / q_{H_{3}}.\) (2)
By combining Equations (1) and (2), we have
\(\epsilon_{1}(\lambda) / e\left(q_{s k}+q_{p s k}+q_{t}+1\right) \cdot q_{H_{3}}.\)
The proof of Theorem 6.1.1 is completed.
Theorem 6.1.2: Presuming that \(H_{1}, H_{2}, H_{3}\) are random oracles and assume that the BDH problem is hard. Therefore, our PKE-ET-HS-CLC is OW-CCA secure. Significantly, assume there is a Type-2 adversary \(\mathcal{A}_{2}\) that has advantages \(\epsilon_{2}(\lambda)\) against the PKE-ET-HS-CLC. Assume that \(\mathcal{A}_{2}\) makes \(q_{pk}\) public key queries, \(q_{sk}\)secret key queries, \(q_{t}\) trapdoor queries, \(q_{dec}\) decryption queries, \(q_{H_{2}}\) hash queries to \(H_{2}\), and \(q_{H_{3}}\) hash queries to \(H_{3}\). Thus, we have an algorithm \(\mathcal{B}_{2}\) which breaks BDH problem with advantage at least \(\epsilon_{2}(\lambda) / e\left(q_{s k}+q_{t}+1\right) \cdot q_{H_{3}}\).
Proof: Presuming that \(\mathcal{B}_{2}\) utilizes as inputs the BDH parameters \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e\right\rangle\) and arbitrary instance \(\) of the BDH problem, where \(g\) is a random generator of \(\mathbb{G}_{1}\) and \(a, b, c \in_{R} \mathbb{Z}_{p}^{*}\). Suppose that \(e(g, g)^{a b c} \in \mathbb{G}_{2}\) is the solution of BDH problem.
Then, we demonstrate how an algorithm \(\mathcal{B}_{2}\) obtains \(e(g, g)^{a b c}\) by reacting with \(\mathcal{A}_{2}\) as follows:
1. Setup: The algorithm \(\mathcal{B}_{2}\) gives \(\mathcal{A}_{2}\) the public parameters \(P u b P=\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, H_{1}, H_{2}, H_{3}\right\rangle\)where \(g_{1}=g^{s_{1}}, g_{2}=g^{s_{2}}\). Then, \(\mathcal{B}_{2}\) gives PubP and the master secret key \(m s k=\left(s_{1}, s_{2}\right) \text { to } \mathcal{A}_{2}\).
2. Phase 1: At any time \(\mathcal{A}_{2}\) can make queries to \(q_{p k}, q_{s k}, q_{t}, q_{d e c}, q_{H_{2}}, \text { or } q_{H_{3}}\). To respond to these queries \(\mathcal{B}_{2}\) works as follows:
• \(H_{1}\text{-queries}, H_{2}\text{-queries}\), and \(H_{3}\text{-queries}\) are same as in Phase 1 for proof of Theorem 6.1.1.
• \(\text{Public key queries}\left(I D_{i}\right)\): Algorithm \(\mathcal{B}_{2}\) prepares a list of tuples \(\) denoted by \(P S K^{l i s t}\) and responds as follows:
o Check the \(H_{1}^{l i s t}\), if \(c_{i}=0\), \(\mathcal{B}_{2}\) executes the Assign secret value algorithm to compute \(x_i\), then calculates \(D_{i}=\left(D_{i, 1}, D_{i, 2}\right)=\left(g_{1}^{z_{i}}\right.,\left.g_{2}^{z_{i}}\right), s k_{i}=\left(s k_{i, 1}, s k_{i, 2}\right)=\left(D_{i, 1}^{x_{i}}, D_{i, 2}^{x_{i}}\right)\), and \(p k_{i}=\left(X_{i}, p k_{i, 1}\right.,\left.p k_{i, 2}\right)=\left(g^{x_{i}}, g_{1}^{x_{i}}, g_{2}^{x_{i}}\right)\) by executing Extract partial secret key, Assign secret key, and Assign public key algorithms, respectively. Finally, \(\mathcal{B}_{2}\) records item \(\left[I D_{i}, x_{i}, D_{i}, p k_{i}, s k_{i}, 0\right]\) into \(P S K^{l i s t}\) and responds to \(\mathcal{A}_{2}\) with \(pk_i\).
o Otherwise, if \(c_{i}=1\), \(\mathcal{B}_{2}\) executes the Extract partial secret key algorithm to compute \(D_{i}=\left(D_{i, 1}, D_{i, 2}\right)=\left(g_{1}^{z_{i}}, g_{2}^{z_{i}}\right)\), then calculates \(p k_{i}=\left(X_{i}, p k_{i, 1}, p k_{i, 2}\right)=\left(g^{a}, g_{1}^{a}, g_{2}^{a}\right)\) by executing Set public key algorithm, and records item \(\left[I D_{i}, D_{i}, *, p k_{i}, *, 1\right]\) into \(P S K^{l i s t}\) and responds to \(\mathcal{A}_{2}\) with \(pk_i\).
• \(\text{Secret key queries}\left(I D_{i}\right)\): If \(c_{i}=0\), \(\mathcal{B}_{2}\) returns \(sk_i\) associated with \(ID_i\) from \(P S K^{l i s t}\). Otherwise, if \(c_{i}=1\), \(\mathcal{B}_{2}\) aborts and fails.
• \(\text{Decryption queries}\left(I D_{i}, C_{i}\right)\): Let \(C_{i}=\left(C_{i, 1}, C_{i, 2}, C_{i, 3}, C_{i, 4}\right)\). \(\mathcal{B}_{2}\) searches on the \(P S K^{l i s t}\) and reacts as follows:
o If \(c_{i}=0\), \(\mathcal{B}_{2}\) executes CLC-Decrypt\(\left(C_{i}, s k_{i}\right)\) and returns \(M_i\) to \(\mathcal{A}_{2}\).
o Otherwise, for each item in \(H_{3}^{l i s t}\). \(\mathcal{B}_{2}\) responds as follows:
Calculate \(M_{i} \| r_{i, 1}=C_{i, 4} \oplus h_{i}\).
Verify if \(C_{i, 1}=g^{r_{i, 1}}\) and \(\frac{C_{i, 3}}{M_{i}^{r_{i, 1}}}=H_{2}\left(e\left(s k_{i, 1}, C_{i, 1}\right)\right)\).
If both verifications pass, return \(M_i\). Otherwise, return the symbol \(\perp\).
• \(\text{Trapdoor queries}\left(I D_{i}\right)\): \(\mathcal{B}_{2}\) searches on \(P S K^{l i s t}\) with respect to the \(ID_i\) and responds as follows:
o If \(c_{i}=0\):
In case of PKE-ET-HS-CLC, \(\mathcal{B}_{2}\) responds to the \(\mathcal{A}_{2}\) with \(t d_{C L C_{i}}=g_{1}^{z_{i} x_{i}}\).
In case of PKE-ET-HS-IBC, \(\mathcal{B}_{2}\) responds to the \(\mathcal{A}_{2}\) with \(t d_{I B C_{i}}=t d_{I B C}\).
o Else, if :
In case of PKE-ET-HS-CLC, \(\mathcal{B}_{2}\) responds to the \(\mathcal{A}_{2}\) with \(t d_{C L C_{i}}=g_{1}^{a z_{i}}\).
In case of PKE-ET-HS-IBC, \(\mathcal{B}_{2}\) responds to the \(\mathcal{A}_{2}\) with \(t d_{I B C_{i}}=t d_{I B C}\).
3. Challenge: When \(\mathcal{A}_{2}\) decides Phase 1 is finished. It outputs identity \(I D_{c h}\) on which it intends to be challenged on. The algorithm \(\mathcal{B}_{2}\) chooses \(M^{\prime} \in_{R} \mathbb{G}_{1}^{*}\), then searches on \(P S K^{l i s t}\) and reacts as follows:
• If \(C_{i}=0\), terminate with failure.
• Else, the following steps are performed:
o Choose \(C_{4} \in_{R}\{0,1\}^{n_{1}+n_{2}} \text { and set } C_{2}=g^{c}\).
o Generate \(C^{\prime}=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\) and send to \(\mathcal{A}_{2}\) as a challenge ciphertext.
• The decryption of \(C^{\prime}\) will then be:
\(\begin{aligned} M^{*} \| r &=C_{4} \oplus H_{3}\left(e\left(s k_{i, 2}, C_{2}\right)\right) \\ &=C_{4} \oplus H_{3}\left(e\left(g_{2}^{b z_{i} x_{i}}, g^{c}\right)\right) \\ =& C_{4} \oplus H_{3}\left(e\left(g^{a b z_{i} x_{i}}, g^{c}\right)\right) \\ =& C_{4} \oplus H_{3}\left(e(g, g)^{a b c z_{i} x_{i}}\right). \end{aligned}\)
4. Phase 2: In this phase, the response of the challenger to \(\mathcal{A}_{2}\) is similar to the one obtained in Phase 1 on grounds that:
• \(I D_{c h}\) is not queried in the Secret key queries.
• \(\left(I D_{c h}, C^{*}\right)\) is not queried in the Decryption queries.
5. Guess: \(\mathcal{A}_{2}\) returns \(M^{\prime}\) for \(M^{*}\). \(\mathcal{B}_{2}\) picks item \(\left[v_{i}, h_{i}\right] \in_{R} H_{3}^{l i s t}\) and returns \(h_{i}^{\left(z s_{2}\right)^{-1}}=e(g, g)^{a b c}\) as the solution of BDH problem.
Claim: If \(\mathcal{B}_{2}\) holds in the simulation, then \(\mathcal{A}_{2}\) is viewed similar to real attack. Thus, the \(\operatorname{Pr}\left[M^{*}=M^{\prime}\right] \geq \epsilon_{2}\).
Proof: \(H_{1} \text{-queries}\) responds as in the real attack. All replies to secret key queries \(q_{s k}\), trapdoor queries \(q_{t}\) are valid. Then, the probability of \(\mathcal{A}_{1}\) is \(\operatorname{Pr}\left[M=M^{\prime}\right] \geq \epsilon_{2}\). Then, we compute the probability of \(\mathcal{B}_{2}\)'s failure in the simulation as follows:
1. The probability that \(\mathcal{B}_{2}\) holds in Phase 1 or Phase 2 is equal to \(\delta q_{s k}+q_{p s k}+q_{t}\).
2. The probability that \(\mathcal{B}_{2}\) holds in Challenge phase is equal to \(1-\delta\).
3. The combination of both gives the probability of \(\mathcal{B}_{2}\) holds in the simulation is equal to \(\delta^{q_{s k}+q_{p s k}+q_{t}}(1-\delta)\).
4. The maximum of this probability is equal to \(\delta_{o p t}=1-1 /\left(q_{s k}+q_{t}+1\right)\).
5. By using \(\delta_{o p t}\), the probability that \(\mathcal{B}_{2}\) holds is at least \(1 / e\left(q_{s k}+q_{t}+1\right)\).
According to above analysis, the advantage of \(\mathcal{B}_{1}\) is at least:
\(\epsilon_{2}(\lambda) / e\left(q_{s k}+q_{t}+1\right)\) (3)
In addition, the algorithm \(\mathcal{B}_{1}\) is emulating the real attack environment to \(\mathcal{A}_{1}\). Thus, \(\mathcal{B}_{1}\) returns \(e(g, g)^{a b c}\) with probability at least:
\(\epsilon_{2}(\lambda) / q_{H_{3}}.\) (4)
By combining Equations (3) and (4), we have The proof of Theorem 6.1.2 is completed.
6. 2 PKE-ET-HS-IBC
Theorem 6.2.1: Presuming that \(H_{1}, H_{2}, H_{3}\) are random oracles and assume that the BDH problem is hard. Therefore, the PKE-ET-HS-IBC is OW-ID-CCA secure. Significantly, assume there is an OW-ID-CCA adversary that has advantages \(\epsilon(\lambda)\) against the PKE-ET-HS-IBC. Assume that \(\mathcal{A}\) makes \(q_{E}\) key generation queries, \(q_{t d}\) trapdoor queries, and \(q \mathrm{H_3}\) hash queries to \(H_{3}\). Hence, we have an algorithm \(\mathcal{B}\) which breaks BDH problem with advantage at minimum \(\epsilon(\lambda) / e\left(q_{E}+q_{t d}+1\right) \cdot q_{H_{3}}\).
Proof: To prove Theorem 6.2.1, we need to define the related public key encryption scheme PubIB, which will be used as tools in our proof. The PubIB is presented by three algorithms as follows:
1. KeyGen: By giving a security parameter \(\lambda\), the algorithm performs as follows:
• Create two groups \(\mathbb{G}_{1}, \mathbb{G}_{2}\) with prime order p, and a bilinear map \(e: \mathbb{G}_{1} \times \mathbb{G}_{1} \rightarrow \mathbb{G}_{2}\). Then, pick a random generator \(g \in \mathbb{G}_{1}\).
• Pick two hash functions \(H_{2}: \mathbb{G}_{2} \rightarrow \mathbb{G}_{1}\) and \(H_{3}: \mathbb{G}_{2} \rightarrow\{0,1\}^{n_{1}+n_{2}}\).
• Randomly choose \(\left(s_{1}, s_{2}\right) \in \mathbb{Z}_{p}^{*}\), then set \(g_{1}=g^{s_{1}} \text { and } g_{2}=g^{s_{2}}\). Choose a random \(h_{I D} \in \mathbb{G}_{1}\).
• The \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, h_{I D}, H_{2}, H_{3}\right\rangle\) is a public key. The secret key \(s k=\left(s k_{1}, s k_{2}\right)=\left(h_{I D}^{s_{1}}, h_{I D}^{s_{2}}\right) \in \mathbb{G}_{1}\).
2. Encryption: It takes the plaintext \(M \in \mathbb{G}_{1}\) and the public key \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, h_{I D}, H_{2}, H_{3}\right\rangle\) as inputs. Then, it picks two numbers \(\left(r_{1}, r_{2}\right) \in_{R} \mathbb{Z}_{p}^{*}\) and computes \(C=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\), where \(C_{1}=g^{r_{1}}, C_{2}=g^{r_{2}}\), \(C_{3}=M^{r_{1}} \cdot H_{2}\left(e\left(h_{I D}, g_{1}\right)^{r_{1}}\right)\), and \(C_{4}=\left(M|| r_{1}\right) \oplus H_{3}\left(e\left(h_{I D}, g_{2}\right)^{r_{2}}\right)\).
3. Decryption: It takes the secret key \(s k_{I B C}\) and the ciphertext C as inputs. Then, it returns the plaintext M by computing \(M \| r_{1} \leftarrow C_{4} \oplus H_{3}\left(e\left(s k_{2}, C_{2}\right)\right)\), and then verifies both \(C_{1}=g^{r_{1}} \text { and } \frac{C_{3}}{M^{r_{1}}}=H_{2}\left(e\left(s k_{1}, C_{1}\right)\right)\). If both verifications pass, it returns M. Otherwise, it returns the symbol \(\perp\).
After defining PubIB, we prove Theorem.2.1 by using Lemma 6.2.2 and Lemma 6.2.3, respectively as follows:
Lemma 6.2.2: Presuming that \(H_{1}\) is a random oracle. Suppose that the advantage of \(\mathcal{A}\) against PKE-ET-HS-IBC is \(\epsilon(\lambda)\). Assume that \(\mathcal{A}\) makes \(q_{E}\) key generation queries, \(q_{t d}\) trapdoor queries. There is an OW-CCA adversary \(\mathcal{B}\) that has advantage \(\epsilon(\lambda) / e\left(q_{E}+q_{t d}+1\right)\) against PubIB.
Proof: We demonstrate the way of constructing an OW-CCA adversary \(\mathcal{B}\) that utilizes \(\mathcal{A}\) to get advantages \(\epsilon(\lambda) / e\left(q_{E}+q_{t d}+1\right)\) against PubIB. Initially, \(\mathcal{B}\) execute KeyGen algorithm to create the \(K_{p u b}=\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, h_{I D}, \mathcal{H}_{2}, \mathcal{H}_{3}\right\rangle\) and a secret key \(s k=\left(h_{I D}^{s_{1}}, h_{I D}^{s_{2}}\right)\). Finally, \(\mathcal{B}\) sends \(K_{p u b}\) to \(\mathcal{A}\). In the following, the algorithm \(\mathcal{B}\) interacts with \(\mathcal{A}\) in the OW-ID-CCA game.
1. Setup: The algorithm \(\mathcal{B}\) gives \(\mathcal{A}\) the PubIB public parameters \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, H_{1}, H_{2}, H_{3}\right\rangle\). Here, we take \(p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g, g_{1}, g_{2}, H_{2}, H_{3}\) from \(K_{P u b}\) and \(H_{1}\) is a random oracle dominated by \(\mathcal{B}\) as follows:
\(H_{1}\text{-queries}\): \(\mathcal{A}\) can query to \(H_{1}\) at any time. The list of tuples \(\left\langle I D_{i}, d_{i}, x_{i}, c_{i}\right\rangle\) denoted by \(H_{1}^{l i s t}\) is prepared by \(\mathcal{B}\) to respond to these queries. Initially, the \(H_{1}^{l i s t}\) is blank. When \(\mathcal{A}\) queries to \(H_{1}\) with identity \(I D_{i}\), \(\mathcal{B}\) reacts as follows:
• If the \(I D_{i}\) exists in the \(H_{1}^{l i s t}\), the algorithm\(\mathcal{B}\) returns \(d_{i}=H_{1}\left(I D_{i}\right) \in \mathbb{G}_{1}\).
• Else, \(\mathcal{B}\) generates the random coin \(c_{i}=\{0,1\}\), where 1 represents the probability of \(\delta\) and 0 represents the probability of \(1-\delta\).
• \(\mathcal{B}\) chooses a random number \(x_{i} \in \mathbb{Z}_{p}^{*}\). If \(c_{i}=0\), \(\mathcal{B}\) computes \(d_{i}=g^{x_{i}}\). If \(c_{i}=1\) , \(\mathcal{B}\) computes \(d_{i}=h_{I D}^{x_{i}} \in \mathbb{G}_{1}\).
• \(\mathcal{B}\) adds tuples \(\left\langle I D_{i}, d_{i}, x_{i}, c_{i}\right\rangle\) and responds to \(\mathcal{A}\) with \(d_{i} \in \mathbb{G}_{1}\).
2. Phase 1:
• \(\text{Key generation queries}\left\langle I D_{i}\right\rangle\) : Algorithm \(\mathcal{B}\) responds to this query as follows:
o The above algorithm is run in response to \(H_1\)-queries in order to get \(d_{i} \in \mathbb{G}_{1}\).
o Let \(\left\langle I D_{i}, d_{i}, x_{i}, c_{i}\right\rangle\) are the compatible tuples of the \(H_{1}^{l i s t}\). If \(c_{i}=1\), \(\mathcal{B}\) aborts with failure. If \(c_{i}=0\), \(d_{i}=g^{x_{i}}\), we define \(s k_{i}=\left(g_{1}^{x_{i}}, g_{2}^{x_{i}}\right) \in \mathbb{G}_{1}\). Observe that \(sk_{i}=\left(\left(g^{s_{1}}\right)^{x_{i}},\left(g^{s_{2}}\right)^{x_{i}}\right)\) and therefore \(sk_{i}\) is the secret key associated with \(I D_{i}\). The algorithm\(\mathcal{B}\) responds to \(\mathcal{A}\) with \(sk_{i}\).
• \(\text{Trapdoor query}\): Algorithm \(\mathcal{B}\) responds to this query as follows:
o In case of PKE-ET-HS-IBC, \(\mathcal{B}\) responds to \(\mathcal{A}\) with \(t d_{I B C_{i}}=g_{1}^{x_{i}}\).
o In case of PKE-ET-HS-CLC, \(\mathcal{B}\) responds to\(\mathcal{A}\) with \(t d_{C L C_{i}}\).
3. Challenge: When the algorithm \(\mathcal{A}\) decides Phase 1 is finished. It returns \(I D^{*}\) as the identity on which it wishes to be challenged. The algorithm \(\mathcal{B}\) reacts as follows:
• \(\mathcal{B}\) runs the above algorithm in order to respond to the queries issued by \(H_{1}\) to get \(d \in \mathbb{G}_{1}\), where \(\left\langle I D^{*}, d, x, c\right\rangle\) are the compatible tuples of the \(H_{1}^{l i s t}\).
• If \(c=0\) then \(\mathcal{B}\) aborts with failure. The attack on PubIB fails.
• If \(c=1\), thus \(d=h_{I}^{x}\). Remember that once \(C=\left(C_{1}, C_{2}, C_{3}, C_{4}\right)\), we have \(\left(C_{1}, C_{2}\right) \in \mathbb{G}_{1}^{*}\). Set \(C^{*}=\left(C_{1}^{x^{-1}}, C_{2}^{x^{-1}}, C_{3}, C_{4}\right)\), where \(x^{-1}\) is the inverse of \(x\) mod \(p\). \(\mathcal{B}\) returns \(C^{*}\) to \(\mathcal{A}\) as the challenge ciphertext, where \(C^{*}\) is the result of the plaintext encryption M under the challenge identity \(I D^{*}\). The ciphertext is legal because \(H_{1}\left(I D^{*}\right)=d\), the decryption key associated with \(I D^{*}\) is \(s k_{I B C}^{*}=\left(s k_{1}^{*}, s k_{2}^{*}\right)=\left(\left(h_{I D}^{x}\right)^{s_{1}},\left(h_{I D}^{x}\right)^{s_{2}}\right)\).
\(\begin{array}{l} e\left(s k_{c h, 1}, C_{1}^{x-1}\right)=e\left(\left(h_{I D}^{x}\right)^{s_{1}}, C_{1}^{x^{-1}}\right)=e\left(h_{I D}^{s_{1}}, C_{1}\right). \\ e\left(s k_{c h, 2}, C_{2}^{x^{-1}}\right)=e\left(\left(h_{I D}^{x}\right)^{s_{2}}, C_{2}^{x^{-1}}\right)=e\left(h_{I D}^{s_{2}}, C_{2}\right). \end{array}\)
• Thus, the PKE-ET-HS-IBC decryption of \(C^{*}\) using \(s k_{I B C}^{*}\) is identical to the PubIB decryption of C using \(s k_{I B C_{i}}\).
4. Phase 2:
• \(\text{Key generation queries}\left\langle I D_{i}\right\rangle\): If \(I D_{i} \neq I D^{*}\), \(\mathcal{B}\) responds similar to Phase 1. Otherwise, \(\mathcal{B}\) aborts with failure
.• \(\text{Decryption queries}\left\langle I D_{i}, C_{i}\right\rangle\) : If \(C_{i} \neq C^{*}\), \(\mathcal{B}\) responds the same way as in Phase 1. Otherwise, Otherwise, \(\mathcal{B}\) aborts with failure.
• \(\text{Trapdoor queries}\): \(\mathcal{B}\) responds the same way as in Phase 1.
5. Guess: Finally, \(\mathcal{A}\) outputs a guess \(M^{\prime}\) for \(M\). \(\mathcal{B}\) outputs a guess \(M^{\prime}\) as its guess for M.
Claim: If \(\mathcal{B}\) holds in the simulation, then \(\mathcal{A}\) is viewed similar to real attack. Thus, the \(\operatorname{Pr}\left[M=M^{\prime}\right] \geq \epsilon\).
Proof: \(H_1\)-queries responds as in the real attack. All replies to key generation queries \(q_{E}\) and trapdoor queries \(q_{td}\) are valid. Then, the probability of \(\mathcal{A}\) is \(\operatorname{Pr}\left[M=M^{\prime}\right] \geq \epsilon\). To finalize the proof of Lemma 6.2.2, we compute the possibility of \(\mathcal{B}\)'s failure in the simulation as follows: (1) The possibility of \(\mathcal{B}\) holds in Phase 1 or Phase 2 is equal to \(\delta^{q_{E}+q_{t d}}\),(2) The possibility of \(\mathcal{B}\) holds in Challenge phase is equal to \(1-\delta\). (3) The combination of both gives the possibility of \(\mathcal{B}\) holds in the simulation is equal to \(\delta^{q_{E}+q_{t d}}(1-\delta)\). (4) The maximum of this possibility is equal to \(\delta_{o p t}=1-1 /\left(q_{E}+q_{t d}+1\right)\). By using \(\delta_{o p t}\), the possibility of \(\mathcal{B}\) holds is at minimum \(1 / e\left(q_{E}+q_{t d}+1\right)\). This result shows that the advantage of \(\mathcal{B}\) is at minimum:
\(\epsilon(\lambda) / e\left(q_{E}+q_{t d}+1\right).\) (1)
Lemma 5.2.3: Assume that \(H_3\) is a random oracle \(H_{3}: \mathbb{G}_{2} \rightarrow\{0,1\}^{n_{1}+n_{2}}\). Assume that the adversary \(\mathcal{P}\) is an OW-CCA adversary with advantage \(\epsilon(\lambda)\) against PubIB. Assume that \(\mathcal{P}\) makes at most \(q_{H_{3}}\) hash queries of \(H_3\). Thus, the algorithm \(\mathcal{F}\) solves the BDH assumption with advantage at minimum \(\epsilon(\lambda) / q_{H_{3}}\).
Proof: Algorithm \(\mathcal{F}\) takes BDH parameters \(\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e\right\rangle\) and the tuple \(\left\langle g_{0}, g_{0}^{a}, g_{0}^{b}, g_{0}^{c}\right\rangle=\left\langle g_{0}, V, W, R\right\rangle\), where \(g_0\) is the generator of \(\mathbb{G}_{1}\) and \(a, b, c \in_{R} Z_{p}^{*}\) as inputs. Let \(S=e\left(g_{0}, g_{0}\right)^{a b c} \in \mathbb{G}_{2}\) be the solution of BDH. In the following, we show how the algorithm \(\mathcal{F}\) finds\(\mathcal{S}\) by interacting with \(\mathcal{P}\).
Setup: \(\mathcal{F}\) gives \(\mathcal{P}\) the PubIB's public parameters \(K_{p u b}=\left\langle p, \mathbb{G}_{1}, \mathbb{G}_{2}, e, g,\right.\left.g_{1}, g_{2}, h_{I D}, H_{2}, H_{3}\right\rangle\). Then \(\mathcal{F}\) sets \(g_{2}=V \text { and } h_{I D}=W\). Here \(H_3\) is the random oracle dominated by \(\mathcal{F}\). Observe that a decryption key related to \(K_{pub}\) is \(s k_{i}=h_{I D}^{a}=g_{0}^{a b}\).
\(H_{1}\text{-queries}\): At any time \(\mathcal{P}\) can query to \(H_3\). \(\mathcal{F}\) prepares the list \(\left\langle X_{i}, H_{i}\right\rangle\) denoted by \(H_{3}^{l i s t}\) to respond these quries. Initially, the \(H_{3}^{l i s t}\) is blank. When the \(\mathcal{P}\) query to \(H_3\), \(\mathcal{F}\) responds as follows:
1. If \(X_i\) appears in the \(H_{3}^{l i s t}\), the \(\mathcal{F}\) returns \(H_{3}\left(X_{i}\right)=H_{i}\).
2. Else, \(\mathcal{F}\) chooses \(H_{i} \in_{R}\{0,1\}^{n_{1}+n_{2}}\) and records it in \(H_{3}^{l i s t}\). Finally, \(\mathcal{F}\) returns \(H_{3}\left(X_{i}\right)=H_{i}\) to \(\mathcal{P}\).
Challenge: \(\mathcal{P}\) sends the identity \(I D^{*}\) on which it wishes to be challenged. \(\mathcal{F}\) chooses \(L \in_{R}\{0,1\}^{n_{1}+n_{2}}\) and generates \(C^{*}\) as a challenge ciphertext \(C^{*}=\left(C_{1}, R, C_{3}, L\right)\). \(\mathcal{F}\) sends \(C^{*}\) to \(\mathcal{P}\). Observe that the decryption of \(C^{*}\) is \(L \oplus H_{3}\left(e\left(s k_{i}, R\right)\right)=L \oplus H_{3}(S)\).
Guess: \(\mathcal{P}\) outputs a guess \(M^{\prime}\) for \(M\). Algorithm \(\mathcal{F}\) chooses \(\left\langle X_{j}, H_{j}\right\rangle\) from the \(H_{3}^{l i s t}\) randomly and returns \(X_{j}\) as the solution of the given BDH parameters. The algorithm \(\mathcal{F}\) is emulating the real attack environment to \(\mathcal{P}\). Therefore, \(\mathcal{F}\) returns \(\mathcal{S}\) with probability at minimum:
\(\epsilon(\lambda) / q_{H_{3}}\). (5)
By combining Equations (5) and (6), we have
\(\epsilon(\lambda) / e\left(q_{E}+q_{t d}+1\right) \cdot q_{H_{3}}\). (6)
The proof of Theorem 6.2.1 is completed.
7. Performance analysis
Within this segment, the computation and communication costs of the proposed PKE-ET-HS scheme and the schemes in [14][16], and [21] are compared.
Table 1. Comparison.
Legends: Enc, Dec, and Test: the computation complexity of encryption, decryption, and test algorithms; PK, SK, and CT: the size of public key, the size of secret key, and the size of ciphertext, respectively; BDH: bilinear Diffie-Hellman assumption; CDH: computational Diffie-Hellman assumption; Exp: an exponentiation operation; Pair: pairing operation; heterogeneous (ET): the scheme that provides heterogeneous equality test; CMP: certificate management problems; ⨉: this property is not considered in the corresponding scheme; \(\sqrt{ }\) : this property is considered in the corresponding scheme.
1. Size and storage space:
• Public key: Our scheme has the same size as [16] and [21]. It's smaller than [14]-Type 1.
• Secret key: Our scheme has the same size as [16] and [21]. It's smaller than [14]-Type 1.
• Ciphertext: Our scheme has the smallest ciphertext size.
2. Computation complexity:
• Encryption algorithm: Our scheme has less computational cost than [16] and [21]. It's larger than [14]-Type 1.
•Decryption algorithm: Our scheme has same computational cost with [16] and [21]. It’s larger than [14]-Type 1.
• Test algorithm: Our scheme has same computational cost with [16] and [21]. It's larger than [14]-Type 1.
3. Security: Our scheme and the scheme in [16][21] are proved under the BDH problem. Besides, the scheme in [10] is proved under the CDH problem.
4. Assumption: Our scheme achieves OW-ID-CCA and OW-CCA security. Besides, the scheme in [14][21] are secure in OW-CCA and the scheme in [16] achieves OW-ID-CCA security.
5. Heterogeneous (ET): Only our schemes provide heterogeneous equality test between CLC cryptosystem and IBC cryptosystem. Beside, all of others provide homogenous equality test.
6. Certificate management problems: Our scheme and the schemes in [16][21] are solved the certificate management problems.
To intuitively evaluate theoretical analysis illustrated above, based on cpabe toolkit and Pairing-Based Cryptography (PBC) library [26], our scheme and the schemes in [14][16][21] are implemented. Particularly, these experiments are carried out on an Intel(R) Core(TM) i7-7700 CPU @3.60 GHz @3.60 GHz and 8 GB RAM. We used the Windows 10 operating system and VC++ 6.0 for our experiments to run on. We implemented the 160-bit elliptic curve group and constructed it on the super-singular curve \(z^{2}=x^{3}+x\) over a 512-bit finite field, to attain a 1024-bit security level. For the cost of computation and communication overhead, we had milliseconds (ms) and byte, respectively. In our experimental simulation, the time of the pairing operation and the exponentiation operation are 10.749 ms and 5.530 ms, respectively. Besides, we have the size of each element in \(\mathbb{Z}_{p}\), \(\mathbb{G}_{1}, \mathbb{G}_{2}\) are 20 bytes, 128 bytes, 128 bytes, respectively.
Based on the results we obtained during the experimental process, Fig. 3 demonstrates that the computation cost of our nominated scheme is moderate as contrasted to the schemes in [16][21] and it's higher than the schemes in [14]. Furthermore, Fig. 4 demonstrates that our proposed scheme has a moderate communication cost in contrast to schemes in [14][16][21].
Fig. 3. Computation costs for Encryption, Decryption, and Test algorithms
Fig. 4. Comparison of the communication cost
8. Conclusion
In this paper, we propose a novel public key encryption with equality test in heterogeneous systems. This scheme is aimed at dealing with the cloud server practical needs. We have come up with a mechanism to allow a cloud server execute a search between ciphertexts encrypted amidst the CLC cryptosystem and IBC cryptosystem. Our scheme has its security proof reduced to Bilinear Diffie-Hellman assumption. We base this scheme on the random oracle model. According to the analysis and simulations we undertook, our experiments reveal that our scheme is feasible and sufficient in correlation to other works. Forthcoming works include making provision for the cloud server to be delegated with rights to execute authorization tests.
Acknowledgments
This work was supported in part by the 13th Five-Year Plan of National Cryptography Development Fund for Cryptographic Theory of China under Grant MMJJ20170204, in part by the Fundamental Research Funds for the Central Universities under Grant ZYGX2016J091, the Guangxi Colleges and Universities Key Laboratory of Cloud Computing and Complex Systems, and in part by the Natural Science Foundation of China under Grants U1401257, 61472064 and 61602096.
References
- N. Fernando, S. W. Loke, W. Rahayu, "Mobile cloud computing: A survey," Future generation computer systems, 29 (1), 84-106, 2013. https://doi.org/10.1016/j.future.2012.05.023
- A. Botta, W. De Donato, V. Persico, A. Pescape, "Integration of cloud computing and internet of things: a survey," Future Generation Computer Systems, 56, 684-700, 2016. https://doi.org/10.1016/j.future.2015.09.021
- Q. Yan, F. R. Yu, Q. Gong, J. Li, "Software-defined networking (sdn) and distributed denial of service (ddos) attacks in cloud computing environments: A survey some research issues, and challenges," IEEE Communications Surveys & Tutorials, 18(1), 602-622, 2016. https://doi.org/10.1109/COMST.2015.2487361
- H. Takabi, J. B. Joshi, G.-J. Ahn, "Security and privacy challenges in cloud computing environments," IEEE Security & Privacy, 8(6), 24-31, 2010. https://doi.org/10.1109/MSP.2010.186
- H. Hong, Z. Sun, "Sharing your privileges securely: a key-insulated attribute based proxy re-encryption scheme for iot," World Wide Web, 21(3), 595-607, 2018. https://doi.org/10.1007/s11280-017-0475-8
- H. Hong, Z. Sun, "Achieving secure data access control and efficient key updating in mobile multimedia sensor networks," Multimedia Tools and Applications, 77(4), 4477-4490, 2018. https://doi.org/10.1007/s11042-017-4804-9
- H. Hong, Z. Sun, "A key-insulated ciphertext policy attribute based signcryption for mobile networks," Wireless Personal Communications, 95(2), 1215-1228, 2017. https://doi.org/10.1007/s11277-016-3825-4
- H. Hong, X. Liu, Z. Sun, "A fine-grained attribute based data retrieval with proxy re-encryption scheme for data outsourcing systems," Mobile Networks and Applications, 1-6, 2018.
- D. Boneh, G. Di Crescenzo, R. Ostrovsky, G. Persiano, "Public key encryption with keyword search," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, Springer, pp. 506-522, 2004.
- G. Yang, C. H. Tan, Q. Huang, D. S. Wong, "Probabilistic public key encryption with equality test," in Proc. of Cryptographers Track at the RSA Conference, Springer, pp. 119-131, 2010.
- Q. Tang, "Public key encryption supporting plaintext equality test and user-specified authorization," Security and Communication Networks, 5(12), 1351-1362, 2012. https://doi.org/10.1002/sec.418
- S. Ma, M. Zhang, Q. Huang, B. Yang, "Public key encryption with delegated equality test in a multi-user setting," The Computer Journal, 58(4), 986-1002, 2014. https://doi.org/10.1093/comjnl/bxu026
- K. Huang, R. Tso, Y.-C. Chen, S. M. M. Rahman, A. Almogren, A. Alamri, "Pke-aet: public key encryption with authorized equality test," The Computer Journal, 58(10), 2686-2697, 2015. https://doi.org/10.1093/comjnl/bxv025
- S. Ma, Q. Huang, M. Zhang, B. Yang, "Efficient public key encryption with equality test supporting flexible authorization," IEEE Transactions on Information Forensics and Security, 10(3), 458-470, 2015. https://doi.org/10.1109/TIFS.2014.2378592
- Y. Xu, M. Wang, H. Zhong, J. Cui, L. Liu, V. N. Franqueira, "Verifiable public key encryption scheme with equality test in 5g networks," IEEE Access 5, 12702-12713, 2017. https://doi.org/10.1109/ACCESS.2017.2716971
- S. Ma, "Identity-based encryption with outsourced equality test in cloud computing," Information Sciences, 328, 389-402, 2016. https://doi.org/10.1016/j.ins.2015.08.053
- H. T. Lee, S. Ling, J. H. Seo, H. Wang, "Semi-generic construction of public key encryption and identity-based encryption with equality test," Information Sciences, 373, 419-440, 2016. https://doi.org/10.1016/j.ins.2016.09.013
- L. Wu, Y. Zhang, K.-K. R. Choo, D. He, "Efficient and secure identity-based encryption scheme with equality test in cloud computing," Future Generation Computer Systems, 73, 22-31, 2017. https://doi.org/10.1016/j.future.2017.03.007
- L. Wu, Y. Zhang, K.-K. R. Choo, D. He, "Efficient identity-based encryption scheme with equality test in smart city," IEEE Transactions on Sustainable Computing, 3(1), 44-55, 2018. https://doi.org/10.1109/TSUSC.2017.2734110
- S. S. Al-Riyami, K. G. Paterson, "Certificateless public key cryptography," Asiacrypt, Springer, Vol. 2894, pp. 452-473, 2003.
- H. Qu, Z. Yan, X.-J. Lin, Q. Zhang, L. Sun, "Certificateless public key encryption with equality test," Information Sciences, 462, 76-92, 2018. https://doi.org/10.1016/j.ins.2018.06.025
- M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, H. Shi, "Searchable encryption revisited: Consistency properties, relation to anonymous ibe, and extensions," Crypto, Springer, 2(3), 350-391, 2008.
- Q. Tang, "Towards public key encryption scheme supporting equality test with fine-grained authorization," in Proc. of Australasian Conference on Information Security and Privacy, Springer, pp. 389-406, 2011.
- Q. Tang, "Public key encryption schemes supporting equality test with authorization of different granularity," International journal of applied cryptography, 2(4), 304-321, 2012. https://doi.org/10.1504/IJACT.2012.048079
- D. Boneh, M. Franklin, "Identity-based encryption from the weil pairing," in Proc. of Annual International Cryptology Conference, Springer, pp. 213-229, 2001.
- B. Lynn et al., "The pairing-based cryptography library," 2006. [Online]. Available: crypto.stanford.edu/pbc/[Mar. 27, 2013]