An Efficient Revocable Identity-Based Encryption with Equality Test Scheme for the Wireless Body Area Network

Tsai, Tung-Tso; Lin, Han-Yu; Chang, Hsiao-Chieh

doi:https://doi.org/10.1155/2022/1628344

Journal of Sensors

On this page

Abstract Introduction Preliminaries Conclusions Data Availability Conflicts of Interest Acknowledgments References Copyright Related Articles

Special Issue

Achieving Green Internet of Things

View this Special Issue

Research Article | Open Access

Volume 2022 | Article ID 1628344 | https://doi.org/10.1155/2022/1628344

An Efficient Revocable Identity-Based Encryption with Equality Test Scheme for the Wireless Body Area Network

Tung-Tso Tsai,¹Han-Yu Lin,¹and Hsiao-Chieh Chang¹

Academic Editor: Tsu-Yang Wu

Received16 Jun 2022

Revised18 Jul 2022

Accepted01 Aug 2022

Published13 Aug 2022

Abstract

With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. Therefore, these data must be encrypted before uploading to the cloud to ensure the confidentiality. To achieve the confidentiality of data and enjoy cloud services, a notion of identity-based encryption with equality test (IBEET) was proposed. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. The equality test can be applied to the wireless body area network system in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether which patient’s status is abnormal. Indeed, revoking illegal or expired users on any cryptosystem is an important issue. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with an equality test, called RIBEET. Based on the notion, we present the first RIBEET scheme. Meanwhile, the proposed scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

1. Introduction

With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. To ensure the confidentiality of data, several encryption mechanisms [1–4] have been applied to cloud computing. Identity-based encryption (IBE) [5] is one of the encryption mechanisms of public key systems. The system of an IBE contains two roles: the private key generator (PKG) and users (including senders and receivers). Each user utilizes his own identity (e.g., e-mail address, name, or social security number) to register with the PKG to obtain a private key. Senders can regard the identity of the receiver as a public key to encrypt private data. After receiving the encrypted message (ciphertext), the receiver can decrypt it with her/his own private key.

To achieve the confidentiality of data and enjoy cloud services, the first identity-based encryption with equality test (IBEET) was proposed by Ma [6]. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. Ma [6] also gave an application of IBEET used to classify encrypted e-mails. Each encrypted e-mail can be attached with a tag for classification, while the tag can be encrypted under different public keys in the IBEET system. An e-mail server in the cloud can test the equality of any two encrypted tags to classify encrypted e-mails. Subsequently, many studies on IBEET have been published in the literature [7–11].

The equality test can be applied to the wireless body area network (WBAN) system [12–17] in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether the patient’s status is abnormal. Figure 1 shows the architecture of WBANs. A patient is equipped with wearable sensors to collect her/his health record data from sensors of electroencephalogram (EEG), electrocardiogram (ECG), blood pressure, pulse oximeter, insulin pump, electromyogram (EMG), and motion. These health record data are encrypted through the mobile device and uploaded to the cloud server. On the other hand, the medical institution also uploads the patient’s encrypted health data to the cloud server. The ciphertexts can be tested for equality without knowing the health data of the patient by the cloud server. If the patient’s health data are different from the medical institution’s health data, it means that the patient’s health data are abnormal.

Indeed, revoking illegal or expired users on any cryptosystem is an important issue. In the traditional public key cryptosystem (PKC), public key infrastructures (PKI) must be established to manage each user’s certificate which links the user’s identity and public key. In addition, the certificate revocation list [18] is also included in the PKI to revoke illegal or expired users. In identity-based public key cryptosystems (ID-PKC), the first IBE was presented by Boneh and Franklin [5] in which a user can be revoked by the PKG, who sends new private keys for all nonrevoked users at each period, if the user did not receive the new private key. So far, many literatures related to revocable IBE [19–26] have been published. To the best of our knowledge, there is little research on design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. Based on the notion, we present the first RIBEET scheme. Meanwhile, the scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

1.1. Related Work

In the era of advanced network communication, cloud computing is an indispensable part. The terminal devices on the user side usually do not have high-performance computing power. However, users can entrust large computing tasks to the cloud. Then, the cloud will return the corresponding results to users after finishing the tasks. Indeed, the cloud can assist each user in performing tasks that require a lot of computation, but it also means that the cloud can know each user’s data if the data is not encrypted. Typically, users will encrypt data to the cloud if the data is sensitive or private. In addition, encrypted data also needs to be quickly retrieved from the cloud. To achieve this function, several schemes [3, 4, 27, 28] related to public key encryption with a keyword search were proposed. Although these schemes can retrieve encrypted data, only data encrypted under the same public key can be retrieved.

To support searchable encrypted data under different public keys, Yang et al. [29] proposed a comparison mechanism of two ciphertexts encrypted under different public keys in the traditional public key cryptosystem, called public key encryption with equality test (PKEET). However, the traditional public key cryptosystem must rely on the public key infrastructure to manage each user’s certificate which links the user’s identity and her/his public key. To avoid the use of public key infrastructure and certificates, Shamir [30] introduced a new concept of ID-PKC in which a user’s public key is her/his identity such as name, e-mail, or telephone number. In this way, certificates will no longer be needed in the ID-PKC since the public key is meaningful and can represent the user’s identity. Combining the concepts of PKEET and ID-PKC, Ma [6] proposed the first identity-based encryption with equality test, called IBEET. To consider more types of authorizations, Li et al. [31] proposed the IBEET scheme with four types of authorizations. Unfortunately, the proposed scheme of Li et al. [31] is not suitable for the IoT environment because the performance of the scheme is not good. Immediately, Elhabob et al. [10] proposed another IBEET scheme with four types of authorizations which has higher performance.

For the issue of user revocation in the ID-PKC, Boneh and Franklin [5] suggested that the new private keys should be resent to users who have not been revoked at different periods. As a result, secure channels will be established to send these private keys, and the PKG’s workload will also increase. To reduce the PKG’s workload, Boldyreva et al. [19] hired a binary tree to propose an IBE scheme with user revocation, named revocable IBE (RIBE). However, Boldyreva et al.’s scheme [19] only satisfied the selective-ID security. Later, Libert and Vergnaud [20] proposed another RIBE scheme which meets the adaptive-ID security. A mechanism for revoking users through public channels was proposed by Tseng and Tsai [21], in which each user’s full private key is divided into two parts: a fixed key and a time updated key. The fixed key is delivered to the user through secure channels only once, while the time updated key is delivered to the user through public channels at different periods. Users can be revoked if they do not receive the new time updated keys. For the security of decryption key exposure, Seo and Emura [22] proposed a new RIBE scheme to enhance the security. To reduce the length of public parameters and meet the security of decryption key exposure resistance, Watanabe et al. [23] presented another RIBE scheme. In addition, several lattice-based RIBE schemes [24–26] were proposed to resist quantum attacks.

1.2. Motivation

As mentioned earlier, revoking illegal or expired users on any cryptosystem is still an important issue. In the traditional PKC, the PKEET [29] can hire the certificate revocation list [18] to revoke illegal or expired users. However, the IBE [5] cannot effectively revoke illegal or expired users in the ID-PKC, so the RIBE [21] was proposed. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET [6]. Table 1 shows the comparisons between the PKEET [29], the IBE [5], the RIBE [21], the IBEET [6], and our RIBEET in terms of public key setting, avoiding the use of certificates, supporting the equality test of ciphertexts, and providing user revocation. Hence, we attempt to propose the first revocable identity-based encryption with equality test, called RIBEET.

1.3. Contribution and Organization

Although the existing RIBE schemes [21–26] provide a mechanism to revoke users, they do not extend to support the equality test for ciphertexts. On the other hand, the existing IBEET schemes [6, 10, 31] do not support to revoke users. To the best of our knowledge, there is little research on the design mechanism of user revocation in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. In the following, we list specific contributions. (i)Based on the existing syntax and security notions of IBEET, we consider the property of user revocation to define a new syntax and security notions of RIBEET(ii)Following the syntax of RIBEET, a concrete RIBEET scheme is proposed(iii)In the security notions of RIBEET, the proposed scheme is proven to be secure under the bilinear Diffie-Hellman (BDH) assumption(iv)We compare the proposed scheme with the previous RIBE scheme and IBEET scheme. We demonstrate that the proposed scheme not only provides user revocation but also supports the equality test for ciphertexts

The rest of the article includes six sections. Preliminaries are given in Section 2. Section 3 presents the syntax and security notions of RIBEET. A concrete RIBEET scheme is proposed in Section 4. The security analysis of the RIBEET scheme is shown in Section 5. We compare the RIBEET scheme with other existing schemes in Section 6. The last section gives the conclusion.

2. Preliminaries

In this section, we introduce two definitions related to a mathematical tool and security assumption. We hire the bilinear pairings [5] as a mathematical tool to construct our RIBEET scheme. To prove the security of the proposed scheme, we consider the bilinear Diffie-Hellman (BDH) problem and then give a BDH assumption [6]. The definition of the bilinear pairings is given as follows.

Definition 1. Let , , and be three multiplicative cyclic groups of a prime order . Assume that a mapping is an asymmetric bilinear map. Then, the map satisfies the following properties. (1)Bilinearity: for , , and (2)Nondegeneracy: for some and (3)Computability: can be efficiently computed for

For the asymmetric bilinear map, the BDH problem is to compute by given a tuple . We define the BDH assumption as follows.

Definition 2. On inputting a tuple , we say that the BDH problem holds if no algorithm has nonnegligible advantage in computing . The advantage can be denoted as .

3. Syntax and Security Notions

3.1. Syntax of RIBEET

Based on the syntax of IBEET schemes [6], we employ the revocation technique [21] to present a new syntax of RIBEET depicted in Figure 2 which consists of three roles and seven algorithms, namely Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. The first role is the private key generator (PKG) who is responsible for executing the first three algorithms, and the second role is the users who can, respectively, utilize Encryption, Decryption, and Trapdoor algorithms for encryption, decryption, and authorization. The last role is the cloud server (CS) who runs the Test algorithm to compare the two ciphertexts. For the user revocation, we use Figure 3 to illustrate how users are revoked by the PKG. If the PKG stops sending the time key to a user, it means that the user has been revoked since both initial key and time key are required to execute Decryption and Trapdoor algorithms. Here, we arrange some notations used in these algorithms in Table 2. The algorithms of RIBEET are described in detail as follows. (i)Setup: this algorithm is performed by the PKG who takes a security parameter and a time period as input to produce the public system parameters , the system life time , and the master private key (ii)InitialKey: this algorithm is performed by the PKG who takes the public system parameter , the master private key , and a user’s identity as input to produce user initial key (iii)TimeKey: this algorithm is performed by the PKG who takes the public system parameter , the master private key , a user’s identity , and a period as input to produce user time key (iv)Encryption: this algorithm is performed by a user (sender) who takes the public system parameter , a user’s identity , a period , and a message as input to produce a ciphertext (v)Decryption: this algorithm is performed by a user (receiver) who takes the public system parameter , the receiver’s initial key , the receiver’s time key , and the ciphertext as input to produce the message (vi)Trapdoor: this algorithm is performed by a user who takes her/his initial key and time key as input to produce the trapdoor (vii)Test: this algorithm is performed by the CS who takes the public system parameters and two ciphertext-trapdoor pairs and from any two users and as input to produce 1 or 0

3.2. Security Notions of RIBEET

In this section, we define the security notions of RIBEET which includes four types of adversaries. Two of these types are the same as the security notions of IBEET [6]. Considering the revoked users from RIBEET, we need to add two types of adversaries in the security notions. These four types of adversaries are presented as follows. (1)Type I adversary: such an adversary can obtain all information (including time key ) transmitted through public channels. The adversary can be regarded as an outside attacker(2)Type II adversary: such an adversary owns her/his initial key , but he does not have the current time key . The adversary can be regarded as a revoked user(3)Type III adversary: this adversary is identical to the type I adversary, except that she/he possesses the trapdoor (4)Type IV adversary: this adversary is identical to the type II adversary, except that she/he possesses the trapdoor

Following the security notions of IBEET [6], we consider revoked users to define the new security notions of RIBEET. Definitions 3 and 4, respectively, are given to state IND-ID-CCA and OW-ID-CCA security of an RIBEET scheme.

Definition 3 (IND-ID-CCA). Let be a type I or type II adversary for an RIBEET scheme and be a challenger in the following game. The scheme is IND-ID-CCA secure if the advantage that wins the game is negligible. (1)Setup. The challenger takes a security parameter and a time period as input to produce the public system parameters , the system life time , and the master private key . The public system parameters and the system life time are sent to the adversary (2)Phase 1. Several queries below can be issued by the adversary (a)InitialKey : given an identity , the challenger generates an initial key as the response by running the InitialKey algorithm of the RIBEET scheme(b)TimeKey : given an identity and a period , the challenger generates a time key as the response by running the TimeKey algorithm of the RIBEET scheme(c)Decryption : given an identity , a period , and a ciphertext , the challenger generates the resulting message as the response by running the Decryption of the RIBEET scheme(d)Trapdoor : given an identity and a period , the challenger generates a trapdoor as the response by running the Trapdoor of the RIBEET scheme(3)Challenge. Two messages , , an identity , and a period are submitted by the adversary . The challenger chooses from these two messages, where is a random coin. The challenger then generates a ciphertext as the challenge one by running the Encryption of the RIBEET scheme with . Here, the following restrictions must be satisfied (i)The adversary cannot issue the Trapdoor query with (ii)The adversary cannot issue the InitialKey query with if it is the type I adversary(iii)The adversary cannot issue the TimeKey query with if it is the type II adversary(4)Phase 2. Under the above restrictions, can execute the same tasks as in phase 1(5)Guess. The adversary outputs a guess and wins the game if . The advantage that wins the game can be denoted as

Definition 4 (OW-ID-CCA). Let be a type III or type IV adversary for an RIBEET scheme and be a challenger in the following game. The scheme is OW-ID-CCA secure if the advantage that wins the game is negligible. (1)Setup. The challenger takes a security parameter and a time period as input to produce the public system parameters , the system life time , and the master private key . The public system parameters and the system life time are sent to the adversary (2)Phase 1. Several queries below can be issued by the adversary (a)InitialKey : given an identity , the challenger generates an initial key as the response by running the InitialKey algorithm of the RIBEET scheme(b)TimeKey : given an identity and a period , the challenger generates a time key as the response by running the TimeKey algorithm of the RIBEET scheme(c)Decryption : given an identity , a period , and a ciphertext , the challenger generates the resulting message as the response by running the Decryption of the RIBEET scheme(d)Trapdoor : given an identity and a period , the challenger generates a trapdoor as the response by running the Trapdoor of the RIBEET scheme(3)Challenge. An identity and a period are submitted by the adversary . The challenger randomly chooses and then generates a ciphertext as the challenge one by running the Encryption of the RIBEET scheme with . Here, the following restrictions must be satisfied(a)The adversary cannot issue the InitialKey query with if it is the type III adversary(b)The adversary cannot issue the TimeKey query with if it is the type IV adversary(4)Phase 2. Under the above restrictions, can execute the same tasks as in phase 1(5)Guess. The adversary outputs a guess and wins the game if . The advantage that wins the game can be denoted as .

4. Concrete RIBEET Scheme

A revocable identity-based encryption with equality test scheme, which we denote by RIBEET, consists of algorithms Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. Each of the algorithms is described as follows. (1)Setup: this algorithm is performed by the PKG who takes a security parameter and a time period as input to produce an asymmetric bilinear map and a system life time , where , , and are multiplicative cyclic groups of prime order . The PKG first chooses two arbitrary generators and and picks eight cryptographic one-way hash functions , , , , , , , and , where and are fixed lengths. Then, a random value is chosen, and is computed. The public system parameters are , the system life time is , and the master private key is (2)InitialKey: this algorithm is performed by the PKG who takes the public system parameter , the master private key , and a user’s identity as input to produce user initial key

Here, the procedure of this algorithm is depicted in Figure 4. (3)TimeKey: this algorithm is performed by the PKG who takes the public system parameter , the master private key , a user’s identity , and a period as input to produce user time key

Here, the procedure of this algorithm is depicted in Figure 5. (4)Encryption: this algorithm is performed by a sender who takes the public system parameter , a user’s identity , a period , and a message as input to produce ciphertexts which are shown as follows(a)(b)(c)(d)

Here, and the two values and are chosen in random. (5)Decryption: this algorithm is performed by a receiver who takes the public system parameter , the receiver’s initial key , the receiver’s time key , and the ciphertext as input to produce the message . The detailed process is shown as follows:(a)Compute to obtain (b)Compute (c)Produce the message as if and both hold

The correctness of obtaining can be demonstrated as follows. (6)Trapdoor: this algorithm is performed by a user who takes her/his initial key and time key as input to produce the trapdoor (7)Test: this algorithm is performed by the CS who takes the public system parameters and two ciphertext-trapdoor pairs and , where and , from any two users and as input to produce 1 or 0 according to the following steps(a)Compute and as follows:(i)(ii)(b)Compute and (i)(ii)(c)Return 1 if . Otherwise, return 0

In the following, we present the details of (i)(ii)

5. Security Analysis

In this section, we give four theorems to show that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries.

Theorem 5. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that is a PPT type 1 adversary who has at least advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage where , , , , , and , respectively, are the number of queries to random oracle , random oracle , Initialkey query, Trapdoor query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type I adversary in the following security game. (1)Setup: the challenger utilizes the BDH tuple to set and then generates the public system parameters , where is a random oracle for . In addition, the system life time can be generated by the challenger . Then, gives the public system parameters and system life time . Here, the adversary can issue queries to each random oracle as follows (a) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps (i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and a random bit to computewhere and (which will be discussed later). Then, adds the tuple to the and returns to (b) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps:(a) returns as the response if exists in a tuple from the (b)Otherwise, picks a random value and utilizes to find in the . Then, computesand adds the tuple to . returns to (c) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value to compute . Then, adds the tuple to the and returns to (d) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value to compute . Then, adds the tuple to the and returns to (e) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and adds the tuple to the . Then, returns to (f) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random point and adds the tuple to the . Then, returns to (g) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and adds the tuple to the . Then, returns to (h) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random point and adds the tuple to the . Then, returns to (2)Phase 1: the adversary can, respectively, utilize , , and to issue the , , , and . The response to each query can be obtained as follows(a)InitialKey query: utilizes to issue the query, while , respectively, finds the corresponding tuples and from the and the according to . If , interrupts this game. If , use and to define . Then returns as the user initial key to (b): utilizes to issue the query, while , respectively, finds the corresponding tuples and from the and the according to . use and to define . Then, returns as the user time key to (c)Decryption query: utilizes to issue the query, while , respectively, finds the corresponding tuples , , , and from the , , , and the according to and . The response of this query is acquired from these lists by performing the following tasks(i)If , , respectively, uses and to run and to obtain and . Then, utilizes , , and to run the algorithm to produce the message which is sent to (ii)If , utilizes and , which are from , to find the corresponding tuple from the . Then, can be computed by using and . Further, utilizes and to find the corresponding tuples from the and from the . Obviously, and can be obtained. If can be found in the corresponding tuple from the such that holds, will confirm whether holds. If , the message is sent to (d)Trapdoor query: utilizes to issue the query, while , respectively, uses and to run and to obtain and . Then, utilizes and to produce the trapdoor which is sent to (3)Challenge: when the phase 1 is over, outputs a tuple as the target of the challenge. utilizes to find the corresponding tuples from the . If , interrupts this game. If , randomly selects and to run with and . Then, can be obtained. utilizes to set . In addition, sets , while a random value and a random point are chosen. Finally, the challenge ciphertext is sent to (4)Phase 2: can issue the same query as phase 1, but it must be under the condition of and (5)Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then, randomly selects a tuple from the and calculates , where . Hence, can output the BDH solution due to

Analysis. Let us start with two cases, namely, the simulation of for and the simulation of . For the and , it is obvious that the simulations are perfect because there exists no relationship between the constructions of these queries and the solution of the BDH problem. For the and , we consider two events and which, respectively, issues the with and the with . We say that the simulations of and are perfect if and do not happen. For the , we consider an event where the challenger cannot decrypt the ciphertext. Assume that is the number of . Then, we obtain Pr

Next, we discuss an event which states that the simulation of this security game will not be interrupted. Here, we can obtain , where is defined as the event that the challenger interrupts this security game. Since guesses with the advantage , the can be obtained if does not occur. Further, we have

According to above inequality, and , we have

Moreover, we obtain

Since , we can gain when . Then, we have

Here, the adversary can distinguish the target ciphertext is the real one when occurs. In addition, the tuple has been added in the . If the challenger picks the correct tuple from the , wins this security game. Meanwhile, the advantage of solving the BDH problem is

Theorem 6. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that is a PPT type 2 adversary who has at least advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage where , , , , , and , respectively, are the number of queries to random oracle , random oracle , Timekey query, Trapdoor query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type II adversary in the following security game. (1)Setup: the challenger utilizes the BDH tuple to set and then generates the public system parameters , where is a random oracle for . In addition, the system life time can be generated by the challenger . Then, gives the public system parameters and system life time . Here, the adversary can issue queries to each random oracle as follows(a) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value to compute . Then, adds the tuple to the and returns to (b) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value to compute . Then, adds the tuple to the and returns to (c) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and a random bit to compute where and (which will be discussed later). Then, adds the tuple to the and returns to (d) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and utilizes to find in the . Then, computes and add the tuple to . returns to (e) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and adds the tuple to the . Then, returns to (f) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random point and adds the tuple to the . Then, returns to (g) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and adds the tuple to the . Then, returns to (h) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random point and adds the tuple to the . Then, returns to (2)Phase 1: the adversary can, respectively, utilize , , , and to issue the , , , and . The response to each query can be obtained as follows(a)InitialKey query: utilizes to issue the query, while , respectively, finds the corresponding tuples and from the and the according to . use and to define . Then, returns as the user initial key to (b)Timekey query: utilizes to issue the query, while , respectively, finds the corresponding tuples and from the and the according to . If , interrupts this game. If , use and to define . Then, returns as the user time key to (c)Decryption query: utilizes to issue the query, while , respectively, finds the corresponding tuples , , , and from the , , , and according to and . The response of this query is acquired from these lists by performing the following tasks(i)If , , respectively, uses and to run and to obtain and . Then, utilizes , , and to run the algorithm to produce the message which is sent to (ii)If , utilizes and , which are from , to find the corresponding tuple from the . Then, can be computed by using and . Further, utilizes and to find the corresponding tuples from the and from the . Obviously, and can be obtained. If can be found in the corresponding tuple from the such that holds, will confirm whether holds. If , the message is sent to (1)Trapdoor query: utilizes to issue the query, while , respectively, uses and to run and to obtain and . Then, utilizes and to produce the trapdoor which is sent to (3)Challenge: when phase 1 is over, outputs a tuple as the target of the challenge. utilizes to find the corresponding tuples from the . If , interrupts this game. If , randomly selects and to run with and . Then, can be obtained. utilizes to set . In addition, sets , while a random value and a random point are chosen. Finally, the challenge ciphertext is sent to (2)Phase 2: can issue the same query as phase 1, but it must be under the condition of and (3)Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then, randomly selects a tuple from the and outputs the BDH solution due to The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is

Theorem 7. If the BDH assumption holds, the proposed RIBEET scheme satisfies the OW-ID-CCA security in the security game. More precisely, suppose that is a PPT type 3 adversary who has at least advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage where , , , and , respectively, are the number of queries to random oracle , Initialkey query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type III adversary in the following security game. (i)Setup: The challenger utilizes the BDH tuple to set , and then generates the public system parameters , where is a random oracle for . In addition, the system life time can be generated by the challenger . Then gives the public system parameters and system life time . Here, the adversary can issue queries to each random oracle as below(a) : answers in the same form as the proof of Theorem 5(b) : can utilize to obtain a response to the random oracle from the challenger . To obtain the response, maintains a list, called which is composed of tuples, and the format of the tuple is . The response is acquired from the which is initially empty and can be updated by the following steps(i) returns as the response if exists in a tuple from the (ii)Otherwise, picks a random value and utilizes to find in the . Then computes and adds the tuple to . returns to (c)queries: answers in the same form as the proof of Theorem 5(ii)Phase 1: The adversary can, respectively, utilize , , and to issue the , , and . The response to each query can be obtained as follows(1)InitialKey query: answers in the same form as the proof of Theorem 5(2)Timekey query: answers in the same form as the proof of Theorem 5(3)Decryption query: utilizes to issue the query, while , respectively, finds the corresponding tuples , , and from the , , and the according to and . The response of this query is acquired from these lists by performing the following tasks(i)If , , respectively, uses and to run and to obtain and . Then utilizes , and to run algorithm to produce the message which is sent to (ii)If , utilizes and , which are from , to find the corresponding tuple from the . Then can be computed by using and . Further, utilizes and to find the corresponding tuples from the and from the . Obviously, and can be obtained. After that, utilizes and to run and to obtain and and computes . If can be found in the corresponding tuple from the such that holds, will confirm whether holds. If , the message is sent to (d)Trapdoor query: utilizes to issue the query, while , respectively, uses and to run and to obtain and . Then utilizes and to produce the trapdoor which is sent to (e)Challenge: When the phase 1 is over, outputs a tuple as the target of the challenge. utilizes to find the corresponding tuples from the If , interrupts this game. If , randomly selects to run with and . Then can be obtained. utilizes to set and find and to get and such that . In addition, sets , while a random value is chosen. Finally, the challenge ciphertext is sent to (f)Phase 2: can issue the same query as the phase 1, but it must be under the condition of and (g)Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then randomly selects a tuple from the , and outputs the BDH solution A = due to The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is .

Theorem 8. If the BDH assumption holds, the proposed RIBEET scheme satisfies the OW-ID-CCA security in the security game. More precisely, suppose that is a PPT type 4 adversary who has at least advantage to break the RIBEET scheme. Then, there exists an algorithm to solve the BDH problem with the advantage. where , , and , respectively, are the number of queries to random oracle , Timekey query, Decryption query, and Euler’s number.

Proof. An algorithm is constructed to solve the BDH problem. The algorithm is given a BDH tuple which is defined in Section 2. The algorithm can be seen as a challenger to find the answer of the BDH problem. The answer can be found by interacting with the PPT type IV adversary in the following security game. (i)Setup: The challenger utilizes the BDH tuple to set , and then generates the public system parameters , where is a random oracle for . In addition, the system life time can be generated by the challenger . Then gives the public system parameters and system life time . Here, the adversary can issue queries to each random oracle as below(a)queries: answers in the same form as the proof of Theorem 6(b)queries: answers in the same form as the proof of Theorem 5(ii)Phase 1: The adversary can, respectively, utilize , , and to issue the , , and . The response to each query can be obtained as follows(a)InitialKey query: answers in the same form as the proof of Theorem 6(b)Timekey query: answers in the same form as the proof of Theorem 6(c)Decryption query: answers in the same form as the proof of Theorem 7(d)Trapdoor query: answers in the same form as the proof of Theorem 7(1)Challenge: When the phase 1 is over, outputs a tuple as the target of the challenge. utilizes to find the corresponding tuples from the If , interrupts this game. If , randomly selects to run with and . Then can be obtained. utilizes to set and find and to get and such that . In addition, sets , while a random value is chosen. Finally, the challenge ciphertext is sent to (2)Phase 2: can issue the same query as the phase 1, but it must be under the condition of and (3)Guess: responds to with a guess . If , responds with failure and terminates. Otherwise, wins the game. Then randomly selects a tuple from the , and outputs the BDH solution A = due to The security analysis is similar to Theorem 5. We obtain that ’s advantage to solve the BDH problem is .

Theorem 9. The proposed RIBEET scheme is secure for brute force attacks if the discrete logarithm problem is hard.

Proof. As mentioned in the concrete RIBEET scheme, the public system parameters are = {, , , , , , , , , , , , , , , }, the system life time is = {, ,, } and the master private key is = . Based on the discrete logarithm problem, we ensure that the adversary cannot recover the master private key = form = . In addition, the security of the user initial key and user time key is also based on the discrete logarithm problem due to = (, ) = (, ) = (, ) and = () = (, ) = (, ). Hence, the proposed RIBEET scheme can resist brute force attacks.

6. Comparison

In this section, we compare the proposed RIBEET scheme with the previous RIBE scheme [21] and IBEET scheme [6]. In order to analyze the cost of performing encryption, decryption and equality test, we first define two notations as follows. (1): time to perform a bilinear pairing (2): time to perform an exponentiation in , or

We gain ms and ms from the literature [32]. These two execution times are obtained under the hardware device with Intel Core i7-8550U 1.80 GHz processor. Meanwhile, the prime number selected in the cryptosystem setting phase is 256-bit. In addition, three multiplicative cyclic groups , , and of the prime order are chosen in the simulation.

In Table 3, we list the comparisons of our proposed RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6, 10, 11] in terms of the cost of performing encryption, decryption and equality test, and two properties related to user revocation and equality test of ciphertexts. For the cost of performing encryption and decryption, Tseng and Tsai’s RIBE scheme [21] has better performance than the other two schemes. However, Tseng and Tsai’s RIBE scheme does not support equality test of ciphertexts. Although the existing IBEET schemes [6, 10, 11] and our proposed RIBEET scheme support equality test of ciphertexts, the IBEET schemes does not have a mechanism to revoke users. Conversely, our proposed RIBEET scheme not only provides user revocation, but also retains the cost of encryption, decryption and equality test with the existing IBEET schemes. Additionally, Table 4 compares our RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6, 10, 11] in terms of , , and which are, respectively, denoted as the bit length of user public key, ciphertext and trapdoor. We observed that the communication cost of our RIBEET scheme is similar to that of other schemes.

As mentioned in Section 1, the data collected from sensors on the patients is finally encrypted by the mobile device and then transmitted to the cloud. For the analysis of energy cost, we employ the “ampere” app to measure the voltage and current on the mobile device. After running this app, we obtain 14.28 V and 2856 mA on the mobile device. Table 5 lists the energy cost of performing encryption on the mobile device by using the formula , where , , , and , respectively, are watt, voltage, current, and time.

7. Conclusions

We considered the existing syntax of IBEET and the property of user revocation to present the new syntax of RIBEET. Under the new syntax, we proposed a concrete RIBEET scheme. Meanwhile, we demonstrated that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries. We compared the proposed scheme with the previous RIBE scheme and IBEET scheme. We showed that the proposed scheme not only supports equality test for ciphertexts but also provides user revocation.

Data Availability

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Acknowledgments

This research was partially supported by the Ministry of Science and Technology, Taiwan, under contract nos. MOST 110-2222-E-019-001-MY2 and MOST 110-2221-E-019-041-MY3.

References

Y. Dodis, S. Goldwasser, Y. T. Kalai, C. Peikert, and V. Vaikuntanathan, “Public-key encryption schemes with auxiliary inputs,” Theory of Cryptography, Springer, Berlin, Heidelberg, pp. 361–381, 2010.
View at: Publisher Site | Google Scholar
D. Hofheinz and T. Jager, “Tightly secure signatures and public-key encryption,” Advances in Cryptology-CRYPTO 2012, Springer, Berlin, Heidelberg, pp. 590–607, 2012.
View at: Google Scholar
R. Chen, Y. Mu, G. Yang, F. Guo, and X. Wang, “Server-aided public key encryption with keyword search,” IEEE Transactions on Information Forensics and Security, vol. 11, no. 12, pp. 2833–2842, 2016.
View at: Publisher Site | Google Scholar
P. Xu, S. He, W. Wang, W. Susilo, and H. Jin, “Lightweight searchable public-key encryption for cloud-assisted wireless sensor networks,” IEEE Transactions on Industrial Informatics, vol. 14, no. 8, pp. 3712–3723, 2018.
View at: Publisher Site | Google Scholar
D. Boneh and M. Franklin, “Identity-based encryption from the Weil pairing,” Advances in Cryptology–CRYPTO 2001, Springer, Berlin, Heidelberg, pp. 213–229, 2001.
View at: Google Scholar
S. Ma, “Identity-based encryption with outsourced equality test in cloud computing,” Information Sciences, vol. 328, pp. 389–402, 2016.
View at: Publisher Site | Google Scholar
X. J. Lin, L. Sun, and H. Qu, “Generic construction of public key encryption, identity-based encryption and signcryption with equality test,” Information Sciences, vol. 453, pp. 111–126, 2018.
View at: Publisher Site | Google Scholar
H. T. Lee, H. Wang, and K. Zhang, “Security analysis and modification of ID-based encryption with equality test from ACISP,” Information Security and Privacy, Springer, Cham, pp. 780–786, 2018.
View at: Publisher Site | Google Scholar
D. H. Dung, H. Q. Le, P. S. Roy, and W. Susilo, “Lattice-based IBE with equality test in standard model,” Provable Security, Springer, Cham, pp. 19–40, 2019.
View at: Publisher Site | Google Scholar
R. Elhabob, Y. Zhao, N. Eltayieb, A. M. Abdelgader, and H. Xiong, “Identity-based encryption with authorized equivalence test for cloud-assisted IoT,” Cluster Computing, vol. 23, no. 2, pp. 1085–1101, 2020.
View at: Publisher Site | Google Scholar
X. J. Lin, Q. Wang, L. Sun, and H. Qu, “Identity-based encryption with equality test and datestamp-based authorization mechanism,” Theoretical Computer Science, vol. 861, pp. 117–132, 2021.
View at: Publisher Site | Google Scholar
H. Alemdar and C. Ersoy, “Wireless sensor networks for healthcare: a survey,” Computer Networks, vol. 54, no. 15, pp. 2688–2710, 2010.
View at: Publisher Site | Google Scholar
B. Latr, B. Braem, I. Moerman, C. Blondia, and P. Demeester, “A survey on wireless body area networks,” Wireless Networks, vol. 17, no. 1, pp. 1–8, 2011.
View at: Publisher Site | Google Scholar
J. Zhang, H. Nian, X. Ye, X. Ji, and Y. Heg, “A spatial correlation based partial coverage scheduling scheme in wireless sensor networks,” Journal of Network Intelligence, vol. 5, no. 2, pp. 34–43, 2020.
View at: Google Scholar
C. H. Hsieh, J. Lin, C. M. Yu, M. H. Hung, and F. Huang, “A TSP-over-LEACH protocol for energy-efficient wireless sensor networks,” Journal of Network Intelligence, vol. 6, no. 4, pp. 835–846, 2021.
View at: Google Scholar
C. M. Chen, Z. Li, S. A. Chaudhry, and L. Li, “Attacks and solutions for a two-factor authentication protocol for wireless body area networks,” Security and Communication Networks, vol. 2021, 12 pages, 2021.
View at: Publisher Site | Google Scholar
H. Xiong, Y. Hou, X. Huang, Y. Zhao, and C. M. Chen, “Heterogeneous signcryption scheme from IBC to PKI with equality test for WBANs,” IEEE Systems Journal, vol. 16, no. 2, pp. 2391–2400, 2021.
View at: Google Scholar
R. Housley, W. Polk, W. Ford, and D. Solo, “Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile,” 2002, IETF RFC 3280.
View at: Google Scholar
A. Boldyreva, V. Goyal, and V. Kumar, “Identity-based encryption with efficient revocation,” in Proceedings of the 15th ACM conference on Computer and communications security (CCS ‘08), pp. 417–426, Alexandria, Virginia, USA, 2008.
View at: Google Scholar
B. Libert and D. Vergnaud, “Adaptive-ID secure revocable identity-based encryption,” Topics in Cryptology–CT-RSA 2009, Springer, Berlin, Heidelberg, pp. 1–15, 2009.
View at: Google Scholar
Y. M. Tseng and T. T. Tsai, “Efficient revocable ID-based encryption with a public channel,” Computer Journal, vol. 55, no. 4, pp. 475–486, 2012.
View at: Publisher Site | Google Scholar
J. H. Seo and K. Emura, “Revocable identity-based encryption revisited: security model and construction,” Public-Key Cryptography–PKC 2013, Springer, Berlin, Heidelberg, pp. 216–234, 2013.
View at: Google Scholar
Y. Watanabe, K. Emura, and J. H. Seo, “New revocable IBE in prime-order groups: adaptively secure, decryption key exposure resistant, and with short public parameters,” Topics in Cryptology–CT-RSA 2017, Springer, Cham, pp. 432–449, 2017.
View at: Google Scholar
A. Takayasu and Y. Watanabe, “Lattice-based revocable identity-based encryption with bounded decryption key exposure resistance,” Information Security and Privacy, Springer, Cham, pp. 184–204, 2017.
View at: Publisher Site | Google Scholar
S. Katsumata, T. Matsuda, and A. Takayasu, “Lattice-based revocable (hierarchical) IBE with decryption key exposure resistance,” Public-Key Cryptography–PKC 2019, Springer, Cham, pp. 441–471, 2019.
View at: Google Scholar
A. Takayasu, “Adaptively secure lattice-based revocable IBE in the QROM: compact parameters, tight security, and anonymity,” Designs, Codes and Cryptography, vol. 89, no. 8, pp. 1965–1992, 2021.
View at: Publisher Site | Google Scholar
J. Baek, R. Safavi-Naini, and W. Susilo, “Public key encryption with keyword search revisited,” Computational Science and Its Applications–ICCSA 2008, Springer, Berlin, Heidelberg, pp. 1249–1259, 2008.
View at: Google Scholar
S. T. Hsu, C. C. Yang, and M. S. Hwang, “A study of public key encryption with keyword search,” International Journal of Network Security, vol. 15, no. 2, pp. 71–79, 2013.
View at: Google Scholar
G. Yang, C. H. Tan, Q. Huang, and D. S. Wong, “Probabilistic public key encryption with equality test,” Topics in Cryptology–CT-RSA 2010, Springer, Berlin, Heidelberg, pp. 119–131, 2010.
View at: Google Scholar
A. Shamir, “Identity-based cryptosystems and signature schemes,” Advances in Cryptology, Springer, Berlin, Heidelberg, pp. 47–53, 1985.
View at: Google Scholar
H. Li, Q. Huang, S. Ma, J. Shen, and W. Susilo, “Authorized equality test on identity-based ciphertexts for secret data sharing via cloud storage,” IEEE Access, vol. 7, pp. 25409–25421, 2019.
View at: Publisher Site | Google Scholar
Y. Li, Q. Cheng, X. Liu, and X. Li, “A secure anonymous identity-based scheme in new authentication architecture for mobile edge computing,” IEEE Systems Journal, vol. 15, no. 1, pp. 935–946, 2021.
View at: Publisher Site | Google Scholar

Copyright

Copyright © 2022 Tung-Tso Tsai et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

PDF Download Citation

Download other formats

Order printed copies

Views

270

Downloads

328

Citations