Identity-Based Matchmaking Encryption with Equality Test

Abstract

The identity-based encryption with equality test (IBEET) has become a hot research topic in cloud computing as it provides an equality test for ciphertexts generated under different identities while preserving the confidentiality. Subsequently, for the sake of the confidentiality and authenticity of the data, the identity-based signcryption with equality test (IBSC-ET) has been put forward. Nevertheless, the existing schemes do not consider the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information. How to ensure confidentiality, authenticity, and anonymity in the IBEET setting remains a significant challenge. In this paper, we put forward the concept of the identity-based matchmaking encryption with equality test (IBME-ET) to address this issue. We formalized the system model, the definition, and the security models of the IBME-ET and, then, put forward a concrete scheme. Furthermore, our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.

1. Introduction

The swift progress in cloud computing featured by the outsourcing of data to the cloud has given rise to a growing trend among organizations and individuals, enabling entities to benefit from the ultra-large capacity and calculating services provided by cloud providers. The maintenance of data confidentiality is a fundamental security requirement of cloud storage, which is generally achieved by employing existing cryptographic mechanisms. Nonetheless, how to perform efficient searches on ciphertexts is a practical problem. In order to protect data confidentiality and, meanwhile, support privacy-preserving keyword searching on ciphertexts, public key encryption with keyword search (PEKS) has been presented [1]. Nevertheless, PEKS is limited to searching on ciphertexts generated under a single public key, rendering it unsuitable for cloud storage scenarios involving multiple users.

To provide privacy-preserving equality searching on ciphertexts encrypted under distinct public keys without losing the data confidentiality, Yang et al. [2] put forward an extension of PEKS known as the public key encryption with equality test (PKEET). However, in Yang et al.’s construction, anyone can conduct the equality test without authorization, which infringes on the data owner’s privacy. Hence, the authorization mechanism was introduced into the PKEET to guarantee that no one except the data owner can enable the cloud server to test its ciphertexts with the others’.

Subsequently, Ma [3] proposed the identity-based encryption with equality test (IBEET) to eliminate the certificate management problem of the PKEET. In this primitive, the identities of the sender and receiver were exploited to denote the public keys, eliminating the need for certificate management. Owing to the equality test function, the IBEET has been applied in various practical applications, such as personal health record (PHR) systems [4,5] and Internet of Vehicles (IoV) road monitoring [6].

Ensuring the authenticity of data is another fundamental security requirement of cloud storage. For the sake of the confidentiality and authenticity of data while supporting the privacy-preserving equality test for ciphertexts generated from different identities, Xiong et al. [7] presented the identity-based signcryption with equality test (IBSC-ET). Afterwards, several related signcryption schemes supporting the equality test have been conceived of. Nevertheless, the existing studies have not considered the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information.

1.1. Motivation

As depicted in Figure 1, in a PHR system, the patients’ PHRs contain as much relevant health data as possible from various healthcare providers over their lifetime. To ensure patients’ privacy, it is essential to store the health data in the cloud in ciphertext form. To find patients having similar illnesses, a patient (e.g., Alice or Bob) can authorize the cloud server to compare his/her ciphertexts sent by a specified healthcare provider with the others’ ciphertexts, so that the patients can help each other by sharing their experiences or mental processes.

However, by employing the existing signcryption schemes with equality test (to guarantee the confidentiality and authenticity of health data while supporting the privacy-preserving equality test on ciphertexts), the patients are unable to prevent sensitive personal information from being leaked to the cloud server. That is because the existing schemes do not consider the anonymity of the sender and receiver of the ciphertext. Consequently, the cloud server can know the healthcare provider of the ciphertext, e.g., MD Anderson Cancer Center. Likewise, from the ciphertext and the authorization trapdoor, the cloud server can learn whose identity the ciphertext is encrypted under, namely who is the receiver of the ciphertext, in this way to identify the patient associated with the ciphertext. Obviously, this seriously infringes upon the patient’s privacy.

Hence, during the equality testing procedure, there are three security aspects that should be guaranteed against the cloud server:

• Confidentiality: The cloud server has no knowledge about the health data concealed in the ciphertext.
• Authenticity: The cloud server is unable to fake any legitimate ciphertext pertaining to the sender and the receiver.
• Anonymity: The cloud server has no knowledge about the identities of the sender and the receiver concealed in the ciphertext.

Therefore, we propose a new primitive, which not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.

1.2. Related Works

Search on ciphertexts: Searchable encryption (SE) [8] was put forward to offer secure search functionality over ciphertexts encrypted under single public key. There are two categories of SE: public key encryption with keyword search (PEKS) [1,9,10] and symmetric searchable encryption (SSE) [11,12]. PEKS was conceived of by Boneh et al. [1] to support keyword searching over ciphertexts in public key settings by using the corresponding trapdoors without retrieving messages. After that, a variety of PEKS schemes have been presented for enhanced functionalities and different application requirements [9,10]. However, SE cannot offer equality test functionality for ciphertexts generated under different identities, which differs from our proposal.

Equality test on ciphertexts: The primitive of the PKEET was put forward to verify whether the identical message is concealed in two ciphertexts, where the ciphertexts may be encrypted under distinct public keys [2]. Then, the authorization mechanisms were introduced into the PKEET, and a series of PKEET schemes supporting various authorizations were proposed [13,14]. Ma [3] first introduced the primitive of the IBEET, to eliminate the certificate management problem of the traditional PKEET. A semi-generic IBEET scheme was conceived of by Lee et al. [15] to achieve CCA security. Then, several IBEET schemes supporting various authorizations were introduced [16,17]. Although the above schemes offer equality test functionality while preserving the confidentiality, the data authenticity is not guaranteed. To address this challenge, Xiong et al. [7] established the notion of the IBSC-ET by combining identity-based signcryption (IBSC) [18] and the IBEET. Afterwards, several signcryption schemes with equality test functionality for heterogeneous systems were proposed [19,20,21]. However, the existing studies have not considered the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information, which differs from our proposal.

Identity-based matchmaking encryption: In CRYPTO 2019, Ateniese et al. [22] put forward the primitive of identity-based matching encryption (IB-ME) to logically ensure the confidentiality, authenticity, and anonymity of data in one step. The guarantee of IB-ME is as follows: the recipient obtains the message when the match happens (both parties’ identities match the identity specified by the other party); in case the match does not happen, no information is disclosed other than the fact of the mismatch. Then, by extending IB-ME, a secure access control scheme was conceived of by Xu et al. [23] for cloud–fog computing, and a secure access control scheme was suggested by Sun et al. [24] for cloud-enabled industrial IoT healthcare systems. Chen et al. [25] suggested an IB-ME scheme on the basis of standard assumptions. Wu et al. [26] conceived of a Fuzzy IB-ME scheme. Yan et al. [27] conceived of an IB-ME scheme supporting proxy decryption. Sun et al. [28] suggested an IB-ME scheme supporting a broadcast mechanism. However, although IB-ME can ensure the confidentiality, authenticity, and anonymity of data, all of these related schemes cannot offer equality test functionality for ciphertexts without losing the confidentiality, authenticity, and anonymity of the data, which differs from our proposal.

1.3. Contributions

We emphasize here again that the existing cryptographic schemes with the equality test do not consider the anonymity of the sender and the receiver, which leads to the potential leakage problem of sensitive personal information. Hence, we put forward a novel primitive, called the identity-based matchmaking encryption with equality test (IBME-ET), by combining IB-ME and the IBEET. This primitive not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.

Our proposed IBME-ET can advance the anonymity of existing applications. For example, in a PHR system [4,5], the patient can permit the cloud server to compare his/her encrypted health data sent by a specified healthcare provider with the others’, in this way to make friends with the patients having a similar illness. Our proposal can simplify the leakage problem of the real identities of the healthcare provider and the patient, which exists in current cryptographic schemes with the equality test, thereby guaranteeing the confidentiality, authenticity, and anonymity of the patients’ health data.

The equality testing process in the IBME-ET can be succinctly outlined as follows: Let $C_{({\sigma }_A,{rcv}_A)}$ denote a ciphertext generated on $(e{k}_{{\sigma }_A},{rcv}_A,m_A)$ and $C_{({\sigma }_B,{rcv}_B)}$ denote a ciphertext generated on $(e{k}_{{\sigma }_B},{rcv}_B,m_B)$, where $e{k}_{{\sigma }_A}$ and $e{k}_{{\sigma }_B}$ are the encryption keys of the senders with identities ${\sigma }_A$ and ${\sigma }_B$ and $rc{v}_A$ and $rc{v}_B$ are the identities of the specified receivers, respectively. Furthermore, let $t{d}_{(sn{d}_A,{\rho }_A)}$ be a trapdoor generated on $(sn{d}_A,d{k}_{{\rho }_A})$ and $t{d}_{(sn{d}_B,{\rho }_B)}$ be a trapdoor generated on $(sn{d}_B,d{k}_{{\rho }_B})$, where $sn{d}_A$ and $sn{d}_B$ are the identities of the specified senders and $d{k}_{{\rho }_A}$ and $d{k}_{{\rho }_B}$ are the decryption keys of the receivers with identities ${\rho }_A$ and ${\rho }_B$, respectively. Given $(C_{({\sigma }_A,{rcv}_A)},t{d}_{(sn{d}_A,{\rho }_A)})$ and $(C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})$, two conditions are involved:

• Match (i.e., ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B\wedge m_A=m_B$): the cloud server returns 1, and no further information is revealed other than the fact that the match happened, that is the cloud server learns neither the messages $m_A=m_B$ nor the identities ${\sigma }_A={snd}_A$, ${rcv}_A={\rho }_A$, ${\sigma }_B={snd}_B$, ${rcv}_B={\rho }_B$.
• Mismatch (i.e., ${\sigma }_A\ne {snd}_A\vee {rcv}_A\ne {\rho }_A\vee {\sigma }_B\ne {snd}_B\vee {rcv}_B\ne {\rho }_B\vee m_A\ne m_B$): the cloud server returns 0, and no further information is revealed other than the fact of the mismatch, that is the cloud server learns neither the messages $m_A$, $m_B$ nor the identities ${\sigma }_A$, ${snd}_A$, ${rcv}_A$, ${\rho }_A$, ${\sigma }_B$, ${snd}_B$, ${rcv}_B$, ${\rho }_B$.

The principal contributions can be succinctly outlined as follows:

• We present the notion of the IBME-ET, which not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.
• We put forward the system model and definition of the IBME-ET. With respect to the confidentiality, authenticity, and anonymity, we formulated four security models for the IBME-ET by taking four types of adversaries into account.
• We constructed a concrete IBME-ET scheme on the basis of the BDH assumption and the Gap-BDH assumption. Our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.

1.4. Organization

In general: Section 2 introduces the preliminaries while Section 3 presents IBME-ET by displaying its system, definition and four security models. Section 4 and Section 5, respectively, focus on the detailed scheme and analysis of security. Then, Section 6 focuses on performance evaluation, Section 7 arrives at a conclusion.

2. Preliminaries

2.1. Asymmetric Bilinear Groups

$\mathbb{G},\widehat{\mathbb{G}}$, and ${\mathbb{G}}_T$ indicate three multiplicative cyclic groups with prime order q. g and $\widehat{g}$ are the generators of $\mathbb{G}$ and $\widehat{\mathbb{G}}$, respectively. An asymmetric bilinear map $e:\mathbb{G}\times \widehat{\mathbb{G}}\to {\mathbb{G}}_T$ includes the following characteristics:

• Bilinearity:$\forall x\in \mathbb{G}$, $\forall y\in \widehat{\mathbb{G}}$ and $\forall u,v\in {\mathbb{Z}}_q^{*}$, $e(x^u,y^v)=$$e{(x,y)}^{uv}$.
• Non-degeneracy:$\exists g\in \mathbb{G}$, $\widehat{g}\in \widehat{\mathbb{G}}$, $e(g,\widehat{g})\ne 1$.

Note that the group operations and asymmetric bilinear map e can be computed efficiently. However, if no efficiently computable isomorphisms are found between $\mathbb{G}$ and $\widehat{\mathbb{G}}$, then $\mathbb{G},\widehat{\mathbb{G}}$ and ${\mathbb{G}}_T$ do not possess efficiently computable isomorphisms.

2.2. Assumptions

• Bilinear Diffie–Hellman (BDH) assumption: When a tuple $(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b)\in {\mathbb{G}}^3\times {\widehat{\mathbb{G}}}^3$ is given, no PPT algorithm $\mathcal{A}$ calculates $e{(g,\widehat{g})}^{abc}\in {\mathbb{G}}_T$ with non-negligible advantage. Define $\mathcal{A}$’s advantage as

  $$Ad{v}_{BDH}^{\mathcal{A}}\left(\lambda \right)=\mathrm{Pr}[\mathcal{A}(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)=e{(g,\widehat{g})}^{abc}].$$
• Gap-bilinear Diffie–Hellman (Gap-BDH) assumption: When a tuple $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)\in {\mathbb{G}}^3\times {\widehat{\mathbb{G}}}^3$ is given, even with the decision BDH oracle ${\mathcal{O}}_{\mathcal{DBDH}}$, no PPT algorithm $\mathcal{A}$ calculates $e{(g,\widehat{g})}^{abc}\in$${\mathbb{G}}_T$ with non-negligible advantage [29]. Tuples of the form $(g,g^a,g^c,$ $\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,e{(g,\widehat{g})}^{abc})$ are known as “BDH tuples”. With $(g,g^a,$$g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,T)$, ${\mathcal{O}}_{\mathcal{DBDH}}$ is able to check $T=e{(g,\widehat{g})}^{abc}$ or not. ${\mathcal{O}}_{\mathcal{DBDH}}$ outputs 1 when $T=e{(g,\widehat{g})}^{abc}$; otherwise, ${\mathcal{O}}_{\mathcal{DBDH}}$ outputs 0. Define $\mathcal{A}$’s advantage as

  $$Ad{v}_{Gap-BDH}^{\mathcal{A}}\left(\lambda \right)=\mathrm{Pr}[\mathcal{A}(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,{\mathcal{O}}_{\mathcal{DBDH}})=e{(g,\widehat{g})}^{abc}].$$

3. Definitions of IBME-ET

3.1. System Model

In Figure 2, our proposed IBME-ET comprises four distinct entities.

• KGC: This entity’s responsibility is to securely generate and distribute encryption keys and decryption keys.
• Sender: This entity’s responsibility is to generate ciphertexts, ensuring the confidentiality, authenticity, and anonymity of the data.
• Receiver: This entity is responsible for collecting and outsourcing ciphertexts from potential senders secretly. It permits the cloud server to test ciphertexts sent by a specific sender without compromising the confidentiality, authenticity, and anonymity of the data.
• Cloud server: This entity’s responsibility is to store the ciphertexts and perform equality tests based on the receivers’ authorizations.

Our workflow is succinctly outlined as follows:

• The KGC utilizes the algorithm SKGen to calculate the encryption key $e{k}_{\sigma }$ in accordance with the identity of the sender $\sigma$ and securely delivers this to the sender. Similarly, the KGC utilizes the algorithm RKGen to calculate the decryption key $d{k}_{\rho }$ in accordance with the identity of the receiver $\rho$ and securely delivers this to the receiver.
• A sender identified as $\sigma$ executes the algorithm Enc to conceal the message m using encryption key $e{k}_{\sigma }$ along with a target receiver’s identity $rcv$, delivering it to the receiver with the ciphertext $C_{(\sigma ,rcv)}$.
• A receiver identified as $\rho$ executes the algorithm Decc to decrypt the ciphertexts by employing the receiver’s decryption key $d{k}_{\rho }$ and the identity of the target sender $snd$, delivering the desirable ciphertexts to the cloud server. Specifically, given $C_{(\sigma ,rcv)}$, $d{k}_{\rho }$, and $snd$, the guarantee in the decryption procedure is as follows:
  • Match (i.e., $\sigma =snd\wedge \rho =rcv$): the message m is obtained by the receiver.
  • Mismatch (i.e., $\sigma \ne snd\vee \rho \ne rcv$): the receiver obtains neither the message m nor the identities $\sigma$, $rcv$.
• To test the ciphertexts offered by a target sender, the receiver identified as $\rho$ executes the algorithm Auth to calculate a trapdoor $t{d}_{(snd,\rho )}$ with the identity of the target sender $snd$ and its decryption key $d{k}_{\rho }$ and delivers the trapdoor to the cloud server.
• Utilizing the receivers’ trapdoors, the cloud server executes the algorithm Test to test the ciphertexts sent by the specified senders without learning the messages and identities. Specifically, given $(C_{({\sigma }_A,{rcv}_A)},t{d}_{(sn{d}_A,{\rho }_A)})$ and $(C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})$, the guarantee in equality testing procedure is as follows:
  • Match (i.e., ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B\wedge m_A=m_B$): the cloud server returns 1, and the cloud server learns neither the messages $m_A=m_B$ nor the identities ${\sigma }_A={snd}_A$, ${rcv}_A={\rho }_A$, ${\sigma }_B={snd}_B$, ${rcv}_B={\rho }_B$.
  • Mismatch (i.e., ${\sigma }_A\ne {snd}_A\vee {rcv}_A\ne {\rho }_A\vee {\sigma }_B\ne {snd}_B\vee {rcv}_B\ne {\rho }_B\vee m_A\ne m_B$): the cloud server returns 0, and the cloud server learns neither the messages $m_A$, $m_B$ nor the identities ${\sigma }_A$, ${snd}_A$, ${rcv}_A$, ${\rho }_A$, ${\sigma }_B$, ${snd}_B$, ${rcv}_B$, ${\rho }_B$.

3.2. IBME-ET Definition

An IBME-ET scheme comprises the subsequent algorithms:

• $Setup\left(\lambda \right)\to (pp,mk)$: The system parameters $pp$ along with the master key $mk$ are answered.
• $SKGen(pp,mk,\sigma )\to e{k}_{\sigma }$: The encryption key $e{k}_{\sigma }$ for the sender identified as $\sigma$ is answered.
• $RKGen(pp,mk,\rho )\to d{k}_{\rho }$: The decryption key $d{k}_{\rho }$ for the receiver identified as $\rho$ is answered.
• $Enc(pp,e{k}_{\sigma },rcv,m)\to C$: Given the system parameters $pp$, an encryption key of the sender $e{k}_{\sigma }$, and an identity of the target receiver $rcv$ along with the message m, the corresponding ciphertext C is answered.
• $Dec(pp,d{k}_{\rho },snd,C)\to m/\perp$: Given the system parameters $pp$, a decryption key of the receiver $d{k}_{\rho }$, and an identity of the target sender $snd$ along with the ciphertext C, the corresponding message m is answered or the symbol ⊥ to signal the failure of the decryption is answered.
• $Auth(pp,snd,d{k}_{\rho })\to t{d}_{(snd,\rho )}$: Given the system parameters $pp$ and an identity of the target sender $snd$ along with a decryption key of the receiver $d{k}_{\rho }$, the corresponding trapdoor $t{d}_{(snd,\rho )}$ is answered.
• $Test(pp,C_{({\sigma }_A,{rcv}_A)},t{d}_{({snd}_A,{\rho }_A)},C_{({\sigma }_B,{rcv}_B)},t{d}_{({snd}_B,{\rho }_B)})\to 0/1$: Given the system parameters $pp$, two pairs of ciphertext/trapdoors $(C_{({\sigma }_A,{rcv}_A)},t{d}_{({snd}_A,{\rho }_A)})$ and $(C_{({\sigma }_B,{rcv}_B)},t{d}_{({snd}_B,{\rho }_B)})$, if ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B\wedge C_{({\sigma }_A,{rcv}_A)}$ and $C_{({\sigma }_B,{rcv}_B)}$ are generated using the identical message, it answers 1. Otherwise, it answers 0.

Correctness: An IBME-ET scheme is correct when the subsequent conditions are met:

• When $\sigma =snd$$\wedge \rho =rcv$, $Dec(pp,d{k}_{\rho },snd,Enc(pp,$ $e{k}_{\sigma },rcv,m\left)\right)=m$ always holds.
• Let $C_{({\sigma }_A,{rcv}_A)}=Enc(pp,e{k}_{{\sigma }_A},{rcv}_A,m_A)$, $C_{({\sigma }_B,{rcv}_B)}=Enc(pp,e{k}_{{\sigma }_B},{rcv}_B,m_B)$, $t{d}_{(sn{d}_A,{\rho }_A)}=Auth(pp,sn{d}_A,d{k}_{{\rho }_A})$, and $t{d}_{(sn{d}_B,{\rho }_B)}=Auth(pp,sn{d}_B,d{k}_{{\rho }_B})$. If ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A$$\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B$$\wedge m_A=m_B$, $Test(pp,C_{({\sigma }_A,{rcv}_A)}$, $t{d}_{(sn{d}_A,{\rho }_A)},C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})=1;$ otherwise, $\mathrm{Pr}\left[Test\right(pp,C_{({\sigma }_A,{rcv}_A)},t{d}_{(sn{d}_A,{\rho }_A)}$, $C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})=1]$ is negligible.

3.3. Security Definitions

With respect to the confidentiality, authenticity, and anonymity of the IBME-ET, it is crucial to consider four distinct types of adversaries:

• Type-I adversary ${\mathcal{A}}_1$: Without the trapdoor and decryption key of the receiver, ${\mathcal{A}}_1$ is unable to determine which message the challenge ciphertext is computed from. For ${\mathcal{A}}_1$, define the security model IND-ID-CCA.
• Type-II adversary ${\mathcal{A}}_2$: Without the decryption key of the receiver, ${\mathcal{A}}_2$ is unable to obtain the message concealed in the challenge ciphertext. For ${\mathcal{A}}_2$, define the security model OW-ID-CCA.
• Type-III adversary ${\mathcal{A}}_3$: Without the decryption key of the receiver and the encryption key of the sender, ${\mathcal{A}}_3$ is unable to determine the corresponding sender and receiver, even if ${\mathcal{A}}_3$ has the trapdoor. For ${\mathcal{A}}_3$, define the security model ANON-ID-CCA.
• Type-IV adversary ${\mathcal{A}}_4$: Without the decryption key of the receiver and the encryption key of the sender, ${\mathcal{A}}_4$ is unable to fake any legitimate ciphertext delivered by the sender to the receiver, even if ${\mathcal{A}}_4$ has the trapdoor. For ${\mathcal{A}}_4$, define the security model sUF-ID-CMA.

Let $\mathcal{C}$ be the challenger. We have the following oracles:

• ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$: Once the identity of the sender ${\sigma }_i$ is received, $\mathcal{C}$ answers the encryption key $e{k}_{{\sigma }_i}$.
• ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$: Once the identity of the receiver ${\rho }_j$ is received, $\mathcal{C}$ answers the decryption key $d{k}_{{\rho }_j}$.
• ${\mathcal{O}}_{Enc}({\sigma }_i,rcv,m)$: Once the identity of the sender ${\sigma }_i$, the identity of the target receiver $rcv$, and a message m are received, $\mathcal{C}$ answers the result of $Enc(pp,e{k}_{{\sigma }_i},rcv,m)$.
• ${\mathcal{O}}_{Dec}({\rho }_j,snd,C)$: Once the identity of the receiver ${\rho }_j$, the identity of the target sender $snd$, and a ciphertext C are received, $\mathcal{C}$ answers the result of $Dec(pp,d{k}_{{\rho }_j},snd,C)$.
• ${\mathcal{O}}_{Auth}(snd,{\rho }_j)$: Once the identity of the target sender $snd$ and the identity of the receiver ${\rho }_j$ are received, $\mathcal{C}$ answers the corresponding trapdoor $t{d}_{(snd,{\rho }_j)}=Auth(pp,snd,d{k}_{{\rho }_j})$.

Definition 1

(IND-ID-CCA). Regarding ${\mathcal{A}}_1$, the IBME-ET scheme meets IND-ID-CCA security when no PPT ${\mathcal{A}}_1$ is winning the game below with a non-negligible advantage:

1.

Setup: $\mathcal{C}$ utilizes the algorithm $Setup$ to calculate the master key $mk$ and the system parameters $pp$ and delivers $pp$ to ${\mathcal{A}}_1$.

2.

Phase 1: ${\mathcal{A}}_1$ can issue queries to the oracles: ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Dec}$.

3.

Challenge: ${\mathcal{A}}_1$ sends identities ${\sigma }^{*},{rcv}^{*}$ and equal-length messages $m_0^{*},m_1^{*}$ to $\mathcal{C}$. Subsequently, $\mathcal{C}$ randomly selects $x\in \{0,1\}$ and answers ${\mathcal{A}}_1$ with the challenge ciphertext $C^{*}=Enc(pp,e{k}_{{\sigma }^{*}},{rcv}^{*},m_x^{*})$.

4.

Phase 2: ${\mathcal{A}}_1$ makes queries like in $Phase$ 1.

5.

Guess: ${\mathcal{A}}_1$ answers a guess $x^{\prime }\in \{0,1\}$ and is winning when $x=x^{\prime }$. ${\mathcal{A}}_1$’s advantage is defined as $Ad{v}_{IBME-ET,{\mathcal{A}}_1}^{IND-ID-CCA}\left(\lambda \right)=|$Pr$[x=x^{\prime }]-\frac{1}{2}|.$

In the above game, the constraint is that ${\mathcal{A}}_1$ cannot ask the following queries: ${\mathcal{O}}_{RKGen}\left({rcv}^{*}\right)$, ${\mathcal{O}}_{Auth}({\sigma }^{*},{rcv}^{*})$, ${\mathcal{O}}_{Dec}({rcv}^{*},{\sigma }^{*},C^{*})$.

Definition 2

(OW-ID-CCA). Regarding ${\mathcal{A}}_2$, the IBME-ET scheme meets OW-ID-CCA security when no PPT ${\mathcal{A}}_2$ is winning the game below with a non-negligible advantage:

1.

Setup: Same as Definition 1.

2.

Phase 1: ${\mathcal{A}}_2$ can issue queries to the oracles: ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Dec}$.

3.

Challenge: ${\mathcal{A}}_2$ sends identities ${\sigma }^{*},{rcv}^{*}$ to $\mathcal{C}$. Subsequently, $\mathcal{C}$ randomly chooses a message $m^{*}\in {\{0,1\}}^{\lambda }$ and answers to ${\mathcal{A}}_2$ with the challenge ciphertext $C^{*}=Enc(pp,e{k}_{{\sigma }^{*}},{rcv}^{*},m^{*})$.

4.

Phase 2: ${\mathcal{A}}_2$ makes queries like in $Phase$ 1.

5.

Guess: ${\mathcal{A}}_2$ answers a guess $m^{\prime }$ and is winning when $m^{*}=m^{\prime }$. ${\mathcal{A}}_2$’s advantage is defined as $Ad{v}_{IBME-ET,{\mathcal{A}}_2}^{OW-ID-CCA}\left(\lambda \right)=$Pr$[m^{*}=m^{\prime }].$

In the above game, the constraints is that ${\mathcal{A}}_2$ cannot ask the following queries: ${\mathcal{O}}_{RKGen}\left({rcv}^{*}\right)$, ${\mathcal{O}}_{Dec}({rcv}^{*},{\sigma }^{*},C^{*})$.

Definition 3

(ANON-ID-CCA). Regarding ${\mathcal{A}}_3$, the IBME-ET scheme meets ANON-ID-CCA security when no PPT ${\mathcal{A}}_3$ is winning the game below with a non-negligible advantage:

1.

Setup: Same as Definition 1.

2.

Phase 1: ${\mathcal{A}}_3$ can issue queries to the oracles: ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Enc}$, ${\mathcal{O}}_{Dec}$.

3.

Challenge: ${\mathcal{A}}_3$ sends identities $({snd}_0^{*},{\rho }_0^{*})$, $({snd}_1^{*},{\rho }_1^{*})$ and a message $m^{*}$ to $\mathcal{C}$. Subsequently, $\mathcal{C}$ randomly chooses $x\in \{0,1\}$ and answers to ${\mathcal{A}}_3$ with the challenge ciphertext $C^{*}=Enc(pp,e{k}_{{snd}_x^{*}},{\rho }_x^{*},m^{*})$ and the challenge trapdoor $t{d}_{({snd}_x^{*},{\rho }_x^{*})}=Auth(pp,{snd}_x^{*},d{k}_{{\rho }_x^{*}})$.

4.

Phase 2: ${\mathcal{A}}_3$ makes queries like in $Phase$ 1.

5.

Guess: ${\mathcal{A}}_3$ answers a guess $x^{\prime }\in \{0,1\}$ and is winning when $x=x^{\prime }$. ${\mathcal{A}}_3$’s advantage is defined as $Ad{v}_{IBME-ET,{\mathcal{A}}_3}^{ANON-ID-CCA}\left(\lambda \right)=|$Pr$[x=x^{\prime }]-\frac{1}{2}|.$

In the above game, the constraint is that ${\mathcal{A}}_3$ cannot ask the following queries:

• ${\mathcal{O}}_{SKGen}\left({snd}_0^{*}\right)$, ${\mathcal{O}}_{SKGen}\left({snd}_1^{*}\right)$, ${\mathcal{O}}_{Enc}({snd}_0^{*},{\rho }_0^{*},\ast )$ and ${\mathcal{O}}_{Enc}({snd}_1^{*},{\rho }_1^{*},\ast )$.
• ${\mathcal{O}}_{RKGen}\left({\rho }_0^{*}\right)$, ${\mathcal{O}}_{RKGen}\left({\rho }_1^{*}\right)$, ${\mathcal{O}}_{Auth}({snd}_0^{*},{\rho }_0^{*})$ and ${\mathcal{O}}_{Auth}({snd}_1^{*},{\rho }_1^{*})$.
• ${\mathcal{O}}_{Dec}({\rho }_0^{*},{snd}_0^{*},C^{*})$, ${\mathcal{O}}_{Dec}({\rho }_1^{*},{snd}_1^{*},C^{*})$.

Definition 4

(sUF-ID-CMA). Regarding ${\mathcal{A}}_4$, the IBME-ET scheme meets sUF-ID-CMA security when no PPT ${\mathcal{A}}_4$ is winning the game below with a non-negligible advantage:

1.

Setup: Same as Definition 1.

2.

Queries: ${\mathcal{A}}_4$ can issue queries to the oracles: ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Enc}$, ${\mathcal{O}}_{Dec}$.

3.

Forgery: ${\mathcal{A}}_4$ answers a triple $({snd}^{*},{\rho }^{*},C^{*})$. ${\mathcal{A}}_4$ is winning when $m^{*}=Dec(pp,d{k}_{{\rho }^{*}}$, ${snd}^{*},C^{*})\ne \perp$. ${\mathcal{A}}_4$’s advantage is defined as $Ad{v}_{IBME-ET,{\mathcal{A}}_4}^{sUF-ID-CMA}\left(\lambda \right)=$Pr$[{\mathcal{A}}_4$ wins].

In the above game, the constraint is that ${\mathcal{A}}_4$ cannot make the following queries: ${\mathcal{O}}_{SKGen}\left({snd}^{*}\right)$ and ${\mathcal{O}}_{RKGen}\left({\rho }^{*}\right)$. Furthermore, $C^{*}$ cannot be an output of ${\mathcal{O}}_{Enc}({snd}^{*},{\rho }^{*},*)$.

4. Our Construction

The IBME-ET scheme is concretely constructed as below:

• Setup($\lambda$): The following steps are taken:
  • Randomly select the generators $g\in \mathbb{G}$ along with $\widehat{g}\in \widehat{\mathbb{G}}$.
  • Randomly select numbers $s,\alpha ,{\beta }_0,{\beta }_1\in {\mathbb{Z}}_q^{*}$, and set $g_1=g^{\alpha }$, $f=g^{{\beta }_0}$, $\widehat{f}={\widehat{g}}^{{\beta }_0}$, $h=g^{{\beta }_1}$, $\widehat{h}={\widehat{g}}^{{\beta }_1}$.
  • Secure hash functions are defined: $H:{\mathbb{G}}_T\to {\mathbb{Z}}_q^{*}$, $H_1:{\{0,1\}}^{*}\to \mathbb{G}$, $H_2:{\{0,1\}}^{*}\to \widehat{\mathbb{G}}$, $H_3:{\{0,1\}}^{*}\to \widehat{\mathbb{G}}$, $H_4:{\mathbb{G}}_T\to {\mathbb{Z}}_q^{*}$, $H_5:{\{0,1\}}^{\lambda +l}\to {\mathbb{Z}}_q^{*}$, $H_6:{\mathbb{G}}_T^2\times {\mathbb{G}}^3\to {\{0,1\}}^{\lambda +l}$, $H_7:{\{0,1\}}^{\lambda }\to \widehat{\mathbb{G}}$, and $H_8:{\mathbb{G}}_T\to \widehat{\mathbb{G}}$.
  • Return the master key $mk$ along with the system parameters $pp$, where

    $$mk=(s,\alpha ),$$

    $$pp=(\mathcal{G},g,\widehat{g},g_1,f,h,\widehat{f},\widehat{h},H,H_1,H_2,H_3,H_4,H_5,H_6,H_7,H_8).$$
• SKGen($pp,mk,\sigma$): Let $mk=(s,\alpha )$. This algorithm produces the encryption key $e{k}_{\sigma }={H_1\left(\sigma \right)}^s.$
• RKGen($pp,mk,\rho$): Let $mk=(s,\alpha )$. This algorithm produces the decryption key $d{k}_{\rho }=(d_1,d_2,d_3)=({H_3\left(\rho \right)}^s,{H_2\left(\rho \right)}^{\alpha },{H_3\left(\rho \right)}^{\alpha })$.
• Enc($pp,e{k}_{\sigma },rcv,m$): Let $rcv=\rho$ and $m\in {\{0,1\}}^{\lambda }$. The ciphertext $C=(C_0,C_1,C_2,C_3,C_4)$ is calculated as below:
  • Randomly select $r\in {\mathbb{Z}}_q^{*}$ and $k\in {\{0,1\}}^l$, and calculate $R=H_5(m,k)$.
  • Calculate $\eta =e(e{k}_{\sigma },H_3\left(\rho \right))$, ${\omega }_1={e(g_1,H_2\left(\rho \right))}^{r·H_4\left(\eta \right)}$ and ${\omega }_2={e(g_1,H_3\left(\rho \right))}^{r·H_4\left(\eta \right)}$.
  • Calculate the following numbers:

    $$\begin{array}{c}\left\{\begin{array}{c}{C}_0=g^R,\hfill \\ C_1=g^r,\hfill \\ C_2={\left(f{h}^{H\left(\eta \right)}\right)}^r,\hfill \\ C_3=(m\Vert k)\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2),\hfill \\ C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right).\hfill \end{array}\right.\hfill \end{array}$$
• $Dec$($pp,d{k}_{\rho },snd,C$): Let $d{k}_{\rho }=(d_1,d_2,d_3)$, $snd=\sigma$. The following steps are taken:
  • Calculate $\eta =e\left(H_1(\sigma \right),d_1),{\omega }_1=e(C_1,d_2^{H_4\left(\eta \right)})$ and ${\omega }_2=e(C_1,d_3^{H_4\left(\eta \right)})$.
  • Obtain $m^{\prime }\Vert k^{\prime }$ by computing $C_3\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)$.
  • Calculate $R^{\prime }=H_5(m^{\prime },k^{\prime })$.
  • If $C_0=g^{R^{\prime }}$ and $C_4=H_7{\left(m^{\prime }\right)}^{R^{\prime }}·H_8\left({\omega }_2\right)$ hold, answer $m^{\prime }$; otherwise, answer ⊥.
• Auth($pp,snd,d{k}_{\rho }$): Let $d{k}_{\rho }=(d_1,d_2,d_3)$ and $snd=\sigma$. The following steps are taken:
  • Randomly select $y\in {\mathbb{Z}}_q^{*}$, and calculate $\eta =e\left(H_1(\sigma \right),d_1)$.
  • Return the trapdoor $t{d}_{(snd,\rho )}=(y_1,y_2)=(d_3^{H_4\left(\eta \right)}{\left(\widehat{f}{\widehat{h}}^{H\left(\eta \right)}\right)}^y,{\widehat{g}}^y)$.
• Test($pp,C_{({\sigma }_A,{rcv}_A)},t{d}_{({snd}_A,{\rho }_A)},C_{({\sigma }_B,{rcv}_B)},t{d}_{({snd}_B,{\rho }_B)}$): Let $C_{({\sigma }_A,{rcv}_A)}=(C_{{\sigma }_A,{rcv}_A,0},$$C_{{\sigma }_A,{rcv}_A,1}$, $C_{{\sigma }_A,{rcv}_A,2},$$C_{{\sigma }_A,{rcv}_A,3},C_{{\sigma }_A,{rcv}_A,4})$, $t{d}_{({snd}_A,{\rho }_A)}=(y_{{snd}_A,{\rho }_A,1},$$y_{{snd}_A,{\rho }_A,2})$, $C_{({\sigma }_B,{rcv}_B)}=(C_{{\sigma }_B,{rcv}_B,0}$, $C_{{\sigma }_B,{rcv}_B,1},C_{{\sigma }_B,{rcv}_B,2},$$C_{{\sigma }_B,{rcv}_B,3},C_{{\sigma }_B,{rcv}_B,4})$ and $t{d}_{({snd}_B,{\rho }_B)})=(y_{{snd}_B,{\rho }_B,1},y_{{snd}_B,{\rho }_B,2})$. The following steps are taken:
  • Calculate

    $${\omega }_{A,2}=e(C_{{\sigma }_A,{rcv}_A,1},y_{sn{d}_A,{\rho }_A,1})/e(C_{{\sigma }_A,{rcv}_A,2},y_{sn{d}_A,{\rho }_A,2}),$$

    $${\omega }_{B,2}=e(C_{{\sigma }_B,{rcv}_B,1},y_{sn{d}_B,{\rho }_B,1})/e(C_{{\sigma }_B,{rcv}_B,2},y_{sn{d}_B,{\rho }_B,2}).$$
  • Calculate

    $$K_A=C_{{\sigma }_A,{rcv}_A,4}/H_8\left({\omega }_{A,2}\right),$$

    $$K_B=C_{{\sigma }_B,{rcv}_B,4}/H_8\left({\omega }_{B,2}\right).$$
  • Check whether $e(C_{{\sigma }_A,{rcv}_A,0},K_B)=e(C_{{\sigma }_B,{rcv}_B,0},K_A)$ holds. When it holds, answer 1 or 0 otherwise.

Correctness: The proposed scheme is correct in accordance with the correctness definition:

• Regarding Condition 1, when $\sigma =snd$ and $\rho =rcv$, we have

  $$\begin{array}{cc}& \eta =e(e{k}_{\sigma },H_3\left(\rho \right))=e(H_1\left(\sigma \right),H_3{\left(\rho \right))}^s=e\left(H_1(\sigma \right),d_1),\hfill \\ & {\omega }_1={e(g_1,H_2\left(\rho \right))}^{r·H_4\left(\eta \right)}=e{(g,H_2\left(\rho \right))}^{r\alpha ·H_4\left(\eta \right)}=e(C_1,d_2^{H_4\left(\eta \right)}),\hfill \\ & C_3\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)=(m\Vert k)\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)=m\Vert k.\hfill \end{array}$$
  Thus, when $\sigma =snd$ and $\rho =rcv$, $Dec(pp,d{k}_{\rho },snd,Enc(pp,e{k}_{\sigma },rcv,m))=m$ always holds.
• Regarding Condition 2, if ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A$$\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B$$\wedge m_A=m_B$, we have

  $$\begin{array}{cc}\hfill \frac{e(C_{{\sigma }_A,{\rho }_A,1},y_{{\sigma }_A,{\rho }_A,1})}{e(C_{{\sigma }_A,{\rho }_A,2},y_{{\sigma }_A,{\rho }_A,2})}& =\frac{e(g^{r_A},d_{A,3}^{H_4\left({\eta }_A\right)}{\left(\widehat{f}{\widehat{h}}^{H\left({\eta }_A\right)}\right)}^{y_A})}{e({\left(f{h}^{H\left({\eta }_A\right)}\right)}^{r_A},{\widehat{g}}^{y_A})}=\frac{e(g^{r_A},d_{A,3}^{H_4\left({\eta }_A\right)})·e{(g,\widehat{f}{\widehat{h}}^{H\left({\eta }_A\right)})}^{r_A{y}_A}}{e{(f{h}^{H\left({\eta }_A\right)},\widehat{g})}^{r_A{y}_A}}\hfill \\ & =\frac{e(g^{r_A},d_{A,3}^{H_4\left({\eta }_A\right)})·e{(g,{\widehat{g}}^{{\beta }_0+{\beta }_{1}H\left({\eta }_A\right)})}^{r_A{y}_A}}{e{(g^{{\beta }_0+{\beta }_{1}H\left({\eta }_A\right)},\widehat{g})}^{r_A{y}_A}}=e(g^{r_A},d_{A,3}^{H_4\left({\eta }_A\right)})\hfill \\ & =e{(g,H_3\left({\rho }_A\right))}^{r_A\alpha ·H_4\left({\eta }_A\right)}={e(g_1,H_3\left({\rho }_A\right))}^{r_A·H_4\left({\eta }_A\right)}={\omega }_{A,2},\hfill \\ \hfill \frac{e(C_{{\sigma }_B,{\rho }_B,1},y_{{\sigma }_B,{\rho }_B,1})}{e(C_{{\sigma }_B,{\rho }_B,2},y_{{\sigma }_B,{\rho }_B,2})}& =\frac{e(g^{r_B},d_{B,3}^{H_4\left({\eta }_B\right)}{\left(\widehat{f}{\widehat{h}}^{H\left({\eta }_B\right)}\right)}^{y_B})}{e({\left(f{h}^{H\left({\eta }_B\right)}\right)}^{r_B},{\widehat{g}}^{y_B})}=\frac{e(g^{r_B},d_{B,3}^{H_4\left({\eta }_B\right)})·e{(g,\widehat{f}{\widehat{h}}^{H\left({\eta }_B\right)})}^{r_B{y}_B}}{e{(f{h}^{H\left({\eta }_B\right)},\widehat{g})}^{r_B{y}_B}}\hfill \\ & =\frac{e(g^{r_B},d_{B,3}^{H_4\left({\eta }_B\right)})·e{(g,{\widehat{g}}^{{\beta }_0+{\beta }_{1}H\left({\eta }_B\right)})}^{r_B{y}_B}}{e{(g^{{\beta }_0+{\beta }_{1}H\left({\eta }_B\right)},\widehat{g})}^{r_B{y}_B}}=e(g^{r_B},d_{B,3}^{H_4\left({\eta }_B\right)})\hfill \\ & =e{(g,H_3\left({\rho }_B\right))}^{r_B\alpha ·H_4\left({\eta }_B\right)}={e(g_1,H_3\left({\rho }_B\right))}^{r_B·H_4\left({\eta }_B\right)}={\omega }_{B,2}.\hfill \end{array}$$

  $$\begin{array}{cc}\hfill & K_A=\frac{C_{{\sigma }_A,{\rho }_A,4}}{H_8\left({\omega }_{A,2}\right)}=\frac{H_7{\left(m_A\right)}^{R_A}·H_8\left({\omega }_{A,2}\right)}{H_8\left({\omega }_{A,2}\right)}=H_7{\left(m_A\right)}^{R_A},\hfill \\ \hfill & K_B=\frac{C_{{\sigma }_B,{\rho }_B,4}}{H_8\left({\omega }_{B,2}\right)}=\frac{H_7{\left(m_B\right)}^{R_B}·H_8\left({\omega }_{B,2}\right)}{H_8\left({\omega }_{B,2}\right)}=H_7{\left(m_B\right)}^{R_B},\hfill \\ \hfill & e(C_{{\sigma }_A,{\rho }_A,0},K_B)=e(g^{R_A},H_7{\left(M_B\right)}^{R_B})=e{(g,H_7\left(M_B\right))}^{R_A{R}_B},\hfill \\ \hfill & e(C_{{\sigma }_B,{\rho }_B,0},K_A)=e(g^{R_B},H_7{\left(M_A\right)}^{R_A})=e{(g,H_7\left(M_A\right))}^{R_A{R}_B}.\hfill \end{array}$$
  If ${\sigma }_A={snd}_A\wedge {rcv}_A={\rho }_A$$\wedge {\sigma }_B={snd}_B\wedge {rcv}_B={\rho }_B$$\wedge m_A=m_B$, then $e(C_{{\sigma }_A,{\rho }_A,0},K_B)=e(C_{{\sigma }_B,{\rho }_B,0},K_A)$, so $Test(pp,C_{({\sigma }_A,{rcv}_A)},t{d}_{(sn{d}_A,{\rho }_A)},C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})=1;$ otherwise, $\mathrm{Pr}\left[Test\right(pp,$$C_{({\sigma }_A,{rcv}_A)},t{d}_{(sn{d}_A,{\rho }_A)},C_{({\sigma }_B,{rcv}_B)},t{d}_{(sn{d}_B,{\rho }_B)})=1]$ is negligible due to the hash functions $H_7$ and $H_8$ being collision-resistant.

5. Security Analysis

In the random oracle model, we used the method of proof by contradiction to show that if the BDH assumption and Gap-BDH assumption introduced in the preliminaries (see Section 2) hold, and our proposed IBME-ET scheme can meet confidentiality, authenticity, and anonymity in cryptography [30,31,32].

According to our IBME-ET scheme, given the ciphertext C, we have the following observations:

• To reveal the message m, it is necessary to calculate ${\omega }_1={e(g_1,H_2\left(\rho \right))}^{r·H_4\left(\eta \right)}$.
• To obtain $H_7{\left(m\right)}^R$, which is used for the equality test, it is necessary to calculate ${\omega }_2={e(g_1,H_3\left(\rho \right))}^{r·H_4\left(\eta \right)}$.
• To distinguish the identities of the sender and the receiver concealed in the ciphertext, it is necessary to calculate $\eta =e(e{k}_{\sigma },H_3\left(\rho \right))=e(H_1\left(\sigma \right),H_3{\left(\rho \right))}^s$.
• To fake any legitimate ciphertext pertaining to the sender $\sigma$ and the receiver $\rho$, it is necessary to calculate $\eta =e(e{k}_{\sigma },H_3\left(\rho \right))=e(H_1\left(\sigma \right),H_3{\left(\rho \right))}^s$.

Note that, regarding to the confidentiality, anonymity, and authenticity of the IBME-ET, four security models are defined by considering four distinct types of adversaries (see Section 3.3). The security proof of our scheme can be outlined as follows:

As for the confidentiality, we first used the BDH assumption to prove that our proposal meets IND-ID-CCA security regarding the Type-I adversary ${\mathcal{A}}_1$. Given a BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$, we generated a simulated scheme $\mathcal{B}$ and interacted with ${\mathcal{A}}_1$ by following the IND-ID-CCA security model defined in Section 3.3. $\mathcal{B}$ simulates the oracles ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, and ${\mathcal{O}}_{Dec}$ to answer ${\mathcal{A}}_1$’s queries and preserves the $L_H$ and $L_{H_i}(i=1,2,3,5,6,7,8)$ lists to simulate the random oracles ${\mathcal{O}}_H$ and ${\mathcal{O}}_{H_i}(i=1,2,3,5,6,7,8)$. In the challenge phase, ${\mathcal{A}}_1$ sends identities ${\sigma }^{*},{rcv}^{*}$ and equal-length messages $m_0^{*},m_1^{*}$ to $\mathcal{B}$. Let ${rcv}^{*}={\rho }^{*}$. $\mathcal{B}$ randomly selects $x\in \{0,1\}$ and answers the challenge ciphertext $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})=Enc(pp,e{k}_{{\sigma }^{*}},{\rho }^{*},m_x^{*})$ to ${\mathcal{A}}_1$. In the simulation, the challenge ciphertext implicitly sets ${\omega }_1^{*}=e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)}$, ${\omega }_2^{*}=e{(g,\widehat{g})}^{abc{t}^{*}·H_4\left({\eta }^{*}\right)}$, $H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},$$C_1^{*},C_2^{*})=(m_x\Vert k)\oplus C_3^{*}$, $H_8\left({\omega }_2^{*}\right)$$=\frac{C_4^{*}}{H_7{\left(m_x\right)}^R}$, where $g_1=g^a$, $H_2\left({\rho }^{*}\right)={\widehat{g}}^{b{v}^{*}}$, $H_3\left({\rho }^{*}\right)={\widehat{g}}^{b{t}^{*}}$, $H_1\left({\sigma }^{*}\right)=g^{u^{*}}$, $e{k}_{{\sigma }^{*}}=g^{s{u}^{*}}$, ${\eta }^{*}=e{(g,\widehat{g})}^{bs{u}^{*}{t}^{*}}$, $C_0^{*}=g^R$, $C_1^{*}=g^c$, and $C_2^{*}=g^{{\beta }_0^{\prime }c}$. Finally, in the guess phase, ${\mathcal{A}}_1$ outputs a guess $x^{\prime }\in \{0,1\}$. The advantage of ${\mathcal{A}}_1$ for breaking our proposal is defined as $ϵ=|$Pr$[x=x^{\prime }]-\frac{1}{2}|.$ If $ϵ$ is non-negligible, then the tuple $[{\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*},{\delta }^{*}]$ is documented in $L_{H_6}$ with non-negligible probability. If $\mathcal{B}$ selects the right tuple from $L_{H_6}$, $\mathcal{B}$ can return the BDH instance solution ${{\omega }_1^{*}}^{{\left(v^{*}{H}_4\left({\eta }^{*}\right)\right)}^{-1}}$$(=e{(g,\widehat{g})}^{abc})$. As a result, the BDH assumption can be addressed by $\mathcal{B}$ with non-negligible advantage if ${\mathcal{A}}_1$ is able to break our proposal with non-negligible advantage.

Subsequently, as for the confidentiality, we used the BDH assumption to prove that our proposal meets OW-ID-CCA security regarding the Type-II adversary ${\mathcal{A}}_2$. Given a BDH assumption instance $(g,g^a,g^c,$ $\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$, we generated a simulated scheme $\mathcal{B}$ and interacted with ${\mathcal{A}}_2$ by following the OW-ID-CCA security model defined in Section 3.3. $\mathcal{B}$ simulates the oracles ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, and ${\mathcal{O}}_{Dec}$ to answer ${\mathcal{A}}_2$’s queries and preserves the $L_H$ and $L_{H_i}(i=1,2,3,5,6,7,8)$ lists to simulate the random oracles ${\mathcal{O}}_H$ and ${\mathcal{O}}_{H_i}(i=1,2,3,5,6,7,8)$. In the challenge phase, ${\mathcal{A}}_2$ sends identities ${\sigma }^{*},{rcv}^{*}$ to $\mathcal{B}$. Let ${rcv}^{*}={\rho }^{*}$. $\mathcal{B}$ randomly chooses a message $m^{*}\in {\{0,1\}}^{\lambda }$ and answers the challenge ciphertext $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})=Enc(pp,e{k}_{{\sigma }^{*}},{\rho }^{*},m^{*})$ to ${\mathcal{A}}_2$. In the simulation, the challenge ciphertext implicitly sets ${\omega }_1^{*}=e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)}$, $H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$$=(m^{*}\Vert k)\oplus C_3^{*}$, where $g_1=g^a$, $H_2\left({\rho }^{*}\right)={\widehat{g}}^{b{v}^{*}}$, $H_3\left({\rho }^{*}\right)={\widehat{g}}^{t^{*}}$, $H_1\left({\sigma }^{*}\right)=g^{u^{*}}$, $e{k}_{{\sigma }^{*}}=g^{s{u}^{*}}$, ${\eta }^{*}=e{(g,\widehat{g})}^{bs{u}^{*}{t}^{*}}$, $C_0^{*}=g^R$, $C_1^{*}=g^c$, $C_2^{*}=g^{{\beta }_0^{\prime }c}$, and $C_4^{*}={H_7\left(m^{*}\right)}^R·H_8\left(e(g^c,{\widehat{g}}^{a{t}^{*}·H_4\left({\eta }^{*}\right)})\right)$. Finally, in the guess phase, ${\mathcal{A}}_2$ outputs a guess $m^{\prime }$. The advantage of ${\mathcal{A}}_2$ for breaking our proposal is defined as $ϵ=|$Pr$[m^{*}=m^{\prime }]|$. If $ϵ$ is non-negligible, then the tuple $[{\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*},{\delta }^{*}]$ is documented in $L_{H_6}$ with non-negligible probability. If $\mathcal{B}$ selects the right tuple from $L_{H_6}$, $\mathcal{B}$ can return the BDH instance solution ${{\omega }_1^{*}}^{{\left(v^{*}{H}_4\left({\eta }^{*}\right)\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$. As a result, the BDH assumption can be addressed by $\mathcal{B}$ with non-negligible advantage if ${\mathcal{A}}_2$ is able to break our proposal with non-negligible advantage.

As for the anonymity, we used the Gap-BDH assumption to prove that our proposal meets ANON-ID-CCA security regarding the Type-III adversary ${\mathcal{A}}_3$. Given a Gap-BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,$ ${\mathcal{O}}_{\mathcal{DBDH}})$, we generated a simulated scheme $\mathcal{B}$ and interacted with ${\mathcal{A}}_3$ by following the ANON-ID-CCA security model defined in Section 3.3. $\mathcal{B}$ simulates the oracles ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_i}(i=1,2,3,4,5,6,7,8)$, ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Enc}$, and ${\mathcal{O}}_{Dec}$ to answer ${\mathcal{A}}_3$’s queries. In the challenge phase, ${\mathcal{A}}_3$ sends identities $({snd}_0^{*},{\rho }_0^{*})$, $({snd}_1^{*},{\rho }_1^{*})$ and a message $m^{*}$ to $\mathcal{B}$. Let ${snd}_0^{*}={\sigma }_0^{*}$, ${snd}_1^{*}={\sigma }_1^{*}$. $\mathcal{B}$ randomly chooses $x\in \{0,1\}$ and answers the challenge ciphertext $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})=Enc(pp,e{k}_{{\sigma }_x^{*}},{\rho }_x^{*},m^{*})$ and the challenge trapdoor $t{d}_{({\sigma }_x^{*},{\rho }_x^{*})}=(y_1,y_2)=Auth(pp,{\sigma }_x^{*},d{k}_{{\rho }_x^{*}})$ to ${\mathcal{A}}_3$. In the simulation, the challenge ciphertext implicitly sets ${\eta }^{*}=e{(g,\widehat{g})}^{abc{u}_x^{*}{t}_x^{*}}$, ${\omega }_1^{*}=e{(g^{a{\alpha }^{\prime }},{\widehat{g}}^b)}^{r\Omega v_x^{*}}$, $C_3^{*}=(m^{*}\Vert k)\oplus H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$, where $g_1=g^{a{\alpha }^{\prime }}$, $H_1\left({\sigma }_0^{*}\right)=g^{c{u}_{i_x^{*}}}$, $H_2\left({\rho }_x^{*}\right)={\widehat{g}}^{b{v}_{j_t^{*}}}$, $H_3\left({\rho }_x^{*}\right)={\widehat{g}}^{b{v}_{t_x^{*}}}$, ${\omega }_2^{*}=e{(g^{a{\alpha }^{\prime }},{\widehat{g}}^b)}^{r{\tilde{\Omega }}_{xx}}$, $H\left({\eta }^{*}\right)=I=I_{xx}$, $H_4\left({\eta }^{*}\right)=\Omega =\frac{{\tilde{\Omega }}_{xx}}{t_x^{*}}$, $C_0^{*}=g^R$, $C_1^{*}=g^r$, $C_2^{*}={\left(f{h}^I\right)}^r$, and $C_4^{*}=H_7{\left(m^{*}\right)}^R·H_8\left({\omega }_2^{*}\right)$ Furthermore, the challenge trapdoor implicitly sets $y=\tilde{y}-bz$, where $z=\frac{t_x{\alpha }^{\prime }\Omega }{{\beta }_{1}I}=\frac{{\alpha }^{\prime }{\tilde{\Omega }}_{xx}}{{\beta }_{1}I}$, $y_1={\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}}$, $y_2={\widehat{g}}^{\tilde{y}-bz}$. Finally, in the guess phase, ${\mathcal{A}}_3$ outputs a guess $x^{\prime }\in \{0,1\}$. The advantage of ${\mathcal{A}}_3$ for breaking our proposal is defined as $ϵ=|$Pr$[x=x^{\prime }]-\frac{1}{2}|.$ If $ϵ$ is non-negligible, ${\eta }^{*}=e{(g,\widehat{g})}^{abc{u}_x^{*}{t}_x^{*}}$ has been queried to ${\mathcal{O}}_H$ with non-negligible probability. With ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b,{{\eta }^{*}}^{{\left(u_{i_x^{*}}{t}_{j_x^{*}}\right)}^{-1}})=1$, $\mathcal{B}$ can return the Gap-BDH instance solution ${{\eta }^{*}}^{{\left(u_{i_x^{*}}{t}_{j_x^{*}}\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$. As a result, the Gap-BDH assumption can be addressed by $\mathcal{B}$ with non-negligible advantage if ${\mathcal{A}}_3$ is able to break our proposal with non-negligible advantage.

As for the authenticity, we used the Gap-BDH assumption to prove that our proposal meets sUF-ID-CMA security regarding the Type-IV adversary ${\mathcal{A}}_4$. Given a Gap-BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,$ ${\mathcal{O}}_{\mathcal{DBDH}})$, we generated a simulated scheme $\mathcal{B}$ and interacted with ${\mathcal{A}}_4$ by following the sUF-ID-CMA security model defined in Section 3.3. $\mathcal{B}$ simulates the oracles ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_i}(i=1,2,3,4,5,6,7,8)$, ${\mathcal{O}}_{SKGen}$, ${\mathcal{O}}_{RKGen}$, ${\mathcal{O}}_{Auth}$, ${\mathcal{O}}_{Enc}$, and ${\mathcal{O}}_{Dec}$ to answer ${\mathcal{A}}_4$’s queries. In the simulation, the following numbers are implicitly set ${\eta }^{*}=e{(g,\widehat{g})}^{abc}$, where $H_1\left({\sigma }^{*}\right)=g^c$, $H_3\left({\rho }^{*}\right)={\widehat{g}}^b$, $H\left({\eta }^{*}\right)=I^{*}$, $H_4\left({\eta }^{*}\right)={\Omega }^{*}$. In the forgery phase, ${\mathcal{A}}_4$ outputs a triple $(sn{d}^{*},{\rho }^{*},C^{*})$, where $sn{d}^{*}={\sigma }^{*}$ and $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$. If $m^{*}=Dec(pp,d{k}_{{\rho }^{*}},{\sigma }^{*},C^{*})\ne \perp$, ${\mathcal{A}}_4$ wins. The advantage of ${\mathcal{A}}_4$ for breaking our proposal is defined as $ϵ=$Pr$\left[{\mathcal{A}}_4\mathrm{wins}\right]$. With $ϵ$ and the lemma on the relationship between the chosen-identity attack and given identity attack [33], if $ϵ$ is non-negligible, ${\eta }^{*}=e{(g,\widehat{g})}^{abc}$ has been queried to ${\mathcal{O}}_H$ with non-negligible probability. Then, ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$${\widehat{g}}^a,{\widehat{g}}^b,{\eta }^{*})=1$, $\mathcal{B}$ can return the Gap-BDH instance solution ${\eta }^{*}(=e{(g,\widehat{g})}^{abc})$. As a result, the Gap-BDH assumption can be addressed by $\mathcal{B}$ with non-negligible advantage if ${\mathcal{A}}_4$ is able to break our proposal with non-negligible advantage.

Theorem 1.

For any ${\mathcal{A}}_1$, our IBME-ET scheme meets IND-ID-CCA security on the basis of the BDH assumption.

More precisely, if ${\mathcal{A}}_1$ is able to break our proposal with the advantage ϵ, we can conceive of a PPT algorithm $\mathcal{B}$ to address the BDH assumption with the advantage ${ϵ}^{\prime }\ge \frac{1}{q_{H_6}}(\frac{ϵ}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}-\frac{q_{H_8}}{q}),$ where $q_{H_i}(i=1,2,6,8)$ and $q_D$ denote the numbers of different queries to ${\mathcal{O}}_{H_i}(i=1,2,6,8)$ and ${\mathcal{O}}_{Dec}$, respectively.

Proof. 

Given a BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$, the task of $\mathcal{B}$ is to calculate $e{(g,\widehat{g})}^{abc}$ by interacting with ${\mathcal{A}}_1$ as below:

(1)

Setup: $\mathcal{B}$ randomly selects $i^{*}\in \{1,2,\cdots ,q_{H_1}\}$, $j^{*}\in \{1,2,\cdots ,q_{H_2}\}$. $\mathcal{B}$ randomly chooses $I^{*},s,{\beta }_0^{\prime },{\beta }_1^{\prime }\in {\mathbb{Z}}_q^{*}$, calculates $g_1=g^a$, $f=g^{{\beta }_0^{\prime }-a{\beta }_1^{\prime }{I}^{*}}$, $h=g^{a{\beta }_1^{\prime }}$, $\widehat{f}={\widehat{g}}^{{\beta }_0^{\prime }-a{\beta }_1^{\prime }{I}^{*}}$, and $\widehat{h}={\widehat{g}}^{a{\beta }_1^{\prime }}$, sets $pp=(\mathcal{G},g,\widehat{g},g_1,f,h,\widehat{f},\widehat{h},$$H,H_i(i=1,2,3,4,5,6,7,8))$, and delivers this to ${\mathcal{A}}_1$ with $pp$. $\mathcal{B}$ implicitly sets $mk=(s,a)$, because $\mathcal{B}$ has no knowledge about a. $\mathcal{B}$ preserves the $L_H$ and $L_{H_i}(i=1,2,3,5,6,7,8)$ lists to simulate ${\mathcal{O}}_H$ and ${\mathcal{O}}_{H_i}(i=1,2,3,5,6,7,8)$. Afterwards, $\mathcal{B}$ randomly selects $u^{*},v^{*},t^{*}\in {\mathbb{Z}}_q^{*}$.

(2)

Phase1: $\mathcal{B}$ answers ${\mathcal{A}}_1$’s queries.

• ${\mathcal{O}}_H\left(\eta \right)$: When $\eta \ne e{(g,\widehat{g})}^{bs{u}^{*}{t}^{*}}$, $\mathcal{B}$ randomly selects $I\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[\eta ,I]$ into $L_H$, and answers I. Otherwise, $\mathcal{B}$ answers $I^{*}$.
• ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$: Suppose ${\sigma }_i$ as the i-th different query. When $i\ne i^{*}$, $\mathcal{B}$ randomly selects $u_i\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\sigma }_i,u_i]$ into $L_{H_1}$, and returns $g^{u_i}$. Otherwise, $\mathcal{B}$ has $u_{i^{*}}=u^{*}$, inserts a tuple $[{\sigma }_{i^{*}},u_{i^{*}}]$ into $L_{H_1}$, and returns $g^{u_{i^{*}}}$.
• ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$: Suppose ${\rho }_j$ as the j-th different query. When $j\ne j^{*}$, $\mathcal{B}$ randomly selects $v_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,v_j]$ into $L_{H_2}$, and returns ${\widehat{g}}^{v_j}$. Otherwise, $\mathcal{B}$ has $v_{j^{*}}=v^{*}$, inserts a tuple $[{\rho }_{j^{*}},v_{j^{*}}]$ into $L_{H_2}$, and returns ${\widehat{g}}^{b{v}_{j^{*}}}$.
• ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$. Subsequently, $\mathcal{B}$ searches the tuple $[{\rho }_j,v_j]$ in $L_{H_2}$. When $j\ne j^{*}$, $\mathcal{B}$ selects $t_j\in {\mathbb{Z}}_q^{*}$ randomly, inserts a tuple $[{\rho }_j,t_j]$ into $L_{H_3}$, and returns ${\widehat{g}}^{t_j}$. Otherwise, $\mathcal{B}$ has $t_{j^{*}}=t^{*}$, inserts a tuple $[{\rho }_{j^{*}},t_{j^{*}}]$ into $L_{H_3}$, and returns ${\widehat{g}}^{b{t}_{j^{*}}}$.
• ${\mathcal{O}}_{H_5}(m,k)$: $\mathcal{B}$ randomly chooses $R\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[m,k,R]$ into $L_{H_5}$, and answers R.
• ${\mathcal{O}}_{H_6}({\omega }_1,\eta ,C_0,C_1,C_2)$: $\mathcal{B}$ randomly chooses $\delta \in {\{0,1\}}^{\lambda +l}$, inserts a tuple $[{\omega }_1,\eta ,C_0,C_1,C_2,\delta ]$ into $L_{H_6}$, and answers $\delta$.
• ${\mathcal{O}}_{H_7}\left(m\right)$: $\mathcal{B}$ randomly selects $h_7\in \widehat{\mathbb{G}}$, inserts a tuple $[m,h_7]$ into $L_{H_7}$, and returns $h_7$.
• ${\mathcal{O}}_{H_8}\left({\omega }_2\right)$: $\mathcal{B}$ randomly selects $\pi \in \widehat{\mathbb{G}}$, inserts a tuple $[{\omega }_2,\pi ]$ into $L_{H_8}$, and returns $\pi$.
• ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\sigma }_i,u_i]$ in $L_{H_1}$. Next, $\mathcal{B}$ returns $e{k}_{{\sigma }_i}=g^{s{u}_i}$.
• ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$. There are a tuple $[{\rho }_j,v_j]$ in $L_{H_2}$ and a tuple $[{\rho }_j,t_j]$ in $L_{H_3}$. When $j\ne j^{*}$, $\mathcal{B}$ returns $d{k}_{{\rho }_j}=(d_1,d_2,d_3)=({\widehat{g}}^{s{t}_j},{\widehat{g}}^{a{v}_j},{\widehat{g}}^{a{t}_j})$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{Dec}({\rho }_j,snd,C)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$.

  -

  When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$ and returns the outcome of the algorithm $Dec(pp,d{k}_{{\rho }_j},{\sigma }_i,C)$.

  -

  Otherwise, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$ and calculates $\eta =e(e{k}_{{\sigma }_i},$$H_3\left({\rho }_j\right))$. For each tuple $[{\omega }_1,\eta ,C_0,C_1,C_2,\delta ]$ in $L_{H_6}$, $\mathcal{B}$ calculates $m^{\prime }\Vert k^{\prime }=C_3\oplus \delta$ and calculates $R^{\prime }=H_5(m^{\prime },k^{\prime })$. If $C_0=g^{R^{\prime }}$ and there exists a tuple $[{\omega }_2,\pi ]$ in $L_{H_8}$ such that $C_4=H_7{\left(m^{\prime }\right)}^{R^{\prime }}·\pi$ holds, it outputs $m^{\prime }$. Once $L_{H_8}$ has no such tuple, $\mathcal{B}$ outputs ⊥.

• ${\mathcal{O}}_{Auth}(snd,{\rho }_j)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$, returns $t{d}_{({\sigma }_i,{\rho }_j)}=Auth(pp,{\sigma }_i,d{k}_{{\rho }_j})$. Otherwise, $\mathcal{B}$ executes the following operations:

  -

  When $(i,j)=(i^{*},j^{*})$, $\mathcal{B}$ is aborted by failure.

  -

  Otherwise, $L_{H_2}$ has a tuple $[{\rho }_{j^{*}},v_{j^{*}}]$ and $L_{H_3}$ has a tuple $[{\rho }_{j^{*}},t_{j^{*}}]$, and $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$, calculates $\eta =e(e{k}_{{\sigma }_i},H_3\left({\rho }_j\right))$, $I=H\left(\eta \right)$ and $\Omega =H_4\left(\eta \right)$, randomly selects $\tilde{y}\in {\mathbb{Z}}_q^{*}$, calculates $z=\frac{t_{j^{*}}\Omega }{{\beta }_1^{\prime }(I-I^{*})}$, implicitly sets $y=\tilde{y}-bz$, and returns $t{d}_{({\sigma }_i,{\rho }_{j^{*}})}=$$(y_1,y_2)=({\widehat{g}}^{{\beta }_0^{\prime }(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_1^{\prime }(I-I^{*})\tilde{y}},$${\widehat{g}}^{\tilde{y}-bz})$. $t{d}_{({\sigma }_i,{\rho }_{j^{*}})}=(y_1,y_2)$ is a valid random trapdoor according to ${\rho }_{j^{*}}$ and ${\sigma }_i$, where

  $$\begin{array}{cc}\hfill y_1& ={\widehat{g}}^{{\beta }_0^{\prime }(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_1^{\prime }(I-I^{*})\tilde{y}}={\widehat{g}}^{ab{t}_{j^{*}}·\Omega }{\widehat{g}}^{{\beta }_0^{\prime }y}{\widehat{g}}^{a{\beta }_1^{\prime }(I-I^{*})y}=d_3^{\Omega }{\widehat{g}}^{({\beta }_0^{\prime }-a{\beta }_1{I}^{*}+a{\beta }_1^{\prime }I)y}=d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,\hfill \\ \hfill y_2& ={\widehat{g}}^{\tilde{y}-bz}={\widehat{g}}^y.\hfill \end{array}$$

(3)

Challenge: ${\mathcal{A}}_1$ offers equal-length messages $m_0^{*},m_1^{*}\in {\{0,1\}}^{\lambda }$ along with the pair of sender/receiver identities (${\sigma }^{*},{rcv}^{*}$) to $\mathcal{B}$. Let ${rcv}^{*}={\rho }^{*}$. Afterwards, $\mathcal{B}$ utilizes a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }^{*}\right)$ and ${\mathcal{O}}_{H_3}\left({\rho }^{*}\right)$.

-

When the $i^{*}$-th tuple in $L_{H_1}$ is $[{\sigma }^{*},u^{*}]$ and the $j^{*}$-th tuple in $L_{H_2}$ is $[{\rho }^{*},v^{*}]$, $\mathcal{B}$ randomly selects $x\in \{0,1\}$, $C_3^{*}\in {\{0,1\}}^{\lambda +l}$, $C_4^{*}\in \widehat{\mathbb{G}}$ and $k\in {\{0,1\}}^l$, calculates $e{k}_{{\sigma }^{*}}=g^{s{u}^{*}}$, ${\eta }^{*}=e{(g,\widehat{g})}^{bs{u}^{*}{t}^{*}}$, $R=H_5(m_x,k)$, $C_0^{*}=g^R$, $C_1^{*}=g^c$, and $C_2^{*}=g^{{\beta }_0^{\prime }c}$, and then, sends the challenge ciphertext $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$ to ${\mathcal{A}}_1$.

The above construction implicitly sets ${\omega }_1^{*}=e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)}$, ${\omega }_2^{*}=$$e{(g,\widehat{g})}^{abc{t}^{*}·H_4\left({\eta }^{*}\right)}$, $H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},$$C_1^{*},C_2^{*})=(m_x\Vert k)\oplus C_3^{*}$, $H_8\left({\omega }_2^{*}\right)$$=\frac{C_4^{*}}{H_7{\left(m_x\right)}^R}$, where $g^{u^{*}}=H_1\left({\sigma }^{*}\right)$, ${\widehat{g}}^{b{v}^{*}}=H_2\left({\rho }^{*}\right)$, ${\widehat{g}}^{b{t}^{*}}=H_3\left({\rho }^{*}\right)$.

-

Otherwise, $\mathcal{B}$ is aborted by failure.

(4)

Phase2: ${\mathcal{A}}_1$ makes queries like in $Phase$ 1.

(5)

Guess: ${\mathcal{A}}_1$ answers a guess $x^{\prime }\in \{0,1\}$. $\mathcal{B}$ randomly selects a tuple $[{\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*},{\delta }^{*}]$ from $L_{H_6}$ and returns the BDH instance solution ${{\omega }_1^{*}}^{{\left(v^{*}{H}_4\left({\eta }^{*}\right)\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$.

□

Analysis: It is obvious that the simulations of ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_5}$, and ${\mathcal{O}}_{H_7}$ are perfect. Denote the query ${\mathcal{O}}_{H_6}(e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$ as the event $Ask{H}_6^{*}$. Denote the query ${\mathcal{O}}_{H_8}\left(e{(g,\widehat{g})}^{abc{t}^{*}·H_4\left({\eta }^{*}\right)}\right)$ as the event $Ask{H}_8^{*}$. Denote the failure of $\mathcal{B}$ to decrypt the legitimate ciphertext in ${\mathcal{O}}_{Dec}$ as the event $Derr$. Thus, $\mathrm{Pr}\left[Derr\right]\le \frac{q_D}{2^{\lambda +l}}$. Let ${rcv}^{*}={\rho }^{*}$. Suppose $AbortRK$ as the event in which $\mathcal{B}$ terminates upon the query ${\mathcal{O}}_{RKGen}\left({\rho }^{*}\right)$ being issued, $AbortAuth$ as the event in which $\mathcal{B}$ terminates upon the query ${\mathcal{O}}_{Auth}({\sigma }^{*},{\rho }^{*})$ being issued, and $AbortCh$ as the event in which $\mathcal{B}$ terminates in the challenge phase. Clearly, $\neg AbortCh$ implies $\neg AbortRK$ and $\neg AbortAuth$, because the queries ${\mathcal{O}}_{RKGen}\left({\rho }^{*}\right)$ and ${\mathcal{O}}_{Auth}({\sigma }^{*},{\rho }^{*})$ cannot be issued. We obtain $\mathrm{Pr}[\neg AbortCh]\ge \frac{1}{q_{H_1}{q}_{H_2}}$.

Define $E=(Ask{H}_6^{*}\vee Ask{H}_8^{*}\vee Derr)|\neg AbortCh$. There is no greater over $\frac{1}{2}$ advantage that ${\mathcal{A}}_1$ will gain in guessing x when E does not happen because ${\mathcal{O}}_{H_6}$ and ${\mathcal{O}}_{H_8}$ are random oracles. $\mathrm{Pr}[x=x^{\prime }|\neg E]=\frac{1}{2}$. Hence,

$$\begin{array}{cc}\hfill \mathrm{Pr}[x=x^{\prime }]& =\mathrm{Pr}[x=x^{\prime }|\neg E]\mathrm{Pr}[\neg E]+\mathrm{Pr}[x=x^{\prime }|E]\mathrm{Pr}\left[E\right]\le \frac{1}{2}\mathrm{Pr}[\neg E]+\mathrm{Pr}\left[E\right]=\frac{1}{2}+\frac{1}{2}\mathrm{Pr}\left[E\right].\hfill \end{array}$$

With $ϵ$, we obtain

$$\begin{array}{cc}\hfill ϵ& =|\mathrm{Pr}[x=x^{\prime }]-\frac{1}{2}|\le \mathrm{Pr}\left[E\right]\le \frac{\mathrm{Pr}\left[Ask{H}_6^{*}\right]+\mathrm{Pr}\left[Ask{H}_8^{*}\right]+\mathrm{Pr}\left[Derr\right]}{\mathrm{Pr}[\neg AbortCh]}.\hfill \end{array}$$

Subsequently, we obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[Ask{H}_6^{*}\right]& \ge ϵ\mathrm{Pr}[\neg AbortCh]-\mathrm{Pr}\left[Derr\right]-\mathrm{Pr}\left[Ask{H}_8^{*}\right]\ge \frac{ϵ}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}-\frac{q_{H_8}}{q}.\hfill \end{array}$$

When $Ask{H}_6^{*}$ happens, ${\mathcal{A}}_1$ can distinguish the simulation of the challenge ciphertext $C^{*}$. Because ${\mathcal{O}}_{H_6}(e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$ has been documented in $L_{H_6}$ with non-negligible probability, $\mathcal{B}$ is winning when the right element is selected from $L_{H_6}$. Thus, the BDH assumption can be addressed by $\mathcal{B}$ with advantage ${ϵ}^{\prime }\ge \frac{1}{q_{H_6}}\mathrm{Pr}\left[Ask{H}_6^{*}\right]\ge \frac{1}{q_{H_6}}(\frac{ϵ}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}-\frac{q_{H_8}}{q}).$

Theorem 2.

For any ${\mathcal{A}}_2$, our IBME-ET scheme meets OW-ID-CCA security on the basis of the BDH assumption.

More precisely, if ${\mathcal{A}}_2$ is able to break our proposal with the advantage ϵ, we are able to conceive of a PPT algorithm $\mathcal{B}$ to address the BDH assumption with the advantage ${ϵ}^{\prime }\ge \frac{1}{q_{H_6}}(\frac{ϵ-\frac{1}{2^{\lambda }}}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}),$ where $q_{H_i}(i=1,2,6)$ and $q_D$ denote the numbers of different queries to ${\mathcal{O}}_{H_i}(i=1,2,6)$ and ${\mathcal{O}}_{Dec}$, respectively.

Proof. 

Given a BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$, the task of $\mathcal{B}$ is to calculate $e{(g,\widehat{g})}^{abc}$ by interacting with ${\mathcal{A}}_2$ as below:

(1)

Setup: $\mathcal{B}$ executes like in the proof of Theorem 1.

(2)

Phase1: $\mathcal{B}$ answers ${\mathcal{A}}_2$’s queries.

• For ${\mathcal{O}}_H\left(\eta \right)$, ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$, ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$, ${\mathcal{O}}_{H_5}(m,k)$, ${\mathcal{O}}_{H_6}({\omega }_1,\eta ,C_0,C_1,C_2)$, ${\mathcal{O}}_{H_7}\left(m\right)$, and ${\mathcal{O}}_{H_8}\left({\omega }_2\right)$, $\mathcal{B}$ executes like in the proof of Theorem 1.
• ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$. Subsequently, $\mathcal{B}$ searches the tuple $[{\rho }_j,v_j]$ in $L_{H_2}$. When $j\ne j^{*}$, $\mathcal{B}$ randomly selects $t_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,t_j]$ into $L_{H_3}$, and returns ${\widehat{g}}^{t_j}$. Otherwise, $\mathcal{B}$ sets $t_{j^{*}}=t^{*}$, inserts a tuple $[{\rho }_{j^{*}},t_{j^{*}}]$ into $L_{H_3}$, and returns ${\widehat{g}}^{t_{j^{*}}}$.
• ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\sigma }_i,u_i]$ in $L_{H_1}$. Next, $\mathcal{B}$ returns $e{k}_{{\sigma }_i}=g^{s{u}_i}$.
• ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$. There are a tuple $[{\rho }_j,v_j]$ in $L_{H_2}$ and a tuple $[{\rho }_j,t_j]$ in $L_{H_3}$. When $j\ne j^{*}$, $\mathcal{B}$ returns $d{k}_{{\rho }_j}=(d_1,d_2,d_3)=({\widehat{g}}^{s{t}_j},{\widehat{g}}^{a{v}_j},{\widehat{g}}^{a{t}_j})$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{Dec}({\rho }_j,snd,C)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$.

  -

  When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$ and returns the outcome of the algorithm $Dec(pp,d{k}_{{\rho }_j},{\sigma }_i,C)$.

  -

  Otherwise, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$ and calculates $\eta =e(e{k}_{{\sigma }_i},H_3\left({\rho }_j\right))$. For each tuple $[{\omega }_1,\eta ,C_0,C_1,C_2,\delta ]$ in $L_{H_6}$, $\mathcal{B}$ calculates $m^{\prime }\Vert k^{\prime }=C_3\oplus \delta$ and calculates $R^{\prime }=H_5(m^{\prime },k^{\prime })$. If $C_0=g^{R^{\prime }}$ and there exists a tuple $[{\omega }_2,\pi ]$ in $L_{H_8}$ such that $C_4=H_7{\left(m^{\prime }\right)}^{R^{\prime }}·\pi$ holds, it outputs $m^{\prime }$. When $L_{H_8}$ has no such tuple, $\mathcal{B}$ outputs ⊥.

• ${\mathcal{O}}_{Auth}(snd,{\rho }_j)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$.

  -

  When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$ and returns $t{d}_{({\sigma }_i,{\rho }_j)}=Auth(pp,{\sigma }_i,d{k}_{{\rho }_j})$.

  -

  Otherwise, there are a tuple $[{\rho }_{j^{*}},v_{j^{*}}]$ in $L_{H_2}$ and a tuple $[{\rho }_{j^{*}},t_{j^{*}}]$ in $L_{H_3}$, and $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$, calculates $\eta =e(e{k}_{{\sigma }_i},H_3\left({\rho }_j\right))$, $I=H\left(\eta \right)$, $\Omega =H_4\left(\eta \right)$, and $d_3=H_3{\left({\rho }_{j^{*}}\right)}^a={\widehat{g}}^{a{v}_{j^{*}}}$, randomly selects $y\in {\mathbb{Z}}_q^{*}$, and returns $t{d}_{({\sigma }_i,{\rho }_{j^{*}})}=$$(y_1,y_2)=(d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,{\widehat{g}}^y)$.

(3)

Challenge: ${\mathcal{A}}_2$ submits a pair of sender/receiver identities (${\sigma }^{*},{rcv}^{*}$) to $\mathcal{B}$. Let ${rcv}^{*}={\rho }^{*}$. Afterwards, $\mathcal{B}$ chooses a message $m^{*}\in {\{0,1\}}^{\lambda }$ randomly and executes a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }^{*}\right)$ and ${\mathcal{O}}_{H_3}\left({\rho }^{*}\right)$.

-

When the $i^{*}$-th tuple in $L_{H_1}$ is $[{\sigma }^{*},u^{*}]$ and the $j^{*}$-th tuple in $L_{H_2}$ is $[{\rho }^{*},v^{*}]$, $\mathcal{B}$ randomly selects $k\in {\{0,1\}}^l$, $C_3^{*}\in {\{0,1\}}^{\lambda +l}$, calculates $e{k}_{{\sigma }^{*}}=g^{s{u}^{*}}$, ${\eta }^{*}=e{(g,\widehat{g})}^{bs{u}^{*}{t}^{*}}$, $R=H_5(m_x,k)$, $C_0^{*}=g^R$, $C_1^{*}=g^c$, $C_2^{*}=g^{{\beta }_0^{\prime }c}$, and $C_4^{*}={H_7\left(m^{*}\right)}^R·H_8\left(e(g^c,{\widehat{g}}^{a{t}^{*}·H_4\left({\eta }^{*}\right)})\right)$, and delivers this to ${\mathcal{A}}_2$ with the challenge ciphertext $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$.

The above construction implicitly sets ${\omega }_1^{*}=e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)}$, $H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$$=(m^{*}\Vert k)\oplus C_3^{*}$, where $g^{u^{*}}=H_1\left({\sigma }^{*}\right)$, ${\widehat{g}}^{b{v}^{*}}=H_2\left({\rho }^{*}\right)$, ${\widehat{g}}^{t^{*}}=H_3\left({\rho }^{*}\right)$.

-

Otherwise, $\mathcal{B}$ is aborted by failure.

(4)

Phase2: ${\mathcal{A}}_2$ makes issues like in Phase1.

(5)

Guess: ${\mathcal{A}}_2$ answers a guess $m^{\prime }$. $\mathcal{B}$ randomly chooses a tuple $[{\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*},{\delta }^{*}]$ from $L_{H_6}$ and answers the BDH instance solution ${{\omega }_1^{*}}^{{\left(v^{*}{H}_4\left({\eta }^{*}\right)\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$.

□

Analysis: It is obvious that the simulations of ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_5}$, ${\mathcal{O}}_{H_7}$, and ${\mathcal{O}}_{H_8}$ are perfect. Denote the query ${\mathcal{O}}_{H_6}(e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$ as the event $Ask{H}_6^{*}$. Denote the failure of $\mathcal{B}$ to decrypt the legitimate ciphertext in ${\mathcal{O}}_{Dec}$ as the event $Derr$. Hence, we have, $\mathrm{Pr}\left[Derr\right]\le \frac{q_D}{2^{\lambda +l}}$. Let ${rcv}^{*}={\rho }^{*}$. Suppose $AbortRK$ as the event in which $\mathcal{B}$ terminates upon the query ${\mathcal{O}}_{RKGen}\left({\rho }^{*}\right)$ being issued and $AbortCh$ the event in which $\mathcal{B}$ terminates in the challenge phase. Clearly, $\neg AbortCh$ implies $\neg AbortRK$, because the query ${\mathcal{O}}_{RKGen}\left({\rho }^{*}\right)$ cannot be issued. We obtain $\mathrm{Pr}[\neg AbortCh]\ge \frac{1}{q_{H_1}{q}_{H_2}}$.

Define $E=(Ask{H}_6^{*}\vee Derr)|\neg AbortCh$. There is no greater over $\frac{1}{2^{\lambda }}$ advantage that ${\mathcal{A}}_2$ will gain in guessing m when E does not happen, because ${\mathcal{O}}_{H_6}$ is a random oracle. $\mathrm{Pr}[m=m^{\prime }|\neg E]\le \frac{1}{2^{\lambda }}$. Hence,

$$\begin{array}{cc}\hfill \mathrm{Pr}[m=m^{\prime }]& =\mathrm{Pr}[m=m^{\prime }|\neg E]\mathrm{Pr}[\neg E]+\mathrm{Pr}[m=m^{\prime }|E]\mathrm{Pr}\left[E\right]\hfill \\ \hfill & \le \frac{1}{2^{\lambda }}\mathrm{Pr}[\neg E]+\mathrm{Pr}\left[E\right]=\frac{1}{2^{\lambda }}+\frac{1}{2}\mathrm{Pr}\left[E\right]\hfill \\ \hfill & =(1-\frac{1}{2^{\lambda }})\mathrm{Pr}\left[E\right]+\frac{1}{2^{\lambda }}.\hfill \end{array}$$

With $ϵ$, we obtain

$$\begin{array}{cc}\hfill ϵ& =|\mathrm{Pr}[m=m^{\prime }]|\le (1-\frac{1}{2^{\lambda }})\mathrm{Pr}\left[E\right]+\frac{1}{2^{\lambda }}\le (1-\frac{1}{2^{\lambda }})\frac{\mathrm{Pr}\left[Ask{H}_6^{*}\right]+\mathrm{Pr}\left[Derr\right]}{\mathrm{Pr}[\neg AbortCh]}+\frac{1}{2^{\lambda }}.\hfill \end{array}$$

Subsequently, we obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[Ask{H}_6^{*}\right]& \ge \frac{ϵ-\frac{1}{2^{\lambda }}}{1-\frac{1}{2^{\lambda }}}\mathrm{Pr}[\neg AbortCh]-\mathrm{Pr}\left[Derr\right]\ge \frac{ϵ-\frac{1}{2^{\lambda }}}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}.\hfill \end{array}$$

When $Ask{H}_6^{*}$ happens, ${\mathcal{A}}_2$ can distinguish the simulation of the challenge ciphertext $C^{*}$. Because $[e{(g,\widehat{g})}^{abc{v}^{*}·H_4\left({\eta }^{*}\right)},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*},{\delta }^{*}]$ has been documented in $L_{H_6}$ with non-negligible probability, $\mathcal{B}$ is winning when the right element is selected from $L_{H_6}$. Thus, the BDH assumption can be addressed by $\mathcal{B}$ with advantage ${ϵ}^{\prime }\ge \frac{1}{q_{H_6}}\mathrm{Pr}\left[Ask{H}_6^{*}\right]\ge \frac{1}{q_{H_6}}(\frac{ϵ-\frac{1}{2^{\lambda }}}{q_{H_1}{q}_{H_2}}-\frac{q_D}{2^{\lambda +l}}).$

Theorem 3.

For any ${\mathcal{A}}_3$, our IBME-ET scheme meets ANON-ID-CCA security on the basis of the Gap-BDH assumption.

More precisely, if ${\mathcal{A}}_3$ is able to break our proposal with the advantage ϵ, we are able to conceive of a PPT algorithm $\mathcal{B}$ to address the Gap-BDH assumption with the advantage ${ϵ}^{\prime }\ge \frac{ϵ}{q_{H_1}^2{q}_{H_2}^2}-\frac{q_D}{2^{\lambda +l}},$ where $q_{H_i}(i=1,2)$ and $q_D$ denote the numbers of different queries to ${\mathcal{O}}_{H_i}(i=1,2)$ and ${\mathcal{O}}_{Dec}$, respectively.

Proof. 

Given a Gap-BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,{\mathcal{O}}_{\mathcal{DBDH}})$, the task of $\mathcal{B}$ is to calculate $e{(g,\widehat{g})}^{abc}$ by interacting with ${\mathcal{A}}_3$ as below:

(1)

Setup: $\mathcal{B}$ randomly selects $i_0^{*},i_1^{*}\in \{1,2,\cdots ,q_{H_1}\}$ and $j_0^{*},j_1^{*}\in \{1,2,\cdots ,q_{H_2}\}$. $\mathcal{B}$ randomly selects ${\alpha }^{\prime },{\beta }_0,{\beta }_1\in {\mathbb{Z}}_q^{*}$, calculates $g_1=g^{a{\alpha }^{\prime }}$, $f=g^{{\beta }_0}$, $h=g^{a{\beta }_1}$, $\widehat{f}={\widehat{g}}^{{\beta }_0}$ and $\widehat{h}={\widehat{g}}^{a{\beta }_1}$, sets $pp=(\mathcal{G},g,\widehat{g},g_1,f,h,\widehat{f},\widehat{h},H,H_i(i=1,2,3,4,5,6,7,8))$, and delivers this to ${\mathcal{A}}_3$ with $pp$. $\mathcal{B}$ implicitly sets $mk=(s,\alpha )=(a,a{\alpha }^{\prime })$, because $\mathcal{B}$ has no knowledge about a. $\mathcal{B}$ preserves the $L_H$, $L_{H_i}(i=1,2,3,4,5,6,7,8)$, and $L_A$ lists to simulate ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_i}(i=1,2,3,4,5,6,7,8)$, and ${\mathcal{O}}_{Auth}$. Afterwards, $\mathcal{B}$ randomly selects $u_{i_0^{*}},u_{i_1^{*}},v_{j_0^{*}},v_{j_1^{*}},t_{j_0^{*}},t_{j_1^{*}}\in {\mathbb{Z}}_q^{*}$ and randomly chooses ${\tilde{\Omega }}_{00},{\tilde{\Omega }}_{01},{\tilde{\Omega }}_{11},{\tilde{\Omega }}_{10},I_{00},I_{01},I_{11},I_{10}\in {\mathbb{Z}}_q^{*}$.

(2)

Phase1: $\mathcal{B}$ answers ${\mathcal{A}}_3$’s queries.

• ${\mathcal{O}}_H\left(\eta \right)$: $\mathcal{B}$ executes the following operations.

  -

  When ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b,{\eta }^{{\left(u_{i_0^{*}}{t}_{j_0^{*}}\right)}^{-1}})=1$, $\mathcal{B}$ returns the Gap-BDH instance solution ${\eta }^{{\left(u_{i_0^{*}}{t}_{j_0^{*}}\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$ and defines $\Omega =\frac{{\tilde{\Omega }}_{00}}{t_{j_0^{*}}}$ and $I=I_{00}$.

  -

  When ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b,{\eta }^{{\left(u_{i_1^{*}}{t}_{j_1^{*}}\right)}^{-1}})=1$, $\mathcal{B}$ returns the Gap-BDH instance solution ${\eta }^{{\left(u_{i_1^{*}}{t}_{j_1^{*}}\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$ and defines $\Omega =\frac{{\tilde{\Omega }}_{11}}{t_{j_1^{*}}}$ and $I=I_{11}$.

  -

  When ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b,{\eta }^{{\left(u_{i_0^{*}}{t}_{j_1^{*}}\right)}^{-1}})=1$, $\mathcal{B}$ returns the Gap-BDH instance solution ${\eta }^{{\left(u_{i_0^{*}}{t}_{j_1^{*}}\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$ and defines $\Omega =\frac{{\tilde{\Omega }}_{01}}{t_{j_1^{*}}}$ and $I=I_{01}$.

  -

  When ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},$ ${\widehat{g}}^a,{\widehat{g}}^b,{\eta }^{{\left(u_{i_1^{*}}{t}_{j_0^{*}}\right)}^{-1}})=1$, $\mathcal{B}$ returns the Gap-BDH instance solution ${\eta }^{{\left(u_{i_1^{*}}{t}_{j_0^{*}}\right)}^{-1}}(=e{(g,\widehat{g})}^{abc})$ and defines $\Omega =\frac{{\tilde{\Omega }}_{10}}{t_{j_0^{*}}}$ and $I=I_{10}$.

  -

  Otherwise, $\mathcal{B}$ randomly selects $I,\Omega \in {\mathbb{Z}}_q^{*}$.

  Subsequently, $\mathcal{B}$ inserts $[\eta ,\Omega ]$ into $L_{H_4}$ and $[\eta ,I]$ into $L_H$ and answers I.
• ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$: Suppose ${\sigma }_i$ as the i-th different query. When $i=i_0^{*}$, $\mathcal{B}$ inserts a tuple $[{\sigma }_{i_0^{*}},u_{i_0^{*}}]$ into $L_{H_1}$ and returns $g^{c{u}_{i_0^{*}}}$. When $i=i_1^{*}$, $\mathcal{B}$ inserts a tuple $[{\sigma }_{i_1^{*}},u_{i_1^{*}}]$ into $L_{H_1}$ and returns $g^{c{u}_{i_1^{*}}}$. Otherwise, $\mathcal{B}$ randomly selects $u_i\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\sigma }_i,u_i]$ into $L_{H_1}$, and returns $g^{u_i}$.
• ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$: Suppose ${\rho }_j$ as the j-th different query. When $j=j_0^{*}$, $\mathcal{B}$ inserts a tuple $[{\rho }_{j_0^{*}},v_{j_0^{*}}]$ into $L_{H_2}$ and returns ${\widehat{g}}^{b{v}_{j_0^{*}}}$. When $j=j_1^{*}$, $\mathcal{B}$ inserts a tuple $[{\rho }_{j_1^{*}},v_{j_1^{*}}]$ into $L_{H_2}$ and returns ${\widehat{g}}^{b{v}_{j_1^{*}}}$. Otherwise, $\mathcal{B}$ randomly selects $v_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,v_j]$ into $L_{H_2}$, and returns ${\widehat{g}}^{v_j}$.
• ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$. Subsequently, $\mathcal{B}$ searches the tuple $[{\rho }_j,v_j]$ in $L_{H_2}$. When $j=j_0^{*}$, $\mathcal{B}$ inserts a tuple $[{\rho }_{j_0^{*}},t_{j_0^{*}}]$ into $L_{H_3}$ and returns ${\widehat{g}}^{b{t}_{j_0^{*}}}$. When $j=j_1^{*}$, $\mathcal{B}$ inserts a tuple $[{\rho }_{j_1^{*}},t_{j_1^{*}}]$ into $L_{H_3}$ and returns ${\widehat{g}}^{b{t}_{j_1^{*}}}$. Otherwise, $\mathcal{B}$ randomly selects $t_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,t_j]$ into $L_{H_3}$, and returns ${\widehat{g}}^{t_j}$.
• ${\mathcal{O}}_{H_4}\left(\eta \right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_H\left(\eta \right)$. Subsequently, $\mathcal{B}$ searches for the tuple $[\eta ,\Omega ]$ in $L_{H_4}$ and returns $\Omega$.
• ${\mathcal{O}}_{H_5}(m,k)$: $\mathcal{B}$ randomly chooses $R\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[m,k,R]$ into $L_{H_5}$, and answers R.
• ${\mathcal{O}}_{H_6}({\omega }_1,\eta ,C_0,C_1,C_2)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_H\left(\eta \right)$. Subsequently, $\mathcal{B}$ randomly selects $\delta \in {\{0,1\}}^{\lambda +l}$, inserts a tuple $[{\omega }_1,-,\eta ,C_0,C_1,C_2,\delta ]$ into $L_{H_6}$, and returns $\delta$.
• ${\mathcal{O}}_{H_7}\left(m\right)$: $\mathcal{B}$ randomly selects $h_7\in \widehat{\mathbb{G}}$, inserts a tuple $[m,h_7]$ into $L_{H_7}$, and returns $h_7$.
• ${\mathcal{O}}_{H_8}\left({\omega }_2\right)$: $\mathcal{B}$ randomly selects $\pi \in \widehat{\mathbb{G}}$, inserts a tuple $[{\omega }_2,\pi ]$ into $L_{H_8}$, and returns $\pi$.
• ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\sigma }_i,u_i]$ in $L_{H_1}$. When $i\ne i_0^{*}$ and $i\ne i_1^{*}$, $\mathcal{B}$ answers $e{k}_{{\sigma }_i}=g^{a{u}_i}$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$. There are a tuple $[{\rho }_j,v_j]$ in $L_{H_2}$ and a tuple $[{\rho }_j,t_j]$ in $L_{H_3}$. When $j\ne j_0^{*}$ and $j\ne j_1^{*}$, $\mathcal{B}$ answers $d{k}_{{\rho }_j}=(d_1,d_2,d_3)=({\widehat{g}}^{a{t}_j},{\widehat{g}}^{a{\alpha }^{\prime }{v}_j},{\widehat{g}}^{a{\alpha }^{\prime }{t}_j})$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{Enc}({\sigma }_i,rcv,m)$: Let $rcv={\rho }_j$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$ and ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$. When $i\ne i_0^{*}$ and $i\ne i_1^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$ and returns $C=Enc(pp,e{k}_{{\sigma }_i},{\rho }_j,$$m)$. Otherwise, $\mathcal{B}$ executes as below:

  -

  When $(i,j)=(i_0^{*},j_0^{*})$ or $(i,j)=(i_1^{*},j_1^{*})$, $\mathcal{B}$ is aborted by failure.

  -

  When $(i,j)=(i_0^{*},j_1^{*})$ or $(i,j)=(i_1^{*},j_0^{*})$, $\mathcal{B}$ executes a simulation algorithm to query ${\mathcal{O}}_{Auth}({\sigma }_i,{\rho }_j)$. There is a tuple $[{\sigma }_i,{\rho }_j,I, \Omega ,$${td}_{({\sigma }_i,{\rho }_j)}]$ in $L_A$. Afterwards, $\mathcal{B}$ randomly selects $r\in {\mathbb{Z}}_q^{*}$, $\delta \in {\{0,1\}}^{\lambda +l}$, $k\in {\{0,1\}}^l$, calculates ${\omega }_1=e(g_1,H_2{\left({\rho }_j\right))}^{r·\Omega }$, ${\omega }_2=e(g_1,H_3{\left({\rho }_j\right))}^{r·\Omega }$ and $R=H_5(m,k)$, inserts a tuple $[{\omega }_1,(i,j),-,C_0,C_1,C_2,\delta ]$ into $L_{H_6}$, and returns $C=(C_0,C_1,C_2,C_3,C_4)$, where $C_0=g^R$, $C_1=g^r$, $C_2={\left(f{h}^I\right)}^r$, $C_3=(m\Vert k)\oplus \delta$, $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$.

  -

  Otherwise, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to get $d{k}_{{\rho }_j}=(d_1,d_2,d_3)$, selects $k\in {\{0,1\}}^l$, $r\in {\mathbb{Z}}_q^{*}$ randomly, calculates $\eta =e(H_1\left({\sigma }_i\right),d_1)$, ${\omega }_1=e(g_1,H_2{\left({\rho }_j\right))}^{r·H_4\left(\eta \right)}$, ${\omega }_2=e(g_1,H_3{\left({\rho }_j\right))}^{r·H_4\left(\eta \right)}$ and $R=H_5(m,k)$, and returns $C=(C_0,C_1,C_2,C_3,C_4)$, where $C_0=g^R$, $C_1=g^r$, $C_2={\left(f{h}^{H\left(\eta \right)}\right)}^r$, $C_3=(m\Vert k)\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)$, $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$.

• ${\mathcal{O}}_{Dec}({\rho }_j,snd,C)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. When $j\ne j_0^{*}$ and $j\ne j_1^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$ and returns the outcome of $Dec(pp,d{k}_{\left({\rho }_j\right)},{\sigma }_i,C)$. Otherwise, $\mathcal{B}$ executes the following operations:

  -

  When $(i,j)=(i_0^{*},j_0^{*})$, or $(i,j)=(i_1^{*},j_1^{*})$m or $(i,j)=(i_0^{*},j_1^{*})$, or $(i,j)=(i_1^{*},j_0^{*})$, $\mathcal{B}$ searches for the tuple $[{\sigma }_i,{\rho }_j,I,\Omega ,$${td}_{({\sigma }_i,{\rho }_j)}]$ in $L_A$. When $L_A$ has no such tuple, $\mathcal{B}$ executes as below.

  When $(i,j)=(i_0^{*},j_0^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{00}}{t_j}$, $I=I_{00}$. When $(i,j)=(i_1^{*},j_1^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{11}}{t_j}$, $I=I_{11}$. When $(i,j)=(i_0^{*},j_1^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{01}}{t_j}$, $I=I_{01}$. When $(i,j)=(i_1^{*},j_0^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{10}}{t_j}$, $I=I_{10}$. Afterwards, $\mathcal{B}$ randomly selects $\tilde{y}\in {\mathbb{Z}}_q^{*}$, calculates $z=\frac{t_j{\alpha }^{\prime }\Omega }{{\beta }_{1}I}$, implicitly sets $y=\tilde{y}-bz$, sets $t{d}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)=({\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}},{\widehat{g}}^{\tilde{y}-bz})$, and stores $[{\rho }_j,{\sigma }_i,I,\Omega ,{td}_{({\sigma }_i,{\rho }_j)}]$ in $L_A$. $t{d}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)$ is a valid random trapdoor according to ${\rho }_j$ and ${\sigma }_i$, where

  $$\begin{array}{cc}\hfill y_1& ={\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}}={\widehat{g}}^{a{\alpha }^{\prime }b{t}_j·\Omega }{\widehat{g}}^{{\beta }_{0}y}{\widehat{g}}^{a{\beta }_{1}Iy}=d_3^{\Omega }{\widehat{g}}^{({\beta }_0+a{\beta }_{1}I)y}=d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,\hfill \\ \hfill y_2& ={\widehat{g}}^{\tilde{y}-bz}={\widehat{g}}^y.\hfill \end{array}$$

  Next, $\mathcal{B}$ calculates ${\omega }_2=\frac{e(C_1,y_1)}{e(C_2,y_2)}$. For each tuple $[{\omega }_1,(i,j),-,$$C_0,C_1,C_2,\delta ]$ in $L_{H_6}$, $\mathcal{B}$ calculates $m\Vert k=C_3\oplus \delta$ and $R=H_5(m,k)$. If both $C_0=g^R$ and $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$ hold, $\mathcal{B}$ returns m; otherwise, $\mathcal{B}$ returns ⊥.

  -

  Otherwise, $\mathcal{B}$ can query ${\mathcal{O}}_{Auth}({\sigma }_i,{\rho }_j)$ to obtain $t{d}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)$ and calculates ${\omega }_2=\frac{e(C_1,y_1)}{e(C_2,y_2)}$. For each tuple $[{\omega }_1,(i,j),-,$$C_0,C_1,C_2,\delta ]$ in $L_{H_6}$, $\mathcal{B}$ calculates $m\Vert k=C_3\oplus \delta$ and $R=H_5(m,k)$. If both $C_0=g^R$ and $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$ hold, $\mathcal{B}$ returns m; otherwise, $\mathcal{B}$ returns ⊥.

• ${\mathcal{O}}_{Auth}(snd,{\rho }_j)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\rho }_j,v_j]$ in $L_{H_2}$. When $j\ne j_0^{*}$ and $j\ne j_1^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}=(d_1,d_2,d_3)$, calculates $\eta =e(H_1\left({\sigma }_i\right),d_1)$, $I=H\left(\eta \right)$, $\Omega =H_3\left(\eta \right)$, returns $t{d}_{({\sigma }_i,{\rho }_j)}=Auth(pp,{\sigma }_i,d{k}_{{\rho }_j})$, and stores $[{\sigma }_i,{\rho }_j,I,\Omega ,t{d}_{({\sigma }_i,{\rho }_j)}]$ into $L_A$. Otherwise, $\mathcal{B}$ executes as below:

  -

  When $(i,j)=(i_0^{*},j_0^{*})$ or $(i,j)=(i_1^{*},j_1^{*})$, $\mathcal{B}$ is aborted by failure.

  -

  When $(i,j)=(i_0^{*},j_1^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{01}}{t_j}$, $I=I_{01}$.

  -

  When $(i,j)=(i_1^{*},j_0^{*})$, $\Omega =\frac{{\tilde{\Omega }}_{10}}{t_j}$, $I=I_{10}$.

  -

  Otherwise, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$ and calculates $\eta =e(e{k}_{{\sigma }_i},$$H_3\left({\rho }_j\right))$, $\Omega =H_4\left(\eta \right)$. $I=H\left(\eta \right)$

  Subsequently, $\mathcal{B}$ randomly selects $\tilde{y}\in {\mathbb{Z}}_q^{*}$, calculates $z=\frac{t_j{\alpha }^{\prime }\Omega }{I{\beta }_1}$, implicitly sets $y=\tilde{y}-bz$, returns $t{d}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)=({\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}},{\widehat{g}}^{\tilde{y}-bz})$, and then, stores $[{\sigma }_i,{\rho }_j,I,$$\Omega ,{td}_{({\sigma }_i,{\rho }_j)}]$ in $L_A$. ${td}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)$ is a valid random trapdoor according to ${\rho }_j$ and ${\sigma }_i$, where

  $$\begin{array}{cc}\hfill y_1& ={\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}}={\widehat{g}}^{a{\alpha }^{\prime }b{t}_j·\Omega }{\widehat{g}}^{{\beta }_{0}y}{\widehat{g}}^{a{\beta }_{1}Iy}=d_3^{\Omega }{\widehat{g}}^{({\beta }_0+a{\beta }_{1}I)y}=d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,\hfill \\ \hfill y_2& ={\widehat{g}}^{\tilde{y}-bz}={\widehat{g}}^y.\hfill \end{array}$$

(3)

Challenge: ${\mathcal{A}}_3$ offers a message $m^{*}\in {\{0,1\}}^{\lambda }$ and two pairs of sender/receiver identities (${snd}_0^{*},{\rho }_0^{*}$), (${snd}_1^{*},{\rho }_1^{*}$) to $\mathcal{B}$. Set ${snd}_0^{*}={\sigma }_0^{*}$, ${snd}_1^{*}={\sigma }_1^{*}$. Afterwards, $\mathcal{B}$ utilizes a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_0^{*}\right)$, ${\mathcal{O}}_{H_1}\left({\sigma }_1^{*}\right)$, ${\mathcal{O}}_{H_3}\left({\rho }_0^{*}\right)$, and ${\mathcal{O}}_{H_3}\left({\rho }_1^{*}\right)$:

-

When the $i_0^{*}$-th tuple in $L_{H_1}$ is $[{\sigma }_0^{*},u_0^{*}]$, the $i_1^{*}$-th tuple in $L_{H_1}$ is $[{\sigma }_1^{*},u_1^{*}]$, the $j_0^{*}$-th tuple in $L_{H_2}$ is $[{\rho }_0^{*},v_0^{*}]$, and the $j_1^{*}$-th tuple in $L_{H_2}$ is $[{\rho }_1^{*},v_1^{*}]$, $\mathcal{B}$ executes the following operations:

Firstly, $\mathcal{B}$ randomly selects $x\in \{0,1\}$ and searches for the tuple $[{\sigma }_x^{*},{\rho }_x^{*},I,\Omega ,t{d}_{({\sigma }_x^{*},{\rho }_x^{*})}]$ in $L_A$. When $L_A$ has no such tuple, $\mathcal{B}$ sets $\Omega =\frac{{\tilde{\Omega }}_{xx}}{t_x^{*}}$ and $I=I_{xx}$. Subsequently, $\mathcal{B}$ randomly selects $\tilde{y}\in {\mathbb{Z}}_q^{*}$, calculates $z=\frac{t_x{\alpha }^{\prime }\Omega }{{\beta }_{1}I}=\frac{{\alpha }^{\prime }{\tilde{\Omega }}_{xx}}{{\beta }_{1}I}$, implicitly sets $y=\tilde{y}-bz$, obtains $t{d}_{({\sigma }_x^{*},{\rho }_x^{*})}=(y_1,y_2)=({\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}},{\widehat{g}}^{\tilde{y}-bz})$, and then, inserts a tuple $[{\sigma }_x^{*},{\rho }_x^{*},I,\Omega ,{td}_{({\sigma }_x^{*},{\rho }_x^{*})}]$ in $L_A$. $t{d}_{({\sigma }_x^{*},{\rho }_x^{*})}=(y_1,y_2)$ is a valid random trapdoor according to ${\sigma }_x^{*}$ and ${\rho }_x^{*}$, where

$$\begin{array}{cc}\hfill y_1& ={\widehat{g}}^{{\beta }_0(\tilde{y}-bz)}{\widehat{g}}^{a{\beta }_{1}I\tilde{y}}={\widehat{g}}^{ab{\alpha }^{\prime }·{\tilde{\Omega }}_{xx}}{\widehat{g}}^{{\beta }_{0}y}{\widehat{g}}^{a{\beta }_{1}Iy}={\widehat{g}}^{a{\alpha }^{\prime }b{t}_x·\Omega }{\widehat{g}}^{{\beta }_{0}y}{\widehat{g}}^{a{\beta }_{1}Iy}=d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,\hfill \\ \hfill y_2& ={\widehat{g}}^{\tilde{y}-bz}={\widehat{g}}^y.\hfill \end{array}$$

Secondly, $\mathcal{B}$ randomly selects $r\in {\mathbb{Z}}_q^{*}$, $C_3^{*}\in {\{0,1\}}^{\lambda +l}$, $k\in {\{0,1\}}^l$, calculates ${\omega }_2^{*}=e{(g^{a{\alpha }^{\prime }},{\widehat{g}}^b)}^{r{\tilde{\Omega }}_{xx}}$, $R=H_5(m^{*},k)$, $C_0^{*}=g^R$, $C_1^{*}=g^r$, $C_2^{*}={\left(f{h}^I\right)}^r$, and $C_4^{*}=H_7{\left(m^{*}\right)}^R·H_8\left({\omega }_2^{*}\right)$.

The above construction implicitly sets $C_3^{*}=(m^{*}\Vert k)\oplus H_6({\omega }_1^{*},{\eta }^{*},C_0^{*},C_1^{*},C_2^{*})$, where ${\omega }_1^{*}=e{(g^{a{\alpha }^{\prime }},{\widehat{g}}^b)}^{r\Omega v_x^{*}}$, ${\eta }^{*}=e{(g,\widehat{g})}^{abc{u}_x^{*}{t}_x^{*}}$. $C_x^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$ is the encryption of $m^{*}$ according to ${\sigma }_x^{*}$ and ${\rho }_x^{*}$, where

$$\begin{array}{cc}\hfill {\omega }_2^{*}& =e{(g^{a{\alpha }^{\prime }},{\widehat{g}}^b)}^{r{\tilde{\Omega }}_{xx}}=e{(g_1,{\widehat{g}}^b)}^{r{t}_x^{*}\Omega }=e(g_1,{\widehat{g}}^{b{t}_x^{*}{)}^{r·\Omega }}={e(g_1,H_3\left({\rho }_x^{*}\right))}^{r·\Omega }.\hfill \end{array}$$

Eventually, $\mathcal{B}$ returns the corresponding challenge ciphertext $C_x^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$ and challenge trapdoor $t{d}_{({\sigma }_x^{*},{\rho }_x^{*})}=(y_1,y_2)$ to ${\mathcal{A}}_3$.

-

Otherwise, $\mathcal{B}$ is aborted by failure.

(4)

Phase2: ${\mathcal{A}}_3$ makes issues like in Phase1.

(5)

Guess: ${\mathcal{A}}_3$ answers a guess $x^{\prime }\in \{0,1\}$.

□

Analysis: It is obvious that the simulations of ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_5}$, ${\mathcal{O}}_{H_7}$, and ${\mathcal{O}}_{H_8}$ are perfect. Define ${\eta }_{(0,0)}=e{(g,\widehat{g})}^{abc{u}_{i_0^{*}}{t}_{j_0^{*}}}$, ${\eta }_{(1,1)}=e{(g,\widehat{g})}^{abc{u}_{i_1^{*}}{t}_{j_0^{*}}}$, ${\eta }_{(1,0)}=e{(g,\widehat{g})}^{abc{u}_{i_1^{*}}{t}_{j_0^{*}}}$, ${\eta }_{(0,1)}=e{(g,\widehat{g})}^{abc{u}_{i_0^{*}}{t}_{j_1^{*}}}$. Let ${snd}_0^{*}={\sigma }_0^{*}$ and ${snd}_1^{*}={\sigma }_1^{*}$. Denote the queries ${\mathcal{O}}_H\left({\eta }_{(0,0)}\right)$, ${\mathcal{O}}_H\left({\eta }_{(0,1)}\right)$, ${\mathcal{O}}_H\left({\eta }_{(1,0)}\right)$, and ${\mathcal{O}}_H\left({\eta }_{(1,1)}\right)$ as the event $AskH$. Suppose $AbortSK$ as the event in which $\mathcal{B}$ terminates upon the queries ${\mathcal{O}}_{SKGen}\left({\sigma }_0^{*}\right)$ and ${\mathcal{O}}_{SKGen}\left({\sigma }_1^{*}\right)$ being issued, $AbortRK$ as the event in which $\mathcal{B}$ terminates upon the queries ${\mathcal{O}}_{RKGen}\left({\rho }_0^{*}\right)$ and ${\mathcal{O}}_{RKGen}\left({\rho }_1^{*}\right)$ being issued, $AbortAuth$ as the event in which $\mathcal{B}$ terminates upon the queries ${\mathcal{O}}_{Auth}({\sigma }_0^{*},{\rho }_0^{*})$ and ${\mathcal{O}}_{Auth}({\sigma }_1^{*},{\rho }_1^{*})$ being issued, $AbortEnc$ as the event in which $\mathcal{B}$ terminates upon the queries ${\mathcal{O}}_{Enc}({\sigma }_0^{*},{\rho }_0^{*},\ast )$ and ${\mathcal{O}}_{Enc}({\sigma }_1^{*},{\rho }_1^{*},\ast )$ being issued, and $AbortCh$ as the event in which $\mathcal{B}$ terminates in the challenge phase. Clearly, $\neg AbortCh$ implies $\neg AbortSK$, $\neg AbortRK$, $\neg AbortAuth$, and $\neg AbortEnc$, because the queries ${\mathcal{O}}_{SKGen}\left({\sigma }_0^{*}\right)$ and ${\mathcal{O}}_{SKGen}\left({\sigma }_1^{*}\right)$ cannot be issued, the queries ${\mathcal{O}}_{RKGen}\left({\rho }_0^{*}\right)$ and ${\mathcal{O}}_{RKGen}\left({\rho }_1^{*}\right)$ are unable to be issued, $({\sigma }_0^{*},{\rho }_0^{*})$ and the queries ${\mathcal{O}}_{Auth}({\sigma }_0^{*},{\rho }_0^{*})$ and ${\mathcal{O}}_{Auth}({\sigma }_1^{*},{\rho }_1^{*})$ are unable to be issued, and the queries ${\mathcal{O}}_{Enc}({\sigma }_0^{*},{\rho }_0^{*},\ast )$ and ${\mathcal{O}}_{Enc}({\sigma }_1^{*},{\rho }_1^{*},\ast )$ are unable to be issued. Thus, we obtain $\mathrm{Pr}[\neg AbortCh]\ge \frac{1}{q_{H_1}^2}·\frac{1}{q_{H_2}^2}$.

Denote the failure of $\mathcal{B}$ to decrypt the legitimate ciphertext in ${\mathcal{O}}_{Dec}$ as the event $Derr$. Thus, $\mathrm{Pr}\left[Derr\right]\le \frac{q_D}{2^{\lambda +l}}$.

Define $E_0=(AskH\vee Derr)|\neg AbortCh$. There is no greater over $\frac{1}{2}$ advantage that ${\mathcal{A}}_3$ will gain in guessing x when $E_0$ does not happen because ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_4}$, and ${\mathcal{O}}_{H_6}$ are random oracles. Hence, $\mathrm{Pr}[x=x^{\prime }|\neg E_0]=\frac{1}{2}$. We obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}[x=x^{\prime }]& =\mathrm{Pr}[x=x^{\prime }|\neg E_0]\mathrm{Pr}[\neg E_0]+\mathrm{Pr}[x=x^{\prime }|E_0]\mathrm{Pr}\left[E_0\right]\le \frac{1}{2}\mathrm{Pr}[\neg E_0]+\mathrm{Pr}\left[E_0\right]=\frac{1}{2}+\frac{1}{2}\mathrm{Pr}\left[E_0\right].\hfill \end{array}$$

With $ϵ$, we obtain

$$\begin{array}{cc}\hfill ϵ& =|\mathrm{Pr}[x=x^{\prime }]-\frac{1}{2}|\le \mathrm{Pr}\left[E_0\right]\le \frac{\mathrm{Pr}\left[AskH\right]+\mathrm{Pr}\left[Derr\right]}{\mathrm{Pr}[\neg AbortCh]}.\hfill \end{array}$$

Subsequently, we obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[AskH\right]& \ge ϵ\mathrm{Pr}[\neg AbortCh]-\mathrm{Pr}\left[Derr\right]\ge \frac{ϵ}{q_{H_1}^2{q}_{H_2}^2}-\frac{q_D}{2^{\lambda +l}}.\hfill \end{array}$$

Obviously, when $AskH$ occurs, the Gap-BDH assumption can certainly be addressed by $\mathcal{B}$. $\mathcal{B}$ addresses the Gap-BDH assumption with advantage ${ϵ}^{\prime }=\mathrm{Pr}\left[\mathcal{B}success\right]=\mathrm{Pr}\left[AskH\right]\ge \frac{ϵ}{q_{H_1}^2{q}_{H_2}^2}-\frac{q_D}{2^{\lambda +l}}.$

Theorem 4.

For any ${\mathcal{A}}_4$, our IBME-ET scheme meets sUF-ID-CMA security on the basis of the Gap-BDH assumption.

More precisely, if ${\mathcal{A}}_4$ is able to break our proposal with the advantage ϵ, we are able to conceive of a PPT algorithm $\mathcal{B}$ to address the Gap-BDH assumption with the advantage ${ϵ}^{\prime }\ge ϵ(1-\frac{1}{q})\frac{1}{q_{H_1}{q}_{H_3}}-\frac{1+q_D}{2^{\lambda }},$ where $q_{H_i}(i=1,3)$ and $q_D$ denote the numbers of different queries to ${\mathcal{O}}_{H_i}(i=1,3)$ and ${\mathcal{O}}_{Dec}$, respectively.

Proof. 

Given a Gap-BDH assumption instance $(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,{\mathcal{O}}_{\mathcal{DBDH}})$, the task of $\mathcal{B}$ is to calculate $e{(g,\widehat{g})}^{abc}$ by interacting with ${\mathcal{A}}_4$ as below:

(1)

Setup: $\mathcal{B}$ randomly chooses $i^{*}\in \{1,2,\cdots ,q_{H_1}\}$, $j^{*}\in \{1,2,\cdots ,q_{H_3}\}$. $\mathcal{B}$ randomly selects $\alpha ,{\beta }_0,{\beta }_1\in {\mathbb{Z}}_q^{*}$, calculates $g_1=g^{\alpha }$, $f=g^{{\beta }_0}$, $h=g^{{\beta }_1}$, $\widehat{f}={\widehat{g}}^{{\beta }_0}$ and $\widehat{h}={\widehat{g}}^{{\beta }_1}$, sets $pp=(\mathcal{G},g,\widehat{g},g_1,f,h,\widehat{f},\widehat{h},H,$$H_i(i=1,2,3,4,5,6,7,8))$, and delivers this to ${\mathcal{A}}_4$ with $pp$. $\mathcal{B}$ implicitly sets $mk=(a,\alpha )$, because $\mathcal{B}$ has no knowledge about a. $\mathcal{B}$ preserves the $L_H$ and $L_{H_i}(i=1,2,3,4,5,6,7,8)$ lists to simulate ${\mathcal{O}}_H$ and ${\mathcal{O}}_{H_i}(i=1,2,3,4,5,6,7,8)$. Afterwards, $\mathcal{B}$ randomly selects $I^{*},{\Omega }^{*}\in {\mathbb{Z}}_q^{*}$.

(2)

Queries: $\mathcal{B}$ answers ${\mathcal{A}}_4$’s queries as below:

• ${\mathcal{O}}_H\left(\eta \right)$: When ${\mathcal{O}}_{\mathcal{DBDH}}(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b,\eta )\ne 1$, $\mathcal{B}$ randomly selects $\Omega ,I\in {\mathbb{Z}}_q^{*}$, inserts $[\eta ,\Omega ]$ into $L_{H_4}$ and $[\eta ,I]$ into $L_H$, and answers I. Otherwise, $\mathcal{B}$ answers the Gap-BDH solution $\eta (=e{(g,\widehat{g})}^{abc})$, defines $\Omega ={\Omega }^{*}$ and $I=I^{*}$, inserts $[\eta ,\Omega ]$ into $L_{H_4}$ and $[\eta ,I]$ into $L_H$, and answers I.
• ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$: Suppose ${\sigma }_i$ as the i-th different query. When $i\ne i^{*}$, $\mathcal{B}$ randomly selects $u_i\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\sigma }_i,u_i]$ into $L_{H_1}$, returns $g^{u_i}$. Otherwise, $\mathcal{B}$ inserts a tuple $[{\sigma }_i,-]$ into $L_{H_1}$ and returns $g^c$.
• ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$. Subsequently, $\mathcal{B}$ randomly selects $v_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,v_j]$ into $L_{H_2}$, and returns ${\widehat{g}}^{v_j}$.
• ${\mathcal{O}}_{H_3}\left({\rho }_j\right)$: Suppose ${\rho }_j$ as the j-th different query. When $j\ne j^{*}$, $\mathcal{B}$ randomly selects $t_j\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[{\rho }_j,t_j]$ into $L_{H_3}$, and returns ${\widehat{g}}^{t_j}$. Otherwise, $\mathcal{B}$ inserts a tuple $[{\rho }_j,-]$ into $L_{H_3}$ and returns ${\widehat{g}}^b$.
• ${\mathcal{O}}_{H_4}\left(\eta \right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_H\left(\eta \right)$. Subsequently, $\mathcal{B}$ searches for the tuple $[\eta ,\Omega ]$ in $L_{H_4}$ and answers $\Omega$.
• ${\mathcal{O}}_{H_5}(m,k)$: $\mathcal{B}$ randomly chooses $R\in {\mathbb{Z}}_q^{*}$, inserts a tuple $[m,k,R]$ into $L_{H_5}$, and answers R.
• ${\mathcal{O}}_{H_6}({\omega }_1,\eta ,C_0,C_1,C_2)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_H\left(\eta \right)$. Subsequently, $\mathcal{B}$ randomly selects $\delta \in {\{0,1\}}^{\lambda +l}$, inserts a tuple $[{\omega }_1,-,\eta ,C_0,C_1,C_2,\delta ]$ into $L_{H_6}$, and returns $\delta$.
• ${\mathcal{O}}_{H_7}\left(m\right)$: $\mathcal{B}$ randomly selects $h_7\in \widehat{\mathbb{G}}$, inserts a tuple $[m,h_7]$ into $L_{H_7}$, and returns $h_7$.
• ${\mathcal{O}}_{H_8}\left({\omega }_2\right)$: $\mathcal{B}$ randomly selects $\pi \in \widehat{\mathbb{G}}$, inserts a tuple $[{\omega }_2,\pi ]$ into $L_{H_8}$, and returns $\pi$.
• ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\sigma }_i,u_i]$ in $L_{H_1}$. If $i\ne i^{*}$, $\mathcal{B}$ returns $e{k}_{{\sigma }_i}=g^{a{u}_i}$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$: $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$. There is a tuple $[{\rho }_j,v_j]$ in $L_{H_2}$. If $j\ne j^{*}$, $\mathcal{B}$ returns $d{k}_{{\rho }_j}=(d_1,d_2,d_3)$$=({\widehat{g}}^{a{t}_j},{\widehat{g}}^{\alpha v_j},{\widehat{g}}^{\alpha t_j})$. Otherwise, $\mathcal{B}$ is aborted by failure.
• ${\mathcal{O}}_{Auth}(snd,{\rho }_j)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. There is a tuple $[{\rho }_j,t_j]$ in $L_{H_3}$. When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}=(d_1,d_2,d_3)$, calculates $\eta =e(H_1\left({\sigma }_i\right),d_1)$, $\Omega =H_4\left(\eta \right)$ and $I=H\left(\eta \right)$, and answers $t{d}_{({\sigma }_i,{\rho }_j)}=Auth(pp,{\sigma }_i,d{k}_{{\rho }_j})$. Otherwise, $\mathcal{B}$ executes the following operations:

  -

  When $(i,j)\ne (i^{*},j^{*})$, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$, calculates $\eta =e(e{k}_{{\sigma }_i},H_2\left({\rho }_j\right))$, $I=H\left(\eta \right)$, and $\Omega =H_4\left(\eta \right)$, calculates $d_3={\widehat{g}}^{\alpha t_j}$, randomly selects $y\in {\mathbb{Z}}_q^{*}$, and returns $t{d}_{({\sigma }_i,{\rho }_j)}=$$(y_1,y_2)=(d_3^{H_4\left(\eta \right)}{\left(\widehat{f}{\widehat{h}}^{H\left(\eta \right)}\right)}^y,{\widehat{g}}^y)$.

  -

  Otherwise, $\mathcal{B}$ defines $\Omega ={\Omega }^{*}$, $I=I^{*}$, calculates $d_3={\widehat{g}}^{b\alpha }$, randomly selects $y\in {\mathbb{Z}}_q^{*}$, and returns $t{d}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)=(d_3^{\Omega }{\left(\widehat{f}{\widehat{h}}^I\right)}^y,{\widehat{g}}^y)$.

• ${\mathcal{O}}_{Enc}({\sigma }_i,rcv,m)$: Let $rcv={\rho }_j$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$ and ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$. When $i\ne i^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$ to obtain $e{k}_{{\sigma }_i}$ and returns $C=Enc(pp,e{k}_{{\sigma }_i},{\rho }_j,m)$. Otherwise, $\mathcal{B}$ executes the following operations:

  -

  When $(i,j)\ne (i^{*},j^{*})$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}=(d_1,d_2,d_3)$, randomly selects $r\in {\mathbb{Z}}_q^{*}$, $k\in {\{0,1\}}^l$, calculates $R=H_5(m,k)$, $\eta =e(H_1\left({\sigma }_i\right),d_1)$, $\Omega =H_4\left(\eta \right)$, ${\omega }_1=e(g_1,H_2{\left({\rho }_j\right))}^{r·\Omega }$ and ${\omega }_2=e(g_1,H_3{\left({\rho }_j\right))}^{r·\Omega }$, and then, returns $C=(C_0,C_1,C_2,C_3,C_4)$, where $C_0=g^R$, $C_1=g^r$, $C_2={\left(f{h}^I\right)}^r$, $C_3=(m\Vert k)\oplus H_6\left({\omega }_1\right)$, $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$.

  -

  Otherwise, $\mathcal{B}$ defines $\Omega ={\Omega }^{*}$, $I=I^{*}$, randomly picks $r\in {\mathbb{Z}}_q^{*}$, $\delta \in {\{0,1\}}^{\lambda +l}$, $k\in {\{0,1\}}^l$, calculates $R=H_5(m,k)$, ${\omega }_1=e(g_1,H_2{\left({\rho }_j\right))}^{r·\Omega }$ and ${\omega }_2=e(g_1,H_3{\left({\rho }_j\right))}^{r·\Omega }$, inserts a tuple $[{\omega }_1,(i,j),-,C_0,C_1,C_2,\delta ]$ into $L_{H_6}$, and then, returns $C=(C_0,C_1,C_2,C_3,C_4)$, where $C_0=g^R$, $C_1=g^r$, $C_2={\left(f{h}^I\right)}^r$, $C_3=(m\Vert k)\oplus \delta$, and $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$.

• ${\mathcal{O}}_{Dec}({\rho }_j,snd,C)$: Let $snd={\sigma }_i$. $\mathcal{B}$ performs a simulation algorithm to query ${\mathcal{O}}_{H_2}\left({\rho }_j\right)$ and ${\mathcal{O}}_{H_1}\left({\sigma }_i\right)$. When $j\ne j^{*}$, $\mathcal{B}$ can query ${\mathcal{O}}_{RKGen}\left({\rho }_j\right)$ to obtain $d{k}_{{\rho }_j}$ and returns the outcome of the algorithm $Dec(pp,d{k}_{{\rho }_j},$${\sigma }_i,C)$. Otherwise, $\mathcal{B}$ executes the following operations:

  -

  When $(i,j)\ne (i^{*},j^{*})$, $\mathcal{B}$ can query ${\mathcal{O}}_{Auth}({\sigma }_i,{\rho }_j)$ to obtain ${td}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)$, calculates ${\omega }_2=\frac{e(C_1,y_1)}{e(C_2,y_2)}$, obtains $e{k}_{{\sigma }_i}$ by querying ${\mathcal{O}}_{SKGen}\left({\sigma }_i\right)$, calculates $\eta =e(e{k}_{{\sigma }_i},H_3\left({\rho }_j\right))$, $\Omega =H_4\left(\eta \right)$, $d_2=H_2{\left({\rho }_j\right)}^{\alpha }$, ${\omega }_1=e(C_1,d_2^{\Omega })$, recovers $m\Vert k$ by computing $C_3\oplus H_6({\omega }_1,\eta ,C_0,C_1,C_2)$, calculates $R=H_5(m,k)$. If $C_0=g^R$ and $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$ hold, $\mathcal{B}$ answers m; otherwise, $\mathcal{B}$ answers ⊥.

  -

  Otherwise, $\mathcal{B}$ defines $\Omega ={\Omega }^{*}$, $I=I^{*}$, calculates ${\omega }_1={e(C_1,{\widehat{g}}^{v_j})}^{\Omega }$, obtains ${td}_{({\sigma }_i,{\rho }_j)}=(y_1,y_2)$ by querying ${\mathcal{O}}_{Auth}({\sigma }_i,{\rho }_j)$, calculates ${\omega }_2=\frac{e(C_1,y_1)}{e(C_2,y_2)}$, and searches for the corresponding tuple $[{\omega }_1,(i,j),-,$$C_0,C_1,C_2,\delta ]$ in $L_{H_6}$. If there exists no such tuple in $L_{H_6}$, $\mathcal{B}$ randomly selects $\delta \in {\{0,1\}}^{\lambda +l}$ and inserts $[{\omega }_1,(i,j),-,$$C_0,C_1,C_2,\delta ]$ into $L_{H_6}$. Afterwards, $\mathcal{B}$ recovers $m\Vert k$ by computing $C_3\oplus \delta$ and calculates $R=H_5(m,k)$. If $C_0=g^R$ and $C_4=H_7{\left(m\right)}^R·H_8\left({\omega }_2\right)$ hold, $\mathcal{B}$ answers m; otherwise, $\mathcal{B}$ answers ⊥.

(3)

Forgery: ${\mathcal{A}}_4$ outputs a triple $(sn{d}^{*},{\rho }^{*},C^{*})$, where $sn{d}^{*}={\sigma }^{*}$ and $C^{*}=(C_0^{*},C_1^{*},C_2^{*},C_3^{*},C_4^{*})$.

□

Analysis: It is obvious that the simulations of ${\mathcal{O}}_{H_1}$, ${\mathcal{O}}_{H_2}$, ${\mathcal{O}}_{H_3}$, ${\mathcal{O}}_{H_5}$, ${\mathcal{O}}_{H_7}$, and ${\mathcal{O}}_{H_8}$ are perfect. Define ${\eta }^{*}=e{(g,\widehat{g})}^{abc}$. Denote the query ${\mathcal{O}}_H\left({\eta }^{*}\right)$ as the event $AskH$. Denote the failure of $\mathcal{B}$ to decrypt the legitimate ciphertext in ${\mathcal{O}}_{Dec}$ as the event $Derr$. Thus, $\mathrm{Pr}\left[Derr\right]\le \frac{q_D}{2^{\lambda +l}}$.

Suppose E as the event for which ${\sigma }^{*}={\sigma }_{i^{*}}$, ${\rho }^{*}={\rho }_{j^{*}}$, and $({\sigma }^{*},{\rho }^{*},C^{*})$ are legitimate. With $ϵ$ and the lemma on the relationship between the chosen-identity attack and given identity attack [33], we obtain $\mathrm{Pr}\left[E\right]\ge ϵ(1-\frac{1}{q})\frac{1}{q_{H_1}{q}_{H_3}}$.

Define $E_0=AskH\vee Derr$. There is no greater over $\frac{1}{2^{\lambda }}$ advantage that ${\mathcal{A}}_4$ will forge a valid $({\sigma }_{i^{*}},{\rho }_{j^{*}},C^{*})$ when $E_0$ does not happen because ${\mathcal{O}}_H$, ${\mathcal{O}}_{H_4}$, and ${\mathcal{O}}_{H_6}$ are random oracles. Hence, $\mathrm{Pr}\left[E\right|\neg E_0]=\frac{1}{2^{\lambda }}$. We obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[E\right]& \le \mathrm{Pr}\left[E\right|\neg E_0]\mathrm{Pr}[\neg E_0]+\mathrm{Pr}\left[E_0\right]\le \frac{1}{2^{\lambda }}(1-\mathrm{Pr}\left[E_0\right])+\mathrm{Pr}\left[E_0\right]=\frac{1}{2^{\lambda }}+(1-\frac{1}{2^{\lambda }})\mathrm{Pr}\left[E_0\right]\le \frac{1}{2^{\lambda }}+\mathrm{Pr}\left[E_0\right].\hfill \end{array}$$

Therefore, we obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[E_0\right]& =\mathrm{Pr}[AskH\vee Derr]=\mathrm{Pr}\left[AskH\right]+\mathrm{Pr}\left[Derr\right]\ge \mathrm{Pr}\left[E\right]-\frac{1}{2^{\lambda }}.\hfill \end{array}$$

Subsequently, we obtain

$$\begin{array}{cc}\hfill \mathrm{Pr}\left[AskH\right]& \ge ϵ(1-\frac{1}{q})\frac{1}{q_{H_1}{q}_{H_3}}-\frac{1}{2^{\lambda }}-\mathrm{Pr}\left[Derr\right]\ge ϵ(1-\frac{1}{q})\frac{1}{q_{H_1}{q}_{H_3}}-\frac{1+q_D}{2^{\lambda }}.\hfill \end{array}$$

Obviously, when $AskH$ occurs, the Gap-BDH assumption can certainly be addressed by $\mathcal{B}$. $\mathcal{B}$ addresses the Gap-BDH assumption with advantage ${ϵ}^{\prime }=\mathrm{Pr}\left[\mathcal{B}success\right]=\mathrm{Pr}\left[AskH\right]\ge ϵ(1-\frac{1}{q})\frac{1}{q_{H_1}{q}_{H_3}}-\frac{1+q_D}{2^{\lambda }}.$

6. Performance Evaluation

We first give the functionality and security comparisons, then give the comparisons of the computational overhead and communication overhead.

In

Table 1. Comparison of functionality and security.

	Equality Test	Confidentiality	Authenticity	Anonymity
				Sender	Receiver
[22]	✗	CPA	✓	✓	✓
[3]	✓	CPA	✗	✗	✗
[15]	✓	CCA	✗	✗	✗
[7]	✓	CCA	✓	✗	✗
Ours	✓	CCA	✓	✓	✓

, we compare our proposed IBME-ET with the related schemes (i.e., IB-ME [22], IBEET [3,15], and IBSC-ET [7]) in terms of functionality and security. It can be seen that the IB-ME scheme in [22] ensures the confidentiality, authenticity, and anonymity of data stored in the cloud, but does not achieve CCA security nor provide equality test functionality without losing the confidentiality, authenticity, and anonymity of the data. The IBEET schemes in [3,15] ensure the confidentiality of the data, but neither offer the authenticity and anonymity of data, nor provide equality test functionality without losing the confidentiality, authenticity, and anonymity of the data. Moreover, although the scheme in [3] was the first proposed IBEET scheme, it fails to achieve CCA security. Hence, the IBEET scheme that achieves CCA security was proposed in [15]. The IBSC-ET scheme in [7] ensures the confidentiality and authenticity the data and achieves CCA security, but neither ensures the anonymity of data, nor provides the equality test functionality without losing the confidentiality, authenticity, and anonymity of the data. As a result, only our proposed IBME-ET can realize all the functionality and security, which not only ensures the confidentiality, authenticity, and anonymity of the data stored in the cloud and achieves CCA security, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.

Note that the IB-ME scheme in [22] implements only CPA security. This means that the ciphertexts are malleable. When a valid plaintext/ciphertext pair of the sender and receiver is given, an attacker can utilize it to fake a valid ciphertext of any message, in this way to break the authenticity of the ciphertext stored in the cloud. Moreover, the IB-ME scheme in [22] cannot provide equality test functionality for ciphertexts. Obviously, the IB-ME scheme in [22] is not applicable to cloud storage application scenarios. In addition, it was proven in [15] that the computational overhead and communication overhead of the IBEET scheme in [15] are comparable to those of the IBEET scheme in [3]; however, the IBEET scheme in [15] achieves stricter CCA security while the IBEET scheme in [3] only achieves CPA security. Therefore, we only compared our proposed IBME-ET with the most-related schemes (i.e., IBEET [15] and IBSC-ET [7]) in terms of computational overhead and communication overhead.

Table 2. Comparison of computational overhead.

	SKGen	RKGen	Enc	Dec	Auth	Test
[15]	-	$3\widehat{h}+3\widehat{e}$	$3\widehat{h}+3p+6e$	$3p+2e$	0	$2p+2e$
[7]	$2h+2e$	$2\widehat{h}+2\widehat{e}$	$2\widehat{h}+2p+5e+\widehat{e}$	$2h+5p+2e+\widehat{e}$	0	$4p$
Ours	$h+e$	$2\widehat{h}+3\widehat{e}$	$2\widehat{h}+3p+5e+\widehat{e}$	$h+3p+2e+\widehat{e}$	$h+p+4\widehat{e}$	$6p$

$e,\widehat{e}$ are exponentiation operations in $\mathbb{G}$ and $\widehat{\mathbb{G}}$, respectively. $h,\widehat{h}$ are hash-to-point operations in $\mathbb{G}$ and $\widehat{\mathbb{G}}$, respectively. p is the pairing operation.

shows the computational overhead comparison, which theoretically analyzes the computational cost of our proposed scheme and the comparative schemes with regard to encryption key generation (indicated as SKGen ), decryption key generation (indicated as RKGen), encryption (indicated as Enc), decryption (indicated as Dec), authorization (indicated as Auth), and the equality test (indicated as Test). For the analysis, we concentrated on the operations that consumed the most time, including hash-to-point, bilinear pairing, and exponentiation. Notably, the authorization algorithms of the schemes in [7,15] have no computational cost. This is because both schemes directly use the partial decryption private key as the trapdoor regardless of anonymity. The communication overhead comparison is given in

Table 3. Comparison of communication overhead.

	Encryption Key	Decryption Key	Trapdoor	Ciphertext
[15]	-	$3|\widehat{\mathbb{G}}|$	$|\widehat{\mathbb{G}}|$	$4\left|\mathbb{G}\right|+5\lambda$
[7]	$2\left|\mathbb{G}\right|$	$2|\widehat{\mathbb{G}}|$	$|\widehat{\mathbb{G}}|$	$3\left|\mathbb{G}\right|+|\widehat{\mathbb{G}}|+|{\mathbb{Z}}_q|+\lambda$
Ours	$\left|\mathbb{G}\right|$	$3|\widehat{\mathbb{G}}|$	$2|\widehat{\mathbb{G}}|$	$3\left|\mathbb{G}\right|+|\widehat{\mathbb{G}}|+|{\mathbb{Z}}_q|+\lambda$

$\left|\mathbb{G}\right|,|\widehat{\mathbb{G}}|$ are the sizes of the elements in groups $\mathbb{G}$ and $\widehat{\mathbb{G}}$, respectively. $|{\mathbb{Z}}_q|$ is the size of the elements in ${\mathbb{Z}}_q$, and $\lambda$ is the security level.

, which theoretically analyzes the communication cost of our proposed scheme and the comparative schemes with regard to the encryption private key, decryption private key, trapdoor, and ciphertext.

In order to compare the computational and communication overhead of our proposed scheme with the comparative schemes more intuitively, we used Charm 0.50 in Python 3.6.9 to implement these schemes. The experimental environment was configured as follows: Intel(R) Xeon(R) Platinum 8124M CPU @ 2.70 GHz (Intel Corporation, Santa Clara, CA, USA), 16 GB memory, and Ubuntu 18.03 LTS. The experiments were instantiated using the MNT224 curve in Charm and employed the Python module $timeit$ for the time measurements. Figure 3 shows the experimental computational overheads of these schemes, and Figure 4 shows the experimental communication overheads of these schemes.

From Table 1, Table 2 and Table 3 and Figure 3 and Figure 4, we can conclude that, with a small sacrifice in computational and communication efficiency, our IBME-ET scheme not only offers the confidentiality, authenticity, and anonymity of the data and achieves CCA security, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data. Other related schemes cannot support this feature.

7. Conclusions

In this paper, we presented the primitive of the IBME-ET, which not only offers the confidentiality, authenticity, and anonymity of data and achieves CCA security, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data. More precisely, we introduced the system model and definition of the IBME-ET. With respect to the confidentiality, authenticity, and anonymity, we formalized the security models for the IBME-ET. Finally, we proposed a concrete IBME-ET scheme, and our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.