Traceable Scheme of Public Key Encryption with Equality Test

Public key encryption supporting equality test (PKEwET) schemes, because of their special function, have good applications in many fields, such as in cloud computing services, blockchain, and the Internet of Things. The original PKEwET has no authorization function. Subsequently, many PKEwET schemes have been proposed with the ability to perform authorization against various application scenarios. However, these schemes are incapable of traceability to the ciphertexts. In this paper, the ability of tracing to the ciphertexts is introduced into a PKEwET scheme. For the ciphertexts, the presented scheme supports not only the equality test, but also has the function of traceability. Meanwhile, the security of the proposed scheme is revealed by a game between an adversary and a simulator, and it achieves a desirable level of security. Depending on the attacker’s privileges, it can resist OW-CCA security against an adversary with a trapdoor, and can resist IND-CCA security against an adversary without a trapdoor. Finally, the performance of the presented scheme is discussed.


Introduction
With the continuous development of the Internet of Things (IoT), the security of data has gotten more attention. In order to ensure the security of data, data are stored on a server by encryption. However, it is inconvenient for effective application when the data are encrypted, making it impossible to search within encrypted data. Therefore, searchable encryption (SE) is presented [1]. The aim of SE is to produce a tag related to ciphertext, and to classify the ciphertexts. Since this primitive approach was proposed, many cryptographers have studied it extensively and deeply [2][3][4][5][6]. However, the same ciphertext cannot be classified and stored by SE schemes. A new cryptographic primitive approach emerged as the times required, namely the public key encryption supporting equality test (PKEwET) [7]. In this paper, traceability is introduced into the PKEwET scheme.

Related Work
The PKEwET scheme resolves the problem of data matching in many application environments, such as in cloud computing, health service systems, and IoT. It can compare the consistency of the ciphertexts without the secret key. Recently, the research scope of PKEwET has focused on the three aspects of authorization, security scheme, and efficiency of the PKEwET scheme. Some progress in PKEwET is reviewed as follows: For the authorization, Tang et al. and Huang et al. proposed PKEwET schemes supporting authorization from the user and ciphertext, respectively [8][9][10][11][12][13]. Then, Ma et al. extended the authorization mechanism to multi-user environments [14]. For more convenient application, Ma et al. proposed four types of authorization policies, namely user level, ciphertext level, user-specific ciphertext level, and ciphertext-to-user level authorization [15]. To simplify the maintenance of public key certificates, Ma et al. introduced the equality test algorithm into an identity-based encryption scheme [16]. For more convenient application to smart cities, Yang et al. proposed a filtered equality test scheme [17]. Later, Wang et al. combined signcryption and an equality test [18]. Recently, Duong et al. presented new lattice-based PKEwET schemes [19].
For the security, in 2016, Lee et al. improved the scheme of Ma, and proposed a new scheme that achieved IND-CCA security [20], and presented an equality test scheme based on the standard model for the first time [21]. In 2017, Wang et al. and Huang et al. proposed a PKEwET scheme from the ciphertext level, and presented the proof of security under the standard model [22,23]. Subsequently, some other PKEwET schemes based on the standard model have been proposed [24,25].
For the efficiency of the PKEwET schemes, Lin et al. and Zhu et al. proposed pairingfree equality test schemes [26,27]. The scheme of Tang was improved upon by Wu et al. [28,29], where the efficiency of computing increased by 36.7% in encryption and by 39.24% in the test algorithm. In 2018, Qu et al. introduced a certificate-less PKEwET scheme [30]. This scheme was improved upon by Elhabob et al. [31,32].  [33]. In the same year, Lee et al. proposed a new PKEwET scheme, from generic assumptions in the random oracle model [34]. To reduce the cost of computing and communication, Ling et al. introduced the group mechanism into a PKEwET algorithm [35].
Driven by interests, some users may disclose their own secret keys to non-group users intentionally or unintentionally. However, it is difficult for the malicious user to be tracked down by the system. The problem of key abuse brings great security risks to PKEwET systems. To solve this problem, we introduce a tracking function into a PKEwET system.

Contributions
In this paper, traceability is introduced into a group ID-based encryption (GIBE) scheme. The motivation is to make a GIBE supporting traceability and an equality test function to the ciphertexts. The key contributions can be listed as follows: • We show that the GIBE algorithm is unable to compare ciphertexts, and has no equality test function without the secret key sk. To overcome these limitations, we combine the GIBE and PKEwET algorithms. Additionally, all of PKEwET algorithms are untraceable to the encrypted ciphertexts, the idea of traceability is introduced into the PKEwET algorithm, and we propose the traceable GIBE with an equality test scheme (T-GIBEwET). • Two types of adversaries are described, and the security of the proposed scheme is proved in details from two types of adversaries. The presented scheme achieves a desirable security. With a trapdoor, the T-GIBEwET scheme can resist OW-CCA security. Without a trapdoor, the T-GIBEwET scheme can resist IND-CCA security. • The performance of the T-GIBEwET scheme is discussed. Compared to existing equality test schemes, it is more efficient and more practical in many scenarios.

Outline of This Paper
The rest of the proposal is organized as follows: some preliminaries, some basic definitions, assumptions and the security model are presented in Section 2. The details of the T-GIBEwET scheme are presented in Section 3. The security of the T-GIBEwET scheme is discussed in Section 4. In Section 5, the performance analysis of the T-GIBEwET scheme is represented. Finally, the concluding remarks of this paper are summarized in Section 6.

Preliminaries
In this section, we present the safety objectives, cryptographic assumptions and security models used in this paper.

Decisional Bilinear Diffie-Hellman Assumption
The proposed scheme is secure under the decisional bilinear Diffie-Hellman assumption. In this algorithm, the challenger S picks a, b, c, z ∈ Z * p and flips coin coin ∈ {0, 1} randomly.

•
If coin = 0, S outputs (g, g a , g b , g c , e(g, g) z ). • Otherwise, S outputs (g, g a , g b , g c , e(g, g) abc ). Then, the adversary A gives a guess of coin.

Definition of PKEwET
The PKEwET scheme contains four algorithms [7]: (1) KeyGen (1 l ): This procedure randomly selects x ∈ Z * q , and outputs the public/secret key pair (pk = g x , sk = x), where g is a generator of G.
(2) Encrypt (M, pk): This procedure selects the numbers r ∈ Z * q randomly. Then, it outputs the ciphertext CT as follows: Use r to compute: Output the ciphertext CT = (C 1 , C 2 , C 3 ). (3) Decrypt (CT, sk): Given sk and a ciphertext CT, the procedure runs as follows: If C 1 = g r and C 2 = M r , output M; otherwise, return ⊥. (4) Test (CT i , CT j ): Given CT i = (C i,1 , C i,2 , C i,3 ), CT j = (C j,1 , C j,2 , C j,3 the procedure runs as follows: Then, check whether T 1 = T 2 holds. If yes, it means that M i = M j and output 1.
Otherwise, it means that M i = M j and output 0.

Group ID-Based Encryption
A group ID-based encryption scheme consists of the following six algorithms [42]: (1) Setup (l): With the security parameter l, this procedure exports system public parameters sp and msk. (2) KeyGengroup (sp): With system public parameters sp, this procedure exports the public key and secret key gsk of group users. (3) Extract (msk, sp, ID): With a user's identity ID ∈ {0, 1} * , this procedure outputs the public key and secret key dk of users. (4) Join (gsk, h ID ): This algorithm is an interactive protocol between the group manager and the prospective user; it takes the group user's ID as inputs, and outputs the group public key gpk. (5) Encrypt (M, sp, gpk i , dk ID i , ID j ): This algorithm takes the public keys sp, gpk i of the group manager, dk ID i of the user i, and the receiver's public key ID j and the message M as inputs, and outputs a ciphertext CT.
(6) Decrypt (CT, gpk, dk ID j ): This algorithm is run by the receiver; it takes the group public key gpk, the receiver's secret key dk ID j , and the ciphertext CT as inputs, and outputs the message M or an error symbol ⊥. Figure 1 illustrates the system model of T-GIBEwET. The system has four roles: the group manger, the users, the tester, and a trusted third party. The trusted third party generates the private key dk for users. The group manger generates the group public key and group secret key for the group users. The group users encrypt and send the private data to the tester. The tester is authorized and gains a trapdoor gtd.     public key gpk, the receiver's secret key dk ID j , and the ciphertext CT as inputs, and outputs the message M or an error symbol ⊥. secret key gsk, h ID i , gpk, and a ciphertext CT as inputs, and outputs the user's ID.  CT i , CT j and gtd as inputs, and outputs 1 or 0.

Security Models
According to different permissions, we show two kinds of adversaries in our proposal.
• Type − α 1 adversary: With a trapdoor, the adversary cannot recover the plaintext after receiving the challenge ciphertext. • Type − α 2 adversary: Without a trapdoor, the adversary cannot tell by which message is CT * encrypted.

OW-CCA security in T-GIBEwET.
Type − α 1 adversary A 1 and simulator S's game is played as in Figure 2.
The advantage of A 1 in the aforementioned game is defined as follows:

IND-CCA security in T-GIBEwET.
Type − α 2 adversary A 2 and simulator S's game is played as in Figure 3.
The advantage of A 2 in the aforementioned game is defined as follows: and gtd ← Auth(gsk), the following conditions must be satisfied: (

Symbols
In this paragraph, we summarize some symbols used in the proposed scheme. These symbols will assist readers to read and understand the following sections. These symbols are listed in Table 1. Table 1. Symbols used in the proposed scheme.

Symbol
Description The generator of G M The plaintext CT The ciphertext The master key (keep it as a secret) ID A user's identity gsk The group secret key (kept as a secret by group manager) gpk The group public key (share to all users in the group) dk ID A user's secret key (keep it as a secret) A The adversary S The simulator

Our Constructions
This section provides the proposed T-GIBEwET scheme as follows.
(1) Setup (l): With the security parameter l, this procedure exports the system public parameters sp = (g, G, G T , e, g s , H 1 , H 2 , H 3 , H 4 , H 5 ). Choose hash functions: here l 1 means the length of elements in Z q . The master key msk is s. (2) KeyGengroup (sp): This procedure randomly selects s 1 , s 2 ∈ Z * q , and outputs the group secret key gsk = (s 1 , s 2 ).
(3) Extract (msk, sp): With a string ID ∈ {0, 1} * , this procedure outputs the public key and secret key as follows: • Outputs a public key Outputs a secret key dk ID = h s ID . (4) Join (gsk, h ID ): This procedure outputs the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID.
This procedure selects numbers r 1 , r 2 ∈ Z * q randomly. Then, it outputs the ciphertext CT as follows: Use r 1 , r 2 to compute: Given dk ID j and a ciphertext CT, the procedure runs as follows: Given dk ID i , sp and a ciphertext CT, the procedure runs as follows:

) The algorithm from the authorization function and test function:
Suppose CT i (resp. CT j ) is a ciphertext of ID i (resp. ID j ).
This procedure takes the inputs CT i , CT j and gtd and exports as follows: ). If yes, output 1, which means M i = M j . Otherwise, export 0, which means M i = M j . Theorem 1. According to Definition 3, the above T-GIBEwET scheme is correct.
Proof. We show in turn that the three conditions of Definition 3 are all satisfied.
(1) The first condition is easy to verify.
(2) Considering the second condition, for any sp ← Setup(l), gsk ← KeyGengroup(sp), dk ← Extract(msk, sp, ID), gpk ← Join(gsk, h ID ), CT j ← Encrypt(M, sp, gpk i , dk ID i , ID j ), CT i ← Encrypt(M, sp, gpk j , dk ID j , ID i ), the following equalities hold. Given a group trapdoor gtd = s 2 and two ciphertexts CT i = Encrypt (M i , sp, gpk j , dk ID j , ID i ) and CT j = Encrypt(M j , sp, gpk i , dk ID i , ID j ), we can compute as follows: (3) As for the third condition, we have the following fact: As in the above calculation, for any message

Security Analysis
This section analyzes the security of the scheme and authorization.
Theorem 2. For a type-1 adversary, under the random oracle model, the presented T-GIBEwET scheme is OW-CCA secure.
Proof. Let A 1 be T ype-1 adversary breaking the T-GIBEwET scheme in polynomial time.
q Key > 0 key retrieve queries, q Enc > 0 encryption queries, and q Dec > 0 decryption queries. We give CT * to the simulator S. The aim of S is to recover the plaintext of CT * with a non-negligible advantage. The game between A 1 and S is described as follows: Game G 1.0 Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create a group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create a group trapdoor gtd = s 2 . Then, S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 1 .
Moreover, the challenger S prepares the five hash lists H 1 , H 2 , H 3 , H 4 , H 5 to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.
Phase 1: S responds to the queries made by A 1 in the following ways: • H 1 -query: S maintains a list of 3-tuples (ID i , α i , x i , coin i ) in H 1 . When A 1 , ask for ID i queries, and S runs as follows: -If the query ID i already in the H 1 list in the form of (ID i , α i , x i , coin i ), S outputs Otherwise, S generates coin i ∈ {0, 1} randomly. Then, it outputs as follows: * If coin i = 0, S chooses a random number x i ∈ Z * q and computes α i = g x i to A 1 . * Otherwise, S computes α i = h x i ID 2 to A 1 . Challenge: S chooses M * ⊂ M and r * 1 , r * 2 ∈ {0, 1} l 1 . It then outputs CT * as follows: The ciphertext CT * = (C * 1 , C * 2 , C * 3 , C * 4 , C * 5 , C * 6 , C * 7 , C * 8 ) is output, where: U 1 = e(h s ID 1 , g s 1 s 2 ) U 2 = e(h ID 2 , g s ) Finally, it sends CT * to A 1 as the challenge ciphertext. Phase 2: A 1 performs the same queries as in Phase 1; the constraint is that CT * does not appear in the decryption queries.
Guess: A 1 outputs M ⊂ M. Let E 1.0 be the event that M = M * in Game G 1.0 . Then, the advantage is: Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 . Then, S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 1 .
Moreover, the challenger S prepares the five hash lists H 1 , H 2 , H 3 , H 4 , H 5 to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned. Encryption Query: S outputs CT to A 1 as follows: S chooses r 1 , r 2 ∈ {0, 1} l 1 randomly, and performs the H 1 -query(ID i ), H 1 -query(ID j ) to obtain α i , α j , the H 2query(e(C 1 , g s ) s 2 ) to obtain ϑ i , the H 3 -query(e(α j , g s ) r 1 ) to obtain ν i , the H 5 -query(C 1 C 2 C 3 C 4 C 5 C 6 h s ID i ) to obtain ϕ i . and the H 4 -query(C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 ) to obtain ξ i .
S adds (e(C 1 , g s ) s 2 , ϑ i ) to the H 2 list, adds (e(α j , g s ) r 1 , ν i ) to the H 3 list, adds (C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 , ξ i ) to the H 4 list, and adds ( Decryption queries: With the CT to the decryption query, S returns M = Decrypt(CT, dk j ) to A 1 as follows: S performs the H 3 (e(α j , g s ) r 1 ) to obtain answer ν i , and performs the H 4 -query(C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 ) to obtain answer ξ i . Then, S performs M r 1 = C 6 ⊕ ν i .
Then, it verifies C 1 = α s 1 r 1 i and C 8 = ξ i . If the verification fails, it returns ⊥. Otherwise, S outputs M to A 1 . • Authorization Query: Same as in Game G 1.0 .
Finally, it sends CT * to A 1 as the challenge ciphertext. Phase 2: A 1 performs the same queries as in Phase 1, where the constraint is that CT * does not appear in the decryption queries.

Guess: A 1 outputs M ⊂ M.
Let E 1.1 be the event that M = M * in Game G 1.1 . Then, the advantage is: Game G 1.2 Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 . Then, S randomly select ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 1 .
Moreover, the challenger S prepares the five hash lists H 1 , H 2 , H 3 , H 4 , , H 5 to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.
Finally, it sends CT * to A 1 as the challenge ciphertext. Phase 2: A 1 performs the same queries as in Phase 1, whereqthe constraint is that CT * does not appear in the decryption Queries, and if A 1 asks for the decryption of CT * = (C * 1 , C * 2 , C * 3 , C * 4 , C * 5 , C 6 , C * 7 , C * 8 ), where C 6 = C * 6 , S outputs ⊥. Guess: A 1 outputs M ⊂ M.
Let E 1.2 be the event that M = M * in Game G 1.2 . Because C 6 is a random value in Game G 1.1 and Game G 1.2 , the challenge ciphertexts generated in Game G 1.1 and Game G 1.2 follow the same distribution. Therefore, if the event E 1 does not occur, Game G 1.2 is identical to Game G 1.1 , and we can figure out Next, we show that the probability of event E 1 occurring in Game G 1.2 is negligible. Lemma 1. When the C-BDH problem is intractable, there is a negligible probability that the event E 1 happens in Game G 1.2 .
Proof. Suppose that Pr[E 1 ] is non-negligible; we can construct a simulator S to break the C-BDH assumption by using A 1 's attacks. With the tuple (e, G, G T , g, g a , g c , g d ), the aim is to obtain e(g, g) acd .
Setup: S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 1 . S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 .
Phase 1: S responds to the queries made by A 1 in the following ways: • H 1 -query(ID), H 2 -query(θ i ), H 5 -query(φ i ), and H 4 -query(ρ i ) are same as in Game Extract Query(ID): Same as in Game G 1.1 . • Encryption Query: Same as in Game G 1.1 , except that for the query (ID 2 , * , * ), S selects r 1 , r 2 ∈ {0, 1} l 1 randomly and outputs a ciphertext CT = (C 1 , C 2 , C 3 , C 4 , C 5 , C 6 , C 7 , C 8 ) as follows: S performs the H 1 -query(ID i ) and H 1 -query(ID j ) to obtain α i and α j , respectively, the H 2 -query(e(C 1 , g s ) s 2 ) to obtain ϑ i , the H 3 -query(e(α j , g s ) r 1 ) to obtain ν i , the H 5query(C 1 C 2 C 3 C 4 C 5 C 6 h ID s i ) to obtain ϕ i , and the H 4 -query(C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 ) to obtain ξ i .
S adds (e(C 1 , g s ) s 2 , ϑ i ) to the H 2 list, adds (e(α j , g s ) r 1 , ν i ) to the H 3 list, and adds Decryption queries: Same as in Game G 1.1 . • Authorization Query: Same as in Game G 1.1 .
Finally, it sends CT * to A 1 as the challenge ciphertext. Phase 2: A 1 performs the same queries as in Phase 1; the constraint is that CT * does not appear in the decryption queries, and if A 1 asks for the decryption of CT * = (C * 1 , C * 2 , C * 3 , C * 4 , C * 5 , C 6 , C * 7 , C * 8 ), where C 6 = C * 6 , S outputs ⊥. Guess: A 1 outputs M ⊂ M. Proof. Let A 2 be a type-2 adversary breaking the T-GIBEwET scheme in polynomial time. A 2 makes at most q H 1 > 0 H 1 -queries, q H 2 > 0 H 2 -queries, q H 3 > 0 H 3 -queries, q H 4 > 0 H 4 -queries, q H 5 > 0 H 5 -queries, q Key > 0 key retrieve queries, q Enc > 0 encryption queries, and q Dec > 0 decryption queries. We give CT * to the simulator S. The aim of S is to recover the plaintext of CT * with a non-negligible advantage.
The game between A 2 and S is described as follows: Game G 2.0 Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 . Then, S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 2 .
Moreover, the challenger S prepares the five hash lists H 1 , H 2 , H 3 , H 4 , H 5 to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.
Phase 1: S responds to the queries made by A 2 in the following ways: • H 1 -query: S maintains a list of 3-tuples (ID i , α i , x i , coin i ) in H 1 . When A 2 asks for ID i queries, S runs as follows: -If the query ID i is already in the H 1 list in the form of (ID i , α i , x i , coin i ), S outputs Otherwise, S generates coin i ∈ {0, 1} randomly. Then, it outputs as follows: * If coin i = 0, S chooses a random number x i ∈ Z * q and computes α i = g x i to -If coin i = 0, S uses the private key and outputs the decryption query to A 2 .
-Otherwise, S outputs ⊥ to A 2 . • Authorization Query: It is not allowed.
Challenge: A 2 chooses M 0 , M 1 ⊂ M randomly and sends them to S. Then, S takes b ∈ {0, 1} and r * 1 , r * 2 ∈ {0, 1} l 1 . It then outputs CT * as follows: Finally, it sends CT * to A 2 as the challenge ciphertext. Phase 2: A 2 performs the same queries as in Phase 1, where the constraint are as follows: • CT * does not appear in the decryption queries. • In the authorization query, all of the group users cannot be authorized.
Guess: A 2 outputs b * ∈ {0, 1}. Let E 2.0 be the event that b = b * in Game G 2.0 . Then, the advantage is: Adv OW−CCA T−GPKE−ET,A 2 (q H 1 , q H 2 , q H 3 , q H 4 , q H 5 , q Extr , q Enc , q Dec ) = Pr[E 2.0 ] Game G 2.1 Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 . Then, S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 2 .
Moreover, the challenger S prepares the four hash lists H 1 , H 2 , H 3 , H 4 to record all hash queries and answer the random oracle queries, where all hash list are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.
Phase 1: S responds to the queries made by A 2 in the following ways: • H 1 -query(ID), H 2 -query(θ i ), H 3 -query(µ i ), H 5 -query(φ i ), and H 4 -query(ρ i ) are the same as in Game G 2.0 . • Extract Query(ID): Same as in Game G 2.0 . • Encryption Query: S outputs CT to A 2 as follows: S chooses r 1 , r 2 ∈ {0, 1} l 1 randomly, and performs the H 1 -query(ID i ) and H 1 -query(ID j ) to obtain α i and α j , respectively, the H 2 -query(e(C 1 , g s ) s 2 ) to obtain ϑ i , the H 3query(e(α j , g s ) r 1 ) to obtain ν i , the H 5 -query(C 1 C 2 C 3 C 4 C 5 C 6 h s ID i ) to obtain ϕ i , and the H 4 -query(C 1 S adds (e(C 1 , g s ) s 2 , ϑ i ) to the H 2 list, adds (e(α j , g s ) r 1 , ν i ) to the H 3 list, adds (C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 , ξ i ) to the H 4 list, and adds ( Decryption queries: With the CT to the decryption query, S returns M = Decrypt(CT, sk j ) to A 2 as follows: S performs the H 3 (e(α j , g s ) r 1 ) to obtain answer ν i , and performs the H 4 -query(C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 ) to obtain answer ξ i . Then, S performs M r 1 = C 6 ⊕ ν i .
Then, C 1 = α s 1 r 1 i and C 8 = ξ i are verified. If the verification fails, it returns ⊥. Otherwise, S outputs M to A 2 . • Authorization Query: It is not allowed.
Challenge: A 2 chooses M 0 , M 1 ⊂ M randomly and sends them to S. Then, S takes b ∈ {0, 1} , W ∈ {0, 1} l+l 1 and r * 1 , r * 2 ∈ {0, 1} l 1 . It then outputs CT * as follows: Finally, it sends CT * to A 2 as the challenge ciphertext. Phase 2: A 2 performs the same queries as in Phase 1; the constraint are as follows: • CT * does not appear in the decryption queries. • In the authorization query, all of the group users cannot be authorized.
Guess: A 2 outputs b * ∈ {0, 1}. Let E 2.1 be the event that b = b * in Game G 2.1 . Then, the advantage is Game G 2.2 Setup: S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trap-door gtd = s 2 . Then, S randomly selects ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 2 . Moreover, the challenger S prepares the five hash lists H 1 , H 2 , H 3 , H 4 , H 5 to record all hash queries and answers the random oracle queries, where all hash list are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.
Let E 2.2 be the event that b = b * in Game G 2.2 . Because C 6 is a random value in Game G 2.1 and Game G 2.2 , the challenge ciphertexts generated in Game G 2.1 and Game G 2.2 follow the same distribution. Therefore, if the event E 2 does not occur, Game G 2.2 is identical to Game G 2.1 . And we can figure out that Next, we show that the probability of event E 2 occurring in Game G 2.2 is negligible.

Lemma 2.
When the C-BDH problem is intractable, there is negligible probability that the event E 2 will happen in Game G 2.2 .
Proof. Suppose that Pr[E 2 ] is non-negligible; we can construct a simulator S to break the C-BDH assumption by using the A 2 's attacks. With the tuple (e, G, G T , g, g a , g c , g d ), the aim is to obtain e(g, g) acd .
Setup: S randomly select ID 1 , ID 2 as a challenger sender and a challenger receiver, respectively. Then, S gives the public key and ID 1 , ID 2 to A 2 . S runs the algorithm Setup(1 l ) to create the system parameters sp = (g, G, G T , g s , e, H 1 , H 2 , H 3 , H 4 , H 5 ), runs the algorithm KeyGengroup(sp) to create a group private key gsk = (s 1 , s 2 ), runs the algorithm Join(gsk, h ID ) to create the group public key gpk = (h s 1 ID , g s 1 , g s 1 s 2 ) for user ID, and runs Auth(gsk) to create the group trapdoor gtd = s 2 .
Phase 1: S responds to the queries made by A 2 in the following ways: • H 1 -query(ID), H 2 -query(θ i ), H 5 -query(φ i ), and H 4 -query(ρ i ) are the same as in Game G 2.1 . • H 3 -query(µ i ) is the same as in Game G 2.1 , except that A 2 asks for e(C 3 , h s ID 2 ). • Extract Query (ID): Same as in Game G 2.1 . • Encryption Query: Same as in Game G 2.1 , except that for the query (ID 2 , * , * ), S selects r 1 , r 2 ∈ {0, 1} l 1 randomly and outputs a ciphertext CT = (C 1 , C 2 , C 3 , C 4 , C 5 , C 6 , C 7 , C 8 ) as follows: S performs the H 1 -query(ID i ) and H 1 -query(ID j ) to obtain α i and α j , respectively, the H 2 -query(e(C 1 , g s ) s 2 ) to obtain ϑ i , the H 3 -query(e(α j , g s ) r 1 ) to obtain ν i , the H 5query(C 1 C 2 C 3 C 4 C 5 C 6 h s ID i ) to obtain ϕ i , and the H 4 -query(C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 ) to obtain ξ i .
S adds (e(C 1 , g s ) s 2 , ϑ i ) to the H 2 list, adds (e(α j , g s ) r 1 , ν i ) to the H 3 list, adds (C 1 C 2 C 3 C 4 C 5 C 6 C 7 M r 1 , ξ i ) to the H 4 list, and adds (C 1 C 2 C 3 C 4 C 5 C 6 h s ID i , ϕ i ) to the H 5 list. • Decryption Queries: Same as in Game G 2.1 .

Performance Comparison
In this section, a performance comparison between the presented T-GIBEwET scheme and other related schemes is discussed. As illustrated in Table 2, our proposal supports the traceability function and others do not. In Table 3, the comparison of efficiency with PKEwET variants is shown. The second to sixth columns reveal the computational efficiency for the algorithms of encryption, decryption, authorization, testing, and tracing. Compared to [7,16,17,35], the proposed T-GIBEwET scheme is more efficient than [7,16,17] in the decryption algorithm and more efficient than [17] in the authorization algorithm. Both authorization and tracking are supported in this paper. √ √ - [17] √ √ - [35] √ √ -T-GIBEwET √ √ √

Conclusions
In this paper we analyzed the PKEwET scheme, pointed out that the PKEwET algorithm is unable to keep track of ciphertexts in the cloud sever, and proposed the a traceable group ID-based encryption with an equality test scheme (T-GIBEwET). The T-GIBEwET algorithm is endowed with a special function: the users who are authorized by a trapdoor can test the ciphertexts in the cloud sever. Moreover, the proposed scheme supports the traceability function.
To simplify the public key management mechanism, the proposed scheme was designed with ID-based encryption. According to the competence of different users, the proposal can resist OW-CCA and IND-CCA security. Additionally, the T-GIBEwET scheme can resist a plaintext space attack.
Compared with other existing works, our proposal is more practical for use in cloud computing services.

Informed Consent Statement: Not applicable.
Data Availability Statement: Not applicable.

Conflicts of Interest:
The authors declare no conflict of interest.

Abbreviations
The following abbreviations are used in this manuscript:

IoT
Internet of Things SE Searchable Encryption IBEwET ID-Based Encryption with Equality Test GIBE Group ID-Based Encryption T-GIBEwET Traceable GIBE with Equality Test Scheme