Identity-Based Matchmaking Encryption with Equality Test

The identity-based encryption with equality test (IBEET) has become a hot research topic in cloud computing as it provides an equality test for ciphertexts generated under different identities while preserving the confidentiality. Subsequently, for the sake of the confidentiality and authenticity of the data, the identity-based signcryption with equality test (IBSC-ET) has been put forward. Nevertheless, the existing schemes do not consider the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information. How to ensure confidentiality, authenticity, and anonymity in the IBEET setting remains a significant challenge. In this paper, we put forward the concept of the identity-based matchmaking encryption with equality test (IBME-ET) to address this issue. We formalized the system model, the definition, and the security models of the IBME-ET and, then, put forward a concrete scheme. Furthermore, our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.


Introduction
The swift progress in cloud computing, featured by the outsourcing of data to the cloud, has given rise to a growing trend among organizations and individuals, enabling entities to benefit from the ultra-large capacity and computing services provided by cloud providers. The maintenance of data confidentiality is a fundamental security requirement of cloud storage, which is generally achieved by employing existing cryptographic mechanisms. Nonetheless, how to perform efficient searches on ciphertexts is a practical problem. In order to protect data confidentiality and, meanwhile, support privacy-preserving keyword searching on ciphertexts, public key encryption with keyword search (PEKS) has been presented [1]. Nevertheless, PEKS is limited to searching on ciphertexts generated under a single public key, rendering it unsuitable for cloud storage scenarios involving multiple users.
To provide privacy-preserving equality searching on ciphertexts encrypted under distinct public keys without losing the data confidentiality, Yang et al. [2] put forward an extension of PEKS known as the public key encryption with equality test (PKEET). However, in Yang et al.'s construction, anyone can conduct the equality test without authorization, which infringes on the data owner's privacy. Hence, the authorization mechanism was introduced into the PKEET to guarantee that no one except the data owner can enable the cloud server to test its ciphertexts with the others'. Subsequently, Ma [3] proposed the identity-based encryption with equality test (IBEET) to eliminate the certificate management problem of the PKEET. In this primitive, the identities of the sender and receiver were exploited to denote the public keys, eliminating the need for certificate management. Owing to the equality test function, the IBEET has been applied in various practical applications, such as personal health record (PHR) systems [4,5] and Internet of Vehicles (IoV) road monitoring [6].
Ensuring the authenticity of data is another fundamental security requirement of cloud storage. For the sake of the confidentiality and authenticity of data while supporting the privacy-preserving equality test for ciphertexts generated from different identities, Xiong et al. [7] presented the identity-based signcryption with equality test (IBSC-ET). Afterwards, several related signcryption schemes supporting the equality test have been conceived of. Nevertheless, the existing studies have not considered the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information.

Motivation
As depicted in Figure 1, in a PHR system, the patients' PHRs contain as much relevant health data as possible from various healthcare providers over their lifetime. To ensure patients' privacy, it is essential to store the health data in the cloud in ciphertext form. To find patients having similar illnesses, a patient (e.g., Alice or Bob) can authorize the cloud server to compare his/her ciphertexts sent by a specified healthcare provider with the others' ciphertexts, so that the patients can help each other by sharing their experiences or mental processes. However, by employing the existing signcryption schemes with equality test (to guarantee the confidentiality and authenticity of health data while supporting the privacy-preserving equality test on ciphertexts), the patients are unable to prevent sensitive personal information from being leaked to the cloud server. That is because the existing schemes do not consider the anonymity of the sender and receiver of the ciphertext. Consequently, the cloud server can know the healthcare provider of the ciphertext, e.g., MD Anderson Cancer Center. Likewise, from the ciphertext and the authorization trapdoor, the cloud server can learn whose identity the ciphertext is encrypted under, namely who is the receiver of the ciphertext, in this way to identify the patient associated with the ciphertext. Obviously, this seriously infringes upon the patient's privacy.
Hence, during the equality testing procedure, there are three security aspects that should be guaranteed against the cloud server:
1. Confidentiality: The cloud server has no knowledge about the health data concealed in the ciphertext.
2. Authenticity: The cloud server is unable to fake any legitimate ciphertext pertaining to the sender and the receiver.
3. Anonymity: The cloud server has no knowledge about the identities of the sender and the receiver concealed in the ciphertext.
Therefore, we propose a new primitive, which not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.

Related Works
Search on ciphertexts: Searchable encryption (SE) [8] was put forward to offer secure search functionality over ciphertexts encrypted under a single public key. There are two categories of SE: public key encryption with keyword search (PEKS) [1,9,10] and symmetric searchable encryption (SSE) [11,12]. PEKS was conceived of by Boneh et al. [1] to support keyword searching over ciphertexts in public key settings by using the corresponding trapdoors without retrieving messages. After that, a variety of PEKS schemes have been presented for enhanced functionalities and different application requirements [9,10]. However, SE cannot offer equality test functionality for ciphertexts generated under different identities, which differs from our proposal.
Equality test on ciphertexts: The primitive of the PKEET was put forward to verify whether the identical message is concealed in two ciphertexts, where the ciphertexts may be encrypted under distinct public keys [2]. Then, the authorization mechanisms were introduced into the PKEET, and a series of PKEET schemes supporting various authorizations were proposed [13,14]. Ma [3] first introduced the primitive of the IBEET, to eliminate the certificate management problem of the traditional PKEET. A semi-generic IBEET scheme was conceived of by Lee et al. [15] to achieve CCA security. Then, several IBEET schemes supporting various authorizations were introduced [16,17]. Although the above schemes offer equality test functionality while preserving the confidentiality, the data authenticity is not guaranteed. To address this challenge, Xiong et al. [7] established the notion of the IBSC-ET by combining identity-based signcryption (IBSC) [18] and the IBEET. Afterwards, several signcryption schemes with equality test functionality for heterogeneous systems were proposed [19-21]. However, the existing studies have not considered the anonymity of the sender and the receiver, which leads to the potential leakage of sensitive personal information, which differs from our proposal.
Identity-based matchmaking encryption: In CRYPTO 2019, Ateniese et al. [22] put forward the primitive of identity-based matchmaking encryption (IB-ME) to logically ensure the confidentiality, authenticity, and anonymity of data in one step. The guarantee of IB-ME is as follows: the recipient obtains the message when the match happens (both parties' identities match the identity specified by the other party); in case the match does not happen, no information is disclosed other than the fact of the mismatch. Then, by extending IB-ME, a secure access control scheme was conceived of by Xu et al. [23] for cloud-fog computing, and a secure access control scheme was suggested by Sun et al. [24] for cloud-enabled industrial IoT healthcare systems. Chen et al. [25] suggested an IB-ME scheme on the basis of standard assumptions. Wu et al. [26] conceived of a Fuzzy IB-ME scheme. Yan et al. [27] conceived of an IB-ME scheme supporting proxy decryption. Sun et al. [28] suggested an IB-ME scheme supporting a broadcast mechanism. However, although IB-ME can ensure the confidentiality, authenticity, and anonymity of data, none of these related schemes can offer equality test functionality for ciphertexts without losing the confidentiality, authenticity, and anonymity of the data, which differs from our proposal.

Contributions
We emphasize here again that the existing cryptographic schemes with the equality test do not consider the anonymity of the sender and the receiver, which leads to the potential leakage problem of sensitive personal information. Hence, we put forward a novel primitive, called the identity-based matchmaking encryption with equality test (IBME-ET), by combining IB-ME and the IBEET. This primitive not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.
Our proposed IBME-ET can advance the anonymity of existing applications. For example, in a PHR system [4,5], the patient can permit the cloud server to compare his/her encrypted health data sent by a specified healthcare provider with the others', in this way to make friends with the patients having a similar illness. Our proposal can simplify the leakage problem of the real identities of the healthcare provider and the patient, which exists in current cryptographic schemes with the equality test, thereby guaranteeing the confidentiality, authenticity, and anonymity of the patients' health data.
The equality testing process in the IBME-ET can be succinctly outlined as follows: Let $C_{(\sigma_A, rcv_A)}$ denote a ciphertext generated on $(ek_{\sigma_A}, rcv_A, m_A)$ and $C_{(\sigma_B, rcv_B)}$ denote a ciphertext generated on $(ek_{\sigma_B}, rcv_B, m_B)$, where $ek_{\sigma_A}$ and $ek_{\sigma_B}$ are the encryption keys of the senders with identities $\sigma_A$ and $\sigma_B$ and $rcv_A$ and $rcv_B$ are the identities of the specified receivers, respectively. Furthermore, let $td_{(snd_A, \rho_A)}$ be a trapdoor generated on $(snd_A, dk_{\rho_A})$ and $td_{(snd_B, \rho_B)}$ be a trapdoor generated on $(snd_B, dk_{\rho_B})$, where $snd_A$ and $snd_B$ are the identities of the specified senders and $dk_{\rho_A}$ and $dk_{\rho_B}$ are the decryption keys of the receivers with identities $\rho_A$ and $\rho_B$, respectively. Given $(C_{(\sigma_A, rcv_A)}, td_{(snd_A, \rho_A)})$ and $(C_{(\sigma_B, rcv_B)}, td_{(snd_B, \rho_B)})$, two conditions are involved:
• : the cloud server returns 1, and no further information is revealed other than the fact that the match happened, that is the cloud server learns neither the messages
• the cloud server returns 0, and no further information is revealed other than the fact of the mismatch, that is the cloud server learns neither the messages $m_A$, $m_B$ nor the
The principal contributions can be succinctly outlined as follows:
1. We present the notion of the IBME-ET, which not only offers the confidentiality, authenticity, and anonymity of data stored in the cloud, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data.
2. We put forward the system model and definition of the IBME-ET. With respect to the confidentiality, authenticity, and anonymity, we formulated four security models for the IBME-ET by taking four types of adversaries into account.
3. We constructed a concrete IBME-ET scheme on the basis of the BDH assumption and the Gap-BDH assumption. Our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.

Organization
In general: Section 2 introduces the preliminaries, while Section 3 presents the IBME-ET by giving its system model, definition, and four security models. Sections 4 and 5 focus on the detailed scheme and the analysis of its security, respectively. Section 6 focuses on the performance evaluation, and Section 7 concludes.

Preliminaries

Asymmetric Bilinear Groups
$G$, $\hat{G}$, and $G_T$ indicate three multiplicative cyclic groups with prime order $q$. $g$ and $\hat{g}$ are the generators of $G$ and $\hat{G}$, respectively. An asymmetric bilinear map $e : G \times \hat{G} \to G_T$ includes the following characteristics: 1.
Note that the group operations and asymmetric bilinear map $e$ can be computed efficiently. However, if no efficiently computable isomorphisms are found between $G$ and $\hat{G}$, then $G$, $\hat{G}$ and $G_T$ do not possess efficiently computable isomorphisms.

System Model
In Figure 2, our proposed IBME-ET comprises four distinct entities. Our workflow is succinctly outlined as follows:
1. The KGC utilizes the algorithm SKGen to calculate the encryption key $ek_\sigma$ in accordance with the identity of the sender $\sigma$ and securely delivers this to the sender. Similarly, the KGC utilizes the algorithm RKGen to calculate the decryption key $dk_\rho$ in accordance with the identity of the receiver $\rho$ and securely delivers this to the receiver.
2. A sender identified as $\sigma$ executes the algorithm Enc to conceal the message $m$ using encryption key $ek_\sigma$ along with a target receiver's identity $rcv$, delivering it to the receiver with the ciphertext $C_{(\sigma, rcv)}$.
3. A receiver identified as $\rho$ executes the algorithm Dec to decrypt the ciphertexts by employing the receiver's decryption key $dk_\rho$ and the identity of the target sender $snd$, delivering the desirable ciphertexts to the cloud server. Specifically, given $C_{(\sigma, rcv)}$, $dk_\rho$, and $snd$, the guarantee in the decryption procedure is as follows:
• Match (i.e., $\sigma = snd \land \rho = rcv$): the message $m$ is obtained by the receiver.
• Mismatch (i.e., $\sigma \neq snd \lor \rho \neq rcv$): the receiver obtains neither the message $m$ nor the identities $\sigma$, $rcv$.
4. To test the ciphertexts offered by a target sender, the receiver identified as $\rho$ executes the algorithm Auth to calculate a trapdoor $td_{(snd, \rho)}$ with the identity of the target sender $snd$ and its decryption key $dk_\rho$ and delivers the trapdoor to the cloud server.
5. Utilizing the receivers' trapdoors, the cloud server executes the algorithm Test to test the ciphertexts sent by the specified senders without learning the messages and identities. Specifically, given $(C_{(\sigma_A, rcv_A)}, td_{(snd_A, \rho_A)})$ and $(C_{(\sigma_B, rcv_B)}, td_{(snd_B, \rho_B)})$, the guarantee in the equality testing procedure is as follows:
• Match (i.e., σ the cloud server returns 1, and the cloud server learns neither the messages
• the cloud server returns 0, and the cloud server learns neither the messages $m_A$, $m_B$ nor the identities $\sigma_A$, $snd_A$, $rcv_A$, $\rho_A$, $\sigma_B$, $snd_B$, $rcv_B$, $\rho_B$.

IBME-ET Definition
An IBME-ET scheme comprises the subsequent algorithms:
• Setup($\lambda$) → ($pp$, $mk$): The system parameters $pp$ along with the master key $mk$ are answered.
• SKGen($pp$, $mk$, $\sigma$) → $ek_\sigma$: The encryption key $ek_\sigma$ for the sender identified as $\sigma$ is answered.
• RKGen($pp$, $mk$, $\rho$) → $dk_\rho$: The decryption key $dk_\rho$ for the receiver identified as $\rho$ is answered.
• Enc($pp$, $ek_\sigma$, $rcv$, $m$) → $C$: Given the system parameters $pp$, an encryption key of the sender $ek_\sigma$, and an identity of the target receiver $rcv$ along with the message $m$, the corresponding ciphertext $C$ is answered.
• Dec($pp$, $dk_\rho$, $snd$, $C$) → $m$/⊥: Given the system parameters $pp$, a decryption key of the receiver $dk_\rho$, and an identity of the target sender $snd$ along with the ciphertext $C$, the corresponding message $m$ is answered or the symbol ⊥ to signal the failure of the decryption is answered.
• Auth($pp$, $snd$, $dk_\rho$) → $td_{(snd, \rho)}$: Given the system parameters $pp$ and an identity of the target sender $snd$ along with a decryption key of the receiver $dk_\rho$, the corresponding trapdoor $td_{(snd, \rho)}$ is answered.
and $C_{(\sigma_B, rcv_B)}$ are generated using the identical message, it answers 1. Otherwise, it answers 0.
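The match/mismatch behaviour required of Dec and Test can be exercised with the toy model below. It is an added example, not the paper's construction (which this page does not reproduce): group elements are stored as their exponents so that the pairing is a product mod Q, which gives no security and only checks the algebra. The key forms H1(σ)^mk and H3(ρ)^mk, the masking of H7(m)^R with a trapdoor-derived value, the HMAC, the identities, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# TOY MODEL, NOT SECURE: an element g^x, g_hat^y or e(g, g_hat)^z is stored as its
# exponent, so the pairing e(g^x, g_hat^y) = e(g, g_hat)^(x*y) becomes x*y mod Q.
# A real instantiation uses a pairing-friendly curve, where exponents stay hidden.
Q = 2**127 - 1  # prime group order (constructed for this example)

def pair(x, y):
    """Bilinear map in the exponent model."""
    return x * y % Q

def h_exp(label, *parts):
    """Hash byte strings to a non-zero exponent (stand-in for hash-to-point)."""
    d = hashlib.sha256(label)
    for p in parts:
        d.update(len(p).to_bytes(4, "big") + p)
    return int.from_bytes(d.digest(), "big") % (Q - 1) + 1

def enc_bytes(z):
    return z.to_bytes(16, "big")

def kgc_setup():
    return secrets.randbelow(Q - 1) + 1            # master key mk (assumed single scalar)

def skgen(mk, sigma):
    return h_exp(b"H1", sigma) * mk % Q            # assumed form: ek_sigma = H1(sigma)^mk

def rkgen(mk, rho):
    return h_exp(b"H3", rho) * mk % Q              # assumed form: dk_rho = H3(rho)^mk

def _keys(eta, U):
    """Derive separate stream and MAC keys from the shared pairing value eta."""
    seed = enc_bytes(eta) + enc_bytes(U)
    return hashlib.sha256(b"enc" + seed).digest(), hashlib.sha256(b"mac" + seed).digest()

def _trapdoor(eta):
    return hashlib.sha256(b"td" + enc_bytes(eta)).digest()

def _mask(td, U):
    return h_exp(b"mask", td, enc_bytes(U))

def _xor_stream(key, data):
    pad = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, pad))

def enc(ek, rcv, m):
    eta = pair(ek, h_exp(b"H3", rcv))              # sender side: e(ek_sigma, H3(rcv))
    R = secrets.randbelow(Q - 1) + 1
    U = R                                          # g_hat^R
    V = (h_exp(b"H7", m) * R + _mask(_trapdoor(eta), U)) % Q  # H7(m)^R * g^mask
    k_enc, k_mac = _keys(eta, U)
    body = _xor_stream(k_enc, m)
    tag = hmac.new(k_mac, enc_bytes(U) + enc_bytes(V) + body, "sha256").digest()
    return U, V, body, tag

def dec(dk, snd, C):
    U, V, body, tag = C
    eta = pair(h_exp(b"H1", snd), dk)              # receiver side: e(H1(snd), dk_rho)
    k_enc, k_mac = _keys(eta, U)
    good = hmac.new(k_mac, enc_bytes(U) + enc_bytes(V) + body, "sha256").digest()
    if not hmac.compare_digest(tag, good):
        return None                                # mismatch: plays the role of ⊥
    return _xor_stream(k_enc, body)

def auth(snd, dk):
    return _trapdoor(pair(h_exp(b"H1", snd), dk))  # td for (snd, rho)

def eq_test(Ca, td_a, Cb, td_b):
    Wa = (Ca[1] - _mask(td_a, Ca[0])) % Q          # H7(m_A)^R_A when td_a matches Ca
    Wb = (Cb[1] - _mask(td_b, Cb[0])) % Q
    # e(H7(m_A)^R_A, g_hat^R_B) == e(H7(m_B)^R_B, g_hat^R_A)  iff  H7(m_A) == H7(m_B)
    return int(pair(Wa, Cb[0]) == pair(Wb, Ca[0]))

def demo():
    """Constructed PHR scenario: two providers, two patients, same record text."""
    mk = kgc_setup()
    c_a = enc(skgen(mk, b"provider-1"), b"alice", b"diagnosis: X")
    c_b = enc(skgen(mk, b"provider-2"), b"bob", b"diagnosis: X")
    dk_a, dk_b = rkgen(mk, b"alice"), rkgen(mk, b"bob")
    td_b = auth(b"provider-2", dk_b)
    return {
        "dec_match": dec(dk_a, b"provider-1", c_a),
        "dec_wrong_sender": dec(dk_a, b"provider-2", c_a),
        "test_match": eq_test(c_a, auth(b"provider-1", dk_a), c_b, td_b),
        "test_wrong_td": eq_test(c_a, auth(b"provider-2", dk_a), c_b, td_b),
    }

if __name__ == "__main__":
    print(demo())
```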
Correctness: An IBME-ET scheme is correct when the subsequent conditions are met:

Security Definitions
With respect to the confidentiality, authenticity, and anonymity of the IBME-ET, it is crucial to consider four distinct types of adversaries:
• Type-I adversary $A_1$: Without the trapdoor and decryption key of the receiver, $A_1$ is unable to determine which message the challenge ciphertext is computed from. For $A_1$, define the security model IND-ID-CCA.
• Type-II adversary $A_2$: Without the decryption key of the receiver, $A_2$ is unable to obtain the message concealed in the challenge ciphertext. For $A_2$, define the security model OW-ID-CCA.
• Type-III adversary $A_3$: Without the decryption key of the receiver and the encryption key of the sender, $A_3$ is unable to determine the corresponding sender and receiver, even if $A_3$ has the trapdoor. For $A_3$, define the security model ANON-ID-CCA.
• Type-IV adversary $A_4$: Without the decryption key of the receiver and the encryption key of the sender, $A_4$ is unable to fake any legitimate ciphertext delivered by the sender to the receiver, even if $A_4$ has the trapdoor. For $A_4$, define the security model sUF-ID-CMA.
Let C be the challenger. We have the following oracles:
• $O_{SKGen}(\sigma_i)$: Once the identity of the sender $\sigma_i$ is received, C answers the encryption key $ek_{\sigma_i}$.
• $O_{RKGen}(\rho_j)$: Once the identity of the receiver $\rho_j$ is received, C answers the decryption key $dk_{\rho_j}$.
• $O_{Enc}(\sigma_i, rcv, m)$: Once the identity of the sender $\sigma_i$, the identity of the target receiver $rcv$, and a message $m$ are received, C answers the result of Enc($pp$, $ek_{\sigma_i}$, $rcv$, $m$).
• $O_{Dec}(\rho_j, snd, C)$: Once the identity of the receiver $\rho_j$, the identity of the target sender $snd$, and a ciphertext $C$ are received, C answers the result of Dec($pp$, $dk_{\rho_j}$, $snd$, $C$).
• $O_{Auth}(snd, \rho_j)$: Once the identity of the target sender $snd$ and the identity of the receiver $\rho_j$ are received, C answers the corresponding trapdoor $td_{(snd, \rho_j)}$ = Auth($pp$, $snd$, $dk_{\rho_j}$).

Definition 1 (IND-ID-CCA). Regarding $A_1$, the IBME-ET scheme meets IND-ID-CCA security when no PPT $A_1$ wins the game below with a non-negligible advantage:
1. Setup: C utilizes the algorithm Setup to calculate the master key $mk$ and the system parameters $pp$ and delivers $pp$ to $A_1$.
5. Guess: $A_1$ answers a guess $x' \in \{0, 1\}$ and is winning when
In the above game, the constraint is that $A_1$ cannot ask the following queries:

Definition 2 (OW-ID-CCA). Regarding $A_2$, the IBME-ET scheme meets OW-ID-CCA security when no PPT $A_2$ wins the game below with a non-negligible advantage:
1. Setup: Same as Definition 1.
5. Guess: $A_2$ answers a guess $m'$ and is winning when $m^* = m'$. $A_2$'s advantage is defined as
In the above game, the constraint is that $A_2$ cannot ask the following queries: $O_{RKGen}(rcv^*)$, $O_{Dec}(rcv^*, \sigma^*, C^*)$.

Definition 3 (ANON-ID-CCA). Regarding $A_3$, the IBME-ET scheme meets ANON-ID-CCA security when no PPT $A_3$ wins the game below with a non-negligible advantage:
1. Setup: Same as Definition 1.
3. Challenge: and a message $m^*$ to C. Subsequently, C randomly chooses $x \in \{0, 1\}$ and answers to $A_3$ with the challenge ciphertext $C^*$ = Enc($pp$, $ek_{snd^*_x}$, $\rho^*_x$, $m^*$) and the challenge trapdoor td
4. Phase 2: $A_3$ makes queries like in Phase 1.
5. Guess: $A_3$ answers a guess $x' \in \{0, 1\}$ and is winning when
In the above game, the constraint is that $A_3$ cannot ask the following queries:

Definition 4 (sUF-ID-CMA). Regarding $A_4$, the IBME-ET scheme meets sUF-ID-CMA security when no PPT $A_4$ wins the game below with a non-negligible advantage:
1. Setup: Same as Definition 1.
2. Queries:
In the above game, the constraint is that $A_4$ cannot make the following queries: $O_{SKGen}(snd^*)$ and $O_{RKGen}(\rho^*)$. Furthermore, $C^*$ cannot be an output of $O_{Enc}(snd^*, \rho^*, *)$.

Our Construction
The IBME-ET scheme is concretely constructed as below:
Randomly select the generators g ∈ G along with ĝ ∈ Ĝ.

Correctness:
The proposed scheme is correct in accordance with the correctness definition: 1.

Regarding Condition 2, if σ
) • e(g, ) • e(g, is negligible due to the hash functions H 7 and H 8 being collision-resistant.

Security Analysis
In the random oracle model, we used the method of proof by contradiction to show that, if the BDH assumption and Gap-BDH assumption introduced in the preliminaries (see Section 2) hold, our proposed IBME-ET scheme can meet confidentiality, authenticity, and anonymity in cryptography [30-32].
According to our IBME-ET scheme, given the ciphertext $C$, we have the following observations:
• To reveal the message $m$, it is necessary to calculate
• To obtain $H_7(m)^R$, which is used for the equality test, it is necessary to calculate
• To distinguish the identities of the sender and the receiver concealed in the ciphertext, it is necessary to calculate $\eta = e(ek_\sigma,$
• To fake any legitimate ciphertext pertaining to the sender $\sigma$ and the receiver $\rho$, it is necessary to calculate $\eta = e(ek_\sigma,$
Note that, regarding the confidentiality, anonymity, and authenticity of the IBME-ET, four security models are defined by considering four distinct types of adversaries (see Section 3.3). The security proof of our scheme can be outlined as follows:
As for the confidentiality, we first used the BDH assumption to prove that our proposal meets IND-ID-CCA security regarding the Type-I adversary $A_1$. Given a BDH assumption instance $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b)$, we generated a simulated scheme B and interacted with $A_1$ by following the IND-ID-CCA security model defined in Section 3.3. B simulates the oracles $O_{SKGen}$, $O_{RKGen}$, $O_{Auth}$, and $O_{Dec}$ to answer $A_1$'s queries and preserves the $L_H$ and $L_{H_i}$ ($i = 1, 2, 3, 5, 6, 7, 8$) lists to simulate the random oracles $O_H$ and $O_{H_i}$ ($i = 1, 2, 3, 5, 6, 7, 8$). In the challenge phase, $A_1$ sends identities $\sigma^*$, $rcv^*$ and equal-length messages $m_0^*$, $m_1^*$ to B. Let $rcv^* = \rho^*$. B randomly selects $x \in \{0, 1\}$ and answers the challenge ciphertext In the simulation, the challenge ciphertext implicitly sets $\omega_1^* = e(g, \hat{g})$ .
Finally, in the guess phase, $A_1$ outputs a guess $x' \in \{0, 1\}$. The advantage of $A_1$ for breaking our proposal is defined as $\epsilon$ $(= e(g, \hat{g})^{abc})$. As a result, the BDH assumption can be addressed by B with non-negligible advantage if $A_1$ is able to break our proposal with non-negligible advantage.
Subsequently, as for the confidentiality, we used the BDH assumption to prove that our proposal meets OW-ID-CCA security regarding the Type-II adversary $A_2$. Given a BDH assumption instance $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b)$, we generated a simulated scheme B and interacted with $A_2$ by following the OW-ID-CCA security model defined in Section 3.
In the simulation, the challenge ciphertext implicitly sets , and ). Finally, in the guess phase, $A_2$ outputs a guess $m'$. The advantage of $A_2$ for breaking our proposal is defined as $(= e(g, \hat{g})^{abc})$. As a result, the BDH assumption can be addressed by B with non-negligible advantage if $A_2$ is able to break our proposal with non-negligible advantage.
As for the anonymity, we used the Gap-BDH assumption to prove that our proposal meets ANON-ID-CCA security regarding the Type-III adversary $A_3$. Given a Gap-BDH assumption instance $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, O_{DBDH})$, we generated a simulated scheme B and interacted with $A_3$ by following the ANON-ID-CCA security model defined in Section 3.
x , $dk_{\rho^*_x}$) to $A_3$. In the simulation, the challenge ciphertext implicitly sets $\eta^* = e(g, \hat{g})^{abcu^*}$ Finally, in the guess phase, $A_3$ outputs a guess $x' \in \{0, 1\}$. The advantage of $A_3$ for breaking our proposal is defined as $\epsilon$ x has been queried to $O_H$ with non-negligible probability. With $O_{DBDH}$($g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b$, η* (u i* x t j* x B can return the Gap-BDH instance solution $(\eta^*)^{(u_{i^*_x} t_{j^*_x})^{-1}}$ $(= e(g, \hat{g})^{abc})$. As a result, the Gap-BDH assumption can be addressed by B with non-negligible advantage if $A_3$ is able to break our proposal with non-negligible advantage.
As for the authenticity, we used the Gap-BDH assumption to prove that our proposal meets sUF-ID-CMA security regarding the Type-IV adversary $A_4$. Given a Gap-BDH assumption instance $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, O_{DBDH})$, we generated a simulated scheme B and interacted with $A_4$ by following the sUF-ID-CMA security model defined in Section 3. $O_{Dec}$ to answer $A_4$'s queries. In the simulation, the following numbers are implicitly set $\eta^* = e(g, \hat{g})^{abc}$, where $H_1(\sigma^*) = g^c$, $H_3(\rho^*) = \hat{g}^b$, $H(\eta^*) = I^*$, $H_4(\eta^*) = \Omega^*$. In the forgery phase, $A_4$ outputs a triple $(snd^*, \rho^*, C^*)$, where $snd^* = \sigma^*$ and C wins. The advantage of $A_4$ for breaking our proposal is defined as $\epsilon = \Pr[A_4 \text{ wins}]$. With $\epsilon$ and the lemma on the relationship between the chosen-identity attack and given identity attack [33], if $\epsilon$ is non-negligible, $\eta^* = e(g, \hat{g})^{abc}$ has been queried to $O_H$ with non-negligible probability. Then, $O_{DBDH}(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, \eta^*) = 1$, B can return the Gap-BDH instance solution $\eta^*$ $(= e(g, \hat{g})^{abc})$. As a result, the Gap-BDH assumption can be addressed by B with non-negligible advantage if $A_4$ is able to break our proposal with non-negligible advantage.
Theorem 1. For any $A_1$, our IBME-ET scheme meets IND-ID-CCA security on the basis of the BDH assumption.
More precisely, if $A_1$ is able to break our proposal with the advantage $\epsilon$, we can conceive of a PPT algorithm B to address the BDH assumption with the advantage ϵ′ ≥ 1 , where $q_{H_i}$ ($i = 1, 2, 6, 8$) and $q_D$ denote the numbers of different queries to $O_{H_i}$ ($i = 1, 2, 6, 8$) and $O_{Dec}$, respectively.
- When the $i^*$-th tuple in $L_{H_1}$ is $[\sigma^*, u^*]$ and the $j^*$-th tuple in
- Otherwise, B is aborted by failure.
Subsequently, we obtain When $\mathrm{AskH}_6^*$ happens, $A_1$ can distinguish the simulation of the challenge ciphertext has been documented in $L_{H_6}$ with non-negligible probability, B is winning when the right element is selected from $L_{H_6}$. Thus, the BDH assumption can be addressed by B with advantage

Theorem 2. For any $A_2$, our IBME-ET scheme meets OW-ID-CCA security on the basis of the BDH assumption. More precisely, if $A_2$ is able to break our proposal with the advantage $\epsilon$, we are able to conceive of a PPT algorithm B to address the BDH assumption with the advantage , where $q_{H_i}$ ($i = 1, 2, 6$) and $q_D$ denote the numbers of different queries to $O_{H_i}$ ($i = 1, 2, 6$) and $O_{Dec}$, respectively.
Proof. Given a BDH assumption instance $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b)$, the task of B is to calculate $e(g, \hat{g})^{abc}$ by interacting with $A_2$ as below:
(1) Setup: B executes like in the proof of Theorem 1.
• For and $O_{H_8}(\omega_2)$, B executes like in the proof of Theorem 1.
• $O_{H_3}(\rho_j)$: B performs a simulation algorithm to query $O_{H_2}(\rho_j)$. Subsequently, B searches the tuple $[\rho_j, v_j]$ in $L_{H_2}$. When $j \neq j^*$, B randomly selects $t_j \in Z_q^*$, inserts a tuple $[\rho_j, t_j]$ into $L_{H_3}$, and returns $\hat{g}^{t_j}$. Otherwise, B sets $t_{j^*} = t^*$, inserts a tuple $[\rho_{j^*}, t_{j^*}]$ into $L_{H_3}$, and returns $\hat{g}^{t_{j^*}}$.
- When $j \neq j^*$, B can query $O_{RKGen}(\rho_j)$ to obtain $dk_{\rho_j}$ and returns the outcome of the algorithm Dec(pp, dk When $L_{H_8}$ has no such tuple, B outputs ⊥.
• $O_{Auth}(snd, \rho_j)$: Let $snd = \sigma_i$. B performs a simulation algorithm to query $O_{H_3}(\rho_j)$ and $O_{H_1}(\sigma_i)$.
and $O_{H_8}$ are perfect. Denote the query $O_{H_6}$(e(g, ĝ) as the event $\mathrm{AskH}_6^*$. Denote the failure of B to decrypt the legitimate ciphertext in $O_{Dec}$ as the event Derr. Hence, we have $\Pr[\mathrm{Derr}] \leq \frac{q_D}{2^{\lambda+l}}$. Let $rcv^* = \rho^*$. Suppose AbortRK as the event in which B terminates upon the query $O_{RKGen}(\rho^*)$ being issued and AbortCh the event in which B terminates in the challenge phase. Clearly, ¬AbortCh implies ¬AbortRK, because the query $O_{RKGen}(\rho^*)$ cannot be issued. We obtain Pr[¬AbortCh] ≥ 1 There is no greater than $\frac{1}{2^{\lambda}}$ advantage that $A_2$ will gain in guessing $m$ when E does not happen, because $O_{H_6}$ is a random oracle.
Define $E_0$ = AskH ∨ Derr. There is no greater over

Table 2 shows the computational overhead comparison, which theoretically analyzes the computational cost of our proposed scheme and the comparative schemes with regard to encryption key generation (indicated as SKGen), decryption key generation (indicated as RKGen), encryption (indicated as Enc), decryption (indicated as Dec), authorization (indicated as Auth), and the equality test (indicated as Test). For the analysis, we concentrated on the operations that consumed the most time, including hash-to-point, bilinear pairing, and exponentiation. Notably, the authorization algorithms of the schemes in [7,15] have no computational cost. This is because both schemes directly use the partial decryption private key as the trapdoor regardless of anonymity. The communication overhead comparison is given in Table 3, which theoretically analyzes the communication cost of our proposed scheme and the comparative schemes with regard to the encryption private key, decryption private key, trapdoor, and ciphertext.
In order to compare the computational and communication overhead of our proposed scheme with the comparative schemes more intuitively, we used Charm 0.50 in Python 3.6.9 to implement these schemes. The experimental environment was configured as follows: Intel(R) Xeon(R) Platinum 8124M CPU @ 2.70 GHz (Intel Corporation, Santa Clara, CA, USA), 16 GB memory, and Ubuntu 18.03 LTS. The experiments were instantiated using the MNT224 curve in Charm and employed the Python module timeit for the time measurements. Figure 3 shows the experimental computational overheads of these schemes, and Figure 4 shows the experimental communication overheads of these schemes.
From Tables 1-3 and Figures 3 and 4, we can conclude that, with a small sacrifice in computational and communication efficiency, our IBME-ET scheme not only offers the confidentiality, authenticity, and anonymity of the data and achieves CCA security, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data. Other related schemes cannot support this feature.

Conclusions
In this paper, we presented the primitive of the IBME-ET, which not only offers the confidentiality, authenticity, and anonymity of data and achieves CCA security, but also provides equality test functionality for ciphertexts generated under different identities without losing the confidentiality, authenticity, and anonymity of the data. More precisely, we introduced the system model and definition of the IBME-ET. With respect to the confidentiality, authenticity, and anonymity, we formalized the security models for the IBME-ET. Finally, we proposed a concrete IBME-ET scheme, and our scheme was confirmed to be secure and practical by proving its security and evaluating its performance.

Figure 2. IBME-ET system model.
• KGC: This entity's responsibility is to securely generate and distribute encryption keys and decryption keys.
• Sender: This entity's responsibility is to generate ciphertexts, ensuring the confidentiality, authenticity, and anonymity of the data.
• Receiver: This entity is responsible for collecting and outsourcing ciphertexts from potential senders secretly. It permits the cloud server to test ciphertexts sent by a specific sender without compromising the confidentiality, authenticity, and anonymity of the data.
• Cloud server: This entity's responsibility is to store the ciphertexts and perform equality tests based on the receivers' authorizations.

Table 2. Comparison of computational overhead.