Identity-Based Encryption with Filtered Equality Test for Smart City Applications

Abstract

With the growth of the urban population, the rapid development of smart cities has become the focus of urban regional development. Smart medical care is an indispensable part of smart city construction, which promotes the development of the medical industry. However, the security of data and timely service are the current problems faced by intelligent medical systems. Based on the public key encryption with filtered equality test and identity-based cryptography, an identity-based encryption with the filtered equality test (IBE-FET) is proposed for smart healthcare, in which a data receiver can use the private key and the message set to generate a warrant and send it to the cloud server. A cloud server can verify the equality between ciphertexts without decryption and check whether the encrypted message belongs to the same message set. Furthermore, the security analysis shows that the proposed scheme satisfies one-way security against the chosen identity and ciphertext attack in the random oracle model under the computational bilinear Diffie-Hellman assumption. The performance comparison shows that the scheme is feasible and practical in real life.

1. Introduction

The concept of the smart city (SC) [1] emerges in the context in which the current global power supply and consumption trends are socially, environmentally and economically unsustainable. It refers to an urban transformation which, with the use of the latest information and communications technologies (ICT), improves cities’ efficiency. Currently, more and more people live in cities and every person uses more than five devices to access the Internet. Thus, the various embedded devices are integrated with urban infrastructure to optimize daily life of citizens.

Recently, with the rapid development of the Internet of Things (IoT) [2] and ICT, the applications of the smart city [3] are on the rise, which can enhance the life quality of citizens. Representative smart city applications are given in Figure 1, which benefit the city and people in a variety of aspects: economy, education, healthcare, and living. Meanwhile, the smart city has a new, complete level of effectiveness, sustainability and efficiency.

Figure 1. Representative smart city applications.

The main goal of the smart city is to greatly improve quality of life. Nevertheless, the security and privacy problems are of great importance to the users in the smart city [4,5,6]. Progress in the IoT and cloud computing technology is driving the development of smart systems to support and improve healthcare system. However, the current healthcare system is faced with a series of challenges in providing low cost health care services. Besides, it is difficult for patients in some areas to obtain a timely healthcare services due to poor medical conditions. As a result, smart healthcare [7,8] has emerged recently as the key component of a new generation healthcare network. The so-called smart healthcare is to improve the efficiency of biomedical systems and healthcare infrastructures through various entities and technologies, including smart sensors, wearable devices, ICT and more [9].

In the smart healthcare system, patients are paying more and more attention to the security of private information. Zhang et al. [10,11,12,13] has done in-depth research and proposed privacy-preserving access control systems by adopting attribute-based encryption techniques to improve the security of smart healthcare. However, the techniques are complex and unfeasible in practice. To save storage space and protect the user’s privacy, the sensitive information must be stored in the untrusted healthcare cloud servers in an encrypted form. However, given some ciphertexts, no one can distinguish the relationships among the ciphertexts without decryption. Searchable encryption (SE) [14,15,16] is a practical and promising solution to this problem. To provide the capability for searching in the ciphertexts, the public key encryption with keyword search (PKE-KS) schemes [17,18,19,20,21,22] were proposed, which is one practical implementation of SE. However, the PKE-KS schemes have one weakness that the ciphertexts are generated by the same public keys and therefore it is not applicable to some scenarios. To solve this problem, the public key encryption with equality test (PKE-ET) schemes [23,24,25,26,27,28,29,30,31] were put forward, which allowed equality tests made on the ciphertexts by different public keys as well as the same public keys. To alleviate the storage cost of certificates, identity-based encryption with equality test (IBE-ET) schemes [32,33] were proposed. Along with research, to make fine-grained authorization more flexible and inspired by the idea of attribute-based encryption, the attribute-based encryption with equality test (ABE-ET) schemes [34,35,36,37] were presented.

To provide more flexible equality testing to satisfy different requirements, Huang et al. presented the public key encryption with filtered equality test (PKE-FET) schemes [38,39], in which only a few selected message sets can be equality tested. An authorized user can determine not only whether two ciphertexts contain the same plaintext (without decryption) but also whether the plaintext belongs to the message set.

In this paper, we integrate the identity-based cryptography [40] into PKE-FET to propose a new concept of identity-based encryption with the filtered equality test (IBE-FET) for smart healthcare. A practical application scenario using IBE-FET is shown in Figure 2.

Figure 2. A practical application scenario of identity-based encryption with filtered equality test (IBE-FET).

In the smart healthcare system, there are three parties: doctors, the healthcare cloud server (HCS) and patients, where the patients are distributed in different areas. To ensure the privacy of patients, the sensitive data is encrypted during transmission. It is desired that the healthcare providers optimize the distribution of family doctors, and thus they need to search for the encrypted information. With the assumption that patients A and B with the same symptoms belong to area 1, A encrypts his privacy information (symptom and area) under the identity $I{D}_A$ and the doctor’s identity $I{D}_D$, and transmits the tuple $\{I{D}_A,\text{IBE-FET}(I{D}_D,I{D}_A,\mathrm{symptom},\mathrm{area}1)\}$ to HCS. Additionally, A generates a warrant $w_A$ and transmits to HCS. B transmits $\{I{D}_B,\text{IBE-FET}(I{D}_D,I{D}_B,\mathrm{symptom},\mathrm{area}1)\}$ and $w_B$ to HCS in the same way. Upon obtaining these data, the HCS could determine and search whether A and B are distributed in the same areas and have the same symptom. However, there is no knowledge what the real areas and symptom are. Then, the HCS sends the search result to the patients A and B, respectively, which allows them to share their medical experience with each other. Most important of all, the HCS can investigate the cause of the disease and arrange family doctors reasonably to improve the efficiency of healthcare. The above scenario can be extended to multi-user scenarios. For instance, more patients can get the warrant and send it to the HCS along with the requests and obtain feedback, indicating whether there are any patients belonging to the same area who have the same symptom features.

Besides, the IBE-FET scheme can also be applied to the smart grid system [41,42], which contains electricity suppliers, a power system cloud server and users. To protect the privacy and enhance the power quality of users, the privacy information (e.g., power consumers and location) is generally transmitted in encrypted form. Based on IBE-FET, the power system cloud server can determine and search whether there are any users belonging to the same area that have the same feature (e.g., power flow and peak loading). Then, they send the search result to the electricity suppliers for improvement of the power distribution and optimization of the power flow.

1.1. Our Contributions

This paper proposes an identity-based encryption with the filtered equality test (IBE-FET). The main contributions are summarized as follows:

• Based on secret sharing and bilinear pairing, an IBE-FET scheme is proposed, which does not use the certificate verification to solve the problems of certificate management.
• The security analysis indicates that the IBE-FET scheme is one-way secure against the chosen identity and ciphertext attack (OW-ID-CCA) based on the computational bilinear Diffie-Hellman assumption in the random oracle model.
• The performance analysis shows that the IBE-FET scheme achieves the function of a filtered equality test and a higher efficiency in terms of communication cost than the related scheme [39], and therefore the proposed scheme is more suitable for smart healthcare systems.

1.2. Organization

The organization of this paper is as follows: We will briefly discuss related work in Section 2 and review some preliminaries in Section 3; in Section 4, we introduce the framework of IBE-FET; a concrete IBE-FET scheme is put forward in Section 5; Section 6 proposes a formal security proof; comparison and performance evaluations are described in Section 7; and Section 8 concludes this paper.

2. Related Works

The concept of public key encryption with the keyword search (PKE-KS) was first put forward by Boneh et al. [17]. In PKE-KS, each user can use their private key to generate a token for a keyword and send the token to the tester. Upon receiving the token, the tester can determine the equality of ciphertexts. Then, some interesting extension schemes [18,19,20,21,22] were proposed to satisfy various requirements.

PKE-KS aims at testing the keyword’s equality using a given trapdoor. However, it is not suitable for an equality test on ciphertexts by different public keys. In order to solve this problem, Yang et al. [23] proposed public key encryption with the equality test (PKE-ET). The so-called “equality test (ET)” refers to an authorized user who can verify the equality of two ciphertexts encrypted by different public keys, while the decryption keeps unavailable. However, in the PKE-ET scheme, anyone has the ability to execute the equality test without any authorization. As a fundamental security service, the authorization mechanism becomes increasingly important in modern smart system. The hierarchical key assignment techniques [43,44,45,46] were presented, which can provide fine-grained authentication and access control for the user. In order to mitigate the potential vulnerabilities and protect the user’s privacy, Tang et al. [24] integrated the fine-grained authorization mechanism into PKE-ET. In this scheme, two users require cooperation to generate the token by running the authorization algorithm and send this token to the tester, with the tester authorized to verify the equality between the ciphertexts. In addition, Tang et al. [25] introduced the concept of coarse-grained authorization scheme, in this system, every user independently generates the token by running the authorization algorithm and sends it to the tester, who executes the equality test from their ciphertexts. In 2012, Tang [26] expanded [24] to a two-proxy agents setting, where two proxies require cooperation to perform the equality test. Lu et al. [27] introduced a stronger security model for PKE-ET to meet the different demands. In 2015, the public key encryption with the delegated equality test scheme (PKE-DET) was proposed by Ma et al. [28] and in this scheme every user can generate the delegation token independently for the cloud server. Different from PKE-DET, Huang et al. [29] introduced an efficient public key encryption with the authorized equality test (PKE-AET), a provision of two kinds of warrants (recipient warrants and ciphertext warrants) and allowance of the authorized users to use warrants to execute the equality test on two ciphertexts encrypted by different public keys. To satisfy various requirements, the public key encryption supporting equality test and flexible authorization (PKE-ET-FA) was proposed by Ma et al. [30]. In this scheme, four types of authorization were presented to strengthen the user privacy protection. However, it is inefficient due to using bilinear pairings. In 2016, Lin et al. [31] proposed an efficient PKE-ET-FA scheme without using bilinear pairing, which was more suitable for practice. In order to solve the certificate management problem, the identity-based encryption with equality test (IBE-ET) [32,33] was presented. To determine the equality of two ciphertexts encrypted under different access policies, the attribute-based encryption with equality test schemes (ABE-ET) [34,35,36,37] were put forward.

For making the equality test more flexible, based on bilinear pairing and secret sharing, Huang et al. [38,39] proposed the public key encryption with the filtered equality test (PKE-FET). In these schemes, the receiver selects n messages as a set $\Omega$, and then the receiver can use a private key and $\Omega$ to generate the warrant w and sends this warrant to someone, who can execute the equality test without decryption.

The PKE-FET scheme needs certification authority to ensure the authenticity of public keys; however, it is worth noting that the problems of certificate management arise. Accordingly, inspired by the concept of identity-based cryptography [40,47,48], we presented an identity-based encryption with the filtered equality test scheme (IBE-FET), simplifying the certificate management of PKE-FET.

3. Preliminaries

This section introduces some preliminaries, including bilinear pairing, secret sharing and security assumption.

3.1. Bilinear Pairing

Let ${\mathbb{G}}_1$, ${\mathbb{G}}_T$ be two cyclic groups of prime order q, and g is a generator of ${\mathbb{G}}_1$. $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$ is a bilinear pairing if the following three properties hold:

• Bilinearity: For all $u,v\in {\mathbb{G}}_1$ and $a,b\in {\mathbb{Z}}_q^{*}$, where $e(u^a,v^b)=e{(u,v)}^{ab}$.
• Non-degeneracy: $e(g,g)\ne 1$.
• Computability: It is an efficient algorithm to compute $e(u,v)$ for all $u,v\in {\mathbb{G}}_1$.

3.2. Secret Sharing

The idea of secret sharing is introduced in [49], with a secret value k assigned to n users. A trusted party holds k and randomly picks $t-1$ numbers $r_1,r_2,···,r_{t-1}$ form t points on a 2-dimensional plane, which are $\{(0,k),(1,r_1),···,(t-1,r_{t-1})\}$. According to these points, there is only one polynomial function $\psi$ with $t-1$ degree determined. Then, the trusted party computes the points $(i,\psi (i\left)\right)$ for user $i\in [t,n]$, in which all the points satisfy $y_i=\psi \left(i\right)$. By distributing these points, it formalizes a t-out-of-n secret sharing scheme. Therefore, as for any t or more than t users, it can reconstruct the polynomial function $\psi$ and obtain the secret value k by computing $k=\psi \left(0\right)$, but if less than t users, it cannot rebuild the secret value k.

3.3. Assumption

Computational Bilinear Diffie-Hellman (CBDH) Problem: Let g be the generator of ${\mathbb{G}}_1$ and $a,b,c\in {\mathbb{Z}}_q^{*}$ be chosen at randomly. Given a tuple $(g,g^a,g^b,g^c)\in {\mathbb{G}}_1$, the task of CBDH problem is to compute $e{(g,g)}^{abc}\in {\mathbb{G}}_T$.

The probability of the algorithm $\mathcal{A}$ in solving the CBDH problem is defined as

$$Ad{v}_{\mathcal{A}}^{CBDH}=Pr[\mathcal{A}(g,g^a,g^b,g^c)=e{(g,g)}^{abc}]⩽\epsilon .$$

Computational Bilinear Diffie-Hellman (CBDH) Assumption: The CBDH assumption holds if for any polynomial-time algorithm $\mathcal{A}$ solves the CBDH problem with the negligible probability.

4. Framework of IBE-FET

The system model, syntax and security model are described in the following sections.

4.1. System Model

The system model of IBE-FET includes four parts: private key generator (PKG), sender (patient), receiver (doctor) and the cloud server, as illustrated in Figure 3. All ciphertexts are generated by the senders under the receiver’s identity and stored in the cloud server. The PKG’s task is to generate the private keys for the users (senders and receivers) secretly. To compare the ciphertexts, the receiver generates the corresponding warrant using its private key and the message set, sending it to the cloud server; wherein the warrant denotes the trapdoor of authentication. As a result, with the warrant, the cloud server is able to verify the equality between the ciphertexts without decryption and check whether the message belongs to the message set. The work of each part is described in more details below:

Figure 3. System model for IBE-FET.

• PKG: It is responsible for generating the master key $msk$ and the private key $s{k}_{ID}$, and then keeps $msk$ by itself and sends $s{k}_{ID}$ to the sender and receiver through a secure way.
• Sender (patient): The sender encrypts their private date under the receiver’s identity $I{D}_R$ to generate the ciphertext C and stores it in the cloud server.
• Receiver (doctor): Upon receiving the private key $s{k}_{I{D}_R}$ from PKG, the receiver generates the warrant w and sends it to the cloud server. It is noted that the receiver can use the private key to decrypt the ciphertext at any time.
• Cloud server: With the warrant, the cloud server is in charge of executing the filtered equality test and returns a query result.

The detail data flow of the filtered equality test (FET) is described in Figure 4.

Figure 4. Flow chart of FET.

4.2. Syntax

The IBE-FET scheme consists of the following six algorithms: setup, extract, encrypt, decrypt, authorization and filtered equality test. Let $\Delta$ denote message space and $\Omega \subseteq \Delta$ denote the message set.

Setup: Taking a security parameter k as input, this algorithm outputs the master key $msk$ and the system parameters $PP$.

Extract: Taking the master key $msk$ and the identity $ID$ as input, this algorithm outputs the private key $s{k}_{ID}$.

Encrypt: Taking the system parameters $PP$, the plaintext $m\in \Delta$ and the identity $ID$ as input, this algorithm outputs the ciphertext C.

Decrypt: Taking the system parameters $PP$, the ciphertext C and the private key $s{k}_{ID}$ as input, this algorithm outputs the corresponding plaintext m.

Authorization: Taking the system parameters $PP$, the identity $ID$, the private key $s{k}_{ID}$ and the message set $\Omega$ as input, this algorithm outputs the warrant $w_{ID}$.

Filtered equality test: Taking the system parameters $PP$, the ciphertexts $C_A$ and $C_B$, the warrants $w_{I{D}_A}$ and $w_{I{D}_B}$ as input, this algorithm returns 1 if $m_A\in \Omega$, $m_B\in \Omega$ and $m_A=m_B$. Otherwise, it returns 0.

For the property of consistency, the following conditions must be satisfied.

Correctness: When $s{k}_{ID}$ is generated by the Extract algorithm given $ID$, then, for all $m\in \Delta$, $Pr[\mathrm{Decrypt}(\mathrm{Encrypt}(ID,m),s{k}_{ID})=m]=1$.

Perfect consistency: When $w_{I{D}_A}$ and $w_{I{D}_B}$ are generated by the Authorization algorithm given $I{D}_A$, $I{D}_B$ and $\Omega$, then, for all $m_A\in \Omega$, $m_B\in \Omega$ and $m_A=m_B$, the filtered equality test algorithm must return 1.

Computational soundness: When $w_{I{D}_A}$ and $w_{I{D}_B}$ are generated by the Authorization algorithm given $I{D}_A$, $I{D}_B$ and $\Omega$, then, for all $m_A\in \Omega$, $m_B\in \Omega$ and $m_A\ne m_B$, the probability that the filtered equality test algorithm returns 1 is negligible.

4.3. Security Model

The security of IBE-FET needs to satisfy one-way security against the chosen identity and ciphertext attack (OW-ID-CCA), which is defined by an interactive game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup: $\mathcal{C}$ generates the master key $msk$ and the system parameters $P{P}_{IBE-FET}$ by running the Setup algorithm. Then $\mathcal{C}$ sends $P{P}_{IBE-FET}$ to $\mathcal{A}$ and keeps $msk$ by itself.

Phase 1: $\mathcal{A}$ makes the following queries for polynomial number of times.

• Hash H queries: $\mathcal{A}$ submits a query, then $\mathcal{C}$ returns a random value to $\mathcal{A}$.
• Private key queries: $\mathcal{A}$ submits the identity $I{D}_j$ to $\mathcal{C}$, then $\mathcal{C}$ runs the Extract algorithm and returns the private key $s{k}_{I{D}_j}$ to $\mathcal{A}$.
• Decryption queries: $\mathcal{A}$ submits the identity $I{D}_j$ and the ciphertext $C_j$ to $\mathcal{C}$, then $\mathcal{C}$ runs the Extract algorithm to obtain $s{k}_{I{D}_j}$ and runs the Decrypt algorithm to return the plaintext $m_j$ to $\mathcal{A}$.
• Authorization queries: $\mathcal{A}$ submits the identity $I{D}_j$ and the message set ${\Omega }_j$ to $\mathcal{C}$, then $\mathcal{C}$ runs the Extract algorithm to obtain $s{k}_{I{D}_j}$ and runs the Authorization algorithm to return the warrant $w_{I{D}_j}$ to $\mathcal{A}$.

Challenge: $\mathcal{A}$ submits a challenge identity $I{D}^{*}$ to $\mathcal{C}$, where $I{D}^{*}$ does not appear in private key queries in Phase 1. $\mathcal{C}$ randomly chooses a plaintext $m^{*}\in \Delta$ and sets $C^{*}$ be the challenge ciphertext. Finally, $\mathcal{C}$ sends $C^{*}$ to $\mathcal{A}$.

Phase 2: Similar to Phase 1.

• Hash H queries: $\mathcal{C}$ responds as in Phase 1.
• Private key queries: If $I{D}_j\ne I{D}^{*}$, $\mathcal{C}$ responds as in Phase 1. Otherwise, $\mathcal{C}$ returns ⊥.
• Decryption queries: If $(I{D}_j,C_j)\ne (I{D}^{*},C^{*})$, $\mathcal{C}$ responds as in Phase 1. Otherwise, $\mathcal{C}$ returns ⊥.
• Authorization queries: $\mathcal{C}$ responds as in Phase 1.

Guess: $\mathcal{A}$ outputs a guess $m^{\prime }$ and wins the above game if $m^{\prime }=m^{*}$.

The advantage of $\mathcal{A}$ winning the above game is defined as

$$Ad{v}_{IBE-FET,\mathcal{A}}^{OW-ID-CCA}=Pr[m^{\prime }=m^{*}].$$

Definition 1.

The IBE-FET scheme is OW-ID-CCA security if for any adversaries $\mathcal{A}$, $Ad{v}_{IBE-FET,\mathcal{A}}^{OW-ID-CCA}$ is negligible.

Next, the security of the public key encryption (PKE) scheme (which will be mentioned later) needs to satisfy one-way security against the chosen ciphertext attack (OW-CCA), which is defined by an interactive game between a challenger $\mathcal{C}$ and an adversary $\mathcal{A}$.

Setup: $\mathcal{C}$ generates the private key $sk$ and the system parameters $P{P}_{PKE}$ by running the Setup algorithm. Then $\mathcal{C}$ sends $P{P}_{PKE}$ to $\mathcal{A}$ and keeps $sk$ by itself.

Phase 1: $\mathcal{A}$ makes the following queries for polynomial number of times.

• Hash H queries: $\mathcal{A}$ submits a query, then $\mathcal{C}$ returns a random value to $\mathcal{A}$.
• Decryption queries: $\mathcal{A}$ submits the ciphertext $C_i$ to $\mathcal{C}$, then $\mathcal{C}$ runs the Decrypt algorithm and returns the plaintext $m_i$ to $\mathcal{A}$.

Challenge: $\mathcal{C}$ randomly chooses a challenge plaintext $m^{*}\in \Delta$ and runs the Encrypt algorithm to obtain the challenge ciphertext $C^{*}$. Finally, $\mathcal{C}$ sends $C^{*}$ to $\mathcal{A}$.

Phase 2: Similar to Phase 1.

• Hash H queries: $\mathcal{C}$ responds as in Phase 1.
• Decryption queries: If $C_i\ne C^{*}$, $\mathcal{C}$ responds as in Phase 1. Otherwise, $\mathcal{C}$ returns ⊥.

Guess: $\mathcal{A}$ outputs a guess $m^{\prime }$ and wins the above game if $m^{\prime }=m^{*}$.

The advantage of $\mathcal{A}$ wining the above game is defined as

$$Ad{v}_{PKE,\mathcal{A}}^{OW-CCA}=Pr[m^{\prime }=m^{*}].$$

Definition 2.

The PKE scheme is OW-CCA security if, for any adversaries $\mathcal{A}$, $Ad{v}_{PKE,\mathcal{A}}^{OW-CCA}$ is negligible.

5. The Proposed Scheme

In this section, a detailed construction of IBE-FET is proposed.

• Setup: Given a security parameter k, the PKG executes as follows:

  (1)

  Chooses a bilinear pairing: $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$, where ${\mathbb{G}}_1$ and ${\mathbb{G}}_T$ are two cyclic groups with prime order q, g is a generator of ${\mathbb{G}}_1$.

  (2)

  Randomly picks $u,s_0,s_1,···,s_n\in {\mathbb{Z}}_q^{*}$ and computes $U=g^u$, $S_0=g^{s_0}$, $S_1=g^{s_1}$, $···$, $S_n=g^{s_n}$.

  (3)

  Chooses four one-way hash functions $H_1:{\{0,1\}}^{*}\to {\mathbb{G}}_1$, $H_2:{\{0,1\}}^{l_1}\to {\mathbb{Z}}_q^{*}$, $H_3:{\mathbb{G}}_T\to {\{0,1\}}^{l_1+l_2}$, $H_4:{\{0,1\}}^{l_1}\to {\mathbb{G}}_T$, where $l_1$ is the length of the message and $l_2$ is the length of ${\mathbb{Z}}_q^{*}$.

  The system parameters are $P{P}_{IBE-FET}=\{e,q,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,···,S_n,H_1,H_2,H_3,H_4\}$ and the master key are $msk=\{u,s_0,s_1,···,s_n\}$.
• Extract: Given the identity $ID$ and the master key $u,s_0,s_1,···,s_n$, PKG computes $h_{ID}=H_1\left(ID\right)$ and the private key $s{k}_{ID}=\{h_{ID}^u,h_{ID}^{s_0},h_{ID}^{s_1},···,h_{ID}^{s_n}\}$.
• Encrypt: Given the message m and the identity $ID$, the sender executes as follows:

  (1)

  Randomly chooses $r,t\in {\mathbb{Z}}_q^{*}$.

  (2)

  Computes $h_{ID}=H_1\left(ID\right)$, $h=H_2\left(m\right)$, $S={\displaystyle \prod _{i=0}^n}{S}_i^{r{h}^i}$,

  $C_1=\{C_{1,0}=g^r,C_{1,1}=g^{rh},···,C_{1,n}=g^{r{h}^n}\}$,

  $C_2=g^t$,

  $C_3=\left(m\right|\left|r\right)\oplus H_3\left(e{(h_{ID},U)}^t\right)$,

  $C_4=e(h_{ID},S)·H_4\left(m\right)$.

  The ciphertext is $C=\{C_1,C_2,C_3,C_4\}$, where $C_1=(C_{1,0},C_{1,1},···,C_{1,n})$.
• Decrypt: Given the ciphertext C and the private key $s{k}_{ID}$, the receiver executes as follows:

  (1)

  Computes $C_3\oplus H_3\left(e(h_{ID}^u,C_2)\right)=m\left|\right|r$ and $h=H_2\left(m\right)$.

  (2)

  Verifies

  $$C_{1,i}=g^{r{h}^i} \mathrm{and} C_4={\displaystyle \prod _{i=0}^n}e(h_{ID}^{s_i},C_{1,i})·H_4\left(m\right)$$

  for all $i\in [0,n]$. If holds, it outputs m. Otherwise, it outputs ⊥.

• Authorization: Given the message set $\Omega =\{m_1,m_2,···,m_n\}$ and the private key $s{k}_{ID}=\{h_{ID}^{s_0},h_{ID}^{s_1},···,h_{ID}^{s_n}\}$, the receiver performs the following steps:

  (1)

  Computes a n-degree polynomial function $f\left(x\right)={\displaystyle \prod _{i=1}^n}(x-H_2\left(m_i\right))={\displaystyle \sum _{i=0}^n}{a}_i{x}^i$ and obtains the coefficient $a_0,a_1,···,a_n$.

  (2)

  Computes $w_{ID,i}=h_{ID}^{s_i}·h_{ID}^{a_i}$ for all $i\in [0,n]$ and sends the warrant $w_{ID}=\{w_{ID,0},w_{ID,1},···,w_{ID,n}\}$ to the cloud server.

• Filtered equality test: Given two ciphertexts $C_A=\{C_{A,1}=(C_{A,1,0},C_{A,1,1},···,C_{A,1,n}),C_{A,2},C_{A,3},C_{A,4}\}$ and $C_B=\{C_{B,1}=(C_{B,1,0},C_{B,1,1},···,C_{B,1,n}),C_{B,2},C_{B,3},C_{B,4}\}$, two warrants $w_{I{D}_A}=\{w_{I{D}_A,0},w_{I{D}_A,1},···,w_{I{D}_A,n}\}$ and $w_{I{D}_B}=\{w_{I{D}_B,0},w_{I{D}_B,1},···,w_{I{D}_B,n}\}$, the cloud server executes as follows:

  (1)

  Computes $z_A=\frac{C_{A,4}}{{\displaystyle \prod _{i=0}^n}e(C_{A,1,i},w_{I{D}_A,i})}$ and $z_B=\frac{C_{B,4}}{{\displaystyle \prod _{i=0}^n}e(C_{B,1,i},w_{I{D}_B,i})}$.

  (2)

  Checks whether $z_A=z_B$ or not. It outputs 1 if $z_A=z_B$, which means $m_A\in \Omega$, $m_B\in \Omega$ and $m_A=m_B$. Otherwise, it outputs 0.

Correctness: The decryption algorithm computes

$$\begin{array}{c}{C}_3\oplus H_3\left(e(h_{ID}^u,C_2)\right)\hfill \\ =\left(m\right|\left|r\right)\oplus H_3\left(e{(h_{ID},U)}^t\right)\oplus H_3\left(e(h_{ID}^u,g^t)\right)\hfill \\ =\left(m\right|\left|r\right)\oplus H_3\left(e{(h_{ID},g^u)}^t\right)\oplus H_3\left(e(h_{ID}^u,g^t)\right)\hfill \\ =m\left|\right|r\hfill \end{array}$$

Then, let $h=H_2\left(m\right)$, it checks both $C_{1,i}=g^{r{h}^i}$ and $C_4={\displaystyle \prod _{i=0}^n}e(h_{ID}^{s_i},C_{1,i})·H_4\left(m\right)={\displaystyle \prod _{i=0}^n}e(h_{ID}^{s_i},g^{r{h}^i})·H_4\left(m\right)=e{(h_{ID},g)}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}·H_4\left(m\right)=e(h_{ID},S)·H_4\left(m\right)$ for all $i\in [0,n]$. It is straightforward that the correctness holds along with the decryption algorithm.

Perfect consistency: On input $(C_A,w_{I{D}_A})$ and $(C_B,w_{I{D}_B})$, the filtered equality test algorithm obtains $z_A$ by computing

$$\begin{array}{cc}\hfill z_A& =\frac{C_{A,4}}{{\displaystyle \prod _{i=0}^n}e(C_{A,1,i},w_{I{D}_A,i})}=\frac{{\displaystyle \prod _{i=0}^n}e{(h_{I{D}_A},S_i)}^{r{h}^i}·H_4\left(m_A\right)}{{\displaystyle \prod _{i=0}^n}e(g^{r{h}^i},h_{I{D}_A}^{(s_i+a_i)})}\hfill \\ & =\frac{e{(h_{I{D}_A},g)}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}·H_4\left(m_A\right)}{e{(g,h_{I{D}_A})}^{r{\displaystyle \sum _{i=0}^n}(s_i{h}^i+a_i{h}^i)}}=\frac{e{(h_{I{D}_A},g)}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}·H_4\left(m_A\right)}{e{(g,h_{I{D}_A})}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i+rf\left(H_2\left(m_A\right)\right)}}.\hfill \end{array}$$

If $m_A\in \Omega$, we have $f\left(H_2\left(m_A\right)\right)={\displaystyle \sum _{i=0}^n}{a}_i{H}_2{\left(m_A\right)}^i=0$, therefore $z_A=\frac{e{(h_{I{D}_A},g)}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}·H_4\left(m_A\right)}{e{(g,h_{I{D}_A})}^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}}=H_4\left(m_A\right)$. Similarly, if $m_B\in \Omega$, we can obtain $z_B=H_4\left(m_B\right)$. If $m_A=m_B$, then $z_A=z_B$. The filtered equality test algorithm outputs 1.

Computational soundness: For any $m_A\in \Omega$ and $m_B\in \Omega$, by the inference of consistency, $z_A$ and $z_B$ will be computed as $z_A=H_4\left(m_A\right)$ and $z_B=H_4\left(m_B\right)$, respectively. If $m_A\ne m_B$, then $z_A\ne z_B$, this is because $H_4\left(m\right)$ is a collision resistant function. Hence the probability that the filtered equality test algorithm returns 1 is negligible. The computational soundness holds.

6. Security Proof

In this section, based on CBDH assumption, the proposed IBE-FET scheme is proved to be OW-ID-CCA security in the random oracle model. The detail of security proof is shown in Figure 5. Using the same method [32,33,40], we prove the security of the proposed scheme in two steps. We first show that an OW-ID-CCA attack on IBE-FET can be converted to an OW-CCA attack on PKE, then, we show that PKE is OW-CCA secure if the DBDH assumption holds.

Figure 5. The security proof of IBE-FET.

Theorem 1.

Supposing there is an OW-ID-CCA adversary $\mathcal{A}$ that is able to break the proposed scheme with a non-negligible probability ε, then there exists an algorithm $\mathcal{B}$ that solves the CBDH problem with the probability at least ${\epsilon }^{\prime }=\frac{\epsilon }{e(q_{sk}+q_{aut}+q_d+1)(q_{H_3}+1)}-\frac{q_{H_3}·q_d}{2^{l_1+l_2}(q_{H_3}+1)}$, where $q_{sk}$ is the number of the private key queries, $q_{aut}$ is the number of the authorization queries, $q_d$ is the number of the decryption queries and $q_{H_3}$ is the number of $H_3$ queries, $l_1$ is the length of the message and $l_2$ is the length of ${\mathbb{Z}}_q^{*}$.

Proof. 

Theorem 1 is proved based on the following Theorem 2 and Theorem 3.  □

To prove Theorem 1, we must convert the OW-ID-CCA attack on an IBE-FET scheme to an OW-CCA attack on a PKE scheme. A related PKE scheme is described below.

• Setup: Given a security parameter k, the system executes as follows:

  (1)

  Chooses a bilinear pairing: $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$, where ${\mathbb{G}}_1$ and ${\mathbb{G}}_T$ are two cyclic groups with prime order q, g is a generator of ${\mathbb{G}}_1$.

  (2)

  Randomly picks $h_{ID}\in {\mathbb{G}}_1$, $u,s_0,s_1,···,s_n\in {\mathbb{Z}}_q^{*}$ and computes $U=g^u$, $S_0=g^{s_0}$, $S_1=g^{s_1}$, $···$, $S_n=g^{s_n}$.

  (3)

  Chooses three one-way hash functions: $H_2:{\{0,1\}}^{l_1}\to {\mathbb{Z}}_q^{*}$, $H_3:{\mathbb{G}}_T\to {\{0,1\}}^{l_1+l_2}$, $H_4:{\{0,1\}}^{l_1}\to {\mathbb{G}}_T$, where $l_1$ is the length of the message and $l_2$ is the length of ${\mathbb{Z}}_q^{*}$.

  The system parameters are $P{P}_{PKE}=\{e,{\mathbb{G}}_1,{\mathbb{G}}_T,q,g,U,S_0,S_1,···,S_n,h_{ID},H_2,H_3,H_4\}$ and the pravate key are $s{k}_{ID}=\{h_{ID}^u,h_{ID}^{s_0},h_{ID}^{s_1},···,h_{ID}^{s_n}\}$.
• Encrypt: Given the message m, the sender executes as follows:

  (1)

  Randomly chooses $r,t\in {\mathbb{Z}}_q^{*}$.

  (2)

  Computes $h=H_2\left(m\right)$, $S={\displaystyle \prod _{i=0}^n}{S}_i^{r{h}^i}$, $C_1=\{C_{1,0}=g^r,C_{1,1}=g^{rh},···,C_{1,n}=g^{r{h}^n}\}$, $C_2=g^t$, $C_3=\left(m\right|\left|r\right)\oplus H_3\left(e{(h_{ID},U)}^t\right)$, $C_4=e(h_{ID},S)·H_4\left(m\right)$.

  The ciphertext is $C=\{C_1,C_2,C_3,C_4\}$, where $C_1=(C_{1,0},C_{1,1},···,C_{1,n})$.
• Decrypt: Given the ciphertexts C and the private key $s{k}_{ID}$, the receiver works as follows:

  (1)

  Computes $C_3\oplus H_3\left(e(h_{ID}^u,C_2)\right)=m\left|\right|r$ and $h=H_2\left(m\right)$.

  (2)

  Verifies

  $$C_{1,i}=g^{r{h}^i} \mathrm{and} C_4={\displaystyle \prod _{i=0}^n}e(h_{ID}^{s_i},C_{1,i})·H_4\left(m\right)$$

  for all $i\in [0,n]$. If holds, it outputs m. Otherwise, it outputs ⊥.

Theorem 2.

Supposing there is an OW-ID-CCA adversary ${\mathcal{A}}_1$ that is able to break the proposed IBE-FET scheme with a non-negligible probability ${\epsilon }_1$, then there exists an OW-CCA adversary ${\mathcal{B}}_1$ that can break the PKE scheme with the probability at least ${\epsilon }_1^{\prime }=\frac{{\epsilon }_1}{e(q_{sk}+q_{aut}+q_d+1)}$, where $q_{sk}$ is the number of the private key queries, $q_{aut}$ is the number of the authorization queries and $q_d$ is the number of the decryption queries.

Proof. 

In order to convert an OW-ID-CCA attack on IBE-FET to an OW-CCA attack on PKE, we can construct a simulator ${\mathcal{C}}_1$ to execute the game between ${\mathcal{A}}_1$ and ${\mathcal{B}}_1$.  □

Initialization: ${\mathcal{C}}_1$ runs the Setup algorithm of PKE and returns the system parameters $P{P}_{PKE}=\{q,e,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,···,S_n,h_{ID},H_2,H_3,H_4\}$ to ${\mathcal{B}}_1$. ${\mathcal{A}}_1$ interacts with ${\mathcal{B}}_1$ as follows.

Setup: ${\mathcal{B}}_1$ chooses a hash function $H_1$ and returns the system parameters $P{P}_{IBE-FET}=\{q,e,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,···,S_n,H_1,H_2,H_3,H_4\}$ to ${\mathcal{A}}_1$. For the quickly respond and consistency, ${\mathcal{B}}_1$ maintains an initially empty list $H_1^{list}$ of tuples $(I{D}_j,h_{1,j},x_j,c_j)$.

Phase 1: ${\mathcal{A}}_1$ makes the following queries.

• Hash $H_1$ queries: ${\mathcal{A}}_1$ submits a query on $I{D}_j$, ${\mathcal{B}}_1$ checks the list $H_1^{list}$ and performs as below:

  -

  If $H_1^{list}$ contains $(I{D}_j,h_{1,j},x_j,c_j)$, ${\mathcal{B}}_1$ responds with previous value $h_{1,j}$ to ${\mathcal{A}}_1$.

  -

  If $H_1^{list}$ doesn’t contain $(I{D}_j,h_{1,j},x_j,c_j)$, based on the Coron’s technology [50], ${\mathcal{B}}_1$ tosses a coin $c_j\in \{0,1\}$ that yield 0 with probability $\delta$ and 1 with probability $1-\delta$. ${\mathcal{B}}_1$ randomly chooses $x_j\in {\mathbb{Z}}_q^{*}$. If $c_j=0$, ${\mathcal{B}}_1$ computes $h_{1,j}=g^{x_j}$. If $c_j=1$, ${\mathcal{B}}_1$ computes $h_{1,j}=h_{ID}^{x_j}$. Finally, ${\mathcal{B}}_1$ adds the tuple $(I{D}_j,h_{1,j},x_j,c_j)$ to the list $H_1^{list}$ and returns $h_{1,j}$ to ${\mathcal{A}}_1$.

• Private key queries: ${\mathcal{A}}_1$ submits a private key query on $I{D}_j$, ${\mathcal{B}}_1$ makes the hash $H_1$ query on $I{D}_j$ to obtain the corresponding tuple $(I{D}_j,h_{1,j},x_j,c_j)$.

  -

  If $c_j=0$, ${\mathcal{B}}_1$ returns $s{k}_{I{D}_j}=\{U^{x_j},S_0^{x_j},S_1^{x_j},···,S_n^{x_j}\}$ to ${\mathcal{A}}_1$.

  -

  If $c_j=1$, ${\mathcal{B}}_1$ returns ⊥.

• Decryption queries: ${\mathcal{A}}_1$ submits a decryption query on $I{D}_j$ and $C=\{C_1,C_2,C_3,C_4\}$, ${\mathcal{B}}_1$ makes the hash $H_1$ query on $I{D}_j$ to obtain the corresponding tuple $(I{D}_j,h_{1,j},x_j,c_j)$.

  -

  If $c_j=0$, ${\mathcal{B}}_1$ obtains $s{k}_{I{D}_j}=\{U^{x_j},S_0^{x_j},···,S_n^{x_j}\}$ and decrypts C using $s{k}_{I{D}_j}$.

  -

  If $c_j=1$, ${\mathcal{B}}_1$ obtains $h_{1,j}=h_{ID}^{x_j}$ and computes $s{k}_{I{D}_j}=\{{\left(h_{ID}^{x_j}\right)}^u,{\left(h_{ID}^{x_j}\right)}^{s_0},{\left(h_{ID}^{x_j}\right)}^{s_1},···,{\left(h_{ID}^{x_j}\right)}^{s_n}\}$. Then ${\mathcal{B}}_1$ sets $C^{\prime }=\{C_1^{x_j}=(C_{1,0}^{x_j},C_{1,1}^{x_j},···,C_{1,n}^{x_j}),C_2^{x_j},C_3,C_4\}$. Note that the IBE-FET decryption of C using $s{k}_{I{D}_j}=\{{\left(h_{ID}^{x_j}\right)}^u,{\left(h_{ID}^{x_j}\right)}^{s_0},{\left(h_{ID}^{x_j}\right)}^{s_1},···,{\left(h_{ID}^{x_j}\right)}^{s_n}\}$ is the same as the PKE decryption of $C^{\prime }$ using $s{k}_{I{D}_j}=\{h_{ID}^u,h_{ID}^{s_0},h_{ID}^{s_1},···,h_{ID}^{s_n}\}$ because $e({\left(h_{ID}^{x_j}\right)}^u,C_2)=e(h_{ID}^u,C_2^{x_j})$ and $e({\left(h_{ID}^{x_j}\right)}^{s_i},C_{1,i})=e(h_{ID}^{s_i},C_{1,i}^{x_j})$ for any $i\in [0,n]$. ${\mathcal{B}}_1$ makes the decryption query on $C^{\prime }$ to ${\mathcal{C}}_1$ and returns the response of ${\mathcal{C}}_1$ to ${\mathcal{A}}_1$.

• Authorization queries: ${\mathcal{A}}_1$ submits an authorization query on $I{D}_j$ and the message set ${\Omega }_j$, ${\mathcal{B}}_1$ makes the private key query on $I{D}_j$ to obtain $s{k}_{I{D}_j}$. Then ${\mathcal{B}}_1$ runs the authorization algorithm and returns the warrant $w_{I{D}_j}$ to ${\mathcal{A}}_1$.

Challenge: ${\mathcal{A}}_1$ chooses the challenge identity $I{D}^{*}$ and returns it to ${\mathcal{B}}_1$. Here, $I{D}^{*}$ does not appear in the private key queries of Phase 1. Then ${\mathcal{B}}_1$ makes the hash $H_1$ query on $I{D}^{*}$ to get the tuple $(I{D}^{*},h_{1,j}^{*},x_j^{*},c_j^{*})$ and executes as follows:

• If $c_j^{*}=0$, ${\mathcal{B}}_1$ returns ⊥.
• If $c_j^{*}=1$, ${\mathcal{C}}_1$ randomly chooses $m^{*}$ and returns a PKE challenge ciphertext $C^{\prime *}=\{C_1^{\prime *}=(C_{1,0}^{\prime *},C_{1,1}^{\prime *},···,C_{1,n}^{\prime *}),C_2^{\prime *},C_3^{\prime *},C_4^{\prime *}\}$ on $m^{*}$ to ${\mathcal{B}}_1$. Then ${\mathcal{B}}_1$ returns $C^{*}=\{{C_1^{\prime *}}^{{\left(x_j^{*}\right)}^{-1}}=({C_{1,0}^{\prime *}}^{{\left(x_j^{*}\right)}^{-1}},{C_{1,1}^{\prime *}}^{{\left(x_j^{*}\right)}^{-1}}···,{C_{1,n}^{\prime *}}^{{\left(x_j^{*}\right)}^{-1}}),{C_2^{\prime *}}^{{\left(x_j^{*}\right)}^{-1}},C_3^{\prime *},C_4^{\prime *}\}$ to ${\mathcal{A}}_1$.

Phase 2: ${\mathcal{A}}_1$ makes queries as done in Phase 1.

• Private key queries: If $I{D}^{*}\ne I{D}_j$, ${\mathcal{B}}_1$ responds as in Phase 1. Otherwise, ${\mathcal{B}}_1$ returns ⊥.
• Decryption queries: If $(I{D}^{*},C^{*})\ne (I{D}_j,C_j)$, ${\mathcal{B}}_1$ responds as in Phase 1. Otherwise, ${\mathcal{B}}_1$ returns ⊥.
• Authorization queries: ${\mathcal{B}}_1$ responds as in Phase 1.

Guess: ${\mathcal{A}}_1$ outputs a guess $m^{\prime }$ for $m^{*}$. ${\mathcal{B}}_1$ outputs a guess $m^{\prime }$ for $m^{*}$.

We define the following three events:

• ${\zeta }_1$ : ${\mathcal{B}}_1$ aborts in the private key query during Phase 1 or Phase 2.
• ${\zeta }_2$ : ${\mathcal{B}}_1$ aborts in the challenge phase.
• ${\zeta }_3$ : ${\mathcal{B}}_1$ aborts in the decryption query in Phase 2.

Thus, we have

$$Pr[\neg {\zeta }_1\wedge \neg {\zeta }_2\wedge \neg {\zeta }_3]⩾(1-\delta ){\delta }^{(q_{sk}+q_{aut}+q_d)}.$$

Clearly, $(1-\delta ){\delta }^{(q_{sk}+q_{aut}+q_d)}$ can obtain the maximized when $\delta =1-\frac{1}{(q_{sk}+q_{aut}+q_d+1)}$. The probability that ${\mathcal{B}}_1$ does not abort is at least $\frac{1}{(q_{sk}+q_{aut}+q_d+1)}$. Therefore, the advantage of ${\mathcal{B}}_1$ is at least $\frac{{\epsilon }_1}{e(q_{sk}+q_{aut}+q_d+1)}$.

Theorem 3.

Supposing there is an OW-CCA adversary ${\mathcal{A}}_2$ that is able to break the PKE scheme with a non-negligible probability ${\epsilon }_2$, then there exists an algorithm ${\mathcal{B}}_2$ that solves the CBDH problem with the probability at least ${\epsilon }_2^{\prime }=\frac{{\epsilon }_2}{q_{H_3}+1}-\frac{q_{H_3}·q_d}{(q_{H_3}+1)·2^{l_1+l_2}}$, where $q_{H_3}$ is the number of $H_3$ queries and $q_d$ is the number of the decryption queries, $l_1$ is the length of the message and $l_2$ is the length of ${\mathbb{Z}}_q^{*}$.

Proof. 

Let ${\epsilon }_2=Ad{v}_{PKE,{\mathcal{A}}_2}^{OW-CCA}$ represent the advantage of ${\mathcal{A}}_2$ in the OW-CCA security game. According to schemes [23,24,25,26,27,28,29,30,31], this theorem is proved by performing a series of games. Let $Q_i$ denote the event that $m^{\prime }=m^{*}$ in Game i $(i=0,1,2)$. We define the Game 0 to be the real security game against the adversary in Definition 2. Then, we can modify the last game in an indistinguishable way to obtain the next game. The adversary has no advantage unconditionally in last game, thus he can make the queries many times, then the event will happen in the next game. Since each game is indistinguishable from the next, to prove the real security game, we can show that the probability of an event is negligible if the DBDH assumption holds. The detailed process is shown as follows.  □

Game 0:

1. Initial phase: ${\mathcal{B}}_2$ generates $u,s_0,s_1,···,s_n\in {\mathbb{Z}}_q^{*}$ and $h_{ID}\in {\mathbb{G}}_1$ by running the Setup algorithm, then computes $U=g^u,S_0=g^{s_0},S_1=g^{s_1},···,S_n=g^{s_n}$. Finally, ${\mathcal{B}}_2$ returns the system parameters $P{P}_{PKE}=\{q,e,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,···,S_n,h_{ID},H_2,H_3,H_4\}$ to ${\mathcal{A}}_2$. For the quickly respond and consistency, ${\mathcal{B}}_2$ maintains an initially empty list $H_3^{list}$ of tuples $({\Phi }_i,h_{3,i})$.

2. Query phase: ${\mathcal{B}}_2$ works as follows:

• Hash $H_3$ queries: ${\mathcal{A}}_2$ makes a hash $H_3$ query on ${\Phi }_i$, ${\mathcal{B}}_2$ checks the list $H_3^{list}$ and performs as follows.

  -

  If $H_3^{list}$ includes $({\Phi }_i,h_{3,i})$, ${\mathcal{B}}_2$ returns $h_{3,i}$ to ${\mathcal{A}}_2$.

  -

  If $H_3^{list}$ doesn’t include $({\Phi }_i,h_{3,i})$, ${\mathcal{B}}_2$ selects a random sting $h_{3,i}\in {\{0,1\}}^{l_1+l_2}$ and returns $h_{3,i}$ to ${\mathcal{A}}_2$.

• Decryption queries: ${\mathcal{A}}_2$ makes a decryption query on C, ${\mathcal{B}}_2$ returns m to ${\mathcal{A}}_2$ by running the decryption algorithm using the private key.

3. Challenge phase: For any $m^{*}$, ${\mathcal{B}}_2$ randomly chooses $r,t\in {\mathbb{Z}}_q^{*}$ and computes $h=H_2\left(m^{*}\right)$, $S={\displaystyle \prod _{i=0}^n}{S}_i^{r{h}^i}$ and defines the challenge ciphertexts

$$C^{*}=\{C_1^{*}=(C_{1,0}^{*},C_{1,1}^{*},···,C_{1,n}^{*}),C_2^{*},C_3^{*},C_4^{*}\}$$

as follows:

$C_1^{*}=\{C_{1,0}^{*}=g^r,C_{1,1}^{*}=g^{rh},···,C_{1,n}^{*}=g^{r{h}^n}\}$,

$C_2^{*}=g^t$,

$C_3^{*}=(m^{*}\left|\right|r)\oplus H_3\left(e{(h_{ID},U)}^t\right)$,

$C_4^{*}=e(h_{ID},S)·H_4\left(m^{*}\right)$.

4. Output phase: ${\mathcal{A}}_2$ outputs a guess $m^{\prime }$ for $m^{*}$.

Thus, the advantage of ${\mathcal{A}}_2$ winning in Game 0 is

$$\begin{array}{c}\hfill Ad{v}_{PKE,{\mathcal{A}}_2}^{OW-CCA}=Pr\left[Q_0\right].\end{array}$$

(1)

Game 1:

1. Initial phase: ${\mathcal{B}}_2$ responds as in Game 0.

2. Query phase: ${\mathcal{B}}_2$ works as follows:

• Hash $H_3$ queries: ${\mathcal{A}}_2$ makes a hash $H_3$ query on ${\Phi }_i$, ${\mathcal{B}}_2$ checks the list $H_3^{list}$ and performs as follows.

  -

  If $H_3^{list}$ includes $({\Phi }_i,h_{3,i})$. When ${\Phi }_i=e{(h_{ID},U)}^t$, ${\mathcal{B}}_2$ defines ${\omega }_1^{*}=H_3\left(e{(h_{ID},U)}^t\right)$ as $h_{3,i}$ and returns ${\omega }_1^{*}$ to ${\mathcal{A}}_2$; otherwise, ${\mathcal{B}}_2$ returns $h_{3,i}$ to ${\mathcal{A}}_2$.

  -

  If $H_3^{list}$ doesn’t include $({\Phi }_i,h_{3,i})$, ${\mathcal{B}}_2$ selects a random sting $h_{3,i}\in {\{0,1\}}^{l_1+l_2}$ and returns $h_{3,i}$ to ${\mathcal{A}}_2$.

• Decryption queries: ${\mathcal{B}}_2$ responds a decryption query as in Game 0.

3. Challenge phase: For any $m^{*}$, ${\mathcal{B}}_2$ randomly chooses $r,t\in {\mathbb{Z}}_q^{*}$, ${\omega }_1^{*}\in {\{0,1\}}^{l_1+l_2}$ and computes $h=H_2\left(m^{*}\right)$, $S={\displaystyle \prod _{i=0}^n}{S}_i^{{}^{r{h}^i}}$ and defines the challenge ciphertexts

$$C^{*}=\{C_1^{*}=(C_{1,0}^{*},C_{1,1}^{*},···,C_{1,n}^{*}),C_2^{*},C_3^{*},C_4^{*}\}$$

as follows:

$C_1^{*}=\{C_{1,0}^{*}=g^r,C_{1,1}^{*}=g^{rh},···,C_{1,n}^{*}=g^{r{h}^n}\}$,

$C_2^{*}=g^t$,

$C_3^{*}=(m^{*}\left|\right|r)\oplus {\omega }_1^{*}$,

$C_4^{*}=e(h_{ID},S)·H_4\left(m^{*}\right)$.

4. Update phase: ${\mathcal{B}}_2$ adds the tuple $(e{(h_{ID},U)}^t,{\omega }_1^{*})$ to the list $H_3^{list}$.

5. Output phase: ${\mathcal{A}}_2$ outputs a guess $m^{\prime }$ for $m^{*}$.

Compared to Game 0, the value of $H_3$ is replaced by a random value ${\omega }_1^{*}$ in Game 1. According to the random oracle model, the advantage of ${\mathcal{A}}_2$ winning in Game 1 is identical to Game 0. Thus

$$\begin{array}{c}\hfill Ad{v}_{PKE,{\mathcal{A}}_2}^{OW-CCA}=Pr\left[Q_0\right]=Pr\left[Q_1\right].\end{array}$$

(2)

Game 2:

1. Initial phase: ${\mathcal{B}}_2$ responds as in Game 1.

2. Query phase: ${\mathcal{B}}_2$ works as follows:

• Hash $H_3$ queries: ${\mathcal{A}}_2$ makes a hash $H_3$ query on ${\Phi }_i$, ${\mathcal{B}}_2$ checks the list $H_3^{list}$ and performs as follows.

  -

  If $H_3^{list}$ includes $({\Phi }_i,h_{3,i})$. When ${\Phi }_i=e{(h_{ID},U)}^t$, ${\mathcal{B}}_2$ returns ⊥. Define this event as $E_1$; otherwise, ${\mathcal{B}}_2$ returns $h_{3,i}$ to ${\mathcal{A}}_2$.

  -

  If $H_3^{list}$ does not include $({\Phi }_i,h_{3,i})$, ${\mathcal{B}}_2$ selects a random sting $h_{3,i}\in {\{0,1\}}^{l_1+l_2}$ and returns $h_{3,i}$ to ${\mathcal{A}}_2$.

• Decryption queries: ${\mathcal{A}}_2$ makes a decryption query on C. If C is equal to the challenge ciphertext $C^{*}$ except $C_3$, ${\mathcal{B}}_2$ returns ⊥. Otherwise, ${\mathcal{B}}_2$ responds as in Game 1.

3. Challenge phase: For any $m^{*}$, ${\mathcal{B}}_2$ randomly chooses $r,t\in {\mathbb{Z}}_q^{*}$, ${\omega }_2^{*}\in {\{0,1\}}^{l_1+l_2}$ and computes $h=H_2\left(m^{*}\right)$, $S={\displaystyle \prod _{i=0}^n}{S}_i^{r{h}^i}$ and defines the challenge ciphertexts

$$C^{*}=\{C_1^{*}=(C_{1,0}^{*},C_{1,1}^{*},···,C_{1,n}^{*}),C_2^{*},C_3^{*},C_4^{*}\}$$

as follows:

$C_1^{*}=\{C_{1,0}^{*}=g^r,C_{1,1}^{*}=g^{rh},···,C_{1,n}^{*}=g^{r{h}^n}\}$,

$C_2^{*}=g^t$,

$C_3^{*}={\omega }_2^{*}$,

$C_4^{*}=e(h_{ID},S)·H_4\left(m^{*}\right)$.

4. Update phase: ${\mathcal{B}}_2$ adds the tuple $(e{(h_{ID},U)}^t,{\omega }_2^{*}\oplus (m^{*}\left|\right|r\left)\right)$ to the list $H_3^{list}$.

5. Output phase: ${\mathcal{A}}_2$ outputs a guess $m^{\prime }$ for $m^{*}$.

Compared to Game 1, the value of $C_3^{*}$ is replaced by a random value ${\omega }_2^{*}$ in Game 2. According to the random oracle model, if the event $E_1$ does not occur, Game 2 is the same as Game 1. Therefore

$$\begin{array}{c}\hfill |Pr\left[Q_2\right]|-|Pr\left[Q_1\right]|⩽Pr\left[E_1\right].\end{array}$$

(3)

Now, we proof the event $E_1$ occurs with negligible probability

$$\begin{array}{c}\hfill Pr\left[E_1\right]⩽Ad{v}_{P_1}^{CBDH}·q_{H_3}+\frac{q_d·q_{H_3}}{2^{l_1+l_2}}.\end{array}$$

(4)

Claim 1.

Event $E_1$ occurs with negligible probability $Pr\left[E_1\right]$ in Game 2 if the CBDH problem is intractable.

Proof. 

Assume the event $E_1$ occurs in Game 2 with a non-negligible probability $Pr\left[E_1\right]$, we can construct an algorithm $P_1$ that can compute $e{(g,g)}^{xyz}$ with a non-negligible probability when receiving a random CBDH problem instance $(g,g^x,g^y,g^z)$.  □

$P_1$ randomly selects $r,s_0,s_1,···,s_n\in {\mathbb{Z}}_q^{*}$, $m^{*}\in \Delta$, ${\nu }_1^{*}\in {\{0,1\}}^{l_1+l_2}$ and computes $h=H_2\left(m^{*}\right)$. The system parameters are {$h_{ID}=g^x,U=g^y,S_0=g^{s_0},S_1=g^{s_1},···,S_n=g^{s_n},S={\displaystyle \prod _{i=0}^n}{S}_i^{r{h}^i}=g^{r{\displaystyle \sum _{i=0}^n}{s}_i{h}^i}$}. Then, $P_1$ calculates $C_1^{*}=\{C_{1,0}^{*}=g^r,C_{1,1}^{*}=g^{rh},···,C_{1,n}^{*}=g^{r{h}^n}\}$, $C_2^{*}=g^z$, $C_3^{*}={\nu }_1^{*}$ and $C_4^{*}=e(h_{ID},S)·H_4\left(m^{*}\right)$ as the challenge ciphertexts and adds $(\perp ,{\nu }_1^{*}\oplus (m^{*}\left|\right|r\left)\right)$ into the list $H_3^{list}$. Finally, $P_1$ returns $P{P}_{PKE}=\{q,e,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,···,S_n,S,h_{ID},H_2,H_3,H_4\}$ and the challenge ciphertexts $C^{*}=\{C_1^{*},C_2^{*},C_3^{*},C_4^{*}\}$ to ${\mathcal{A}}_2$. ${\mathcal{A}}_2$ makes the following queries:

• Hash $H_3$ queries: $P_1$ responds as in Game 2.
• Decryption queries: ${\mathcal{A}}_2$ makes a decryption query on C. If $C_1=C_1^{*}$, $C_2=C_2^{*}$, $C_3\ne C_3^{*}$, $C_4=C_4^{*}$, $P_1$ returns ⊥. Otherwise, $P_1$ searches the list $H_3^{list}$ to get $h_{3,i}$ and computes $m^{*}\left|\right|r=h_{3,i}\oplus C_3^{*}$, $h=H_2\left(m^{*}\right)$. If $C_{1,i}^{*}=g^{r{h}^i}$ and $C_4^{*}={\displaystyle \prod _{i=0}^n}e{(h_{ID},C_{1,i}^{*})}^{s_i}·H_4\left(m^{*}\right)$ are hold for all $i\in [0,n]$, $P_1$ returns $m^{*}$ to ${\mathcal{A}}_2$.

If the following two cases holds, $P_1$ can solve the CBDH problem:

• ${\mathcal{A}}_2$ has never made a hash $H_3$ query on $e{(h_{ID},C_2)}^y$ before a decryption query on $C=\{C_1,C_2,C_3,C_4\}$. In this case, $P_1$ returns ⊥. If C is a valid ciphertext, it means ${\mathcal{A}}_2$ guesses the value of $h_{3,i}$ correctly. Thus the probability is $\frac{1}{2^{l_1+l_2}}$.
• The event $E_1$ occurs in the hash $H_3$ queries. It means that the list $H_3^{list}$ includes the tuple $(e{(h_{ID},C_2)}^y,\perp )$. The probability is $\frac{Pr\left[E_1\right]}{q_{H_3}}$.

Let $X_1$ to be event that the ciphertext is valid when $P_1$ returns ⊥ in the case 1. Then we have

$$\begin{array}{c}\hfill Pr\left[X_1\right]⩽\frac{q_d}{2^{l_1+l_2}}.\end{array}$$

(5)

Let $X_2$ to be event in case 2 that $P_1$ obtains $e{(g,g)}^{xyz}$ as a solution of the CBDH problem. If $X_1$ does not occur and $(e{(h_{ID},C_2)}^y,\perp )$ appears in the list $H_3^{list}$ with the probability at least $Pr\left[E_1\right]$. So

$$\begin{array}{c}\hfill Pr\left[X_2\left|\neg X_1\right.\right]=\frac{Pr\left[E_1\right]}{q_{H_3}}.\end{array}$$

(6)

Then

$$\begin{array}{cc}\hfill Pr\left[X_2\right]& =Pr\left[X_2\left|X_1\right.\right]Pr\left[X_1\right]+Pr\left[X_2\left|\neg X_1\right.\right]Pr[\neg X_1]\hfill \\ & ⩾Pr\left[X_2\left|\neg X_1\right.\right]Pr[\neg X_1]\hfill \\ & =Pr\left[X_2\left|\neg X_1\right.\right](1-Pr\left[X_1\right])\hfill \\ & =Pr\left[X_2\left|\neg X_1\right.\right]-Pr\left[X_2\left|\neg X_1\right.\right]Pr\left[X_1\right]\hfill \\ & ⩾Pr\left[X_2\left|\neg X_1\right.\right]-Pr\left[X_1\right]\hfill \\ & =\frac{Pr\left[X_1\right]}{q_{H_3}}-\frac{q_d}{2^{l_1+l_2}}.\hfill \end{array}$$

So, we obtain

$$\begin{array}{c}\hfill Ad{v}_{P_1}^{CBDH}⩾\frac{Pr\left[E_1\right]}{q_{H_3}}-\frac{q_d}{2^{l_1+l_2}}.\end{array}$$

(7)

According to the assumption, if $Pr\left[E_1\right]$ is non-negligible, the advantage $Ad{v}_{P_1}^{CBDH}$ is non-negligible. The proof of Claim 1 is completed.

Claim 2.

Event $Q_2$ occurs with negligible probability $Pr\left[Q_2\right]$ in Game 2 if the CBDH problem is intractable.

Proof. 

Assume the event $Q_2$ occurs in Game 2 with a non-negligible probability $Pr\left[Q_2\right]$, we can construct an algorithm $P_2$ that can compute $e{(g,g)}^{xyz}$ with a non-negligible probability when receiving a random CBDH problem instance $(g,g^x,g^y,g^z)$.  □

$P_2$ randomly selects $t,s_1,s_2,···,s_n\in {\mathbb{Z}}_q^{*}$, ${\nu }_1^{*}\in {\{0,1\}}^{l_1+l_2}$, ${\nu }_2^{*}\in {\mathbb{G}}_T$, $m^{*}\in \Delta$ and computes $h=H_2\left(m^{*}\right)$. The system parameters are {$h_{ID}=g^x,S_0=g^y,S_1=g^{s_1},S_2=g^{s_2},···,S_n=g^{s_n}$}. Then, $P_2$ calculates $C_1^{*}=\{C_{1,0}^{*}=g^z,C_{1,1}^{*}=g^{zh},C_{1,2}^{*}=g^{z{h}^2},···,C_{1,n}^{*}=g^{z{h}^n}$, $C_2^{*}=g^t$, $C_3^{*}={\nu }_1^{*}$ and $C_4^{*}={\nu }_2^{*}·H_4\left(m^{*}\right)$ as the challenge ciphertexts and adds $(\perp ,{\nu }_1^{*}\oplus (m^{*}\left|\right|r\left)\right)$ into the list $H_3^{list}$. And $P_2$ returns $P{P}_{PKE}=\{q,e,{\mathbb{G}}_1,{\mathbb{G}}_T,g,U,S_0,S_1,S_2,···,S_n,h_{ID},H_2,H_3,H_4\}$ and the challenge ciphertexts $C^{*}=\{C_1^{*},C_2^{*},C_3^{*},C_4^{*}\}$ to ${\mathcal{A}}_2$.

${\mathcal{A}}_2$ interacts with $P_2$ as Game 2.

Finally, $P_2$ obtains $e{(g,g)}^{xyz}$ by computing

$$e{(h_{ID},C_{1,0}^{*})}^y=\frac{C_4^{*}}{H_4\left(m^{*}\right)·{\displaystyle \prod _{i=1}^n}e{(h_{ID},C_{1,i}^{*})}^{s_i}}.$$

Therefore, we have

$$\begin{array}{c}\hfill Pr\left[Q_2\right]⩽Ad{v}_{P_2}^{CBDH}.\end{array}$$

(8)

According to the assumption, if $Pr\left[Q_2\right]$ is non-negligible, the advantage $Ad{v}_{P_2}^{CBDH}$ is non-negligible. The proof of Claim 2 is completed.

Owing to the Equations (1)–(8), we can claim that

$$\begin{array}{cc}\hfill Ad{v}_{PKE,{\mathcal{A}}_2}^{OW-CCA}& =Pr\left[Q_0\right]\hfill \\ & =Pr\left[Q_1\right]\hfill \\ & ⩽Pr\left[Q_2\right]+Ad{v}^{CBDH}·q_{H_3}+\frac{q_{H_3}·q_d}{2^{l_1+l_2}}\hfill \\ & ⩽(q_{H_3}+1)·Ad{v}^{CBDH}+\frac{q_{H_3}·q_d}{2^{l_1+l_2}}.\hfill \end{array}$$

So, Theorem 3 has been proved.

According to Theorem 2 and Theorem 3, we can show that the proposed IBE-FET scheme satisfies OW-ID-CCA security. Assume an OW-ID-CCA adversary $\mathcal{A}$ is able to against IBE-FET with the probability $\epsilon$, then there the algorithm $\mathcal{B}$ can solve the CBDH problem with the probability at least ${\epsilon }^{\prime }=\frac{\epsilon }{e(q_{dk}+q_{Aut}+q_d+1)(q_{H_3}+1)}-\frac{q_{H_3}·q_d}{\left(2^{l_1+l_2}\right)(q_{H_3}+1)}.$

7. Comparison and Performance Evaluation

In this section, we present the comparisons between the proposed IBE-FET scheme and the existing related schemes [23,24,25,30,32,33,39].

7.1. Comparison

The comparison for the proposed IBE-FET scheme and the related schemes [23,24,25,30,32,33,39] is given in Table 1. Let ET be the quality test, FET be the filtered quality test, ID be the identity-based and ROM be the random oracle model. Let ✓ denote “satisfy” and ✗ denote “not satisfy”.

Table 1. Comparison.

Schemes	ET	FET	ID	ROM	Security	Assumption
[23]	✓	✗	✗	✓	OW-CCA	CDH
[24]	✓	✗	✗	✓	OW-CCA,IND-CCA	CDH,DDH
[25]	✓	✗	✗	✓	OW-CCA,IND-CCA	CDH
[30]	✓	✗	✗	✓	OW-CCA,IND-CCA	CONF,CDH
[32]	✓	✗	✓	✓	OW-ID-CCA	CDH
[33]	✓	✗	✓	✓	OW-ID-CCA	CBDH
[39]	✓	✓	✗	✗	IND-CCA	SXDH
The proposed scheme	✓	✓	✓	✓	OW-ID-CCA	CBDH

From Table 1, it is clearly observed that scheme [39] and the proposed scheme support the filtered equality test while other schemes only provide the equality test. Schemes [32,33] and the proposed scheme adopt the identity-based cryptography which can avoid the certificate management problem, while other schemes adopt public key cryptography. With regard to security, all schemes are provably secure based on basic assumptions in the random oracle except scheme [39]. However, none of the schemes [23,24,25,30,32,33,39] could satisfy both the properties of the filtered equality test and of the identity-based one, only our scheme can do it.

7.2. Computation Cost

For computation complexity estimation, the time cost for performing the cryptographic operations is defined as follows. Let $T_E$ and $T_P$ denote the time of a scale multiplication operation and a bilinear pairing operation, respectively. The time of a map-to-point hash function operation is denoted as $T_H$. Other lightweight operations (point addition, one way hash function operation) are not taken into account.

To offer the security level of 80-bit, we adopt the symmetric bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_T$, here ${\mathbb{G}}_1$ is the cyclic group generated by a generator g with the order q on a super singular elliptic curve $E:y^2=x^3+xmodp$ with embedding degree 2. p is 512-bit prime number and q is 160-bit Solinas prime number, which satisfy $q·12·r=p+1$. Using the MIRACL Crypto SDK [51], the running time of the cryptographic operations are quantified. The experiment is run on an Intel Core i5-4590, 3.3GHz CPU, 8 gigabytes memory with Windows 7 environment. Table 2 lists the average execution times of cryptographic operations $T_E$, $T_P$, and $T_H$.

Table 2. Execution time of cryptographic operation.

Cryptographic Operation	Execution Time
Scalar multiplication $T_E$	3.7770
Bilinear pairing $T_P$	9.0791
Map-to-point hash function $T_H$	9.7052

Based on the experimental results, the computation cost of the proposed IBE-FET scheme and the related schemes [23,24,25,30,32,33,39] are summarized in Table 3.

Table 3. Computation costs.

Schemes	Encryption	Decryption	Authorization	Equality Test
[23]	$3T_E$	$3T_E$	⊥	$2T_P$
[24]	$4T_E$	$2T_E$	$3T_E$	$4T_P$
[25]	$5T_E$	$2T_E$	⊥	$4T_P$
[30]	$6T_E$	$5T_E$	⊥	$2T_E+2T_P$
[32]	$6T_E+2T_P+2T_H$	$2T_E+2T_P+1T_H$	$1T_E$	$4T_P+2T_H$
[33]	$2T_E+1T_H$	$2T_P+1T_H$	$1T_H$	$2T_E+4T_P+2T_H$
[39]	$(n+4)T_E+1T_H$	$(n+3)T_E+1T_P+1T_H$	$(n+1)T_E$	$(n+1)T_P$
The proposed scheme	$(n+3)T_E+2T_H+2T_P$	$(n+1)T_E+1T_H+(n+2)T_P$	$(n+1)T_E$	$(n+1)T_P$

In the encryption phase, the proposed scheme needs to execute $n+3$ scalar multiplication operations, two bilinear pairing operations and two map-to-point hash operations; therefore, the total encryption time is $(n+3)T_E+2T_P+2T_H=3.7770n+48.8996$ ms. In the decryption phase, the proposed scheme needs to execute $n+1$ scalar multiplication operations, $n+2$ bilinear pairing operations and one map-to-point hash operation; therefore, the total decryption time is $(n+1)T_E+(n+2)T_P+1T_H=12.8561n+31.6404$ ms. In the authorization phase, the proposed scheme needs to execute $n+1$ scalar multiplication operations; therefore, the total authorization time is $(n+1)T_E=3.7770n+3.7770$ ms. In the test phase, the proposed scheme needs to execute $n+1$ bilinear pairing operations; therefore, the total test time is $(n+1)T_P=9.0791n+9.0791$ ms. From Table 3, we can arrive at the fact that the computational cost of the proposed scheme is higher than those of other schemes [23,24,25,30,32,33,39] in both encryption and decryption phases. In terms of authorization and test phases, the proposed scheme has the same computational cost as scheme [39], which is more than those of other schemes [23,24,25,30,32,33,39].

Figure 6 describes the relationship between the computational cost of the proposed scheme and the number of message n. As shown in Figure 6, the total computational cost increases linearly with the number of message in all phases. The computational cost is equal to 67.7496, 95.9209, 22.6270 and 54.4746 ms when $n=5$, that is equal to 162.2096, 417.3234, 117.0870 and 281.4521 ms when $n=30$, in encryption, decryption, authorization, and equation test phase of the proposed scheme, respectively. Based on the above analysis, the computational cost of the proposed scheme is feasible.

Figure 6. Computational cost with different number of messages.

7.3. Communication Cost

We compare the communication cost of the proposed IBE-FET and those of the related schemes [23,24,25,30,32,33,39] in this section. The communication cost is represented by the size of message transmitted. The sender transmits the ciphertext to the cloud server for storing and a warrant is transmitted from the receiver to the cloud server in order to perform the filter equality test. Therefore, the communication cost is generated as a result of the communication between the sender and the cloud server and between the receiver and the cloud server. Let $\left|PK\right|$, $\left|CT\right|$, $\left|WT\right|$ denote the sizes of the public key, ciphertext and warrant, respectively. Let $|{\mathbb{G}}_1|$ be the length of the element in group ${\mathbb{G}}_1$, $|{\mathbb{G}}_T|$ be the length of the element in group ${\mathbb{G}}_T$, $|{\mathbb{Z}}_q|$ be the element’s length of ${\mathbb{Z}}_q$. Since the size of q is 512 bits (64 bytes), therefore the sizes of the elements in group ${\mathbb{G}}_1$ and ${\mathbb{G}}_T$ are 512 bits (64 bytes) and 3072 bits (384 bytes) respectively. The length of ${\mathbb{Z}}_q$ is 512 bits (64 bytes). Based on the above analysis, in the proposed scheme, the ciphertext $C=\{C_1=(C_{1,0},C_{1,1},···,C_{1,n}),C_2,C_3,C_4\}$ is sent from the sender to the cloud server, where $C_{1,i}\in {\mathbb{G}}_1$, $C_2\in {\mathbb{G}}_1$, $C_3\in {\mathbb{G}}_T$, $C_4\in {\mathbb{Z}}_q$. Therefore, the communication cost is $(n+2)\left|{\mathbb{G}}_1\right|+\left|{\mathbb{G}}_T\right|+\left|{\mathbb{Z}}_q\right|=64n+576bytes$. The warrant $w_{ID}=\{w_{ID,0},w_{ID,1},···,w_{ID,n}\}$ is sent from the receiver to the cloud server, where $w_{ID,i}\in {\mathbb{G}}_1$. Therefore, the communication cost is $(n+1)\left|{\mathbb{G}}_1\right|=64n+64bytes$. The results of the comparison are listed in Table 4.

Table 4. Communication costs.

Schemes	$\left|\mathit{PK}\right|$	$\left|\mathit{CT}\right|$	$\left|\mathit{WT}\right|$
[23]	$1|{\mathbb{G}}_1|=64$ bytes	$3|{\mathbb{G}}_1|+1|{\mathbb{Z}}_q|=256$ bytes	⊥
[24]	$2|{\mathbb{G}}_1|=128$ bytes	$3|{\mathbb{G}}_1|+1|{\mathbb{Z}}_q|=256$ bytes	$3|G_1|=192$ bytes
[25]	$2|{\mathbb{G}}_1|=128$ bytes	$3|{\mathbb{G}}_1|+1|{\mathbb{Z}}_q|=256$ bytes	1$|Z_q|=64$ bytes
[30]	$2|{\mathbb{G}}_1|=128$ bytes	$5|{\mathbb{G}}_1|+1|{\mathbb{Z}}_q|=384$ bytes	⊥
[32]	$2|{\mathbb{G}}_1|=128$ bytes	$5|{\mathbb{G}}_1|+1|{\mathbb{Z}}_q|=384$ bytes	1$|{\mathbb{G}}_1|=64$ bytes
[33]	$2|{\mathbb{G}}_1|=128$ bytes	$2|{\mathbb{G}}_1|+2|{\mathbb{Z}}_q|=256$ bytes	1$|{\mathbb{G}}_1|=64$ bytes
[39]	$(n+2)|{\mathbb{G}}_1|+1|{\mathbb{G}}_T|=64n+512$ bytes	$(n+2)|{\mathbb{G}}_1|+1|{\mathbb{G}}_T|=64n+576$ bytes	$(n+1)|{\mathbb{G}}_1|=64n+64$ bytes
The proposed scheme	$(n+2)|{\mathbb{G}}_1|=64n+128$ bytes	$(n+2)|{\mathbb{G}}_1|+1|{\mathbb{G}}_T|+1|{\mathbb{Z}}_q|=64n+576$ bytes	$(n+1)|{\mathbb{G}}_1|=64n+64$ bytes

From Table 4, we can see that the communication cost of schemes [23,24,25,30,32,33,39] is a fixed value, while that of the proposed scheme and scheme [39] increases linearly with the number of message n. From the above analysis, we find that when the message n is constant, the public key’s size of the proposed scheme is smaller than those of scheme [39]. As for the size of ciphertext and warrant, the communication cost of the proposed scheme is equal to that of scheme [39]. Thus, the communication cost of the proposed IBE-FET scheme is lower than that of scheme [39].

8. Conclusions

In this paper, based on bilinear pairing and secret sharing, we have presented an identity-based encryption with the filtered equality test (IBE-FET) scheme. The security analysis demonstrated that the proposed IBE-FET is OW-ID-CCA secure under the CBDH assumptions in the random oracle model. The performance evaluation and comparison indicate that the proposed IBE-FET achieves greater functionality than most previous schemes and adopts identity-based cryptography which avoids the certificate management issue effectively. In addition, the total computational cost increases linearly with the number of message n in all phases. Besides, in terms of communication cost, the proposed scheme is efficient. Therefore, the proposed IBE-FET scheme is more practical.