Identity-Based Encryption with Filtered Equality Test for Smart City Applications

With the growth of the urban population, the rapid development of smart cities has become the focus of urban regional development. Smart medical care is an indispensable part of smart city construction, which promotes the development of the medical industry. However, the security of data and timely service are the current problems faced by intelligent medical systems. Based on the public key encryption with filtered equality test and identity-based cryptography, an identity-based encryption with the filtered equality test (IBE-FET) is proposed for smart healthcare, in which a data receiver can use the private key and the message set to generate a warrant and send it to the cloud server. A cloud server can verify the equality between ciphertexts without decryption and check whether the encrypted message belongs to the same message set. Furthermore, the security analysis shows that the proposed scheme satisfies one-way security against the chosen identity and ciphertext attack in the random oracle model under the computational bilinear Diffie-Hellman assumption. The performance comparison shows that the scheme is feasible and practical in real life.


Introduction
The concept of the smart city (SC) [1] emerges in the context in which the current global power supply and consumption trends are socially, environmentally and economically unsustainable. It refers to an urban transformation which, with the use of the latest information and communications technologies (ICT), improves cities' efficiency. Currently, more and more people live in cities and every person uses more than five devices to access the Internet. Thus, the various embedded devices are integrated with urban infrastructure to optimize daily life of citizens.
Recently, with the rapid development of the Internet of Things (IoT) [2] and ICT, the applications of the smart city [3] are on the rise, which can enhance the life quality of citizens. Representative smart city applications are given in Figure 1, which benefit the city and people in a variety of aspects: economy, education, healthcare, and living. Meanwhile, the smart city has a new, complete level of effectiveness, sustainability and efficiency.
The main goal of the smart city is to greatly improve quality of life. Nevertheless, security and privacy problems are of great importance to the users in the smart city [4][5][6]. Progress in the IoT and cloud computing technology is driving the development of smart systems to support and improve the healthcare system. However, the current healthcare system is faced with a series of challenges in providing low-cost healthcare services. Besides, it is difficult for patients in some areas to obtain timely healthcare services due to poor medical conditions. As a result, smart healthcare [7,8] has emerged recently as the key component of a new generation healthcare network. Smart healthcare aims to improve the efficiency of biomedical systems and healthcare infrastructures through various entities and technologies, including smart sensors, wearable devices, ICT and more [9]. In the smart healthcare system, patients are paying more and more attention to the security of private information. Zhang et al. [10][11][12][13] have done in-depth research and proposed privacy-preserving access control systems by adopting attribute-based encryption techniques to improve the security of smart healthcare. However, the techniques are complex and unfeasible in practice. To save storage space and protect the user's privacy, the sensitive information must be stored in the untrusted healthcare cloud servers in an encrypted form. However, given some ciphertexts, no one can distinguish the relationships among the ciphertexts without decryption. Searchable encryption (SE) [14][15][16] is a practical and promising solution to this problem. To provide the capability for searching in the ciphertexts, the public key encryption with keyword search (PKE-KS) schemes [17][18][19][20][21][22] were proposed, which are one practical implementation of SE.
However, the PKE-KS schemes have one weakness: the ciphertexts are generated by the same public keys, and therefore the schemes are not applicable to some scenarios. To solve this problem, the public key encryption with equality test (PKE-ET) schemes [23][24][25][26][27][28][29][30][31] were put forward, which allow equality tests on ciphertexts generated under different public keys as well as under the same public keys. To alleviate the storage cost of certificates, identity-based encryption with equality test (IBE-ET) schemes [32,33] were proposed. Later, to make fine-grained authorization more flexible and inspired by the idea of attribute-based encryption, the attribute-based encryption with equality test (ABE-ET) schemes [34][35][36][37] were presented.
To provide more flexible equality testing to satisfy different requirements, Huang et al. presented the public key encryption with filtered equality test (PKE-FET) schemes [38,39], in which only a few selected message sets can be equality tested. An authorized user can determine not only whether two ciphertexts contain the same plaintext (without decryption) but also whether the plaintext belongs to the message set.
In this paper, we integrate the identity-based cryptography [40] into PKE-FET to propose a new concept of identity-based encryption with the filtered equality test (IBE-FET) for smart healthcare. A practical application scenario using IBE-FET is shown in Figure 2. In the smart healthcare system, there are three parties: doctors, the healthcare cloud server (HCS) and patients, where the patients are distributed in different areas. To ensure the privacy of patients, the sensitive data is encrypted during transmission. It is desired that the healthcare providers optimize the distribution of family doctors, and thus they need to search for the encrypted information. With the assumption that patients A and B with the same symptoms belong to area 1, A encrypts his private information (symptom and area) under the identity $ID_A$ and the doctor's identity $ID_D$, and transmits the tuple $\{ID_A, \text{IBE-FET}(ID_D, ID_A, \text{symptom}, \text{area 1})\}$ to HCS. Additionally, A generates a warrant $w_A$ and transmits it to HCS. B transmits $\{ID_B, \text{IBE-FET}(ID_D, ID_B, \text{symptom}, \text{area 1})\}$ and $w_B$ to HCS in the same way. Upon obtaining these data, the HCS can determine and search whether A and B are distributed in the same areas and have the same symptom. However, the HCS gains no knowledge of what the real areas and symptom are. Then, the HCS sends the search result to the patients A and B, respectively, which allows them to share their medical experience with each other. Most important of all, the HCS can investigate the cause of the disease and arrange family doctors reasonably to improve the efficiency of healthcare. The above scenario can be extended to multi-user scenarios. For instance, more patients can get the warrant and send it to the HCS along with the requests and obtain feedback, indicating whether there are any patients belonging to the same area who have the same symptom features.
Besides, the IBE-FET scheme can also be applied to the smart grid system [41,42], which contains electricity suppliers, a power system cloud server and users. To protect the privacy and enhance the power quality of users, the privacy information (e.g., power consumers and location) is generally transmitted in encrypted form. Based on IBE-FET, the power system cloud server can determine and search whether there are any users belonging to the same area that have the same feature (e.g., power flow and peak loading). Then, they send the search result to the electricity suppliers for improvement of the power distribution and optimization of the power flow.

Our Contributions
This paper proposes an identity-based encryption with the filtered equality test (IBE-FET). The main contributions are summarized as follows:
• Based on secret sharing and bilinear pairing, an IBE-FET scheme is proposed, which needs no certificate verification and thereby solves the problems of certificate management.
• The security analysis indicates that the IBE-FET scheme is one-way secure against the chosen identity and ciphertext attack (OW-ID-CCA) based on the computational bilinear Diffie-Hellman assumption in the random oracle model.
• The performance analysis shows that the IBE-FET scheme achieves the function of a filtered equality test and a higher efficiency in terms of communication cost than the related scheme [39], and therefore the proposed scheme is more suitable for smart healthcare systems.

Organization
The organization of this paper is as follows: We will briefly discuss related work in Section 2 and review some preliminaries in Section 3; in Section 4, we introduce the framework of IBE-FET; a concrete IBE-FET scheme is put forward in Section 5; Section 6 proposes a formal security proof; comparison and performance evaluations are described in Section 7; and Section 8 concludes this paper.

Related Works
The concept of public key encryption with the keyword search (PKE-KS) was first put forward by Boneh et al. [17]. In PKE-KS, each user can use their private key to generate a token for a keyword and send the token to the tester. Upon receiving the token, the tester can determine the equality of ciphertexts. Then, some interesting extension schemes [18][19][20][21][22] were proposed to satisfy various requirements.
PKE-KS aims at testing the keyword's equality using a given trapdoor. However, it is not suitable for an equality test on ciphertexts generated under different public keys. In order to solve this problem, Yang et al. [23] proposed public key encryption with the equality test (PKE-ET). The so-called "equality test (ET)" refers to the ability of an authorized user to verify the equality of two ciphertexts encrypted under different public keys, while decryption remains unavailable. However, in the PKE-ET scheme, anyone has the ability to execute the equality test without any authorization. As a fundamental security service, the authorization mechanism becomes increasingly important in modern smart systems. The hierarchical key assignment techniques [43][44][45][46] were presented, which can provide fine-grained authentication and access control for the user. In order to mitigate the potential vulnerabilities and protect the user's privacy, Tang et al. [24] integrated the fine-grained authorization mechanism into PKE-ET. In this scheme, two users must cooperate to generate the token by running the authorization algorithm and send this token to the tester, who is thereby authorized to verify the equality between the ciphertexts. In addition, Tang et al. [25] introduced the concept of a coarse-grained authorization scheme. In this system, every user independently generates the token by running the authorization algorithm and sends it to the tester, who executes the equality test on their ciphertexts. In 2012, Tang [26] expanded [24] to a two-proxy agents setting, where two proxies must cooperate to perform the equality test. Lu et al. [27] introduced a stronger security model for PKE-ET to meet the different demands. In 2015, the public key encryption with the delegated equality test scheme (PKE-DET) was proposed by Ma et al. [28], and in this scheme every user can generate the delegation token independently for the cloud server. Different from PKE-DET, Huang et al. [29] introduced an efficient public key encryption with the authorized equality test (PKE-AET), which provides two kinds of warrants (recipient warrants and ciphertext warrants) and allows the authorized users to use warrants to execute the equality test on two ciphertexts encrypted under different public keys. To satisfy various requirements, the public key encryption supporting equality test and flexible authorization (PKE-ET-FA) was proposed by Ma et al. [30]. In this scheme, four types of authorization were presented to strengthen the user privacy protection. However, it is inefficient due to using bilinear pairings. In 2016, Lin et al. [31] proposed an efficient PKE-ET-FA scheme without using bilinear pairing, which was more suitable for practice. In order to solve the certificate management problem, the identity-based encryption with equality test (IBE-ET) [32,33] was presented. To determine the equality of two ciphertexts encrypted under different access policies, the attribute-based encryption with equality test schemes (ABE-ET) [34][35][36][37] were put forward.
For making the equality test more flexible, based on bilinear pairing and secret sharing, Huang et al. [38,39] proposed the public key encryption with the filtered equality test (PKE-FET). In these schemes, the receiver selects n messages as a set Ω, and then the receiver can use a private key and Ω to generate the warrant w and sends this warrant to someone, who can execute the equality test without decryption.
The PKE-FET scheme needs a certification authority to ensure the authenticity of public keys; however, this gives rise to the problems of certificate management. Accordingly, inspired by the concept of identity-based cryptography [40,47,48], we present an identity-based encryption with the filtered equality test scheme (IBE-FET), simplifying the certificate management of PKE-FET.

Preliminaries
This section introduces some preliminaries, including bilinear pairing, secret sharing and security assumption.

Bilinear Pairing
Let $G_1$, $G_T$ be two cyclic groups of prime order $q$, and let $g$ be a generator of $G_1$. A map $e : G_1 \times G_1 \to G_T$ is a bilinear pairing if the following three properties hold:
• Bilinearity: For all $u, v \in G_1$ and $a, b \in \mathbb{Z}_q^*$, $e(u^a, v^b) = e(u, v)^{ab}$.
• Non-degeneracy: $e(g, g) \neq 1$.
• Computability: There is an efficient algorithm to compute $e(u, v)$ for all $u, v \in G_1$.

Secret Sharing
The idea of secret sharing is introduced in [49], with a secret value $k$ assigned to $n$ users. A trusted party holds $k$ and randomly picks $t-1$ numbers $r_1, r_2, \cdots, r_{t-1}$ to form $t$ points on a 2-dimensional plane, which are $\{(0, k), (1, r_1), \cdots, (t-1, r_{t-1})\}$. These points determine exactly one polynomial function $\psi$ of degree $t-1$. Then, the trusted party computes the points $(i, \psi(i))$ for user $i \in [t, n]$, in which all the points satisfy $y_i = \psi(i)$. Distributing these points yields a $t$-out-of-$n$ secret sharing scheme. Therefore, any $t$ or more users can reconstruct the polynomial function $\psi$ and obtain the secret value $k$ by computing $k = \psi(0)$, but fewer than $t$ users cannot rebuild the secret value $k$.
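The construction described above, as an added Python example that is not part of the original paper: the dealer fixes ψ through the t points (0, k), (1, r_1), ..., (t−1, r_{t−1}), hands out (i, ψ(i)) for i ∈ [t, n], and any t shares recover k = ψ(0) by Lagrange interpolation. The prime modulus `Q`, the function names and the sample values are assumptions chosen for illustration; the brute-force check over a small field shows that t−1 shares leave every candidate secret possible.

```python
import secrets
from itertools import combinations, product

Q = 2**127 - 1  # prime modulus for the example field (assumption, not from the paper)


def lagrange_eval(points, x, q=Q):
    """Evaluate at x the unique polynomial of degree < len(points) that
    passes through the given (x_i, y_i) pairs, working modulo the prime q."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("x-coordinates must be distinct")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % q
                den = den * (xi - xj) % q
        total = (total + yi * num * pow(den, -1, q)) % q
    return total


def deal(k, t, n, q=Q):
    """Trusted party: psi is fixed by (0, k), (1, r_1), ..., (t-1, r_{t-1});
    the shares are the points (i, psi(i)) for i in [t, n]."""
    if not (1 <= t <= n < q):
        raise ValueError("need 1 <= t <= n < q")
    defining = [(0, k % q)] + [(i, secrets.randbelow(q)) for i in range(1, t)]
    return [(i, lagrange_eval(defining, i, q)) for i in range(t, n + 1)]


def reconstruct(shares, t, q=Q):
    """Recover k = psi(0) from at least t distinct shares."""
    if len(shares) < t:
        raise ValueError("fewer than t shares cannot determine psi")
    return lagrange_eval(list(shares)[:t], 0, q)


def consistent_secrets(shares, t, q):
    """Brute force over a small field: every value psi(0) for which some
    polynomial of degree <= t-1 passes through all the given shares."""
    found = set()
    for coeffs in product(range(q), repeat=t):
        def psi(x):
            return sum(c * pow(x, e, q) for e, c in enumerate(coeffs)) % q
        if all(psi(x) == y for x, y in shares):
            found.add(coeffs[0])
    return found


def demo():
    # Constructed sample values: secret k, threshold t, highest user index n.
    k, t, n = 123456789, 3, 7
    shares = deal(k, t, n)
    every_subset_ok = all(
        reconstruct(subset, t) == k for subset in combinations(shares, t)
    )
    # Same construction over GF(11) so that all polynomials can be enumerated.
    small = deal(5, 3, 7, q=11)
    with_two = consistent_secrets(small[:2], 3, 11)    # t-1 shares
    with_three = consistent_secrets(small[:3], 3, 11)  # t shares
    return every_subset_ok, with_two, with_three


if __name__ == "__main__":
    print(demo())
```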

Assumption
Computational Bilinear Diffie-Hellman (CBDH) Problem: Let $g$ be the generator of $G_1$ and let $a, b, c \in \mathbb{Z}_q^*$ be chosen at random. Given a tuple $(g, g^a, g^b, g^c) \in G_1$, the task of the CBDH problem is to compute $e(g, g)^{abc} \in G_T$.
The probability of the algorithm A in solving the CBDH problem is defined as

Computational Bilinear Diffie-Hellman (CBDH) Assumption: The CBDH assumption holds if any polynomial-time algorithm A solves the CBDH problem with only negligible probability.

Framework of IBE-FET
The system model, syntax and security model are described in the following sections.

System Model
The system model of IBE-FET includes four parts: private key generator (PKG), sender (patient), receiver (doctor) and the cloud server, as illustrated in Figure 3. All ciphertexts are generated by the senders under the receiver's identity and stored in the cloud server. The PKG's task is to generate the private keys for the users (senders and receivers) secretly. To compare the ciphertexts, the receiver generates the corresponding warrant using its private key and the message set and sends it to the cloud server; the warrant serves as the trapdoor of authentication. As a result, with the warrant, the cloud server is able to verify the equality between the ciphertexts without decryption and check whether the message belongs to the message set. The work of each part is described in more detail below:
• PKG: It is responsible for generating the master key $msk$ and the private key $sk_{ID}$; it keeps $msk$ to itself and sends $sk_{ID}$ to the sender and receiver in a secure way.
• Sender (patient): The sender encrypts their private data under the receiver's identity $ID_R$ to generate the ciphertext $C$ and stores it in the cloud server.
• Receiver (doctor): Upon receiving the private key $sk_{ID_R}$ from PKG, the receiver generates the warrant $w$ and sends it to the cloud server. It is noted that the receiver can use the private key to decrypt the ciphertext at any time.
• Cloud server: With the warrant, the cloud server is in charge of executing the filtered equality test and returns a query result.

The detailed data flow of the filtered equality test (FET) is described in Figure 4.

Syntax
The IBE-FET scheme consists of the following six algorithms: setup, extract, encrypt, decrypt, authorization and filtered equality test. Let ∆ denote message space and Ω ⊆ ∆ denote the message set.
Setup: Taking a security parameter k as input, this algorithm outputs the master key msk and the system parameters PP.
Extract: Taking the master key $msk$ and the identity $ID$ as input, this algorithm outputs the private key $sk_{ID}$.
Encrypt: Taking the system parameters $PP$, the plaintext $m \in \Delta$ and the identity $ID$ as input, this algorithm outputs the ciphertext $C$.
Decrypt: Taking the system parameters $PP$, the ciphertext $C$ and the private key $sk_{ID}$ as input, this algorithm outputs the corresponding plaintext $m$.
Authorization: Taking the system parameters $PP$, the identity $ID$, the private key $sk_{ID}$ and the message set $\Omega$ as input, this algorithm outputs the warrant $w_{ID}$.
Filtered equality test: Taking the system parameters $PP$, the ciphertexts $C_A$ and $C_B$, and the warrants $w_{ID_A}$ and $w_{ID_B}$ as input, this algorithm returns 1 if $m_A \in \Omega$, $m_B \in \Omega$ and $m_A = m_B$. Otherwise, it returns 0.
For the property of consistency, the following conditions must be satisfied.
Correctness: When $sk_{ID}$ is generated by the Extract algorithm given $ID$, then, for all $m \in \Delta$,
Perfect consistency: When $w_{ID_A}$ and $w_{ID_B}$ are generated by the Authorization algorithm given $ID_A$, $ID_B$ and $\Omega$, then, for all $m_A \in \Omega$, $m_B \in \Omega$ and $m_A = m_B$, the filtered equality test algorithm must return 1.
Computational soundness: When $w_{ID_A}$ and $w_{ID_B}$ are generated by the Authorization algorithm given $ID_A$, $ID_B$ and $\Omega$, then, for all $m_A \in \Omega$, $m_B \in \Omega$ and $m_A \neq m_B$, the probability that the filtered equality test algorithm returns 1 is negligible.

Security Model
The security of IBE-FET needs to satisfy one-way security against the chosen identity and ciphertext attack (OW-ID-CCA), which is defined by an interactive game between a challenger C and an adversary A.
Setup: C generates the master key $msk$ and the system parameters $PP_{IBE-FET}$ by running the Setup algorithm. Then C sends $PP_{IBE-FET}$ to A and keeps $msk$ to itself.
Phase 1: A makes the following queries a polynomial number of times.
• Hash H queries: A submits a query, then C returns a random value to A.
• Private key queries: A submits the identity $ID_j$ to C, then C runs the Extract algorithm and returns the private key $sk_{ID_j}$ to A.
• Decryption queries: A submits the identity $ID_j$ and the ciphertext $C_j$ to C, then C runs the Extract algorithm to obtain $sk_{ID_j}$ and runs the Decrypt algorithm to return the plaintext $m_j$ to A.
• Authorization queries: A submits the identity $ID_j$ and the message set $\Omega_j$ to C, then C runs the Extract algorithm to obtain $sk_{ID_j}$ and runs the Authorization algorithm to return the warrant $w_{ID_j}$ to A.
Challenge: A submits a challenge identity $ID^*$ to C, where $ID^*$ does not appear in private key queries in Phase 1. C randomly chooses a plaintext $m^* \in \Delta$ and sets $C^*$ to be the challenge ciphertext. Finally, C sends $C^*$ to A.
• Hash H queries: C responds as in Phase 1.
• Authorization queries: C responds as in Phase 1.
Guess: A outputs a guess $m$ and wins the above game if $m = m^*$. The advantage of A winning the above game is defined as

Next, the security of the public key encryption (PKE) scheme (which will be mentioned later) needs to satisfy one-way security against the chosen ciphertext attack (OW-CCA), which is defined by an interactive game between a challenger C and an adversary A.
Setup: C generates the private key $sk$ and the system parameters $PP_{PKE}$ by running the Setup algorithm. Then C sends $PP_{PKE}$ to A and keeps $sk$ to itself.
Phase 1: A makes the following queries a polynomial number of times.
• Hash H queries: A submits a query, then C returns a random value to A.
• Decryption queries: A submits the ciphertext $C_i$ to C, then C runs the Decrypt algorithm and returns the plaintext $m_i$ to A.
Challenge: C randomly chooses a challenge plaintext $m^* \in \Delta$ and runs the Encrypt algorithm to obtain the challenge ciphertext $C^*$. Finally, C sends $C^*$ to A.
Phase 2: Similar to Phase 1.
• Hash H queries: C responds as in Phase 1.

The Proposed Scheme
In this section, a detailed construction of IBE-FET is proposed.
• Setup: Given a security parameter $k$, the PKG executes as follows:
(1) Chooses a bilinear pairing $e : G_1 \times G_1 \to G_T$, where $G_1$ and $G_T$ are two cyclic groups of prime order $q$ and $g$ is a generator of $G_1$.
Chooses four one-way hash functions where $l_1$ is the length of the message and $l_2$ is the length of $\mathbb{Z}_q^*$.
The system parameters are $PP_{IBE-FET} = \{e, q, G_1, G_T, g, U, S_0, S_1, \cdots, S_n, H_1, H_2, H_3, H_4\}$ and the master key is $msk = \{u, s_0, s_1, \cdots, s_n\}$.
• Extract: Given the identity $ID$ and the master key $u, s_0, s_1, \cdots, s_n$, PKG computes $h_{ID} = H_1(ID)$ and the private key
• Encrypt: Given the message $m$ and the identity $ID$, the sender executes as follows:
(1) Randomly chooses $r, t \in \mathbb{Z}_q^*$.
(2) The ciphertext is
• Decrypt: Given the ciphertext $C$ and the private key $sk_{ID}$, the receiver executes as follows: Verifies for all $i \in [0, n]$. If it holds, it outputs $m$. Otherwise, it outputs $\perp$.
• Authorization: Given the message set $\Omega = \{m_1, m_2, \cdots, m_n\}$ and the private key $sk_{ID} = \{h_{ID}^{s_0}, h_{ID}^{s_1}, \cdots, h_{ID}^{s_n}\}$, the receiver performs the following steps:
(1) Computes an $n$-degree polynomial function $a_i x^i$ and obtains the coefficients $a_0, a_1, \cdots, a_n$.
Computes $w_{ID,i} = h_{ID}^{s_i} \cdot h_{ID}^{a_i}$ for all $i \in [0, n]$ and sends the warrant $w_{ID} = \{w_{ID,0}, w_{ID,1}, \cdots, w_{ID,n}\}$ to the cloud server.
• Filtered equality test:
(2) Checks whether $z_A = z_B$ or not. It outputs 1 if $z_A = z_B$, which means $m_A \in \Omega$, $m_B \in \Omega$ and $m_A = m_B$. Otherwise, it outputs 0.

Correctness: The decryption algorithm computes
It is straightforward that the correctness holds along with the decryption algorithm.
Perfect consistency: On input $(C_A, w_{ID_A})$ and $(C_B, w_{ID_B})$, the filtered equality test algorithm obtains $z_A$ by computing
The filtered equality test algorithm outputs 1.
Computational soundness: For any $m_A \in \Omega$ and $m_B \in \Omega$, by the inference of consistency, $z_A$ and $z_B$ will be computed as $z_A = H_4(m_A)$ and $z_B = H_4(m_B)$, respectively. If $m_A \neq m_B$, then $z_A \neq z_B$, because $H_4(m)$ is a collision-resistant function. Hence the probability that the filtered equality test algorithm returns 1 is negligible. The computational soundness holds.

where $q_{sk}$ is the number of the private key queries, $q_{aut}$ is the number of the authorization queries, $q_d$ is the number of the decryption queries and $q_{H_3}$ is the number of $H_3$ queries, $l_1$ is the length of the message and $l_2$ is the length of $\mathbb{Z}_q^*$.
Proof. Theorem 1 is proved based on the following Theorem 2 and Theorem 3.
To prove Theorem 1, we must convert the OW-ID-CCA attack on an IBE-FET scheme to an OW-CCA attack on a PKE scheme. A related PKE scheme is described below.
• Setup: Given a security parameter $k$, the system executes as follows:
(1) Chooses a bilinear pairing $e : G_1 \times G_1 \to G_T$, where $G_1$ and $G_T$ are two cyclic groups of prime order $q$ and $g$ is a generator of $G_1$.

Theorem 2. Supposing there is an OW-ID-CCA adversary $A_1$ that is able to break the proposed IBE-FET scheme with a non-negligible probability $\varepsilon_1$, then there exists an OW-CCA adversary $B_1$ that can break the PKE scheme with the probability at least $\varepsilon_1' = \frac{\varepsilon_1}{e(q_{sk}+q_{aut}+q_d+1)}$, where $q_{sk}$ is the number of the private key queries, $q_{aut}$ is the number of the authorization queries and $q_d$ is the number of the decryption queries.
Proof. In order to convert an OW-ID-CCA attack on IBE-FET to an OW-CCA attack on PKE, we can construct a simulator $C_1$ to execute the game between $A_1$ and $B_1$.
Initialization: $C_1$ runs the Setup algorithm of PKE and returns the system parameters $PP_{PKE} = \{q, e, G_1, G_T, g, U, S_0, S_1, \cdots, S_n, h_{ID}, H_2, H_3, H_4\}$ to $B_1$. $A_1$ interacts with $B_1$ as follows.
Setup: $B_1$ chooses a hash function $H_1$ and returns the system parameters $PP_{IBE-FET} = \{q, e, G_1, G_T, g, U, S_0, S_1, \cdots, S_n, H_1, H_2, H_3, H_4\}$ to $A_1$. For quick responses and consistency, $B_1$ maintains an initially empty list $H_1^{list}$ of tuples $(ID_j, h_{1,j}, x_j, c_j)$.
Phase 1: $A_1$ makes the following queries.
• Hash $H_1$ queries: $A_1$ submits a query on $ID_j$, $B_1$ checks the list $H_1^{list}$ and performs as below:
- If $H_1^{list}$ contains $(ID_j, h_{1,j}, x_j, c_j)$, $B_1$ responds with the previous value $h_{1,j}$ to $A_1$.
- If $H_1^{list}$ doesn't contain $(ID_j, h_{1,j}, x_j, c_j)$, based on Coron's technique [50], $B_1$ tosses a coin $c_j \in \{0, 1\}$ that yields 0 with probability $\delta$ and 1 with probability $1 - \delta$. $B_1$ randomly chooses $x_j \in \mathbb{Z}_q^*$. If $c_j = 0$, $B_1$ computes $h_{1,j} = g^{x_j}$. If $c_j = 1$, $B_1$ computes $h_{1,j} = h_{ID}^{x_j}$. Finally, $B_1$ adds the tuple $(ID_j, h_{1,j}, x_j, c_j)$ to the list $H_1^{list}$ and returns $h_{1,j}$ to $A_1$.

• Private key queries: $A_1$ submits a private key query on $ID_j$, $B_1$ makes the hash $H_1$ query on $ID_j$ to obtain the corresponding tuple $(ID_j, h_{1,j}, x_j, c_j)$.
• Decryption queries: $A_1$ submits a decryption query on $ID_j$ and $C = \{C_1, C_2, C_3, C_4\}$, $B_1$ makes the hash $H_1$ query on $ID_j$ to obtain the corresponding tuple $(ID_j, h_{1,j}, x_j, c_j)$.
- $B_1$ makes the decryption query on $C$ to $C_1$ and returns the response of $C_1$ to $A_1$.
• Authorization queries: $A_1$ submits an authorization query on $ID_j$ and the message set $\Omega_j$, $B_1$ makes the private key query on $ID_j$ to obtain $sk_{ID_j}$. Then $B_1$ runs the authorization algorithm and returns the warrant $w_{ID_j}$ to $A_1$.
Challenge: $A_1$ chooses the challenge identity $ID^*$ and returns it to $B_1$. Here, $ID^*$ does not appear in the private key queries of Phase 1. Then $B_1$ makes the hash $H_1$ query on $ID^*$ to get the tuple $(ID^*, h_{1,j}^*, x_j^*, c_j^*)$ and executes as follows:
• If $c_j^* = 0$, $B_1$ returns $\perp$.
Phase 2: $A_1$ makes queries as done in Phase 1.
We define the following three events:
• $\zeta_1$: $B_1$ aborts in the private key query during Phase 1 or Phase 2.
Thus, we have
Clearly, $(1-\delta)\delta^{(q_{sk}+q_{aut}+q_d)}$ is maximized when $\delta = 1 - \frac{1}{q_{sk}+q_{aut}+q_d+1}$. The probability that $B_1$ does not abort is at least $\frac{1}{q_{sk}+q_{aut}+q_d+1}$. Therefore, the advantage of $B_1$ is at least $\frac{\varepsilon_1}{e(q_{sk}+q_{aut}+q_d+1)}$.
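The maximization step above, worked through as an added derivation that is not part of the original paper. The shorthand $Q = q_{sk}+q_{aut}+q_d$ and the name $f$ are introduced here for readability.

\[
f(\delta) = (1-\delta)\,\delta^{Q}, \qquad
f'(\delta) = \delta^{Q-1}\bigl(Q - (Q+1)\,\delta\bigr) = 0
\;\Longrightarrow\;
\delta = \frac{Q}{Q+1} = 1 - \frac{1}{Q+1},
\]
\[
f\!\left(1 - \frac{1}{Q+1}\right)
= \frac{1}{Q+1}\left(1 - \frac{1}{Q+1}\right)^{Q}
= \frac{1}{Q+1}\left(1 + \frac{1}{Q}\right)^{-Q}
\;\ge\; \frac{1}{e\,(Q+1)} .
\]

The last inequality uses $(1 + 1/Q)^{Q} \le e$ for $Q \ge 1$, which is where the factor $e$ in the bound $\frac{\varepsilon_1}{e(q_{sk}+q_{aut}+q_d+1)}$ of Theorem 2 comes from.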

Theorem 3. Supposing there is an OW-CCA adversary $A_2$ that is able to break the PKE scheme with a non-negligible probability $\varepsilon_2$, then there exists an algorithm $B_2$ that solves the CBDH problem with the probability at least
where $q_{H_3}$ is the number of $H_3$ queries and $q_d$ is the number of the decryption queries, $l_1$ is the length of the message and $l_2$ is the length of $\mathbb{Z}_q^*$.
Proof. Let $\varepsilon_2 = Adv^{OW-CCA}_{PKE, A_2}$ represent the advantage of $A_2$ in the OW-CCA security game. According to schemes [23][24][25][26][27][28][29][30][31], this theorem is proved by performing a series of games. Let $Q_i$ denote the event that $m = m^*$ in Game $i$ ($i = 0, 1, 2$). We define Game 0 to be the real security game against the adversary in Definition 2. Then, we can modify the last game in an indistinguishable way to obtain the next game. The adversary has no advantage unconditionally in the last game, thus he can make the queries many times, then the event will happen in the next game. Since each game is indistinguishable from the next, to prove the real security game, we can show that the probability of an event is negligible if the DBDH assumption holds. The detailed process is shown as follows.

• Hash $H_3$ queries: $A_2$ makes a hash $H_3$ query on $\Phi_i$, $B_2$ checks the list $H_3^{list}$ and performs as follows.
- $B_2$ selects a random string $h_{3,i} \in \{0, 1\}^{l_1+l_2}$ and returns $h_{3,i}$ to $A_2$.
• Decryption queries: $A_2$ makes a decryption query on $C$, $B_2$ returns $m$ to $A_2$ by running the decryption algorithm using the private key.

• Decryption queries: $B_2$ responds to a decryption query as in Game 0.

Challenge phase: For any $m^*$, $B_2$ randomly chooses $r, t \in \mathbb{Z}_q^*$, $\omega_1^* \in \{0, 1\}^{l_1+l_2}$ and computes $h = H_2(m^*)$, $S = \prod_{i=0}^{n} S_i^{r h^i}$ and defines the challenge ciphertexts as follows:
Update phase: $B_2$ adds the tuple $(e(h_{ID}, U)^t, \omega_1^*)$ to the list $H_3^{list}$.
5. Output phase: $A_2$ outputs a guess $m$ for $m^*$. Compared to Game 0, the value of $H_3$ is replaced by a random value $\omega_1^*$ in Game 1. According to the random oracle model, the advantage of $A_2$ winning in Game 1 is identical to Game 0. Thus (2) and performs as follows.

• Decryption queries: $A_2$ makes a decryption query on $C$. If $C$ is equal to the challenge ciphertext $C^*$ except $C_3$, $B_2$ returns $\perp$. Otherwise, $B_2$ responds as in Game 1.
If the following two cases hold, $P_1$ can solve the CBDH problem:
1. $A_2$ has never made a hash $H_3$ query on $e(h_{ID}, C_2)^y$ before a decryption query on $C = \{C_1, C_2, C_3, C_4\}$. In this case, $P_1$ returns $\perp$. If $C$ is a valid ciphertext, it means $A_2$ guesses the value of $h_{3,i}$ correctly. Thus the probability is $\frac{1}{2^{l_1+l_2}}$.
2. The event $E_1$ occurs in the hash $H_3$ queries. It means that the list $H_3^{list}$
Let $X_1$ be the event that the ciphertext is valid when $P_1$ returns $\perp$ in case 1. Then we have
Let $X_2$ be the event in case 2 that $P_1$ obtains $e(g, g)^{xyz}$ as a solution of the CBDH problem. If $X_1$ does not occur and $(e(h_{ID}, C_2)^y, \perp)$ appears in the list $H_3^{list}$ with the probability at least
So, we obtain $Adv^{CBDH}$
According to the assumption, if $\Pr[E_1]$ is non-negligible, the advantage $Adv^{CBDH}_{P_1}$ is non-negligible. The proof of Claim 1 is completed.

Claim 2. Event $Q_2$ occurs with negligible probability $\Pr[Q_2]$ in Game 2 if the CBDH problem is intractable.
Proof. Assume the event $Q_2$ occurs in Game 2 with a non-negligible probability $\Pr[Q_2]$; then we can construct an algorithm $P_2$ that can compute $e(g, g)^{xyz}$ with a non-negligible probability when receiving a random CBDH problem instance $(g, g^x, g^y, g^z)$.
Owing to the Equations (1)-(8), we can claim that
So, Theorem 3 has been proved.
According to Theorem 2 and Theorem 3, we can show that the proposed IBE-FET scheme satisfies OW-ID-CCA security. Assume an OW-ID-CCA adversary A is able to break IBE-FET with the probability $\varepsilon$; then there exists an algorithm B that can solve the CBDH problem with the probability at least $\varepsilon' = \frac{\varepsilon}{e(q_{dk}+q_{Aut}+q_d+1)(q_{H_3}+1)} - \frac{q_{H_3} \cdot q_d}{2^{l_1+l_2}(q_{H_3}+1)}$.

Comparison
The comparison for the proposed IBE-FET scheme and the related schemes [23][24][25]30,32,33,39] is given in Table 1. Let ET be the equality test, FET be the filtered equality test, ID be the identity-based and ROM be the random oracle model. Let denote "satisfy" and denote "not satisfy".

Schemes  ET  FET  ID  ROM  Security  Assumption
[23]  OW-CCA  CDH
[24]  OW-CCA,IND-CCA  CDH,DDH
[25]  OW-CCA,IND-CCA  CDH
[30]  OW-CCA,IND-CCA  CONF,CDH
[32]  OW-ID-CCA  CDH
[33]  OW-ID-CCA  CBDH
[39]  IND-CCA  SXDH
The proposed scheme  OW-ID-CCA  CBDH

From Table 1, it is clearly observed that scheme [39] and the proposed scheme support the filtered equality test while other schemes only provide the equality test. Schemes [32,33] and the proposed scheme adopt the identity-based cryptography which can avoid the certificate management problem, while other schemes adopt public key cryptography. With regard to security, all schemes are provably secure based on basic assumptions in the random oracle model except scheme [39]. However, none of the schemes [23][24][25]30,32,33,39] satisfies both the filtered equality test property and the identity-based property; only our scheme does.

Computation Cost
For computation complexity estimation, the time cost for performing the cryptographic operations is defined as follows. Let $T_E$ and $T_P$ denote the time of a scalar multiplication operation and a bilinear pairing operation, respectively. The time of a map-to-point hash function operation is denoted as $T_H$. Other lightweight operations (point addition, one-way hash function operation) are not taken into account.
To offer an 80-bit security level, we adopt the symmetric bilinear pairing $e : G_1 \times G_1 \to G_T$, where $G_1$ is the cyclic group of order $q$ generated by a generator $g$ on the supersingular elliptic curve $E : y^2 = x^3 + x \bmod p$ with embedding degree 2. Here $p$ is a 512-bit prime number and $q$ is a 160-bit Solinas prime number, which satisfy $q \cdot 12 \cdot r = p + 1$. Using the MIRACL Crypto SDK [51], the running times of the cryptographic operations are quantified. The experiment is run on an Intel Core i5-4590 3.3 GHz CPU with 8 gigabytes of memory in a Windows 7 environment. Table 2 lists the average execution times of the cryptographic operations $T_E$, $T_P$, and $T_H$. Based on the experimental results, the computation costs of the proposed IBE-FET scheme and the related schemes [23,24,25,30,32,33,39] are summarized in Table 3.

Table 3. Computation costs.

Schemes | Encryption | Decryption | Authorization | Equality Test

In the encryption phase, the proposed scheme needs to execute $n + 3$ scalar multiplication operations, two bilinear pairing operations and two map-to-point hash operations; therefore, the total encryption time is $(n + 3)T_E + 2T_P + 2T_H = 3.7770n + 48.8996$ ms. In the decryption phase, the proposed scheme needs to execute $n + 1$ scalar multiplication operations, $n + 2$ bilinear pairing operations and one map-to-point hash operation; therefore, the total decryption time is $(n + 1)T_E + (n + 2)T_P + 1T_H = 12.8561n + 31.6404$ ms. In the authorization phase, the proposed scheme needs to execute $n + 1$ scalar multiplication operations; therefore, the total authorization time is $(n + 1)T_E = 3.7770n + 3.7770$ ms. In the test phase, the proposed scheme needs to execute $n + 1$ bilinear pairing operations; therefore, the total test time is $(n + 1)T_P = 9.0791n + 9.0791$ ms.

From Table 3, we can see that the computational cost of the proposed scheme is higher than those of the other schemes [23,24,25,30,32,33,39] in both the encryption and decryption phases. In the authorization and test phases, the proposed scheme has the same computational cost as scheme [39], which is more than those of other schemes [23,24,25,30,32,33,39].

Figure 6 describes the relationship between the computational cost of the proposed scheme and the number of messages n. As shown in Figure 6, the total computational cost increases linearly with the number of messages in all phases. In the encryption, decryption, authorization, and equality test phases of the proposed scheme, the computational cost is 67.7496, 95.9209, 22.6270 and 54.4746 ms, respectively, when n = 5, and 162.2096, 417.3234, 117.0870 and 281.4521 ms, respectively, when n = 30. Based on the above analysis, the computational cost of the proposed scheme is feasible.
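The pairing parameters chosen at the start of this section (curve y^2 = x^3 + x over F_p, q · 12 · r = p + 1, embedding degree 2) can be checked at toy size. This is an added example, not the authors' code: the small q values and the helper names are constructed for illustration, and the real parameters are a 512-bit p and a 160-bit q.

```python
# Toy-sized check of the curve family E: y^2 = x^3 + x over F_p with
# q * 12 * r = p + 1. The q values below are constructed, not from the paper.

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    i = 2
    while i * i <= n:
        if n % i == 0:
            return False
        i += 1
    return True

def toy_params(q, r_max=100):
    """Smallest cofactor r such that p = 12*q*r - 1 is prime."""
    for r in range(1, r_max + 1):
        p = 12 * q * r - 1
        if is_prime(p):
            return p, r
    raise ValueError("no prime p found for this q")

def count_points(p):
    """#E(F_p) by brute force, including the point at infinity."""
    sqrt_count = [0] * p          # sqrt_count[v] = number of y with y^2 = v
    for y in range(p):
        sqrt_count[y * y % p] += 1
    return 1 + sum(sqrt_count[(x * x * x + x) % p] for x in range(p))

def embedding_degree(q, p, k_max=12):
    """Smallest k with q | p^k - 1, so that G_T sits inside F_{p^k}^*."""
    for k in range(1, k_max + 1):
        if pow(p, k, q) == 1:
            return k
    return None

def check(q):
    """Build toy parameters for q and report the properties the text relies on."""
    p, r = toy_params(q)
    return {"p": p, "r": r, "p_mod_4": p % 4,
            "order": count_points(p), "k": embedding_degree(q, p)}

if __name__ == "__main__":
    for q in (7, 13, 101):
        print(q, check(q))
```

Because p = 12qr - 1 is always 3 mod 4, the curve has exactly p + 1 points, and p ≡ -1 (mod q) forces the embedding degree to 2, so pairing values lie in a subgroup of F_{p^2}^*.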
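The per-phase cost formulas above can be recomputed from the operation counts and compared with the figures quoted for n = 5 and n = 30. This is an added example, not the authors' code; the value of T_H is not stated in this text, so deriving it from the encryption intercept 48.8996 is an assumption.

```python
# Timings in ms taken from the coefficients quoted in the text.
T_E = 3.7770                                  # scalar multiplication
T_P = 9.0791                                  # bilinear pairing
# Assumption: T_H derived from 48.8996 = 3*T_E + 2*T_P + 2*T_H.
T_H = (48.8996 - 3 * T_E - 2 * T_P) / 2       # map-to-point hash

# Operation counts per phase: (scalar mults, pairings, hashes), each given
# as (coefficient of n, constant), as stated in the paragraph above.
PHASES = {
    "encryption":    ((1, 3), (0, 2), (0, 2)),
    "decryption":    ((1, 1), (1, 2), (0, 1)),
    "authorization": ((1, 1), (0, 0), (0, 0)),
    "test":          ((0, 0), (1, 1), (0, 0)),
}

# Figures quoted in the text for n = 5 and n = 30 (ms).
QUOTED = {
    5:  {"encryption": 67.7496, "decryption": 95.9209,
         "authorization": 22.6270, "test": 54.4746},
    30: {"encryption": 162.2096, "decryption": 417.3234,
         "authorization": 117.0870, "test": 281.4521},
}

def cost_ms(phase, n):
    """Cost of one phase for a message set of size n, rounded to 4 decimals."""
    (e_n, e_c), (p_n, p_c), (h_n, h_c) = PHASES[phase]
    total = ((e_n * n + e_c) * T_E + (p_n * n + p_c) * T_P
             + (h_n * n + h_c) * T_H)
    return round(total, 4)

def mismatches(tol=5e-4):
    """(n, phase, quoted, recomputed) wherever the two differ by more than tol."""
    return sorted((n, phase, quoted, cost_ms(phase, n))
                  for n, row in QUOTED.items()
                  for phase, quoted in row.items()
                  if abs(cost_ms(phase, n) - quoted) > tol)

if __name__ == "__main__":
    print("derived T_H =", round(T_H, 4))
    for row in mismatches():
        print(row)
```

At n = 5 the formulas evaluate to 67.7846 ms for encryption and 22.6620 ms for authorization; the other six quoted figures are reproduced to four decimals, and the derived T_H also reproduces the decryption intercept 31.6404.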

Communication Cost
We compare the communication cost of the proposed IBE-FET and those of the related schemes [23,24,25,30,32,33,39] in this section. The communication cost is represented by the size of the messages transmitted. The sender transmits the ciphertext to the cloud server for storage, and a warrant is transmitted from the receiver to the cloud server in order to perform the filtered equality test. Therefore, the communication cost arises from the communication between the sender and the cloud server and between the receiver and the cloud server. Let $|PK|$, $|CT|$ and $|WT|$ denote the sizes of the public key, ciphertext and warrant, respectively. Let $|G_1|$ be the length of an element in group $G_1$, $|G_T|$ be the length of an element in group $G_T$, and $|Z_q|$ be the length of an element of $Z_q$. Since the size of q is 512 bits (64 bytes), the sizes of the elements in groups $G_1$ and $G_T$ are 512 bits (64 bytes) and 3072 bits (384 bytes), respectively. The length of an element of $Z_q$ is 512 bits (64 bytes).

Conclusions
In this paper, based on bilinear pairing and secret sharing, we have presented an identity-based encryption with the filtered equality test (IBE-FET) scheme. The security analysis demonstrated that the proposed IBE-FET is OW-ID-CCA secure under the CBDH assumption in the random oracle model. The performance evaluation and comparison indicate that the proposed IBE-FET achieves greater functionality than most previous schemes and adopts identity-based cryptography, which effectively avoids the certificate management issue. In addition, the total computational cost increases linearly with the number of messages n in all phases. Besides, in terms of communication cost, the proposed scheme is efficient. Therefore, the proposed IBE-FET scheme is more practical.
Author Contributions: Y.M. and E.W. conceived of the work, designed the concrete scheme and wrote the paper.