Anonymous Revocable Identity-Based Encryption Supporting Anonymous Revocation

Abstract

Anonymous identity-based encryption (AIBE) is an extension of identity-based encryption (IBE) that enhances the privacy of a ciphertext by providing ciphertext anonymity. In this paper, we introduce the concept of revocable IBE with anonymous revocation (RIBE-AR), which can issue an update key and hide the revoked set of the update key that efficiently revokes private keys of AIBE. We first define the security models of RIBE-AR and propose an efficient RIBE-AR scheme in bilinear groups. Our RIBE-AR scheme is similar to the existing RIBE scheme in terms of efficiency, but it is the first RIBE scheme to provide additional ciphertext anonymity and revocation privacy. We show that our RIBE-AR scheme provides selective message privacy, selective identity privacy, and selective revocation privacy.

1. Introduction

An anonymous identity-based encryption (AIBE) scheme that provides ciphertext anonymity is an extension of an identity-based encryption (IBE) scheme that uses an identity string as a public key and strengthens the privacy of a ciphertext by providing anonymity for the recipient’s identity, which is included in the ciphertext. The first IBE scheme was proposed by Boneh and Franklin using pairing [1], and their IBE scheme was later found to provide anonymity [2]. Because an AIBE scheme can provide ciphertext anonymity in communication between users, it can be a very useful tool in fully private communication environments [2,3]. In addition, an AIBE scheme can also be used for a searchable public-key encryption scheme, which is a new type of public key encryption that allows searching keywords in encrypted data [4,5].

How to effectively revoke the private key is a very important issue when managing the private key of a user in a public-key system. One way to handle the revocation of private keys in an AIBE scheme is to periodically issue an update key similar to a revocable IBE (RIBE) scheme, which efficiently revokes the private key of an IBE scheme [6]. In the RIBE scheme, each user who has a private key $SK$ periodically obtains an update key $UK$ issued by a trusted center. When a sender creates a ciphertext $CT$ associated with a receiver identity $ID$ and current time T for a receiver, the receiver can decrypt the ciphertext by combining his private key with an update key at that time. If the private key of the receiver is not revoked in the update key, the receiver can derive a valid decryption key $DK$ to decrypt the ciphertext. However, in this revocation method, since the update key exposes the revoked set R of users, there is a problem in that the anonymity of the ciphertext can be breached by using this revoked set in the update key since the receiver identity of the ciphertext will not belong to the revoked set.

In this paper, we would like to solve the problem of designing an RIBE scheme that supports the efficient revocation of user private keys in an AIBE scheme, which provides anonymity of ciphertext, while not revealing additional revoked information of users in an update key.

1.1. Our Contributions

We first introduce RIBE with revocation privacy (RIBE-AR), which provides ciphertext anonymity and revocation privacy, and define three security models of RIBE-AR. The syntax of RIBE-AR is almost identical to the syntax of RIBE. In other words, a ciphertext is associated with an identity $ID$ and time T, a private key is associated with an identity $ID$, and an update key is associated with a revocation set R and time T. As for the security model, the existing RIBE defines only message privacy, which is indistinguishability against chosen-plaintext attacks (IND-CPA), but the RIBE-AR defines three security models: message privacy (IND-CPA), identity privacy (anonymity against chosen-plaintext attacks, ANO-CPA), and revocation privacy (REV-PRV). The IND-CPA security guarantees that the message M of a ciphertext is hidden as before, and the ANO-CPA security model guarantees that the identity $ID$ of a ciphertext is hidden. Lastly, the REV-PRV security model guarantees that the revocation set R of an update key is hidden.

Next, we propose an RIBE-AR scheme that provides ciphertext anonymity and revocation privacy in asymmetric bilinear groups and prove the security of our scheme. In order to devise an RIBE-AR scheme that provides ciphertext anonymity only, we first constructed a basic RIBE scheme by combining an AIBE scheme, an IBE scheme, and a tree-based broadcast encryption scheme. However, this basic RIBE scheme derived in this way does not hide the revocation set of an update key. To provide revocation privacy, we additionally encrypt all node update keys in the update key by using a symmetric-key encryption scheme and provide hint values to quickly search for matching nodes. Compared with the existing RIBE scheme, our RIBE-AR scheme has similar efficiency in terms of private key size and update key size, but it requires slightly increased computation in the decryption key derivation. The detailed comparison of RIBE schemes is given in Table 1. Finally, we show that our RIBE-AR scheme satisfies the selective IND-CPA security, the selective ANO-CPA security, and the selective REV-PRV security.

Table 1. Comparison of RIBE schemes in bilinear groups.

Scheme	PP Size	SK Size	UK Size	CT Size	ANO	RP	DKER
BF [1]	$O\left(1\right)$	$O\left(1\right)$	$O(N-r)$	$O\left(1\right)$	Yes	No	Yes
BGK [6]	$O\left(1\right)$	$O(logN)$	$O(rlog{\displaystyle \frac{N}{r}})$	$O\left(1\right)$	No	No	No
LV [7]	$O\left(\lambda \right)$	$O(logN)$	$O(rlog{\displaystyle \frac{N}{r}})$	$O\left(1\right)$	No	No	No
SE [8]	$O\left(\lambda \right)$	$O(logN)$	$O(rlog{\displaystyle \frac{N}{r}})$	$O\left(1\right)$	No	No	Yes
LLP [9]	$O\left(1\right)$	$O\left({log}^{2}N\right)$	$O\left(r\right)$	$O\left(1\right)$	No	No	Yes
WES [10]	$O\left(1\right)$	$O(logN)$	$O(rlog{\displaystyle \frac{N}{r}})$	$O\left(1\right)$	No	No	Yes
Ours	$O\left(1\right)$	$O(logN)$	$O\left(\lceil rlog{\displaystyle \frac{N}{r}}\rceil \right)$	$O\left(1\right)$	Yes	Yes	Yes

Let $\lambda$ be a security parameter, N be the number of all users, and r be the number of revoked users. We count the number of group elements to measure the size. We use symbols ANO for ciphertext anonymity, RP for revocation privacy, and DKER for decryption key exposure resistance.

1.2. Our Techniques

The well-known method of designing an RIBE scheme using IBE schemes is to combine two IBE schemes and the complete subtree (CS) method [6]. At this time, the private key $SK$ of the RIBE scheme is composed of IBE private keys corresponding to the path nodes of a binary tree, and the update key $UK$ of the RIBE scheme is composed of IBE private keys corresponding to the cover nodes that include non-revoked leaf nodes in the binary tree. The main advantages of this approach to build an RIBE scheme are that a sender can create a ciphertext $CT$ without knowing revoked users, and the size of an update key $UK$ periodically issued by a center does not increase linearly with the number of non-revoked users.

Our RIBE-AR scheme also employs this methodology to design the existing RIBE scheme. At this time, we combine an AIBE scheme, an IBE scheme, and the CS method to provide ciphertext anonymity. We modify the AHIBE scheme proposed by Ducas [11] as the underlying AIBE scheme to allow private key randomization and use the IBE scheme of Boneh and Boyen [12] as the underlying IBE scheme. However, this basic RIBE scheme, which simply combines AIBE and IBE schemes with the CS method, does not provide revocation privacy. The reason is that since an update key is publicly known, if we check which update key node is used for decryption in the process of deriving a decryption key by combining the update key and a private key, we can derive a matching node in the update key, which can be used to distinguish revocation sets.

To ensure revocation privacy, we encrypt each node update key in an update key by using symmetric key encryption. To do this, we set each node $v_i$ in a binary tree to have a symmetric key ${\kappa }_i$ and encrypt the corresponding node update key $NU{K}_i$ with the key ${\kappa }_i$. We also randomly mix all node update keys included in the update key so that additional information of tree nodes is not exposed. In order to decrypt the encrypted node update key, we set each node private key $NS{K}_i$ associated with a node $v_i$ in a private key to have a symmetric key ${\kappa }_i$. If the node private key $NS{K}_i$ of $SK$ and the node update key $NU{K}_i$ of $UK$ relate to the same node $v_i$, then we can decrypt the encrypted $NU{K}_i$ with ${\kappa }_i$ included in $NS{K}_i$ and check the correctness of the decryption. However, this method has the disadvantage of being too slow in deriving a decryption key because all possible combinations of all node private keys and all node update keys should be attempted.

In order to quickly derive a decryption key, we include hint values that allow checking for matching nodes in each node update key. For reference, this method of using hints has already been used in anonymous broadcast encryption schemes [13,14]. To use hint values, the node private key of a private key includes a random ${\omega }_i$ associated with a node $v_i$, and the node update key of an update key also includes a hint element $Y_i=V^{{\omega }_i}$ associated with a node $v_i$ where the element V is a unique random element for each update key. In this case, a receiver who owns a private key has exponent values $({\omega }_1,\dots ,{\omega }_n)$ corresponding to the path nodes of a binary tree, and uses the element V of the update key to derive elements $(V^{{\omega }_1},\dots ,V^{{\omega }_n})$. Afterwards, the receiver can quickly find a matching node by comparing these derived elements with the hint values $(Y_1,\dots ,Y_m)$ included in node update keys of an update key. Note that an attacker who has access to only a limited set of revoked private keys will not be able to distinguish revoked sets even if he obtains hint values.

1.3. Related Work

IBE and AIBE. An identity-based encryption (IBE) scheme was first proposed by Boneh and Franklin in bilinear groups [1], and the security of their scheme was proven under the BDH assumption. The BF-IBE scheme is also the first anonymous IBE (AIBE) scheme that provides ciphertext anonymity by hiding the identity of a ciphertext [2]. Boyen proposed an identity-based sign/encryption (IBSE) scheme with ciphertext anonymity by modifying the BF-IBE scheme [15]. An AIBE scheme can be used for the construction of a public-key encryption with keyword search (PEKS) scheme that supports keyword searches on encrypted data [4,5]. The first AIBE and anonymous HIBE schemes without random oracles were proposed by Boyen and Waters under the decision linear assumption [3]. Gentry also proposed an AIBE scheme without random oracles using a strong q-type assumption [16]. Ducas proposed AIBE and anonymous HIBE schemes using asymmetric bilinear groups [11]. The first lattice-based IBE scheme proposed by Gentry et al. is also an AIBE scheme because it provides anonymity [17]. Both hidden-vector encryption and inner-product encryption schemes, which are extensions of IBE, can be easily converted to AIBE schemes through simple conversion [18,19].

Revocable IBE. Boneh and Franklin first noticed the private key revocation problem of IBE and proposed a revocation method of periodically reissuing private keys [1]. However, this method has the disadvantage that the private key reissuing increases in proportion to the number of users because each individual user must be issued a new private key periodically. Boldyreva et al. proposed a different method in which a trusted center periodically generates an update key and broadcasts it for non-revoked users [6]. This method has the advantage that the update key size does not proportionally increase depending on the number of users because it uses a tree-based broadcast encryption scheme. Seo and Emura updated the previous security model of RIBE schemes by allowing the decryption key queries of an adversary [8]. Lee et al. proposed an efficient RIBE scheme with an improved update key size by using the subset difference method instead of the previous complete subtree method [9]. Many additional studies have been conducted to improve the security or efficiency of RIBE schemes [7,10,20,21]. Another research direction is being conducted on RHIBE schemes that can efficiently handle the revocation of the private key in HIBE schemes by using similar methods of the RIBE scheme [22,23,24]. Recently, generic conversion methods of designing RIBE or RHIBE schemes using IBE or HIBE schemes in a black-box way have been proposed [25,26,27], but these approaches are somewhat inefficient compared with direct design approaches.

2. Preliminaries

In this section, we review pseudo-random functions, symmetric-key encryption, and the complete subtree method, which is one instance of the subset cover framework.

2.1. Pseudo-Random Function

A pseudo-random function (PRF) is an efficiently computable function $F:\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$ where $\mathcal{K}$ is the key space, $\mathcal{X}$ is the domain, and $\mathcal{Y}$ is the range. Let $F(k,·)$ be an oracle for a uniformly chosen $k\in \mathcal{K}$ and $f(·)$ be an oracle for a uniformly chosen function $f:\mathcal{X}\to \mathcal{Y}$. We say that a PRF is secure if for all probabilistic polynomial-time adversaries $\mathcal{A}$ the advantage $Ad{v}_{\mathcal{A}}^{PRF}\left(\lambda \right)=|Pr[{\mathcal{A}}^{F(k,·)}=1]-Pr[{\mathcal{A}}^{f(·)}=1]|$ is negligible.

2.2. Symmetric-Key Encryption

Symmetric-key encryption (SKE) is an encryption method in which the sender and receiver use the same symmetric key for encryption and decryption. The syntax of SKE is defined as follows.

Definition 1

(Symmetric-Key Encryption, SKE). A symmetric-key encryption (SKE) scheme consists of three algorithms GenKey, Encrypt, and Decrypt, which are defined as follows:

• GenKey($1^{\lambda }$). The key generation algorithm takes as input a security parameter λ. It outputs a symmetric key K.
• Encrypt($K,M$). The encryption algorithm takes as input a message $M\in \mathcal{M}$ and the symmetric key K. It outputs a ciphertext C.
• Decrypt($K,C$). The decryption algorithm takes as input a ciphertext $CT$ and the symmetric key K. It outputs a message M or a symbol ⊥.

The correctness of the SKE scheme is defined as follows: For all K generated by GenKey and any message $M\in \mathcal{M}$, it is required that $\mathit{Decrypt}(K,\mathit{Encrypt}(K,M\left)\right)=M$.

In general, the indistinguishability against chosen-plaintext attacks (IND-CPA) security model of the SKE scheme allows multiple challenge ciphertext queries, but we use a simple security model that allows only one challenge ciphertext query. Note that an SKE scheme, which is IND-CPA secure for the model that allows multiple challenge ciphertext queries, is naturally guaranteed to be IND-CPA secure, even for the simple model that allows one challenge ciphertext query.

Definition 2

(Message Privacy, IND-CPA). The IND-CPA security of SKE is defined in the following experiment ${\mathit{EXP}}_{\mathcal{A}}^{IND-CPA}\left(1^{\lambda }\right)$ between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

• Setup: $\mathcal{C}$ generates a symmetric key K by running $\mathit{GenKey}\left(1^{\lambda }\right)$. It keeps K to itself.
• Phase 1: $\mathcal{A}$ adaptively request a polynomial number of encryption queries. For each encryption query for a message M, $\mathcal{C}$ generates a ciphertext $CT$ by running $\mathit{Encrypt}(K,M)$ and gives $CT$ to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ submits challenge messages $M_0^{*},M_1^{*}$ where $|M_0^{*}|=|M_1^{*}|$. $\mathcal{C}$ flips a random coin $\mu \in \{0,1\}$ and gives a challenge ciphertext $C{T}^{*}$ to $\mathcal{A}$ by running $\mathit{Encrypt}(K,M_{\mu }^{*})$.
• Phase 2: $\mathcal{A}$ may continues to request additional encryption queries and $\mathcal{C}$ handles these queries as the same as the phase 1.
• Guess: $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$ of μ. $\mathcal{C}$ outputs 1 if $\mu ={\mu }^{\prime }$ or 0 otherwise.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{SKE,\mathcal{A}}^{IND-CPA}\left(\lambda \right)=|Pr[{\mathit{EXP}}_{\mathcal{A}}^{IND-CPA}\left(1^{\lambda }\right)=1]-{\displaystyle \frac{1}{2}}|$. An SKE scheme is IND-CPA secure if for all PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ is negligible in the security parameter λ.

The key privacy (KEY-PRV) security model of SKE is that an attacker cannot distinguish which of the two symmetric keys $K_0$ and $K_1$ is used for encryption. We use a simple security model that allows one challenge ciphertext query by modifying the definition of Bellare et al. [28] for PKE into the definition for SKE.

Definition 3

(Key Privacy, KEY-PRV [28]). The KEY-PRV security of SKE is defined in the following experiment ${\mathit{EXP}}_{\mathcal{A}}^{KEY-PRV}\left(1^{\lambda }\right)$ between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

• Setup: $\mathcal{C}$ generates symmetric keys $K_0,K_1$ by running $\mathit{GenKey}\left(1^{\lambda }\right)$. It keeps $K_0,K_1$ to itself.
• Phase 1: $\mathcal{A}$ adaptively request a polynomial number of encryption queries. For each encryption query for a message M and a choice $b\in \{0,1\}$, $\mathcal{C}$ generates a ciphertext $CT$ by running $\mathit{Encrypt}(K_b,M)$ and gives $CT$ to $\mathcal{A}$.
• Challenge: $\mathcal{A}$ submits a challenge message $M^{*}$. $\mathcal{C}$ flips a random coin $\mu \in \{0,1\}$ and gives a challenge ciphertext $C{T}^{*}$ to $\mathcal{A}$ by running $\mathit{Encrypt}(K_{\mu },M^{*})$.
• Phase 2: $\mathcal{A}$ may continues to request additional encryption queries and $\mathcal{C}$ handles these queries as the same as the phase 1.
• Guess: $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$ of μ. $\mathcal{C}$ outputs 1 if $\mu ={\mu }^{\prime }$ or 0 otherwise.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{SKE,\mathcal{A}}^{KEY-PRV}\left(\lambda \right)=|Pr[{\mathit{EXP}}_{\mathcal{A}}^{KEY-PRV}\left(1^{\lambda }\right)=1]-{\displaystyle \frac{1}{2}}|$. An SKE scheme is KEY-PRV secure if for all PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ is negligible in the security parameter λ.

2.3. The Complete Subtree Method

The complete subtree (CS) method is one instance of the subset cover revocation framework of Naor et al. [29]. The simplified CS method is given as follows:

$\mathbf{CS.Setup}\left(N\right)$:

Let N be the number of all users where $N=2^n$ for simplicity. It sets a perfect binary tree $\mathcal{BT}$ of depth n. Each user is assigned to a different leaf node in $\mathcal{BT}$. It outputs the binary tree $\mathcal{BT}$.

$\mathbf{CS.Assign}(\mathcal{BT},v)$:

Let v be a leaf node assigned to a user. Let $(v_{k_0},v_{k_1},\dots ,v_{k_n})$ be the path from the root node $v_{k_0}=v_0$ to the leaf node $v_{k_n}=v$. It initializes a private set $PV=\varnothing$. For all $j\in \{k_0,\dots ,k_n\}$, it adds $v_j$ into $PV$. It outputs the private set $PV=\left\{v_j\right\}$.

$\mathbf{CS.Cover}(\mathcal{BT},R)$:

Let R be a set of revoked users which consists of leaf nodes. It computes the Steiner tree ${\mathcal{ST}}_R$. Let ${\mathcal{T}}_{k_1},\dots {\mathcal{T}}_{k_m}$ be all the subtrees of $\mathcal{BT}$ that hang off ${\mathcal{ST}}_R$, that is all subtrees whose roots $v_{k_1},\dots v_{k_m}$ are not in ${\mathcal{ST}}_R$ but adjacent to nodes of outdegree 1 in ${\mathcal{ST}}_R$. It initializes a cover set $CV=\varnothing$. For all $i\in \{k_1,\dots ,k_m\}$, it adds $v_i$ into $CV$. It outputs the cover set $CV=\left\{v_i\right\}$.

$\mathbf{CS.Match}(CV,PV)$:

It finds a common node $v_k$ with $v_k\in CV$ and $v_k\in PV$. If there exists a common node, it outputs $(v_k,v_k)$. Otherwise, it outputs ⊥.

The correctness of the CS scheme requires that if $v\notin R$, then $\mathbf{CS.Match}(CV,PV)=(v_k,v_k)$ for the same $v_k$ where $CV$ and $PV$ are associated with R and v, respectively.

3. Anonymous RIBE with Anonymous Revocation

In this section, we define the syntax and security models of RIBE-AR that provides message privacy, identity privacy, and revocation privacy.

3.1. Definition

Revocable IBE with anonymous revocation (RIBE-AR) is an extension of IBE and supports the revocation of user private keys through the issuance of update keys [6]. In an RIBE-AR scheme, a trusted center creates a user’s private key using the master key and status information and maintains a revocation list. If the private key of a user is revealed or expires, then the trusted center updates the revocation list by including the identity of the revoked user. And the trusted center periodically issues an update key using the revocation list and broadcasts it for non-revoked users. A sender creates a ciphertext by specifying the identity of a recipient and current time. A receiver can derive a decryption key by combining his private key with the update key if his private key is not revoked in the update key. By using the decryption key, the recipient can decrypt the corresponding ciphertext. The more detailed syntax of RIBE is given as follows.

Definition 4

(RIBE with Anonymous Revocation, RIBE-AR). An RIBE-AR scheme consists of seven algorithms Setup, GenKey, UpdateKey, DeriveKeyEncrypt, Decrypt, and Revoke, which are defined as follows:

• $\mathit{Setup}(1^{\lambda },N)$: The setup algorithm takes as input a security parameter $1^{\lambda }$ and the maximum number of users N. It outputs a master key $MK$, an (empty) revocation list $RL$, and public parameters $PP$.
• $\mathit{GenKey}(ID,MK,ST,PP)$: The private key generation algorithm takes as input an identity $ID\in \mathcal{I}$, the master key $MK$, and public parameters $PP$. It outputs a private key $S{K}_{ID}$.
• $\mathit{UpdateKey}(T,RL,MK,ST,PP)$: The update key generation algorithm takes as input update time $T\in \mathcal{T}$, the revocation list $RL$, the master key $MK$, and public parameters $PP$. It outputs an update key $U{K}_T$.
• $\mathit{DeriveKey}(S{K}_{ID},U{K}_T,PP)$: The decryption key derivation algorithm takes as input a private key $S{K}_{ID}$, an update key $U{K}_T$, and public parameters $PP$. It outputs a decryption key $D{K}_{ID,T}$.
• $\mathit{Encrypt}(ID,T,M,PP)$: The encryption algorithm takes as input an identity $ID\in \mathcal{I}$, time T, a message $M\in \mathcal{M}$, and public parameters $PP$. It outputs a ciphertext $CT$.
• $\mathit{Decrypt}(CT,D{K}_{I{D}^{\prime },T^{\prime }},PP)$: The decryption algorithm takes as input a ciphertext $CT$, a decryption key $D{K}_{I{D}^{\prime },T^{\prime }}$, and public parameters $PP$. It outputs a message M.
• $\mathit{Revoke}(ID,T,RL)$: The revocation algorithm takes as input an identity $ID$ to be revoked and revocation time T, and a revocation list $RL$. It outputs an updated revocation list $RL$.

The correctness of RIBE-AR is defined as follows: For all $MK$, $RL$, and $PP$ generated by $\mathit{Setup}{1}^{\lambda },\left(N\right)$, $S{K}_{ID}$ generated by $\mathit{GenKey}(ID,MK,PP)$ for any $ID$, $U{K}_T$ generated by $\mathit{UpdateKey}(T,RL,MK,PP)$ for any T and $RL$ such that $(ID,T_j)\notin RL$ for all $T_j\le T$, $CT$ generated by $\mathit{Encrypt}(ID,T,M,PP)$ for $ID$, T, and M, it is required that

• $\mathit{Decrypt}(CT,\mathit{DeriveKey}(S{K}_{ID},U{K}_T,PP),PP)=M$.

3.2. Security Model

The selective IND-CPA security model of RIBE-AR is an extension of the selective IND-CPA security model of IBE that allows the revocation of private keys [6,8]. In this model, an attacker first submits the challenge identity $I{D}^{*}$ and challenge time $T^{*}$ and receives public parameters. Afterwards, the attacker can request private key, update key, decryption key, and revocation queries that satisfy some restrictions to prevent trivial attacks. In the challenge phase, the attacker submits challenge messages $M_0^{*},M_1^{*}$ and receives a challenge ciphertext for $I{D}^{*}$ and $T^{*}$ that encrypts $M_0^{*}$ or $M_1^{*}$. The attacker can then make additional queries and succeed if he correctly guesses the challenge ciphertext message. The detailed definition of this security model is given as follows:

Definition 5

(Message Privacy, SE-IND-CPA). The selective IND-CPA (SE-IND-CPA) security of RIBE-AR is defined in terms of the following experiment ${\mathit{EXP}}_{\mathcal{A}}^{SE-IND-CPA}\left(1^{\lambda }\right)$ between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

• Init: $\mathcal{A}$ submits a challenge identity $I{D}^{*}$ and challenge time $T^{*}$.
• Setup: $\mathcal{C}$ generates a master key $MK$, a revocation list $RL$, a state $ST$, and public parameters $PP$ by running $\mathit{Setup}(1^{\lambda },N)$. It initializes a current time period $T_c=1$ and gives $PP$ to $\mathcal{A}$.
• Phase 1: $\mathcal{A}$ adaptively request a polynomial number of queries. $\mathcal{C}$ handles these queries as follows:
  • Private key query for an identity $ID$: It checks that if $ID=I{D}^{*}$, then $(I{D}^{*},T)\in RL$ for some $T\le T^{*}$. It generates $S{K}_{ID}$ by running $\mathit{GenKey}(ID,MK,PP)$ and gives $S{K}_{ID}$ to $\mathcal{A}$.
  • Update key query: It generates $U{K}_{T_c}$ by running $\mathit{UpdateKey}(T_c,RL,MK,PP)$, sets $T_c=T_c+1$, and gives $U{K}_{T_c}$ to $\mathcal{A}$.
  • Decryption key query for an identity $ID$ and time T: It checks that $(ID,T)\ne (I{D}^{*},T^{*})$ and $1\le T<T_c$. It generates $D{K}_{ID,T}$ by running $\mathit{DeriveKey}(S{K}_{ID},U{K}_T,PP)$ and gives $D{K}_{ID,T}$ to $\mathcal{A}$.
  • Revocation query for an identity $ID$: It updates $RL$ by running $\mathit{Revoke}(ID,T_c,RL)$.
• Challenge: $\mathcal{A}$ submits two challenge messages $M_0^{*},M_1^{*}$ with equal length. $\mathcal{C}$ flips random $\mu \in \{0,1\}$. It obtains a challenge ciphertext $C{T}^{*}$ by running $\mathit{Encrypt}(I{D}_{\mu }^{*},T^{*},M_{\mu }^{*},PP)$ and gives $C{T}^{*}$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ may continue to request additional queries. $\mathcal{B}$ handles these queries as the same as the phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$, and wins the game if $\mu ={\mu }^{\prime }$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{RIBE-AR,\mathcal{A}}^{SE-IND-CPA}\left(\lambda \right)=|Pr[{\mathit{EXP}}_{\mathcal{A}}^{SE-IND-CPA}\left(1^{\lambda }\right)=1]-{\displaystyle \frac{1}{2}}|$ where the probability is taken over all the randomness of the experiment. An RIBE-AR scheme is SE-IND-CPA secure if for all PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ is negligible in the security parameter λ.

The selective ANO-CPA security model of RIBE-AR is an extension of the selective ANO-CPA security model of AIBE to allow the revocation of private keys. In this model, an attacker first submits challenge identities $I{D}_0^{*},I{D}_1^{*}$ and challenge time $T^{*}$ and receives public parameters. Afterwards, the attacker can request private key, update key, decryption key, and revocation queries that satisfy some restrictions to prevent trivial attacks. In the challenge phase, the attacker submits a challenge message $M^{*}$ and receives a challenge ciphertext encrypted with $I{D}_0^{*}$ or $I{D}_1^{*}$ for $T^{*}$ and $M^{*}$. The attacker can then make additional queries and succeed by correctly guessing the challenge identity in the challenge ciphertext. The detailed definition of this security model is given as follows:

Definition 6

(Identity Privacy, SE-ANO-CPA). The selective ANO-CPA (SE-ANO-CPA) security of RIBE-AR is defined in terms of the following experiment ${\mathit{EXP}}_{\mathcal{A}}^{SE-ANO-PRV}\left(1^{\lambda }\right)$ between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

• Init: $\mathcal{A}$ submits two challenge identities $I{D}_0^{*},I{D}_1^{*}$ and challenge time $T^{*}$.
• Setup: $\mathcal{C}$ generates a master key $MK$, a revocation list $RL$, a state $ST$, and public parameters $PP$ by running $\mathit{Setup}(1^{\lambda },N)$. It initializes a current time period $T_c=1$ and gives $PP$ to $\mathcal{A}$.
• Phase 1: $\mathcal{A}$ adaptively request a polynomial number of queries. $\mathcal{C}$ handles these queries as follows:
  • Private key query for an identity $ID$: It checks that if $ID=I{D}_b^{*}$ for some $b\in \{0,1\}$, then $(I{D}_b^{*},T)\in RL$ for some $T\le T^{*}$. It generates $S{K}_{ID}$ by running $\mathit{GenKey}(ID,MK,PP)$ and gives $S{K}_{ID}$ to $\mathcal{A}$.
  • Update key query: It generates $U{K}_{T_c}$ by running $\mathit{UpdateKey}(T_c,RL,MK,PP)$, sets $T_c=T_c+1$, and gives $U{K}_{T_c}$ to $\mathcal{A}$.
  • Decryption key query for an identity $ID$ and time T: It checks that $(ID,T)\ne (I{D}_b^{*},T^{*})$ for all $b\in \{0,1\}$ and $1\le T<T_c$. It generates $D{K}_{ID,T}$ by running $\mathit{DeriveKey}(S{K}_{ID},U{K}_T,PP)$ and gives $D{K}_{ID,T}$ to $\mathcal{A}$.
  • Revocation query for an identity $ID$: It updates $RL$ by running $\mathit{Revoke}(ID,T_c,RL)$.
• Challenge: $\mathcal{A}$ submits a challenge message $M^{*}$. $\mathcal{C}$ flips random $\mu \in \{0,1\}$. It obtains a challenge ciphertext $C{T}^{*}$ by running $\mathit{Encrypt}(I{D}_{\mu }^{*},T^{*},M^{*},PP)$ and gives $C{T}^{*}$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ may continue to request additional queries. $\mathcal{B}$ handles these queries as the same as the phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$, and wins the game if $\mu ={\mu }^{\prime }$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{RIBE-AR,\mathcal{A}}^{SE-ANO-CPA}\left(\lambda \right)=|Pr[{\mathit{EXP}}_{\mathcal{A}}^{SE-ANO-PRV}\left(1^{\lambda }\right)=1]-{\displaystyle \frac{1}{2}}|$ where the probability is taken over all the randomness of the experiment. An RIBE-AR scheme is SE-ANO-CPA secure if for all PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ is negligible in the security parameter λ.

The selective REV-PRV security of RIBE-AR models ensures that external users who only have revoked private keys cannot obtain revocation information from update keys. In this model, an attacker first submits challenge revocation sets $R_0^{*},R_1^{*}$ and challenge time $T^{*}$ and receives public parameters. Afterwards, the attacker can request private key, update key, decryption key, and revocation queries that satisfy some restrictions. One restriction is that an attacker can only query private keys belonging to $R_0^{*}\cap R_1^{*}$. In the challenge phase, the attacker receives a challenge update key for $R_0^{*}$ or $R_1^{*}$. Afterwards, the attacker can make additional queries and finally succeed if he can guess the revoked set of the challenge update key. The detailed definition of this security model is given as follows:

Definition 7

(Revocation Privacy, SE-REV-PRV). The selective REV-PRV (SE-REV-PRV) security of RIBE-AR is defined in terms of the following experiment ${\mathit{EXP}}_{\mathcal{A}}^{SE-REV-PRV}\left(1^{\lambda }\right)$ between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$:

• Init: $\mathcal{A}$ submits two challenge revoked sets $R_0^{*},R_1^{*}$ and challenge time $T^{*}$ such that $|R_0^{*}| = |R_1^{*}|$.
• Setup: $\mathcal{C}$ generates a master key $MK$, a revocation list $RL$, a state $ST$, and public parameters $PP$ by running $\mathit{Setup}(1^{\lambda },N)$. It initializes a current time period $T_c=1$ and gives $PP$ to $\mathcal{A}$.
• Phase 1: $\mathcal{A}$ adaptively request a polynomial number of queries. $\mathcal{C}$ handles these queries as follows:
  • Private key query for an identity $ID$: It checks that $ID\in R_0^{*}\cap R_1^{*}$. It generates $S{K}_{ID}$ by running $\mathit{GenKey}(ID,MK,PP)$ and gives $S{K}_{ID}$ to $\mathcal{A}$.
  • Update key query: It checks that $T_c\ne T^{*}$. It generates $U{K}_{T_c}$ by running $\mathit{UpdateKey}(T_c,RL,MK,PP)$, sets $T_c=T_c+1$, and gives $U{K}_{T_c}$ to $\mathcal{A}$.
  • Decryption key query for an identity $ID$ and time T: It checks that $1\le T<T_c$. It generates $D{K}_{ID,T}$ by running $\mathit{DeriveKey}(S{K}_{ID},U{K}_T,PP)$ and gives $D{K}_{ID,T}$ to $\mathcal{A}$.
  • Revocation query for an identity $ID$: It updates $RL$ by running $\mathit{Revoke}(ID,T_c,RL)$.
• Challenge: $\mathcal{C}$ flips random $\mu \in \{0,1\}$ and proceeds as follows:

  (a) 

  For each $ID\in R_{\mu }^{*}$, it updates $RL$ by adding $(ID,T^{*})$ if $(ID,T)\notin RL$ for some $T<T^{*}$.

  (b) 

  It obtains a challenge update key $U{K}^{*}$ by running $\mathit{UpdateKey}(T^{*},RL,MK,PP)$. It sets $T_c=T^{*}+1$ and gives $U{K}^{*}$ to $\mathcal{A}$.

• Phase 2: $\mathcal{A}$ may continue to request additional queries. $\mathcal{B}$ handles these queries as the same as the phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$, and wins the game if $\mu ={\mu }^{\prime }$.

The advantage of $\mathcal{A}$ is defined as $Ad{v}_{RIBE-AR,\mathcal{A}}^{SE-REV-PRV}\left(\lambda \right)=|Pr[{\mathit{EXP}}_{\mathcal{A}}^{SE-REV-PRV}\left(1^{\lambda }\right)=1]-{\displaystyle \frac{1}{2}}|$ where the probability is taken over all the randomness of the experiment. An RIBE-AR scheme is SE-REV-PRV secure if for all PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ is negligible in the security parameter λ.

Remark 1.

The selective REV-PRV security model we defined is a weak security model because it considers outsider attackers that only query private keys belonging to $R_0^{*}\cap R_1^{*}$ (private keys of revoked users). A stronger security model is to consider inside attackers that can query private keys belonging to $(\mathcal{U}\setminus R_0^{*})\cap (\mathcal{U}\setminus R_1^{*})$ (private keys of non-revoked users) as well as $R_0^{*}\cap R_1^{*}$ (private keys of revoked users) where $\mathcal{U}$ is the set of all users. However, our RIBE-AR scheme in this paper only satisfies this weak security model.

4. Construction from Bilinear Maps

In this section, we propose an anonymous RIBE-AR scheme that provides revocation privacy in bilinear groups.

4.1. Bilinear Groups

A bilinear group generator $\mathcal{G}$ takes as input a security parameter $\lambda$ and outputs a tuple $(p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e)$ where p is a random prime and $\mathbb{G},\widehat{\mathbb{G}}$, and ${\mathbb{G}}_T$ be three cyclic groups of prime order p. Let g and $\widehat{g}$ be generators of $\mathbb{G}$ and $\widehat{\mathbb{G}}$, respectively. The bilinear map $e:\mathbb{G}\times \widehat{\mathbb{G}}\to {\mathbb{G}}_T$ has the following properties:

• Bilinearity: $\forall u\in \mathbb{G},\forall \widehat{v}\in \widehat{\mathbb{G}}$ and $\forall a,b\in {\mathbb{Z}}_p$, $e(u^a,{\widehat{v}}^b)=e{(u,\widehat{v})}^{ab}$.
• Non-degeneracy: $\exists g\in \mathbb{G},\widehat{g}\in \widehat{\mathbb{G}}$ such that $e(g,\widehat{g})$ has order p in ${\mathbb{G}}_T$.

We say that $\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T$ are asymmetric bilinear groups with no efficiently computable isomorphisms if the group operations in $\mathbb{G},\widehat{\mathbb{G}}$, and ${\mathbb{G}}_T$ as well as the bilinear map e are all efficiently computable, but there are no efficiently computable isomorphisms between $\mathbb{G}$ and $\widehat{\mathbb{G}}$.

4.2. Complexity Assumptions

In this section, we introduce complexity assumptions for the security proof of our RIBE scheme.

Assumption 1

(Decisional Bilinear Diffie–Hellman, DBDH [3]). Let $(p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e)$ be an asymmetric bilinear group generated by $\mathcal{G}\left(1^{\lambda }\right)$. Let $g,\widehat{g}$ be random generators of $\mathbb{G},\widehat{\mathbb{G}}$, respectively. The decisional bilinear Diffie–Hellman (DBDH) assumption is that if the challenge tuple

$$D=\left((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b\right) and Z$$

are given, no PPT algorithm $\mathcal{A}$ can distinguish $Z=Z_0=e{(g,\widehat{g})}^{abc}$ from $Z=Z_1=e{(g,\widehat{g})}^d$ with more than a negligible advantage. The advantage of $\mathcal{A}$ is defined as $Ad{v}_{\mathcal{A}}^{DBDH}\left(\lambda \right)=|Pr[\mathcal{A}(D,Z_0)=0]-Pr[\mathcal{A}(D,Z_1)=0]|$ where the probability is taken over random choices of $a,b,c,d\in {\mathbb{Z}}_p$.

Assumption 2

(Decisional eXternal Diffie–Hellman, XDH). Let $(p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e)$ be an asymmetric bilinear group generated by $\mathcal{G}\left(1^{\lambda }\right)$. Let $g,\widehat{g}$ be random generators of $\mathbb{G},\widehat{\mathbb{G}}$, respectively. The decisional XDH assumption in $\widehat{\mathbb{G}}$ is that if the challenge tuple

$$D=\left((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b\right) and Z$$

are given, no PPT algorithm $\mathcal{A}$ can distinguish $Z=Z_0={\widehat{g}}^{ab}$ from $Z=Z_1={\widehat{g}}^c$ with more than a negligible advantage. The advantage of $\mathcal{A}$ is defined as $Ad{v}_{\mathcal{A}}^{XDH}\left(\lambda \right)=|Pr[\mathcal{A}(D,Z_0)=0]-Pr[\mathcal{A}(D,Z_1)=0]|$ where the probability is taken over random choices of $a,b,c\in {\mathbb{Z}}_p$.

Assumption 3

(Decisional P-Bilinear Diffie–Hellman, PBDH, [11]). Let $(p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e)$ be an asymmetric bilinear group generated by $\mathcal{G}\left(1^{\lambda }\right)$. Let $g,\widehat{g}$ be random generators of $\mathbb{G},\widehat{\mathbb{G}}$, respectively. The decisional PBDH assumption is that if the challenge tuple

$$D=\left((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,g^a,g^{ab},g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b\right) and Z$$

are given, no PPT algorithm $\mathcal{A}$ can distinguish $Z=Z_0=g^{abc}$ from $Z=Z_1=g^d$ with more than a negligible advantage. The advantage of $\mathcal{A}$ is defined as $Ad{v}_{\mathcal{A}}^{PBDH}\left(\lambda \right)=|Pr[\mathcal{A}(D,Z_0)=0]-Pr[\mathcal{A}(D,Z_1)=0]|$ where the probability is taken over random choices of $a,b,c,d\in {\mathbb{Z}}_p$.

4.3. AIBE and IBE Schemes

We describe AIBE and IBE schemes, which are the basis for the design of our RIBE-AR scheme. The underlying AIBE scheme we describe is a modified key encapsulation mechanism (KEM) version of the AHIBE scheme proposed by Ducas that supports private key re-randomization [11]. And the underlying IBE scheme we described is a modified KEM version of the IBE scheme of Boneh and Boyen [12]. In addition, we added RandKey and ChangeKey algorithms to the existing AIBE and IBE schemes to enable private key randomization and master-key part randomization in private keys. Using this modification, our RIBE-AR scheme can be simply described by using the AIBE and IBE schemes in a modular way.

The AIBE scheme for $\mathcal{I}={\mathbb{Z}}_p$ from the AHIBE scheme of Ducas is described as follows:

$\mathbf{AIBE.Setup}\left(GDS\right)$:

Let $GDS=((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,\widehat{g})$ be the description of a bilinear group with generators $g\in \mathbb{G},\widehat{g}\in \widehat{\mathbb{G}}$. It selects random exponents $u_1^{\prime },h_1^{\prime },w_1^{\prime }\in {\mathbb{Z}}_p$ and sets $u_1=g^{u_1^{\prime }},h_1=g^{h_1^{\prime }},w=g^{w_1^{\prime }},{\widehat{u}}_1={\widehat{g}}^{u_1^{\prime }},{\widehat{h}}_1={\widehat{g}}^{h_1^{\prime }},\widehat{w}={\widehat{g}}^{w_1^{\prime }}$. It chooses a random exponent $\gamma \in {\mathbb{Z}}_p$ and outputs a master key $MK={\widehat{g}}^{\gamma }$, master parameters $MP=({\widehat{u}}_1,{\widehat{h}}_1,\widehat{w})$, and public parameters $PP=\left(GDS,u_1,h_1,w,\mathsf{\Lambda }=e{(g,\widehat{g})}^{\gamma }\right)$.

$\mathbf{AIBE.GenKey}(ID,MK,MP,PP)$:

It chooses random exponents $r_1,\dots ,r_6\in {\mathbb{Z}}_p$ and outputs a private key $S{K}_{ID}=\left(K_0=MK{\left({\widehat{u}}_1^{ID}{\widehat{h}}_1\right)}^{r_1}{\widehat{w}}^{r_2},K_1={\widehat{g}}^{-r_1},K_2={\widehat{g}}^{-r_2}\right)$ with a rand key $R{K}_{ID}=\left(L_{0,1}={\left({\widehat{u}}_1^{ID}{\widehat{h}}_1\right)}^{r_3}{\widehat{w}}^{r_4},L_{1,1}={\widehat{g}}^{-r_3},L_{2,1}={\widehat{g}}^{-r_4},L_{0,2}={\left({\widehat{u}}_1^{ID}{\widehat{h}}_1\right)}^{r_5}{\widehat{w}}^{r_6},L_{1,2}={\widehat{g}}^{-r_5},L_{2,2}={\widehat{g}}^{-r_6}\right)$.

$\mathbf{AIBE.RandKey}(S{K}_{ID},R{K}_{ID},PP)$:

Let $S{K}_{ID}=(K_0^{\prime },K_1^{\prime },K_2^{\prime })$ and $R{K}_{ID}=(L_{0,1},L_{1,1},L_{2,1},$$L_{0,2},L_{1,2},L_{2,2})$. It chooses random exponents $r_1,r_2\in {\mathbb{Z}}_p$ and outputs a new private key $S{K}_{ID}=\left(K_0=K_0^{\prime }·L_{0,1}^{r_1}{L}_{0,2}^{r_2},K_1=K_1^{\prime }·L_{1,1}^{-r_1}{L}_{1,2}^{-r_2},K_2=K_2^{\prime }·L_{2,1}^{-r_1}{L}_{2,2}^{-r_2}\right)$.

$\mathbf{AIBE.ChangeKey}(S{K}_{ID},\delta ,R{K}_{ID},PP)$:

Let $S{K}_{ID}=(K_0^{\prime },K_1^{\prime },K_2^{\prime })$. It sets $TK=(K_0=K_0^{\prime }·{\widehat{g}}^{\delta },K_1=K_1^{\prime },K_2=K_2^{\prime })$. It outputs a new private key $S{K}_{ID}$ by running $\mathbf{AIBE.RandKey}(TK,R{K}_{ID},PP)$.

$\mathbf{AIBE.Encaps}(ID,t,PP)$:

It outputs a ciphertext header $CH=\left(C_0=g^t,C_1={\left(u_1^{ID}{h}_1\right)}^t,C_2=w^t\right)$ and a session key $EK={\mathsf{\Lambda }}^t$.

$\mathbf{AIBE.Decaps}(CH,S{K}_{ID},PP)$:

Let $CH=(C_0,C_1,C_2)$ and $S{K}_{ID}=(K_0,K_1,K_2)$. It outputs a session key $EK$ by calculating $EK={\prod }_{i=0}^{2}e(C_i,K_i)$.

The IBE scheme for $\mathcal{I}={\mathbb{Z}}_p$ from the IBE scheme of Boneh and Boyen is described as follows:

$\mathbf{IBE.Setup}\left(GDS\right)$:

Let $GDS=((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,\widehat{g})$ be the group description string of a bilinear group with a generator $g\in \mathbb{G}$. It selects random exponents $u_2^{\prime },h_2^{\prime }\in {\mathbb{Z}}_p$ and sets $u_2=g^{u_2^{\prime }},h_2=g^{h_2^{\prime }},{\widehat{u}}_2={\widehat{g}}^{u_2^{\prime }},{\widehat{h}}_2={\widehat{g}}^{h_2^{\prime }}$. It chooses a random exponent $\beta \in {\mathbb{Z}}_p$ and outputs a master key $MK={\widehat{g}}^{\beta }$ and public parameters $PP=\left(GDS,u_2,h_2,{\widehat{u}}_2,{\widehat{h}}_2,\mathsf{\Lambda }=e{(g,\widehat{g})}^{\beta }\right)$.

$\mathbf{IBE.GenKey}(T,MK,PP)$:

It chooses a random exponent $r\in {\mathbb{Z}}_p$ and outputs a private key $S{K}_T=\left(U_0=MK{\left({\widehat{u}}_2^T{\widehat{h}}_2\right)}^r,U_1={\widehat{g}}^{-r}\right)$.

$\mathbf{IBE.RandKey}(S{K}_T,PP)$:

Let $S{K}_T=(U_0^{\prime },U_1^{\prime })$. It chooses a random exponent $r\in {\mathbb{Z}}_p$ and outputs a randomized private key $S{K}_T=\left(U_0=U_0^{\prime }·{\left({\widehat{u}}_2^T{\widehat{h}}_2\right)}^r,U_1=U_1^{\prime }·{\widehat{g}}^{-r}\right)$.

$\mathbf{IBE.ChangeKey}(S{K}_T,\delta ,PP)$:

Let $S{K}_T=(U_0^{\prime },U_1^{\prime })$. It sets $TK=(U_0=U_0^{\prime }·{\widehat{g}}^{\delta },U_1=U_1^{\prime })$. It outputs a new private key $S{K}_T$ by running $\mathbf{IBE.RandKey}(TK,PP)$.

$\mathbf{IBE.Encaps}(T,t,PP)$:

Let t be a random exponent in ${\mathbb{Z}}_p$. It outputs a ciphertext header $C{H}_T=\left(C_0=g^t,C_1={\left(u_2^T{h}_2\right)}^t\right)$ and a session key $EK={\mathsf{\Lambda }}^t$.

$\mathbf{IBE.Decaps}(C{H}_T,S{K}_{T^{\prime }},PP)$:

Let $C{H}_T=(C_0,C_1)$ and $S{K}_{T^{\prime }}=(U_0,U_1)$. If $T=T^{\prime }$, then it outputs a session key $EK$ by computing $EK=e(C_0,U_0)·e(C_1,U_1)$. Otherwise, it outputs ⊥.

4.4. RIBE-AR Construction

The basic idea of designing our RIBE-AR scheme is to follow the existing design method of combining two IBE schemes and a tree-based revocation system [6,8]. For ciphertext anonymity, we use an AIBE scheme instead of the first IBE scheme. For revocation privacy, we encrypt each node update key in an RIBE-AR update key by using an SKE scheme. At this time, a symmetric key used for the encryption of the node update key is uniquely associated with each node of a binary tree, and an RIBE-AR private key has symmetric keys corresponding to the path nodes of the binary tree. In this case, if a common node is associated with the path node in the private key and the cover nodes in the update key exist, it is possible to decrypt the node update key by using the common symmetric key associated with the common node. However, the algorithm for deriving a decryption key has the problem of being slow since it is needed to try all tree nodes included in the update key. To overcome this, we use an efficient method that can quickly find the matching node by providing hint information in an update key, which was devised for anonymous broadcast encryption [13,14]. Additionally, we randomly mix all node update keys in the update key.

Let PRF be a pseudo-random function for $\mathcal{K}={\{0,1\}}^{\lambda }$, $\mathcal{X}={\{0,1\}}^{*}$, and $\mathcal{Y}={\mathbb{Z}}_p^2\times {\{0,1\}}^{\lambda }$. Let Label be a function that uniquely maps a leaf node $v_i$ to a bit string in ${\{0,1\}}^{*}$. Our RIBE-AR scheme for $\mathcal{I}={\mathbb{Z}}_p$, $\mathcal{T}={\mathbb{Z}}_p$, and $\mathcal{M}\in {\mathbb{G}}_T$ is described as follows:

$\mathbf{RIBE-AR.Setup}(1^{\lambda },N)$:

Let $\lambda$ be a security parameter and N be the maximum number of users.

• It generates asymmetric bilinear groups $\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T$ of prime order p with two random generators $g,\widehat{g}$ of $\mathbb{G},\widehat{\mathbb{G}}$, respectively. It sets $GDS=((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,\widehat{g})$.
• It obtains $M{K}_{AIBE},M{P}_{AIBE}$, and $P{P}_{AIBE}$ by running $\mathbf{AIBE.Setup}\left(GDS\right)$. It also obtains $M{K}_{IBE}$ and $P{P}_{IBE}$ by running $\mathbf{IBE.Setup}\left(GDS\right)$. It obtains $\mathcal{BT}$ by running $\mathbf{CS.Setup}\left(N\right)$ and selects a random PRF key z.
• Finally, it chooses a random exponent $\alpha \in {\mathbb{Z}}_p$ and outputs a master key $MK=(M{K}_{AIBE},M{P}_{AIBE},M{K}_{IBE},\alpha )$, an empty revocation list $RL$, a state $ST=(\mathcal{BT},z)$, and public parameters $PP=\left(P{P}_{AIBE},P{P}_{IBE},\mathsf{\Omega }=e{(g,\widehat{g})}^{\alpha }\right)$.

$\mathbf{RIBE-AR.GenKey}(ID,MK,ST,PP)$:

Let $MK=(M{K}_{AIBE},M{P}_{AIBE},M{K}_{IBE},\alpha )$ and $ST=(\mathcal{BT},z)$.

• It assigns $ID$ to a random leaf node $v\in \mathcal{BT}$ and obtains a private set $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
• For $0\le j\le n$, it computes $({\gamma }_j,{\omega }_j,{\kappa }_j)=\mathbf{PRF}(z,\mathbf{Label}\left(v_j\right))$ and proceeds as follows: It obtains $S{K}_{AIBE,j}$ and $R{K}_{AIBE,j}$ by running $\mathbf{AIBE.GenKey}(ID,{\widehat{g}}^{{\gamma }_j},M{P}_{AIBE},P{P}_{AIBE})$. It creates a node private key $NS{K}_j=\left(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j\right)$.
• Finally, it sets $R{K}_{ID}=R{K}_{AIBE,0}$ and outputs a private key $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{ID}\right)$.

$\mathbf{RIBE-AR.UpdateKey}(T,RL,MK,ST,PP)$:

Let $MK=(M{K}_{AIBE},M{P}_{AIBE},M{K}_{AIBE},\alpha )$ and $ST=(\mathcal{BT},z)$.

• It derives a revoked set R on time T from $RL$ and obtains a cover set $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It selects a random exponent $s\in {\mathbb{Z}}_p$ and sets $V={\widehat{g}}^s$.
• For $1\le i\le \ell$, it computes $({\gamma }_i,{\omega }_i,{\kappa }_i)=\mathbf{PRF}(z,\mathbf{Label}\left(v_i\right))$ and proceeds as follows: It obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{\alpha -{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$. It creates a node update key $NU{K}_i=\left(C{U}_i,Y_i\right)$ by setting a hint value $Y_i=V^{{\omega }_i}$.
• For $\ell +1\le i\le {\ell }_m$, it proceeds as follows: It sets a random ${\widetilde{SK}}_{IBE,i}=({\tilde{U}}_{i,0},{\tilde{U}}_{i,1})$ by selecting random ${\tilde{U}}_{i,0},{\tilde{U}}_{i,1}\in \widehat{\mathbb{G}}$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random ${\tilde{\kappa }}_i$. It creates a node update key $NU{K}_i=\left(C{U}_i,{\tilde{Y}}_i\right)$ by selecting a random ${\tilde{Y}}_i\in \widehat{\mathbb{G}}$.
• Finally, it selects a random permutation $\pi :\{1,\dots ,{\ell }_m\}\to \{1,\dots ,{\ell }_m\}$ and outputs an update key $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$.

$\mathbf{RIBE-AR.DeriveKey}(ID,T,S{K}_{ID},U{K}_T,PP)$:

Let $S{K}_{ID}=(NS{K}_0,\dots ,NS{K}_n,R{K}_{ID})$ and $U{K}_T=(NU{K}_1,\dots ,NU{K}_{{\ell }_m},V)$.

• It retrieves ${\omega }_j$ from $NS{K}_j$ for all $j\in \{0,\dots ,n\}$ and sets a list $(Y_0^{\prime }=V^{{\omega }_0},\dots ,Y_n^{\prime }=V^{{\omega }_n})$. It also retrieves $Y_i$ from $NU{K}_i$ for all $i\in \{1,\dots ,{\ell }_m\}$ and sets a list $(Y_1,\dots ,Y_{{\ell }_m})$.
• It finds two indexes $j\in \{0,\dots ,n\}$ and $i\in \{1,\dots ,{\ell }_m\}$ such that $Y_j^{\prime }=Y_i$ in the lists, then it retrieves the corresponding $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$ and $NU{K}_i=(C{U}_i,Y_i)$. Next, it computes $S{K}_{IBE,i}=\mathbf{SKE}.\mathbf{Decrypt}({\kappa }_j,C{U}_i)$.
• It selects a random exponent $\delta \in {\mathbb{Z}}_p$. It obtains $S{K}_{AIBE}$ by running $\mathbf{AIBE.ChangeKey}(S{K}_{AIBE,j},\delta ,R{K}_{ID},P{P}_{AIBE})$. It also obtains $S{K}_{IBE}$ by running $\mathbf{IBE.ChangeKey}(S{K}_{IBE,i},-\delta ,P{P}_{IBE})$. Finally, it outputs a decryption key $D{K}_{ID,T}=\left(S{K}_{AIBE},S{K}_{IBE}\right)$.

$\mathbf{RIBE-AR.Encrypt}(ID,T,M,PP)$:

It chooses a random exponent $t\in {\mathbb{Z}}_p$. It obtains $C{H}_{AIBE}$ and $E{K}_{AIBE}$ by running $\mathbf{AIBE.Encaps}(ID,t,P{P}_{AIBE})$. Next it obtains $C{H}_{IBE}$ and $E{K}_{IBE}$ by running $\mathbf{IBE.Encaps}(T,t,P{P}_{IBE})$. It outputs a ciphertext $CT=\left(C{H}_{AIBE},C{H}_{IBE},C={\mathsf{\Omega }}^t·M\right)$.

$\mathbf{RIBE-AR.Decrypt}(CT,D{K}_{ID,T},PP)$:

Let $CT=(C{H}_{AIBE},C{H}_{IBE},C)$ and $D{K}_{ID,T}=(S{K}_{AIBE},S{K}_{IBE})$. It derives $E{K}_{AIBE}$ and $E{K}_{IBE}$ by running $\mathbf{AIBE.Decaps}(C{H}_{AIBE},S{K}_{AIBE},P{P}_{AIBE})$ and $\mathbf{IBE.Decaps}(C{H}_{IBE},S{K}_{IBE},P{P}_{IBE})$, respectively. It outputs a decrypted message $M=C·{\left(E{K}_{AIBE}·E{K}_{IBE}\right)}^{-1}$.

$\mathbf{RIBE-AR.Revoke}(ID,T,RL)$:

If $ID$ is not assigned in $\mathcal{BT}$, then it outputs ⊥. Otherwise, it updates $RL$ by adding $(ID,T)$ to $RL$.

4.5. Correctness

To show the correctness of the above RIBE-AR scheme, we first show that a decryption key $D{K}_{ID,T}$ is correctly derived from a private key $S{K}_{ID}$ and an update key $U{K}_T$. Let $S{K}_{ID}=(NS{K}_0,\dots ,NS{K}_n,R{K}_{ID})$ for $PV$ and $U{K}_T=(NU{K}_1,\dots ,NU{K}_{{\ell }_m},V)$ for $CV$ where $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$ and $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$. If $ID\notin R$, then $PV\cap CV\ne \varnothing$. Thus, there exists a node $v_k\in PV$ and $v_k\in CV$ such that $V^{{\omega }_k}=Y_k$ where ${\omega }_k\in NS{K}_k=(S{K}_{AIBE,k},{\omega }_k,{\kappa }_k)$ and $Y_k\in NU{K}_k=(C{U}_k,Y_k)$. By decrypting $C{U}_k$ with a valid key ${\kappa }_k$, $S{K}_{IBE,k}$ is derived. From the RIBE-AR.GenKey and RIBE-AR.UpdateKey algorithms, the master key parts of $S{K}_{AIBE,k}$ and $S{K}_{IBE,k}$ are associated with ${\gamma }_k$ and $\alpha -{\gamma }_k$, respectively. The master key part of $S{K}_{AIBE}$ derived from AIBE.ChangeKey still associated with ${\gamma }_k+\delta$ and the master key part of $S{K}_{IBE}$ derived from IBE.ChangeKey still associated with $\alpha -{\gamma }_k-\delta$. Thus the RIBE-AR.DeriveKey algorithm is correct since we have $\alpha$ if we add two master key parts of the decryption key.

Next, we show that a message is correctly decrypted by the decryption algorithm. The correctness of the RIBE-AR.Decrypt algorithm can be shown by the correctness of the AIBE.Decaps and IBE.Decaps. That is, we have $e{(g,g)}^{({\gamma }_k+\delta )t}$ from the correctness of AIBE and $e{(g,g)}^{(\alpha -{\gamma }_k-\delta )t}$ from the correctness of IBE. Thus, the message M can be easily obtained by using these session keys.

4.6. Discussion

Efficiency Analysis. The public parameters, private key, update key, and ciphertext sizes of our RIBE-AR scheme are almost like those of existing efficient RIBE schemes, as shown in Table 1. Our RIBE-AR scheme differs in the computational complexity of its decryption key derivation algorithm compared with existing RIBE schemes. Because the DeriveKey algorithm of our RIBE-AR scheme hides the update key nodes, it requires n additional exponentiation operations and $O(l_m·n)$ additional comparison operations to find the matching node where $n=logN$, $l_m=rlogN$, and N is the maximum number of users. To improve the efficiency of finding a matching node, merge sorting can be used instead of simple comparison operations, allowing the matching node to be found with $O((l_m+n)log(l_m+n))$ comparison operations. Note that finding the matching node can be very fast because it only requires comparison operations.

Adaptive Security. Our RIBE-AR scheme is proven secure under the selective model. A better security model than the selective security model is the adaptive security model, where an adversary can select a target at the challenge step. A common approach to converting a selectively secure RIBE-AR scheme into an adaptively secure scheme is for a simulator to predict the attack of the attacker during the initial phase. While this approach can transform a selectively secure scheme into an adaptive one, it suffers from the disadvantage of exponentially degrading the reduction efficiency due to the low probability of the simulator’s guess being successful.

Construction from Lattices. It is possible to design an RIBE-AR scheme that provides revocation privacy based on lattices. A lattice-based RIBE-AR scheme was previously proposed [30,31], but revocation privacy was not provided. To provide revocation privacy, a similar method to our pairing-based RIBE-AR scheme that uses symmetric key encryption to hide node update keys can be used. And to quickly search for tree nodes that match in a private key and an update key, a hint system based on the LWR assumption that does not include noise can be used. A detailed description of the lattice-based RIBE-AR scheme is provided in Appendix A.

5. Security Analysis

In this section, we prove the three security features that our RIBE-AR scheme must satisfy: message privacy, identity privacy, and revocation privacy.

5.1. AIBE and IBE Security

The underlying AIBE scheme in this paper is an AIBE scheme capable of private key re-randomization by modifying the AHIBE scheme of Ducas [11]. For reference, Ducas also described the AIBE scheme, but it is not suitable for the RIBE-AR scheme, which requires decryption key derivation since this AIBE scheme does not support private key re-randomization. The AHIBE scheme of Ducas provides selective IND-CPA security under the DBDH assumption and selective ANO-CPA security under the PBDH assumption.

Theorem 1

([11]). The above AIBE scheme is selectively IND-CPA secure if the DBDH assumption holds.

Theorem 2

([11]). The above AIBE scheme is selectively ANO-CPA secure if the PBDH assumption holds.

The underlying IBE scheme in this paper is a KEM version of the IBE scheme of Boneh and Boyen [12], which provides selective IND-CPA security under the DBDH assumption.

Theorem 3

([12]). The above IBE scheme is selectively IND-CPA secure if the DBDH assumption holds.

5.2. IND-CPA Security

The IND-CPA security proof of our RIBE-AR scheme is almost similar to the IND-CPA security proof of the existing RIBE scheme. In other words, the simulator of the security proof divides attackers into two types: one that does not query the private key corresponding to the challenge identity $I{D}^{*}$ and another that queries the private key for $I{D}^{*}$. And then the simulator handles the simulation of private keys and update keys differently for each type of attacker. To simplify the simulation of the RIBE-AR security proof, we use simulators of the AIBE and IBE schemes as sub-simulators.

Theorem 4.

The above RIBE-AR scheme is SE-IND-CPA secure if the PRF scheme is secure and the DBDH assumption holds.

Proof. 

Let $I{D}^{*}$ be the challenge identity submitted by an adversary. To prove the SE-IND-CPA security of our RIBE-AR scheme, we classify the type of adversaries into two types.

Type-1. 

An adversary is Type-1 if it does not request a private key for $I{D}^{*}$.

Type-2. 

An adversary is Type-2 if it requests a private key for $I{D}^{*}$.

Suppose that an adversary is $\tau$-type. The security proof for the $\tau$-type adversary $\mathcal{A}$ consists of the sequence of hybrid games. We define the games as follows:

Game ${\mathbf{G}}_0$.

This game is the original security game. That is, a simulator $\mathcal{B}$ obtains $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ by running PRF.

Game ${\mathbf{G}}_1$.

This game ${\mathbf{G}}_1$ is similar to the game ${\mathbf{G}}_0$ except that the PRF is replaced by a truly random function. That is, $\mathcal{B}$ selects fixed random $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ if $v_i$ is used for the generation of a private key (or an update key).

Game ${\mathbf{G}}_2$.

This final game ${\mathbf{G}}_2$ is similar to the game ${\mathbf{G}}_1$ except the generation of the challenge ciphertext $C{T}^{*}$. Let $C{T}^{*}=(C{H}_{AIBE}^{*},C{H}_{IBE}^{*},C^{*})$ be the challenge ciphertext. In this game ${\mathbf{G}}_2$, $C^{*}$ is replaced by a random element in ${\mathbb{G}}_T$. Note that the advantage of $\mathcal{A}$ in this game is zero since the challenge ciphertext is not related to $\mu$.

Let $Ad{v}_{\mathcal{A}}^{G_i}$ be the advantage of $\mathcal{A}$ in a game ${\mathbf{G}}_i$. Let $E_{\tau }$ be the event that the adversary behaves like $\tau$-type. From the Lemmas 1 and 2, we obtain the following equation

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^{G_0}& \le \sum _{\tau =1}^{2}Pr\left[E_{\tau }\right]·|Ad{v}_{\mathcal{A}}^{G_0}-Ad{v}_{\mathcal{A}}^{G_2}|\le 2Ad{v}_{\mathcal{B}}^{PRF}\left(\lambda \right)+2Ad{v}_{\mathcal{B}}^{DBDH}\left(\lambda \right).\hfill \end{array}$$

This completes our proof. □

Lemma 1.

If the PRF scheme is secure, then no PPT type-τ adversary can distinguish between ${\mathit{G}}_0$ and ${\mathit{G}}_1$ with a non-negligible advantage.

Proof. 

The proof is relatively straightforward if a simulator that distinguishes whether an oracle is PRF or not simply generates the master key $MK$ of RIBE-AR by himself. We omit the details of this proof. □

Lemma 2.

If the DBDH assumption holds, then no PPT type-τ adversary can distinguish between ${\mathit{G}}_1$ and ${\mathit{G}}_2$ with a non-negligible advantage.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ that attacks the above RIBE-AR scheme with a non-negligible advantage. A meta-simulator $\mathcal{B}$ that solves the DBDH assumption using $\mathcal{A}$ is given: a challenge tuple $D=(g,g^a,g^b,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$ and Z where $Z=Z_0=e{(g,\widehat{g})}^{abc}$ or $Z=Z_1=e{(g,\widehat{g})}^d$. Let ${\mathcal{B}}_{AIBE}$ be the simulator for AIBE and ${\mathcal{B}}_{IBE}$ be the simulator for IBE. Then $\mathcal{B}$ that interacts with $\mathcal{A}$ is described as follows:

• Init: $\mathcal{A}$ initially submits a challenge identity $I{D}^{*}$ and challenge time $T^{*}$. $\mathcal{B}$ runs ${\mathcal{B}}_{AIBE}$ by giving D and Z, and runs ${\mathcal{B}}_{IBE}$ by giving D and Z.
• Setup: $\mathcal{B}$ proceeds as follows:

• It submits $I{D}^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $P{P}_{AIBE}$. It also submits $T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $P{P}_{IBE}$.
• It obtains $\mathcal{BT}$ by running $\mathbf{CS.Setup}\left(N\right)$. It sets $RL$ as an empty one and sets $ST=\left(\mathcal{BT}\right)$. It fixes a random leaf node $v^{*}\in \mathcal{BT}$ that will be assigned to $I{D}^{*}$.
• If $\tau =1$, it sets $\mathbf{ChalPath}=\varnothing$. Otherwise $(\tau =2)$, it sets $\mathbf{ChalPath}=\mathbf{Path}\left(v^{*}\right)$.
• It publishes public parameters $PP=\left(P{P}_{AIBE},P{P}_{IBE},\mathsf{\Omega }=e(g^a,{\widehat{g}}^b)\right)$.

• Phase 1: $\mathcal{A}$ adaptively requests a polynomial number of private key, update key, and decryption key queries.
• If this is a private key query for an identity $ID$, then $\mathcal{B}$ proceeds as follows:

• Case $\tau =1$: In this case, we have $ID\ne I{D}^{*}$ and $\mathbf{ChalPath}=\varnothing$.
  • It queries an AIBE private key for $ID\ne I{D}^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$.
  • It assigns $ID$ to a new leaf node $v\ne v^{*}$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps: It obtains $S{K}_{AIBE,j}$ by running $\mathbf{AIBE.ChangeKey}(S{K}_{AIBE,ID},-{\gamma }_j,R{K}_{AIBE,ID},P{P}_{AIBE})$. It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.
  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,ID}\right)$.
• Case $\tau =2\wedge ID\ne I{D}^{*}$: In this case, we have $PV\cap \mathbf{ChalPath}\ne \varnothing$.
  • It queries an AIBE private key for $ID\ne I{D}^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$.
  • It assigns $ID$ to a new leaf node $v\ne v^{*}$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps:

    (a)

    If $v_j\in \mathbf{ChalPath}$, then it obtains $S{K}_{AIBE,j}$ and $R{K}_{AIBE,j}$ by running $\mathbf{AIBE}.\mathbf{GenKey}(ID,{\widehat{g}}^{{\gamma }_j},M{P}_{AIBE},P{P}_{AIBE})$.

    (b)

    Otherwise ($v_j\notin \mathbf{ChalPath}$), it obtains $S{K}_{AIBE,j}$ by running

    $\mathbf{AIBE}.\mathbf{ChangeKey}(S{K}_{AIBE,ID},-{\gamma }_j,R{K}_{AIBE,ID},P{P}_{AIBE})$.

    (c)

    It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.

  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,ID}\right)$.
• Case $\tau =2\wedge ID=I{D}^{*}$: In this case, we have $PV=\mathbf{ChalPath}$.
  • It retrieves the leaf node $v^{*}$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v^{*})$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps: It obtains $S{K}_{AIBE,j}$ and $R{K}_{AIBE,j}$ by running $\mathbf{AIBE.GenKey}(ID,{\widehat{g}}^{{\gamma }_j},M{P}_{AIBE},P{P}_{AIBE})$. It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.
  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,0}\right)$.

If this is an update key query for time T, then $\mathcal{B}$ proceeds as follows:

• Case $\tau =1$: In this case, we have $\mathbf{ChalPath}=\varnothing$.
  • It defines a revoked set R on time T from $RL$ and obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps: It obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.
  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.
• Case $\tau =2$ and $T\ne T^{*}$: In this case, we have $CV\cap \mathbf{ChalPath}\ne \varnothing$.
  • It queries an IBE private key for $T\ne T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $S{K}_{IBE,T}$.
  • It defines a revoked set R on time T from $RL$ obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps:

    (a)

    If $v_i\in \mathbf{ChalPath}$, then it obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.ChangeKey}(S{K}_{IBE,T},{\widehat{g}}^{-{\gamma }_i},P{P}_{IBE})$.

    (b)

    Otherwise ($v_i\notin \mathbf{ChalPath}$), it obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$.

    (c)

    It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.

  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.
• Case $\tau =2$ and $T=T^{*}$: In this case, we have $CV\cap \mathbf{ChalPath}=\varnothing$ since $I{D}^{*}$ is revoked on time $T^{*}$.
  • It defines a revoked set $R^{*}$ on time $T^{*}$ from $RL$ and obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R^{*})$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps: It obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.
  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.

If this is a decryption key query for an identity $ID$ and time T, then $\mathcal{B}$ proceeds as follows:

• Case $ID\ne I{D}^{*}$: It queries an AIBE private key for $ID\ne I{D}^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$. It selects a random exponent $\delta \in {\mathbb{Z}}_p$. It obtains $S{K}_{AIBE}$ by running $\mathbf{AIBE.ChangeKey}(S{K}_{AIBE,ID},-\delta ,R{K}_{AIBE,ID},P{P}_{AIBE})$. It obtains $S{K}_{IBE}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{\delta },P{P}_{IBE})$. It creates $D{K}_{ID,T}=(S{K}_{AIBE},S{K}_{IBE})$.
• Case $ID=I{D}^{*}$ and $T\ne T^{*}$: It queries an IBE private key for $T\ne T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $S{K}_{IBE,T}$. It selects a random exponent $\delta \in {\mathbb{Z}}_p$. It obtains $S{K}_{AIBE}$ and $R{K}_{AIBE}$ by running $\mathbf{AIBE.GenKey}(ID,{\widehat{g}}^{\delta },M{P}_{AIBE},P{P}_{AIBE})$. It obtains $S{K}_{IBE}$ by running $\mathbf{IBE.ChangeKey}(S{K}_{IBE,T},-\delta ,P{P}_{IBE})$. It creates $D{K}_{ID,T}=(S{K}_{AIBE},S{K}_{IBE})$.

• If this is a revocation query for an identity $ID$ and time T, then $\mathcal{B}$ updates $RL$ by running $\mathbf{RIBE-AR.Revoke}(ID,T,RL,ST)$.
• Challenge: $\mathcal{A}$ submits two challenge messages $M_0^{*},M_1^{*}$. $\mathcal{B}$ flips a random bit $\mu \in \{0,1\}$ and proceeds as follows:

• It submits $M_0^{*},M_1^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives a challenge $C{H}_{AIBE}^{*}$ and $E{K}_{AIBE}^{*}$. It also submits $M_0^{*},M_1^{*}$ to ${\mathcal{B}}_{IBE}$ and receives a challenge $C{H}_{IBE}^{*}$ and $E{K}_{IBE}^{*}$.
• It creates $C{T}^{*}=\left(C{H}_{AIBE}^{*},C{H}_{IBE}^{*},Z·M_{\mu }^{*}\right)$ and gives it to $\mathcal{A}$.

• Phase 2: Same as Phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$. $\mathcal{B}$ outputs 0 if $\mu ={\mu }^{\prime }$ or 1 otherwise. This completes our proof. □

5.3. ANO-CPA Security

In order to argue the selective ANO-CPA security proof of our RIBE-AR scheme, we first classify attackers into four types. And we use the simulators of AIBE and IBE schemes as sub-simulators to configure an RIBE-AR simulator to easily handle private keys and update keys for individual types of attackers. Then, we play hybrid games that change the elements of an AIBE ciphertext header into random elements, showing that the challenge identity $I{D}_{\mu }^{*}$ is not revealed in the ciphertext.

Theorem 5.

The above RIBE-AR scheme is SE-ANO-CPA secure if the PRF scheme is secure and the PBDH assumption holds.

Proof. 

Let $I{D}_0^{*},I{D}_1^{*}$ be the challenge identities submitted by an adversary. To prove the SE-ANO-CPA security of our RIBE-AR scheme, we classify the type of adversaries into four types.

Type-1. 

An adversary is Type-1 if it does not request a private key for $I{D}_0^{*}$ and $I{D}_1^{*}$.

Type-2. 

An adversary is Type-2 if it does not request a private key for $I{D}_0^{*}$, but it requests a private key for $I{D}_1^{*}$.

Type-3. 

An adversary is Type-3 if it requests a private key for $I{D}_0^{*}$, but it does not request a private key for $I{D}_1^{*}$.

Type-4. 

An adversary is Type-4 if it requests private keys for $I{D}_0^{*}$ and $I{D}_1^{*}$.

Suppose that an adversary is type-$\tau$. The security proof for the type-$\tau$ adversary $\mathcal{A}$ consists of the sequence of hybrid games. We define the games as follows:

Game ${\mathbf{G}}_0$.

This game is the original security game. That is, a simulator $\mathcal{B}$ obtains $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ by running PRF.

Game ${\mathbf{G}}_1$.

This game ${\mathbf{G}}_1$ is similar to the game ${\mathbf{G}}_0$ except that the PRF is replaced by a truly random function. That is, $\mathcal{B}$ selects fixed random $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ if $v_i$ is used for the generation of a private key (or an update key).

Game ${\mathbf{G}}_2$.

This game ${\mathbf{G}}_2$ is similar to the game ${\mathbf{G}}_1$ except the generation of the challenge ciphertext $C{T}^{*}$. Let $C{T}^{*}=(C{H}_{AIBE}^{*},C{H}_{IBE}^{*},C^{*})$ be the challenge ciphertext. In this game ${\mathbf{G}}_2$, $C^{*}$ is replaced by a random element in ${\mathbb{G}}_T$.

Game ${\mathbf{G}}_3$.

This final game ${\mathbf{G}}_3$ is similar to the game ${\mathbf{G}}_2$ except the generation of the challenge AIBE ciphertext header $C{H}_{AIBE}^{*}$. Let $C{H}_{AIBE}^{*}=(C_0^{*},C_1^{*},C_2^{*})$ be the challenge AIBE ciphertext header. In this game, $C_1^{*}$ and $C_2^{*}$ are replaced by random elements in $\mathbb{G}$. Note that the advantage of $\mathcal{A}$ in this game is zero since the challenge ciphertext is not related to $\mu$.

Let $Ad{v}_{\mathcal{A}}^{G_i}$ be the advantage of $\mathcal{A}$ in a game ${\mathbf{G}}_i$. Let $E_{\tau }$ be the event that the adversary behaves like type-$\tau$. From the Lemmas 3–5, we obtain the following equation

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^{G_0}& \le \sum _{\tau =1}^{4}Pr\left[E_{\tau }\right]·|Ad{v}_{{\mathcal{A}}_{\tau }}^{G_0}-Ad{v}_{{\mathcal{A}}_{\tau }}^{G_2}|\le 4Ad{v}_{\mathcal{B}}^{PRF}\left(\lambda \right)+4Ad{v}_{\mathcal{B}}^{DBDH}\left(\lambda \right)+4Ad{v}_{\mathcal{B}}^{A3DH}\left(\lambda \right).\hfill \end{array}$$

This completes our proof. □

Lemma 3.

If the PRF scheme is secure, then no PPT type-τ adversary can distinguish between ${\mathit{G}}_0$ and ${\mathit{G}}_1$ with a non-negligible advantage.

We omit the proof of this lemma since it is the same as Lemma 1.

Lemma 4.

If the DBDH assumption holds, then no PPT type-τ adversary can distinguish between ${\mathit{G}}_1$ and ${\mathit{G}}_2$ with a non-negligible advantage.

We omit the proof of this lemma since it is the same as Lemma 2.

Lemma 5.

If the PBDH assumption holds, then no PPT type-τ adversary can distinguish between ${\mathit{G}}_2$ and ${\mathit{G}}_3$ with a non-negligible advantage.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ that attacks the above RIBE-AR scheme with a non-negligible advantage. A meta-simulator $\mathcal{B}$ that solves the A3DH assumption using $\mathcal{A}$ is given: a challenge tuple $D=(g,g^a,g^{ab},g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$ and Z where $Z=Z_0=e{(g,\widehat{g})}^{abc}$ or $Z=Z_1=e{(g,\widehat{g})}^d$. Note that a challenge tuple $D_{DBDH}=(g,g^a,g^c,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$ for the DBDH assumption can be derived from the given D. Let ${\mathcal{B}}_{AIBE}$ be the simulator for AIBE and ${\mathcal{B}}_{IBE}$ be the simulator for IBE. Then, $\mathcal{B}$ that interacts with $\mathcal{A}$ is described as follows:

• Init: $\mathcal{A}$ initially submits challenge identities $I{D}_0^{*},I{D}_1^{*}$ and challenge time $T^{*}$. $\mathcal{B}$ runs ${\mathcal{B}}_{AIBE}$ by giving $D_{PBDH}$ and Z, and runs ${\mathcal{B}}_{IBE}$ by giving $D_{DBDH}$ and Z.
• Setup: $\mathcal{B}$ proceeds as follows:

• It submits $I{D}_0^{*},I{D}_1^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $P{P}_{AIBE}$. It also submits $T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $P{P}_{IBE}$.
• It obtains $\mathcal{BT}$ by running $\mathbf{CS.Setup}\left(N\right)$. It initializes $UL$ as an empty one. It sets $RL$ as an empty one and sets $ST=(\mathcal{BT},UL)$. It fixes random leaf nodes $v_0^{*},v_1^{*}\in \mathcal{BT}$ that will be assigned to $I{D}_0^{*},I{D}_1^{*}$, respectively.
• If $\tau =1$, it sets $\mathbf{ChalPath}=\varnothing$. If $\tau =2$, it sets $\mathbf{ChalPath}=\mathbf{Path}\left(v_1^{*}\right)$. If $\tau =3$, it sets $\mathbf{ChalPath}=\mathbf{Path}\left(v_0^{*}\right)$. If $\tau =4$, it sets $\mathbf{ChalPath}=\mathbf{Path}\left(v_0^{*}\right)\cup \mathbf{Path}\left(v_1^{*}\right)$.
• It publishes public parameters $PP=\left(P{P}_{AIBE},P{P}_{IBE},\mathsf{\Omega }=e(g^a,{\widehat{g}}^b)\right)$.

Phase 1: $\mathcal{A}$ adaptively requests a polynomial number of private key, update key, and decryption key queries.

If this is a private key query for an identity $ID$, then $\mathcal{B}$ proceeds as follows:

• Case $\tau =1$: In this case, we have $ID\ne I{D}_b^{*}$ for any $b\in \{0,1\}$ and $\mathbf{ChalPath}=\varnothing$.
  • It queries an AIBE private key for $ID\ne I{D}_b^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$.
  • It assigns $ID$ to a new leaf node $v\ne v^{*}$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps: It obtains $S{K}_{AIBE,j}$ by running $\mathbf{AIBE.ChangeKey}(S{K}_{AIBE,ID},-{\gamma }_j,R{K}_{AIBE,ID},P{P}_{AIBE})$. It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.
  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,ID}\right)$.
• Case $(\tau =2\wedge ID\ne I{D}_1^{*})\vee (\tau =3\wedge ID\ne I{D}_0^{*})\vee (\tau =4\wedge ID\ne I{D}_0^{*})$: In this case, we have $ID\ne I{D}_b^{*}$ for any $b\in \{0,1\}$ and $PV\cap \mathbf{ChalPath}\ne \varnothing$.
  • It queries an AIBE private key for $ID\ne I{D}_b^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$.
  • It assigns $ID$ to a new leaf node $v\ne v_b^{*}$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps:

    (a)

    If $v_j\in \mathbf{ChalPath}$, then it obtains $S{K}_{AIBE,j}$ by running $\mathbf{AIBE}.\mathbf{GenKey}(ID,{\widehat{g}}^{{\gamma }_j},M{P}_{AIBE},P{P}_{AIBE})$.

    (b)

    Otherwise ($v_j\notin \mathbf{ChalPath}$), it obtains $S{K}_{AIBE,j}$ by running $\mathbf{AIBE}.\mathbf{ChangeKey}(S{K}_{AIBE,ID},-{\gamma }_j,R{K}_{AIBE,ID},P{P}_{AIBE})$.

    (c)

    It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.

  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,ID}\right)$.
• Case $(\tau =2\wedge ID=I{D}_1^{*})$ or $(\tau =3\wedge ID=I{D}_0^{*})$ or $(\tau =4\wedge (ID=I{D}_0^{*}\vee ID=I{D}_1^{*}))$: In this case, we have $PV\subseteq \mathbf{ChalPath}$.
  • It retrieves the leaf node $v_b^{*}$ of $ID$ and obtains $PV=\{v_0,\dots ,v_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v_b^{*})$.
  • For $0\le j\le n$, it retrieves $({\gamma }_j,{\omega }_j,{\kappa }_j)$ of the node $v_j$ and performs the steps: It obtains $S{K}_{AIBE,j}$ and $R{K}_{AIBE,j}$ by running $\mathbf{AIBE.GenKey}(ID,{\widehat{g}}^{{\gamma }_j},M{P}_{AIBE},P{P}_{AIBE})$. It sets $NS{K}_j=(S{K}_{AIBE,j},{\omega }_j,{\kappa }_j)$.
  • It creates $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,R{K}_{AIBE,0}\right)$.

If this is an update key query for time T, then $\mathcal{B}$ proceeds as follows:

• Case $\tau =1$: In this case, we have $CV\cap \mathbf{ChalPath}=\varnothing$ since $\mathbf{ChalPath}=\varnothing$.
  • It defines a revoked set R on time T from $RL$ and obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps: It obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.
  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.
• Case $(\tau =2\wedge T\ne T^{*})\vee (\tau =3\wedge T\ne T^{*})\vee (\tau =4\wedge T\ne T^{*})$: In this case, we have $CV\cap \mathbf{ChalPath}\ne \varnothing$ and $CV\neg \subseteq \mathbf{ChalPath}$.
  • It queries an IBE private key for $T\ne T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $S{K}_{IBE,T}$.
  • It defines a revoked set R on time T from $RL$ and obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps:

    (a)

    If $v_i\in \mathbf{ChalPath}$, then it obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.ChangeKey}(S{K}_{IBE,T},{\widehat{g}}^{-{\gamma }_i},P{P}_{IBE})$.

    (b)

    Otherwise ($v_i\notin \mathbf{ChalPath}$), it obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$.

    (c)

    It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.

  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.
• Case $(\tau =2\wedge T=T^{*})\vee (\tau =3\wedge T=T^{*})\vee (\tau =4\wedge T=T^{*})$: In this case, we have $CV\cap \mathbf{ChalPath}=\varnothing$ since $I{D}_b^{*}$ is revoked on time $T^{*}$.
  • It defines a revoked set $R^{*}$ on time $T^{*}$ from $RL$ and obtains $CV=\{v_1,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R^{*})$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$. It sets $V={\widehat{g}}^s$ by selecting a random $s\in {\mathbb{Z}}_p$.
  • For $1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and performs the steps: It obtains $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$ and sets $NU{K}_i=(C{U}_i,Y_i=V^{{\omega }_i})$.
  • For $\ell +1\le i\le {\ell }_m$, it performs the steps: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random elements and computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It selects a random ${\tilde{Y}}_i$ and creates $NU{K}_i=(C{U}_i,{\tilde{Y}}_i)$.
  • It creates $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},V\right)$ where $\pi$ is a random permutation.

If this is a decryption key query for an identity $ID$ and time T, then $\mathcal{B}$ proceeds as follows:

• Case $ID\ne I{D}^{*}$: It queries an AIBE private key for $ID\ne I{D}^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives $S{K}_{AIBE,ID}$ and $R{K}_{AIBE,ID}$. It selects a random exponent $\delta \in {\mathbb{Z}}_p$. It obtains $S{K}_{AIBE}$ by running $\mathbf{AIBE.ChangeKey}(S{K}_{AIBE,ID},-\delta ,R{K}_{AIBE,ID},P{P}_{AIBE})$. It obtains $S{K}_{IBE}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{\delta },P{P}_{IBE})$. It creates $D{K}_{ID,T}=(S{K}_{AIBE},S{K}_{IBE})$.
• Case $ID=I{D}^{*}$ and $T\ne T^{*}$: It queries an IBE private key for $T\ne T^{*}$ to ${\mathcal{B}}_{IBE}$ and receives $S{K}_{IBE,T}$. It selects a random exponent $\delta \in {\mathbb{Z}}_p$. It obtains $S{K}_{AIBE}$ and $R{K}_{AIBE}$ by running $\mathbf{AIBE.GenKey}(ID,{\widehat{g}}^{\delta },M{P}_{AIBE},P{P}_{AIBE})$. It obtains $S{K}_{IBE}$ by running $\mathbf{IBE.ChangeKey}(S{K}_{IBE,T},-\delta ,P{P}_{IBE})$. It creates $D{K}_{ID,T}=(S{K}_{AIBE},S{K}_{IBE})$.

• If this is a revocation query for an identity $ID$ and time T, then $\mathcal{B}$ updates $RL$ by running $\mathbf{RIBE-AR.Revoke}(ID,T,RL,ST)$.
• Challenge: $\mathcal{A}$ submits a challenge message $M^{*}$. $\mathcal{B}$ proceeds as follows:

• It submits $M^{*}$ to ${\mathcal{B}}_{AIBE}$ and receives a challenge $C{H}_{AIBE}^{*}$ and $E{K}_{AIBE}^{*}$. It also submits $M^{*}$ to ${\mathcal{B}}_{IBE}$ and receives a challenge $C{H}_{IBE}^{*}$ and $E{K}_{IBE}^{*}$.
• It creates $C{T}^{*}=\left(C{H}_{AIBE}^{*},C{H}_{IBE}^{*},e{(g,\widehat{g})}^d·M^{*}\right)$ by selecting a random d and gives it to $\mathcal{A}$.

• Phase 2: Same as Phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$. $\mathcal{B}$ also outputs ${\mu }^{\prime }$. This completes our proof. □

5.4. REV-PRV Security

In order to prove the selective REV-PRV security of our RIBE-AR scheme, we construct hybrid games that change all challenge node update keys included in the challenge update key $U{K}^{*}$ to random elements one by one. In this way, if all challenge node update keys are changed to random elements, an attacker will not be able to distinguish the challenge update key because the challenge-revoked set $R_{\mu }^{*}$ is not exposed. The reason why all elements of the challenge update key can be converted into random elements is because the security model does not allow querying a private key that can be derived to a correct decryption key in combination with the challenge update key.

Theorem 6.

The above RIBE-AR scheme is SE-REV-PRV secure if the PRF is secure, the SKE scheme is IND-CPA and KEY-PRV secure, and the XDH assumption holds.

Proof. 

The security proof consists of a sequence of hybrid games ${\mathbf{G}}_0,{\mathbf{G}}_1,{\mathbf{G}}_2$. The first game will be the original security game, and the last one will be a game in which an adversary has no advantage. We define the games as follows:

Game ${\mathbf{G}}_0$.

This game is the original security game. That is, a simulator $\mathcal{B}$ obtains $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ by running PRF.

Game ${\mathbf{G}}_1$.

This game ${\mathbf{G}}_1$ is similar to the game ${\mathbf{G}}_0$ except that the PRF is replaced by a truly random function. That is, $\mathcal{B}$ selects fixed random $({\gamma }_i,{\omega }_i,{\kappa }_i)$ for a node $v_i$ if $v_i$ is used for the generation of a private key (or an update key).

Game ${\mathbf{G}}_2$.

This final game ${\mathbf{G}}_2$ is similar to the game ${\mathbf{G}}_1$ except that generation of the challenge update key $U{K}^{*}$. Let $U{K}^{*}=(NU{K}_1^{*},\dots ,NU{K}_{{\ell }_m}^{*},V^{*})$ be the challenge update key where $NU{K}_i^{*}=(C{U}_i,Y_i)$ is the challenge node update key. In this game, each $NU{K}_i$ is replaced by random. That is, $C{U}_i$ is replaced by SKE encryption of a random message with a random key and $Y_i$ is replaced by a random element in $\widehat{\mathbb{G}}$. Note that the advantage of $\mathcal{A}$ in this game is zero since the challenge update key is not related to $\mu$.

To argue that the adversary cannot distinguish ${\mathbf{G}}_1$ from ${\mathbf{G}}_2$, we also define a sequence of hybrid games ${\mathbf{G}}_{1,0}={\mathbf{G}}_0,\dots ,{\mathbf{G}}_{1,k},\dots ,{\mathbf{G}}_{1,\ell }={\mathbf{G}}_2$ which are defined as follows:

Game ${\mathbf{G}}_{1,0}$.

This game is equal to the game ${\mathbf{G}}_1$. That is, all challenge node update keys in the challenge update key are generated normally.

Game ${\mathbf{G}}_{1,k}$.

In this game ${\mathbf{G}}_{1,k}$, each challenge node update key $NU{K}_i^{*}$ for $1\le i\le k$ is generated randomly, but each challenge node update key $NU{K}_i^{*}$ for $k+1\le i$ is generated normally.

Game ${\mathbf{G}}_{1,\ell }$.

This game ${\mathbf{G}}_{1,\ell }$ is equal to the game ${\mathbf{G}}_2$. That is, all challenge node update keys in the challenge update key are generated randomly.

To argue the indistinguishability of ${\mathbf{G}}_{1,k-1}$ and ${\mathbf{G}}_{1,k}$, we additionally define a sequence of hybrid games ${\mathbf{H}}_{k,0},{\mathbf{H}}_{k,1},{\mathbf{H}}_{k,2},{\mathbf{H}}_{k,3}$. Let $NU{K}_k^{*}=(C{U}_k,Y_k)$ be the challenge node update key of the node $v_k\in C{V}^{*}$. Through these hybrid games, we change the generation of this node update key. We define the games as follows:

Game ${\mathbf{H}}_{k,0}$.

This game is equal to the game ${\mathbf{G}}_{1,k-1}$. That is, $C{U}_k$ and $Y_k$ are generated normally.

Game ${\mathbf{H}}_{k,1}$.

In this game ${\mathbf{H}}_{k,1}$, $C{U}_k$ is generated by encrypting random elements with a valid key, but $Y_k$ is generated normally. That is, $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_k,({\tilde{U}}_{k,0},{\tilde{U}}_{k,1}))$ by selecting random ${\tilde{U}}_{k,0},{\tilde{U}}_{k,1}$.

Game ${\mathbf{H}}_{k,2}$.

In this game ${\mathbf{H}}_{k,2}$, $C{U}_k$ is generated by encrypting random elements with a random key, but $Y_k$ is generated normally. That is, $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_k,({\tilde{U}}_{k,0},{\tilde{U}}_{k,1}))$ by selecting random ${\tilde{U}}_{k,0},{\tilde{U}}_{k,1}$ and a random key ${\tilde{\kappa }}_k$.

Game ${\mathbf{H}}_{k,3}$.

This game ${\mathbf{H}}_{k,3}$ is equal to the game ${\mathbf{G}}_{1,k}$. In this game, $C{U}_k$ is generated by encrypting random elements with a random key and $Y_k$ is also generated randomly. That is, $Y_k$ is replaced by a random element ${\tilde{Y}}_k$.

Let $Ad{v}_{\mathcal{A}}^{G_j}$ be the advantage of $\mathcal{A}$ in the game ${\mathbf{G}}_j$. We have that $Ad{v}_{RIBE-AR,\mathcal{A}}^{SE-REV-PRV}\left(\lambda \right)=Ad{v}_{\mathcal{A}}^{G_0}$ and $Ad{v}_{\mathcal{A}}^{G_2}=0$. From the following Lemmas 6, 7, 8, and 9, we obtain the equation

$$\begin{array}{cc}\hfill Ad{v}_{\mathcal{A}}^{G_0}\left(\lambda \right)& \le \sum _{j=1}^2|Ad{v}_{\mathcal{A}}^{G_{j-1}}-Ad{v}_{\mathcal{A}}^{G_j}|+Ad{v}_{\mathcal{A}}^{G_2}\hfill \\ \hfill & \le |Ad{v}_{\mathcal{A}}^{G_0}-Ad{v}_{\mathcal{A}}^{G_1}|+\sum _{k=1}^{\ell }|Ad{v}_{\mathcal{A}}^{G_{1,k-1}}-Ad{v}_{\mathcal{A}}^{G_{1,k}}|\hfill \\ \hfill & \le |Ad{v}_{\mathcal{A}}^{G_0}-Ad{v}_{\mathcal{A}}^{G_1}|+\sum _{k=1}^{\ell }\sum _{j=1}^3|Ad{v}_{\mathcal{A}}^{H_{k,j-1}}-Ad{v}_{\mathcal{A}}^{H_{k,j}}|\hfill \\ \hfill & \le Ad{v}_{\mathcal{B}}^{PRF}\left(\lambda \right)+rlogN\left(Ad{v}_{SKE,\mathcal{B}}^{IND-CPA}\left(\lambda \right)+Ad{v}_{SKE,\mathcal{B}}^{KEY-PRV}\left(\lambda \right)+Ad{v}_{\mathcal{B}}^{XDH}\left(\lambda \right)\right)\hfill \end{array}$$

where r is the maximum number of revoked users in an update key. This completes the proof. □

Lemma 6.

If the PRF is secure, then no PPT adversary can distinguish ${\mathit{G}}_0$ from ${\mathit{G}}_1$ with a non-negligible advantage.

The proof of this lemma is the same as Lemma 1.

Lemma 7.

If the SKE scheme is IND-CPA secure, then no PPT adversary can distinguish ${\mathit{H}}_{k,0}$ from ${\mathit{H}}_{k,1}$ with a non-negligible advantage.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ that attacks the above RIBE-AR scheme with a non-negligible advantage. A simulator $\mathcal{B}$ that breaks the IND-CPA security of an SKE scheme using $\mathcal{A}$ is described as follows:

• Init: $\mathcal{A}$ initially submits challenge revoked sets $R_0^{*},R_1^{*}$ and challenge time $T^{*}$. $\mathcal{B}$ chooses a random bit $\mu \in \{0,1\}$ and obtains a challenge cover set $C{V}^{*}=\{v_1,\dots ,v_k,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R_{\mu }^{*})$. Let $r=|R_{\mu }^{*}|$, $\ell =|C{V}^{*}|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$.
• Setup: $\mathcal{B}$ obtains $MK,RL,ST$ by running $\mathbf{RIBE-AR.Setup}(1^{\lambda },N)$. Note that the random ${\kappa }_k$ of the node $v_k\in C{V}^{*}$ is unknown to $\mathcal{B}$ since ${\kappa }_k$ is implicitly associated with the encryption key of the SKE scheme.
• Phase 1: $\mathcal{B}$ handles private key, update key, and decryption key queries as follows: It can create a private key $S{K}_{ID}$ by using $MK$ and $ST$ although ${\kappa }_k$ of the node $v_k$ is unknown since $PV\cap C{V}^{*}=\varnothing$ by the restriction of the security model. It can create an update key $U{K}_T$ by using $MK$ and $ST$ by using the encryption oracle of the SKE scheme for the node $v_k$. It can also easily create a decryption key $DK$ by using $MK$.
• Challenge: $\mathcal{B}$ creates a challenge update key $U{K}^{*}$ as follows:

• It selects a random exponent $s\in {\mathbb{Z}}_p$ and sets $V^{*}={\widehat{g}}^s$.
• For $1\le i\le k-1$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and proceeds as follows: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random ${\tilde{U}}_{i,0},{\tilde{U}}_{i,1}$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,{\widetilde{SK}}_{IBE,i})$. It creates $NU{K}_i^{*}=\left(C{U}_i,Y_i={\left(V^{*}\right)}^{{\omega }_i}\right)$.
• For $i=k$, it retrieves $({\gamma }_k,{\omega }_k,-)$ of the node $v_k$ and proceeds as follows:

  (a)

  It sets a random ${\widetilde{SK}}_{IBE,k}$ by selecting random ${\tilde{U}}_{k,0},{\tilde{U}}_{k,1}$. It obtains a normal $S{K}_{IBE,k}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{\alpha -{\gamma }_k},P{P}_{IBE})$.

  (b)

  It submits challenge messages $M_0^{*}={\widetilde{SK}}_{IBE,k},M_1^{*}=S{K}_{IBE,k}$ to the challenge oracle of the SKE scheme and obtains a challenge ciphertext $C{T}^{*}$ from the challenge oracle of SKE.

  (c)

  It creates $NU{K}_k^{*}=\left(C{U}_k=C{T}^{*},Y_k={\left(V^{*}\right)}^{{\omega }_k}\right)$.

• For $k+1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and proceeds as follows: It obtains a normal $S{K}_{IBE,i}$ by running $\mathbf{IBE.GenKey}(T,{\widehat{g}}^{\alpha -{\gamma }_i},P{P}_{IBE})$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,S{K}_{IBE,i})$. It creates a normal $NU{K}_i^{*}=\left(C{U}_i,Y_i={\left(V^{*}\right)}^{{\omega }_i}\right)$.
• For $\ell +1\le i\le {\ell }_m$, it proceeds as follows: It sets a random ${\widetilde{SK}}_{IBE,i}$ by selecting random ${\tilde{U}}_{i,0},{\tilde{U}}_{i,1}$. It computes $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_i,{\widetilde{SK}}_{IBE,i})$ by using a random key ${\tilde{\kappa }}_i$. It creates a random $NU{K}_i^{*}=\left(C{U}_i,{\tilde{Y}}_i\right)$ by selecting a random ${\tilde{Y}}_i$.
• It creates $U{K}^{*}=\left(NU{K}_{\pi \left(1\right)}^{*},\dots ,NU{K}_{\pi \left({\ell }_m\right)}^{*},V^{*}\right)$ where $\pi$ is a random permutation.

• Phase 2: Same as Phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$. $\mathcal{B}$ also outputs ${\mu }^{\prime }$.

If a right message $M_1^{*}$ is encrypted in the IND-CPA game, then $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_k,S{K}_{IBE,k})$ which is equal to the game ${\mathbf{H}}_{k,0}$. Otherwise (a left message $M_0^{*}$ is encrypted), $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_k,{\widetilde{SK}}_{IBE,k})$ which is equal to the game ${\mathbf{H}}_{k,1}$. This completes our proof. □

Lemma 8.

If the SKE scheme is KEY-PRV secure, then no PPT adversary can distinguish ${\mathit{H}}_{k,1}$ from ${\mathit{H}}_{k,2}$ with a non-negligible advantage.

Proof. 

The proof of this lemma is almost similar to that of Lemma 7 except the generation of $C{U}_k$ in $NU{K}_k^{*}$. Let $\mathcal{A}$ be an adversary that attacks the above RIBE-AR scheme with a non-negligible advantage and $\mathcal{B}$ be a simulator that breaks the KEY-PRV security of an SKE scheme using $\mathcal{A}$. The generation of private keys, update keys, and decryption keys is the same since the encryption oracle of the SKE scheme is given. The generation of $NU{K}_i^{*}$ in a challenge update key $U{K}^{*}$ is also similar except the generation of $NU{K}_k^{*}$. The k-th node update key $NU{K}_k^{*}$ is generated as follows:

• For $i=k$, it retrieves $({\gamma }_k,{\omega }_k,-)$ of the node $v_k$ and proceeds as follows:
  • It sets a random ${\widetilde{SK}}_{IBE,k}$ by selecting random ${\tilde{U}}_{k,0},{\tilde{U}}_{k,1}$.
  • It submits a challenge message $M^{*}={\widetilde{SK}}_{IBE,k}$ to the challenge oracle of the SKE scheme and receives a challenge ciphertext $C{T}^{*}$ from the challenge oracle of SKE.
  • It creates $NU{K}_k^{*}=\left(C{U}_k=C{T}^{*},Y_k={\left(V^{*}\right)}^{{\omega }_k}\right)$.

If a valid encryption key ${\kappa }_k$ is used in the KEY-PRV game, then $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_k,{\widetilde{SK}}_{IBE,k})$ which is equal to the game ${\mathbf{H}}_{k,1}$. Otherwise (a random encryption key ${\tilde{\kappa }}_k$ is used), $C{U}_k=\mathbf{SKE}.\mathbf{Encrypt}({\tilde{\kappa }}_k,{\widetilde{SK}}_{IBE,k})$ which is equal to the game ${\mathbf{H}}_{k,2}$. This completes our proof. □

Lemma 9.

If the XDH assumption holds, then no PPT adversary can distinguish ${\mathit{H}}_{k,2}$ from ${\mathit{H}}_{k,3}$ with a non-negligible advantage.

Proof. 

Suppose there exists an adversary $\mathcal{A}$ that attacks the above RIBE-AR scheme with a non-negligible advantage. A simulator $\mathcal{B}$ that solves the XDH assumption using $\mathcal{A}$ is given: a challenge tuple $D=((p,\mathbb{G},\widehat{\mathbb{G}},{\mathbb{G}}_T,e),g,\widehat{g},{\widehat{g}}^a,{\widehat{g}}^b)$ and Z where $Z=Z_0={\widehat{g}}^{ab}$ or $Z=Z_1{\in }_R\widehat{\mathbb{G}}$. Then $\mathcal{B}$ that interacts with $\mathcal{A}$ is described as follows:

• Init: $\mathcal{A}$ initially submits challenge revoked sets $R_0^{*},R_1^{*}$ and challenge time $T^{*}$. $\mathcal{B}$ chooses a random bit $\mu \in \{0,1\}$ and obtains a challenge cover set $C{V}^{*}=\{v_1,\dots ,v_k,\dots ,v_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R_{\mu }^{*})$. Let $r=|R_{\mu }^{*}|$, $\ell =|C{V}^{*}|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$.
• Setup: $\mathcal{B}$ obtains $MK,RL,ST$ by running $\mathbf{RIBE-AR.Setup}(1^{\lambda },N)$. Note that the random ${\omega }_k$ of the node $v_k\in C{V}^{*}$ is unknown to $\mathcal{B}$ since ${\omega }_k$ is implicitly associated with $\mathrm{dlog}\left({\widehat{g}}^b\right)$ of the XDH assumption.
• Phase 1: $\mathcal{B}$ handles private key, update key, and decryption key queries as follows: It can create a private key $S{K}_{ID}$ by using $MK$ and $ST$ although ${\omega }_k$ of the node $v_k$ is unknown since $PV\cap C{V}^{*}=\varnothing$ by the restriction of the security model. It can create an update key $U{K}_T$ by using $MK$ and $ST$ by using ${\widehat{g}}^{{\omega }_k}={\widehat{g}}^b$ for the node $v_k$ and selecting a random exponent s.
• Challenge: Let $U{K}^{*}$ be the challenge update key that should be created in this step. $\mathcal{B}$ sets $V^{*}={\widehat{g}}^a$ by implicitly setting $s=a$ and creates all $C{U}_i$ in $U{K}^{*}$ randomly. Next it creates the hint values of $U{K}^{*}$ as follows:

• For $1\le i\le k-1$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and sets a random $Y_i$.
• For $i=k$, it retrieves $({\gamma }_k,-,{\kappa }_k)$ of the node $v_k$ and sets $Y_k=Z$ by implicitly setting ${\omega }_k=b$.
• For $k+1\le i\le \ell$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and sets $Y_i={\left({\widehat{g}}^a\right)}^{{\omega }_i}$.
• For $\ell +1\le i\le {\ell }_m$, it retrieves $({\gamma }_i,{\omega }_i,{\kappa }_i)$ of the node $v_i$ and sets a random $Y_i$.

• Phase 2: Same as Phase 1.
• Guess: Finally, $\mathcal{A}$ outputs a guess ${\mu }^{\prime }\in \{0,1\}$. $\mathcal{B}$ also outputs ${\mu }^{\prime }$.

If a valid $Z=g^{ab}$ is given, then a valid hint $Y_k={\widehat{g}}^{ab}={\left({\widehat{g}}^{{\omega }_k}\right)}^s$ is created like in the game ${\mathbf{H}}_{k,1}$. Otherwise (a random $Z=g^c$ is given), a random hint $Y_k={\widehat{g}}^c$ is created like in the game ${\mathbf{H}}_{k,2}$. This completes our proof. □

6. Conclusions

In this paper, we introduced the concept of RIBE-AR that provides ciphertext anonymity with revocation privacy and proposed an efficient RIBE-AR scheme by combining AIBE and IBE schemes with the CS method in bilinear groups. Our RIBE-AR scheme has similar private key size, update key size, and ciphertext size compared with the previous efficient RIBE schemes, despite the revocation set of an update key is hidden. We proved the selective IND-CPA, selective ANO-CPA, and selective REV-PRV security of our RIBE-AR scheme under complexity assumptions in bilinear groups with the security of underlying PRF and SKE schemes. Since our RIBE-AR scheme can provide the weak revocation privacy that hides revocation set against outsider attackers who can only obtain revoked private keys, it is an interesting problem to design an RIBE-AR scheme that provides strong revocation privacy that hides the revoked set against internal attackers who have access to private keys that were not revoked.

Appendix A.1. Lattices

Lemma A1.

Let $n,m,\tilde{m},q$ be positive integers with $m\ge 2nlogq$ and q prime. There are polynomial time algorithms for generating short basis of lattices as follows:

• $\mathit{GenTrap}(1^n,1^m,q)$: It is a randomized algorithm that outputs a full rank matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$ and a trapdoor basis ${\mathbf{T}}_{\mathbf{A}}\in {\mathbb{Z}}^{m\times m}$ for ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$ such that A is statistically close to uniform and $\parallel {\mathbf{T}}_{\mathbf{A}}{\parallel }_{GS}=O\left(\sqrt{nlogq}\right)$ with overwhelming probability in n [32,33,34].
• $\mathit{ExtendRandLeft}(\mathbf{A},\mathbf{F},{\mathbf{T}}_{\mathbf{A}},q)$: It is a randomized algorithm that, given as input matrices $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, $\mathbf{F}\in {\mathbb{Z}}_q^{n\times \tilde{m}}$, a basis ${\mathbf{T}}_{\mathbf{A}}$ of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, and a Gaussian parameter $\sigma \ge \parallel {\mathbf{T}}_{\mathbf{A}}{\parallel }_{GS}·\omega \left(\sqrt{logn}\right)$, outputs a matrix ${\mathbf{T}}_{\left[\mathbf{A}\right|\mathbf{F}]}\in {\mathbb{Z}}^{(m+\tilde{m})\times (m+\tilde{m})}$ distributed statistically close to D [35].
• $\mathit{ExtendRandRight}(\mathbf{A},\mathbf{G},\mathbf{R},{\mathbf{T}}_{\mathbf{G}},\sigma )$: It is a randomized algorithm that, given as input a full rank matrix $\mathbf{A},\mathbf{G}\in {\mathbb{Z}}_q^{n\times m}$, a matrix $\mathbf{R}\in {\mathbb{Z}}^{m\times m}$, a basis ${\mathbf{T}}_{\mathbf{G}}$ of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{G}\right)$, and a Gaussian parameter $\sigma \ge {\parallel \mathbf{R}\parallel }_2·{\parallel {\mathbf{T}}_{\mathbf{G}}\parallel }_2·\omega \left(\sqrt{logn}\right)$, outputs a matrix ${\mathbf{T}}_{\left[\mathbf{A}\right|\mathbf{A}\mathbf{R}+\mathbf{G}]}\in {\mathbb{Z}}^{2m\times 2m}$ distributed statistically close to D [36].
• There exists a fixed full rank matrix $\mathbf{G}\in {\mathbb{Z}}_q^{n\times m}$ such that the lattice ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{G}\right)$ has a publicly known basis ${\mathbf{T}}_{\mathbf{G}}$ with $\parallel {\mathbf{T}}_{\mathbf{G}}{\parallel }_{GS}\le \sqrt{5}$ [34].

Lemma A2.

There are polynomial time algorithms for sampling a short vector as follows:

• $\mathit{SampleLeft}(\mathbf{A},\mathbf{F},{\mathbf{T}}_{\mathbf{A}},\mathit{u},\sigma )$: It is a randomized algorithm that, given as input a full rank matrix $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, a matrix $\mathbf{F}\in {\mathbb{Z}}_q^{n\times m}$, a basis ${\mathbf{T}}_{\mathbf{A}}\in {\mathbb{Z}}^{m\times m}$ of ${\mathsf{\Lambda }}_q^{\perp }\left(\mathbf{A}\right)$, a vector $\mathbf{u}\in {\mathbb{Z}}_q^n$, and a Gaussian parameter $\sigma \ge \parallel {\mathbf{T}}_{\mathbf{A}}{\parallel }_{GS}·\omega \left(\sqrt{logn}\right)$, outputs a vector $\mathbf{e}\in {\mathbb{Z}}^{m+\tilde{m}}$ sampled from a distribution statistically close to ${\mathcal{D}}_{{\mathsf{\Lambda }}_q^u\left(\left[\mathbf{A}\right|\mathbf{F}]\right),\sigma }$ [34,36].

Assumption A1

(Learning with Errors, LWE [37]). The LWE problem is to distinguish the following distributions:

$$(\mathbf{A},{\mathbf{A}}^{\top }\mathbf{s}+\mathbf{x})\mathit{and}(\mathbf{A},\mathbf{u})$$

where $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, $\mathbf{s}\in {\mathbb{Z}}_q^n$, $\mathbf{x}\in \mathcal{D}$, $\mathbf{u}\in {\mathbb{Z}}_q^m$ are independently sampled. The advantage of LWE is defined as $Ad{v}_{\mathcal{A}}^{LWE}=|Pr[\mathcal{A}(\mathbf{A},{\mathbf{A}}^{\top }\mathbf{s}+\mathbf{x})=1]-Pr[\mathcal{A}(\mathbf{A},\mathbf{u})=1]|$. We say that the LWE assumption holds if the above advantage is negligible for all PPT adversaries.

Assumption A2

(Learning with Rounding, LWR [38]). The LWR problem is to distinguish the following distributions:

$$(\mathbf{A},{\lfloor {\mathbf{A}}^{\top }\mathbf{s}\rceil }_p)\mathit{and}(\mathbf{A},\mathbf{v})$$

where $\mathbf{A}\in {\mathbb{Z}}_q^{n\times m}$, $\mathbf{s}\in {\mathbb{Z}}_q^n$, $\mathbf{x}\in \mathcal{D}$, $\mathbf{v}\in {\mathbb{Z}}_p^m$ are independently sampled. The advantage of LWR is defined as $Ad{v}_{\mathcal{A}}^{LWR}=|Pr[\mathcal{A}(\mathbf{A},{\lfloor {\mathbf{A}}^{\top }\mathbf{s}\rceil }_p)=1]-Pr[\mathcal{A}(\mathbf{A},\mathbf{v})=1]|$. We say that the LWR assumption holds if the above advantage is negligible for all PPT adversaries.

Appendix A.2. Construction

Let PRF be a pseudo-random function for $\mathcal{K}={\{0,1\}}^{\lambda }$, $\mathcal{X}={\{0,1\}}^{*}$, and $\mathcal{Y}={\mathbb{Z}}_p$. Our RIBE-AR scheme for $\mathcal{I}={\{0,1\}}^n$, $\mathcal{T}={\{0,1\}}^n$, and $\mathcal{M}\in \{0,1\}$ is described as follows:

$\mathbf{RIBE-AR.Setup}(1^{\lambda },N)$:

Let $\lambda$ be a security parameter and N be the maximum number of users. Let $n=\lambda$.

• It obtains $({\mathbf{A}}_1,{\mathbf{T}}_{{\mathbf{A}}_1})$ and $({\mathbf{A}}_2,{\mathbf{T}}_{{\mathbf{A}}_2})$ by running $\mathbf{GenTrap}(1^n,1^m,q)$ and $\mathbf{GenTrap}(1^n,1^m,q)$, respectively. It also samples uniformly random matrix $\mathbf{B}\leftarrow {\mathbb{Z}}_q^{n\times m}$ and vector $\mathbf{u}\leftarrow {\mathbb{Z}}_q^n$.
• It generates two PRF keys $z_1,z_2$ and obtains $\mathcal{BT}$ by running $\mathbf{CS.Setup}\left(N\right)$.
• Finally, it outputs a master key $MK=({\mathbf{T}}_{{\mathbf{A}}_1},{\mathbf{T}}_{{\mathbf{A}}_2},z_1,z_2)$, a revocation list $RL=\varnothing$, a state $ST=\left(\mathcal{BT}\right)$, and public parameters $PP=\left({\mathbf{A}}_1,{\mathbf{A}}_2,\mathbf{B},\mathbf{u}\right)$.

$\mathbf{RIBE-AR.GenKey}(ID,MK,ST,PP)$:

Let $MK=({\mathbf{T}}_{{\mathbf{A}}_1},{\mathbf{T}}_{{\mathbf{A}}_2},z_1,z_2)$ and $ST=\left(\mathcal{BT}\right)$.

• It assigns $ID$ to a random leaf node $v\in \mathcal{BT}$ and obtains a private set $PV=\{S_0,\dots ,S_n\}$ by running $\mathbf{CS.Assign}(\mathcal{BT},v)$.
• For $j=0$ to $j=n$, it proceeds as follows: Let $L_j=\mathrm{Label}\left(S_j\right)$ be a label string. It computes $({\mathbf{u}}_j,{\mathbf{w}}_j)={\mathbf{PRF}}_1(z_1,L_j)$ and ${\kappa }_j={\mathbf{PRF}}_2(z_2,L_j)$ where ${\mathbf{u}}_j,{\mathbf{w}}_j\in {\mathbb{Z}}_q^n$. It samples a vector ${\mathbf{e}}_j$ by running $\mathbf{SampleLeft}({\mathbf{A}}_1,\mathbf{E}\left(ID\right),{\mathbf{u}}_j,{\mathbf{T}}_{{\mathbf{A}}_1},\sigma )$ such that

  $${\left[{\mathbf{A}}_1\right|\mathbf{E}\left(ID\right)]}^{\top }{\mathbf{e}}_j={\mathbf{u}}_j.$$
  Next, it creates a node private key $NS{K}_j=({\mathbf{e}}_j,{\mathbf{w}}_j,{\kappa }_j)$.
• It obtains an extended basis ${\mathbf{T}}_{\left[{\mathbf{A}}_2\right|\mathbf{E}\left(ID\right)]}$ by running $\mathbf{ExtendRandLeft}({\mathbf{A}}_2,\mathbf{E}\left(ID\right),{\mathbf{T}}_{{\mathbf{A}}_2},\sigma )$.
• Finally, it outputs a private key $S{K}_{ID}=\left(NS{K}_0,\dots ,NS{K}_n,{\mathbf{T}}_{\left[{\mathbf{A}}_2\right|E\left(ID\right)]}\right)$.

$\mathbf{RIBE-AR.UpdateKey}(T,RL,MK,ST,PP)$:

Let $MK=({\mathbf{T}}_{{\mathbf{A}}_1},{\mathbf{T}}_{{\mathbf{A}}_2},z_1,z_2)$ and $ST=\left(\mathcal{BT}\right)$.

• It derives a revoked set R on time T from $RL$ and obtains a cover set $CV=\{S_1,\dots ,S_{\ell }\}$ by running $\mathbf{CS.Cover}(\mathcal{BT},R)$. Let $r=\left|R\right|$, $\ell =\left|CV\right|$, and ${\ell }_m=\lceil rlog(N/r)\rceil$.
• It selects a uniformly random matrix $\mathbf{V}\in {\mathbb{Z}}_q^{n\times n}$.
• For $1\le i\le \ell$, it proceeds as follows: Let $L_i=\mathrm{Label}\left(S_i\right)$ be a label string. It computes $({\mathbf{u}}_j,{\mathbf{w}}_j)={\mathbf{PRF}}_1(z_1,L_j)$ and ${\kappa }_j={\mathbf{PRF}}_2(z_2,L_j)$ where ${\mathbf{u}}_j,{\mathbf{w}}_j\in {\mathbb{Z}}_q^n$. It samples a vector ${\mathbf{f}}_i$ by running $\mathbf{SampleLeft}({\mathbf{A}}_1,\mathbf{F}\left(T\right),\mathbf{u}-{\mathbf{u}}_i,{\mathbf{T}}_{{\mathbf{A}}_1},\sigma )$ such that

  $${\left[{\mathbf{A}}_1\right|\mathbf{F}\left(T\right)]}^{\top }{\mathbf{f}}_i=\mathbf{u}-{\mathbf{u}}_i.$$
  It obtains a ciphertext $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,{\mathbf{f}}_i)$. Next, it sets a hint vector ${\mathbf{y}}_i={\lfloor {\mathbf{V}}^{\top }{\mathbf{w}}_i\rceil }_p$ and creates a node update key $NU{K}_i=\left(C{U}_i,y_i\right)$.
• For $\ell +1\le i\le {\ell }_m$, it proceeds as follows: It selects random $f_i$ and obtains $C{U}_i=\mathbf{SKE}.\mathbf{Encrypt}({\kappa }_i,f_i)$ by using a random key ${\kappa }_i$. It creates a node update key $NU{K}_i=\left(C{U}_i,y_i\right)$.
• Finally, it selects a random permutation $\pi :\{1,\dots ,{\ell }_m\}\to \{1,\dots ,{\ell }_m\}$ and outputs an update key $U{K}_T=\left(NU{K}_{\pi \left(1\right)},\dots ,NU{K}_{\pi \left({\ell }_m\right)},\mathbf{V}\right)$.

$\mathbf{RIBE-AR.DeriveKey}(ID,T,S{K}_{ID},U{K}_T,PP)$:

Let $S{K}_{ID}=(NS{K}_0,\dots ,NS{K}_n,{\mathbf{T}}_{\left[A_2\right|E\left(ID\right)]})$ and $U{K}_T=(NU{K}_1,\dots ,NU{K}_{{\ell }_m},\mathbf{V})$.

• It retrieves ${\mathbf{w}}_j$ from $NS{K}_j$ for all $j\in \{0,\dots ,n\}$ and sets a list $({\mathbf{y}}_0^{\prime }={\lfloor {\mathbf{V}}^{\top }{\mathbf{w}}_0\rceil }_p,\dots ,{\mathbf{y}}_n^{\prime }={\lfloor {\mathbf{V}}^{\top }{\mathbf{w}}_n\rceil }_p)$. It also retrieves ${\mathbf{y}}_i$ from $NU{K}_i$ for all $i\in \{1,\dots ,{\ell }_m\}$ and sets a list $({\mathbf{y}}_1,\dots ,{\mathbf{y}}_{{\ell }_m})$.
• It finds two indexes $j\in \{0,\dots ,n\}$ and $i\in \{1,\dots ,{\ell }_m\}$ such that ${\mathbf{y}}_j^{\prime }={\mathbf{y}}_i$ in the lists, then it retrieves the corresponding $NS{K}_j=({\mathbf{e}}_j,{\mathbf{w}}_j,{\kappa }_j)$ and $NU{K}_i=(C{U}_i,{\mathbf{y}}_i)$. Next, it decrypts ${\mathbf{f}}_i=\mathbf{SKE}.\mathbf{Decrypt}({\kappa }_j,C{U}_i)$.
• It parses ${\mathbf{e}}_j=\left[{\mathbf{e}}_{j,L}\right|{\mathbf{e}}_{j,R}]$ and ${\mathbf{f}}_i=\left[{\mathbf{f}}_{i,L}\right|{\mathbf{f}}_{i,R}]$ where ${\mathbf{e}}_{j,L},{\mathbf{f}}_{i,L},{\mathbf{e}}_{j,R},{\mathbf{f}}_{i,R}\in {\mathbb{Z}}^m$. Then, it computes ${\mathbf{d}}_1=[{\mathbf{e}}_{j,L}+{\mathbf{f}}_{i,L}|{\mathbf{e}}_{j,R}\left|{\mathbf{f}}_{i,R}\right]$ such that

  $$[{\mathbf{A}}_1{\left|\mathbf{E}\left(ID\right)\right|\mathbf{F}\left(T\right)]}^{\top }{\mathbf{d}}_1=\mathbf{u}.$$
• It also samples ${\mathbf{d}}_2$ by running $\mathbf{SampleLeft}(\left[{\mathbf{A}}_2\right|\mathbf{E}\left(ID\right)],\mathbf{F}\left(T\right),\mathbf{u},{\mathbf{T}}_{\left[A_2\right|\mathbf{E}\left(ID\right)]},\sigma )$ such that

  $$[{\mathbf{A}}_2{\left|\mathbf{E}\left(ID\right)\right|\mathbf{F}\left(T\right)]}^{\top }{\mathbf{d}}_2=\mathbf{u}.$$
• Finally, it outputs a decryption key $D{K}_{ID,T}=\left({\mathbf{d}}_1,{\mathbf{d}}_2\right)$.

$\mathbf{RIBE-AR.Encrypt}(ID,T,M,PP)$:

It first samples uniformly random vectors ${\mathbf{s}}_1,{\mathbf{s}}_2\in {\mathbb{Z}}_q^n$. It also samples $x\leftarrow D_{\mathbb{Z},\alpha q}$, ${\mathbf{x}}_1,{\mathbf{x}}_2\leftarrow D_{{\mathbb{Z}}^{3m},{\alpha }^{\prime }q}$ and sets

$$\begin{array}{cc}\hfill c_0& ={\mathbf{u}}^{\top }({\mathbf{s}}_1+{\mathbf{s}}_2)+x+M\lfloor q/2\rfloor ,\hfill \\ \hfill {\mathbf{c}}_1& =[{\mathbf{A}}_1{\left|\mathbf{E}\left(ID\right)\right|\mathbf{F}\left(T\right)]}^{\top }{\mathbf{s}}_1+{\mathbf{x}}_1,\hfill \\ \hfill {\mathbf{c}}_2& =[{\mathbf{A}}_2{\left|\mathbf{E}\left(ID\right)\right|\mathbf{F}\left(T\right)]}^{\top }{\mathbf{s}}_2+{\mathbf{x}}_2.\hfill \end{array}$$

Finally, it outputs a ciphertext $CT=\left(c_0,{\mathbf{c}}_1,{\mathbf{c}}_2\right)$.

$\mathbf{RIBE-AR.Decrypt}(CT,D{K}_{ID,T},PP)$:

Let $CT=(c_0,{\mathbf{c}}_1,{\mathbf{c}}_2)$ and $D{K}_{ID,T}=({\mathbf{d}}_1,{\mathbf{d}}_2)$. From the ciphertext and the decryption key, it computes

$$\begin{array}{c}\hfill c^{\prime }=c_0-{\mathbf{c}}_1^{\top }{\mathbf{d}}_1-{\mathbf{c}}_2^{\top }{\mathbf{d}}_2.\end{array}$$

It outputs 1 if $|c^{\prime }-\lfloor q/2\rfloor |<\lfloor q/4\rfloor$ and 0 otherwise.

$\mathbf{RIBE-AR.Revoke}(ID,T,RL)$:

If $ID$ is not assigned in $\mathcal{BT}$, then it outputs ⊥. Otherwise, it updates $RL$ by adding $(ID,T)$ to $RL$.