Revocable Identity-Based Encryption and Server-Aided Revocable IBE from the Computational Diffie-Hellman Assumption †

: An Identity-based encryption (IBE) simpliﬁes key management by taking users’ identities as public keys. However, how to dynamically revoke users in an IBE scheme is not a trivial problem. To solve this problem, IBE scheme with revocation (namely revocable IBE scheme) has been proposed. Apart from those lattice-based IBE, most of the existing schemes are based on decisional assumptions over pairing-groups. In this paper, we propose a revocable IBE scheme based on a weaker assumption, namely Computational Difﬁe-Hellman (CDH) assumption over non-pairing groups. Our revocable IBE scheme is inspired by the IBE scheme proposed by Döttling and Garg in Crypto2017. Like Döttling and Garg’s IBE scheme, the key authority maintains a complete binary tree where every user is assigned to a leaf node. To adapt such an IBE scheme to a revocable IBE, we update the nodes along the paths of the revoked users in each time slot. Upon this updating, all revoked users are forced to be equipped with new encryption keys but without decryption keys, thus they are unable to perform decryption any more. We prove that our revocable IBE is adaptive IND-ID-CPA secure in the standard model. Our scheme serves as the ﬁrst revocable IBE scheme from the CDH assumption. Moreover, we extend our scheme to support Decryption Key Exposure Resistance (DKER) and also propose a server-aided revocable IBE to decrease the decryption workload of the receiver. In our schemes, the size of updating key in each time slot is only related to the number of newly revoked users in the past time slot.


Introduction
The concept of Identity-Based Encryption (IBE) was proposed by Shamir [1] in 1984.In an IBE scheme, the public key of a user can simply be the identity id of the user, like name, email address, etc.An IBE scheme considers three parties: key authority, sender and receiver.The key authority is in charge of generating secret key sk id for user id.A sender simply encrypts plaintexts under the receiver's identity id and the receiver uses his own secret key sk id for decryption.With IBE, there is no need for senders to ask for authenticated public keys from Public-Key Infrastructures, hence key management is greatly simplified.
Over the years, there have been many IBE schemes proposed from various assumptions in the standard model.Most of the assumptions are decisional ones, like the bilinear Diffie-Hellman assumption [2][3][4] over pairing-groups, or the decisional learning-with-errors (LWE) assumption from lattices [5][6][7].Most recently, a breakthrough work was done by Döttling and Garg [8], who proposed the first IBE scheme based solely on the Computational Diffie-Hellman (CDH) assumption over groups free of pairings.
Though IBE enjoys the advantage of easy key management, how to revoke users in an IBE system is a non-trivial problem.It was Boneh and Franklin [9] who first proposed revocable IBE (RIBE) to solve the problem.Later, Boldyreva et al. [10] formalized the definition of selective-ID security and constructed a more efficient RIBE scheme based on a fuzzy IBE scheme [11].Then Libert and Vergnaud proposed the first adaptive-ID secure revocable IBE scheme [12].In [13], Seo and Emura strengthened the security model by introducing an additional important security notion, called Decryption Key Exposure Resistance (DKER).They also constructed a revocable IBE scheme in the strengthened model, and the security of this scheme is from the Decisional Bilinear Diffie-Hellman (DBDH) assumption.Since then, most of the revocable IBE schemes constructed from pairing groups achieved DKER.For example, in the strengthened security model, Lee et al. [14] constructed a revocable IBE scheme via subset difference methods to reduce the size of key updating based on the DBDH assumption, and Watanabe et al. [15] introduced a new revocable IBE with short public parameters based on both the Decisional Diffie-Hellman (DDH) assumption and the Augmented Decisional Diffie-Hellman (ADDH) assumption over pairing-friendly group.Furthermore, Park et al. [16] constructed a revocable IBE whose key update cost is only O(1), but the scheme relied on multilinear maps.Without pairing, it seems difficult to achieve DKER.In [17], Chen et al. proposed the first selective-ID secure revocable IBE scheme from the LWE assumption over lattices in the traditional security model (without DKER).Later, Takayasu and Watanabe [18] designed a lattice-based revocable IBE with bounded DKER.Meanwhile, to improve the decryption efficiency for the receiver, Qin et al. [19] provided a new model named Server-Aided Revocable Identity-Based Encryption (SR-IBE) which used a server as an intermediary to help the receiver to decrypt part of the ciphertext.In fact, the revocable property is so important that it is studied not only in IBE but also in Identity-Based Proxy Re-encryption [20], Fine-Grained Encryption of Cloud Data [21,22] and Attribute-Based Encryption [23].It should be noted that bilinear pairings are essential techniques in these schemes [20][21][22][23].
Please Please note that all the existing RIBE schemes are based on assumptions over pairing-friendly groups or the LWE assumption over lattices.On the other hand, Döttling and Garg's IBE scheme [8] is based on the CDH assumption over non-pairing group, but it does not consider user revocation.In this paper, we aim to fill the gap by designing RIBE from the CDH assumption without use of pairings.

Our Contributions
In this paper, we propose the first revocable IBE (RIBE) schemes and server-aided revocable IBE (SR-IBE) based on the Computational Diffie-Hellman (CDH) assumption over groups free of pairings.The corner stone of this scheme is the IBE scheme proposed by Döttling and Garg [8].Our RIBE schemes enjoy the following features.

1.
Weaker security assumption.The securities of our RIBE and SR-IBE schemes can be reduced to the CDH assumption.Hence our schemes serve as the first RIBE/SR-IBE schemes from the CDH assumption over non-pairing groups.More precisely, our first RIBE scheme can achieve adaptive-IND-ID-CPA security but without the property of decryption key exposure resistance(DKER).Our second RIBE scheme obtains decryption key exposure resistance but with selective-IND-ID-CPA security.Our SR-IBE scheme is selective-SR-ID-CPA secure.The securities of the three schemes can be reduced to the CDH assumption.

2.
Smaller size of key updating.When a time slot begins, the key updating algorithm of our RIBE/SR-IBE will issue updating keys whose size is only linear to the number of newly revoked users in the past time slot.In comparison, most of the existing RIBE/SR-IBE schemes have to update keys whose number is related to the number of all revoked users across all the previous time slots.
In Table 1, we compare our RIBE scheme with some existing RIBE schemes.Remark 1. Döttling and Garg's IBE makes use of garbled circuits to implement the underlying cryptographic primitives.Hence it is prohibitive in terms of efficiency.Our RIBE inherits their idea, hence the efficiency of our RIBE scheme is also incomparable to the RIBE schemes from bilinear maps.However, since no RIBE scheme is available from the CDH assumption over non-pairing groups, our scheme serves as a theoretical exploration in the field of RIBE.

Paper Organization
In Section 2, we collect notations and some basic definitions used in the paper and present the framework.We illustrate our idea of RIBE in Section 3. In Section 4, we construct a revocable IBE scheme (without DKER) based on the CDH assumption and present the correctness and security analysis of the scheme.Then we show how to make our RIBE to obtain DKER in Section 5.In Section 6, we provide a SR-IBE scheme from the CDH assumption.In Section 7, we illustrate the key updating complexity analysis of our scheme.

Notations
The security parameter is denoted by λ. "probabilistic polynomial-time" is abbreviated by "PPT".Let n, a and b be integers.Denote by [n] the set of bit-strings of arbitrary length, and by {0, 1} ≤ the set of bit-strings of length at most .Let ε be an empty string.and |v| be the bit-length of string v. Obviously, |ε| = 0. Denote by x||y the concatenation of two bit-strings x and y, by x i the i-th bit of x, by x $ ← S the process of sampling the element x from the set S uniformly at random, and by a ← X the process of sampling the element a over the distribution X .By a ← f (•) we mean that a is the output of a function f .A function negl : N → R is negligible if for any polynomial p(λ) it holds that negl(λ) < 1/p(λ) for all sufficiently large λ ∈ N.

Pseudorandom Functions
Let PRF: K × X → Y be an efficiently computable function.For an adversary A, define its advantage function as where RF : X → Y is a truly random function.PRF is a pseudorandom function (PRF) if the above advantage function Adv PRF A (1 λ ) is negligible for any PPT A.

•
Setup: The setup algorithm RIBE.Setup is run by the key authority.The input of the algorithm is a security parameter λ and n, where the maximal number of users is 2 n .The output of this algorithm consists of a pair of key (mpk, msk), an initial state st = (KL, PL, RL,KU), where KL is the key list, PL is the list of public information, RL is the list of revoked users and KU is the update key list.In formula, (mpk, msk, st) ← RIBE.Setup(1 λ , 1 n ).∈ RL(i.e., id is not revoked at time t) and PL ∈ st .Now we explain how a revocable IBE system works.To setup the system, the key authority invokes RIBE.Setup to generate master public key mpk, master secret key msk and the state st.Then it publishes the public key mpk.When a user registers in the system with identity id, the key authority invokes RIBE.KG(msk, id, st) to generate the private key sk id for user id.If a user id needs to be revoked during time slot t, the key authority invokes RIBE.R(id, t, st).Next it updates the state st.At the beginning of each time slot t, the key authority might invoke RIBE.KU(msk, t, st) to update keys by updating set KU. Then it publishes some information about the updated set KU. Meanwhile it may also publish some public information PL.During time slot t, when a user wants to send a message m to another user id, he/she invokes RIBE.Enc(mpk, id, t, m, PL) to encrypt m to obtain the ciphertext ct, then sends (t, ct) to user id.To decrypt a ciphertext ct encrypted at time t, the receiver id first invokes RIBE.DK(mpk, sk id , KU, t) to generate its own decryption key sk  Remark.In the definition of our RIBE, KL is the key list which stores the essential information used to generate the update key.PL is a public information list which is used in the encryption algorithm.In the traditional definition of RIBE in other works, no PL is defined.However, in our construction, PL will serve as an essential input to the encryption algorithm and that is the reason we define it.Nevertheless, our definition can be regarded as a general one, while the traditional definition of RIBE can be seen as a special case of PL = ∅.
Security.Now we formalize the security of a revocable IBE.We first consider four oracles: private key generation oracle KG(•), key update oracle KU, decryption key generation oracle DK(•, •) and revocation oracle RVK(•, •) which are shown in Table 2.The security of adaptive-IND-ID-CPA defines as follows.
The experiment has the following requirements for A.
Remark 2. The security definition without DKER is similarly defined with changing the experiment so that an adversary A is not allowed to make any decryption key reveal query, i.e., A cannot query for the oracle DK(•, •).
Next we define selective-IND-ID-CPA security for RIBE, where the adversary has to determine the target identity id * , target time slot t * at the beginning of the experiment.Clearly, selective-IND-ID-CPA security is weaker than adaptive-IND-ID-CPA security.Definition 2. Let RIBE = (RIBE.Setup, RIBE.KG, RIBE.KU, RIBE.DK, RIBE.Enc, RIBE.Dec, RIBE.R) be a revocable IBE scheme.Below describes an experiment played between a challenger C and a PPT adversary A.
The requirements for A in this experiment are the same as the requirements in EXP adaptive-IND-ID-CPA A

(λ).
A revocable IBE scheme is selective-IND-ID-CPA secure (with DKER) if for all PPT adversary A, the following advantage is negligible in the security parameter λ, i.e., Selective-IND-ID-CPA security without DKER is defined can be similarly defined by changing the experiment so that an adversary A is not allowed to query for the oracle DK(•, •).

Server-Aided Revocable Identity-Based Encryption
In a server-aided revocable identity-based encryption scheme [19], there are four parities and they work as follows (as shown in Figure 1): • Key Authority generates a public key and a secret key for every registered user and issues the secret key to the user and the public key to the server.In each time slot, the key authority delivers a update key list (to revoke users) to the server.

•
Sender encrypts a message for an identity and a time slot and sends the ciphertext to the server.

•
Sever combines the update key list and the stored users' public keys to generate the transformation keys in every time slot for all users.When receiving a ciphertext, the server transforms it to a partially decrypted ciphertext using the transformation key corresponding to the receiver's identity and the corresponding time slot.Then it sends the partially decrypted ciphertext to the receiver.

•
Receiver recovers the sender's message from the partially decrypted ciphertext using a decryption key which can be generated by his/her own secret key and the corresponding time slot.Now, we formally define Server-Aided Revocable Identity Based Encryption (SR-IBE) which was first proposed by Qin et al. [19].A SR-IBE scheme consists of ten PPT algorithms Σ = (Setup, PubKG, KU, TranKG, PrivKG, DK, Enc, Transform, Dec, R).Let Σ.M denote the message space, Σ.I D the identity space and Σ.T the space of time slots.

•
Setup: The setup algorithm Setup is run by the key authority.The input of the algorithm is a security parameter λ and a parameter n, which indicates that the maximal number of users is 2 n .The output of this algorithm consists of a pair of key (msk, mpk) and an initial state st = (KL, PL, RL, KU), where KL is the key list, PL is the list of public information, RL is the list of revoked users and KU is the update key list.In formula, (msk, mpk, st Public Key Generation: The public key generation algorithm PubKG is run by the key authority. It takes as input a master secret key msk, an identity id ∈ {0, 1} n and a state st.The output of this algorithm is the public key pk id on identity id.In formula, pk id ← PubKG(msk, id, st).

• Key Update Generation:
The key update generation algorithm KU is run by the key authority.
It takes as input a master secret key msk, an update time t and a state st.The output of this algorithm is an update key list KU (t) and an updated state st .In formula, (KU (t) , st ) ← KU(msk, t, st).

•
Transformation Key Generation: The transformation key generation algorithm TranKG is run by the server.It takes as input the master public key mpk, the public key pk id and an update key list KU (t) .The output of this algorithm is the transformation key tk id ← TranKG(mpk, pk id , KU (t) ).
• Private Key Generation: The private key generation algorithm PrivKG is run by the key authority.It takes the master secret key msk and an identity id ∈ {0, 1} n as input.The output of this algorithm is the private key sk id on identity id.In formula, sk id ← PrivKG(msk, id).

•
Decryption Key Generation: The decryption key generation algorithm DK is run by the receiver.It takes the secret key sk id and a slot t as input.The output of this algorithm is the decryption key id .In formula, Dk id ← DK(sk id , t).

• Encryption:
The encryption algorithm Enc is run by the sender.It takes the master public key mpk, an identity id, a time plot t, a plaintext message m and a public list PL as the input.The output of this algorithm is the ciphertext ct.In formula, ct ← Enc(mpk, id, t, m, PL).

•
Transformation: The transformation algorithm transform is run by the server.It takes the master public key mpk, the transformation key tk id and the ciphertext ct as the input.The output of this algorithm is the partially decrypted ciphertext ct .In formula, ct ← Transform(mpk, tk The decryption algorithm Dec is run by the receiver.The input of this algorithm consists of the master public key mpk, the decryption key Dk id and the partially decrypted ciphertext ct .The output of this algorithm is the plaintext m.In formula, m ← Dec(mpk, Dk The revocation algorithm R is run by the key authority.The input of this algorithm consists of an identity id, a time plot t and a state st.The output of this algorithm is the updated state st .In formula, st ← R(id, t, st).

Correctness.
The correctness requires that for all message m, if the receiver is not revoked at time period t and all parties follow the algorithms above, then we have m ← Dec(mpk, Dk Security.Now we formalize the security of SR-IBE.We first consider five oracles: public key generation oracle PUBKG(•), key update oracle KU, private key generation oracle PRIVKG(•), decryption key generation oracle DK(•, •) and revocation oracle RVK(•, •) which are shown in Table 3.The selective-SR-ID-CPA security is defined as follows.Definition 3. Let Σ = (Setup, PubKG, KU, TranKG, PrivKG, DK, Enc, Transform, Dec, R) be a server-aided revocable IBE scheme.Below describes an experiment played between a challenger C and a PPT adversary A.
The experiment has the following requirements for A.

•
The two plaintexts submitted by A have the same length, i.e., |m The time slot t submitted to KU and RVK(•, •) by A is in ascending order.

•
If the challenger has published KU at time t, then it is not allowed to query oracle RVK(•, t ) with t < t.

•
If A has queried id * to oracle PRIVKG(•), then there must exist a query (id * , t) to oracle RVK(•) satisfying t < t * , i.e., id * must has been revoked before time t * .
A server-aided revocable IBE scheme is selective-SR-ID-CPA secure (with DKER) if for all PPT adversary A, the following advantage is negligible in the security parameter λ, i.e.,

Garbled Circuits
A garbled circuits scheme consists of two PPT algorithms (GCircuit, Eval).Correctness.In a garbled circuit scheme, for any circuit C and an input x ∈ {0, 1} , it holds that Security.In a garbled circuit scheme, the security means that there is a PPT simulator Sim such that for any C, x and for any PPT adversary A, the following advantage of A is negligible in the security parameter λ: where ( C, {lab w,b } w∈inp(C),b∈{0,1} ) ← GCircuit(1 λ , C).

Computational Diffie-Hellman Assumption
Let (G, g, p) ← GGen(1 λ ) be a group generation algorithm which outputs a cyclic group G of order p and a generator of G.

Definition 4. [CDH Assumption]
The computational Diffie-Hellman (CDH) assumption holds w.r.t.GGen, if for any PPT algorithm A its advantage in solving computational Diffie-Hellman (CDH) assumption in G is negligible.In formula, Pr A(g,

•
HGen: The algorithm HGen takes the security parameter λ and a message-length n as input.This algorithm outputs a key k and a trapdoor t.

• H:
The algorithm H takes the key k, a message x ∈ {0, 1} n and a randomness r as input.This algorithm outputs a hash value h and the length of h is λ.
Security.For a PPT adversary A against a chameleon encryption, consider the following experiment: The security of a chameleon encryption defines as follows: For any PPT adversary A, the advantage of A in experiment In [8], such a chameleon encryption was constructed from the CDH assumption.

Idea of the DG Scheme
In the IBE scheme [8] proposed by Döttling and Garg, say the DG scheme, each id is an n-bit binary string.In other words, each user can be regarded as a leaf of a complete binary tree of depth n, which is the length of a user's identity id.For each level j ∈ [n] in the tree, the key authority generates a pair of chameleon encryption key and trapdoor (k j , td j ).As shown in Figure 2, a leaf v is attached with a key pair (ek v , dk v ), which is the public/secret key of an IND-CPA secure public-key encryption scheme PKE=(G, E, D), i.e., (ek v , dk v ) ← G(1 λ ).In addition, a non-leaf node v in the tree is attached with four values: the hash value h v of this node, the hash value h v||0 of the left child node, the hash value h v||1 of the right child node, a randomness r such that The master public key of IBE is given by the hash keys (k 0 , . . ., k n−1 ) and the hash value h ε of the root.The master secret key is the seed of a pseudorandom function to generate r v and the trapdoors of the chameleon encryption.Key Generation.Each user is assigned to a leaf in the tree according to id.The secret key is just all the values attached to those nodes on the path from the root to the leaf.For example, in Figure 2, if id = 010, then the secret key is sk 010 = ({h ε , h 0 , h 1 , r ε }, {h 0 , h 00 , h 01 , r 0 }, {h 01 , ek 010 , ek 011 , r 01 }, dk 010 ).
Encryption.As for encryption, two kinds of circuits are defined.Decryption.The decryption goes from the top to bottom.It will invoke the evaluation algorithm Eval of the garbled circuits to obtain chameleon encryption of labels, and uses the secret key of chameleon encryption scheme to recover the corresponding label.For the leaf, it will use the decryption algorithm of PKE to recover the message m.

Idea of Our Revoked IBE Scheme
Our revocable IBE is based on the original DG scheme.An important observation of the DG scheme is that among all the elements in the secret key sk id = ({h v , h v||0 , h v||1 , r v } v∈V , dk id ) of user id, dk id is the most critical element.Recall that V = {ε, id [1], id [12], . . ., id[12 . . .n − 1]} and dk id is the decryption key of the underlying building block PKE.The sibling of leaf id knows everything about sk id except dk id .This gives us a hint for revocation.To revoke user id, we can change the decryption key dk id in sk id into a new one dk id and this fresh decryption key will not issued to the revoked user id.As long as the essential element dk id is missing, user id will not be able to decrypt anything.Now we outline how the revocable IBE works.
The tree is updated according to the revoked users.
• If a leaf v id is revoked during time period t, then a new public/secret key pair will generated with (ek id , dk id ) ← G(1 λ ) for this leaf.As a result, h v id = ek id is replaced with a fresh value h v id := ek id .This fresh value will not consistent to what the father node of v id has.Therefore, we have to change the attachments of all nodes along the path from the revoked leaf v id to root bottom upward.

•
For i from n − 1 down to 0 v ); Here h v||b is not defined, where b ∈ {0, 1}.
In this way, a new tree is built with root attached with new value (h ε ).Please Please note that the hash keys (k 0 , . . ., k n−1 ) remain unchanged.
When revocation happens, what a sender does is updating the new hash value h ε , then invoking the encryption algorithm for encryption.
For decryption to go smoothly, the IBE system has to issue updating keys to users.The updating key includes all the information of the nodes on the paths from revoked leaves to the root, but the new dk (t) id is not issued.In Figure 3, for example, two users, namely 000 and 010, are revoked and determine two paths.Then all the nodes along the two paths are marked with cross.
All the nodes are updated with new attachments, but leaf 000 is only attached with a new ek    Any legal user is able to update his secret key sk id with the new attachments of nodes along the path from his leaf to the root.For example, the updated secret key sk (t) 001 of user 001 is now {ε, (h In this way, any legal user is able to decrypt ciphertexts since he knows the secret key corresponding to the new tree.Any revoked user id is unable to implement decryption anymore, since the new dk (t) id is missing.

Revocable IBE Scheme
In this section, we present our construction of revocable IBE scheme from chameleon encryption (without DKER).Let PRF: {0, 1} λ × {0, 1} ≤ +n ∪ {ε} → {0, 1} λ be a pseudorandom function.Let CE = (HGen, H, H −1 , HEnc, HDec) be a chameleon encryption scheme and PKE = (G, E, D) be an IND-CPA secure public-key encryption scheme.We denote by id[i] the i-th bit of id and by id[1 We first introduce five subroutines which will be used repeatedly in our scheme (as shown in Table 4).All of these five subroutines are run by the key authority.The subroutines NodeGen and LeafGen are invoked by the key authority in setup algorithm, where NodeGen is used to generate non-leaf nodes and LeafGen to generate leaves and their parents.Just like [8], given all chameleon keys, trapdoors, a randomness s, a node v and a length parameter , the NodeGen subroutine generates four values stored in node v: the hash value of the node h v , the hash value of it left-child node h v||0 , the hash value of it right-child node h v||1 , and the randomness of this node r v .Given all chameleon keys k n−1 and trapdoors td n−1 of the n − 1-th level, a randomness s, a node v in the n − 1-th level and a length parameter , the LeafGen subroutine generates two pairs of public/secret keys (ek v||0 , dk v||0 ), (ek v||1 , dk v||1 ) of the PKE scheme, and generates the hash value h v and the randomness r v of the node v.The children of v are two leaves associated by ek v||0 and ek v||1 .Each user can be uniquely represented by a leaf node.The subroutine FindNodes, subroutine NodeChange and subroutine LeafChange are invoked by the key authority in key update algorithm.Given a revocation list RL, a time t and the global key list KL, subroutine FindNodes(RL, t, KL) outputs all leaves which are revoked at time t and all their ancestor nodes.Given a chameleon key, a chameleon trapdoor, a node v, two hash values (h v||0 , h v||0 ) of the two children of node v and a randomness s, subroutine NodeChange outputs a new hash value and a new randomness for node v. Given a leaf node v, a time t, a randomness s, subroutine LeafChange outputs a fresh public key by invoking the key generation algorithm G of PKE.Table 4. Five subroutines run by the key authority.
• Setup RIBE.Setup(1 λ , 1 n ): given a security parameter λ, an integer n where 2 n is the maximal number of users that the scheme supports.Define identity space as ID = {0, 1} n and time space as T = {0, 1} , and do the following.
}, where ε is the empty string.

5.
For all node v ∈ Y such that |v| = n: // deal with all leaves in Y (ek For i = n − 1 to 0: // generate new attachments for all non-leaf nodes in Y For all node v ∈ Y and |v| = i: v||b := h v||b , Break;
Output st.
Figure 6.The illustration of the Decryption Key Generation for user "011" when users "000" and "010" have been revoked at time slot t.For i from 1 to t, the node values along the path from "011" to "ε" in the tree will be replaced by the corresponding node values in KU (i) .The decryption key sk (t) 011 of user "011" collects all the updated node values along the path from "011" to "ε" in the tree.1.

4.
For each ( t, KU ( t) ) ∈ Ω with t in ascending order, does the following:  We describe two circuits that will be garbled during the encryption procedure.Encryption proceeds as follows: 1.
Retrieve the last item ( t, h

5.
Output ct := lab j,h id , ct) where ε is the empty string.
Output st.id as the input instead of sk id and generates the decryption key with lower computational cost.The algorithm proceeds as follows:

6.
For each ( t, KU ( t) ) ∈ Ω with t in ascending order, does the following: Output sk v } v∈W , dk id ).

Correctness
We first show that our revocable IBE is correct.During the time slot t, the key updating algorithm RIBE.KU (together with the key generation algorithm RIBE.KG) uniquely determines a fresh tree of time t.The root of the fresh tree has attachment (h where ε is the empty string.Please Please note that each id uniquely determines a path (from the root of the tree to the leaf of id).W records all non-leaf nodes on the path.For all nodes v ∈ W, we have id is exactly the the secret key of id in the tree (of time t).As long as the h ε ), the decryption RIBE.Dec can always recover the plaintext due to the correctness of the DG scheme.
Below we show the details of the correctness (this analysis is similar to that in [8]).For all nodes v ∈ W, we have the following facts.

2.
Due to the correctness of the chameleon encryption, we know that given (h by decrypting {c j,h is the label for the next garbled circuit P(|v|+1) .

3.
When |v| = n − 1, we obtain the set of labels lab j,ek id,j j∈ [λ] .Recall that {lab j,b } j∈[λ],b∈{0,1} and selected by ek id .Thus, Due to the correctness of PKE = (G, E, D), given decryption key dk id , one can always recover the original message m correctly with m ← D(dk id , f ).

Security
In this subsection, we prove that our revocable IBE scheme is IND-ID-CPA secure.Assume q is a polynomial upper bound for the running-time of an adversary A, and it is also an upper bound for the number of A's queries (which contains private key queries, key update queries, and revocation queries).
Theorem 1. Assume that t max is the size of the time space and 2 n be the maximal number of users.If PRF is a pseudorandomn function, the garbled circuit scheme is secure, the chameleon encryption scheme CE is secure and PKE = (G, E, D) is IND-CPA secure, the above proposed revocable IBE scheme is adaptive-IND-ID-CPA secure (without decryption key exposure resistance) More specificly, for any PPT adversary A issuing at most q queries, there exist PPT adversaries B 1 , B 2 , B 3 and B 4 such that Proof.The full proof of Theorem 1 is in Appendix B.1.

Revocable IBE Scheme with DKER
In this section, we present the construction of revocable IBE scheme with decryption key exposure resistance from the CDH assumption.In [24], Katsumata et al. provided a generic construction of RIBE scheme with DKER from a hierarchal IBE (HIBE) scheme (the formal definition of HIBE is provided in Appendix A) and a RIBE scheme without DKER.Following this idea, based on the previous RIBE scheme RIBE = (RIBE.Setup, RIBE.KG, RIBE.KU, RIBE.DK, RIBE.Enc, RIBE.Dec, RIBE.R) in Section 4 and a HIBE scheme HIBE = (HIBE.Setup, RIBE.KG, HIBE.Enc, HIBE.Dec) in [8], both of which are based on the CDH assumption, we can construct a revocable IBE scheme Π with DKER from the CDH assumption.
Obviously, the correctness of scheme Π follows from the correctness of the underlying RIBE scheme and HIBE scheme.The security of scheme Π is guaranteed by the following theorem.• Key Update: If a user has been revoked in RIBE Π, the updating information in the leaf node corresponding to the user will not be issued.In other words, all the key updating information only occurs in the upper part of the tree excluding the leaves.Therefore, in SR-IBE Σ the key authority can issue the key updating list to the server and the server is in charge of updating keys for users.

•
Decryption: Recall that in the RIBE scheme Π with DKER in Section 5, the ciphertext consists of two parts: the ciphertext of the RIBE scheme RIBE.ct and the ciphertext of the HIBE scheme HIBE.ct.To decrypt RIBE.ct in SR-IBE Σ, the decryption is implemented from the top to the bottom along the path in the tree.The server will decrypt the upper non-leaf part while the user will decrypt the leaf part.Meanwhile, the user is alway able to use HIBE.skid and time slot t to compute HIBE.sk id||t and decrypt HIBE.ct with it.The process is shown in Figure 8. Construction of SR-IBE.Now we describe our server-aided revocable IBE scheme Σ = (Setup, PubKG, KU, TranKG, PrivKG, DK, Enc, Transform, Dec, R).
• Setup(1 λ , 1 n ): given a security parameter λ, an integer n where 2 n is the maximal number of users that the scheme supports.Define identity space as Σ.I D = {0, 1} n and time space as Σ.T = {0, 1} , and do the following.
Output (pk id , st).// This algorithm is almost the same as the Private Key Generation algorithm in Section 4 except that there is no dk id in pk id .

5.
For all node v ∈ Y such that |v| = n: (ek For i = n − 1 to 0: For all node v ∈ Y and |v| = i: v||b := h v||b , Break;
// This algorithm is identical to the Key Update Generation algorithm in Section 4.

3.
From KU retrieve a set

4.
For each ( t, KU ( t) ) ∈ Ω with t in ascending order, does the following: Output tk v } v∈W ) // This algorithm is almost the same as the Decryption Key Generation algorithm in Section 4 except that all update operations do not involve leaf nodes, i.e., dk id .
Output sk id .

7.
Output ct := ( f , HIBE.ct) // This algorithm is almost the same as the Decryption algorithm in Section 4 except that this algorithm omits the last step, i.e., it does not recover RIBE.m from f .
Output st.
Obviously, the correctness of this scheme Σ follows from the correctness of the RIBE scheme described in Section 4 and the HIBE scheme used as the building block.The security of scheme Σ is guaranteed by the following theorem.Theorem 3. If HIBE is the hierarchal IBE constructed in [8], the above server-aided revocable IBE scheme Σ is selective-SR-ID-CPA secure (with decryption key exposure resistance ) based on the CDH assumption.
Proof.The full proof of Theorem 3 is in Appendix B.2.

Analysis of Key Updating Size
In this section, we analyze the key updating efficiency of our revocable IBE scheme.Different from an IBE scheme, a revocable IBE scheme has enormous cost on the publishing updating keys at each time slot.In our RIBE, the number of updating keys is linear to the number of updated nodes.Therefore, we focus on the number of updated nodes for the performance.The advantage of our RIBE lies in the fact that the nodes that needs to updated is only related to the number ∆r of newly revoked users in the past time slot.More precisely, in all the three schemes proposed in this paper, the number of nodes needs to be updated in each time plot is at most ∆r(log N − log(∆r)).Thus the key updating size of our scheme is at most O(∆r(log N − log(∆r))).If there is no new users revoked in the previous time slot, then key updating is not necessary at all.
Recall that in the most of RIBE schemes, the size of updating keys is closely related to the total number r of all the revoked users across all the past slots.For example, in [10] the size of updated key during each time slot is of order O(r log (N/r)), where N is the number of users.In addition, in [14], the size of updated key during each time slot is of order O(r).
For simulation, we use Poisson distribution to simulate the number of revoked users at each time period, where α denotes the expected number of revoked users in each time slot.At a time slot t, we sample a random number ∆r t following the Poisson distribution parameterized by α, and ∆r t denotes the number of revoked users at time slot t.The total number r t of the revoked users up to time slot t is given by ∑ t t=0 ∆r t .We evaluate the key updating sizes in our RIBE, the RIBE in [10] and the RIBE in [14].Since all the our three schemes share the same updating complexity in each time plot, we only simulate our RIBE scheme without DKER and compare the results with the RIBE scheme in [10] and the RIBE scheme in [14].The simulation results for N = 2 20 In hybrid H γ , C invokes the simulator Sim provided by the garbled circuit scheme to generate the first γ garbled circuits { P0 , • • • , Pγ−1 }.Meanwhile, for i ∈ [0, γ − 1], the input of the Sim is the 2λ chameleon encryption ciphertexts {HEnc(k i , (h )} j∈[λ],b∈{0,1} .We stress that the 2λ labels satisfy lab j,0 = . Please note that Sim needs the hash value h Then C invokes sim to generate { P0 , • • • , Pγ−1 }, and invokes GCircuit to generate the rest circuits.Below is the detailed description of the generation of the challenge ciphertext by C. Assume A's challenge query as (id * , t * , M 0 , M 1 ).C first chooses a random bit θ, and encrypts M θ under id * in t * as follows: 1.
Define  ) in H (i−1) γ HEnc(k γ , (h If there is a PPT adversary A who can distinguish H i−1 γ,2 and H i γ,2 with a advantage for i ∈ [λ], we can construct a PPT distinguisher B 3 can use this adversary to break the security of the chameleon encryption scheme with the same advantage .B 3 simulates H i−1 γ,2 (H i γ,2 ) for A as follows: 1. B 3 receives a hash key k * from it own challenger C IND-CE of the chameleon encryption scheme.2.

3.
B 3 can perfectly simulates all oracles for A since these oracles do not need the trapdoor td γ anymore.4.
When receiving the challenge query (id * , t * , M * 0 , M * 1 ), B 3 sets x * = h   , where id of time t.The receiver id invokes RIBE.Dec(mpk, sk (t)id , ct) to decrypt the ciphertext and recover the plaintext.

Figure 1 .
Figure 1.System model of a server-aided revocable IBE.
1} ): The algorithm GCircuit takes a security parameter λ and a circuit C as input.This algorithm outputs a garbled circuit C and labels {lab w,b } w∈inp(C),b∈{0,1} where each lab w,b ∈ {0, 1} λ .Here inp(C) represents the set [ ] where is the bit-length of the input of the circuit C. • Eval( C, {lab w,x w } w∈inp(C) ) → y: The algorithm Eval takes as input a garbled circuit C and a set of label {lab w,x w } w∈inp(C) , and it outputs y.

Figure 5 .
Figure5.The illustration of KU (t) when users "000" and "010" have been revoked at time slot t.

Theorem 2 .
(Theorem 1 in [24]) If the underlying RIBE scheme in the above RIBE scheme Π is selective-IND-ID-CPA secure but without decryption key exposure resistance (DKER), and the underlying

Figure 7 .
Figure 7. Separation of Π.sk 111 to the server and the user "111" in SR-IBE Σ, where pk 111 is the public key and sk 111 is the private key of user "111".

Figure 8 .
Figure 8.The process of the SR-IBE scheme.
and N = 2 25 are shown in Figures 9 and 10 respectively.

Table 1 .
Comparison with RIBE schemes (in the standard model).Here N is the total number of users, r is the number of all revoked users and ∆r is the number of newly revoked users the past time slot.DKER means decryption key exposure resistance.
CDH Selective-IND-ID-CPA O(∆r(log N − log(∆r))) Our SR-IBE CDH Selective-IND-ID-CPA O(∆r(log N − log(∆r))) This algorithm RIBE.KG is run by the key authority which takes as input the key pair (mpk, msk), an identity id and the state st.The output of this algorithm is a private key sk In formula, m/⊥ ← RIBE.Dec(mpk, sk • Private Key Generation: id and an updated state st .In formula, (sk id , st ) ← RIBE.KG(mpk, msk, id, st).• Key Update Generation: This algorithm RIBE.KU is run by the authority.Given the key pair (mpk, msk), an update time t, and a state st, this algorithm updates the update key list KU and the the list of public information PL.In formula, st ← RIBE.KU(mpk, msk, t, st).• Decryption key generation: This algorithm RIBE.DK is run by the receiver.Given the master public key mpk, a private key sk id , the update key list KU and the time slot t, this algorithm outputs a decryption key sk (t) id for time slot t.In formula, sk (t) id ← RIBE.DK(mpk, sk id , KU, t).• Encryption: This algorithm RIBE.Enc is run by the sender.Given the public key mpk, a public list PL, an identity id, a time slot t and a message m, this algorithm outputs a ciphertext ct.In formula, ct ← RIBE.Enc(mpk, id, t, m, PL).• Decryption: This algorithm RIBE.Enc is run by the receiver.The algorithm takes as input the master public key mpk, the decryption key sk (t) id and the ciphertext ct, and outputs a message m or a failure symbol ⊥. id , ct).• Revocation: This algorithm RIBE.R is run by the key authority.Given a revoked identity id and the time slot t during which id is revoked and a state st = (KL, PL, RL, KU), this algorithm updates the revocation list RL with RL ← RL ∪ {(id, t)}.It outputs a new state st = (KL, PL, RL, KU).Correctness.For all (mpk, msk, st) ← RIBE.Setup(1 λ , N), all m ∈ M, all identity id ∈ ID, all time slot t ∈ T , and revocation list RL, for all (sk id , st ) ← RIBE.KG(msk, id, st), st ← RIBE.KU(msk, t, st), and sk (t) id ← RIBE.DK(mpk, sk id , KU, t), we have RIBE.Dec(mpk, sk (t) id , RIBE.Enc(mpk, id, t, m, PL)) = m if (id, t) /

Table 2 .
Three oracles that the adversary can query.Let RIBE = (RIBE.Setup, RIBE.KG, RIBE.KU, RIBE.DK, RIBE.Enc, RIBE.Dec, RIBE.R) be a revocable IBE scheme.Below describes an experiment played between a challenger C and a PPT adversary A.

•
The two plaintexts submitted by A have the same length, i.e., |M 0 | = |M 1 |.• The time slot t submitted to KU and RVK(•, •) by A is in ascending order.• If the challenger has published KU at time t, then it is not allowed to query oracle RVK(•, t ) with t < t. • If A has queried id * to oracle KG(•), then there must be query (id * , t) to oracle RVK(•) satisfies t < t * , i.e., id * must has been revoked before time t * .• If id * is not revoked at time t * , DK(•, •) cannot be queried on (id * , t * ).

3 .
Revocation oracle RVK(id, t).Upon receiving A's query an id and a t, C invokes st ← RIBE.R(id, t, st) and parses st = (KL, PL, RL, KU).It returns RL to A. H 0 : In this hybrid, we change how the challenger C answers oracle KG(id) and oracle KU(t).Recall that in H −1 , the subroutines NodeGen and LeafGen are involved in RIBE.KG when answering queries to the oracle KG, and the subroutines NodeChange and LeafChange are involved in RIBE.KU when answering queries to the oracle KU.A pseudo-random subroutine PRF(s, •) is invoked in all the four subroutines.Now in H 0 , this PRF(s, •) will be replaces by a truly subroutine RF(•).Note that C can efficiently implement the truly subroutine RF(•): Given a fresh input x, C chooses a random element R in {0, 1} λ as the output of RF(•).C records (x, R) locally.If x is not fresh, C retrieves R from its records.Any difference between H −1 and H 0 will lead to a distinguisher B 1 , who can distinguish PRF from RF. Hence • 1, • • • , n}: In this hybrid, challenger C changes the generation of the challenge ciphertext.Recall that the challenge ciphertext ct := lab ek id * ) which are the values attached to all nodes on the path from the root to id * .