Revocable Identity-Based Encryption and Server-Aided Revocable IBE from the Computational Diffie-Hellman Assumption ^†

Abstract

An Identity-based encryption (IBE) simplifies key management by taking users’ identities as public keys. However, how to dynamically revoke users in an IBE scheme is not a trivial problem. To solve this problem, IBE scheme with revocation (namely revocable IBE scheme) has been proposed. Apart from those lattice-based IBE, most of the existing schemes are based on decisional assumptions over pairing-groups. In this paper, we propose a revocable IBE scheme based on a weaker assumption, namely Computational Diffie-Hellman (CDH) assumption over non-pairing groups. Our revocable IBE scheme is inspired by the IBE scheme proposed by Döttling and Garg in Crypto2017. Like Döttling and Garg’s IBE scheme, the key authority maintains a complete binary tree where every user is assigned to a leaf node. To adapt such an IBE scheme to a revocable IBE, we update the nodes along the paths of the revoked users in each time slot. Upon this updating, all revoked users are forced to be equipped with new encryption keys but without decryption keys, thus they are unable to perform decryption any more. We prove that our revocable IBE is adaptive IND-ID-CPA secure in the standard model. Our scheme serves as the first revocable IBE scheme from the CDH assumption. Moreover, we extend our scheme to support Decryption Key Exposure Resistance (DKER) and also propose a server-aided revocable IBE to decrease the decryption workload of the receiver. In our schemes, the size of updating key in each time slot is only related to the number of newly revoked users in the past time slot.

1. Introduction

The concept of Identity-Based Encryption (IBE) was proposed by Shamir [1] in 1984. In an IBE scheme, the public key of a user can simply be the identity $\mathsf{id}$ of the user, like name, email address, etc. An IBE scheme considers three parties: key authority, sender and receiver. The key authority is in charge of generating secret key ${\mathsf{sk}}_{\mathsf{id}}$ for user $\mathsf{id}$. A sender simply encrypts plaintexts under the receiver’s identity $\mathsf{id}$ and the receiver uses his own secret key ${\mathsf{sk}}_{\mathsf{id}}$ for decryption. With IBE, there is no need for senders to ask for authenticated public keys from Public-Key Infrastructures, hence key management is greatly simplified.

Over the years, there have been many IBE schemes proposed from various assumptions in the standard model. Most of the assumptions are decisional ones, like the bilinear Diffie-Hellman assumption [2,3,4] over pairing-groups, or the decisional learning-with-errors (LWE) assumption from lattices [5,6,7]. Most recently, a breakthrough work was done by Döttling and Garg [8], who proposed the first IBE scheme based solely on the Computational Diffie-Hellman (CDH) assumption over groups free of pairings.

Though IBE enjoys the advantage of easy key management, how to revoke users in an IBE system is a non-trivial problem. It was Boneh and Franklin [9] who first proposed revocable IBE (RIBE) to solve the problem. Later, Boldyreva et al. [10] formalized the definition of selective-ID security and constructed a more efficient RIBE scheme based on a fuzzy IBE scheme [11]. Then Libert and Vergnaud proposed the first adaptive-ID secure revocable IBE scheme [12]. In [13], Seo and Emura strengthened the security model by introducing an additional important security notion, called Decryption Key Exposure Resistance (DKER). They also constructed a revocable IBE scheme in the strengthened model, and the security of this scheme is from the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Since then, most of the revocable IBE schemes constructed from pairing groups achieved DKER. For example, in the strengthened security model, Lee et al. [14] constructed a revocable IBE scheme via subset difference methods to reduce the size of key updating based on the DBDH assumption, and Watanabe et al. [15] introduced a new revocable IBE with short public parameters based on both the Decisional Diffie-Hellman (DDH) assumption and the Augmented Decisional Diffie-Hellman (ADDH) assumption over pairing-friendly group. Furthermore, Park et al. [16] constructed a revocable IBE whose key update cost is only $O(1)$, but the scheme relied on multilinear maps. Without pairing, it seems difficult to achieve DKER. In [17], Chen et al. proposed the first selective-ID secure revocable IBE scheme from the LWE assumption over lattices in the traditional security model (without DKER). Later, Takayasu and Watanabe [18] designed a lattice-based revocable IBE with bounded DKER. Meanwhile, to improve the decryption efficiency for the receiver, Qin et al. [19] provided a new model named Server-Aided Revocable Identity-Based Encryption (SR-IBE) which used a server as an intermediary to help the receiver to decrypt part of the ciphertext. In fact, the revocable property is so important that it is studied not only in IBE but also in Identity-Based Proxy Re-encryption [20], Fine-Grained Encryption of Cloud Data [21,22] and Attribute-Based Encryption [23]. It should be noted that bilinear pairings are essential techniques in these schemes [20,21,22,23].

Please Please note that all the existing RIBE schemes are based on assumptions over pairing-friendly groups or the LWE assumption over lattices. On the other hand, Döttling and Garg’s IBE scheme [8] is based on the CDH assumption over non-pairing group, but it does not consider user revocation. In this paper, we aim to fill the gap by designing RIBE from the CDH assumption without use of pairings.

1.1. Our Contributions

In this paper, we propose the first revocable IBE (RIBE) schemes and server-aided revocable IBE (SR-IBE) based on the Computational Diffie-Hellman (CDH) assumption over groups free of pairings. The corner stone of this scheme is the IBE scheme proposed by Döttling and Garg [8]. Our RIBE schemes enjoy the following features.

• Weaker security assumption. The securities of our RIBE and SR-IBE schemes can be reduced to the CDH assumption. Hence our schemes serve as the first RIBE/SR-IBE schemes from the CDH assumption over non-pairing groups. More precisely, our first RIBE scheme can achieve adaptive-IND-ID-CPA security but without the property of decryption key exposure resistance(DKER). Our second RIBE scheme obtains decryption key exposure resistance but with selective-IND-ID-CPA security. Our SR-IBE scheme is selective-SR-ID-CPA secure. The securities of the three schemes can be reduced to the CDH assumption.
• Smaller size of key updating. When a time slot begins, the key updating algorithm of our RIBE/SR-IBE will issue updating keys whose size is only linear to the number of newly revoked users in the past time slot. In comparison, most of the existing RIBE/SR-IBE schemes have to update keys whose number is related to the number of all revoked users across all the previous time slots.

In Table 1, we compare our RIBE scheme with some existing RIBE schemes.

Table 1. Comparison with RIBE schemes (in the standard model). Here N is the total number of users, r is the number of all revoked users and $\Delta r$ is the number of newly revoked users the past time slot. DKER means decryption key exposure resistance.

IBE	Security Assumption	Pairing Free	Security Model	Key Updating Size	DKER
[17]	LWE	✓	Selective-IND-ID-CPA	$O(r\log (N/r))$	×
[18]	LWE	✓	Selective-IND-ID-CPA	$O(r\log (N/r))$	Bounded
[10]	DBDH	×	Selective-IND-ID-CPA	$O(r\log (N/r))$	×
[12]	DBDH	×	Adaptive-IND-ID-CPA	$O(r\log (N/r))$	×
[13]	DBDH	×	Adaptive-IND-ID-CPA	$O(r\log (N/r))$	✓
[14]	DBDH	×	Adaptive-IND-ID-CPA	$O(r)$	✓
[15]	DDH and ADDH	×	Adaptive-IND-ID-CPA	$O(r\log (N/r))$	✓
[16]	Multilinear	×	Selective-IND-ID-CPA	$O(1)$	✓
Our RIBE 1	CDH	✓	Adaptive-IND-ID-CPA	$O(\Delta r(\log N-\log (\Delta r)))$	×
Our RIBE 2	CDH	✓	Selective-IND-ID-CPA	$O(\Delta r(\log N-\log (\Delta r)))$	✓
Our SR-IBE	CDH	✓	Selective-IND-ID-CPA	$O(\Delta r(\log N-\log (\Delta r)))$	✓

Remark 1.

Döttling and Garg’s IBE makes use of garbled circuits to implement the underlying cryptographic primitives. Hence it is prohibitive in terms of efficiency. Our RIBE inherits their idea, hence the efficiency of our RIBE scheme is also incomparable to the RIBE schemes from bilinear maps. However, since no RIBE scheme is available from the CDH assumption over non-pairing groups, our scheme serves as a theoretical exploration in the field of RIBE.

1.2. Paper Organization

In Section 2, we collect notations and some basic definitions used in the paper and present the framework. We illustrate our idea of RIBE in Section 3. In Section 4, we construct a revocable IBE scheme (without DKER) based on the CDH assumption and present the correctness and security analysis of the scheme. Then we show how to make our RIBE to obtain DKER in Section 5. In Section 6, we provide a SR-IBE scheme from the CDH assumption. In Section 7, we illustrate the key updating complexity analysis of our scheme.

2. Preliminaries

2.1. Notations

The security parameter is denoted by $\lambda$. “probabilistic polynomial-time” is abbreviated by “PPT”. Let $n,a$ and b be integers. Denote by $\left[n\right]$ the set $\{1,\cdots ,n\}$, by $[a,b]$ the set $\{a,a+1,\cdots ,b\}$, by ${\{0,1\}}^{*}$ the set of bit-strings of arbitrary length, and by ${\{0,1\}}^{\le \ell }$ the set of bit-strings of length at most ℓ. Let $\epsilon$ be an empty string. and $\left|v\right|$ be the bit-length of string v. Obviously, $\left|\epsilon \right|=0$. Denote by $x\left|\right|y$ the concatenation of two bit-strings x and y, by $x_i$ the i-th bit of x, by $x\stackrel{\$}{\leftarrow }\mathcal{S}$ the process of sampling the element x from the set $\mathcal{S}$ uniformly at random, and by $a\leftarrow \mathcal{X}$ the process of sampling the element a over the distribution $\mathcal{X}$. By $a\leftarrow f(·)$ we mean that a is the output of a function f. A function $\mathsf{negl}:\mathbb{N}\to \mathbb{R}$ is negligible if for any polynomial $p(\lambda )$ it holds that $\mathsf{negl}(\lambda )<1/p(\lambda )$ for all sufficiently large $\lambda \in \mathbb{N}$.

2.2. Pseudorandom Functions

Let PRF: $\mathcal{K}\times \mathcal{X}\to \mathcal{Y}$ be an efficiently computable function. For an adversary $\mathcal{A}$, define its advantage function as

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{PRF}}(1^{\lambda }):=|\mathrm{Pr}[b=1|k\stackrel{\$}{\leftarrow }\mathcal{K};b\leftarrow {\mathcal{A}}^{\mathsf{PRF}(k,·)}]-\mathrm{Pr}[b=1|b\leftarrow {\mathcal{A}}^{\mathsf{RF}(·)}\left]\right|,$$

where $\mathsf{RF}:\mathcal{X}\to \mathcal{Y}$ is a truly random function. PRF is a pseudorandom function (PRF) if the above advantage function Adv${}_{\mathcal{A}}^{\mathrm{PRF}}(1^{\lambda })$ is negligible for any PPT $\mathcal{A}$.

2.3. Revocable Identity-Based Encryption

A revocable IBE (RIBE) consists of seven PPT algorithms $\mathsf{RIBE}=(\mathsf{RIBE}.\mathsf{Setup},$$\mathsf{RIBE}.\mathsf{KG},\mathsf{RIBE}.\mathsf{KU},$$\mathsf{RIBE}.\mathsf{KU},\mathsf{RIBE}.\mathsf{Enc},\mathsf{RIBE}.\mathsf{Enc},\mathsf{RIBE}.\mathsf{R})$. Let $\mathcal{M}$ denote the message space, $\mathcal{ID}$ the identity space and $\mathcal{T}$ the space of time slots.

• Setup: The setup algorithm $\mathsf{RIBE}.\mathsf{Setup}$ is run by the key authority. The input of the algorithm is a security parameter $\lambda$ and n, where the maximal number of users is $2^n$. The output of this algorithm consists of a pair of key $(\mathsf{mpk},\mathsf{msk})$, an initial state st = (KL, PL, RL, KU), where KL is the key list, PL is the list of public information, RL is the list of revoked users and KU is the update key list. In formula, $(\mathsf{mpk},\mathsf{msk},\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },1^n).$
• Private Key Generation: This algorithm $\mathsf{RIBE}.\mathsf{KG}$ is run by the key authority which takes as input the key pair $(\mathsf{mpk},\mathsf{msk})$, an identity $\mathsf{id}$ and the state st. The output of this algorithm is a private key ${\mathsf{sk}}_{\mathsf{id}}$ and an updated state ${\mathsf{st}}^{\prime }$. In formula, $({\mathsf{sk}}_{\mathsf{id}},{\mathsf{st}}^{\prime })\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{mpk},\mathsf{msk},\mathsf{id},\mathsf{st})$.
• Key Update Generation: This algorithm $\mathsf{RIBE}.\mathsf{KU}$ is run by the authority. Given the key pair $(\mathsf{mpk},\mathsf{msk})$, an update time $\mathsf{t}$, and a state st, this algorithm updates the update key list $\mathsf{KU}$ and the the list of public information $\mathsf{PL}$. In formula, ${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{mpk},\mathsf{msk},\mathsf{t},\mathsf{st})$.
• Decryption key generation: This algorithm $\mathsf{RIBE}.\mathsf{DK}$ is run by the receiver. Given the master public key $\mathsf{mpk}$, a private key ${\mathsf{sk}}_{\mathsf{id}}$, the update key list $\mathsf{KU}$ and the time slot $\mathsf{t}$, this algorithm outputs a decryption key ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$ for time slot $\mathsf{t}$. In formula, ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},\mathsf{KU},\mathsf{t}).$
• Encryption: This algorithm $\mathsf{RIBE}.\mathsf{Enc}$ is run by the sender. Given the public key $\mathsf{mpk}$, a public list PL, an identity id, a time slot $\mathsf{t}$ and a message m, this algorithm outputs a ciphertext $\mathsf{ct}$. In formula, $\mathsf{ct}\leftarrow \mathsf{RIBE}.\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL})$.
• Decryption: This algorithm $\mathsf{RIBE}.\mathsf{Enc}$ is run by the receiver. The algorithm takes as input the master public key $\mathsf{mpk}$, the decryption key ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$ and the ciphertext $\mathsf{ct}$, and outputs a message m or a failure symbol ⊥. In formula, $m/\perp \leftarrow \mathsf{RIBE}.\mathsf{Dec}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$.
• Revocation: This algorithm $\mathsf{RIBE}.\mathsf{R}$ is run by the key authority. Given a revoked identity $\mathsf{id}$ and the time slot $\mathsf{t}$ during which $\mathsf{id}$ is revoked and a state $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$, this algorithm updates the revocation list $\mathsf{RL}$ with $\mathsf{RL}\leftarrow \mathsf{RL}\cup \{(\mathsf{id},\mathsf{t})\}$. It outputs a new state ${\mathsf{st}}^{\prime }=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$.

Correctness. 

For all $(\mathsf{mpk},\mathsf{msk},\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },N),$ all $m\in \mathcal{M}$, all identity $\mathsf{id}\in \mathcal{ID}$, all time slot $\mathsf{t}\in \mathcal{T}$, and revocation list $\mathsf{RL}$, for all $({\mathsf{sk}}_{\mathsf{id}},{\mathsf{st}}^{\prime })\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id},\mathsf{st})$, ${\mathsf{st}}^{″}\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$, and ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},$$\mathsf{KU},\mathsf{t}),$ we have $\mathsf{RIBE}.\mathsf{Dec}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{RIBE}.\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL}))=m$ if $(\mathsf{id},\mathsf{t})\notin \mathsf{RL}$(i.e., $\mathsf{id}$ is not revoked at time t) and $\mathsf{PL}\in {\mathsf{st}}^{″}$.

Now we explain how a revocable IBE system works. To setup the system, the key authority invokes $\mathsf{RIBE}.\mathsf{Setup}$ to generate master public key $\mathsf{mpk}$, master secret key $\mathsf{msk}$ and the state $\mathsf{st}$. Then it publishes the public key $\mathsf{mpk}$. When a user registers in the system with identity $\mathsf{id}$, the key authority invokes $\mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id},\mathsf{st})$ to generate the private key ${\mathsf{sk}}_{\mathsf{id}}$ for user $\mathsf{id}$. If a user $\mathsf{id}$ needs to be revoked during time slot $\mathsf{t}$, the key authority invokes $\mathsf{RIBE}.\mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$. Next it updates the state $\mathsf{st}$. At the beginning of each time slot $\mathsf{t}$, the key authority might invoke $\mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$ to update keys by updating set $\mathsf{KU}$. Then it publishes some information about the updated set $\mathsf{KU}$. Meanwhile it may also publish some public information $\mathsf{PL}$. During time slot $\mathsf{t}$, when a user wants to send a message m to another user $\mathsf{id}$, he/she invokes $\mathsf{RIBE}.\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL})$ to encrypt m to obtain the ciphertext $\mathsf{ct}$, then sends $(\mathsf{t},\mathsf{ct})$ to user $\mathsf{id}$. To decrypt a ciphertext $\mathsf{ct}$ encrypted at time $\mathsf{t}$, the receiver $\mathsf{id}$ first invokes $\mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},$$\mathsf{KU},\mathsf{t})$ to generate its own decryption key ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$ of time t. The receiver $\mathsf{id}$ invokes $\mathsf{RIBE}.\mathsf{Dec}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$ to decrypt the ciphertext and recover the plaintext.

Remark. 

In the definition of our RIBE, KL is the key list which stores the essential information used to generate the update key. PL is a public information list which is used in the encryption algorithm. In the traditional definition of RIBE in other works, no PL is defined. However, in our construction, PL will serve as an essential input to the encryption algorithm and that is the reason we define it. Nevertheless, our definition can be regarded as a general one, while the traditional definition of RIBE can be seen as a special case of $\mathsf{PL}=\varnothing$.

Security. 

Now we formalize the security of a revocable IBE. We first consider four oracles: private key generation oracle $\mathrm{KG}(·)$, key update oracle $\mathrm{KU}$, decryption key generation oracle $\mathrm{DK}(·,·)$ and revocation oracle $\mathrm{Rvk}(·,·)$ which are shown in Table 2. The security of adaptive-IND-ID-CPA defines as follows.

Table 2. Three oracles that the adversary can query.

$\underline{\mathsf{KG}(\mathsf{id}):}$	$\underline{\mathsf{KU}:}$
$({\mathsf{sk}}_{\mathsf{id}},{\mathsf{st}}^{\prime })\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id},\mathsf{st})$	${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$
	$\mathsf{st}:={\mathsf{st}}^{\prime }$.
	Parse $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$
Output ${\mathsf{sk}}_{\mathsf{id}}$.	Output $(\mathsf{KU}$, $\mathsf{PL})$.
$\underline{\mathrm{Rvk}(\mathsf{id},\mathsf{t}):}$	$\underline{\mathrm{DK}(\mathsf{id},\mathsf{t}):}$
${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.\mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$	$({\mathsf{sk}}_{\mathsf{id}},{\mathsf{st}}^{\prime })\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id},\mathsf{st})$
${\mathsf{st}}^{\prime }:=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$	${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},\mathsf{KU},\mathsf{t})$
Output $\mathsf{RL}$.	Output ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$.

Definition 1.

Let $\mathit{RIBE}=(\mathit{RIBE}.\mathit{Setup},\mathit{RIBE}.\mathit{KG},$$\mathit{RIBE}.\mathit{KU},\mathit{RIBE}.\mathit{DK},$$\mathit{RIBE}.\mathit{Enc},$$\mathit{RIBE}.\mathit{Dec},\mathit{RIBE}.R)$ be a revocable IBE scheme. Below describes an experiment played between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$.

$\begin{array}{l}{\mathit{EXP}}_{\mathcal{A}}^{\mathit{adaptive}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda ):\\ (\mathit{mpk},\mathit{msk},\mathit{st})\leftarrow \mathit{RIBE}.\mathit{Setup}(1^{\lambda },1^n);\\ \mathit{Parse}\mathit{st}=(\mathit{KL},\mathit{PL},\mathit{RL},\mathit{KU});\\ (M_0,M_1,{\mathit{id}}^{*},t^{*},\overline{{\mathrm{st}}_{\mathcal{A}}})\leftarrow {\mathcal{A}}^{\mathrm{KG}(·),\mathrm{KU},\mathrm{Rvk}(·,·)}(\mathit{mpk});\\ \theta \stackrel{\$}{\leftarrow }\{0,1\};\\ {\mathit{ct}}^{*}\leftarrow \mathit{RIBE}.\mathit{Enc}(\mathit{mpk},{\mathit{id}}^{*},t^{*},M_{\theta },\mathit{PL})\\ {\theta }^{\prime }\leftarrow {\mathcal{A}}^{\mathrm{KG}(·),\mathrm{KU},\mathrm{DK}(·,·),\mathrm{Rvk}(·,·)}({\mathit{ct}}^{*},\overline{{\mathit{st}}_{\mathcal{A}}})\\ \mathit{If}\theta ={\theta }^{\prime }\mathit{Return}1;\mathit{If}\theta \ne {\theta }^{\prime }\mathit{Return}0.\end{array}$

The experiment has the following requirements for $\mathcal{A}$.

• The two plaintexts submitted by $\mathcal{A}$ have the same length, i.e., $|M_0|=|M_1|$.
• The time slot $t$ submitted to $\mathrm{KU}$ and $\mathrm{Rvk}(·,·)$ by $\mathcal{A}$ is in ascending order.
• If the challenger has published $\mathrm{KU}$ at time $t$, then it is not allowed to query oracle $\mathrm{Rvk}(·,t^{\prime })$ with $t^{\prime }<t$.
• If $\mathcal{A}$ has queried ${\mathit{id}}^{*}$ to oracle $\mathrm{KG}(·)$, then there must be query $({\mathit{id}}^{*},t)$ to oracle $\mathrm{Rvk}(·)$ satisfies $t<t^{*}$, i.e., ${\mathit{id}}^{*}$ must has been revoked before time $t^{*}$.
• If ${\mathit{id}}^{*}$ is not revoked at time $t^{*}$, $\mathrm{DK}(·,·)$ cannot be queried on $({\mathit{id}}^{*},t^{*})$.

A revocable IBE scheme is adaptive-IND-ID-CPA secure (with DKER) if for all PPT adversary $\mathcal{A}$, the following advantage is negligible in the security parameter λ, i.e.,

$${\mathbf{Adv}}_{\mathit{RIBE},\mathcal{A}}^{\mathit{adaptive}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )=|\mathrm{Pr}[{\mathit{EXP}}_{\mathcal{A}}^{\mathit{adaptive}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )=1]-1/2|=\mathit{negl}(\lambda ).$$

Remark 2.

The security definition without DKER is similarly defined with changing the experiment so that an adversary $\mathcal{A}$ is not allowed to make any decryption key reveal query, i.e., $\mathcal{A}$ cannot query for the oracle $\mathrm{DK}(·,·)$.Next we define selective-IND-ID-CPA security for RIBE, where the adversary has to determine the target identity ${\mathit{id}}^{*}$, target time slot $t^{*}$ at the beginning of the experiment. Clearly, selective-IND-ID-CPA security is weaker than adaptive-IND-ID-CPA security.

Definition 2.

Let $\mathit{RIBE}=(\mathit{RIBE}.\mathit{Setup},\mathit{RIBE}.\mathit{KG},$$\mathit{RIBE}.\mathit{KU},\mathit{RIBE}.\mathit{DK},$$\mathit{RIBE}.\mathit{Enc},$$\mathit{RIBE}.\mathit{Dec},\mathit{RIBE}.R)$ be a revocable IBE scheme. Below describes an experiment played between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$.

$\begin{array}{l}{\mathit{EXP}}_{\mathcal{A}}^{\mathit{selective}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda ):\\ ({\mathit{id}}^{*},t^{*})\leftarrow \mathcal{A}\\ (\mathit{mpk},\mathit{msk},\mathit{st})\leftarrow \mathit{RIBE}.\mathit{Setup}(1^{\lambda },1^n);\\ \mathit{Parse}\mathit{st}=(\mathit{KL},\mathit{PL},\mathit{RL},\mathit{KU});\\ (M_0,M_1,\overline{{\mathit{st}}_{\mathcal{A}}})\leftarrow {\mathcal{A}}^{\mathrm{KG}(·),\mathrm{KU},\mathrm{Rvk}(·,·)}(\mathit{mpk});\\ \theta \stackrel{\$}{\leftarrow }\{0,1\};\\ {\mathit{ct}}^{*}\leftarrow \mathit{RIBE}.\mathit{Enc}(\mathit{mpk},{\mathit{id}}^{*},t^{*},M_{\theta },\mathit{PL})\\ {\theta }^{\prime }\leftarrow {\mathcal{A}}^{\mathrm{KG}(·),\mathrm{KU},\mathrm{DK}(·,·),\mathrm{Rvk}(·,·)}({\mathit{ct}}^{*},\overline{{\mathit{st}}_{\mathcal{A}}})\\ \mathit{If}\theta ={\theta }^{\prime }\mathit{Return}1;\mathit{If}\theta \ne {\theta }^{\prime }\mathit{Return}0\end{array}$.

The requirements for $\mathcal{A}$ in this experiment are the same as the requirements in ${\mathit{EXP}}_{\mathcal{A}}^{\mathit{adaptive}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )$. A revocable IBE scheme is selective-IND-ID-CPA secure (with DKER) if for all PPT adversary $\mathcal{A}$, the following advantage is negligible in the security parameter λ, i.e.,

$${\mathbf{Adv}}_{\mathit{RIBE},\mathcal{A}}^{\mathit{selective}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )=|\mathrm{Pr}[{\mathit{EXP}}_{\mathcal{A}}^{\mathit{selective}-\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )=1]-1/2|=\mathit{negl}(\lambda ).$$

Selective-IND-ID-CPA security without DKER is defined can be similarly defined by changing the experiment so that an adversary $\mathcal{A}$ is not allowed to query for the oracle $\mathrm{DK}(·,·)$.

2.4. Server-Aided Revocable Identity-Based Encryption

In a server-aided revocable identity-based encryption scheme [19], there are four parities and they work as follows (as shown in Figure 1):

Figure 1. System model of a server-aided revocable IBE.

• Key Authority generates a public key and a secret key for every registered user and issues the secret key to the user and the public key to the server. In each time slot, the key authority delivers a update key list (to revoke users) to the server.
• Sender encrypts a message for an identity and a time slot and sends the ciphertext to the server.
• Sever combines the update key list and the stored users’ public keys to generate the transformation keys in every time slot for all users. When receiving a ciphertext, the server transforms it to a partially decrypted ciphertext using the transformation key corresponding to the receiver’s identity and the corresponding time slot. Then it sends the partially decrypted ciphertext to the receiver.
• Receiver recovers the sender’s message from the partially decrypted ciphertext using a decryption key which can be generated by his/her own secret key and the corresponding time slot.

Now, we formally define Server-Aided Revocable Identity Based Encryption (SR-IBE) which was first proposed by Qin et al. [19]. A SR-IBE scheme consists of ten PPT algorithms $\Sigma =(\mathrm{Setup},\mathrm{PubKG},$$\mathrm{KU},\mathrm{TranKG},\mathrm{PrivKG},\mathrm{DK},$$\mathrm{Enc},\mathrm{Transform},\mathrm{Dec},\mathrm{R})$. Let $\Sigma .\mathcal{M}$ denote the message space, $\Sigma .\mathcal{ID}$ the identity space and $\Sigma .\mathcal{T}$ the space of time slots.

• Setup: The setup algorithm $\mathsf{Setup}$ is run by the key authority. The input of the algorithm is a security parameter $\lambda$ and a parameter n, which indicates that the maximal number of users is $2^n$. The output of this algorithm consists of a pair of key $(\mathsf{msk},\mathsf{mpk})$ and an initial state $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$, where $\mathsf{KL}$ is the key list, $\mathsf{PL}$ is the list of public information, $\mathsf{RL}$ is the list of revoked users and $\mathsf{KU}$ is the update key list. In formula, $(\mathsf{msk},\mathsf{mpk},\mathsf{st})\leftarrow \mathsf{Setup}(1^{\lambda },1^n).$
• Public Key Generation: The public key generation algorithm $\mathsf{PubKG}$ is run by the key authority. It takes as input a master secret key $\mathsf{msk}$, an identity $\mathrm{id}\in {\{0,1\}}^n$ and a state $\mathsf{st}$. The output of this algorithm is the public key ${\mathsf{pk}}_{\mathsf{id}}$ on identity $\mathsf{id}$. In formula, ${\mathsf{pk}}_{\mathsf{id}}\leftarrow \mathsf{PubKG}(\mathsf{msk},\mathsf{id},\mathsf{st})$.
• Key Update Generation: The key update generation algorithm $\mathsf{KU}$ is run by the key authority. It takes as input a master secret key $\mathsf{msk}$, an update time $\mathsf{t}$ and a state $\mathsf{st}$. The output of this algorithm is an update key list ${\mathsf{KU}}^{(\mathsf{t})}$ and an updated state ${\mathsf{st}}^{\prime }$. In formula, $({\mathsf{KU}}^{(\mathsf{t})},{\mathsf{st}}^{\prime })\leftarrow \mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$.
• Transformation Key Generation: The transformation key generation algorithm $\mathsf{TranKG}$ is run by the server. It takes as input the master public key $\mathsf{mpk}$, the public key ${\mathsf{pk}}_{\mathsf{id}}$ and an update key list ${\mathsf{KU}}^{(\mathsf{t})}$. The output of this algorithm is the transformation key ${\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})}$. In formula, ${\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{TranKG}(\mathsf{mpk},{\mathsf{pk}}_{\mathsf{id}},{\mathsf{KU}}^{(\mathsf{t})})$.
• Private Key Generation: The private key generation algorithm $\mathsf{PrivKG}$ is run by the key authority. It takes the master secret key $\mathsf{msk}$ and an identity $\mathsf{id}\in {\{0,1\}}^n$ as input. The output of this algorithm is the private key ${\mathsf{sk}}_{\mathsf{id}}$ on identity $\mathsf{id}$. In formula, ${\mathsf{sk}}_{\mathsf{id}}\leftarrow \mathsf{PrivKG}(\mathsf{msk},\mathsf{id})$.
• Decryption Key Generation: The decryption key generation algorithm $\mathsf{DK}$ is run by the receiver. It takes the secret key ${\mathsf{sk}}_{\mathsf{id}}$ and a slot $\mathsf{t}$ as input. The output of this algorithm is the decryption key ${\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})}$. In formula, ${\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{DK}({\mathsf{sk}}_{\mathsf{id}},\mathsf{t})$.
• Encryption: The encryption algorithm $\mathsf{Enc}$ is run by the sender. It takes the master public key $\mathsf{mpk}$, an identity $\mathsf{id}$, a time plot $\mathsf{t}$, a plaintext message $\mathsf{m}$ and a public list $\mathsf{PL}$ as the input. The output of this algorithm is the ciphertext $\mathsf{ct}$. In formula, $\mathsf{ct}\leftarrow \mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL})$.
• Transformation: The transformation algorithm $\mathsf{transform}$ is run by the server. It takes the master public key $\mathsf{mpk}$, the transformation key ${\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})}$ and the ciphertext $\mathsf{ct}$ as the input. The output of this algorithm is the partially decrypted ciphertext ${\mathsf{ct}}^{\prime }$. In formula, ${\mathsf{ct}}^{\prime }\leftarrow \mathsf{Transform}(\mathsf{mpk},$${\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$.
• Decryption: The decryption algorithm $\mathsf{Dec}$ is run by the receiver. The input of this algorithm consists of the master public key $\mathsf{mpk}$, the decryption key ${\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})}$ and the partially decrypted ciphertext ${\mathsf{ct}}^{\prime }$. The output of this algorithm is the plaintext $\mathsf{m}$. In formula, $\mathrm{m}\leftarrow \mathsf{Dec}(\mathsf{mpk},{\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})},{\mathsf{ct}}^{\prime })$.
• Revocation: The revocation algorithm $\mathsf{R}$ is run by the key authority. The input of this algorithm consists of an identity $\mathsf{id}$, a time plot $\mathsf{t}$ and a state $\mathsf{st}$. The output of this algorithm is the updated state ${\mathsf{st}}^{\prime }$. In formula, ${\mathsf{st}}^{\prime }\leftarrow \mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$.

Correctness. 

The correctness requires that for all message $\mathsf{m}$, if the receiver is not revoked at time period $\mathsf{t}$ and all parties follow the algorithms above, then we have $\mathsf{m}\leftarrow \mathsf{Dec}(\mathsf{mpk},{\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{Transform}(\mathsf{mpk},{\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct}))$.

Security. 

Now we formalize the security of SR-IBE. We first consider five oracles: public key generation oracle $\mathrm{PubKG}(·)$, key update oracle $\mathrm{KU}$, private key generation oracle $\mathrm{PrivKG}(·)$, decryption key generation oracle $\mathrm{DK}(·,·)$ and revocation oracle $\mathrm{Rvk}(·,·)$ which are shown in Table 3. The selective-SR-ID-CPA security is defined as follows.

Table 3. Five oracles that the adversary of a SR-IBE scheme can query.

$\underline{\mathrm{PubKG}(\mathsf{id}):}$	$\underline{\mathrm{KU}:}$
${\mathsf{pk}}_{\mathsf{id}}\leftarrow \mathsf{PubKG}(\mathsf{msk},\mathsf{id},\mathsf{st})$	${\mathsf{st}}^{\prime }\leftarrow \mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$
Output ${\mathsf{pk}}_{\mathsf{id}}$.	$\mathsf{st}:={\mathsf{st}}^{\prime }$.
$\underline{\mathrm{PrivKG}(\mathsf{id}):}$	Parse $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$
${\mathsf{sk}}_{\mathsf{id}}\leftarrow \mathsf{PrivKG}(\mathsf{msk},\mathsf{id})$	Output $(\mathsf{KU}$, $\mathsf{PL})$.
Output ${\mathsf{sk}}_{\mathsf{id}}$.
$\underline{\mathrm{Rvk}(\mathsf{id},\mathsf{t}):}$	$\underline{\mathrm{DK}(\mathsf{id},\mathsf{t}):}$
${\mathsf{st}}^{\prime }\leftarrow \mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$	${\mathsf{sk}}_{\mathsf{id}}\leftarrow \mathsf{PrivKG}(\mathsf{msk},\mathsf{id})$
${\mathsf{st}}^{\prime }:=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$	${\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{DK}({\mathsf{sk}}_{\mathsf{id}},\mathsf{t})$
Output $\mathsf{RL}$.	Output ${\mathsf{Dk}}_{\mathsf{id}}^{(\mathsf{t})}$.

Definition 3.

Let $\Sigma =(\mathit{Setup},\mathit{PubKG},$$\mathit{KU},\mathit{TranKG},\mathit{PrivKG},\mathit{DK},$$\mathit{Enc},\mathit{Transform},\mathit{Dec},R)$ be a server-aided revocable IBE scheme. Below describes an experiment played between a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$.

$\begin{array}{l}{\mathit{EXP}}_{\mathcal{A}}^{\mathit{selective}-\mathit{SR}-\mathit{ID}-\mathit{CPA}}(\lambda ):\\ ({\mathit{id}}^{*},t^{*})\leftarrow \mathcal{A};\\ (\mathit{mpk},\mathit{msk},\mathit{st})\leftarrow \mathit{Setup}(1^{\lambda },1^n);\\ \mathit{Parse}\mathit{st}=(\mathit{KL},\mathit{PL},\mathit{RL},\mathit{KU});\\ (m_0,m_1,{\mathit{st}}_{\mathcal{A}})\leftarrow {\mathcal{A}}^{\mathrm{PubKG}(·),\mathrm{KU},\mathrm{PrivKG}(·),\mathrm{DK}(·,·),\mathrm{Rvk}(·,·)}(\mathit{mpk});\\ \theta \stackrel{\$}{\leftarrow }\{0,1\};\\ {\mathit{ct}}^{*}\leftarrow \mathit{Enc}(\mathit{mpk},{\mathit{id}}^{*},t^{*},m,\mathit{PL}));\\ {\theta }^{\prime }\leftarrow {\mathcal{A}}^{\mathrm{PubKG}(·),\mathrm{KU},\mathrm{PrivKG}(·),\mathrm{DK}(·,·),\mathrm{Rvk}(·,·)}(\mathit{mpk},{\mathit{ct}}^{*},{\mathit{st}}_{\mathcal{A}});\\ \mathit{If}\theta ={\theta }^{\prime }\mathit{Return}1;\mathit{If}\theta \ne {\theta }^{\prime }\mathit{Return}0\end{array}$.

The experiment has the following requirements for $\mathcal{A}$.

• The two plaintexts submitted by $\mathcal{A}$ have the same length, i.e., $|m_0|=|m_1|$.
• The time slot $t$ submitted to $\mathrm{KU}$ and $\mathrm{Rvk}(·,·)$ by $\mathcal{A}$ is in ascending order.
• If the challenger has published $\mathrm{KU}$ at time $t$, then it is not allowed to query oracle $\mathrm{Rvk}(·,t^{\prime })$ with $t^{\prime }<t$.
• If $\mathcal{A}$ has queried ${\mathit{id}}^{*}$ to oracle $\mathrm{PrivKG}(·)$, then there must exist a query $({\mathit{id}}^{*},t)$ to oracle $\mathrm{Rvk}(·)$ satisfying $t<t^{*}$, i.e., ${\mathit{id}}^{*}$ must has been revoked before time $t^{*}$.
• If ${\mathit{id}}^{*}$ is not revoked at time $t^{*}$, $\mathrm{DK}(·,·)$ cannot be queried on $({\mathit{id}}^{*},t^{*})$.

A server-aided revocable IBE scheme is selective-SR-ID-CPA secure (with DKER) if for all PPT adversary $\mathcal{A}$, the following advantage is negligible in the security parameter λ, i.e.,

$${\mathbf{Adv}}_{\mathit{SR}-\mathit{IBE},\mathcal{A}}^{\mathit{selective}-\mathit{SR}-\mathit{ID}-\mathit{CPA}}(\lambda )=|\mathrm{Pr}[{\mathbf{EXP}}_{\mathcal{A}}^{\mathit{selective}-\mathit{SR}-\mathit{ID}-\mathit{CPA}}(\lambda )=1]-1/2|=\mathit{negl}(\lambda ).$$

2.5. Garbled Circuits

A garbled circuits scheme consists of two PPT algorithms $(\mathsf{GCircuit},\mathsf{Eval})$.

• $\mathsf{GCircuit}(\lambda ,\mathsf{C})\to (\tilde{\mathsf{C}},{\left\{{\mathsf{lab}}_{w,b}\right\}}_{w\in \mathsf{inp}(\mathsf{C}),b\in \{0,1\}})$: The algorithm $\mathsf{GCircuit}$ takes a security parameter $\lambda$ and a circuit $\mathsf{C}$ as input. This algorithm outputs a garbled circuit $\tilde{\mathsf{C}}$ and labels ${\left\{{\mathsf{lab}}_{w,b}\right\}}_{w\in \mathsf{inp}(\mathsf{C}),b\in \{0,1\}}$ where each ${\mathsf{lab}}_{w,b}\in {\{0,1\}}^{\lambda }$. Here $\mathsf{inp}(\mathsf{C})$ represents the set [ℓ] where ℓ is the bit-length of the input of the circuit $\mathsf{C}$.
• $\mathsf{Eval}(\tilde{\mathsf{C}},{\left\{{\mathsf{lab}}_{w,x_w}\right\}}_{w\in \mathsf{inp}(\mathsf{C})})\to y$: The algorithm $\mathsf{Eval}$ takes as input a garbled circuit $\tilde{\mathsf{C}}$ and a set of label ${\left\{{\mathsf{lab}}_{w,x_w}\right\}}_{w\in \mathsf{inp}(\mathsf{C})}$, and it outputs y.

Correctness. 

In a garbled circuit scheme, for any circuit $\mathsf{C}$ and an input $x\in {\{0,1\}}^{\ell }$, it holds that

$$\mathrm{Pr}[\mathsf{C}(x)=\mathsf{Eval}(\tilde{\mathsf{C}},\left\{{\mathsf{lab}}_{w,x_w}\right\}{}_{w\in \mathsf{inp}(\mathsf{C})})]=1$$

where $(\tilde{\mathsf{C}},\left\{{\mathsf{lab}}_{w,b}\right\}{}_{w\in \mathsf{inp}(\mathsf{C}),b\in \{0,1\}})\leftarrow \mathsf{GCircuit}(1^{\lambda },\mathsf{C})$.

Security. 

In a garbled circuit scheme, the security means that there is a PPT simulator $\mathsf{Sim}$ such that for any $\mathsf{C},x$ and for any PPT adversary $\mathcal{A}$, the following advantage of $\mathcal{A}$ is negligible in the security parameter $\lambda$:

$${\mathbf{Adv}}_{\mathcal{A}}^{GC}(\lambda )=|\mathrm{Pr}[\mathcal{A}(\tilde{\mathsf{C}},\left\{{\mathsf{lab}}_{w,x_w}\right\}{}_{w\in \mathsf{inp}(\mathsf{C})})=1]-\mathrm{Pr}[\mathcal{A}(\mathsf{Sim}(1^{\lambda },\mathsf{C}(\mathsf{x})))=1]|=\mathsf{negl}(\lambda ),$$

where $(\tilde{\mathsf{C}},\left\{{\mathsf{lab}}_{w,b}\right\}{}_{w\in \mathsf{inp}(\mathsf{C}),b\in \{0,1\}})\leftarrow \mathsf{GCircuit}(1^{\lambda },\mathsf{C})$.

2.6. Computational Diffie-Hellman Assumption

Let $(\mathbb{G},g,p)\leftarrow \mathsf{GGen}(1^{\lambda })$ be a group generation algorithm which outputs a cyclic group $\mathbb{G}$ of order p and a generator of $\mathbb{G}$.

Definition 4.

[CDH Assumption]The computational Diffie-Hellman (CDH) assumption holds w.r.t. GGen, if for any PPT algorithm $\mathcal{A}$ its advantage ϵ in solving computational Diffie-Hellman (CDH) assumption in $\mathbb{G}$ is negligible. In formula, $Pr\left[\mathcal{A}(g,g^a,g^b)=g^{ab}|(\mathbb{G},g,p)\leftarrow \mathit{GGen}(1^{\lambda });a,b\leftarrow {\mathbb{Z}}_p\right]=\mathit{negl}(\lambda )$.

2.7. Chameleon Encryption

A chameleon encryption scheme has five PPT algorithms $\mathsf{CE}=(\mathsf{HGen},\mathsf{H},{\mathsf{H}}^{-1},$$\mathsf{HEnc},\mathsf{HDec})$.

• HGen: The algorithm $\mathsf{HGen}$ takes the security parameter $\lambda$ and a message-length n as input. This algorithm outputs a key k and a trapdoor t.
• H: The algorithm $\mathsf{H}$ takes the key k, a message $x\in {\{0,1\}}^n$ and a randomness r as input. This algorithm outputs a hash value h and the length of h is $\lambda$.
• ${\mathsf{H}}^{-1}$: The algorithm ${\mathsf{H}}^{-1}$ takes a trapdoor t, a previously used message $x\in {\{0,1\}}^n$, random coins r and a message $x^{\prime }\in {\{0,1\}}^n$ as input. It outputs $r^{\prime }$.
• HEnc: The algorithm $\mathsf{HEnc}$ takes a key k, a hash value h, an index $i\in \left[n\right]$, a bit $b\in \{0,1\}$, and a message $m\in {\{0,1\}}^{*}$ as input. It outputs a ciphertext $ct$.
• HDec: The algorithm $\mathsf{HDec}$ takes a key k, a message $x\in {\{0,1\}}^n$, a randomness r and a ciphertext $ct$ as input. It outputs a value m or ⊥.

The chameleon encryption scheme enjoys the following properties:

• Uniformity. For all $x,x^{\prime }\in {\{0,1\}}^n$,if both r and $r^{\prime }$ are chosen uniformly at random, the two distribution $\mathsf{H}(k,x;r)$ and $\mathsf{H}(k,x^{\prime };r^{\prime })$ are statistically indistinguishable.
• Trapdoor Collisions. For any $x,x^{\prime }\in {\{0,1\}}^n$ and r, if $(k,t)\leftarrow \mathsf{HGen}(1^{\lambda },n)$ and $r^{\prime }\leftarrow {\mathsf{H}}^{-1}(t,(x,r),x^{\prime })$, then it holds that $\mathsf{H}(k,x;r)=\mathsf{H}(k,x^{\prime };r^{\prime }).$ Moreover, if r is chosen uniformly and randomly, $r^{\prime }$ is statistically close to uniform.
• Correctness. For all $x\in {\{0,1\}}^n$, randomness r, index $i\in \left[n\right]$ and message m, if $(k,t)\leftarrow \mathsf{HGen}(1^{\lambda },n)$, $h\leftarrow \mathsf{H}(k,x;r)$ and $ct\leftarrow \mathsf{HEnc}(k,(h,i,x_i),m)$, then $\mathsf{HDec}(k,ct,(x,r))=m$
• Security. For a PPT adversary $\mathcal{A}$ against a chameleon encryption, consider the following experiment:

  $\begin{array}{l}{\mathbf{EXP}}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CE}}(\lambda ):\\ (k,t)\leftarrow \mathsf{HGen}(1^{\lambda },n).\\ (x,r,i,m_0,m_1)\leftarrow \mathcal{A}(k).\\ b\stackrel{\$}{\leftarrow }\{0,1\}.\\ ct\leftarrow \mathsf{HEnc}(k,(\mathsf{H}(k,x;r),i,1-x_i),m_b).\\ b^{\prime }\leftarrow \mathcal{A}(k,ct,(x,r)).\\ \mathrm{Output} 1 \mathrm{if} b=b^{\prime } \mathrm{and} 0 \mathrm{otherwise}.\end{array}$

  The security of a chameleon encryption defines as follows: For any PPT adversary $\mathcal{A}$, the advantage of $\mathcal{A}$ in experiment ${\mathbf{EXP}}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CE}}(\lambda )$ satisfies $|\mathrm{Pr}[{\mathbf{Adv}}_{\mathcal{A}}^{\mathrm{IND}-\mathrm{CE}}(\lambda )=1]-1/2|=\mathsf{negl}.$

In [8], such a chameleon encryption was constructed from the CDH assumption.

3. Idea of Our Revocable IBE Scheme

3.1. Idea of the DG Scheme

In the IBE scheme [8] proposed by Döttling and Garg, say the DG scheme, each $\mathrm{id}$ is an n-bit binary string. In other words, each user can be regarded as a leaf of a complete binary tree of depth n, which is the length of a user’s identity id. For each level $j\in \left[n\right]$ in the tree, the key authority generates a pair of chameleon encryption key and trapdoor $(k_j,t{d}_j)$. As shown in Figure 2, a leaf v is attached with a key pair $({\mathsf{ek}}_v,{\mathsf{dk}}_v)$, which is the public/secret key of an IND-CPA secure public-key encryption scheme PKE=(G, E, D), i.e., $({\mathsf{ek}}_v,{\mathsf{dk}}_v)\leftarrow \mathsf{G}(1^{\lambda })$. In addition, a non-leaf node v in the tree is attached with four values: the hash value $h_v$ of this node, the hash value $h_{v\left|\right|0}$ of the left child node, the hash value $h_{v\left|\right|1}$ of the right child node, a randomness r such that $h_v=\mathsf{H}(k_{\left|v\right|},h_{v\left|\right|0}\left|\right|h_{v\left|\right|1};r_v).$ epecially for $\left|v\right|=n-1$, $(h_{v\left|\right|0},h_{v\left|\right|1}):=({\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1})$. The master public key of IBE is given by the hash keys $(k_0,\dots ,k_{n-1})$ and the hash value $h_{\epsilon }$ of the root. The master secret key is the seed of a pseudorandom function to generate $r_v$ and the trapdoors of the chameleon encryption.

Figure 2. The IBE tree of depth $n=3$.

Key Generation. 

Each user is assigned to a leaf in the tree according to $\mathsf{id}$. The secret key is just all the values attached to those nodes on the path from the root to the leaf. For example, in Figure 2, if $\mathsf{id}=010$, then the secret key is ${\mathsf{sk}}_{010}=(\{h_{\epsilon },h_0,h_1,r_{\epsilon }\},\{h_0,h_{00},h_{01},r_0\},$$\{h_{01},{\mathsf{ek}}_{010},{\mathsf{ek}}_{011},r_{01}\},{\mathsf{dk}}_{010})$.

Encryption. 

As for encryption, two kinds of circuits are defined.

(1)

$Q\left[m\right](\mathsf{ek})$ is a circuit with m hardwired and its input is $\mathsf{ek}$. It computes and outputs the $\mathsf{PKE}$ ciphertext of message m under the public-key $\mathsf{ek}$.

(2)

$\mathsf{P}[\beta \in \{0,1\},k,\overline{\mathsf{lab}}](h)$ is a circuit which hardwires bit $\beta$, key k and a serial of labels $\overline{\mathsf{lab}}$. It computes and outputs ${\left\{\mathsf{HEnc}(k,(h,j+\beta ·\lambda ,b),{\mathsf{lab}}_{j,b})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$, where $\overline{\mathsf{lab}}$ is the short for ${\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$.

To encrypt a message m under $\mathsf{id}$, the sender generates a series of garbled circuits from the bottom to the top. Specifically, for level n, it generates $\tilde{Q}$, the garbled circuit of $Q\left[m\right]$, and the corresponding label $\overline{\mathsf{lab}}$, i.e., $(\tilde{Q},\overline{\mathsf{lab}})\leftarrow \mathsf{GCircuit}(1^{\lambda },\mathsf{T}\left[m\right]).$

Then, ${\mathsf{id}}_n$, $k_{n-1}$ and $\overline{\mathsf{lab}}$ are hardwired into circuit $P^{n-1}[{\mathsf{id}}_n,k_{n-1},\overline{\mathsf{lab}}]$. Next, invoke the garbled circuit $({\tilde{P}}^{n-1},{\overline{\mathsf{lab}}}^{\prime })\leftarrow \mathsf{GCircuit}(1^{\lambda },P^{n-1}[{\mathsf{id}}_n,k_{n-1},\overline{\mathsf{lab}}]).$

Let $\overline{\mathsf{lab}}:={\overline{\mathsf{lab}}}^{\prime }.$ Invoke $({\tilde{P}}^{n-2},{\overline{\mathsf{lab}}}^{\prime })\leftarrow \mathsf{GCircuit}(1^{\lambda },P^{n-2}[{\mathsf{id}}_{n-1},k_{n-2},\overline{\mathsf{lab}}])$. Repeat this procedure and we have $({\tilde{P}}^0,{\overline{\mathsf{lab}}}^{\prime })\leftarrow \mathsf{GCircuit}(1^{\lambda },P^0[{\mathsf{id}}_1,k_0,\overline{\mathsf{lab}}])$. Recall that ${\overline{\mathsf{lab}}}^{\prime }={\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$. Choose $\lambda$ labels from ${\overline{\mathsf{lab}}}^{\prime }$ according to the $\lambda$ bits of $h_{ϵ}$.

The final ciphertext is $\mathsf{ct}=({\left\{{\mathsf{lab}}_{j,{h_{ϵ}}_j}\right\}}_{j\in \left[\lambda \right]},{\tilde{P}}^0,\dots ,{\tilde{P}}^{n-1},\tilde{\mathsf{T}})$.

Decryption. 

The decryption goes from the top to bottom. It will invoke the evaluation algorithm $\mathsf{Eval}$ of the garbled circuits to obtain chameleon encryption of labels, and uses the secret key of chameleon encryption scheme to recover the corresponding label. For the leaf, it will use the decryption algorithm of PKE to recover the message m.

3.2. Idea of Our Revoked IBE Scheme

Our revocable IBE is based on the original DG scheme. An important observation of the DG scheme is that among all the elements in the secret key ${\mathsf{sk}}_{\mathsf{id}}=({\{h_{\mathsf{v}},h_{\mathsf{v}\left|\right|0},h_{\mathsf{v}\left|\right|1},r_{\mathsf{v}}\}}_{v\in \mathcal{V}},{\mathsf{dk}}_{\mathsf{id}})$ of user $\mathsf{id}$, ${\mathsf{dk}}_{\mathsf{id}}$ is the most critical element. Recall that $\mathcal{V}=\{\epsilon ,\mathsf{id}[1],\mathsf{id}[12],\dots ,\mathsf{id}[12\dots n-1\left]\right\}$ and ${\mathsf{dk}}_{\mathsf{id}}$ is the decryption key of the underlying building block PKE. The sibling of leaf $\mathsf{id}$ knows everything about ${\mathsf{sk}}_{\mathsf{id}}$ except ${\mathsf{dk}}_{\mathsf{id}}$. This gives us a hint for revocation. To revoke user $\mathsf{id}$, we can change the decryption key ${\mathsf{dk}}_{\mathsf{id}}$ in ${\mathsf{sk}}_{\mathsf{id}}$ into a new one ${\mathsf{dk}}_{\mathsf{id}}^{\prime }$ and this fresh decryption key will not issued to the revoked user $\mathsf{id}$. As long as the essential element ${\mathsf{dk}}_{\mathsf{id}}^{\prime }$ is missing, user $\mathsf{id}$ will not be able to decrypt anything. Now we outline how the revocable IBE works.

The tree is updated according to the revoked users.

• If a leaf $v_{\mathsf{id}}$ is revoked during time period $\mathsf{t}$, then a new public/secret key pair will generated with $({\mathsf{ek}}_{\mathsf{id}}^{\prime },{\mathsf{dk}}_{\mathsf{id}}^{\prime })\leftarrow \mathsf{G}(1^{\lambda })$ for this leaf. As a result, $h_{v_{\mathsf{id}}}={\mathsf{ek}}_{\mathsf{id}}$ is replaced with a fresh value $h_{v_{\mathsf{id}}}^{(\mathsf{t})}:={\mathsf{ek}}_{\mathsf{id}}^{\prime }$. This fresh value will not consistent to what the father node of $v_{\mathsf{id}}$ has. Therefore, we have to change the attachments of all nodes along the path from the revoked leaf $v_{\mathsf{id}}$ to root bottom upward.
• For i from $n-1$ down to 0
  Let $v:=v_{\mathsf{id}[12\dots i]}$. Choose random coins $r_v^{(\mathsf{t})}$; $h_v^{(\mathsf{t})}:=\mathsf{H}(h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})$;
  Here $h_{v\left|\right|b}^{(\mathsf{t})}:=h_{v\left|\right|b}$ if $h_{v\left|\right|b}^{(\mathsf{t})}$ is not defined, where $b\in \{0,1\}$.

In this way, a new tree is built with root attached with new value $(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})})$. Please Please note that the hash keys $(k_0,\dots ,k_{n-1})$ remain unchanged.

When revocation happens, what a sender does is updating the new hash value $h_{\epsilon }^{(\mathsf{t})}$, then invoking the encryption algorithm for encryption.

For decryption to go smoothly, the IBE system has to issue updating keys to users. The updating key includes all the information of the nodes on the paths from revoked leaves to the root, but the new ${\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})}$ is not issued. In Figure 3, for example, two users, namely 000 and 010, are revoked and determine two paths. Then all the nodes along the two paths are marked with cross. All the nodes are updated with new attachments, but leaf 000 is only attached with a new ${\mathsf{ek}}_{000}^{(\mathsf{t})}$ (without ${\mathsf{dk}}_{000}^{(\mathsf{t})}$) and leaf 010 is only attached with a new ${\mathsf{ek}}_{010}^{(\mathsf{t})}$ (without ${\mathsf{dk}}_{010}^{(\mathsf{t})}$). The updating key are $\{\epsilon ,(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})}),$$0,(h_0^{(\mathsf{t})},h_{00}^{(\mathsf{t})},h_{01}^{(\mathsf{t})},r_0^{(\mathsf{t})})$, $00,(h_{00}^{(\mathsf{t})},h_{000}^{(\mathsf{t})},h_{001}^{(\mathsf{t})},r_{00}^{(\mathsf{t})}),$$01,(h_{01}^{(\mathsf{t})},h_{010}^{(\mathsf{t})},h_{011}^{(\mathsf{t})},r_{01}^{(\mathsf{t})}),$ $000,(h_{000}^{(\mathsf{t})}={\mathsf{ek}}_{000}^{(\mathsf{t})},\perp ),010,$$(h_{010}^{(\mathsf{t})}$ $={\mathsf{ek}}_{010}^{(\mathsf{t})},\perp )\}$.

Figure 3. The IBE tree of depth $n=3$ when users “000” and “010” have been revoked.

Any legal user is able to update his secret key ${\mathsf{sk}}_{\mathsf{id}}$ with the new attachments of nodes along the path from his leaf to the root. For example, the updated secret key ${\mathsf{sk}}_{001}^{(\mathsf{t})}$ of user 001 is now $\{\epsilon ,(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})}),$$0,(h_0^{(\mathsf{t})},h_{00}^{(\mathsf{t})},h_{01}^{(\mathsf{t})},r_0^{(\mathsf{t})})$, $00,(h_{00}^{(\mathsf{t})},h_{000}^{(\mathsf{t})},h_{001}^{(\mathsf{t})},r_{00}^{(\mathsf{t})}),$$001,(h_{001}={\mathsf{ek}}_{001},{\mathsf{dk}}_{001})\}$. The updated secret key ${\mathsf{sk}}_{111}^{(\mathsf{t})}$ of user 111 is now $\{\epsilon ,(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})}),$$1,(h_1,h_{10},h_{11},r_1)$, $11,(h_{11},h_{110},h_{111},$$r_{11}),111,(h_{111}={\mathsf{ek}}_{001},{\mathsf{dk}}_{111})\}$.

In this way, any legal user is able to decrypt ciphertexts since he knows the secret key corresponding to the new tree. Any revoked user $\mathsf{id}$ is unable to implement decryption anymore, since the new ${\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})}$ is missing.

4. Revocable IBE Scheme

In this section, we present our construction of revocable IBE scheme from chameleon encryption (without DKER). Let PRF: ${\{0,1\}}^{\lambda }\times {\{0,1\}}^{\le \ell +n}\cup \left\{\epsilon \right\}\to {\{0,1\}}^{\lambda }$ be a pseudorandom function. Let $\mathsf{CE}=(\mathsf{HGen},\mathsf{H},{\mathsf{H}}^{-1},\mathsf{HEnc},\mathsf{HDec})$ be a chameleon encryption scheme and $\mathsf{PKE}=(\mathsf{G},\mathsf{E},\mathsf{D})$ be an IND-CPA secure public-key encryption scheme. We denote by $\mathsf{id}\left[i\right]$ the i-th bit of $\mathsf{id}$ and by $\mathsf{id}[1\cdots i]$ the first i bits of $\mathsf{id}$. Define $\mathsf{id}[1\cdots 0]:=\epsilon$. We first introduce five subroutines which will be used repeatedly in our scheme (as shown in Table 4). All of these five subroutines are run by the key authority. The subroutines NodeGen and LeafGen are invoked by the key authority in setup algorithm, where NodeGen is used to generate non-leaf nodes and LeafGen to generate leaves and their parents. Just like [8], given all chameleon keys, trapdoors, a randomness s, a node v and a length parameter ℓ, the NodeGen subroutine generates four values stored in node v: the hash value of the node $h_v$, the hash value of it left-child node $h_{v\left|\right|0}$, the hash value of it right-child node $h_{v\left|\right|1}$, and the randomness of this node $r_v$. Given all chameleon keys $k_{n-1}$ and trapdoors $\mathsf{t}{d}_{n-1}$ of the $n-1$-th level, a randomness s, a node v in the $n-1$-th level and a length parameter ℓ, the LeafGen subroutine generates two pairs of public/secret keys $({\mathsf{ek}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|0})$, $({\mathsf{ek}}_{v\left|\right|1},{\mathsf{dk}}_{v\left|\right|1})$ of the $\mathsf{PKE}$ scheme, and generates the hash value $h_v$ and the randomness $r_v$ of the node v. The children of v are two leaves associated by ${\mathsf{ek}}_{v\left|\right|0}$ and ${\mathsf{ek}}_{v\left|\right|1}$. Each user can be uniquely represented by a leaf node. The subroutine FindNodes, subroutine NodeChange and subroutine LeafChange are invoked by the key authority in key update algorithm. Given a revocation list $\mathsf{RL}$, a time $\mathsf{t}$ and the global key list $\mathsf{KL}$, subroutine FindNodes$(\mathsf{RL},\mathsf{t},\mathsf{KL})$ outputs all leaves which are revoked at time $\mathsf{t}$ and all their ancestor nodes. Given a chameleon key, a chameleon trapdoor, a node v, two hash values $(h_{v\left|\right|0},h_{v\left|\right|0})$ of the two children of node v and a randomness s, subroutine NodeChange outputs a new hash value and a new randomness for node v. Given a leaf node v, a time $\mathsf{t}$, a randomness s, subroutine LeafChange outputs a fresh public key by invoking the key generation algorithm $\mathsf{G}$ of $\mathsf{PKE}$.

Table 4. Five subroutines run by the key authority.

NodeGen$((k_0,\cdots ,k_n),(t{d}_0,\cdots ,t{d}_n,s),v\in {\{0,1\}}^{\le n-1}\cup \left\{\epsilon \right\},\ell )$:	FindNodes$(\mathsf{RL},\mathsf{t},\mathsf{KL})$:
Let $i:=\left|v\right|$	$\mathsf{Y}\leftarrow \varnothing$
$h_v\leftarrow \mathsf{H}(k_i,0^{2\lambda };\mathsf{PRF}(s,0^{\ell }\left|\right|v))$,	$\forall (\mathsf{id},{\mathsf{t}}_i)\in \mathsf{RL}$
$h_{v\left|\right|0}\leftarrow \mathsf{H}(k_{i+1},0^{2\lambda };\mathsf{PRF}(s,0^{\ell }\left|\right|v\left|\right|0))$,	$\mathrm{If}$${\mathsf{t}}_i=\mathsf{t}$, then add $\mathsf{id}$ to $\mathsf{Y}$.
$h_{v\left|\right|1}\leftarrow \mathsf{H}(k_{i+1},0^{2\lambda };\mathsf{PRF}(s,0^{\ell }\left|\right|v\left|\right|1))$.	For $i=n-1$ to 0:         $\backslash \backslash$ find the ancestors of $\mathsf{id}\in \mathsf{Y}$.
$r_v\leftarrow {\mathsf{H}}^{-1}(t{d}_i,(0^{2\lambda },\mathsf{PRF}(s,0^{\ell }\left|\right|v)),h_{v\left|\right|0}\left|\right|h_{v\left|\right|1})$.	$\forall (v,·,·)\in \mathsf{KL}$ with $\left|v\right|=i$:
Output $(h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)$.	$\mathrm{If}$$(v||0\in \mathsf{Y})\vee (v||1\in \mathsf{Y})$, add v to $\mathsf{Y}$.
	Output $\mathsf{Y}$.
LeafGen$(k_{n-1},(\mathsf{t}{d}_{n-1},s),v\in {\{0,1\}}^{n-1},\ell )$:	NodeChange$(k,td,v\in {\{0,1\}}^{\le n-1}\cup \left\{\epsilon \right\},h_{v\left|\right|0},h_{v\left|\right|1},\mathsf{t},s)$:
	$h_v^{(\mathsf{t})}\leftarrow \mathsf{H}(k,0^{2\lambda };\mathsf{PRF}(s,\mathsf{t}||v))$,
$h_v\leftarrow \mathsf{H}(k_n,0^{2\lambda };\mathsf{PRF}(s,0^{\ell }\left|\right|v))$,	$r_v^{(\mathsf{t})}\leftarrow {\mathsf{H}}^{-1}(td,(0^{2\lambda },\mathsf{PRF}(s,\mathsf{t}||v));h_{v\left|\right|0}\left|\right|h_{v\left|\right|1})$.
$({\mathsf{ek}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|0})\leftarrow \mathsf{G}(1^{\lambda },\mathsf{PRF}(s,0^{\ell }\left|\right|v\left|\right|0))$,	Output $(h_v^{(\mathsf{t})},h_{v\left|\right|0},h_{v\left|\right|1},r_v^{(\mathsf{t})})$.
$({\mathsf{ek}}_{v\left|\right|1},{\mathsf{dk}}_{v\left|\right|1})\leftarrow \mathsf{G}(1^{\lambda },\mathsf{PRF}(s,0^{\ell }\left|\right|v\left|\right|1))$,	LeafChange$(v\in {\{0,1\}}^n,\mathsf{t},s)$:
$r_v\leftarrow {\mathsf{H}}^{-1}(\mathsf{t}{d}_{n-1},(0^{2\lambda },\mathsf{PRF}(s,0^{\ell }\left|\right|v)),{\mathsf{ek}}_{v\left|\right|0}\left|\right|{\mathsf{ek}}_{v\left|\right|1})$.	$({\mathsf{ek}}_v^{(\mathsf{t})},{\mathsf{dk}}_v^{(\mathsf{t})})\leftarrow \mathsf{G}(1^{\lambda },\mathsf{PRF}(s,\mathsf{t}||v))$.
Output $((h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v),{\mathsf{dk}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|1})$.	Output $({\mathsf{ek}}_v^{(\mathsf{t})},\perp )$.

Construction of RIBE. 

Now we describe our revocable IBE scheme $(\mathsf{RIBE}.\mathsf{Setup},$$\mathsf{RIBE}.\mathsf{KG},\mathsf{RIBE}.\mathsf{KU},$$\mathsf{RIBE}.\mathsf{DK},\mathsf{RIBE}.\mathsf{Enc},\mathsf{RIBE}.\mathsf{Dec},\mathsf{RIBE}.\mathsf{R})$.

• Setup$\mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },1^n)$: given a security parameter $\lambda$, an integer n where $2^n$ is the maximal number of users that the scheme supports. Define identity space as $\mathcal{ID}={\{0,1\}}^n$ and time space as $\mathcal{T}={\{0,1\}}^{\ell }$, and do the following.
  • Sample $s\stackrel{\$}{\leftarrow }{\{0,1\}}^{\lambda }$.
  • For each $i\in \left[n\right]$, invoke $(k_i,\mathsf{t}{d}_i)\stackrel{\$}{\leftarrow }\mathsf{HGen}(1^{\lambda },2\lambda )$.
  • Initialize key list $\mathsf{KL}:=\varnothing$, public list $\mathsf{PL}=\varnothing$, key update list $\mathsf{KU}=\varnothing$ and revocation list $\mathsf{RL}:=\varnothing$.
  • $\mathsf{mpk}:=(k_0,\cdots ,k_{n-1},\ell )$; $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$; $\mathsf{msk}:=(\mathsf{mpk},t{d}_0,\cdots ,$$t{d}_{n-1},s)$.
  • Output $(\mathsf{mpk},\mathsf{msk},\mathsf{st})$.
• Private Key Generation$\mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n,\mathsf{st}):$ See Figure 4 for illustrations.
  

  Figure 4. The illustration of Private Key Generation for user “110”. The private key ${\mathrm{sk}}_{110}$ of user “110” collects all the node values along the path from “110” to “$\epsilon$” in the tree.
  • Parse $\mathsf{msk}=(\mathsf{mpk},\mathsf{t}{d}_0,\cdots ,\mathsf{t}{d}_{n-1},s)$ and $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell )$.
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • For all $v\in \mathsf{W}\backslash \left\{\mathsf{id}\right[1\cdots n-1\left]\right\}$:
    $(h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)\leftarrow \mathsf{NodeGen}((k_0,\cdots ,k_{n-1}),(\mathsf{t}{d}_0,\cdots ,\mathsf{t}{d}_{n-1},s),v,\ell )$,
    $\mathsf{KL}:=\mathsf{KL}\cup \left\{(v,h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)\right\}$,
    ${\mathsf{lk}}_v:=(h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)$.
  • For $v=\mathsf{id}[1\cdots n-1]$:
    $(h_v,h_{v\left|\right|0}={\mathsf{ek}}_{v\left|\right|0},h_{v\left|\right|1}={\mathsf{ek}}_{v\left|\right|1},r_v,{\mathsf{dk}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|1})\leftarrow \mathsf{LeafGen}(k_{n-1},$$(\mathsf{t}{d}_{n-1},s),v,\ell )$,
    $\mathsf{KL}:=\mathsf{KL}\cup \{(v,h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v),(v||0,{\mathsf{ek}}_{v\left|\right|0},\perp ),(v\left|\right|1,{\mathsf{ek}}_{v\left|\right|1},\perp )\}$,
    ${\mathsf{lk}}_v:=(h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v)$.
  • $\mathsf{st}=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$ and ${\mathsf{sk}}_{\mathsf{id}}:=(\mathsf{t}=0,\mathsf{id},{\left\{{\mathsf{lk}}_v\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$.
  • Output $({\mathsf{sk}}_{\mathsf{id}},\mathsf{st})$.
• Key Update Generation$\mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$: See Figure 5 for illustrations.
  

  Figure 5. The illustration of ${\mathsf{KU}}^{(\mathsf{t})}$ when users “000” and “010” have been revoked at time slot $\mathsf{t}$.
  • Parse $\mathsf{msk}=(\mathsf{mpk},\mathsf{t}{d}_0,\cdots ,\mathsf{t}{d}_{n-1},s)$, $\mathsf{st}=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$ and $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell )$.
  • $\mathsf{Y}\leftarrow \mathsf{FindNodes}(\mathsf{RL},\mathsf{t},\mathsf{KL})$. // $\mathsf{Y}$ stores all revoked leaves and their ancestors
  • If $\mathsf{Y}=\varnothing$, Output($\mathsf{KU},\mathsf{PL}$) //stay unchanged.
  • Set key update list ${\mathsf{KU}}^{(\mathsf{t})}:=\varnothing$.
  • For all node $v\in \mathsf{Y}$ such that $\left|v\right|=n$: // deal with all leaves in Y
    $({\mathsf{ek}}_v^{(\mathsf{t})},\perp )\leftarrow \mathsf{LeafChange}(v,\mathsf{t},s)$,
    ${\mathsf{KU}}^{(\mathsf{t})}:={\mathsf{KU}}^{(\mathsf{t})}\cup \left\{(v,{\mathsf{ek}}_v^{(\mathsf{t})},\perp )\right\}$. // new attachments for all leaves in Y
    $h_v^{(\mathsf{t})}:={\mathsf{ek}}_v^{(\mathsf{t})}$.
  • For $i=n-1$ to 0: // generate new attachments for all non-leaf nodes in Y
    $\mathrm{For}$ all node $v\in \mathsf{Y}$ and $\left|v\right|=i$:
    $\mathrm{Set}$$j:=\mathsf{t}$, ${\mathsf{KU}}^{(0)}:=\mathsf{KL}$.
    $\mathrm{While}$($j\ge 0$)
    $\mathrm{If}$$\exists v\left|\right|b$ s.t. $(v||b,h_{v\left|\right|b},·,·,·)\in {\mathsf{KU}}^{(j)},$
    $h_{v\left|\right|b}^{(\mathsf{t})}:=h_{v\left|\right|b}$,
    $\mathrm{Break}$;
    $j:=j-1.$
    $(h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})\leftarrow \mathsf{NodeChange}(k_i,\mathsf{t}{d}_i,v,h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},\mathsf{t},s)$.
    ${\mathsf{KU}}^{(\mathsf{t})}:={\mathsf{KU}}^{(\mathsf{t})}\cup \left\{(v,h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})\right\}$.
  • $\mathsf{KU}:=\mathsf{KU}\cup \left\{(\mathsf{t},{\mathsf{KU}}^{(\mathsf{t})})\right\}$ and $\mathsf{PL}:=\mathsf{PL}\cup \left\{(\mathsf{t},h_{\epsilon }^{(\mathsf{t})})\right\}$.
  • $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$
  • Output $\mathsf{st}$.
• Decryption Key Generation$\mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},\mathsf{KU},\mathsf{t})$: See Figure 6 for illustrations.
  

  Figure 6. The illustration of the Decryption Key Generation for user “011” when users “000” and “010” have been revoked at time slot t. For i from 1 to $t$, the node values along the path from “011” to “$\epsilon$” in the tree will be replaced by the corresponding node values in ${\mathit{KU}}^{(i)}$. The decryption key ${\mathit{sk}}_{011}^{(t)}$ of user “011” collects all the updated node values along the path from “011” to “$\epsilon$” in the tree.
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • Parse mpk$=(k_0,\cdots ,k_{n-1},\ell )$ and ${\mathsf{sk}}_{\mathsf{id}}=(0,\mathsf{id},{\{h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$.
  • From $\mathsf{KU}$ retrieve a set $\Omega :=\left\{(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\right|(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \mathsf{KU},0\le \tilde{\mathsf{t}}<\mathsf{t}\}$.
  • For each $(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \Omega$ with $\tilde{\mathsf{t}}$ in ascending order, does the following:
    $\mathrm{For}$$i=0$ to $n-1$:
    $v:=\mathsf{id}[1\cdots i]$ (Recall $\mathsf{id}[1\cdots 0]=\epsilon$).
    $\mathrm{If}$$\exists (v,h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})\in {\mathsf{KU}}^{(\tilde{\mathsf{t}})}$:
    ${\mathsf{lk}}_v^{(\mathsf{t})}:=(h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})$.
  • If $\exists (\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \mathsf{KU}$ s.t. $(\mathsf{id},{\mathsf{ek}}_v^{(\tilde{\mathsf{t}})},\perp )\in {\mathsf{KU}}^{(\tilde{\mathsf{t}})}$: $\backslash \backslash \mathsf{id}$ is revoked at $\tilde{\mathsf{t}}$
    $\mathrm{Output}$${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},\perp )$.
  • Output ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$
• Encryption$\mathsf{RIBE}.\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL}))$:
  We describe two circuits that will be garbled during the encryption procedure.

  -

  $\mathsf{Q}\left[m\right](ek):$ Compute and output $\mathsf{E}(ek,m)$.

  -

  $\mathsf{P}[\beta \in \{0,1\},k,\overline{\mathsf{lab}}](h)$: Compute and output $\{\mathsf{HEnc}(k,(h,j+\beta ·\lambda ,b),$${\mathsf{lab}}_{j,b}{)\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$, where $\overline{\mathsf{lab}}$ is the short for ${\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$.

  Encryption proceeds as follows:
  • Retrieve the last item $(\overline{\mathsf{t}},h_{ϵ}^{(\overline{\mathsf{t}})})$ from $\mathsf{PL}$. If $\mathsf{t}<\overline{\mathsf{t}}$, output ⊥; otherwise $h_{ϵ}^{(\mathsf{t})}:=h_{ϵ}^{(\overline{\mathsf{t}})}$.
  • Parse mpk$=(k_0,\cdots ,k_{n-1},\ell )$.
  • $(\tilde{Q},\overline{\mathsf{lab}})\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{Q}\left[m\right])$.
  • For $i=n-1$ to 0,
    $({\tilde{P}}^i,{\overline{\mathsf{lab}}}^{\prime })\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{P}[\mathsf{id}[i+1],k_i,\overline{\mathsf{lab}}])$ and set $\overline{\mathsf{lab}}:={\overline{\mathsf{lab}}}^{\prime }$.
  • Output $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{j,h_{\epsilon ,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$, where $h_{\epsilon ,j}^{(\mathsf{t})}$ is the $j^{\mathrm{th}}$ bit of $h_{\epsilon }^{(\mathsf{t})}$.
• Decryption$\mathsf{RIBE}.\mathsf{Dec}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • Parse mpk$=(k_0,\cdots ,k_{n-1},\ell )$ and ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}=(\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$, where ${\mathsf{lk}}_v^{(\mathsf{t})}=(h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})$.
  • Parse $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{j,h_{\epsilon ,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$
  • Set $y:=h_{\epsilon }^{(\mathsf{t})}$.
  • For $i=0$ to $n-1$:
    $\mathrm{Set}$$v:=\mathsf{id}[1\cdots i]$ (Recall $\mathsf{id}[1\cdots 0]=\epsilon )$;
    ${\left\{c_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}\leftarrow \mathsf{Eval}({\tilde{P}}^i,{\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]});$
    $\mathrm{If}$$i\ne n-1$, set $v^{\prime }:=\mathsf{id}[1\cdots i+1]$ and $y:=h_{v^{\prime }}^{(\mathsf{t})}$, and for each $j\in \left[\lambda \right]$,

    $${\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]}\leftarrow \mathsf{HDec}(k_i,c_{j,y_j},(h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})}),r_v^{(\mathsf{t})}).$$
    $\mathrm{If}$$i=n-1$, set $y:={\mathsf{ek}}_{\mathsf{id}}$ and for each $j\in \left[\lambda \right]$, compute

    $${\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]}\leftarrow \mathsf{HDec}(k_i,c_{j,y_j},({\mathsf{ek}}_{v\left|\right|0}\left|\right|{\mathsf{ek}}_{v\left|\right|1})=(h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})}),r_v^{(\mathsf{t})}).$$
  • Compute $f\leftarrow \mathsf{Eval}(\tilde{Q},{\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]})$.
  • Output $m\leftarrow \mathsf{D}({\mathsf{dk}}_{\mathsf{id}},f)$.
• Revocation$\mathsf{RIBE}.\mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$:
  • Parse $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$.
  • Update the revocation list by $\mathsf{RL}:=\mathsf{RL}\cup \{(\mathsf{id},\mathsf{t})\}$.
  • $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$.
  • Output $\mathsf{st}$.

Remark. 

It is possible for us to reduce the cost of users’ key updating in our construction. Now we provide a more efficient variant of decryption key generation algorithm $\mathsf{RIBE}.{\mathsf{DK}}^{\prime }$. With this variant algorithm, if a user has already generated a key ${\mathsf{sk}}_{\mathsf{id}}^{({\mathsf{t}}^{\prime })}$ at time period ${\mathsf{t}}^{\prime }$ where ${\mathsf{t}}^{\prime }\le \mathsf{t}$, he or she can use ${\mathsf{sk}}_{\mathsf{id}}^{({\mathsf{t}}^{\prime })}$ as the input instead of ${\mathsf{sk}}_{\mathsf{id}}$ and generates the decryption key with lower computational cost. The algorithm proceeds as follows:

Decryption Key Generation$\mathsf{RIBE}.{\mathsf{DK}}^{\prime }(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{({\mathsf{t}}^{\prime })},\mathsf{KU},\mathsf{t})$:

• $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
• Parse mpk$=(k_0,\cdots ,k_{n-1},\ell )$ and ${\mathsf{sk}}_{\mathsf{id}}^{({\mathsf{t}}^{\prime })}=({\mathsf{t}}^{\prime },\mathsf{id},{\{h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$.
• If ${\mathsf{t}}^{\prime }>\mathsf{t}$, Output ⊥.
• If ${\mathsf{t}}^{\prime }=\mathsf{t}$, Output ${\mathsf{sk}}_{\mathsf{id}}^{({\mathsf{t}}^{\prime })}$.
• From $\mathsf{KU}$ retrieve a set $\Omega :=\left\{(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\right|(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \mathsf{KU},{\mathsf{t}}^{\prime }\le \tilde{\mathsf{t}}<\mathsf{t}\}$.
• For each $(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \Omega$ with $\tilde{\mathsf{t}}$ in ascending order, does the following:
  $\mathrm{For}$$i=0$ to $n-1$:
  $v:=\mathsf{id}[1\cdots i]$ (Recall $\mathsf{id}[1\cdots 0]=\epsilon$).
  $\mathrm{If}$$\exists (v,h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})\in {\mathsf{KU}}^{(\tilde{\mathsf{t}})}$:
  ${\mathsf{lk}}_v^{(\mathsf{t})}:=(h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})$.
• If $\exists (\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \mathsf{KU}$ s.t. $(\mathsf{id},{\mathsf{ek}}_v^{(\tilde{\mathsf{t}})},\perp )\in {\mathsf{KU}}^{(\tilde{\mathsf{t}})}$: $\backslash \backslash \mathsf{id}$ is revoked at $\tilde{\mathsf{t}}$
  $\mathrm{Output}$${\mathit{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},\perp )$.
• Output ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$.

4.1. Correctness

We first show that our revocable IBE is correct. During the time slot $\mathsf{t}$, the key updating algorithm $\mathsf{RIBE}.\mathsf{KU}$ (together with the key generation algorithm $\mathsf{RIBE}.\mathsf{KG}$) uniquely determines a fresh tree of time $\mathsf{t}$. The root of the fresh tree has attachment $(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})})$. Set $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string. Please Please note that each $\mathsf{id}$ uniquely determines a path (from the root of the tree to the leaf of $\mathsf{id}$). $\mathsf{W}$ records all non-leaf nodes on the path. For all nodes $v\in \mathsf{W}$, we have $\mathsf{H}(k_{\left|v\right|},h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})};r_v^{(\mathsf{t})})=h_v^{(\mathsf{t})}$, and $(h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})}):=({\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1})$ if $\left|v\right|=n-1$.

Consider the ciphertext $\mathsf{ct}=\left({\left\{{\mathsf{lab}}_{\ell ,h_{\epsilon ,\ell }^{(\mathsf{t})}}\right\}}_{\ell \in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^n,\tilde{Q}\}\right)$, which is the output of $\mathsf{RIBE}.\mathsf{Enc}(\mathsf{mpk},$$\mathsf{id},\mathsf{t},m,\mathsf{PL})$. Consider the secret key ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{id},$${\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}})$, which is the output $\mathsf{RIBE}.\mathsf{DK}$. Obviously, ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$ is exactly the the secret key of $\mathsf{id}$ in the tree (of time $\mathsf{t}$). As long as the $h_{ϵ}^{(\mathsf{t})}$ used in $\mathsf{RIBE}.\mathsf{Enc}$ to generate $\mathsf{ct}$ is identical to the $h_{\epsilon }^{(\mathsf{t})}$ in ${\mathsf{lk}}_{\epsilon }^{(\mathsf{t})}=(h_{\epsilon }^{(\mathsf{t})},h_0^{(\mathsf{t})},h_1^{(\mathsf{t})},r_{\epsilon }^{(\mathsf{t})})$, the decryption $\mathsf{RIBE}.\mathsf{Dec}$ can always recover the plaintext due to the correctness of the DG scheme.

Below we show the details of the correctness (this analysis is similar to that in [8]). For all nodes $v\in \mathsf{W}$, we have the following facts.

• ${\left\{c_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}:=\mathsf{Eval}\left({\tilde{P}}^{\left|v\right|},{\left\{{\mathsf{lab}}_{j,h_{v,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]}\right)=P\left[\mathsf{id}\right[\left|v\right|+1],k_{\left|v\right|},$
  ${\left\{{\mathsf{lab}}_{j,b}^{\prime }\right\}}_{j\in \left[\lambda \right],b}](h_v^{(\mathsf{t})})=\{\mathsf{HEnc}(k_{\left|v\right|},$$(h_v^{(\mathsf{t})},j+\mathsf{id}\left[\right|v|+1]·\lambda ,b),{\mathsf{lab}}_{j,b}^{\prime }{)\}}_{j\in \left[\lambda \right],b\in \{0,1\}}.$ Recall that $\overline{{\mathsf{lab}}^{\prime }}:={\left\{{\mathsf{lab}}_{j,b}^{\prime }\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$ and $(\overline{{\mathsf{lab}}^{\prime }},{\tilde{P}}^{(|v|+1)})$ are the output of $\mathsf{GCircuit}(1^{\lambda },\mathsf{P}\left[\mathsf{id}\right[\left|v\right|+2],k_{\left|v\right|+1},\overline{{\mathsf{lab}}^{″}}])$.
• Due to the correctness of the chameleon encryption, we know that given $(h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})$ one can recover ${\left\{{\mathsf{lab}}_{\ell ,h_{v\left|\right|\mathsf{id}\left[\right|v|+1],\ell }^{(\mathsf{t})}}^{\prime }\right\}}_{\ell \in \left[\lambda \right]}$ by decrypting
  ${\left\{c_{j,h_{v\left|\right|\mathsf{id}\left[\right|v|+1],j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]}$. And ${\left\{{\mathsf{lab}}_{\ell ,h_{v\left|\right|\mathsf{id}\left[\right|v|+1],\ell }^{(\mathsf{t})}}^{\prime }\right\}}_{\ell \in \left[\lambda \right]}$ is the label for the next garbled circuit ${\tilde{P}}^{(|v|+1)}$.
• When $\left|v\right|=n-1$, we obtain the set of labels ${\left\{{\mathsf{lab}}_{j,{\mathsf{ek}}_{\mathsf{id},j}}\right\}}_{j\in \left[\lambda \right]}$. Recall that ${\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$ and $\tilde{Q}$ are the output of $\mathsf{GCircuit}(1^{\lambda },Q\left[m\right])$. And ${\left\{{\mathsf{lab}}_{j,{\mathsf{ek}}_{\mathsf{id},j}}\right\}}_{j\in \left[\lambda \right]}$ is the result of ${\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$ selected by ${\mathsf{ek}}_{\mathsf{id}}$. Thus,

  $$f:=\mathsf{Eval}\left(\tilde{Q},{\left\{{\mathsf{lab}}_{j,{\mathsf{ek}}_{\mathsf{id},j}}\right\}}_{j\in \left[\lambda \right]}\right)=Q\left[m\right]({\mathsf{ek}}_{\mathsf{id}})=\mathsf{E}({\mathsf{ek}}_{\mathsf{id}},m).$$
  Due to the correctness of $\mathsf{PKE}=(\mathsf{G},\mathsf{E},\mathsf{D})$, given decryption key ${\mathsf{dk}}_{\mathsf{id}}$, one can always recover the original message m correctly with $m\leftarrow \mathsf{D}({\mathsf{dk}}_{\mathsf{id}},f)$.

4.2. Security

In this subsection, we prove that our revocable IBE scheme is IND-ID-CPA secure. Assume q is a polynomial upper bound for the running-time of an adversary $\mathcal{A}$, and it is also an upper bound for the number of $\mathcal{A}$’s queries (which contains private key queries, key update queries, and revocation queries).

Theorem 1.

Assume that $t_{\mathit{max}}$ is the size of the time space and $2^n$ be the maximal number of users. If $\mathit{PRF}$ is a pseudorandomn function, the garbled circuit scheme is secure, the chameleon encryption scheme $\mathit{CE}$ is secure and $\mathit{PKE}=(G,E,D)$ is IND-CPA secure, the above proposed revocable IBE scheme is adaptive-IND-ID-CPA secure (without decryption key exposure resistance) More specificly, for any PPT adversary $\mathcal{A}$ issuing at most q queries, there exist PPT adversaries ${\mathcal{B}}_1$, ${\mathcal{B}}_2$, ${\mathcal{B}}_3$ and ${\mathcal{B}}_4$ such that

$$\begin{array}{ccc}\hfill {\mathit{Adv}}_{\mathcal{A}}^{\mathit{IND}-\mathit{ID}-\mathit{CPA}}(\lambda )& \le & {\mathit{Adv}}_{{\mathcal{B}}_1}^{PRF}(\lambda )+(n+1)·{\mathit{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda )+n·\lambda ·{\mathit{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda )\hfill \\ & & +(2q+1)·{\mathit{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda ).\hfill \end{array}$$

(1)

Proof. 

The full proof of Theorem 1 is in Appendix B.1. □

5. Revocable IBE Scheme with DKER

In this section, we present the construction of revocable IBE scheme with decryption key exposure resistance from the CDH assumption. In [24], Katsumata et al. provided a generic construction of RIBE scheme with DKER from a hierarchal IBE (HIBE) scheme (the formal definition of HIBE is provided in Appendix A) and a RIBE scheme without DKER. Following this idea, based on the previous RIBE scheme $\mathsf{RIBE}=(\mathsf{RIBE}.\mathsf{Setup},$$\mathsf{RIBE}.\mathsf{KG},\mathsf{RIBE}.\mathsf{KU},$$\mathsf{RIBE}.\mathsf{DK},\mathsf{RIBE}.\mathsf{Enc},$$\mathsf{RIBE}.\mathsf{Dec},\mathsf{RIBE}.\mathsf{R})$ in Section 4 and a HIBE scheme $\mathsf{HIBE}=(\mathsf{HIBE}.\mathsf{Setup},$$\mathsf{RIBE}.\mathsf{KG},$$\mathsf{HIBE}.\mathsf{Enc},\mathsf{HIBE}.\mathsf{Dec})$ in [8], both of which are based on the CDH assumption, we can construct a revocable IBE scheme $\mathsf{\Pi }$ with DKER from the CDH assumption.

Let $\mathcal{ID}$, $\mathcal{T}$ and $\mathcal{M}$ denote identity space, time period space and plaintext space respectively. We assume $\mathsf{\Pi }.\mathcal{ID}=\mathsf{RIBE}.\mathcal{ID}$ and $\mathsf{\Pi }.\mathcal{T}=\mathsf{RIBE}.\mathcal{T}$. $\forall \mathsf{id}\in \mathsf{RIBE}.\mathcal{ID}$ and $\forall t\in \mathsf{RIBE}.\mathcal{T}$, $(\mathsf{id}||t)\in \mathsf{HIBE}.\mathcal{ID}$. In addition, we assume $\mathsf{\Pi }.\mathcal{M}=\mathsf{RIBE}.\mathcal{M}=\mathsf{HIBE}.\mathcal{M}$.

Construction of RIBE with DKER. 

Now we describe our revocable IBE scheme $\mathsf{\Pi }=(\mathsf{Setup},$$\mathsf{KG},\mathsf{KU},$$\mathsf{DK},\mathsf{Enc},\mathsf{Dec},R)$ with DKER following [24].

• $\mathsf{Setup}(1^{\lambda },1^n)$: given a security parameter $\lambda$, an integer n where $2^n$ is the maximal number of users that the scheme supports, i.e., $\mathsf{\Pi }.\mathcal{ID}={\{0,1\}}^n$. Define the time space as $\mathsf{\Pi }.\mathcal{T}={\{0,1\}}^{\ell }$.
  • Run $(\mathsf{RIBE}.\mathsf{mpk},\mathsf{RIBE}.\mathsf{msk},\mathsf{RIBE}.\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },1^n)$.
  • Parse $\mathsf{RIBE}.\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$.
  • Run $(\mathsf{HIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{msk})\leftarrow \mathsf{HIBE}.\mathsf{Setup}(1^{\lambda })$.
  • Output $(\mathsf{mpk}:=(\mathsf{RIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{mpk}),$$\mathsf{msk}:=(\mathsf{RIBE}.\mathsf{msk},\mathsf{HIBE}.\mathsf{msk}),$$\mathsf{st}:=\mathsf{RIBE}.\mathsf{st})$.
• $\mathsf{KG}(\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n,\mathsf{st})$:
  • Parse $\mathsf{msk}:=(\mathsf{RIBE}.\mathsf{msk},\mathsf{HIBE}.\mathsf{msk})$ and $\mathsf{st}:=\mathsf{RIBE}.\mathsf{st}$.
  • Run $(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{RIBE}.\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{RIBE}.\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n,\mathsf{RIBE}.\mathsf{st})$.
  • Run $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}}\leftarrow \mathsf{HIBE}.\mathsf{KG}(\mathsf{HIBE}.\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n)$.
  • Output $({\mathsf{sk}}_{\mathsf{id}}:=(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}}),\mathsf{st}:=\mathsf{RIBE}.\mathsf{st})$.
• $\mathsf{KU}(\mathsf{msk},\mathsf{t},\mathsf{st})$:
  • Parse $\mathsf{msk}:=(\mathsf{RIBE}.\mathsf{msk},\mathsf{HIBE}.\mathsf{msk})$ and $\mathsf{st}:=\mathsf{RIBE}.\mathsf{st}$.
  • Run $\mathsf{RIBE}.\mathsf{st}\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{RIBE}.\mathsf{msk},\mathsf{t},\mathsf{RIBE}.\mathsf{st})$.
  • Output ($\mathsf{st}:=\mathsf{RIBE}.\mathsf{st}$).
• $\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}},\mathsf{KU},\mathsf{t})$:
  • Parse $\mathsf{mpk}:=(\mathsf{RIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{mpk})$ and ${\mathsf{sk}}_{\mathsf{id}}:=(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$.
  • Run $\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}\leftarrow \mathsf{RIBE}.\mathsf{DK}(\mathsf{RIBE}.\mathsf{mpk},\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{KU},\mathsf{t})$.
  • Run $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}}\leftarrow \mathsf{HIBE}.\mathsf{KG}(\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{t}\in {\{0,1\}}^{\ell })$.
  • Output ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$.
• $\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL}))$:
  • Parse $\mathsf{mpk}:=(\mathsf{RIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{mpk})$.
  • Sample a pair $(\mathsf{RIBE}.m,\mathsf{HIBE}.m)\in {\mathcal{M}}^2$ uniformly at random, subject to $\mathsf{RIBE}.m+\mathsf{HIBE}.m=m$.
  • Run $\mathsf{RIBE}.\mathsf{ct}\leftarrow \mathsf{RIBE}.\mathsf{Enc}(\mathsf{RIBE}.\mathsf{mpk},\mathsf{id},\mathsf{t},\mathsf{RIBE}.m,\mathsf{PL})$.
  • Run $\mathsf{HIBE}.\mathsf{ct}\leftarrow \mathsf{HIBE}.\mathsf{Enc}(\mathsf{HIBE}.\mathsf{mpk},(\mathsf{id}\left|\right|\mathsf{t}),\mathsf{HIBE}.m)$.
  • Output $\mathsf{ct}:=(\mathsf{RIBE}.\mathsf{ct},\mathsf{HIBE}.\mathsf{ct})$.
• $\mathsf{Dec}(\mathsf{mpk},{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$:
  • Parse $\mathsf{mpk}:=(\mathsf{RIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{mpk})$ and ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$.
  • Run $\mathsf{RIBE}.\mathrm{m}\leftarrow \mathsf{RIBE}.\mathsf{Dec}(\mathsf{RIBE}.\mathsf{mpk},\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{RIBE}.\mathsf{ct})$.
  • Run $\mathsf{HIBE}.\mathrm{m}\leftarrow \mathsf{HIBE}.\mathsf{Dec}(\mathsf{HIBE}.\mathsf{mpk},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}},\mathsf{HIBE}.\mathsf{ct},)$.
  • Output $m:=\mathsf{RIBE}.\mathrm{m}+\mathsf{HIBE}.\mathrm{m}$.
• $\mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$:
  • Run $\mathsf{RIBE}.\mathsf{st}\leftarrow \mathsf{RIBE}.R(\mathsf{id},\mathsf{t},\mathsf{st})$.
  • Output $\mathsf{st}:=\mathsf{RIBE}.\mathsf{st}$.

Obviously, the correctness of scheme $\mathsf{\Pi }$ follows from the correctness of the underlying RIBE scheme and HIBE scheme. The security of scheme $\mathsf{\Pi }$ is guaranteed by the following theorem.

Theorem 2.

(Theorem 1 in [24]) If the underlying RIBE scheme in the above RIBE scheme Π is selective-IND-ID-CPA secure but without decryption key exposure resistance (DKER), and the underlying HIBE scheme in Π is selective-IND-ID-CPA secure, then the resulting RIBE scheme Π is selective-IND-ID-CPA secure with DKER.

Please note that our RIBE scheme $\mathsf{RIBE}$ in Section 4 is adaptive-IND-ID-CPA secure without DKER and the hierarchal IBE $\mathsf{HIBE}$ constructed in [8] is selective-IND-ID-CPA secure. Both of $\mathsf{RIBE}$ and $\mathsf{HIBE}$ are based on the CDH assumption. Following Theorem 2, the constructed RIBE scheme $\mathsf{\Pi }$ will be selective-IND-ID-CPA secure with DKER based on the CDH assumption.

Corollary 1.

When instantiating the building blocks with our RIBE scheme $\mathit{RIBE}$ in Section 4 and the hierarchal IBE $\mathit{HIBE}$ in [8], the RIBE scheme Π is selective-IND-ID-CPA secure with DKER based on the CDH assumption.

6. Server-Aided Revocable IBE Scheme

In this section, we present a server-aided version of our revocable IBE scheme. Following the ideas in Section 4 and Section 5, we use a standard HIBE scheme $\mathsf{HIBE}=(\mathsf{HIBE}.\mathsf{Setup},$$\mathsf{HIBE}.\mathsf{KG},\mathsf{HIBE}.\mathsf{Enc},$$\mathsf{HIBE}.\mathsf{Dec})$ in [8] as a building block to construct such a SR-IBE $\Sigma$, so that $\Sigma$ can obtain DKER. To describe our server-aided revocable IBE scheme $\Sigma$, we make use of these five subroutines (NodeGen, LeafGen, FindNodes, NodeChange, LeafChange) as defined in Section 4.

Let $\Sigma .\mathcal{ID}$, $\Sigma .\mathcal{T}$ and $\Sigma .\mathcal{M}$ denote the identity space, the time period space and the plaintext space of scheme $\Sigma$ respectively. Let $\mathsf{HIBE}.\mathcal{ID}$ and $\mathsf{HIBE}.\mathcal{M}$ denote the identity space and the plaintext space of scheme $\mathsf{HIBE}$ respectively. For all $\mathsf{id}\in \Sigma .\mathcal{ID}$ and all $\mathsf{t}\in \Sigma .\mathcal{T}$, we assume $(\mathsf{id}||\mathsf{t})\in \mathsf{HIBE}.\mathcal{ID}$. In addition, we assume $\Sigma .\mathcal{M}=\mathsf{HIBE}.\mathcal{M}$.

Idea. To convert the RIBE scheme $\mathsf{\Pi }$ with DKER in Section 5 to the SR-IBE scheme $\Sigma$, the problem is how to divide the decryption ability between the server and the users.

• Key Generation: Recall that in RIBE $\mathsf{\Pi }$ the secret key of a user is $(\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}:=(\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$. Moreover, as shown in Figure 2, the RIBE private key $\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}$ can be treated as a path from the root to the leaf corresponding to $\mathsf{id}$ in a tree. Now for SR-IBE $\Sigma$, we divide the RIBE private key $\mathsf{RIBE}.{\mathsf{sk}}_{\mathsf{id}}$ into two parts, the non-leaf part and the leaf part. The non-leaf part (we name it ${\mathsf{pk}}_{\mathsf{id}}$) is assigned to the server and the leaf part (${\mathsf{ek}}_{\mathsf{id}},{\mathsf{dk}}_{\mathsf{id}}$) (in fact ${\mathsf{dk}}_{\mathsf{id}}$ is enough) to user $\mathsf{id}$. Besides, user $\mathsf{id}$ is also assigned with the HIBE private key $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}}$. This is shown in Figure 7.
  

  Figure 7. Separation of $\mathsf{\Pi }.{\mathsf{sk}}_{111}$ to the server and the user “111” in SR-IBE $\Sigma$, where ${\mathsf{pk}}_{111}$ is the public key and ${\mathsf{sk}}_{111}$ is the private key of user “111”.
• Key Update: If a user has been revoked in RIBE $\mathsf{\Pi }$, the updating information in the leaf node corresponding to the user will not be issued. In other words, all the key updating information only occurs in the upper part of the tree excluding the leaves. Therefore, in SR-IBE $\Sigma$ the key authority can issue the key updating list to the server and the server is in charge of updating keys for users.
• Decryption: Recall that in the RIBE scheme $\mathsf{\Pi }$ with DKER in Section 5, the ciphertext consists of two parts: the ciphertext of the RIBE scheme $\mathsf{RIBE}.\mathsf{ct}$ and the ciphertext of the HIBE scheme $\mathsf{HIBE}.\mathsf{ct}$. To decrypt $\mathsf{RIBE}.\mathsf{ct}$ in SR-IBE $\Sigma$, the decryption is implemented from the top to the bottom along the path in the tree. The server will decrypt the upper non-leaf part while the user will decrypt the leaf part. Meanwhile, the user is alway able to use $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}}$ and time slot $\mathsf{t}$ to compute $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}}$ and decrypt $\mathsf{HIBE}.\mathsf{ct}$ with it. The process is shown in Figure 8.
  

  Figure 8. The process of the SR-IBE scheme.

Construction of SR-IBE. 

Now we describe our server-aided revocable IBE scheme $\Sigma =(\mathsf{Setup},\mathsf{PubKG},\mathsf{KU},\mathsf{TranKG},\mathsf{PrivKG},\mathsf{DK},\mathsf{Enc},\mathsf{Transform},\mathsf{Dec},\mathsf{R})$.

• $\mathsf{Setup}(1^{\lambda },1^n)$: given a security parameter $\lambda$, an integer n where $2^n$ is the maximal number of users that the scheme supports. Define identity space as $\Sigma .\mathcal{ID}={\{0,1\}}^n$ and time space as $\Sigma .\mathcal{T}={\{0,1\}}^{\ell }$, and do the following.
  • Sample $s\stackrel{\$}{\leftarrow }{\{0,1\}}^{\lambda }$.
  • For each $i\in \left[n\right]$, invoke $(k_i,t{d}_i)\stackrel{\$}{\leftarrow }\mathsf{HGen}(1^{\lambda },2\lambda )$.
  • Initialize key list $\mathsf{KL}:=\varnothing$, public list $\mathsf{PL}=\varnothing$, key update list $\mathsf{KU}=\varnothing$ and revocation list $\mathsf{RL}:=\varnothing$.
  • Run $(\mathsf{HIBE}.\mathsf{mpk},\mathsf{HIBE}.\mathsf{msk})\leftarrow \mathsf{HIBE}.\mathsf{Setup}(1^{\lambda })$.
  • $\mathsf{mpk}:=(k_0,\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$; $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$; $\mathsf{msk}:=(\mathsf{mpk},t{d}_0,\cdots ,$$t{d}_{n-1},s,\mathsf{HIBE}.\mathsf{msk})$.
  • Output $(\mathsf{mpk},\mathsf{msk},\mathsf{st})$.
• $\mathsf{PubKG}(\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n,\mathsf{st})$
  • Parse $\mathsf{msk}=(\mathsf{mpk},t{d}_0,\cdots ,t{d}_{n-1},s,\mathsf{HIBE}.\mathsf{msk})$, $\mathsf{st}=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$ and $\mathsf{mpk}=(k_0,\cdots ,$$k_{n-1},$$\ell ,\mathsf{HIBE}.\mathsf{mpk})$.
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • For all $v\in \mathsf{W}\backslash \left\{\mathsf{id}\right[1\cdots n-1\left]\right\}$:
    $(h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)\leftarrow \mathsf{NodeGen}((k_0,\cdots ,k_{n-1}),(t{d}_0,\cdots ,t{d}_{n-1},s),v,\ell )$,
    $\mathsf{KL}:=\mathsf{KL}\cup \left\{(v,h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)\right\}$,
    ${\mathsf{lk}}_v:=(h_v,h_{v\left|\right|0},h_{v\left|\right|1},r_v)$.
  • For $v=\mathsf{id}[1\cdots n-1]$:
    $(h_v,h_{v\left|\right|0}={\mathsf{ek}}_{v\left|\right|0},h_{v\left|\right|1}={\mathsf{ek}}_{v\left|\right|1},r_v,{\mathsf{dk}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|1})\leftarrow \mathsf{LeafGen}(k_{n-1},$$(t{d}_{n-1},s),v,\ell )$,
    $\mathsf{KL}:=\mathsf{KL}\cup \{(v,h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v),(v||0,{\mathsf{ek}}_{v\left|\right|0},\perp ),(v\left|\right|1,{\mathsf{ek}}_{v\left|\right|1},\perp )\}$,
    ${\mathsf{lk}}_v:=(h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v)$.
  • $\mathsf{st}=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$ and ${\mathsf{pk}}_{\mathsf{id}}:=(t=0,\mathsf{id},{\left\{{\mathsf{lk}}_v\right\}}_{v\in \mathsf{W}})$.
  • Output $({\mathsf{pk}}_{\mathsf{id}},\mathsf{st})$.
    // This algorithm is almost the same as the Private Key Generation algorithm in Section 4 except that there is no ${\mathsf{dk}}_{\mathsf{id}}$ in ${\mathsf{pk}}_{\mathsf{id}}$.
• $\mathsf{KU}(\mathsf{msk},t,\mathsf{st})$:
  • Parse $\mathsf{msk}=(\mathsf{mpk},t{d}_0,\cdots ,t{d}_{n-1},s,\mathsf{HIBE}.\mathsf{msk})$, $\mathsf{st}=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$ and $\mathsf{mpk}=(k_0,\cdots ,$$k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$.
  • $\mathsf{Y}\leftarrow \mathsf{FindNodes}(\mathsf{RL},t,\mathsf{KL})$. // $\mathsf{Y}$ stores all revoked leaves and their ancestors
  • If $\mathsf{Y}=\varnothing$, Output($\mathsf{KU},\mathsf{PL}$)
  • Set key update list ${\mathsf{KU}}^{(\mathsf{t})}:=\varnothing$.
  • For all node $v\in \mathsf{Y}$ such that $\left|v\right|=n$: $({\mathsf{ek}}_v^{(\mathsf{t})},\perp )\leftarrow \mathsf{LeafChange}(v,\mathsf{t},s)$,
    ${\mathsf{KU}}^{(\mathsf{t})}:={\mathsf{KU}}^{(\mathsf{t})}\cup \left\{(v,{\mathsf{ek}}_v^{(\mathsf{t})},\perp )\right\}$. $h_v^{(\mathsf{t})}:={\mathsf{ek}}_v^{(\mathsf{t})}$.
  • For $i=n-1$ to 0: $\mathrm{For}$ all node $v\in \mathsf{Y}$ and $\left|v\right|=i$:
    $\mathrm{Set}$$j:=\mathsf{t}$, ${\mathsf{KU}}^{(0)}:=\mathsf{KL}$.
    $\mathrm{While}$($j\ge 0$)
    $\mathrm{If}$$\exists v\left|\right|b$ s.t. $(v||b,h_{v\left|\right|b},·,·,·)\in {\mathsf{KU}}^{(j)},$
    $h_{v\left|\right|b}^{(\mathsf{t})}:=h_{v\left|\right|b}$,
    $\mathrm{Break}$;
    $j:=j-1.$
    $(h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})\leftarrow \mathsf{NodeChange}(k_i,\mathsf{t}{d}_i,v,h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},\mathsf{t},s)$.
    ${\mathsf{KU}}^{(\mathsf{t})}:={\mathsf{KU}}^{(\mathsf{t})}\cup \left\{(v,h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})\right\}$.
  • $\mathsf{KU}:=\mathsf{KU}\cup \left\{(\mathsf{t},{\mathsf{KU}}^{(\mathsf{t})})\right\}$ and $\mathsf{PL}:=\mathsf{PL}\cup \left\{(\mathsf{t},h_{\epsilon }^{(\mathsf{t})})\right\}$.
  • $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$
  • Output $(\mathsf{st})$.
    // This algorithm is identical to the Key Update Generation algorithm in Section 4.
• $\mathsf{TranKG}(\mathsf{mpk},{\mathsf{pk}}_{\mathsf{id}},\mathsf{KU})$:
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • Parse $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$ and ${\mathsf{pk}}_{\mathsf{id}}=(0,\mathsf{id},\{h_v,h_{v\left|\right|0},$$h_{v\left|\right|1},$$r_v{\}}_{v\in \mathsf{W}})$.
  • From $\mathsf{KU}$ retrieve a set $\Omega :=\left\{(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\right|(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \mathsf{KU},0\le \tilde{\mathsf{t}}<\mathsf{t}\}$.
  • For each $(\tilde{\mathsf{t}},{\mathsf{KU}}^{(\tilde{\mathsf{t}})})\in \Omega$ with $\tilde{\mathsf{t}}$ in ascending order, does the following:
    $\mathrm{For}$$i=0$ to $n-1$:
    $v:=\mathsf{id}[1\cdots i]$ (Recall $\mathsf{id}[1\cdots 0]=\epsilon$).
    $\mathrm{If}$$\exists (v,h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})\in {\mathsf{KU}}^{(\tilde{\mathsf{t}})}$:
    ${\mathsf{lk}}_v^{(\mathsf{t})}:=(h_v^{(\tilde{\mathsf{t}})},h_{v\left|\right|0}^{(\tilde{\mathsf{t}})},h_{v\left|\right|1}^{(\tilde{\mathsf{t}})},r_v^{(\tilde{\mathsf{t}})})$.
  • Output ${\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}})$
    // This algorithm is almost the same as the Decryption Key Generation algorithm in Section 4 except that all update operations do not involve leaf nodes, i.e., ${\mathsf{dk}}_{\mathsf{id}}$.
• $\mathsf{PrivKG}(\mathsf{msk},\mathsf{id}\in {\{0,1\}}^n)$
  • Parse $\mathsf{msk}=(\mathsf{mpk},t{d}_0,\cdots ,t{d}_{n-1},s,\mathsf{HIBE}.\mathsf{msk})$ and $\mathsf{mpk}=(k_0,$$\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$.
  • $({\mathsf{ek}}_{\mathsf{id}},{\mathsf{dk}}_{\mathsf{id}})\leftarrow \mathsf{G}(1^{\lambda },\mathsf{PRF}(s,0^{\ell }\left|\right|\mathsf{id}))$
  • Run $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}}\leftarrow \mathsf{HIBE}.\mathsf{KG}(\mathsf{HIBE}.\mathsf{msk},\mathsf{id})$.
  • ${\mathsf{sk}}_{\mathsf{id}}:=({\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$.
  • Output ${\mathsf{sk}}_{\mathsf{id}}$.
• $\mathsf{DK}({\mathsf{sk}}_{\mathsf{id}},\mathsf{t})$
  • Parse ${\mathsf{sk}}_{\mathsf{id}}=({\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$.
  • Run $\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}}\leftarrow \mathsf{HIBE}.\mathsf{KG}(\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}},\mathsf{t})$.
  • ${\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})}:=({\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$.
  • Output ${\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})}$.
• $\mathsf{Enc}(\mathsf{mpk},\mathsf{id},\mathsf{t},m,\mathsf{PL}))$:
  Same to the encryption algorithm in Section 4, we use these two circuits that will be garbled during the encryption procedure.

  -

  $\mathsf{Q}\left[m\right](ek):$ Compute and output $\mathsf{E}(ek,m)$.

  -

  $\mathsf{P}[\beta \in \{0,1\},k,\overline{\mathsf{lab}}](h)$: Compute and output $\{\mathsf{HEnc}(k,(h,j+\beta ·\lambda ,b),$${\mathsf{lab}}_{j,b}{)\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$, where $\overline{\mathsf{lab}}$ is the short for ${\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$.

  Encryption proceeds as follows:
  • Retrieve the last item $(\overline{\mathsf{t}},h_{ϵ}^{(\overline{\mathsf{t}})})$ from $\mathsf{PL}$. If $\mathsf{t}<\overline{\mathsf{t}}$, output ⊥; otherwise $h_{ϵ}^{(\mathsf{t})}:=h_{ϵ}^{(\overline{\mathsf{t}})}$.
  • Parse $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$.
  • Sample a pair $(\mathsf{RIBE}.m,\mathsf{HIBE}.m)\in {\mathcal{M}}^2$ uniformly at random, subject to $\mathsf{RIBE}.m+\mathsf{HIBE}.m=m$.
  • Run $\mathsf{HIBE}.\mathsf{ct}\leftarrow \mathsf{HIBE}.\mathsf{Enc}(\mathsf{HIBE}.\mathsf{mpk},(\mathsf{id}||\mathsf{t}),\mathsf{HIBE}.m)$.
  • $(\tilde{Q},\overline{\mathsf{lab}})\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{Q}[\mathsf{RIBE}.m])$.
  • For $i=n-1$ to 0,
    $({\tilde{P}}^i,{\overline{\mathsf{lab}}}^{\prime })\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{P}[\mathsf{id}[i+1],k_i,\overline{\mathsf{lab}}])$ and set $\overline{\mathsf{lab}}:={\overline{\mathsf{lab}}}^{\prime }$.
  • Output $\mathsf{RIBE}.\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{j,h_{\epsilon ,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$, where $h_{\epsilon ,j}^{(\mathsf{t})}$ is the $j^{\mathrm{th}}$ bit of $h_{\epsilon }^{(\mathsf{t})}$.
  • Output $\mathsf{ct}:=(\mathsf{RIBE}.\mathsf{ct},\mathsf{HIBE}.\mathsf{ct})$.
• $\mathsf{Transform}(\mathsf{mpk},{\mathsf{tk}}_{\mathsf{id}}^{(\mathsf{t})},\mathsf{ct})$
  • $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string.
  • Parse $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$, $\mathsf{ct}=(\mathsf{RIBE}.\mathsf{ct},\mathsf{HIBE}.\mathsf{ct})$ and ${\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v^{(\mathsf{t})}\right\}}_{v\in \mathsf{W}})$, where ${\mathsf{lk}}_v^{(\mathsf{t})}=(h_v^{(\mathsf{t})},h_{v\left|\right|0}^{(\mathsf{t})},h_{v\left|\right|1}^{(\mathsf{t})},r_v^{(\mathsf{t})})$.
  • Parse $\mathsf{RIBE}.\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{j,h_{\epsilon ,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$
  • Set $y:=h_{\epsilon }^{(\mathsf{t})}$.
  • For $i=0$ to $n-1$:
    $\mathrm{Set}$$v:=\mathsf{id}[1\cdots i]$ (Recall $\mathsf{id}[1\cdots 0]=\epsilon )$;
    ${\left\{c_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}\leftarrow \mathsf{Eval}({\tilde{P}}^i,{\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]});$
    $\mathrm{If}$$i\ne n-1$, set $v^{\prime }:=\mathsf{id}[1\cdots i+1]$ and $y:=h_{v^{\prime }}^{(\mathsf{t})}$, and for each $j\in \left[\lambda \right]$,

    $${\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]}\leftarrow \mathsf{HDec}(k_i,c_{j,y_j},(h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})}),r_v^{(\mathsf{t})}).$$
    $\mathrm{If}$$i=n-1$, set $y:={\mathsf{ek}}_{\mathsf{id}}$ and for each $j\in \left[\lambda \right]$, compute

    $${\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]}\leftarrow \mathsf{HDec}(k_i,c_{j,y_j},({\mathsf{ek}}_{v\left|\right|0}\left|\right|{\mathsf{ek}}_{v\left|\right|1})=(h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})}),r_v^{(\mathsf{t})}).$$
  • Compute $f\leftarrow \mathsf{Eval}(\tilde{Q},{\left\{{\mathsf{lab}}_{j,y_j}\right\}}_{j\in \left[\lambda \right]})$.
  • Output ${\mathsf{ct}}^{\prime }:=(f,\mathsf{HIBE}.\mathsf{ct})$
    // This algorithm is almost the same as the Decryption algorithm in Section 4 except that this algorithm omits the last step, i.e., it does not recover $\mathsf{RIBE}.\mathrm{m}$ from f.
• $\mathsf{Dec}(\mathsf{mpk},{\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})},{\mathsf{ct}}^{\prime })$
  • Parse $\mathsf{mpk}=(k_0,\cdots ,k_{n-1},\ell ,\mathsf{HIBE}.\mathsf{mpk})$, ${\mathsf{dk}}_{\mathsf{id}}^{(\mathsf{t})}=({\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$ and ${\mathsf{ct}}^{\prime }=(f,\mathsf{HIBE}.\mathsf{ct})$.
  • Run $\mathsf{HIBE}.\mathrm{m}\leftarrow \mathsf{HIBE}.\mathsf{Dec}(\mathsf{HIBE}.\mathsf{mpk},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}},\mathsf{HIBE}.ct,)$.
  • Run $\mathsf{RIBE}.\mathrm{m}\leftarrow \mathsf{D}({\mathsf{dk}}_{\mathsf{id}},f)$.
  • Output $m:=\mathsf{RIBE}.\mathrm{m}+\mathsf{HIBE}.\mathrm{m}$
• $\mathsf{R}(\mathsf{id},\mathsf{t},\mathsf{st})$:
  • Parse $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$.
  • Update the revocation list by $\mathsf{RL}:=\mathsf{RL}\cup \{(\mathsf{id},\mathsf{t})\}$.
  • $\mathsf{st}:=\{\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU}\}$.
  • Output $\mathsf{st}$.

Obviously, the correctness of this scheme $\Sigma$ follows from the correctness of the RIBE scheme described in Section 4 and the HIBE scheme used as the building block. The security of scheme $\Sigma$ is guaranteed by the following theorem.

Theorem 3.

If $\mathit{HIBE}$ is the hierarchal IBE constructed in [8], the above server-aided revocable IBE scheme Σ is selective-SR-ID-CPA secure (with decryption key exposure resistance ) based on the CDH assumption.

Proof. 

The full proof of Theorem 3 is in Appendix B.2. □

7. Analysis of Key Updating Size

In this section, we analyze the key updating efficiency of our revocable IBE scheme. Different from an IBE scheme, a revocable IBE scheme has enormous cost on the publishing updating keys at each time slot. In our RIBE, the number of updating keys is linear to the number of updated nodes. Therefore, we focus on the number of updated nodes for the performance. The advantage of our RIBE lies in the fact that the nodes that needs to updated is only related to the number $\Delta r$ of newly revoked users in the past time slot. More precisely, in all the three schemes proposed in this paper, the number of nodes needs to be updated in each time plot is at most $\Delta r(\log N-\log (\Delta r))$. Thus the key updating size of our scheme is at most $O(\Delta r(\log N-\log (\Delta r)))$. If there is no new users revoked in the previous time slot, then key updating is not necessary at all.

Recall that in the most of RIBE schemes, the size of updating keys is closely related to the total number r of all the revoked users across all the past slots. For example, in [10] the size of updated key during each time slot is of order $O(r\log (N/r))$, where N is the number of users. In addition, in [14], the size of updated key during each time slot is of order $O(r)$.

For simulation, we use Poisson distribution to simulate the number of revoked users at each time period, where $\alpha$ denotes the expected number of revoked users in each time slot. At a time slot $\mathsf{t}$, we sample a random number $\Delta r_{\mathsf{t}}$ following the Poisson distribution parameterized by $\alpha$, and $\Delta r_{\mathsf{t}}$ denotes the number of revoked users at time slot t. The total number $r_{{\mathsf{t}}^{\prime }}$ of the revoked users up to time slot ${\mathsf{t}}^{\prime }$ is given by ${\sum }_{t=0}^{{\mathsf{t}}^{\prime }}\Delta r_{\mathsf{t}}$. We evaluate the key updating sizes in our RIBE, the RIBE in [10] and the RIBE in [14]. Since all the our three schemes share the same updating complexity in each time plot, we only simulate our RIBE scheme without DKER and compare the results with the RIBE scheme in [10] and the RIBE scheme in [14]. The simulation results for $N=2^{20}$ and $N=2^{25}$ are shown in Figure 9 and Figure 10 respectively.

Figure 9. N = 20.

Figure 10. N = 25.

Appendix B.1. Proof of Theorem 1

Proof. 

The proof consists of $5n+4$ hybrids, ${\mathcal{H}}_{-1}$, {${\mathcal{H}}_0$, ${\mathcal{H}}_{0,1}$, ${\mathcal{H}}_{0,2}$, ${\mathcal{H}}_{0,3}$, ${\mathcal{H}}_{0,4}$}, ⋯, $\{{\mathcal{H}}_{n-1},{\mathcal{H}}_{n-1,1},$${\mathcal{H}}_{n-1,2},{\mathcal{H}}_{n-1,3},{\mathcal{H}}_{n-1,4}\},{\mathcal{H}}_n,{\mathcal{H}}_{n+1},{\mathcal{H}}_{n+2}$, and we will show that adjacent hybrids are computational indistinguishable. Compared with ${\mathcal{H}}_i$, hybrid ${\mathcal{H}}_{i+1}$ has small changes in how the oracle queries are answered and/or the challenge ciphertext is generated. Denote by ${\mathcal{H}}_i\Rightarrow 1$ the event that the hybrid outputs 1.

• ${\mathcal{H}}_{-1}$: This hybrid is just the original experiment ${\mathrm{EXP}}_{\mathcal{A}}^{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda )$ (without oracle $\mathrm{DK}(·,·)$) as shown in Definition 1. Thus

  $${\mathbf{Adv}}_{\mathcal{A}}^{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda )=|\mathrm{Pr}[{\mathcal{H}}_{-1}\Rightarrow 1]-1/2\left]\right|.$$

  (A1)
  Specifically, in this hybrid, the challenger $\mathcal{C}$ will first invoke $\mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },1^n)$ to obtain $(\mathsf{mpk},\mathsf{msk},\mathsf{st})$ where $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL})$. $\mathcal{C}$ sends $\mathsf{mpk}$ to the adversary $\mathcal{A}$ and answers oracle queries as follows.
  • Private key generation oracle $\mathrm{KG}(\mathsf{id})$. Upon receiving $\mathcal{A}$’s query $\mathsf{id}$, the challenger invokes $({\mathsf{sk}}_{\mathsf{id}},{\mathsf{st}}^{\prime })\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},\mathsf{id},\mathsf{KL},\mathsf{st})$ and returns ${\mathsf{sk}}_{\mathsf{id}}$ to $\mathcal{A}$.
  • Key update oracle $\mathrm{KU}(\mathsf{t})$. Upon receiving $\mathcal{A}$’s query $\mathsf{t}$, $\mathcal{C}$ does as follows:
    For ${\mathsf{t}}_i$ from 1 to $\mathsf{t}$:
    ${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},{\mathsf{t}}_i,\mathsf{st})$
    $\mathsf{st}:={\mathsf{st}}^{\prime }$.
    Parse $\mathsf{st}=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$
    Returns $(\mathsf{KU},\mathsf{PL})$ to $\mathcal{A}$.
  • Revocation oracle $\mathsf{R}\mathsf{v}\mathsf{k}(\mathsf{id},\mathsf{t})$. Upon receiving $\mathcal{A}$’s query an $\mathsf{id}$ and a $\mathsf{t}$, $\mathcal{C}$ invokes ${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.R(\mathsf{id},\mathsf{t},\mathsf{st})$ and parses ${\mathsf{st}}^{\prime }=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$. It returns $\mathsf{RL}$ to $\mathcal{A}$.
• ${\mathcal{H}}_0$: In this hybrid, we change how the challenger $\mathcal{C}$ answers oracle $\mathrm{KG}(\mathsf{id})$ and oracle $\mathrm{KU}(\mathsf{t})$. Recall that in ${\mathcal{H}}_{-1}$, the subroutines NodeGen and LeafGen are involved in RIBE.KG when answering queries to the oracle $KG$, and the subroutines NodeChange and LeafChange are involved in RIBE.KU when answering queries to the oracle $\mathrm{KU}.$ A pseudo-random subroutine $\mathsf{PRF}(s,·)$ is invoked in all the four subroutines. Now in ${\mathcal{H}}_0$, this $\mathsf{PRF}(s,·)$ will be replaces by a truly subroutine $\mathsf{RF}(·)$. Note that $\mathcal{C}$ can efficiently implement the truly subroutine $\mathsf{RF}(·)$: Given a fresh input x, $\mathcal{C}$ chooses a random element R in ${\{0,1\}}^{\lambda }$ as the output of $\mathsf{RF}(·)$. $\mathcal{C}$ records $(x,R)$ locally. If x is not fresh, $\mathcal{C}$ retrieves R from its records.
  Any difference between ${\mathcal{H}}_{-1}$ and ${\mathcal{H}}_0$ will lead to a distinguisher ${\mathcal{B}}_1$, who can distinguish $\mathsf{PRF}$ from $\mathsf{RF}$. Hence

  $$|\mathrm{Pr}[{\mathcal{H}}_{-1}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_0\Rightarrow 1]|\le {\mathbf{Adv}}_{{\mathcal{B}}_1}^{PRF}(\lambda ).$$

  (A2)
• ${\mathcal{H}}_{\gamma }$ for $\gamma \in \{0,1,\cdots ,n\}$: In this hybrid, challenger $\mathcal{C}$ changes the generation of the challenge ciphertext. Recall that the challenge ciphertext $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{j,h_{\epsilon ,j}^{(\mathsf{t})}}\right\}}_{j\in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$. In hybrid ${\mathcal{H}}_{\gamma }$, $\mathcal{C}$ invokes the simulator $\mathsf{Sim}$ provided by the garbled circuit scheme to generate the first $\gamma$ garbled circuits $\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{\gamma -1}\}$. Meanwhile, for $i\in [0,\gamma -1]$, the input of the $\mathsf{Sim}$ is the $2\lambda$ chameleon encryption ciphertexts
  ${\left\{\mathsf{HEnc}(k_i,(h_{{\mathsf{id}}^{*}[1\cdots i]}^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*}[1\cdots i+1],j}^{({\mathsf{t}}^{*})}})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$. We stress that the $2\lambda$ labels satisfy ${\mathsf{lab}}_{j,0}={\mathsf{lab}}_{j,1}={\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*}[1\cdots i+1],j}^{({\mathsf{t}}^{*})}}$. Please note that $\mathsf{Sim}$ needs the hash value $h_{{\mathsf{id}}^{*}[1\cdots i]}^{({\mathsf{t}}^{*})}$ with $i\in [0,\gamma ]$. Therefore the challenger $\mathcal{C}$ has to determine $h_{{\mathsf{id}}^{*}[1\cdots i]}^{({\mathsf{t}}^{*})}$ first with $i\in [0,\gamma ]$. Then $\mathcal{C}$ invokes $\mathsf{sim}$ to generate $\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{\gamma -1}\}$, and invokes $\mathsf{GCircuit}$ to generate the rest circuits. Below is the detailed description of the generation of the challenge ciphertext by $\mathcal{C}$.
  Assume $\mathcal{A}$’s challenge query as $({\mathsf{id}}^{*},{\mathsf{t}}^{*},M_0,M_1)$. $\mathcal{C}$ first chooses a random bit $\theta$, and encrypts $M_{\theta }$ under ${\mathsf{id}}^{*}$ in ${\mathsf{t}}^{*}$ as follows:
  • Define ${\mathsf{W}}^{*}:=\{\epsilon ,{\mathsf{id}}^{*}\left[1\right],\cdots ,{\mathsf{id}}^{*}[1\cdots n-1]\}$, where $\epsilon$ is the empty string. Determine the values $(h_{\epsilon },h_{{\mathsf{id}}^{*}\left[1\right]},\cdots ,h_{{\mathsf{id}}^{*}[1\cdots n-1]},{\mathsf{ek}}_{{\mathsf{id}}^{*}})$ which are the values attached to all nodes on the path from the root to ${\mathsf{id}}^{*}$.

    -

    ${\mathsf{sk}}_{{\mathsf{id}}^{*}}\leftarrow \mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},{\mathsf{id}}^{*})$.

    -

    ${\mathsf{st}}^{\prime }\leftarrow \mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},{\mathsf{t}}^{*},\mathsf{st})$.

    $\mathsf{st}:={\mathsf{st}}^{\prime }=(\mathsf{KL},\mathsf{PL},\mathsf{RL},\mathsf{KU})$

    Retrieve $({\mathsf{t}}^{*},h_{\epsilon }^{({\mathsf{t}}^{*})})$ from $\mathsf{PL}$.

    -

    ${\mathsf{sk}}_{{\mathsf{id}}^{*}}^{({\mathsf{t}}^{*})}\leftarrow \mathsf{RIBE}.\mathsf{DK}(\mathsf{mpk},{\mathsf{sk}}_{{\mathsf{id}}^{*}},\mathsf{KU},{\mathsf{t}}^{*})$.

    Parse ${\mathsf{sk}}_{{\mathsf{id}}^{*}}^{({\mathsf{t}}^{*})}=({\mathsf{id}}^{*},\{(h_v^{({\mathsf{t}}^{*})},h_{v\left|\right|0}^{({\mathsf{t}}^{*})},h_{v\left|\right|1}^{({\mathsf{t}}^{*})},$$r_v^{({\mathsf{t}}^{*})}{)\}}_{v\in {\mathsf{W}}^{*}},{\mathsf{dk}}_{{\mathsf{id}}^{*}})$, where

    $(h_{{\mathsf{id}}^{*}[1\cdots n-1]\left|\right|0}^{({\mathsf{t}}^{*})},h_{{\mathsf{id}}^{*}[1\cdots n-1]\left|\right|1}^{({\mathsf{t}}^{*})})=({\mathsf{ek}}_{{\mathsf{id}}^{*}[1\cdots n-1]\left|\right|0},{\mathsf{ek}}_{{\mathsf{id}}^{*}[1\cdots n-1]\left|\right|1})$. Please note that ${\mathsf{dk}}_{{\mathsf{id}}^{*}}=\perp$ if ${\mathsf{id}}^{*}$ has been revoked before ${\mathsf{t}}^{*}$.

  • $(\tilde{Q},\overline{\mathsf{lab}})\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{Q}\left[M_{\theta }\right])$, where $\overline{\mathsf{lab}}={\left\{{\mathsf{lab}}_{j,b}\right\}}_{i\in \left[\lambda \right],b\in \{0,1\}}$.
  • For $i=n-1$ to $\gamma$,

    $$({\tilde{P}}^i,{\overline{\mathsf{lab}}}^{\prime })\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{P}[{\mathsf{id}}^{*}[i+1],k_i,\overline{\mathsf{lab}}]).$$

    (A3)
    Set $\overline{\mathsf{lab}}:={\overline{\mathsf{lab}}}^{\prime }$.
  • For $i=\gamma -1$ to 0, set $v={\mathsf{id}}^{*}[1\cdots i]$, where $v=\epsilon$ if $i=0$.

    $$({\tilde{P}}^i,{\left\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\right\}}_{j\in \left[\lambda \right]})\stackrel{\$}{\leftarrow }\mathsf{Sim}(1^{\lambda },{\left\{\mathsf{HEnc}(k_i,(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*}[1\cdots i+1],j}^{({\mathsf{t}}^{*})}})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}})$$

    (A4)

    and set $\overline{\mathsf{lab}}:={\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime },{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\}}_{j\in \left[\lambda \right]}$.
  • Output ${\mathsf{ct}}^{*}:=\left({\left\{{\mathsf{lab}}_{\ell ,h_{\epsilon ,\ell }^{({\mathsf{t}}^{*})}}\right\}}_{\ell \in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$, where $h_{\epsilon ,\ell }^{({\mathsf{t}}^{*})}$ is the ${\ell }^{\mathrm{th}}$ bit of $h_{\epsilon }^{({\mathsf{t}}^{*})}$.
  Please note that the randomnesses in $\mathsf{RIBE}.\mathsf{KG}$ and $\mathsf{RIBE}.\mathsf{KU}$ are generated by random subroutines instead of the $\mathsf{PRF}$.
• ${\mathcal{H}}_{\gamma ,1}$ for $\gamma \in \{0,1,\cdots ,n-1\}$: This hybrid is the same as ${\mathcal{H}}_{\gamma }$ except that the challenger $\mathcal{C}$ changes the way of generating $h_v$ and $r_v$ when answering private key queries and the way of generating $h_v^{(\mathsf{t})}$ and $r_v^{(\mathsf{t})}$ when answering key update queries for $v\in {\{0,1\}}^{\gamma }$. For $\gamma =n-1$, set $(h_{v\left|\right|0},h_{v\left|\right|1}):=({\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1})$. In addition, set

  $$h_{v\left|\right|b}^{(\mathsf{t})}:=\left\{\begin{array}{c}{\mathsf{ek}}_{v\left|\right|b}\mathrm{if}v\mathrm{is}\mathrm{not}\mathrm{revoked},\hfill \\ {\mathsf{ek}}_{v\left|\right|b}^{\prime }\mathrm{if}v\mathrm{is}\mathrm{revoked},\hfill \end{array}\right.$$

  where $({\mathsf{ek}}_v^{\prime },{\mathsf{dk}}_v^{\prime })\leftarrow \mathsf{G}(1^{\lambda })$ and $b\in \{0,1\}$. Specifically, $\mathcal{C}$ changes the generation process of $(h_v,r_v)$ from

  $$\begin{array}{ccc}\hfill h_v& :=& \mathsf{H}(k_{\gamma },0^{2\lambda };\mathsf{RF}(v))\hfill \\ \hfill r_v& :=& {\mathsf{H}}^{-1}(t{d}_{\gamma },(0^{2\lambda },\mathsf{RF}(v)),h_{v\left|\right|0}\left|\right|h_{v\left|\right|1})\hfill \end{array}$$

  to

  $$\begin{array}{ccc}\hfill r_v& \stackrel{\$}{\leftarrow }& {\mathbb{Z}}_p\hfill \\ \hfill h_v& :=& \mathsf{H}(k_{\gamma },h_{v\left|\right|0}||h_{v\left|\right|1};r_v)\hfill \end{array}$$
  $\mathcal{C}$ uses the same way to generate $(h_v^{(\mathsf{t})},r_v^{(\mathsf{t})})$, i.e., $r_v^{(\mathsf{t})}$ is chosen randomly, and $h_v^{(\mathsf{t})}:=\mathsf{H}(k_{\gamma },h_{v\left|\right|0}^{(\mathsf{t})}\left|\right|h_{v\left|\right|1}^{(\mathsf{t})};r_v^{(\mathsf{t})})$.
  Due to uniformity properties of the chameleon hash, hybrids ${\mathcal{H}}_{\gamma }$ and ${\mathcal{H}}_{\gamma ,1}$ are statistical indistinguishable. So

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma }\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,1}\Rightarrow 1]|=\mathsf{negl}.$$

  (A5)
• ${\mathcal{H}}_{\gamma ,2}$ for $\gamma \in \{0,1,\cdots ,n-1\}$: This hybrid is the same as ${\mathcal{H}}_{\gamma ,1}$ except step 3 (as shown in ${\mathcal{H}}_{\gamma }$ in detail). Specifically, set $v:=\mathsf{id}[0\cdots \gamma ]$. $\mathcal{C}$ changes the generation process of garbled circuits ${\tilde{P}}^{\gamma }$ from

  $$({\tilde{P}}^{\gamma },{\overline{\mathsf{lab}}}^{\prime })\stackrel{\$}{\leftarrow }\mathsf{GCircuit}(1^{\lambda },\mathsf{P}[{\mathsf{id}}^{*}[\gamma +1],k_{\gamma },\overline{\mathsf{lab}}])$$

  and setting $\overline{\mathsf{lab}}:={\overline{\mathsf{lab}}}^{\prime }$ to

  $$({\tilde{P}}^{\gamma },{\left\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\right\}}_{j\in \left[\lambda \right]})\stackrel{\$}{\leftarrow }\mathsf{Sim}(1^{\lambda },{\left\{\mathsf{HEnc}(k_{\gamma },(h_v^{(t^{*})},j,b),{\mathsf{lab}}_{j,b})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}})$$

  and setting $\overline{\mathsf{lab}}:={\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime },{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\}}_{j\in \left[\lambda \right]}$.
  Since ${\left\{\mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,b})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$ is exactly the output of $\mathsf{P}[{\mathsf{id}}^{*}[\gamma +1],k_{\gamma },\overline{\mathsf{lab}}](h_v^{({\mathsf{t}}^{*})})$, the indistinguishability of ${\mathcal{H}}_{\gamma ,1}$ and ${\mathcal{H}}_{\gamma ,2}$ directly follows from the security of the garbled circuit scheme. If there is a PPT adversary $\mathcal{A}$ who can distinguish ${\mathcal{H}}_{\gamma ,1}$ and ${\mathcal{H}}_{\gamma ,2}$ with advantage $ϵ$, then we can construct a PPT algorithm ${\mathcal{B}}_2$ who can break the security of the garbled circuit scheme with same advantage $ϵ$. Please note that ${\mathcal{B}}_2$ can generate $\mathsf{msk}$ itself and simulate all the oracles for $\mathcal{A}$ perfectly. ${\mathcal{B}}_2$ embeds its own challenge to $({\tilde{P}}^{\gamma },\overline{\mathsf{lab}})$. If $({\tilde{P}}^{\gamma },\overline{\mathsf{lab}})$ is generated by $\mathsf{GCircuit}$, ${\mathcal{B}}_2$ perfectly simulates ${\mathcal{H}}_{\gamma ,1}$. If $({\tilde{P}}^{\gamma },\overline{\mathsf{lab}})$ is generated by $\mathsf{Sim}$, ${\mathcal{B}}_2$ perfectly simulates ${\mathcal{H}}_{\gamma ,2}$. Hence

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma ,1}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}\Rightarrow 1]|\le {\mathbf{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda ).$$

  (A6)
• ${\mathcal{H}}_{\gamma ,3}$ for $\gamma \in [0,n-1]$: This hybrid is the same as ${\mathcal{H}}_{\gamma ,2}$ except step 4 (as shown in ${\mathcal{H}}_{\gamma }$). Challenger $\mathcal{C}$ changes

  $$({\tilde{P}}^{\gamma },{\left\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\right\}}_{j\in \left[\lambda \right]})\stackrel{\$}{\leftarrow }\mathsf{Sim}(1^{\lambda },{\left\{\mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,b})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}})$$

  to

  $$({\tilde{P}}^{\gamma },{\left\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\right\}}_{j\in \left[\lambda \right]})\stackrel{\$}{\leftarrow }\mathsf{Sim}(1^{\lambda },{\left\{\mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],j}^{({\mathsf{t}}^{*})}})\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}).$$
  Please note that $t{d}_{\gamma }$ is not used any more, the indistinguishability between ${\mathcal{H}}_{\gamma ,2}$ and ${\mathcal{H}}_{\gamma ,3}$ can be reduced to the security of the chameleon encryption scheme defined in Section 2.7. We need $\lambda$ hybrids, $\{{\mathcal{H}}_{\gamma ,2}^0,{\mathcal{H}}_{\gamma ,2}^1,\cdots ,{\mathcal{H}}_{\gamma ,2}^{\lambda }\}$, to prove this, where ${\mathcal{H}}_{\gamma ,2}^i,i\in [0,\lambda ]$ is the same as ${\mathcal{H}}_{\gamma ,2}$ except the generation of ${\tilde{P}}^{\gamma }$. Set

  $$c{t}_{j,b}:=\left\{\begin{array}{ccc}\mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,b})\hfill & \mathrm{if}\hfill & j>i\hfill \\ \mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},j,b),{\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],j}^{({\mathsf{t}}^{*})}})\hfill & \mathrm{if}\hfill & j\le i\hfill \end{array}\right.$$
  In ${\mathcal{H}}_{\gamma ,2}^i$,

  $$({\tilde{P}}^{\gamma },{\left\{{\mathsf{lab}}_{j,h_{v,j}^{({\mathsf{t}}^{*})}}^{\prime }\right\}}_{j\in \left[\lambda \right]})\stackrel{\$}{\leftarrow }\mathsf{Sim}(1^{\lambda },{\left\{c{t}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}).$$

  (A7)
  Obviously, ${\mathcal{H}}_{\gamma ,2}^0$ is the same as ${\mathcal{H}}_{\gamma ,2}$ and ${\mathcal{H}}_{\gamma ,2}^{\lambda }$ is the same as ${\mathcal{H}}_{\gamma ,3}$. Please note that the only difference between ${\mathcal{H}}_{\gamma ,2}^{i-1}$ and ${\mathcal{H}}_{\gamma ,2}^i$ is $c{t}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}$, where

  $$c{t}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}:=\left\{\begin{array}{ccc}\mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}),{\mathsf{lab}}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}})\hfill & \mathrm{in}\hfill & {\mathcal{H}}_{\gamma }^{(i-1)}\hfill \\ \mathsf{HEnc}(k_{\gamma },(h_v^{({\mathsf{t}}^{*})},i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}),{\mathsf{lab}}_{i,h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}})\hfill & \mathrm{in}\hfill & {\mathcal{H}}_{\gamma }^{(i)}\hfill \end{array}\right..$$
  If there is a PPT adversary $\mathcal{A}$ who can distinguish ${\mathcal{H}}_{\gamma ,2}^{i-1}$ and ${\mathcal{H}}_{\gamma ,2}^i$ with a advantage $ϵ$ for $i\in \left[\lambda \right]$, we can construct a PPT distinguisher ${\mathcal{B}}_3$ can use this adversary to break the security of the chameleon encryption scheme with the same advantage $ϵ$. ${\mathcal{B}}_3$ simulates ${\mathcal{H}}_{\gamma ,2}^{i-1}$ (${\mathcal{H}}_{\gamma ,2}^i$) for $\mathcal{A}$ as follows:
  • ${\mathcal{B}}_3$ receives a hash key $k^{*}$ from it own challenger ${\mathcal{C}}^{\mathsf{IND}-\mathrm{CE}}$ of the chameleon encryption scheme.
  • ${\mathcal{B}}_3$ generates $(\mathsf{mpk},\mathsf{msk},\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },n)\}$. ${\mathcal{B}}_3$ resets $k_{\gamma }:=k^{*}$. Now ${\mathcal{B}}_3$ does not know the corresponding chameleon hash trapdoor $t{d}_{\gamma }$. Then ${\mathcal{B}}_3$ sends $\mathsf{mpk}$ to $\mathcal{A}$.
  • ${\mathcal{B}}_3$ can perfectly simulates all oracles for $\mathcal{A}$ since these oracles do not need the trapdoor $t{d}_{\gamma }$ anymore.
  • When receiving the challenge query $({\mathsf{id}}^{*},{\mathsf{t}}^{*},M_0^{*},M_1^{*})$, ${\mathcal{B}}_3$ sets
    $x^{*}=h_{{\mathsf{id}}^{*}[1\cdots \gamma ]\left|\right|0}^{({\mathsf{t}}^{*})}\left|\right|h_{{\mathsf{id}}^{*}[1\cdots \gamma ]\left|\right|1}^{({\mathsf{t}}^{*})}$, $r^{*}:=r_{{\mathsf{id}}^{*}[1\cdots \gamma ]}^{({\mathsf{t}}^{*})}$(Please note that $r_{{\mathsf{id}}^{*}[1\cdots \gamma ]}^{({\mathsf{t}}^{*})}$ is chosen randomly).

    -

    ${\mathcal{B}}_3$ generates $\{\tilde{Q},{\tilde{P}}^{n-1},\cdots ,{\tilde{P}}^{\gamma +1}\}$ according to (A3), just like ${\mathcal{H}}_{\gamma ,2}^{i-1}$ (${\mathcal{H}}_{\gamma ,2}^i$).

    -

    To generate ${\tilde{P}}^{\gamma }$, ${\mathcal{B}}_3$ does the following. It computes ${\left\{c{t}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}}$ but leaves $c{t}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}$ undefined. Set $m_0^{*}:={\mathsf{lab}}_{i,h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}$ and $m_1^{*}:={\mathsf{lab}}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}$, where $({\tilde{P}}^{\gamma +1},{\left\{{\mathsf{lab}}_{j,b}\right\}}_{j\in \left[\lambda \right],b\in \{0,1\}})$$\stackrel{\$}{\leftarrow }$$\mathsf{GCircuit}(1^{\lambda },\mathsf{P}$$[{\mathsf{id}}^{*}[\gamma +2],k_{\gamma +1},{\overline{\mathsf{lab}}}^{″}])$. ${\mathcal{B}}_3$ sets its own challenge query as $(x^{*},r^{*},i,m_0^{*},m_1^{*})$. Then the challenger of ${\mathcal{B}}_3$ generates a challenge ciphertext $c{t}^{*}$ and sends it to ${\mathcal{B}}_3$. ${\mathcal{B}}_3$ sets $c{t}_{i,1-h_{{\mathsf{id}}^{*}[1\cdots \gamma +1],i}^{({\mathsf{t}}^{*})}}:=c{t}^{*}$. In addition, it computes ${\tilde{P}}^{\gamma }$ as (A7).

    -

    ${\mathcal{B}}_3$ generates $\{{\tilde{P}}^{\gamma -1},\cdots ,{\tilde{P}}^0\}$ according to (A4), just like ${\mathcal{H}}_{\gamma ,2}^{i-1}$ (${\mathcal{H}}_{\gamma ,2}^i$).

    -

    ${\mathcal{B}}_3$ sends $\mathcal{A}$ the challenge ciphertext

    $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{\ell ,h_{\epsilon ,\ell }^{({\mathsf{t}}^{*})}}\right\}}_{\ell \in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$.

  • If $\mathcal{A}$ returns a guessing bit ${\theta }^{\prime }$ to ${\mathcal{B}}_3$, ${\mathcal{B}}_3$ returns ${\theta }^{\prime }$ to its own challenger.
  If $c{t}^{*}$ is the chameleon encryption of $m_0^{*}$, ${\mathcal{B}}_3$ simulates ${\mathcal{H}}_{\gamma ,2}^i$ perfectly for $\mathcal{A}$. If $c{t}^{*}$ is the chameleon encryption of $m_1^{*}$, ${\mathcal{B}}_3$ simulates ${\mathcal{H}}_{\gamma ,2}^{i-1}$ perfectly for $\mathcal{A}$. If $\mathcal{A}$ can distinguish these two hybrids with advantage $ϵ$, ${\mathcal{B}}_3$ can break the security of the multi-bit chameleon encryption with the same advantage $ϵ$. Therefore,

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}^{i-1}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}^i\Rightarrow 1]|\le {\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda )\mathrm{and}$$

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}^0\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}^{\lambda }\Rightarrow 1]|\le \lambda ·{\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda ).$$
  Recall that ${\mathcal{H}}_{\gamma ,2}^0$ is the same as ${\mathcal{H}}_{\gamma ,2}$ and ${\mathcal{H}}_{\gamma ,2}^{\lambda }$ is the same as ${\mathcal{H}}_{\gamma ,3}$. We have

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma ,2}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,3}\Rightarrow 1]|\le \lambda ·{\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda ).$$

  (A8)
• ${\mathcal{H}}_{\gamma ,4}$ for $\gamma \in \{0,1,\cdots ,n-1\}$: In this hybrid, challenger $\mathcal{C}$ undoes the changes made from ${\mathcal{H}}_{\gamma }$ and ${\mathcal{H}}_{\gamma ,1}$. It is obvious that the computational indistinguishability between ${\mathcal{H}}_{\gamma ,3}$ and ${\mathcal{H}}_{\gamma ,4}$ also follows from uniformity properties of the chameleon hash. Please note that ${\mathcal{H}}_{\gamma ,4}$ is the same as ${\mathcal{H}}_{\gamma +1}$. We have

  $$|\mathrm{Pr}[{\mathcal{H}}_{\gamma ,3}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma ,4}\Rightarrow 1]|=\mathsf{negl}.$$

  (A9)
  Therefore, from Equations (A5), (A6), (A8) and (A9) and the fact that ${\mathcal{H}}_{\gamma ,4}$ is the same to ${\mathcal{H}}_{\gamma +1}$, it holds

  $$\begin{array}{c}|\mathrm{Pr}[{\mathcal{H}}_{\gamma }\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{\gamma +1}\Rightarrow 1]|=\mathsf{negl}+{\mathbf{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda )+\lambda ·{\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda ).\hfill \end{array}$$

  (A10)

  $$\begin{array}{c}|\mathrm{Pr}[{\mathcal{H}}_0\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_n\Rightarrow 1]|=\mathsf{negl}+n·{\mathbf{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda )+n·\lambda ·{\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda ).\hfill \end{array}$$

  (A11)
• ${\mathcal{H}}_{n+1}$: This hybrid is the same as ${\mathcal{H}}_n$ except that the challenger $\mathcal{C}$ changes the way of generating $\tilde{Q}$. More Formally, $\mathcal{C}$ changes the generation process of garbled circuits $\tilde{Q}$ from

  $$(\tilde{Q},\overline{\mathsf{lab}})\leftarrow \mathsf{GCircuit}(1^{\lambda },\mathsf{Q}\left[M_{b^{\prime }}\right])$$

  to

  $$(\tilde{Q},\left\{{\mathsf{lab}}_{j,h_{{\mathsf{id}}^{*},j}^{({\mathsf{t}}^{*})}}\right\})\leftarrow \mathsf{Sim}(1^{\lambda },{\mathsf{E}}_{h_{{\mathsf{id}}^{*}}^{({\mathsf{t}}^{*})}}(M_{\theta }))$$
  This indistinguishability between ${\mathcal{H}}_n$ and ${\mathcal{H}}_{n+1}$ follows by the security of the garble circuit scheme. The proof is similar to the indistinguishability between ${\mathcal{H}}_{\gamma ,1}$ and ${\mathcal{H}}_{\gamma ,2}$.Hence,

  $$|\mathrm{Pr}[{\mathcal{H}}_n\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1]|\le {\mathbf{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda ).$$

  (A12)
• ${\mathcal{H}}_{n+2}$: This hybrid is the same as ${\mathcal{H}}_{n+1}$ except that the challenger $\mathcal{C}$ replaces the ciphertext ${\mathsf{E}}_{h_{{\mathsf{id}}^{*}\left|\right|0}^{({\mathsf{t}}^{*})}}(M_{\theta })$ hard-coded in the circuit $\tilde{Q}$ with ${\mathsf{E}}_{h_{{\mathsf{id}}^{*}\left|\right|0}^{({\mathsf{t}}^{*})}}(0)$.
  If there is a PPT adversary $\mathcal{A}$ who can distinguish between ${\mathcal{H}}_{n+1}$ and ${\mathcal{H}}_{n+2}$ with advantage $ϵ$, there is a PPT distinguisher ${\mathcal{B}}_4$ who can break the IND-CPA security of $\mathsf{PKE}=(\mathsf{G},\mathsf{E},\mathsf{D})$ with advantage $ϵ/(2q+1)$. First of all, We consider two kinds of adversaries:

  Type-I 

  : ${\mathcal{A}}_I$ never queries ${\mathsf{id}}^{*}$ to key generation oracle $\mathrm{KG}(·)$ for ${\mathsf{sk}}_{{\mathsf{id}}^{*}}$.

  Type-II 

  : ${\mathcal{A}}_{II}$ queries ${\mathsf{id}}^{*}$ to $\mathrm{KG}(·)$ and obtains ${\mathsf{sk}}_{{\mathsf{id}}^{*}}$. In this case ${\mathsf{id}}^{*}$ should be revoked before $t^{*}$.

  $$\begin{array}{cc}& |\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1]|\hfill \\ =& |\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|·\mathrm{Pr}[\mathcal{A}={\mathcal{A}}_I]\hfill \\ & +|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|·\mathrm{Pr}[\mathcal{A}={\mathcal{A}}_{II}]\hfill \\ \le & |\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|\hfill \\ & +|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|\hfill \end{array}$$

  (A13)

Claim 1

$|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|\le (q+1)·{\mathit{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda )$.

Proof. 

Suppose that ${\mathcal{A}}_I$ issues $q_K$ queries to oracle $KG(·)$, and let ${\mathsf{id}}^{(j)}$ be ${\mathcal{A}}_I$’s j-th query to $KG(·)$. For each PPT ${\mathcal{A}}_I$ such that $|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|=ϵ$, we build a PPT algorithm ${\mathcal{B}}_4$ breaking the IND-CPA security of $\mathsf{PKE}$ with the advantage $q_K·ϵ$. ${\mathcal{B}}_4$ simulates ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$) to ${\mathcal{A}}_I$ as follows:

• ${\mathcal{B}}_4$ generates $(\mathsf{mpk},\mathsf{msk},\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },n)$. ${\mathcal{B}}_4$ sends $\mathsf{mpk}$ to ${\mathcal{A}}_I$.
• ${\mathcal{B}}_4$ receives encryption key ${\mathsf{ek}}^{*}$ from its own challenger.
• ${\mathcal{B}}_4$ chooses $j\stackrel{\$}{\leftarrow }[0,q_K]$.
• If $j\ne 0$, since ${\mathcal{B}}_4$ has $\mathsf{msk}$, ${\mathcal{B}}_4$ can perfectly simulate all oracles for ${\mathcal{A}}_{II}$ as in ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$). ${\mathcal{B}}_4$ embeds ${\mathsf{ek}}^{*}$ in the private key generation of identity ${\mathsf{id}}^{(j)}$ (the output of $KG$(${\mathsf{id}}^{(j)}$)). More specifically, ${\mathcal{B}}_4$ invokes $\mathsf{RIBE}.\mathsf{KG}(\mathsf{msk},{\mathsf{id}}^{(j)},\mathsf{st})$ with a little change (framed parts are added) in the fourth step of the algorithm as follows:

  -

  For $v={\mathsf{id}}^{(j)}[1\cdots n-1]$:

  $h_v\leftarrow \mathsf{H}(k_n,0^{2\lambda };w_v)$, where $w_r\leftarrow \mathsf{RF}$.

  $({\mathsf{ek}}_{v\left|\right|{\mathsf{id}}^{(j)}\left[n\right]},{\mathsf{dk}}_{v\left|\right|{\mathsf{id}}^{(j)}\left[n\right]})\leftarrow \mathsf{G}(1^{\lambda })$,

  $(h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v,{\mathsf{dk}}_{v\left|\right|0},{\mathsf{dk}}_{v\left|\right|1})\leftarrow \mathsf{LeafGen}(k_{n-1},(t{d}_{n-1},s),v,\ell )$

  ${\mathsf{ek}}_{v\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])}:={\mathsf{ek}}^{*}$.

  $r_v\leftarrow {\mathsf{H}}^{-1}(t{d}_{n-1},(0^{2\lambda },w_v),{\mathsf{ek}}_{v\left|\right|0}\left|\right|{\mathsf{ek}}_{v\left|\right|1})$.

  $\mathsf{KL}:=\mathsf{KL}\cup \{(v,h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v),(v||0,{\mathsf{ek}}_{v\left|\right|0},\perp ),(v\left|\right|1,{\mathsf{ek}}_{v\left|\right|1},\perp )\}$,

  ${\mathsf{lk}}_v:=(h_v,{\mathsf{ek}}_{v\left|\right|0},{\mathsf{ek}}_{v\left|\right|1},r_v)$.

  Recall that ${\mathsf{ek}}_{v\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])}$ is generated by

  $({\mathsf{ek}}_{v\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])},{\mathsf{dk}}_{v\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])})\leftarrow \mathsf{G}(1^{\lambda })$ in LeafGen algorithm, hence ${\mathsf{ek}}_{v\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])}$ has identical distribution with ${\mathsf{ek}}^{*}$. As a result, ${\mathcal{B}}_4$ perfectly simulates the oracle $KG$ on for ${\mathcal{A}}_I$ just like ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$).

• ${\mathcal{B}}_4$ receives the challenge query $({\mathsf{id}}^{*},{\mathsf{t}}^{*},M_0,M_1)$ from ${\mathcal{A}}_I$.
  If $j\ne 0$ and ${\mathsf{id}}^{*}\ne {\mathsf{id}}^{(j)}[1\cdots n-1]\left|\right|(1-{\mathsf{id}}^{(j)}\left[n\right])$, ${\mathcal{B}}_4$ aborts the game.
  If $j=0$ and there exists $i\in \left[q_K\right]$ such that ${\mathsf{id}}^{*}={\mathsf{id}}^{(i)}[1\cdots n-1]\left|\right|(1-{\mathsf{id}}^{(i)}\left[n\right])$, ${\mathcal{B}}_4$ aborts the game.
  Otherwise:
  ${\mathcal{B}}_4$ chooses $\theta \stackrel{\$}{\leftarrow }\{0,1\}$.
  ${\mathcal{B}}_4$ sets its own challenge query as $m_0^{*}:=0$ and $m_1^{*}=M_{\theta }$.
  $\mathrm{After}$ receiving the challenge ciphertext $c{t}^{*}$ from its own challenger, ${\mathcal{B}}_4$ computes $(\tilde{Q},\left\{{\mathsf{lab}}_{j,{\mathsf{ek}}_{{\mathsf{id}}^{\prime *},j}}\right\})\leftarrow \mathsf{Sim}(1^{\lambda },c{t}^{*})$, and continues to generate $\{{\tilde{P}}^{n-1},\cdots ,{\tilde{P}}^0\}$ according to (A4), just like ${\mathcal{H}}_{n+1}$$({\mathcal{H}}_{n+2})$.
  ${\mathcal{B}}_4$ sends the challenge ciphertext $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{\ell ,h_{\epsilon ,\ell }^{({\mathsf{t}}^{*})}}\right\}}_{\ell \in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$ to ${\mathcal{A}}_{II}$.
• Finally, ${\mathcal{B}}_4$ outputs what ${\mathcal{A}}_I$ outputs.

As long as ${\mathcal{B}}_4$ does not abort the game, it simulates ${\mathcal{H}}_{n+1}$ when $c{t}^{*}$ is the encryption of $M_{b^{″}}$ and ${\mathcal{B}}_4$ simulates ${\mathcal{H}}_{n+2}$ when $c{t}^{*}$ is the encryption of 0. Therefore, we have

$$\begin{array}{ccc}\hfill {\mathbf{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda )& =& |\mathrm{Pr}[\neg \mathrm{abort}\wedge {\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[\neg \mathrm{abort}\wedge {\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|\hfill \\ & =& |\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|·\mathrm{Pr}[\neg \mathrm{abort}]\hfill \end{array}$$

(A14)

$$\begin{array}{ccc}& =& 1/(q_K+1)·|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_I]|\hfill \\ & \ge & 1/(q+1)·|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|.\hfill \end{array}$$

(A15)

(A14) holds due to the fact that $j\leftarrow [0,q_K]$ is independently chosen while (A15) holds due to $q_K\le q$. □

Claim 2$|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|\le q·{\mathbf{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda )$.

Proof. 

Suppose that ${\mathcal{A}}_{II}$ issues $q_R$ queries to oracle $\mathsf{R}\mathsf{v}\mathsf{k}(·)$, and let (${\mathsf{id}}^{(j)},{\mathsf{t}}^{(j)}$) be ${\mathcal{A}}_{II}$’s j-th query to $\mathsf{R}\mathsf{v}\mathsf{k}(·)$. For each PPT ${\mathcal{A}}_{II}$ such that $|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|=ϵ$, we build a PPT algorithm ${\mathcal{B}}_4$ breaking the IND-CPA security of $\mathsf{PKE}$ with the advantage $q_R·ϵ$. ${\mathcal{B}}_4$ simulates ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$) to ${\mathcal{A}}_{II}$ as follows:

• ${\mathcal{B}}_4$ generates $(\mathsf{mpk},\mathsf{msk},\mathsf{st})\leftarrow \mathsf{RIBE}.\mathsf{Setup}(1^{\lambda },n)\}$. ${\mathcal{B}}_4$ sends $\mathsf{mpk}$ to ${\mathcal{A}}_{II}$.
• ${\mathcal{B}}_4$ receives encryption key ${\mathsf{ek}}^{*}$ from its own challenger.
• ${\mathcal{B}}_4$ chooses $j\stackrel{\$}{\leftarrow }\left[q_R\right]$.
• Since ${\mathcal{B}}_4$ has $\mathsf{msk}$, ${\mathcal{B}}_4$ can perfectly simulate all oracles for ${\mathcal{A}}_{II}$ as in ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$). ${\mathcal{B}}_4$ embeds ${\mathsf{ek}}^{*}$ in the key update generation (the output of $\mathsf{K}\mathsf{U}$) of time ${\mathsf{t}}^{(j)}$. More specifically, ${\mathcal{B}}_4$ invokes $\mathsf{RIBE}.\mathsf{KU}(\mathsf{msk},{\mathsf{t}}^{(j)},\mathsf{st})$ with a little change (a framed part is added) in the fifth step of the algorithm as follows:

  -

  For all node $v\in \mathsf{Y}$ such that $\left|v\right|=n$: $({\mathsf{ek}}_v^{t^{(j)}},\perp )\leftarrow \mathsf{LeafChange}(v,t^{(j)},s)$,

  If $v={\mathsf{id}}^{(j)}$, ${\mathsf{ek}}_v^{{\mathsf{t}}^{(j)}}:={\mathsf{ek}}^{*}$.

  ${\mathsf{KU}}^{{\mathsf{t}}^{(j)}}:={\mathsf{KU}}^{{\mathsf{t}}^{(j)}}\cup \left\{(v,{\mathsf{ek}}_v^{{\mathsf{t}}^{(j)}},\perp )\right\}$.

  $h_v^{{\mathsf{t}}^{(j)}}:={\mathsf{ek}}_v^{{\mathsf{t}}^{(j)}}$.

  Recall that ${\mathsf{ek}}_v^{(j)}$ is generated by $({\mathsf{ek}}_v^{(j)},{\mathsf{dk}}_v^{(j)})\leftarrow \mathsf{G}(1^{\lambda })$ in LeafChange algorithm, hence ${\mathsf{ek}}_v^{(j)}$ has an identical distribution with ${\mathsf{ek}}^{*}$. As a result, ${\mathcal{B}}_4$ perfectly simulates the oracle $KU$ for ${\mathcal{A}}_{II}$ just like ${\mathcal{H}}_{n+1}$ (${\mathcal{H}}_{n+2}$).

• ${\mathcal{B}}_4$ receives the challenge query parsed as $({\mathsf{id}}^{*},{\mathsf{t}}^{*},M_0,M_1)$ from ${\mathcal{A}}_{II}$.
  If ${\mathsf{id}}^{*}\ne {\mathsf{id}}^{(j)}$, $\mathcal{B}$ aborts the game.
  Else:
  ${\mathcal{B}}_4$ chooses $\theta \stackrel{\$}{\leftarrow }\{0,1\}$.
  ${\mathcal{B}}_4$ sets its own challenge query as $m_0^{*}:=0$ and $m_1^{*}=M_{\theta }$.
  $\mathrm{After}$ receiving the challenge ciphertext $c{t}^{*}$ from its own challenger, ${\mathcal{B}}_4$ computes $(\tilde{Q},\left\{{\mathsf{lab}}_{j,{\mathsf{ek}}_{{\mathsf{id}}^{\prime *},j}}\right\})\leftarrow \mathsf{Sim}(1^{\lambda },c{t}^{*})$, and continues to generate $\{{\tilde{P}}^{n-1},\cdots ,{\tilde{P}}^0\}$ according to (A4), just like ${\mathcal{H}}_{n+1}$$({\mathcal{H}}_{n+2})$.
  ${\mathcal{B}}_4$ sends the challenge ciphertext $\mathsf{ct}:=\left({\left\{{\mathsf{lab}}_{\ell ,h_{\epsilon ,\ell }^{({\mathsf{t}}^{*})}}\right\}}_{\ell \in \left[\lambda \right]},\{{\tilde{P}}^0,\cdots ,{\tilde{P}}^{n-1},\tilde{Q}\}\right)$ to ${\mathcal{A}}_{II}$.
• Finally, ${\mathcal{B}}_4$ outputs what ${\mathcal{A}}_{II}$ outputs.
  Given that ${\mathsf{id}}^{*}={\mathsf{id}}^{(j)}$, ${\mathcal{B}}_4$ simulates ${\mathcal{H}}_{n+1}$ when $c{t}^{*}$ is the encryption of $M_{b^{\prime \prime }}$ and ${\mathcal{B}}_4$ simulates ${\mathcal{H}}_{n+2}$ when $c{t}^{*}$ is the encryption of 0. Therefore, we have

  $$\begin{array}{ccc}\hfill {\mathbf{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda )& =& |\mathrm{Pr}[{\mathsf{id}}^{*}={\mathsf{id}}^{(j)}\wedge {\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathsf{id}}^{*}={\mathsf{id}}^{(j)}\wedge {\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|\hfill \\ & =& |\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|·\mathrm{Pr}\left[{\mathsf{id}}^{*}={\mathsf{id}}^{(j)}\right]\hfill \end{array}$$

  (A16)

  $$\begin{array}{ccc}\hfill & =& 1/q_R·|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|\hfill \\ & \ge & 1/q·|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1|\mathcal{A}={\mathcal{A}}_{II}]|.\hfill \end{array}$$

  (A17)

  (A16) holds due to the fact that $j\leftarrow \left[q_R\right]$ is independently chosen while (A17) holds due to $q_R\le q$.

 □

According to (A13), Claim 1 and Claim 2, we have

$$|\mathrm{Pr}[{\mathcal{H}}_{n+1}\Rightarrow 1]-\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1]|\le (2q+1)·{\mathbf{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda ).$$

(A18)

• Please note that in ${\mathcal{H}}_{n+2}$, the challenge ciphertext is information theoretically independent of the plaintexts submitted by $\mathcal{A}$. So we have

  $$\mathrm{Pr}[{\mathcal{H}}_{n+2}\Rightarrow 1]=1/2.$$

  (A19)
  Combining (A1), (A2), (A11), (A12), (A18) and (A19), we have

  $${\mathbf{Adv}}_{\mathcal{A}}^{\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda )\le {\mathbf{Adv}}_{{\mathcal{B}}_1}^{PRF}(\lambda )+(n+1)·{\mathbf{Adv}}_{{\mathcal{B}}_2}^{GC}(\lambda )+n·\lambda ·{\mathbf{Adv}}_{{\mathcal{B}}_3}^{CE}(\lambda )+(2q+1)·{\mathbf{Adv}}_{{\mathcal{B}}_4}^{PKE}(\lambda ).$$

 □

Appendix B.2. Proof of Theorem 3

Proof. 

This theorem can be derived from Corollary 1. For any PPT adversary $\mathcal{A}$ in the selective-SR-ID-CPA security game of SR-IBE $\Sigma$, we can construct a PPT algorithm $\mathcal{B}$ breaking the selective-IND-ID-CPA security of RIBE $\mathsf{\Pi }$ such that

$${\mathbf{Adv}}_{\Sigma ,\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )={\mathbf{Adv}}_{\mathsf{\Pi },\mathcal{B}}^{\mathrm{selective}-\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda ).$$

$\mathcal{B}$ simulates ${\mathbf{EXP}}_{\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )$ as follows:

• $\mathcal{A}$ generates the challenge identity ${\mathsf{id}}^{*}$ and time slot ${\mathsf{t}}^{*}$ to $\mathcal{B}$. Then $\mathcal{B}$ sends the same challenge pair $({\mathsf{id}}^{*},{\mathsf{t}}^{*})$ to its own challenger.
• $\mathcal{B}$ receives $\mathsf{\Pi }.\mathsf{mpk}$ from its own challenger and sets $\Sigma .\mathsf{mpk}:=\mathsf{\Pi }.\mathsf{mpk}$. Then $\mathcal{B}$ sends $\Sigma .\mathsf{mpk}$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries for the oracle PubKG with an identity $\mathsf{id}$, $\mathcal{B}$ queries for his oracle KG with the same identity $\mathsf{id}$ to its own challenger. Set $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string. Upon receiving the $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}$, $\mathcal{B}$ parses $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}:=(\Sigma .{\mathsf{pk}}_{\mathsf{id}},\Sigma .{\mathsf{sk}}_{\mathsf{id}})$, where $\Sigma .{\mathsf{pk}}_{\mathsf{id}}:=(t=0,\mathsf{id},{\left\{{\mathsf{lk}}_v\right\}}_{v\in \mathsf{W}})$ and $\Sigma .{\mathsf{sk}}_{\mathsf{id}}:=({\mathsf{dk}}_{\mathsf{id}},$$\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$. $\mathcal{B}$ sends $\Sigma .{\mathsf{pk}}_{\mathsf{id}}$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries for the oracle PrivKG with an identity $\mathsf{id}$, $\mathcal{B}$ queries for his oracle KG with the same identity $\mathsf{id}$ to its own challenger. Set $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,\mathsf{id}[1\cdots n-1\left]\right\}$, where $\epsilon$ is the empty string. Upon receiving the $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}$, $\mathcal{B}$ parses $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}:=(\Sigma .{\mathsf{pk}}_{\mathsf{id}},\Sigma .{\mathsf{sk}}_{\mathsf{id}})$, where $\Sigma .{\mathsf{pk}}_{\mathsf{id}}:=(t=0,\mathsf{id},{\left\{{\mathsf{lk}}_v\right\}}_{v\in \mathsf{W}})$ and $\Sigma .{\mathsf{sk}}_{\mathsf{id}}:=({\mathsf{dk}}_{\mathsf{id}},$$\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}})$. $\mathcal{B}$ sends $\Sigma .{\mathsf{sk}}_{\mathsf{id}}$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries for the oracle KU, $\mathcal{B}$ queries for the oracle KU to its own challenger. Upon receiving the $(\mathsf{KU},\mathsf{PL})$, $\mathcal{B}$ sends $(\mathsf{KU},\mathsf{PL})$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries for the oracle DK with an identity $\mathsf{id}$ and a time slot $\mathsf{t}$, $\mathcal{B}$ queries for his oracle DK with the same pair ($\mathsf{id},\mathsf{t}$) to its own challenger. Set $\mathsf{W}:=\{\epsilon ,\mathsf{id}[1],\cdots ,$$\mathsf{id}[1\cdots n-1]\}$, where $\epsilon$ is the empty string. Upon receiving the $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}$, $\mathcal{B}$ parses $\mathsf{\Pi }.{\mathsf{sk}}_{\mathsf{id}}^{(\mathsf{t})}:=(\mathsf{t},\mathsf{id},{\left\{{\mathsf{lk}}_v\right\}}_{v\in \mathsf{W}},{\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$. $\mathcal{B}$ sends $\Sigma .{\mathsf{dk}}_{\mathsf{id}}^{(t)}:=({\mathsf{dk}}_{\mathsf{id}},\mathsf{HIBE}.{\mathsf{sk}}_{\mathsf{id}\left|\right|\mathsf{t}})$ to $\mathcal{A}$.
• When $\mathcal{A}$ queries for the oracle Rvk with an identity $\mathsf{id}$ and a time slot $\mathsf{t}$, $\mathcal{B}$ queries for his oracle Rvk with the same pair ($\mathsf{id},\mathsf{t}$) to its own challenger.
• When $\mathcal{A}$ submits the challenge query $({\mathrm{m}}_0,{\mathrm{m}}_1)$, $\mathcal{B}$ sends the same challenge query $({\mathrm{m}}_0,{\mathrm{m}}_1)$ to its own challenger. Upon receiving the challenge ciphertext $\mathsf{\Pi }.{\mathsf{ct}}_{\theta }^{*}$, $\mathcal{B}$ sends $\Sigma .{\mathsf{ct}}_{\theta }^{*}:=\mathsf{\Pi }.{\mathsf{ct}}_{\theta }^{*}$ to $\mathcal{A}$.
• Finally, $\mathcal{B}$ outputs what $\mathcal{A}$ outputs.

Since ${\mathbf{EXP}}_{\mathcal{B}}^{\mathrm{selective}-\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda )$ has the same requirements as ${\mathbf{EXP}}_{\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )$, $\mathcal{B}$ simulates ${\mathbf{EXP}}_{\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )$ to $\mathcal{A}$ perfectly. Therefore, we have

$${\mathbf{Adv}}_{\Sigma ,\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )={\mathbf{Adv}}_{\mathsf{\Pi },\mathcal{B}}^{\mathrm{selective}-\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda ).$$

(A20)

According to Corollary 1, we have that for PPT adversary $\mathcal{B}$, the advantage is negligible:

$${\mathbf{Adv}}_{\mathsf{\Pi },\mathcal{B}}^{\mathrm{selective}-\mathsf{IND}-\mathsf{ID}-\mathsf{CPA}}(\lambda )=\mathsf{negl}(\lambda ).$$

(A21)

Combining (A20) and (A21), for any PPT adversary $\mathcal{A}$, we have

$${\mathbf{Adv}}_{\Sigma ,\mathcal{A}}^{\mathrm{selective}-\mathrm{SR}-\mathsf{ID}-\mathsf{CPA}}(\lambda )=\mathsf{negl}(\lambda ).$$

Thus we finish the proof. □