Traceable Scheme of Public Key Encryption with Equality Test

Abstract

Public key encryption supporting equality test (PKEwET) schemes, because of their special function, have good applications in many fields, such as in cloud computing services, blockchain, and the Internet of Things. The original PKEwET has no authorization function. Subsequently, many PKEwET schemes have been proposed with the ability to perform authorization against various application scenarios. However, these schemes are incapable of traceability to the ciphertexts. In this paper, the ability of tracing to the ciphertexts is introduced into a PKEwET scheme. For the ciphertexts, the presented scheme supports not only the equality test, but also has the function of traceability. Meanwhile, the security of the proposed scheme is revealed by a game between an adversary and a simulator, and it achieves a desirable level of security. Depending on the attacker’s privileges, it can resist OW-CCA security against an adversary with a trapdoor, and can resist IND-CCA security against an adversary without a trapdoor. Finally, the performance of the presented scheme is discussed.

1. Introduction

With the continuous development of the Internet of Things (IoT), the security of data has gotten more attention. In order to ensure the security of data, data are stored on a server by encryption. However, it is inconvenient for effective application when the data are encrypted, making it impossible to search within encrypted data. Therefore, searchable encryption (SE) is presented [1]. The aim of SE is to produce a tag related to ciphertext, and to classify the ciphertexts. Since this primitive approach was proposed, many cryptographers have studied it extensively and deeply [2,3,4,5,6]. However, the same ciphertext cannot be classified and stored by SE schemes. A new cryptographic primitive approach emerged as the times required, namely the public key encryption supporting equality test (PKEwET) [7]. In this paper, traceability is introduced into the PKEwET scheme.

1.1. Related Work

The PKEwET scheme resolves the problem of data matching in many application environments, such as in cloud computing, health service systems, and IoT. It can compare the consistency of the ciphertexts without the secret key. Recently, the research scope of PKEwET has focused on the three aspects of authorization, security scheme, and efficiency of the PKEwET scheme. Some progress in PKEwET is reviewed as follows:

For the authorization, Tang et al. and Huang et al. proposed PKEwET schemes supporting authorization from the user and ciphertext, respectively [8,9,10,11,12,13]. Then, Ma et al. extended the authorization mechanism to multi-user environments [14]. For more convenient application, Ma et al. proposed four types of authorization policies, namely user level, ciphertext level, user-specific ciphertext level, and ciphertext-to-user level authorization [15]. To simplify the maintenance of public key certificates, Ma et al. introduced the equality test algorithm into an identity-based encryption scheme [16]. For more convenient application to smart cities, Yang et al. proposed a filtered equality test scheme [17]. Later, Wang et al. combined signcryption and an equality test [18]. Recently, Duong et al. presented new lattice-based PKEwET schemes [19].

For the security, in 2016, Lee et al. improved the scheme of Ma, and proposed a new scheme that achieved IND-CCA security [20], and presented an equality test scheme based on the standard model for the first time [21]. In 2017, Wang et al. and Huang et al. proposed a PKEwET scheme from the ciphertext level, and presented the proof of security under the standard model [22,23]. Subsequently, some other PKEwET schemes based on the standard model have been proposed [24,25].

For the efficiency of the PKEwET schemes, Lin et al. and Zhu et al. proposed pairing-free equality test schemes [26,27]. The scheme of Tang was improved upon by Wu et al. [28,29], where the efficiency of computing increased by 36.7% in encryption and by 39.24% in the test algorithm. In 2018, Qu et al. introduced a certificate-less PKEwET scheme [30]. This scheme was improved upon by Elhabob et al. [31,32]. In 2019, Wu et al. combined Zhu et al.’s and Ma et al.’s schemes, and proposed the pairing-free scheme based identity [33]. In the same year, Lee et al. proposed a new PKEwET scheme, from generic assumptions in the random oracle model [34]. To reduce the cost of computing and communication, Ling et al. introduced the group mechanism into a PKEwET algorithm [35].

For convenience in cloud computing of the PKEwET scheme, key-policy attribute-based encryption was introduced by Zhu et al. [36]. In 2018, ciphertext-policy attribute-based encryption was introduced into a PKEwET scheme by Wang et al. [37]. Subsequently, some improvement schemes were put forward [38,39,40,41].

Driven by interests, some users may disclose their own secret keys to non-group users intentionally or unintentionally. However, it is difficult for the malicious user to be tracked down by the system. The problem of key abuse brings great security risks to PKEwET systems. To solve this problem, we introduce a tracking function into a PKEwET system.

1.2. Contributions

In this paper, traceability is introduced into a group ID-based encryption (GIBE) scheme. The motivation is to make a GIBE supporting traceability and an equality test function to the ciphertexts. The key contributions can be listed as follows:

• We show that the GIBE algorithm is unable to compare ciphertexts, and has no equality test function without the secret key $sk$. To overcome these limitations, we combine the GIBE and PKEwET algorithms. Additionally, all of PKEwET algorithms are untraceable to the encrypted ciphertexts, the idea of traceability is introduced into the PKEwET algorithm, and we propose the traceable GIBE with an equality test scheme (T-GIBEwET).
• Two types of adversaries are described, and the security of the proposed scheme is proved in details from two types of adversaries. The presented scheme achieves a desirable security. With a trapdoor, the T-GIBEwET scheme can resist OW-CCA security. Without a trapdoor, the T-GIBEwET scheme can resist IND-CCA security.
• The performance of the T-GIBEwET scheme is discussed. Compared to existing equality test schemes, it is more efficient and more practical in many scenarios.

1.3. Outline of This Paper

The rest of the proposal is organized as follows: some preliminaries, some basic definitions, assumptions and the security model are presented in Section 2. The details of the T-GIBEwET scheme are presented in Section 3. The security of the T-GIBEwET scheme is discussed in Section 4. In Section 5, the performance analysis of the T-GIBEwET scheme is represented. Finally, the concluding remarks of this paper are summarized in Section 6.

2. Preliminaries

In this section, we present the safety objectives, cryptographic assumptions and security models used in this paper.

2.1. Decisional Bilinear Diffie–Hellman Assumption

The proposed scheme is secure under the decisional bilinear Diffie–Hellman assumption.

In this algorithm, the challenger $\mathcal{S}$ picks $a,b,c,z\in Z_p^{*}$ and flips coin $coin\in \{0,1\}$ randomly.

• If $coin=0$, $\mathcal{S}$ outputs $(g,g^a,g^b,g^c,e{(g,g)}^z)$.
• Otherwise, $\mathcal{S}$ outputs $(g,g^a,g^b,g^c,e{(g,g)}^{abc})$.

Then, the adversary $\mathcal{A}$ gives a guess of $coin$.

2.2. Definition of PKEwET

The PKEwET scheme contains four algorithms [7]:

(1)

KeyGen ($1^l$): This procedure randomly selects $x\in Z_q^{*}$, and outputs the public/secret key pair $(pk=g^x,sk=x)$, where g is a generator of G.

(2)

Encrypt ($M,pk$): This procedure selects the numbers $r\in Z_q^{*}$ randomly. Then, it outputs the ciphertext $CT$ as follows:

Use r to compute:

$$C_1=g^r$$

$$C_2=M^r$$

$$C_3=Hash(C_1,C_2,g^{xr})\oplus (M\Vert r)$$

Output the ciphertext $CT=(C_1,C_2,C_3)$.

(3)

Decrypt($CT,sk$): Given $sk$ and a ciphertext $CT$, the procedure runs as follows:

$$M\Vert r=C_3\oplus Hash(C_1,C_2,C_1^x)$$

If $C_1=g^r$ and $C_2=M^r$, output M; otherwise, return ⊥.

(4)

Test($C{T}_i,C{T}_j$): Given $C{T}_i=(C_{i,1},C_{i,2},C_{i,3}),C{T}_j=(C_{j,1},C_{j,2},C_{j,3}$ the procedure runs as follows:

$$T_1=e(C_{i,1},C_{j,2})$$

$$T_2=e(C_{j,1},C_{i,2})$$

Then, check whether $T_1=T_2$ holds. If yes, it means that $M_i=M_j$ and output 1. Otherwise, it means that $M_i\ne M_j$ and output 0.

2.3. Group ID-Based Encryption

A group ID-based encryption scheme consists of the following six algorithms [42]:

(1)

Setup (l): With the security parameter l, this procedure exports system public parameters $sp$ and $msk$.

(2)

KeyGengroup ($sp$): With system public parameters $sp$, this procedure exports the public key and secret key $gsk$ of group users.

(3)

Extract ($msk,sp,ID$): With a user’s identity $ID\in {\{0,1\}}^{*}$, this procedure outputs the public key and secret key $dk$ of users.

(4)

Join ($gsk,h_{ID}$): This algorithm is an interactive protocol between the group manager and the prospective user; it takes the group user’s $ID$ as inputs, and outputs the group public key $gpk$.

(5)

Encrypt ($M,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j$): This algorithm takes the public keys $sp$, $gp{k}_i$ of the group manager, $d{k}_{I{D}_i}$ of the user i, and the receiver’s public key $I{D}_j$ and the message M as inputs, and outputs a ciphertext $CT$.

(6)

Decrypt ($CT,gpk,d{k}_{I{D}_j}$): This algorithm is run by the receiver; it takes the group public key $gpk$, the receiver’s secret key $d{k}_{I{D}_j}$, and the ciphertext $CT$ as inputs, and outputs the message M or an error symbol ⊥.

2.4. System Models

Figure 1 illustrates the system model of T-GIBEwET. The system has four roles: the group manger, the users, the tester, and a trusted third party. The trusted third party generates the private key $dk$ for users. The group manger generates the group public key and group secret key for the group users. The group users encrypt and send the private data to the tester. The tester is authorized and gains a trapdoor $gtd$.

Figure 1. System Model.

An integrated T-GIBEwET scheme consists of nine algorithms: Setup, KeyGengroup, Extract, Join, Encrypt, Decrypt, Trace, Auth, and Test.

(1)

Setup (l): With the security parameter l, this procedure exports the system public parameters $sp$ and $msk$.

(2)

KeyGengroup ($sp$): With system public parameters $sp$, this procedure exports the public key and secret key $gsk$ of group users.

(3)

Extract ($msk,sp,ID$): With a user’s identity $ID\in {\{0,1\}}^{*}$, this procedure outputs the public key and secret key $dk$ of users.

(4)

Join ($gsk,h_{ID}$): This algorithm is an interactive protocol between the group manager and the prospective user; it takes the group user’s $ID$ as inputs, and outputs the group public key $gpk$.

(5)

Encrypt ($M,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j$): This algorithm takes the public keys $sp$ and $gp{k}_i$ of the group manager, $d{k}_{I{D}_i}$ of the user i, the receiver’s public key $I{D}_j$, and the message M as inputs, and outputs a ciphertext $CT$.

(6)

Decrypt ($CT,gpk,d{k}_{I{D}_j}$): This algorithm is run by the receiver, it takes the group public key $gpk$, the receiver’s secret key $d{k}_{I{D}_j}$, and the ciphertext $CT$ as inputs, and outputs the message M or an error symbol ⊥.

(7)

Trace ($CT,gsk,h_{I{D}_i},gpk$): This algorithm is run by the group manger; it takes group secret key $gsk$, $h_{I{D}_i}$, $gpk$, and a ciphertext $CT$ as inputs, and outputs the user’s $ID$.

(8)

Auth ($gsk$): This algorithm is run by the group manger, and outputs the group trapdoor $gtd$.

(9)

Test ($C{T}_i,C{T}_j,gtd$): This algorithm is run by the tester; it takes the two ciphertexts $C{T}_i,C{T}_j$ and $gtd$ as inputs, and outputs 1 or 0.

2.5. Security Models

According to different permissions, we show two kinds of adversaries in our proposal.

• $Type-{\alpha }_1$ adversary: With a trapdoor, the adversary cannot recover the plaintext after receiving the challenge ciphertext.
• $Type-{\alpha }_2$ adversary: Without a trapdoor, the adversary cannot tell by which message is $C{T}^{*}$ encrypted.

OW-CCA security in T-GIBEwET.

$Type-{\alpha }_1$ adversary ${\mathcal{A}}_1$ and simulator $\mathcal{S}$’s game is played as in Figure 2.

Figure 2. OW-CCA security model.

In Figure 2, ${\mathcal{O}}_1$ represents the $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$ queries. ${\mathcal{O}}_2(ID)\stackrel{△}{=}\mathbf{Extract}(msk,ID)$, ${\mathcal{O}}_3(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})\stackrel{△}{=}\mathbf{Encrypt}(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})$, ${\mathcal{O}}_4(ID,CT)\stackrel{△}{=}\mathbf{Decrypt}$$(d{k}_{ID},CT)$, ${\mathcal{O}}_5(gtd,·)\stackrel{△}{=}\mathbf{Auth}(gtd,·)$, ${\mathcal{O}}_6={\mathcal{O}}_1$, ${\mathcal{O}}_8(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})=$${\mathcal{O}}_3(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})\stackrel{△}{=}\mathbf{Encrypt}(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})$, ${\mathcal{O}}_{10}(gtd,·)={\mathcal{O}}_5(gtd,·)\stackrel{△}{=}\mathbf{Auth}(gtd,·)$, but

$${\mathcal{O}}_7(i)=\left\{\begin{array}{ccc}\hfill {\mathcal{O}}_2(i)& & i\ne t\hfill \\ \hfill \perp & & otherwise\hfill \end{array}\right.$$

and

$${\mathcal{O}}_9(i,C{T}_i)=\left\{\begin{array}{ccc}\hfill {\mathcal{O}}_4(i,C{T}_i)& & C{T}_i\ne C{T}^{*}\hfill \\ \hfill \perp & & otherwise\hfill \end{array}\right.$$

The advantage of ${\mathcal{A}}_1$ in the aforementioned game is defined as follows:

$$Ad{v}_{PKEwET-FA,{\mathcal{A}}_1}^{OW-CCA}(k)=\mathrm{Pr}[M_t=M_t^{*}]$$

As described in Figure 2, ${\mathcal{A}}_1$ enjoys ${\mathcal{O}}_1$, ${\mathcal{O}}_2$, ${\mathcal{O}}_3$, ${\mathcal{O}}_4$, and ${\mathcal{O}}_5$ queries in Phase 1, and $\mathcal{S}$ answers all queries truthfully. When ${\mathcal{A}}_1$ decides to discontinue queries, $\mathcal{S}$ selects a challenge message M and generates the challenge ciphertext $C{T}^{*}$. Then, ${\mathcal{A}}_1$ enjoys ${\mathcal{O}}_6$, ${\mathcal{O}}_7$, ${\mathcal{O}}_8$, ${\mathcal{O}}_9$, and ${\mathcal{O}}_{10}$ queries as Phase 1, but the condition is that $C{T}^{*}$ does not appear in ${\mathcal{O}}_9$. When ${\mathcal{A}}_1$ decides to discontinue queries, ${\mathcal{A}}_1$ guesses $M^{{}^{\prime }}$ to $\mathcal{S}$.

Definition 1.

The T-GIBEwET scheme is OW-CCA security, if all polynomial time and the advantage of ${\mathcal{A}}_1$ ($Ad{v}_{T-GIBEwET,{\mathcal{A}}_1}^{OW-CCA}(l)=$ Pr$[M=M^{{}^{\prime }}]$) is negligible in the above game.

IND-CCA security in T-GIBEwET.

$Type-{\alpha }_2$ adversary ${\mathcal{A}}_2$ and simulator $\mathcal{S}$’s game is played as in Figure 3.

Figure 3. IND-CCA Security Model.

In Figure 3, ${\mathcal{O}}_1$ represents $H_1$, $H_2$, $H_3$, $H_4$, and $H_5$ queries. ${\mathcal{O}}_2(ID)\stackrel{△}{=}\mathbf{Extract}(msk,ID)$, ${\mathcal{O}}_3(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})\stackrel{△}{=}\mathbf{Encrypt}(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})$, ${\mathcal{O}}_4(ID,CT)\stackrel{△}{=}\mathbf{Decrypt}$$(d{k}_{ID},CT)$, ${\mathcal{O}}_5={\mathcal{O}}_1$, ${\mathcal{O}}_7(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})={\mathcal{O}}_3(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})\stackrel{△}{=}\mathbf{Encrypt}$$(M,I{D}_j,gpk,sp,d{k}_{I{D}_i})$, but

$${\mathcal{O}}_6(i)=\left\{\begin{array}{ccc}\hfill {\mathcal{O}}_2(i)& & i\ne t\hfill \\ \hfill \perp & & otherwise\hfill \end{array}\right.$$

and

$${\mathcal{O}}_8(i,C{T}_i)=\left\{\begin{array}{ccc}\hfill {\mathcal{O}}_4(i,C{T}_i)& & C{T}_i\ne C{T}^{*}\hfill \\ \hfill \perp & & otherwise\hfill \end{array}\right.$$

The advantage of ${\mathcal{A}}_2$ in the aforementioned game is defined as follows:

$$Ad{v}_{PKEwET-FA,{\mathcal{A}}_2}^{IND-CCA}(k)=\left|\mathrm{Pr}\right[b=b^{*}]-1/2|)$$

As described in Figure 3, ${\mathcal{A}}_2$ enjoys ${\mathcal{O}}_1$, ${\mathcal{O}}_2$, ${\mathcal{O}}_3$, and ${\mathcal{O}}_4$ queries in Phase 1, and $\mathcal{S}$ answers all queries truthfully. When ${\mathcal{A}}_2$ decides to discontinue queries, ${\mathcal{A}}_2$ selects the two challenge messages $M_0$, $M_1$. Given $M_0$ and $M_1$, $\mathcal{S}$ outputs $C{T}^{*}$ based on a random selection of $M_0$ and $M_1$. Then, ${\mathcal{A}}_2$ enjoys ${\mathcal{O}}_5$, ${\mathcal{O}}_6$, ${\mathcal{O}}_7$, and ${\mathcal{O}}_8$ queries as Phase 1, but the condition is that $C{T}^{*}$ does not appear in ${\mathcal{O}}_8$. When ${\mathcal{A}}_2$ decides to discontinue queries, ${\mathcal{A}}_2$ guesses $b^{{}^{\prime }}$ to $\mathcal{S}$.

Definition 2.

The T-GIBEwET scheme is IND-CCA security, if all polynomial time and the advantage of ${\mathcal{A}}_2$ ($Ad{v}_{T-GIBEwET,{\mathcal{A}}_2}^{IND-CCA}(l)=|$ Pr$[b=b^{{}^{\prime }}]-1/2|)$ is negligible in the above game.

Definition 3

(Correctness). If a $T-GIBEwET$ scheme is correct, for any $sp\leftarrow \mathit{Setup}(l)$, $gsk\leftarrow \mathit{KeyGengroup}(sp)$, $dk\leftarrow \mathit{Extract}(msk,sp,ID)$, $gpk\leftarrow \mathit{Join}(gsk,h_{ID})$, $C{T}_j\leftarrow \mathit{Encrypt}$$(M,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j)$, $C{T}_i\leftarrow \mathit{Encrypt}(M,sp,gp{k}_j,d{k}_{I{D}_j},I{D}_i)$ and $gtd\leftarrow \mathit{Auth}(gsk)$, the following conditions must be satisfied:

(1) 

For any $M\in \mathcal{M}$, Decrypt(Encrypt$(M,sp,gp{k}_j,d{k}_{I{D}_j},I{D}_i),d{k}_{I{D}_i})=M$ always holds.

(2) 

For any ciphertexts $C{T}_i$ and $C{T}_j$, if $Decrypt(C{T}_i,d{k}_{I{D}_i})=Decrypt(C{T}_j,dkI{D}_j)\ne \perp$, it holds that

$$Test(C{T}_i,C{T}_j,gtd)=1.$$

(3) 

For any ciphertexts $C{T}_i$ and $C{T}_j$, if $Decrypt(C{T}_i,d{k}_{I{D}_i})\ne Decrypt(C{T}_j,dkI{D}_j)\ne \perp$, it holds that

$$Test(C{T}_i,C{T}_j,gtd)=0.$$

2.6. Symbols

In this paragraph, we summarize some symbols used in the proposed scheme. These symbols will assist readers to read and understand the following sections. These symbols are listed in Table 1.

Table 1. Symbols used in the proposed scheme.

Symbol	Description
l	A security parameter
G	A cyclic group
g	The generator of G
M	The plaintext
$CT$	The ciphertext
$C{T}^{*}$	The challenge ciphertext
$\mathcal{M}$	The message space
Z	Set of integers
H	A hash function
s	The master key (keep it as a secret)
$ID$	A user’s identity
$gsk$	The group secret key (kept as a secret by group manager)
$gpk$	The group public key (share to all users in the group)
$d{k}_{ID}$	A user’s secret key (keep it as a secret)
$\mathcal{A}$	The adversary
$\mathcal{S}$	The simulator

3. Our Constructions

This section provides the proposed T-GIBEwET scheme as follows.

(1)

Setup(l): With the security parameter l, this procedure exports the system public parameters $sp=(g,G,G_T,e,g^s,H_1,H_2,H_3,H_4,H_5)$. Choose hash functions: $H_1:{\{0,1\}}^{*}\to G^{*}$, $H_2:G_T\to G$, $H_3:G_T\to {\{0,1\}}^{l+l_1}$, $H_4,H_5:{\{0,1\}}^{*}\to {\{0,1\}}^l$; here $l_1$ means the length of elements in $Z_q$. The master key $msk$ is s.

(2)

KeyGengroup($sp$): This procedure randomly selects $s_1,s_2\in Z_q^{*}$, and outputs the group secret key $gsk=(s_1,s_2)$.

(3)

Extract($msk,sp$): With a string $ID\in {\{0,1\}}^{*}$, this procedure outputs the public key and secret key as follows:

• Outputs a public key $h_{ID}=H_1(ID)\in G^{*}$.
• Outputs a secret key $d{k}_{ID}=h_{ID}^s$.

(4)

Join($gsk,h_{ID}$): This procedure outputs the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$.

(5)

Encrypt($M,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j$): This procedure selects numbers $r_1,r_2\in Z_q^{*}$ randomly. Then, it outputs the ciphertext $CT$ as follows:

Use $r_1,r_2$ to compute:

$$C_1=h_{I{D}_i}^{s_1{r}_1}$$

$$C_2=M^{r_2}{H}_2(U_1^{r_1})$$

$$C_3=g^{r_1}$$

$$C_4=g^{s{r}_2}$$

$$C_5=h_{I{D}_i}^{s{r}_1}$$

$$C_6=H_3(U_2^{r_1})\oplus (M\Vert r_1)$$

$$C_7=H_5(C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s)$$

$$C_8=H_4(C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1).$$

Output the ciphertext $CT=(C_1,C_2,C_3,C_4,C_5,C_6,C_7,C_8)$ ,where:

$U_1=e(h_{I{D}_i}^s,g^{s_1{s}_2})$

$U_2=e(h_{I{D}_j},g^s)$

(6)

Decrypt($CT,d{k}_{I{D}_j}$): Given $d{k}_{I{D}_j}$ and a ciphertext $CT$, the procedure runs as follows:

$$M\Vert r_1=C_6\oplus H_3(e(C_3,h_{I{D}_j}^s))$$

If $C_1=h_{I{D}_i}^{s_1{r}_1}$ and $C_8=H_4(C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1)$, output M; otherwise, return ⊥.

(7)

Trace($CT,d{k}_{I{D}_i},sp$): Given $d{k}_{I{D}_i}$, $sp$ and a ciphertext $CT$, the procedure runs as follows:

$$D_1=e(g,C_5)$$

$$D_2=e(h_{I{D}_i}^s,C_3)$$

Then, check whether $C_7=H_5(C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s)$ and $D_1=D_2$ holds. If yes, it means that $CT$ is encrypted by $I{D}_i$.

(8)

The algorithm from the authorization function and test function:

Suppose $C{T}_i$ (resp. $C{T}_j$) is a ciphertext of $I{D}_i$ (resp. $I{D}_j$).

• Auth($gsk$): Outputs the group trapdoor $gtd=s_2$.
• Test($C{T}_i,C{T}_j,gtd$):
  This procedure takes the inputs $C{T}_i,C{T}_j$ and $gtd$ and exports as follows:

  $$M_i^{r_{i,2}}=C_{i,2}/e{(C_{i,1},g^s)}^{s_2}$$

  $$M_j^{r_{j,2}}=C_{j,2}/e{(C_{j,1},g^s)}^{s_2}$$
  Use $M_i^{r_{i,2}}$ and $M_j^{r_{j,2}}$ to decide whether $e(M_i^{r_{i,2}},C_{j,4})=e(M_j^{r_{j,2}},C_{i,4})$. If yes, output 1, which means $M_i=M_j$. Otherwise, export 0, which means $M_i\ne M_j$.

Theorem 1.

According to Definition 3, the above T-$GIBEwET$ scheme is correct.

Proof. 

We show in turn that the three conditions of Definition 3 are all satisfied.

(1)

The first condition is easy to verify.

(2)

Considering the second condition, for any $sp\leftarrow \mathbf{Setup}(l)$, $gsk\leftarrow \mathbf{KeyGengroup}(sp)$, $dk\leftarrow \mathbf{Extract}(msk,sp,ID)$, $gpk\leftarrow \mathbf{Join}(gsk,h_{ID})$, $C{T}_j\leftarrow \mathbf{Encrypt}(M,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j)$, $C{T}_i\leftarrow \mathbf{Encrypt}(M,sp,gp{k}_j,d{k}_{I{D}_j},I{D}_i)$, the following equalities hold.

Given a group trapdoor $gtd=s_2$ and two ciphertexts $C{T}_i=\mathbf{Encrypt}$$(M_i,sp,gp{k}_j,d{k}_{I{D}_j},I{D}_i)$ and $C{T}_j=\mathbf{Encrypt}(M_j,sp,gp{k}_i,d{k}_{I{D}_i},I{D}_j)$, we can compute as follows:

$$C_{i,2}/e{(C_{i,1},g^s)}^{s_2}=M_i^{r_{i,2}}{H}_2(e{(h_{I{D}_i}^s,g^{s_1{s}_2})}^{r_{i,1}})/e{(h_{I{D}_i}^{s_1{r}_{i,1}},g^s)}^{s_2}$$

$$=M_i^{r_{i,2}}{H}_2(e{(h_{I{D}_i},g)}^{s{s}_1{s}_2{r}_{i,1}})/e{(h_{I{D}_i},g)}^{s{s}_1{s}_2{r}_{i,1}}=M_i^{r_{i,2}}$$

$$C_{j,2}/e{(C_{j,1},g^s)}^{s_2}=M_j^{r_{j,2}}{H}_2(e{(h_{I{D}_j}^s,g^{s_1{s}_2})}^{r_{j,1}})/e{(h_{I{D}_j}^{s_1{r}_{j,1}},g^s)}^{s_2}$$

$$=M_j^{r_{j,2}}{H}_2(e{(h_{I{D}_j},g)}^{s{s}_1{s}_2{r}_{j,1}})/e{(h_{I{D}_j},g)}^{s{s}_1{s}_2{r}_{j,1}}=M_j^{r_{j,2}}$$

Use $M_i^{r_{i,2}}$ to compute $e(M_i^{r_{i,2}},C_{j,4})=e(M_i^{r_{i,2}},g^{s{r}_{j,2}})=e{(M_i,g)}^{s{r}_{j,2}{r}_{i,2}}$.

Use $M_j^{r_{j,2}}$ to compute $e(M_j^{r_{j,2}},C_{i,4})=e(M_j^{r_{j,2}},g^{s{r}_{i,2}})=e{(M_j,g)}^{s{r}_{i,2}{r}_{j,2}}$. If $M_i=M_j$, then $e(M_i^{r_{i,2}},C_{j,4})=e(M_j^{r_{j,2}},C_{i,4})$, which means $Test(C{T}_i,C{T}_j,gtd)=1.$

(3)

As for the third condition, we have the following fact:

As in the above calculation, for any message $M_i(resp.M_j)$, if $M_i\ne M_j$, which means $e{(M_i,g)}^{s{r}_{j,2}{r}_{i,2}}\ne e{(M_j,g)}^{s{r}_{i,2}{r}_{j,2}}$. Then, $Test(C{T}_i,C{T}_j,gtd)=0$ holds.

□

4. Security Analysis

This section analyzes the security of the scheme and authorization.

Theorem 2.

For a type-1 adversary, under the random oracle model, the presented T-GIBEwET scheme is OW-CCA secure.

Proof. 

Let ${\mathcal{A}}_1$ be Type-1 adversary breaking the T-GIBEwET scheme in polynomial time. ${\mathcal{A}}_1$ makes at most $q_{H_1}>0$$H_1$-queries, $q_{H_2}>0$$H_2$-queries, $q_{H_3}>0$$H_3$-queries, $q_{H_4}>0$$H_4$-queries, $q_{H_5}>0$$H_5$-queries, $q_{Key}>0$ key retrieve queries, $q_{Enc}>0$ encryption queries, and $q_{Dec}>0$ decryption queries. We give $C{T}^{*}$ to the simulator $\mathcal{S}$. The aim of $\mathcal{S}$ is to recover the plaintext of $C{T}^{*}$ with a non-negligible advantage.

The game between ${\mathcal{A}}_1$ and $\mathcal{S}$ is described as follows:

Game $G_{1.0}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create a group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create a group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_1$.

Moreover, the challenger $\mathcal{S}$ prepares the five hash lists $H_1,H_2,H_3,H_4,H_5$ to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_1$ in the following ways:

• $H_1$-query: $\mathcal{S}$ maintains a list of 3-tuples $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$ in $H_1$. When ${\mathcal{A}}_1$, ask for $I{D}_i$ queries, and $\mathcal{S}$ runs as follows:

  -

  If the query $I{D}_i$ already in the $H_1$ list in the form of $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$, $\mathcal{S}$ outputs $H_1(I{D}_i)={\alpha }_i\in G^{*}$ to ${\mathcal{A}}_1$.

  -

  Otherwise, $\mathcal{S}$ generates $coi{n}_i\in \{0,1\}$ randomly. Then, it outputs as follows:

  ∗

  If $coi{n}_i=0$, $\mathcal{S}$ chooses a random number $x_i\in Z_q^{*}$ and computes ${\alpha }_i=g^{x_i}$ to ${\mathcal{A}}_1$.

  ∗

  Otherwise, $\mathcal{S}$ computes ${\alpha }_i=h_{I{D}_2}^{x_i}$ to ${\mathcal{A}}_1$.

  -

  $\mathcal{S}$ adds the tuple $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$ into the $H_1$ list.

• $H_2$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\theta }_i,{\vartheta }_i)$ in $H_2$. $\mathcal{S}$ chooses ${\vartheta }_i\in G$ randomly, returns ${\vartheta }_i$ to ${\mathcal{A}}_1$, and adds the tuple $({\theta }_i,{\vartheta }_i)$ to the $H_2$ list.
• $H_3$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\mu }_i,{\nu }_i)$ in $H_3$. $\mathcal{S}$ chooses ${\nu }_i{\{0,1\}}^{l+l_1}$ randomly, returns ${\mu }_i$ to ${\mathcal{A}}_1$, and adds the tuple $({\mu }_i,{\nu }_i)$ to the $H_3$ list.
• $H_4$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\rho }_i,{\xi }_i)$ in $H_4$. $\mathcal{S}$ chooses ${\xi }_i{\{0,1\}}^l$ randomly, returns ${\rho }_i$ to ${\mathcal{A}}_1$, and adds the tuple $({\rho }_i,{\xi }_i)$ to the $H_4$ list.
• $H_5$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\varphi }_i,{\phi }_i)$ in $H_4$. $\mathcal{S}$ chooses ${\phi }_i{\{0,1\}}^l$ randomly, returns ${\varphi }_i$ to ${\mathcal{A}}_1$, and adds the tuple $({\varphi }_i,{\phi }_i)$ to the $H_5$ list.
• Extract Query($ID$): When inputting $I{D}_i$, $\mathcal{S}$ sends $d{k}_{I{D}_i}={\alpha }_i$ to ${\mathcal{A}}_1$. If $coi{n}_i=1$, it means that $ID\ne I{D}_2$. Then, $\mathcal{S}$ sends ⊥ to ${\mathcal{A}}_1$.
• Encryption Query: $\mathcal{S}$ runs an encryption algorithm and outputs $CT=\mathbf{Encrypt}$$(M,ID,gpk,sp,dk)$.
• Decryption queries: With the $CT$ to the decryption query, $\mathcal{S}$ returns $M=\mathbf{Decrypt}(CT,d{k}_j)$ to ${\mathcal{A}}_1$ as follows:

  -

  If $coi{n}_i=0$, $\mathcal{S}$ uses the private key and outputs the decryption query to ${\mathcal{A}}_1$.

  -

  Otherwise, $\mathcal{S}$ outputs ⊥ to ${\mathcal{A}}_1$.

• Authorization Query: $\mathcal{S}$ outputs the group trapdoor $s_2$ to ${\mathcal{A}}_1$.

Challenge:$\mathcal{S}$ chooses $M^{*}\subset \mathcal{M}$ and $r_1^{*},r_2^{*}\in {\{0,1\}}^{l_1}$. It then outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M^{*r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=H_3(U_2^{r_1})\oplus (M^{*}\Vert r_1)$$

$$C_7^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s)$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M^{*}\Vert r_1).$$

The ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$ is output, where:

$U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$

$U_2=e(h_{I{D}_2},g^s)$

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_1$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_1$ performs the same queries as in Phase 1; the constraint is that $C{T}^{*}$ does not appear in the decryption queries.

Guess:${\mathcal{A}}_1$ outputs $M^{{}^{\prime }}\subset \mathcal{M}$.

Let $E_{1.0}$ be the event that $M^{{}^{\prime }}=M^{*}$ in Game $G_{1.0}$. Then, the advantage is:

$$Ad{v}_{T-GPKE-ET,{\mathcal{A}}_1}^{OW-CCA}(q_{H_1},q_{H_2},q_{H_3},q_{H_4},q_{H_5},q_{Extr},q_{Enc},q_{Dec})=Pr\left[E_{1.0}\right]$$

Game $G_{1.1}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_1$.

Moreover, the challenger $\mathcal{S}$ prepares the five hash lists $H_1,H_2,H_3,H_4,H_5$ to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_1$ in the following ways:

• $H_1$-query ($ID$), $H_2$-query (${\theta }_i$), $H_3$-query (${\mu }_i$), $H_4$-query (${\rho }_i$), and $H_5$-query (${\varphi }_i$) are the same as in Game $G_{1.0}$.
• Extract Query($ID$): Same as in Game $G_{1.0}$.
• Encryption Query: $\mathcal{S}$ outputs $CT$ to ${\mathcal{A}}_1$ as follows: $\mathcal{S}$ chooses $r_1,r_2\in {\{0,1\}}^{l_1}$ randomly, and performs the $H_1$-query($I{D}_i$), $H_1$-query($I{D}_j$) to obtain ${\alpha }_i$, ${\alpha }_j$, the $H_2$-query($e{(C_1,g^s)}^{s_2}$) to obtain ${\vartheta }_i$, the $H_3$-query($e{({\alpha }_j,g^s)}^{r_1}$) to obtain ${\nu }_i$, the $H_5$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s$) to obtain ${\phi }_i$. and the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain ${\xi }_i$.

  $$C_1={\alpha }_i^{s_1{r}_1}$$

  $$C_2=M^{r_2}{\vartheta }_i$$

  $$C_3=g^{r_2}$$

  $$C_4=g^{s{r}_2}$$

  $$C_5={\alpha }_j^{s{r}_1}$$

  $$C_6={\nu }_i\oplus (M\Vert r_1)$$

  $$C_7={\phi }_i.$$

  $$C_8={\xi }_i.$$
  $\mathcal{S}$ adds $(e{(C_1,g^s)}^{s_2},{\vartheta }_i)$ to the $H_2$ list, adds $(e{({\alpha }_j,g^s)}^{r_1},{\nu }_i)$ to the $H_3$ list, adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1,{\xi }_i$) to the $H_4$ list, and adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s,{\phi }_i$) to the $H_5$ list.
• Decryption queries: With the $CT$ to the decryption query, $\mathcal{S}$ returns $M=\mathbf{Decrypt}(CT,d{k}_j)$ to ${\mathcal{A}}_1$ as follows: $\mathcal{S}$ performs the $H_3(e{({\alpha }_j,g^s)}^{r_1})$ to obtain answer ${\nu }_i$, and performs the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain answer ${\xi }_i$. Then, $\mathcal{S}$ performs

  $$M\Vert r_1=C_6\oplus {\nu }_i.$$
  Then, it verifies $C_1={\alpha }_i^{s_1{r}_1}$ and $C_8={\xi }_i$. If the verification fails, it returns ⊥. Otherwise, $\mathcal{S}$ outputs M to ${\mathcal{A}}_1$.
• Authorization Query: Same as in Game $G_{1.0}$.

Challenge:$\mathcal{S}$ chooses $M^{*}\subset \mathcal{M}$, $W\in {\{0,1\}}^{l+l_1}$ and $r_1,r_2\in {\{0,1\}}^{l_1}$. Then, it outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M^{*r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=W\oplus (M^{*}\Vert r_1)$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_i}^s)$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M^{*}\Vert r_1)$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W)$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_1$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_1$ performs the same queries as in Phase 1, where the constraint is that $C{T}^{*}$ does not appear in the decryption queries.

Guess:${\mathcal{A}}_1$ outputs $M^{{}^{\prime }}\subset \mathcal{M}$.

Let $E_{1.1}$ be the event that $M^{{}^{\prime }}=M^{*}$ in Game $G_{1.1}$. Then, the advantage is:

$$Pr\left[E_{1.1}\right]=Pr\left[E_{1.0}\right].$$

Game $G_{1.2}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly select $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_1$.

Moreover, the challenger $\mathcal{S}$ prepares the five hash lists $H_1,H_2,H_3,H_4,,H_5$ to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_1$ in the following ways:

• The $H_1$-query($ID$), $H_2$-query(${\theta }_i$), $H_5$-query(${\varphi }_i$), and $H_4$-query(${\rho }_i$) are the same as in Game $G_{1.1}$.
• The $H_3$-query(${\mu }_i$) is the same as in Game $G_{1.1}$, except that ${\mathcal{A}}_1$ asks $e(C_3,h_{I{D}_2}^s)$.
• Extract Query($ID$): Same as in Game $G_{1.1}$.
• Encryption Query: Same as in Game $G_{1.1}$.
• Decryption Queries: Same as in Game $G_{1.1}$.
• Authorization Query: Same as in Game $G_{1.1}$.

Challenge:$\mathcal{S}$ chooses $M^{*}\subset \mathcal{M}$, $W^{*}\in {\{0,1\}}^{l+l_1}$ and $r_1,r_2\in {\{0,1\}}^{l_1}$. Then, it outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M^{*r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=W^{*}$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_i}^s).$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M^{*}\Vert r_1).$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W^{*}\oplus (M^{*}\Vert r_1))$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_1$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_1$ performs the same queries as in Phase 1, whereqthe constraint is that $C{T}^{*}$ does not appear in the decryption Queries, and if ${\mathcal{A}}_1$ asks for the decryption of $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{{}^{\prime }},C_7^{*},C_8^{*})$, where $C_6^{{}^{\prime }}\ne C_6^{*}$, $\mathcal{S}$ outputs ⊥.

Guess:${\mathcal{A}}_1$ outputs $M^{{}^{\prime }}\subset \mathcal{M}$. □

Let $E_{1.2}$ be the event that $M^{{}^{\prime }}=M^{*}$ in Game $G_{1.2}$.

Because $C_6^{{}^{\prime }}$ is a random value in Game $G_{1.1}$ and Game $G_{1.2}$, the challenge ciphertexts generated in Game $G_{1.1}$ and Game $G_{1.2}$ follow the same distribution. Therefore, if the event $E_1$ does not occur, Game $G_{1.2}$ is identical to Game $G_{1.1}$, and we can figure out

$$|Pr\left[E_{1.2}\right]-Pr\left[E_{1.1}\right]|\le Pr\left[E_1\right].$$

Next, we show that the probability of event $E_1$ occurring in Game $G_{1.2}$ is negligible.

Lemma 1.

When the C-BDH problem is intractable, there is a negligible probability that the event $E_1$ happens in Game$G_{1.2}$.

Proof. 

Suppose that $Pr\left[E_1\right]$ is non-negligible; we can construct a simulator $\mathcal{S}$ to break the C-BDH assumption by using ${\mathcal{A}}_1$’s attacks. With the tuple $(e,G,G_T,g,g^a,g^c,g^d)$, the aim is to obtain $e{(g,g)}^{acd}$.

Setup:$\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_1$. $\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_1$ in the following ways:

• $H_1$-query($ID$), $H_2$-query(${\theta }_i$), $H_5$-query(${\varphi }_i$), and $H_4$-query(${\rho }_i$) are same as in Game $G_{1.1}$.
• $H_3$-query(${\mu }_i$) is same as in Game $G_{1.1}$, except that ${\mathcal{A}}_1$ asks $e(C_3,h_{I{D}_2}^s)$
• Extract Query($ID$): Same as in Game $G_{1.1}$.
• Encryption Query: Same as in Game $G_{1.1}$, except that for the query $(I{D}_2,\ast ,\ast )$, $\mathcal{S}$ selects $r_1,r_2\in {\{0,1\}}^{l_1}$ randomly and outputs a ciphertext $CT=(C_1,C_2,C_3,C_4,C_5,C_6,C_7,C_8)$ as follows:
  $\mathcal{S}$ performs the $H_1$-query($I{D}_i$) and $H_1$-query($I{D}_j$) to obtain ${\alpha }_i$ and ${\alpha }_j$, respectively, the $H_2$-query($e{(C_1,g^s)}^{s_2}$) to obtain ${\vartheta }_i$, the $H_3$-query($e{({\alpha }_j,g^s)}^{r_1}$) to obtain ${\nu }_i$, the $H_5$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i^s}$) to obtain ${\phi }_i$, and the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain ${\xi }_i$.

  $$C_1={\alpha }_i^{s_1{r}_1}$$

  $$C_2=M^{r_2}{\vartheta }_i$$

  $$C_3=g^{r_2}$$

  $$C_4=g^{s{r}_2}$$

  $$C_5={\alpha }_j^{s{r}_2}$$

  $$C_6={\nu }_i\oplus (M\Vert r_1)$$

  $$C_7={\phi }_i.$$

  $$C_8={\xi }_i.$$
  $\mathcal{S}$ adds $(e{(C_1,g^s)}^{s_2},{\vartheta }_i)$ to the $H_2$ list, adds $(e{({\alpha }_j,g^s)}^{r_1},{\nu }_i)$ to the $H_3$ list, and adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1,{\xi }_i$) to the $H_4$ list.
• Decryption queries: Same as in Game $G_{1.1}$.
• Authorization Query: Same as in Game $G_{1.1}$.

Challenge:$\mathcal{S}$ chooses $M^{*}\subset \mathcal{M}$, $W^{*}\in {\{0,1\}}^{l+l_1}$ and $r_1,r_2\in {\{0,1\}}^{l_1}$. Then, it outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M^{*r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=W^{*}$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s).$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M^{*}\Vert r_1).$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W^{*}\oplus (M^{*}\Vert r_1))$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_1$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_1$ performs the same queries as in Phase 1; the constraint is that $C{T}^{*}$ does not appear in the decryption queries, and if ${\mathcal{A}}_1$ asks for the decryption of $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{{}^{\prime }},C_7^{*},C_8^{*})$, where $C_6^{{}^{\prime }}\ne C_6^{*}$, $\mathcal{S}$ outputs ⊥.

Guess:${\mathcal{A}}_1$ outputs $M^{{}^{\prime }}\subset \mathcal{M}$. □

Theorem 3.

Under the random oracle model, the proposed T-GIBEwET scheme is IND-CCA secure against a type-2 adversary.

Proof. 

Let ${\mathcal{A}}_2$ be a type-2 adversary breaking the T-GIBEwET scheme in polynomial time. ${\mathcal{A}}_2$ makes at most $q_{H_1}>0$$H_1$-queries, $q_{H_2}>0$$H_2$-queries, $q_{H_3}>0$$H_3$-queries, $q_{H_4}>0$$H_4$-queries, $q_{H_5}>0$$H_5$-queries, $q_{Key}>0$ key retrieve queries, $q_{Enc}>0$ encryption queries, and $q_{Dec}>0$ decryption queries. We give $C{T}^{*}$ to the simulator $\mathcal{S}$. The aim of $\mathcal{S}$ is to recover the plaintext of $C{T}^{*}$ with a non-negligible advantage.

The game between ${\mathcal{A}}_2$ and $\mathcal{S}$ is described as follows:

Game $G_{2.0}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_2$.

Moreover, the challenger $\mathcal{S}$ prepares the five hash lists $H_1,H_2,H_3,H_4,H_5$ to record all hash queries and answer the random oracle queries, where all hash lists are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_2$ in the following ways:

• $H_1$-query: $\mathcal{S}$ maintains a list of 3-tuples $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$ in $H_1$. When ${\mathcal{A}}_2$ asks for $I{D}_i$ queries, $\mathcal{S}$ runs as follows:

  -

  If the query $I{D}_i$ is already in the $H_1$ list in the form of $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$, $\mathcal{S}$ outputs $H_1(I{D}_i)={\alpha }_i\in G^{*}$ to ${\mathcal{A}}_2$.

  -

  Otherwise, $\mathcal{S}$ generates $coi{n}_i\in \{0,1\}$ randomly. Then, it outputs as follows:

  ∗

  If $coi{n}_i=0$, $\mathcal{S}$ chooses a random number $x_i\in Z_q^{*}$ and computes ${\alpha }_i=g^{x_i}$ to ${\mathcal{A}}_2$.

  ∗

  Otherwise, $\mathcal{S}$ computes ${\alpha }_i=h_{I{D}_2}^{x_i}$ to ${\mathcal{A}}_2$.

  -

  $\mathcal{S}$ adds the tuple $(I{D}_i,{\alpha }_i,x_i,coi{n}_i)$ into the $H_1$ list.

• $H_2$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\theta }_i,{\vartheta }_i)$ in $H_2$. $\mathcal{S}$ chooses ${\vartheta }_i\in G$ randomly, puts out ${\vartheta }_i$ to ${\mathcal{A}}_2$ and adds the tuple $({\theta }_i,{\vartheta }_i)$ to the $H_2$ list.
• $H_3$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\mu }_i,{\nu }_i)$ in $H_3$. $\mathcal{S}$ chooses ${\nu }_i{\{0,1\}}^{l+l_1}$ randomly, puts out ${\mu }_i$ to ${\mathcal{A}}_2$ and adds the tuple $({\mu }_i,{\nu }_i)$ to the $H_3$ list.
• $H_4$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\rho }_i,{\xi }_i)$ in $H_4$. $\mathcal{S}$ chooses ${\xi }_i{\{0,1\}}^l$ randomly, puts out ${\rho }_i$ to ${\mathcal{A}}_2$ and adds the tuple $({\rho }_i,{\xi }_i)$ to the $H_4$ list.
• $H_5$-query: $\mathcal{S}$ maintains a list of 2-tuples $({\varphi }_i,{\phi }_i)$ in $H_4$. $\mathcal{S}$ chooses ${\phi }_i{\{0,1\}}^l$ randomly, returns ${\varphi }_i$ to ${\mathcal{A}}_1$ and adds the tuple $({\varphi }_i,{\phi }_i)$ to the $H_5$ list.
• Extract Query($ID$): On input of the $I{D}_i$, $\mathcal{S}$ sends $d{k}_{I{D}_i}={\alpha }_i$ to ${\mathcal{A}}_2$. If $coi{n}_i=1$, which means $ID\ne I{D}_2$, then $\mathcal{S}$ sends ⊥ to ${\mathcal{A}}_2$.
• Encryption Query: $\mathcal{S}$ runs the encryption algorithm and outputs $CT=\mathbf{Encrypt}(M,gpk,dk,sp)$.
• Decryption queries: With the $CT$ in the decryption query, $\mathcal{S}$ returns $M=\mathbf{Decrypt}(CT,d{k}_j)$ to ${\mathcal{A}}_2$ as follows:

  -

  If $coi{n}_i=0$, $\mathcal{S}$ uses the private key and outputs the decryption query to ${\mathcal{A}}_2$.

  -

  Otherwise, $\mathcal{S}$ outputs ⊥ to ${\mathcal{A}}_2$.

• Authorization Query: It is not allowed.

Challenge:${\mathcal{A}}_2$ chooses $M_0,M_1\subset \mathcal{M}$ randomly and sends them to $\mathcal{S}$. Then, $\mathcal{S}$ takes $b\in \{0,1\}$ and $r_1^{*},r_2^{*}\in {\{0,1\}}^{l_1}$. It then outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M_b^{r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=H_3(U_2^{r_1})\oplus (M_b\Vert r_1)$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s).$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M_b\Vert r_1).$$

Output the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, where:

$U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$

$U_2=e(h_{I{D}_2},g^s)$

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_2$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_2$ performs the same queries as in Phase 1, where the constraint are as follows:

• $C{T}^{*}$ does not appear in the decryption queries.
• In the authorization query, all of the group users cannot be authorized.

Guess:${\mathcal{A}}_2$ outputs $b^{*}\in \{0,1\}$.

Let $E_{2.0}$ be the event that $b=b^{*}$ in Game $G_{2.0}$. Then, the advantage is:

$$Ad{v}_{T-GPKE-ET,{\mathcal{A}}_2}^{OW-CCA}(q_{H_1},q_{H_2},q_{H_3},q_{H_4},q_{H_5},q_{Extr},q_{Enc},q_{Dec})=Pr\left[E_{2.0}\right]$$

Game $G_{2.1}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_2$.

Moreover, the challenger $\mathcal{S}$ prepares the four hash lists $H_1,H_2,H_3,H_4$ to record all hash queries and answer the random oracle queries, where all hash list are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_2$ in the following ways:

• $H_1$-query($ID$), $H_2$-query(${\theta }_i$), $H_3$-query(${\mu }_i$), $H_5$-query(${\varphi }_i$), and $H_4$-query(${\rho }_i$) are the same as in Game $G_{2.0}$.
• Extract Query($ID$): Same as in Game $G_{2.0}$.
• Encryption Query: $\mathcal{S}$ outputs $CT$ to ${\mathcal{A}}_2$ as follows:
  $\mathcal{S}$ chooses $r_1,r_2\in {\{0,1\}}^{l_1}$ randomly, and performs the $H_1$-query($I{D}_i$) and $H_1$-query($I{D}_j$) to obtain ${\alpha }_i$ and ${\alpha }_j$, respectively, the $H_2$-query($e{(C_1,g^s)}^{s_2}$) to obtain ${\vartheta }_i$, the $H_3$- query($e{({\alpha }_j,g^s)}^{r_1}$) to obtain ${\nu }_i$, the $H_5$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s$) to obtain ${\phi }_i$, and the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain ${\xi }_i$.

  $$C_1={\alpha }_i^{s_1{r}_1}$$

  $$C_2=M^{r_2}{\vartheta }_i$$

  $$C_3=g^{r_2}$$

  $$C_4=g^{s{r}_2}$$

  $$C_5={\alpha }_j^{s{r}_1}$$

  $$C_6={\nu }_i\oplus (M\Vert r_1)$$

  $$C_7={\phi }_i$$

  $$C_8={\xi }_i.$$
  $\mathcal{S}$ adds $(e{(C_1,g^s)}^{s_2},{\vartheta }_i)$ to the $H_2$ list, adds $(e{({\alpha }_j,g^s)}^{r_1},{\nu }_i)$ to the $H_3$ list, adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1,{\xi }_i$) to the $H_4$ list, and adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s,{\phi }_i$) to the $H_5$ list.
• Decryption queries: With the $CT$ to the decryption query, $\mathcal{S}$ returns $M=\mathbf{Decrypt}(CT,s{k}_j)$ to ${\mathcal{A}}_2$ as follows: $\mathcal{S}$ performs the $H_3(e{({\alpha }_j,g^s)}^{r_1})$ to obtain answer ${\nu }_i$, and performs the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain answer ${\xi }_i$. Then, $\mathcal{S}$ performs

  $$M\Vert r_1=C_6\oplus {\nu }_i.$$
  Then, $C_1={\alpha }_i^{s_1{r}_1}$ and $C_8={\xi }_i$ are verified. If the verification fails, it returns ⊥. Otherwise, $\mathcal{S}$ outputs M to ${\mathcal{A}}_2$.
• Authorization Query: It is not allowed.

Challenge:${\mathcal{A}}_2$ chooses $M_0,M_1\subset \mathcal{M}$ randomly and sends them to $\mathcal{S}$. Then, $\mathcal{S}$ takes $b\in \{0,1\}$, $W\in {\{0,1\}}^{l+l_1}$ and $r_1^{*},r_2^{*}\in {\{0,1\}}^{l_1}$. It then outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M_b^{r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=W\oplus (M_b\Vert r_1)$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s)$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M_b\Vert r_1)$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W)$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_2$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_2$ performs the same queries as in Phase 1; the constraint are as follows:

• $C{T}^{*}$ does not appear in the decryption queries.
• In the authorization query, all of the group users cannot be authorized.

Guess:${\mathcal{A}}_2$ outputs $b^{*}\in \{0,1\}$.

Let $E_{2.1}$ be the event that $b=b^{*}$ in Game $G_{2.1}$. Then, the advantage is

$$Pr\left[E_{2.1}\right]=Pr\left[E_{2.0}\right].$$

Game $G_{2.2}$

Setup:$\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$. Then, $\mathcal{S}$ randomly selects $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_2$.

Moreover, the challenger $\mathcal{S}$ prepares the five hash lists $H_1,H_2,H_3,H_4,H_5$ to record all hash queries and answers the random oracle queries, where all hash list are empty at the beginning. If the same input is asked multiple times, the same answer will be returned.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_2$ in the following ways:

• $H_1$-query($ID$), $H_2$-query(${\theta }_i$), $H_5$-query(${\varphi }_i$), and $H_4$-query(${\rho }_i$) are the same as in Game $G_{2.1}$.
• $H_3$-query(${\mu }_i$) is the same as in Game $G_{2.1}$, except that ${\mathcal{A}}_2$ asks $e(C_3,h_{I{D}_2}^s)$.
• Extract Query($ID$): Same as in Game $G_{2.1}$.
• Encryption Query: Same as in Game $G_{2.1}$.
• Decryption Queries: Same as in Game $G_{2.1}$.
• Authorization Query: Same as in Game $G_{2.1}$.

Challenge:${\mathcal{A}}_2$ chooses $M_0,M_1\subset \mathcal{M}$ randomly and sends them to $\mathcal{S}$. Then, $\mathcal{S}$ takes $b\in \{0,1\}$, $W^{*}\in {\{0,1\}}^{l+l_1}$ and $r_1,r_2\in {\{0,1\}}^{l_1}$. It then outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M_b^{r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_2}$$

$$C_6^{*}=W^{*}$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s).$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M_b\Vert r_1)$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W^{*}\oplus (M^{*}\Vert r_1))$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_2$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_2$ performs the same queries as in Phase 1, where the constraint is that $C{T}^{*}$ does not appear in the decryption queries, and if ${\mathcal{A}}_2$ asks for the decryption of $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{{}^{\prime }},C_7^{*},C_8^{*})$, where $C_6^{{}^{\prime }}\ne C_6^{*}$, $\mathcal{S}$ outputs ⊥.

Guess:${\mathcal{A}}_2$ outputs $b^{*}\in \{0,1\}$. □

Let $E_{2.2}$ be the event that $b=b^{*}$ in Game $G_{2.2}$.

Because $C_6^{{}^{\prime }}$ is a random value in Game $G_{2.1}$ and Game $G_{2.2}$, the challenge ciphertexts generated in Game $G_{2.1}$ and Game $G_{2.2}$ follow the same distribution. Therefore, if the event $E_2$ does not occur, Game $G_{2.2}$ is identical to Game $G_{2.1}$. And we can figure out that

$$|Pr\left[E_{2.2}\right]-Pr\left[E_{2.1}\right]|\le Pr\left[E_2\right].$$

Next, we show that the probability of event $E_2$ occurring in Game $G_{2.2}$ is negligible.

Lemma 2.

When the C-BDH problem is intractable, there is negligible probability that the event $E_2$ will happen inGame$G_{2.2}$.

Proof. 

Suppose that $Pr\left[E_2\right]$ is non-negligible; we can construct a simulator $\mathcal{S}$ to break the C-BDH assumption by using the ${\mathcal{A}}_2$’s attacks. With the tuple $(e,G,G_T,g,g^a,g^c,g^d)$, the aim is to obtain $e{(g,g)}^{acd}$.

Setup:$\mathcal{S}$ randomly select $I{D}_1,I{D}_2$ as a challenger sender and a challenger receiver, respectively. Then, $\mathcal{S}$ gives the public key and $I{D}_1,I{D}_2$ to ${\mathcal{A}}_2$. $\mathcal{S}$ runs the algorithm Setup($1^l$) to create the system parameters $sp=(g,G,G_T,g^s,e,H_1,H_2,$ $H_3,H_4,H_5)$, runs the algorithm KeyGengroup($sp$) to create a group private key $gsk=(s_1,s_2)$, runs the algorithm Join($gsk,h_{ID}$) to create the group public key $gpk=(h_{ID}^{s_1},g^{s_1},g^{s_1{s}_2})$ for user $ID$, and runs Auth($gsk$) to create the group trapdoor $gtd=s_2$.

Phase 1:$\mathcal{S}$ responds to the queries made by ${\mathcal{A}}_2$ in the following ways:

• $H_1$-query($ID$), $H_2$-query(${\theta }_i$), $H_5$-query(${\varphi }_i$), and $H_4$-query(${\rho }_i$) are the same as in Game $G_{2.1}$.
• $H_3$-query(${\mu }_i$) is the same as in Game $G_{2.1}$, except that ${\mathcal{A}}_2$ asks for $e(C_3,h_{I{D}_2}^s)$.
• Extract Query($ID$): Same as in Game $G_{2.1}$.
• Encryption Query: Same as in Game $G_{2.1}$, except that for the query $(I{D}_2,\ast ,\ast )$, $\mathcal{S}$ selects $r_1,r_2\in {\{0,1\}}^{l_1}$ randomly and outputs a ciphertext $CT=(C_1,C_2,C_3,C_4,C_5,C_6,C_7,C_8)$ as follows:
  $\mathcal{S}$ performs the $H_1$-query($I{D}_i$) and $H_1$-query($I{D}_j$) to obtain ${\alpha }_i$ and ${\alpha }_j$, respectively, the $H_2$-query($e{(C_1,g^s)}^{s_2}$) to obtain ${\vartheta }_i$, the $H_3$-query($e{({\alpha }_j,g^s)}^{r_1}$) to obtain ${\nu }_i$, the $H_5$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s$) to obtain ${\phi }_i$, and the $H_4$-query($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1$) to obtain ${\xi }_i$.

  $$C_1={\alpha }_i^{s_1{r}_1}$$

  $$C_2=M^{r_2}{\vartheta }_i$$

  $$C_3=g^{r_2}$$

  $$C_4=g^{s{r}_2}$$

  $$C_5={\alpha }_j^{s{r}_1}$$

  $$C_6={\nu }_i\oplus (M\Vert r_1)$$

  $$C_7={\phi }_i$$

  $$C_8={\xi }_i.$$
  $\mathcal{S}$ adds $(e{(C_1,g^s)}^{s_2},{\vartheta }_i)$ to the $H_2$ list, adds $(e{({\alpha }_j,g^s)}^{r_1},{\nu }_i)$ to the $H_3$ list, adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert C_7\Vert M\Vert r_1,{\xi }_i$) to the $H_4$ list, and adds ($C_1\Vert C_2\Vert C_3\Vert C_4\Vert C_5\Vert C_6\Vert h_{I{D}_i}^s,{\phi }_i$) to the $H_5$ list.
• Decryption Queries: Same as in Game $G_{2.1}$.

Challenge:${\mathcal{A}}_2$ chooses $M_0,M_1\subset \mathcal{M}$ randomly and sends them to $\mathcal{S}$. Then, $\mathcal{S}$ takes $b\in \{0,1\}$, $W^{*}\in {\{0,1\}}^{l+l_1}$, and $r_1,r_2\in {\{0,1\}}^{l_1}$. Then, it outputs $C{T}^{*}$ as follows:

$$C_1^{*}=h_{I{D}_1}^{s_1{r}_1}$$

$$C_2^{*}=M_b^{r_2}{H}_2(U_1^{r_1})$$

$$C_3^{*}=g^{r_1}$$

$$C_4^{*}=g^{s{r}_2}$$

$$C_5^{*}=h_{I{D}_1}^{s{r}_1}$$

$$C_6^{*}=W^{*}$$

$$C_7^{*}=H_5(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert h_{I{D}_1}^s).$$

$$C_8^{*}=H_4(C_1^{*}\Vert C_2^{*}\Vert C_3^{*}\Vert C_4^{*}\Vert C_5^{*}\Vert C_6^{*}\Vert C_7^{*}\Vert M_b\Vert r_1)$$

where $U_1=e(h_{I{D}_1}^s,g^{s_1{s}_2})$. It outputs the ciphertext $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{*},C_7^{*},C_8^{*})$, and adds $(e{(h_{I{D}_2},g^s)}^{r_1},W^{*}\oplus (M_b\Vert r_1))$ into $H_3$.

Finally, it sends $C{T}^{*}$ to ${\mathcal{A}}_2$ as the challenge ciphertext.

Phase 2:${\mathcal{A}}_2$ performs the same queries as in Phase 1, where the constraint is that $C{T}^{*}$ does not appear in the decryption queries, and if ${\mathcal{A}}_2$ asks for the decryption of $C{T}^{*}=(C_1^{*},C_2^{*},C_3^{*},C_4^{*},C_5^{*},C_6^{{}^{\prime }},C_7^{*},C_8^{*})$, where $C_6^{{}^{\prime }}\ne C_6^{*}$, $\mathcal{S}$ outputs ⊥.

Guess:${\mathcal{A}}_2$ outputs $b^{*}\in \{0,1\}$. □

5. Performance Comparison

In this section, a performance comparison between the presented T-GIBEwET scheme and other related schemes is discussed. As illustrated in Table 2, our proposal supports the traceability function and others do not. In Table 3, the comparison of efficiency with PKEwET variants is shown. The second to sixth columns reveal the computational efficiency for the algorithms of encryption, decryption, authorization, testing, and tracing. Compared to [7,16,17,35], the proposed T-GIBEwET scheme is more efficient than [7,16,17] in the decryption algorithm and more efficient than [17] in the authorization algorithm. Both authorization and tracking are supported in this paper.

Table 2. Comparison with other schemes.

Scheme	Authorized	Ciphertext Test	Traceable
[7]	-	√	-
[16]	√	√	-
[17]	√	√	-
[35]	√	√	-
T-GIBEwET	√	√	√

Table 3. Comparison of efficiency with other schemes.

Scheme	${\mathit{C}}_{\mathbf{Enc}}$	${\mathit{C}}_{\mathbf{Dec}}$	${\mathit{C}}_{\mathbf{Auth}}$	${\mathit{C}}_{\mathbf{Test}}$	${\mathit{C}}_{\mathbf{Trac}}$
[7]	3E	3E	-	2P	-
[16]	5E+2P	2E+2P	0	4P	-
[17]	(n+2)E+2P	(n+1)P+E	nE	nP	-
[35]	5E	2E	0	2E+2P	-
[34]	4E	2E	0	2E	-
T-GIBEwET	7E+2P	E+P	0	2E+4P	2P

E and P are the exponentiation operation and the the pairing operation, respectively, in group G.

6. Conclusions

In this paper we analyzed the PKEwET scheme, pointed out that the PKEwET algorithm is unable to keep track of ciphertexts in the cloud sever, and proposed the a traceable group ID-based encryption with an equality test scheme (T-GIBEwET). The T-GIBEwET algorithm is endowed with a special function: the users who are authorized by a trapdoor can test the ciphertexts in the cloud sever. Moreover, the proposed scheme supports the traceability function.

To simplify the public key management mechanism, the proposed scheme was designed with ID-based encryption. According to the competence of different users, the proposal can resist OW-CCA and IND-CCA security. Additionally, the T-GIBEwET scheme can resist a plaintext space attack.

Compared with other existing works, our proposal is more practical for use in cloud computing services.