Certificateless Encryption Supporting Multi-Ciphertext Equality Test with Proxy-Assisted Authorization

Abstract

Public key encryption with equality test (PKEET) is a cryptographic primitive that enables a tester to determine, without decryption, whether two ciphertexts encrypted with different public keys generate from the same message. In previous research, public key encryption with equality test (PKEET) was extended to include identity-based encryption with equality test (IBEET), thereby broadening the application of PKEET. Subsequently, certificateless encryption with equality test (CLEET) was introduced to address the key escrow problem in IBEET. However, existing CLEET schemes suffer from inefficiency and potential information leakage when dealing with multiple ciphertexts due to the need for pairwise equality tests. To address this issue, we propose a concept of certificateless encryption supporting multi-ciphertext equality test with proxy-assisted authorization (CLE-MET-PA). CLE-MET-PA incorporates the functionality of the multi-ciphertext equality test into CLEET, enabling a tester to perform a single equality test on multiple ciphertexts to determine whether the underlying plaintexts are equal, without revealing any additional information. This enhances the security of our scheme while significantly reducing the computational overhead compared to multiple pairwise equality tests, making our scheme more efficient. Additionally, our approach integrates proxy-assisted authorization, allowing users to delegate a proxy to grant authorizations for equality tests on their behalf when offline. Importantly, the proxy token used in our scheme does not include any portion of the user’s private key, providing enhanced protection compared to traditional PKEET schemes in which the user token is often part of the user’s private key. We construct a concrete CLE-MET-PA scheme and prove that it achieves CPA security and attains CCA security through an FO transformation.

1. Introduction

Cloud computing provides an efficient solution for transferring the storage and computation burdens from users to cloud servers. In recent decades, the continuous improvement in network bandwidth, the emergence of big data, the Internet of Things, and artificial intelligence have led to the rapid development of cloud technology and its applications [1,2,3,4]. Cloud storage, in comparison to traditional local storage, offers several advantages including low cost, high scalability, easy management, and maintenance. With cloud technology, users can select the appropriate storage capacity and service types based on their specific requirements and perform various data operations such as uploading, downloading, backup, archiving, and sharing. As a result, more and more individuals and organizations are utilizing cloud servers to process and store their data. However, due to the sensitive nature of their data and the need for privacy protection, it is common practice to encrypt the data on cloud servers using various cryptosystems. Nevertheless, there is a growing demand for cryptographic technologies that enable processing operations, such as searching, deduplication, classification, and data segmentation, while preserving the confidentiality of the encrypted data.

In the realm of processing encrypted data, researchers have proposed various cryptographic primitives, including searchable encryption [5,6] and fully homomorphic encryption [7]. Expanding upon searchable encryption, Boneh et al. [8] introduced public key encryption with keyword search (PEKS) in 2004. The scheme allows a server to verify, without decryption, whether a ciphertext C is generated from a message M as long as it is in possession of the corresponding tag $T_M$ for that ciphertext and the public key used for message encryption. This property renders it suitable for applications such as the classification of public key ciphertexts.

This scheme, however, has a limitation in that it only allows ciphertext management for a single user, restricting comparison and search to ciphertexts under the same public key. To enable ciphertext equality tests across different public keys, additional primitives are necessary. In 2010, Yang et al. [9] proposed the concept of public-key encryption with equality test (PKEET). In their work, the authors introduced a special public key encryption scheme where an entity can determine whether two ciphertexts correspond to identical plaintexts using an equality test algorithm on two ciphertexts encrypted under different public keys.

1.1. Related Work

In the first PKEET scheme proposed by Yang et al. [9], there is a concern regarding the protection of data privacy for the data owner, as there is no restriction on who can perform an equality test. Consequently, the initial advancements in PKEET schemes were predominantly directed towards achieving fine-grained control over tester authorizations. These efforts [10,11,12,13,14] concentrated on devising methods to authorize testers and defining which ciphertexts they could perform equality tests on once granted authorization. The work proposed by Ma et al. [14] extensively examines and provides a comprehensive overview of diverse authorization mechanisms.

In 2016, Ma [15] and Lee et al. [16] introduced the identity-based encryption (IBE) primitive into PKEET, presenting their respective IBEET schemes. These schemes adopt the benefits of identity-based encryption (IBE) cryptosystems, which allow users to generate public and private key pairs using their identity information without the need for digital certificates, therefore addressing the key management problem in public key encryption cryptosystems. This novel approach sparked significant subsequent research on IBEET [17,18,19,20,21,22,23,24,25,26,27,28].

Certificateless public key encryption with equality test (CL-PKEET). When it comes to solving the key management problem, identity-based encryption (IBE) relies on a central authority, typically the key generation center (KGC), to generate private keys for users based on their identities. However, this reliance on a central authority means that the KGC has the ability to decrypt messages intended for any user. If the KGC is compromised, coerced, or misused, it can result in unauthorized access to users’ encrypted data, which is known as the key escrow problem. To address this issue, Al-Riyami et al. [29] proposed certificateless encryption (CLE). In CLE, the KGC generates partial private keys for users, enabling them to generate their own private and public keys. This approach effectively addresses the key escrow problem. Similarly, IBEET also faces the key escrow problem. In order to tackle this problem in IBEET, Qu et al. [30] introduced CLE into PKEET, creating the initial certificateless public key encryption with equality test (CL-PKEET, referred to as CLEET in this paper for brevity) scheme.

Public key encryption with multi-ciphertext equality test (PKE-MET). Before the introduction of PKE-MET by Susilo et al. [31], all PKEET and IBEET schemes only supported pairwise equality tests. Consider a scenario where a tester receives n ciphertexts from n different users. With a conventional PKEET scheme, the tester would be required to perform a minimum of $n-1$ equality tests between pairs of ciphertexts to determine the equality of the n ciphertexts. However, in the PKE-MET scheme, a specific parameter s is designated, enabling the tester to test the equality of s ciphertexts in a single equality test. Moreover, this feature of multi-ciphertext comparison significantly reduces additional information leakage in equality tests. For example, when conducting an equality test on ciphertexts from three different users to determine whether the plaintexts corresponding to user A, B, and C’s ciphertexts are equal, traditional PKEET test algorithms would inevitably reveal additional information, such as the equality of the underlying plaintexts between user A and user B. By exploiting our multi-ciphertext test feature, the leakage of additional information in equality tests can be greatly mitigated. This improvement leads to better efficiency, heightened security, and reduced computational costs for the tester.

Proxy-assisted authorization. One authorization method employed in our scheme is consistent with the majority of PKEET schemes, known as user authorization. In this method, a user generates a token (also referred to as a trapdoor), and sends it to the tester, enabling the tester to conduct equality tests on the user’s ciphertexts. Additionally, we introduce a proxy-assisted authorization method, whereby the user can engage with a proxy through a secure and efficient key exchange algorithm to create a proxy token. This token is then securely stored by the proxy and possesses the same authorization capabilities as the user token. There are two primary advantages to this approach. Firstly, it liberates the user from having to be constantly online to authorize a tester, enhancing the practical application value of the scheme. Secondly, unlike the user token, the proxy token does not compromise any part of the user’s private key, thus reducing the risk of privacy exposure.

1.2. Our Contribution

We propose a CLE-MET-PA scheme in this paper, and the contributions of this paper are as follows:

• We introduce the multi-ciphertext equality test into CLEET. Our proposal associates each ciphertext with a designated number s, making it possible to perform equality tests on multiple ciphertexts simultaneously in a single test without revealing any additional information, all while retaining the fundamental attributes of certificateless encryption.
• We incorporate the concept of a proxy into our framework. Users have the flexibility to choose and disclose proxies along with their public keys on the public key server. This enables users to delegate authorization to proxies, allowing them to go offline, which effectively improves the practical application value. Moreover, the use of proxy tokens eliminates the exposure of the user’s private key, thus enhancing the security of our scheme. Additionally, our encryption process does not involve proxy information. Hence, when users choose a new proxy, there is no need to reconfigure previous ciphertexts. The disclosed proxy information is only utilized in the equality test, resulting in a more flexible scheme. Furthermore, the key generation algorithm for proxies is identical to that of users, meaning that any user can act as a proxy. This enhances the flexibility and efficiency of our scheme.
• We establish formal security models for our concrete CLE-MET-PA scheme, including five different types of adversaries. Subsequently, our work achieves IND-CPA security against adversaries with the trapdoor of the challenge ciphertext and OW-CPA security against adversaries without the trapdoor of the challenge ciphertext. In the extension section, we employ the Fujisaki–Okamoto (FO) transformation [32,33] to modify the encryption and decryption processes, thereby attaining CCA security for our scheme (i.e., IND-CCA security against adversaries with the trapdoor of the challenge ciphertext and OW-CCA security against adversaries without the trapdoor of the challenge ciphertext).

1.3. Organization

In Section 2, we reviewed the concepts of asymmetric bilinear groups and the BDH assumption; in Section 3, we introduced the system model, definitions and security models of CLE-MET-PA; in Section 4, we presented the concrete construction of CLE-MET-PA and verified its correctness; In Section 5, we proved the security of the scheme; in Section 6, we conducted a performance analysis and discussed the security extension of the scheme; in Section 7, we summarized our work.

2. Preliminary

2.1. Asymmetric Bilinear Groups

Let $\mathcal{G}=(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e)$ be a bilinear groups ensemble, where ${\mathbb{G}}_1$, ${\mathbb{G}}_2$, and ${\mathbb{G}}_T$ are three multiplicative cyclic groups of order p. $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ are two generators. A bilinear map $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ has the following properties:

1.

Bilinear: For any $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ and $a,b\in {\mathbb{Z}}_p$, $e(g_1^a,g_2^b)=e{(g_1,g_2)}^{ab}$.

2.

Non-degenerate:$e(g_1,g_2)\ne 1$.

3.

Computable: For any $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$, there is an efficient algorithm to compute $e(g_1,g_2)$.

Since ${\mathbb{G}}_1\ne {\mathbb{G}}_2$, this is an asymmetric bilinear map. In the asymmetric setting, if there exists an efficient computable isomorphism $\psi :{\mathbb{G}}_1\to {\mathbb{G}}_2$, the pairing e is referred to as a Type 2 pairing. Conversely, if no such isomorphism exists, e is categorized as a Type 3 pairing [34,35,36,37].

2.2. Bilinear Diffie–Hellman (BDH) Assumption in Asymmetric Bilinear Groups

The bilinear Diffie–Hellman (BDH) assumption was initially proposed by Boneh et al. [38] in the context of symmetric bilinear groups. Later, Boyen et al. [39] expanded this assumption to asymmetric bilinear settings.

The BDH problem can be defined as follows: consider a set of bilinear groups in Section 2.1, denoted by $\mathcal{G}=\{p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e\}$. Let $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$ be two generators. Given an instance $(g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)\in {\mathbb{G}}_1^3\times {\mathbb{G}}_2^3$ where a, b, and c are uniformly random choices from ${\mathbb{Z}}_p^{*}$, the task is to compute $e{(g_1,g_2)}^{abc}\in {\mathbb{G}}_T$.

The BDH assumption is defined as follows: Given an instance of the aforementioned BDH problem, no probabilistic polynomial-time (PPT) adversary, denoted by $\mathcal{A}$, can compute the value of $e{(g_1,g_2)}^{abc}$ with non-negligible probability. The advantage of $\mathcal{A}$ is defined as:

$$Adv\left(\mathcal{A}\right)=Pr[\mathcal{A}(g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)=e{(g_1,g_2)}^{abc}].$$

3. System Model, Definitions, and Security Models

We present the system model of our certificateless encryption supporting multi-ciphertext equality test with proxy-assisted authorization (CLE-MET-PA) scheme, followed by its formal definition and security models.

3.1. System Model of CLE-MET-PA

The system model of our CLE-MET-PA scheme is depicted in Figure 1. The model comprises seven types of entities as follows:

1.

Key generation center (KGC): This entity is responsible for system setup, safeguarding the master secret key, and issuing partial private keys to users based on their identities.

2.

Message sender: This entity generates ciphertexts using the public key of the target user and uploads them to the cloud server.

3.

Message receiver: This entity, often referred to as the user in this paper, can download ciphertexts for decryption, grant authorization to testers for equality tests, and delegate proxies to provide authorizations on its behalf.

4.

Cloud server: This entity stores the ciphertexts generated by message senders and allows message receivers to download them. The cloud server often serves as the tester. To ensure generality, we established a separate entity for test purposes.

5.

Proxy: This entity can interact with a message receiver to create a proxy token, granting authorization for equality tests on the message receiver’s ciphertexts.

6.

Public key server: This entity stores public keys issued by message receivers and proxies. Additionally, it keeps track of the message receiver’s choice of proxy and publishes its proxy information.

7.

Tester: This entity can perform an equality test on a set of s ciphertexts. To conduct the test, the tester must receive s ciphertexts along with the tokens issued by their respective message receivers or proxies. Each ciphertext is designated with the number s.

Figure 1. System model of CLE-MET-PA.

Figure 1. System model of CLE-MET-PA.

The workflow of our proposed CLE-MET-PA scheme is also depicted in Figure 1. The message sender queries the public key server for the necessary public key, encrypts the message using it to obtain the ciphertext, and uploads it to the cloud server. The message receiver can then download the ciphertext from the cloud server, and decrypt it to obtain the message. A message receiver can authorize a tester directly or by a delegated proxy, enabling the tester to perform an equality test on its ciphertexts.

A notable feature of CLE-MET-PA is its multi-ciphertext equality test, illustrated in Figure 2. A tester can conduct a single-test algorithm upon receiving s ciphertexts, each with the designated number s, along with s trapdoors (whether authorized by the user or authorized through user-delegated proxy authorization). The test algorithm outputs 1 if all underlying plaintexts to the ciphertexts are equal, and 0 if at least one underlying plaintext differs from the rest.

3.2. Certificateless Encryption Supporting Multi-Ciphertext Equality Test with Proxy-Assisted Authorization

A CLE-MET-PA system consists of eleven algorithms as described below:

• Setup$\left(1^{\lambda }\right)$: This algorithm takes the security parameter $\lambda$ as input and outputs the system parameter $pp$ and the system master secret key $msk$.
• Partial-Private-Key-Extract$(pp,msk,ID)$: Given the system parameter $pp$, a master key $msk$, and an identifier $ID$, this algorithm outputs the partial private key D.
• Set-Secret-Value $(pp,ID)$: Given the system parameter $pp$ and an identifier $ID$, this algorithm outputs a secret value x at random.
• Set-Private-Key $(pp,D,x)$: Given the system parameter $pp$, a partial private key D, and a secret value x, this algorithm outputs a private key $sk$.
• Set-Public-Key $(pp,x)$: Given the system parameter $pp$ and a secret value x, this algorithm outputs a public key $pk$.
• Set-Proxy-Key $(pp,I{D}_P)$: Given the system parameter $pp$ and a proxy identifier $I{D}_P$, this algorithm outputs a proxy public key $p{k}_P$ and its secret value $x_P$.
• Enc$(pp,pk,M,s)$: This algorithm outputs a ciphertext $CT$ of a message M, with a designated number s, such that an equality test on $CT$ must be performed with $s-1$ other ciphertexts with the same s.
• Dec$(CT,sk)$: This algorithm outputs the message M or ⊥.
• Aut$\left(sk\right)$: This algorithm outputs a token $tk$ that authorizes the tester to perform an equality test on the ciphertexts of users who own $sk$.
• Proxy-Aut $(pp,sk,s{k}_P)$: This protocol outputs a token $\widehat{tk}$ issued by the proxy who owns $s{k}_P$ to the tester, enabling the latter to perform an equality test on the ciphertexts of the users who own $sk$.
• Test$(C{T}_1,\cdots ,C{T}_t,{\widehat{tk}}_1,\cdots ,\widehat{tk}j,t{k}_1,\cdots ,t{k}_{t-j}$: Given t ciphertexts $CT$ and t tokens, including tokens issued by users and the proxy, this algorithm checks whether $t=s_1=s_2=\cdots =s_t$, where $s_i$ is the designated number of $C{T}_i$. If not, it outputs ⊥ and aborts. Otherwise, it outputs 1, implying that the underlying messages of $C{T}_1,C{T}_2,\cdots ,C{T}_t$ are equal, or 0, implying that the messages are not equal.

Correctness: We can say that a CLE-MET-PA scheme is correct if the following conditions hold.

(1) For any security parameter $\lambda$, any message $M\in \mathcal{M}$, and any number $s\in {\mathbb{Z}}_p$, we have

$$Pr\left[\begin{array}{l}\mathsf{Dec}(sk,CT)=M\end{array}\left|\begin{array}{l}pp\leftarrow \mathsf{Setup}\left(\lambda \right)\\ D\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,ID)\\ x\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,ID)\\ sk\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D,x)\\ pk\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x)\\ (p{k}_P,x_P)\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_P)\\ CT\leftarrow \mathsf{Enc}(pp,pk,M,s)\end{array}\right.\right]=1.$$

(2) For any security parameter $\lambda$, any message $M\in \mathcal{M}$, any number $t\in {\mathbb{Z}}_p$, and $i\in \{1,\cdots ,t\}$, we have

$$Pr\left[\begin{array}{l}\mathsf{Test}(C{T}_1,\cdots ,C{T}_t,{\widehat{tk}}_1,\cdots ,\\ {\widehat{tk}}_j,t{k}_1,\cdots ,t{k}_{t-j})=1\end{array}\left|\begin{array}{l}pp\leftarrow \mathsf{Setup}\left(\lambda \right)\\ D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)\\ x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)\\ s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_I,x_i)\\ p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)\\ (p{k}_P,x_P)\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})\\ C{T}_i\leftarrow \mathsf{Enc}(pp,p{k}_i,p{k}_{P_i},M_i,t)\\ t{k}_i\leftarrow \mathsf{Aut}\left(s{k}_i\right)\\ {\widehat{tk}}_i\leftarrow \mathsf{Proxy}-\mathsf{Aut}\left(s{k}_i\right)\end{array}\right.\right]$$

is overwhelming.

3.3. Security Models of CLE-MET-PA

We consider five types of adversaries in CLE-MET-PA. Type-I ∼ Type-IV exist in CL-PKEET and Type-V in PKE-MET. In CLE, users generate their own pairs of public and private keys. The absence of a certificate in the public key introduces a vulnerability to tampering. We define Type-I and Type-II adversaries as outsiders who possess the capability to replace legitimate public keys. In the context of CLE, where the KGC is not fully trusted, we define Type-III and Type-IV adversaries as curious KGCs who possess the system master secret key $msk$. For the discussion on the impact of trapdoors needed by the equality tests on system security, we define that Type-II and Type-IV adversaries can acquire all trapdoors in the system, including the trapdoor of the challenge ciphertext. Finally, considering the characteristics of PKE-MET, we define a Type-V adversary. The detailed descriptions are provided below:

• Type-I Adversary: This type of adversary can replace the public key of a user but cannot access the master key. Without the trapdoor of the challenge ciphertext, we define the IND-CPA security model regarding this type of adversary.
• Type-II Adversary: This type of adversary can replace the public key of a user but cannot access the master key. With the trapdoor of the challenge ciphertext, we define the OW-CPA security model regarding this type of adversary.
• Type-III Adversary: This type of adversary cannot replace the public key of a user but can access the master key. Without the trapdoor of the challenge ciphertext, we define the IND-CPA security model regarding this type of adversary.
• Type-IV Adversary: This type of adversary cannot replace the public key of a user but can access the master key. With the trapdoor of the challenge ciphertext, we define the OW-CPA security model regarding this type of adversary.
• Type-V Adversary: This type of adversary attempts to perform an equality test on t ciphertexts $C{T}_1,\cdots ,C{T}_t$, where all the designated numbers of these ciphertexts are $s_i$, with $s_i>t$.

We define five games for these five types of adversaries.

Game 1: IND-CPA Game

$pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right);$

$D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)$ for $1\le i\le N;$

$x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)$

$s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_i,x_i)$

$p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)$

$(p{k}_{P_i},x_{P_i})\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})$

$(s^{*},p{k}^{*},M_0^{*},M_1^{*})\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{rep}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$;

$C{T}^{*}\leftarrow \mathsf{Enc}(p{k}^{*},M_b^{*},s^{*})$ for $b\in \{0,1\},\mathrm{random}{s}^{*}$;

$b^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{rep}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$.

In Game 1, ${\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),$${\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),$${\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),$${\mathcal{O}}^{\mathsf{pub}-\mathsf{rep}}(·),$${\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),$${\mathcal{O}}^{\mathsf{token}}(·),$ and ${\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·),$ denote the partial key oracle, the private key oracle, the public key oracle, the public key replace oracle, the proxy key oracle, the token oracle, and the proxy token oracle, respectively. The adversary is not allowed to make private key query, token query, or proxy token query on $p{k}^{*}$. We define the advantage of adversary in winning this game as

$${\mathsf{Adv}}_{\mathsf{CLE}-\mathsf{MET}-\mathsf{PA}}^{\mathsf{IND}-\mathsf{CPA},\mathsf{Type}-\mathsf{I}}\left(\lambda \right)=Pr[b^{\prime }=b]-1/2.$$

Game 2: OW-CPA Game

$pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right);$

$D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)$ for $1\le i\le N;$

$x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)$

$s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_i,x_i)$

$p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)$

$(p{k}_{P_i},x_{P_i})\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})$

$(s^{*},p{k}^{*})\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{rep}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$;

$C{T}^{*}\leftarrow \mathsf{Enc}(p{k}^{*},M^{*},s^{*})$ for random $M^{*},s^{*}$;

$M^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{rep}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$.

In Game 2, the adversary is restricted to making a private key query on $p{k}^{*}$. We define the advantage of the adversary in winning this game as

$${\mathsf{Adv}}_{\mathsf{CLE}-\mathsf{MET}-\mathsf{PA}}^{\mathsf{OW}-\mathsf{CPA},\mathsf{Type}-\mathsf{II}}\left(\lambda \right)=Pr[M^{\prime }=M^{*}].$$

Game 3: IND-CPA Game

$pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right);$

$D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)$ for $1\le i\le N;$

$x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)$

$s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_i,x_i)$

$p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)$

$(p{k}_{P_i},x_{P_i})\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})$

$(s^{*},p{k}^{*},M_0^{*},M_1^{*})\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{msk}}(·),{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$;

$C{T}^{*}\leftarrow \mathsf{Enc}(p{k}^{*},M_b^{*},s^{*})$ for $b\in \{0,1\},\mathrm{random}{s}^{*}$;

$b^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{msk}}(·),{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$.

In Game 3, the adversary can access the master secret key oracle ${\mathcal{O}}^{\mathsf{msk}}(·)$, but can no longer access the public key replace oracle. The adversary cannot make a private key, token query, or proxy token query on $p{k}^{*}$. We define the advantage of the adversary in winning this game as

$${\mathsf{Adv}}_{\mathsf{CLE}-\mathsf{MET}-\mathsf{PA}}^{\mathsf{IND}-\mathsf{CPA},\mathsf{Type}-\mathsf{III}}\left(\lambda \right)=Pr[b^{\prime }=b]-1/2.$$

Game 4: OW-CPA Game

$pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right);$

$D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)$ for $1\le i\le N;$

$x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)$

$s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_i,x_i)$

$p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)$

$(p{k}_{P_i},x_{P_i})\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})$

$(s^{*},p{k}^{*})\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{msk}}(·),{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$;

$C{T}^{*}\leftarrow \mathsf{Enc}(p{k}^{*},M^{*},s^{*})$ for random $M^{*},s^{*}$;

$M^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{msk}}(·),{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$.

In Game 4, the adversary can access the master secret key oracle ${\mathcal{O}}^{\mathsf{msk}}(·)$, but can no longer access the public key replace oracle. The adversary cannot make a private key query on $p{k}^{*}$. We define the advantage of the adversary in winning this game as

$${\mathsf{Adv}}_{\mathsf{CLE}-\mathsf{MET}-\mathsf{PA}}^{\mathsf{OW}-\mathsf{CPA},\mathsf{Type}-\mathsf{IV}}\left(\lambda \right)=Pr[M^{\prime }=M^{*}].$$

Game 5: Number Game

$pp\leftarrow \mathsf{Setup}\left(1^{\lambda }\right)$;

$D_i\leftarrow \mathsf{Partial}-\mathsf{Private}-\mathsf{Key}-\mathsf{Extract}(pp,msk,I{D}_i)$ for $1\le i\le N;$

$x_i\leftarrow \mathsf{Set}-\mathsf{Secret}-\mathsf{Value}(pp,I{D}_i)$

$s{k}_i\leftarrow \mathsf{Set}-\mathsf{Private}-\mathsf{Key}(pp,D_i,x_i)$

$p{k}_i\leftarrow \mathsf{Set}-\mathsf{Public}-\mathsf{Key}(pp,x_i)$

$(p{k}_{P_i},x_{P_i})\leftarrow \mathsf{Set}-\mathsf{Proxy}-\mathsf{Key}(pp,I{D}_{P_i})$

$(s^{*},t^{*},p{k}_1^{*},\cdots ,p{k}_t^{*})\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right),t^{*}<s^{*}$;

$(C{T}_1^{*},\cdots ,C{T}_j^{*},\cdots ,C{T}_{t^{*}}^{*})\leftarrow \mathsf{Enc}((M_0^{*},p{k}_1^{*},s^{*}),$$\cdots ,$$(M_0^{*},p{k}_{j-1}^{*},s^{*}),$$(M_b^{*},p{k}_j^{*},s^{*}),$$(M_0^{*},p{k}_{j+1}^{*},s^{*}),$$\cdots ,$$(M_0^{*},p{k}_t^{*},s^{*}))$

for random messages $M_0^{*},M_1^{*}$ and number $b\in \{0,1\}$;

$b^{\prime }\leftarrow {\mathcal{A}}^{{\mathcal{O}}^{\mathsf{par}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{priv}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{pub}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{key}}(·),{\mathcal{O}}^{\mathsf{token}}(·),{\mathcal{O}}^{\mathsf{p}-\mathsf{token}}(·)}\left({\{p{k}_i,p{k}_{P_i}\}}_{i=1}^N\right)$.

In Game 5, the adversary cannot make private key queries on $p{k}_1^{*},\cdots ,p{k}_{t^{*}}^{*}$. We define the advantage of the adversary in winning this game as

$${\mathsf{Adv}}_{\mathsf{CLE}-\mathsf{MET}-\mathsf{PA}}^{\mathsf{Number},\mathsf{Type}-\mathsf{V}}\left(\lambda \right)=Pr[b^{\prime }=b]-1/2.$$

4. The Proposed CLE-MET-PA Scheme

In certificateless encryption supporting multi-ciphertext equality test with proxy-assisted authorization (CLE-MET-PA), each ciphertext $CT$ can designate a number s. With this designation, an authorized cloud server is enabled to perform an equality test on s ciphertexts, but only if all the designated numbers of these s ciphertexts are equal to s.

4.1. Our Construction

• Setup$\left(1^{\lambda }\right)$: Taking as input a security parameter $\lambda$, the setup algorithm generates a bilinear groups ensemble $\mathcal{G}=(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e)$, generators $g_1\in {\mathbb{G}}_1$, $g_2\in {\mathbb{G}}_2$ and five cryptographic hash functions $H_1:{\{0,1\}}^{*}\to {\mathbb{G}}_2,$$H_2:{\{0,1\}}^{*}\to {\mathbb{G}}_2,$$H_3:{\{0,1\}}^{*}\to {\mathbb{Z}}_p,$$H_4:{\{0,1\}}^{*}\to {\{0,1\}}^{2l},$$H_5:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda },$ where l is the bit length of a group element in ${\mathbb{Z}}_p$. Pick a random $\alpha \in {\mathbb{Z}}_p^{*}$, $\overline{g}=g_1^{\alpha }$. It sets the system parameter as

  $$pp=\{\mathcal{G},g_1,g_2,\overline{g},H_1,H_2,H_3,H_4,H_5\},$$

  and the master secret key

  $$msk=\alpha .$$
• Partial private key extract $(pp,msk,ID)$: Taking as input the system parameter $pp$, the master key $msk$, and the identifier $ID$. The key generation algorithm computes and outputs the partial private key pair

  $$D=(D_1,D_2)=\left(H_1{\left(ID\right)}^{\alpha },H_2{\left(ID\right)}^{\alpha }\right).$$
• Set-Secret-Value $(pp,ID)$: Taking as input the system parameter $pp$ and an identifier $ID$. The algorithm picks a value $x\in {\mathbb{Z}}_q^{*}$ at random. A proxy secret value corresponding to $I{D}_P$ is denoted as $x_P$.
• Set-Private-Key $(pp,D,x)$: Taking as input the system parameter $pp$, a partial private key pair and an secret value x. The algorithm computes the private key pair $sk$, where

  $$sk=(s{k}_1,s{k}_2)=(D_1^x,D_2^x)=\left(H_1{\left(ID\right)}^{\alpha x},H_2{\left(ID\right)}^{\alpha x}\right).$$
• Set-Public-Key $(pp,x)$: Taking as input the system parameter $pp$ and a secret value x, the algorithm outputs the public key pair

  $$pk=(X={\overline{g}}^x,Y=g_2^x,Z=g_1^x)=(g_1^{\alpha x},g_2^x,g_1^x).$$
• Set-Proxy-Key $(pp,I{D}_P)$: The proxy can be any user. A proxy generates the secret value and public key by running Set-Secret-Value $(pp,I{D}_P)$ and Set-Public-Key $(pp,x_P)$. Output the secret key $x_P$, and the public key pair

  $$p{k}_P=(X_P={\overline{g}}^{x_P},Y_P=g_2^{x_P},Z_P=g_1^{x_P})=(g_1^{\alpha x_P},g_2^{x_P},g_1^{x_P}).$$
• Enc$(pp,pk,M,s)$: Taking as input the system parameter $pp$, a user public key $pk$, check whether $e(X,g_2)=e(\overline{g},Y)$ and $e(Z,g_2)=e(g_1,Y)$ holds; if not, output ⊥ and abort. Then, taking as input a message $M\in {\mathbb{Z}}_p$, and a number $s\in {\mathbb{Z}}_p$, the encryption algorithm iteratively computes

  $$\begin{array}{l}{f}_0=H_3\left(M\right|\left|s\right),f_1=H_3\left(M\right|\left|s\right||f_0),\cdots ,\\ f_{s-1}=H_3\left(M\right|\left|s\right||f_0\left|\right|\cdots \left|\right|f_{s-2})\end{array}$$

  as illustrated in Figure 3 with $i=s$. Let

  $$f\left(x\right)=f_0+f_{1}x+f_2{x}^2+\cdots +f_{s-1}{x}^{s-1}.$$

It randomly chooses $A,r_1,r_2\in {\mathbb{Z}}_p$, and outputs the ciphertext $CT=(s,C_1,C_2,C_3,C_4,$ $C_5,C_6)$ as

$$\begin{array}{ll}{C}_1& =g_1^{r_1},C_2=H_4\left(e{(X,H_1\left(ID\right))}^{r_1}\right)\oplus \left(M\right||r_1),\\ \hfill C_3& =g_1^{r_2},C_4=Z^{r_2},\\ \hfill C_5& =H_4\left(e{(X,H_2\left(ID\right))}^{r_2}\right)\oplus \left(A\right|\left|f\left(A\right)\right),\\ \hfill C_6& =H_5\left(s\right||C_1\left|\right|C_2\left|\right|C_3\left|\right|C_4\left|\right|C_5\left|\right|e{\left(X,H_2\left(ID\right)\right)}^{r_2}\left|\right|f_0\left|\right|f_1\left|\right|\cdots \left|\right|f_{s-1}).\end{array}$$

Note that the equality of this ciphertext $CT$ can only be performed as an equality test with other $s-1$ ciphertexts in which all the designated numbers are s.

Dec$(CT,sk)$: Taking as input a ciphertext $CT=(s,C_1,C_2,C_3,C_4,C_5,C_6)$ and a secret key $sk=\left(H_1{\left(ID\right)}^{\alpha x},H_2{\left(ID\right)}^{\alpha x}\right)$, the decrypt algorithm computes

$$M^{\prime }\left|\right|r_1^{\prime }=C_2\oplus H_4\left(e(C_1,s{k}_1)\right)$$

It then computes

$$\begin{array}{ll}& f_0^{\prime }=H_3(M^{\prime }\left|\right|s),f_1^{\prime }=H_3(M^{\prime }\left|\right|s\left|\right|f_0^{\prime }),\cdots ,\\ & f_{s-1}^{\prime }=H_3(M^{\prime }\left|\right|s\left|\right|f_0^{\prime }\left|\right|\cdots \left|\right|f_{s-2}^{\prime })\end{array}$$

and checks whether the following equations hold or not

$$\begin{array}{ll}& C_1=g_1^{r_1^{\prime }},\\ & f^{\prime }\left(A^{\prime }\right)=f_0^{\prime }+f_1^{\prime }{A}^{\prime }+\cdots +f_{s-1}^{\prime }{A^{\prime }}^{s-1},\\ & C_6=H_5\left(s\right||C_1\left|\right|C_2\left|\right|C_3\left|\right|C_4\left|\right|C_5\left|\right|e(C_3,s{k}_2)\left|\right|f_0^{\prime }\left|\right|f_1^{\prime }\left|\right|\cdots \left|\right|f_{s-1}^{\prime }),\end{array}$$

where $A^{\prime }\left|\right|f^{\prime }\left(A^{\prime }\right)=C_5\oplus H_4\left(e(C_3,s{k}_2)\right)$. If all the equations hold, it returns

$$M=M^{\prime }.$$

Otherwise, it returns ⊥.

• Aut$\left(sk\right)$: Taking as input a secret key $sk=(s{k}_1,s{k}_2)=\left(H_1{\left(ID\right)}^{\alpha x},H_2{\left(ID\right)}^{\alpha x}\right)$, the authorization algorithm returns the token as

  $$tk=s{k}_2=H_2{\left(ID\right)}^{\alpha x}.$$
• Proxy-Aut $(pp,sk,s{k}_P)$: Following the algorithm depicted in

  Table 1. Key exchange protocol between the user and proxy.

  Key Exchange Protocol
  The user checks whether $e(X_P,g_2)=e(\overline{g},Y_P)$ and $e(Z_P,g_2)=e(g_1,Y_P)$ holds,
  if not, output ⊥ and abort.
  User $\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}{H}_2{\left(ID\right)}^{x_P}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\leftarrow }$ Proxy
  The user checks whether $e(Z_P,H_2\left(ID\right))=e(g_1,H_2{\left(ID\right)}^{x_P})$ holds, if not, abort and output ⊥.
  Otherwise, the user outputs proxy information $PI=H_2{\left(ID\right)}^{x_P}$,
  computes $\widehat{tk}=s{k}_2·{\left(PI\right)}^x=H_2{\left(ID\right)}^{\alpha x+x·x_P}$.
  User $\stackrel{\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\widehat{tk}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}}{\to }$ Proxy
  The proxy receives the proxy token $\widehat{tk}$ without revealing $x_P$ and knowing part of $sk$.

  , the user receives and publishes $H_2{\left(ID\right)}^{x_P}$ as the proxy information $PI$,

  $$PI=H_2{\left(ID\right)}^{x_P},$$

  and the algorithm returns the proxy token as

  $$\widehat{tk}=H_2{\left(ID\right)}^{\alpha x+x·x_P}.$$
• Test$(C{T}_1,\cdots ,C{T}_t,{\widehat{tk}}_1,\cdots ,{\widehat{tk}}_j,t{k}_1,\cdots ,t{k}_{t-j})$: Taking as input t ciphertexts $C{T}_1,\cdots ,$$C{T}_t$ where $C{T}_i=(s_i,C_{i,1},C_{i,2},C_{i,3},C_{i,4},C_{i,5},C_{i,6})$ and t corresponding tokens including the proxy token and user token: ${\widehat{tk}}_1,\cdots ,{\widehat{tk}}_j,t{k}_1,\cdots ,t{k}_{t-j}$, the test algorithm aborts if the equation $s_1=\cdots =s_t=t$ does not hold. Otherwise, for each $i\in \{1,\cdots ,j\}$:
  • With the token authorized by the user, it computes

    $$A_i\left|\right|f_i\left(A_i\right)=C_{i,5}\oplus H_4\left(e(C_{i,3},t{k}_i)\right),$$
  • With the proxy token authorized by the proxy, it computes

    $$A_i\left|\right|f_i\left(A_i\right)=C_{i,5}\oplus H_4\left(e(C_{i,3},{\widehat{tk}}_i)/e(C_{i,4},P{I}_i)\right),$$
  where

  $$f_i\left(A_i\right)=f_{i,0}+f_{i,1}{A}_i+f_{i,2}{A}_i^2+\cdots +f_{i,t-1}{A}_i^{t-1}.$$

With $A_i$ and $f_i\left(A_i\right)$ for $i\in \{1,\cdots ,t\}$, we have an equation set as

$$\left\{\begin{array}{ll}{f}_1\left(A_1\right)& =f_{1,0}+f_{1,1}{A}_1+\cdots +f_{1,t-1}{A}_1^{t-1}\\ \hfill f_2\left(A_2\right)& =f_{2,0}+f_{2,1}{A}_2+\cdots +f_{2,t-1}{A}_2^{t-1}\\ & ⋮\\ f_t\left(A_t\right)& =f_{t,0}+f_{t,1}{A}_t+\cdots +f_{t,t-1}{A}_t^{t-1}\end{array}\right..$$

Implicitly setting $f_{i,k}=f_{j,k}$ for $i,j\in \{1,2,\cdots ,t\}$ and $k\in \{0,1,\cdots ,t-1\}$, it solves the equation set and obtains a unique solution $f_{i,0},f_{i,1},\cdots ,f_{i,t-1}$. It checks whether the following equations hold or not for each $i\in \{1,2,\cdots ,j\}$.

$$C_{i,6}=H_5\left(t\right||C_{i,1}\left|\right|\cdots \left|\right|C_{i,5}\left|\right|e(C_{i,3},{\widehat{tk}}_i)/e(C_{i,4},P{I}_i)\left|\right|f_{i,0}\left|\right|\cdots \left|\right|f_{i,t-1}),$$

and for each $i\in \{1,2,\cdots ,t-j\}$.

$$C_{i,6}=H_5\left(t\right||C_{i,1}\left|\right|\cdots \left|\right|C_{i,5}\left|\right|e(C_{i,3},t{k}_i)\left|\right|f_{i,0}\left|\right|\cdots \left|\right|f_{i,t-1}).$$

• If all the equations hold, it returns 1, implying that $M_1=M_2=\cdots =M_t$.
• Otherwise, it returns 0, implying that the equation $M_1=M_2=\cdots =M_t$ does not hold.

4.2. Correctness of CLE-MET-PA

We analyze the correctness of the proposed CLE-MET-PA construction as below.

(1) In the decryption algorithm, denoted by Dec, the decryption process computes the following:

$$\begin{array}{ll}& C_2\oplus H_4(s{k}_1,C_1)\\ =& H_4\left(e{(X,H_1\left(ID\right))}^{r_1}\right)\oplus \left(M\right||r_1)\oplus H_4\left(e(s{k}_1,C_1)\right)\\ =& H_4\left(e{(g_1^{\alpha x},H_1\left(ID\right))}^{r_1}\right)\oplus \left(M\right||r_1)\oplus H_4\left(e(H_1{\left(ID\right)}^{\alpha x},g_1^{r_1})\right)\\ =& M\left|\right|r_1\end{array}$$

The output M and $r_1$ satisfy the three listed equations. Subsequently, the decryption algorithm will recover the message M, implying that

$$Pr\left[\mathsf{Dec}(sk,CT)=M\right]=1.$$

(2) In the test algorithm, denoted by Test, after implicitly setting $f_{i,k}=f_{j,k}$ for $i,j\in 1,2,\cdots ,t$ and $k\in 0,1,\cdots ,t-1$, we obtain an equation set comprising t equations for t unknown variables. We can then represent the coefficients of this equation set as the following Vandermonde matrix:

$$V=\left[\begin{array}{cccccccccc}& 1& & A_1& & A_1^2& & \cdots & & A_1^{t-1}\\ & 1& & A_2& & A_2^2& & \cdots & & A_2^{t-1}\\ & ⋮& & ⋮& & ⋮& & ⋮& & ⋮\\ & 1& & A_t& & A_t^2& & \cdots & & A_t^{t-1}\end{array}\right].$$

Thanks to the properties of the Vandermonde matrix, the equation set possesses a unique solution when the determinant of this matrix, denoted by $det\left(V\right)$, satisfies $det\left(V\right)\ne 0$. This determinant is defined as:

$$det\left(V\right)=\prod _{1\le i<j\le t}(A_i-A_j).$$

Since the values of $A_i$ for $i\in 1,\cdots ,t$ are randomly chosen from the set ${\mathbb{Z}}_p$, we can conclude that

$$det\left(V\right)\ne 0$$

holds with overwhelming probability, specifically $\frac{p(p-1)\cdots (p-t+1)}{p^t}$.

Consequently, we obtain a unique solution for the variables $f_{1,0},f_{1,1},\cdots ,f_{1,t-1}$. Given that $M_1=\cdots =M_t$, it follows that $f_{i,k}=f_{j,k}$ for $i,j\in 1,2,\cdots ,t$ and $k\in 0,1,\cdots ,t-1$. Thus, the unique solution will satisfy the following equations for $1\le i\le j\le t.$

$$\begin{array}{ll}& C_{i,6}=H_5\left(s\right||C_{i,1}\left|\right|\cdots \left|\right|C_{i,5}\left|\right|e(C_{i,3},{\widehat{tk}}_i)/e(C_{i,4},P{I}_i)\left|\right|f_{1,0}\left|\right|\cdots \left|\right|f_{1,j})\\ & C_{i,6}=H_5\left(s\right||C_{i,1}\left|\right|\cdots \left|\right|C_{i,5}\left|\right|e(C_{i,3},t{k}_i)\left|\right|f_{1,0}\left|\right|\cdots \left|\right|f_{1,t-j+1})\end{array}$$

Then, we have

$$\mathsf{Test}(C{T}_1,\cdots ,C{T}_{,}{\widehat{tk}}_1,\cdots ,{\widehat{tk}}_j,t{k}_1,\cdots ,t{k}_{t-j})=1$$

will hold with overwhelming probability.

(3) Similarly to the previous step (2), we can obtain a unique solution from the equation set. However, since the equation $M_1=\cdots =M_t$ does not hold, without a loss of generality, assume that $M_1\ne M_2=M_3=\cdots =M_t$. In this scenario, we then have $f_{1,k}\ne f_{i,k}=f_{j,k}$ for $i,j\in 2,\cdots ,t,k\in 0,\cdots ,t-1$. Nevertheless, it is evident that the solution cannot simultaneously satisfy the two following equations.

$$\begin{array}{cc}& C_{1,6}=H_5\left(t\right||C_{1,1}\left|\right|\cdots \left|\right|C_{1,4}\left|\right|e(C_{1,3},{\widehat{tk}}_1)/e(C_{1,4},P{I}_1)\left|\right|f_{1,0}^{\prime }\left|\right|\cdots \left|\right|f_{1,j}^{\prime })\\ & C_{2,6}=H_5\left(t\right||C_{2,1}\left|\right|\cdots \left|\right|C_{2,4}\left|\right|e(C_{2,3},{\widehat{tk}}_2)/e(C_{1,4},P{I}_2)\left|\right|f_{1,0}^{\prime }\left|\right|\cdots \left|\right|f_{1,j}^{\prime })\end{array}$$

Therefore, the test algorithm will output 0. We have

$$\mathsf{Test}(C{T}_1,\cdots ,C{T}_{,}{\widehat{tk}}_1,\cdots ,{\widehat{tk}}_j,t{k}_1,\cdots ,t{k}_{t-j})=0$$

will hold with overwhelming probability.

5. Security Proof

Our CLE-MET-PA construction is secure due to the hardness of the BDH assumption.

Theorem 1.

For any PPT Type-I adversary, our CLE-MET-PA scheme is IND-CPA-secure based on the BDH assumption in the random oracle model.

Proof of Theorem 1.

Assume there exists an adversary ${\mathcal{A}}_1$ who can break the IND-CPA security of our scheme with a non-negligible advantage $ϵ$, we can construct a simulator $\mathcal{B}$ to break the BDH assumption. Given an instance as $(\mathcal{G},g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)$, $\mathcal{B}$ is to compute $e{(g_1,g_2)}^{abc}$ by running ${\mathcal{A}}_1$ as a subroutine. $\mathcal{B}$ and ${\mathcal{A}}_1$ play the following game.

1.

Setup:$\mathcal{B}$ randomly picks a cryptographic hash function $H_3:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$ and sets the public parameter $pp=\{\mathcal{G},g_1,g_2,\overline{g},H_1,H_2,H_3,H_4,H_5\},$ where $\overline{g}=g_1^a$ and $H_1,H_2,H_4,H_5$ are random oracles. $pp$ is sent to ${\mathcal{A}}_1$. Lists $L_{H_1},L_{H_2},L_{H_4},L_{H_5},\mathrm{and} L_s$ are initially empty. Assume that ${\mathcal{A}}_1$ can make $q_{H_1},q_{H_2},q_{H_4},q_{H_5}$ hash queries to $H_1,H_2,H_4,\mathrm{and} H_5$, respectively.

2.

Phase 1: Assume there are n users with identities $I{D}_1,\cdots ,I{D}_n$ in the system. $\mathcal{B}$ randomly chooses $i^{*}\in [1,n]$ and performs the following steps.

• $H_1$-query ($I{D}_i$): For i-th query $I{D}_i$, $\mathcal{B}$ searches $L_{H_1}$. If there exists the related item of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$, $\mathcal{B}$ returns $H_1\left(I{D}_i\right)$ to ${\mathcal{A}}_1$. Otherwise, $\mathcal{B}$ randomly chooses $u_i$ and sets

  $$H_1\left(I{D}_i\right)=\left\{\begin{array}{ll}{g}_2^{u_i},& ifi\ne i^{*},\\ g_2^{b{u}_i},& ifi=i^{*}.\end{array}\right.$$
  $\mathcal{B}$ stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$ and returns $H_1\left(I{D}_i\right)$ to ${\mathcal{A}}_1$.
• $H_2$-query ($I{D}_i$): For the i-th query $I{D}_i$, $\mathcal{B}$ searches $L_{H_2}$. If there exists the related item of $I{D}_i$ as $(v_i,I{D}_i,H_2\left(I{D}_i\right))$, $\mathcal{B}$ returns $H_2\left(I{D}_i\right)$ to ${\mathcal{A}}_1$. Otherwise, $\mathcal{B}$ randomly chooses $v_i$ and sets

  $$H_2\left(I{D}_i\right)=\left\{\begin{array}{cc}{g}_2^{v_i},& ifi\ne i^{*},\\ g_2^{b{v}_i},& ifi=i^{*}.\end{array}\right.$$
  $\mathcal{B}$ stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$ and returns $H_2\left(I{D}_i\right)$ to ${\mathcal{A}}_1$.
• $H_4$-query ($Q_i$): For i-th query $Q_i$, $\mathcal{B}$ randomly picks ${\eta }_i\in {\{0,1\}}^{2l}$, sets $H_4\left(Q_i\right)={\eta }_i$, stores a new item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ into $L_{H_4}$, and then returns $H_4\left(Q_i\right)$ to ${\mathcal{A}}_1$.
• $H_5$-query ($W_i$): For the i-th query $W_i$, $\mathcal{B}$ randomly picks ${\sigma }_i\in {\{0,1\}}^{\lambda }$, sets $H_5\left(W_i\right)={\sigma }_i$, stores a new item $(W_i,H_5\left(W_i\right)={\sigma }_i)$ into $L_{H_5}$, and then returns $H_5\left(W_i\right)$ to ${\mathcal{A}}_1$.
• Partial private key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ then computes

  $$D_i=(D_{i,1},D_{i,2})=\left(H_1^{\alpha }\left(ID\right),H_2^{\alpha }\left(ID\right)\right)=\left(g_2^{a{u}_i},g_2^{a{v}_i}\right),$$

  which can be computed with a known $g_2^a,u_i,v_i$. $\mathcal{B}$ returns $D_i$ to ${\mathcal{A}}_1$.
• Secret key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$, stores $(I{D}_i,x_i,-,-)$ into $L_s$, and returns $x_i$ to ${\mathcal{A}}_1$.
• Private key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{a{x}_i{u}_i},g_2^{a{x}_i{v}_i}\right),$$

  which can be computed with known $g_2^a,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i,-)$ into $L_s$ and returns $s{k}_i$ to ${\mathcal{A}}_1$.
• Public key query ($I{D}_i$): For i-th queried identity $I{D}_i$, $\mathcal{B}$ searches $L_s$, and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{a{x}_i},g_2^{x_i},g_1^{x_i}\right),$$

  which can be computed with known $g_1,g_1^a,g_2,x_i$. It then stores $(I{D}_i,x_i,-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_1$.
• Proxy key query ($I{D}_{P_i}$): For a proxy with the related item in $L_s$ as $(I{D}_{P_i},x_{P_i})$, $\mathcal{B}$ performs as Public key query step and obtains

  $$p{k}_{P_i}=(X_{P_i},Y_{P_i},Z_{P_i})=\left(g_1^{a{x}_{P_i}},g_2^{x_{P_i}},g_1^{x_{P_i}}\right).$$

  which can be computed with known $g_1,g_1^a,g_2,x_{P_i}$. $\mathcal{B}$ then returns $p{k}_{P_i}$ and $s{k}_{P_i}$ to ${\mathcal{A}}_1$.
• Public key replace query ($I{D}_i,p{k}^{\prime }$):$\mathcal{B}$ changes the public key $p{k}_i$ corresponding to $I{D}_i$ to $p{k}^{\prime }=(X^{\prime },Y^{\prime },Z^{\prime })$ while receiving $(I{D}_i,p{k}^{\prime })$ if $e(X_i^{\prime },g_2)=e({\overline{g}}_1,Y_i^{\prime })$ and $e(Z_i^{\prime },g_2)=e(g_1,Y_i^{\prime })$ holds.
• Token query ($I{D}_i$): For a queried $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ searches $L_s$ to find the related item of $I{D}_i$ as $(I{D}_i,x_i,s{k}_i)$, where $s{k}_i=(s{k}_1,s{k}_2)$. If the related item does not exist, $\mathcal{B}$ performs as follows. If $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{a{x}_i{u}_i},g_2^{a{x}_i{v}_i}\right),$$

  which can be computed with known $g_2^a,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i)$ into $L_s$. $\mathcal{B}$ returns $s{k}_2$ to ${\mathcal{A}}_1$.
• Proxy token query ($I{D}_i$, $I{D}_{P_i}$): For a queried $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ performs as Aut step except that $\mathcal{B}$ computes $P{I}_i=H_2{\left(I{D}_i\right)}^{x_{P_i}}=g_2^{a{v}_i{x}_i{x}_{P_i}}$, and the proxy token

  $${\widehat{tk}}_i=H_2{\left(ID\right)}^{\alpha x+x·x_P}=g_2^{a{v}_i{x}_i+x_i{x}_{P_i}}$$

  with known $g_2,g_2^a,v_i,x_i,x_{P_i}$. $\mathcal{B}$ returns ${\widehat{tk}}_i$ to ${\mathcal{A}}_1$.

3.

Challenge:${\mathcal{A}}_1$ sends $(s^{*},I{D}^{*},M_0^{*},M_1^{*})$ to $\mathcal{B}$, where $s^{*}$ represents the designated challenge number, $I{D}^{*}$ stands for the challenge identity, and two plaintexts $M_0^{*}$ and $M_1^{*}$ are selected from ${\{0,1\}}^{\lambda }$ with equal lengths. If $I{D}^{*}\ne I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, it randomly picks $w_1,w_2\in {\mathbb{Z}}_p,R_1,R_2\in {\{0,1\}}^{2l},R_3\in {\{0,1\}}^{\lambda }$ and implicitly sets $r_1=w_{1}c,r_2=w_{2}c$. It then computes the challenge ciphertext as

$$\begin{array}{ll}{C}_1& =g_1^{r_1}=g_1^{c{w}_1},\\ C_2& =R_1,\\ C_3& =g_1^{r_2}=g_1^{c{w}_2},\\ C_4& =g_1^{x_{i^{*}}{r}_2}=g_1^{c{x}_{i^{*}}{w}_2},\\ C_5& =R_2,\\ C_6& =R_3.\end{array}$$

4.

Phase 2:$\mathcal{B}$ interacts with ${\mathcal{A}}_1$ as Phase 1 with the limitation that $I{D}_{i^{*}}$ cannot be queried in partial private key query, secret key query, private key query, token query, and proxy token query.

5.

Guess: ${\mathcal{A}}_1$ outputs its guess bit ${\rho }^{\prime }\in \{0,1\}$.

6.

Solve:$\mathcal{B}$ randomly chooses an item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ from $L_{H_4}$ and sets

$$e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}{u}_{i^{*}}{w}_1}}$$

as the solution to the BDH instance.

7.

Analysis: To successfully perform the reduction, the simulation should be indistinguishable from the real attack from the point of view of the adversary. As we can see, if the adversary chooses $I{D}_{i^{*}}$ as the challenge identity, the simulation will not abort, which means that the simulation is indistinguishable from the real attack. The corresponding probability is $1/n$. Upon the case that the simulation is indistinguishable to the adversary, we have the following analysis. Since the adversary is assumed to break the security with the advantage $ϵ$, we have that it issues the hash query $e{(X_{i^{*}},H_1\left(I{D}_{i^{*}}\right))}^{r_1}=e{(g_1^{a{x}_{i^{*}}},g_2^{b{u}_{i^{*}}})}^{c{w}_1}=e{(g_1,g_2)}^{abc·x_{i^{*}}{u}_{i^{*}}{w}_1}$ with probability $ϵ$. Thus, $\mathcal{B}$ can finally obtain the true solution to the given BDH instance as $e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}{u}_{i^{*}}{w}_1}}$ with a probability of $\frac{ϵ}{q_{H_4}}$. In conclusion, $\mathcal{B}$ can successfully break the BDH assumption with the probability of

$$Pr\left[\mathcal{B}choosesthecorrecthashquery\right|thesimulationisindistinguishable]=\frac{ϵ}{n·q_{H_4}}.$$

  □

Theorem 2.

For any PPT Type-II adversary, our CLE-MET-PA scheme is OW-CPA secure based on the BDH assumption in the random oracle model.

Proof of Theorem 2.

Assume there exists an adversary ${\mathcal{A}}_2$ who can break the OW-CPA security of our scheme with non-negligible advantage $ϵ$; then, we can construct a simulator $\mathcal{B}$ to break the BDH assumption. Given an instance as $(\mathcal{G},g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)$, $\mathcal{B}$ is to compute $e{(g_1,g_2)}^{abc}$ by running ${\mathcal{A}}_2$ as a subroutine. $\mathcal{B}$ and ${\mathcal{A}}_2$ play the following game.

1.

Setup:$\mathcal{B}$ randomly picks a cryptographic hash function $H_3:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$ and sets the public parameter $pp=\{\mathcal{G},g_1,g_2,\overline{g},H_1,H_2,H_3,H_4,H_5\},$ where $\overline{g}=g_1^a$ and $H_1,H_2,H_4,H_5$ are random oracles. $pp$ is sent to ${\mathcal{A}}_2$. Lists $L_{H_1},L_{H_2},L_{H_4},L_{H_5},L_s$ are initially empty. Assume that ${\mathcal{A}}_2$ can make $q_{H_1},q_{H_2},q_{H_4},q_{H_5}$ hash queries to $H_1,H_2,H_4,H_5$, respectively.

2.

Phase 1: Assume there are n users with identities $I{D}_1,\cdots ,I{D}_n$ in the system. $\mathcal{B}$ randomly chooses $i^{*}\in [1,n]$ and performs the following steps.

• $H_1$-query ($I{D}_i$): For i-th query $I{D}_i$, $\mathcal{B}$ searches $L_{H_1}$. If there exists the related item of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$, $\mathcal{B}$ returns $H_1\left(I{D}_i\right)$ to ${\mathcal{A}}_2$. Otherwise, $\mathcal{B}$ randomly chooses $u_i$ and sets

  $$H_1\left(I{D}_i\right)=\left\{\begin{array}{cc}{g}_2^{u_i},& ifi\ne i^{*},\\ g_2^{b{u}_i},& ifi=i^{*}.\end{array}\right.$$
  $\mathcal{B}$ stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$ and returns $H_1\left(I{D}_i\right)$ to ${\mathcal{A}}_2$.
• $H_2$-query ($I{D}_i$): For i-th query $I{D}_i$, $\mathcal{B}$ searches $L_{H_2}$. If there exists the related item of $I{D}_i$ as $(v_i,I{D}_i,H_2\left(I{D}_i\right))$, $\mathcal{B}$ returns $H_2\left(I{D}_i\right)$ to ${\mathcal{A}}_2$. Otherwise, $\mathcal{B}$ randomly chooses $v_i$ and sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i}$$
  $\mathcal{B}$ stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$ and returns $H_2\left(I{D}_i\right)$ to ${\mathcal{A}}_2$.
• $H_4$-query ($Q_i$): For the i-th query $Q_i$, $\mathcal{B}$ picks ${\eta }_i\in {\{0,1\}}^{2l}$ randomly, sets $H_4\left(Q_i\right)={\eta }_i$, stores a new item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ into $L_{H_4}$, and then returns $H_4\left(Q_i\right)$ to ${\mathcal{A}}_2$.
• $H_5$-query ($W_i$): For the i-th query $W_i$, $\mathcal{B}$ randomly picks ${\sigma }_i\in {\{0,1\}}^{\lambda }$, sets $H_5\left(W_i\right)={\sigma }_i$, stores a new item $(W_i,H_5\left(W_i\right)={\sigma }_i)$ into $L_{H_5}$, and then returns $H_5\left(W_i\right)$ to ${\mathcal{A}}_2$.
• Partial private key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ then computes

  $$D_i=(D_{i,1},D_{i,2})=\left(H_1^{\alpha }\left(ID\right),H_2^{\alpha }\left(ID\right)\right)=\left(g_2^{a{u}_i},g_2^{a{v}_i}\right),$$

  which can be computed with known $g_2^a,u_i,v_i$. $\mathcal{B}$ returns $D_i$ to ${\mathcal{A}}_2$.
• Secret key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$, stores $(I{D}_i,x_i,-,-)$ into $L_s$, and returns $x_i$ to ${\mathcal{A}}_2$.
• Private key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{a{x}_i{u}_i},g_2^{a{x}_i{v}_i}\right),$$

  which can be computed with known $g_2^a,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i,-)$ into $L_s$ and returns $s{k}_i$ to ${\mathcal{A}}_2$.
• Public key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{a{x}_i},g_2^{x_i},g_1^{x_i}\right),$$

  which can be computed with a known $g_1,g_1^a,g_2,x_i$. It then stores $(I{D}_i,x_i,-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_2$.
• Proxy key query ($I{D}_{P_i}$): For a proxy with the related item in $L_s$ as $(I{D}_{P_i},x_{P_i})$, $\mathcal{B}$ performs as the public key query step and obtains

  $$p{k}_{P_i}=(X_{P_i},Y_{P_i},Z_{P_i})=\left(g_1^{a{x}_{P_i}},g_2^{x_{P_i}},g_1^{x_{P_i}}\right).$$

  which can be computed with known $g_1,g_1^a,g_2,x_{P_i}$. $\mathcal{B}$ then returns $p{k}_{P_i}$ and $s{k}_{P_i}$ to ${\mathcal{A}}_2$.
• Public key replace query ($I{D}_i,p{k}^{\prime }$):$\mathcal{B}$ changes the public key $p{k}_i$ corresponding to $I{D}_i$ to $p{k}^{\prime }=(X^{\prime },Y^{\prime },Z^{\prime })$ while receiving $(I{D}_i,p{k}^{\prime })$ if $e(X_i^{\prime },g_2)=e({\overline{g}}_1,Y_i^{\prime })$ and $e(Z_i^{\prime },g_2)=e(g_1,Y_i^{\prime })$ holds.
• Token query ($I{D}_i$): For a queried $I{D}_i$, $\mathcal{B}$ searches $L_s$ to find the related item of $I{D}_i$ as $(I{D}_i,x_i,s{k}_i)$, where $s{k}_i=(s{k}_1,s{k}_2)$. If the related item does not exist, $\mathcal{B}$ performs as follows. If $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{a{x}_i{u}_i},g_2^{a{x}_i{v}_i}\right),$$

  which can be computed with known $g_2^a,x,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i)$ into $L_s$. $\mathcal{B}$ returns $s{k}_2$ to ${\mathcal{A}}_2$.
• Proxy token query ($I{D}_i$, $I{D}_{P_i}$): For a queried $I{D}_i$, $\mathcal{B}$ performs as Aut step except that $\mathcal{B}$ computes $P{I}_i=H_2{\left(I{D}_i\right)}^{x_{P_i}}=g_2^{a{v}_i{x}_i{x}_{P_i}}$, and the proxy token

  $${\widehat{tk}}_i=H_2{\left(ID\right)}^{\alpha x+x·x_P}=g_2^{a{v}_i{x}_i+x_i{x}_{P_i}}$$

  with known $g_2,g_2^a,v_i,x_i,x_{P_i}$. $\mathcal{B}$ returns ${\widehat{tk}}_i$ to ${\mathcal{A}}_2$.

3.

Challenge:${\mathcal{A}}_2$ sends $(s^{*},I{D}^{*})$ to $\mathcal{B}$, where $s^{*}$ represents the designated challenge number, and $I{D}^{*}$ stands for the challenge identity. If $I{D}^{*}\ne I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, it chooses to randomly pick $M^{*}\in {\{0,1\}}^{\lambda },w_1,w_2\in {\mathbb{Z}}_p,R_1\in {\{0,1\}}^{2l},$ and implicitly sets $r_1=w_{1}c,r_2=w_{2}c$. Taking as input $M^{*},s^{*}$, it then iteratively computes $(f_0,f_1,\cdots ,f_{s^{*}-1})$ and $f\left(x\right)$ same as Enc$(pp,pk,M,s)$ in Section 4.1. Then, it randomly picks $A\in {\mathbb{Z}}_p$, computes $f\left(A\right)$, then outputs the challenge ciphertext as follows:

$$\begin{array}{ll}{C}_1\hfill & =g_1^{r_1}=g_1^{c{w}_1},\\ C_2\hfill & =R_1,\\ C_3\hfill & =g_1^{r_2}=g_1^{c{w}_2},\\ C_4\hfill & =g_1^{x_{i^{*}}{r}_2}=g_1^{c{x}_{i^{*}}{w}_2},\\ C_5\hfill & =H_4\left(e(g_1^{c{w}_1},g_2^{a{v}_{i^{*}}{x}_{i^{*}}})\right)\oplus \left(A\right|\left|f\left(A\right)\right),\\ C_6\hfill & =H_5\left(s^{*}\left|\right|C_1^{*}\left|\right|C_2^{*}\left|\right|C_3^{*}\left|\right|C_4^{*}\left|\right|C_5^{*}\left|\right|e(g_1^{c{w}_1},g_2^{a{v}_{i^{*}}{x}_{i^{*}}})\left|\right|f_0\left|\right|f_1\left|\right|\cdots \left|\right|f_{s^{*}-1}\right).\end{array}$$

4.

Phase 2:$\mathcal{B}$ interacts with ${\mathcal{A}}_2$ as Phase 1 with the limitation that $I{D}_{i^{*}}$ cannot be queried in partial private key query, secret key query, and private key query.

5.

Guess: ${\mathcal{A}}_2$ outputs its guess $M^{\prime }\in {\{0,1\}}^{\lambda }$.

6.

Solve:$\mathcal{B}$ randomly chooses an item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ from $L_{H_4}$ and sets

$$e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}{u}_{i^{*}}{w}_1}}$$

as the solution to the BDH instance.

7.

Analysis: To successfully perform the reduction, the simulation should be indistinguishable from the real attack from the point of view of the adversary. As we can see, if the adversary chooses $I{D}_{i^{*}}$ as the challenge identity, the simulation will not abort, which means the simulation is indistinguishable from the real attack. The corresponding probability is $1/n$. Upon the case that the simulation is indistinguishable to the adversary, we have the following analysis. Since the adversary is assumed to break the security with advantage $ϵ$, we have that it issues the hash query $e{(X_{i^{*}},H_1\left(I{D}_{i^{*}}\right))}^{r_1}=e{(g_1^{a{x}_{i^{*}}},g_2^{b{u}_{i^{*}}})}^{c{w}_1}=e{(g_1,g_2)}^{abc·x_{i^{*}}{u}_{i^{*}}{w}_1}$ with probability $ϵ$. Thus, $\mathcal{B}$ finally can obtain the true solution to the given BDH instance as $e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}{u}_{i^{*}}{w}_1}}$ with probability $\frac{ϵ}{q_{H_4}}$. In conclusion, $\mathcal{B}$ can successfully break the BDH assumption with probability

$$Pr\left[\mathcal{B}choosesthecorrecthashquery\right|thesimulationisindistinguishable]=\frac{ϵ}{n·q_{H_4}}.$$

  □

Theorem 3.

For any PPT Type-III adversary, our CLE-MET-PA scheme is IND-CPA secure based on the BDH assumption in the random oracle model.

Proof of Theorem 3.

Assume that there exists an adversary ${\mathcal{A}}_3$ who can break the IND-CPA security of our scheme with the non-negligible advantage $ϵ$, we can construct a simulator $\mathcal{B}$ to break the BDH assumption. Given an instance as $(\mathcal{G},g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)$, $\mathcal{B}$ is to compute $e{(g_1,g_2)}^{abc}$ by running ${\mathcal{A}}_3$ as a subroutine. $\mathcal{B}$ and ${\mathcal{A}}_3$ play the following game.

1.

Setup:$\mathcal{B}$ randomly picks a cryptographic hash function $H_3:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$, randomly picks $\alpha \in {\mathbb{Z}}_p^{*}$, and sets the public parameter $pp$. $pp=\{\mathcal{G},g_1,g_2,\overline{g},H_1,H_2,H_3,$$H_4,H_5\},$ where $\overline{g}=g_1^{\alpha }$, $H_1,H_2,H_4,H_5$ are random oracles. $pp$ is sent to ${\mathcal{A}}_3$. Lists $L_{H_1},L_{H_2},L_{H_4},L_{H_5},L_s$ are initially empty. Assume that ${\mathcal{A}}_3$ can make $q_{H_1},q_{H_2},q_{H_4},q_{H_5}$ hash queries to $H_1,H_2,H_4,H_5$, respectively.

2.

Phase 1: Assume there are n users with identities $I{D}_1,\cdots ,I{D}_n$ in the system. $\mathcal{B}$ randomly chooses $i^{*}\in [1,n]$ and performs the following steps.

• $H_i$-query ($I{D}_i$) $(i=1,2,4,5)$:$\mathcal{B}$ performs as in the Proof of Theorem 1.
• Master secret key query ($1^{\lambda }$):$\mathcal{B}$ returns $\alpha$ to ${\mathcal{A}}_3$.
• Partial private key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ then computes

  $$D_i=(D_{i,1},D_{i,2})=\left(H_1^{\alpha }\left(ID\right),H_2^{\alpha }\left(ID\right)\right)=\left(g_2^{\alpha u_i},g_2^{\alpha v_i}\right),$$

  which can be computed with known $g_2,\alpha ,u_i,v_i$. $\mathcal{B}$ returns $D_i$ to ${\mathcal{A}}_3$.
• Secret key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$, stores $(I{D}_i,x_i,-,-)$ into $L_s$, and returns $x_i$ to ${\mathcal{A}}_3$.
• Private key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ was not queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{\alpha x_i{u}_i},g_2^{\alpha x_i{v}_i}\right),$$

  which can be computed with known $g_2,\alpha ,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i,-)$ into $L_s$ and returns $s{k}_i$ to ${\mathcal{A}}_3$.
• Public key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, if $I{D}_i\ne I{D}_{i^{*}}$, $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{\alpha x_i},g_2^{x_i},g_1^{x_i}\right),$$
  It then stores $(I{D}_i,x_i,-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_3$;
  If $I{D}_i\ne I{D}_{i^{*}}$, $\mathcal{B}$ randomly picks $x_i^{\prime }\in {\mathbb{Z}}_p$, implicitly sets $x_i=a{x}_i^{\prime }$, computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{\alpha a{x}_i^{\prime }},g_2^{a{x}_i^{\prime }},g_1^{a{x}_i^{\prime }}\right),$$

  which can be computed with known $g_1^a,g_2^a,\alpha ,x_i^{\prime }$. It then stores $(I{D}_i,x_i^{\prime },-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_3$.
• Proxy key query ($I{D}_{P_i}$): For a proxy with the related item in $L_s$ as $(I{D}_{P_i},x_{P_i})$, $\mathcal{B}$ performs as a public key query step and obtains

  $$p{k}_{P_i}=(X_{P_i},Y_{P_i},Z_{P_i})=\left(g_1^{\alpha x_{P_i}},g_2^{x_{P_i}},g_1^{x_{P_i}}\right).$$

  which can be computed with known $g_1,\alpha ,g_2,x_{P_i}$. $\mathcal{B}$ then returns $p{k}_{P_i}$ and $s{k}_{P_i}$ to ${\mathcal{A}}_3$.
• Token query ($I{D}_i$): For a queried $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ searches $L_s$ to find the related item of $I{D}_i$ as $(I{D}_i,x_i,s{k}_i)$, where $s{k}_i=(s{k}_1,s{k}_2)$. If the related item does not exist, $\mathcal{B}$ performs as follows. If $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{\alpha x_i{u}_i},g_2^{\alpha x_i{v}_i}\right),$$

  which can be computed with known $g_2^a,x,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i)$ into $L_s$. $\mathcal{B}$ returns $s{k}_2$ to ${\mathcal{A}}_3$.
• Proxy token query ($I{D}_i$, $I{D}_{P_i}$): For a queried $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ performs as Aut step except that $\mathcal{B}$ computes $P{I}_i=H_2{\left(I{D}_i\right)}^{x_{P_i}}=g_2^{\alpha v_i{x}_i{x}_{P_i}}$, and the proxy token

  $${\widehat{tk}}_i=H_2{\left(ID\right)}^{\alpha x+x·x_P}=g_2^{\alpha v_i{x}_i+x_i{x}_{P_i}}$$

  with known $g_2,\alpha ,v_i,x_i,x_{P_i}$. $\mathcal{B}$ returns ${\widehat{tk}}_i$ to ${\mathcal{A}}_3$.

3.

Challenge:${\mathcal{A}}_3$ sends $(s^{*},I{D}^{*},M_0^{*},M_1^{*})$ to $\mathcal{B}$, where $s^{*}$ represents the designated challenge number, $I{D}^{*}$ stands for the challenge identity, and two plaintexts $M_0^{*}$ and $M_1^{*}$ are selected from ${\{0,1\}}^{\lambda }$ with equal lengths. If $I{D}^{*}\ne I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, it randomly picks $w_1,w_2\in {\mathbb{Z}}_p,R_1,R_2\in {\{0,1\}}^{2l},R_3\in {\{0,1\}}^{\lambda }$ and implicitly sets $r_1=w_{1}c,r_2=w_{2}c$. It then computes the challenge ciphertext as

$$\begin{array}{ll}{C}_1& =g_1^{r_1}=g_1^{c{w}_1},\\ C_2& =R_1,\\ C_3& =g_1^{r_2}=g_1^{c{w}_2},\\ C_4& =g_1^{x_{i^{*}}{r}_2}=g_1^{c{x}_{i^{*}}{w}_2},\\ C_5& =R_2,\\ C_6& =R_3.\end{array}$$

4.

Phase 2:$\mathcal{B}$ interacts with ${\mathcal{A}}_3$ as Phase 1 with the limitation that $I{D}_{i^{*}}$ cannot be queried in partial private key query, secret key query, private key query, token query, and proxy token query.

5.

Guess: ${\mathcal{A}}_3$ outputs its guess bit ${\rho }^{\prime }\in \{0,1\}$.

6.

Solve:$\mathcal{B}$ randomly chooses an item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ from $L_{H_4}$ and sets

$$e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }}$$

as the solution to the BDH instance.

7.

Analysis: To successfully perform the reduction, the simulation should be indistinguishable from the real attack from the point of view of the adversary. As we can see, if the adversary chooses $I{D}_{i^{*}}$ as the challenge identity, the simulation will not abort, which means that the simulation is indistinguishable from the real attack. The corresponding probability is $1/n$. Upon the case that the simulation is indistinguishable to the adversary, we have the following analysis. Since the adversary is assumed to break the security with advantage $ϵ$, we have that it issues the hash query $e{(X_{i^{*}},H_1\left(I{D}_{i^{*}}\right))}^{r_1}=e{(g_1^{\alpha a{x}_{i^{*}}^{\prime }},g_2^{b{u}_{i^{*}}})}^{c{w}_1}=e{(g_1,g_2)}^{abc·x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }$ with probability $ϵ$. Thus, $\mathcal{B}$ finally can obtain the true solution to the given BDH instance as $e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }}$ with probability $\frac{ϵ}{q_{H_4}}$. In conclusion, $\mathcal{B}$ can successfully break the BDH assumption with probability

$$Pr\left[\mathcal{B}choosesthecorrecthashquery\right|thesimulationisindistinguishable]=\frac{ϵ}{n·q_{H_4}}.$$

  □

Theorem 4.

For any PPT Type-IV adversary, our CLE-MET-PA scheme is OW-CPA secure based on the BDH assumption in the random oracle model.

Proof of Theorem 4.

Assume there exists an adversary ${\mathcal{A}}_4$ who can break the IND-CPA security of our scheme with a non-negligible advantage $ϵ$; we can construct a simulator $\mathcal{B}$ to break the BDH assumption. Given an instance as $(\mathcal{G},g_1,g_1^a,g_1^c,g_2,g_2^a,g_2^b)$, $\mathcal{B}$ is to compute $e{(g_1,g_2)}^{abc}$ by running ${\mathcal{A}}_4$ as a subroutine. $\mathcal{B}$ and ${\mathcal{A}}_4$ play the following game.

1.

Setup:$\mathcal{B}$ randomly picks a cryptographic hash function $H_3:{\{0,1\}}^{*}\to {\{0,1\}}^{\lambda }$, randomly picks $\alpha \in {\mathbb{Z}}_p^{*}$, and sets the public parameter $pp$. $pp=\{\mathcal{G},g_1,g_2,\overline{g},H_1,H_2,H_3,$$H_4,H_5\},$ where $\overline{g}=g_1^{\alpha }$, $H_1,H_2,H_4,H_5$ are random oracles. $pp$ is sent to ${\mathcal{A}}_4$. Lists $L_{H_1},L_{H_2},L_{H_4},L_{H_5},L_s$ are initially empty. Assume that ${\mathcal{A}}_4$ can make $q_{H_1},q_{H_2},q_{H_4},q_{H_5}$ hash queries to $H_1,H_2,H_4,H_5$, respectively.

2.

Phase 1: Assume there are n users with identities $I{D}_1,\cdots ,I{D}_n$ in the system. $\mathcal{B}$ randomly chooses $i^{*}\in [1,n]$ and performs the following steps.

• $H_i$-query ($I{D}_i$) $(i=1,2,4,5)$:$\mathcal{B}$ performs as in the Proof of Theorem 2.
• Master secret key query ($1^{\lambda }$):$\mathcal{B}$ returns $\alpha$ to ${\mathcal{A}}_4$.
• Partial private key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ then computes

  $$D_i=(D_{i,1},D_{i,2})=\left(H_1^{\alpha }\left(ID\right),H_2^{\alpha }\left(ID\right)\right)=\left(g_2^{\alpha u_i},g_2^{\alpha v_i}\right),$$

  which can be computed with known $g_2,\alpha ,u_i,v_i$. $\mathcal{B}$ returns $D_i$ to ${\mathcal{A}}_4$.
• Secret key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$, stores $(I{D}_i,x_i,-,-)$ into $L_s$, and returns $x_i$ to ${\mathcal{A}}_4$.
• Private key query ($I{D}_i$): For the i-th queried identity $I{D}_i$, if $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, if $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{\alpha x_i{u}_i},g_2^{\alpha x_i{v}_i}\right),$$

  which can be computed with known $g_2,\alpha ,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i,-)$ into $L_s$ and returns $s{k}_i$ to ${\mathcal{A}}_4$.
• Public key query ($I{D}_i$): For i-th queried identity $I{D}_i$, if $I{D}_i\ne I{D}_{i^{*}}$, $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{\alpha x_i},g_2^{x_i},g_1^{x_i}\right),$$
  It then stores $(I{D}_i,x_i,-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_4$;
  If $I{D}_i\ne I{D}_{i^{*}}$, $\mathcal{B}$ randomly picks $x_i^{\prime }\in {\mathbb{Z}}_p$, implicitly sets $x_i=a{x}_i^{\prime }$, and computes

  $$p{k}_i=(X_i,Y_i,Z_i)=\left(g_1^{\alpha a{x}_i^{\prime }},g_2^{a{x}_i^{\prime }},g_1^{a{x}_i^{\prime }}\right),$$

  which can be computed with known $g_1^a,g_2^a,\alpha ,x_i^{\prime }$. It then stores $(I{D}_i,x_i^{\prime },-,p{k}_i)$ into $L_s$ and returns $p{k}_i$ to ${\mathcal{A}}_4$.
• Proxy key query ($I{D}_{P_i}$): For a proxy with the related item in $L_s$ as $(I{D}_{P_i},x_{P_i})$, $\mathcal{B}$ performs as public key query step and obtains

  $$p{k}_{P_i}=(X_{P_i},Y_{P_i},Z_{P_i})=\left(g_1^{\alpha x_{P_i}},g_2^{x_{P_i}},g_1^{x_{P_i}}\right).$$

  which can be computed with known $g_1,\alpha ,g_2,x_{P_i}$. $\mathcal{B}$ then returns $p{k}_{P_i}$ and $s{k}_{P_i}$ to ${\mathcal{A}}_4$.
• Token query ($I{D}_i$): For a queried $I{D}_i$, if $I{D}_i\ne I{D}_{i^{*}}$, $\mathcal{B}$ searches $L_s$ to find the related item of $I{D}_i$ as $(I{D}_i,x_i,s{k}_i)$, where $s{k}_i=(s{k}_1,s{k}_2)$. If the related item does not exist, $\mathcal{B}$ performs as follows. If $I{D}_i$ has not been queried to $H_1$, $\mathcal{B}$ randomly chooses $u_i$, sets

  $$H_1\left(I{D}_i\right)=g_2^{u_i},$$

  and stores $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ into $L_{H_1}$. If $I{D}_i$ has not been queried to $H_2$, $\mathcal{B}$ randomly chooses $v_i$, sets

  $$H_2\left(I{D}_i\right)=g_2^{v_i},$$

  and stores $(v_i,I{D}_i,H_2\left(I{D}_i\right))$ into $L_{H_2}$. $\mathcal{B}$ searches $L_{H_1}$ and $L_{H_2}$ to find the related items of $I{D}_i$ as $(u_i,I{D}_i,H_1\left(I{D}_i\right))$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. $\mathcal{B}$ searches $L_s$ and finds the related item of $I{D}_i$ as $(I{D}_i,x_i,-,-)$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i\in {\mathbb{Z}}_p$ and computes

  $$s{k}_i=(s{k}_{i,1},s{k}_{i,2})=\left(D_1^{x_i},D_2^{x_i}\right)=\left(g_2^{\alpha x_i{u}_i},g_2^{\alpha x_i{v}_i}\right),$$

  which can be computed with known $g_2,\alpha ,x_i,u_i,v_i$. It then stores $(I{D}_i,x_i,s{k}_i)$ into $L_s$. $\mathcal{B}$ returns $s{k}_2$ to ${\mathcal{A}}_4$.
  If $I{D}_i=I{D}_{i^{*}}$, $\mathcal{B}$ searches $L_s$ to find the related item of $I{D}_i$ as $(I{D}_i,x_i^{\prime },-,-)$ and $(v_i,I{D}_i,H_2\left(I{D}_i\right))$. If the related item of $I{D}_i$ does not exist, $\mathcal{B}$ randomly picks $x_i^{\prime }\in {\mathbb{Z}}_p$ and computes

  $$s{k}_2=g_2^{\alpha a{v}_i{x}_i^{\prime }},$$

  which can be computed with the known $g_2^a,\alpha ,v_i,x_i^{\prime }$, $\mathcal{B}$ returns $s{k}_2$ to ${\mathcal{A}}_4$.
• Proxy token query ($I{D}_i$, $I{D}_{P_i}$): For a queried $I{D}_i$, $\mathcal{B}$ performs as Aut step except that $\mathcal{B}$ computes

  $$P{I}_i=H_2{\left(I{D}_i\right)}^{x_{P_i}}=\left\{\begin{array}{ll}{g}_2^{\alpha v_i{x}_i{x}_{P_i}},& ifi\ne i^{*},\\ g_2^{\alpha a{v}_i{x}_i^{\prime }{x}_{P_i}},& ifi=i^{*}.\end{array}\right.$$

  $$\widehat{tk}=H_2{\left(ID\right)}^{\alpha x+x·x_P}=\left\{\begin{array}{ll}{g}_2^{\alpha v_i{x}_i+x_i{x}_{P_i}},& ifi\ne i^{*},\\ g_2^{\alpha a{v}_i{x}_i^{\prime }+a{x}_i^{\prime }{x}_{P_i}},& ifi=i^{*}.\end{array}\right.$$

  with known $g_2,\alpha ,v_i,x_i,x_i^{\prime },x_{P_i}$.

3.

Challenge:${\mathcal{A}}_4$ sends $(s^{*},I{D}^{*})$ to $\mathcal{B}$, where $s^{*}$ represents the designated challenge number, and $I{D}^{*}$ stands for the challenge identity. If $I{D}^{*}\ne I{D}_{i^{*}}$, $\mathcal{B}$ aborts. Otherwise, it chooses to randomly pick $M^{*}\in {\{0,1\}}^{\lambda },w_1,w_2\in {\mathbb{Z}}_p,R_1\in {\{0,1\}}^{2l},$ and implicitly sets $r_1=w_{1}c,r_2=w_{2}c$. Taking as input $M^{*},s^{*}$, it then iteratively computes $(f_0,f_1,\cdots ,f_{s^{*}-1})$ and $f\left(x\right)$ same as Enc$(pp,pk,p{k}_P,M,s)$ in Section 4.1. Then, it randomly picks $A\in {\mathbb{Z}}_p$, computes $f\left(A\right)$, before outputting the challenge ciphertext as follows:

$$\begin{array}{ll}{C}_1\hfill & =g_1^{r_1}=g_1^{c{w}_1},\\ C_2\hfill & =R_1,\\ C_3\hfill & =g_1^{r_2}=g_1^{c{w}_2},\\ C_4\hfill & =g_1^{x_{i^{*}}^{\prime }{r}_2}=g_1^{c{x}_{i^{*}}^{\prime }{w}_2},\\ C_5\hfill & =H_4\left(e(g_1^{c{w}_1},g_2^{\alpha a{v}_{i^{*}}{x}_{i^{*}}^{\prime }})\right)\oplus \left(A\right|\left|f\left(A\right)\right),\\ C_6\hfill & =H_5\left(s^{*}\left|\right|C_1^{*}\left|\right|C_2^{*}\left|\right|C_3^{*}\left|\right|C_4^{*}\left|\right|C_5^{*}\left|\right|e(g_1^{c{w}_1},g_2^{\alpha a{v}_{i^{*}}{x}_{i^{*}}^{\prime }})\left|\right|f_0\left|\right|f_1\left|\right|\cdots \left|\right|f_{s^{*}-1}\right).\end{array}$$

4.

Phase 2:$\mathcal{B}$ interacts with ${\mathcal{A}}_4$ as Phase 1 with the limitation that $I{D}_{i^{*}}$ cannot be queried in partial private key query, secret key query, and private key query.

5.

Guess: ${\mathcal{A}}_4$ outputs its guess $M^{\prime }\in {\{0,1\}}^{\lambda }$.

6.

Solve:$\mathcal{B}$ randomly chooses an item $(Q_i,H_4\left(Q_i\right)={\eta }_i)$ from $L_{H_4}$ and sets

$$e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }}$$

as the solution to the BDH instance.

7.

Analysis: To successfully perform the reduction, the simulation should be indistinguishable from the real attack from the point of view of the adversary. As we can see, if the adversary chooses $I{D}_{i^{*}}$ as the challenge identity, the simulation will not abort, which means the simulation is indistinguishable from the real attack. The corresponding probability is $1/n$. Upon the case that the simulation is indistinguishable to the adversary, we have the following analysis. Since the adversary is assumed to break the security with advantage $ϵ$, we have that it issues the hash query $e{(X_{i^{*}},H_1\left(I{D}_{i^{*}}\right))}^{r_1}=e{(g_1^{\alpha a{x}_{i^{*}}^{\prime }},g_2^{b{u}_{i^{*}}})}^{c{w}_1}=e{(g_1,g_2)}^{abc·x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }$ with probability $ϵ$. Thus, $\mathcal{B}$ can finally obtain the true solution to the given BDH instance as $e{(g_1,g_2)}^{abc}=Q_i^{\frac{1}{x_{i^{*}}^{\prime }{u}_{i^{*}}{w}_1\alpha }}$ with probability $\frac{ϵ}{q_{H_4}}$. In conclusion, $\mathcal{B}$ can successfully break the BDH assumption with probability

$$Pr\left[\mathcal{B}choosesthecorrecthashquery\right|thesimulationisindistinguishable]=\frac{ϵ}{n·q_{H_4}}.$$

  □

Theorem 5

(Number Security of CLE-MET-PA). In the information theoretical sense, no probabilistic polynomial-time adversary has a non-negligible advantage in breaking the number security of our CLE-MET-PA scheme.

Proof of Theorem 5.

In this game of number security, the adversary ${\mathcal{A}}_5$ tries to determine whether the underlying messages of $t^{*}$ challenging ciphertexts $C{T}_1^{*},\cdots ,C{T}_{t^{*}}^{*}$ are equal or not with all the designated numbers of these ciphertexts, which are $s^{*}$ and $s^{*}>t^{*}$. And, the underlying messages are chosen by $\mathcal{B}$ and they are unknown to ${\mathcal{A}}_5$. From the setting of our scheme, we have that ${\mathcal{A}}_5$ has two ways to check whether the underlying messages are equal or not, i.e., extracting $M_i$ or $f_{i,j}$ of $C{T}_i$ for some $j\in \{0,\cdots ,t^{*}-1\}$, for each $i\in \{1,\cdots ,t^{*}\}$.

In line with the OW-CPA security proof, ${\mathcal{A}}_5$ has only a negligible advantage in obtaining the underlying message from the ciphertext under the BDH assumption. To extract a $f_{i,j}$ from the ciphertext $C{T}_i=(s,C_{i,1},C_{i,2},C_{i,3},C_{i,4},C_{i,5},C_{i,6})$, ${\mathcal{A}}_5$ can make a token query or a Proxy token query on $p{k}_i$ and obtain the corresponding token $t{k}_i=s{k}_{i,2}$ or ${\widehat{tk}}_i=s{k}_{i,2}{H}_2{\left(I{D}_i\right)}^{x_i{x}_{P_i}}$ such that it is able to obtain the $A_i\left|\right|f_i\left(A_i\right)=C_{i,5}\oplus H_4\left(e(C_{i,3},t{k}_i)\right)$ or $A_i\left|\right|f_i\left(A_i\right)=C_{i,5}\oplus H_4\left(e(C_{i,3},{\widehat{tk}}_i)/e(C_{i,4},P{I}_i)\right)$, where

$$f_i\left(A_i\right)=f_{i,0}+f_{i,1}{A}_i+\cdots +f_{i,t^{*}-1}{A}_i^{t^{*}-1}$$

and

$$f_{i,j}=H_3(M_i\left|\right|s\left|\right|f_{i,0}\left|\right|\cdots \left|\right|f_{i,j-1}),j\in \{0,\cdots ,t^{*}-1\}.$$

Obtaining $A_i\left|\right|f_i\left(A_i\right)$ for each $i\in \{1,\cdots ,t^{*}\}$, ${\mathcal{A}}_5$ has an equation set as

$$\left\{\begin{array}{ll}& f_1\left(A_1\right)=f_{1,0}+f_{1,1}{A}_1+\cdots +f_{1,t^{*}-1}{A}_1^{t^{*}-1}\\ & f_2\left(A_2\right)=f_{2,0}+f_{2,1}{A}_2+\cdots +f_{2,t^{*}-1}{A}_2^{t^{*}-1}\\ & ⋮\\ & f_{t^{*}}\left(A_{t^{*}}\right)=f_{t^{*},0}+f_{t^{*},1}{A}_{t^{*}}+\cdots +f_{t^{*},t^{*}-1}{A}_{t^{*}}^{t^{*}-1}\end{array}\right.,$$

where $A_i$ for $i\in \{1,\cdots ,t^{*}-1\}$ are randomly chosen by $\mathcal{C}$. Therefore, after implicitly setting that $f_{i,k}=f_{j,k}$ for $i\in \{1,\cdots ,t^{*}-1\},j\in \{0,\cdots ,t^{*}-1\}$, these $t^{*}-1$ equations are nonlinearly correlated with each other by an overwhelming probability such that there are infinite solutions for ${\left\{f_{i,j}\right\}}_{1\le i\le t^{*},0\le j\le t^{*}-1}$. In addition, ${\mathcal{A}}_5$ has no other information to further ensure whether the underlying messages are equal or not. It can only randomly guess $b^{\prime }$. In conclusion, the adversary has a negligible advantage in breaking the number security of the proposed CLE-MET-PA scheme.  □

6. Performance Analysis and Extension

6.1. Performance Analysis of CLE-MET-PA

We conducted a visual comparison between our scheme and several existing schemes [15,30,31,40], and the results are presented in

Table 2. Comparison among several equality test schemes.

Schemes	[15]	[30]	[40]	[31]	Ours
Enc	6E+3H+2P	5E+4H+4P	2E+3H+3P	$(s+2)$E+$(s+3)$H	$(s+3)$E+$(s+5)$H+6P
Dec	4E+3H+2P	2E+4H+2P	1E+2H+3P	$(s+1)$E+$(s+2)$H	$(s-1)$E+$(s+3)$H+2P
Test	$(s-1)$(2E+4P)	$(s-1)$(2H+4P)	$(s-1)$(4H+4P)	sE+ $2s$H+SE	$2s$H+$(s+j)$P+SE
$\left|CT\right|$	$5\left|\mathbb{G}\right|+|{\mathbb{Z}}_p|$	$3\left|\mathbb{G}\right|+|{\mathbb{Z}}_p{|+\{0,1\}}^{\lambda }$	$3\left|\mathbb{G}\right|+|{\mathbb{Z}}_p|$	$2\left|\mathbb{G}\right|+5|{\mathbb{Z}}_p{|+\{0,1\}}^{\lambda }$	$3\left|\mathbb{G}\right|+5|{\mathbb{Z}}_p{|+\{0,1\}}^{\lambda }$
AntiKM	✓	✓	✓	×	✓
AntiKE	×	✓	✓	✓	✓
PA	×	×	×	×	✓

E, H, P, and SE represent the computation cost of an exponential operation, hash operation, pairing operation, and solving an equation set, respectively. $\left|{\mathbb{Z}}_p\right|$, $\left|\mathbb{G}\right|$ represent the bit length of a group element in ${\mathbb{Z}}_p$, $\mathbb{G}$, respectively. j: number of proxy tokens, (0 ≤ j ≤ s). s: number of ciphertexts to be verified. AntiKM, AntiKE, and PA represent anti-key management feature, anti-key escrow feature and proxy-assisted authorization feature, respectively. The presence of a checkmark indicates that the feature has been included, while a cross indicates that the feature has not been included.

. Among them, Refs. [15,30,40] only support pairwise equality tests. Therefore, in scenarios where we need to test the equality of s ciphertexts, these three schemes require $s-1$ executions of their test algorithms.

We adopted the commonly used approach for the performance analysis of most PKEET schemes, which involves calculating the complexity of significant algorithms, ciphertext size, and scheme-specific functionalities. This method allows us to evaluate different algorithms using the same standard across various platforms. Initially, we evaluated the complexity of encryption, decryption, and test algorithms, primarily focusing on three metrics: the number of exponential operations, hash operations, and bilinear pairings, denoted by E, H, and P, respectively. We excluded efficient operations such as addition, multiplication, and XOR. Next, we considered additional metrics such as ciphertext size and three functionalities: the anti-key management feature, the anti-key escrow feature, and support for proxy-assisted authorization.

As shown in Table 2, our scheme demonstrates significant advantages in terms of the multi-ciphertext equality test algorithm. In comparison to traditional schemes that support pairwise equality tests, our multi-ciphertext equality test exhibits lower computational complexity than conducting multiple pairwise equality tests. Specifically, even in extreme situations where all tokens are proxy tokens, we only require $2s$ of the most computationally expensive bilinear pairings. This is notably lower than other schemes that support pairwise equality tests. Furthermore, our scheme inherently possesses certificateless encryption properties, effectively addressing the key management problem in PKEET and the key escrow problem in IBEET. This makes our scheme more suitable in scenarios where certificate management is challenging or where anonymous communication is required. Additionally, we introduced the feature of proxy-assisted authorization, enabling users to delegate proxy authorization while they are offline and better protect their private keys. These characteristics make our CLE-MET-PA scheme more competitive for practical use.

6.2. Extension

As mentioned before in this paper, our CLE-MET-PA scheme achieves IND-CPA security against adversaries without a trapdoor and OW-CPA security against adversaries with a trapdoor. We extend our scheme to CCA security with FO transformation [32,33] by simple modifications. The improved version of CLE-MET-PA is as follows.

• Setup$\left(1^{\lambda }\right)$: Almost the same as Setup$\left(1^{\lambda }\right)$ in Section 4.1. The difference is that while generating $pp$ and $msk$, additionally generate a cryptographic hash function $H_6:{\{0,1\}}^{*}\to {\{0,1\}}^l,$ and add it in $pp$.
• Partial-Private-Key-Extract $(pp,msk,ID)$: Same as Partial-Private-Key-Extract$(pp,msk,ID)$ in Section 4.1.
• Set-Secret-Value $(pp,ID)$: Same as Set-Secret-Value $(pp,ID)$ in Section 4.1.
• Set-Private-Key $(pp,D,x)$: Same as Set-Private-Key $(pp,D,x)$ in Section 4.1.
• Set-Public-Key $(pp,x)$: Same as Set-Public-Key $(pp,x)$ in Section 4.1.
• Set-Proxy-Key $(pp,I{D}_P)$: Same as Set-Proxy-Key $(pp,I{D}_P)$ in Section 4.1.
• Enc$(pp,pk,M,s)$: Taking as input the system parameter $pp$, a user public key $pk$, and a proxy public key $p{k}_P$, check whether $e(X,g_2)=e(\overline{g},Y)$ holds; if not, output ⊥ and abort. Then, taking as input a message $M\in {\mathbb{Z}}_p$, and a number $s\in {\mathbb{Z}}_p$, iteratively compute $(f_0,f_1,\cdots ,f_{s-1})$ and $f\left(x\right)$ same as Enc$(pp,pk,M,s)$ in Section 4.1.

It randomly chooses $A,r_1,r_2\in {\mathbb{Z}}_p$, computes $C_3=H_4\left(r_1\right)\oplus \left(M\right||r_1)$, $R=H_3(r_1\left|\right|M$$\left|\right|C_3)$, and outputs the ciphertext $CT=(s,C_1,C_2,C_3,C_4,C_5,C_6,C_7)$ as

$$\begin{array}{ll}{C}_1& =g_1^R,C_2=H_6\left(e{(X,H_1\left(ID\right))}^R\right)\oplus r_1,\\ C_3& =H_4\left(r_1\right)\oplus \left(M\right||r_1),\\ C_4& =g_1^{r_2},C_5=Z^{r_2},\\ C_6& =H_4\left(e{(X,H_2\left(ID\right))}^{r_2}\right)\oplus \left(A\right|\left|f\left(A\right)\right),\\ C_7& =H_5\left(s\right||C_1\left|\right|C_2\left|\right|C_3\left|\right|C_4\left|\right|C_5\left|\right|C_6\left|\right|e{\left(X,H_2\left(ID\right)\right)}^{r_2}\left|\right|f_0\left|\right|f_1\left|\right|\cdots \left|\right|f_{s-1}).\end{array}$$

• Dec$(CT,sk)$: Taking as input a ciphertext $CT=(s,C_1,C_2,C_3,C_4,C_5,C_6,C_7)$ and a secret key $sk=\left(H_1{\left(ID\right)}^{\alpha x},H_2{\left(ID\right)}^{\alpha x}\right)$, the decrypt algorithm computes

  $$r_1^{\prime }=C_2\oplus H_6\left(e(s{k}_1,C_1)\right),M^{\prime }\left|\right|r_1^{\prime }=C_3\oplus H_4\left(r_1^{\prime }\right),R^{\prime }=H_3(r_1^{\prime }\left|\right|M^{\prime }\left|\right|C_3).$$

It then computes

$$\begin{array}{l}{f}_0^{\prime }=H_3(M^{\prime }\left|\right|s),f_1^{\prime }=H_3(M^{\prime }\left|\right|s\left|\right|f_0^{\prime }),\cdots ,\\ f_{s-1}^{\prime }=H_3(M^{\prime }\left|\right|s\left|\right|f_0^{\prime }\left|\right|\cdots \left|\right|f_{s-2}^{\prime })\end{array}$$

and checks whether the following equations hold or not

$$\begin{array}{l}{C}_1=g_1^{R^{\prime }},\\ f^{\prime }\left(A^{\prime }\right)=f_0^{\prime }+f_1^{\prime }{A}^{\prime }+\cdots +f_{s-1}^{\prime }{A^{\prime }}^{s-1},\\ C_7=H_5\left(s\right||C_1\left|\right|C_2\left|\right|C_3\left|\right|C_4\left|\right|C_5\left|\right|C_6\left|\right|e(s{k}_2,C_4)\left|\right|f_0^{\prime }\left|\right|f_1^{\prime }\left|\right|\cdots \left|\right|f_{s-1}^{\prime }),\end{array}$$

where $A^{\prime }\left|\right|f^{\prime }\left(A^{\prime }\right)=C_5\oplus H_4\left(e(s{k}_2,C_4)\right)$. If all the equations hold, it returns

$$M=M^{\prime }.$$

Otherwise, it returns ⊥.

The structures of the subsequent Aut, Proxy-Aut, and Test algorithms are essentially the same as the relevant algorithms in Section 4.1. Since these algorithms do not affect the security of the scheme, we will not elaborate further.

It is important to highlight that the enhanced scheme offers improved security, albeit with a slight increase in system parameter size, cipher size, and computation for encryption and decryption algorithms. In particular, the system parameters ($pp$) now incorporate an additional hash function. Furthermore, the cipher size increased by $2|{\mathbb{Z}}_p|$, and both the encryption and decryption algorithms entail two additional hash operations (denoted by 2H). By definition of FO transformation, our improved CLE-MET-PA scheme achieves IND-CCA security against adversaries without the trapdoor of the challenge ciphertext and OW-CCA security against adversaries with trapdoor of the challenge ciphertext.

7. Conclusions

In this work, we presented the notion of CLE-MET-PA, which integrates the characteristics of solving the key management problem in the public key encryption cryptosystem and addressing the key escrow problem in the IBE cryptosystem. It combines the feature of the multi-ciphertext equality test and supports proxy-assisted authorization, enhancing the practical use of the scheme. We formalized the system model and five security models for CLE-MET-PA, and proved that our scheme achieves OW-CPA/IND-CPA security. Finally, through an FO transformation, we obtained the improved version of CLE-MET-PA, which achieves OW-CCA/IND-CCA security.