5.2. Security
In this section, the proposed scheme is proven to be secure with respect to each of the three types of adversaries, and thus it follows that the constructed RCL-PKE scheme is IND-CPA secure.
Theorem 2. Let , then the above RCL-PKE scheme is IND-CPA secure under the LWE assumption.
Proof. . The game is the same as the secure game.
. The game is the same as , except that is generated differently. In , randomly select to replace the original .
Since possesses a master private key , can generate his/her own partial private key and the time update key . However, cannot access the secret value of . Under the LWE assumption, is computationally indistinguishable from , so is indistinguishable from .
. The game is the same as , except that the challenge ciphertexts are generated in different ways, randomly selecting , , . Compute the challenge ciphertext and are the same as .
From the leftover hash lemma, we see that is statistically indistinguishable from , is statistically indistinguishable from , and thus is indistinguishable from , because is a random uniform distribution on , and is independent of other ciphertext elements. Therefore, the adversary’s advantage in winning is negligible. Finally, the theorem holds. □
Theorem 3. Let , then the above RCL-PKE scheme is IND-CPA secure under the LWE assumption.
Proof. . The game is the same as the secure game.
. The game is the same as except that are generated differently. In , selects , computes , , and retains .
From the leftover hash lemma, the advantage of in distinguishing between and is negligible.
. The game is the same as , except that is generated differently. In , randomly selects . Since does not possess the trapdoor , and needs to simulate the items generated by in , such as and , where , .
Since , if , can use and algorithms to obtain , then it can use algorithms to obtain .
. This game is the same as , except that the ciphertexts are generated in different ways. In , selects , . Let , and computes
Output the ciphertext
The advantage of the adversary in distinguishing between and is negligible.
. The game is the same as , except that the ciphertext is generated differently. In , selects , . Let , , and are the same as .
From LWE, the advantage of the adversary in distinguishing between and is negligible. Since is uniformly random on and is independent of other ciphertext elements, the adversary’s advantage of winning is negligible. Finally, the theorem holds. □
Theorem 4. Let , then the above RCL-PKE scheme is IND-CPA secure under the LWE assumption.
Proof. . The game is the same as the secure game. . The game is the same as , except that are generated differently. In , randomly selects , and lets .
From the leftover hash lemma, is indistinguishable from .
. The game is the same as , except that the binary tree is generated differently and the leaf nodes are selected differently. The challenger creates an empty binary tree , then chooses a random leaf node to place , and finally sends to .
Because the creation of is only conceptual and the storage leaf position of is hidden from , cannot distinguish between and .
. The game is the same as , except that the storage generation of in for some nodes V is different. Since , accesses the private key of , must be revoked before the time of . It is known that , where , . When initiates a (or ) query, selects (or ), and computes (or ). The corresponding is stored in the node v and retains ().
From Lemma 3, is indistinguishable from .
. The game is the same as , except that A is generated differently. In , randomly select , so does not possess . When initiates and queries, if or , return stored in .
If , there is , utilizing to run the algorithm to get , and then using the algorithm to get .
Similarly, if , there is , using to run the algorithm to get .
From Lemma 3, is indistinguishable from .
. The game is the same as , except that the ciphertext is generated differently. In , selects , . Let , and compute
Output the ciphertext .
Because in
From the leftover hash lemma, the advantage of an adversary in distinguishing between and is negligible.
. The game is the same as , except that the ciphertext is generated differently. In , selects , . Let , , and are the same as .
Under the LWE assumption, the advantage of the adversary in distinguishing between and is negligible. Since is uniformly random on and is independent of other ciphertext elements, the adversary’s advantage of winning is negligible. Finally, the theorem holds. □
Remark 4. Since the ciphertext of user is not only associated with its public key , but also related to a specific time t, if the user wants to decrypt the ciphertext , user must obtain the decryption key corresponding to the time t. The decryption key is generated using the user’s private key and the time update key at time t. Only when the user is not revoked at time t can he obtain the time update key at time t, generate the decryption key , and decrypt the ciphertext . In our security model, the adversary may access the decryption key reveal oracle, so the scheme has the DKER property, which guarantees that even if the user’s decryption key is disclosed at a certain time, the user’s private key cannot be calculated from it. Therefore, the decryption keys for other times cannot be calculated; that is, the security of ciphertexts encrypted at other times is not affected. Therefore, our scheme ensures both forward and backward security: even if the adversary obtains the private key of the user at time t, he cannot decrypt the ciphertext before (backward secure) or after (forward secure) time t.
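The following is an added illustration, not code from the paper, of why only a non-revoked user can combine a private key with the time update key. It assumes the scheme's binary tree is used with the standard complete-subtree (KUNodes) method from the revocable-encryption literature, which this section does not spell out; the heap-style node numbering, the function names and the convention that a user revoked at time t is already excluded at t are assumptions of the example.

```python
# Added illustration: complete-subtree node cover for revocation.
# Tree is heap-indexed: root = 1, children of v are 2v and 2v+1,
# and the leaves of a tree of depth d are the nodes 2**d .. 2**(d+1)-1.

def path(leaf):
    """Nodes on the path from a leaf up to the root (inclusive).
    A user's private key holds one component per node on this path."""
    nodes = []
    while leaf >= 1:
        nodes.append(leaf)
        leaf //= 2
    return nodes

def ku_nodes(depth, revocation_list, t):
    """Minimal set of nodes whose subtrees cover exactly the leaves
    that are NOT revoked at time t. The time update key for t holds
    one component per node in this set.
    revocation_list: iterable of (leaf, revocation_time) pairs."""
    first_leaf = 1 << depth
    marked = set()
    for leaf, t_rev in revocation_list:
        if not first_leaf <= leaf < 2 * first_leaf:
            raise ValueError(f"{leaf} is not a leaf of a depth-{depth} tree")
        if t_rev <= t:                      # assumed convention: revoked at t counts
            marked.update(path(leaf))       # every ancestor of a revoked leaf
    if not marked:
        return {1}                          # nobody revoked: the root covers all
    cover = set()
    for v in marked:
        if v < first_leaf:                  # internal node
            for child in (2 * v, 2 * v + 1):
                if child not in marked:     # subtree free of revoked leaves
                    cover.add(child)
    return cover

def shared_node(leaf, cover):
    """Node where a user's path meets the cover, or None if revoked.
    Without such a node no decryption key for this period can be formed."""
    hits = [v for v in path(leaf) if v in cover]
    return hits[0] if hits else None

if __name__ == "__main__":
    rl = [(10, 5)]                          # constructed: leaf 10 revoked at time 5
    for t in (4, 5):
        cover = ku_nodes(3, rl, t)
        print(t, sorted(cover), {u: shared_node(u, cover) for u in (8, 10, 11)})
```

A non-revoked leaf always meets the cover in exactly one node, so the per-period decryption key is derived from that single pair of components and reveals nothing about the other path components of the long-term private key.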