Revocable Identity-Based Matchmaking Encryption with Equality Test for Smart Healthcare

Abstract

Smart healthcare establishes a safe, reliable, and efficient medical information system for the public with the help of the Internet of Things, cloud storage, and other Internet technologies. To enable secure data sharing and case-matching functions in smart healthcare, we construct a revocable identity-based matchmaking encryption with an equality test (RIBME-ET) scheme for smart healthcare. Our scheme not only ensures the confidentiality and authenticity of messages and protects the privacy of users, but also enables a cloud server to perform equality tests on encrypted ciphertexts from different identities to determine whether they contain the same plaintext and protects the confidentiality of data in the system through a user revocation mechanism. Compared with the existing identity-based encryption with equality test (IBEET) and identity-based matchmaking encryption with equality test (IBME-ET) schemes, we have improved the efficiency of the scheme and reduced communication overhead. In addition, the scheme’s security is proven in the random oracle model under the computational bilinear Diffie–Hellman (CBDH) assumption. Finally, the feasibility and effectiveness of the proposed scheme are verified by performance analysis.

1. Introduction

Smart healthcare [1,2,3] is a new medical model that uses cloud storage, cloud computing, big data, and other information technologies to improve people’s health. It provides complete data support for patients and doctors and enables telemedicine, intelligent monitoring, data analysis, and other medical services. The purpose of smart healthcare is to use the user’s medical data to complete relevant medical operations and to provide more intelligent services.

Smart healthcare can effectively achieve optimal allocation of resources and can improve the medical level of local hospitals, but under the smart healthcare system, sensitive medical data transmission is involved. This poses a challenge to how smart healthcare can be used to store and manage data more effectively. Smart healthcare systems face several security issues, such as data origin and integrity verification; data confidentiality and user privacy protection; and key leakage issues. The complexity of security issues facing smart healthcare makes it crucial to design a secure and efficient data encryption scheme. Especially in systems where there may be users who do not want sensitive medical data to be leaked to other unrelated personnel, there is a need to achieve user privacy protection while securing medical data.

The most common method for securing data is encryption, which ensures the confidentiality of the data. We aim to achieve secure sharing of medical data and matching of patient cases to help patients communicate better. Lin et al. provided a diversified butterfly attractors of memristive Hopfield neural network (HNN) with two memristive systems, which can successfully realize the privacy protection of medical data [4]. Ding et al. proposed a novel chaotic memristive neural network (MNN) that integrates two memristors into a traditional Hopfield neural network [5]; the secure algorithm was then successfully applied in a remote sensing system to protect image data privacy. Although chaotic encryption protects data privacy, public key encryption is more suitable for implementing fine-grained access control, data sharing, and case matching of users in smart healthcare. Yang et al. [6] proposed public key encryption with equality test (PKEET) for use in Internet-based systems for private health records (PHRs) [7,8,9], which enables the cloud server to perform an equality test of two encrypted ciphertexts to confirm whether they contain the same plaintext, and the cloud server helps the patient to match the their data with that of others. When uploading data in a smart healthcare system, it is important to ensure the authenticity of the user’s data during data uploading to prevent other malicious users from posting malicious or false medical information.

In recent years, several scholars have shifted their research focus to identity-based encryption with equality test schemes (IBEET). IBEET eliminates certificate management issues in the PKEET, and IBEET is used in several applications, such as in smart healthcare and Internet of Vehicles (IoV) road monitoring. However, there are some security issues with IBEET, since the current IBEET [10,11] does not consider the anonymity of both the sender and the receiver, which may lead to the disclosure of identity information. The identity-based matchmaking encryption (IBME) scheme investigated by Ateniese et al. [12] provides an enhanced privacy protection mechanism for user matching in smart healthcare. IBME provides a bilateral access control function, which allows the sender and receiver to specify each other’s respective identities at the same time. The IBME scheme prevents the leakage of identity privacy, and when there is a mismatch, except for decryption failures, the receiver cannot access arbitrary information. In addition, user revocation [13,14,15] is also an issue that needs to be considered in intelligent medical systems; when the user’s key is leaked or lost, an attacker can obtain the user’s key and decrypt the ciphertext sent by the sender to obtain the corresponding medical information, leading to the leakage of the user’s private information.

In smart healthcare, the user can issue a query request to the server to help contact other users with the same disease, for example, two patients with different doctors but the same symptoms wanting to seek each other’s experience and help. One question here is how bilateral access control can be realized [16] to better protect the privacy of both parties. The doctor and patient designate each other; the doctor encrypts the data for a patient, and only the patient can successfully decrypt it. When the two parties do not match, there is no information leakage except for decryption failure. However, the traditional IBEET scheme does not solve this problem.

To address the challenges of protecting sender and receiver privacy, enabling bilateral access control, preserving data authenticity, and mitigating key loss and disclosure risks, we propose a revocable identity-based matchmaking encryption with equality test (RIBME-ET) scheme. This solution integrates identity-based matchmaking encryption (IBME) with an equality test mechanism. Our scheme achieves user revocation and uses less time in the decryption, trapdoor generation, and equality test phases compared to the existing identity-based matchmaking encryption with equality test scheme (IBME-ET) [17]. Compared to the existing IBEET [10,18] scheme, our scheme enables user revocation, achieves finer-grained access control, and further enhances user privacy. The main contributions of this paper are as follows:

• We establish the first formal definition and security model for RIBME-ET, along with its concrete construction. The scheme implements a privacy-enhanced bilateral access control mechanism tailored to user matching in smart healthcare systems, ensuring both medical data authenticity and user privacy preservation.

• Cloud servers leverage the equality test functionality to compare ciphertexts in smart healthcare scenarios, enabling patients to seek mutual assistance and share experiences securely. Our design incorporates user revocation, safeguarding encrypted medical data from decryption even if keys are compromised or lost. Comprehensive security proofs and performance evaluations validate the scheme’s robustness and efficiency.

Organization of the paper: Here, we outline the structure of the rest of the paper. Section 2 introduces some related works. Preliminaries and definitions are described in Section 3 and Section 4, and we propose a security model for our scheme. In Section 5, we construct a RIBME-ET scheme. In Section 6, we prove the security of our scheme. Performance evaluations are presented in Section 7. Finally, we conclude this paper in Section 8.

2. Related Work

In smart healthcare, to ensure data confidentiality, patients encrypt their medical data and store it in an encrypted form on cloud servers. When one of these patients, Alice, wants to find other patients with the same condition as her to share their experiences, Alice will commission a third party to help her find such patients. At the same time, considering privacy, Alice will not directly disclose her disease information to the third party but will encrypt her disease information and send it to the third party. When another patient, Bob, also wants the third party to help him find other patients with the same condition, Bob similarly encrypts his medical information and sends it to the third party. Subsequently, the third party performs equivalence testing on the encrypted disease information without decrypting it. If Alice’s encrypted message and Bob’s encrypted message are both encrypted from the same disease information, the third party will notify Alice and Bob. It is important to note that the third party does not obtain this disease information. Traditional identity-based encryption and searchable encryption cannot meet the specific requirements of this application scenario. Encryption schemes encrypt information, and without the decryption key, it is impossible to perform computational processing on the ciphertext and therefore impossible to distinguish the relationships between these ciphertexts. In searchable encryption schemes, the ciphertext used for retrieval and the trapdoor sent by the user must be generated using the same public–private key pair. If the ciphertext and trapdoor used for retrieval are encrypted using different public–private key pairs, the ciphertext cannot be identified.

Yang et al. proposed a public key encryption scheme supporting equality testing (PKEET), which allows anyone to determine whether two ciphertexts generated under different public keys contain the same message [6]. This scheme provided a solution for case matching and user classification in smart healthcare. Tang et al. proposed a fine-grained authorization PKEET scheme that allows an authorized equality test to be conducted on ciphertexts by two users [19]. The scheme effectively improves PKEET authorization. Then Tang proposed the all-or-nothing PKEET scheme (AON-PKEET) [20], which specifies who can perform an equality test on ciphertexts. Moreover, Tang proposed the PKEET scheme with authorization of different granularity (ADG-PKEET) [21]. This scheme is an extension of FG-PKEET, which protects against offline message recovery attacks (OMRAs) through the dual-server mechanism.

Ma et al. proposed an equality test scheme with flexible authorization (PKEET-FA). This cryptographic scheme provides authorization based on four different scenarios [22], and the security of these cryptosystems is based on the difficult assumption of bilinear pairs. Huang et al. proposed public key encryption with an authorized equality test (PKE-AET), which employs cipher-level authorization and user-level authorization to enhance privacy protection [23], and this scheme allows for a comparison of specific users’ ciphertexts or all ciphertexts. Hassan et al. proposed an efficient certificateless public key encryption scheme with authorized equality tests in healthcare environments [24]. Susilo et al. proposed public key encryption with a multi-ciphertext equality test in cloud computing [25]. Ma et al. proposed efficient public key encryption with an outsourced equality test for cloud-based IoT environments [26].

An increase in users in the cloud environment may lead to an increase in certificate management burden. To better enable PKEET to be better applied to the cloud environment, Ma et al. combined identity-based encryption and an equality test [18] and proposed, for the first time, an identity-based encryption scheme with an equality test function (IBEET). Lee et al. proposed a semi-generic construction of public key encryption and identity-based encryption with equality test [10]. Xiong et al. constructed the notion of identity-based signcryption with equality test (IBSC-ET) by combining signcryption and an equality test scheme [27]. Yang et al. proposed an efficient identity-based encryption with an equality test in cloud computing [28].

Ateniese et al. proposed a new encryption scheme termed identity-based matchmaking encryption (IBME) [12]. This scheme enables both senders and receivers to specify the identity conditions that the other party must satisfy to decrypt the message. The main security guarantee is privacy-preserving identity matching: during the decryption process, when the sender and receiver do not match each other, no information will be revealed. IBME opens up new ways of secretly communicating and enables several new applications. IBME ensures message confidentiality and authenticity in a non-interactive manner and provides the functionality required for bilateral access control of identities. Therefore, IBME offers users a more convenient and secure communication approach.

Chen et al. proposed an IBME from standard assumptions in the standard model [29]. Jiang et al. proposed a revocable IBME in the standard model, whose security is reduced to the hardness of the decisional bilinear Diffie–Hellman problem and computational Diffie–Hellman problem [30]. Wu et al. proposed a fuzzy IBME and implemented it [31]. Yan et al. proposed an IBME-ET and proved its security under the random oracle [17].

As shown in Table 1, except for the IBME scheme, all other schemes achieved CCA security. The traditional PKEET [6] scheme implements a ciphertext equality test but does not consider user revocation and finer-grained access control features. The IBEET [10] scheme accomplishes identity substitution via public keys as opposed to the PKEET scheme but does not consider user revocation and bilateral access control. Recent IBME [12] schemes have achieved finer-grained access control from the sender to the receiver but have not implemented the ciphertext equality test. In contrast, the IBME-ET [17] scheme implements the ciphertext equality test and bilateral access control and does not consider key revocation. Compared with the above schemes, our scheme not only improves the efficiency of decryption and trap generation but also considers user revocation, so it is better able to protect data in smart healthcare.

Table 1.

Comparison of functionality.

Schemes	Equality Test	User Revocation	Bilateral Access Control	Security Model
PKEET [6]	✓ 1	× 2	×	CCA
IBEET [10]	✓	×	×	CCA
IBME [12]	×	×	✓	CPA
IBME-ET [17]	✓	×	✓	CCA

¹ ✓: Supports the functionality. ² ×: Does not support the functionality.

3. Preliminaries

In this section, we review preliminaries including notations, bilinear maps, and the computational bilinear Diffie–Hellman (CBDH) assumption.

3.1. Bilinear Map

Given two cyclic groups $G_1$ and $G_2$ of prime order p, let g be a generator of $G_1$ and an admissible bilinear mapping e: $G_1$×$G_1$→$G_2$ is expected to satisfy the following properties:

• Bilinearity: $e({g_1}^x,{g_2}^y)=e{(g_1,g_2)}^{xy}$ for ∀$g_1,g_2\in G_1$, and $x,y\in Z_p^{*}$.

• Non-degeneracy: $e(g,g)\ne 1$.

We say that $G_1$ is a bilinear group if the group operation in $G_1$ and the bilinear map e: $G_1$×$G_1$→$G_2$ are both efficiently computable.

3.2. Computational Bilinear Diffie–Hellman Assumption

Given a random tuple $(g,g^a,g^b,g^c)$ of a CBDH problem, where g is the generator of group $G_1$ and $a,b,$ and c are randomly chosen from $Z_p^{*}$, its solution is $e{(g,g)}^{abc}$. Formally, the CBDH problem is hard in $(G_1,G_2,e)$ if, for every PPT adversary A,

$Pr[A(q,G_1,G_2,e,g,g^a,g^b,g^c)=e{(g,g)}^{abc}]\le negl\left(\lambda \right)$.

We say that the CBDH assumption holds in $(g,G_1,G_2,e)$ if no PPT algorithm can compute $e{(g,g)}^{abc}$ with a non-negligible advantage.

4. Definition

In this section, we formalize the syntax and security of the RIBME-ET scheme.

4.1. System Model

The system model is shown in Figure 1. The system model consists of the following four entities, namely the sender, receiver, key generation center (KGC), and cloud server, as listed below:

• Sender: The sender encrypts the messages with the encryption key and the specified receiver’s identity and then sends the resulting ciphertexts to the receiver.

• Receiver: The receiver can decrypt the ciphertexts, generate trapdoors, and upload both the ciphertexts and computed trapdoors to the cloud server.

• KGC: KGC is responsible for managing users in the system and generating encryption and decryption keys for senders and receivers. For user revocation, the KGC manages the distribution of the key; if the KGC stops sending the decryption key to the receiver, it means that the user has been revoked. Decryption algorithms and trapdoor algorithms require a decryption key that is related to the time period t.

• Cloud server: This entity is responsible for storing ciphertexts and providing equality tests.

Figure 1.

System model.

4.2. Syntax of RIBME-ET

RIBME-ET is composed of the following polynomial algorithm:

• Setup$\left(1^{\lambda }\right)\to (mpk,msk)$: Input the security parameter $\lambda$, and the algorithm outputs a time period t as input to produce the system’s master public key $mpk$ and master secret key $msk$. Then the $mpk$ is used as an implicit input for the following algorithms.

• SKGen$(msk,I{D}_{Snd})\to e{k}_{I{D}_{Snd}}$: After inputting the master secret key $msk$ and the sender’s identity $I{D}_{Snd}$, the algorithm outputs the encryption key $e{k}_{I{D}_{Snd}}$.

• RKGen$(msk,t,I{D}_{Rev})\to e{k}_{I{D}_{Rev}}$: After inputting the master secret key $msk$ and the receiver identity $I{D}_{Rev}$, during time period t, the algorithm outputs the decryption key $d{k}_{I{D}_{Rev}}$, which is associated with the time.

• Enc$(e{k}_{I{D}_{Snd}},t,I{D}_{Rev},m)\to C$: Given $mpk$, the encryption key $e{k}_{I{D}_{Snd}}$, a period time t, a receiver identity $I{D}_{Rev}$, and the message m, the algorithm outputs the ciphertext C.

• Dec$(d{k}_{I{D}_{Rec}},I{D}_{Snd},C)\to m$: Given $mpk$, the decryption key $d{k}_{I{D}_{Rev}}$, a sender identity $I{D}_{Snd}$, and the ciphertext C, the algorithm outputs m.

• Trap$\left(d{k}_{I{D}_{Rev}}\right)\to t{d}_{ID}$: It takes as input a portion of the receiver’s private key to compute the trapdoor corresponding to the ciphertext.

• Test$(C_{I{D}_i},t{d}_{I{D}_i},C_{I{D}_j},t{d}_{I{D}_j})\to result$: This algorithm takes a receiver’s ciphertext with trapdoor $t{d}_{I{D}_i}$ and another receiver’s ciphertext with trapdoor $t{d}_{I{D}_j}$ as inputs and outputs a result of 0 or 1.

Correctness of RIBME-ET scheme: RIBME-ET $\Pi$ = (Setup, SKGen, RKGen, Enc, Dec, Trap, Test) is correct if $\forall \lambda \in N$, $(mpk,msk)\leftarrow$ Setup($1^{\lambda })$, Pr[Dec$(d{k}_{I{D}_{Rev}}$, $snd$, Enc$(e{k}_{I{D}_{Snd}},t,rcv,m))=m]$≥$1-negl(\lambda$), and Test$(C_{I{D}_i},t{d}_{I{D}_i},C_{I{D}_j},t{d}_{I{D}_j})$ = 0 or 1, where $e{k}_{I{D}_{Snd}},d{k}_{I{D}_{Rev}},$ and $t{d}_{ID}$ are generated by SKGen($msk,I{D}_{Snd}$), RKGen($msk,t,I{D}_{Rev}$), and Trap$\left(d{k}_{I{D}_{Rev}}\right)$.

4.3. Security Definitions of RIBME-ET

We analyze the security model of the RIBME-ET scheme and define three types of adversaries under our system model:

• Type-I adversary: A Type-I adversary $A_1$, who possesses a trapdoor, attempts to recover the plaintext m from a ciphertext. Security against $A_1$ is defined as one-wayness under chosen identity and chosen ciphertext attacks (OW-ID-CCA).

• Type-II adversary: A Type-II adversary $A_2$, who has no trapdoor, attempts to determine which plaintext corresponds to a given ciphertext. Security against $A_2$ requires indistinguishability under chosen identity and chosen ciphertext attacks (IND-ID-CCA).

• Type-III adversary: A Type-III adversary $A_3$ tries to forge a ciphertext C corresponding to the sender’s identity. The forgery $(C,Rev,Snd)$ is considered valid if for all encryption keys $e{k}_{I{D}_{Snd}}$ obtained by the adversary $A_3$ it holds that $I{D}_{Snd}=Snd$ and the identity $Rev$ is not held by the adversary $A_3$. Security against Type-III adversary is existential unforgeability against identity under chosen message attacks (EU-ID-CMA).

Definition 1

(OW-ID-CCA). Regarding $A_1$, the RIBME-ET scheme meets OW-ID-CCA security when no PPT $A_1$ is winning the game below with a non-negligible advantage.

1. Setup: Challenger C takes the security parameter $\lambda$ as input, runs RIBME-ET.Setup($1^{\lambda })\to$$mpk$, and sends the master public key $mpk$ to $A_1$.

2. Phase 1: $A_1$ may query the following oracles polynomially many times adaptively and in any order: $O_{SKGen},O_{RKGen},O_{Dec}$, and $O_{Trap}$.

   • $O_{SKGen}$: Given the identity of the sender $Snd$ is received, $A_1^{\prime }$ answers the encryption key $e{k}_{Snd}$.

   • $O_{RKGen}$: Given the identity of the receiver $Rev$ is received, $A_1^{\prime }$ answers the decryption key $d{k}_{Rev}$.

   • $O_{Dec}$: Given the identity of the receiver $Rev$, the identity of the target sender $snd$, and the ciphertext C are received, C answers the result of $Dec(mpk,d{k}_{Rev},Snd,C)$.

   • $O_{Trap}$: Given the identity of the target sender $Snd$ and the identity of the receiver $Rev$ are received, C answers the corresponding trapdoor $td(Snd,Rev)$.

3. Challenge: $A_1$ sends identities $Sn{d}^{*}$ and $Re{v}^{*}$ to C. Subsequently, C randomly chooses a message $m^{*}\in {\left\{0,1\right\}}^n$ in answer to $A_1$ with the challenge ciphertext C = $Enc(mpk,e{k}_{Sn{d}^{*}},Re{v}^{*},t^{*},m^{*})$.

4. Phase 2: $A_1$ makes queries like in Phase 1.

5. Guess: $A_1$ answers a guess $m^{\prime }$.

We say that the adversary $A_1$ wins if $m^{\prime }=m^{*}$ in the above game, and the advantage of $A_1$ is defined as $ad{v}_{RIBME-ET,A_1}^{OW-ID-CCA}\left(\lambda \right)=Pr(m^{\prime }=m^{*})$.

In the above game, $A_1$ cannot ask the following queries:

$O_{RKGen}\left(Re{v}^{*}\right)$ and $O_{Dec}(Re{v}^{*},Sn{d}^{*},C^{*})$.

Definition 2

(IND-ID-CCA). We say that a RIBME-ET scheme is IND-ID-CCA-secure against Type-II adversaries if for any PPT adversary $A_2$, the advantage of $A_2$ in the following game with the challenger C is negligible in terms of the security parameter λ.

1. Setup: This step is the same as that of the OW-ID-CCA security game in Definition 1.

2. Phase 1: This step is the same as that of the OW-ID-CCA security game in Definition 1 except for $O_{Trap}$.

3. Challenge: $A_2$ sends $sn{d}^{*}$ and $rc{v}^{*}$ and selected messages $m_0^{*},m_1^{*}\in {\left\{0,1\right\}}^n$ of the same length to C. C selects a random bit $b\in$$\left\{0,1\right\}$, runs $RIBME-ET.Enc(e{k}_{I{D}_{Snd}},t,I{D}_{Rev},m_b)\to C_b$, and sends $C_b$ to $A_2$.

4. Phase 2: C responds to $A_2$’s queries as in Phase 1.

5. Guess: $A_2$ outputs $b^{\prime }\in$$\left\{0,1\right\}$.

We say that the adversary $A_2$ wins if $b^{\prime }=b$ in the above game, and the advantage of $A_2$ is defined as $ad{v}_{RIBME-ET,A_2}^{IND-ID-CCA}\left(\lambda \right)=|Pr(b^{\prime }=b)-{\displaystyle \frac{1}{2}}|$.

In the above game, $A_2$ cannot ask the following queries: $O_{RKGen}\left(Re{v}^{*}\right),O_{Trap}(Sn{d}^{*},$

$Re{v}^{*}),$ and $O_{Dec}(Re{v}^{*},Sn{d}^{*},C^{*})$.

Definition 3

(EU-ID-CMA). We say that a RIBME-ET scheme is EU-ID-CMA-secure against Type-III adversaries if for any PPT adversary $A_3$, the advantage of $A_3$ in the following game with the challenger C is negligible in terms of the security parameter λ.

1. Setup: This step is the same as that of the OW-ID-CCA security game in Definition 1.

2. Phase 1: This step is the same as that of the OW-ID-CCA security game in Definition 1 except for $O_{Dec}$ and $O_{Trap}$.

3. Forgery: $A_3$ outputs a forged ciphertext $C=(C,I{D}_{Rev},I{D}_{Snd})$ to C, C runs the ReceiverKey generation to obtain $d{k}_{Rev}$, C uses $d{k}_{Rev}$ to decrypt ciphertext C, and C outputs m. If $Snd$∀$Q_{O_{SKGen}}$, $Snd\ne I{D}_{Snd}$∧$Rev\notin Q_{O_{RKGen}}$∧$m\ne \perp$, the adversary $A_3$ wins and C returns 1. Else, if the adversary $A_3$ fails, C returns 0.

We say that the adversary $A_3$ wins if C outputs m and returns 1 in the above game; the advantage of $A_3$ is defined as $ad{v}_{RIBME-ET,A_3}^{EU-ID-CMA}\left(\lambda \right)=Pr\left[A_{3}wins\right]$.

5. Construction of RIBME-ET

In this section, we provide a RIBME-ET construction, and the scheme coincides with our system model. The concrete scheme is as follows:

• Setup: When the security parameter $\lambda$ is input, the algorithm outputs a time period t$\in {\left\{0,1\right\}}^{*}$ and a bilinear group $(p,e,G_1,G_2)$ with a generator $g\in G_1$, where the order of $G_1$ and $G_2$ is p. Then it randomly selects seven cryptographic hash functions $H_0:{\left\{0,1\right\}}^{*}\times {\left\{0,1\right\}}^{*}\to G_1$, $H_1:{\left\{0,1\right\}}^{*}\to G_1$, $H_2:G_2\to {\left\{0,1\right\}}^l$, $H_3:{\left\{0,1\right\}}^{n+\gamma }\to Z_p^{*}$, $H_4:G_2\to G_1$, $H_5:{\left\{0,1\right\}}^n\to G_1$, and $H_6:G_1\to {\left\{0,1\right\}}^l$, modeled as random oracles, and a polynomial-time computable padding function $\phi$:${\left\{0,1\right\}}^n$→${\left\{0,1\right\}}^l$. We require that for all m∈${\left\{0,1\right\}}^n$, one can verify in polynomial time if m has been padded correctly and that $\phi \left(\mathit{m}\right)$ is efficiently invertible. In addition, it also selects two random numbers r, s∈$Z_p^{*}$ and computes $g_0=g^r$. Finally, the master public key and master secret key are $mpk=(g,g_0,p,e,G_1,G_2,H_0,H_1,H_2,H_3,H_4,H_5,H_6,\phi )$ and $msk=(r,s)$.

• Sender Key generation: Given the master key pair $(mpk,msk)$ and a sender’s identity $I{D}_{snd}$→${\left\{0,1\right\}}^{*}$, the algorithm outputs the sender’s encryption key $e{k}_{I{D}_{Snd}}$ = $H_1{\left(I{D}_{Snd}\right)}^s$.

• Receiver Key generation: Given the master key pair $(mpk,msk)$ and a receiver’s identity $I{D}_{Rev}$→${\left\{0,1\right\}}^{*}$, with a period of time t, the algorithm outputs the receiver’s decryption key $d{k}_{I{D}_{Rev}}=(d{k}_{I{D}_{Rev}}^1$, $d{k}_{I{D}_{Rev}}^2$, $d{k}_{I{D}_{Rev}}^3$)=($H_0{(I{D}_{Rev},t)}^r$, $H_0{(I{D}_{Rev},t)}^s$, $H_0(I{D}_{Rev},t)$).

• Encryption: Given the master public key $mpk$, the encryption key $e{k}_{I{D}_{Snd}}$, a time period t, the receiver’s identity $I{D}_{Rev}$, and a message m∈${\left\{0,1\right\}}^n$, the algorithm proceeds as follows:

  1. Sample random a, b ∈$Z_p^{*}$, and $z\in {\left\{0,1\right\}}^{\gamma }$.

  2. Compute $C_0=g^b$ and $C_1=g^a$.

  3. Compute $k_1$ = $e(H_0(I{D}_{Rev},t),g_0^a)$ and $k_2$ = $e(H_0(I{D}_{Rev},t),C_0·e{k}_{I{D}_{Snd}})$.

  4. Compute $C_2=g^{H_3(m,z)}$ and $C_3$ = $\phi \left(\mathit{m}\right)$⊕$H_2\left(k_1\right)$⊕$H_2\left(k_2\right)$⊕$H_6\left(C_2\right)$.

  5. Compute $C_4=H_5{\left(m\right)}^{H_3(m,z)}·H_4\left(e(g,H_1\left(I{D}_{Snd}\right)·H_0(I{D}_{Rev},t))\right)$.

  6. Output ciphertext $C=(C_0,C_1,C_2,C_3,C_4)$.

• Decryption: Given the master public key $mpk$, a decryption key $d{k}_{I{D}_{Rev}}$, a target identity $I{D}_{Snd}=Snd$, and ciphertext $C=(C_0,C_1,C_2,C_3,C_4)$, the algorithm proceeds as follows:

  1. Parse $C=(C_0,C_1,C_2,C_3,C_4)$.

  2. Compute $k_1$ = $e(d{k}_{I{D}_{Rev}}^1,C_1)$ and $k_2$ = $e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))·e(d{k}_{I{D}_{Rev}}^3,C_0)$.

  3. Compute $\phi \left(\mathit{m}\right)$ = $C_3\oplus H_2\left(k_1\right)\oplus H_2\left(k_2\right)\oplus H_6\left(C_2\right)$.

  4. If the padding is valid, return m. Otherwise, return ⊥.

• Trapdoor: The algorithm is performed by a receiver who takes $H_1\left(I{D}_{Snd}\right)$ and $d{k}_{I{D}_{Rev}}$ as input to produce the trapdoor. $t{d}_{Rev}$ = $H_1\left(I{D}_{Snd}\right)·d{k}_{I{D}_{Rev}}^3$= $H_1\left(I{D}_{Snd}\right)·H_0(I{D}_{Rev},t)$. The scheme uses the decryption key of the receiver in the trapdoor generation phase, and the decryption key is divided into three components. The trapdoor generation phase uses one of the components to generate the trapdoor, which is not associated with the $msk$. Even if $d{k}_{I{D}_{Rev}}^3$ is leaked, it is not possible to compute the decryption key as a whole, and thus the use of a part of the decryption key has no effect on the security of the scheme.

• Test: This algorithm is performed by the cloud server, which takes two ciphertext–trapdoor pairs $(C_A,t{d}_A)$ and $(C_B,t{d}_B)$.

  $C_A=(C_{0A},C_{1A},C_{2A},C_{3A},C_{4A})$,

  $C_B=(C_{0B},C_{1B},C_{2B},C_{3B},C_{4B})$.

  1. Compute ${\eta }_A$ and ${\eta }_B$ as follows:

     ${\eta }_A$ = ${\displaystyle \frac{C_{4A}}{H_4\left(e(g,t{d}_A)\right)}}$,

     ${\eta }_B$ = ${\displaystyle \frac{C_{4B}}{H_4\left(e(g,t{d}_B)\right)}}$.

  2. Compute $e(C_{2A},{\eta }_B)$ and $e(C_{2B},{\eta }_A)$ as follows:

  Check whether $e(C_{2A},{\eta }_B)=e(C_{2B},{\eta }_A)$ holds. If it holds, output 1; otherwise, output 0.

Correctness:

1. For decryption, if $I{D}_{Snd}=Snd$, $I{D}_{Rev}=Rev$, and $Snd$ matches $Rev$, the receiver will be able to decrypt the ciphertext. For a ciphertext $C=(C_0,C_1,C_2,C_3,C_4)$ under an encryption of a message m, let $k_1^{\prime }$ and $k_2^{\prime }$ be the keys computed by the decryption algorithm.

   Compute $k_1$ = $e(d{k}_{I{D}_{Rev}}^1,C_1)$ = $e(H_0{(I{D}_{Rev},t)}^r,g^a)$ = $e(H_0(I{D}_{Rev},t),g^{ra})$ = $e(H_0(I{D}_{Rev},t),{g_0}^a)$ = $k_1^{\prime }$.

   Compute $k_2$ = $e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))·e(d{k}_{I{D}_{Rev}}^3,C_0)$ = $e(H_0{(I{D}_{Rev},t)}^s,H_1\left(I{D}_{Snd}\right))·e(H_0(I{D}_{Rev},t),g^b)$ = $e(H_0(I{D}_{Rev},t),g^b·H_1{\left(I{D}_{Snd}\right)}^s)$ = $k_2^{\prime }$.

   $\phi \left(\mathit{m}\right)$ = $C_3\oplus H_2\left(k_1\right)\oplus H_2\left(k_2\right)\oplus H_6\left(C_2\right)$. Then return m.

2. For the equality test, if $I{D}_{Snd}=Sn{d}_A\wedge I{D}_{Rev}=Re{v}_A\wedge I{D}_{Snd}=Sn{d}_B\wedge I{D}_{Rev}=Re{v}_B$, $Sn{d}_A$ matches $Re{v}_A$, and $Sn{d}_B$ matches $Re{v}_B$, only receivers A and B can compute their respective trapdoors. For the ciphertext $C_A$ encrypted by message $m_A$ and the ciphertext $C_B$ encrypted by message $m_B$, we check the following:

   $${\eta }_A={\displaystyle \frac{C_{4A}}{H_4\left(e(g,t{d}_A)\right)}}=H_5{\left(m_A\right)}^{H_3(m_A,z_A)},$$

   $${\eta }_B={\displaystyle \frac{C_{4B}}{H_4\left(e(g,t{d}_B)\right)}}=H_5{\left(m_B\right)}^{H_3(m_B,z_B)},$$

   $$\begin{array}{cc}\hfill e(C_{2A},{\eta }_B)& =e(g^{H_3(m_A,z_A)},H_5{\left(m_B\right)}^{H_3(m_B,z_B)})\hfill \\ \hfill & =e(g,{H_5\left(m_B\right))}^{H_3(m_A,z_A)H_3(m_B,z_B)},\hfill \end{array}$$

   $$\begin{array}{cc}\hfill e(C_{2B},{\eta }_A)& =e(g^{H_3(m_B,z_B)},H_5{\left(m_A\right)}^{H_3(m_A,z_A)})\hfill \\ \hfill & =e(g,{H_5\left(m_A\right))}^{H_3(m_B,z_B)H_3(m_A,z_A)}.\hfill \end{array}$$

   If $m_A=m_B$, then $e(C_{2A},{\eta }_B)=e(C_{2B},{\eta }_A)$, and it outputs 1; otherwise, it outputs 0.

6. Security Analysis of RIBME-ET

In this section, we demonstrate that our RIBME-ET construction is OW-ID-CCA-secure against a PPT Type-I adversary, IND-ID-CCA-secure against a PPT Type-II adversary, and EU-ID-CMA-secure against a PPT Type-III adversary.

6.1. OW-ID-CCA Security Against Type-I Adversary

As for confidentiality, we first look into the OW-ID-CCA security of our construction against a Type-I adversary. We change the Boneh–Franklin CCA-secure IBE’s proof method; our method of proof is similar to that of the IBME scheme. We prove that RIBME-ET is OW-ID-CCA-secure under the CBDH assumption. First, we define BPub⁺, a variant of BasicPub that is more suitable for our needs. BPub⁺ is composed of the following algorithms:

• Setup($1^{\lambda }$): Generate a symmetric pairing e: $G_1$×$G_1$→$G_2$, with $G_1$ and $G_2$ of an order p that depends on $\lambda$. Choose a random generator g of $G_1$. Sample a random $s\in Z_q^{*}$ and set $g_0=g^s$. Choose three hash functions: $H_0:G_2\to {\left\{0,1\right\}}^n$, $H_1:{\left\{0,1\right\}}^n\times {\left\{0,1\right\}}^n\to Z_p^{*}$, and $H_2:{\left\{0,1\right\}}^n\to {\left\{0,1\right\}}^n$, with $mpk=(p,e,n,g,g_0,G_1,G_2,H_0,H_1,H_2)$ and $msk=s$.

• KGen($mpk,msk$): Choose a random $G\in G_1$. The public key is $pk=G$. The private key is $sk=G^s$.

• Enc($mpk,pk,m$): To encrypt a message m under the public key $pk=G$, choose a random $\mu \in {\left\{0,1\right\}}^n$, set $y=H_1(\mu ,m)$, and output $C=(C_0,C_1,C_2)$= $(g^y,\mu \oplus H_0\left(e{(G,g_0)}^y\right)),m\oplus H_2\left(\mu \right))$.

• Dec($mpk,sk,C$): Let $C=(C_0,C_1,C_2)$ be a ciphertext for the public key $pk$. To decrypt C using the private key $sk$, compute the following:

  1. $C_1\oplus H_0\left(e(sk,C_0)\right)=\mu$.

  2. $C_2\oplus H_2\left(\mu \right)=m$.

  3. Set $y=H_1(\mu ,m)$. Test that $C_0=g^y$. If not, reject the ciphertext.

  4. Output m as the decryption of C.

We show that if BPub⁺ is OW-CCA-secure, then our scheme is OW-ID-CCA-secure.

Theorem 1.

Let the hash functions $H_i(i=0,1,2,3,4,5,6)$ be random oracles. Our construction is OW-ID-CCA-secure against a PPT Type-I adversary under the basis of the BDH assumption. More precisely, if $A_1$ can break our proposal with the advantage ε, suppose that $A_1$ makes at most $q_S$ sender key extraction queries, at most $q_R$ receiver key queries, at most $q_D$ decryption key queries, and at most $q_T$ trapdoor queries. We can conceive of a PPT algorithm $A_1^{\prime }$ to address the CBDH assumption with the advantage ${\epsilon }^{\prime }\ge 512\epsilon /e^4{(q_R+q_S+q_D+q_T+4)}^4{q}_{H_2}.$

Proof of Theorem 1.

Given a CBDH assumption instance $(g,g^a,g^b,g^c)$, where $a,b,c\in Z_p^{*}$, the task of $A_1^{\prime }$ is to calculate $D=e{(g,g)}^{abc}$ by interacting with $A_1$ as shown below:

1. Setup: $A_1^{\prime }$ first performs the setup algorithm to generate $mpk=(g,g_0,p,e,G_1,G_2,H_0,H_1,H_2,H_3,H_4,H_5,H_6,\phi )$, randomly selects $x,y\in Z_p^{*}$, and gives the $mpk$ to $A_1$. $A_1^{\prime }$ then implicitly sets $msk=(x,y)$, $g_0=g^x$, and $A_1^{\prime }$ has no knowledge about x and y. $A_1^{\prime }$ preserves the $L_{H_i}(i=0,1,2,3,4,5,6)$ lists to simulate the oracle $H_i$-query.

2. Phase 1: $A_1^{\prime }$ answers $A_1$’s queries.

   • $H_0$-query: On receiving this query with identity $I{D}_{Rev}$, if the query $I{D}_{Rev}$ is in a tuple $(I{D}_{Rev},Q,\beta ,b)\in L_{H_0}$, then Q is returned. Otherwise, $A_1^{\prime }$ randomly picks $\beta \in Z_p^{*}$ and inserts the new tuple $(I{D}_{Rev},Q,\beta ,b)$ into $L_{H_0}$, with a random coin $b\in \left\{0,1\right\}$, so that $Pr[b=0]=\xi$. If $b=0$, $A_1^{\prime }$ sets $Q=g^{\beta }$; otherwise, $A_1^{\prime }$ sets $Q=g^{c\beta }$. Finally, $(I{D}_{Rev},Q,\beta ,b)$ is added to $L_{H_0}$, and $A_1^{\prime }$ sends Q to $A_1$.

   • $H_1$-query: On receiving this query with identity $I{D}_{Snd}$, if the query $I{D}_{Snd}$ is in a tuple $(I{D}_{Snd},Q,\beta ,b)\in L_{H_1}$, then Q is returned. Otherwise, $A_1^{\prime }$ randomly picks $\beta \in Z_p^{*}$ and inserts the new tuple $(I{D}_{Snd},Q,\beta ,b)$ into $L_{H_1}$, with a random coin $b\in \left\{0,1\right\}$, so that $Pr[b=0]=\xi$. If $b=0$, $A_1^{\prime }$ sets $Q=g^{\beta }$; otherwise, $A_1^{\prime }$ sets $Q=g^{a\beta }$. Finally, $(I{D}_{Snd},Q,\beta ,b)$ is added to $L_{H_0}$, and $A_1^{\prime }$ sends Q to $A_1$.

   • $H_2$-query: $A_1^{\prime }$ maintains a list $L_{H_2}$ that stores tuples of the form $(X,h_2)$ with the history of calls to $L_{H_2}$. If the query X has already been completed, the challenger returns the value $h_2$. If not, it samples a random $h_2\in {\left\{0,1\right\}}^n$, adds $(X,h_2)$ to the list $L_{H_2}$, and returns $h_2$.

   • $H_3$-query: $A_1^{\prime }$ maintains a list $L_{H_3}$ that stores tuples of the form $(m,u,h_3)$ with the history of calls to $L_{H_3}$. If the queries m and u have already been completed, the challenger returns the value $h_3$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$, u∈${\left\{0,1\right\}}^n$, and $h_3\in {\left\{0,1\right\}}^{\gamma }$ and inserts the new tuple $(m,u,h_3)$ into $L_{H_3}$. Subsequently, $A_1^{\prime }$ sends $h_3$ to $A_1$.

   • $H_4$-query: $A_1^{\prime }$ maintains a list $L_{H_4}$ that stores tuples of the form $(g_{h_4},h_4)$ with the history of calls to $L_{H_4}$. If the query $g_{h_4}$ has already been completed, the challenger returns the value $g_{H_4}$. If not, it randomly picks $g_{h_4}\in G_2$ and $h_4\in G_1$ and inserts the new tuple $(g_{h_4},h_4)$ into $L_{H_4}$. Subsequently, $A_1^{\prime }$ sends $h_4$ to $A_1$.

   • $H_5$-query: $A_1^{\prime }$ maintains a list $L_{H_5}$ that stores tuples of the form $(m,h_5)$ with the history of calls to $L_{H_5}$. If the query m has already been completed, the challenger returns the value $h_5$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$ and $h_5\in G_1$ and inserts the new tuple $(m,h_5)$ into $L_{H_5}$. Finally, $A_1^{\prime }$ sends $h_5$ to $A_1$.

   • $H_6$-query: $A_1^{\prime }$ maintains a list $L_{H_6}$ that stores tuples of the form $(g_{H6},h_6)$ with the history of calls to $L_{H_6}$. If the query $g_{H6}$ has already been completed, the challenger returns the value $h_6$. If not, it randomly picks $g_{H6}\in G_1$ and $h_6\in {\left\{0,1\right\}}^l$ and inserts the new tuple $(g_{H6},h_6)$ into $L_{H_6}$. Finally, $A_1^{\prime }$ sends $h_6$ to $A_1$.

   • $O_{SKGen}$: $A_1^{\prime }$ performs a simulation algorithm with the $H_1$-query. Let $I{D}_{Snd}$ be the input of $O_{SKGen}$. $A_1^{\prime }$ obtains $H_1\left(Snd\right)=Q$. There is a tuple $(I{D}_{Snd},Q,\beta ,b)$ in $L_{H_1}$. If $b=1$, $A_1^{\prime }$ aborts; otherwise, it returns $e{k}_{Snd}=g^{y\beta }$.

   • $O_{RKGen}$: $A_1^{\prime }$ performs a simulation algorithm with the $H_0$-query. Let $I{D}_{Rev}$ be the input of $O_{RKGen}$. $A_1^{\prime }$ obtains $H_0(Rev,t)=Q$. There is a tuple $(I{D}_{Rev},Q,\beta ,b)$ in $L_{H_0}$. If $b=1$, $A_1^{\prime }$ aborts; otherwise, it returns $d{k}_{Rev}=(g^{x\beta },g^{y\beta },Q=g^{\beta })$.

   • $O_{Dec}$: Let $I{D}_{Snd}=Snd$. $A_1^{\prime }$ performs a simulation algorithm to query the $H_0$-query and $H_1$-query. $A_1^{\prime }$ obtains the ciphertexts $C=(C_0,C_1,C_2,C_3,C_4)$. $A_1^{\prime }$ sends the output of $Dec(mpk,d{k}_{Rev},Snd,C)$ to $A_1$.

     When $rev\ne Re{v}^{*}$, $A_1^{\prime }$ can query $O_{RKGen}$ to obtain $d{k}_{Rev}$ and returns the outcome $Dec(mpk,d{k}_{Rev},snd,C)$.

     Otherwise, $A_1^{\prime }$ can query $O_{SKGen}$ to obtain $e{k}_{Snd}$ and compute $k_2$ = $e(Q^{\prime },C_0·e{k}_{Snd})$. For each tuple $(X,h_2)$ in $L_{H_2}$ and $(g_{H6},h_6)$ in $L_{H_6}$, $A_1^{\prime }$ computes $\phi \left(m^{\prime }\right)$ = $C_3\oplus h_2\oplus h_6$ and $H_3(m^{\prime },u^{\prime })$. If $C_2=g^{H_3(m^{\prime },u^{\prime })}$ and there exists a tuple $(g_{h_4},h_4)$ in $L_{H_4}$ such that $C_4=H_5{\left(m^{\prime }\right)}^{H_3(m^{\prime },u^{\prime })}·h_4$ is valid, it returns $m^{\prime }$. When $L_{H_4}$ has no such tuple, it returns ⊥.

   • $O_{Trap}$: Let $snd=Sn{d}_i$. $A_1^{\prime }$ performs a simulation algorithm to query $H_0$ and $H_1$. $A_1^{\prime }$ runs the receiver key queries on the ID to obtain $d{k}_{Rev}=(d{k}_{Rev}^1$, $d{k}_{Rev}^2$, $d{k}_{Rev}^3$)$=(g^{x\beta },g^{y\beta },Q=g^{\beta })$ and responds to $A_1$ with $t{d}_{id}$. When $Snd=Sn{d}^{*}$ or $Rev=Re{v}^{*}$, $A_1^{\prime }$ fails. Otherwise, $A_1^{\prime }$ sends $t{d}_{id}$ to $A_1$.

3. Challenge: Algorithm $A_1$ outputs a pair of sender and receiver identities $(Sn{d}^{*},Re{v}^{*})$ to $A_1^{\prime }$. $A_1^{\prime }$ randomly select a message $m^{*}\in {\left\{0,1\right\}}^n$ and utilizes a simulation algorithm to query oracles $H_0$ and $H_1$. The challenge pair of sender and receiver identities do not appear in the receiver key queries of Phase 1. Now $A_1^{\prime }$ performs the following steps:

   • (1)Compute $H_0(rev,t)=Q$ and $H_1\left(snd\right)=Q^{\prime }$. If both the tuples $(Rev,Q,\beta ,b)\in L_{H_0}$ and $(Snd,Q^{\prime },{\beta }^{\prime },b^{\prime })\in L_{H_1}$ do not have coins b and $b^{\prime }$ equal to 1, $A_1^{\prime }$ aborts. If not, we know that $d{k}_{Rev}^2=g^{cy\beta }$ and $H_1\left(Snd\right)=g^{x\beta }$. Hence, $H_2\left(k_2\right)$ = $H_2(e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))·e(d{k}_{I{D}_{Rev}}^3,C_0))$, where $e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))$ = $e(g^{cy\beta },g^{x{\beta }^{\prime }})$ = $D^{\beta {\beta }^{\prime }}$, and $Q=d{k}_{Rev}^3$.
   • (2)Parse $C=(C_0,C_1,C_2,C_3,C_4)$, compute $L=1/\left(\beta {\beta }^{\prime }\right)$, and take a random tuple $(X,h_2)$. Return $D^{\prime }={(X·e{(Q,C_0)}^{-1})}^L$.

4. Phase 2: $A_1$ makes queries like in Phase 1.

5. Guess: $A_1$ answers with a guess $m^{\prime }$ for $m^{*}$. $A_1^{\prime }$ answers with a CBDH solution $D^{\prime }$.

Analysis: First of all, note that the simulation is perfect since in the above game we require that the challenge $(C,Rev,Snd)$ satisfies the condition that $Rev$ disappears in $O_{RKGen}$, $Rnd$ disappears in $O_{SKGen}$, and the challenge C disappears in $O_{Dec}$. Assuming that the adversary makes at most $q_R,q_S,q_D,$ and $q_T$ queries for $O_{RKGen},O_{SKGen},O_{Dec},$ and $O_{Trap}$, the probability that $A_1^{\prime }$ does not abort for any of these calls is ${\delta }^{q_R+q_S+q_D+q_T}$. Similarly, the probability that $A_1^{\prime }$ does not abort overall is ${\delta }^{q_R+q_S+q_D+q_T}{(1-\delta )}^4$, which is maximized at ${\delta }_{opt}=(q_R+q_S+q_D+q_T)/(q_R+q_S+q_D+q_T+4)$. If we use ${\delta }_{opt}$ as the probability of obtaining coins $b=0$ in the $H_0$ and $H_1$ queries, we have that the probability of $A_1^{\prime }$ not aborting is at least $256/e^4{(q_R+q_S+q_D+q_T+4)}^4$.

If $A_1^{\prime }$ does not abort, it outputs the correct solution $D^{\prime }$ with a probability of at least $2\epsilon /q_{H_2}$. Hence, $A_1^{\prime }$ solves the CBDH problem with an advantage of $512\epsilon /e^4{(q_R+q_S+q_D+q_T+4)}^4{q}_{H_2}$. □

6.2. IND-ID-CCA Security Against Type-II Adversary

As for privacy, we look into the IND-ID-CCA security of our construction against a Type-II adversary.

Theorem 2.

Let the hash functions $H_i(i=0,1,2,3,4,5,6)$ be random oracles. Our construction is IND-ID-CCA-secure against a PPT Type-II adversary under the basis of the CBDH assumption. More precisely, if $A_2$ can break our proposal with the advantage ε, suppose that $A_2$ makes at most $q_S$ sender key extraction queries, at most $q_R$ receiver key queries, and at most $q_D$ decryption key queries. We can conceive of a PPT algorithm $A_2^{\prime }$ to address the CBDH assumption with the advantage ${\epsilon }^{\prime }\ge 54\epsilon /e^3{(q_R+q_S+q_D+3)}^3{q}_{H_2}.$

Proof of Theorem 2.

Given a CBDH assumption instance $(g,g^a,g^b,g^c)$, where $a,b,c\in Z_p^{*}$, the task of $A_2^{\prime }$ is to calculate $D=e{(g,g)}^{abc}$ by interacting with $A_2$ as shown below:

1. Setup: $A_2^{\prime }$ first performs the setup algorithm to generate $mpk=(g,g_0,p,e,G_1,G_2,H_0,H_1,H_2,H_3,H_4,H_5,H_6,\phi )$, randomly selects $x,r\in Z_p^{*}$, and sends the $mpk$ to $A_2$. $A_2^{\prime }$ implicitly sets $msk=x$ and $g_0=g^x$, and $A_2^{\prime }$ has no knowledge about x. $A_2^{\prime }$ preserves the $L_{H_i}(i=0,1,2,3,4,5,6)$ lists to simulate the oracle $H_i$-query.

2. Phase 1: $A_2^{\prime }$ answers $A_2$’s queries.

   • $H_0$-query: On receiving this query with identity $I{D}_{Rev}$, if query $I{D}_{Rev}$ is in a tuple $(I{D}_{Rev},Q,\beta ,b)\in L_{H_0}$, then Q is returned. Otherwise, $A_2^{\prime }$ randomly picks $\beta \in Z_p^{*}$ and inserts the new tuple $(I{D}_{Rev},Q,\beta ,b)$ into $L_{H_0}$, with a random coin $b\in \left\{0,1\right\}$, so that $Pr[b=0]=\xi$. If $b=0$, $A_2^{\prime }$ sets $Q=g^{\beta }$; otherwise, $A_2^{\prime }$ sets $Q=g^{c\beta }$. Finally, $(I{D}_{Rev},Q,\beta ,b)$ is added to $L_{H_0}$, and $A_2^{\prime }$ sends Q to $A_2$.

   • $H_1$-query: $A_2^{\prime }$ maintains a list $L_{H_2}$ that stores tuples of the form $(Sn{d}_i,Y_i)$ with the history of calls to $L_{H_2}$. If the query $Sn{d}_i$ has already been completed, the challenger returns the value $Y_i$. If not, it samples a random $Y_i\in G_1$, adds $(Sn{d}_i,Y_i)$ to the list, and returns $Y_i$.

   • $H_2$-query: $A_2^{\prime }$ maintains a list $L_{H_2}$ that stores tuples of the form $(X,h_2)$ with the history of calls to $L_{H_2}$. If the query X has already been completed, the challenger returns the value $h_2$. If not, it samples a random $h_2\in {\left\{0,1\right\}}^n$, adds $(X,h_2)$ to the list $L_{H_2}$, and returns $h_2$.

   • $H_3$-query: $A_2^{\prime }$ maintains a list $L_{H_3}$ that stores tuples of the form $(m,u,h_3)$ with the history of calls to $L_{H_3}$. If the queries m and u have already been, the challenger returns the value $h_3$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$, u∈${\left\{0,1\right\}}^n$, and $h_3\in {\left\{0,1\right\}}^{\gamma }$ and inserts the new tuple $(m,u,h_3)$ into $L_{H_3}$. Subsequently, $A_2^{\prime }$ sends $h_3$ to $A_2$.

   • $H_4$-query: $A_2^{\prime }$ maintains a list $L_{H_4}$ that stores tuples of the form $(g_{h_4},h_4)$ with the history of calls to $L_{H_4}$. If the query $g_{h_4}$ has already been completed, the challenger returns the value $g_{H_4}$. If not, it randomly picks $g_{h_4}\in G_2$ and $h_4\in G_1$ and inserts the new tuple $(g_{h_4},h_4)$ into $L_{H_4}$. Subsequently, $A_2^{\prime }$ sends $h_4$ to $A_2$.

   • $H_5$-query: $A_2^{\prime }$ maintains a list $L_{H_5}$ that stores tuples of the form $(m,h_5)$ with the history of calls to $L_{H_5}$. If the query m has already been completed, the challenger returns the value $h_5$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$ and $h_5\in G_1$ and inserts the new tuple $(m,h_5)$ into $L_{H_5}$. Finally, $A_2^{\prime }$ sends $h_5$ to $A_2$.

   • $H_6$-query: $A_2^{\prime }$ maintains a list $L_{H_6}$ that stores tuples of the form $(g_{H6},h_6)$ with the history of calls to $L_{H_6}$. If the query $g_{H6}$ has already been completed, the challenger returns the value $h_6$. If not, it randomly picks $g_{H6}\in G_1$ and $h_6\in {\left\{0,1\right\}}^l$ and inserts the new tuple $(g_{H6},h_6)$ into $L_{H_6}$, finally, $A_2^{\prime }$ sends $h_6$ to $A_2$.

   • $O_{SKGen}$: $A_2^{\prime }$ performs a simulation algorithm with the $H_1$-query. Let $I{D}_{Snd}$ be the input of $O_{SKGen}$. $A_2^{\prime }$ obtains $H_1\left(Snd\right)=Y$. There is a tuple $(Sn{d}_i,Y_i)$ in $L_{H_1}$, and it returns $Y_i^r$.

   • $O_{RKGen}$: $A_2^{\prime }$ performs a simulation algorithm with the $H_0$-query. Let $I{D}_{Rev}$ be the input of $O_{RKGen}$. $A_2^{\prime }$ obtains $H_0(Rev,t)=Q$. There is a tuple $(I{D}_{Rev},Q,\beta ,b)$ in $L_{H_0}$. If b = 1, $A_2^{\prime }$ aborts; otherwise, it returns $d{k}_{Rev}=(g_0^{\beta },Q^r,Q=g^{\beta })$.

   • $O_{Dec}$: Let $I{D}_{Snd}=Snd$. $A_2^{\prime }$ performs a simulation algorithm to query the $H_0$-query and $H_1$-query. $A_2^{\prime }$ obtains the ciphertexts $C=(C_0,C_1,C_2,C_3,C_4)$. $A_2^{\prime }$ sends the output of $Dec(mpk,d{k}_{Rev},Snd,C)$ to $A_2$.

     When $Rev\ne Re{v}^{*}$, $A_1^{\prime }$ can query $O_{RKGen}$ to obtain $d{k}_{Rev}$ and returns the outcome $Dec(mpk,d{k}_{Rev},Snd,C)$.

     Otherwise, $A_2^{\prime }$ can query $O_{SKGen}$ to obtain $e{k}_{Snd}$ and compute $k_2$ = $e(Q^{\prime },C_0·e{k}_{Snd})$. For each tuple $(X,h_2)$ in $L_{H_2}$ and $(g_{H6},h_6)$ in $L_{H_6}$, $A_2^{\prime }$ computes $\phi \left(m^{\prime }\right)$ = $C_3\oplus h_2\oplus h_6$ and $H_3(m^{\prime },u^{\prime })$. If $C_2=g^{H_3(m^{\prime },u^{\prime })}$ and there exists a tuple $(g_{h_4},h_4)$ in $L_{H_4}$ such that $C_4=H_5{\left(m^{\prime }\right)}^{H_3(m^{\prime },u^{\prime })}·h_4$ is valid, $m^{\prime }$ is returned. When $L_{H_4}$ has no such tuple, ⊥ is returned.

3. Challenge: Algorithm $A_2$ outputs equal-length messages $m_0,m_1\in {\left\{0,1\right\}}^n$ along with the two pairs of sender and receiver identities $(Sn{d}_0,Re{v}_0,Sn{d}_1,Re{v}_0)$ to $A_2^{\prime }$. The pairs of sender and receiver identities do not appear in the receiver key queries of Phase 1. Afterwards, $A_2^{\prime }$ utilizes a simulation algorithm to query the oracles $H_0$ and $H_1$. $A_2^{\prime }$ performs the following steps:

   • (1)After selecting $Re{v}_0$ and $Re{v}_1$, $A_2^{\prime }$ queries $H_0\left(Re{v}_0\right)=Q_0$ and $H_0\left(Re{v}_1\right)=Q_1$. If the tuples $(I{D}_{Re{v}_0},Q_0,{\beta }_0,1)$ and $(I{D}_{Re{v}_1},Q_1,{\beta }_1,1)$ do not belong to $L_{H_0}$, $A_2^{\prime }$ aborts. Otherwise, we know that $b_0$ = 0 and $b_1$ = 1, which means that $Q_0=e{k}_0$ and $Q_1=e{k}_1$.
   • (2)$A_2^{\prime }$ computes $C_0=g^d$ for a random $d\in Z_p^{*}$ and queries $H_1\left(Sn{d}_0\right)=Y_0$ and $H_1\left(Sn{d}_1\right)=Y_1$. It uses them to obtain $\phi \left(m_0^{\prime }\right)$ = $C_3\oplus H_2(Q_0,C_0·Y_1^r)\oplus H_6\left(g_{H6}\right)$ and $\phi \left(m_1^{\prime }\right)$ = $C_3\oplus H_2(Q_1,C_0·Y_1^r)\oplus H_6\left(g_{H6}\right)$. Note that $e{k}_{Snd}=Y_i^r$.
   • (3)$A_2^{\prime }$ sends $m_0^{\prime },m_1^{\prime },Q_0,$ and $Q_1$ to its challenger and receives $C=(C_1,C_2,C_3,C_4)$ as a response.
   • (4)$A_2^{\prime }$ computes $C^{\prime }=(C_0,C_1,C_2,C_3,C_4)$ and sends it to $A_2$. This is a proper encryption of $m_b$ under the condition $I{D}_{Re{v}_b}=Re{v}_b$ and sender’s identity $Sn{d}_b$.

4. Phase 2: $A_2^{\prime }$ makes queries like in Phase 1.

5. Guess: $A_2$ answers with a guess $b^{\prime }\in \left\{0,1\right\}$. $A_2$ responds to its challenger with the same guess.

Analysis: Note that the simulation is perfect since in the above game we require that the challenge $(m_0,m_1,Re{v}_0,Sn{d}_0,Re{v}_1,Sn{d}_1)$ satisfies the condition that $Re{v}_b$ disappears in $O_{RKGen}$ and $Sn{d}_b$ disappears in $O_{SKGen}$; meanwhile, the encrypted challenge ciphertext cannot access $O_{Dec}$. Assuming that the adversary makes at most $q_R,q_S,$ and $q_D$ queries for $O_{RKGen},O_{SKGen},$ and $O_{Dec}$, the probability that $A_2^{\prime }$ does not abort for any of these calls is ${\delta }^{q_R+q_S+q_D}$. Similarly, the probability that $A_2^{\prime }$ does not abort overall is ${\delta }^{q_R+q_S+q_D}{(1-\delta )}^3$, which is maximized at ${\delta }_{opt}=(q_R+q_S+q_D)/(q_R+q_S+q_D+3)$. If we use ${\delta }_{opt}$ as the probability of obtaining coins $b=0$ in the $H_0$ and $H_1$ queries, we have that the probability of $A_2^{\prime }$ not aborting is at least $27/e^3{(q_R+q_S+q_D+3)}^3$.

If $A_2^{\prime }$ does not abort, it outputs the correct solution D with a probability of at least $2\epsilon /q_{H_2}$. Hence, $A_2^{\prime }$ solves the CBDH problem with an advantage of $54\epsilon /e^3{(q_R+q_S+q_D+3)}^3{q}_{H_2}$. □

6.3. EU-ID-CMA Security Against Type-III Adversary

As for the authenticity, we look into the EU-ID-CMA security of our construction against a Type-III adversary.

Theorem 3.

Let the hash functions $H_i(i=0,1,2,3,4,5,6)$ be random oracles. Our construction is EU-ID-CMA-secure against a PPT Type-III adversary on the basis of the CBDH assumption. More precisely, if $A_3$ can break our proposal with the advantage ε, suppose that $A_3$ makes at most $q_S$ sender key extraction queries and at most $q_R$ receiver key queries. We can conceive of a PPT algorithm $A_3^{\prime }$ to address the CBDH assumption with the advantage ${\epsilon }^{\prime }\ge 8\epsilon /e^2{(q_R+q_S+2)}^2{q}_{H_2}.$

The proof of this theorem is very similar with that of Theorem 1, which demonstrates the OW-ID-CCA security of our RIBME-ET scheme. Similarly to the proof of Theorem 1, we can prove the EU-ID-CMA security of our scheme. We provide the full proof of this theorem in Appendix A.

7. Performance Evaluation

In this section, we will evaluate the performance of our proposed scheme through theoretical comparisons and experimental evaluations to show its effectiveness and practicality.

7.1. Functionality and Security Comparisons

Table 2 shows the functionality and security comparisons between our RIBME-ET scheme and similar schemes. It is obvious that the IBME [12] scheme ensures the authenticity of data and privacy of users but does not provide equality test functionality or achieve CCA security. Since IBME [12] only implements CPA security, with valid plaintext and ciphertext pairs at the sender and receiver, an attacker can use it to forge any message, thus threatening the authenticity of the ciphertext in cloud storage.

Table 2.

Comparison of functionality and security.

Schemes	Security	Equality Test	Authenticity	Privacy	User Revocation	Bilateral Access Control
IBEET [10]	CCA	✓ 1	×2	×	×	×
IBME [12]	CPA	×	✓	✓	×	✓
IBEET [18]	CCA	✓	×	×	×	×
IBME-ET [17]	CCA	✓	✓	✓	×	✓
Ours	CCA	✓	✓	✓	✓	✓

¹ ✓: Supports the functionality. ² ×: Does not support the functionality.

The IBEET [10,18] scheme ensures data confidentiality but provides neither bilateral access control nor user revocation. The IBME-ET [17] scheme does not support user revocation. In the later comparison of the experimental analysis, our scheme is found to be more efficient than theirs. By comparing different schemes, our proposed RIBME-ET scheme can be found to realize all the functionality and security required, which not only ensures the confidentiality of data, privacy of users, user revocation, and bilateral access control and achieves CCA security but also provides equality test functionality for ciphertexts generated under different identities in smart healthcare.

Table 3 shows the computational cost comparison of our scheme with other schemes in terms of encryption key generation, decryption key generation, encryption, decryption, trapdoor generation, and equality testing. In Table 3, $Exp$ is the exponentiation, p is the pairing, H and $H^{\prime }$ are hash-to-point operations in $G_1$ and $G_2$, and the symbol − indicates that the scheme does not have this phase. Our scheme has a lower computational cost compared to the IBME-ET [17] scheme in the decryption key generation, decryption, trapdoor generation, and equality test phases. Table 4 gives a comparison of the communication overhead of our scheme with that of other schemes, showing the results for encryption key, decryption key, trapdoor, and ciphertext comparisons. In Table 4, $|G_1|$ and $|G_2|$ are the sizes of the elements in groups $G_1$ and $G_2$, respectively. $|Z_p|$ is the size of the elements in $Z_p$, and $\lambda$ is the security level. Our scheme has a lower communication cost in the trapdoor and ciphertext generation phases compared to the IBME-ET [17] scheme.

Table 3.

Comparison of computation costs.

Schemes	SKGen	RKGen	Enc	Dec	Trap	Test
IBEET [10]	−	$3H^{\prime }+3Exp$	$3H^{\prime }+3p+6Exp$	$3p+2Exp$	0	$2p+2Exp$
IBEET [18]	H	$H+2Exp$	$2H^{\prime }+6Exp$	$2p+2Exp$	$H+Exp$	$4p$
IBME-ET [17]	$H+Exp$	$2H^{\prime }+3Exp$	$2H^{\prime }+2p+6Exp$	$H+3p+3Exp$	$H^{\prime }+p+4Exp$	$6p$
Ours	$H+Exp$	$H^{\prime }+3Exp$	$2H^{\prime }+3p+5Exp$	$3p$	H	$4p$

Table 4.

Comparison of communication costs.

Schemes	Encryption Key	Decryption Key	Trapdoor	Ciphertext
IBEET [10]	−	$3|G_2|$	$|G_2|$	$4|G_1|+5\lambda$
IBEET [18]	$|G_1|$	$2|G_1|$	$|G_1|$	$4|G_1|+|Z_p|$
IBME-ET [17]	$|G_1|$	$3|G_2|$	$2|G_2|$	$3|G_1|+|G_2|+|Z_p|+\lambda$
Ours	$|G_1|$	$3|G_2|$	$|G_2|$	$4|G_1|+|Z_p|$

7.2. Experimental Analysis

We evaluated the performance of our schemes by conducting extensive experiments. The tests were performed on a PC with the following specifications: Windows 10 Professional operating system, AMD Ryzen 5 5600 @ 3.5 GHz processor, and 32 GB RAM. The code was implemented in Java using the Java Pairing-Based Cryptography Library (JPBC) and tested on a 160-bit elliptic curve group constructed by the equation $y^2=x^3+x$ over a 512-bit field. We implemented the proposed scheme and compared it with IBEET [10,18] and IBME-ET [17]. The experimental results are shown in Figure 2 and Figure 3, which illustrate the computation costs and communication costs of these schemes, respectively.

Figure 2.

Computation cost of each scheme. (a) Encryption. (b) Decryption. (c) Trapdoor. (d) Test. These schemes: Lee2016 [10], Ma2016 [18], Yan2024 [17].

Figure 3.

Communication cost of each scheme. (a) Encryption key. (b) Decryption key. (c) Trapdoor. (d) Ciphertext. These schemes: Lee2016 [10], Ma2016 [18], Yan2024 [17].

Figure 2 shows the computational cost of each scheme. Our scheme has an advantage in the decryption and trapdoor generation phases, as it takes less time compared to the IBEET [10,18] and IBME-ET [17] schemes. In the equality test phase, our scheme takes the same amount of time as IBEET [18] and less time compared to IBEET [10] and IBME-ET [17]. Figure 3 shows the communication cost of each scheme and the communication cost used by our scheme in the trapdoor phase. Additionally, the ciphertext is the same as that of the IBME-ET scheme [18], which has a lower communication cost compared to the IBEET [10] and IBME-ET [17] schemes.

From Table 2, Table 3 and Table 4 and Figure 2 and Figure 3, we can conclude that, with a small sacrifice in computational and communication efficiency, our RIBME-ET scheme not only ensures the authenticity and confidentiality of data, the privacy of users, user revocation, and CCA security but also provides equality test functionality for ciphertexts generated under different identities in smart healthcare. Other related schemes cannot support this feature.

8. Conclusions and Future Work

In this paper, we introduce a new primitive RIBME-ET scheme, which not only ensures the privacy of users, the authenticity and confidentiality of data, and user revocation but also supports privacy-enhanced bilateral access control and provides equality test functionality for ciphertexts generated under different identities in smart healthcare. We proved the security of the scheme under random oracles. A comprehensive performance analysis shows the efficiency of our scheme. The limitation of our solution is that it is one-to-one for both the sender and the receiver. Considering specific smart healthcare scenarios, there may be a need for one-to-many data sharing and case matching between the sender and the receiver. Regarding future research, on the one hand, we can extend the scheme in the future to the case of fuzzy matching to further enhance the privacy of identities, as well as to mitigate key escrow and create an efficient infrastructure for key management and key revocation. On the other hand, we could consider increasing support for multi-user data sharing and case matching, extending the scheme to post-quantum security, and improving large-scale smart healthcare data integration.

Appendix A. Proof of Theorem 3

The proof of Theorem 3 is very similar as that of Theorem 1. Let $A_3$ be a PPT Type-III adversary who breaks our proposal with the advantage $\epsilon$. Suppose $A_3$ makes at most $q_S$ sender key extraction queries and at most $q_R$ receiver key queries. Then we can construct a PPT algorithm $A_3^{\prime }$ to address the CBDH assumption with the advantage ${\epsilon }^{\prime }\ge 8\epsilon /e^2{(q_R+q_S+2)}^2{q}_{H_2}.$

Proof of Theorem 3.

Given a CBDH assumption instance $(g,g^a,g^b,g^c)$, where $a,b,c\in Z_p^{*}$, the task of $A_3^{\prime }$ is to calculate $D=e{(g,g)}^{abc}$ by interacting with $A_3$ as shown below:

1. Setup: $A_3^{\prime }$ gives $A_3$ the public parameters $(g,g_0=g^a,p,e,G_1,G_2,H_0,H_1,H_2,H_3,H_4,H_5,H_6,\phi )$, where $H_i(i=0,1,2,3,4,5,6)$ are random oracles controlled by $A_3^{\prime }$.

2. Phase 1: $A_3^{\prime }$ answers $A_3$’s queries.

   • $H_0$-query: On receiving this query with identity $I{D}_{Rev}$, if the query $I{D}_{Rev}$ is in a tuple $(I{D}_{Rev},Q,\beta ,b)\in L_{H_0}$, then it returns Q. Otherwise, $A_3^{\prime }$ randomly picks $\beta \in Z_p^{*}$ and inserts the new tuple $(I{D}_{Rev},Q,\beta ,b)$ into $L_{H_0}$, with a random coin $b\in \left\{0,1\right\}$, so that $Pr[b=0]=\xi$. If b = 0, $A_3^{\prime }$ sets $Q=g^{\beta }$; otherwise, $A_3^{\prime }$ sets $Q=g^{c\beta }$. Finally, $(I{D}_{Rev},Q,\beta ,b)$ is added to $L_{H_0}$, and $A_3^{\prime }$ sends Q to $A_3$.

   • $H_1$-query: On receiving this query with identity $I{D}_{Snd}$, if the query $I{D}_{Snd}$ is in a tuple $(I{D}_{Snd},Q,\beta ,b)\in L_{H_1}$, then it returns Q. Otherwise, $A_3^{\prime }$ randomly picks $\beta \in Z_p^{*}$ and inserts the new tuple $(I{D}_{Snd},Q,\beta ,b)$ into $L_{H_1}$, with a random coin $b\in \left\{0,1\right\}$, so that $Pr[b=0]=\xi$. If b = 0, $A_3^{\prime }$ sets $Q=g^{\beta }$; otherwise, $A_3^{\prime }$ sets $Q=g^{a\beta }$. Finally, $(I{D}_{Snd},Q,\beta ,b)$ is added to $L_{H_0}$, and $A_3^{\prime }$ sends Q to $A_3$.

   • $H_2$-query: $A_3^{\prime }$ maintains a list $L_{H_2}$ that stores tuples of the form $(X,h_2)$ with the history of calls to $L_{H_2}$. If the query X has already been completed, the challenger returns the value $h_2$. If not, it samples a random $h_2\in {\left\{0,1\right\}}^n$, adds $(X,h_2)$ to the list $L_{H_2}$, and returns $h_2$.

   • $H_3$-query: $A_3^{\prime }$ maintains a list $L_{H_3}$ that stores tuples of the form $(m,u,h_3)$ with the history of calls to $L_{H_3}$. If the queries m and u have already been completed, the challenger returns the value $h_3$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$, u∈${\left\{0,1\right\}}^n$, and $h_3\in {\left\{0,1\right\}}^{\gamma }$ and inserts the new tuple $(m,u,h_3)$ into $L_{H_3}$. Subsequently, $A_3^{\prime }$ sends $h_3$ to $A_3$.

   • $H_4$-query: $A_3^{\prime }$ maintains a list $L_{H_4}$ that stores tuples of the form $(g_{h_4},h_4)$ with the history of calls to $L_{H_4}$. If the query $g_{h_4}$ has already been completed, the challenger returns the value $g_{H_4}$. If not, it randomly picks $g_{h_4}\in G_2$ and $h_4\in G_1$ and inserts the new tuple $(g_{h_4},h_4)$ into $L_{H_4}$. Subsequently, $A_3^{\prime }$ sends $h_4$ to $A_3$.

   • $H_5$-query: $A_3^{\prime }$ maintains a list $L_{H_5}$ that stores tuples of the form $(m,h_5)$ with the history of calls to $L_{H_5}$. If the query m has already been completed, the challenger returns the value $h_5$. If not, it randomly picks m∈${\left\{0,1\right\}}^n$ and $h_5\in G_1$ and inserts the new tuple $(m,h_5)$ into $L_{H_5}$. Finally, $A_3^{\prime }$ sends $h_5$ to $A_3$.

   • $H_6$-query: $A_3^{\prime }$ maintains a list $L_{H_6}$ that stores tuples of the form $(g_{H6},h_6)$ with the history of calls to $L_{H_6}$. If the query $g_{H6}$ has already been completed, the challenger returns the value $h_6$. If not, it randomly picks $g_{H6}\in G_1$ and $h_6\in {\left\{0,1\right\}}^l$ and inserts the new tuple $(g_{H6},h_6)$ into $L_{H_6}$. Finally, $A_3^{\prime }$ sends $h_6$ to $A_3$.

   • $O_{SKGen}$: $A_3^{\prime }$ performs a simulation algorithm with the $H_1$-query. Let $I{D}_{Snd}$ be the input of $O_{SKGen}$. $A_3^{\prime }$ obtains $H_1\left(Snd\right)=Q$. There is a tuple $(I{D}_{Snd},Q,\beta ,b)$ in $L_{H_1}$. If b = 1, $A_3^{\prime }$ aborts; otherwise, it returns $e{k}_{Snd}=g^{y\beta }$.

   • $O_{RKGen}$: $A_3^{\prime }$ performs a simulation algorithm with the $H_0$-query. Let $I{D}_{Rev}$ be the input of $O_{RKGen}$. $A_3^{\prime }$ obtains $H_0(Rev,t)=Q$. There is a tuple $(I{D}_{Rev},Q,\beta ,b)$ in $L_{H_0}$. If b = 1, $A_3^{\prime }$ aborts; otherwise, it returns $d{k}_{Rev}=(g^{x\beta },g^{y\beta },Q=g^{\beta })$.

3. Forgery: Now $A_3$ sends $(C,Rev,Snd)$ to $A_3^{\prime }$. Let $I{D}_{Snd}=Snd$. $A_3^{\prime }$ performs the following steps:

   • (1)Compute $H_0(rev,t)=Q$ and $H_1\left(snd\right)=Q^{\prime }$. If both the tuples $(Rev,Q,\beta ,b)\in L_{H_0}$ and $(Snd,Q^{\prime },{\beta }^{\prime },b^{\prime })\in L_{H_1}$ do not have coins b and $b^{\prime }$ equal to 1, $A_1^{\prime }$ aborts. If not, we know that $d{k}_{Rev}^2=g^{cy\beta }$ and $H_1\left(Snd\right)=g^{x\beta }$. Hence, $H_2\left(k_2\right)$ = $H_2(e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))·e(d{k}_{I{D}_{Rev}}^3,C_0))$, where $e(d{k}_{I{D}_{Rev}}^2,H_1\left(I{D}_{Snd}\right))$ = $e(g^{cy\beta },g^{x{\beta }^{\prime }})$ = $D^{\beta {\beta }^{\prime }}$, and $Q=d{k}_{Rev}^3$.
   • (2)Parse $C=(C_0,C_1,C_2,C_3,C_4)$, compute $L=1/\left(\beta {\beta }^{\prime }\right)$, and take a random tuple $(X,h_2)$. Return $D^{\prime }={(X·e{(Q,C_0)}^{-1})}^L$.

Analysis: Note that the simulation is perfect since in the above game we require that the challenge $(C,Rev,Snd=I{D}_{Snd})$ satisfies the conditions that $Rev$ disappears in $O_{RKGen}$, $Snd$ disappears in $O_{SKGen}$, and the challenge C disappears in $O_{Dec}$. Assuming that the adversary makes at most $q_R$ and $q_S$ queries for $O_{RKGen}$ and $O_{SKGen}$, the probability that $A_3^{\prime }$ does not abort for any of these calls is ${\delta }^{q_R+q_S}$. Similarly, the probability that $A_3^{\prime }$ does not abort at all is ${\delta }^{q_R+q_S}{(1-\delta )}^2$, which is maximized at ${\delta }_{opt}=(q_R+q_S)/(q_R+q_S+2)$. If we use ${\delta }_{opt}$ as the probability of obtaining coins $b=0$ in the $H_0$ and $H_1$ queries, we have that the probability of $A_3^{\prime }$ not aborting is at least $4/e^2{(q_R+q_S+2)}^2$.

If $A_3^{\prime }$ does not abort, it outputs the correct solution $D^{\prime }$ with a probability of at least $2\epsilon /q_{H_2}$. Hence, $A_3^{\prime }$ solves the CBDH problem with an advantage of $8\epsilon /e^2{(q_R+q_S+2)}^2{q}_{H_2}$. □

Author Contributions

Formal analysis, writing—original draft preparation, X.Z.; writing—review and editing, D.Z. and Y.Z. All authors have read and agreed to the published version of the manuscript.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

The data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare no conflicts of interest.

Funding Statement

This research was funded in part by the National Cryptologic Science Fund of China (No.2025NCSF02037), in part by the National Natural Science Foundation of China (62072369, 62072371), in part by the Youth Innovation Team of Shaanxi Universities (23JP160), in part by the Shaanxi Special Support Program Youth Top-notch Talent Program, in part by the Technology Innovation Leading Program of Shaanxi (2023-YD-CGZH-31), and in part by the Technology Innovation Guidance Special Fund of Shaanxi Province (2024QY-SZX-17).