Journals & Magazines >IEEE Access >Volume: 11

New Constructions of Equality Test Scheme Without Random Oracles

The paper introduces equality test to Waters's scheme. More precisely, the scheme can resist one-way against chosen-ciphertext attack selective-ID (OW-ID-CCA) security. W...

Abstract:

The proliferation of big data has brought exponential amount of increase in data that is being remotely stored around the globe. Thus, making it imperative to secure the ...Show More

Metadata

Abstract:

The proliferation of big data has brought exponential amount of increase in data that is being remotely stored around the globe. Thus, making it imperative to secure the remote data through some encryption mechanism to ensure privacy preservation. However, it often becomes difficult to perform operations over the encrypted data. In order to solve this problem, the equality test function based public key encryption (PKEwET) is proposed. PKEwET approach basically allows secure comparison over encrypted data without revealing the underlying data. This work aims to improve Water’s scheme while introducing a new functionality. More precisly, equality test is being introduced to Water’s scheme so that the encrypted data may be compared without decryption process. To achieve this, an authorization mechanism is being included in which the authorized party uses the trapdoor to test the ciphertext. The scheme is designed under standard model. The security of the proposed scheme is proved with two types of adversaries under the standard model. Finally, the superiority of the proposed scheme in terms of performance is also discussed.

The paper introduces equality test to Waters's scheme. More precisely, the scheme can resist one-way against chosen-ciphertext attack selective-ID (OW-ID-CCA) security. W...

Published in: IEEE Access ( Volume: 11)

Page(s): 49519 - 49529

Date of Publication: 16 May 2023

Electronic ISSN: 2169-3536

DOI: 10.1109/ACCESS.2023.3276446

Funding Agency:

Contents

SECTION I.

Introduction

The intensive release of data over the Internet has made it impossible for the people to store and process information in traditional ways. Such tasks are now being performed on remote servers. This dive has raised concerns to ensure security and privacy of remotely stored data. Such concerns are being addressed while presenting cryptographic protocols. However, with the advent of quantum computing and due to its high speed computations, some of the current cryptographic protocols are at the verge of breach. Thus, it is imperative to put forward more secure and privacy preservation techniques. With this aim, this paper presents a bilinear pairing based solution with the equality test in the standard model.

SECTION II.

Related Work

The method of equality test was first proposed by Yang et al [1]. It is a public key encryption (PKE) scheme that allows the performance of equality tests on the encrypted data using different public keys. In 2016, Hyung Tae Lee et al. introduced the computational Diffie Hellman problem (CDH) in the stochastic prediction stochastic model [2]. The chosen ciphertext attacks (CCA) security is implemented by adding message related values as input to the hash function of the encryption algorithm. In the same year, Majid Nateghizad et al. proposed a novel and efficient equality test method [3]. More precisely, by introducing algorithm mutation and an efficient exponential subroutine, data encapsulation is deployed. In 2017, Wang et al. proposed an encryption scheme for authorized equality test on ciphertexts (SEET) [4]. This scheme allows the data owner to authorize the testing stakeholder to compare the ciphertext without understanding the ciphertext data. In 2018, Sun et al. proposed the concept of attribute hidden predicate encryption equation test (AH-PE-ET) by introducing the concepts of attribute-based and equality test [5]. This inherits the advantages of predicate encryption and allows universal access control. Thus, the ciphertext and key are associated with the descriptive attribute $x$ and the Boolean function $f$ respectively. The ciphertext can be decrypted only when $x$ returns true. Nabeil Eltayieb et al. proposed a fine-grained attribute-based encryption supporting equality test (FGABEET) [6]. The scheme allows the cloud server to execute two ciphertext encrypts of the same message encrypted with the same access policy or with different access policies. In addition, cloud servers may also perform equivalent test operations. Thus, the user don’t need to know anything about messages encrypted under any access policy. Lin et al. proposed a general public key encryption with equality test (PKEETP) construction method [7]. This method can be easily extended to identity based settings. In addition, the authors also proposed a new protocol language, called signcryption with equality test (SCET). Compared with traditional PKEET, SCET provides both confidentiality and authentication.

In 2019, Zhang et al. proposed an identity based encryption approach and used it to design an efficient CCA2 security PKE scheme [8]. The scheme proposed by Wang et al. enables the sender to encrypt and sign messages simultaneously [9]. The proposed scheme specifies a testing stakeholder to perform equality tests on ciphertext. Wu et al. proposed pairing-free identity-based encryption scheme with authorized equality test [10]. Li et al. proposed an identity-based encryption with equality test supporting flexible authorization(IBEE-FA) [11]. In addition, it supports testing whether two ciphertext encrypted under different keys encapsulate the same messages or not. Hyung Tae Lee et al. employed an identity-based two-tier hierarchical encryption scheme for their universal construction [12]. The scheme can selectively resist the chosen plaintext attack. Ling et al. introduced group mechanism into PKEET for the first time and proposed a new primitive, group public key encryption with equality testing [13]. PKEET can resist attacks where a tester can guess a message offline and recover it from the given ciphertext.

In 2020, Wang et al. removed authorized duplicate data by flexibly removing encrypted data [14]. More precisely, the users can optimize their storage space by delegating their equality tests. This may enable the constrained users and mobile devices to be more efficient. Abdelrhman Hassan et al. proposed a certificateless PKE with authorized equality test (CLPKEAET) [15]. In details, the CLPKEAET scheme, authorizes cloud servers to check the equivalence of two different passwords composed of the same message. In the random oracle model (ROM), the construction of bilinear pairing is incorporated in the underlying scheme. The scheme is proved to be safe under the improved bilinear Diffie-Hellman assumption. In 2021, Lin et al. proposed a scheme of identity based encryption with equality test and date stamp-based authorization mechanism (IBEET-DBA) [16]. In the primitive, the data owner can control the effectiveness of the trap by embedding a date stamp in the trap. Cloud servers can only get correct equivalents on ciphertext generated during the trap door validity period. In 2022, Shen et al. proposed an efficient and verifiable group public key encryption algorithm with an equality test structure without bilinear pairs [17]. The scheme is based on the basic observation that two points determine a straight line. In 2023, Hanshu Hong and Zhixin Sun propose the paradigm of Conditional Public Key Encryption and Equality Testing (CPKEET) [26]. This paradigm allows a user to perform ciphertext testing only if he holds a valid certificate generated by the specified issuer server.

A. Our Contributions

Though the Water’s scheme is classical and practical, but it may be improved for more recent applications while introducing equality test [insert citation of Water’s scheme here]. To bridge this gap, an improved scheme is proposed in this paper. The improved scheme may be incorporated in various scenarios including Internet of Things, Cloud Services and Internet of Vehicles etc. The major contributions of this work are summarized as follows:

In order to make it more practicle, the paper introduces equality test to Waters’s scheme. More precisely, the paper proposes Identity-based encryption with equality test based on standard model. (IBEwET-S).
To prove the security of IBEwEST scheme, two types of attackers are introduced that have different permissions.
More precisely, for first type of attacker with the trapdoor, the scheme can resist one-way against chosen-ciphertext attack selective-ID (OW-ID-CCA) security. While for the attacker without trapdoor option, the scheme can resist indistinguishable against chosen-ciphertext attack selective-ID (IND-ID-CCA) security.
Through theoretical deduction, performance of the IBEwET-S scheme is verified. Our scheme is more efficient and practical as compared to other schemes supporting equality test based on standard model.

B. Outline of This Paper

The rest of this article is structured as follows: In Section III, the preliminary knowledge is introduced. The system models and the security models are discussed in Section IV and V, respectively. Section VI describes the details of the proposed algorithm. Section VII provides security proof of the proposed scheme. In Section VIII, the efficiency of the algorithm is evaluated experimentally. Finally, we summarize the work in Section IX.

SECTION III.

Preliminaries

A. Bilinear Map

Let $\mathbb {G}_{1}$ and $\mathbb {G}_{2}$ be two multiplicative cyclic groups of prime order $p$ . Suppose that $g$ is a generator of $\mathbb {G}_{1}$ . A bilinear map $e$ : $\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}$ satisfies the following properties:

Bilinear: For any $g \in \mathbb {G}_{1}$ and $a, b \in \mathbb {Z}_{p}, e(g^{a}, g^{b}) = e(g, g)^{ab}$ .

Non-degenerate: $e(g, g) \neq 1$ .

Computable: There is an efficient algorithm to compute $e(g, g)$ for any $g \in \mathbb {G}_{1}$ .

B. Decisional Bilinear DIFFIE-HELLMAN(DBDH) Assumption

In this algorithm, the challenger picks $a,b,c,z \in Z_{p}^{\ast}$ and flips coin $coin\in \{0,1\}$ randomly.

If $coin=0$ , $\mathcal {S}$ outputs $(g, g^{a},g^{b},g^{c},e(g,g)^{z})$ .
Otherwise, $\mathcal {S}$ outputs $(g, g^{a},g^{b},g^{c},e(g,g)^{abc})$ .

Then, the adversary $\mathcal {A}$ gives a guess of $coin$ .

C. Consistency

For the consistency property, these algorithms must satisfy the following three conditions:

When $d$ is the private key generated by Key Generation algorithm and $v$ is given as the public key, then
$\begin{equation*} \forall M \in \mathcal {M}:\text {Decrypt}(CT, d) = M,\end{equation*}$ View Source where $\begin{equation*} CT = \text {Encrypt}(v, M).\end{equation*}$ View Source
When $td_{A}$ and $td_{B}$ are trapdoors generated by Trapdoor algorithm and, $v_{A}$ and $v_{B}$ are given as the public keys, then
$\begin{equation*} \forall M \in \mathcal {M}: \text {Test}(CT_{A}, td_{A}, CT_{B}, td_{B}) = 1,\end{equation*}$ View Source where, $\begin{equation*} CT_{A} = \text {Encrypt}(v_{A}, M)\end{equation*}$ View Source and $\begin{equation*} CT_{B} =\text {Encrypt}(v_{B}, M).\end{equation*}$ View Source
When $td_{A}$ and $td_{B}$ are trapdoors generated by Trapdoor algorithm and, $v_{A}$ and $v_{B}$ are given as the public keys, then $\forall M \in \mathcal {M}$ and $\quad M \neq M^{\prime }:$
$\begin{equation*} \text {Pr}[\text {Test}(CT_{A}, td_{A}, CT_{B}, td_{B}) = 1]\end{equation*}$ View Source is negligible, where $\begin{equation*} CT_{A} = \text {Encrypt}(v_{A}, M)\end{equation*}$ View Source and $\begin{equation*} CT_{B} =\text {Encrypt}(v_{B}, M^{\prime }).\end{equation*}$ View Source Here $M\neq M^{\prime }$ holds.

D. Definitions

In this subsection, we present definitions of PKE security and correctness.

One-way against chosen-ciphertext attack (OW-ID-CCA) security: The attacker can decrypt queries at any time except for the target ciphertext $CT^{\ast}$ , and the corresponding message $M$ cannot be obtained from the public key and $CT^{\ast}$ .

Indistinguishable against chosen ciphertext attacks (IND-ID-CCA) security: The attacker can decrypt queries at any time except for the target ciphertext $CT^{\ast}$ , and selects $M_{0}$ and $M_{1}$ , then the challenger randomly selects $b\in \{0,1\}$ and generates the target ciphertext $CT^{\ast}$ by $M_{b}$ . The attacker cannot guess the value of $b$ by using ciphertext $CT^{\ast}$ .

SECTION IV.

System Models

The proposed scheme is comprised of four entities, the tester, the trusted third party and two user users. Detailed description is shown in Fig.3. The scheme is comprised of six algorithms: Setup, Extract, Trapdoor, Encrypt, Decrypt, Test, where $\mathcal {M}$ and $\mathcal {C}$ are its plaintext space and ciphertext space. The details of these are briefed as follows:

FIGURE 1.

OW-ID-CCA security model.

Show All

FIGURE 2.

IND-ID-CCA security model.

Show All

FIGURE 3.

System model.

Show All

Setup( $k$ ): It takes a security parameter and the public system parameter $p$ as inputs and returns the master key $msk$ .

Extract( $msk,v$ ): It takes $msk$ and an arbitrary identity $v \in \{0, 1\}^{\ast }$ as inputs and returns a private key $d$ for that identity.

Trapdoor( $msk,v$ ): It takes $msk$ and an arbitrary identity $v \in \{0, 1\}^{\ast }$ as inputs and returns a trapdoor $td$ for that identity.

Encrypt( $v,M$ ): It takes an identity $v \in \{0, 1\}^{\ast }$ and a plaintext $M \in \mathcal {M}$ as inputs and returns a ciphertext $CT \in \mathcal {C}$ .

Decrypt( $CT,d$ ): It takes a ciphertext $CT \in \mathcal {C}$ and a private decryption key $d$ as inputs and returns a plaintext $M \in \mathcal {M}$ .

Test( $CT_{A},d_{A}',CT_{B},d_{B}'$ ): It takes a ciphertext $CT_{A} \in \mathcal {C}$ of a receiver with $v_{A}$ , a trapdoor $td_{A}$ for the receiver with $v_{A}$ , a ciphertext $CT_{B}$ of a receiver with $v_{B}$ and a trapdoor $td_{B}$ for the receiver with $v_{B}$ as inputs and returns 1 if $CT_{A}$ and $CT_{B}$ contain the same message; Otherwise returns 0.

SECTION V.

Security Models

We describe two different types of adversaries based on the adversarial permissions as follows:

Type-1 adversary: We allow this adversary a trapdoor. So this type of adversary cannot recover the plaintext with the challenge ciphertext $CT^{\ast}$ .
Type-2 adversary: To this adversary, we do not allow the trapdoor. So this type of adversary cannot decide that the $CT^{\ast }$ is encrypted on which message.

First, we define OW-ID-CCA security to the Type-1 adversary in IBEwET-S scheme. The specific details are depicted in Fig.1,

Definition 1:

The IBEwET-S scheme is OW-ID-CCA sec- ure if for all OW-ID-CCA adversaries, $Adv^{OW-ID-CCA}_{IBEwET-S,\mathcal {A}}(k)$ = $\text {Pr}[M =M^{\prime }]$ is negligible.

Next, we define the IND-ID-CCA security to the Type-2 adversary in IBEwET-S. The specific details are depicted in Fig.2,

Definition 2:

The IBEwET-S scheme is IND-ID-CCA sec- ure if for all IND-ID-CCA adversaries, $Adv^{IND-ID-CCA} _{IBEwET-S,\mathcal {A}} (k) = |\text {Pr}[b =b^{\prime }] - \frac {1}{2}|$ is negligible.

SECTION VI.

Proposed Scheme

In this section, we provide a detailed construction for the IBEwET-S scheme as follows:

Setup( $k$ ) Given a security parameter $k\in \mathbb {Z}^{+}$ , the algorithm works as follows:

Step 1:
Let identities composed of bitstrings of arbitrary length $n$ be the output length of a collision-resistant hash function, $H:\{0,1\}^{\ast}\rightarrow \{0,1\}^{n}$ .
Step 2:
Generate the pairing parameters including two groups $\mathbb {G}_{1}, \mathbb {G}_{2}$ of prime order $p$ , and an admissible bilinear map $e:\mathbb {G}_{1}\times \mathbb {G}_{1}\rightarrow \mathbb {G}_{2}$ . A secret $\alpha \in \mathbb {Z}_{p}$ is chosen at random. We choose a random generator $g \in \mathbb {G}_{1}$ and set the value $g_{1}=g^{\alpha }$ and select $g_{2}$ randomly in $\mathbb {G}_{1}$ . Additionally, the authority chooses a random value $u^{\prime } \in \mathbb {G}_{1}$ and a random $n$ -length vector $U=(u_{i})$ , whose elements are chosen at random from $\mathbb {G}_{1}$ . The algorithm outputs the public key $pk=\langle g,g_{1},g_{2},u^{\prime },U\rangle$ . The master secret are $g_{1}^{\alpha }$ and $g_{2}^{\alpha }$ .

Key Generation( $pk,msk$ ) Let $v$ be an $n$ bitstring representing an identity, $v_{i}$ denotes the $i$ th bit of $v$ , and $\nu \subseteq \{1,\ldots,n\}$ be the set of all $i$ for which $v_{i}$ = 1. (That is $V$ is the set of $f$ indices for which the bit string $v$ is set to 1.) Secret key $sk=(d,d^{\prime })$ . First, choose two numbers $(s,s^{\prime })\in \mathbb {Z}^{2}_{p}$ . Then the secret key is constructed as follows:

$\begin{equation*} d^{\prime }=\left({g^{\alpha }_{1}\left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{s},g^{s}}\right) \qquad d=\left({g^{\alpha }_{2}\left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{s^{\prime }},g^{s^{\prime }}}\right)\end{equation*}$ View Source

Let

$d^{\prime }=(d_{1}^{\prime },d_{2}^{\prime }),d=(d_{1}, d_{2})$

Encrypt( $pk,M$ ) The message $M\in \mathbb {G}_{1}$ is encrypted for an identity $v$ as follows. Three numbers $(r_{1},r_{2},r_{3})\in \mathbb {Z}^{3}_{p}$ are selected as random. Set the ciphertext $CT=(C_{1},C_{2},C_{3})$ to be

$\begin{align*} C_{1}=&g^{r_{1}}\qquad C_{2}=\left({M^{r_{1}}e(g_{1},g_{2})^{r_{2}},g^{r_{2}},\left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{r_{2}}}\right)\\ C_{3}=&\left({(M||r_{1})e(g_{1},g_{2})^{r_{3}},g^{r_{3}},\left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{r_{3}}}\right)\end{align*}$ View Source

Decrypt( $CT,sk$ ) Let $C_{2}=(C^{1}_{2},C^{2}_{2},C^{3}_{2})$ and $C_{3}=(C^{1}_{3},C^{2}_{3},C^{3}_{3})$ . To decrypt $C$ using the secret key $sk=(d^{\prime },d)$ ,

$\begin{align*}&\hspace {-2pc}C^{1}_{3}\frac {e(d_{2},C^{3}_{3})}{e(d_{1},C^{2}_{3})} \\=&\big ((M||r_{1})e(g_{1},g_{2})^{r_{3}}\big)\frac {e\left({g^{s^{\prime }}, \left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{r_{3}}}\right)}{e\left({g^{\alpha }_{2} \left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{s^{\prime }},g^{r_{3}}}\right)} \\=&\big ((M||r_{1})e(g_{1},g_{2})^{r_{3}}\big)\frac {e\left({g^{s^{\prime }}, \left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{r_{3}}}\right)}{e(g_{1},g_{2})^{r_{3}}e\left({g^{s^{\prime }}, \left({u^{\prime }\prod _{i\in \nu }u_{i}}\right)^{r_{3}}}\right)} \\=&M||r_{1} \tag{1}\end{align*}$ View Source

and it outputs

$M$

if the following equalities hold.

$\begin{equation*} C_{1}=g^{r_{1}}\qquad \qquad C^{1}_{2}\frac {e(d_{2}^{\prime },C^{3}_{2})}{e(d_{1}^{\prime },C^{2}_{2})}=M^{r_{1}}\end{equation*}$

View Source

The authorization and test algorithm:

To decide whether $M_{A}=M_{B}$ assume A and B as two user in the system. $CT_{A}=(C_{1A},C_{2A},C_{3A})=Encrypt(M_{A},pk_{A})$ is ciphertext from A and $C_{2A}=(C_{2A}^{1},C_{2A}^{2},C_{2A}^{3})$ , $CT_{B}=(C_{1B},C_{2B},C_{3B})=Encrypt(M_{B},pk_{B})$ is ciphertext from B and $C_{2B}=(C_{2B}^{1},C_{2B}^{2},C_{2B}^{3})$ .

Authorization algorithm(Auth):
For A, the trapdoor is $td_{A}=(d_{1A}^{\prime },d_{2A}^{\prime })$ ;
For B, the trapdoor is $td_{B}=(d_{1B}^{\prime },d_{2B}^{\prime })$ ;
Test algorithm(Test):
The algorithm computes:
$\begin{align*} X_{A}=&C^{1}_{2A}\frac {e(d_{2A}^{\prime },C^{3}_{2A})}{e(d_{1A}^{\prime },C^{2}_{2A})}\\ X_{B}=&C^{1}_{2B}\frac {e(d_{2B}^{\prime },C^{3}_{2B})}{e(d_{1B}^{\prime },C^{2}_{2B})}\end{align*}$
While $X_{A}$ , $C_{1A}$ and $X_{B}$ , $C_{1B}$ are used to check the following:
$\begin{equation*} e(C_{1B},X_{A})=e(C_{1A},X_{B}).\end{equation*}$ View Source

If $M_{A}=M_{B}$ then it outputs 1, otherwise 0.

Theorem 1:

The above IBEwET-S scheme satisfies the consistency property.

Proof:

We now show that the three conditions are satisfied.

For the first condition, it is straightforward to be verified.
For the second condition, assuming the ciphertexts are well-formed for $v_{A}$ and $v_{B}$ :
$\begin{align*} e(C_{1,A},X_{B})=&e(g^{r_{1,A}},M_{B}^{r_{1,B}})=e(g,M_{B})^{r_{1,A}r_{1,B}}\\ e(C_{1,B},X_{A})=&e(g^{r_{1,B}},M_{A}^{r_{1,A}})=e(g,M_{A})^{r_{1,B}r_{1,A}}\end{align*}$ View Source If $M_{A}=M_{B}$ , then $e(C_{1,A},X_{B})=e(C_{1,B},X_{A})$ . So the test algorithm outputs 1 as desired.
For the third condition, for any $M_{A}\neq M_{B}$ , it means that $e(g,M_{B})^{r_{1,A}r_{1,B}}\neq e(g,M_{A})^{r_{1,A}r_{1,B}}$ . Then, Test $(CT_{A},td_{vA},CT_{B},td_{vB})=0$ , we claim that $\text {Pr}[\text {Test}(CT_{A},td_{vA},CT_{B},td_{vB})=1]$ is negligible.

SECTION VII.

Security Analysis

Now, we prove the security of the proposed scheme.

Theorem 2:

The proposed scheme is OW-ID-CCA secure, assuming the DBDH assumption holds to the Type-1 adversary.

Proof:

Suppose there exists an adversary, $A_{1}$ , against our scheme. We construct a simulator, $\mathcal {B}$ , to play the DBDH game. The simulator takes DBDH challenge( $g,A=g^{a},B=g^{b},C=g^{c},Z$ ) and outputs a guess, $M'$ , as to whether the challenge is a DBDH tuple.

The simulator runs the game executing the following steps.

The setup algorithm is shown in Fig.4. The simulator outputs $pk$ to $A_{1}$ .
The Phase 1 queries are shown in Fig.5. $A_{1}$ can perform the following queries, such as the $sk$ of $v$ , decryption, trapdoor queries.
The challenge is shown in Fig.6. After phase 1, $A_{1}$ picks $v^{\ast}$ randomly to the simulator, and the simulator outputs $CT^{\ast}$ to $A_{1}$ .
This step is similar to phase 1, in Phase 2, just some restrictions as shown in Fig.7. Here, $v\neq v^{\ast}$ and $CT\neq CT^{\ast}$ .
Finally, $A_{1}$ outputs a guess $M'$ as in Fig.8.

FIGURE 4.

Setup of Game 1.

Show All

FIGURE 5.

Phase 1 of Game 1.

Show All

FIGURE 6.

Challenge of Game 1.

Show All

FIGURE 7.

Phase 2 of Game 1.

Show All

FIGURE 8.

Guess of Game 1.

Show All

Theorem 3:

Our scheme is IND-ID-CCA secure, assuming the DBDH assumption holds to the Type-2 adversary.

Proof:

Suppose there exists an adversary, $A_{2}$ , against our scheme. We construct a simulator, $\mathcal {B}$ , to play the DBDH game. The simulator takes DBDH challenge( $g,A=g^{a},B=g^{b},C=g^{c},Z$ ) and outputs a guess, $b'$ , as to whether the challenge is a DBDH tuple.

The simulator runs the game executing the following steps.

The setup algorithm is shown in Fig.9. The simulator outputs $pk$ to $A_{2}$ .
The phase 1 queries are shown in Fig.10. $A_{2}$ can perform the following queries, such as the $sk$ of $v$ , decryption, trapdoor queries.
The challenge is shown in Fig.11. After phase 1, $A_{2}$ picks $v^{\ast}$ and $M_{0},M_{1}\in \mathbb {G}_{1}$ randomly to the simulator, and the simulator outputs $CT^{\ast}$ to $A_{2}$ .
This step is similar to phase 1, just some restrictions as shown in Fig.12. Here, $v\neq v^{\ast}$ in key and trapdoor queries, in decryption queries $CT\neq CT^{\ast}$ .
Finally, $A_{2}$ outputs a guess $b'$ as in Fig.13.

FIGURE 9.

Setup of Game 2.

Show All

FIGURE 10.

Phase 1 of Game 2.

Show All

FIGURE 11.

Challenge of Game 2.

Show All

FIGURE 12.

Phase 2 of Game 2.

Show All

FIGURE 13.

Guess of Game 2.

Show All

Theorem 4:

If the simulator takes $O(\epsilon ^{-2}ln(\epsilon ^{-1})\lambda ^{-1}\,\,ln(\lambda ^{-1}))$ samples when computing the estimate $\eta ^{\prime }$ , then $\left({\frac {1}{2}+\epsilon }\right)\text {Pr}[\overline {\text {abort}}|\gamma ^{\prime }=\gamma]-\left({\frac {1}{2}-\epsilon }\right)\text {Pr}[\overline {\text {abort}}|\gamma ^{\prime }=\gamma]\geq \frac {3}{2}\lambda \epsilon$ (a lower bound $\lambda = \left.\frac {1}{8(n+1)q}\right)$ .

Detailed proof of Theorem 4 is in reference [22].

SECTION VIII.

Performance Analysis

In Table 1, the comparison of IBEwET-S scheme with some related schemes is detailed. The comparison is performed with respect to 8 aspects including encryption algorithm, decryption algorithm, test algorithm, supporting test algorithm, two types of security levels, random oracle and standard models. The number of operations are counted from exponential and bilinear pairing operations in encryption, decryption and test algorithms. The first column depicts the references of comparison schemes (including ours). The second to fourth columns show the computational costs in terms of encryption, decryption and testing algorithms. The fifth column indicates whether the scheme supports the test algorithm, and the sixth to seventh columns indicate the security level that the scheme achieves. The eighth and ninth columns show that the schemes are safe under the random oracle model or standard model.

TABLE 1 The Comparison of Computational Complexity

SECTION IX.

Conclusion

In this paper, we propose a new scheme of IBEwET-S based on the IBEET scheme which is proven secure in standard model. The comparison depict that the proposed sheme has a higher security profile. More precisely, the proposed scheme combines the test algorithms to enable flexible authorization equality testing in ciphertext. The scheme achieves security level of OW/IND-ID-CCA, which can be directional if the adversary is given a trapdoor, and indistinguishable if the adversary does not get a trapdoor. Currently, several schemes have proved to be secured and offer testing algorithms in the standard model, however, fewer schemes are applied to practice. We claim that the proposed scheme is more practical as proved by comparative anlysis, hence, it can be applied to more scenarios.

References is not available for this document.

New Constructions of Equality Test Scheme Without Random Oracles

Abstract:

Metadata

Abstract:

Funding Agency:

Introduction