Revocable Certificateless Public Key Encryption With Outsourced Semi-Trusted Cloud Revocation Agent

Certificateless public key cryptography (CL-PKC) not only eliminates the need for certificates in traditional certificate-based PKC but also solves the inherent key escrow problem in identity-based PKC. However, an unsolved but critical issue in CL-PKC is how to revoke a misbehaving user. Some revocable certificateless public key encryption (RCL-PKE) schemes have been proposed, but these schemes have two main drawbacks: 1) public key uniqueness is not guaranteed, thus allowing the existence of multiple copies of each initial secret key. 2) The existing outsourced RCL-PKE schemes place excessive trust in the cloud server, which may continue to update decryption keys stealthily for misbehaving users. In this paper, we address these issues by proposing a novel RCL-PKE with semi-trusted cloud revocation agents (s-CRAs). We describe the framework and the security model for the RCL-PKE with s-CRA and prove that the proposed scheme is semantically secure against adaptive chosen-ciphertext attacks under the bilinear Diffie-Hellman assumption in the random oracle model. Furthermore, we compare the proposed scheme with previous RCL-PKE schemes in terms of performance and robustness. The evaluation results show that the proposed scheme achieves public key uniqueness and reliable revocation flexibility at low computational and communication costs.


I. INTRODUCTION
In traditional public key infrastructure (PKI), certificates bind public keys to the identities of the holders of the corresponding private keys, and a Certification Authority (CA) provides assurance of these bindings by signing the certificates. However, senders must verify the validity of a certificate before encrypting a message under the receiver's public key, and the management of certificates raises a number of issues. First, it is challenging to handle a large number of certificates in large distributed systems, especially the verification of certificate chains signed by intermediate CAs. Second, certificate management operations, such as revoking misbehaving users, incur too much overhead. Efficient revocation has been well studied in traditional PKI [7], [8], [19]-[24], and mechanisms such as the certificate revocation list (CRL) and the online certificate status protocol (OCSP) have been introduced to PKI to revoke users. These methods enhance system robustness but lead to large computational and communication costs.

The associate editor coordinating the review of this manuscript and approving it for publication was Ana Lucila Sandoval Orozco.
To eliminate the need for certificates, Shamir [25] proposed identity-based public key cryptography (ID-PKC), in which the user's public key is its identity information. Thereafter, Boneh and Franklin [1] proposed the first practical identity-based encryption (IBE) scheme using the Weil pairing on elliptic curves. Subsequently, many identity-based public key schemes have been proposed [2], [3], [5], [6], [8]-[12], [16], [17], [26], [27], [42], [43]. In ID-PKC, private keys are generated for entities by a trusted third party called the private key generator (PKG). However, the dependence on the PKG, which uses a system-wide master key to generate private keys, inevitably introduces the key escrow problem into ID-PKC systems, in the sense that the PKG can decrypt any ciphertext for any user or forge any entity's signatures [32].

VOLUME 8, 2020. This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
To address the built-in key escrow feature of ID-PKC, certificateless public key cryptography (CL-PKC) was proposed by Al-Riyami and Paterson [33]. The core concept of the scheme to eliminate the need for a certificate is that the user's public key is implicitly bound to user identity (that is to say, the ciphertext corresponds to both the public key and the user's identity). Meanwhile, the user's private key consists of two components, a partial private key and a secret value, which are dominated by the PKG and the user, respectively. Hence, CL-PKC avoids the key escrow problem in ID-PKC and does not suffer the overhead of certificate management operations, which makes it a promising public key paradigm. Since then, CL-PKC has attracted much attention, and many studies have been published [4], [13], [14], [18], [30]- [41].

A. RELATED WORK
Due to the security threats posed by expired or misbehaving users, the public key system (PKS) must provide a revocation mechanism to revoke them. However, CRL and OCSP are not suitable for CL-PKC, and there is little work in the literature about the revocation mechanism in CL-PKC. Since the revocation mechanism of CL-PKC is essentially identical to ID-PKC, we discuss a few recently proposed revocable schemes of both paradigms.
Boneh and Franklin [1] suggested a trivial revocation mechanism in which the public key is composed of user identity and the current time period, and users update their private keys periodically. Unfortunately, PKG must generate keys and send them securely for all non-revoked users. Boneh et al. [2] and Libert et al. [3] presented another way to revoke users where each ciphertext is decrypted with the help of a semi-trusted third party called a mediator who holds shares of all users' private keys. The revocation is achieved when the mediator simply stops issuing the secret shares of revoked users. This method was developed by Ju et al. [4] to construct a mediated certificateless public key encryption scheme (mCL-PKE). However, the mediator must remain online and remains the bottleneck of the network.
To mitigate the workload of the PKG for key updates and enable non-revoked users to decrypt ciphertexts on their own, Boldyreva et al. [5] proposed the first revocable IBE (RIBE) scheme, proved secure in the selective-revocable-ID (sRID) model. Their RIBE is based on Fuzzy IBE [6] and reduces the total number of participants in key updates from linear to logarithmic by introducing a binary complete subtree [7], [8]. Nevertheless, their scheme suffers from significant computational and communication overhead: 1) The scheme requires 12 exponentiations to encrypt a message and 4 pairing computations to decrypt a message. 2) Each user needs to store up to 3 log n elliptic curve elements as secret keys, where n is the number of users. These drawbacks make the scheme unacceptable for resource-constrained environments. Thereafter, Libert and Vergnaud [9] enhanced the security notions and proposed an adaptive-ID secure RIBE scheme. Considering the delegation of both key generation and revocation functionalities, Seo and Emura [10] proposed revocable hierarchical IBE (RHIBE). The authors then revisited their construction and presented a new history-free update method [11].
To remove the secure channel between each user and the PKG to securely transmit the user's periodic private keys, Tseng and Tsai [12] proposed an RIBE scheme with a public channel. Furthermore, they transplanted this concept to CL-PKC and proposed the first revocable certificateless public key encryption (RCL-PKE) [13]. The authors provided an efficient revocation method to divide the user private key into an identity-related initial key and a time-related time update key. The identity key is associated with user identity and is fixed, which is securely transmitted to the user. The time update key is associated with the current time period and each user's identity. The PKG periodically generates current time update keys for non-revoked users and publishes them through a public channel. Shen et al. [14] proposed an efficient CCA2-secure RCL-PKE scheme in the standard model based on the decisional truncated q-ABDHE assumption and decisional bilinear Diffie-Hellman (DBDH) assumption. However, Shen et al.'s scheme was later shown to be insecure [15].
With the rapid development of cloud computing, some schemes outsource complicated computing tasks (i.e., key updates) to a powerful cloud server. By introducing a key update cloud service provider (KU-CSP) into IBE, Li et al. [16] proposed an outsourced cloud-aided revocable IBE scheme. They used a technique similar to that of [12] and migrated the key update load to the cloud server to relieve the PKG. Hereafter, Tseng et al. [17] built on [16] to propose another cloud-aided RIBE with a cloud revocation authority (CRA), which overcomes the shortcoming of [16] that the KU-CSP must keep a time key for each user and consequently does not scale. Recently, Tseng and Tsai [18] further proposed a delegated RCL-PKE scheme in the standard model to reduce the workload of the PKG.

B. MOTIVATIONS
To the best of our knowledge, the revocation mechanism in CL-PKC has not received much attention. The proposed RCL-PKE schemes have two main drawbacks.
First, the public key uniqueness is not guaranteed since the public key is not bound to the initial secret key in [13], [14], [18] (i.e., the initial secret key in [13], [18] and the initial partial private key in [14]); the public key generation algorithm in these works allows users to create more than one public key for the same initial secret key. Conversely, the PKG may replace the public key to impersonate legal users.
Second, the efficient outsourced schemes [12], [16], [18] place excessive trust in the cloud server. In other words, the cloud server in these schemes is regarded as a secure, well-resourced and patulous PKG. In fact, we cannot expect the cloud to be as honest as the PKG. Although a curious cloud server cannot decrypt the messages of certain users, it can still secretly generate time update keys for revoked users to obtain illegal income, especially when multiple cloud servers are deployed in the system and share the common master time key.

C. OUR CONTRIBUTIONS
In this paper, we propose a novel revocable certificateless public key encryption scheme with outsourced semi-trusted cloud revocation agent (s-CRA) to address the multiple public key and dishonest cloud server problems mentioned before. We investigate the security notions for RCL-PKE [13], [14], [18], [29], [30] and enhance our scheme to resist new possible threats, i.e., the greedy cloud server. In our new RCL-PKE security model, we consider four types of adversaries: the Type-I adversary (the revoked user), Type-II adversary (outside attacker), Type-III adversary (the curious PKG) and Type-IV adversary (the greedy cloud revocation agent). We describe our proposed scheme in detail and analyze its security under the bilinear Diffie-Hellman (BDH) assumption. We prove that our scheme is semantically secure against adaptive CCA in the random oracle model. We also provide performance evaluation of our proposed scheme and comparison with other RCL-PKE schemes.

D. ORGANIZATION
The rest of the paper is organized as follows. Section II provides preliminary information, including the definition of bilinear pairing and computational assumptions. Section III describes the framework of an RCL-PKE scheme with outsourced semi-trusted cloud revocation agent and its security model. Section IV describes our proposed RCL-PKE scheme in detail. We analyze the security of our scheme in section V. Section VI presents the performance evaluation and comparisons of our scheme. Finally, the conclusions are offered in Section VII.

II. PRELIMINARIES
In this section, we introduce the concept of bilinear pairings and computational assumptions required in this paper.

A. BILINEAR PAIRINGS
Let G be an additive cyclic group of large prime order q, let P be a generator of G, and let $G_T$ be a multiplicative cyclic group of the same order q. A bilinear pairing is a map $\hat{e}: G \times G \to G_T$ satisfying:
1) Bilinearity: $\hat{e}(xP, yQ) = \hat{e}(P, Q)^{xy}$ for all $P, Q \in G$ and $x, y \in \mathbb{Z}_q^*$.
2) Non-degeneracy: there exist $P, Q \in G$ such that $\hat{e}(P, Q) \neq 1_{G_T}$.
3) Computability: there exists a polynomial-time algorithm to compute $\hat{e}(P, Q)$ for all $P, Q \in G$.

B. COMPUTATIONAL ASSUMPTIONS
Bilinear Diffie-Hellman (BDH) problem. Given $P, aP, bP, cP \in G$ for unknown $a, b, c \in \mathbb{Z}_q^*$, compute $\hat{e}(P, P)^{abc} \in G_T$.
Definition 1 (BDH Assumption): Given $P, aP, bP, cP \in G$ for some $a, b, c \in \mathbb{Z}_q^*$, there is no probabilistic polynomial time (PPT) algorithm that can solve the BDH problem. The advantage of an adversary A is $\mathrm{Adv}_A = \Pr[A(P, aP, bP, cP) = \hat{e}(P, P)^{abc}]$.

III. SYSTEM FRAMEWORK AND SECURITY MODEL
In this section, we describe the system framework of RCL-PKE with outsourced s-CRA and its security model.

A. SYSTEM FRAMEWORK
The proposed scheme involves three parties: the PKG, the s-CRAs and the users. At the beginning of the system initialization stage, the PKG generates and publishes the system parameters and sends a secret master time key share to each s-CRA. Then, each user selects a secret value and, with the system parameters, outputs its public key. The PKG then issues the partial identity key for each user from its master secret key, the user's identity and the user's public key. Each s-CRA issues and updates the user's time update key share with its own master time key share according to the revocation list. If a user is revoked, an honest s-CRA refuses to generate the time update key share for it. If a user receives t time update key shares from the n s-CRAs, where n is the number of s-CRAs and t is the threshold, the user can recover its own time update key and decrypt messages. The system framework is presented in Fig. 1.
1) System setup. The PKG takes a security parameter λ, the number of s-CRAs n, the threshold t, and the total number of time periods I as inputs. The algorithm outputs a master secret key α, a master time key β, the partitions $\beta_j$ (j = 1, …, n) of the master time key, and the public parameters params, which are published to all users in the system.
2) Set public key. The user with identity ID runs this algorithm, takes params and a randomly selected secret value $s_{ID}$ as inputs, and outputs its public key $P_{ID}$.
3) Partial identity key extract. The PKG takes the master secret key α, the user identity ID and the user public key $P_{ID}$ as inputs. The algorithm outputs the user's partial identity key $D_{ID}$ and sends it via a secure channel.
4) Identity key extract. The user with identity ID runs this algorithm, takes the partial identity key $D_{ID}$ and its secret value $s_{ID}$ as inputs, and outputs the user's identity key $IK_{ID}$.
5) Time key update. For a time period i, each s-CRA takes its own master time key share $\beta_j$ and a user's identity ID as inputs. The algorithm outputs the user's time update key share $T_{ID,i,j}$, one of the shares of the time update key $T_{ID,i}$.
6) Encryption. For a time period i, the algorithm takes a user's identity ID, the user's public key $P_{ID}$, and a message M as inputs. The algorithm outputs a ciphertext C.
7) Decryption. The algorithm takes a ciphertext C, the user's identity key $IK_{ID}$, and the user's time update key $T_{ID,i}$ as inputs. The algorithm outputs a plaintext M, or outputs ⊥ to indicate a decryption failure.

B. SECURITY MODEL
We modify the security notions for RCL-PKE [13], [14], [18], [29] so that our scheme resists a new possible threat, i.e., the greedy cloud server. An RCL-PKE is semantically secure against an adaptive RCL indistinguishability CCA (RCL-IND-CCA) adversary if no PPT adversary A has a non-negligible advantage against the challenger B in the RCL-IND-CCA game. We first consider the following four types of adversaries.

1) TYPE-I ADVERSARY A I (A REVOKED USER)
This adversary is defined as a revoked user with identity ID * who used to be a legal user and has been revoked by the PKG at some time period i * . Such an adversary tries to obtain valuable information from ciphertext encrypted at or after period i * and may collude with others. Therefore, such a Type-I adversary is allowed to obtain the identity key of every user and is able to obtain the time update key of all the users at arbitrary periods, except the target time update key of identity ID * at period i * .

2) TYPE-II ADVERSARY A II (AN OUTSIDE ATTACKER)
This adversary is defined as an outside attacker who aims to obtain valuable information from the ciphertext of the target identity ID * . Since the time update keys are published via a public channel, the attacker can obtain the time update key for the target identity. Therefore, such a Type-II adversary can obtain all of the time update keys and the identity key of any user, except the target identity ID * .

3) TYPE-III ADVERSARY A III (A CURIOUS PKG)
This adversary is defined as a curious PKG who has access to the master secret key α and the master time key β. Such a Type-III adversary can compute partial identity keys and generate time update keys for its own use. The adversary can also request public keys and make identity key extraction queries and decryption queries of its choice.

4) TYPE-IV ADVERSARY A IV (A GREEDY s-CRA)
This adversary is defined as a greedy s-CRA who has access to its own master time key share $\beta_j$ and stealthily issues time update key shares for illegal users. Although the greedy s-CRA cannot decrypt the ciphertext of the target user $ID^*$, the agent helps the target user obtain the plaintext. That is, the adversary is allowed to obtain the identity key of every user and is able to obtain a limited number of the time update key shares of the target user.
We define the security model of an RCL-PKE with outsourced s-CRA through the following game between a challenger and one of the above adversaries.

Definition 3 (RCL-IND-CCA):
We say that an RCL-PKE is semantically secure against an adaptive RCL indistinguishability CCA (RCL-IND-CCA) adversary if no PPT adversary A has a non-negligible advantage against the challenger B in the following RCL-IND-CCA game.
System setup. The challenger B runs the system setup algorithm to output $G, G_T, \hat{e}$, a group generator $P \in G$, the master secret key α, the master time key β, the partitions $\beta_j$ (j = 1, …, n) of the master time key, and the public parameters params. It then forwards params to the adversary A. Meanwhile, B gives the master secret key α to A if A is the Type-III adversary, or B gives at most t master time key shares $\beta_j$ (j = 1, …, t, t < n) to A if A is the Type-IV adversary. Otherwise, B keeps α and β secret.
Phase 1. The adversary A is allowed to issue the following queries in an adaptive manner.
Public key request query (ID). Upon receiving such a query for an identity $ID \in \{0, 1\}^*$, B runs the public key extract algorithm to generate a proper public key $P_{ID}$ and sends it back to A.
Public key replace query (ID, $P_{ID}$). The adversary A is allowed to replace the public key associated with identity ID by a $P_{ID}$ of its choice. The challenger B uses the current value of an entity's public key in any computation (e.g., preparing a challenge ciphertext) or response to A's requests (e.g., replying to a request for the public key). Note that A cannot both replace the public key of the challenge identity $ID^*$ before the challenge phase and extract the partial identity key of $ID^*$ in some phase.
Partial identity key extract query (ID, $P_{ID}$). When A issues such a query with (ID, $P_{ID}$), B runs the partial identity key extract algorithm to generate the partial identity key $D_{ID}$ and sends it back to A.

Secret value extract query (ID). Upon receiving such a query for an identity $ID \in \{0, 1\}^*$, B returns the associated secret value $s_{ID}$ to A. The restriction is that A cannot extract the secret value $s_{ID^*}$ of an identity $ID^*$ for which a public key replace query has been issued.
Time key update query (ID, i). When A issues such a query for an identity $ID \in \{0, 1\}^*$ and a period i, B runs the time key update algorithm to generate the proper time update key $T_{ID,i}$ and sends it back to A.
Decryption query (C, ID, i). Upon receiving the query with the ciphertext C, the identity $ID \in \{0, 1\}^*$ and the period i, B runs the key extract algorithm and the time key update algorithm to obtain the private key pair $(IK_{ID}, T_{ID,i})$. Then, the challenger B runs the decryption algorithm to decrypt the ciphertext C and returns the plaintext M to A.
Challenge. The adversary A generates two different plaintexts $(M_0, M_1)$ of the same bit length, then sends a target identity $ID^*$, a target period $i^*$ and $(M_0, M_1)$ to the challenger B. The challenger B flips a random coin $\gamma \in \{0, 1\}$, computes the ciphertext $C^* = E(ID^*, P_{ID^*}, i^*, M_\gamma)$ and returns $C^*$ to A. The restrictions for the different types of adversaries are as follows.
1) If A is the Type-I adversary, we require that A cannot issue the time key update query with (ID * , i * ) in Phase 1.
2) If A is the Type-II adversary, we require that A cannot issue the partial identity key extract query with ID * in Phase 1.
3) If A is the Type-III adversary, we require that A cannot simultaneously issue the secret value extract query and public key replace query with ID * in Phase 1.

4) If A is the Type-IV adversary, the restrictions are partially identical to those of the Type-I adversary.
Phase 2. The adversary adaptively issues more queries as in Phase 1, with the restriction that A cannot issue the decryption query with $(ID^*, i^*, C^*)$. The other restrictions are the same as those in Phase 1 and the Challenge phase.
Guess. The adversary A outputs a guess $\gamma'$ for γ. The advantage of the adversary A in attacking the RCL-IND-CCA scheme is defined as $\mathrm{Adv}_A(\lambda) = |\Pr[\gamma' = \gamma] - 1/2|$.

IV. PROPOSED RCL-PKE SCHEME
In this section, we describe our proposed RCL-PKE with outsourced s-CRA scheme. As defined in section III, our scheme is specified by seven algorithms: System setup, Set public key, Partial identity key extract, Identity key extract, Time key update, Encryption and Decryption algorithms.
System setup:
1. The PKG takes a security parameter λ and generates $(G, G_T, \hat{e})$, where G is an additive cyclic group and $G_T$ is a multiplicative cyclic group of prime order $q > 2^\lambda$, and $\hat{e}: G \times G \to G_T$ is a bilinear map.
2. The PKG chooses an arbitrary generator $P \in G$.
3. The PKG takes a maximal period number I as input, randomly chooses two secret values $\alpha, \beta \in \mathbb{Z}_q^*$ and sets $P_0 = \alpha \cdot P$ and the cloud public key $C_{pub} = \beta \cdot P$. α and β are the master secret key and the master time key, respectively.
4. The PKG selects four cryptographic hash functions $H_1, H_2, H_3, H_4$. Here, l is the bit length of plaintexts.
5. The PKG takes the threshold t and randomly generates a polynomial of degree t − 1, $f(x) = \beta + a_1 x + \cdots + a_{t-1} x^{t-1}$. Then, the PKG evaluates the master time key shares $\beta_j = f(j)$ (j = 1, …, n), where n is the number of s-CRAs. Thereafter, the PKG securely transmits the master time key share $\beta_j$ to $\text{s-CRA}_j$. The system parameters are $params = \langle G, G_T, \hat{e}, P, P_0, C_{pub}, H_1, H_2, H_3, H_4 \rangle$.
Set public key: This algorithm takes params and the user's randomly selected secret value $s_{ID} \in \mathbb{Z}_q^*$ as inputs and outputs the public key $P_{ID} = (X_{ID}, Y_{ID})$, where $X_{ID} = s_{ID} P$ and $Y_{ID} = s_{ID} P_0 = s_{ID} \alpha P$.
Partial identity key extract: Upon receiving the public key $P_{ID}$ of an authorized user with identity $ID \in \{0, 1\}^*$, the PKG uses the master secret key α to compute the corresponding partial identity key $D_{ID}$ by the following steps:
1. Computes $Q_{ID} = H_1(ID, P_{ID}) \in G$.
2. Outputs the partial identity key $D_{ID} = \alpha \cdot Q_{ID}$ and sends it to the user over a secure channel.
Notice that the user can verify the correctness of the partial identity key $D_{ID}$ by checking $\hat{e}(D_{ID}, P) = \hat{e}(Q_{ID}, P_0)$.
Identity key extract: The algorithm takes params, the user's partial identity key $D_{ID}$ and the user's secret value $s_{ID} \in \mathbb{Z}_q^*$ as inputs. It then computes the identity key $IK_{ID} = s_{ID} \cdot D_{ID} = s_{ID} \alpha Q_{ID} \in G$.
Time key update: To generate the time update key periodically, each $\text{s-CRA}_j$ uses its own master time key share $\beta_j$ to compute the time update key share $T_{ID,i,j}$ at period i for the user with identity $ID \in \{0, 1\}^*$ by the following steps:
1. Computes $R_{ID,i} = H_2(ID, i) \in G$.
2. Outputs the time update key share $T_{ID,i,j} = \beta_j \cdot R_{ID,i}$.
Finally, each $\text{s-CRA}_j$ sends the time update key share $T_{ID,i,j}$ to the user via a public channel. By interpolating t time update key shares, a valid user can recover the time update key $T_{ID,i}$.
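The polynomial sharing of β from setup step 5 together with the share issuance and interpolation of the time key update step, as an added example that is not part of the paper: it models the additive group G by the integers modulo a prime, so the scalar multiplication $\beta_j \cdot R_{ID,i}$ becomes modular multiplication and no pairing library is needed, and it stands in for $H_2$ with SHA-256. The prime, identities, periods, seed and the greedy-agent set are constructed values; the honest-agent refusal follows the revocation rule of Section III.A.

```python
"""Threshold recovery of T_{ID,i} from s-CRA shares (added example, not the paper's code).

G is modelled as the additive group Z_q, so beta * R is modular multiplication.
The polynomial sharing of beta, the shares T_{ID,i,j} = beta_j * R_{ID,i} and the
Lagrange interpolation that recovers T_{ID,i} from any t shares are the same
arithmetic the scheme performs on curve points.
"""
import hashlib
import random

Q = (1 << 127) - 1  # Mersenne prime standing in for the group order q (constructed)


def split_master_time_key(beta, t, n, rng):
    """Setup step 5: f(x) = beta + a_1 x + ... + a_{t-1} x^{t-1}; share j is f(j)."""
    coeffs = [beta % Q] + [rng.randrange(1, Q) for _ in range(t - 1)]
    shares = {}
    for j in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):  # Horner evaluation of f(j) mod q
            acc = (acc * j + c) % Q
        shares[j] = acc
    return shares


def hash_to_group(identity, period):
    """Stand-in for H_2(ID, i): maps (ID, i) to a non-zero element R_{ID,i}."""
    digest = hashlib.sha256(f"{identity}|{period}".encode()).digest()
    return int.from_bytes(digest, "big") % (Q - 1) + 1


def time_update_key_share(beta_j, identity, period):
    """Time key update step 2: T_{ID,i,j} = beta_j * R_{ID,i}."""
    return (beta_j * hash_to_group(identity, period)) % Q


def lagrange_at_zero(indices):
    """Lagrange coefficients lambda_j for evaluating f at x = 0 from the points x = j."""
    coeffs = {}
    for j in indices:
        num, den = 1, 1
        for m in indices:
            if m != j:
                num = (num * (-m)) % Q
                den = (den * (j - m)) % Q
        coeffs[j] = (num * pow(den, -1, Q)) % Q
    return coeffs


def recover_time_update_key(shares):
    """Interpolate T_{ID,i} = sum_j lambda_j * T_{ID,i,j} from a dict {j: share}."""
    lam = lagrange_at_zero(list(shares))
    return sum(lam[j] * s for j, s in shares.items()) % Q


def expected_time_update_key(beta, identity, period):
    """What the PKG would compute directly from the unshared master time key."""
    return (beta * hash_to_group(identity, period)) % Q


def issue_shares(agents, revoked, identity, period, greedy=()):
    """Honest s-CRAs refuse revoked identities; a greedy one (Type-IV) issues anyway."""
    out = {}
    for j, beta_j in agents.items():
        if identity in revoked and j not in greedy:
            continue
        out[j] = time_update_key_share(beta_j, identity, period)
    return out


def demo(seed=7, t=3, n=5):
    """Seeded end-to-end run with constructed identities and periods."""
    rng = random.Random(seed)
    beta = rng.randrange(1, Q)
    agents = split_master_time_key(beta, t, n, rng)
    legit = expected_time_update_key(beta, "alice", 4)
    shares = issue_shares(agents, set(), "alice", 4)
    # Revoke alice at period 5: two greedy agents (fewer than t) still issue shares.
    revoked = issue_shares(agents, {"alice"}, "alice", 5, greedy=(2, 4))
    return {
        "any_t_shares_recover": recover_time_update_key(
            {j: shares[j] for j in (2, 4, 5)}) == legit,
        "t_minus_1_shares_fail": recover_time_update_key(
            {j: shares[j] for j in (1, 2)}) != legit,
        "shares_for_revoked_user": len(revoked),
        "revoked_user_recovers": recover_time_update_key(revoked)
        == expected_time_update_key(beta, "alice", 5),
    }


if __name__ == "__main__":
    print(demo())
```

With n = 5 agents and t = 3, revocation holds exactly as long as fewer than t agents are greedy; once t shares leak for a revoked identity, the interpolation in `recover_time_update_key` succeeds regardless of the honest agents' refusal.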
Encrypt: To encrypt a message $M \in \mathcal{M}$ for a receiver with identity ID and public key $P_{ID} = (X_{ID}, Y_{ID})$ at period i, the sender performs the following steps:
1. Checks $X_{ID}, Y_{ID} \in G$ and the equality $\hat{e}(X_{ID}, P_0) = \hat{e}(Y_{ID}, P)$, i.e., that $P_{ID}$ is a correct public key. Otherwise, outputs ⊥ and aborts.
3. Chooses a random value $r \in \mathbb{Z}_q^*$ and computes $U = r \cdot P$.
4. Computes and outputs the ciphertext:

Decrypt:
To decrypt a ciphertext C = (U, V, W) for identity ID and public key $P_{ID} = (X_{ID}, Y_{ID})$ at period i, the receiver uses its identity key $IK_{ID}$ and time update key $T_{ID,i}$ as follows. Otherwise, it outputs ⊥ and rejects the ciphertext.

V. CORRECTNESS AND SECURITY ANALYSIS
In this section, we present the correctness and security analysis of our proposed scheme.
1) The correctness of the decrypt algorithm follows from the fact that:
2) The security analysis consists of four lemmas, against Type-I, II, III and IV adversaries. From them, we conclude that the proposed revocable certificateless public key encryption scheme with outsourced semi-trusted cloud revocation agents is secure in the RCL-IND-CCA sense. For simplicity but without loss of generality, we replace the master time key shares $\beta_j$ by the master time key β in the proofs of the first three lemmas and prove that this is sound in Lemma 4.
Lemma 1: In the random oracle model, assume that a Type-I adversary $A_I$ attacks the proposed revocable certificateless encryption in the sense of RCL-IND-CCA security. We will build a simulator $B_I$ that solves the BDH problem with non-negligible probability.
Proof: Suppose that there exists a Type-I adversary $A_I$ with advantage $\mathrm{Adv}_{A_I}$ who can break the proposed revocable certificateless encryption. We will build a simulator $B_I$ that solves the BDH problem with advantage $\mathrm{Adv}_{B_I}$. The simulator $B_I$ takes as input the BDH parameters $G, G_T, \hat{e}$ and $P, aP, bP, cP$ with uniformly random $a, b, c \in \mathbb{Z}_q^*$, where P is a generator of the group G. We say that the simulator $B_I$ solves the BDH problem if $B_I$ has a non-negligible advantage in computing $\hat{e}(P, P)^{abc}$.
System setup. The challenger $B_I$ first chooses a random master secret key $\alpha \in \mathbb{Z}_q^*$ and sets $C_{pub} = aP$. Then $B_I$ provides $A_I$ with $params = \langle G, G_T, \hat{e}, P, P_0, C_{pub}, H_1, H_2, H_3, H_4 \rangle$. $A_I$ is allowed to issue queries of the following types, which are controlled by $B_I$.
Public key request query (ID). To respond to such a query, the challenger $B_I$ maintains a list $L_{PK}$ of tuples $\langle ID, P_{ID}, s_{ID} \rangle$. $B_I$ first accesses the list $L_{PK}$; if ID already appears in $L_{PK}$, then $B_I$ responds with $P_{ID}$. Otherwise, $B_I$ randomly selects $s_{ID} \in \mathbb{Z}_q^*$ and computes $P_{ID} = s_{ID} \cdot P$. After storing $\langle ID, P_{ID}, s_{ID} \rangle$ in $L_{PK}$, $B_I$ returns $P_{ID}$ to $A_I$.
Public key replace query (ID, $P_{ID}$). Upon receiving such a query with (ID, $P_{ID}$), $B_I$ replaces the tuple $\langle ID, P_{ID}, s_{ID} \rangle$ in the list $L_{PK}$ by $\langle ID, P_{ID}, \bot \rangle$.
Partial identity key extract query (ID, $P_{ID}$). To respond to such a query, the challenger $B_I$ first accesses the list $L_1$ to obtain u. Then, $B_I$ sets the partial identity key $D_{ID} = \alpha \cdot Q_{ID} = \alpha \cdot u \cdot P$, which is a valid partial identity key. $B_I$ returns the partial identity key $D_{ID}$ to $A_I$.

Secret value extract query (ID). To respond to such a query, the challenger $B_I$ first accesses the list $L_{PK}$ to obtain the $s_{ID}$ associated with identity ID. If ID does not appear in $L_{PK}$, $B_I$ issues a public key request query with ID first. $B_I$ returns the secret value $s_{ID}$ to $A_I$.
Time key update query (ID, i). To respond to such a query, the challenger $B_I$ first accesses the list $L_2$ to obtain v and coin. If coin = 1, the simulation fails and aborts. Otherwise, $B_I$ sets the time update key $T_{ID,i} = v \cdot C_{pub} = v \cdot aP = a \cdot vP = a \cdot R_{ID,i}$, which is a valid time update key. $B_I$ returns the time update key $T_{ID,i}$ to $A_I$.
Decryption query (C = (U, V, W), ID, i). To respond to such a query, the challenger $B_I$ first accesses the list $L_4$ to obtain the M corresponding to $\langle U, V, -, ID, i, W \rangle$. If no such M is found, the simulation fails and aborts. Otherwise, $B_I$ returns M to $A_I$.
Challenge. At some point, $A_I$ decides to end Phase 1, picks a target identity $ID^*$ and a target period $i^*$, and issues two messages $M_0, M_1$ to be challenged. We assume that $A_I$ did not issue an $H_2$ query to obtain the target time update key. $B_I$ uses $(ID^*, i^*)$ to scan the list $L_2 = \langle ID, i, R_{ID}, v, coin \rangle$. If coin = 0, the simulation fails and aborts. If coin = 1, $B_I$ flips a random coin $\gamma \in \{0, 1\}$ and computes $Y^*$. Then, $B_I$ randomly selects a string $w \in \{0, 1\}^l$ and adds $\langle U = cP, V = M_\gamma \oplus Y^*, M_\gamma, ID^*, i^*, w \rangle$ to $L_4$. Finally, $B_I$ returns the target ciphertext $C^* = (U, V, W = w)$ to $A_I$.
Phase 2. $B_I$ continues to respond to requests in the same way as in Phase 1. We restrict $A_I$ from issuing the time key update query with $(ID^*, i^*)$ and the decryption query with $(ID^*, i^*, C^*)$.
Guess. $A_I$ outputs a guess $\gamma'$ for γ. The advantage of an RCL-IND-CCA adversary $A_I$ in attacking the proposed revocable certificateless encryption scheme is $\mathrm{Adv}_{A_I} = |\Pr[\gamma' = \gamma] - 1/2|$. If the adversary $A_I$ breaks the proposed scheme with a non-negligible advantage $\mathrm{Adv}_{A_I}$, then the challenger $B_I$ can solve the BDH problem with a non-negligible advantage $\mathrm{Adv}_{B_I}$.
The probability that $B_I$ does not abort during the simulation is analyzed as follows. In Phases 1 and 2, if coin = 1, the simulation fails and aborts, since the challenger $B_I$ cannot answer the time update query correctly; otherwise, the simulation continues. Let δ denote the probability that coin = 0. Since the adversary $A_I$ makes at most $q_u$ time update queries and $q_d$ decryption queries in Phases 1 and 2, the probability that the simulation does not abort in these phases is $\delta^{q_u}$. In the challenge phase, the simulation continues only if coin = 1, so the probability that it does not abort there is $1 - \delta$. Thus, the total probability that the simulation does not abort in Game 1 is $\delta^{q_u}(1 - \delta)$. By a technique similar to Coron's analysis of the full domain hash signature scheme [44], this value is maximized at $\delta = 1 - 1/(q_u + 1)$, and the probability that $B_I$ does not abort is then at least $1/(e(1 + q_u))$. Furthermore, the probability of guessing the correct answer D in the real attack is at least $2\,\mathrm{Adv}_{A_I}/q_3$ [1]. To respond to a decryption query, $B_I$ scans the list $L_4$ to obtain M. Since the simulation succeeds only if $\langle U, V, -, ID, i, W \rangle$ appears in $L_4$, and there are at most $q_d$ decryption queries, the probability that the simulation aborts on this account is $q_d/q$. In summary, $B_I$ can solve the BDH problem with the non-negligible advantage $\mathrm{Adv}_{B_I} = \dfrac{2\,\mathrm{Adv}_{A_I}}{e(1 + q_u)\,q_3} - \dfrac{q_d}{q}$.

Lemma 2: In the random oracle model, assume that a Type-II adversary $A_{II}$ attacks the proposed revocable certificateless encryption in the sense of RCL-IND-CCA security. We will build a simulator $B_{II}$ that solves the BDH problem with non-negligible probability.
Proof: Suppose that there exists a Type-II adversary $A_{II}$ with advantage $\mathrm{Adv}_{A_{II}}$ who can break the proposed revocable certificateless encryption. We will build a simulator $B_{II}$ that solves the BDH problem with advantage $\mathrm{Adv}_{B_{II}}$. The simulator $B_{II}$ takes as input the BDH parameters $G, G_T, \hat{e}$ and $P, aP, bP, cP$ with uniformly random $a, b, c \in \mathbb{Z}_q^*$, where P is a generator of the group G. We say that the simulator $B_{II}$ solves the BDH problem if $B_{II}$ has a non-negligible advantage in computing $\hat{e}(P, P)^{abc}$.
System setup. The challenger $B_{II}$ first chooses a random master time key $\beta \in \mathbb{Z}_q^*$ and sets $C_{pub} = \beta P$. Then $B_{II}$ provides $A_{II}$ with $params = \langle G, G_T, \hat{e}, P, P_0, C_{pub}, H_1, H_2, H_3, H_4 \rangle$. $A_{II}$ is allowed to issue queries of the following types, which are controlled by $B_{II}$.
H 1 -queries: B II maintains a list L 1 of ID, P ID , Q ID , u, coin to store the answers to the hash oracle H 1 . Upon receiving the H 1 -query along with ID, B II performs a check on L 1 . If (ID, P ID ) appears in L 1 , then B II responds with H 1 (ID, P ID ) = Q ID . Otherwise, B II randomly selects u ∈ Z * q , then B II flips a random coin ∈ {0, 1} and sets Q ID = u · P if coin = 0 and Q ID = u · bP if coin = 1. After storing ID, P ID , Q ID , u, coin in L 1 , B II returns H 1 (ID, P ID ) = Q ID to A II .
$H_2$-queries: $B_{II}$ maintains a list $L_2$ of tuples $\langle ID, i, R_{ID,i}, v\rangle$ to store the answers of the hash oracle $H_2$. Upon receiving an $H_2$-query on $(ID, i)$, $B_{II}$ checks $L_2$. If $(ID, i)$ appears in $L_2$, then $B_{II}$ responds with $H_2(ID, i) = R_{ID,i}$. Otherwise, $B_{II}$ randomly selects $v \in Z_q^*$ and computes $R_{ID,i} = v\cdot P$. After storing $\langle ID, i, R_{ID,i}, v\rangle$ in $L_2$, $B_{II}$ returns $H_2(ID, i) = R_{ID,i}$ to $A_{II}$.

$H_3$-queries: $B_{II}$ maintains a list $L_3$ of tuples $\langle X, Y\rangle$ to store the answers of the hash oracle $H_3$. Upon receiving an $H_3$-query on $X$, $B_{II}$ checks $L_3$. If $X$ appears in $L_3$, then $B_{II}$ responds with $H_3(X) = Y$. Otherwise, $B_{II}$ randomly selects $Y \in \{0, 1\}^l$, stores $\langle X, Y\rangle$ in $L_3$, and returns $H_3(X) = Y$ to $A_{II}$.

Public key request query (ID). To respond to such a query, the challenger $B_{II}$ maintains a list $L_{PK}$ of tuples $\langle ID, P_{ID}, s_{ID}\rangle$. $B_{II}$ first accesses $L_{PK}$; if $ID$ already appears in $L_{PK}$, then $B_{II}$ responds with $P_{ID}$. Otherwise, $B_{II}$ randomly selects $s_{ID} \in Z_q^*$ and computes $P_{ID} = s_{ID}\cdot P$. After storing $\langle ID, P_{ID}, s_{ID}\rangle$ in $L_{PK}$, $B_{II}$ returns $P_{ID}$ to $A_{II}$.
Public key replace query $(ID, P'_{ID})$. Upon receiving such a query, $B_{II}$ replaces the tuple $\langle ID, P_{ID}, s_{ID}\rangle$ in $L_{PK}$ with $\langle ID, P'_{ID}, \perp\rangle$, i.e., the secret value of a replaced public key is unknown.
Partial identity key extract query $(ID, P_{ID})$. To respond to such a query, the challenger $B_{II}$ first accesses $L_1$ to obtain $u$ and $coin$. If $coin = 1$, the simulation fails and aborts. Otherwise, $Q_{ID} = u\cdot P$ and $B_{II}$ sets the partial identity key $D_{ID} = u\cdot aP = a\cdot Q_{ID}$, which is a valid partial identity key under $P_o = aP$. $B_{II}$ returns $D_{ID}$ to $A_{II}$.
Secret value extract query (ID). To respond to such a query, the challenger $B_{II}$ first accesses $L_{PK}$ to obtain the $s_{ID}$ associated with $ID$. If $ID$ does not appear in $L_{PK}$, $B_{II}$ first issues a public key request query on $ID$. $B_{II}$ then returns the secret value $s_{ID}$ to $A_{II}$.
Time key update query $(ID, i)$. To respond to such a query, the challenger $B_{II}$ first accesses $L_2$ to obtain $v$. Then $B_{II}$ sets the time update key $T_{ID,i} = v\cdot C_{pub} = v\cdot\beta P = \beta\cdot vP = \beta\cdot R_{ID,i}$, which is a valid time update key since $B_{II}$ knows $\beta$. $B_{II}$ returns $T_{ID,i}$ to $A_{II}$.
Decryption query $(C = \langle U, V, W\rangle, ID, i)$. To respond to such a query, the challenger $B_{II}$ first accesses $L_4$ to obtain the $M$ corresponding to $\langle U, V, -, ID, P_{ID}, i, W\rangle$. If no such $M$ is found, the simulation fails and aborts. Otherwise, $B_{II}$ returns $M$ to $A_{II}$.

Challenge. At some point, $A_{II}$ decides to end Phase 1, picks a target identity $ID^*$ and a target period $i^*$, and issues two messages $M_0, M_1$ to be challenged on. We assume that $A_{II}$ has not issued a partial identity key extract query on $ID^*$. $B_{II}$ scans the list $L_1 = \langle ID, P_{ID}, Q_{ID}, u, coin\rangle$ for $ID^*$. If $coin = 0$, the simulation fails and aborts. If $coin = 1$, $B_{II}$ flips a random coin $\gamma \in \{0, 1\}$ and computes $V = M_\gamma \oplus Y^*$, where
$$Y^* = H_3\big(\hat e(s_{ID}\cdot u\cdot aP,\; bP)\cdot\hat e(R_{ID,i},\; \beta\cdot cP)\big) = H_3(D).$$
Then $B_{II}$ randomly selects a string $w \in \{0, 1\}^l$ and adds $\langle U = cP, V = M_\gamma\oplus Y^*, M_\gamma, ID^*, i^*, w\rangle$ to $L_4$. Finally, $B_{II}$ returns the target ciphertext $C^* = (U, V, W = w)$ to $A_{II}$.

Phase 2. $B_{II}$ continues to respond to queries in the same way as in Phase 1, with the restriction that $A_{II}$ cannot issue a partial identity key extract query on $ID^*$ or a decryption query on $(ID^*, i^*, C^*)$.

Guess. $A_{II}$ outputs a guess $\gamma'$ for $\gamma$. The advantage $\epsilon_{II}$ of the RCL-IND-CCA adversary $A_{II}$ against the proposed revocable certificateless encryption scheme is evaluated by

If the adversary $A_{II}$ breaks the proposed scheme with non-negligible advantage $\epsilon_{II}$, then the challenger $B_{II}$ can solve the BDH problem with non-negligible advantage $\epsilon'_{II}$.
The probability that $B_{II}$ does not abort during the simulation is analyzed as follows. In Phases 1 and 2, if $coin = 1$, the simulation fails and aborts, since the challenger $B_{II}$ cannot answer the partial identity key extract query correctly. Otherwise, the simulation continues. Let $\delta$ denote the probability that $coin = 0$. Suppose the adversary $A_{II}$ makes at most $q_p$ partial identity key extract queries and $q_d$ decryption queries in Phases 1 and 2; then the probability that the simulation does not abort in these phases is $\delta^{q_p}$. In the challenge phase, the simulation continues only if $coin = 1$, which happens with probability $1-\delta$. Thus, the total probability that the simulation does not abort in Game 2 is $p(\delta) = \delta^{q_p}(1-\delta)$. By the same technique as Coron's analysis of the full domain hash signature scheme [44], this value is maximized at $\delta = 1-\frac{1}{q_p+1}$, and the probability that $B_{II}$ does not abort is at least $\frac{1}{e(1+q_p)}$. Furthermore, the probability that $B_{II}$ picks the correct answer $D$ from the real attack is at least $\frac{2\epsilon_{II}}{q_3}$ [1], where $q_3$ is the number of $H_3$ queries. To respond to a decryption query, $B_{II}$ scans the list $L_4$ to obtain $M$. The simulation succeeds only if $\langle U, V, -, ID, i, W\rangle$ appears in $L_4$; since there are at most $q_d$ decryption queries, the probability that the simulation aborts for this reason is at most $\frac{q_d}{q}$. In summary, $B_{II}$ can solve the BDH problem with non-negligible advantage
$$\epsilon'_{II} = \frac{2\epsilon_{II}}{e(1+q_p)\,q_3} - \frac{q_d}{q}.$$
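The optimization step used in Games 1, 2 and 3 (choose $\delta$ to maximize $\delta^{Q}(1-\delta)$ and bound the result by $\frac{1}{e(1+Q)}$) is stated above without derivation. The following worked derivation is added here and is not part of the original paper; it writes $Q$ for the per-game query bound ($q_u$, $q_p$ or $q_s$ in the text) so as not to collide with the group order $q$.

Let $p(\delta) = \delta^{Q}(1-\delta)$ for $0 < \delta < 1$ and an integer $Q \ge 1$. Differentiating,
$$p'(\delta) = Q\,\delta^{Q-1}(1-\delta) - \delta^{Q} = \delta^{Q-1}\big(Q - (Q+1)\delta\big),$$
which is positive for $\delta < \frac{Q}{Q+1}$ and negative above it, so the unique maximum is at
$$\delta^* = \frac{Q}{Q+1} = 1 - \frac{1}{Q+1}.$$
Substituting,
$$p(\delta^*) = \Big(\frac{Q}{Q+1}\Big)^{Q}\cdot\frac{1}{Q+1} = \frac{1}{\big(1+\frac{1}{Q}\big)^{Q}\,(Q+1)} \;\ge\; \frac{1}{e\,(1+Q)},$$
because $\big(1+\frac{1}{Q}\big)^{Q} < e$ for every $Q \ge 1$. Combining this with the other two factors used in the text (picking the right $D$ among the $q_3$ entries of $L_3$ with probability at least $\frac{2\epsilon}{q_3}$, and losing at most $\frac{q_d}{q}$ to decryption aborts) gives
$$\epsilon' \;\ge\; \frac{2\epsilon}{q_3}\cdot\frac{1}{e(1+Q)} - \frac{q_d}{q},$$
which is the expression each lemma ends with. The factor $e(1+Q)\,q_3$ is the tightness loss of the reduction: the bound only says something when $\frac{2\epsilon}{e(1+Q)q_3} > \frac{q_d}{q}$, so anyone choosing the 160-bit group order of Section VI for a concrete deployment has to budget for this loss, not only for the raw BDH hardness of the group.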
Lemma 3: In the random oracle model, assume that a Type-III adversary $A_{III}$ attacks the proposed revocable certificateless encryption scheme in the sense of RCL-IND-CCA security. Then we can build a simulator $B_{III}$ that solves the BDH problem with non-negligible probability.
Proof: Suppose that there exists a Type-III adversary $A_{III}$ with advantage $\epsilon_{III}$ who can break the proposed revocable certificateless encryption scheme. We build a simulator $B_{III}$ that solves the BDHP with advantage $\epsilon'_{III}$. The simulator $B_{III}$ takes as input the BDHP parameters $\langle G, G_T, \hat e\rangle$ and $\langle P, aP, bP, cP\rangle$, where $P$ is a generator of the group $G$ and $a, b, c \in Z_q^*$ are chosen uniformly at random. We say that $B_{III}$ solves the BDHP if it computes $\hat e(P, P)^{abc}$ with non-negligible advantage.
System setup. The challenger $B_{III}$ first chooses a random master secret key $\alpha \in Z_q^*$ and a random master time key $\beta \in Z_q^*$, and sets $P_o = \alpha P$ and $C_{pub} = \beta P$. Then $B_{III}$ provides $A_{III}$ with $params = \langle G, G_T, \hat e, P, P_o, C_{pub}, H_1, H_2, H_3, H_4\rangle$. $A_{III}$ is allowed to issue the following types of queries, which are answered by $B_{III}$.
$H_1$-queries: $B_{III}$ maintains a list $L_1$ of tuples $\langle ID, P_{ID}, Q_{ID}, u\rangle$ to store the answers of the hash oracle $H_1$. Upon receiving an $H_1$-query on $(ID, P_{ID})$, $B_{III}$ checks $L_1$. If $(ID, P_{ID})$ appears in $L_1$, then $B_{III}$ responds with $H_1(ID, P_{ID}) = Q_{ID}$. Otherwise, $B_{III}$ randomly selects $u \in Z_q^*$ and computes $Q_{ID} = u\cdot P$. After storing $\langle ID, P_{ID}, Q_{ID}, u\rangle$ in $L_1$, $B_{III}$ returns $H_1(ID, P_{ID}) = Q_{ID}$ to $A_{III}$.

Public key request query (ID). To respond to such a query, the challenger $B_{III}$ maintains a list $L_{PK}$ of tuples $\langle ID, P_{ID}, s_{ID}, coin\rangle$. $B_{III}$ first accesses $L_{PK}$; if $ID$ already appears in $L_{PK}$, then $B_{III}$ responds with $P_{ID}$. Otherwise, $B_{III}$ randomly selects $s_{ID} \in Z_q^*$, flips a random $coin \in \{0, 1\}$, and sets $P_{ID} = s_{ID}\cdot P$ if $coin = 0$ and $P_{ID} = s_{ID}\cdot aP$ if $coin = 1$. After storing $\langle ID, P_{ID}, s_{ID}, coin\rangle$ in $L_{PK}$, $B_{III}$ returns $P_{ID}$ to $A_{III}$.
Public key replace query $(ID, P'_{ID})$. Upon receiving such a query, $B_{III}$ replaces the tuple $\langle ID, P_{ID}, s_{ID}, coin\rangle$ in $L_{PK}$ with $\langle ID, P'_{ID}, \perp, \perp\rangle$, i.e., the secret value of a replaced public key is unknown.
Partial identity key extract query $(ID, P_{ID})$. To respond to such a query, the challenger $B_{III}$ first accesses $L_1$ to obtain $u$. Then $B_{III}$ sets the partial identity key $D_{ID} = \alpha\cdot Q_{ID} = \alpha\cdot u\cdot P$, which is a valid partial identity key since $B_{III}$ knows $\alpha$. $B_{III}$ returns $D_{ID}$ to $A_{III}$.
Secret value extract query (ID). To respond to such a query, the challenger $B_{III}$ first accesses $L_{PK}$ to obtain $s_{ID}$ and $coin$. If $ID$ does not appear in $L_{PK}$, then $B_{III}$ first issues a public key request query on $ID$. If $coin = 1$, the simulation fails and aborts, since the secret value $s_{ID}\cdot a$ behind $P_{ID} = s_{ID}\cdot aP$ is unknown to $B_{III}$. Otherwise, $B_{III}$ returns the secret value $s_{ID}$ to $A_{III}$.
Time key update query $(ID, i)$. To respond to such a query, the challenger $B_{III}$ first accesses $L_2$ to obtain $v$. Then $B_{III}$ sets the time update key $T_{ID,i} = v\cdot C_{pub} = v\cdot\beta P = \beta\cdot vP = \beta\cdot R_{ID,i}$, which is a valid time update key since $B_{III}$ knows $\beta$. $B_{III}$ returns $T_{ID,i}$ to $A_{III}$.
Decryption query $(C = \langle U, V, W\rangle, ID, i)$. To respond to such a query, the challenger $B_{III}$ first accesses $L_4$ to obtain the $M$ corresponding to $\langle U, V, -, ID, i, W\rangle$. If no such $M$ is found, the simulation fails and aborts. Otherwise, $B_{III}$ returns $M$ to $A_{III}$.
Challenge. At some point, $A_{III}$ decides to end Phase 1, picks a target identity $ID^*$ and a target period $i^*$, and issues two messages $M_0, M_1$ to be challenged on. We assume that $A_{III}$ has not issued a secret value extract query on $ID^*$. $B_{III}$ scans the list $L_{PK} = \langle ID, P_{ID}, s_{ID}, coin\rangle$ for $ID^*$. If $coin = 0$, the simulation fails and aborts. If $coin = 1$, $B_{III}$ flips a random coin $\gamma \in \{0, 1\}$ and computes $V = M_\gamma \oplus Y^*$, where
$$Y^* = H_3\big(\hat e(\alpha\cdot u\cdot s_{ID}\cdot aP,\; bP)\cdot\hat e(R_{ID,i},\; \beta\cdot cP)\big).$$
Then $B_{III}$ randomly selects a string $w \in \{0, 1\}^l$ and adds $\langle U = cP, V = M_\gamma\oplus Y^*, M_\gamma, ID^*, P_{ID}, i^*, w\rangle$ to $L_4$. Finally, $B_{III}$ returns the target ciphertext $C^* = (U, V, W = w)$ to $A_{III}$.

Phase 2. $B_{III}$ continues to respond to queries in the same way as in Phase 1, with the restriction that $A_{III}$ cannot issue a secret value extract query or a public key replace query on $ID^*$, or a decryption query on $(ID^*, i^*, C^*)$.

Guess. $A_{III}$ outputs a guess $\gamma'$ for $\gamma$. The advantage $\epsilon_{III}$ of the RCL-IND-CCA adversary $A_{III}$ against the proposed revocable certificateless encryption scheme is evaluated by

If the adversary $A_{III}$ breaks the proposed scheme with non-negligible advantage $\epsilon_{III}$, then the challenger $B_{III}$ can solve the BDHP with non-negligible advantage $\epsilon'_{III}$.
The probability that $B_{III}$ does not abort during the simulation is analyzed as follows. In Phases 1 and 2, if $coin = 1$, the simulation fails and aborts, since the challenger $B_{III}$ cannot answer the secret value extract query correctly. Otherwise, the simulation continues. Let $\delta$ denote the probability that $coin = 0$. Since the adversary $A_{III}$ makes at most $q_s$ secret value extract queries and $q_d$ decryption queries in Phases 1 and 2, the probability that the simulation does not abort in these phases is $\delta^{q_s}$. In the challenge phase, the simulation continues only if $coin = 1$, which happens with probability $1-\delta$. Thus, the total probability that the simulation does not abort in Game 3 is $p(\delta) = \delta^{q_s}(1-\delta)$. By the same technique as Coron's analysis of the full domain hash signature scheme [44], this value is maximized at $\delta = 1-\frac{1}{q_s+1}$, and the probability that $B_{III}$ does not abort is at least $\frac{1}{e(1+q_s)}$. Furthermore, the probability that $B_{III}$ picks the correct answer $D$ from the real attack is at least $\frac{2\epsilon_{III}}{q_3}$ [1], where $q_3$ is the number of $H_3$ queries. To respond to a decryption query, $B_{III}$ scans the list $L_4$ to obtain $M$. The simulation succeeds only if $\langle U, V, -, ID, i, W\rangle$ appears in $L_4$; since there are at most $q_d$ decryption queries, the probability that the simulation aborts for this reason is at most $\frac{q_d}{q}$. In summary, $B_{III}$ can solve the BDH problem with non-negligible advantage
$$\epsilon'_{III} = \frac{2\epsilon_{III}}{e(1+q_s)\,q_3} - \frac{q_d}{q}.$$

Lemma 4: In the random oracle model, assume that an adversary $A_{IV}$ who obtains at most $t-1$ time update key shares from $t-1$ greedy s-CRAs among a total of $n$ s-CRAs attacks the proposed revocable certificateless encryption scheme in the sense of RCL-IND-CCA security for Type-IV adversaries. Then there exists a PPT adversary $A_I$ that attacks the proposed scheme and hence solves the BDH problem with non-negligible probability.
Proof: First, we assume that there are no more than $t-1$ greedy s-CRAs in the proposed $(t, n)$ system. By the construction of Shamir's $(t, n)$ threshold scheme [45], an invalid user who obtains at most $t-1$ time update key shares $T_{ID,i,j}$ cannot interpolate the coefficients of the secret degree-$(t-1)$ polynomial $f(x)$ generated by the PKG, and thus cannot obtain the correct time update key $T_{ID,i}$. Therefore, in this situation, the adversary $A_{IV}$ is identical to the adversary $A_I$ in the proof of Lemma 1, and the claim follows from Lemma 1.
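The argument of Lemma 4, and the $tT_m$ user-side cost and "an s-CRA cannot provide the time update key alone" claim of Section VI, both rest on the same threshold property: $t$ shares $T_{ID,i,j}$ recombine in the group to $T_{ID,i} = \beta\cdot R_{ID,i}$ with $t$ scalar multiplications, while $t-1$ shares do not. The following Python example, added here and not part of the paper, implements that recombination end to end. Its assumptions are not from the paper: secp256k1 stands in for the pairing-friendly group $G$ (no pairing is needed for this step); $H_2$ is simulated as a hash-to-scalar times the generator rather than a real map-to-point hash; the PKG shares $\beta$ with a Shamir polynomial $f$ of degree $t-1$ and hands s-CRA $j$ the scalar $f(j)$, so that s-CRA $j$ computes $T_{ID,i,j} = f(j)\cdot R_{ID,i}$; the identity and period are constructed sample values.

```python
"""Threshold recombination of a time update key from s-CRA shares (added example).

Assumptions (not from the paper): secp256k1 stands in for the pairing group G,
the PKG shares beta with a Shamir polynomial f of degree t-1 and s-CRA j holds
f(j), and H_2 is simulated as h(ID, i) * G rather than a true map-to-point hash.
"""
import hashlib
import secrets

# secp256k1 parameters: stand-in group of prime order N; None is the point at infinity.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(A, B):
    """Affine point addition on y^2 = x^3 + 7 over F_P."""
    if A is None:
        return B
    if B is None:
        return A
    x1, y1 = A
    x2, y2 = B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # A == -B
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, A):
    """Scalar multiplication k*A by double-and-add; one T_m in the paper's cost model."""
    k %= N
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def split_scalar(secret, t, n):
    """PKG side: Shamir (t, n) shares of `secret` over Z_N; s-CRA j receives f(j)."""
    coeffs = [secret % N] + [secrets.randbelow(N) for _ in range(t - 1)]
    f = lambda x: sum(c * pow(x, k, N) for k, c in enumerate(coeffs)) % N
    return {j: f(j) for j in range(1, n + 1)}


def lagrange_at_zero(js, j):
    """Lagrange coefficient lambda_j with sum_j lambda_j * f(j) = f(0) over the indices js."""
    num = den = 1
    for m in js:
        if m != j:
            num = num * (-m) % N
            den = den * (j - m) % N
    return num * pow(den, -1, N) % N


def recombine_scalar(shares):
    """Reference check in the exponent: f(0) from the given scalar shares {j: f(j)}."""
    js = list(shares)
    return sum(lagrange_at_zero(js, j) * s for j, s in shares.items()) % N


def compose_time_key(point_shares):
    """User side: T_{ID,i} = sum_j lambda_j * T_{ID,i,j}; exactly len(point_shares) scalar mults."""
    js = list(point_shares)
    T = None
    for j, Tj in point_shares.items():
        T = ec_add(T, ec_mul(lagrange_at_zero(js, j), Tj))
    return T


def hash_to_point(identity, period):
    """Stand-in for H_2(ID, i): hash to a non-zero scalar and multiply G (not a real map-to-point)."""
    digest = hashlib.sha256(f"{identity}|{period}".encode()).digest()
    return ec_mul(int.from_bytes(digest, "big") % (N - 1) + 1, G)


def demo(t=3, n=5):
    """Return (t shares recombine to beta*R, t-1 shares recombine to beta*R)."""
    beta = secrets.randbelow(N - 1) + 1                     # PKG master time key
    shares = split_scalar(beta, t, n)                        # f(j) handed to s-CRA j
    R = hash_to_point("alice@example.org", 7)                # R_{ID,i}; constructed ID and period
    T_shares = {j: ec_mul(fj, R) for j, fj in shares.items()}  # T_{ID,i,j} = f(j) * R_{ID,i}
    expected = ec_mul(beta, R)                               # T_{ID,i} = beta * R_{ID,i}
    enough = {j: T_shares[j] for j in (1, 3, 5)}             # any t honest s-CRAs
    greedy = {j: T_shares[j] for j in (2, 4)}                # t-1 colluding greedy s-CRAs
    return (compose_time_key(enough) == expected,
            compose_time_key(greedy) == expected)


if __name__ == "__main__":
    print(demo())
```

Two points the code makes concrete. First, the user never sees $\beta$ or any $f(j)$: it only multiplies the received points by public Lagrange coefficients, which is why the composition costs $t$ scalar multiplications and nothing more. Second, the $t-1$ greedy shares interpolate to a different polynomial through the origin, so `compose_time_key` returns a point that is useless for decryption rather than an error; a deployment must therefore verify the composed key (for example by checking $\hat e(T_{ID,i}, P) = \hat e(R_{ID,i}, C_{pub})$) before using it, which the pairing-free stand-in here cannot do.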
Theorem 1: In the random oracle model, the proposed RCL-PKE with outsourced s-CRA is semantically secure against adaptive chosen-ciphertext attack (RCL-IND-CCA) under the BDH assumption.

VI. PERFORMANCE EVALUATION AND COMPARISONS
In this section, we present the performance evaluation of the proposed scheme. Previous implementations [12], [13], [18], [27], [30] have shown that the non-negligible computational costs come from the bilinear pairing, scalar multiplication, map-to-point hash and modular exponentiation operations. Table 1 lists the notation used to describe the computational costs of these operations.
We evaluate the costs of the above operations using the Pairing-Based Cryptography (PBC) library [46] on an Intel Core i7 computer. We choose the PBC built-in type-A pairing $\hat e: G\times G\to G_T$ on an elliptic curve $E(F_p)$, where $G$ and $G_T$ are groups of prime order $q$. For security and efficiency, $p$ and $q$ are large primes of 512 bits and 160 bits, respectively. The test machine runs 64-bit CentOS 7.0 on an Intel(R) Core(TM) i7-4710MQ CPU @ 2.50 GHz with 8 GB RAM. Each operation is timed one thousand times and the average computational times are listed in Table 2.
In Table 3, we compare the proposed RCL-PKE scheme with outsourced semi-trusted CRAs against the previously proposed RCL-PKE schemes [13], [14], [18] in terms of the size of each private key, computational and communication costs, revocation flexibility and other criteria, where $l = 256$ bits is the bit-length of plaintexts, $n$ is the number of s-CRAs, and $t$ is the trust threshold. In the compared schemes, updating a user costs at least $T_h + T_m$, while in our proposed scheme the $n$ s-CRAs require $n(T_h + T_m)$ in total and a user needs $tT_m$ to compose its time update key. Note that the total computational and communication costs of the $n$ s-CRAs can be reduced by optimizing their deployment pattern.
Furthermore, we measured our encryption and decryption operations on the test platform to determine the actual performance of the proposed scheme. The average computational times for encryption and decryption over one thousand runs are close to the theoretical values.
Note that our scheme provides enhanced revocation flexibility compared with the other schemes. The DRA in the scheme of Tsai et al. [18] is fully honest and trusted to execute instructions from the PKG. In our scheme, an s-CRA cannot provide the time update key alone or stealthily, which makes the scheme effective against a greedy s-CRA attacker. Meanwhile, rather than taking only the user identity $ID$ as input to the initial secret key extraction as in [13], [14], [18], the proposed scheme takes the user identity $ID$ together with the public key $P_{ID}$ as input to the partial identity key extraction. This modification guarantees that the PKG only generates a partial identity key bound to the specified public key. Thus, by binding the user's initial secret key to its public key, our scheme guarantees public key uniqueness, while the other schemes do not.

VII. CONCLUSION
In this paper, we proposed a secure RCL-PKE scheme with an outsourced semi-trusted cloud revocation agent based on bilinear pairings. We presented the framework and formalized the security model. Under the BDH assumption, we demonstrated that the proposed scheme is CCA secure against the four kinds of adversaries in the random oracle model. In the proposed scheme, an s-CRA cannot provide the time update key alone or stealthily, which makes the scheme effective against a greedy s-CRA attacker. By composing enough time update key shares from the semi-trusted s-CRAs, legitimate users can decrypt ciphertexts at small computational cost. Meanwhile, our scheme guarantees public key uniqueness, which prevents multiple copies of each initial secret key.