Sage Journals: Discover world-class research

Abstract

To resolve both certificate management and key escrow problems, a certificateless public-key system (CLPKS) has been proposed. However, a CLPKS setting must provide a revocation mechanism to revoke compromised users. Thus, a revocable certificateless public-key system (RCLPKS) was presented to address the revocation issue and, in such a system, the key generation centre (KGC) is responsible to run this revocation functionality. Furthermore, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting, was proposed to employ the ORA to alleviate the KGC’s computational burden. Very recently it was noticed that adversaries may adopt side-channel attacks to threaten these existing conventional public-key systems (including CLPKS, RCLPKS and RCLPKS-ORA). Fortunately, leakage-resilient cryptography offers a solution to resist such attacks. In this article, the first leakage-resilient revocable certificateless encryption scheme with an ORA, termed LR-RCLE-ORA scheme, is proposed. The proposed scheme is formally shown to be semantically secure against three types of adversaries in the RCLPKS and RCLPKS-ORA settings while resisting side-channel attacks. In the proposed scheme, adversaries are allowed to continually extract partial ingredients of secret keys participated in various computational algorithms of the proposed scheme while retaining its security.

Keywords

leakage-resilience certificateless encryption revocation key encapsulation

1 Introduction

To eliminate the management of both public keys and their associated certificates in the traditional public-key systems (PKS), an identity (ID)-based public-key system (IDPKS) was proposed (Boneh and Franklin, 2001). In an IDPKS setting, a private key generator (PKG) is responsible to generate all participants’ secret keys. Hence, the IDPKS setting has an inborn disadvantage, namely, the key escrow problem in the sense that the PKG can decrypt any ciphertexts of all participants and sign any messages on behalf of all participants. To resolve both certificate management and key escrow problems, Al-Riyami and Paterson (2003) proposed the certificateless public-key system (CLPKS). In which, there are two kinds of participants, namely, a key generation center (KGC) and users. The KGC is responsible to generate all users’ identity secret keys. In the meantime, each user chooses a personal secret key and sets the associated public key. Therefore, each user has two secret keys, namely, identity secret key and personal secret key. Obviously, the CLPKS setting can solve both the key escrow and certificate management problems.

Under some situations, a user’s ID or public key has to be revoked before expiration. Although the certificate revocation list (CRL) (Housley et al., 2002) is a well-known revocation method, it is unsuitable for IDPKS and CLPKS settings because no certificate is required. Therefore, an IDPKS or CLPKS setting must provide a revocation mechanism to revoke compromised users. Tseng and Tsai (2012) has presented a revocable IDPKS setting. By this revocable concept of Tseng and Tsai, revocable CLPKS (RCLPKS) settings (Shen et al., 2014; Tsai and Tseng, 2015; Hung et al., 2016) were presented to address the revocation issue and the key generation center (KGC) is also responsible to run this revocation functionality. Furthermore, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting (Tsai et al., 2015; Du et al., 2018), was presented to employ the ORA to alleviate the KGC’s computational burden.

Typically, all public-key systems mentioned above have a nature assumption that secret (or private) keys are completely hidden to adversaries. However, a new type of attacks, called “side-channel attacks”, has threatened these existing public-key systems. An adversary may employ side-channel attacks, such as power analysis (Kocher et al., 1999) and timing attack (Kocher, 1996; Brumley and Boneh, 2005) to continually obtain partial ingredients of a participant’s secret (or private) keys so that the associated cryptographic schemes/protocols could be broken. Ways to withstand side-channel attacks on cryptographic schemes/protocols have received significant attention of researchers. Fortunately, leakage-resilient cryptography offers a solution to resist such attacks. Up to date, little research addresses leakage-resilient certificateless public-key systems. In this paper, our aim is to propose the first leakage-resilient revocable certificateless encryption (LR-RCLE) scheme with an outsourced revocation authority (ORA), termed LR-RCLE-ORA scheme.

1.1 Related Work

In leakage-resilient cryptography, a cryptographic scheme/protocol remains secure even though partial ingredients of a participant’s secret (or private) keys in this scheme/protocol is leaked to adversaries. For leakage property, there are two leakage models, namely, bounded and continual. In the bounded leakage model (Katz and Vaikuntanathan, 2009; Alwen et al., 2009), total leaked bit sizes of secret keys for a cryptographic scheme/protocol are limited during its life cycle. Obviously, this limitation is impractical. In contrast, in the continual leakage model, adversaries may continually get leaked information of secret keys for each invocation of cryptographic scheme/protocol. Indeed, the continual leakage model is more accredited (Galindo and Virek, 2013; Wu et al., 2019, 2020; Tseng et al., 2020; Hsieh et al., 2020; Tsai et al., 2021) and it consists of four properties as follows:

•
Only computation leakage: An adversary can extract partial ingredients of secret keys involved in the current computation round.
•
Bounded leakage of single computational algorithm: A cryptographic scheme/protocol typically includes several computation rounds. In each computation round, an adversary can extract partial ingredients of secret keys. Namely, an adversary can select a leakage function f for each computation round and obtain the leaked information $f (SK)$ , where $SK$ denotes the involved secret keys and $f (SK)$ is bounded to λ bits.
•
Independent leakage: Any two leaked partial ingredients of secret keys in various computation rounds are mutually independent. For achieving this property, a secret key must be updated before (or after) running each computation round.
•
Overall unbounded leakage: The total amount of leaked information is overall unbounded. Indeed, by the independent leakage property, the total leakage amount of secret keys is unlimited.

According to the usage of secret key or public key, there are two kinds of encryption schemes, namely, symmetric encryption and asymmetric encryption based on various public-key systems. For a symmetric encryption scheme, a pre-shared secret key between a sender and a receiver is used to encrypt and decrypt procedures. A symmetric encryption scheme is typically employed to encrypt a large size of message and have high-throughput efficiency. On the contrary, for an asymmetric encryption scheme, a sender uses a designated receiver’s public key to encrypt message while the receiver uses her/his private key to decrypt it. Generally, an asymmetric encryption scheme is employed to encrypt a short size of message (e.g. a session key) or authenticate identity/message so that the throughput of encryption/decryption procedure is not their priority. Also, for considering leakage-resilient property, there are two kinds of leakage-resilient encryption schemes, namely, leakage-resilient symmetric encryption and leakage-resilient asymmetric encryption based on various public-key systems.

Here, let’s introduce the evolution of leakage-resilient symmetric encryption schemes. The first generic construction of leakage-resilient symmetric encryption based on minimal assumptions has been proposed by Hazay et al. (2013). However, the efficiency of Hazay et al.’s scheme is not good so that Abdalla et al. (2013) improved their scheme to propose an efficient leakage-resilient symmetric encryption scheme using the AES block cipher without constructing a leakage resilient block cipher. Recently, for enhancing the efficiency, several leakage-resilient authenticated symmetric encryption schemes based on hardware AES coprocessors (Unterstein et al., 2020; Bronchain et al., 2021) have been proposed.

In the following, several leakage-resilient asymmetric encryption (or key encapsulation) schemes based on traditional PKS, IDPKS and CLPKS settings are reviewed. Based on a traditional PKS setting, the first leakage-resilient encryption (LRE) scheme was presented by Akavia et al. (2009). Subsequently, several LRE schemes (Naor and Segev, 2009, 2012; Liu et al., 2013; Li et al., 2013) were proposed to improve security and performance of Akavia et al.’s scheme. However, all these LRE schemes above are secure only in the bounded leakage model. Moreover, Kiltz and Pietrzak (2010) presented the first LRE scheme under the continual leakage model. Furthermore, Galindo et al. (2016) presented an efficient ElGamal-like LRE scheme under the continual leakage model. Based on an IDPKS setting, Brakerski et al. (2010) proposed the first leakage-resilient ID-based encryption (LR-IBE) scheme under the continual leakage model. Subsequently, several LR-IBE schemes (Yuen et al., 2012; Li et al., 2016) were also proposed to improve security and performance of Brakerski et al.’s scheme.

Up to date, little research addresses leakage-resilient certificateless public-key systems. In 2013, the first leakage-resilient certificateless encryption (LR-CLE) scheme was presented by Xiong et al. (2013). To improve the security and performance of Xiong et al.’s scheme, Zhou et al. (2016) proposed a new leakage-resilient certificateless signcryption scheme. However, both Zhou et al.’s and Xiong et al.’s schemes are secure only under the bounded leakage model. In 2018, Wu et al. (2018) proposed the first LR-CLE scheme under the continual leakage model. In the generic bilinear group (GBG) model (Boneh et al.), Wu et al.’s LR-CLE scheme is semantically secure against chosen ciphertext attacks for two adversaries, namely, outsider and honest-but-curious KGC.
1.2 Contribution and Organization

As mentioned earlier, a RCLPKS setting with an outsourced revocation authority (ORA), named RCLPKS-ORA setting, can revoke compromised users and alleviate the KGC’s revocation computation burden. However, up to date, there are no leakage-resilient revocable certificateless encryption (LR-RCLE) or leakage-resilient revocable certificateless key encapsulation scheme. In this article, the first leakage-resilient revocable certificateless encryption scheme with an ORA, termed LR-RCLE-ORA scheme, is proposed. By extending the adversary models of the revocable certificateless encryption (RCLE) (Tsai and Tseng, 2015) and leakage resilience certificateless encryption (LR-CLE) schemes (Xiong et al., 2013; Wu et al., 2018), a new adversary model of LR-RCLE-ORA schemes is presented. Under this new adversary model, the proposed scheme is formally shown to be semantically secure against three types of adversaries, namely, outsider, revoked user and honest-but-curious KGC. Finally, comparisons with previously proposed schemes (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018), the proposed scheme has the following merits. (1) It can resist side-channel attacks and has leakage resilience properties. (2) The revocation functionality is outsourced to an ORA to alleviate the computational load of the KGC. (3) It permits adversaries to continually extract partial ingredient of secret keys and offers the overall unbounded leakage property.

The remaining paper is organized as below. Several preliminaries are presented in Section 2. In Section 3, the syntax (framework) and adversary model (security notions) of LR-RCLE-ORA schemes are defined. The proposed LR-RCLE-ORA scheme is presented in Section 4. In Section 5, the security of the proposed scheme is formally established. The comparisons of the proposed scheme with some RCLE and LR-CLE schemes are given in Section 6. Conclusions are drawn in Section 7.

2 Preliminaries

2.1 Bilinear Groups

Let $G_{1}$ be an additive group of a prime order p and Q be a generator of $G_{1}$ . Let $G_{2}$ be a multiplicative group of the same order p. A bilinear admissible pairing $\hat{e} : G_{1} \times G_{1} \to G_{2}$ possesses the following properties:

–
Bilinear: for $r, s \in Z_{p}^{*}$ , $\hat{e} (r \cdot Q, s \cdot Q) = \hat{e} {(Q, Q)}^{r s}$ ;
–
Non-degenerate: $\hat{e} (Q, Q) \neq 1$ ;
–
Efficiently computable: for $R, S \in G_{1}, \hat{e} (R, S)$ is efficiently computed.

We say that ${G_{1}, G_{2}, p, Q, \hat{e}}$ are the bilinear group parameters. A reader may refer to Boneh and Franklin (2001), Scott (2011) for detailed definitions of bilinear groups.
2.2 Generic Bilinear Group Model

In 2005, Boneh et al. (2005) defined the generic bilinear group (GBG) model, which is a technique of proving the security of some cryptographic schemes. In the GBG model, the discrete logarithm problems on groups of a large order would be solved if collisions of the groups were found by adversaries after finishing the security games of the cryptographic scheme.

In the GBG model, as mentioned in Section 2.1, let ${G_{1}, G_{2}, p, Q, \hat{e}}$ be the bilinear group parameters and let each element in two groups $G_{1}$ and $G_{2}$ be represented by distinct bit-strings. In such a case, a random injective mapping $Φ_{1} : Z_{p}^{*} \to ξ G_{1}$ is used to encode all elements of $G_{1}$ , where $ξ G_{1}$ denotes the set of the encoded bit-strings of $G_{1}$ . By the same reason, the other random injective mapping $Φ_{2} : Z_{p}^{*} \to ξ G_{2}$ is employed to encode all elements of $G_{2}$ , where $ξ G_{2}$ denotes the set of the encoded bit-strings of $G_{2}$ . Two sets $ξ G_{1}$ and $ξ G_{2}$ satisfy $| ξ G_{1} | = | ξ G_{2} | = p$ and $ξ G_{1} \cap ξ G_{2} = ϕ$ . In addition, let three operations $O_{1}$ , $O_{2}$ and $O_{p}$ , respectively, denote the addition of $G_{1}$ , the multiplication of $G_{2}$ and the bilinear pairing $\hat{e}$ . To perform these group operations, an adversary must request the associated operations (oracles) $O_{1}$ , $O_{2}$ and $O_{p}$ which are defined as below:

–
$O_{1} (Φ_{1} (r), Φ_{1} (s)) \to Φ_{1} (r + s mod p)$ ;
–
$O_{2} (Φ_{2} (r), Φ_{2} (s)) \to Φ_{2} (r + s mod p)$ ;
–
$O_{p} (Φ_{1} (r), Φ_{1} (s)) \to Φ_{2} (r s mod p)$ .
Note that $r, s \in Z_{p}^{}$ , $Q = Φ_{1} (1)$ and $\hat{e} (Q, Q) = Φ_{2} (1)$ .

After finishing the security games in the GBG model of a cryptographic scheme, the discrete logarithm problem on $G_{1}$ or $G_{2}$ would be resolved if adversaries discovered a collision on $G_{1}$ or $G_{2}$ . The discrete logarithm problem and assumption are presented as below: –
Discrete logarithm (DL) problem and assumption: Let ${G_{1}, G_{2}, p, Q, \hat{e}}$ be the bilinear group parameters. Given a group element $r \cdot Q \in G_{1}$ or $\hat{e} {(Q, Q)}^{r} \in G_{2}$ for unknown $r \in Z_{p}^{}$ , the DL problem is to find r from $r \cdot Q$ or $\hat{e} {(Q, Q)}^{r}$ . The DL assumption is that no polynomial time algorithm A with non-negligible probability can discover r.

2.3 The Security Measure of Leaked Information

To measure the security influence incurred by leaked information of secret keys (finite random variables) involved in a cryptographic scheme, we first introduce the concept of entropy. The entropy of a random variable is employed to denote its uncertainty for guessing this random variable. Let R be a finite random variable and let $Pr [R = r]$ denote the associated probability of $R = r$ . In the following, we present two kinds of min-entropies:

1.
Min-entropy of R: $\begin{matrix} H_{\infty} (R) = - {log}_{2} (max_{r} Pr [R = r]); \end{matrix}$
2.
Average conditional min-entropy of R under the condition $S = s$ : $\begin{matrix} {\tilde{H}}_{\infty} (R | S = s) = - {log}_{2} (E_{s \leftarrow S} [max_{r} Pr [R = r | S = s]]) . \end{matrix}$

In 2008, Dodis et al. (2008) inferred the following consequence related to the security influence incurred by leaked information of a secret key (finite random variable).
Lemma 1.
Let λ denote the maximal bit-length of leaked information of a secret key (a finite random variable) R. Let $f : R \to {0, 1}^{λ}$ denote the associated leakage function of R. Under the condition $f (R)$ , the average conditional min-entropy on R is ${\tilde{H}}_{\infty} (R | f (R)) ≧ H_{\infty} (R) - λ$ .

Galindo and Virek (2013) further presented the following consequences related to multiple secret keys (finite random variables). Lemma 2.
Let $R_{1}, R_{2}, \dots, R_{n}$ be n random variables. Let $F \in Z_{p} [R_{1}, R_{2}, \dots, R_{n}]$ be a polynomial with at most degree d. Let $P_{k}$ denote a probability distribution on $Z_{p}$ such that $H_{\infty} (P_{k}) ≧ log p - λ$ and $0 ≦ λ ≦ log p$ , for $k = 1, 2, \dots, n$ . If all $R_{k} = r_{k} \leftarrow Z_{p}$ with probability distribution $P_{k}$ are mutually independent, we have $Pr [F (R_{1} = r_{1}, R_{2} = r_{2}, \dots, R_{n} = r_{n}) = 0] ≦ (d / p) 2^{λ}$ .
Corollary 1.
$Pr [F (R_{1} = r_{1}, R_{2} = r_{2}, \dots, R_{n} = r_{n}) = 0]$ is negligible if $λ < (1 - ϵ) log p$ , where ϵ is a positive value.

3 Syntax and Adversary Model

Fig. 1

The system architecture of a LR-RCLE-ORA scheme.

The syntax (framework) and adversary model (security notions) of LR-RCLE-ORA schemes are presented as follows.

3.1 Syntax of LR-RCLE-ORA schemes

Here, let us present the system architecture of an LR-RCLE-ORA scheme as depicted in Fig. 1. An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers). Each user with an identity $ID$ randomly selects a personal secret key ${PSK}_{ID}$ by herself/himself. For each user with $ID$ , the KGC with a secret key KSK is responsible to generate and securely send an identity secret key ${ISK}_{ID}$ to the user. For each non-revoked user with $ID$ at each period $T_{s}$ , the ORA with a time secret key $TSK$ is responsible to generate and publicly send a time update key ${TUK}_{ID, s}$ to the user. For compromised or revoked users, the ORA will not generate any associated time update keys. At period $T_{s}$ , when a sender would like to encrypt a plaintext $msg$ to a receiver with $ID$ , the sender uses the receiver’s $ID$ and associated public keys to encrypt $msg$ to generate a ciphertext tuple $(ID, T_{s}, θ)$ while sending $(ID, T_{s}, θ)$ to the receiver. The receiver then uses her/his ${PSK}_{ID}$ , ${ISK}_{ID}$ and ${TUK}_{ID, s}$ to decrypt $(ID, T_{s}, θ)$ to obtain $msg$ .

In the following, we summarize some notations used in the whole paper:

•
$KSK$ : the KGC’s secret key;
•
$KPK$ : the KGC’s public key;
•
$TSK$ : the time secret key;
•
$TPK$ : the time public key;
•
$ID$ : a user’s identity;
•
${PSK}_{ID}$ : a user $ID$ ’s personal secret key;
•
${PPK}_{ID}$ : a user $ID$ ’s personal public key;
•
${ISK}_{ID}$ : a user $ID$ ’s identity secret key;
•
${IPK}_{ID}$ : a user $ID$ ’s identity public key;
•
$T_{s}$ : a period $T_{s} \in {0, 1}^{}$ , for $s = 1, \dots, t$ , where t denotes the period length;
•
${TUK}_{ID, s}$ : a user $ID$ ’s time update key at period $T_{s}$ ;
•
${TUPK}_{ID, s}$ : a user $ID$ ’s time update public key at period $T_{s}$ ;
•
$msg$ : a message;
•
θ: a ciphertext.

Fig. 2
The algorithm architecture of the proposed LR-RCLE-ORA scheme.

Based on the syntax (framework) in (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018), the syntax of LR-RCLE-ORA schemes is defined as follows. An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers) while including eight algorithms: (1) System setup; (2) Personal secret key setting; (3) Identity secret key extract; (4) Time update key extract; (5) Private key setting; (6) Public key setting; (7) Encrypting; (8) Decrypting. Fig. 2 depicts the algorithm architecture, interactions and their inputs/outputs of the proposed LR-RCLE-ORA scheme. Eight algorithms of the LR-RCLE-ORA scheme are presented in Definition 1 as below:
Definition 1.
An LR-RCLE-ORA scheme consists of three roles, namely, a key generation centre (KGC), an outsourced revocation authority (ORA) and users (senders and receivers). Eight algorithms of the LR-RCLE-ORA scheme are presented as below: –
System setup: By taking as input a security parameter κ and a period number t, the KGC generates the KGC’s secret key $KSK = ({KSK}_{0, 1}, {KSK}_{0, 2})$ and associated public key KPK, the time secret key $TSK = ({TSK}_{0, 1}, {TSK}_{0, 2})$ , and time public key TPK. The KGC then securely sends TSK to the ORA. Finally, the KGC publishes t periods $T_{1}, T_{2}, \dots, T_{t}$ and public system parameters PSP.
–
Personal secret key setting: Each user with an identity ID randomly selects a personal secret key ${PSK}_{ID} = ({PSK}_{ID, 0, 1}, {PSK}_{ID, 0, 2})$ and generates the associated personal public key ${PPK}_{ID}$ .
–
Identity secret key extract: In this algorithm’s i-th round, by taking as input a user ID and $({KSK}_{i - 1, 1}$ , ${KSK}_{i - 1, 2})$ , the KGC first carries out two sub-algorithms ISKExtract-1 $(ID, {KSK}_{i - 1, 1})$ and ISKExtract-2 $({KSK}_{i - 1, 2})$ to set the new KGC’s secret key $({KSK}_{i, 1}, {KSK}_{i, 2})$ , and generate the user’s identity secret key ${ISK}_{ID}$ and associated identity public key ${IPK}_{ID}$ . Finally, the KGC securely sends ${IPK}_{ID}$ and ${ISK}_{ID}$ to the user.
–
Time update key extract: In this algorithm’s j-th round, by taking as input a user ID, a period $T_{s}$ and $({TSK}_{j - 1, 1}, {TSK}_{j - 1, 2})$ , the ORA carries out two sub-algorithms TUKExtract-1 $(ID, T_{s}, {TSK}_{j - 1, 1})$ and TUKExtract-2 $({TSK}_{j - 1, 2})$ to set the new time secret key $({TSK}_{j, 1}, {TSK}_{j, 2})$ , and generate the user’s time update key ${TUK}_{ID, s}$ and associated time update public key ${TUPK}_{ID, s}$ at period $T_{s}$ . Finally, the ORA sends ${TUK}_{ID, s}$ and ${TUPK}_{ID, s}$ to the user.
–
Private key setting: At period $T_{s}$ , a user $ID$ ’s private key tuple includes three parts, namely, ${PSK}_{ID}$ , ${ISK}_{ID}$ , and ${TUK}_{ID, s}$ . The user also sets ${PSK}_{ID} = ({PSK}_{ID, 0, 1}, {PSK}_{ID, 0, 2})$ and ${ISK}_{ID} = ({ISK}_{ID, 0, 1}, {ISK}_{ID, 0, 2})$ .
–
Public key setting: At period $T_{s}$ , a user $ID$ ’s public key tuple includes three parts, namely, ${PPK}_{ID}$ , ${IPK}_{ID}$ , and ${TUPK}_{ID, s}$ .
–
Encrypting: At period $T_{s}$ , by taking as input a plaintext msg and a receiver ID with public key tuple $({PPK}_{ID}, {IPK}_{ID}, {TUPK}_{ID, s}$ ), the sender generates a ciphertext tuple $(ID, T_{s}, θ = (C, CT = E_{EK} (m s g)))$ , where $E_{EK} (\cdot)$ is a symmetric encryption function and $EK$ is an encryption key encrypted to generate C. Finally, the sender returns the ciphertext tuple $(ID, T_{s}, θ = (C, CT))$ .
–
Decrypting*: In this algorithm’s k-th round, by taking as input $(ID, T_{s}, θ = (C, CT))$ , a receiver with ID uses her/his private key tuple $({PSK}_{ID} = ({PSK}_{ID, k - 1, 1}, {PSK}_{ID, k - 1, 2})$ , ${ISK}_{ID} = ({ISK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 2})$ , ${TUK}_{ID, s})$ to carry out two sub-algorithms DEC-1 $({PSK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 1})$ and DEC-2 $({PSK}_{ID, k - 1, 2}, {ISK}_{ID, k - 1, 2}, {TUK}_{ID, s}, T_{s}, θ = (C, CT))$ to set new private key tuple $({PSK}_{ID} = ({PSK}_{ID, k, 1}, {PSK}_{ID, k, 2}), {ISK}_{ID} = ({ISK}_{ID, k, 1}, {ISK}_{ID, k, 2}), {TUK}_{ID, s})$ , compute the encryption key EK from C, and decrypt $m s g = D_{EK} (CT)$ , where $D_{EK} (\cdot)$ is the corresponding symmetric decryption function of $E_{EK} (\cdot)$ .

3.2 Adversary Model of LR-RCLE-ORA Schemes

By the entropy concept of secret keys mentioned in Section 2.3, six leakage functions $f_{ISKE, i}$ , $h_{ISKE, i}$ , $f_{TUKE, j}$ , $h_{TUKE, j}$ , $f_{DEC, k}$ and $h_{DEC, k}$ are employed to present capabilities of adversaries obtaining leaked information of secrets keys. Both $f_{ISKE, i}$ and $h_{ISKE, i}$ are employed to obtain leaked information of the KGC’s secret key $({KSK}_{i, 1}$ , ${KSK}_{i, 2})$ used in the Identity secret key extract algorithm’s i-th round. Both $f_{TUKE, j}$ and $h_{TUKE, j}$ are employed to obtain leaked information of the time secret key $({TSK}_{j, 1}$ , ${TSK}_{j, 2})$ used in the Time update key extract algorithm’s j-th round. Furthermore, both $f_{DEC, k}$ and $h_{DEC, k}$ are employed to obtain leaked information of a receiver’s private key tuple $({PSK}_{ID} = ({PSK}_{ID, k, 1}, {PSK}_{ID, k, 2}), {ISK}_{ID} = ({ISK}_{ID, k, 1}, {ISK}_{ID, k, 2}), {TUK}_{ID, s})$ used in the Decrypting algorithm’s k-th round of a user $ID$ . An adversary can obtain at most λ bits of secret keys used in each associated algorithm, where λ is related to the security parameter selected in the System setup algorithm. Namely, $| f_{ISKE, i} |$ , $| h_{ISKE, i} |$ , $| f_{TUKE, j} |$ , $| h_{TUKE, j} |$ , $| f_{DEC, k} |$ , $| h_{DEC, k} |$ ≦ λ, where $| \cdot |$ denotes the output bit-length of a function. The leaked information of a leakage function f is denoted by $Λ f$ . In the sequel, leaked information of the six leakage functions are denoted as below:

–
$Λ f_{ISKE, i} = f_{ISKE, i} ({KSK}_{i, 1})$ ;
–
$Λ h_{ISKE, i} = h_{ISKE, i} ({KSK}_{i, 2})$ ;
–
$Λ f_{TUKE, j} = f_{TUKE, j} ({TSK}_{j, 1})$ ;
–
$Λ h_{TUKE, j} = h_{TUKE, j} ({TSK}_{j, 2})$ ;
–
$Λ f_{DEC, k} = f_{DEC, k} ({PSK}_{ID, k, 1}, {ISK}_{ID, k, 1})$ ;
–
$Λ h_{DEC, k} = h_{DEC, k} ({PSK}_{ID, k, 2}, {ISK}_{ID, k, 2}, {TUK}_{ID, k, 2})$ .

By extending the adversary model (security notions) in Tsai and Tseng (2015), Xiong et al. (2013), Wu et al. (2018), the adversary model of LR-RCLE-ORA schemes consists of three types of adversaries, namely, outsider (Type I, $A_{I}$ ), revoked user (Type II, $A_{II}$ ) and honest-but-curious KGC (Type III, $A_{III}$ ).
–
Outsider ( $A_{I}$ ): Although $A_{I}$ is not a legal user of the LR-RCLE-ORA scheme, it may obtain the time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ from public channels. Also, $A_{I}$ may get the personal secret key ${PSK}_{ID}$ and the identity secret key ${ISK}_{ID}$ of any user $ID$ , but it is disallowed to get the identity secret key ${ISK}_{{ID}^{}}$ of the target user ${ID}^{}$ . For leakage resilient property, $A_{I}$ can obtain leaked information of both the target user’s ${ISK}_{{ID}^{}} = ({ISK}_{{ID}^{}, k, 1}, {ISK}_{{ID}^{}, k, 2})$ used in the Decrypting* algorithm’s k-th round of the target user and the KGC’s secret key $({KSK}_{i, 1}, {KSK}_{i, 2})$ used in the Identity secret key extract algorithm’s i-th round.
–
Revoked user $(A_{II})$ : When $A_{II}$ is a legal user of the LR-RCLE-ORA scheme who has been revoked, it knows the personal secret key ${PSK}_{ID}$ and the identity secret key ${ISK}_{ID}$ of any user $ID$ . Also, $A_{II}$ may get the time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ , except ${TUK}_{{ID}^{}, s^{}}$ of the target user ${ID}^{}$ at target period $T_{s^{}}$ . For leakage resilient property, $A_{II}$ can obtain leaked information of the time secret key ( ${TSK}_{j, 1}$ , ${TSK}_{j, 2}$ ) used in the Time update key extract algorithm’s j-th round.
–
Honest-but-curious KGC $(A_{III})$ : Since $A_{III}$ knows the KGC’s secret key $KSK$ and time secret key $TSK$ , it can get the identity secret key ${ISK}_{ID}$ and time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ . Also, $A_{III}$ may get the personal secret key ${PSK}_{ID}$ of any user $ID$ , except ${PSK}_{{ID}^{}}$ of the target user ${ID}^{}$ . For leakage resilient property, $A_{III}$ can obtain leaked information of the target user’s ${PSK}_{{ID}^{}} = ({PSK}_{{ID}^{}, k, 1}, {PSK}_{{ID}^{}, k, 2})$ used in the Decrypting* algorithm’s k-th round of the target user.

In the continual model of leakage resilient property, the adversary model of LR-RCLE-ORA schemes is defined by the following security game $G_{LR-RCLE-ORA}$ played by both an adversary ( $A_{I}$ , $A_{II}$ or $A_{III}$ ) and a challenger B. Definition 2.
In the continual leakage model, an LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks if no adversary $(A_{I}, A_{II} or A_{III})$ with non-negligible advantage wins the security game $G_{LR-RCLE-ORA}$ in polynomial time. This security game $G_{LR-RCLE-ORA}$ consists of three phases: –
Setup phase: By taking as input a security parameter κ and a period number t, a challenger B carries out the System setup algorithm of the LR-RCLE-ORA scheme to generate the KGC’s secret key $KSK = ({KSK}_{0, 1}, {KSK}_{0, 2})$ , the KGC’s public key KPK, the time secret key $TSK = ({TSK}_{0, 1}, {TSK}_{0, 2})$ , and the time public key TPK. Also, B sets t periods $T_{1}, T_{2}, \dots, T_{t}$ and publishes public system parameters PSP. Additionally, B sends messages to the adversary of various types by the following rules:
•
If the adversary is of $A_{I}$ , B sends out TSK;
•
If the adversary is of $A_{II}$ , B sends out KSK;
•
If the adversary is of $A_{III}$ , B sends out KSK and TSK.
–
Query phase: In the phase, the adversary may request the following queries to B adaptively.
•
Identity secret key query $(ID)$ : For this query’s i-th round, B sets the new KGC’s secret key $({KSK}_{i, 1}, {KSK}_{i, 2})$ by using $({KSK}_{i - 1, 1}, {KSK}_{i - 1, 2})$ . Also, B uses $({KSK}_{i, 1}, {KSK}_{i, 2})$ to generate and return the associated identity secret key ${ISK}_{ID}$ and identity public key ${IPK}_{ID}$ .
•
Identity secret key leak query $(f_{ISKE, i}, h_{ISKE, i}, i)$ : In the Identity secret key query’s i-th round, this query is allowed to be requested only once. B returns leaked information $(Λ f_{ISKE, i}, Λ h_{ISKE, i})$ .
•
Time update key query $(ID, T_{s})$ : In this query’s j-th round, B sets the new time secret key $({TSK}_{j, 1}$ , ${TSK}_{j, 2})$ by using $({TSK}_{j - 1, 1}, {TSK}_{j - 1, 2})$ . Also, B uses $({TSK}_{j, 1}, {TSK}_{j, 2})$ , ID and $T_{s}$ to generate and return the associated time update key ${TUK}_{ID, s}$ and the time update public key ${TUPK}_{ID, s}$ .
•
Time update key leak query $(f_{TUKE, j}, h_{TUKE, j}, j)$ : In the Time update key query’s j-th round, this query is allowed to be requested only once. B returns leaked information $(Λ f_{TUKE, j}, Λ h_{TUKE, j}$ ).
•
Public key retrieve query $(ID, T_{s})$ : B returns the associated public key tuple $({PPK}_{ID}, {IPK}_{ID}, {TUPK}_{ID, s})$ .
•
Public key replace query $(ID, T_{s}, ({PPK}_{ID}^{'}, {IPK}_{ID}^{'}, {TUPK}_{ID, s}^{'}))$ : B sets the new public key tuple $({PPK}_{ID}^{'}, {IPK}_{ID}^{'}, {TUPK}_{ID, s}^{'})$ of the user ID at period $T_{s}$ .
•
Personal secret key corrupt query $(ID)$ : If the Public key replace query $(ID)$ has never been requested, B returns the associated personal secret key ${PSK}_{ID}$ .
•
Decrypting query $(ID, T_{s}, θ = (C, CT))$ : In this query’s k-th round, B sets the user ID’s new private key tuple $({PSK}_{ID} = ({PSK}_{ID, k, 1}, {PSK}_{ID, k, 2}), {ISK}_{ID} = ({ISK}_{ID, k, 1}, {ISK}_{ID, k, 2}), {TUK}_{ID, s})$ by using $({PSK}_{ID} = ({PSK}_{ID, k - 1, 1}, {PSK}_{ID, k - 1, 2}), ISKID = ({ISK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 2})$ , ${TUK}_{ID, s})$ . Also, B uses the new private key tuple to compute the encryption key $EK$ from C, and decrypt $m s g = D_{EK} (CT)$ . B returns $msg$ .
•
Decrypting leak query $(ID, T_{s}, f_{DEC, k}, h_{DEC, k}, k)$ : In the Decrypting query’s k-th round of the user $ID$ at period $T_{s}$ , this query is allowed to be requested only once. B returns leaked information $(Λ f_{DEC, k}, Λ h_{DEC, k})$ .
–
Challenge phase. The adversary sends a target identity ${ID}^{}$ , a target period $T_{s^{}}$ and a plaintext pair $(m s g_{0}^{}, m s g_{1}^{})$ to B. B chooses an unbiased random bit $b \in {0, 1}$ and carries out the Encrypting algorithm with $({ID}^{}, T_{s^{}}, ({PPK}_{{ID}^{}}, {IPK}_{{ID}^{}}, {TUPK}_{{ID}^{}, s^{}}), m s g_{b}^{})$ to generate $C^{}$ , ${EK}^{}$ and ${CT}^{} = E_{{EK}^{}} (m s g_{b}^{})$ . Finally, B returns the ciphertext tuple $({ID}^{}$ , $T_{s^{}}$ , $θ = (C^{}, {CT}^{}))$ to the adversary. Additionally, the associated conditions must be satisfied according to various types of adversaries:
1.
If the adversary is of $A_{I}$ , the Identity secret key query $({ID}^{})$ has never been requested;
2.
If the adversary is of $A_{II}$ , the Time update key query $({ID}^{}$ , $T_{s}^{})$ has never been requested;
3.
If the adversary is of $A_{III}$ , both the Personal secret key corrupt query $({ID}^{})$ and the Public key replace query $({ID}^{}, T_{s}^{}, ({PPK}_{{ID}^{}}^{'}, {IPK}_{{ID}^{}}^{'}, {TUPK}_{{ID}^{}, s^{}}^{'}))$ has never been requested.
–
Guess phase. In this phase, the adversary must output a bit $b^{'} \in {0, 1}$ . If $b^{'} = b$ , we say that it wins the game $G_{LR-RCLE-ORA}$ and its advantage is $| Pr [b^{'} = b] - 1 / 2 |$ .

4 The Proposed LR-RCLE-ORA Scheme

The proposed LR-RCLE-ORA scheme consists of eight algorithms as follows:

–
System setup: By taking as input a security parameter κ and a period number t, the KGC chooses the bilinear group parameters ${G_{1}, G_{2}, p, Q, \hat{e}}$ , picks a symmetric encryption function $E (\cdot)$ and its associated decryption function $D (\cdot)$ , and sets a period set $T = {T_{0}, T_{1}, T_{2}, \dots, T_{t}}$ . The KGC carries out the following procedures:
(1)
Randomly select an integer $α \in Z_{p}^{}$ , and generate the KGC’s secret key $KSK = α \cdot Q$ and public key $KPK = \hat{e} (Q, KSK)$ . Additionally, the KGC randomly selects an integer $x_{0} \in Z_{p}^{}$ and generates the KGC’s current secret key $({KSK}_{0, 1}, {KSK}_{0, 2}) = (x_{0} \cdot Q, KSK + (- x_{0}) \cdot Q)$ .
(2)
Randomly select an integer $β \in Z_{p}^{}$ , and generate the time secret key $TSK = β \cdot Q$ and time public key $TPK = \hat{e} (Q, TSK)$ . Additionally, the KGC securely sends $TSK$ to the ORA. The ORA then selects a random integer $y_{0} \in Z_{p}^{}$ and generates the current time secret key $({TSK}_{0, 1}, {TSK}_{0, 2}) = (y_{0} \cdot Q, TSK + (- y_{0}) \cdot Q)$ .
(3)
Randomly select four integers $m, n, r, s \in Z_{p}^{}$ , and compute $M = m \cdot Q$ , $N = n \cdot Q$ , $R = r \cdot Q$ and $S = s \cdot Q$ .
(4)
Publish public system parameters $PSP = {G_{1}, G_{2}, p, Q, \hat{e}, KPK, TPK, T, D (), E (), M, N, R, S}$ .
–
Personal secret key setting: Each user with an identity $ID$ randomly selects an integer $γ \in Z_{p}^{}$ and generates personal secret key ${PSK}_{ID} = γ \cdot Q$ and the associated personal public key ${PPK}_{ID} = \hat{e} (Q, {PSK}_{ID})$ .
–
Identity secret key extract: In this algorithm’s i-th round, by taking as input a user’s $ID$ and $({KSK}_{i - 1, 1}, {KSK}_{i - 1, 2})$ , the KGC carries out two sub-algorithms $ISKExtract-1 (ID, {KSK}_{i - 1, 1})$ and $ISKExtract-2 ({KSK}_{i - 1, 2})$ as below:
•
$ISKExtract-1 (ID, {KSK}_{i - 1, 1})$ :
(1)
Randomly select an integer $x_{i} \in Z_{p}^{}$ , and compute ${KSK}_{i, 1} = {KSK}_{i - 1, 1} + x_{i} \cdot Q$ .
(2)
Randomly select an integer $u \in Z_{p}^{}$ , and compute ${IPK}_{ID} = u \cdot Q$ and temporary value ${TV}_{ISKE} = {KSK}_{i, 1} + u \cdot (M + ID \cdot N)$ .
•
$ISKExtract-2 ({KSK}_{i - 1, 2})$ :
(1)
Compute ${KSK}_{i, 2} = {KSK}_{i - 1, 2} + (- x_{i}) \cdot Q$ and ${ISK}_{ID} = {KSK}_{i, 2} + {TV}_{ISKE}$ .
(2)
Send the user’s identity secret key ${ISK}_{ID}$ and associated identity public key ${IPK}_{ID}$ to the user using a secure channel.
–
Time update key extract: In this algorithm’s j-th round, by taking as input a user’s $ID$ , a period $T_{s}$ and $({TSK}_{j - 1, 1}, {TSK}_{j - 1, 2})$ , the ORA carries out two sub-algorithms $TUKExtract-1 (ID, T_{s}, {TSK}_{j - 1, 1})$ and $TUKExtract-2 ({TSK}_{j - 1, 2})$ as below:
•
$TUKExtract-1 (ID, T_{s}, {TSK}_{j - 1, 1})$ :
(1)
Randomly select an integer $y_{j} \in Z_{p}^{}$ , and compute ${TSK}_{j, 1} = {TSK}_{j - 1, 1} + y_{j} \cdot Q$ .
(2)
Randomly select an integer $v \in Z_{p}^{}$ , and compute ${TUPK}_{ID, s} = v \cdot Q$ and temporary value ${TV}_{TUKE} = {TSK}_{j, 1} + v \cdot (R + (ID | | T_{s}) \cdot S)$ .
•
$TUKExtract-2 ({TSK}_{j - 1, 2})$ :
(1)
Compute ${TSK}_{j, 2} = {TSK}_{j - 1, 2} + (- y_{j}) \cdot Q$ and ${TUK}_{ID, s} = {TSK}_{j, 2} + {TV}_{TUKE}$ .
(2)
Send the user’s time update key ${TUK}_{ID, s}$ and associated time update public key ${TUPK}_{ID, s}$ to the user.
–
Private key setting: At period $T_{s}$ , a user $ID$ ’s private key tuple includes three parts, namely, ${PSK}_{ID}$ , ${ISK}_{ID}$ , and ${TUK}_{ID, s}$ . The user carries out the following procedures:
(1)
Randomly select an integer $z_{0} \in Z_{p}^{}$ and compute the current personal secret key $({PSK}_{ID, 0, 1}, {PSK}_{ID, 0, 2}) = (z_{0} \cdot Q, {PSK}_{ID} + (- z_{0}) \cdot Q)$ .
(2)
Randomly select an integer $w_{0} \in Z_{p}^{}$ and compute the current identity secret key $({ISK}_{ID, 0, 1}, {ISK}_{ID, 0, 2}) = (w_{0} \cdot Q, {ISK}_{ID} + (- w_{0}) \cdot Q)$ .
(3)
Set the user’s private key tuple $({PSK}_{ID} = ({SK}_{ID, 0, 1}, {SK}_{ID, 0, 2}), {ISK}_{ID} = ({ISK}_{ID, 0, 1}, {ISK}_{ID, 0, 2}), {TUK}_{ID, s})$ .
–
Public key setting: At period $T_{s}$ , a user $ID$ sets her/his public key tuple $({PPK}_{ID}, {IPK}_{ID}, {TUPK}_{ID, s})$ .
–
Encrypting: At period $T_{s}$ , by taking as input a plaintext $msg$ and a receiver $ID$ with public key tuple $({PPK}_{ID}, {IPK}_{ID}, {TUPK}_{ID, s})$ , the sender carries out the following procedures:
(1)
Randomly select an integer $e k \in Z_{p}^{}$ .
(2)
Compute $C = e k \cdot Q$ , $K_{1} = {({PPK}_{ID})}^{e k}$ , $K_{2} = {(KPK \cdot \hat{e} ({IPK}_{ID}, M + ID \cdot N))}^{e k}$ and $K_{3} = {(TPK \cdot \hat{e} ({TUPK}_{ID, s}, R + (ID | | T_{s}) \cdot S))}^{e k}$ .
(3)
Set the encryption key $EK = K_{1} \oplus K_{2} \oplus K_{3}$ .
(4)
Compute $CT = E_{EK} (m s g)$ and return the ciphertext tuple $(ID, T_{s}, θ = (C, CT))$ .
–
Decrypting: In this algorithm’s k-th round, by taking as input $(ID, T_{s}, θ = (C, CT))$ , a receiver $ID$ uses her/his private key tuple $({PSK}_{ID} = ({PSK}_{ID, k - 1, 1}, {PSK}_{ID, k - 1, 2}), {ISK}_{ID} = ({ISK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 2}), {TUK}_{ID, s})$ to carry out two sub-algorithms $DEC-1 ({PSK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 1})$ and $DEC-2 ({PSK}_{ID, k - 1, 2}, {ISK}_{ID, k - 1, 2}, {TUK}_{ID, s}, T_{s}, θ = (C, CT))$ as below:
•
$DEC-1 ({PSK}_{ID, k - 1, 1}, {ISK}_{ID, k - 1, 1})$
(1)
Randomly select an integer $z_{k} \in Z_{p}^{}$ , and compute ${PSK}_{ID, k, 1} = {PSK}_{ID, k - 1, 1} + z_{k} \cdot Q$ .
(2)
Randomly select an integer $w_{k} \in Z_{p}^{*}$ , and compute ${ISK}_{ID, k, 1} = {ISK}_{ID, k - 1, 1} + w_{k} \cdot Q$ .
(3)
Compute two temporary values ${TV}_{1} = \hat{e} (C, {PSK}_{ID, k, 1})$ and ${TV}_{2} = \hat{e} (C, {ISK}_{ID, k, 1})$ .
•
$DEC-2 ({PSK}_{ID, k - 1, 2}, {ISK}_{ID, k - 1, 2}, {TUK}_{ID, s}, T_{s}, θ = (C, CT))$ (1)
Compute ${PSK}_{ID, k, 2} = {PSK}_{ID, k - 1, 2} + (- z_{k}) \cdot Q$ and ${ISK}_{ID, k, 2} = {ISK}_{ID, k - 1, 2} + (- w_{k}) \cdot Q$ .
(2)
Compute $K_{1}^{'} = {TV}_{1} \cdot \hat{e} (C, {PSK}_{ID, k, 2})$ , $K_{2}^{'} = {TV}_{2} \cdot \hat{e} (C, {ISK}_{ID, k, 2})$ and $K_{3}^{'} = \hat{e} (C, {TUK}_{ID, s})$ .
(3)
Compute the encryption key ${EK}^{'} = K_{1}^{'} \oplus K_{2}^{'} \oplus K_{3}^{'}$ .
(4)
Decrypt the plaintext $m s g = D_{{EK}^{'}} (CT)$ .
In the following, by the key refreshing technique, we have $\begin{aligned} KSK = {KSK}_{0, 1} + {KSK}_{0, 2} = {KSK}_{1, 1} + {KSK}_{1, 2} = \dots = {KSK}_{i, 1} + {KSK}_{i, 2}; \\ TSK = {TSK}_{0, 1} + {TSK}_{0, 2} = {TSK}_{1, 1} + {TSK}_{1, 2} = \dots = {TSK}_{j, 1} + {TSK}_{j, 2}; \\ {PSK}_{ID} = {PSK}_{ID, 0, 1} + {PSK}_{ID, 0, 2} = {PSK}_{ID, 1, 1} + {PSK}_{ID, 1, 2} \\ = \dots = {PSK}_{ID, k, 1} + {PSK}_{ID, k, 2}; \\ {ISK}_{ID} = {ISK}_{ID, 0, 1} + {ISK}_{ID, 0, 2} = {ISK}_{ID, 1, 1} + {ISK}_{ID, 1, 2} \\ = \dots = {ISK}_{ID, k, 1} + {ISK}_{ID, k, 2} . \end{aligned}$

In the following, we show the correctness of $EK = K_{1} \oplus K_{2} \oplus K_{3} = K_{1}^{'} \oplus K_{2}^{'} \oplus K_{3}^{'} = {EK}^{'}$ . $\begin{aligned} EK & = K_{1} \oplus K_{2} \oplus K_{3} \\ = {({PPK}_{ID})}^{e k} \oplus {(KPK \cdot \hat{e} ({IPK}_{ID}, M + ID \cdot N))}^{e k} \\ \oplus {(TPK \cdot \hat{e} ({TUPK}_{ID, s}, R + (ID | | T_{s}) \cdot S))}^{e k} \\ = \hat{e} {(Q, {PSK}_{ID})}^{e k} \oplus {(\hat{e} (Q, KSK) \cdot \hat{e} (u \cdot Q, M + ID \cdot N))}^{e k} \\ \oplus {(\hat{e} (Q, TSK) \cdot \hat{e} (v \cdot Q, R + (ID | | T_{s}) \cdot S))}^{e k} \\ = \hat{e} {(Q, {PSK}_{ID})}^{e k} \oplus {(\hat{e} (Q, KSK) \cdot \hat{e} (Q, u \cdot (M + ID \cdot N)))}^{e k} \\ \oplus {(\hat{e} (Q, TSK) \cdot \hat{e} (Q, v \cdot (R + (ID | | T_{s}) \cdot S)))}^{e k} \\ = \hat{e} {(Q, {PSK}_{ID})}^{e k} \oplus {(\hat{e} (Q, KSK + u \cdot (M + ID \cdot N)))}^{e k} \\ \oplus {(\hat{e} (Q, TSK + v \cdot (R + (ID | | T_{s}) \cdot S)))}^{e k} \\ = \hat{e} (e k \cdot Q, {PSK}_{ID}) \oplus \hat{e} (e k \cdot Q, KSK + u \cdot (M + ID \cdot N)) \\ \oplus \hat{e} (e k \cdot Q, TSK + v \cdot (R + (ID | | T_{s}) \cdot S)) \\ = \hat{e} (C, {PSK}_{ID}) \oplus \hat{e} (C, KSK + u \cdot (M + ID \cdot N)) \\ \oplus \hat{e} (C, TSK + v \cdot (R + (ID | | T_{s}) \cdot S)) \\ = \hat{e} (C, {PSK}_{ID}) \oplus \hat{e} (C, {KSK}_{i, 1} + {KSK}_{i, 2} + u \cdot (M + ID \cdot N)) \\ \oplus \hat{e} (C, {TSK}_{j, 1} + {TSK}_{j, 2} + v \cdot (R + (ID | | T_{s}) \cdot S)) \\ = \hat{e} (C, {PSK}_{ID}) \oplus \hat{e} (C, {KSK}_{i, 2} + {TV}_{ISKE}) \oplus \hat{e} (C, {TSK}_{j, 2} + {TV}_{TUKE}) \\ = \hat{e} (C, {PSK}_{ID}) \oplus \hat{e} (C, {ISK}_{ID}) \oplus \hat{e} (C, {TUK}_{ID, s}) \\ = \hat{e} (C, {PSK}_{ID, k, 1} + {PSK}_{ID, k, 2}) \oplus \hat{e} (C, {ISK}_{ID, k, 1} + {ISK}_{ID, k, 2}) \oplus \hat{e} (C, {TUK}_{ID, s}) \\ = (\hat{e} (C, {PSK}_{ID, k, 1}) \cdot \hat{e} (C, {PSK}_{ID, k, 2})) \\ \oplus (\hat{e} (C, {ISK}_{ID, k, 1}) \cdot \hat{e} (C, {ISK}_{ID, k, 2})) \oplus \hat{e} (C, {TUK}_{ID, s}) \\ = ({TV}_{1} \cdot \hat{e} (C, {PSK}_{ID, k, 2})) \oplus ({TV}_{2} \cdot \hat{e} (C, {ISK}_{ID, k, 2})) \oplus \hat{e} (C, {TUK}_{ID, s}) \\ = K_{1}^{'} \oplus K_{2}^{'} \oplus K_{3}^{'} = {EK}^{'} . \end{aligned}$
5 Security Analysis

As the security game $G_{LR-RCLE-ORA}$ presented in Definition 2, the adversary model consists of three types of adversaries, namely, outsider (Type I, $A_{I}$ ), revoked user (Type II, $A_{II}$ ) and honest-but-curious KGC (Type III, $A_{III}$ ). Under the GBG model presented in Section 2, we employ three theorems to demonstrate that the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against three types of adversaries, respectively. The relationship and robustness of security analysis are depicted in Fig. 3. In Theorem 1, we first discuss the advantage (denoted by ${Adv}_{A - I - W}$ ) of an outsider ( $A_{I}$ ) without requesting any leak queries and then evaluate the advantage (denoted by ${Adv}_{A - I}$ ) of an outsider ( $A_{I}$ ) with requesting Identity secret key leak and Decrypting leak queries. Indeed, by Corollary 1, ${Adv}_{A - I}$ is negligible based on the DL assumption. For Theorems 2 and 3, by similar arguments as in Theorem 1, the advantages (denoted by ${Adv}_{A - II}$ and ${Adv}_{A - III}$ ) of a revoked user ( $A_{II}$ ) and an honest-but-curious KGC ( $A_{III}$ ) are also negligible based on the DL assumption.

Fig. 3

The relationship and robustness of security analysis for the proposed scheme.

Theorem 1.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against an outsider $(A_{I})$ in the security game $G_{LR-RCLE-ORA}$ .

Proof.

Let $A_{I}$ be an outsider of the security game $G_{LR-RCLE-ORA}$ played with a challenger B. In the GBG model, $A_{I}$ may request three queries (oracles) $O_{1}$ , $O_{2}$ and $O_{p}$ to perform three corresponding group operations. In the security game $G_{LR-RCLE-ORA}$ , four phases are presented as below: –

Setup phase: By taking as input a security parameter κ and a period number t, B carries out the System setup algorithm of the LR-RCLE-ORA scheme to generate the KGC’s secret key $KSK = ({KSK}_{0, 1}, {KSK}_{0, 2})$ , the KGC’s public key $KPK$ , the time secret key $TSK$ , and the time pubic key $TPK$ . Also, B sets a period set $T = {T_{0}, T_{1}, T_{2}, \dots, T_{t}}$ and publishes public system parameters $PSP = {G_{1}, G_{2}, p, Q, \hat{e}, KPK, TPK, T, D (), E (), M, N, R, S}$ . Additionally, B sends $TSK$ to $A_{I}$ since $A_{I}$ is an outsider. To respond the queries requested by $A_{I}$ , five initially empty lists $L_{1}$ , $L_{2}$ , $L_{ISK}$ , $L_{TUK}$ and $L_{PSK}$ are constructed as below: •

$L_{1}$ and $L_{2}$ are used to encode elements of groups $G_{1}$ and $G_{2}$ , respectively. (1)

$L_{1}$ includes pairs of $(Ξ G_{1, t, u, v}$ , $Θ G_{1, t, u, v})$ . An element in $G_{1}$ is represented by a multivariate polynomial $Ξ G_{1, t, u, v}$ and $Θ G_{1, t, u, v}$ is the corresponding encoded bit-string, where t, u and v, respectively, denote the query type t, the u-th query and the v-th element in $G_{1}$ . B initially adds seven pairs $(Ξ Q, Θ G_{1, I, 0, 1})$ , $(Ξ KSK, Θ G_{1, I, 0, 2})$ , $(Ξ TSK, Θ G_{1, I, 0, 3})$ , $(Ξ M, Θ G_{1, I, 0, 4})$ , $(Ξ N, Θ G_{1, I, 0, 5})$ , $(Ξ R, Θ G_{1, I, 0, 6})$ and $(Ξ S, Θ G_{1, I, 0, 7})$ in $L_{1}$ .

(2)

$L_{2}$ includes pairs of $(Ξ G_{2, t, u, v}, Θ G_{2, t, u, v})$ . An element in $G_{2}$ is represented by a multivariate polynomial $Ξ G_{2, t, u, v}$ and $Θ G_{2, t, u, v}$ is the corresponding encoded bit-string, where t, u and v have the same meanings with those indices in $L_{1}$ . B initially adds two pairs $(Ξ KPK, Θ G_{2, I, 0, 1})$ and $(Ξ TPK, Θ G_{2, I, 0, 2})$ in $L_{2}$ , where $Ξ KPK = Ξ Q \cdot Ξ KSK$ and $Ξ TPK = Ξ Q \cdot Ξ TSK$ .

It is worth mentioning the two transforming rules defined below.

(1)

By taking as input a polynomial $Ξ G_{1, t, u, v} / Ξ G_{2, t, u, v}$ , B looks for $(Ξ G_{1, t, u, v}, Θ G_{1, t, u, v}) / (Ξ G_{2, t, u, v}, Θ G_{2, t, u, v})$ in $L_{1} / L_{2}$ . If it is found, B returns the encoded bit-string $Θ G_{1, t, u, v} / Θ G_{2, t, u, v}$ . Otherwise, B randomly chooses and returns a distinct encoded bit-string $Θ G_{1, t, u, v} / Θ G_{2, t, u, v}$ . In addition, B adds $(Ξ G_{1, t, u, v}$ , $Θ G_{1, t, u, v}) / (Ξ G_{2, t, u, v}$ , $Θ G_{2, t, u, v})$ in $L_{1} / L_{2}$ .

(2)

By taking as input an encoded bit-string $Θ G_{1, t, u, v} / Θ G_{2, t, u, v}$ , B looks for $(Ξ G_{1, t, u, v}, Θ G_{1, t, u, v}) / (Ξ G_{2, t, u, v}, Θ G_{2, t, u, v})$ in $L_{1} / L_{2}$ . If it is found, B returns the associated multivariate polynomial $Ξ G_{1, t, u, v} / Ξ G_{2, t, u, v}$ . Otherwise, B terminates the game.

•

$L_{ISK}$ includes tuples of $(ID, Ξ {ISK}_{ID}, Ξ {IPK}_{ID})$ , where $Ξ {ISK}_{ID}$ and $Ξ {IPK}_{ID}$ , respectively, represent the user’s ${ISK}_{ID}$ and ${IPK}_{ID}$ .

•

$L_{PSK}$ includes tuples of $(ID, Ξ {PSK}_{ID}, Ξ {PPK}_{ID})$ , where $Ξ {PSK}_{ID}$ and $Ξ {PPK}_{ID}$ , respectively, denote the user’s ${PSK}_{ID}$ and ${PPK}_{ID}$ .

•

$L_{TUK}$ includes tuples of $(ID, T_{s}, Ξ {TUK}_{ID, s}, Ξ {TUPK}_{ID, s})$ , where $Ξ {TUK}_{ID, s}$ and $Ξ {TUPK}_{ID, s}$ , respectively, denote the user’s ${TUK}_{ID, s}$ and ${TUPK}_{ID, s}$ .

Finally, these public system parameters

Ξ Q

Ξ M

Ξ N

Ξ R

Ξ S

Ξ KPK

and

Ξ TPK

are sent to

A_{I}

. Also, B sends the time secret key

Ξ TSK

A_{I}

–

Query phase: $A_{I}$ can adaptively request various queries to B at most q times. Note that $A_{I}$ does not need to request the Time update key leak query and Public key replace query, since $A_{I}$ may get the time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ from public channels.

•

$O_{1}$ query $(Θ G_{1, Q, l, 1}, Θ G_{1, Q, l, 2}, OP)$ : In this query’s l-th round, B carries out the following steps:

(1)

Get a pair of polynomials $(Ξ G_{1, Q, l, 1}, Ξ G_{1, Q, l, 2})$ by transforming a pair of bit-strings $(Θ G_{1, Q, l, 1}, Θ G_{1, Q, l, 2})$ in $L_{1}$ .

(2)

Compute the polynomial $Ξ G_{1, Q, l, 3} = Ξ G_{1, Q, l, 1} + Ξ G_{1, Q, l, 2}$ if $OP$ = “addition”, and $Ξ G_{1, Q, l, 3} = Ξ G_{1, Q, l, 1} - Ξ G_{1, Q, l, 2}$ if $OP$ = “subtraction”.

(3)

Return the encoded bit-string $Θ G_{1, Q, l, 3}$ by transforming $Ξ G_{1, Q, l, 3}$ in $L_{1}$ .

•

$O_{2}$ query $(Θ G_{2, Q, l, 1}, Θ G_{2, Q, l, 2}, OP)$ : In this query’s l-th round, B carries out the following steps:

(1)

Get a pair of polynomials $(Ξ G_{2, Q, l, 1}, Ξ G_{2, Q, l, 2})$ by transforming a pair of bit-strings $(Θ G_{2, Q, l, 1}, Θ G_{2, Q, l, 2})$ in $L_{2}$ .

(2)

Compute the polynomial $Ξ G_{2, Q, l, 3} = Ξ G_{2, Q, l, 1} + Ξ G_{2, Q, l, 2}$ if $OP$ = “multiplication”, and $Ξ G_{2, Q, l, 3} = Ξ G_{2, Q, l, 1} - Ξ G_{2, Q, l, 2}$ if $OP$ = “division”.

(3)

Return the encoded bit-string $Θ G_{2, Q, l, 3}$ by transforming $Ξ G_{2, Q, l, 3}$ in $L_{2}$ .

•

$O_{p}$ query $(Θ G_{1, P, l, 1}, Θ G_{1, P, l, 2})$ : In this query’s l-th round, B carries out the following steps:

(1)

Get a pair of polynomials $(Ξ G_{1, P, l, 1}, Ξ G_{1, P, l, 2})$ by transforming a pair of bit-strings $(Θ G_{1, P, l, 1}, Θ G_{1, P, l, 2})$ in $L_{1}$ .

(2)

Compute the polynomial $Ξ G_{2, P, l, 1} = Ξ G_{1, P, l, 1} \cdot Ξ G_{1, P, l, 2}$ .

(3)

Return the encoded bit-string $Θ G_{2, P, l, 1}$ by transforming $Ξ G_{2, P, l, 1}$ in $L_{2}$ .

•

Identity secret key query $(ID)$ : In this query’s i-th round, B searches ( $ID$ , $Ξ {ISK}_{ID}$ , $Ξ {IPK}_{ID}$ ) in $L_{ISK}$ . If it is found, B transforms $(Ξ {ISK}_{ID}$ , $Ξ {IPK}_{ID})$ to send two encoded bit-strings $(Θ {ISK}_{ID}$ , $Θ {IPK}_{ID})$ to $A_{I}$ . Otherwise, B carries out the following steps:

(1)

Choose a new variate $Ξ {TG}_{I S K, i, 1}$ in $G_{1}$ .

(2)

Set two polynomials $Ξ {IPK}_{ID} = Ξ {TG}_{ISK, i, 1}$ and $Ξ TID = ID$ .

(3)

Set the user’s identity secret key $Ξ {ISK}_{ID} = Ξ KSK + Ξ {TG}_{ISK, i, 1} \cdot (Ξ M + Ξ N \cdot Ξ TID)$ while adding $(ID, Ξ {ISK}_{ID}, Ξ {IPK}_{ID})$ in $L_{ISK}$ .

(4)

Transform $(Ξ {ISK}_{ID}, Ξ {IPK}_{ID})$ to send two encoded bit-strings $(Θ {ISK}_{ID}, Θ {IPK}_{ID})$ to $A_{I}$ .

•

Identity secret key leak query ( $f_{ISKE, i}, h_{ISKE, i}, i)$ : In the Identity secret key query’s i-th round, this query is allowed to be requested only once. B returns leaked information $(Λ f_{ISKE, i}, Λ h_{ISKE, i})$ , where $Λ f_{ISKE, i} = f_{ISKE, i} ({KSK}_{i, 1})$ and $Λ h_{ISKE, i} = h_{ISKE, i} ({KSK}_{i, 2})$ .

•

Time update key query $(ID, T_{s})$ : In this query’s j-th round, B searches ( $ID$ , $T_{s}$ , $Ξ {TUK}_{ID, s}$ , $Ξ {TUPK}_{ID, s}$ ) in $L_{TUK}$ . If it is found, B transforms $(Ξ {TUK}_{ID, s}, Ξ {TUPK}_{ID, s})$ to return two encoded bit-strings $(Θ {TUK}_{ID, s}, Θ {TUPK}_{ID, s})$ . Otherwise, B carries out the following steps:

(1)

Choose a new variate $Ξ {TG}_{TUK, ID, j, 1}$ in $G_{1}$ .

(2)

Set a polynomial $Ξ {TUPK}_{ID, s} = Ξ {TG}_{TUK, ID, j, 1}$ and $Ξ TTD = ID | | T_{s}$ .

(3)

Set the user’s time update key $Ξ {TUK}_{ID, t} = Ξ TSK + Ξ {TG}_{TUK, ID, j, 1} \cdot (Ξ R + Ξ S \cdot Ξ TTD)$ while adding $(ID, T_{s}, Ξ {TUK}_{ID, s}, Ξ {TUPK}_{ID, s})$ in $L_{TUK}$ .

(4)

Transform $(Ξ {TUK}_{ID, s}, Ξ {TUPK}_{ID, s})$ to return two encoded bit-strings $(Θ {TUK}_{ID, s}, Θ {TUPK}_{ID, s})$ .

•

Time update key leak query $(f_{TUKE, j}, h_{TUKE, j}, j)$ : In the Time update key query’s j-th round, this query is allowed to be requested only once. B returns leaked information $(Λ f_{TUKE, j}, Λ h_{TUKE, j})$ , where $Λ f_{TUKE, j} = f_{TUKE, j} ({TSK}_{j, 1})$ and $Λ h_{TUKE, j} = h_{TUKE, j} ({TSK}_{j, 2})$ .

•

Public key retrieve query $(ID, T_{s})$ : B applies $ID$ and $T_{s}$ to search $L_{ISK}$ , $L_{PSK}$ and $L_{TUK}$ to get the associated public key tuple $(Ξ {PPK}_{ID}, Ξ {IPK}_{ID}, Ξ {TUPK}_{ID, s})$ . B returns the corresponding tuple $(Θ {PPK}_{ID}, Θ {IPK}_{ID}, Θ {TUPK}_{ID, s})$ .

•

Public key replace query $(ID, T_{s}, (Θ {PPK}_{ID}^{'}, Θ {IPK}_{ID}^{'}, Θ {TUPK}_{ID, s}^{'}))$ : B first transforms a tuple of bit-strings $(Θ {PPK}_{ID}^{'}, Θ {IPK}_{ID}^{'}, Θ {TUPK}_{ID, s}^{'})$ to get the corresponding tuple of polynomials $(Ξ {PPK}_{ID}^{'}, Ξ {IPK}_{ID}^{'}, Ξ {TUPK}_{ID, s}^{'})$ . B replaces the related tuples with $(ID, -, Ξ {PPK}_{ID}^{'})$ in $L_{PSK}, (ID, -, {IPK}_{ID}^{'})$ in $L_{ISK}$ , and $(ID, T_{s}, -, Ξ {TUPK}_{ID, s}^{'})$ in $L_{TUK}$ .

•

Personal secret key corrupt query $(ID)$ : If the Public key replace query $(ID)$ has never been requested, B uses $ID$ to search ( $ID$ , $Ξ {PSK}_{ID}$ , $Ξ {PPK}_{ID}$ ) in $L_{PSK}$ . If it is found, B transforms ( $Ξ {PSK}_{ID}$ , $Ξ {PPK}_{ID}$ ) to return two encoded bit-strings ( $Θ {PSK}_{ID}$ , $Θ {PPK}_{ID}$ ). Otherwise, B carries out the following steps:

(1)

Choose a new variate $Ξ T G_{PSK, ID, 1}$ in $G_{1}$ .

(2)

Set two polynomials $Ξ {PSK}_{ID} = Ξ T G_{PSK, ID, 1}$ and $Ξ {PPK}_{ID} = Ξ Q \cdot Ξ {PSK}_{ID}$ , and add $(ID, Ξ {PSK}_{ID}, Ξ {PPK}_{ID})$ in $L_{PSK}$ .

(3)

Transform $(Ξ {PSK}_{ID}, Ξ {PPK}_{ID})$ to return two encoded bit-strings $(Θ {PSK}_{ID}, Θ {PPK}_{ID})$ .

•

Decrypting query $(ID, T_{s}, θ = (C, CT))$ : In this query’s k-th round, B carries out the following steps:

(1)

By $ID$ and $T_{s}$ , B finds the associated private key tuple $(Ξ {PSK}_{ID}, Ξ {ISK}_{ID}, Ξ {TUK}_{ID, s})$ in $L_{PSK}$ , $L_{ISK}$ and $L_{TUK}$ .

(2)

B transforms the ciphertext C to the polynomial $Ξ C$ in $L_{1}$ and sets three polynomials $Ξ K_{1} = Ξ {PSK}_{ID} \cdot Ξ C$ , $Ξ K_{2} = Ξ {ISK}_{ID} \cdot Ξ C$ and $Ξ K_{3} = Ξ {TUK}_{ID, s} \cdot Ξ C$ . Moreover, B transforms $Ξ K_{1}$ , $Ξ K_{2}$ and $Ξ K_{3}$ to obtain bit-strings $Θ K_{1}$ , $Θ K_{2}$ and $Θ K_{3}$ , respectively. Hence, B can gain the encryption key $Θ EK = Θ K_{1} \oplus Θ K_{2} \oplus Θ K_{3}$ . Finally, B returns the encryption key $Θ EK$ and the plaintext $m s g = D_{Θ E K} (CT)$ .

•

Decrypting leak query $(ID, T_{s}, f_{DEC, k}, h_{DEC, k}, k)$ : In the Decrypting query’s k-th round of the user $ID$ at period $T_{s}$ , this query is allowed to be requested only once. B returns leaked information ( $Λ f_{DEC, k}$ , $Λ h_{DEC, k}$ ), where $Λ f_{DEC, k} = f_{DEC, k} ({PSK}_{ID, k, 1}, {ISK}_{ID, k, 1})$ and $Λ h_{DEC, k} = h_{DEC, k} ({PSK}_{ID, k, 2}, {ISK}_{ID, k, 2}, {TUK}_{ID, s})$ .

–

Challenge phase. $A_{I}$ sends a target identity ${ID}^{*}$ , a target period $T_{s^{*}}$ and a plaintext pair ( $m s g_{0}^{*}$ , $m s g_{1}^{*}$ ) to B. Here the Identity secret key query ( ${ID}^{*}$ ) must have never been requested by $A_{I}$ . B chooses an unbiased random bit $b \in {0, 1}$ and carries out the $E n c r y p t i n g$ algorithm with $({ID}^{*}, T_{s^{*}}, ({PPK}_{{ID}^{*}}, {IPK}_{{ID}^{*}}, {TUPK}_{{ID}^{*}, s^{*}}), m s g_{b}^{*})$ to generate $C^{*}$ , ${EK}^{*}$ and ${CT}^{*} = E_{{EK}^{*}} (m s g_{b}^{*})$ . Finally, B returns the ciphertext tuple $({ID}^{*}, T_{s^{*}}, θ = (C^{*}, {CT}^{*}))$ to the adversary.

–

Guess phase. In this phase, $A_{I}$ must output a bit $b^{'} \in {0, 1}$ . If $b^{'} = b$ , we say that it wins the game $G_{LR-RCLE-ORA}$ and its advantage is $| \Pr [b^{'} = b] - 1 / 2 |$ .

To evaluate the advantage that $A_{I}$ wins the game $G_{LR-RCLE-ORA}$ , we count the total number of elements in both $L_{1}$ and $L_{2}$ . Subsequently, we count the maximal degrees of polynomials in $L_{1}$ and $L_{2}$ , respectively. ■

The total number of elements in both L ₁ and L ₂ : •

7 and 2 elements are increased in $L_{1}$ and $L_{2}$ , respectively, in the Setup phase.

•

For each $O_{1}$ , $O_{2}$ or $O_{p}$ query, at most 3 elements are increased in $L_{1}$ or $L_{2}$ .

•

For each Identity secret key query, at most 3 elements are increased in $L_{1}$ .

•

For each Time update key query, at most 3 elements are increased in $L_{1}$ .

•

For each Decrypting query, at most 4 elements are increased in $L_{1}$ .

Let

q_{O}

denote the total number of

O_{1}

O_{2}

and

O_{p}

queries. Let

q_{I}

q_{T}

and

q_{D}

, respectively, be the query numbers of the Identity secret key query, Time update key query and Decrypting query. Since

A_{I}

is allowed to request all queries at most q times, we have

\begin{matrix} | L_{1} | + | L_{2} | ≦ 9 + 3 q_{O} + 3 q_{I} + 3 q_{T} + 4 q_{D} ≦ 4 q . \end{matrix}

■

The maximal degrees of polynomials in L ₁ and L ₂ :

(1)

The maximal degree of polynomials in $L_{1}$ is 3 due to the following facts:

•

In the Setup phase, 7 new variates (polynomials) $Ξ Q$ , $Ξ KSK$ , $Ξ TSK$ , $Ξ M$ , $Ξ N$ , $Ξ R$ and $Ξ S$ are initially increased in $L_{1}$ . All these polynomials have degree 1.

•

For the $O_{1}$ query, $Ξ G_{1, Q, l, 3}$ has the maximal degree of $Ξ G_{1, Q, l, 1}$ and $Ξ G_{1, Q, l, 2}$ .

•

For the Identity secret key query, $Ξ {TG}_{ISK, i, 1}$ , $Ξ TID$ and $Ξ {ISK}_{ID}$ have degrees 1, 1 and 3, respectively.

•

For the Time update key query, $Ξ {TG}_{TUK, ID, j, 1}$ , $Ξ TTD$ and $Ξ {TUK}_{ID, t}$ have degrees 1, 1 and 3, respectively.

(2)

The maximal degree of polynomials in $L_{2}$ is 6 by the following facts:

•

In the Setup phase, $Ξ KPK$ and $Ξ TPK$ have degree 2.

•

For the $O_{2}$ query, $Ξ G_{2, Q, l, 3}$ has the maximal degree of $Ξ G_{2, Q, l, 1}$ and $Ξ G_{2, Q, l, 2}$ .

•

For the $O_{p}$ query, $Ξ G_{2, P, l, 1}$ has degree at most 6 because $Ξ G_{2, P, l, 1} = Ξ G_{1, P, l, 1} \cdot Ξ G_{1, P, l, 2}$ , and both $Ξ G_{1, P, l, 1}$ and $Ξ G_{1, P, l, 2}$ belong to $L_{1}$ .

•

For the Decrypting query, all $Ξ K_{1}$ , $Ξ K_{2}$ and $Ξ K_{3}$ have degrees 2.

In the following, let us first evaluate the advantage that $A_{I}$ wins $G_{LR-RCLE-ORA}$ without requesting any leak query. Subsequently, the advantage of $A_{I}$ is evaluated when it is allowed to request two kinds of leak queries (Identity secret key leak query and Decrypting leak query). ■

The advantage of $A_{I}$ without requesting any leak query: If either of the following two cases occurs, $A_{I}$ wins the game. Case 1:

$A_{I}$ discovers a collision of two elements in $L_{1}$ or $L_{2}$ . Let us first evaluate the collision probability in $L_{1}$ . Let n be the number of all variates in $L_{1}$ and B selects n random values $v_{l} \in Z_{p}^{*}$ for $l = 1, 2, \dots, n$ . Let $Ξ G_{1, i}$ and $Ξ G_{1, j}$ be any two distinct polynomials in $L_{1}$ . B then computes $Ξ G_{1, C} (v_{1}, v_{2}, \dots, v_{n}) = Ξ G_{1, i} - Ξ G_{1, j}$ . If $Ξ G_{1, C} (v_{1}, v_{2}, \dots, v_{n}) = 0$ , it is said that the collision occurs. By Lemma 2, the probability of $Ξ G_{1, C} (v_{1}, v_{2}, \dots, v_{n}) = 0$ is at most $3 / p$ because the maximal polynomial degree in $L_{1}$ is 3 and no information $(λ = 0)$ is leaked. Since there are $(\binom{| L_{1} |}{2})$ distinct pairs $(Ξ G_{1, i}, Ξ G_{1, j})$ in $L_{1}$ , the collision probability is $(3 / p) (\binom{| L_{1} |}{2})$ . Similarly, the collision probability in $L_{2}$ is $(6 / p) (\binom{| L_{2} |}{2})$ . As mentioned earlier, we have $| L_{1} | + | L_{2} | ≦ 4 q$ . Let the probability of Case 1 be denoted by Pr[Case 1]. Then we have $\begin{matrix} Pr [Case 1] ≦ (3 / p) (\binom{| L_{1} |}{2}) + (6 / p) (\binom{| L_{2} |}{2}) ≦ (6 / p) {(| L_{1} | + | L_{2} |)}^{2} ≦ 96 q^{2} / p . \end{matrix}$

Case 2:

If Case 1 does not occur and $A_{I}$ gets no leaked information, the success probability of $b^{'} = b$ is $1 / 2$ in the Guess phase. Let Pr[Case 2] denote the success probability that Case 2 occurs. Then we have $Pr [Case 2] ≦ 1 / 2$ .

Let

{Pr}_{A - I - W}

and

{Adv}_{A - I - W}

be the probability and advantage, respectively, that

A_{I}

wins the game without requesting any leak query. By Pr[Case 1] and Pr[Case 2], we have

\begin{aligned} {Pr}_{A - I - W} ≦ Pr [Case 1] + Pr [Case 2] ≦ 96 q^{2} / p + (1 / 2), \\ {Adv}_{A - I - W} ≦ | 96 q^{2} / p + (1 / 2) - (1 / 2) | = 96 q^{2} / p = O (q^{2} / p) . \end{aligned}

Hence,

{Adv}_{A - I - W}

is negligible if

q = poly (log p)

■

The advantage of $A_{I}$ with requesting two kinds of leak queries: $A_{I}$ can obtain leaked information of related secret keys by the Identity secret key leak query and Decrypting leak query. $(1)$

Identity secret key leak query $(f_{ISKE, i}, h_{ISKE, i}, i)$ : By this query, $A_{I}$ may derive leaked information $(Λ f_{ISKE, i}, Λ h_{ISKE, i})$ such that $| f_{ISKE, i} |$ , $| h_{ISKE, i} | ≦ λ$ , where $Λ f_{ISKE, i} = f_{ISKE, i} ({KSK}_{i, 1})$ and $Λ h_{ISKE, i} = h_{ISKE, i} ({KSK}_{i, 2})$ that are discussed as below:

•

$({KSK}_{i, 1}, {KSK}_{i, 2})$ : Indeed, the KGC’s secret key $KSK$ has the property in the sense that $KSK = {KSK}_{0, 1} + {KSK}_{0, 2} = {KSK}_{1, 1} + {KSK}_{1, 2} = \dots = {KSK}_{i, 1} + {KSK}_{i, 2}$ . By the refreshing technique, leaked information of ${KSK}_{i - 1, 1} / {KSK}_{i - 1, 2}$ is independent of that of ${KSK}_{i, 1} / {KSK}_{i, 2}$ . Thus, $A_{I}$ may derive at most $2 λ$ bits of KSK.

(2)

Decrypting leak query $(ID, T_{s}, f_{DEC, k}, h_{DEC, k}, k)$ : As mentioned earlier, $A_{I}$ is not a legal user of the LR-RCLE-ORA scheme, but it may get the time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ from public channels. Also, $A_{I}$ may get the personal secret key ${PSK}_{ID}$ and the identity secret key ${ISK}_{ID}$ of any user $ID$ , but it is disallowed to get the identity secret key ${ISK}_{{ID}^{*}}$ of the target user ${ID}^{*}$ . Therefore, by this query, $A_{I}$ may derive leaked information $(Λ f_{DEC, k}, Λ h_{DEC, k})$ , where $Λ f_{DEC, k} = f_{DEC, k} ({ISK}_{{ID}^{*}, k, 1})$ and $Λ h_{DEC, k} = h_{DEC, k} ({ISK}_{{ID}^{*}, k, 2})$ that are discussed as below:

•

$({ISK}_{{ID}^{*}, k, 1}, {ISK}_{{ID}^{*}, k - 1, 2})$ : Indeed, the identity secret key ${ISK}_{{ID}^{*}}$ satisfies ${ISK}_{{ID}^{*}} = {ISK}_{{ID}^{*}, 0, 1} + {ISK}_{{ID}^{*}, 0, 2} = {ISK}_{{ID}^{*}, 1, 1} + {ISK}_{{ID}^{*}, 1, 2} = \dots = {ISK}_{{ID}^{*}, k, 1} + {ISK}_{{ID}^{*}, k, 2}$ . Bythe refreshing technique, leaked information of ${ISK}_{{ID}^{*}, k - 1, 1} / {ISK}_{{ID}^{*}, k - 1, 2}$ is independent of that of ${ISK}_{{ID}^{*}, k, 1} / {ISK}_{{ID}^{*}, k, 2}$ . Thus, $A_{I}$ may derive at most $2 λ$ bits of ${ISK}_{{ID}^{*}}$ .

Let

{Pr}_{A - I}

and

{Adv}_{A - I}

be the probability and advantage, respectively, that

A_{I}

wins

G_{LR-RCLE-ORA}

with requesting the Identity secret key leak query and Decrypting leak query. If

A_{I}

can obtain the KGC’s secret key

KSK

or the target user’s identity key

{ISK}_{{ID}^{*}}

A_{I}

may decrypt the message. Three events are defined as below:

(1)

Let $EKSK$ denote the event that $A_{I}$ gets the $KSK$ by $Λ f_{ISKE, i}$ and $Λ h_{ISKE, i}$ . Additionally, $\overline{EKSK}$ is the complement event of $EKSK$ .

(2)

Let $EISK$ that $A_{I}$ gets the ${ISK}_{{ID}^{*}}$ by $Λ f_{DEC, k}$ and $Λ h_{DEC, k}$ . Additionally, $\overline{EISK}$ is the complement event of $EISK$ .

(3)

Let $ECB$ denote the event that $A_{I}$ outputs a correct $b^{'}$ .

Hence, the advantage

{Pr}_{A - I}

is Pr[

ECB

] and the following inequality holds:

\begin{aligned} {Pr}_{A - I} & = Pr [ECB] \\ = Pr [ECB \land (EKSK \lor EISK)] + Pr [ECB \land (\overline{EKSK} \land \overline{EISK})] \\ ≦ Pr [(EKSK \lor EISK)] + Pr [ECB \land (\overline{EKSK} \land \overline{EISK})] . \end{aligned}

For the event

(\overline{EKSK} \land \overline{EISK})

A_{I}

can’t obtain the useful information to output a correct bit

b^{'}

A_{I}

has probability 1/2 to guess the correct bit, so

Pr [ECB \land (\overline{EKSK} \land \overline{EISK})]

is still 1/2 on average. Thus, we have:

\begin{aligned} {Pr}_{A - I} ≦ Pr [(EKSK \lor EISK)] + 1 / 2, \\ {Adv}_{A - I} ≦ | {Pr}_{A - I} - 1 / 2 | = Pr [(EKSK \lor EISK)] . \end{aligned}

Because

{Adv}_{A - I - W} ≦ O (q^{2} / p)

and

A_{I}

can learn at most

2 λ

bits of

KSK

and

{ISK}_{{ID}^{*}}

by the Identity secret key leak query and Decrypting leak query, we have

\begin{matrix} {Adv}_{A - I} ≦ {Adv}_{A - I - W} \cdot 2^{2 λ} ≦ O ((q^{2} / p) \cdot 2^{2 λ}) . \end{matrix}

By Corollary 1,

{Adv}_{A - I}

is negligible if

λ < (1 - ε) log p

. □

Theorem 2.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against a revoked user $(A_{II})$ in the security game $G_{LR-RCLE-ORA}$ .

Proof.

Let $A_{II}$ be a revoked user of the security game $G_{LR-RCLE-ORA}$ played with a challenger B. $A_{II}$ may issue various queries to B at most q times in the game. This game consists of four phases as follows: –

Setup phase: The phase is the same as that in the proof in Theorem 1. Additionally, B sends the time secret key $TSK$ to $A_{II}$ since it is a revoked user.

–

Query phase: In this phase, $A_{II}$ can adaptively issue various queries to B at most q times. $A_{l l}$ queries are identical to those queries in the proof of Theorem 1. Note that $A_{II}$ knows the personal secret key ${PSK}_{ID}$ and the identity secret key ${ISK}_{ID}$ of any user $ID$ . Also, $A_{II}$ may get the time update key ${TUK}_{ID, s}$ of any user $ID$ at any period $T_{s}$ , except ${TUK}_{{ID}^{*}, s^{*}}$ of the target user ${ID}^{*}$ at target period $T_{s^{*}}$ .

–

Challenge phase: $A_{II}$ sends a target identity ${ID}^{*}$ , a target period $T_{s^{*}}$ and a plaintext pair ( $m s g_{0}^{*}, m s g_{1}^{*}$ ) to B. Here the Time update key query ( ${ID}^{*}, T_{s}^{*}$ ) must have never been requested by $A_{II}$ . B chooses a unbiased random bit $b \in {0, 1}$ and carries out the Encrypting algorithm with $({ID}^{*}, T_{s}^{*}, ({PPK}_{{ID}^{*}}, {IPK}_{{ID}^{*}}, {TUPK}_{{ID}^{*}, s^{*}}), m s g_{b}^{*})$ to generate $C^{*}$ , ${EK}^{*}$ and ${CT}^{*} = E_{{EK}^{*}} (m s g_{b}^{*})$ . Finally, B returns the ciphertext tuple $({ID}^{*}, T_{s}^{*}, θ = (C^{*}, {CT}^{*}))$ to $A_{II}$ .

–

Guess phase: In this phase, $A_{II}$ must output a bit $b^{'} \in {0, 1}$ . If $b^{'} = b$ , we say that it wins the game $G_{LR-RCLE-ORA}$ and its advantage is $| Pr [b^{'} = b] - 1 / 2 |$ .

In the following, let us first evaluate the advantage that $A_{II}$ wins $G_{LR-RCLE-ORA}$ without requesting any leak query. Subsequently, the advantage of $A_{II}$ is evaluated when it is allowed to request the Time update key leak query. ■

The advantage of $A_{II}$ without requesting any leak query: Let ${Adv}_{A - II - W}$ be the advantage that $A_{II}$ wins the game without requesting the Time update key leak query. By the similar evaluations as in the proof of Theorem 1, we have ${Adv}_{A - II - W} = O (q^{2} / p)$ .

■

The advantage of $A_{II}$ with requesting the Time update key leak query: By the Time update key leak query ( $f_{TUKE, j}, h_{TUKE, j}$ , j), $A_{II}$ may derive leaked information ( $Λ f_{TUKE, j}, Λ h_{TUKE, j}$ ) such that $| f_{TUKE, j} |$ , $| h_{TUKE, j} | ≦ λ$ , where $Λ f_{TUKE, j} = f_{TUKE, j} ({TSK}_{j, 1})$ and $Λ h_{TUKE, j} = h_{TUKE, j} ({TSK}_{j, 2})$ . Indeed, the time secret key $TSK$ has the property in the sense that $TSK = {TSK}_{0, 1} + {TSK}_{0, 2} = {TSK}_{1, 1} + {TSK}_{1, 2} = \dots = {TSK}_{i, 1} + {TSK}_{i, 2}$ . By the refreshing technique, leaked information of ${TSK}_{i - 1, 1} / {TSK}_{i - 1, 2}$ is independent of that of ${TSK}_{i, 1} / {TSK}_{i, 2}$ . Thus, $A_{II}$ may derive at most $2 λ$ bits of $TSK$ .

Let ${Pr}_{A - II}$ and ${Adv}_{A - II}$ be the probability and advantage, respectively, that $A_{II}$ wins $G_{LR-RCLE-ORA}$ with requesting the Time update key leak query. Two events are defined as below: (1)

Let $ETSK$ denote the event that $A_{II}$ gets the time secret key $TSK$ by $f_{TUKE, j}$ and $h_{TUKE, j}$ . Additionally, $\overline{ETSK}$ is the complement event of $ETSK$ .

(2)

Let $ECB$ denote the event that $A_{II}$ outputs a correct $b^{'}$ .

Hence, the advantage

{Pr}_{A - II}

is Pr[

ECB

] and the following inequality holds:

\begin{aligned} {Pr}_{A - II} & = Pr [ECB] \\ = Pr [ECB \land ETSK] + Pr [ECB \land \overline{ETSK}] \\ ≦ Pr [ETSK] + Pr [ECB \land \overline{ETSK}] . \end{aligned}

For the event

\overline{ETSK}

A_{II}

can’t obtain the useful information to output a correct bit

b^{'}

A_{II}

has probability

1 / 2

to guess the correct bit, so

Pr [ECB \land \overline{ETSK}]

is still

1 / 2

on average. Thus, we have

\begin{aligned} {Pr}_{A - II} ≦ Pr [ETSK] + 1 / 2, \\ {Adv}_{A - II} ≦ | {Pr}_{A - II} - 1 / 2 | = Pr [ETSK] . \end{aligned}

Because

{Adv}_{A - II - W} ≦ O (q^{2} / p)

and

A_{II}

can learn at most

2 λ

bits of

TSK

by the Time update key leak query, we have

\begin{matrix} {Adv}_{A - II} ≦ {Adv}_{A - II - W} \cdot 2^{2 λ} ≦ O ((q^{2} / p) \cdot 2^{2 λ}) . \end{matrix}

By Corollary 1,

{Adv}_{A - II}

is negligible if

λ < (1 - ε) log p

. □

Theorem 3.

In the GBG model, the proposed LR-RCLE-ORA scheme is semantically secure against chosen cipher-text attacks against an honest-but-curious KGC $(A_{III})$ in the security game $G_{LR-RCLE-ORA}$ .

Proof.

Let $A_{III}$ be an honest-but-curious KGC of the security game $G_{LR-RCLE-ORA}$ played with a challenger B. $A_{III}$ may issue various queries to B at most q times in the game. This game consists of four phases as follows: –

Setup phase: The phase is the same as that in the proof in Theorem 1. Additionally, B sends the KGC’s secret key $KSK$ and time secret key $TSK$ to $A_{III}$ since it is an honest-but-curious KGC.

–

Query phase: In this phase, $A_{III}$ can adaptively issue various queries to B at most q times. All queries are identical to those queries in the proof of Theorem 1. Note that $A_{III}$ knows the KGC’s secret key $KSK$ and time secret key $TSK$ so that it can get the identity secret key ${ISK}_{ID}$ and time update key ${TUK}_{ID, s}$ of any user $ID$ for any period $T_{s}$ . Also, $A_{III}$ may get the personal secret key ${PSK}_{ID}$ of any user $ID$ , except ${PSK}_{{ID}^{*}}$ of the target user ${ID}^{*}$ .

–

Challenge phase: $A_{III}$ sends a target identity ${ID}^{*}$ , a target period $T_{s^{*}}$ and a plaintext pair ( $m s g_{0}^{*}, m s g_{1}^{*}$ ) to B. Here both the Personal secret key corrupt query ( ${ID}^{*}$ ) and the Public key replace query $({ID}^{*}, T_{s *}, ({PPK}_{{ID}^{*}}^{'}, {IPK}_{{ID}^{*}}^{'}, {TUPK}_{{ID}^{*}, s^{*}}^{'}))$ must have never been requested by $A_{III}$ . B chooses an unbiased random bit $b \in {0, 1}$ and carries out the Encrypting algorithm with $({ID}^{*}, T_{s}^{*}, ({PPK}_{{ID}^{*}}, {IPK}_{{ID}^{*}}, {TUPK}_{{ID}^{*}, s^{*}}), m s g_{b}^{*})$ to generate $C^{*}$ , ${EK}^{*}$ and ${CT}^{*} = E_{{EK}^{*}} (m s g_{b}^{*})$ . Finally, B returns the ciphertext tuple $({ID}^{*}, T_{s}^{*}, θ = (C^{*}, {CT}^{*}))$ to $A_{III}$ .

–

Guess phase: In this phase, $A_{III}$ must output a bit $b^{'} \in {0, 1}$ . If $b^{'} = b$ , we say that it wins the game $G_{LR-RCLE-ORA}$ and its advantage is $| Pr [b^{'} = b] - 1 / 2 |$ .

In the following, let us first evaluate the advantage that

A_{III}

wins

G_{LR-RCLE-ORA}

without requesting any leak query. Subsequently, the advantage of

A_{III}

is evaluated when it is allowed to request the Decrypting leak query

(ID, T_{s}, f_{DEC, k}, h_{DEC, k}, k)

■

The advantage of $A_{III}$ without requesting any leak query: Let ${Adv}_{A - III - W}$ be the advantage that $A_{III}$ wins the game without requesting the Decrypting leak query. By the similar evaluations as in the proof of Theorem 1, we have ${Adv}_{A - III - W} = O (q^{2} / p)$ .

■

The advantage of $A_{III}$ with requesting the Decrypting leak query: By the Decrypting leak query $(ID, T_{s}, f_{DEC, k}, h_{DEC, k}, k)$ , $A_{III}$ may derive leaked information $(Λ f_{DEC, k}, Λ h_{DEC, k})$ such that $| f_{DEC, k} |, | h_{DEC, k} | ≦ λ$ , where $Λ f_{DEC, k} = f_{DEC, k} ({PSK}_{ID, k, 1})$ and $Λ h_{DEC, k} = h_{DEC, k} ({PSK}_{ID, k, 2})$ . Note that $A_{III}$ may get the personal secret key ${PSK}_{ID}$ of any user $ID$ , except ${PSK}_{{ID}^{*}}$ of the target user ${ID}^{*}$ . For leakage resilient property, $A_{III}$ can obtain leaked information of the target user’s ${PSK}_{{ID}^{*}} = ({PSK}_{{ID}^{*}, k, 1}, {PSK}_{{ID}^{*}, k, 2})$ used in the Decrypting algorithm’s k-th round of the target user. Indeed, the personal secret key ${PSK}_{ID}$ has the property in the sense that ${PSK}_{{ID}^{*}} = {PSK}_{{ID}^{*}, 0, 1} + {PSK}_{{ID}^{*}, 0, 2} = {PSK}_{{ID}^{*}, 1, 1} + {PSK}_{{ID}^{*}, 1, 2} = \dots = {PSK}_{{ID}^{*}, k, 1} + {PSK}_{{ID}^{*}, k, 2}$ . By the refreshing technique, leaked information of ${PSK}_{{ID}^{*}, k - 1, 1} / {PSK}_{{ID}^{*}, k - 1, 2}$ is independent of that of ${PSK}_{{ID}^{*}, k, 1} / {PSK}_{{ID}^{*}, k, 2}$ . Thus, $A_{III}$ may derive at most $2 λ$ bits of ${PSK}_{{ID}^{*}}$ .

Let ${Pr}_{A - III}$ and ${Adv}_{A - III}$ be the probability and advantage, respectively, that $A_{III}$ wins $G_{LR-RCLE-ORA}$ with requesting the Decrypting leak query. Two events are defined as below: (1)

Let $EPSK$ denote the event that $A_{III}$ gets the personal secret key ${PSK}_{{ID}^{*}}$ by $f_{DEC, k}$ and $h_{DEC, k}$ . Additionally, $\overline{EPSK}$ is the complement event of $EPSK$ .

(2)

Let $ECB$ denote the event that $A_{III}$ outputs a correct $b^{'}$ .

Hence, the advantage

{Pr}_{A - III}

is Pr[

ECB

] and the following inequality holds.

\begin{aligned} {Pr}_{A - III} & = Pr [ECB] \\ = Pr [ECB \land EPSK] + Pr [ECB \land \overline{EPSK}] \\ ≦ Pr [EPSK] + Pr [ECB \land \overline{EPSK}] . \end{aligned}

For the event

\overline{EPSK}

A_{III}

can’t obtain the useful information to output a correct bit

b^{'}

A_{III}

has probability 1/2 to guess the correct bit, so

Pr [ECB \land \overline{EPSK}]

is still 1/2 on average. Thus, we have

\begin{aligned} {Pr}_{A - III} ≦ Pr [EPSK] + 1 / 2, \\ {Adv}_{A - III} ≦ | {Pr}_{A - III} - 1 / 2 | = Pr [EPSK] . \end{aligned}

Because

{Adv}_{A - III - W} ≦ O (q^{2} / p)

and

A_{III}

can learn at most

2 λ

bits of

PSK

by the Decrypting leak query, we have

\begin{matrix} {Adv}_{A - III} ≦ {Adv}_{A - III - W} \cdot 2^{2 λ} ≦ O ((q^{2} / p) \cdot 2^{2 λ}) . \end{matrix}

By Corollary 1,

{Adv}_{A - III}

is negligible if

λ < (1 - ε) log p

. □

6 Comparisons

Here, let’s first present the computation notations of several operations in bilinear groups. By employing the simulation experiences in Li et al. (2021), Table 1 lists two kinds of time-consuming operations and their computational time (in milliseconds). The environment of simulation experiences is a platform with the Intel Core i7-8550U CPU 1.80 GHz processor. The selection of security parameters are $F_{p}$ , $G_{1}$ and $G_{2}$ . Here, $F_{p}$ is a finite field which consists of the set of integers ${0, 1, \dots, p - 1}$ , where p is a 256-bit prime number. And, $G_{1}$ and $G_{2}$ are groups with 224-bit prime order over the finite field $F_{p}$ . It is worth mentioning that the computation of a one-way hash function, an addition on an additive group $G_{1}$ and a multiplication on a multiplicative group $G_{2}$ are omitted because their computational costs are small and negligible.

Table 1
Computational time (in millisecond) of two time-consuming operations.

Notation Operation Computational time

$T_{p}$ a bilinear pairing $\hat{e} : G_{1} \times G_{1} \to G_{2}$ 7.84 ms

a scalar multiplication on an additive group $G_{1}$

$T_{m e}$ or 0.48 ms

an exponentiation on a multiplicative group $G_{2}$

Notation	Operation	Computational time
$T_{p}$	a bilinear pairing $\hat{e} : G_{1} \times G_{1} \to G_{2}$	7.84 ms
	a scalar multiplication on an additive group $G_{1}$
$T_{m e}$	or	0.48 ms
	an exponentiation on a multiplicative group $G_{2}$

Table 2 lists the comparisons of our LR-RCLE-ORA scheme with several RCLE and LR-CLE schemes (Tsai and Tseng, 2015; Xiong et al., 2013; Wu et al., 2018) in terms of encryption cost (time), decryption cost (time), security proof model, revocation property, outsourced revocation, resisting side-channel attacks and leakage resilience model. Note that a user’s private key in Xiong et al.’s LR-CLE scheme (2013) is a vector with $n ≧ 2$ elements (here, let $n = 2$ ). As compared to the bounded leakage property of Xiong et al.’s LR-CLE scheme (2013), Wu et al.’s scheme and ours possess continual leakage property and are practical for applications. To resist side-channel attacks, our scheme requires some extra computation costs than the RCLE scheme in Tsai and Tseng (2015). As compared with the LR-CLE scheme (Wu et al., 2018), our scheme requires one $T_{p}$ for encryption cost and decryption cost, respectively, but our scheme offers outsourced revocation functionality to reduce the computational burden of the KGC for generating all non-revoked users’ time update keys. By Table 2, even though the computational cost of our scheme is worse than the other schemes, our scheme possesses four complete properties, namely, revocation property, outsourced revocation, resisting side-channel attacks and continual leakage property. We emphasize that our scheme is the first LR-RCLE-ORA scheme resisting side-channel attacks while possessing continual leakage property.

Table 2

Comparisons between our scheme and the previously proposed schemes.

	Tsai and Tseng’s RCLE scheme (Tsai and Tseng, 2015)	Xiong et al.’s LR-CLE scheme (Xiong et al., 2013)	Wu et al.’s LR-CLE scheme (Wu et al., 2018)	Our LR-RCLE-ORA scheme
Encryption cost	$3 T_{m e} + T_{p}$	$6 T_{m e}$	$4 T_{m e} + T_{p}$	$4 T_{m e} + 2 T_{p}$
	(9.28 ms)	(2.88 ms)	(9.76 ms)	(17.6 ms)
Decryption cost	$2 T_{m e} + T_{p}$	$4 T_{p}$	$4 T_{m e} + 4 T_{p}$	$4 T_{m e} + 5 T_{p}$
	(8.8 ms)	(31.36 ms)	(33.28 ms)	(41.12 ms)
Security proof model	Random oracle model	Standard model (Dual system)	GBG model	GBG model
Revocation property	Yes	No	No	Yes
Outsourced revocation	No	No	No	Yes
Resisting side-channel attacks	No	Yes	Yes	Yes
Leakage resilience model	No	Bounded	Continual	Continual

7 Conclusions

In this paper, the first leakage-resilient revocable certificateless encryption scheme with an outsourced revocation authority (LR-RCLE-ORA) was proposed. As compared to previous RCLE and LR-CLE schemes, our scheme possesses several merits. (1) It can resist side-channel attacks and has leakage resilience properties. (2) The revocation functionality is outsourced to the ORA to alleviate the computational load of the KGC. (3) It permits adversaries to continually extract partial ingredients of secret keys and offers the overall unbounded leakage property. By extending the adversary models of RCLE and LR-CLE schemes, a new adversary model was defined while three kinds of leak queries are added, namely, Identity secret key leak query, Time update key leak query and decrypting leak query. In the GBG model, the security of the proposed scheme is shown to be semantically secure against chosen cipher-text attacks for three kinds of adversaries, namely, outsider, revoked user and honest-but-curious KGC.

References

Abdalla

Belaid

Fouque

(2013). Leakage-resilient symmetric encryption via re-keying. In: CHES’13, LNCS , Vol. 8086, pp. 471–488.

Akavia

Goldwasser

Vaikuntanathan

(2009). Simultaneous hardcore bits and cryptography against memory attacks. In: TCC’09, LNCS , Vol. 5444, pp. 474–495.

Al-Riyami

S.S.

Paterson

K.G.

(2003). Certificateless public key cryptography. In: ASIACRYPT’03, LNCS , Vol. 2894, pp. 452–473.

Alwen

Dodis

Wichs

(2009). Leakage-resilient public-key cryptography in the bounded-retrieval model. In: CRYPTO’09, LNCS , Vol. 5677, pp. 36–54.

Boneh

Franklin

(2001). Identity-based encryption from the Weil pairing. In: CRYPTO’01, LNCS , Vol. 2139, pp. 213–229.

Boneh

Boyen

Goh

E.J.

(2005). Hierarchical identity-based encryption with constant size ciphertext. In: EUROCRYPT, LNCS , Vol. 3494, pp. 440–456.

Brakerski

Kalai

Y.T.

Katz

Vaikuntanathan

(2010). Cryptography resilient to continual memory leakage. In: 51st Annual IEEE Symposium on Foundations of Computer Science. IEEE Press, pp. 501–510.

Bronchain

Momin

Peters

Standaert

(2021). Improved leakage-resistant authenticated encryption based on hardware AES coprocessors. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2021(3), 641–676.

Brumley

Boneh

(2005). Remote timing attacks are practical. Computer Networks, 48(5), 701–716.

10.

Dodis

Ostrovsky

Reyzin

Smith

(2008). Fuzzy extractors: How to generate strong keys from biometrics and other noisy data. SIAM Journal on Computing, 38(1), 97–139.

11.

Wen

Zhang

(2018). A provably-secure outsourced revocable certificateless signature scheme without bilinear pairings. IEEE Access, 6, 73846–73855.

12.

Galindo

Virek

(2013). A practical leakage-resilient signature scheme in the generic group model. In: SAC’12, LNCS , Vol. 7707, pp. 50–65.

13.

Galindo

Grobschadl

Liu

Vadnala

P.K.

Vivek

(2016). Implementation of a leakage-resilient ElGamal key encapsulation mechanism. Journal of Cryptographic Engineering, 6(3), 229–238.

14.

Hazay

López-Alt

Wee

Wichs

(2013). Leakage-resilient cryptography from minimal assumptions. In: EUROCRYPT’13, LNCS , Vol. 7881, pp. 160–176.

15.

Housley

Polk

Ford

Solo

(2002). Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile. IETF, RFC 3280.

16.

Hsieh

T.-C.

Tseng

Y.-M.

Huang

S.-S.

(2020). A leakage-resilient certificateless authenticated key exchange protocol withstanding side-channel attacks. IEEE Access, 8, 121795–121810.

17.

Hung

Y.-H.

Tseng

Y.-M.

Huang

S.S.

(2016). A revocable certificateless short signature scheme and its authentication application. Informatica, 27(3), 549–572.

18.

Katz

Vaikuntanathan

(2009). Signature schemes with bounded leakage resilience. In: ASIACRYPT’09, LNCS , Vol. 5912, pp. 703–720.

19.

Kiltz

Pietrzak

(2010). Leakage resilient elgamal encryption. In: ASIACRYPT’10, LNCS , Vol. 6477, pp. 595–612.

20.

Kocher

P.C.

(1996). Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other systems. In: CRYPTO’96, LNCS , Vol. 1163, pp. 104–113.

21.

Kocher

Jaffe

Jun

(1999). Differential power analysis. In: CRYPTO’99, LNCS , Vol. 1666, pp. 388–397.

22.

Cheng

Liu

(2021). A secure anonymous identity-based scheme in new authentication architecture for mobile edge computing. IEEE Systems Journal, 15(1), 935–946.

23.

Guo

Zhang

(2016). Provably secure identity based encryption resilient to post-challenge continuous auxiliary input leakage. Security and Communication Network, 9(10), 1016–1024.

24.

Zhang

Sun

Shen

(2013). Efficient leakage-resilient public key encryption from DDH assumption. Cluster Computing, 16(4), 797–806.

25.

Liu

Weng

Zhao

(2013). Efficient public key cryptosystem resilient to key leakage chosen ciphertext attacks. In: CTRSA’13, LNCS , Vol. 7779, pp. 84–100.

26.

Naor

Segev

(2009). Public-key cryptosystems resilient to key leakage. In: CRYPTO’09, LNCS , Vol. 5677, pp. 18–35.

27.

Naor

Segev

(2012). Public-key cryptosystems resilient to key leakage. SIAM Journal on Computing, 41(4), 772–814.

28.

Scott

(2011). On the efficient implementation of pairing-based protocols. In: Cryptography and Coding, LNCS , Vol. 7089, pp. 296–308.

29.

Shen

Zhang

Sun

(2014). Efficient revocable certificateless encryption secure in the standard model. Computer Journal, 57(4), 592–601.

30.

Tsai

T.-T.

Tseng

Y.-M.

(2015). Revocable certificateless public key encryption. IEEE Systems Journal, 9(3), 824–833.

31.

Tsai

T.-T.

Tseng

Y.-M.

Huang

S.-S.

(2015). Efficient revocable certificateless public key encryption with a delegated revocation authority. Security and Communication Networks, 8(18), 3713–3725.

32.

Tsai

T.-T.

Chuang

Y.-H.

Tseng

Y.-M.

Huang

S.-S.

Hung

Y.-H.

(2021). A leakage-resilient ID-based authenticated key exchange protocol with a revocation mechanism. IEEE Access, 9, 128633–128647.

33.

Tseng

Y.-M.

Tsai

T.-T.

(2012). Efficient revocable ID-based encryption with a public channel. Computer Journal, 55(4), 475–486.

34.

Tseng

Y.-M.

J.-D.

Huang

S.-S.

Tsai

T.-T.

(2020). Leakage-resilient outsourced revocable certificateless signature with a cloud revocation server. Information Technology and Control, 49(4), 464–481.

35.

Unterstein

Schink

Schamberger

Tebelmann

Ilg

Heyszl

(2020). Retrofitting leakage resilient authenticated encryption to microcontrollers. IACR Transactions on Cryptographic Hardware and Embedded Systems, 2020(4), 365–388.

36.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Chou

W.-C.

(2018). Leakage-resilient certificateless key encapsulation scheme. Informatica, 29(1), 125–155.

37.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

(2019). An identity-based authenticated key exchange protocol resilient to continuous key leakage. IEEE Systems Journal, 13(4), 3968–3979.

38.

J.-D.

Tseng

Y.-M.

Huang

S.-S.

Tsai

T.-T.

(2020). Leakage-resilient revocable identity-based signature with cloud revocation authority. Informatica, 31(3), 597–620.

39.

Xiong

Yuen

T.-H.

Zhang

Yiu

S.-M.

Y.-J.

(2013). Leakage-resilient certificateless public key encryption. In: The first ACM workshop on Asia Public-Key Cryptography. ACM Press, pp. 13–22.

40.

Yuen

T.-H.

Chow

S.S.M.

Zhang

Yiu

S.-M.

(2012). Identity-based encryption resilient to continual auxiliary leakage. In: EUROCRYPT’12, LNCS , Vol. 7237, pp. 117–134.

41.

Zhou

Yang

Zhang

(2016). Provably secure and efficient leakage-resilient certificateless signcryption scheme without bilinear pairing. Discrete Applied Mathematics, 204, 185–202.

Leakage-Resilient Revocable Certificateless Encryption with an Outsourced Revocation Authority

Abstract

Keywords

1 Introduction

1.1 Related Work

2 Preliminaries

2.1 Bilinear Groups

Table 1 Computational time (in millisecond) of two time-consuming operations. Notation Operation Computational time T p a bilinear pairing e ˆ : G 1 × G 1 → G 2 7.84 ms a scalar multiplication on an additive group G 1 T m e or 0.48 ms an exponentiation on a multiplicative group G 2

References