
Recipient Revocable Broadcast Encryption Schemes Without Random Oracles

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 10779)

Abstract

A public key broadcast encryption system is a fundamental cryptographic primitive that enables a broadcaster to transmit encrypted content to a set of users while allowing only a privileged subset of those users to decrypt it. Traditionally, it is not possible to remove any receiver from the encrypted content without decrypting it. Recipient revocable broadcast encryption (RRBE) is a useful cryptographic primitive whereby a trusted third party can revoke a set of users from the encrypted content without having the ability to decrypt it. This property is not achievable in traditional broadcast encryption (BE) schemes. However, the currently existing RRBE schemes are secure only in the random oracle model. In this paper, we propose two new constructions for RRBE with a constant number of pairing operations and a linear number of exponentiations, and analyze their security in the standard model. Our first construction achieves adaptive security in the standard model with constant communication cost, as opposed to the existing adaptively secure RRBE schemes, all of which use random oracles and have linear communication cost. The storage and computation complexity are linear in the total number of users and in the number of subscribed users, respectively.

Our second construction attains selective security in the standard model with a constant-size public parameter and secret key. The communication and computation overhead are linear in the number of revoked users. We emphasize that this scheme is flexible in the sense that the constant-size public parameter allows encryption to any number of users in the system.

The proposed constructions compare favourably with existing similar schemes, exhibit better performance than them, and are more efficient in practice.



Author information

Corresponding author: Kamalesh Acharya.

Appendix

A Correctness and Security of RRBE-I

A.1 Correctness

Let \(\mathsf{{ID}}_i\in G\). Now if \(|G|>1\), we have

$$\begin{aligned}&\Big [e(C_1,d_{1,i})e\Big (\widehat{C}_1,(h_ig^{d_{2,i}})^{A_{i,G,\alpha }}\Big )\Big ]^{\Big \{\frac{1}{\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}}\mathsf{{ID}}_j}\Big \}}\\&=\Big [{e(g,h_ig^{r_i})}^{{s\big \{\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}} (\alpha +\mathsf{{ID}}_j)\big \}}}\times e(g,h_ig^{r_i})^{{-s\big \{\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}} (\alpha +\mathsf{{ID}}_j)-\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}} \mathsf{{ID}}_j\big \}}}\Big ]^{\Big \{\frac{1}{\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}}\mathsf{{ID}}_j}\Big \}}\\&={\Big [e(g,h_ig^{r_i})^{s{\prod \limits _{\begin{array}{c} \mathsf{{ID}}_j\in G,\\ j\ne i \end{array}}\mathsf{{ID}}_j}}\Big ]}^{\Big \{\frac{1}{\prod \limits _{\mathsf{{ID}}_j\in G,j\ne i} \mathsf{{ID}}_j}\Big \}}=e(g,h_ig^{r_i})^{s}, \end{aligned}$$

and if \(|G|=1,\) i.e., all but one user is revoked, we have

$$\begin{aligned}&e(C_1,d_{1,i})=e\Big (g^{s \alpha \beta (\alpha +\mathsf{{ID}}_i) },(h_ig^{r_i})^\frac{1}{\alpha \beta (\alpha +\mathsf{{ID}}_i)}\Big ) =e(g,h_ig^{r_i})^{s}. \end{aligned}$$

Consequently, \(e(g,h_ig^{r_i})^{s}C_2^{d_{2,i}}=e(g,h_ig^{r_i})^se(g,g)^{-sr_i}=e(g,h_i)^{s}.\)

Similarly, \(\Big [e(C_1,d_{3,i})e\Big (\widehat{C}_1,(h_il_0^{d_{2,i}})^{B_{G,\alpha }}\Big )\Big ]^{\Big \{\frac{1}{\prod \limits _{\mathsf{{ID}}_j\in G} \mathsf{{ID}}_j}\Big \}}=e(g,h_il_0^{r_i})^{s},\)

and, \(\Big \{\frac{e(g,h_il_0^{r_i})^s}{e(g,h_i)^s}\Big \}^\frac{1}{d_{2,i}}=\Big \{\frac{e(g,h_i)^se(g,l_0^{r_i})^s}{e(g,h_i)^s}\Big \}^\frac{1}{r_i}=e(g,l_0)^s=K.\)

The message is then recovered by computing \(\frac{C_M}{K}= \frac{M\cdot e(g,l_0)^s}{e(g,l_0)^s}=M.\)

A.2 Security

Theorem 1. Our proposed scheme RRBE-I described in Sect. 3.1 achieves adaptive semantic (indistinguishability against CPA) security as per the message indistinguishability security game of Sect. 2.2 under the q-wDABDHE \((q\ge 2N)\) assumption.

Proof

Assume that there is a PPT adversary \(\mathcal {A}\) that breaks the adaptive semantic security of our proposed RRBE-I scheme with a non-negligible advantage. We construct a PPT distinguisher \(\mathcal {C}\) that attempts to solve the q-wDABDHE problem using \(\mathcal {A}\) as a subroutine. Let \(\mathcal {C}\) be given a q-wDABDHE \((q\ge 2N)\) instance \(\big <Z,K\big>\) with \(Z=(\mathbb {S},\hat{g},\hat{g}^{\alpha ^{q+2}},\ldots ,\hat{g}^{\alpha ^{2q}},g,g^\alpha ,\ldots ,g^{\alpha ^q}),\) where \(\mathbb {S}=(p,\mathbb {G},\mathbb {G}_1,e)\) is a prime order bilinear group system, g is a generator of the group \(\mathbb {G}\), \(\hat{g} \in _R \mathbb {G}, \alpha \in _R \mathbb {Z}_p,\) and K is either \(e(\hat{g},g)^{\alpha ^{q+1}}\) or a random element X of \(\mathbb {G}_1.\) We describe below the interaction of \(\mathcal {A}\) with the distinguisher \(\mathcal {C}\), which attempts to output 0 if \(K=e(\hat{g},g)^{\alpha ^{q+1}}\) and 1 otherwise.

Setup: The challenger \(\mathcal {C}\) generates the public parameter PP and master key MK as follows:

  • Chooses \( b_{0,j} \in _R\mathbb { Z}_p, j\in [0,N-1]\) and sets the polynomials \(P^{0}(x),Q^{0}(x)\) as

    $$\begin{aligned} P^{0}(x)=\sum \limits _{j=0}^{N-1} b_{0,j} x^j, Q^{0}(x)=xP^{0}(x)+1. \end{aligned}$$
  • Using \(g,{g^{\alpha }},\ldots ,{g^{\alpha ^q}}\) sets \(l_0^{\alpha ^i}=g^{\alpha ^i}\prod \limits _{j=0}^{N-1} {(g^{\alpha ^{j+i+1}})}^{b_{0,j}}={g^{\alpha ^i Q^{0}(\alpha )}},\) \(i\in [0,N]\).

  • Picks \(\beta \in _R \mathbb {Z}_p\) and sets \(\mathsf{{MK}}=(\alpha ,\beta )\), where \(\alpha \) is not known to \(\mathcal { C}\) explicitly.

  • Sets \(\mathsf{{PP}}=(\mathbb {S}, l_0,l_0^{\alpha },\ldots ,l_0^{\alpha ^N},g,g^{\alpha },\ldots ,g^{\alpha ^N},g^{\alpha \beta },\ldots ,g^{\alpha ^{N+1}\beta },e(g,g),e(g,l_0)),\) and sends it to the adversary \(\mathcal {A}\).

As \(Q^{0}(x),\beta \) are random, the distribution of the public parameter PP is identical to that in the original scheme.

Phase 1: The adversary \(\mathcal {A}\) issues m key generation queries on \(\{\mathsf{{ID}}_{i_j}\}_{j=1}^m.\) The challenger \(\mathcal {C}\) generates the private key \(sk_i\) for \(i\in \{i_1,\ldots ,i_m\} \) as follows:

  • Chooses \(b_i,b_{i,j} \in _R\mathbb { Z}_p, j\in [0,N-2]\) and sets

    $$\begin{aligned} P^{i}(x)=\sum \limits _{j=0}^{N-2} b_{i,j} x^j, Q^{i}(x)=x(x+\mathsf{{ID}}_i)P^{i}(x)+b_i. \end{aligned}$$
  • Computes \(d_{1,i}=\Big (\prod \limits _{j=0}^{N-2} {(g^{\alpha ^j})}^{b_{i,j}}\Big )^{\frac{1}{\beta }} =\Big (g^{\sum \limits _{j=0}^{N-2} b_{i,j}\alpha ^j}\Big )^{\frac{1}{\beta }}={g^{\frac{P^{i}(\alpha )}{\beta }}},\)

    $$\begin{aligned} d_{2,i}&=- Q^{i}(-\mathsf{{ID}}_i) =\mathsf{{ID}}_i(-\mathsf{{ID}}_i+\mathsf{{ID}}_i)P^i(-\mathsf{{ID}}_i)-b_i=-b_i,\\ d_{3,i}&= \Big (\prod \limits _{j=0}^{N-1} {(g^{\alpha ^j})}^{-b_ib_{0,j}}\prod \limits _{j=0}^{N-2} \{{{(g^{\alpha ^{j+1}})}^{b_{i,j}}}{(g^{\alpha ^j})} ^{b_{i,j}\mathsf{{ID}}_i}\}\Big )^{\frac{1}{\beta }}\\&=\Big ( g^{-b_i\sum \limits _{j=0}^{N-1}b_{0,j}\alpha ^j} g^{\{(\alpha +ID_i)\sum \limits _{j=0}^{N-2}b_{i,j}\alpha ^j\}}\Big )^{\frac{1}{\beta }} =\Big (g^{-b_iP^{0}(\alpha )+(\alpha +\mathsf{{ID}}_i)P^{i}(\alpha )}\Big )^{\frac{1}{\beta }},\\ h_i^{\alpha ^k}&={(g^{\alpha ^k})}^{b_i}\prod \limits _{j=0}^{N-2}\{{(g^{\alpha ^{k+j+2}})}^{b_{i,j}}{(g^{\alpha ^{k+j+1}})}^{b_{i,j}\mathsf{{ID}}_i}\}\\&=g^{\alpha ^k\Big (\alpha (\alpha +\mathsf{{ID}}_i)P^{i}(\alpha )+b_i\Big )}=g^{\alpha ^kQ^{i}(\alpha )}. \end{aligned}$$
  • Sets \(\mathsf{{label}}_i=(h_i^{\alpha ^k},k\in [0,N])\) and \(sk_i=(d_{1,i},d_{2,i},d_{3,i},\mathsf{{label}}_i)\). Sends \(sk_i\) for \(i\in \{i_1,\ldots ,i_m\} \) to the adversary \(\mathcal {A}\). As \(b_i,Q^{i}(x)\) are random, \(d_{2,i},\mathsf{{label}}_i\) have identical distribution to those in the original scheme. It is left to show that \(d_{1,i},d_{3,i}\) follow the original distribution.

    $$\begin{aligned} d_{1,i}={g^{\frac{P^{i}(\alpha )}{\beta }}}={g}^\frac{Q^{i}(\alpha )-b_i}{\alpha \beta (\alpha +ID_i)}={{(g^{Q_i(\alpha )}g^{d_{2,i}})}}^\frac{1}{\alpha \beta (\alpha +\mathsf{{ID}}_i)}={{(h_ig^{d_{2,i}})}}^\frac{1}{\alpha \beta (\alpha +\mathsf{{ID}}_i)}, \end{aligned}$$
    $$\begin{aligned} {\text {Now, }}&{-b_iP^{0}(\alpha )+(\alpha +\mathsf{{ID}}_i)P^{i}(\alpha )}=\frac{1}{\alpha }\Big \{-b_i\alpha P^{0}(\alpha )+Q^{i}(\alpha )-b_i\Big \}\\&=\frac{1}{\alpha }{\Big \{-b_i (Q^{0}(\alpha )-1)+Q^{i}(\alpha )-b_i\Big \}}=\frac{1}{\alpha }\Big \{-b_iQ^{0}(\alpha )+Q^{i}(\alpha )\Big \}\\ \Rightarrow d_{3,i}&=\Big (g^{-b_iP^{0}(\alpha )+(\alpha +\mathsf{{ID}}_i)P^{i}(\alpha )}\Big )^{\frac{1}{\beta }}=g^{\frac{1}{\alpha \beta }\Big \{-b_iQ^{0}(\alpha )+Q^{i}(\alpha )\Big \}}={{(h_il_0^{d_{2,i}})}}^\frac{1}{\alpha \beta }. \end{aligned}$$

    Thus \(d_{1,i},d_{3,i}\) are distributed identically to those in the original scheme.

Challenge: The adversary \(\mathcal {A}\) sends a set of user identities G to \(\mathcal {C}\), where identities of G have not been queried before. It also sends two equal length messages \(M_0,M_1\), and a revocation identity set R to the challenger \(\mathcal {C}\) where no identity in the set R lies in G. The challenger \(\mathcal {C}\) does the following:

  • Computes \(\prod \limits _{i=0}^{N-1} (g^{{\alpha }^i})^{b_{0,i} } =g^{\sum \limits _{i=0}^{N-1} b_{0,i}\alpha ^i}=g^{P^{0}(\alpha )}\) by extracting \(g^{\alpha ^i}\) values from the given instance \(\big <Z,K\big>\).

  • Selects \(M_{\mu }, \mu \in _R\{0,1\}\) and sets \(C_{M_{\mu }} =M_{\mu }\cdot K \cdot e(\hat{g}^{\alpha ^{q+2}},g^{P^{0}(\alpha )}),\) where K is extracted from the given instance \(\big <Z,K\big>\). Here K is either \(e(\hat{g},g)^{\alpha ^{q+1}}\) or a random element of \(\mathbb {G}_1\). If \(K=e(\hat{g},g)^{\alpha ^{q+1}}\), then the simulated \(C_{M_{\mu }}(=c_{M_{\mu }})\) has the same distribution as in the original scheme, since

    $$\begin{aligned} C_{M_{\mu }}&=M_{\mu }\cdot K \cdot e(\hat{g}^{\alpha ^{q+2}},g^{P^{0}(\alpha )})=M_{\mu }\cdot {{e(\hat{g},g)^{\alpha ^{q+1}}}} e(\hat{g}^{\alpha ^{q+2}},g^{P^{0}(\alpha )})\\&=M_{\mu }\cdot e(\hat{g}^{\alpha ^{q+1}},g^{\alpha P^{0}(\alpha )+1}) =M_{\mu }\cdot e(g^s,l_0)=M_{\mu }\cdot e(g,l_0)^s \end{aligned}$$

    where s is implicitly set as \(s={\alpha }^{q+1}\log _g\hat{g}\).

  • Sets \(\varGamma (x)=\prod \limits _{\mathsf{{ID}}_j\in G}(x+\mathsf{{ID}}_j)=\sum \limits _{i=0}^{|G|} \varGamma _ix^i\), where the \(\varGamma _i\) are functions of the \(\mathsf{{ID}}_j\in G\).

  • Computes \(\prod \limits _{i=0}^{|G|} (\hat{g}^{\alpha ^{q+2+i}\beta })^{\varGamma _i}=(\hat{g}^{\alpha ^{q+2}\beta })^{ \sum \limits _{i=0}^{|G|} \varGamma _i\alpha ^i}=(\hat{g}^{\alpha ^{q+2}\beta })^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)}.\) Note that \(\hat{g}^{\alpha ^{i}}, i\in [q+2,2q], q\ge 2N\) are available to \(\mathcal {C}\) through \(\big <Z,K\big>\).

  • If \(R\ne \phi \), sets the challenge ciphertext \(\textsf {CT}^*\) as,

    $$\begin{aligned} \textsf {CT}^*=\Big ((\hat{g}^{\alpha ^{q+2}\beta })^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)},K^{-1},\hat{g}^{-\alpha ^{q+2}},C_{M_{\mu }}\Big )=(C_1,C_2,\widehat{C}_1,C_{M_{\mu }}). \end{aligned}$$

    else if \(R=\phi \) (i.e. \(G=S\)), sets \(\mathsf{{CT}}^*\) as

    $$\begin{aligned} \textsf {CT}^*&=\Big ((\hat{g}^{\alpha ^{q+2}\beta })^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)},K^{-1},\hat{g}^{-\alpha ^{q+2}}, \hat{g}^{\alpha ^{q+3}},\ldots , \hat{g}^{\alpha ^{q+k+1}}, C_{M_{\mu }}\Big )\\&=(c_1,c_2,\hat{c}_1,\hat{c}_2,\ldots ,\hat{c}_{k+1},c_{M_{\mu }}). \end{aligned}$$

    If \(K=e(\hat{g},g)^{\alpha ^{q+1}}\), then as s is implicitly set to be \(s={\alpha }^{q+1}\log _g\hat{g}\), we have

    $$\begin{aligned} C_1&=c_1=(\hat{g}^{\alpha ^{q+2}\beta })^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)}={(g^{\beta \log _g\hat{g}^{\alpha ^{q+2}}})}^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)}\\&=(g^{{\beta \alpha \alpha ^{q+1}}\log _g {\hat{g}}})^{ \prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)}=(g^{\alpha \beta })^{ s\prod \limits _{\mathsf{{ID}}_i\in G} (\alpha +\mathsf{{ID}}_i)},\\ C_2&=c_2=K^{-1}=e(g^{\log _g\hat{g}},g)^{-\alpha ^{q+1}} =e(g,g)^{-\alpha ^{q+1}\log _g{\hat{g}}}=e(g,g)^{-s},\\ \widehat{C}_1&=\hat{c}_1=\hat{g}^{-\alpha ^{q+2}}=g^{{-}(\log _g {\hat{g}})\alpha ^{q+2}} =g^{{-\alpha \alpha ^{q+1}}\log _g {\hat{g}}}=g^{-\alpha s},\\ \hat{c}_i&=\hat{g}^{\alpha ^{q+1+i}}=g^{{\alpha ^i\alpha ^{q+1}}\log _g {\hat{g}}}=g^{\alpha ^i s},2\le i\le k. \end{aligned}$$

    Consequently, the distribution of \(\textsf {CT}^*\) is similar to that in our real construction from \(\mathcal {A}\)’s point of view.

  • Returns \(\mathsf{{CT}}^*\) to \(\mathcal {A}\).

Note that in our RRBE-I (see Sect. 3.1), the components \(c_1,c_2,\hat{c}_1,c_{M}\) generated for message M in Encrypt are identical to \(C_1, C_2,\widehat{C}_1,C_{M}\) of Revoke, respectively, except for the randomness. Therefore, in this Challenge phase, from adversary \(\mathcal {A}\)’s point of view there is no difference between \((c_1,c_2,\hat{c}_1,c_{M_{\mu }})\) and \((C_1,C_2,\widehat{C}_1,C_{M_{\mu }})\). Consequently, we can take \(C_1=c_1,C_2=c_2,\widehat{C}_1=\hat{c}_1,C_{M_{\mu }}=c_{M_{\mu }}\) as the challenge ciphertext in the \(R\ne \phi \) case.

Phase 2: This is similar to Phase 1 key generation queries. The adversary \(\mathcal {A}\) sends key generation queries for \(\{\mathsf{{ID}}_{i_{m+1}},\ldots ,\mathsf{{ID}}_{i_t}\}\) with a restriction that \(\mathsf{{ID}}_{i_j}\notin G\) and receives back secret keys \(\{sk_{i_j}\}_{j=m+1}^{t}\) simulated in the same manner by \(\mathcal {C}\) as in Phase 1.

Guess: Finally, \(\mathcal {A}\) outputs a guess \(\mu {'}\in \{0,1\}\) of \(\mu \) to \(\mathcal {C}\) and wins if \(\mu '=\mu \).

If \(\mu '=\mu \), \(\mathcal {C}\) outputs 0, indicating that \(K=e(\hat{g},g)^{\alpha ^{q+1}}\); otherwise, it outputs 1, indicating that K is a random element of \(\mathbb {G}_1\).

The simulation of \(\mathcal {C}\) is perfect when \(K=e(\hat{g},g)^{\alpha ^{q+1}}\). Therefore, we have \(Pr[\mathcal {C}(Z,K=e(\hat{g},g)^{\alpha ^{q+1}})=0]=\frac{1}{2}+Adv^\mathsf{{IND-aCPA}}_{\mathcal {A},\mathsf{{RRBE-I}}},\) where \(Adv^\mathsf{{IND-aCPA}}_{\mathcal {A},\mathsf{{RRBE-I}}}\) is the advantage of the adversary \(\mathcal {A}\) in the above indistinguishability game. On the other hand, \(M_{\mu }\) is completely hidden from the adversary \(\mathcal {A}\) when \(K=X\) is random, thereby \(Pr[\mathcal {C}(Z,K=X)=0]=\frac{1}{2}.\) Hence, the advantage of the challenger \(\mathcal {C}\) in solving q-wDABDHE is

$$\begin{aligned} Adv_{\mathcal {C}}^{q-\mathsf{{wDABDHE}}}&=|Pr[\mathcal {C}(Z,K=e(\hat{g},g)^{\alpha ^{q+1}})=0]-Pr[\mathcal {C}(Z,K=X)=0]|\\&=\frac{1}{2}+Adv^\mathsf{{IND-aCPA}}_{\mathcal {A},\mathsf{{RRBE-I}}}-\frac{1}{2}=Adv^\mathsf{{IND-aCPA}}_{\mathcal {A},\mathsf{{RRBE-I}}}. \end{aligned}$$

Therefore, if \(\mathcal {A}\) has a non-negligible advantage in correctly guessing \(\mu '\), then \(\mathcal {C}\) predicts whether \(K=e(\hat{g},g)^{\alpha ^{q+1}}\) or a random element of \(\mathbb {G}_1\) (i.e., solves the q-wDABDHE \((q\ge 2N)\) instance given to \(\mathcal {C}\)) with non-negligible advantage. Hence the theorem.

B Correctness and Security of RRBE-II

B.1 Correctness

The correctness of RRBE-II follows from the argument below:

If \(\mathsf{{ID}}_u\in G\), then

$$\begin{aligned}&\dfrac{e(C_{0}, d_{0})}{e\big (d_{1}, \displaystyle \prod _{i\in I_{R}}C_{i,1}^{\big \{\frac{1}{\mathsf{{ID}}_u-\mathsf{{ID}}_{i}}\big \}}\big )\cdot e\big (d_{2}, \prod _{i\in I_{R}}C_{i,2}^{\big \{\frac{1}{\mathsf{{ID}}_u-\mathsf{{ID}}_{i}}\big \}}\big )}\\&= \dfrac{e(g^{\rho }, g^\alpha g^{b^2t})}{{\displaystyle \prod _{i\in I_{R}}\Big \{e\big ({(g^{b\mathsf{{ID}}_u}h)}^t, g^{bs_i}\big )\cdot e\big (g^{-t}, (g^{b^2\mathsf{{ID}}_i}h^b)^{s_i}\big )}\Big \}^{\big \{\frac{1}{\mathsf{{ID}}_u-\mathsf{{ID}}_{i}}\big \}}}\\&= \dfrac{e(g,g)^{\alpha {\rho }}e(g,g)^{{\rho }b^2t}}{{\displaystyle \prod _{i\in I_{R}}\Big \{e(g,g)^{b^2\mathsf{{ID}}_us_it}\cdot e(g,g)^{-b^2\mathsf{{ID}}_is_it}\Big \}}^{\big \{\frac{1}{\mathsf{{ID}}_u-\mathsf{{ID}}_{i}}\big \}}}\\&= \dfrac{e(g,g)^{\alpha {\rho }}e(g,g)^{{\rho }b^2t}}{\displaystyle \prod _{i\in I_{R}}e(g,g)^{s_ib^2t}}=e(g,g)^{\alpha {\rho }}, \end{aligned}$$

and consequently, \(\frac{C_M}{e(g,g)^{\alpha {\rho }}}=\frac{M\cdot e(g,g)^{\alpha {\rho }}}{e(g,g)^{\alpha {\rho }}}=M.\)
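The decryption identity above, executed as an added example that is not the paper's own code: a Python model of RRBE-II in which every group element is stored as its discrete log modulo a prime, so that the pairing becomes multiplication of exponents and the cancellation of the \(b^2 t \rho\) term can be checked concretely. It assumes \(h=g^y\) with y kept by the key generator, and builds the ciphertext directly in the revoked form \((C_0,C_{i,1},C_{i,2},C_M)\) used in the derivation rather than running Encrypt and Revoke separately, since neither algorithm is given on this page; the toy group is insecure and only verifies the algebra.

```python
"""Exponent-level check of the RRBE-II decryption identity in Appendix B.1.

Toy model: an element g^x of G is stored as x mod P, so multiplication in G
is addition of exponents, exponentiation is multiplication, and the pairing
e(g^x, g^y) = e(g,g)^{xy} is x*y.  Elements of G_1 are stored as their
exponent base e(g,g).  Discrete logs are therefore public: this checks the
algebra of the derivation, it is not a secure implementation.
"""
import secrets

P = (1 << 61) - 1   # prime order of the toy groups (a Mersenne prime)


def rand_exp():
    """Uniform non-zero exponent in Z_P."""
    return secrets.randbelow(P - 1) + 1


def pair(x, y):
    """e(g^x, g^y) = e(g,g)^{x*y}, returned as the exponent x*y."""
    return (x * y) % P


def setup():
    """PP = (g, g^b, g^{b^2}, h^b, e(g,g)^alpha) and MK = (alpha, b).
    Assumption (not stated on the page): h = g^y for a random y that the
    key generator keeps alongside MK."""
    alpha, b, y = rand_exp(), rand_exp(), rand_exp()
    pp = {"g_b": b, "g_b2": b * b % P, "h_b": y * b % P, "egg_alpha": alpha}
    mk = {"alpha": alpha, "b": b, "y": y}
    return pp, mk


def keygen(mk, id_u):
    """sk_u = (d_0, d_1, d_2) = (g^alpha g^{b^2 t}, (g^{b ID_u} h)^t, g^{-t})."""
    t = rand_exp()
    d0 = (mk["alpha"] + mk["b"] * mk["b"] % P * t) % P
    d1 = ((mk["b"] * id_u + mk["y"]) * t) % P
    d2 = (-t) % P
    return d0, d1, d2


def encrypt_revoked(pp, revoked_ids, m):
    """Ciphertext in the form used by the B.1 derivation for revoked set R:
    C_0 = g^rho, C_{i,1} = g^{b s_i}, C_{i,2} = (g^{b^2 ID_i} h^b)^{s_i},
    C_M = M * e(g,g)^{alpha rho}, with rho the sum of the shares s_i.
    Only public parameters are used here."""
    shares = {id_i: rand_exp() for id_i in revoked_ids}
    rho = sum(shares.values()) % P
    c0 = rho                                    # g^rho
    c1 = {i: pp["g_b"] * s % P for i, s in shares.items()}
    c2 = {i: (pp["g_b2"] * i + pp["h_b"]) % P * s % P for i, s in shares.items()}
    cm = (m + pp["egg_alpha"] * rho) % P        # M * e(g,g)^{alpha rho}
    return c0, c1, c2, cm


def decrypt(sk, id_u, ct):
    """Evaluate e(C_0,d_0) / prod_i [e(d_1,C_{i,1}) e(d_2,C_{i,2})]^{1/(ID_u-ID_i)}
    and divide C_M by it.  Returns None when ID_u is itself revoked: the
    exponent 1/(ID_u - ID_i) does not exist for the index with ID_i = ID_u."""
    d0, d1, d2 = sk
    c0, c1, c2, cm = ct
    num = pair(c0, d0)                          # alpha*rho + b^2 t rho
    den = 0
    for id_i in c1:
        diff = (id_u - id_i) % P
        if diff == 0:
            return None
        # e(d_1,C_{i,1}) e(d_2,C_{i,2}) has exponent b^2 t s_i (ID_u - ID_i)
        term = (pair(d1, c1[id_i]) + pair(d2, c2[id_i])) % P
        den = (den + term * pow(diff, -1, P)) % P   # adds b^2 t s_i
    key = (num - den) % P                       # e(g,g)^{alpha rho}
    return (cm - key) % P


if __name__ == "__main__":
    pp, mk = setup()
    ct = encrypt_revoked(pp, [101, 202, 303], m=4242)
    print(decrypt(keygen(mk, 404), 404, ct))   # subscribed user: prints 4242
    print(decrypt(keygen(mk, 202), 202, ct))   # revoked user: prints None
```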

B.2 Security

Theorem 2. Our proposed scheme RRBE-II described in Sect. 4.1 achieves selective semantic (indistinguishability against CPA) security as per the message indistinguishability security game of Sect. 2.2 under the q-DMEBDH \((q\ge r)\) assumption where r is the number of revoked users.

Proof

Assume that there is a PPT adversary \(\mathcal {A}\) that breaks the selective semantic security of our proposed RRBE-II scheme with a non-negligible advantage. We construct a PPT distinguisher \(\mathcal {C}\) that attempts to solve the q-DMEBDH problem using \(\mathcal {A}\) as a subroutine. Let \(\mathcal {C}\) be given a q-DMEBDH \((q\ge r)\) instance \(\big <Z,K\big>\) with

$$\begin{aligned} Z=\left\{ \begin{array}{ll} \mathbb {S},g, g^{s}, e(g, g)^{\alpha }, & \\ g^{a_{i}}, g^{a_{i}s}, g^{a_{i}a_{j}}, g^{\alpha /a_{i}^{2}}, & \forall\, 1\le i, j\le q\\ g^{a_{i}a_{j}s}, g^{\alpha a_{j}/a_{i}^{2}}, g^{\alpha a_{i}a_{j}/a_{k}^{2}}, g^{\alpha a_{i}^{2}/a_{j}^{2}}, & \forall\, 1 \le i, j, k\le q,\ i\ne j \end{array}\right\} \end{aligned}$$

where \(\mathbb {S}=(p,\mathbb {G},\mathbb {G}_1,e)\) is a prime order bilinear group system, g is a generator of the group \(\mathbb {G}\), \(\alpha ,a_i \in _R \mathbb {Z}_p,\) and K is either \(e({g},g)^{\alpha s}\) or a random element X of \(\mathbb {G}_1.\) We describe below the interaction of \(\mathcal {A}\) with the distinguisher \(\mathcal {C}\), which attempts to output 0 if \(K=e({g},g)^{\alpha s}\) and 1 otherwise. Both the adversary \(\mathcal {A}\) and the challenger \(\mathcal {C}\) know the universal set of users \(\mathcal {U}\).

Initialization: The adversary \(\mathcal {A}\) selects a target identity set G of subscribed users. Let \(R=\mathcal {U}\backslash G= \{\mathsf{{ID}}_{i_1},\ldots ,\mathsf{{ID}}_{i_r}\}\) and let \(I_R=\{i_1,\ldots ,i_r\}\) be the index set of R.

Setup: The challenger \(\mathcal {C}\) generates the public parameter PP using \(\big <Z,K\big>\) as:

  • Selects \(y\in _R \mathbb {Z}_p\) and implicitly sets \(b=a_{i_1}+a_{i_2}+\ldots +a_{i_r}\).

  • Computes \(g^b=\displaystyle \prod _{i\in I_{R}} g^{a_i}, g^{b^2}=\displaystyle \prod _{i,j\in I_{R}} g^{a_ia_j}.\)

  • Sets \(h,h^b\) as \(h=\displaystyle \prod _{i\in I_{R}} {(g^{a_i})}^{-\mathsf{{ID}}_i}g^y, h^b=\displaystyle \prod _{i,j\in I_{R}} {(g^{a_ia_j})}^{-\mathsf{{ID}}_i}g^{a_jy}.\) Since \(\alpha , b\) are not known to \(\mathcal {C}\), the master key \(\mathsf{{MK}}\) is implicitly set as \(\mathsf{{MK}}=(\alpha ,b)\).

  • Sends \(\mathsf{{PP}}=(\mathbb {S},g,g^b,g^{b^2},h^b,e(g,g)^{\alpha })\) to the adversary \(\mathcal {A}\).

Note that as \(b, \alpha \) are random, \(\mathsf{{PP}}\) has the same distribution as in the original RRBE-II.

Phase 1: The adversary \(\mathcal {A}\) issues m key generation queries on \(\{\mathsf{{ID}}_{i_j}\}_{j=1}^m\), where \(\mathsf{{ID}}_{i_j}\notin G\). On receiving a key generation query for \(\mathsf{{ID}}_i\), the challenger \(\mathcal {C}\) does the following:

  • Selects \(z_i\in _R\mathbb { Z}_p\) and, using the y chosen randomly from \(\mathbb { Z}_p\) in the Setup phase, sets

    $$\begin{aligned} d_{0}&=\Big (\prod _{\begin{array}{c} {j,k\in I_{R}}\text { such that} \\ \text {if } j=k \text { then } j,k\ne i \end{array}} g^{-\alpha a_ja_k/a_i^2}\Big )\prod _{j,k\in I_{R}} (g^{a_ja_k})^{z_i}\\&=g^{\alpha }\prod _{\begin{array}{c} {j,k\in I_{R}} \end{array}} g^{-\alpha a_ja_k/a_i^2}\prod _{{j,k\in I_{R}}} (g^{a_ja_k})^{z_i} =g^{\alpha }g^{b^2t_i}, ~\text {where}~t_i=z_i{-\alpha / {a_i^2}} ,\\ d_{1}&=\Big (\prod _{\begin{array}{c} {j\in I_{R}} \\ j\ne i \end{array}} (g^{-\alpha a_j/ a_i^2})^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)}(g^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)a_j})^{z_i}\Big )(g^{-\alpha /a_i^2})^yg^{yz_i}\\&=\Big (\prod _{\begin{array}{c} {j\in I_{R}} \\ j\ne i \end{array}} (g^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)a_jt_i})\Big )g^{yt_i} =g^{b\mathsf{{ID}}_it_i}\Big (\prod _{\begin{array}{c} {j\in I_{R}} \end{array}} (g^{-\mathsf{{ID}}_ja_jt_i})g^{yt_i}\Big )=g^{b\mathsf{{ID}}_it_i}h^{t_i},\\ d_{2}&=g^{\alpha / {a_i^2}}g^{-z_i}=g^{-t_i}. \end{aligned}$$
  • Sets \(sk_i=(d_0,d_1,d_{2})\) and sends \(sk_i\) to the adversary \(\mathcal {A}\).

Note that \(d_0,d_1,d_{2}\) have similar distributions as in the original scheme RRBE-II.

Challenge: The adversary \(\mathcal {A}\) sends two equal length messages \(M_0,M_1\) to the challenger \(\mathcal {C}\) together with a set of revoked user identities \(R_2~ (\subseteq R)\) which will be revoked in the revocation phase. The challenger \(\mathcal {C}\) does the following:

  • Selects \(s'\in _R \mathbb {Z}_p\) and splits it into \(r=|R|\) components \(s_{i_1}',s_{i_2}',\ldots , s_{i_r}' \in \mathbb {Z}_p\) such that \(s'=s_{i_1}'+s_{i_2}'+\ldots +s_{i_r}'\).

  • Sets \(C_{0}=g^sg^{s'}\) and \(u_i=g^{b^2\mathsf{{ID}}_i}h^b\) for each \({i\in I_{R}}.\)

  • Selects \(\mu \in _R\{0,1\}\) and computes \(C_{M_{\mu }}=M_{\mu }\cdot K \cdot e(g,g)^{\alpha s'}\). Also, for each \({i\in I_{R}}\), computes the following:

    \(C_{i,1}=g^{sa_i}(\prod _{j\in I_R} g^{a_j})^{s_i'}, C_{i,2}=\prod _{\begin{array}{c} {j\in I_{R}} \\ j\ne i \end{array}} (g^{sa_ia_j})^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)}(g^{a_is})^yu_i^{s_i'},\)

  • If \(R_2=\phi \) (i.e., \(G=S\)), then sends the challenge ciphertext \({\textsf {CT}}^*={\textsf {CT}}'=(C_0,\{{C_{i,1}}\}_{i\in I_{R_1}}, \{C_{i,2}\}_{i\in I_{R_1}},C_{M_{\mu }})\) to \(\mathcal {A}\).

  • If \(R_2\ne \phi \), then sends the challenge ciphertext \({\textsf {CT}}^*={\textsf {CT}}=(C_0,\{{C}_{i,1}\}_{i\in I_{R}},\{C_{i,2}\}_{i\in I_{R}},C_{M_{\mu }})\) to \(\mathcal {A}\).

Let us implicitly set \(\rho =s+s'\) and split \(\rho \) as \(\rho =\sum _{i\in I_R} {\rho }_i\) with \(\rho _i=\frac{a_i s}{b}+s_i'\) (implicitly). If \(K=e(g,g)^{\alpha s}\), then these ciphertexts have a distribution identical to those in the original protocol, as follows:

$$\begin{aligned} C_{0}&=g^sg^{s'}=g^{\rho },~~ C_{i,1}=g^{sa_i}(\prod _{j\in I_{R}} g^{a_j})^{s_i'}=g^{sa_i}g^{bs_i'}=g^{b{\rho }_i},\\ C_{i,2}&=\prod _{\begin{array}{c} {j\in I_{R}} \\ j\ne i \end{array}} (g^{sa_ia_j})^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)}(g^{a_is})^yu_i^{s_i'} =\prod _{\begin{array}{c} {j\in I_{R}} \end{array}} \frac{(g^{sa_ia_j})^{(\mathsf{{ID}}_i-\mathsf{{ID}}_j)}}{g^{sa_ia_i(\mathsf{{ID}}_i-\mathsf{{ID}}_i)}}{g^y}^{sa_i}u_i^{s_i'}\\&=g^{b\mathsf{{ID}}_isa_i}\prod _{{j\in I_{R}}} {g^{-sa_ia_j\mathsf{{ID}}_j}}g ^{sa_iy}u_i^{s_i'} =(g^{b\mathsf{{ID}}_i}h)^{sa_i+bs_i'}=(g^{b^2\mathsf{{ID}}_i}h^b)^{{\rho }_i},\\ C_M&=M_{\mu }\cdot K\cdot e(g,g)^{\alpha s'}=M_{\mu }\cdot e(g,g)^{\alpha s}\cdot e(g,g)^{\alpha s'}=M_{\mu }\cdot e(g,g)^{\alpha \rho }. \end{aligned}$$

Note that in our RRBE-II, the ciphertext components \((c_0,\{{c}_{i,1}\}_{i\in I_{R_1}},\{c_{i,2}\}_{i\in I_{R_1}},c_M)\) generated for a message M by running Encrypt are identical to \((C_0,\{{C}_{i,1}\}_{i\in I_{R}}, \{C_{i,2}\}_{i\in I_{R}},C_M)\) generated by executing Encrypt followed by Revoke, except for the number of components. Therefore, if \(R_2= \phi \), the adversary will regard the challenge ciphertext \(\mathsf{{CT}}^*\) as an output of Encrypt \((G,\mathsf{{PP}},M_{\mu })\), and if \(R_2\ne \phi \) it will regard it as an output of Encrypt \((S,\mathsf{{PP}},M_{\mu })\) followed by Revoke \((\mathsf{{PP}},\mathsf{{CT}}',S,R_2)\).

Phase 2: This is similar to the Phase 1 key generation queries. The adversary \(\mathcal {A}\) sends key generation queries for \(\{\mathsf{{ID}}_{i_{m+1}},\ldots ,\mathsf{{ID}}_{i_t}\}\) with the restriction that \(\mathsf{{ID}}_{i_j}\notin G\), and receives back secret keys \(\{sk_{i_j}\}_{j=m+1}^{t}\) simulated by \(\mathcal {C}\) in the same manner as in Phase 1.

Guess: Finally, \(\mathcal {A}\) outputs a guess \(\mu {'}\in \{0,1\}\) of \(\mu \) to \(\mathcal {C}\) and wins if \(\mu '=\mu \). If \(\mu '=\mu \), \(\mathcal {C}\) outputs 0, indicating that \(K=e({g},g)^{\alpha s}\); otherwise, it outputs 1, indicating that K is a random element of \(\mathbb {G}_1\).

The simulation of \(\mathcal {C}\) is perfect when \(K=e({g},g)^{\alpha s}\). Therefore, we have \(Pr[\mathcal {C}(Z,K=e({g},g)^{\alpha s})=0]=\frac{1}{2}+Adv^\mathsf{{IND-sCPA}}_{\mathcal {A},\mathsf{{RRBE-II}}},\) where \(Adv^\mathsf{{IND-sCPA}}_{\mathcal {A},\mathsf{{RRBE-II}}}\) is the advantage of the adversary \(\mathcal {A}\) in the above indistinguishability game. On the other hand, \(M_{\mu }\) is completely hidden from the adversary \(\mathcal {A}\) when \(K=X\) is random, thereby \(Pr[\mathcal {C}(Z,K=X)=0]=\frac{1}{2}.\) Hence, the advantage of the challenger \(\mathcal {C}\) in solving q-DMEBDH is \(Adv_{\mathcal {C}}^{q-\mathsf{{DMEBDH}}}=|Pr[\mathcal {C}(Z,K=e({g},g)^{\alpha s})=0]-Pr[\mathcal {C}(Z,K=X)=0]| =\frac{1}{2}+Adv^\mathsf{{IND-sCPA}}_{\mathcal {A},\mathsf{{RRBE-II}}}-\frac{1}{2}=Adv^\mathsf{{IND-sCPA}}_{\mathcal {A},\mathsf{{RRBE-II}}}.\)

Therefore, if \(\mathcal {A}\) has non-negligible advantage in correctly guessing \(\mu '\), then \(\mathcal {C}\) predicts \(K=e({g},g)^{\alpha s}\) or random element of \(\mathbb {G}_1\) (i.e., solves q-DMEBDH \((q\ge r)\) instance given to \(\mathcal {C}\)) with non-negligible advantage. Hence the theorem follows.


© 2018 Springer International Publishing AG, part of Springer Nature


Cite this paper

Acharya, K., Dutta, R. (2018). Recipient Revocable Broadcast Encryption Schemes Without Random Oracles. In: Kim, H., Kim, DC. (eds) Information Security and Cryptology – ICISC 2017. Lecture Notes in Computer Science, vol. 10779. Springer, Cham. https://doi.org/10.1007/978-3-319-78556-1_11


  • DOI: https://doi.org/10.1007/978-3-319-78556-1_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-78555-4

  • Online ISBN: 978-3-319-78556-1
