Server-aided immediate and robust user revocation mechanism for SM9

As the only approved Identity-Based Encryption scheme in China that is also standardized by ISO, SM9-IBE has been widely adopted in many real-world applications. However, similar to other IBE standard algorithms, SM9-IBE currently lacks revocation mechanism, which is vital for a real system. Worse still, we find that existing revocable techniques may not be suitable and efficient when applying to SM9-IBE. Given the widespread use of SM9-IBE, an efficient and robust user revocation mechanism becomes an urgent issue.In this work, we propose a dedicated server-aided revocation mechanism, which for the first time achieves the secure, immediate and robust user revocation for SM9-IBE. Provided with a compact system model, the proposed method leverages an existing server to perform all heavy workloads during user revocation, thus leaving no communication and computation costs for the key generation center and users. Moreover, the mechanism supports key-exposure resistance, meaning the user revocation mechanism is robust even if the revocation key leaks. We then formally define and prove the security. At last, we present theoretical comparisons and an implementation in terms of computational latency and throughput. The results indicate the efficiency and practicability of the proposed mechanism.

Identity-Based Encryption (IBE) is a special kind of public key encryption, where a user utilizes a unique string (e.g., an email address or a phone number) as the public key. Data senders do not have to obtain receivers’ public key certificates, thus eliminating the Public Key Infrastructure (PKI). In the past decades, IBE has been thoroughly studied and many practical IBE schemes have been proposed, e.g., (Boneh and Franklin 2001; Cocks 2001; Canetti et al. 2004; Boneh and Boyen 2004a; 2004b; Waters 2005). Further, some of the proposed schemes were standardized in a number of globally recognized standards (Boyen and Martin 2007; Martin et al. 2009; Martin and Schertler 2009; IEEE 2013; Iso/iec 2015).

SM9 (Gm/t 2016a) is a Chinese national cryptography standard for Identity-Based Cryptography, which consists of 3 cryptographic primitives: a digital signature scheme, a key agreement scheme and an encryption scheme. The SM9 encryption scheme (denoted as SM9-IBE) is also standardized in ISO 18033-5 (Iso/iec 2015). After its standardization, SM9-IBE has been extensively applied in many scenarios, including encrypted emails, electronic government systems and commercial products.

Though SM9-IBE is proposed as a standard algorithm, it does not specify any user revocation mechanisms in the standards (Iso/iec 2015) and (Gm/t 2016a). However, since SM9-IBE is practice-oriented, it is desirable to deal with the realistic problem of user revocation. On the other hand, although a large body of the previous work (Boldyreva et al. 2008; Libert and Vergnaud 2009; Seo and Emura 2013; Li et al. 2013; Qin et al. 2015; Ge and Wei 2019) has been done for efficient IBE user revocation, all these known techniques are not generic, namely, they cannot be applied to SM9-IBE. The major technical challenge is that SM9-IBE has a different mathematical structure compared with the existing revocable IBE schemes, which were construed with certain IBE schemes and relied on their concrete mathematical structures, thus adopting these solutions will face with the difficulties in both the construction and the security proof.

As a result, the problem of efficient SM9-IBE user revocation is still open. As a national and international standard for IBE, it is desirable to have a practical user revocation mechanism for SM9-IBE.

Our Contributions. Aiming at solving the revocation problem of SM9-IBE, we propose a dedicated Server-Aided Immediate and Robust Revocable Identity-Based Encryption scheme (denoted as SA-IR-RIBE), which can be effortlessly integrated into the existing systems. Remarkably, our methodology achieves direct user revocation by performing simple operations in the server. Our results lie in the following aspects:

• A Compact System with Revocation. In this paper, we present a practical revocation mechanism for SM9-IBE. To the best of our knowledge, this is the first specific solution to the revocation problem for SM9-IBE. By introducing a helping server, the proposed mechanism has a compact system model and does not introduce additional entities. The heavy workloads of user revocation are all performed by the server, leaving no communication and computation costs for both the key generation center (KGC) and users.

• Efficient and Immediate Revocation. Unlike most of the existing revocable IBE schemes, our scheme enjoys instant revocation, in the sense that a user cannot decrypt ciphertexts at the same moment when he is revoked. In our scheme, all ciphertexts have to be partially decrypted by the server before it is decrypted by a user. Therefore, a user can be immediately revoked from the system by taking simple operations on the server side.

• Server Side Key-Exposure Resistance. In an ordinary scheme, once the server secret key is revealed, the revocation mechanism no longer works. Our mechanism achieves robustness for such key-exposure: Even if the server secret key is leaked, a revoked user still cannot decrypt any data. In particular, the server secret key and ciphertexts are updated periodically or in emergency situations, e.g. when the server secret key is stolen by hackers.

• Provable Security. The proposed scheme does not affect the security of SM9-IBE, which is provably secure against adaptive-ID Chosen Ciphertext Attacks. Furthermore, for the security of revocation, we formally define a concrete security property called user revocation validity where a revoked user cannot decrypt any ciphertexts without the help of the server.

• Performance Evaluation. We conduct theoretical comparison between the proposed mechanism and related works, showing the advantage and efficiency of SA-IR-RIBE. Moreover, we present comprehensive experimental evaluations by implementing the proposed mechanism. We benchmark our implementations on a high concurrency scenario, where tens of thousands users upload and download data from the server simultaneously. The obtained results indicate that the proposed mechanism is practical for real-world application scenarios.

Limitation. The proposed method deals with the problem of user revocation. It does not directly support key revocation. However, key revocation can be achieved in the cost of changing identities. Specifically, in our system, when a user lost his key, he/she informs the key generation center to revoke his/her key and applies for a new key under a new identity.

Numerous revocation techniques have been developed in the IBE setting. In this section, we review some existing solutions and identify the problems when they are applied to SM9-IBE.

Generic Time-Concatenated Solution. The first revocable IBE scheme is proposed by Boneh and Franklin (2001) (BF-IBE). At each time period t, KGC issues secret keys \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i} || {\sf t}}\) to all non-revoked users for identities ID_i||t. The data owners encrypt messages under the new concatenated identities ID_i||t. Thus, if a user is revoked in time period t, he/she cannot access the messages encrypted in t. However, this mechanism does not scale well, since KGC must re-generate a large number of secret keys and re-distribute them to users at the beginning of each time period. The complexity of KGC is linear in the number of non-revoked users.

Tree-Based Solutions. Boldyreva, Goyal and Kumar (2008) (BGK-RIBE) gave their security notion for revocable IBE (RIBE), and constructed an efficient revocable IBE scheme from the fuzzy IBE scheme (Sahai and Waters 2005) with binary tree structure (Naor et al. 2001) in the selective-ID security model. In the BGK method, each user has a tuple of long term secret keys. KGC publicly broadcasts a small set of key updates in each time period, so that only non-revoked users can construct new decryption keys from their long term secret keys and the key updates. BGK-RIBE significantly reduces the total size of key updates from linear to logarithmic in the number of non-revoked users. Following work by Libert and Vergnaud (2009) proposed an adaptive secure revocable IBE scheme based on the variant of Waters IBE (Waters 2005) and Gentry IBE (Gentry 2006). Recently, Seo and Emura (2013) revisited the security notation of RIBE by presenting the decryption key exposure attack, and proposed a notable scheme based on Libert and Vergnaud (2009). However, above approaches have two limitations: (1) all non-revoked users have to download public key updates from KGC periodically; and (2) the sizes of both users’ secret keys and public key updates grow logarithmically in the number of non-revoked users.

Server-Aided Solutions. Several works adopted a third party to achieve revocation in the IBE setting. Boneh et al. (2001); Libert and Quisquater (2003) employed a trusted party called mediator that holds all users’ secret keys and helps users to decrypt all ciphertexts. If a user is revoked, the mediator stops helping the user. This model is impractical since users have to fully trust the mediator and they need to communicate with it for each decryption. The work (Li et al. 2013) showed how to outsource workload of the KGC to a semi-trusted server, which they referred as outsourced KGC. In their approach, a secret key is split into two shares held by a user and the server. For a revoked user, the server refuses to collaborate. A disadvantage of (Li et al. 2013) is that the sever needs to maintain all users’ secret key shares. Another work (Qin et al. 2015) adapted the scheme of Seo and Emura (2013) to delegate public key update workload from KGC to an untrusted server. Each user keeps one short secret key and does not communicate with the KGC or the server during key updating. Their scheme is provably secure against adaptive-ID chosen ciphertext attacks under the DBDH assumption in the standard model.

Broadcast Encryption. Identity-Based Broadcast Encryption (IBBE) (Delerablée 2007) is a natural generalization of broadcast encryption (BE) in the IBE setting. While adopting BE schemes to support user revocation has been well studied (Naor et al. 2001; Kogan et al. 2006), the IBBE primitive itself does not imply a solution for the user revocation problem. Until very recently, Ge and Wei (2019) formally studied scalable revocation methodology for IBBE schemes. Following the binary tree data structure in Boldyreva et al. (2008), they gave a concrete revocable IBBE scheme, which is semi-adaptively secure under Chosen Plaintext Attacks (CPA) in the standard model. However, the size of the secret keys is linear in the number of maximum size of the recipients in one encryption.

Limitations when Applying These Approaches to SM9-IBE. According to Boyen (2007), known constructions of pairing-based IBE schemes can be classified into 3 families: “Full Domain Hash” IBE (e.g., BF-IBE), “Exponent Inversion” IBE (e.g., SK-IBE (Sakai and Kasahara 2003)) and “Commutative Blinding” IBE (e.g., Waters IBE). A fact must be noted is that all above revocation mechanisms are construed using “Full Domain Hash” IBE or “Commutative Blinding” IBE schemes. While the time-concatenated solution (i.e., BF-IBE) is a generic technique that can be applied to all above 3 families of IBE, other revocation mechanisms (Boldyreva et al. 2008; Libert and Vergnaud 2009; Seo and Emura 2013; Li et al. 2013; Qin et al. 2015; Ge and Wei 2019) relied on the concrete structure of the underlying IBE schemes more or less. However, SM9-IBE is actually an “Exponent Inversion”-like IBE scheme. Therefore, all mentioned revocation mechanisms (except BF-IBE) cannot be trivially adopted for SM9-IBE. As for BF-IBE, it has an unaffordable burden for both KGC and users.

We note that all the above-mentioned revocation mechanisms only achieve indirect user revocation, which means that the revocation needs time to take effect. In such a situation, hackers may have downloaded and decrypted all data during the time period.

Notations. Let || and ⊕ denote bitwise operations concatenation and XOR, respectively. We call a function negl negligible in λ, if for every positive polynomial poly(·) there exists an N such that for all λ>N,negl(λ)<1/poly(λ). A probabilistic polynomial-time (PPT) algorithm A is an algorithm that on input x, computes A(x) using randomness and its running time is bounded by poly(λ). Following primitives are used in both the SM9 and this work. One may refer to ISO/IEC 18033-2 (Shoup 2006) and (Cheng 2017) for detailed definitions.

• BITS(m): Count the bit length of a bit string m.

• EC2OSP(P): Convert an elliptic curve point P to an octet string.

• FE2OSP(W): Convert a field element W to an octet string.

• KDF2 (H_v,m,l): Given a hash function H_v with v-bit output, a bit string m and a non-negative integer l, the algorithm derives a l-bit key string.

• H2RF _i(H_v,m,n): Given a hash function H_v with v-bit output, a bit string m, a non-negative integer n and a non-negative integer i, the algorithm outputs an integer h_i where 1≤h_i≤n−1.

Bilinear Pairing. Let \(\mathcal {BP}\) be an algorithm that takes as input a security parameter λ and outputs a tuple \((\mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, p, e)\), where \(\mathbb {G}_{1}, \mathbb {G}_{2}\) and \(\mathbb {G}_{T}\) are multiplicative cyclic groups of prime order p, and \(e: \mathbb {G}_{1} \times \mathbb {G}_{2} \rightarrow \mathbb {G}_{T}\) is an admissible bilinear map if: 1) Bilinearity: for all \(g_{1} \in \mathbb {G}_{1}, g_{2} \in \mathbb {G}_{2}\) and \(a, b \in \mathbb {Z}_{p}^{*}\), we have \(e(g_{1}^{a}, g_{2}^{b}) = e(g_{1}, g_{2})^{ab}\). 2) Non-Degeneracy: e(g₁,g₂)≠1 whenever \(g_{1} \neq 1_{\mathbb {G}_{1}}\) and \(g_{2} \neq 1_{\mathbb {G}_{2}}\).

Gap-τ-Bilinear Collision Attack Assumption (Gap-τ-BCAA1_i,j) (Cheng 2017). For a bilinear pairing \((\mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, p, e), \alpha \in \mathbb {Z}_{p}^{*}, g_{1} \in \mathbb {G}_{1}\) and \(g_{2} \in \mathbb {G}_{2}\), given \((g_{1}, g_{2}, g_{i}^{\alpha }, h_{0}, (h_{1}, g_{j}^{\frac {\alpha }{h_{1} + \alpha }}),\ldots, (h_{p}, g_{j}^{\frac {\alpha }{h_{\tau } + \alpha }}))\) for some values i,j∈{1,2} where \(h_{i} \in \mathbb {Z}_{p}^{*}\) and different from each other for 0≤i≤τ, computing \(e(g_{1}, g_{2})^{\frac {\gamma }{h_{0} + \gamma }}\) is hard.

The SM9 identity-based encryption

The SM9 encryption (SM9-IBE) (Gm/t 2016a;Cheng 2017) is a hybrid encryption scheme that follows the Key/Data Encapsulation Mechanism (KEM/DEM) paradigm (Shoup 2001) in the IBE setting (Bentahar et al. 2008). We first introduce the SM9 key encapsulation mechanism (SM9-KEM), and then present the hybrid encryption scheme. There are four algorithms in SM9-KEM:

Setup_SM9-KEM (λ)→(MPK_SM9,MSK_SM9). On input a security parameter λ, the algorithm runs as follows:

1. 1

   Choose \(\mathcal {G} = (\mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, p, e) \leftarrow \mathcal {BP}(\lambda)\). Pick random generators \(g \in \mathbb {G}_{1}, h \in \mathbb {G}_{2}\). Pick a random \(\gamma \in \mathbb {Z}_{p}^{*}\), compute w=g^γ and u=e(g,h)^γ.

2. 2

   Let F(ID_i)=H2RF₁(H_v,ID_i||hid,p), where hid=3 and H_v is a cryptographic hash function with v-bit output.

3. 3

   Output \({\sf MPK_{SM9}} = (\mathcal {G}, g, h, u, w, F)\) and MSK_SM9=γ.

Extract_SM9-KEM\(\phantom {\dot {i}\!}({\sf MPK_{SM9}, MSK_{SM9}}, {\sf ID}_{i}) \rightarrow {\sf SK}_{{\sf ID}_{i}}\). On input a master public key MPK_SM9, a master secret key MSK_SM9 and an identity ID_i, the algorithm outputs a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}} = h^{\frac {\gamma }{\gamma + F({\sf ID}_{i})}}\).

Encap_SM9-KEM\(\phantom {\dot {i}\!}({\sf MPK_{SM9}}, {\sf ID}_{i}) \rightarrow ({\sf CT}_{{\sf ID}_{i}}, K)\). On input a master public key MPK_SM9, an identity ID_i and a message m, the algorithm runs as follows:

1. 1

   Select a random \(z \in \mathbb {Z}_{p}^{*}\). Compute \(Q = w \cdot g^{F({\sf ID}_{i})} = g^{\gamma + F({\sf ID}_{i})}, C_{1} = Q^{z}, t = u^{z}\).

2. 2

   Derive a session key K=KDF2(H_v,EC2OSP(C₁)||FE2OSP(t)||ID_i,k) where k is the key length of the DEM part.

3. 3

   Output \(\phantom {\dot {i}\!}({\sf CT}_{{\sf ID}_{i}} = C_{1}, K)\).

Decap_SM9-KEM\(\phantom {\dot {i}\!}({\sf MPK_{SM9}}, {\sf SK}_{{\sf ID}_{i}}, {\sf CT}_{{\sf ID}_{i}}) \rightarrow K\). On input a master public key MPK_SM9, a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) and a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\), the algorithm runs as follows:

1. 1

   Compute \(\phantom {\dot {i}\!}t = e({\sf CT}_{{\sf ID}_{i}}, {\sf SK}_{{\sf ID}_{i}}) = u^{z}\).

2. 2

   Derive the encapsulated key \(\phantom {\dot {i}\!}K = \text {KDF2}(H_{v}, \text {EC2OSP}({\sf CT}_{{\sf ID}_{i}})||\text {FE2OSP}(t)||{\sf ID}_{i}, k)\).

3. 3

   Output the key K.

Let \(\sf {\mathcal {E}}_{sym} = (Enc_{sym}, Dec_{sym})\) denote a symmetric encryption scheme that consists of an encryption algorithm Enc_sym and a decryption algorithm Dec_sym, where: (1) Enc_sym takes input a key and a message, and outputs a ciphertext; and (2) Dec_sym takes input a key and a ciphertext, and outputs a message. The full SM9-IBE encryption scheme is constructed as follows:

Setup_SM9 (λ)→(MPK_SM9,MSK_SM9). It is the same as the algorithm Setup_SM9-KEM in SM9-KEM.

Extract_SM9\(\phantom {\dot {i}\!}({\sf MPK_{SM9}, MSK_{SM9}}, {\sf ID}_{i}) \rightarrow {\sf SK}_{{\sf ID}_{i}}\). It is the same as the algorithm Extract_SM9-KEM in SM9-KEM.

Enc_SM9\(\phantom {\dot {i}\!}({\sf MPK_{SM9}}, {\sf ID}_{i}, m) \rightarrow {\sf CT}_{{\sf ID}_{i}}\). On input a master public key MPK_SM9, an identity ID_i and a message m, the algorithm runs Encap_SM9-KEM(MPK_SM9,ID_i) to obtain (C₁,K). Further, the message is encrypted using the symmetric encryption algorithm: C₂=Enc_sym(K,m). The algorithm outputs \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\).

Dec_SM9\(\phantom {\dot {i}\!}({\sf MPK_{SM9}}, {\sf SK}_{{\sf ID}_{i}}, {\sf CT}_{{\sf ID}_{i}}) \rightarrow m\). On input a master public key MPK_SM9, a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) and a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\), the algorithm runs \(\phantom {\dot {i}\!}{\sf Decap}_{\sf SM9\text {-}KEM}({\sf MPK_{SM9}}, {\sf SK}_{{\sf ID}_{i}}, C_{1})\) to obtain the encapsulated K. The DEM part is decrypted using the symmetric decryption algorithm: m=Dec_sym(K,C₂). The algorithm outputs the message m.

Chosen Ciphertext Security of SM9-IBE. In the identity-based hybrid encryption setting, Bentahar et al. (2008) proved that a hybrid IBE scheme is secure against adaptive-ID Chosen Ciphertext Attacks (ID-IND-CCA), if the underlying KEM part is ID-IND-CCA secure and the DEM part is a one-time symmetric encryption scheme that can resistant Find-Guess (FG) Chosen Ciphertext Attacks (FG-CCA) (cf. Theorem 1 in Bentahar et al. (2008)). Following this framework, (Cheng 2017) first proved that SM9-KEM is ID-IND-CCA secure with the Gap-p-BCAA1_1,2 assumption in the random oracle model, and then stated that SM9-IBE is IND-ID-CCA secure giving an FG-CCA secure DEM.

In this section, we present the system model and the security definitions.

System model

In the proposed mechanism, there are four parties involved: a key generation center (KGC), a server, data owners and data receivers. The compact system model is illustrated in Fig. 1. All acronyms used in this paper are listed in Table 1.

System model of the proposed server-aided revocation mechanism

Full size image

KGC is responsible for generating and distributing system parameters to other entities, including the master public key, the master secret key, the server secret key and users’ secret keys. Besides, it maintains a revocation list for realizing user revocation. The server provides computing and storage resources for users. It gets ciphertexts from data owners and pushes the ciphertexts to data receivers. Most importantly, the server accomplish the user revocation functionality according to the revocation list that provided by KGC. We note that an existing server can be adopted to play the role of the server in our system, e.g., a SMTP server in an email system. Data owners encrypt messages under data receivers’ identities and uploads ciphertexts to the server. Data receivers obtain ciphertexts from the server and decrypt them with their secret keys.

The Server-Aided Immediate and Robust Revocable Identity-Based Encryption (SA-IR-RIBE) scheme consists of 9 algorithms:

• Setup\((\lambda) \rightarrow ({\sf MPK}, {\sf MSK}, {\sf SSK}_{\sf ctr}, \mathbb {L})\). On input a security parameter λ, the algorithm (run by KGC) outputs a master public key MPK, a master secret key MSK, an initial server secret key SSK_ctr and a revocation list \(\mathbb {L}\).

• Extract\(\phantom {\dot {i}\!}({\sf MPK}, {\sf MSK}, {\sf ID}_{i}) \rightarrow {\sf SK}_{{\sf ID}_{i}}\). On input a master public key MPK, a master secret key MSK, and an identity ID_i, the algorithm (run by KGC) outputs a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\).

• Enc\(\phantom {\dot {i}\!}({\sf MPK}, {\sf ID}_{i}, m) \rightarrow {\sf CT}_{{\sf ID}_{i}}\). On input a master public key MPK, an identity ID_i and a message m, the algorithm (run by a data owner) outputs a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\).

• CTInit\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}}, {\sf SSK}_{\sf ctr}) \rightarrow {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\) and a server secret key SSK_ctr, the algorithm (run by the server) outputs an updated \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\).

• SSKUpdate\(\phantom {\dot {i}\!}({\sf MPK}, {\sf SSK_{ctr}}) \rightarrow {\sf SSK_{ctr'}}\). On input a master public key MPK and a server secret key SSK_ctr, the algorithm (run by the server) outputs an updated server secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\).

• CTUpdate\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}, {\sf SSK_{ctr}}, {\sf SSK_{ctr'}}) \rightarrow {\sf CT}_{{\sf ID}_{i}, {\sf ctr'}}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\), and two server secret keys \(\phantom {\dot {i}\!}\sf SSK_{ctr}, SSK_{ctr'}\), the algorithm (run by the server) outputs an updated ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr'}}\).

• Transform\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}, {\sf SSK_{ctr}}, \mathbb {L}) \rightarrow {\sf TCT}_{{\sf ID}_{i}}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\), a server key SSK_ctr and a list \(\mathbb {L}\), the algorithm (run by the server) outputs a transformed ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\).

• Dec\(\phantom {\dot {i}\!}({\sf MPK}, {\sf TCT}_{{\sf ID}_{i}}, {\sf SK}_{{\sf ID}_{i}}) \rightarrow m\). On input a master public key MPK, a transformed ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\), and a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\), the algorithm (run by a data receiver) outputs a message m.

• Revoke\(({\sf ID}_{i}, \mathbb {L}) \rightarrow \mathbb {L}'\). On input an identity ID_i and a revocation list \(\mathbb {L}\), the algorithm (run by KGC) outputs an updated revocation list \(\mathbb {L}'\). The new list \(\mathbb {L}'\) is further distributed to the server.

The players in the system may conduct the following interactions (cf. Fig. 1):

System initialization: PKG runs the algorithms Setup and Extract to generate system parameters and all users’ secret keys. It then distributes MPK to all other parties, SSK_ctr and \(\mathbb {L}\) to the server and \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) to users. Initially, the user revocation list \(\mathbb {L}\) is empty.

Message encryption: A data owner runs the algorithm Enc to encrypt a message under an identity ID_i, and obtains a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\). The ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\) is uploaded to the server and then concealed by the server with the algorithm CTInit using the server secret key SSK_ctr.

Server key evolution: To resist exposure of the server secret key, the server updates the server secret key SSK_ctr and all stored ciphertexts periodically or when the server secret key leaks. When the server secret key SSK_ctr is demands to be updated, a new server secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\) is randomly sampled by calling the algorithm SSKUpdate. Meanwhile, all stored ciphertext are updated with the algorithm CTUpdate using the two server secret keys \(\phantom {\dot {i}\!}\sf SSK_{ctr}, \sf SSK_{ctr'}\), i.e., \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\) is updated to \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr'}}\). Once all ciphertexts have been updated, \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\) becomes the current server secret key. Meanwhile, all ciphertexts in time ctr and SSK_ctr are erased from the server’s storage.

Message decryption: Before pushing a stored ciphertext to a data receiver, the server runs Transform to obtain a transformed ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\). On receiving \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\), the receiver decrypts it with the algorithm Dec using his/her secret key. Note that the algorithm Transform takes the revocation list \(\mathbb {L}\) as its input, thus the ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\) is computed in a manner that only non-revoked receivers can decrypt the ciphertext successfully.

User revocation: When a user is required to be revoked, KGC updates the list \(\mathbb {L}\) by running the algorithm Revoke and sends the updated list \(\mathbb {L}\) to the server.

Security definition

Adversarial Model. KGC generates user secret keys, and are assumed to be honest. Data owners are trusted and we do not consider the data they own as correct or incorrect. The server is honest-but-curious (Li et al. 2012), meaning that it will honestly follow the protocol but try to learn as much information as possible. This assumption is realistic, since the server will be a service provider that cares its reputation and thus restricted by user contrast. While most of data receivers are trusted, some of them are corrupt and share their secret keys in the collusion. This collusion may gives the adversary more power.

Chosen Ciphertext Security. We give the semantic security against adaptively chosen-ID and Chosen Ciphertext Attacks for server-aided revocable IBE scheme (in short, SA-IND-ID-CCA).

The adversary is able to obtain a set of corrupted users’ secret keys \(\phantom {\dot {i}\!}\{{\sf SK}_{{\sf ID}_{1}}, {\sf SK}_{{\sf ID}_{2}},\allowbreak \ldots \}\) (except the target), and all the server secret keys, i.e., SSK₁,SSK₂,…,SSK_ctr. The security is defined with the following game:

Setup: The challenger \(\mathcal {C}\) takes a security parameter λ and runs Setup algorithm. It gives MPK,SSK_ctr to the adversary \(\mathcal {A}\) and keeps MSK to itself. The current time counter ctr is set to 1. \(\mathcal {C}\) periodically updates the counter to ctr^′ and sends the new server secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\) to \(\mathcal {A}\).

Phase 1:\(\mathcal {A}\) adaptively issues queries to following three oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\): \(\mathcal {C}\) sends a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) to \(\mathcal {A}\), where \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) is generated with the algorithm Extract.

• \(\phantom {\dot {i}\!}{\mathcal {O}}_{\sf Dec}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}})\): \(\mathcal {C}\) obtains \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) by running algorithm Extract. It then decrypts \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\) by running algorithms Transform and Dec to obtain the plaintext m. \(\mathcal {C}\) outputs m to \(\mathcal {A}\).

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\): If the server secret key \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) has not been generated, \(\mathcal {C}\) randomly samples \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) and stores \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\). Otherwise, \(\mathcal {C}\) recalls \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) from its storage. \(\mathcal {C}\) outputs \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) to \(\mathcal {A}\).

Challenge: Once \(\mathcal {A}\) decides that Phase 1 is over, it outputs a challenge identity ID^∗, a challenge time counter ctr^∗ and two equal length messages m₀,m₁. Note that ID^∗ did not appear in the previous queries to \({\mathcal {O}}_{\sf Extract}\). If \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\) has not been generated, \(\mathcal {B}\) randomly samples \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\). The challenger \(\mathcal {C}\) chooses a fair coin μ∈{0,1} and runs algorithm Enc (MPK,ID^∗,m_μ) to obtain \({\sf CT}^{*}_{{\sf ID}^{*}}\). Further, it runs \(\phantom {\dot {i}\!}{\sf CTInit(MPK,} {\sf CT}^{*}_{{\sf ID}^{*}}, {\sf SSK_{ctr^{*}}})\) to obtain \({\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}}\). The challenger returns \({\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}}\) as the challenge ciphertext to the adversary \(\mathcal {A}\).

Phase 2:\(\mathcal {A}\) adaptively issues more queries to the three oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\) where ID_i≠ID^∗: The challenger responds as in Phase 1.

• \(\phantom {\dot {i}\!}{\mathcal {O}}_{\sf Dec}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}})\) where \(\phantom {\dot {i}\!}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}) \neq ({\sf ID}^{*}, {\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}})\): The challenger responds as in Phase 1.

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\): The challenger responds as in Phase 1.

Guess: Finally, the adversary \(\mathcal {A}\) outputs a guess μ^′∈{0,1} and wins the game if μ=μ^′.

Definition 1

(SA-IND-ID-CCA Security) We say that a SA-IR-RIBE scheme is SA-IND-ID-CCA secure if for any PPT adversary \(\mathcal {A}\) the function \(Adv_{\mathcal {A}}\) is negligible:

User Revocation Validity. An important security property of a SA-IR-RIBE scheme is user revocation validity. Namely, if a user is revoked in time ctr^∗, he/she cannot decrypt all ciphertexts that encrypted to his/her identity. In this situation, the adversary is the revoked user with the challenge identity ID^∗, and holds the corresponding secret key \({\sf SK}_{{\sf ID}^{*}}\). Meanwhile, the adversary is allowed to obtain a set of corrupted users’ secret keys, i.e., \(\phantom {\dot {i}\!}\{{\sf SK}_{{\sf ID}_{1}}, {\sf SK}_{{\sf ID}_{2}}, \ldots \}\). Besides, in time ctr^∗, the server may discard all previous server secret keys, i.e., \({\sf SSK}_{1}, {\sf SSK}_{2}, \ldots, {\sf SSK}_{{\sf ctr}^{*}-1}\) and only protect its current secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\). Thus, the adversary may obtain all previous server secret keys except the one in the challenge time counter, i.e., \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\). We remark that this assumption gives the adversary maximum power to attack the system. Semantic security against adaptive-ID Chosen Plaintext Attacks (CPA) for User Revocation Validity is defined with the following game:

Setup: The challenger \(\mathcal {C}\) takes a security parameter λ and runs Setup algorithm. It gives MPK to the adversary \(\mathcal {A}\) and keeps SSK_ctr and MSK to itself. The current time counter ctr is set to 1. \(\mathcal {C}\) periodically updates the counter to ctr^′ and keeps \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\) to itself.

Phase 1:\(\mathcal {A}\) adaptively issues queries to following two oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\): \(\mathcal {C}\) sends a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) to \(\mathcal {A}\), where \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) is generated with algorithm Extract.

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\): If the server secret key \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) has not been generated, \(\mathcal {C}\) randomly samples \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) and stores \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\). Otherwise, \(\mathcal {C}\) recalls \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) from its storage. \(\mathcal {C}\) outputs \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) to \(\mathcal {A}\).

Challenge: Once \(\mathcal {A}\) decides that Phase 1 is over, it outputs a challenge identity ID^∗, a challenge time counter ctr^∗ and two equal length messages m₀,m₁. Note that two constraints must be satisfied: (1) ID^∗ cannot appear in previous queries to \({\mathcal {O}}_{\sf Extract}\); and (2) ctr^∗ cannot appear in previous queries to \({\mathcal {O}}_{\sf SSK}\). If the server secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\) has not been generated, \(\mathcal {C}\) randomly samples \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\) and keeps the key to itself. \(\mathcal {C}\) chooses a fair coin μ∈{0,1}, runs algorithm Enc (MPK,ID^∗,m_μ) to obtain \({\sf CT}^{*}_{{\sf ID}^{*}}\). Further, it runs \(\phantom {\dot {i}\!}{\sf CTInit(MPK}, {\sf CT}^{*}_{{\sf ID}^{*}}, {\sf SSK_{ctr^{*}}})\) to obtain \({\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}}\). The challenger returns \({\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}}\) as the challenge ciphertext to the adversary \(\mathcal {A}\).

Phase 2:\(\mathcal {A}\) adaptively issues more queries to the three oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\): The challenger responds as in Phase 1.

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\) where ctr_i≠ctr^∗: The challenger responds as in Phase 1.

Guess: Finally, the adversary \(\mathcal {A}\) outputs a guess μ^′∈{0,1} and wins the game if μ=μ^′.

Definition 2

(User Revocation Validity) We say that a SA-IR-RIBE scheme is adaptive-ID CPA-secure for User Revocation Validity if for any PPT adversary \(\mathcal {A}\) the function \(Adv_{\mathcal {A}}\) is negligible:

In this section, we present the proposed revocation mechanism, which is illustrated in Figs. 2 and 3.

Overview of the proposed server-aided revocation mechanism

Full size image

Overview of the server key evolution and ciphertext update

Full size image

A data owner encrypts data under an identity ID_i, and obtains a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\). The encryption algorithm works in the KEM/DEM setting, where C₁ is the KEM part and C₂ is the DEM part. On receiving the ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\), the server takes the following actions: (1) derives a mask Δ from SSK_ctr and C₂ using a pseudo-random function PRF, (2) masks C₁ to C1′ using Δ, and (3) stores (C1′,C₂) as \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\). Note that the server does not store the original ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\). When updated to a new server secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\), all stored ciphertext are updated using the two server secret keys \(\phantom {\dot {i}\!}\sf SSK_{ctr}, \sf SSK_{ctr'}\). On pushing ciphertext to a data receiver, if the receiver is not revoked, the server transforms ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr'}}\) to \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\) using \(\phantom {\dot {i}\!}\sf SSK_{ctr'}\) and outputs \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\) thus the receiver can decrypt \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\) to get the plaintext; otherwise, the server returns the concealed ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr'}}\).

The identity space, message space, and ciphertext space are {0,1}^∗,{0,1}^∗ and \((\mathbb {G}_{T}\times \{0,1\}^{*})\), respectively. The proposed SA-IR-RIBE scheme consists of the following algorithms:

Setup\((\lambda) \rightarrow ({\sf MPK}, {\sf MSK}, {\sf SSK}_{\sf ctr}, \mathbb {L})\). On input a security parameter λ, the algorithm does the following:

1. 1

   Choose \(\mathcal {G} = (\mathbb {G}_{1}, \mathbb {G}_{2}, \mathbb {G}_{T}, p, e) \leftarrow \mathcal {BP}(\lambda)\). Choose random generators \(g \in \mathbb {G}_{1}, h \in \mathbb {G}_{2}\) and random elements \(\gamma \in \mathbb {Z}_{p}^{*}\). Set u=e(g,h)^γ and w=g^γ.

2. 2

   Let F(ID_i)=H2RF₁(H_v,ID_i||hid,p), where hid=3, and H_v is a cryptographic hash function of v-bit output. Choose a collision resistant hash function \(H: \{0,1\}^{*} \rightarrow \{0,1\}^{l_{2}}\). Choose a pseudo-random function PRF: \(\{0,1\}^{l_{1}} \times \{0,1\}^{l_{2}} \rightarrow \mathbb {Z}_{p}^{*}\).

3. 3

   Choose an FG-CCA secure one-time symmetric encryption scheme \({\mathcal {E}}_{\sf sym} = ({\sf Enc}_{\sf Sym}, {\sf Dec}_{\sf Sym})\). The key length of \(\mathcal {E}_{\sf sym}\) is k.

4. 4

   Choose a random \({\sf SSK}_{1} \in \{0,1\}^{l_{1}}\) and set the counter ctr=1.

5. 5

   Return \({\sf MPK} = (\mathcal {G}, g, h, u, w, F, H, \text {PRF}, {\mathcal {E}}_{\sf Sym}), {\sf MSK} = \gamma, {\sf SSK}_{\sf ctr} = ({\sf ssk}_{1}, {\sf ctr})\) and \(\mathbb {L} = \emptyset \).

Extract\(\phantom {\dot {i}\!}({\sf MPK}, {\sf MSK}, {\sf ID}_{i}) \rightarrow {\sf SK}_{{\sf ID}_{i}}\). On input a master public key MPK, a master secret key MSK, and an identity ID_i, the algorithm outputs a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}} = h^{\frac {\gamma }{\gamma + F({\sf ID}_{i})}}.\)

Enc\(\phantom {\dot {i}\!}({\sf MPK}, {\sf ID}_{i}, m) \rightarrow {\sf CT}_{{\sf ID}_{i}}\). On input a master public key MPK, an identity ID_i and a message m, the algorithm does the following:

1. 1

   Choose a random \(z \in \mathbb {Z}_{p}^{*}\). Compute \(Q = w \cdot g^{F({\sf ID}_{i})} = g^{\gamma + F({\sf ID}_{i})}, C_{1} = Q^{z}, t = u^{z}\).

2. 2

   Derive a symmetric key K=KDF2(H_v,EC2OSP(C₁)||FE2OSP(t)||ID_i,k).

3. 3

   Compute C₂=Enc_sym(K,m).

The algorithm outputs \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\).

CTInit\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}}, {\sf SSK}_{\sf ctr}) \rightarrow {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\) and a server secret key SSK_ctr=(ssk_ctr,ctr), the algorithm outputs \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}} = (C_{1}', C_{2})\), where:

SSKUpdate\(\phantom {\dot {i}\!}({\sf MPK}, {\sf SSK_{ctr}}) \rightarrow {\sf SSK_{ctr'}}\). On input a master public key MPK and a server secret key SSK_ctr=(ssk_ctr,ctr), the algorithm sets a new counter ctr^′=ctr+1 and chooses a random \(\phantom {\dot {i}\!}{\sf ssk_{ctr'}} \in \{0,1\}^{l_{1}}\). The algorithm outputs an updated secret key \(\phantom {\dot {i}\!}\sf SSK_{ctr'} = (ssk_{ctr'}, ctr')\).

CTUpdate\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}, {\sf SSK_{ctr}}, {\sf SSK_{ctr'}}) \rightarrow {\sf CT}_{{\sf ID}_{i}, {\sf ctr}'}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}} = (C_{1}, C_{2})\), and two server secret keys \(\phantom {\dot {i}\!}\sf SSK_{ctr} = (ssk_{ctr}, ctr), SSK_{ctr'} = (ssk_{ctr'}, ctr')\), the algorithm computes:

The algorithm outputs an updated ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}'} = (C_{1}', C_{2})\).

Transform\(\phantom {\dot {i}\!}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}, {\sf SSK_{ctr}}, \mathbb {L}) \rightarrow {\sf TCT}_{{\sf ID}_{i}}\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}} \allowbreak = (C_{1}, C_{2})\), a server secret key SSK_ctr=(ssk_ctr,ctr) and a revocation list \(\mathbb {L}\), if \({\sf ID}_{i} \in \mathbb {L}\), the algorithm returns \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}}\) as \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\); otherwise it computes:

The algorithm outputs a transformed ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}} = (C_{1}', C_{2})\).

Dec\(\phantom {\dot {i}\!}({\sf MPK}, {\sf TCT}_{{\sf ID}_{i}}, {\sf SK}_{{\sf ID}_{i}}) \rightarrow m\). On input a master public key MPK, a ciphertext \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}} = (C_{1}, C_{2})\), and a secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\), the algorithm computes \(\phantom {\dot {i}\!}t = e(C_{1}, {\sf SK}_{{\sf ID}_{i}}) = e(g, h)^{\gamma z} = u^{z}.\) The encapsulated key is K=KDF2(H_v,EC2OSP(C₁)||FE2OSP(t)||ID_i,k). The ciphertext C₂ is decrypted to m with the symmetric decryption algorithm: m=Dec_sym(K,C₂).

Revoke\(({\sf ID}_{i}, \mathbb {L}) \rightarrow \mathbb {L}'\). On input an identity ID_i and a revocation list \(\mathbb {L}\), the algorithm outputs an updated revocation list \(\mathbb {L}' = \mathbb {L} \cup \{{\sf ID}_{i}\}\).

Theorem 1

The proposed server-aided Identity-Based Encryption scheme achieves SA-IND-ID-CCA security with respect to Definition 1, if the SM9-IBE scheme is IND-ID-CCA secure.

Proof

Suppose the adversary \(\mathcal {A}\) can break the proposed SA-IR-RIBE scheme with a non-negligible advantage, we build a simulator \(\mathcal {B}\) to break the security of the SM9-IBE scheme with a non-negligible advantage. \(\mathcal {B}\) interacts with \(\mathcal {A}\) as the challenger. Let \(\mathcal {C}\) be the challenger in the IND-ID-CCA secure game of the SM9-IBE scheme. It provides two oracles to \(\mathcal {B}\):

• \({\mathcal {O}}_{\sf Extract}^{\sf SM9}({\sf ID}_{i})\): \(\mathcal {C}\) runs Extract_SM9(ID_i) and returns the secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\).

• \(\phantom {\dot {i}\!}{\mathcal {O}}_{\sf Dec}^{\sf SM9}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}})\): \(\mathcal {C}\) runs Extract_SM9(ID_i) to obtain \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\). It then runs \(\phantom {\dot {i}\!}{\sf Dec}_{\sf SM9}({\sf MPK}, {\sf SK}_{{\sf ID}_{i}}, {\sf CT}_{{\sf ID}_{i}})\) to decrypt \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}}\). The resulting plaintext is sent to \(\mathcal {B}\).

The simulator \(\mathcal {B}\) works by interacting with the challenger \(\mathcal {C}\) and the adversary \(\mathcal {A}\) as follows:

Setup.\(\mathcal {C}\) sends \({\sf MPK_{SM9}} = (\mathcal {G}, g, h, u, w, F, {\mathcal {E}}_{\sf sym})\) to \(\mathcal {B}\). The unknown master secret key MSK_SM9 is γ. \(\mathcal {B}\) selects a collision resistant hash function H and a pseudo-random function PRF. Further, \(\mathcal {B}\) chooses a random \({\sf SSK}_{1} \in \{0,1\}^{l_{1}}\) and sets SSK₁=(ssk₁,ctr=1). Finally, \(\mathcal {B}\) sends the master public key \({\sf MPK} = (\mathcal {G}, g, h, u, w, F, H, \text {PRF}, {\mathcal {E}}_{\sf sym})\), and the initial server secret key SSK₁ to \(\mathcal {A}\). The simulator \(\mathcal {B}\) updates the server secret key periodically and it will send all updated server secret keys to \(\mathcal {A}\).

Phase 1:\(\mathcal {A}\) adaptively issues queries to following three oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\): \(\mathcal {B}\) sends the query to \({\mathcal {O}}_{\sf Extract}^{\sf SM9}({\sf ID}_{i})\) and forwards the obtained secret key \(\phantom {\dot {i}\!}{\sf SK}_{{\sf ID}_{i}}\) to \(\mathcal {A}\).

• \(\phantom {\dot {i}\!}{\mathcal {O}}_{\sf Dec}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}})\): \(\mathcal {B}\) runs \(\phantom {\dot {i}\!}{\sf Transform}({\sf MPK}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}, {\sf SSK}_{\sf ctr}, \emptyset)\) to obtain \(\phantom {\dot {i}\!}{\sf TCT}_{{\sf ID}_{i}}\). It then issues a query to \({\mathcal {O}}_{\sf Dec}^{\sf SM9}\) on \(\phantom {\dot {i}\!}({\sf ID}_{i}, {\sf TCT}_{{\sf ID}_{i}})\). \(\mathcal {C}\) returns a plaintext. \(\mathcal {B}\) forwards the plaintext to \(\mathcal {A}\).

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\): If the server secret key \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) has not been generated, \(\mathcal {B}\) randomly samples \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}} \in \{0,1\}^{l_{1}}\) and stores \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\). Otherwise, \(\mathcal {C}\) recalls \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) from its storage. \(\mathcal {B}\) outputs \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{i}}\) to \(\mathcal {A}\).

Challenge:\(\mathcal {A}\) outputs a challenge identity ID^∗, a challenge time counter ctr^∗ and two equal length messages m₀,m₁∈{0,1}^∗. Note that ID^∗ cannot appear in previous queries to \({\mathcal {O}}_{\sf Extract}\). If \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\) has not been generated, \(\mathcal {B}\) randomly samples \(\phantom {\dot {i}\!}\sf SSK_{ctr^{*}}\). \(\mathcal {B}\) forwards ID^∗ and m₀,m₁ to \(\mathcal {C}\). On receiving the challenge, \(\mathcal {C}\) chooses a fair coin μ∈{0,1}, runs Enc_SM9(MPK_SM9,ID_i,m_μ) to obtain \({\sf CT}_{{\sf ID}^{*}}^{*}\) and sends \({\sf CT}_{{\sf ID}^{*}}^{*}\) to \(\mathcal {B}\). Finally, \(\mathcal {B}\) runs \(\phantom {\dot {i}\!}{\sf CTInit}({\sf MPK}, {\sf CT}_{{\sf ID}^{*}}^{*}, {\sf SSK_{ctr^{*}}})\) to obtain \({\sf CT}_{{\sf ID^{*}}, {\sf ctr^{*}}}^{*}\), and sends \({\sf CT}_{{\sf ID^{*}}, {\sf ctr^{*}}}^{*}\) to \(\mathcal {A}\).

Phase 2:\(\mathcal {A}\) adaptively issues more queries to following three oracles:

• \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\) where ID_i≠ID^∗: \(\mathcal {B}\) responds as in Phase 1.

• \(\phantom {\dot {i}\!}{\mathcal {O}}_{\sf Dec}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}})\) where \(\phantom {\dot {i}\!}({\sf ID}_{i}, {\sf CT}_{{\sf ID}_{i}, {\sf ctr}}) \neq ({\sf ID}^{*}, {\sf CT}_{{\sf ID^{*}}, {\sf ctr^{*}}}^{*})\): \(\mathcal {B}\) responds as in Phase 1.

• \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\): \(\mathcal {B}\) responds as in Phase 1.

Guess:\(\mathcal {A}\) outputs a guess μ^′ of μ. \(\mathcal {B}\) forwards μ^′ to \(\mathcal {C}\).

As shown above, the master public key, the server secret key, secret keys and ciphertexts generated by \(\mathcal {B}\) is of identical distribution to those of the proposed SA-IR-RIBE scheme. If \(\mathcal {A}\) successfully guesses which message is encrypted in the challenge ciphertext, \(\mathcal {B}\) also outputs the right guess. Therefore, if \(\mathcal {A}\) can break the proposed SA-IR-RIBE scheme with probability \(\epsilon (\lambda), \mathcal {B}\) can break SM9-IBE with the same probability. This completes the proof of Theorem 1. □

Theorem 2

The proposed server-aided Identity-Based Encryption scheme is adaptive-ID CPA-secure for User Revocation Validity with respect to Definition 2.

The Theorem 2 is proved briefly as follows.

Proof

Let ID^∗ be the identity of the revoked user. Let ctr^∗ be the challenge time counter and \({\sf CT}^{*}_{{\sf ID}^{*}, {\sf ctr}^{*}}\) be the challenge ciphertext. The adversary \(\mathcal {A}\) (the revoked user) holds the secret key \({\sf SK}_{{\sf ID}^{*}}\), and queries on \({\mathcal {O}}_{\sf Extract}({\sf ID}_{i})\) and \({\mathcal {O}}_{\sf SSK}({\sf ctr}_{i})\) with the constraint that ctr_i≠ctr^∗.

In the Challenge phase, \(\mathcal {A}\) receives the challenge ciphertext \({\sf CT}_{\sf ID^{*}, ctr^{*}}^{*} = ((C_{1}^{*})^{\Delta }, C_{2}^{*})\) where \(\Delta = \text {PRF}({\sf SSK}_{\sf ctr^{*}}, H(C_{2}^{*}))\). In this case, \(e({\sf SK}_{{\sf ID}^{*}}, (C_{1}^{*})^{\Delta }) = e(g, h)^{\gamma z\Delta }\). Let t=e(g,h)^γz, which is required to derive the encapsulated key K. Provided that Δ is randomly generated by the PRF, (e(g,h)^γzΔ,t) can be viewed as an ElGamal KEM instance (u^zΔ,u^z), where u=e(g,h)^γ. Therefore, if the adversary \(\mathcal {A}\) can break the User Revocation Validity security of the proposed scheme, we can build a simulator \(\mathcal {B}\) to break the security of ElGamal KEM. Thus, Theorem 2 is proved. □

In this section, we give thorough performance analyses of the proposed scheme.

Theoretical Analysis. As shown in Table 2, we compare our revocation mechanism with many existing works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) in terms of functionality, security model, communication costs and computation costs. Note that we do not include schemes with impractical assumptions, e.g., (Boneh et al. 2001;Libert and Quisquater 2003). The comparison is performed on the symmetric pairing setting: \(\mathbb {G}\times \mathbb {G} \rightarrow \mathbb {G}_{T}\). Meanwhile, only operations of the KEM part are measured.

The works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Qin et al. 2015) provide indirect revocation of users’ secret keys meaning that the revocation needs a period of time to take effect. Our scheme and (Li et al. 2013) achieve direct user revocation by adopting a semi-trusted server. In our proposed SA-IR-RIBE scheme, the sizes of master public key, secret key and ciphertext are all constant, i.e., O(1).Libert and Vergnaud (2009);Seo and Emura (2013);Qin et al. (2015) adopted Waters IBE (Waters 2005) as the underlying IBE scheme thus had long master public keys, i.e., O(logN). (Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013) followed the BGK approach (Boldyreva et al. 2008) resulting long secret keys, i.e., O(logN). Compared with all listed schemes (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015), the key generation, encryption, and decryption algorithms in our scheme are efficient. The key generation algorithm takes only 1 exponentiation, which is better than (Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) and equal with (Boneh and Franklin 2001). The encryption algorithm takes 3 exponentiations, which is better than (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Qin et al. 2015) and equal with (Li et al. 2013). The decryption algorithm costs only 1 pairing, which is better than all listed works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015). When a user is revoked, (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) had large communication costs and computation costs for key update. In contrast, our scheme does not have communication costs and only performs ciphertext updates on the server side. Above theoretical discussions show the advantage and efficiency of the proposed scheme.

Experimental Analysis. To validate the reality of our ideas, we instantiate and implement the proposed scheme following the standard (Gm/t 2016b). The primitives EC2OSP, FE2OSP, KDF2 and H2RF_i are constructed asShoup (2006);Cheng (2017). The bilinear pairing is the standard 256-bit BN curve as specified in Gm/t (2016b). The hash functions H_v and H are implemented using the SM3 hash algorithm (Wang and Yu 2016), which takes input a message m of length l (l<2⁶⁴), and outputs a 256-bit hash. Thus, l₁=l₂=v=256. The PRF is instantiated as follows:

where ipad is the byte 0x36 repeated 64 times and opad is the byte 0x5C repeated 64 times. For the symmetric encryption primitive \({\mathcal {E}}_{\sf Sym}\), we use the DEM construction in Gm/t (2016b), where the message is encrypted using XOR encryption. Concretely, the DEM part is computed as follows:

We implement the proposed SA-IR-RIBE scheme on top of the GmSSL library ^{Footnote 1}. We conduct comprehensive benchmark on one core of an Intel Xeon CPU E5-2609 v4 @1.70 GHz and 128GB RAM running Ubuntu 16.04 LTS 64-bit. Since the network speed changes according to the user, only the running time of each algorithm is measured. The size of the message is set to 75 KB, which is a typical size of an email file^{Footnote 2}. Each algorithm is executed 100 times. The average running results are taken as the final results. The detailed result is shown in Table 3. It takes 405.68 ms and 351.34 ms for user-side message encryption and decryption, while algorithms CTInit, SSKUpdate, CTUpdate running on the server only cost 1.73 ms, 6.45×10⁻⁵ ms and 3.36 ms, respectively.

As our revocation scheme adds additional overhead on the server side, we further measure performance of the server with the following procedures: 1) On time ctr₁, N users in the system encrypt their messages and send the encrypted payloads to the server. Upon receiving a user’s upload request, the server runs the algorithm CTInit with its server secret key \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{1}}\) to generate the new ciphertext \(\phantom {\dot {i}\!}{\sf CT}_{{\sf ID}_{i}, {\sf ctr}_{1}}\), and stores it on the disk. 2) When updated to time ctr₂, the server first updates its server secret key \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{1}}\) to \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{2}}\) with algorithm SSKUpdate, then runs CTUpdate to update all stored ciphertexts. 3) N valid users send download requests to the server, the server runs Transform with \(\phantom {\dot {i}\!}{\sf SSK}_{{\sf ctr}_{2}}\) and sends the transformed ciphertexts to the users. Note that for simplicity, we do not consider network latency and disk I/O time in this benchmark, so only the server processing time is measured. We set the message size sent by each user to 75 KB, and increase N from 0 to 10,000. To fully leverage server’s computational power, we integrate OpenMP (Dagum and Menon 1998) to support parallel executions and compare with non-parallel ones.

In Fig. 4 and Table 4, we present the experiment result. The integration of OpenMP has significantly reduced latency and improved throughput of the server. With OpenMP disabled, the processing time is about tens of seconds. The algorithm CTInit takes 18.43 seconds to initialize 10,000 users’ uploaded messages. The algorithm CTUpdate takes 35.57 seconds to update all the stored ciphertexts. The algorithm Transform costs 19.56 seconds to transform the stored ciphertexts for 10,000 users’ requests. With OpenMP enabled, the obtained performance is satisfactory. CTInit only takes 2.91 seconds to initialize 10,000 users’ uploaded messages. CTUpdate takes 4.85 seconds to update all the stored ciphertexts. Transform costs 2.68 seconds to transform the stored ciphertexts for 10,000 users’ requests. During the experiment, algorithms CTInit, SSKUpdate, CTUpdate reach throughput of 269 MB/s, 151 MB/s and 277 MB/s respectively. The statistics show that the proposed scheme is practical for real-world systems.

Performance evaluation of the server

Full size image

In this paper, focusing on the problem of SM9-IBE revocation, we proposed a server-aided revocation mechanism. Our model has three desirable properties: (1) Compact system model: an existing server is adopted to perform all heavy workloads during user revocation; (2) Efficient and immediate revocation: the revocation takes effect immediately by taking simple operations in the server; and (3) Key-exposure resistance: even if the server secret key is leaked, a revoked user still cannot decrypt any data. We further prove that the proposed mechanism is adaptive-ID chosen ciphertext secure. Finally, we present both theoretical and experimental analyses showing that the proposed mechanism is practical and efficient.

Not applicable.

1. ¹http://gmssl.org/

2. ²https://www.lifewire.com/what-is-the-average-size-of-an-email-message-1171208

The authors would like to thank the anonymous reviewers for their valuable comments.

This work was partially supported by National Natural Science Foundation of China (Nos. 61772520, 61802392, 61972094, 61472416, 61632020), Key Research and Development Project of Zhejiang Province (Nos. 2017C01062, 2020C01078), Beijing Municipal Science & Technology Commission (Project Number. Z191100007119007, Z191100007119002).

Authors and Affiliations

1. State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, 100093, China

   Shuzhou Sun, Hui Ma, Rui Zhang & Wenhan Xu

2. School of Cyber Security, University of Chinese Academy of Sciences, Beijing, 100049, China

   Shuzhou Sun, Rui Zhang & Wenhan Xu

Contributions

Shuzhou Sun and Hui Ma proposed the revocation mechanism for SM9, and drafted the manuscript. Rui Zhang participated in problem discussions and improvements of the manuscript. Wenhan Xu implemented and benchmarked the proposed scheme. All authors read and approved the final manuscript.

Corresponding author

Correspondence to Hui Ma.

Competing interests

The authors declare that they have no competing interests.

Publisher’s Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.

Reprints and permissions