Server-aided immediate and robust user revocation mechanism for SM9

As the only approved Identity-Based Encryption scheme in China that is also standardized by ISO, SM9-IBE has been widely adopted in many real-world applications. However, similar to other IBE standard algorithms, SM9-IBE currently lacks revocation mechanism, which is vital for a real system. Worse still, we find that existing revocable techniques may not be suitable and efficient when applying to SM9-IBE. Given the widespread use of SM9-IBE, an efficient and robust user revocation mechanism becomes an urgent issue.In this work, we propose a dedicated server-aided revocation mechanism, which for the first time achieves the secure, immediate and robust user revocation for SM9-IBE. Provided with a compact system model, the proposed method leverages an existing server to perform all heavy workloads during user revocation, thus leaving no communication and computation costs for the key generation center and users. Moreover, the mechanism supports key-exposure resistance, meaning the user revocation mechanism is robust even if the revocation key leaks. We then formally define and prove the security. At last, we present theoretical comparisons and an implementation in terms of computational latency and throughput. The results indicate the efficiency and practicability of the proposed mechanism.


Introduction
Identity-Based Encryption (IBE) is a special kind of public key encryption, where a user utilizes a unique string (e.g., an email address or a phone number) as the public key. Data senders do not have to obtain receivers' public key certificates, thus eliminating the Public Key Infrastructure (PKI). In the past decades, IBE has been thoroughly studied and many practical IBE schemes have been proposed, e.g., (Boneh and Franklin 2001;Cocks 2001;Canetti et al. 2004;Boneh and Boyen 2004a;2004b;Waters 2005). Further, some of the proposed schemes were standardized in a number of globally recognized standards (Boyen and Martin 2007;IEEE 2013;Iso/iec 2015). SM9 (Gm/t 2016a) is a Chinese national cryptography standard for Identity-Based Cryptography, which consists challenge is that SM9-IBE has a different mathematical structure compared with the existing revocable IBE schemes, which were construed with certain IBE schemes and relied on their concrete mathematical structures, thus adopting these solutions will face with the difficulties in both the construction and the security proof.
As a result, the problem of efficient SM9-IBE user revocation is still open. As a national and international standard for IBE, it is desirable to have a practical user revocation mechanism for SM9-IBE.
Our Contributions. Aiming at solving the revocation problem of SM9-IBE, we propose a dedicated Server-Aided Immediate and Robust Revocable Identity-Based Encryption scheme (denoted as SA-IR-RIBE), which can be effortlessly integrated into the existing systems. Remarkably, our methodology achieves direct user revocation by performing simple operations in the server. Our results lie in the following aspects: • A Compact System with Revocation. In this paper, we present a practical revocation mechanism for SM9-IBE. To the best of our knowledge, this is the first specific solution to the revocation problem for SM9-IBE. By introducing a helping server, the proposed mechanism has a compact system model and does not introduce additional entities. The heavy workloads of user revocation are all performed by the server, leaving no communication and computation costs for both the key generation center (KGC) and users. • Efficient and Immediate Revocation. Unlike most of the existing revocable IBE schemes, our scheme enjoys instant revocation, in the sense that a user cannot decrypt ciphertexts at the same moment when he is revoked. In our scheme, all ciphertexts have to be partially decrypted by the server before it is decrypted by a user. Therefore, a user can be immediately revoked from the system by taking simple operations on the server side. • Server Side Key-Exposure Resistance. In an ordinary scheme, once the server secret key is revealed, the revocation mechanism no longer works. Our mechanism achieves robustness for such key-exposure: Even if the server secret key is leaked, a revoked user still cannot decrypt any data. In particular, the server secret key and ciphertexts are updated periodically or in emergency situations, e.g. when the server secret key is stolen by hackers. • Provable Security. The proposed scheme does not affect the security of SM9-IBE, which is provably secure against adaptive-ID Chosen Ciphertext Attacks. Furthermore, for the security of revocation, we formally define a concrete security property called user revocation validity where a revoked user cannot decrypt any ciphertexts without the help of the server. • Performance Evaluation. We conduct theoretical comparison between the proposed mechanism and related works, showing the advantage and efficiency of SA-IR-RIBE. Moreover, we present comprehensive experimental evaluations by implementing the proposed mechanism. We benchmark our implementations on a high concurrency scenario, where tens of thousands users upload and download data from the server simultaneously. The obtained results indicate that the proposed mechanism is practical for real-world application scenarios.
Limitation. The proposed method deals with the problem of user revocation. It does not directly support key revocation. However, key revocation can be achieved in the cost of changing identities. Specifically, in our system, when a user lost his key, he/she informs the key generation center to revoke his/her key and applies for a new key under a new identity.

Related work
Numerous revocation techniques have been developed in the IBE setting. In this section, we review some existing solutions and identify the problems when they are applied to SM9-IBE.
Generic Time-Concatenated Solution. The first revocable IBE scheme is proposed by Boneh and Franklin (2001) (BF-IBE). At each time period t, KGC issues secret keys SK ID i ||t to all non-revoked users for identities ID i ||t. The data owners encrypt messages under the new concatenated identities ID i ||t. Thus, if a user is revoked in time period t, he/she cannot access the messages encrypted in t. However, this mechanism does not scale well, since KGC must re-generate a large number of secret keys and re-distribute them to users at the beginning of each time period. The complexity of KGC is linear in the number of non-revoked users.
Tree-Based Solutions. Boldyreva, Goyal and Kumar (2008) (BGK-RIBE) gave their security notion for revocable IBE (RIBE), and constructed an efficient revocable IBE scheme from the fuzzy IBE scheme (Sahai and Waters 2005) with binary tree structure (Naor et al. 2001) in the selective-ID security model. In the BGK method, each user has a tuple of long term secret keys. KGC publicly broadcasts a small set of key updates in each time period, so that only non-revoked users can construct new decryption keys from their long term secret keys and the key updates. BGK-RIBE significantly reduces the total size of key updates from linear to logarithmic in the number of non-revoked users. Following work by Libert and Vergnaud (2009) proposed an adaptive secure revocable IBE scheme based on the variant of Waters IBE (Waters 2005) and Gentry IBE (Gentry 2006). Recently, Seo and Emura (2013) revisited the security notation of RIBE by presenting the decryption key exposure attack, and proposed a notable scheme based on Libert and Vergnaud (2009). However, above approaches have two limitations: (1) all non-revoked users have to download public key updates from KGC periodically; and (2) the sizes of both users' secret keys and public key updates grow logarithmically in the number of non-revoked users.
Server-Aided Solutions. Several works adopted a third party to achieve revocation in the IBE setting. ; Libert and Quisquater (2003) employed a trusted party called mediator that holds all users' secret keys and helps users to decrypt all ciphertexts. If a user is revoked, the mediator stops helping the user. This model is impractical since users have to fully trust the mediator and they need to communicate with it for each decryption. The work (Li et al. 2013) showed how to outsource workload of the KGC to a semi-trusted server, which they referred as outsourced KGC. In their approach, a secret key is split into two shares held by a user and the server. For a revoked user, the server refuses to collaborate. A disadvantage of (Li et al. 2013) is that the sever needs to maintain all users' secret key shares. Another work (Qin et al. 2015) adapted the scheme of Seo and Emura (2013) to delegate public key update workload from KGC to an untrusted server. Each user keeps one short secret key and does not communicate with the KGC or the server during key updating. Their scheme is provably secure against adaptive-ID chosen ciphertext attacks under the DBDH assumption in the standard model.
Broadcast Encryption. Identity-Based Broadcast Encryption (IBBE) (Delerablée 2007) is a natural generalization of broadcast encryption (BE) in the IBE setting. While adopting BE schemes to support user revocation has been well studied (Naor et al. 2001;Kogan et al. 2006), the IBBE primitive itself does not imply a solution for the user revocation problem. Until very recently, Ge and Wei (2019) formally studied scalable revocation methodology for IBBE schemes. Following the binary tree data structure in Boldyreva et al. (2008), they gave a concrete revocable IBBE scheme, which is semi-adaptively secure under Chosen Plaintext Attacks (CPA) in the standard model. However, the size of the secret keys is linear in the number of maximum size of the recipients in one encryption.
Limitations when Applying These Approaches to SM9-IBE. According to Boyen (2007), known constructions of pairing-based IBE schemes can be classified into 3 families: "Full Domain Hash" IBE (e.g., BF-IBE), "Exponent Inversion" IBE (e.g., SK-IBE (Sakai and Kasahara 2003)) and "Commutative Blinding" IBE (e.g., Waters IBE). A fact must be noted is that all above revocation mechanisms are construed using "Full Domain Hash" IBE or "Commutative Blinding" IBE schemes. While the timeconcatenated solution (i.e., BF-IBE) is a generic technique that can be applied to all above 3 families of IBE, other revocation mechanisms (Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015; Ge and Wei 2019) relied on the concrete structure of the underlying IBE schemes more or less. However, SM9-IBE is actually an "Exponent Inversion"-like IBE scheme. Therefore, all mentioned revocation mechanisms (except BF-IBE) cannot be trivially adopted for SM9-IBE. As for BF-IBE, it has an unaffordable burden for both KGC and users.
We note that all the above-mentioned revocation mechanisms only achieve indirect user revocation, which means that the revocation needs time to take effect. In such a situation, hackers may have downloaded and decrypted all data during the time period.

Preliminary
Notations. Let || and ⊕ denote bitwise operations concatenation and XOR, respectively. We call a function negl negligible in λ, if for every positive polynomial poly(·) there exists an N such that for all λ > N, negl(λ) < 1/poly(λ). A probabilistic polynomial-time (PPT) algorithm A is an algorithm that on input x, computes A(x) using randomness and its running time is bounded by poly(λ). Following primitives are used in both the SM9 and this work. One may refer to ISO/IEC 18033-2 (Shoup 2006) and (Cheng 2017) for detailed definitions. Bilinear Pairing. Let BP be an algorithm that takes as input a security parameter λ and outputs a tuple (G 1 , G 2 , G T , p, e), where G 1 , G 2 and G T are multiplicative cyclic groups of prime order p, and e : G 1 ×G 2 → G T is an admissible bilinear map if: 1) Bilinearity: for all g 1 ∈ G 1 , g 2 ∈ G 2 and a, b ∈ Z * p , we have e(g a 1 , g b 2 ) = e(g 1 , g 2 ) ab . 2) Non-Degeneracy: e(g 1 , g 2 ) = 1 whenever g 1 = 1 G 1 and g 2 = 1 G 2 .

The SM9 identity-based encryption
The SM9 encryption (SM9-IBE) (Gm/t 2016a; Cheng 2017) is a hybrid encryption scheme that follows the Key/Data Encapsulation Mechanism (KEM/DEM) paradigm (Shoup 2001) in the IBE setting (Bentahar et al. 2008). We first introduce the SM9 key encapsulation mechanism (SM9-KEM), and then present the hybrid encryption scheme. There are four algorithms in SM9-KEM: On input a security parameter λ, the algorithm runs as follows: On input a master public key MPK SM9 , a master secret key MSK SM9 and an identity ID i , the algorithm outputs a secret key On input a master public key MPK SM9 , an identity ID i and a message m, the algorithm runs as follows: On input a master public key MPK SM9 , a secret key SK ID i and a ciphertext CT ID i , the algorithm runs as follows: Let E sym = (Enc sym , Dec sym ) denote a symmetric encryption scheme that consists of an encryption algorithm Enc sym and a decryption algorithm Dec sym , where: (1) Enc sym takes input a key and a message, and outputs a ciphertext; and (2) Dec sym takes input a key and a ciphertext, and outputs a message. The full SM9-IBE encryption scheme is constructed as follows: On input a master public key MPK SM9 , an identity ID i and a message m, the algorithm runs Encap SM9-KEM (MPK SM9 , ID i ) to obtain (C 1 , K). Further, the message is encrypted using the symmetric encryption algorithm: On input a master public key MPK SM9 , a secret key SK ID i and a ciphertext CT ID i = (C 1 , C 2 ), the algorithm runs Decap SM9-KEM (MPK SM9 , SK ID i , C 1 ) to obtain the encapsulated K. The DEM part is decrypted using the symmetric decryption algorithm: m = Dec sym (K, C 2 ). The algorithm outputs the message m.
Chosen Ciphertext Security of SM9-IBE. In the identity-based hybrid encryption setting, Bentahar et al. (2008) proved that a hybrid IBE scheme is secure against adaptive-ID Chosen Ciphertext Attacks (ID-IND-CCA), if the underlying KEM part is ID-IND-CCA secure and the DEM part is a one-time symmetric encryption scheme that can resistant Find-Guess (FG) Chosen Ciphertext Attacks (FG-CCA) (cf. Theorem 1 in Bentahar et al. (2008)). Following this framework, (Cheng 2017) first proved that SM9-KEM is ID-IND-CCA secure with the Gap-p-BCAA1 1,2 assumption in the random oracle model, and then stated that SM9-IBE is IND-ID-CCA secure giving an FG-CCA secure DEM.

The model of SA-IR-RIBE
In this section, we present the system model and the security definitions.

System model
In the proposed mechanism, there are four parties involved: a key generation center (KGC), a server, data owners and data receivers. The compact system model is illustrated in Fig. 1. All acronyms used in this paper are listed in Table 1. KGC is responsible for generating and distributing system parameters to other entities, including the master public key, the master secret key, the server secret key and users' secret keys. Besides, it maintains a revocation list for realizing user revocation. The server provides computing and storage resources for users. It gets ciphertexts from data owners and pushes the ciphertexts to data receivers. Most importantly, the server accomplish the user revocation functionality according to the revocation list that provided by KGC. We note that an existing server can be adopted to play the role of the server in our system, e.g., a SMTP server in an email system. Data owners encrypt messages under data receivers' identities and uploads ciphertexts to the server. Data receivers obtain ciphertexts from the server and decrypt them with their secret keys.
The Server-Aided Immediate and Robust Revocable Identity-Based Encryption (SA-IR-RIBE) scheme consists of 9 algorithms: • Setup(λ) → (MPK, MSK, SSK ctr , L). On input a security parameter λ, the algorithm (run by KGC) outputs a master public key MPK, a master secret key MSK, an initial server secret key SSK ctr and a revocation list L. • Extract(MPK, MSK, ID i ) → SK ID i . On input a master public key MPK, a master secret key MSK, and an identity ID i , the algorithm (run by KGC) outputs a secret key SK ID i . • Enc(MPK, ID i , m) → CT ID i . On input a master public key MPK, an identity ID i and a message m, the algorithm (run by a data owner) outputs a ciphertext On input a master public key MPK, a ciphertext CT ID i and a server secret key SSK ctr , the algorithm (run by the server) outputs an updated CT ID i ,ctr .
• SSKUpdate(MPK, SSK ctr ) → SSK ctr . On input a master public key MPK and a server secret key SSK ctr , the algorithm (run by the server) outputs an updated server secret key SSK ctr .
On input a master public key MPK, a ciphertext CT ID i ,ctr , and two server secret keys SSK ctr , SSK ctr , the algorithm (run by the server) outputs an updated ciphertext CT ID i ,ctr . • Transform(MPK, CT ID i ,ctr , SSK ctr , L) → TCT ID i . On input a master public key MPK, a ciphertext CT ID i ,ctr , a server key SSK ctr and a list L, the algorithm (run by the server) outputs a transformed ciphertext TCT ID i .
public key MPK, a transformed ciphertext TCT ID i , and a secret key SK ID i , the algorithm (run by a data receiver) outputs a message m. • Revoke(ID i , L) → L . On input an identity ID i and a revocation list L, the algorithm (run by KGC) outputs an updated revocation list L . The new list L is further distributed to the server.
The players in the system may conduct the following interactions (cf. Fig. 1):  System initialization: PKG runs the algorithms Setup and Extract to generate system parameters and all users' secret keys. It then distributes MPK to all other parties, SSK ctr and L to the server and SK ID i to users. Initially, the user revocation list L is empty.
Message encryption: A data owner runs the algorithm Enc to encrypt a message under an identity ID i , and obtains a ciphertext CT ID i . The ciphertext CT ID i is uploaded to the server and then concealed by the server with the algorithm CTInit using the server secret key SSK ctr .
Server key evolution: To resist exposure of the server secret key, the server updates the server secret key SSK ctr and all stored ciphertexts periodically or when the server secret key leaks. When the server secret key SSK ctr is demands to be updated, a new server secret key SSK ctr is randomly sampled by calling the algorithm SSKUpdate. Meanwhile, all stored ciphertext are updated with the algorithm CTUpdate using the two server secret keys SSK ctr , SSK ctr , i.e., CT ID i ,ctr is updated to CT ID i ,ctr . Once all ciphertexts have been updated, SSK ctr becomes the current server secret key. Meanwhile, all ciphertexts in time ctr and SSK ctr are erased from the server's storage.
Message decryption: Before pushing a stored ciphertext to a data receiver, the server runs Transform to obtain a transformed ciphertext TCT ID i . On receiving TCT ID i , the receiver decrypts it with the algorithm Dec using his/her secret key. Note that the algorithm Transform takes the revocation list L as its input, thus the ciphertext TCT ID i is computed in a manner that only non-revoked receivers can decrypt the ciphertext successfully.
User revocation: When a user is required to be revoked, KGC updates the list L by running the algorithm Revoke and sends the updated list L to the server.

Security definition
Adversarial Model. KGC generates user secret keys, and are assumed to be honest. Data owners are trusted and we do not consider the data they own as correct or incorrect. The server is honest-but-curious (Li et al. 2012), meaning that it will honestly follow the protocol but try to learn as much information as possible. This assumption is realistic, since the server will be a service provider that cares its reputation and thus restricted by user contrast. While most of data receivers are trusted, some of them are corrupt and share their secret keys in the collusion. This collusion may gives the adversary more power.
Chosen Ciphertext Security. We give the semantic security against adaptively chosen-ID and Chosen Ciphertext Attacks for server-aided revocable IBE scheme (in short, SA-IND-ID-CCA).
The adversary is able to obtain a set of corrupted users' secret keys {SK ID 1 , SK ID 2 , . . .} (except the target), and all the server secret keys, i.e., SSK 1 , SSK 2 , . . . , SSK ctr . The security is defined with the following game: Setup: The challenger C takes a security parameter λ and runs Setup algorithm. It gives MPK, SSK ctr to the adversary A and keeps MSK to itself. The current time counter ctr is set to 1. C periodically updates the counter to ctr and sends the new server secret key SSK ctr to A.
Phase 1: A adaptively issues queries to following three oracles: • O Extract (ID i ): C sends a secret key SK ID i to A, where SK ID i is generated with the algorithm Extract. • O Dec (ID i , CT ID i ,ctr ): C obtains SK ID i by running algorithm Extract. It then decrypts CT ID i ,ctr by running algorithms Transform and Dec to obtain the plaintext m. C outputs m to A. • O SSK (ctr i ): If the server secret key SSK ctr i has not been generated, C randomly samples SSK ctr i and stores SSK ctr i . Otherwise, C recalls SSK ctr i from its storage. C outputs SSK ctr i to A.
Challenge: Once A decides that Phase 1 is over, it outputs a challenge identity ID * , a challenge time counter ctr * and two equal length messages m 0 , m 1 . Note that ID * did not appear in the previous queries to O Extract . If SSK ctr * has not been generated, B randomly samples SSK ctr * . The challenger C chooses a fair coin μ ∈ {0, 1} and runs algorithm Enc(MPK, ID * , m μ ) to obtain CT * ID * . Further, it runs CTInit(MPK,CT * ID * , SSK ctr * ) to obtain CT * ID * ,ctr * . The challenger returns CT * ID * ,ctr * as the challenge ciphertext to the adversary A.
Phase 2: A adaptively issues more queries to the three oracles: • O Extract (ID i ) where ID i = ID * : The challenger responds as in Phase 1.
User Revocation Validity. An important security property of a SA-IR-RIBE scheme is user revocation validity. Namely, if a user is revoked in time ctr * , he/she cannot decrypt all ciphertexts that encrypted to his/her identity. In this situation, the adversary is the revoked user with the challenge identity ID * , and holds the corresponding secret key SK ID * . Meanwhile, the adversary is allowed to obtain a set of corrupted users' secret keys, i.e., {SK ID 1 , SK ID 2 , . . .}. Besides, in time ctr * , the server may discard all previous server secret keys, i.e., SSK 1 , SSK 2 , . . . , SSK ctr * −1 and only protect its current secret key SSK ctr * . Thus, the adversary may obtain all previous server secret keys except the one in the challenge time counter, i.e., SSK ctr * . We remark that this assumption gives the adversary maximum power to attack the system. Semantic security against adaptive-ID Chosen Plaintext Attacks (CPA) for User Revocation Validity is defined with the following game: Setup: The challenger C takes a security parameter λ and runs Setup algorithm. It gives MPK to the adversary A and keeps SSK ctr and MSK to itself. The current time counter ctr is set to 1. C periodically updates the counter to ctr and keeps SSK ctr to itself.
Phase 1: A adaptively issues queries to following two oracles: If the server secret key SSK ctr i has not been generated, C randomly samples SSK ctr i and stores SSK ctr i . Otherwise, C recalls SSK ctr i from its storage. C outputs SSK ctr i to A.
Challenge: Once A decides that Phase 1 is over, it outputs a challenge identity ID * , a challenge time counter ctr * and two equal length messages m 0 , m 1 . Note that two constraints must be satisfied: (1) ID * cannot appear in previous queries to O Extract ; and (2) ctr * cannot appear in previous queries to O SSK . If the server secret key SSK ctr * has not been generated, C randomly samples SSK ctr * and keeps the key to itself. C chooses a fair coin μ ∈ {0, 1}, runs algorithm Enc(MPK, ID * , m μ ) to obtain CT * ID * . Further, it runs CTInit(MPK, CT * ID * , SSK ctr * ) to obtain CT * ID * ,ctr * . The challenger returns CT * ID * ,ctr * as the challenge ciphertext to the adversary A.
Phase 2: A adaptively issues more queries to the three oracles: The challenger responds as in Phase 1.
• O SSK (ctr i ) where ctr i = ctr * : The challenger responds as in Phase 1.

Server-aided immediate and robust revocation for SM9-IBE
In this section, we present the proposed revocation mechanism, which is illustrated in Figs. 2 and 3. A data owner encrypts data under an identity ID i , and obtains a ciphertext CT ID i = (C 1 , C 2 ). The encryption algorithm works in the KEM/DEM setting, where C 1 is the KEM part and C 2 is the DEM part. On receiving the ciphertext CT ID i , the server takes the following actions: (1) derives a mask from SSK ctr and C 2 using a pseudorandom function PRF, (2) masks C 1 to C 1 using , and (3) stores (C 1 , C 2 ) as CT ID i ,ctr . Note that the server does not store the original ciphertext CT ID i . When updated to a new server secret key SSK ctr , all stored ciphertext are updated using the two server secret keys SSK ctr , SSK ctr . On pushing ciphertext to a data receiver, if the receiver is not revoked, the server transforms ciphertext CT ID i ,ctr to TCT ID i using SSK ctr and outputs TCT ID i thus the receiver can decrypt TCT ID i to get the plaintext; otherwise, the server returns the concealed ciphertext CT ID i ,ctr .
The identity space, message space, and ciphertext space are {0, 1} * , {0, 1} * and (G T × {0, 1} * ), respectively. The proposed SA-IR-RIBE scheme consists of the following algorithms: Setup(λ) → (MPK, MSK, SSK ctr , L). On input a security parameter λ, the algorithm does the following: 1 Choose G = (G 1 , G 2 , G T , p, e) ← BP(λ). Choose random generators g ∈ G 1 , h ∈ G 2 and random elements γ ∈ Z * p . Set u = e(g, h) γ and w = g γ .  Extract(MPK, MSK, ID i ) → SK ID i . On input a master public key MPK, a master secret key MSK, and an identity ID i , the algorithm outputs a secret key On input a master public key MPK, an identity ID i and a message m, the algorithm does the following: The algorithm outputs CT ID i = (C 1 , C 2 ).
CTInit(MPK, CT ID i , SSK ctr ) → CT ID i ,ctr . On input a master public key MPK, a ciphertext CT ID i = (C 1 , C 2 ) and a server secret key SSK ctr = (ssk ctr , ctr), the algorithm outputs CT ID i ,ctr = (C 1 , C 2 ), where: SSKUpdate(MPK, SSK ctr ) → SSK ctr . On input a master public key MPK and a server secret key SSK ctr = (ssk ctr , ctr), the algorithm sets a new counter ctr = ctr + 1 and chooses a random ssk ctr ∈ {0, 1} l 1 . The algorithm outputs an updated secret key SSK ctr = (ssk ctr , ctr ).
Transform(MPK, CT ID i ,ctr , SSK ctr , L) → TCT ID i . On input a master public key MPK, a ciphertext CT ID i ,ctr = (C 1 , C 2 ), a server secret key SSK ctr = (ssk ctr , ctr) and a revocation list L, if ID i ∈ L, the algorithm returns CT ID i ,ctr as TCT ID i ; otherwise it computes:

The algorithm outputs a transformed ciphertext TCT ID
On input a master public key MPK, a ciphertext TCT ID i = (C 1 , C 2 ), and a secret key SK ID i , the algorithm computes t = e(C 1 , SK ID i ) = e(g, h) γ z = u z . The encapsulated key is K = KDF2(H v , EC2OSP(C 1 )||FE2OSP(t)||ID i , k). The ciphertext C 2 is decrypted to m with the symmetric decryption algorithm: m = Dec sym (K, C 2 ).
Revoke(ID i , L) → L . On input an identity ID i and a revocation list L, the algorithm outputs an updated revocation list L = L ∪ {ID i }.

Security proof
Theorem 1 The proposed server-aided Identity-Based Encryption scheme achieves SA-IND-ID-CCA security with respect to Definition 1, if the SM9-IBE scheme is IND-ID-CCA secure.
Proof Suppose the adversary A can break the proposed SA-IR-RIBE scheme with a non-negligible advantage, we build a simulator B to break the security of the SM9-IBE scheme with a non-negligible advantage. B interacts with A as the challenger. Let C be the challenger in the IND-ID-CCA secure game of the SM9-IBE scheme. It provides two oracles to B: Extract (ID i ): C runs Extract SM9 (ID i ) and returns the secret key SK ID i .
Dec (ID i , CT ID i ): C runs Extract SM9 (ID i ) to obtain SK ID i . It then runs Dec SM9 (MPK, SK ID i , CT ID i ) to decrypt CT ID i . The resulting plaintext is sent to B.
The simulator B works by interacting with the challenger C and the adversary A as follows: Setup. C sends MPK SM9 = (G, g, h, u, w, F, E sym ) to B. The unknown master secret key MSK SM9 is γ . B selects a collision resistant hash function H and a pseudo-random function PRF. Further, B chooses a random ssk 1 ∈ {0, 1} l 1 and sets SSK 1 = (ssk 1 , ctr = 1). Finally, B sends the master public key MPK = (G, g, h, u, w, F, H, PRF, E sym ), and the initial server secret key SSK 1 to A. The simulator B updates the server secret key periodically and it will send all updated server secret keys to A.
Phase 1: A adaptively issues queries to following three oracles: Extract (ID i ) and forwards the obtained secret key SK ID i to A.
Transform(MPK, CT ID i ,ctr , SSK ctr , ∅) to obtain TCT ID i . It then issues a query to O SM9 Dec on (ID i , TCT ID i ). C returns a plaintext. B forwards the plaintext to A.
• O SSK (ctr i ): If the server secret key SSK ctr i has not been generated, B randomly samples SSK ctr i ∈ {0, 1} l 1 and stores SSK ctr i . Otherwise, C recalls SSK ctr i from its storage. B outputs SSK ctr i to A.
Challenge: A outputs a challenge identity ID * , a challenge time counter ctr * and two equal length messages m 0 , m 1 ∈ {0, 1} * . Note that ID * cannot appear in previous queries to O Extract . If SSK ctr * has not been generated, B randomly samples SSK ctr * . B forwards ID * and m 0 , m 1 to C. On receiving the challenge, C chooses a fair coin μ ∈ {0, 1}, runs Enc SM9 (MPK SM9 , ID i , m μ ) to obtain CT * ID * and sends CT * ID * to B. Finally, B runs CTInit(MPK, CT * ID * , SSK ctr * ) to obtain CT * ID * ,ctr * , and sends CT * ID * ,ctr * to A. Phase 2: A adaptively issues more queries to following three oracles: Guess: A outputs a guess μ of μ. B forwards μ to C. As shown above, the master public key, the server secret key, secret keys and ciphertexts generated by B is of identical distribution to those of the proposed SA-IR-RIBE scheme. If A successfully guesses which message is encrypted in the challenge ciphertext, B also outputs the right guess. Therefore, if A can break the proposed SA-IR-RIBE scheme with probability (λ), B can break SM9-IBE with the same probability. This completes the proof of Theorem 1.

Theorem 2 The proposed server-aided Identity-Based Encryption scheme is adaptive-ID CPA-secure for User Revocation Validity with respect to Definition 2.
The Theorem 2 is proved briefly as follows.
Proof Let ID * be the identity of the revoked user. Let ctr * be the challenge time counter and CT * ID * ,ctr * be the challenge ciphertext. The adversary A (the revoked user) holds the secret key SK ID * , and queries on O Extract (ID i ) and O SSK (ctr i ) with the constraint that ctr i = ctr * .
In the Challenge phase, A receives the challenge ciphertext CT * ). In this case, e(SK ID * , (C * 1 ) ) = e(g, h) γ z . Let t = e(g, h) γ z , which is required to derive the encapsulated key K. Provided that is randomly generated by the PRF, (e(g, h) γ z , t) can be viewed as an ElGamal KEM instance (u z , u z ), where u = e(g, h) γ . Therefore, if the adversary A can break the User Revocation Validity security of the proposed scheme, we can build a simulator B to break the security of ElGamal KEM. Thus, Theorem 2 is proved.

Performance evaluation
In this section, we give thorough performance analyses of the proposed scheme.
Theoretical Analysis. As shown in Table 2, we compare our revocation mechanism with many existing works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) in terms of functionality, security model, communication costs and computation costs. Note that we do not include schemes with impractical assumptions, e.g., Libert and Quisquater 2003). The comparison is performed on the symmetric pairing setting: G × G → G T . Meanwhile, only operations of the KEM part are measured.
The works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Qin et al. 2015) provide indirect revocation of users' secret keys meaning that the revocation needs a period of time to take effect. Our scheme and (Li et al. 2013) achieve direct user revocation by adopting a semi-trusted server. In our proposed SA-IR-RIBE scheme, the sizes of master public key, secret key and ciphertext are all constant, i.e., O(1). Libert and Vergnaud (2009) ;Seo and Emura (2013); Qin et al. (2015) adopted Waters IBE (Waters 2005) as the underlying IBE scheme thus had long master public keys, i.e., O(log N). (Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013) followed the BGK approach (Boldyreva et al. 2008) resulting long secret keys, i.e., O(log N). Compared with all listed schemes (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud Li et al. 2013;Qin et al. 2015), the key generation, encryption, and decryption algorithms in our scheme are efficient. The key generation algorithm takes only 1 exponentiation, which is better than (Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) and equal with (Boneh and Franklin 2001). The encryption algorithm takes 3 exponentiations, which is better than (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Qin et al. 2015) and equal with (Li et al. 2013). The decryption algorithm costs only 1 pairing, which is better than all listed works (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015). When a user is revoked, (Boneh and Franklin 2001;Boldyreva et al. 2008;Libert and Vergnaud 2009;Seo and Emura 2013;Li et al. 2013;Qin et al. 2015) had large communication costs and computation costs for key update. In contrast, our scheme does not have communication costs and only performs ciphertext updates on the server side. Above theoretical discussions show the advantage and efficiency of the proposed scheme.
Experimental Analysis. To validate the reality of our ideas, we instantiate and implement the proposed scheme following the standard (Gm/t 2016b). The primitives EC2OSP, FE2OSP, KDF2 and H2RF i are constructed as Shoup (2006); Cheng (2017). The bilinear pairing is the standard 256-bit BN curve as specified in Gm/t (2016b). The hash functions H v and H are implemented using the SM3 hash algorithm (Wang and Yu 2016), which takes input a message m of length l (l < 2 64 ), and outputs a 256bit hash. Thus, l 1 = l 2 = v = 256. The PRF is instantiated as follows: where ipad is the byte 0x36 repeated 64 times and opad is the byte 0x5C repeated 64 times. For the symmetric encryption primitive E Sym , we use the DEM construction in Gm/t (2016b), where the message is encrypted using XOR encryption. Concretely, the DEM part is computed as follows: We implement the proposed SA-IR-RIBE scheme on top of the GmSSL library 1 . We conduct comprehensive benchmark on one core of an Intel Xeon CPU E5-2609 v4 @1.70 GHz and 128GB RAM running Ubuntu 16.04 LTS 64-bit. Since the network speed changes according to the user, only the running time of each algorithm is measured. The size of the message is set to 75 KB, which is a typical size of an email file 2 . Each algorithm is executed 100 times. The average running results are taken as the final results. The detailed result is shown in Table 3. It takes 405.68 ms and 351.34 ms for user-side message encryption and decryption, while algorithms CTInit, SSKUpdate, CTUpdate running on the server only cost 1.73 ms, 6.45 × 10 −5 ms and 3.36 ms, respectively. As our revocation scheme adds additional overhead on the server side, we further measure performance of the server with the following procedures: 1) On time ctr 1 , N users in the system encrypt their messages and send the encrypted payloads to the server. Upon receiving a user's upload request, the server runs the algorithm CTInit with its server secret key SSK ctr 1 to generate the new ciphertext CT ID i ,ctr 1 , and stores it on the disk. 2) When updated to time ctr 2 , the server first updates its server secret key SSK ctr 1 to SSK ctr 2 with algorithm SSKUpdate, then runs CTUpdate to update all stored ciphertexts. 3) N valid users send download requests to the server, the server runs Transform with SSK ctr 2 and sends the transformed ciphertexts to the users. Note that for simplicity, we do not consider network latency and disk I/O time in this benchmark, so only the server processing time is measured. We set the message size sent by each user to 75 KB, and increase N from 0 to 10,000. To fully leverage server's computational power, we integrate OpenMP (Dagum and Menon 1998) to support parallel executions and compare with non-parallel ones.
In Fig. 4 and Table 4, we present the experiment result. The integration of OpenMP has significantly reduced latency and improved throughput of the server. With OpenMP disabled, the processing time is about tens of seconds. The algorithm CTInit takes 18.43 seconds to initialize 10,000 users' uploaded messages. The algorithm CTUpdate takes 35.57 seconds to update all the stored ciphertexts. The algorithm Transform costs 19.56 seconds to transform the stored ciphertexts for 10,000 users' requests. With OpenMP enabled, the obtained performance is satisfactory. CTInit only takes 2.91 seconds to initialize 10,000 users' uploaded messages. CTUpdate takes 4.85 seconds to update all the stored ciphertexts. Transform costs 2.68 seconds to transform the stored ciphertexts for 10,000 users' requests. During the experiment, algorithms CTInit, SSKUpdate, CTUpdate reach throughput of 269 MB/s, 151 MB/s and 277 MB/s respectively. The statistics show that the proposed scheme is practical for real-world systems.

Conclusion
In this paper, focusing on the problem of SM9-IBE revocation, we proposed a server-aided revocation mechanism. Our model has three desirable properties: (1) Compact system model: an existing server is adopted to perform all heavy workloads during user revocation; (2) Efficient and immediate revocation: the revocation takes effect immediately by taking simple operations in the server; and (3) Key-exposure resistance: even if the server secret key is leaked, a revoked user still cannot decrypt any data. We  Note that time in the table above is given in seconds (s). Throughputs are measured by evaluating the average size of data (in megabytes) processed per second (MB/s) * In this column, Y means OpenMP is enabled where N means OpenMP is not enabled further prove that the proposed mechanism is adaptive-ID chosen ciphertext secure. Finally, we present both theoretical and experimental analyses showing that the proposed mechanism is practical and efficient.