Keywords

1 Introduction

The concept of identity-based public key cryptography (ID-PKC) was originally introduced by Shamir [1] to avoid cumbersome certificate management. In an identity-based crypto-system, users do not need to pre-compute public key and private key pairs and obtain certificates for their public keys. Instead, users’ identifiers information such as email addresses, telephone numbers or social security numbers can be used as users’ public keys, while private keys are derived at any time by a trusted third party, called private key generator (PKG), upon request by the designated users. Since Boneh and Franklin [2] proposed the first practical and provable secure identity-based encryption (IBE) scheme in 2001, research on ID-PKC has become a hot topic in cryptography [36].

Revocation capability is indispensable to IBE systems from a practical point of view [2]. Suppose that a user Alice whose private key is compromised or stolen, or she has left the organization, the PKG should revoke Alice’s private key in time to mitigate the damage that an adversary with Alice’s compromised private key to access confidential data encrypted under her identity. Note that revocable IBE only assures that revoked users cannot decrypt ciphertexts generated after revocation, however, it cannot prevent a revoked user from accessing ciphertexts which were created before the revocation, since the old private key of the revoked user is enough to decrypt these ciphertexts. Thus, ciphertext update or re-encryption is necessary and crucial to IBE systems [7].

Several solutions to offer efficient revocation functionality or ciphertext update functionality for IBE systems have been proposed in the literatures [816]. However, how to achieve both key revocation and ciphertext update functionalities simultaneously in IBE systems is still an open problem. Recently, Liang et al. [17] introduce the notion of cloud-based revocable identity-based proxy re-encryption (CR-IB-PRE) scheme with the aim to achieve both ciphertext update and revocation functionalities for IBE systems. In a CR-IB-PRE scheme, ciphertexts are encrypted under a certain identity and time period and stored in the cloud. At the end of a given time period, the cloud service provider (CSP), acting as a semi-trust proxy, will re-encrypt all ciphertexts of the user under the current time period to the next time period, no matter a user is revoked or not. If a user Alice is revoked in the forthcoming time period, she cannot decrypt the ciphertexts by using her expired private key anymore.

In this paper, we first showed that Liang et al.’s scheme has serious security pitfalls such as re-encryption key forgery and collusion attack, which lead to revoked users can decrypt any ciphertext regarding their identities at any time period. Then, we refined the syntax definition and security model for CR-IB-PRE scheme. The refined syntax for CR-IB-PRE scheme is similar to that of self-updatable encryption scheme recently proposed by Lee [18], where the CSP can update stored ciphertexts without any interaction with data owners as long as the revocation event happens. In our refined security model for CR-IB-PRE scheme, an adversary can choose an original ciphertext or a re-encrypted ciphertext as the challenge ciphertext. In particular, we consider the decryption key exposure attack [10], which means an adversary can obtain long-term private keys and decryption keys corresponding to identities and some time periods of his choice. Next, we proposed an improved CR-IB-PRE scheme from bilinear pairings. The improved scheme not only achieves collusion resistance, but also takes lower decryption computation and achieves constant size re-encrypted ciphtertext. Finally, we proved the improved CR-IB-PRE scheme is adaptively secure in the standard model under DBDH assumption.

2 Preliminaries

We denote by \(x \overset{\$}{\leftarrow } \mathbf {S}\) the operation of picking an element x uniformly at random from the set \(\mathbf {S}\), by \({\text {Enc}}(k, m)\) and \({\text {Dec}}(k, c)\) the operation of encrypting and decrypting with respect to a semantically secure symmetric cipher \(\varGamma \) under the session key k, respectively.

A bilinear group generator \(\mathcal {G}\) is an algorithm that takes as input a security parameter \(\kappa \) and outputs a bilinear group \((q, \mathbf {G}, \mathbf {G}_T, \hat{e}, g)\), where \(\mathbf {G}\) and \(\mathbf {G}_T\) are cyclic groups of prime order q, g is a generator of \(\mathbf {G}\), and \(\hat{e}\): \(\mathbf {G} \times \mathbf {G} \rightarrow \mathbf {G}_T\) is a bilinear map with the following properties:

  • Bilinearity: \(\hat{e}(g_{1}^{a}, g_{2}^{b}) = \hat{e}(g_1, g_2)^{ab}\) for \(g_1, g_2 \overset{\$}{\leftarrow } \mathbf {G}\) and \(a, b \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\).

  • Non-degeneracy: There exists \(g_1, g_2 \in \mathbf {G}\) such that \(\hat{e}(g_1, g_2) \ne 1\).

  • Computability: There is an efficient algorithm to compute \(\hat{e}(g_1, g_2)\) for all \(g_1, g_2 \in \mathbf {G}\).

The Decisional Bilinear Diffie-Hellman (DBDH) assumption in a prime order bilinear group \((q, \mathbf {G}, \mathbf {G}_T, \hat{e}, g)\) states that, given \((g, g^a, g^b, g^c, \hat{e}(g, g)^{z})\), it is computationally intractable to determine whether \(\hat{e}(g, g)^z = \hat{e}(g, g)^{abc}\), where \(a, b, c, z \overset{\$}{\leftarrow } \mathbf {Z}^{*}_q\).

To achieve efficient revocation for IBE schemes, Boldyreva et al. [8] introduced the KUNode algorithm, which is described in Algorithm 1. Denote by root the root node of the tree \(\mathbb {T}\), by \(\mathrm {Path}(\eta )\) the set of nodes on the path from \(\eta \) to root for a leaf node \(\eta \), by \(\zeta _L\) and \(\zeta _R\) the left and right child of a non-leaf node \(\zeta \), respectively. The KUNode algorithm determines the smallest subset \(\mathbf {Y}\) of nodes that contains an ancestor of all leaves corresponding to non-revoked users at each time period.

figure a

Upon registration, the PKG assigns a leaf node \(\eta \) of a complete binary tree \(\mathbb {T}\) to the user, and provides the user with a set of distinct private keys, wherein each private key is associated with a node on \(\mathrm {Path}(\eta )\). At time period T, the PKG broadcasts key updates for a set \(\mathbf {Y} \subset \mathbb {T}\) of nodes which contains no ancestors of revoked users and precisely one ancestor of any non-revoked user.

3 Security Analysis of Liang et al.’s CR-IB-PRE Scheme

Denote Waters’ identity hash function \(F_{\text {Wat}}(\mathsf {id}) = u_0 \prod _{i=1}^{n} u_i^{\mathsf {id}_i}\) [6], where \(\mathsf {id} = \{\mathsf {id}_i\}_{i=1}^{n} \in \{0, 1\}^{n}\), and \(u_0, u_1, \cdots , u_n \in \mathbf {G}\). Denote Boneh and Boyen’s hash function \(F_{\text {BB}}(T) = v_1v_2^{T}\) [19], where \(v_1, v_2 \in \mathbf {G}\). Liang et al.’s CR-IB-PRE scheme [17] is described as follows.

  • \(\mathbf{Setup }(1^\kappa , N)\): The PKG generates \((q, \mathbf {G}, \mathbf {G}_T, \hat{e}, g)\), chooses \(\gamma , \alpha , \hat{\alpha }, \beta \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), \(g_2, g_3, v_1, v_2, u_0, u_1, \ldots , u_n \overset{\$}{\leftarrow } \mathbf {G}\), two target collision resistant (TCR) hash functions \(\mathrm {TCR}_1: \mathbf {G} \rightarrow \mathbf {Z}_{q}^{*}\) and \(\mathrm {TCR}_2: \mathbf {G}_T \rightarrow \{0,1\}^{\kappa }\). Then, the PKG sets \(g_1 = g^\alpha \), \(v_0 = g^{\gamma }\), \(\mathbf {RL} = \emptyset \) and \(\mathbf {ST} = \mathbf {DB}\). Finally, the PKG publishes system parameter \(mpk = (g, g_1, g_2, g_3, v_0, v_1, v_2, u_0, u_1, \cdots , u_n, \mathrm {TCR}_1, \mathrm {TCR}_2, \varGamma )\), and keeps the master secret key \(msk = (\gamma , \hat{\alpha }, g^\alpha _2, g^\beta _3)\) secret.

  • \(\mathbf{KeyGen }(msk, \mathsf {id})\): The PKG chooses \(r_{\mathsf {id}} \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), computes \(sk_{\mathsf {id}_1} = g^\beta _3 F_{\text {Wat}}(\mathsf {id})^{r_{\mathsf {id}}}\), \(sk_{\mathsf {id}_2} = g^{r_{\mathsf {id}}}\) and \(sk_{\mathsf {id}_3} = g^{\gamma }_z\). Then, the PKG sets additional public parameters \(g_z = g^{\hat{\alpha }^z}\), \(g_{z+1} = g^{\hat{\alpha }^{z+1}}\), \(g_{\lambda + 1 - z} = g^{\hat{\alpha }^{\lambda + 1 -z}}\), \(g_{\lambda + 1 + z} = g^{\hat{\alpha }^{\lambda + 1 + z}}\) for user \(\mathsf {id}\), where z is the index for identity \(\mathsf {id}\) and \(\lambda = N + 1\). Finally, the PKG sets the partial private key \(sk_{\mathsf {id}} = (sk_{\mathsf {id}_1}, sk_{\mathsf {id}_2}, sk_{\mathsf {id}_3})\).

  • \(\mathbf{TokenUp }(msk, \mathbf {\mathsf {id}}, T_i, \mathbf {RL}, \mathbf {ST} )\): The PKG chooses \(r_{T_i}, \hat{t} \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), \(K \overset{\$}{\leftarrow } \mathbf {G}_T\), sets \(E^{(1)}_{\tau _i} = (\mathcal {T}_1, \mathcal {T}_2, \mathcal {T}_3)\) and \(E^{(2)}_{\tau _i} = {\text {Enc}}(k, \tau _{i,1}\Vert \tau _{i,2})\), where i is the index for the time period, \(\mathbf {\mathsf {id}}\) is a set of identities, and

    $$\begin{aligned}&\mathcal {T}_1 = K \cdot \hat{e}(g_{\lambda +1}, g)^{\hat{t}}, \quad \mathcal {T}_2 = g^{\hat{t}}, \quad \mathcal {T}_3 = (v_0 \prod _{\omega \in \mathbf {\mathsf {id}}}g_{\lambda +1-\omega })^{\hat{t}}, \\&\tau _{i,1} = (g^\alpha _2 / g^\beta _3)F_{\text {BB}}(T_i)^{r_{T_i}}, \quad \tau _{i,2} = g^{r_{T_i}}, \quad k = \mathrm {TCR}_2(K) \end{aligned}$$

    Finally, the PKG uploads the token \(\tau _i = (E^{(1)}_{\tau _i}, E^{(2)}_{\tau _i})\) for a set \(\mathbf {\mathsf {id}}\) of identities to the CSP.

  • \(\mathbf{DeKeyGen }(sk_{\mathsf {id}}, \tau _i)\): A user \(\mathsf {id}\) chooses \(\tilde{r}, r_1, r_2 \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), computes

    $$\begin{aligned}&K = \mathcal {T}_1 / (\hat{e}(\mathcal {T}_3, g_z)/\hat{e}(sk_{\mathsf {id}_3}\prod _{\omega \in \mathbf {\mathsf {id}} \backslash \{z\}}g_{\lambda +1-\omega + z}, \mathcal {T}_2)), \quad k = \mathrm {TCR}_2(K)\\&{\text {Dec}}(k, E^{(2)}_{\tau _{i}}) = (\tau _{i, 1}, \tau _{i, 2}), \quad \tau _{i,1} \leftarrow \tau _{i,1} F_{BB}(T_i)^{\tilde{r}}, \quad \tau _{i, 2} \leftarrow \tau _{i, 2} g^{\tilde{r}}\\&dk_{\mathsf {id}|i,1} = sk_{\mathsf {id}_1} \tau _{i,1} F_{\mathrm {Wat}}(\mathsf {id})^{r_1} F_{\mathrm {BB}}(T_i)^{r_2} = g^\alpha _2 F_{\mathrm {Wat}}(\mathsf {id})^{\hat{r}_1} F_{\mathrm {BB}}(T_i)^{\hat{r}_2},\\&dk_{\mathsf {id}|i,2} = sk_{\mathsf {id}_2} g^{r_1} = g^{\hat{r}_1}, \quad dk_{\mathsf {id}|i,3} = \tau _{i,2}g^{r_2} = g^{\hat{r}_2}, \end{aligned}$$

    where \(\hat{r}_1 = r_{id} + r_1\) and \(\hat{r}_2 = r_{T_i} + \tilde{r} + r_2\). Finally, the user sets the updated secret key \(dk_{\mathsf {id}|i} = (dk_{\mathsf {id}|i,1}, dk_{\mathsf {id}|i,2}, dk_{\mathsf {id}|i,3})\) for identity \(\mathsf {id}\) and time period \(T_i\). Note that the user will share \(r_1, r_2, \tilde{r}\) with the PKG such that the PKG can store \((\mathsf {id}|i, \hat{r}_1, \hat{r}_2)\) in a list \(\mathbf {List}^{dk_{\mathsf {id}|i}}\) for further use.

  • \(\mathbf{ReKeyToken }(msk, T_i, T_{i^{'}})\): If a user with identity \(\mathsf {id}\) is allowed to update his key to another time period \(T_{i^{'}}\), the PKG chooses \(\xi \overset{\$}{\leftarrow } \mathbf {G}_T\), computes \(\varphi ^{(1)}_{i \rightarrow i^{'}} = F_{\mathrm {BB}}(T_{i'})^{\mathrm {TCR}_1(\xi )} / F_{\mathrm {BB}}(T_i)^{\hat{r}_2}\), \(\varphi ^{(2)}_{i \rightarrow i^{'}} = (\hat{C}_0, \hat{C}_1, \hat{C}_2, \hat{C}_3) \leftarrow \mathbf{IBEnc }(\mathsf {id}, T_{i^{'}}, \xi )\), where \(\hat{r}_2\) is recovered from \((\mathsf {id}|i^{'}, \hat{r}_1, \hat{r}_2)\) which is stored the \(\mathbf {List}^{dk_{\mathsf {id}|i}}\). Finally, the PKG sets the re-encryption key token \(\varphi _{i \rightarrow i^{'}} = (\varphi ^{(1)}_{i \rightarrow i^{'}}, \varphi ^{(2)}_{i \rightarrow i^{'}})\).

  • \(\mathbf{ReKey }(dk_{\mathsf {id}|i}, \varphi _{i \rightarrow i^{'}})\): After receiving \(\varphi _{i \rightarrow i^{'}}\) from the PKG, a user with identity \(\mathsf {id}\) chooses \(\rho \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), sets \(rk_1 = dk_{\mathsf {id}|i,1} \varphi ^{(1)}_{i \rightarrow i^{'}}F_{\mathrm {Wat}}(\mathsf {id})^{\rho }\), \(rk_2 = dk_{\mathsf {id}|i,2} g^\rho \), and \(rk_3 = \varphi ^{(2)}_{i \rightarrow i^{'}}\). Finally, the user outputs the re-encryption key \(rk_{\mathsf {id}|i \rightarrow i^{'}} = (rk_1, rk_2, rk_3)\).

  • \(\mathbf{IBEnc }(\mathsf {id}, T_i, m)\): Given an identity \(\mathsf {id}\), a time period \(T_i\), and a message \(m \in \mathbf {G}_T\), a sender chooses \(t \overset{\$}{\leftarrow } \mathbf {Z}_{q}^{*}\), computes \(C_0 = m \cdot \hat{e}(g_1, g_2)^t\), \(C_1 = g^t\), \(C_2 = F_{\mathrm {Wat}}(\mathsf {id})^t\) and \(C_3 = F_{\mathrm {BB}}(T_i)^t\). The sender then sets the ciphertext \(C_{\mathsf {id}\Vert T_i} = (C_0, C_1, C_2, C_3)\). We assume that the identity \(\mathsf {id}\) and the time period \(T_i\) are implicitly included in the ciphertext.

  • \(\mathbf{ReEnc }(rk_{\mathsf {id}|i \rightarrow i^{'}}, C_{\mathsf {id}\Vert T_i})\): The CSP first parses \(C_{\mathsf {id}\Vert T_i} = (C_0, C_1, C_2, C_3)\) and \(rk_{\mathsf {id}|i \rightarrow i^{'}} = (rk_1, rk_2, rk_3)\), then sets the re-encrypted ciphertext \(C_{\mathsf {id}\Vert T_{i'}}=(C_0, C_1, C_4, rk_3)\), where

    $$\begin{aligned} C_4 = \frac{\hat{e}(C_1, rk_1)}{\hat{e}(C_2, rk_2)} = \hat{e}(g^t, g^\alpha _2 F_{\mathrm {BB}}(T_{i'})^{\mathrm {TCR}_1(\xi )}), \end{aligned}$$

    Note if \(C_{\mathsf {id}\Vert T_{i'}}\) needs to be further re-encrypted to the time period \(T_{i^{''}}\) with a given re-encrypt key \(rk_{\mathsf {id}|i^{'} \rightarrow i^{''}} = (rk^{'}_1, rk^{'}_2, rk^{'}_3)\), the CSP first parses \(rk_3\) as \((\hat{C}_0, \hat{C}_1, \hat{C}_2, \hat{C}_3)\), then sets the ciphertext \(C_{\mathsf {id}\Vert T_{i''}} = (C_0, C_1, C_4, \hat{C}_0, \hat{C}_1, \hat{C}_4, rk^{'}_3)\), where

    $$\begin{aligned} C^{'}_4 = \frac{\hat{e}(\hat{C}_1, rk^{'}_1)}{\hat{e}(\hat{C}_2, rk^{'}_2)}, \end{aligned}$$

  • \(\mathbf{IBDec }(dk_{\mathsf {id}|i}, C_{\mathsf {id}\Vert T_i})\): The decryptor responses as follows with respect to the following three cases:

    • Case 1: For the original ciphertext \(C_{\mathsf {id}\Vert T_i} = (C_0, C_1, C_2, C_3)\), the decryptor can recover message by computing

      $$\begin{aligned} \frac{\hat{e}(C_1, dk_{\mathsf {id}|i,1})}{\hat{e}(C_2, dk_{\mathsf {id}|i,2}) \hat{e}(C_3, dk_{\mathsf {id}|i,3})} = \hat{e}(g_1, g_2)^t \Rightarrow m = \frac{C_0}{ \hat{e}(g_1, g_2)^t} \end{aligned}$$

    • Case 2: For the re-encrypted ciphertext \(C_{\mathsf {id}\Vert T_i}\) and it is re-encrypted only once, i.e., \(C_{\mathsf {id}\Vert T_i} = (C_0, C_1, C_4, rk_3 = (\hat{C}_0, \hat{C}_1, \hat{C}_2, \hat{C}_3))\), the decryptor recover message by computing

      $$\begin{aligned} \hat{C}_0 \frac{\hat{e}(\hat{C}_2, dk_{\mathsf {id}|i,2}) \cdot \hat{e}(\hat{C}_3, dk_{\mathsf {id}|i,3})}{\hat{e}(C_1, dk_{\mathsf {id}|i,1})} = \xi \Rightarrow m = C_0 \frac{\hat{e}(C_1, F_{\mathrm {BB}}(T_i)^{\mathrm {TCR}_1(\xi )})}{C_4}. \end{aligned}$$

    • Case 3: For the re-encrypted ciphertext \(C_{\mathsf {id}\Vert T_i}\) and it is re-encrypted \(\ell \) times from period \(T_1\) to \(T_{\ell +1}\). Denote by \(C^{(\ell +1)} = (C^{(1)}_0, C^{(1)}_1, C^{(1)}_4, \ldots , C^{(\ell )}_0, C^{(\ell )}_1, C^{(\ell )}_4, rk^{(\ell +1)})\) the re-encrypted ciphertext, where \(C^{(1)}_0\) and \(C^{(1)}_1\) are the components of original ciphertext under \((\mathsf {id}, T_1)\). For \(1 \le i \le \ell \), \(r^{(i+1)}_3 = (C^{(i+1)}_0, C^{(i+1)}_1, C^{(i+1)}_2, C^{(i+1)}_3)\) is the ciphertext under \((\mathsf {id}, T_{i+1})\). The decryptor first sets

      $$\begin{aligned} C_0^{(\ell +1)} \frac{\hat{e}(C_2^{(\ell +1)}, dk_{\mathsf {id}|\ell +1,2}) \hat{e}(C_3^{(\ell +1)}, dk_{\mathsf {id}|\ell +1,3})}{\hat{e}(C_1^{(\ell +1)}, dk_{\mathsf {id}|\ell +1,1})} = \tilde{m}^{(\ell )}. \end{aligned}$$

      Then the decryptor sets

      $$\begin{aligned} C_0^{(i)} \frac{\hat{e}(C_1^{(1)}, F_{\mathrm {BB}}(T_{i+1})^{\mathrm {TCR}_1(\tilde{m}^{(i)})})}{C_4^{(i)}} = \tilde{m}^{(i-1)}, \text{ for } i= \ell , \ell -1, \cdots , 2 \end{aligned}$$

      Finally, the decryptor recovers the message by computing

      $$\begin{aligned} m = C_0^{(1)} \frac{\hat{e}(C_1^{(1)}, F_{\mathrm {BB}}(T_2)^{\mathrm {TCR}_1(\tilde{m}^{(1)})})}{C_4^{(1)}}. \end{aligned}$$

  • \(\mathbf{Revoke }(\mathsf {id}, T_i, \mathbf {RL}, \mathbf {ST} )\): The PKG updates the revocation list by \(\mathbf {RL} \leftarrow \mathbf {RL} \cup \{\mathsf {id}, T_i\}\) and returns the updated revocation list.

Theorem 1

A revoked user Alice can decrypt any ciphertext regarding her identity at any time period in Liang et al.’s CR-IB-PRE scheme.

Proof

A revoked user Alice with identity \(\mathsf {id}\) can decrypt any ciphertext regarding her identity at any time period as follows.

  • Re-encryption key forgery attack: Suppose Alice was not revoked at the time period \(T_i\), but she is revoked at the current time period \(T_{i'}\). We denote Alice’s decryption key at the time period \(T_i\) by

    $$\begin{aligned} dk_{\mathsf {id}|i}=(dk_{\mathsf {id}|i, 1}, dk_{\mathsf {id}|i, 2}, dk_{\mathsf {id}|i, 3})=(g_2^\alpha F_{\text {Wat}}(\mathsf {id})^{\hat{r}_1} F_{\text {BB}}(T_i)^{\hat{r}_2}, g^{\hat{r}_1}, g^{\hat{r}_2}) \end{aligned}$$

    Assume that there is an original ciphertext \(C= (C_0, C_1, C_2, C_3)\), which is encrypted under \((\mathsf {id}, T_i)\). Alice chooses \(\epsilon _R\) at random from the plaintext space, and sends the re-encryption key \(rk_{\mathsf {id}|i \rightarrow i'}\) from \(T_i\) to \(T_{i'}\) to the CSP, where

    $$\begin{aligned} rk_{\mathsf {id}|i \rightarrow i'}= & {} (rk_1, rk_2, rk_3), \; rk_1 = dk_{\mathsf {id}|i, 1}=g_2^\alpha F_{\text {Wat}}(\mathsf {id})^{\hat{r}_1}F_{\text {BB}}(T_i)^{\hat{r}_2}, \\ rk_2= & {} dk_{\mathsf {id}|i, 2}=g^{\hat{r}_1}, \; rk_3 = \mathbf{IBEnc }(\mathsf {id}, T_{i'}, \epsilon _R) \end{aligned}$$

    Upon receiving the re-encryption key from Alice, the CSP re-encrypts the original ciphertext C and obtains \(C'=(C_0, C_1, C_4, rk_3)\), where

    $$\begin{aligned} C_4 =\frac{\hat{e}(C_1, rk_1)}{\hat{e}(C_2, rk_2)}=\frac{\hat{e}(g^t, g_2^\alpha F_{\text {Wat}}(\mathsf {id})^{\hat{r}_1}F_{\text {BB}}(T_i)^{\hat{r}_2})}{\hat{e}(F_{\text {Wat}}(\mathsf {id})^t, g^{\hat{r}_1})} =\hat{e}(g_1, g_2)^t \cdot \hat{e}(g^t, F_{\text {BB}}(T_i)^{\hat{r}_2}) \end{aligned}$$

    Note that Alice knows \(C_3=F_{\text {BB}}(T_i)^t\) and \(dk_{\mathsf {id}|i, 3}=g^{\hat{r}_2}\). Thus, Alice can recover m by computing

    $$\begin{aligned} \frac{C_4}{\hat{e}(C_3, dk_{\mathsf {id}|i, 3})} = \frac{\hat{e}(g_1, g_2)^t \cdot \hat{e}(g^t, F_{\text {BB}}(T_i)^{\hat{r}_2})}{\hat{e}(F_{\text {BB}}(T_i)^t, g^{\hat{r}_2} )} = \hat{e}(g_1, g_2)^t, \; m = \frac{C_0}{\hat{e}(g_1, g_2)^t}. \end{aligned}$$

    The re-encryption key forgery attack holds because the CSP cannot verify re-encryption key submitted by the user. A legal re-encryption key generated by Alice can be described as \(rk_1= g_2^{\alpha } F_{\text {Wat}}(\mathsf {id})^{\hat{r}_1 + \rho } F_{\text {BB}}(T_{i'})^{\text {TCR}_1(\epsilon )}\), \(rk_2 = g^{\hat{r}_1 + \rho }\), \(rk_3=\mathbf{IBEnc }(\mathsf {id}, T_{i'}, \epsilon )\), while a malicious re-encryption key generated by Alice can be described as \(rk_1=g_2^\alpha F_{\text {Wat}}(\mathsf {id})^{\hat{r}_1}F_{\text {BB}}(T_i)^{\hat{r}_2}\), \(sk_2=g^{\hat{r}_1}\), \(rk_3=\mathbf{IBEnc }(\mathsf {id}, T_{i'}, \epsilon _R)\) where \(\epsilon _R\) is independent of \(\epsilon \). The CSP can not distinguish \(\mathbf{IBEnc }(\mathsf {id}, T_{i'}, \epsilon _R)\) from \(\mathbf{IBEnc }(\mathsf {id}, T_{i'}, \epsilon )\) because the underlying SE-RIBE scheme [10] is proved to be IND-CPA secure in the standard model.

  • Collusion attack: Suppose Alice is a revoked user and Bob is a non-revoked user at the current time period \(T_i\). The PKG generates and broadcasts the update token \(\tau _i = (E^{(1)}_{\tau _i}, E^{(2)}_{\tau _i})\) corresponding to a set of identities \(\mathbf {\mathsf {id}}\) and time period \(T_i\). Bob can perform the DeKeyGen algorithm and obtain \((\tau _{i,1}, \tau _{i,2})\) corresponding to \(T_i\). If Bob colludes with Alice, he sends \((\tau _{i,1}, \tau _{i,2})\) to Alice. Then Alice performs the DeKeyGen algorithm as Bob does. Finally, Alice obtains her valid decryption key in the time period \(T_i\). Thus, Alice can decrypt any ciphertext regarding her identity at any time period by using her valid decryption key. The collusion attack holds because the update token \(\tau _i = (E^{(1)}_{\tau _i}, E^{(2)}_{\tau _i})\) corresponding to a set of identities \(\mathbf {\mathsf {id}}\) and time period \(T_i\) consists of two independent components, where \(E^{(1)}_{\tau _i}\) only depends on \(\mathbf {\mathsf {id}}\) and \(E^{(2)}_{\tau _i}\) only depends on \(T_i\).

This ends the proof.

4 Syntax and Security Definition for CR-IB-PRE Scheme

Let \(\mathbf {ID}\), \(\mathbf {T}\), \(\mathbf {M}\) and \(\mathbf {C}\) be identity space, time space, plaintext space and ciphtertext space, respectively. A CR-IB-PRE scheme \(\varPi \) can be defined by the following eight polynomial-time algorithms:

  • Setup: The probabilistic setup algorithm is run by the PKG. It inputs a security parameter \(\kappa \) and a maximal number of users N. It outputs the public system parameters mpk, the master key msk, an empty revocation list \(\mathbf {RL}\) and initial state \(\mathbf {ST}\).

  • IBKeyGen: The probabilistic identity-based private key generation algorithm is run by the PKG. It inputs the public parameters mpk, the master key msk, an identity \(\mathsf {id} \in \mathbf {ID}\). It outputs the corresponding identity-based initial private key \(sk_{\mathsf {id}}\) and an update state \(\mathbf {ST}\).

  • TokenUp: The probabilistic token update algorithm is run by the PKG. It inputs the public parameters mpk, the master key msk, the key update time period \(T_i \in \mathbf {T}\), the current revocation list \(\mathbf {RL}\) and state \(\mathbf {ST}\). It outputs the key update token \(\tau _{i}\) corresponding to the key update time period \(T_i\).

  • DeKeyGen: The probabilistic decryption key generation algorithm is run by a user. It inputs the public parameters mpk, the user’s initial private key \(sk_{\mathsf {id}}\), and the key update token \(\tau _{i}\). It outputs decryption key \(dk_{\mathsf {id}|i}\) for the user with identity \(\mathsf {id}\) under time period \(T_i\).

  • IBEnc: The probabilistic identity-based encryption algorithm is run by a sender. It inputs the public parameters mpk, the receiver’s identity \(\mathsf {id} \in \mathbf {ID}\), the time period \(T_i \in \mathbf {T}\) and a message \(m \in \mathbf {M}\). It outputs an original ciphertext \(C_{{\textsf {id}}|i}\) under \((\mathsf {id}, T_i)\) which can be further re-encrypted.

  • ReEnc: The probabilistic re-encryption algorithm is run by the CSP. It inputs the public parameters mpk, the receiver’s identity \(\mathsf {id} \in \mathbf {ID}\), an original ciphertext \(C_{{\textsf {id}}|i} \in \mathbf {C}\) or a re-encrypted ciphertext \(C_{{\textsf {id}}|i \rightarrow k} \in \mathbf {C}\) that is re-encrypted from the original ciphertext \(C_{{\textsf {id}}|i}\), and a time period \(T_j\). It outputs a re-encrypted ciphertext \(C_{{\textsf {id}}|i \rightarrow j}\).

  • IBDec: The deterministic identity-based decryption algorithm is run by a receiver. It inputs the public parameters mpk, an original ciphertext \(C_{{\textsf {id}}|i}\) or a re-encrypted ciphertext \(C_{\textsf {id}|i \rightarrow j}\), the receiver’s decryption key \(dk_{\textsf {id}|i}\) for time period \(T_i\) or the receiver’s decryption keys for time period \(T_i\) and \(T_j\), i.e., \(dk_{\textsf {id}|i}\) and \(dk_{\textsf {id}|j}\). It outputs the message m if decryption keys are valid. Otherwise, it outputs a reject symbol \(\perp \).

  • Revoke: The deterministic revocation algorithm is run by the PKG. It inputs the public parameters mpk, a set \(\mathbf {\textsf {id}}\) of identity to be revoked, the revocation time period T, the current revocation lists \(\mathbf {RL}\) and state \(\mathbf {ST}\). It outputs the updated revocation lists \(\mathbf {RL}'\).

We define indistinguishability against adaptive chosen identity and plaintext attack (IND-ID-CPA) experiment for CR-IB-PRE scheme as follows.

$$\begin{aligned}&\mathrm {Exp}_{\varPi , \mathcal {A}}^{\text {IND-ID-CPA}}(1^\kappa , N). \\&\qquad (mpk, msk, \mathbf {RL}, \mathbf {ST} ) \leftarrow \mathbf {Setup}(1^\kappa , N). \\&\qquad (m_0, m_1, \mathsf {id}^{*}, \mathbf {T}^*, \mathbf {ST} ) \leftarrow \mathcal {A}^{\mathcal {O}}(\text {Find}, mpk) \text{ such } \text{ that } |m_{0}| = |m_{1}|, \\&\qquad \text{ where } \mathbf {T}^* \text{ is } \text{ a } \text{ time } \text{ period } \text{ vector } \text{ of } (T_{i^{*}}) \text{ or } (T_{i^{*}}, T_{j^{*}}) \text{ with } T_{j^{*}} > T_{i^{*}}. \\&\qquad b \overset{\$}{\leftarrow } \{0, 1\}. \\&\qquad \text{ If } \mathbf {T}^*=(T_{i^{*}}), \text{ then } C^{*} \leftarrow \mathbf{IBEnc }(mpk, \mathsf {id}^{*}, T_{i^*}, m_b); \\&\qquad \text{ If } \mathbf {T}^*=(T_{i^{*}}, T_{j^{*}}), \text{ then } C^{*} \leftarrow \mathbf{ReEnc }(mpk, \mathsf {id}^{*}, T_{j^{*}},\\&\qquad \qquad \qquad \mathbf{IBEnc }(mpk, \mathsf {id}^{*}, T_{i^*}, m_b)), \\&\qquad b' \leftarrow \mathcal {A}^{\mathcal {O}}(\text {Guess}, C^{*}, \mathbf {ST} ). \\&\qquad \text{ Return } 1 \text{ if } b' =b \text{ and } 0 \text{ otherwise }. \end{aligned}$$

In the above experiment, \(\mathcal {O}\) is a set of oracles defined as follows.

  • IBKeyGen Oracle: For \(\mathsf {id} \in \mathbf {I}\), it returns \(sk_\mathsf {id}\) and update state \(\mathbf {ST}\) by running \(\mathbf {IBKeyGen}(mpk, msk, \mathsf {id}, \mathbf {ST} ) \rightarrow (sk_\mathsf {id}, \mathbf {ST} )\).

  • TokenUp Oracle: For \(T_i \in \mathbf {T}\), it returns update token \(\tau _i\) by running \(\mathbf {TokenUp}(mpk, msk, T_i, \mathbf {RL}, \mathbf {ST} ) \rightarrow \tau _i\).

  • DKeyGen Oracle: For \(\mathsf {id} \in \mathbf {I}\) and \(T_i \in \mathbf {T}\), it returns decryption key \(dk_{\mathsf {id}|i}\) under \((\mathsf {id}, T_i)\) by running \(\mathbf{DeKeyGen }(mpk, sk_\mathsf {id}, \tau _i, \mathbf {ST} ) \rightarrow dk_{\mathsf {id}|i}\).

  • ReEnc Oracle: For an original ciphertext \(C_{\mathsf {id}|i} \in \mathbf {C}\), \(\mathsf {id} \in \mathbf {I}\) and \(T_j \in \mathbf {T}\) with \(T_j > T_i\), it returns a re-encrypted ciphertext \(C_{\mathsf {id}|i \rightarrow j}\) of \(C_{\mathsf {id}|i}\) by running \(\mathbf{ReEnc }(mpk, \mathsf {id}, T_j, C_{\mathsf {id}|i})\). For a re-encrypted ciphertext \(C_{\mathsf {id}|i \rightarrow k} \in \mathbf {C}\), \(\mathsf {id} \in \mathbf {I}\) and \(T_j \in \mathbf {T}\) with \(T_j > T_k > T_i\), it returns a re-encrypted ciphertext \(C_{\mathsf {id}|i \rightarrow j}\) of \(C_{\mathsf {id}|i \rightarrow k}\) by running \(\mathbf{ReEnc }(mpk, \mathsf {id}, T_j, C_{\mathsf {id}|i \rightarrow k})\).

  • Revoke Oracle: For \(\mathsf {id} \in \mathbf {I}\) and \(T_i \in \mathbf {T}\), it returns an updated revocation list \(\mathbf {RL}'\) by running \(\mathbf{Revoke }(mpk, \mathsf {id}, T_i, \mathbf {RL}, \mathbf {ST} ) \rightarrow \mathbf {RL}'\).

The above oracles can be queried by \(\mathcal {A}\) with the following restrictions:

  • \(\mathcal {A}\) is only allowed to query TokenUp Oracle and Revoke Oracle in non-decreasing order of time.

  • \(\mathcal {A}\) is not allowed to query Revoke Oracle on time \(T_i\) if TokenUp Oracle was queried on \(T_i\).

  • \(\mathcal {A}\) is not allowed to query DeKeyGen Oracle on time \(T_i\) before TokenUp Oracle was queried on \(T_i\).

  • For \(\mathcal {A}\)’s queries corresponding to vector of challenge time period \(\mathbf {T}^*\) = \((T_{i^*})\) or \(\mathbf {T}^*\) = \((T_{i^*}, T_{j^*})\), \(\mathbf{DeKeyGen }(\mathsf {id}^{*}, T_{i^{*}})\) cannot be queried; If \(\mathbf{IBKeyGen }(\mathsf {id}^{*})\) was queried, then \(\mathbf{Revoke }(\mathsf {id}^{*}, T_i)\) must be queried for \(T_i \le T_{i^{*}}\).

A CR-IB-PRE scheme is said to be IND-ID-CPA if for any PPT adversary \(\mathcal {A}\), the following advantage is negligible in the security parameter \(\kappa \).

$$\begin{aligned} \text {Adv}^{\text {IND-ID-CPA}}_{\varPi , \mathcal {A}}(1^\kappa , N) = \left| \Pr [\text {Exp}^{\text {IND-ID-CPA}}_{\varPi , \mathcal {A}}(1^\kappa , N)=1] - \frac{1}{2}\right| . \end{aligned}$$

5 Our Improved CR-IB-PRE Scheme

Our improved CR-IB-PRE scheme is described as follows.

  • \(\mathbf{Setup }(1^\kappa , N)\): The PKG generates \((q, \mathbf {G}, \mathbf {G}_T, \hat{e}, g)\), chooses \(\alpha \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\) and \(g_2, u_0, u_1,\cdots , u_n, v_0, v \overset{\$}{\leftarrow } \mathbf {G}\), sets \(g_1 = g^\alpha \), \(\mathbf {RL} = \emptyset \) and \(\mathbf {ST} = \mathbb {T}\), where \(\mathbb {T}\) is a binary tree. Finally, the PKG publishes \(mpk = \{g, g_1, g_2, u_0, u_1, \cdots , u_n, v_0, v\}\), while keeps \(msk =\{g_2^{\alpha } \}\) secret.

  • \(\mathbf{IBKeyGen }(mpk, msk, \mathsf {id}, \mathbf {ST} )\): The PKG chooses an unassigned leaf node \(\eta \) from \(\mathbb {T}\), stores \(\mathsf {id}\) in the node \(\eta \). For each node \(\theta \in {\text {Path}}(\eta )\), the PKG performs as follows.

    1. 1.

      Recall \(g_\theta \) if it is defined. Otherwise, \(g_\theta \overset{\$}{\leftarrow } \mathbf {G}\) and store \((g_\theta , \tilde{g}_\theta = g_2 / g_\theta )\) in node \(\theta \).

    2. 2.

      Choose \(r_\theta \overset{\$}{\leftarrow } \mathbf {Z}_q^*\).

    3. 3.

      Compute \((D_{\theta ,0}, D_{\theta ,1}) = (g^\alpha _\theta F_{\text {Wat}}(\mathsf {id})^{r_\theta }, g^{r_\theta })\).

    Finally, the PKG sends \(sk_{\mathsf {id}} = \{(\theta , D_{\theta ,0}, D_{\theta ,1})\}_{\theta \in {\text {Path}}(\eta )}\) back to the user.

  • \(\mathbf{TokenUp }(mpk, msk, T_i, \mathbf {RL}, \mathbf {ST} )\) The PKG parses \(\mathbf {ST} = \mathbb {T}\). For each node \(\theta \in \mathbf{KUNode }(\mathbb {T}, \mathbf {RL}, T_i)\), the PKG performs as follows.

    1. 1.

      Retrieve \(\tilde{g}_\theta \). Note that \(\tilde{g}_\theta \) is always pre-defined in the IBKeyGen algorithm.

    2. 2.

      Choose \(s_\theta \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\).

    3. 3.

      Compute \((\tilde{D}_{\theta ,0}, \tilde{D}_{\theta ,1}) = (\tilde{g}^\alpha _\theta F_{\text {BB}}(T_i)^{s_\theta }, g^{s_\theta })\).

    Finally, the PKG returns \(\tau _i = \{(\theta , \tilde{D}_{\theta ,0}, \tilde{D}_{\theta ,1})\}_{\theta \in \mathbf{KUNode }(\mathbb {BT}, \mathbf {RL}, T_i)}\).

  • \(\mathbf{DeKeyGen }(mpk, sk_{\mathsf {id}}, \tau _i)\): The user first parses \(sk_{\mathsf {id}} = \{(\theta , D_{\theta ,0}, D_{\theta ,1})\}_{\theta \in \mathbf {I}}\) and \(\tau _i = \{(\theta , \tilde{D}_{\theta ,0}, \tilde{D}_{\theta ,1})\}_{\theta \in \mathbf {J}}\). If \(\mathbf {I} \cap \mathbf {J} = \emptyset \), then returns \(\perp \). Otherwise, the user chooses \(\theta \in \mathbf {I} \cap \mathbf {J}\), \(r, s \overset{\$}{\leftarrow } \mathbf {Z}_q\) and computes \(dk_{\mathsf {id}|i,1} = D_{\theta ,0} \cdot \tilde{D}_{\theta ,0} \cdot F_{\text {Wat}}(\mathsf {id})^{r} \cdot F_{\mathrm {BB}}(T_i)^s = g^\alpha _2 \cdot F_{\text {Wat}}(\mathsf {id})^{\hat{r}} \cdot F_{\text {BB}}(T_i)^{\hat{s}}\), \(dk_{\mathsf {id}|i,2} = D_{\theta ,1} \cdot g^r = g^{\hat{r}}\) and \(dk_{\mathsf {id}|i,3} = \tilde{D}_{\theta ,1} \cdot g^s = g^{\hat{s}}\), where \(\hat{r} = r_\theta + r, \hat{s} = s_\theta + s\). Finally, the user sets \(dk_{\mathsf {id}|i} = (dk_{\mathsf {id}|i,1}, dk_{\mathsf {id}|i,2}, dk_{\mathsf {id}|i,3})\).

  • \(\mathbf{IBEnc }(mpk, \mathsf {id}, T_i, m)\): The sender chooses \(t \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\), computes

    $$\begin{aligned} C_0 = m \cdot \hat{e}(g_1, g_2)^t, \quad C_1 = g^t, \quad C_2 = F_{\text {Wat}}(\mathsf {id})^t, \quad C_3 = F_{\text {BB}}(T_i)^t. \end{aligned}$$

    Finally, the sender sets the original ciphertext \(C_{\mathsf {id}|i} =(C_0, C_1, C_2, C_3)\).

  • \(\mathbf{ReEnc }(mpk, \mathsf {id}, C, T_j)\): There are two cases according to C. If C is an original ciphertext, i.e., \(C=C_{\mathsf {id}|i} =(C_0, C_1, C_2, C_3) = (C_{(0,0)}, C_{(0, 1)}, C_{(0, 2)}, C_{(0, 3)})\), then the CSP chooses \(t_1 \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\), and computes \(C_{(1, 0)} = C_{(0,0)} \cdot \hat{e}(g_1, g_2)^{t_1}\), \(C_{(1, 1)} = g^{t_1}\), \(C_{(1, 2)} = F_{\text {Wat}}(\mathsf {id})^{t_1}\) and \(C_{(1, 3)} = F_{\text {BB}}(T_j)^{t_1}\). Finally, the CSP sets the one time re-encrypted ciphertext \(C_{\mathsf {id}|i \rightarrow j}\) associated with time period \(T_i\) and \(T_j\) as

    $$\begin{aligned} C_{\mathsf {id}|i \rightarrow j}=(C_{(1, 0)}, C_{(0, 1)}, C_{(0, 2)}, C_{(0, 3)}, C_{(1, 1)}, C_{(1, 2)}, C_{(1, 3)}). \end{aligned}$$

    If C is an \(\ell -1\) times re-encrypted ciphertext, i.e.,

    $$\begin{aligned} C = C_{\mathsf {id}|i \rightarrow k} = (C_{(\ell -1, 0)}, C_{(0, 1)}, C_{(0, 2)}, C_{(0, 3)}, C_{(\ell -1, 1)}, C_{(\ell -1, 2)}, C_{(\ell -1, 3)}), \end{aligned}$$

    then the CSP chooses \(t_{\ell } \overset{\$}{\leftarrow } \mathbf {Z}_q^{*}\), and computes \(C_{(\ell , 0)}= C_{(\ell -1, 0)} \cdot \hat{e}(g_1, g_2)^{t_\ell - t_{\ell -1}}\), \(C_{(\ell , 1)} = g^{t_{\ell }}\), \(C_{(\ell , 2)} = F_{\text {Wat}}(\mathsf {id})^{t_{\ell }}\) and \(C_{(\ell , 3)} = F_{\text {BB}}(T_j)^{t_{\ell }}\), where \(\ell \ge 2\), \(T_i < T_k < T_j\), and \(t_{\ell -1}\) was chosen by the CSP at the time period \(T_k\). Finally, the CSP returns the new re-encrypted ciphertext \( C_{\mathsf {id}|i \rightarrow j}\) associated with time period \(T_i\) and \(T_j\), where \(=(C_{(\ell , 0)}, C_{(0, 1)}, C_{(0, 2)}, C_{(0, 3)}, C_{(\ell , 1)}, C_{(\ell , 2)}, C_{(\ell , 3)})\).

  • \(\mathbf{IBDec }(mpk, C, dk_{\mathsf {id}|i}, dk_{\mathsf {id}|j})\): Note that the current time period is \(T_j\) where \(T_i \le T_j\). \(dk_{\mathsf {id}|i}\) and \(dk_{\mathsf {id}|j}\) are the decryption keys of \(T_i\) and \(T_j\), respectively. There are two cases according to C.

    1. 1.

      If \(C = C_{\mathsf {id}|i} = (C_0, C_1, C_2, C_3)\) is an original ciphertext, i.e., \(T_i = T_j\) and \(dk_{\mathsf {id}|i} = dk_{\mathsf {id}|j}\), the decryptor can recover the plaintext m by computing

      $$\begin{aligned} C_0 \cdot \frac{\hat{e}(C_2, dk_{\mathsf {id}|i, 2})\hat{e}(C_3, dk_{\mathsf {id}|i, 3})}{\hat{e}(C_1, dk_{\mathsf {id}|i, 1})} = m \cdot \hat{e}(g_1, g_2)^t \cdot \frac{1}{\hat{e}(g_1, g_2)^t} = m. \end{aligned}$$
    2. 2.

      If \(C = C_{\mathsf {id}|i \rightarrow j} = (C_{(\ell , 0)}, C_{(0, 1)}, C_{(0, 2)}, C_{(0, 3)}, C_{(\ell , 1)}, C_{(\ell , 2)}, C_{(\ell , 3)})\) is re-encrypted \(\ell \) times, i.e., \(T_i < T_j\) and \(\ell \ge 1\), the decryptor can recover the plaintext m by computing

      $$\begin{aligned}&C_{(\ell , 0)} \cdot \frac{\hat{e}(C_{(\ell , 2)}, dk_{\mathsf {id}|j, 2})\hat{e}(C_{(\ell , 3)}, dk_{\mathsf {id}|j, 3})}{\hat{e}(C_{(\ell , 1)}, dk_{\mathsf {id}|j, 1})} \cdot \frac{\hat{e}(C_{(0, 2)}, dk_{\mathsf {id}|i, 2})\hat{e}(C_{(0, 3)}, dk_{\mathsf {id}|i, 3})}{\hat{e}(C_{(0, 1)}, dk_{\mathsf {id}|i, 1})} \\&\qquad = m \cdot \hat{e}(g_1,g_2)^{t+t_{\ell }} \cdot \frac{1}{\hat{e}(g_1, g_2)^{t_{\ell }} \cdot \hat{e}(g_1,g_2)^{t}} = m. \end{aligned}$$

  • \(\mathbf{Revoke}(mpk, \mathsf {id}, T_i, \mathbf {RL}, \mathbf {ST} )\): The PKG updates the revocation list by \(\mathbf {RL} \leftarrow \mathbf {RL} \cup \{(\mathsf {id}, T_i)\}\) and return the updated revocation list.

Table 1. Computation cost comparison
Full size table

6 Security and Efficiency Analysis

Theorem 2

If there exists an adversary \(\mathcal {A}\) attacking IND-ID-CPA security of the improved CR-IB-PRE scheme, then there exists another adversary \(\mathcal {B}\) breaking IND-RID-CPA security of the SE-RIBE scheme.

Proof

We will give the security proof in the extended version.

We compare our improved CR-IB-PRE scheme with Liang et al.’s CR-IB-PRE scheme in terms of the computation cost of re-encryption algorithm and decryption algorithm, and the size of re-encrypted ciphertext. The results are illustrated in Table 1, where ciphertext is re-encrypted \(\ell \) times. We use big O notation and denote by \(p(\cdot )\) some polynomial, \(|\mathbf {T}|\) the bit-length of an element in time space \(\mathbf {T}\), \(|\mathbf {G}|\) the bit-length of an element in group \(\mathbf {G}\), \(|\mathbf {Z}_q^{*}|\) the bit-length of an element in \(\mathbf {Z}_q^{*}\), and \(|\mathbf {G}_T|\) the bit-length of an element in group \(\mathbf {G}_T\), respectively. We denote by \(t_{\hat{e}}\), \(t_{\mathbf {G}}\) and \(t_{\mathbf {G}_T}\) the computation cost of a bilinear pairing \(\hat{e}(\mathbf {G}, \mathbf {G}) \rightarrow \mathbf {G}_T\), an exponentiation in group \(\mathbf {G}\) and in group \(\mathbf {G}_T\), respectively.

7 Conclusion

In this paper, we first showed that there are several security pitfalls in Liang et al.’s cloud-based revocable identity-based proxy re-encryption scheme. Then, we refined the syntax and security model for cloud-based revocable identity-based proxy re-encryption scheme. Finally, we proposed an improved cloud-based revocable identity-based proxy re-encryption scheme, which not only achieves collusion resistance, but also achieves constant size re-encrypted ciphtertext. It is interesting to construct a cloud-based revocable hierarchical identity-based proxy re-encryption scheme.