Accountable mobile E-commerce scheme in intelligent cloud system transactions

Abstract

The vivid and rapid development of the Internet motivates cloud-based intelligent information systems to be applied. Mobile e-commerce, as a new business model based on cloud computing in intelligent service, has become the mainstream of mobile applications. It not only provides efficient computation services for both trading parties, but also gives a secure and reliable data storage center. However, privacy and accountability have become one of users’ crucial concerns in mobile e-commerce transactions. In this paper, we present a practical and efficient accountable mobile e-commerce scheme that is based on cloud platform to address the fundamental transaction requirement. We propose the concrete construction and demonstrate that the proposed scheme can provide effective security in the transaction process, and also give the practical deployment in cloud computing systems to provide the intelligent information services. We also give the performance analysis and show it is efficient and practical compared with related methods in terms of computation complexity and communication costs.

1 Introduction

1.1 Background

Nowadays, cloud computing has become one of hottest focuses in academia, enterprise and even the government, which provides a dynamic, scalable, virtualized computing model over the Internet for intelligent information services. It is also through network to obtain the necessary resources, which contains core content of one is to achieve resource scheduling and management, and the other is to provide services on-demand (Buyya et al. 2008; Shen et al. 2017). Cloud computing grows fast and has quite extensive application fields (for example, the e-commerce). E-commerce, as a new type of transaction, brings enterprise, logistic and consumer into a comprehensive network economy era. Consumers can expediently complete a variety of complex e-commerce activities, such as bank account withdrawal, transaction information inquiry and commodity trading service. In traditional transaction mode, dramatic increase of server traffic within a certain period of time will inevitably lead to server paralysis. However, with the support of cloud computing services, e-commerce platform can effectively cope with the rapid increase of traffic, thus provide users with good quality of service (Yang and Liu 2010).

Fig. 1

Interaction between mobile client and intelligent cloud server

Traditional e-commerce system relies on fixed location like the workstations or desktops (Yang and Zheng 2012), which is the limitation of e-commerce. The rise of intelligent terminal device has promoted the renewal of modern business model. With the widespread use of 4G mobile network (Varshney and Jain 2001; Han and Choi 2013; Hwang et al. 2015; Shen et al. 2016) and Wi-Fi (Duarte et al. 2012; Kim et al. 2015; Torres-Sospedra et al. 2015; Brown et al. 2012; Zhu and Yang 2015; Zhang and Mu 2016), mobile e-commerce takes advantage of wireless terminal such as mobile phone, PAD, notebook for e-commerce activities (Seo and Emura 2014), enabling users to access the Internet and conduct transactions anytime and anywhere. In terms of user scale, mobile e-commerce will gradually replace the traditional e-commerce sooner or later. A typical interaction mode between mobile client and cloud server is illustrated in Fig. 1.

The interaction between intelligent mobile client and cloud data center can be performed on the Internet. Cloud computing deploys the business resources in the data center, providing a series of services to users. In this way, it is not only to reduce the operation load of terminal, improve the efficiency of the cloud data center, but also provides efficient computing services for both parties. The payment service is the most important link in the whole transaction, and the mobile payment is widely used recently (Ye and Xiao 2013). The mobile payments bind mobile terminal to bank card, and the users can conduct transaction anytime and anywhere only with mobile phone. Also, the third-party payment has become the most popular usage mode in its industrial structure. When the users require to make a payment, the payment service in data center will issue a transaction application to third-party payment, which will return payment result to the users.

1.2 Related work

Even though intelligent mobile e-commerce on the cloud computing has enough advantages, it still exists some new security and privacy concerns (Ghosh and Swaminatha 2001; Tang and Wu 2008; Jo et al. 2014; Biswas and Vidyasankar 2014; Fu et al. 2016; Xia et al. 2015; Kolodziej and Xhafa 2011) that greatly influence user’s reliance. If we order a service or personal belongings which are private and unwilling to be seen by other users beyond the vendor. Our order record needs to be encrypted. On the other hand, there might also be a consideration that a dishonest user (buyer or vendor) could lead to transaction failure. For example, we often encounter the situation that vendor provides wrong goods or service unintentional, resulting in dispute. Hence, how to protect users’ privacy and resolve dispute is a problem. Han et al. (2016) proposed a mobile e-commerce scheme to combine identity-based plaintext-checkable encryption (IBPCE) with IBS. However, Han et al.’s scheme is inefficient. To improve the efficiency of Han et al., we propose a new IBPCE scheme instead of Paterson et al. IBS scheme (Paterson and Schuldt 2006). The initial idea of identity-based encryption system was proposed by Shamir (1984) in order not to using the public-key certificates. It is defined as a special type of public-key encryption where an user’s public key may be arbitrary string that has its own meaning to an user’s identity, such as a telephone number or an e-mail address. Boneh and Franklin (2001) first designed a secure and truly practical IBE system using bilinear maps and proved its security in the random oracle model. Subsequently, plenty of work (Park and Lee 2016; Wang 2007; Waters 2005; Ma 2016; Seo and Emura 2014; Gentry 2006) has been devoted to constructing pairing-based IBE systems and are provable secure in the different models. Among the previous IBE systems, Waters (2005) and Gentry (2006) proposed two efficient and practical IBE schemes which are fully secure in the standard model, respectively. In traditional public-key encryption scheme, checking whether a ciphertext is the encryption of a plaintext under the public key is difficult when the secret key is unknown. To solve this problem, Canard et al. (2012) proposed and studied a new cryptographic primitive called plaintext-checkable encryption with additional functionality that anyone can test whether a ciphertext is the encryption of a given plaintext under the public key. For instance, a dishonest sender who does not know the receiver’s secret key can be identified if he sends an incorrect ciphertext to the receiver. Therefore, a PCE scheme can provide not only confidentiality but also accountability Han et al. (2016). The concept of Identity-based Plaintext-checkable Encryption (IBPCE) was first proposed by Han et al. (2016) in 2016, which is derived from Gentry’s IBE scheme (Gentry 2006) and Canard et al.’s PCE scheme (Canard et al. 2012), whose security is proved in the standard model.

1.3 Our Contribution

We first propose an IBPCE scheme combined with Paterson’s IBS scheme (Paterson and Schuldt 2006), which can be applied to E-commerce scenario and result in an accountable mobile e-commerce (AMEC) transaction. Our contribution is described as follows:

1. 1.

   We propose a new IBPCE scheme for mobile e-commerce using bilinear pairing, and prove it to be secure based on the decisional q-ABDHE assumption in the standard mode. Besides, compared with related IBPCE scheme, our scheme can better meet the efficiency requirement of mobile transaction by reducing computation costs and improving communication efficiency.

2. 2.

   We combine our IBPCE scheme with identity-based signature and incorporate into the mobile transaction scenario to present a new AMEC scheme based on cloud computing environments. In this scheme, the transactions between buyer and vendor are encrypted. Meanwhile, an offline adjudicator will be added in case of dispute between buyer and vendor. It is worth mentioning that the IBS scheme we use is derived from the Paterson et al.’s IBS scheme which is combined with Han et al’s IBPCE scheme. The former is proved to be more secure and efficient. Therefore, our incorporative AMEC scheme has a greater improvement compared with Han et al’s.

3. 3.

   Finally, we give the user interaction process protocol, and analyze the results of the mobile e-commerce system in cloud computing environment, and also provide the protocol performance in theoretical analysis and simulated benchmark experiment.

1.4 Organization

The rest of this paper is organized as follows. The preliminaries which are used throughout this paper are presented in Sect. 2. In Sect. 3, we give the proposed IBPCE scheme, followed by its security analysis and comparison with related schemes. In Sect. 4, the proposed IBPCE scheme is applied in mobile e-commerce scenario which results in an accountable mobile e-commerce scheme. We give details of its performance evaluation in Sect. 5. Finally, Sect. 6 concludes this paper.

2 Preliminaries

In this section, we briefly review some preliminaries such as bilinear maps, complexity assumptions, formal definition and security model of IBPCE, and the IBS framework, respectively.

Let \(p\in \mathcal {Z}^+\), we denote \(\mathcal {Z}_p\) by \(\{1,2,\ldots ,p-1\}\). A function is negligible in parameter \(\lambda \) (denoted \(\epsilon (\lambda )\)) if it is smaller than the inverse of any polynomial, for all large enough value of \(\lambda \). We use the notation \(\mathcal {A},\mathcal {B}\) and \(\mathcal {C}\) to denote an adversary, a simulator and a challenger in our system.

2.1 Bilinear group and complexity assumption

We first review bilinear maps, using the following standard notation Let \(\mathbb {G}\) and \(\mathbb {G}_\tau \) are two multiplicative cyclic groups with prime order p, and g is a generator of \(\mathbb {G}\).

A function map \(\textit{e}:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_\tau \) is called a bilinear map which satisfies the following three properties: (1)Bilinearity: for \(\forall g\in \mathbb {G}\) and \(a,b\in \mathcal {Z}_p\), the equality \(\textit{e}(g^a,g^b)= \textit{e}(g,g)^{ab}\) holds; (2)Non-degeneracy: in the sense that \(\textit{e}(g,g)\ne 1\) for any \(g\in \mathbb {G}\); (3)Computability: For \(\forall g\in G\), there exists an efficient algorithm to evaluate \(\textit{e}(g,g)\).

We say that \(\mathbb {G}\) and \(\mathbb {G}_\tau \) are bilinear groups if the group operations in \(\mathbb {G}\) and \(\mathbb {G}_\tau \) as well as the bilinear map \(\textit{e}\) above are all efficiently computable. Namely, the bilinear groups can be efficiently constructed by Weil pairing or Tate pairing.

The security of our scheme is based on a complexity assumption that called the decisional q-augmented bilinear Diffie-Hellman exponent (decisional q-ABDHE) assumption (Gentry 2006), where q is (roughly) the anticipated number of private key generation queries.

Definition 1

(q-ABDHE assumption) Let bilinear group generating \(\mathcal {G}(1^\lambda )\rightarrow (\mathbb {G},\mathbb {G}_\tau ,\textit{e},p)\) and \(g,g'\) be generators of \(\mathbb {G}\). The decisional q-ABDHE problem: Given a vector of elements in group \(\mathbb {G}\), i.e.,

$$\begin{aligned} (g',g'^{a^{q+2}},g,g^\alpha ,g^{\alpha ^2},\ldots ,g^{\alpha ^q},g^{\alpha ^{q+2}},\ldots ,g^{\alpha ^{2q}})\in \mathbb {G}^{2q+2} \end{aligned}$$

as input, and to decide whether \(R= \textit{e}(g,g')^{\alpha ^{q+1}}\) or not is hard.

2.2 Formal definition and security model

Definition 2

(Identity-based Plaintext-checkable Encryption, IBPCE) An IBPCE scheme consists of five algorithms: IBPCE= (\(\textsf {Setup}\), \(\textsf {Extract}\), \(\textsf {Encrypt}\), \(\textsf {Decrypt}\), \(\textsf {Check}\)), whose functionalities are described as:

• \(\textsf {Setup}(1^\lambda )\rightarrow (\textsf {pp},\textsf {msk})\): taking a security parameter \(\lambda \) as input, the algorithm returns the public parameters \(\textsf {pp}\) and a master private key \(\textsf {msk}\).

• \(\textsf {Extract}(\textsf {msk},\textsf {pp},\textsf {id})\rightarrow \textsf {pdk}_\textsf {id}\): using the master key \(\textsf {msk}\) and an identity \(\textsf {id}\), the algorithm returns a private decryption key for identity \(\textsf {id}\).

• \(\textsf {Encrypt}(\textsf {pp},\textsf {id},M)\rightarrow \textsf {ct}\): taking an identity \(\textsf {id}\), the public parameter \(\textsf {pp}\) and a plaintext M as inputs, the algorithm returns the corresponding ciphertext \(\textsf {ct}\).

• \(\textsf {Decrypt}(\textsf {ct},\textsf {pdk}_\textsf {id})\rightarrow M\): using a private decryption key \(\textsf {pdk}_\textsf {id}\) to decrypt ciphertext \(\textsf {ct}\), the algorithm returns the corresponding plaintext M.

• \(\textsf {Check}(\textsf {pp},\textsf {ct},\textsf {id},M)\rightarrow 1/0\): taking an identity \(\textsf {id}\), a ciphertext \(\textsf {ct}\) and a plaintext M as inputs, the algorithm returns 1 if ciphertext \(\textsf {ct}\) is the encryption of plaintext M under the identity \(\textsf {id}\). Otherwise, it returns 0.

The security model of IBPCE scheme is similar to that in (Canard et al. 2012). It is defined by the following game executed between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)\), where \(\mathcal {A}_1\) and \(\mathcal {A}_2\) represent the find and guess stage, respectively. It is assumed that \(\mathcal {A}_1\) and \(\mathcal {A}_2\) share neither coin nor state.

1. 1.

   \(\textsf {Setup}\): The challenger \(\mathcal {C}\) runs \(\textsf {Setup}\) algorithm, and sends the public parameter \(\textsf {pp}\) to adversary \(\mathcal {A}\).

2. 2.

   \(\textsf {Phase} 1\): \(\mathcal {A}_1\) can adaptively query the key generation oracle with an identity \(\textsf {id}\). The challenger \(\mathcal {C}\) runs \(\textsf {Extract}\) algorithm on \(\textsf {id}\) and forwards the resulting private decryption key \(\textsf {pdk}_\textsf {id}\) to the adversary \(\mathcal {A}_1\). This query can be performed multiple times.

3. 3.

   \(\textsf {Challenge}\): \(\mathcal {A}_1\) submits a challenge identity \(\textsf {id}'\) and two plaintexts \((M_0,M_1)\) with the same length. Note that \(\textsf {id}'\) must not have appeared in any key generation query of \(\textsf {phase}\) 1. The challenger \(\mathcal {C}\) flips an unbiased coin with \(\{0,1\}\), and obtains a bit b. Then, challenger \(\mathcal {C}\) sets \(\textsf {Encrypt}(\textsf {pp},\textsf {id},M_b)\rightarrow \textsf {ct}'\), and sends \(\textsf {ct}'\) to adversary \(\mathcal {A}_1\) as its challenge ciphertext.

4. 4.

   \(\textsf {Phase} 2\): This is identical to Phase 1, with the restriction that the adversary \(\mathcal {A}_2\) cannot request a private decryption key for \(\textsf {id}'\).

5. 5.

   \(\textsf {Guess} \): \(\mathcal {A}_2\) submits his guess \(b'\). In the experiment the adversary \(\mathcal {A}\) wins if \(b'= b\).

Definition 3

An IBPCE scheme is \((t,q,\epsilon )\)-IND-ID-CPA secure if any probabilistic polynomial-time adversary making at most q-times secret key queries with the advantage at most \(\epsilon \) in winning the above game

$$\begin{aligned} Adv_{\textsf {IBPCE},\mathcal {A}}^{\textsf {ID-CPA}}(\lambda )= \Big |\Pr [b'= b]-1/2\Big |\le \epsilon (\lambda ) \end{aligned}$$

(1)

where the advantage is taken over the random bits used by the challenger and the adversary, and \(\epsilon (\lambda )\) is a negligible function in \(\lambda \).

2.3 IBS framework

An identity-based signature (IBS) is a digital signature that can provide non-repudiation and integrity in the identity setting. An IBS scheme can be described as four algorithms:

• \(\textsf {IBS}.\textsf {Setup}(1^\lambda )\rightarrow (\textsf {pp},\textsf {msk})\): It takes as input security parameter \(\lambda \), and the PKG generates public system parameter \(\textsf {pp}\) and a master secret key \(\textsf {msk}\).

• \(\textsf {IBS}.\textsf {Extract}(\textsf {pp},\textsf {msk},\textsf {id})\): It takes as input public system parameter \(\textsf {pp}\), the master secret key msk and an identity \(\textsf {id}\), and generates a signing key \(\textsf {sk}_\textsf {id}\).

• \(\textsf {IBS}.\textsf {Sign}(\textsf {pp},M,\textsf {sk}_\textsf {id})\): It takes as input public system parameter \(\textsf {pp}\), a plaintext M and a signing key \(\textsf {sk}_\textsf {id}\), and generates a signature \(\sigma _M\) on the plaintext M.

• \(\textsf {IBS}.\textsf {Verify}(\textsf {pp},M,\textsf {id},\sigma _M)\): It takes as input public system parameter \(\textsf {pp}\), a plaintext M, an identity \(\textsf {id}\) and a signature \(\sigma _M\), and outputs 1 (accept) if is a valid signature on the plaintext M. Otherwise, it outputs 0 (reject).

2.4 System model and roles

Figure 2 shows the system model of our scheme, with four roles described as follows:

Fig. 2

System model

Key generation center (KGC) is responsible for setting up system, generating the public system parameter \(\textsf {pp}\) and the master private key \(\textsf {msk}\). Meanwhile, it creates private decryption key \(\textsf {pdk}_\textsf {id}\) and sends \(user_\textsf {id}\) to via a secure channel.

Buyer must register to obtain the private decryption key \(\textsf {pdk}_\textsf {id}\). If the buyer wants to order service or personal belongings from vendor. He encrypts his order \(M_B\) and generates signature \(\sigma _{HB}\) and sends them to the cloud data server. Note that only the vendor could verifies signature \(\sigma _{HB}\) and decrypt the encrypted order information.

Vendor must register to obtain the private decryption key \(\textsf {pdk}_\textsf {id}\). Additionally, the vendor can verify signature \(\sigma _{HB}\) and uses \(\textsf {pdk}_\textsf {id}\) to decrypt buyer’s encrypted order information that stored in the cloud data server. Then, the vendor encrypts the service or personal belongings \(M_V\) required by the buyer and generates signature \(\sigma _{HV}\) and sends them to the buyer.

Cloud data server is in charge of resolving possible dispute between registered buyer and vendor, and returning the identification results. In addition, the buyer and vendor need to submit \((M_B,M_V,\textsf {id}_B,\textsf {ct}_B,\sigma _{HB})\) and \((M_B,M_V,\textsf {id}_V,\textsf {ct}_V,\sigma _{HB})\) to cloud data server, respectively, so that the server can check the encrypted transaction records to identify who is dishonest and return a feedback.

3 Proposed scheme

In this section, we give the proposed identity-based plaintext-checkable encryption (IBPCE) scheme, and prove its security and finally provide the performance analysis.

3.1 Our construction

The construction of IBPCE scheme comprises the following five concrete algorithms:

• \(\textsf {Setup}(1^\lambda )\rightarrow (\textsf {pp},\textsf {msk})\): Taking as input a security parameter \(\lambda \), this algorithm does the following:

1. 1.

   Generate the pairing parameters: two groups \(\mathbb {G}\) and \(\mathbb {G}_\tau \) of order p, and an admissible bilinear map \(\textit{e}\).

2. 2.

   At random choose generators \(g,h\in \mathbb {G}\).

3. 3.

   Choose two collision-resistant hash functions: \(H_1: \{0,1\}^*\rightarrow \mathcal {Z}_p^*\), \(H_2: \mathbb {G}_\tau \rightarrow \mathcal {Z}_p^*\).

4. 4.

   At random pick \(\alpha \in \mathcal {Z}_p\) and set \(k= g^\alpha \).

5. 5.

   Calculate \(X= \textit{e}(g,h)\).

6. 6.

   Calculate \(Y= \textit{e}(g,g)\).

7. 7.

   Calculate \(W= \textit{e}(k,h)\).

8. 8.

   Set and publish the parameter

   $$\begin{aligned} \textsf {pp}= \Big (p,\mathbb {G},\mathbb {G}_\tau , \textit{e},g,h,k, H_1,H_2,X,Y,W\Big ) \end{aligned}$$
9. 9.

   Keep the master key \(\textsf {msk}= \alpha \).

• \(\textsf {Extract}(\textsf {pp},\textsf {msk},\textsf {id})\rightarrow \textsf {pdk}_\textsf {id}\): For a given identity string \(\textsf {id}\in \{0,1\}^*\), this algorithm does:

1. 1.

   At random select \(r_\textsf {id}\in \mathcal {Z}_p^*\), and compute \(t_\textsf {id}= (hg^{-r_\textsf {id}})^{\frac{1}{\alpha -H_1(\textsf {id})}}\).

2. 2.

   Set the private decryption key \(\textsf {pdk}_\textsf {id}= (r_\textsf {id},t_\textsf {id})\).

• \(\textsf {Encrypt}(\textsf {pp},\textsf {id},M)\rightarrow \textsf {ct}\): To encrypt a message \(M\in \mathcal M\) under identity \(\textsf {id}\), this algorithm performs as following:

1. 1.

   Select random number \(s\in \mathcal {Z}_p\).

2. 2.

   Compute \(C_1= k^s g^{-sH_1(\textsf {id})}= g^{s(\alpha -H_1(\textsf {id}))}\).

3. 3.

   Compute \(C_2= Y^s\).

4. 4.

   Compute \(C_3= M\cdot X^{-s}\).

5. 5.

   Compute \(C_4= W^{s+H_2(C_2)}\).

6. 6.

   Return the ciphertext \(\textsf {ct}= (C_1,C_2,C_3,C_4)\).

• \(\textsf {Decrypt}(\textsf {pp},\textsf {ct},\textsf {pdk}_\textsf {id})\): On input the system parameter \(\textsf {pp}\), a ciphertext \(\textsf {ct}\) and a decryption key \(\textsf {pdk}_\textsf {id}\), the decryption algorithm performs the following:

1. 1.

   Parse the ciphertext as \(\textsf {ct}= (C_1,C_2,C_3,C_4)\), and check whether \(C_1\) is an element in \(\mathbb {G}\) and \(C_2,C_3\) and \(C_4\) are elements in \(\mathbb {G}_\tau \). Return \(\bot \) as ill-formed if the checks fail.

2. 2.

   Parse the key as \(\textsf {pdk}_\textsf {id}= (r_\textsf {id},t_\textsf {id})\), and check whether \(r_\textsf {id}\in \mathcal {Z}_p^*\) and \(t_\textsf {id}\in \mathbb {G}\) hold. Return \(\bot \) as ill-formed if the checks fail.

3. 3.

   Compute and return \(M= \textit{e}(t_\textsf {id},C_1)C_2^{r_\textsf {id}}C_3\).

Remark 1

(Correctness of decryption). Assuming the ciphertext and decryption key are well-formed, then

$$\begin{aligned}&\textit{e}(t_\textsf {id},C_1)C_2^{r_\textsf {id}}C_3\nonumber \\&= \textit{e}((hg^{-r_\textsf {id}})^{\frac{1}{\alpha -H_1(\textsf {id})}}, g^{s(\alpha -H_1(\textsf {id}))})\textit{e}(g,g)^{r_\textsf {id}s}\cdot M\textit{e}(g,h)^{-s}\nonumber \\&= M\cdot \textit{e}(hg^{-r_\textsf {id}},g^s)\textit{e}(g,g)^{r_\textsf {id}s}\textit{e}(g,h)^{-s}\nonumber \\&= M\cdot \textit{e}(g,h)^s\textit{e}(g,g)^{-r_\textsf {id}s}\textit{e}(g,g)^{r_\textsf {id}s}\textit{e}(g,h)^{-s}\nonumber \\&= M \end{aligned}$$

(2)

• \(\textsf {Check}(\textsf {pp},\textsf {ct},\textsf {id},M)\rightarrow 1/0\): To decide whether \(\textsf {ct}\) is the encryption of message M under identity \(\textsf {id}\), this algorithm checks the equation

$$\begin{aligned} C_4 = {\textit{e}(C_1,h)\cdot W^{H_2(C_2)}}{(\frac{M}{C_3})^{H_1(\textsf {id})}}~? \end{aligned}$$

(3)

It returns 1 if the above equation holds and returns 0 otherwise.

Remark 2

(Consistency of check algorithm). Assuming the ciphertext components are well-formed for \(\textsf {id}\), the consistency of the check is described as:

$$\begin{aligned}&{\textit{e}(C_1,h)\cdot W^{H_2(C_2)}}\cdot {(\frac{M}{C_3})^{H_1(\textsf {id})}}\nonumber \\&= {\textit{e}(g^{s(\alpha -H_1(\textsf {id}))},h)\textit{e}(g,h)^{\alpha H_2(C_2)}}{\textit{e}(g,h)^{sH_1(\textsf {id})}}\nonumber \\&= \textit{e}(g,h)^{s\alpha }\textit{e}(g,h)^{\alpha H_2(C_2)}\nonumber \\&= \textit{e}(g,h)^{\alpha (s+H_2(C_2))}\nonumber \\&= \textit{e}(g^\alpha ,h)^{s+H_2(C_2)}\nonumber \\&= C_4 \end{aligned}$$

(4)

3.2 Security

To demonstrate that the security of our proposed scheme is statistically unlinkable under the decisional q-augmented bilinear Diffie-Hellman exponent (q-ABDHE) assumption, we use similar technique outlined in (Gentry 2006; Han et al. 2016).

Theorem

Our proposed IBPCE scheme is \((t,q,\epsilon )\)-secure, assuming that the \((t',q',\epsilon ')\)-decisional q-ABDHE assumption holds in bilinear groups, and \(H_1\) and \(H_2\) are \((t_1,\epsilon _1)\) and \((t_2,\epsilon _2)\) collision-resistant hash functions, respectively, where

$$\begin{aligned} \left\{ \begin{array}{l} \epsilon '= (1-\epsilon _1)(\epsilon -\frac{1}{q}) \\ t'= t+t_1+t_2+o(q^2 t_{e}) \\ q'= q+1 \end{array} \right. \end{aligned}$$

(5)

Proof

Let \(\mathcal {A}= (A_1,\mathcal {A}_2)\) be an adversary that can \((t,q,\epsilon )\)-break the security of the proposed scheme. We will construct an algorithm \(\mathcal {B}\) that can use \(\mathcal {A}\) to solve the decisional \((q+1)\)-ABDHE problem. The challenger \(\mathcal {C}\) flips an unbiased coin from \(\{0,1\}\), and obtains a bit \(b\in \{0,1\}\). Then, \(\mathcal {C}\) sends \((g',g'_{q+2},g_1,g_2,\ldots ,g_q,Z)\) to \(\mathcal {B}\), where \(Z= \textit{e}(g_{q+1},g')\) when \(b= 0\); otherwise, \(Z= R\in \mathbb {G}_\tau \). Note that we set \(g_i= g^{\alpha ^i}\) in \((q+1)\)-ABDHE instance. \(\mathcal {B}\) will output his guess \(b'\) on b and proceeds as follows. \(\square \)

Setup: \(\mathcal {B}\) selects a random polynomial \(f(x)\in \mathcal {Z}_p[x]\) with \(f(x)= f_0+f_1x+\cdots +f_q x^q\) of degree q, and sets \(h= g^{f(\alpha )}\), computing h from \((g,g_1,\ldots g_q)\). It sends the public parameter \(\textsf {pp}= (g,h,k,X= \textit{e}(g,h),Y= \textit{e}(g,g),W= \textit{e}(h,k))\) to \(\mathcal {A}\) where \(k= g^\alpha \).

Phase 1: \(\mathcal {A}\) can adaptively query the key generation oracle. \(\mathcal {B}\) responds to the query on an identity \(\textsf {id}\in \{0,1\}^*\) as follows. If \(H_1(\textsf {id})= \alpha \), \(\mathcal {B}\) uses \(\mathcal {A}\) to solve the decisional q-ABDHE problem immediately. Otherwise, let \(F_\textsf {id}(x)\) stands for \((q-1)\)-degree polynomial \(\frac{f(x)-f(H_1(\textsf {id}))}{x-H_1(\textsf {id})}\). Obviously, \(\mathcal {B}\) sets a valid secret key \((r_\textsf {id},t_\textsf {id})\) for identity \(\textsf {id}\) since

$$\begin{aligned} \left\{ \begin{array}{l} r_\textsf {id}= f(H_1(\textsf {id})) \\ t_\textsf {id}= (hg^{-r_\textsf {id}})^{\frac{1}{\alpha -H_1(\textsf {id})}} = g^{\frac{f(\alpha ) - f(H_1(\textsf {id}))}{\alpha - H_1(\textsf {id})}} = g^{F_\textsf {id}(\alpha )} \end{array} \right. \end{aligned}$$

(6)

\(\mathcal {B}\) responds the key extraction query with the simulated secret key \(\textsf {pdk}_\textsf {id}= (r_\textsf {id},t_\textsf {id})\).

Challenge: The adversary \(\mathcal {A}\) submits an challenged identity \(\textsf {id}'\) and messages \((M_0,M_1)\) with the same length. Also, if \(H_1(\textsf {id}')= \alpha \), \(\mathcal {B}\) also uses it to solve the decisional q-ABDHE problem immediately. Furthermore, if there exists an \(\textsf {id}\) which is selected by \(\mathcal {A}\) to query secret key with \(H_1(\textsf {id})= H_1(\textsf {id}')\ne \alpha \), challenger \(\mathcal {C}\) aborts. Otherwise, \(\mathcal {B}\) flips an unbiased coin to obtain a bit \(\beta \in \{0,1\}\). It computes a private decryption key \(\textsf {pdk}_{\textsf {id}'}= (r_{\textsf {id}'},t_{\textsf {id}'})\) for \(\textsf {id}'\) as in Phase 1.

We define

$$\begin{aligned} f'(x)= & {} x^{q+2}\end{aligned}$$

(7)

$$\begin{aligned} F'_{\textsf {id}'}(x)= & {} \frac{f'(x)-f'(H_1(\textsf {id}'))}{x-H_1(\textsf {id}')}\nonumber \\= & {} F'_0+F'_1x+\cdots +F'_{q+1}x^{q+1} \end{aligned}$$

(8)

Note that \(F'_{\textsf {id}'}(x)\) is a polynomial of degree \((q+1)\). It computes

$$\begin{aligned} C_1= & {} g'^{f(\alpha )-f(H_1(\textsf {id}'))}\nonumber \\ C_2= & {} Z^{F'_{q+1}}\cdot \textit{e}(g',~\prod _{i= 0}^q g^{\alpha ^i}F_i')\nonumber \\ C_3= & {} \frac{M_\beta }{\textit{e}(C_1, t_{\textsf {id}'})\cdot (C_2)^{r_{\textsf {id}'}}}\nonumber \\ C_4= & {} Z^{f_q F'(\alpha )}\cdot \prod _{i= 1}^q \textit{e}(g',g_i)^{f_{i-1}F'(\alpha )} \end{aligned}$$

(9)

where \(F_i'\) is the coefficient \(x^j\) of in \(F'_{\textsf {id}'}\).

It is easily to see that the above ciphertext \(\textsf {ct}= (C_1,C_2,C_3,C_4)\) is a valid challenge ciphertext for message \(M_\beta \).

Let \(s= (\log _g g')F_{\textsf {id}'}'(\alpha )\). That is, \(g'= g^{\frac{s}{F_{\textsf {id}'}(\alpha )}}\). If \(Z= \textit{e}(g',g_{q+1})= \textit{e}(g',g^{\alpha ^{q+1}})\), we have

$$\begin{aligned} C_1= & {} g'^{f(\alpha )-f(H_1(\textsf {id}'))} \\= & {} g^{\frac{s(f'(\alpha )-f'(H_1(\textsf {id}')))}{F_{\textsf {id}'}'(\alpha )}}\\= & {} g^{s(\alpha -H_1(\textsf {id}'))}\\= & {} (g^{\alpha }g^{-H_1(\textsf {id}')})^s\\= & {} (kg^{-H_1(\textsf {id}')})^s\\ C_2= & {} Z^{F'_{q+1}}\cdot \textit{e}(g',~\prod _{i= 0}^q g^{\alpha ^i}F_i')\\= & {} \textit{e}(g',g)^{F'_{q+1}\alpha ^{q+1}}\textit{e}(g',\prod _{i= 0}^q g^{F'_i \alpha ^i})\\= & {} \textit{e}(g,g)^{\frac{sF'(\alpha )}{F'(\alpha )}}= \textit{e}(g,g)^s\\ C_3= & {} \frac{M_\beta }{\textit{e}(C_1, t_{\textsf {id}'})\cdot (C_2)^{r_{\textsf {id}'}}}\\= & {} \frac{M_\beta }{\textit{e}(g,g)^{sf(\alpha )-sf(H_1(\textsf {id}'))}\textit{e}(g,g)^{sf(H_1(\textsf {id}'))}} \\= & {} M_\beta \cdot \textit{e}(g,g^{f(\alpha )})^{-s}\\= & {} M_\beta \cdot \textit{e}(g,h)^{-s}\\ C_4= & {} Z^{f_q F'(\alpha )}\cdot \prod _{i= 1}^q \textit{e}(g',g_i)^{f_{i-1}F'(\alpha )}\\= & {} \prod _{i= 1}^{q+1}\textit{e}(g',g)^{f_{i-1}\alpha ^i F'(\alpha )}\\= & {} \textit{e}(k,h)^s \end{aligned}$$

Obviously, the challenge ciphertext is well-formed.

Phase 2: The adversary \(\mathcal {A}_2\) makes key generation queries with the only restriction that \(\mathcal {A}_2\) cannot query key generation oracle with the challenge identity \(\textsf {id}'\) and \(\mathcal {B}\) responds the query as in Phase 1.

Guess: The adversary \(\mathcal {A}\) outputs his guess \(\beta '\) on \(\beta \). If \(\beta '= \beta \) , \(\mathcal {B}\) outputs \(b'= b= 0\) which indicates that \(Z= \textit{e}(g_{q+1},g')\) in q-ABDHE instance. Otherwise, it outputs \(b'= b= 1\) which indicates Z is a random element in \(\mathbb {G}_\tau \).

Probability Analysis: We now give the advantage with which \(\mathcal {B}\) can solve the decisional \((q+1)\)-ABDHE assumption. From the simulation and response in the above reduction, we require that \(\mathcal {C}\) cannot abort.

• If \(\textsf {id}'\) is appeared in key generation query of phase 1 with \(H_1(\textsf {id}')= H_1(\textsf {id})\ne \alpha \), \(\mathcal {C}\) aborts. Let \(\Pr [\lnot abort]\) be the probability with which the challenger \(\mathcal {C}\) does not abort the game. By the security and collision-resistance of hash function \(H_1\),

  $$\begin{aligned} p_0= \Pr [\lnot abort] = 1-\epsilon _1\end{aligned}$$

  (10)

• If \(\beta '= \beta \) in guess phase, \(\mathcal {B}\) can solve the decisional \((q+1)\)-ABDHE problem and outputs 1 to indicate \(b'= b= 0\). In this case, \(\mathcal {A}_2\) can guess correctly with probability

  $$\begin{aligned} p_1 = |\Pr [\beta '= \beta ]|b'= b= 0|\ge \epsilon \end{aligned}$$

  (11)

• If \(\beta '\ne \beta \), the simulator \(\mathcal {B}\) cannot solve the decisional \((q+1)\)-ABDHE problem. Since Z is uniformly random, the components \(C_1,C_2\) and \(C_4\) are uniformly random and independent elements in \(\mathbb {G}\times \mathbb {G}_\tau ^2\). In this case, \(C_4\ne \textit{e}(C_1,h)W^{H_2(C_2)}(M_\beta /C_3)^{H_1{\textsf {id}'}}\) holds with the probability \(1-1/q\). When the above inequality holds, then

  $$\begin{aligned}&\textit{e}(C_1,t_{\textsf {id}'})C_2^{r_{\textsf {id}'}} \nonumber \\&= \textit{e}(C_1, (hg^{-r_{id'}})^{\frac{1}{\alpha -H_1(\textsf {id}')}})\cdot C_2^{r_{\textsf {id}'}}\nonumber \\&= \textit{e}(C_1,h)^{\frac{1}{\alpha -H_1(\textsf {id}')}}(C_2/\textit{e}(C_1,g)^{\frac{1}{\alpha -H_1(\textsf {id}')}})^{r_{\textsf {id}'}} \end{aligned}$$

  (12)

As \(r_{\textsf {id}'}\) is randomly selected, \(C_3\) is also uniformly random. Namely, the ciphertext \(\textsf {ct}= (C_1,C_2,C_3,C_4)\) can reveal no information regarding the bit \(\beta \). Thus, the adversary \(\mathcal {A}_2\) can guess \(\beta '\ne \beta \) with probability

$$\begin{aligned} ~~~~p_2= \Big |\Pr [\beta '\ne \beta |~b'= b= 1]\Big |\le \frac{1}{q} \end{aligned}$$

(13)

Thus, \(\mathcal {B}\) can solve the decisional \((q+1)\)-ABDHE problem with probability

$$\begin{aligned} ~~~~\epsilon ' = \Pr [\lnot abort]\cdot |p_2-p_1|\ge (1-\epsilon _1)(\epsilon -\frac{1}{q}) \end{aligned}$$

(14)

3.3 Time complexity

Let \(H_1\) and \(H_2\) are and collision-resistant hash functions, respectively. In order to response to adversary \(\mathcal {A}\)’s key generation query on identity \(\textsf {id}\), \(\mathcal {B}\)’s overhead is dominated by computing \(t_\textsf {id}= g^{F_\textsf {id}(\alpha )}\) in the phase 1. And each such computation requires o(q) exponentiations. When \(\mathcal {A}\) makes at most \((q-1)\) queries, the time complexity is

$$\begin{aligned} t'= t+t_1+t_2+o(q^2t_e) \end{aligned}$$

(15)

where \(t_e\) denotes the computation cost of an exponentiation operation.

This concludes the proof of Theorem 1 and it demonstrates that an algorithm is able to solve the decisional \((q+1)\)-ABDHE problem with probability at least \(\epsilon '\) and in time at most \(t'\) if an adversary can break our scheme, which is contradicted against the decisional \((q+1)\)-ABDHE assumption. Thus, our proposed IBPCE scheme is secure.

3.4 Performance analysis

As shown in Table 1, the second, third and fourth rows represent the computation comparison of encryption, decryption and check algorithm, respectively. The fifth row denotes sizes of ciphertext. The following two rows indicate whether the schemes are plaintext checkable and proved under the standard model respectively. The last row shows the security assumptions.

Table 1 Performance analysis Calc Cost: calculation cost, Enc: encryption algorithm, Dec: decryption algorithm, Check: check algorithm \(T_{exp}\): an exponentiation operation, \(T_{pm}\): an point multiplication operation, \(T_{add}\): an addition operation, \(T_h\): hash function operation, \(T_{bp}\): a bilinear pair-ing operation, \(|\mathbb {G}|\): size of an element in \(\mathbb {G}\), \(|\mathcal {Z}_p|\): size of an element in \(\mathcal {Z}_p\) (i.e., \(\log p\)), |H|: size of hash output, decisional q-ABDHE: decisional q-augmented bilinear Diffie-Hellman exponent assumption

In terms of computing complexity, the encryption and check phases of our scheme are decreased in comparison with Han et al.’s IBPCE scheme (Han et al. 2016), respectively. However, the decryption phases of our scheme is same with that in (Han et al. 2016). And in terms of storage, the size of ciphertext in our IBPCE scheme is shorter than that of (Han et al. 2016). Additionally, both schemes provide plaintext check, and both of them are proven secure based on the decisional q-ABDHE assumption in the standard model.

4 Accountable mobile E-commerce

To guarantee the security of mobile e-commerce, in this section, we exploit the proposed IBPCE scheme and an efficient IBS scheme (Ma et al. 2015) incorporated into the mobile e-commerce scenario which generates an accountable mobile e-commerce scheme. We first introduce the interaction between mobile client and cloud server. Then, we present our proposed accountable mobile e-commerce scheme. Figure 3 demonstrates the process of our proposed accountable mobile e-commerce scheme.

Fig. 3

Protocol of accountable mobile e-commerce

After a user finishing his registration and login, he can gain access to the system and choose services/goods according to personal needs. These services or goods on the web page are presented in a dynamic form, and the user selects the transaction on demand. At this point, the system requires users to fill in some necessary information for recording the transaction process, and sends these encrypted information to the server and generate sessions. Certainly, the above transaction requests, encrypted information and the response data will be packaged into transaction data returned to user for viewing. Before returning the data, the server will judge information that the user has filled out and the service selected by user, dynamically generate the specific transaction flow for user and guide to complete transaction.

• Setup \((1^\lambda )\):

1. 1.

   Taking as input a system security parameter, generate bilinear description \((\textit{e},p,\mathbb {G},\mathbb {G}_\tau )\leftarrow \mathcal {G}(1^\lambda )\).

2. 2.

   At random pick two generators \(g,h\in \mathbb {G}\), and three collision-resistant hash functions \(H_1:\{0,1\}^*\rightarrow \mathcal {Z}_p\), \(H_2:\mathbb {G}_\tau \rightarrow \mathcal {Z}_p^*\), and \(H_3:\{0,1\}^*\rightarrow \mathcal M\) where \(\mathcal M\) denotes the message space.

3. 3.

   Select \(\alpha \in \mathcal {Z}_p\) and set \(k= g^\alpha \).

4. 4.

   Run the algorithm \(\textsf {IBS}.\textsf {Setup}\) to create \((\textsf {IBS}.\textsf {pp},\textsf {IBS}.\textsf {msk}).\)

5. 5.

   Set and keep the master private key \((\alpha ,\textsf {IBS}.\textsf {msk})\).

6. 6.

   Publish the parameter

   $$\begin{aligned} \textsf {pp}&= \Big (\textsf {IBS}.\textsf {pp},(\textit{e},p,\mathbb {G},\mathbb {G}_\tau ),g,h,k,X= \textit{e}(g,h),\\ {}&~~~~Y= \textit{e}(g,g),W= \textit{e}(k,h)\Big )\end{aligned}$$

• User Register \((\textsf {pp},\textsf {id}_U)\rightarrow \textsf {pdk}_U\):

1. 1.

   Submit user’s mobile phone number or email address \(\textsf {id}_U\in \{0,1\}^*\).

2. 2.

   Select a randomness \(r_U\in \mathcal {Z}_p\) , and then compute \(t_U= (hg^{-r_U})^{1/(\alpha -H_1(\textsf {id}_U))}\).

3. 3.

   Run the algorithm \(\textsf {IBS}.\textsf {Extract}\) to obtain the key \(\textsf {sk}_U\).

4. 4.

   Generate and output the user’s decryption key \(\textsf {pdk}_U= (r_U,t_U,\textsf {sk}_U)\).

• Order \((\textsf {pp},\textsf {id}_V,M_B)\): To order a service or personal belongings from vendor’s description \(M_B\in \mathcal M\), the order algorithm does as follows:

1. 1.

   At random select \(s_B\in \mathcal {Z}_p\) , and compute \(C_{B_1}= (kg^{-H_1(N_V)})\), \(C_{B_2}= Y^{s_B}\), \(C_{B_3}= M_B\cdot X^{-s_B}\), \(C_4= W^{s_B+H_2(C_{B_2})}\).

2. 2.

   Set the ciphertext as \(\textsf {ct}_B= (C_{B_1},C_{B_2},C_{B_3},C_{B_4})\).

3. 3.

   Compute \(HB_1= H_3(\textsf {ct}_B)\).

4. 4.

   Run the signing algorithm \(\textsf {IBS}.\textsf {Sign}(\textsf {IBS}.\textsf {pp},HB_1,\textsf {sk}_B)\) to obtain the signature \(\sigma _{HB_1}\).

5. 5.

   Send \((\textsf {ct}_B,\sigma _{HB_1})\) to the vendor.

• Delivery: To send service or personal belongings where the buyer ordered, the delivery protocol proceeds as follows:

1. 1.

   Compute \(HV_1= H_3(\textsf {ct}_B)\),

2. 2.

   Run the IBS verifying algorithm to check

   $$\begin{aligned} \textsf {IBS}.\textsf {Verify}(\textsf {IBS}.pp, HV_1,\textsf {id}_B,\sigma _{HB_1})= 1? \end{aligned}$$

   If check fail, return \(\bot \) and the protocol fail.

3. 3.

   Calculate \(M_B= \textit{e}(t_V, C_{B_1})\cdot C_{B_2}^{r_V}\cdot C_{B_3}\).

4. 4.

   Pick \(s_V\in \mathcal {Z}_p\) randomly, and calculate \(C_{V_1}= (kg^{-H_1(N_B)})^{s_V}\), \(C_{V_2}= Y^{s_V}\), \(C_{V_3}= M_V\cdot X^{-s_V}\), \(C_{V_4}= W^{s_V+H_2(C_{V_2})}\), where \(M_V\in \mathbb {G}_\tau \) is the buyer required.

5. 5.

   Set the ciphertext \(\textsf {ct}_{V}= (C_{V_1},C_{V_2},C_{V_3},C_{V_4})\).

6. 6.

   Calculate \(HV_2= H_3(\textsf {ct}_V)\).

7. 7.

   Run the algorithm \(\textsf {IBS}.\textsf {Sign}(\textsf {IBS}.\textsf {pp},HV_2,\textsf {sk}_V)\) to obtain the signature \(\sigma _{HV_2}\).

8. 8.

   Finally, send \((\textsf {ct}_V,\sigma _{HV_2})\) to the buyer.

• Retrieve \((\textsf {pp},\textsf {ct}_V,\textsf {pdk}_B)\rightarrow M_V\): To retrieve order confirmation, the retrieve algorithm does as follows:

1. 1.

   Calculate \(HB_2= H_3(\textsf {ct}_V)\).

2. 2.

   Run the verifying algorithm to check

   $$\begin{aligned} \textsf {IBS}.\textsf {Verify}(\textsf {IBS}.\textsf {pp}, \textsf {id}_V,HB_2,\sigma _{HV_2})= 1? \end{aligned}$$

   If fail, return \(\bot \) and stop the protocol.

3. 3.

   Return \(M_V= \textit{e}(t_B, C_{V_1})\cdot C_{V_2}^{r_B}\cdot C_{V_3}\).

• Payment: After confirming the received personal belongings or services, the system transfers the buyer’s payments from a third-party payment platform to the vendor, and finishes the transaction.

• Dispute Settlement \((\textsf {pp},\textsf {ct},\textsf {id}_U,M)\): To deal with the possible dispute, the adjudicator does as follows:

1. 1.

   Require the buyer to send \((M_B,M_V,\textsf {id}_B,\textsf {ct}_B,\sigma _{HB})\) and the vendor to send \((M_B,M_V,\textsf {id}_V,\textsf {ct}_V,\sigma _{HV})\) the adjudicator, respectively.

2. 2.

   Parse \(\textsf {ct}_B= (C_{B_1},C_{B_2},C_{B_3},c_{B_4})\in \mathbb {G}\times \mathbb {G}_\tau ^3\), and \(\textsf {ct}_V= (C_{V_1},C_{V_2},C_{V_3},c_{V_4})\in \mathbb {G}\times \mathbb {G}_\tau ^3\).

3. 3.

   Calculate \(HB= H_3(\textsf {ct}_B)\) and \(HV= H_3(\textsf {ct}_V)\).

4. 4.

   Check the following equations:

$$\begin{aligned}&\textsf {IBS}.\textsf {Verify}(\textsf {pp},\textsf {id}_B,HB,\sigma _{HB})= 1\end{aligned}$$

(16)

$$\begin{aligned}&C_{B_4} = \textit{e}(C_{B_1},h)\cdot W^{H_2(C_{B_2})}(M_B/C_{B_3})^{H_1(\textsf {id}_V)}\end{aligned}$$

(17)

$$\begin{aligned}&\textsf {IBS}.\textsf {Verify}(\textsf {pp},\textsf {id}_V,HV,\sigma _{HV})= 1\end{aligned}$$

(18)

$$\begin{aligned}&C_{V_4} = \textit{e}(C_{V_1},h) \cdot W^{H_2(C_{V_2})} (M_V/C_{V_3})^{H_1(\textsf {id}_B)} \end{aligned}$$

(19)

1. 5.

   If both eqs. (16) and (17) hold, the buyer is honest. Otherwise it is dishonest. If both eqs. (18) and (19) hold, the vendor is honest. Otherwise it is dishonest.

5 Performance evaluation

In this section, we evaluate the performance of the proposed accountable mobile e-commerce and the Han et al.’s AMEC scheme (Han et al. 2016), in terms of the computation and communication complexity. It is mentioned that Han et al.’s AMEC scheme is derived from their proposed IBPCE scheme and Patson et al.’s IBS scheme (Paterson and Schuldt 2006). We not only propose our IBPCE scheme in section 3.1 and make a comparison in section 3.3, but also use an IBS scheme which is proved to be more efficient than Patson et al.’s. Therefore, we are not going to repeat that comparison between the two IBS schemes. We compare the other part of AMEC scheme which is derived from our proposed IBPCE scheme.

5.1 Computation cost and experiments

The comparison of computing costs is presented in Table 2, which includes different phases, such as order, delivery, retrieve and dispute etc.

Table 2 Computation complexity

The running time is described in Table 3. To obtain the execution time of the basic operations in the two schemes, we conduct the experiment with MIRACL libraries (2017) running on a 2.30 GHz-processor and 1 GB-memory computing machine. The experimental results listed in Table 3.

Table 3 Running time of different operations

We provide the comparison of computation costs in Figure 4 based on the above execution time by graph so as to reflect the difference intuitively.

Fig. 4

Computation comparison in different phases

From the results in Fig. 4, it is obviously to show that the computation costs in Order, Delivery and dispute settlement phases of our scheme decrease by 4.03%, 1.46% and 30.80% as compared to that of AMEC scheme (Han et al. 2016), respectively. Even though the computation cost in the Cost and Delivery phase of our scheme is a little bit lower than that in (Han et al. 2016), these two parts would not be used by cloud server in the processing of identifying users who is dishonest. Therefore, our scheme achieves a better computation efficiency compared to that of AMEC scheme.

5.2 Communication cost

To achieve the similar security level of 1024-bit RSA (or AES-80), it should satisfy \(l\times \omega \ge 1024\) where l is the group size of elliptic curve and \(\omega \) is embedding degree. When evaluating communication performance of our scheme, we select Type-A curve with \(l= 512\)-bit, and a 160-bit length prime order p. In this way, the elements in \(\mathbb {G}\) and \(\mathbb {G}_\tau \) are 64 bytes (512-bit) and 128 bytes (1024-bit), respectively. Besides, we choose SHA-1 as the collision-resistant hash function. The comparison of communication complexity is presented in Figure 4, and the communication costs in Figure 5.

Fig. 5

Communication cost

From the results in figures 4 and 5, it is easily to indicate that communication costs of our scheme are a little bit lower than AMEC scheme in generally. Our scheme can provide the security of the user’s private information and resolve possible disputes, and since the combined scheme has been proved more efficient than Paterson et al.’s (Paterson and Schuldt 2006) used in scheme (Han et al. 2016), the efficiency of our scheme has a greater improvement advantage compared with previous schemes.

6 Conclusion

We presented a mobile e-commerce transaction based on cloud computing for intelligent information services and we also proposed an accountable mobile e-commerce scheme to take the transaction in this open and distributed intelligent systems. We gave the concrete construction of the scheme and analyzed the security. Compared with related scheme, our scheme is more practical and efficient.