Summary

The design of ID-based cryptography has received much attention from researchers. However, how to revoke the misbehaviour/compromised user in ID-based public key cryptosystem becomes an important research issue. Recently, Tseng and Tsai proposed a novel public key cryptosystem called revocable ID-based public key cryptosystem (RIBE) to solve the revocation problem. Later on, numerous research papers based on the Tseng-Tsai key RIBE were proposed. In this paper, we brief review Tseng and Tsais RIBE. We hope this review can help the readers to understand the Tseng and Tsais revocable ID-based public key cryptosystem.

Keywords

Identity-based ; Revocable ; Encryption ; Bilinear pairings

Introduction

In the traditional public key cryptosystems (Diffie and Hellman, 1976 , ElGamal, 1985  and Rivest et al., 1978 ), certificates play important roles to make publicly available the mapping between identities and public keys. Certificate is a signature generated by a trusted certificate authority (CA) which usually include the identity of a user, its associated public key, the issuing date and the expiration date. When users public key is used, the associated certificate must be checked to ensure its validity (revoked or non-revoked). In general, Certificate Revocation List (CRL) (Housley et al., 2002 ) is used to revoke the users public key. Anyone can check these revoked users’ public keys by querying the CRL.

In order to solve the management of users’ certificates, Shamir (1984) first proposed the concept of ID-based public key cryptosystem (ID-PKS). In his system, each users identity (e.g. e-mail address or social security number) can be viewed as public key and the users private key is generated by a trusted private key generation center (PKG). However, Shamir’ ID-PKS was not easy in practice because the underlying mathematical methods are not suitable. In 2001, Boneh and Franklin, (2001) followed Shamirs concept to propose a practical ID-based encryption scheme (IBE) from the Weil pairing. Later on, the design of ID-based cryptographic schemes and protocols using bilinear pairings has received much attention from researchers.

For the revocation problem in the ID-PKS system, Boneh and Franklin, (2001) have suggested a solution in which the PKG can periodically renew the private keys for non-revoked users. In other words, when the PKG wants to revoke a specific user, it only stops to issue the new private key. However, this solution has following drawbacks: (1) the workload of generating new private keys of non-revoked users is too heavy for the PKG; (2) secure channels are needed between the PKG and the non-revoked users to transmit the new private keys for each time period.

Boldyreva et al. (2008) proposed a revocable ID-based encryption scheme (RIBE) by using binary tree to reduce the PKGs workload in the Boneh–Franklin IBE. Unfortunately, their scheme is based on the relaxed selective-ID model (Canetti et al., 2003 ), a weak security model. In the next year, Libert and Vergnaud (2009) based on the Boldyreva et al.’s RIBE to propose a more secure RIBE scheme under an adaptive-ID model, a strong security model. Seo and Emura (2013a) demonstrated Boldyreva et al.’s RIBE (Boldyreva et al., 2008 ) is vulnerable to the decryption key exposure. They also proposed a provably secure tree-based revocable ID-based encryption scheme. Subsequently, Seo and Emura (2013b) presented a hierarchical revocable ID-based encryption scheme which solved the open problem mentioned in the Libert–Vergnaud RIBE.

Tseng and Tsai (2012) proposed a practical RIBE scheme over a public channel. The key construction their scheme is different from the previous schemes (Boldyreva et al., 2008 , Libert and Vergnaud, 2009 , Seo and Emura, 2013a  and Seo and Emura, 2013b ). In the Tseng-Tsai RIBE, each users private key consists of a fixed initial private key and an updating time key, where the updating time key is renewed along with the current period. For an honest (non-revoked) user, the PKG periodically issues new time key and sends it to the user via a public channel. Upon receiving the new time key, the user can renew her/his private key by herself/himself. To revoke a malicious/misbehaviour user, the PKG only stops issuing the new time key in current period. In other words, the malicious/misbehaviour user cannot compute the newest private. She/he cannot execute any cryptographic behaviours in later periods. Later on, several revocable ID-based cryptographic schemes and protocols based on the key construction of the Tseng-Tsai RIBE were proposed such as encryption (Tsai et al., 2012  and Tsai et al., 2014 ), signature (Hung et al., 2014 , Tsai et al., 2013  and Wu et al., 2012a ), signcryption (Wu et al., 2012b ), and authenticated group key exchange (Wu et al., 2012  and Wu et al., 2014 ).

In this paper, we brief review Tseng and Tsais RIBE scheme which contains the underlying mathematical problems and assumptions, the framework of RIBE, a concrete RIBE scheme, the security notion of RIBE, the security analysis of RIBE (sketched), and a full RIBE scheme. We hope this review can help the readers to understand the Tseng and Tsais revocable ID-based public key cryptosystem.

Underlying mathematical problems and assumptions

Bilinear pairings

Bilinear pairings defined on elliptic curves over finite fields have been used to establish many ID-based cryptographic mechanisms. Let G₁ be an additive cyclic group of large prime order q and G₂ be a multiplicative cyclic group of the same order q . Specifically, particular, G₁ is a subgroup of the group of points on an elliptic curve over a finite field and G₂ is a subgroup of the multiplicative group over a finite field. A bilinear pairing is a map e : G₁  × G₁  → G₂ and satisfies the following three properties:

• Bilinear. e (aP , bQ ) = e (P , Q )^ab , for all P , Q  ∈ G₁ and ${\textstyle a,b\in Z_{q}^{_{\ast }}}$ .
• Non-degenerate. There exist P , Q  ∈ G₁ such that e (P , Q ) ≠ 1.
• Computable. For all P , Q  ∈ G₁ , there is an efficient algorithm to compute e (P , Q ).

A bilinear map that satisfies the above three properties is called an admissible bilinear map. Such non-degenerate admissible bilinear maps can be obtained from the Weil, Tate, or Ate pairings over supersingular elliptic curves or abelian varieties (Boneh and Franklin, 2003  and Chen et al., 2007 ). Some research results (Galbraith et al., 2008  and Wu and Tseng, 2010 ) for the relationship between security levels and speed of pairing computations on microprocessors were presented.

Bilinear Diffie–Hellman (BDH) assumption

The BDH assumption is often used in the security proof of ID-based encryption scheme. The BDH problem is described as follows. Given P , aP , bP , cP  ∈ G₁ for some ${\textstyle a,{\mbox{ }}b,{\mbox{ }}c\in Z_{q}^{_{\ast }}}$ , this problem is to compute the value e (P , P )^abc  ∈ G₂ . The BDH assumption is stated as follows.

Definition 1 BDH assumption.

Given an additive cyclic group G₁ and P , aP , bP , cP  ∈ G₁ for unknown ${\textstyle a,{\mbox{ }}b,{\mbox{ }}c\in Z_{q}^{_{\ast }}}$ , no probabilistic polynomial time (PPT) algorithm A with non-negligible probability which can compute e (P , P )^abc  ∈ G₂ . The successful probability (advantage) of A is presented as

${\displaystyle {\begin{array}{l}\displaystyle {\mbox{Adv}}_{A}=Pr[P\in G_{1},a,b,c\in Z_{q}^{_{\ast }}\vert A(P,aP,bP,cP)=e(P\\\displaystyle P)abc\in G_{2}]{\mbox{,}}\end{array}}}$

where the probability is over the random choice consumed by A .

Framework of the Tseng-Tsai RIBE

The Tseng-Tsai RIBE consists of two roles: a trusted PKG and users. Without loss of generality, the whole lifetime of the system is divided into distinct time periods 1, 2, …, z . For simplicity, these time periods may be viewed as 1 day, 1 week, or 1 month. The PKG selects a master secret key and generates public parameters. For a given users identity ID, the PKG computes his/her associated initial private key and sends it to the user via a secure channel. At the beginning of each time period, the PKG uses the master secret key to generate a time updating key for each non-revoked users identity ID and then sends them to users via a public channel. For a revoked user, it is unable to receive the associated time updating key in the current time period.

Remark 1.

For a RIBE, the point is that any sender can encrypt a message to some identity ID without concerning with the key updating process. In a RIBE, encrypting a message m to a receiver with identity ID during time period i that results in a ciphertext tuple (ID, i , C ). Upon receiving (ID, i , C ), a non-revoked user with the valid private key can recover the message m .

A RIBE with a public channel is a 5-tuple of polynomial-time algorithms (G , IKE , TKU , E , D ):

• System setup algorithm G is a probabilistic algorithm that takes as input a security parameter 1^k and the total number z of time periods. It returns a master private key and the public parameters Parms . The public parameters Parms are made public and implicitly inputted to all the following algorithms.
• Initial key extract algorithm IKE is a deterministic algorithm that takes as input the master private key s and a users identity ID ∈ {0, 1}*, and then returns the users initial secret key DID.
• Time key updating algorithm TKU takes as input the master private key s , a users identity ID ∈ {0, 1}* and a time period i , and then returns the users time update key TID_i .
• Encryption algorithm E takes as input a time period i , a message m and a users ID. Then it returns a ciphertext C .
• Decryption algorithm D takes as input a ciphertext C and an entire private key DID_i . Then it returns a plaintext m .

Remark 2.

The users entire private key DID_i for the time period i is not explicitly provided for the user. Each legitimate (non-revoked) user may obtain the corresponding entire decryption key DID_i by DID_i  = DID + TID_i , where the users initial private key DID is generated by the initial key extract algorithm and the users time updating key TID_i is periodically generated by the PKG along with time.

Concrete basic RIBE scheme

Basic RIBE scheme consists of five algorithms: the system setup, the initial key extract, the time key updating, the encryption, and the decryption algorithms.

• Decryption . Given a ciphertext C  = (U , V ), the receiver can use his/her entire decryption key to compute V  ⊕ H₂ (e (DID_i , U )) = m .
• System setup . Given a security parameter k and the total number z of time periods, a trusted private key generator (PKG) generates two groups G₁ , G₂ of prime order q  > 2^k , an admissible bilinear map e : G₁  × G₁  → G₂ and a generator P of G₁ . The PKG randomly chooses a master secret key ${\textstyle s\in Z_{q}^{_{\ast }}}$ and computes P_pub  = s ·P  ∈ G₁ as the system public key. The PKG picks three hash functions H₀ : {0, 1}* → G₁ , H₁ : {0, 1}* → G₁ , and H₂ : G₂  → {0, 1}ⁿ . The public parameters and functions are presented as Parms = {q , G₁ , G₂ , e , P , P_pub , H₀ , H₁ , H₂ }.
• Initial key extract . For a given users identity ID ∈ {0, 1}*, the PKG computes QID = H₁ (ID) and the associated initial secret key DID = s ·QID ∈ G₁ . Then DID is transmitted to the user via a secure channel.
• Time key updating . Given a non-revoked users identity ID and time period i , the PKG computes RID_i  = H₀ (ID, i ) and the associated users time update key TID_i  = s ·RID_i  ∈ G₁ for time period i . The PKG sends TID_i to the user using a public channel. Thus, the non-revoked user can update his/her entire private key DID_i  = D ID + TID_i for time period i .
• Encryption . In time period i , given a message m   and a non-revoked receiver with identity ID, a sender chooses a random number ${\textstyle r\in Z_{q}^{_{\ast }}}$ and computes QID_i  = QID + RID_i  = H₁ (ID) + H₀ (ID, i ). Then, the sender uses QID_i to compute U  = r ·P and V  = m  ⊕ H₂ (g^r ), where g  = e (QID_i , P_pub ). The ciphertext for the message m is C  = (U , V ).

Here, we present the correctness of the decryption equation as follows:

${\displaystyle {\begin{array}{cc}V\oplus H_{2}(e({\mbox{DID}}_{i},U))&=V\oplus H_{2}(e(s\cdot H_{1}({\mbox{ID}})+s\cdot H_{0}({\mbox{ID}},i),r\cdot P))\\{\mbox{ }}&=V\oplus H_{2}(e(s\cdot H_{1}({\mbox{ID}})+s\cdot H_{0}({\mbox{ID}},i),P)^{r})\\{\mbox{ }}&=V\oplus H_{2}(e(H_{1}({\mbox{ID}})+H_{0}({\mbox{ID}},i),s\cdot P)^{r})\\{\mbox{ }}&=V\oplus H_{2}(e({\mbox{QID}}_{i},P_{pub})^{r}).\end{array}}}$

Security analysis of basic RIBE scheme

Security notions

Tseng and Tsai followed the security requirement of IBE (Boneh and Franklin, 2001 ) to propose the requirements of RIBE. A RIBE is semantically secure against an adaptive CPA (IND-RID-CPA) if no PPT adversary A has a non-negligible advantage against the challenger B in the following IND-RID-CPA game:

• System setup. The challenger B runs the System setup algorithm . It gives the adversary A the resulting public parameters Parms and B keeps the master private key s .
• Phase 1. The adversary A may make a number of different queries adaptively to the challenger B as follows:
• Initial key extract query (ID). Upon receiving this query with ID, the challenger B runs the initial key extract algorithm IKE to return the users initial secret key DID to A .
• Time key updating query (ID, i ). The challenger B responds by running the time key update algorithm TKU to generate the users time updating key TID_i corresponding to the time period i and the identity ID. It returns TID_i to A .
• Challenge . The adversary A outputs a target plaintext pair (M₀ , M₁ ) and target identity (ID*, i *). A restriction here is that either ID* or (ID*, i *) did not appear in the initial key extract query or the time key updating query, respectively. The challenger B picks β  ∈ {0, 1} at random and creates a target ciphertext C * = E (ID*, i *, M_β ). Then the challenger B returns C * to A .
• Phase 2. The adversary A may issue more queries as follows:
• Initial key extract query (ID) as in Phase 1.
• Time key updating query (ID, i ) as in Phase 1.

The restriction here is that either ID* or (ID*, i *) is disallowed to be queried in the initial key extract query or the time key update query, respectively.

• Guess . The adversary A outputs its guess β ′ ∈ {0, 1} and wins this game if β ′ = β .

We refer to such an adversary A as an IND-RID-CPA adversary. We define the adversary A s advantage in attacking the RIBE as the following function of the security parameter k: Adv_A (k ) = |Pr[β ′ = β ] − 1/2|.

Definition 2.

We say that a RIBE is semantically secure against an adaptive CPA if, for any polynomial time IND-RID-CPA adversary A , the function Adv_A (k ) is negligible.

Then, a more secure security model than CPA model is introduced called CCA model. We say that a RIBE is semantically secure against an adaptive CCA (IND-RID-CCA) if no PPT adversary A has a non-negligible advantage against the challenger B in the following IND-RID-CCA game:

• System setup. As in the IND-RID-CPA game.
• Phase 1. The adversary A may make a number of different queries adaptively to the challenger B as follows:
• Initial key extract query (ID). As in the IND-RID-CPA game.
• Time key updating query (ID, i ). As in the IND-RID-CPA game.
• Decryption query (ID, i , C ). Upon receiving the query, the challenger B obtains an entire decryption key associated with (ID, i ) which is denoted by DID_i . The entire decryption key DID_i is implicitly obtained by issuing the initial key extract query (ID) and the time key update query (ID, i ). B runs the decryption algorithm D to decrypt the ciphertext C using this entire decryption key DID_i . Then it returns D (DID_i , C ) to A .
• Challenge . The adversary A outputs a target plaintext pair (M₀ , M₁ ) and target identity (ID*, i *). A restriction here is that either ID* or (ID*, i *) did not appear in the initial key extract query or the time key updating query, respectively. The challenger B picks β  ∈ {0, 1} at random and creates a target ciphertext C * = E (ID*, i *, M_β ). Then the challenger B returns C * to A .
• Phase 2. The adversary A may issue more queries as follows:
• Initial key extract query (ID) as in Phase 1.
• Time key update query (ID, i ) as in Phase 1.
• Decryption query (ID, i , C ). The challenger B responds as in Phase 1, where (ID, i , C ) ≠ (ID*, i *, C *).

The restriction here is that either ID* or (ID*, i *) is disallowed to be queried in the initial key extract query or the time key update query, respectively.

• Guess . The adversary A outputs its guess β ′ ∈ {0, 1} and wins this game if β ′ = β .

We refer to such an adversary A as an IND-RID-CCA adversary. We define the adversary A s advantage in attacking the RIBE as the following function of the security parameter k: Adv_A (k ) = |Pr[β ′ = β ] − 1/2|.

Definition 3.

We say that a RIBE is semantically secure against an adaptive CPA if, for any polynomial time IND-RID-CCA adversary A , the function Adv_A (k ) is negligible.

Remark 3.

In the IND-RID-CPA and IND-RID-CCA games, an adversary A is disallowed to issue both an initial key extract query on ID* and a time key update query on (ID*, i   *) because it is obvious that the users entire decryption key ${\textstyle {\mbox{DI}}{\mbox{D}}_{i}^{_{\ast }}}$ will be revealed. Hence, it is only allowed that the adversary A may issue either the initial key extract query on ID* or the time key updating query on (ID*, i *). If the initial key extract query   on ID* is allowed, it simulates the ability of a revoked user (an inside adversary) without the corresponding time key update key ${\textstyle {\mbox{TI}}{\mbox{D}}_{i}^{_{\ast }}}$ for time period i   *. On the other hand, an outside adversary is only allowed to obtain the time key update key ${\textstyle {\mbox{TI}}{\mbox{D}}_{i}^{_{\ast }}}$ for time period i *. Certainly, the adversary A is allowed to obtain the initial key and the time key for any other ID and any time period.

Security analysis (CPA)

Tseng and Tsai applied the work of Boneh and Franklin, (2001) to provide a tight security proof in the random model (Bellare and Rogaway, 1993  and Canetti et al., 2004 ). The following two theorems are given to show that the Basic RIBE scheme is semantically secure against adaptive CPA (IND-RID-CPA) for the outside adversary and the revoked user (or an inside adversary).

Theorem 1.

Suppose that the hash functions H₀, H₁, and H₂are random oracles. Then the basic RIBE is a semantically outsider-secure IBE scheme (IND-O-RID-CPA) assuming that the BDH problem is hard in groups generated by G. Concretely, assume that there is an outside adversary A that has advantage ɛ(k) against the Basic RIBE scheme. Suppose that A makes at most q_E  >  0 initial key extraction queries, q_U  >  0 time key updating queries, and q_Hi  >  0 queries to hash functions H_i(i  =  0, 1, 2). Then there is an algorithm B that solves the BDH problem in groups generated by G with advantage at least Adv_G,B(k)  =  2ɛ(k)/[e(1  +  q_E)·q_H2], where e is the base of the natural logarithm .

Theorem 2.

Suppose that the hash functions H₀, H₁, and H₂are random oracles. Then the basic RIBE is a semantically insider-secure IBE scheme (IND-I-RID-CPA) assuming that the BDH problem is hard in groups generated by G. Concretely, assume that there is an outside adversary A that has advantage ɛ(k) against the basic RIBE scheme. Suppose that A makes at most q_E  >  0 initial key extraction queries, q_U  >  0 time key updating queries, and q_Hi  >  0 queries to hash functions H_i(i  =  0, 1, 2). Then there is an algorithm B that solves the BDH problem in groups generated by G with advantage at least Adv_G,B(k)  =  2ɛ(k)/[e(1  +  q_U) ·q_H2], where e is the base of the natural logarithm .

Full RIBE scheme

Fujisaki and Okamoto (1999) presented a simple conversion from a weak public-key encryption scheme (IND-CPA) to a strong public-key encryption scheme (IND-CCA) in the random oracle model. Kitagawa et al. (2006) proposed an improvement on Fujisaki and Okamotos (1999) conversion to IBE. They can transform a weak IBE scheme (IND-ID-CPA) to a strong IBE scheme (IND-ID-CCA). In Kitagawa et al.’s conversion, a weak IBE scheme (IND-ID-CPA) must be γ -uniformity, where γ -uniformity means that the used hash functions are random oracles. Meanwhile, the weak IBE scheme must be proved to be semantically secure against an adaptive CPA (IND-RID-CPA). Meanwhile, an extra hash function (also random oracle) must be added to the system to achieve strong IBE scheme.

Based on the basic RIBE scheme (IND-RID-CPA), Tseng and Tsai applied the transformation technique (Kitagawa et al., 2006 ) to construct the full RIBE scheme (IND-RID-CCA). The full RIBE scheme consists of five algorithms that include the system setup , the initial key extract , the time key updating , the encryption , and the decryption algorithms.

• System setup   . As in the basic RIBE scheme. In addition, the other hash function ${\textstyle H_{3}:{\mbox{ }}\lbrace 0,1\rbrace ^{l}\times \lbrace 0,1\rbrace ^{n-l}\times \lbrace 0,l\rbrace ^{_{\ast }}\rightarrow Z_{q}^{_{\ast }}}$ is needed.
• Initial key extract . As in the basic RIBE scheme.
• Time key updating . As in the basic RIBE scheme.
• Encryption . In time period i , given a message m  ∈ {0, 1}^l and a non-revoked receiver with identity ID, a sender chooses a random number σ  ∈ {0, 1}^{n −l} and sets r  = H₃ (m , σ , ID). Then the sender computes QID_i  = QID + RID_i  = H₁ (ID) + H₀ (ID, i ) and uses QID_i to compute U  = r ·P and V  = (m ||σ ) ⊕ H₂ (g^r ), where g  = e (Q ID_i , P_pub ). The ciphertext for the message is C  = (U , V ).
• Decryption . Given a ciphertext C  = (U , V ), the non-revoked receiver with identity ID can use his/her entire private key DID_i to do the following procedures:
• Computing V  ⊕ H₂ (e (DID_i , U )) = m ′ and let [m ′]^l  = m and [m ′]^{n −l}  = σ , where [a ]^b and [a ]_b denote the first and the last b bits of a string a , respectively.
• Testing that (H₃ (m , σ , ID)·P , m ′ ⊕ H₂ (g^r )) = (U , V ) = C . If it does not hold, then the receiver rejects it.
• Outputting m as the decryption of C .

For the general transformation from a basic IBE scheme with γ -uniformity to a full IBE scheme, Kitagawa et al. have already given a theorem to prove the security of the full IBE scheme (IND-ID-CCA) using the basic IBE scheme (IND-ID-CPA). Here, we introduce their theorem. Without loss of generality, let Π₁ and Π₂ be the basic IBE scheme and the full IBE scheme, respectively. An extra hash function is ${\textstyle H:{\mbox{ }}\lbrace 0,1\rbrace ^{l}\times \lbrace 0,1\rbrace ^{n-l}\times \lbrace 0,l\rbrace ^{_{\ast }}\rightarrow Z_{q}^{_{\ast }}}$ .

Theorem 3.

Suppose that the hash function H is a random oracle and Π₁is a γ-uniform basic IBE scheme. Let A be an IND-ID-CCA adversary that has an advantage ɛ(k) against the full IBE scheme Π₂. Suppose the challenger B makes at most q_H  >  0 queries to hash function H, q_E  >  0 initial key extraction queries, and q_D  >  0 decryption queries. Then, there is an IND-ID-CPA adversary that has advantage at least (ɛ(k)  +  1/2  −  q_H/2^n−l)·(1  −  γq_D)  −  1/2 against the basic IBE scheme Π₁ .

Since the hash functions used in the basic RIBE scheme are random oracles, it is γ -uniformity ( Fujisaki and Okamoto, 1999  and Kitagawa et al., 2006 ). The full RIBE scheme is constructed from basic RIBE scheme by applying the general transformation technique proposed by Kitagawa et al. (2006) . Thus, we can enjoy Theorem 3 to obtain two theorems, directly. The following two theorems state that the full RIBE is semantically outsider-secure (IND-O-RID-CCA) and insider-secure (IND-I-RID-CCA) based on the basic RIBE scheme.

Theorem 4.

Suppose that the hash function H₃is a random oracle. Let A be an outsider adversary (IND-O-RID-CCA) which has advantage ɛ(k) against the full RIBE scheme. Suppose the challenger B makes at most q_Hi  >  0 queries to hash functions H_i(i  =  0, 1, 2, 3), q_E  >  0 initial key extraction queries, q_U  >  0 time key updating queries, and q_D  >  0 decryption queries. Then there is an outsider adversary (IND-O-RID-CPA) that has advantage at least (ɛ(k)  +  1/2  −  q_H3/2^n−l)·(1  −  γq_D)  −  1/2 against the basic RIBE scheme .

Theorem 5.

Suppose that the hash function H₃is a random oracle. Let A be an insider adversary (IND-I-RID-CCA) which has advantage ɛ(k) against the full RIBE scheme. Suppose the challenger B makes at most q_Hi  >  0 queries to hash functions H_i(i  =  0, 1, 2, 3), q_E  >  0 initial key extraction queries, q_U  >  0 time key updating queries, and q_D  >   0 decryption queries. Then there is an outsider adversary (IND-I-RID-CPA) that has advantage at least (ɛ(k)  +  1/2  −  q_H3/2^n−l)·(1  −  γq_D)  −  1/2 against the basic RIBE scheme .

Conclusion

In this paper, we have given a brief review of Tseng and Tsais RIBE. We have introduced the underlying mathematical problems and assumptions, framework of RIBE, two concrete RIBE schemes (basic RIBE and full RIBE), sketched security analysis of two RIBE schemes. For the details of security analysis, readers can refer to the full paper.

Conflict of interest

The authors declare that there is no conflict of interest.

Acknowledgements

This publication has been created within the project Support of VŠB-TUO activities with China with financial support from the Moravian-Silesian Region and partially was supported by the grant SGS reg. no. SP2015/82 conducted at VSB-Technical University of Ostrava, Czech Republic, and was partially supported by the Natural Scientific Research Innovation Foundation in Harbin Institute of Technology under grant no. HIT.NSRIF.2015089, by the National Natural Science Foundation of China under grant no. 61402135, by the Shenzhen Strategic Emerging Industries Program of China under grant no. ZDSY20120613125016389.

References

1. Bellare and Rogaway, 1993 M. Bellare, P. Rogaway; Random oracles are practical: a paradigm for designing efficient protocols; Proceedings of the 1st ACM Conference on Computer and Communications Security (1993), pp. 62–73
2. Boldyreva et al., 2008 A. Boldyreva, V. Goyal, V. Kumart; Identity-based encryption with efficient revocation; Proceedings of the 15th ACM Conference on Computer and Communications Security (2008), pp. 417–426
3. Boneh and Franklin, 2003 D. Boneh, M. Franklin; Identity-based encryption from the Weil pairing; SIAM J. Comput., 32 (3) (2003), pp. 586–615 Preliminary version: Advances in Cryptology – CRYPTO 2001, LNCS 2139, 213–229.
4. Canetti et al., 2004 R. Canetti, O. Goldreich, S. Halevi; The random oracle methodology, revisited; J. ACM, 51 (2004), pp. 557–594
5. Canetti et al., 2007 R. Canetti, S. Halevi, J. Katz; A forward-secure public key encryption scheme; J. Cryptol., 20 (3) (2007), pp. 265–294 Preliminary version: Advances in Cryptology – EUROCRYPT 2003, LNCS 2656, 255–271.
6. Chen et al., 2007 L. Chen, Z. Cheng, N.P. Smart; Identity-based key agreement protocols from pairings; Int. J. Inf. Secur., 6 (2007), pp. 213–241
7. Diffie and Hellman, 1976 W. Diffie, M.E. Hellman; New directions in cryptography; IEEE Trans. Inf. Theory, 22 (6) (1976), pp. 644–654
8. ElGamal, 1985 T. ElGamal; A public key cryptosystem and a signature scheme based on discrete logarithms; IEEE Trans. Inf. Theory, 31 (4) (1985), pp. 469–472
9. Fujisaki and Okamoto, 1999 E. Fujisaki, T. Okamoto; How to enhance the security of public key encryption at minimum cost; Proceedings of 2nd International Workshop on Practice and Theory in Public Key Cryptography, LNCS 1560 (1999), pp. 53–68
10. Galbraith et al., 2008 S. Galbraith, K. Paterson, N.P. Smart; Pairings for cryptographers; Discrete Appl. Math., 156 (2008), pp. 3113–3121
11. Housley et al., 2002 R. Housley, W. Polk, W. Ford, D. Solo; Internet X.509 public key infrastructure certificate and certificate revocation list (CRL) profile, RFC 3280; IETF, CA (2002)
12. Hung et al., 2014 Y.H. Hung, T.T. Tsai, Y.M. Tseng, S.S. Huang; Strongly secure revocable ID-based signature without random oracles; Inf. Technol. Control, 43 (3) (2014), pp. 264–276
13. Kitagawa et al., 2006 T. Kitagawa, P. Yang, G. Hanaoka, R. Zhang, K. Matsuura, H. Imai; Generic transforms to acquire CCA-security for identity based encryption: the cases of FOPKC and REACT; Proceedings of 11th Australasian Conference on Information Security and Privacy, LNCS 4058 (2006), pp. 348–359
14. Libert and Vergnaud, 2009 B. Libert, D. Vergnaud; Adaptive-ID secure revocable identity-based encryption; Top. Cryptol. – CT-RSA, LNCS 5473 (2009), pp. 1–15
15. Rivest et al., 1978 R. Rivest, A. Shamir, L. Adleman; A method for obtaining digital signatures and public key cryptosystems; CACM, 21 (2) (1978), pp. 120–126
16. Seo and Emura, 2013a J.H. Seo, K. Emura; Revocable identity-based encryption revisited: security model and construction; Proceedings of 16th International Conference on Practice and Theory in Public Key Cryptography, LNCS 7778 (2013), pp. 216–234
17. Seo and Emura, 2013b J.H. Seo, K. Emura; Efficient delegation of key generation and revocation functionalities in identity-based encryption; Top. Cryptol. – CT-RSA, LNCS 7779 (2013), pp. 343–358
18. Shamir, 1984 A. Shamir; Identity-based cryptosystems and signature schemes; Adv. Cryptol. – CRYPTO, LNCS 196 (1984), pp. 47–53
19. Tsai et al., 2012 T.T. Tsai, Y.M. Tseng, T.Y. Wu; A fully secure revocable ID-based encryption in the standard model; Informatica, 23 (3) (2012), pp. 487–505
20. Tsai et al., 2013 T.T. Tsai, Y.M. Tseng, T.Y. Wu; Provably secure revocable ID-based signature in the standard model; Secur. Commun. Netw., 6 (10) (2013), pp. 1250–1260
21. Tsai et al., 2014 T.T. Tsai, Y.M. Tseng, T.Y. Wu; RHIBE: constructing revocable hierarchical ID-based encryption from HIBE; Informatica, 25 (2) (2014), pp. 299–326
22. Tseng and Tsai, 2012 Y.M. Tseng, T.T. Tsai; Efficient revocable ID-based encryption with a public channel; Comput. J., 55 (4) (2012), pp. 475–486
23. Wu et al., 2012 T.Y. Wu, T.T. Tsai, Y.M. Tseng; Revocable ID-based signature scheme with batch verifications; Proceedings of the 8th International Conference on Intelligent Information Hiding and Multimedia Signal Processing (2012), pp. 49–54
24. Wu et al., 2012a T.Y. Wu, T.T. Tsai, Y.M. Tseng; A revocable ID-based signcryption scheme; J. Inf. Hiding Multimedia Signal Process., 3 (3) (2012), pp. 240–251
25. Wu and Tseng, 2010 T.Y. Wu, Y.M. Tseng; An ID-based mutual authentication and key exchange protocol for low-power mobile devices; Comput. J., 53 (7) (2010), pp. 1062–1070
26. Wu et al., 2012b T.Y. Wu, Y.M. Tseng, T.T. Tsai; A revocable ID-based authenticated group key exchange protocol with resistant to malicious participants; Comput. Netw., 56 (12) (2012), pp. 2994–3006
27. Wu et al., 2014 T.Y. Wu, T.T. Tsai, Y.M. Tseng; A provably secure revocable ID-based authenticated group key exchange protocol with identifying malicious participants; Sci. World J., 2014 (2014) Article ID 367264, 10 pp.