Keywords

1 Introduction

Certificateless public key cryptography (CL-PKC), which was originally introduced by Al-Riyami and Paterson [1], represents an interesting and potentially useful balance between identity-based cryptography (ID-PKC) and public key cryptography (PKC) based on public key infrastructure (PKI). It eliminates the key escrow associated with identity-based cryptography without requiring the introduction of public key certificates. In CL-PKC, a key generation center (KGC) is involved in issuing partial private keys computed from the master secret for users. Each user also independently generates a secret value and the corresponding public key for itself. Cryptographic operations can then be performed successfully only when both a user partial private key and its secret value are obtained. An attacker who knows only one of them should not be able to impersonate the user to carry out any cryptographic operation such as decrypting or signing.

Since the KGC is no longer fully trusted, there are two different types of adversaries [1, 8] in CL-PKC. A Type I adversary is able to compromise a user secret value and/or replace the user public key with some values chosen by the adversary. However, it does not know the user partial private key and the master secret key. Comparing with a Type I adversary, a Type II adversary knows the master secret key (and hence knows the partial private key of any user), but does not know the user secret value or being able to replace the user public key. Up to now, a number of CLE schemes [1, 4, 6, 7, 10, 14, 18] that can withstand the attacks of both types of adversaries have been available.

In 2007, Au et al. introduced the original concept of malicious key generation center [3] in CL-PKC. They pointed out that the malicious KGC is an important but seemingly previously neglected security concern in CL-PKC. In their improved security model, they allow the malicious KGC to launch the Type II attack at the beginning of the system initialization. That is the KGC may maliciously generate (by setting some trapdoors) the master public/secret key pair so that it may compromise the security of the resulting certificateless cryptosystem. As we no longer fully trust the KGC, a secure CL-PKC system should require that the KGC cannot get a non-negligible advantage in attacking a certificateless cryptosystem even if it is malicious. As all of those CLE schemes proposed before 2007 have an implicit assumption that the KGC always generates the master public/secret key pair honestly according to the scheme specification in their security model, most of them are insecure against malicious KGC attacks.

Since the introduction of malicious KGC, some attentions have been paid to the construction of secure CL-PKC systems which can withstand malicious KGC attacks. Several papers in this line of research have been available (The summary from the Table 1). In 2007, Huang et al. introduced the earliest secure generic CLE scheme (HW Scheme) [11] without random oracle. In 2008, Hwang et al. proposed a concrete CLE scheme (Hwang scheme) [13] in the standard model and claimed that their scheme was secure against the malicious KGC attack. Unfortunately, Zhang et al. later pointed out that Hwang scheme could not withstand the key replacement attack in [20]. Although Hwang et al. especially emphasize that their scheme could resist malicious KGC attacks, we find that the Hwang scheme is not secure against a traditional type II adversary/malicious KGC. In 2009, Zhang et al. presented a CLE scheme (ZW scheme) with a shorter public key without using random oracle. They proved the security of their scheme in the standard model and claimed it could resist malicious KGC attacks. Regrettably, Shen et al. [15] remarked that Zhang et al.’s security proof is not sound and their security conclusion is wrong. They showed that the ZW scheme is vulnerable to attacks of an ordinary type II adversary let alone malicious KGC attacks. In 2010, Huang et al. also proposed an improved generic CLE scheme [12] in the standard model. Unfortunately, they still did not give a concrete CLE scheme. As far as we know, until 2014, Yang et al. [19] constructed a CLE scheme secure against malicious KGC without random oracles (YZ scheme). Nevertheless, its security depends on the total number of partial private key extraction queries made by an adversary. So, it seems that there are few concrete secure CLE schemes withstanding malicious KGC attacks.

Table 1. Security comparison
Full size table

In this paper, we first demonstrate that Hwang et al.’s security proof in [13] is not sound by giving concrete Type II attacks according to their security model. We then present a new CLE scheme and rigorously prove that our construction is secure against both Type I adversaries and malicious KGCs under the Decisional Bilinear Diffie-Hellman assumption without random oracles.

Note that, it seems to be somewhat self-contradictory [11] if we require a certificateless encryption scheme to be secure against both the Type I adversaries with access to the strong decryption oracle and the malicious KGC adversaries. The reason is as follows. If a type I adversary is allowed to assess the strong decryption oracle, the challenger (who knows the master secret) can successfully answer the decryption queries without knowing the secret value corresponding to the public key used in producing the ciphertext. Then, employing the same strategy as the strong decryption oracle for type I adversaries, the malicious KGC should also be able to decrypt any ciphertext. Based on this observation, in our security model, if the public key has been replaced, when making some decryption queries or private key extraction queries, the Type I adversaries are required to provide the corresponding secret value to the challenger. That is, the Type I adversary cannot access to the strong decryption oracle.

The rest of this paper is organized as follows. Some preliminaries and the security notions for CLE schemes are given in Sect. 2. Then, the insecurity of the Hwang scheme against type II adversaries is analyzed in Sect. 3. Our new CLE scheme is put forward in Sect. 4. And in Sect. 5 we give security analysis and performance analysis of our new scheme. Finally we present our conclusions in Sect. 6.

2 Preliminaries

We briefly introduce some basic notions used in this paper, namely bilinear pairings, complexity assumptions and the basic concepts of certificateless public key encryption schemes.

2.1 Bilinear Pairings and Complexity Assumptions

Definition 1

(Bilinear Pairing). Suppose G and \(G_T\) are two multiplicative cyclic groups of the same prime order p. We call a map \(\hat{e}:G \times G \rightarrow G_T\) a bilinear pairing (or a bilinear map) if it satisfies the following conditions:

  1. 1.

    Bilinearity: \(\hat{e}(u^a,v^b) = \hat{e}(u,v)^{ab}\) for all \(u,v \in G\) and all \(a,b\in Z^*_p\).

  2. 2.

    Non-degeneracy: \(\hat{e}(u,u) \ne 1\) for some \(u\in G\).

  3. 3.

    Computability: for any \(u,v\in G\), \(\hat{e}(u,v)\) can be computed efficiently.

Next, we recall the following intractability assumptions related to the security of our scheme.

Definition 2

(Decisional Bilinear Diffie-Hellman (DBDH) Assumption). Let \((G, G_T, \hat{e})\) be groups and a bilinear map as in definition 1. Let \(a,b,c,z \in Z_p^*\) be chosen at random and g be a generator of G. The \((t,\epsilon )\)-DBDH assumption in \((G, G_T, \hat{e})\) is that no probabilistic polynomial-time algorithm \(\mathcal {A}\) can distinguish the tuple \((A=g^a,B=g^b,C=g^c,\hat{e}(g,g)^{abc})\) from the tuple \((A=g^a,B=g^b,C=g^c,\hat{e}(g,g)^z)\) with a non-negligible advantage \(\epsilon \) in time t, where the advantage of \(\mathcal {A}\) is defined as

$$\begin{aligned} Adv_\mathcal {A}^{DBDH}= & {} |Pr[\mathcal {A}(g,g^a,g^b,g^c,\hat{e}(g,g)^{abc})=1]\\&-Pr[\mathcal {A}(g,g^a,g^b,g^c,\hat{e}(g,g)^z)=1]| \end{aligned}$$

Definition 3

(Collision Resistant (CR) Assumption). A hash function \(H \leftarrow \mathcal {H}(k)\) is collision resistant if for all PPT algorithms \(\mathcal {A}\) the advantage

$$\begin{aligned} Adv^{CR}_A(k)= & {} Pr[H(x)=H(y)\wedge x \ne y | (x,y) \leftarrow \mathcal {A}(1^k,H) \wedge H \leftarrow \mathcal {H}(k)] \end{aligned}$$

is negligible as a function of the security parameter.

2.2 Security Definitions

A certificateless public key encryption scheme [1] is specified by seven algorithms: Setup\((1^k)\), ExtPPriK(mpkmskID), SetSecV(mpkID), SetPubK\((mpk, sv_{ID})\), SetPriK\((mpk, sv_{ID}, d_{ID})\), Encrypt\((mpk, PK_{ID}, ID, M)\), Decrypt\((mpk, SK_{ID}, C)\). The description of each algorithm is as follows:

  • Setup\((1^k)\): Taking a security parameter k as input, the KGC runs this probabilistic polynomial time (PPT) algorithm to output a randomly chosen master secret key msk and a master public key mpk.

  • ExtPPriK(mpkmskID): Taking the master public key mpk, the master secret key msk, and a user’s identity ID as input, the KGC runs this PPT algorithm to generate the partial private key \(d_{ID}\) for the user with identity ID.

  • SetSecV(mpkID): Taking the master public key mpk and a user’s identity ID as input, the user with identity ID runs this PPT algorithm to output a secret value \(sv_{ID}\).

  • SetPubK\((mpk, ID, sv_{ID})\): Taking the master public key mpk and the user’s secret value \(sv_{ID}\) as input, the user with identity ID runs this algorithm to output a public key \(PK_{ID}\).

  • SetPriK\((mpk, sv_{ID}, d_{ID})\): Taking the master public key mpk, the user’s secret key \(sv_{ID}\), and the user’s partial private key \(d_{ID}\) as input, the user with identity ID runs this PPT algorithm to generate a private key \(SK_{ID}\).

  • Encrypt\((mpk, PK_{ID}, ID, M)\): Taking a plaintext M, the master public key mpk, a user’s identity ID and its public key \(PK_{ID}\) as input, a sender runs this PPT algorithm to create a ciphertext C.

  • Decrypt\((mpk, SK_{ID}, C)\): Taking the master public key mpk, the user’s private key \(SK_{ID}\), and a ciphertext C as input, the user as a recipient runs this deterministic algorithm to get a decryption \(\sigma \), which is either a plaintext message or a “reject” message.

IND-CLE-CCA2 security:

As defined in [1], there are two types of security for a CLE scheme, Type I security and Type II security, along with two types of adversaries, \(\mathcal {A_I}\) and \(\mathcal {A_{II}}\) [1] respectively. The original model believes that the KGC honestly generates the master public key and master secret key pairs. However, in our security model, the KGC can maliciously generate them [3] by setting some trapdoors. Therefore, we allow a type II adversary generate all public parameters in any way it favours, which matches better with the original motivation of the CL-PKC.

Definition 4

(IND-CLE-CCA2). A certificateless public key encryption scheme is semantically secure against an adaptive chosen cipher-text attack (IND-CLE-CCA2 secure) if no PPT adversary \(\mathcal {A}\) of Type I or Type II has a non-negligible advantage in the following game played against the challenger:

  1. (1)

    If \(\mathcal {A}\) is a Type I attacker, the challenger takes a security parameter k and runs the Setup algorithm of the CLE scheme. It gives \(\mathcal {A}\) the master public key mpk, and keeps the master secret key msk to itself. Otherwise, the challenger invokes \(\mathcal {A}\) (type II adversary, it may be a malicious KGC)to get mpk and msk.

  2. (2)

    \(\mathcal {A}\) is given access to the following oracles:

    • Request Public Key \(\mathcal {O}_{PubK}(ID)\): With a user’s ID as input, the oracle computes \(sv_{ID}= SetSecV(mpk, ID)\) and \(PK_{ID}= SetPubK(mpk, ID, sv_{ID})\). It returns \(PK_{ID}\) to \(\mathcal {A}\).

    • Extract Partial Private Key \(\mathcal {O}_{ParPriK}(ID)\): With a user’s ID as input, compute \(d_{ID}=ExtPPriK\) (mpkmskID). Return \(d_{ID}\) to \(\mathcal {A}\). (Note that this is only useful to a Type I attacker.)

    • Extarct Private Key \(\mathcal {O}_{PriK}(ID)\): With a user’s ID as input, compute \(SK_{ID}=SetPriK(mpk, d_{ID}, sv_{ID})\), then return it to \(\mathcal {A}\). Note that if the corresponding public key has been replaced by the Type I attacker, when making the private key request query, the attacker \(\mathcal {A}\) is required to provide the corresponding secret value \(sv_{ID}\) to the challenger.

    • Replace Public Key \(\mathcal {O}_{RepPK}(ID,PK_{ID})\): With a user’s identity ID and a valid public key \(PK_{ID}\) as input, replace the public key of user ID with \(PK_{ID}\) and return \(\top \) if \(PK_{ID}\) is not a valid public key. Otherwise, return \(\bot \). (Note that this is only useful to a Type I attacker.)

    • Request Decrypt \(\mathcal {O}_{Dec}(ID,PK_{ID},C)\): On input an identity ID, a public key \(PK_{ID}\), together With a ciphertext \(\mathcal {C}\), compute \(m= Decrypt(mpk, SK_{ID}, C)\) and return it to \(\mathcal {A}\) if \(\sigma \) is a valid ciphertext, where \(SK_{ID}\) is the secret key corresponding to \(PK_{ID}\). Otherwise, return \(\bot \). Note that if the corresponding public key has been replaced, the Type I attacker is required to provide the corresponding secret value \(sv_{ID}\) to the challenger \(\mathcal {C}\) in order to correctly decrypt the ciphertext under the replaced public key.

  3. (3)

    After making the oracle queries a polynomial number of times, \(\mathcal {A}\) outputs and submits two messages \((M_0,M_1)\), together with an identity \(ID^*\). The challenger picks a random bit b from \(\{ 0, 1 \}\) and computes the challenging ciphertext \(C^*=Encrypt(mpk,PK_{ID^*},ID^*,M_b)\) and delivers it to \(\mathcal {A}\).

  4. (4)

    \(\mathcal {A}\) makes a new sequence of queries as in Step(2).

  5. (5)

    \(\mathcal {A}\) outputs a bit \(b'\) as its guess to b. \(\mathcal {A}\) wins the game if \(b'=b\) and the following conditions are satisfied:

    • At any time, \(ID^*\) has not been submitted to extract the private key.

    • In Step(4), \(\mathcal {O}_{Dec}(ID^*,PK_{ID^*},C^*)\) has not been submitted for Decryption.

    • With a Type I attacker, \(ID^*\) has not been submitted to both the Replace Public Key before Step(3) and the Extract Partial Private Key at any step.

We define \(\mathcal {A}\)’s advantage in this game as

$$\begin{aligned} Adv^{IND-CCA2}_{CLE}(\mathcal {A})= |Pr[b'=b]- \frac{1}{2}| \end{aligned}$$

3 Security Analysis of Hwang Scheme

In this section, we show that the Hwang scheme [13] is insecure against the attack of ordinary type II adversaries, and hence cannot withstand malicious KGC attacks.

3.1 Review of Hwang Scheme

  • Setup(\(1^k\)): The KGC chooses groups G and \(G_T\) of prime order p such that a pairing \(\hat{e}:G\times G \rightarrow G_T\) can be constructed and selects a generator g of G. It picks random values \(\alpha , \beta , \mu ', \mu _1,\ldots ,\mu _n, \nu ', \nu _1,\ldots ,\nu _n\) in \(Z_p^*\) and computes \(g_1=g^\alpha \), \(h=\hat{e}(g^\alpha , g^\beta )\), \(u'=g^{\mu '}\), \(u_1=g^{\mu _1},\ldots ,u_n=g^{\mu _n}\), \(v'=g^{\nu '}\), \(v_1=g^{\nu _1},\ldots ,v_n=g^{\nu _n}\), where n is the length of an identity in binary string representation. Let \(H:\{0,1\}^* \rightarrow \{0,1\}^n\) be a collision-resistant hash function. The master public key is \(mpk=(\hat{e},G,G_T,g,g_1,h,u',u_1,\ldots ,u_n,v',v_1,\ldots ,v_n,H)\) and the master secret key is \(msk=(\alpha , \beta , \mu ', \mu _1,\ldots , \mu _n, \nu ', \nu _1,\ldots ,\nu _n)\).

  • ExtPPriK(mpkmskID): Let ID be a bit string of length n and ID[i] be its i-th bit. Let \(\mathcal {U} \subset \{ 1,2,\ldots ,n\}\) be the set of indices i such that \(ID[i]=1\). The KGC picks a random value \(r\in Z_p^*\) and computes

    $$\begin{aligned} d_{ID}=(psk_1,psk_2)=(g_1^\beta \cdot F_u(ID)^r,g^r) \qquad where \quad F_u(ID)=u'\prod _{i\in \mathcal {U}}u_i. \end{aligned}$$

    \(d_{ID}\) is secretly delivered to the user with identity ID as its partial private key.

  • SetSecV(mpkID): The user with identity ID Picks at random an \(x_{ID}\in Z_p^*\) as its secret value \(sv_{ID}\).

  • SetPubK\((mpk, ID, sv_{ID})\): The user with identity ID computes its public key \(pk_{ID}=(X_{ID},\sigma _{ID})\), where \(X_{ID}=h^{x_{ID}}\) and \(\sigma _{ID}\) is the Schnorr one-time signature using \(x_{ID}\) as the signing key and \((h, X_{ID}=h^{x_{ID}})\) as the verification key. (The message can be any arbitrary string which can be included in mpk. The signature can be generated using the technique of Fiat-Shamir transform without random oracles as described in [5].)

  • SetPriK\((mpk, sv_{ID},d_{ID})\): The user ID picks \(r'\) randomly from \(Z^*_p\) and computes the private key \(SK_{ID}=(sk_1,sk_2)\) as

    $$\begin{aligned} (sk_1,sk_2)=(psk_1^{x_{ID}}\cdot F_u(ID)^{r'},psk_2^{x_{ID}}\cdot g^{r'})=(g_1^{\beta x_{ID}}\cdot F_u(ID)^{rx_{ID}+r'}, g^{rx_{ID}+r'}). \end{aligned}$$

  • Encrypt(\(mpk,PK_{ID},ID,m\)): To encrypt \(m\in G_T\), first check whether the public key \(X_{ID}\) is correctly formed, by checking whether \(\sigma _{ID}\) is a valid signature using \((h, X_{ID})\) as the verification key. If not, output \(\bot \) and abort the algorithm. Otherwise, select a random value \(s \in Z_p^*\) and compute

    $$\begin{aligned} C=(C_0,C_1,C_2,C_3)=(m \cdot (X_{ID})^s, g^s, F_u(ID)^s, F_v(w)^s) \end{aligned}$$

    where \(w=H(C_0,C_1,C_2,ID,PK_{ID})\in \{ 0,1 \}^n\) and \(F_v(w)=v'\prod ^n_{j=1}v_j^{w_j}\).

  • Decrypt(\(mpk,SK_{ID},C\)): For a ciphertext \(C=(C_0,C_1,C_2,C_3)\), check that

    $$\begin{aligned} \hat{e}(C_1,F_u(ID)\cdot F_v(w))=\hat{e}(g, C_2C_3) \end{aligned}$$

    where \(w=H(C_0,C_1,C_2,ID,PK_{ID})\in \{ 0,1 \}^n\). If not, output \(\bot \). Otherwise, compute

    $$\begin{aligned} m=C_0 \cdot \hat{e}(C_2,sk_2)/\hat{e}(C_1,sk_1). \end{aligned}$$

3.2 Analysis of Hwang Scheme

Hwang et al. [13] claimed their scheme is semantically secure even in the strengthened model considering the malicious KGC attack. Unfortunately, their conclusion is not sound. We show a concrete type II attack to their scheme which indicates Hwang scheme is vulnerable to type II adversaries including malicious KGCs. Our attack is depicted as follows.

  • If the adversary \(\mathcal {A_{II}}\) is an ordinary type II adversary, the challenger \(\mathcal {C}\) takes a security parameter k and runs the Setup algorithm. It gives \(\mathcal {A_{II}}\) the master secret key msk and publishes the master public key mpk. If the adversary \(\mathcal {A_{II}}\) is a malicious KGC, the challenger \(\mathcal {C}\) invokes \(\mathcal {A_{II}}\) to get mpk and msk.

  • In phase 1, adversary \(\mathcal {A_{II}}\) needs not to issue any query.

  • In the challenge phase, the adversary \(\mathcal {A_{II}}\) picks uniformly at random an identity \(ID^*\) and two plaintexts \( M_0,M_1 \in G_T^2\). Then, \(\mathcal {A_{II}}\) is given a challenge ciphertext \(C^*=Encrypt(mpk,pk_{ID^*},ID^*,M_\gamma )\), where \(\gamma \) is the random bit chosen from \(\{0,1\}\) by the challenger. Recall that \(\mathcal {A_{II}}\)’s goal is to correctly guess the value \(\gamma \). Note that according to algorithm Encrypt, the ciphertext \(C^*=(C^*_0,C^*_1,C^*_2,C^*_3)\) is of the following form:

    $$\begin{aligned} C_0^*=M_\gamma \cdot (X_{ID^*})^s,C_1^*=g^s,C_2^*=F_u(ID^*)^s,C_3^*=F_v(w^*_\gamma )^s=(v'\prod _{j\in \mathcal {W^*}_\gamma }v_j)^s \end{aligned}$$

    where \(s\in _R Z^*_p\), \(w^*_\gamma =H(C^*_0,C^*_1,C^*_2,ID^*,pk_{ID^*})\in \{ 0,1 \}^n\) and \(\mathcal {W}^*_\gamma =\{j|w^*_\gamma [j]=1,1,2,\ldots ,n\}\).

  • In phase 2, adversary \(\mathcal {A_{II}}\) first randomly picks \(s'\in Z_p^*\) and generates another ciphertext \(C'=(C'_0,C'_1,C'_2,C'_3)\) with

    $$\begin{aligned} C_0'=C_0^*\cdot (X_{ID})^{s'},C_1'=C_1^* \cdot g^{s'}, C_2'=C_2^*\cdot F_u(ID^*)^{s'}, \end{aligned}$$
    $$\begin{aligned} C_3'= {{(C_1')^{\nu '+\sum _{j\in \mathcal {W'_\gamma }}\nu _j}}}=F_v(w'_\gamma )^{s+s'}, \end{aligned}$$

    where \(w'_\gamma =H(C_0',C_1',C_2',ID^*,pk_{ID^*})\in \{ 0,1 \}^n\) and \(\mathcal {W}'_\gamma =\{j|w'_\gamma [j]=1, j=1,2,\ldots ,n\}\). Note that \(C'=(C'_0,C'_1,C'_2,C'_3)\) is another valid ciphertext of message \(M_\gamma \) encrypted under identity ID and the public key \(PK_{ID}\).

Next, the adversary \(\mathcal {A_{II}}\) issues a decryption query \(\mathcal {O}_{Dec}(ID^*,PK_{ID^*},C')\). That is it submits the ciphertext \(C'\) to the challenger for decryption under the identity \(ID^*\) and the public key \(PK_{ID^*}\). Recall that according to the restrictions specified in the security model, it is legal for \(\mathcal {A_{II}}\) to issue such a query since \(C^* \ne C'\). So, the challenger has to return the underlying message \(M_\gamma \) to \(\mathcal {A_{II}}\). With \(M_\gamma \), adversary \(\mathcal {A_{II}}\) can certainly know the value \(\gamma \), and then wins in the game. Thus, the Hwang scheme is insecure against chosen ciphertext attack of a type II adversary including malicious KGC.

4 Our CLE Scheme

Our new scheme below is motivated from the identity-based encryption scheme proposed by Waters [16]. In our scheme, the user partial private key and the user secret value are generated and used fully independently, while retaining high efficiency. Intuitively, an attacker cannot re-random or decrypt any ciphertext instead of the user if the attacker just has one of the two parts.

  • Setup(\(1^k\)): Let \((G,G_T)\) be bilinear map groups of prime order \(p > 2^k\) and let g be a generator of G. Set \(g_1= g^\alpha \), for a random \(\alpha \in Z_p^*\), and pick at random a group element \(g_2 \in G\) and vectors \((u',u_1,\ldots ,u_{n})\), \((v',v_1,\ldots ,v_{n}) \in G^{n+1}\). These vectors define the hash functions

    $$\begin{aligned} F_u(ID)=u'\prod ^n_{j=1}u_j^{ID_j} \qquad and \qquad F_v(w)=v'\prod ^n_{j=1} v_j^{w_j} \end{aligned}$$

    where \(ID=ID_1ID_2 \ldots ID_n\) and \(w = w_1w_2 \ldots w_n\) are bit-strings of length n. The KGC also selects a collision-resistant hash function \(H:\{ 0,1 \}^* \rightarrow \{ 0,1 \}^n\). The master public key is \(mpk = (g,g_1,g_2,u',u_1,\ldots ,u_n,v',v_1,\ldots ,v_n)\), the message space is \(G_T\), and the master secret is \(msk=g_2^\alpha \).

  • ExtPPriK(mpkmskID): Pick at random \(r \in Z^*_p\) and return \(d_{ID} = (d_0,d_1) = (g_2^\alpha \cdot F_u(ID)^r, g^r)\).

  • SetSecV(mpkID): Pick at random \(x_0, x_1 \in _R Z^*_p\) and return \(sv_{ID}=(x_0,x_1)\).

  • SetPubK(\(mpk,ID, sv_{ID}\)): Return \(PK_{ID}=(pk_0, pk_1)=(g^{x_0}, g^{x_1})\). SetPriK(\(mpk,sv_{ID},d_{ID}\)): Set \(SK_{ID}=(sv_{ID}, d_{ID})=(x_0,x_1,d_0,d_1)\). Encrypt\((mpk,PK_{ID},ID,M)\): To encrypt \(M\in _R G_T\), parse \(PK_{ID}\) as \((pk_0,pk_1)\). Choose \(s,t \in _R Z^*_p\) uniformly at random and compute

    $$\begin{aligned} C= & {} (C_0, C_1, C_2, C_3, C_4)\\= & {} (M \cdot \hat{e}(pk_0, pk_1)^{-t} \cdot \hat{e}(g_1, g_2)^s, \hat{e}(g,g)^t, g^s, F_u(ID)^s, F_v(w)^s), \end{aligned}$$

    where \(w=H(C_0, C_1, C_2, C_3, PK_{ID}, ID, \hat{e}(pk_0,g)^t)\).

  • Decrypt\((mpk,SK_{ID},C )\): Parse C as \((C_0, C_1,C_2,C_3,C_4)\) and the private key \(SK_{ID}\) as \((x_0,x_1,d_0,d_1)\). Then compute

\(K= C_1^{x_0}=\hat{e}(g,g)^{tx_0}=\hat{e}(pk_0,g)^t\), and \(w=H(C_0, C_1, C_2, C_3, PK_{ID}, ID, K)\). Check that

$$\begin{aligned} \hat{e}(C_2, F_u(ID)\cdot F_v(w)) {\mathop {=}\limits ^{?}} \hat{e}(g, C_3 \cdot C_4). \end{aligned}$$

Reject C if the equation does not hold. Otherwise, return

$$\begin{aligned} M= & {} C_0 \cdot K^{x_1} \cdot \hat{e}(C_3, d_1) \cdot \hat{e}(C_2, d_0)^{-1}. \end{aligned}$$

5 Analysis of the Scheme

5.1 Correctness

The correctness of the scheme can be directly verified by the following equations.

$$\begin{aligned} \hat{e}(C_2, F_u(ID)\cdot F_v(w))= & {} \hat{e}(g^s, F_u(ID)\cdot F_v(w))\\= & {} \hat{e}(g, F_u(ID)^s \cdot F_v(w)^s)\\= & {} \hat{e}(g,C_3\cdot C_4), \end{aligned}$$

and

$$\begin{aligned}&C_0 \cdot K^{x_1} \cdot \hat{e}(C_3, d_1) \cdot \hat{e}(C_2, d_0)^{-1}\\= & {} C_0 \cdot (\hat{e}(pk_0,g)^t)^{x_1} \cdot \hat{e}(F_u(ID)^s, g^r) \cdot \hat{e}(g^s, g_2^\alpha \cdot F_u(ID)^r)^{-1}\\= & {} C_0 \cdot \hat{e}(pk_0,pk_1)^{t} \cdot \hat{e}(g_1,g_2)^{-s}\\= & {} M \cdot \hat{e}(pk_0,pk_1)^{-t} \cdot \hat{e}(g_1,g_2)^s \cdot \hat{e}(pk_0,pk_1)^{t} \cdot \hat{e}(g_1,g_2)^{-s}\\= & {} M. \end{aligned}$$

5.2 Security

For more details about security analysis, the readers are referred to the full version of this paper.

5.3 Performance Analysis

Here, we compare the major computational cost and security properties of our scheme with some available concrete CLE schemes that are claimed to be secure against malicious KGC attacks. The comparison is listed in Table 1. All the schemes involve three major operations: Pairing, Multiplication and Exponentiation (in G and \(G_T\)). For ease of analysis, we only count the number of those operations in the Encrypt and Decrypt phases. For the security properties, we consider the confidentiality against the Type I adversaries and the Type II adversaries respectively. Note that, in the table, the symbol (n) in pairing column denotes the number of pairing operations is independent of the message and can be pre-computed.

Table 2. Performance analysis
Full size table

Table 2 shows that, although the computational cost of our scheme is relatively high, our scheme overcomes the security weaknesses of the previous schemes [13, 20]. On the face of it, the ZW scheme has the advantages of a short public key and a higher computational efficiency. Unfortunately, the ZW scheme is not only insecure against type II adversaries, but also relies on a stronger assumption.

6 Conclusion

In this paper, we have shown that the CLE scheme introduced by Hwang and Liu is vulnerable to the attacks from the type II adversaries including malicious KGC. Furthermore, we have put forward a new concrete CLE scheme and proved its security against both types of adversaries including malicious KGC. Our security proofs have been rigorously presented in the standard model under the Decisional Bilinear Diffie-Hellman assumption.