ID-based key-insulated signcryption with equality test in cloud computing

Key-insulated encryption reduces the problem of secret key exposure in a hostile setting, while a signcryption cryptosystem attains the benefits of digitally signing a ciphertext and of a public key cryptosystem. In this study, we merge the primitives of a parallel key-insulated cryptosystem and signcryption with equality test to construct ID-based parallel key-insulated signcryption with a test for equality (ID-PKSET) in cloud computing. The construction prevents data forgery and data replay attacks and reduces the leakage of secret keys in harsh environments. Our scheme attains the security properties of existential unforgeability under chosen message attack (EUF-CMA) and indistinguishability under identity chosen ciphertext attack (IND-ID-CCA2) in the random oracle model.


Introduction
The cloud system has seen a paradigm shift in data outsourcing and computation. Thus, the cloud ecosystem has become a means of data outsourcing in this era of ubiquitous and distributed computing. However, trust as a security property has remained elusive over the years because data outsourced to the cloud can be peddled. The user's data needs to be encrypted before being uploaded to the cloud [1]. In spite of the encryption of user data before upload, there is no guarantee of the security and privacy of the outsourced data, encrypted or unencrypted, in the cloud system. Several studies in this direction have been conducted with provable security.
With regard to public key encryption (PKE) [2], the disastrous phenomenon of key exposure, curtailed by key-insulation [3], has played a major role in the effective deployment of PKE constructions in insecure environments. Private keys for encryption/decryption can be exposed in an insecure environment, and the approach to alleviate this menace is the adoption of key-insulation in the public key cryptosystem. It is not practical to download all the data stored in the cloud before a search on the data is conducted. Thus, the user should be able to search the data while it is stored in the cloud. The user makes a request to the cloud system and the cloud system responds by searching through the stored data. In this way, the entire data set is not downloaded from the cloud system before a search is conducted (see Fig. 1). The use of a helper in a key-insulated cryptosystem enables the user to update his decryption key with a time-stamp. Thus, the helper serves as a physically secured device (see Fig. 2) used to update the secret keys during user key updates. The helper is attached during user key update, and the design requires the presence of the helper for a successful key update. Figure 2 depicts a typical scenario of our scheme using multiple helpers to update decryption keys.
Public key encryption with keyword search (PKE-KS) [2] ensures that users can search on ciphertexts stored in the cloud without downloading the entire ciphertext before the search. Following the work of Boneh et al. [2], several key-insulated cryptosystems with keyword search have been constructed, deployed using PKE [4][5][6], without the random oracle model [7], and via identity-based encryption (IBE) [8,9]. The combination of identity (ID)-based key-insulated signcryption with equality test is yet to be unveiled. It is important to safeguard the privacy of user data outsourced to the cloud system while attaining the security property of a digital signature together with PKE. The adoption of key-insulated signcryption with equality test in this paradigm gives our scheme a novel approach to effectively securing user data that has been outsourced to the cloud. Therefore, the construction of ID-based parallel key-insulated signcryption with equality test (ID-PKSET) in cloud computing is presented. Our scheme achieves multiple security enhancements in PKE with a signcrypted key-insulated cryptosystem. The use of multiple helpers instead of a single or double helper, as shown in Fig. 2, is considered in our construction.

Paper organization
The remaining part of our work is organized as follows: Sect. 2 outlines our contribution, Sect. 3 details the related work, and Sect. 4 outlines the preliminaries of our construction and formulates the ID-PKSET definitions. Section 5 outlines the security model, Section 6 details the construction of our scheme, Section 7 gives a comparative analysis and Section 7 concludes our work and outlines future improvements.

Our contribution
A recent work by Zhu et al. [10] attacked Chen et al.'s [11] scheme and dispelled its claimed EUF-CMA security; accordingly, that scheme does not attain EUF-CMA. In this regard, a scheme that fulfils the primitive of an identity-based key-insulated cryptosystem with equality test and supports the EUF-CMA property is yet to be unveiled. In this paper, our contribution is threefold: (1) we construct an ID-based key-insulated signcryption scheme with equality test; (2) our scheme achieves the security property of EUF-CMA under an added ID-based security assumption; (3) our method delegates the equality test to the cloud server and supports key-insulation while resisting replay attacks and message forgery.

Related work
The untrusted nature of the cloud has called for the need to protect the integrity of data outsourced to cloud systems. There is a risk of private key exposure when cryptographic algorithms are deployed in harsh environments, and such exposure is equally disastrous for the effective utilization of cryptographic algorithms. Several schemes have deployed key-insulated constructions to reduce the exposure of decryption keys. Notably, Dodis et al. [4] were the first to introduce the concept of key-insulation in public key cryptosystems. Their proposed scheme had a total time period which was not known in advance. A combined effort of the schemes in [4,12,13] has still not received the needed research attention. Several other schemes adopted the time-based approach to construct key-insulated cryptosystems. Other directions of this primitive have been proposed, such as proxy re-encryption [14], which allowed a proxy to re-encrypt the ciphertext before transmission. The combination of a key-insulated cryptosystem with certificateless encryption by He et al. [15] introduced certificateless key-insulated cryptosystems. Moreover, the combination of an identity-based scheme with support for key insulation by Hanaoka et al. [8] gave rise to identity-based key-insulated encryption using a single helper. Identity-based key-insulated cryptosystems without the random oracle model have also been proposed by Libert et al. [7]. These and many other related schemes have given rise to the need for further research into identity-based key-insulated cryptosystems.

Equality test
The concept of PKE-KS unveiled by Boneh et al. [2] made it possible to encrypt a keyword with data. However, their scheme only supported encryption under the same public key, which was a drawback to the successful implementation of the construction; hence Yang et al. [16] constructed public key encryption with equality test (PKE-ET), which supports encryption under the same and under different public keys. With regard to the construction in [2], Yang et al.'s [16] work served as an improved version of Boneh et al.'s [2] work. Several schemes have been unveiled afterwards [17,18]. Most of the schemes constructed were based on public key infrastructure (PKI). Therefore, there was a need to forgo the inhibiting properties of certificates generated by a certificate authority (CA) in public key cryptosystems. Hence, Ma et al. [19] proposed an ID-based cryptographic primitive with equality test to curtail the problems associated with a CA. Although Ma et al. [19] achieved excellent performance in terms of security improvement and the use of an ID-based primitive to support keyword search, their scheme does not achieve the benefits of digital signature and key-insulation simultaneously. Therefore, it has become necessary to construct a scheme that fills this gap.

Key-insulated signcryption cryptosystem
A signcryption cryptographic primitive proposed by Li et al. [12] attained the benefits of digitally signing a ciphertext and of PKE. Their scheme served as an improvement over previous schemes, since signature-then-encrypt inherits a high computational cost, whereas the deployment of signcryption ensures a lower computational cost. In view of this, several schemes on signcryption have been constructed [20,22], as well as combinations of digital signature and signcryption [21,23] cryptosystems with variants in proxy-signcryption [24][25][26], anonymous signcryption [11,27] and ring signcryption [10,28].
Key-insulated signcryption schemes have also been constructed [10,11]. The scheme in [11] launched an attack on Chen et al.'s [26] construction to dispel its claimed EUF-CMA security. Up till now, no scheme has been constructed to fulfil the cryptographic primitive of key-insulated signcryption with equality test.
1. Setup: Given the security parameter, the time period TP and the helper keys, the algorithm returns PP, the helper keys (U n 0, ..., U n −1) and the temporal master key MTK.
2. Extract: On input MTK, an arbitrary ID ∈ {0, 1}* and the system parameter PP, it returns a secret key sdk ID 0 to the user associated with identity ID. The PKG executes the same function and forwards the key to the corresponding user with identity ID through a secure channel.
3. KeyGeneration: On input the received secret key sdk ID, the public parameter PP, the time period TP and the identity ID, it outputs the base key BSK 0.
4. KeyUpdate-HelperKey(BK 0, bk j, t): On input the base key BSK 0 at span bsk j and index t s, the scheme outputs the updated key UTK t s.
5. TempKeyUpdate: On input sdk ID t s −1 and the index t s of the next updated key UTK t, it outputs the secret key mdk ID t s for the next span t s corresponding to the user.
6. SET-Trapdoor: On input MTK, an arbitrary ID ∈ {0, 1}* and the index time span t s, it returns a SET-trapdoor stdr for the corresponding identity ID.
7. Signcrypt: On input PP, the index t s, the identity ID ∈ {0, 1}* and a plaintext M 1 ∈ M, it returns the ciphertext CT t s = (t s, CT 1), where CT t s ∈ CT.
8. Unsigncrypt: On input the current private key sdk ID t s and the ciphertext CT t s, it returns the plaintext M 1 ∈ M, or ⟂ if the ciphertext is invalid.
9. Test: On input the ciphertexts CT t s A and CT t s B produced by two users A and B, it outputs 1 if the messages corresponding to CT t s A and CT t s B are equal, and 0 otherwise.
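To make the sequence of algorithms above concrete, the following Python program is an added example written for this edit; it is not code from the paper and it does not implement the paper's bilinear-pairing construction. It models the key-insulation lifecycle with HMAC-SHA256 standing in for the pseudorandom function F and for the group operations: a PKG extracts sdk ID 0, each helper device produces its own partial update key UTK t, TempKeyUpdate chains sdk ID t −1 with every helper's contribution into sdk ID t, and the ciphertext carries the period index t s under a MAC tag so that a ciphertext captured in period 2 and presented in period 3 is rejected, as is a ciphertext with one flipped byte. The names PKG, Helper, temp_key_update, signcrypt, unsigncrypt and run_lifecycle, the identity string and the message are all constructed for the example. The sender is modeled as holding the same period key as the receiver, so the identity-based signature component and the equality test are not modeled here.

```python
import hmac
import hashlib
import secrets


def prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a stand-in for the paper's pseudorandom function F.
    Each part is length-prefixed so (a, bc) and (ab, c) never collide."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for part in parts:
        mac.update(len(part).to_bytes(4, "big") + part)
    return mac.digest()


class Helper:
    """One physically secured helper device holding its own helper key (hypothetical model)."""

    def __init__(self, index: int):
        self.index = index
        self._key = secrets.token_bytes(32)

    def update_key(self, identity: bytes, period: int) -> bytes:
        """KeyUpdate-HelperKey: this helper's partial update key UTK_t."""
        return prf(self._key, b"UTK", self.index.to_bytes(2, "big"),
                   identity, period.to_bytes(4, "big"))


class PKG:
    """Private key generator: holds the master key MTK and the helpers (hypothetical model)."""

    def __init__(self, n_helpers: int):
        self.mtk = secrets.token_bytes(32)
        self.helpers = [Helper(i) for i in range(n_helpers)]

    def extract(self, identity: bytes) -> bytes:
        """Extract: initial secret key sdk_{ID,0} for an identity."""
        return prf(self.mtk, b"extract", identity)


def temp_key_update(sdk_prev: bytes, helpers, identity: bytes, period: int) -> bytes:
    """TempKeyUpdate: derive sdk_{ID,t} from sdk_{ID,t-1} and all helpers' UTK_t.
    Every helper must contribute (parallel key-insulation); the previous key is
    meant to be erased by the user after the update."""
    contributions = [h.update_key(identity, period) for h in helpers]
    return prf(sdk_prev, b"update", period.to_bytes(4, "big"), *contributions)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode keystream from the PRF; stands in for the group operations."""
    out = b""
    counter = 0
    while len(out) < len(data):
        out += prf(key, b"stream", nonce, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def signcrypt(sdk_t: bytes, period: int, message: bytes) -> tuple:
    """Produce CT_t = (t_s, nonce, body, tag); the MAC tag binds the period index t_s."""
    nonce = secrets.token_bytes(16)
    body = keystream_xor(prf(sdk_t, b"enc"), nonce, message)
    tag = prf(prf(sdk_t, b"mac"), period.to_bytes(4, "big"), nonce, body)
    return (period, nonce, body, tag)


def unsigncrypt(sdk_t: bytes, current_period: int, ct: tuple):
    """Return the plaintext, or None (the paper's ⟂) on a period mismatch or bad tag."""
    period, nonce, body, tag = ct
    if period != current_period:
        return None  # stale period index: replay of an old ciphertext
    expected = prf(prf(sdk_t, b"mac"), period.to_bytes(4, "big"), nonce, body)
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered ciphertext
    return keystream_xor(prf(sdk_t, b"enc"), nonce, body)


def run_lifecycle() -> dict:
    """Walk periods 0..3 for one constructed identity and exercise replay/tamper rejection."""
    pkg = PKG(n_helpers=3)
    alice = b"alice@example.org"  # constructed identity string
    sdk = pkg.extract(alice)      # sdk_{ID,0}
    for period in (1, 2):
        sdk = temp_key_update(sdk, pkg.helpers, alice, period)
    sdk_2 = sdk
    sdk_3 = temp_key_update(sdk_2, pkg.helpers, alice, 3)

    ct = signcrypt(sdk_2, 2, b"quarterly report")   # constructed message
    accepted = unsigncrypt(sdk_2, 2, ct)
    replayed = unsigncrypt(sdk_3, 3, ct)             # same ciphertext presented in period 3
    tampered_body = ct[2][:-1] + bytes([ct[2][-1] ^ 0x01])
    tampered = unsigncrypt(sdk_2, 2, (2, ct[1], tampered_body, ct[3]))
    return {"accepted": accepted, "replayed": replayed,
            "tampered": tampered, "keys_differ": sdk_2 != sdk_3}


if __name__ == "__main__":
    print(run_lifecycle())
```

Running the file prints the dictionary returned by run_lifecycle(). The security-relevant point is that sdk_3 cannot be produced from sdk_2 without every helper's UTK_3 contribution, so exposure of one period key does not yield the next, and that a stale period index or a single flipped ciphertext byte yields ⟂ (None) rather than a plaintext.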

1. Setup: The challenger runs Setup on the parameter and total time period TP with helper keys (U n 0, ..., U n −1) and obtains PP. It forwards PP to the adversary A and keeps MTK.
2. Phase 1: The adversary issues queries (N 1, N 2, ..., N m) of the following kinds:
• Query (ID i): The challenger executes H(·) to output sdk ID i corresponding to the public key ID i and forwards sdk ID i to A.
• SET-Trapdoor query: The challenger executes private unsigncryption on TempKeyUpdate. The algorithm runs SET-Trapdoor to derive a trapdoor stdr i using MTK. Finally, it forwards stdr i to A.
• Unsigncrypt query: The challenger executes the unsigncrypt algorithm to decrypt the ciphertext CT t s i, running the extract algorithm to derive sdk ID i relating to ID i. Finally, the plaintext M i is forwarded to A.
3. Challenge: When Phase 1 is over, A submits two equal-length messages (m 0, m 1) and an identity ID * to be challenged. Neither m 0 nor m 1 was used in a signcrypt query, and ID * was not used in an extract query in Phase 1. The challenger randomly picks b ∈ {0, 1} and computes CT * ← (M b, ID *, t * s). It then forms the challenge SET-trapdoor stdr * = (ID *, t * s) by running stdr * ← stdr(dk, M b, t * s) and returns stdr * to A.
4. Phase 2: The adversary issues queries (N 1, N 2, ..., N m), each of the form:
• Query: The challenger replies as in Phase 1, since ID i ≠ ID *.
• SET-Trapdoor query, where t s ≠ t * s: The challenger responds as in Phase 1.
• Unsigncryption query, where

It is seen that ID-PKSET achieves EUF-CMA: no polynomial-time adversary is expected to have a non-negligible advantage.

Construction
Our construction includes the following:

1. Setup: Given an input parameter, the total time period TP and the number of helper keys, the public parameter PP is returned. The system sets the initial master key as MTK with the associated multiple helper keys (U n 0, ..., U n −1).
• Two multiplicative groups G and G T of the same order d with length bits, and a bilinear map e : G × G → G T, are generated. An arbitrary generator P ∈ G is selected by the system.
• The system adopts hash functions
where l is the length of the random numbers and ml the message length. The system randomly picks (s 1, s 2) ∈ Z 2 p and sets P 1 = P s 1, P 2 = P s 2. The public parameter PP = (A, ml, G, G T, e, P, P 1, P 2, Un, MAC, H 1, H 2, H 3) is published and MTK = (s 1, s 2) is kept secret. A denotes the Message Authentication Code (MAC) tag.
2. SET-extract: With a string ID ∈ {0, 1}*, the parameter PP and MTK, the system computes J ID = H 2(ID) ∈ G and sets the temporal master decryption key msdk ID t s = (J where (s 1, s 2) is the secret key at the initial time index t s.
3. KeyGeneration: On input msdk ID t s and a randomly chosen Un i ∈ {0, 1} ml, set Un where r 2 = F(Un i, Un −1). We note that F is a pseudorandom permutation. We therefore denote the base helper key as Un ) with BKU −1 = (P 3 t s, P 4 t s).
). Therefore, the current index period decryption key is noted as: ). It is noted that stdr ID serves as the second element of msdk. msdk ID t s, stdr ID and MSTK are distributed over a secure channel to authorized users.
6. Signcrypt: To signcrypt a message M under a public ID, a signer with the corresponding ID chooses two random numbers (r a, r b) ∈ Z * p and computes:

SET-Trapdoor
where D = ((
X ← S(t 2, CT 3) is the MAC algorithm applied to the signcrypted output; the corresponding tag X is used to verify the signcrypted CT 3.

Unsigncrypt: On input the signcrypted ciphertext CT, the updated decryption key sdk ID t s and a token MSTK = (t 1, t 2), the system computes:

Security property of IND-CCA2
Our ID-PKSET is ( SET, t s, q ks, q ns, q us)-IND-CCA2 secure if the ( mdbdh, t s)-mDBHDH assumption holds. Here H 1 and H 2 are ( H 1)- and ( H 2)-collision-resistant hash functions, such that:
where t s is the index period, q ks the number of extract key queries, q ns the number of signcryption queries and q us the number of unsigncryption queries.

EUF-CMA unforgeability
Proof theorem: We outline the unforgeability against adaptive CMA, derived from the security of Chow's ID-based cryptosystem under the CDH assumption. If an attacker can forge a valid signcrypted message, then he must equally be able to forge a valid signature in Chow's scheme. Thus, the adversary can equally forge the ciphertext of a message M if we assume CT = (CT 1, CT 2, CT 3, CT 4) of a user with identity ID. It is known that the hardness of CDH makes the primitive unforgeable.
Again, our scheme PKI-ID-SET is ( SET, t s, q ks, q ns, q us)-EUF-CMA secure assuming that the signature of Paterson and Schuldt is ( SET, t′ s, q ks, q ns) existentially unforgeable, where t′ s = t s + q ks C ek + q ns C sn + q us C un. Here q ks is the number of key extract queries, q ns the number of signcryption queries, q us the number of unsigncryption queries, C ek the key extract cost of ID-PKSET, C sn the signcryption cost of ID-PKSET and C un the unsigncryption cost of ID-PKSET. Further details of a security analysis proof similar to our work can be found in the appendix of the work by Li et al. [31].

Comparison
We outline the security strength of our proposed scheme against related signcryption schemes in terms of computational cost in Table 1. Existing key-insulated signcryption schemes such as [10,11] and other ID-based signcryption cryptosystems [31][32][33] are compared in terms of their security strength. The security parameters for our comparison include IND-ID-CCA2 with key exposure (IND-ID-SC-KI-CCA2), EUF-CMA with key exposure (EUF-CMA-KI-SC-CMA), support for key insulation, cloud delegation and token generation. Our method has the favourable security features of IND-ID-KI-CCA2 and EUF-ID-SC-KI-CMA, similar to [10,33], but ID-PKSET has the added and extended security features of key-insulation, delegated equality test and token key generation, which are absent in [10,11]. Therefore, it is clear that our scheme remains practical and feasible when deployed in a cloud computing environment despite the additional computational overhead, since the cost of group exponentiation and group multiplication is the same as in the compared schemes. The computational results and communication overhead outlined for our scheme make it feasible with added security and an improvement on [10,33].
Using [34], the pairing-based cryptography library was deployed to quantify the time consumption of our scheme. The VC++ 6.0 program code was executed on a Windows operating system with an i5-4460 CPU at 3.20 GHz and 4 GB of RAM. The average execution times were extracted (see Table 2). Following [35], for pairing-based schemes at the security level of 1024-bit RSA, the supersingular curve z^2 = x^3 + x with embedding degree 2 is used, with q = 2^159 + 2^17 + 1 a 160-bit Solinas prime and p = 12qr − 1 a 512-bit prime. For the ECC-based approach, the Koblitz elliptic curve y = x^3 + ax^2 + b defined over F_{2^163} is adopted to provide the same security level in ECC. Milliseconds (ms) and bytes are the units of measurement. The respective execution times were calculated using a Matlab program (Table 3); computational results are outlined in Tables 3 and 4. The computational cost of our method is derived from the running times in Table 2 to compare computational cost and communication overhead in Table 4 with key-insulated signcryption schemes. We compared the work of Yu et al. [10], the schemes [30,31,33] and the scheme [10] with ours.
It is clear that our scheme attains remarkable security properties in signcryption comparable to existing schemes. The security properties IND-ID-SC-CCA2, EUF-ID-SC-KI-CMA and key insulation are achieved in our scheme. In addition, ID-PKSET offers security functionality beyond existing schemes, such as secure delegation to cloud systems, equality test and token key generation. We achieve a computational equality test result of 95.246 ms. Therefore, ID-PKSET achieves IND-ID-SC-CCA2, EUF-ID-KI-SC-CMA, key-insulation with multiple helpers, cloud delegation, equality test and token generation simultaneously, and is thus an ideal scheme deployable in an insecure environment.

Conclusion and future work
Our paper proposed ID-based parallel key-insulated signcryption in cloud computing. Our construction achieves efficiency with a lower computational cost. Even though other key-insulated cryptosystems with equality test exist [3,36], ID-PKSET achieves the remarkable property of a signcryption cryptosystem in the random oracle model. Future work will involve a certificateless construction to prevent the key-escrow problem in PKE, since the private key generator could be a bad actor and needs to be resisted.

Conflict of interest
The authors declare that they have no conflict of interest.
Ethical Approval This paper does not contain any studies with human participants or animals performed by any of the authors.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.