Revocable identity-based proxy re-signature against signing key exposure

Identity-based proxy re-signature (IDPRS) is a novel cryptographic primitive that allows a semi-trusted proxy to convert a signature under one identity into another signature under another identity on the same message by using a re-signature key. Due to this transformation function, IDPRS is very useful in constructing privacy-preserving schemes for various information systems. Key revocation functionality is important in practical IDPRS for managing users dynamically; however, the existing IDPRS schemes do not provide revocation mechanisms that allow the removal of misbehaving or compromised users from the system. In this paper, we first introduce a notion called revocable identity-based proxy re-signature (RIDPRS) to achieve the revocation functionality. We provide a formal definition of RIDPRS as well as its security model. Then, we present a concrete RIDPRS scheme that can resist signing key exposure and prove that the proposed scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model. To further improve the performance of signature verification in RIDPRS, we introduce a notion called server-aided revocable identity-based proxy re-signature (SA-RIDPRS). Moreover, we extend the proposed RIDPRS scheme to the SA-RIDPRS scheme and prove that this extended scheme is secure against adaptive chosen message and collusion attacks. The analysis results show that our two schemes remain efficient in terms of computational complexity when implementing user revocation procedures. In particular, in the SA-RIDPRS scheme, the verifier needs to perform only a bilinear pairing and four exponentiation operations to verify the validity of the signature. Compared with other IDPRS schemes in the standard model, our SA-RIDPRS scheme greatly reduces the computation overhead of verification.


Introduction
A digital signature provides security services such as data integrity, authentication and nonrepudiation; therefore, it is one a key technology to ensure information security. In particular, PLOS  oracle is instantiated by a specific hash function. Therefore, it is of practical significance to construct secure RIDPRS schemes in the standard model. The existing IDPRS schemes do not consider the problem of user revocation [20][21][22][23]. A revocation mechanism is essential for practical identity-based cryptosystem [26]. If a user's key is compromised or a user's authorization expires, that user needs to be revoked from the system. When users have been revoked, they should no longer be able to use their previous private keys to gain access to sensitive data or to generate valid digital signatures. Researchers have designed a series of revocable cryptographic schemes to achieve user revocation in identity-based settings [27][28][29]. The main idea behind these schemes is that the PKG periodically updates the private keys of non-revoked users. Tsai et al. [30] proposed a revocable identitybased signature scheme in the standard model, in which a user's signing key consists of a longterm secret key and a periodically changed update key. However, Tsai et al.'s scheme [30] is insecure against a signing key exposure attack: an adversary can obtain a fixed secret key from a compromised signature key and then combine it with subsequent update keys to forge the signature of any message. Lian et al. [31] proposed a revocable attribute-based signature scheme, but Wei et al. [32] revealed that Lian et al.'s scheme is vulnerable to signing key exposure. If a signature scheme can resist the signing key exposure attack, then the users store their secret keys on physical devices with relatively high security levels, while the update keys can be stored on devices with relatively low security levels (such as mobile phones, smart cards, etc.). However, to the best of our knowledge, no identity-based proxy re-signature scheme with a user revocation mechanism is available. Therefore, how to design a revocable identity-based proxy re-signature (RIDPRS) scheme is an open and interesting question.
In this paper, we formally define the syntax of RIDPRS and present a security model for RIDPRS against signing key exposure. Based on Shao et al.'s IDPRS scheme [20], we design a bidirectional and multi-use RIDPRS scheme. In the proposed scheme, the PKG's master secret key is divided into two parts: one part is used to construct the user's fixed secret key, and the other part is used to generate periodically changed update keys for the user. Only a nonrevoked user can re-randomize their secret key and update key to generate a corresponding signing key. Consequently, our scheme can not only effectively revoke a user from the system, but also resist signing key exposure attacks. Furthermore, we introduce a new cryptographic primitive called server-aided revocable identity-based proxy re-signature (SA-RIDPRS), which is particularly suitable for verifiers with limited computing power. SA-RIDPRS allows the verifier to delegate most of the computational work involved in signature verification to a server with powerful computing capabilities; the verifier needs to perform only a small number of computational operations to verify the legitimacy of the signature. In addition, we formalize the security model for SA-RIDPRS. Based on our RIDPRS scheme, we also construct an SA-R-IDPRS scheme and prove that the proposed scheme is secure against adaptive chosen message and collusion attacks. The results of our analysis show that our two schemes are bidirectional and multi-use, and they achieve user revocation functionality while maintaining efficiency in terms of computational complexity and storage overhead. In our SA-RIDPRS scheme, the verifier verifies the validity of the signature with minimal computational cost by executing the server-aided verification algorithm in conjunction with a server, which efficiently reduces the computational cost of the verifier.
The rest of this paper is organized as follows. Section 2 reviews some preliminaries used in our schemes. Section 3 presents security notions for RIDPRS and SA-RIDPRS. Section 4 constructs an IDPRS scheme and an SA-RIDPRS scheme and gives their security proof and performance analysis. Finally, Section 5 concludes the paper.

Preliminaries
In this section, we briefly review bilinear parings and the computational Diffie-Hellman (CDH) assumption.

Bilinear parings
Let p be a prime, G 1 and G 2 be two multiplicative cyclic groups of order p, and g be a generator of G 1 . An efficiently computable bilinear paring e: G 1 × G 1 ! G 2 is a map with the following properties [16]: • Bilinear: e(g a , g b ) = e(g, g) ab = e(g b , g a ) for any a, b 2 Z p .

Complexity assumption
The security of our scheme depends on the hardness of the CDH problem. Let G 1 be a cyclic group of prime order p, and g be a generator of G 1 . Given ðg; g a ; g b Þ 2 G 3 1 , where a, b 2 Z p , the CDH problem is to compute g ab 2 G 1 . Definition 1. We say that the CDH assumption holds if no probabilistic polynomial-time (PPT) algorithm can solve the CDH problem in G 1 with a non-negligible probability [20].

Security notions of RIDPRS
An RIDPRS scheme consists of the following eight algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify): • Setup(λ) ! (pp, msk): Given a security parameter λ, this algorithm outputs public parameters pp and a master secret key msk of the PKG.
• Extract(pp, msk, ID) ! sk ID : Given pp, msk and a user's identity ID, this algorithm outputs a secret key sk ID of the identity ID.
• KeyUp(pp, msk, ID, t) ! vk ID,t : Given pp, msk, an identity ID and a time period t, this algorithm outputs an update key vk ID,t with respect to identity ID and time period t.
• SKGen(pp, sk ID , vk ID,t ) ! dk ID,t : Given pp, a secret key sk ID and an update key vk ID,t , this algorithm outputs an error symbol ? if the identity ID has been revoked during the time period t; otherwise, it outputs a signing key dk ID,t on (ID, t).
• ReKey(pp, dk A,t , dk B,t ) ! rk A!B,t : Given pp and two signing keys (dk A,t , dk B,t ) corresponding to identities (ID A , ID B ) at time period t, this algorithm outputs a re-signing key rk A!B,t of the proxy.
• Sign(pp, dk ID,t , M) ! σ: Given pp, a signing key dk ID,t and a message M, this algorithm generates a signature σ on M.
•  The security of an RIDPRS scheme should be existentially unforgeable under adaptive chosen identity and message attacks. Based on the security model of IDPRS in [20] and the security definition of revocable identity-based signature schemes in [30][31][32], the existential unforgeability of a bidirectional RIDPRS scheme that captures signing key exposure is formally defined by using the following security game between a challenger B and an adversary A: Setup: B executes the algorithm Setup(λ) to generate public parameters pp and the PKG's master secret key msk. Then, B sends pp to A.
Queries: The adversary A adaptively makes the following queries: • Extract-query: When A asks for a secret key of an identity ID, B executes the algorithm Extract(pp, msk, ID) and returns the corresponding output sk ID to A.
• KeyUp-query: When A inquires about an update key with respect to an identity ID and a time period t, B executes the algorithm KeyUp(pp, msk, ID, t) and returns an update key vk ID,t to A.
• SKGen-query: When A asks for a signing key with respect to an identity ID and a time period t, B first makes an Extract-query for ID and a KeyUp-query for the tuple (ID, t) to obtain a secret key sk ID and an update key vk ID,t , respectively. Then, B runs the algorithm SKGen(pp, sk ID , vk ID,t ) to generate a signing key dk ID,t , and sends it to A.
• ReKey-query: When A requests a re-signing key of two identities (ID A , ID B ) at time period t, B first makes the SKGen-query on tuples (ID A , t) and (ID B , t) to obtain the corresponding signing keys dk A,t and dk B,t , respectively. Afterwards, B runs the algorithm ReKey(pp, dk A,t , dk B,t ) to output a re-signing key rk A!B,t , and then sends it to A.
• Sign-query: When A requests a signature on a message M with respect to an identity ID and a time period t, B first makes a SKGen-query on tuple (ID, t) to obtain a signing key dk ID,t . Then, B runs the algorithm Sign(pp, dk ID,t , M) and returns a signature σ on M to A.

Forgery:
The adversary A finally outputs a forged signature σ Ã on a message M Ã with respect to an identity ID Ã and a time period t Ã . We say that A wins in the above game if the following conditions hold.
2. (ID Ã , t Ã ) has never been queried of the SKGen-query. 3. ID Ã has never been submitted to the Extract-query, and (ID Ã , t Ã ) has never been submitted to the KeyUp-query. 4. ID Ã has never been submitted to the ReKey-query.

Definition 2.
A bidirectional RIDPRS scheme is said to be existentially unforgeable against adaptive chosen identity and message attacks if for any polynomial-time adversary A the probability of winning in the above game is negligible.

Security notions of SA-RIDPRS
An SA-RIDPRS scheme consists of an RIDPRS scheme and a server-aided verification protocol. Due to the weaker computing power, the verifier is unable to perform complicated cryptographic operations. Therefore, the verifier needs to execute an interactive verification protocol to verify the validity of the signature with the help of a server. Specifically, a bidirectional SA-RIDPRS scheme is a tuple of the following ten algorithms (Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign, Verify, SA-Setup, SA-Verify): • The Setup, Extract, KeyUp, SKGen, ReKey, Sign, ReSign and Verify algorithms are the same as those in the RIDPRS scheme described in Section 3.1.
• SA-Setup(pp) ! V String: On input public parameters pp, this algorithm generates a secret string V String that contains the pre-computed information of the verifier. The security of an SA-RIDPRS scheme includes both the existential unforgeability of RIDPRS and the soundness of the algorithm SA-Verify. Existential unforgeability ensures that an attacker cannot generate a valid signature on a new message, whereas soundness ensures that the server cannot convince a verifier that an invalid signature is valid. The unforgeability of a bidirectional SA-RIDPRS scheme is the same as that of the RIDPRS scheme defined in Section 3.1. Based on the soundness of server-aided verification PRS [24], the soundness of the algorithm SA-Verify under adaptive chosen message and collusion attacks is defined by the following security game between a challenger C and an adversary A. In this game, the challenger C acts as a verifier while the adversary A acts as the server. A is allowed to collude with the signer or the proxy; therefore, A can generate or transform the signature of any message. The goal of A is to convince C that an invalid signature is valid. C and A interact as follows: Setup: C executes the Setup and SA-Setup algorithms to generate the public parameters pp and the string V String, respectively. Then, C sends pp to A.
Queries: A can adaptively make a number of server-aided verification queries to C. For each query on (ID i , t i , M i , σ i ), C runs the algorithm SA-Verify with A and then returns the corresponding output to A as a response.
Forgery: The adversary A eventually outputs an identity ID Ã , a time period t Ã , a message M Ã and a string σ , then the adversary A wins the game. Definition 3. The algorithm SA-Verify is soundness if the probability that any polynomialtime adversary A wins in the above game is negligible. Definition 4. If an RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks, and the algorithm SA-Verify is soundness, then the resulting SA-RIDPRS scheme is said to be secure against adaptive chosen message and collusion attacks.

Our constructions
In this section, we first construct a bidirectional RIDPRS scheme based on the IDPRS scheme of Shao et al. [20]. Then, we extend it to the SA-RIDPRS scheme. Moreover, we provide security proofs and performance analyses for the proposed schemes.

Bidirectional and revocable ID-based proxy re-signature scheme
Description. In our RIDPRS scheme, we assume that the length of the identity and the length of the message are n u -bit and n m -bit strings, respectively. We can achieve these by two collision-resistant hash functions H 1 : f0; 1g Ã ! f0; 1g n u and H 2 : f0; 1g Ã ! f0; 1g n m . The details of our RIDPRS scheme are described as follows: • Setup: Given a security parameter λ, the PKG does the following: 1. Choose two multiplicative cyclic groups G 1 and G 2 of prime order p, a generator g of G 1 and a bilinear pairing e: 3. Pick four random elements g 2 , u 0 , v 0 , w 0 2 G 1 and three random vectorsũ 4. Choose two random integers a; b 2 Z Ã p and compute g 1 ¼ g aþb .
• KeyUp: Given an identity ID and a time period t, the PKG randomly chooses s ID 2 Z p , and computes T ID = H(ID, t) and vk ID,t = (vk ID,t,1 , vk ID,t,2 ) = ðg b 2 F W;2 ðT ID Þ s ID ; g s ID Þ. Then, the PKG sends an update key vk ID,t to the user via a public channel.
• SKGen: On input (ID, t), if identity ID has been revoked within time period t, the user is unable to generate a valid signing key because he cannot obtain valid update keys. Otherwise, the user with identity ID uses his secret key sk ID = (sk ID,1 , sk ID,2 ) and update key vk ID,t = (vk ID,t,1 , vk ID,t,2 ) to generate a signing key using the following steps: 3. Output a signing key dk ID,t = (dk ID,t,1 , dk ID,t,2 , dk ID,t,3 ). • Sign: Given a message M, a signer randomly chooses r m 2 Z p and uses the signing key dk t,3 and s ID;4 ¼ g r m . Then, the signer outputs a signature σ ID = (σ ID,1 , σ ID,2 , σ ID,3 , σ ID,4 ) on M.
• ReSign: Given a re-signing key 4 ) on a message M with respect to an identity ID A and a time period t, the proxy outputs ? if Verify(pp,ID A , t, M, σ A ) = 0; otherwise, the proxy randomly chooses The following equation shows that our RIDPRS scheme satisfies correctness: From the above equation, we can see that σ B satisfies the condition Verify(pp, ID B , t, M, σ B ) = 1, so our RIDPRS scheme is correct. The distribution of the re-signature σ B generated by the algorithm ReSign is the same as that of the signature generated by ID B himself using the algorithm Sign, which demonstrates that our RIDPRS scheme is multi-use. By using the re-signing key rk A!B,t between ID A and ID B , it is easy to compute the re-signing key rk B!A,t = 1/rk A!B,t between ID B and ID A , which implies that our RIDPRS scheme is bidirectional.
Security analysis. In our RIDPRS scheme, the algorithm SKGen re-randomizes a secret key sk ID and an update key vk ID,t to generate a corresponding signing key for an identity ID and time period t. Even if an adversary obtains the signing key dk ID,t , it is difficult to extract ID's secret key sk ID from dk ID,t . Moreover, the exposure of dk ID,t at time period t does not reveal any information concerning other signing keys for identity ID at other time periods. Therefore, our RIDPRS scheme can resist signing key exposure attacks.
To simplify the security analysis of our RIDPRS scheme, we classify adversaries into two types: external and internal. The main difference between these two types of attackers is that an external adversary is not allowed to make queries about the secret key of the challenged identity ID Ã whereas an internal adversary is not allowed to make queries about the update key of the challenged identity ID Ã or the challenged time period t Ã . The following two lemmas prove that our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks. Lemma 1. If a polynomial-time external adversary A 1 breaks our RIDPRS scheme with non-negligible probability, then there exists an algorithm B that can solve the CDH problem with non-negligible probability.
Proof. Assume that an adversary A 1 breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most q sk secret key queries, q vk update key queries, q dk signing key queries, q rk re-signing key queries and q s signing queries. We will construct an algorithm B to solve the CDH problem in G 1 with the probability at least ε 1 by using A 1 's forgery. Given a random instance ðg; g a ; g b Þ 2 G 3 1 of the CDH problem, the goal of B is to compute g ab . The algorithm B interacts with A 1 as follows.
Setup: B randomly chooses two integers k u (0 k u n u ) and k m (0 k m n m ), and sets g 2 = g b , l u = 2(q sk + q dk + q rk + q s ) and l m = 2q s such that l u (n u + 1)<p and l m (n m + 1)<p. To generate the public parameters pp, B executes the following operations: 1. Randomly choose x 0 , x 1 , . . ., x n u 2 Z l u and y 0 , y 1 , . . ., y n u 2 Z p , then compute u 0 ¼ g À l u k u þx 0 2 g y 0 and a vectorũ ¼ ðu i Þ, where u i ¼ g x i 2 g y i for 1 i n u . 2. Randomly choose z 0 , z 1 , . . ., z n v 2 Z p and then compute v 0 ¼ g z 0 and a vectorṽ ¼ ðv j Þ, where v j ¼ g z j for 1 j n v .
5. Choose a random integer b 2 Z Ã p and compute g 1 ¼ g a g b ¼ g aþb . This calculation implies that the master secret key is msk ¼ ðg a 2 ; g b 2 Þ but a is unknown to B. 6. Send the public parameters (G 1 , G 2 , e, p, g, g 1 , g 2 , H, u 0 , v 0 , w 0 ;ũ;ṽ;wÞ to A 1 .
For any identity ID ¼ ðID 1 ; . . . ; ID n u Þ 2 f0; 1g n u , any string T ¼ ðT 1 ; . . . ; T n v Þ 2 f0; 1g n v and any message M ¼ ðM 1 ; . . . ; M n m Þ 2 f0; 1g n m , we define the following five functions: Thus, we have g LðMÞ : Queries: The adversary A 1 can issue the following types of queries adaptively: • Extract-query: When A 1 asks for a secret key query on an identity ID, B first computes F(ID). We note that FðIDÞ ¼ 0 mod p implies FðIDÞ ¼ 0 mod l u (and thus

FðIDÞ g r ID ;
and then sends the secret key sk ID to A 1 .
• KeyUp-query: When A 1 issues an update key query on an identity ID and a time period t, B randomly chooses s ID 2 Z p and computes T ID = H(ID, t). Then, B uses the secret value β to compute and returns an update key vk ID,t to A 1 .
• SKGen-query: For a signing key query on (ID, t), if identity ID has been revoked at time period t, B outputs ?. Otherwise, B randomly chooses r 0 ID ; s 0 ID 2 Z p , and performs an Extract-query on ID and a KeyUp-query on (ID, t) to obtain a secret key sk ID = (sk ID,1 , sk ID,2 ) and an update key vk ID,t = (vk ID,t,1 , vk ID,t,2 ), respectively. Then, B computes T ID = H(ID, t) and returns a signing key dk ID,t = (dk ID,t,1 , dk ID,t,2 , dk ID,t,3 ) to A 1 .
• ReKey-query: When A 1 issues a re-signing key query on two identities (ID A , ID B ) and a time period t, B first makes SKGen-query on (ID A , t) and (ID B , t) to obtain the corresponding signing keys dk A,t and dk B,t , respectively. Then, B executes the algorithm ReKey(pp, dk A,t , dk B,t ) to produce a re-signing key rk A!B,t and sends it to A 1 .
• Sign-query: When A 1 issues a signature query on a message M with respect to an identity ID and a time period t, B considers the following two cases:  Then, B returns a signature σ = (σ 1 , σ 2 , σ 3 , σ 4 ) on M to A 1 .

Forgery:
The adversary A 1 finally outputs a signature s Ã ¼ ðs Ã 1 ; s Ã 2 ; s Ã 3 ; s Ã 4 Þ on a message M Ã with respect to an identity ID Ã and a time period t Ã . If FðID Ã Þ 6 ¼ 0 mod p or KðM Ã Þ 6 ¼ 0 mod p, B aborts. Otherwise, to solve the instance of the CDH problem, B computes T ID Ã = H(ID Ã , t Ã ) and outputs g ab as follows: Now, we analyse the probability that B does not abort in the above simulation. If B completes the simulation without aborting, then the following events must have occurred: • In the Extract-query, SKGen-query and ReKey-query phases, the condition FðIDÞ 6 ¼ 0 mod l u must be satisfied for any queried identity ID.
• In the Sign-query phase, FðIDÞ 6 ¼ 0 mod l u or KðMÞ 6 ¼ 0 mod l m must be satisfied for any queried identity ID and message M.
• In the forgery phase, FðID Ã Þ ¼ 0 mod p and KðM Ã Þ ¼ 0 mod p must be satisfied for the challenged identity ID Ã and message M Ã .
Similar to the probability analysis described in [20,33], we define the following events: • X i : FðID i Þ 6 ¼ 0 mod l u for i = 1, . . ., q sk + q dk + q rk + q s .
Hence, the probability that B will not abort in the above simulation is Because l u (n u +1)<p, we can find that and Pr \ q sk þq dk þq rk þq s i¼1 X i jX Ã " # Pr :X i jX Ã ½ ¼ 1 À q sk þ q dk þ q rk þ q s l u : Since l m (n m +1) < p, we have that As l u = 2(q sk + q dk + q rk + q s ) and l m = 2q s , we can obtain the resulting probability Therefore, B can successfully solve the CDH problem in G 1 with a probability of ε 1 > ε 16ðn u þ1Þðn m þ1Þq s ðq sk þq dk þq rk þq s Þ . Lemma 2. If a polynomial-time internal adversary A 2 breaks our RIDPRS scheme with a non-negligible probability, then there exists an algorithm B that can solve the CDH problem with non-negligible probability.
Proof. Assume that an adversary A 2 breaks the existential unforgeability of our RIDPRS scheme with the probability ε after making at most q sk secret key queries, q vk update key queries, q dk signing key queries, q rk re-signing key queries and q s signing queries. We can construct an algorithm B that solves the CDH problem in G 1 with a probability ε 2 using the adversary's forgery A 2 . B is given a random instance ðg; g a ; g b Þ 2 G 3 1 of the CDH problem. To calculate g ab , B interacts with A 2 as follows.
Setup: B randomly chooses two integers k v (0 k v n v ) and k m (0 k m n m ), and sets g 2 = g b , l v = 2(q vk + q dk + q rk + q s ) and l m = 2q s such that l v (n v + 1)<p and l m (n m + 1)<p. Then, B generate public parameters pp according to the following steps: 1. Randomly choose x 0 , x 1 , . . ., x n v 2 Z l v and y 0 , y 1 , . . ., y n v 2 Z p ; then, compute v 0 ¼ g À l v k v þx 0 2 g y 0 and a vectorṽ ¼ ðv j Þ, where v j ¼ g x j 2 g y j for 1 j n v .
2. Randomly choose z 0 , z 1 , . . ., z n u 2 Z p ; then, compute u 0 ¼ g z 0 and a vectorũ ¼ ðu i Þ, where 3. Set parameter w 0 and vectorw ¼ ðw k Þ in the same way as is done in Lemma 1.

Select a collision-resistant hash function
5. Choose a random integer t 2 Z Ã p and compute g 1 ¼ g a g t ¼ g aþt , which implies that the master secret key is msk ¼ ðg t 2 ; g a 2 Þ, but a is unknown to B. 6. Send the public parameters (G 1 , G 2 , e, p, g, g 1 , g 2 , H, u 0 , v 0 , w 0 ;ũ;ṽ;wÞ to A 2 .
• Extract-query: Upon receiving a secret key query for identity ID, B randomly chooses r ID 2 Z p and computes Then, B sends a secret key sk ID to A 2 .
• KeyUp-query: Upon receiving an update key query on an identity ID and a time period t, B first computes • SKGen-query: B answers a signing key query in the same way as it does the SKGen-query in Lemma 1.
• ReKey-query: B answers a re-signing key query in the same way as it does the ReKey-query in Lemma 1.
• Sign-query: Upon receiving a signature query on a message M with respect to an identity ID and a time period t, B computes T ID = H(ID, t) and considers the following two cases: Forgery: The adversary A 2 finally outputs a signature s Ã ¼ ðs Ã 1 ; s Ã 2 ; s Ã 3 ; s Ã 4 Þ on a message M Ã with respect to an identity ID Ã and a time period t Ã . B first computes T ID Ã = H(ID Ã , t Ã ). If F 2 ðT ID Ã Þ 6 ¼ 0 mod p or KðM Ã Þ 6 ¼ 0 mod p, B aborts. Otherwise, B computes g ab as follows: Similar to the probabilistic analysis for Lemma 1, the probability that algorithm B successfully solves the CDH problem in G 1 is at least ε 16ðn v þ1Þðn m þ1Þq s ðq vk þq dk þq rk þq s Þ . Combining Lemma 1 and Lemma 2, we obtain the following theorem. Theorem 1. Our RIDPRS scheme is existentially unforgeable against adaptive chosen identity and message attacks in the standard model under the CDH assumption.
is also 1 pÀ 1 . Moreover, because p is a large prime, A can convince C that σ Ã is a valid signature for message M Ã on (ID Ã , t Ã ) with a negligible probability ( 1 pÀ 1 ). Therefore, the algorithm SA-Verify in our SA-RIDPRS scheme satisfies the soundness requirement.
By combining Theorem 1, Lemma 3 and Definition 4, the following theorem can be deduced.
Theorem 2. In the standard model, our SA-RIDPRS scheme is secure against adaptive chosen message and collusion attacks.

Performance analysis
In this section, we discuss the performance of our schemes and other IDPRS schemes in the standard model in terms of their computational cost and security properties. Because multiplication and hash function operations have relatively low computational costs, we consider only bilinear pairing and exponentiation operations, which have relatively high computational costs. In Table 1, "Size" denotes the size of a signature; "Sign", "Verify" and "ReSign" denote the computational cost of the Sign, Verify and ReSign algorithms, respectively; and "Revocation" denotes whether the scheme includes a user revocation function. E represents the time to execute an exponentiation operation; P represents the time to execute a bilinear pairing operation; |p| represents the length of an element in Z p ; and |G 1 | represents the length of an element in group G 1 .
As shown in Table 1, in our SA-RIDPRS scheme, the verifier must perform one pairing operation and 4 exponentiations to verify the validity of a signature. In contrast, the verifier must compute 4 pairings in our RIDPRS scheme. Based on the results reported in [34], the computational overhead of a bilinear pair is, at minimum, more than five exponentiations in G 1 . Obviously, our SA-RIDPRS scheme is considerably less computationally intensive than is our RIDPRS scheme; therefore, it substantially reduces the verifier's computational overhead, making it suitable for limited-resource devices.
In terms of signature size, the signature in our SA-RIDPRS scheme contains 4 elements in G 1 . The signatures in Shao et al.'s scheme [20] and Feng et al.'s scheme [21] contain 3 elements in G 1 , while the signature in Hu et al.'s scheme [22] contains 4 elements in G 1 and one element in Z p . However, our two schemes are the only ones that provide user revocation functionality and can withstand signing key exposure attacks.
In the signing phase, our SA-RIDPRS scheme and Shao et al.'s scheme [20] require 2 exponentiations to generate a signature on a message, whereas the schemes of Feng et al. [21] and Hu et al. [22] require 3 and 6 exponentiations respectively.
In the re-signing phase, our SA-RIDPRS scheme performs one pairing operation and 6 exponentiations to create a valid re-signature, while the scheme of Shao et al. [20] [22] requires 3 pairings and 4 exponentiations. In summary, our SA-RIDPRS scheme has considerably less computational overhead than do the other schemes.
We evaluate the performance of our SA-RIDPRS scheme and the three other IDPRS schemes [20][21][22]. The experiments are implemented in a hardware environment consisting of an Intel Core i7-6500 CPU 2.5 GHz with 8 GB of RAM. The corresponding simulation algorithms are implemented in the C language using the PBC-0.47-VC library and executed on a Windows 10 operating system. We chose the standard parameter a.param in the PBC library and set the group order p = 160 bits. The performance comparison results for all the schemes are shown in Figs 1, 2, 3 and 4.
In Fig 1, we can see that the length of the signature and re-signature in Shao et al.'s scheme [20] are both 532 bits. The length of the signature in Feng et al.'s scheme [21] is 384 bits, but the length of the re-signature is 512 bits. The length of the signature and re-signature in Hu et al.'s scheme [22] are both 532 bits. The length of the signature and re-signature in our SA-R-IDPRS scheme are both 512 bits. However, Feng et al.'s scheme [21] is not multi-use because the lengths of signatures and re-signatures are different. While our SA-RIDPRS scheme includes one more element in G 1 than the scheme of Shao et al. [20] does, it also effectively solves the user revocation problem. Therefore, compared with the other three schemes, our SA-RIDPRS scheme has comparable efficiency in terms of signature size. This is consistent with the above theoretical analysis.
According to Table 1, the cost of generating a signature in our SA-RIDPRS scheme is equivalent to that of Shao et al.'s scheme [20]. The experimental results shown in Fig 2 indicate that our SA-RIDPRS scheme has lower computational overhead for signature generation than do the other two schemes [21,22]. Fig 3 demonstrates that our SA-RIDPRS scheme improves on the other three schemes [20][21][22] in terms of the computational overhead for re-signature generation. From Fig 4, we can observe that the computational cost of the verifier is not related to    the size of the message in our SA-RIDPRS scheme. Because the verifier in our SA-RIDPRS scheme offloads most of the time-consuming bilinear pairing computations to the server via the server-aided verification algorithm, it can perform signature verification at a relatively low computational cost. Thus, our SA-RIDPRS scheme greatly reduces the cost of the verifier. Moreover, our SA-RIDPRS scheme is more efficient than are the other schemes [20][21][22] in terms of the verifier's computational overhead. Clearly, the results of these experiments are consistent with the results of the theoretical analysis in Table 1.

Conclusions
In this paper, we present two IDPRS schemes that include a user revocation mechanism. In our schemes, the PKG constructs an identity-dependent long-term key for all users and periodically generates update keys related to their identities and time periods for non-revoked users. Only non-revoked users can re-randomize the secret key and the update key to generate a corresponding signing key; therefore, our schemes are resistant to signing key exposure attacks. In the standard model, we prove that our schemes are secure under the CDH assumption. In particular, our SA-RIDPRS scheme substantially reduces the verifier's computational burden. However, the security of our schemes relies on the hardness assumption of the CDH problem, which can be easily solved by quantum algorithms. In the future, we plan to construct a post-quantum secure RIDPRS scheme.