A generic construction for revocable identity-based encryption with subset difference methods

To deal with dynamically changing user’s credentials in identity-based encryption (IBE), providing an efficient key revocation method is a very important issue. Recently, Ma and Lin proposed a generic method of designing a revocable IBE (RIBE) scheme that uses the complete subtree (CS) method by combining IBE and hierarchical IBE (HIBE) schemes. In this paper, we propose a new generic method for designing an RIBE scheme that uses the subset difference (SD) method instead of using the CS method. In order to use the SD method, we generically design an RIBE scheme by combining IBE, identity-based revocation (IBR), and two-level HIBE schemes. If the underlying IBE, IBR, and HIBE schemes are adaptively (or selectively) secure, then our RIBE scheme is also adaptively (or selectively) secure. In addition, we show that the layered SD (LSD) method can be applied to our RIBE scheme and a chosen-ciphertext secure RIBE scheme also can be designed generically.


Introduction
Identity-based encryption (IBE) is a type of public-key encryption (PKE) that solves the public-key management problem of PKE by using a user's identity as the public key [1]. Since the first IBE scheme in bilinear maps was proposed by Boneh and Franklin [2], new types of encryption such as IBE, hierarchical IBE (HIBE), attribute-based encryption (ABE), and predicate encryption (PE) have been actively studied as an important research topic [2][3][4][5]. Despite the long history of research on IBE, IBE schemes have not been widely deployed in real environments. One reason is that, unlike PKE schemes, which use a public-key infrastructure to handle certificate issuance and revocation, it is not simple to revoke the private key of a user in IBE. Therefore, an important additional feature of IBE schemes is to support private key revocation flexibly and efficiently.
The method of revoking the private key of a user in IBE has been studied since the initial IBE scheme was designed, but that method is not suitable for handling a large number of users [2]. The first revocable IBE (RIBE) scheme to efficiently handle large numbers of users was proposed by Boldyreva et al. [6]. The key design principle of their RIBE scheme is that a trusted center periodically creates and broadcasts an update key on time T for non-revoked users, in addition to generating each user's private key. In this case, if the private key of a user ID is not revoked in the update key on time T, the user can decrypt a ciphertext for his identity ID and the corresponding time T. In other words, the RIBE scheme of Boldyreva et al. can be seen as a method that supports indirect private key revocation, in which the center, rather than the sender, decides the revocation of private keys. Specifically, Boldyreva et al. designed their RIBE scheme by combining a tree-based broadcast method with a fuzzy identity-based encryption scheme. After the work of Boldyreva et al., various RIBE schemes and extensions have been proposed to enhance the efficiency, security, and functionality of RIBE [7][8][9][10][11][12][13][14][15][16][17]. Currently, to design an RIBE scheme, one redesigns it from scratch by directly modifying a previously proposed efficient IBE scheme. This is problematic in that a new RIBE scheme must be designed again whenever a new IBE scheme with a different mathematical structure is proposed. Ma and Lin recently overcame this problem by suggesting a generic method of designing an RIBE scheme that uses an IBE scheme as a black box [18]. In their generic RIBE scheme with the complete subtree (CS) method, an update key consists of $O(r \log \frac{N}{r})$ IBE private keys and a ciphertext consists of $O(\log N)$ IBE ciphertexts, where r is the number of revoked users and N is the number of users.
In an RIBE scheme, reducing the size of update keys is an important issue since an update key must be broadcast to all users in each time period. The motivation of this work is to reduce the update key size of the generic RIBE scheme. In tree-based broadcast encryption, the subset difference (SD) method proposed by Naor et al. [19] is more efficient than the CS method, and the layered SD (LSD) method, which improves on the SD method, has also been proposed [20]. Therefore, we ask whether it is possible to design an RIBE scheme from an IBE scheme in a generic way using the SD/LSD method in order to reduce the size of update keys. If the SD/LSD method can be applied to a generic RIBE scheme, the size of an update key can be reduced from $O(r \log \frac{N}{r})$ key elements to $O(r)$ key elements.

Our contributions
In this paper, we show that it is possible to design an RIBE scheme with the SD method in a generic way. As described above, the generic RIBE scheme with the CS method uses IBE and two-level HIBE schemes as basic building blocks [18]. In contrast, our generic RIBE scheme with the SD method uses IBE, identity-based revocation (IBR), and two-level HIBE schemes as basic building blocks. The IBR scheme is a special type of identity-based broadcast encryption (IBBE) scheme in which a set R of revoked users is specified in an IBR ciphertext, whereas a set S of receivers is specified in an IBBE ciphertext. The newly derived RIBE scheme with the SD method has $O(r)$ IBE and IBR private keys in an update key and $O(\log^2 N)$ IBE and IBR ciphertexts in a ciphertext. Compared with the previous generic RIBE scheme with the CS method, the size of an update key is reduced but the size of a ciphertext is increased. The detailed comparison of RIBE schemes is given in Table 1.
To analyze the security of our generic RIBE scheme with the SD method, we show that if the underlying IBE, IBR, and HIBE schemes are adaptively (or selectively) secure under chosen plaintext attacks, then the proposed generic RIBE scheme is also adaptively (or selectively) secure under chosen plaintext attacks. The key idea of our proof is to first divide the types of an attacker according to the queries of the attacker, and to isolate the attacker of a specific type to break the security of the underlying IBE, IBR, or HIBE scheme. However, this idea is not simple to apply since the SD method has a complicated subset cover structure unlike the CS method. To handle this complicated structure in a ciphertext, we introduce additional hybrid games in the security proof and handle each ciphertext element of the challenge ciphertext one by one.
In addition, we show that it is possible to reduce the size of a ciphertext by extending our generic RIBE scheme to use the more efficient LSD method instead of the SD method, although this modified scheme slightly increases the size of an update key. We also show that our generic RIBE scheme, which provides only chosen-plaintext attack (CPA) security, can be extended to provide security against the more powerful chosen-ciphertext attack (CCA). To provide CCA security for RIBE, the underlying IBE, IBR, and HIBE schemes should provide CCA security, and a one-time signature scheme with strong unforgeability should be used.

Related work
Certificate revocation. Certificate revocation in public-key encryption has been the subject of much research. In practice, the most widely used certificate revocation method is to periodically issue a certificate revocation list (CRL) containing the serial numbers of revoked users' certificates. In addition, a delta-CRL can be used to issue the revocation information more efficiently, and it is also possible to immediately check the status of a certificate by using the online certificate status protocol (OCSP) service. On the theoretical side, various certificate revocation methods that are more efficient than the traditional methods have also been proposed [21][22][23].
Broadcast encryption. Public-key broadcast encryption (PKBE) provides the revocation of receivers because a sender can specify a receiver set S in a ciphertext directly [24]. Identity-based broadcast encryption (IBBE) can provide more powerful revocation than existing PKBE because the maximum number of users in the system can be exponential [25]. Identity-based revocation (IBR) can be viewed as a cryptographic scheme that implements direct user revocation because all system users except the revoked users can decrypt a ciphertext in which a revoked set R is specified [26,27]. However, PKBE, IBBE, and IBR have the disadvantage that a user cannot be revoked after the creation of a ciphertext. This is a critical problem in a cryptographic system in which ciphertexts are stored in cloud storage and a user accesses these ciphertexts later, since the user cannot be revoked when his or her credential has expired.
Table 1. Comparison of RIBE schemes (table body not reproduced in this extraction). Let λ be a security parameter, N be the maximum number of users, and r be the number of revoked users. We count the number of group elements to measure the size of parameters. We use the symbols SE for selective IND-CPA and AD for adaptive IND-CPA. https://doi.org/10.1371/journal.pone.0239053.t001

PLOS ONE
Revocable IBE. Boneh and Franklin [2] proposed a revocation method for IBE in which a trusted center periodically issues a private key for a user by combining an identity and a time as $ID \| T$, but this method is not scalable since a secure channel must be established for every time period. The efficient and scalable RIBE scheme was proposed by Boldyreva et al. [6] by combining the complete subtree (CS) method and a fuzzy identity-based encryption scheme. In their RIBE scheme, a ciphertext is associated with a receiver's identity ID and time T, and a trusted center periodically issues an update key on time T for non-revoked users to implement indirect key revocation. A number of secure and efficient RIBE schemes using a broadcast method for key updates have been proposed [7-9, 13, 14, 17, 28]. Most RIBE schemes follow the CS method for update keys, but Lee et al. [15] showed that an RIBE scheme with the SD method can be designed to reduce the size of update keys. Recently, Ma and Lin [18] proposed a generic RIBE construction with the CS method by combining IBE and HIBE schemes.
Revocable HIBE. The first revocable HIBE (RHIBE) scheme, which provides private key revocation in HIBE, was proposed by Seo and Emura [10]. They proposed an RHIBE scheme by applying the design principle of previous RIBE schemes to an HIBE scheme. To improve the initially proposed RHIBE scheme, Seo and Emura later introduced a history-free update method to reduce the size of private keys and update keys [12]. After that, Lee and Park introduced a new RHIBE scheme with short private keys and short update keys by introducing an intermediate private key in HIBE and using a modular design method [16]. To strengthen the selective security of previous RHIBE schemes, Lee [29] proposed an adaptively secure RHIBE scheme by applying the dual system encryption method of Waters [30], which was successfully used in adaptively secure IBE and HIBE schemes.
Revocable ABE. ABE is an extension of IBE in which a ciphertext is associated with attributes and a private key is associated with an access structure; the ciphertext of ABE can be decrypted by the private key of ABE if the attributes satisfy the access structure [4]. A revocable ABE (RABE) scheme was proposed by Boldyreva et al. [6] by following the design principle of their RIBE scheme. ABE is well suited to environments such as cloud storage where multiple users access different ciphertexts, since it can provide flexible access control. For such an environment, Sahai et al. [31] proposed a revocable-storage ABE (RS-ABE) scheme that supports ciphertext updates as well as user key revocation. Lee et al. [29,32] proposed an improved RS-ABE scheme by using a self-updatable encryption scheme, and they also proposed an RS-ABE scheme that provides CCA security [33]. A generic construction of ABE with direct revocation, in which a revoked set is attached to a ciphertext, was proposed by Yamada et al. [34].

Preliminaries
In this section, we first review the definition and security model of IBE, IBR, and HIBE. Next, we review the definition and security model of RIBE.

Identity-based encryption
Identity-based encryption (IBE) is a kind of public key encryption (PKE) that can use a receiver's identity as a public key [2]. In IBE, a sender generates a ciphertext by encrypting a message for the receiver's identity ID. A receiver retrieves a private key corresponding to his identity ID from a trusted center and then decrypts the ciphertext if the identity of the ciphertext is equal to the identity of the private key. The detailed syntax of IBE is given as follows. The security model of IBE is defined by extending the IND-CPA security model of PKE to allow additional private key queries [2]. In this model, an attacker can request a private key of an identity ID. In the challenge stage, the attacker submits a challenge identity $ID^*$ and challenge messages $M^*_0, M^*_1$, and then receives a challenge ciphertext $CT^*$. The attacker further queries private keys and finally guesses the message hidden in $CT^*$. The detailed description of the security model of IBE is given as follows.
Definition 2.2 (IND-CPA Security). The IND-CPA security of IBE is defined in terms of the following game between a challenger C and a PPT adversary A:

Phase 2:
A may continue to request private keys for $ID_{q_1+1}, \ldots, ID_q$.
The advantage of A is defined as $\mathrm{Adv}^{IBE}_{\mathcal{A}}(\lambda) = \left| \Pr[\mu = \mu'] - \frac{1}{2} \right|$ where the probability is taken over all the randomness of the game. An IBE scheme is IND-CPA secure if for all PPT adversaries A, the advantage of A is negligible in the security parameter λ.

Identity-based revocation
Identity-based revocation (IBR) is a kind of public-key broadcast encryption (PKBE) [26] in which a large number of users with identities can participate in the system and a sender can specify the set R of revoked users in a ciphertext instead of the set S of receivers. In IBR, a sender generates a ciphertext CT by using a revoked set R and a message M, and then broadcasts the ciphertext. A receiver retrieves a private key for his or her identity from a trusted center and decrypts the ciphertext if his or her identity is not included in the set R. The detailed syntax of IBR is given as follows. The security model of IBR is defined by extending the IND-CPA security model of PKBE to account for the revoked set R [26]. In this model, an attacker requests private key queries on identities. In the challenge step, the attacker submits a challenge revoked set $R^*$ and the challenge messages $M^*_0, M^*_1$ and receives a challenge ciphertext $CT^*$. The attacker additionally requests private key queries and finally guesses the hidden message in $CT^*$. In this game, all identities of private keys must belong to the revoked set $R^*$. The detailed description of the security model is given as follows.

Setup: C generates a master key MK and public parameters PP by running Setup($1^\lambda$). It keeps MK to itself and gives PP to A.

Phase 1:
A may adaptively request private keys for identities $ID_1, \ldots, ID_{q_1}$. In response, C gives the corresponding private keys $SK_{ID_1}, \ldots, SK_{ID_{q_1}}$ to A by running GenKey($ID_i$, MK, PP).

Challenge:
A submits a challenge revoked set $R^*$ of users and two messages $M^*_0, M^*_1$ of equal length subject to the restriction: for all $ID_i$ of private key queries, $ID_i \in R^*$. C flips a random coin $\mu \in \{0, 1\}$ and gives the challenge ciphertext $CT^*$ to A by running Encrypt($R^*$, $M^*_\mu$, PP).

Phase 2:
A may continue to request private keys for $ID_{q_1+1}, \ldots, ID_q$.

The advantage of A is defined as $\mathrm{Adv}^{IBR}_{\mathcal{A}}(\lambda)$ where the probability is taken over all the randomness of the game. An IBR scheme is IND-CPA secure if for all PPT adversaries A, the advantage of A is negligible in the security parameter λ.

Hierarchical identity-based encryption
Hierarchical identity-based encryption (HIBE) is an extension of IBE in which a hierarchical identity is used to represent a user's identity and the delegation of private keys is provided [3,35]. In HIBE, a user receives a private key for his hierarchical identity from a trusted center, or receives a delegated private key from another user. If a sender creates a ciphertext for a receiver's hierarchical identity and transmits it to a receiver, then the receiver can decrypt the ciphertext by using his private key if the hierarchical identity of his private key is a prefix of the hierarchical identity of the ciphertext.
Let $HID = (ID_1, \ldots, ID_k)$ be an identity vector of size k. We let $HID|_j$ be the vector $(ID_1, \ldots, ID_j)$ of size j derived from HID. We define a function Prefix($HID|_k$) that returns the set of prefix vectors $\{HID|_j\}_{1 \le j \le k}$ where $HID|_k = (ID_1, \ldots, ID_k)$. The detailed syntax of HIBE is given as follows.
Definition 2.5 (Hierarchical Identity-Based Encryption, HIBE). An HIBE scheme consists of five algorithms Setup, GenKey, Delegate, Encrypt, and Decrypt, which are defined as follows: The setup algorithm takes as input a security parameter $1^\lambda$ and a maximum hierarchical depth $L_{max}$. It outputs a master key MK and public parameters PP. The security model of HIBE is defined by extending the security model of IBE to include additional private key delegations [3,35]. That is, an attacker can request delegated private key queries together with general private key queries. In this case, if the distribution of general private keys and the distribution of delegated private keys are the same, then we can consider only general private key queries to simplify the security model. The detailed security model of HIBE is given as follows.

Encrypt($HID|_\ell$, M, PP). The encryption algorithm takes as input a hierarchical identity $HID|_\ell$
Definition 2.6 (IND-CPA Security). The IND-CPA security of HIBE is defined in terms of the following game between a challenger C and a PPT adversary A:

Phase 2:
A may continue to request private key queries.

The advantage of A is defined as $\mathrm{Adv}^{HIBE}_{\mathcal{A}}(\lambda) = \left| \Pr[\mu = \mu'] - \frac{1}{2} \right|$ where the probability is taken over all the randomness of the game. An HIBE scheme is IND-CPA secure if for all PPT adversaries A, the advantage of A is negligible in the security parameter λ.

Revocable identity-based encryption
Revocable identity-based encryption (RIBE) is an extension of identity-based encryption (IBE) that supports private key revocation [6]. In RIBE, each user receives a private key for his or her identity ID from a trusted center. The trusted center then periodically generates an update key, which is associated with a time T and a non-revoked user set, and broadcasts the update key through a public channel. In this case, if the private key of a user is not revoked in the update key, the user can derive a decryption key for ID and T by combining the private key and the update key, and this decryption key can be used to decrypt a ciphertext associated with ID and T. The syntax of RIBE is given as follows. The security model of RIBE was first defined by Boldyreva et al. [6], and this security model was later extended by Seo and Emura [9] to support decryption key exposure resistance. In the security model of RIBE, an attacker can request a private key query for an identity ID, an update key query for a time T, a decryption key query for ID and T, and a revocation query. In the challenge step, the attacker submits a challenge identity $ID^*$, challenge time $T^*$, and challenge messages $M^*_0, M^*_1$, and receives a challenge ciphertext $CT^*$. Note that the private key query for $ID^*$ is not allowed in the IBE security model, but this private key query for $ID^*$ is allowed in the RIBE security model. In that case, if the private key for $ID^*$ is queried, then the private key for $ID^*$ must be revoked in the update key on the challenge time $T^*$. The detailed definition of the RIBE security model is given as follows.

Phase 2:
A may continue to request a polynomial number of additional queries subject to the same restrictions as before.

The advantage of A is defined as $\mathrm{Adv}^{RIBE}_{\mathcal{A}}(\lambda)$ where the probability is taken over all the randomness of the experiment. An RIBE scheme is IND-CPA secure if for all PPT adversaries A, the advantage of A is negligible in the security parameter λ.

Revocable IBE with SD
In this section, we first review the perfect binary tree and the subset difference method, and then we propose a generic construction for RIBE by combining subset difference, IBE, IBR, and HIBE schemes.

Binary tree
A perfect binary tree $\mathcal{BT}$ is a tree data structure in which all internal nodes have two child nodes and all leaf nodes have the same depth. Let $N = 2^n$ be the number of leaf nodes in $\mathcal{BT}$. The number of all nodes in $\mathcal{BT}$ is $2N - 1$, and we denote by $v_i$ a node in $\mathcal{BT}$ for any $1 \le i \le 2N - 1$. The depth $d_i$ of a node $v_i$ is the length of the path from the root node to the node. The root node of a tree has depth zero. The depth of $\mathcal{BT}$ is the length of the path from the root node to a leaf node. A level of $\mathcal{BT}$ is the set of all nodes at a given depth.
Each node $v_i \in \mathcal{BT}$ has an identifier $L_i \in \{0, 1\}^*$ which is a fixed and unique string. The identifier of each node is assigned as follows: each edge in the tree is labeled with 0 or 1 depending on whether it connects to the left or the right child node. The identifier $L_i$ of a node $v_i$ is obtained by reading all labels of the edges on the path from the root node to the node $v_i$. The root node has the empty identifier $\epsilon$. For a node $v_i$, we define Label($v_i$) to be the identifier of $v_i$ and Depth($v_i$) to be the depth $d_i$ of $v_i$.
A subtree $T_i$ in $\mathcal{BT}$ is defined as the tree rooted at a node $v_i \in \mathcal{BT}$. A subset $S_i$ is defined as the set of all leaf nodes in $T_i$. For any two nodes $v_i, v_j \in \mathcal{BT}$ where $v_j$ is a descendant of $v_i$, $T_{i,j}$ is defined as the subtree $T_i - T_j$, that is, all nodes that are descendants of $v_i$ but not of $v_j$. A subset $S_{i,j}$ is defined as the set of leaf nodes in $T_{i,j}$. For a perfect binary tree $\mathcal{BT}$ and a subset R of leaf nodes, $ST(\mathcal{BT}, R)$ is defined as the Steiner tree induced by the set R and the root node, that is, the minimal subtree of $\mathcal{BT}$ that connects all the leaf nodes in R and the root node.

Subset difference method
The subset difference (SD) method is one instance of the subset cover (SC) framework proposed by Naor et al. [19], which was used for efficient symmetric-key broadcast encryption. The SD method is more efficient than the complete subtree (CS) method because the size of the cover set representing the non-revoked users is smaller than that of the CS method. We follow the SD definition of Lee et al. [36]. The SD method uses a perfect binary tree, and each user is located at a leaf node of the binary tree. The Assign algorithm computes a path set PV, which consists of the subsets associated with the path from the root node to a user's leaf node. The Cover algorithm derives a cover set CV that efficiently covers the non-revoked leaf nodes. The Match algorithm derives two related subsets if a user's leaf node is not revoked in the cover set. A simple example of the SD method is given in Figs 1 and 2. A detailed description of the SD method is given as follows.

SD.Setup(N):
Let $N = 2^n$ be the number of leaf nodes. It sets a perfect binary tree $\mathcal{BT}$ of depth n and outputs $\mathcal{BT}$. Note that a user is assigned to a leaf node in $\mathcal{BT}$ and the collection $\mathcal{S}$ of SD is the set of all subsets

SD.Assign(BT ; v):
Let v be the leaf node of $\mathcal{BT}$ that is assigned to a user ID. Let $(v_{k_0}, v_{k_1}, \ldots, v_{k_n})$ be the path from the root node $v_{k_0}$ to the leaf node $v_{k_n} = v$. It initializes the path set PV as empty. For all $i, j \in \{k_0, \ldots, k_n\}$ such that $v_j$ is a descendant of $v_i$, it adds the subset $S_{i,j}$ defined by the two nodes $v_i$ and $v_j$ in the path into PV. It outputs the path set $PV = \{S_{i,j}\}$.

SD.Cover(BT ; R):
Let R be a revoked set of leaf nodes (or users). It first sets a subtree T as $ST(\mathcal{BT}, R)$, and then it builds a cover set CV iteratively by removing nodes from T until T consists of just a single node, as follows: If two such subsets exist, then it outputs $(S_{i,j}, S_{i',j'})$. Otherwise, it outputs $\perp$.
The correctness of the SD scheme requires that if $v \notin R$, then SD.Match(CV, PV) $= (S_{i,j}, S_{i',j'})$ [19]. Let $N = 2^n$ be the number of leaf nodes in a perfect binary tree and r be the size of a revoked set. In the SD method, the size of a path set is $O(\log^2 N)$, where the hidden constant is 1/2, and the size of a cover set is at most $2r - 1$.

Design principle
In order to design a generic RIBE scheme with the SD method, we first analyze the generic RIBE scheme with the CS method proposed by Ma and Lin [18]. The key design principle of their RIBE scheme with the CS method is that the identity ID of a receiver can be fixed to a path of the binary tree, so a ciphertext is associated with the path set of the receiver's identity ID, whereas in many directly constructed RIBE schemes it is the private key of a user that is associated with a path set of the binary tree. Therefore, if the receiver's identity ID is not revoked in the CS method, there is a node common to the path set of the binary tree and the cover set of an update key. Thus, the equality function of IBE can be used to handle this common node, since the path can be related to IBE ciphertexts and the cover set can be related to IBE private keys.
However, this design method is difficult to apply to the SD method. The reason is that in the SD method, unlike the CS method, there are no common nodes in the path set and the cover set. To solve this problem, we use the new interpretation of the SD method that was used for an efficient public-key revocation (PKR) scheme and an RIBE scheme with the SD method [15,36]. To design an efficient PKR scheme, Lee et al. [36] observed that the subset $S_{i,j}$ of the SD method can be interpreted as single member revocation, instead of the existing interpretation that $S_{i,j}$ is the set of leaf nodes that belong to the subtree $T_i$ but not to the subtree $T_j$. That is, if we consider a group set GL consisting of all nodes of the subtree $T_i$ that have the same depth as the node $v_j$, the subset $S_{i,j}$ can be interpreted as GL with the single node $v_j$ excluded. Thus, $S_{i,j}$ can be interpreted as single member revocation because it revokes exactly one node $v_j$ in GL.
This observation was also used to directly construct an RIBE scheme with the SD method by Lee et al. [15]. They used a degree-one polynomial in the exponent to implement single member revocation, but they only achieved an RIBE scheme in a non-generic way. In this work, we found that IBE and IBR schemes can be combined in a generic way to achieve single member revocation if an RIBE ciphertext is associated with a path set PV for a receiver's identity ID and an RIBE update key is associated with a cover set CV for a revoked set R. That is, given the subset $S_{i,j}$, if we set a group label $GL = L_i \| d_j$ and a member label $ML = L_j$, where $L_i, L_j$ are the identifiers of the nodes $v_i, v_j$ and $d_j$ is the depth of $v_j$, then all members of the group GL can be represented by a label pair (GL, ML). In this case, a label pair (GL, ML) in a ciphertext and another label pair (GL', ML') in an update key are matching pairs if the group labels are equal but the member labels are different, that is, $GL = GL' \wedge ML \neq ML'$. Thus, we can support the equality $GL = GL'$ by using an IBE scheme, and we can support the inequality $ML \neq ML'$ by using an IBR scheme. In addition, to provide security against collusion attacks in the black-box construction, we divide the message M of a ciphertext into several secret shares by using a simple secret sharing scheme, and then encrypt these shares by using the IBE and IBR schemes. Additionally, we use an HIBE scheme to provide decryption key exposure resistance.

Generic construction
Let IBE = (Setup, GenKey, Encrypt, Decrypt) be an IBE scheme, IBR = (Setup, GenKey, Encrypt, Decrypt) be an IBR scheme that supports a single revoked identity, and HIBE = (Setup, GenKey, Delegate, Encrypt, Decrypt) be a two-level HIBE scheme. We define GMLabels($S_{i,j}$) = ($GL = \mathrm{Label}(v_i) \| \mathrm{Depth}(v_j)$, $ML = \mathrm{Label}(v_j)$), where GL is a group label and ML is a member label. A simple example of a group of nodes derived from a subset $S_{i,j}$ is given in Fig 3. A generic RIBE scheme using the SD method is described as follows. 2. It defines a binary tree $\mathcal{BT}$ by running SD.Setup($2^n$), where identities satisfy $ID \in \{0, 1\}^n$. Note that it will deterministically assign an identity ID to a leaf node $v \in \mathcal{BT}$ such that Label(v) = ID.
2. Finally, it outputs a private key $SK_{ID} = SK_{HIBE}$.

RIBE.UpdateKey(T, RL, MK, PP):
To generate an update key for T, it proceeds as follows: 1. It initializes $RV = \emptyset$. For each $(ID_j, T_j) \in RL$, it adds the leaf node $v_j \in \mathcal{BT}$ associated with $ID_j$ into RV if $T_j \le T$. It obtains $CV_T$ by running SD.Cover($\mathcal{BT}$, RV).

Correctness
The correctness of the above RIBE scheme follows easily from the correctness of the underlying IBE, IBR, HIBE and SD schemes. Let $CT_{ID,T} = (CT_{PV}, CT_{HIBE})$ be a ciphertext associated with ID and T, and $DK_{ID',T'} = (UK_T, DK_{HIBE})$ be a decryption key associated with ID' and T'. In this case, if the condition $ID = ID' \wedge T = T'$ is satisfied, then the random value $R_2$ is correctly decrypted by running HIBE.Decrypt($CT_{HIBE}$, $SK_{HIBE}$, $PP_{HIBE}$) because of the correctness of HIBE. Now we show that the random value $R_1$ can be correctly decrypted from $CT_{PV}$ and $UK_T$ if the identity ID of the ciphertext is not revoked in the update key $UK_T$. Recall that the ciphertext $CT_{PV}$ is associated with $PV_{ID}$ and the update key $UK_T$ is associated with $CV_T$. By the correctness of the SD scheme, the SD.Match algorithm outputs two subsets of $S_{i,j}$,
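The following Python program is an added example written for this page; it is not code from the paper, from Lee et al. [36], or from Naor et al. [19]. It makes the SD algorithms of the previous section (Setup, Assign, Cover, Match), the label-pair interpretation of the design principle (GMLabels and the rule $GL = GL' \wedge ML \neq ML'$), step 1 of RIBE.UpdateKey, and the SD correctness property used in this Correctness paragraph concrete. Its assumptions: node identifiers are the bit-string labels of the Binary tree section, so Depth is the label length and the root is the empty string; identities are n-bit strings mapped to leaves with Label(v) = ID; a subset $S_{i,j}$ is stored as the pair $(L_i, L_j)$; a `|` separator is inserted into GL to keep the concatenation unambiguous; Cover follows the Steiner-tree iteration of Naor et al. and requires a non-empty revoked set (the empty case is not described above); the revocation list in the `__main__` block is constructed sample data.

```python
"""SD method over a perfect binary tree, as used by the generic RIBE scheme above.

Conventions assumed by this example: a node is identified by its label L_i, the
bit string read off the edges from the root (root = "", children of L are L+"0"
and L+"1"), so Depth(v_i) = len(L_i); leaves have length n and N = 2**n; a subset
S_{i,j} is the pair (L_i, L_j) with L_i a proper prefix of L_j; identities are
n-bit strings, so Label(v) = ID as in RIBE.Setup.
"""
from itertools import combinations


def leaves_of(n):
    """All N = 2**n leaf labels of the perfect binary tree BT of depth n."""
    return {format(x, "0%db" % n) for x in range(1 << n)}


def subset_leaves(n, subset):
    """S_{i,j}: leaves of the subtree T_i that are not leaves of the subtree T_j."""
    li, lj = subset
    return {leaf for leaf in leaves_of(n) if leaf.startswith(li) and not leaf.startswith(lj)}


def sd_assign(n, v):
    """SD.Assign(BT, v): path set PV = all S_{i,j} with v_i, v_j on the root-to-v
    path and v_j below v_i; |PV| = n(n+1)/2, i.e. O(log^2 N) with constant 1/2."""
    if len(v) != n:
        raise ValueError("v must be a leaf label of length n")
    path = [v[:k] for k in range(n + 1)]           # v_{k_0} = root, ..., v_{k_n} = v
    return [(path[i], path[j]) for i, j in combinations(range(n + 1), 2)]


def sd_cover(n, revoked):
    """SD.Cover(BT, R) following Naor et al. [19]: start from the Steiner tree
    ST(BT, R); each iteration resolves the deepest fork (exactly two Steiner
    leaves below it), emits at most two subsets and removes one Steiner leaf,
    so |CV| <= 2r - 1. R must be non-empty (assumption of this example)."""
    revoked = set(revoked)
    if not revoked or any(len(r) != n for r in revoked):
        raise ValueError("R must be a non-empty set of leaf labels")
    tree = {r[:k] for r in revoked for k in range(n + 1)}   # ST(BT, R) as a set of labels
    cover = []
    while True:
        leaves = [x for x in tree if x + "0" not in tree and x + "1" not in tree]
        if len(leaves) == 1:                        # T is a single chain: last step
            if leaves[0] != "":
                cover.append(("", leaves[0]))       # S_{root, v_i}
            return cover
        forks = [x for x in tree if x + "0" in tree and x + "1" in tree]
        v = min(forks, key=lambda x: (-len(x), x))  # deepest fork, ties broken by label
        for child in (v + "0", v + "1"):
            leaf = child                            # walk the chain below child to its leaf
            while leaf + "0" in tree or leaf + "1" in tree:
                leaf = leaf + "0" if leaf + "0" in tree else leaf + "1"
            if leaf != child:
                cover.append((child, leaf))         # S_{child, leaf}; skipped if child is the leaf
        tree = {x for x in tree if not (len(x) > len(v) and x.startswith(v))}  # v becomes a leaf


def sd_match(cover, path_set):
    """SD.Match(CV, PV): (S_{i,j} in CV, S_{i',j'} in PV) with the same group
    (L_i = L_{i'}, Depth(v_j) = Depth(v_{j'})) but a different member
    (L_j != L_{j'}); such a pair exists exactly when the user's leaf is not revoked."""
    member_on_path = {(li, len(lj)): lj for li, lj in path_set}
    for li, lj in cover:
        lj_path = member_on_path.get((li, len(lj)))
        if lj_path is not None and lj_path != lj:
            return (li, lj), (li, lj_path)
    return None


def gm_labels(subset):
    """GMLabels(S_{i,j}) = (GL = Label(v_i) || Depth(v_j), ML = Label(v_j));
    the '|' separator is this example's choice."""
    li, lj = subset
    return ("%s|%d" % (li, len(lj)), lj)


def labels_match(ct_labels, uk_labels):
    """Design-principle rule: GL = GL' and ML != ML' (IBE handles the equality,
    IBR the inequality in the generic scheme)."""
    (gl, ml), (gl2, ml2) = ct_labels, uk_labels
    return gl == gl2 and ml != ml2


def cover_is_correct(n, revoked, cover):
    """SD correctness check: the subsets of CV are pairwise disjoint and their
    union is exactly the set of non-revoked leaves."""
    parts = [subset_leaves(n, s) for s in cover]
    union = set().union(*parts)
    return sum(len(p) for p in parts) == len(union) and union == leaves_of(n) - set(revoked)


def update_key_cover(n, revocation_list, time):
    """RIBE.UpdateKey step 1: RV = {leaf of ID_j : (ID_j, T_j) in RL, T_j <= T};
    CV_T = SD.Cover(BT, RV)."""
    rv = {id_ for id_, t_j in revocation_list if t_j <= time}
    return sd_cover(n, rv)


if __name__ == "__main__":
    n = 3                                            # N = 8 users, 3-bit identities
    rl = [("000", 2), ("011", 5), ("110", 9)]        # constructed revocation list (ID_j, T_j)
    cv = update_key_cover(n, rl, time=5)             # "110" is only revoked from time 9
    print("CV_5 =", cv, "correct:", cover_is_correct(n, {"000", "011"}, cv))
    for user in ("101", "000"):                      # a non-revoked and a revoked user
        m = sd_match(cv, sd_assign(n, user))
        print(user, "->", m and (gm_labels(m[0]), gm_labels(m[1]),
                                 labels_match(gm_labels(m[1]), gm_labels(m[0]))))
```

Running the file prints $CV_5$ for the constructed list (three subsets for r = 2, matching the $2r - 1$ bound), the matched subset pair and its labels for the non-revoked user 101, and `None` for the revoked user 000. The `cover_is_correct` check, run over every revoked set of a small tree, is the test a practitioner should apply to any Cover implementation before trusting the update keys it produces, since an incorrect cover either locks out a non-revoked user or, worse, leaves a revoked one able to derive a decryption key.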

Discussions
Layered subset difference. Since our generic RIBE scheme uses the SD method, the size of a ciphertext depends on the size of the PV set and the size of an update key depends on the size of the CV set of the SD method. Thus, the ciphertext and update key of the generic RIBE scheme consist of approximately $O(\log^2 N)$ IBE ciphertexts and $2r$ IBE private keys, respectively, where $N = 2^n$ is the number of users and r is the number of revoked users. In order to reduce the size of ciphertexts in this generic RIBE scheme, we can apply the layered subset difference (LSD) method of Halevy and Shamir [20]. If the LSD method is used instead of the SD method, the ciphertext and the update key of this generic RIBE scheme consist of $O(\log^{1.5} N)$ IBE ciphertexts and $4r$ IBE private keys, respectively.
Chosen-ciphertext security. The CCA security model, which is stronger than the CPA security model, allows an adversary to request decryption queries on ciphertexts. The above generic RIBE construction can only derive a CPA secure RIBE scheme by using CPA secure IBE, IBR, and HIBE schemes as building blocks. To derive a CCA secure RIBE scheme, one might try to use CCA secure encryption primitives as building blocks. However, this simple construction cannot be CCA secure because it allows ciphertext-element reordering attacks. To solve this problem, we apply the CCA methodology for multiple encryption proposed by Dodis and Katz [37]. That is, a CCA secure RIBE scheme can be constructed by combining CCA secure IBE, IBR, and HIBE schemes with a one-time signature (OTS) scheme with strong unforgeability. In this case, the underlying IBE, IBR, and HIBE schemes should be modified to receive additional labels as inputs, since the public key of the OTS should be tied to the ciphertext. This approach also provides the decryption key exposure resistance (DKER) property, since a decryption key is generated by using the delegation property of HIBE.

Security analysis
In this section, we prove the IND-CPA security of the generic RIBE construction proposed in the previous section. The basic idea of this proof is to show that if there is an attacker that breaks the IND-CPA security of the RIBE scheme, then we can construct an algorithm that breaks the IND-CPA security of the underlying IBE, IBR, or HIBE scheme. In order to simplify the security proof, we separate the attacker into two types. That is, the Type-I attacker does not request a private key query on the challenge identity $ID^*$, and the Type-II attacker requests a private key query on the identity $ID^*$.
First, since the Type-I attacker does not query the private key for the identity $ID^*$, we give a proof that relates the security of the underlying HIBE scheme to the security of the RIBE scheme. Next, since the Type-II attacker queries the private key for $ID^*$, we give a proof that relates the security of the underlying IBE or IBR scheme to the security of the RIBE scheme.
Proof. Let $ID^*$ be the challenge identity and $T^*$ be the challenge time. We divide the behavior of an adversary into two types, Type-I and Type-II, which are defined as follows:
Type-I. An adversary is Type-I if it requests a private key for $ID \neq ID^*$ for all private key queries. In this case, the adversary can request a decryption key for $ID$ and $T$ such that
Type-II. An adversary is Type-II if it requests a private key for $ID = ID^*$ for some private key query. In this case, the private key for $ID^*$ should be revoked at some time $T$ such that $T \leq T^*$ by the restriction of the security model. This completes our proof.

Type-I adversary
The Type-I attacker does not request a private key query on the challenge identity $ID^*$, but it can request decryption key queries such that $ID = ID^*$ and $T \neq T^*$. To deal with this attacker, we build a reduction algorithm that attacks the HIBE scheme and selects the IBE and IBR schemes by itself. In this case, the algorithm can handle all queries of the Type-I attacker by using its own queries to the HIBE scheme. The detailed proof is as follows.

Lemma 4.2. For the Type-I adversary, the generic RIBE scheme is IND-CPA secure if the HIBE scheme is IND-CPA secure.
Proof. Suppose there exists an adversary A that attacks the RIBE scheme with a non-negligible advantage. An algorithm B that attacks the HIBE scheme is initially given the public parameters $PP_{HIBE}$ by a challenger C. Then B, interacting with A, is described as follows:
Setup: B generates $(MK_{IBE}, PP_{IBE})$ by running the IBE.Setup algorithm and $(MK_{IBR}, PP_{IBR})$ by running the IBR.Setup algorithm. It initializes $RL = \emptyset$ and gives $PP = (PP_{IBE}, PP_{IBR}, PP_{HIBE})$ to A.
Phase 1: A adaptively requests a polynomial number of private key, update key, decryption key, and revocation queries.
• For a private key query with an identity $ID$, B proceeds as follows: It receives $SK_{HIBE}$ from C by querying a private key for $ID$, which is allowed since $ID \neq ID^*$ by the restriction of the Type-I adversary. It gives $SK_{ID} = SK_{HIBE}$ to A.
• For an update key query with time $T$, B proceeds as follows: It simply generates $UK_T$ by running the RIBE.UpdateKey algorithm since it knows $MK_{IBE}$ and $MK_{IBR}$. It gives $UK_T$ to A.
• For a decryption key query with an identity $ID$ and time $T$, B proceeds as follows:
1. It generates $UK_T$ by running the RIBE.UpdateKey algorithm since it knows $MK_{IBE}$ and $MK_{IBR}$.
2. It receives $DK_{HIBE}$ from C by querying a private key for $(ID, T)$, which is allowed since $ID \neq ID^*$ or $ID = ID^* \wedge T \neq T^*$ by the restriction of the Type-I adversary.
• For a revocation query with an identity $ID$ and time $T$, B proceeds as follows: It adds $(ID, T)$ to $RL$ if $ID$ was not revoked before.
Challenge: A submits a challenge identity $ID^*$, a challenge time $T^*$, and two challenge messages $M^*_0, M^*_1$. B proceeds as follows:
1. It first selects a random $R_1$ and sets
2. Next, it receives $CT^*_{HIBE}$ from C by submitting $ID^*$, $T^*$, and the two challenge messages $R_{2,0}, R_{2,1}$.
3. To create $CT^*_{PV}$ for $ID^*$ and $T^*$, it simply follows the procedure of the RIBE.Encrypt algorithm with the random $R_1$ as input.

Type-II adversary
Since the Type-II attacker requests a private key query on the challenge identity $ID^*$, we cannot answer the private key queries of the RIBE scheme by using the private key queries of the HIBE scheme in the proof. Therefore, we prove security against the Type-II attacker by relating the security of the IBE and IBR schemes to the security of the RIBE scheme.
The main idea of the proof is to take advantage of the restriction of the RIBE security model: if the attacker queries the private key for the challenge identity $ID^*$, then the corresponding private key for $ID^*$ must be revoked in the update key on the challenge time $T^*$. Thus, the ciphertext $CT^*_{PV}$ in the challenge ciphertext consists of the IBE and IBR ciphertexts associated with the subsets $S_{i,j}$ belonging to the path set $PV_{ID^*}$, but the IBE and IBR private keys that can decrypt the corresponding ciphertext elements in $CT^*_{PV}$ are not included in the update key for $T^*$ because of this restriction. Using this fact, we can prove the security of the RIBE scheme against the Type-II attacker by using the security of the IBE or IBR scheme.
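The SD layer that this argument and the correctness discussion above rely on, as an added Python example that is not part of the paper: it computes a user's path set $PV_{ID}$, the NNL cover $CV$ for a revoked set, and the SD.Match step that finds the path-set subset and the cover subset sharing a group label $GL$ but having different member labels $ML$; a revoked user never obtains such a pair. The bit-string node encoding, the concrete $GL$/$ML$ labelling and the Steiner-tree merge order are assumptions of this example, not the paper's definitions.

```python
# Added example (not the paper's code): the subset-difference (SD) layer used by
# the correctness argument and the Type-II proof. Nodes are bit strings ("" is
# the root, a length-n string is one user's leaf); S_{i,j} = (i, j) holds the
# leaves below node i that are not below j. GL = "i/depth(j)", ML = j is assumed.

def lca_depth(x, y):
    """Depth of the lowest common ancestor of nodes x and y."""
    d = 0
    while d < min(len(x), len(y)) and x[d] == y[d]:
        d += 1
    return d

def sd_assign(n, leaf):
    """Path set PV of a user: every S_{i,j} with i and j on the root-to-leaf
    path and i a proper ancestor of j, so the user lies in all of them."""
    return [(leaf[:a], leaf[:b]) for a in range(n) for b in range(a + 1, n + 1)]

def sd_cover(revoked):
    """NNL cover CV: disjoint subsets whose union is exactly the set of
    non-revoked leaves (assumes at least one revoked leaf)."""
    steiner = set(revoked)                      # leaves of the Steiner tree
    cover = []
    while len(steiner) > 1:
        # the pair with the deepest common ancestor v has no other Steiner
        # leaf below v, so each child subtree of v holds exactly one of them
        a, b = max(((x, y) for x in steiner for y in steiner if x < y),
                   key=lambda p: lca_depth(*p))
        v = a[:lca_depth(a, b)]
        for leaf in (a, b):
            child = leaf[:len(v) + 1]           # child of v towards leaf
            if child != leaf:                   # S_{child,leaf}: rest of child
                cover.append((child, leaf))
        steiner -= {a, b}
        steiner.add(v)                          # v replaces a and b
    (v,) = steiner
    if v != "":                                 # all leaves outside v
        cover.append(("", v))
    return cover

def gm_labels(subset):
    """Group label (node i plus depth of j) and member label (node j)."""
    i, j = subset
    return i + "/" + str(len(j)), j

def sd_match(path_set, cover):
    """Return (S_path, S_cover) with equal GL and different ML: the IBE key
    for GL and the IBR key that revokes ML_cover then open the user's pair
    of ciphertexts. Returns None when the user is revoked in this cover."""
    for cs in cover:
        gl_c, ml_c = gm_labels(cs)
        for ps in path_set:
            gl_p, ml_p = gm_labels(ps)
            if gl_p == gl_c and ml_p != ml_c:
                return ps, cs
    return None

def can_decrypt(n, user, revoked):
    """True iff SD.Match finds a subset pair for user under cover(revoked)."""
    return sd_match(sd_assign(n, user), sd_cover(revoked)) is not None
```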
We prove the security by using hybrid games consisting of multiple sub-games because the ciphertext $CT^*_{PV}$ is composed of many IBE and IBR ciphertexts. That is, in the hybrid games, a ciphertext that encrypts a random value related to $M^*_0$ is changed to another ciphertext that encrypts a random value related to $M^*_1$. In these hybrid steps, since the number of IBE and IBR ciphertext pairs in $CT^*_{PV}$ is at most $O(n^2)$, the proof can be completed by performing $O(n^2)$ hybrid games. The detailed proof is described as follows.

Lemma 4.3. For the Type-II adversary, the generic RIBE scheme is IND-CPA secure if the IBE and IBR schemes are IND-CPA secure.
Proof. Let $ID^*$ be the challenge identity and $PV_{ID^*}$ be the path set of $ID^*$, where the number of subsets in $PV_{ID^*}$ is $\ell = n(n-1)/2$. The challenge ciphertext is formed as
For the security proof, we define hybrid games $G_0, G_1, G_2, G_3$ as follows:
Game $G_0$. This game is the original security game defined in the security model except that the challenge bit $\mu$ is fixed to 0.
Game $G_1$. This game is the same as the game $G_0$ except that the settings of the random $R_1$ and $R_2$ in the challenge ciphertext are changed. That is, $R_2$ is randomly chosen and $R_1$ is set as
Game $G_2$. In this game, the generation of $CT^*_{PV}$ in the challenge ciphertext $CT^*$ is changed. That is, a random $R'_1$ is an encryption on the random $R'_1$ We divide the adversary into the following sub-types:
- An adversary is Type-II-A if it requests an update key for time $T^*$ such that $GL \neq GL^*$ for all labels $(GL, ML) = GMLabels(S_{i,j})$ of $S_{i,j} \in CV_R$.
- An adversary is Type-II-B if it requests an update key for time $T^*$ such that $GL = GL^*$ for some labels $(GL, ML) = GMLabels(S_{i,j})$ of $S_{i,j} \in CV_R$, where $UK_{T^*}$ is related with $CV_R$. In this case, we have $ML \neq ML^*$ since the identity $ID^*$ should be revoked in $UK_{T^*}$ by the restriction of the security model.
Game $G_3$. This game is the same as the game $G_2$ except that the settings of the random $R'_1$ and $R_2$ in the challenge ciphertext are changed. That is, $R'_1$ is randomly chosen and $R_2$ is set as $M^*_1 \oplus R'_1$. This game is the original security game in the security model except that the challenge bit $\mu$ is fixed to 1.

Let $S^{G_i}_A$ be the event that A outputs 0 in a game $G_i$. From Lemmas 4.4 and 4.5, we obtain the following result

• For a decryption key query with an identity $ID$ and time $T$, B proceeds as follows:
1. It retrieves $SK_{ID} = SK_{HIBE}$ by querying a private key to its own oracle. It also retrieves $UK_T$ by querying an update key to its own oracle.
2. Next, it generates a delegated key $DK_{HIBE}$ of $SK_{HIBE}$ by running HIBE.DelegateKey for $ID$ and $T$.
• For a revocation query with an identity $ID$ and time $T$, B proceeds as follows: It adds $(ID, T)$ to $RL$ if $ID$ was not revoked before.
Challenge: A submits a challenge identity $ID^*$, a challenge time $T^*$, and two challenge messages $M^*_0, M^*_1$. B proceeds as follows:
1. It first selects a random $R_2$ and sets $R_1$;
2. Next, it generates $CT^*_{HIBE}$ by running HIBE.Encrypt$((ID^*, T^*), R_2, PP_{HIBE})$.
3. It obtains $PV_{ID^*}$ by running SD.Assign$(BT, v_{ID^*})$, where the leaf node $v_{ID^*}$ is associated with $ID^*$. For each $S_{i,j} \in PV_{ID^*}$, it obtains $(GL_k, ML_k) = GMLabels(S_{i,j})$ and proceeds as follows:
• If $k < \rho$, then it selects a random $R_{3,k}$ and sets $R_{4,k} = R_{1,M_1} \oplus R_{3,k}$, and then generates $CT^*_{IBE,S_{i,j}}$ by running IBE.Encrypt$(GL_k \| T^*, R_{3,k}, PP_{IBE})$ and $CT^*_{IBR,S_{i,j}}$ by running IBR.Encrypt$(ML_k \| T^*, R_{4,k}, PP_{IBR})$.
• If $k = \rho$, then it performs the following: (a) It selects a random $R_{4,k}$ and sets $R_{3,k}$;

• For a decryption key query with an identity $ID$ and time $T$, B proceeds as follows:
1. It retrieves $SK_{ID} = SK_{HIBE}$ by querying a private key to its own oracle. It also retrieves $UK_T$ by querying an update key to its own oracle.
2. Next, it generates a delegated key $DK_{HIBE}$ of $SK_{HIBE}$ by running HIBE.DelegateKey for $ID$ and $T$.
• For a revocation query with an identity $ID$ and time $T$, B proceeds as follows: It adds $(ID, T)$ to $RL$ if $ID$ was not revoked before.
3. It obtains $PV_{ID^*}$ by running SD.Assign$(BT, v_{ID^*})$, where the leaf node $v_{ID^*}$ is associated with $ID^*$. For each $S_{i,j} \in PV_{ID^*}$, it obtains $(GL_k, ML_k) = GMLabels(S_{i,j})$ and proceeds as follows:
• If $k < \rho$, then it selects a random $R_{3,k}$ and sets $R_{4,k} = R_{1,M_1} \oplus R_{3,k}$, and then generates $CT^*_{IBE,S_{i,j}}$ by running IBE.Encrypt$(GL_k \| T^*, R_{3,k}, PP_{IBE})$ and $CT^*_{IBR,S_{i,j}}$ by running IBR.Encrypt$(ML_k \| T^*, R_{4,k}, PP_{IBR})$.
• If $k = \rho$, then it performs the following: (a) It selects a random $R_{3,k}$ and sets $R_{4,k}$;

Instantiations
In this section, we show that our generic RIBE construction can be instantiated as real RIBE schemes by using bilinear maps or lattices.

RIBE from bilinear maps
Previously, many RIBE schemes using the CS method were directly constructed on bilinear maps [6,7,9]. In addition, an RIBE scheme using the SD method was also directly constructed on bilinear maps [15]. Recently, a generic construction for RIBE using the CS method was proposed by Ma and Lin [18]. Nonetheless, a different generic construction for RIBE using the SD/LSD method is still of interest because it allows different RIBE instantiations by changing the underlying cryptographic schemes and yields RIBE schemes with shorter update keys. Here, we look at different instantiations of RIBE using the SD/LSD method that provide selective security or adaptive security.
First, we instantiate an efficient RIBE scheme that provides selective security by following the generic construction. To do this, we choose the BB-IBE scheme of Boneh and Boyen [38] as the underlying IBE scheme, which provides selective security under the DBDH assumption. For the underlying IBR scheme, we choose the efficient LSW-IBR scheme of Lewko et al. [26]. Note that the IBR scheme in our generic construction only requires that the revoked set R of a ciphertext consists of a single revoked identity ID. Thus, we can derive a simplified LSW-IBR scheme that supports a single revoked identity, and this simplified IBR scheme provides selective security under the DBDH assumption [27]. Finally, we choose the two-level BB-HIBE scheme of Boneh and Boyen [38], which provides selective security under the DBDH assumption. The resulting RIBE scheme that uses the SD/LSD method provides selective security under the DBDH assumption.
We analyze the private key, update key, and ciphertext sizes of our generic RIBE scheme with the LSD method in an asymmetric bilinear group. In the MNT159 bilinear group, the size of the $G$ group is 159 bits, and the size of the $\hat{G}$ group and the $G_T$ group is 954 bits. In the BB-IBE scheme, the private key size is $2|G_2|$ and the ciphertext size is $2|G| + |G_T|$, where $|G|$ denotes the size of a group element. In the LSW-IBR scheme, the private key size is $3|\hat{G}|$ and the ciphertext size is $3|G| + |G_T|$. In the BB-HIBE scheme, the private key size is $2|\hat{G}|$ and the ciphertext size is $3|G| + |G_T|$. In our RIBE scheme, the private key size is $2|\hat{G}|$ since it consists of the private key of HIBE, the update key size is $20 \cdot r \cdot |\hat{G}|$ since it is composed of the IBE and IBR private keys associated with a cover set, and the ciphertext size is approximately $0.5 \cdot \log^{1.5} N \cdot (5|G| + 2|G_T|)$ since it consists of the IBE and IBR ciphertexts associated with a path set. Thus, if we set $N = 2^{32}$ and $r = 1000$, the private key size is 238 bytes, the update key size is 2385 kilobytes, and the ciphertext size is 30 kilobytes.
Next, we instantiate an RIBE scheme that provides adaptive security. For this, we use the IBE scheme of Waters [30], which provides adaptive security under the DBDH and DLIN assumptions, the IBR scheme of Okamoto and Takashima [39], which is derived from an NIPE scheme that provides adaptive security, and the two-level HIBE scheme of Waters [30], which provides adaptive security under the DBDH and DLIN assumptions. The resulting RIBE scheme provides adaptive security under these standard assumptions in prime-order bilinear groups. The previous adaptively secure RIBE scheme of Lee et al. [15] is built in composite-order bilinear groups, whereas this generic RIBE scheme is built in prime-order bilinear groups. On the other hand, this generic RIBE scheme has small private keys and large ciphertexts, whereas the RIBE scheme of Lee et al. has small ciphertexts and large private keys.

RIBE from lattices
A number of RIBE schemes in lattices have been previously proposed [8,11,14,17]. Although the first lattice-based RIBE scheme using the CS method did not provide decryption key exposure resistance (DKER), a new RIBE scheme using the CS method that provides DKER was recently proposed by using the delegation property of HIBE [8,17]. In addition, a lattice-based RIBE scheme using the SD method has also been proposed, but this scheme has a serious limitation in that the identity space is restricted to a small universe, because the Lagrange interpolation technique is directly applied to lattices [11].
We use the previously proposed efficient lattice based IBE, IBR, and two-level HIBE schemes to instantiate a lattice based RIBE scheme using the SD method. For the underlying IBE and HIBE schemes, we choose efficient IBE and HIBE schemes of Agrawal et al. [40] that provide selective security in the LWE assumption. For the underlying simple IBR scheme, we choose the NIPE scheme of Katsumata and Yamada [41] which is derived from a linear functional encryption scheme. Note that an NIPE scheme is easily transformed into a simplified IBR scheme with a single revoked identity and this resulting IBR scheme provides selective security in the LWE assumption.
We compare our RIBE scheme with the SD method to the RIBE scheme directly designed by Cheng and Zhang [11]. Cheng and Zhang derived their RIBE scheme in lattices by applying the design principle of the RIBE scheme of Lee et al. [15] in bilinear maps. To use the technique of Lee et al., it is necessary to use Lagrange interpolation to recover a polynomial value in decryption. In lattices, if Lagrange coefficients and the noise values in ciphertexts are multiplied, then a large noise value is obtained in the decryption process, which must be removed to obtain the message. Since the resulting noise value grows exponentially as the size of the identity space increases, their RIBE scheme has the serious drawback that only a small identity universe can be supported. Therefore, our RIBE scheme with the SD method is the first lattice-based RIBE scheme using the SD method that supports a large identity universe and provides the DKER property.

Conclusion
In this paper, we proposed a new generic RIBE construction with the SD method. Our generic construction uses an IBE scheme, an IBR scheme with a single revoked identity, and a two-level HIBE scheme as building blocks. The generic RIBE construction can be instantiated from bilinear maps or lattices; the private key consists of a constant number of IBE and HIBE private keys, the update key consists of $O(r)$ IBE and IBR private keys, and the ciphertext mainly consists of $O(n^2)$ IBE and IBR ciphertexts. If our generic RIBE construction is extended to use the more efficient LSD method instead of the SD method, the ciphertext is reduced to $O(n^{1.5})$ IBE and IBR ciphertexts. In addition, if the underlying IBE, IBR, and HIBE schemes provide CCA security and a one-time signature is used, then a CCA secure RIBE scheme can be generically constructed.
There are some interesting open problems. The first problem is to reduce the size of a ciphertext in our generic RIBE scheme with the SD method. In the previous generic RIBE scheme with the CS method, the size of a ciphertext can be reduced by using an IBBE scheme. In our generic RIBE scheme with the SD method, it is difficult to reduce the size of a ciphertext since it uses an IBR scheme. The second problem is to design a generic RHIBE scheme with the SD method. To design a generic RHIBE scheme, the private key delegation is needed. It is possible to extend the IBE scheme to support key delegation by using an HIBE scheme, but it is unclear how to extend the IBR scheme to support key delegation.