An IBE Scheme with Verifiable Outsourced Key Generation Based on a Single Server

ABSTRACT It is well known that private key generation is a computing bottleneck in an identity-based encryption scheme when a large number of users exist. Outsourcing computation can greatly reduce the users’ computational cost, but the existing schemes are all based on two servers, which are not feasible in the real cloud environment. In this paper, we first propose a scheme where the PKG outsources the task of private key generation to a single server, and the results can be verified effectively. Moreover, PKG only needs to execute 1 modular exponentiation, so it is more efficient when compared with previous schemes. Meanwhile, we prove the indistinguishability of the ciphertext and verifiability of the outsourcing results in the security model. Finally, the proposed algorithm is realized in a simulation environment. Theoretical analysis and experimental results show that total computing time of PKG and the server in the outsourced algorithm is far less than that of direct computation.


INTRODUCTION
With the rapid development of cloud computing, the safety and efficiency of outsourcing computation have attracted widespread attention. By outsourcing computation, outsourcers with limited ability can outsource complex computing tasks to powerful servers, which will greatly reduce users' computational costs. However, outsourcing computing tasks to servers also presents some security risks because the servers are not completely trusted. Verifiable outsourcing schemes can keep the information of users confidential and verify computational results returned from the server. At present, verifiable outsourcing schemes have involved in many aspects in cryptography, such as modular exponentiation [1,2], polynomial operations [3], attribute-based encryption operations [4,5], image feature extraction [6], and so on.
Modular exponentiation is one of the most timeconsuming and commonly used operations in cryptography, and many outsourcing schemes for modular exponentiations have been proposed. Hohenbergerd et al. [7] first proposed an outsourcing scheme for single modular exponentiation with two non-colluding servers, where the outsourcer could check the fault that the servers might make with a probability of 1/2, and they also defined the security model of outsourcing calculation. Then Wang et al. [8] presented an outsourcing solution for batch modular exponentiations based on a single untrusted server with increased security, but the checkability was only 1/(s + 1)(where s is the number of modular exponentiations), which means it was not efficient and the checkability was only 1/2 for outsourcing single modular exponentiation. Different from the previous schemes, Liu et al. [9] did the work for outsourcing composite modular exponentiations. Ye et al. [10] proposed a new secure outsourcing algorithm based on a single server, and the verifiable probability is close to 1 while the outsourcer appended much computation cost. Chen et al. [11] firstly presented an efficient outsourcing algorithm for bilinear pairing based on two untrusted servers and the outsourcer need not any expensive operations in their algorithm. Then another outsourcing algorithm was proposed with improved checkability based on two servers for bilinear pairing [12]. Recently, Ren et al. [13] presented a new outsourcing algorithm of bilinear pairing with a verifiability of close to 1 if one of the servers misbehaved, which improved the checkability without an interactive operation between the server and the outsourcer.
In identity-based cryptography, the user's identity is directly used as a public key, and the private key generator needs to generate a private key or perform key update for each user. The identity-based cryptography was firstly proposed in 1984 by Shamir [14], but the first IBE scheme was constructed by Boneh and Franklin in 2001 [15]. In order to reduce the risk of key leakage, Ren et al. [16] proposed an identity-based parallel key encryption scheme, then Yu et al. [17] presented a securer solution because this algorithm supports frequent key updates without increasing the risk of key leakage. With the increase of users, the calculation burden of PKG will be heavy and it may cause the bottleneck of the system. In order to solve this problem effectively, Li et al. [18] proposed an outsourced deletion algorithm based on identity encryption scheme, which transfers the calculation burden of deleting users from PKG to cloud server. Recently, Ren et al. [19] firstly proposed a verifiable algorithm for outsourcing private key generation in the IBE scheme. Based on the LW − IBE scheme [20], PKG can outsource the tasks of generating private keys and verify the correctness of returned results. This scheme can verify the results with a probability of 1 if one of the servers returned fault results, but it is based on two untrusted servers. So far, there is no relevant algorithm proposed based on a single server.
Our contributions: In this paper, we introduce the concept of verifiable computation into the identity-based encryption scheme, and then propose an IBE scheme that includes an outsourcing private key generation algorithm. In the proposed scheme, PKG outsources the tasks of generating the private key and verifies the returned results effectively. The outsourcing algorithm is based on a single server and it can greatly reduce the computational cost of PKG, meanwhile, the server cannot obtain PKG or the private key of any user during the outsourcing process. The PKG can detect the failure with a probability of about 1 if the server misbehaves, the experiment shows the time cost for PKG is much smaller than that of generating the private keys directly and the server in the outsourcing algorithm.

DEFINITION AND SECURITY MODEL
In this section, we introduce some definitions including bilinear groups with the order of composite number, the identity-based encryption scheme and the security model of IBE.

Bilinear Groups with Order of Composite Number
People first presented bilinear groups with the order of composite number in [20], the algorithm takes security parameter λ as input and then outputs (N = p 1 p 2 p 3 , G, G T , e), where p 1 , p 2 , p 3 are distinct primes, G and G T are cyclic groups with order N = p 1 p 2 p 3 , if it has following conditions, then e: G × G → G T is a bilinear map: (1) (Bilinear): ∀g, h ∈, G, a, b ∈ Z N , e(g a , h b ) = e(g, h) ab .
(2) (Non-degenerate): ∃g ∈ G, which makes e(g, g) is a generator of G T . (3) (Computable): There is an efficient algorithm to compute e(g, h) for all g ∈ G, h ∈ G.
Let G p 1 , G p 2 , G p 3 represent the subgroups of G with order p 1 , p 2 , p 3 , respectively. G r,p 1 , G r,p 2 , G r,p 3 represent the subgroups of G T with order p 1 , p 2 , p 3 , respec- 3 . Assume g is a generator of G, and then g p 2 p 3 , g p 1 p 3 ,

Identity-Based Encryption Scheme
An IBE scheme is usually composed of four aspects, including Setup, KeyGen, Encrypt, and Decrypt algorithms [20], which typically involves two entities, PKG, and users (including sender and receiver). If PKG sends the task of outsourcing private key generation to the server, the KeyGen Out algorithm will be added and the scheme consists of the following algorithms. sends it to the server. When the server returns the calculation results CR ID , we verify the results correct or not, if correct, then calculate the user's private key SK ID , otherwise return an error ⊥.

Security Model of an IBE Scheme
We first introduce the full security model against the chosen-plaintext attack (CPA) in an IBE scheme, and then introduce the security model of an IBE scheme which adds the outsourcing private key generation algorithm. A game between a challenger and an adversary A can describe them.
In the following games, we define the advantage of A and the scheme is secure if the advantage is negligible. [20]. The game contains 2 participants: challenger and adversary A.

Setup:
The challenger executes the Setup algorithm to get the public key PK and the master key MK, which then sends the public key PK to attacker A while ensuring that MK is secret.

Phase 1:
The attacker A adaptively issues.
Private key query: the attacker A sends an identity ID to the challenger, then the challenger runs the KeyGen algorithm, and sends the private key of identity to the attacker A.
Challenge: A sends an identity ID * and two same length messages M 0 , M 1 to the challenger, in Phase 1, ID * has not been executed the private key query. The challenger randomly chooses a bit β ∈ {0, 1} and forms the ciphertext CT * = Encrypt(PK, M β , ID * ), and then returns CT * to A.

Phase 2:
The adversary A continues to issue private key queries and the challenger responds queries adaptively. However, ID * will not been executed the private key query.
Definition 2: (IND-OID-CPA) Through the following games, the definition of indistinguishability of an IBE scheme under the chosen-plaintext attack is given after adding private key generation algorithm [19]. The game contains two participants: challenger and adversary A.

Setup:
The challenger executes the Setup algorithm to get the public key PK and the master key MK, which then sends the public key PK to attacker A while ensuring that MK is secret.
Phase 1: First the challenger initializes an empty outsourcing list OL and the adversary A adaptively issues queries.
Private key query: the adversary A sends an identity ID to the challenger, then the challenger runs the KeyGen algorithm, and sends the private key of identity to the adversary A.
Outsourcing key query: The adversary A sends ID to the challenger and then the challenger search (ID, OK ID ) in OL. If it exists, then returns OK ID to A, Otherwise, generates OK ID and returns it to A.
Challenge: A sends an identity ID * and two same length messages M 0 , M 1 to the challenger, in Phase 1, ID * has not been executed the private key query or outsourcing key query. The challenger randomly chooses a bit β ∈ {0, 1} and forms the ciphertext CT * = Encrypt(PK, M β , ID * ), then returns CT * to the adversary.

Phase 2:
The adversary A continues to issue private key queries and the challenger responds queries adaptively. However, ID * will not been executed the private key query or outsourcing key query.
In the above two games, we define the advantage of A as Different from Definition 1, Definition 2 adds the outsourcing private key generation algorithm, and it mainly adds the outsourcing key query in Phase 1. Moreover, in the above two security models, ID * will not been executed the private key query or outsourcing key query.

IDENTITY-BASED ENCRYPTION WITH OUTSOURCED PRIVATE KEY GENERATION
This section proposes an algorithm with verifiable outsourced private key generation based on the LW − IBE scheme [20], PKG can verify the correctness of the returned results effectively, but the server cannot obtain the PKG or the private key of any user.

LW − IBE Scheme
In this section, we first review the LW − IBE scheme [20].

Setup(λ):
PKG runs the Setup algorithm, which selects a bilinear group G of order N = p 1 p 2 p 3 , where p 1 , p 2 , p 3 are three large primes. Let G pi be a subgroup of order p i in G, where i ∈ {1, 2, 3}. Then PKG randomly chooses g, u, h ∈ G p 1 , α ∈ Z N , and generates a public key PK = {N, g, u, h, e(g, g) α }, and the master key is α ∈ Z N and a generator of G p 3 .
KeyGen (MK, ID, PK): PKG randomly selects r ID ∈ Z N , R 11 , R 12 ∈ G p 3 based on identity ID, and computes: Then PKG outputs SK ID = (K 1 , K 2 ) corresponding to ID.

Encrypt (M, ID, PK):
For an identity ID and a message M ∈ G T , we randomly choose s ∈ Z N and computes: Then creates the ciphertext CT = (C 0 , C 1 , C 2 ).
Decrypt (CT, SK ID , PK): Take as input an identity ID, a private SK ID and a ciphertext CT, then it decrypts the ciphertext as below: Since (u ID 1 h 1 ) s , g s ∈ G p 1 , R 11 , R 12 ∈ G p 3 , then e((u ID 1 h 1 ) s , g r ID R 11 ) = e(g s , R 12 ) = 1.
Thus, the ciphertext can be decrypted successfully.

The IBE Scheme with Verifiable Outsourced Key Generation
In this section, we propose an IBE scheme with verifiable outsourced key generation. The Setup, KeyGen, Encrypt, and Decrypt algorithms are run as the LW − IBE scheme, and then we only introduce the identity-based encryption with verifiable outsourced key generation. In [7], a subroutine Rand is used to generate random tuple with the form of (c, c −1 , g c modp), where c ∈ Z q , so that the computations of the outsourcer can be speeded, and U represents the server.

KeyGen Out (ID):
(1) Firstly PKG computes g α and stores it in the system, then running Rand sixth to create six blinding pairs: and (t 6 , t −1 6 , g t 6 ).
We denote v 1 = g t 1 mod p, v 2 = g t 2 modp, so that we get the first logical divisions: Then we get the second logical divisions: g IDr ID t 1 g r ID t 2 m IDr ID n r ID = g t 3 g t 4 g r 1 g r 2 m IDr ID n r ID , where r 1 = IDr ID t 1 − t 3 mod q, r 2 = r ID t 2 − t 4 mod q.
(4) PKG makes queries to U in random order: The verification calculation is as follows: If not, PKG outputs "error"; otherwise, PKG randomly chooses R 21 , R 22 ∈ G p 3 , and computes: The private key corresponding to the ID is SK ID = (K 1 , K 2 ).
In the above outsourcing algorithm, the server need not know the relationship between OK ID and ID, and users only need to perform modular exponentiation operations once in the outsourcing process, which greatly reduces the computational cost of PKG, and the server cannot obtain the PKG or the private key of any user.

ANALYSIS OF THE SCHEME
This section analyzes the IBE − VOK scheme, including the indistinguishability of the ciphertext and verifiability of the outsourcing results. Then, we show the computation cost comparison of PKG for generating private keys directly and outsourcing the task to a single server, and an efficiency comparison for different schemes with outsourced key generation. Finally, the simulation of the scheme is implemented.

Security Analysis
When the proposed scheme is under the choice of plaintext attack (CPA), Theorem 1 and Theorem 2 prove the indistinguishability of the ciphertext and verifiability of the outsourcing results, respectively.

Theorem 1: (indistinguishability of ciphertext):
Assuming that the LW − IBE scheme [20] is completely secure under CPA attack, then the IBE − VOK scheme is also completely secure under CPA attack.
Proof: Suppose that an adversary A can distinguish two different plaintexts with a probability of ε under the CPA security model of the IBE − VOK scheme, then the algorithm B can be constructed to distinguish two different plaintexts with the same probability of ε under the CPA security model of the LW − IBE scheme.
Let C represent the challenger who answered B in the LW − IBE scheme, A and B perform the following steps: Setup: C sends PK = {N, g, u, h, e(g, g) α } to B as a public parameter of the LW − IBE scheme, and B returns PK to A as a public parameter of the IBE − VOK scheme.
Phase1: Firstly, B creates an empty outsourced list OL and then performs the following inquiries.
Private key query: A sends identity ID to B, then B sends the ID to C for private key query in the LW − IBE scheme and C generates SK ID = (K 1 , K 2 ), where K 1 = g r ID R 11 , K 2 = g α (u ID h) r ID R 12 , which is returned to B and B returns SK ID to A.
Outsourcing key query: A sends identity ID to B, B searches (ID, OK ID ) in OL and returns OK ID to A if it exists, otherwise randomly selects r ID , a ∈ Z N , and calculates OK ID = (r 1 , r 2 , x 1 , x 2 , A 1 , B 1 , k, m, n), then adds the (ID, OK ID ) to the outsourced list OL and returns OK ID to A.
Challenge: A sends two plaintexts M 0 , M 1 of the same length and an identity ID * to B, where ID * does not perform the outsourcing key query or private key query. Then B sends them to C to complete the challenge phase of the LW − IBE scheme. C randomly chooses β ∈ {0, 1}, then generates ciphertext CT * = (C * 0 , C * 1 , C * 2 ) of M β , and returns CT * to B. At last, B sends CT * to A as the challenge ciphertext.
Phase2: A continues to ask, and B runs the same operation as Phase1. However, ID * can not been executed the outsourcing key query or private key query.
Then we analyze B's success probability. When A runs the outsourcing key query about identity ID, the value of r 1 , r 2 , x 1 , x 2 , A 1 , B 1 , k, m, n can be obtained by ID and OK ID . If A continues to ask ID for private key query and it can obtain SK ID . Therefore, if A can break the IBE − VOK scheme with a probability of ε, then B can also break the LW − IBE scheme with the same probability of ε.
In the above game, B successfully simulates the full security model under the CPA attack of the IBE − VOK scheme. As in [20], the LW − IBE scheme is completely secure under CPA attack, similarly, the IBE − VOK scheme is also completely secure under CPA attack according to theorem 1.Then the verifiability of the IBE − VOK scheme is proved as below. Proof: Assume U is a malicious server, at the end of the algorithm, the PKG verifies the result as below: Since the PKG sends (r 1 , r 2 , x 1 , x 2 , A 1 , B 1 , k, m, n) to the server, and U must return true values of m g i , n l i , g r 1 , g r 2 , m x 1 , n x 2 . Otherwise, the Equations (1) and (2) cannot pass the verification successfully.
Therefore, if U returns the error result, the PKG will surely detect this error with a probability of (2t + 6)/(2t + 8) in the proposed IBE − VOK scheme, (t is the number of random numbers).

Efficiency Comparison
Suppose the system has a total of m users. PKG can precompute g α and store it in the system. The following is a computational comparison of PKG between generating private keys directly and outsourcing the task to a single server, as shown in Table 1.
In Tables 1 and 2, m represents the total number of system users and n is the bit length of N. Note that G and G T are  As we know, using the table-lookup method to invoke the Rand subroutine takes O(1) MM, and using the squareand-multiply method to execute the modular exponentiation operation takes 1.5n MM. In the outsourcing algorithms, we omit other operations such as modular addition.
It can be seen from Table 1, if PKG directly generates the private keys for the users and need to perform 3m + 1 MExp, 4m MM operations and the total computation cost is roughly 4.5mn MM. Then if PKG outsources the task of generating private keys to a single server, it only needs to execute 1 MExp, 2tm + 15m MM and 6m Rand operations for m users, the total computation cost is roughly 1.5n MM. The server U runs 2tm + 8m MExp operations. Therefore, the cost of the PKG is much smaller than that of generating private keys directly.
As shown in Table 2, the proposed scheme is based on a single server compared with [19], and PKG only needs to perform modular exponentiation operations once during the outsourcing process. Moreover, with the increasing number of users in the system, the computation of PKG remains basically unchanged, and the total computation cost is roughly 1.5n MM in this paper. However, in scheme [19], the total computation cost is roughly 1.5mn MM and it is much more expensive than this scheme, so the scheme of this paper has more practical advantages.

Simulation Result
In this section, we provide the experiment evaluation to show the efficiency of the proposed algorithm based on one untrusted server. The PKG and the cloud server are simulated by Intel Core i5 Processor running at 3.2 GHz with 8G memory and Intel Xeon Processor running at 2.2, 2.19 GHz (two processors) with 128G memory, respectively. Note that G and G T are cyclic groups of order N = p 1 p 2 p 3 , where p 1 , p 2 , p 3 are all 512-bit primes. The programing language is Java.
In Figure 2, we give the time cost of PKG for generating private keys directly and outsourcing the task to the server of the IBE scheme respectively. In the figure, the abscissa represents the total number of users in the system and the ordinate represents the total time cost. It is obvious that the time cost for PKG and the server are less than half of generating private keys directly, with the increasing number of users in the system, the total calculation of the server and PKG is also less than generating private keys directly. For example, when the number of system users is 2 11 , the PKG calculation time is about 1100 s and the server is about 1400 s, however, the time cost of direct computation is about 4700 s, obviously, it is far higher than the sum of PKG and the server. Therefore, the algorithm of this paper will become more practical when the number of users is continuously increasing.

CONCLUSION
In this paper, we use combinatorial bilinear groups to propose a verifiable outsourcing algorithm for private key generation based on identity-based encryption. The scheme greatly reduces the time cost of PKG, and the server cannot obtain PKG or the private keys of any user during the outsourcing process. PKG outsources the tasks to a single server, and it can improve security and verify the correctness of outsourced results. Finally, the experimental results show that the total calculation of the server and PKG is far less than generating private keys directly.