An Efficient Revocable Identity-Based Encryption with Equality Test Scheme for the Wireless Body Area Network

With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. Therefore, these data must be encrypted before uploading to the cloud to ensure confidentiality. To achieve the confidentiality of data and enjoy cloud services, the notion of identity-based encryption with equality test (IBEET) was proposed. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. The equality test can be applied to the wireless body area network system, in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether a patient's status is abnormal. Indeed, revoking illegal or expired users in any cryptosystem is an important issue. To the best of our knowledge, there is little research on the design of user revocation mechanisms in IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. Based on this notion, we present the first RIBEET scheme. Meanwhile, the proposed scheme is proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.


Introduction
With the rapid development and popularization of cloud computing, people are willing to upload their own data to the cloud to enjoy the services. However, some personal and private data are not suitable for uploading directly to the cloud. To ensure the confidentiality of data, several encryption mechanisms [1][2][3][4] have been applied to cloud computing. Identity-based encryption (IBE) [5] is one of the encryption mechanisms of public key systems. The system of an IBE contains two roles: the private key generator (PKG) and users (including senders and receivers). Each user utilizes his own identity (e.g., e-mail address, name, or social security number) to register with the PKG to obtain a private key. Senders can regard the identity of the receiver as a public key to encrypt private data. After receiving the encrypted message (ciphertext), the receiver can decrypt it with her/his own private key.
To achieve the confidentiality of data and enjoy cloud services, the first identity-based encryption with equality test (IBEET) was proposed by Ma [6]. Using IBEET, two ciphertexts encrypted under different public keys can be tested to confirm whether they contain the same plaintext. Ma [6] also gave an application of IBEET used to classify encrypted e-mails. Each encrypted e-mail can be attached with a tag for classification, while the tag can be encrypted under different public keys in the IBEET system. An e-mail server in the cloud can test the equality of any two encrypted tags to classify encrypted e-mails. Subsequently, many studies on IBEET have been published in the literature [7][8][9][10][11].
The equality test can be applied to the wireless body area network (WBAN) system [12][13][14][15][16][17] in which the cloud can utilize ciphertexts from patients and medical institutions to perform equality tests to determine whether the patient's status is abnormal. Figure 1 shows the architecture of WBANs. A patient is equipped with wearable sensors to collect her/his health record data from sensors of electroencephalogram (EEG), electrocardiogram (ECG), blood pressure, pulse oximeter, insulin pump, electromyogram (EMG), and motion. These health record data are encrypted through the mobile device and uploaded to the cloud server. On the other hand, the medical institution also uploads the patient's encrypted health data to the cloud server. The ciphertexts can be tested for equality without knowing the health data of the patient by the cloud server. If the patient's health data are different from the medical institution's health data, it means that the patient's health data are abnormal.
Indeed, revoking illegal or expired users in any cryptosystem is an important issue. In the traditional public key cryptosystem (PKC), a public key infrastructure (PKI) must be established to manage each user's certificate, which links the user's identity and public key. In addition, the certificate revocation list [18] is included in the PKI to revoke illegal or expired users. In identity-based public key cryptosystems (ID-PKC), the first IBE was presented by Boneh and Franklin [5], in which the PKG sends new private keys to all nonrevoked users at each period, so a user is revoked if she/he does not receive the new private key. So far, many studies on revocable IBE [19][20][21][22][23][24][25][26] have been published. To the best of our knowledge, there is little research on the design of user revocation mechanisms in IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. Based on this notion, we present the first RIBEET scheme. Meanwhile, the scheme will be proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.

Related Work.
In the era of advanced network communication, cloud computing is an indispensable part. The terminal devices on the user side usually do not have high-performance computing power. However, users can entrust large computing tasks to the cloud. Then, the cloud will return the corresponding results to users after finishing the tasks. Indeed, the cloud can assist each user in performing tasks that require a lot of computation, but it also means that the cloud can know each user's data if the data are not encrypted. Typically, users will encrypt data before sending them to the cloud if the data are sensitive or private. In addition, encrypted data also need to be quickly retrieved from the cloud. To achieve this function, several schemes [3,4,27,28] related to public key encryption with keyword search were proposed. Although these schemes can retrieve encrypted data, only data encrypted under the same public key can be retrieved.
To support searchable encrypted data under different public keys, Yang et al. [29] proposed a comparison mechanism for two ciphertexts encrypted under different public keys in the traditional public key cryptosystem, called public key encryption with equality test (PKEET). However, the traditional public key cryptosystem must rely on the public key infrastructure to manage each user's certificate, which links the user's identity and her/his public key. To avoid the use of public key infrastructure and certificates, Shamir [30] introduced a new concept of ID-PKC in which a user's public key is her/his identity such as name, e-mail, or telephone number. In this way, certificates are no longer needed in the ID-PKC since the public key is meaningful and can represent the user's identity. Combining the concepts of PKEET and ID-PKC, Ma [6] proposed the first identity-based encryption with equality test, called IBEET. To consider more types of authorizations, Li et al. [31] proposed an IBEET scheme with four types of authorizations. Unfortunately, the proposed scheme of Li et al. [31] is not suitable for the IoT environment because the performance of the scheme is not good. Soon afterwards, Elhabob et al. [10] proposed another IBEET scheme with four types of authorizations which has higher performance.
For the issue of user revocation in the ID-PKC, Boneh and Franklin [5] suggested that new private keys should be resent to users who have not been revoked at different periods. As a result, secure channels must be established to send these private keys, and the PKG's workload also increases. To reduce the PKG's workload, Boldyreva et al. [19] used a binary tree to propose an IBE scheme with user revocation, named revocable IBE (RIBE). However, Boldyreva et al.'s scheme [19] only satisfied selective-ID security. Later, Libert and Vergnaud [20] proposed another RIBE scheme which meets adaptive-ID security. A mechanism for revoking users through public channels was proposed by Tseng and Tsai [21], in which each user's full private key is divided into two parts: a fixed key and a time updated key. The fixed key is delivered to the user through secure channels only once, while the time updated key is delivered to the user through public channels at different periods. Users are revoked if they do not receive the new time updated keys. To address decryption key exposure, Seo and Emura [22] proposed a new RIBE scheme to enhance the security. To reduce the length of public parameters and provide decryption key exposure resistance, Watanabe et al. [23] presented another RIBE scheme. In addition, several lattice-based RIBE schemes [24][25][26] were proposed to resist quantum attacks.
1.2. Motivation. As mentioned earlier, revoking illegal or expired users in any cryptosystem is still an important issue. In the traditional PKC, the PKEET [29] can use the certificate revocation list [18] to revoke illegal or expired users. However, the IBE [5] cannot effectively revoke illegal or expired users in the ID-PKC, so the RIBE [21] was proposed. To the best of our knowledge, there is little research on the design of user revocation mechanisms in the IBEET [6]. Table 1 shows the comparisons between the PKEET [29], the IBE [5], the RIBE [21], the IBEET [6], and our RIBEET in terms of public key setting, avoiding the use of certificates, supporting the equality test of ciphertexts, and providing user revocation. Hence, we attempt to propose the first revocable identity-based encryption with equality test, called RIBEET.

Contribution and Organization.
Although the existing RIBE schemes [21][22][23][24][25][26] provide a mechanism to revoke users, they do not extend to support the equality test for ciphertexts. On the other hand, the existing IBEET schemes [6,10,31] do not support user revocation. To the best of our knowledge, there is little research on the design of user revocation mechanisms in the IBEET. In this paper, we propose a novel notion of revocable identity-based encryption with equality test, called RIBEET. In the following, we list specific contributions.
(i) Based on the existing syntax and security notions of IBEET, we consider the property of user revocation to define a new syntax and security notions of RIBEET.
(ii) Following the syntax of RIBEET, a concrete RIBEET scheme is proposed.
(iii) In the security notions of RIBEET, the proposed scheme is proven to be secure under the bilinear Diffie-Hellman (BDH) assumption.
(iv) We compare the proposed scheme with the previous RIBE scheme and IBEET scheme. We demonstrate that the proposed scheme not only provides user revocation but also supports the equality test for ciphertexts.
The rest of the article includes six sections. Preliminaries are given in Section 2. Section 3 presents the syntax and security notions of RIBEET. A concrete RIBEET scheme is proposed in Section 4. The security analysis of the RIBEET scheme is shown in Section 5. We compare the RIBEET scheme with other existing schemes in Section 6. The last section gives the conclusion.

Preliminaries
In this section, we introduce two definitions related to a mathematical tool and a security assumption. We use bilinear pairings [5] as a mathematical tool to construct our RIBEET scheme. To prove the security of the proposed scheme, we consider the bilinear Diffie-Hellman (BDH) problem and then give a BDH assumption [6]. The definition of the bilinear pairings is given as follows.
Definition 1. Let $G_1$, $G_2$, and $G_T$ be three multiplicative cyclic groups of a prime order $q$. Assume that a mapping $\hat{e} : G_1 \times G_2 \to G_T$ is an asymmetric bilinear map. Then, the map $\hat{e}$ satisfies the following properties.

Syntax and Security Notions
3.1. Syntax of RIBEET. Based on the syntax of IBEET schemes [6], we employ the revocation technique [21] to present a new syntax of RIBEET depicted in Figure 2 which consists of three roles and seven algorithms, namely Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. The first role is the private key generator (PKG) who is responsible for executing the first three algorithms, and the second role is the users who can, respectively, utilize Encryption, Decryption, and Trapdoor algorithms for encryption, decryption, and authorization. The last role is the cloud server (CS) who runs the Test algorithm to compare the two ciphertexts. For the user revocation, we use Figure 3 to illustrate how users are revoked by the PKG. If the PKG stops sending the time key to a user, it means that the user has been revoked since both initial key and time key are required to execute Decryption and Trapdoor algorithms. Here, we arrange some notations used in these algorithms in Table 2. The algorithms of RIBEET are described in detail as follows.
(i) Setup: this algorithm is performed by the PKG who takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk
(ii) InitialKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, and a user's identity $ID \in \{0,1\}^*$ as input to produce user initial key $IK_{ID}$
(iii) TimeKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, a user's identity $ID \in \{0,1\}^*$, and a period $T \in SLT$ as input to produce user time key $TK_{ID}$
(iv) Encryption: this algorithm is performed by a user (sender) who takes the public system parameter PSP, a user's identity $ID \in \{0,1\}^*$, a period $T \in SLT$, and a message $M \in \{0,1\}^{\lambda}$ as input to produce a ciphertext CT
(v) Decryption: this algorithm is performed by a user (receiver) who takes the public system parameter PSP, the receiver's initial key $IK_{ID}$, the receiver's time key $TK_{ID}$, and the ciphertext CT as input to produce the message M
(vi) Trapdoor: this algorithm is performed by a user who takes her/his initial key $IK_{ID}$ and time key $TK_{ID}$ as input to produce the trapdoor $TD_{ID}$
(vii) Test: this algorithm is performed by the CS who takes the public system parameters PSP and two ciphertext-trapdoor pairs $(CT_{\zeta}, TD_{\zeta})$ and $(CT_{\eta}, TD_{\eta})$ from any two users $U_{\zeta}$ and $U_{\eta}$ as input to produce 1 or 0

Security Notions of RIBEET.
In this section, we define the security notions of RIBEET which includes four types of adversaries. Two of these types are the same as the security notions of IBEET [6]. Considering the revoked users from RIBEET, we need to add two types of adversaries in the security notions. These four types of adversaries are presented as follows.
(1) Type I adversary: such an adversary can obtain all information (including time key $TK_{ID}$) transmitted through public channels. The adversary can be regarded as an outside attacker
(2) Type II adversary: such an adversary owns her/his initial key $IK_{ID}$, but she/he does not have the current time key $TK_{ID}$. The adversary can be regarded as a revoked user
(3) Type III adversary: this adversary is identical to the type I adversary, except that she/he possesses the trapdoor TD
(4) Type IV adversary: this adversary is identical to the type II adversary, except that she/he possesses the trapdoor TD
Following the security notions of IBEET [6], we consider revoked users to define the new security notions of RIBEET. Definitions 3 and 4, respectively, are given to state IND-ID-CCA and OW-ID-CCA security of an RIBEET scheme.
Definition 3 (IND-ID-CCA). Let A be a type I or type II adversary for an RIBEET scheme and B be a challenger in the following game. The scheme is IND-ID-CCA secure if the advantage that A wins the game is negligible.
(1) Setup. The challenger B takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk. The public system parameters PSP and the system life time SLT are sent to the adversary A
Definition 4 (OW-ID-CCA). Let A be a type III or type IV adversary for an RIBEET scheme and B be a challenger in the following game. The scheme is OW-ID-CCA secure if the advantage that A wins the game is negligible.
(1) Setup. The challenger B takes a security parameter k and a time period t as input to produce the public system parameters PSP, the system life time SLT, and the master private key mpk. The public system parameters PSP and the system life time SLT are sent to the adversary A

Concrete RIBEET Scheme
A revocable identity-based encryption with equality test scheme, which we denote by RIBEET, consists of algorithms Setup, InitialKey, TimeKey, Encryption, Decryption, Trapdoor, and Test. Each of the algorithms is described as follows.
(1) Setup: this algorithm is performed by the PKG who takes a security parameter k and a time period t as input to produce an asymmetric bilinear map $\hat{e} : G_1 \times G_2 \to G_T$ and a system life time SLT = $\{T_0, T_1, \cdots, T_t\}$, where $G_1$, $G_2$, and $G_T$ are multiplicative cyclic groups of prime order $q$. The PKG first chooses two arbitrary generators $g_1 \in G_1$ and $g_2 \in G_2$ and picks eight cryptographic one-way hash functions $H_1 : \{0,1\}^* \to G_2$, … The public system parameters are PSP = $\{q, G_1, G_2, G_T, \hat{e}, g_1, g_2, P_{pub}, H_1, H_2, H_3, H_4, H_5, H_6, H_7, H_8\}$, the system life time is SLT = $\{T_0, T_1, \cdots, T_t\}$, and the master private key is mpk = $s$
(2) InitialKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, and a user's identity $ID \in \{0,1\}^*$ as input to produce user initial key $IK_{ID}$. Here, the procedure of this algorithm is depicted in Figure 4.
(3) TimeKey: this algorithm is performed by the PKG who takes the public system parameter PSP, the master private key mpk, a user's identity $ID \in \{0,1\}^*$, and a period $T \in SLT$ as input to produce user time key $TK_{ID}$. Here, the procedure of this algorithm is depicted in Figure 5.
(4) Encryption: this algorithm is performed by a sender who takes the public system parameter PSP, a user's identity $ID \in \{0,1\}^*$, a period $T \in SLT$, and a message $M \in \{0,1\}^{\lambda}$ as input to produce ciphertexts $CT = (CT_1, CT_2, CT_3, CT_4)$ which are shown as follows
The correctness of obtaining $M' \| V'$ can be demonstrated as follows.
(6) Trapdoor: this algorithm is performed by a user who takes her/his initial key $IK_{ID} = (IK_{ID1}, IK_{ID2})$ and time key $TK_{ID} = (TK_{ID1}, TK_{ID2})$ as input to produce the trapdoor $TD_{ID} = IK_{ID2} \cdot TK_{ID2} = H_2(ID)^s \cdot H_4(ID, T)^s$
(7) Test: this algorithm is performed by the CS who takes the public system parameters PSP and two ciphertext-trapdoor pairs $(CT_{\zeta}, TD_{\zeta})$ and $(CT_{\eta}, TD_{\eta})$, where $CT_{\zeta} = (CT_{\zeta 1}, CT_{\zeta 2}, CT_{\zeta 3}, CT_{\zeta 4})$ and $CT_{\eta} = (CT_{\eta 1}, CT_{\eta 2}, CT_{\eta 3}, CT_{\eta 4})$, from any two users $U_{\zeta}$ and $U_{\eta}$ as input to produce 1 or 0 according to the following steps
(a) Compute $R_{\zeta}$ and $R_{\eta}$ as follows:
In the following, we present the details of
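The key structure of Sections 3.1 and 4 and its effect on revocation can be exercised with a toy model. This is an added example, not the authors' implementation: group elements are stored as their discrete logs (arithmetic only, no security), and the definition of N, the unmasking step R and the final pairing comparison do not survive on this page and are assumptions, as are the constructed identities, periods and readings.

```python
"""Toy model of RIBEET key issuance, trapdoor, equality test and revocation.

Every group element is stored as its discrete log modulo the prime ORDER, so
multiplying elements is adding exponents, exponentiation is multiplying them,
and the pairing e(g1^a, g2^b) = gT^(ab) is a product. This exposes all
secrets: it checks the algebra only and provides no security.
"""
import hashlib
import secrets

ORDER = 2**127 - 1  # constructed toy group order q (a Mersenne prime)


def H(tag, *parts):
    """Random-oracle stand-in for H1..H8: maps input to an exponent in [1, q-1]."""
    data = "|".join([tag, *map(str, parts)]).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (ORDER - 1) + 1


def pair(a, b):
    """Bilinear map in the exponent model."""
    return a * b % ORDER


class PKG:
    def __init__(self):
        self.s = secrets.randbelow(ORDER - 1) + 1  # master private key mpk = s
        self.p_pub = self.s                        # P_pub = g1^s (g1 has exponent 1)
        self.revoked = set()

    def initial_key(self, ident):
        # IK_ID = (H1(ID)^s, H2(ID)^s), delivered once over a secure channel
        return (H("H1", ident) * self.s % ORDER, H("H2", ident) * self.s % ORDER)

    def time_key(self, ident, period):
        # TK_ID = (H3(ID,T)^s, H4(ID,T)^s); withheld from revoked users
        if ident in self.revoked:
            return None
        return (H("H3", ident, period) * self.s % ORDER,
                H("H4", ident, period) * self.s % ORDER)


def trapdoor(ik, tk):
    # TD_ID = IK_ID2 * TK_ID2 = H2(ID)^s * H4(ID,T)^s
    return (ik[1] + tk[1]) % ORDER


def encrypt(p_pub, ident, period, message):
    """Builds only the components the equality test uses: CT1, CT2, CT4."""
    v = secrets.token_hex(16)
    gamma = H("H7", message, v)                  # gamma = H7(M, V)
    r = secrets.randbelow(ORDER - 1) + 1
    # ASSUMPTION: N = e(P_pub, H2(ID) * H4(ID,T))^r, with CT2 = g1^r
    n = pair(p_pub, (H("H2", ident) + H("H4", ident, period)) % ORDER) * r % ORDER
    ct4 = (H("H6", message) * gamma + H("H8", n)) % ORDER  # CT4 = Q^gamma * S
    return {"ct1": gamma, "ct2": r, "ct4": ct4}             # CT1 = g1^gamma


def unmask(ct, td):
    # ASSUMPTION: R = CT4 / H8(e(CT2, TD)), which equals H6(M)^gamma
    return (ct["ct4"] - H("H8", pair(ct["ct2"], td))) % ORDER


def equality_test(ct_a, td_a, ct_b, td_b):
    # ASSUMPTION: output 1 iff e(CT_a1, R_b) == e(CT_b1, R_a)
    r_a, r_b = unmask(ct_a, td_a), unmask(ct_b, td_b)
    return int(pair(ct_a["ct1"], r_b) == pair(ct_b["ct1"], r_a))


def demo():
    pkg = PKG()
    ik = {u: pkg.initial_key(u) for u in ("patient", "clinic")}
    td_t0 = {u: trapdoor(ik[u], pkg.time_key(u, "T0")) for u in ik}

    def compare(period, m_patient, m_clinic, td_patient, td_clinic):
        return equality_test(
            encrypt(pkg.p_pub, "patient", period, m_patient), td_patient,
            encrypt(pkg.p_pub, "clinic", period, m_clinic), td_clinic)

    equal = compare("T0", "HR=72", "HR=72", td_t0["patient"], td_t0["clinic"])
    differ = compare("T0", "HR=140", "HR=72", td_t0["patient"], td_t0["clinic"])

    pkg.revoked.add("patient")                   # PKG stops issuing time keys
    withheld = pkg.time_key("patient", "T1") is None
    td_clinic_t1 = trapdoor(ik["clinic"], pkg.time_key("clinic", "T1"))
    # The revoked user can only offer the stale T0 trapdoor for period T1.
    stale = compare("T1", "HR=72", "HR=72", td_t0["patient"], td_clinic_t1)
    return equal, differ, withheld, stale


if __name__ == "__main__":
    print(demo())
```

Because the mask on CT4 depends on H4(ID, T), a trapdoor assembled from an old time key no longer removes it, so the revoked user's ciphertexts for the new period stop matching even when the plaintexts are equal.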

Security Analysis
In this section, we give four theorems to show that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries.
Theorem 5. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that $A_1$ is a PPT type 1 adversary who has at least $\varepsilon$ advantage to break the RIBEET scheme. Then, there exists an algorithm B to solve the BDH problem with the advantage where $q_{H_5}$, $q_{H_8}$, $q_{IK}$, $q_T$, $q_D$, and $e$, respectively, are the number of queries to random oracle $H_5$, random oracle $H_8$, Initialkey query, Trapdoor query, Decryption query, and Euler's number.
Proof. An algorithm B is constructed to solve the BDH problem. The algorithm B is given a BDH tuple $\langle q, G_1, G_2, G_T, \hat{e}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b \rangle$ which is defined in Section 2. The algorithm B can be seen as a challenger to find the answer of the BDH problem. The answer $A = \hat{e}(g_1, g_2)^{abc}$ can be found by interacting with the PPT type I adversary $A_1$ in the following security game.
(1) Setup: the challenger B utilizes the BDH tuple to set $P_{pub} = g_1^a$ and then generates the public system parameters PSP, where $H_i$ is a random oracle for $i = 1, 2, \cdots, 8$. In addition, the system life time SLT = $\{T_0, T_1, \cdots, T_t\}$ can be generated by the challenger B. Then, B gives $A_1$ the public system parameters PSP and system life time SLT. Here, the adversary $A_1$ can issue queries to each random oracle as follows
(a) $H_1$ query(ID): $A_1$ can utilize ID to obtain a response to the random oracle $H_1$ from the challenger B. To obtain the response, B maintains a list, called $ListH_1$, which is composed of tuples, and the format of the tuple is $\langle ID, U_{ID}, u, rb \rangle$. The response is acquired from the $ListH_1$, which is initially empty and can be updated by the following steps
(i) B returns $U_{ID}$ as the response if ID exists in a tuple $\langle ID, U_{ID}, u, rb \rangle$ from the $ListH_1$
(ii) Otherwise, B picks a random value $u \in Z_q^*$ and a random bit $rb \in \{0,1\}$ to compute where $\Pr[rb = 0] = \delta$ and $\Pr[rb = 1] = 1 - \delta$ (which will be
which is composed of tuples, and the format of the tuple is $\langle ID, V_{ID}, v, rb \rangle$. The response is acquired from the $ListH_2$, which is initially empty and can be updated by the following steps:
(a) B returns $V_{ID}$ as the response if ID exists in a tuple $\langle ID, V_{ID}, v, rb \rangle$ from the $ListH_2$
(b) Otherwise, B picks a random value $v \in Z_q^*$ and utilizes ID to find rb in the $ListH_2$. Then, B computes
(ii) Otherwise, B picks a random value $\zeta \in Z_q^*$ to compute $V_{IDT} = g_2^{\zeta}$. Then, B adds the tuple $\langle ID, T, V_{IDT}, \zeta \rangle$ to the $ListH_4$ and returns $V_{IDT}$ to $A_1$
(e) $H_5$ query$(W, CT_1, CT_2)$: $A_1$ can utilize $(W, CT_1, CT_2)$ to obtain a response to the random oracle $H_5$ from the challenger B. To obtain the response, B maintains a list, called $ListH_5$, which is composed of tuples, and the format of the tuple is $\langle W, CT_1, CT_2, \omega \rangle$. The response is acquired from the $ListH_5$, which is initially empty and can be updated by the following steps
and $\omega$.
Further, B utilizes $M'$ and $V'$ to find the corresponding tuples $\langle M, V, \gamma \rangle$ from the $ListH_7$ and $\langle M, Q \rangle$ from the $ListH_6$. Obviously, $\gamma$ and $Q$ can be obtained. If $S$ can be found in the corresponding tuple $\langle N, S \rangle$ from the $ListH_8$ such that $CT_4 = Q^{\gamma} \cdot S$ holds, B will confirm whether $CT_1 = g_1^{\gamma}$ holds. If $CT_1 = g_1^{\gamma}$, the message $M'$ is sent to $A_1$
(d) Trapdoor query(ID, T): $A_1$ utilizes (ID, T) to issue the query, while B, respectively, uses ID and (ID, T) to run InitialKey query and Timekey query to obtain $IK_{ID} = (IK_{ID1}, IK_{ID2})$ and $TK_{ID} = (TK_{ID1}, TK_{ID2})$. Then, B utilizes $IK_{ID2}$ and $TK_{ID2}$ to produce the trapdoor $TD_{ID} = IK_{ID2} \cdot TK_{ID2}$ which is sent to $A_1$
(3) Challenge: when phase 1 is over, $A_1$ outputs a tuple $\langle ID^*, T^*, M_0^*, M_1^* \rangle$ as the target of the challenge. B utilizes $ID^*$ to find the corresponding tuple $\langle ID, U_{ID}, u, rb \rangle$ from the $ListH_1$. If rb = 0, B interrupts this game. If rb = 1, B randomly selects $b \in \{0,1\}$ and $V \in \{0,1\}^{l}$ to run $H_7$ query with $M_b^*$ and $V$. Then, $\gamma$ can be obtained. B utilizes $\gamma$ to set $CT_1^* = g_1^{\gamma}$. In addition, B sets $CT_2^* = g_1^c$, while a random value $CT_3 \in \{0,1\}^{\lambda + l}$ and a random point $CT_4^* \in G_2$ are chosen. Finally, the challenge ciphertext $CT^* = (CT_1^*, CT_2^*, CT_3^*, CT_4^*)$ is sent to $A_1$
(4) Phase 2: $A_1$ can issue the same queries as in phase 1, but under the condition that $ID \neq ID^*$ and $CT \neq CT^*$
(5) Guess: $A_1$ responds to B with a guess $b' \in \{0,1\}$. If $b' \neq b$, B responds with failure and terminates. Otherwise, $A_1$ wins the game. Then, B randomly selects a tuple $\langle W^*, CT_1^*, CT_2^*, \omega^* \rangle$ from the $ListH_5$ and calculates
Analysis. Let us start with two cases, namely, the simulation of $H_i$ query for $i = 1, 2, \cdots, 8$ and the simulation of decryption query.
Moreover, we obtain
Since $\Pr[\neg E_{Abort}] = \delta^{q_{IK} + q_T}(1 - \delta)$, we can gain $\Pr[\neg E_{Abort}] \geq 1/(e(q_{IK} + q_T + 1))$ when $\delta = 1 - (1/(q_{IK} + q_T + 1))$. Then, we have
Here, the adversary $A_1$ can distinguish that the target ciphertext $CT^*$ is the real one when $E^*_{H_5}$ occurs. In addition, the tuple $\langle \hat{e}(g_1, g_2)^{abcu^*} \cdot \hat{e}(g_1^{ac}, g_2)^{\eta^*}, CT_1^*, CT_2^* \rangle$ has been added in the $ListH_5$. If the challenger B picks the correct tuple from the $ListH_5$, B wins this security game. Meanwhile, the advantage of solving the BDH problem is
Theorem 6. If the BDH assumption holds, the proposed RIBEET scheme satisfies the IND-ID-CCA security in the security game. More precisely, suppose that $A_2$ is a PPT type 2 adversary who has at least $\varepsilon$ advantage to break the RIBEET scheme. Then, there exists an algorithm B to solve the BDH problem with the advantage where $q_{H_5}$, $q_{H_8}$, $q_{TK}$, $q_T$, $q_D$, and $e$, respectively, are the number of queries to random oracle $H_5$, random oracle $H_8$, Timekey query, Trapdoor query, Decryption query, and Euler's number.
Proof. An algorithm B is constructed to solve the BDH problem. The algorithm B is given a BDH tuple $\langle q, G_1, G_2, G_T, \hat{e}, g_1, g_1^a, g_1^c, g_2, g_2^a, g_2^b \rangle$ which is defined in Section 2. The algorithm B can be seen as a challenger to find the answer of the BDH problem. The answer $A = \hat{e}(g_1, g_2)^{abc}$ can be found by interacting with the PPT type II adversary $A_2$ in the following security game.
(1) Setup: the challenger B utilizes the BDH tuple to set $P_{pub} = g_1^a$ and then generates the public system parameters PSP = $\{q, G_1, G_2, G_T, \hat{e}, g_1, g_2, P_{pub}, H_1, H_2, H_3, H_4, H_5, H_6, H_7, H_8\}$, where $H_i$ is a random oracle for $i = 1, 2, \cdots, 8$. In addition, the system life time SLT = $\{T_0, T_1, \cdots, T_t\}$ can be generated by the challenger B. Then, B gives $A_2$ the public system parameters PSP and system life time SLT. Here, the adversary $A_2$ can issue queries to each random oracle as follows
(a) $H_1$ query(ID): $A_2$ can utilize ID to obtain a response to the random oracle $H_1$ from the challenger B. To obtain the response, B maintains a list, called $ListH_1$, which is composed of tuples, and the format of the tuple is $\langle ID, U_{ID}, u \rangle$. The response is acquired from the $ListH_1$, which is initially empty and can be updated by the following steps
(i) B returns $U_{ID}$ as the response if ID exists in a tuple $\langle ID, U_{ID}, u \rangle$ from the $ListH_1$
(ii) Otherwise, B picks a random value $u \in Z_q^*$ to compute $U_{ID} = g_2^u$. Then, B adds the tuple $\langle ID, U_{ID}, u \rangle$ to the $ListH_1$ and returns $U_{ID}$ to $A_2$
selects a tuple $\langle W^*, CT_1^*, CT_2^*, \omega^* \rangle$ from the $ListH_5$, and outputs the BDH solution $A = (W^*/\hat{e}(g^{ac}$
The security analysis is similar to Theorem 5. We obtain that B's advantage to solve the BDH problem is $\varepsilon' \geq (1/q_{H_5}) \Pr[E^*_{H_5}] \geq (1/q_{H_5})\left[(\varepsilon - (1/2^{\lambda}))/(e(q_{TK} + 1)) - (q_D/q)\right]$.
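The choice of $\delta$ in the analysis of Theorem 5 can be checked directly. The derivation below is added here and is not part of the original proof; it writes $n = q_{IK} + q_T$ and assumes $n \geq 1$.

\[
f(\delta) = \delta^{n}(1 - \delta), \qquad f'(\delta) = \delta^{n-1}\bigl(n - (n+1)\delta\bigr) = 0 \;\Longrightarrow\; \delta = \frac{n}{n+1} = 1 - \frac{1}{n+1},
\]
\[
f\!\left(\frac{n}{n+1}\right) = \left(\frac{n}{n+1}\right)^{n} \frac{1}{n+1} = \frac{1}{\left(1 + \frac{1}{n}\right)^{n}(n+1)} \;\geq\; \frac{1}{e\,(n+1)},
\]

because $(1 + 1/n)^{n} < e$ for every $n \geq 1$. With $n = q_{IK} + q_T$ this is the bound $\Pr[\neg E_{Abort}] \geq 1/(e(q_{IK} + q_T + 1))$ used for Theorem 5, and the same computation with $n = q_{TK}$ gives the factor $1/(e(q_{TK} + 1))$ that appears in the bound of Theorem 6.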

Theorem 9.
The proposed RIBEET scheme is secure against brute force attacks if the discrete logarithm problem is hard.
Proof. As mentioned in the concrete RIBEET scheme, the public system parameters are PSP = $\{q, G_1, G_2, G_T, \hat{e}, g_1, g_2, P_{pub}, H_1, H_2, H_3, H_4, H_5, H_6, H_7, H_8\}$, the system life time is SLT = $\{T_0, T_1, \cdots, T_t\}$, and the master private key is mpk = $s$. Based on the discrete logarithm problem, we ensure that the adversary cannot recover the master private key mpk = $s$ from $P_{pub} = g_1^s$. In addition, the security of the user initial key $IK_{ID}$ and user time key $TK_{ID}$ is also based on the discrete logarithm problem due to $IK_{ID} = (IK_{ID1}, IK_{ID2}) = (H_1(ID)^{mpk}, H_2(ID)^{mpk}) = (H_1(ID)^s, H_2(ID)^s)$ and $TK_{ID} = (TK_{ID1}, TK_{ID2}) = (H_3(ID, T)^{mpk}, H_4(ID, T)^{mpk}) = (H_3(ID, T)^s, H_4(ID, T)^s)$. Hence, the proposed RIBEET scheme can resist brute force attacks.

Comparison
In this section, we compare the proposed RIBEET scheme with the previous RIBE scheme [21] and IBEET scheme [6]. In order to analyze the cost of performing encryption, decryption and equality test, we first define two notations as follows.
(1) Pair: time to perform a bilinear pairing $\hat{e} : G_1 \times G_2 \to G_T$
(2) Exp: time to perform an exponentiation in $G_1$, $G_2$, or $G_T$
We take Pair = 7.8351 ms and Exp = 0.4746 ms from the literature [32]. These two execution times were obtained on a hardware device with an Intel Core i7-8550U 1.80 GHz processor. Meanwhile, the prime number $q$ selected in the cryptosystem setting phase is 256-bit. In addition, three multiplicative cyclic groups $G_1$, $G_2$, and $G_T$ of the prime order $q$ are chosen in the simulation.
In Table 3, we list the comparisons of our proposed RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6,10,11] in terms of the cost of performing encryption, decryption and equality test, and two properties related to user revocation and equality test of ciphertexts. For the cost of performing encryption and decryption, Tseng and Tsai's RIBE scheme [21] has better performance than the other two schemes. However, Tseng and Tsai's RIBE scheme does not support equality test of ciphertexts. Although the existing IBEET schemes [6,10,11] and our proposed RIBEET scheme support equality test of ciphertexts, the IBEET schemes do not have a mechanism to revoke users. Conversely, our proposed RIBEET scheme not only provides user revocation, but also retains the cost of encryption, decryption and equality test with the existing IBEET schemes. Additionally, Table 4 compares our RIBEET scheme with the RIBE scheme [21] and several IBEET schemes [6,10,11] in terms of $|PK|$, $|CT|$, and $|TD|$, which, respectively, denote the bit length of the user public key, ciphertext, and trapdoor. We observed that the communication cost of our RIBEET scheme is similar to that of other schemes.
As mentioned in Section 1, the data collected from sensors on the patients is finally encrypted by the mobile device and then transmitted to the cloud. For the analysis of energy cost, we employ the "ampere" app to measure the voltage and current on the mobile device. After running this app, we obtain 14.28 V and 2856 mA on the mobile device. Table 5 lists the energy cost of performing encryption on the mobile device by using the formula W = U · I · t, where W, U, I, and t, respectively, are watt, voltage, current, and time.

Conclusions
We considered the existing syntax of IBEET and the property of user revocation to present the new syntax of RIBEET. Under the new syntax, we proposed a concrete RIBEET scheme. Meanwhile, we demonstrated that the proposed scheme has the IND-ID-CCA security for type I and II adversaries and the OW-ID-CCA security for type III and IV adversaries. We compared the proposed scheme with the previous RIBE scheme and IBEET scheme. We showed that the proposed scheme not only supports equality test for ciphertexts but also provides user revocation.

Data Availability
The data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare no conflicts of interest.