Certificateless Public Key Encryption Scheme with Hybrid Problems and Its Application to Internet of Things

Certificateless cryptography aims at combining the advantages of public key cryptography and identity based cryptography to avoid the certificate management and the key escrow problem. In this paper, we present a novel certificateless public key encryption scheme on the elliptic curve over the ring, whose security is based on the hardness assumption of Bilinear Diffie-Hellman problem and factoring the large number as in an RSA protocol. Moreover, since our scheme requires only one pairing operation in decryption, it is significantly more efficient than other related schemes. In addition, based on our encryption system, we also propose a protocol to protect the confidentiality and integrity of information in the scenario of Internet of Things with constrained resource nodes.


Introduction
In a traditional public key cryptography (PKC) scheme, public key certificates signed by a certificate authority (CA) are employed to ensure the authenticity of public keys. Thus, the PKC takes a huge effort to manage the certificates, including revocation, storage, distribution, and verification, which places a computational burden on the whole system. To simplify the complex certificate management process, Shamir proposed the concept of identity-based public key cryptography (ID-PKC) [1], where an entity is allowed to use his identity such as email and IP address as his public key. However, the private keys of users are totally generated by a trusted third party named private key generator (PKG), which enables the PKG to impersonate any user to recover his/her confidential messages.
In order to resolve the inherent key escrow problem while preserving the advantage of ID-PKC, Al-Riyami and Paterson [2] introduced a new paradigm called certificateless public key cryptography (CL-PKC), which does not require the management of certificates and resolves the key escrow problem. Specifically, in CL-PKC, there also exists a trusted third party called key generation center (KGC) which supplies a partial private key for the entity. Then, the entity takes advantage of this partial private key and a secret value picked by itself to generate the full private key. According to this method, KGC cannot obtain the user's private key to decrypt his/her ciphertext anymore, and it avoids the escrow problem in ID-PKC. Therefore, CL-PKC is considered as lying in between PKC and ID-PKC. However, it should be emphasized that so far certificateless public key encryption (CL-PKE) schemes have been constructed within the framework of identity-based encryption (IBE) schemes from Weil pairing proposed by Boneh and Franklin [3]. As a result, the CL-PKE schemes in the literature are always based on the bilinear pairings.
Recently, the pairings, such as Weil pairing and Tate pairing, have been of essential use in CL-PKE, because of the excellent properties of bilinearity and nondegeneracy [4][5][6][7]. The central idea is the construction of a mapping between two useful cryptographic groups that allows for new cryptographic schemes based on the reduction of a problem in one group to a different, usually easier, problem in the other group. Therefore, the construction based on the bilinear pairing is more concise than the existing methods of cryptographic scheme constructions and it has the merits of security. In Cheng and Comley's scheme [4], they constructed a more efficient scheme and then extended it to an authenticated encryption. Shi and Li [5] proposed a CL-PKE scheme which was based on the Weil pairing. That scheme worked in a kind of parallel model and it was more efficient on computation. In [6], Dent et al. presented the first constructions for CL-PKE schemes that were provably secure against strong adversaries in the standard model. For raising efficiency, Sun and Li [7] proposed a short-ciphertext CCA2 secure certificateless encryption scheme under the standard bilinear Diffie-Hellman assumption. Due to short ciphertext and convincing security, their scheme had practical value.
The Internet of Things (IoT) [8,9] is a kind of network, which can connect everything to the Internet by using RFID, Infrared Sensors, GPS, Laser Scanner, Sensor Node, and other sensor equipment, thus possessing the ability of identifying, locating, tracking, monitoring, managing, and other intelligent actions. IoT requires sensor nodes to be employed in unprotected and even hostile environments, and therefore IoT brings lots of research challenges; one of the important issues is the security [10,11].
In this paper, we make use of the bilinear pairing to design a certificateless encryption scheme on the elliptic curves over the ring   [12,13], which overcomes the security defect of the Koyama et al.'s scheme [14] whose security is only based on the problem of factoring the large number as in RSA. Furthermore, we prove that our scheme is secure in the random oracle model, provided that the BDH assumption and the problem of factoring the large number are intractable. Compared with the related CL-PKE schemes, our proposal offers better performance than others on the efficiency and security. At last, based on our CL-PKE scheme, we also present another protocol to protect the confidentiality and integrity of data transmitted between the gateway node and the sensor node in IoT.
The remainder of this paper is organized as follows. In Section 2, we introduce the preliminary concepts, including properties of the elliptic curve over the ring   , the related computational problems, and the formal definition and security model of CL-PKE. In Section 3, we present our CL-PKE scheme and analyze the security and performance of it. Based on our CL-PKE, in Section 4, we propose a scheme to protect the confidentiality and integrity of information in the business of IoT. Finally, we conclude the paper in Section 5.

Preliminaries
In this section, we summarize the definitions and properties of elliptic curve over a ring   = /, bilinear pairing, and models of CL-PKE, where  is an RSA modulus.

Elliptic Curve over the Ring
Definition 1. Let   be a field and prime  > 3; all the points (, ) ∈   ×   satisfying the equation  2 ≡  3 +  +  (mod ) compose the elliptic curve over   together with the point at infinity denoted O, where ,  ∈   are two parameters satisfying 4 3 + 27 2 ≠ 0 (mod ); such a curve is denoted by   (, ).
The addition operation on the points of   (, ) can be defined as follows.
From these definitions, the points of   (, ) form an Abelian group under this addition operation, where O is the neutral element of   (, ).
Let   = /, where  =  is the product of two large primes as the RSA modulus. The Chinese Remainder Theorem says that there is an isomorphism of rings given by  mod  ←→ ( mod ,  mod ) .
This yields a bijection between elements in   and pairs of elements, one in   and the other in   . Thus, the following theorem can be given.
Theorem 2. Let  and  be odd integers with gcd(, ) = 1; let  be an elliptic curve defined over   . Then, there is a group isomorphism
Therefore, there is an isomorphism mapping
where   ∈ (  ),   ∈ (  ) and   ∈ (  ).
Let   ∈ (  ),   ∈ (  ) and   ∈ (  ); we can get
Because  is an isomorphism mapping, there is an inverse mapping of it, denoted . Thus,
 ( (  +   )) =   +   =  ([  +   ,   +   ]), (7)
which means that the addition law on (  ) can be defined as an isomorphism mapping of the addition law in
For more details concerning the addition law on elliptic curves over the ring, see [12,13,15]. Besides, there is an important theorem in constructing our CL-PKE over the ring as shown below.

Bilinear Pairings.
Let  1 be a cyclic additive group generated by an elliptic curve point , whose order is ; let  2 be a multiplicative group of the same order. Assume that bilinear pairing is a map  :  1 ×  1 →  2 with the following properties.
We also consider the following computational problem in ⟨ 1 ,  2 , ⟩ as above which will form the basis of security for our CL-PKE scheme.
The BDHP is said to be   -intractable if there is no algorithm A that solves this problem with   .
Setup. On input a security parameter 1  , this algorithm returns the system parameters param and the master key msk.
The system param includes the plaintext space M and the ciphertext space C. After this algorithm is over, the KGC publishes param and keeps the msk secret.
Partial-Private-Key-Extract. On input param, msk, and an identity ID for the entity, KGC executes this algorithm and returns the partial private key  ID to the entity via a confidential and authentic channel.
Set-Secret-Value. On input param and an identity ID, the entity executes this algorithm and returns the entity's secret value  ID .
Set-Private-Key. On input param, the entity's partial private key  ID , and secret value  ID , this algorithm returns the entity's full private key SK ID . Note that this algorithm is executed by the entity itself.
Set-Public-Key. On input param and the entity's secret value  ID , this algorithm returns the public key PK ID to the entity. This algorithm is also executed by the entity itself.
Encrypt. Run by a sender. On input message  ∈ M, public key PK ID , and identity ID of an entity, this algorithm returns a ciphertext  ∈ C.
Decrypt. A deterministic algorithm run by a receiver. On input param,  ∈ C, and a private key SK ID , this algorithm returns a message  ∈ M, which is either a plaintext message or a "Reject" message.

Security Model for CL-PKE.
In CL-PKE, there are two types of adversary with different capabilities, Type I and Type II adversaries [2]. A difference between these two attackers is that A I does not have access to the master key of KGC, while A II does. Specifically, the adversary A I in Type I represents a normal third party attacker against the CL-PKE scheme; that is, A I is not allowed access to the master key but A I may request public keys and replace public keys with values of its choice. The adversary A II represents a malicious KGC who generates partial private keys of users. The adversary A II is allowed to have access to the master key but not to replace a public key.

Definition 5. A CL-PKE scheme is IND-CCA secure if no polynomially bounded adversary A of Type I or Type II has a nonnegligible advantage against the challenger in the following game.
Setup. The challenger CH takes a security parameter 1  as input and runs the Setup algorithm; then it sends the resulting system parameters param to A. If A is of Type I, CH keeps the master secret key  to itself. Otherwise, it returns  to A.

Phase 1.
A is given access to the following oracles.
(1) Partial-Key-Extract-Oracle: upon receiving a partial key query for a user's identity ID, CH computes  ID and returns it to A. (Note that it is only useful to Type I adversary.)
(2) Private-Key-Request-Oracle: upon receiving a private key query for a user's identity ID, CH computes SK ID and returns it to A. It outputs ⊥ (denotes failure) if the user's public key has been replaced (in the case of Type I adversary).
(3) Public-Key-Request-Oracle: upon receiving a public key query for a user's identity ID, CH computes PK ID and returns it to A.
(4) Public-Key-Replace-Oracle: for identity ID and a valid public key, A replaces the associated user's public key with the new one of its choice (this is only for Type I adversary). The new value will be recorded and used by CH in the coming computations or responses to the adversary's queries.
(5) Decryption-Oracle: On input a ciphertext and an identity, it returns the correct decryption of ciphertext, which is encrypted under the private key corresponding to the current value of the public key associated with an identity of the user, even if the corresponding public key for the user ID has been replaced.
Challenge Phase. Once A decides that Phase 1 is over, it outputs and submits two messages ( 0 ,

Our CL-PKE Scheme
In this section, we propose a CL-PKE scheme based on the bilinear pairing over the ring and evaluate its performance.
Decrypt. To decrypt ciphertext  = ( 1 ,  2 ) for the entity with identity ID and private key SK ID , compute and return  as plaintext.
Notice that if ( 1 ,  2 ) is the encryption of  with public key PK ID , we have

Security Analysis.
In this section, we will show that the scheme described in the previous section is secure in the random oracle model.
Theorem 6. Given that  1 and  2 are two collision resistant hash functions, the proposed CL-PKE scheme based on the ring   is IND-CCA secure in the random oracle model assuming that the BDHP is intractable.
When attacking this system, an adversary A first chooses two messages  0 ,  1 and is given the challenge ciphertext  * for one of these two messages   by the challenger CH. Then, A may make decryption queries but not ask for the decryption of  * . If A's guess   is equal to , it wins the game.
In order to prove Theorem 6, we first prove two lemmas to show that our CL-PKE scheme is secure against Type I and Type II attackers whose behavior is as described in Definition 5.
Lemma 7. The CL-PKE scheme is (  1 ,   2 ,  par ,  pub ,  prv ,   , )-IND-CCA secure against Type I attacker A in the random oracle model assuming that the BDH problem is  intractable, where
Proof. In this lemma, Type I models an "outside" adversary, which can replace the public key of arbitrary identities but cannot corrupt the master secret key.
Let A I be a Type I IND-CCA adversary against our scheme. Suppose that A I has the advantage  and makes    queries to random oracle   ( = 1, 2) and   decryption queries. We show how to construct an algorithm B to solve the BDH problem with the instance of (, , , ) by interacting with A I .
At the beginning, B simulates the algorithm Setup for A I by supplying it with  = { 1 ,  2 , , , ,  1 ,  2 }, where  1 ,  2 are random oracles that will be controlled by B. B chooses an index  uniformly at random with 1 ≤  ≤   1 .
The adversary A I may make queries of the random oracles   ( = 1, 2) at any time during its attack. B responds as follows.
 1 Queries. B maintains a list of tuples ⟨ID  ,   ,   ⟩ in  1 List  1 . On receiving a query ID  to  1 , B responds as follows.
(1) If ID  already appears on the list  1 in a tuple ⟨ID  ,   ,   ⟩, B responds   as an answer.
Private-Key-Extraction. B maintains a Private Key List of tuples ⟨ID  ,   ,   ⟩. On receiving a query ID  , B responds as follows.
(2) Otherwise, if  ≠ , run the simulation algorithm Request-Public-Key to get a tuple ⟨ID  ,   , PK  ⟩ and the simulation algorithm Private-Key-Extraction to get a tuple ⟨ID  ,   ⟩, add ⟨ID  ,   ,   ⟩ to the Private Key List, and return ⟨  ,   ⟩ as an answer. (Note that if the corresponding public key has been replaced, such a private key query is not allowed.)
(3) If  = , return "Abort" and terminate.
Request-Public-Key. B maintains a Public Key List of tuples ⟨ID  ,   , PK  ⟩. On receiving a query ID  , B responds as follows.
(1) If ⟨ID  ,   , PK  ⟩ exists in Public Key List, return PK  as an answer.
Replace-Public-Key. A I may replace any public key with a new value of its choice and B records all the changes.
Decryption-Queries. On receiving a query ⟨ID  , PK  , ⟩, where  = ( 1 ,  2 ) and PK  =    1 (ID  ), B responds as follows.
(1) If  ≠  and PK  is the correct public key not a replaced one, B decrypts  by using the corresponding private key.
(2) Otherwise, search  2 for a tuple ⟨ID  ,   ,   ⟩. If such a tuple exists, B retrieves the related   to compute  ‖  =  2 ⊕   and returns  as an answer.
( Otherwise, simulation error may occur while B is running the decryption oracle simulation specified above. Let DecErr be this event. Suppose that ID, PK ID , , where  = ( 1 ,  2 ) and PK ID =  ID , have been issued as a valid decryption query. Even if  is valid, there is a possibility that  can be produced without querying (ID,   ) to  2 . Let Valid be an event that  is valid; let Ask 2 and Ask 1 be events that (ID,   ) have been queried to  2 and ID have been queried to  1 , respectively. Since DecErr is an event that Valid | ¬Ask 2 happens after the entire simulation and   decryption oracle queries being performed, we have Pr
where,
Now, the event (Ask * 2 ∨ (Ask * 1 | ¬Ask * 2 ) ∨ DecErr) | ¬Abort is denoted by E, where Abort denotes an event that B aborts during the simulation. The probability that ¬Abort happens is given by   prv + par (1 − ) which is maximized at  = 1 − 1/( prv +  par + 1). Hence, we have Pr[¬Abort] ≤ 1/( prv +  par + 1), where  denotes the base of the natural logarithm.
If E does not happen, it is clear that A I does not gain any advantage greater than 1/2 to guess  due to the randomness of the output of the random oracle  2 . Namely, we have Pr
By definition of , we have
Consequently, we obtain
Lemma 8. The CL-PKE scheme is (  1 ,   2 ,  par ,  pub ,  prv ,   , )-IND-CCA secure against Type II attacker A in the random oracle model assuming that the BDH problem is   -intractable, where
Proof. In this lemma, a Type II models an "insider" adversary, who has access to msk but cannot replace public keys of entities.
Let A II be a Type II IND-CCA adversary against our scheme. Suppose that A II has the advantage , makes    queries to random oracle   ( = 1, 2), and   decryption queries. We show how to construct an algorithm B to solve the BDH problem with the instance of (, , , ) by interacting with A II .
At the beginning, B simulates the algorithm Setup for A II by supplying A II with  = { 1 ,  2 , , , ,  1 ,  2 }, where  1 ,  2 are random oracles that will be controlled by B. B chooses an index  uniformly at random with 1 ≤  ≤   1 .
The adversary A II may make queries of the random oracles   ( = 1, 2) at any time during its attack. B responds as follows.
 1 Queries. B maintains a list of tuples ⟨ID  ,   ⟩ in  1 List  1 . On receiving a query ID  to  1 , B responds as follows.
(1) If ID  already appears on the list  1 in a tuple ⟨ID  ,   ⟩, B responds   as an answer.
(2) Otherwise, search  2 for a tuple ⟨ID  ,   ,   ⟩. If such a tuple exists, B retrieves the related   to compute  ‖  =  2 ⊕   and returns  as an answer.
( These two lemmas complete the proof of Theorem 6. Furthermore, in our CL-PKE scheme,  1 =   (, ) is an elliptic curve over the ring   , where  = . According to Theorem 6, in order to run the algorithm on   (, ), such as addition and scalar multiplication, we should first construct two elliptic curves   (, ) and   (, ) and execute the corresponding operation on them, respectively. Then, we use the results of operation on   (, ) and   (, ) to present the operation on   (, ), which means that we should first factor  into  and . Therefore, the security of our CL-PKE scheme is also based on the intractability of factoring the large number.
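The procedure described above and in the section on the elliptic curve over the ring (operate on the two curves modulo the prime factors, then recombine the results) can be sketched as follows. This is an added example, not code from the paper: the toy primes, the parameter names `A` and `B`, the base point and every function name are assumptions chosen for illustration.

```python
"""Added illustration: group law on E_n(a, b), n = p*q, via the CRT pair [P_p, P_q]."""

P, Q = 1009, 1013                  # constructed toy primes standing in for the RSA factors
N = P * Q
A = 2                              # curve parameter a (assumed)
GX, GY = 3, 5                      # base point picked first ...
B = (GY**2 - GX**3 - A * GX) % N   # ... then b is chosen so that G is on the curve
INF = None                         # point at infinity on a prime-field curve


def nonsingular(m):
    """Discriminant condition 4a^3 + 27b^2 != 0 (mod m)."""
    return (4 * A**3 + 27 * B**2) % m != 0


def on_curve(pt, m):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x**3 + A * x + B)) % m == 0


def ec_add(p1, p2, m):
    """Affine chord-and-tangent addition modulo m.
    Total for prime m. For composite m, pow(d, -1, m) raises ValueError when a
    slope denominator d is not invertible, so the formula is only partial there.
    """
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % m == 0:
        return INF
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % m, -1, m) % m
    else:
        lam = (y2 - y1) * pow((x2 - x1) % m, -1, m) % m
    x3 = (lam * lam - x1 - x2) % m
    return (x3, (lam * (x1 - x3) - y1) % m)


def split(pt):
    """Map an affine point modulo n to its CRT pair [P_p, P_q]."""
    x, y = pt
    return ((x % P, y % P), (x % Q, y % Q))


def crt(rp, rq):
    """Unique residue modulo n that is rp modulo p and rq modulo q."""
    return (rp + P * ((rq - rp) * pow(P, -1, Q) % Q)) % N


def join(u):
    """CRT pair -> affine point modulo n, or INF for [O_p, O_q]."""
    pp, pq = u
    if pp is INF and pq is INF:
        return INF
    if pp is INF or pq is INF:
        # Infinity on one component only: no affine coordinates modulo n exist.
        raise ValueError("no affine representative modulo n")
    return (crt(pp[0], pq[0]), crt(pp[1], pq[1]))


def add_n(u, v):
    """Addition on E(Z_n): add componentwise on E(F_p) and E(F_q)."""
    return (ec_add(u[0], v[0], P), ec_add(u[1], v[1], Q))


def neg_n(u):
    return tuple(c if c is INF else (c[0], -c[1] % m) for c, m in zip(u, (P, Q)))


def mul_n(k, u):
    """Double-and-add scalar multiplication on the pair representation."""
    acc = (INF, INF)               # [O_p, O_q] is the neutral element
    while k:
        if k & 1:
            acc = add_n(acc, u)
        u = add_n(u, u)
        k >>= 1
    return acc


if __name__ == "__main__":
    G = split((GX, GY))
    print("2G via CRT:", join(add_n(G, G)), "direct:", ec_add((GX, GY), (GX, GY), N))
```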

Comparison to Related Schemes.
In this section, we compare the proposed scheme with other related CL-PKE schemes on the computation complexity of encryption (Enc) and decryption (Dec), security level (Sec-Lev), and security assumption (Sec-Ass), where RSA in Table 1 represents the problem of factoring the large number. Without considering the addition of two points and hash function on the elliptic curves, all the schemes have three major operations, that is, Pairing (P), Scalar Multiplication (S), and Exponentiation (E). The essential operation of our proposed scheme is to compute a bilinear pairing. According to [16], the computation of a bilinear pairing becomes efficient. From Table 1, compared with the related works, our scheme needs only one pairing and two scalar multiplications in Encrypt and one pairing operation in Decrypt, which will consume less energy while preserving a higher security level. Therefore, the scheme proposed in this paper is more suitable to be applied in IoT with the characteristics of low cost, low power, multifunctional sensor nodes that are small in size and communicate wirelessly with each other over a short distance.

Application to Internet of Things
In this section, based on our proposed scheme, we present a protocol to protect the confidentiality and integrity of the information transmitted between the gateway node and the sensor node.
In the IoT Smart Car scenario illustrated in Figure 1, the gateway node in the car is responsible for transmitting the driving information, such as the speed and location collected by sensor nodes fixed in the car, to the platform so that it can be monitored in real time. Furthermore, the gateway will deliver the data and signaling obtained from the platform to sensor nodes for updating and managing equipment. Consequently, the confidentiality and integrity of the information transmitted between the gateway node and the sensor nodes should be protected, so that an adversary cannot eavesdrop on it or destroy it and thereby damage the normal operation of a Smart Car.
Considering the sensor node with identity ID ∈ {0, 1}  in the initial phase, the details of this encryption scheme are as follows.
The algorithms of Setup, Partial-Private-Key-Extract, Set-Secret-Value, Set-Private-Key, and Set-Public-Key are the same as that of the proposed CL-PKE scheme in Section 3.1.
The sensor node checks whether the equation ID  = ID holds.
If the verification succeeds, return   as the legal data and signaling. Otherwise, return "Reject". This encryption scheme protects not only the confidentiality of the data and signaling transmitted between gateway node and sensor node in the Smart Car, but also the integrity. This is because the sensor node can determine that the transmitted data was distorted or destroyed by an adversary or by environmental conditions in the public wireless channel, provided that ID  is not equal to ID in the Decrypt phase. Moreover, there is only one pairing operation in Decrypt, which satisfies the characteristics of low-cost, low-power, and low-computation of the sensor node in the Smart Car.

Conclusion
We have proposed a CL-PKE scheme on the elliptic curve over the ring   and proved that the scheme is IND-CCA secure in the random oracle model, relative to the intractability of the BDHP and factoring the large number problem. The comparison in Table 1 shows that the proposed scheme is advantageous over the existing related schemes on performance. Due to the appealing properties, based on the proposed one, we also present another CL-PKE scheme for Smart Car in the end, which can provide confidentiality and integrity.

(3) If  = , set PK  = , add ⟨ID  , * , PK  = ⟩ to the public key list, and return PK  =  as an answer (where * denotes the arbitrary value).

Figure 1: Transmitting the data and signaling to the sensor node in a Smart Car.
(  ) and (  ), with the convention that the infinity point O of (  ) can be represented by [O  , O  ], where O  and O  are the points at infinity on (  ) and (  ), respectively. Then, (  ) is an Abelian group under this definition of point addition.
( = I, II) breaks an IND-CCA secure CL-PKE scheme with (  ,  par ,  pub ,  prv ,   , ) if and only if the guessing advantage of A  that makes   times the random oracle (⋅),  par times Partial-Key-Extract-Oracle,  pub times Public-Key-Request-Oracle,  prv times Private-Key-Request-Oracle, and   times Decryption-Oracle queries is greater than .The scheme is said to be (  ,  par ,  pub ,  prv ,   , )-IND-CCA secure if there is no attacker A  that breaks IND-CCA secure scheme with (  ,  par ,  pub ,  prv ,   , ).
1), together with a challenge identity ID * of the uncorrupted secret key. Note that A is not allowed to know the private key of ID * in any way. The challenger CH picks a random bit  ∈ {0, 1} and computes  * , which is the encryption of   under the current public key PK ID * for ID * . If the output of the encryption is ⊥, A immediately loses the game. Otherwise,  * is delivered to A.
Phase 2. Now A issues a second sequence of queries as in Phase 1. A decryption query on the challenge ciphertext  * for the combination of ID * and PK ID * is not allowed.
Guess. Finally, A outputs its guess   for . The adversary wins the game if   =  and the advantage of A in this game is defined to be Adv(A) = |Pr(  = ) − 1/2|.
The adversary A
Setup. Let  1 ,  2 be bilinear groups of order  with an arbitrary generator  ∈  1 , and  :  1 ×  1 →  2 is a bilinear pairing, where  1 is an elliptic curve   (, ). The KGC selects an   ∈  *  at random and computes  =  as the master public key. Then, it chooses two collision resistant hash functions  1 : {0, 1}  →  * 1 ,  2 :  2 → {0, 1} * , where  denotes the bit-length of identity. The system parameters are  = { 1 ,  2 , , , ,  1 ,  2 } and the master secret key is  = .
Partial-Private-Key-Extract. On input an entity's identity ID ∈ {0, 1}  , this algorithm computes  ID =  1 (ID) ∈  * 1 and sends the partial private key  ID =  ⋅  ID ∈  * 1 to the entity via a secure channel.
Set-Secret-Value. On input param and an identity ID, the entity picks a secret value  ∈  *  . Return  ID = .
Set-Private-Key. On input param, ID and  ID , the entity obtains the private key SK ID by computing SK ID =  ⋅  ID =  1 (ID) ∈  * 1 .
Set-Public-Key. On input param and ID, this algorithm returns PK ID =  ID  ID as the public key.
Phase 1. After receiving param from B, A I issues a sequence of polynomially bounded number of requests, each request being either a Partial-Private-Key-Extraction, a Private-Key-Extraction, a Request-Public-Key, a Replace-Public-Key, or Decryption-Queries for an entity. We assume that A I always makes the appropriate  1 queries on the identity ID before making one of these requests and never makes a decryption query on a ciphertext obtained from the encryption oracle. B replies to these requests as follows.
Challenge Phase. A I then outputs two messages ( 0 ,  1 ) and a challenge identity ID * . On receiving a challenge query ⟨ID * , ( 0 ,  1 )⟩:
(1) If ID * ≠ ID  , B aborts the game.
(2) Otherwise, B selects  * ∈  *  and  ∈ {0, 1} * randomly, computes  * 1 =  *  and  2 ((SK ID * ,  * 1 )) =  * 2 ⊕ (  ‖ ) (note that B does not know " * "), returns  * = ( * 1 ,  * 2 ) as a target ciphertext.
Phase 2. A I requests in the same ways as in Phase 1. Moreover, no private key extraction on ID * is allowed and no decryption query can be made on the ciphertext  * for the combination of identity ID * and public key PK ID * that encrypted plaintext   .
Guess. A I should make a guess   for . The adversary wins the game if   = .
Analysis. By Ask * 2 we denote the event that (ID * ,  *  ) has been queried to  2 . Also, by Ask * 1 we denote the event that ID * has been queried to  1 . If happens, B will be able to solve the BDH problem by choosing a tuple ⟨ID  ,   ,   ⟩ from  2 and computing  2 (  ) with the probability at least 1/  2 . Hence, we have   ≥ (1/  2 )Pr[Ask * 2 ]. It is easy to notice that if B does not abort, the simulations of Partial-Key-Extract, Private-Key-Request, Public-Key-Request, and the simulated target ciphertext are identically distributed as the real one from the construction. Now, we evaluate the simulation of the decryption oracle. If a public key PK ID has not been replaced nor PK ID has been produced by reselecting   ∈  *  , the simulation is perfect as B knows the private key SK ID corresponding to PK ID .
) Otherwise, if  ≠ , choose   ∈  * 1 at random and add ⟨ID  ,   ⟩ to  1 and return   as an answer.
 2 Queries. B maintains a list of tuples ⟨ID  ,   ,   ⟩ in  2 List  2 . On receiving a query ⟨ID  ,   ⟩ to  2 , B responds as follows.
(1) If ID  already appears on the list  2 in a tuple ⟨ID  ,   ,   ⟩, B responds   as an answer.
(2) Otherwise, pick   ∈ {0, 1} * at random, add ⟨ID  ,   ,   ⟩ to  2 , and return   as an answer.
After receiving param from B, A II issues a sequence of polynomially bounded number of requests, each request being either a Private-Key-Extraction, a Request-Public-Key, or Decryption-Queries for an entity. We assume that A II always makes the appropriate  1 queries on the identity ID before making one of these requests and never makes a decryption query on a ciphertext obtained from the encryption oracle. B replies to these requests as follows.
Private-Key-Extraction. B maintains a Private Key List of tuples ⟨ID  ,   ,   ⟩. On receiving a query ID  , B responds as follows.
(1) If ⟨ID  ,   ,   ⟩ exists in Private Key List, return ⟨  ,   ⟩ as an answer.
(2) Otherwise, pick  at random, so that Pr[ ≠ ] = . ( is the same as it is in the proof of Lemma 7.) If  ≠ , run the simulation algorithm Request-Public-Key to get a tuple ⟨ID  ,   , PK  ⟩ and compute   =   , add ⟨ID  ,   ,   ⟩ to the Private Key List, and return ⟨  ,   ⟩ as an answer.
(3) If  = , return "Abort" and terminate.
Request-Public-Key. B maintains a Public Key List of tuples ⟨ID  ,   , PK  ⟩. On receiving a query ID  , B responds as follows.
(1) If ⟨ID  ,   , PK  ⟩ exists in Public Key List, return PK  as an answer.
(2) Otherwise, if  ≠ , choose   ∈  *  , compute PK  =    1 (ID  ), add ⟨ID  ,   , PK  ⟩ to the Public Key List, and return PK  as an answer.

Table 1: Comparison of the CL-PKE schemes.