Computer Systems Science & Engineering DOI:10.32604/csse.2021.015004
Article

Front-end Control Mechanism of Electronic Records

Jiang Xu1, Ling Wang1,2, Xinyu Liu1,2, Xiujuan Feng3, Yongjun Ren1,2,* and Jinyue Xia4

1School of Computer and Software, Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science & Technology, Nanjing, 210044, China
2Jiangsu Collaborative Innovation Center of Atmospheric Environment and Equipment Technology (CICAEET), Nanjing University of Information Science & Technology, Nanjing, 210044, China
3School of Mines, China University of Mining and Technology, Xuzhou, 221116, China
4International Business Machines Corporation (IBM), NY, USA
*Corresponding Author: Yongjun Ren. Email: renyj100@126.com
Received: 01 November 2020; Accepted: 22 March 2021

Abstract: In the digital era, how to ensure the authenticity and integrity of electronic records has become an open challenging issue. Front-end control is an important concept as well as a basic principle in electronic record management. Under the instruction of front-end control, many original management links in the record-management stage are required to move forward, and the managers enter the formation stage of the electronic records to ensure the originality. However, the front-end control technique primarily focuses on transaction management, and it lacks the strategy of providing the control of electronic records. In this paper, a novel electronic record front-end control mechanism is proposed by adopting proxy re-encryption and requiring archivists to participate in the management of electronic records before the record is created to solve the problem. Specifically, when an electronic record is generated, the proposed mechanism interacts with the producer of the electronic record to generate a corresponding encryption key. Moreover, electronic records are encrypted by the key to protect their confidentiality, which can prevent the leakage of electronic record information. In addition, when transferring the electronic record, archivists use proxy re-encryption technology to convert electronic records, allowing management by an archivist, ensuring their originality and authenticity.

Keywords: Electronic record; front-end control; proxy re-encryption

1  Introduction

It is widely acknowledged that front-end control is an important idea and basic principle of electronic records management, which is based on record life cycle theory. This concept also emphasizes that control of the electronic record starts at the beginning of its life cycle and runs through the entire archive management process [1–3]. Under the guidance of front-end control, many management links that belonged originally to the record management stage need to be advanced to the electronic record formation stage. The goal is to capture and control relevant records and information as required, as well as to meet the filing and archival preservation demands for electronic records [4–6]. This is the key to ensuring the originality and authenticity of electronic records from the source, and also aids in avoiding the distortion, loss and inadequate control of electronic records.

At present, the front-end management of electronic records mainly focuses on dividing the electronic record formation process into specific record management functions. According to the functions, the electronic record formation process can be subdivided into the following six stages: generate, capture, integrate, solidify, register, and audit trail [7–9]. However, the front-end management of electronic records focuses primarily on transaction management at present. In addition, there are few technical means available to support it. To solve this problem, this paper proposes a front-end control method of electronic records based on proxy re-encryption. In the proposed mechanism, the archivist and the producer of the electronic records interact before the electronic record is created. Moreover, when the electronic record is transferred from the producer to the archivist, proxy re-encryption technology is used to ensure its originality and authenticity [10–12].

2  Related Work

The front-end control of electronic records is based on the digital characteristics of these records, which are totally different from those of paper records [13–15]. According to record life cycle theory and the whole-process control principle, the objectives, requirements and rules of the entire electronic record management process are systematically analyzed. In this way, during the design phase of the electronic record system, the management functions implemented in the electronic record formation phase can be planned as uniformly as possible. Moreover, effective supervision should be conducted during the record formation and maintenance stage; this will ensure that the content, background and structure of electronic records are not changed or lost, keep it consistently, thereby providing better assurance of the authenticity, integrity, readability and availability of electronic records [16–18].

According to record life cycle theory, electronic records have a life cycle in a similar way to paper records. The management of electronic records is a systematic process that runs through the entire life cycle when records are generated. Throughout the whole life cycle, records may be changed or lost at any time for various reasons and purposes [19–21]. Accordingly, the archive scope and preservation value should be determined before records are produced, at the design phase, and corresponding protection technology should be adopted. If the archive management organization waits passively, some valuable records may be lost, or received records may be mislaid or out of date. Front-end control should focus on the overall planning of the entire record operation process. Supervision should be implemented during the record formation and maintenance phase. In other words, the value of archives should be identified during the record formation stage, with a focus on the entire record life cycle, extending the protection work forward and reflecting its foresight [22–24]. Intervening from the beginning of record formation and taking corresponding protection measures for valuable records can thus effectively prevent leakage or the destruction of records by other links. This will maximize work efficiency and realize comprehensive record management in a true sense.

The ideological root of front-end control was first developed by the French archivist C. Nogales, who stated that “Archivists need to rethink the timing of their interventions in the record life cycle, even rethink the life cycle itself” [25–27]. The Guidelines for the Management of Electronic Records (Draft) prepared by the Electronic Records Committee of the International Archives Council also dedicates significant space to the importance of rethinking the electronic record life cycle and the appropriate time to intervene in this life cycle. Eventually, this work determines that the “time to intervene” is at the design stage of the electronic record management system; it further puts many “post control” means in the original paper record management system at the front end, and advocates “taking action before record formation” [28–30].

3  Problem Statement

With the rapid development of the information age, the number of electronic records is increasing day by day, exhibiting an exponential growth trend. Information waste is also increasing, which is generating more interest in the use of front-end control to avoid generating electronic records without practical significance [31–33].

The quality of electronic records is variable. In the era of electronic records, due to the influence of traditional habits, along with the convenience and operability of sending records, the number of resulting records is much higher than in the traditional environment, and their quality is also uneven [34–36]. Therefore, to ensure the record's certificate, it is necessary to control the front-end.

The security of electronic records is expected to be guaranteed. Because of their unique characteristics, matters of their security are more serious than those pertaining to paper records [37–39]. It is thus urgent to strengthen the front-end control of electronic records. Electronic records exhibit a separation between information and carrier, as well as dependence on the system. Following technical innovation or improper operation, the recorded information content may be easily lost or become a “dead record”; resolving this situation also requires proper front-end control of electronic records.

The current situation in the field of electronic records management is worrying. At present, electronic record management typically adopts the “double set system” management method and multi-carrier backup. This not only demonstrates that the legal effect of electronic records has not yet been finally confirmed, but also reflects people's distrust of the security of electronic records management systems. The current situation of electronic records management and the popularization of electronic records management systems therefore needs to be addressed [40–42]. Therefore, to ensure that electronic records can be safely saved, uploaded and released, it is also necessary to control the front-end.

As electronic records are processed by means of computers and network technology, it is easy to add, delete and modify electronic records without leaving any trace. This causes a loss of originality and authenticity for electronic records. The authenticity of electronic record content is linked with the premise of its original record formation and the role of investigation [43–45]. The original voucher checking function is also an underlying principle of electronic records: without this function, there could be no electronic records. In addition, the content of electronic records can be read by any terminal device on the network, which puts the electronic record itself and its verification and security at risk.

In order to ensure the authenticity of electronic records, we can use “front-end control” technology. That is to say, in the formation stage of electronic records, the value of archives should be identified, with filing marks added as needed to prevent records from being modified or deleted. This approach fundamentally breaks the traditional management mode and the boundary between records and archives, enabling archives departments to intervene in the life cycle of records in advance [46–48]. Adopting this approach can thus effectively prevent leakage or the destruction of electronic records by other links, thereby maximizing work efficiency and enabling truly comprehensive record management to be realized. Front-end control is therefore an important method for ensuring the authenticity and originality of archived records.

4  Front-end Control Mechanism of Electronic Records Based on Proxy Re-encryption

After an electronic record is generated, it is encrypted by the record producer. When the electronic record is transferred from the producer to the archivist, the archivist re-encrypts it. In this way, the front-end management of electronic records can be realized.

4.1 Preliminaries

4.1.1 Definition 4.1: Bilinear Pairings

G1 is a cyclic group of prime order p, while g is any generator element in G1; G2 is a multiplicative cyclic group of the same order as G1. The bilinear pairing e:G1×G2→G2 is a mapping that satisfies the following properties.

Bilinear: For any a,b∈Zp,g1,g2∈G1 , there is e(g1a,g2b)=e(g1,g2)ab .

● Non-degradation: For any g1,g2∈G1 , make e(g1,g2)≠IG , where IG is the unit element of the group G2.

● Computability: For any g1,g2∈G1 , there is an effective algorithm for calculating e(g1,g2) . A Weil pair and Tate pair can be used on an elliptic curve to construct an effective bilinear pair.

4.1.2 Definition 4.2: Hypothesis 3-QDBDH

e:G1×G1→G2 is a bilinear pairing. The advantage function AdvG1,B3−QDBDH(λ) of PPT adversary B is defined as follows:

|Pr[B(g,gx2,gx2,gx3,gz,e(g,g)z/x)]=1−Pr[B(g,gx2,gx2,gx3,gz,e(g,g)r)]=1| (1)

Here, x,z,r∈Zp , and they are randomly selected. If, for all probabilistic polynomial time (PPT) adversaries B,AdvG1,B3−QDBDH(λ) is negligible, then the hypothesis 3-QDBDH holds.

4.1.3 Definition 4.3: Hypothesis Truncated q-ABDHE

e:G1×G1→G2 is a bilinear pairing. The advantage function AdvG1,Bq−ABDHE(λ) of PPT adversary B is defined as follows:

|Pr[B(g,gx,...,gxq,gz,gzxq+2,e(g,g)zxq+1)]=1−Pr[B(g,gx,...,gxq,gz,gzxq+2,e(g,g)r)]=1| (2)

Here, x,z,r∈Zp , and they are randomly selected. The distribution above is recorded as Pq−ABDHE and the distribution above is recorded as Rq−ABDHE . If AdvG1,Bq−ABDHE(λ) is negligible for all PPT adversaries B, then the truncated q-ABDHE hypothesis holds.

4.2 Re-encryption Scheme for Electronic Records

The scheme is defined as follows:

● GloSetup(λ) : λ is the security parameter, (p,g,G1,G2,e) is the parameter of the bilinear pair, u,v(u,v∈G1) represent the generators of G1, and Sig=(G,S,V) is a signature. The message field is G2, the conditional field is Zp∗ , and the public parameter is GP=(p,g,G1,G2,e,u,v,Sig) .

● KeyGen(i) : The electronic records producer i chooses the random number xi,yi,a0,a1,a2∈Zp∗ , and calculates Xi=gxi ,Yi=gyi ,hk=gak . Its public key is set to pki=(Xi,Yi,{hk}k∈{0,1,2}) and its private key to ski=(pki,xi,yi,a0,a1,a2) .

● RKeyGen(ski,pkj) : Given the user i’s private key ski=(pki,xi,yi) and the user j’s public key, a one-way partial re-encryption key rki,j=Xj1/xi is generated.

●CKeyGen(ski,w) : Given the electronic records producer i’s private key ski ’s xi and the condition w∈Zp∗ , select three random numbers sk∈Zp∗ , calculate dk=(hkg−sk)1/(yi−w) , and set the conditional key as cki,w=(dk,sk)k∈{0,1,2} .

● Enc(pki,m,w) : To encrypt the electronic records m∈G2 with public keypki and conditions w∈Zp∗ , the electronic records producer takes the following steps.

I) Select a strongly unforgivable signature, set the key pair as (ssk,svk)←G(λ) , and set C1=svk .

II) Select r∈Zp∗ at random and calculate C2=Xir , C3=e(g,g)rm , and C4=(usvkv)r .

III) Generate a signature σ=S(ssk,(C3,C4)) for (C3,C4) , and the conventional cipher text is CRi=(C1,C2,C3,C4,σ) .

IV) Select r′∈Zp∗ at random and calculate K=e(g,h0)r′ , C3′=C3K , G5=(Yig−w)r′,G6=e(g,g)r′, t=H(C3′,C5,C6),C7=e(g,h1)r′te(g,h2)r′ .

V) Generate another one-time signature: σ′=S(ssk,(C1,C2,C3′,C4,σ,C5,C6,C7)) .

VI) Conditional cipher text original cipher text: CTi=(C1,C2,C3′,C4,σ,C5,C6,C7,σ′) .

● ReEnc(CTi,rki,j,cki,w) : Enter a partial re-encryption key rki,j=Xj1/xi , conditional key cki,w , and conditional cipher textCTi . First, run Test(CTi,cki,w) , calculate t=H(C3′,C5,C6) , and test to determine whether the following formula is true: V(C1,σ′(C1,C2,C3′,C4,σ,C5,C6,C7))=1 and C7=e(C5,d1td2)C6s1t+s2 . Print “0” if the check fails or “1” otherwise; if the result is “1,” calculate K=e(C5,d0)C6s0,C3=C3′/K . Accordingly, the conventional cipher text is CRi=(C1,C2,C3,C4,σ) , and the following formula is tested to check its validity: e(C2,uC1v)=e(Xi,C4) , V(C1,σ,(C3,C4))=1 . If the preceding equation is true, CTi is re-encrypted, so that t∈Zp∗ is selected at random and the following formulas are calculated: C2′=Xit, C2″=rkij1/t=g(xj/xi)t−1,C2‴=C2t=Xirt, and the re-encryption cipher text is the following formula: CTj=(C1,C2′,C2″,C2‴,C3,C4,σ) . If the equation is false, output the error symbol ⊥ .

● Dec1(CTi,ski) : Enter private key ski , conditional cipher text CTi , and break cipher text CTi=(C1,C2,C3′,C4,σ,C5,C6,C7,σ′) . If V(C1,σ′(C1,C2,C3′,C4,σ,C5,C6,C7))=1 , calculate t=H(C3′,C5,C6) , and then verify whether C7=C6a1t+a2 . If not, output ⊥ ; if so, calculate C3=C3′/(C6a0) . Therefore, the conventional cipher text is CRi=(C1,C2,C3,C4,σ) . If the cipher text satisfies e(C2,uC1v)=e(Xi,C4) and V(C1,σ,(C3,C4))=1 , i can obtain m=C3/e(C2,g)1/xi ; otherwise, the algorithm outputs ⊥ .

● Dec2(CTj,skj) : After entering the private key skj and the re-encryption cipher text CTj=(C1,C2,C2′,C2″,C3,C4,σ), the validity of the re-encryption cipher text is checked by the following test: e(C2′,C2″)=e(Xj,g), e(C2′′′,uC1v)=e(C2′,C4) , and V(C1,σ,(C3,C4))=1 . If both equations are true, output plaintext m=C3/e(C2″,C2‴)1/xj ; otherwise, the algorithm outputs the error sign ⊥ .

Correctness: Properly generated original re-encryption cipher text can be correctly decrypted. As shown below, re-encryption cipher text encrypted by a proxy without the correct encryption key or conditional key cannot be decrypted by the entrusting party. Given the original conditional cipher text CTi=(C1,C2,C3′,C4,σ,C5,C6,C7,σ′) encrypted with the keyword w and public key pki , two cases exist.

Case 1 (incorrect conditional key): Assume that the proxy has a partial re-encryption key rki,j=Xj1/xi and conditional keys cki,w′=(dk,sk)k∈{0,1,2} , dk=(hkg−sk)1−(yi−w′) , and w≠w′ . Run ReEnc(CTi,rki,j,cki,w′) to convert the cipher text CTi to the user j’s cipher text: obviously, CTi cannot pass the legality check.

Order C5=(Yig−w)r′, C6=e(g,g)r′, t=H(C3′,C5,C6) and C7=e(g,h1)r′te(g,h2)r′ . Then,

e(C5,(d1′)t(d1′))C6s1′+s2′≠e(g,h1)r′te(g,h2)r′=C7 (3)

⇔e(g(yi−w)r′,(g(a1−s1′)/(yi−w′)))te(g(yi−w)r′,g(a2−s2′)/(yi−w′))e(g,g)r′(s1′t+s2′)≠C7⇔e(g,g)r′(yi−w)/(yi−w′)((a1−s1′)t+(a2−s2′))e(g,g)r′(s1′t+s2′)≠e(g,g)(a1t+a2)r′⇔((a1t+a2)r′((yi−w)/(yi−w′)−1))−((s1′t+s2′)r′((yi−w)/(yi−w′)−1))≠0⇔(a1t+a2−s1′t−s2′)((w′−w)/(yi−w′))≠0 (4)

Because s1′ and s2′ are randomly selected, a1,a2,yi comprise the private key. Therefore, (a1t+a2−s1′t−s2′)≠0 , (w′−w)≠0 , and (yi−w′)≠0 .

Even if it passes the validation test, it is still evident that K′=e(C5,d0′)C6s0′≠e(g,h0)r′=K , because

K′=e(C5,d0′)C6s0′≠e(g,h0)r′=K (5)

⇔K′=e(g(yi−w)r′,g(a0−s0′)/(yi−w′))e(g,g)r′s0′≠e(g,g)a0r′⇔e(g,g)r′(yi−w)/(yi−w′)(a0−s0′)e(g,g)r′s0′≠e(g,g)a0r′⇔(a0−s0′)r′((yi−w)/(yi−w′)−1))≠0⇔(a0−s0′)r′(w′−w)/(yi−w′)≠0 (6)

Case 2 (incorrect re-encryption key): Assume that the proxy has a partial re-encryption key rki,j′=Xj′1/xi and conditional keys cki,w=(dk,sk)k∈{0,1,2} , dk=(hkg−sk)1−(yi−w′) , and j≠j′ . Run ReEnc(CTi,rki,j,cki,w′) to convert the cipher text CTi to the user j’s cipher text. Decompose CTj and set C2′=Xit,C2″=rkij′1/t=g(xj′/xi)t−1 and C2‴=C2t=Xirt. When decryption is conducted, CTj evidently cannot pass the legality check, because e(C2′,C2″)≠e(Xj,g) .

4.3 Safety Certificate

Theorem 1: Assuming that the 3-QDBDH problem and q-ABDHE problem are difficult to solve, the above scheme for the re-encryption of electronic records is secure under the standard model.

Lemma 1: If an IND-CCA attacker exists that can attack the scheme in this paper, there is an algorithm 'B' that can solve the 3-QDBDH problem. To prove lemma 1, we first prove an assertion.

Assertion 1: The difficulty assumption of 3-QDBDH is equivalent to whether a given (g,g1/a,ga,gas,gb) decides that T is equal to e(g,g)b/a2 or a random value.

Proof: Given (g,g1/a,ga,ga2,gb) , set up a 3-QDBDH instance by setting (y=g1/a,yx=g,yx2=g,yx3=ga2,y2=b) ; this implies x=a,z=ab . One then has e(g,g)z/x=e(g1/a,g1/a)(ab)/a=e(g,g)b/a2 , which means that these two problems are equivalent, thereby completing the proof of Assertion 1.

Proof of Lemma 1: If there is a PPT attacker that can attack the scheme proposed in this paper, a simulator B exists that can solve the 3-QDBDH problem. The simulation proceeds as follows.

First, the challenger sets the groups G1 and G2, the bilinear pair e, and generator g of group G1. The simulator enters an instance of a q-ABDHE problem (A−1=g1/a,A1=ga,A2=ga2,B=gb,T) : the purpose of the simulator B is to distinguish T=e(g,g)b/a2 , T or a random number of group G2.

CT∗=(C1∗,C2∗,C3′∗,C4∗,σ∗,C5∗,C6∗,C7∗,σ′∗) represents the challenge cipher text sent to A in the game. The event FOTS indicates that A performs A’s decryption query and A’s re-encryption query on the cipher text CT∗=(C1∗,C2,C3′,C4,σ,C5,C6,C7,σ′) , but V(C1∗,σ′,(C1,C2,C3′,C4,σ,C5,C6,C7,σ′))=1 , or V(C1∗,σ(C3,C4))=1 .

In phase 1, A has no information on the event svk∗ , meaning that the probability of the previous event FOTS is no more than qkθ . qk denotes the total number of times the query was tested, while θ represents the maximum probability (no more than 1/p ) of a signature’s verification key svk∗ . In phase 2, FOTS presents an algorithm to break a signature. Therefore, Pr[FOTS]≤qk/p+AdvOTS ; the second part represents the probability of a signature being destroyed, which is also negligible. A detailed description of the B simulation is now provided: when FOTS occurs, B simply stops and output a random bit. During the preparation phase, B generates a signature pair (ssk∗,svk∗)←G(λ) and provides public parameters to A, including u=A1α1 and v=A1−α1svk∗A2α2 , where α1 and α2 are random and α1,α1∈Zp∗ . The set of honest participants is represented by HU, including the user i∗ specifying the public key pki∗ , while CU is the set of corrupted participants. The environment simulation of A proceeds as follows.

(a) System setup: λ is the security parameter, (p,g,G1,G2,e) is the bilinear pair parameter, u=A1α1 , and v=A1−α1svk∗A2α2 , where α1 and α2 are random, and α1,α1∈Zp∗ . Generate a signature Sig=(G,S,V) . The public parameter is GP=(p,q,G1,G2,e,u,v,Sig) .

(b) Query phase 1: The attacker A makes the following queries.

- Uncorrupted-key-generation query ⟨i⟩ : The public key of the honest user i∈HU∖{i∗} is defined as Xi=(ga)xi=gaxi , while xi∈Zp∗ is random. Select yi,a0,a1,a2∈Zp∗ at random and calculate Yi=gyi,hk=gak . Then, set the public key to pki∗=(xi∗,yi∗,{hk∗}k∈{0,1,2}) and send to A.

- Corrupt-key-generation query ⟨j⟩ : Considering the corrupt user j∈CU , select random numbers xi,yj,a0,a1,a2∈Zp∗ and calculate Xj=gxj,Yj=gyj,hk=gak . Set its public key pkj=(Xj,Yj,{hk}k∈{0,1,2}) and private key skj=(pkj,xj,yj,a0,a1,a2) , and send (pkj,skj) to A.

- Partial-re-encryption-key query ⟨pki,pkj⟩ : The following cases involving B must be distinguished.

- If i∈CU , B knows that ski=(pki,xi,yi,a0,a1,a2) and Xj is given, such that it is easy to output the one-way re-encryption key rki,j=Xj1/xi .

- If i∈HU∖{i∗} and j=i∗ , B returns a valid re-encryption key rki,i∗=(g1/a)xi/xi∗=g(axi)/(a2xi∗) .

- If i=i∗,j∈HU∖{i∗} , B returns the correct distribution rki∗,i=(g1/a)xi/xi∗=g(axi)/(a2xi∗) .

- If i,j∈HU∖{i∗} , B returns rki,j=gxj/xi=g(axj)/(axi) .

- Conditional key query ⟨pki,w⟩ : B selects sk∈Zp∗ at random and calculates dk=(hkg−sk)1/(yi−w) .

- Re-encryption key query ⟨pki,pkj,(w,CTi)⟩ : For the re-encryption key query of the conditional cipher text CTi=(C1,C2,C3′,C4,σ,C5,C6,C7,σ′) from user i to j, the conditional key is cki,w={dw,k,sw,k}k∈{0,1,2} . Calculate t=H(C3′,C5,C6) , and then verify whether the following formula is true: V(C1,σ′(C1,C2,C3′,C4,σ,C5,C6,C7))=1 and C7=e(C5,d1td2)C6s1t+s2 . If the verification fails, output ⊥ ; otherwise, calculate K=e(C5,d0)C6s0,C3=C3′/K , obtain the conventional cipher text CRi=(C1,C2,C3,C4,σ) and check its validity by testing the following expressions:

e(C2,uC1v)=e(Xi,C4) ,

V(C1,σ,(C3,C4))=1. (7)

If the equation is not true, then B returns ⊥ .

- If i=i∗ or i=i∗,j∈HU∖{i∗} , in both cases B is encrypted with the re-encryption key rki,j .

- If i=i∗ and j∈CU :

     i)  If C1=svk∗ , then (C1,C2,C3′,C4,σ,C5,C6,C7,σ′)≠(C1∗,C2∗,C3∗,C4∗,σ∗,C5∗,C6∗,C7∗,σ′∗) , and B is faced with the FOTS event and stops the game.

    ii)  Another possible situation is the following: C1≠svk∗ , i=i∗ , j∈CU . At this time, C21/xi∗ is given from C4=(usvkv)r=((ga)α1(svk−svk∗)(ga2)α2)r . B calculates (A1)r=(ga)r=(C4/(C2α2/xi∗))1/(α1(svk−svk∗))

and knows (A1)r and user j’s private key. B randomly selects t∈Zp∗ , calculates C2′=(A1)t=gat, C2″=(A−1)xj/t=(g1/a)xj/t,C2‴=(A1)rt=Xirt , and returns the correct cipher text Cj=(C1,C2′,C2″,C2‴,C3,C4,σ) .

- Decryption query ⟨pki,CTi⟩ or ⟨pkj,CTj⟩ : If ⟨pki,CTi⟩ represents a decryption query on the original conditional re-encryption cipher text CTj=(C1,C2,C2′,C2″,C3,C4,σ) , use the following formulae to check the validity of the re-encryption cipher text: e(C2′,C2″)=e(Xj,g),e(C2‴,uc1v)=e(C2′,C4) , and V(C1,σ,(C3,C4))=1 . If the equation is not true, return⊥ . Supposing that j∈HU , because B otherwise knows the private key, it does not need to perform a decryption query.

First, if C1=C1∗=svk∗ : if (C3,C4,σ)≠(C3′∗,C4∗,σ∗) , B faces the occurrence of the FOTS event and stops the game; if (C3,C4,σ)=(C3′∗,C4∗,σ∗) , B outputs ⊥ , indicating that ⟨pkj,CTj⟩ is derived from ⟨pki∗,CT∗⟩ . As in stage 2 for the same hidden index r, the following must be the case that, assuming C1≠C1∗ :

•   For Xj=gaxj , if j∈HU∖{i∗} , the legitimacy of the cipher text ensures that, for r∈Zp∗ , the following formulas are satisfied: e(C2′′,C2′′′)=e(g,Xj)r=e(g,g)arxj and C4=(usvkv)r=((ga)α1(svk−svk∗)(ga2)α2)r .

Therefore,

e(C4,A−1)=e(C4,g1/a)=e(g,g)a1r(svk−svk∗)e(g,g)aα2r (8)

e(g,g)r=((e(C4,A−1))/(e(C2″,C2‴))α2/xj)1/(α1(svk−svk∗)) (9)

It is thus easy to calculate the plaintext m.

- If j=i∗ , for the index, it is known that xi∗∈Zp∗ and one has Xj=ga2xi∗ . Because

e(C2′′,C2′′′)=e(g,Xi∗)r=e(g,g)a2rxi∗ (10)

and

e(C4,g)=e(g,g)aα1r(svk−svk∗)e(g,g)a2α2r, (11)

B first obtains γ=e(g,g)ar=((e(C4,g))/(e(C2″,C2‴))α2/xi∗)1/(α1(svk−svk∗)) .

As relationship e(C4,A−1)=e(C4,g1/a)=e(g,g)a1r(svk−svk∗)e(g,g)aa2r , γ reveals that

e(g,g)r=((e(C4,A−1))/(γ)a2/xi∗))1/(α1(svk−svk∗)). (12)

It is thus easy to calculate the plaintext m=C3/e(g,g)r .

In phase 2, B must check that m is different from the challenge message to m0, m1. According to the security model’s restriction rules, if m∈{m0,m1} , B returns ⊥ .

(c) Challenge: Once A decides that the query 1 phase is over, it outputs the challenge condition w∗ and two plaintexts of the same length (m0, m1). Challenge B randomly selects b∈{0,1} , and sets the challenge cipher text by taking the following steps: set C1∗=svk∗ and calculate C2∗=Bxi∗, C3∗=T⋅mbandC3∗=Bx2 ; for (C3∗,C4∗) generating a strong and unforgettable σ∗=S(ssk,(C3∗,C4∗)) , so that the conventional cipher text is CRi∗=(C1∗,C2∗,C3∗,C4∗,σ∗) ; choose r′∈Zp∗ randomly, calculate K=e(g,h0)r′ ,C3′ *=C3*K , G5∗=(Yi∗g−w)r′, G6∗=e(g,g)r′ , t∗=H(C3′∗,C5∗,C6∗) ,C7∗=e(g,h1)r′t∗e(g,h2)r′ ; generate another strong and unforgettable σ′∗=S(ssk,(C1∗, C2∗,C3′∗,C4∗,σ∗,C5∗,C6∗,C7∗)) ; therefore, the conditional cipher text is CT∗=(C1∗,C2∗,C3′∗,C4∗,σ∗,C5∗,C6∗,C7∗,σ′∗) . Return CT∗ to A.