Mediated Encryption: Analysis and Design∗

Boneh, Ding and Tsudik presented identity-based mediated RSA (ID-MRSA) encryption and signature systems in which users cannot decrypt or sign messages without the authorisation of a security mediator (SEM). We show that ID-MRSA is not secure and present a secure modified version that is as efficient as the original system. We also propose a generic mediated encryption (GME) that turns any identity-based encryption (IBE) into a mediated version of that IBE: it envelops a message encrypted under a user's identity inside an IBE envelope encrypted under the identity of the SEM. We present two security models, according to whether the adversary is a revoked user or a hacked SEM, and prove that GME is as secure as the SEM's IBE against a revoked user and as secure as the user's IBE against a hacked SEM. We also present two implementations of GME, one based on the Boneh-Franklin FullIBE system, which is pairing-based, and one based on the Boneh, Gentry and Hamburg (BGH) system, which is pairing-free.


Introduction
For the last few years, the key revocation problem has received the attention of the cryptography community, because a user's public key can no longer be used once the corresponding private key is compromised. The problem arises in public key cryptography because it depends on digital certificates. A digital certificate is a signature issued by a trusted certificate authority (CA) that securely ties together a number of quantities. Typically, these quantities contain at least the identity of a user (U) and its public key (PK). Frequently, the CA includes a serial number (SN) for managing certificates. The CA also binds the certificate to an issue date D_1 and an expiration date D_2. By issuing the signature SigCA(U, PK, SN, D_1, D_2), the CA vouches for PK between the current date D_1 and the future date D_2.
A user's public key may have to be revoked before its expiration date D_2 if the user's secret key is accidentally leaked or an attacker compromises it. A new key pair should then be generated and a corresponding certificate issued.
If the CA can revoke a certificate, then third parties cannot depend on this certificate unless the CA shares certificate status information indicating whether the certificate is still valid. This status information has to be recently generated and must be widely distributed. Periodically distributing a great deal of fresh certificate status information leads to the key revocation problem, which consumes a large amount of computation power and bandwidth and is considered a hindrance to the global application of public-key cryptography.

∗ This paper is an extended version of the paper entitled 'Generic Mediated Encryption' in Securecomm 2013.

Some Previous Solutions to the Key Revocation Problem
The most widely known, and very ineffective, way to solve the key revocation problem is the certificate revocation list (CRL) [10,23], a list of revoked certificates. The CA produces this list periodically and signs it. Because the CA will probably revoke many of its certificates, say 10% if they are issued with a validity time of one year [14,20], the CRL will be very long if the CA has many clients. Moreover, the complete CRL must be sent to any party that needs to carry out a certificate status check. There are improvements to this approach, such as delta CRLs [5], which list only those certificates revoked since the CA's last update, but the transmission bandwidth and computation costs of distributing these lists are still very high. Another method is the online certificate status protocol (OCSP) [18]. A client that wants to check a certificate's status sends a certificate status query to the CA, which replies with a fresh signature on the certificate's current status. This removes the need to send a list of all revoked certificates and reduces transmission costs to a single signature per query, but it significantly increases computation costs. It also negatively affects security: if the CA is centralised, the system has a single point of failure and consequently becomes highly vulnerable to denial-of-service (DoS) attacks [14,20].
Kocher [17] suggested an improved version of OCSP called certificate revocation trees (CRTs). The CA can be considered a global service provider and must be replicated over many servers in order to withstand the entire load of certificate validation requests. The CA's signing key must then be distributed securely over many servers, which is expensive and insecure. A solution is for a highly secure root CA to send a signed CRL-like data structure to other, less secure servers; clients then query these servers with their certificate validation requests. The data structure is a tree whose leaves are the revoked certificates and whose root is a signature of the highly secure root CA. This structure is called a certificate revocation tree (CRT). A user who wants to check the validity of a certificate sends a request to the nearest less secure CA server.
A disadvantage of the current CRT structure is that the whole CRT must be recalculated and sent to all servers whenever a new certificate is revoked. This problem can be solved if the CRT can be updated without recalculating it. Two proposed solutions are 2-3 trees, proposed by Naor and Nissim [21] and by Aiello, Lodha and Ostrovsky [1], and skip-lists, proposed by Goodrich [16].
Micali [14,19,20] proposed a promising way to solve this problem (see also [1,12,22]). Like previous PKI proposals, Micali's Novomodo system includes a CA, one or more directories (to distribute the certification information) and the users. Despite this similarity, it is more efficient than CRLs and OCSP without sacrificing security.
The advantage of Novomodo over a CRL-based system is that a directory's reply to a certificate status query is brief, only 160 bits per query (if T has cached SigCA(U, PK, SN, D_1, D_2, X_n)), whereas the length of a CRL grows with the number of revoked certificates (i.e. with the number of clients). Novomodo also has several advantages over OCSP. First, Novomodo depends on hashing while OCSP depends on signing; because hashing is computationally cheaper than signing, the CA's computational costs in Novomodo are typically much lower. Second, the directories in Novomodo do not have to be trusted, unlike the distributed components of an OCSP CA: instead of issuing signatures that third parties must rely on, the directories publish only hash preimages sent by the CA (which the Novomodo directories cannot produce themselves). Third, the directories do not perform any online computation, which makes Novomodo less vulnerable to DoS attacks. Finally, although OCSP does not consume too much bandwidth, Novomodo's bandwidth consumption is typically even lower, since public-key signatures are typically longer than 160 bits (the length of the X_{n−i} sent per query).
A disadvantage of all the above techniques is relying on third-party queries [14]. It is preferable to eliminate third-party queries for several reasons. First, since anyone can make third-party queries, each certificate server must be able to obtain the certificate status of every client in the system. The situation is much simpler without third-party queries: each server is only required to hold certification proofs for the clients it works for, and multicast can be used to push certificate proofs to clients, reducing transmission costs. Second, third-party queries multiply the query computation costs of the CA and/or its servers. For example, if each client queries the certificate status of X clients per day, the system must process XN queries (where N is the number of clients). Third, from a business-model perspective, non-client queries are undesirable: if T is not a client of the CA, the CA has no incentive to deliver fresh certificate status information to T. Finally, since the CA must reply to queries from non-clients, it becomes more vulnerable to DoS attacks, which is a security concern. In summary, removing third-party queries reduces infrastructure costs, simplifies the business model and increases security. Third-party queries can be completely removed by using implicit certification such as identity-based encryption (IBE).
The notion of identity-based cryptography was put forth by Shamir [25]. In the same paper, Shamir also proposed a concrete construction of an identity-based signature system. Identity-based cryptography simplifies public key management because it eliminates the need for public key certificates. In his seminal paper, Shamir achieved this goal by designing an identity-based signature based on RSA, but not identity-based encryption, since sharing a common modulus between different users makes RSA insecure. Examples of RSA cryptanalysis with the same modulus used for different encryption/decryption pairs are [3,26]. Sixteen years later, Sakai, Ohgishi and Kasahara [24] proposed the first identity-based cryptography and, independently, Boneh and Franklin [7] proposed the first reliable and provably secure identity-based cryptography, based on Weil pairings over elliptic curves. Cocks [9] presented a system based on the factorisation of a composite integer. These cryptosystems opened a new era in cryptography.

EAI for Innovation European Alliance
Gentry presented the notion of certificate-based encryption (CBE) [14]. This system combines public-key encryption (PKE) and IBE while keeping most of the advantages of each. Using PKE, each client creates its own public-key/secret-key pair and requests a certificate from the CA. The CA uses an IBE system to create the certificate, which has all the functionality of a conventional PKI certificate and also serves as a decryption key. This double encryption gives implicit certification: if T wants to encrypt a message, it encrypts it twice, using PKE and IBE, and the decryptor uses both his secret key and an up-to-date certificate from his CA to decrypt it. CBE has no escrow (since the CA does not know the user's secret key) and no secret-key distribution problem, because the CA's certificate need not be kept secret. Although CBE has lower computation and transmission costs than Novomodo, it is preferable to eliminate certificates altogether to save infrastructure costs.
Boneh, Ding, Tsudik and Wong were the first to introduce the notion of mediated cryptosystems [6]. They designed a variant of RSA that allows immediate revocation of, for instance, an employee's key by an employer for any reason. Their system is the first secure variant of identity-based RSA that shares a common modulus between different users. It is based on the so-called security mediator (SEM) architecture, in which the SEM is a semi-trusted server. If an employee wants to decrypt or sign a message, he must co-operate with the SEM to do so. The idea behind their system is to split the secret key of an employee between the employee himself and the SEM; hence, without the SEM's co-operation, the employee can neither sign nor decrypt messages. This also helps to monitor the security of secure messages sent and received within the company. Later on, Ding and Tsudik presented a security proof for these systems. In particular, they stated that 'IB-mRSA/OAEP encryption offers equivalent semantic security to RSA/OAEP against adaptive chosen ciphertext attacks in the random oracle model if the key generation function is division intractable'. To make the key generation function division intractable, Ding and Tsudik used a division intractable hash function to generate division intractable public keys.
The SEM architecture proved useful [6] for simplifying signature validation and enabling key revocation in legacy systems. Although this system does not require a CA to create certificates or send certificate status information, and its computation and transmission costs are kept to a minimum, it has two major security concerns. First, there is a security flaw in [11,15]. Second, since the SEM is centralised, it represents a single point of failure and hence the system is vulnerable to DoS attacks. Moreover, a hacked SEM is a major threat to the system's security because the SEM is a semi-trusted server.

Our Contribution
First, we investigate the mediated encryption of [6,11] by reviewing the security of the ID-MRSA. We show that hashing users' identities with a division intractable hash function does not necessarily generate division intractable public keys, and that an insider attacker can breach the ID-MRSA even if the hash function used is division intractable. We present two solutions that make the key generation function division intractable and hence make the ID-MRSA secure. Second, we take the work of [6] one step further and present a generic mediation system that makes any IBE system support key revocation. The idea is a letter-envelope technique. If U_A wants to encrypt a message to U_B, he first encrypts it normally using U_B's identity (the letter), then encrypts the letter again using the SEM's identity (the envelope) and sends the resulting ciphertext to U_B. To decrypt the ciphertext, U_B sends it to the SEM. If U_B is revoked, the SEM will not open the envelope for him; if U_B is not revoked, the SEM opens the envelope and returns the letter to U_B, who decrypts the message using his private key. The structure of our system combines the advantages of both Gentry [14] and Boneh et al. [6]. It completely eliminates the use of certificates. In addition, the SEM in our system is not a single point of failure: if the SEM is compromised, the system can continue working using the user's IBE system, and all messages sent to the SEM before or after an attack remain safe and secure. Throughout the paper, U represents the user, S represents the SEM, P represents the system parameters, Gen represents the setup algorithm, KG is the key generation algorithm, Enc is the encryption algorithm, Dec is the decryption algorithm and r is the private key.
The rest of the paper is organised as follows. Sec. 2 discusses the ID-MRSA encryption/signature systems and their implementations. Sec. 3 discusses the security flaw of the ID-MRSA. Sec. 4 proposes two solutions to overcome the ID-MRSA security flaw, and the effect of these solutions on the ID-MRSA is discussed in Sec. 5. Sec. 6 presents the generic mediated encryption (GME) and its security proof. Sec. 7 presents two implementations of GME: the first is based on the BF IBE system [7], which is pairing-based, and the second on the BGH system [8], which is not pairing-based. The last section presents the conclusions of the paper.

The ID-MRSA
We review the structure of ID-MRSA as follows. In the setup phase, the PKG generates two safe primes p, q and computes n = pq. It keeps p, q as secret system parameters and makes the modulus n public. Next, the PKG derives the public key of U_A by hashing his identity to a value KG() and padding KG() with a one to obtain an odd public key for U_A. It then computes the corresponding full RSA private key for U_A and splits it between U_A and the SEM. U_B encrypts a message m to U_A normally, using the public key of U_A. After receiving the encrypted message C from U_B, U_A forwards it to the SEM for partial decryption. If U_A is revoked, the SEM declines to decrypt the message and returns 'error'. Otherwise, the SEM partially decrypts the message to obtain PD_S and sends it to U_A. After receiving PD_S from the SEM, U_A computes his own partially decrypted version of the message, PD_U, and combines it with the SEM's partial decryption to obtain the fully decrypted message. The algorithms of key generation, encryption and decryption are shown below. The signature system has the same key generation as the encryption system. When U_A signs a message to U_B, he sends it to the SEM, which partially signs the message for him if he is not revoked. U_A combines the SEM's partial signature with his own partial signature to obtain his signature. U_B verifies the signature of U_A as in ordinary RSA.

The ID-MRSA Security
The ID-MRSA is assumed to be secure in the random oracle model based on [15] and [11]. However, there
Key Generation: Input: two safe primes p and q. Output: r_U, r_S. n = pq (generating the modulus).
This lemma and its proof are presented in [11]. If e_a | e_b, i.e. e_b = k × e_a, we can build a mapping function f such that f(a) = a^k (mod n). To protect the system against this attack, a user's public key must not be a factor of the product of the other users' public keys. To ensure this, Ding and Tsudik used a division intractable hash function to map a user's identity to his public key (KG()). The notion of division intractable hash functions was introduced by Gennaro et al. [13].
In this section, we show that the ID-MRSA is still vulnerable to this attack. A division intractable hash function does not necessarily produce division intractable public keys, because the output of the hash function KG() is padded with a 'one'. The public key is e = KG() ‖ 1 [11] or e = KG() ‖ 00000001 [4], which means that e = 2KG() + 1 or e = 8KG() + 1. This multiplication and addition completely change the properties of the public key, which with overwhelming probability is no longer division intractable. For example, if |KG(ID
We now demonstrate how an insider one-wayness adversary takes advantage of this simple observation to mount two different attacks against the ID-MRSA. The first attack is a direct application of Lemma 1. The second attack is a common modulus attack against the ID-MRSA. For the signature system, we show that if such a mapping function exists, an insider attacker can forge the signature of another user without knowing his private key.

Attacks on the ID-MRSA Encryption
The first attack applies when the effect of using a division intractable hash function is cancelled by padding the output with a one and the resulting public keys are of the form e_B = k × e_A. Under these conditions, U_B can obtain the message of U_A using the following formula and then decrypt it using his private key. This attack is executed as follows:
• The attacker U_B chooses an identity ID_B such that e_B = k × e_A, where k is an integer.
• At the challenge phase, U_B sends to the challenger two messages m_0 and m_1 and the identity ID_A.
• U_B sends C_B to the SEM for decryption.
• After decryption, U_B can successfully find b′ = b.
The gravity of this attack is that it exposes the ID-MRSA to a one-wayness adversary: not only can U_B distinguish between the two messages m_0 and m_1, he can decrypt the challenge ciphertext as a message of his own.

The second attack applies if the same message is sent to two users U_A and U_B: a user U_C whose public key satisfies gcd(e_A, e_B) | e_C can decrypt this message as follows.
• Assuming that g = gcd(e_A, e_B) divides e_C, U_C finds values a and b such that a × e_A + b × e_B = g using the extended Euclidean algorithm.
• After obtaining a and b, U_C computes his own version of m as follows and then decrypts it using his private key.

The attack on the ID-MRSA signature
In this subsection, we demonstrate an attack on the ID-MRSA signature system even with a division intractable hash function. We assume that there are two users, U_A and U_B, and show that U_B can forge the signature of U_A without knowing his private key, as long as a mapping function between their public keys exists, using the following steps:
• U_B signs the message m with the SEM using his private key.
• After obtaining his signed message m_B, he calculates the forged signature m_A, where k = e_B / e_A.
• m_A can be verified using the public key of U_A.
The proof of the correctness of this attack is as follows: e_a · h_a = 1 (mod ϕ(n))

The ID-MRSA-V2
Having shown the security flaw of the ID-MRSA encryption/signature systems, we present two solutions that make the ID-MRSA secure against these types of attacks. We denote the ID-MRSA with these solutions as the ID-MRSA-V2. Any solution to these attacks must satisfy the following conditions:
• There is a deterministic one-to-one mapping function that maps the identities of the users to their public keys.
• This function must be division intractable.
• The produced public keys must be co-prime with ϕ(n).
The first solution ensures that the largest public key value is less than three times the smallest public key value, i.e. e_M < 3e_m, where the subscript M denotes the maximum and m the minimum. One can see that this completely eliminates the problem (since all public keys are odd, e_B = k × e_A would require k ≥ 3). The relation between the hash values of the maximum and minimum public keys must therefore be |KG_M| < 3|KG_m| + 1; if this inequality holds, then all public keys are division intractable. The disadvantage of this solution is that it limits the space of the hash function. The other solution is to map the users' identities to public keys that are primes. To generate primes from identities, we first calculate a = H(ID) and then apply the following function, where step is the value used to generate unique primes. After that, we find the smallest prime larger than f(a). The algorithm is shown as follows.
where NxPrime(x) is a function that finds the smallest prime larger than x. This mapping must satisfy the following conditions:
• It is infeasible to find two different values X, Y such that a = H(X) = H(Y). This guarantees that each identity is mapped to a unique hash value, and hence to a unique public key.
• The value of step is chosen carefully such that f(a) < P_a < f(a + 1) for any value a. This guarantees that each identity is mapped to a unique prime; Fig. 1 shows this idea. The value of step can be determined by finding a value greater than the maximal prime gap in the range, i.e. a gap larger than every gap between smaller primes. For primes less than 2^40, a value of step greater than 1476 can be safely used [2].
• If the mapping function satisfies the above conditions, it overcomes the first attack on the encryption system, because primes satisfy the division intractable property. However, it cannot withstand the second attack, because the greatest common divisor (gcd) of two distinct primes is one.
The only defence against this attack is not to use the same OAEP padding when encrypting the same message to multiple users. For the signature system, no mapping function exists between distinct primes, so it is safe from such attacks. After fixing these drawbacks, the ID-MRSA-V2 can be proven CCA2 secure in the random oracle model using the same methodology as [11] or [15].
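As an added example (not the paper's code), the following Python walks through the prime-mapping solution of this section together with the mediated key split and partial decryption described in the ID-MRSA section. It assumes f(a) = a × step (the form of f is not reproduced above), SHA-256 truncated to 28 bits as H, a toy modulus built from two constructed primes, and textbook RSA without the OAEP padding the paper uses.

```python
import hashlib
import secrets
from math import gcd

STEP = 1477        # > 1476, the bound the text quotes for primes below 2^40
HASH_BITS = 28     # toy choice: keeps f(a + 1) = (a + 1) * STEP below 2^40


def is_prime(n: int) -> bool:
    """Deterministic Miller-Rabin; exact for n < 3.3e24 with these 13 bases."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def nx_prime(x: int) -> int:
    """NxPrime(x) from the text: the smallest prime strictly larger than x."""
    x += 1
    while not is_prime(x):
        x += 1
    return x


def f(a: int) -> int:
    """Assumed form of the spreading function: consecutive outputs lie STEP apart."""
    return a * STEP


def identity_to_public_key(identity: str) -> int:
    """ID-MRSA-V2 mapping: a = H(ID), e = NxPrime(f(a)), checked to satisfy
    f(a) < e < f(a + 1) so that distinct hash values give distinct primes."""
    digest = hashlib.sha256(identity.encode()).digest()
    a = int.from_bytes(digest, "big") >> (256 - HASH_BITS)   # H(ID), truncated
    e = nx_prime(f(a))
    assert f(a) < e < f(a + 1), "STEP does not exceed the prime gaps in range"
    return e


def mrsa_keygen(p: int, q: int, identity: str):
    """PKG side: derive e from the identity, invert it, split d between user and SEM."""
    n, phi = p * q, (p - 1) * (q - 1)
    e = identity_to_public_key(identity)
    if gcd(e, phi) != 1:                      # third V2 condition: e co-prime with phi(n)
        raise ValueError("public key shares a factor with phi(n)")
    d = pow(e, -1, phi)
    r_s = secrets.randbelow(phi)              # SEM's share, chosen at random
    r_u = (d - r_s) % phi                     # user's share; r_u + r_s = d (mod phi)
    return n, e, r_u, r_s


def encrypt(m: int, e: int, n: int) -> int:
    """Textbook RSA encryption (the OAEP padding used in the paper is omitted)."""
    return pow(m, e, n)


def sem_partial_decrypt(identity: str, c: int, r_s: int, n: int, revoked):
    """SEM side: return 'error' (None) for a revoked user, else PD_S = c^r_s mod n."""
    if identity in revoked:
        return None
    return pow(c, r_s, n)


def user_decrypt(c: int, pd_s: int, r_u: int, n: int) -> int:
    """User side: PD_U = c^r_u mod n, then m = PD_S * PD_U mod n = c^d mod n."""
    return pd_s * pow(c, r_u, n) % n


def mediated_roundtrip(identity: str, m: int, revoked=frozenset()):
    """One message end to end; returns the plaintext, or None if the SEM refused."""
    p, q = 1000000007, 1000000009            # constructed small primes (toy modulus)
    n, e, r_u, r_s = mrsa_keygen(p, q, identity)
    c = encrypt(m, e, n)
    pd_s = sem_partial_decrypt(identity, c, r_s, n, revoked)
    return None if pd_s is None else user_decrypt(c, pd_s, r_u, n)


if __name__ == "__main__":
    uid = "alice@xyz.example"                 # constructed identity
    print(mediated_roundtrip(uid, 123456789))              # 123456789
    print(mediated_roundtrip(uid, 123456789, {uid}))       # None
```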

Implementation
The ID-MRSA-V2 was implemented using the MIRACL C library and its performance was compared with the ID-MRSA and RSA. The PC used to run these tests has an Intel(R) Core(TM) i5-2410M CPU @ 2.30GHz (4 CPUs) and 4096MB RAM. Table 2 shows the test results; the results are in ms.
From these results, we can see that:
• The ID-MRSA-V2 has the same performance as the original ID-MRSA.
• The key generation times of RSA are larger than those of the ID-MRSA and the ID-MRSA-V2, because key generation in the ID-MRSA and the ID-MRSA-V2 is performed per user and does not involve the prime generation that RSA key generation requires.
• The encryption time increases only slightly with the key length, so the key length is not problematic. This can also be seen in the encryption times of the ID-MRSA and ID-MRSA-V2.
• The decryption times are longer than the encryption times in all systems. This drawback is inherited from RSA, because the decryption keys are extremely large (of the length of n).
• The times consumed by all these systems are proportional to the modulus size.

Generic Mediated Encryption
In this section, we take the idea of ID-MRSA one step further. Assume that there is a company XYZ and that its security manager wants to upgrade the currently used IBE to one that supports key revocation.
The security manager has two options. He can install a CBE system [14], but he has to uninstall the currently used IBE and install a PKE, and PKE certificates will lead to more computation and transmission costs. The other option is to use a mediated cryptosystem such as ID-MRSA [6,15]; the security manager again has to uninstall the current IBE system and install ID-MRSA. Uninstalling the currently used IBE and installing a new encryption system is time-consuming and expensive. It is like having a safe with a one-key lock and wanting to replace it with a two-key lock: you have to completely remove the old lock and install the new one. The question we address here is: "Is there a way to make any IBE support key revocation without having to uninstall it?". We take the idea of ID-MRSA and make it generic and applicable to any encryption system. In the following section, we explain the security model and security proof of GME.

The Model
• KG_S(MSK_S, P_S, ID_S): This algorithm generates the secret key r_S for a SEM with identity ID_S using P_S and MSK_S.
• KG_U(MSK_U, P_U, ID_U): This algorithm generates the secret key r_U for a user with identity ID_U using P_U and MSK_U.
• Enc(P_S, P_U, ID_U, ID_S, m): The probabilistic algorithm Enc takes P_S, P_U, ID_U, ID_S and m and returns a ciphertext C.
• Dec_S(P_S, r_S, C): The deterministic decryption algorithm Dec_S takes (P_S, r_S, C) as input along with the user's revocation status. If the user is revoked, Dec_S returns ⊥; otherwise it returns C_U.
• Dec_U(P_U, r_U, C_U): The deterministic decryption algorithm Dec_U takes (P_U, r_U, C_U) as input and returns m.

Security
Our main concern is the security of GME against two different types of attacker: 1) a revoked user or 2) a hacked SEM. GME must be secure against each of them, considering that each holds 'half' of the information needed to decrypt. Correspondingly, we define IND-CCA security using two different games.
The adversary selects the game to play. In the first game, Type 1, the adversary plays the role of a revoked user. After demonstrating knowledge of the private key related to his identity, the revoked user can make Dec_S queries. In the second game, Type 2, the adversary plays the role of a compromised SEM. After demonstrating knowledge of the private key related to his identity, a compromised SEM can make Dec_U queries. We say that our system is secure if no adversary can win either Type 1 or Type 2.

Type 1: The challenger runs Gen_S(1^{k_1}) and Gen_U(1^{k_2}) and gives P_S and P_U to the adversary. The adversary then interleaves key extraction queries and decryption queries with a single challenge query. These queries are answered as follows:
• On key extraction queries (MSK_U, P_U, ID_U, P_S, ID_S), the challenger runs KG_U and KG_S and outputs r_U and r_S corresponding to the identities ID_U and ID_S.
• On decryption queries (P_S, P_U, ID_U, ID_S, r_U, C), the challenger checks that r_U is the private key related to ID_U. If so, it generates r_S and outputs Dec_U(Dec_S(C)).
• On the challenge query (P_S, P_U, ID*_S, ID*_U, m_0, m_1), the challenger checks that r*_U is the private key related to ID*_U. Then, upon receiving the two messages m_0 and m_1 from the adversary, the challenger chooses a random bit b ∈ {0, 1} and returns Enc(m_b) to the adversary. The adversary is allowed to make key extraction and decryption queries after submitting the challenge.
In the end, the adversary outputs a guess b′ ∈ {0, 1}. The adversary wins the game if b′ = b and ID*_S and r*_S were not the subject of valid key extraction and decryption queries. The adversary's advantage is defined to be the absolute value of the difference between 1/2 and its probability of winning.

Type 2: The challenger runs Gen_S(1^{k_1}) and Gen_U(1^{k_2}) and gives P_S and P_U to the adversary. The adversary then interleaves key extraction queries and decryption queries with a single challenge query. These queries are answered as follows:
• On key extraction queries (MSK_U, P_U, ID_U, P_S, ID_S), the challenger runs KG_U and KG_S and outputs r_U and r_S corresponding to the identities ID_U and ID_S.
• On decryption queries (P_S, P_U, ID_U, ID_S, r_S, C), the challenger checks that r_S is the private key related to ID_S. If so, it generates r_U and outputs Dec_U(Dec_S(C)).
• On the challenge query (P_S, P_U, ID*_U, ID*_S, m_0, m_1), the challenger checks that r*_S is the private key related to ID*_S. Then, upon receiving the two messages m_0 and m_1 from the adversary, the challenger chooses a random bit b ∈ {0, 1} and returns Enc(m_b) to the adversary. The adversary is allowed to make key extraction and decryption queries after submitting the challenge.
In the end, the adversary outputs a guess b′ ∈ {0, 1}. The adversary wins the game if b′ = b and ID*_U and r*_U were not the subject of valid key extraction and decryption queries. The adversary's advantage is defined to be the absolute value of the difference between 1/2 and its probability of winning.

Security Proof
The security of GME is established by the following two theorems.
Theorem 1. If an adversary A who plays the role of a revoked user has an advantage against GME, then this adversary has the same advantage against IBE_S.
Theorem 2. If an adversary A who plays the role of a hacked SEM has an advantage against GME, then this adversary has the same advantage against IBE_U.
Proof: Theorem 1 states that the game between an adversary A playing the role of a revoked user and a challenger B against GME (Type 1) is identical to the game between the same adversary A and the challenger B against IBE_S. To prove this, we rewrite Type 1 as follows.
Type 1':
• The Setup phase is the same as in Type 1.
• Key extraction queries are the same as in Type 1.
• Decryption queries are the same as in Type 1.
• On the challenge query (P_S, P_U, ID*_S, ID*_U, m_0, m_1), the challenger checks that r*_U is the private key related to ID*_U. Then, upon receiving the two messages m_0 and m_1 from the adversary, the challenger chooses a random bit b ∈ {0, 1} and returns Enc(m_b) to the adversary. Since the revoked user has r_U, he can partially decrypt the message to obtain C_S = Enc_S(m), where Enc_S is the SEM's IBE encryption algorithm.
In the end, the adversary outputs a guess b′ ∈ {0, 1}. The adversary wins the game if b′ = b and ID*_S and r*_S were not the subject of valid key extraction and decryption queries. The adversary's advantage is defined to be the absolute value of the difference between 1/2 and its probability of winning. This concludes Type 1'.
From Type 1', we can see that:
• Type 1' is a game against IBE_S, because in the challenge phase the adversary A has to attack C_S = Enc_S(m) to obtain the message m.
• The only difference between a game against GME (in the case of a revoked user) and a game against IBE_S is the extra information P_U, which gives the adversary no additional help in identifying m.
This concludes the proof of Theorem 1. The proof of Theorem 2 is similar.

Implementation of GME
Generally speaking, a GME system is produced by combining two IBE systems. To show that GME is generic, we present it in two different instantiations. The first is based on the BF FullIBE [7], which is a pairing-based system. The other is based on the BGH IBE system [8], which is not pairing-based. We first briefly review bilinear pairings and the bilinear Diffie-Hellman assumption, on which the security of BF FullIBE rests, and then present GME using BF FullIBE. After that, we briefly review some security topics related to the BGH IBE system and then present GME using the BGH IBE system. We note here that the proposed GME systems use the same setup and key generation algorithms for both the users and the SEM.

Review on pairings
BF IBE [7] is based on a bilinear map called a 'pairing'. The pairing most often used to construct BF IBE is a modified Weil or Tate pairing on a supersingular elliptic curve or abelian variety. However, we review pairings and the related mathematics in a more general form here.
Let G_1 and G_2 be two cyclic groups of a large prime order q. G_1 is an additive group and G_2 is a multiplicative group.
Admissible pairings: ê is called an admissible pairing if ê : G_1 × G_1 → G_2 is a map with the following properties:
• Bilinear: ê(aQ, bR) = ê(Q, R)^{ab} for all Q, R ∈ G_1 and all a, b ∈ Z.
• Computable: there is an efficient algorithm to compute ê(Q, R) for any Q, R ∈ G_1.
Bilinear Diffie-Hellman (BDH) Parameter Generator: a randomized algorithm IG is a BDH parameter generator if IG takes a security parameter k > 0, runs in time polynomial in k, and outputs the description of two groups G_1 and G_2 of the same prime order q and the description of an admissible pairing ê : G_1 × G_1 → G_2.
BDH Problem: given a randomly chosen P ∈ G_1 as well as aP, bP and cP (for unknown, randomly chosen a, b, c ∈ Z_q), compute ê(P, P)^{abc}.
For the BDH problem to be hard, G_1 and G_2 must be chosen so that there is no known algorithm for efficiently solving the Diffie-Hellman problem in either G_1 or G_2.
BDH Assumption: if IG is a BDH parameter generator, the advantage Adv_IG(B) of an algorithm B in solving the BDH problem is defined to be the probability that B outputs ê(P, P)^{abc} when its inputs are G_1, G_2, ê, aP, bP and cP, where (G_1, G_2, ê) is IG's output for a large enough security parameter k, P is a random generator of G_1 and a, b, c are random elements of Z_q. The BDH assumption is that Adv_IG(B) is negligible for all efficient algorithms B [7].

GME BF
Let k be the security parameter given to the setup algorithm and let IG be a BDH parameter generator.
Setup: the public key generator (PKG) runs IG on input k to generate groups G_1, G_2 of some prime order q and an admissible pairing ê : G_1 × G_1 → G_2. It picks an arbitrary generator P ∈ G_1 and a master secret s ∈ Z_q, sets P_pub = sP, and chooses cryptographic hash functions H_1 : {0, 1}^* → G_1, H_2 : G_2 → {0, 1}^n, H_3 : {0, 1}^n × {0, 1}^n → Z_q and H_4 : {0, 1}^n → {0, 1}^n for some n. The message space is M = {0, 1}^n. The master secret is s ∈ Z_q.
KG: for given strings ID_U, ID_S ∈ {0, 1}^*, the PKG computes Q_S = H_1(ID_S) and Q_U = H_1(ID_U) and sets the private keys r_S = sQ_S and r_U = sQ_U.
Enc: to encrypt a message m for a user with public key ID_U, compute Q_S = H_1(ID_S) and Q_U = H_1(ID_U). Then choose a random σ ∈ {0, 1}^n and set r = H_3(σ, m). The ciphertext C is:
where g_U = ê(Q_U, P_pub) and g_S = ê(Q_S, P_pub).
Dec: to decrypt C = ⟨U, V, W⟩ for a user with public key ID_U, the user sends C to the SEM. If the user is revoked, the SEM returns ⊥. If the user is not revoked, the SEM calculates

Security Proof
Lemma 2. Let A be an IND-CCA adversary that has advantage against GME_BF. This adversary A can be a revoked user or a hacked SEM. Then there is an IND-CCA adversary B with the same probability against BF FullIBE.
Proof. As shown in Section 6.3.

Boneh-Gentry-Hamburg (BGH) system
Boneh, Gentry and Hamburg presented an anonymous IND-ID-CPA secure system (BGH) [8]. Unlike the Boneh-Franklin system, its security rests on the interactive quadratic residuosity (IQR) assumption. In the following, we present the IQR assumption and the core algorithm of the BGH system, and then we present GME based on that system.

The IQR assumption
For a positive integer n, define the following set:
where (a/n) is the Jacobi symbol of a with respect to n [8]. The quadratic residue set QR(n) is defined as follows:
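As an added illustration that is not part of the paper, the following Python computes the Jacobi symbol and the two sets named above for a small n = p·q, and separates the elements with Jacobi symbol 1 into squares and non-squares, which is exactly the distinction the QR assumption says cannot be made without the factorisation. The function names and the values p = 7, q = 11 are constructed for this example.

```python
"""Added example (not from the paper): the objects behind the (I)QR assumption.

For n = p*q the Jacobi symbol (a/n) is computable from n alone, whereas
membership in QR(n), the set of squares mod n, is decided here with the
factorisation via Euler's criterion. Among the a with (a/n) = 1, squares and
non-squares are equally many; the QR assumption says that without p and q
they cannot be told apart. p and q below are tiny constructed values.
"""


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, by quadratic reciprocity; no factoring needed."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:           # pull out factors of 2: (2/n) = -1 iff n = 3, 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                 # reciprocity: sign flips when both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0  # n > 1 here means gcd(a, n) > 1


def jacobi_one_set(n):
    """The a in Z_n with Jacobi symbol 1: the publicly computable set defined above."""
    return {a for a in range(1, n) if jacobi(a, n) == 1}


def qr_set(p, q):
    """QR(n) for n = p*q: a is a square mod n iff it is a square mod p and mod q."""
    n = p * q
    return {a for a in range(1, n)
            if a % p and a % q
            and pow(a, (p - 1) // 2, p) == 1
            and pow(a, (q - 1) // 2, q) == 1}


def pseudo_residues(p, q):
    """Jacobi symbol 1 but not a square: the elements the QR assumption is about."""
    return jacobi_one_set(p * q) - qr_set(p, q)
```

For n = 77 the Jacobi-symbol-1 set has 30 elements, of which 15 are squares and 15 are pseudo-residues.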

Q Algorithm
Q is a deterministic algorithm with inputs (n, u, R, T) where n ∈ Z^+ and R, u, T ∈ Z_n. It outputs four polynomials f, f̄, g, τ ∈ Z_n[x] that must satisfy the following conditions:
• If R and T are quadratic residues, then f(r)g(t) is also a quadratic residue for every square root r of R and t of T.
• If uR and T are quadratic residues, then f̄(r)g(t)τ(t) is also a quadratic residue for every square root r of uR and t of T.
• If R is a quadratic residue, then f(r)f(−r)T is a quadratic residue for every square root r of R.
• If uR is a quadratic residue, then f̄(r)f̄(−r)T is a quadratic residue for every square root r of uR.
• If T is a quadratic residue, then τ(t)τ(−t)u is also a quadratic residue for every square root t of T.
• τ is independent of R, that is, Q(n, u, R_1, T) and Q(n, u, R_2, T) produce the same τ for any n, u, R_1, R_2, T.
An example of Q is given in [8] as follows:
• Find a solution (x, y) ∈ Z_n^2 to the equation Rx^2 + Ty^2 ≡ 1 (mod n).

Security Proof
Lemma 3. Let A be an Anon-IND-CPA adversary that has advantage against GME_BGH. This adversary A can be a revoked user or a hacked SEM. Then there is an Anon-IND-CPA adversary B with the same probability against the BGH system.
Proof. As shown in Section 6.3.

Conclusion
In this paper, we investigated the mediated structure of ID-MRSA, which is a solution to the key revocation problem. We showed that using a division-intractable hash function does not necessarily guarantee that the generated public keys are also division intractable. Consequently, the system may not be secure even if the hash function used is division intractable. We proposed two solutions to overcome this drawback.
After applying these modifications, ID-MRSA is secure in the random oracle model if the mapping function parameters have been chosen correctly. We then extended the idea of ID-MRSA to a generic mediated encryption (GME) system that converts any IBE system into a mediated system. Although it is based on double encryption, our system is efficient: the ciphertext size is the same as that of a single IBE. It combines the advantages of the CBE and SEM structures. Our system is more efficient than CBE because it does not depend on certificates, and it is more secure than [6] and [15] because the SEM in GME is not a single point of failure and can be untrusted. We proved that GME is as secure as the underlying IBE system in the case of either a revoked user or a hacked SEM.

Lemma 1.
... the message using RSA/OAEP.
Decryption:
Input: C, r_U, r_S
Output: m
for S do
    if U is revoked then return ERROR and exit
    PD_S = C^{r_S} (mod n)    (the SEM's partially decrypted message)
end
for U do
    PD_U = C^{r_U} (mod n)    (the partially decrypted message of U)
    M = (PD_S × PD_U) (mod n)    (decrypt the message)
end
m = OAEP decoding of M
... is a special attack that an insider user can initiate. He can modify the encrypted message so that it can be decrypted using his private key by finding a mapping function f(C_A) = C_B. Assume that there are two users U_A and U_B. U_B is able to obtain a mapping function f(C_A) = C_B and decrypt/forge the encrypted/signed message of U_A iff e_a | e_b.
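The split decryption of the algorithm above, as an added toy example in Python that is not code from the paper: the SEM class, the function names, the revocation list and the tiny primes are constructed for illustration, and the last function is a deployment-side check that follows from the divisibility condition in Lemma 1.

```python
"""Added example (not from the paper): a toy version of the mediated RSA
decryption above. The private exponent d is split as d = r_S + r_U (mod phi),
so C^d = C^{r_S} * C^{r_U} (mod n) and neither party can decrypt alone; the
SEM stops answering once the user is revoked. Textbook RSA on tiny constructed
primes, no OAEP: this illustrates the control flow, not a secure instance."""
import secrets
from math import gcd

def mrsa_keygen(p, q, e):
    """Return (n, r_U, r_S): the user's and the SEM's additive shares of d."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)
    r_u = secrets.randbelow(phi - 1) + 1   # user's random share
    r_s = (d - r_u) % phi                  # SEM's share completes d
    return n, r_u, r_s

def rsa_encrypt(m, n, e):
    return pow(m, e, n)

class SEM:
    """Holds the SEM shares and the revocation list ('if U is revoked' check)."""

    def __init__(self, shares):
        self.shares = dict(shares)
        self.revoked = set()

    def revoke(self, uid):
        self.revoked.add(uid)

    def partial_decrypt(self, uid, c, n):
        if uid in self.revoked:
            return None                     # the algorithm's ERROR branch
        return pow(c, self.shares[uid], n)  # PD_S = C^{r_S} mod n

def user_decrypt(c, r_u, pd_s, n):
    """PD_U = C^{r_U} mod n, then M = PD_S * PD_U mod n; None if the SEM refused."""
    if pd_s is None:
        return None
    return (pd_s * pow(c, r_u, n)) % n

def exponents_pairwise_nondividing(exponents):
    """Check motivated by Lemma 1: no issued public exponent e_a may divide another e_b."""
    return all(exponents[j] % exponents[i] != 0
               for i in range(len(exponents))
               for j in range(len(exponents)) if i != j)
```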

Figure 1. The distribution of primes.
... and returns C_U to the user. After receiving C_U = ⟨U, V_U, W⟩, the user computes V_U ⊕ H_2(ê(d_U, U)) = σ and W ⊕ H_4(σ) = m and sets r = H_3(σ, m). He outputs m as the decryption of C if U = rP. This concludes GME_BF.
Remark: a symmetric encryption E can be used instead of XOR to encrypt the message m [7].

Table 2. The time results.
• Gen_U(1^{k_2}): the PKG runs the probabilistic IBE key generation algorithm Gen_U, which takes as input a security parameter 1^{k_2}. It returns MSK_U (the second PKG master secret) and the public parameters P_U.
Type 1 and Type 2 are IND-GME-CCA secure if both IBE_S and IBE_U are IND-ID-CCA secure. If IBE_S and IBE_U are only IND-ID-CPA secure, then Type 1 and Type 2 are modified by eliminating the decryption queries, giving IND-GME-CPA security.
Remark:
Z_q and a hash function H_4 : {0, 1}^n → {0, 1}^n for some n. The system parameters are P = (G_1, G_2, ê, P, Q, H_1, H_2, H_3, H_4). The message