Certificateless cryptosystems have attracted great interests in cryptographic research since its invention. Because compared with traditional public key cryptosystems or identity-based cryptosystems, they could not only simplify the certificate management, but also alleviate the key escrow problem. In certificateless cryptosystems, user revocation is a challenging issue. To address this issue, one popular method is to update the key via public channels. However, most of the existing schemes in this approach are impractical because of the following two shortcomings. Firstly, the user needs to maintain a list of decryption keys, but the size of the list will keep increasing. Secondly, the revoked user can still recover the plaintexts of the encrypted data prior to revocation, and this is a particular threat in some applications. To solve these problems, this paper presents revocable certificateless encryption with ciphertext evolution. We give a generic construction and then describe how it can be initialized concretely. In our proposed scheme, the user only needs to keep one decryption key, and once a user is revoked, it can no longer decrypt any ciphertext in the server. Moreover, the IND-CCA security model is defined against three types of attacks. And our schemes are formally proved to satisfy these security requirements.
Provably secure certificateless encryption scheme in the standard model
