FORWARD-SECURE IDENTITY-BASED ENCRYPTION WITH DIRECT CHOSEN-CIPHERTEXT SECURITY IN THE STANDARD MODEL

. The paradigm of forward security provides a promising approach to deal with the key exposure problem as it can eﬀectively minimize the damage caused by the key exposure. In this paper, we develop a new forward-secure identity-based encryption scheme without random oracles. We formally prove that the proposed scheme is secure against adaptive chosen-ciphertext attacks in the standard model. In the proposed scheme, the running time of the private key extraction and decryption algorithms and the sizes of the user’s initial private key and the ciphertext are independent on the total number of time peri- ods, and any other performance parameter has at most log-squared complexity in terms of the total number of time periods. Compared with the previous forward-secure identity-based encryption schemes, the proposed scheme enjoys obvious advantage in the overall performance. To the best of our knowledge, it is the ﬁrst forward-secure identity-based encryption scheme that achieves direct chosen-ciphertext security in the standard model.


Introduction
In public key cryptography, each user has a pair of keys, namely a public key and a private key. The public key is usually published to the public while the corresponding private key is only known to its owner. However, in traditional public key cryptography, the public key is generated randomly and does not contain any information associated with its owner. Therefore, it is infeasible to prove that a user is indeed the owner of a given public key. This problem can be solved by employing a trusted certification authority (CA) to generate public key certificates. A public key certificate is a digital signature issued by CA that binds a public key to the identity of its owner. By verifying the public key certificate, anyone can confirm whether a public key belongs to a user. This kind of certificate systems is referred to as the public key infrastructure (PKI). However, the need for PKI-certificates is usually considered as the main difficulty in the deployment of traditional public key cryptography.
In 1984, Shamir [37] introduced the concept of identity-based cryptography to simplify public key certificate management. In identity-based cryptography, a user's public key is his unique identity information such as an e-mail address or a telephone number, and his private key is generated by a trusted third party called Private Key Generator (PKG). Because the identity is a natural link to a user, the ability to use identities as public keys eliminates the need for public key certificates and certificate authorities. However, how to construct a secure and practical identitybased encryption scheme remained open for many years since the question was first posed by Shamir in [37]. Until 2001, Boneh and Franklin [10] presented a practical and provably secure identity-based encryption scheme using the bilinear pairings. Since then, identity-based encryption has undergone quite rapid development and many schemes have been proposed, e.g. [8,9,15,16,20,21,24,27,41].
The standard security of identity-based cryptography depends on the assumption that the private keys are kept perfectly secure. However, as cryptographic operations are performed frequently on the unprotected and insecure devices, private key exposure seems to be inevitable. Actually, it is much easier for an adversary to steal a user's private key from his insecure device than to break the computational assumption(s) on which an identity-based cryptosystem is based. Undoubtedly, private key exposure has become one of the most devastating attacks on the identitybased cryptosystems, as it means all security guarantees are lost. To mitigate the damage caused by private key exposure, one effective way is to build forward-secure identity-based cryptosystems. Forward-secure identity-based cryptosystems enable a user to frequently update his private key while maintaining a fixed public key (i.e., his identity). More concretely, in a forward-secure identity-based cryptosystem the whole lifetime of the system (e.g., one year) is divided into T time periods (e.g., one day). A user's device begins by storing an initial private key. At each time period, a new private key is computed from the former private key by a key update algorithm and then the old key is deleted. Meanwhile, this user's public key (i.e., his identity) remains fixed throughout the lifetime of the system. The forward security property means that even if an adversary obtains the current private key, he still cannot compromise private keys and communications for the past time. Therefore, the paradigm of forward security provides a promising approach to deal with the private key exposure problem in the identity-based cryptosystems.
The notion of forward security was first proposed in the context of key-exchange protocols by Günther [22] and later by Diffie et al. [17]. Subsequently, Anderson [3] suggested forward security for the non-interactive setting and proposed a general forward-secure signature scheme. The non-interactive forward security was first formalized in the context of signature by Bellare and Miner [4], in which the first practical forward-secure signature scheme was proposed. Inspired by the initial works in [3,4], a number of forward-secure signature schemes have been proposed, e.g. [1,2,11,25,28,29,31,36,49]. Moreover, Bellare and Yee [7] proposed a forwardsecure scheme in the symmetric-key encryption setting. The first non-interactive and forward-secure public key encryption scheme was proposed by Canetti et al. [13] in 2003. Canetti et al.'s scheme was constructed from the hierarchical identitybased encryption scheme proposed by Gentry and Silverberg [21] and proven to be chosen-plaintext secure in the standard model. Based on the hierarchical identitybased encryption scheme proposed by Boneh et al. [9], Lu and Li [32] proposed an efficient forward-secure public key encryption scheme with chosen-plaintext security in the standard model. Recently, Lu and Li [34] proposed an efficient forward-secure public key encryption scheme that achieves chosen-ciphertext security in the standard model.
The first forward-secure encryption scheme in the identity-based setting was proposed by Yao et al. [45]. In [45], Yao et al. constructed a forward-secure hierarchical identity-based encryption scheme by combining Canetti et al.'s forward-secure public key encryption scheme [13] with Gentry and Silverberg's hierarchical identitybased encryption scheme [21]. The biggest drawback of Yao et al.'s scheme lies in that any performance parameter has the poly-logarithmic complexity in terms of the total number of time periods. Therefore, Yao et al.'s scheme is inefficient for large values of the total number of the time periods. In addition, the security of Yao et al.'s scheme only holds in the random oracle model [6]. In [44], Yang et al. proposed a forward-secure public key encryption scheme with short public parameters. But, their scheme only satisfies the weaker chosen-plaintext security in the random oracle model and any other performance parameter in their scheme has the poly-logarithmic complexity in terms of the total number of time periods. In [47], Yu et al. proposed the first forward-secure identity-based encryption scheme without random oracles. Compared with the schemes in [44,45], Yu et al.'s scheme has shorter ciphertext and lower decryption cost as its ciphertext size and decryption time are both independent on the total number of time periods. However, Yu et al.'s scheme was only proven to be chosen-plaintext secure in the standard model. Recently, Lu and Li [33] proposed a generic construction of forward-secure identity-based encryption from binary tree encryption. In addition, Singh and Trichy [38] proposed a forward-secure identity-based encryption scheme from lattices which achieves chosen-plaintext security in the standard model. Singh and Trichy's scheme is quite inefficient because it encrypts the messages bit-by-bit and has huge ciphertext extension.
Motivated by the works on forward security, the notion of key insulation [5,19,23] was introduced into the identity-based setting as a mean of mitigating the harmful effects caused by private key exposure, e.g. [30,35,39,40,42,43]. Similar to the forward-secure paradigm, the key-insulated paradigm also applies some keyevolving approach to update the users' private keys so as to limit the effect of the private key exposure. Interestingly, this paradigm achieves a stronger security level compared with forward security, as it guarantees that the exposure of the private key at some periods does not compromise the security of all non-exposed time periods. However, the drawback of the key-insulated paradigm is that each user in a key-insulated cryptosystem must use a physically-secure device named helper to update his private key in each time period. Obviously, it makes key-insulated cryptosystems unable to be used in many circumstances.
Recently, the notion of intrusion-resilience [18,26] was also introduced into the identity-based setting [46,48] to fight against private key exposure. The intrusionresilient paradigm combines both the notions of forward security and key insulation. As in the key-insulated cryptosystems, the intrusion-resilient paradigm assumes that a user performs all cryptographic operations and interacts with a helper to refresh his private keys at discrete time intervals. The difference is that all the users and the helper should update their private keys periodically as in the forward-secure cryptosystems. Thus, an intrusion-resilient cryptosystem remains secure in the face of multiple compromises of both the user and the helper, as long as they are not both compromised simultaneously. Furthermore, in case the user and the helper are compromised simultaneously, prior time periods remain secure as in the forwardsecure cryptosystems.
1.1. Our motivation and contribution. Indistinguishable security against adaptive chosen-ciphertext attacks (i.e., chosen-ciphertext security) is the de facto level of security required for the public key cryptographic schemes used in practice. However, the previous forward-secure identity-based encryption schemes without random oracles [38,47] merely satisfy the weaker chosen-plaintext security. Although Yao et al.'s scheme [45] achieves chosen-ciphertext security, it's security only holds in the random oracle model. A proof in the random oracle model may not necessarily imply the security in the reality [12]. As shown by Canetti et al. in [12], when the random oracles are instantiated with the concrete cryptographic hash functions, the resulting cryptographic schemes may not be practically secure. Therefore, the search for forward-secure identity-based encryption schemes that can achieve chosen-ciphertext security without resorting to the random oracles is of great interesting and importance.
In this paper, we design a new forward-secure identity-based encryption scheme without random oracles. The construction of the proposed scheme is based on Gentry's identity-based encryption scheme [20] and its variant [27]. We formally prove in the standard model that the proposed scheme is chosen-ciphertext secure under the truncated decision q-augmented bilinear Diffie-Hellman exponent assumption. In the proposed scheme, the running time of key extraction and decryption algorithms and the sizes of the user's initial private key and the ciphertext are independent on the total number of time periods, and any other performance parameter has at most log-squared complexity in terms of the total number of time periods. Compared with the previous forward-secure identity-based encryption schemes, our scheme enjoys obvious advantage in the overall performance while achieving direct chosen-ciphertext security in the standard model.

1.2.
Paper organization. The rest of this paper is organized as follows. Some related definitions are briefly reviewed in Section 2. The proposed forward-secure identity-based encryption scheme is presented in Section 3. The security and performance of the proposed scheme are analyzed in Section 4 and 5 respectively. Finally, conclusions are given in Section 6.

Preliminaries
In this section, we briefly review some preliminaries that are related to our paper.
2.1. Bilinear map and computational assumption. Let k be a security parameter and p be a k-bit prime number, G and G T denote two multiplicative cyclic groups of the same order p respectively. A mapping e: G × G → G T is called an admissible bilinear map if it satisfies the following three properties: -Bilinearity: e(u a , v b ) = e(u, v) ab for all u, v ∈ G and a, b ∈ Z * p . -Non-degeneracy: e(g, g) = 1 G T for a random generator g ∈ G.
-Computability: e(u, v) can be efficiently computed for all u, v ∈ G. The security of our forward-secure identity-based encryption scheme is based on the following truncated decision q-augmented bilinear Diffie-Hellman exponent (q-ABDHE) assumption proposed by Gentry in [11].
Let B be a probabilistic polynomial-time (PPT) algorithm that takes as input a random truncated decision q-ABDHE problem instance and outputs a bit b ∈ {0, 1}. The algorithm B has advantage in solving the truncated decision q-ABDHE problem if where the probability is over the random choice of generators g, g ∈ G, the random choice of the element Z ∈ G T , the random choice of the value α ∈ Z * p , and the random bits consumed by the algorithm B.
Definition 2.1. We say that the truncated decision (t, , q)-ABDHE assumption holds in (G, G T ) if no t-time algorithm has advantage at least in solving the truncated decision q-ABDHE problem in (G, G T ).

2.2.
Forward-secure identity-based encryption. Formally, a forward-secure identity-based encryption scheme is specified by a 5-tuple of algorithms (Setup, KeyExtract, KeyUpdate, Encrypt, Decrypt) such that: (1) Setup is the system setup algorithm that takes a security parameter k and the total number of time periods T as input, and outputs a master secret key msk and a list of public parameters params. Usually, this algorithm is performed by a PKG. After the algorithm is performed, the PKG keeps the master secret key msk secret and publishes the public parameters params to the public.
(2) KeyExtract is the key extraction algorithm that takes params, msk and an identity ID as input, and outputs an initial private key SK φ ID for the user with identity ID. This algorithm is also performed by a PKG. After the algorithm is performed, the PKG sends SK φ ID to the user with identity ID via a secure channel. (3) KeyUpdate is the key update algorithm that takes params, the index i ∈ [0, N ] of the current time period, a user's identity ID and private key SK i−1 ID in the time period i − 1 as input, and outputs a private key SK i ID in the time period i for that user. Specially, when i = 0, SK i−1 ID = SK φ ID . This algorithm is performed by each user. After the algorithm is performed, the former private key SK i−1 ID is deleted.
(4) Encrypt is the encryption algorithm that takes params, the index i ∈ [0, N ] of the current time period, the receiver's identity ID and a message M as input, and outputs a ciphertext C in the time period i. For simplicity, we represent a ciphertext C in the time period i as a pair i, C and write i, C ← Encrypt(params, i, ID, M ).
(5) Decrypt is the decryption algorithm that takes params, the receiver's current private key SK i ID and a ciphertext i, C as input, and outputs a message M or a special symbol ⊥ if the ciphertext is invalid.
For correctness, it is required that, for any message M , if i, C ←Encrypt (params, i, ID, M ), then M = Decrypt(params, SK i ID , i, C ). As introduced in [45], the chosen-ciphertext security for forward-secure identitybased encryption schemes (fs-ID-CCA2) is defined via an adversarial game, in which a game challenger/simulator S interacts with an adversary A in the following way: Setup. The challenger S runs the system setup algorithm Setup(k, T ) to generate a master secret key msk and a list of public system parameters params. It then sends params to the adversary A and keeps msk to itself. Phase 1. In this phase, the adversary A adaptively makes a series of key extraction queries and decryption queries and the challenger S responds as follows: -KeyExtract(ID, i): When receiving a key extraction query on (ID, i), the challenger S first performs the key extraction algorithm KeyExtract to generate an initial private key SK φ ID for the identity ID, and then runs the key update algorithm KeyUpdate recursively to derive a private key SK i ID for the time period i. The adversary A is responded with the key SK i ID . -Decrypt(ID, i, C ): When receiving a decryption query on (ID, i, C ), the challenger S first generates a private key SK i ID as above, and then performs the algorithm Decrypt to decrypt the ciphertext i, C . The adversary A is responded with the result of decryption. Challenge. Once the adversary A decides that Phase 1 is over, it outputs an identity ID * , a time period i * and two length-equal plaintexts M 0 and M 1 on which it wishes to be challenged. The constraint is that no key extraction query has been issued on (

and then outputs
i * , C * as the challenge ciphertext to the adversary A. Phase 2. In this phase, the adversary A issues more key extraction queries and decryption queries. The constraint is that: (1) no key extraction query can be issued on (ID * , j), where j ∈ [0, i * ]; (2) no decryption query can be issued on (ID * , i * , C * ). The challenger S responds the adversary A's queries as in Phase 1.
Guess. Finally, the adversary A outputs a guess b ∈ {0, 1} for the bit b and wins the game if b = b . The adversary A's advantage in the above game is defined to be Adv We call an adversary in the above game an fs-ID-CCA2 adversary.
Definition 2.2. A forward-secure identity-based encryption scheme is said to be (t, q E , q D , ) -fs-ID-CCA2 secure if for any t-time fs-ID-CCA2 adversary that makes at most q E key extraction queries and q D decryption queries has advantage at most in the above game.
Similarly, the chosen-plaintext security (fs-ID-CPA) can be defined for forwardsecure identity-based encryption schemes if the adversary is disallowed to make any decryption queries in the above game. The concrete definition can be found in [47].

The proposed scheme
In this section, we propose a new forward-secure identity-based encryption scheme without random oracles. We first give an overview of the key-evolving mechanism in our scheme. Then, we propose the detailed construction.
3.1. Overview. Like the previous forward-secure identity-based encryption schemes [44,45,47], we use the full binary tree structure to update the users' private keys. In [44,45,47], all the time periods are associated with the leaf nodes of a full binary tree. Thus, to produce a forward-secure identity-based encryption scheme with T time periods, a full binary tree with level log 2 T should be used. Inspired by the key-evolving mechanism proposed by Canetti et al. in [14], we associate the time periods with all non-root nodes of the binary tree rather than with the leaf nodes only. Note that, in Canetti et al.'s original proposal [14], the time periods are associated with all nodes of the binary tree. Such minor modification in our construction enables us to generate a short initial private key with constant length for each user, which consists of only four elements. We note that the user's initial private key consists of O(log 2 T ) elements in [44,45] and O(log 2 2 T ) elements in [47]. Therefore, our scheme needs a lower communication bandwidth to send the initial private key from the PKG to each user. Moreover, to produce a cryptosystem with same T time periods, our scheme only needs a full binary tree with level l = log 2 (T + 2) − 1 which is less than the level log 2 T in [44,45,47].
We label each node of the binary tree with a binary string. The root node is labelled with an empty string ε and if an internal node is labelled with a binary string ω, then its left child and right child are labelled with ω0 and ω1 respectively. Let ω i denote the node associated with the time period i. We associate the time periods with all non-root nodes of a full binary tree in a pre-order style as follows: -ω 0 = 0 is the left child of the root node; -If ω i is an internal node, then ω i+1 = ω i 0; -If ω i is a leaf node, then ω i+1 = ω 1, where ω is a binary string such that ω 0 is equal to ω i or the longest prefix of ω i .  In the binary tree, each node has a secret key. We denote the secret key of a node labelled with ω by sk ω . In our construction, the secret key of a node at level d is a vector (a 0 , a 1 , a 2 , a 3 , a 4 , b d+1 , . . . , b l ) of 5 + l − d elements and the private key of a user in a time period i is a set of node secret keys. If let ω i denote the node associated with the time period i, then a user's private key in the time period i is composed of the secret key of the node ω i and all secret keys of the right siblings of the nodes on the path from the root to the node ω i . FIGURE 2 gives a concrete example to show which node secret keys are included in the private key of a user with identity ID in each time period i(0 ≤ i ≤ 13). For simplicity of description, we represent a private key of a user as a stack of node keys. The secret key of the node ω i is on top of the stack and the following are the secret keys of the right siblings of the nodes on the path from the node ω i to the root in the binary tree.

3.2.
Description of the proposed scheme. The construction of our scheme is based on Gentry's identity-based encryption scheme [20] and its variant [27]. We assume that the identities in our scheme are elements of Z * p . Of course, we can extend our scheme to identities over {0, 1} * by first hashing them into the elements of Z * p using a collision-resistant hash function. The details of our scheme is described as follows: (1) Setup(k, T ): This algorithm performs as follows: Generate two cyclic groups G and G T of some prime order p and an admissible bilinear map e : G × G → G T ; Randomly choose three generators g, h 1 , h 2 ∈ G and a random value α ∈ Z * p , compute g 1 = g α ; Randomly choose two l-length vectors − → U = (u 1 , u 2 , . . . , u l ) ∈ G l , − → V = (v 1 , v 2 , . . . , v l ) ∈ G l ; Choose a collision-resistant hash function H : G × G T × G → Z * p ; Set the public system parameters params = {T, p, G, G T , e, g, g 1 , h 1 , h 2 , − → U , − → V , H} and the master secret key msk = α.
(2) KeyExtract(params, msk, ID): This algorithm randomly chooses two random values β 1 , β 2 ∈ Z * p and generates an initial private key for a user with identity ID as  (a 0 , a 1 , a 2 , a 3 , a 4 , b 2 , . . . , b l ) where z j = u −ID j v j for j = 1, 2, . . . , l. Push sk 1 and then sk 0 onto the stack. Then, the node keys in the stack compose the user's private key SK 0 ID in the time period 0, namely that SK 0 ID = (sk 0 , sk 1 ). Otherwise, let ω i−1 = ω 1 ω 2 . . . ω d ∈ {0, 1} d≤l be the node associated with the time period i − 1 and sk ω i−1 be the node key associated with the node ω i−1 . Pop sk ω i−1 off the stack, in which the user's private key SK i−1 ID is stored. -If ω i−1 is a leaf node, set the remaining node keys in the stack as the user ID's private key SK i ID in the time period i. It is easy to see that the node key on the top of the stack is sk ω i after sk ω i−1 is popped off.
-Else if ω i−1 is an internal node, choose a random value s ∈ Z * p , parse the node key sk ω i−1 as . . , z r l , and respectively compute two node keys sk ω1...ω d 0 (sk ω i−1 0 ) and sk ω1.
where ω d+1 = 0 or 1 and r = r + s. Push sk ω1...ω d 1 and then sk ω1...ω d 0 onto the stack. Now, the node keys in the stack compose the user's private key SK i ID in the time period i.  = (a 0 , a 1 , a 2 , a 3 , a 4 , b d+1 , . . . , b l ) and decrypt the ciphertext to get the message The correctness of the proposed scheme can be verified as follows:

Security proof
The security of the proposed scheme can be proved by the following theorem.
Theorem 4.1. Let q = (q E + q D ) · l + 1. Assume that the truncated decision (t, , q) -ABDHE assumption holds in the group (G, G T ). Then, the above forwardsecure identity-based encryption scheme is (t , , q E , q D ) -fs-ID-CCA2 secure for t ≥ t − O(t exp · q 2 · l), where t exp is the time required to compute an exponentiation in the group G.
Proof. Let A be a (t , , q E , q D ) -fs-ID-CCA2 adversary against our forward-secure identity-based encryption scheme. We show how to construct a PPT algorithm B to solve the truncated decision q-ABDHE problem in (G, G T ) with advantage at least and in time at most t + O(t exp · q 2 · l). Assume that the algorithm B is given a random truncated decision q-ABDHE problem instance (G, G T , p, g , g α q+2 , g, g α , . . . , g α q , Z), where Z is either e(g, g ) α q+1 or a random element of G T . The goal of the algorithm B is to decide whether Z = e(g, g ) α q+1 . To do so, the algorithm B interacts with the adversary A as follows: Setup. The algorithm B first generates two random polynomial functions f 1 (x), f 2 (x) ∈ Z p [x] of degree q. It then sets g 1 = g α , computes h 1 = g f1(α) and h 2 = g f2(α) respectively. Clearly, h 1 and h 2 can be completely computed from the tuple (g, g α , . . . , g α q ) which is known to the algorithm B. It further chooses 2l random values r 1 , . . . , r l , s 1 , . . . , s l ∈ Z * p , computes u i = g ri and v i = g si 1 for i = 1, . . . , l, and sets − → U = (u 1 , u 2 , . . . , u l ), − → V = (v 1 , v 2 , . . . , v l ). Let T be the total number of the time periods and H be a collision-resistant hash function H : G × G T × G → Z * p . The algorithm B outputs params = {T, p, G, G T , e, g, g 1 , h 1 , h 2 , − → U , − → V , H} to the adversary A as the public system parameters.
To answer the adversary A's queries, the algorithm B uses the following subalgorithm NodeKeyExtract to extract the node keys in the binary tree that is used to update the users' private keys.
NodeKeyExtract(params, ID, ω): Let ω ∈ {0, 1} d≤l . This algorithm generates a secret node key sk ω for the node ω as follows: (1) Parse ω = ω 1 ω 2 . . . ω d ; (2) Choose a random value r ∈ Z * p and compute a 1 , a 2 , a 3 , a 4 , b d+1 , . . . , b l ). It is easy to see that g F ID,1 (α) and g F ID,2 (α) can be computed from the tuple (g, g α , . . . , g α q−1 ) which is known to the algorithm B and sk ω is a valid secret node key for the node ω as Phase 1. In this phase, the adversary A adaptively makes a series of key extraction queries and decryption queries and the algorithm B responds as follows: -KeyExtract(ID, i): When receiving a key extraction query on (ID, i), let ω i denote the node associated with the time period i, the algorithm B generates the user's private key SK i ID in the time period i by performing the subalgorithm NodeKeyExtract recursively to extract the secret node keys of the node ω i and all right siblings of the nodes on the path from the root to the node ω i . It then outputs the resulting private key SK i ID to the adversary A.
-Decrypt(ID, i, C ): When receiving a decryption query on (ID, i, C ), the algorithm B first generates the user's private key SK i ID in the time period i as above. It then performs the algorithm Decrypt to decrypt the ciphertext i, C and outputs the result to the adversary A.
Challenge. Once the adversary A decides that Phase 1 is over, it outputs (ID * , i * , M 0 , M 1 ) on which it wants to be challenged. Let ω * = ω * 1 ω * 2 . . . ω * n ∈ {0, 1} n≤l be the node associated with the time period i * and F * (x) = x q+2 −(ID * ) q+2 x−ID * = q+1 j=0 (F * j · x j ) be a polynomial function of degree q+1, where F * j is the coefficient of x j in the function F * (x). The algorithm B chooses a random bit b ∈ {0, 1} and computes c * . It then sets C * = (c * 1 , c * 2 , c * 3 , c * 4 ) and outputs i * , C * to the adversary A as the challenge ciphertext.
Phase 2. In this phase, the adversary A issues more key extraction and decryption queries and the algorithm B responds as in Phase 1.
Guess. Finally, the adversary A outputs a guess b ∈ {0, 1} for the bit b. If b = b , then the algorithm B outputs 1 meaning Z = e(g, g ) α q+1 . Otherwise, it outputs 0 meaning Z is a random element of G T .
Below, we analyze the advantage of the algorithm B in solving the given truncated decision q-ABDHE problem.
As for the running time, the algorithm B's overhead is dominated by performing sub-algorithm NodeKeyExtract in response to the adversary A's various queries. This sub-algorithm requires computing O(q · l) exponentiations in the group G to generate a node secret key. From the above simulation, the algorithm B performs this sub-algorithm at most q − 1 = (q E + q D ) · l times. Therefore, we have that the time complexity of the algorithm B is bounded by t + O(t exp · q 2 · l).
This completes the proof.

Comparison analysis
To evaluate the performance of the proposed scheme, we compare it with the forward-secure identity-based encryption schemes [45,47] in terms of security, storage cost, computation cost (including key extraction time, key update time, encryption time and decryption time) and communication cost (including public parameters size, initial private key size and ciphertext size). For ease of comparison, we assume that l = log 2 (T + 2) − 1 and l = log 2 T , where T is the total number of the time periods. 5.1. Security. As shown in TABLE 1, Yu et al.'s scheme [47] can only achieve the weaker fs-ID-CPA security in the standard model; Yao et al.'s scheme [45] achieves the fs-ID-CCA2 security, but in the random oracle model. To our knowledge, our scheme is the first forward-secure identity-based encryption scheme that achieves the fs-ID-CCA2 security directly in the standard model. Therefore, it can provide stronger security guarantee for the practical applications.  [47], a user's private key is composed of at most l + 1 node secret keys and each node secret key includes at most l + 2 elements, thus the private key size is at most O(l 2 ) bits. In our scheme, a user's private key is composed of at most l + 1 node secret keys and each node secret key includes at most l + 4 elements, thus the private key size is at most O(l 2 ) bits. The storage cost of our scheme is higher than that of Yao et al.'s scheme, but is lower than that of Yu et al.'s scheme.

Communication cost.
In our scheme, the public parameters include 2l + 4 elements in G, therefore, the public parameters size is O(l) bits. The user's initial private key consists of two elements in G and two elements in Z * p . So, the initial private key size is O(1) bits. The ciphertext is composed of two elements in G and two elements in G T . So, the ciphertext size is O(1) bits. As shown in TABLE 4, the sizes of the public parameters, the initial private key and the ciphertext are O(l ), O(l ) and O(l ) bits respectively in Yao et al.'s scheme [45] and O(l ), O(l 2 ) and O(1) bits respectively in Yu et al.'s scheme [47]. Obviously, our scheme has lower communication cost because the sizes of initial private key and ciphertext are both independent on the total number of time periods T .

Conclusions
We have presented a new forward-secure identity-based encryption scheme without random oracles. To the best of our knowledge, our scheme is the first forwardsecure identity-based encryption scheme that achieves direct chosen-ciphertext security in the standard model. We have proved that the proposed scheme is fs-ID-CCA2 secure under the truncated decision q-ABDHE assumption. In the proposed scheme, the time of key extraction and decryption algorithms and the sizes of initial private key and ciphertext are independent on the total number of time periods T and any other performance parameter has at most log-squared complexity in terms of T . Compared with previous forward-secure identity-based encryption schemes, our scheme has obvious advantage in the overall performance.
As the previous forward-secure identity-based encryption schemes, the total number of time periods in our scheme is bounded and known at the time of the system setup. However, in some environments where the number of time periods is very large, a scheme with bounded time periods may be inefficient as its performance depends on the number of time periods. Therefore, the construction of forwardsecure identity-based encryption schemes that can support unbounded number of time periods becomes an interesting topic in our future work.