conditional identity-based broadcast proxy re-encryption ...€¦ · conditional identity-based...

0018-9340 (c) 2015 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TC.2015.2417544, IEEE Transactions on Computers

1

Conditional Identity-based Broadcast ProxyRe-Encryption and Its Application to Cloud Email

Peng Xu, Member, IEEE , Tengfei Jiao, Qianhong Wu, Member, IEEE ,Wei Wang, Member, IEEE ,Hai Jin, Senior Member, IEEE

Abstract—Recently, a number of extended Proxy Re-Encryptions (PRE), e.g. Conditional (CPRE), Identity-Based PRE (IPRE) andBroadcast PRE (BPRE), have been proposed for flexible applications. By incorporating CPRE, IPRE and BPRE, this paper proposesa verstatile primitive referred to as Conditional Identity-based Broadcast PRE (CIBPRE) and formalizes its semantic security. CIBPREallows a sender to encrypt a message to multiple receivers by specifying these receivers’ identities, and the sender can delegate are-encryption key to a proxy so that he can convert the initial ciphertext into a new one to a new set of intended receivers. Moreover,the re-encryption key can be associated with a condition such that only the matching ciphertexts can be re-encrypted, which allows theoriginal sender to enforce access control over his remote ciphertexts in a fine-grained manner. We propose an efficient CIBPRE schemewith provable security. In the instantiated scheme, the initial ciphertext, the re-encrypted ciphertext and the re-encryption key are allin constant size, and the parameters to generate a re-encryption key is independent of the original receivers of any initial ciphertext.Finally, we show an application of our CIBPRE to secure cloud email system advantageous over existing secure email systems basedon Pretty Good Privacy protocol or Identity-Based Encryption.

Index Terms—Proxy Re-Encryption, Cloud Storage, Identity-based Encryption, Broadcast Encryption, Secure Cloud Email

F

1 INTRODUCTION

P Roxy Re-Encryption (PRE) [1] provides a secure andflexible method for a sender to store and share data.

A user may encrypt his file with his own public key andthen store the ciphertext in an honest-but-curious server.When the receiver is decided, the sender can delegatea re-encryption key associated with the receiver to theserver as a proxy. Then the proxy re-encrypts the initialciphertext to the intended receiver. Finally, the receivercan decrypt the resulting ciphertext with her private key.The security of PRE usually assures that (1) neither theserver/proxy nor non-intended receivers can learn anyuseful information about the (re-)encrypted file, and (2)before receiving the re-encryption key, the proxy can notre-encrypt the initial ciphertext in a meaningful way.

Efforts have been made to equip PRE with versatile ca-pabilities. The early PRE was proposed in the traditionalpublic-key infrastructure setting which incurs compli-cated certificate management [2]. To relieve from thisproblem, several Identity-based PRE (IPRE) schemes [3],

• P. Xu, T. Jiao and H. Jin are with Services Computing Technology andSystem Lab, Cluster and Grid Computing Lab, School of Computer Scienceand Technology, Huazhong University of Science and Technology, Wuhan,430074, China. P. Xu is also with the State Key Laboratory of IntegratedServices Networks, Xidian University, Xi’an, China. E-Mail: {xupeng,M201272784, hjin}@mail.hust.edu.cn.

• Q. Wu is with the School of Electronics and Information Engineering,Beihang Univerisity, Beijing, 100191, China and the State Key Laboratoryof Information Security, Institute of Information Engineering, ChineseAcademy of Sciences, Beijing 100093, China. E-mail: [email protected].

• W. Wang is with Embedded and Pervasive Computing Lab, School ofComputer Science and Technology, Huazhong University of Science andTechnology, Wuhan, 430074, China. E-Mail: [email protected].

[4], [5], [6], [7], [8] were proposed so that the receivers’recognizable identities can serve as public keys. Insteadof fetching and verifying the receivers’ certificates, thesender and the proxy just need to know the receivers’identities, which is more convenient in practice.

PRE and IPRE allows a single receiver. If there aremore receivers, the system needs to invoke PRE or IPREmultiple times. To address this issue, the concept ofBroadcast PRE (BPRE) has been proposed [9]. BPREworks in a similar way as PRE and IPRE but moreversatile. In contrast, BPRE allows a sender to generatean initial ciphertext to a receiver set, instead of a singlereceiver. Further, the sender can delegate a re-encryptionkey associated with another receiver set so that the proxycan re-encrypt to.

The above PRE schemes only allows the re-encryptionprocedure is executed in an all-or-nothing manner. Theproxy can either re-encrypt all the initial ciphertexts ornone of them. This coarse-gained control over cipher-texts to be re-encrypted may limit the application ofPRE systems. To fill this gap, a refined concept referredto as Conditional PRE (CPRE) has been proposed. InCPRE schemes [6], [7], [8], [9], [10], [11], [12], [13], asender can enforce fine-grained re-encryption controlover his initial ciphertexts. The sender achieves this goalby associating a condition with a re-encryption key. Onlythe ciphertexts meeting the specified condition can bere-encrypted by the proxy holding the corresponding re-encryption key.

A recent conditional proxy broadcast re-encryptionscheme [14] allows the senders to control the time to re-encrypt their initial ciphertexts. When a sender generatesa re-encryption key to re-encrypt an initial ciphertext, the



sender needs to take the original receivers’ identities ofthe initial ciphertext as input. In practice, it means thatthe sender must locally remember the receivers’ identi-ties of all initial ciphertexts. This requirement makes thisscheme constrained for the memory-limited or mobilesenders and efficient only for special applications.

1.1 Our Contribution

In this paper, we refine PRE by incorporating the ad-vantages of IPRE, CPRE and BPRE for more flexibleapplications and propose a new concept of ConditionalIdentity-based Broadcast PRE (CIBPRE). In a CIBPREsystem, a trusted Key Generation Center (KGC) ini-tializes the system parameters of CIBPRE, and gener-ates private keys for users. To securely share files tomultiple receivers, a sender can encrypt the files withthe receivers’ identities and file-sharing conditions. Iflater the sender would also like to share some filesassociated with the same condition with other receivers,the sender can delegate a re-encryption key labeledwith the condition to the proxy, and the parameters togenerate the re-encryption key is independent of theoriginal receivers of these files. Then the proxy can re-encrypt the initial ciphertexts matching the condition tothe resulting receiver set. With CIBPRE, in addition tothe initial authorized receivers who can access the fileby decrypting the initial ciphertext with their privatekeys, the newly authorized receivers can also access thefile by decrypting the re-encrypted ciphertext with theirprivate keys. Note that the initial ciphertexts may bestored remotely while keeping secret. The sender doesnot need to download and re-encrypt repetitively, butdelegates a single key matching condition to the proxy.These features make CIBPRE a versatile tool to secureremotely stored files, especially when there are differentreceivers to share the files as time passes.

We define a practical security notion for CIBPREsystems. Intuitively, without the corresponding privatekeys, one can learn nothing about the plaintext hiddenin the initial or re-encrypted CIBPRE ciphertext; an initialciphertext can not be correctly re-encrypted by a re-encryption key if the ciphertext and the key are associ-ated with different conditions. We formally define thesesecurity requirements via the standard indistinguisha-bility under selective-ID and Chosen Plaintext Attack(IND-sID-CPA). We model the adversarial deploymentenvironment via a game between a challenger and anattacker trying to break a CIBPRE scheme. Both the chal-lenger and the attacker are modeled as ProbabilisticallyPolynomial Time (PPT) algorithms. If the attacker hasonly negligible advantage to win in this game, then theCIBPRE scheme is IND-sID-CPA secure.

We propose an efficient CIBPRE that is provably se-cure in the above adversary model. We prove that theIND-sID-CPA security of the proposed CIBPRE schemeif the underlying identity-based broadcast encryption(IBBE) scheme is secure and the Decisional Bilinear

Diffie-Hellman (DBDH) assumption holds. Our pro-posed CIBPRE scheme enjoys constant-size initial andre-encrypted ciphertexts, and eliminates the constraintsof the recent work in [14].

1.2 Cloud Email System: A Promising ApplicationCloud email system allows an enterprise to rent thecloud SaaS service to build an email system. It is muchcheaper and scalable than traditional on-premises so-lution. In 2014, the Radicati Group [17] showed theworldwide revenue forecast for Cloud Business Email,from 2014 to 2018. Fig. 1 shows that the Cloud BusinessEmail market is expected to generate nearly 17 billionby 2018.

$6,320

$8,532

$11,689

$14,143

$16,972

$-

$2,000

$4,000

$6,000

$8,000

$10,000

$12,000

$14,000

$16,000

$18,000

2014 2015 2016 2017 2018

Fig. 1. The worldwide revenue forecast for Cloud Busi-ness Email (unit: Million) [17].

In 2012, the Proofpoint Group [18] used an economicmodel that estimates opportunities for quantifiable costsavings of cloud email system compared with tradi-tional on-premises email system. The Proofpoint modelcalculates expenses for both systems at the time ofacquisition as well as over a four-year period, such assoftware licensing costs, hardware and storage costs, ser-vice expenses, operational expenses. Table 1 summarizessavings using the economic model. Note that NAS (Net-work Attached Storage) and CAS (Content-addressablestorage) in this table are two different technologies whichare usually applied in many storage systems.

TABLE 1Cloud-based archiving vs. on-premises archiving [18].

Number of

Users

Storage

Technology

On-Premises Costs,

Including Labor

SaaS Costs,

Including Labor

Total Cost Savings

Through Proofpoint SaaS

5,000 NAS $2,108,300 $1,097,488 48%

10,000 CAS $23,259,600 $1,986,232 92%

20,000 CAS $45,829,200 $3,634,976 93%

30,000 CAS $69,357,200 $5,454,975 93%

Cloud email system is a promising and importantapplication due to its advantageous features. We buildan encrypted cloud email system with CIBPRE. It allowsa user to send an encrypted email to multiple receivers,store his encrypted emails in an email server, reviewhis history encrypted emails, forward his history en-crypted emails of the expected subject to multiple new

2



receivers. Moreover, the cost of an extra email headerto achieve this goal is the constant. Compared withexisting approaches such as Privacy Good Privacy (PGP)protocol [15] and Identity-Based Encryption (IBE) [16],our CIBPRE-based system is implementation-friendlyand more efficient in communication.

In PGP, a sender first verifies a receiver’s certificateand encrypts an email by the receiver’s public key;then the receiver decrypts the received email with hisprivate key. IBE avoids the certificate verification of PGP.Using IBE, a sender directly encrypts an email using areceiver’s email address. Though both PGP and IBE keepthe security of cloud email, their performances are lessthan CIBPRE. When a sender wants to send an encryptedemail to multiple receivers, the size of the ciphertext gen-erated by CIBPRE is constant. In contrast, both PGP andIBE cause the size linear with the number of receivers.When a sender wants to forward a historically encryptedemail to multiple receivers, CIBPRE only requires thesender to generate a re-encryption key (with constantsize) and send the key to cloud, and then the cloud re-encrypts the email and generates a constant size cipher-text for these receivers. In contrast, with PGP or IBE, thesender must fetch the historically encrypted email fromthe cloud and decrypt it, and then re-encrypt it againto these receivers one by one. Therefore, CIBPRE is verysuitable for building encrypted cloud email systems andour proposed CIBPRE scheme is more convenient thanPGP and IBE to keep the security of cloud email system.

1.3 Related Work

The first PRE scheme was proposed by Blaze, Bleumerand Strauss in [1]. Following this seminal work, a num-ber of PRE schemes [19], [20], [21], [22], [23], [24], [25]have been proposed in the traditional public key setting.These PRE schemes need certificates to prove the validityof public keys. A user has to verify the certificates beforeencrypting a plaintext.

In order to avoid the overhead to verify public keys’certificates, several IPRE schemes [3], [4], [5] have beenpresented by incorporating the idea of identity-basedencryption [16]. The scheme in [3] is proven secure inthe random oracle (RO) model in which a hash functionis assumed fully random. In contrast, the scheme in [4]is proven secure in the standard model. The scheme in[5] is proven secure in a stronger security sense, i.e.,indistinguishability against chosen-ciphertext attack inthe standard model.

The above PRE schemes only allow data sharing ina coarse-grained manner. That is, if the user delegatesa re-encryption key to the proxy, all ciphertexts canbe re-encrypted and then be accessible to the intendedusers; else none of the ciphertexts can be re-encrypted oraccessed by others. This issue is addressed in the recentCPRE schemes [6], [8], [9], [10], [11], [12], [13] allowingfine-grained data sharing. The schemes in [8], [12], [13]are proven secure against chosen-ciphertext attack. The

conditional identity-based PRE (CIPRE) schemes in [6],[7], [8] combines the underlying ideas of CPRE and IPRE.Similarly, the two conditional broadcast PRE (CBPRE)schemes in [9] combines the notions of CPRE and broad-cast encryption, and are secure against chosen-plaintextattacks and chosen-ciphertext attacks, respectively. Inaddition to fine-grained data sharing, an extra advantageof these CBPRE schemes is that it allows one to sharedata with multiple users in a more efficient way.

Several other optional properties have been achievedin recent PRE schemes. The PRE schemes in [13], [24],[25] are equipped with an extra property that the receiverof a ciphertext is anonymous. The schemes in [26], [27]achieve multi-use bidirectional re-encryption. A cipher-text can be re-encrypted multiple times. Moreover, a re-encryption key realizes the bidirectional share betweentwo users. Specifically, if Alice delegates a re-encryptionkey to a proxy for re-encrypting her ciphertexts to Bob.The re-encryption key can also enable to re-encryptBob’s ciphertexts to Alice. These two PRE schemes areprovably secure under the chosen-ciphertext attack re-spectively in the random oracle and standard models. Incontrast, the PRE scheme in [21] is multi-use unidirec-tional PRE schemes in which bidirectional re-encryptionis forbidden. The work in [28] defines a general notionfor PRE, which is called deterministic finite automata-based functional PRE (DFA-based FPRE), and proposesa concrete DFA-based FPRE system. The recent workin [29] proposes cloud-based revocable identity-basedproxy re-encryption that supports user revocation anddelegation of decryption rights.

1.4 OrganizationSection 2 reviews the IBBE scheme in [30] and its prov-able security. Section 3 defines the concept of CIBPREand its semantic security. Based on the IBBE scheme inSection 2, an instance of CIBPRE is proposed in Section4. Its semantic security is proved in Section 5. Section6 compares the performance of existing PRE schemes.Section 7 shows the CIBPRE-based cloud email systemand its advantages. Section 8 concludes this paper.

2 REVIEWING AN IBBE SCHEME

Our CIBPRE scheme exploits a known IBBE scheme,referred to as the D07 scheme, proposed by Delerableein [30]. The the D07 scheme is proven secure and hasthe short private keys and ciphertexts.

2.1 Bilinear MapOur constructions are built from bilinear maps reviewedbelow. Let G and GT be two multiplicative groups withprime order p, and let g be a generator of G. A bilinearmap is a function e : G × G → GT with followingproperties:• Bilinearity: for any (u, v) ∈ G2 and (a, b) ∈ Z∗ 2

p ,e(ua, vb) = e(u, v)ab holds.

3



• Non-degeneracy: e(g, g) is a generator of GT .• Computability: for any (u, v) ∈ G2, e(u, v) can be

efficiently computed.

2.2 D07 Scheme

The D07 scheme consists of algorithms SetupIBBE,ExtractIBBE, EncIBBE and DecIBBE. Let N ∈ N be themaximal size of receiver set for one IBBE encryption.These algorithms work as follows:• SetupIBBE(λ,N): Given a security parameter λ ∈ N

and N , this algorithm probabilistically constructsa bilinear map e : G × G → GT , where G andGT are two multiplicative group with prime or-der p and |p| = λ, randomly chooses two gener-ators (g, h) ∈ G2 and a value γ ∈ Z∗p, choosesa cryptographic hash function H : {0, 1}∗ →Z∗p, finally outputs a master public key PKIBBE =

(p,G,GT , e, w, v, h, hγ , . . . , hγN

,H) and a master se-cret key MKIBBE = (g, γ), where w = gγ andv = e(g, h).

• ExtractIBBE(MKIBBE, ID): Given MKIBBE and an iden-tity ID, this algorithm outputs the private keySKID

IBBE = g1

γ+H(ID) .• EncIBBE(PKIBBE,S,m): Given PKIBBE, a set S of some

identities (where |S| ≤ N ) and a plaintext m ∈ GT ,this algorithm randomly picks k ∈ Z∗p, and outputsan IBBE ciphertext C = (c1, c2, c3), where c1 = w−k,c2 = hk·

∏IDi∈S(γ+H(IDi)) and c3 = vk ·m.

• DecIBBE(PKIBBE, ID, SKIDIBBE , C,S): given PKIBBE, an

identity ID and its private key SKIDIBBE , an IBBE

ciphertext C = (c1, c2, c3), and a set S of someidentities (where |S| ≤ N ), this algorithm computes

K = (e(c1, h∆γ (ID,S)

) · e(SKIDIBBE, c2))

1∏IDi∈S

∧IDi 6=ID H(IDi)

with

∆γ(ID,S) = γ−1 · (

∏IDi∈S

∧IDi 6=ID(γ +H(IDi))−

∏IDi∈S

∧IDi 6=IDH(IDi))

and finally outputs a plaintext m =c3K .

In a typical implementation scenario of the D07scheme, there are a sender, a KGC and some receivers.The KGC runs algorithm SetupIBBE to generate a mas-ter public key PKIBBE and a master secret key MKIBBE,and then runs algorithm ExtractIBBE for each receiverto generate their private keys. To securely broadcast aplaintext to these receivers, the sender runs algorithmEncIBBE to generate an IBBE ciphertext and sends it tothese receivers. The consistency of the D07 scheme guar-antees that these receivers can decrypt out the plaintextby running algorithm DecIBBE. In addition, the provablesecurity of the D07 scheme, which will be introducedin the next subsection, guarantees that except for thesender, the KGA and these receivers, no one can learnsomething about the plaintext in practice. In the aspectof performance, since the generated IBBE ciphertext hasthe constant size, D07 scheme obtains the high efficiencyin communication cost.

2.3 The D07 scheme Security

[30] shown that the D07 scheme has ciphertexts indis-tinguishability against the selective identity and chosenplaintext attack (IND-sID-CPA). The IND-sID-CPA se-curity means that no PPT adversary can know whichone of two plaintexts is linked with an IBBE ciphertext,if the adversary does not know the private keys ofthe ciphertext’s receivers. The IND-sID-CPA security areformally defined as follows.

Definition 1 (IND-sID-CPA Security of IBBE): An IBBEscheme is IND-sID-CPA secure, if any PPT adversary Bhas a negligible advantage AdvIND-sID-CPA

IBBE, B to win in thefollowing game:• Initialization Phase: Adversary B chooses a set S∗

of challenge identities (with |S∗| ≤ N ) that he wantsto attack, and sends S∗ to challenger C.

• Setup Phase: Challenger C runs algorithm SetupIBBE

to generate a master public key PKIBBE and a mastersecret key MKIBBE, and sends PKIBBE to adversary B.

• Query Phase 1: Adversary B adaptively issues thefollowing query multi-times.

- Private Key Query QSKIBBE (ID): With the con-straint ID /∈ S∗, challenger C runs algorithmExtractIBBE(MKIBBE, ID) to generate the privatekey SKID

IBBE , and sends SKIDIBBE to adversary B.

• Challenge Phase: Adversary B gives two chal-lenge plaintexts (m0,m1) to challenger C. ChallengerC generates a challenge IBBE ciphertext C∗ ←EncIBBE(PKIBBE,S∗,mb) (where b is randomly chosenin {0, 1}), and sends C∗ to adversary B.

• Query Phase 2: Adversary B continuously issuesqueries as in Query Phase 1.

• Guess Phase: Adversary B outputs a guess b′ ∈{0, 1}. We say that adversary B wins if b′ = b. Andlet AdvIND-sID-CPA

IBBE, B = |Pr[b′ = b]− 12 | be the advantage

to win this game.Based on the General Decisional Diffie- Hellman Ex-

ponent (GDDHE) assumption [30], the D07 scheme isproven IND-sID-CPA secure in the RO model, as statedin the following lemma.

Lemma 1: Suppose the GDDHE assumption holds.The D07 scheme is IND-sID-CPA secure in the ROmodel.

3 DEFINING CIBPRE AND ITS SECURITY

A CIBPRE system consists of algorithms SetupPRE,ExtractPRE, EncPRE, RKExtractPRE, ReEncPRE, Dec-1PRE

and Dec-2PRE. In a typical implementation scenario of aCIBPRE system, a KGA runs algorithms SetupPRE andExtractPRE respectively to set up a CIBPRE scheme andgenerate users’ private keys according to their identities.A sender runs algorithm EncPRE to encrypt a plaintext,and generate an initial CIBPRE ciphertext which canbe decrypted by some intended receivers, and uploadsthe ciphertext to a server. Let S be the set of theseintended receivers. When a receiver in set S is online,

4



he retrieves the initial CIBPRE ciphertext from the serverand runs algorithm Dec-1PRE to decrypt out the plaintext.when a receiver in set S wants to share the plaintext toseveral new receivers (who are not in set S), he runsalgorithm RKExtractPRE to generate a re-encryption keyand delegate this key to a proxy. Let S ′ be the set ofthese new receivers. The proxy runs algorithm ReEncPRE

to re-encrypt the initial CIBPRE ciphertext and generatea re-encrypted CIBPRE ciphertext. When a receiver inset S ′ is online, he retrieves the re-encrypted CIBPREciphertext from the proxy and runs algorithm Dec-2PRE

to decrypt out the plaintext. The formal definition ofCIBPRE is as follows.

Definition 2 (CIBPRE): Let N ∈ N be the maximalsize of receiver set for one CIBPRE encryption or re-encryption. A CIBPRE scheme consists of following al-gorithms:

• SetupPRE(λ,N): Given a security parameter λ ∈ Nand value N , this algorithm outputs a master publickey PKPRE and a master secret key MKPRE.

• ExtractPRE(MKPRE, ID): Given MKPRE and an iden-tity ID, this algorithm outputs the private keySKID

PRE .• EncPRE(PKPRE,S,m, α): Given PKPRE, a set S of some

identities (where |S| ≤ N ), a plaintext m and a con-dition α, this algorithm outputs an initial CIBPREciphertext C.

• RKExtractPRE(PKPRE, ID, SKIDPRE ,S ′, α): Given

PKPRE, an identity ID and its private key SKIDPRE ,

a set S ′ of some identities (where |S ′| ≤ N ) and acondition α, this algorithm outputs a re-encryptionkey dID→S′|α.

• ReEncPRE(PKPRE, dID→S′|α, C,S): Given PKPRE, a re-encryption key dID→S′|α, an initial CIBPRE cipher-text C and a set S of some identities (where |S| ≤N ), this algorithm outputs a re-encrypted CIBPREciphertext C.

• Dec-1PRE(PKPRE, ID, SKIDPRE , C,S): Given PKPRE, an

identity ID and its private key SKIDPRE , an initial

CIBPRE ciphertext C, and a set S of some identities(where |S| ≤ N ), this algorithm outputs a plaintext.

• Dec-2PRE(PKPRE, ID, SKIDPRE , C,S ′): Given PKPRE, an

identity ID and its private key SKIDPRE , a re-

encrypted CIBPRE ciphertext C and a set S ′ of someidentities (where |S ′| ≤ N ), this algorithm outputsa plaintext.

As usual, a CIBPRE scheme must satisfy the followingconsistencies:

• For any initial CIBPRE ciphertext C ← EncPRE(PKPRE,S,m, α) and any private key SKID

PRE ←ExtractPRE(MKPRE, ID), if ID ∈ S, then algorithmDec-1PRE(PKPRE, ID, SK

IDPRE , C,S) always outputs the

plaintext m.• For any re-encrypted CIBPRE ciphertext C ←

ReEncPRE(PKPRE, dID→S′|α′ , C,S) and any privatekey SKID′

PRE ← ExtractPRE(MKPRE, ID′), where

dID→S′|α′ ← RKExtractPRE(PKPRE, SKIDPRE ,S ′, α′),

C ← EncPRE(PKPRE,S,m, α) and SKIDPRE ←

ExtractPRE(MKPRE, ID), if ID ∈ S∧α = α′∧

ID′ ∈ S ′, then algorithm Dec-2PRE(PKPRE, ID′,

SKID′PRE , C,S ′) always outputs the plaintext m.

The first consistency is straightforward. It means thatany initial CIBPRE ciphertext can be correctly decryptedby its intended receivers. The second consistency is asomewhat sophisticated. Its main idea is to define thatany correctly re-encrypted CIBPRE ciphertext can becorrectly decrypted by its intended receivers. Therefore,to define the second consistency, we must define what isa correctly re-encrypted CIBPRE ciphertext, and definewho can correctly decrypt the ciphertext.

For any re-encrypted CIBPRE ciphertext of an initialCIBPRE ciphertext by a re-encryption key, the secondconsistency defines that the re-encrypted CIBPRE cipher-text is correct, if the generator of the re-encryption keyis an intended receiver of the initial CIBPRE ciphertext,and the initial CIBPRE ciphertext and the re-encryptionkey has the same condition. Also it defines that the cor-rectly re-encrypted CIBPRE ciphertext can be correctlydecrypted by the receivers who are defined by the re-encryption key.

We next define the IND-sID-CPA security of CIBPRE.Roughly speaking, the security means that no PPTadversary can decide which one of two plaintexts isencrypted by an initial CIBPRE ciphertext, if he doesnot know the private keys of the intended receiversboth of the initial CIBPRE ciphertext and its re-encryptedCIBPRE ciphertexts. In other words, without the corre-sponding private keys, an initial CIBPRE ciphertext andits re-encrypted CIBPRE ciphertexts leak nothing abouttheir encrypted plaintext.

The IND-sID-CPA security of CIBPRE defines an at-tack game between a PPT adversary and a challenger.The attack game consists of several phases. In the ini-tialization phase, the adversary commits a set S∗ ofchallenge identities and a challenge condition α∗ thathe wants to attack. In the setup phase, the challengersets up a CIBPRE scheme. In the challenge phase, theadversary chooses two challenge plaintexts; the chal-lenger randomly chooses one of these two plaintexts,encrypts the chosen plaintext by the committed S∗ andα∗ to generate an initial CIBPRE ciphertext (it also is achallenge ciphertext in the attack game), and asks theadversary to decide which one of these two plaintexts isencrypted. Before and after the challenge phase, the ad-versary is allowed to query some identities’ private keysand re-encryption keys. It means that the adversary cancollude with some users in practice. But the adversarycan not query the private keys of the challenge identitiesin set S∗ and the private keys which can decrypt the re-encrypted CIBPRE ciphertext of the challenge ciphertext.If the adversary has no advantage to make a correctdecision, then we say that the CIBPRE scheme is IND-sID-CPA secure. The details are as follows:

Definition 3 (IND-sID-CPA Security of CIBPRE): Wesay that a CIBPRE scheme is IND-sID-CPA secure,

5



if any PPT adversary A has a negligible advantageAdvIND-sID-CPA

CIBPRE, A to win in the following game:

• Initialization Phase: Adversary A chooses a setS∗ of challenge identities (where |S∗| ≤ N ) and achallenge condition α∗ that he wants to attack, andsends S∗ and α∗ to challenger C.

• Setup Phase: Challenger C runs algorithmSetupPRE(λ,N) to generate a master public keyPKPRE and a master secret key MKPRE, and sendsPKPRE to adversary A.

• Query Phase 1: Adversary A can adaptively issuethe following two kinds of queries multi-times.

– Private Key Query QSKPRE (ID): With the con-straint ID /∈ S∗, challenger C runs algorithmExtractPRE(MKPRE, ID) to generate the privatekey SKID

PRE , and sends SKIDPRE to adversary A.

– Re-Encryption Key Query QRKPRE (ID,S ′, α): Withthe constraint that adversary A can not queryboth QRKPRE (ID,S ′, α∗) and QSKPRE (ID′) for any S ′,ID ∈ S∗ and ID′ ∈ S ′, challenger C runs algo-rithm ExtractPRE(MKPRE, ID) to generate iden-tity ID’s private key SKID

PRE , and then runs al-gorithm RKExtractPRE(PKPRE, ID, SK

IDPRE ,S ′, α)

to generate a re-encryption key dID→S′|α, finallysends dID→S′|α to adversary A.

• Challenge Phase: Adversary A gives two chal-lenge plaintexts (m0,m1) to challenger C. Chal-lenger C generates a challenge ciphertext C∗ ←EncPRE(PKPRE,S∗,mb, α

∗) (where b is randomly cho-sen in {0, 1}), and send C∗ to adversary A.

• Query Phase 2: Adversary A continuously issuesqueries as in Query Phase 1.

• Guess Phase: Adversary A outputs a guess b′ ∈{0, 1}. We say that adversary A wins if b′ = b.And let AdvIND-sID-CPA

CIBPRE, A = |Pr[b′ = b] − 12 | be the

advantage to win this game.

From above definitions, it is easy to see how thecapabilities “Identity-based” and “Broadcast” were de-fined in the concept of CIBPRE. The capability “Con-ditional” definition is sophisticated. We explain it withmore details. Note that both algorithms EncPRE andRKExtractPRE take a parameter of condition as one ofinputs respectively to generate an initial CIBPRE cipher-text and a re-encryption key. And one can arbitrarilychoose a specified condition in each running of thesetwo algorithms. Suppose an initial CIBPRE ciphertexthas the specified condition α, and a re-encryption keyhas the specified condition α′. The second consistencydefines that α = α′ is one of sufficient conditions tocorrectly re-encrypt the initial CIBPRE ciphertext by there-encryption key. In addition, the IND-sID-CPA securitydefined that if α 6= α′, the re-encryption key can notbe used to break the initial CIBPRE ciphertext. In otherwords, if α 6= α′, the re-encryption key can not be usedto correctly re-encrypt the initial CIBPRE ciphertext.

4 THE PROPOSED CIBPRE SCHEME

Referring to the concept of CIBPRE, roughly speaking,both the initial CIBPRE ciphertext and the re-encryptedCIBPRE ciphertext are the IBBE ciphertexts. But it isdifferent with an IBBE scheme that CIBPRE providesalgorithms to transform an IBBE ciphertext (correspond-ing to an initial CIBPRE ciphertext) into another IBBEciphertext (corresponding to an re-encrypted CIBPREciphertext). Moreover, the transformation is correct if itsatisfies the consistencies defined by CIBPRE. Therefore,in order to construct a CIBPRE scheme, we refers to theD07 scheme which was reviewed in Section 2. Comparedwith the D07 scheme, the proposed CIBPRE schemeassociates a D07 IBBE ciphertext with a new part to gen-erate an initial CIBPRE ciphertext. This new part will beused to realize the capability ”Conditional” of CIBPRE.In addition, it provides some new algorithms, which arerespectively to generate a re-encryption key, re-encryptan initial CIBPRE ciphertext and decrypt a re-encryptedCIBPRE ciphertext. The decryption of an initial CIBPREciphertext is the same with the D07 scheme.

The proposed CIBPRE scheme is as follows:• SetupPRE(λ,N): Given a security parameter λ ∈ N

and value N (the maximum number of receiversin each encryption), this algorithm probabilisticallyconstructs a bilinear map e : G × G → GT , whereG and GT are two multiplicative group with primeorder p (|p| = λ), randomly chooses (g, h, u, t) ∈ G4

and γ ∈ Z∗p, chooses two cryptographic hashfunctions H : {0, 1}∗ → Z∗p and H′ : GT → G,finally outputs a master public key PKPRE =

(p,G,GT , e, w, v, h, hγ , . . . , hγN

, u, uγ , . . . , uγN

, t, tγ ,

. . . , tγN

,H,H′) and a master secret keyMKPRE = (g, γ), where w = gγ and v = e(g, h).

• ExtractPRE(MKPRE, ID): Given MKPRE and an iden-tity ID, this algorithm outputs the private keySKID

PRE = g1

γ+H(ID) .• EncPRE(PKPRE,S,m, α): Given PKPRE, a set S of some

identities (where |S| ≤ N ), a plaintext m ∈ GT anda condition α ∈ Z∗p, this algorithm randomly picksk ∈ Z∗p, and outputs an initial CIBPRE ciphertextC = (c1, c2, c3, c4), where

c1 = w−k, c2 = hk·∏IDi∈S(γ+H(IDi)),

c3 = vk ·m, c4 = (u · tα)k·∏IDi∈S(

γ+H(IDi)

H(IDi))

• RKExtractPRE(PKPRE, ID, SKIDPRE ,S ′, α): Given

PKPRE, an identity ID and its private key SKIDPRE ,

a set S ′ of some identities (where |S ′| ≤ N ) and acondition α ∈ Z∗p, this algorithm randomly picks(k′, s) ∈ Z∗ 2

p , and outputs a re-encryption keydID→S′|α = (d1, d2, d3, d4), where

d1 = w−k′, d2 = hk

′·∏IDi∈S′ (γ+H(IDi)),

d3 = H′(vk′) · hs, d4 = SKIDPRE · (u · tα)

sH(ID)

• ReEncPRE(PKPRE, dID→S′|α, C,S): Given PKPRE, a re-encryption key dID→S′|α = (d1, d2, d3, d4), an ini-

6



tial CIBPRE ciphertext C = (c1, c2, c3, c4), and aset S of some identities (where |S| ≤ N ), thisalgorithm outputs a re-encrypted CIBPRE ciphertextC = (c1, c2, c3, c4, c5), where c1 = d1, c2 = d2,c3 = d3, c4 = c4 and

c5 = c3 · (e(c1, h∆γ (ID,S)) · e(d4, c2))

−1∏IDi∈S

∧IDi 6=ID H(IDi)

with

∆γ(ID,S) = γ−1 · (

∏IDi∈S


∏IDi∈S

∧IDi 6=IDH(IDi)).

• Dec-1PRE(PKPRE, ID, SKIDPRE , C,S): Given PKPRE, an identity ID and

its private key SKIDPRE , an initial CIBPRE ciphertext C = (c1, c2, c3, c4),

and a set S of some identities (where |S| ≤ N ), this algorithm computes

K = (e(c1, h∆γ (ID,S)

) · e(SKIDPRE , c2))

1∏IDi∈S

∧IDi 6=ID H(IDi)

with

∆γ(ID,S) = γ−1 · (

∏IDi∈S


∏IDi∈S

∧IDi 6=IDH(IDi))

and finally outputs plaintext m =c3K .

• Dec-2PRE(PKPRE, ID′, SKID′

PRE , C,S′): Given PKPRE, an identity ID′

and its private key SKID′PRE , a re-encrypted CIBPRE ciphertext C =

(c1, c2, c3, c4, c5), and a set S′ of some identities (where |S′| ≤ N ),this algorithm computes

K = (e(c1, h∆γ (ID′,S′)

)·e(SKID′PRE , c2))

1∏IDi∈S′

∧IDi 6=ID′

H(IDi)

with

∆γ(ID′,S′) = γ

−1 · (∏

IDi∈S′∧IDi 6=ID′(γ +H(IDi))−

∏IDi∈S′

∧IDi 6=ID′H(IDi)),

computes K′ =c3H′(K)

, and finally outputs plaintext m = c5 · e(K′, c4).

The consistency of the proposed CIBPRE scheme isguaranteed by the following Theorems 1 and 2, whichare respectively proved in Fig. 1 and 2.

Theorem 1: For any initial CIBPRE ciphertext C ←EncPRE(PKPRE,S,m, α) and any private key SKID

PRE ←ExtractPRE(MKPRE, ID), if ID ∈ S, then algorithmDec-1PRE(PKPRE, ID, SK

IDPRE , C,S) always outputs the

plaintext m.Theorem 2: For any re-encrypted CIBPRE ciphertext

C ← ReEncPRE(PKPRE, dID→S′|α′ , C,S) and any pri-vate key SKID′

PRE ← ExtractPRE(MKPRE, ID′), where

dID→S′|α′ ← RKExtractPRE(PKPRE, ID, SKIDPRE ,S ′, α′),

C ← EncPRE(PKPRE,S,m, α) and SKIDPRE ← ExtractPRE(

MKPRE, ID), if ID ∈ S∧α = α′∧ID′ ∈ S ′, then algo-

rithm Dec-2PRE(PKPRE, ID′, SKID′

PRE , C,S ′) always outputsthe plaintext m.

5 SECURITY PROOF

Before the security proof of the proposed CIBPREscheme, we first review the DBDH assumption. Thisassumption is very popular in the security proof ofcryptographic schemes. It has been used in many famouscryptographic schemes, e.g., [31], [32]. This assumptionalso will be used in our security proof. It is defined asfollows.

Definition 4 (The DBDH Assumption): Let G and GT betwo multiplicative groups with prime order p, and let gbe a generator of G. The DBDH problem on the bilinearmap e : G × G → GT is defined as the advantage of

any adversary A to distinguish the following two tuples(ga, gb, gc, e(g, g)abc) and (ga, gb, gc, e(g, g)r), where a, b,c and r are randomly chosen in Z∗q . Let AdvINDDBDH, A bethe advantage. We say that the DBDH assumption holds,if for any PPT adversary A the advantage AdvINDDBDH, Ais negligible.

In addition to the DBDH assumption, the security ofour proposed CIBPRE scheme also relies on the IND-sID-CPA security of the D07 scheme. In other words, theIND-sID-CPA security of the proposed CIBPRE schemewill be reduced to the DBDH assumption and the IND-sID-CPA security of the D07 scheme. Let ⊥ denote toabort an algorithm. The proof is as follows.

Theorem 3: Suppose that the DBDH assumption holds.Since the D07 scheme is IND-sID-CPA secure in the ROmodel, the proposed CIBPRE scheme is IND-sID-CPAsecure in the RO model.Proof. Suppose that there is an adversary A havingadvantage AdvIND-sID-CPA

CIBPRE, A to break the IND-sID-CPA se-curity of the proposed CIBPRE scheme. To prove this the-orem, we will construct an adversary B, who leveragesadversary A to break the IND-sID-CPA security of theD07 scheme with advantage AdvIND-sID-CPA

D07, B . Moreover,we will prove that AdvIND-sID-CPA

D07, B = AdvIND-sID-CPACIBPRE, A(1 −

T ·AdvINDDBDH, A − T ·AdvIND-sID-CPAD07, A ) holds, where value

T will be defined latterly.Let C be the challenger defined in D07’s IND-sID-CPA

security. Next, we will describe a game among adversaryA, adversary B and challenger C. In this game, challengerC tests adversary B’s ability in breaking D07’s IND-sID-CPA security; adversary B also serves as a challengerto test adversary A’s ability in breaking the IND-sID-CPA security of the proposed CIBPRE scheme. So in thisgame, adversary B aims to utilize adversary A’s abilityto break the IND-sID-CPA security of D07. The detailsof this game are as follows:• Initialization Phase: Adversary A chooses a setS∗ of challenge identities (where |S∗| ≤ N ) anda challenge condition α∗ that he wants to attack,and sends S∗and α∗ to adversary B, then adversaryB forwards set S∗ to challenger C. In addition,adversary B prepares the following two tables:

– LSK to store the identities which’s private keyshave been queried by adversary A.

– LRK with columns (Identity,ReceiverSet,Re-EncryptionKey,Condition) to store therelated information of the re-encryption keysqueried by adversary A.

• Setup Phase: This phase consists of two parts:firstly challenger C generates D07’s master publicand secret keys for adversary B; secondly adversaryB generates the proposed CIBPRE scheme’s mas-ter public key for adversary A. In this two parts,three hash functions are modeled as random oraclesrespectively by challenger C and adversary B. Soabove master public keys do not contain any hashfunction in this proof. The details are as follows:

7



For any initial CIBPRE ciphertext C ← EncPRE(PKPRE,S,m, α) and any private key SKIDPRE ← ExtractPRE(

MKPRE, ID), we have C = (c1, c2, c3, c4) and SKIDPRE = g

1γ+H(ID) without loss of generality, where c1 = w−k,

c2 = hk·∏IDi∈S(γ+H(IDi)), c3 = vk ·m and c4 = u

k·∏IDi∈S(γ+H(IDi)

H(IDi)).

We next prove Dec-1PRE(PKPRE, ID, SKIDPRE , C,S) = m if ID ∈ S. When ID ∈ S, we have

(e(c1, h∆γ(ID,S)) · e(SKID

PRE , c2))1∏

IDi∈S∧IDi 6=ID H(IDi)

= (e(g−k·γ , h∆γ(ID,S)) · e(g 1γ+H(ID) , hk·

∏IDi∈S(γ+H(IDi))))

1∏IDi∈S

∧IDi 6=ID H(IDi)

= (e(g−k·γ , h∆γ(ID,S)) · e(g, h)k·∏IDi∈S

∧IDi 6=ID(γ+H(IDi)))

1∏IDi∈S

∧IDi 6=ID H(IDi)

= (e(g, h)k·∏IDi∈S

∧IDi 6=IDH(IDi))

1∏IDi∈S

∧IDi 6=ID H(IDi) = vk

with∆γ(ID,S) = γ−1 · (

∏IDi∈S


∏IDi∈S

∧IDi 6=IDH(IDi))

Since m = c3vk

, we proved that Dec-1PRE(PKPRE, ID, SKIDPRE , C) = m if ID ∈ S.

Fig. 2. The proof of Theorem 1.

For dID→S′|α′ ← RKExtractPRE(PKPRE, ID, SKIDPRE ,S ′, α′), let dID→S′|α′ = (d1, d2, d3, d4) without loss of generality,

where d1 = w−k′, d2 = hk

′·∏IDi∈S′ (γ+H(IDi)), d3 = H′(vk′) · hs and d4 = SKIDPRE · (u · tα′) s

H(ID) . For C ←EncPRE(PKPRE,S,m, α), let C = (c1, c2, c3, c4) without loss of generality, where c1 = w−k, c2 = hk·

∏IDi∈S(γ+H(IDi)),

c3 = vk · m and c4 = (u · tα)k·∏IDi∈S(

γ+H(IDi)

H(IDi)). For C ← ReEncPRE(PKPRE, dID→S′|α′ , C,S), we have C =

(c1, c2, c3, c4, c5), where c1 = d1, c2 = d2, c3 = d3, c4 = c4, c5 = c3 · (e(c1, h∆γ(ID,S)) · e(d4, c2))−1∏


with∆γ(ID,S) = γ−1 · (

∏IDi∈S


∏IDi∈S

∧IDi 6=IDH(IDi))

We next prove Dec-2PRE(PKPRE, ID′, SKID′

PRE , C,S ′) = m if ID ∈ S∧α = α′∧ID′ ∈ S ′. If ID′ ∈ S ′, we have

K ′ = (e(c1, h∆γ(ID′,S′)) · e(SKID′

PRE , c2))1∏

IDi∈S′∧IDi 6=ID′

H(IDi) = vk′

with∆γ(ID′,S ′) = γ−1 · (

∏IDi∈S′

∧IDi 6=ID′(γ +H(IDi))−

∏IDi∈S′

∧IDi 6=ID′H(IDi))

If ID ∈ S∧α = α′, we have

c5 = c3 · (e(c1, h∆γ(ID,S)) · e(d1, c2))−1∏


= c3 · (e(c1, h∆γ(ID,S)) · e(SKIDPRE , c2) · e((u · tα)

sH(ID) , c2))

−1∏IDi∈S

∧IDi 6=ID H(IDi)

= c3 · v−k · e((u · tα)s

H(ID) , hk·∏IDi∈S(γ+H(IDi)))

−1∏IDi∈S

∧IDi 6=ID H(IDi) = m · e((u · tα), h)

−s·k·∏IDi∈S(γ+H(IDi)

H(IDi))

Since c3 = d3 = H′(vk′) · hs, we have hs = c3H′(K′) . Furthermore, we have

c5 · e(K ′, c4) = m · e((u · tα), h)−s·k·∏IDi∈S(

γ+H(IDi)

H(IDi)) · e(hs, (u · tα)

k·∏IDi∈S(γ+H(IDi)

H(IDi))) = m.

Consequently, we proved that Dec-2PRE(PKPRE, ID′, SKID′

PRE , C,S ′) = m if ID ∈ S∧α = α′∧ID′ ∈ S ′.

Fig. 3. The proof of Theorem 2.

– Challenger C runs D07’s algorithmSetupIBBE(λ,N) to generate a master publickey PKIBBE and a master secret key MKIBBE,where PKIBBE = (p,G,GT , e, w = gγ , v =

e(g, h), h, hγ , . . . , hγN

,H) and MKIBBE = (g, γ).Since the hash function H is modeled as arandom oracle in this proof, challenger Csends the reduced master public key PKIBBE =

(p,G,GT , e, w = gγ , v = e(g, h), h, hγ , . . . , hγN

)to adversary B. And challenger C provideshash query service QHIBBE(ID) for adversary B

and models the hash function H as a randomoracle. He prepares a table LH for QHIBBE(ID)with columns (Identity,HashV alue) to storethe queried identities and their responses.

– Adversary B randomly picks (x, y) ∈ Z∗ 2p , and

generates the proposed CIBPRE scheme’s mas-ter public key PKPRE = (PKIBBE, u, u

γ , . . . , uγN

, t,

tγ , . . . , tγN

,H,H′), where uγi

= hγi·x and tγ

i

=hγ

i·y for i ∈ [0, N ]. Since the hash func-tions H and H′ also are modeled as tworandom oracles in this proof, adversary B

8



sends the reduced master public key PKPRE =

(PKIBBE, u, uγ , . . . , uγ

N

, t, tγ , . . . , tγN

) to adver-sary A. And adversary B provides the hashquery services QHPRE(ID) and QH′PRE(Y ) (whereY ∈ GT ) for adversary A and models the hashfunctions H and H′ as two random oracles. In-deed,QHPRE(ID) is a copy ofQHIBBE(ID). Any queryof adversaryA toQHPRE(ID) will be forwarded byadversary B to challenger C, and any responsefrom challenger C also will be forwarded byadversary B to adversary A. In addition, ad-versary B prepares a table LH′ for QH′PRE withcolumns (GroupElement,HashV alue) to storethe queried group elements and their responses.

• Query Phase 1: Adversary B can issue hash queryQHIBBE(ID) and private key query QSKIBBE (ID) to chal-lenger C. Adversary A can issue hash queriesQHPRE(ID) and QH′PRE(Y ), private key query QSKPRE (ID),and re-encryption key query QRKPRE (ID,S ′, a) to ad-versary B. These queries work as follows:

– Hash Query QHIBBE(ID): To answer the query“ID”, if there is a tuple (ID,X ∈ Z∗p) ∈ LH ,challenger C responds X ; otherwise challengerC randomly chooses a value X ∈ Z∗p, adds tuple(ID,X) into table LH and responds X .

– Private Key Query QSKIBBE (ID): To answer thequery “ID”, if ID ∈ S∗, challenger C responds⊥; otherwise, challenger C responds SKID

IBBE =

g1

γ+QHIBBE(ID) .– Hash Query QHPRE(ID): To answer the query

“ID”, adversary B forwards the query toQHIBBE(ID), and returns the response of QHIBBE(ID).

– Hash Query QH′PRE(Y ∈ GT ): To answer the query“Y ”, if there is a tuple (Y,Z ∈ G) ∈ LH′ ,adversary B responds Z; otherwise adversaryB randomly chooses a value Z ∈ G, adds tuple(Y,Z) into table LH′ and responds Z.

– Private Key Query QSKPRE (ID): To answer thequery “ID”, if ID ∈ S∗, adversary B responds⊥; if there is a tuple (ID′,S ′, ∗, α∗) in table LRKhas ID′ ∈ S∗ and ID ∈ S ′, adversary B re-sponds ⊥; otherwise, adversary B forwards thequery to QSKIBBE (ID) and obtains SKID

IBBE , returnsSKID

PRE = SKIDIBBE and adds ID into table LSK .

– Re-Encryption Key Query QRKPRE (ID,S ′, α): Ad-versary A queries the re-encryption key fromthe identity ID to the identity set S ′ with thecondition α. To answer this query, if there isa tuple (ID,S ′, dID→S′|α, α) in table LRK , ad-versary B responds dID→S′|a to adversary A;otherwise, we have the following cases:

1) ID /∈ S∗: Adversary B queries QSKIBBE (ID)to get the private key SKID

IBBE , randomlychooses (k′, s) ∈ Z∗ 2

p , computes there-encryption key dID→S′|α = (w−k

′,

hk′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(v

k′) · hs, SKIDIBBE ·

(u · tα)s

QHPRE(ID) ), responds dID→S′|α to adver-sary A, and adds tuple (ID,S ′, dID→S′|α, α)into table LRK .

2) ID ∈ S∗, α = α∗ and S ′⋂LSK 6= ∅:Adversary B responds ⊥.

3) In the following three cases: a) ID ∈ S∗,α 6= α∗ and S ′⋂LSK 6= ∅; b) ID ∈ S∗, α 6=α∗ and S ′⋂LSK = ∅; c) ID ∈ S∗, α = α∗

and S ′⋂LSK = ∅. Adversary B randomlychooses d4 ∈ G and (k′, s) ∈ Z∗ 2

p , respondsthe re-encryption key dID→S′|α = (w−k

′,

hk′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(v

k′) · hs, d4) toadversary A, and adds tuple (ID,S ′,dID→S′|α, α) into table LRK .

• Challenge Phase: When adversary A decidesthat Query Phase 1 is over, he sends two chal-lenge messages (m0,m1) to adversary B. Adver-sary B forwards (m0,m1) to challenger C. Chal-lenger C generates the challenge ciphertext C∗IBBE ←EncIBBE(PKIBBE,S∗,mb) (where b is randomly chosenin {0, 1}), and sends C∗IBBE to adversary B. Accordingto the structure of the ciphertext C∗IBBE, let C∗IBBE =(c1, c2, c3). And without loss of generality, let c1 =

w−k, c2 = hk·∏IDi∈S∗ (γ+QHIBBE(IDi)) and c3 = vk ·mb.

Recall that in Setup Phase, adversary B randomlychose (x, y) ∈ Z∗ 2

p and set u = hx and t = hy .Adversary B can extend the ciphertext C∗IBBE to avalid initial CIBPRE ciphertext by computing c4 =

(cx2 · cy·α2 )ΠIDi∈S∗

1

QHPRE(IDi) . And let C∗PRE = (C∗IBBE, c4).The ciphertext C∗PRE is a valid challenge ciphertextwhich was defined in the IND-sID-CPA security ofCIBPRE, since we have QHIBBE = QHPRE and c4 = (cx2 ·

cy·α2 )ΠIDi∈S∗

1

QHPRE(IDi) = (u · tα)k·ΠIDi∈S∗ (

γ+QHIBBE(IDi)

QHPRE(IDi)).

Finally adversary B sends the challenge ciphertextC∗PRE to adversary A.

• Query phase 2: This phase is the same with QueryPhase 1.

• Guess Phase: When adversary A outputs a guessb′ ∈ {0, 1}, adversary B forwards b′ to challenger C.

We can find that adversary B successfully and effi-ciently simulates A’s view in attacking the IND-sID-CPAsecurity of the proposed CIBPRE scheme, except the re-encryption key query QRKPRE (ID,S ′, α) in the followingthree cases:

• Case 1: ID ∈ S∗, α 6= α∗ and S ′⋂LSK 6= ∅;• Case 2: ID ∈ S∗, α 6= α∗ and S ′⋂LSK = ∅;• Case 3: ID ∈ S∗, α = α∗ and S ′⋂LSK = ∅.

In other words, suppose the exception in above threecases never be found by adversary A. Then adversaryB successfully breaks the IND-sID-CPA security of D07scheme, if adversary A successfully breaks the IND-sID-CPA security of the proposed CIBPRE scheme. Next,we compute the probability of adversary A to find theexception.

9



In the exception, adversary B forges a re-encryptionkey dID→S′|α = (w−k

′, hk

′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(vk′) ·

hs, d4) by randomly choosing d4 ∈ G and (k′, s) ∈ Z∗ 2p .

Suppose adversary A totally queries QRKPRE T times.We next prove that the probability of adversary A tofind the exception is no more than T · (AdvINDDBDH, A +

AdvIND-sID-CPAD07, A ) by following the following two lemmas.

Let ADis(A,B) denote the event that adversary A candistinguish event A and event B.

Lemma 2: In Case 1, the probability of adversary Ato find the exception of dID→S′|α is no more thanAdvINDDBDH, A.Proof. Suppose adversary A can find the exception ofdID→S′|α in this case. In Case 1, since S ′⋂LSK 6=∅, adversary A can decrypt out hs, we have that

ADis(d4, SKIDIBBE · (u · tα)

s

QHPRE(ID) ) holds. Since adversaryA can computes h(γ+QHPRE(ID)), we have

ADis(d4, SKIDIBBE · (u · tα)

s

QHPRE(ID) ) holds

⇒ ADis(e(d4, h(γ+QHPRE(ID))), e(SKID

IBBE · (u · tα)s

QHPRE(ID) ,

h(γ+QHPRE(ID)))) holds

Since e(g, h) is a public value, we have

ADis(e(d4, h(γ+QHPRE(ID))), e(SKID

IBBE · (u · tα)s

QHPRE(ID) ,

h(γ+QHPRE(ID))) holds

⇒ ADis(e(d4, h(γ+QHPRE(ID))) · e(g, h)−1, e((u · tα)

s

QHPRE(ID) ,


Since d4 was randomly chosen in G, there is a valuer ∈ Z∗p having e(d4, h

(γ+QHPRE(ID))) · e(g, h)−1 = e(h, h)r.And since u = hx and t = hy , we have

ADis(e(d4, h(γ+QHPRE(ID))) · e(g, h)−1, e((u · tα)

s

QHPRE(ID) ,


⇒ ADis(e(h, h)r, e(h, h)(x+yα)·s·(γ+QHPRE(ID))· 1

QHPRE(ID) )

holds

In addition, it is clear that adversary A knows

hx+yα, hs and h(γ+QHPRE(ID))· 1

QHPRE(ID) . Now wecompute the probability of the event that

ADis(e(h, h)r, e(h, h)(x+yα)·s·(γ+QHPRE(ID))· 1

QHPRE(ID) ) holds.

WhenADis(e(h, h)r, e(h, h)(x+yα)·s·(γ+QHPRE(ID))· 1

QHPRE(ID) )holds, it means that taking hx+yα, hs and

h(γ+QHPRE(ID))· 1

QHPRE(ID) as input, adversary A can solve aninstance of the DBDH problem by distinguishing e(h, h)r

and e(h, h)(x+yα)·s·(γ+QHPRE(ID))· 1

QHPRE(ID) . According tothe definition of the DBDH problem, we have that

ADis(e(h, h)r, e(h, h)(x+yα)·s·(γ+QHPRE(ID))· 1

QHPRE(ID) ) holdswith the probability no more than AdvINDDBDH, A.Therefore, adversary A has the probability no morethan AdvINDDBDH, A to find the exception of dID→S′|α inCase 1. �

Lemma 3: In Cases 2 and 3, the probability of adver-sary A to find the exception of dID→S′|α is no more thanAdvIND-sID-CPA

D07, A .Proof. Since d4 is randomly chosen in G, it is clearthat there is a value s′ ∈ Z∗p having d4 = SKID

IBBE ·(u · tα)

s′QHPRE(ID) . If adversary A can find the excep-

tion in cases 2 and 3, it means that adversary Acan find that s′ 6= s. Recall that in dID→S′|α, thepart (w−k

′, hk

′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(vk′) · hs) indeed

is an encryption of hs. If adversary A can findthat s′ 6= s, we have that ADis(A,B) holds, whereA = (w−k

′, hk

′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(vk′) · hs), B =

(w−k′′, hk

′′·∏IDi∈S′ (γ+QHPRE(IDi)),QH′PRE(vk′′) · hs′) and k′′ is

randomly chosen in Z∗p. Next, we prove that ADis(A,B)holds only when adversary A can break the IND-sID-CPA security of the D07 scheme.

Since QH′PRE is a random oracle, there is a value R ∈ GThaving QH′PRE(v

k′′) · hs′ = QH′PRE(vk′′ · R) · hs. So when

ADis(A,B) holds, we have that ADis(A′,B′) holds,where A′ = (w−k

′, hk

′·∏IDi∈S′ (γ+QHPRE(IDi)), vk′), B′ =

(w−k′′, hk

′′·∏IDi∈S′ (γ+QHPRE(IDi)), vk′′ ·R). It is clear that A′

and B′ are two ciphertexts generated by the D07 scheme.Furthermore, since we have S ′⋂LSK = ∅ both in Cases2 and 3, it means that when adversary A takes S ′ asthe set of challenge identities and takes 1 ∈ GT and Ras two challenge messages, he can break the IND-sID-CPA security of the D07 scheme without knowing theprivate key SKID

IBBE of any ID ∈ S ′. According to thedefinition of D07’s IND-sID-CPA security, the probabilityof adversary A to find the exception is no more thanAdvIND-sID-CPA

D07, A in Cases 2 and 3. �According to above two lemmas, we clearly have the

following result.Lemma 4: When adversary A totally queries QRKPRE T

times, adversary B successfully simulates adversary A’sview in attacking the IND-sID-CPA security of our pro-posed CIBPRE scheme, except the probability no morethan T · (AdvINDDBDH, A +AdvIND-sID-CPA

D07, A ).Since we suppose that adversary A has the advantage

AdvIND-sID-CPACIBPRE, A to break our CIBPRE scheme, we have

that adversary B has the advantage AdvIND-sID-CPAD07, B =

AdvIND-sID-CPACIBPRE, A(1 − T · AdvINDDBDH, A − T · AdvIND-sID-CPA

D07, A )to break the IND-sID-CPA security of the D07 scheme.

Since the D07 scheme is IND-sID-CPA secure in theRO model, both AdvIND-sID-CPA

D07, B and AdvIND-sID-CPAD07, A are

negligible. In addition, since the DBDH assumptionholds, AdvINDDBDH, A also is negligible. So it demonstratesthat AdvIND-sID-CPA

CIBPRE, A must be negligible. In other words,the proposed CIBPRE scheme is IND-sID-CPA secure inthe RO model. �

6 PERFORMANCE

In this section, we compare our proposed CIBPREscheme with the related up-to-dated TR-CPBRE scheme[14]. To compare the performances, Table 2 summarizes

10



TABLE 2The complexity of algortihms EncPRE, Dec-1PRE, RKExtractPRE, ReEncPRE and Dec-2PRE.

EncPRE Dec-1PRE RKExtractPRE ReEncPRE Dec-2PRE

BM ME MI BM ME MI BM ME MI BM ME MI BM ME MITR-CPBRE 1 S + 7 1 2 S − 1 2 0 2S + 7 1 8 S 2 4 3S+2 4

CIBPRE 0 3S + 4 1 2 S 2 0 S + 6 1 2 S 1 3 S 2Symbols BM, ME and MI respectively denote bilinear map, modular exponentiation and modular inversion.Symbols S denotes the number of receivers.

TABLE 3The size of initial ciphertext, re-encryption key and re-encrypted ciphertext; and whether the original receivers’

identities is needed in running algorithms RKExtractPRE and Dec-2PRE.

Size of Size of Size of Take S as Input ?Initial Ciphertext Re-Encryption Key Re-Encrypted Ciphertext RKExtractPRE Dec-2PRE

TR-CPBRE 7.5|G| 6|G| 9.5|G|+ |GT | Yes YesCIBPRE 3|G|+ |GT | 4|G| 4|G|+ |GT | No No

Symbol S denotes the original receivers’ identities of an initial ciphertext.Symbols |G| and |GT | respectively denote the binary size of groups G and GT .

the number of expensive algebraic operations in algo-rithms EncPRE, Dec-1PRE, RKExtractPRE, ReEncPRE andDec-2PRE. It shows that our CIBPRE is slightly moreefficient than the TR-CPBRE, with both CIBPRE andTR-CPBRE having the constant-size initial ciphertext, re-encryption key and re-encrypted ciphertext.

One may note that CIBPRE is more convenient thanTR-CPBRE in practice, since the CIBPRE does not takeextra burden on storage and communication as TR-CPBRE does (showed in Table 3). TR-CPBRE takes theoriginal receivers’ identities (denoted by S) of an initialciphertext as input to run algorithms RKExtractPRE andDec-2PRE. Hence it requires extra storage for each senderwith the original receivers’ identities of all generatedinitial ciphertexts, and increased communication over-head for the proxy to send the corresponding S to allnew receivers of a re-encrypted ciphertext. Conclusively,CIBPRE avoids these constraints and makes the applica-tion more practical.

TABLE 4Configuration of System Parameters.

Hardware Intel Core 2 Duo CPU E5300 @ 2.60GHzOS and Compiler Windows XP, Microsoft Visual C++ 6.0Program Library MIRACL version 5.4.1

Parameters of bilinear mapElliptic Curve y2 = x3 + A · x + B · x

Pentanomial Basis tm + ta + tb + tc + 1Base Field: 2m m = 379

A 1B 1

Group Order: q 2m + 2(m+1)/2 + 1a 315b 301c 287

The default unit is decimal.

Finally, we coded our CIBPRE scheme and tested thetime cost of algorithms EncPRE, Dec-1PRE, RKExtractPRE,ReEncPRE and Dec-2PRE for different number of receivers.Table 4 shows the system parameters including hard-ware, software and the chosen elliptic curve. Table 5shows the experiment results.

7 CIBPRE-BASED CLOUD EMAIL SYSTEM

Recall that CIBPRE consists of algorithms SetupPRE,ExtractPRE, EncPRE, RKExtractPRE, ReEncPRE, Dec-1PRE

and Dec-2PRE. The CIBPRE-based cloud email systemconsists of a trusted KGC (built by an enterprise admin-istrator), a cloud server and users. The CIBPRE-basedcloud email system works as follows:• Initialization: In this phase, the KGC generates the

system parameters to initialize the CIBPRE-basedcloud email system. It chooses a security parameterλ ∈ N and a value N ∈ N (the maximal num-ber of receivers of an email), and runs algorithmSetupPRE(λ,N) to generate a pair of master publicand secret keys PKPRE and MKPRE. It chooses asecure symmetric key encryption scheme, i.e. AES(the popular choice in practice). Without loss ofgenerality, let the chosen symmetric key encryptionscheme be (X , SEx, SDx), where X ⊆ GT ∈ PKPRE isthe symmetric key space, SEx and SDx respectivelydenotes the encryption and decryption algorithmsboth with a symmetric key x ∈ X . Finally, it pub-lishes (PKPRE,X , SEx, SDx).In the email system, we take users’ email addressesas their identities. When running algorithm EncPRE

to encrypt an email, we take the subject of theemail as the inputted condition. Though an inputtedcondition must belong to Z∗p ∈ PKPRE, it is easyto map the subject of an email into Z∗p. So it isconvenient for us to suppose that all emails’ subjectsbelong to Z∗p. In addition, we suppose that all emailsof a user have the different subjects.

• Key Management: In this phase, when a new userjoins this system, the KGC generates a private keyfor him. Without loss of generality, let ID denotethe email address of the new user. The KGC runsalgorithm ExtractPRE(MKPRE, ID) to generate theprivate key SKID

PRE , and sends it to the user in asecure channel which is established by the SSL/TLSprotocol.

• Send An Encrypted Cloud Email: In this phase, a

11



TABLE 5Time Cost of algorithms EncPRE, Dec-1PRE, RKExtractPRE, ReEncPRE and Dec-2PRE.

Number ofReceivers

Time Cost (Unit: CPU cycle)EncPRE Dec-1PRE RKExtractPRE ReEncPRE Dec-2PRE

4 34397064 (13.230ms) 79089153 (30.419ms) 36721919 (14.124ms) 78398268 (30.153ms) 123970236 (47.681ms)8 54009982 (20.773ms) 88327408 (33.972ms) 41353858 (15.905ms) 86587345 (33.303ms) 128471538 (49.412ms)12 74940619 (28.823ms) 96779670 (37.223ms) 49816676 (19.160ms) 93755987 (36.060ms) 136606496 (52.541ms)

Sender ID1 Cloud Receiver IDi ∈ S

Choose x ∈ X ,

Choose α,

C = EncPRE(PKPRE,S, x, α),C ′ = SEx(F ).

α||C||C ′||SRequest email

α||C||C ′||S

x = Dec-1PRE(PKPRE, IDi, SKIDiPRE , C,S),

F = SDx(C′).

(a) Send an email.

Sender ID1 Cloud Receiver IDi ∈ S ′

dID1→S′|α = RKExtractPRE(

PKPRE, ID1, SKID1PRE ,S ′, α).

dID1→S′|α||S ′

C = ReEncPRE(

PKPRE, dID1→S′|α, C,S),Generate α||C||C ′||S ′.

Request email

α||C||C ′||S ′

x = Dec-2PRE(PKPRE, IDi, SKIDiPRE , C,S ′),

F = SDx(C′).

(b) Forward an email.

• ID1: an email sender;

• IDi: an email receiver;

• S: the identity set of the original receivers;

• S ′: the identity set of the new receivers;

• x: a symmetric key;

• α: the subject of an email;

• C: an initial CIBPRE ciphertext;

• C ′: a symmetric-key ciphertext;

• SKIDiPRE : the private key of user IDi;

• PKPRE: the master public key of CIBPRE;

• F : the content of an email;

• dID1→S′|α: a re-encryption key;

• C: a re-encrypted CIBPRE ciphertext;

(c) The related notions.

Fig. 4. Two main processes of CIBPRE-based cloud email system and their related notions.

user can send an encrypted email to other users.And this email will be stored in the cloud server. Ifthe user wants to review this email, he can fetch theencrypted email from the cloud server and decryptit. Suppose user ID1 wants to send the email contentF (including the associated attachment) to the users{ID2, ..., IDn} (where n ≤ N ). Fig. 4(a) shows thisphase. The details are as follows.

1) User ID1 sets S = {ID1, ..., IDn}, randomlychooses a symmetric key x ∈ X , chooses asubject α of this email, runs algorithms C =EncPRE(PKPRE,S, x, α) and C ′ = SEx(F ), finallysends α||C||C ′||S to the cloud server.

2) The cloud server stores the received ciphertextα||C||C ′||S.

3) When user IDi ∈ S is online, he re-trieves the ciphertext α||C||C ′||S from thecloud sever, and runs algorithms x =Dec-1PRE(PKPRE, IDi, SK

IDiPRE , C,S) and F =

SDx(C ′) to decrypt out the email content F .4) When user ID1 wants to read this email again,

he retrieves the ciphertext α||C||C ′||S fromthe cloud sever, and runs algorithms x =Dec-1PRE(PKPRE, ID1, SK

ID1PRE , C,S) and F =

SDx(C ′) to decrypt out the email content F .Security. According to the IND-sID-CPA securityof CIBPRE and the security of the symmetric keyencryption (X , SEx, SDx), only users {ID1, ..., IDn}can decrypt out the email content F .Performance. In above steps, the capability“Identity-based” of CIBPRE avoids user ID1

to fetch and verify the certificates of users{ID2, ..., IDn} before encrypting the email. Thecapability “Broadcast” of CIBPRE makes C havingthe constant size.

• Forward A History Encrypted Cloud Email: In thisphase, a user can forward a history encrypted email

to new users by generating a re-encryption key forthese users and the subject of this email. Supposeuser ID1 wants to forward his history encryptedemail α||C||C ′||S to the new users {ID′2, ..., ID′n}(where n ≤ N + 1). Fig. 4(c) shows this phase. Thesteps are as follows.

1) User ID1 sets S ′ = {ID′2, ..., ID′n}, runs algo-rithm RKExtractPRE(PKPRE, ID1, SK

ID1PRE ,S ′, α)

to generate a re-encryption key dID1→S′|α, andsends dID1→S′|α||S ′ to the cloud server.

2) The cloud server runs algorithm C =ReEncPRE(PKPRE, dID1→S′|α, C,S) to re-encryptC, and generate the re-encrypted emailα||C||C ′||S ′.

3) When user ID′i ∈ S ′ is online, heretrieves the ciphertext α||C||C ′||S ′ fromthe cloud sever, and runs algorithmx = Dec-2PRE(PKPRE, IDi, SK

IDiPRE , C,S ′) and

algorithm F = SDx(C ′) to decrypt out theemail content F .

Security. According to the IND-sID-CPA securityof CIBPRE and the security of the symmetric keyencryption (X , SEx, SDx), the re-encrypted emailα||C||C ′||S ′ only can be decrypted by the users inS ′. According to the capability ”Conditional”, there-encryption key dID1→S′|α only can re-encrypt thehistory email α||C||C ′||S. It implies that the cloudserver can not forward the other history encryptedemails to any user.Performace. In the above steps, the capability“Identity-based” of CIBPRE avoid user ID1 to fetchand verify the certificates of users {ID′2, ..., ID′n}before generating a re-encryption key. The capability“Broadcast” of CIBPRE makes the generated re-encryption key having the constant size.

In the CIBPRE-based cloud email system, the enter-prise administrator only needs to initialize the system

12



and generate the private key for the newly joined user. Inother words, the enterprise administrator can be offlineif no new user joins the system. It is a useful paradigmfor the enterprise administrator to resist the outsideattacks in practice. The cloud server provides efficientservices to send, store and forward users’ encryptedemails. Moreover, it is convenient that all users takesemail addresses as public keys to encrypt emails. In theaspect of security, all users’ emails are confidential evenif the cloud sever is compromised.

8 CONCLUSION

This paper presented a new kind of PRE conceptcalled Conditional Identity-based Broadcast Proxy Re-Encryption (CIBPRE), as well as its IND-sID-CPA se-curity definitions. The CIBPRE is a general conceptequipped with the capabilities of Conditional PRE(CPRE), Identity-based PRE (IPRE) and Broadcast PRE(BPRE). The IND-sID-CPA security definition of CIBPREincorported the security requirements of CPRE, IPREand BPRE.

CIBPRE inherits the advantages of CPRE, IPRE andBPRE for applications. It allows a user to share theiroutsourced encrypted data with others in a fine-grainedmanner. All CIBPRE users takes their identities as publickeys to encrypt data. It avoids a user to fetch andverify other users’ certificates before encrypting his data.Moreover, it allows a user to generate a broadcast ci-phertext for multiple receivers and share his outsourcedencrypted data to multiple receivers in a batch manner.

we instantiated the first CIBPRE scheme based onthe Identity-Based Broadcast Encryption (IBBE) in [30].Upon the provable security of the IBBE scheme and theDBDH assumption, the instance of CIBPRE is provablyIND-sID-CPA secure in the RO model. It indicates thatwithout the corresponding private key or the right toshare a user’s outsourced data, one can learn nothingabout the user’s data.

Finally, we compared the proposed CIBPRE schemewith similar works and the comparison confirms the ad-vantages of our CIBPRE scheme. We built the encryptedcloud email system based our CIBPRE scheme. Com-pared with the previous techniques such as PGP andIBE, our CIBPRE-based system is much more efficient inthe aspect of communication and more practical in userexperience.

ACKNOWLEDGMENTS

The authors would like to thank the reviewers fortheir valuable suggestions that helped to improvethe paper greatly. The first author is partly sup-ported by the National Natural Science Foundationof China under grant no. 61472156 and the NationalProgram on Key Basic Research Project (973 Pro-gram) under grant no. 2014CB340600. The third au-thor is supported by by the Chinese National KeyBasic Research Program (973 program) through project

2012CB315905, the Natural Science Foundation of Chinathrough projects 61370190, 61173154, 61472429, 61402029,61272501, 61202465, 61321064 and 61003214, the BeijingNatural Science Foundation through project 4132056, theFundamental Research Funds for the Central Universi-ties, and the Research Funds (No. 14XNLF02) of RenminUniversity of China and the Open Research Fund ofBeijing Key Laboratory of Trusted Computing.

REFERENCES[1] M. Blaze, G. Bleumer and M. Strauss, “Divertible Protocols and

Atomic Proxy Cryptography”, Proc. Advances in Cryptology-EUROCRYPT ’ 98, Springer, Heidelberg, 1998, pp. 127-144.

[2] A. Boldyreva, M. Fischlin, A. Palacio and B. Warinschi, “A CloserLook at PKI: Security and Efficiency”, Proc. PKC 2007 Springer,Heidelberg, 2007, pp. 458-475.

[3] M. Green and G. Ateniese, “Identity-Based Proxy Re-Encryption”,Proc. ACNS 2007, Springer, Heidelberg, 2007, pp. 288-306.

[4] T. Matsuo, “Proxy Re-encryption Systems for Identity-Based En-cryption”, Proc. PAIRING 2007, Springer, Heidelberg, 2007, pp.247-267.

[5] C.-K. Chu and W.-G. Tzeng, “Identity-Based Proxy Re-encryptionWithout Random Oracles”, Proc. ISC 2007, Springer, Heidelberg,2007, pp. 189-202.

[6] L. Ibraimi, Q. Tang, P. Hartel and W. Jonker, “A Type-and-Identity-based Proxy Re-Encryption Scheme and its Application in Health-care”, Proc. SECURE DATA MANAGEMENT 2008, Springer, Hei-delberg, 2008, pp. 185-198.

[7] J. Shao, G. Wei, Y. Ling and M. Xie, “Identity-based ConditionalProxy Re-encryption”, Proc. IEEE International Conference onCommunications (ICC), 2011, pp. 1-5.

[8] K. Liang, Z. Liu, X. Tan, D.S. Wong and C. Tang, “A CCA-Secureidentity-based conditional proxy re-encryption without randomoracles”, Proc. ICISC, 2012, pp. 231-146.

[9] C.-K. Chu, J. Weng, S.S.M. Chow, J. Zhou and R.H. Deng, “Con-ditional Proxy Broadcast Re-Encryption”, Proc. INFORMATIONSECURITY AND PRIVACY 2009, Springer, Heidelberg, 2009, pp.327-342.

[10] Q. Tang, “Type-Based Proxy Re-encryption and Its Construction”,proc. INDOCRYPT, 2008, pp. 130-144.

[11] J. Weng, R.H. Deng, X. Ding, C.-K. Chu and J. Lai, “ConditionalProxy Re-Encryption Secure against Chosen-Ciphertext Attack”,Proc. ASIACCS ’09, ACM, 2009, pp. 322-332.

[12] J. Weng, Y. Yang, Q. Tang, R.H. Deng and F. Bao, “Efficient Con-ditional Proxy Re-Encryption with Chosen-Ciphertext Security”,Proc. Information Security 2009, Springer-Verlag, 2009, pp. 151-166.

[13] L. Fang, W. Susilo and J. Wang, “Anonymous ConditionalProxy Re-encryption without Random Oracle”, Proc. ProvSec 2009,Springer, Heidelberg, 2009, pp. 47-60.

[14] K. Liang, Q. Huang, R. Schlegel. D. S. Wong and C. Tang, “AConditional Proxy Broadcast Re-Encryption Scheme SupportingTimed-Release”, Proc. ISPEC 2013, LNCS 7863, Springer, Heidel-berg, 2013, pp. 132-146.

[15] Philip R. Zimmermann, “PGP Source Code and Internals”, MITPress, ISBN 0-262-24039-4, 1995.

[16] D. Boneh and M. Franklin, “Identity-Based Encryption fromthe Weil Pairing”, Proc. Advances in Cryptology-CRYPTO 2001,Springer, Heidelberg, 2001, pp. 213-239.

[17] Radicati Group, “Cloud Business Email Mar-ket, 2014-2018”, http://www.radicati.com/wp/wp-content/uploads/2014/10/Cloud-Business-Email-Market-2014-2018-Executive-Summary.pdf, 2014.

[18] Proofpoint Group, “Cloud-based Archiving vs. On-PremisesLegacy Archiving”, http://video.proofpoint.com/id/cloud-based-archiving-vs.-on-premises-legacy-archiving-TCO-white-paper,2012.

[19] G. Ateniese, K. Fu, M. Green and S. Hohenberger, “ImprovedProxy Reencryption Schemes with Applications to Secure Dis-tributed Storage”, ACM Transactions on Information and SystemSecurity, 2006, pp. 1-30.

[20] R.H. Deng, J. Weng, S. Liu and K. Chen, “Chosen-ciphertextsecure proxy re-encryption without pairings”, Cryptology andNetwork Security, vol. 5339, 2008, pp. 1-17.

13



[21] V. Kirtane and C.P. Rangan, “RSA-TBOS signcryption with proxyre-encryption”, Proceedings of the 8th ACM workshop on Digitalrights management (DRM ’08), 2008, pp. 59-66.

[22] B. Libert and D. Vergnaud, “Unidirectional Chosen-Ciphertext Se-cure Proxy Re-Encryption”, Proc. PKC 2008, Springer, Heidelberg,2008, pp. 360-379.

[23] J. Shao and Z. Cao, “CCA-Secure Proxy Re-Encryption withoutpairings”, Proc. PKC 2009, Springer-Verlag, 2009, pp. 357-176.

[24] G. Ateniese, K. Benson and S. Hohenberger, “Key-Private ProxyRe-Encryption”, Proc. CT-RSA 2009, Springer-Verlag, 2009, pp. 279-294.

[25] J. Shao, P. Liu, G. Wei and Y. Ling, “Anonymous proxy re-encryption”, Security and Communication Networks, vol. 5, no.5, 2012, pp. 439-449.

[26] R. Canetti and S. Hohenberger, “Chosen-ciphertext secure proxyreencryption”, Proceedings of the 14th ACM conference on Com-puter and communications security (CCS’07), 2007, pp. 185-194.

[27] T. Matsuda, R. Nishimaki and K. Tanaka, “CCA Proxy Re-Encryption without Bilinear Maps in the Standard Model”, Proc.PKC 2010 Springer, Heidelberg, 2010, pp. 261-278.

[28] K. Liang, M. H. Au, J. K. Liu, X. Qi, W. Susilo, X. P. Tran, D. S.Wong and G. Yang, “A DFA-based Functional Proxy Re-EncryptionScheme for Secure Public Cloud Data Sharing”, IEEE Transactionson Information Forensics and Security 9(10), 2014, pp. 1667-1680.

[29] K. Liang, J. K. Liu, D. S. Wong, W. Susilo, ”An Efficient Cloud-based Revocable Identity-based Proxy Re-encryption Scheme forPublic Clouds Data Sharing”, European Symposium on Research inComputer Security (ESORICS), LNCS 8712, Springer, Heidelberg,2014, pp. 257-272.

[30] C. Delerablee, “Identity-based broadcast encryption with constantsize ciphertexts and private keys”, Proc. Advances in Cryptology-ASIACRYPT 2007, Springer, Heidelberg, 2007, pp. 200-215.

[31] D. Boneh and X. Boyen, “Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles”, Proc. Advances inCryptology-EUROCRYPT 2004, Springer, Heidelberg, 2004, pp.223-238.

[32] D. Boneh and X. Boyen, “Secure Identity Based Encryption With-out Random Oracles”, Proc. Advances in Cryptology-CRYPTO2004. Springer, Heidelberg, 2004, pp. 197-206.

Peng Xu received the B.A. degree in computerscience from Wuhan university of science andtechnique, Wuhan, China, in 2003, the Masterand Ph.D. degree in computer science fromHuazhong university of science and technol-ogy, Wuhan, China, respectively in 2006 and2010. Since 2010, he works as a post-doctor atHuazhong university of science and technology,Wuhan, China. He was PI in three grants respec-tively from National Natural Science Foundationof China (No. 61472156 and No. 61100222) and

China Postdoctoral Science Foundation (No. 20100480900), and a keymember in several projects supported by 973 (No. 2014CB340600). Hehas authored over 20 research papers. He is a member of ACM andIEEE.

Tengfei Jiao received the B.A. degree incomputer science from Zhengzhou University,Zhengzhou, China, in 2011. Now, he is studyingfor a master degree in computer science atHuazhong University of Science and Technol-ogy. His research interest is cryptography andcloud security.

Qianhong Wu received his Ph.D. in Cryptog-raphy from Xidian University in 2004. Sincethen, he has been with Wollongong University(Australia) as an associate research fellow, withWuhan University (China) as an associate pro-fessor, with Universitat Rovira i Virgili (Catalonia)as a research director and now with BeihangUniversity (China) as a full professor. His re-search interests include cryptography, informa-tion security and privacy, and ad hoc networksecurity. He has been a holder/co-holder of 7

China/Australia/Spain funded projects. He has authored 7 patents andover 100 publications. He has served in the program committee ofseveral international conferences in information security and privacy. Heis a member of IACR, ACM and IEEE.

Wei Wang received her PhD degree in Elec-tronic and Communication Engineering fromHuazhong university of science and technique,Wuhan, China, in 2011. She is now doing Post-doctor work in Peking University, Beijing, China.Her research interests are cloud security, net-work coding, multimedia transmission.

Hai Jin received his PhD in computer engi-neering from HUST in 1994. In 1996, he wasawarded a German Academic Exchange Ser-vice fellowship to visit the Technical Universityof Chemnitz in Germany. He worked at The Uni-versity of Hong Kong between 1998 and 2000,and as a visiting scholar at the University ofSouthern California between 1999 and 2000. Hewas awarded Excellent Youth Award from theNational Science Foundation of China in 2001.He is the chief scientist of National 973 Basic

Research Program Project of Virtualization Technology of ComputingSystem. He has co-authored 15 books and published over 400 researchpapers. He is a senior member of the IEEE and a member of the ACM.

14

conditional identity-based broadcast proxy re-encryption ...€¦ · conditional identity-based...

Documents