Nowadays, public cloud storage is gaining popularity and a growing number of users are beginning to use the public cloud storage for online data storing and sharing. However, how the encrypted data stored in public clouds can be effectively shared becomes a new challenge. Proxy reencryption is a publickey primitive that can delegate the decryption right from one user to another. In a proxy reencryption system, a semitrusted proxy authorized by a data owner is allowed to transform an encrypted data under the data owner’s public key into a reencrypted data under an authorized recipient’s public key without seeing the underlying plaintext. Hence, the paradigm of proxy reencryption provides a promising solution to effectively share encrypted data. In this paper, we propose a new certificatebased proxy reencryption scheme for encrypted data sharing in public clouds. In the random oracle model, we formally prove that the proposed scheme achieves chosenciphertext security. The simulation results show that it is more efficient than the previous certificatebased proxy reencryption schemes.
1. Introduction
C
loud computing has increasingly become a technology trend due to its key properties, such as cost saving and ondemand provisioning. There is an emerging trend that increasingly more users are beginning to use the public cloud storage for online data storing and sharing. However, many users still hesitate to move their data into a cloud, since they worry about their sensitive information being leaked by a cloud service provider (CSP). To preserve the confidentiality of the data stored at a cloud storage server, one can encrypt the data before sending it to the server. However, traditional encryption paradigm makes it difficult for flexibly sharing encrypted data between different users. For data sharing, there are two ways for a data owner to choose under the traditional encryption paradigm: he encrypts all data with a single symmetric key and gives his friends the symmetric key directly; or he downloads the encrypted data from the cloud storage, decrypts them, reencrypts them using a new symmetric key and reuploads the reencrypted data along with the new symmetric key encrypted under his friend’s public key to cloud. Obviously, the first way violates the least privilege principle since all data are leaked to his friends. For the second way, there are practical concerns on efficiency. Because the data owner has to reencrypt the data and then reupload to cloud, it brings heavy computation load and bandwidth cost to the data owner. In addition, the second way also loses the value of cloud storage.
How the encrypted data can be effectively shared in clouds has become a challenge. So far, a variety of methods (
e.g.
[1

10]
) have been introduced in an attempt to deal with this problem. Among these approaches, proxy reencryption (PRE) provides a promising solution for encrypteddata sharing in public clouds. The notion of PRE was introduced by Blaze
et al.
[11]
in Eurocrypt’98. Its goal is to securely delegate the decryption right from one user (the
delegator
) to another (the
delegate
) without relying on trusted third parties. In a PRE scheme, a semitrusted proxy authorized by the delegator is allowed to transform a ciphertext under the delegator’s public key into a new ciphertext under the delegate’s public key without seeing the underlying plaintext. More concretely, this cryptographic system works as follows: The delegator generates a proxy reencryption key and sets it in a proxy. On receiving the ciphertexts under the delegator’s public key, the proxy transforms them into the ciphertexts under the delegate’s public key using the reencryption key. Then, the delegate can decrypt the reencrypted ciphertexts by using its private key directly. PRE can serve as a fundamental cryptographic building block for constructing secure data sharing applications in cloud systems. With a PRE system, a data owner is able to delegate the access rights of the sharing data to others so that they can access these data from the cloud storage directly. Furthermore, PRE introduces minor overhead on cloud users by eliminating any direct interaction between a data owner and its recipients.
Since its advent, PRE has attracted much attention in the research community and a number of schemes have been proposed. However, most of previous PRE schemes were constructed under either traditional publickey encryption (PKE) (
e.g.
[12

16]
) or identitybased encryption (IBE) (
e.g.
[17

20]
). It is well recognized that traditional PKE suffers from the cumbersome certificate management problem and IBE has inherent key escrow and distribution problems. To solve the key escrow problem in identitybased PRE, Xu
et al.
[3]
proposed the notion of certificateless PRE by extending PRE into certificateless publickey cryptography (CLPKC) that was presented by AlRiyami and Paterson in Asiacrypt’03
[21]
. However, CLPKC needs a secure communication channel to distribute a partial private key to each user. Therefore, certificateless PRE inevitably suffers from the key distribution problem similar to identitybased PRE. This feature limits the application of certificateless PRE in public clouds.
To address the problems imposed on the previous approaches, Sur
et al.
[4]
introduced the notion of certificatebased PRE (CBPRE) that follows the idea of certificatebased encryption (CBE) presented by Gentry
[22]
in Eurocrypt’03. CBE is a publickey encryption primitive that has attracted great interest in the recent years
[23

30]
. This primitive combines traditional PKE with IBE while preserving some of their most attractive features. As in traditional PKE, each user in CBE generates a pair of public key and private key independently and then requests a certificate from a CA. The difference is that a certificate is pushed only to its owner and acts as a partial decryption key. This additional functionality provides an efficient implicit certificate mechanism so that a user needs both his private key and certificate to perform decryption operations, while the other parties need not obtain the fresh information on this user’s certificate status. The feature of implicit certificate makes CBE eliminate thirdparty queries for the certificate status and simplify the public key revocation problem in traditional PKE. Furthermore, there are no key escrow problem (since CA does not know users’ private keys) and key distribution problem (since the certificates can be sent to their owners publicly) in CBE. To the best of our knowledge, two CBPRE schemes have been proposed in the literature so far. In
[4]
, Sur
et al.
provided a formal security model for CBPRE schemes and proposed the first CBPRE scheme that is provably secure in the random oracle model
[31]
. In
[32]
, Li
et al.
proposed another CBPRE scheme in the random oracle model. However, both of these two CBPRE schemes are inefficient due to many costly pairing operations. For example, to reencrypt a ciphertext, Sur
et al.
’s scheme
[4]
requires computing seven pairings while Li
et al.
’s scheme
[32]
requires computing five pairings.
The contribution of this paper is that we develop an efficient CBPRE scheme with bilinear pairings. The proposed scheme requires computing at most two bilinear pairings in each operation. Compared with the previous CBPRE schemes, it has obviously advantage in both the computation efficiency and the communication bandwidth. In the random oracle model, we strictly prove that the proposed scheme is chosenciphertext secure under the hardness of the bilinear DiffieHellman problem.
2. Preliminaries
 2.1 Bilinear Map and Complexity Assumption
Let
k
be a security parameter and
p
be a
k
bit prime number. Let
G
and
G_{T}
be two cyclic groups of prime order
p
and
P
be a generator of the group
G
.
A bilinear pairing is a map
e
:
G
×
G
→
G_{T}
that takes two elements
U
and
V
in the group
G
as input and outputs an element
e
(
U
,
V
) in the group
G_{T}
. It satisfies the following three properties:
(1) Bilinearity: For all
U
,
V
∈
G
and all
a
,
b
∈
,
e
(
U^{a}
,
V^{b}
) =
e
(
U
,
V
)
^{ab}
;
(2) Nondegeneracy:
e
(
P
,
P
) ≠ 1;
(3) Computability: For all
U
,
V
∈
G
,
e
(
U
,
V
) can be efficiently computed.
The security of our CBPRE scheme is based on the following complexity assumption.
Definition 1
[33]
. The bilinear DiffieHellman (BDH) problem in (
G
,
G_{T}
) is, given a tuple (
P
,
aP
,
bP
,
cP
) ∈
G
^{4}
for unknown
a
,
b
,
c
∈
, to compute
e
(
P
,
P
)
^{abc}
∈
G_{T}
. The advantage of a probabilistic polynomial time (PPT) algorithm
A_{BDH}
in solving the BDH problem in (
G
,
G_{T}
) is defined as
The BDH assumption is that, for any PPT algorithm
A_{BDH}
, the advantage
Adv
(
A_{BDH}
) is negligible.
 2.2 CertificateBased Proxy ReEncryption
In this paper, a CBPRE scheme is composed of eight algorithms: (1) System setup algorithm
Setup
, which is performed by a CA to generate a master secret key and a list of public system parameters; (2) User key generation algorithm
UserKeyGen
, which is performed by the users to generate their private key and public key pairs; (3) Certificate generation algorithm
Certify
, which is performed by a CA to generate a certificate for each user in the system; (4) Encryption algorithm
Encrypt
, which is performed by the delegators to encrypt their data to generate the original ciphertexts; (5) Reencryption key generation algorithm
ReKeyGen
, which is performed by the delegators to generate the reencryption keys; (6) Reencryption algorithm
ReEncrypt
, which is performed by a proxy to reencrypt the original ciphertexts; (7) Normal decryption algorithm
Decrypt1
, which is performed by the delegators to decrypt the original ciphertexts; (8) Reencrypted ciphertext decryption algorithm
Decrypt2
, which is performed by the delegates to decrypt the reencrypted ciphertexts.
A more concrete functional description of a CBPRE scheme is as follows:
In the above algorithms
UserKeyGen
and
Certify
, a user
U
may be a delegator
A
or a delegate
B
.
For correctness, it is required that, for any message
M
and any identity
id_{A}
and
id_{B}
, the following two equations should hold:
Decrypt1
(
params
,
Encrypt
(
params
,
M
,
id_{A}
,
PK_{A}
),
SK_{A}
,
Cert_{A}
) =
M
,
Decrypt2
(
params
,
ReEncrypt
(
params
,
Encrypt
(
params
,
M
,
id_{A}
,
PK_{A}
),
RK
_{A→B}
),
id_{B}
,
SK_{B}
,
Cert_{B}
,
id_{A}
,
PK_{A}
) =
M
.
As introduced by Sur
et al.
in
[4]
, the security model of CBPRE schemes is an extension of the model of CBE schemes in which there are two kinds of adversaries, namely TypeI adversary (denoted by
A_{I}
) and TypeII adversary (denoted by
A_{II}
). The TypeI adversary models an uncertified entity while the TypeII adversary models a malicious CA who knows the master secret key. To formalize the security notions for CBPRE schemes, we first describe the following six oracles. A TypeI or TypeII adversary can adaptively make requests to some of these oracles. We assume that the challenger keeps a history of “queryanswer” when interacting with the adversary.
(1) OUserCreate(idU): On input an identity idU, the challenger responds with the public key PKU associated with the identity idU. If the identity idU has not been created, then the challenger generates a public key PKU and a private key SKU respectively and returns PKU. In this case, the identity idU is said to be created. Note that other oracles defined below only respond to an identity which has been created.
(2) OCorrupt(idU): On input an identity idU, the challenger outputs the private key SKU associated with the identity idU.
(3) OCertificate(idU): On input an identity idU, the challenger responds with a certificate CertU. Note that such an oracle is only queried by the TypeI adversary since the TypeII adversary can generate any user’s certificate by itself.
(4)
O^{ReKeyGen}
(
id_{A}
,
id_{B}
): On input two identities
id_{A}
and
id_{B}
, the challenger responds with a reencryption key
RK
_{A→B}
.
(5)
O^{ReEncrypt}
(
id_{A}
,
id_{B}
,
C_{A}
): On input two identities
id_{A}
,
id_{B}
and a ciphertext
C_{A}
under the identity
id_{A}
and the public key
PK_{A}
, the challenger responds with a transformed ciphertext
C_{B}
under the identity
id_{B}
and the public key
PK_{B}
.
(6)
O^{Decrypt}
(
id_{U}
,
C_{U}
): On input an identity
id_{U}
and a ciphertext
C_{U}
, the challenger responds with the decryption of the ciphertext
C_{U}
.
The chosenciphertext security of CBPRE schemes can be formally defined by the following adversarial game “
INDCBPRECCA2 Game
”, in which a TypeI or TypeII adversary
A_{X}
∈ {
A_{I}
,
A_{II}
} interacts with a challenger.
Setup.
On input a security parameter
k
, the challenger runs the algorithm
Setup
(
k
) to generate a master secret key
msk
and a list of public parameters
params
. It then sends
params
to the adversary
A_{X}
. If
A_{X}
is a TypeII adversary, the challenger also sends the master secret key
msk
to it.
Phase 1.
In this phase, the adversary
A_{X}
can adaptively query the oracles
O^{CreateUser}
,
O^{Corrupt}
,
O^{Certificate}
,
O^{ReKeyGen}
,
O^{ReEncrypt}
and
O^{Decrypt}
if it is a TypeI adversary or the oracles
O^{CreateUser}
,
O^{PrivateKey}
,
O^{ReKeyGen}
,
O^{ReEncrypt}
and
O^{Decrypt}
if it is a TypeII adversary. The challenger responds as described above.
Challenge.
Once the adversary
A_{X}
decides that Phase 1 is over, it outputs an identity
id_{ch}
and two equallength messages (
M
_{0}
,
M
_{1}
) on which it wants to be challenged. The challenger picks a random bit
b
∈{0,1}, computes
C_{ch}
=
Encrypt
(
params
,
M_{b}
,
id_{ch}
,
PK_{ch}
), and then outputs
C_{ch}
as the challenge ciphertext to the adversary
A_{X}
.
Phase 2.
In this phase, the adversary
A_{X}
issues a second sequence of queries as in Phase 1.
Guess.
After all queries, the adversary
A_{X}
outputs a guess
b′
∈{0,1} for the bit
b
. We say that the adversary
A_{X}
wins the game if
b
=
b′
and the following restrictions are simultaneously satisfied: (1) (
id_{ch}
,
C_{ch}
) and its derivatives cannot be submitted to the oracle
O^{Decrypt}
; (2)
id_{ch}
cannot be submitted to the oracle
O^{Certificate}
if
A_{X}
is a TypeI adversary or the oracle
O^{PrivateKey}
if
A_{X}
is a TypeII adversary. The advantage of the adversary
A_{X}
is defined to be
For our definition to make sense, we consider the notion of derivative of the challenge ciphertext
[13]
.
Definition 2.
Assume that
id_{ch}
is the challenge identity and
C_{ch}
is the challenge ciphertext in the above games, (
id_{U}
,
C_{U}
) is said to be a derivative of (
id_{ch}
,
C_{ch}
) if either (1) the adversary
A_{X}
has queried the oracle
O^{ReEncrypt}
on (
id_{ch}
,
id_{U}
,
C_{ch}
) to get a new ciphertext
C_{U}
, or (2) the adversary
A_{X}
has queried the oracle
O^{ReKeyGen}
(
id_{ch}
,
id_{U}
) to get the reencryption key
RK
_{ch→U}
and
C_{U}
is the result of
ReEncrypt
(
params
,
C_{ch}
,
RK
_{ch→U}
).
It is clear that in the above game we should disallow the queries to
O^{Decrypt}
not only on the challenge ciphertext (
id_{ch}
,
C_{ch}
) as usual, but also on any derivative of (
id_{ch}
,
C_{ch}
). Otherwise, the adversary
A_{X}
can easily win the game by making a query to
O^{ReEncrypt}
or
O^{ReKeyGen}
corresponding to (
id_{ch}
,
C_{ch}
).
Definition 3.
A CBPRE scheme is said to be secure against adaptive chosenciphertext attacks (or INDCBPRECCA2 secure) if no PPT adversary has nonnegligible advantage in the above game.
3. Description of the Proposed CBPRE Scheme
Motivated by Green and Ateniese’s identitybased PRE scheme
[17]
, we propose a new CBPRE scheme. The proposed scheme consists of the following eight algorithms:
(1)
Setup
(
k
). The CA chooses a
k
bit prime number
p
, generates two cyclic groups
G
and
G_{T}
of order
p
such that there exists a bilinear paring map
e
:
G
×
G
→
G_{T}
. It randomly chooses a generator
P
∈
G
and a master secret key
s
∈
, and sets
P_{pub}
=
P^{s}
. Additionally, it selects five cryptographic hash functions
H
_{1}
: {0,1}
^{*}
×
G
→
G
,
H
_{2}
: {0,1}
^{n}
×
G_{T}
× {0,1}
^{*}
×
G
→
,
H
_{3}
: {0,1}
^{*}
×
G
×
G
→
G
,
H
_{4}
:
G_{T}
→ {0,1}
^{n}
and
H
_{5}
: {0,1}
^{*}
× {0,1}
^{*}
×
G_{T}
×
G
→
G
, where
n
is the bitlength of the message to be encrypted. The public system parameters are
params
= {
p
,
G
,
G_{T}
,
e
,
n
,
P
,
P_{pub}
,
H
_{1}
,
H
_{2}
,
H
_{3}
,
H
_{4}
,
H
_{5}
} and the master secret key is
msk
=
s
.
(2)
UserKeyGen
(params). A user
U
with identity
id_{U}
chooses a random value
x_{U}
∈
as his private key
SK_{U}
and computes his public key
PK_{U}
=
P^{xU}
.
(3)
Certify
(
params
, msk,
id_{U}
,
PK_{U}
). The CA computes
Cert_{U}
=
as a certificate for a user
U
with identity
id_{U}
and public key
PK_{U}
, where
Q_{U}
=
H
_{1}
(
id_{U}
,
PK_{U}
). The user
U
can check the validness of
Cert_{U}
by verifying whether
e
(
P
,
Cert_{U}
) =
e
(
P_{pub}
,
Q_{U}
).
(4)
Encrypt
(
params
,
M
,
id_{A}
,
PK_{A}
). To encrypt a message
M
∈ {0,1}
^{n}
, the delegator
A
randomly chooses
σ
∈
G_{T}
, sets
r
=
H
_{2}
(
M
,
σ
,
id_{A}
,
PK_{A}
), and then computes an original ciphertext
C_{A}
= (
U_{A}
,
V_{A}
,
W_{A}
) = (
P^{r}
,
σ
⋅
e
(
P_{pub}
,
Q_{A}
)
^{r}
⋅
e
(
PK_{A}
,
R_{A}
)
^{r}
,
M
⊕
H
_{4}
(
σ
)), where
Q_{A}
=
H
_{1}
(
id_{A}
,
PK_{A}
) and
R_{A}
=
H
_{3}
(
id_{A}
,
PK_{A}
,
P_{pub}
).
The algorithm
Encrypt
does not require any paring computations once
e
(
P_{pub}
,
Q_{A}
) and
e
(
PK_{A}
,
R_{A}
) have been precomputed.
(5)
ReKeyGen
(
params
,
id_{A}
,
SK_{A}
,
Cert_{A}
,
id_{B}
,
PK_{B}
). To generate a proxy reencryption key
RK
_{A→B}
, the delegator
A
computes
K
_{1}
=
e
(
Cert_{A}
,
Q_{B}
),
K
_{2}
=(
PK_{B}
)
^{SKA}
and
K
_{3}
=(
R_{A}
)
^{SKA}
⋅
Cert_{A}
, and then sets
RK
_{A→B}
=
H
_{5}
(
id_{A}
,
id_{B}
,
K
_{1}
,
K
_{2}
) ⋅
K
_{3}
, where
Q_{B}
=
H
_{1}
(
id_{B}
,
PK_{B}
) and
R_{A}
=
H
_{3}
(
id_{A}
,
PK_{A}
,
P_{pub}
).
(6)
ReEncrypt
(
params
,
C
,
RK
_{A→B}
). To convert an original ciphertext
C_{A}
= (
U_{A}
,
V_{A}
,
W_{A}
) under identity
id_{A}
and public key
PK_{A}
into a reencrypted ciphertext
C_{B}
under identity
id_{B}
and public key
PK_{B}
using the proxy reencryption key
RK
_{A→B}
, the proxy sets
U_{B}
=
U_{A}
and
W_{B}
=
W_{A}
respectively, computes
V_{B}
=
V_{A}
⋅
e
(
U_{A}
,
RK
_{A→B}
) and then sets
C_{B}
= (
U_{B}
,
V_{B}
,
W_{B}
).
(7)
Decrypt1
(
params
,
C_{A}
,
id_{A}
,
SK_{A}
,
Cert_{A}
). To decrypt an original ciphertext
C_{A}
= (
U_{A}
,
V_{A}
,
W_{A}
), the delegator
A
first computes
σ′
=
V_{A}
⋅
e
(
U_{A}
, (
R_{A}
)
^{SKA}
⋅
Cert_{A}
) and
M′
=
W_{A}
⊕
H
_{4}
(
σ′
), where
R_{A}
=
H
_{3}
(
id_{A}
,
PK_{A}
,
P_{pub}
). It then checks whether
U_{A}
=
P^{r′}
where
r′
=
H
_{2}
(
M′
,
σ′
,
id_{A}
,
PK_{A}
). If this check holds, it outputs
M′
, otherwise outputs ⊥.
(8)
Decrypt2
(
params
,
C_{B}
,
id_{B}
,
SK_{B}
,
Cert_{B}
,
id_{A}
,
PK_{A}
). To decrypt a reencrypted ciphertext
C_{B}
= (
U_{B}
,
V_{B}
,
W_{B}
) from a delegator
A
with identity
id_{A}
and public key
PK_{A}
, the delegate
B
first computes
σ′
=
V_{B}
⋅
e
(
U_{B}
,
H
_{5}
(
id_{A}
,
id_{B}
,
e
(
Q_{A}
,
Cert_{B}
), (
PK_{A}
)
^{SKB}
)
^{1}
) and
M′
=
W_{B}
⊕
H
_{4}
(
σ′
), where
Q_{A}
=
H
_{1}
(
id_{A}
,
PK_{A}
). It then checks whether
U_{B}
=
P
^{r′}
where
r′
=
H
_{2}
(
M′
,
σ′
,
id_{A}
,
PK_{A}
). If this check holds, it outputs
M′
, otherwise outputs ⊥.
4. Analysis of the Proposed CBPRE Scheme
 4.1 Correctness
The correctness of the proposed CBPRE scheme can be verified as follows:
If
C_{A}
is an original ciphertext,
i.e.
,
C_{A}
= (
U_{A}
,
V_{A}
,
W_{A}
), then we have
If
C_{B}
is a reencrypted ciphertext from a delegator
A
with identity
id_{A}
and public key
PK_{A}
,
i.e.
,
C_{B}
= (
U_{B}
,
V_{B}
,
W_{B}
) = (
U_{A}
,
V_{A}
⋅
e
(
U_{A}
,
RK
_{A→B}
),
W_{A}
), then we have
Hence, the normal decryption and the reencrypted ciphertext decryption are both correct.
 4.2 Security Proof
Theorem 1.
In the random oracle model, our CBPRE scheme is INDCBPRECCA2 secure under the BDH assumption.
This theorem can be proved by combining the following
Lemma 1
and
Lemma 2
.
Lemma 1.
Assume that a TypeI adversary
A_{I}
has an advantage ε against our CBPRE scheme when asking at most
q_{uc}
queries to the oracle
O^{UserCreate}
,
q_{cr}
queries to the oracle
O^{Corrupt}
,
q_{cer}
queries to the oracle
O^{Certificate}
,
q_{rk}
queries to the oracle
^{OReKeyGen}
,
q_{ren}
queries to the oracle
O^{ReEncrypt}
,
q_{dec}
queries to the oracle
O^{Decrypt}
and
q_{i}
queries to the random oracles
H_{i}
(
i
= 1,2,3,4,5) respectively, then there exists an algorithm
A_{BDH}
to solve the BDH problem with advantage
Proof.
We show how to construct an algorithm
A_{BDH}
to solve the BDH problem. Assume that the algorithm
A_{BDH}
is given a random instance (
P
,
P^{a}
,
P^{b}
,
P^{c}
) of the BDH problem in (
G
,
G_{T}
) and asked to compute
e
(
P
,
P
)
^{abc}
. In order to solve the given problem,
A_{BDH}
needs to simulate a challenger and all oracles for the adversary
A_{I}
.
In the setup phase, the algorithm
A_{BDH}
sets
P_{pub}
=
P^{a}
and randomly chooses an index
θ
∈ {1,2,…,
q
_{1}
}. Then, it starts
INDCBPRECCA2 Game
by supplying the adversary
A_{I}
with
params
= {
p
,
G
,
G_{T}
,
e
,
n
,
P
,
P_{pub}
,
H
_{1}
,
H
_{2}
,
H
_{3}
,
H
_{4}
,
H
_{5}
}, where
H
_{1}
~
H
_{5}
are random oracles controlled by
A_{BDH}
. Note that the master key msk is the value a that is unknown to
A_{BDH}
.
Now, the algorithm
A_{BDH}
starts to respond various queries as follows:
H_{1} queries
: We assume that the adversary
A_{I}
’s queries to the random oracle
H
_{1}
are distinct. The algorithm
A_{BDH}
maintains a list
H
_{1}
List
of tuples (
id_{i}
,
PK_{i}
,
Q_{i}
,
Cert_{i}
). On receiving such a query on (
id_{i}
,
PK_{i}
), it does the following: (1) If idi already appears on the list
H
_{1}
List
in a tuple (
id_{i}
,
PK_{i}
,
Q_{i}
,
Cert_{i}
), then it outputs
Q_{i}
to the adversary
A_{I}
. (2) Else if the query is on the
θ
th distinct identity
id_{θ}
, it sets
h
_{1i}
=
P^{b}
, inserts a new tuple (
id_{i}
,
PK_{i}
,
Q_{i}
, ⊥) into the list
H
_{1}
List
and then returns
Q_{i}
. (3) Otherwise, it randomly choose
s_{i}
∈
, sets
Q_{i}
=
P^{si}
and
Cert_{i}
= (
P^{a}
)
^{si}
, inserts a new tuple (
id_{i}
,
PK_{i}
,
Q_{i}
,
Cert_{i}
) into the list
H
_{1}
List
and then returns
Q_{i}
.
H_{2} queries
: The algorithm
A_{BDH}
maintains a list
H
_{2}
List
of tuples (
M
,
σ
,
id_{i}
,
PK_{i}
,
r
). On receiving such a query on (
M
,
σ
,
id_{i}
,
PK_{i}
), it checks whether (
M
,
σ
,
id_{i}
,
PK_{i}
) already appears on the list
H
_{2}
List
in a tuple (
M
,
σ
,
id_{i}
,
PK_{i}
,
r
). If so, it outputs
r
. Otherwise, it outputs a random value
r
∈
to
A_{I}
and inserts a new tuple (
M
,
σ
,
id_{i}
,
PK_{i}
,
r
) into the list
H
_{2}
List
.
H_{3} queries
: The algorithm
A_{BDH}
maintains a list
H
_{3}
List
of tuples (
id_{i}
,
PK_{i}
,
t_{i}
,
R_{i}
). On receiving such a query on (
id_{i}
,
PK_{i}
,
P_{pub}
), it checks whether (
id_{i}
,
PK_{i}
) already appears on the list
H
_{3}
List
in a tuple (
id_{i}
,
PK_{i}
,
t_{i}
,
R_{i}
). If so, it returns
R_{i}
to
A_{I}
directly. Otherwise, it randomly chooses
t_{i}
∈
, sets
R_{i}
=
P^{ti}
, inserts a new tuple (
id_{i}
,
PK_{i}
,
t_{i}
,
R_{i}
) into
H
_{3}
List
and returns
R_{i}
to
A_{I}
.
H_{4} queries
: The algorithm
A_{BDH}
maintains a list
H
_{4}
List
of tuples (
σ
,
h
_{4}
). On receiving such a query on
σ
, it checks whether
σ
already appears on the list
H
_{4}
List
in a tuple (
σ
,
h
_{4}
). If so, it returns
h
_{4}
to
A_{I}
directly. Otherwise, it returns a random value
h
_{4}
∈ {0, 1}
^{n}
and inserts a new tuple (
σ
,
h
_{4}
) into the list
H
_{4}
List
.
H_{5} queries
: The algorithm
A_{BDH}
maintains a list
H
_{5}
List
of tuples (
id_{i}
,
id_{j}
,
K
_{1}
,
K
_{2}
,
h
_{5ij}
). On receiving such a query on (
id_{i}
,
id_{j}
,
K
_{1}
,
K
_{2}
), it checks whether (
id_{i}
,
id_{j}
,
K
_{1}
,
K
_{2}
) already appears on the list
H
_{5}
List
in a tuple (
id_{i}
,
id_{j}
,
K
_{1}
,
K
_{2}
,
h
_{5ij}
). If so, it returns
h
_{5ij}
to
A_{I}
directly. Otherwise, it returns a random value
h
_{5ij}
∈
G
and inserts a new tuple (
id_{i}
,
id_{j}
,
K
_{1}
,
K
_{2}
,
h
_{5ij}
) into the list
H
_{5}
List
.
O^{UserCreate} queries
: The algorithm
A_{BDH}
maintains a list
KeyList
of tuples (
id_{i}
,
PK_{i}
,
SK_{i}
). On receiving such a query on id
_{i}
, it checks whether the identity
id_{i}
already appears on the list
KeyList
in a tuple (
id_{i}
,
PK_{i}
,
SK_{i}
). If so, it returns
PK_{i}
to
A_{I}
directly. Otherwise, it randomly chooses
x_{i}
∈
as
SK_{i}
, computes
PK_{i}
=
P^{xi}
, inserts a new tuple (
id_{i}
,
PK_{i}
,
SK_{i}
) into the list
KeyList
and then returns
PK_{i}
.
O^{Corrupt} queries
: On receiving such a query on
id_{i}
,
A_{BDH}
searches
id_{i}
in the list
KeyList
to find a tuple (
id_{i}
,
PK_{i}
,
SK_{i}
) and returns
SK_{i}
to
A_{I}
.
O^{Certificate} queries
: On receiving such a query on
id_{i}
,
A_{BDH}
aborts if
id_{i}
=
id_{θ}
. Otherwise, it searches
id_{i}
in the list
H
_{1}
List
to find a tuple (
id_{i}
,
PK_{i}
,
Q_{i}
,
Cert_{i}
) and returns
Cert_{i}
to
A_{I}
.
O^{ReKeyGen} queries
: On receiving such a query on (
id_{i}
,
id_{j}
),
A_{BDH}
aborts if
id_{i}
=
id_{θ}
. Otherwise, it respectively retrieves the private key
SK_{i}
and certificate
Cert_{i}
associated with the identity
id_{i}
and the public key
PK_{j}
associated with the identity
id_{j}
, then computes
ReKeyGen
(
params
,
id_{i}
,
SK_{i}
,
Cert_{i}
,
id_{j}
,
PK_{j}
) and outputs the result to
A_{I}
.
O^{ReEncrypt} queries
: On receiving such a query on (
id_{i}
,
id_{j}
,
C_{i}
= (
U_{i}
,
V_{i}
,
W_{i}
)),
A_{BDH}
does the following: (1) If
id_{i}
=
id_{θ}
, it searches in the list
H
_{2}
List
for a tuple (
M
,
σ
,
id_{i}
,
PK_{i}
,
r
) such that
U_{i}
=
P^{r}
,
V_{i}
=
σ
⋅
e
(
P_{pub}
,
H
_{1}
(
id_{i}
,
PK_{i}
))
^{r}
⋅
e
(
PK_{i}
,
H
_{3}
(
id_{i}
,
PK_{i}
,
P_{pub}
))
^{r}
and
W_{i}
=
M
⊕
H
_{4}
(
σ
). The query is rejected if no such tuple is found. Otherwise, it sets
V_{j}
=
σ
⋅
e
(
U_{i}
,
H
_{5}
(
id_{i}
,
id_{j}
,
e
(
H
_{1}
(
id_{i}
,
PK_{i}
),
Cert_{j}
),(
PK_{i}
)
^{SKj}
)) and returns
C_{j}
= (
id_{i}
,
U_{i}
,
V_{j}
,
W_{i}
) as the reencryption ciphertext to
A_{I}
. (2) Otherwise, it makes a query
O^{ReKeyGen}
(
id_{i}
,
id_{j}
) to obtain a reencryption key
RK
_{i→j}
and then returns the result of
ReEncrypt
(
params
,
C_{i}
,
RK
_{i→j}
) to
A_{I}
. Note that a valid ciphertext submitted to this oracle is rejected with probability smaller than
q_{ren}
/2
^{k}
across the whole game.
O^{Decrypt} queries
: On receiving such a query on (
id_{i}
,
C_{i}
),
A_{BDH}
does the following: (1) If
id_{i}
=
id_{θ}
and
C_{i}
= (
U_{i}
,
V_{i}
,
W_{i}
) is an original ciphertext, it searches in the list
H
_{2}
List
for a tuple (
M
,
σ
,
id_{i}
,
PK_{i}
,
r
) such that
U_{i}
=
rP
,
V_{i}
=
σ
⋅
e
(
P_{pub}
,
H
_{1}
(
id_{i}
,
PK_{i}
))
^{r}
⋅
e
(
PK_{i}
,
H
_{3}
(
id_{i}
,
PK_{i}
,
P_{pub}
))
^{r}
and
W_{i}
=
M
⊕
H
_{4}
(
σ
). If no such tuple is found, it rejects this query. Otherwise, it returns
M
in this tuple to
A_{I}
. (2) Else if
id_{i}
=
id_{θ}
and
C_{i}
= (
id_{j}
,
U_{j}
,
V_{i}
,
W_{j}
) is a transformed ciphertext, it queries the oracle
O^{ReKeyGen}
on (
id_{j}
,
id_{i}
) to obtain a reencryption key
RK
_{j→i}
and computes
V_{j}
=
V_{i}
/
RK
_{j→i}
. It then searches in the list
H
_{2}
List
for a tuple (
M
,
σ
,
id_{j}
,
PK_{j}
,
r
) such that
U_{j}
=
rP
,
V_{j}
=
σ
⋅
e
(
P_{pub}
,
H
_{1}
(
id_{j}
,
PK_{j}
))
^{r}
⋅
e
(
PK_{j}
,
H
_{3}
(
id_{j}
,
PK_{j}
,
P_{pub}
))
^{r}
and
W_{j}
=
M
⊕
H
_{4}
(
σ
). If no such tuple is found, B rejects this query. Otherwise, it returns
M
in this tuple to
A_{I}
. (3) Otherwise, it obtains
SK_{i}
and
Cert_{i}
associated with the identity
id_{i}
and then returns the result of
Decrypt
(
params
,
C_{i}
,
SK_{i}
,
Cert_{i}
). Note that a valid ciphertext submitted to this oracle is rejected with probability smaller than
q_{dec}
/2
^{k}
.
In the challenge phase,
A_{I}
outputs (
M
_{0}
,
M
_{1}
,
id_{ch}
) on which it wants to be challenged. If
id_{ch}
≠
id_{θ}
, then
A_{BDH}
aborts. Otherwise, it sets
U_{ch}
=
cP
, randomly chooses
V_{ch}
∈
G_{T}
,
W_{ch}
∈ {0, 1}
^{n}
, and returns
C_{ch}
= (
U_{ch}
,
V_{ch}
,
W_{ch}
) as the challenge ciphertext to
A_{I}
.
In the guess phase,
A_{I}
outputs a bit
b′
which is ignored by
A_{BDH}
. Observe that the decryption of
C_{ch}
is
W_{ch}
⊕
H
_{4}
(
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
)) where
R_{ch}
=
H
_{3}
(
id_{ch}
,
PK_{ch}
,
P_{pub}
).
To produce a result,
A_{BDH}
randomly picks a tuple (
σ
,
h
_{4}
) from the list
H
_{4}
List
, retrieves the value
t_{ch}
from the tuple (
id_{ch}
,
PK_{ch}
,
t_{ch}
,
R_{ch}
) in the list
H
_{3}
List
and returns
as the solution to the given BDH problem.
Note that if
σ
=
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
), then
V_{ch}
=
σ
⋅
e
(
P_{pub}
,
Q_{ch}
)
^{c}
⋅
e
(
PK_{ch}
,
R_{ch}
)
^{c}
, where
Q_{ch}
=
H
_{1}
(
id_{ch}
,
PK_{ch}
). Thus, we have
We now estimate
A_{BDH}
’s advantage in solving the BDH problem.
Let
Fail
denote the event that the above simulation fails and
QueryH_{4}
the event that
A_{I}
makes a query
H
_{4}
(
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
). From the above simulation, the event
Fail
occurs if any one of the following five events occurs: (1)
E_{1}
: In the challenge phase,
A_{I}
does not choose
id_{θ}
as the challenge identity; (2)
E_{2}
:
A_{I}
queries the oracle
O^{Certificate}
on
id_{θ}
; (3)
E_{3}
:
A_{I}
queries the oracle
O^{ReKeyGen}
on (
id_{θ}
,
id_{j}
); (4)
E_{4}
:
A_{BDH}
rejects a valid ciphertext submitted to the oracle
O^{ReEncrypt}
; (5)
E_{5}
:
A_{BDH}
rejects a valid ciphertext submitted to the oracle
O^{Decrypt}
.
We clearly have that Pr[¬
E_{1}
] = 1/
q
_{1}
and ¬
E_{1}
implies ¬
E_{2}
and ¬
E_{3}
. We also already observed that Pr[
E_{4}
] ≤
q_{ren}
/2
^{k}
and Pr[
E_{5}
] ≤
q_{dec}
/2
^{k}
. Thus, the probability that the above simulation does not fail is
Let
Event
be the event
QueryH_{4}
 ¬
Fail
. It is clear that if
Event
does not happen, then
A_{I}
does not gain any advantage greater than 1/2 in guessing
b
. Namely, we have the probability Pr[
b
=
b
′¬
Event
] = 1/2. Hence, by splitting the probability Pr[
b
=
b
′], we obtain Pr[
b
=
b
′]= Pr[
b
=
b
′¬
Event
]⋅Pr[¬
Event
] + Pr[
b
=
b
′
Event
]⋅Pr[
Event
] ≤ Pr[¬
Event
]/2 + Pr[
Event
] = 1/2 + Pr[
Event
]/2. By the definition of the advantage in
INDCBPRECCA2 Game
, we have
ε
≤ 2Pr[
b
=
b
′]  1/2 ≤ Pr[
Event
] ≤ Pr[
QueryH_{4}
]/Pr[¬
Fail
]. Hence, we get
Finally, we get the announced bound on
A_{BDH}
’s advantage in solving the BDH problem by noting that
A_{BDH}
selects the correct tuple from the list
H
_{4}
List
with probability 1/
q
_{4}
.
Lemma 2.
Assume that a TypeII adversary
A_{II}
has an advantage
ε
against our CBPRE scheme when asking at most
q_{uc}
queries to the oracle
O^{UserCreate}
,
q_{cr}
queries to the oracle
O^{Corrupt}
,
q_{rk}
queries to the oracle
O^{ReKeyGen}
,
q_{ren}
queries to the oracle
O^{ReEncrypt}
,
q_{dec}
queries to the oracle
O^{Decrypt}
and
q_{i}
queries to the random oracles
H_{i}
(
i
= 1,2,3,4,5) respectively, then there exists an algorithm
A_{BDH}
to solve the BDH problem with advantage
Proof.
We show how to construct an algorithm
A_{BDH}
to solve the BDH problem. Assume that
A_{BDH}
is given a random instance (
P
,
aP
,
bP
,
cP
) of the BDH problem in (
G
,
G_{T}
) and asked to compute
e
(
P
,
P
)
^{abc}
. In order to solve the given problem,
A_{BDH}
needs to simulate a challenger and all oracles for the adversary
A_{II}
.
In the setup phase,
A_{BDH}
randomly chooses
α
∈
and sets
P_{pub}
=
αP
. Furthermore, it randomly chooses an index
θ
∈ {1,2,…,
q_{uc}
}. Then, it starts
INDCBPRECCA2 Game
by supplying
A_{II}
with
msk
=
α
and
params
= {
p
,
G
,
G_{T}
,
e
,
n
,
P
,
P_{pub}
,
H
_{1}
,
H
_{2}
,
H
_{3}
,
H
_{4}
,
H
_{5}
}, where
H
_{1}
~
H
_{5}
are random oracles controlled by
A_{BDH}
.
During the queryanswer phase,
A_{BDH}
responds
A_{II}
’s queries to the oracles
H
_{2}
,
H
_{4}
,
H
_{5}
,
O^{ReKeyGen}
,
O^{ReEncrypt}
and
O^{Decrypt}
as in the proof of Lemma 1 and other queries as follows:
H_{1} queries
:
A_{BDH}
maintains a list
H
_{1}
List
of tuples (
id_{i}
,
PK_{i}
,
Q_{i}
). On receiving such a query on (
id_{i}
,
PK_{i}
),
A_{BDH}
checks whether (
id_{i}
,
PK_{i}
) already appears on the list
H
_{1}
List
in a tuple (
id_{i}
,
PK_{i}
,
Q_{i}
). If so, then it returns
Q_{i}
to
A_{II}
. Otherwise, it returns a random value
Q_{i}
∈
to
A_{II}
and inserts a new tuple (
id_{i}
,
PK_{i}
,
Q_{i}
) into the list
H
_{1}
List
.
H_{3} queries
:
A_{BDH}
maintains a list
H
_{3}
List
of tuples (
id_{i}
,
PK_{i}
,
R_{i}
). On receiving such a query on (
id_{i}
,
PK_{i}
,
P_{pub}
),
A_{BDH}
does the following: (1) If (
id_{i}
,
PK_{i}
) already appears on
H
_{3}
List
in a tuple (
id_{i}
,
PK_{i}
,
R_{i}
), it returns
R_{i}
to
A_{II}
directly. (2) Else if
id_{i}
=
id_{θ}
, it returns
R_{i}
=
bP
to
A_{II}
and inserts a new tuple (
id_{i}
,
PK_{i}
,
R_{i}
) into the list
H
_{3}
List
. (3) Otherwise, it returns a random element
R_{i}
∈
G
to
A_{II}
and inserts a new tuple (
id_{i}
,
PK_{i}
,
R_{i}
) into the list
H
_{3}
List
.
O^{UserCreate} queries
:
A_{BDH}
maintains a list
KeyList
of tuples (
id_{i}
,
PK_{i}
,
SK_{i}
). On receiving such a query on
id_{i}
,
A_{BDH}
does the following: (1) If
id_{i}
already appears on
KeyList
in a tuple (
id_{i}
,
PK_{i}
,
SK_{i}
), it returns
PK_{i}
to
A_{II}
directly. (2) Else if the query is on the
θ
th distinct identity
id_{θ}
, it returns
PK_{θ}
=
bP
to
A_{II}
and inserts (
id_{θ}
,
PK_{θ}
, ⊥) into the list
KeyList
. Note that the private key corresponding to
PK_{θ}
is
SK_{θ}
=
b
which is unknown to
A_{BDH}
. (3) Otherwise, it randomly chooses
x_{i}
∈
as
SK_{i}
, computes
PK_{i}
=
x_{i}P
, inserts a new tuple (
id_{i}
,
PK_{i}
,
SK_{i}
) into the list
KeyList
and then returns
PK_{i}
to
A_{II}
.
In the challenge phase,
A_{II}
outputs (
M
_{0}
,
M
_{1}
,
id_{ch}
) on which it wants to be challenged. If
id_{ch}
≠
id_{θ}
, then
A_{BDH}
aborts. Otherwise, it sets
U_{ch}
=
cP
, randomly chooses
V_{ch}
∈
G_{T}
,
W_{ch}
∈ {0, 1}
^{n}
, and returns
C_{ch}
= (
U_{ch}
,
V_{ch}
,
W_{ch}
) as the challenge ciphertext to
A_{II}
.
In the guess phase,
A_{II}
outputs a bit
b′
which is ignored by
A_{BDH}
. Observe that the decryption of
C_{ch}
is
W_{ch}
⊕
H
_{4}
(
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
)) where
R_{ch}
=
H
_{3}
(
id_{ch}
,
PK_{ch}
,
P_{pub}
). To produce a result,
A_{BDH}
randomly picks a tuple (
σ
,
h
_{4}
) from the list
H
_{4}
List
and returns
as the solution to the given BDH problem, where
Q_{ch}
=
H
_{1}
(
id_{ch}
,
PK_{ch}
).
Note that if
σ
=
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
), then
V_{ch}
=
σ
⋅
e
(
P_{pub}
,
Q_{ch}
)
^{c}
⋅
e
(
PK_{ch}
,
R_{ch}
)
^{c}
. Thus, we have
We now estimate
A_{BDH}
’s advantage in solving the BDH problem.
Let
Fail
denote the event that the above simulation fails and
QueryH_{4}
the event that
A_{II}
makes a query
H
_{4}
(
V_{ch}
/
e
(
U_{ch}
,
Cert_{ch}
+
SK_{ch}R_{ch}
). From the above simulation, the event
Fail
occurs if any one of the following events occurs: (1)
E_{1}
: In the challenge phase,
A_{II}
does not choose
id_{θ}
as the challenge identity; (2)
E_{2}
:
A_{II}
queries the oracle
O^{Corrupt}
on
id_{θ}
; (3)
E_{3}
:
A_{II}
queries the oracle
O^{ReKeyGen}
on (
id_{θ}
,
id_{j}
); (4)
E_{4}
:
A_{BDH}
rejects a valid ciphertext submitted to the oracle
O^{ReEncrypt}
; (5)
E_{5}
:
A_{BDH}
rejects a valid ciphertext submitted to the oracle
O^{Decrypt}
.
We clearly have that Pr[¬
E_{1}
] = 1/
q_{uc}
and ¬
E_{1}
implies ¬
E_{2}
and ¬
E_{3}
. As in the proof of Lemma 1, we have Pr[
E_{4}
] ≤
q_{ren}
/2
^{k}
and Pr[
E_{5}
] ≤
q_{dec}
/2
^{k}
. Thus, the probability that the above simulation does not fail is
Let
Event
be the event
QueryH_{4}
 ¬
Fail
. It is clear that if
Event
does not happen, then
A_{II}
does not gain any advantage greater than 1/2 in guessing
b
. Namely, we have the probability Pr[
b
=
b
′¬
Event
] = 1/2. Hence, by splitting the probability Pr[
b
=
b
′], we obtain Pr[
b
=
b
′]= Pr[
b
=
b
′¬
Event
]⋅Pr[¬
Event
] + Pr[
b
=
b
′
Event
]⋅Pr[
Event
] ≤ Pr[¬
Event
]/2 + Pr[
Event
] = 1/2 + Pr[
Event
]/2. By the definition of the advantage in
INDCBPRECCA2 Game
, we have
ε
≤ 2Pr[
b
=
b
′]  1/2 ≤ Pr[
Event
] ≤ Pr[
QueryH_{4}
]/Pr[¬
Fail
]. Hence, we get
Finally, we get the announced bound on
A_{BDH}
’s advantage in solving the BDH problem by noting that
A_{BDH}
selects the correct tuple from the list
H
_{4}
List
with probability 1/
q
_{4}
.
 4.3 Performance Comparison
To evaluate the performance of the proposed scheme, we provide a comparison of it and the previous two CBPRE schemes
[4
,
32]
. Without considering precomputation, the details of the compared schemes are listed in
Table 1
. We denote pairing, exponentiation in
G_{T}
, exponentiation in
G
, maptopoint hash and general hash by
P
,
E_{T}
,
E
,
H_{M}
and
H
respectively, the bit length of an element in
G
, an element in
G_{T}
and a message by 
G
, 
G_{T}
 and
n
respectively. In Sur
et al.
’s scheme
[4]
,
k
_{0}
denotes the bitlength of the random values used to encrypt the data, which should be at least 160 in order to obtain a reasonable security.
Performance of the CBPRE schemes
Performance of the CBPRE schemes
To give a more intuitive comparison, we implement these CBPRE schemes using the standard cryptographic library MIRACAL
[34]
. Our experimental platform is a PIV 3GHZ processor with 512MB memory and a Windows XP operation system. To achieve the 1024bit (2048bit) RSA level security, the Tate pairing defined over the supersingular elliptic curve
E
/
F_{p}
:
y
^{2}
=
x
^{3}
+
x
with embedding degree 2 is used, where
p
is a 512bit (1024bit) prime. The simulation results are given in
Table 2
and
Table 3
.
Simulation results of the CBPRE schemes (1024bit security level)
Simulation results of the CBPRE schemes (1024bit security level)
Simulation results of the CBPRE schemes (2048bit security level)
Simulation results of the CBPRE schemes (2048bit security level)
The above comparison shows that our scheme is more efficient than the previous two CBPRE schemes in both the computation cost and the communication cost. Actually, the computation performance of our scheme can be further optimized. If the pairings
e
(
P_{pub}
,
Q_{A}
) and
e
(
PK_{A}
,
R_{A}
) are precomputed, then the algorithm
Encrypt
of our scheme requires computing only two exponentiations in
G_{T}
, one exponentiation in
G
and two general hashes to encrypt a message.
5. Conclusion
In this paper, we develop an efficient CBPRE scheme from pairings and prove it to achieve chosenciphertext security in the random oracle model. Compared with the previous CBPRE schemes, the proposed scheme enjoys obvious advantage in both the computation efficiency and the communication bandwidth. However, as pairing operation is extremely disliked by the powerconstrained devices, it would be interesting to construct CBPRE schemes that do not depend on parings. In addition, the security of our scheme can only be achieved in the random oracle model. So, another interesting problem is to construct secure CBPRE schemes in the standard model.
BIO
Yang Lu received the Ph.D. degree from PLA University of Science and Technology in 2009. He has been working in HoHai University from 2003. Currently, he is an Assistant Professor in College of Computer and Information Engineering. His major research interests include information security and cryptography, network security and cloud security, etc. He has published more than 30 scientific papers in international conferences and journals.
Do J.M.
,
Song Y.J.
,
Park N.
“Attribute based proxy reencryption for data confidentiality in cloud computing environments,”
in Proc. of 2011 First ACIS/JNU International Conference on Computers, Networks, Systems and Industrial Engineering
2011
248 
251
Wang G.
,
Liu Q.
,
Wu J.
2011
“Achieving finegrained access control for secure data sharing on cloud servers,”
Concurrency and Computation: Practice and Experience
23
(12)
1443 
1464
DOI : 10.1002/cpe.1698
Xu L.
,
Wu X.
,
Zhang X.
“CLPKE: a certificateless proxy reencryption scheme for secure data sharing with public cloud,”
in Proc. of the 7th ACM Symposium on Information, Computer and Communications Security
2012
87 
88
Sur C.
,
Park Y.
,
Shin S.U.
,
Rhee K.H.
,
Seo C.
“Certificatebased proxy reencryption for public cloud storage,”
in Proc. of the 7th International Conference on Innovative Mobile and Internet Services in Ubiquitous Computing
2013
159 
166
Lee S.H.
,
Lee I.Y.
2013
“A secure index management scheme for providing data sharing in cloud storage,”
Journal of Information Processing Systems
9
(2)
287 
300
DOI : 10.3745/JIPS.2013.9.2.287
Seo S.H.
,
Nabeel M.
,
Ding X.
,
Bertino E.
2013
“An efficient certificateless encryption for secure data sharing in public clouds,”
IEEE Transactions on Knowledge and Data Engineering
26
(9)
2107 
2119
DOI : 10.1109/TKDE.2013.138
Liang K.
,
Au M.H.
,
Liu J.K.
,
Susilo W.
,
Wong D.S.
,
Yang G.
,
Phuong T.V.X.
,
Xie Q.
2014
“A DFAbased functional proxy reencryption scheme for secure public cloud data sharing,”
IEEE Transactions on Information Forensics and Security
9
(10)
1667 
1680
DOI : 10.1109/TIFS.2014.2346023
Liu Q.
,
Wang G.
,
Wu J.
2014
“Timebased proxy reencryption scheme for secure data sharing in a cloud environment,”
Information Sciences
258
355 
370
DOI : 10.1016/j.ins.2012.09.034
Han N.D.
,
Han L.
,
Tuan D.M.
,
In H.P.
,
Jo M.
2014
“A scheme for data confidentiality in cloudassisted wireless body area networks,”
Information Sciences
284
157 
166
DOI : 10.1016/j.ins.2014.03.126
Li J.W.
,
Li J.
,
Liu Z.
,
Jia C.
2014
“Enabling efficient and secure data sharing in cloud computing,”
Concurrency and Computation: Practice and Experience
26
(5)
1052 
1066
DOI : 10.1002/cpe.3067
Blaze M.
,
Bleumer G.
,
Strauss M.
“Divertible protocols and atomic proxy cryptography,”
in Proc. of Advances in Cryptology  Eurocrypt 1998
1998
127 
144
Ateniese G.
,
Fu K.
,
Green M.
,
Hohenberger S.
2006
“Improved proxy reencryption schemes with applications to secure distributed storage,”
ACM Transactions on Information and System Security
9
(1)
1 
30
DOI : 10.1145/1127345.1127346
Canetti R.
,
Hohenberger S.
“Chosenciphertext secure proxy reencryption,”
in Proc. of the 14th ACM conference on Computer and Communications Security
2007
185 
194
Deng R.H.
,
Weng J.
,
Liu S.
,
Chen K.
“Chosenciphertext secure proxy reencryption without pairings,”
in Proc. of CANS 2008
2008
1 
17
Libert B.
,
Vergnaud D.
“Unidirectional chosenciphertext secure proxy reencryption,”
in Proc. of Public Key Cryptography  PKC 2008
2008
360 
379
Shao J.
,
Cao Z.
“CCAsecure proxy reencryption without pairings,”
in Proc. of Public Key Cryptography  PKC 2009
2009
357 
376
Green M.
,
Ateniese G.
“Identitybased proxy reencryption,”
in Proc. of ACNS 2007
2007
288 
306
Chu C.K.
,
Tzeng W.G.
“Identitybased proxy reencryption without random oracles,”
in Proc. of Information Security 2007
2007
189 
202
Matsuo T.
“Proxy reencryption systems for identitybased encryption,”
in Proc. of PairingBased Cryptography  Pairing 2007
2007
247 
267
Luo S.
,
Shen Q.
,
Chen Z.
“Fully secure unidirectional identitybased proxy reencryption,”
in Proc. of Information Security and Cryptology  ICISC 2011
2012
109 
126
AlRiyami S.S.
,
Paterson K.G.
“Certificateless public key cryptography,”
in Proc. of Advances in Cryptology  Asiacrypt 2003
2003
452 
473
Gentry C.
“Certificatebased encryption and the certificate revocation problem,”
in Proc. of Advances in Cryptology  Eurocrypt 2003
2003
272 
293
Sur C.
,
Jung C. D.
,
Rhee K. H.
“Multireceiver certificatebased encryption and application to public key broadcast encryption,”
in Proc. of 2007 ECSIS Symposium on Bioinspired, Learning, and Intelligent Systems for Security
2007
35 
40
Galindo D.
,
Morillo P.
,
Ràfols C.
2008
“Improved certificatebased encryption in the standard model,”
Journal of Systems and Software
81
(7)
1218 
1226
DOI : 10.1016/j.jss.2007.09.009
Liu J. K.
,
Zhou J.
“Efficient certificatebased encryption in the standard model,”
in Proc. of 6th Int. Conf. on Security and Cryptography for Networks
2008
144 
155
Lu Y.
,
Li J.
,
Xiao J.
2009
“Constructing efficient certificatebased encryption with paring,”
Journal of Computers
4
(1)
19 
26
DOI : 10.4304/jcp.4.1.1926
Yao J.
,
Li J.
,
Zhang Y.
2013
“Certificatebased encryption scheme without pairing,”
KSII Transactions on Internet and Information Systems
7
(6)
1480 
1491
DOI : 10.3837/tiis.2013.06.008
Hyla T.
,
Maćków W.
,
Pejaś J.
“Implicit and explicit certificatesbased encryption scheme,”
in Proc. of the 13th IFIP TC8 International Conference on Computer Information Systems and Industrial Management
2014
651 
666
Lu Y.
,
Li J.
2014
“Efficient construction of certificatebased encryption secure against public key replacement attacks in the standard model,”
Journal of Information Science and Engineering
30
(5)
1553 
1568
Bellare M.
,
Rogaway P.
“Random oracles are practical: a paradigm for designing efficient protocols,”
in Proc. of 1st ACM Conf. on Communications and Computer Security
1993
62 
73
Li J.
,
Zhao X.
,
Zhang Y.
“Certificatebased conditional proxy reencryption,”
in Proc. of the 8th International Conference on Network and System Security
2014
299 
310
Boneh D.
,
Franklin M.
“Identitybased encryption from the Weil pairing,”
in Proc. of Advances in Cryptology  Crypto 2001
2001
213 
229
MIRACL, Multiprecision integer and rational arithmetic cryptographic library
http://certivox.org/display/EXT/MIRACL