You are on page 1of 5

Key Policy Attribute-based Proxy Re-encryption

with Matrix Access Structure
Keying Li
Department of Mathematics
Xidian University
Xi’an 710071, P.R.China
Email: likeying818@163.com
Yinghui Zhang
State Key Laboratory of Integrated Service Networks (ISN)
Xidian University
Xi’an 710071, P.R.China
Email: prrd2007@163.com
Hua Ma
Department of Mathematics
Xidian University
Xi’an 710071, P.R.China
Email: ma hua@126.com
Abstract—Cloud computing has achieved rapid development.
The cloud server even provides unlimited storage and powerful
computing capability as services. A lot of attribute-based
schemes have been constructed for cloud computing to come
into practical applications. To our knowledge, there seems no
flexible key policy attribute-based proxy re-encryption (KP-
AB-PRE) scheme in the literature, which is a promising
cryptographic primitive. In this paper, we propose a KP-AB-
PRE scheme, in which the cloud server can function as the
proxy. In the proposed scheme, matrix access structure is used
for the key policy. Furthermore, our construction enjoys the
desirable properties of unidirectionality, non-interactivity, and
multi-Use, and the secret key security is guaranteed.
Keywords-key policy; attribute-based encryption; proxy re-
encryption; matrix access structure;
I. INTRODUCTION
Cloud computing is a promising computing paradigm
which recently has drawn extensive attention from both
academia and industry [1], [2]. Especially, cloud computing
is used to provide data storage for internet businesses. It
has become a great solution for providing a flexible, on-
demand, and dynamically scalable computing infrastructure
for many applications. The businesses could utilize these
characteristics to increase revenue [3]. As compared to
building their own infrastructures, users are able to save their
investments significantly by migrating businesses into the
cloud. With the increasing development of cloud computing
technologies, in the near future more and more businesses
will be moved into the cloud [4].
As promising as it is, this paradigm also has many
new challenges for data security and access control when
users outsource sensitive data for sharing on cloud servers.
These challenges come from the fact that cloud servers are
generally operated by commercial providers which are very
likely to be outside of the trusted domain. Data confidential
against cloud servers is hence frequently desired when users
outsource data for storage and computing in the cloud
servers.
Now we describe an application scenario. The data owner
encrypts the message M with the attributes set S
1
using
KP-ABE algorithm [11] that the key policy is constructed
by LSSS access structure (M
1
, ρ
1
). Then he sends the
ciphertext to the cloud server. U
1
1
can decrypt the ciphertext
if the attributes associated with the ciphertext satisfy his
key’s access structure. But U
1
is on a business trip, he has
no time to deal with the ciphertext. Then he empower his
secretary U
2
to deal with the ciphertext. In this scenario:
a) U
1
don’t want to let anyone know his private key.
b) the cloud proxy updates the ciphertext.
c) U
2
can get the message.
Our Contribution. We present a key policy attribute-based
proxy re-encryption (KP-AB-PRE) scheme. The key policy
realized in our scheme is matrix access structure, and the
proxy can convert the KP-ABE ciphertext under pk
i
into
ciphertext under pk
j
with the help of transform key. Our
scheme inherits the following properties of PRE mentioned
in [5], [6]:
− Unidirectionality. The converting can only from User1
to User2.
− Non-interactivity. The private key generator (PKG) can
compute the transform key without the participation of User1
or User2.
− Multi-Use. The cloud proxy can re-encrypt a ciphertext
multiple times, e.g. re-encrypt from User1 to User2, and then
re-encrypt the result from User2 to User3. In this process, the
computation would increase, but not exponent increasing.
Our scheme has the other properties:
Secret Key Security. The cloud proxy cannot obtain
User1’s secret key even collude with User2.
Re-encryption Control. The encryptor can decide
whether the ciphertext can be re-encrypted [12].
Related Work. Attribute-based encryption was first
proposed by Sahai and Waters [7]. Attribute based
encryption is classified as Ciphertext Policy-Attribute Based
Encryption (CP-ABE) [8] and Key Policy-Attribute Based
Encryption(KP-ABE) [9]. The access structure including
AND and OR gates, tree access structure, and LSSS
1
U
1
could also be a user group that every user has the common attributes
2013 5th International Conference on Intelligent Networking and Collaborative Systems
978-0-7695-4988-0/13 $26.00 © 2013 IEEE
DOI 10.1109/INCoS.2013.17
46
access structure. The notion of PRE was first introduced
by Mambo and Okamoto [10]. Green, Hohenberger, and
Waters [11] first presented outsourcing the decryption of
abe ciphertexts in the cloud environments. Luo, Hu, and
Chen [12] presented a novel ciphertext policy attribute-
based proxy re-encryption (CP-AB-PRE) scheme. For the
purpose of data confidentiality and fine-grained access
control in cloud computing environments, Yu et al. [4]
put forward a system model using Key Policy-Attribute
Based Encryption (KP-ABE) and Proxy Re-Encryption
(PRE). Do, Song, and Park [13] propose system model that
store and divide data file into header, body. In addition,
their scheme selectively delegate decryption right using
Type-based Proxy re-encryption. Zhao, Feng, et al. [17]
raised Attribute-Based Conditional Proxy Re-Encryption
with Chosen-Ciphertext Security. Mizuno and Doi [18]
come up with Hybrid Proxy Re-encryption Scheme for
Attribute-Based Encryption.
Organization. The paper is organized as follows. We give
necessary background knowledge and assumptions in Sec-
tion 2. We present our scheme and security model, then
construct and give security analysis in Section 3. We discuss
the scheme and the follow-up work in Section 4. In Section
5, we give the conclusions of our work.
II. PRELIMINARIES
A. Bilinear Maps
Let G and G
T
be two multiplicative cyclic groups of
prime order p. Let g be a generator of Gand e : G×G →G
T
be a bilinear map with the properties:
1. Bilinearity: for all u, v ∈ G and a, b ∈ Z
p
, we have
e(u
a
, v
b
) = e(u, v)
ab
.
2. Non-degeneracy: e(g, g) = 1. We say that G is a
bilinear group if the group operation in G and the bilinear
map e: G×G →G
T
are both efficiently computable.
B. Access Structure
Definition 1 (Access Structure [14]) Let {P
1
, P
2
, · · · ,
P
n
} be a set of parties. A collection A ⊆ 2
{P1,P2,··· ,Pn}
is
monotone if ∀B, C : if B ∈ A and B ⊆ C then C ∈ A. An
access structure (respectively, monotone access structure) is
a collection (resp., monotone collection) A of non-empty
subsets of {P
1
, P
2
, · · · , P
n
}, i.e., A ⊆ 2
{P1,P2,··· ,Pn}
\{∅}
The sets in A are called the authorized sets, and the sets not
in A are called the unauthorized sets.
C. LSSS and Monotone Span Programs [9]
LSSS has a close relation with a linear algebraic model
of computation called monotone span programs (MSP) [15].
It has been shown that the existence of an efficient LSSS
for some access structure is equivalent to the existence of a
small monotone span program for the characteristic function
of that access structure [14], [15].
Using Access Trees. Some prior ABE works (e.g. [9])
described access formulas in binary trees. Using standard
techniques [14] one can convert any monotonic boolean
formula into an LSSS representation. An access tree of l
nodes can be converted into an LSSS matrix of l rows.
D. The Bilinear Diffie-Hellman (BDH) Problem
Definition 2 DBDH Assumption
The decisional BDH assumption [7], [16] is that no
probabilistic polynomial-time algorithm B can distinguish
the tuple (A = g
a
; B = g
b
; C = g
c
; e(g; g)
abc
) from the
tuple (A = g
a
; B = g
b
; C = g
c
; e(g; g)
z
) with more than a
negligible advantage.
III. PROXY RE-ENCRYPT KP-ABE CIPHERTEXT
A. Algorithms of KP-AB-PRE
In our scheme, from the system level, there are six
algorithms as follows:
Setup(λ,U). This algorithm takes the security parameter
κ and a universe description of attributes as input and then
generates a public key PK, a master secret key MSK.
Encrypt(PK;M;S
1
). This algorithm takes as input a
message M, a set of attributes S
1
, and PK. It output the
ciphertext CT.
KeyGen(MSK;(M
1
; ρ
1
). This algorithm takes as input an
access structure A
1
, the master key MSK and the public
parameters. It outputs a decryption key SK
1
.
TransformKey(MSK,S
2
). It firstly call the KeyGen al-
gorithm, output the transform key. Then call the Encrypt
algorithm to encrypt g
αd
under the attributes set S
2
.
ReEnc(TK,CT). This algorithm takes as input the TK,
CT that is associated with S
1
. At final, it output the updated
ciphertext-CT

.
Decryption(SK
1
, SK
2
;CT, CT

). This algorithm takes
as input secret key and the ciphertext. Output the message
M.
Fig.1 KP-AB-PRE System
B. Security Model for Our Scheme
Through the analysis of the above algorithms, we need to
construct two security models [12]. One is for the system
level and the other is for the private key.
47
1) Selective-Policy Model for KP-AB-PRE:
Init: The adversary declares the set of attributes S

, that
he wishes to be challenged upon. Then he commits to the
challenge key policy A

1
.
Setup: The challenger runs the Setup algorithm and gives
PK to A.
Phase 1: A makes the queries as follows.
− Extract(S

1
): A submits an attribute list S

1
for a
KeyGen query where S

1
A

1
, the challenger gives the
adversary the secret key SK
S

1
.
− TKExtract(SK
S

1
, A

1
): A submits SK
S

1
and access
structure A

1
for a TK query, the challenger gives the
adversary the transform key TK
S

1
.
Challenge: A submits two equal-length messages M
0
,
M
1
to the challenger. The challenger flips a random coin
b, then Encrypt(PK,M
b
, S

1
) and compute ReEnc(TK,CT),
gives the 1st level ciphertext to the adversary.
Phase 2: Phase 1 is repeated.
Guess: A outputs a guess b

of b.
The advantage of A in this game is defined as
Adv
A
= |Pr[b

= b] −1/2|.
2) Selective Secret Key Security Model:
Init: The adversary declares the set of attributes S

that
he wishes to be challenged upon. Then he commits to the
challenge ciphertext policy A

1
.
Setup: The challenger runs the Setup algorithm and gives
PK to A.
Phase 1: A makes the queries as follows.
− Extract(S

1
): A submits an attribute list S

1
for a
KeyGen query where S

1
= S

, the challenger computes
the secret key SK
S

1
.
− TKExtract(S

1
, A

1
): A submits S

1
and access structure
A

1
for a TK query, the challenger gives the adversary the
transform key TK
S

1
.
Output: A outputs SK
S
∗ for the attribute list S

, then
A succeeds.
The advantage of A in this game is defined as Adv
A
=
Pr[Asucceeds].
C. The Proposed Scheme
The first three algorithms is the same as in [11]:
Setup(λ,U). The setup algorithm takes as input a universe
description U and the security parameter. Let U = {0, 1}

.
It then chooses a group G of prime order p, a generator g
and a hash function F that maps {0, 1}

to G. Furthermore,
it randomly chooses values α ∈ Z
p
and g
1
, h ∈ G. The
authority sets α as the master secret key. MSK=α. The public
key is published as
PK = g; g
1
; g
α
; h; F
Encrypt(PK;M;S
1
). The encryption algorithm takes as
input the public parameters PK, a message M, and a set of
attributes S
1
. It chooses a random s
1
∈ Z
p
. The 2nd-level
2
ciphertext is published as CT = (S
1
;C
0
) where
CT
0
= M · e(g, h)
αs1
; C
1
= g
s1
; C

1
= g
s1
1
; {C
x
=
F(x)
s1
}
x∈S1
KeyGen(MSK;(M
1

1
)). The KeyGen algorithm takes as
input MSK and security parameter. Furthermore, it takes as
input an LSSS access structure (M
1
; ρ
1
). The function ρ
1
associates rows of M
1
to attributes. Let M
1
be an l
1
×n
1
ma-
trix. It first chooses a random vector
−→
v
1
= (α, y
2
, · · · , y
n
) ∈
Z
n
p
, which are used to share the encryption exponent α. For
i = 1 to l, it calculates λ
1,i
=
−→
v
1
· M
1,i
, where M
1,i
is the
vector corresponding to the ith row of M. In addition, the
algorithm chooses random r
11
, · · · , r
1l
∈ Z
p
. The SK
1
is
published as :
(D
11
= h
λ11
· F(ρ
1
(1))
r11
, R
11
= g
r11
), · · · , (D
1l
=
h
λ
1l
· F(ρ
1
(l))
r
1l
, R
1l
= g
r
1l
)
along with a description of (M
1
; ρ
1
).
TransformKey(SK
1
,(M
1
, ρ
1
)). The Transform key algo-
rithm calls the KeyGen algorithm, then chooses random d ∈
Z
p
, and compute g
λ1,id
1
, g
αd
. Then encrypt g
αd
with the pub-
lic key (attributes) of User2 using the Encrypt(PK;g
αd
; S
2
)
algorithm. It output CT
1
= En
S2
(g
αd
) and the TK as:
(D

11
= h
λ11
· F(ρ
1
(1))
r

11
· g
λ11d
1
, R
11
= g
r

11
), · · · ,
(D

1l
= h
λ
1l
· F(ρ
1
(l))
r

1l
· g
λ
1l
d
1
, R
1l
= g
r

1l
)
ReEnc(TK,CT). The ReEnc algorithm takes as input
the CT, public parameters PK. The Re-encryption algorithm
then takes as input S
1
. Suppose that S
1
satisfies the access
structure (M
1
; ρ
1
) and let I
1
⊂ {1, 2, · · · , l
1
} be defined as
I
1
= {i : ρ
1
(i) ∈ S
1
}. Then, let {ω
i
∈ Z
p
}
i∈I1
be a set of
constants such that if λ
1i
are valid shares of any secret α
according to M
1
, then

i∈I1
ω
i
λ
1i
= α. It calculate CT
2
as follow:
CT
2
=
e(C
1
,

i∈I1
D

ωi
1i
)

i∈I1
e(R
1i
, C
ωi
ρ1(i)
)
=
e(g
s1
,

i∈I1
(h
λ1iωi
· F(ρ
1
(i))
r

1i
ωi
· g
λ1idωi
1
))
(

i∈I1
e(g
r

1i
, F(ρ
1
(i))
s1ωi
))
= e(g, h)
s1α
e(g, g
1
)
s1αd
The 1st-level CT

:
CT
0
= M · e(g, h)
αs1
; CT
1
= En
S2
(g
αd
); C
1
= g
s1
;
C

1
= g
s1
1
;CT
2
Decryption(SK
1
, SK
2
;CT,CT’). U
1
can decrypt the ci-
phertext if the attributes associated with the ciphertext satisfy
2
In our proxy re-encrypt KP-ABE CT scheme, a 2nd-level ciphertext
is an original ABE ciphertext and a 1st-level ciphertext is a transformed
ciphertext.
48
his key’s access structure, and if the attributes satisfy U
2

access structure he could get the message.
Dec
2
(SK
1
, CT). The decryption algorithm takes as input
a private key SK
1
and CT. Suppose that S
1
satisfies the ac-
cess structure (M
1
; ρ
1
). The decryption algorithm computes
ct
2
=
e(C
1
,

i∈I1
D
ωi
1i
)

i∈I1
e(R
1i
, C
ωi
ρ1(i)
)
= e(g, h)
s1α
then get M = CT
0
/ct
2
Dec
1
(SK
2
, CT

). User2 decrypts CT
1
using his secret
key sk
j
to get g
αd
. Next, calculate CT
3
= e(g
αd
, g
s1
1
) =
e(g, g
1
)
s1αd
. Finally, it calculate CT
0
· CT
3
/CT
2
= M.
D. Security Analysis
Theory 1. If there is an adversary who breaks our scheme
in selective the transform key security model to get User1’s
SK
S1
, then he can solve discrete logarithm problem.
Proof. In the security model, the simulator B runs A.
The adversary A commits to a challenge attribute list S

.
To provide a public key PK to A, B generate PK =
g; g
α

; F
1
, · · · , F
S
; h. A makes queries.
− Extract(S

1
): A submits an attribute list S

1
for a
KeyGen query where S

1
= S

, B randomly choose
λ

11
, · · · , λ

1l
,r
11
, · · · , r
1l
, computes the secret key SK
S

1
:
(D
11
= h
λ

11
·F(ρ
1
(1))
r11
, R
1
= g
r11
), · · · , (D
1l
= h
λ

1l
·
F(ρ
1
(l))
r
1l
, R
1l
= g
r
1l
)
− TKExtract(S

1
,A

1
): A submits an attribute list S

1
for
a transform key query, B runs the TransformKey algorithm.
TK : (D

11
= h
λ

11
· F(ρ
1
(1))
r

11
· g
λ

11
d

1
, R

1
= g
r

11
),· · · ,
(D

1l
= h
λ

1l
· F(ρ
1
(l))
r

1l
· g
λ

1l
d

1
, R

1
= g
r

1l
)
If the proxy collude with the User2, he can get g
α

d

from
User2. If he want to get SK
S

1
, he must firstly compute
g
λ

11
d

1
, · · · , g
λ

1l
d

1
, it equal to solve discrete logarithm
problem, and he knows nothing about the random parameter
r
11
, · · · , r
1l
.
Theory 2. Our KP-ABPRE scheme is a selectively CPA-
secure construction, as the GPSW KP-ABE scheme [7] is
selectively CPA-secure.
Proof.
3
If there exists a polynomial-time adversary A,
that can break our scheme in the Selective-Policy model
with advantage , it can can play the Decisional BDH game
with advantage /2.
Init: Given a DBDH tuple [g, g
a
, g
b
, g
c
, Z]. The simulator
B runs A. A gives the key policy A

1
to B.
Setup: B randomly choose α

r
←− Z
p
, g, h ∈ G set A =
g
α

. Then it gives the PK to A.
Phase 1: A makes the following queries.
− Extract(S

1
): A submits an attribute list S

1
for a
KeyGen query where S

1
A

1
. B choose λ

11
, · · · , λ

1l
3
The security of the 2nd level ciphertext and CT
1
have been proved
security [11]. We only need to prove the security of 1st level ciphertext.
satisfy that ∃ ω

i
, i ∈ I
1
,

i∈I1
λ

1i
ω

i
= α

. The secret
key SK

1
is:
(D
11
= h
λ

11
· F(ρ
1
(1))
r

11
, R
11
= g
r

11
),· · · ,(D
1l
= h
λ

1l
·
F(ρ
1
(l))
r

1l
, R
1l
= g
r

1l
)
− TKExtract(SK
S

1
, A

1
): A submits SK
S

1
and access
structure A

1
for a TK query. It randomly choose d

∈ Z
P
.
Finally B gives the adversary C = g
d

and the transform
key TK’:
(D

11
= h
λ

11
· F(ρ
1
(1))
r

11
· g
λ

11
d

1
, R
11
= g
r

11
), · · · ,
(D

1l
= h
λ

1l
· F(ρ
1
(l))
r

1l
· g
λ

1l
d

1
, R
1l
= g
r

1l
)
Challenge: A submits two challenge messages M
0
and
M
1
. Then B flips a random coin b ∈ {0, 1} and returns A
the ciphertext as CT
0
= M
b
· e(g; h)
α

s1
; B = C

1
= g
s1
1
;
CT
2
= Z · e(g; h)
α

s1
Phase 2: Phase 1 is repeated.
Guess: A outputs a guess b

of b. B outputs 1 if and only
if b

= b. The advantage of breaking DBDH assumption is
Adv
A
= |Pr[b

= b] −1/2| =
1
2

IV. DISCUSSIONS
A. Multi-Use
To realize the Multi-Use property, the form of the CT
1
is
CT
1
= g
αd
1
· e(g; h)
αs2
; C

2
= g
s2
; C

x
= F(x)
s2
x∈S2
. The
User2’s secret key is :(D
21
= h
λ21
· F(ρ
2
(1))
r21
, R
21
=
g
r21
), · · · , (D
2l
= h
λ
2l
· F(ρ
2
(l))
r
2l
, R
2l
= g
r
2l
) along
with a description of (M
2
; ρ
2
).
B. Re-encryption Control
Note that if the encryptor does not provide g
s1
1
in cipher-
text, the original decryption is not affected but the decryption
of re-encrypted ciphertext cannot go on. That’s because g
s1
1
is only used in decrypting re-encrypted step, so he can
control whether the ciphertext can be re-encrypted.
C. Construction of CCA-Secure KP-AB-PRE
Peikert and Waters [20] first put forward Lossy trapdoor
functions (LTFs), in particular as a means to construct
chosen-ciphertext (CCA) secure public-key encryption (P-
KE) schemes. After that, it drawn extensive attention by a
lot of cryptography scholars. We may construct the CCA-
Secure KP-AB-PRE scheme with the help of it. We can also
reference the work of Zhao, Feng [17]. But it is not an easy
work, we need more time to research.
V. CONCLUSIONS
We present a key policy attribute-based proxy re-
encryption(KP-AB-PRE)scheme, in which the proxy can
be the cloud server. In our scheme, we use matrix access
structure to realize the key policy. The secret key size,
encryption, and decryption time scales linearly with the
complexity of the access formula. Our work result can also
inherit some properties of PRE. In addition, our scheme
49
has secret key security property, the cloud proxy cannot
obtain the secret key information even collude with the
User. Cloud computing is a promising computing paradigm
which has drawn extensive attention from both academia
and commerce. A lot of security work need to do.
ACKNOWLEDGEMENTS
We would like to thank Xiaofeng Chen for the sug-
gestions to improve this paper. Also, we are grateful to
the anonymous referees for their invaluable suggestion-
s. This work is supported by the Fundamental Research
Funds for the Central Universities (K50511010001 and
JY10000901034), the National Natural Science Foundation
of China (No.61070249) and the Graduate Student Innova-
tion Fund of Xidian University (No.K50513100015).
REFERENCES
[1] Xiaofeng Chen, Jin Li, Willy Susilo, Efficient Fair Conditional
Payments for Outsourcing Computations, IEEE Transactions
on Information Forensics and Security, 7(6), pp 1687-1694,
2012.
[2] Xiaofeng Chen, Jin Li, Jianfeng Ma, Qiang Tang, Wenjing Lou,
New Algorithms for Secure Outsourcing of Modular Expo-
nentiations, ESORICS 2012, LNCS 7459, 541-556, Springer-
Verlag, 2012.
[3] T. Mather, S. Kumaraswamy, and S. Latif, Cloud Security and
Privacy. O’Reilly Media, Sep. 2009.
[4] S. Yu, C. Wang, K. Ren, and W. Lou, Achieving Secure,
Scalable, and Fine-grained Data Access Control in Cloud
Computing. INFOCOM, 2010 Proceedings IEEE, pp.321-334,
2010.
[5] M. Green, G. Ateniese, Identity-based proxy re-encryption. In:
Katz, J., Yung, M. (eds.) ACNS 2007. LNCS, vol. 4521, pp.
288-306. Springer, Heidelberg (2007).
[6] G. Ateniese, K. Fu, M. Green, S. Hohenberger, Improved proxy
re-encryption schemes with applications to secure distributed
storage. In: Proceedings of the Network and Distributed Sys-
tem Security Symposium, NDSS 2005. The Internet Society
(2005).
[7] A. Sahai, B. Waters, Fuzzy identity-based encryption. In:
Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp.
457C473. Springer, Heidelberg (2005).
[8] J. Bethencourt, A. Sahai, and B. Waters, Ciphertext-Policy
Attribute-Based Encryption. Proceedings of the 2007 IEEE
Symposium on Security and Privacy, pp.321-334, 2007.
[9] V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-based
encryption for finegrained access control of encrypted data. In
ACM Conference on Computer and Communications Security,
pages 89-98, 2006.
[10] M. Mambo, E. Okamoto, Proxy cryptosystems: Delegation
of the power to decrypt ciphertexts. IEICE Transactions on
Fundamentals of Electronics, Communications and Computer
Sciences 80(1), 54-63 (1997).
[11] M. Green, S. Hohenberger, and B. Waters, Outsourcing the
decryption of abe ciphertexts. In USENIX Security, pp. 523-
538, 2011.
[12] S. Luo, J. Hu, and Zh. Chen, Ciphertext Policy Attribute-
Based Proxy Re-encryption. ICICS 2010, LNCS 6476, pp. 401-
415, 2010
[13] J. Do, Y. Song, N. Park, Attribute based Proxy Re-Encryption
for Data Confidentiality in Cloud Computing Environments.
2011 First ACIS/JNU International Conference on Computers,
Networks, Systems and Industrial Engineering (CNSI), p 248-
51, 2011.
[14] A. Beimel, Secure Schemes for Secret Sharing and Key Dis-
tribution. PhD thesis, Israel Institute of Technology, Technion,
Haifa, Israel, 1996.
[15] M. Karchmer and A. Wigderson, On Span Programs. In The
Eighth Annual Structure in Complexity Theory, pages 102-111,
1993.
[16] D. Boneh and X. Boyen, Efficient Selective-ID Secure Identi-
ty Based Encryption Without Random Oracles. In Advances in
Cryptology-Eurocrypt, volume 3027 of LNCS, pages 223-238.
Springer, 2004.
[17] J. Zhao, D. Feng, Z. Zhang, Attribute-Based Conditional
Proxy Re-Encryption with Chosen-Ciphertext Security. Pro-
ceedings 2010 IEEE Global Communications Conference
(GLOBECOM 2010), p 6 pp., 2010.
[18] T. Mizuno, H. Doi, Hybrid Proxy Re-encryption Scheme for
Attribute-Based Encryption. Information Security and Cryp-
tology. 5th International Conference, Inscrypt 2009. Revised
Selected Papers, p 288-302, 2010.
[19] B. Waters, Ciphertext-policy attribute-based encryption: An
expressive, efficient, and provably secure realization. In PKC,
pages 53-70, 2011.
[20] C. Peikert and B. Waters, Lossy trapdoor functions and
their applications. In Richard E. Ladner and Cynthia Dwork,
editors, 40th ACM STOC, pages 187-196, Victoria, British
Columbia, Canada,May 17-20, 2008. ACM Press.
Keying Li, master of Faculty of science, Xidian University,
Xi’an, China. His research interests cover the attributes
based encryption, cloud computing, lossy trapdoor function,
lossy encryption, e-cash payment.
Yinghui Zhang, received his B.S. (2007) and M.S.
(2010) from Nanchang Hangkong University and Xidian
University, both in Mathematics. Currently, He is working
toward the Ph.D. degree in Cryptography, Xidian University.
His research interests are in the areas of cloud computing
security and cryptography.
Hua Ma, professor of Faculty of science, Xidian University,
Xi’an, China. Her research directions including The Theory
and technology in e-commerce security, Design and analysis
of fast public key cryptography, Theory and technology of
the network security.
50