
ZHOU Dehua1,2 , CHEN Kefei1 , LIU Shengli1 and ZHENG Dong3

(1.Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai 200240, China)

(2.Department of Computer Science, Jinan University, Guangzhou 510632, China)

(3.School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240, China)

Abstract: In an identity-based proxy re-encryption (IBPRE) scheme, a proxy converts a ciphertext for one identity into a ciphertext for another identity without knowing the underlying plaintext. IBPRE can be used for applications requiring delegation, such as delegated email processing. However, some scenarios require fine-grained delegation. For example, the delegator may want to limit the proxy to re-encrypting only the encrypted emails associated with specific conditions. To overcome this limitation of existing IBPRE, we introduce the notion of identity-based conditional proxy re-encryption (IBCPRE), whereby only a ciphertext satisfying a condition set by the delegator can be transformed by the proxy and then decrypted by the delegatee. We further propose a concrete IBCPRE scheme and prove its security in the standard model.

Key words: Identity-based conditional proxy re-encryption, Bilinear maps, Standard model.

I. Introduction

The notion of proxy re-encryption (PRE) was initially introduced by Blaze, Bleumer and Strauss[1]. In a PRE scheme, the proxy can convert any ciphertext under Alice's public key into a ciphertext under Bob's public key. The requirement is that the semantic security of encryptions for Alice is preserved throughout the conversion, such that the proxy gains no information about the involved plaintext messages.

A number of proxy re-encryption protocols have been proposed in the context of public-key encryption[2–8]. The notion of identity-based proxy re-encryption (IBPRE) schemes was initially introduced by Green and Ateniese[9]. In an IBPRE scheme, the proxy translates an encryption under Alice's identity into one computed under Bob's identity. The proxy uses proxy keys, or re-encryption keys, to perform the translation without being able to learn the plaintext. Moreover, no information on the secret keys of Alice and Bob can be deduced from the proxy keys.

The existing notion of IBPRE does not facilitate flexible delegation. Suppose that Alice instructs Bob to process emails only when their subject contains the keyword "urgent". For other emails, Alice prefers to read them herself after she is back in the office. Obviously, the existing IBPRE schemes do not meet such needs.

In this paper, we introduce the notion of identity-based conditional proxy re-encryption (IBCPRE), whereby Alice has fine-grained control over the delegation. As a result, one identity (Alice) can flexibly assign her delegatee (another identity, Bob) the decryption capability based on the conditions attached to the messages. After formalizing the definition and security notions for IBCPRE, we further propose a concrete IBCPRE scheme and prove its security in the standard model.

1. Related work

Mambo and Okamoto proposed a technique for delegating decryption rights[10]. Blaze, Bleumer and Strauss[1] first presented the bidirectional PRE scheme. In 2005, Ateniese et al.[2,3] presented a unidirectional PRE scheme based on bilinear pairings. Canetti and Hohenberger[4] presented a construction of a CCA-secure bidirectional PRE scheme from bilinear pairings. Later, Libert and Vergnaud[5] presented a replayable CCA-secure unidirectional PRE scheme from bilinear pairings. In CANS'08, Deng et al.[6] proposed a CCA-secure bidirectional PRE scheme without pairings (in the random oracle model). Recently, Weng et al.[11] proposed an efficient CCA-secure unidirectional proxy re-encryption scheme in the standard model. In Pairing'08, Libert and Vergnaud[12] introduced the notion of traceable proxy re-encryption, where malicious proxies leaking their re-encryption keys can be identified. In AsiaCCS'09, Weng et al.[13] proposed conditional proxy re-encryption, which can control the proxy at a fine-grained level.

Proxy re-encryption has also been studied in identity-based scenarios[14]. Based on the ElGamal-type public key encryption system[15] and Boneh-Boyen's identity-based encryption system[16], Boneh, Goh and Matsuo[17] described a hybrid proxy re-encryption system. Based on Boneh and Franklin's identity-based encryption system[18], Green and Ateniese[9] presented CPA- and CCA-secure IBPRE schemes in the random oracle model. Chu and Tzeng[19] presented the construc-

Manuscript Received Dec. 2010; Accepted Apr. 2012. This work is supported by the National Natural Science Foundation of China (No.61133014, No.61070249, No.61005049, No.60903178, No.60970111), the Fundamental Research Funds for the Central Universities (No.21612335), the Research Fund for the Doctoral Program of Higher Education of China (No.20100073110060), the Innovation Project (No.12ZZ021) of Shanghai Municipal Education Commission.


2. Organization

The rest of the paper is organized as follows. In Section II we formalize the definition and security notions for IBCPRE systems, then give the related complexity assumptions. In Section III, we propose an IBCPRE scheme. The security proof of the scheme is given in Section IV. Finally, we list some open problems and conclude this paper.

II. Preliminaries

In this section, we first formalize the definition and security notions for IBCPRE systems, and then present a complexity assumption on which our scheme is based.

1. Definition of IBCPRE systems

Formally, an IBCPRE scheme consists of the following algorithms:

Setup($1^k$) The key generation algorithm takes as input a security parameter $1^k$. It generates the global parameters param.

KeyGen(msk, ID) On input an identity $ID \in \{0, 1\}^*$ and the master secret key msk, it generates a decryption key $SK_{ID}$ corresponding to that identity.

RKeyGen($SK_{ID_1}$, , $ID_1$, $ID_2$) The re-encryption key generation algorithm, run by user $ID_1$, takes as input a secret key $SK_{ID_1}$, a condition and identities ($ID_1$, $ID_2$). It outputs a re-encryption key $rk_{ID_1 \to ID_2}$.

Encrypt(ID, m, ) The encryption algorithm takes as input an identity ID, a plaintext $m \in M$ and a condition. It outputs a ciphertext CT associated with the condition under the specified identity. Here M denotes the message space.

ReEncrypt($CT_{ID_1}$, $rk_{ID_1 \to ID_2}$) The re-encryption algorithm, run by the proxy, takes as input a ciphertext $CT_{ID_1}$ associated with a condition under identity $ID_1$, and a re-encryption key $rk_{ID_1 \to ID_2}$. It outputs a re-encrypted ciphertext $CT_{ID_2}$ under identity $ID_2$.

Decrypt(CT, $sk_{ID}$) The decryption algorithm takes as input a secret key $sk_{ID}$ and a ciphertext CT. It outputs a message $m \in M$ or the error symbol $\perp$.

2. Security notions of IBCPRE

Intuitively, the semantic security of an IBCPRE encryption should be preserved against both the delegatee and the proxy if they are not associated with the proper condition. More formally, the semantic security under adaptive-ID and chosen-plaintext attacks for an IBCPRE scheme is defined according to the following game between an adversary A and a challenger C:

Setup Challenger C runs algorithm Setup($1^k$) and gives the global parameters param to A.

Phase 1 The adversary A adaptively issues queries $q_1, \ldots, q_m$ where query $q_i$ is one of the following:

Extraction query ID: C returns $SK_{ID} \leftarrow$ KeyGen(msk, ID) to A.

Re-encryption key generation query $ID_1$, , $ID_2$: C first runs $SK_{ID_1} \leftarrow$ KeyGen(msk, $ID_1$), and then returns $rk_{ID_1 \to ID_2} \leftarrow$ RKeyGen($SK_{ID_1}$, , $ID_1$, $ID_2$) to A.

Challenge Once A decides that Phase 1 is over, it outputs a target identity ID and two equal-length plaintexts $m_0, m_1 \in M$. C flips a random coin , and sets the challenge ciphertext to be CT = Encrypt(ID , m , ), which is sent to A.

Phase 2 A adaptively issues queries as in Phase 1, and C answers them as before.

Guess Finally, A outputs a guess {0, 1} and wins the game if = and during the game the following requirements are simultaneously satisfied:

A can not issue the extraction query on ID to obtain the target secret key $SK_{ID}$.

A can not issue the queries on ID , , ID , if ID appears in a previous extraction query.

We refer to the above adversary A as an IND-sIBCPRE CPA adversary. His advantage in attacking scheme is defined as $\mathrm{Adv}^{\text{IND-IBCPRE-CPA}}_{\,,A} = |\Pr[\ =\ ] - 1/2|$, where the probability is taken over the random coins consumed by the challenger and the adversary.

Definition 1 An IBCPRE scheme is said to be (t, $q_e$, $q_{rk}$, )-IND-IBCPRE-CPA secure, if for any t-time IND-IBCPRE-CPA adversary A that makes at most $q_e$ KeyGen queries and at most $q_{rk}$ RKeyGen queries, we have $\mathrm{Adv}^{\text{IND-IBCPRE-CPA}}_{\,,A}$ < .

3. Complexity assumptions

The Bilinear Diffie-Hellman (BDH) problem in $(G, G_T)$ is as follows: given a tuple $g, g^a, g^b, g^c \in G$ as input, output $e(g, g)^{abc} \in G_T$. An algorithm A has advantage in solving BDH in $(G, G_T)$ if $\Pr[A(g, g^a, g^b, g^c) = e(g, g)^{abc}]$ , where the probability is over the random choice of generator g in G, the random choice of a, b, c in $Z_p$, and the random bits consumed by A.

Similarly, we say that an algorithm B that outputs $b \in \{0, 1\}$ has advantage in solving the decisional bilinear Diffie-Hellman (DBDH) problem in $(G, G_T)$ if

g in G, the random choice of a, b, c in $Z_p$, the random choice of $Q \in G_T$, and the random bits consumed by B.

Definition 2 We say that the (t, ) DBDH assumption holds in $(G, G_T)$ if no t-time algorithm has advantage at least in solving the DBDH problem in $(G, G_T)$.

1. Construction

Based on Waters's identity-based encryption scheme[20], the proposed scheme consists of the following algorithms:

Setup (k, n) On input a security parameter 1k , this

setup algorithm works as follows: First generate (p, G, GT , e),

where (G, GT ) are bilinear groups with prime order p, and

$

$

$

and V = (v1 , , vn ) R Gn . Finally, choose a hash function

H1 such that H1 : GT G, and output the master secret key

g2 and the public parameters param = (Z, g, g1 , g2 , U , V , H1 ).

For convenience, in the rest of this paper, given an n-bit

identity ID, we shall use UID to denote the set of indices for

which the bitstring ID is set to 1. Also, for an n-bit condition

, we shall use V to denote the set of indices for which the

bitstring is set to 1.

KeyGen (msk, ID) On input an identity ID Zp , this

$

key for ID as

r

SKID = (d1 , d2 ) = g2 u

ui , g r

iUID

SKID = (d1 , d2 ), a condition Zp and another identity ID2 ,

$

the re-encryption key from identity ID1 to ID2 associated with

condition as

rkID

= (d1 , d2 , d3 , d4 , d5 ) =

ID2

1

r2

r1

vj

H1 (Z r2 ), d2 , g r1 , g r2 , u

ui

d1 v

jV

iUID2

Encrypt (ID, m, )

dente the ciphertext to be:

CTID =(C1 , C2 , C3 , C4 )

z z

= g z , M Z z , u

ui , v

vj

iUID

jV

the message.

ID2

1

phertext $CT_{ID_1}$ encrypted under identity $ID_1$ and the re-encryption key $rk_{ID_1 \to ID_2} = (d_1, d_2, d_3, d_4, d_5)$, this re-encryption algorithm first computes

$$C_2 = \frac{C_2 \, e(C_3, d_2) \, e(C_4, d_3)}{e(d_1, C_1)}$$

$CT_{ID_2} = (C_1, C_2, d_4, d_5)$. Observe that $C_2$ is equal to

$$C_2 = \frac{M}{e(H_1(Z^{r_2}), C_1)}$$

so $CT_{ID_2} = (C_1, C_2, d_4, d_5)$ is in fact of the following form:

$$CT_{ID_2} = \left( g^z,\ \frac{M}{e(H_1(Z^{r_2}), g^z)},\ g^{r_2},\ \Big(u \prod_{i \in U_{ID_2}} u_i\Big)^{r_2} \right)$$

$CT_{ID}$ and the secret key $SK_{ID} = (d_1, d_2)$, this algorithm decrypts the ciphertext according to two cases:

(1) $CT_{ID}$ is an original ciphertext, i.e., $CT_{ID} = (C_1, C_2, C_3, C_4)$: Simply output

$$M = \frac{C_2 \, e(C_3, d_2)}{e(d_1, C_1)}.$$

(2) $CT_{ID}$ is a transformed ciphertext, i.e., $CT_{ID} = (C_1, C_2, d_4, d_5)$: first compute

$$R = \frac{e(d_1, d_4)}{e(d_5, d_2)},$$

and then output $M = C_2 \, e(H_1(R), C_1)$.
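The ReEncrypt and Decrypt equations above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it runs the scheme in a toy exponent model in which every group element is stored as its discrete logarithm, so it checks the algebra and has no security. The master exponent `alpha`, the offsets `u0`/`v0`, the products over set bits, the SHA-256 encodings and the `orig`/`trans` tags are assumptions filled in from the Waters-style key form, because the extracted text drops those symbols.

```python
import hashlib
import random

# Toy exponent model (assumption, for checking algebra only): g^x in G is
# stored as x mod P, e(g,g)^y in GT as y mod P. Multiplying group elements
# adds exponents; the pairing multiplies them. Discrete logs are in the
# clear, so this has no security whatsoever.
P = 2**127 - 1                 # prime group order (constructed)
N = 32                         # bit length n of identities and conditions
rng = random.Random(2013)      # fixed seed so the demo is reproducible

def rand():
    return rng.randrange(1, P)

def pair(a, b):
    """e(g^a, g^b) = e(g,g)^(a*b)."""
    return a * b % P

def bits(label):
    """Assumed encoding: SHA-256 of a string -> indices of its 1 bits."""
    h = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")
    return [i for i in range(N) if (h >> i) & 1]

def h1(gt_elem):
    """Stand-in for the hash H1: GT -> G."""
    digest = hashlib.sha256(gt_elem.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % P

def setup():
    alpha, g2 = rand(), rand()             # g1 = g^alpha (alpha is assumed)
    pp = {"Z": pair(alpha, g2),            # Z = e(g1, g2)
          "u0": rand(), "U": [rand() for _ in range(N)],
          "v0": rand(), "V": [rand() for _ in range(N)]}
    return pp, alpha * g2 % P              # master secret key g2^alpha

def f_id(pp, ident):
    """Identity term u0 * prod_{i in U_ID} u_i, as an exponent."""
    return (pp["u0"] + sum(pp["U"][i] for i in bits(ident))) % P

def f_cond(pp, cond):
    """Condition term v0 * prod_{j in V} v_j, as an exponent."""
    return (pp["v0"] + sum(pp["V"][j] for j in bits(cond))) % P

def keygen(pp, msk, ident):
    r = rand()
    return ((msk + r * f_id(pp, ident)) % P, r)            # (d1, d2)

def rkeygen(pp, sk1, cond, id2):
    d1, d2 = sk1
    r1, r2 = rand(), rand()
    d1_rk = (d1 + r1 * f_cond(pp, cond) + h1(pp["Z"] * r2 % P)) % P
    return (d1_rk, d2, r1, r2, r2 * f_id(pp, id2) % P)     # (d1..d5)

def encrypt(pp, ident, m, cond):
    z = rand()
    return ("orig", z, (m + pp["Z"] * z) % P,
            z * f_id(pp, ident) % P, z * f_cond(pp, cond) % P)

def reencrypt(ct, rk):
    _, c1, c2, c3, c4 = ct
    d1, d2, d3, d4, d5 = rk
    # C2 * e(C3,d2) * e(C4,d3) / e(d1,C1), written additively in exponents
    c2_new = (c2 + pair(c3, d2) + pair(c4, d3) - pair(d1, c1)) % P
    return ("trans", c1, c2_new, d4, d5)

def decrypt(ct, sk):
    d1, d2 = sk
    if ct[0] == "orig":                    # case (1): original ciphertext
        _, c1, c2, c3, _ = ct
        return (c2 + pair(c3, d2) - pair(d1, c1)) % P
    _, c1, c2, d4, d5 = ct                 # case (2): transformed ciphertext
    r = (pair(d1, d4) - pair(d5, d2)) % P  # R = e(d1,d4)/e(d5,d2) = Z^r2
    return (c2 + pair(h1(r), c1)) % P

def demo():
    pp, msk = setup()
    sk_alice = keygen(pp, msk, "alice")
    sk_bob = keygen(pp, msk, "bob")
    m = 0x5EC2E7                           # constructed message in GT
    rk = rkeygen(pp, sk_alice, "urgent", "bob")
    ct_urgent = encrypt(pp, "alice", m, "urgent")
    ct_other = encrypt(pp, "alice", m, "newsletter")
    return {
        "alice_original": decrypt(ct_urgent, sk_alice) == m,
        "bob_matching_condition": decrypt(reencrypt(ct_urgent, rk), sk_bob) == m,
        "bob_other_condition": decrypt(reencrypt(ct_other, rk), sk_bob) == m,
        "bob_original_without_proxy": decrypt(ct_urgent, sk_bob) == m,
    }

if __name__ == "__main__":
    print(demo())
```

When the ciphertext's condition differs from the one bound into the re-encryption key, the `e(C4, d3)` factor no longer cancels the condition term in `d1`, so the delegatee recovers a value other than the message.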


Our proposed scheme only achieves chosen-plaintext security. Note that, as stated by Weng et al.[21], there exist three important and necessary principles for designing CCA-secure proxy re-encryption systems: the validity of the original ciphertexts should be publicly verifiable; the original ciphertexts should satisfy the CCA-security; the transformed ciphertexts should satisfy the CCA-security. We remark that we can also improve our scheme to achieve the replayable chosen plaintext security[22]. That is, we use the one-time signature, as illustrated in Ref.[23], to satisfy principles and . For principle , we can use Libert-Vergnaud's re-encryption technique[5] to provide the replayable chosen-plaintext security for the transformed ciphertexts.

Theorem 1 Our IBCPRE scheme is IND-IBCPRE-CPA secure in the standard model, assuming the DBDH assumption holds in groups $(G, G_T)$. More specifically, if there exists an IND-IBCPRE-CPA adversary A, who asks at most $q_e$ extraction queries and at most $q_{rk}$ re-encryption key generation queries, and breaks the IND-IBCPRE-CPA security of our scheme, then there exists an algorithm B that can break the (t , )-DBDH assumption in groups $(G, G_T)$ with

, 16(qe + qrk )2 (n + 1)2 qrk

where $t_e$ denotes the running time of an exponentiation in group G.

Proof Suppose algorithm B is given a DBDH instance $(g, g^a, g^b, g^c, Q) \in G^4 \times G_T$ with unknown $a, b, c \xleftarrow{\$} Z_q$. B's goal is to decide whether $Q = e(g, g)^{abc}$. B works by interacting with adversary A in the IND-IBCPRE-CPA game as follows:

Setup B constructs the public parameters for A as follows:

(1) Set lu = 2(qe + 3qrk ), l = 2qrk , randomly choose

two integers ku , k Zn . We assume that lu (n + 1) < q and

l (n + 1) < q.

(2) Randomly choose the following integers:

x R Zlu , z R Zl , y , R Zq

x

i R Zlu , for i = 1, , n.

= {

Let X

xi }

zj }

zj R Zl , for j = 1, , n. Let Z = {

yi }

yi R Zq , for i = 1, , n. Let Y = {

tj R Zq , for j = 1, , n. Let T = {tj }

(3) Construct a set of public parameters as below:

g1 = g a , g2 , = g b , u = g2x lu ku g y , v = g2z

l k

U = (

ui ) with u

i = g2xi g yi for i = 1, , n

z

V = (

vj ) with vj = g2 j g tj for i = 1, , n

All these public parameters are passed to A.

Observe that from the perspective of the adversary, the

distributions of these public parameters are identical to the

real construction. Note that the master key is implicitly set

to be g2 = g2a = g ab .


functions J1 , J2 , K1 , and K2 such that for any set U, V

{1, , n},

x

i , J1 (U ) = y +

yi

K1 (U ) = x lu ku +

iU

K2 (V ) = z l k +

iU

zj , J2 (V ) = +

jV

tj

jV

equalities always hold:

K (U )

K (V )

g2 1 g J1 (U ) = u

ui , g2 2 g J2 (V ) = v

vi

iU

iV

queries as follows:

Extraction query ID Suppose the adversary issues a query for an identity ID. If K1 (UID ) = 0 mod p (denote this event by E1), algorithm B aborts and randomly chooses its guess of the challenger's value . Otherwise, the simulator chooses a random $r \xleftarrow{\$} Z_p$ and returns the secret key $SK_{ID} = (d_1, d_2)$ to A as defined below:

d1 =

J1 (UID )

K (U )

g1 1 ID

u

r

ui

d2 =

1

K (U )

g1 1 ID g r

iUID

a

, we can see that the

K1 (UID )

above secret key has the correct form as required:

Note that, letting r = r

J1 (UID )

K1 (UID )

d1 =g1

r

u

ui

iUID

J1 (UID )

K1 (UID )

=g1

K (U

K1 (UID ) J1 (UID ) r

(g2

K1 (UID ) J1 (UID ) r

a

r

K1 (UID )

=g2a u

ui

=g2a

iUID

r

ui

=g

J2 (V )

K2 (V )

r

a

K1 (UID )

r

ui

iUID

d2 = g r ,

d3 =

u

ui

iUID2

a

and SKID1 =

Observe that, letting r1 = r1

r

K2 (V )

(d1 , d2 ) = g2 u iUID ui , g r , we can see that the

above re-encryption key has the correct form as required:

r r1

J2 (V )

K2 (V )

u

v

d1 =g1

ui

vj

H1 (Z r2 )

J2 (V )

K (V )

u

=g1 2

iUID

jV

r

ui

K2 (V ) J2 (V ) r1

(g2

) H1 (Z r2 )

iUID

r

a

r

K (V )

ui

(g2 2 g J2 (V ) ) 1 K2 (V ) H1 (Z r2 )

=g2a u

iUID

=g2a u

r

ui

iUID

=d1 v

r1

vj

v

r1

vj

a

K2 (V )

H1 (Z r2 )

jV

H1 (Z r2 )

jV

1

K (V )

d3 =g1 2 g r1

=g

r1

a

K2 (V )

= g r1

p, denote this event by E2), algorithm B aborts and randomly chooses its guess of the challenger's value .

Challenge When A decides that Phase 1 is over, it outputs two equal-length messages $m_0, m_1 \in G_T$, a target identity ID and a target condition , subjected to the restrictions specified in the IND-IBCPRE-CCA game. If K1 (UID ) = 0 mod p or K2 (V ) = 0 mod p (denote this event by E3), algorithm B aborts and submits a random guess for . Otherwise (i.e., K1 (UID ) = 0 mod p K2 (V ) 0 mod p), algorithm B picks {0, 1}, defines and returns the challenge ciphertext to A.

Note that by the above construction, if $Q = e(g, g)^{abc}$, then CT is a valid encryption of m under ID and , since

$$C_2 = m\,Q = m\,e(g^a, g^b)^c = m\,e(g_1, g_2)^c = m\,Z^c$$

K1 (UID ) J1 (UID ) c

=g

Algorithm B acts according to the following three cases:

If K1 (UID1 ) = 0 mod p: B first generates the secret key $SK_{ID_1}$ as in the extraction queries. Then it runs algorithm RKeyGen($SK_{ID_1}$, , $ID_2$) and returns the resulting re-encryption key to A.

K1 (UID1 ) = 0 mod p K2 (V ) = 0 mod p: B picks r, r1 , r2 , and defines the re-encryption key $rk_{ID_1 \to ID_2} = (d_1, d_2, d_3, d_4, d_5)$ as below:

d1 = g1

d5 =

C1 =g c

iUID

1

K (U )

d2 =g1 1 ID g r

d 4 = g r2 ,

r2


1

K (V )

g 1 2 g r1

v

jV

r1

vj

H1 (Z r2 )

c

= u

ui

iUID

C4

c J2 (V )

K2 (V ) J2 (V ) c

=(g )

= (g J2 (V ) )c = (g2

c

= v

vi

iV

GT, the challenge ciphertext CT is independent of in the adversary's view.

Phase 2 A continues to issue the rest of queries as in Phase 1, with the restrictions described in the IND-IBCPRE-CPA game. B responds to these queries in the same way as in Phase 2.

Guess Eventually, adversary A returns a guess {0, 1} to B. If = , B outputs 1; otherwise, B outputs 0.

This completes the description of the simulation. Next, we evaluate the probability of B's not aborting in the above game. Let Pr[abort] denote the probability of B's not aborting in the above game, then from the description of the above game, we have

Pr[abort] = Pr[E1 E2 E3]   (1)

To make the analysis easier, we modify events E1 and E2

to be the following events, say E1 and E2 , respectively.

E1 : K1 (UID ) 0 mod lu

E2 : K1 (UID ) 0 mod lu (K2 (V ) 0 mod l

Since 0 ku n, the assumption lu (n + 1) < p leads to

i Zlu and |UID | n, then we

0 lu ku < p. Note that x , x

i (n + 1)lu < p. Since K1 (UID ) =

have 0 x + iUID x

i , it follows that 0 K1 (UID )+lu ku < p,

lu ku +x + iUID x

hence p < lu ku K1 (UID ) < p lu ku < p. So, if

K1 (UID ) = 0 mod p holds, the only case should be K1 (UID ) =

0, which immediately gives K1 (UID ) = 0 mod lu . This means

that K1 (UID ) = 0 mod p implies K1 (UID ) = 0 mod lu , that is,

E1E1 . Thus we have E1 E1. Similarly, E2 E2

also holds. Therefore, we have

Pr[abort] Pr[E1 E2 E3]

Combining the fact that ku , x , and X

we have

Pr[A ] =Pr[K1 (UID ) 0 mod p K1 (UID ) 0 mod lu ]

=Pr[K1 (UID ) 0 mod lu ]Pr[K1 (UID ) 0

mod p|K1 (UID ) 0 mod lu ]

1 1

(4)

=

lu n + 1

1 1

Similarly, we have

Pr[B ] =

(5)

l n + 1

Since the events Ai and A are independent for any i, we

(6)

have

Pr[Ai |A ] = 1/lu

Then we have

qI

qI

i=1

i=1

Dj : K2 (Vj ) = 0 mod l for j = 1, , q

A : K1 (UID ) = 0 mod p

B : K2 (V ) = 0 mod p

qI

i=1

qI

1

Pr[Ai |A ]

1

lu (n + 1)

i=1

q

1

1 I

lu (n + 1)

lu

1

qe + qrk

1

lu (n + 1)

lu

(2)

and the re-encryption key generation queries not equal to UID .

Also, let V1 , , Vq be the V s appearing in the re-encryption

key generation queries not equal to V . Clearly, we have

qI qe + qrk and q qrk . Define the following events


(7)

Similarly, we get

1

qrk

1

Pr[( Dj D )]

j=1

l (n + 1)

l

qM

(8)

Pr[abort] Pr[E1 E2 E3 ]

qI

qM

Pr[ Ai A ]Pr[ Dj B ]

i=1

j=1

qe + qrk

qrk

1

1

1

1

lu (n + 1)

lu

l (n + 1)

l

Then we get

(9)

qI

i=1

j=1

qI

i=1

j=1

are independent. Essentially, this is because the functions K1 and K2 which define these events are selected independently and are hidden from the adversary's view of the simulation.

We proceed to bound the probability Pr[A ]. We first claim that if K1 (UID ) 0 mod lu holds, there will be a unique choice of ku with 0 ku n such that K1 (UID ) 0 mod p.

i ),

To see this, recall that K1 (UID ) = lu ku + (x + iUID x

i )

so if K1 (UID ) 0 mod lu holds, the term (x + iUID x

i Zlu

must equal to rlu for some integer r. Since x , x

and |UID n|, it follows that 0 r n. Now, if

K1 (UID ) 0 mod p further holds, as has been noted, it must

be K1 (UID ) = 0. Thus

x

i ) = lu ku + rlu = 0

K1 (UID ) = lu ku + (x +

iUID

So, the unique choice of ku with 0 ku n is ku = r. Similarly to the proof of K1 (UID ) 0 mod p K1 (UID ) 0 mod

lu , we have K1 (UID ) 0 mod p K1 (UID ) 0 mod lu .

lu = 2(qe + qrk ) and l = 2qrk . Using the optimal value, we

have

(10)

Pr[abort]

16(qe + qrk )2 (n + 1)2 qrk

Note that, if B does not abort in the whole game, then the simulation provided for A is indistinguishable from the real environment. So, we have that B's advantage in solving the DBDH

16(qe + qrk )2 (n + 1)2 qrk

scription of the simulation, we can easily see that B's running time is bounded by t t + O((qe + qrk )te ). Thus the proof of Theorem 1 is concluded.

V. Conclusion

In this paper, we tackle the problem of how to control the proxy in PRE systems at a fine-grained level in the IBE setting. We introduce the concept of identity-based conditional proxy re-encryption, formalize its definition and its security notions, and propose a secure IBCPRE scheme in the standard model. The conditions in our proposed solution are limited to keywords. It remains an interesting open problem how to construct secure IBCPRE schemes with boolean predicates.


References

atomic proxy cryptography, Proc. of Eurocrypt'98, Springer-Verlag, LNCS 1403, Espoo, Finland, pp.127–144, 1998.

[2] G. Ateniese, K. Fu, M. Green and S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, Proc. of NDSS 2005, San Diego, California, USA, pp.29–43, 2005.

[3] G. Ateniese, K. Fu, M. Green and S. Hohenberger, Improved proxy re-encryption schemes with applications to secure distributed storage, ACM Transactions on Information and System Security (TISSEC), Vol.9, No.1, pp.1–30, 2006.

[4] R. Canetti and S. Hohenberger, Chosen-ciphertext secure proxy re-encryption, Proc. of ACM CCS 2007, ACM Press, Alexandria, VA, USA, pp.185–194, 2007.

[5] B. Libert and D. Vergnaud, Unidirectional chosen-ciphertext secure proxy re-encryption, Proc. of PKC'08, Springer-Verlag, LNCS 4929, Barcelona, Spain, pp.360–379, 2008.

[6] R.H. Deng, J. Weng, S. Liu and K. Chen, Chosen-ciphertext secure proxy re-encryption without pairings, Proc. of CANS'08, Springer-Verlag, LNCS 5339, Hong Kong, China, pp.1–17, 2008.

[7] J. Weng, S. Chow, Y. Yang and R.H. Deng, Efficient unidirectional proxy re-encryption, Cryptology ePrint Archive, Report 2009/189, 2009.

[8] J. Zhao, D. Feng, L. Yang and L. Ma, CCA-secure type-based proxy re-encryption without pairings, Acta Electronica Sinica, Vol.39, No.11, pp.2513–2519, 2011. (in Chinese)

[9] M. Green and G. Ateniese, Identity-based proxy re-encryption, Proc. of ACNS'07, Springer-Verlag, LNCS 4521, Zhuhai, China, pp.288–306, 2007.

[10] M. Mambo and E. Okamoto, Proxy cryptosystems: Delegation of the power to decrypt ciphertexts, IEICE Trans. Fund. Electronics Communications and Computer Science, Vol.E80-A, No.1, pp.54–63, 1997.

[11] J. Weng, M. Chen, Y. Yang, R.H. Deng, K. Chen and F. Bao, CCA-secure unidirectional proxy re-encryption in the adaptive corruption model without random oracles, Science China: Information Science, Vol.53, No.3, pp.593–606, 2010.

[12] B. Libert and D. Vergnaud, Tracing malicious proxies in proxy re-encryption, Proc. of Pairing'08, Springer-Verlag, LNCS 5209, Egham, UK, pp.332–353, 2008.

[13] J. Weng, R.H. Deng, X. Ding, C. Chu and J. Lai, Conditional proxy re-encryption secure against chosen-ciphertext attack, Proc. of ASIACCS'09, ACM Press, Sydney, Australia, pp.322–332, 2009.

[14] T. Matsuo, Proxy re-encryption systems for identity-based encryption, Proc. of Pairing'07, LNCS 4575, Springer-Verlag, Tokyo, Japan, pp.247–267, 2007.

[15] T. ElGamal, A public-key cryptosystem and a signature scheme based on discrete logarithms, Proc. of Crypto'84, Springer-Verlag, LNCS 196, Santa Barbara, California, USA, pp.10–18, 1984.

[16] D. Boneh and X. Boyen, Efficient selective-ID secure identity based encryption without random oracles, Proc. of Eurocrypt'04, Springer-Verlag, LNCS 3027, Interlaken, Switzerland, pp.223–238, 2004.

[17] D. Boneh, E.J. Goh and T. Matsuo, Proposal for P1363.3 proxy re-encryption, http://grouper.ieee.org/groups/1363/IBC/submissions/NTTDataProposal-for-P1363.3-2006-08-14.pdf.

[18] D. Boneh and M. Franklin, Identity based encryption from the Weil pairing, Proc. of Crypto'01, Springer-Verlag, LNCS 2139, Santa Barbara, California, USA, pp.213–229, 2001.

[19] C. Chu and W. Tzeng, Identity-based proxy re-encryption without random oracles, Proc. of ISC'07, Springer-Verlag,

[20] B. Waters, Efficient identity-based encryption without random oracles, Proc. of Eurocrypt'05, Springer-Verlag, LNCS 3494, Aarhus, Denmark, pp.114–127, 2005.

[21] J. Weng, Y. Yang, Q. Tang, R.H. Deng and F. Bao, Efficient conditional proxy re-encryption with chosen-ciphertext security, Proc. of ISC'09, Springer-Verlag, LNCS 5735, Pisa, Italy, pp.151–166, 2009.

[22] R. Canetti, H. Krawczyk and J.B. Nielsen, Relaxing chosen-ciphertext security, Proc. of Crypto'03, Springer-Verlag, LNCS 2729, Santa Barbara, California, USA, pp.565–582, 2003.

[23] R. Canetti, S. Halevi and J. Katz, Chosen-ciphertext security from identity-based encryption, Proc. of Eurocrypt'04, Springer-Verlag, LNCS 3027, Interlaken, Switzerland, pp.207–222, 2004.

ZHOU Dehua received B.S. and M.S. degrees in computer science from South China University of Technology in 2000 and 2003 respectively. Since July 2003, he came to Department of Computer Science in Jinan University and became a lecturer. He is now a Ph.D. candidate in Shanghai Jiaotong University. His research interests include exposure-resilient cryptography and pairing based cryptosystems. (Email: dhzhou@sjtu.edu.cn)

CHEN Kefei (corresponding author) received Ph.D. degree from Justus Liebig University Giessen, Germany in 1994. His main research areas include classical and modern cryptography, theory and technology of network security, etc. He came to Shanghai Jiaotong University in 1996 and was appointed professor at the Department of Computer Science and Engineering. He is also the director of the Laboratory of Cryptography and Information Security in Shanghai Jiaotong University. He has published more than 100 academic papers on cryptology and information security in journals and conferences. (Email: kfchen@sjtu.edu.cn)

LIU Shengli received B.S. degree, M.S. degree and Ph.D. degree from Xidian University in 1995, 1998 and 2000 respectively. From 2000 till 2002, she continued her research on cryptography and received another Ph.D. degree from Technische Universiteit Eindhoven, the Netherlands. Since 2002, she joined the Department of Computer Science and Engineering, Shanghai Jiaotong University. She is now a professor and her research interests include public key cryptosystems, and information-theoretic security.

ZHENG Dong received Ph.D. degree from Xidian University in 1999. Now, he is a professor, deputy director of the Laboratory for Cryptography and Information Security, in Shanghai Jiaotong University. He is a member of the expert committee of NSFC and the expert reviewing committee of NSFC. He was a general cochair of Asiacrypt2006, Cans2006, and Ispec2006. His main research interests include cryptographic algorithm, information hiding, digital watermarking, wireless security technology, etc. His research has been funded by NSFC, 863 program, and private corporations.
