
Chinese Journal of Electronics

Vol.22, No.1, Jan. 2013

Identity-Based Conditional Proxy Re-Encryption


ZHOU Dehua1,2 , CHEN Kefei1 , LIU Shengli1 and ZHENG Dong3
(1.Department of Computer Science and Engineering, Shanghai Jiaotong University, Shanghai 200240, China)
(2.Department of Computer Science, Jinan University, Guangzhou 510632, China)
(3.School of Information Security Engineering, Shanghai Jiaotong University, Shanghai 200240, China)
Abstract In an Identity-based proxy re-encryption
(IBPRE) scheme, a proxy converts a ciphertext for one
identity into a ciphertext for another identity without
knowing the underlying plaintext. IBPRE can be used
for applications requiring delegation, such as delegated
email processing. However, some scenarios require fine-grained
delegation. For example, the delegator may want to limit the
proxy to re-encrypting only the encrypted emails associated
with specific conditions. To overcome this limitation of
existing IBPRE, we introduce the notion of Identity-based
conditional proxy re-encryption (IBCPRE), whereby only
ciphertexts satisfying a condition set by the delegator can be
transformed by the proxy and then decrypted by the delegatee.
We further propose a concrete IBCPRE scheme, and prove its
security in the standard model.
Key words Identity-based conditional proxy re-encryption, Bilinear maps, Standard model.

I. Introduction
The notion of Proxy re-encryption (PRE) was initially introduced by Blaze, Bleumer and Strauss[1]. In a PRE scheme,
the proxy can convert any ciphertext under Alice's public key
into a ciphertext under Bob's public key. The requirement is
that the semantic security of encryptions for Alice is preserved
throughout the conversion, such that the proxy gains no information about the involved plaintext messages.
A number of proxy re-encryption protocols have been proposed in the context of public-key encryption[2-8]. The notion of Identity-based proxy re-encryption (IBPRE) schemes
was initially introduced by Green and Ateniese[9]. In an IBPRE
scheme, the proxy translates an encryption under Alice's identity into one computed under Bob's identity. The proxy uses
proxy keys, or re-encryption keys, to perform the translation
without being able to learn the plaintext. Moreover, no information on the secret keys of Alice and Bob can be deduced
from the proxy keys.
The existing notion of IBPRE does not facilitate flexible
delegation. Suppose that Alice instructs Bob to process emails
only when their subject contains the keyword "urgent". For other
emails, Alice prefers to read them herself after she is back in the
office. Obviously, the existing IBPRE schemes do not meet such
needs.
In this paper, we introduce the notion of Identity-based
conditional proxy re-encryption (IBCPRE), whereby Alice has
fine-grained control over the delegation. As a result, one
identity (Alice) can flexibly assign her delegate (another identity, Bob) the decryption capability based on the conditions
attached to the messages. After formalizing the definition and
security notions for IBCPRE, we further propose a concrete
IBCPRE scheme, and prove its security in the standard model.
1. Related work
Mambo and Okamoto proposed a technique for delegating decryption rights[10]. Blaze, Bleumer and Strauss[1] first
presented the bidirectional PRE scheme. In 2005, Ateniese
et al.[2,3] presented a unidirectional PRE scheme based on bilinear pairings. Canetti and Hohenberger[4] presented a construction of a CCA-secure bidirectional PRE scheme from bilinear pairings. Later, Libert and Vergnaud[5] presented a replayable CCA-secure unidirectional PRE scheme from bilinear
pairings. In CANS'08, Deng et al.[6] proposed a CCA-secure
bidirectional PRE scheme without pairings (in the random oracle model). Recently, Weng et al.[11] proposed an efficient
CCA-secure unidirectional proxy re-encryption scheme in the
standard model. In Pairing'08, Libert and Vergnaud[12] introduced the notion of traceable proxy re-encryption, where
malicious proxies leaking their re-encryption keys can be identified. In AsiaCCS'09, Weng et al.[13] proposed conditional
proxy re-encryption, which can control the proxy at a fine-grained level.
Proxy re-encryption has also been studied in identity-based
scenarios[14]. Based on the ElGamal-type public key encryption system[15] and Boneh-Boyen's identity-based encryption
system[16], Boneh, Goh and Matsuo[17] described a hybrid
proxy re-encryption system. Based on Boneh and Franklin's
identity-based encryption system[18], Green and Ateniese[9]
presented CPA and CCA-secure IBPRE schemes in the random oracle model. Chu and Tzeng[19] presented the constructions of CPA and CCA-secure IBPRE schemes without random oracles.

Manuscript Received Dec. 2010; Accepted Apr. 2012. This work is supported by the National Natural Science Foundation of China
(No.61133014, No.61070249, No.61005049, No.60903178, No.60970111), the Fundamental Research Funds for the Central Universities
(No.21612335), the Research Fund for the Doctoral Program of Higher Education of China (No.20100073110060), the Innovation Project
(No.12ZZ021) of Shanghai Municipal Education Commission.


2. Organization
The rest of the paper is organized as follows. In Section II
we formalize the definition and security notions for IBCPRE
systems, then give related complexity assumptions. In Section III, we propose an IBCPRE scheme. The security proof
of the scheme is given in Section IV. Finally, we list some open
problems and conclude this paper.

II. Preliminaries
In this section, we first formalize the definition and security notions for IBCPRE systems, and then present a complexity
assumption on which our scheme is based.
1. Definition of IBCPRE systems
Formally, an IBCPRE scheme consists of the following algorithms:
Setup($1^k$) The key generation algorithm takes as input
a security parameter $1^k$. It generates the global parameters
param.
KeyGen(msk, ID) On input an identity ID {0, 1}
and the master secret key msk, it generates a decryption key
$SK_{ID}$ corresponding to that identity.
RKeyGen($SK_{ID_1}$, , $ID_1$, $ID_2$) The re-encryption key
generation algorithm, run by user $ID_1$, takes as input a secret
key $SK_{ID_1}$, condition and identities $(ID_1, ID_2)$. It outputs
a re-encryption key $rk_{ID_1 \to ID_2}$.
Encrypt(ID, m, ) The encryption algorithm takes as
input an identity ID, a plaintext $m \in M$ and a condition . It
outputs ciphertext CT associated with condition under the
specified identity. Here M denotes the message space.
ReEncrypt($CT_{ID_1}$, $rk_{ID_1 \to ID_2}$) The re-encryption
algorithm, run by the proxy, takes as input a ciphertext $CT_{ID_1}$
associated with under identity $ID_1$, and a re-encryption key
$rk_{ID_1 \to ID_2}$. It outputs a re-encrypted ciphertext $CT_{ID_2}$ under
identity $ID_2$.
Decrypt(CT, $sk_{ID}$) The decryption algorithm takes
as input a secret key $sk_{ID}$ and a ciphertext CT. It outputs a
message $m \in M$ or the error symbol .
2. Security notions of IBCPRE
Intuitively, the semantic security of an IBCPRE encryption
should be preserved against both the delegate and the proxy
if they do not associate with the proper condition . More
formally, the semantic security under adaptive-ID and chosen-plaintext attacks for an IBCPRE scheme is defined according
to the following game between an adversary A and a challenger
C:
Setup Challenger C runs algorithm Setup($1^k$) and gives
the global parameters param to A.
Phase 1 The adversary A adaptively issues queries
$q_1, \ldots, q_m$ where query $q_i$ is one of the following:
Extraction query ID: C returns $SK_{ID} \leftarrow$ KeyGen(msk, ID) to A.
Re-encryption key generation query ID1 , , ID2 : C first runs
$SK_{ID_1} \leftarrow$ KeyGen(msk, $ID_1$), and then returns
$rk_{ID_1 \to ID_2} \leftarrow$ RKeyGen($SK_{ID_1}$, , $ID_1$, $ID_2$) to A.
Challenge Once A decides that Phase 1 is over, it outputs a target identity ID and two equal-length plaintexts
$m_0, m_1 \in M$. C flips a random coin , and sets the challenge ciphertext to be CT = Encrypt(ID , m , ), which is
sent to A.
Phase 2 A adaptively issues queries as in Phase 1, and
C answers them as before.
Guess Finally, A outputs a guess {0, 1} and wins
the game if = and during the game the following requirements are simultaneously satisfied:
A can not issue the extraction query on ID to obtain
the target secret key SKID .
A can not issue the queries on ID , , ID , if ID appears in a previous extraction query.
We refer to the above adversary A as an IND-IBCPRE-CPA
adversary. His advantage in attacking scheme is defined as
Adv^{IND-IBCPRE-CPA}_{ ,A} = |Pr[ = ] - 1/2|, where the
probability is taken over the random coins consumed by the
challenger and the adversary.

Definition 1 An IBCPRE scheme is said to be
(t, qe , qrk , )-IND-IBCPRE-CPA secure, if for any t-time
IND-IBCPRE-CPA adversary A that makes at most qe
KeyGen queries and at most qrk RKeyGen queries, we have
Adv^{IND-IBCPRE-CPA}_{ ,A} < .
3. Complexity assumptions
The Bilinear Diffie-Hellman (BDH) problem in $(G, G_T)$ is
as follows: given a tuple $g, g^a, g^b, g^c \in G$ as input, output
$e(g, g)^{abc} \in G_T$. An algorithm A has advantage in solving
BDH in $(G, G_T)$ if $\Pr[A(g, g^a, g^b, g^c) = e(g, g)^{abc}]$ , where
the probability is over the random choice of generator $g$ in
$G$, the random choice of $a, b, c$ in $Z_p$, and the random bits
consumed by B.
Similarly, we say that an algorithm B that outputs $b \in \{0, 1\}$
has advantage in solving the decisional bilinear Diffie-Hellman
(DBDH) problem in $(G, G_T)$ if

$|\Pr[B(g, g^a, g^b, g^c, e(g, g)^{abc}) = 0] - \Pr[B(g, g^a, g^b, g^c, Q) = 0]|$

where the probability is over the random choice of generator
$g$ in $G$, the random choice of $a, b, c$ in $Z_p$, the random choice
of $Q \in G_T$, and the random bits consumed by B.
Definition 2 We say that the (t, ) DBDH assumption holds in $(G, G_T)$ if no t-time algorithm has advantage at
least in solving the DBDH problem in $(G, G_T)$.

III. A Secure IBCPRE Scheme


1. Construction
Based on Waters's identity-based encryption scheme[20],
the proposed scheme consists of the following algorithms:
Setup(k, n) On input a security parameter $1^k$, this
setup algorithm works as follows: First generate $(p, G, G_T, e)$,
where $(G, G_T)$ are bilinear groups with prime order $p$, and
$e : G \times G \to G_T$ is a bilinear pairing. Then pick Zp
and g1 , g2 G, and define g1 = g , Z = e(g2 , g1 ). Choose
$u, v \xleftarrow{\$} G$ and two n-element vectors $U = (u_1, \ldots, u_n) \in_R G^n$
and $V = (v_1, \ldots, v_n) \in_R G^n$. Finally, choose a hash function
$H_1$ such that $H_1 : G_T \to G$, and output the master secret key
g2 and the public parameters param = $(Z, g, g_1, g_2, U, V, H_1)$.
For convenience, in the rest of this paper, given an n-bit
identity ID, we shall use $U_{ID}$ to denote the set of indices for
which the bitstring ID is set to 1. Also, for an n-bit condition
, we shall use V to denote the set of indices for which the
bitstring is set to 1.
KeyGen(msk, ID) On input an identity $ID \in Z_p$, this
algorithm randomly picks $r \xleftarrow{\$} Z_p$, and then defines the secret
key for ID as
r




SKID = (d1 , d2 ) = g2 u
ui , g r
iUID

RKeyGen($SK_{ID_1}$, , $ID_2$) On input a secret key
$SK_{ID_1} = (d_1, d_2)$, a condition Zp and another identity $ID_2$,
this algorithm randomly picks $r_1, r_2 \xleftarrow{\$} Z_p$, and then generates
the re-encryption key from identity $ID_1$ to $ID_2$ associated with
condition as

$$rk_{ID_1 \to ID_2} = (d_1, d_2, d_3, d_4, d_5) = \Big( d_1 \Big( v \prod_{j \in V} v_j \Big)^{r_1} H_1(Z^{r_2}),\; d_2,\; g^{r_1},\; g^{r_2},\; \Big( u \prod_{i \in U_{ID_2}} u_i \Big)^{r_2} \Big)$$


Encrypt(ID, m, ) On input an identity ID, a plaintext
$M \in G_T$ and a condition , the sender picks $z \xleftarrow{\$} Z_p$, and
defines the ciphertext to be:

$$CT_{ID} = (C_1, C_2, C_3, C_4) = \Big( g^z,\; M \cdot Z^z,\; \Big( u \prod_{i \in U_{ID}} u_i \Big)^z,\; \Big( v \prod_{j \in V} v_j \Big)^z \Big)$$

Here the condition may be a keyword, label or attribute of
the message.

ReEncrypt($CT_{ID_1}$, $rk_{ID_1 \to ID_2}$) Taking as input a ciphertext
$CT_{ID_1}$ encrypted under identity $ID_1$ and the re-encryption key
$rk_{ID_1 \to ID_2} = (d_1, d_2, d_3, d_4, d_5)$, this re-encryption
algorithm first computes

$$C_2 = \frac{C_2 \cdot e(C_3, d_2) \cdot e(C_4, d_3)}{e(d_1, C_1)}$$

and then defines the ciphertext for identity $ID_2$ as
$CT_{ID_2} = (C_1, C_2, d_4, d_5)$. Observe that $C_2$ is equal to

$$C_2 = \frac{M}{e(H_1(Z^{r_2}), C_1)},$$

so $CT_{ID_2} = (C_1, C_2, d_4, d_5)$ is in fact of the following form:

$$CT_{ID_2} = \Big( g^z,\; \frac{M}{e(H_1(Z^{r_2}), g^z)},\; g^{r_2},\; \Big( u \prod_{i \in U_{ID_2}} u_i \Big)^{r_2} \Big)$$


Decrypt(CT, $sk_{ID}$) Taking as input a ciphertext
$CT_{ID}$ and the secret key $SK_{ID} = (d_1, d_2)$, this algorithm decrypts the ciphertext according to two cases:
(1) $CT_{ID}$ is an original ciphertext, i.e., $CT_{ID} = (C_1, C_2, C_3, C_4)$:
Simply output $M = \frac{C_2 \cdot e(C_3, d_2)}{e(d_1, C_1)}$.
(2) $CT_{ID}$ is a transformed ciphertext, i.e., $CT_{ID} = (C_1, C_2, d_4, d_5)$:
first compute $R = \frac{e(d_1, d_4)}{e(d_5, d_2)}$, and then
output $M = C_2 \cdot e(H_1(R), C_1)$.
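The six algorithms above, exercised end to end as an added example (not code from the paper): it checks that the pairing terms cancel as stated, and that Bob recovers the plaintext from a re-encrypted ciphertext only when the ciphertext's condition matches the one in the re-encryption key. Assumptions: group elements are stored as their discrete logs (an insecure toy model of the pairing, for checking the algebra only), the master key is g2^alpha with alpha an assumed name following Waters's IBE, and the SHA-256 encodings, identities and condition strings are constructed for illustration.

```python
import hashlib
import secrets

Q = 2**127 - 1   # prime group order p (constructed toy value)
N = 32           # bit length n of identities and conditions (constructed)

# Toy model: every group element is stored as its discrete log, so multiplying
# elements adds logs, exponentiation multiplies logs, and the pairing
# e(g^x, g^y) = e(g, g)^(x*y) becomes x*y mod Q. This checks the algebra only.
def pair(x, y):
    return x * y % Q

def h1(t):
    """H1 : G_T -> G, modelled with SHA-256 (assumption)."""
    digest = hashlib.sha256(t.to_bytes(16, "big")).digest()
    return int.from_bytes(digest, "big") % Q

def rand():
    return secrets.randbelow(Q - 1) + 1

def ones(label):
    """Indices set to 1 in the n-bit string derived from label (hypothetical encoding)."""
    d = int.from_bytes(hashlib.sha256(label.encode()).digest(), "big")
    return [i for i in range(N) if (d >> i) & 1]

def setup():
    alpha, g2 = rand(), rand()          # alpha: assumed name of the master exponent
    param = {"Z": pair(g2, alpha),      # Z = e(g2, g1) with g1 = g^alpha
             "u": rand(), "U": [rand() for _ in range(N)],
             "v": rand(), "V": [rand() for _ in range(N)]}
    return param, g2 * alpha % Q        # msk = g2^alpha (assumed, as in Waters's IBE)

def f_id(param, ident):                 # u * prod_{i in U_ID} u_i
    return (param["u"] + sum(param["U"][i] for i in ones(ident))) % Q

def f_cond(param, cond):                # v * prod_{j in V} v_j
    return (param["v"] + sum(param["V"][j] for j in ones(cond))) % Q

def keygen(param, msk, ident):
    r = rand()
    return ((msk + r * f_id(param, ident)) % Q, r)

def rkeygen(param, sk1, cond, id2):
    d1, d2 = sk1
    r1, r2 = rand(), rand()
    blind = h1(param["Z"] * r2 % Q)     # H1(Z^r2)
    return ((d1 + r1 * f_cond(param, cond) + blind) % Q, d2, r1, r2,
            r2 * f_id(param, id2) % Q)

def encrypt(param, ident, m, cond):
    z = rand()
    return (z, (m + param["Z"] * z) % Q,
            z * f_id(param, ident) % Q, z * f_cond(param, cond) % Q)

def reencrypt(ct, rk):
    c1, c2, c3, c4 = ct
    d1, d2, d3, d4, d5 = rk
    new_c2 = (c2 + pair(c3, d2) + pair(c4, d3) - pair(d1, c1)) % Q
    return (c1, new_c2, d4, d5)

def decrypt_original(ct, sk):
    c1, c2, c3, _ = ct
    d1, d2 = sk
    return (c2 + pair(c3, d2) - pair(d1, c1)) % Q

def decrypt_transformed(ct, sk):
    c1, c2, d4, d5 = ct
    d1, d2 = sk
    r = (pair(d1, d4) - pair(d5, d2)) % Q   # R = Z^r2 when sk belongs to ID2
    return (c2 + pair(h1(r), c1)) % Q

def demo():
    param, msk = setup()
    alice, bob = "alice@example.com", "bob@example.com"   # constructed identities
    sk_a, sk_b = keygen(param, msk, alice), keygen(param, msk, bob)
    m = 424242                                            # constructed plaintext in G_T
    rk = rkeygen(param, sk_a, "urgent", bob)
    ct_urgent = encrypt(param, alice, m, "urgent")
    ct_other = encrypt(param, alice, m, "newsletter")
    return (decrypt_original(ct_urgent, sk_a) == m,                     # Alice, own mail
            decrypt_transformed(reencrypt(ct_urgent, rk), sk_b) == m,   # matching condition
            decrypt_transformed(reencrypt(ct_other, rk), sk_b) == m,    # mismatched condition
            decrypt_original(ct_urgent, sk_b) == m)                     # Bob, no re-encryption

if __name__ == "__main__":
    print(demo())
```

With a mismatched condition the delegatee recovers an unrelated group element rather than an error, because Decrypt as described performs no validity check on the ciphertext.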


2. Chosen ciphertext security


Our proposed scheme only achieves chosen-plaintext security. Note that, as stated by Weng et al.[21], there exist
three important and necessary principles for designing CCA-secure proxy re-encryption systems: the validity of the original
ciphertexts should be publicly verifiable; the original ciphertexts
should satisfy the CCA-security; the transformed
ciphertexts should satisfy the CCA-security. We remark that
we can also improve our scheme to achieve the replayable chosen plaintext security[22]. That is, we use the one-time signature,
as illustrated in Ref.[23], to satisfy principles and .
For principle , we can use Libert-Vergnaud's re-encryption
technique[5] to provide the replayable chosen-plaintext security
for the transformed ciphertexts.




IV. Security Proof


Theorem 1 Our IBCPRE scheme is IND-IBCPRE-CPA
secure in the standard model, assuming the DBDH assumption holds in groups $(G, G_T)$. More specifically, if there exists an IND-IBCPRE-CPA adversary A, who asks at most $q_e$
extraction queries and at most $q_{rk}$ re-encryption key generation queries, and breaks the IND-IBCPRE-CPA security
of our scheme, then there exists an algorithm B that can
break the (t , )-DBDH assumption in groups $(G, G_T)$ with

t t + O((qe + qrk )te ) and 


,
16(qe + qrk )2 (n + 1)2 qrk
where $t_e$ denotes the running time of an exponentiation in group
G.
Proof Suppose algorithm B is given a DBDH instance
$(g, g^a, g^b, g^c, Q) \in G^4 \times G_T$ with unknown $a, b, c \xleftarrow{\$} Z_q$. B's
goal is to decide whether $Q = e(g, g)^{abc}$. B works by interacting with adversary A in the IND-IBCPRE-CPA game as
follows:
Setup B constructs the public parameters for A as follows:
(1) Set lu = 2(qe + 3qrk ), l = 2qrk , randomly choose
two integers ku , k Zn . We assume that lu (n + 1) < q and
l (n + 1) < q.
(2) Randomly choose the following integers:
x R Zlu , z  R Zl , y  ,  R Zq
x
i R Zlu , for i = 1, , n.

= {
Let X
xi }

zj }
zj R Zl , for j = 1, , n. Let Z = {
yi }
yi R Zq , for i = 1, , n. Let Y = {
tj R Zq , for j = 1, , n. Let T = {tj }
(3) Construct a set of public parameters as below:


g1 = g a , g2 , = g b , u = g2x lu ku g y , v  = g2z

l k

U = (
ui ) with u
i = g2xi g yi for i = 1, , n
z

V = (
vj ) with vj = g2 j g tj for i = 1, , n
All these public parameters are passed to A.
Observe that from the perspective of the adversary, the
distributions of these public parameters are identical to the
real construction. Note that the master key is implicitly set
to be g2 = g2a = g ab .


To make the notation easy to follow, we also define four
functions $J_1$, $J_2$, $K_1$, and $K_2$ such that for any set
$U, V \subseteq \{1, \ldots, n\}$,


x
i , J1 (U ) = y  +
yi
K1 (U ) = x lu ku +
iU


K2 (V ) = z l k +

iU


zj , J2 (V ) = +

jV

tj

jV

Note that for any set $U, V \subseteq \{1, \ldots, n\}$, the following
equalities always hold:

$$g_2^{K_1(U)} g^{J_1(U)} = u \prod_{i \in U} u_i, \qquad g_2^{K_2(V)} g^{J_2(V)} = v \prod_{i \in V} v_i$$


Phase 1 In this phase, adversary A issues a series of
queries as follows:
Extraction query ID: Suppose the adversary issues
a query for an identity ID. If K1 (UID ) = 0 mod p (denote
this event by E1), algorithm B aborts and randomly chooses
its guess of the challenger's value . Otherwise, the simulator
chooses a random r Zp and returns the secret key
SKID = (d1 , d2 ) to A as defined below:
d1 =

J1 (UID ) 
K (U )
g1 1 ID
u

r

ui

d2 =

1

K (U )
g1 1 ID g r

iUID

a
, we can see that the
K1 (UID )
above secret key has the correct form as required:
Note that, letting r = r 
J1 (UID )

K1 (UID )

d1 =g1

r 

u

ui

iUID

J1 (UID )
K1 (UID )

=g1

K (U

K1 (UID ) J1 (UID ) r 

(g2

K1 (UID ) J1 (UID ) r 

=g2a (g2 1 ID g J1 (UID ) ) K1 (UID ) (g2


a

r

K1 (UID )
=g2a u
ui
=g2a

iUID


r

ui

=g

J2 (V ) 
K2 (V )


r

a
K1 (UID )

r 
ui

iUID

d2 = g r ,

d3 =

u

ui

iUID2

a
and SKID1 =
Observe that, letting r1 = r1
r
K2 (V )



(d1 , d2 ) = g2 u iUID ui , g r , we can see that the
above re-encryption key has the correct form as required:
r   r1
J2 (V ) 

K2 (V )


u
v
d1 =g1
ui
vj
H1 (Z r2 )
J2 (V ) 
K (V )
u
=g1 2

iUID

jV

r
ui


K2 (V ) J2 (V ) r1

(g2

) H1 (Z r2 )

iUID


r 
a

r
K (V )
ui
(g2 2 g J2 (V ) ) 1 K2 (V ) H1 (Z r2 )
=g2a u
iUID

=g2a u


r  
ui

iUID

=d1 v 

 r1

vj

v

r1
vj

a
K2 (V )

H1 (Z r2 )

jV

H1 (Z r2 )

jV
1

K (V )
d3 =g1 2 g r1

=g


r1

a
K2 (V )

= g r1

Otherwise (i.e., K1 (UID1 ) = 0 mod p K2 (V ) = 0 mod
p, denote this event by E2), algorithm B aborts and randomly
chooses its guess of the challenger's value .
Challenge When A decides that Phase 1 is over, it outputs two equal-length messages m0 , m1 GT , a target identity
ID and a target condition , subject to the restrictions
specified in the IND-IBCPRE-CCA game. If K1 (UID ) = 0
mod p or K2 (V ) = 0 mod p (denote this event by E3), algorithm B aborts and submits a random guess for . Otherwise
(i.e., K1 (UID ) = 0 mod p K2 (V ) 0 mod p), algorithm B
picks {0, 1}, defines and returns the challenge ciphertext

CT = (C1 , C2 , C3 , C4 ) = (g c , m Q, (g c )J1 (UID ) , (g c )J2 ( ) )


to A.
Note that by the above construction, if Q = e(g, g)abc ,
then CT is a valid encryption of m under ID and , since
C2 =m Q = m e(g a , g b )c = m e(g1 , g2 )c = m Z c
K1 (UID ) J1 (UID ) c

=g

Re-encryption key generation query ID1 , , ID2 :
Algorithm B acts according to the following three cases:
If K1 (UID1 ) = 0 mod p: B first generates the secret
key SKID1 as in the extraction queries. Then it runs algorithm RKeyGen(SKID1 , , ID2 ) and returns the resulting re-encryption key to A.
K1 (UID1 ) = 0 mod p K2 (V ) = 0 mod p: B
picks r, r1 , r2 , and defines the re-encryption key from ID1 to ID2 as
(d1 , d2 , d3 , d4 , d5 ) as below:
d1 = g1

d5 =

C1 =g c

iUID
1

K (U )
d2 =g1 1 ID g r

d 4 = g r2 ,

 r2



1

K (V )
g 1 2 g r1

v


jV

r1
vj

H1 (Z r2 )

C3 =(g c )J1 (UID ) = (g J1 (UID ) )c = (g2



c

= u
ui

iUID

C4

c J2 (V )

K2 (V ) J2 (V ) c

=(g )
= (g J2 (V ) )c = (g2

c

= v
vi

iV

On the other hand, when Q is uniform and independent in
GT , the challenge ciphertext CT is independent of in the
adversary's view.
Phase 2 A continues to issue the rest of queries as in
Phase 1, with the restrictions described in the IND-IBCPRE-CPA game. B responds to these queries in the same way as in
Phase 2.
Guess Eventually, adversary A returns a guess
{0, 1} to B. If = , B outputs 1; otherwise, B outputs 0.



This completes the description of the simulation. Next, we
evaluate the probability of B's not aborting in the above game.
Let Pr[abort] denote the probability of B's not aborting in
the above game, then from the description of the above game,
we have
Pr[abort] = Pr[E1 E2 E3]
(1)
To make the analysis easier, we modify events E1 and E2
to be the following events, say E1 and E2 , respectively.
E1 : K1 (UID ) 0 mod lu
E2 : K1 (UID ) 0 mod lu (K2 (V ) 0 mod l
Since 0 ku n, the assumption lu (n + 1) < p leads to
i Zlu and |UID | n, then we
0 lu ku < p. Note that x , x

i (n + 1)lu < p. Since K1 (UID ) =
have 0 x + iUID x

i , it follows that 0 K1 (UID )+lu ku < p,
lu ku +x + iUID x
hence p < lu ku K1 (UID ) < p lu ku < p. So, if
K1 (UID ) = 0 mod p holds, the only case should be K1 (UID ) =
0, which immediately gives K1 (UID ) = 0 mod lu . This means
that K1 (UID ) = 0 mod p implies K1 (UID ) = 0 mod lu , that is,
E1E1 . Thus we have E1 E1. Similarly, E2 E2
also holds. Therefore, we have
Pr[abort] Pr[E1 E2 E3]

are randomly chosen,


Combining the fact that ku , x , and X
we have
Pr[A ] =Pr[K1 (UID ) 0 mod p K1 (UID ) 0 mod lu ]
=Pr[K1 (UID ) 0 mod lu ]Pr[K1 (UID ) 0
mod p|K1 (UID ) 0 mod lu ]
1 1
(4)
=
lu n + 1
1 1
Similarly, we have
Pr[B ] =
(5)
l n + 1
Since the events Ai and A are independent for any i, we
(6)
have
Pr[Ai |A ] = 1/lu
Then we have
qI

qI

Pr[( Ai A )] =Pr[A ]Pr[ Ai |A ]


i=1

i=1

Ai : K1 (Ui ) = 0 mod lu for i = 1, , qI


Dj : K2 (Vj ) = 0 mod l for j = 1, , q
A : K1 (UID ) = 0 mod p
B : K2 (V ) = 0 mod p

qI

=Pr[A ](1 Pr[ Ai |A ])


i=1
qI



1
Pr[Ai |A ]
1
lu (n + 1)
i=1


q
1

1 I
lu (n + 1)
lu


1
qe + qrk

1
lu (n + 1)
lu


(2)

Let U1 , , UqI be the UID s appearing in the extraction queries
and the re-encryption key generation queries not equal to UID .
Also, let V1 , , Vq be the V s appearing in the re-encryption
key generation queries not equal to V . Clearly, we have
qI qe + qrk and q qrk . Define the following events


(7)

Similarly, we get



1
qrk
1
Pr[( Dj D )]
j=1
l (n + 1)
l
qM

(8)

By combining the above results, we have


Pr[abort] Pr[E1 E2 E3 ]
qI

qM

Pr[ Ai A ]Pr[ Dj B ]
i=1
j=1




qe + qrk
qrk
1
1
1
1

lu (n + 1)
lu
l (n + 1)
l

Then we get

(9)
qI

i=1

j=1

Pr[E1 E2 E3] Pr[( Ai A ) ( Dj B )] (3)


qI

i=1

j=1

It is easy to see that events ( Ai A ) and ( Dj B )
are independent. Essentially, this is because the functions K1
and K2 which define these events are selected independently
and are hidden from the adversary's view of the simulation.
We proceed to bound the probability Pr[A ]. We first
claim that if K1 (UID ) 0 mod lu holds, there will be a unique
choice of ku with 0 ku n such that K1 (UID ) 0 mod p.

i ),
To see this, recall that K1 (UID ) = lu ku + (x + iUID x

i )
so if K1 (UID ) 0 mod lu holds, the term (x + iUID x
i Zlu
must equal to rlu for some integer r. Since x , x
and |UID n|, it follows that 0 r n. Now, if
K1 (UID ) 0 mod p further holds, as has been noted, it must
be K1 (UID ) = 0. Thus

x
i ) = lu ku + rlu = 0
K1 (UID ) = lu ku + (x +
iUID

So, the unique choice of ku with 0 ku n is ku = r. Similarly to the proof of K1 (UID ) 0 mod p K1 (UID ) 0 mod
lu , we have K1 (UID ) 0 mod p K1 (UID ) 0 mod lu .

The right hand side of the last inequality is maximized at
lu = 2(qe + qrk ) and l = 2qrk . Using the optimal value, we
have
Pr[abort] 16(qe + qrk )2 (n + 1)2 qrk     (10)
Note that, if B does not abort in the whole game, then the
simulation provided for A is indistinguishable from the real environment. So, we have that B's advantage in solving the DBDH
instance satisfies 16(qe + qrk )2 (n + 1)2 qrk . From the description
of the simulation, we can easily see that B's running
time is bounded by t t + O((qe + qrk )te ). Thus the proof of
Theorem 1 is concluded.

V. Conclusion
In this paper, we tackle the problem of how to control the
proxy in PRE systems at a fine-grained level in the IBE setting. We introduce the concept of identity-based conditional
proxy re-encryption, formalize its definition and its security
notions, and propose a secure IBCPRE scheme in the standard
model. The conditions in our proposed solution are limited to
keywords. It remains an interesting open problem how to
construct secure IBCPRE schemes with boolean predicates.

References

[1] M. Blaze, G. Bleumer and M. Strauss, "Divertible protocols and atomic proxy cryptography", Proc. of Eurocrypt'98, Springer-Verlag, LNCS 1403, Espoo, Finland, pp.127-144, 1998.
[2] G. Ateniese, K. Fu, M. Green and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage", Proc. of NDSS 2005, San Diego, California, USA, pp.29-43, 2005.
[3] G. Ateniese, K. Fu, M. Green and S. Hohenberger, "Improved proxy re-encryption schemes with applications to secure distributed storage", ACM Transactions on Information and System Security (TISSEC), Vol.9, No.1, pp.1-30, 2006.
[4] R. Canetti and S. Hohenberger, "Chosen-ciphertext secure proxy re-encryption", Proc. of ACM CCS 2007, ACM Press, Alexandria, VA, USA, pp.185-194, 2007.
[5] B. Libert and D. Vergnaud, "Unidirectional chosen-ciphertext secure proxy re-encryption", Proc. of PKC'08, Springer-Verlag, LNCS 4929, Barcelona, Spain, pp.360-379, 2008.
[6] R.H. Deng, J. Weng, S. Liu and K. Chen, "Chosen-ciphertext secure proxy re-encryption without pairings", Proc. of CANS'08, Springer-Verlag, LNCS 5339, Hong Kong, China, pp.1-17, 2008.
[7] J. Weng, S. Chow, Y. Yang and R.H. Deng, "Efficient unidirectional proxy re-encryption", Cryptology ePrint Archive, Report 2009/189, 2009.
[8] J. Zhao, D. Feng, L. Yang and L. Ma, "CCA-secure type-based proxy re-encryption without pairings", Acta Electronica Sinica, Vol.39, No.11, pp.2513-2519, 2011. (in Chinese)
[9] M. Green and G. Ateniese, "Identity-based proxy re-encryption", Proc. of ACNS'07, Springer-Verlag, LNCS 4521, Zhuhai, China, pp.288-306, 2007.
[10] M. Mambo and E. Okamoto, "Proxy cryptosystems: Delegation of the power to decrypt ciphertexts", IEICE Trans. Fund. Electronics Communications and Computer Science, Vol.E80-A, No.1, pp.54-63, 1997.
[11] J. Weng, M. Chen, Y. Yang, R.H. Deng, K. Chen and F. Bao, "CCA-secure unidirectional proxy re-encryption in the adaptive corruption model without random oracles", Science China: Information Science, Vol.53, No.3, pp.593-606, 2010.
[12] B. Libert and D. Vergnaud, "Tracing malicious proxies in proxy re-encryption", Proc. of Pairing'08, Springer-Verlag, LNCS 5209, Egham, UK, pp.332-353, 2008.
[13] J. Weng, R.H. Deng, X. Ding, C. Chu and J. Lai, "Conditional proxy re-encryption secure against chosen-ciphertext attack", Proc. of ASIACCS'09, ACM Press, Sydney, Australia, pp.322-332, 2009.
[14] T. Matsuo, "Proxy re-encryption systems for identity-based encryption", Proc. of Pairing'07, LNCS 4575, Springer-Verlag, Tokyo, Japan, pp.247-267, 2007.
[15] T. ElGamal, "A public-key cryptosystem and a signature scheme based on discrete logarithms", Proc. of Crypto'84, Springer-Verlag, LNCS 196, Santa Barbara, California, USA, pp.10-18, 1984.
[16] D. Boneh and X. Boyen, "Efficient selective-ID secure identity based encryption without random oracles", Proc. of Eurocrypt'04, Springer-Verlag, LNCS 3027, Interlaken, Switzerland, pp.223-238, 2004.
[17] D. Boneh, E.J. Goh and T. Matsuo, "Proposal for P1363.3 proxy re-encryption", http://grouper.ieee.org/groups/1363/IBC/submissions/NTTDataProposal-for-P1363.3-2006-08-14.pdf.
[18] D. Boneh and M. Franklin, "Identity based encryption from the Weil pairing", Proc. of Crypto'01, Springer-Verlag, LNCS 2139, Santa Barbara, California, USA, pp.213-229, 2001.
[19] C. Chu and W. Tzeng, "Identity-based proxy re-encryption without random oracles", Proc. of ISC'07, Springer-Verlag, LNCS 4779, Valparaíso, Chile, pp.189-202, 2007.
[20] B. Waters, "Efficient identity-based encryption without random oracles", Proc. of Eurocrypt'05, Springer-Verlag, LNCS 3494, Aarhus, Denmark, pp.114-127, 2005.
[21] J. Weng, Y. Yang, Q. Tang, R.H. Deng and F. Bao, "Efficient conditional proxy re-encryption with chosen-ciphertext security", Proc. of ISC'09, Springer-Verlag, LNCS 5735, Pisa, Italy, pp.151-166, 2009.
[22] R. Canetti, H. Krawczyk and J.B. Nielsen, "Relaxing chosen-ciphertext security", Proc. of Crypto'03, Springer-Verlag, LNCS 2729, Santa Barbara, California, USA, pp.565-582, 2003.
[23] R. Canetti, S. Halevi and J. Katz, "Chosen-ciphertext security from identity-based encryption", Proc. of Eurocrypt'04, Springer-Verlag, LNCS 3027, Interlaken, Switzerland, pp.207-222, 2004.
ZHOU Dehua
received B.S. and
M.S. degrees in computer science from
South China University of Technology in
2000 and 2003 respectively. Since July
2003, he came to Department of Computer
Science in Jinan University and became
a lecturer. He is now a Ph.D. candidate
in Shanghai Jiaotong University. His research interests include exposure-resilient
cryptography and pairing based cryptosystems. (Email: dhzhou@sjtu.edu.cn)
CHEN Kefei (corresponding author)
received Ph.D. degree from Justus Liebig
University Giessen, Germany in 1994. His
main research areas include classical and
modern cryptography, theory and technology of network security, etc. He came to
Shanghai Jiaotong University in 1996 and
was appointed professor at the Department
of Computer Science and Engineering. He
is also the director of the Laboratory of
Cryptography and Information Security in Shanghai Jiaotong University. He has published more than 100 academic papers on cryptology and information security in journals and conferences. (Email:
kfchen@sjtu.edu.cn)
LIU Shengli
received B.S. degree,
M.S. degree and Ph.D. degree from Xidian University in 1995, 1998 and 2000 respectively. From 2000 till 2002, she continued her research on cryptography and
received another Ph.D. degree from Technische Universiteit Eindhoven, the Netherlands. Since 2002, she joined the Department of Computer Science and Engineering, Shanghai Jiaotong University. She is
now a professor and her research interests include public key cryptosystems, and information-theoretic security.
ZHENG Dong received Ph.D. degree from Xidian University in 1999. Now,
he is a professor, deputy director of the
Laboratory for Cryptography and Information Security, in Shanghai Jiaotong University. He is a member of the expert committee of NSFC and the expert reviewing
committee of NSFC. He was a general cochair of Asiacrypt2006, Cans2006, and Ispec2006. His main research interests include cryptographic algorithm, information hiding, digital watermarking, wireless security technology, etc. His research has been
funded by NSFC, 863 program, and private corporations.