Provable Security: 11Th International Conference, Provsec 2017, Xi'An, China, October 23-25, 2017, Proceedings 1St Edition Tatsuaki Okamoto

Provable Security: 11th International
Conference, ProvSec 2017, Xi’an,

China, October 23-25, 2017,
Proceedings 1st Edition Tatsuaki
Okamoto
Visit to download the full and correct content document:
https://textbookfull.com/product/provable-security-11th-international-conference-provs
ec-2017-xian-china-october-23-25-2017-proceedings-1st-edition-tatsuaki-okamoto/
More products digital (pdf, epub, mobi) instant
download maybe you interests ...
Provable Security: 11th International Conference,

ProvSec 2017, Xi’an, China, October 23-25, 2017,
Proceedings 1st Edition Tatsuaki Okamoto
https://textbookfull.com/product/provable-security-11th-
international-conference-provsec-2017-xian-china-
october-23-25-2017-proceedings-1st-edition-tatsuaki-okamoto/
Cyberspace Safety and Security 9th International

Symposium CSS 2017 Xi an China October 23 25 2017
Proceedings 1st Edition Sheng Wen
https://textbookfull.com/product/cyberspace-safety-and-
security-9th-international-symposium-css-2017-xi-an-china-
october-23-25-2017-proceedings-1st-edition-sheng-wen/
Provable Security 12th International Conference ProvSec

2018 Jeju South Korea October 25 28 2018 Proceedings
Joonsang Baek
https://textbookfull.com/product/provable-security-12th-
international-conference-provsec-2018-jeju-south-korea-
october-25-28-2018-proceedings-joonsang-baek/
Foundations and Practice of Security 10th International

Symposium FPS 2017 Nancy France October 23 25 2017
Revised Selected Papers 1st Edition Abdessamad Imine
https://textbookfull.com/product/foundations-and-practice-of-
security-10th-international-symposium-fps-2017-nancy-france-
october-23-25-2017-revised-selected-papers-1st-edition-
Algorithmic Decision Theory 5th International
Conference ADT 2017 Luxembourg Luxembourg October 25 27
2017 Proceedings 1st Edition Jörg Rothe
https://textbookfull.com/product/algorithmic-decision-theory-5th-
international-conference-adt-2017-luxembourg-luxembourg-
october-25-27-2017-proceedings-1st-edition-jorg-rothe/
Internet Multimedia Computing and Service 9th

International Conference ICIMCS 2017 Qingdao China
August 23 25 2017 Revised Selected Papers 1st Edition
Benoit Huet
https://textbookfull.com/product/internet-multimedia-computing-
and-service-9th-international-conference-icimcs-2017-qingdao-
china-august-23-25-2017-revised-selected-papers-1st-edition-
benoit-huet/
Trusted Computing and Information Security: 11th

Chinese Conference, CTCIS 2017, Changsha, China,
September 14-17, 2017, Proceedings 1st Edition Ming Xu
https://textbookfull.com/product/trusted-computing-and-
information-security-11th-chinese-conference-ctcis-2017-changsha-
china-september-14-17-2017-proceedings-1st-edition-ming-xu/
Communications and Networking: 12th International

Conference, ChinaCom 2017, Xi’an, China, October 10-12,
2017, Proceedings, Part II Bo Li
https://textbookfull.com/product/communications-and-
networking-12th-international-conference-chinacom-2017-xian-
china-october-10-12-2017-proceedings-part-ii-bo-li/
Analytical and Computational Methods in Probability

Theory First International Conference ACMPT 2017 Moscow
Russia October 23 27 2017 Proceedings 1st Edition
Vladimir V. Rykov
https://textbookfull.com/product/analytical-and-computational-
methods-in-probability-theory-first-international-conference-
acmpt-2017-moscow-russia-october-23-27-2017-proceedings-1st-
Tatsuaki Okamoto · Yong Yu
Man Ho Au · Yannan Li (Eds.)
LNCS 10592
Provable Security
11th International Conference, ProvSec 2017
Xi'an, China, October 23–25, 2017
Proceedings
123
Lecture Notes in Computer Science 10592
Commenced Publication in 1973
Founding and Former Series Editors:
Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen
Editorial Board
David Hutchison
Lancaster University, Lancaster, UK
Takeo Kanade
Carnegie Mellon University, Pittsburgh, PA, USA
Josef Kittler
University of Surrey, Guildford, UK
Jon M. Kleinberg
Cornell University, Ithaca, NY, USA
Friedemann Mattern
ETH Zurich, Zurich, Switzerland
John C. Mitchell
Stanford University, Stanford, CA, USA
Moni Naor
Weizmann Institute of Science, Rehovot, Israel
C. Pandu Rangan
Indian Institute of Technology, Madras, India
Bernhard Steffen
TU Dortmund University, Dortmund, Germany
Demetri Terzopoulos
University of California, Los Angeles, CA, USA
Doug Tygar
University of California, Berkeley, CA, USA
Gerhard Weikum
Max Planck Institute for Informatics, Saarbrücken, Germany
More information about this series at http://www.springer.com/series/7410
Tatsuaki Okamoto Yong Yu
•
Man Ho Au Yannan Li (Eds.)

•
Provable Security
11th International Conference, ProvSec 2017
Xi’an, China, October 23–25, 2017
Proceedings
123
Editors
Tatsuaki Okamoto Man Ho Au
NTT Laboratories Hong Kong Polytechnic University
Tokyo Hong Kong
Japan China
Yong Yu Yannan Li
Shaanxi Normal University University of Wollongong
Xi’an Wollongong, NSW
China Australia
ISSN 0302-9743 ISSN 1611-3349 (electronic)

Lecture Notes in Computer Science
ISBN 978-3-319-68636-3 ISBN 978-3-319-68637-0 (eBook)
https://doi.org/10.1007/978-3-319-68637-0
Library of Congress Control Number: 2017956072
LNCS Sublibrary: SL4 – Security and Cryptology
© Springer International Publishing AG 2017

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the
material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation,
broadcasting, reproduction on microfilms or in any other physical way, and transmission or information
storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now
known or hereafter developed.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant
protective laws and regulations and therefore free for general use.
The publisher, the authors and the editors are safe to assume that the advice and information in this book are
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors
give a warranty, express or implied, with respect to the material contained herein or for any errors or
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in
published maps and institutional affiliations.
Printed on acid-free paper
This Springer imprint is published by Springer Nature

The registered company is Springer International Publishing AG
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland
Preface
The 11th International Conference on Provable Security (ProvSec 2017) was held in
Xi’an, China, October 23–25, 2017. The conference was organized by Shaanxi Normal
University, Xidian University, and Xi’an University of Posts and Telecommunications.
The conference program consisted of two keynote speeches, four invited talks, and
29 contributed papers. We would like to express our special thanks to the distinguished
speakers, David Pointcheval from Ecole normale supérieure, Giuseppe Ateniese from
Stevens Institute of Technology, Mauro Barni from the University of Siena, Willy
Susilo from the University of Wollongong, Joseph Liu from Monash University, and
Man Ho Au from Hong Kong Polytechnic University, who gave very enlightening
talks.
Out of 76 submissions from 18 countries, 29 papers were selected, presented at the
conference, and are included in the proceedings. The accepted papers cover a range of
topics in the field of provable security research, including attribute-based cryptography,
cloud security, encryption, digital signatures, homomorphic encryption, and
blockchain-based cryptography.
The success of this event depended critically on the help and hard work of many
people, whose help we gratefully acknowledge. First, we heartily thank the Program
Committee and the additional reviewers, listed on the following pages, for their careful
and thorough reviews. Most of the papers were reviewed by at least three people, and
many by four or five. Significant time was spent discussing the papers. Thanks must
also go to the hard-working shepherds for their guidance and helpful advice on
improving a number of papers. We also thank the general co-chairs, Bo Yang, Hui Li,
and Dong Zheng, for the excellent organization of the conference.
We sincerely thank the authors of all submitted papers. We further thank the authors
of accepted papers for revising papers according to the various reviewer suggestions
and for returning the source files in good time. The revised versions were not checked
by the Program Committee, and thus the authors bear final responsibility for their
contents. We would also like to thank the Steering Committee and local Organizing
Committee.
We gratefully acknowledge the support of K.C.Wong Education Foundation, Hong
Kong. We also want to express our gratitude to our generous sponsors: Springer,
Shanghai HeFu Holding(Group) Company Limited, Shaanxi Normal University,
Xidian University, Xi’an University of Posts and Telecommunications, National 111
Project for Mobile Internet Security, and State Key Laboratory of Integrated Services
Networks. Finally, we would like to express our thanks to Springer again for contin-
uing to support the ProvSec conference and for help in the production of the conference
proceedings.
October 2017 Tatsuaki Okamoto

Yong Yu
Organization
ProvSec 2017
The 11th International Conference on Provable Security
Jointly organized by
Shaanxi Normal University

Xidian University
Xi’an University of Posts and Telecommunications
Honorary Co-chairs
Jianfeng Ma Xidian University, China
Xiaoming Wang Shaanxi Normal University, China
General Co-chairs
Bo Yang Shaanxi Normal University, China
Hui Li Xidian University, China
Dong Zheng Xi’an University of Posts and Telecommunications, China and
Westone Cryptologic Research Center/Morse Laboratory,
China
Program Co-chairs
Tatsuaki Okamoto NTT, Japan
Yong Yu Shaanxi Normal University, China
Organizing Co-chairs
Zhenqiang Wu Shaanxi Normal University, China
Qiqi Lai Shaanxi Normal University, China
Yanwei Zhou Shaanxi Normal University, China
Publication Co-chairs
Man Ho Au Hong Kong Polytechnic University, Hong Kong, China
Yannan Li University of Wollongong, Australia
VIII Organization
Publicity Co-chairs
Jianfeng Wang Xidian University, China
Kaitai Liang Manchester Metropolitan University, UK
Jianbing Ni University of Waterloo, Canada
Website Co-chairs
Yanqi Zhao Shaanxi Normal University, China
Ru Meng Shaanxi Normal University, China
Registration Co-chairs
Yujie Ding Shaanxi Normal University, China
Yuanxiao Li Shaanxi Normal University, China
Program Committee
Janaka Alawatugoda University of Peradeniya, Sri Lanka
Elena Andreeva KU Leuven, Belgium
Man Ho Au Hong Kong Polytechnic University, Hong Kong, China
Colin Boyd Norwegian University of Science and Technology, Norway
Aniello Castiglione University of Salerno, Italy
Kefei Chen Hangzhou Normal University, China
Liqun Chen University of Surrey, UK
Rongmao Chen National University of Defense Technology, China
Xiaofeng Chen Xidian University, China
Céline Chevalier École normale supérieure, France
Kim-Kwang The University of Texas at San Antonio, USA
Raymond Choo
Bernardo David Aarhus University, Denmark
Hongzhen Du Baoji University of Arts and Sciences, China
Christian Esposito University of Salerno, Italy
Jinguang Han Nanjing University of Finance and Economics, China
Debiao He Wuhan University, China
Qiong Huang South China Agricultural University, China
Xinyi Huang Fujian Normal University, China
Vincenzo Iovino University of Luxembourg, Luxembourg
Ryo Kikuchi NTT, Japan
Junzuo Lai Jinan University, China
Fagen Li University of Electronic Science and Technology of China,
China
Jin Li Guangzhou University, China
Shundong Li Shaanxi Normal University, China
Yannan Li University of Wollongong, Australia
Xiaodong Lin University of Ontario Institute of Technology, Canada
Organization IX
Feng Liu The State Key Laboratory of Information Security, China

Jiqiang Liu Beijing Jiaotong University, China
Joseph Liu Monash University, Australia
Zhe Liu University of Waterloo, Canada
Mark Manulis University of Surrey, UK
Barbara Masucci University of Salerno, Italy
Mitsuru Matsui Mitsubishi Electric, Japan
Bart Mennink Radboud University Nijmegen, The Netherlands
Yi Mu University of Wollongong, Australia
Pratyay Mukherjee University of California, Berkley, USA
Jianbing Ni University of Waterloo, Canada
Tatsuaki Okamoto NTT, Japan
Josef Pieprzyk Queensland University of Technology, Australia
Jae Hong Seo Myongji University, Republic of Korea
Jun Shao Zhejiang Gongshang University, China
Chunhua Su Osaka University, Japan
Willy Susilo University of Wollongong, Australia
Qiang Tang New Jersey Institute of Technology, USA
Mehdi Tibouchi NTT, Japan
Baocang Wang Xidian University, China
Ding Wang Peking University, China
Huaxiong Wang Nanyang Technological University, Singapore
Qian Wang Wuhan University, China
Qianhong Wu Beihang University, China
Shota Yamada AIST, Japan
Bo Yang Shaanxi Normal University, China
Chung-Huang Yang National Kaohsiung Normal University, Taiwan
Guomin Yang University of Wollongong, Australia
Xun Yi RMIT University, Australia
Siu Ming Yiu The University of Hong Kong, Hong Kong, SAR China
Yong Yu Shaanxi Normal University, China
Yu Yu Shanghai Jiao Tong University, China
Fangguo Zhang Sun Yat-sen University, China
Lei Zhang East China Normal University, China
Mingwu Zhang Hubei University of Technology, China
Rui Zhang Chinese Academy of Sciences, China
Wenzheng Zhang National Laboratory for Modern Communications, China
Fucai Zhou Northeastern University, China
X Organization
Additional Reviewers
Anada, Hiroaki Huang, Jianye Wang, Hao

Aono, Yoshinori Huang, Yan Wang, Huige
Arita, Seiko Jiang, Yan Wang, Zheng
Becerra, Jose Kelarev, Andrei Wu, Ge
Biwen, Chen Lai, Jianchang Xu, Dongqing
Castiglione, Arcangelo Lai, Qiqi Xu, Zhiyan
Chakraborty, Suvradip Larangeira, Mario Xuan Phuong, Tran Viet
Chillotti, Ilaria Li, Hongbo Yan, Dingyu
Chuah, Chai Wen Li, Huige Yang, Xu
Cui, Hui Li, Na Yang, Xuechao
Cui, Yuzhao Li, Qinyi Yoneyama, Kazuki
Dai, Feifei Li, Xingxin Zhang, Huang
Datta, Pratish Lin, Chengjun Zhang, Juanyang
Dowling, Benjamin Liu, Dongxi Zhang, Kai
Espitau, Thomas Liu, Jianghua Zhang, Wentao
Ferradi, Houda Naito, Yusuke Zhang, Yaqin
Flores, Manuela Nguyen, Khoa Zhang, Yudi
Galdi, Clemente Sun, Yang Zhang, Yuexin
Ganesh, Chaya Takashima, Katsuyuki Zhang, Zheng
Genc, Ziya A. Tan, Benjamin Hong Zhao, Ling
Guo, Hua Meng Zhou, Yanwei
Guo, Qingwen Thillard, Adrian Zhu, Youwen
Hu, Zhi Wang, Fuqun
Contents
Secure Cloud Storage and Computing
Provably Secure Self-Extractable Encryption . . . . . . . . . . . . . . . . . . . . . . . 3

Zhi Liang, Qianhong Wu, Weiran Liu, Jianwei Liu, and Fu Xiao
Towards Multi-user Searchable Encryption Supporting Boolean Query

and Fast Decryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Yunling Wang, Jianfeng Wang, Shi-Feng Sun, Joseph K. Liu,
Willy Susilo, and Xiaofeng Chen
An Efficient Key-Policy Attribute-Based Searchable Encryption

in Prime-Order Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Ru Meng, Yanwei Zhou, Jianting Ning, Kaitai Liang, Jinguang Han,
and Willy Susilo
Secure Multi-label Classification over Encrypted Data in Cloud . . . . . . . . . . 57

Yang Liu, Xingxin Li, Youwen Zhu, Jian Wang, and Zhe Liu
A Secure Cloud Backup System with Deduplication and Assured Deletion. . . 74

Junzuo Lai, Jie Xiong, Chuansheng Wang, Guangzheng Wu,
and Yanling Li
Digital Signature and Authentication
Practical and Robust Secure Logging from Fault-Tolerant Sequential

Aggregate Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Gunnar Hartung, Björn Kaidel, Alexander Koch, Jessica Koch,
and Dominik Hartmann
Verifiably Encrypted Group Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Zhen Wang, Xiling Luo, and Qianhong Wu
Deniable Ring Authentication Based on Projective Hash Functions . . . . . . . . 127

Shengke Zeng, Yi Mu, Guomin Yang, and Mingxing He
Authenticated Encryption and Key Exchange
INT-RUP Security of Checksum-Based Authenticated Encryption . . . . . . . . . 147

Ping Zhang, Peng Wang, Honggang Hu, Changsong Cheng,
and Wenke Kuai
XII Contents
Leakage-Resilient Non-interactive Key Exchange

in the Continuous-Memory Leakage Setting . . . . . . . . . . . . . . . . . . . . . . . . 167
Suvradip Chakraborty, Janaka Alawatugoda, and C. Pandu Rangan
New Framework of Password-Based Authenticated Key Exchange

from Only-One Lossy Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Haiyang Xue, Bao Li, and Jingnan He
Security Models
Impossibility of the Provable Security of the Schnorr Signature

from the One-More DL Assumption in the Non-programmable
Random Oracle Model. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
Masayuki Fukumitsu and Shingo Hasegawa
Bit Security of the Hyperelliptic Curves Diffie-Hellman Problem . . . . . . . . . 219

Fangguo Zhang
Natural sd-RCCA Secure Public-Key Encryptions . . . . . . . . . . . . . . . . . . . . 236

Yuan Chen, Qingkuan Dong, and Qiqi Lai
Long-Term Secure Time-Stamping Using Preimage-Aware Hash

Functions: (Short Version) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251
Ahto Buldas, Matthias Geihs, and Johannes Buchmann
On the Hardness of Sparsely Learning Parity with Noise . . . . . . . . . . . . . . . 261

Hanlin Liu, Di Yan, Yu Yu, and Shuoyao Zhao
Lattice and Post-quantum Cryptography
Provable Secure Post-Quantum Signature Scheme Based on Isomorphism

of Polynomials in Quantum Random Oracle Model . . . . . . . . . . . . . . . . . . . 271
Bagus Santoso and Chunhua Su
Bootstrapping Fully Homomorphic Encryption with Ring Plaintexts

Within Polynomial Noise . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Long Chen and Zhenfeng Zhang
Revocable Predicate Encryption from Lattices. . . . . . . . . . . . . . . . . . . . . . . 305

San Ling, Khoa Nguyen, Huaxiong Wang, and Juanyang Zhang
Public Key Encryption and Signcryption
Provable Secure Constructions for Broadcast Encryption

with Personalized Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Kamalesh Acharya and Ratna Dutta
Contents XIII
Provably Secure Homomorphic Signcryption . . . . . . . . . . . . . . . . . . . . . . . 349

Fatemeh Rezaeibagha, Yi Mu, Shiwei Zhang, and Xiaofen Wang
Public-Key Encryption with Simulation-Based Sender

Selective-Opening Security. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Dali Zhu, Renjun Zhang, and Dingding Jia
Homomorphic Secret Sharing from Paillier Encryption . . . . . . . . . . . . . . . . 381

Nelly Fazio, Rosario Gennaro, Tahereh Jafarikhah,
and William E. Skeith III
Fuzzy Public-Key Encryption Based on Biometric Data . . . . . . . . . . . . . . . . 400

Hui Cui, Man Ho Au, Baodong Qin, Robert H. Deng, and Xun Yi
Proxy Re-encryption and Functional Encryption
An Efficient Certificateless Proxy Re-Encryption Scheme Without Pairing . . . 413

S. Sharmila Deva Selvi, Arinjita Paul,
and Chandrasekaran Pandu Rangan
Mergeable Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Vincenzo Iovino and Karol Żebrowski
Protocols
Private Subgraph Matching Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

Zifeng Xu, Fucai Zhou, Yuxi Li, Jian Xu, and Qiang Wang
A New Blockchain-Based Value-Added Tax System . . . . . . . . . . . . . . . . . . 471

Dimaz Ankaa Wijaya, Joseph K. Liu, Dony Ariadi Suwarsono,
and Peng Zhang
Verifiable Private Polynomial Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Xavier Bultel, Manik Lal Das, Hardik Gajera, David Gérault,
Matthieu Giraud, and Pascal Lafourcade
Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Secure Cloud Storage and Computing
Provably Secure Self-Extractable Encryption
Zhi Liang1,2 , Qianhong Wu1,2(B) , Weiran Liu1 , Jianwei Liu1,2 , and Fu Xiao3(B)
1
School of Electronic and Information Engineering,
Beihang University, Beijing, China
seaeory@126.com, qianhong.wu@buaa.edu.cn, liuweiran900217@gmail.com,
liujianwei@buaa.edu.cn
2
State Key Laboratory of Cryptology, P.O. Box 5159, Beijing 100878, China
3
School of Computer, Nanjing University of Posts and Telecommunications,
Nanjing, China
xiaof@njupt.edu.cn
Abstract. There is an increasing demand of data sharing via cloud.

Data privacy and secrecy protections are arguably the major challenges
in such applications. It is widely suggested to encrypt outsourced data
using advanced encryption primitives for flexible sensitive data sharing
in cloud. In all existing asymmetric based systems, a subtle issue is that
the data owner itself cannot read the encrypted and outsourced data.
This raises a problem for the data owner when she needs to access the
outsourced data but locally there is no copy in the clear text form.
To cope with this problem, we formalize a new framework, referred
to as Self-EXtractable Encryption (SEXE). In addition to the normal
functionalities of an advanced encryption primitive, SEXE is equipped
with a useful self-extractability. With this property, the data owner can
always access her encrypted data. We propose a generic SEXE con-
struction from any advanced encryption primitives. Following the pro-
posed generic construction, we instantiate several typical SEXE systems,
including Self-EXtractable Identity-Based Encryption (SEXIBE), Self-
Extractable Attribute-Based Encryption (SXABE) in Key-Policy setting
and in Ciphertext-Policy setting.
Keywords: Cloud storage · Data sharing · Data secrecy · Self-

Extractable Encryption
1 Introduction
With the development of communication techniques and the popularity of

portable computing devices, people are shifting away from traditional desktops
and laptops to cloud storage. Through networks and mobile devices, users are
able to seamlessly interact with cloud service providers to enjoy new types of
services that were not available before. Cloud storage systems enable users to
share their data with peers so that the latter can access their data stored in
clouds anywhere and anytime. For instance, users can store their private photos,
c Springer International Publishing AG 2017
T. Okamoto et al. (Eds.): ProvSec 2017, LNCS 10592, pp. 3–23, 2017.
https://doi.org/10.1007/978-3-319-68637-0_1
4 Z. Liang et al.
videos, or other documents on cloud storage providers such as Dropbox, iCloud,

so that they can be remotely accessed and shared when necessary.
Most challenging obstacles for the wide usage of cloud storage systems may
be the concerns about data privacy and secrecy. Users often hesitate to use cloud
storage systems because of the worries of losing control on the outsourced data.
Typical method to protect data security is to encrypt them before outsourcing.
Encryption is a standard approach to protect the data outsourced to clouds.
However, traditional encryption systems cannot enforce fine-grained access con-
trol, which brings difficulties for flexible data sharing. To address this problem,
advanced encryption primitives, e.g., Identity-Based Encryption [8], Attribute-
Based Encryption [35] have been proposed and extensively employed in many
cloud storage systems. In these systems, a data owner can specify data attributes
for the outsourced data. Each data owner has its own secret key that is associ-
ated with key attributes. Access can be done only if the key attributes match
the data attributes.
A subtle problem arises when such advanced encryption primitive is used
to secure data in cloud. In all existing schemes, there exists a Trusted Keying
Authority (TKA) responsible for secret key distribution. The schemes require
all data users to be authorized by TKA to get their secret keys. Data owners
are not required to be authorized by TKA. They can directly encrypt the data
using the public keys. However, after encrypting the data, the data owner herself
cannot extract the data hidden in the ciphertext since she does not have any
secret keys. In a cloud storage setting, the encrypted files will be outsourced to
some cloud server and there is no local copy of the files in the clear, except some
meta-data of the file or file identifiers. These meta-data or file identifiers can
only used to check the integrity of the files or as clues to retrieve the outsourced
files, instead of recovering the encrypted files. Consequently, the outsourced files
are no longer accessible to their owners, although the data owners authorized
peers can access the files. Clearly, this is undesirable in practice.
At the first glance, this problem may be trivially addressed. One trivial solu-
tion is asking the data owner to simultaneously encrypt to herself a copy of the
file. However, this would incur significant computation and storage cost if the
file is large. Another trivial solution is to let the data owner also specify herself
as a data user of the encrypted file. This is difficult in practice. First, advanced
encryption primitive is a closed encryption system, i.e., before the data users
hold a secret key they must first register to TKA. This implies that each pos-
sible data owner has to first register to TKA as an authorized data user, which
badly makes the maximal number of data users in such system unnecessarily
large. Note that the complexity of most existing systems rely on the scale of
the data users. Second, some advanced encryption instantiations, e.g., Identity-
Based Encryption (IBE), only allow one receiver in an encryption, which makes
it impossible to allow the data owner as an extra receiver.
We investigate how to enable a data owner to access his/her own encrypted
data with a cost as low as possible. To achieve this goal, we formalize a new
framework, referred to as Self-EXtractable Encryption (SEXE). In addition to
Provably Secure Self-Extractable Encryption 5
the normal functionalities of a regular advanced encryption primitive, SEXE is

equipped with a useful self-extractability. Roughly speaking, the data owner can
always access her encrypted data in SEXE. We propose a generic SEXE construc-
tion from any advanced encryption scheme. The construction only additionally
requires a pseudo random function, a symmetric encryption cipher, and some
hash functions, all of which are efficient in terms of computation. The desirable
self-extractability only incurs a marginal cost, while posing little extra cost on
regular receivers. Following the generic construction, we instantiate several typi-
cal SEXE schemes, including Self-Extractable Identity-Based Encryption (SEX-
IBE), Self-Extractable Attribute-Based Encryption (SXABE) in Key-Policy set-
ting and in Ciphertext-Policy setting.
2 Related Work
Cloud storage follows the area of “database-as-a-service” paradigm, which is
a classic data storage topic that has been studied since 2000s. The intended
purpose of cloud storage is to enable data owners to outsource their data on the
Internet to service providers [20,21]. The basic idea to protect data privacy and
secrecy in cloud storage is to enforce data access control by encrypting the data
before outsourcing. Only the authorized data users can have access [2]. Classic
schemes employ traditional symmetric key/asymmetric cryptosystems to realize
access control [16,27]. As the number of data users increases, especially for cloud-
based data storage systems that potentially allow a vast number of data users,
the systems suffer from complicated entity and key managements.
Researches have been devoted to entity and key management problems.
In 2001, Boneh and Franklin [8] proposed a new encryption primitive, named
Identity-Based Encryption (IBE), the concept of which was first introduced by
Shamir [36]. Compared with the traditional asymmetric encryption system, the
public keys in IBE can be arbitrary strings, such as social security numbers, email
addresses, and phone numbers. Instead of generating the secret key by the data
owner itself, a Trusted Key Authority (TKA) is employed in IBE for user authen-
tication and key distribution. Since IBE brings flexibilities for user authentica-
tion and entity management, many advanced data access control schemes started
to leverage IBE as the basic encryption primitive [12,19]. Schemes exploiting IBE
and various other cryptographic primitives have been proposed to achieve more
flexible data sharing functionalities, including cross-domain [38] and emergency
sharing [39] for specific data outsourcing applications.
The IBE primitive only allows to assign one receiver in an encryption, which
brings difficulties for multi-entity data sharing application scenarios. Briefly
speaking, the access policy in IBE is “exact string match”, which is a limited data
access control mechanism. Although several encryption primitives and schemes,
e.g., Hierarchical IBE [15,24], (Identity-Based) Broadcast Encryption [9,14],
Proxy Re-Encryption [4], were proposed and/or applied to partially support one-
to-many data sharing mechanism in cloud storage applications [3], access policies
in all of which are somewhat restricted. How to support expressive access pol-
icy in encryption primitives remained as an open problem. In 2005, Sahai and
6 Z. Liang et al.
Waters introduced the concept of Attribute-Based Encryption (ABE) [35], in

which the access policy can be expressed as a monotonic boolean formula. For
example, the access policy for an outsourced data from an university can be “CS
AND (Ph.D OR Masters)”. The Ph.D or masters in the department of Computer
Science can have access to the data. Later, the concept of ABE was extended to
be Key-Policy ABE (KP-ABE) [18] (in which the boolean formula is assigned to
the secret key) and Ciphertext-Policy ABE (CP-ABE) [6] (in which the boolean
formula is assigned to the encrypted data).
With the capability to provide fine-grained access control over encrypted
data, ABE is suitable for cloud storage applications. In 2010, Yu et al. proposed
a KP-ABE based access control scheme for cloud storage [43]. Works [25,42] have
also been done to enforce data access control with multi-authority cloud storage
systems. To further support search mechanism over encrypted data, Zheng et al.
[45] and Sun et al. [40] respectively proposed two ABE schemes that allow key-
word search. Most recently, Zhang et al. [44] leverages multiple cryptographic
primitives, including CP-ABE [6], Homomorphic Encryption [32], and Oblivious
Transfer [11] to construct an outsourced photo sharing and searching scheme.
All above schemes neglect the situation where the data owners, very likely,
need to access his/her own encrypted data. We are interested in practical solu-
tions for achieving the desirable self-extractability property.
3 Techniques Preliminaries
3.1 Syntax
We denote [a, b] as the set {a, a + 1, · · · , b} containing consecutive integers, and
[a] as shorthand for [1, a]. The cardinality of a set S is denoted by |S|. We write
R
s ← S to denote the action of choosing s from a uniform random distribution
R R
over the set S, and s1 , s2 , · · · , sn ← S with n ∈ N as shorthand for s1 ←
R
S, · · · , sn ← S. We use Zm×n
p to denote the m × n matrices with entries in Zp .
For a vector v (row vector or column vector), we denote by v i the i-th element
of the vector v.
3.2 Pseudo Random Functions

Our construction exploits a classical cryptographic primitive named pseudo ran-
dom function (PRF), which was introduced by Goldreich, Goldwasser and Micali
[17]. A PRF system consists of a keyed function PRF and a key space KP RF such
that for a randomly chosen key κ ∈ KP RF , the outputs of the function PRF(κ, χ)
for any given input χ ∈ {0, 1}∗ look like random numbers [22].
In practice, such PRF is efficient and easy to be implemented. A general
approach is to treat the key κ as the password, the given input χ as the salt, and
runs classical key derivation technique to produce the output. We recommend
following PKCS #5 Version 2.0 Scheme 1, PKCS #5 Version 2.0 Scheme 2, or
PKCS #12 Version 1.0 specifications (all of which are standardized in RFC 2898)
to implement such PRF.
3.3 Bilinear Groups
Our instantiation demonstrations for self-extractable encryption are based on

bilinear groups. Here we review its definition and requirements following the
notation of [13]. The bilinear groups can be defined by a group generator G
that takes the security parameter λ ∈ N as input and outputs a quad-tuple
(p, G, GT , e), in which G, GT are two cyclic groups of prime order p, and e is an
efficient map e : G × G → GT satisfying the following properties.
– Bilinearity: for all g, h ∈ G and a, b ∈ Zp , we have that e(g a , hb ) = e(g, h)ab .

– Non-degeneracy: there exists at least an element g ∈ G such that e(g, g) is a
generator for the group GT .
3.4 Access Structures and Linear Secret Sharing Schemes
We next review the formal definitions of access structures and linear secret shar-
ing schemes (LSSS), which will be used in our self-extractable ABE instantia-
tions. Here we follow the definition given by Beimel [5].
Definition 1 (Access Structure [5]). Consider a set of parties U. A collection

A ⊆ 2U is monotone if for all B, C, we have that if B ∈ A and B ⊆ C, then
C ∈ A. An access structure (monotone access structure) on U is a collection
(monotone collection) A ⊆ 2U \ {∅}. The sets in A are called the authorized sets,
and the sets not in A are called the unauthorized sets.
In most of previous works [6,18,25], the access structure is described with

a tree called access tree. Each non-leaf node of the access tree is a threshold
gate, while each leaf node is described by an attribute. One data user’s access
capability matches the access structure if there is a sub-tree containing the root
node such that all threshold gates in the sub-tree are satisfied. In recent ABE
schemes, the access structure is represented by linear secret sharing schemes
(LSSS) [33,37] that can be defined as follows.
Definition 2 (Linear Secret Sharing Schemes (LSSS) [5,33]). Let p be a prime

number and let U be a set of parties. Let M ∈ Zl×n p be an l × n matrix with
entries in Zp . Let ρ : [l] → U be a function that labels the row of M with parties
in U. A secret sharing scheme Π for access structure A over a set of parties U
is a linear secret sharing scheme (LSSS) in Zp if:
– The shares of a secret s ∈ Zp for each party comprise of a vector over Zp .

– For each access structure A, there exists an corresponding matrix M ∈ Zl×n p
and a function ρ : [l] → U to represent the access structure. One can compute
the shares of s by first constructing a column vector v = (s, r2 , · · · , rn ), where
R
r2 , · · · , rn ← Zp , and then outputting M · v ∈ Zl×1
p as the vector of l shares.
The share λi = (M v)i belongs to the party ρ(i), where (M v)i denotes the i-th
column element in M v.
8 Z. Liang et al.
Lewko and Waters [29] showed that any access structures represented as
boolean formulas can be efficiently converted to be an LSSS policy (M, ρ). Later,
Liu et al. [31] proposed an efficient LSSS matrix generation algorithm from
any threshold access trees. Therefore, access tree and LSSS are identical access
structure representations both in theory and in practice. In our self-extractable
ABE instantiations, we describe the access policy using LSSS.
4 System Overview
4.1 System Model for Cryptography-Based Cloud Storage
We follow the generic cryptography-based cloud storage system model [37,43].
The typical cloud storage system architecture is shown in Fig. 1. There mainly
exist four kinds of parties: Trusted Key Authority (TKA), Data Owner, Cloud
Storage Server, and Data User.
TKA is responsible for initializing the system and issuing/managing secret
keys for data users according to their access capabilities. Data owners share
their data to data users via the cloud storage server. To achieve privacy and
secrecy of the shared data, data owners encrypt the data with on-demand access
policies before uploading. Cloud storage server maintains well-encrypted data
and responses to retrieval requests from data users. Each data user requests the
secret key associated with its access capability from TKA, retrieves encrypted
data from the cloud storage server, and accesses the data that its access capa-
bility matches the access policies assigned to.
The basic cloud storage systems can be described using four procedures,
namely:
– Setup: performed by TKA to initialize the system.
– KeyGen: performed by TKA to generate secret keys with specified access
capabilities for data users.
– Encrypt: performed by data owners to encrypt data with on-demand access
policy.
– Access: performed by data users to access data with their secret keys.
The above system model captures basic functionalities for cryptography-
based cloud storage systems [37,43]. Such model can be further extended to
meet additional mechanisms and security requirements for specific application
scenarios, e.g., multi-authority, data user revocation, encrypted search.
Multi-authority [25,34,42]: The basic system architecture has only one single
TKA to distribute secret keys. This brings security and efficiency challenges.
On one hand, the single TKA has root access capability thus it is easily to be
the main target for malicious adversaries. On the other hand, the single TKA
would be difficult to maintain since there may be a large number of data users to
request their secret keys. It is recommended that the cloud should employ multi-
authorities to distribute secret keys [34]. The basic system architecture can cover
the multi-authority extension by replacing the single TKA with multiple TKAs.
Fig. 1. Typical cloud storage system architecture.
Data User Revocation [26,30]: The importance of user revocation have been
taken noticed in specific application scenarios, because data users’ access capa-
bilities may be changed frequently, or data users themselves may be active-
ly/passively leave the system. One can support user revocation mechanism by
introducing revocation-related procedures in the basic system architecture.
Encrypted Search [40,44,45]: Data encryption can provide data privacy and
secrecy protection, but hinder some useful functions such as searching over the
outsourced encrypted data. Researches have been devoted to enable cloud-based
data sharing and search as well as preserve data privacy and secrecy. The basic
system architecture can be improved to support encrypted search by employing
a search server in the cloud, while introducing search-related procedures.
In this paper, we focus on basic functionalities for cryptography-based cloud
storage systems. We only consider typical Setup, KeyGen, Encrypt, Decrypt pro-
cedures.
4.2 Abstract Access Policy Representation: Predicate
We introduce the notion “Predicate” to better describe access control mecha-

nisms in cryptography-based cloud storage systems. This notion is firstly intro-
duced in data encryption systems by Boneh and Waters [10] and formally defined
by Katz, Sahai and Waters [28]. Briefly speaking, a predicate is a function that
takes an access policy and an access capability as input, and output {0, 1}. We
say that data user’s access capability matches the access policy assigned to the
encrypted data if the predicate outputs 1, while access is rejected if the predi-
cate outputs 0. Clearly, predicate can describe access control satisfactions and
dissatisfactions in a general way.
We follow the definition described by Yamada et al. [41] to abstract such
access control mechanism as Predicate Encryption (PE). Let P : Σk × Σe →
{0, 1} be a predicate family, where Σk denote the “key attribute” space and Σe
denote the “data attribute” space. A cryptography-based cloud storage system
that represents data user’s access capability as Σk and access policy as Σe can
be formally defined with four algorithms Setup, KeyGen, Encrypt, Decrypt:
10 Z. Liang et al.
(pk, msk) ← Setup(λ). The setup algorithm represents the system setup proce-
dure performed by TKA. It takes the security parameter λ ∈ N as input, and
outputs a public key pk and a master secret key msk. The public key pk is
treated as the system parameter that is publicly known, while the master secret
key msk is kept secretly by TKA.
skx ← KeyGen(msk, x). The key generation algorithm represents the secret key
generation procedure performed by TKA. The algorithm takes the master secret
key msk and a key attribute x ∈ Σk as inputs, where the key attribute x
describes the access capability for the data user. The algorithm outputs a secret
key skx associated with the key attribute x if the data user is authorized by
TKA.
(hdry , k) ← Encrypt(pk, y). The encryption algorithm represents the data
encryption procedure run by data owners. It takes as inputs the public key
pk and a data attribute y ∈ Σe , where the data attribute y describes the access
policy assigned to the data. The algorithm outputs an encryption header hdry
associated with the data attribute y, and a symmetric session key k related to
the header hdry . The symmetric session key k will be used as the key for a
symmetric encryption scheme to encrypt data of arbitrary length, or be used to
enforce other data service mechanisms, e.g., encrypted search under searchable
symmetric encryption.
k ← Decrypt(pk, skx , hdry ). The decryption algorithm represents the data access
procedure run by data users. It takes as inputs the public key pk, the data user’s
secret key skx for the key attribute x, and a header hdry associated with the
data attribute y. It recovers the session key k encapsulated in the header hdry
if P (x, y) = 1, i.e., the access capability matches the access policy. It returns ⊥
if P (x, y) = 0, representing the access failure.
The correctness property requires that for a fixed predicate P , all λ ∈ N, all
(pk, msk) ← Setup(λ), all x ∈ Σk , all skx ← KeyGen(msk, x), all y ∈ Σe , all
(hdry , k) ← Encrypt(pk, y), the following two conditions should be satisfied at
the same time:
– If P (x, y) = 1, then k = Decrypt(pk, skx , hdry ).
– If P (x, y) = 0, then ⊥ = Decrypt(pk, skx , hdry ).
4.3 Refined System Model for Self-Extractable Encryption
Our design goal is to help data owners securely share their data with data users
under the existing model. In addition, we allow data owners to retrieve and
extract its own encrypted data from the cloud storage servers without requesting
any secret keys from TKA. To achieve this goal, we explicitly introduce the data
retrieve procedure that is performed by data owners in the original system model.
The refined typical system architecture is shown in Fig. 2.
Fig. 2. Self-Extractable Encryption Overview.
Formally, the self-extractable encryption (SEXE) that represents data user’s

access capability as Σk and access policy as Σe can be defined with six algo-
rithms: Setup, KeyGen, SelfKeyGen, Encrypt, Decrypt, SelfDecrypt. The system
setup algorithm Setup, the secret key generation algorithm KeyGen, and the data
decryption algorithm Decrypt are identical with that of in the original system,
while the other three algorithms are as follows.
ek ← SelfKeyGen(pk). The self key generation algorithm is run by each data
owner. The algorithm only takes the public key pk as input and outputs an
encryptor key ek, which must kept secret by that data owner.
(hdry , k) ← Encrypt(pk, ek, y). The data encryption algorithm is similar with
that of in the original system. The difference is that it additionally takes the
encryptor key ek as input. The algorithm also outputs a header hdry associated
with the ciphertext attribute y, and a symmetric session key k.
k ← SelfDecrypt(pk, ek, hdry ). The self decryption algorithm is run by each data
owner. It takes as inputs the public key pk, the encryptor key ek, and a header
hdry that was previously generated by itself when outsourcing the data. It recov-
ers the session key k encapsulated in the header hdry , or ⊥ representing the
access failure.
SEXE should satisfy the correctness property of the original system. Mean-
while, it should ensure that the data owner can correctly access its own encrypted
data. Formally, for all λ ∈ N, all (pk, msk) ← Setup(λ), all ek ← SelfKeyGen(pk),
and all (hdry , k) ← Encrypt(pk, ek , y),
– If ek = ek , then k = SelfDecrypt(pk, ek, hdry ).

– If ek = ek , then ⊥ = SelfDecrypt(pk, ek , hdry ).
4.4 Threat Model
As most existing literatures dealing with the privacy and secrecy in cloud stor-
ages [37,43], we assume that TKA is fully trusted. It honestly sets up the system
and securely issues secret keys to legal data users. It never reveals any private
12 Z. Liang et al.
information to non-entitled parties. All other parties, including data owner, data
user, and the cloud storage server, are honest but untrusted. They correctly exe-
cute the procedure they need, but may collude to get information that they
are not authorized to access. SEXE is said to be secure if no attacker without
suitable secret keys can obtain useful information from the encrypted data.
4.5 Design Goal
Our system is designed to achieve self-extractability, compatibility, and efficiency

goals.
– Self-Extractability. The data owners must correctly access their own

encrypted data that were previously uploaded to the cloud storage servers.
No local copy of the outsourced files in the clear is required for them, except
some meta-data of the file or file identifiers.
– Compatibility. Our self-extractable encryption should be compatible with
existing schemes. In the functionality aspect, all existing mechanisms sup-
ported by the underlying schemes should remain unchange. In the security
aspect, SEXE must be secure under the same threat model. In the imple-
mentation aspect, the self-extract mechanism can be invoked in a block-box
manner, thus easy for the system developers to deploy such functionality.
– Efficiency. In some specific application scenarios, some data owners, e.g.,
mobile clients, may only have limited computation and storage resources.
To make SEXE suitable for even such data owners, operations at the data
owner’s side should be light-weight.
5 Generic SEXE Construction
5.1 Basic Idea
We present a generic SEXE construction that can convert any cryptography-

based cloud storage system to have self-extractable property. We first give an
overview of our construction. Our basic idea is to parse the header of the underly-
ing encrypted data into two parts, i.e., plaintext-independent part and plaintext-
dependent part. In the encryption procedure, a data owner first generates the
plaintext-independent part in the original encryption procedure. Then the data
owner applies a pseudo random number generator to this part with a long-term
key to produce a session key. Finally, the data owner uses the session key to
encrypt the digital content. For decryption, data users can access the encrypted
data in a regular way, as in the original scheme. However, if necessary, the data
owner can also access its own encrypted data as follows. The data owner first
extracts the plaintext-independent part of the header. Then it applies the pseudo
random number generator to it and obtains the session key with its long-term
key. With the recovered session key, the data owner is able to correctly recover
the encrypted digital content.
5.2 Our Construction
Let Π be a secure encryption scheme applied in the cryptography-based cloud

storage system with algorithms Setup, KeyGen, Encrypt, Decrypt. The access
control mechanism of Π is described using a fixed predicate P : Σk ×Σe → {0, 1}.
Assume that the session key space is K. Let PRF : KP RF × {0, 1}∗ → YP RF be a
secure pseudo random function with the key space KP RF and the output space
YP RF . We can construct an SEXE Π for the same predicate P with the session
key space K = YP RF as follows.
(pk, msk) ← Setup(λ). TKA first runs (pk, msk) ← Setup(λ). Then, it employs
a secure symmetric encryption scheme SymE with the encryption algorithm
SymEnc and the decryption algorithm SymDec. TKA outputs the public key
pk = (pk, PRF, SymE). It secretly keeps the master secret key msk = msk.
skx ← KeyGen(msk, x). TKA simply calls sk x ← KeyGen(msk, x) and returns
the secret key skx = sk x for the authorized data user who requests its secret key
with a key attribute x ∈ Σk .
R
ek ← SelfKeyGen(pk). Each data owner simply picks a random PRF key ek ←
KP RF from the PRF key space KP RF as the encryptor key. Note that this
procedure only involves picking random elements, thus efficient even for resource-
limited data owners.
(hdry , k) ← Encrypt(pk, ek, y). When a data owner wants to share its data
via cloud, it encapsulates a session key k in the header under the required
data attribute y, and encrypts the data using a secure encryption scheme
with k. To generate the header and the session key, the data owner first calls
(hdry , k) ← Encrypt(pk, y). Then, it computes the session key by invoking
k ← PRF(ek, hdr y ). Next, the data owner symmetrically encrypts the session
key k using k, i.e., hdrk ← SymEnc(k, k). The header associated with the data
attribute y and the encryptor key ek is hdry = (hdry , hdrk ).
k ← Decrypt(pk, skx , hdry ). If P (x, y) = 0, the key attribute x does not satisfy
the predicate P for the data attribute y. In this case, the decryption algorithm
outputs ⊥. Otherwise, the secret key skx = sk x can be used to recover the
session key from the header hdry = (hdry , hdrk ). To do this, the data user runs
k ← Decrypt(pk, sk x , hdr y ) and gets the key k. Then, it recovers the session key
by running k ← SymDec(k, hdrk ).
k ← SelfDecrypt(pk, ek, hdry ). If the encrypted data is not generated by the
data owner with the encryptor key ek, the self decryption algorithm outputs ⊥.
Otherwise, the data owner can use its encryptor key ek to recover the session
key k from hdry = (hdry , hdrk ) by calling k ← PRF(ek, hdry ).
Our generic SEXE construction satisfies self-extractability, compatibility, and
efficiency design goals.
Self-Extractability. If the data is correctly encrypted, the data owner can also
use its encryptor key ek to run k ← PRF(ek, hdr y ) and correctly recovers the
14 Z. Liang et al.
session key. With the session key k, the data owner can further symmetrically
decrypt the data content, or enforce other data service mechanisms by its own.
In this way, we achieve self-extractability property in the SEXE construction.
Compatibility. Our generic SEXE construction is based on the existing
schemes. Original algorithms involved in the existing schemes, i.e., Setup, Key-
Gen, Encrypt, Decrypt, are essentially the same, except some additional minor
operations for generating/recovering session keys. All existing mechanisms sup-
ported by the underlying schemes remain unchange. Specifically, if the key
attribute x for the secret key skx and the data attribute y for the header hdry =
(hdry , hdrk ) satisfy P (x, y) = 1, then the original encryption system ensures
that the key k can be correctly recovered by running k ← Decrypt(pk, sk x , hdry ).
Therefore, the data user can recover the session key k = SymDec(k, hdrk ), where
hdrk ← SymEnc(k, k).
The security of the original encryption system ensures that data users without
necessary access capabilities cannot reveal any useful information from hdry . The
security of the symmetric encryption scheme also ensures that hdrk does not leak
useful information about the session key k if k cannot be correctly recovered from
hdry . Formally, we have the following theorem.
Theorem 1. Suppose advanced encryption scheme Π used in the cryptography-

based cloud storage system with access control mechanism described by the pred-
icate P is secure, the pseudo random function PRF is secure, and the employed
symmetric encryption scheme SymE is secure. Then following our generic con-
struction, the resulting SEXE scheme for the same predicate P is also secure.
The detailed security analysis is shown in Sect. 7.

Performance. Our generic SEXE construction is efficient since only operations
for calling pseudo random function PRF and symmetric encryption scheme SymE
are additionally required in our proposal. Precisely, operations for algorithms
Setup and KeyGen are identical with the underlying encryption system. Encrypt
invokes operations for running PRF and SymEnc(k, k), while Decrypt invokes one
more operation SymDec(k, hdrk ). The newly required algorithms SelfKeyGen and
SelfDecrypt also only involve operations related to PRF. All the added operations
are rather efficient.
6 SEXE Instantiations
We now give several instantiations to explicitly show how our generic SEXE
construction applies in existing systems. We begin by leveraging our construction
into the Boneh-Franklin IBE [8], which is the basic encryption primitive for many
cloud-aided communication and storage systems [12,19]. Then, we turn into Key-
Policy and Ciphertext-Policy ABE proposed by Rouselakis-Waters [33] that have
been deployed in recent cloud storage systems [37,44]. The instantiations imply
that our generic transformation is easy to be applied into existing systems for
obtaining the corresponding SEXE variations.
6.1 Self-Extractable IBE
We first apply our SEXE transformation into IBE settings to obtain self-
extractable IBE (SEXIBE). In IBE, encrypted data and secret keys are asso-
ciated with arbitrary strings and the secret key can be used to decrypt if and
only if the associated strings are equal. To achieve this functionality, we set the
key attribute space and the data attribute space to be Σk = Σe = {0, 1}∗ . The
predicate is defined as P (x, y) = 1 if x = y.
The underlying IBE scheme we choose is the Boneh-Franklin IBE [8], which
is the first practical and fully secure IBE scheme that has been widely used in
advanced cloud-aided communication and storage systems [12,19]. The SEXIBE
construction is described as follows.
(pk, msk) ← Setup(λ). The setup algorithm generates bilinear groups by running
R
(p, G, GT , e) ← G(λ). Then, it picks a random generator g ← G, a random
R
exponent s ← Zp , and sets gs = g s . Next, the algorithm employs a cryptographic
hash function H : {0, 1}∗ → G, a secure pseudo random function PRF : KP RF ×
{0, 1}∗ → YP RF , and a secure symmetric encryption scheme SymE with the
encryption algorithm SymEnc and the decryption algorithm SymDec. The public
key pk and the master secret key are
pk = (g, gs , H, PRF, SymEnc) msk = (s)
skI ← KeyGen(msk, I). The secret key skI for an identity I ∈ Zp is H(ID)s .
R
ek ← SelfKeyGen(pk). The algorithm simply returns a random element ek ←
KP RF as the encryptor key.
(hdrI , k) ← Encrypt(pk, ek, I). To encapsulate a session key using an identity
I ∈ Zp and an encryptor key ek, the encryption algorithm generates a random
R
exponent r ← Zp and outputs the header
hdrI = (U, hdrk ) = (g r , hdrk )

= (g r , SymEnc(e(H(ID), g s )r , k)))
where k ← PRF(ek, U ).
k ← Decrypt(pk, skI , hdrI ). To recover the session key from hdrI = (U, hdrk )
using the secret key skI , the decryption algorithm outputs
k ← SymDec (e(skI , U ), hdrk )
k ← SelfDecrypt(pk, ek, hdrI ). To recover the session key from hdrI = (U, hdrk )
generated by the data owner with the encryptor key ek, the self decryption
algorithm outputs
k ← PRF(ek, U )
16 Z. Liang et al.
Correctness. It is easy to verify that the data owner can correctly recover the
session key by running SelfDecrypt since k ← PRF(ek, U ) is exactly the algorithm
for generating k. Also, the data user who has the secret key skI can correctly
recover the session key encapsulated in hdrI since
e(skI , U ) = e(H(ID)s , g r ) = e(H(ID), g s )r
Therefore,
SymDec (e(skI , U ), hdrk )

= SymDec (e(H(ID)s , g r ), hdrk )
r r
= SymDec (e(H(ID), g s ) , SymEnc(e(H(ID), g s ) , k))
=k
Security. Boneh and Franklin proved that their IBE scheme is fully secure [8].
Abdalla et al. further showed that the the encrypted data in the Boneh-Franklin
IBE even does not leak identity information for the potential data receiver [1].
Due to this favorable property (formally called anonymity property), the Boneh-
Franklin IBE can be transformed as asymmetric searchable encryption scheme
to offer encrypted data keyword search mechanism [7]. Following Theorem 1, we
claim that our SEXIBE construction based on the Boneh-Franklin IBE is also
fully secure and anonymous.
6.2 Self-Extractable ABE
We next demonstrate how to obtain self-extractable ABE (SEXABE) from exist-

ing ABE. ABE allows to share data according to fine-grained access policies.
ABE is classified into Key-Policy ABE (KP-ABE) [18] and Ciphertext-Policy
ABE (CP-ABE) [6]. Here we roughly describe how we define the predicate P to
capture these two kinds of ABE settings.
In KP-ABE, the data owner encrypts the data for a set of attributes S so that
users with secret keys for access structure A such that S ∈ A can decrypt. To
capture this functionality, we set U as an attribute universe. The key attribute
space Σk is the collection of access structures over U that can be described by
LSSS matrix with bounded polynomial size. The data attribute space is Σe = 2U .
We define the predicate as P (A, S) = 1 if and only if A ∈ Σk accepts S ∈ Σe .
In contrast, the CP-ABE encrypted data is associated with a set of attributes
S and the secret key is assigned to an access structure A. The secret key can be
used to decrypt the data if and only if S ∈ A. Similar to KP-ABE, to achieve
this functionality we set U be an attribute universe. The key attribute space is
Σk = 2U and the data attribute space Σk is the collection of access structures
over U described by LSSS matrix with bounded polynomial size. The predicate
is defined as P (S, A) = 1 if and only if A ∈ Σe accepts S ∈ Σk .
Our underlying schemes are the Rouselakis-Waters KP-ABE and CP-ABE
[33]. Both schemes support exponential number of attributes, achieve selective
security, and are equipped with desired properties, e.g., efficient pre-computation
[23], proxy re-encryption [37]. Here we show the detailed self-extractable CP-
ABE (SEX-CP-ABE) construction based on the Rouselakis-Waters CP-ABE.
The self-extractable KP-ABE (SEX-KP-ABE) can be obtained in a similar
way [33].
(pk, msk) ← Setup(λ). The setup algorithm calls the group generator G(λ) and
gets the descriptions of the bilinear groups (p, G, GT , e). Then, a secure pseudo
random function PRG : KP RF ×{0, 1}∗ → YP RF and a secure symmetric encryp-
tion scheme SymE with algorithms SymEnc and SymDec are employed in the sys-
R
tem. The setup algorithm picks random elements g, u, h, w, v ← G and a random
R
exponent α ← Zp . It outputs the public key pk and the master secret key msk
as
pk = (g, u, h, w, v, e(g, g)α , PRF, SymEnc) msk = (α)
skS ← KeyGen(msk, S). Given a set of attributes S = {A1 , A2 , · · · , Aτ } where

Ai ∈ Zp for i ∈ [τ ], the key generation algorithms picks τ + 1 random exponents
R
r, r1 , r2 , · · · , rτ ← Zp . Then, it computes K0 = g α wr , K1 = g r , and for every
i ∈ [τ ], ri
Ki,2 = g ri , Ki,3 = uAi h · v −r
The secret key associated with the set of attributes S is skS =
(K0 , K1 , {Ki,2 , Ki,3 }i∈τ ).
ek ← SelfKeyGen(pp). The self key generation algorithm simply returns a random
R
ek ← KP RF .
(hdrA , k) ← Encrypt(pk, ek, A). The encryption algorithm encapsulates a session
key for the given access structure A encoded by the LSSS policy (M, ρ) as follows.
R
It picks random exponents s, y2 , · · · , yn ← Zp and constructs the vector y =
(s, y2 , · · · , yn ). The vector of the shares is computed as λ = (λ1 , · · · , λl )T = M y.
R
It then picks l random exponents t1 , · · · , tl ← Zp and calculates C0 = g s , and
for every j ∈ [l],
−tj
Cj,1 = wλj v tj , Cj,2 = uρ(j) h , Cj,3 = g tj
The algorithm next generates the session key k ← PRF(ek, C0 C1,1 C1,2
C1,3 · · · Cl,1 Cl,2 Cl,3 ), and calculates hdrk = SymEnc(e(g, g)αs , k). The
header output is
hdrA = (C0 , {Cj,1 , Cj,2 , Cj,3 }j∈[l] , hdrk )
k ← Decrypt(pk, skS , hdrA ). The decryption algorithm first calculates the set
of row in M that provides a valid share to attributes in S, i.e., it collects the
set I = {i : ρ(i) ∈ S}. Then, it computes the constants {ωi }i∈I such that
Another random document with
no related content on Scribd:
centre of Russia, and on the other to the new northern through
route, which, via Kotlass and Archangel, is this year to bring
the cereals of Siberia to London."
Great Britain, Parliamentary Publications

(Papers by Command: Miscellaneous Series No. 533,
1900, pages 5-7).
"It may be a wild idea, but Russian engineers are actually

talking of a railroad from Stryetensk to Bering Strait, over a
comparatively easy route that does not enter the Arctic
Circle. This imaginary line, they hope, would connect with the
American line which is now being built to Dawson City, the
distance from which to Stryetensk is about three thousand
miles. If this road ever is completed they figure that New
York will be placed in railroad connection with London,
Calcutta and Cape Town."
A. H. Ford,
The Warfare of Railways in Asia
(Century, March, 1900).
"Siberia and the Amur lands are rich beyond belief. … This
vast territory, long looked upon as a barren waste, is
destined to be one of the world's richest and most productive
sections. In northern France, wheat ripens in 137 days; in
Siberia, in 107. Even heavy night frosts do not injure the
young seed. Under such conditions, the possibilities of
agriculture are practically unlimited. I may add that oats
require, in Siberia and in the Amur country, only 96 days, and
in the regions of the Yenisei only 107. The frost period lasts
only 97 days in the Irkutsk country. Transbaikalia lies
entirely within the agricultural regions; so, too, almost the
entire territory traversed by the Amur as far north as it
runs. Efforts are being made to obtain along the Amur at least
300,000 square kilometers (115,835 square miles) for the
higher forms of northern agriculture. Climatically, the best
of northern Asia's territory, for planting purposes, is the
Usuri country, which, in spite of its vast tracts of wood and
grazing lands, has 195,000 square kilometers (75,292 square
miles) of arable ground. The building of the Trans-Siberian
Railroad has already added to the Empire's wheat product.
"The mineral resources of western Siberia are vast. Between

Tomsk and Kooznesk lie 60,000 square kilometers (23,167 square
miles) of coal lands which have never been touched. The coal
is said to be excellent. In eastern Siberia, with its 280,000
square kilometers (108,112 square miles) of fruitful soil,
there are 400 places yielding gold. Rich mineral
deposits—graphite, lapis lazuli; iron mines, particularly rich
in quality (as high as 60 per cent); hard and soft coals, i.
e., black and brown coals—await hands willing to work for
them. To-day, thousands of colonists are hurrying to these
promising lands. Russia's output in gold and silver is already
very large, and is constantly increasing.
"The industries of Siberia are in their infancy; still, they

are growing and are bound to grow, so rich are the rewards
promised. Chemical, sugar, and paper mills have been put up in
several places and are paying well. Even Manchuria, a province so
vast that it might make an empire, is looking to Russia for
its future development. The wealth of this province, like that
of Siberia and all eastern Russia, is ripe for harvesting. The
traffic in Siberia and eastern Russia is increasing faster
than even the advocates of the great Trans-Siberian road
anticipated. The Ob, one of the world's big rivers, emptying
through the Gulf of Ob into the Arctic Ocean, has 102 steamers
and 200 tugs running already. On the Yenisei, 10 steamers
carry the mails regularly. The mouths of both these rivers
were visited last summer by English and Russian ships. This
proves the practicability of connecting eastern and western
Siberia with Europe by water."
United States Consular Reports,

November, 1899, page 411.
An official publication of the year 1900 from St. Petersburg,

furnished to American journals by the Russian embassy at
Washington, is the source of the following statements relative
to the rapid development of the vast Siberian country along
the line of the great railway:
"When viewed with reference to colonization Siberia divides

itself naturally into two zones, extending east and west, and
differing essentially from one another. The first of these
embraces the region traversed by the new Siberian railway, the
more populous southern portion of Siberia, in which the
conditions of climate and soil are favorable to the
development of agriculture and colonization. The other zone
occupies the extensive, deserted northern region, the land of
tundras, or polar marshes, with a constantly frozen subsoil
and a severe climate, a dreary tract of land totally unfit for
agriculture. Between these two zones stretches a broad belt of
forests of tall trees, partly primeval pine and fir, partly
leafy trees. The wealth of these broad agricultural and timber
areas is, moreover, augmented by mineral deposits of every
conceivable nature, as abundant and diversified as those of
America, and into this whole region immigration is pouring in
volume unequalled except in the history of American
colonization. Ever since the serfs were emancipated in 1861
they have formed the bulk of the emigrants from the thickly
populated agricultural districts of European Russia, but the
great tide of settlers in the new territory is only now
assuming tremendous proportions. During the twenty years'
period of 1860 to 1880 about 110,000 persons emigrated to
Siberia, while for the thirteen years from 1880 to 1892 there
were over 440,000, and for the succeeding years since the
great railway has been building the number of immigrants of
both sexes has been as follows:
1893, 65,000;
1894, 76,000;
1895, 109,000;
1896, 203,000;
1897, 87,000;
1898, 206,000;
1899, 225,000.
Total, 971,000.
According to the census of 1897, the population of Siberia had

risen to 8,188,368 inhabitants, of which the Russian peasantry
formed over 25 per cent."
RUSSIA IN ASIA: A. D. 1899 (May).

Steps toward the abolition of transportation.
See (in this volume)

RUSSIA: A. D. 1899 (MAY).
{430}
RUSSIA IN ASIA: A. D. 1900.

Russian railway building and railway projects in
Persia and Afghanistan.
By several writers who seem to have knowledge of what is doing

in those parts of the eastern world, it was reported in the
spring of 1900 that an active projection, planning, and
building (to some extent) of railroads in Persia and
Afghanistan was on foot among the Russians. From Tiflis, it
was said, their plans contemplated a line of rail to Teheran;
thence to be extended by one branch, southward, via Ispahan,
to the Persian Gulf, and by another branch westward to Herat,
in Afghanistan. From their Central Asian acquisitions they had
advanced their railway to within 70 miles of Herat, and were
said to be confidently expecting to push it on, through
Kandahar and through Baluchistan, to the Arabian Sea. If these
extensive plans could be carried out, and if Russian influence
in Persia, said to be growing fast, should become actually
controlling, the Muscovite Power would have made an enormous
gain, by planting itself on the shores of the Indian Ocean.
How far Russia can continue to press forward in this line of
policy without collision with Great Britain and with
Germany—which seems to have aims in the same direction,
through Asiatic Turkey—is an interesting question for the
future.
The following is from a despatch to the "London Times" from

its correspondent at Vienna, February 24, 1901:
"According to trustworthy information from Teheran, Russia is

particularly active just now in Persia and the Persian Gulf. …
The road from Resht to Teheran, which has been built by a
Russian company, is of no value for European trade in the
absence of an agreement with Russia respecting the transit
traffic through that country. European commerce is dependent
upon the long and expensive caravan routes via Trebizond,
Bushire, Baghdad, Mochamera,&c. These occupy from four to six
months."
RUSSO-CHINESE BANK, Concessions to the.

CHINA: A. D. 1898 (FEBRUARY-DECEMBER).
S.
SAGASTA, Señor Praxedes Mateo:

Resignation from Spanish Ministry.

SPAIN: A. D. 1895-1896.

Return to power.

SPAIN: A. D. 1897 (AUGUST-OCTOBER).

Resignation.

SPAIN: A. D. 1899.
SAGHALIEN.

SAKHALIN.
SAHARA, The: French possessions.

NIGERIA: A. D. 1882-1899.
ST. KITTS: Industrial condition.

WEST INDIES, THE BRITISH: A. D. 1897.
ST. LOUIS: A. D. 1896.

Republican National Convention.

UNITED STATES OF AMERICA: A. D. 1896 (JUNE-NOVEMBER).
ST. VINCENT, The British colony of.

WEST INDIES, THE BRITISH: A. D. 1897.
SAKHALIN.
"Of late years … its increasing importance as a place of exile

for Russian political and criminal offenders has invested
Sakhalin with a certain interest, derived, perhaps, more from
penal associations than physical resources, which latter may,
when fully developed, materially affect trade and commerce in
the far East. The island of Sakhalin is 584 miles in length,
its breadth varying from 18 to 94 miles. The southern
extremity is separated from the island of Yezo, twenty miles
distant, by the Straits of La Perouse, and its western coast
by the shallow Gulf of Tartary (at one point barely five miles
across) from the mainland of Siberia. Although Dutch explorers
are said to have landed here in 1643, the first reliable
survey of the island was probably obtained in the year 1787 by
La Perouse. Russian fur traders followed in the early part of
the present century, but it was only in 1853 that,
disturbances having occurred with the natives, a score or so
of Cossacks were stationed at Dui on the west coast. In 1867
negotiations were entered into by the Russian and Japanese
Governments for joint occupation of Sakhalin, but the
subsequent discovery of coal, and consequent influx of Russian
convicts, rendered this arrangement highly unsatisfactory.
Further negotiations, therefore, ensued, with the result that,
in 1875, the island was formally ceded to Russia, Japan
receiving, in exchange, the entire Kurile Archipelago.
"Sakhalin is by no means easy of access. Even during the open

season (from May to September) but very few vessels visit the
island, and, with the exception of the monthly arrival of
convict-ships from Europe, and a couple of small Russian trading
steamers, there is no fixed service with Vladivostok, which, with
the exception of Nikolaefsk, is the only Siberian port whence
Sakhalin may, in three days, be reached. During the winter months
the island is completely ice-bound and unapproachable by water.
Communication with the mainland is then maintained by means of
dog-sledges, and the mails for Europe are dispatched across
the frozen Gulf of Tartary—a journey, under favourable
circumstances, of about three months. …
"Sakhalin is, for administrative purposes, divided into three

districts, viz.: Korsakovsky-Post in the south, Tymovsk in the
north, and Alexandrovsky-Post on the western coast. The
latter, which is situated in the centre of the coal district,
is a picturesque, straggling town of about 7,000 inhabitants,
consisting almost entirely of officials and convicts. This is
the most important penal settlement on the island, contains
the largest prison, and is, moreover, the residence of the
Governor of Sakhalin, a subordinate of the Governor-General of
Eastern Siberia. Alexandrovsky is garrisoned by about 1,500
men, and contains large foundries and workshops for convict
labour, but most of the prisoners are employed in the adjacent
coal mines of Dui. … Korsakovsky-Post, on the south coast, is
the next largest settlement, containing about 5,000 convicts
who are chiefly employed in agricultural pursuits. Although it
may seem a paradox, the remaining prisons in the interior of
the island, Derbynskaya, Rykovskaya, and Onor are not prisons
at all, but huge wooden barracks, innocent of bolts and bars.
Here, also, the work done is solely agricultural."
Harry de Windt,
The Island of Sakhalin
(Fortnightly Review, May, 1897).
SALISBURY, Lord Robert Cecil, Marquis of:

Third Ministry.

ENGLAND: A. D. 1894-1895.
{431}

Correspondence with the Government of the United States
on the Venezuela boundary question.

VENEZUELA: A. D. 1895 (JULY) and (NOVEMBER).

Fourth Ministry.

ENGLAND: A. D. 1900 (NOVEMBER-DECEMBER).

Tribute to Queen Victoria.

ENGLAND: A. D. 1901 (JANUARY).
SALISBURY PLAIN: Purchase by Government.

ENGLAND: A. D. 1897 (FEBRUARY).
SALVADOR.

CENTRAL AMERICA.
SALVATION ARMY, The:

Secession of the American Volunteers.
Late account of the Army's work.
Much feeling in the American branch of the Salvation Army, and

among those who valued its work, was caused in January, 1896,
by an order from the London headquarters of the Army recalling
Mr. Ballington Booth, who had been its American Commander for
nine years. Commander Booth and Mrs. Booth had been remarkably
successful in their organization and direction of the
Salvation Army work, and had won a high place in the esteem,
not only of their own followers, but of the American public at
large. A wide and strong movement of protest against their
removal from the field failed to change the London order,
which was said to be made in obedience to a necessary rule of
the Army against long service in any one post. Miss Eva Booth,
representing her father, General Booth, with Colonel Nicol, from
London, and Commandant Herbert Booth, from Canada, came to New
York as mediators, endeavoring to heal a threatened breach in
the ranks; but their mission failed. Commander Ballington
Booth resigned his office, and withdrew from the Salvation
Army service, declining to return to London. After a time, he
and Mrs. Booth became the heads of a new organization called
the "Volunteers of America," for religious work, not in
rivalry with that of the Salvation Army, but directed more
towards the awakening of the interest of the working people,
Mr. Ballington Booth was succeeded as Commander in America by
a son-in-law of General Booth, Commissioner Frederick St.
Clair Tucker. —For an account of the origin and growth of the
Salvation Army see, under that heading, in the Supplement
(volume 5) of the original edition of this work, or in volume
4 of the revised edition.
Of results accomplished in that part of the work of the

Salvation Army known as the "Darkest England Scheme," General
Booth wrote, early in 1900, an extended account in the "Sunday
Strand." He stated that the public had subscribed altogether
for his scheme about $1,300,000. "It is a debated point," he
wrote, "with the intelligent admirers of the scheme and the
careful observers of its progress whether the benefits
bestowed on the wretched classes for whom it was originated
have been greater within than without our borders. The
copyists of our plan have been legion, both at home and
abroad, in church and state. The representatives of the
different governments specially charged with the
responsibility for the outcast classes have been gradually
coming to appreciate the principles and methods involved in
the scheme, and to show willingness to cooperate in giving it
a chance. They have done this in two ways:
(1) In attempting similar tasks themselves;

(2) in using and subsidizing the army for doing the work for
them.
Many governments make grants to our various institutions in

varying amounts toward the cost of dealing with different
classes of the submerged."
The following is a summary of the agencies which have been set

at work by the general: "We have now 158 shelters and food
depots for homeless men and women, 121 slum posts, each with
its own slum sisters, 37 labor bureaus, (10 labor factories
for the unemployed, 11 land colonies, 91 rescue homes for
women, 11 labor homes for ex-criminals, several nursing
institutions, 2 maternity hospitals for deserted women, an
institution with branches in forty-five countries and colonies
for finding lost and missing persons, together with a host of
allied and minor agencies which I am not able here to
enumerate. The total number of institutions named above is now
545, under the care of more than 2,000 trained officers and
others wholly employed, all working in harmony with the
principles I have laid down for helping the poorest and most
unfortunate of their fellows, and all more or less experts at
their work.
"Nearly 20,000 destitute men and women are in some way or

other touched by the operations of the scheme every day. No
less than 15,000 wretched and otherwise homeless people are
housed under our roofs every night, having their needs met, at
least in part, with sympathy and prayer and the opportunity
for friendly counsel. More than 300 ex-criminals are to-day in
our houses of reformation, having before them another chance
for this life, and in many cases the first they have ever had
for preparing for the life to come. More than 5,000 women
taken from lives of darkness and shame are safely sheltered in
our homes each year, on the way—as we have abundantly proved
in the case of others, in respect of a large proportion of
them—to a future of virtue, goodness, and religion. Over 1,000
men are employed on the land colonies. Many of them are working
out their own deliverance, and at the same time helping to
solve one of the most difficult problems of modern times, and
proving that many of the helpless loafers of the great cities
can be made useful producers on the soil. Over the gates of
every one of these homes, elevators, labor factories, and
colonies there might be written: 'No man or woman need starve,
or beg, or pauperize, or steal, or commit suicide. If willing
to work, apply within. Here there is hope for all.'" General
Booth adds that he has always 2,000 women in the rescue homes
of the army.
SAMOAN ISLANDS, The:

Ending of the joint control of the Islands by Germany,
England and the United States.
Partition between Germany and the United States.
Retirement of England.
Said President Cleveland, in his annual Message to the

Congress of the United States, December 4, 1893: "Led by a
desire to compose differences and contribute to the
restoration of order in Samoa, which for some years previous
had been the scene of conflicting foreign pretensions and
native strife, the United States, departing from its policy
consecrated by a century of observance, entered [in 1889] …
into the, treaty of Berlin [see, in volume 4, SAMOA], thereby
becoming jointly bound with England and Germany to establish
and maintain Malietoa Laupepa as King of Samoa.
{432}
The treaty provided for a foreign court of justice; a
municipal council for the district of Apia, with a foreign
president thereof, authorized to advise the King; a tribunal
for the settlement of native and foreign land titles, and a
revenue system for the Kingdom. It entailed upon the three
powers that part of the cost of the new Government not met by
the revenue of the islands. Early in the life of this triple
protectorate the native dissensions it was designed to quell
revived. Rivals defied the authority of the new King, refusing
to pay taxes and demanding the election of a ruler by native
suffrage. Mataafa, an aspirant to the throne, and a large
number of his native adherents were in open rebellion on one
of the islands. Quite lately, at the request of the other
powers and in fulfillment of its treaty obligation, this
Government agreed to unite in a joint military movement of
such dimensions as would probably secure the surrender of the
insurgents without bloodshed. The war ship Philadelphia was
accordingly put under orders for Samoa, but before she arrived
the threatened conflict was precipitated by King Malietoa's
attack upon the insurgent camp. Mataafa was defeated and a
number of his men killed. The British and German naval vessels
present subsequently secured the surrender of Mataafa and his
adherents. The defeated chief and ten of his principal
supporters were deported to a German island of the Marshall
group, where they are held as prisoners under the joint
responsibility and cost of the three powers. This incident and
the events leading up to it signally illustrate the impolicy
of entangling alliances with foreign powers."
United States, Message and Documents

(Abridgment), 1893-1894.
In his next annual Message, December 3, 1894, the President

thus summarized the later situation in the islands: "The
suppression of the Mataafa insurrection by the powers and the
subsequent banishment of the leader and eleven other chiefs,
as recited in my last message, did not bring lasting peace to
the islands. Formidable uprisings continued, and finally a
rebellion broke out in the capital island, Upolu, headed in
Aana, the western district, by the younger Tamasese, and in
Atua, the eastern district, by other leaders. The insurgents
ravaged the country and fought the Government's troops up to
the very doors of Apia. The King again appealed to the powers
for help, and the combined British and German naval forces
reduced the Atuans to apparent subjection, not, however,
without considerable loss to the natives. A few days later
Tamasese and his adherents, fearing the ships and the marines,
professed submission. Reports received from our agents at Apia
do not justify the belief that the peace thus brought about
will be of long duration. It is their conviction that the
natives are at heart hostile to the present Government, that
such of them as profess loyalty to it do so from fear of the
powers, and that it would speedily go to pieces if the war
ships were withdrawn. … The present Government has utterly
failed to correct, if indeed it has not aggravated, the very
evils it was intended to prevent. It has not stimulated our
commerce with the islands. Our participation in its
establishment against the wishes of the natives was in plain
defiance of the conservative teachings and warnings of the
wise and patriotic men who laid the foundations of our free
institutions, and I invite an expression of the judgment of
Congress on the propriety of steps being taken by this
Government looking to the withdrawal from its engagements with
the other powers on some reasonable terms not prejudicial to
any of our existing rights."
United States, Message and Documents

(Abridgment, 1894-1895).
In the Message of 1895 the subject was again pressed on the

attention of Congress without result.
In August, 1898, Malietoa Laupepa died. By the Berlin Treaty

of 1889 "it was provided that in case any question should
arise in Samoa, respecting the rightful election of King, or
of any other Chief claiming authority over the islands, or
respecting the validity of the powers which the King or any
Chief might claim in the exercise of his office, such question
should not lead to war, but should be presented for decision
to the Chief Justice of Samoa, who should decide it in
writing, conformably to the provisions of the Act, and to the
laws and customs of Samoa not in conflict therewith, and that
the Signatory Governments would accept and abide by such
decision. After the death of Malietoa an exchange of views
took place between the Powers, and it was agreed that there
should be no interference with the right of the Samoans to
elect a King, and that the election should proceed strictly in
accordance with the provisions of the Final Act. Some time
elapsed before any action was taken, pending the completion of
certain ceremonial usages customary in Samoa on the death of a
High Chief. … As soon as the funeral ceremonies were at an end,
deliberation and discussion among the Chiefs ensued. There
were in the first instance several candidates for the
succession. Their number was eventually reduced to two:
1. Malietoa Tanu, the son of the late King.

2. The High Chief Mataafa.
This Chief had been in rebellion against Malietoa Laupepa, but

had suffered defeat, and with other Chiefs had been deported,
by agreement between the three Powers, to the Marshall
Islands. On the recommendation of the Consular officers at
Apia, the Powers, in July 1898, consented to his return. … On
the 19th September, Mataafa and the other exiled Chiefs landed
in Samoa. It does not appear that he took any overt steps to
claim the vacant throne, but a section of the natives
pronounced in his favour and announced on the 12th November to
the Consuls and to the Chief Justice that he had been duly
elected King. On the 13th November the opposing faction
declared that the real election of a King had not taken place,
and on the following day announced that their choice had
fallen upon Malietoa Tanu. Both parties appealed to Mr.
Chambers, the Chief Justice, who considered himself then in a
position to take cognisance of the matter, according to the
provisions of the Final Act, a question having arisen 'in
Samoa respecting the rightful election or appointment of
King.'"
Great Britain, Parliamentary Publications

(Papers by Command: Samoa, Number 1, 1899).
The decision of the Chief Justice was in favor of Malietoa

Tanu, and the adherents of Mataafa took up arms, defeating
those of the favored candidate and driving many of them to
take refuge on British and German ships of war. Subsequent
events were related by the President of the United States in
his Message to Congress, December 5, 1899, as follows: "In
this emergency a joint commission of representatives of the
United States, Germany, and Great Britain was sent to Samoa to
investigate the situation and provide a temporary remedy.
{433}
By its active efforts a peaceful solution was reached for the
time being, the kingship being abolished and a provisional
government established. Recommendations unanimously made by
the commission for a permanent adjustment of the Samoan
question were taken under consideration by the three powers
parties to the General Act. But the more they were examined
the more evident it became that a radical change was necessary
in the relations of the powers to Samoa. The inconveniences
and possible perils of the tripartite scheme of supervision
and control in the Samoan group by powers having little
interest in common in that quarter beyond commercial rivalry
had been once more emphasized by the recent events. The
suggested remedy of the Joint Commission, like the scheme it
aimed to replace, amounted to what has been styled a
'tridominium,' being the exercise of the functions of
sovereignty by an unanimous agreement of three powers. The
situation had become far more intricate and embarrassing from
every point of view than it was when my predecessor, in 1894,
summed up its perplexities and condemned the participation in
it of the United States. The arrangement under which Samoa was
administered had proved impracticable and unacceptable to all
the powers concerned. To withdraw from the agreement and
abandon the islands to Germany and Great Britain would not be
compatible with our interests in the archipelago. To
relinquish our rights in the harbor of Pago Pago, the best
anchorage in the Pacific, the occupancy of which had been
leased to the United States in 1878 by the first foreign
treaty ever concluded by Samoa, was not to be thought of
either as regards the needs of our Navy or the interests of
our growing commerce with the East. We could not have
considered any proposition for the abrogation of the
tripartite control which did not confirm us in all our rights
and safeguard all our national interests in the islands. Our
views commended themselves to the other powers. A satisfactory
arrangement was concluded between the Governments of Germany
and of England, by virtue of which England retired from Samoa
in view of compensations in other directions, and both powers
renounced in favor of the United States all their rights and
claims over and in respect to that portion of the group lying
to the east of the one hundred and seventy-first degree of
west longitude, embracing the islands of Tutuila, Ofoo,
Olosenga, and Manua."
United States, Message and Documents (Abridgment),

1899-1900, volume 1.
The compensations to England "in other directions" were given

by Germany, in the following provisions of a treaty signed at
London, November 14, 1899:
"ARTICLE II.
Germany renounces in favour of Great Britain all her rights
over the Tonga Islands, including Vavau, and over Savage
Island, including the right of establishing a naval station
and coaling station, and the right of extra-territoriality in
the said islands. … She recognizes as falling to Great Britain
those of the Solomon Islands, at present belonging to Germany,
which are situated to the east and southeast of the Island of
Bougainville, which latter shall continue to belong to
Germany, together with the Island of Buka, which forms part of
it. The western portion of the neutral zone in West Africa, as
defined in Article V of the present Convention, shall also
fall to the share of Great Britain. …
"ARTICLE IV.
The arrangement at present existing between Germany and Great
Britain and concerning the right of Germany to freely engage
labourers in the Solomon Islands belonging to Great Britain
shall be equally extended to those of the Solomon Islands
mentioned in Article II, which fall to the share of Great
Britain.
"ARTICLE V.
In the neutral zone the frontier between the German and
English territories shall be formed by the River Daka as far
as the point of its intersection with the 9th degree of north
latitude, thence the frontier shall continue to the north,
leaving Morozugu to Great Britain, and shall be fixed on the
spot by a Mixed Commission of the two Powers, in such manner
that Gambaga and all the territories of Mamprusi shall fall to
Great Britain, and that Yendi and all the territories of Chakosi
shall fall to Germany.
"ARTICLE VI.
Germany is prepared to take into consideration, as much and as
far as possible, the wishes which the Government of Great
Britain may express with regard to the development of the
reciprocal Tariffs in the territories of Togo and of the Gold
Coast.
"ARTICLE VII.
Germany renounces her rights of extra-territoriality in
Zanzibar, but it is at the same time understood that this
renunciation shall not effectively come into force till such
time as the rights of extra-territoriality enjoyed there by
other nations shall be abolished."
To the treaty was appended the following "Declaration":
"It is clearly understood that by Article II of the Convention

signed to-day, Germany consents that the whole group of the
Howe Islands, which forms part of the Solomon Islands, shall
fall to Great Britain. It is also understood that the
stipulations of the Declaration between the two Governments
signed at Berlin on the 10th April, 1886, respecting freedom
of commerce in the Western Pacific, apply to the islands
mentioned in the aforesaid Convention. It is similarly
understood that the arrangement at present in force as to the
engagement of labourers by Germans in the Solomon Islands
permits Germans to engage those labourers on the same
conditions as those which are or which shall be imposed on
British subjects nonresident in those islands."
Great Britain, Parliamentary Publication,

(Papers by Command: Treaty Series, Number 7, 1900).
Article III of the general treaty between the United States,

Germany and Great Britain stipulated: "It is understood and
agreed that each of the three signatory Powers shall continue
to enjoy, in respect to their commerce and commercial vessels,
in all the islands of the Samoan group, privileges and
conditions equal to those enjoyed by the sovereign Power, in
all ports which may be open to the commerce of either of
them."
United States, 56th Congress, 1st Session,

Senate Document Number 157.
{434}
On the 17th of April, 1900, an "instrument of cession" was

signed by the marks of twenty-two chiefs, conveying to the
United States the islands of the Samoan group lying east of
the 171st degree of west longitude, and the American flag was
raised over the naval station at Pago-Pago. From Pago-Pago,
March 27, 1901, a Press despatch announced: "The natives under
the United States Government number 5,800, according to a
census just taken, while the natives in the other islands
under German rule number 32,000. The population has increased
very slightly in the last thirty years, and the main cause of
this failure to increase is the infant mortality, due to the
violation of the simplest health principles in the care and
diet of children. … Reports from the six islands under United
States control show that the natives are improving in general
conditions, and that they show a desire to keep their houses
neat and to educate their children. Not a single native has
been arrested for drunkenness since the Americans assumed
control of Tutuila island."
SAMPSON, Rear-Admiral William T.:

Commanding North Atlantic Station.
Blockade of Cuban ports.

UNITED STATES OF AMERICA: A. D. 1898 (APRIL-MAY: CUBA).

Operations at Santiago de Cuba.
UNITED STATES OF AMERICA: A. D. 1898 (APRIL-JUNE).

Destruction of Spanish squadron.

UNITED STATES OF AMERICA: A. D. 1898 (JULY 3).
SAN DOMINGO.

Provable Security: 11Th International Conference, Provsec 2017, Xi'An, China, October 23-25, 2017, Proceedings 1St Edition Tatsuaki Okamoto

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Provable Security: 11Th International Conference, Provsec 2017, Xi'An, China, October 23-25, 2017, Proceedings 1St Edition Tatsuaki Okamoto

Uploaded by

Copyright:

Available Formats

Provable Security: 11th International

Conference, ProvSec 2017, Xi’an,

Provable Security: 11th International Conference,

Cyberspace Safety and Security 9th International

Provable Security 12th International Conference ProvSec

Foundations and Practice of Security 10th International

Internet Multimedia Computing and Service 9th

Trusted Computing and Information Security: 11th

Communications and Networking: 12th International

Analytical and Computational Methods in Probability

Man Ho Au Yannan Li (Eds.)

ISSN 0302-9743 ISSN 1611-3349 (electronic)

Library of Congress Control Number: 2017956072

LNCS Sublibrary: SL4 – Security and Cryptology

© Springer International Publishing AG 2017

Printed on acid-free paper

This Springer imprint is published by Springer Nature

October 2017 Tatsuaki Okamoto

Shaanxi Normal University

Feng Liu The State Key Laboratory of Information Security, China

Anada, Hiroaki Huang, Jianye Wang, Hao

Secure Cloud Storage and Computing

Provably Secure Self-Extractable Encryption . . . . . . . . . . . . . . . . . . . . . . . 3

Towards Multi-user Searchable Encryption Supporting Boolean Query

An Efficient Key-Policy Attribute-Based Searchable Encryption

Secure Multi-label Classification over Encrypted Data in Cloud . . . . . . . . . . 57

A Secure Cloud Backup System with Deduplication and Assured Deletion. . . 74

Digital Signature and Authentication

Practical and Robust Secure Logging from Fault-Tolerant Sequential

Verifiably Encrypted Group Signatures . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Deniable Ring Authentication Based on Projective Hash Functions . . . . . . . . 127

Authenticated Encryption and Key Exchange

INT-RUP Security of Checksum-Based Authenticated Encryption . . . . . . . . . 147

Leakage-Resilient Non-interactive Key Exchange

New Framework of Password-Based Authenticated Key Exchange

Impossibility of the Provable Security of the Schnorr Signature

Bit Security of the Hyperelliptic Curves Diffie-Hellman Problem . . . . . . . . . 219

Natural sd-RCCA Secure Public-Key Encryptions . . . . . . . . . . . . . . . . . . . . 236

Long-Term Secure Time-Stamping Using Preimage-Aware Hash

On the Hardness of Sparsely Learning Parity with Noise . . . . . . . . . . . . . . . 261

Lattice and Post-quantum Cryptography

Provable Secure Post-Quantum Signature Scheme Based on Isomorphism

Bootstrapping Fully Homomorphic Encryption with Ring Plaintexts

Revocable Predicate Encryption from Lattices. . . . . . . . . . . . . . . . . . . . . . . 305

Public Key Encryption and Signcryption

Provable Secure Constructions for Broadcast Encryption

Provably Secure Homomorphic Signcryption . . . . . . . . . . . . . . . . . . . . . . . 349

Public-Key Encryption with Simulation-Based Sender

Homomorphic Secret Sharing from Paillier Encryption . . . . . . . . . . . . . . . . 381

Fuzzy Public-Key Encryption Based on Biometric Data . . . . . . . . . . . . . . . . 400

Proxy Re-encryption and Functional Encryption

An Efficient Certificateless Proxy Re-Encryption Scheme Without Pairing . . . 413

Mergeable Functional Encryption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 434

Private Subgraph Matching Protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 455

A New Blockchain-Based Value-Added Tax System . . . . . . . . . . . . . . . . . . 471

Verifiable Private Polynomial Evaluation . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 507

Abstract. There is an increasing demand of data sharing via cloud.

Keywords: Cloud storage · Data sharing · Data secrecy · Self-

With the development of communication techniques and the popularity of

videos, or other documents on cloud storage providers such as Dropbox, iCloud,

the normal functionalities of a regular advanced encryption primitive, SEXE is

Waters introduced the concept of Attribute-Based Encryption (ABE) [35], in