Efficient and Adaptively Secure Attribute-Based Proxy Reencryption Scheme

Ciphertext-Policy Attribute-Based Proxy Reencryption (CP-ABPRE) has found many practical applications in the real world, because it extends the traditional Proxy Reencryption (PRE) and allows a semitrusted proxy to transform a ciphertext under one access policy into one with the same plaintext under another access policy. The existing CP-ABPRE schemes were proven secure only in the selective security model, a limited model that places an unnatural constraint on the attacker. A scheme proved in this model can only be called selectively secure. However, from a security perspective, an adaptively secure CP-ABPRE scheme is more desirable. In this paper, an adaptively secure CP-ABPRE scheme is proposed, which is based on Waters’ dual system encryption technology. The proposed scheme is constructed in composite order bilinear groups and proven secure under the complexity assumptions of the subgroup decision problem for 3 primes (3P-SDP). Analyses show that our proposal provides higher computational efficiency compared with the existing schemes.


Introduction
With the development of the Internet and open distributed networks, the Attribute-Based Encryption (ABE) scheme [1] has drawn great attention from researchers in recent years. Unlike the Public Key Encryption mechanism, an ABE scheme takes attributes as the public key and associates the ciphertext and the user's secret key with attributes, so that it provides a more flexible access control mechanism over encrypted data. This dramatically reduces the cost of network bandwidth and of the sending node's operations in fine-grained access control of data sharing. Therefore, ABE has broad prospects in large-scale distributed applications that support a one-to-many communication mode. Traditional ABE has two variants according to the form of access policy: Key-Policy ABE (KP-ABE) and Ciphertext-Policy ABE (CP-ABE) [2]. In a KP-ABE system, ciphertexts are associated with attribute sets and secret keys are associated with access policies. CP-ABE is complementary: the sender specifies the access control policy, so, compared with KP-ABE schemes, CP-ABE schemes are more suitable for realistic scenarios.
As the research and application of ABE advance, Proxy Reencryption (PRE) [3] has been introduced into ABE schemes. Consider the following email-forwarding scenario: Alice is going on vacation and wishes that others, like Bob, could still read the messages in her encrypted emails. With an Attribute-Based Proxy Reencryption (ABPRE) system, in which a proxy is allowed to transform a ciphertext under a specified access policy into one under another access policy, she can achieve this without giving her secret key to either the mail server or Bob. So ABPRE schemes [4] are needed in most practical network applications, especially Ciphertext-Policy ABPRE (CP-ABPRE) schemes [5], which have a more flexible access control policy than Key-Policy ABPRE (KP-ABPRE) schemes [4]. Generally speaking, an ABPRE scheme has an authority, a sender, a user called a delegator who needs to delegate his/her decryption ability to someone else, a proxy who helps the delegator to generate a reencrypted ciphertext, and some receivers as participants. Recently, due to their widespread use in realistic scenarios, ABPRE schemes have received wide attention from researchers and some excellent ABPRE schemes have been proposed [6][7][8][9][10][11][12].
However, most of the existing ABPRE schemes [6][7][8][9][10][11][12] were proven secure only in the selective security model [13], in which an adversary must first choose an attack target before the public parameters are published. This restriction on an attacker is not natural, and it causes attackers to behave differently from the way they would in a real environment. In addition, most of the existing schemes [11][12][13][14][15] demand a number of pairing operations, which is indeed costly in communications. Therefore, motivated by these concerns, an efficient and adaptively secure CP-ABPRE scheme is proposed in our paper. Our scheme overcomes the restriction on an attacker in a selective security model and could be better applied to open distributed networks. In the meantime, our proposal supports any monotone access formulas and costs less computational overhead compared with the existing schemes.
The rest of this paper is organized as follows. In the next section, we shall briefly review related works in the field of ABE. In Section 3, some preliminaries including complexity assumptions, access structures, and the CP-ABPRE model are provided. Then, the concrete CP-ABPRE scheme is given in Section 4. In Section 5, we analyze the correctness and security of our scheme and compare our scheme with existing schemes in terms of access structure, security, and computational efficiency. Finally, the conclusion is drawn in Section 6.

Related Works
In 2005, Sahai and Waters [16] proposed a new type of IBE [17] called Fuzzy IBE (FIBE) which regards identities as a set of descriptive attributes. It is often regarded as the first concept of ABE [1,18]. ABE can be categorized as either KP-ABE or CP-ABE, and the latter is more flexible and more suitable for realistic scenarios [2]. In 2007, Cheung and Newport [19] used AND gates on positive and negative attributes to express their CP-ABE scheme's access policy and proved the security under the DBDH assumption. Then Nishide et al. [20] designed a new CP-ABE scheme with AND gates on multivalue attributes as its access policy. To realize a fine-grained access control strategy, Bethencourt et al. [21] used the Access Tree in their scheme. In order to design CP-ABE schemes with a flexible strategy under the DBDH assumption, Goyal et al. [22] and Liang et al. [23] each adopted the Bounded Access Tree. Later, Ibraim et al. [24] used the general Access Tree to eliminate the boundary constraints in the literature [22,23]. In 2011, Waters [25] used the Linear Secret Sharing Scheme (LSSS) access structure under the -PBDHE assumption to construct a CP-ABE scheme.
However, unfortunately, the security of the CP-ABE schemes mentioned above was proven in a weaker security model, called the selective-policy security model, which derives from the selective-ID security model for constructing an IBE scheme without the random oracle model [26]. In the selective security model, the adversary must first declare which policy he wishes to be challenged on before the public parameters are published. This restriction on the attacker is not natural, and it causes the attacker to behave differently from the real environment [13]. Considering the restrictions of the selective security model, researchers expected that ABE schemes should be designed and proven secure under the adaptive security model. So, in order to overcome the drawbacks of the selectively secure ABE schemes, Lewko et al. [13] proposed an adaptively (or fully) secure ABE scheme by using the dual system encryption technique [27], which is a common method for proving an adaptively secure scheme in IBE or ABE. Later, Lewko and Waters [28] provided a new methodology which can transform selectively secure schemes into adaptively secure ones and presented a CP-ABE scheme that is proven fully secure. In 2014, Garg et al. [29] constructed the first fully secure ABE scheme that can handle access control policies expressible as polynomial-size circuits. Afterwards, some excellent adaptively secure ABE schemes were proposed [3,30,31].
Recently, in the field of cryptography, the concept of PRE has been proposed to make data sharing more efficient. Introduced by Mambo and Okamoto [32] and first defined by Blaze et al. [33], PRE can support the delegation of decryption rights, which is never considered in extending the traditional Public Key Encryption (PKE). In PRE, a semitrusted proxy is enabled to transform a ciphertext encrypted under one's public key into a new ciphertext intended for others with the plaintext unchanged. The decryption proxy, however, can learn nothing about the secret key or the plaintext. Due to these characteristics, PRE has many practical applications. For example, Xu et al. [34] built an encrypted cloud email system with PRE, which allows a user to send an encrypted email to multiple receivers, store his encrypted emails in an email server, and review his history. In addition, it can also be used in secure distributed file systems, cloud storage, on-line Electronic Medical Record (EMR), and so on [4,5][35][36][37][38][39].
To date, PRE has been extended to adapt to different cryptographic systems. ABPRE is one of the extensions, in which a user is able to empower designated users to decrypt reencrypted ciphertext by deploying attributes. In 2008, Guo et al. [40] proposed the first ABPRE scheme and it is also the first KP-ABPRE scheme. In 2009, Liang et al. [6] proposed the first CP-ABPRE scheme, in which the proxy is enabled to transform a given ciphertext under a specified access policy into one under another access policy. But, unfortunately, only AND gates on positive and negative attributes are supported by their access policy. In 2010, Luo et al. [7] proposed a new CP-ABPRE scheme which supports AND gates on multivalue and negative attributes. Compared with [6], it has a new property named reencryption control, which means that the user can decide during the encryption process which ciphertext can be reencrypted later. Later, Seo and Kim [8] presented another CP-ABPRE scheme which only needs a constant number of bilinear pairing operations. So the computation cost and ciphertext length are reduced significantly compared to previous schemes [7,27]. In 2013, Li [9] presented a new CP-ABPRE scheme in which the ciphertext policy is a matrix access policy based on the LSSS matrix access structure. In 2014, Chung et al. [10] analyzed these CP-ABPRE schemes [6][7][8]33] and compared them by some criteria. The aforementioned CP-ABPRE schemes, however, are only CPA-secure. To tackle this problem, Liang et al. [11], for the first time, proposed a new single-hop unidirectional CP-ABPRE scheme supporting any monotonic access formulas. Despite being constructed in the random oracle model, it is proved to be CCA-secure. In 2015, Kawai [12] proposed a flexible CP-ABPRE scheme in which the reencryption key generation can be outsourced in Attribute-Based Encryption and proved their scheme is secure in the selective security model.
All the CP-ABPRE schemes mentioned above, unfortunately, were only proven to be selectively secure [13], as discussed above. A CP-ABPRE system with selective security, which limits an adversary to choosing an attack target before playing a security game, might not scale well in practice. This is because a realistic adversary is able to adaptively choose his attack target when attacking a cryptosystem. Therefore, an adaptively secure CP-ABPRE scheme is extremely desirable in most practical network applications. In 2014, Liang et al. [14], for the first time, formalized the notion of adaptive security for CP-ABPRE systems and proposed a new CP-ABPRE scheme, which is proven adaptively secure in the standard model, but their scheme demands a number of pairing operations that imply huge computational overheads. In 2015, Backes et al. [15] presented an Inner-Product Proxy Reencryption scheme. Although their scheme can easily be converted into an Attribute-Based Proxy Reencryption scheme, the ciphertext is only associated with an AND gates access structure, which does not conform to a flexible access policy. Motivated by these concerns, in this paper, we propose an efficient and adaptively secure CP-ABPRE scheme which supports any monotone access formulas.
Our contributions can be briefly outlined as follows. (1) A new scheme is proposed and it overcomes the restriction on the attacker in a selective security model in the existing schemes [6][7][8][9]11] and is proved to be adaptively secure. (2) Our proposal supports any monotone access formulas including what the AND gate access structure supports. (3) Our scheme costs less computational overhead compared with the corresponding scheme [14]. (4) We try to construct our scheme in composite order groups and use three assumptions to prove its security.

Preliminaries
3.1. Composite Order Bilinear Groups. Composite order bilinear groups were introduced by Boneh et al. [41]. First, let  and   be a cyclic additive group and a multiplication cyclic group of order , where  =  1  2  3 and  1 ,  2 , and  3 are three distinct prime numbers. Let  : × →   be a bilinear map.
Then, let   1 ,   2 , and   3 denote the subgroups of order  1 ,  2 , and  3 in group , respectively. Because  is a cyclic group, it is easy to conclude that if ℎ and  are group elements chosen from different subgroups, then (ℎ, ) = 1. This is called the orthogonality property in composite order bilinear groups.

Complexity Assumptions.
We now present three assumptions of the subgroup decision problem for 3 primes (3P-SDP) [13]. First, we let  and   be two cyclic groups of order , where  =  1  2  3 and  1 ,  2 , and  3 are three distinct primes. And we let   1 ,   2 , and   3 denote the subgroups of order  1 ,  2 , and  3 in , respectively. Let  :  ×  →   be a bilinear map.

Assumption 1. We randomly choose element  as the generator of   1 and element  3 as the generator of   3 . Given  = (, ,   , , ,  3 ),  1 ∈   1  2 and  2 ∈   1 . Let  be the security parameter and the advantage of a polynomial time algorithm  in breaking Assumption 1 is defined as

Access Structures.
In this paper, the role of the participants is taken by the attributes.As shown in [42], any monotone access structure can be represented by a Linear Secret Sharing Scheme.
Definition 7 (Linear Secret Sharing Schemes (LSSS)). Let Π denote a secret sharing scheme over a participant collection . One says that Π is called linear over   if (1) the shares distributed for each participant can form a vector over   ; (2) for Π there always exists a share-generating matrix , which has  rows and  columns. Now, function  is defined and applied to each party. That is, the party labeling row  can be denoted as () for  = 1, 2, . . ., .

The linear reconstruction property can be defined as follows. Suppose that Π is an LSSS for access structure . Let  ∈  denote the authorized set and define  ⊆ {1, 2, . . ., } as  = { | () ∈ }. Then, there exist {  ∈   } ∈ such that if {  } are valid shares of any secret , we have ∑ ∈     =  [41]. But it does not hold for unauthorized sets. In our scheme, we will employ LSSS matrices over   , where  is the product of 3 different prime numbers.
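The share generation and linear reconstruction described above, as an added Python example that is not code from the paper. The three small primes, the policy (doctor AND cardiology) OR admin, its share-generating matrix, and all function and variable names are constructed for illustration; arithmetic is modulo the product of the three primes, as the text specifies.

```python
import secrets
from math import gcd

# Constructed toy parameters: three small distinct primes stand in for the
# three prime factors of the group order. Real schemes use large primes.
P1, P2, P3 = 1009, 1013, 1019
N = P1 * P2 * P3

# Constructed policy: (doctor AND cardiology) OR admin.
# Row i of the share-generating matrix is labelled by RHO[i].
MATRIX = [[1, 1],    # doctor
          [0, -1],   # cardiology
          [1, 0]]    # admin
RHO = ["doctor", "cardiology", "admin"]


def make_shares(secret, matrix, modulus):
    """Share i is the inner product of row i with v = (secret, r_2, ..., r_n)."""
    width = len(matrix[0])
    v = [secret % modulus]
    v += [secrets.randbelow(modulus) for _ in range(width - 1)]
    return [sum(a * b for a, b in zip(row, v)) % modulus for row in matrix]


def reconstruction_coeffs(matrix, rho, attrs, modulus):
    """Solve sum_i w_i * row_i = (1, 0, ..., 0) over the rows whose label is
    in attrs. Returns {row index: w_i}, or None for an unauthorized set."""
    rows = [i for i, attr in enumerate(rho) if attr in attrs]
    width = len(matrix[0])
    # One equation per matrix column; the unknowns are the coefficients w_i.
    aug = [[matrix[i][j] % modulus for i in rows] + [int(j == 0)]
           for j in range(width)]
    pivots, r = [], 0
    for c in range(len(rows)):
        if r == width:
            break
        cand = [k for k in range(r, width) if aug[k][c]]
        if not cand:
            continue
        piv = next((k for k in cand if gcd(aug[k][c], modulus) == 1), None)
        if piv is None:
            # A nonzero non-unit shares a factor with the modulus. With real
            # parameters this would reveal a prime factor of the group order.
            raise ArithmeticError("pivot is not invertible modulo N")
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, modulus)
        aug[r] = [x * inv % modulus for x in aug[r]]
        for k in range(width):
            if k != r and aug[k][c]:
                f = aug[k][c]
                aug[k] = [(x - f * y) % modulus
                          for x, y in zip(aug[k], aug[r])]
        pivots.append((r, c))
        r += 1
    # A zero row with a nonzero right-hand side means (1, 0, ..., 0) is not
    # in the span of the selected rows: the attribute set is unauthorized.
    if any(aug[k][-1] for k in range(r, width)):
        return None
    # Free unknowns are fixed to 0 and omitted from the result.
    return {rows[c]: aug[pr][-1] for pr, c in pivots}


def reconstruct(shares, coeffs, modulus):
    """Linear reconstruction: sum of w_i * share_i modulo N."""
    return sum(w * shares[i] for i, w in coeffs.items()) % modulus


if __name__ == "__main__":
    secret = secrets.randbelow(N)
    shares = make_shares(secret, MATRIX, N)
    for attrs in ({"doctor", "cardiology"}, {"admin"},
                  {"doctor"}, {"cardiology", "nurse"}):
        w = reconstruction_coeffs(MATRIX, RHO, attrs, N)
        ok = w is not None and reconstruct(shares, w, N) == secret
        print(sorted(attrs), "authorized" if ok else "unauthorized")
```

For the unauthorized set {doctor}, the only share held is the secret plus a uniformly random value modulo N, so it carries no information about the secret.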

CP-ABPRE
3.4.1. Algorithm Model. Generally speaking, a CP-ABPRE scheme is composed of 6 fundamental algorithms and it has an authority, a sender, a user that we call a delegator who needs to delegate his/her decryption ability to someone else, a proxy who helps the delegator to generate a reencrypted ciphertext, and some receivers as participants. The 6 algorithms are shown as follows.
(1  , ) → (, ). It is performed by an authority to establish a new CP-ABPRE system. With the security parameter  and attributes  as input, it generates the public key (PK) and the master secret key (MSK).
(, , ) →   . With PK, MSK, and a set of attributes  that describe the key as input, this algorithm is executed by the authority for the purpose of generating a secret key SK  .
(,  = (, ), ) →   . Performed by a sender, with PK, a message , and an access policy  = (, ) as input, the algorithm generates a ciphertext CT  of  such that only a user whose attributes meet the access policy  can decrypt it.
(,   ,   = (  ,   )) →  →  . This algorithm is performed by the delegator. With PK, SK  , and an access policy   = (  ,   ) as input, it generates a reencryption key RK →  for the proxy.

Master Secret Security.
Master secret security is an important property for unidirectional PRE defined by Ateniese et al. [43]. Roughly speaking, even if the dishonest proxy colludes with the receiver who can decrypt the reencrypted ciphertext, it is still impossible for them to get any information on delegator's secret key and the plaintext [44].

Definition 9. The master secret security of a CP-ABPRE scheme can be defined based on the following master secret security game.
Setup.The challenger  runs the Setup algorithm to create a new system and then sends the adversary  the public key (PK).
Queries. makes the following queries.
(i) (). runs the KeyGen algorithm after  submitting attribute sets  and returns secret keys SK  to .
(ii) (,   ). submits attribute sets  and an access structure   = (  ,   ) to .Then,  runs the ReKey-Gen algorithm and returns the reencryption key RK →  to .
Output. outputs the secret key SK  * corresponding to the attribute sets  * .
In the above game, the advantage of  is defined as Adv  = Pr[ succeeds].A CP-ABPRE scheme meets master secret security if there is no polynomial time adversary  who has a nonnegligible advantage in winning the above game.
Lemma 10. For a CP-ABPRE scheme, the plaintext security implies the master secret security. That is to say, for a CP-ABPRE scheme, if there is an adversary  who can break its master secret security defined above, then there also exists an adversary   who can break this CP-ABPRE scheme.
In Section 5, we will prove that there is no polynomial time adversary who can break the CP-ABPRE scheme with a nonnegligible advantage. So Lemma 10 is obvious.

The Proposed CP-ABPRE Scheme
In this section, we shall introduce our adaptively secure CP-ABPRE scheme. Before this, in order to facilitate understanding, notations used throughout the paper are summarized in Notations.
Our adaptively secure CP-ABPRE scheme is constructed in composite order linear groups of order  =  1  2  3 ( 1 ,  2 , and  3 are 3 different prime numbers) with LSSS access structure. Let    denote the subgroup of order   in  where  ∈ {1, 2, 3}. The subgroup   2 is only used in security proof. Our scheme is shown as follows.
(1) (1  , ).Taking as input the security parameter  and system attribute set , the trusted authority chooses random elements ,  ∈   , a generator  ∈   1 , an element  0 ∈   1 , and a generator  3 ∈   3 .And then it computes  1 = (, )  and  2 =   .For each attribute  ∈ , it also chooses a random element ℎ  ∈   and computes   =  ℎ  .The public key is denoted as The trusted authority sets the master secret key as MSK = (,  3 ).
(2) (, , ). Taking the public key (PK), the master secret key (MSK), and the user attribute set  as input, this algorithm first chooses a random value  ∈   and another three random elements  0 ,   0 ,   ∈   3 . Then, it computes the secret key as SK = (,  =      0 ,  =     0 ,   =      , ∀ ∈ ) .
(3) (, , ). This algorithm takes as input the public key (PK), an access policy  = (, ), and a message , where  is an  ×  matrix and the function  associates rows of  to attributes. This algorithm randomly chooses a column vector  ⇀ V = (,
Both the original ciphertext decryption and the reencrypted ciphertext decryption processes in Section 4 are correct because the message  can be recovered correctly. Hence, our CP-ABPRE scheme is also correct.

Security Proof.
Dual system encryption [27] is considered as a common and powerful tool to transform a selectively secure scheme into an adaptively secure one [13,45,46]. In a dual system encryption scheme, both keys and ciphertexts have two forms: normal and semifunctional [13]. A normal key can be used to decrypt normal or semifunctional ciphertexts, while a semifunctional key can only be used to decrypt normal ciphertexts. Notably, the semifunctional keys and ciphertexts are only used in security proof. To prove the security of our CP-ABPRE scheme, we firstly define the semifunctional keys and ciphertexts as follows.
Let  2 be a generator of   2 .
Semifunctional Ciphertexts. We firstly use the Enc algorithm to generate normal ciphertext and choose element  ∈   randomly. Then, we choose random values   ∈   for each attribute, random values   ∈   for the th row of matrix , and a random column vector  ⇀  ∈    . The semifunctional ciphertext is set as
Semifunctional Key. We use KeyGen algorithm to generate normal secret key. And then we choose random exponents ,  ∈   to set the semifunctional key as follows.
A semifunctional key of type 1 is A semifunctional key of type 2 (in type 1  = 0) is We should note that there will be an extra factor 0, 0, . . ., 0) ⋅  ⇀  ) when a semifunctional key is used to decrypt a semifunctional ciphertext.But when the formula  =  1 holds, the semifunctional key of type 1 called a nominally semifunctional key can decrypt the semifunctional ciphertext successfully.
Our proof of security relies on Assumptions 1, 3, and 5 defined in Section 3. The security proof is obtained via a hybrid argument over a sequence of games defined below. Let  be the maximum number of key queries that the adversary makes, and a series of games are defined as follows.
  . It denotes the real CP-ABPRE security game defined in Section 3, with normal keys and ciphertexts.
 0 . It is similar to the above real game except that the challenge ciphertext is transformed into semifunctional one.
,1 . In the game, the challenge ciphertext is semifunctional, the first  − 1 queried keys are semifunctional ones of type 2, the th key is semifunctional one of type 1, and the rest of the keys are normal ones.
,2 . The challenge ciphertext is semifunctional, the first  queried keys are semifunctional ones of type 2, and the remaining keys are normal ones.
. All keys are semifunctional ones of type 2 and the challenge ciphertext is semifunctional encryption of a random message which is independent of the two messages provided by the adversary. So the advantage of the adversary in this game is negligible.
In the latter part of this section, we will prove that the above games are indistinguishable under the composite assumption.
Lemma 11. Assume that there is a polynomial time adversary  such that   V  −  0 V  = . Then, we can construct another polynomial time algorithm  that can break Assumption 1 with a nonnegligible advantage .
Proof. We establish a polynomial time algorithm  which receives {,  3 , } to simulate either Game real or Game 0 with  based on setting whether  ∈   1  2 or  ∈   1 .
Phase 1.  responds to whatever 's key requests by using the KeyGen algorithm to make normal keys, since it has the MSK.
Challenge. provides two messages  0 and  1 with equal length and a challenge access matrix  * = ( * , ) to .For each row  of matrix  * ,  first chooses random values Then,  chooses a random message   from  0 and  1 and computes the challenge ciphertext  * as where  ∈ {0, 1} is the random coin.
Phase 1. This phase can be divided into three parts.
(1) To form the first  − 1 semifunctional keys of type 2,  responds to each 's key query by randomly choosing elements  ∈   and   0 ,   ∈   3 and sets (2) To generate the normal keys of queries greater than ,  needs to run the KeyGen algorithm since it has the master secret key (MSK).
(3) To answer the th query, set   equal to the   1 part of .Then,  randomly chooses elements  0 ,   0 ,   ∈   3 and computes If  ∈   1  3 , the above key is a normal one.And if  ∈ , it is a semifunctional one of type 1.In this case, there exists where  ∈ {0, 1} is the random coin.We set  ⇀ V =  Actually, if the th key can be used to decrypt the challenge ciphertext, then  −  1 =  −  = 0 modulo  2 holds, so our key is either normal or nominally semifunctional.We must argue that this is hidden to  that cannot request any keys that can be used to decrypt the challenge ciphertext.Note that attributes are only used once in labeling the rows of the matrix.When attribute  ∉ ,   only appeared in the th key because all keys are semifunctional ones of type 2 except for the th one.Because the th key cannot be used, decrypting the challenge ciphertext, which implies the row space  formed by the rows of the matrix  whose attributes are in the key, does not include the vector (1, 0, . . ., 0).Thus, we denote a vector  ⇀  that is orthogonal to  and not orthogonal to vector (1, 0, . . ., 0).We set an equation that  ⇀  =   ⇀  +  ⇀   for  ∈   and   is in the span of the basis elements not equal to  ⇀  .
For () ∈ , the equation is attribute which does not appear in the th key.As long as each   mod  2 is not congruent to 0, each equation brings a new unknown factor  () that appears nowhere else, and so the adversary  can get nothing about .More precisely, for any value of  1 , there is the same number of solutions to these equations.Hence, as long as each   is nonzero modulo  2 , the ciphertext and the th key are properly distributed in the adversary's view with a probability negligibly close to 1. Thus, if  ∈   1  3 , then  has simulated Game −1,2 with .If  ∈  and   is nonzero modulo  2 , then  has simulated Game ,1 .Hence,  can use the output result of  to distinguish between these possibilities for .In other words,  can break Assumption 3 with advantage .
Hence, if the adversary  has a nonnegligible advantage  to distinguish Game −1,2 and Game ,1 ,  can also distinguish element on   1  3 and  with a nonnegligible advantage .

Lemma 13. Suppose that there is a polynomial time adversary  such that  ,1 V  −  ,2 V  = . Then, another polynomial time algorithm , which breaks Assumption 3 with a nonnegligible advantage , can be constructed.
Proof. receives {,  1  2 ,  3 ,  2  3 , } to simulate either Game ,1 or Game ,2 with the adversary  depending on whether  ∈  or  ∈   1  3 .This proof is very similar to that of Lemma 12, so here we only describe Phases 1 and 2.
Phase 1. The first ( − 1) semifunctional keys of type 2 and the last ( − ) normal keys are constructed exactly as in Lemma 12. To answer the th query,  randomly chooses an exponent ℎ ∈   and then computes The only difference from Lemma 12 here is adding a term ( 2  3 ) ℎ which randomizes the   2 part of , so the th key is no longer a semifunctional one.
Setup. chooses random values , ℎ  ∈   (∀ ∈ ) and sends the public key PK = (, ,  0 , (, )  = (,    2 ),   ,   =  ℎ  ∀) to . Note that  does not know .
where  ∈ {0, 1} is the random coin. We note that there exists V =  −1   and  =   , so  is being shared in the subgroup   1 and  is being shared in the subgroup   2 . At the same time, set   =    and   = −   .
Phase 2. Repeat Phase 1.
Guess.A outputs its guess result   of .
If  = (, )  , then this is a properly distributed semifunctional ciphertext with message   .Otherwise, this is a semifunctional ciphertext of a random message and will not give anything about  to the attacker.
Hence, if  can distinguish Game ,2 and Game Final with a nonnegligible advantage ,  can distinguish the element (, )  and a random element in   with a nonnegligible advantage .

Theorem 15. If Assumptions 1, 3, and 5 hold, our CP-ABPRE scheme is adaptively secure.
Proof.If Assumptions 1, 3, and 5 hold, we have proved that the real CP-ABPRE security game Game real is indistinguishable from Game Final by previous Lemmas 11-14.And because the challenger in Game Final chooses a random message   to encrypt, the adversary could not get any information on .In other words, the advantage of adversary in Game Final can be negligible, so the advantage of the adversary in Game real can be also negligible.Hence, our CP-ABPRE scheme is secure.

Security Analysis.
The reencryption control, which allows the encryptor to decide whether the ciphertext can be reencrypted, was first put forward by Luo et al. in [7]. In our CP-ABPRE scheme, we can see that the element   =   0 is of no use in the original ciphertext decryption phase, and it is only used in the reencrypted ciphertext decryption phase. If the encryptor does not provide the factor   0 , it is impossible for the decryption of reencrypted ciphertext. So in our scheme, the encryptor can control whether the ciphertext can be reencrypted (in fact he can decide whether the reencrypted ciphertext can be decrypted). In addition, our scheme overcomes the restriction on the attacker in a selective security model in the existing schemes [6][7][8][9]11] and is proven adaptively secure in the standard model without jeopardizing the expressiveness of access policy.

Performance Analyses.
In this part, we will make some comparisons of different CP-ABPRE schemes, and the results are summarized in Tables 1-3. A comparison of access expression and some properties is given in Table 1. In addition, we shall compare the performance and efficiency of our proposal with the existing ones in Tables 2 and 3. We use |  |, |  |, and  to denote the attributes held by user , the attributes required by the ciphertext, and the number of attributes in systems, respectively. We use  to denote the operation in group ,   for the operation in group   , and  for the bilinear pairing operation. We use symbol  * to denote the bit length of element in * . At last, we use   = ∑  =1   to denote the total number of possible values of attributes, where   is the number of possible values for attribute .
From Tables 1-3, we can draw the following conclusions. Liang et al. [6], Luo et al. [7], Seo and Kim [8], and Backes et al. [15], respectively, proposed their schemes based on the CP-ABE in which the ciphertext is associated with AND gates access structure. However, the access policy in these four schemes is not flexible enough; it can only support AND operation on attributes. The ciphertext policy realized in Li's [9], Liang et al.'s [11,14], and our scheme is LSSS matrix access structure which supports any monotonic access formula including what the AND gate access structure supports. Different from Li's [9] and Liang et al.'s [11] schemes, our scheme is adaptively secure. And, what is more, our scheme needs only a constant number of pairing operations in Reencryption and Decryption phase when compared with Liang et al.'s scheme [14]. That is, our scheme greatly reduces the computational overhead.
From the above analysis, we can conclude that our scheme is more efficient and secure than previous CP-ABPRE schemes.

Conclusions
CP-ABPRE employs the PRE technology in the ABE cryptographic setting and could be applicable to many real world applications, such as email forwarding. The existing CP-ABPRE systems, however, were proven secure only in the selective security model, which causes the attacker to behave differently from a real environment. So an efficient and adaptively secure Attribute-Based Proxy Reencryption scheme is proposed in this paper. By using the dual system encryption, the proposed scheme can be proven to be adaptively secure rather than selectively secure, which is much less practical. Meanwhile, our scheme supports any monotone access formulas including what the AND gate access structure supports. And compared with the existing schemes, our scheme needs only a constant number of pairing operations in Reencryption and Decryption phase, which greatly reduces the computational overhead.

Notations
: Large prime number ( = 1, 2, 3) : Order of composite order linear groups : Additive group of order     : The subgroup of order   in  ( = 1, 2, 3) : Security parameter : System attribute set   : The set of positive integers which are less than  : Generator of   1  3 : Generator of   3 : Bilinear mapping, that is, :  ×  →   PK: The private key MSK: The master secret key : User attribute set SK: The secret key : An access policy : An ×  matrix

Definition 2. Assumption 1 holds if there is no polynomial time algorithm  which has a nonnegligible advantage Adv 1  ().
→  ,   ) →    . It is performed by the proxy, with PK, RK →  , and CT  as input. Firstly, the proxy checks whether the attribute in RK →  meets the access policy of CT  . If yes, it outputs a reencrypted ciphertext CT   and otherwise ⊥.
(,   ,   ) → . With PK, an original ciphertext CT  , and a secret key SK  as input, it returns the plaintext message  if  satisfies the access policy  specified for CT  , and otherwise ⊥.
   (,    ,    ) → . This algorithm returns the plaintext message  if   meets the access policy   specified for CT   , and otherwise ⊥.

3.4.2. Security Model. The adaptive security definition for a CP-ABPRE scheme is described by a security game between a challenger  and an adversary , which is shown as follows.
Setup. runs the Setup algorithm to create a new system and then sends  the public key PK.
Phase 1.  makes the following queries.
(i) Secret Key Extract Queries. runs the KeyGen algorithm after  submitting sets of attribute  1 ,  2 , ...,   1 and returns secret keys SK  to .
(ii) Reencryption Key Extract Queries. submits sets of attribute  1 ,  2 , ...,   1 and an access structure   = (  ,   ). Then,  runs the ReKeyGen algorithm and gives the reencryption key RK →  to .
Challenge. chooses two messages  0 and  1 with equal length and an access structure  * , which cannot be met by any of the queried attribute sets { 1 ,  2 , ...,   1 }. randomly flips coin  ∈ {0, 1} and encrypts   under  * to generate CT * , which is then sent to .
Phase 2. Phase 1 is repeated. Note that there is a restriction that no sets of attributes {  1 +1 ,   1 +2 , ...,   } can satisfy the access structure corresponding to .
Guess. outputs a guess result   for .
In the above game, the advantage of  is defined as Adv  = |Pr[  = ] − 1/2|. And the above security model can be easily extended to simulate a game between a CCA adversary and a challenger by permitting Reencryption and Decryption queries during Phases 1 and 2.

we let factor   2 denote the   2 part of , there is  ≡  mod  2 . Note that   mod  2 is uncorrelated to ℎ  modulo  1 , let   2  be equal to the   2 part of , let   2 be equal to the   2 part of , and let    2 be equal to the   2 part of   .
Challenge. provides two messages  0 and  1 with equal length and a challenge access matrix ( * , ) for . sets   =  1 and   2 =  2 . Then,  chooses random values  2 ,  3 , . . .,   ∈   to define the vector  ⇀   = (,  2 ,  3 , . . .,   ) and randomly chooses exponent    ∈   . chooses a random message   from  0 and  1 and computes the challenge ciphertext  * as , so  is shared in the subgroup   1 and  ⋅  is shared in the subgroup   2 . It also sets   =  ⋅    and   = − ⋅    . The values  () = ℎ () match those in the th key if it is semifunctional of type 1.
nothing to do with .
Decryption would fail if we try to use it to decrypt the semifunctional ciphertext, because the condition  −  1 ≡ 0 mod  2 no longer holds. Phase 1 is repeated. Hence, if  ∈   1  3 , the th key is a properly distributed semifunctional key of type 2 and therefore  simulates Game ,2 for . If  ∈ , the th key is a properly distributed semifunctional key of type 1 and therefore  simulates Game ,1 for . As a result, if  has a nonnegligible advantage  to distinguish Game ,2 and Game ,1 ,  also has a nonnegligible advantage  to distinguish element in   1  3 and .

Assume that there is a polynomial time adversary  such that  ,2 V  −   V  = . Then, we can construct a polynomial time algorithm  which can break Assumption 5 with a nonnegligible advantage .
Proof. The proof is similar to those of Lemmas 11-13. receives {,    2 ,  3 ,    2 ,  2 , } to simulate Game ,2 or Game Final with  based on whether  = (, )  or  is a random element of   .