Identity-Based Proxy Re-Encryption Scheme Using Fog Computing and Anonymous Key Generation

In the fog computing architecture, a fog is a node closer to clients and responsible for responding to users’ requests as well as forwarding messages to clouds. In some medical applications such as the remote healthcare, a sensor of patients will first send encrypted data of sensed information to a nearby fog such that the fog acting as a re-encryption proxy could generate a re-encrypted ciphertext designated for requested data users in the cloud. Specifically, a data user can request access to cloud ciphertexts by sending a query to the fog node that will forward this query to the corresponding data owner who preserves the right to grant or deny the permission to access his/her data. When the access request is granted, the fog node will obtain a unique re-encryption key for carrying out the re-encryption process. Although some previous concepts have been proposed to fulfill these application requirements, they either have known security flaws or incur higher computational complexity. In this work, we present an identity-based proxy re-encryption scheme on the basis of the fog computing architecture. Our identity-based mechanism uses public channels for key distribution and avoids the troublesome problem of key escrow. We also formally prove that the proposed protocol is secure in the IND-PrID-CPA notion. Furthermore, we show that our work exhibits better performance in terms of computational complexity.


Introduction
Cloud computing was first introduced by Chellappa [1] who hoped to store data in remote servers via networks. In 2006, Amazon brought in the so-called Amazon Web Services (AWS) to seek more business opportunities. Since then, such services have been widely developed and spread out. Many companies like Microsoft and Google are gradually competing for the cloud computing market due to its advantages in reducing costs and improving productivity. Cloud services have also become an inevitable part of our daily life. When using cloud services, we have to pay attention to the safeguard of Internet security [2] by employing all kinds of cryptographic techniques [3][4][5][6].
Clouds are not only for storage; the deployment model influences managing and owning the cloud, and the location and users of the cloud. According to the location of stored data and how the technologies are deployed and consumed, we can classify cloud service models into three kinds, as follows: (i) Public Cloud: It is usually constructed by third-party cloud service companies (such as Google (Mountain View, CA, USA), Azure (Redmond, WA, USA), etc.). Users can purchase storage space from service providers and the latter will be responsible for system maintenance, which helps with reducing unnecessary user costs. Yet, the security is low owing to uncontrollable cloud environments. (ii) Private Cloud: It is constructed by the individual company and hence has high security and privacy. However, it requires self-maintenance and the cost is relatively high.
(iii) Hybrid Cloud: It combines the advantages of public and private clouds and can separately store data by its confidentiality. Nevertheless, it is also relatively difficult to manage and maintain.
According to the definition given in NIST SP 800-145, the cloud service model is also categorized into the following three kinds: (i) Software as a Service (SaaS): It is the most common model in which users can utilize all kinds of interfaces (including web-based or program-based) to acquire resources and web services [7] such as stream media platforms running on cloud infrastructure. The advantage of this model is that users do not have to be responsible for controlling or maintaining the cloud infrastructure, such as communication networks [8], operating systems, storage, and applications. (ii) Platform as a Service (PaaS): In this model, the cloud service provider is responsible for providing application development platforms such as storage capacity, computing resources, programming languages, libraries and related development tools, etc. Users can utilize these tools to deploy consumer-created application programs on the cloud infrastructure and they do not have to control or maintain the cloud infrastructure. (iii) Infrastructure as a Service (IaaS): The cloud service provider supplies users with all kinds of storage, computing, and network resources, and users can utilize these infrastructures to deploy their own platforms and application programs. The advantage of this model is that users do not have to control or maintain the cloud infrastructure, but have the control over their deployed applications, storage, and operating systems.
Fog computing in IoT environments [9][10][11] is an extension of cloud computing and was first addressed by the research of Stolfo et al. [12], who attempt to protect the cloud data security [13] with the assistance of fog computing. Bonomi et al. [14] viewed the fog as a cloud closer to the ground and users. The architecture of fog computing can also benefit by sharing cloud data. A proxy re-encryption (PRE) scheme [15] is a commonly adopted ciphertext sharing protocol in which a ciphertext intended for Alice can be re-encrypted into another ciphertext designated for Bob by a proxy. When we combine the PRE scheme with fog computing, a fog would act as the proxy to carry out the cloud ciphertext transformation process, so as to reduce the network transmission latency. However, the privacy of cloud ciphertexts in the transformation must be further assured and the fog node (proxy) should learn nothing about the ciphertext.

Related Work
In 2010, Luo et al. [16] developed a ciphertext-policy attribute-based PRE scheme using AND-Gates policy. In particular, their policy supports multi-value attributes, negative attributes, and wildcards. They also showed that their mechanism fulfills the property of unidirectionality, non-interactivity, and multi-use. Moreover, in their scheme, the encryptor can decide if the ciphertext can be re-encrypted.
Considering the property of keyword search, in 2012, Fang et al. [15] proposed a chosen-ciphertext secure-anonymous-conditional PRE with keyword search. That is, they provided the PRE mechanism with the property of keyword search. Additionally, they gave the CCA security definition of conditional PRE schemes and showed that their protocol satisfies such a definition. Wang et al. [17] further introduced a constrained PRE scheme with a conjunctive keyword search. Specifically, their mechanism is both single-hop and unidirectional.
In 2013, Liang et al. [18] addressed a ciphertext-policy attribute-based PRE with chosen-ciphertext security assuming the hardness of the decisional q-parallel bilinear Diffie-Hellman exponent problem. In this mechanism, a ciphertext with respect to a given access policy is able to be re-encrypted into one in relation to another access policy. Their scheme is suitable for any monotonic access structure. They proved the security of their scheme in the random oracle model. Considering the queries from intra-domain and inter-domain in a cloud computing scenario, Han et al. [19] proposed an identity-based PRE scheme. Their scheme is secure against collusion attacks and the access permission could be made by the data owner, rather than by the central authority. However, the computational complexity of their scheme is high.
In 2014, Liang et al. [20] presented an adaptively CCA-secure ciphertext-policy attributebased PRE for cloud data sharing. Their work integrated the dual system encryption technology with selective proof technique to achieve the adaptive CCA security in the standard model. Additionally, their work supports any monotonic access structures.
To improve the security of sharing data using QR codes, Akhil et al. [21] combined the PRE mechanism with QR code applications. Using QR codes to share data among different users is a commonly utilized approach. However, it is easily altered during transmission, since the format of QR codes is only readable by machines.
For improving the security of cloud storage, in 2018, Zeng and Choo [22] introduced a new conditional PRE scheme that is also known as the sender-specified PRE, i.e., SS-PRE, since their scheme only allows the proxy to transform the ciphertexts of the designated sender to the delegatee. They also present the formal definition of their SS-PRE scheme and prove its security in the standard model.
In order to share data securely in the cloud, in 2020, Zhang et al. [23] proposed an identity-based data storage scheme combining the architecture of fog computing. In their scheme, the fog node sends the request of the data user to both the cloud and the data owner. If the requested data user is non-revoked and has access privilege, the data owner will delegate the fog node to perform the cloud ciphertext re-encryption process. The fog node then forwards the re-encrypted ciphertext to the data user for decryption.
Considering the security of message transmission in a group, in 2021, Xiong et al. [24] presented a so-called puncturable PRE scheme on the identity-based cryptosystem. In particular, there is a message server that carries out the ciphertext re-encryption for all users and thus the computational efforts of the user sides are released. Yet, the message server plays a crucial role in the system performance and might become an obvious attacking target.
In 2022, Lin et al. [25] improved Zhang et al.'s scheme [23] by eliminating some security flaws. They also showed that their enhanced scheme maintains the properties to revoke invalid users and generate private keys anonymously. Although their work has improved security, which is provably secure in the random oracle model, the computational complexity is still high. Motivated by this challenging problem, we propose a more efficient PRE scheme based on the study of Lin et al. [25]. Up to the present, there have been several PRE mechanisms [26][27][28][29][30][31][32] proposed for different applications. However, only a few works [19,23,25] take the issue of cloud computing or fog computing scenarios into consideration. We compare the proposed mechanism with these schemes and show the computational advantage of ours in a later section.
The main contribution of this study is to propose an identity-based PRE scheme for the fog computing scenario and using the technique of anonymous key generation. In the proposed system, we use public channels for key distribution and avoid the troublesome problem of key escrow. In addition, the decision of access privilege for cloud ciphertexts is controlled by the data owner, rather than by the central authority. Moreover, we demonstrate that the proposed protocol is not only IND-PrID-CPA secure, but also has lower computational costs.

Preliminaries
Let the symbols (G 1 , G 2 ) be two multiplicative groups and p is a prime order of both groups. We express e: G 1 × G 1 → G 2 as a symmetric bilinear pairing. The properties of e are listed as follows: (i) Bilinearity: Given a group element g in G 1 and two integers a, b in Z p , we have e(g a , g b ) = e(g, g) ab .

(ii) Non-degeneracy:
There are group elements A, B in G 1 such that e(A, B) = 1.

(iii) Computability:
Given two group elements A, B in G 1 , the value e(A, B) can be efficiently computed.

Decisional Bilinear Diffie-Hellman (DBDH) Problem and Assumption
Let the problem instance be (g, g x , g y , g z , e(g, g) xyz , C) in which (g, g x , g y , g z ) are elements in G 1 while (e(g, g) xyz , C) are elements in G 2 ; the DBDH problem has to decide if the equality e(g, g) xyz = C holds or not. Its assumption asserts that the chance of any adversary running in polynomial-time to solve the DBDH problem is insignificant.

Proposed IB-PRE-FCAK Scheme
Before introducing the proposed identity-based proxy re-encryption scheme using fog computing and anonymous key generation (short for IB-PRE-FCAK), we first address the system model and composed algorithms.

System Model
We illustrate the system model for our proposed IB-PRE-FCAK scheme in Figure 1, and it is mainly composed of three levels. Among the hierarchy, the top level is a cloud server that can be viewed as a data repository center storing ciphertexts. The middle level is a collection of fog nodes that process requests from users and transmit ciphertexts to the cloud server. The third level consists of the data owner and the data user. The former generates ciphertexts to be uploaded to the cloud server while the latter can request access to cloud ciphertexts. Note that both the ciphertext uploading and downloading processes are assisted by the fog nodes. In particular, the data owner can authorize the fog node to perform the ciphertext re-encryption procedure for sharing cloud ciphertexts with other data users. Moreover, there is also a private key generation center (PKG) responsible for issuing private keys to all users.
Given two group elements A, B in G1, the value e(A, B) can be efficient

Decisional Bilinear Diffie-Hellman (DBDH) Problem and Assumption
Let the problem instance be (g, g x , g y , g z , e(g, g) xyz , C) in which (g, g x , g y , g in G1 while (e(g, g) xyz , C) are elements in G2; the DBDH problem has to decid ity e(g, g) xyz = C holds or not. Its assumption asserts that the chance of any a ning in polynomial-time to solve the DBDH problem is insignificant.

Proposed IB-PRE-FCAK Scheme
Before introducing the proposed identity-based proxy re-encryption fog computing and anonymous key generation (short for IB-PRE-FCAK), w the system model and composed algorithms.

System Model
We illustrate the system model for our proposed IB-PRE-FCAK schem and it is mainly composed of three levels. Among the hierarchy, the top l server that can be viewed as a data repository center storing ciphertexts. Th is a collection of fog nodes that process requests from users and transmit the cloud server. The third level consists of the data owner and the data us generates ciphertexts to be uploaded to the cloud server while the latter can to cloud ciphertexts. Note that both the ciphertext uploading and downloa are assisted by the fog nodes. In particular, the data owner can authorize t perform the ciphertext re-encryption procedure for sharing cloud cipherte data users. Moreover, there is also a private key generation center (PKG) r issuing private keys to all users.

Algorithms
The IB-PRE-FCAK scheme can be divided into several subroutines, i.e., Setup, KeyExtract, Enc, Tkgen, RKgen, Re-Enc, and Dec. We define the parameters and corresponding outputs of these subroutines as follows: where ID is a user identity, and performs an interactive process to return the private key K ID associated with ID.

Construction
We introduce a concrete construction based on the previously defined subroutines. First, some utilized symbols are defined as Table 1: re-encryption key (r 1 , r 2 , r 3 , r 4 , r 5 ) re-encrypted ciphertext -Setup: Taking the value l as a security value, the PKG chooses G 1 and G 2 groups of prime order p and both are multiplicative. Let the symbol g denote a generator in group G 1 and the notation e be a bilinear map written as e: Msk determined by the PKG is a random value s ∈ Z p *, and its corresponding master public key (Mpk) is calculated as Q = g s . There is also a user revocation list, i.e., RL, maintained by the PKG. Whenever ID i has to be revoked, the PKG renews RL as RL = RL ∪ {ID i }. Three collision-resistant hash functions are defined as follows: h i : {0, 1}* → G 1 , for i = 1 and 2 h 3 : Except for Msk, all the other parameters could be viewed as the system public information Φ.
-KeyExtract: For obtaining his/her private key, a user ID i randomly chooses integers d i , k i ∈ Z p * and computes The values (ID i , H i ) are delivered to the PKG. After receiving it, the PKG derives and sends K i back to ID i . Consequently, ID i is able to calculate his private key as With the following equality, the correctness of K i can be easily verified.
-Enc: Let m = (m 1 , m 2 , . . . , m n ) be a plaintext to be encrypted and SK ∈ G 2 a chosen symmetric key. A data owner ID o then selects an integer z ∈ R Z p * to calculate where the notation E(·) denotes the symmetric encryption function.
Here, the ciphertext C is composed of {r 1 , r 2 , r 3 }. Next, the data owner sends (ID o , C) along with the data category name C ind to the adjacent fog. It stores (ID o , C ind , r 1 , r 2 ) in the local repository and further transmit (ID o , C ind , r 3 ) to the cloud server.
-Tkgen: For accessing the cloud data with respect to the data category name C ind , a data user ID u randomly selects an integer r ∈ R Z p * to compute and delivers his request (ID u , C ind , R) to the adjacent fog. It then searches for the record (ID o , C ind , r 1 , r 2 ) from the local repository and further forwards the token T u,ind = (ID u , R) to the associated data owner ID o .
-RKgen: Upon obtaining the token T u,ind = (ID u , R), the data owner ID o asks the PKG to check if the maintained user revocation list RL contains ID u . If it does, an error symbol ⊥ is sent to the requested data user ID u via the assistance of the fog. Or else, ID o randomly selects two random numbers t, y ∈ Z p * and computes w 1 = Q t (10) w 3 = e(g y , Q) Next, ID o sends the re-encryption key RK o,u,ind = (w 1 , w 2 , w 3 ) to the fog node.
-Re-Enc: Upon receiving RK o,u,ind , the fog re-encrypts the original ciphertext C as C by setting At last, the re-encrypted ciphertext C consisting of (r 1 , r 2 , r 3 , r 4 , r 5 ) is sent back to ID u . Note that the partial ciphertext r 3 can be retrieved from the cloud storage.
-Dec: In the case that the data owner ID o wants to access his/her original ciphertext C = (r 1 , r 2 , r 3 ), he/she can derive the symmetric key by computing Then, the plaintext can be decrypted as where D(·) is a symmetric decryption function. The correctness of Equation (16) can be verified as follows. From the right side of Equation (16), it can be derived that Whenever a data user ID u obtains a re-encrypted ciphertext C that is composed of (r 1 , r 2 , r 3 , r 4 , r 5 ), he/she first utilizes his/her own private key K u to calculate X = r 4 ·h 3 r r 5 ·e(K u , g) e(h 1 (ID u ||k u ), Q) Consequently, the plaintext m can be decrypted with the symmetric key SK by Equation (17). We give the derivations of Equation (19) below. Our first step is to simplify Equation (18): h 3 e(g yr , Q)e(K u , g) e(h 1 (ID u ||k u ), Q) Next, we could rewrite Equation (19) as

Formal Model and Security Proof
The fundamental security for any encryption scheme is confidentiality. There is also a well-defined security model for PRE schemes. We adopt this security model to demonstrate formally the security of the proposed IB-PRE-FCAK protocol. Namely, we initially review the security definition of IND-PrID-CPA, i.e., indistinguishability against adaptively chosen identity and chosen plaintext attacks. Then, we demonstrate that the proposed construction fulfills the secure notion of IND-PrID-CPA by utilizing the proof techniques of random oracle models.
The concept of this security proof is a technique of proof by contradiction. That is, we first assume that there is an adversary who is able to break the proposed scheme under the adaptively chosen identity and chosen plaintext attacks. Then, we can take the advantage of this adversary to break a well-known intractable cryptographic assumption with nonnegligible advantage. Since there is no efficient polynomial-time algorithm that could solve any well-known cryptographic assumption, we conclude that our initial assumption is wrong, which also completes the whole security proof.
(IND-PrID-CPA) In the following interactive game between a probabilistic adversary A and a challenger B, if the former does not have a non-negligible advantage to defeat the latter in polynomialtime, we say that an IB-PRE-FCAE scheme fulfills the security requirement of indistinguishability under the attacks of adaptively chosen identity and chosen-plaintext: Setup: At first, the challenger B invokes the Setup(1 l ) subroutine to obtain system public information Φ along with the master secret key Msk. The adversary A can only learn the public information Φ.
Phase 1: A is allowed to adaptively invoke the following queries: -KeyExtract Queries: A can query the private key for his chosen identity. -RKgen Queries: A can query the re-encryption key for his chosen (ID o , ID u , C ind ) in which ID u has to be a non-revoked data user and C ind is the name of data category.

Challenge:
A chooses the identity of ID* as an object and prepares the plaintext m* = (m 1 *, m 2 *, . . . , m n *). Let (SK 0 , SK 1 ) be symmetric keys with an identical length. Then, B flips a bit bt and then creates a challenge ciphertext C* = (r 1 *, r 2 *, r 3 *) in relation to (ID*, m*, SK bt ) for A.
Phase 2: Given the ciphertext C*, the adversary A goes on to invoke previous queries based on the following limits: - The KeyExtract query with respect to ID*, i.e., the target identity, is prohibited. -Any RKgen query for the identities (ID*, ID u ) or (ID o , ID*) is prohibited. - A can invoke at most q ke KeyExtract and q rk RKgen queries.
Guess: After invoking enough queries, A returns a bit bt . We say that A wins this game, provided that bt = bt. Therefore, we can express A's advantage as Adv(A) = | Pr[bt = bt ] − 1/2 |.
Using the techniques of random oracle proof models, we prove that the proposed IB-PRE-FCAK scheme satisfies the security notion of IND-PrID-CPA as Theorem 1.

Theorem 1.
Provided thatthe DBDH assumption holds, the proposed IB-PRE-FCAK scheme satisfies the security requirement of indistinguishability under adaptively chosen identity and chosen plaintext attacks (IND-PrID-CPA). Specifically, an algorithm B breaking the DBDH problem with non-negligible advantage ε can be created by utilizing a probabilistic adversary A that is able to break the IND-PrID-CPA security of the proposed IB-PRE-FCAK scheme with non-negligible advantage ε in polynomial-time. To be precise, the non-negligible advantage ε can be expressed as ε ≥ ε e(q ke + q rk + 1) where q ke and q rk are the maximum numbers of KeyExtract and RKgen queries, respectively.
Proof. Given an instance (g, g a , g b , g c , e(g, g) abc , F) of DBDH, we build an algorithm B to judge if e(g, g) abc = F holds or not by taking the adversary A as subroutine. In the following interactions, B is responsible for responding to various queries submitted by A.
Setup: At first, the challenger B invokes the Setup(1 l ) subroutine to obtain system public information Φ. Let (h 1 , h 2 ) be random oracles and h 3 a collision-resistant hash function. B further sets Mpk = Q = g a , i.e., Msk is implicitly specified as the value a unknown to B.
Phase 1: A is allowed to adaptively invoke the following queries: h 1 (ID i k i ) query: In this query, B first searches the maintained h 1 -list for a matched record. Or else, he selects a bit η such that Pr[η = 1] = τ. The value τ would be derived subsequently. Whenever η = 0, B returns the value J 1 = (g b ) v1 in which v 1 ∈ Z p * . Otherwise, J 1 is computed as g v1 . The maintained h 1 -list is also renewed by adding the record (ID i , k i , η, v 1 , J 1 ). -h 2 (ID i ID PKG ) query: In this query, B first searches the maintained h 2 -list for a matched record. Or else, he returns the value J 2 = g v2 in which v 2 ∈ Z p * . The maintained h 2 -list is also renewed by adding the record (ID i , ID PKG , v 2 , J 2 ). -KeyExtract query: In response to the KeyExtract(ID i ) query, B tries to determine the corresponding records (ID i , k i , η, v 1 , J 1 ) and (ID i , ID PKG , v 2 , J 2 ) in h 1 -list and h 2 -list, respectively. (If one datum exists, B could directly invoke the two queries to create records.) As long as η = 1, B aborts; or else, the return value is computed as RKgen query: In response to the RKgen(ID o , ID u , C ind ) query in which ID u is a nonrevoked user, B obtains the private key K IDo by invoking the KeyExtract(ID o ) query and checks the record (ID i , k i , η, v 1 , J 1 ) kept in the h 1 -list. As long as η = 0, B aborts. Or else, B chooses random numbers r, t, y ∈ Z p * and calculates R = g r , w 1 = Q t , )R y , Q)) , w 3 = e(g y , Q). Thus, the returned re-encryption key RK o,u,ind is composed of (w 1 , w 2 , w 3 ).

Challenge:
A chooses the identity of ID* as an object and prepares the plaintext m* = (m 1 *, m 2 *, . . . , m n *). Let (SK 0 , SK 1 ) be symmetric keys with an identical length. Then, B flips a bit bt and then creates a challenge ciphertext C* = (r 1 *, r 2 *, r 3 *) in relation to (ID*, m*, SK bt ) for A as follows: Step 1 Suppose that the h 1 (ID* k*) query has been made. As long as η* = 1, B directly aborts.
Step 3 Set the partial ciphertext r 2 * = g c .
Step 4 Determine the value v 1 of the record (ID*, k*, η*, v 1 , J 1 ) in the h 1 -list and calculate Consequently, the returned challenge ciphertext is C* = (r 1 *, r 2 *, r 3 *). Phase 2: Given the ciphertext C*, the adversary A goes on to invoke queries based on the previous limitations.
Guess: After invoking enough queries, A returns a bit bt . In case that bt = bt, B directly returns 1, meaning that F = e(g, g) abc . Otherwise, the value 0 is outputted instead.
Analysis: In these simulation processes, it can be observed that when F is equivalent to e(g, g) abc , the prepared challenge ciphertext C* is a legal one. According to the initial assumption, A would have the non-negligible advantage to break the proposed IB-PRE-FCAK scheme provided that the simulated ciphertext C* is valid. That is to say, we know that Adv(A) = | Pr[bt = bt] − 1/2 | ≥ ε. Yet, when F is not equivalent to e(g, g) abc , the advantage for A to output a correct bit bt is not superior, which implies that Pr[bt = bt] = 1/2. Therefore, the chance for B to solve the problem of DBDH could be written as | Pr[(g, g a , g b , g c , e(g, g) abc ) = 1] − Pr[(g, g a , g b , g c , F) = 1] | ≥ | (1/2 + ε) − 1/2 |·Pr[Good] = ε·Pr [Good] where Pr[Good] represents the probability event that B never aborts during the game interaction processes. ≤ (τ) qke (τ) qrk (1 − τ) = (τ) qke + qrk (1 − τ). = 1 e(q pk +q pr +1) To maximize the value of Pr[Good], we set τ to be 1 − 1 q ke +q rk +1 such that Pr[Good] = 1 e(q pk +q pr +1) becomes the greatest value, where e denotes the base of natural logarithm. As a result, we claim that the constructed algorithm B has a non-negligible advantage ε ≥ ε e(q pk +q pr +1) to break the DBDH problem.

Efficiency and Comparison
We made some efficiency comparisons with related protocols [19,23,25] in terms of several time-consuming computations. For convenience, the simulation environments are listed in Table 2 and the compared computation is also converted into approximate running time in Table 3. The detailed evaluation results are summarized in Table 4 and Figure 2.  Enc cost

Conclusions
Fog-based applications have received much attention in recent years due to their advantages in fast response time and more bandwidth savings. A fog-enabled proxy re-en-

Conclusions
Fog-based applications have received much attention in recent years due to their advantages in fast response time and more bandwidth savings. A fog-enabled proxy reencryption scheme allows a fog node to perform the ciphertext re-encryption process, so as to share cloud ciphertexts to desired data users. In this paper, we propose an identitybased proxy re-encryption scheme taking the advantage of fog computing. Specifically, the proposed scheme removes the necessity for a fully trusted system authority, as the private key of each user is not generated by the system authority solely. Therefore, it is unnecessary to establish a secure channel for distributing private keys in the proposed scheme. The access privilege of cloud ciphertexts can be determined independently by the data owner. As for security, we adopt the security notion of IND-PrID-CPA to formally prove that the proposed mechanism is able to withstand the adaptive adversary in random oracle models. In the performance analyses, we also demonstrate that our work is efficient in the processes of Setup, KeyExtract, Enc, and Dec, when compared with related protocols.