Identity-Based Broadcast Proxy Re-Encryption with Dynamic Functionality for Flexible Data Sharing in Cloud Environments

Abstract

Cloud computing has witnessed widespread adoption across numerous sectors, primarily due to its substantial storage capacity and powerful computational resources. In this context, secure data sharing in cloud environments is critically important. Identity-based broadcast proxy re-encryption (IB-BPRE) has emerged as a promising solution; however, existing IB-BPRE schemes lack dynamic functionality—specifically, the ability to support user revocation and addition without updating re-encryption keys. Consequently, data owners must frequently reset and distribute these keys in response to user membership changes, leading to increased system complexity and communication overhead. In this paper, we propose an identity-based broadcast proxy re-encryption scheme with dynamic functionality (IB-BPRE-DF) to address this challenge. The proposed scheme utilizes a symmetric design of re-encryption keys to enable dynamic user updates while preserving a constant re-encryption key size. Furthermore, IB-BPRE-DF is constructed under the $(f,g,F)$-GDDHE assumption and achieves semantic security in the random oracle model. Performance evaluations demonstrate that IB-BPRE-DF significantly reduces both the communication overhead (by maintaining a constant size for the re-encryption key and re-encrypted ciphertext) and the computational burden (with near-zero computational cost for generating the re-encryption key) for resource-constrained users. This work provides a practical and scalable cryptographic solution for secure and efficient data sharing in dynamic cloud environments.

1. Introduction

Cloud computing, with its powerful computational capabilities and massive storage capacity, has become widely adopted for large-scale data processing and efficient data management, particularly in personal information systems to enhance data sharing. However, data transmitted over public networks is vulnerable to eavesdropping, and stored data may be accessed by unauthorized users. Public key encryption protects data by converting it into ciphertext, preventing unauthorized access during transmission and storage. To support secure and efficient data sharing in the cloud, systems must also ensure flexibility and fine-grained access control. Proxy re-encryption (PRE) [1] offers a promising solution by enabling secure data sharing while supporting delegated access control. In addition to cloud data sharing [2,3], PRE has also been applied in areas such as email forwarding [4] and distributed file systems [5,6].

Green and Ateniese [7] first introduced identity-based proxy re-encryption (IB-PRE), combining proxy re-encryption with identity-based encryption [8] to simplify public key infrastructure and enable flexible access control. While IB-PRE supports secure data sharing, it is inefficient in cloud scenarios involving multiple receivers. Specifically, for n receivers, the sender must generate n re-encryption keys, and the proxy must produce n ciphertexts. To overcome this limitation, Xu et al. [9] proposed identity-based broadcast proxy re-encryption (IB-BPRE), which allows a single re-encryption key to support multiple receivers, thereby reducing overhead and improving efficiency.

Dynamic user revocation and addition are common in cloud-based data sharing, requiring timely updates to user access permissions. Although identity-based broadcast proxy re-encryption (IB-BPRE) reduces the computational and communication overhead associated with generating multiple re-encryption keys, it still requires re-encryption keys to be updated whenever user membership changes. This creates a burden for data owners, who must remain online to generate new keys, especially in scenarios with frequent updates. Moreover, existing IB-BPRE schemes lack key security guarantees—if a re-encryption key is leaked, any holder can perform re-encryption. To ensure confidentiality, each updated key must be securely transmitted, further increasing overhead. Thus, dynamic user updates still incur considerable computational and communication costs due to the need for frequent key updates.

To address the aforementioned challenges, we propose an identity-based broadcast proxy re-encryption scheme with dynamic functionality (IB-BPRE-DF) that enables flexible and secure data sharing in cloud environments. The proposed scheme introduces a novel re-encryption key generation mechanism, departing from traditional designs by deriving the re-encryption key from the delegator’s private value. This results in a symmetric key structure that maintains a constant key size, regardless of dynamic changes in user membership. This approach significantly reduces computational and communication overhead while supporting efficient and secure dynamic user updates.

Contributions

As previously discussed, user revocation and addition represent common requirements in cloud-based data sharing. Considering the limited resources of user devices, operations for achieving dynamic functionality must be lightweight. In data-sharing systems, user revocation and addition can be achieved without updating or re-encrypting keys, which is our primary design objective. Specifically, the contributions of this research can be summarized as follows:

• The proposed IB-BPRE-DF scheme ensures both flexibility and efficiency in cloud-based data sharing by maintaining a constant re-encryption key size, even under frequent user revocation and addition.
• The proposed IB-BPRE-DF scheme employs a symmetric key structure derived from the delegator’s private value to maintain a constant key size in dynamic settings, while a dual-agent mechanism improves fault tolerance and security.
• We provide a comprehensive security analysis of IB-BPRE-DF and conduct a detailed performance comparison with existing BPRE schemes. The results highlight the practical applicability and efficiency of the proposed scheme.

2. Related Work

2.1. Proxy Re-Encryption

Proxy re-encryption (PRE) was first introduced by Blaze et al [1]. To address the issue of costly certificate management in public key infrastructure (PKI) systems, Green and Ateniese [7] proposed the identity-based proxy re-encryption, which integrates the concept of identity-based encryption with PRE. Since its inception, extensive research [10,11,12,13] has been dedicated to constructing proxy re-encryption schemes with diverse properties to satisfy varying application requirements. However, traditional PRE schemes often encounter challenges in efficiently delegating authority to multiple receivers. Specifically, the number of re-encryption keys and re-encryption ciphertexts grows with the number of receivers.

2.2. Broadcast Proxy Re-Encryption

Broadcast encryption is a cryptographic primitive that allows a sender to encrypt a message for a subset S of authorized receivers over a broadcast channel, such that only receivers in the subset S can decrypt the broadcast using their respective private keys [14]. Building on this concept [15,16], Chu et al. [17] proposed conditional broadcast proxy re-encryption, enabling a sender to delegate decryption rights to a specific subset of users. In this scheme, the proxy cannot re-encrypt ciphertexts without the sender’s explicit authorization. Xu et al. [9] subsequently proposed a conditional identity-based broadcast proxy re-encryption scheme with constant-length re-encrypted ciphertexts, which is well suited for cloud email systems. Building on this, Sun et al. [18] designed a broadcast proxy re-encryption scheme tailored for cloud computing environments (e.g., cloud data sharing) and proved its security against chosen-ciphertext attacks. Existing broadcast proxy re-encryption schemes [9,18] enable the delegation of decryption rights to a subset of receivers at a specific time. However, these schemes impose substantial computational burdens on resource-constrained mobile devices. To address this limitation, Sumana et al. [19] proposed a privacy-preserving identity-based broadcast proxy re-encryption scheme aimed at reducing decryption overhead. More recently, Zhang et al. [20] introduced an IB-BPRE scheme tailored for flexible data sharing in VANETs. The work in [21] introduced identity-based threshold BPRE to incorporate multiple proxies, thereby effectively resisting single-point attacks. Subsequently, the studies in [22,23] proposed pairing-free BPRE for application in vehicular networks and cloud data-sharing environments, respectively, thereby enhancing data-sharing efficiency. Although the aforementioned BPRE schemes have achieved improvements in terms of efficiency and security, they exhibit limited flexibility. This limitation stems primarily from their design for static environments, without adequately addressing user revocation and addition in dynamic settings.

2.3. Revocable Proxy Re-Encryption

Ge et al. [24] proposed a revocable identity-based broadcast proxy re-encryption scheme for cloud-based data sharing, enabling the proxy to revoke a subset of receivers authorized by the delegator. However, the scheme imposes significant computational overhead on receivers, particularly those operating on resource-constrained mobile devices. Maiti et al. [25] proposed a coalitional game-based BPRE scheme that efficiently updates re-encryption keys for an optimal number of users in dynamic environments. Nevertheless, the recipient set needs to be predetermined prior to the generation of re-encryption keys. Recently, the study in [26] achieved efficient computation and communication among multiple sets of broadcast receivers by introducing a multi-channel BPRE scheme. However, to enable ciphertext transformation among different sets of broadcast receivers, it is necessary to configure multiple re-encryption keys, which introduces additional computational overhead. Subsequently, Chen et al. [27] designed a conditional identity-based broadcast proxy re-encryption scheme with anonymity and revocation, which is capable of simultaneously optimizing multiple performance metrics. Nevertheless, this scheme also encounters the challenge of re-encryption key updates. It is worth noting that existing BPRE and revocable (or dynamic) BPRE schemes demonstrate limitations when applied to data sharing in dynamic environments. The primary reason is that, with frequent user updates, the data owner must remain continuously online to update re-encryption keys in real time, thereby achieving dynamic functionality. This requirement substantially increases system overhead and diminishes the practical feasibility of the scheme in real-world scenarios.

This paper is organized as follows: Section 2 presents the related work. Section 3 offers a rigorous definition of bilinear maps and computational complexity, along with the formal definition and security model of the IB-BPRE-DF scheme. Section 4 elaborates on the concrete construction of the proposed IB-BPRE-DF scheme. Section 5 and Section 6 provide the security proof and performance analysis, respectively. Finally, Section 7 concludes this paper and outlines potential future research directions.

3. Preliminaries

We first give a strict definition of the bilinear map and then elaborate on the complexity assumption relied upon for the security proofs in detail.

3.1. Bilinear Map

For cyclic groups ${\mathbb{G}}_1,{\mathbb{G}}_2$, and ${\mathbb{G}}_T$ of the large prime order p, a bilinear pairing is a function $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_T$ that maps pairs of elements in (${\mathbb{G}}_1,{\mathbb{G}}_2$) to elements of the group ${\mathbb{G}}_T$. The map e must satisfy the following properties:

• Bilinear: For all $u\in {\mathbb{G}}_1,v\in {\mathbb{G}}_2$, and $a,b\in {\mathbb{Z}}_p$, it holds that $e\left(u^a,v^b\right)=e{(u,v)}^{ab}$.
• Non-degenerate: There exist $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$ such that $e\left(g_1,g_2\right)\ne 1$.
• Computable: The map e is efficiently computable and so are the group operations in ${\mathbb{G}}_1,{\mathbb{G}}_2$, and ${\mathbb{G}}_T$.

There are two forms of pairings used in the cryptography literature [28]. In the symmetric setting, it holds that ${\mathbb{G}}_1={\mathbb{G}}_2$, whereas in the asymmetric setting, ${\mathbb{G}}_1\ne {\mathbb{G}}_2$. The IB-BPRE-DF scheme adopts a symmetric bilinear pairing $\left({\mathbb{G}}_1={\mathbb{G}}_2=\mathbb{G}\right)$, fully exploiting the characteristics of its symmetric form. Bilinear pairings provide the mathematical foundation for designing the IB-BPRE-DF structure, enabling the implementation of complex access control and authorization mechanisms.

3.2. Complexity Assumption

The $(f,g,F)$-GDDHE) assumption [29] is explained as follows: Let $\mathcal{B}$ = ($p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,$ $e(·,·)$) be a bilinear map group system and let f and g be two coprime polynomials with pairwise distinct roots of respective orders t and n. Let $g_0$ be a generator of ${\mathbb{G}}_1$ and $h_0$ be a generator of ${\mathbb{G}}_2$. Solving the $(f,g,F)$-GDDHE problem, vector $\overrightarrow{y}$ is

$$\begin{array}{l}\hfill g_0,{g_0}^{\gamma },\dots ,g_0{\gamma }^{t-1},{g_0}^{\gamma ·f\left(\gamma \right)},{g_0}^{k\gamma ·f\left(\gamma \right)},\hfill \\ h_0,{h_0}^{\gamma },\dots ,{h_0}^{{\gamma }^{2n}},{h_0}^{k·\gamma ·f\left(\gamma \right)},\hfill \end{array}$$

and $T\in {\mathbb{G}}_T$; non-probabilistic polynomial-time adversary $\mathcal{A}$ can decide whether T is equal to $e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$ or to some random element of ${\mathbb{G}}_T$ with a non-negligible advantage. The $(f,g,F)$-GDDHE assumption underpins the scheme’s security by preventing attackers without legitimate keys from recovering plaintext or private keys from ciphertext or re-encryption keys, thus ensuring data confidentiality during proxy re-encryption.

3.3. Definition and Security Model

As illustrated in Figure 1, the IB-BPRE-DF scheme is applied to cloud-based data sharing involving three primary entities: data owners, data users, and proxies. The process proceeds as follows: the data owner first encrypts the data and outsources the ciphertext to the cloud server to preserve data confidentiality. To enforce access control, the data owner then generates the re-encryption key. The proxies use the re-encryption key and the original ciphertext to produce a re-encrypted ciphertext, which authorized users can decrypt to access the data. In dynamic settings, when user updates occur, the same re-encryption key allows the proxies to transfer the ciphertext into the re-encryption ciphertext for authorized updated users, eliminating the need for frequent key regeneration and thus supporting efficient dynamic access control. The definition of IB-BPRE-DF, along with its correctness and security, is elaborated upon below.

3.3.1. Definition of IB-BPRE-DF

Definition 1

(IB-BPRE-DF). An IB-BPRE-DF scheme comprises the following algorithms: the setup algorithm, the key extract algorithm, the encryption algorithm (abbreviated as Enc), the re-encryption key generation algorithm (abbreviated as RKeyGen), the re-encryption algorithm (abbreviated as Re-Enc), and the decryption algorithms (abbreviated as Dec₁ and Dec₂). These algorithms are formally defined as follows:

• Setup $\left(1^k,n\right)\to \left(msk,mpk\right)$. The trusted key generation center (KGC) executes the setup algorithm to establish the master secret key ($msk$) and the master public key ($mpk$). It takes as inputs a system security parameter $1^k$ and the maximum number n of broadcast receivers allowed in a single re-encryption process and outputs a key pair $(mpk,msk)$.
• Extract $\left(mpk,msk,id\right)\to \left(s{k}_{id}\right)$. The KGC executes the extract algorithm to generate the secret key $s{k}_{id}$ for the user $id$. It takes as inputs the master public key $mpk$, the master secret key $msk$, and the identity $id$ and outputs the corresponding secret key $s{k}_{id}$.
• Enc $\left(mpk,id,m\right)\to \left(c_0,s{v}_{id}\right)$. The delegator $id$ executes the Enc algorithm to generate the ciphertext $c_0$ for the message m. It takes as the input the master public key $mpk$, an identity $id$, and the message m and outputs the ciphertext c along with the secret value $s{v}_{id}$ (note that the secret value $s{v}_{id}$ is selected and stored by the delegator during the initial execution of the encryption algorithm).
• RKeyGen $\left(mpk,s{v}_{id}\right)\to \left(rk\right)$. The delegator $id$ performs the RKeyGen algorithm to generate the re-encryption key $rk$. It takes as inputs the master public key $mpk$ and the secret value $s{v}_{id}$ of the delegator $id$ and outputs the re-encryption key $rk$.
• ReEnc $(mpk,rk,c_0,S_j)\to \left(c_j\right)$. Proxies execute the ReEnc algorithm to transform the ciphertext $c_0$ under the delegator into the ciphertext $c_{\ell }$, associated with the set $S_{\ell }$ of broadcast receivers, for $1\le j\le \ell$, where ℓ denotes the number of dynamic user updates. The algorithm takes as inputs the master public key $mpk$, the re-encryption key $rk$, and the ciphertext $c_0$ corresponding to the delegator and outputs the ciphertext $c_{\ell }$ corresponding to the receiver set $S_{\ell }$.
• Dec₁$\left(mpk,s{k}_{id},c_0\right)\to \left(m/\perp \right)$. The delegator $id$ executes the Dec₁ algorithm to decrypt the ciphertext $c_0$. Upon input of the master public key $mpk$, the delegator’s secret key $s{k}_{id}$, and a ciphertext $c_0$, if the ciphertext is valid, the algorithm returns the message m; otherwise, it outputs an error symbol ⊥.
• Dec₂$\left(mpk,c_j,s{k}_{id},S_j\right)\to \left(m/\perp \right)$. The receiver $id$ in the receiver set $S_j$, where $1\le j\le \ell$, executes the Dec₂ algorithm to decrypt the ciphertext $c_j$. It takes as inputs the master public key $mpk$, the ciphertext $c_j$ associated with the receiver set $S_j$, and the private key $s{k}_{id}$ of the receiver $id$ in the receiver set $S_j$. If the re-encryption ciphertext is valid, the algorithm returns the message m; otherwise, it outputs an error symbol ⊥.

Correctness. We say that the IB-BPRE-DF scheme is correct if it satisfies the following two equations:

• ${\mathrm{Dec}}_1$$\left(mpk,s{k}_{id},Enc(mpk,m,id)\right)=m$, where $id\notin S_j$, $1\le j\le \ell$.
• ${\mathrm{Dec}}_2$$\left(mpk,c_j,S_j,s{k}_{id},ReEnc(mpk,rk,c_0,S_j)\right)=m$, where $id\in S_j$, $1\le j\le \ell$.

3.3.2. Security Model

We formally define the indistinguishability under the chosen-plaintext attack (CPA) security of the IB-BPRE-DF system against a probabilistic polynomial-time adversary $\mathcal{A}$. This security notion is captured through a game played between the adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. In this game, $\mathcal{C}$ simulates the execution environment for the IB-BPRE-DF scheme and provides responses to queries issued by $\mathcal{A}$:

• Init. The adversary $\mathcal{A}$ selects a challenge identity set $S_j^{*}=\{i{d}_{j_1}^{*},i{d}_{j_2}^{*},\dots ,i{d}_{j_s}^{*}\}$, with $1\le j\le \ell$; $s\le n$.
• Setup. The challenger $\mathcal{C}$ generates the system public parameters $pp$ and subsequently provides it to the adversary $\mathcal{A}$.
• Query phase 1. At this stage, the adversary’s capabilities are formally defined, including the allowable queries for key extraction and re-encryption key generation. The adversary $\mathcal{A}$ makes the following queries:
  For an extraction query ${\mathcal{O}}_{sk}\left(i{d}_{j_i}\right)$, subject to the constraint that $i{d}_{j_i}\notin S_j^{*}$, the challenger $\mathcal{C}$ executes the extract algorithm to generate the secret key $s{k}_{i{d}_{j_i}}$. Subsequently, $\mathcal{C}$ provides the secret key $s{k}_{i{d}_{j_i}}$ to the adversary $\mathcal{A}$.
  For a re-encryption key query ${\mathcal{O}}_{rkg}\left(i{d}_{j_i}\right)$, upon receiving an identity $i{d}_{j_i}$, the challenger $\mathcal{C}$ executes the re-encryption key generation algorithm to generate the re-encryption key $rk$. Subsequently, $\mathcal{C}$ provides the re-encryption key $rk$ to the adversary $\mathcal{A}$.
• Challenge. The adversary $\mathcal{A}$ outputs two messages $m_0,m_1\in \mathcal{M}$. Subsequently, the challenger $\mathcal{C}$ selects a random bit $a\in \{0,1\}$ and encrypts the message $m_a$ under the challenge set $S_j^{*}$. The resulting re-encryption ciphertext $c_j^{*}$ is then provided to the adversary $\mathcal{A}$. During the challenge phase of the IND-CPA game, the challenger generates a ciphertext that is computationally indistinguishable from a real ciphertext, ensuring the adversary $\mathcal{A}$ cannot distinguish between the two with a non-negligible advantage.
• Query phase 2. $\mathcal{A}$ continues making queries as in query phase 1. Note that $\mathcal{A}$ cannot make query ${\mathcal{O}}_{sk}\left(i{d}_{j_i}\right)$ for $i{d}_{j_i}\in S_j^{*}$. In query phase 2, the adversary is explicitly allowed to continue making queries even after receiving the challenge ciphertext.
• Guess. The adversary $\mathcal{A}$ outputs a guess $a^{\prime }\in \{0,1\}$ and succeeds in the game if $a^{\prime }=a$. Let $Ad{v}_{IB-BPRE-DF}^{\mathcal{A}}\left(\lambda \right)$ denote the advantage of an adversary $\mathcal{A}$ in winning the game, defined as follows:

  $$Ad{v}_{IB-BPRE-DF}^{\mathcal{A}}\left(\lambda \right)=Pr|[a^{\prime }=a]-1/2|.$$

Definition 2.

The IB-BPRE-DF scheme is said to be semantically secure under the IND-CPA notion if the advantage $Ad{v}_{IB-BPRE-DF}^{\mathcal{A}}\left(\lambda \right)$ is negligible.

4. Proposed IB-BPRE-DF

In this section, we formally define the concrete construction of the proposed IB-BPRE-DF scheme and provide a rigorous correctness analysis. The overall architecture and the high-level interactions among the participating entities are depicted in Figure 2. In the IB-BPRE-DF scheme, the key generation, encryption, and decryption algorithm are largely consistent with those of existing BPRE schemes. The novelty of IB-BPRE-DF lies in the use of two cooperating proxies for re-encryption and a distinctive re-encryption key management approach. Specifically, the delegator generates a re-encryption key and splits it into two components, $r{k}_1$ and $r{k}_2$, which are distributed to proxy 1 and proxy 2, respectively. Proxy 1 uses $r{k}_1$ to compute a partial re-encryption ciphertext $c_{j,1}$, which is then forwarded to proxy 2. Upon receiving $c_{j,1}$, proxy 2 combines it with $r{k}_2$ to compute the re-encryption ciphertext $c_j$, which can be correctly decrypted by authorized users to recover the plaintext m.

4.1. Our Techniques

In contrast to existing IB-BPRE schemes [18,19,20,24], which necessitate re-encryption key updates for user revocation or addition, the dynamic mechanism introduced in this paper enables seamless user updates without altering the re-encryption key. In this section, we provide a concise overview of our primary implementation techniques. Consider the re-encryption ciphertext $c_1$, corresponding to a broadcast receiver set $S_1=\{i{d}_1,i{d}_2,i{d}_3\}$, which includes the term $h^{(k_0+k_1+r^{*}+t^{*})·(\gamma +H\left(i{d}_1\right))·(\gamma +H\left(i{d}_2\right))·(\gamma +H\left(i{d}_3\right))}$. Similarly, the re-encryption ciphertext $c_2$, associated with an updated receiver set $S_2=\{i{d}_1^{\prime },i{d}_2^{\prime },i{d}_3^{\prime }\}$, includes the term $h^{(k_0+k_2+r^{*}+t^{*})·(\gamma +H\left(i{d}_1^{\prime }\right))·(\gamma +H\left(i{d}_2^{\prime }\right))·(\gamma +H\left(i{d}_3^{\prime }\right))}$. In this context, the proxies ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$ assist in generating these components by leveraging their respective partial re-encryption keys $t_1$ and $t_2$, such that the re-encryption key is defined as $rk=t_1+t_2$. This construction ensures that ciphertexts corresponding to different receiver sets can be generated in a consistent format using the same re-encryption key while preserving data privacy—since neither proxy gains access to sensitive information.

4.2. Construction

We formally present the construction of IB-BPRE-DF with constant-size re-encryption keys, which comprises the following algorithms:

• Setup algorithm. The key generation center, acting as the trusted party, generates the master secret key and public key pair $(msk,mpk)$ by executing the setup algorithm.
  Setup $\left(1^{\lambda },n\right)\to \left(msk,mpk\right)$. It takes as inputs the system’s security parameter $1^{\lambda }$ and the maximum number n of receivers in a single re-encryption and outputs a pair of master keys $(msk,mpk)$. Given a bilinear map parameter $\mathcal{B}=(q,\mathbb{G},{\mathbb{G}}_T,e(·,·))$ and a cryptographically secure function $\mathcal{H}:{\{0,1\}}^{*}\to {\mathbb{Z}}_q^{*}$ modeled as a random oracle for security analysis, it randomly selects two generators $g\in \mathbb{G}$ and $h\in \mathbb{G}$, as well as a secret value $\gamma \in {\mathbb{Z}}_q^{*}$. The master secret key is defined as $msk=(g,\gamma )$, and the master public key is defined as $mpk=(\mathcal{B},\mathcal{H},w,v,h,h^{\gamma },\dots ,h^{{\gamma }^n})$, where $w=g^{\gamma }$ and $v=e(g,h)$.
• Extract algorithm. The KGC generates the secret key for the user $id$ by executing the extract algorithm.
  Extract $\left(msk,id\right)\to \left(s{k}_{id}\right)$. It takes as inputs the master secret key $msk$ and the identity $id$ and outputs the corresponding secret key:

  $$s{k}_{id}=g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(id\right)}}}.$$
• Encryption algorithm. The delegator $id$ encrypts the message m by executing the encryption algorithm.
  Enc $\left(mpk,m,id\right)\to \left(c,s{v}_{id}\right)$. The delegator $id$ randomly selects $k_0$, $r^{*}$, and $t^{*}$ from ${\mathbb{Z}}_q^{*}$, sets the secret value $s{v}_{id}=(r^{*},t^{*})$, and computes the ciphertext $c_0=\{c_0^1,c_0^2,c_0^3,c_0^4\}$ and $pv=v^{r^{*}}$ as the public parameter, where

  $$c_0^1=k_0+r^{*},c_0^2=w^{-\left(k_0+r^{*}+t^{*}\right)},c_0^3=m·v^{k_0+t^{*}},\mathrm{and}{c}_0^4=h^{\left(k_0+r^{*}+t^{*}\right)·\left(\left(\gamma +\mathcal{H}\left(id\right)\right)·\left(\gamma +\mathcal{H}\left(id\right)\right)\right)}.$$
  Note that ciphertext $c_0$ mainly consists of four parts $c_0^1,c_0^2,c_0^3,$ and $c_0^4$, each of which is calculated by the client.
• Re-encryption key algorithm. The delegator $id$ performs the re-encryption key algorithm to set the re-encryption key.
  RKeyGen $\left(s{v}_{id},id\right)\to \left(rk\right)$. Given the secret value $s{v}_{id}$ of the delegator $id$, it partitions $t^{*}$ into $t_1^{*}$ and $t_2^{*}$ such that $t^{*}=t_1^{*}+t_2^{*}$, and sets the re-encryption key $rk=(r{k}_1,r{k}_2)$, where $r{k}_1=t_1^{*}$ and $r{k}_2=t_2^{*}$. Finally, the delegator transmits $r{k}_1$ and $r{k}_2$ to proxies ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$, respectively, via the secure channel.
• Re-encryption algorithm. The proxies ${\mathcal{P}}_1$ and ${\mathcal{P}}_2$ generate the re-encryption ciphertext via executing the re-encryption algorithm.
  ReEnc $(mpk,rk,c_0,S_j)\to \left(c_j\right)$. Assume for notational simplicity that $S_j=\left\{i{d}_{j_1},\cdots ,i{d}_{j_s}\right\}$, where $1\le j\le \ell$ and $s\le n$. The proxy ${\mathcal{P}}_1$ randomly selects $k_{j,1}\in {\mathbb{Z}}_q^{*}$ and computes partial re-encryption ciphertext $c_{j,1}=(c_{j,1}^1,c_{j,1}^2,c_{j,1}^3)$, where

  $$c_{j,1}^1=c_0^2·w^{-k_{j,1}},c_{j,1}^2=c_0^3·v^{k_{j,1}},\mathrm{and}{c}_{j,1}^3=\left(c_0^1+t_1^{*}+k_{j,1}\right),$$

  and sends it to the proxy ${\mathcal{P}}_2$. After receiving partial re-encryption ciphertext $c_{j,1}$, the proxy ${\mathcal{P}}_2$ randomly chooses $k_{j,2}\in {\mathbb{Z}}_q^{*}$ and computes the re-encryption ciphertext $c_j=(c_j^1,c_j^2,c_j^3)$, where

  $$c_j^1=c_{j,1}^1·w^{-k_{j,2}},c_j^2=c_{j,1}^2·v^{k_{j,2}},\mathrm{and}{c}_j^3=h^{\left(c_{j,2}^3+t_2^{*}+k_{j,2}\right)·{\prod }_{i=1}^s\left(\gamma +\mathcal{H}\left(i{d}_{j_i}\right)\right)}.$$
  We have $c_j^1=w^{-\left(k_0+k_j+r^{*}+t^{*}\right)},c_j^2=m·v^{k_0+k_j+t^{*}},$ and $c_j^3=h^{\left(k_0+k_j+r^{*}+t^{*}\right)·{\prod }_{i=1}^s\left(\gamma +\mathcal{H}\left(i{d}_{j_i}\right)\right)}$, where $k_j=k_{j,1}+k_{j,2}$.
• Decryption algorithm. The users (i.e., the delegator and receivers) perform the decryption algorithm to recover the plaintext m.
  Dec₁$\left(mpk,pv,s{k}_{id},c_0\right)\to \left(m/\perp \right)$. For a ciphertext $c_0$, the delegator $id$ with the corresponding private key $s{k}_{id}=g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(id\right)}}}$ computes

  $$K={\left(e\left(c_0^2,h\right)·e\left(s{k}_{id},c_0^4\right)\right)}^{{\displaystyle \frac{1}{\mathcal{H}\left(id\right)}}},$$

  then computes $v^{k_0+t^{*}}={\displaystyle \frac{K}{pv}}$ and $m={\displaystyle \frac{c_0^3}{v^{k_0+t^{*}}}}$.
  Dec₂$\left(mpk,pv,s{k}_{i{d}_{j_i}},c_j\right)\to \left(m/\perp \right)$. For the re-encryption ciphertext $c_j$, the receiver with identity $i{d}_{j_i}$ in $S_j$ and the corresponding private key $s{k}_{i{d}_{j_i}}=g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(i{d}_{j_i}\right)}}}$ computes

  $$K={\left(e\left(c_j^1,h^{p_{i{d}_{j_i},\mathcal{S}}\left(\gamma \right)}\right)·e\left(s{k}_{i{d}_{j_i}},c_j^3\right)\right)}^{{\displaystyle \frac{1}{{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)}}},$$

  with

  $$p_{i{d}_{j_i},\mathcal{S}}\left(\gamma \right)={\displaystyle \frac{1}{\gamma }}·\left({\prod }_{k=1,k\ne i}^s\left(\gamma +\mathcal{H}\left(i{d}_{j_k}\right)\right)-{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)\right),$$

  then computes $v^{k_0+k_j+t^{*}}={\displaystyle \frac{K}{pv}}$ and $m={\displaystyle \frac{c_j^2}{v^{k_0+k_j+t^{*}}}}$.

In the dynamic setting, the IB-PRE-DF scheme employs a symmetric form of re-encryption keys. Specifically, if data owner Alice intends to share data with the broadcast receiver set $S_1$ and the updated set $S_2$, she can generate the re-encryption key $r{k}_{A\to S_1}$ for $S_1$ and the re-encryption key $r{k}_{A\to S_2}$ for $S_2$, where $r{k}_{A\to S_1}=r{k}_{A\to S_2}$. This symmetric form of re-encryption keys effectively minimizes the computational overhead associated with re-encryption key generation in dynamic settings.

4.3. Correctness

(1)

For the ciphertext $c_0$, the delegator $id$ computes

$$\begin{array}{ll}\hfill & \begin{array}{cc}K\hfill & ={\left(e\left(c_0^2,h\right)·e\left(s{k}_{id},c_0^4\right)\right)}^{{\displaystyle \frac{1}{\mathcal{H}\left(id\right)}}}\hfill \\ \hfill & ={\left(e\left(g^{-\left(k_0+r^{*}+t^{*}\right)·\gamma },h\right)·e\left(g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(id\right)}}},h^{\left(k_0+r^{*}+t^{*}\right)·\left(\left(\gamma +\mathcal{H}\left(id\right)\right)·\left(\gamma +\mathcal{H}\left(id\right)\right)\right)}\right)\right)}^{{\displaystyle \frac{1}{\mathcal{H}\left(id\right)}}}\hfill \\ \hfill & ={\left(e{(g,h)}^{-\left(k_0+r^{*}+t^{*}\right)·\gamma }·e{(g,h)}^{\left(k_0+r^{*}+t^{*}\right)·\left(\gamma +\mathcal{H}\left(id\right)\right)}\right)}^{{\displaystyle \frac{1}{\mathcal{H}\left(id\right)}}}\hfill \\ \hfill & ={\left(e{(g,h)}^{\left(k_0+r^{*}+t^{*}\right)\mathcal{H}\left(id\right)}\right)}^{{\displaystyle \frac{1}{\mathcal{H}\left(id\right)}}}\hfill \\ \hfill & =e{(g,h)}^{\left(k_0+r^{*}+t^{*}\right)}\hfill \end{array}\hfill \end{array}$$

(1)

In the decryption algorithm, the entire decryption process is systematically divided into three steps. For Equation (1), the parameter K is obtained by combining the secret key $s{k}_{i{d}_{j_i}}$, the ciphertexts $c_0^1$ and $c_0^3$, and the public parameter h and then computing

$$\begin{array}{cc}\hfill & \hfill \begin{array}{c}\hfill v^{k_0+t^{*}}={\displaystyle \frac{K}{pv}}={\displaystyle \frac{e{(g,h)}^{\left(k_0+r^{*}+t^{*}\right)}}{e{(g,h)}^{r^{*}}}}.\end{array}\hfill \end{array}$$

(2)

For Equation (2), based on the intermediate parameter K and the public parameter $pv$, further operations are performed to calculate $v^{k_0+t^{*}}$. We have

$$\begin{array}{cc}\hfill & \hfill \begin{array}{c}\hfill m={\displaystyle \frac{c_0^3}{v^{k_0+t^{*}}}}={\displaystyle \frac{m·e{(g,h)}^{\left(k_0+t^{*}\right)}}{e{(g,h)}^{\left(k_0+t^{*}\right)}}}=m.\end{array}\hfill \end{array}$$

(3)

For Equation (3), the data m is finally recovered by using the ciphertext $c_j^2$ and the parameter $v^{k_0+t^{*}}$ obtained by Equation (2).

(2)

For the re-encryption ciphertext $c_j$, the receiver with identity $i{d}_{j_i}$ in $S_j$ computes

$$\begin{array}{ll}\hfill & \begin{array}{cc}K\hfill & ={\left(e\left(c_j^1,h^{p_{i{d}_{j_i},\mathcal{S}}\left(\gamma \right)}\right)·e\left(s{k}_{i{d}_{j_i}},c_j^3\right)\right)}^{{\displaystyle \frac{1}{{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)}}}\hfill \\ \hfill & ={\left(e\left(g^{-\left(k_0+k_j+r^{*}+t^{*}\right)·\gamma },h^{p_{i{d}_{j_i},\mathcal{S}}\left(\gamma \right)}\right)·e\left(g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(i{d}_{j_i}\right)}}},h^{\left(k_0+k_j+r^{*}+t^{*}\right)·{\prod }_{k=1}^s\left(\gamma +\mathcal{H}\left(i{d}_{j_k}\right)\right)}\right)\right)}^{{\displaystyle \frac{1}{{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)}}}\hfill \\ \hfill & ={\left(e{(g,h)}^{\left(k_0+k_j+r^{*}+t^{*}\right)·{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)}\right)}^{{\displaystyle \frac{1}{{\prod }_{k=1,k\ne i}^s\mathcal{H}\left(i{d}_{j_k}\right)}}}\hfill \\ \hfill & =e{(g,h)}^{\left(k_0+k_j+r^{*}+t^{*}\right)}\hfill \end{array}\hfill \end{array}$$

(4)

In the decryption algorithm of re-encryption ciphertext $c_j$, the entire decryption process is divided into three steps. For Equation (4), the parameter K is obtained by combining the secret key $s{k}_{i{d}_{j_k}}$, the ciphertexts $c_j^1$ and $c_j^3$, and the public parameter $h^{p_{i{d}_{j_i},\mathcal{S}}\left(\gamma \right)}$ and then computing

$$\begin{array}{cc}\hfill & \hfill \begin{array}{c}\hfill v^{k_0+k_j+t^{*}}={\displaystyle \frac{K}{pv}}={\displaystyle \frac{e{(g,h)}^{\left(k_0+k_j+r^{*}+t^{*}\right)}}{e{(g,h)}^{r^{*}}}}.\end{array}\hfill \end{array}$$

(5)

For Equation (5), based on the intermediate parameter K and the public parameter $pv$, further operations are performed to calculate $v^{k_0+k_j+t^{*}}$. We have

$$\begin{array}{cc}\hfill & \hfill \begin{array}{c}\hfill m={\displaystyle \frac{c_j^2}{v^{k_0+k_j+t^{*}}}}={\displaystyle \frac{m·e{(g,h)}^{\left(k_0+k_j+t^{*}\right)}}{e{(g,h)}^{\left(k_0+k_j+t^{*}\right)}}}=m.\end{array}\hfill \end{array}$$

(6)

For Equation (6), the data m is finally recovered by using the ciphertext $c_j^2$ and the parameter $v^{k_0+k_j+t^{*}}$ obtained by Equation (5).

From the above verification procedure, we conclude that the IB-BPRE-DF scheme satisfies the correctness property, as all operations produce the expected outputs under the defined system parameters and algorithms.

5. Security Proof

In this section, we formally prove that the IB-BPRE-DF scheme achieves CPA security. The detailed security analysis and proof are provided below to rigorously demonstrate the security of the IB-BPRE-DF scheme.

Theorem 1.

The IB-BPRE-DF scheme proposed in Section 4 is provably secure against chosen-plaintext attacks. Specifically, it achieves CPA security for re-encryption ciphertexts under the decisional $(f,g,F)$-GDDHE assumption, within the random oracle model.

Proof of Theorem 1. 

Suppose there exists a probabilistic polynomial-time adversary $\mathcal{A}$ that can attack the IB-BPRE-DF scheme described in Section 3 with a non-negligible advantage $ϵ$. We build a $\mathcal{PPT}$ adversary $\mathcal{B}$ that uses $\mathcal{A}$ as a subroutine to solve the $\left(f,g,F\right)$-GDDHE assumption in $\mathbb{G}$ with advantage ${ϵ}^{\prime }$. Let n be the maximum number of receivers included in a single re-encryption operation, and let t be the total number of queries made by $\mathcal{A}$, including key extraction, hash, and re-encryption key queries. Algorithm $\mathcal{B}$ is provided with a bilinear group system $B=\left(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e(·,·)\right)$ and a decisional $(f,g,F)$-GDDHE challenge instance $\overrightarrow{y}$ defined as follows:

$$\begin{array}{ccc}\hfill g_0,{g_0}^{\gamma },\dots ,{g_0}^{{\gamma }^{t-1}},\hfill & \hfill {g_0}^{\gamma ·f\left(\gamma \right)},\hfill & \hfill g_0^{k·\gamma ·f\left(\gamma \right)},\hfill \\ \hfill h_0,{h_0}^{\gamma },\dots ,{h_0}^{{\gamma }^{2n}},\hfill & \hfill {h_0}^{k·g\left(\gamma \right)},\hfill \end{array}$$

as well as $T\in {\mathbb{G}}_T$, which is either equal to $e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$ or to a random element of ${\mathbb{G}}_T$. We first define some notations as follows:

-

$f\left(X\right)={\prod }_{i=1}^t\left(X+x_{j_i}\right),g\left(X\right)={\prod }_{i=t+1}^{t+n}\left(X+x_{j_i}\right),$ for $j\in [1,\ell ]$.

-

$f_{j_i}\left(x\right)={\displaystyle \frac{f\left(x\right)}{x+x_{j_i}}}$ for $i\in [1,t]$ and $j\in [1,\ell ]$, which is a polynomial of degree $t-1$.

-

$g_{j_i}\left(x\right)={\displaystyle \frac{g\left(x\right)}{x+x_{j_i}}}$ for $i\in [t+1,t+n]$ and $j\in [1,\ell ]$, which is a polynomial of degree $n-1$.

These notations $f\left(X\right)$, $f_{j_i}\left(x\right)$, and $g_{j_i}\left(x\right)$ are mainly used to construct simulation schemes, thereby making the simulation schemes indistinguishable from the real ones in terms of functionality and performance.

The above process first assumes that adversary $\mathcal{A}$ has certain capabilities (i.e., it can break the proposed scheme IB-BPRE-DF with a non-negligible advantage $ϵ$). Based on this, adversary $\mathcal{B}$ takes a decisional $(f,g,F)$-GDDHE challenge instance $\overrightarrow{y}$ as the input to simulate the scheme and interact with $\mathcal{A}$. If $\mathcal{A}$ succeeds, $\mathcal{B}$ can solve the $(f,g,F)$-GDDHE problem, thereby establishing the security of IB-BPRE-DF under this assumption.

• Init. The adversary $\mathcal{A}$ outputs a set ${\mathcal{S}}_j^{*}=\left\{i{d}_{j_1}^{*},\dots ,i{d}_{j_s}^{*},\right\}$ of identities that they intend to attack, where $s\le n$.
• Setup. To generate the system parameters $pp$, $\mathcal{B}$ formally sets $g={g_0}^{f\left(\gamma \right)}$ (i.e., without computing it) and randomly selects $r^{*}\in \mathbb{Z}$ and then sets

  $$\begin{array}{c}h=h_0^{{\prod }_{i=t+s+1}^{t+n}\left(\gamma +x_{j_i}\right)},w={g_0}^{\gamma ·f\left(\gamma \right)}=g^{\gamma },\hfill \\ v=e{\left(g_0,h_0\right)}^{f\left(\gamma \right)·{\prod }_{i=t+s+1}^{t+n}\left(\gamma +x_{j_i}\right)}=e(g,h),pv=v^{r^{*}}.\hfill \end{array}$$
  $\mathcal{B}$ defines the system parameters as $pp=(w,v,pv,h,h^{\gamma },\dots ,h^{{\gamma }^n})$. Subsequently, $\mathcal{B}$ sends $pp$ and $B=\left(p,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_T,e(·,·)\right)$ to $\mathcal{A}$, where $\mathcal{H}$ is a random oracle controlled by $\mathcal{B}$ and is described below.
• Hash queries. At any point during the game, the adversary $\mathcal{A}$ may issue a hash query to the random oracle on an identity $i{d}_{j_i}$, up to a total of $t-q_e-q_r$ times, where $q_e$ and $q_r$ denote the number of key extraction and re-encryption key queries, respectively. To respond to these queries, $\mathcal{B}$ maintains a list ${\mathcal{L}}_{\mathcal{H}}$ of tuples of the form $(i{d}_{j_i},x_{j_i},s{k}_{i{d}_{j_i}})$. Initially, this list includes

  $${\left\{\left(\ast ,x_{j_i},\ast \right)\right\}}_{i=1}^t \mathrm{and} {\left\{\left(i{d}_{j_i},x_{j_i},\ast \right)\right\}}_{i=t+1}^{t+s},$$

• where “∗” denotes an empty entry. Upon receiving a hash query for an identity $i{d}_{j_i}$, the challenger proceeds as follows:

  1.

  If $i{d}_{j_i}$ already exists in the list ${\mathcal{L}}_{\mathcal{H}},\mathcal{B}$ sets the corresponding value $x_{j_i}$.

  2.

  Otherwise, $\mathcal{B}$ sets $\mathcal{H}\left(i{d}_{j_i}\right)=x_{j_i}$, appends $(i{d}_{j_i},x_{j_i},\ast )$ to ${\mathcal{L}}_{\mathcal{H}}$, and returns $x_{j_i}$ to the adversary.

• Query phase 1.
  Extraction query $\left(i{d}_{j_i}\right)$. Upon receiving an extraction query for an identity $i{d}_{j_i}\notin S_j^{*}$, the challenger $\mathcal{B}$ proceeds as follows:

• -

  If an extraction query for $i{d}_{j_i}$ has already been made, $\mathcal{B}$ returns the corresponding private key ${\mathrm{sk}}_{i{d}_{j_i}}$ from the list ${\mathcal{L}}_{\mathcal{H}}$.

  -

  If a hash query has been previously issued for $i{d}_{j_i}$, $\mathcal{B}$ retrieves the corresponding $x_{j_i}$ and computes the private key as

  $${\mathrm{sk}}_{i{d}_{j_i}}={g_0}^{f_{j_i}\left(\gamma \right)}=g^{{\displaystyle \frac{1}{\gamma +\mathcal{H}\left(i{d}_{j_i}\right)}}}.$$

  We use a random oracle $\mathcal{H}$ to simulate the generation of private keys, ensuring that no real key is leaked.

  Re-encryption key generation query $\left(i{d}_{j_i}\right)$. When $\mathcal{A}$ issues a re-encryption key generation query, $\mathcal{B}$ performs the RKeyGen algorithm to set the re-encryption key $rk=t^{*}$, where the value $t^{*}$ is uniformly sampled from ${\mathbb{Z}}_q^{*}$.

• Challenge. When $\mathcal{A}$ decides that phase 1 is over, algorithm $\mathcal{B}$ computes the encrypt algorithm to obtain $c^{*}=Encrypt\left({\mathcal{S}}_j^{*},pp\right)$, as shown below:

  $$c_j^1=g_0^{-\left(k\right)·\gamma ·f\left(\gamma \right)},c_j^3=h_0^{k·q\left(\gamma \right)},$$

  $$c_j^2=m_b·{\left(e{(g_0,h_0)}^{f\left(\gamma \right)·{\prod }_{i=t+s^{*}+1}^{t+n}(\gamma +x_{j_i})}\right)}^k·{\left(e{(g_0,h_0)}^{f\left(\gamma \right)·{\prod }_{i=t+s^{*}+1}^{t+n}(\gamma +x_{j_i})}\right)}^{-r^{*}},$$

  with $q\left(\gamma \right)={\displaystyle \frac{1}{\gamma }}·\left({\prod }_{i=t+s+1}^{t+n}\left(\gamma +x_{j_i}\right)-{\prod }_{i=t+s+1}^{t+n}{x}_{j_i}\right)$. One can verify that

  $$c_j^1=w^{-k},c_j^3={h_0}^{k·{\prod }_{i=t+s+1}^{t+n}\left(\gamma +x_{j_i}\right)·{\prod }_{i=t+1}^{t+s}\left(\gamma +x_{j_i}\right)}=h^{k·{\prod }_{i=t+1}^{t+s}\left(\gamma +\mathcal{H}\left(i{d}_{j_i}^{*}\right)\right)},$$
  $c_j^2=m_b·{\left(e{(g_0,h_0)}^{f\left(\gamma \right)·{\prod }_{i=t+s+1}^{t+n}(\gamma +x_{j_i})}\right)}^k·{\left(e{(g_0,h_0)}^{f\left(\gamma \right)·{\prod }_{i=t+s+1}^{t+n}(\gamma +x_{j_i})}\right)}^{-r^{*}}=m_b·v^{k-r^{*}}.$
  We observe that $c^{*}=(c_j^2,c_j^3,c_j^4)$ is a valid challenge ciphertext when $T=$$e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$. When T is a random value in ${\mathbb{G}}_T$, the challenge ciphertext $c^{*}$ appears independent of b from the adversary’s view. The challenge ciphertext $c^{*}$ constructed by adversary $\mathcal{B}$ either conforms to the ciphertext structure of the proposed scheme or is generated at random, making it indistinguishable from adversary $\mathcal{A}$ under the given security assumptions.
• Query phase 2. $\mathcal{A}$ continues to make queries as in query phase 1 while strictly adhering to the constraints imposed by the indistinguishable game.
• Guess. In the guessing phase, the adversary $\mathcal{A}$’s success probability in distinguishing the challenge ciphertext $c^{*}$ is used to derive a non-negligible advantage in solving the underlying hard problem (the decisional $(f,g,F)$-GDDHE), thereby reinforcing the security reduction. $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$. If $b^{\prime }=b,\mathcal{B}$ outputs 1, this indicates that $T=e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$; otherwise $\mathcal{B}$ outputs 0, indicating that T is a random element in $G_T$. This concludes the simulation. We now analyze the probability that the adversary $\mathcal{B}$ solves the decisional $(f,g,F)$-GDDHE assumption. If $T\ne e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$, the view of $\mathcal{A}$ is independent of the bit b, implying that $Pr\left[\mathcal{B}(\overrightarrow{y},T)=1\mid T\ne e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}\right]={\displaystyle \frac{1}{2}}$. Conversely, if $T=e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}$, the adversary ${\mathcal{B}}^{\prime }$s output is dependent on ${\mathcal{A}}^{\prime }$s behavior, yielding $Pr\left[\mathcal{B}(\overrightarrow{y},T)=1\mid T=e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}\right]={\displaystyle \frac{1}{2}}+ϵ$. Consequently, the advantage ${ϵ}^{\prime }$ of ${\mathcal{B}}^{\prime }$ in solving the decisional $(f,g,F)$-GDDHE assumption is ${ϵ}^{\prime }=\mid Pr[\mathcal{B}(\overrightarrow{y},T)=1\mid T=$$\left.e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}\right]-Pr\left[\mathcal{B}(\overrightarrow{y},T)=1\mid T\ne e{\left(g_0,h_0\right)}^{k·f\left(\gamma \right)}\right]|=|{\displaystyle \frac{1}{2}}+$$\left.ϵ-{\displaystyle \frac{1}{2}}\right|=ϵ$. This concludes the proof of Theorem 1, thereby establishing the IB-BPRE-DF is CPA secure.

 □

6. Performance Analysis

This section presents a comprehensive performance analysis of the proposed scheme from both theoretical and experimental perspectives.

6.1. Theoretical Analysis

A Comparison of the IB-BPRE-DF and IB-BPRE Schemes in [18,19,20,24]. Firstly, we define the notations used in

Table 1. Function comparison.

Schemes	Broadcast	Dynamics	Revocation	Constant Size—(rk)
[18]	√	×	×	√
[24]	√	×	√	×
[19]	√	×	×	×
[20]	√	×	×	×
IB-BPRE-DF	√	√	√	√

,

Table 2. Computation overhead comparison.

Schemes	$\mathbf{\left|}\mathit{pp}\mathbf{\right|}$	$\mathbf{\left|}\mathit{ct}\mathbf{\right|}$	$\mathbf{\left|}\mathit{rk}\mathbf{\right|}$	$\mathbf{|}{\mathit{ct}}^{\mathbf{\prime }}\mathbf{|}$
[18]	$2n\left|\mathbb{G}\right|+4\left|H\right|$	$4\left|\mathbb{G}\right|+2\left|H\right|$	$6\left|\mathbb{G}\right|+1\left|H\right|$	$7\left|\mathbb{G}\right|+2\left|H\right|$
[24]	$(2n+5)\left|\mathbb{G}\right|+2\left|H\right|+1|{\mathbb{Z}}_p|$	$2\left|\mathbb{G}\right|$	$(k+6)\left|\mathbb{G}\right|$	$3\left|\mathbb{G}\right|$
[19]	$8\left|\mathbb{G}\right|+2\left|H\right|$	$3\left|\mathbb{G}\right|$	$2\left|\mathbb{G}\right|+\mathcal{O}\left(\right|S\left|\right)|{\mathbb{Z}}_p|$	$2\left|\mathbb{G}\right|+\mathcal{O}\left(\right|S\left|\right)|{\mathbb{Z}}_p|$
[20]	$8\left|\mathbb{G}\right|+2\left|H\right|$	$4\left|\mathbb{G}\right|+1|{\mathbb{Z}}_p|$	$2\left|\mathbb{G}\right|+\mathcal{O}\left(\right|S\left|\right)|{\mathbb{Z}}_p|$	$3\left|\mathbb{G}\right|+\mathcal{O}\left(\right|S\left|\right)|{\mathbb{Z}}_p|$
IB-BPRE-DF	$(n+6)\left|\mathbb{G}\right|+1\left|H\right|+1|{\mathbb{Z}}_p|$	$4\left|\mathbb{G}\right|+1|{\mathbb{Z}}_p|$	$1|{\mathbb{Z}}_p|$	$3\left|\mathbb{G}\right|$

,

Table 3. Storage overhead comparison.

Schemes	Extract	Enc	Re-Key	Re-En	Dec($\mathit{ct}$)	Dec(${\mathit{ct}}^{\prime }$)
[18]	$1t_e$	$\mathcal{O}\left(\right|S\left|\right)t_e+t_p$	$\mathcal{O}\left(\right|S\left|\right)t_e+1t_p$	$\mathcal{O}\left(\right|S\left|\right)t_e+8t_p|$	$\mathcal{O}\left(\right|S\left|\right)t_e+8t_p$	$\mathcal{O}\left(\right|S\left|\right)t_e+7t_p$
[24]	$1t_e$	$4t_e$	$\mathcal{O}\left(\right|S\left|\right)t_e$	$1t_e+2t_p$	$1t_e+2t_p$	$\mathcal{O}\left(\right|S\left|\right)t_e+3t_p$
[19]	$1t_e$	$3t_e$	$\mathcal{O}\left(\right|S\left|\right)t_e$	$1t_p$	$1t_p$	$1t_e+2t_p$
[20]	$2t_e$	$3t_e+\mathcal{O}\left(\right|S\left|\right)t_h$	$\mathcal{O}\left(\right|S\left|\right)t_e$	$\mathcal{O}\left(\right|S\left|\right)t_e+2t_p$	$2t_e+2t_p+\mathcal{O}\left(\right|S\left|\right)t_h$	$2t_e+2t_p+\mathcal{O}\left(\right|S\left|\right)t_h$
IB-BPRE-DF	$1t_e$	$3t_e$	0	$\mathcal{O}\left(\right|S\left|\right)t_e$	$1t_e+2t_p$	$\mathcal{O}\left(\right|S\left|\right)t_e+3t_p$

and Table 4 and align with those introduced in [19,24]. Let $\left|pp\right|$, $\left|ct\right|$, $\left|rt\right|$, and $|c{t}^{\prime }|$ denote the sizes of the public parameter, ciphertext, re-encryption key, and re-encryption ciphertext, respectively. The variables n, k, and $\left|S\right|$ denote the maximum number of receivers in a single re-encryption, the number of revoked users, and the size of a broadcast receiver set S, respectively. Denote $t_e$, $t_p$, and $t_h$ as the computational costs for a modular exponentiation, a bilinear pairing operation, and a hash operation, respectively. $\left|\mathbb{G}\right|$, $|{\mathbb{Z}}_p|$, and $\left|\mathcal{H}\right|$ represent the bit lengths of an element in $\mathbb{G}$, ${\mathbb{Z}}_p$, and $\mathcal{H}$, respectively. To simplify the discussion, we uniformly represent all groups involved in the schemes [18,19,20,24] by the symbol $\mathbb{G}$, all prime fields by the symbol ${\mathbb{Z}}_p$, and all hash functions by the symbol $\mathcal{H}$.

Feature Comparisons of IB-BPRE Schemes. Table 1 provides a summary of the feature metrics for the proposed IB-BPRE-DF scheme. These metrics are compared with those of relevant schemes [18,19,20,24]. The results indicate that the IB-BPRE-DF scheme achieves distinctive properties such as dynamic functionality, revocation functionality, and maintaining constant-size re-encryption keys. In contrast, some existing schemes struggle to effectively maintain these properties simultaneously. For instance, the BPRE schemes in [18,19,20] fail to support dynamic functionality while keeping re-encryption keys of a constant size. Additionally, the BPRE schemes in [24] require the proxy to achieve revocation by updating re-encryption keys.

Efficiency Comparisons of IB-BPRE Schemes. In Table 2 and Table 3, we present a comprehensive comparison between the IB-BPRE-DF scheme and related works [18,19,20,24] in terms of communication and computation overheads.

Communication costs encompass data transmission via private channels and broadcast channels, whereas computational costs primarily focus on the burden associated with private channels. System public parameters, ciphertexts, and re-encrypted ciphertexts are public information and do not require transmission to the user through private channels. Consequently, this paper emphasizes the communication burden imposed by re-encryption keys. The IB-BPRE-DF scheme exhibits a significant advantage in the setting of re-encryption keys compared to other schemes [18,19,20,24]. Specifically, this scheme only requires selecting one element from the domain as the re-encryption key, and its selection process is independent of the number of broadcast receivers. By contrast, the number of re-encryption keys in other schemes is typically directly proportional to the number of receivers.

Computational costs primarily stem from key extraction, encryption, re-encryption key generation, re-encryption operations, and the decryption of both original and re-encrypted ciphertexts. Key extraction and re-encryption algorithms are handled by the key generation center and proxy server, respectively, both assumed to have ample computational resources. This study focuses on the computational costs borne by terminal users with constrained computing capabilities. As shown in Table 3, in the IB-BPRE-DF scheme, the delegator incurs no computational overhead for setting up the re-encryption key, whereas schemes [18,19,20,24] require at least $\mathcal{O}\left(\right|S\left|\right)$ exponentiations, which imposes a significant burden on users with constrained computing power. During the decryption of the original ciphertext, the computational overhead of IB-BPRTE-DF is comparable to that in [19,24], but users in [18,20] bear higher computational costs. In the stage of decrypting the re-encrypted ciphertext, the computational overhead of this scheme is similar to that in [18,20,24]. However, although the scheme [19] requires users to bear only a small amount of computational overhead, it struggles to flexibly and efficiently adapt to frequent data-sharing scenarios in cloud environments.

6.2. Experimental Results

We utilized the Java Pairing-Based Cryptography (JPBC) Library [30] to implement the IB-BPRE-DF scheme and related works on personal computers. Specifically, the smartphone was employed to represent users with resource-constrained mobile devices.

Experiment settings. In the experiment, the smartphone operated on the Android 11 platform with specifications of 8 GB RAM and an 8-core 64-bit CPU processor running at 3072 MHz. The type A elliptic curve in the PBC library [30], with a 160-bit group order, was selected for conducting experiments. The elliptic curve had the form $E:y^2=x^3+x$ and was defined over the finite field ${\mathbb{F}}_q$. Two groups, $\mathbb{G}$ and ${\mathbb{G}}_T$, were introduced, both of which had an order p and were subgroups of $E\left({\mathbb{F}}_q\right)$. Specifically, $p=160$ bits and $q=512$ bits in the binary system. Additionally, we let $\left|\mathbb{G}\right|=|{\mathbb{G}}_T|=1024$ bits and $|{\mathbb{F}}_q|=160$ bits.

Experiment results. Figure 2 and Table 3 illustrate the implementation of the algorithms presented in [24] (referred to as BPRE-1), in [20] (referred to as BPRE-2), and the proposed IB-BPRE-DF scheme. To provide a clearer visualization, Figure 3 employs a non-uniform axis. As illustrated in Figure 4 (with $\left|S\right|=50$), the encryption time of the proposed IB-BPRE-DF scheme is approximately 93.433 ms, which is lower than that of [24] (123.36 ms) and comparable to [20] (93.523 ms). Figure 3 shows that the re-encryption key generation in IB-BPRE-DF incurs only 1.347 ms (with $\left|S\right|=50$), in stark contrast to the 1558.7 ms and 1559.724 ms required by [24] and [20], respectively. This significant reduction greatly alleviates the computational burden on resource-constrained mobile devices. According to Table 4 and Figure 5 (for $\left|S\right|=50$), the decryption times for original ciphertexts in [20,24] and IB-BPRE-DF are 403.234 ms, 436.86 ms, and 401.352 ms, respectively. For re-encrypted ciphertexts, the decryption time of IB-BPRE-DF is comparable to [20]. Although [24] requires slightly less computation during decryption, it lacks dynamic support for user revocation and addition. The experimental results shown in Figure 4, Figure 5 and Figure 6 and Table 4 demonstrate that the IB-BPRE-DF scheme provides a notable efficiency advantage for algorithms executed on resource-constrained mobile devices.

Table 4. Execution time.

Algorithms	Enc	Re-Key	Dec($\mathit{ct}$)	Dec(${\mathit{ct}}^{\prime }$)
$\left|S\right|=10$	$92.243$ ms	$1.221$ ms	$401.686$ ms	$499.946$ ms
$\left|S\right|=20$	$93.124$ ms	$1.340$ ms	$402.347$ ms	$812.680$ ms
$\left|S\right|=30$	$92.574$ ms	$1.274$ ms	$403.580$ ms	$1125.426$ ms
$\left|S\right|=40$	$92.822$ ms	$1.210$ ms	$402.554$ ms	$1438.166$ ms
$\left|S\right|=50$	$92.433$ ms	$1.347$ ms	$401.352$ ms	$1750.906$ ms

Table 4. Execution time.

Algorithms	Enc	Re-Key	Dec($\mathit{ct}$)	Dec(${\mathit{ct}}^{\prime }$)
$\left|S\right|=10$	$92.243$ ms	$1.221$ ms	$401.686$ ms	$499.946$ ms
$\left|S\right|=20$	$93.124$ ms	$1.340$ ms	$402.347$ ms	$812.680$ ms
$\left|S\right|=30$	$92.574$ ms	$1.274$ ms	$403.580$ ms	$1125.426$ ms
$\left|S\right|=40$	$92.822$ ms	$1.210$ ms	$402.554$ ms	$1438.166$ ms
$\left|S\right|=50$	$92.433$ ms	$1.347$ ms	$401.352$ ms	$1750.906$ ms

7. Conclusions

We presented an identity-based broadcast proxy re-encryption scheme with dynamic functionality (IB-BPRE-DF) designed to facilitate secure and efficient data sharing in cloud environments. The proposed scheme supported dynamic user revocation and addition without requiring updates to the re-encryption key, thereby maintaining a constant key size. This design eliminated the need for repeated reconfiguration and distribution of re-encryption keys by the data owner in response to changes in user membership, which significantly improved system flexibility and reduced communication overhead. Furthermore, performance evaluations demonstrated that IB-BPRE-DF achieved communication and computational efficiency compared to existing BPRE schemes, particularly in reducing the computational burden on resource-constrained users.

Although the proposed identity-based broadcast proxy re-encryption scheme with dynamic functionality (IB-BPRE-DF) effectively reduced computational and communication overhead in dynamic environments, several limitations remained to be addressed. First, the current design did not consider resistance to quantum attacks. Second, while the computational cost of encrypting and decrypting the original ciphertext had been reduced, the decryption of re-encrypted ciphertext still imposed a considerable burden on resource-constrained users.

Future work will focus on integrating quantum-resistant cryptographic techniques, including lattice-based cryptography and hash-based cryptography, into the broadcast proxy re-encryption framework, thereby enhancing its resilience against quantum adversaries. In particular, we aim to design a lattice-based BPRE scheme that preserves dynamic functionality while ensuring security under post-quantum assumptions. To improve computational efficiency, we will investigate lightweight lattice constructions and optimize key and ciphertext sizes using structured lattices such as Ring-LWE. Moreover, we will investigate secure outsourcing mechanisms that delegate the decryption of re-encrypted ciphertext to third-party servers with substantial computational capabilities while preserving both the correctness of the decryption process and the confidentiality of the underlying data.