Autonomous Path Identity-Based Broadcast Proxy Re-Encryption for Data Sharing in Clouds

Cloud computing with massive storage and computing capabilities has become widespread in actual applications. It is critical to ensure secure data sharing in cloud-based applications. Currently, numerous identity-based broadcast proxy re-encryption (IB-BPRE) schemes have been proposed to resolve the privacy issue. However, the existing IB-BPRE schemes cannot reach the transformation of the decryption right for outsourced encrypted data between the broadcast receiver sets (data user sets) delegated by the data owner (Alice) because it is difficult for the IB-BPRE to hold the character of multi-hop. Consequently, a new cryptographic primitive called autonomous path identity-based broadcast proxy re-encryption (APIB-BPRE) is presented to address the above issue. In an APIB-BPRE scheme, the delegator establishes an autonomous path involving preferred multiple broadcast receiver sets and the proxy can convert the decryption right for the broadcast receiver set into the decryption right for the next broadcast receiver set by the re-encryption key from the delegator. This solution is convenient and flexible for cloud users and utilizes the benefits of cloud computing. The evaluation and comparison indicate that our APIB-BPRE system is effective and practical.


I. INTRODUCTION
Cloud computing has been widely used in data sharing because it is effective and flexible. However, there exist privacy issues (e.g., data confidentiality) when cloud computing is used for data sharing. Identity-based encryption (IBE) as an efficient approach is available to ensure data confidentiality in a cloud-based data sharing system because of simple public key infrastructure (PKI) [1], [2]. In a real-world scenario, the data owner would like to share outsourced encrypted data with the data users if he has no time to deal with encrypted sensitive data stored in the server cloud. For example, a data owner Alice with an identity id from the disease research unit wants to safely share the disease record m about volunteers with his n colleagues with identities id 1 , . . . , id n , note that we denote a colleague set (a data user set) S 1 = {id 1 , . . . , id n }. When IBE is applied in the above scene for achieving data confidentiality, Alice needs to perform the The associate editor coordinating the review of this manuscript and approving it for publication was Muhammad Asif . encryption algorithm Enc of IBE to generate the encrypted disease data c about the disease record m (note that c = Enc(id, m)) and upload the ciphertext to the cloud server.
Obviously, there are some shortages with identity-based encryption to ensure data confidentiality in outsourced data sharing. First, the data owner Alice needs to download the outsourced encrypted disease data c from the cloud server and decrypt the ciphertext c to obtain the data m, and re-set a ciphertext for every colleague. In other words, Alice has a high computing cost to share outsourced encrypted data with the data users because the number of ciphertexts shows a linear correlation with the size of data users. Second, Alice has to completely keep online for converting the decryption right for outsourced encrypted data c into the decryption right for outsourced encrypted data c j because he needs to re-set the ciphertext c j = Enc(id j , m) under identity id j for each colleague id j (j = 1, . . . , n). Third, if all users in a data user set S 1 = {id 1 , . . . , id n } obtain the data m, Alice wants to transfer the decryption right for outsourced encrypted data from a data user set S 1 = {id 1 , . . . , id n } to another data user set S 2 = id 1 , . . . , id n he trusts. In such a scenario, the traditional IBE guarantees data confidentiality but it is not flexible for the data owner to perform the transformation of decryption right between the data user sets delegated by the data owner.
Alternatively, it might be an idea to outsource the amount of computing overhead for Alice to the cloud server. That is, the cloud server needs to obtain Alice's private key so that it has ability to decrypt the encrypted disease data and re-set the ciphertext for each colleague. However, if the cloud server is an untrusted server, this solution cannot maintain data confidentiality. We did not expect the untrusted server to obtain the disease record about volunteers via Alice's private key because the disease data involves a lot of personal sensitive data, such as illness and allergies. Prior, Blaze et al. [3] introduced the concept of proxy re-encryption (PRE) that is a potential approach to dealing with outsourced encrypted data. In a PRE scheme, a proxy (e.g., a cloud server) can convert the decryption right for outsourced encrypted data between the users without exposing the underlying data to the cloud server. This approach uses the benefits of cloud computing because the cloud server undertakes heavy computation cost of re-setting ciphertexts.
Identity-Based Proxy Re-Encryption (IB-PRE): Green and Ateniese [4] presented identity-based PRE (IB-PRE) to simplify PKI since the concept of PRE was introduced. In an IB-PRE scheme, the proxy has the ability to convert the ciphertext under a delegator's identity into ciphertext under a delegatee's identity without obtaining any information about sensitive data. One may think that we can utilize the solution of IB-PRE to solve the drawbacks of IBE applied in cloud data sharing. Unfortunately, IB-PRE is still an inefficient approach for the data owner. For example, if IB-PRE is applied in the outsourced data sharing, Alice needs to set n re-encryption keys rk id→id 1 , . . . , rk id→id n for a data user set S 1 = {id 1 , . . . , id n } and secrectly send these re-encryption keys to the proxy during the process. It is flexible for the proxy to set the cipertexts for these data users via these re-encryption keys. Additionally, IB-PRE resolves the issue of complete online for the delegator by outsourcing the computation cost of re-setting ciphertexts to the proxy. However, IB-PRE is still an inefficient approach for the data owner because the size of re-encryption keys is equal to the number of delegatees. Therefore, IB-PRE is not suited to actual applications if there exist many delegatees.
Identity-Based Broadcast Proxy Re-Encryption (IB-BPRE): Chu et al. [5] introduced the concept of broadcast proxy re-encryption (BPRE) to solve the linear computing issue of the re-encryption key for the delegator. In a BPRE scheme, the proxy can convert the ciphertext for the delegator into the ciphertext for a broadcast receiver (delegatee) set. In the process, the delegator only generates a re-encryption key for multiple delegatees and the proxy (e.g., a cloud server) sets a re-encryption ciphertext for a broadcast receiver set without obtaining any information about sensitive data.
Lately, Xu et al. [6] introduced the notion of identity-based BPRE (IB-BPRE) to take the identity of the user as his public key. Despite IB-BPRE solving the heavy computing issue of re-encryption keys for the delegator, the transformation of decryption rights between the broadcast receiver sets authorized by the delegator is still an issue in IB-BPRE schemes. Therefore, our challenge point is how to implement a cloud data sharing system to achieve the transformation of decryption rights for outsourced encrypted data from a data user set S 1 = {id 1 , . . . , id n } to another data user set S 2 = id 1 , . . . , id n , where sets S 1 and S 2 are chosen by the data owner.

A. MOTIVATION
The existing IB-BPRE schemes are effective in addressing the issues of IBE applied in the outsourced data sharing system, but they cannot solve the issue of autonomous path multi-hop. In other words, the existing IB-BPRE cannot achieve the transformation of decryption rights between the broadcast receiver sets delegated by the delegator. However, autonomous path multi-hop is very critical in IB-BPRE since we can perform flexible data sharing according to the data owner's wishes. Consequently, this motivates us to discover an autonomous path identity-based broadcast proxy re-encryption (APIB-BPRE) as a new cryptographic mechanism that supports to easily achieve an autonomous path multi-hop in IB-BPRE. More specifically, in an APIB-BPRE scheme, the delegator designates a delegation path involving preferred broadcast receiver sets. The delegation path comprises multiple broadcast delegatee sets, if all receivers of a broadcast receiver set in the path complete the decryption, the proxy automatically transforms decryption rights to the next broadcast receiver set in the path. By the method, the delegator guarantees that the decryption right is carried out among these broadcast receiver sets he trusts.
Imagine a data owner Alice from the disease reseach unit holds the diseases data m about volunteers. If Alice is too busy to deal with the disease data m, he may share the outsourced encrypted data with a data user set Meanwhile, if all users in S 1 gain the disease data, decryption rights will be automatically delegated to next set of data users S 2 = id 1 , id 2 , id 3 choosen by Alice. Our APIB-BPRE is suitable to the above cloud data sharing system, the data owner Alice encrypts his sensitive data as c = Enc(id, m) and sets an autonomous path Pa = (id = S 0 , S 1 , S 2 ), and then uploads c and Pa to the cloud server. The proxy can transform the ciphertext c for Alice into the ciphertext c 1 for a data user set S 1 by the re-encryption key rk id→S 1 from Alice, and convert the ciphertext c 1 for a data user set S 1 into the ciphertext c 2 for a data user set S 2 via the re-encryption key rk S 1 →S 2 from Alice. The idea of our APIB-BPRE for data sharing in clouds is shown in Figure.1. With this motivation in mind, we designed APIB-BPRE, in which the proxy can achieve the transformation of decryption right for the   [3]. In a multi-hop PRE scheme, the proxy can convert the ciphertext from Alice to Bob, from Bob to Carol and so on. In a single-hop PRE scheme, the proxy only transforms the ciphertext under Alice into the ciphertext under Bob. Since Blaze et al. proposed the concept of PRE, numerous works [4], [7], [8], [9], [10], [11], [12], [13], [14], [15], [16], [17], [18], [19], [20] with different properties have been designed to meet kinds of actual demands. In traditional multi-hop PRE schemes, the delegator cannot dominate the selection of all delegatees with the decryption right for the encrypted data, he only chooses the first delegatee. For example, the proxy converts the decryption right from a delegator Alice to a delegatee Bob, and from a delegatee Bob to the delegatee Carol. In the process, Alice only chooses the first delegatee Bob, but the delegatee Carol is authorized by the delegatee Bob. It indicates that the delegator has no right to control all delegatees he trusts when decryption rights have been transformed from a delegatee to another delegatee. It is desirable for the delegator that he is able to control the decryption rights for encrypted files among the authorized delegatees in actual application demands. This ensures that the encrypted data can be decrypted by his authorized delegatees. Recently, Cao et al. [21] proposed an autonomous path PRE (AP-PRE) as a new cryptographic primitive to resolve the above issue. This approach has better fine-grained access control for encrypted data because AP-PRE has the property of autonomous path multi-hop. Put simply, autonomous path multi-hop in AP-PRE means that the delegator sets an autonomous delegation path Pa including multiple delegatees and the proxy can transform the ciphertext for the delegatee in Pa into the ciphertext for the next delegatee in Pa via the re-encryption key from the delegator.
Berkovits [22] introduced the concept of broadcast encryption (BE) that a sender broadcasts encrypted data to a broadcast receiver set and each receiver in the broadcast receiver set can decrypt the encrypted data via his private key. However, the user outside of the broadcast receiver set cannot get any information about the sensitive data. Since Fiat and Naor [23] gave the formal definitions about broadcast encryption and its security model, various BE works [24], [25] have been designed to increase efficiency. Broadcast proxy re-encryption (BPRE) is another interesting research field that the proxy can convert the decryption right for a delegator into the decryption right for a broadcast receiver (delegatee) set [5]. After that, Xu et al. [6] proposed a conditional IB-BPRE with constant re-encrypted ciphertext. Such a construction is significantly adapt to the cloud email system. After this work, Sun et al. [26] designed an IB-BPRE with CCA secure that is also sultable for the cloud computing environment application (e.g., cloud data sharing). Lately, Ge et al. [27] proposed an IB-BPRE with a revocation function that the proxy can revoke decryption rights for left delegatees. Unfortunately, none of these works addressed the property of autonomous multi-hop to IB-BPRE.

C. OUR CONTRIBUTIONS
In this work, we adopted the autonomous path multi-hop mechanism proposed for AP-PRE [21] to address the autonomous path multi-hop for IB-BPRE. One may think that this exists a direct connection between the autonomous path multi-hop for AP-PRE [21] and IB-BPRE. However, there are technical difficulties in applying the solution of autonomous path multi-hop showed in work [21] to the IB-BPRE scheme because there is a one-to-one correspondence between the re-encryption key and the delegatee in work [21]. That is, a delegator cannot set a re-encryption key for a broadcast receiver set by executing a re-encryption key generation algorithm. One might think that a possible attempt is to address the character of the autonomous path to the multi-hop IB-BPRE. Nevertheless, the existing IB-BPRE schemes do not have the character of multi-hop, mainly because it is a challenging task to set a re-encryption key rk S 1 →S 2 from a broadcast receiver set S 1 to another broadcast receiver set S 2 . Therefore, reaching an autonomous path multi-hop for IB-BPRE is a challenging task. This paper presents a new mechanism called autonomous path identity-based broadcast proxy re-encryption to guarantee the function of autonomous path multi-hop in IB-BPRE. Our APIB-BPRE allows the proxy to convert the decryption right for outsourced encrypted data from the data user set S 1 to the next data user set S 2 , where S 1 and S 2 are delegated by the data owner. We give the formal definitions of our APIB-BPRE and its security model. Meanwhile, we give the concrete construction for our APIB-BPRE and prove its security in the decision n-BDHE problem. Additionally, the evaluation and comparison indicate that APIB-BPRE is efficient and practical.

D. ORGANIZATION
In Section II , we give the definitions of bilinear paring and hard problem assumption. Then, we define our APIB-BPRE and give the security model in Section III . In Section IV , we present a concrete construction of APIB-BPRE. Section V proves that our scheme is semantic security. In Section VI , The evaluation and comparison indicate that our scheme is efficient. Finally, we give a conclusion in Section VII .

II. PRELIMINARIES
We give the definition of the bilinear pairing and state the complex assumption needed for security proof.

A. BILINEAR PAIRING
Let G and G T are two multiplicative cyclic groups of prime order q, and g is a generation of G. A bilinear pairing is a map e : G×G → G T with the following three properties [1], [28]: e (g, g) = 1.
• Computability. There exists an efficient algorithm to compute the map e.

B. COMPLEX ASSUMPTION
The security of our APIB-BPRE scheme is based on the following assumption. Assumption (decision n-bilinear Diffie-Hellman Exponent assumption (decision n-BDHE) [29]). Let G and G T are two multiplicative cyclic groups of prime order q, and g is a generation of G. The decision n-BDHE assumption is stated as follows: given a vector y g,α,n = h, g, g 1 , g 2 , · · · , g n , g n+2 , · · · , g 2n ∈ G 2n+1 and an element Z ∈ G T as input, decide whether Z is equal to e (g n+1 , h). Note that we use g i to denote g i = g α i ∈ G (i = 1, · · · , n, n + 2, · · · , 2n), an algorithm A that outputs b ∈ {0, 1} with advantage in solving the decision n-BDHE problem in G if where the probability is the choice of random generation g and random h in G, the choice of random α in Z * q , the choice of random Z in G T , and the random bits consumed by A.
Definition 1: The decision (t, , n)-BDHE assumption holds in G if any probabilistic polynomial time (PPT ) algorithm with an negligible advantage in solving the decision n-BDHE problem in G.

III. DEFINITION AND SECURITY MODEL
We define our APIB-BPRE and the security model.

A. AUTONOMOUS PATH IDENTITY-BASED BROADCAST PROXY RE-ENCRYPTION (APIB-BPRE)
An APIB-BPRE refers to three types of entries: the delegator, the proxy, and the delegatee (receiver). In an APIB-BPRE system, the delegator id is able to choose multiple broadcast receiver sets S 1 , . . . , S m he trusts and generates a path Pa = (id = S 0 , S 1 , . . . , S m ) involving m preferred broadcast receiver sets (note that we denote id as id = S 0 ). To simplify the discussion, we suppose that each broadcast receiver set S µ includes k receivers, where S µ = id µ 1 , . . . , id µ k , for µ = 1, . . . , m. Meanwhile, the delegator uploads the ciphertext about his sensitive data to the proxy and sends the re-encryption key rk µ−1→µ to the corresponding proxy through a secure channel for µ = 1, . . . , m. After obtaining the re-encryption key rk µ−1→µ from the delegator, the corresponding proxy converts the ciphertext under broadcast receiver set S µ−1 into the ciphertext under the next broadcast receiver set S µ without revealing sensitive data. In this way, we can gain the property of multi-hop from S µ−1 to S µ in the autonomous path Pa for identity-based broadcast proxy re-encryption. The definition of APIB-BPRE is illustrated as follows.
Definition 2 (APIB-BPRE): An autonomous path identitybased broadcast proxy re-encryption scheme consists of the following algorithms: • Setup 1 λ , n → (msk, mpk). A trusted party key generation center (KGC) runs the setup algorithm Setup to generate the master public/secret keys. On input a security parameter 1 λ , and the maximum number of receivers n in one encryption. It outputs the master public key mpk and the master secret key msk.
• Extract (msk, id) → (sk id ). KGC runs the key extraction algorithm Extract to set the private key. The algorithm inputs the master secret key msk and an identity id for the user ( delegator or delegatee). It outputs a private key sk id .
• CreatPath (mpk, id) → (Pa). The delegator id runs the path creation algorithm CreatPath to generate an autonomous path. It inputs the master public key mpk, and the identity id and outputs an autonomous path Pa of length m. The autonomous path Pa = (id = S 0 , S 1 , . . . , S m ) is a sequence of ordered m different broadcast receiver sets, where id is denoted to be S 0 and S µ = id µ 1 , · · · , id µ k is a set of broadcast receivers with identities id µ j , for 1 ≤ µ ≤ m, k ≤ n. Note that, we implicitly assume that the size of each broadcast receiver set is k in order to simplify the discussion. Meanwhile, we denote a set S µ in path Pa by S µ ∈ Pa and denote that the length of Pa is equal to the number of broadcast receiver sets.
• RKeyGen (mpk, id, Pa) → (rk). The delegator id performs the re-encryption key generation algorithm RKeyGen to set the re-encryption key. It inputs the master public key mpk, identity id, and an autonomous path Pa created by the delegator id. It outputs the re-encryption key rk = rk µ−1→µ µ=1,...,m . Note that the proxy can convert the ciphertext under S µ−1 into ciphertext under S µ in the autonomous path Pa via the re-encryption key rk µ−1→µ .
• Enc ( mpk, id, m) → c 0 . The delegator id runs the encryption algorithm Enc to set the ciphertext. It inputs the master public key mpk, the identity id, and a message m from the message space M and outputs the ciphertext c 0 . For simplicity, we call c 0 the original ciphertext.
The proxy performs the re-encryption algorithm ReEnc to convert the ciphertext under S µ−1 into ciphertext under S µ . On input an autonomous path Pa, two broadcast receiver sets S µ−1 and S µ , a re-encryption key rk µ−1→µ , and a ciphertext c µ−1 under the broadcast receiver set S µ−1 . It first checks whether S µ−1 , S µ ∈ Pa and outputs ''⊥'' if not. Otherwise, the algorithm outputs the re-encrypted ciphertext c µ for the set of broadcast receivers S µ . For simplicity, we denote call c µ the re-encryption ciphertext.
• Dec mpk, c 0 /c µ , s k id → (m, ⊥), where µ = 1, . . . , m. The delegator (delegatee) runs the decryption algorithm Dec to recover the message. It inputs the master public key mpk, the original ciphertext c 0 (re-encryption ciphertext c µ ), and a private key sk id and outputs the message m ∈ M, or an error symbol ⊥. Correctness: Our APIB-BPRE is correct, if for autonomous path Pa set by the delegator id, the following equations hold for any m ∈ M: where for any µ, 1 ≤ µ ≤ m, ReEnc Pa, S µ−1 , S µ , r k µ−1→µ , c µ−1 → c µ .

B. SECURITY MODEL FOR APIB-BPRE
We consider the security of APIB-BPRE in chosen plaintext attack model for the original ciphertext and the re-encryption ciphertext, respectively. We use the following two indistinguishable games between a PPT adversary A and a challenger C to define the security for the original ciphertext and the re-encryption ciphertext separately. Game 1. We define the following indistinguishable game of our APIB-BPRE scheme for the original ciphertext in the chosen plaintext attack model. The adversary A and the challenger C perform the following indistinguishable game: • Init. A chooses an identity id * as a challenging identity.
• Setup. C generates the master public key mpk and the master secret key msk via running the setup algorithm Setup and returns mpk to A.
• Query phase 1. A makes the following queries: a) Key extraction query O sk (mpk, id). It inputs an identity id and the master public key mpk, if id ∈ S * µ , C returns an error symbol ⊥; otherwise C generates the private key sk id via executing the key extraction algorithm Extract and returns sk id to A. b) Path creation query O cp (mpk, id). On input the master public key mpk and an identity id, C generates a path Pa = (id = S 0 , S 1 , . . . , S m ) via running the path creation algorithm GreatPath and returns Pa to A. c) Re-encryption key generation query O rk mpk, id, Pa, S µ−1 , S µ . On input the master public key mpk, an identity id, broadcast receiver sets S µ−1 and S µ , where S µ−1 , S µ ∈ Pa. C retrieves rk µ−1→µ from rk via running the re-encryption key generation algorithm RKeyGen and returns rk µ−1→µ to A.
• Challenge. After receiving two messages m 0 , m 1 ∈ M, C chooses a random bit b ∈ {0, 1} and sets the challenging ciphertext c * µ . It returns c * µ to the adversary A. • Query phase 2. A continues making key extraction, path creation, and re-encryption key queries and C responds to these queries like as in the query phase 1.

Remark 1:
The adversary A does not need to make the re-encryption query because there is to be no limitation on making re-encryption key query.
Definition 4: Our APIB-BPRE scheme is t, q sk , q cp , q rk , -CPA secure at re-encryption ciphertext if for any PPT adversary A who makes at most q sk key extraction queries, q cp path creation queries, and q rk re-encryption key queries,

IV. PROPOSED APIB-BPRE SCHEME
This section presents a concrete construction of APIB-BPRE. For ease of reference, Table 1 summary improtant notations.

B. CONSTRUCTION
Generally, an APIB-BPRE scheme consists of the following algorithms.
• Setup 1 λ , n . To set the master public key mpk and the master secret key msk, it generates a bilinear pairing group PG = (q, g, G, G T , e). Let e : G × G → G T is a bilinear pairing, G and G T are multiplicative groups with the same prime order q, g be a generation of group G. The algorithm selects random α, s, r ∈ Z * q and computes h = g s ,ĥ = h s , v = h r g n = g α n , h i = h α i for i = 1, . . . , n, n + 2, . . . , 2n, and d i = (h i ) r for i = 1, . . . , n. Nextly, it selects a cryptographic hash function ...,n,n+2,...,2n , {d i } i=1,...,n ) and the master secret key is msk = (s, α). Note that it sends the secret key α to the delegator via the secure channel.
• Extract(mpk, id). To generate the private key for the user id, if the user id is the delegator, it sets private key sk id = H (id) s ; otherwise, it sets private key sk id = H (id) sα , where the user id is the delegatee.

V. SECURITY PROOF
This section proves that our APIB-BPRE system is the semantic security (CPA secure) by Theorem 1 and Theorem 2. Theorem 1: Our APIB-BPRE scheme is CPA secure for the original ciphertext under the decision n-BDHE assumption in G without random oracle.
Proof 1: We suppose that there is a PPT adversary A with advantage in breaking the IND-CPA-Or security of our APIB-BPRE scheme in time t. We construct a simulator B to solve the decision n-BDHE assumption with the advantage in time t . B is given the decision n-BDHE instance (h , h, h α , . . . , h α n , h α n+2 , . . . , h α 2n , Z ), where we denote h = g s and y α,n,h = (h , h, h α , . . . , h α n , h α n+2 , . . . , h α 2n ). B's task is to decide whether Z ? = e h , h n+1 . B needs to maintains an initially empty table T sk that is a private key table used to record tuples (id, sk id ). The simulator B interacts with A, and works as follows: • Init. B gains a challenging identity id * from the adversary A.
• Setup. To generate the master public key mpk = (PG, h,ĥ, v, g n , H , {h i } i=1,...,n,n+2,...,2n , {d i } i=1,...,n ). Firstly, B generates a bilinear pairing group PG = {q, g, G, G T , e}. Next, B randomly chooses r ∈ Z * q and setsĥ = h s , v = h r , g n = h s −1 n , and d i = (h i ) r for i = 1, . . . , n, where the elements h, {h i } i=1,...,n,n+2,...,2n are from the problem instance. Finally, B selects a secure hash function H : {0, 1} * → G and returns the master public key mpk to A. Note that the distribution of the master public key is identified as the distribution of the real world from the view of adversary A, because these parameters r and s are uniforms and random distributions.
Therefore, c * 0 is a correct challenging ciphertext to encrypt message m b for id * .
• Query phase 2. A continues to issue the key extraction query and B responds to the query like as in query phase 1. Theorem 2: The proposed APIB-BPRE scheme is is CPA secure for the re-encryption ciphertext under the decision n-BDHE assumption in G with the random oracle model.

Proof 2:
We suppose that there is a PPT adversary A with the advantage in breaking the IND-CPA-Re security of our APIB-BPRE scheme in time t. We construct a simulator B to solve the decision n-BDHE assumption with the advantage in time t . B is given the decision n-BDHE instance (h , h, h α , . . . , h α n , h α n+2 , . . . , h α 2n , Z ), where we denote h = g s and y α,n,h = (h , h, h α , . . . , h α n , h α n+2 , . . . , h α 2n ). B's task is to decide whether Z ? = e h , h n+1 . B maintains private key table T sk , re-encryption key table T rk , and autonomous path table T P . These tables are initially empty. Let T sk record tuples (id, sk id ), T rk record tuples (id, S µ−1 , S µ , rk µ−1→µ ), and T P record tuples id, Pa = . . . , S µ−1 , S µ , . . . . The simulator B interacts with A, and works as follows: • Init. The adversary A outputs a challenging broadcast receiver set S * µ = id * 1 , . . . , i d * k , for any µ, µ = 1, . . . , m and k ≤ n.  n,n+2,...,2n are from the problem instance). It returns the master public key mpk to A. Note that since these parameters r and u are uniforms and random distributions, the master public key is an identical distribution as the real construction from the view of adversary A.
• H -Query. In this phase, A issues the hash query. B needs to maintain a hash table T H that is initially empty and used to record queries and responses. For a query on id, B chooses random x id ∈ Z * q and sets as B responds to the query on id with H (id) and adds tuples (id, x id , H (id)) to T H . and Therefore, the re-encryption key rk µ−1→µ is a valid re-encryption key.
• Challenge. After receiving two messages m 0 , m 1 ∈ M, B randomly chooses b ∈ {0, 1}. We write h = h T * µ for some unknown T * µ ∈ Z * q . B sets the challenging ciphertext c * µ as Therefore, c * µ is a correct challenging ciphertext to encrypt message m b for id.
• Query phase 2. A continues making private key, path creation, and re-encryption key queries and B responds to these queries like as in the query phase 1. h n+1 ); otherwise, it returns 1 to indicate that Z is random in G T . This completes the simulation and the solution. B has the advantage in solving the decision n-BDHE assumption in time t . We here analyze the advan- (1/2) |= ( /2). We denote denote the time cost of the simulation T s = O q sk + q rk + q cp + q H , where private key generation, re-encryption key generation, path creation, hash fuction queries mainly dominate the time cost of the simulation T s . Thus, B will solve the decision n-BDHE assumption with time t = t + T s .

VI. EVALUATION AND COMPARISON ANALYSIS
We first define the notations used in Table 2. Let k denote the size of each broadcast receiver set. Notations t p and t e denote the times consumed for a pairing operation, and a modular exponentiation in G or G T , separately. Notations Dec(Or) and Dec(Re) denote the decryption execution for the original ciphertext and the re-encryption ciphertext, respectively. Here, we omit the computing time of addition, multiplication, and hash function operations because these operations are much less modular exponentiation and pairing operations. As shown in Table 2, the computation overhead of our APIB-BPRE scheme in each algorithm is compared to other works [6], [21], [26].
• Extract. In the key extraction algorithm, KGC in works [6], [21], [26] and our APIB-BPRE only excutes a modular exponentiation operation to generate the private key for each user. However, broadcast proxy re-encryption schemes [6] and [26] cannot realize the property of autonomous path multi-hop, and the work [21] has no the character of broadcast encryption.
• Enc. Our APIB-BPRE and work [21] has lower computing cost to set the original ciphertext. Nevertheless, the delegator in works [6] and [26] has to undertake the amount of computing overhead in the encryption phase. For example, the delegator in work [26] needs to undertake O(k) modular exponentiation operations and a pairing operation for setting ciphertext.
• RKeyGen. Table 2 shows that schemes [6], [26] and our APIB-BPRE have lower computation overhead to generate the re-encryption key. However, the delegator in work [21] needs abundant computing overhead to set the re-encryption key because each receiver in the broadcast receiver set needs one re-encryption key.
• ReEnc. In this phase, our APIB-BPRE has no modular exponentiation and paring operations. In fact, only a few lightweight multiplication calculations are required in APIB-BPRE. On the contrary, the related works [6], [21], and [26] need to perform a large number of modular exponentiation and pairing operations to set ren-encryption ciphertext.
• Dec(Or). In the decryption algorithm for the original ciphertext, the delegator in APIB-BPRE and work [21] only executes a pairing operation to decrypt the original ciphertext. However, there are heavy computing overhead in works [6] and [26].
• Dec(Re). Table 2 shows that our APIB-BPRE has less computing cost to execute the decryption algorithm for the re-encryption ciphertext compared with IB-BPRE schemes [6] and [26]. While our APIB-BPRE is less efficinet comparied with work [21] in the decryption algorithm for the re-encryption ciphertext. However, it cannot support the broadcast encryption functionality. The comparison results displayed in Table 2 clearly show that our APIB-BPRE has the least computation overhead compared to related works.

VII. CONCLUSION
This paper designed an autonomous path broadcast proxy re-encryption as a new cryptographic primitive to support flexible data sharing in clouds. We formally define autonomous path identity-based broadcast proxy re-encryption and its security model, and demonstrate that our APIB-BPRE is CPA secure in the decision n-BDHE problem. More importantly, through performance analysis, our APIB-BPRE system is efficient and practical. In addition, our APIB-BPRE must be a multi-hop IB-BPRE, so that our APIB-BPRE system can provide much better fine-grained access control to delegation broadcast receiver sets than the traditional IB-BPRE employed in a cloud environment. It motivates researchers to design other APIB-BPRE schemes to support many interesting applications.