coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9c4a3a30b6c86221e13ab20c1652c640d1bc5cba
opaque-lattice/papers_txt/Sharing-as-You-Desire--A-fuzzy-certificateless-proxy-re-e_2026_Computer-Stan.txt
Cole Leavitt dfa968ec7d initial
2026-01-06 12:49:26 -07:00

946 lines
114 KiB
Plaintext
Raw Blame History

This file contains invisible Unicode characters
This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
Computer Standards & Interfaces 97 (2026) 104121
Contents lists available at ScienceDirect
Computer Standards & Interfaces
journal homepage: www.elsevier.com/locate/csi
Sharing as You Desire: A fuzzy certificateless proxy re-encryption scheme for
efficient and privacy-preserving cloud data sharing
Jiasheng Chen a , Zhenfu Cao a ,, Liangliang Wang b,c , Jiachen Shen a , Xiaolei Dong a
a
East China Normal University, Software Engineering Institute, Shanghai Collaborative Innovation Center of Trusted Industry Internet
Software, Shanghai, 200062, China
b
Shanghai University of Electric Power, Faculty of Artificial Intelligence, Shanghai, 201306, China
c
Police Integration Computing Key Laboratory of Sichuan Province, Luzhou, 646000, China
ARTICLE INFO ABSTRACT
Keywords: Secure sharing mechanism in the cloud environment not only needs to realize efficient ciphertext storage of
Cloud security resource-constrained clients, but also needs to build a trusted data sharing system. Aiming at the limitations of
Proxy re-encryption existing schemes in terms of user identity privacy protection, insufficient access control granularity, and data
Certificateless cryptography
sharing security, we propose a fuzzy certificateless proxy re-encryption (FCL-PRE) scheme. In order to achieve
Conditional privacy
much better fine-grained delegation and effective conditional privacy, our scheme regards the conditions as an
attribute set associated with pseudo-identities, and re-encryption can be performed if and only if the overlap
distance of the senders and receivers attribute sets meets a specific threshold. Moreover, the FCL-PRE scheme
ensures anonymity, preventing the exposure of users real identities through ciphertexts containing identity
information during transmission. In the random oracle model, FCL-PRE not only guarantees confidentiality,
anonymity, and collusion resistance but also leverages the fuzziness of re-encryption to provide a certain level
of error tolerance in the cloud-sharing architecture. Experimental results indicate that, compared to other
existing schemes, FCL-PRE offers up to a 44.6% increase in decryption efficiency while maintaining the lowest
overall computational overhead.
1. Introduction In response to the demand for secure cloud data sharing, the proxy
re-encryption (PRE) [4] scheme was proposed. This technology not
As information technology and the Internet continue to evolve, only allows data to be stored on the cloud server but also capitalizes
users can now access networks anytime and anywhere through mo- on the clouds computing capabilities to securely achieve decryption
bile devices, driving the widespread adoption of cloud services. By authorization in Fig. 1. In a typical PRE scheme, key generation center
leveraging flexible resource scheduling and high network accessibility, (KGC) is responsible for generating the systems public parameters
cloud computing has attracted enterprises such as Amazon, Google, and issuing publicprivate key pairs for registered users based on the
and Alibaba to introduce cloud-based data storage, access, and shar- master secret key. Generally, the data sender encrypts information
ing services [13]. However, cloud service providers are not always with their own 𝐼𝐷 (i.e., e-mail account, phone numbers) and produces
completely trustworthy. Due to factors such as technical limitations the re-encryption key for authorized users, which is stored on the
or economic incentives, they may engage in practices that could com- cloud server alongside the ciphertext. Only the authorized recipient
promise users rights. In recent years, data breaches have occurred
can instruct the cloud server to perform ciphertext transformation using
frequently: in 2018, Teslas Kubernetes console on AWS was left un-
the re-encryption key, thereby achieving secure data sharing. However,
secured, allowing attackers to exploit the cloud environment; in 2019,
despite simplifying certificate management, traditional identity-based
Capital One faced misconfigurations on AWS, enabling hackers to gain
proxy re-encryption (IB-PRE [5]) still suffers from several limitations:
unauthorized access and disclose more than 100 million user data. Ev-
(1) it relies on the KGC for key escrow, meaning that if the KGC is
idently, although outsourcing data to the cloud can reduce the burden
of hardware maintenance, it also deprives users of direct control over compromised or acts maliciously, users private keys are at serious risk
their data, thereby increasing the risk of potential privacy breaches. of exposure; (2) it lacks flexible dynamic authorization, such that even
Corresponding author.
E-mail addresses: jschen@stu.ecnu.edu.cn (J. Chen), zfcao@sei.ecnu.edu.cn (Z. Cao), llwang@shiep.edu.cn (L. Wang), jcshen@sei.ecnu.edu.cn (J. Shen),
dongxiaolei@sei.ecnu.edu.cn (X. Dong).
https://doi.org/10.1016/j.csi.2025.104121
Received 30 June 2025; Received in revised form 23 November 2025; Accepted 21 December 2025
Available online 23 December 2025
0920-5489/© 2025 Elsevier B.V. All rights are reserved, including those for text and data mining, AI training, and similar technologies.
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
progressed, the limitations of the original PRE model gradually be-
came evident. For example, a malicious user may collude with the
proxy to recover the senders private key. Ateniese et al. [12] later
presented a unidirectional PRE scheme that offers a certain level of
resistance against collusion attacks, although it still depends on a
public key infrastructure (PKI) for certificate management. Gentry [13]
addressed the burden imposed by PKI by introducing the paradigm
of certificate-based cryptography, thereby eliminating the need for
Fig. 1. Data sharing based on proxy re-encryption.
online third-party certificate queries. Sur et al. [14] further applied
this paradigm by designing a certificate-based encryption scheme. They
were the first to combine it with proxy re-encryption, and thus pro-
minor changes in a users identity information require the regeneration posed a certificate-based proxy re-encryption (CB-PRE) scheme that
of private keys, thus increasing administrative overhead and system achieves chosen-ciphertext (IND-CCA) security in the random oracle
complexity; and (3) it struggles to satisfy the requirements of high- model. On the other hand, to further simplify the public key infrastruc-
privacy scenarios. For instance, in mobile healthcare, patients private ture, Green and Ateniese [5] extended PRE to identity-based scenarios,
information may be directly used as public keys for encryption [68]. significantly reducing certificate management overhead by replacing
Once an attacker traces such identifiers to a patients real identity, a traditional public keys with user identifiers and achieving adaptive
severe privacy breach can result, endangering the patients information CCA security. In this context, Ge et al. [15] designed an identity-
security. based broadcast PRE (BPRE) scheme that supports revocation of a
To address the challenges of insufficient anonymity, key escrow, shared user set and can resist chosen-plaintext attacks, while Zhang
and difficulty in dynamic privilege adjustment, we propose an anony- et al. [16] employed bilinear pairings to construct an identity-based
mous fuzzy certificateless proxy re-encryption scheme (FCL-PRE). Our BPRE scheme for VANETs that achieves CPA security with constant
scheme not only supports identity hiding and fuzzy matching, but decryption overhead.
also effectively prevents unauthorized access and significantly improves
(2) Conditional PRE schemes: Once the basic transformation capabil-
system error tolerance. The main contributions of FCL-PRE are as
ity of PRE had been established, researchers began to enrich PRE with
follows.
more expressive access control and privacy guarantees. In traditional
• Fuzzy certificateless PRE with conditional privacy. A new PRE systems, once the proxy obtains a re-encryption key, it can often
fuzzy certificateless proxy re-encryption scheme that is tolerant convert all ciphertexts of the delegator for the designated delegatee,
to noisy biometric measurements is proposed. Specifically, the which is incompatible with fine-grained authorization requirements. To
trusted authority first derives a stable, unique biometric iden- address this issue, Weng et al. [19] first proposed conditional proxy
tity 𝑈 𝐼𝐷 from noisy biometric samples, and then generates a re-encryption (CPRE). In their construction, a condition expression is
pseudo-identity with a specific set of attributes 𝜔 = (𝜔𝑖 )𝑛𝑖=1 embedded into the re-encryption key, so that the proxy is only able
for it. Re-encryption is allowed only when the overlap between to transform ciphertexts that satisfy the specified condition, which
the senders and receivers attribute sets satisfies a threshold enforces strict control over the proxys capability at the semantic level.
condition, that is |𝜔 ∩ 𝜔′ | ≥ 𝑑. This policy enforces conditional At the same time, Ateniese et al. [22] presented a PRE scheme with key
privacy on top of pseudo-identities, simplifies key management in privacy. Even if an adversary obtains a re-encryption key, it cannot dis-
the certificateless setting, and enables flexible and efficient data tinguish the delegatees identity, which further protects the receivers
sharing among users with similar attributes. privacy. Shao et al. [18] achieved key privacy while preserving CCA
• Anonymous data sharing via pseudonyms. The proposed security. Li et al. [17] incorporated the idea of conditional PRE into
scheme enhances conditional privacy and reduces the cost of certificate-based cryptography. Their scheme allows only ciphertexts
managing pseudonyms by tightly binding biometrics, pseudo- associated with specific subsets to be transformed and forwarded to
identities, and strong keys. The trusted authority internally main- designated delegatees, and also attains CCA security. In order to sup-
tains a mapping (𝑈 𝐼𝐷, 𝑃 𝑈 𝐼𝐷, 𝜔), where 𝜔 is associated with port more expressive access structures, Yao et al. [21] designed a CPRE
𝑃 𝑈 𝐼𝐷. Thus, the privacy-preserving pseudo-identity can only scheme with ciphertext evolution, which ensures that the delegation
be recovered by the fully trusted authority. Meanwhile, a user process remains under the data owners control. Li et al. [20] proposed
can encrypt and share data on behalf of an attribute group a CPRE scheme that supports only a single receiver. Lin et al. [30]
using a single 𝑃 𝑈 𝐼𝐷, rather than maintaining many separate developed a CPRE scheme tailored for IoT scenarios, which supports
pseudonyms, thus significantly reducing the key management revocation of misbehaving users without relying on a fully trusted
overhead on the user side. third party. Zhang et al. [31] designed a key-sharing mechanism based
• Security and practicality. We provide a detailed security proof on CPRE and combined it with a bilinear accumulator to verify the
of FCL-PRE in the random oracle model, demonstrating that it integrity of homomorphic encryption keys stored in the cloud. Chen
satisfies chosen plaintext attack (IND-CPA) security. Theoreti- et al. [25] constructed a conditional BPRE scheme based on bilinear
cal analysis and experimental results show that FCL-PRE not pairings under conditional constraints.
only achieves anonymity, error tolerance, and resistance to collu- (3) Certificateless-based PRE schemes: Due to the inherent key escrow
sion attack, but also has minimal computational overhead in the problem in identity-based cryptography, Sur et al. [32] introduced
decryption phase. PRE into the certificateless public key setting [33], and then proposed
the concept of certificateless proxy re-encryption (CL-PRE). In CL-PRE,
2. Related work each users private key is split into a partial private key generated
by a key generation center (KGC) and a user-chosen secret value.
(1) Basic PRE schemes: In 1998, Blaze et al. [4] first introduced the This design avoids full key escrow by the KGC and does not require
notion of proxy re-encryption (PRE), which enables a semi-honest proxy traditional certificate management, which makes CL-PRE particularly
to transform ciphertexts without accessing the underlying decryption suitable for resource-constrained environments. Within this framework,
keys. Subsequent early works primarily examined how to delegate Bhatia et al. [34] constructed a lightweight pairing-free CL-PRE scheme
decryption capabilities securely and efficiently so as to support data and applied it to mobile healthcare scenarios. Eltayieb et al. [35]
sharing and access control in cloud environments [911]. As research further adopted blockchain as the proxy to execute the re-encryption
2
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
Table 1
Summary of functional comparison with other schemes.
Schemes Techniques Conditional privacy Fuzzy matching Anonymity Multiple receivers Collusion resistance
[13,14,17] CB-PRE × × × ×
[18] CPRE ✓ × ✓ ✓ ×
[15,16] IB-PRE × × × ✓ ✓
[19,20] CPRE ✓ × × × ×
[21] IB-CPRE ✓ × × ✓ ✓
[22] CPRE ✓ ×× ×
[23,24] CL-PRE × × × ✓ ✓
[25] IB-CPRE ✓ × ✓ ✓ ✓
[26,27] Fuzzy IB-CPRE ✓ ✓ ××
[28,29] CL-CPRE ✓ × × ✓ ✓
Ours Fuzzy CL-CPRE ✓ ✓ ✓ ✓ ✓
algorithm, which not only preserves data confidentiality but also pro- 3.1. Bilinear map
vides a flexible revocation mechanism. Subsequent CL-PRE works [23,
24,36] mainly focused on improving efficiency, supporting revocation, Suppose there exists a mapping 𝑒 G × G → G𝑇 , where G and
and enhancing traceability. Similarly, to prevent cloud platforms from G𝑇 represent two cyclic groups with the same prime order 𝑞. 𝑃 is
abusing re-encryption permissions, Li et al. [28] proposed a novel a generator of G, then a bilinear map 𝑒 should have the following
pairing-free scheme based on certificateless conditional BPRE. Zhou properties [40]:
et al. [29] combined certificateless public key cryptography and PRE,
• Bilinearity: 𝑒(𝑎𝑃 , 𝑏𝑃 ) = 𝑒(𝑃 , 𝑃 )𝑎𝑏 holds for all 𝑎, 𝑏𝑍𝑞 .
which realizes multi-level data access control, dynamic key update, and
ciphertext evolution. • Nondegeneracy: There exists 𝑃 such that 𝑒(𝑃 , 𝑃 ) ≠ 1.
(4) Fuzzy PRE schemes: In another line of research, advances in • Computability: 𝑒(𝑃1 , 𝑃2 ) can be computed efficiently for all 𝑃1 , 𝑃2
biometric technologies have introduced new design dimensions for ∈ G.
PRE. Fuzzy identity-based encryption (FIBE) [37] leverages biometric
characteristics such as fingerprints and irises, which are inherently 3.2. Useful definitions
unique and tamper-resistant, to derive descriptive attribute sets that
serve as a natural attribute space for encryption and authorization. Definition 1 (Shamir Secret Sharing [41]). Shamirs secret sharing
Following this idea, Fang et al. [26] proposed an FCPRE scheme in scheme, introduced in 1979, is based on polynomial interpolation. A
which descriptive keywords are used as conditions to realize fuzzy secret 𝑠 is divided into 𝑛 shares, denoted as 𝑠1 , … , 𝑠𝑛 with a threshold
𝑡, such that any set of at least 𝑡 participants 𝑖 can recover 𝑠, whereas
conditional PRE. In their scheme, the proxy can re-encrypt ciphertexts
any subset of size less than 𝑡 gains no information about it. The scheme
according to a 𝑡-out-of-𝑑 threshold strategy. Xiong et al. [38] later
consists of the following phases:
proposed an improved pairing-based fuzzy identity-based signature
(FIBS) scheme that supports the error tolerance property. Li et al. [27] • Secret distribution: Let  = {1 , … , 𝑛 } denote the set of par-
presented the first lattice-based FIB-CPRE scheme. Their scheme pro- ticipants and randomly select the secret value 𝑠𝑍𝑞 . Then, a
vides finer-grained control over delegated decryption, but incurs high polynomial 𝐹 (𝑥) of degree 𝑡 1 is selected that satisfying the
computational cost, which negatively affects overall encryption and condition of 𝐹 (0) = 𝑠, then 𝐹 (𝑥) can be expressed as:
decryption efficiency. It should be noted that the use of biometric
𝑡1
traits can significantly improve usability, but the noise inevitably intro- 𝐹 (𝑥) = 𝑠 + 𝑎𝑗 𝑥𝑗 mod 𝑞.
duced during biometric acquisition and feature extraction makes key 𝑗=1
generation and matching more challenging. To cope with this issue, Therefore, the share set 𝑆𝑆 = {(𝜔𝑖 , 𝑠𝑖 )|1 ≤ 𝑖𝑛}, where 𝐹 (𝜔𝑖 ) =
Wang et al. [39] proposed a novel fuzzy certificateless signature au- 𝑠𝑖 . The 𝑖th share (𝜔𝑖 , 𝑠𝑖 ) is privately delivered to the corresponding
thentication scheme that achieves conditional privacy while effectively participant 𝑖 .
protecting the confidentiality of users real biometric characteristics. • Secret reconstruction: Let 𝑆 ⊆ {1, … , 𝑛} be a group with |𝑆| = 𝑡.
As summarized in Table 1, existing PRE schemes and their variants The secret value is reconstructed from shares 𝑠1 , … , 𝑠𝑛 using the
have achieved substantial progress in terms of functionality and ap- Lagrange interpolation method:
plicability to diverse scenarios. However, several important limitations ∑ ∑
remain. 𝐹 (𝑥) = 𝛥𝜔𝑖 ,𝑆 (𝑥)𝐹 (𝜔𝑖 ) = 𝛥𝜔𝑖 ,𝑆 (𝑥)𝑠𝑖 .
𝑖 ∈𝑆 𝑖 ∈𝑆
• The scalability on the receiver side is restricted. Many schemes ∏ 𝑥−𝜔𝑘
where 𝛥𝜔𝑖 ,𝑆 (𝑥) = 𝑖 ∈𝑆,𝑘≠𝑖 𝜔𝑖 −𝜔𝑘 is denoted as the Lagrange
do not efficiently support data sharing among multiple receivers, coefficient.
which limits their practicality in large-scale collaborative appli-
cations, such as schemes [14,17,20]. Definition 2 (Decisional Bilinear DiffieHellman (DBDH) Assumption).
• The strong binding between real identities and biometric char- Given a random instance (𝑃 , 𝑎𝑃 , 𝑏𝑃 , 𝑐𝑃 , 𝑇 ), 𝑃 ∈ G, 𝑎, 𝑏, 𝑐 are randomly
acteristics introduces significant privacy risks. Some biometric- selected elements from 𝑍𝑞 , and 𝑇 is an element in G𝑇 . The DBDH
based schemes do not adequately protect the identity privacy assumption requires determining whether 𝑇 is equal to 𝑒(𝑃 , 𝑃 )𝑎𝑏𝑐 or
of senders and receivers, and therefore cannot satisfy stringent a random element in G𝑇 . For any PPT algorithms , the advantage
privacy requirements, as in schemes [23,24,26,28,29]. of successfully distinguishing between 𝑇 = 𝑒(𝑃 , 𝑃 )𝑎𝑏𝑐 and a random
element is defined as follows.
3. Preliminaries 𝐴𝑑𝑣𝐷𝐵𝐷𝐻 (𝜆) = |𝑃 𝑟[(𝑃 , 𝑎𝑃 , 𝑏𝑃 , 𝑐𝑃 , 𝑒(𝑃 , 𝑃 )𝑎𝑏𝑐 ) = 1]|
|𝑃 𝑟[(𝑃 , 𝑎𝑃 , 𝑏𝑃 , 𝑐𝑃 , 𝑇 ) = 1]|
This section briefly overviews the basic concepts and techniques
discussed in our scheme. Table 2 provides a list of symbols and their If the advantage 𝐴𝑑𝑣𝐷𝐵𝐷𝐻
(𝜆) in solving the DBDH is negligible, then
descriptions. the DBDH assumption holds.
3
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
Table 2
Summary of notations.
Symbol Description
𝜆 Security parameter
𝑚𝑠𝑘 Master secret key
𝑏𝑖𝑜 Biometric characteristic
𝐼𝑑𝐺𝑒𝑛(⋅) An identity extraction function
𝑈 𝐼𝐷 Realistic identity
𝑃 𝑈 𝐼𝐷 Pseudo-identity
𝑑 Error tolerance
𝜔 An attribute set
𝑥𝑃 𝑈 𝐼𝐷 Secret value
𝑆𝐾𝑃 𝑈 𝐼𝐷 Users full private key
𝑃 𝐾𝑃 𝑈 𝐼𝐷 Public key
𝑅𝐾,𝜔, Re-encryption key
𝐶𝑇 Original ciphertext
𝐶𝑇 Re-encrypted ciphertext
Fig. 2. The operation flow of FCL-PRE.
Definition 3 (Syntax of FCL-PRE). The nine polynomial-time algorithms
shown below constitute our FCL-PRE scheme.
• Key Generation Center (KGC): As an honest but curious KGC, it
• Setup. On input a security parameter 𝜆, TA and KGC generate
is responsible for performing system initialization and generating
system parameter 𝑝𝑎𝑟𝑎𝑚𝑠, and a master secret key 𝑚𝑠𝑘 that is kept
a partial private key related to the users identity, and it is
secret from user.
assumed that KGC and TA will not collude.
• PartialPrivateKey. After TA publishes the pseudo-identity 𝑃 𝑈 𝐼𝐷
• Cloud Proxy Server (CPS): CPS is responsible for storing original
for each registered user, KGC generates the corresponding partial
ciphertexts and executing conditional re-encryption operations.
private key 𝐷𝑃 𝑈 𝐼𝐷 and sends it to the user.
When the receiver  sends an access request, CPS first verifies
• SetSecretValue. The sender  executes the algorithm, and
whether the condition |𝜔 ∩ 𝜔′ | ≥ 𝑑. If so, sender  generates a cor-
chooses a secret value 𝑥𝑃 𝑈 𝐼𝐷 randomly.
responding re-encryption key for CPS to perform re-encryption.
• SetPrivateKey. On input 𝑃 𝑈 𝐼𝐷, 𝑝𝑎𝑟𝑎𝑚𝑠, 𝑥𝑃 𝑈 𝐼𝐷 and 𝐷𝑃 𝑈 𝐼𝐷 , 
Otherwise, CPS refuses to implement the re-encryption operation.
generates the complete private key 𝑆𝐾𝑃 𝑈 𝐼𝐷 .
Please note that, as a semi-trusted entity, it may still attempt to
• SetPublicKey.  performs this algorithm, and inputs 𝑥𝑃 𝑈 𝐼𝐷 , then
infer user privacy from the shared data.
outputs the full public key 𝑃 𝐾𝑃 𝑈 𝐼𝐷 .
• Sender ():  can use the public key associated with 𝑃 𝑈 𝐼𝐷 to
• Encryption. On input 𝑃 𝑈 𝐼𝐷, 𝑝𝑎𝑟𝑎𝑚𝑠, a message 𝑚, and 𝑃 𝐾𝑃 𝑈 𝐼𝐷 , encrypt the data to be shared, generate the original ciphertext
 computes the original ciphertext 𝐶𝑇 .
𝐶𝑇 and upload it to CPS storage. In addition,  produces the
• ReKey Generation. Given the private key 𝑆𝐾𝑃 𝑈 𝐼𝐷 , s pseudo- corresponding re-encryption key 𝑅𝐾 ,𝜔, according to the result
identity 𝑃 𝑈 𝐼𝐷 and the corresponding 𝑃 𝐾𝑃 𝑈 𝐼𝐷 ,  generates a of the verification equation, and sends it to CPS.
conditional re-encryption key 𝑅𝐾 ,𝜔, by running this algorithm.
• Receiver (): The authorized receiver  can decrypt and obtain
• Re-encryption. Upon receiving 𝑅𝐾 ,𝜔, , the original ciphertext the plaintext by downloading the re-encrypted ciphertext.
𝐶𝑇 , the cloud should verify whether the equation |𝜔 ∩ 𝜔′ | ≥
𝑑 holds. If and only when the algorithm satisfies, the origi-
nal ciphertext 𝐶𝑇 can be re-encrypted, and the second-layer of 4.2. Security guarantee model
ciphertext 𝐶𝑇 can be generated.
• Decryption. The user invokes it to decrypt the corresponding There are two types of adversaries in the certificateless cryptosys-
ciphertext, resulting in either the plaintext 𝑚 or ⟂. tem [42]: 1 is the first type of adversary, which can replace the users
public key, and 2 is the second type of adversary, which can obtain
4. Scheme model the master secret key. Game-I and Game-II are the IND-CPA security
games for FCL-PRE. Please note that each pseudo-identity 𝑃 𝑈 𝐼𝐷 is
In this section, we introduce the system model, outline the security associated with an attribute set 𝜔.
guarantee model, and specify security requirements, respectively. Game-I. This game embodies the attack ability of 1 , challenger 
responds to 1 s a series queries by controlling the following oracles.
4.1. System model
• Initialization. When 𝜆 is received,  first executes the Setup
The operation flow of fuzzy certificateless proxy re-encryption algorithm to obtain 𝑝𝑎𝑟𝑎𝑚𝑠, and generates the system master key
scheme is shown in Fig. 2. It includes five different parties, namely: 𝑚𝑠𝑘. Then,  outputs 𝑝𝑎𝑟𝑎𝑚𝑠 and keeps 𝑚𝑠𝑘 in secret.
Trusted Authority, Key Generation Center, Cloud Proxy Server, Sender, • Phase 1. The adversary 1 initiates a series of queries, and 
and Receiver. responds accordingly.
• Trusted Authority (TA): TA is a fully trusted authority whose PPKQuery oracle 𝑝𝑝𝑘 :  executes the PartialPrivateKey
primary role is to generate privacy-preserving pseudo-identities algorithm to generate the partial private key 𝐷𝑃 𝑈 𝐼𝐷 for the
𝑃 𝑈 𝐼𝐷 for users and to cooperate with KGC in setting up and pub- 𝑃 𝑈 𝐼𝐷 and returns it to 1 .
lishing the public parameters. At the same time, it maintains an SKQuery oracle 𝑠𝑘 : After receiving the partial private key
internal mapping (𝑈 𝐼𝐷, 𝑃 𝑈 𝐼𝐷, 𝜔), where 𝜔 denotes the attribute 𝐷𝑃 𝑈 𝐼𝐷 ,  first runs PartialPrivateKey and SetSecretValue
set associated with each 𝑃 𝑈 𝐼𝐷. Only the pseudo-identity and algorithms to obtain the corresponding 𝐷𝑃 𝑈 𝐼𝐷 and 𝑥𝑃 𝑈 𝐼𝐷 .
its associated attribute information are exposed to other entities, Next,  runs the SetPrivateKey algorithm to generate the
while the real identity 𝑈 𝐼𝐷 remains exclusively known to TA. complete private key 𝑆𝐾𝑃 𝑈 𝐼𝐷 , and returns it to 1 .
4
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
PKQuery oracle 𝑝𝑘 :  runs the SetSecretValue algorithm (3) If 2 has sent the private key queries to the challenge
to obtain 𝑥𝑃 𝑈 𝐼𝐷 , and extracts the users public key 𝑃 𝐾𝑃 𝑈 𝐼𝐷 identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 condition,
by running the SetPublicKey algorithm. Finally,  returns the re-encryption key queries can no longer be performed,
it to 1 . and the information related to the re-encrypted ciphertext
PK replacement oracle 𝑝𝑘𝑟𝑝 : When 1 queries a two- cannot be queried.
tuple (𝑃 𝑈 𝐼𝐷, 𝑃 ̃𝐾𝑃 𝑈 𝐼𝐷 ), where 𝑃 ̃𝐾𝑃 𝑈 𝐼𝐷 is the newly se-
• Guess. Finally, 2 guesses the challenge bit 𝑏 ∈ {0, 1}. If 𝑏 = 𝑏,
lected public key to replace the public key 𝑃 𝐾𝑃 𝑈 𝐼𝐷 cur-
2 wins this game.
rently associated with 𝑃 𝑈 𝐼𝐷. Therefore, 1 performs pub-
lic key replacement, such as 𝑃 𝐾𝑃 𝑈 𝐼𝐷 = 𝑃 ̃ 𝐾𝑃 𝑈 𝐼𝐷 .
Definition 5. According to the definition of Game-II, our FCL-PRE is
ReKeyGen oracle 𝑟𝑘 :  runs the ReKey Generation al-
IND-CPA secure if the advantage of 2 is negligible, defined as
gorithm and returns a re-encryption key 𝑅𝐾 ,𝜔, to 1 . If
1
the public key of 𝑃 𝑈 𝐼𝐷 has been replaced at this time, 1 𝐴𝑑𝑣𝐺𝑎𝑚𝑒−𝐼𝐼
(𝜆) = |𝑃 𝑟[𝑏 = 𝑏] |.
2 2
cannot perform this query.
Re-encryption oracle 𝑟𝑒𝑒𝑛 :  performs it and returns a re-
4.3. Security requirements
encrypted 𝐶𝑇 to 1 . If the public key of 𝑃 𝑈 𝐼𝐷 has been
replaced, 1 cannot perform the query.
The proposed FCL-PRE scheme should satisfy the following security
• Challenge. After completing all the interactions between 1 and objectives.
, 1 outputs a challenge identity 𝑃 𝑈 𝐼𝐷𝜋 and two messages of
• Confidentiality. FCL-PRE must protect sensitive information before
equal length (𝑚0 , 𝑚1 ).  randomly selects a message 𝑚𝑏 , 𝑏 ∈ {0, 1},
it is uploaded to the CPS and prevent any access by unauthorized
calculates the corresponding ciphertext and returns it to 1 .
recipients. Additionally, when generating the original ciphertext
• Phase 2. 1 and challenger  continue to conduct queries and and re-encryption key, conditional information is incorporated to
answers similar to phase 1, but must follow three constraints. ensure that re-encryption can only be performed if the original
ciphertext meets specific conditions.
(1) 1 has never queried the partial private key or private key
• Anonymity. To protect user privacy, FCL-PRE must conceal the
for the challenge identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥
users real biometric identity. Unless it is a trusted third party,
𝑑.
no adversary can establish a valid biometric identification as-
(2) If 1 sends the re-encryption key queries to a challenge
sociation, thereby preventing the leakage of the users identity
identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 condition, then
information.
the partial private key queries or private key queries can no
• Error tolerance. Considering that biometric characteristic may con-
longer be performed.
tain some noise with each sampling, FCL-PRE must exhibit error
(3) If 1 has sent the partial private key or private key queries tolerance. Specifically, when the distance between the biometric
to challenge identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 identity 𝜔 of the sender  and another identity 𝜔′ is higher than
condition, the re-encryption key queries can no longer be a predefined threshold 𝑑, the proxy can use the re-encryption
performed, and the information related to the re-encrypted key to generate the corresponding re-encrypted ciphertext for 𝜔′ ,
ciphertext cannot be queried. enabling efficient data sharing.
• Collusion resistance. In our FCL-PRE, even in the presence of semi-
• Guess. Finally, 1 guesses the challenge bit 𝑏 ∈ {0, 1}. If 𝑏 = 𝑏,
trusted parties, such as collusion between CPS and the receiver,
1 wins this game.
CPS cannot obtain the senders complete private key and thus
cannot perform any decryption operations, ensuring the systems
Definition 4. According to the definition of Game-I, our FCL-PRE is security against internal collusion attacks.
IND-CPA secure if the advantage of 1 is negligible, defined as
1
𝐴𝑑𝑣𝐺𝑎𝑚𝑒−𝐼
(𝜆) = |𝑃 𝑟[𝑏 = 𝑏] |. 5. The proposed FCL-PRE scheme
1 2
Game-II. The game embodies the attack ability of 2 , challenger  In this section, we thoroughly describe FCL-PRE, which supports
responds to 2 s a series queries by controlling the following oracles. efficient fuzzy data sharing through anonymized biometric identities.
Game-II is similar to Game-I, therefore, only their main differences are The procedure flow of FCL-PRE is presented in Fig. 3.
presented below.
5.1. System initialization
• Initialization. When 𝜆 is received,  first executes the Setup
algorithm to obtain 𝑝𝑎𝑟𝑎𝑚𝑠, and generates a system master key (1) Upon inputting the security parameter 𝜆, KGC generates a bilinear
𝑚𝑠𝑘. Then,  returns them to 2 . pairing parameters (𝑒, G, G𝑇 , 𝑞, 𝑃 ), where G and G𝑇 represent two
• Phase 1. 2 issues a series of queries similar to those in Game-I, cyclic groups with the same prime order 𝑞, 𝑒 G × G → G𝑇 , 𝑃
and  responds accordingly. At this time, 2 lacks the ability to is the generator of G. Then, KGC selects 𝑠𝑍𝑞 randomly and
replace the public key. calculates the system public key 𝑃𝑝𝑢𝑏 = 𝑠𝑃 .
• Challenge. Similar to the Game-I. (2) TA considers a symmetric key encryption scheme to hide the
• Phase 2. 2 and challenger  continue to conduct similar queries users realistic identity 𝑈 𝐼𝐷, denoted by 𝐸𝑛𝑐𝜙 (⋅) and 𝐷𝑒𝑐𝜙 (⋅).
and answers as in phase 1, but must follow three constraints. Here, 𝐸𝑛𝑐𝜙 (⋅) represents the encryption algorithm, 𝐷𝑒𝑐𝜙 (⋅) rep-
resents the decryption algorithm, and 𝜙 is the shared symmetric
(1) 2 has never queried the private key for the challenge key.
identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 condition. (3) Finally, TA and KGC choose four collision-resistant hash func-
(2) If 2 sends the re-encryption key queries to a challenge tions: 𝐻1 {0, 1} → G, 𝐻2 {0, 1} → G, 𝐻3 {0, 1} → G,
identity 𝑃 𝑈 𝐼𝐷𝜋 that meets the |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 condition, then and 𝐻4 {0, 1}𝑍𝑞 , define the system parameters as 𝑝𝑎𝑟𝑎𝑚𝑠 =
the private key queries can no longer be performed. {G, G𝑇 , 𝑒, 𝑞, 𝑑, 𝑃 , 𝑃𝑝𝑢𝑏 , 𝐻1 , 𝐻2 , 𝐻3 , 𝐻4 }.
5
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
Fig. 3. The algorithm procedure of FCL-PRE.
5.2. User registration phase (1) 𝑗 picks a random number 𝑟𝑗𝑍𝑞 , and a polynomial 𝑔(𝑥) of
degree 𝑑 1 such that 𝑔(0) = 𝑟𝑗 and assigns 𝑔(𝜔𝑖 ) = 𝑟𝑖,𝑗 , where
Before sharing data, each user must register their identity informa- 𝑖 ∈ {1, … , 𝑛}. Then, 𝑗 computes
tion with TA. Let the sender be denoted as 𝑗 . First, 𝑗 transmits the
𝑈1 = 𝑟𝑗 𝑃 , 𝐸𝑗 = 𝐻2 (𝑃 𝑈 𝐼𝐷𝑗𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗𝑃𝑝𝑢𝑏 ),
realistic biometric information 𝑏𝑖𝑜 (i.e., fingerprint) to TA via a secure ∏
channel. Then, TA applies the identity extraction function 𝐼𝑑𝐺𝑒𝑛(⋅) 𝑉1 = 𝑚 (𝑒(𝑃𝑝𝑢𝑏 , 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑟𝑖,𝑗 × 𝑒(𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 , 𝐸𝑗 )𝑟𝑖,𝑗 )𝛥𝜔𝑖 ,𝑆 (0)
to convert 𝑏𝑖𝑜 into a unique biometric identity 𝑈 𝐼𝐷𝑗 = 𝐼𝑑𝐺𝑒𝑛(𝑏𝑖𝑜). 𝜔𝑖 ∈𝑆
The 𝐼𝑑𝐺𝑒𝑛(⋅) function is similar to a hash function and is irreversible. 𝑗 uploads the original ciphertext 𝐶𝑇 = (𝑈1 , 𝑉1 ) to the CPS.
It transforms the biometrics into an identity that is indistinguishable
(2) Finally, 𝑗 selects 𝑘𝑍𝑞 randomly, and computes 𝑅 = 𝑘𝑃 ,
from random information and cannot be used to infer the original
= 𝐻4 (𝑈1 ∥ 𝑉1 ∥ 𝑅𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗𝑃 𝑈 𝐼𝐷𝑗 ). Then, 𝑗 generates a
biometrics [39,41].
signature 𝜎𝑗 = 𝑘 + 𝑥𝑃 𝑈 𝐼𝐷𝑗 mod 𝑞, and transmits (𝑅, 𝜎) to the
Next, TA generates a pseudo-identity as 𝑃 𝑈 𝐼𝐷𝑗 = 𝐸𝑛𝑐𝜙 (𝑈 𝐼𝐷𝑗
CPS.
𝑛𝑃 𝑈 𝐼𝐷 ) ∥ 𝑇𝑗 to protect the real biometric identity, where 𝑛𝑃 𝑈 𝐼𝐷 repre-
sents the number of pseudo-identities requested and 𝑇𝑗 is the validity
period of the pseudo-identity. Meanwhile, TA internally maintains a 5.4. Verification and sharing phase
mapping (𝑈 𝐼𝐷𝑗 , 𝑃 𝑈 𝐼𝐷𝑗 , 𝜔), where 𝜔 is the attribute set associated with
𝑃 𝑈 𝐼𝐷𝑗 . Eventually, TA publishes 𝑃 𝑈 𝐼𝐷𝑗 and keeps 𝑈 𝐼𝐷𝑗 secret. When a new receiver 𝑗 initiates an access request, 𝑗 first needs
to send the current pseudo-identity to CPS. After the identity authen-
(1) Upon receiving the attribute set 𝜔 associated with 𝑗 s pseudo- tication is successful, CPS performs re-encryption operations based on
identity 𝑃 𝑈 𝐼𝐷𝑗 , KGC first randomly selects a polynomial 𝑝(𝑥) of this pseudo-identity.
degree 𝑑 1 such that 𝑝(0) = 𝑠 and assigns 𝑝(𝜔𝑖 ) = 𝑠𝑖 , where
𝑖 ∈ {1, … , 𝑛}. Then it calculates the partial private key as 𝐷𝑖,𝑗 = (1) The CPS first computes = 𝐻4 (𝑈1 ∥ 𝑉1 ∥ 𝑅𝑃 𝐾𝑃 𝑈 𝐼𝐷
𝑗
𝑠𝑖 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ). The partial private key (𝐷𝑖,𝑗 )𝑛𝑖=1 of 𝑗 is represented ?
by KGC as 𝐷𝑃 𝑈 𝐼𝐷𝑗 . 𝑃 𝑈 𝐼𝐷𝑗 ) and 𝜎𝑗 𝑃 = 𝑅 + 𝑃 𝐾𝑃 𝑈 𝐼𝐷 . After the signature verifi-
𝑗
cation is successful, CPS selects a 𝑑-element subset, 𝑆 ⊆ 𝜔 ∩ 𝜔′
(2) After receiving the partial private key 𝐷𝑃 𝑈 𝐼𝐷𝑗 , 𝑗 can calculate
randomly, and determines whether the input attribute set 𝜔′
Lagrange coefficients and perform local verification to ensure
satisfies |𝜔 ∩ 𝜔′ | ≥ 𝑑, if yes, CPS returns the result to the sender.
consistency: 𝑒(𝐷𝑃 𝑈 𝐼𝐷𝑗 , 𝑃 ) = 𝑒(𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ), 𝑃𝑝𝑢𝑏 ). Then, 𝑗 chooses
(2) 𝑗 generates the corresponding re-encryption key for the pseudo-
a random secret value 𝑥𝑃 𝑈 𝐼𝐷𝑗𝑍𝑞 , a polynomial 𝑦(𝑥) of degree
identity based on the result. 𝑗 computes 𝜑 = 𝑒(𝐷𝑃 𝑈 𝐼𝐷𝑗 ,
𝑑 1 such that 𝑦(0) = 𝑥𝑃 𝑈 𝐼𝐷𝑗 , and lets 𝑦(𝜔𝑖 ) = 𝑥𝑖,𝑃 𝑈 𝐼𝐷𝑗 , where
𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 )), 𝑅𝐾 ,𝜔, = 𝐷𝑃 𝑈 𝐼𝐷𝑗 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 + 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗
𝑖 ∈ {1, … , 𝑛}. Then, 𝑗 s secret value (𝑥𝑖,𝑃 𝑈 𝐼𝐷𝑗 )𝑛𝑖=1 is defined as
𝑃 𝐾𝑃 𝑈 𝐼𝐷 ∥ 𝜔 ∥ 𝜔′ ), and then sends 𝑅𝐾 ,𝜔, to CPS.
𝑥𝑃 𝑈 𝐼𝐷𝑗 . 𝑗
(3) Obtaining 𝐷𝑃 𝑈 𝐼𝐷𝑗 , 𝑗 sets the full private key as 𝑆𝐾𝑃 𝑈 𝐼𝐷𝑗 = (3) Finally, CPS can use the re-encryption key 𝑅𝐾 ,𝜔, to convert
(𝐷𝑃 𝑈 𝐼𝐷𝑗 , 𝑥𝑃 𝑈 𝐼𝐷𝑗 ). 𝐶𝑇 into a re-encrypted ciphertext 𝐶𝑇 . It computes 𝑈2 = 𝑈1 ,
𝑉2 = 𝑉1 𝑒(𝑈1 , 𝑅𝐾 ,𝜔, ), and then outputs 𝐶𝑇 = (𝑈2 , 𝑉2 ) to the
(4) 𝑗 calculates 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 = 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 as the public key, and pub-
authorized recipient.
lishes it.
5.3. Data encryption phase 5.5. Data decryption phase
Given the 𝑗 s identity 𝑃 𝑈 𝐼𝐷𝑗 associated with an attribute set 𝜔 = The procedure to decrypt the original ciphertext and the re-
(𝜔𝑖 )𝑛𝑖=1 , the public key 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 , and a message 𝑚. encrypted ciphertext is as follows:
6
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
Correctness
For the original ciphertext 𝐶𝑇 = (𝑈1 , 𝑉1 ):
𝑉1
𝑚= ∏
𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 𝑒(𝑈1 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 + 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )
𝑚 𝜔𝑖 ∈𝑆 (𝑒(𝑃𝑝𝑢𝑏 , 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))
𝑟𝑖,𝑗
× 𝑒(𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 , 𝐸𝑗 )𝑟𝑖,𝑗 )𝛥𝜔𝑖 ,𝑆 (0)
= ∏ 𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 𝑒(𝑈1 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 + 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )
𝑚
=
𝑒(𝑈1 ,𝐷𝑃 𝑈 𝐼𝐷𝑗 +𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 ) 𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 ( 𝑒(𝑃𝑝𝑢𝑏 ,𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))
𝑟𝑖,𝑗
×𝑒(𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ,𝐸𝑗 )𝑟𝑖,𝑗
)
𝑚
= ∑
𝑒(𝑟𝑗 𝑃 , 𝜔 ∈𝑆 (𝑝(𝜔𝑖 )𝛥𝜔𝑖 ,𝑆 (0))𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑒(𝑟𝑗 𝑃 ,𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )
𝑖
∑ ∑
𝑒(𝑠𝑃 , 𝜔 ∈𝑆 (𝑔(𝜔𝑖 )𝛥𝜔𝑖 ,𝑆 (0))𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑒(𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 , 𝜔 ∈𝑆 (𝑔(𝜔𝑖 )𝛥𝜔𝑖 ,𝑆 (0))𝐸𝑗 )
𝑖 𝑖
𝑚
= =𝑚
𝑒(𝑟𝑗 𝑃 ,𝑠𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑒(𝑟𝑗 𝑃 ,𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )
𝑒(𝑠𝑃 ,𝑟𝑗 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑒(𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 ,𝑟𝑗 𝐸𝑗 )
For the re-encrypted ciphertext 𝐶𝑇 = (𝑈2 , 𝑉2 ):
𝑉2
𝑚= ∏
𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 𝑒(𝑈2 , 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ∥ 𝜔 ∥ 𝜔 ))
𝑚 𝜔𝑖 ∈𝑆 (𝑒(𝑃𝑝𝑢𝑏 , 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑟𝑖,𝑗 × 𝑒(𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 , 𝐸𝑗 )𝑟𝑖,𝑗 )𝛥𝜔𝑖 ,𝑆 (0) 𝑒(𝑈1 , 𝑅𝐾 ,𝜔, )
= ∏ 𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 𝑒(𝑈2 , 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ∥ 𝜔 ∥ 𝜔 ))
𝑗
𝑚𝑒(𝑠𝑃 , 𝑟𝑗 𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ))𝑒(𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 , 𝑟𝑗 𝐸𝑗 )𝑒(𝑟𝑗 𝑃 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 + 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 𝐾𝑃 𝑈 𝐼𝐷 ∥ 𝜔 ∥ 𝜔′ ))
𝑗
=
𝑒(𝑟𝑗 𝑃 , 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ∥ 𝜔 ∥ 𝜔′ ))
𝑗
𝑚𝑒(𝑟𝑗 𝑃 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 + 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )𝑒(𝑟𝑗 𝑃 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 )𝑒(𝑟𝑗 𝑃 , 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 𝐾𝑃 𝑈 𝐼𝐷 ∥ 𝜔 ∥ 𝜔′ )))
𝑗
= =𝑚
𝑒(𝑟𝑗 𝑃 , 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ∥ 𝜔 ∥ 𝜔′ ))
𝑗
(1) For the original ciphertext 𝐶𝑇 , sender 𝑗 can get the plaintext by  restores the corresponding record and returns 𝐻1 (𝑃 𝑈 𝐼𝐷)
computing = (1𝑖 )𝑛𝑖=1 to 1 . Otherwise, for this tuple,  considers the
𝑉1 following two cases:
𝑚= ∏
𝛥𝜔𝑖 ,𝑆 (0)
𝜔𝑖 ∈𝑆 𝑒(𝑈1 , 𝐷𝑃 𝑈 𝐼𝐷𝑗 + 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 ) Case 1: If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑,  randomly selects a polyno-
mial 𝑡(𝑥) of degree 𝑑 1 such as 𝑡(0) = , and returns
(2) For the re-encrypted ciphertext 𝐶𝑇 , only authorized receivers to 1 . Then,  saves the tuple (𝑃 𝑈 𝐼𝐷, , ⟂, ⟂) in the
can successfully obtain the data. 𝐿1 .
𝑉2 Case 2: If |𝜔 ∩ 𝜔𝜋 | < 𝑑,  need to selects 𝛼𝑢 ∈ {0, 1} at
𝑚= ∏
𝛥𝜔𝑖 ,𝑆 (0) random, where the probability of 𝛼𝑢 = 1 is 𝛾.
𝜔𝑖 ∈𝑆 𝑒(𝑈2 ,𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗 ∥ 𝜔 ∥ 𝜔 ))
(1) When 𝛼𝑢 = 0,  chooses a random number
𝑧𝑖𝑍𝑞 , a polynomial 𝑦(𝑥) of degree 𝑑 1,
6. Security analysis 𝑦(0) = 𝑧. Let 𝑧𝑖 = 𝑦(𝜔𝑖 ), where 𝑖 = {1, … , 𝑛},
 calculates 𝐻1 (𝑃 𝑈 𝐼𝐷) = 𝑧𝑖 𝑐𝑃 , and saves tuple
6.1. Security proof for FCL-PRE (𝑃 𝑈 𝐼𝐷, 𝑧𝑖 𝑐𝑃 , (𝑧𝑖 )𝑛𝑖=1 , 0) in the 𝐿1 .
(2) When 𝛼𝑢 = 1,  selects 𝑧𝑍𝑞 , outputs
Theorem 1. If adversary 1 breaks FCL-PRE with a non-negligible advan- 𝐻1 (𝑃 𝑈 𝐼𝐷) = 𝑧 𝑃 and saves tuple (𝑃 𝑈 𝐼𝐷, 𝑧 𝑃 ,
tage 𝜀, we can construct an algorithm  that solves the DBDH assumption 𝑧 , 1) in the 𝐿1 .
in polynomial time with an advantage 𝜀′ .
Proof. Given a set of challenge instance (𝑃 , 𝑎𝑃 , 𝑏𝑃 , 𝑐𝑃 , 𝑇 ),  acts as
𝐻2 Query:  maintains an initially empty list of the form
a subroutine of the adversary 1 and attempts to determine whether
𝐿2 (𝑃 𝑈 𝐼𝐷, 𝑡𝑖 , 𝑌𝑖 ). When 1 makes a query, if 𝑃 𝑈 𝐼𝐷 already
𝑇 = 𝑒(𝑃 , 𝑃 )𝑎𝑏𝑐 . Therefore,  needs to answer a series of inquiries from
exists in the 𝐿2 ,  answers with 𝑌𝑖 , otherwise it randomly
1 .
selects 𝑡𝑖𝑍𝑞 , calculates 𝑌𝑖 = 𝑡𝑖 𝑃 and adds the tuple
∙ Initialization. By executing Setup algorithm,  gets 𝑝𝑎𝑟𝑎𝑚𝑠 = (𝑃 𝑈 𝐼𝐷, 𝑡𝑖 , 𝑌𝑖 ) to the 𝐿2 .
{G, G𝑇 , 𝑞, 𝑒, 𝑑, 𝑃 , 𝑃𝑝𝑢𝑏 , 𝐻1 , 𝐻2 , 𝐻3 }. Then,  sets 𝑃𝑝𝑢𝑏 = 𝑎𝑃 , and 𝑎 𝐻3 Query:  maintains an initially empty list of the form
is the master key, which is unknown to . 𝐿3 (𝑋 , 𝐻 ). If 𝑋 is in the list 𝐿3 ,  returns 𝐻 to 1 .
Otherwise,  uniformly selects an element 𝐻 ∈ G, returns
𝐻1 Query:  maintains an initially empty list of the form it and records the pair (𝑋 , 𝐻 ) in 𝐿3 .
𝐿1 (𝑃 𝑈 𝐼𝐷, (1𝑖 )𝑛𝑖=1 , (𝑧𝑖 )𝑛𝑖=1 , 𝛼𝑢 ), 1 publishes 𝑃 𝑈 𝐼𝐷 for
query.  first chooses 𝜋 ∈ {1, 2, … , 𝑞𝐻1 } and defines 𝑃 𝑈 𝐼𝐷𝜋 ∙ Phase 1. For a series of inquiries raised by 1 ,  answers as
as the challenge identity. If 𝑃 𝑈 𝐼𝐷 already exists in the 𝐿1 , follows.
7
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
PPKQuery oracle 𝑝𝑝𝑘 : 1 publishes an identity 𝑃 𝑈 𝐼𝐷 for 𝑃 𝑈 𝐼𝐷𝜋 ,  fails in this game. Otherwise,  randomly selects a
query,  maintains a list of the form 𝐿𝑝𝑝𝑘 (𝑃 𝑈 𝐼𝐷, 𝐷𝑃 𝑈 𝐼𝐷 ) message 𝑚𝑏 , where 𝑏 ∈ {0, 1}, calculates the ciphertext 𝐶𝑇𝑏 =
as the answer to 1 . If 𝑃 𝑈 𝐼𝐷 already exists in the 𝐿𝑝𝑝𝑘 , (𝑈𝑏 , 𝑉𝑏 ) = (𝑏𝑃 , 𝑚𝑏 𝜔𝑖 ∈𝑆 𝑒(𝑃 𝐾𝑃 𝑈 𝐼𝐷𝜋 , 𝑡𝑖 𝑏𝑃 )𝑇 𝛥𝜔𝑖 ,𝑆 (0) ) and sends 𝐶𝑇𝑏
 first performs the 𝐻1 Query in the above steps to obtain to 1 .
𝐻1 (𝑃 𝑈 𝐼𝐷). Otherwise,  finds the tuple in the 𝐿1 : ∙ Phase 2. Adversary 1 initiates a series of queries similar to
Case1: If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑, the challenger  aborts and Phase 1, and  responds accordingly. Please note that the queries
outputs fault. issued by 1 in this phase must comply with the constraints in
Case2: If |𝜔 ∩ 𝜔𝜋 | < 𝑑,  randomly selects a polyno- the security model.
mial 𝑝(𝑥) of degree 𝑑 1, 𝑝(0) = 𝑎, let 𝑝(𝜔𝑖 ) = 𝑎𝑖 , where ∙ Guess. Once the adversary 1 provides a guess 𝑏 ∈ {0, 1} for the
𝑖 ∈ {1, … , 𝑛}.  returns 𝑧𝑖 𝑎𝑃 to 1 , and saves tuple challenge bit,  outputs 1 if 𝑏 = 𝑏 and 0 otherwise. □
(𝑃 𝑈 𝐼𝐷, (𝐷𝑃 𝑈 𝐼𝐷 )) in the 𝐿𝑝𝑝𝑘 .
Theorem 2. If adversary 2 breaks FCL-PRE with a non-negligible advan-
PKQuery oracle 𝑝𝑘 : 1 publishes an identity 𝑃 𝑈 𝐼𝐷 for tage 𝜀, we can construct an algorithm  that solves the DBDH assumption
query,  maintains a list of the form 𝐿𝑝𝑢𝑏 (𝑃 𝑈 𝐼𝐷, 𝑃 𝐾𝑃 𝑈 𝐼𝐷 , in polynomial time with an advantage 𝜀′ .
(𝑥𝑖,𝑃 𝑈 𝐼𝐷 )𝑛𝑖=1 ) as the answer to 1 . If 𝑃 𝑈 𝐼𝐷 already exists in
the 𝐿𝑝𝑢𝑏 ,  restores the corresponding record and returns
Proof. Similar to the Theorem 1, therefore, only their main differences
𝑃 𝐾𝑃 𝑈 𝐼𝐷 to 1 . Otherwise,  randomly selects 𝑥𝑗𝑍𝑞 ,
are presented below.
a polynomial 𝑦(𝑥) of degree 𝑑 1, 𝑦(0) = 𝑥𝑗 , let 𝑦(𝜔𝑖 ) =
𝑥𝑖,𝑃 𝑈 𝐼𝐷 , where 𝑖 ∈ {1, … , 𝑛}. In this case, we suppose that ∙ Initialization.  returns the 𝑝𝑎𝑟𝑎𝑚𝑠 and 𝑚𝑠𝑘 = 𝑠 to 2 . It should
𝑥𝑃 𝑈 𝐼𝐷 = (𝑥𝑖,𝑃 𝑈 𝐼𝐷 )𝑛𝑖=1 while  calculates 𝑃 𝐾𝑃 𝑈 𝐼𝐷 = 𝑥𝑃 𝑈 𝐼𝐷 𝑃 , be noted that 2 represents the KGC, which has access to the
and returns it to 1 . Finally,  maintains (𝑃 𝑈 𝐼𝐷, 𝑃 𝐾𝑃 𝑈 𝐼𝐷 , partial private key and is computed by challenger . Therefore,
(𝑥𝑖,𝑃 𝑈 𝐼𝐷 )𝑛𝑖=1 ) in 𝐿𝑝𝑢𝑏 . in this case, there is no need to simulate the PartialPrivateKey
PK replacement oracle 𝑝𝑘𝑟𝑝 : When 1 queries the tuple algorithm as well as the hash function 𝐻1 . Next,  randomly
(𝑃 𝑈 𝐼𝐷, 𝑃 ̃
𝐾𝑃 𝑈 𝐼𝐷 ), if 𝑃 𝑈 𝐼𝐷 has not been queried for the chooses an integer 𝑟 ∈ [1, 𝑞𝐻2 ] and to the queries raised by 2 , 
public key,  generates a public key query on 𝑃 𝑈 𝐼𝐷 to answers as follows:
obtain 𝑃 ̃𝐾𝑃 𝑈 𝐼𝐷 and records (𝑃 𝑈 𝐼𝐷, 𝑃 ̃ 𝐾𝑃 𝑈 𝐼𝐷 , ⟂) in 𝐿𝑝𝑢𝑏 .
Otherwise,  maintains (𝑃 𝑈 𝐼𝐷, 𝑃 ̃ 𝐾𝑃 𝑈 𝐼𝐷 , ⟂) in 𝐿𝑝𝑢𝑏 . 𝐻2 Query: When 2 queries the existing 𝑃 𝑈 𝐼𝐷 in 𝐿2 , 
SKQuery oracle 𝑠𝑘 : 1 publishes an identity 𝑃 𝑈 𝐼𝐷 for will respond with 𝑌𝑖 , otherwise it considers the following
query,  maintains a list of the form 𝐿𝑠𝑘 (𝑃 𝑈 𝐼𝐷, 𝑆𝐾𝑃 𝑈 𝐼𝐷 ) two situations:
as the answer to 1 . If 𝑃 𝑈 𝐼𝐷 has already queried, 
restores the corresponding record and returns 𝑆𝐾𝑃 𝑈 𝐼𝐷 to Case 1: If 𝑗 = 𝑟,  computes 𝐻2 (𝑃 𝑈 𝐼𝐷𝑗𝑃 𝐾𝑃 𝑈 𝐼𝐷𝑗
1 , otherwise,  considers the following two cases: 𝑃𝑝𝑢𝑏 ) = 𝑐𝑃 and returns it to 2 .
Case 2: If 𝑗𝑟,  randomly selects 𝑡𝑖𝑍𝑞 , and
Case 1: If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑,  aborts and outputs fault. calculates 𝑌𝑖 = 𝑡𝑖 𝑃 , then  returns it to 2 . Finally,
Case 2: If |𝜔 ∩ 𝜔𝜋 | < 𝑑,  returns the 𝑆𝐾𝑃 𝑈 𝐼𝐷 to 1  adds the tuple (𝑃 𝑈 𝐼𝐷, 𝑡𝑖 , 𝑌𝑖 ) to 𝐿2 .
and saves tuple (𝑃 𝑈 𝐼𝐷, 𝐷𝑃 𝑈 𝐼𝐷 , 𝑥𝑃 𝑈 𝐼𝐷 ) in the 𝐿𝑠𝑘 .
∙ Phase 1. For a series of inquiries raised by 2 ,  answers as
ReKeyGen oracle 𝑟𝑘 :  first searches whether tuple follows.
(𝑃 𝑈 𝐼𝐷, 𝑃 𝑈 𝐼𝐷 , 𝑅𝐾 ,𝜔, ) exists in the 𝐿𝑟 𝑘. If so,  returns
𝑅𝐾 ,𝜔, to 1 . Otherwise, we suppose that 1 has con- PKQuery oracle 𝑝𝑘 : 2 publishes an identity 𝑃 𝑈 𝐼𝐷 for
ducted the above series of queries when querying the ROM, query,  first selects 𝜋 ∈ [1, 𝑞𝑝𝑢𝑏 ] randomly, and defines
so when |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑,  will follow the steps below: 𝑃 𝑈 𝐼𝐷𝜋 as the challenge identity.
Case 1: When 𝛼1 = 1,  follows the above steps Case 1: If 𝑃 𝑈 𝐼𝐷 has been queried,  restores the
to obtain 𝑃 𝑈 𝐼𝐷s publicprivate key pair (𝑆𝐾𝑃 𝑈 𝐼𝐷 , corresponding record and returns 𝑃 𝐾𝑃 𝑈 𝐼𝐷 = 𝑥𝑃 𝑈 𝐼𝐷 𝑃
𝑃 𝐾𝑃 𝑈 𝐼𝐷 ), and the public key 𝑃 𝐾𝑃 𝑈 𝐼𝐷 of 𝑃 𝑈 𝐼𝐷 . to 2 .
Then,  calculates 𝜑 = 𝑒(𝐷𝑃 𝑈 𝐼𝐷 , 𝐻1 (𝑃 𝑈 𝐼𝐷 )), and the
Case 2: If 𝑃 𝑈 𝐼𝐷 has not been queried, then  consid-
re-encryption key 𝑅𝐾 ,𝜔, = 𝐷𝑃 𝑈 𝐼𝐷𝑗 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 +
ers the following scenario:
𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝑃 𝐾𝑃 𝑈 𝐼𝐷 ∥ 𝜔 ∥ 𝜔′ ).
𝑗
Case 2: When 𝛼1 = 0 and 𝛼2 = 1,  response fails. (1) If |𝜔 ∩ 𝜔𝜋 | < 𝑑 and 𝑗 ≠ 𝜋,  selects a ran-
Case 3: When 𝛼1 = 0 and 𝛼2 = 0,  randomly selects dom number 𝑥𝑖,𝑃 𝑈 𝐼𝐷𝑍𝑞 , a polynomial 𝑦(𝑥)
𝑗
𝑅𝐾 ,𝜔, ∈ G and returns to 1 . of degree 𝑑 1, 𝑦(0) = 𝑥𝑖,𝑃 𝑈 𝐼𝐷 , let 𝑦(𝜔𝑖 ) =
𝑗
𝑥𝑖,𝑃 𝑈 𝐼𝐷 , where 𝑖 ∈ {1, … , 𝑛}. Next,  calculates
𝑗
Re-encryption oracle 𝑟𝑒𝑒𝑛 : Suppose that the public key of 𝑃 𝐾𝑃 𝑈 𝐼𝐷 = 𝑥𝑃 𝑈 𝐼𝐷 𝑃 , and returns it to 2 . Finally,
𝑃 𝑈 𝐼𝐷 has not been replaced, the original ciphertext 𝐶𝑇 =
 saves the tuple (𝑃 𝑈 𝐼𝐷, (𝑥𝑖,𝑃 𝑈 𝐼𝐷𝑗 )𝑛𝑖=1 , 𝑃 𝐾𝑃 𝑈 𝐼𝐷 )
(𝑈1 , 𝑉1 ) at this time.
to 𝐿𝑝𝑢𝑏 .
Case 1: If |𝜔 ∩ 𝜔𝜋 | < 𝑑,  aborts and outputs fault. (2) If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 and 𝑗 = 𝜋,  calculates 𝑃 𝐾𝑃 𝑈 𝐼𝐷 =
Case 2: If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑,  considers the following two 𝑎𝑃 , and returns it to the adversary 2 . Finally, 
cases: maintains the tuple (𝑃 𝑈 𝐼𝐷𝜋 , (𝑥𝑖,𝑃 𝑈 𝐼𝐷𝑗 )𝑛𝑖=1 ,
𝑃 𝐾𝑃 𝑈 𝐼𝐷 ) to the 𝐿𝑝𝑢𝑏 .
(1) If 𝛼𝑢 = 1,  aborts and outputs fault.
(2) If 𝛼𝑢 = 0,  re-encrypts the 𝐶𝑇 into 𝐶𝑇 = SKQuery oracle 𝑠𝑘 :  considers the following two cases:
(𝑈1 , 𝑉1 𝑒(𝑈1 , 𝑅𝐾 ,𝜔, )) and sends it to 1 .
Case 1: If 𝑃 𝑈 𝐼𝐷 has been queried,  restores the
corresponding record and returns 𝑆𝐾𝑃 𝑈 𝐼𝐷 to 2 .
∙ Challenge. 1 outputs 𝑃 𝑈 𝐼𝐷𝜋 and two messages of equal length Case 2: If 𝑃 𝑈 𝐼𝐷 has not been queried,  considers the
(𝑚0 , 𝑚1 ). If the flag variable 𝛼𝑢 ≠ 0 of the challenge identity following scenario:
8
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
(1) If |𝜔 ∩ 𝜔𝜋 | < 𝑑 and 𝑗𝑟,  makes sure 7. Performance evaluation
that 2 has performed PKQuery and all hash
queries. Then,  calculates 𝐷𝑃 𝑈 𝐼𝐷 and returns This section provides a systematic performance evaluation of FCL-
the 𝑆𝐾𝑃 𝑈 𝐼𝐷 = (𝐷𝑃 𝑈 𝐼𝐷 , 𝑥𝑃 𝑈 𝐼𝐷 ) to 2 , while PRE and other related schemes from both theoretical and experimental
saving the tuple (𝑃 𝑈 𝐼𝐷, 𝐷𝑃 𝑈 𝐼𝐷 , 𝑥𝑃 𝑈 𝐼𝐷 ) in the perspectives. First, we built an experimental system on Ubuntu 20.10,
𝐿𝑠𝑘 . using Python 3.10 and Sagemath 9.8, setting the security parameter to
(2) If |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑 and 𝑗 = 𝑟,  aborts and outputs 𝜆 = 256. The chosen elliptic curve 𝐸𝐹𝑝 is defined by the simplified
fault. Weierstrass equation 𝑦2 = 𝑥3 + 𝑎𝑥 + 𝑏.
ReKeyGen oracle 𝑟𝑘 : For the re-encryption key queries
7.1. Theoretical analysis
of 𝑃 𝑈 𝐼𝐷 and 𝑃 𝑈 𝐼𝐷 , when |𝜔 ∩ 𝜔𝜋 | ≥ 𝑑,  makes the
following answer:
Table 3 compares the number of modular exponentiations, scalar
(1) If 𝑗𝑟, the challenger  outputs the re-encryption multiplications, and bilinear pairings for FCL-PRE, YDKR21 [43],
key 𝑅𝐾 ,𝜔, = 𝐷𝑃 𝑈 𝐼𝐷𝑗 𝑥𝑃 𝑈 𝐼𝐷𝑗 𝐸𝑗 + 𝐻3 (𝜑 ∥ 𝑥𝑃 𝑈 𝐼𝐷𝑗 FLWL24 [24], and ZZYL20 [44], to assess the computational overhead
𝑃 𝐾𝑃 𝑈 𝐼𝐷 ∥ 𝜔 ∥ 𝜔′ ). at different stages. All three references adopt CL-PRE in data-sharing
𝑗
scenarios. In the following, we focus on the major computational
(2) If 𝑗 = 𝑟 and the private key of 𝑃 𝑈 𝐼𝐷 has been
overhead on the sender side 𝑗 .
queried,  responds with failure.
Encryption: The efficiency ranking is YDKR21 [43] < FLWL24 [24]
(3) If 𝑗 = 𝑟 and the private key of 𝑃 𝑈 𝐼𝐷 has not been
< Ours < ZZYL20 [44]. Since biometric characteristic 𝑏𝑖𝑜 inevitably
queried,  randomly selects 𝑅𝐾 ,𝜔, ∈ G as the
contains noise during collection, FCL-PRE binds each registered users
answer and returns it to 2 . pseudo-identity to an attribute set {𝜔}𝑛𝑖=1 . Consequently, during encryp-
∙ Challenge. 2 outputs 𝑃 𝑈 𝐼𝐷𝜋 and two messages of equal length tion, 𝑗 must bind attribute fragments to the message, ensuring both
(𝑚0 , 𝑚1 ). If the challenge identity 𝑃 𝑈 𝐼𝐷𝜋 ≠ 𝑃 𝑈 𝐼𝐷𝑟 ,  fails in this data confidentiality and system error tolerance.
game. Otherwise,  randomly selects a message 𝑚𝑏 , where 𝑏 ∈ ReKey Generation: The efficiency ranking is YDKR21 [43] <
∏ ZZYL20 [44] < Ours < FLWL24 [24]. In FCL-PRE, users are allowed
{0, 1}, calculates the ciphertext 𝐶𝑇𝑏 = (𝑈𝑏 , 𝑉𝑏 ) = (𝑏𝑃 , 𝑚𝑏 𝜔𝑖 ∈𝑆
𝑒(𝑏𝑃 , 𝑠𝐻1 (𝑃 𝑈 𝐼𝐷𝜋 ))𝑇 𝛥𝜔𝑖 ,𝑆 (0)
) and sends 𝐶𝑇𝑏 to 2 . □ to omit or update some attributes during key generation, eliminating
the extra computational overhead associated with regenerating public
private key pairs. Moreover, even if the proxy CPS colludes with the
6.2. Security properties of FCL-PRE receiver, it cannot deduce the users real identity from the re-encryption
key.
• Confidentiality. According to the above security proof, the pro- Decrypt1: The efficiency ranking is ZZYL20 [44] < YDKR21 [43]
posed FCL-PRE scheme satisfies IND-CPA secure in the random < FLWL24 [24] = Ours. Compared to ZZYL20 [44] and YDKR21 [43],
oracle model and holds under the DBDH assumption. In addition, FCL-PRE improves the decryption efficiency on the sender side 𝑗 by
before re-encryption, the proxy CPS needs to authenticate regis- 40.57% and 44.6%, respectively, significantly reducing computational
tered users, and re-encryption is only allowed when the original burden.
ciphertext meets a certain condition, which further enhances the In summary, by integrating certificateless encryption with secret
confidentiality of the scheme. sharing technology, FCL-PRE enhances user privacy and system error
• Anonymity. FCL-PRE converts each users real biometric identity tolerance while effectively addressing the stringent privacy require-
𝑈 𝐼𝐷𝑗 into a pseudo-identity 𝑃 𝑈 𝐼𝐷𝑗 = 𝐸𝑛𝑐𝜙 (𝑈 𝐼𝐷𝑗𝑛𝑃 𝑈 𝐼𝐷𝑗 ) ∥ 𝑇𝑗 ments in cloud-based data-sharing scenarios.
through a symmetric encryption algorithm for hiding. Therefore,
if an adversary wishes to obtain 𝑈 𝐼𝐷𝑗 , he/she must first acquire 7.2. Experimental analysis
the symmetric key 𝜙. However, in our scheme, only a trusted TA
can extract 𝜙, thereby ensuring the anonymity of the users real Computational overhead. To ensure the objectivity and accuracy
identity. of our results, we excluded the Setup algorithm from the experiment,
• Error tolerance. We employ secret sharing technology to divide as it is executed only once and has a negligible impact on the user
the system master key 𝑠 and the secret value 𝑥𝑃 𝑈 𝐼𝐷𝑗 into 𝑛 encryption experience. For the remaining algorithms, each was exe-
independent components. Based on these components, the sender cuted 100 times, and the average execution time was recorded. Fig.
𝑗 generates the final complete private key and the corresponding 4 reports the execution time of all main stages in our scheme as a
ciphertext. In the verification phase, the ciphertext can be re- function of the number of receivers/messages. Specifically, Fig. 4(a)(c)
encrypted if the attribute set contains at least 𝑑 valid attributes. show the sender-side costs, including Encryption time, ReKey Gen-
Here, 𝑑 is defined as an error tolerance parameter, so as to achieve eration time, and Decrypt1 time, respectively. Fig. 4(d) presents the
the systems error tolerance and enhance its robustness. Re-encryption time at the cloud proxy server, while Fig. 4(e) depicts
• Collusion Resistance. Given the commercial nature of cloud ser- the Decrypt2 time at the authorized receiver. Fig. 4(f) summarizes
vice providers, a potential risk arises that they may collude the total computational overhead across all parties. As the number
with the receiver 𝑗 to acquire 𝑗 s private key 𝑆𝐾𝑃 𝑈 𝐼𝐷𝑗 = of receivers/messages increases, all stages exhibit an approximately
(𝐷𝑃 𝑈 𝐼𝐷𝑗 , 𝑥𝑃 𝑈 𝐼𝐷𝑗 ). However, under the threshold secret sharing, linear growth. Our FCL-PRE scheme consistently incurs lower decryp-
collusion between 𝑗 and CPS is infeasible. First, 𝑗 s full private tion time, re-encryption time, and overall computational cost than the
key consists of a partial private key 𝐷𝑃 𝑈 𝐼𝐷𝑗 and a secret value compared schemes, as illustrated in Fig. 4(c), (d), and (f). These results
𝑥𝑃 𝑈 𝐼𝐷𝑗 , both of which are divided into 𝑛 components. This means demonstrate that FCL-PRE achieves better efficiency and scalability,
that at least 𝑡 attribute shards must be obtained to recover one particularly in multi-receiver settings.
of the keys. Second, even if the colluder obtains 𝑥𝑃 𝑈 𝐼𝐷𝑗 , they Communication overhead. Table 3 compares the communication
cannot deduce the senders partial private key 𝐷𝑃 𝑈 𝐼𝐷𝑗 , because overhead of YDKR21 [43], FLWL24 [24], ZZYL20 [44], and our pro-
𝐷𝑃 𝑈 𝐼𝐷𝑗 = 𝑠𝐻1 (𝑃 𝑈 𝐼𝐷𝑗 ), where 𝑠 is the master key. Since the posed scheme. The storage and transmission overheads of the data
master key 𝑠 is unknown to the colluder, they cannot calculate sender and cloud proxy server, including the original ciphertext, re-
𝐷𝑃 𝑈 𝐼𝐷𝑗 . encryption key, and re-encrypted ciphertext, are discussed in detail.
9
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
Table 3
Comparison of cryptographic operations of related schemes.
Scheme Computational cost Communication cost
Encryption ReKeyGen Re-encryption Decrypt1 Decrypt2 CT1 CT2 ReKey
YDKR21 [43] 𝑇𝑝 + 8𝑇𝑒 6𝑇𝑒 2𝑇𝑝 + 2𝑇𝑒 𝑇𝑝 + 𝑇𝑒 𝑇𝑝 + 2𝑇𝑒 3|G| + 2|G𝑇 | 4|G| + 2|G𝑇 | 6|G| + 4|𝑍𝑞 |
FLWL24 [24] 𝑇𝑝 + 3𝑇𝑒 2𝑇𝑒 2𝑇𝑝 𝑇𝑝 2𝑇𝑒 2|G| + |G𝑇 | 3|G𝑇 | |G|
ZZYL20 [44] 2𝑇𝑒 + 𝑇𝑠𝑚 𝑇𝑝 + 3𝑇𝑒 + 𝑇𝑠𝑚 𝑇𝑝 𝑇𝑝 + 𝑇𝑒 + 𝑇𝑠𝑚 𝑇𝑝 + 𝑇𝑒 + 𝑇𝑠𝑚 2|G| + |𝑍𝑞 | 2|G| + |𝑍𝑞 | |𝑍𝑞 |
Ours 2𝑇𝑝 + 𝑇𝑒 + 2𝑇𝑠𝑚 𝑇𝑝 + 𝑇𝑒 𝑇𝑝 𝑇𝑝 2𝑇𝑝 |G| + |G𝑇 | + |𝑍𝑞 | |G| + |G𝑇 | |G| + 2|𝑍𝑞 |
(a) Execution time of Encryption. (b) Execution time of ReKey Genera- (c) Execution time of Decrypt1.
tion.
(d) Execution time of Re-encryption. (e) Execution time of Decrypt2. (f) Total execution time.
Fig. 4. The execution time of each phase.
(a) Original ciphertext. (b) Re-encrypted ciphertext. (c) Re-encryption key.
Fig. 5. Communication overhead comparison.
Sender side: Regarding the transmission of the original ciphertext, which may lead to a potential risk of key misuse. As we can see in Fig.
our proposed scheme and ZZYL20 [44] achieve the lowest commu- 5(c), FCL-PRE requires only KB level for storage, making it well-suited
nication cost, as shown in Fig. 5(a). Although our scheme incurs for resource-constrained mobile devices without imposing a significant
slightly higher communication overhead for the transmission of the burden on the sender side.
re-encryption key compared to ZZYL20 [44], it is worth noting that Cloud proxy server (CPS) side: For the storage of re-encrypted cipher-
ZZYL20 pre-generates and stores the re-encryption key in the cloud, text, our scheme also demonstrates the lowest communication cost, as
10
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
shown in Fig. 5(b). Even when the number of designated recipients [5] Matthew Green, Giuseppe Ateniese, Identity-based proxy re-encryption, in: Ap-
is relatively large, i.e., 50 receivers, FCL-PRE requires only 12.5 KB plied Cryptography and Network Security: 5th International Conference, ACNS
2007, Zhuhai, China, June 5-8, 2007, Springer, 2007, pp. 288306.
of communication overhead at the CPS side. It indicates that FCL-
[6] Chunpeng Ge, Willy Susilo, Jiandong Wang, Liming Fang, Identity-based condi-
PRE not only effectively minimizes the clouds communication burden tional proxy re-encryption with fine-grained policy, Comput. Stand. Interfaces 52
but also ensures a flexible and reliable sharing mechanism without (2017) 19.
compromising data security. [7] Hongmei Pei, Peng Yang, Weihao Li, Miao Du, Zhongjian Hu, Proxy re-encryption
for secure data sharing with blockchain in internet of medical things, Comput.
Netw. 245 (2024) 110373.
8. Conclusion [8] Guijiang Liu, Haibo Xie, Wenming Wang, Haiping Huang, A secure and efficient
electronic medical record data sharing scheme based on blockchain and proxy
In this paper, we propose FCL-PRE, a fuzzy certificateless proxy re-encryption, J. Cloud Comput. 13 (1) (2024) 44.
re-encryption scheme that facilitates flexible key management while [9] Anca-Andreea Ivan, Yevgeniy Dodis, Proxy cryptography revisited, in: NDSS,
2003.
ensuring efficient and secure data sharing. By integrating anonymous
[10] Yang Lu, Efficient certificate-based proxy re-encryption scheme for data sharing
biometric recognition, our approach conceals users real identities, in public clouds, KSII Trans. Internet Inf. Syst. (TIIS) 9 (7) (2015) 27032718.
achieving effective conditional privacy and bolstering system error [11] Zhiguang Qin, Hu Xiong, Shikun Wu, Jennifer Batamuliza, A survey of proxy re-
tolerance. Notably, we prevent malicious re-encryption requests by encryption for secure data sharing in cloud computing, IEEE Trans. Serv. Comput.
verifying the signature, while secret sharing technology enhances collu- (2016) 118.
[12] Giuseppe Ateniese, Kevin Fu, Matthew Green, Susan Hohenberger, Improved
sion resistance. Moreover, a formal security analysis under the random proxy re-encryption schemes with applications to secure distributed storage, ACM
oracle model demonstrates that FCL-PRE resists chosen-plaintext at- Trans. Inf. Syst. Secur. (TISSEC) 9 (1) (2006) 130.
tacks. Compared to existing schemes, FCL-PRE significantly reduces [13] Craig Gentry, Certificate-based encryption and the certificate revocation problem,
computational and communication overhead, achieving the lowest total in: International Conference on the Theory and Applications of Cryptographic
Techniques, Springer, 2003, pp. 272293.
computational cost and ciphertext storage overhead. In future work, we
[14] Chul Sur, Youngho Park, Sang Uk Shin, Kyung Hyune Rhee, Changho Seo,
aim to optimize dynamic user revocation and enhance adaptability to Certificate-based proxy re-encryption for public cloud storage, in: 2013 Sev-
real-world cloud environments with more complex access policies. enth International Conference on Innovative Mobile and Internet Services in
Ubiquitous Computing, IEEE, 2013, pp. 159166.
CRediT authorship contribution statement [15] Chunpeng Ge, Zhe Liu, Jinyue Xia, Liming Fang, Revocable identity-based
broadcast proxy re-encryption for data sharing in clouds, IEEE Trans. Dependable
Secur. Comput. 18 (3) (2019) 12141226.
Jiasheng Chen: Writing original draft, Software, Methodology, [16] Jing Zhang, Shuangshuang Su, Hong Zhong, Jie Cui, Debiao He, Identity-based
Investigation, Formal analysis, Conceptualization. Zhenfu Cao: Writing broadcast proxy re-encryption for flexible data sharing in VANETs, IEEE Trans.
review & editing, Supervision, Resources, Funding acquisition. Lian- Inf. Forensics Secur. 18 (2023) 48304842.
[17] Jiguo Li, Xuexia Zhao, Yichen Zhang, Certificate-based conditional proxy re-
gliang Wang: Writing review & editing, Validation, Methodology,
encryption, in: International Conference on Network and System Security,
Formal analysis, Data curation. Jiachen Shen: Validation, Supervision, Springer, 2015, pp. 299310.
Formal analysis. Xiaolei Dong: Validation, Funding acquisition, Formal [18] Jun Shao, Peng Liu, Yuan Zhou, Achieving key privacy without losing CCA
analysis. security in proxy re-encryption, J. Syst. Softw. 85 (3) (2012) 655665.
[19] Jian Weng, Robert H. Deng, Xuhua Ding, Cheng-Kang Chu, Junzuo Lai,
Conditional proxy re-encryption secure against chosen-ciphertext attack, in:
Declaration of competing interest Proceedings of the 4th International Symposium on Information, Computer, and
Communications Security, 2009, pp. 322332.
The authors declare that they have no known competing finan- [20] Cui Li, Rongmao Chen, Yi Wang, Qianqian Xing, Baosheng Wang, REEDS: An
cial interests or personal relationships that could have appeared to efficient revocable end-to-end encrypted message distribution system for IoT,
IEEE Trans. Dependable Secur. Comput. 21 (5) (2024) 45264542.
influence the work reported in this paper.
[21] Shimao Yao, Ralph Voltaire J. Dayot, In-Ho Ra, Liya Xu, Zhuolin Mei, Jiaoli
Shi, An identity-based proxy re-encryption scheme with single-hop conditional
Acknowledgments delegation and multi-hop ciphertext evolution for secure cloud data sharing, IEEE
Trans. Inf. Forensics Secur. 18 (2023) 38333848.
[22] Giuseppe Ateniese, Karyn Benson, Susan Hohenberger, Key-private proxy re-
This work was supported in part by the National Natural Science
encryption, in: Cryptographers Track at the RSA Conference, Springer, 2009,
Foundation of China (Grant No. 62132005, 62172162), in part by pp. 279294.
Shanghai Trusted Industry Internet Software Collaborative Innovation [23] Chengdong Ren, Xiaolei Dong, Jiachen Shen, Zhenfu Cao, Yuanjian Zhou, Clap-
Center, in part by Fundamental Research Funds for the Central Uni- pre: Certificateless autonomous path proxy re-encryption for data sharing in the
versities, in part by Police Integration Computing Key Laboratory of cloud, Appl. Sci. 12 (9) (2022) 4353.
[24] Jingyu Feng, Yue Li, Teng Wang, Shuanggen Liu, A certificateless threshold proxy
Sichuan Province (Grant No. JWRH202401001).
re-encrypted data sharing scheme with cloud-chain collaboration in industrial
internet environments, IEEE Internet Things J. 11 (20) (2024) 3324733268.
Data availability [25] Liqing Chen, Meng Zhang, Jiguo Li, Conditional identity-based broadcast proxy
re-encryption with anonymity and revocation, IEEE Trans. Reliab. 74 (3) (2025)
35733584.
Data will be made available on request.
[26] Liming Fang, Jiandong Wang, Chunpeng Ge, Yongjun Ren, Fuzzy conditional
proxy re-encryption, Sci. China Inf. Sci. 56 (5) (2013) 113.
[27] BaoHong Li, JieFei Xu, YanZhi Liu, Lattice-based fuzzy conditional proxy
References re-encryption, J. Internet Technol. 20 (5) (2019) 13791385.
[28] Binhan Li, Lunzhi Deng, Yiming Mou, Na Wang, Yanli Chen, Siwei Li, A pairing-
[1] Shuzhou Sun, Hui Ma, Zishuai Song, Rui Zhang, WebCloud: Web-based cloud free data sharing scheme based on certificateless conditional broadcast proxy
storage for secure data sharing across platforms, IEEE Trans. Dependable Secur. re-encryption suitable for cloud-assisted IoT, IEEE Internet Things J. 12 (20)
Comput. 19 (3) (2020) 18711884. (2025) 4275442768.
[2] Maithilee Joshi, Karuna P. Joshi, Tim Finin, Delegated authorization framework [29] Yousheng Zhou, Yurong Li, Yuanni Liu, A certificateless and dynamic conditional
for ehr services using attribute-based encryption, IEEE Trans. Serv. Comput. 14 proxy re-encryption-based data sharing scheme for IoT cloud, J. Internet Technol.
(6) (2019) 16121623. 26 (2) (2025) 165172.
[3] Yinbin Miao, Robert H. Deng, Ximeng Liu, Kim-Kwang Raymond Choo, Hongjun [30] Shi Lin, Li Cui, Niu Ke, End-to-end encrypted message distribution system for
Wu, Hongwei Li, Multi-authority attribute-based keyword search over encrypted the Internet of Things based on conditional proxy re-encryption, Sensors 24 (2)
cloud data, IEEE Trans. Dependable Secur. Comput. 18 (4) (2019) 16671680. (2024) 116.
[4] Matt Blaze, Gerrit Bleumer, Martin Strauss, Divertible protocols and atomic proxy [31] Yongjing Zhang, Zhouyang Zhang, Shan Ji, Shenqing Wang, Shitao Huang,
cryptography, in: International Conference on the Theory and Applications of Conditional proxy re-encryption-based key sharing mechanism for clustered
Cryptographic Techniques, Springer, 1998, pp. 127144. federated learning, Electronics 13 (5) (2024) 848.
11
J. Chen et al. Computer Standards & Interfaces 97 (2026) 104121
[32] Chul Sur, Chae Duk Jung, Youngho Park, Kyung Hyune Rhee, Chosen-ciphertext Zhenfu Cao is currently a Distinguished Professor with
secure certificateless proxy re-encryption, in: IFIP International Conference on East China Normal University, China. Since 1981, he has
Communications and Multimedia Security, Springer, 2010, pp. 214232. been published over 400 academic papers in journals or
[33] Sattam S. Al-Riyami, Kenneth G. Paterson, Certificateless public key cryptogra- conferences. His research interests include cryptography,
phy, in: International Conference on the Theory and Application of Cryptology number theory, and information security. He has received
and Information Security, Springer, 2003, pp. 452473. a number of awards, including the Ying-Tung Fok Young
[34] Tarunpreet Bhatia, Anil K. Verma, Gaurav Sharma, Secure sharing of mobile Teacher Award, in 1989, the National Outstanding Youth
personal healthcare records using certificateless proxy re-encryption in cloud, Fund of China, in 2002, and the Special Allowance by
Trans. Emerg. Telecommun. Technol. 29 (6) (2018) e3309. the State Council, in 2005. He was a co-recipient of the
[35] Nabeil Eltayieb, Liang Sun, Ke Wang, Fagen Li, A certificateless proxy re- 2007 IEEE International Conference on Communications
encryption scheme for cloud-based blockchain, in: Frontiers in Cyber Security: Computer Award, in 2007.
Second International Conference, FCS 2019, Xian, China, November 1517,
2019, Proceedings 2, Springer, 2019, pp. 293307.
[36] Emmanuel Ahene, Junfeng Dai, Hao Feng, Fagen Li, A certificateless signcryption Liangliang Wang received the Ph.D. degree from Shanghai
with proxy re-encryption for practical access control in cloud-based reliable smart Jiao Tong University, in 2016. He has published academic
grid, Telecommun. Syst. 70 (2019) 491510. papers in prestigious venues including IEEE Transactions
[37] Amit Sahai, Brent Waters, Fuzzy identity-based encryption, in: Annual Interna- on Dependable and Secure Computing, IEEE Transactions
tional Conference on the Theory and Applications of Cryptographic Techniques, on Vehicular Technology, IEEE Internet of Things Journal,
Springer, 2005, pp. 457473. Knowledge-Based Systems and SCIENCE CHINA Information
[38] Hu Xiong, YaNan Chen, GuoBin Zhu, ZhiGuang Qin, Analysis and improvement Sciences. He is currently an Associate Professor with the
of a provable secure fuzzy identity-based signature scheme, Sci. China Inf. Sci. College of Computer Science and Technology, Shanghai
57 (2014) 15. University of Electric Power. His research interests include
[39] Liangliang Wang, Jiangwei Xu, Baodong Qin, Mi Wen, Kefei Chen, An efficient applied cryptography, information security and privacy
fuzzy certificateless signature-based authentication scheme using anonymous preserving.
biometric identities for VANETs, IEEE Trans. Dependable Secur. Comput. 22 (1)
(2024) 292307. Jiachen Shen received the bachelors degree from Shang-
[40] Dan Boneh, Matt Franklin, Identity-based encryption from the Weil pairing, in: hai Jiao Tong University, Shanghai, China, in 2001, and
Annual International Cryptology Conference, Springer, 2001, pp. 213229. the masters and Ph.D. degrees from the University of
[41] Adi Shamir, How to share a secret, Commun. ACM 22 (11) (1979) 612613. Louisiana at Lafayette, Lafayette, LA, USA, in 2003 and
[42] A. Riyami, Sattam S., K.G. Paterson, Certificateless public key cryptography, in: 2008, respectively. He joined East China Normal University,
Chi-Sung Laih (Ed.), Advances in Cryptology - ASIACRYPT 2003, Springer Berlin Shanghai, China, in 2015. His research interests include
Heidelberg, Berlin, Heidelberg, 2003, pp. 452473. applied cryptography, cloud security, searchable encryption,
[43] Shimao Yao, Ralph Voltaire J. Dayot, Hyung-Jin Kim, In-Ho Ra, A novel revo- and blockchains.
cable and identity-based conditional proxy re-encryption scheme with ciphertext
evolution for secure cloud data sharing, IEEE Access 9 (2021) 4280142816.
[44] Xiaoyu Zheng, Yuyang Zhou, Yalan Ye, Fagen Li, A cloud data deduplication
scheme based on certificateless proxy re-encryption, J. Syst. Archit. 102 (2020)
Xiaolei Dong is currently a Distinguished Professor with
101666.
East China Normal University. She hosts a lot of research
projects supported by the National Basic Research Program
Jiasheng Chen is currently pursuing the Ph.D. degree with of China (973 Program), the National Natural Science
the Department of Cryptography and Cyber Security School Foundation of China, and the Special Funds on Information
of Software Engineering, East China Normal University, Security of the National Development and Reform Commis-
Shanghai, China. Her research interests include applied sion. Her research interests include cryptography, number
cryptography and information security. theory, and trusted computing.
12
Reference in New Issue View Git Blame Copy Permalink