Provably Secure Self-Extractable Encryption 5
the normal functionalities of a regular advanced encryption primitive, SEXE is
equipped with a useful self-extractability. Roughly speaking, the data owner can
always access her encrypted data in SEXE. We propose a generic SEXE construc-
tion from any advanced encryption scheme. The construction only additionally
requires a pseudo random function, a symmetric encryption cipher, and some
hash functions, all of which are efficient in terms of computation. The desirable
self-extractability only incurs a marginal cost, while posing little extra cost on
regular receivers. Following the generic construction, we instantiate several typi-
cal SEXE schemes, including Self-Extractable Identity-Based Encryption (SEX-
IBE), Self-Extractable Attribute-Based Encryption (SXABE) in Key-Policy set-
ting and in Ciphertext-Policy setting.
2 Related Work
Cloud storage follows the area of “database-as-a-service” paradigm, which is
a classic data storage topic that has been studied since 2000s. The intended
purpose of cloud storage is to enable data owners to outsource their data on the
Internet to service providers [20,21]. The basic idea to protect data privacy and
secrecy in cloud storage is to enforce data access control by encrypting the data
before outsourcing. Only the authorized data users can have access [2]. Classic
schemes employ traditional symmetric key/asymmetric cryptosystems to realize
access control [16,27]. As the number of data users increases, especially for cloud-
based data storage systems that potentially allow a vast number of data users,
the systems suffer from complicated entity and key managements.
Researches have been devoted to entity and key management problems.
In 2001, Boneh and Franklin [8] proposed a new encryption primitive, named
Identity-Based Encryption (IBE), the concept of which was first introduced by
Shamir [36]. Compared with the traditional asymmetric encryption system, the
public keys in IBE can be arbitrary strings, such as social security numbers, email
addresses, and phone numbers. Instead of generating the secret key by the data
owner itself, a Trusted Key Authority (TKA) is employed in IBE for user authen-
tication and key distribution. Since IBE brings flexibilities for user authentica-
tion and entity management, many advanced data access control schemes started
to leverage IBE as the basic encryption primitive [12,19]. Schemes exploiting IBE
and various other cryptographic primitives have been proposed to achieve more
flexible data sharing functionalities, including cross-domain [38] and emergency
sharing [39] for specific data outsourcing applications.
The IBE primitive only allows to assign one receiver in an encryption, which
brings difficulties for multi-entity data sharing application scenarios. Briefly
speaking, the access policy in IBE is “exact string match”, which is a limited data
access control mechanism. Although several encryption primitives and schemes,
e.g., Hierarchical IBE [15,24], (Identity-Based) Broadcast Encryption [9,14],
Proxy Re-Encryption [4], were proposed and/or applied to partially support one-
to-many data sharing mechanism in cloud storage applications [3], access policies
in all of which are somewhat restricted. How to support expressive access pol-
icy in encryption primitives remained as an open problem. In 2005, Sahai and