Research Article  Open Access
Rong Ma, Zhenfu Cao, Xingkai Wang, "Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking", Security and Communication Networks, vol. 2017, Article ID 9248654, 9 pages, 2017. https://doi.org/10.1155/2017/9248654
Efficient Asymmetric Index Encapsulation Scheme for Anonymous Content Centric Networking
Abstract
Content Centric Networking (CCN) is an effective communication paradigm that well matches the features of wireless environments. To be considered a viable candidate in the emerging wireless networks, despite the clear benefits of locationindependent security, CCN must at least have parity with existing solutions for confidential and anonymous communication. This paper designs a new cryptographic scheme, called Asymmetric Index Encapsulation (AIE), that enables the router to test whether an encapsulated header matches the token without learning anything else about both of them. We suggest using the AIE as the core protocol of anonymous Content Centric Networking. A construction of AIE which strikes a balance between efficiency and security is given. The scheme is proved to be secure based on the DBDH assumption in the random oracle with tight reduction, while the encapsulated header and the token in our system consist of only three elements.
1. Introduction
Conventional networking protocols designed to support endtoend communications between nodes which are uniquely identified through an IP address may fail in wireless environments due to dynamic changes caused by the mobility. Content Centric Networking is an emerging networking architecture with the goal of becoming an alternative to the IPbased Internet. Communication in CCN adheres to the pull model. Its primary characteristic is that content and routable content in the network are always named. Interests represent the willingness of the consumer to retrieve certain content, independently of its location. A consumer who wishes to obtain content first issues an interest by name, which is then routed to the producer or router that is capable of satisfying the request. The corresponding content carrying the same name is then sent to the consumer along the reverse path.
The CCN architecture has some innate privacy friendly features; for example, the source addresses of contents are hard to trace. However, support for name privacy is not a standard feature. Names reveal significantly more information about content than IP addresses [1].
ANDaNA [2] and AC^{3}N [3] are the initial attempt to provide anonymous communication in CCN. They are inspired by Tor, using onionlike encryption to wrap interests, and forwarded by participating anonymizing routers. However, caching mechanism as one of the most important features of CCN could not be used in these designs due to the lack of an cryptographic primitive keeping the name private while ensuring accessibility and routability.
In this paper we propose a new cryptographic scheme called Asymmetric Index Encapsulation (AIE) to hide the name except the entity which is given appropriate token. Token can be viewed as a kind of encrypted interest; it can only be generated from the authorized consumers and the functionality of the token kept secret even during the name and interest match procedure. We believe AIE is a positive answer to the open question raised in [1, 4]. AIE is proved to be secure based on the DBDH/CDH assumption in the random oracle with tight reduction, while the encapsulated header and the token in our system consist of only three elements. Moreover, AIE is applicable in any CCN incarnation, for example, CCNx and NDN [5].
1.1. Organization
The rest of this paper is organized as follows. The next section shows the related work of our paper. Section 3 gives an overview of CCN. The scheme description is presented in Section 4. Definitions of security model are given and discussed in Section 5. The reduction proofs are shown in Sections 6 and 7. Then we show implementation and provide an analysis of the performances of the proposed schema in Section 8. Finally, we conclude with related work and future work in Section 9.
2. Related Work
Symmetric searchable encryption with adaptive security against chosenkeyword attacks was first considered explicitly in [6], where symmetric index encapsulation was first considered explicitly by [7]. Unlike in asymmetric settings, securely encapsulating a single keyword/index is nearly trivial in symmetric settings. In these schemes and subsequent work [8ā11], researchers focus on how to handle full text indices and try to improve efficiency. Another line of work uses deterministic encryption [8, 12]. It only provides security for data and queries that have high entropy.
Starting with the work of Boneh et al. [13ā15], searchable encryption has also been considered in the public key setting [10, 16ā19]. The early works lack function privacy until the first definition was suggested very recently by Boneh et al. [20].
One of the key goals of CCN projects is āsecurity by designā [21]. In contrast to todayās Internet, where security problems were identified along the way, the research community stresses both awareness of issues and support for features and countermeasures from the outset. To this end, a few of papers investigate various attacks and solutions in CCN or CON [1, 2, 5]. However, to the best of our knowledge, there is an absence of cryptographic perspective. The major contribution of our paper is in defining a new cryptographic primitive known as Asymmetric Index Encapsulation scheme.
A preliminary version of this paper [22], which concentrated on solving the related fundamental cryptographic problem, appeared at ProvSec 2016, while this paper focuses more on solving practical problem of CCN network. The extra contents mainly are shown in Sections 8 and 9.
3. CCN Overview
We now review the building blocks of Content Centric Networking. There are three types of entities in CCN:(i)Consumer which issues interests for content(ii)Producer which generates and publishes content to the network(iii)Routers which forward interest messages and content between consumers and producers
CCN supports two types of packets:(i)Named content: in CNN, contents are always named to facilitate data dissemination and search. A content name is a URIlike string composed of one or more variablelength segments.(ii)Interest: to obtain content, consumer issues a request, called an interest message, with the name of the desired content. This interest will be satisfied by either a router or the content producer.
Name and interest matching in CCN is exact, for example, an interest for ā/2017/news.txtā can only be satisfied by a content object named ā/2017/news.txt.ā
Each CCN entity should maintain the following components:(i)Forwarding Interest Base (FIB): this includes a lookup table used to determine entities for forwarding incoming interests.(ii)Pending Interest Table (PIT): this include a lookup table of outstanding pending interests and a set of corresponding incoming entities.(iii)Content Store (CS): this is a buffer used for content caching and retrieval. Each network entity can provide content caching, which is limited only by resource availability. Note that this is different from packet buffers in todayās routers, as cache size is expected to be several orders of magnitude bigger in CCN.
All CCN communication is initiated by a consumer that sends an interest for a specific content [23]. When a router receives an interest, it looks up its PIT to determine whether an interest for the content is pending:(i)If the desired name in the PIT, the interest does not need to be forwarded further. If the arrival entity is new, the router just updates the PIT entry by adding a new incoming entity.(ii)Otherwise, the router looks up its CS for a matching content. If it succeeds, the cached content is returned and no new PIT entry is needed. If no matching content is found, the router creates a new PIT entry and forwards the interest using its FIB.
During receipting of the interest, the producer distributes requested content among the network, thus satisfying the interest. Then, the content is forwarded towards the consumer, by the path of the preceding interest, in reverse.
4. Scheme Description
Formally, AIE is specified by a quadruple of probabilistic polynomialtime algorithms:(i)The setup algorithm is run by the central authority, takes a security parameter , and outputs the public system parameters together with a master secret key . The system parameters will be publicly known, while the master key will be known only to the key generation algorithm.(ii)The index (a.k.a. name) encapsulation algorithm is run by the producer, takes as input an index , and outputs encapsulated header .(iii)The token generation algorithm is run by the central authority, takes as input the master secret key and an interest , and outputs a related token .(iv)The test algorithm is run by the router, takes as input a header and a token , and outputs a value which indicates the matching relationship between and , ā1ā for matching and ā0ā on the contrary. Usage of this algorithm is to show the linkability between headers and tokens.
To deploy AIE in CCN, we should introduce a trusted central authority which is in charge of issuing token. As illustrated in Figure 1, if a consumer plans to request a content named , instead of sending the plain interest packet, it should use the token issued by from the central authority. Token is like a private key of public encryption scheme. However, its functionality is not decrypting but testing.
When a producer generates new content named , it encrypts the content at first. The encryption algorithm used by consumers to conceal content should be secure against adaptive chosen ciphertext (CCA) attacks. Then, the producer runs encapsulation algorithm to encapsulate the name . We call the output of the encapsulated header of . Finally, a signature binds the encrypted content with its encapsulated header and provides origin authentication no matter how or from where it is retrieved. For any adversary without the correct token, this signed and encrypted packet will lose no information under our security model (discussed in Section 5.4).
When a token is received and there are no same pending tokens in its cache, router runs algorithm to find an encapsulated header which matches the token. If there is no such encapsulated header, the router forwards this new token to the neighbor routers. When the desired content is returned or there is already an encapsulated header matching this token in the cache, the router forwards it out on all neighbors and flushes the corresponding cache entry.
Since adversary can mount a guessing attack, exhaustively testing the known token, we give a reasonable security model in Section 5.5 to ensure that there is no more obviously effective attack better than the brute force method.
4.1. Construction
Let be a probabilistic polynomialtime algorithm taking as security parameter and outputs , where and are groups of prime order , , is a generator of group , and is a nondegenerate efficiently computable bilinear map. See [24] for a description of the properties of such pairings. We present AIE scheme as follows; the design inspiration comes from [20, 25].(i) : on input security parameter , the setup algorithm works as follows:(1) Generate .(2) Randomly sample .(3) Compute .(4) Choose two cryptographic hash functions and . The security analysis will view , as random oracles.(5) Output as master key and as public parameters.(ii) : given , the index encapsulation algorithm does the following:(1) Randomly sampling (2) Computing , , and (3) Outputting as an encapsulated header(iii) : on input master key and an index , the token generation algorithm does the following:(1) If the same query for is repeated twice, then the same token is provided.(2) It randomly chooses .(3) It computes .(4) It outputs and records as the token of .(iv) : given an encapsulated header and a token , the test algorithm does the following:(1) It parses as and as .(2) It checks if the following equation holds true:āand āif it holds, output ā1,ā meaning matches ; else output ā0.ā
Correctness. For any index , we need to guarantee , where and . Denoting and , that is clear since
5. Security Models
We give the precise formal definitions based on the above discussion.
5.1. Notation
We denote by a joint distribution of random variables, and by a sample drawn from . The minentropy of a random variable is . A source is a random variable with . A blocksource is a random variable , where, for each , holds that is source. The statistical distance between two random variables and over a finite domain is defined as
5.2. DBDH and CDH Assumption
Decisional bilinear DiffieHellman (DBDH) problem is to distinguish two distributions and for random , , , and . Computational DiffieHellman (CDH) problem is to compute given and . To state the assumption asymptotically we rely on the bilinear group generator algorithm .
Definition 1. Let be a bilinear group generator. The DBDH assumption holds for if, for all probabilistic polynomialtime algorithm , its BDDH advantage, denoted byis a negligible function of , where the probability is over , , .
Definition 2. Let be a bilinear group generator. The CDH assumption holds for if, for all probabilistic polynomialtime algorithm , its CDH advantage, denoted byis a negligible function of , where the probability is over , .
5.3. The Leftover Hash Lemma
Definition 3 (universal hash function). A collection of function with form is universal if for any such that the following holds:
Theorem 4 (leftover hash lemma for blocksource; see [20]). Let be a universal collection of functions ; let be blocksource where . Then there exists the distributionwhere is close to the uniform distribution over .
5.4. Security Model for Anonymity
AIE is anonymous if leaks no information about . To capture the anonymity properties formally, a game between a challenger and an adversary is defined as follows:(i)Setup Phase: the challenger runs and sends to adversary and keeps to itself.(ii)Prechallenge Phase: in this phase, adversary is allowed to make token extraction query. The challenger responds to the query about index by sending to the output of .(iii)Challenge Phase: submits two indices , , which is restricted to the indices that he did not request in prechallenge phase. The challenger flips a fair binary coin and returns as challenge header.(iv)Postchallenge Phase: this phase is repeat of prechallenge phase. The adversary issues additional adaptive queries with the restriction where it can not request token of or .(v)Guess Phase: finally, submits a guess of . The adversary wins if .
Definition 5 (anonymity of AIE). AIE is anonymous if, for any probabilistic polynomialtime algorithm , its ANON advantage, denoted byis a negligible function of , where the probability is over the random bits used by the challenger and the adversary.
5.5. Security Model for Function Privacy
Formalizing such a notion is not straightforward since adversary can mount a guessing attack. If adversary has some knowledge that the token comes from a small set, it can encapsulate each candidate index and run the legitimate procedure to learn the function embedded inside the token. We adapt the notion from [20] which requires that is indistinguishable from a random token if is chosen from a sufficiently high minentropy distribution. The following security game parameterized by a distribution helps us capture properties of function privacy:(i)Setup Phase: the challenger runs and sends both master secret key and public parameters to adversary .(ii)Challenge Phase: in this phase, the challenger samples an indices vector from the distribution and then, for every , computes and returns to .(iii)Guess Phase: finally, submits a guess of the distribution challenger has used. It outputs āā standing for uniform distribution; otherwise it outputs ā.ā
Definition 6 (privacy of AIE). AIE says private function if, for any probabilistic polynomialtime algorithm and any blocksource distribution where is a polynomial of , its PRIV advantage, denoted byis a negligible function of where stands for uniform distribution.
To gain reasonable high minentropy in anonymous CCN, we suggest that data provider should assign a complicated name of the encrypted data. Since adversary can mount a guessing attack (exhaustively testing the token by using pairings), the definition of privacy actually guarantees that there is no more obviously effective attack better than the brute force method.
6. Proof of Anonymity
We use reduction to prove anonymity of our scheme under the DBDH assumption.
Lemma 7. Suppose there is an adversary that can win the anonymity game with advantage . Then there is an algorithm which solves the DBDH problem with advantage .
Given a tuple , which is either sampled from or from , algorithm interacts with adversary as follows.
Setup Phase. sets up public parameter .
Programming the Random Oracle. simulates the random oracle for as follows.āIf the same query is repeated twice, then the same return value is provided, on issuing a fresh query for , and (1) samples , ,(2) stores tuple in table ,(3) returns ,āOn issuing a fresh query for , (1) samples , ,(2) stores tuple in table ,(3) returns .
Prechallenge Phase. On issuing a token for index , algorithm does the following:(1) If the same query for is repeated twice, then the same token is provided.(2) If has not made a query for and/or , it programs and/or as mentioned above.(3) It retrieves from and from .(4) It samples and computes . That is, it randomly samples and such that .(5) It computes .(6) It returns .
Correctness of Simulation. We argue that is always a proper token corresponding to since
Challenge Phase. After sends and , algorithm does the following:(1)It picks a random bit .(2) If has not made a query for and/or , it programs and/or as mentioned above.(3) It retrieves from and from .(4) It computes , , .(5) It returns as challenge header.
Postchallenge Phase. responds as before in prechallenge phase.
Guess Phase. Finally outputs a guess of . concludes its own game by outputting a guess as follows. if , returns , else returns .
Analysis of ā¬ās Behavior. Denote . If is sampled from , that is, , then is a perfectly legitimate header of since Therefore, simulates a perfect environment of , and the probability of the event winning the game is identical to . However, when is uniformly random, the challenge header will not be legitimate. This is not a problem, and indeed it is crucial to the proof of security.
Lemma 8. If is sampled from uniform random, the distribution of is independent of the adversaryās view, so the probability of event winning the game is identical to .
Proof. Consider the joint distribution of the adversaryās view. Note that the adversary is not allowed to make a token query for and ; from his view, only , , , and may leak information about . What we need to prove is that, for any fixed , , , , , , , , and ,where the probability is over , , , , and . That is clear because the four equations are linearly independent since, for any fixed , , , and ,That concludes that learns nothing about .
To summarize, when the input tuple is sampled from , then adversaryās view is identical to its view in a real security game and therefore satisfies . When the input tuple is sampled from , then . Therefore, we have thatWe present our conclusion as the following statement.
Theorem 9. The AIE scheme one proposed is anonymous, assuming the DBDH assumption holds for the bilinear group generated by .
7. Proof of Function Privacy
Proof. Denote by the distribution of ās view in the game and by the distribution of ās view in the game . We prove that is statistically close to even for arbitrary fixed public parameters.
Suppose received tokens corresponding to in the challenge phase. As knows the master key and having fixed , we can assume that is equivalent towhere and for each .
Without loss of generality, we can assume that and are injective since they are modeled as random oracle. Assuming that and are injective guarantees that for any blocksource over the fact that is also a blocksource over holds.
Note that the collection of functions defined by are universal (see [26]). This enables us to directly apply the leftover hash lemma on blocksource, implying that the statistical distance between and the uniform distribution is negligible in . The same holds also for since is a blocksource in particular. This completes the proof of function privacy.
We present our conclusion as the following statement.
Theorem 10. The AIE scheme one proposed is (computational) function privacy under random oracle model.
8. Implementation and Performance
We implement our AIE schema by JPBC Library [27]. JPBC Library provides cryptographic interface to perform the mathematical operations underlying pairingbased cryptosystems. Our experiments were deployed on Intel Xeon E31231, a 4core 3.40āGHz CPU, with 8āGB of RAM. We calculate the average time cost of each algorithm run on security parameters with different length. The result is shown in Table 1.

As we introduced in Section 3, is run by the central authority only once, when deploying the environment. When the producer generates new content, is run by producer once. When a consumer plans to request a content, is run by the central authority and is run by each router. Thus, the extra time a consumer would spend for AIE is no more than , where represents the hop count. Taking 120bit security parameter as an example, assuming the hop count is 5 on average [2], the total extra time cost for a consumer is āms on average. AIE schema brings only less than 5āms latency on each hop.
The relationship between time cost and the length of security parameter is shown in Figure 2. The comparison of four groups of data with different length of security parameter is shown in the graph horizontally. Each bar represents an algorithm in AIE, which is , , , and from left to right. The vertical axis represents the average time cost of each experiment. It concludes that the performance of AIE is satisfying with small size of security parameter. But the time cost increases by a large margin with the increase of security parameter size. However, it is not necessary to choose too large security parameter since no one can break DBDH and CDH assumption up to the present.
Finally we turn to study the stability of our protocols run time. Figures 3 and 4 show time cost of each independent call of and with 240bit security parameter. axis represents the index of each call and axis represents the time cost. Each point in the graph represents a result of one experiment. As expected, the result shows most calls of and are very close to the average time cost.
The experimental results are quite different from other approaches [2, 3]. The main time costs of [2, 3] are used in the transmission of data. But since our scheme decouples index from data, the run time costs are used in encapsulating the index, and the performance of our scheme can be seen as a negligible constant, which is uncorrelated with the data size.
9. Conclusion
This work presents an initial attempt to provide privacy and anonymity in CCN by cryptographic protocol. We embed AIE scheme in the CCN to provide comparable anonymity with lower relative overhead.
AIE is a new cryptographic primitive. There are at least two differences between Asymmetric Index Encapsulation and PEKS or identity based searchable encryption [13, 20]. Firstly, the goal of AIE scheme is to decouple index hiding and searching procedure from encryption scheme. There are independent application scenarios of index encapsulation. Identity based searchable encryption can be replaced by any combination of AIE and anonymous identity based encryption. Secondly, Asymmetric Index Encapsulation scheme does not imply public key encryption or identity based encryption. There is possibility of getting better security reduction and efficiency.
The security of our scheme relies on the DBDH/CDH assumption in primeorder groups and random oracle. An encapsulated header in our system consists of only three elements, while a token in our system also consists of only three elements. Besides the acceptable efficiency in practice, the scheme has tight security reduction against all kinds of adversaries. (A security reduction is said to be tight when breaking the scheme is exactly as hard as solving the underlying problem.)
We introduce new adversarial models for anonymous CCN. The anonymity model captures the intuitive notion that an adversary should not be able to distinguish between the encapsulated header of two challenge indices of his choice, even if it is allowed to obtain tokens for any other indices. The privacy model requires any token belonging to index to be indistinguishable from a random token if is chosen from a sufficiently high minentropy distribution.
An interesting open problem is to construct AIE schemes for other classes of functions. A possible starting point is to consider simple functionalities, such as wildcard [28] and innerproduct testing [29]. Another fascinating open problem is to design a scheme which is secure in the standard model as well as keeping the token size and header size constant. Finally, we leave it as an open problem to design an AIE scheme without pairing.
Disclosure
An extended abstract was presented at Provable Security 10th International Conference, ProvSec 2016 [22].
Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.
References
 A. Chaabane, E. De Cristofaro, M. A. Kaafar, and E. Uzun, āPrivacy in contentoriented networking: threats and countermeasures,ā ACM SIGCOMM Computer Communication Review, vol. 43, no. 3, pp. 25ā33, 2013. View at: Publisher Site  Google Scholar
 S. DiBenedetto, P. Gasti, G. Tsudik, and E. Uzun, āANDaNA: Anonymous Named Data Networking Application,ā in Proceedings of the Proceedings of the Network and Distributed System Security Symposium (NDSS' 12), San Diego, Calif, USA, 2012. View at: Google Scholar
 G. Tsudik, E. Uzun, and C. A. Wood, āAC3N: Anonymous communication in ContentCentric Networking,ā in Proceedings of the 13th IEEE Annual Consumer Communications and Networking Conference, CCNC 2016, pp. 988ā991, Las Vegas, Nev, USA, January 2016. View at: Publisher Site  Google Scholar
 C. Ghali, G. Tsudik, and C. A. Wood, ā(The futility of) data privacy in contentcentric networking,ā in Proceedings of the 15th ACM Workshop on Privacy in the Electronic Society, WPES 2016, pp. 143ā152, Vienna, Austria, 2016. View at: Publisher Site  Google Scholar
 P. Gasti, G. Tsudik, E. Uzun, and L. Zhang, āDoS and DDoS in named data networking,ā in Proceedings of the 2013 22nd International Conference on Computer Communication and Networks, ICCCN 2013, Nassau, Bahamas, August 2013. View at: Publisher Site  Google Scholar
 R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, āSearchable symmetric encryption: improved definitions and efficient constructions,ā Journal of Computer Security, vol. 19, no. 5, pp. 895ā934, 2011. View at: Publisher Site  Google Scholar
 E.J. Goh, Secure Indexes, 2004.
 S. Kamara, C. Papamanthou, and T. Roeder, āDynamic searchable symmetric encryption,ā in Proceedings of the 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 965ā976, USA, October 2012. View at: Publisher Site  Google Scholar
 D. Cash and S. Tessaro, āThe locality of searchable symmetric encryption,ā in Advances in Cryptology – EUROCRYPT 2014, vol. 8441 of Lecture Notes in Computer Science, pp. 351ā368, 2014. View at: Publisher Site  Google Scholar  MathSciNet
 J. G. Li, Y. R. Shi, and Y. C. Zhang, āSearchable ciphertextpolicy attributebased encryption with revocation in cloud storage,ā International Journal of Communication Systems, 2015. View at: Publisher Site  Google Scholar
 J. G. Li, X. N. Lin, Y. C. Zhang, and J. G. Han, āKSFOABE: outsourced attributebased encryption with keyword search function for cloud storage,ā IEEE Transactions on Services Computing, vol. PP, no. 99, p. 1, 2016. View at: Publisher Site  Google Scholar
 M. Bellare, A. Boldyreva, and A. O'Neill, āDeterministic and efficiently searchable encryption,ā in Advances in Cryptology  CRYPTO 2007, vol. 4622 of Lecture Notes in Computer Science, pp. 535ā552, 2007. View at: Publisher Site  Google Scholar  MathSciNet
 D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, āPublic key encryption with keyword search,ā in Advances in Cryptology  EUROCRYPT 2004, vol. 3027 of Lecture Notes in Computer Science, pp. 506ā522, 2004. View at: Publisher Site  Google Scholar  MathSciNet
 J. Li, Y. Guo, Q. Yu, Y. Lu, and Y. Zhang, āProvably secure identitybased encryption resilient to postchallenge continuous auxiliary input leakage,ā Security and Communication Networks, vol. 9, no. 10, pp. 1016ā1024, 2016. View at: Publisher Site  Google Scholar
 J. Li, M. Teng, Y. Zhang, and Q. Yu, āA leakageresilient CCAsecure identitybased encryption scheme,ā Computer Journal, vol. 59, no. 7, pp. 1066ā1075, 2016. View at: Publisher Site  Google Scholar
 M. Abdalla, M. Bellare, D. Catalano et al., āSearchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions,ā Journal of Cryptology, vol. 21, no. 3, pp. 350ā391, 2008. View at: Publisher Site  Google Scholar  MathSciNet
 J. Camenisch, M. Kohlweiss, A. Rial, and C. Sheedy, āBlind and anonymous identitybased encryption and authorised private searches on public key encrypted data,ā in Public Key Cryptography – PKC 2009, vol. 5443 of Lecture Notes in Computer Science, pp. 196ā214, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 J. Baek, R. SafaviNaini, and W. Susilo, āPublic key encryption with keyword search revisited,ā in Computational Science and Its Applications—ICCSA 2008, vol. 5072 of Lecture Notes in Computer Science, pp. 1249ā1259, Springer, Berlin, Germany, 2008. View at: Publisher Site  Google Scholar
 T. H. Yuen, Y. Zhang, S. M. Yiu, and J. K. Liu, āIdentitybased encryption with postchallenge auxiliary inputs for secure cloud applications and sensor networks,ā in Computer Security  ESORICS 2014, vol. 8712 of Lecture Notes in Computer Science, pp. 130ā147, 2014. View at: Publisher Site  Google Scholar
 D. Boneh, A. Raghunathan, and G. Segev, āFunctionprivate identitybased encryption: hiding the function in functional encryption,ā in Advances in Cryptology – CRYPTO 2013, vol. 8043 of Lecture Notes in Computer Science, pp. 461ā478, 2013. View at: Publisher Site  Google Scholar  MathSciNet
 A. Compagno, M. Conti, P. Gasti, and G. Tsudik, āPoseidon: Mitigating interest flooding DDoS attacks in named data networking,ā in Proceedings of the 38th Annual IEEE Conference on Local Computer Networks, LCN 2013, pp. 630ā638, Sydney, NSW, Australia, October 2013. View at: Publisher Site  Google Scholar
 R. Ma and Z. Cao, āEfficient asymmetric index encapsulation scheme for named data,ā in Provable Security, vol. 10005 of Lecture Notes in Computer Science, pp. 191ā203, 2016. View at: Publisher Site  Google Scholar  MathSciNet
 C. Ghali, A. Narayanan, D. Oran, G. Tsudik, and C. A. Wood, āSecure fragmentation for contentcentric networks,ā in Proceedings of the IEEE 14th International Symposium on Network Computing and Applications (NCA '15), pp. 47ā56, Cambridge, Mass, USA, September 2015. View at: Publisher Site  Google Scholar
 D. Boneh and M. Franklin, āIdentitybased encryption from the Weil pairing,ā SIAM Journal on Computing, vol. 32, no. 3, pp. 586ā615, 2003. View at: Publisher Site  Google Scholar  MathSciNet
 J.S. Coron, āA variant of BonehFranklin IBE with a tight reduction in the random oracle model,ā Designs, Codes and Cryptography, vol. 50, no. 1, pp. 115ā133, 2009. View at: Publisher Site  Google Scholar  MathSciNet
 J. L. Carter and M. N. Wegman, āUniversal classes of hash functions,ā Journal of Computer and System Sciences, vol. 18, no. 2, pp. 143ā154, 1979. View at: Publisher Site  Google Scholar  MathSciNet
 A. de Caro and V. Iovino, ājPBC: Java pairing based cryptography,ā in Proceedings of the 16th IEEE Symposium on Computers and Communications (ISCC '11), pp. 850ā855, July 2011. View at: Publisher Site  Google Scholar
 M. Abdalla, J. Birkett, D. Catalano et al., āWildcarded identitybased encryption,ā Journal of Cryptology, vol. 24, no. 1, pp. 42ā82, 2011. View at: Publisher Site  Google Scholar  MathSciNet
 J. Katz, A. Sahai, and B. Waters, āPredicate encryption supporting disjunctions, polynomial equations, and inner products,ā Journal of Cryptology, vol. 26, no. 2, pp. 191ā224, 2013. View at: Publisher Site  Google Scholar  MathSciNet
Copyright
Copyright © 2017 Rong Ma et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.