#### Abstract

A large number of wireless devices like WiFi cameras and 4G robots have been deployed in the rapidly growing wireless network such as Internet of Things. All of the devices (sensors) are collecting and analyzing multimedia data all the time while they are actively working, and it is also required to share data among these the sensors. Typically, the wireless data is transmitted through the network gateway or the cloud platforms. In such a wireless environment, if there is no appropriate protection to the data, it is easy to cause potential data leakage. In reality, the owner of the sensor might only want to share the multimedia data stored in the sensor with a trusted third party (e.g., a family member or a coworker) through an internet gateway or the cloud platform. Ideally, the gateway or the cloud platform in the wireless network should transform one user’s encrypted data (wireless multimedia data) directly into another ciphertext under a set of new users (e.g., a trusted third party) without accessing the user’s plaintext data. In this work, a new secure notion called fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is presented to address the concern. In a FC-PBRE scheme, the proxy (the gateway or cloud server) uses a broadcast re-encryption key to re-encrypt the encrypted wireless multimedia data which can be decrypted by a set of delegatees if and only if the broadcast key’s conditional set is close to the conditional set of the ciphertext. With the FC-PBRE scheme, the wireless multimedia data is not disclosed and cannot be learnt by the proxy (the gateway or cloud server). In this paper, we first present the definition of security against chosen-ciphertext attacks for FC-PBRE. Second, we propose an efficient fuzzy-conditional proxy broadcast re-encryption scheme. Third, we prove that our FC-PBRE scheme is CCA-secure in the random oracle model based on the Decisional nBDHE assumption.

#### 1. Introduction

Generally, a user (can be an attacker) has the access to the data stored in the wireless devices via a direct connection with the devices, the gateway of the network, and a cloud platform. Because many wireless devices need to localize the configuration before they start working, they usually have a backend configuration interface (e.g., WEB, PC) open. Moreover the devices sometimes go offline even when they are actively working. As a result, the attacker can simply hack the login system of the configuration interface and obtain the multimedia data. In this case, even though the device and the cloud have been authenticated and encrypted (e.g., using SSL), the attack cannot be prevented. So, ensuring the multimedia data to be stored and shared securely has become extremely important [1–8]. To share the data partially, it would be good if all the multimedia data are encrypted via the data owner’s public key. For example, the device owner can give the data permission of the wireless camera configuration to the maintenance engineer, but the maintenance is not allowed to access to the video data. Obviously, such a scheme cannot allow sharing the private key directly with the maintenance engineer because sharing the private key means exposing the data to the engineer.

One approach to ensure data confidentiality in the wireless network is that user data can be encrypted before it is updated into the server. The encryption technology is an effective way to protect user data; however it does have some drawbacks. For example, when a cloud user Alice shares her data with another user Bob, her encrypted data cannot be as the plain data and cloud servers should not be directly transmitted to the shared user’s ciphertext, because users (including Bob) cannot decrypt the received data. Of course, one easy way for Alice to fix this issue is to download her own encrypted data that is saved in the cloud, then decrypt and upload the decrypted data to the cloud again, and finally send it to Bob who Alice wants to share the data. However, using this method, the user’s data will be obtained by the untrusted third-party cloud, which cannot guarantee the data confidentiality. Therefore, in the cloud storage environment, a security mechanism is needed to allow the cloud server to transform the encrypted data of users directly into another shared user’s encrypted data without accessing the user’s plaintext data.

Since the data security problem of users in the nontrusted third-party cloud server is increasingly prominent and traditional encryption technology has been unable to meet these application needs, the cloud server really should be able to convert a user’s ciphertext to a second’s user ciphertext on the basis of not involving decryption. There have been quite a few researches done in this area to address this concern. For example, proxy re-encryption [9] can directly transfer encrypted data of a user Alice, stored in a nontrusted third-party cloud under the authorization of Alice, into user Bob’s ciphertext, so as to achieve data sharing of Alice and Bob. Because of this feature, proxy re-encryption has been applied in IoT, cloud computing, email forwarding systems [9], and distributed file systems [10]. In proxy re-encryption, the third party can convert all Alice’s ciphertexts into Bob’s ciphertext, but in many applications, Alice hopes that the third party can only transform some specific conditions of ciphertext instead of all ciphertext. For example, the owners of wireless devices might only want to share part of the encrypted multimedia data instead of sharing all the data with a group of other users. To achieve that goal, conditional proxy re-encryption was proposed to provide such a mechanism that allows Alice to freely determine which encrypted data needs to be shared with Bob [11]. The third party in the conditional proxy re-encryption scheme has the ability to convert a ciphertext only if it meets certain specific conditions.

For applications like group photo sharing, however, conditional proxy re-encryption scheme becomes a problem if one person’s multimedia needs to be shared with a group of users via a cloud platform. For example, in a scenario of a picture’s owner (Alice) who wishes to share the encrypted photo data with the family members, the cloud cannot directly forward the owner Alice’s encrypted data of camera to a group of family members, since only Alice has the private key to decrypt after forwarding. Although conditional proxy re-encryption can convert Alice’s ciphertext into a different ciphertext, only the one person can decrypt the ciphertext, not a group of people to decrypt. Thus it cannot be adapted to the situation of group data sharing. Recently, the conditional proxy broadcast re-encryption(C-PBRE) was presented [12] to resolve the issue. In a C-PBRE scheme, a user’s ciphertext can be transformed to another ciphertext for a group of users by a third party proxy. Moreover, the third-party proxy can only convert ciphertext with specific conditions.

Although the C-PBRE has addressed some concerns, still there is a flaw, which is that the C-PBRE scheme cannot support fuzzy condition matching. Here, we give an example of an online medical service system to show the importance of fuzzy condition matching and the fuzzy-conditional proxy broadcast re-encryption (FC-PBRE). Usually a multimedia electronic medical record is a system that tracks the electronic medical record of the patients. It integrates image, video, audio, and text and everything can be stored in the cloud at the same time. Doing so enables the medical staff to look up all medical records related to the patient such as an MRI or X-ray image from a PC or a smart phone. In order to protect patient privacy of multimedia electronic medical records, we need to encrypt and protect relevant data. But how to implement the sharing of multimedia electronic medical records after encryption is a difficult problem and FC-PBRE comes to solve this problem. More specifically, in an online medical system, patients are more likely to find a doctor who meets the following requirements for the treatment of a cold. We can simply denote the requirements as follows: . With a patient can encrypt her health record before she uploads it to the medical system. However, the medical system cannot directly access the disease record in this case, because it does not necessarily have a matching secret key under . What the system can do is re-encrypt the ciphertext so that other doctors may be able to see the case as long as these doctors meet at least conditions of . By adopting FC-PBRE, a doctor sets up a different access policy and sends a re-encryption key to the proxy. When a doctor is away, the proxy can re-encrypt the ciphertext if and only if . However, in many situations Alice may want to cooperate with a set of colleagues satisfying to consultation on the patient’s condition. In traditional FC-PRE, if Alice wants to consulate with colleagues, the proxy needs to perform re-encryption operations. The problem, though, is that the proxy’s computation is linear with ; this may not be desirable in terms of the complexity. In contrast, in FC-PBRE, the proxy can re-encrypte Alice’s ciphertext to a group of users at one time. As a result, an FC-PBRE scheme is likely to resolve this complexity problem.

In the multimedia data sharing environment, it is needed to have a secure mechanism that allows the cloud server to transform one user’s encrypted data directly into another ciphertext under a set of new users without accessing the user’s plaintext data. In this paper, fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is proposed to address the concern. In FC-PBRE, the proxy uses a broadcast re-encryption key to re-encrypt a ciphertext which can be decrypted by a set of delegatees if and only if the broadcast key’s conditional set is close to the conditional set of the ciphertext. With the FC-PBRE scheme, the plaintext data is not disclosed and cannot be learnt by the proxy. The paper is structured as follows. First we introduce the security definition against chosen-ciphertext attacks for FC-PBRE. Second, our efficient fuzzy-conditional proxy broadcast re-encryption scheme is presented. Finally, we prove that our FC-PBRE scheme is CCA-secure in the random oracle model based on the Decisional nBDHE assumption.

#### 2. Related Work

Proxy re-encryption [9] can directly transfer encrypted data of user Alice stored in nontrusted third-party cloud under the authorization of Alice into user Bob ciphertext, so as to achieve data sharing of Alice and Bob. But the third party can transform all Alice’s ciphertext into Bobs ciphertext in PRE scheme, but in many applications, Alice hopes that the third party can only transform some specific conditions of ciphertext instead of all ciphertext. In a C-PRE scheme [11], only the one ciphertext from Alice that meets certain specific conditions can be converted by third parties into a Bob’s ciphertext. Therefore, with conditional proxy re-encryption, Alice can determine which ciphertext for third parties to re-encrypt; thus a flexible control of the ciphertext can be observed. Weng et al. [11] proposed conditional proxy re-encryption scheme and they proved that it is chosen-ciphertext attack secure in the random oracle model. Similarly, Tang [13] proposed a type based proxy re-encryption scheme, a secure proxy re-encryption with keyword search scheme, and it is proven secure in the random oracle model [14]. On top of the keyword search scheme, an anonymous conditional proxy re-encryption with keyword search scheme was proposed by Fang et al. [15]. On the paper, they also proved that their scheme is chosen-ciphertext secure. Fang et al. [16] presented a fuzzy-conditional proxy re-encryption scheme and proved the security in the random oracle model. The scheme can support fuzzy matching between multiple keywords; that is, only some key words in the re-encryption key satisfy the matching, and the third party can complete the re-encryption.

Without the random oracle, a conditional proxy re-encryption scheme [17] was proposed to support a more fine-grained access strategy under the standard model. Reference [18] designed an identity based proxy re-encryption mechanism for multiple hop (Multihop) under the standard model. In this scheme, the re-encrypt ciphertext can still be re-encrypted repeatedly, and the length of ciphertext does not increase with the number of re-encryptions. So the length of the ciphertext is constant.

With regard to anonymity, Ateniese et al. [19] came out with the idea of anonymous proxy re-encryption and proved that their scheme is chosen plaintext attack security under the standard model. With anonymous proxy re-encryption, an attacker cannot obtain user’s identity from the key. Later, a new scheme was proposed to achieve the security of chosen-ciphertext attack with the random oracle [20]. Subsequently, Shao et al. improved the scheme by using the standard model for the security proof [21]. Followed by Shao et al.’s work, a security model is enhanced for anonymous proxy re-encryption [22]. In the security model of [22], it allows attackers to get re-encrypted queries directly, instead of obtaining re-encrypted query by acquiring re-encryption key query. Shao et al. [23] proposed an anonymous ID based proxy re-encryption to extend anonymous proxy re-encryption to identity based anonymous proxy re-encryption. Their scheme is proven secure in the random oracle model. An anonymous identity based multiuser identity based proxy re-encryption scheme was proven CCA-secure in the standard model [18]. The same literature also analyzed its application in privacy protection and data sharing in big data storage system. The above schemes are about proxy anonymous encryption with user identity anonymity. A keyword anonymity conditional proxy re-encryption scheme [24] was demonstrated to achieve the anonymity of conditions.

#### 3. Preliminaries

##### 3.1. Bilinear Map

and denote two multiplicative cyclic groups with the same prime order . is a generator of group . A bilinear pairing is a bilinear map with the following properties:(1) for all and .(2).(3) can be computed in polynomial time for all .

##### 3.2. The n-BDHE Assumption

If is a prime, let denote the set and denote the set . Let be a bilinear map. Given elements and an element , the adversary’s task is to decide if .

Denote as , and define the advantage of an adversary aswhere , , and are randomly chosen. We conclude that the n-BDHE assumption relative to holds [25], if is negligible for all probability polynomial time (PPT) adversary .

#### 4. FC-PBRE Model and Security Notion

Two security definitions for fuzzy-conditional proxy broadcast re-encryption as well as its model are introduced in this section.

*Definition 1 (FC-PBRE). *A (single-use) proxy broadcast re-encryption scheme runs the following algorithms: (i): in the setup step, for the input, is the security parameter, is the maximum allowed number of users, and is the threshold. The system at this step generates a public key and a master secret key .(ii): given the public key , the master key , and a user , the system generates secret key for the user .(iii): the algorithm takes the public key , a user sets , a message , and a set of keywords as the input, it then outputs the ciphertext for the user set with condition set .(iv): on inputting , the user’s private key , a set of users () and a keywords set , outputs the re-encryption key .(v): with the public key , a re-encryption key , the user , two different user sets and , and the original ciphertext , this algorithm computes the re-encrypted ciphertext . This step requires , where is the threshold and if the condition cannot be met, an error symbol will be output instead.(vi): represents the decryption algorithm for the original ciphertext. It takes the public key , user , the private key of the user , a set of users , and ciphertext for user set , and it outputs the plaintext .(vii): represents the re-encrypted ciphertext decryption algorithm. It outputs the plaintext from the input of a public key, a user’s private key , users , , user sets , , and a re-encrypted . If the algorithm aborts, it outputs .

*Correctness*. The definition of the correctness of a FC-PBRE scheme is as follows; given two user sets , condition sets , , and , then , if

, if ;

, if .

The game-based model is used to define the security for the FC-PBRE scheme. Similar to a security model from [25], the CCA security of the FC-PBRE scheme is considered in the selective-set model. In such a model, the adversary is supposed to commit ahead the challenge user set and the condition set .

*Definition 2 (IND-set-CCA game). *The following lists two games between one adversary and a challenger .

Game 1 is to consider the security of the original ciphertexts. We define the IND-OR-CCA game as follows:(1)Init. In the initial phase, the adversary selects a target users set and the condition set .(2)Setup. At this stage of the game, the challenger runs , and as a result, he can generate the public key and the master key . Then he gives to .(3)Query phase 1. makes the following queries:(a): the challenger runs and returns to .(b): runs and and returns to .(c): runs , where and , and returns the output to .(d): runs , where , and returns the output to .(e): runs , where , and returns the output to . has to follow the restrictions in this phase. First, cannot make for any ; second cannot make and , if , , and .(4)Challenge. As soon as finishes Query phase 1, computes two equal length messages . selects a bit and sets the challenge ciphertext to be . is then sent to .(5)Query phase 2. In addition to the restrictions in phase 1, continues making queries with the following extra restrictions: is not allowed to run and if and ;(a) is not allowed to run for any ;(b) is not allowed to run if , and .(6)Guess. makes the guess for . The adversary wins the game if .

The above adversary is referred to as an IND-OR-CCA adversary. The advantage is defined as

Game 2. IND-Re-CCA game is used for the indistinguishability of the re-encrypted ciphertext.(1)Init. To begin the game, an adversary selects a target users set and a condition set .(2)Setup. The challenger generates the public key and master key by running runs . Then gives to .(3)Query phase 1. The adversary makes the following queries:(a): gets from . Then it returns it to . Note that cannot make for any user ;(b): runs , where , and returns to .(c): runs , where , and returns the result to .(4)Challenge. Once finishes Query phase 1, outputs two equal length messages . Challenger chooses a bit and sets the challenge ciphertext to be , where , and . is returned to the adversary .(5)Query phase 2. continues making queries but is subject to the following restrictions:(a) cannot make for any ;(b) cannot make , if and .(6)Guess. makes the guess . The adversary wins the game if .

The above adversary is referred as an IND-Re-CCA adversary. Its advantage is defined as

A fuzzy-conditional proxy broadcast re-encryption scheme is called IND-Set-CCA-secure if for all PPT adversary , , and are negligible.

#### 5. The Proposed FC-PBRE Scheme

##### 5.1. Our Construction

A Lagrange coefficient is defined for and a set , of elements in :

Our FC-PBRE scheme contains the following algorithms:(i): Let denote the message space. The algorithm randomly selects and and computes for . Let , , , , and be collusion-resistant hash functions. It computes . outputs the public key and the master key for the cloud server as follows: (ii): The secret key for a cloud user is generated in this phase, where(iii): To encrypt a plaintext under the set with condition , it randomly picks a , computes , and outputs the results of the ciphertext: . (iv): On inputting , and , it randomly selects and a polynomial with degree, where . For each , it selects a random value and computes It chooses random value , , computes , and sets It outputs the re-encryption key (v): On inputting a re-encryption key and a ciphertext , it verifies whether the following hold: If not, it outputs . Otherwise, it randomly selects a element set . If such a set cannot be found, the algorithm outputs , or else it computes Then the re-encrypted ciphertext is .(vi): It takes a secret key and a ciphertext as the inputs, it(1)verifies if the three equations (11)–(13) hold. If not, it aborts and outputs the error or, else,(2)computes , , and and verifies whether hold. It returns or else returns .(vii): On inputting a secret key and a re-encrypted ciphertext , it proceeds as follows: First verifying whether all of the equations hold: If they do not hold, it outputs . Otherwise, it computes It verifies whether hold. If not, it returns , or else it computes , , and . It verifies whether holds. If it holds, it returns or else it returns .

##### 5.2. Security Proof

In section, we prove that our scheme is IND-Set-CCA-secure in the ROM.

Theorem 3. *If are target collision-resistant hash functions and the Decisional nBDHE assumption holds, the above scheme then is IND-Set-CCA-secure in the ROM.*

Lemma 4. *If an IND-OR-CCA is attacker that can successfully attack FC-PBRE, then we are able to construct a simulator that can solve Decisional nBDHE assumption.*

*Proof. *The simulator is provided a Decisional nBDHE instance and has to decide whether from a random value. The simulator controls the random oracles (RO) as follows:

searches for . If list already exists, then sends to . Else, randomly selects , sends to , and puts in list.

searches for . If list already exists, then sends to . Else, randomly selects , sends to , and puts to .

searches for . If list already exists, then sends to . Else, randomly selects , generates , sends to , and puts to list.

searches for . If list already exists, then sends to . Else, randomly selects and sets , sends to , and puts to list.

searches for . If list already exists, then sends to . Else, randomly selects , sends to , and adds to list.

then keeps the lists as follows:

(i) stores the tuples ;

(ii) stores the tuples , which maintains the results of query . If , then it is a valid re-encryption key, or else it is random.

(iii) stores the tuples , which maintains query . Note that if , then a re-encryption key which is used to generate the re-encrypted ciphertext should be valid, or else the re-encrypted ciphertext is invalid and randomly generated.(1)** Init.** The attacker selects a challenge user set and challenge conditional set .(2)** Setup.** The simulator randomly selects values and and sets sets the public key as and . sends to the attacker .(3)** Query phase 1. ** does some of the columns of the query, and the response of is as follows:(i): If , then aborts. Else the simulator first searches , and if are in , then it outputs . Otherwise, throws a biased coin ( for some ).(a)When , aborts and outputs a random bit.(b)When , calculates . Note that we have (ii): the simulator verifies whether tuple is in (, , and ). If not, then aborts. Otherwise searches whether there is a tuple in . If yes, outputs . Otherwise, the simulator proceeds:(a)If exists in , as in the real algorithm of the scheme, the simulator generates the re-encryption key from by using the secret key . returns to . Then it puts to , where are randomly selected.(b)Otherwise, throws a biased coin . If , queries the oracle to get and, then, generates from . returns the re-encryption key to . Then it adds and to and , respectively. If , sets for randomly chosen . Then constructs to encrypted random as the real environment. The simulator sends the re-encryption key to . Then it adds to .(iii): searches in . If yes, returns . Else, it is dealt with in the below:(a)If in , as the real environment, uses to construct by and sends to . Then it adds to . Here we need and .(b)Otherwise, first makes query to retrieve the re-encryption key . Next, constructs . Then it puts to .(iv): tests (11)-(13). If the test does not pass, it aborts with an error . Else(a)If already exists in , recovers by using .(b)Otherwise, queries to obtain and recovers by using .(v): checks (18)-(19). If one of the equations cannot be validated, it aborts and outputs . Otherwise, proceeds:(a)If already exists in , recovers by using .(b)Otherwise, queries to get and recovers by using .(4)** Challenge.** Once the attacker decides that Phase 1 is finished, it outputs two messages . And randomly selects . Let for some randomly chosen . computes where queries to RO for entry . sends to . If , we have . Hence the challenge ciphertext is a valid one. Otherwise, is independent of if is a random value, in the attacker’s view.(5)** Query phase 2. ** makes queries continuously.(6)** Guess. ** generates the guess bit , if , and then outputs , which means that ; else outputs . In this case, is a random value in .

**Probability analysis.** When aborting happens, we define the game as . In the case does not abort, does not know the different between the game and the actual scheme. Let denote the total number of all queries; we have , which is maximized at . Using , the probability is at least , where is the base of the nature logarithm. Therefore, we have

With this we complete the proof of Lemma 4.

Lemma 5. *If an IND-Re-CCA attacker can successfully attack our scheme, then a simulator that can be constructed to solve the Decisional nBDHE assumption.*

*Proof. *We use the same game construction from the proof of Lemma 4 and modify the challenge phase to prove Lemma 5. To construct the challenge re-encrypt ciphertext, randomly selects . Let for the randomly selected . then computes then constructs in the same way as in game 1.

The proofs of Lemmas 4 and 5 conclude that we have proven Theorem 3.

#### 6. Comparison

We use schemes from [24, 26] as baselines as [26] achieves the same security and [24] supports the same fuzzy property with our scheme. In the implementation, we selected two most efficient schemes to do experimental comparisons. Our experimental environment is as follows: Core i7 Processor (6M Cache, 3.40 GHz) with a Linux operating system. In the implementation, the proxy re-encrypted the ciphertext of the delegator to 20 different ciphertext for the delegate. The average value of the execution time of 50 experiments is used to eliminate the errors. Table 1 lists the comparison of the performance of the schemes. Although , , , , and time is a little greater than [24, 26] as our scheme needs to support the property of broadcast, the time overhead of the re-encryption algorithm is much slower than our scheme. This is due to the fact that the proxy is only required to run the re-encryption algorithm once.

#### 7. Application

With the proposed FC-PBRE scheme, we illustrate an example of the scheme’s possible application and show how FC-PBRE scheme protects the confidentiality and privacy of multimedia data in the Internet of Things.

##### 7.1. Application of Security in Internet of Things

With the development of wireless networks and the Internet of Things, a large number of wireless devices (WiFi cameras, wireless sensors, etc.) are deployed; they are collecting and analyzing multimedia data at all times. Many applications require these wireless devices to share data, and insecure data sharing before wireless devices can easily lead to data leakage. Usually a normal user accesses a wireless device in three ways: first, through direct connection with the wireless device; second, through the gateway; third, through the cloud platform. Because many wireless devices need to be localized before they start to work, they usually have backend configuration interfaces (WEB, PC) and are offline at some point during their work, so it is more convenient for an attacker to access multimedia data directly by cracking the login password of the backend configuration interface. In this case, even if the device and cloud have been authenticated and encrypted (such as using SSL) they cannot prevent the attack. How to ensure the safe storage and sharing of wireless multimedia data becomes particularly important. In this environment, we can deploy FC-PBRE to ensure the security of the system. The data of each device (including multimedia data, control data) is encrypted by the device owner’s public key (). Obviously, no user can decrypt the data except the data owner A. When the device owner A needs to grant data privileges to the maintenance engineer for the configurations of wireless devices (such as WiFi cameras), the maintenance engineer B has to request a re-encryption key , where from the device owner A. The maintenance engineer B can use the re-encrypted key to perform the re-encryption algorithm to convert the device owner’s ciphertext into their own ciphertext , and then B uses his own public key to decrypt the ciphertext by performing the re-encrypted ciphertext decryption algorithm . Similarly, if the gateway or cloud platform wishes to share encrypted multimedia data to authorized third-party users (i.e., ) without decryption, the device owner A only needs to produce a re-encrypted key , which will be used to re-encrypt the message from the device owner A to the third-party user sets . After the key is generated, it will be sent to the cloud platform. Therefore, the cloud platform can run the re-encryption algorithm to convert the device owner’s ciphertext into , which can be decrypted with the third party’s own private key.

#### 8. Conclusions

In the paper, a new security notion called fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is presented. In a FC-PBRE, the proxy uses a broadcast re-encryption key to re-encrypt a ciphertext which can be decrypted by a set of delegatees if and only if the broadcast key’s conditional set is close to the conditional set of the ciphertext. Moreover, the proxy learns nothing about the plaintext from entire process. Second, we define the security notion against chosen-ciphertext attacks for FC-PBRE and propose an efficient fuzzy-conditional proxy broadcast re-encryption scheme. Finally, we prove that our FC-PBRE scheme is the chosen-ciphertext attack secure in the random oracle model under the Decisional nBDHE assumption.

Given our contributions, further research might explore constructing a CCA-secure FC-PBRE scheme in the standard model. It also can focus on the construction of the fuzzy-conditional proxy broadcast re-encryption schemes without pairings.

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Disclosure

This paper is an extended version of the oral report [27] the authors made at the International Conference on Cloud Computing and Security (ICCCS 2018). However, this paper has not been published by the conference ICCCS 2018.

#### Conflicts of Interest

The authors declare that the funding in the Acknowledgments did not lead to any conflicts of interest regarding the publication of this manuscript. Also, there is no conflicts of interest in the manuscript.

#### Acknowledgments

Liming Fang is supported by the National Natural Science Foundation of China (nos. 61872181, 61702236, and 61300236), the National Natural Science Foundation of Jiangsu (under Grant no. BK20130809), the National Science Foundation for Postdoctoral Scientists of China (no. 2013M530254), the National Science Foundation for Postdoctoral Scientists of Jiangsu (no. 1302137C), China Postdoctoral Science Special Foundation (no. 2014T70518), and Changzhou Sci&Tech Program (no. CJ20179027). Jinyue Xia is partially supported by the National Natural Science Foundation of China (no. 6127208361300236).