Timed-Release Encryption (TRE) (proposed by May in 1993) prevents even a legitimate recipient decrypting a ciphertext before a semi-trusted Time Server (TS) sends trapdoor
assigned with a release time
of the encryptor’s choice. Cathalo et al. (ICICS2005) and Chalkias et al. (ESORICS2007) have already considered encrypting a message intended to multiple recipients with the same release time. These schemes are efficient compared with previous TRE schemes with recipient-to-recipient encryption, since the most costly part (especially pairing computation) has only to be computed once, and this element is used commonly. One drawback of these schemes is the ciphertext size and computational complexity, which depend on the number of recipients
. In this paper, for the first time we propose Timed-Release Proxy Re-Encryption (TR-PRE) scheme. As in PRE, a semi-trusted proxy transforms a ciphertext under a particular public key (this can be regarded as a mailing list) into re-encrypted ciphertexts under each recipient (who can be regarded as mailing list members).
Even if the proxy transformation is applied to a TRE ciphertext, the release time is still effective
. An encryptor can transfer
-dependent computation parts to the proxy. This function can be applied to multicast communication with a release time indication. For example, in an on-line examination, an examiner sends encrypted e-mails to each examinee, and each examination can be fairly opened at the same time. Our TR-PRE scheme is provably secure under both chosen-time period chosen-ciphertext attack (IND-CTCA) and replayable chosen-ciphertext attack (IND-RCCA) without random oracles.