Recently, a number of extended Proxy Re-Encryptions (PRE), e.g. Conditional (CPRE), Identity-Based PRE (IPRE) and Broadcast PRE (BPRE), have been proposed for flexible applications. By incorporating CPRE, IPRE and BPRE, this paper proposes a verstatile primitive referred to as Conditional Identity-based Broadcast PRE (CIBPRE) and formalizes its semantic security. CIBPRE allows a sender to encrypt a message to multiple receivers by specifying these receivers' identities, and the sender can delegate a re-encryption key to a proxy so that he can convert the initial ciphertext into a new one to a new set of intended receivers. Moreover, the re-encryption key can be associated with a condition such that only the matching ciphertexts can be re-encrypted, which allows the original sender to enforce access control over his remote ciphertexts in a fine-grained manner. We propose an efficient CIBPRE scheme with provable security. In the instantiated scheme, the initial ciphertext, the re-encrypted ciphertext and the re-encryption key are all in constant size, and the parameters to generate a re-encryption key is independent of the original receivers of any initial ciphertext. Finally, we show an application of our CIBPRE to secure cloud email system advantageous over existing secure email systems based on Pretty Good Privacy protocol or Identity-Based Encryption.[4], [5], [6], [7], [8] were proposed so that the receivers' recognizable identities can serve as public keys. Instead of fetching and verifying the receivers' certificates, the sender and the proxy just need to know the receivers' identities, which is more convenient in practice.PRE and IPRE allows a single receiver. If there are more receivers, the system needs to invoke PRE or IPRE multiple times. To address this issue, the concept of Broadcast PRE (BPRE) has been proposed [9]. BPRE works in a similar way as PRE and IPRE but more versatile. In contrast, BPRE allows a sender to generate an initial ciphertext to a receiver set, instead of a single receiver. Further, the sender can delegate a re-encryption key associated with another receiver set so that the proxy can re-encrypt to.The above PRE schemes only allows the re-encryption procedure is executed in an all-or-nothing manner. The proxy can either re-encrypt all the initial ciphertexts or none of them. This coarse-gained control over ciphertexts to be re-encrypted may limit the application of PRE systems. To fill this gap, a refined concept referred to as Conditional PRE (CPRE) has been proposed. In CPRE schemes [6], [7], [8], [9], [10], [11], [12], [13], a sender can enforce fine-grained re-encryption control over his initial ciphertexts. The sender achieves this goal by associating a condition with a re-encryption key. Only the ciphertexts meeting the specified condition can be re-encrypted by the proxy holding the corresponding reencryption key.A recent conditional proxy broadcast re-encryption scheme [14] allows the senders to control the time to reencrypt their initial ciphertexts. When a sender generat...
