Semi-generative video steganography scheme based on deep convolutional generative adversarial net
LIN Yangping, LIU Jia, CHEN Pei, ZHANG Mingshu, YANG Xiaoyuan
Journal of Computer Applications    2023, 43 (1): 169-175.   DOI: 10.11772/j.issn.1001-9081.2021112035
Generative steganography hides secret messages by generating sufficiently natural or realistic samples that carry the secret. It is a hot research topic in information hiding, but there is little research on it in the field of video steganography. Combining the idea of the digital Cardan grille, a semi-generative video steganography scheme based on Deep Convolutional Generative Adversarial Net (DCGAN) was proposed. In this scheme, a dual-stream video generation network based on DCGAN was designed to generate three parts of a video: dynamic foreground, static background and spatio-temporal mask, and different videos were produced by the generation network driven by random noise. The sender was able to set the steganography threshold and adaptively generate a digital Cardan grille in the mask; the obtained digital Cardan grille was then used as the key for embedding and extraction, and, with the foreground as the carrier, optimal embedding of the information was realized. Experimental results show that the video-with-secret generated by the proposed scheme has good visual quality, with a Frechet Inception Distance (FID) score of 90, and that the embedding capacity of the scheme, up to 0.11 bpp, is better than those of existing generative steganography schemes. The proposed scheme can therefore transmit secret messages more efficiently.
Optimized CKKS scheme based on learning with errors problem
ZHENG Shangwen, LIU Yao, ZHOU Tanping, YANG Xiaoyuan
Journal of Computer Applications    2021, 41 (6): 1723-1728.   DOI: 10.11772/j.issn.1001-9081.2020091447
Focused on the issue that the CKKS (Cheon-Kim-Kim-Song) homomorphic encryption scheme based on the Learning With Errors (LWE) problem has large ciphertexts, complicated calculation key generation and low homomorphic calculation efficiency when computing on encrypted data, an optimized LWE-type CKKS scheme was proposed using bit discarding and homomorphic calculation key reorganization. Firstly, the size of the ciphertext in the homomorphic multiplication process was reduced by discarding part of the low-order bits of the ciphertext vector and part of the low-order bits of the ciphertext tensor product. Secondly, bit discarding was used to reorganize and optimize the homomorphic calculation key, removing the irrelevant extension items in powersof2 during the key exchange procedure and reducing both the scale of the calculation key and the noise growth during homomorphic multiplication. While preserving the security of the original scheme, the optimized scheme reduces the dimension of the calculation key and the computational complexity of homomorphic multiplication. The analysis results show that the proposed optimized scheme reduces the computational complexity of homomorphic calculation and calculation key generation to a certain extent, thereby reducing storage overhead and improving the efficiency of the homomorphic multiplication operation.
Decryption structure of multi-key homomorphic encryption scheme based on NTRU
CHE Xiaoliang, ZHOU Haonan, ZHOU Tanping, LI Ningbo, YANG Xiaoyuan
Journal of Computer Applications    2020, 40 (7): 1959-1964.   DOI: 10.11772/j.issn.1001-9081.2020010051
In order to further improve the security and efficiency of Number Theory Research Unit (NTRU)-type Multi-Key Fully Homomorphic Encryption (MKFHE) schemes, based on the prime power cyclotomic rings, the properties of the original decryption structure of NTRU-type multi-key fully homomorphic encryption were studied, and two optimization methods of multi-key homomorphic decryption structures were proposed. Firstly, by reducing the polynomial's coefficients, the "Regev-Style" multi-key decryption structure was designed. Secondly, the "Ciphertext-Expansion" multi-key decryption structure was designed by expanding the dimension of ciphertexts. Compared with the original decryption structure of NTRU-type multi-key homomorphic encryption scheme, the "Regev-Style" multi-key decryption structure reduced the magnitude of error, which was able to reduce the number of key-switching and modulo-switching when it was used in the design of NTRU-type multi-key homomorphic encryption scheme; the "Ciphertext-Expansion" multi-key decryption structure eliminated the key-switching operation, reduced the magnitude of error, and was able to process the ciphertext product of repeated users more effectively. The security of the optimized multi-key decryption structures was based on the Learning With Errors (LWE) problem and Decisional Small Polynomial Ratio (DSPR) assumption on the prime power cyclotomic rings, so these structures were able to resist subfield attacks well. Therefore, they can be used to design a more secure and efficient NTRU-type multi-key fully homomorphic encryption scheme by selecting appropriate parameters.
Reversible data hiding scheme in encrypted videos based on vector histogram shifting
NIU Ke, ZHANG Shuo, YANG Xiaoyuan
Journal of Computer Applications    2019, 39 (3): 756-762.   DOI: 10.11772/j.issn.1001-9081.2018071604
Aiming at the problems of low embedding capacity and poor invisibility in compressed-domain video hiding algorithms, a reversible steganography scheme for the H.264/AVC encryption domain was proposed. Firstly, the reference frame interval parameter was determined by the embedding capacity and the carrier size, and whether the cover was encrypted was decided as needed. Then, an embedding key was generated according to the number of video frames to be embedded. Finally, reversible information embedding on motion vectors was realized by vector histogram shifting in the compressed video. The proposed scheme overcomes the distortion accumulation effect caused by motion vector modification by specifying a decoding reference frame, and is compatible with motion-vector-based video encryption algorithms. Video decryption and information extraction depend on the decryption key and the embedding key respectively, which are separated from each other. The information can be extracted in the video ciphertext domain or the decrypted plaintext domain without affecting recovery of the video cover. As the security of the information depends on the embedding key, the length of the key can be controlled as needed, with the maximum length equal to the number of frames in which information can be embedded. Experimental results show that the proposed scheme has low computational complexity and high security, and can adjust capacity and invisibility according to the embedded load. Compared with the BCH code reversible embedding scheme, the PSNR (Peak Signal-to-Noise Ratio) value increases by 3 to 5 dB and the average embedding capacity increases by 5 to 10 times.
Efficient identity-based multi-identity fully homomorphic encryption scheme
TU Guangsheng, YANG Xiaoyuan, ZHOU Tanping
Journal of Computer Applications    2019, 39 (3): 750-755.   DOI: 10.11772/j.issn.1001-9081.2018081669
Focusing on the issue that the traditional Identity-Based Fully Homomorphic Encryption (IBFHE) scheme cannot perform homomorphic operations on ciphertexts under different IDentities (ID), a hierarchical identity-based multi-identity fully homomorphic encryption scheme based on the Learning With Errors (LWE) problem was proposed. In the proposed scheme, the transformation mechanism of the identity-based multi-identity homomorphic encryption scheme ([CM15] scheme) proposed by Clear et al. (CLEAR M, McGOLDRICK C. Multi-identity and multi-key leveled FHE from learning with errors. Proceedings of the 2015 Annual Cryptology Conference, LNCS 9216. Berlin: Springer, 2015: 630-656) in 2015 was combined with the Identity-Based Encryption (IBE) scheme proposed by Cash et al. (CASH D, HOFHEINZ D, KILTZ E, et al. Bonsai trees, or how to delegate a lattice basis. Proceedings of the 2010 Annual International Conference on the Theory and Applications of Cryptographic Techniques, LNCS 6110. Berlin: Springer, 2010: 523-552) in 2010 ([CHKP10] scheme), guaranteeing IND-ID-CPA (INDistinguishability of IDentity-based encryption under Chosen-Plaintext Attack) security in the random oracle model and realizing homomorphic operations on ciphertexts under different identities, which makes the scheme more promising in application. Compared with the [CM15] scheme, the proposed scheme has advantages in terms of public key scale, private key scale, ciphertext size and hierarchical properties, and has wide application prospects.
Traceable and fully verifiable for outsourced decryption for CP-ABE
LI Cong, YANG Xiaoyuan, BAI Ping, WANG Xu'an
Journal of Computer Applications    2018, 38 (8): 2249-2255.   DOI: 10.11772/j.issn.1001-9081.2018020305
In Ciphertext-Policy Attribute-Based Encryption (CP-ABE) schemes, the private key is defined over attributes shared by multiple users. Because a private key cannot be traced back to the owner of the original key, malicious users may sell their decryption privileges to third parties for economic benefit without being discovered. In addition, in most existing ABE schemes the decryption cost and ciphertext size increase linearly with the complexity of the access structure. These problems severely limit the applications of CP-ABE. By defining a traceable table to trace users who intentionally disclose their keys, and by reducing the cost of the decryption operation through outsourcing, a CP-ABE scheme with traceable and fully verifiable outsourced decryption was proposed. The scheme can simultaneously check the correctness of transformed ciphertexts for authorized users and unauthorized users, supports any monotonic access structure, and its traceability has no impact on its security. Finally, the proposed scheme is proved to be CPA (Chosen Plaintext Attack)-secure in the standard model.
Improvement of Niederreiter public key cryptosystem
LIU Xiangxin, YANG Xiaoyuan
Journal of Computer Applications    2018, 38 (7): 1956-1959.   DOI: 10.11772/j.issn.1001-9081.2018010033
Aiming at the current status of the Niederreiter public key cryptosystem, which is vulnerable to the distinguishing attack and ISD (Information Set Decoding), an improved Niederreiter public key cryptosystem was proposed. Firstly, the permutation matrix in the Niederreiter scheme was improved by replacing the original permutation matrix with a random matrix. Secondly, the error vector in the Niederreiter scheme was randomly divided to conceal its Hamming weight. Finally, the encryption and decryption processes of the Niederreiter scheme were modified to improve security. The analysis shows that the improved scheme can resist the distinguishing attack and ISD. The public key size of the improved scheme is smaller than that of the scheme proposed by Baldi et al. (BALDI M, BIANCHI M, CHIARALUCE F, et al. Enhanced public key security for the McEliece cryptosystem. Journal of Cryptology, 2016, 29(1): 1-27). At the 80-bit security level, the public key of the improved scheme is reduced from 28408 bits to 4800 bits. At the 128-bit security level, the public key size of the improved scheme is reduced from 57368 bits to 12240 bits. As one of the anti-quantum cryptography schemes, the viability and competitiveness of the improved scheme are enhanced.
Improvement of hybrid encryption scheme based on Niederreiter coding
LIU Xiangxin, YANG Xiaoyuan
Journal of Computer Applications    2018, 38 (6): 1644-1647.   DOI: 10.11772/j.issn.1001-9081.2017122960
Code-based encryption schemes, with the advantages of quantum resistance and fast encryption and decryption, are among the candidate schemes for anti-quantum cryptography. The existing code-based hybrid encryption schemes achieve INDistinguishability under Chosen Ciphertext Attack (IND-CCA) security, but have the disadvantage that the public key used to encrypt the shared secret key of the sender and receiver is large. The problem of large public key size in the hybrid encryption scheme based on Niederreiter coding was solved in three steps. Firstly, the private key of the Niederreiter coding scheme was randomly split. Then, the plaintext of the Niederreiter coding scheme was randomly split. Finally, the encryption and decryption processes of the Niederreiter coding scheme were improved. The analysis concludes that the public key size of the improved scheme is smaller than that of the Maurich scheme: the public key of the improved scheme is reduced from 4801 bits in the original scheme to 240 bits at the 80-bit security level, and from 9857 bits to 384 bits at the 128-bit security level. Although the improved scheme is more complicated than the original scheme, its storage cost and computation cost are smaller, and its practicability is enhanced.
Efficient outsourced computing based on extended attribute-based functional encryption
LI Cong, YANG Xiaoyuan, WANG Xu'an
Journal of Computer Applications    2018, 38 (6): 1633-1639.   DOI: 10.11772/j.issn.1001-9081.2017112657
Current Attribute-Based Encryption (ABE) schemes have the main problems that the access policy has a single function, and that the ciphertext size and decryption time increase with the complexity of the access formula. To solve these problems, a multi-function ABE scheme for efficient outsourced computing was proposed. Firstly, through fine-grained access control of sensitive data, encryption systems with different functions were implemented. Then, using the huge computing power of the cloud server to perform partial decryption, the attribute ciphertext of a user satisfying the access policy was converted into a (constant-size) ElGamal-style ciphertext. At the same time, the correctness of the outsourced computation was ensured through efficient verification methods. The theoretical analysis results show that, compared with the traditional attribute-based functional encryption scheme, the decryption computation at the user end of the proposed scheme is reduced to one exponentiation and one pairing operation. The proposed scheme can save a lot of bandwidth and decryption time for users without increasing the amount of transmitted data.
Publicly verifiable outsourced computation scheme for multivariate polynomial based on two-server model
LUO Xiaoshuang, YANG Xiaoyuan, LI Cong, WANG Xu'an
Journal of Computer Applications    2018, 38 (2): 321-326.   DOI: 10.11772/j.issn.1001-9081.2017082169
Addressing the privacy-preserving problem of secure outsourced computation in the cloud, and aiming at the outsourcing of arbitrary multivariate polynomials, a publicly verifiable outsourced computation scheme based on the two-server model was constructed from homomorphic encryption and multilinear maps. The scheme guarantees the privacy and security of the inputs and outputs of the polynomial functions, and lets users or any third party verify the correctness of the results, thus achieving public verification and availability. The results returned by the cloud are encrypted, and only users holding the decryption key can obtain the final results, which ensures the security of the computation. Besides, the scheme achieves Chosen Plaintext Attack (CPA) security of the inputs in the standard model, and the user's computational cost is much less than that of the server and of direct computation.
Information hiding scheme based on generative adversarial network
WANG Yaojie, NIU Ke, YANG Xiaoyuan
Journal of Computer Applications    2018, 38 (10): 2923-2928.   DOI: 10.11772/j.issn.1001-9081.2018030666
Focusing on the issue that carriers used for information hiding leave traces of modification and are fundamentally difficult to protect against detection by statistical steganalysis algorithms, a new secure steganography model based on Generative Adversarial Network (GAN) was proposed. In this scheme, the generator model G of the GAN, driven by noise, was used to generate the original carrier information. Next, the secret message was embedded into the generated carrier using the ±1 embedding algorithm to produce the secret-carrying information. Finally, the secret-carrying information and real image samples were used as the input of the discriminator D of the GAN for iterative optimization. At the same time, a discriminative model S was used to detect whether an image has undergone a steganography operation, providing timely feedback on the quality features of the generated images; G, D and S competed with each other during the iterations, and their performance was continuously improved. The proposed strategy differs from the two schemes Steganographic GAN (SGAN) and Secure Steganography based on GAN (SSGAN): its main feature is that the secret-carrying information and the real image samples are used as input to the discriminative model, and the discriminative network D is reconstructed so that the network can better evaluate the performance of the generated images. Compared with SGAN and SSGAN, the proposed model reduces the detection accuracy of steganalysis by 13.1% and 6.4% respectively. Experimental results show that the new information hiding scheme guarantees the security of information hiding by generating more suitable carrier information, effectively resists detection by steganalysis algorithms, and is significantly superior to the compared schemes in terms of anti-steganalysis and security indicators.
A private set intersection protocol against malicious attack
LUO Xiaoshuang, YANG Xiaoyuan, WANG Xu'an
Journal of Computer Applications    2017, 37 (6): 1593-1598.   DOI: 10.11772/j.issn.1001-9081.2017.06.1593
Aiming at the problem of private set intersection computation in secure two-party computation, an improved private set intersection protocol based on the Bloom Filter was proposed. While ensuring the privacy of both parties, the intersection of two datasets can be computed. Only one party can compute the intersection elements, whereas the other party cannot. Neither party can obtain or infer any set elements of the other party other than the intersection, which ensures the security of sensitive information for both parties. The proposed protocol introduces an identity-based key agreement protocol, which resists malicious attacks by illegal users, protects privacy, achieves security defense, resists the risk of key disclosure, and reduces the amount of encryption and decryption. The proposed protocol is able to support large-scale data computation.
Efficient verifiable outsourced decryption based on attribute-based encryption and fixed ciphertext length
LI Cong, YANG Xiaoyuan, WANG Xu'an, BAI Ping
Journal of Computer Applications    2017, 37 (11): 3299-3303.   DOI: 10.11772/j.issn.1001-9081.2017.11.3299
The traditional key-policy attribute-based encryption and decryption scheme has the disadvantages that the ciphertext length increases linearly with the number of attributes, and that it consumes a large amount of the user's communication bandwidth. An improved attribute-based encryption scheme was proposed: based on key-policy attribute-based encryption, a verifiable outsourced decryption scheme with fixed ciphertext length was proposed. Under a non-monotonic access structure, the ciphertext length is fixed, and communication bandwidth is effectively saved. By improving the outsourced key generation algorithm, only one modular exponentiation is required, and the key generation time is effectively shortened. A hash function was used to verify the decryption, and its security was proved.
Signcryption scheme based on low-density generator-matrix code
LIU Mingye, HAN Yiliang, YANG Xiaoyuan
Journal of Computer Applications    2016, 36 (9): 2459-2464.   DOI: 10.11772/j.issn.1001-9081.2016.09.2459
Code-based cryptography has a natural advantage in resisting attacks from quantum computers. Considering the long ciphertext length and the large key size of traditional Goppa-code-based cryptography, Low-Density Generator-Matrix (LDGM) codes and a hash function were used to construct a provably secure signcryption scheme. The generator matrix of an LDGM code is sparse, so it effectively reduces the amount of data, and the hash function is computationally efficient. The scheme satisfies IND-CCA2 (INDistinguishability under Adaptive Chosen Ciphertext Attacks) and EUF-CMA (Existential UnForgeability under Chosen Message Attacks) security in the random oracle model. While guaranteeing data confidentiality and integrity, the ciphertext is reduced by 25% compared with the traditional "sign then encrypt" approach; compared with the "two birds one stone" and SCS signcryption schemes, its computational efficiency is significantly improved.
Proxy re-encryption scheme based on conditional asymmetric cross-cryptosystem
HAO Wei, YANG Xiaoyuan, WANG Xu'an, WU Liqiang
Journal of Computer Applications    2016, 36 (9): 2452-2458.   DOI: 10.11772/j.issn.1001-9081.2016.09.2452
In order to reduce the decryption burden of mobile devices in cloud applications, an asymmetric cross-cryptosystem proxy re-encryption scheme with multiple conditions was proposed using an Identity-Based Broadcast Encryption (IBBE) scheme, an Identity-Based Encryption (IBE) scheme and a conditional identity-based broadcast proxy re-encryption scheme. In this scheme, the sender encrypts information into an IBBE ciphertext, which can be sent to multiple recipients at once. Any of the receivers can issue a multi-condition re-encryption key to the proxy, which re-encrypts the original ciphertexts that meet the conditions into IBE ciphertexts that a new receiver can decrypt. The scheme realizes asymmetric proxy re-encryption from the IBBE system to the IBE system and allows the proxy to re-encrypt the original ciphertext according to the conditions, which avoids the proxy re-encrypting unnecessary original ciphertexts. The scheme not only improves the re-encryption efficiency of the proxy, but also saves the time the receiver needs to obtain the correct plaintext.
Trusted and anonymous authentication protocol for mobile networks
ZHANG Xin, YANG Xiaoyuan, ZHU Shuaishuai
Journal of Computer Applications    2016, 36 (8): 2231-2235.   DOI: 10.11772/j.issn.1001-9081.2016.08.2231
The lack of trusted verification of mobile terminals may affect the security of mobile networks. A trusted anonymous authentication protocol for mobile networks was proposed, in which both the user identity and the platform integrity are authenticated when the mobile terminal accesses the network. On the basis of the trusted network connection architecture, the concrete steps of trusted roaming authentication and trusted handover authentication were described in detail. The authentication uses pseudonyms and the corresponding public/private keys to protect the user's anonymity. The security analysis indicates that the proposed protocol achieves mutual authentication, strong user anonymity, untraceability and conditional privacy preservation; moreover, the first roaming authentication requires two rounds of communication while the handover authentication needs only one round. The analytic comparisons show that the proposed protocol is efficient in terminal computation and rounds of message exchange.
Asymmetric proxy re-encryption scheme of efficient access to outsourcing data for mobile users
HAO Wei, YANG Xiaoyuan, WANG Xu'an, ZHANG Yingnan, WU Liqiang
Journal of Computer Applications    2016, 36 (8): 2225-2230.   DOI: 10.11772/j.issn.1001-9081.2016.08.2225
In order to let mobile devices decrypt outsourced data stored in the cloud more conveniently and quickly, a Modified Asymmetric Cross-cryptosystem Proxy Re-Encryption (MACPRE) scheme across encryption systems was proposed on the basis of the Identity-Based Broadcast Encryption (IBBE) system and the Identity-Based Encryption (IBE) system, using the outsourced decryption technique proposed by Green et al. (GREEN M, HOHENBERGER S, WATERS B. Outsourcing the decryption of ABE ciphertexts. Proceedings of the 20th USENIX Conference on Security. Berkeley: USENIX Association, 2011: 34). The proposed scheme is more suitable for mobile devices with limited computing power to securely share data stored in the cloud. When the mobile user decrypts the re-encrypted data, the plaintext can be recovered with one exponentiation and one bilinear pairing operation, which greatly improves the decryption efficiency of the mobile user and saves power. The security of the proposed scheme reduces to the security of the IBE and IBBE schemes. The theoretical analysis and experimental results show that the proposed scheme allows mobile devices to decrypt data stored in the cloud in less time, eases the problem of the limited computing power of mobile devices, and is more practical.
Identity-based broadcast encryption based on lattice
HUANG Wenzhen, YANG Xiaoyuan, WANG Xu'an, WU Liqiang
Journal of Computer Applications    2016, 36 (4): 956-961.   DOI: 10.11772/j.issn.1001-9081.2016.04.0956
Focusing on the issue of low security and poor practicability in the lattice-based broadcast encryption scheme in the random oracle model proposed by Wang et al. (WANG J, BI J. Lattice-based identity-based broadcast encryption. https://eprint.iacr.org/2010/288.pdf.), an identity-based broadcast encryption scheme based on Learning With Errors (LWE) in the standard model was constructed from the bonsai tree extending control algorithm and a one-time signature algorithm. Firstly, the random oracle was replaced by an encoding function to place the scheme in the standard model. Then, the bonsai tree extending control algorithm was used to generate the users' private keys and the public key. Finally, the one-time signature algorithm was added to improve security. Analysis shows that, compared with existing similar schemes, the scheme has stronger security, achieving adaptive indistinguishability under chosen-ciphertext attack with dynamic extension, which means users can be added or deleted by expanding or contracting the identity matrix. Hence it has strong practicability.
Privacy preserving interest matching scheme for social network
LUO Xiaoshuang, YANG Xiaoyuan, WANG Xu'an
Journal of Computer Applications    2016, 36 (12): 3322-3327.   DOI: 10.11772/j.issn.1001-9081.2016.12.3322
Concerning the sensitive information leakage problem resulting from making friends by interest matching in social networks, a privacy-preserving interest matching scheme based on private attributes was proposed. Bloom Filters were used to obtain the intersection of the interest sets of both sides, and the interest matching level was determined in the proposed scheme. Both sides can add each other as a friend at their own will as long as they meet the matching requirements. Based on the semi-honest model, cryptographic protocols were adopted to protect data security and prevent malicious users from illegally obtaining sensitive information, avoiding information abuse and leakage. Theoretical analysis and calculation results show that the proposed scheme has linear time complexity, supports large-scale data sets, can be applied in Internet environments with different kinds of information and large amounts of data, and meets users' demands for real-time operation and efficiency.
Trusted access authentication protocol for mobile nodes in Internet of things
ZHANG Xin, YANG Xiaoyuan, ZHU Shuaishuai, YANG Haibing
Journal of Computer Applications    2016, 36 (11): 3108-3112.   DOI: 10.11772/j.issn.1001-9081.2016.11.3108
In view of the problem that mobile nodes lack trusted verification in Wireless Sensor Networks (WSN), a mobile node access authentication protocol for the Internet of Things (IoT) was proposed. Mutual authentication and key agreement between sensor nodes and mobile sink nodes were realized during authentication. At the same time, the trustworthiness of the mobile node platform was authenticated by the sensor nodes. The authentication scheme was based on trusted computing technology without using a base station, and its concrete steps were described in detail. Pseudonyms and the corresponding public/private keys were used in authentication to protect user privacy. The proposed scheme was proved secure in the CK (Canetti-Krawczyk) security model. Compared to similar mobile node schemes, the protocol is more suitable for fast authentication in IoT, with less computation and communication overhead.
Forward secure identity-based signcryption from lattice
XIANG Wen, YANG Xiaoyuan, WANG Xu'an, WU Liqiang
Journal of Computer Applications    2016, 36 (11): 3077-3081.   DOI: 10.11772/j.issn.1001-9081.2016.11.3077
To solve the problem that current lattice-based signcryption schemes cannot achieve forward security, a new identity-based signcryption scheme with forward security was proposed. Firstly, the lattice basis delegation algorithm was used to update the users' public keys and private keys. Then, preimage sampleable functions based on Learning With Errors (LWE) over lattices were used to sign the message, and the signature was also used to encrypt the message. The scheme was proved to be adaptive INDistinguishability under selective IDentity and Chosen-Ciphertext Attack (IND-sID-CCA2) secure, strongly UnForgeable under Chosen-Message Attack (sUF-CMA) secure and forward secure. Compared with pairing-based signcryption schemes, the proposed scheme has advantages in computational efficiency and ciphertext expansion rate.
Overview on reversible data hiding in encrypted domain
KE Yan, ZHANG Minqing, LIU Jia, YANG Xiaoyuan
Journal of Computer Applications    2016, 36 (11): 3067-3076.   DOI: 10.11772/j.issn.1001-9081.2016.11.3067
Reversible data hiding is a new research direction in information hiding. Reversible data hiding in the encrypted domain combines signal processing in the encrypted domain with information hiding, and can provide a double layer of protection for information security during data processing. With the adoption of cloud services in particular, reversible data hiding in the encrypted domain has become a focal issue for achieving privacy protection in the cloud environment. Starting from current technical requirements, the background and development of reversible data hiding in the encrypted domain were introduced, and the current technical difficulties were pointed out and analysed. By studying typical algorithms of each type, the reversible data hiding algorithms in the encrypted domain were systematically classified, and their technical frameworks, characteristics and limitations in different applications were analysed. Finally, with a focus on technical needs and open difficulties, several future research directions in this field were proposed.
Outsourced attribute-based encryption for general circuit from multilinear maps
CHEN Fei, HAN Yiliang, LI Xiaoce, SUN Jiahao, YANG Xiaoyuan
Journal of Computer Applications    2016, 36 (10): 2747-2752.   DOI: 10.11772/j.issn.1001-9081.2016.10.2747
Existing attribute-based encryption schemes from multilinear maps have large ciphertexts, inefficient decryption and a key escrow problem. To address these issues, a key-policy attribute-based encryption scheme from multilinear maps was proposed that uses outsourcing and a user-chosen secret value. The proposed scheme supports general polynomial-size circuits with arbitrary fan-out, and the private key is generated jointly by the key generation center and the user, so the center alone cannot decrypt. The ciphertext length is fixed at |G|+|Z|; compared with the known scheme with the smallest ciphertext, the storage cost is reduced by 25% when parameters are set according to standard elliptic curves. Users only need to compute the transformed ciphertext, and the ciphertext returned by the outsourcing server is verifiable. Decryption requires only 3 multilinear operations, which greatly reduces the computational cost. Selective security was proved in the standard model under the multilinear decisional Diffie-Hellman assumption. In addition, the scheme is applicable to small mobile devices with limited computing capability.
Revocable fuzzy identity based encryption scheme over ideal lattice
XIANG Wen, YANG Xiaoyuan, WU Liqiang
Journal of Computer Applications    2016, 36 (10): 2733-2737.   DOI: 10.11772/j.issn.1001-9081.2016.10.2733
Existing Identity Based Encryption (IBE) schemes cannot support user revocation and fuzzy identity extraction at the same time. To resolve this, a Revocable Fuzzy IBE (RFIBE) scheme based on the hardness of the Learning With Errors (LWE) problem over ideal lattices was proposed, using revocable binary trees and a threshold secret sharing algorithm. Firstly, the trapdoor generation function over ideal lattices and the threshold secret sharing algorithm were used to generate users' private keys. Then the RFIBE scheme was built on top of revocable binary trees. Finally, the scheme was proved INDistinguishable under selective-IDentity Chosen Plaintext Attack (IND-sID-CPA). Compared with previous IBE schemes, RFIBE is more practical, as it offers revocation together with efficient fuzzy identity extraction.
Signcryption scheme based on multivariate cryptosystem
LAN Jinjia, HAN Yiliang, YANG Xiaoyuan
Journal of Computer Applications    2015, 35 (2): 401-406.   DOI: 10.11772/j.issn.1001-9081.2015.02.0401

Signcryption schemes built on conventional public key cryptosystems cannot resist quantum attacks. To address this, a new signcryption scheme based on multivariate public key cryptosystems was proposed. By combining the multilayer central map of Multi-layer Matsumoto-Imai (MMI) with the CyclicRainbow signature scheme, and borrowing the structure of the central map of Hidden Field Equations (HFE), the scheme was designed around an improved method of constructing the central map. Analysis shows that, compared with the original MMI, the scheme's key size decreases by 5% and its ciphertext shrinks by 50%, while encryption and signature are achieved in a single operation. In the random oracle model, indistinguishability was proved under the hardness of the Multivariate Quadratic (MQ) problem and unforgeability under the Isomorphism of Polynomials (IP) assumption. Thus the proposed scheme is indistinguishable under adaptive chosen-ciphertext attack and unforgeable under adaptive chosen-message attack.

Identity-based public verifiable signcryption scheme in standard model
BAI Yin, HAN Yiliang, YANG Xiaoyuan, LU Wanxuan
Journal of Computer Applications    2014, 34 (6): 1676-1680.   DOI: 10.11772/j.issn.1001-9081.2014.06.1676

Existing identity-based signcryption schemes are proved secure only in the random oracle model. To obtain a stronger security guarantee, a new efficient identity-based signcryption scheme was proposed in the standard model. The scheme was built on the hardness of the discrete logarithm and factorization problems; its confidentiality was proved to rely on the Decisional Bilinear Diffie-Hellman (DBDH) assumption and its unforgeability on the Computational Diffie-Hellman (CDH) assumption. In addition, the scheme is publicly verifiable. Comparison and analysis show that, relative to similar schemes, the proposed scheme is more efficient and applicable to a wider range of settings.

Integral attack on SNAKE(2) block cipher
GUAN Xiang, YANG Xiaoyuan, WEI Yuechuan, LIU Longfei
Journal of Computer Applications    2014, 34 (10): 2831-2833.  

Security analysis of the SNAKE algorithm has so far concentrated on interpolation attacks and impossible differential attacks. This paper evaluated the security of the SNAKE(2) block cipher against integral attacks. Following the idea of higher-order integral attacks, an 8-round integral distinguisher was constructed, and it was then used to mount integral attacks on 9-round and 10-round SNAKE(2). The results show that 10-round SNAKE(2) is not immune to integral attack.

Construction of almost optimal resilient Boolean functions via concatenation
YUAN Hongbo, YANG Xiaoyuan
Journal of Computer Applications    2013, 33 (12): 3503-3505.  
Research on almost optimal resilient Boolean functions has developed rapidly in recent years, and raising the nonlinearity of almost optimal functions is an important goal. An almost optimal function with good properties was analysed and improved, and an almost optimal function in an even number of variables was constructed by the concatenation method. The result is an almost optimal function with higher nonlinearity that keeps the resiliency order and algebraic degree of the original, thereby improving its overall profile. The same construction method was also given for building resilient Boolean functions with high nonlinearity. Analysis shows that the proposed construction is simple and easy to implement: nonlinearity is improved while m-resiliency and algebraic degree are preserved.
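The properties the abstract above trades off (resiliency order, nonlinearity, algebraic degree) are all read off the Walsh spectrum and the algebraic normal form, and the plain concatenation construction f(x, y) = (1 ⊕ y)·f1(x) ⊕ y·f2(x) illustrates why concatenation is the natural tool: its Walsh coefficients are W_f(a, b) = W_f1(a) + (-1)^b·W_f2(a), so two m-resilient inputs give an m-resilient output and nonlinearities add, while the degree becomes max(deg f1, 1 + deg(f1 ⊕ f2)). The following is an added example, not code or a construction from the paper: it computes these three measures for two constructed 4-variable 1-resilient functions and for their concatenation, using only the standard fast Walsh-Hadamard and Möbius transforms. The sample functions F1 and F2 are chosen for illustration only.

```python
# Added example: measuring resiliency, nonlinearity and algebraic degree of
# Boolean functions and checking what the plain concatenation construction
# f(x, y) = (1 XOR y)*f1(x) XOR y*f2(x) does to them. The sample functions
# below are constructed for illustration and are NOT the paper's construction.

def truth_table(f, n):
    """Truth table of f as a list of 0/1 indexed by x; bit i of x is x_{i+1}."""
    return [f(*[(x >> i) & 1 for i in range(n)]) for x in range(1 << n)]

def walsh_hadamard(tt):
    """W_f(a) = sum_x (-1)^(f(x) XOR a.x) for every a, via the fast transform."""
    w = [1 - 2 * b for b in tt]
    h = 1
    while h < len(w):
        for i in range(0, len(w), 2 * h):
            for j in range(i, i + h):
                u, v = w[j], w[j + h]
                w[j], w[j + h] = u + v, u - v
        h *= 2
    return w

def nonlinearity(tt):
    """Distance to the nearest affine function: 2^(n-1) - max|W_f(a)|/2."""
    return (len(tt) - max(abs(x) for x in walsh_hadamard(tt))) // 2

def resiliency_order(tt):
    """Largest m with W_f(a) = 0 for all wt(a) <= m; -1 if f is not even balanced."""
    n = len(tt).bit_length() - 1
    w = walsh_hadamard(tt)
    m = -1
    for k in range(n + 1):
        if any(w[a] != 0 for a in range(len(tt)) if bin(a).count("1") == k):
            break
        m = k
    return m

def algebraic_degree(tt):
    """Degree of the ANF, obtained from the truth table by the Moebius transform."""
    c = list(tt)
    h = 1
    while h < len(c):
        for i in range(0, len(c), 2 * h):
            for j in range(i, i + h):
                c[j + h] ^= c[j]
        h *= 2
    return max((bin(a).count("1") for a in range(len(c)) if c[a]), default=0)

def concatenate(tt1, tt2):
    """f(x, y) = f1(x) when y = 0 and f2(x) when y = 1; y is the new top variable.
    W_f(a, b) = W_f1(a) + (-1)^b W_f2(a), so m-resiliency is preserved and
    nonlinearity is at least N_f1 + N_f2; degree is max(deg f1, 1 + deg(f1 XOR f2))."""
    assert len(tt1) == len(tt2)
    return list(tt1) + list(tt2)

def profile(tt):
    return {"n": len(tt).bit_length() - 1,
            "resiliency": resiliency_order(tt),
            "nonlinearity": nonlinearity(tt),
            "degree": algebraic_degree(tt)}

# Constructed 4-variable inputs: both are 1-resilient, nonlinearity 4, degree 2.
F1 = truth_table(lambda x1, x2, x3, x4: (x1 & x2) ^ x3 ^ x4, 4)
F2 = truth_table(lambda x1, x2, x3, x4: (x1 & x3) ^ x2 ^ x4, 4)
F = concatenate(F1, F2)   # 5 variables: still 1-resilient, nonlinearity 8, degree 3

if __name__ == "__main__":
    for name, tt in (("f1", F1), ("f2", F2), ("f1||f2", F)):
        print(name, profile(tt))
```

Running it shows the concatenation keeping resiliency order 1 and reaching nonlinearity 8 = 4 + 4, but its degree rises from 2 to 3 because f1 ⊕ f2 is quadratic; choosing f2 = f1 ⊕ (affine) would hold the degree fixed at the cost of a weaker spectrum, which is exactly the tension the paper's construction is designed to resolve.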
Adaptively-chosen ciphertext secure and publicly verifiable encryption scheme
DU Weidong, YANG Xiaoyuan, ZHANG Xianghuo, WANG Xu'an
Journal of Computer Applications    2013, 33 (04): 1051-1054.   DOI: 10.3724/SP.J.1087.2013.01051
Publicly verifiable encryption is in great demand for key escrow, optimistic fair exchange, publicly verifiable secret sharing and secure multiparty computation, but current schemes are either only chosen-plaintext secure or chosen-ciphertext secure only in the random oracle model, which is not strong enough for the complex settings in which they are deployed. Based on an analysis of existing schemes and of practical requirements, this paper proposed a new publicly verifiable encryption scheme that combines the CS (Cramer-Shoup) encryption scheme with a non-interactive zero-knowledge proof. The new scheme enables any third party other than the sender and receiver to verify the validity of a ciphertext while learning nothing about the message. Finally, the adaptive chosen-ciphertext security of the scheme was proved in the standard model, without recourse to a random oracle.