ABSTRACT
With the development of communication networks, there is a trend for users to store
their sensitive data on the Internet. To distribute a message to a specific set of users,
a trivial method is to encrypt it under each user’s public key or identity in traditional
cryptosystem [34, 37, 87, 89, 90]. As expected, ciphertext size and computational cost
of encryption/decryption algorithms are linear with the number of receivers. Therefore,
it is less attractive or even intolerable when the number of receivers is large. Indeed,
in most cases, the qualified receivers share some common attributes, such as working
location, gender, and age range.