The publish-subscribe paradigm has become the mainstream communication model for large-scale Internet of Things (IoT) systems. However, existing end-to-end encryption solutions based on Conditional Proxy Re-Encryption (CPRE) suffer from limitations in supporting dynamic and fine-grained access control policies. This paper proposes a dynamic policy-aware CPRE system that extends traditional CPRE with multi-dimensional condition support and policy hiding capabilities. Our system introduces a JSON-based policy language to define complex access control rules incorporating temporal, spatial, role-based, and device status conditions. We design a policy matching engine that enables fine-grained authorization while preserving policy privacy. The proposed scheme is implemented as an extension to the HiveMQ MQTT broker and evaluated comprehensively. Experimental results demonstrate that our system achieves enhanced security with acceptable performance overhead, incurring only a 5–15% increase in encryption time compared to the original CPRE scheme while supporting rich dynamic policies.
Shi Mei Lin
Niu Ke
Hu Jun Ru
Scientific Reports
Lin et al. (Thu,) studied this question.
www.synapsesocial.com/papers/69d0aefd659487ece0fa4e11 — DOI: https://doi.org/10.1038/s41598-026-46939-3