Special Issue: Securing AI-powered Internet of Things (IoT) Ecosystems
Certificateless Group to Many Broadcast Proxy Reencryptions for Data Sharing towards Multiple Parties in IoTs
Proxy reencryption delegates encrypted data stored in a proxy to a third party. In its usual form, one sender provides data to one receiver. However, this method incurs a significant overhead for both the sender and the proxy as the number of users receiving the same data increases. In addition, in a large-scale environment, such as an Internet of Things or big data environment, several workers may jointly create and own an output. In such an environment, ownership disputes can arise when only one operator owns a piece of data used by other operators. In this study, to solve this problem, we propose a technique in which multiple users can jointly own one piece of data and multiple recipients can receive the same data through proxy reencryption.
The development of information technology has brought about numerous changes to data storage and utilization technology. The Internet, the most widely used network, has made it possible to transmit and use data anytime and anywhere without restrictions of time and place. Internet technologies have been developed to achieve higher speeds, allowing more data to be transmitted concurrently, and the Internet can also be used in wireless form. Storage media that allow more data to be stored and used per unit area have also been developed. Because more data can be stored in a smaller space, removable storage devices have emerged, and removable storage media have provided an environment in which data can be held and utilized more efficiently. The development of such network technologies and storage media has recently grown rapidly and taken on various forms, reaching the stage of virtual storage spaces such as cloud computing. We believe that this change is a transition from an environment that uses a storage medium to one that uses a storage space, and that this transition is accelerating.
Gartner, an American information technology research and advisory firm, publishes the Top Strategic Technology Trends and Hype Cycles. Cloud computing is an important strategic technology to the extent that it is selected by this publication every year. However, despite the growing awareness and importance of cloud computing, many companies and institutions are hesitant to adopt it for security reasons. Because cloud computing technology is always connected to a network, it is continuously exposed to data leakage and to the many adversaries using the network. Therefore, security technology is essential when introducing cloud computing. The secure storage and transmission of data are essential for a secure cloud computing environment. In addition, cloud storage, a subclass of cloud computing technology, stores data and must provide availability for future use. Therefore, cloud computing must consider more security factors than portable storage media.
Cloud storage is a representative technology for storing data using cloud computing technology. As described above, cloud storage can be used as storage space by utilizing network technology, so digital data can be stored and used without a physical storage medium. Using the advantages of cloud storage, one can not only store and use one's own data but also share such data with other users. Data sharing in this manner increases efficiency because data can be passed through the cloud storage without being passed directly between the data owner and the recipient. In addition, even when the same data are shared with multiple recipients, the data can be transmitted from cloud storage without the owner having to transmit them each time they are accessed. However, as described above, cloud computing technology used over a network is continuously exposed to data leakage and security threats. Therefore, the security factor must be considered in data-sharing methods using cloud storage.
To securely share data using cloud storage, protection of both the data and the transmission process must be considered. In general, a cloud storage server is a remote server managed by the data owner and other administrators. Such a server is honest-but-curious: it processes the user's requests correctly but may always expose the data. Therefore, if an owner's sensitive data are stored in cloud storage, there is a possibility that the content of the data will be exposed. Data encryption must be applied to solve this problem. With data encryption, only a user who possesses the decryption key corresponding to the encryption key of the data can view the content of the encrypted data. Therefore, only a user who has the decryption key corresponding to the encryption key used for the data uploaded by the owner can view the content of the data. Two classes of encryption algorithm can be used for this purpose, and combining them yields a total of four encryption methods. However, none of these four methods can be applied to data sharing using cloud storage, because each has problems such as key distribution, computational inefficiency, or exposure of the data source. To solve this, the proxy reencryption technique has been proposed.
Proxy reencryption technology, proposed by Blaze et al. in 1998, securely shares data using a proxy server. It stores data encrypted with the owner's encryption key in the proxy and then converts the encrypted data into ciphertexts for designated receivers. During this process, the proxy does not decrypt the encrypted data, so it cannot learn the contents of the data, and the receiver can decrypt the data using its own private key. Therefore, the data are not exposed during storage or delivery. With proxy reencryption, the proxy can be implemented as cloud storage, so data can be shared securely and efficiently in the cloud storage environment.
As large-scale network environments such as IoT, secure e-mail, and connected cars become more common, cases of data sharing between multiple users are increasing [3–5]. In such an environment, data sharing using cloud storage can be an effective way to deliver data securely and efficiently to multiple users. However, because general proxy reencryption technology uses a 1 : 1 data transmission method, it cannot support multiple data owners or multiple data receivers. In this case, to provide the same data to multiple recipients, it is necessary to generate a reencryption key and conduct as many reencryption operations as the number of recipients. In addition, even when multiple workers collaborate to create a single data point, only one worker can be the owner. In this case, because the data cannot be efficiently owned or shared in a large-scale data ownership and reception environment, an appropriate method that considers these issues is required. This study was conducted to provide a method that considers multiple owners and recipients simultaneously. Thus, it provides a method for flexibly and efficiently carrying out the ownership and sharing of data using proxy reencryption technology.
2. Related Works
This section describes related studies for a proper understanding of this study.
2.1. Secure Data Sharing
As a basic concept of data-sharing technology, data owners give permission for their data to be available to other users. In existing systems such as Linux or Windows, ownership of data is expressed as RWX permissions, meaning readable, writable, and executable. In other words, data ownership is subdivided and provided as a logical form of usage rights. By contrast, from a cryptographic perspective, data ownership can be approached as the question of whether the data can be decrypted. That is, if one holds the decryption key corresponding to the key that encrypted the data, one can be said to own the data because the data source can be obtained through decryption. Therefore, sharing data under this cryptographic concept can be approached by delegating the decryption authority over the encrypted data.
A method of providing the decryption rights of encrypted data to another user can be approached in four major ways using a symmetric key encryption algorithm and a public key encryption algorithm, as shown in Figure 1.
(1) Use of only symmetric key encryption: with this method, the data that the sender uploads to the proxy are first encrypted with the sender's own symmetric key. When the receiver requests the data, the proxy delivers the sender's ciphertext to the receiver, and the sender must deliver its symmetric key to the receiver. Both the sender and the receiver can then encrypt and decrypt using the symmetric key. However, this requires a symmetric key distribution process, during which an attacker may eavesdrop on the key. In addition, because the symmetric key delivered to one recipient cannot be delivered to another recipient, the ciphertext uploaded to the proxy cannot be reused. Therefore, the data sharing method using symmetric key encryption is unsuitable in terms of security and efficiency.
(2) Use of only public key encryption: with this method, the data that the sender uploads to the proxy are first encrypted with the sender's public key. When the receiver requests the data, the proxy delivers the sender's ciphertext to the receiver. However, because this ciphertext can only be decrypted using the sender's private key, the sender must deliver his or her private key to the receiver. In this case, the sender's private key is exposed to other users, which can lead to serious security problems. Consequently, the receiver cannot decrypt the sender's ciphertext without lowering the level of security.
(3) Complex use of public key encryptions: with this method, public key encryption is applied more than once, and the proxy encrypts the data source directly using the public key of each recipient, so the computational burden on the sender does not increase even if the number of recipients increases.
(4) Complex use of public key encryption and symmetric encryption: with this method, the data that the sender uploads to the proxy are first encrypted with a symmetric key shared between the sender and the proxy. Upon receiving the data, the proxy decrypts the sender's ciphertext using the symmetric key to obtain the original data. After that, as in method (2), the data source is encrypted with the recipient's public key and delivered to the recipient, who can decrypt it. As with method (3), even if the number of recipients increases, the computational burden on the sender does not increase because the proxy can conduct encryption directly using the public key of each recipient. However, this process allows the proxy to know the data source and the list of recipients, exposing the contents of the data source to threats both inside and outside the proxy. Therefore, the method of using public key encryption and symmetric key encryption together achieves efficient data sharing but does not guarantee security.
As described above, use of the symmetric and public key encryption methods to securely share data through cloud storage does not provide sufficient security. Therefore, a method that can provide both security and efficiency throughout the data sharing process is required. Various studies have been conducted to satisfy such requirements, and proxy reencryption technology has been proposed.
2.2. Proxy Reencryption
In 1998, Blaze et al. proposed proxy reencryption (PRE), a technology that transforms data through a proxy and delivers them securely to the receiver. This technology converts data encrypted under the sender's public key into data encrypted under the receiver's public key at the proxy. Because the data are never decrypted during this process, neither the private keys of the sender and receiver nor the original data are exposed. Using proxy reencryption, data can be securely stored in cloud storage and shared efficiently by converting them into the recipient's ciphertext at the recipient's request. The basic form of proxy reencryption is shown in Figure 2, and research on various sharing methods using proxy reencryption is currently underway.
Proxy reencryption comprises five steps: encryption, reencryption key generation, reencryption, decryption, and redecryption. The details of each step are as follows:
(i) Encryption: in this step, the data owner encrypts the data and uploads them to a proxy. The data owner encrypts the data using his or her own encryption key so that the data source cannot be known. The encrypted data are then delivered to the proxy through the public network and stored. The proxy cannot know the contents of the data it stores, and even if the encrypted data are exposed or leaked, a user without the decryption key corresponding to the encryption key cannot learn their contents.
(ii) Reencryption key generation: in this step, the data owner grants the receiver the authority to decrypt his or her data stored in the proxy. The data owner first receives the information of the recipient who requested the data and then creates a reencryption key by combining the recipient's information with his or her own decryption key and secret information. The data owner controls the reencryption by passing the generated reencryption key to the proxy. Neither the proxy nor an attacker should be able to obtain the data owner's secret information from the reencryption key.
(iii) Reencryption: this step converts the data owner's encrypted data into data for the receiver. The proxy applies the reencryption algorithm to the ciphertext and the reencryption key received from the data owner and obtains a reencrypted ciphertext. The reencrypted ciphertext is a ciphertext whose decryption authority has been delegated from the data owner to the receiver, and the proxy cannot learn the contents of the data during the reencryption process. The reencrypted ciphertext is then sent to the receiver.
(iv) Decryption: in this step, the data owner decrypts the ciphertext. The data owner downloads the ciphertext that he or she uploaded to the proxy during the encryption step and decrypts it with the decryption key corresponding to the encryption key used, thereby recovering the data source. This is the usual encryption-decryption relationship and shows that data owners can reuse their own data at will.
(v) Redecryption: in this step, the receiver decrypts the reencrypted ciphertext. The receiver obtains the reencrypted ciphertext from the proxy and decrypts it using its own decryption key. If the recipient is not the designated recipient, the data cannot be decrypted even if the reencrypted ciphertext is received.
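The five steps above, worked through in a minimal ElGamal-style proxy reencryption in the spirit of Blaze et al.'s 1998 construction. This is an added illustration, not the scheme proposed in this paper: the toy group parameters P, Q and G, the function names and the 1:N delegation helper are this example's own choices, and the helper also counts the per-receiver rekey and reencryption operations whose linear growth motivates the paper's broadcast approach.

```python
import secrets

# Toy group parameters, constructed for this example: p = 2q + 1 is a safe prime and
# g = 4 generates the subgroup of prime order q. Real deployments use large groups.
P = 1019
Q = 509
G = 4


def keygen(sk=None):
    """Private key sk in [1, q-1] (random unless given), public key g^sk."""
    if sk is None:
        sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(pk, m, k=None):
    """Encryption step: the owner encrypts m (a group element, e.g. a wrapped
    session key) as (m * g^k, pk^k) with a fresh random k."""
    if k is None:
        k = secrets.randbelow(Q - 1) + 1
    return (m * pow(G, k, P)) % P, pow(pk, k, P)


def decrypt(sk, ct):
    """Decryption (owner) or redecryption (receiver): m = c1 / c2^(1/sk).
    Because c2 = (g^sk)^k, raising it to sk^-1 mod q recovers g^k."""
    c1, c2 = ct
    g_k = pow(c2, pow(sk, -1, Q), P)
    return (c1 * pow(g_k, -1, P)) % P


def rekey_gen(owner_sk, receiver_sk):
    """Reencryption-key generation. In this textbook (bidirectional) scheme the
    delegation key is rk = b / a mod q, so it needs both secrets. rk alone
    reveals neither key, but an owner colluding with the proxy can compute
    b = rk * a; later schemes, including the one in this paper, derive the
    reencryption key from the receiver's public key instead."""
    return (receiver_sk * pow(owner_sk, -1, Q)) % Q


def reencrypt(rk, ct):
    """Reencryption at the proxy: only c2 is transformed, (pk_A^k)^(b/a) = pk_B^k.
    The proxy never learns g^k, so it cannot strip the mask from c1."""
    c1, c2 = ct
    return c1, pow(c2, rk, P)


def delegate_to_all(owner_sk, ct, receiver_sks):
    """1:1 PRE applied to many receivers: one rekey and one reencryption per
    receiver, which is the linear overhead a broadcast scheme removes.
    Returns the per-receiver ciphertexts and the operation counts."""
    out, ops = {}, {"rekeys": 0, "reencryptions": 0}
    for name, sk in receiver_sks.items():
        rk = rekey_gen(owner_sk, sk)
        ops["rekeys"] += 1
        out[name] = reencrypt(rk, ct)
        ops["reencryptions"] += 1
    return out, ops


if __name__ == "__main__":
    a, pk_a = keygen()
    receivers = {name: keygen()[0] for name in ("bob", "carol", "dave")}
    ct = encrypt(pk_a, 777)
    per_receiver, ops = delegate_to_all(a, ct, receivers)
    print("owner decrypts:", decrypt(a, ct))
    for name, sk in receivers.items():
        print(name, "redecrypts:", decrypt(sk, per_receiver[name]))
    print("operations:", ops)
```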
Most proxy reencryption schemes follow the structure above, and various methods can be used to realize each step. Currently, most proxy reencryption studies use public key cryptography (PKC) [7–16]. Because PKC performs encryption using a public key, it offers excellent accessibility and usability. However, additional computation and certificate management problems arise because procedures such as generating a certificate for the public key are essential. To solve this problem, identity-based PKC (IB-PKC), which issues keys through a key generation center (KGC), has been proposed. Since IB-PKC was first proposed, various proxy reencryption studies based on it have been conducted [7, 18–22]. However, in IB-PKC, because the KGC directly issues the user's key, the key escrow problem arises: the KGC holds every user's key. To solve this problem, certificateless PKC (CL-PKC), in which the KGC does not generate the complete key and no certificate is used, has been proposed. In CL-PKC, the KGC issues only a partial secret key to each user, and the user combines it with his or her own secret information to complete the private key. Therefore, the key escrow problem does not occur. Accordingly, studies on certificateless proxy reencryption (CL-PRE) based on CL-PKC have recently been conducted [24–27].
2.3. Multireceiver Encryption
Multireceiver encryption (MRE) is a technology that grants the same data decryption authority to multiple recipients with only a single encryption. MRE has been utilized in various PKC-based studies, as shown in Figure 3 [28–36]. However, the existing MRE method has the problem of receiver identification, because a recipient can be identified by extracting the recipient information included in the ciphertext. To solve this problem, a method for specifying the receiver using a polynomial has been proposed. Because the receiver information is folded into a polynomial, it cannot be extracted directly from the ciphertext. However, other studies have demonstrated that the recipient's identity can still be obtained from this scheme [38, 39]. Fan et al. proposed an improved version of this scheme. In addition, Zhang and Takagi proposed a method in which both the sender and receiver are anonymous. However, Zhang and Mao found that this scheme does not provide complete anonymity and therefore proposed a new type of identity-based MRE (IB-MRE). Because IB-PKC suffers from the key escrow problem, subsequent studies applied CL-PKC to MRE.
Among the research on CL-MRE, Sur et al. improved the implicit certificate-based MRE proposed in 2007 and proposed CL-MRE in 2011. In addition, Islam et al. proposed a CL-MRE that achieves confidentiality and anonymity in the random oracle model. However, Hung et al. pointed out that the scheme of Islam et al. requires a large number of computations and therefore a lengthy computation time. The scheme of Hung et al. in turn has the problem that the number of map-to-point (MTP) hash operations, which take a long time, grows linearly with the number of users. He et al. proposed a method that does not use an MTP hash to solve this problem. Although Deng et al. and Zhu et al. proposed CL-MRE schemes to solve the key escrow problem, both incur a considerable computational load from bilinear pairing, and the scheme of Zhu et al. does not provide receiver anonymity. Although Win et al. did not use bilinear pairing, their scheme also does not provide receiver anonymity or decryption fairness.
This section describes the basic environment and settings for understanding the scheme proposed in this study.
3.1. System Model
This section describes the system model used in the present study. The participants in this system model are the KGC, proxy, user, owner, and receiver, and each participant is described as follows.
(i) Key generation center (KGC): in this model, the KGC manages the system administrator and the users in the system. The KGC registers and manages all users according to preset settings. In addition, it creates and discloses common parameters so that all participants can run the predetermined algorithms; using these parameters, all participants can generate their own keys or run these algorithms. To avoid the key escrow problem caused by the KGC, the KGC must not be able to learn a user's complete key.
(ii) Proxy: in this model, a proxy is a remote server that can store and distribute data between users. The most representative form of a proxy is cloud storage, which can store, transmit, and compute on data according to the user's request. Because the proxy is considered a semitrusted environment, there is a possibility that the contents of unencrypted data may be exposed or leaked.
(iii) User: in this model, a user refers to any participant, including the owner and the receiver. Each user has his/her own public and private keys and can encrypt and decrypt data using these keys.
(iv) Owner group: in this model, the owner is the group of users who own the data. It is assumed that ownership of one piece of data is shared by several users. Examples of such environments include operations, organizations, and the military. Because each user has equal ownership, decryption and reencryption keys can be generated using the threshold method to prevent abuse of authority by any one owner.
(v) Receiver: in this model, the receiver refers to all receivers who receive the data decryption right from the owner. These recipients may consist of one or more individuals, and multiple recipients who have been granted the same data rights have the same rights. In addition, each authorized recipient can decrypt the data using his/her own private key.
3.2. Security Requirements
This study considers seven security requirements. The details are as follows:
(i) Confidentiality: the data kept in the proxy and the data delivered through the proxy must remain unknown to anyone other than the authorized users. To this end, the data must be encrypted using an encryption key, and a user who does not have a legitimate decryption key must not be able to decrypt the contents.
(ii) Integrity: data uploaded and shared by the sender must not be changed without permission while being delivered to the cloud and the receiver or while stored in the proxy. If the content is changed at all, the sender or receiver sharing the data must be made aware of the change.
(iii) Key escrow problem: all users who want to use the proxy must communicate with the KGC to generate a private and public key pair. If, during this process, the KGC generates the user's full private key, the KGC can exercise the user's authority. This is called the key escrow problem, and a method for solving it is required.
(iv) Partial key verifiability: to solve the key escrow problem described above, a key generation method in which the KGC issues only a partial key can be used. In this case, each user must be able to verify that the partial key issued to him/her was generated legitimately by the correct KGC.
(v) Receiver anonymity: the reencrypted ciphertext in proxy storage can be decrypted by a number of designated receivers. For this purpose, the reencryption key and reencrypted ciphertext include information generated from the public key of each receiver. However, privacy issues arise if such information allows a particular recipient or a third party to identify another receiver.
(vi) Decryption fairness: each legitimate receiver designated by the sender can decrypt the reencrypted ciphertext. However, no specific receiver should be discriminated against or disadvantaged during decryption by another receiver or a third party.
This section describes the algorithms used in the proposed scheme. Eleven algorithms are used in this study: Setup, Set-Secret-Value, Partial-Key-Extract, Set-Private-Key, Set-Public-Key, Set-Owner-Group, Enc, Re-Key-Gen, Re-Enc, Dec, and Re-Dec. Each algorithm is described as follows.
(i) Setup: this algorithm is executed by the KGC with a security parameter as input. The KGC generates the public parameters and the master secret key and publishes the public parameters, which are made available to all users and proxies.
(ii) Set-Secret-Value: this algorithm is executed by the user. The user calculates using a randomly selected and sends and to the KGC.
(iii) Partial-Key-Extract: this algorithm is executed by the KGC. The KGC generates the partial key of user using and received from user and sends it to user .
(iv) Set-Private-Key: this algorithm is executed by the user. The user calculates the private key using the partial key received from the KGC. The obtained is kept confidential.
(v) Set-Public-Key: this algorithm is executed by the user. The user calculates the public key using the partial key received from the KGC and the secret value generated by user . The obtained values are disclosed.
(vi) Initialization, Group Agreement: this algorithm is run by the users to be included in the owner group. These users exchange their public keys with each other to generate the group key.
(vii) Enc: this algorithm is executed by users included in the owner group. A member of the owner group encrypts plaintext with the public key of the owner group to obtain ciphertext . The obtained ciphertext is then transmitted to the proxy and stored.
(viii) Re-Key-Gen: this algorithm is executed by users included in the owner group. A member of the owner group uses the group private key and the receiver's public key to calculate the reencryption key . The receiver consists of one or more persons. The member of the owner group passes the reencryption key to the proxy.
(ix) Re-Enc: this algorithm is executed by the proxy. The proxy applies reencryption to the ciphertext uploaded by the owner group using the reencryption key and obtains the reencrypted ciphertext . The obtained is then broadcast.
(x) Dec: this algorithm is executed by a user included in the owner group. A member of the owner group downloads the ciphertext stored in the proxy and obtains the plaintext by decrypting the ciphertext with the group private key .
(xi) Re-Dec: this algorithm is executed by the receiver. A recipient included in the receiver set decrypts the reencrypted ciphertext received from the proxy with its private key and thus obtains the plaintext.
4. Proposed G2M Broadcast Proxy Reencryption
This section describes the proposed scheme. For this purpose, a technical overview, system parameters, and algorithm construction are described.
4.1. Technical Overview
The basic model of the proposed scheme, as shown in Figure 4, can be broadly divided into five phases: a Setup Phase, Key Generation Phase, Group Agreement Phase, Data Storage Phase, and Data Broadcast Phase. More details regarding these phases are presented in Sections 4.2 and 4.3.
4.2. System Parameters
The system parameters used in the proposed scheme are as follows:
(i) Participants (KGC, user , owner group , owner group member , receiver set , receiver )
(ii) : -bit prime integer
(iii) : elliptic curve
(iv) : finite field for
(v) : security parameter
(vi) : length of the message space (determined by )
(vii) : random generator in ()
(viii) : additive group on the elliptic curve,
(ix) : subgroup of with prime order
(x) : identity of the participant ()
(xi) : KGC system master secret key
(xii) : KGC system master public key
(xiii) : user 's private key
(xiv) : user 's full public key
(xv) : reencryption key (owner group delegates to receiver set )
(xvi) : message space
(xvii) : plaintext (message)
(xviii) : ciphertext
(xix) : reencrypted ciphertext
(xx) : one-way hash function,
(xxi) : one-way hash function,
(xxii) : one-way hash function,
(xxiii) : one-way hash function,
(xxiv) : one-way hash function,
(xxv) : one-way hash function,
(xxvi) : one-way hash function,
4.3. Main Algorithm
The scheme was designed based on Kim et al. and Braeken. It is composed of five phases: a Setup Phase, Key Generation Phase, Group Agreement Phase, Data Storage Phase, and Data Broadcast Phase, as shown in Figure 5. A detailed description of each phase follows.
4.3.1. Setup Phase
This phase includes the Setup algorithm. It is performed by the KGC in advance so that each user can use the proxy. Here, a master public key that all users can use and a master secret key known only to the KGC are generated.
(i) Setup: this algorithm is executed by the KGC. With security parameter as input, the KGC performs the following process:
(1) Choose two -bit prime integers and an elliptic curve defined over . Let be an additive group on the elliptic curve and be a subgroup of with prime order .
(2) Randomly select a generator .
(3) Randomly choose as the and calculate , which is part of . Select five secure one-way hash functions as follows: Here, and are the lengths of the bit strings and are determined by the security parameter .
(4) Publish the system's master public key and message space .
4.3.2. Key Generation Phase
In this phase, the Set-Secret-Value, Partial-Key-Extract, Set-Private-Key, and Set-Public-Key algorithms are executed. Each user generates his/her own private and public key pair so that he/she can use the proxy. To do so, each user communicates with the KGC to receive a partial key and uses it to generate his/her own key pair, as shown in Figure 6.
(ii) Set-Secret-Value: this algorithm is executed by user . User randomly selects and keeps it secret. User computes as the public key and sends to the KGC.
(iii) Partial-Key-Extract: this algorithm is performed by the KGC. According to the identity of user , the KGC performs the following steps:
(1) Randomly select and compute .
(2) Calculate a part of the partial private key as follows:
(3) Deliver the partial key to user through a public channel.
(iv) Set-Private-Key: this algorithm is executed by user . After receiving the partial key from the KGC, user verifies it as shown in Eqs. (2) and (3). If the key is verified, user computes the private key as follows:
(4) Verify whether the following equation holds:
(5) If not, return ; otherwise, user computes .
(6) Subsequently, user keeps secret as his/her full private key.
(v) Set-Public-Key: this algorithm is performed by user . User keeps as the full public key.
4.3.3. Group Agreement Phase
This phase includes the Initialization and Group Agreement algorithms. It represents the process of forming a group of users who jointly own data. Through this process, all users belonging to the group have equal ownership.
(vi) Group Agreement: this algorithm is performed by all members who will form group . Each member creates a secret to share with the other members using his/her private and public keys . Each member transmits the generated shared secret to the other members and generates a group public key and a group private key from the shared secrets sent by the other members and his/her own shared secret, as follows:
(7) Group member computes using .
(8) Group member computes and for each other group member .
(9) Group member chooses , computes the session key between and , and encrypts using a symmetric encryption algorithm.
(10) Group member sends to each group member and receives from the other members.
(11) All members of group obtain the generated by each group member through the following operation:
(12) Group member computes the group private key and group public key .
4.3.4. Data Storing Phase
The Enc and Dec-1 algorithms are executed in this phase. This phase represents the process in which group member encrypts his/her data with the group public key and stores it in the proxy. It also covers the case in which group member downloads his/her own data from the proxy and decrypts it with the group private key to recover the original data.
(vii) Enc: this algorithm is performed by group member . Group member encrypts message into ciphertext by entering the group public key and message . The ciphertext is then uploaded to the proxy.
(13) Group member computes , , and using the given message and .
(14) Group member chooses and calculates , , and as follows:
(15) Group member generates the ciphertext . The generated is then uploaded to and stored in the proxy.
(viii) Dec-1: this algorithm is performed by group member . Group member downloads the ciphertext from the proxy and obtains the plaintext by decrypting the ciphertext with his/her group private key .
(16) Group member calculates by inputting and .
(17) Group member computes by inputting .
(18) Verify whether the following equation holds. If not, return ; otherwise, group member keeps the plaintext .
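The key-generation and data-storing phases above, as an added example that is not code from the paper: a pairing-free certificateless key-generation round in the partial-key style, followed by an XOR-masked encryption whose hash tag is checked on decryption. The curve (secp256k1), the hash, the Schnorr-style partial key d = r + s·H1(ID, P, R) with its check d·G = R + H1(ID, P, R)·Ppub, and the two-member group key formed by summing full keys are all assumptions chosen to illustrate the properties the paper claims (no key escrow at the KGC, partial key verifiability, confidentiality and integrity); they are not the G2M BPRE equations, and the group agreement exchange over pairwise session keys is not modelled.

```python
# Added example, not code from the paper: certificateless key generation in the
# partial-key style, a toy two-member group key, and XOR-masked encryption with
# a hash integrity tag. Curve, hash and equations are assumptions, not G2M BPRE's.
import hashlib
import secrets

# secp256k1 domain parameters (public constants); the paper names no curve.
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    """Affine addition on y^2 = x^3 + 7 over GF(p); None is the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, p) if P == Q
           else (y2 - y1) * pow(x2 - x1, -1, p)) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P, k = ec_add(P, P), k >> 1
    return R

def enc_point(P):
    return P[0].to_bytes(32, "big") + P[1].to_bytes(32, "big")

def h_int(ident, *points):
    """H1(ID, P, R): SHA-256 over the identity and encoded points, reduced mod n."""
    h = hashlib.sha256(ident)
    for pt in points:
        h.update(enc_point(pt))
    return int.from_bytes(h.digest(), "big") % n

def kgc_setup():
    """Setup: master secret s stays at the KGC, Ppub = s*G is published."""
    s = secrets.randbelow(n - 1) + 1
    return s, ec_mul(s, G)

def set_secret_value():
    """Set-Secret-Value: x never leaves the user; only P = x*G goes to the KGC."""
    x = secrets.randbelow(n - 1) + 1
    return x, ec_mul(x, G)

def partial_key_extract(s, ident, P):
    """Partial-Key-Extract: KGC binds ID and the user's P into d = r + s*H1(ID,P,R)."""
    r = secrets.randbelow(n - 1) + 1
    R = ec_mul(r, G)
    return R, (r + s * h_int(ident, P, R)) % n

def verify_partial_key(Ppub, ident, P, R, d):
    """Set-Private-Key check d*G == R + H1(ID,P,R)*Ppub: a partial key the KGC
    computed over any P other than the user's own fails (partial key verifiability)."""
    return ec_mul(d, G) == ec_add(R, ec_mul(h_int(ident, P, R), Ppub))

def effective_pk(Ppub, ident, P, R):
    """Public counterpart of the full private key x + d: P + R + H1(ID,P,R)*Ppub."""
    return ec_add(ec_add(P, R), ec_mul(h_int(ident, P, R), Ppub))

def encrypt(Q, m):
    """Enc: C1 = k*G, C2 = m XOR H(k*Q), tag = H(C1 || m) carried for integrity."""
    k = secrets.randbelow(n - 1) + 1
    C1 = ec_mul(k, G)
    mask = hashlib.shake_256(enc_point(ec_mul(k, Q))).digest(len(m))
    C2 = bytes(a ^ b for a, b in zip(m, mask))
    return C1, C2, hashlib.sha256(enc_point(C1) + m).digest()

def decrypt(sk, C1, C2, tag):
    """Dec: rebuild the mask from sk*C1; return None (the scheme's ⊥) if the tag fails."""
    mask = hashlib.shake_256(enc_point(ec_mul(sk, C1))).digest(len(C2))
    m = bytes(a ^ b for a, b in zip(C2, mask))
    return m if hashlib.sha256(enc_point(C1) + m).digest() == tag else None

def make_user(s, Ppub, ident):
    """Whole key-generation phase for one user; returns (full private key, public point)."""
    x, P = set_secret_value()
    R, d = partial_key_extract(s, ident, P)
    if not verify_partial_key(Ppub, ident, P, R, d):
        raise ValueError("KGC returned a partial key that does not match our P")
    return (x + d) % n, effective_pk(Ppub, ident, P, R)

def demo():
    s, Ppub = kgc_setup()
    sk_a, Q_a = make_user(s, Ppub, b"device-A")
    sk_b, Q_b = make_user(s, Ppub, b"device-B")
    # Toy group key: sum of the members' keys (the share exchange over pairwise
    # session keys that the paper specifies is not modelled here).
    group_sk, group_pk = (sk_a + sk_b) % n, ec_add(Q_a, Q_b)
    C1, C2, tag = encrypt(group_pk, b"sensor reading: 42")
    # Only the group key decrypts; a single member's key yields ⊥ (None).
    return decrypt(group_sk, C1, C2, tag), decrypt(sk_a, C1, C2, tag)
```

Two caveats a deployer would want. First, d is half of the user's private key, so the "public channel" of step (3) has to be protected by whatever mechanism the scheme specifies; the example simply hands d over in-process. Second, the KGC learns s, r and d but never x, which is why decrypting with d alone fails the tag check, while a partial key computed over a substituted P fails verify_partial_key before it is ever used; ec_mul is not constant time, so use a maintained library for anything beyond a demonstration.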
4.3.5. Data Broadcast Phase
This phase includes the Re-Key-Gen, Re-Enc, and Dec-2 algorithms. In this phase, group member generates a reencryption key for a set of recipients and passes it to the proxy. After receiving the reencryption key, the proxy reencrypts the stored ciphertext and broadcasts the result to the recipients. A receiver that has received the broadcast ciphertext obtains the message by decrypting the ciphertext with its own private key.
(ix) Re-Key-Gen: in this algorithm, group member specifies a set of recipients and generates a reencryption key to delegate the ciphertext.
(19) Group member computes for every receiver .
(20) Group member computes a polynomial of degree using , as follows: where
(21) Group member computes using and as follows:
(22) Group member generates the reencryption key and sends it to the proxy.
(x) Re-Enc: this algorithm is executed by the proxy. It reencrypts the ciphertext into ciphertext using the reencryption key .
(23) Compute using ciphertext and reencryption key .
(24) Output and send to the receivers .
(xi) Dec-2: this algorithm is executed by each selected receiver to extract the plaintext from the received ciphertext . Receiver performs the following steps:
(25) Compute .
(26) Generate polynomial and compute .
(27) Compute with as input, and .
(28) Compute with as input, where .
(29) Verify message . If not, return ; otherwise, receiver outputs the plaintext , where and .
5. Analysis of the Proposed G2M BPRE Scheme
In this section, we analyze the proposed scheme against its security requirements and evaluate its computational cost.
5.1. Analysis of the Security Requirements
In this section, we analyze the proposed scheme against the security requirements presented in Section 3.2 and summarized in Table 1.
(i) Confidentiality: the proposed method performs encryption based on elliptic curve cryptography, which reaches a given security level with short keys, so encryption is efficient. The proposed method uses elliptic curve cryptography so that a user without the decryption key cannot learn the contents of the data. First, the proposed method encrypts a message using a public key:
Here, message encryption is performed by an XOR operation, and in the XOR operation is created with the owner's public key. In addition, the owner's private key is required to recreate from the ciphertext . Accordingly, the ciphertext of the proposed method can be decrypted only with the group private key paired with the group public key used for encryption. Because an XOR mask provides confidentiality only when it is unpredictable and never reused, the random value chosen in Enc must be fresh for every message.
(ii) Integrity: recipients who decrypt the data can verify its integrity using the values contained in the ciphertext and the public parameters of the KGC. The verification proceeds as follows.
where and .
The receiver that decrypts the ciphertext obtains message and verification value . Here, is equal to ; thus, the integrity of the message can be verified by checking whether equals .
(iii) Key escrow problem: in certificate-based public key encryption, a certificate corresponding to each public key must be issued and stored. Certificateless public key encryption removes this burden. However, if the KGC generates and delivers the user's entire private key, as in identity-based encryption, the KGC knows every user's complete private key and the key escrow problem arises. In this study, the partial-key method is used to avoid this problem.
First, the user creates his/her secret value , converts it into , and transmits it to the KGC. Upon receiving , the KGC generates a secret value for the user, computes through the following process, and delivers to the user.
The user who receives from the KGC computes using and , which are known only to the user, as follows:
Thereafter, the user uses as the private key and as the public key.
Finally, generated by the user and generated by the KGC are used as the public key. Consequently, the part of the key known to the KGC and the part unknown to it are as follows:
The KGC knows only and .
The KGC cannot know .
(iv) Partial key verifiability: the proposed scheme uses a partial key in the key-generation process to solve the key escrow problem. However, a malicious KGC could deliver a partial key generated with a value other than the one the user passed to the KGC. To detect this, the proposed scheme provides a partial key verification function through the following operation:
where
(v) Receiver anonymity: in the proposed scheme, the public key and of each recipient are used to designate multiple recipients. This design is based on multireceiver encryption. In existing multireceiver encryption, however, other users can identify the recipients because the ciphertext contains recipient-identifying information. To avoid this, the recipients are identified through a polynomial, as follows:
A specific recipient can be identified in the above polynomial only by generating the of that receiver. However, as in the confidentiality item above, an attacker cannot forge .
As a result, the attacker cannot identify the recipients.
(vi) Decryption fairness: as described under receiver anonymity, each receiver's public key and ID are used to designate multiple receivers. In the design process, however, there is a threat that a specific receiver must perform more operations during decryption, or is unable to decrypt at all. This is known as the decryption fairness problem. It can be caused by removing or altering some of the elements in the ciphertext that designate and validate the recipients. In the proposed scheme, polynomials are used to address this problem. These polynomials, which can be changed or forged only by the user who created them, are as follows:
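The polynomial-based receiver designation behind Re-Key-Gen step (20) and the receiver anonymity and decryption fairness arguments above, as an added example that is not part of the paper: the field size, the hash, the constructed byte strings standing in for the per-receiver shared secrets, and the tag that binds the hidden value k to the coefficient list are all assumptions, not the scheme's formulas. Each designated receiver recovers k by evaluating the polynomial at its own point, an outsider's point yields a value the tag rejects, and a tampered coefficient is rejected by every receiver rather than by just one.

```python
# Added example, not code from the paper: receiver designation with a polynomial
# whose roots are per-receiver secret points (the anonymous multireceiver idea
# the text describes). Field, hash, inputs and the tag are assumptions.
import hashlib

q = 2**255 - 19  # prime field for the polynomial arithmetic (assumption)


def receiver_point(shared_secret: bytes) -> int:
    """v_i = H(shared secret with receiver i) mod q. In the scheme this secret is
    derived from the receiver's key pair; here a constructed byte string stands in."""
    return int.from_bytes(hashlib.sha256(shared_secret).digest(), "big") % q


def poly_mul(a, b):
    """Product of two coefficient lists (lowest degree first) over GF(q)."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out


def poly_eval(coeffs, x):
    """Horner evaluation over GF(q)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % q
    return acc


def designate(points, k):
    """Sender side: f(x) = prod_i (x - v_i) + k. f(v_i) = k for every designated
    receiver, while the coefficient list names no receiver directly: recovering
    the v_i would mean factoring f(x) - k without knowing k."""
    coeffs = [1]
    for v in points:
        coeffs = poly_mul(coeffs, [(-v) % q, 1])
    coeffs[0] = (coeffs[0] + k) % q
    return coeffs


def tag(coeffs, k):
    """Binds k to the exact coefficient list, so a changed coefficient is detected."""
    h = hashlib.sha256()
    for c in coeffs:
        h.update(c.to_bytes(32, "big"))
    h.update(k.to_bytes(32, "big"))
    return h.digest()


def recover(coeffs, t, v):
    """Receiver side: evaluate at the own point and accept only if the tag matches;
    None plays the role of the scheme's ⊥."""
    k = poly_eval(coeffs, v)
    return k if tag(coeffs, k) == t else None


def demo():
    # Constructed stand-ins for the sender/receiver shared secrets.
    members = {name: receiver_point(b"constructed-secret-" + name)
               for name in (b"alice", b"bob", b"carol")}
    outsider = receiver_point(b"constructed-secret-dave")
    k = 0x5EC2E7  # value every designated receiver must obtain
    coeffs = designate(list(members.values()), k)
    t = tag(coeffs, k)
    results = {name.decode(): recover(coeffs, t, v) for name, v in members.items()}
    results["dave"] = recover(coeffs, t, outsider)
    # Decryption fairness: altering one coefficient breaks recovery for everyone.
    tampered = list(coeffs)
    tampered[1] = (tampered[1] + 1) % q
    results["alice_after_tamper"] = recover(tampered, t, members[b"alice"])
    return results
```

Two limits of this toy are worth stating. The degree of f(x) still reveals how many receivers were designated, so anonymity here is about identity, not group size. And a plain hash tag only stops outsiders: a legitimate receiver who has recovered k could build a different polynomial with a matching tag, so binding the polynomial to its creator, as the paper claims for its construction, needs an authenticated value from the sender that this example does not reproduce.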
5.2. Analysis of Computational Efficiency
The scheme proposed in this study was designed to extend the method proposed by Kim et al. Accordingly, its overall structure is similar to that of Kim et al., but the detailed calculations differ. As shown in Figure 6 and Table 2, the computation time of the proposed scheme is almost the same as that of Kim et al.; some calculations differ, but the difference in the total number of operations is small. In addition, compared with the other schemes, the proposed scheme's reencryption key generation algorithm requires relatively more computation time than its other algorithms. The proposed scheme also runs a group agreement algorithm to provide group joint ownership. Although its total computation time is therefore greater than that of the other schemes, the proposed method provides a group ownership function that the other schemes cannot.
This study examined an extended form of proxy reencryption. Existing proxy reencryption provides a data delegation method that assumes one owner and one receiver, which is an intuitive and clear form of data communication. However, owing to recent technological developments, environments in which multiple devices exchange data, such as device-to-device rather than human-to-human communication, are becoming common. A typical example is the IoT environment, in which multiple devices communicate with each other and share and use data for various purposes. In this environment, existing proxy reencryption designed for 1 : 1 communication is inevitably inefficient: when the same data must be delivered to multiple devices, the same data must be reencrypted once per recipient, which reduces data transfer efficiency. In addition, in a large-scale communication environment, multiple users may form a group to create and own data together. Because existing proxy reencryption allows only one user to be the owner, data ownership disputes may arise. To solve these problems, this study proposes a proxy reencryption scheme that supports multiple owners and multiple recipients. To increase security and efficiency, only elliptic curve cryptography is used, and security is improved through the partial-key form. However, because the proposed scheme uses a group key method not used in existing schemes, the additional group agreement algorithm requires a relatively large amount of computation time. As a result, the proposed method provides more functions and improved security compared with existing proxy reencryption, at the cost of additional computation.
It is therefore best suited to environments in which scalability matters more than computational efficiency.
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare no conflict of interest.
Won-Bin Kim and Su-Hyun Kim contributed equally to this work.
This work was supported by the National Research Foundation of Korea (NRF) grant funded by the Korea government (MSIT) (No. 2022R1A2B5B01002490) and the Soonchunhyang University Research Fund.
Gartner, “Gartner top strategic technology trends for 2022,” Technical report, Gartner, 2022.
M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols and atomic proxy cryptography,” in International Conference on the Theory and Applications of Cryptographic Techniques, pp. 127–144, Espoo, Finland, 1998.
Z. Cai and X. Zheng, “A private and efficient mechanism for data uploading in smart cyber-physical systems,” IEEE Transactions on Network Science and Engineering, vol. 7, no. 2, pp. 766–775, 2020.
Z. Cai, X. Zheng, J. Wang, and Z. He, “Private data trading towards range counting queries in Internet of Things,” IEEE Transactions on Mobile Computing, pp. 1–17, 2022.
J. Byabazaire, G. O’Hare, and D. Delaney, “Data quality and trust: review of challenges and opportunities for data sharing in IoT,” Electronics, vol. 9, no. 12, p. 2083, 2020.
Z. Cai and Z. He, “Trading private range counting over big IoT data,” in 2019 IEEE 39th International Conference on Distributed Computing Systems (ICDCS), Dallas, TX, USA, 2019.
G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved proxy re-encryption schemes with applications to secure distributed storage,” ACM Transactions on Information and System Security (TISSEC), vol. 9, no. 1, pp. 1–30, 2006.
R. H. Deng, J. Weng, S. Liu, and K. Chen, “Chosen-ciphertext secure proxy re-encryption without pairings,” in International Conference on Cryptology and Network Security, pp. 1–17, Hong Kong, China, 2008.
B. Libert and D. Vergnaud, “Unidirectional chosen-ciphertext secure proxy re-encryption,” in 11th International Workshop on Practice and Theory in Public-Key Cryptography, pp. 360–379, Barcelona, Spain, 2008.
J. Shao and Z. Cao, “CCA-secure proxy re-encryption without pairings,” in International Workshop on Public Key Cryptography, pp. 357–376, Irvine, CA, USA, 2009.
G. Ateniese, K. Benson, and S. Hohenberger, “Key-private proxy re-encryption,” in Cryptographers’ Track at the RSA Conference, pp. 279–294, San Francisco, CA, USA, 2009.
S. S. M. Chow, J. Weng, Y. Yang, and R. H. Deng, “Efficient unidirectional proxy re-encryption,” in International Conference on Cryptology in Africa, pp. 316–332, Stellenbosch, South Africa, 2010.
J. Shao, P. Liu, G. Wei, and Y. Ling, “Anonymous proxy re-encryption,” Security and Communication Networks, vol. 5, no. 5, p. 449, 2012.
H. Wang and Z. Cao, “More efficient CCA-secure unidirectional proxy re-encryption schemes without random oracles,” Security and Communication Networks, vol. 6, no. 2, p. 181, 2013.
Z. Cai, Z. Xiong, H. Xu, P. Wang, W. Li, and Y. Pan, “Generative adversarial networks,” ACM Computing Surveys, vol. 54, no. 6, pp. 1–38, 2021.
G. Hanaoka, Y. Kawai, N. Kunihiro et al., “Generic construction of chosen ciphertext secure proxy re-encryption,” in Cryptographers’ Track at the RSA Conference, pp. 349–364, San Francisco, CA, USA, 2012.
A. Shamir, “Identity-based cryptosystems and signature schemes,” in Workshop on the Theory and Application of Cryptographic Techniques, Springer, pp. 47–53, 1985.
C.-K. Chu and W.-G. Tzeng, “Identity-based proxy re-encryption without random oracles,” in International Conference on Information Security, pp. 189–202, Valparaiso, Chile, 2007.
M. Green and G. Ateniese, “Identity-based proxy re-encryption,” in International Conference on Applied Cryptography and Network Security, pp. 288–306, Zhuhai, China, 2007.
K. Liang, J. K. Liu, D. S. Wong, and W. Susilo, “An efficient cloud-based revocable identity-based proxy re-encryption scheme for public clouds data sharing,” in European Symposium on Research in Computer Security, pp. 257–272, Wroclaw, Poland, 2014.
A. Paul, V. Srinivasavaradhan, S. D. Selvi, and C. P. Rangan, “A CCA-secure collusion-resistant identity-based proxy re-encryption scheme,” in International Conference on Provable Security, pp. 111–128, Jeju, South Korea, 2018.
L. Wang, L. Wang, M. Mambo, and E. Okamoto, “New identity-based proxy re-encryption schemes to prevent collusion attacks,” in International Conference on Pairing-Based Cryptography, pp. 327–346, Yamanaka Hot Spring, Japan, 2010.
S. S. Al-Riyami and K. G. Paterson, “Certificateless public key cryptography,” in International Conference on the Theory and Application of Cryptology and Information Security, pp. 452–473, Taipei, Taiwan, 2003.
L. Xu, X. Wu, and X. Zhang, “CL-PRE: a certificateless proxy re-encryption scheme for secure data sharing with public cloud,” in Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security, pp. 87–88, Seoul, Korea, 2012.
X. Wu, L. Xu, and X. Zhang, “Poster: a certificateless proxy re-encryption scheme for cloud-based data sharing,” in Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 869–872, Chicago, IL, USA, 2011.
K. Yang, J. Xu, and Z. Zhang, “Certificateless proxy re-encryption without pairings,” in International Conference on Information Security and Cryptology, pp. 67–88, Seoul, Korea, 2014.
X. Zheng, Y. Zhou, Y. Ye, and F. Li, “A cloud data deduplication scheme based on certificateless proxy re-encryption,” Journal of Systems Architecture, vol. 102, article 101666, 2020.
J. Baek, R. Safavi-Naini, and W. Susilo, “Efficient multi-receiver identity-based encryption and its application to broadcast encryption,” in International Workshop on Public Key Cryptography, Springer, pp. 380–397, 2005.
S. Chatterjee and P. Sarkar, “Multi-receiver identity-based key encapsulation with shortened ciphertext,” in International Conference on Cryptology in India, pp. 394–408, Kolkata, India, 2006.
P. Vijayakumar, S. Bose, A. Kannan, and L. J. Deborah, “Computation and communication efficient key distribution protocol for secure multicast communication,” KSII Transactions on Internet and Information Systems, vol. 7, no. 4, pp. 878–894, 2013.
I. Kim and S. O. Hwang, “An optimal identity-based broadcast encryption scheme for wireless sensor networks,” IEICE Transactions on Communications, vol. E96.B, no. 3, pp. 891–895, 2013.
X. Zheng and Z. Cai, “Privacy-preserved data sharing towards multiple parties in industrial IoTs,” IEEE Journal on Selected Areas in Communications, vol. 38, no. 5, pp. 968–979, 2020.
J. Kim, W. Susilo, M. H. Au, and J. Seberry, “Adaptively secure identity-based broadcast encryption with a constant-sized ciphertext,” IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 679–693, 2015.
F.-C. Zhou, M.-Q. Lin, Y. Zhou, and Y.-X. Li, “Efficient anonymous broadcast encryption with adaptive security,” KSII Transactions on Internet and Information Systems, vol. 9, no. 11, pp. 4680–4700, 2015.
J. Li, Q. Yu, and Y. Zhang, “Identity-based broadcast encryption with continuous leakage resilience,” Information Sciences, vol. 429, pp. 177–193, 2018.
J. Lai, Y. Mu, F. Guo, P. Jiang, and S. Ma, “Identity-based broadcast encryption for inner products,” The Computer Journal, vol. 61, no. 8, pp. 1240–1251, 2018.
C.-I. Fan, L.-Y. Huang, and P.-H. Ho, “Anonymous multireceiver identity-based encryption,” IEEE Transactions on Computers, vol. 59, no. 9, pp. 1239–1249, 2010.
H. Wang, Y. Zhang, H. Xiong, and B. Qin, “Cryptanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme,” IET Information Security, vol. 6, no. 1, pp. 20–27, 2012.
H.-Y. Chien, “Improved anonymous multi-receiver identity-based encryption,” The Computer Journal, vol. 55, no. 4, pp. 439–446, 2012.
C.-I. Fan, P.-J. Tsai, J.-J. Huang, and W.-T. Chen, “Anonymous multi-receiver certificate-based encryption,” in 2013 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery, pp. 19–26, Beijing, China, 2013.
M. Zhang and T. Takagi, “Efficient constructions of anonymous multireceiver encryption protocol and their deployment in group e-mail systems with privacy preservation,” IEEE Systems Journal, vol. 7, no. 3, pp. 410–419, 2013.
J. Zhang and J. Mao, “An improved anonymous multi-receiver identity-based encryption scheme,” International Journal of Communication Systems, vol. 28, no. 4, pp. 645–658, 2015.
C. Sur, C. D. Jung, and K. H. Rhee, “Multi-receiver certificate-based encryption and application to public key broadcast encryption,” in 2007 ECSIS Symposium on Bio-inspired, Learning, and Intelligent Systems for Security (BLISS 2007), pp. 35–40, Edinburgh, UK, 2007.
C. Sur, Y.-H. Park, and K.-H. Rhee, “A multi-receiver certificateless encryption scheme and its application,” Journal of Korea Multimedia Society, vol. 14, no. 6, pp. 775–784, 2011.
S. H. Islam, M. K. Khan, and A. M. Al-Khouri, “Anonymous and provably secure certificateless multireceiver encryption without bilinear pairing,” Security and Communication Networks, vol. 8, no. 13, p. 2231, 2015.
Y.-H. Hung, S.-S. Huang, Y.-M. Tseng, and T.-T. Tsai, “Efficient anonymous multireceiver certificateless encryption,” IEEE Systems Journal, vol. 11, no. 4, pp. 2602–2613, 2017.
D. He, H. Wang, L. Wang, J. Shen, and X. Yang, “Efficient certificateless anonymous multi-receiver encryption scheme for mobile devices,” Soft Computing, vol. 21, no. 22, pp. 6801–6810, 2017.
L. Deng, “Anonymous certificateless multi-receiver encryption scheme for smart community management systems,” Soft Computing, vol. 24, no. 1, pp. 281–292, 2020.
J. Zhu, L.-L. Chen, X. Zhu, and L. Xie, “A new efficient certificateless multi-receiver public key encryption scheme,” International Journal of Computer Science Issues, vol. 13, no. 6, pp. 1–7, 2016.
E. K. Win, T. Yoshihisa, Y. Ishi, T. Kawakami, Y. Teranishi, and S. Shimojo, “A lightweight multi-receiver encryption scheme with mutual authentication,” in 2017 IEEE 41st Annual Computer Software and Applications Conference (COMPSAC), pp. 491–497, Turin, Italy, 2017.
W.-B. Kim, S.-H. Kim, D. Seo, and I.-Y. Lee, “Broadcast proxy reencryption based on certificateless public key cryptography for secure data sharing,” Wireless Communications and Mobile Computing, vol. 2021, 16 pages, 2021.
A. Braeken, “Pairing free certified common asymmetric group key agreement protocol for data sharing among users with different access rights,” Wireless Personal Communications, vol. 121, no. 1, pp. 307–318, 2021.
X. Wang and X. Yang, “Identity based broadcast encryption based on one to many identity based proxy re-encryption,” in 2009 2nd IEEE International Conference on Computer Science and Information Technology, Beijing, China, 2009.
S. Maiti and S. Misra, “P2B: privacy preserving identity-based broadcast proxy re-encryption,” IEEE Transactions on Vehicular Technology, vol. 69, no. 5, pp. 5610–5617, 2020.
M. Sun, C. Ge, L. Fang, and J. Wang, “A proxy broadcast re-encryption for cloud data sharing,” Multimedia Tools and Applications, vol. 77, no. 9, pp. 10455–10469, 2018.
S. Yin, H. Li, and L. Teng, “A novel proxy re-encryption scheme based on identity property and stateless broadcast encryption under cloud environment,” International Journal of Network Security, vol. 21, no. 5, pp. 797–803, 2019.
C. Ge, Z. Liu, J. Xia, and L. Fang, “Revocable identity-based broadcast proxy re-encryption for data sharing in clouds,” IEEE Transactions on Dependable and Secure Computing, vol. 18, pp. 1214–1226, 2019.