1 Introduction

1.1 Motivation

Multimedia data covers all kinds of media types, such as audio, images and video. The proliferation of cloud computing has made multimedia data sharing over networks much easier, and cloud servers now play a central role in collecting multimedia data: it is the main type of information stored in and transmitted through the cloud. Most effort, however, goes into the multimedia content itself, while much less attention is paid to its security and privacy. In cloud settings it is particularly important to ensure strong privacy and security during multimedia data sharing.

1.2 Use case

Consider the following scenario:

  1. A user, Alice, plans to upload several multimedia files \(F_1, F_2, \cdots, F_n\) to Dropbox. The general idea is for Alice to encrypt these files before sending them to Dropbox, using the conventional hybrid encryption paradigm. The files \(F_1, F_2, \cdots, F_n\) are first encrypted to \(C_1, C_2, \cdots, C_n\) under random symmetric content keys \(K_1, K_2, \cdots, K_n\), using a block cipher in an appropriate mode of operation (e.g. AES-CBC; in practice an authenticated mode such as AES-GCM is preferable, since CBC alone gives no integrity protection). The keys \(K_1, K_2, \cdots, K_n\) are then encrypted under the user's public key with a public key encryption (PKE) scheme (e.g. ElGamal encryption over an elliptic curve group). The ciphertexts uploaded to Dropbox consist of the encrypted multimedia files \(C_1, C_2, \cdots, C_n\) and the encrypted content keys, denoted \(CK_1, CK_2, \cdots, CK_n\). Each encrypted multimedia file \(C_i\) also carries its initialization vector; for simplicity, we treat the initialization vector as part of \(C_i\).

  2. At some point Alice would like to share her multimedia files with a friend, Bob. A conventional solution is for Alice to download all the encrypted content keys \(CK_1, CK_2, \cdots, CK_n\) from Dropbox, decrypt them to obtain the content keys \(K_1, K_2, \cdots, K_n\), encrypt them again to \(CK_{1}^{\prime}, CK_{2}^{\prime}, \cdots, CK_{n}^{\prime}\) under Bob's public key, and finally upload these newly encrypted content keys to Dropbox for Bob to download. The advantage of this solution is that Alice never needs to download any of the encrypted multimedia files, which saves bandwidth between Alice and Dropbox. However, it still involves many downloads and uploads of encrypted content keys, and the network overhead is linear in the number of files Alice wants to share. It also places a lot of computation on Alice's side and may be impractical, especially on battery-powered devices.

The technical challenge in this use case is therefore how to share encrypted multimedia data efficiently, without much communication between the cloud server and the cloud user and without imposing much computational burden on the user.

There is another potential solution: Alice gives her private key to Dropbox and lets Dropbox decrypt and re-encrypt the content keys on her behalf. However, this relies entirely on the security of Dropbox, and Alice has to trust Dropbox not to disclose her multimedia files to any third party without authorization. It gives Alice little assurance that she alone controls access to her own encrypted files.

By applying PRE, we aim to minimize the communication between the cloud server and the cloud user for encrypted multimedia data sharing and to reduce the user's computational burden, while at the same time ensuring the privacy of Alice's encrypted multimedia files, so that no adversary can obtain the files even after compromising the cloud storage service provider (Dropbox in the example above). We also make use of a property called public verifiability: the validity of a ciphertext can be verified by anyone, so validity checks can be offloaded from power-limited clients to any semi-honest public cloud, further improving efficiency.

1.3 A practical and efficient encrypted multimedia data sharing solution using Velosti’s USB device

The multimedia data owner, say Alice, has a Velosti USB device that contains her key pair (public and private keys) together with a piece of software called the encrypted cloud data client-side management software (the client software for short). In Alice's Dropbox folder the client software creates a folder called Velosti. All files stored in the Velosti folder are encrypted in the hybrid encryption fashion described above, with the Velosti USB device performing the key operations. To access the encrypted files, Alice has to insert the Velosti USB device and run the client software.

Furthermore, a copy of Alice's public key is made available in the public folder of Alice's Dropbox, so that any Dropbox user who knows the identity of Alice's Dropbox account can obtain it. The same holds for other users: Bob, for example, also keeps a copy of his public key in his Dropbox public folder. Since these keys are fetched from a shared folder, the client software has to satisfy itself that a key it retrieves really belongs to the intended user (for instance by checking a fingerprint out of band); the PRE scheme itself does not authenticate public keys.

Suppose Alice is about to share several encrypted files in the Velosti folder with Bob. Through the client software, Alice specifies the encrypted files she wants to share with Bob. The client software then notifies Dropbox, via the Dropbox API, of the files Alice wants to share, and Dropbox notifies Bob using its existing data-sharing notification protocol. However, since these files are encrypted, and in particular their content keys are encrypted under Alice's public key, neither Bob nor anyone else can decipher them. Hence, besides notifying Dropbox, Alice's client software also visits Bob's Dropbox public folder to obtain a copy of Bob's public key and computes a transformation key ReKey from Alice's private key and Bob's public key. The transformation key is used to transform Alice's encrypted files into another form that Bob can decrypt. After generating ReKey, Alice encrypts it under Bob's public key and uploads the encrypted ReKey to her public folder.

After receiving the sharing notification from Dropbox, Bob's client software visits Alice's public folder to fetch the encrypted transformation key, decrypts it with Bob's private key to recover ReKey, downloads the encrypted files shared by Alice from Dropbox, and deciphers them using ReKey together with his own private key.

In this PRE-based solution no additional server is needed: Bob's client applies the transformation itself, so only Dropbox's existing storage and sharing mechanisms are used, and security is integrated seamlessly with Dropbox's sharing mechanism. Note that in this deployment Bob holds both ReKey and his own private key, so the PRE scheme chosen must remain secure when the delegatee also plays the proxy. The user experience is also enhanced by the Velosti USB device: user passwords are not mandatory, but remain optional as an additional second authentication factor.

1.4 Related work

Much research has been done on providing data privacy in the IoT. Yang et al. [48] presented a fuzzy information retrieval scheme based on a lattice assumption; it supports multi-user systems without a shared secret key and is secure for multimedia cloud applications even in the quantum era. Wang et al. [47] proposed leakage-resilient CP-ABE and KP-ABE schemes in an improved auxiliary-input model, proved secure by constructing an improved strong extractor from a modified Goldreich-Levin theorem. Chang et al. [15] proposed a framework for business clouds, with detailed experiments showing its robustness in a multilayered structure. Vijayakumar et al. [46] introduced an improved authentication scheme for vehicular ad-hoc networks together with an anonymous authentication method that preserves privacy. Amin et al. [1] presented a smartcard-based authentication protocol for a distributed cloud environment, built on an architecture proposed in that paper, which allows a registered user to securely access private information from all private cloud servers.

Many approaches are available for protecting shared multimedia data. Encryption, for example, transforms the multimedia data into an encrypted form using a key, and the encrypted form can only be decrypted by a user holding the decryption key. Encryption is the primary tool for guaranteeing data privacy against unauthorized access [16, 24].

Commutative encryption and watermarking can provide extensive protection for multimedia data. Bouslimi et al. [11] presented an algorithm combining watermarking and encryption; the convergence of the two primitives has advanced research on privacy and security [7]. Cancellaro et al. [12] combined encryption and watermarking to protect images.

Besides, Bianchi [8] applied the discrete Fourier transform to encrypted multimedia data. A combination of SVD and CA was proposed that offers novel solutions for preserving multimedia data privacy [49]. Ye et al. [50] proposed the first JFE method to address the problem of multimedia data sharing.

PRE schemes can also be used to implement secure multimedia data sharing, since any multimedia data can be represented in binary.

A PRE scheme allows a private key holder (e.g. Alice) to produce a re-encryption key with which a proxy (e.g. a network server) can convert Alice's ciphertext \(C_A\) into Bob's ciphertext \(C_B\) without learning the plaintext. PRE schemes have therefore been applied to encrypted email forwarding [9], the DRM of Apple's iTunes [44], distributed file storage systems [4, 5], secure certified email mailing lists [35, 36] and access control [45]. In all of these applications the core idea is re-encryption.

The definition of PRE was first introduced in [9]. However, the PRE scheme presented there is only secure against chosen-plaintext attack (CPA).

Ivan et al. [33] presented a CCA security model for PRE, but Canetti et al. showed that the CCA security of their schemes does not hold [13]. Green and Ateniese [30] focused on CCA-secure ID-based PRE and proposed a corresponding security model. Chu et al. [18] presented an ID-based PRE without random oracles; however, [18] was later shown not to be CCA secure [43].

Homomorphic encryption (HE) schemes can also be used to construct PRE schemes. Goldwasser et al. [26] gave the first semantically secure additively homomorphic scheme over \(Z_2\), followed by other additively homomorphic schemes such as Paillier [40] and Damgård [21]. Linear codes and lattices have also been used to obtain additively homomorphic schemes [2, 27, 34, 39, 41]. The other type of HE is multiplicative, of which ElGamal [23] is the typical example.

A fully homomorphic encryption (FHE) scheme allows anyone to evaluate both additions and multiplications over encrypted data without decrypting first. Gentry [28] proposed the first FHE scheme, from which a CPA-secure PRE can be constructed directly. Subsequent progress on FHE followed [10, 19, 25]. However, existing FHE constructions are not suitable for practical use because of their efficiency drawbacks.

Another major concern about multimedia in the IoT is supporting public verifiability for encrypted multimedia data stored on remote network servers. Public verifiability enables anyone to check the validity of a ciphertext without access to any private information. This adds flexibility in various IoT applications, especially multimedia data sharing. Although public verifiability of ciphertexts is important, it has received insufficient attention from researchers.

If the validity of a ciphertext can only be checked by the receiver (delegatee) with his private key, the scheme is exposed to ciphertext-malleability attacks: an attacker can modify legitimate ciphertexts in transit and inject large numbers of malicious ciphertexts in their place. Although the receiver eventually rejects these malicious ciphertexts, by then they have already consumed bandwidth and processing time, degrading the users' experience and potentially harming the service provider. If ciphertext validity can be checked publicly, these problems are easily solved: routers or the access infrastructure can drop maliciously created ciphertexts, and bandwidth is preserved [29].

Canetti et al. [13] introduced the concept of public verifiability in PRE schemes. Libert et al. [38] proposed a unidirectional publicly verifiable PRE. However, Chow et al. [17] pointed out that the security assurance provided by [38] only holds against a weakened form of CCA [14].

Deng et al. [22] presented a PRE construction in which original ciphertexts can be publicly verified, but it suffers from the attack in Remark 2 of [42]. Shao et al. [42] constructed a PRE using signatures of knowledge [3] to obtain public verifiability, but their public verifiability covers only original ciphertexts, and the scheme is vulnerable to chosen-ciphertext attack [17].

Public verifiability should therefore be an essential property of CCA-secure PRE [4, 5, 13, 30, 51, 52]. An active attacker can query the decryption oracles of the data owner and the receivers arbitrarily. If the proxy forwards an invalid ciphertext to the receiver and the receiver decrypts it, the attacker may derive useful information and use it to break CCA security. Although the proxy does not hold any private key, it has to verify the integrity of ciphertexts before re-encrypting them, so public verifiability is essential for achieving CCA security in PRE.

Moreover, most existing PRE schemes are constructed from pairings. Ateniese et al. [4, 5], Hohenberger et al. [31], Libert et al. [38] and Ateniese et al. [6] each presented collusion-resistant unidirectional PRE schemes, all of which rely on pairings. However, those schemes are CPA secure.

It is worth noting that bilinear pairing is an important tool for constructing PRE schemes, but it is relatively slow to implement, especially on devices with constrained computational resources. Canetti et al. [13] raised the open problem of designing a pairing-free PRE scheme, and many researchers have since become interested in removing pairings from PRE constructions. Deng et al. [22], Shao [42] and Chow et al. [17] each removed pairings from their PRE schemes, but did not achieve public verifiability.

Zhang et al. [53] considered how to construct a publicly verifiable pairing-free PKE scheme, and found that publicly verifiable PKE is easy to construct.

We therefore want a PRE scheme that simultaneously satisfies the following: CCA security, high efficiency, public verifiability, a pairing-free construction and a simple design.

1.5 Our contributions

In this paper we study privacy and security protection mechanisms for multimedia data in the IoT based on proxy re-encryption. We aim to ensure the privacy and security of shared multimedia data while reducing the computational burden on the multimedia data owner. Our contributions are summarized below:

  1. We propose a basic CPA-secure PRE scheme from which bilinear pairings are removed, for efficiency and practical use.

  2. To enhance the security of shared multimedia data in the IoT, we propose a new CCA-secure pairing-free PRE scheme built on the CPA-secure one.

  3. To ensure the validity of shared multimedia data in the IoT, we construct a publicly verifiable PRE scheme that is CCA-secure and also free of bilinear pairings.

1.6 Organization

Section 2 introduces the definition of PRE and its security models. In Section 3 we describe three pairing-free PRE schemes meeting different security requirements, together with their security proofs and an efficiency comparison. Section 4 concludes.

2 Definition and security models

We give the definition of PRE and its CCA security model as follows. A PRE scheme is unidirectional if a ciphertext can be converted from one user to another but not in the opposite direction. If a ciphertext can be transformed only once, the PRE scheme is single-hop: a re-encrypted ciphertext cannot be re-encrypted again.

2.1 Definition of PRE

Definition 1

A PRE scheme is composed of the following 7 algorithms:

  1. \(par \leftarrow Setup(1^k)\): given a security parameter \(k \in \mathbb{N}\), output the system parameters \(par\).

  2. \((pk_i, sk_i) \leftarrow KeyGen(par)\): given \(par\), output a public/private key pair \((pk_i, sk_i)\). For ease of description, the other algorithms take \(par\) as an implicit input.

  3. \(rk_{i \to j} \leftarrow ReKeyGen(sk_i, pk_j)\): given \(sk_i\) (user i's private key) and \(pk_j\) (user j's public key), output the re-encryption key \(rk_{i \to j}\). With this key, a ciphertext encrypted under \(pk_i\) can be transformed into a ciphertext encrypted under \(pk_j\). Here \(i \neq j\) and \(i, j \in \{1, \ldots, poly(1^k)\}\), where \(poly(1^k)\) is some polynomial in k.

  4. \(C_i \leftarrow Enc(pk_i, m)\): given \(pk_i\) and \(m \in \mathcal{M}(pk_i)\), output an original ciphertext \(C_i\), where \(\mathcal{M}(pk_i)\) is the message space.

  5. \(C_j \leftarrow ReEnc(rk_{i \to j}, C_i)\): given the re-encryption key \(rk_{i \to j}\) and an original ciphertext \(C_i\) under \(pk_i\), output a re-encrypted ciphertext \(C_j\).

  6. \(m/\bot \leftarrow Dec(sk_i, C_i)\): given user i's private key \(sk_i\) and an original ciphertext \(C_i\) under \(pk_i\), output the message m if \(C_i\) is valid, and the symbol \(\bot\) otherwise.

  7. \(m/\bot \leftarrow Dec_R(sk_j, C_j)\): given user j's private key \(sk_j\) and a re-encrypted ciphertext \(C_j\), output the message m if \(C_j\) is valid, and the symbol \(\bot\) otherwise.

A PRE scheme according to Definition 1 is correct if, for any \(k \in \mathbb{N}\), any users \(i \neq j\) with \(i, j \in \{1, \ldots, poly(1^k)\}\) and any message \(m \in \mathcal{M}(pk_i)\), whenever \(par \leftarrow Setup(1^k)\), \((pk_i, sk_i) \leftarrow KeyGen(par)\) and \((pk_j, sk_j) \leftarrow KeyGen(par)\), we have

$$C_i = Enc(pk_i, m), Dec(sk_i, C_i) = m;$$
$$C_j = ReEnc(ReKeyGen(sk_i, pk_j), C_i), Dec_R(sk_j, C_j) = m.$$

2.2 Security models

Definition 2 (Unidirectional Single-hop PRE IND-CCA Game)

Let k be the security parameter, \(\mathcal A\) a probabilistic polynomial-time (PPT) adversary and \(\mathcal B\) the challenger. The game consists of the following phases; the oracles may be invoked repeatedly and in any order.

  1. Setup. The challenger \(\mathcal B\) runs \(par \leftarrow Setup(1^k)\) and gives \(par\) to \(\mathcal A\).

  2. Phase 1. The adversary \(\mathcal A\) can issue the following oracle queries.

     (1) \(\mathcal{O}_{pk}(i)\): given an index \(i \in \{1, \ldots, poly(1^k)\}\), \(\mathcal B\) runs \((pk_i, sk_i) \leftarrow KeyGen(par)\) and returns \(pk_i\) to \(\mathcal A\).

     (2) \(\mathcal{O}_{sk}(pk_i)\): given a public key \(pk_i\), \(\mathcal B\) returns the corresponding private key \(sk_i\) to \(\mathcal A\), where \((pk_i, sk_i) \leftarrow KeyGen(par)\).

     (3) \(\mathcal{O}_{rk}(pk_i, pk_j)\): given public keys \(pk_i\) and \(pk_j\), \(\mathcal B\) returns \(rk_{i \to j} \leftarrow ReKeyGen(sk_i, pk_j)\) to \(\mathcal A\), where \((pk_i, sk_i) \leftarrow KeyGen(par)\) and \((pk_j, sk_j) \leftarrow KeyGen(par)\).

     (4) \(\mathcal{O}_{re}(pk_i, pk_j, C_i)\): given public keys \(pk_i\), \(pk_j\) and a ciphertext \(C_i\) of user i, \(\mathcal B\) returns the re-encrypted ciphertext \(C_j \leftarrow ReEnc(rk_{i \to j}, C_i)\) to \(\mathcal A\), where \(rk_{i \to j} \leftarrow ReKeyGen(sk_i, pk_j)\), \((pk_i, sk_i) \leftarrow KeyGen(par)\) and \((pk_j, sk_j) \leftarrow KeyGen(par)\).

     (5) \(\mathcal{O}_{dec}(pk_i, C_i)\): on input \(pk_i\) and an original ciphertext \(C_i\), \(\mathcal B\) returns \(m \leftarrow Dec(sk_i, C_i)\), where \((pk_i, sk_i) \leftarrow KeyGen(par)\).

     (6) \(\mathcal{O}_{dec_R}(pk_j, C_j)\): on input \(pk_j\) and a re-encrypted ciphertext \(C_j\), \(\mathcal B\) returns \(m \leftarrow Dec_R(sk_j, C_j)\), where \((pk_j, sk_j) \leftarrow KeyGen(par)\).

  3. Challenge. The adversary \(\mathcal A\) outputs two messages \(m_0, m_1\) and a challenge public key \(pk_{i^*}\), where \(pk_{i^*}\) was output by \(\mathcal{O}_{pk}(i^*)\). Provided that the queries

     (1) \(\mathcal{O}_{sk}(pk_{i^*})\); and

     (2) \(\mathcal{O}_{rk}(pk_{i^*}, pk_j)\) together with \(\mathcal{O}_{sk}(pk_j)\), for any \(pk_j\),

     have never been made, \(\mathcal B\) picks \(b \in_R \{0,1\}\) and returns \(C_{i^*} = Enc(pk_{i^*}, m_b)\) to \(\mathcal A\).

  4. Phase 2. The adversary \(\mathcal A\) continues to issue queries as in Phase 1, except that the following queries are not allowed:

     (1) \(\mathcal{O}_{sk}(pk_{i^*})\);

     (2) \(\mathcal{O}_{rk}(pk_{i^*}, pk_j)\) together with \(\mathcal{O}_{sk}(pk_j)\), for any index j;

     (3) \(\mathcal{O}_{re}(pk_{i^*}, pk_j, C_{i^*})\) together with \(\mathcal{O}_{sk}(pk_j)\), for any index j with \(i^* \neq j\), where \(i^*, j \in \{1, \ldots, poly(1^k)\}\);

     (4) \(\mathcal{O}_{dec}(pk_{i^*}, C_{i^*})\); and

     (5) \(\mathcal{O}_{dec_R}(pk_j, C_j)\) for any \((pk_j, C_j)\) derived from \((pk_{i^*}, C_{i^*})\). Following [13], the derivatives of \((pk_{i^*}, C_{i^*})\) are defined as follows.

        (a) \((pk_{i^*}, C_{i^*})\) is a derivative of itself.

        (b) If \(\mathcal A\) has queried \(\mathcal{O}_{rk}\) on \((pk_{i^*}, pk_j)\) and obtained the re-encryption key \(rk_{i^* \to j}\), then for \(C_j \leftarrow ReEnc(rk_{i^* \to j}, C_{i^*})\), \((pk_j, C_j)\) is a derivative of \((pk_{i^*}, C_{i^*})\).

        (c) If \(\mathcal A\) has queried \(\mathcal{O}_{re}\) on \((pk_{i^*}, pk_j, C_{i^*})\) and obtained \(C_j\), then \((pk_j, C_j)\) is a derivative of \((pk_{i^*}, C_{i^*})\).

  5. Guess. The adversary \(\mathcal A\) outputs a bit \(b' \in \{0,1\}\) as its guess. \(\mathcal A\) wins if \(b' = b\).

Definition 3 (CCA Security of Original Ciphertext)

Let \(Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Or}(1^{k}) = |Pr[b' = b] - \frac{1}{2}|\) be \(\mathcal A\)'s advantage in the game of Definition 2. A unidirectional single-hop PRE scheme is \((t, q_{pk}, q_{sk}, q_{rk}, q_{re}, q_d, q_{d_R}, \epsilon)\)-IND-CCA secure at the original ciphertext if, for any t-time IND-CCA adversary \(\mathcal A\) making at most \(q_{pk}\) queries to \(\mathcal{O}_{pk}\), \(q_{sk}\) queries to \(\mathcal{O}_{sk}\), \(q_{rk}\) queries to \(\mathcal{O}_{rk}\), \(q_{re}\) queries to \(\mathcal{O}_{re}\), \(q_d\) queries to \(\mathcal{O}_{dec}\) and \(q_{d_R}\) queries to \(\mathcal{O}_{dec_R}\), we have \(Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Or}(1^{k}) \leq \epsilon\).

Remark 1

IND-CPA security at the original ciphertext is obtained from the above notion by providing \(\mathcal A\) with only \(\mathcal{O}_{pk}\), \(\mathcal{O}_{sk}\) and \(\mathcal{O}_{rk}\).

Definition 4 (CCA Security of Re-encrypted Ciphertext)

Let \(\bar{O} = \{\mathcal{O}_{pk}, \mathcal{O}_{sk}, \mathcal{O}_{rk}, \mathcal{O}_{dec}, \mathcal{O}_{dec_R}\}\). With security parameter k and state information \(State\), the advantage of \(\mathcal A\) in the following experiment is defined as

$$\begin{array}{@{}rcl@{}} Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Re}(1^{k})&=&|Pr[b=b':\mathbf{par} \gets Setup(1^{k}); \\&&(C_{0}, C_{1},pk_{i},pk_{j^{*}}, State)\gets {\mathcal A}^{\bar{O}}(\mathbf{par}); \\&& b\in_{R} \{0,1\}; C_{j^{*}}\gets ReEnc(rk_{i \to j^{*}}, C_{b}); \\&& b' \gets {\mathcal A}^{\bar{O}}(C_{j^{*}}, State)]-\frac{1}{2}|, \end{array} $$

Here i and \(j^*\) are two distinct indices, \(pk_i\) and \(pk_{j^*}\) are output by \(\mathcal{O}_{pk}\), and \(rk_{i \to j^*}\) is generated by \(ReKeyGen(sk_i, pk_{j^*})\). \(C_0\) and \(C_1\) are valid ciphertexts under \(pk_i\) constructed by \(\mathcal A\). The oracles \(\mathcal{O}_{pk}\), \(\mathcal{O}_{sk}\), \(\mathcal{O}_{rk}\), \(\mathcal{O}_{dec}\) and \(\mathcal{O}_{dec_R}\) are as defined above, subject to the following constraints: if \(\mathcal A\) queries \(\mathcal{O}_{sk}\) on \(pk_{j^*}\), the oracle outputs \(\bot\); the query \(\mathcal{O}_{dec_R}(pk_{j^*}, C_{j^*})\) is forbidden; there is no restriction on \(\mathcal{O}_{rk}\) and \(\mathcal{O}_{dec}\). The oracle \(\mathcal{O}_{re}\) is unnecessary, as \(\mathcal A\) may query any re-encryption key. A unidirectional single-hop PRE scheme is \((t, q_{pk}, q_{sk}, q_{rk}, q_d, q_{d_R}, \epsilon)\)-IND-CCA secure at the re-encrypted ciphertext if, for any t-time IND-CCA adversary \(\mathcal A\) making at most \(q_{pk}\) queries to \(\mathcal{O}_{pk}\), \(q_{sk}\) queries to \(\mathcal{O}_{sk}\), \(q_{rk}\) queries to \(\mathcal{O}_{rk}\), \(q_d\) queries to \(\mathcal{O}_{dec}\) and \(q_{d_R}\) queries to \(\mathcal{O}_{dec_R}\), we have \(Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Re}(1^{k}) \leq \epsilon\).

Remark 2

In Definition 3, if \(\mathcal A\) can deduce the private key \(sk_{i^*}\) from \(rk_{i^* \to j}\) (resp. \(rk_{j \to i^*}\)), where j is a corrupted user, then \(\mathcal A\) can certainly win the game above. Definition 3 therefore implies collusion resistance: the data owner's whole private key cannot be compromised by the proxy even after it compromises the corresponding receiver. IND-CPA security at the re-encrypted ciphertext is obtained from the above notion by providing \(\mathcal A\) with only \(\mathcal{O}_{pk}\), \(\mathcal{O}_{sk}\) and \(\mathcal{O}_{rk}\).

3 Our constructions

The core technology in our solution is PRE, which allows Alice to generate a re-encryption key \(rk_{A \to B}\) from her decryption key and the public key of the friend (say Bob) with whom she intends to share her encrypted multimedia data. This re-encryption key \(rk_{A \to B}\) then allows the encrypted content keys to be transformed so that Bob can decrypt them with his own private key.

On the one hand, any multimedia data is transformed into binary before travelling over the network, and on the other hand, proxy re-encryption (PRE) can be applied to any binary data, so secure multimedia data sharing can be implemented by designing an efficient PRE scheme. More specifically, in our PRE schemes a message m represents a binary multimedia file (in the hybrid deployment of Section 1.2, the content key that encrypts the file).

Our system model is shown in Fig. 1. There are three roles in our scheme: the multimedia data owner, a receiver and the cloud server. The data owner, say Alice, encrypts her multimedia files (images, audio, video etc.) using a PKE scheme (e.g. ElGamal encryption over an elliptic curve group) before uploading them to the cloud server. These encrypted multimedia data (the original ciphertexts) are stored in the cloud. At some point Alice would like to share her multimedia files with a friend, Bob, without sharing her private key. Alice therefore uses her private key and her friend's public key to generate \(rk_{A \to B}\) by running the ReKeyGen algorithm of our scheme. The key \(rk_{A \to B}\) allows the cloud server to transform the original ciphertext into another ciphertext (the re-encrypted ciphertext), which can only be decrypted by Bob with his private key. The details of our protocol are as follows.

Fig. 1 System model

In the following sections we propose three efficient PRE schemes meeting different security requirements, to guarantee the privacy and security of shared multimedia data. In our schemes, encrypted multimedia files can be shared between a user, Alice, and her friends without sharing Alice's private key; each of Alice's friends decrypts the shared files with his own private key.

3.1 A basic CPA secure PRE scheme without pairings

3.1.1 Construction

A basic CPA-secure PRE scheme without pairings is proposed in this part. Here the cloud server is deemed semi-honest: it follows the protocol but is curious about the data owner's plaintext. With the re-encryption key \(rk_{A \to B}\), the data owner's encrypted data is transformed into a form that the intended receiver can decrypt, and the receiver then decrypts the re-encrypted data with his decryption key to obtain the plaintext, i.e. the multimedia files Alice intends to share. The scheme is as follows:

  1. \(Setup(k)\): for a given security parameter \(k \in \mathbb{N}\), generate a group G of prime order q with |q| = k, and let g be a generator of G. Also choose two hash functions \(H_1, H_2: G \to Z_q\). The message space is G. The system parameters of the PRE are \(par = (G, q, g, H_1, H_2)\).

  2. \(KeyGen(par)\):

     (1) Pick two random values \(x_{i,1}, x_{i,2} \in_R Z_q\) and set the private key \(sk_i = (x_{i,1}, x_{i,2})\).

     (2) Set the public key \(pk_i = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

  3. \(Enc(pk_i, m)\): given user i's public key \(pk_i = (pk_{i,1}, pk_{i,2})\) and a message \(m \in G\), generate the ciphertext \(C_i\) as follows.

     (1) Pick r randomly from \(Z_q\).

     (2) Compute \(E = m g^r\).

     (3) Compute \(F = (pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2})^r\).

     (4) Set \(C_i = (E, F)\).

  4. \(ReKeyGen(sk_i, pk_j)\):

     (1) Randomly pick \(V \in_R G\) and \(u \in_R Z_q\).

     (2) Compute \(v = H_1(V) \cdot (x_{i,1} H_2(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).

     (3) Compute \(U = V g^u\).

     (4) Compute \(W = pk_{j,2}^{u}\).

     (5) Output \(rk_{i \to j} = (v, U, W)\).

  5. \(ReEnc(rk_{i \to j}, C_i)\): given the re-encryption key \(rk_{i \to j} = (v, U, W)\) and a ciphertext \(C_i = (E, F)\) under \(pk_i\), generate the re-encrypted ciphertext \(C_j\) as follows.

     (1) Compute \(F' = F^{v}\).

     (2) Output \(C_j = (E, F', U, W)\).

  6. \(Dec(sk_i, C_i)\): given user i's private key \(sk_i = (x_{i,1}, x_{i,2})\) and an original ciphertext \(C_i = (E, F)\) under \(pk_i\), recover the message m as follows.

     (1) Compute \(t = x_{i,1} H_2(pk_{i,2}) + x_{i,2} \pmod q\).

     (2) Output \(m = E \cdot (F^{1/t})^{-1}\).

  7. \(Dec_R(sk_j, C_j)\): given user j's private key \(sk_j = (x_{j,1}, x_{j,2})\) and a re-encrypted ciphertext \(C_j = (E, F', U, W)\), recover the message m as follows.

     (1) Compute \(V = U \cdot (W^{1/x_{j,2}})^{-1}\).

     (2) Output \(m = E \cdot (F'^{1/H_{1}(V)})^{-1}\).
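The following is an added worked example, not code from the paper: the basic scheme above instantiated over the secp256k1 elliptic curve, so that the paper's exponentiations become scalar multiplications (as Section 3.1.3 notes) and \(F^{1/t}\) becomes multiplication by \(t^{-1} \bmod q\). The hash functions \(H_1, H_2\) are realised as SHA-256 over a domain tag and the point coordinates, reduced into \(Z_q^*\); that choice, the function names, and the representation of a content key as a random group element (a KEM-style deployment would hash it to derive the file key) are our assumptions. The example runs the Section 1.2 flow end to end (Alice encrypts, derives \(rk_{A \to B}\), the proxy re-encrypts, Bob decrypts with \(Dec_R\)) and also exercises the correctness condition of Definition 1. The last helper computes \(t = H_1(V) \cdot v^{-1} \bmod q\) from \(rk_{i \to j}\) and \(sk_j\), which is exactly the combination the CPA model of Remark 1 forbids the adversary from holding.

```python
"""Added example: the pairing-free CPA-secure PRE of Section 3.1 over secp256k1.
Additive notation: the paper's g^x is x*G, m*g^r is M + r*G, F^{1/t} is (1/t mod q)*F.
Function names (keygen, enc, rekeygen, reenc, dec, dec_r, h_point) are ours.
"""
import hashlib
import secrets

# secp256k1 parameters (standard, public). The paper's q is the curve order N.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # Q + (-Q)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time: demonstration only)."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def neg(pt):
    return None if pt is None else (pt[0], (-pt[1]) % P)


def rand_scalar():
    return secrets.randbelow(N - 1) + 1               # uniform in [1, q-1]


def h_point(tag, pt):
    """H_1 / H_2: G -> Z_q^*, our instantiation: SHA-256(tag || x || y) mod (q-1), plus 1."""
    data = tag + pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (N - 1) + 1


def keygen():
    """KeyGen: sk_i = (x_{i,1}, x_{i,2}), pk_i = (g^{x_{i,1}}, g^{x_{i,2}})."""
    x1, x2 = rand_scalar(), rand_scalar()
    return (x1, x2), (mul(x1, G), mul(x2, G))


def combined_secret(sk):
    """t = x_{i,1} * H_2(pk_{i,2}) + x_{i,2} mod q, as in Dec step (1)."""
    return (sk[0] * h_point(b"H2", mul(sk[1], G)) + sk[1]) % N


def enc(pk, m):
    """Enc: E = m g^r, F = (pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2})^r, C_i = (E, F)."""
    r = rand_scalar()
    e = add(m, mul(r, G))
    f = mul(r, add(mul(h_point(b"H2", pk[1]), pk[0]), pk[1]))
    return (e, f)


def rekeygen(sk_i, pk_j):
    """ReKeyGen: v = H_1(V) t^{-1}, U = V g^u, W = pk_{j,2}^u; rk = (v, U, W)."""
    big_v, u = mul(rand_scalar(), G), rand_scalar()
    v = h_point(b"H1", big_v) * pow(combined_secret(sk_i), -1, N) % N
    return (v, add(big_v, mul(u, G)), mul(u, pk_j[1]))


def reenc(rk, c_i):
    """ReEnc: F' = F^v, C_j = (E, F', U, W). Needs no private key."""
    v, big_u, big_w = rk
    e, f = c_i
    return (e, mul(v, f), big_u, big_w)


def dec(sk_i, c_i):
    """Dec: m = E * (F^{1/t})^{-1}."""
    e, f = c_i
    return add(e, neg(mul(pow(combined_secret(sk_i), -1, N), f)))


def dec_r(sk_j, c_j):
    """Dec_R: V = U * (W^{1/x_{j,2}})^{-1}; m = E * (F'^{1/H_1(V)})^{-1}."""
    e, f_prime, big_u, big_w = c_j
    big_v = add(big_u, neg(mul(pow(sk_j[1], -1, N), big_w)))
    return add(e, neg(mul(pow(h_point(b"H1", big_v), -1, N), f_prime)))


def proxy_receiver_collusion(rk, sk_j):
    """Outside the model of Remark 1: whoever holds both rk_{i->j} and sk_j recovers V
    from (U, W) and then t = H_1(V) * v^{-1} mod q, the owner's decryption exponent."""
    v, big_u, big_w = rk
    big_v = add(big_u, neg(mul(pow(sk_j[1], -1, N), big_w)))
    return h_point(b"H1", big_v) * pow(v, -1, N) % N


def curve_ok():
    """Sanity check on the hard-coded parameters: G is on the curve and has order N."""
    return (G[1] ** 2 - G[0] ** 3 - 7) % P == 0 and mul(N, G) is None


def share_content_key():
    """Section 1.2 flow: Alice encrypts a content key (random group element), the proxy
    re-encrypts under rk_{A->B}, Bob recovers it. Returns (owner_ok, receiver_ok)."""
    sk_a, pk_a = keygen()
    sk_b, pk_b = keygen()
    content_key = mul(rand_scalar(), G)               # stand-in for K_i
    c_a = enc(pk_a, content_key)
    c_b = reenc(rekeygen(sk_a, pk_b), c_a)
    return dec(sk_a, c_a) == content_key, dec_r(sk_b, c_b) == content_key


if __name__ == "__main__":
    print(curve_ok(), share_content_key())
```

Run directly, it prints the parameter sanity check and the two correctness flags. Two points of design bear on the deployment of Section 1.3, where Bob receives ReKey: the scalar multiplication here is not constant time, and `proxy_receiver_collusion` shows that a party holding both \(rk_{A \to B}\) and Bob's private key obtains Alice's exponent t, with which every original ciphertext under \(pk_A\) can be decrypted with `dec`'s formula. That combination lies outside the CPA model of Remark 1, so it is not a contradiction of the scheme's claim, but it means \(rk_{A \to B}\) has to be kept from the receiver when this basic scheme is used.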

3.1.2 Security analysis

In this scheme the multimedia data owner's files are encrypted with ElGamal encryption: writing \(t = x_{i,1} H_2(pk_{i,2}) + x_{i,2}\), the original ciphertext \((E, F) = (m g^r, (g^t)^r)\) is exactly an ElGamal ciphertext under the combined public key \(g^t\), so the security of ElGamal (the DDH assumption in G) carries over to our scheme. Moreover, throughout the whole process the re-encryption key \(rk_{i \to j}\) alone does not allow anyone to recover the multimedia files: v is blinded by \(H_1(V)\), and V is hidden from the server in \((U, W)\) under \(pk_{j,2}\), so the network server gains no information about the data owner's files or private key. Note that this guarantee is with respect to the CPA model of Remark 1, which forbids the adversary from holding both \(rk_{i \to j}\) and \(sk_j\). From the equations above, a receiver who also learns \(rk_{i \to j}\) (as Bob does in the deployment of Section 1.3) can recover V and hence \(t = H_1(V) \cdot v^{-1} \bmod q\), which decrypts every original ciphertext under \(pk_i\); in a deployment of this basic scheme the re-encryption key must therefore be kept from the receiver.

3.1.3 Efficiency analysis

Let EXP denote an exponentiation in G (if G is an additive group such as an elliptic curve group, EXP denotes an elliptic curve scalar multiplication) and PreEXP a pre-computable exponentiation in G. DecryptO denotes the cost of decrypting an original ciphertext and DecryptR the cost of decrypting a re-encrypted ciphertext. \(|C_O|\) denotes the size of an original ciphertext, \(|C_R|\) the size of a re-encrypted ciphertext and \(|ReKey|\) the size of a re-encryption key.

From Table 1, we can conclude that the number of exponentiation operations needed in each algorithm is small (say one or two), the size of the ciphertext is at most 4 elements in G, and the R e K e y contains 3 elements (2 elements in G and 1 element in Z q ).

Table 1 Efficiency analysis

3.2 A CCA-secure pairing-free PRE scheme

3.2.1 Construction

The scheme of the previous section is only CPA-secure, whereas applications usually demand CCA security. For this purpose we design a CCA-secure PRE scheme consisting of seven algorithms:

  1. 1.

    \(Setup(k)\): for a given security parameter \(k\in \mathbb {N}\), the following steps are invoked:

    1. (1)

      Generate a group G of prime order q with |q| = k, and pick a generator \(g \gets_R G\).

    2. (2)

      Set the message space to \(\{0,1\}^k\).

    3. (3)

      Set four hash functions: \(H_{1}:G \to Z_{q}^{*}, H_{2}:G \to Z_{q}^{*}, H_{3}:G \to \{0,1\}^{k}, H_{4}: \{0,1\}^{k} \times G \to Z_{q}^{*}.\)

    4. (4)

      Output the public parameters \(par = (G, q, g, H_i)\), i = 1, ⋯, 4.

  2. 2.

    \(KeyGen(par)\):

    1. (1)

      Pick two random values \(x_{i,1}, x_{i,2} \gets_R Z_q\) and set the private key \(sk_i = (x_{i,1}, x_{i,2})\).

    2. (2)

      Set the public key \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

  3. 3.

    \(Enc(pk_i, m)\): given \(pk_i = (pk_{i,1}, pk_{i,2})\) and \(m \in \{0,1\}^k\), the following steps generate a ciphertext \(C_i\). Here \(pk_i\) is user i's public key and m is a message.

    1. (1)

      Pick σ randomly from G, then compute \(r = H_4(m, \sigma)\).

    2. (2)

      Compute \(E = \sigma g^{r}\).

    3. (3)

      Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).

    4. (4)

      Compute \(J = m \oplus H_3(\sigma)\).

    5. (5)

      Set \(C_i = (E, F, J)\).

  4. 4.

    \(ReKeyGen(sk_i, pk_j)\):

    1. (1)

      Randomly pick \(V \gets_R G\) and \(u \gets_R Z_q\).

    2. (2)

      Compute \(v = H_1(V)\,(x_{i,1} H_2(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).

    3. (3)

      Compute \(U = V g^{u}\).

    4. (4)

      Compute \(W = pk_{j,2}^{u}\).

    5. (5)

      Output \(rk_{ij} = (v, U, W)\).

  5. 5.

    \(ReEnc(rk_{ij}, C_i)\): given \(rk_{ij} = (v, U, W)\) and \(C_i = (E, F, J)\), a re-encrypted ciphertext \(C_j\) is generated. Here \(rk_{ij}\) is the re-encryption key and \(C_i\) is an original ciphertext under \(pk_i\).

    1. (1)

      Compute \(F' = F^{v}\).

    2. (2)

      Output \(C_j = (E, F', J, U, W)\).

  6. 6.

    \(Dec(sk_i, C_i)\): given \(sk_i = (x_{i,1}, x_{i,2})\) and \(C_i = (E, F, J)\), the message m is recovered. Here \(sk_i\) is user i's private key and \(C_i\) is an original ciphertext under \(pk_i\).

    1. (1)

      Compute \(t = x_{i,1} H_2(pk_{i,2}) + x_{i,2} \bmod q\).

    2. (2)

      Compute \(\sigma' = E (F^{1/t})^{-1}\).

    3. (3)

      Compute \(m' = J \oplus H_3(\sigma')\).

    4. (4)

      If \(E = \sigma ^{\prime } g^{H_{4}(m',\sigma ^{\prime })}\) holds, output \(m = m'\); otherwise output ⊥.

  7. 7.

    \(Dec_R(sk_j, C_j)\): given \(sk_j = (x_{j,1}, x_{j,2})\) and \(C_j = (E, F', J, U, W)\), the message m is recovered. Here \(sk_j\) is user j's private key and \(C_j\) is a re-encrypted ciphertext.

    1. (1)

      Compute \(V = U (W^{1/x_{j,2}})^{-1}\).

    2. (2)

      Compute \(\sigma ^{\prime } = E (F'^{1/H_{1}(V)})^{-1}\).

    3. (3)

      Compute \(m' = J \oplus H_3(\sigma')\).

    4. (4)

      If \(E = \sigma ^{\prime } g^{H_{4}(m',\sigma ^{\prime })}\) holds, output \(m = m'\); otherwise output ⊥.
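Why \(Dec\) and \(Dec_R\) recover the same σ (a worked derivation added here from the definitions above; it is not part of the original text). Write \(t = x_{i,1}H_2(pk_{i,2}) + x_{i,2}\), so that \(pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2} = g^{t}\) and \(F = g^{tr}\). Then

$$\begin{array}{@{}rcl@{}} F^{1/t} &=& g^{r}, \qquad E\,(F^{1/t})^{-1} = \sigma g^{r} g^{-r} = \sigma,\\ F' &=& F^{v} = g^{tr \cdot H_{1}(V)\, t^{-1}} = g^{r H_{1}(V)}, \qquad E\,(F'^{1/H_{1}(V)})^{-1} = \sigma, \end{array} $$

where user j can compute \(H_1(V)\) because \((U, W) = (V g^{u}, pk_{j,2}^{u})\) is an ElGamal encryption of V under \(pk_{j,2}\). In both cases \(m' = J \oplus H_3(\sigma) = m\) and the final check passes because \(r = H_4(m, \sigma)\). Note what the check does and does not cover: the decryptor rejects a ciphertext whose J was modified, since \(m'\) and hence \(H_4(m', \sigma')\) change, but \(ReEnc\) performs no check at all, and a party holding the target private key can compute \(\sigma'\) in step (2) of \(Dec_R\) without ever running step (4). This is exactly what the attack in Section 3.3.1 exploits.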

3.2.2 Security analysis

This scheme's CCA security is argued from the underlying CCA-secure ElGamal-type encryption that produces both the original and the re-encrypted ciphertexts; note, however, that Section 3.3.1 shows how a proxy that does not check the validity of the ciphertext it transforms can be abused, which is what motivates the publicly verifiable scheme of Section 3.3. Furthermore, since the re-encryption key \(rk_{ij}\) alone does not allow anyone to recover the files from the encrypted files, the encrypted files remain secure even if an adversary has compromised the cloud server and obtained a copy of \(rk_{ij}\). In other words, the secrecy of the encrypted files still relies on the secrecy of the private keys of the multimedia data owner and her friend Bob (even after the encrypted files are shared). The detailed proof can be deduced from the security analysis in Sections 3.3.3 and 3.3.4. We now focus on the generation of the re-encryption key.

  1. 1.

    Only \(sk_i\) is taken as input (\(sk_j\) is not involved); thus our scheme is unidirectional.

  2. 2.

    Even if someone obtains \(sk_j\) and \(rk_{ij}\) simultaneously, the values \(x_{i,1}\) and \(x_{i,2}\) remain hidden: recovering \(H_1(V)\) from (U, W) with \(sk_j\) only leaks the combined value \(x_{i,1} H_2(pk_{i,2}) + x_{i,2} \bmod q\) (the value t used by \(Dec\)), so the individual components of the data owner's private key are not exposed.

Remark 3

IoT has the merits of low cost and easy accessibility. However, network servers may not be fully trusted, so the validity of the data shared between users is problematic. Internet-connected devices are resource-limited and cannot afford excessive validity checks. Therefore, in practice it is more reasonable to add public verifiability to the construction. With public verifiability anyone, not just the data owner, can perform the validity verification without holding any private information. Consider the goal of allowing network servers to verify the correctness of ciphertexts on behalf of the multimedia data owner. In the next section we give an improved CCA-secure PRE scheme together with a thorough security analysis.

3.3 A CCA-secure publicly verifiable PRE scheme without paring (PVPRE)

3.3.1 Main idea

In practice, multimedia data in the IoT is stored on remote servers and exposed to malicious attackers. Moreover, in the context of PRE the remote server is asked to transform multimedia data encrypted under the owner's public key into a form that the intended recipient can decrypt, and an attacker may be able to derive sensitive information or even tamper with the encrypted multimedia data for his own benefit. The following attack on the scheme of Section 3.2 illustrates this.

Let \(C' = (E',F',J')\) be the challenge ciphertext under the challenge public key \(pk' = (pk'_{i,1}, pk'_{i,2})=(g^{x'_{i,1}}, g^{x'_{i,2}})\), where \(sk' = (x'_{i,1}, x'_{i,2})\) is the challenge private key, \(E' = \sigma ^{\prime } g^{r'}\), \(F' =({pk'_{i,1}}^{H_{2}(pk'_{i,2})} pk'_{i,2})^{r'}\) and \(J' = m \oplus H_3(\sigma')\). Suppose \(C'\) is given to the adversary \({\mathcal A}\); it wins the IND-CCA game as follows. First, \({\mathcal A}\) chooses a random \(t \in \{0,1\}^{k}\) and creates from \(C'\) a new malicious ciphertext \(C_1 = (E_1, F_1, J_1)\) with \(E_1 = E'\), \(F_1 = F'\), \(J_1 = J' \oplus t\). Obviously \(C_1\) is an invalid ciphertext. Second, \({\mathcal A}\) obtains a key pair \((pk'', sk'')\) by a corrupted-key generation query, where \(pk^{\prime \prime } = (pk^{\prime \prime }_{i,1}, pk^{\prime \prime }_{i,2})= (g^{x^{\prime \prime }_{i,1}}, g^{x^{\prime \prime }_{i,2}})\) and \(sk'' = (x''_{i,1}, x''_{i,2})\), and obtains the re-encrypted ciphertext \(C_2 = (E_2, F_2, J_2, U, W)\) by a re-encryption query on \(C_1\) from \(pk'\) to \(pk''\), where \(E_2 = E_1\), \(F_{2} = {F_{1}^{v}}\), \(J_2 = J_1\) and \((v, U, W)\) is the re-encryption key. Finally, \({\mathcal A}\) uses the private key component \(x''_{i,2}\) to obtain \(V = U (W^{1/x^{\prime \prime }_{i,2}})^{-1}\) and \(\sigma _{2} = E_{2} (F_{2}^{1/H_{1}(V)})^{-1}\), and recovers m as \(m = t \oplus H_3(\sigma_2) \oplus J_2\). Hence \({\mathcal A}\) recovers the bit δ and wins the game. We note that the queries \({\mathcal A}\) issues are legal, because they follow the restrictions in Definition 2.

The adversary \({\mathcal A}\)'s attack succeeds because the proxy (server) cannot verify the validity of the ciphertext it is asked to re-encrypt. It is therefore attractive to embed public verifiability into a CCA-secure PRE scheme.

Next, we briefly describe how public verifiability is obtained. First, we modify the above scheme slightly so that the original ciphertext generated by \(Enc(pk_i, m)\) has the form \(C_i = (E, F, J, s)\). Suppose the proxy (server) is asked to perform a ciphertext transformation. The proxy first verifies \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) to guarantee the validity of \(C_i\), and only then outputs the re-encrypted ciphertext \(C_j = (E', F', J, s', U, W)\).

The validity of a ciphertext can thus be verified before it is re-encrypted and before it is decrypted, so a malicious attacker gains no advantage by tampering with ciphertexts submitted for re-encryption.
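Why the proxy check accepts every honest ciphertext and rejects the tampered one (a worked derivation added here from the definitions of Section 3.3.2; it is not part of the original text). Write \(t = x_{i,1}H_2(pk_{i,2}) + x_{i,2}\) and \(h = H_5(E,F,J)\). For an honest ciphertext \(E = g^{t\sigma}\), \(F = g^{tr}\) and \(s = \sigma + rh \bmod q\), so

$$\begin{array}{@{}rcl@{}} (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} &=& g^{t(\sigma + rh)} = g^{t\sigma}\,(g^{tr})^{h} = E\cdot F^{H_{5}(E,F,J)}. \end{array} $$

If J is replaced by \(J_1 = J \oplus \Delta\) (the mask called t in the attack above), the right-hand side becomes \(E\cdot F^{H_{5}(E,F,J_1)}\), which equals the left-hand side only when \(H_5(E,F,J_1) \equiv H_5(E,F,J) \pmod q\), and the attacker cannot recompute a matching s because that requires σ. Raising the identity to the power v also shows what the re-encrypted components satisfy: \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{sv} = E^{v}\,(F^{v})^{h} = E'\,F'^{H_{5}(E,F,J)}\), i.e. the relation between \((E', F', s')\) still involves \(H_5\) evaluated on the original triple (E, F, J), not on \((E', F', J)\).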

3.3.2 Construction

Now we give the details of our construction. We propose a refined publicly verifiable PRE scheme, called PVPRE, in which the validity of ciphertexts can be publicly verified by anyone [32]. Capturing this property comes at a price: three more components (s in \(Enc\); \(E'\) and \(s'\) in \(ReEnc\)) must be computed, but public verifiability is attractive enough to be worth the performance tradeoff. We now present the construction of the publicly verifiable scheme.

  1. 1.

    \(Setup(k)\): for a given security parameter k, the following steps are invoked:

    1. (1)

      Generate a group G of prime order q with |q| = k, and pick a generator \(g \gets_R G\).

    2. (2)

      Define the message space as \(\{0,1\}^k\).

    3. (3)

      Define five hash functions:

      $$\begin{array}{@{}rcl@{}} &&H_1:G \to Z_q^{*}, H_2:G \to Z_q^{*}, H_3:G \to \{0,1\}^k,\\ &&H_4:\{0,1\}^k \times G \to Z_q^{*}, H_5:G \times G \times G \to Z_q^{*}. \end{array} $$
    4. (4)

      Output the public parameters \(par = (G, q, g, H_i)\), i = 1, ⋯, 5.

  2. 2.

    \(KeyGen(par)\):

    1. (1)

      Pick two random values \(x_{i,1}, x_{i,2} \gets_R Z_q\) and set \(sk_i = (x_{i,1}, x_{i,2})\) as the private key.

    2. (2)

      Define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\) as the public key.

  3. 3.

    \(Enc(pk_i, m)\): given \(pk_i = (pk_{i,1}, pk_{i,2})\) and \(m \in \{0,1\}^k\), the following steps generate a ciphertext \(C_i\). Here \(pk_i\) is user i's public key and m is a message.

    1. (1)

      Randomly pick σ from \(Z_{q}^{*}\), then compute \(r = H_4(m, g^{\sigma})\).

    2. (2)

      Compute \(E = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma }\).

    3. (3)

      Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).

    4. (4)

      Compute \(J = m \oplus H_3(g^{\sigma})\).

    5. (5)

      Compute \(s = \sigma + r H_5(E, F, J) \bmod q\).

    6. (6)

      Output \(C_i = (E, F, J, s)\).

  4. 4.

    \(ReKeyGen(sk_i, pk_j)\):

    1. (1)

      Randomly pick \(V \gets_R G\), then compute \(u = H_1(V)\).

    2. (2)

      Compute \(v = H_2(V)\,(x_{i,1} H_2(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).

    3. (3)

      Compute \(U = V g^{u}\).

    4. (4)

      Compute \(W = pk_{j,2}^{u}\).

    5. (5)

      Output \(rk_{ij} = (v, U, W)\).

  5. 5.

    \(ReEnc(rk_{ij}, C_i)\): given \(rk_{ij} = (v, U, W)\) and \(C_i = (E, F, J, s)\), a re-encrypted ciphertext \(C_j\) is generated. Here \(rk_{ij}\) is the re-encryption key and \(C_i\) is an original ciphertext under \(pk_i\).

    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) is not satisfied, return ⊥. Otherwise,

    2. (2)

      Compute \(E' = E^{v}\) and \(F' = F^{v}\).

    3. (3)

      Compute \(s' = s v \bmod q\).

    4. (4)

      Output \(C_j = (E', F', J, s', U, W)\).

  6. 6.

    \(Dec(sk_i, C_i)\): given \(sk_i = (x_{i,1}, x_{i,2})\) and \(C_i = (E, F, J, s)\), the message m is recovered. Here \(sk_i\) is user i's private key and \(C_i\) is an original ciphertext under \(pk_i\).

    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) is not satisfied, return ⊥. Otherwise,

    2. (2)

      Compute \(t = x_{i,1} H_2(pk_{i,2}) + x_{i,2} \bmod q\).

    3. (3)

      Compute \(g^{\sigma ^{\prime }} = E^{1/t}\).

    4. (4)

      Compute \(m' = J \oplus H_{3}(g^{\sigma ^{\prime }})\).

    5. (5)

      If \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{H_{4}(m',g^{\sigma ^{\prime }})}\) holds, output \(m = m'\); otherwise output ⊥.

  7. 7.

    \(Dec_R(sk_j, C_j)\): given \(sk_j = (x_{j,1}, x_{j,2})\) and \(C_j = (E', F', J, s', U, W)\), the message m is recovered. Here \(sk_j\) is user j's private key and \(C_j\) is a re-encrypted ciphertext.

    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} = E' \cdot {F'}^{H_{5}(E',F',J)}\) is not satisfied, return ⊥. Otherwise, (Note that with \(s' = sv\) the relation inherited from the original ciphertext is \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} = E' \cdot {F'}^{H_{5}(E,F,J)}\), with \(H_5\) evaluated on the original (E, F, J); recomputing \(H_5\) on \((E', F', J)\) yields a different value, so an implementation must take care which triple is hashed.)

    2. (2)

      Compute \(V = U (W^{1/x_{j,2}})^{-1}\).

    3. (3)

      Compute \(g^{\sigma ^{\prime }} = E'^{1/H_{2}(V)}\).

    4. (4)

      Compute \(m' = J \oplus H_{3}(g^{\sigma ^{\prime }})\).

    5. (5)

      If \( F' = g^{H_{4}(m',g^{\sigma ^{\prime }})H_{2}(V)}\) and \(W = pk_{j,2}^{H_{1}(V)}\) hold, output \(m = m'\); otherwise output ⊥.
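As an added example (not the paper's own code), the following Python implements the PVPRE algorithms above over a toy 256-bit safe-prime subgroup of \(Z_p^{*}\) (the paper leaves the group open; a deployment would use an elliptic-curve group as the use case suggests), with \(H_1,\dots,H_5\) instantiated as domain-separated SHA-256. It also replays the J-tampering attack of Section 3.3.1 twice: against a proxy that transforms without checking, as the scheme of Section 3.2 does, where the attacker recovers m, and against a proxy that runs the public check of step (1) of \(ReEnc\), which rejects the tampered ciphertext. \(Dec_R\) is implemented from steps (2) to (5): because \(s' = sv\), the relation the original ciphertext satisfies carries over as \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} = E' F'^{H_{5}(E,F,J)}\) with \(H_5\) on the original (E, F, J), which the recipient does not hold, so step (1) is omitted here; the \(F'\) and W checks of step (5) still reject modified re-encrypted ciphertexts. The original \(Dec\) is omitted for brevity. All function and variable names, the group parameters and the sample message are the example's own.

```python
# Added example, not the paper's code: PVPRE (Sec. 3.3.2) over a toy 256-bit
# safe-prime subgroup, plus the Sec. 3.3.1 J-tampering attack replayed against a
# proxy that skips the public check (the Sec. 3.2 situation) and one that runs it.
# Assumed: domain-separated SHA-256 for H1..H5; Python >= 3.8 for pow(x, -1, n).
import hashlib
import secrets

def _is_prime(n, rounds=20):                   # Miller-Rabin; used by setup() only
    if n < 2 or any(n % sp == 0 for sp in (3, 5, 7, 11, 13, 17, 19, 23, 29, 31)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        for j in range(r):                     # witness unless x^(d 2^j) reaches -1
            if x == n - 1 or (j == 0 and x == 1):
                break
            x = x * x % n
        else:
            return False
    return True

def setup(bits=256):
    """Setup(k): safe prime p = 2q+1, G = <4> of prime order q, message space {0,1}^k."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_prime(q) and _is_prime(2 * q + 1):
            return (2 * q + 1, q, 4, bits - 1)  # (p, q, g, k); 4 is a QR, so ord(4) = q

def _h(tag, *xs):                              # one domain-separated SHA-256 behind every H_i
    d = hashlib.sha256(tag.encode())
    for x in xs:
        d.update(x.to_bytes(64, "big"))
    return int.from_bytes(d.digest(), "big")
def H1(q, V): return _h("H1", V) % (q - 1) + 1           # G -> Z_q^*
def H2(q, X): return _h("H2", X) % (q - 1) + 1           # G -> Z_q^*
def H3(k, X): return _h("H3", X) & ((1 << k) - 1)        # G -> {0,1}^k  (k <= 256)
def H4(q, m, X): return _h("H4", m, X) % (q - 1) + 1     # {0,1}^k x G -> Z_q^*
def H5(q, E, F, J): return _h("H5", E, F, J) % (q - 1) + 1

def keygen(P):
    p, q, g, _ = P
    x1, x2 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    return (x1, x2), (pow(g, x1, p), pow(g, x2, p))
def _y(P, pk):                                 # pk_{i,1}^{H2(pk_{i,2})} * pk_{i,2} = g^t
    return pow(pk[0], H2(P[1], pk[1]), P[0]) * pk[1] % P[0]

def enc(P, pk, m):
    p, q, g, k = P
    y, sigma = _y(P, pk), secrets.randbelow(q - 1) + 1
    gs = pow(g, sigma, p)
    r = H4(q, m, gs)
    E, F, J = pow(y, sigma, p), pow(y, r, p), m ^ H3(k, gs)
    return (E, F, J, (sigma + r * H5(q, E, F, J)) % q)   # C_i = (E, F, J, s)

def verify(P, pk, C):                          # public check: no private key involved
    E, F, J, s = C
    return pow(_y(P, pk), s, P[0]) == E * pow(F, H5(P[1], E, F, J), P[0]) % P[0]

def rekeygen(P, sk_i, pk_i, pk_j):
    p, q, g, _ = P
    V = pow(g, secrets.randbelow(q - 1) + 1, p)
    u, t = H1(q, V), (sk_i[0] * H2(q, pk_i[1]) + sk_i[1]) % q
    return (H2(q, V) * pow(t, -1, q) % q, V * pow(g, u, p) % p, pow(pk_j[1], u, p))

def reenc(P, rk, pk_i, C, proxy_verifies=True):
    if proxy_verifies and not verify(P, pk_i, C):
        return None                            # "bottom": the proxy refuses to transform
    (E, F, J, s), (v, U, W), (p, q) = C, rk, P[:2]
    return (pow(E, v, p), pow(F, v, p), J, s * v % q, U, W)

def _peel(P, sk_j, C_j):
    """Dec_R steps (2)-(4): undo the ElGamal wrapper on V, then recover g^sigma and m'."""
    p, q, _, k = P
    E2, _, J, _, U, W = C_j
    V = U * pow(pow(W, pow(sk_j[1], -1, q), p), -1, p) % p
    gs = pow(E2, pow(H2(q, V), -1, q), p)
    return V, gs, J ^ H3(k, gs)

def dec_r(P, sk_j, pk_j, C_j):                 # Dec_R step (5): the F' and W checks
    p, q, g, _ = P
    V, gs, m = _peel(P, sk_j, C_j)
    ok = C_j[1] == pow(g, H4(q, m, gs) * H2(q, V) % q, p) and C_j[5] == pow(pk_j[1], H1(q, V), p)
    return m if ok else None

def tamper_attack(P, pk_i, rk_ie, sk_e, C, t, proxy_verifies):
    """Sec. 3.3.1: flip J by t and have the proxy re-encrypt to a key the attacker holds."""
    E, F, J, s = C
    C2 = reenc(P, rk_ie, pk_i, (E, F, J ^ t, s), proxy_verifies)
    return None if C2 is None else _peel(P, sk_e, C2)[2] ^ t   # (J^t^H3(g^sigma))^t = m

def demo():
    P = setup()
    (sk_a, pk_a), (sk_b, pk_b), (sk_e, pk_e) = keygen(P), keygen(P), keygen(P)
    m = int.from_bytes(b"constructed sample content key", "big")   # fits in k bits
    C = enc(P, pk_a, m)
    honest = dec_r(P, sk_b, pk_b, reenc(P, rekeygen(P, sk_a, pk_a, pk_b), pk_a, C)) == m
    rk_ae, t = rekeygen(P, sk_a, pk_a, pk_e), secrets.randbits(P[3])
    leaked = tamper_attack(P, pk_a, rk_ae, sk_e, C, t, proxy_verifies=False) == m
    blocked = tamper_attack(P, pk_a, rk_ae, sk_e, C, t, proxy_verifies=True) is None
    return honest, leaked, blocked             # (True, True, True)
```

Calling demo() returns (True, True, True): the honest owner-to-Bob path decrypts, the proxy that does not check leaks m to the holder of the corrupted key, and the proxy that runs the public check returns ⊥ for the tampered ciphertext. The check costs the proxy two exponentiations and needs no secret, which is the point of the scheme.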

Remark 4

The refined scheme PVPRE guarantees the anonymity of both the multimedia data owner and the recipient simultaneously. Each proxy or intended recipient can easily check the validity of ciphertexts without disclosing any sensitive information.

3.3.3 Original ciphertext security analysis

Definition 5 (Decisional Diffie-Hellman (DDH) Assumption)

Consider a group G of prime order q with generator g. The DDH assumption states that, given a tuple \((g, g^{a}, g^{b}, g^{d})\) for uniformly and independently chosen \(a, b, d \in Z_{q}^{*}\), it is hard to decide whether d = ab.

Given an adversary \({\mathcal A}\) that makes at most \(q_{H_{i}}\) queries to \(H_i\) (i ∈ {1,3,4,5}) and breaks the \((t, q_{pk}, q_{sk}, q_{rk}, q_{re}, q_{d}, q_{d_{R}}, \epsilon)\)-IND-CCA security of PVPRE, we construct a polynomial-time algorithm \({\mathcal B}\) that breaks the DDH assumption in G.

Our proof works in the random oracle model. The oracles simulated by \({\mathcal B}\) are depicted in Table 2. The tuple \((G, q, g, H_i)\) (i ∈ {1,3,4,5}) is given to \({\mathcal A}\). \({\mathcal B}\) controls the random oracles \(H_i\) (i ∈ {1,3,4,5}) and keeps hash lists \(H_{i}^{list}\) (i ∈ {1,3,4,5}), initially empty; it answers every query \({\mathcal A}\) issues as shown in Table 2.

Table 2 Simulations of \(H_i\) (i = 1,3,4,5)

\({\mathcal B}\) also keeps two lists \(K^{list}\) and \(R^{list}\), initially empty: \(K^{list}\) stores key pairs (public key and private key) and \(R^{list}\) stores re-encryption keys.

Theorem 1

The scheme PVPRE is IND-CCA secure for original ciphertexts if the DDH assumption holds in group G.

Proof

Phase 1 Adversary \({\mathcal A}\) issues a number of queries, which \({\mathcal B}\) answers as follows.

  1. 1.

    \(\mathcal {O}_{pk}(i)\): uncorrupted and corrupted keys are generated by \({\mathcal B}\) as shown below.

    • (1) Uncorrupted key. \({\mathcal B}\) chooses \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) randomly and draws a coin \(c_i \in \{0,1\}\) that is 1 with probability 𝜃 and 0 otherwise [20].

      • (a) If \(c_i = 1\), define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

      • (b) If \(c_i = 0\), define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{\frac {1}{a}})^{x_{i,1}}, (g^{\frac {1}{a}})^{x_{i,2}})\).

      Then the tuple \((pk_i, x_{i,1}, x_{i,2}, c_i)\) is added to \(K^{list}\) and \(pk_i\) is returned to \({\mathcal A}\).

    • (2) Corrupted key. \({\mathcal B}\) chooses \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) randomly, sets \(pk_i = (g^{x_{i,1}}, g^{x_{i,2}})\) and \(c_i = -\) (the marker used below for corrupted keys). Then the tuple \((pk_i, x_{i,1}, x_{i,2}, c_i)\) is added to \(K^{list}\) and \((pk_i, (x_{i,1}, x_{i,2}))\) is output to \({\mathcal A}\).

  2. 2.

    \(\mathcal {O}_{sk}(i)\): \({\mathcal B}\) first recovers \((pk_i, x_{i,1}, x_{i,2}, c_i)\) from \(K^{list}\). If \(c_i = 1\), it outputs \((pk_i, (x_{i,1}, x_{i,2}))\) to \({\mathcal A}\); otherwise it returns a random bit \(b \gets_R \{0,1\}\) and aborts.

  3. 3.

    \(\mathcal {O}_{rk}(pk_{i},pk_{j})\): if there is a tuple for \((pk_i, pk_j)\) in \(R^{list}\), output the predefined re-encryption key to \({\mathcal A}\). Otherwise \({\mathcal B}\) proceeds as follows:

    • (1) Extract the two tuples \((pk_i, x_{i,1}, x_{i,2}, c_i)\) and \((pk_j, x_{j,1}, x_{j,2}, c_j)\) from \(K^{list}\).

    • (2) Randomly choose \(V \gets_R G\), compute \(u = H_1(V)\) and \(h = H_2(V)\).

    • (3) Compute \(U = V g^{u}\) and \(W = pk_{j,2}^{u}\).

    • (4) Compute v according to the following cases:

      • (a) \(c_i = 0 \wedge c_j = -\): output ⊥ and abort.

      • (b) \(c_i = 1 \vee c_i = -\): set \(v = h\,(x_{i,1} H_2(pk_{i,2}) + x_{i,2})^{-1} \bmod q\) and τ = 1. In this case v is correct because \(sk_i = (x_{i,1}, x_{i,2})\) is the real private key.

      • (c) \(c_i = 0 \wedge c_j \neq -\): pick \(v \gets Z_{q}^{*}\) at random and set τ = 0. In this case the value h, which is tied to (U, W), does not match the random v; that \({\mathcal A}\) cannot notice this relies on the security of the ElGamal encryption of V under \(pk_{j,2}\).

    • (5) If \({\mathcal B}\) does not abort, add \((pk_i, pk_j, (v, U, W), h, \tau)\) to \(R^{list}\).

    • (6) Output \(rk_{ij} = (v, U, W)\) to \({\mathcal A}\).

  4. 4.

    \(\mathcal {O}_{re}(pk_{i}, pk_{j}, C_{i})\):

    • (1) If \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s} \neq E\cdot F^{H_{5}(E, F, J)}\), return ⊥, meaning that \(C_i\) is invalid.

    • (2) Otherwise, extract the tuples \((pk_i, x_{i,1}, x_{i,2}, c_i)\) and \((pk_j, x_{j,1}, x_{j,2}, c_j)\) from \(K^{list}\).

    • (3) If it is not the case that \(c_i = 0 \wedge c_j = -\), \({\mathcal B}\) issues the query \(\mathcal {O}_{rk}(pk_{i}, pk_{j})\) to obtain \(rk_{ij} = (v, U, W)\) and uses it to re-encrypt \(C_i\) for \({\mathcal A}\).

    • (4) Otherwise, search for tuples \((R, \beta) \in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r) \in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma} = E\) and \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F\). If no such tuples exist, output ⊥.

    • (5) Extract \((pk_i, pk_j, (v, U, W), h, \tau)\) from \(R^{list}\) and define \(E' = g^{\sigma h}\), \(F' = g^{rh}\), \(s' = sv\).

    • (6) Return \(C_j = (E', F', J, s', U, W)\) to \({\mathcal A}\).

  5. 5.

    \(\mathcal {O}_{dec}(pk_{i}, C_{i})\): \({\mathcal B}\) first parses \(pk_i = (pk_{i,1}, pk_{i,2})\) and extracts the tuple \((pk_i, x_{i,1}, x_{i,2}, c_i)\) from \(K^{list}\).

    • (1) If \(c_i = 1 \vee c_i = -\), \({\mathcal B}\) runs \(Dec((x_{i,1}, x_{i,2}), C_i)\) and outputs the result to \({\mathcal A}\).

    • (2) Otherwise,

      • (a) if \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s} \neq E\cdot F^{H_{5}(E, F, J)}\), output ⊥, indicating that \(C_i\) is invalid;

      • (b) else, search \(H_{3}^{list}\) and \(H_{4}^{list}\) for tuples \((R, \beta)\in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r)\in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma} = E\), \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F\), \(\beta \oplus m = J\) and \(R = g^{\sigma}\). If two such tuples exist, output m to \({\mathcal A}\); else output ⊥.

  6. 6.

    \(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\): \({\mathcal B}\) first parses \(pk_j = (pk_{j,1}, pk_{j,2})\) and recovers the tuple \((pk_j, x_{j,1}, x_{j,2}, c_j)\) from \(K^{list}\). If \(c_j = 1 \vee c_j = -\), \({\mathcal B}\) runs \(Dec_R((x_{j,1}, x_{j,2}), C_j)\) and returns the result to \({\mathcal A}\). Otherwise,

    • (1) if \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s'} \neq E' \cdot F'^{H_{5}(E', F', J)}\), output ⊥, indicating that \(C_j\) is invalid;

    • (2) else, if there exists a tuple \((pk_i, pk_j, (v, U, W), V, 0) \in R^{list}\), compute \(E = E'^{\frac {1}{v}}\), \(F = F'^{\frac {1}{v}}\) and search for \((R, \beta)\in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r)\in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma} = E\), \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F\), \(\beta \oplus m = J\) and \(R = g^{\sigma}\). If two such tuples exist, output m to \({\mathcal A}\); otherwise output ⊥. Note that the values U, W stored in \(R^{list}\) are always correctly formed.

Challenge When \({\mathcal A}\) decides that Phase 1 is over, it returns three components \((pk_{i^{*}}, m_0, m_1)\), where \(pk_{i^{*}} = (pk_{i^{*},1}, pk_{i^{*},2})\) is the challenge public key and \(m_0, m_1 \in \{0,1\}^k\) are messages. Algorithm \({\mathcal B}\) extracts the tuple \((pk_{i^{*}} , x_{i^{*},1}, x_{i^{*},2}, c_{i^{*}})\) from \(K^{list}\). By the constraints of Definition 2 we have \(c_{i^{*}} \in \{0,1\}\). \({\mathcal B}\) chooses δ ∈ {0,1} and acts as shown below:

  1. 1.

    If \(c_{i^{*}} = 1\), \({\mathcal B}\) returns a random bit \(b \gets_R \{0,1\}\) and aborts.

  2. 2.

    Otherwise, compute \(E^{*} = (g^{b})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}}\).

  3. 3.

    Choose \(e^{*}, t^{*}\gets Z_{q}^{*}\) at random, set \(s^{*} = e^{*} t^{*}\) and compute

    $$F^{*} = (g^{b})^{-(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})\frac{1}{e^{*}}} \times(g^{\frac{1}{a}})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})t^{*}}. $$
  4. 4.

    Choose \(J^{*} \gets_R \{0,1\}^k\) and set \(H_5(E^{*}, F^{*}, J^{*}) = e^{*}\).

  5. 5.

    Implicitly define \(\sigma^{*} = d\) (so \(\sigma^{*}\) is not chosen by \({\mathcal B}\)) and set \(H_3(g^{d}) = m_{\delta} \oplus J^{*}\).

  6. 6.

    Output the challenge original ciphertext \(C^{*} = (E^{*}, F^{*}, J^{*}, s^{*})\) to \({\mathcal A}\).

By construction, if d = ab the challenge ciphertext \(C^{*}\) is distributed like a real one. Indeed, let \(\sigma ^{*} \triangleq ab\) and \(r^{*} \triangleq (t^{*} - \frac {ab}{e^{*}})\); then

$$\begin{array}{@{}rcl@{}}E^{*} &=& (g^{b})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}} \\ &=& ((g^{\frac{1}{a}})^{x_{i^{*},1}H_{2}(pk_{i^{*},2})+x_{i^{*},2}})^{ab}\\ &=& (pk_{i^{*},1}^{H_{2}(pk_{i^{*},2})}pk_{i^{*},2})^{\sigma^{*}}\\ F^{*} &=& (g^{b})^{-(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})\frac{1}{e^{*}}} \times(g^{\frac{1}{a}})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})t^{*}} \\ &=& ((g^{\frac{1}{a}})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}})^{(t^{*} - \frac{ab}{e^{*}})}\\ &=& (pk_{i^{*},1}^{H_{2}(pk_{i^{*},2})}pk_{i^{*},2})^{r^{*}}\\ J^{*} &=& H_{3}(g^{ab})\oplus m_{\delta} = H_{3}(g^{\sigma^{*}})\oplus m_{\delta}\\ s^{*} &=& ab + (e^{*}t^{*} - ab) \\ &=& ab + (t^{*} - \frac{ab}{e^{*}})e^{*} \\ &=& \sigma^{*} + r^{*} \cdot H_{5}(E^{*}, F^{*}, J^{*}). \end{array} $$

Phase 2 \({\mathcal A}\) continues to make queries subject to the constraints of Definition 2, and \({\mathcal B}\) answers them as in Phase 1.

Guess \({\mathcal A}\) outputs a bit \(\delta' \in \{0,1\}\) as its guess. If \(\delta' = \delta\), \({\mathcal B}\) outputs 1, meaning d = ab; otherwise it outputs 0, meaning that d is a random element \(d\in _{R} Z_{q}^{*}\).

The description of the simulation is completed. Next, the correctness of the simulation above will be demonstrated.

Analysis Using adversary \({\mathcal A}\), algorithm \({\mathcal B}\) solves the DDH problem with advantage \(\epsilon'\) within time \(t'\), where

$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}} - \epsilon_{1}\right),\\ &&t^{\prime} \leq t + \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &&+ (7q_{re} + 2q_{rk} + (q_{H_{3}} + q_{H_{4}})q_{re} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

Here \(t_{exp}\) denotes the time of one exponentiation in G, and \(\epsilon_1\) is the advantage of breaking the CCA security of ElGamal encryption.

The key steps of the correctness argument follow [17]. We first analyze the simulations. By construction of \(H_4\), its simulation is perfect. Let \(AskH_{4}^{*}\) denote the event that \(H_4\) is queried on \((m_{\delta}, g^{\sigma^{*}})\), and let \(AskH_{5}^{*}\) denote the event that \((E^{*}, F^{*}, J^{*})\) is queried to \(H_5\) before the Challenge phase. The simulations of \(H_4\) and \(H_5\) are perfect unless \({\mathcal A}\) queries \((m_{\delta}, g^{\sigma^{*}})\) to \(H_4\) or \((E^{*}, F^{*}, J^{*})\) to \(H_5\). In the Challenge phase \(J^{*}\) is chosen uniformly from \(\{0,1\}^k\), so \(Pr[AskH_{5}^{*}]\leq \frac {q_{H_{5}}}{2^{k}}\).

Let \(AskH_{3}^{*}\) denote the event that \(g^{d}\) has been queried to \(H_3\). This simulation is also perfect unless \({\mathcal A}\) queries \(g^{d}\) to \(H_3\) during the Challenge phase.

The simulated public/private key generation queries are clearly perfect. Let Aborts denote the event that \({\mathcal B}\) aborts during an \(\mathcal {O}_{rk}\) query or in the Challenge phase. The probability \(Pr[\neg \textbf{Aborts}]\) equals \(\theta ^{q_{rk}}(1-\theta)\), which is maximized at \(\theta = \frac {q_{rk}}{1+q_{rk}}\); with this choice of 𝜃 we have \(\theta ^{q_{rk}}(1-\theta )\geq \frac {1}{e(1+q_{rk})}\).

The simulation of \(\mathcal {O}_{rk}\) is identical to the real one except in the case \(c_i = 0 \wedge c_j \neq -\), where the component v is chosen at random. If Aborts does not happen, the real re-encryption key and the simulated one are computationally indistinguishable, for the following reasons:

  1. 1.

    \(c_j \neq -\) means that the private key \(sk_j\) is unknown to \({\mathcal A}\).

  2. 2.

    \((pk_{j,2}^{u}, Vg^{u})\) with \(u = H_1(V)\) is an ElGamal encryption of V under \(pk_{j,2}\), whose security rests on the DDH assumption.

Now we analyze the simulation of \(\mathcal {O}_{re}\). Unless \({\mathcal A}\) submits a valid original ciphertext without having queried \(H_3\) and \(H_4\) (call this event REErr), the simulation of \(\mathcal {O}_{re}\) is perfect. Since \(H_3\) and \(H_4\) are random oracles, \(Pr[REErr]\leq \frac {2q_{re}}{q}\).

The simulations of the decryption oracles \(\mathcal {O}_{dec}\) and \(\mathcal {O}_{dec_{R}}\) are perfect unless a simulation error occurs, i.e. a valid ciphertext is rejected. Such errors are rare, for the following reason. Assume a decryption query Q has been issued. Even if Q is valid, it can only have been generated without querying \(H_3\) on \(g^{\sigma}\) with small probability.

Let Valid denote the event that Q is a valid query and \(AskH_3\) the event that \(g^{\sigma}\) has been queried to \(H_3\). The probability that \({\mathcal A}\) produces a J consistent with the output of \(H_3\) without querying \(H_3\) is \(\frac {1}{q}\), hence \(Pr[Valid \mid \neg AskH_3] \leq \frac {1}{q}\).

Let DecErr denote the event that \(Valid \mid \neg AskH_3\) occurs at some point during the simulation. Since \({\mathcal A}\) issues at most \(q_{d} + q_{d_{R}}\) decryption queries, \(Pr[DecErr]\leq \frac {(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} + \frac {q_{d} + q_{d_{R}}}{q}\).

Finally, let Err be the event \((AskH_{3}^{*}\vee AskH_{5}^{*}\vee REErr\vee DecErr) \mid \neg \textbf{Aborts}\). If Err does not happen then, since the output of \(H_3\) is random, \({\mathcal A}\) gains no advantage in guessing δ, i.e. \(Pr[\delta ^{\prime } = \delta \mid \neg Err] = \frac {1}{2}\). Expanding \(Pr[\delta = \delta']\) we obtain

$$\begin{array}{@{}rcl@{}} Pr[\delta = \delta^{\prime}] &=& Pr[\delta = \delta^{\prime}| Err]Pr[Err] + Pr[\delta = \delta^{\prime}|\neg Err]Pr[\neg Err] \\ &\leq & Pr[Err] + \frac{1}{2}Pr[\neg Err] = \frac{1}{2}Pr[Err] + \frac{1}{2} \end{array} $$

and \(Pr[\delta = \delta ^{\prime }]\geq Pr[\delta = \delta ^{\prime }|\neg Err]Pr[\neg Err] = \frac {1}{2} - \frac {1}{2}Pr[Err].\)

By the definition of 𝜖, we have

$$\begin{array}{@{}rcl@{}} \epsilon &\leq & |Pr[\delta = \delta^{\prime}] - \frac{1}{2}| \leq \frac{1}{2}Pr[Err] \\ &= & \frac{1}{2} Pr[(AskH_{3}^{*}\vee AskH_{5}^{*}\vee REErr\vee DecErr)| \neg \textbf{Aborts}]\\ &\leq & (Pr[AskH_{5}^{*}] + Pr[AskH_{3}^{*}] + Pr[REErr] + Pr[DecErr]) / 2Pr[\neg \textbf{Aborts}], \end{array} $$

then we have

$$\begin{array}{@{}rcl@{}} Pr[AskH_{3}^{*}] &\geq & 2Pr[\neg \textbf{Aborts}]\cdot \epsilon - Pr[AskH_{5}^{*}] - Pr[DecErr]- Pr[REErr]\\ &\geq & \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{H_{5}}}{2^{k}} - \frac{(q_{H_{3}}+q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{2q_{re}}{q}\\ &=& \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}. \end{array} $$

Meanwhile, if \(AskH_{3}^{*}\) occurs, algorithm \({\mathcal B}\) can solve the DDH instance by picking the right entry of \(H_{3}^{list}\), which accounts for the factor \(\frac{1}{q_{H_{3}}}\). Therefore, we have

$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq & \frac{1}{q_{H_{3}}}Pr[AskH_{3}^{*}]\\ & =& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(q_{rk} + 1)} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}\right). \end{array} $$

Based on the above simulations, the bound on algorithm \({\mathcal B}\)'s running time is

$$\begin{array}{@{}rcl@{}} t' \leq t &+& \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &+& (2q_{rk} + 7q_{re} + (q_{H_{3}} + q_{H_{4}})q_{re} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

3.3.4 Re-encrypted ciphertext security analysis

For re-encrypted ciphertext security, the task is to decide whether \(d = \frac {b}{a}\) given \((g, g^{a}, g^{b}, g^{d}) \in G^{4}\) with unknown \(a, b \gets Z_{q}^{*}\). The oracles \(H_i\) (i ∈ {1,3,4,5}) are simulated as in the proof of Theorem 1.

Theorem 2

Our scheme PVPRE is IND-CCA secure for re-encrypted ciphertexts if the DDH assumption holds in group G.

Proof

Phase 1 Adversary \({\mathcal A}\) issues a number of queries, which \({\mathcal B}\) answers as follows.

  1. 1.

    \(\mathcal {O}_{pk}(i)\): uncorrupted and corrupted keys are generated by \({\mathcal B}\) as shown below.

    • (1) Uncorrupted key. \({\mathcal B}\) randomly chooses \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) and draws a coin \(c_i \in \{0,1\}\) that is 1 with probability 𝜃 and 0 otherwise [20].

      • (a) If \(c_i = 1\), set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = \left ((g^{a})^{\frac {1}{H_{2}(pk_{i,2})}}\cdot g^{x_{i,1}}, \frac {g^{x_{i,2}}}{g^{a}}\right )\).

      • (b) If \(c_i = 0\), set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{a})^{x_{i,1}}, (g^{a})^{x_{i,2}})\).

      Next, the tuple \((pk_i, x_{i,1}, x_{i,2}, c_i)\) is added to \(K^{list}\) and \(pk_i\) is returned to the adversary \({\mathcal A}\).

    • (2) Corrupted key. \({\mathcal B}\) acts as in Theorem 1.

  2. 2.

    \(\mathcal {O}_{rk}(pk_{i},pk_{j})\): if there is a tuple for \((pk_i, pk_j)\) in \(R^{list}\), output the predefined re-encryption key to \({\mathcal A}\). Otherwise \({\mathcal B}\) proceeds as follows:

    • (1) Extract the two tuples \((pk_i, x_{i,1}, x_{i,2}, c_i)\) and \((pk_j, x_{j,1}, x_{j,2}, c_j)\) from \(K^{list}\).

    • (2) Compute \(rk_{ij}\) according to the following cases:

      • 1) If \(c_i = 1 \vee c_i = -\):

        1. (a)

          Randomly pick \(V \gets_R G\), compute \(u = H_1(V)\) and \(h = H_2(V)\).

        2. (b)

          Set \(v = h\,(x_{i,1} H_2(pk_{i,2}) + x_{i,2})^{-1} \bmod q\) and τ = 1.

        3. (c)

          Compute \(U = V g^{u}\) and \(W = pk_{j,2}^{u}\).

      • 2) If \(c_i = 0 \wedge c_j = 0\):

        1. (a)

          Randomly pick \(v\gets Z_{q}^{*}\) and set τ = 0.

        2. (b)

          Randomly pick \(z\gets Z_{q}^{*}\) and set \(g^{u} = (g^{\frac {b}{a}})^{\frac {z}{x_{j,2}}}\), which defines \(W = pk_{j,2}^{u} = (g^{b})^{z}\).

        3. (c)

          Randomly pick \(U \gets_R G\) and implicitly define \(V = \frac {U}{g^{u}}\).

      • 3) If \(c_i = 0 \wedge c_j \neq 0\): output ⊥ and abort.

    • (3) If \({\mathcal B}\) does not abort, add \((pk_i, pk_j, (v, U, W), z, \tau)\) to \(R^{list}\).

    • (4) Return \(rk_{ij} = (v, U, W)\) to the adversary \({\mathcal A}\).

  3. 3.

    \(\mathcal {O}_{dec}(pk_{i}, C_{i})\): \({\mathcal B}\) acts as in Theorem 1.

  4. 4.

    \(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\): \({\mathcal B}\) acts as in Theorem 1.

Challenge When \({\mathcal A}\) decides that Phase 1 is over, it returns four components \((pk_i, pk_{j^{*}}, m_0, m_1)\), where \(pk_i\) is a public key, \(pk_{j^{*}}\) is the challenge public key and \(m_0\), \(m_1\) are messages. Algorithm \({\mathcal B}\) extracts the tuples \((pk_i, x_{i,1}, x_{i,2}, c_i)\) and \((pk_{j^{*}} , x_{j^{*},1}, x_{j^{*},2}, c_{j^{*}})\) from \(K^{list}\). By the restrictions of Definition 2 we have \(c_{i}, c_{j^{*}} \in \{0,1\}\). \({\mathcal B}\) chooses δ ∈ {0,1} and simulates the challenge ciphertext as follows:

  1. 1.

    If \(c_i = 1\) or \(c_{j^{*}} = 1\), \({\mathcal B}\) returns a random bit \(b \gets_R \{0,1\}\) and aborts.

  2. 2.

    If \(c_{i} = 0 \wedge c_{j^{*}} = 0\), \({\mathcal B}\) generates the challenge ciphertext by the following steps:

    • (1) Retrieve \((pk_{i}, pk_{j^{*}}, (v^{*}, U^{*}, W^{*}), z^{*}, 0)\) from \(R^{list}\).

    • (2) Randomly pick \(t \gets Z_{q}^{*}\), set \(E^{*} = (g^{b})^{t}\) and implicitly define \(\sigma^{*} h^{*} = bt\), i.e. \(\sigma ^{*} = \frac {bt}{h^{*}}\).

    • (3) Randomly pick \(e^{*}\gets Z_{q}^{*}\), set \(F^{*} = (g^{b})^{e^{*}}\) and implicitly define \(r^{*} h^{*} = be^{*}\), i.e. \(r^{*} = \frac {be^{*}}{h^{*}}\).

    • (4) Randomly pick J ←{0,1}k, implicitly define

      $$J^{*} = H_{3}((g^{\frac{b}{a}})^{\frac{t}{v^{*}(x_{i,1}H_{2}(pk_{i,2}) + x_{x_{i},2})}})\oplus m_{\delta}.$$

      Recall that h = H 2 (V ) = v a(x i,1 H 2 (p k i,2) + x i,2)for c i = 0.

    • (5) Randomly pick \(k^{*}\gets Z_{q}^{*}\), set H 5 (E ,F ,J ) = k , which defines s = t h + e k h .

    • (6) Otherwise, take the following steps to set U , W and z .

      • (a) Randomly pick \(z^{*}\gets Z_{q}^{*}\), set \(g^{u^{*}} = (g^{d})^{\frac {z^{*}}{x_{j,2}}}\), implicitly define \(W^{*} = (g^{b})^{z^{*}}\).

      • (b) Randomly pick U ←{0,1}k, implicitly define \(V^{*} = \frac {U^{*}}{g^{u^{*}}}\)

      • (c) Add U , W and z into R list.

    • (7) Pass to \({\mathcal A}\) the C = (E ,F ,J ,s ,U ,W )as the challenged re-encrypted ciphertext.

Phase 2 \({\mathcal A}\) makes queries continuously according to the restrictions in definition 2. \({\mathcal B}\) answers to \({\mathcal A}\)’s queries.Guess \({\mathcal A}\) passes to \({\mathcal B}\) a bit δ ∈{0,1} as its conjecture. If δ equals to δ, \({\mathcal B}\) return 1 meaning \(d = \frac {b}{a}\); otherwise returns 0 meaning \(d\in _{R} Z_{q}^{*}\).

The description of the simulation is complete. We now show its correctness.

Analysis Given adversary \({\mathcal A}\), algorithm \({\mathcal B}\) solves the DDH problem with advantage \(\epsilon'\) within time \(t'\), where

$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}} - \epsilon_{1}\right),\\ &&t^{\prime} \leq t + \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &&+ ((6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + 2q_{rk})t_{exp} . \end{array} $$

Here \(t_{exp}\) denotes the time of one exponentiation in \(G\), and \(\epsilon_1\) denotes the advantage of breaking the CCA security of the ElGamal encryption.

As in Theorem 1, the answers passed to \({\mathcal A}\) are all perfect, including those to the public and private key generation, re-encryption and re-encryption key generation queries. The simulations of the two decryption oracles are perfect too, except for the simulation error in which a valid ciphertext is rejected, denoted \(DecErr\). As in Theorem 1, a similar analysis yields \(Pr[DecErr]\leq \frac {(q_{H_3} + q_{H_4})(q_d + q_{d_R})}{2^k} + \frac {q_d + q_{d_R}}{q}.\)

Based on the above analysis, the simulations of \(H_i\) (\(i = 1, 2, 4\)) are perfect too.

Denote by \(AskH_3^{*}\) the event that \((g^{\frac {b}{a}})^{\frac {t}{v^{*}(x_{i,1}H_2(pk_{i,2}) + x_{i,2})}}\) has been queried to \(H_3\), and by \(AskH_5^{*}\) the event that \((E^{*}, F^{*}, J^{*})\) has been queried to \(H_5\). The simulations of \(H_3\) and \(H_5\) are perfect as long as neither \(AskH_3^{*}\) nor \(AskH_5^{*}\) occurs, since \(t\) and \(J^{*}\) are chosen at random. Denote by \(Err\) the event \((AskH_3^{*} \vee AskH_5^{*} \vee REErr \vee DecErr) \,|\, \neg Aborts\). As in Theorem 1, a similar analysis yields

$$\begin{array}{@{}rcl@{}} Pr[AskH_{3}^{*}] &\geq & 2Pr[\neg \textbf{Aborts}]\cdot \epsilon - Pr[AskH_{5}^{*}] - Pr[DecErr]\\ &\geq & \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{H_{5}}}{2^{k}} - \frac{(q_{H_{3}}+q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} - \frac{q_{d} + q_{d_{R}}}{q}\\ &=& \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}. \end{array} $$

Meanwhile, if \(AskH_3^{*}\) occurs, \({\mathcal B}\) can solve the DDH instance. Therefore, we have

$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq & \frac{1}{q_{H_{3}}}Pr[AskH_{3}^{*}]\\ & = & \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}\right). \end{array} $$

Based on the above simulations, the bound on algorithm \({\mathcal B}\)’s running time is given by

$$\begin{array}{@{}rcl@{}} t' \leq t &+& \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &+& (2q_{rk} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

3.3.5 Efficiency analysis

We now compare the efficiency of our PVPRE scheme with that of Chow et al. [17].

The notations in Table 3, namely EXP, PreEXP, DecryptO, DecryptR, \(|C_O|\), \(|C_R|\) and \(|ReKey|\), have the same meaning as in Table 1. In particular, \((pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2})\) can be precomputed in our scheme PVPRE.

Table 3 Efficiency comparison

Nine aspects are compared in Table 3. They are described in more detail below.

  • Encrypt algorithm: This algorithm requires the same number of exponentiations in [17] and in our scheme.

  • ReEncrypt algorithm: The scheme in [17] needs 6 exponentiations, while our scheme needs 4.

  • DecryptO algorithm: This algorithm requires the same number of exponentiations in [17] and in our scheme.

  • DecryptR algorithm: The scheme in [17] needs 4 exponentiations, while our scheme needs 6.

  • \(|C_O|\): The original ciphertext consists of 4 components (3 in \(G\) and 1 in \(Z_q\)) in both [17] and our scheme.

  • \(|C_R|\): In the scheme of [17], the re-encrypted ciphertext has 4 components in \(G\). In our scheme, it has 6 components (5 in \(G\) and 1 in \(Z_q\)).

  • \(|ReKey|\): The re-encryption key has the same size in [17] and in our scheme.

  • Pairing-free feature: Both the scheme in [17] and ours avoid pairings in the construction.

  • Public verifiability feature: In the scheme of [17], only the original ciphertext can be verified. In our scheme, the validity of both kinds of ciphertext can be publicly verified, that is, anyone can check the validity of an original ciphertext as well as of a re-encrypted ciphertext.

As Table 3 shows, compared with the scheme of Chow et al. [17], our PVPRE scheme saves two exponentiations in \(G\) in the ReEncrypt algorithm. More importantly, PVPRE achieves public verifiability at the cost of only two additional exponentiations in \(G\) in DecryptR. This tradeoff is worthwhile, since public verifiability is an attractive feature that makes PVPRE more flexible in applications such as multimedia data sharing.

Remark 5

In our scheme PVPRE, both the computational cost of generating ReKey and the size of ReKey are independent of the number of encrypted files to be shared with Bob, and the validity check of ciphertexts can be offloaded from Alice to the semi-honest cloud. Hence, we solve both of the technical problems described in Section 1. First, we significantly reduce Alice's computational burden during multimedia data sharing. Second, since the re-encryption key ReKey alone does not allow anyone to recover the files from the encrypted files, the encrypted files remain secure even if an adversary has compromised Dropbox and also obtained a copy of ReKey. In other words, the secrecy of the encrypted files still rests on the secrecy of the private keys of the multimedia data owner and her friend, even after the encrypted files have been shared.
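The following is an added toy illustration, not code from the paper: it renders the re-encryption key as it appears in the \(c_i = 1\) branch of the \(\mathcal{O}_{rk}\) simulation above (\(u = H_1(V)\), \(h = H_2(V)\), \(v = h / sk_i\), \(U = V g^u\), \(W = pk_{j,2}^u\)) over a small prime-order group, and shows the point of Remark 5 that \(v\) alone only ties to \(sk_i\) once \(V\) is known, which requires the delegatee's \(x_{j,2}\). The key form \(pk = (g^{x_1}, g^{x_2})\), the hash encoding and the group parameters are assumptions made here for the example.

```python
import hashlib

# Toy prime-order group (constructed for this example): p = 2q + 1 is a safe prime
# and g = 4 generates the order-q subgroup. Far too small for real use; it only
# demonstrates the algebra of the re-encryption key.
P, Q, G = 2039, 1019, 4

def hash_to_zq(tag, *elems):
    """Assumed encoding of H_1 / H_2: SHA-256 over a domain tag and element bytes, into Z_q^*."""
    data = tag.encode() + b"".join(e.to_bytes(4, "big") for e in elems)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def keygen(x1, x2):
    """Assumed key form: pk = (g^x1, g^x2); the effective secret is x1*H_2(pk_2) + x2 mod q."""
    return (pow(G, x1, P), pow(G, x2, P)), (x1, x2)

def effective_sk(sk, pk):
    return (sk[0] * hash_to_zq("H2", pk[1]) + sk[1]) % Q

def combined_pk(pk):
    # pk_{i,1}^{H_2(pk_{i,2})} * pk_{i,2}: the value the paper notes can be precomputed
    return pow(pk[0], hash_to_zq("H2", pk[1]), P) * pk[1] % P

def rekeygen(sk_i, pk_i, pk_j, V):
    """Delegator i -> delegatee j, following the c_i = 1 branch of the simulation:
    u = H_1(V), h = H_2(V), v = h / sk_i, U = V * g^u, W = pk_{j,2}^u."""
    u, h = hash_to_zq("H1", V), hash_to_zq("H2", V)
    v = h * pow(effective_sk(sk_i, pk_i), -1, Q) % Q
    return (v, V * pow(G, u, P) % P, pow(pk_j[1], u, P))

def delegatee_recover_V(sk_j, rk):
    """Only the holder of x_{j,2} can strip g^u from U: g^u = W^(1/x_{j,2}), V = U / g^u."""
    _, U, W = rk
    g_u = pow(W, pow(sk_j[1], -1, Q), P)
    return U * pow(g_u, -1, P) % P

def rk_consistent(pk_i, rk, V):
    """Relation linking v to the delegator's key once V is known:
    (pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2})^v == g^{H_2(V)}. Without V, v = H_2(V)/sk_i masks sk_i."""
    return pow(combined_pk(pk_i), rk[0], P) == pow(G, hash_to_zq("H2", V), P)
```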

4 Conclusion

In this work, we address the privacy and security problem of multimedia data sharing in IoT by developing new PRE schemes. In contrast to all existing CCA-secure schemes, in which public verifiability depends on bilinear pairings, we construct a new publicly verifiable CCA-secure PRE scheme from which the costly pairings are removed. The efficiency comparison shows that our proposed scheme is more efficient than most existing pairing-based PRE schemes. More importantly, our construction satisfies the following features simultaneously: (1) CCA security; (2) pairing-freeness; (3) public verifiability; (4) simple design. We believe that our design will be useful for fostering multimedia data security and for improving the usability of secure IoT.

We also raise some open problems, such as constructing PRE schemes with the following features: (1) multi-hop, (2) bidirectional, (3) pairing-free, (4) CCA-secure and (5) publicly verifiable.