Efficient pairing-free PRE schemes for multimedia data sharing in IoT
Abstract
Nowadays, the Internet of Things (IoT) is becoming more and more popular. At the same time, the security mechanisms required for multimedia in IoT have received great attention. Multimedia data is easily shared by the devices, applications and social networks set up by IoT. Therefore, it is indispensable to guarantee the privacy and security of shared multimedia data. In this paper, we address the secure multimedia data sharing problem in cloud computing by designing proxy re-encryption (PRE) schemes. Our schemes cope with the issues of data validity, data confidentiality and authentication during encrypted multimedia data sharing. Unlike what is usually done in the literature, we first present a CCA-secure PRE scheme which removes pairings. Then we design a refined CCA-secure PRE scheme called publicly verifiable PRE without pairings. It is demonstrated that our schemes meet not only the security and high-efficiency requirements of multimedia data sharing, but also public verifiability. The validity of ciphertexts, both original and re-encrypted, can be publicly verified, which brings additional efficiency by offloading the validity check of ciphertexts from power-limited clients to any semi-honest public cloud.
Keywords
Multimedia data security; Proxy re-encryption; CCA security; Without pairing; Public verifiability
1 Introduction
1.1 Motivation
Multimedia data includes all kinds of media types, such as audio, image and video. The proliferation of cloud computing makes multimedia data sharing in networks much easier. Actually, the cloud server plays an important role in multimedia data collection. Multimedia data is now the main information source stored and transferred in the cloud. The truth, however, is that most effort is devoted to multimedia content whereas less attention is paid to its security and privacy. In cloud settings, it is of particular importance to ensure high privacy and security during multimedia data sharing.
1.2 Use case
 1.
A user, Alice, is planning to upload several multimedia files \(F_{1}, F_{2}, \cdots, F_{n}\) to Dropbox. The general idea is for Alice to encrypt these files before sending them to Dropbox. The encryption follows the conventional hybrid encryption paradigm. In particular, the files \(F_{1}, F_{2}, \cdots, F_{n}\) are first encrypted to \(C_{1}, C_{2}, \cdots, C_{n}\) under random symmetric content keys \(K_{1}, K_{2}, \cdots, K_{n}\), using a block cipher with an appropriate mode of operation (e.g. AES-CBC); then the keys \(K_{1}, K_{2}, \cdots, K_{n}\) are encrypted with a public key encryption (PKE) scheme (e.g. the ElGamal encryption scheme over an elliptic curve group) under the user's public key. The ciphertexts uploaded to Dropbox consist of the encrypted multimedia files \(C_{1}, C_{2}, \cdots, C_{n}\) and the encrypted content keys, denoted by \(CK_{1}, CK_{2}, \cdots, CK_{n}\). Note that each encrypted multimedia file, say \(C_{i}\), also includes the initialization vector. For simplicity, we assume that the initialization vector is part of each encrypted private file \(C_{i}\).
 2.
At a certain time, the user Alice would like to share her multimedia files with a friend, Bob. A conventional solution is that Alice downloads all the encrypted content keys \(CK_{1}, CK_{2}, \cdots, CK_{n}\) from Dropbox, decrypts them to obtain the content keys \(K_{1}, K_{2}, \cdots, K_{n}\), encrypts them again to \(CK_{1}^{\prime}, CK_{2}^{\prime}, \cdots, CK_{n}^{\prime}\) under Bob's public key, and finally uploads these newly encrypted content keys to Dropbox for Bob to download. The advantage of this solution is that Alice does not need to download any of the encrypted multimedia files, which saves bandwidth in the communication between Alice and Dropbox. However, this solution still involves many downloads and uploads of encrypted content keys, and the network overhead is linear in the number of files that Alice wants to share. Furthermore, this solution also incurs a lot of computation on Alice's side and may not be practical, especially for battery-powered computing devices.
The technical challenge in this use case is therefore how to do this encrypted multimedia data sharing efficiently, without triggering too much communication between the cloud server and the cloud user and without placing much computational burden on the user at the same time.
There is another potential solution to this problem: let Alice give her private key to Dropbox, and let Dropbox do the decrypt-then-encrypt on her behalf. However, this solution relies on the security of Dropbox, and Alice has to trust Dropbox not to disclose the multimedia files to any third party without authorization. Hence this solution cannot provide much assurance to Alice that only she controls the accessibility of her own encrypted files.
By applying PRE, we aim to minimize the communication between the cloud server and the cloud user for encrypted multimedia data sharing. We also aim to reduce the user's computational burden and, at the same time, to ensure the privacy of Alice's encrypted multimedia files, so that no adversary can obtain the files even after compromising the cloud storage service provider, i.e. Dropbox in the example above. We also apply an interesting property called public verifiability. With this property, the validity of ciphertexts can be publicly verified by anyone, so we can offload the validity check of ciphertexts from power-limited clients to any semi-honest public cloud to further improve efficiency.
1.3 A practical and efficient encrypted multimedia data sharing solution using Velosti’s USB device
The multimedia data owner, say Alice, has a Velosti USB device which contains her key pair (i.e. public and private keys) and also a piece of software called the encrypted cloud data client-side management software (in short, the client software). In Alice's Dropbox folder, the client software creates a folder called Velosti. All files stored in the Velosti folder are encrypted in the hybrid encryption fashion described above, but using the Velosti USB device. To access the encrypted files, Alice has to insert the Velosti USB device and run the client software.
Furthermore, a copy of Alice's public key is made available in the public folder of Alice's Dropbox, so that any Dropbox user can get a copy of her public key after learning the identity of Alice's Dropbox account. The same holds for other users; for example, Bob will also have a copy of his public key in his Dropbox public folder.
Suppose Alice is about to share several encrypted files in the Velosti folder with Bob. Through the client software, Alice specifies the encrypted files that she wants to share with Bob. The client software then notifies Dropbox, using the Dropbox API, of the files that Alice wants to share with Bob. Next, Dropbox notifies Bob about this sharing using Dropbox's existing data sharing notification protocol. However, since these files are encrypted, and in particular the corresponding content keys are encrypted under Alice's public key, neither Bob nor anyone else can decipher them. Hence, besides notifying Dropbox, Alice's client software also visits Bob's Dropbox public folder to get a copy of Bob's public key, and computes a transformation key ReKey using Alice's private key and Bob's public key. Note that the transformation key is used to transform Alice's encrypted files into another form that Bob can decrypt. After generating ReKey, Alice encrypts ReKey under Bob's public key and uploads a copy of the encrypted ReKey to her public folder.
After receiving a sharing notification from Dropbox, Bob, via his own client software, visits Alice's public folder to get the encrypted transformation key ReKey, then decrypts it and recovers ReKey using his private key. Using ReKey together with his private key, Bob can download the encrypted files shared by Alice from Dropbox and decipher them.
In this PRE-based solution, no server is needed. The integration of security with the existing sharing mechanism of Dropbox is done seamlessly. The user experience is also enhanced by using the Velosti USB device, so that user passwords are not mandatory; instead, they are optional, providing additional two-factor authentication.
1.4 Related work
Much research has been done to provide data privacy in IoT. Yang et al. [48] presented a fuzzy information retrieval scheme based on lattice assumptions. Their contribution supports a multi-user system without sharing a secret key. This scheme is secure for multimedia cloud applications even in the quantum era. Wang et al. [47] proposed leakage-resilient CP-ABE and KP-ABE schemes in an improved auxiliary input model. These schemes have been proven secure by constructing an improved strong extractor from the modified Goldreich-Levin theorem. Chang et al. [15] proposed a framework for use in business clouds. Experiments have been designed in detail to show that it is robust and secure in a multi-layered structure. Vijayakumar et al. [46] introduced an improved authentication for vehicular ad hoc networks, and a method of anonymous authentication has been presented to preserve privacy. Amin et al. [1] presented a smart-card-based authentication protocol, built on an architecture proposed in that paper for a distributed cloud environment. This protocol allows a registered user to securely access all private information from all the private cloud servers.
Many approaches are available for protecting shared multimedia data. Take encryption as an example: it transforms multimedia data into an encrypted form using a private key, and the encrypted form can only be decrypted by a user holding the decryption key. Encryption is the primary tool which can guarantee data privacy and protect against unauthorized access [16, 24].
Commutative encryption and watermarking can provide extensive security for multimedia data. Bouslimi et al. [11] presented an algorithm joining watermarking and encryption. Its convergence primitives promote research on privacy and security [7]. Cancellaro et al. [12] combined encryption and watermarking to protect images.
Besides, Bianchi [8] applied the discrete Fourier transform to encrypted multimedia data. A combination of SVD and CA was proposed which can provide novel solutions to preserve multimedia data privacy [49]. Ye et al. [50] proposed the first JFE method to address the problem of multimedia data sharing.
PRE schemes can also be used to implement secure multimedia data sharing, since any multimedia data can be transformed into binary.
A PRE scheme allows a private key holder (e.g. Alice) to produce a re-encryption key. Using it, a proxy (e.g. a network server) can convert Alice's ciphertext \(C_{A}\) into Bob's ciphertext \(C_{B}\). Therefore, PRE can be applied in various applications, such as encrypted email forwarding [9], the DRM of Apple's iTunes [44], distributed file storage systems [4, 5], secure certified email mailing lists [35, 36] and access control [45]. In the above-mentioned cases, the core idea is re-encryption.
The definition of PRE was first introduced in [9]. However, the PRE scheme presented there is only secure against chosen-plaintext attack (CPA).
Ivan et al. [33] presented a CCA security model for PRE, but Canetti et al. [13] proved that the CCA security of their schemes does not hold. Green and Ateniese [30] focused on CCA-secure ID-based PRE and proposed a corresponding security model. Chu et al. [18] presented an ID-based PRE which removes random oracles. However, it was demonstrated that [18] is not CCA secure [43].
Homomorphic encryption (HE) schemes can also be used to construct PRE schemes. Goldwasser et al. [26] gave the first semantically secure additively HE scheme over \(Z_{2}\). It was followed by other additively HE schemes, such as Paillier [40] and Damgård [21]. Besides, linear codes and lattices are also used to obtain additively HE schemes [2, 27, 34, 39, 41]. Another type of HE is multiplicative HE, of which ElGamal [23] is the typical example.
A fully homomorphic encryption (FHE) scheme allows anyone to evaluate both additive and multiplicative functions over encrypted data without decrypting first. Gentry [28] proposed the first FHE scheme, from which a CPA-secure PRE can be directly constructed. Subsequently, some progress was made in FHE [10, 19, 25]. However, the existing constructions of FHE are not suitable for practical use due to their efficiency drawbacks.
Another major concern about multimedia in IoT is that of supporting public verifiability for the encrypted multimedia data stored on remote network servers. The property of public verifiability enables anyone to complete the validity verification tasks without disclosing any private information. This property adds flexibility in various applications in the IoT setting, especially multimedia data sharing. Although the public verifiability of ciphertexts is important, it has received insufficient attention from researchers.
If the validity of a ciphertext can only be checked by the receiver (delegatee) with his private key, the scheme is vulnerable to ciphertext-malleability attacks. A correct ciphertext transferred over the network can easily be modified by attackers, and many malicious ciphertexts can be created to replace the correct ones. While these maliciously created ciphertexts can be rejected by the receiver at the last minute, they have already caused great problems which can affect users' confidence in the scheme and even damage the corporations providing the service. If the validity of these ciphertexts can be checked publicly, the above problems are easily solved: the routers or the access infrastructure can drop the maliciously created ciphertexts, and bandwidth is effectively preserved [29].
Canetti et al. [13] introduced the concept of public verifiability in PRE schemes. Libert et al. [38] proposed a publicly verifiable PRE which is unidirectional. However, Chow et al. [17] pointed out that the security assurance supplied by [38] only holds against a weakened form of CCA [14].
Deng et al. [22] presented a construction of PRE which enables the original ciphertext to be publicly verified, but it suffers from the attack in Remark 2 of [42]. Shao et al. [42] constructed a PRE using a signature of knowledge [3] to obtain public verifiability, but their public verifiability holds only for original ciphertexts, and the scheme is vulnerable to chosen-ciphertext attack [17].
So, public verifiability should be an essential property of CCA-secure PRE [4, 5, 13, 30, 51, 52]. Active attackers can issue queries to the decryption oracles of the data owner and the receivers arbitrarily. If the proxy forwards an invalid ciphertext to the receiver and the receiver decrypts it, the attackers can derive some useful information and then use it to break CCA security. Although the proxy does not have the private key, it has to verify the integrity of ciphertexts first, so public verifiability is essential to achieve the CCA security of PRE.
Moreover, most existing PRE schemes are constructed from pairings. Ateniese et al. [4, 5], Hohenberger et al. [31], Libert et al. [38] and Ateniese et al. [6] each presented collusion-resistant unidirectional PRE schemes, all of which rely on pairings. However, those schemes are CPA secure.
It is worth noting that bilinear pairings are an important tool for constructing PRE schemes, but their implementation is relatively slow, especially on computationally resource-constrained devices. Canetti et al. [13] raised the open problem of how to design a pairing-free PRE scheme. Afterwards, many researchers became interested in removing pairings from the construction of PRE. Deng et al. [22], Shao [42] and Chow et al. [17] each removed pairings from their PRE schemes, but did not achieve public verifiability.
Zhang et al. [53] considered how to construct a publicly verifiable pairing-free PKE scheme. They found that it is very easy to construct a publicly verifiable scheme for PKE.
Therefore, we want a PRE scheme that simultaneously satisfies the following requirements: CCA security, high efficiency, public verifiability, no pairings and a simple design.
1.5 Our contributions
 1.
We propose a basic CPA-secure PRE scheme in which bilinear pairings are removed from the construction for efficiency and practical use.
 2.
To enhance the security of shared multimedia data in IoT, we propose a new CCA-secure pairing-free PRE scheme based on the CPA-secure one.
 3.
To ensure the validity of shared multimedia data in IoT, we construct a publicly verifiable PRE scheme which is CCA-secure and also removes bilinear pairings.
1.6 Organization
Section 2 introduces the definition of PRE schemes and their security models. In Section 3, we describe three PRE schemes without pairings that meet different security requirements, and provide the security proofs and an efficiency comparison. Section 4 concludes.
2 Definition and security models
We give the definition of PRE and its CCA security model as follows. A PRE is unidirectional, meaning that a ciphertext can be converted from one user to another but not in the opposite direction. If a ciphertext can only be transformed once, the PRE scheme is single-hop; that is, a user cannot further re-encrypt a re-encrypted ciphertext.
2.1 Definition of PRE
Definition 1
 1.
\(par \leftarrow Setup(1^{k})\): given a security parameter \(k\in \mathbb {N}\), output a set of system parameters \(par\).
 2.
\((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\): given \(par\), output a public/private key pair \((pk_{i}, sk_{i})\). For ease of description, the other algorithms take \(par\) as an implicit input.
 3.
\(rk_{i\to j} \leftarrow ReKeyGen(sk_{i}, pk_{j})\): given \(sk_{i}\) (user i's private key) and \(pk_{j}\) (user j's public key), output the re-encryption key \(rk_{i\to j}\). With this key, a ciphertext encrypted under \(pk_{i}\) can be transformed into a ciphertext encrypted under \(pk_{j}\); here \(i \neq j\), \(i, j \in \{1,\ldots,poly(1^{k})\}\), and \(poly(1^{k})\) is some polynomial in k.
 4.
\(C_{i} \leftarrow Enc(pk_{i}, m)\): given \(pk_{i}\) and \(m \in \mathcal M(pk_{i})\), output an original ciphertext \(C_{i}\), where \(\mathcal M(pk_{i})\) is the message space.
 5.
\(C_{j} \leftarrow ReEnc(rk_{i\to j}, C_{i})\): given the re-encryption key \(rk_{i\to j}\) and an original ciphertext \(C_{i}\) under \(pk_{i}\), output a re-encrypted ciphertext \(C_{j}\).
 6.
\(m/\bot \leftarrow Dec(sk_{i}, C_{i})\): given user i's private key \(sk_{i}\) and an original ciphertext \(C_{i}\) under \(pk_{i}\), output the message m if \(C_{i}\) is valid; otherwise output the symbol \(\bot\).
 7.
\(m/\bot \leftarrow Dec_{R}(sk_{j}, C_{j})\): given user j's private key \(sk_{j}\) and a re-encrypted ciphertext \(C_{j}\), output the message m if \(C_{j}\) is valid; otherwise output \(\bot\).
2.2 Security models
Definition 2 (Unidirectional Single-hop PRE IND-CCA Game)
 1.
Setup. The challenger \(\mathcal B\) runs \(par \leftarrow Setup(1^{k})\) to generate \(par\) and gives \(par\) to \(\mathcal A\).
 2.
Phase 1. The adversary \(\mathcal A\) can issue queries to the following oracles.
 (1)
\(\mathcal {O}_{pk}(i)\): given an index \(i \in \{1,\ldots,poly(1^{k})\}\), \(\mathcal B\) runs \((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\), then returns \(pk_{i}\) to \(\mathcal A\).
 (2)
\(\mathcal {O}_{sk}(pk_{i})\): given a public key \(pk_{i}\), \(\mathcal B\) passes the private key \(sk_{i}\) to \(\mathcal A\), where \((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\).
 (3)
\(\mathcal {O}_{rk}(pk_{i},pk_{j})\): given public keys \(pk_{i}\) and \(pk_{j}\), \(\mathcal B\) returns \(rk_{i\to j} \leftarrow ReKeyGen(sk_{i}, pk_{j})\) to \(\mathcal A\), where \((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\) and \((pk_{j}, sk_{j}) \leftarrow KeyGen(par)\).
 (4)
\(\mathcal {O}_{re}(pk_{i}, pk_{j}, C_{i})\): given public keys \(pk_{i}\), \(pk_{j}\) and user i's ciphertext \(C_{i}\), \(\mathcal B\) returns the re-encrypted ciphertext \(C_{j} \leftarrow ReEnc(rk_{i\to j}, C_{i})\) to \(\mathcal A\), where \(rk_{i\to j} \leftarrow ReKeyGen(sk_{i}, pk_{j})\), \((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\) and \((pk_{j}, sk_{j}) \leftarrow KeyGen(par)\).
 (5)
\(\mathcal {O}_{dec}(pk_{i}, C_{i})\): on input \(pk_{i}\) and \(C_{i}\), \(\mathcal B\) returns \(m \leftarrow Dec(sk_{i}, C_{i})\), where \((pk_{i}, sk_{i}) \leftarrow KeyGen(par)\).
 (6)
\(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\): on input \(pk_{j}\) and \(C_{j}\), \(\mathcal B\) returns \(m \leftarrow Dec_{R}(sk_{j}, C_{j})\), where \((pk_{j}, sk_{j}) \leftarrow KeyGen(par)\).
 3.
Challenge. The adversary \(\mathcal A\) returns two messages \(m_{0}, m_{1}\) and a challenge public key \(pk_{i^{*}}\), where \(pk_{i^{*}}\) was output by \(\mathcal {O}_{pk}(i^{*})\). If the following queries have never been made, \(\mathcal B\) chooses b randomly from {0,1} and outputs \(C_{i^{*}}=Enc(pk_{i^{*}}, m_{b})\) to \(\mathcal A\):
 (1)
\(\mathcal {O}_{sk}(pk_{i^{*}})\); and
 (2)
\(\mathcal {O}_{rk}(pk_{i^{*}}, pk_{j})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index j.
 4.
Phase 2. The adversary \(\mathcal A\) issues queries as in Phase 1. However, the following queries are not allowed:
 (1)
\(\mathcal {O}_{sk}(pk_{i^{*}})\);
 (2)
\(\mathcal {O}_{rk}(pk_{i^{*}}, pk_{j})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index j;
 (3)
\(\mathcal {O}_{re}(pk_{i^{*}}, pk_{j}, C_{i^{*}})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index j with \(i \neq j\), where \(i, j \in \{1,\ldots,poly(1^{k})\}\);
 (4)
\(\mathcal {O}_{dec}(pk_{i^{*}}, C_{i^{*}})\); and
 (5)
\(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\) for any \(pk_{j}\) and \(C_{j}\), if \((pk_{j}, C_{j})\) is a derivative of \((pk_{i^{*}}, C_{i^{*}})\). Following [13], we define the derivatives of \((pk_{i^{*}}, C_{i^{*}})\) as follows.
 (a)
\((pk_{i^{*}}, C_{i^{*}})\) is a derivative of itself.
 (b)
If \(\mathcal A\) has queried \(\mathcal {O}_{rk}\) on \((pk_{i^{*}}, pk_{j})\), received the re-encryption key \(rk_{i^{*} \to j}\), and then computed \(C_{j} \leftarrow ReEnc(rk_{i^{*} \to j}, C_{i^{*}})\), we say that \((pk_{j}, C_{j})\) is a derivative of \((pk_{i^{*}}, C_{i^{*}})\).
 (c)
If \(\mathcal A\) has queried \(\mathcal {O}_{re}\) on \((pk_{i^{*}}, pk_{j}, C_{i^{*}})\) and obtained \(C_{j}\), then \((pk_{j}, C_{j})\) is a derivative of \((pk_{i^{*}}, C_{i^{*}})\).
 5.
Guess. The adversary \(\mathcal A\) returns a bit \(b' \in \{0,1\}\) as its guess. If \(b' = b\), \(\mathcal A\) wins.
Definition 3 (CCA Security of Original Ciphertext)
Let \(Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Or}(1^{k}) = Pr[b' = b] - \frac {1}{2}\) be \(\mathcal A\)'s advantage in the game described in Definition 2. A unidirectional single-hop PRE scheme is \((t, q_{pk}, q_{sk}, q_{rk}, q_{re}, q_{d}, q_{d_{R}}, \epsilon)\)-IND-CCA secure at original ciphertexts if, for any t-time IND-CCA adversary \({\mathcal A}\) that makes at most \(q_{pk}\) queries to \(\mathcal {O}_{pk}\), \(q_{sk}\) queries to \(\mathcal {O}_{sk}\), \(q_{rk}\) queries to \(\mathcal {O}_{rk}\), \(q_{re}\) queries to \(\mathcal {O}_{re}\), \(q_{d}\) queries to \(\mathcal {O}_{dec}\) and \(q_{d_{R}}\) queries to \(\mathcal {O}_{dec_{R}}\), we have \(Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Or} \leq \epsilon\).
Remark 1
The IND-CPA security of original ciphertexts can easily be derived from the above notion by providing only \(\mathcal {O}_{pk}\), \(\mathcal {O}_{sk}\) and \(\mathcal {O}_{rk}\) to \(\mathcal A\).
Definition 4 (CCA Security of Re-encrypted Ciphertext)
Remark 2
In Definition 3, if \(\mathcal A\) can deduce the private key \(sk_{i^{*}}\) from \(rk_{i^{*}\to j}\) (resp. \(rk_{j \to i^{*}}\)), where j is a corrupted user, then \(\mathcal A\) can certainly win the game above. Therefore, Definition 3 implies collusion resistance: the whole private key of the data owner cannot be compromised by the proxy even after the proxy compromises the corresponding receiver. The IND-CPA security of re-encrypted ciphertexts can be derived from the above notion by providing only \(\mathcal {O}_{pk}\), \(\mathcal {O}_{sk}\) and \(\mathcal {O}_{rk}\) to \(\mathcal A\).
3 Our constructions
The core technology in our solutions is PRE, which allows Alice to generate a re-encryption key \(rk_{A\to B}\) from her decryption key and the public key of the friend with whom she intends to share her encrypted multimedia data, say Bob. This re-encryption key \(rk_{A\to B}\) then allows Bob to decrypt the encrypted content keys when it is used together with his own private key.
On the one hand, any multimedia data is transformed into binary before travelling over the network, and on the other hand, proxy re-encryption (PRE) can be used as long as the data is in binary, so we can implement secure multimedia data sharing by designing efficient PRE schemes. More specifically, in our PRE schemes, a message m represents a binary multimedia file.
In the following sections, we propose three efficient PRE schemes meeting different security requirements to guarantee the privacy and security of shared multimedia data. In our schemes, encrypted multimedia files can be shared between a user, Alice, and her friends without sharing Alice's private key. Each of Alice's friends can decrypt the multimedia files using his own private key.
3.1 A basic CPA-secure PRE scheme without pairings
3.1.1 Construction
 1.
\(Setup(k)\): for a given security parameter \(k\in \mathbb {N}\), generate a group G of order q with q = k, and let g be a generator of G. This algorithm also generates two hash functions \(H_{1}\) and \(H_{2}\), each mapping from G to \(Z_{q}\). The message space is G. The system parameters of the PRE scheme are \(par = (G, q, g, H_{1}, H_{2})\).
 2.
\(KeyGen(par)\):
 (1)
Pick two random values \(x_{i,1}, x_{i,2} \in_{R} Z_{q}\) and set the private key \(sk_{i} = (x_{i,1}, x_{i,2})\).
 (2)
Set the public key \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).
 3.
\(Enc(pk_{i}, m)\): given user i's public key \(pk_{i} = (pk_{i,1}, pk_{i,2})\) and a message \(m \in G\), a ciphertext \(C_{i}\) is generated as follows.
 (1)
Pick r randomly from \(Z_{q}\).
 (2)
Compute \(E = m g^{r}\).
 (3)
Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).
 (4)
Set \(C_{i} = (E, F)\).
 4.
\(ReKeyGen(sk_{i}, pk_{j})\):
 (1)
Randomly pick V from G and u from \(Z_{q}\).
 (2)
Compute \(v = H_{1}(V)\,(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).
 (3)
Compute \(U = V g^{u}\).
 (4)
Compute \(W = pk_{j,2}^{u}\).
 (5)
Output \(rk_{i\to j} = (v, U, W)\).
 5.
\(ReEnc(rk_{i\to j}, C_{i})\): given the re-encryption key \(rk_{i\to j} = (v, U, W)\) and a ciphertext \(C_{i} = (E, F)\) under \(pk_{i}\), a re-encrypted ciphertext \(C_{j}\) is generated as follows.
 (1)
Compute \(F' = F^{v}\).
 (2)
Output \(C_{j} = (E, F', U, W)\).
 6.
\(Dec(sk_{i}, C_{i})\): given user i's private key \(sk_{i} = (x_{i,1}, x_{i,2})\) and an original ciphertext \(C_{i} = (E, F)\) under \(pk_{i}\), the message m is recovered as follows.
 (1)
Compute \(t = x_{i,1} H_{2}(pk_{i,2}) + x_{i,2} \bmod q\).
 (2)
Output \(m = E\,(F^{1/t})^{-1}\).
 7.
\(Dec_{R}(sk_{j}, C_{j})\): given user j's private key \(sk_{j} = (x_{j,1}, x_{j,2})\) and a re-encrypted ciphertext \(C_{j} = (E, F', U, W)\), the message m is recovered as follows.
 (1)
Compute \(V = U\,(W^{1/x_{j,2}})^{-1}\).
 (2)
Output \(m = E\,(F'^{1/H_{1}(V)})^{-1}\).
3.1.2 Security analysis
In this scheme, the multimedia data owner's files are encrypted with the ElGamal encryption scheme. Therefore, the security of the ElGamal encryption scheme ensures that our scheme is secure. Moreover, throughout the whole process, since the re-encryption key \(rk_{i\to j}\) alone does not allow anyone to recover the multimedia files, the network server gains no information about the multimedia data owner's files or private key.
3.1.3 Efficiency analysis
Let EXP represent an exponentiation in G (assuming that G is a multiplicative group; if G is an additive group such as an elliptic curve group, EXP represents an elliptic curve scalar multiplication) and PreEXP a precomputable exponentiation in G. Decrypt^O denotes the cost of decrypting an original ciphertext and Decrypt^R the cost of decrypting a re-encrypted message. C^O denotes the size of an original ciphertext, C^R the size of a re-encrypted message, and ReKey the size of a re-encryption key.
Efficiency analysis
Algorithm    Operation
Encrypt      2 EXP + 1 PreEXP
ReEncrypt    1 EXP
Decrypt^O    1 EXP
Decrypt^R    2 EXP
C^O          2 |G|
C^R          4 |G|
ReKey        2 |G| + |Z_q|
3.2 A CCA-secure pairing-free PRE scheme
3.2.1 Construction
 1.
\(Setup(k)\): for a given security parameter \(k\in \mathbb {N}\), the following steps are carried out:
 (1)
Generate a group G of order q such that q = k, and pick a generator \(g \in_{R} G\).
 (2)
Set the message space to \(\{0,1\}^{k}\).
 (3)
Set four hash functions: \(H_{1}:G \to Z_{q}^{*}, H_{2}:G \to Z_{q}^{*}, H_{3}:G \to \{0,1\}^{k}, H_{4}: \{0,1\}^{k} \times G \to Z_{q}^{*}.\)
 (4)
Output the public parameters \(par = (G, q, g, H_{i})\) (i = 1,⋯ ,4).
 2.
\(KeyGen(par)\):
 (1)
Pick two random values \(x_{i,1}, x_{i,2} \in_{R} Z_{q}\) and set the private key \(sk_{i} = (x_{i,1}, x_{i,2})\).
 (2)
Set the public key \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).
 3.
\(Enc(pk_{i}, m)\): given user i's public key \(pk_{i} = (pk_{i,1}, pk_{i,2})\) and a message \(m \in \{0,1\}^{k}\), the following steps generate a ciphertext \(C_{i}\).
 (1)
Pick σ randomly from G, then compute \(r = H_{4}(m, \sigma)\).
 (2)
Compute \(E = \sigma g^{r}\).
 (3)
Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).
 (4)
Compute \(J = m \oplus H_{3}(\sigma)\).
 (5)
Set \(C_{i} = (E, F, J)\).
 4.
\(ReKeyGen(sk_{i}, pk_{j})\):
 (1)
Randomly pick V from G and u from \(Z_{q}\).
 (2)
Compute \(v = H_{1}(V)\,(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).
 (3)
Compute \(U = V g^{u}\).
 (4)
Compute \(W = pk_{j,2}^{u}\).
 (5)
Output \(rk_{i\to j} = (v, U, W)\).
 5.
\(ReEnc(rk_{i\to j}, C_{i})\): given the re-encryption key \(rk_{i\to j} = (v, U, W)\) and an original ciphertext \(C_{i} = (E, F, J)\) under \(pk_{i}\), a re-encrypted ciphertext \(C_{j}\) is generated as follows.
 (1)
Compute \(F' = F^{v}\).
 (2)
Output \(C_{j} = (E, F', J, U, W)\).
 6.
\(Dec(sk_{i}, C_{i})\): given user i's private key \(sk_{i} = (x_{i,1}, x_{i,2})\) and an original ciphertext \(C_{i} = (E, F, J)\) under \(pk_{i}\), the message m is recovered as follows.
 (1)
Compute \(t = x_{i,1} H_{2}(pk_{i,2}) + x_{i,2} \bmod q\).
 (2)
Compute \(\sigma' = E\,(F^{1/t})^{-1}\).
 (3)
Compute \(m' = J \oplus H_{3}(\sigma')\).
 (4)
If \(E = \sigma' g^{H_{4}(m',\sigma')}\) holds, output \(m = m'\); otherwise output \(\bot\).
 7.
\(Dec_{R}(sk_{j}, C_{j})\): given user j's private key \(sk_{j} = (x_{j,1}, x_{j,2})\) and a re-encrypted ciphertext \(C_{j} = (E, F', J, U, W)\), the message m is recovered as follows.
 (1)
Compute \(V = U\,(W^{1/x_{j,2}})^{-1}\).
 (2)
Compute \(\sigma' = E\,(F'^{1/H_{1}(V)})^{-1}\).
 (3)
Compute \(m' = J \oplus H_{3}(\sigma')\).
 (4)
If \(E = \sigma' g^{H_{4}(m',\sigma')}\) holds, output \(m = m'\); otherwise output \(\bot\).
3.2.2 Security analysis
1. Only \(sk_{i}\) has been taken as an input (\(sk_{j}\) is not involved); thus, our scheme is unidirectional.
2. Even if someone obtains \(sk_{j}\) and \(rk_{i \to j}\) simultaneously, the true values of \(x_{i,1}\) and \(x_{i,2}\) still remain secure, as the recovered \(H_{1}(V)\) only leaks information about the value of \(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2}\), so the secret of the multimedia data owner is ensured.
Remark 3
IoT has the merits of low cost and effective accessibility. However, network servers may not be fully trusted, and the validity of the data shared between users is problematic. On the Internet, users are resource-limited and hence cannot afford excessive validity checks. Therefore, in practice, it is more reasonable to add public verifiability to the construction of the scheme. With public verifiability, anyone, not just the data owner, is allowed to complete the validity verification tasks without holding any private information. Let us consider the goal of allowing network servers to verify the correctness of ciphertexts on behalf of the multimedia data owner. In the next section, we give an improved CCA-secure PRE scheme together with a thorough security analysis.
3.3 A CCA-secure publicly verifiable PRE scheme without pairing (PVPRE)
3.3.1 Main idea
In practice, the multimedia data in IoT is stored on remote servers and exposed to malicious attackers. Moreover, in the context of PRE, the remote server is asked to transform multimedia data encrypted under the owner's public key into another form that an anticipated recipient can decrypt, so it is possible for an attacker to derive sensitive information or even tamper with the encrypted multimedia data for his own sake. The following attack illustrates this.
Let \(C' = (E', F', J')\) be a challenge ciphertext encrypted under the challenge public key \(pk' = (pk'_{i,1}, pk'_{i,2}) = (g^{x'_{i,1}}, g^{x'_{i,2}})\), where \(sk' = (x'_{i,1}, x'_{i,2})\) is the challenge private key, \(E' = \sigma' g^{r'}\), \(F' = ({pk'_{i,1}}^{H_{2}(pk'_{i,2})} pk'_{i,2})^{r'}\) and \(J' = m \oplus H_{3}(\sigma')\). Suppose \(C'\) is given to the adversary \(\mathcal{A}\); he wins the IND-CCA game as follows. First, \(\mathcal{A}\) chooses a random \(t\) from \(\{0,1\}^{l}\) and creates a new malicious ciphertext \(C_{1} = (E_{1}, F_{1}, J_{1})\) in place of \(C'\), where \(E_{1} = E'\), \(F_{1} = F'\) and \(J_{1} = J' \oplus t\). Obviously, \(C_{1}\) is invalid. Second, \(\mathcal{A}\) obtains a key pair \((pk'', sk'')\) by making a corrupted-key generation query, and also obtains the re-encrypted ciphertext \(C_{2} = (E_{2}, F_{2}, J_{2}, U, W)\) by making a re-encryption query on \(pk''\), where \(pk'' = (pk''_{i,1}, pk''_{i,2}) = (g^{x''_{i,1}}, g^{x''_{i,2}})\), \(sk'' = (x''_{i,1}, x''_{i,2})\), \(E_{2} = E_{1}\), \(F_{2} = F_{1}^{v}\), \(J_{2} = J_{1}\), and \((v, U, W)\) is the re-encryption key. Finally, \(\mathcal{A}\) can use the private key \(x''_{i,2}\) to obtain \(V = U (W^{1/x''_{i,2}})^{-1}\) and \(\sigma_{2} = E_{2} (F_{2}^{1/H_{1}(V)})^{-1}\), then recover \(m\) as \(m = t \oplus H_{3}(\sigma_{2}) \oplus J_{2}\). \(\mathcal{A}\) can then recover the bit \(\delta\), which means \(\mathcal{A}\) wins the game. We note that the queries \(\mathcal{A}\) issued above are legal, because they follow the restraints in Definition 2.
The adversary \(\mathcal{A}\)'s attack succeeds because the validity of the re-encrypted ciphertext cannot be verified by the proxy (server). Thus, it is attractive to embed public verifiability into a CCA-secure PRE scheme.
Next, we briefly describe how public verifiability is used. First, we modify the above scheme slightly so that the original ciphertext generated by the algorithm \(\mathsf{Enc}(pk_{i}, m)\) has the form \(C_{i} = (E, F, J, s)\). Suppose the proxy (server) is asked to perform a ciphertext transformation. The proxy first verifies \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E \cdot F^{H_{5}(E,F,J)}\) to guarantee the validity of \(C_{i}\), and then outputs the re-encrypted ciphertext \(C_{j} = (E', F', J, s', U, W)\).
The validity of the ciphertext can thus be verified before it is re-encrypted and decrypted. Hence it is impossible for malicious attackers to gain any advantage by tampering with the re-encrypted ciphertext.
3.3.2 Construction
1. \(\mathsf{Setup}(k)\): for a given security parameter \(k\), the following steps are invoked:
(1) Generate a group \(G\) with order \(q\) such that \(|q| = k\), and pick a generator \(g \in_{R} G\).
(2) Define the message space as \(\{0,1\}^{k}\).
(3) Define five hash functions:
$$H_1: G \to Z_q^{*}, \quad H_2: G \to Z_q^{*}, \quad H_3: G \to \{0,1\}^k, \quad H_4: \{0,1\}^k \times G \to Z_q^{*}, \quad H_5: G \times G \times G \to Z_q^{*}.$$
(4) Output the public parameter \(par = (G, q, g, H_{i})\) (\(i = 1, \cdots, 5\)).
2. \(\mathsf{KeyGen}(par)\):
(1) Pick two random values \(x_{i,1}, x_{i,2} \in_{R} Z_{q}\) and set \(sk_{i} = (x_{i,1}, x_{i,2})\) as the private key.
(2) Define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\) as the public key.
3. \(\mathsf{Enc}(pk_{i}, m)\): given \(pk_{i} = (pk_{i,1}, pk_{i,2})\) and \(m \in \{0,1\}^{k}\), it carries out the following steps to generate a ciphertext \(C_{i}\). Here \(pk_{i}\) is user \(i\)'s public key and \(m \in \{0,1\}^{k}\) is a message.
(1) Randomly pick \(\sigma\) from \(Z_{q}^{*}\), then compute \(r = H_{4}(m, g^{\sigma})\).
(2) Compute \(E = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma}\).
(3) Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).
(4) Compute \(J = m \oplus H_{3}(g^{\sigma})\).
(5) Compute \(s = \sigma + r H_{5}(E, F, J) \bmod q\).
(6) Output \(C_{i} = (E, F, J, s)\).
4. \(\mathsf{ReKeyGen}(sk_{i}, pk_{j})\):
(1) Randomly pick \(V \gets G\), then compute \(u = H_{1}(V)\).
(2) Compute \(v = H_{2}(V)(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})^{-1} \bmod q\).
(3) Compute \(U = V g^{u}\).
(4) Compute \(W = pk_{j,2}^{u}\).
(5) Output \(rk_{i \to j} = (v, U, W)\).
5. \(\mathsf{ReEnc}(rk_{i \to j}, C_{i})\): given \(rk_{i \to j} = (v, U, W)\) and \(C_{i} = (E, F, J, s)\), a re-encrypted ciphertext \(C_{j}\) is generated. Here \(rk_{i \to j}\) is a re-encryption key and \(C_{i}\) is the original ciphertext under \(pk_{i}\).
(1) If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E \cdot F^{H_{5}(E,F,J)}\) is not satisfied, return \(\perp\). Otherwise,
(2) Compute \(E' = E^{v}\) and \(F' = F^{v}\).
(3) Compute \(s' = s v \pmod q\).
(4) Output \(C_{j} = (E', F', J, s', U, W)\).
6. \(\mathsf{Dec}(sk_{i}, C_{i})\): given \(sk_{i} = (x_{i,1}, x_{i,2})\) and \(C_{i} = (E, F, J, s)\), the message \(m\) is recovered. Here \(sk_{i}\) is user \(i\)'s private key and \(C_{i}\) is the original ciphertext under \(pk_{i}\).
(1) If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E \cdot F^{H_{5}(E,F,J)}\) is not satisfied, return \(\perp\). Otherwise,
(2) Compute \(t = x_{i,1} H_{2}(pk_{i,2}) + x_{i,2} \pmod q\).
(3) Compute \(g^{\sigma'} = E^{1/t}\).
(4) Compute \(m' = J \oplus H_{3}(g^{\sigma'})\).
(5) If \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{H_{4}(m', g^{\sigma'})}\) holds, output \(m = m'\), otherwise output \(\perp\).
7. \(\mathsf{Dec}_{R}(sk_{j}, C_{j})\): given \(sk_{j} = (x_{j,1}, x_{j,2})\) and \(C_{j} = (E', F', J, s', U, W)\), the message \(m\) is recovered. Here \(sk_{j}\) is user \(j\)'s private key and \(C_{j}\) is a re-encrypted ciphertext.
(1) If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} = E' \cdot {F'}^{H_{5}(E',F',J)}\) is not satisfied, return \(\perp\). Otherwise,
(2) Compute \(V = U (W^{1/x_{j,2}})^{-1}\).
(3) Compute \(g^{\sigma'} = {E'}^{1/H_{2}(V)}\).
(4) Compute \(m' = J \oplus H_{3}(g^{\sigma'})\).
(5) If \(F' = g^{H_{4}(m', g^{\sigma'}) H_{2}(V)}\) and \(W = pk_{j,2}^{H_{1}(V)}\) hold, output \(m = m'\), otherwise output \(\perp\).
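A toy implementation of the PVPRE construction above, added here as an example (it is not the authors' code), in Python over a 64-bit Schnorr subgroup of \(Z_p^*\) built at import time, with domain-separated SHA-256 standing in for \(H_{1}, \dots, H_{5}\) (so \(k = 256\) and messages are 32-byte strings); the group size, the hash encodings and the function names are assumptions of the example. One caveat a practitioner should note: because \(s' = sv\), the identity a re-encrypted ciphertext satisfies is \(Y^{s'} = E' \cdot {F'}^{H_{5}(E,F,J)}\) with the hash of the original components (exposed as `reenc_relation`), so `dec_r` checks the re-encrypted ciphertext with steps (2) to (5) of \(\mathsf{Dec}_{R}\), while `reenc` and `dec` perform the public check on the original ciphertext, which is what rejects a tampered \(J\) of the kind described in Section 3.3.1.

```python
import hashlib
import secrets

def _is_prime(n):
    # Deterministic Miller-Rabin; with these bases it is exact for 37 < n < 3.1e23.
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

Q = (1 << 63) + 1
while not (_is_prime(Q) and _is_prime(2 * Q + 1)):  # smallest safe-prime pair above 2^63
    Q += 2
P, G = 2 * Q + 1, 4  # 4 = 2^2 is a quadratic residue != 1, hence a generator of the order-Q subgroup
def _h(tag, *parts):
    # Domain-separated SHA-256 over group elements (16-byte big-endian) and byte strings.
    hsh = hashlib.sha256(tag)
    for x in parts:
        blob = x if isinstance(x, bytes) else x.to_bytes(16, "big")
        hsh.update(len(blob).to_bytes(2, "big") + blob)
    return hsh.digest()
def _zq(digest):  # map a digest into Z_q^* = {1, ..., q-1}
    return 1 + int.from_bytes(digest, "big") % (Q - 1)
def H1(V): return _zq(_h(b"H1", V))
def H2(X): return _zq(_h(b"H2", X))
def H3(R): return _h(b"H3", R)             # G -> {0,1}^k with k = 256
def H4(m, R): return _zq(_h(b"H4", m, R))  # {0,1}^k x G -> Z_q^*
def H5(E, F, J): return _zq(_h(b"H5", E, F, J))
def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _y(pk):  # Y = pk1^{H2(pk2)} * pk2 = g^t; every public check is taken against Y
    return pow(pk[0], H2(pk[1]), P) * pk[1] % P
def _t(sk, pk):  # t = x1 * H2(pk2) + x2 mod q, the discrete log of Y
    return (sk[0] * H2(pk[1]) + sk[1]) % Q

def keygen():
    x1, x2 = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return (x1, x2), (pow(G, x1, P), pow(G, x2, P))

def enc(pk, m):
    # Enc: C = (E, F, J, s); s = sigma + r*H5(E,F,J) is what makes C publicly checkable.
    sigma = secrets.randbelow(Q - 1) + 1
    R = pow(G, sigma, P)  # g^sigma
    r, Y = H4(m, R), _y(pk)
    E, F = pow(Y, sigma, P), pow(Y, r, P)
    J = _xor(m, H3(R))
    return (E, F, J, (sigma + r * H5(E, F, J)) % Q)

def verify_original(pk, C):
    # Public check Y^s == E * F^{H5(E,F,J)}: needs no secret, so the proxy can run it.
    E, F, J, s = C
    return pow(_y(pk), s, P) == E * pow(F, H5(E, F, J), P) % P

def rekeygen(sk_i, pk_i, pk_j):
    # ReKeyGen: rk = (v, U, W); (U, W) is an ElGamal encryption of V under pk_{j,2}.
    V = pow(G, secrets.randbelow(Q - 1) + 1, P)
    u = H1(V)
    v = H2(V) * pow(_t(sk_i, pk_i), -1, Q) % Q
    return (v, V * pow(G, u, P) % P, pow(pk_j[1], u, P))

def reenc(pk_i, rk, C):
    # ReEnc: reject an invalid C (None stands for ⊥), else raise E, F and s to v.
    if not verify_original(pk_i, C):
        return None
    (v, U, W), (E, F, J, s) = rk, C
    return (pow(E, v, P), pow(F, v, P), J, s * v % Q, U, W)

def dec(sk_i, pk_i, C):
    # Dec: public check, then g^sigma = E^{1/t}, m = J xor H3(g^sigma), re-derive F.
    if not verify_original(pk_i, C):
        return None
    E, F, J, _ = C
    R = pow(E, pow(_t(sk_i, pk_i), -1, Q), P)
    m = _xor(J, H3(R))
    return m if F == pow(_y(pk_i), H4(m, R), P) else None

def dec_r(sk_j, pk_j, C_j):
    # Dec_R steps (2)-(5): recover V from (U, W), then g^sigma = E'^{1/H2(V)}.
    E2, F2, J, _, U, W = C_j
    V = U * pow(pow(W, pow(sk_j[1], -1, Q), P), -1, P) % P
    h = H2(V)
    R = pow(E2, pow(h, -1, Q), P)
    m = _xor(J, H3(R))
    ok = F2 == pow(G, H4(m, R) * h % Q, P) and W == pow(pk_j[1], H1(V), P)
    return m if ok else None

def reenc_relation(pk_i, C, C_j):
    # What s' = s*v commits to: Y^{s'} == E' * F'^{H5(E,F,J)}, hash of the ORIGINAL (E, F, J).
    (E, F, J, _), (E2, F2, _, s2, _, _) = C, C_j
    return pow(_y(pk_i), s2, P) == E2 * pow(F2, H5(E, F, J), P) % P
```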
Remark 4
The refined scheme PVPRE can guarantee the anonymity of both the multimedia data owner and the recipient simultaneously. Each proxy or anticipated recipient can easily check the validity of ciphertexts without disclosing any sensitive information.
3.3.3 Original ciphertext security analysis
Definition 5 (Decisional Diffie-Hellman (DDH) Assumption)
Consider a group \(G\) of order \(q\), and let \(g\) be a generator of \(G\). The DDH assumption states that it is infeasible, given a tuple \((g, g^{a}, g^{b}, g^{d})\) for uniformly and independently chosen \(a, b, d \in Z_{q}^{*}\), to decide whether \(d = ab\).
For a given \(\mathcal{A}\) that makes at most \(q_{H_{i}}\) queries to \(H_{i}\) (\(i \in \{1,3,4,5\}\)) and breaks the \((t, q_{pk}, q_{sk}, q_{rk}, q_{re}, q_{d}, q_{d_{R}}, \epsilon)\)-IND-CCA security of PVPRE, a polynomial-time algorithm \(\mathcal{B}\) will be constructed that breaks the DDH assumption in \(G\).
Simulations of \(H_{i}\) (\(i = 1, 3, 4, 5\))
| \(H_{i}(\cdot)\) | Simulation |
| --- | --- |
| \(H_{1}(Q)\) | If a tuple \((Q, \rho)\) is in \(H_{1}^{list}\), return the predefined value \(\rho\). Otherwise, pick \(\rho\) randomly from \(Z_{q}^{*}\), add the tuple \((Q, \rho)\) to \(H_{1}^{list}\), then return \(H_{1}(Q) = \rho\). |
| \(H_{3}(R)\) | If a tuple \((R, \xi)\) is in \(H_{3}^{list}\), return the predefined value \(\xi\). Otherwise, pick \(\xi\) randomly from \(\{0,1\}^{k}\), add the tuple \((R, \xi)\) to \(H_{3}^{list}\), then return \(H_{3}(R) = \xi\). |
| \(H_{4}(m, g^{\sigma})\) | If a tuple \((m, \sigma, g^{\sigma}, r)\) is in \(H_{4}^{list}\), return the predefined value \(r\). Otherwise, pick \(r\) randomly from \(Z_{q}^{*}\), add the tuple \((m, \sigma, g^{\sigma}, r)\) to \(H_{4}^{list}\), then return \(H_{4}(m, g^{\sigma}) = r\). |
| \(H_{5}(E, F, J)\) | If a tuple \((E, F, J, \gamma)\) is in \(H_{5}^{list}\), return the predefined value \(\gamma\). Otherwise, pick \(\gamma\) randomly from \(Z_{q}^{*}\), add the tuple \((E, F, J, \gamma)\) to \(H_{5}^{list}\), then return \(H_{5}(E, F, J) = \gamma\). |
\(\mathcal{B}\) also keeps two lists \(K^{list}\) and \(R^{list}\), both initialized empty. \(K^{list}\) stores key pairs (public key and private key) and \(R^{list}\) stores re-encryption keys.
Theorem 1
The scheme PVPRE is IND-CCA secure for the original ciphertext if the DDH assumption holds in group \(G\).
Proof
1. \(\mathcal{O}_{pk}(i)\): the uncorrupted keys and corrupted keys are generated by \(\mathcal{B}\) as shown below.
(1) Uncorrupted key. \(\mathcal{B}\) chooses \(x_{i,1}, x_{i,2} \gets Z_{q}^{*}\) randomly and draws a coin \(c_{i} \in \{0,1\}\) that comes up 1 with probability \(\theta\) and 0 otherwise [20]. Then the tuple \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) is added to \(K^{list}\) and \(pk_{i}\) is returned to \(\mathcal{A}\).
(a) If \(c_{i} = 1\), define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).
(b) If \(c_{i} = 0\), define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{\frac{1}{a}})^{x_{i,1}}, (g^{\frac{1}{a}})^{x_{i,2}})\).
(2) Corrupted key. \(\mathcal{B}\) chooses \(x_{i,1}, x_{i,2} \gets Z_{q}^{*}\) randomly, sets \(pk_{i} = (g^{x_{i,1}}, g^{x_{i,2}})\) and \(c_{i} = {}^{\prime}-{}^{\prime}\). Then the tuple \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) is added to \(K^{list}\) and \((pk_{i}, (x_{i,1}, x_{i,2}))\) is output to \(\mathcal{A}\).
2. \(\mathcal{O}_{sk}(i)\): \(\mathcal{B}\) first recovers \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) from \(K^{list}\). If \(c_{i} = 1\), output \((pk_{i}, (x_{i,1}, x_{i,2}))\) to \(\mathcal{A}\); else return a bit \(b \in_{R} \{0,1\}\) and abort.
3. \(\mathcal{O}_{rk}(pk_{i}, pk_{j})\): If there is a tuple \((pk_{i}, pk_{j})\) in \(R^{list}\), output the predefined re-encryption key to \(\mathcal{A}\). Otherwise, \(\mathcal{B}\) proceeds as shown below:
(1) Extract the two tuples \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) and \((pk_{j}, x_{j,1}, x_{j,2}, c_{j})\) by searching \(K^{list}\).
(2) Randomly choose \(V \gets G\), compute \(u = H_{1}(V)\) and \(h = H_{2}(V)\).
(3) Compute \(U = V g^{u}\) and \(W = pk_{j,2}^{u}\).
(4) Compute \(v\) according to the following cases:
(a) \((c_{i} = 0 \wedge c_{j} = {}^{\prime}-{}^{\prime})\): output \(\perp\) and abort.
(b) \((c_{i} = 1 \vee c_{j} = {}^{\prime}-{}^{\prime})\): set \(v = h(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})^{-1} \bmod q\) and \(\tau = 1\). In this case \(v\) is obviously correct, since \(sk_{i} = (x_{i,1}, x_{i,2})\).
(c) \((c_{i} = 0 \wedge c_{j} \neq {}^{\prime}-{}^{\prime})\): randomly pick \(v \gets Z_{q}^{*}\) and set \(\tau = 0\). In this case the value \(h\), which is related to \(U, W\), would not match a random \(v\); this relies on the CCA security of the ElGamal encryption scheme.
(5) If \(\mathcal{B}\) does not abort, add \((pk_{i}, pk_{j}, (v, U, W), h, \tau)\) to \(R^{list}\).
(6) Output \(rk_{i \to j} = (v, U, W)\) to \(\mathcal{A}\).
4. \(\mathcal{O}_{re}(pk_{i}, pk_{j}, C_{i})\):
(1) If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} \neq E \cdot F^{H_{5}(E, F, J)}\), return the symbol \(\perp\), which means \(C_{i}\) is invalid.
(2) Otherwise, extract the tuples \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) and \((pk_{j}, x_{j,1}, x_{j,2}, c_{j})\) by searching \(K^{list}\).
(3) If the conditions \(c_{i} = 0\) and \(c_{j} = {}^{\prime}-{}^{\prime}\) are not satisfied simultaneously, the query \(\mathcal{O}_{rk}(pk_{i}, pk_{j})\) is issued to generate \(rk_{i \to j} = (v, U, W)\) for \(\mathcal{A}\).
(4) Else, search for tuples \((R, \beta) \in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r) \in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma} = E\) and \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r} = F\). If no eligible tuple exists, output \(\perp\).
(5) Extract \((pk_{i}, pk_{j}, (v, U, W), h, \tau)\) from \(R^{list}\) and define \(E' = g^{\sigma h}\), \(F' = g^{r h}\), \(s' = s v\).
(6) Return \(C_{j} = (E', F', J, s', U, W)\) to \(\mathcal{A}\).
5. \(\mathcal{O}_{dec}(pk_{i}, C_{i})\): \(\mathcal{B}\) first parses \(pk_{i} = (pk_{i,1}, pk_{i,2})\) and extracts the tuple \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) by searching \(K^{list}\).
(1) If \((c_{i} = 1 \vee c_{i} = {}^{\prime}-{}^{\prime})\), \(\mathcal{B}\) runs \(\mathsf{Dec}((x_{i,1}, x_{i,2}), C_{i})\) and outputs the result to \(\mathcal{A}\).
(2) Else,
(a) if \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} \neq E \cdot F^{H_{5}(E, F, J)}\), output the symbol \(\perp\), which indicates \(C_{i}\) is invalid;
(b) else, search \(H_{3}^{list}\) and \(H_{4}^{list}\) for tuples \((R, \beta) \in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r) \in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma} = E\), \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r} = F\), \(\beta \oplus m = J\) and \(R = g^{\sigma}\). If two such tuples exist, output \(m\) to \(\mathcal{A}\); else output \(\perp\).
6. \(\mathcal{O}_{dec_{R}}(pk_{j}, C_{j})\): \(\mathcal{B}\) first parses \(pk_{j} = (pk_{j,1}, pk_{j,2})\) and recovers the tuple \((pk_{j}, x_{j,1}, x_{j,2}, c_{j})\) from \(K^{list}\). If \((c_{j} = 1 \vee c_{j} = {}^{\prime}-{}^{\prime})\), \(\mathcal{B}\) runs \(\mathsf{Dec}_{R}((x_{j,1}, x_{j,2}), C_{j})\) and returns the result to \(\mathcal{A}\). Otherwise,
(1) if \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} \neq E' \cdot {F'}^{H_{5}(E', F', J)}\), output the symbol \(\perp\), which indicates \(C_{j}\) is invalid;
(2) else, if there exists a tuple \((pk_{i}, pk_{j}, (v, U, W), V, 0) \in R^{list}\), compute \(E = {E'}^{\frac{1}{v}}\) and \(F = {F'}^{\frac{1}{v}}\), and search whether there exist \((R, \beta) \in H_{3}^{list}\) and \((m, \sigma, g^{\sigma}, r) \in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma} = E\), \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r} = F\), \(\beta \oplus m = J\) and \(R = g^{\sigma}\). If two such tuples exist, output \(m\) to \(\mathcal{A}\); otherwise output \(\perp\). Note that the value of each \(U, W\) in \(R^{list}\) is correct.
Challenge phase: \(\mathcal{B}\) proceeds as follows.
1. If \(c_{i^{*}} = 1\), challenger \(\mathcal{B}\) picks a value \(b \in_{R} \{0,1\}\) and aborts.
2. Else, compute \(E^{*} = (g^{b})^{x_{i^{*},1} H_{2}(pk_{i^{*},2}) + x_{i^{*},2}}\).
3. Choose \(e^{*}, t^{*} \gets Z_{q}^{*}\) randomly, set \(s^{*} = e^{*} t^{*}\) and compute
$$F^{*} = (g^{b})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})\frac{1}{e^{*}}} \times (g^{\frac{1}{a}})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})t^{*}}.$$
4. Choose \(J^{*} \gets \{0,1\}^{k}\) randomly and set \(H_{5}(E^{*}, F^{*}, J^{*}) = e^{*}\).
5. Choose \(\sigma^{*} \gets Z_{q}^{*}\) randomly, implicitly define \(\sigma^{*} = d\) and \(H_{3}(g^{d}) = m_{\delta} \oplus J^{*}\).
6. Output the challenge original ciphertext \(C^{*} = (E^{*}, F^{*}, J^{*}, s^{*})\) to \(\mathcal{A}\).
Phase 2: \(\mathcal{A}\) continues to make queries according to the constraints in Definition 2, and the challenger \(\mathcal{B}\) answers \(\mathcal{A}\)'s queries.
Guess: \(\mathcal{A}\) passes to \(\mathcal{B}\) a bit \(\delta' \in \{0,1\}\) as its guess. If \(\delta'\) equals \(\delta\), \(\mathcal{B}\) returns 1, meaning \(d = ab\); otherwise it returns 0, meaning \(d \in_{R} Z_{q}^{*}\) is a random value.
The description of the simulation is completed. Next, the correctness of the simulation above will be demonstrated.
Denote by \(t_{exp}\) the time cost of an exponentiation operation in \(G\), and let \(\epsilon_{1}\) be the advantage of breaking the CCA security of ElGamal encryption.
The key point of our correctness proof is taken from [17]. We first analyze these simulations. Obviously, according to the construction of \(H_{4}\), the corresponding simulation is perfect. Denote by \(AskH_{4}^{*}\) the event that a query on \((m, g^{\sigma})\) is issued to \(H_{4}\); similarly, let \(AskH_{5}^{*}\) be the event that \((E^{*}, F^{*}, J^{*})\) has been queried to \(H_{5}\) before the Challenge phase. The simulations of \(H_{4}\) and \(H_{5}\) are perfect as long as \(\mathcal{A}\) neither queries \((m, g^{\sigma})\) to \(H_{4}\) nor \((E^{*}, F^{*}, J^{*})\) to \(H_{5}\). In the Challenge phase, since \(J^{*}\) is chosen randomly from \(\{0,1\}^{k}\), we have \(Pr[AskH_{5}^{*}] \leq \frac{q_{H_{5}}}{2^{k}}\).
Let \(AskH_{3}\) be the event that \(g^{d}\) has been queried to \(H_{3}\). The corresponding simulation is also perfect as long as \(g^{d}\) is not queried to \(H_{3}\) by \(\mathcal{A}\) during the Challenge phase.
It is obvious that the simulated queries for public/private key generation are perfect. Let Aborts be the event that \(\mathcal{B}\) aborts while interacting with \(\mathcal{A}\) in an \(\mathcal{O}_{rk}\) query or in the Challenge phase. Notice that the probability \(Pr[\neg Aborts]\) is given by \(\theta^{q_{rk}}(1-\theta)\), which is maximized at \(\theta = \frac{q_{rk}}{1+q_{rk}}\); then we have \(\theta^{q_{rk}}(1-\theta) \geq \frac{1}{e(1+q_{rk})}\).
1. \(c_{j} \neq {}^{\prime}-{}^{\prime}\) indicates that the private key \(sk_{j}\) is unknown to \(\mathcal{A}\).
2. \((pk_{j,2}^{u}, V g^{u})\) with \(u = H_{1}(V)\) is actually a ciphertext of \(V\) encrypted under \(pk_{j,2}\) using the underlying ElGamal encryption scheme based on the DDH assumption.
Now we analyze the simulation of the query \(\mathcal{O}_{re}\). Unless \(\mathcal{A}\) submits a valid original ciphertext without querying \(H_{3}\) and \(H_{4}\) (an event denoted REErr), the simulation of the re-encryption query \(\mathcal{O}_{re}\) is perfect too. Since \(H_{3}\) and \(H_{4}\) act as random oracles, we have \(Pr[REErr] \leq \frac{2 q_{re}}{q}\).
The simulations of the decryption oracles, namely \(\mathcal{O}_{dec}\) and \(\mathcal{O}_{dec_{R}}\), are perfect unless a simulation error happens, that is, a valid ciphertext is rejected. Such errors are not significant, for the following reason. Assume that a decryption query \(Q\) has been issued. Even if \(Q\) is a valid query, it is possible to generate \(Q\) with some probability without querying \(H_{3}\) on \(g^{\sigma}\).
Denote by Valid the event that \(Q\) is a valid query and by \(AskH_{3}\) the event that \(g^{\sigma}\) has been queried to \(H_{3}\). We note that the probability that \(\mathcal{A}\) produces a valid \(J\) consistent with the output of \(H_{3}\) without querying \(H_{3}\) is \(\frac{1}{q}\). Then we have \(Pr[Valid \mid \neg AskH_{3}] \leq \frac{1}{q}\).
Denote by \(DecErr\) the event that \(Valid \wedge \neg AskH_{3}\) occurred during the whole simulation. As \(\mathcal{A}\) issues at most \((q_{d} + q_{d_{R}})\) decryption queries, we get \(Pr[DecErr] \leq \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} + \frac{q_{d} + q_{d_{R}}}{q}\).
3.3.4 Reencrypted ciphertext security analysis
For re-encrypted ciphertext security, the task is to decide whether \(d = \frac{b}{a}\) given \((g, g^{a}, g^{b}, g^{d}) \in G^{3}\) with unknown \(a, b \gets Z_{q}^{*}\). \(H_{i}\) (\(i \in \{1,3,4,5\}\)) are simulated as in the proof of Theorem 1.
Theorem 2
Our scheme PVPRE is IND-CCA secure for the re-encrypted ciphertext if the DDH assumption holds in group \(G\).
Proof
1. \(\mathcal{O}_{pk}(i)\): the uncorrupted keys and corrupted keys are generated by \(\mathcal{B}\) as shown below.
(1) Uncorrupted key. \(\mathcal{B}\) randomly chooses \(x_{i,1}, x_{i,2} \gets Z_{q}^{*}\) and draws a coin \(c_{i} \in \{0,1\}\) that comes up 1 with probability \(\theta\) and 0 otherwise [20]. Next, the tuple \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) is added to \(K^{list}\) and \(pk_{i}\) is returned to the adversary \(\mathcal{A}\).
(a) If \(c_{i} = 1\), set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = \left((g^{a})^{\frac{1}{H_{2}(pk_{i,2})}} \cdot g^{x_{i,1}}, \frac{g^{x_{i,2}}}{g^{a}}\right)\).
(b) If \(c_{i} = 0\), set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{a})^{x_{i,1}}, (g^{a})^{x_{i,2}})\).
(2) Corrupted key. \(\mathcal{B}\) acts as in Theorem 1.
2. \(\mathcal{O}_{rk}(pk_{i}, pk_{j})\): If there is a tuple \((pk_{i}, pk_{j})\) in \(R^{list}\), output the predefined re-encryption key to \(\mathcal{A}\). Otherwise, \(\mathcal{B}\) proceeds as shown below:
(1) Extract the two tuples \((pk_{i}, x_{i,1}, x_{i,2}, c_{i})\) and \((pk_{j}, x_{j,1}, x_{j,2}, c_{j})\) by searching \(K^{list}\).
(2) Compute \(rk_{i \to j}\) according to the following situations:
1) If \((c_{i} = 1 \vee c_{i} = {}^{\prime}-{}^{\prime})\):
(a) Randomly pick \(V \gets G\), compute \(u = H_{1}(V)\) and \(h = H_{2}(V)\).
(b) Set \(v = h(x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})^{-1}\) and \(\tau = 1\).
(c) Compute \(U = V g^{u}\) and \(W = pk_{j,2}^{u}\).
2) If \((c_{i} = 0 \wedge c_{j} = 0)\):
(a) Randomly pick \(v \gets Z_{q}^{*}\) and set \(\tau = 0\).
(b) Randomly pick \(z \gets Z_{q}^{*}\) and set \(g^{u} = (g^{\frac{b}{a}})^{\frac{z}{x_{j,2}}}\), which defines \(W = (g^{b})^{z}\).
(c) Randomly pick \(U \gets \{0,1\}^{k}\) and implicitly define \(V = \frac{U}{g^{u}}\).
3) If \((c_{i} = 0 \wedge c_{j} \neq 0)\): output \(\perp\) and abort.
(3) If \(\mathcal{B}\) does not abort, add \((pk_{i}, pk_{j}, (v, U, W), z, \tau)\) to the list \(R^{list}\).
(4) Return \(rk_{i \to j} = (v, U, W)\) to the adversary \(\mathcal{A}\).
3. \(\mathcal{O}_{dec}(pk_{i}, C_{i})\): \(\mathcal{B}\) acts as in Theorem 1.
4. \(\mathcal{O}_{dec_{R}}(pk_{j}, C_{j})\): \(\mathcal{B}\) acts as in Theorem 1.
Challenge phase: \(\mathcal{B}\) proceeds as follows.
1. If \(c_{i} = 1\) or \(c_{j^{*}} = 1\), algorithm \(\mathcal{B}\) returns a value \(b \in_{R} \{0,1\}\) and aborts.
2. If \(c_{i} = 0 \wedge c_{j^{*}} = 0\), algorithm \(\mathcal{B}\) generates the challenge ciphertext by the following steps:
(1) Retrieve \((pk_{i}, pk_{j^{*}}, (v^{*}, U^{*}, W^{*}), z^{*}, 0)\) from \(R^{list}\).
(2) Randomly pick \(t \gets Z_{q}^{*}\), set \({E'}^{*} = (g^{b})^{t}\) and implicitly define \(\sigma^{*} h^{*} = bt\), i.e. \(\sigma^{*} = \frac{bt}{h^{*}}\).
(3) Randomly pick \(e^{*} \gets Z_{q}^{*}\), set \({F'}^{*} = (g^{b})^{e}\) and implicitly define \(r^{*} h^{*} = be\), i.e. \(r^{*} = \frac{be}{h^{*}}\).
(4) Randomly pick \(J^{*} \gets \{0,1\}^{k}\) and implicitly define
$$J^{*} = H_{3}\left((g^{\frac{b}{a}})^{\frac{t}{v^{*}(x_{i,1}H_{2}(pk_{i,2}) + x_{i,2})}}\right) \oplus m_{\delta}.$$
Recall that \(h^{*} = H_{2}(V^{*}) = v^{*} a (x_{i,1} H_{2}(pk_{i,2}) + x_{i,2})\) for \(c_{i} = 0\).
(5) Randomly pick \(k^{*} \gets Z_{q}^{*}\) and set \(H_{5}({E'}^{*}, {F'}^{*}, J^{*}) = k^{*}\), which defines \({s'}^{*} = t^{*} h^{*} + e^{*} k^{*} h^{*}\).
(6) Set \(U^{*}\), \(W^{*}\) and \(z^{*}\) by the following steps:
(a) Randomly pick \(z^{*} \gets Z_{q}^{*}\), set \(g^{u^{*}} = (g^{d})^{\frac{z^{*}}{x_{j,2}}}\) and implicitly define \(W^{*} = (g^{b})^{z^{*}}\).
(b) Randomly pick \(U^{*} \gets \{0,1\}^{k}\) and implicitly define \(V^{*} = \frac{U^{*}}{g^{u^{*}}}\).
(c) Add \(U^{*}\), \(W^{*}\) and \(z^{*}\) to \(R^{list}\).
(7) Pass \(C^{*} = ({E'}^{*}, {F'}^{*}, J^{*}, {s'}^{*}, U^{*}, W^{*})\) to \(\mathcal{A}\) as the challenge re-encrypted ciphertext.
Phase 2: \(\mathcal{A}\) continues to make queries according to the restrictions in Definition 2, and \(\mathcal{B}\) answers \(\mathcal{A}\)'s queries.
Guess: \(\mathcal{A}\) passes to \(\mathcal{B}\) a bit \(\delta' \in \{0,1\}\) as its guess. If \(\delta'\) equals \(\delta\), \(\mathcal{B}\) returns 1, meaning \(d = \frac{b}{a}\); otherwise it returns 0, meaning \(d \in_{R} Z_{q}^{*}\).
The description of the simulation is completed. We now show the correctness of the above simulation.
As in Theorem 1, it is clear that the answers passed to \(\mathcal{A}\) are all perfect, including the queries for public and private key generation, re-encryption, and re-encryption key generation. The simulations of the two decryption queries are perfect too, unless a simulation error happens in the form of rejecting some valid ciphertext, which is denoted by \(DecErr\). As in Theorem 1, a similar analysis yields \(Pr[DecErr] \leq \frac{(q_{H_3} + q_{H_4})(q_d + q_{d_R})}{2^k} + \frac{q_d + q_{d_R}}{q}\).
Based on the above analysis, we can conclude that the simulations of \(H_{i}\) (\(i = 1, 2, 4\)) are perfect too.
3.3.5 Efficiency analysis
We now make an efficiency comparison between our PVPRE and Chow et al. [17].
Efficiency comparison
| Algorithm | Chow et al. [17] | Our scheme PVPRE |
| --- | --- | --- |
| Encrypt | 3 EXP + 1 PreEXP | 3 EXP + 1 PreEXP |
| ReEncrypt | 6 EXP + 1 PreEXP | 4 EXP + 1 PreEXP |
| Decrypt\(^{O}\) | 4 EXP + 1 PreEXP | 4 EXP + 1 PreEXP |
| Decrypt\(^{R}\) | 4 EXP | 6 EXP + 1 PreEXP |
| \(C^{O}\) | 3 \(G\) + \(Z_{q}\) | 3 \(G\) + \(Z_{q}\) |
| \(C^{R}\) | 4 \(G\) | 5 \(G\) + \(Z_{q}\) |
| ReKey | 5 \(G\) + \(Z_{q}\) | 5 \(G\) + \(Z_{q}\) |
| Pairing-free | Y | Y |
| Public verifiability | N | Y |
Encrypt algorithm: this algorithm needs the same number of exponentiations in [17] and in ours.
ReEncrypt algorithm: in scheme [17], 6 exponentiations need to be computed, while 4 are needed in our scheme.
Decrypt\(^{O}\) algorithm: this algorithm needs the same number of exponentiations in [17] and in ours.
Decrypt\(^{R}\) algorithm: this algorithm needs 4 exponentiations in [17], while 6 in ours.
\(C^{O}\) size: the original ciphertext contains 4 components (3 in \(G\) and 1 in \(Z_{q}\)) both in [17] and in ours.
\(C^{R}\) size: in scheme [17], the re-encrypted ciphertext has 4 \(G\) components. In our scheme, there are 6 components (5 in \(G\) and 1 in \(Z_{q}\)).
ReKey size: the re-encryption key size is the same in [17] and in ours.
Pairing-free feature: both scheme [17] and ours remove pairings from the construction.
Public verifiability feature: in scheme [17], only the original ciphertext can be verified. In our scheme, the validity of both kinds of ciphertext can be publicly verified, that is, anyone can check the validity of an original ciphertext as well as a re-encrypted ciphertext.
From Table 3, compared with the Chow et al. scheme [17], our PVPRE scheme is more efficient, saving two exponentiations in \(G\) in the ReEncrypt algorithm. More importantly, our scheme PVPRE achieves public verifiability at the cost of only two more exponentiations in \(G\) in the Decrypt\(^{R}\) phase. This performance trade-off is worthwhile, since the public verifiability feature is attractive and makes our scheme PVPRE more flexible in various applications, such as multimedia data sharing.
Remark 5
In our scheme PVPRE, the computational cost of generating ReKey as well as the ReKey size are both independent of the number of encrypted files to be shared with Bob, and the validity check of ciphertexts can be offloaded from Alice to the semi-honest cloud. Hence, we solve both of the technical problems described in Section 1. First, we significantly reduce the computational burden on Alice during multimedia data sharing. Second, as the re-encryption key ReKey alone does not allow anyone to recover the files from the encrypted files, the encrypted files remain secure even if an adversary has compromised Dropbox and also obtained a copy of ReKey. In other words, the secrecy of the encrypted files still relies on the secrecy of the private keys of the multimedia data owner and his friend, even after the encrypted files are shared.
4 Conclusion
In this work, we address the privacy and security problem of multimedia data sharing in IoT by developing new PRE schemes. In contrast to all existing CCA-secure schemes in which public verifiability depends on bilinear pairings, we construct a new publicly verifiable CCA-secure PRE scheme from which the costly pairings are removed. The efficiency comparison demonstrates that our proposed scheme is more efficient than most existing pairing-based PRE schemes. More importantly, our constructions satisfy the following features simultaneously: (1) CCA security; (2) pairing-freeness; (3) public verifiability; (4) simple design. We believe that our design will be useful for fostering multimedia data security and also improving the usability of secure IoT.
We also raise some open problems, such as constructing PRE schemes with the following features: (1) multi-hop, (2) bidirectional, (3) pairing-free, (4) CCA-secure and (5) publicly verifiable.
Notes
Acknowledgement
I would like to thank Prof. Duncan S. WONG for his instructive suggestions, which have significantly improved the design and revised the manuscript. Hu’s research was supported in part by the Scientific Research Fund of Hunan Provincial Education Department (No. 15C0536), Tang’s research was supported in part by the Foundation of National Natural Science of China (No. 11271003), Guangdong Province Natural Science Foundation of major basic research and Cultivation project (No. 2015A030308016), Project of Ordinary University Innovation Team Construction of Guangdong Province (No. 2015KCXTD014), Basic Research Major Projects of Department of education of Guangdong Province (No. 2014KZDXM044) and Collaborative Innovation Major Projects of Bureau of Education of Guangzhou City (No. 1201610005). The authors declare that they have no conflict of interest.
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.