Advertisement

Multimedia Tools and Applications

, Volume 77, Issue 14, pp 18327–18354 | Cite as

Efficient pairing-free PRE schemes for multimedia data sharing in IoT

  • Xing Hu
  • Chunming TangEmail author
  • Duncan S. Wong
  • Xianghan Zheng
Open Access
Article
  • 875 Downloads

Abstract

Nowadays, Internet of things (IoT) become more and more popular. At the same time, the requirements of security mechanism for multimedia in IoT received a huge concern. Multimedia data is easily shared by devises, applications and social networks set by IoT. Therefore, it is indispensable to guarantee the privacy and security of shared multimedia data. In this paper, we address the secure multimedia data sharing problem in cloud computing by designing proxy re-encryption (PRE) scheme. Our schemes cope with the issues of data validity, data confidentiality and authentication during encrypted multimedia data sharing. Unlike as usually done in the literature, we present a CCA-secure PRE scheme which removes pairings firstly. Then we design a refined CCA-secure PRE scheme called publicly verifiable PRE without parings. It is demonstrated that our schemes meet not only the security and high efficiency requirements of multimedia data sharing, but also the public verifiability. The validity of ciphertext, both the original and re-encrypted ciphertext, can be publicly verified which brings additional efficiency due to offloading the validity check of ciphertexts from the power-limited clients to any semi-honest public cloud.

Keywords

Multimedia data security Proxy re-encryption CCA security Without pairing Public verifiability 

1 Introduction

1.1 Motivation

Multimedia data includes all kinds of media types, such as audio, image, video etc. The proliferation of cloud computing make multimedia data sharing in networks much easier. Actually, cloud server plays an important role in multimedia data collecting. Multimedia data is now the main information source stored and transformed in the cloud. The truth, however, is that maximum endeavors are devoted to multimedia contents whereas less attention is paid to its security and privacy. In cloud settings, it is of particular importance to ensure a high privacy and security during multimedia data sharing.

1.2 Use case

Consider the following scenario:
  1. 1.

    A user, Alice, is planning to upload several multimedia files F 1, F 2,⋯ ,F n to Dropbox. The general idea is for Alice to encrypt these files before sending them to Dropbox. The encryption is done using the conventional hybrid encryption paradigm. In particular, the files F 1, F 2,⋯ ,F n are first encrypted to C 1, C 2,⋯ ,C n under random symmetric content keys, K 1, K 2,⋯ ,K n , using a block cipher with an appropriate mode of operation (e.g. AES-CBC), then encrypt the keys K 1, K 2,⋯ ,K n by using a public key encryption (PKE) scheme (e.g. ElGamal encryption scheme over an Elliptic Curve Group) under the user’s public key. The ciphertexts uploaded to Dropbox consists of the encrypted multimedia files C 1, C 2,⋯ ,C n and the encrypted content keys denoted by C K 1, C K 2,⋯ ,C K n . Note that in each encrypted multimedia file, say C i , it also includes the initialization vector. For simplicity, we assume that the initialization vector is part of each encrypted private file, C i .

     
  2. 2.

    At a certain time, the user Alice would like to share her multimedia files with a friend Bob. A conventional solution is that Alice downloads all the encrypted content keys C K 1, C K 2,⋯ ,C K n from Dropbox, then decrypts them to obtain the content keysK 1, K 2,⋯ ,K n , and encrypts them again to \(CK_{1}^{\prime }\), \(CK_{2}^{\prime },\cdots ,CK_{n}^{\prime }\), under Bob’s public key, finally uploads these newly encrypted content keys to the Dropbox for Bob to download. The advantage of this solution is that Alice does not need to download any of the encrypted multimedia files, hence, can save the bandwidth during the communications between Alice and Dropbox. However, this solution still involves a lot of downloads and uploads of the encrypted content keys and the network overhead is linear to the number of files that Alice wants to share. Furthermore, this solution also incurs a lot of computation on Alice’s side and may not be practical, especially for battery-powered computing devices.

     

The technical challenge in this use case is therefore on how to do this encrypted multimedia data sharing efficiently without triggering too much communications between the cloud server and the cloud user, and without incurring much computational burden to the user simultaneously.

There is another potential solution to this problem. The solution is to let Alice give out her private key to Dropbox, and let Dropbox do the decrypt-then-encrypt on behalf of Alice. However, this solution relies on the security of Dropbox and Alice has to trust Dropbox not to disclose the multimedia files to any third party without authorization. Hence this solution cannot provide much assurance to Alice that only she has the control on the accessibility of her own encrypted files.

By applying PRE, we target to minimize the communication between the cloud server and the cloud user for encrypted multimedia data sharing. We also target to reduce the user’s computational burden, and at the same time, to ensure the privacy of Alice’s encrypted multimedia files so that no adversary can obtain the files even after compromising the cloud storage service provider, i.e. Dropbox in the example above. We also applying a interesting property called public verifiability. With this property, the validity of ciphertexts can be publicly verified by anyone. So we can offload the validity check of ciphertexts from power-limited clients to any semi-honest public cloud to further improve the efficiency.

1.3 A practical and efficient encrypted multimedia data sharing solution using Velosti’s USB device

The multimedia data owner, say Alice, has a Velosti USB device which contains her key-pair (i.e. public and private), and also a software which is called the encrypted cloud data client-side management software (in short, we call it a client software). In Alice’s Dropbox folder, the client software creates a folder called Velosti. All the files stored in the Velosti folder will be encrypted in the hybrid encryption fashion as described above, but using the Velosti USB device. To access the encrypted files, Alice has to insert the Velosti USB device and execute the client software.

Furthermore, a copy of Alice’s public key will be made available in the public folder of Alice’s Dropbox so that all Dropbox users can get a copy of her public key once after learning the identity of Alice’s Dropbox account. It is also the case for other users. For example, Bob, who will also have a copy of his public key in his Dropbox public folder.

Suppose Alice is about to share several encrypted files in the Velosti folder with Bob. Through the client software, Alice specifies the encrypted files that she wants to share with Bob. The client software will then notifies Dropbox using the Dropbox API on the files that Alice wants to share with Bob. Next, Dropbox will notify Bob about this sharing using Dropbox’s existing data sharing notification protocol. However, since these files are encrypted, in particularly, the corresponding content keys are encrypted by using Alice’s public key, Bob or anyone else cannot decipher these files. Hence, besides notifying Dropbox, Alice’s client software also visits Bob’s Dropbox public folder to get a copy of Bob’s public key, and computes a transformation key ReKey using the private key of Alice and the public key of Bob. Notice that, the transformation key is used to complete a transformation from Alice’s encrypted files to another form that Bob can decrypt. After generating the transformation key ReKey, Alice encrypts ReKey under Bob’s public key and uploads a copy of the encrypted ReKey to Alice’s public folder.

After receiving a sharing notification from Dropbox, Bob, via his own client software, visits Alice’s public folder for getting the encrypted transformation key ReKey, then decrypts and recovers ReKey using his decryption key. By using the key ReKey and his private key, Bob can download the encrypted files from Dropbox that are shared by Alice, and decipher them.

In this PRE-based solution, no server is needed. The integration of security and the existing sharing mechanism of Dropbox is done seamlessly. The user experience is also enhanced by making use of the Velosti’s USB device so that user passwords are not mandatory, instead, they are optional for providing the additional two-factor authentication.

1.4 Related work

Many researches has been done to provide the data privacy in IoT. Yang et al. [48] presented a fuzzy information retrieval scheme based on lattice assumption. Their contribution supports multiple user system without sharing secret key. This scheme is secure for multimedia cloud applications even in quantum-era. Wang et al. [47] proposed leakage resilient CP-ABE and KP-ABE schemes in a improved auxiliary input model. This scheme has been prove to be secure by constructing an improved strong extractor from the modified GoldreichCLevin theorem. Chang et al. [15] proposed a framework which is used in business clouds. Experiments have been designed in detail to show its robustness is secure in multilayered structure. Vijayakumar et al. [46] introduced an improved authentication for vehicular ad-hoc networks, and a method of anonymous authentication has been presented to preserve privacy. Amin et al. [1] presented an authentication protocol using smartcard, which is based on an architecture proposed in this paper for distributed cloud environment. This protocol allows the registered user to securely access all private information from all the private cloud servers.

Many approaches are available for protecting the shared multimedia data. Take encryption algorithm as an example, it transforms the multimedia data into encrypted form using a private key and the encrypted form can only be decrypted by the user hold the decryption key. Encryption is the primary tool which can guarantee the data privacy and against an unauthorized access [16, 24].

Commutative Encryption and Watermarking can provide extensive security for the multimedia data. Bouslimi et al. [11] presented a algorithm jointing watermarking and encryption. Its convergence primitives promotes the research of privacy and security [7]. Cancellaro et al. [12] combine the encryption and watermarking to protect image.

Besides, Bianchi [8] applied discrete Fourier transform on encrypted multimedia data. A combination of SVD and CA was proposed which can provide novel solutions to preserve multimedia data privacy [49]. Ye et al. [50] proposed the first JFE method to address the problem of multimedia data sharing.

PRE scheme can also be used for implementing secure multimedia data sharing, since any multimedia data can be transformed into binary.

A PRE scheme allows a private key holder (e.g. Alice) to produce a re-encryption key. By using it, a conversion from Alice’s ciphertext C A to Bob’s ciphertext C B can be made by a proxy (e.g. network server). Therefore, a PRE scheme can be applied into various applications, such as encrypted email forwarding [9], the DRM of Apple’s iTunes [44], distributed file storage systems [4, 5], secure certified email mailing lists [35, 36] and access control [45]. In the above-mentioned cases, the core idea is the re-encryption.

The definition of PRE was first introduced by [9]. However, the presented PRE scheme is secure against chosen-plaintext attack (CPA).

Ivan et al. [33] presented a CCA security model for PRE, but Canetti et al. proved that the CCA security of their schemes is not hold [13]. Green and Ateniese [30] focus on CCA secure ID-based PRE and proposed a corresponding security model. Chu et al. [18] presented a ID-based PRE which removes random oracles. However, it is demonstrated that [18] was not CCA secure [43].

Homomorphic encryption (HE) scheme can also used to construct PRE schemes. Goldwasser et al [26] gave the first semantically secure additively HE scheme over Z 2. It is followed by other additively HE schemes, such as Paillier [40] and Damgard [21]. Besides, linear codes and lattices are also used to obtain additively HE schemes [2, 27, 34, 39, 41]. Another type of HE is multiplicative HE, and ElGamal [23] is the typical one.

A fully homomorphic encryption (FHE) scheme allows anyone to evaluate both additive or multiplicative functions over encrypted data without decrypting firstly. Gentry [28] proposed the first FHE scheme, and based on which a CPA-secure PRE was directly constructed. Subsequently, some progress were made in FHE [10, 19, 25]. However, these existing constructions of FHE are not suitable for practical uses due to efficiency drawbacks.

Another major concern about multimedia in IoT is that of supporting public verifiability for the encrypted multimedia data stored in remote network servers. The property of public verifiability enable anyone to complete the validity verification tasks without disclosing any private information. This property adds flexibility in various applications in IoT setting, especially multimedia data sharing. Although the property of public verifiability of ciphertexts is important, it received insufficient care from researchers.

If the validity of a ciphertext can only be checked by the receiver (delegatee) with his private key, the scheme is vulnerable ciphertext-malleable attack. The right ciphertext transferred in the network can be easily modified by the attackers, then lots of malicious ciphertexts can be created to instead the right ones. While these malicious created ciphertexts can be rejected by the receiver at the last minute, they have already caused great problem which can affect the users’ feeling on using the scheme, even bring damage to the service providing corporations. If the validity of these ciphertexts can be checked publicly, the above problems can be easily solved, the routers or the access infrastructure can drop these maliciously created ciphertexts, and the bandwidth has been effectively preserved [29].

Canetti et al. [13] introduced the concept of public verifiability in PRE scheme. Libert et al. [38] proposed a publicly verifiable PRE which is unidirectional. However, Chow et al. [17] pointed out that, the security assurance supplied by [38] only against a weakened CCA [14].

Deng et al. [22] presented a construction of PRE which enabled the original ciphertext to be public verified, but it suffers from the attack in Remark 2 in [42]. Shao et al. [42] constructed a PRE by using signature of knowledge [3] to obtain public verifiability, but their public verifiability is only for original ciphertexts, and it is vulnerable to chosen-ciphertext attack [17].

So, public verifiability should be an essential property of CCA-secure PRE [4, 5, 13, 30, 51, 52]. Active attackers can issue queried to the data owner and receivers decryption oracle arbitrarily. If the proxy forward an invalid ciphertext to the receiver, and the receiver has decrypted it, some useful information can be derived and then used for breaking CCA security by the attackers. Although the proxy doesn’t have the private key, he has to firstly verify the integrity of ciphertexts, so the property of publicly verify is essential to achieve the CCA security of PRE.

Moreover, most existing PRE schemes are constructed by pairings. Ateniese et al. [4, 5], Hohenberger et al. [31], Libert et al. [38] and Ateniese et al. [6] presented collusion resistant unidirectional PRE scheme respectively, those scheme are relied on pairings. However, those schemes are CPA secure.

It is worth noting that bilinear pairing is an important tool to construct PRE scheme, but it’s implementation speed is relatively slower, especially in computational resource-constrained devices. Canetti et al. [13] raised an open problem that how to design a pairing-free PRE scheme. Afterwards, many researchers become interested in removing paring from the construction of PRE. Deng et al. [22], Shao [42] and Chow et al. [17] removed pairings from their PRE scheme respectively, but didn’t achieve public verifiability.

Zhang et al. [53] care about how to construct publicly verifiable paring-free PKE scheme. They find it is very easy to construct publicly verifiable scheme for PKE.

Therefore, we want a PRE scheme simultaneously satisfy the following features: CCA-secure, high efficiency, public verifiability, paring-free and simple design.

1.5 Our contributions

In this paper, we research on the privacy and security protection mechanism of multimedia data in IoT by employing proxy re-encryption. We target to ensure the privacy and security of shared multimedia data, and at the same time, to reduce the multimedia data owner’s computational burden. Our contributions are summarized below:
  1. 1.

    We propose a basic CPA-secure PRE scheme in which the bilinear parings is removed from the construction for efficiency and practical use.

     
  2. 2.

    To enhance the security of shared multimedia data in IoT, we propose a new CCA-secure paring-free PRE scheme based on the resulting CPA-secure one.

     
  3. 3.

    To ensure the validity of shared multimedia data in IoT, we construct a publicly verifiable PRE scheme which is CCA-secure, and also bilinear pairings is removed.

     

1.6 Organization

Section 2 introduces the definition of PRE scheme and its security models. In Section 3, we describe three PRE schemes without parings meet different security requirements, and the security proof and efficiency comparison are provided. Section 4 is the conclusion.

2 Definition and security models

We give the definition of PRE and its CCA security model as follows. A PRE is unidirectional, means that a ciphertext can be converted from one user to another without the opposite direction. If a ciphertext can only be transformed one time, the PRE scheme is single-hop. Namely that, a user can’t further re-encrypt a re-encrypted ciphertext.

2.1 Definition of PRE

Definition 1

A PRE scheme is composed of 7 algorithms as follows:
  1. 1.

    p a rS e t u p(1 k ): given a system parameter \(k\in \mathbb {N}\), output a group of system parameters p a r.

     
  2. 2.

    (p k i , s k i ) ← K e y G e n(p a r): given p a r, a pair of public/private key (p k i , s k i ) is outputted. For ease of description, other algorithms take p a r as an implicitly input.

     
  3. 3.

    r k ij R e K e y G e n(s k i , p k j ): given s k i (i.e. user i’s private key) and p k j (i.e. user j’s public key), output r k ij as the re-encryption key. With this key, a ciphertext encrypted by p k i will be transformed to another ciphertext encrypted by p k j , here p o l y(1 k ) is some polynomial in k, ij and i, j ∈{1,…,p o l y(1 k )}.

     
  4. 4.

    C i E n c(p k i , m): given p k i and \( m \in \mathcal M(pk_{i})\), output an original ciphertext C i , where \(\mathcal M(pk_{i})\) is a space of message.

     
  5. 5.

    C j R e E n c(r k ij , C i ): given r k ij and C i , a re-encrypted ciphertext C j is outputted. Here r k ij is the re-encryption key, C i is an original ciphertext under p k i .

     
  6. 6.

    m/ ⊥← D e c(s k i , C i ): given s k i and C i , output message m if C i is valid, otherwise, a symbol ⊥is outputted. Here s k i is user i’s private key, C i is an original ciphertext under p k i .

     
  7. 7.

    m/ ⊥← D e c R (s k j , C j ): given s k j and C j , output message m if C j is valid, otherwise, a symbol ⊥is outputted. Here s k j is user j’s private key and C j is a re-encrypted ciphertext.

     
The definition 1 is correct, because that for any \(k \in \mathbb {N}\), any users ij ∈{1,...,p o l y(1 k )}, and any message \( m \in \mathcal M(pk_{i})\), if p a rS e t u p(1 k ) and (p k i , s k i ) ← K e y G e n(p a r), then we have
$$C_i = Enc(pk_i, m), Dec(sk_i, C_i) = m;$$
$$C_j = ReEnc(ReKeyGen(sk_i, pk_j), C_i), Dec_R(sk_j, C_j) = m.$$

2.2 Security models

Definition 2 (Unidirectional Single-hop PRE IND-CCA Game)

Denote k as the security parameter. Let \(\mathcal A\) be a probabilistic polynomial time (PPT) adversary and let \(\mathcal B\) be a game challenger. This game is composed of the following oracles executed by \(\mathcal A\) and \(\mathcal B\). These oracles can be invoked more than once and regardless of the order.
  1. 1.

    Setup. The challenger \(\mathcal B\) runs p a rS e t u p(1 k )to generate p a r and give to \(\mathcal A\) the output p a r.

     
  2. 2.
    Phase 1. The adversary \(\mathcal A\) can issue the following oracles.
    1. (1)

      \(\mathcal {O}_{pk}(i)\): given an index i ∈{1,...,p o l y(1 k )}, \(\mathcal B\) runs (p k i , s k i )←K e y G e n(p a r), then returns to \(\mathcal A\) the p k i .

       
    2. (2)

      \(\mathcal {O}_{sk}(i)\): given a public key p k i , \(\mathcal B\) passes to \(\mathcal A\) the private key s k i , here (p k i , s k i ) ← K e y G e n(p a r).

       
    3. (3)

      \(\mathcal {O}_{rk}(pk_{i},pk_{j})\): given public keys p k i and p k j , \(\mathcal B\) returns r k ij R e K e y G e n(s k i , p k j )to \(\mathcal A\), here (p k i , s k i ) ← K e y G e n(p a r), (p k j , s k j )← K e y G e n(p a r).

       
    4. (4)

      \(\mathcal {O}_{re}(pk_{i}, pk_{j}, C_{i})\): given public keys p k i , p k j and a user i’s ciphertext C i , \(\mathcal B\) returns a re-encrypted ciphertext C j R e E n c(r k ij , C i )to \(\mathcal A\), where r k ij R e K e y G e n(s k i , p k j ), (p k i , s k i ) ← K e y G e n(p a r)and (p k j , s k j ) ← K e y G e n(p a r).

       
    5. (5)

      \(\mathcal {O}_{dec}(sk_{i}, C_{i})\): on input C i and p k i , \(\mathcal B\) returns mD e c(s k i , C i ), where (p k i , p k j ) ← K e y G e n(p a r).

       
    6. (6)

      \(\mathcal {O}_{dec_{R}}(sk_{j}, C_{j})\): on input C j and p k j , \(\mathcal B\) returns mD e c R (s k j , C j ), where (p k j , s k j ) ← K e y G e n(p a r).

       
     
  3. 3.
    Challenge. The adversary \(\mathcal A\) returns two messages, say m 0, m 1, and a challenged public key \(pk_{i^{*}}\). If the following queries
    • (1) \(\mathcal {O}_{sk}(pk_{i^{*}})\); and

    • (2) \(\mathcal {O}_{rk}(pk_{i^{*}}, pk_{j})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index p k j ,

    are never made, \(\mathcal B\) outputs \(C_{i^{*}}=Enc(pk_{i^{*}}, m_{b})\) for \(\mathcal A\), here b is randomly choosen from {0,1}. and \(pk_{i^{*}}\) is output by \(\mathcal {O}_{pk}(i^{*})\).
     
  4. 4.
    Phase 2. The adversary \(\mathcal A\) issues queries as he did in Phase 1. However, the following queries are not issued:
    1. (1)

      \(\mathcal {O}_{sk}(pk_{i^{*}})\);

       
    2. (2)

      \(\mathcal {O}_{rk}(pk_{i^{*}}, pk_{j})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index j;

       
    3. (3)

      \(\mathcal {O}_{re}(pk_{i^{*}}, pk_{j}, C_{i^{*}})\) and \(\mathcal {O}_{sk}(pk_{j})\) for any index ij, here (i, j ∈{1,...,p o l y(1 k )});

       
    4. (4)

      \(\mathcal {O}_{dec}(pk_{i^{*}}, C_{i^{*}})\); and

       
    5. (5)
      \(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\) for any p k j and C j , if (p k j , C j ) is derived from \((pk_{i^{*}}\), \(C_{i^{*}})\). As of [13], we define the derivative of \((pk_{i^{*}}\), \(C_{i^{*}})\) as shown below.
      1. (a)

        \((pk_{i^{*}}\), \(C_{i^{*}})\) is derived from itself.

         
      2. (b)

        If a query \(\mathcal {O}_{rk}\) has been made on \((pk_{i^{*}}\), p k j )by \(\mathcal A\), a \(rk_{i^{*} \to j}\) will be returned as the re-encryption key, then computed C j \(ReEnc(rk_{i^{*} \to j}, C_{i^{*}})\), we say (p k j , C j )is derived from \((pk_{i^{*}}\), \(C_{i^{*}})\).

         
      3. (c)

        If a query \(\mathcal {O}_{re}\) has been made on \((pk_{i^{*}}, pk_{j},C_{i^{*}})\) by \(\mathcal A\), and obtained C j , then (p k j , C j )is a derivative of \((pk_{i^{*}}, C_{i^{*}})\).

         
       
     
  5. 5.

    Guess. The adversary \(\mathcal A\) returns a value b from {0,1} as his conjecture. If b equals to b, \(\mathcal A\) wins.

     

Definition 3 (CCA Security of Original Ciphertext)

: Let \(Adv_{PRE,{\mathcal A}}^{IND\text {-}CCA\text {-}Or}(1^{k})=|Pr[b' = b]-\frac {1}{2}|\) be \(\mathcal A\)’s advantage in the game described in Definition 2. An unidirectional single-hop PRE scheme is (t, q p k , q s k , q r k , q r e , q d , \(q_{d_{R}}\), 𝜖)-IND-CCA secure at original ciphertext, means that if any t-time IND-CCA adversary \({\mathcal A}\) is given at most q p k queries to \(\mathcal {O}_{pk}\), q s k queries to \(\mathcal {O}_{sk}\), q r k queries to \(\mathcal {O}_{rk}\), q r e queries to \(\mathcal {O}_{re}\), q d queries to \(\mathcal {O}_{dec}\) and \(q_{d_{R}}\) queries to \(\mathcal {O}_{dec_{R}}\), then we have \(Adv_{PRE,{\mathcal A}}^{IND\text {-}CCA\text {-}Or}\)𝜖.

Remark 1

The IND-CPA security at original ciphertext can be easily achieved from the above notion by only providing \(\mathcal {O}_{pk}\), \(\mathcal {O}_{sk}\) and \(\mathcal {O}_{rk}\) for \(\mathcal A\).

Definition 4 (CCA Security of Re-encrypted Ciphertext)

Set \(\bar {O}=\{{\mathcal {O}_{pk}}\), \({\mathcal {O}_{sk}}\), \({\mathcal {O}_{rk}}\), \({\mathcal {O}_{dec}}\), \({\mathcal {O}_{dec_{R}}}\}\). We define the advantage of \(\mathcal A\) in the following experiment with given security parameter k and state information S t a t e,
$$\begin{array}{@{}rcl@{}} Adv_{PRE,{\mathcal A}}^{IND\text{-}CCA\text{-}Re}(1^{k})&=&|Pr[b=b':\mathbf{par} \gets Setup(1^{k}); \\&&(C_{0}, C_{1},pk_{i},pk_{j^{*}}, State)\gets {\mathcal A}^{\bar{O}}(\mathbf{par}); \\&& b\in_{R} \{0,1\}; C_{j^{*}}\gets ReEnc(rk_{i \to j^{*}}, C_{b}); \\&& b' \gets {\mathcal A}^{\bar{O}}(C_{j^{*}}, State)]-\frac{1}{2}|, \end{array} $$
here i and j are two distinct indices, p k i and p k j are outputted by \({\mathcal {O}_{pk}}\), \(rk_{i \to j^{*}}\) is generated by R e K e y G e n(s k i , \(pk_{j^{*}})\). C 0 and C 1 are valid ciphertexts constructed under p k i by \({\mathcal A}\). Those oracles \({\mathcal {O}_{pk}}\), \({\mathcal {O}_{sk}}\), \({\mathcal {O}_{rk}}\), \({\mathcal {O}_{dec}}\), \({\mathcal {O}_{dec_{R}}}\) are defined in the above with limitation of the following constraints: if \({\mathcal A}\) makes queries \({\mathcal {O}_{sk}}\) on \(pk_{j^{*}}\), \({\mathcal {O}_{sk}}\) outputs ⊥. For \(\mathcal {O}_{dec_{R}}\), the query on \((pk_{j^{*}}\), \(C_{j^{*}})\) is forbidden to issue. There is no restriction on \({\mathcal {O}_{rk}}\) and \(\mathcal {O}_{dec}\). Besides, \({\mathcal {O}_{re}}\) is unnecessary as \({\mathcal A}\) is allowed for querying any re-encryption key. An unidirectional single-hop PRE scheme is (t, q p k , q s k , q r k , q d , \(q_{d_{R}},\epsilon )\)-IND-CCA secure at re-encrypted ciphertext, means that if any t-time IND-CCA adversary \({\mathcal A}\) can issue at most q p k queries to \(\mathcal {O}_{pk}\), q s k queries to \(\mathcal {O}_{sk}\), q r k queries on \(\mathcal {O}_{rk}\), q d queries to \(\mathcal {O}_{dec}\) and \(q_{d_{R}}\) queries to \(\mathcal {O}_{dec_{R}}\), we have \(Adv_{PRE,{\mathcal A}}^{IND\text {-}CCA\text {-}Re}\)𝜖.

Remark 2

In Definition 3, if \(\mathcal A\) can deduce the private key \(sk_{i^{*}}\) from \(rk_{i^{*}\to j}\) (resp. \(rk_{j \to i^{*}}\)), \(\mathcal A\) can definitely win the game above, where j is a corrupted user. Therefore, Definition 3 implies collusion resistance that the whole private key of the data owner can’t be compromised by proxy even after compromising the corresponding receiver. We can deduce the IND-CPA security at re-encrypted ciphertext from the above notion by providing \(\mathcal {O}_{pk}\), \(\mathcal {O}_{sk}\) and \(\mathcal {O}_{rk}\) for \(\mathcal A\) only.

3 Our constructions

The core technology in our solutions is PRE which allows Alice to generate a re-encryption key r k AB with her decryption key and a friend’s public key where the friend is whom that Alice intends to share her encrypted multimedia data with. For example, the friend is Bob. Then this re-encryption key r k AB will allow Bob to decrypt the encrypted content keys when used together with his own private key.

On the one hand, any multimedia data will be transformed into binary before travelling over the network, and on the other hand, proxy re-encryption (PRE) can be used as long as the data are in binary, so we can implement secure multimedia data sharing by design efficient PRE scheme. More specifically, in our PRE schemes, a message m represents a binary multimedia file.

Our system model is shown in Fig. 1. There are three roles in our scheme: multimedia data owner, a receiver and cloud server. The data owner, say Alice, will encrypt her multimedia files (such as images, audio, video etc.) using a PKE scheme (e.g. ElGamal encryption over an Elliptic Curve Group) before uploading them to the cloud server. These encrypted multimedia data (i.e. original ciphertext) are stored in the cloud. At a certain time, Alice would like to share her multimedia files with a friend Bob whereas share her private key. Therefore, Alice can use her privacy key and her friend’s public key to generate r k AB by running the ReKeyGen algorithm of our scheme. The key r k AB allows the cloud server to transform the original ciphertext into another ciphertext (i.e. re-encrypted ciphertext). This re-encrypted ciphertext can only be decrypt by Bob with his privacy key. The detail explanation of our protocol is as follows.
Fig. 1

System model

In the following section, we propose three efficient PRE schemes meet different security requirements to guarantee the privacy and security of shared multimedia data. In our schemes, encrypted multimedia files can be shared between a user, Alice, and her friend without share Alice’s private key. Each of Alice’s friend can decrypt the multimedia files using his own privata key.

3.1 A basic CPA secure PRE scheme without parings

3.1.1 Construction

A basic CPA-secure PRE scheme without parings is proposed in this part. In this scheme, the cloud server is deemed to be semi-honest, meaning that it is honest but curious about the plaintext of multimedia data owner. In this scheme, with the re-encryption key r k AB , the multimedia data owner’s encrypted data will be transformed into another form that an anticipant receiver can decrypt. Finally, The receiver decrypt the re-encrypted data by his decryption key to obtain the plaintext which is the real multimedia files Alice intends to share. This scheme is follows:
  1. 1.

    S e t u p(k): for a given security parameter \(k\in \mathbb {N}\), a group G is generated with order q and |q| = k. Denote by g the G’s generator. This algorithm also generates two hash functions H 1 and H 2, each of which maps from G to Z q . The message space is defined as G. The system parameters of the PRE is set to p a r = (G, q, g, H 1, H 2).

     
  2. 2.
    K e y G e n(p a r):
    1. (1)

      Pick two random values x i,1, x i,2 R Z q , set the private key s k i = (x i,1, x i,2).

       
    2. (2)

      Set the public key \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

       
     
  3. 3.
    E n c(p k i , m): given p k i = (p k i,1, p k i,2) and mG, a ciphertext C i is generated as shown below. Here p k i is user i’s public key, mG is a message.
    1. (1)

      Pick r randomly from Z q .

       
    2. (2)

      Compute E = m g r .

       
    3. (3)

      Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).

       
    4. (4)

      Set C i = (E, F).

       
     
  4. 4.
    R e K e y G e n(s k i , p k j ):
    1. (1)

      Randomly pick V from G and u from Z q .

       
    2. (2)

      Compute v = H 1 (V )(x i,1 H 2 (p k i,2) + x i,2)− 1 m o d q.

       
    3. (3)

      Compute U = V g u .

       
    4. (4)

      Compute \(W = pk_{j,2}^{u}\).

       
    5. (5)

      Output r k ij = (v, U, W).

       
     
  5. 5.
    R e E n c(r k ij , C i ): given r k ij = (v, U, W) and C i = (E, F), a re-encrypted ciphertext C j ia generated as shown below. Here r k ij is a re-encryption key and C i is a ciphertext under p k i .
    1. (1)

      Compute F = F v .

       
    2. (2)

      Output C j = (E, F ,U, W).

       
     
  6. 6.
    D e c(s k i , C i ): given s k i = (x i,1, x i,2) and C i = (E, F), the message m is recovered. Here s k i is user i’s private key, C i is the original ciphertext under p k i .
    1. (1)

      Compute t = x i,1 H 2 (p k i,2) + x i,2 (m o d q).

       
    2. (2)

      Output m = E(F 1/t )− 1.

       
     
  7. 7.
    D e c R (s k j , C j ):given s k j = (x j,1, x j,2) and C j = (E, F ,U, W), the message m is recovered. Here s k j is user j’s private key, C j is a re-encrypted ciphertext.
    1. (1)

      Compute \(V = U (W^{1/x_{j,2}})^{-1}\).

       
    2. (2)

      Output \(m = E (F'^{1/H_{1}(V)})^{-1}\).

       
     

3.1.2 Security analysis

In this scheme, the multimedia data owner’s files are encrypted by ElGamal encryption scheme. Therefore, the security of ElGamal encryption scheme can ensure that our scheme is secure. Moreover, throughout the whole process, as this re-encryption key r k ij alone does not allow anyone to recover the multimedia files, the network server gains no information about the multimedia data owner’s files and private key.

3.1.3 Efficiency analysis

Let EXP represents the exponentiation operation in G (assuming that G is a multiplicative group, otherwise, if G is an additive group such as an elliptic curve group, then EXP represents the elliptic curve scalar multiplication), PreEXP denotes pre-computable exponentiation operation in G. Decrypt O denotes the cost of decrypting an original ciphertext, Decrypt R represents the decryption cost of a re-encrypted message. |C O | denotes the original ciphertext size, |C R | denotes the size of a re-encrypted message. |R e K e y|denotes the size of a re-encryption key.

From Table 1, we can conclude that the number of exponentiation operations needed in each algorithm is small (say one or two), the size of the ciphertext is at most 4 elements in G, and the R e K e y contains 3 elements (2 elements in G and 1 element in Z q ).
Table 1

Efficiency analysis

Algorithm

Operation

Encrypt

2 EXP + 1 PreEXP

ReEncrypt

1 EXP

Decrypt O

1 EXP

Decrypt R

2 EXP

|C O |

2 |G|

|C R |

4 |G|

|R e K e y|

2 |G| + |Z q |

3.2 A CCA-secure paring-free PRE scheme

3.2.1 Construction

We proposed a CPA-secure PRE scheme in the above section. However, the CCA security is usually demanded in applications. For this purpose, we design a CCA-secure PRE scheme consisting of 7 algorithms:
  1. 1.
    S e t u p(k): for a given security parameter \(k\in \mathbb {N}\), the following steps are invoked:
    1. (1)

      Generate a group G with order q such that |q| = k, and picks a generator g R G.

       
    2. (2)

      Set the massage space as {0,1} k .

       
    3. (3)

      Set four hash functions: \(H_{1}:G \to Z_{q}^{*}, H_{2}:G \to Z_{q}^{*}, H_{3}:G \to \{0,1\}^{k}, H_{4}: \{0,1\}^{k} \times G \to Z_{q}^{*}.\)

       
    4. (4)

      Output the public parameters p a r = (G, q, g, H i )(i = 1,⋯ ,4).

       
     
  2. 2.
    K e y G e n(p a r):
    1. (1)

      Pick two random values x i,1, x i,2 R Z q , sets the private key s k i = (x i,1, x i,2).

       
    2. (2)

      Set the public key \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

       
     
  3. 3.
    E n c(p k i , m): given p k i = (p k i,1, p k i,2)and m ∈{0,1} k , it carries out the following steps to generate a ciphertext C i . Here p k i is user i’s public key, m ∈{0,1} k is a message.
    1. (1)

      Pick σ randomly from G, then compute r = H 4 (m, σ).

       
    2. (2)

      Compute E = σ g r .

       
    3. (3)

      Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).

       
    4. (4)

      Compute J = mH 3 (σ).

       
    5. (5)

      Set C i = (E, F, J).

       
     
  4. 4.
    R e K e y G e n(s k i , p k j ):
    1. (1)

      Randomly pick V from G and u from Z q .

       
    2. (2)

      Compute v = H 1 (V )(x i,1 H 2 (p k i,2) + x i,2)− 1 m o d q.

       
    3. (3)

      Compute U = V g u .

       
    4. (4)

      Compute \(W = pk_{j,2}^{u}\).

       
    5. (5)

      Output r k ij = (v, U, W).

       
     
  5. 5.
    R e E n c(r k ij , C i ): given r k ij = (v, U, W) and C i = (E, F, J), a re-encrypted ciphertext C j is generated. Here r k ij is the re-encryption key, C i is an original ciphertext under p k i .
    1. (1)

      Compute F = F v .

       
    2. (2)

      Output C j = (E, F ,J, U, W).

       
     
  6. 6.
    D e c(s k i , C i ): given s k i = (x i,1, x i,2) and C i = (E, F, J), the message m is recovered. Here s k i is user i’s private key, C i is the original ciphertext under p k i .
    1. (1)

      Compute t = x i,1 H 2 (p k i,2) + x i,2 m o d q.

       
    2. (2)

      Compute σ = E(F 1/t )− 1.

       
    3. (3)

      Compute m = JH 3 (σ ).

       
    4. (4)

      If \(E = \sigma ^{\prime } g^{H_{4}(m',\sigma ^{\prime })}\) holds, output m = m , otherwise output ⊥.

       
     
  7. 7.
    D e c R (s k j , C j ): given s k j = (x j,1, x j,2) and C j = (E, F ,J, U, W), the message m is recovered. Here s k j is user j’s private key, C j is a re-encrypted ciphertext.
    1. (1)

      Compute \(V = U (W^{1/x_{j,2}})^{-1}\).

       
    2. (2)

      Compute \(\sigma ^{\prime } = E (F'^{1/H_{1}(V)})^{-1}\).

       
    3. (3)

      Compute m = JH 3 (σ ).

       
    4. (4)

      If \(E = \sigma ^{\prime } g^{H_{4}(m',\sigma ^{\prime })}\) holds, output m = m , otherwise output ⊥.

       
     

3.2.2 Security analysis

Obviously, this scheme is CCA secure due to the underlying CCA-secure ElGamal encryption which generates the original ciphertext and re-encrypted ciphertext. Furthermore, since the re-encryption key r k ij alone does not allow anyone to recover the files from the encrypted files, it can ensure that the encrypted files will still remain secure even if an adversary has compromised cloud server and also obtained a copy of ReKey. In other words, the secrecy of the encrypted files is still relying on the secrecy of the private keys of multimedia data owner and her friend Bob (even after the encrypted files are shared). The detailed proof can be deduced from the security analysis described in Sections 3.3.33.3.4. We then focus on the generating of re-encryption key.
  1. 1.

    Only s k i has been taken as an input(s k i is not involved), thus, our scheme is unidirectional.

     
  2. 2.

    Even if someone can obtained s k j and r k ij simultaneously, the true value of x i,1 or x i,2 are still remain secure, as the H 1 (V )can be recovered only leak information about the value of x i,1 H 2 (p k i,2) + x i,2, so that the secret security of the multimedia data owner is ensured.

     

Remark 3

IoT has the merits of low cost and effective accessibility. However, network servers may not be fully trusted. The validity related to the data shared between users is problematic. In Internet, the users are resources-limited and hence cannot afford excessive validity checks. Therefor, in practice, it is more reasonable to add public verifiability into the construction of scheme. With public verifiability, anyone, not just the data owner, is allowed to complete the validity verification tasks without keeping any private information. Let’s consider the goal that allowing network servers to verify the correctness of ciphertext on behalf of the multimedia data owner. In the next section, we give an improved CCA secure PRE scheme, and give an thorough security analysis.

3.3 A CCA-secure publicly verifiable PRE scheme without paring (PVPRE)

3.3.1 Main idea

In practice, the multimedia data in IoT is stored in remote servers and exposed to malicious attackers. Moreover, in the context of PRE, the remote server is asked to complete the transformation from an encrypted multimedia data under the owner’s public key to another form that an anticipated recipient can decrypt, it is probable for an attacker to derive sensitive information or even tamper with the encrypted multimedia data with his own sake. The following attack gives an explanation.

Let \(C' = (E',F',J')\) be a challenged ciphertext encrypted by a challenged public key \(pk' = (pk'_{i,1}, pk'_{i,2})=(g^{x'_{i,1}}, g^{x'_{i,2}})\), where s k = (x i,1′,x i,2′) is the challenged private key, \(E' = \sigma ^{\prime } g^{r'}\), \(F' =({pk'_{i,1}}^{H_{2}(pk'_{i,2})} pk'_{i,2})^{r'}\), 0J = mH 3 (σ ). Suppose C is given to the adversary \({\mathcal A}\) and he will win the IND-CCA secure game as the following: Firstly, \({\mathcal A}\) chooses a random t from {0,1} l , and creates a new malicious ciphertext C 1 = (E 1, F 1, J 1)instead of C , here E 1 = E , F 1 = F ,J 1 = Jt. Obviously, C 1 is an invalid one. Secondly, \({\mathcal A}\) get a key pair (p k ,s k )by making a corrupted-key generation query, and also get re-encrypted ciphertext C 2 = (E 2, F 2, J 2, U, W) by making a re-encryption query on p k , here \(pk^{\prime \prime } = (pk^{\prime \prime }_{i,1}, pk^{\prime \prime }_{i,2})= (g^{x^{\prime \prime }_{i,1}}, g^{x^{\prime \prime }_{i,2}})\), s k = (x i,1″,x i,2″), E 2 = E 1, \(F_{2} = {F_{1}^{v}}\), J 2 = J 1, (v, U, W) is the re-encryption key. Finally, \({\mathcal A}\) can use private key x i,2″ to obtain \(V = U (W^{1/x^{\prime \prime }_{i,2}})^{-1}\) and \(\sigma _{2} = E_{2} (F_{2}^{1/H_{1}(V)})^{-1}\), then recover m as m = tH 3 (σ 2) ⊕ J 2. And then \({\mathcal A}\) can recover the bit δ which means \({\mathcal A}\) wins the game. We note that the queries \({\mathcal A}\) issued above are legal, because they follows the restraints in definition 2.

The adversary \({\mathcal A}\)’s attack is successful due to the reason that the validity of re-encrypted ciphertext can not be verified by the proxy (server). Thus, it is fascinating to embed public verifiability into a CCA-secure PRE scheme.

Next, we briefly describe how the public verifiability is used. Firstly, we modifies the above scheme slightly such that the original ciphertext generated by algorithm E n c(p k i , m) is the form C i = (E, F, J, s). Suppose the proxy(server) is asked to perform a ciphertext transformation. The proxy verifies \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) firstly to guarantee the validity of C i , and then outputs the re-encryption ciphertext C j = (E ,F ,J, s ,U, W).

The validity of the re-encryption ciphertext can be verified before being re-encrypted and decrypted. Thus, it is impossible for malicious attackers to obtain any advantage through tampering with the re-encrypted ciphertext.

3.3.2 Construction

Now, we give the details of our construction. We proposed a refined publicly verifiable PRE scheme called PVPRE in which the validity of ciphertexts can be publicly verified by anyone [32]. Although capturing this useful property comes at a price: three more components need to be computed in E n c and R e E n c, the public verifiability feature is attractive, it is worth the performance tradeoff. We now shown the construction of the publicly verifiable scheme.
  1. 1.
    S e t u p(k): for a given security parameter k, the following steps are invoked:
    1. (1)

      Generate a group G with order q such that |q| = k, and picks a generator g R G.

       
    2. (2)

      Define the massage space as {0,1} k .

       
    3. (3)
      Define five hash functions:
      $$\begin{array}{@{}rcl@{}} &&H_1:G \to Z_q^{*}, H_2:G \to Z_q^{*}, H_3:G \to \{0,1\}^k,\\ &&H_4:\{0,1\}^k \times G \to Z_q^{*}, H_5:G \times G \times G \to Z_q^{*}. \end{array} $$
       
    4. (4)

      Output the public parameter p a r = (G, q, g, H i )(i = 1,⋯ ,5).

       
     
  2. 2.
    K e y G e n(p a r):
    1. (1)

      Pick two random values x i,1, x i,2 R Z q , set s k i = (x i,1, x i,2)as the private key.

       
    2. (2)

      Define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\) as the public key.

       
     
  3. 3.
    E n c(p k i , m): given p k i = (p k i,1, p k i,2)and m ∈{0,1} k , it carries out the following steps to generate a ciphertext C i . Here p k i is user i’s public key and m ∈{0,1} k is a message.
    1. (1)

      Randomly pick σ from \(Z_{q}^{*}\), then compute r = H 4 (m, g σ ).

       
    2. (2)

      Compute \(E = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{\sigma }\).

       
    3. (3)

      Compute \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{r}\).

       
    4. (4)

      Compute J = mH 3 (g σ ).

       
    5. (5)

      Compute s = σ + r H 5 (E, F, J)m o d q.

       
    6. (6)

      Output C i = (E, F, J, s).

       
     
  4. 4.
    R e K e y G e n(s k i , p k j ):
    1. (1)

      Randomly pick VG, then compute u = H 1 (V ).

       
    2. (2)

      Compute v = H 2 (V )(x i,1 H 2 (p k i,2) + x i,2)− 1 m o d q.

       
    3. (3)

      Compute U = V g u .

       
    4. (4)

      Compute \(W = pk_{j,2}^{u}\).

       
    5. (5)

      Output r k ij = (v, U, W).

       
     
  5. 5.
    R e E n c(r k ij , C i ): given r k ij = (v, U, W) and C i = (E, F, J, s), a re-encrypted ciphertext C j is generated. Here r k ij is a re-encryption key, C i is the original ciphertext under p k i .
    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) is not satisfied, then return ⊥. Otherwise,

       
    2. (2)

      Compute E = E v and F = F v .

       
    3. (3)

      Compute s = s v(m o d q).

       
    4. (4)

      Output C j = (E ,F ,J, s ,U, W).

       
     
  6. 6.
    D e c(s k i , C i ): given s k i = (x i,1, x i,2) and C i = (E, F, J, s), the message m is recovered. Here s k i is user i’s private key, and C i is the original ciphertext under p k i .
    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s} = E\cdot F^{H_{5}(E,F,J)}\) is not satisfied, then return ⊥. Otherwise,

       
    2. (2)

      Compute t = x i,1 H 2 (p k i,2) + x i,2 (m o d q).

       
    3. (3)

      Compute \(g^{\sigma ^{\prime }} = E^{1/t}\).

       
    4. (4)

      Compute \(m' = J \oplus H_{3}(g^{\sigma ^{\prime }})\).

       
    5. (5)

      If \(F = (pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{H_{4}(m',g^{\sigma ^{\prime }})}\) holds, output m = m , otherwise output ⊥.

       
     
  7. 7.
    D e c R (s k j , C j ): given s k j = (x j,1, x j,2) and C j = (E ,F ,J, s ,U, W), the message m is recovered. Here s k j is user j’s private key, C j is a re-encrypted ciphertext.
    1. (1)

      If \((pk_{i,1}^{H_{2}(pk_{i,2})} pk_{i,2})^{s'} = E' \cdot {F'}^{H_{5}(E',F',J)}\) is not satisfied, then return ⊥. Otherwise,

       
    2. (2)

      Compute \(V = U (W^{1/x_{j,2}})^{-1}\).

       
    3. (3)

      Compute \(g^{\sigma ^{\prime }} = E'^{1/H_{2}(V)}\).

       
    4. (4)

      Compute \(m' = J \oplus H_{3}(g^{\sigma ^{\prime }})\).

       
    5. (5)

      If \( F' = g^{H_{4}(m',g^{\sigma ^{\prime }})H_{2}(V)}\) and \(W = pk_{j,2}^{H_{1}(V)}\) hold, output m = m , otherwise output ⊥.

       
     

Remark 4

The refined scheme PVPRE can guarantee both the multimedia data owner’s and the recipient’s anonymity simultaneously. Each proxy or anticipant recipient can easily check the validity of ciphertexts without disclosing any sensitive information.

3.3.3 Original ciphertext security analysis

Definition 5 (Decisional Diffie-Hellman (DDH) Assumption)

Consider a group G of order q, and let g be a generator of G. The DDH assumption states that, given a tuple (g, g a ,g b ,g d )for uniformly and independently chosen \(a, b, d \in Z_{q^{*}}\), decide whether d = a b.

For a given \({\mathcal A}\) with at most \(q_{H_{i}}\) queries to H i (i ∈{1,3,4,5}) to break the (t, q p k , q s k , q r k , q r e , q d , \(q_{d_{R}}\), 𝜖)-IND-CCA security of PVPRE, a polynomial time algorithm \({\mathcal B}\) will be constructed who can break the DDH assumption in G.

Our proofs works under the random oracle model. Those oracles simulated by \({\mathcal B}\) are depicted in Table 2. The tuple (G, q, g, H i )(i ∈{1,3,4,5}) is given to \({\mathcal A}\). \({\mathcal B}\) controls the random oracles H i (i ∈{1,3,4,5}) and also keeps hash lists \(H_{i}^{list}\) (i ∈{1,3,4,5}), they are initialized empty. \({\mathcal B}\) answers the queries whenever \({\mathcal A}\) issues. These answers are shown in Table 2.
Table 2

Simulations of H i (i = 1,3,4,5)

H i (.)

Simulations

H 1 (Q)

Given a tuple (Q, ρ), the \(H_{1}^{list}\) return the predefined value ρ. Otherwise, pick ρ randomly from \(Z_{q}^{*}\), add tuple (Q, ρ) to \(H_{1}^{list}\), then return H 1 (Q) = ρ.

H 3 (R)

Given a tuple (R, ξ), the \(H_{3}^{list}\) return the predefined value ξ. Otherwise, pick ξ randomly from {0, 1} k , add tuple (R, ξ) to \(H_{3}^{list}\), then return H 3 (R) = ξ.

H 4 (m, g σ )

Given a tuple (m,,σ, g σ ,r), the \(H_{4}^{list}\) return the predefined value r.

 

Otherwise, pick r randomly from \(Z_{q}^{*}\), add tuple (m,,σ, g σ ,r) to \(H_{4}^{list}\), then return H 4 (m, g σ ) = r.

H 5 (E, F, J)

Given a tuple (E, F, J, γ), the \(H_{5}^{list}\) return the predefined value γ.

 

Otherwise, pick γ randomly from \(Z_{q}^{*}\), add tuple (E, F, J, γ) to \(H_{5}^{list}\), then return H 5 (E, F, J) = γ.

\({\mathcal B}\) also keeps two lists K l i s t and R l i s t , they are initialized empty. Here the lists K l i s t is used to store key-pair (i.e. public key and private key) and the re-encryption key is stored in list R l i s t .

Theorem 1

The scheme PVPRE is IND-CCA secure at the original ciphertext, if the DDH assumption hold in group G.

Proof

Phase 1 A number of queries are issued by adversary \({\mathcal A}\), \({\mathcal B}\) responses to \({\mathcal A}\) as follows.
  1. 1.
    \(\mathcal {O}_{pk}(i)\): the uncorrupted-keys and corrupted-keys are generated by \({\mathcal B}\) as shown below.
    • (1) Uncorrupted-key. \({\mathcal B}\) choose \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) randomly and draws a coin c i ∈{0,1} that generates 1 with probability 𝜃 and 0 otherwise [20].
      • (a) If c i = 1, define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = (g^{x_{i,1}}, g^{x_{i,2}})\).

      • (b) If c i = 0, define \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{\frac {1}{a}})^{x_{i,1}}, (g^{\frac {1}{a}})^{x_{i,2}})\).

      Then, the tuple (p k i , x i,1, x i,2, c i )is added to K l i s t and p k i is returned to \({\mathcal A}\).
    • (2) Corrupted-key. \({\mathcal B}\) choose \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) randomly, and set p k i =\((g^{x_{i,1}}\), \(g^{x_{i,2}})\), c i = . Then the tuple (p k i , x i,1, x i,2, c i ) is added to K l i s t and output (p k i ,(x i,1, x i,2))to \({\mathcal A}\).

     
  2. 2.

    \(\mathcal {O}_{sk}(i)\): \({\mathcal B}\) recovers (p k i , x i,1, x i,2, c i ) firstly from K l i s t . If c i = 1, output (p k i ,(x i,1, x i,2)) to \({\mathcal A}\), else return a bit b R {0,1}then aborts.

     
  3. 3.
    \(\mathcal {O}_{rk}(pk_{i},pk_{j})\): If there is a tuple (p k i , p k j )in R l i s t , it outputs \({\mathcal A}\) the predefined re-encryption key. Otherwise, \({\mathcal B}\) takes action as shown below:
    • (1) Extract two tuple (p k i , x i,1, x i,2, c i ), (p k j , x j,1, x j,2, c j )by searching K l i s t .

    • (2) Randomly choose VG, compute u = H 1 (V )and h = H 2 (V ).

    • (3) Compute U = V g u and \(W = pk_{j,2}^{u}\).

    • (4) Compute v according to the following case:
      • (a) (c i = 0 ∧ c j = ), output ⊥and aborts.

      • (b) (c i = 1 ∨ c j = ), sets v = h(x i,1 H 2 (p k i,2) + x i,2)− 1 m o d q and set τ = 1. In this case, v is obviously correct due to s k i = (x i,1, x i,2).

      • (c) (c i = 0 ∧ c j ), randomly pick \(v \gets Z_{q}^{*}\) and set τ = 0. In this case, the value h, which related to U, W, would not match with a random v, this depends on the CCA security of ElGamal encryption scheme.

    • (5) If \({\mathcal B}\) does not aborts, add (p k i , p k j ,(v, U, W),h, τ)to R l i s t .

    • (6) Output r k ij = (v, U, W)to \({\mathcal A}\).

     
  4. 4.
    \(\mathcal {O}_{re}(pk_{i}, pk_{j}, C_{i})\):
    • (1) If \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s} \neq E\cdot F^{H_{5}(E, F, J)}\), return symbol ⊥which means C i is invalid.

    • (2) Otherwise, extracts tuples (p k i , x i,1, x i,2, c i )and (p k j , x j,1, x j,2, c j )by searching K l i s t .

    • (3) If condition c i = 0and c j = are not satisfied simultaneously, the query \(\mathcal {O}_{rk}(pk_{i}, pk_{j})\) is issued to generate a r k ij = (v, U, W)for \({\mathcal A}\).

    • (4) Else, searching the tuple \((R, \beta ) \in H_{3}^{list}\) and \((m, \sigma , g^{\sigma }, r) \in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma } = E\), \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F\). If no eligible tuple exist, output ⊥.

    • (5) Extract (p k i , p k j ,(v, U, W),h, τ)from R l i s t , define E = g σ h , F = g r h , s = s v.

    • (6) Return C j = (E ,F ,J, s ,U, W) to \({\mathcal A}\).

     
  5. 5.
    \(\mathcal {O}_{dec}(pk_{i}, C_{i})\): \({\mathcal B}\) first parses p k i = (p k i,1, p k i,2) and extract tuple (p k i , x i,1, x i,2, c i ) by searching K l i s t .
    • (1) If (c i = 1 ∨ c j = ), \({\mathcal B}\) runs D e c((x i,1, x i,2),c i ), then output the result to \({\mathcal A}\).

    • (2) Else,
      • (a) if \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s} \neq E\cdot F^{H_{5}(E, F, J)}\), output symbol ⊥which indicates C i is invalid.

      • (b) else, search list \(H_{3}^{list}\) and \(H_{4}^{list}\) to find tuples \((R, \beta )\in H_{3}^{list}\) and \((m, \sigma , g^{\sigma }, r)\in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma } = E, (pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F, \beta \oplus m = J, R = g^{\sigma }.\) if such two tuples are exist, output m to \({\mathcal A}\). else output ⊥.

     
  6. 6.
    \(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\): \({\mathcal B}\) first parses p k j = (p k j,1, p k j,2) and recovers tuple (p k j , x j,1, x j,2, c j ) from K l i s t . If (c j = 1 ∨ c j = ), \({\mathcal B}\) runs D e c R ((x j,1, x j,2),C j ) and returns the result to \({\mathcal A}\). Otherwise,
    • (1) if \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{s'} \neq E' \cdot F'^{H_{5}(E', F', J)}\), output symbol ⊥which indicates C j is invalid.

    • (2) Else, if there exists a tuple (p k i , p k j ,(v, U, W),V,0) ∈ R l i s t , compute \(E = E'^{\frac {1}{v}}\), \(F = F'^{\frac {1}{v}}\), search to see whether there exist \((R, \beta )\in H_{3}^{list}\) and \((m, \sigma , g^{\sigma }, r)\in H_{4}^{list}\) such that \((pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{\sigma } = E, (pk_{i,1}^{H_{2}(pk_{i,2})}pk_{i,2})^{r} = F, \beta \oplus m = J, R = g^{\sigma }.\) If such two tuples are exist, output m to \({\mathcal A}\), otherwise, output ⊥. Actually, the value of each U, W in R l i s t is correct.

     
Challenge If \({\mathcal A}\) find that Phase 1 is finish, it returns 3 contents (\(pk_{i^{*}}\), m 0, m 1), here \(pk_{i^{*}} = (pk_{i^{*},1}, pk_{i^{*},2})\) is a challenged public key, m 0, m 1 ∈{0,1} k are messages. Algorithm \({\mathcal B}\) extract tuple \((pk_{i^{*}} , x_{i^{*},1}, x_{i^{*},2}, c_{i^{*}})\) by searching K l i s t . In accordance with the constraints in definition 2, we obtain \(c_{i^{*}} \in \{0,1\}\), \({\mathcal B}\) chooses δ ∈{0,1} and acts as shown below:
  1. 1.

    If \(c_{i^{*}} = 1\), challenger \({\mathcal B}\) picks a value b R {0,1}, then aborts.

     
  2. 2.

    Else, compute \(E^{*} = (g^{b})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}}\).

     
  3. 3.
    Choose \(e^{*}, t^{*}\gets Z_{q}^{*}\), set s = e t randomly and compute
    $$F^{*} = (g^{b})^{-(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})\frac{1}{e^{*}}} \times(g^{\frac{1}{a}})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})t^{*}}. $$
     
  4. 4.

    Choose J ←{0,1} k randomly, set H 5 (E ,F ,J ) = e .

     
  5. 5.

    Choose \(\sigma ^{*} \gets Z_{q}^{*}\) randomly, implicitly define σ = d and H 3 (g d ) = m δ J .

     
  6. 6.

    Output a challenge original ciphertext C = (E ,F ,J ,s ) for \({\mathcal A}\).

     
According to the construction, if d = a b, the challenge ciphertext C is indistinguishable from the real one. This can be demonstrated as follows. Let \(\sigma ^{*} \triangleq ab\), \(r^{*} \triangleq (t^{*} - \frac {ab}{e^{*}})\), we have
$$\begin{array}{@{}rcl@{}}E^{*} &=& (g^{b})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}} \\ &=& ((g^{\frac{1}{a}})^{x_{i,1}H_{2}(pk_{i,2})+x_{i,2}})^{ab}\\ &=& (pk_{i^{*},1}^{H_{2}(pk_{i^{*},2})}pk_{i^{*},2})^{\sigma^{*}}\\ F^{*} &=& (g^{b})^{-(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})\frac{1}{e^{*}}} \times(g^{\frac{1}{a}})^{(x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2})t^{*}} \\ &=& ((g^{\frac{1}{a}})^{x_{i^{*},1}H_{2}(pk_{i^{*},2}) + x_{i^{*},2}})^{(t^{*} - \frac{ab}{e^{*}})}\\ &=& (pk_{i^{*},1}^{H_{2}(pk_{i^{*},2})}pk_{i^{*},2})^{r^{*}}\\ J^{*} &=& H_{3}(g^{ab})\oplus m_{\delta} = H_{3}(g^{\sigma^{*}})\oplus m_{\delta}\\ s^{*} &=& ab + (e^{*}t^{*} - ab) \\ &=& ab + (t^{*} - \frac{ab}{e^{*}})e^{*} \\ &=& \sigma^{*} + r^{*} \cdot H_{5}(E^{*}, F^{*}, J^{*}). \end{array} $$

Phase 2 \({\mathcal A}\) makes queries continuously according to the constraints in definition 2. Challenger \({\mathcal B}\) answers to \({\mathcal A}\)’s queries.

Guess \({\mathcal A}\) passes to \({\mathcal B}\) a bit δ ∈{0,1} as its conjecture. If δ equals to δ, \({\mathcal B}\) return 1 meaning d = a b; otherwise returns 0 meaning random value \(d\in _{R} Z_{q}^{*}\).

The description of the simulation is completed. Next, the correctness of the simulation above will be demonstrated.

Analysis With adversary \({\mathcal A}\), the DDH problem can be solved with the advantage 𝜖 by algorithm \({\mathcal B}\) within time t , here
$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}} - \epsilon_{1}\right),\\ &&t^{\prime} \leq t + \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &&+ (7q_{re} + 2q_{rk} + (q_{H_{3}} + q_{H_{4}})q_{re} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

Denotes t e x p as the time cost that an exponentiation operation needed in G, let 𝜖 1 be the advantage of breaking the CCA security of ElGamal encryption.

The key point of our correctness proof is referenced from [17]. We analysis these simulations firstly. Obviously, according to the construction of H 4, the corresponding simulation is perfect. Denote by \(AskH_{4}^{*}\) a event that issue query to H 4 on (m, g σ ), similarly, let \(AskH_{5}^{*}\) be a event that (E ,F ,J ) has been queried to H 5 before Challenge phase. The simulation of H 4 and H 5 are prefect, only if \({\mathcal A}\) neither query (m, g σ )to H 4 nor (E ,F ,J ) to H 5. In Challenge phase, since J is chosen from {0,1} k randomly, we have \(Pr[AskH_{5}^{*}]\leq \frac {q_{H_{5}}}{2^{k}}\).

Let A s k H 3 be the event that g d has been queried to H 3. The corresponding simulation is also prefect, only if g d is not queried to H 3 by \({\mathcal A}\) during the Challenge phase.

It is obvious that the simulated queries for public/private key generation are perfect. Denote Aborts be the event that \({\mathcal B}\) aborts when interacts with \({\mathcal A}\) in a query \(\mathcal {O}_{rk}\) or challenge phase. Notice that the probability P rAborts]is given by \(\theta ^{q_{rk}}(1-\theta )\) with the upper bound \(\frac {q_{rk}}{1+q_{rk}}\), then we have \(\theta ^{q_{rk}}(1-\theta )\geq \frac {1}{e(1+q_{rk})}\).

Then, we can see that the simulation of query \(\mathcal {O}_{rk}\) is not different from the real one, except for the case (c i = 0 ∧ c j ), here the component v is chosen randomly. If the event Aborts did not happen, the real one and its corresponding simulation are computationally indistinguishable for the following truth:
  1. 1.

    c j indicate that the private key s k j is unknown to \({\mathcal A}\).

     
  2. 2.

    \((pk_{j,2}^{u}, Vg^{u})\) with u = H 1 (V )is actually an ciphertext of V encrypted under p k j,2 by using the underlying ElGamal encryption scheme based on the DDH assumption.

     

Now, we analyze the simulation of query \(\mathcal {O}_{re}\). If \({\mathcal A}\) cannot submit a valid original ciphertext without querying H 3 and H 4 (denoted by REErr), the simulation of re-encryption query \(\mathcal {O}_{re}\) is perfect too. However, since H 3 and H 4 act as random oracles, we have \(Pr[REErr]\leq \frac {2q_{re}}{q}\).

The simulations of the decryption oracles, namely \(\mathcal {O}_{dec}\) and \(\mathcal {O}_{dec_{R}}\), are perfect, unless the simulation errors happened in the situation that a valid ciphertext is rejected. But, it is not significant for these errors happening, the reason is as follows. Assume that a decryption query Q has been issued. Even if Q is a valid query, it is possible to generate Q with a probability without querying H 3 on g σ .

Denote Valid as the event indicating Q is a valid query, denote A s k H 3 as the event that g σ has been queried to H 3. We note that the probability that \({\mathcal A}\) can lead to a valid J with reference to the output of H 3 without querying H 3 is \(\frac {1}{q}\). Then, we haveP r[V a l i dA s k H 3 ]\(\leq \frac {1}{q}.\)

Denote D e c E r r as the event that V a l i dA s k H 3 occurred during the whole simulation. As the decryption oracles issued by \({\mathcal A}\) is at most \((q_{d} + q_{d_{R}})\), we get \(Pr[DecErr]\leq \frac {(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} + \frac {q_{d} + q_{d_{R}}}{q}\).

Finally, let E r r be the event \((AskH_{3}^{*}\vee AskH_{5}^{*}\vee REErr\vee DecErr)|\)¬Aborts. If E r r dose not happen, since the output of H 3 is random, the advantage of \({\mathcal A}\) in guessing a δ is less than \(\frac {1}{2}\). In other word, \(Pr[\delta ^{\prime } = \delta | \neg Err] = \frac {1}{2}\) holds. Therefore, we expand P r[δ = δ ]to obtain
$$\begin{array}{@{}rcl@{}} Pr[\delta = \delta^{\prime}] &=& Pr[\delta = \delta^{\prime}| Err]Pr[Err] + Pr[\delta = \delta^{\prime}|\neg Err]Pr[\neg Err] \\ &\leq & Pr[Err] + \frac{1}{2}Pr[\neg Err] = \frac{1}{2}Pr[Err] + \frac{1}{2} \end{array} $$
and \(Pr[\delta = \delta ^{\prime }]\geq Pr[\delta = \delta ^{\prime }|\neg Err]Pr[\neg Err] = \frac {1}{2} - \frac {1}{2}Pr[Err].\)
By the definition of 𝜖, we have
$$\begin{array}{@{}rcl@{}} \epsilon &\leq & |Pr[\delta = \delta^{\prime}] - \frac{1}{2}| \leq \frac{1}{2}Pr[Err] \\ &= & \frac{1}{2} Pr[(AskH_{3}^{*}\vee AskH_{5}^{*}\vee REErr\vee DecErr)| \neg \textbf{Aborts}]\\ &\leq & (Pr[AskH_{5}^{*}] + Pr[AskH_{3}^{*}] + Pr[REErr] + Pr[DecErr]) / 2Pr[\neg \textbf{Aborts}], \end{array} $$
then we have
$$\begin{array}{@{}rcl@{}} Pr[AskH_{3}^{*}] &\geq & 2Pr[\neg \textbf{Aborts}]\cdot \epsilon - Pr[AskH_{5}^{*}] - Pr[DecErr]- Pr[REErr]\\ &\geq & \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{H_{5}}}{2^{k}} - \frac{(q_{H_{3}}+q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{2q_{re}}{q}\\ &=& \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}. \end{array} $$
Meanwhile, if \(AskH_{3}^{*}\) occur, algorithm \({\mathcal B}\) can solve the DDH instance. Therefore, we have
$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq & \frac{1}{q_{H_{3}}}Pr[AskH_{3}^{*}]\\ & =& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(q_{rk} + 1)} - \frac{q_{d} + q_{d_{R}} + 2q_{re}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}\right). \end{array} $$
Base on the above simulations, the bound on algorithm \({\mathcal B}\)’s running time is given by
$$\begin{array}{@{}rcl@{}} t' \leq t &+& \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &+& (2q_{rk} + 7q_{re} + (q_{H_{3}} + q_{H_{4}})q_{re} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

3.3.4 Re-encrypted ciphertext security analysis

For re-encrypted ciphertext security, the task is to decide decide whether \(d = \frac {b}{a}\) given (g, g a ,g b ,g d ) ∈ G 3 with unknown \(a, b \gets Z_{q}^{*}\). H i (i ∈{1,3,4,5}) is the same as proof of Theorem 1.

Theorem 2

Our scheme PVPRE is IND-CCA secure at the re-encrypted ciphertext, if the DDH assumption holds in group G.

Proof

Phase 1 A number of queries issued by adversary \({\mathcal A}\), \({\mathcal B}\) responses to \({\mathcal A}\) as follows.
  1. 1.
    \(\mathcal {O}_{pk}(i)\): the uncorrupted-keys and corrupted-keys are generated by \({\mathcal B}\) as shown below .
    • (1) Uncorrupted-key. \({\mathcal B}\) randomly choose \(x_{i,1}, x_{i,2}\gets Z_{q}^{*}\) and draws a coin c i ∈{0,1} that generates 1 with probability 𝜃 and 0 otherwise [20].
      • (a) If c i = 1, set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = \left ((g^{a})^{\frac {1}{H_{2}(pk_{i,2})}}\cdot g^{x_{i,1}}, \frac {g^{x_{i,2}}}{g^{a}}\right )\).

      • (b) If c i = 0, set \(pk_{i} = (pk_{i,1}, pk_{i,2}) = ((g^{a})^{x_{i,1}}, (g^{a})^{x_{i,2}})\).

      Next, the tuple (p k i , x i,1, x i,2, c i )is added to K l i s t and return p k i to the adversary \({\mathcal A}\).
    • (2) Corrupted-key. \({\mathcal B}\) acts as the same in Theorem 1.

     
  2. 2.
    \(\mathcal {O}_{rk}(pk_{i},pk_{j})\): If there is a tuple (p k i , p k j )in R l i s t , output to \({\mathcal A}\) a re-encryption key which is predefined. Otherwise, \({\mathcal B}\) takes action as shown below:
    • (1) Extract two tuple (p k i , x i,1, x i,2, c i ), (p k j , x j,1, x j,2, c j )by searching K l i s t .

    • (2) Compute r k ij under the following situation:
      • 1) If (c i = 1 ∨ c i = ):
        1. (a)

          Randomly pick VG, compute u = H 1 (V )and h = H 2 (V ).

           
        2. (b)

          Set v = h(x i,1 H 2 (p k i,2) + x i,2)and τ = 1.

           
        3. (c)

          Compute U = V g u and \(W = pk_{j,2}^{u}\).

           
      • 2) If (c i = 0 ∧ c j = 0)
        1. (a)

          Randomly pick \(v\gets Z_{q}^{*}\), set τ = 0.

           
        2. (b)

          Randomly pick \(z\gets Z_{q}^{*}\), set \(g^{u} = (g^{\frac {b}{a}})^{\frac {z}{x_{j,2}}}\), which defines W = (g b ) z .

           
        3. (c)

          Randomly pick U ←{0,1} k , implicitly define \(V = \frac {U}{g^{u}}\).

           
      • 3) If (c i = 0 ∧ c j ≠ 0): output ⊥and aborts.

    • (3) If \({\mathcal B}\) does not aborts, add (p k i , p k j ,(v, U, W),z, τ)into list R l i s t .

    • (4) Return r k ij = (v, U, W) to the adversary \({\mathcal A}\).

     
  3. 3.

    \(\mathcal {O}_{dec}(pk_{i}, C_{i})\): \({\mathcal B}\) acts as the same in Theorem 1.

     
  4. 4.

    \(\mathcal {O}_{dec_{R}}(pk_{j}, C_{j})\): \({\mathcal B}\) acts as the same in Theorem 1.

     
Challenge If \({\mathcal A}\) find that Phase 1 is finish, it returns 4 components (p k i , \(pk_{j^{*}}\), m 0, m 1), here p k i is a public key, \(pk_{j^{*}}\) is a challenge public key, m 0 and m 1 are messages. Algorithm \({\mathcal B}\) extract two tuples (p k i , x i,1, x i,2, c i ) and \((pk_{j^{*}} , x_{j^{*},1}, x_{j^{*},2}, c_{j^{*}})\) by searching K l i s t . Based on the restriction in definition 2, we have \(c_{i}, c_{j^{*}} \in \{0,1\}\), \({\mathcal B}\) chooses a δ ∈{0,1}then make simulations for a challenged ciphertext. More specifically,
  1. 1.

    If c i = 1or \(c_{j^{*}} = 1\), algorithm \({\mathcal B}\) returns a value b R {0,1}, then aborts.

     
  2. 2.
    If \(c_{i} = 0 \wedge c_{j^{*}} = 0\), algorithm \({\mathcal B}\) generates the challenge ciphertext by the following steps:
    • (1) Retrieve \((pk_{i}, pk_{j^{*}}, (v^{*}, U^{*}, W^{*}), z^{*}, 0)\) from R l i s t .

    • (2) Randomly pick \(t \gets Z_{q}^{*}\), set E = (g b ) t , implicitly define σ h = b t, i.e. \(\sigma ^{*} = \frac {bt}{h^{*}}\).

    • (3) Randomly pick \(e^{*}\gets Z_{q}^{*}\), set F = (g b ) e , implicitly define r h = b e, i.e. \(r^{*} = \frac {be}{h^{*}}\).

    • (4) Randomly pick J ←{0,1} k , implicitly define
      $$J^{*} = H_{3}((g^{\frac{b}{a}})^{\frac{t}{v^{*}(x_{i,1}H_{2}(pk_{i,2}) + x_{x_{i},2})}})\oplus m_{\delta}.$$
      Recall that h = H 2 (V ) = v a(x i,1 H 2 (p k i,2) + x i,2)for c i = 0.
    • (5) Randomly pick \(k^{*}\gets Z_{q}^{*}\), set H 5 (E ,F ,J ) = k , which defines s = t h + e k h .

    • (6) Otherwise, take the following steps to set U , W and z .
      • (a) Randomly pick \(z^{*}\gets Z_{q}^{*}\), set \(g^{u^{*}} = (g^{d})^{\frac {z^{*}}{x_{j,2}}}\), implicitly define \(W^{*} = (g^{b})^{z^{*}}\).

      • (b) Randomly pick U ←{0,1} k , implicitly define \(V^{*} = \frac {U^{*}}{g^{u^{*}}}\)

      • (c) Add U , W and z into R l i s t .

    • (7) Pass to \({\mathcal A}\) the C = (E ,F ,J ,s ,U ,W )as the challenged re-encrypted ciphertext.

     

Phase 2 \({\mathcal A}\) makes queries continuously according to the restrictions in definition 2. \({\mathcal B}\) answers to \({\mathcal A}\)’s queries.Guess \({\mathcal A}\) passes to \({\mathcal B}\) a bit δ ∈{0,1} as its conjecture. If δ equals to δ, \({\mathcal B}\) return 1 meaning \(d = \frac {b}{a}\); otherwise returns 0 meaning \(d\in _{R} Z_{q}^{*}\).

The description of the simulation is completed. We now show the correctness of the above simulation.

Analysis With adversary \({\mathcal A}\), the DDH problem can be solved with advantage 𝜖 by \({\mathcal B}\) within time t , here
$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq& \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}} - \epsilon_{1}\right),\\ &&t^{\prime} \leq t + \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &&+ ((6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + 2q_{rk})t_{exp} . \end{array} $$
Denote t e x p as the time cost that an exponentiation operation needed in G, let 𝜖 1 be the advantage of breaking the CCA security of ElGamal encryption.

As described in Theorem 1, it is clear that the answers passed to \({\mathcal A}\) are all perfect, including the queries of public and private key generation, re-encryption, and also re-encryption key generation. The simulations of the two decryption queries are perfect too, unless the simulation errors happened in the case of rejecting some valid ciphertext which denoted by D e c E r r. As in Theorem 1, a similar analysis can yield \(Pr[DecErr]\leq \frac {(q_{H_3} + q_{H_4})(q_d + q_{d_R})}{2^k} + \frac {q_d + q_{d_R}}{q}.\)

Based on the above analysis, we can conclude that the simulations for H i (i = 1,2,4) are perfect too.

Denote \(AskH_3^{*}\) as the event that \((g^{\frac {b}{a}})^{\frac {t}{v^{*}(x_{i,1}H_2(pk_{i,2}) + x_{x_i,2})}}\) has been queried to H 3, \(AskH_5^{*}\) denotes the event that (E ,F ,J ) has been queried to H 5. The simulation of H 3 and H 5 are perfect too, only if \(AskH_3^{*}\) and A s k H5∗ doesn’t occur, here t and J are chosen randomly. Denote E r r as the even (A s k H3∗∨ A s k H5∗∨ R E E r rD e c E r r)|¬Aborts. As in Theorem 1, A similar analysis can yield
$$\begin{array}{@{}rcl@{}} Pr[AskH_{3}^{*}] &\geq & 2Pr[\neg \textbf{Aborts}]\cdot \epsilon - Pr[AskH_{5}^{*}] - Pr[DecErr]\\ &\geq & \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{H_{5}}}{2^{k}} - \frac{(q_{H_{3}}+q_{H_{4}})(q_{d} + q_{d_{R}})}{2^{k}} - \frac{q_{d} + q_{d_{R}}}{q}\\ &=& \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}. \end{array} $$
Meanwhile, if \(AskH_3^{*}\) occurred, the DDH instance can be solved by \({\mathcal B}\). Therefore, we have
$$\begin{array}{@{}rcl@{}} \epsilon^{\prime} &\geq & \frac{1}{q_{H_{3}}}Pr[AskH_{3}^{*}]\\ & = & \frac{1}{q_{H_{3}}}\left( \frac{2\epsilon}{e(1+q_{rk})} - \frac{q_{d} + q_{d_{R}}}{q} - \frac{(q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}) + q_{H_{5}}}{2^{k}}\right). \end{array} $$
Based on the above simulations, the bound on algorithm \({\mathcal B}\)’s running time is given by
$$\begin{array}{@{}rcl@{}} t' \leq t &+& \left( \sum\limits_{i = 1}^{5} q_{H_{i}} + q_{pk} + q_{sk} + q_{rk} + q_{re} + q_{d} + q_{d_{R}}\right)O(1) \\ &+& (2q_{rk} + (6+ q_{H_{3}} + q_{H_{4}})(q_{d} + q_{d_{R}}))t_{exp}. \end{array} $$

3.3.5 Efficiency analysis

We now make an efficiency comparison between our PVPRE and Chow et al. [17].

Notations in Table 3, namely EXP, PreEXP, Decrypt O , Decrypt R , |C O |, |C R |, |R e K e y|, are the same meaning as in Table 1. Specifically, \((pk_{i,1}^{H_2(pk_{i,2})} pk_{i,2})\) can be pre-computed in our scheme PVPRE.
Table 3

Efficiency comparison

Algorithm

Chow et al. [17]

Our scheme PVPRE

Encrypt

3 EXP + 1 PreEXP

3 EXP + 1 PreEXP

ReEncrypt

6 EXP + 1 PreEXP

4 EXP + 1 PreEXP

Decrypt O

4 EXP + 1 PreEXP

4 EXP + 1 PreEXP

Decrypt R

4 EXP

6 EXP + 1 PreEXP

|C O |

3 |G| + |Z q |

3 |G| + |Z q |

|C R |

4 |G|

5 |G| + |Z q |

|R e K e y|

5 |G| + |Z q |

5 |G| + |Z q |

Pairing-Free

Y

Y

Public verifiability

N

Y

Nine aspects are compared in Table 3. These are described in more detail below.
  • Encrypt algorithm: This algorithm have the same exponentiation operations both in [17] and ours.

  • ReEncrypt algorithm: In scheme [17], there are 6 exponentiation operations needed to be calculated, while 4 exponentiation operations needed in our scheme.

  • Decrypt O algorithm: This algorithm have the same exponentiation operations both in [17] and ours.

  • Decrypt R algorithm: This algorithm have 4 exponentiation operations, while 6 in ours.

  • C O Size: The original ciphertext contains 4 components (3 in Gand 1 in Z q ) both in [17] and ours.

  • C R Size: In scheme [17], the re-encrypted ciphertext has 4 G components. In our scheme, there are 6 components (5 in G and 1 in Z q ).

  • ReKey Size: The re-encryption key size is the same both in [17] and ours.

  • Pairing-Free Feature: Both the scheme [17] and ours are removing pairing from the construction.

  • Public Verifiability Feature: In scheme [17], only the original ciphertext can be verified. In our scheme, the validity of ciphertexts can be publicly verified, that is, anyone can check the validity of an original ciphertext as well as a re-encrypted ciphertext.

From Table 3, compared with the Chow et al. scheme [17], our PVPRE scheme is more efficient by saving two exponentiation operations in G at the algorithm ReEncrypt of our scheme PVPRE. More importantly, our scheme PVPRE achieves the public verifiability by using only two more exponentiations in G at the Decrypt R phase. It is worth the performance tradeoff, since the public verifiability feature is attractive, which makes our scheme PVPRE more flexible in various applications, such as multimedia data sharing.

Remark 5

In our scheme PVPRE, the computational complexity incurred by generating ReKey as well as the ReKey size are both independent to the number of encrypted files to be shared with Bob, and the validity check of ciphertexts can be offloaded from Alice to the semi-honest cloud. Hence, we solve both of the technical problems described in Section 1. First, we significantly reduce the computational burden of Alice during multimedia data sharing. Second, as this re-encryption key ReKey alone does not allow anyone to recover the files from the encrypted files, it can ensure that the encrypted files will still remain secure even if an adversary has compromised Dropbox and also obtained a copy of ReKey. In other words, the secrecy of the encrypted files is still relying on the private keys secrecy of multimedia data owner and his friend, even after the encrypted files are shared.

4 Conclusion

In this work, we address the privacy and security problem of multimedia data sharing in IoT by developing new PRE schemes. In contrast to all existing CCA-secure schemes in which the public verifiability is depended on bilinear parings, we construct a new publicly verifiable CCA-secure PRE scheme in which the costly pairings is removed. And the efficiency comparison demonstrates that our proposed scheme is highly efficient than most existing pairing-base PRE schemes. More importantly, our constructions satisfy the following features simultaneously: (1) CCA-secure; (2) paring-free; (3) public verifiability; (4)simple design. We believe that our design will be useful for fostering multimedia data security and also improving the usability of secure IoT.

We also raise some open problems, such as constructing PRE scheme with the following features: (1)multi-hop, (2)bidirectional, (3)pairing-free, (4)CCA-secure and (5)publicly verifiable.

Notes

Acknowledgement

I would like to thank Prof. Duncan S. WONG for his instructive suggestions, which have significantly improved the design and revised the manuscript. Hu’s research was supported in part by the Scientific Research Fund of Hunan Provincial Education Department (No. 15C0536), Tang’s research was supported in part by the Foundation of National Natural Science of China (No. 11271003), Guangdong Province Natural Science Foundation of major basic research and Cultivation project (No. 2015A030308016), Project of Ordinary University Innovation Team Construction of Guangdong Province (No. 2015KCXTD014), Basic Research Major Projects of Department of education of Guangdong Province (No. 2014KZDXM044) and Collaborative Innovation Major Projects of Bureau of Education of Guangzhou City (No. 1201610005). The authors declare that they have no conflict of interest.

References

  1. 1.
    Amin R, Kumar N, Biswas GP, Iqbal R., Chang V (2016) A light weight authentication protocol for IoT-enabled devices in distributed Cloud Computing environment. Future Generation Computer SystemsGoogle Scholar
  2. 2.
    Armknecht F, Sadeghi AR (2008) A new approach for algebraically homomorphic encryption. IACR Cryptology ePrint Archive 2008:422Google Scholar
  3. 3.
    Ateniese G, Camenisch J, Joye M, Tsudik G (2000) A practical and provably secure coalition-resistant group signature scheme. In: Annual international cryptology conference. Springer, Berlin, pp 255–270Google Scholar
  4. 4.
    Ateniese G, Fu K, Green M, Hohenberger S (2005) Improved proxy re-encryption schemes with applications to secure distributed storage. In: IN NDSSGoogle Scholar
  5. 5.
    Ateniese G, Fu K, Green M, Hohenberger S (2006) Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans Inf Syst Secur (TISSEC) 9(1):1–30CrossRefzbMATHGoogle Scholar
  6. 6.
    Ateniese G, Benson K, Hohenberger S (2009) Key-private proxy re-encryption. In: Cryptographers Track at the RSA Conference. Springer, Berlin, pp 279–294Google Scholar
  7. 7.
    Bianchi T, Piva A (2013) Secure watermarking for multimedia content protection: a review of its benefits and open issues. IEEE Signal Proc Mag 30(2):87–96CrossRefGoogle Scholar
  8. 8.
    Bianchi T, Piva A, Barni M (2009) On the implementation of the discrete Fourier transform in the encrypted domain. IEEE Trans Inf Forensics Secur 4(1):86–97CrossRefGoogle Scholar
  9. 9.
    Blaze M, Bleumer G, Strauss M (1998) Divertible protocols and atomic proxy cryptography. In: Advances in CryptologyEUROCRYPT’98, pp 127–144Google Scholar
  10. 10.
    Boneh D, Goh EJ, Nissim K (2005) Evaluating 2-DNF formulas on ciphertexts. In: TCC, vol 3378, pp 325–341Google Scholar
  11. 11.
    Bouslimi D, Coatrieux G, Roux C (2012) A joint encryption/watermarking algorithm for verifying the reliability of medical images: application to echographic images. Comput Methods Prog Biomed 106(1):47–54CrossRefGoogle Scholar
  12. 12.
    Cancellaro M, Battisti F, Carli M, Boato G, De Natale FG, Neri A (2011) A commutative digital image watermarking and encryption method in the tree structured Haar transform domain. Signal Process Image Commun 26(1):1–12CrossRefzbMATHGoogle Scholar
  13. 13.
    Canetti R, Hohenberger S (2007) Chosen-ciphertext secure proxy re-encryption. In: Proceedings of the 14th ACM conference on computer and communications security. ACM, pp 185–194Google Scholar
  14. 14.
    Canetti R, Krawczyk H, Nielsen JB (2003) Relaxing chosen-ciphertext security. In: Annual international cryptology conference. Springer, Berlin, pp 565–582Google Scholar
  15. 15.
    Chang V, Kuo YH, Ramachandran M (2016) Cloud computing adoption framework: a security framework for business clouds. Futur Gener Comput Syst 57:24–41CrossRefGoogle Scholar
  16. 16.
    Cheng H, Li X (2000) Partial encryption of compressed images and videos. IEEE Trans Signal Process 48(8):2439–2451CrossRefGoogle Scholar
  17. 17.
    Chow SS, Weng J, Yang Y, Deng RH (2010) Efficient unidirectional proxy re-encryption. In: International conference on cryptology in Africa. Springer, Berlin, pp 316–332Google Scholar
  18. 18.
    Chu CK, Tzeng WG (2007) Identity-based proxy re-encryption without random oracles. In: International conference on information security. Springer, Berlin, pp 189–202Google Scholar
  19. 19.
    Cohen JD, Fischer MJ (1985) A robust and verifiable cryptographically secure election scheme. Yale University. Department of Computer Science, pp 372–382Google Scholar
  20. 20.
    Coron JS (2000) On the exact security of full domain hash. In: Annual international cryptology conference. Springer, Berlin, pp 229–235Google Scholar
  21. 21.
    Damgard I, Jurik M (2003) A length-flexible threshold cryptosystem with applications. In: ACISP, vol 3, pp 350–356Google Scholar
  22. 22.
    Deng RH, Weng J, Liu S, Chen K (2008) Chosen-ciphertext secure proxy re-encryption without pairings. In: International conference on cryptology and network security. Springer, Berlin, pp 1–17Google Scholar
  23. 23.
    ElGamal T (1985) A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans Inf Theory 31(4):469–472MathSciNetCrossRefzbMATHGoogle Scholar
  24. 24.
    Fouda JAE, Effa JY, Sabat SL, Ali M (2014) A fast chaotic block cipher for image encryption. Commun Nonlinear Sci Numer Simul 19(3):578–588MathSciNetCrossRefGoogle Scholar
  25. 25.
    Goldwasser S, Micali S (1982) Probabilistic encryption and how to play mental poker keeping secret all partial information. In: Proceedings of the fourteenth annual ACM symposium on Theory of computing. ACM, pp 365–377Google Scholar
  26. 26.
    Goldwasser S, Micali S (1984) Probabilistic encryption. J Comput Syst Sci 28(2):270–299MathSciNetCrossRefzbMATHGoogle Scholar
  27. 27.
    Goldwasser S, Kharchenko D (2005) Proof of plaintext knowledge for the Ajtai-Dwork cryptosystem. In: TCC, pp 529–555Google Scholar
  28. 28.
    Gentry C (2009) Fully homomorphic encryption using ideal lattices. In: STOC, vol 9, pp 169–178Google Scholar
  29. 29.
    Goto K, Sasaki Y, Hara T, Nishio S (2013) Data gathering using mobile agents for reducing traffic in dense mobile wireless sensor networks. Mob Inf Syst 9(4):295–314Google Scholar
  30. 30.
    Green M, Ateniese G (2007) Identity-based proxy re-encryption. In: Applied Cryptography and Network Security. Springer, Berlin, pp 288–306Google Scholar
  31. 31.
    Hohenberger S, Rothblum GN, Vaikuntanathan V (2007) Securely obfuscating re-encryption. In: Theory of cryptography conference. Springer, Berlin, pp 233–252Google Scholar
  32. 32.
    Hu X, Tang C, Wong DS (2016) Highly efficient proxy re-encryption schemes for user-end encrypted cloud data sharing. In: 2016 15th International Symposium on Parallel and Distributed Computing (ISPDC). IEEE, pp 261–268Google Scholar
  33. 33.
    Ivan AA, Dodis Y (2003) Proxy cryptography revisited. In: NDSSGoogle Scholar
  34. 34.
    Kawachi A, Tanaka K, Xagawa K (2007) Multi-bit cryptosystems based on lattice problems. In: International workshop on public key cryptography. Springer, Berlin, pp 315–329Google Scholar
  35. 35.
    Khurana H, Hahm HS (2006) Certified mailing lists. In: Proceedings of the 2006 ACM Symposium on information, computer and communications security. ACM, pp 46–58Google Scholar
  36. 36.
    Khurana H, Slagell A, Bonilla R (2005) SELS: A secure e-mail list service. In: Proceedings of the 2005 ACM symposium on applied computing. ACM, pp 306–313Google Scholar
  37. 37.
    Libert B, Vergnaud D (2008) Unidirectional chosen-ciphertext secure proxy re-encryption. In: International workshop on public key cryptography. Springer, Berlin, pp 360–379Google Scholar
  38. 38.
    Libert B, Vergnaud D (2008) Tracing malicious proxies in proxy re-encryption. In: International conference on pairing-based cryptography. Springer, Berlin, pp 332–353Google Scholar
  39. 39.
    Melchor CA, Castagnos G, Gaborit P (2008) Lattice-based homomorphic encryption of vector spaces. In: IEEE international symposium on information theory, 2008. ISIT 2008. IEEE, pp 1858– 1862Google Scholar
  40. 40.
    Paillier P (1999) Public-key cryptosystems based on composite degree residuosity classes. In: Eurocrypt, vol 99, pp 223–238Google Scholar
  41. 41.
    Peikert C, Waters B (2011) Lossy trapdoor functions and their applications. SIAM J Comput 40(6):1803–1844MathSciNetCrossRefzbMATHGoogle Scholar
  42. 42.
    Shao J, Cao Z (2009) CCA-Secure proxy re-encryption without pairings. In: International workshop on public key cryptography. Springer, Berlin, pp 357–376Google Scholar
  43. 43.
    Shao J, Xing D, Cao Z (2008) Analysis of cca secure unidirctional id-based pre scheme. Technical Report of TDT, Shanghai Jiao Tong UniversityGoogle Scholar
  44. 44.
    Smith T (2005) DVD Jon: buy DRM-less tracks from apple itunes. 2012-10-01]. http://www.theregister.co.uk/2005/03/18/itunes_pymusique.
  45. 45.
    Talmy A, Dobzinski O (2006) Abuse freedom in access control schemes. In: 20th international conference on advanced information networking and applications, 2006. AINA 2006, vol 2. IEEE, pp 77–86Google Scholar
  46. 46.
    Vijayakumar P, Azees M, Chang V, Deborah J, Balusamy B (2017) Computationally efficient privacy preserving authentication and key distribution techniques for vehicular ad hoc networks. Clust Comput 12:1–12Google Scholar
  47. 47.
    Wang Z, Cao C, Yang N, Chang V (2017) ABE with improved auxiliary input for big data security. J Comput Syst Sci 89:41–50MathSciNetCrossRefzbMATHGoogle Scholar
  48. 48.
    Yang Y, Zheng X, Chang V, Ye S, Tang C (2017) Lattice assumption based fuzzy information retrieval scheme support multi-user for secure multimedia cloud. Multimedia Tools and Applications 1–15Google Scholar
  49. 49.
    Ye C, Ling H, Zou F, Lu Z, Xiong Z, Zhang K (2013) A novel JFE scheme for social multimedia distribution in compressed domain using SVD and CA. In: The international workshop on digital forensics and watermarking 2012. Springer, Berlin, pp 507–519Google Scholar
  50. 50.
    Ye C, Xiong Z, Ding Y, Wang G, Li J, Zhang K (2014) Joint fingerprinting and encryption in hybrid domains for multimedia sharing in social networks. J Vis Lang Comput 25(6):658– 666CrossRefGoogle Scholar
  51. 51.
    Zhang J, Wang XA (2012) On the security of a multi-use CCA-secure proxy re-encryption scheme. In: 2012 4th international conference on intelligent networking and collaborative systems (INCoS). IEEE, pp 571–576Google Scholar
  52. 52.
    Zhang J, Wang XA (2012) Security analysis of a multi-use identity based CCA-secure proxy re-encryption scheme. In: 2012 4th international conference on intelligent networking and collaborative systems (INCoS). IEEE, pp 581–586Google Scholar
  53. 53.
    Zhang M, Wang XA, Li W, Yang X (2013) CCA secure publicly verifiable public key encryption without pairings nor random oracle and its applications. JCP 8(8):1987–1994Google Scholar

Copyright information

© The Author(s) 2017

Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.

Authors and Affiliations

  • Xing Hu
    • 1
    • 2
  • Chunming Tang
    • 3
    Email author
  • Duncan S. Wong
    • 4
  • Xianghan Zheng
    • 5
  1. 1.School of Mathematical and Computational ScienceHunan University of Science and TechnologyHunanChina
  2. 2.Key Laboratory of Information Secirity, School of Mathematics and Information ScienceGuangzhou UniversityGuangzhouChina
  3. 3.School of Mathematics and Information ScienceGuangzhou UniversityGuangzhouChina
  4. 4.CryptoBLK CompanyHong KongChina
  5. 5.College of Mathematics and Computer SciencesFuzhou UniversityFuzhouChina

Personalised recommendations