Identity-Based Proxy Re-Encryption Scheme Using Fog Computing and Anonymous Key Generation

Abstract

In the fog computing architecture, a fog is a node closer to clients and responsible for responding to users’ requests as well as forwarding messages to clouds. In some medical applications such as the remote healthcare, a sensor of patients will first send encrypted data of sensed information to a nearby fog such that the fog acting as a re-encryption proxy could generate a re-encrypted ciphertext designated for requested data users in the cloud. Specifically, a data user can request access to cloud ciphertexts by sending a query to the fog node that will forward this query to the corresponding data owner who preserves the right to grant or deny the permission to access his/her data. When the access request is granted, the fog node will obtain a unique re-encryption key for carrying out the re-encryption process. Although some previous concepts have been proposed to fulfill these application requirements, they either have known security flaws or incur higher computational complexity. In this work, we present an identity-based proxy re-encryption scheme on the basis of the fog computing architecture. Our identity-based mechanism uses public channels for key distribution and avoids the troublesome problem of key escrow. We also formally prove that the proposed protocol is secure in the IND-PrID-CPA notion. Furthermore, we show that our work exhibits better performance in terms of computational complexity.

1. Introduction

Cloud computing was first introduced by Chellappa [1] who hoped to store data in remote servers via networks. In 2006, Amazon brought in the so-called Amazon Web Services (AWS) to seek more business opportunities. Since then, such services have been widely developed and spread out. Many companies like Microsoft and Google are gradually competing for the cloud computing market due to its advantages in reducing costs and improving productivity. Cloud services have also become an inevitable part of our daily life. When using cloud services, we have to pay attention to the safeguard of Internet security [2] by employing all kinds of cryptographic techniques [3,4,5,6].

Clouds are not only for storage; the deployment model influences managing and owning the cloud, and the location and users of the cloud. According to the location of stored data and how the technologies are deployed and consumed, we can classify cloud service models into three kinds, as follows:

(i)

Public Cloud: It is usually constructed by third-party cloud service companies (such as Google (Mountain View, CA, USA), Azure (Redmond, WA, USA), etc.). Users can purchase storage space from service providers and the latter will be responsible for system maintenance, which helps with reducing unnecessary user costs. Yet, the security is low owing to uncontrollable cloud environments.

(ii)

Private Cloud: It is constructed by the individual company and hence has high security and privacy. However, it requires self-maintenance and the cost is relatively high.

(iii)

Hybrid Cloud: It combines the advantages of public and private clouds and can separately store data by its confidentiality. Nevertheless, it is also relatively difficult to manage and maintain.

According to the definition given in NIST SP 800-145, the cloud service model is also categorized into the following three kinds:

(i)

Software as a Service (SaaS): It is the most common model in which users can utilize all kinds of interfaces (including web-based or program-based) to acquire resources and web services [7] such as stream media platforms running on cloud infrastructure. The advantage of this model is that users do not have to be responsible for controlling or maintaining the cloud infrastructure, such as communication networks [8], operating systems, storage, and applications.

(ii)

Platform as a Service (PaaS): In this model, the cloud service provider is responsible for providing application development platforms such as storage capacity, computing resources, programming languages, libraries and related development tools, etc. Users can utilize these tools to deploy consumer-created application programs on the cloud infrastructure and they do not have to control or maintain the cloud infrastructure.

(iii)

Infrastructure as a Service (IaaS): The cloud service provider supplies users with all kinds of storage, computing, and network resources, and users can utilize these infrastructures to deploy their own platforms and application programs. The advantage of this model is that users do not have to control or maintain the cloud infrastructure, but have the control over their deployed applications, storage, and operating systems.

Fog computing in IoT environments [9,10,11] is an extension of cloud computing and was first addressed by the research of Stolfo et al. [12], who attempt to protect the cloud data security [13] with the assistance of fog computing. Bonomi et al. [14] viewed the fog as a cloud closer to the ground and users. The architecture of fog computing can also benefit by sharing cloud data. A proxy re-encryption (PRE) scheme [15] is a commonly adopted ciphertext sharing protocol in which a ciphertext intended for Alice can be re-encrypted into another ciphertext designated for Bob by a proxy. When we combine the PRE scheme with fog computing, a fog would act as the proxy to carry out the cloud ciphertext transformation process, so as to reduce the network transmission latency. However, the privacy of cloud ciphertexts in the transformation must be further assured and the fog node (proxy) should learn nothing about the ciphertext.

2. Related Work

In 2010, Luo et al. [16] developed a ciphertext-policy attribute-based PRE scheme using AND-Gates policy. In particular, their policy supports multi-value attributes, negative attributes, and wildcards. They also showed that their mechanism fulfills the property of unidirectionality, non-interactivity, and multi-use. Moreover, in their scheme, the encryptor can decide if the ciphertext can be re-encrypted.

Considering the property of keyword search, in 2012, Fang et al. [15] proposed a chosen-ciphertext secure-anonymous-conditional PRE with keyword search. That is, they provided the PRE mechanism with the property of keyword search. Additionally, they gave the CCA security definition of conditional PRE schemes and showed that their protocol satisfies such a definition. Wang et al. [17] further introduced a constrained PRE scheme with a conjunctive keyword search. Specifically, their mechanism is both single-hop and unidirectional.

In 2013, Liang et al. [18] addressed a ciphertext-policy attribute-based PRE with chosen-ciphertext security assuming the hardness of the decisional q-parallel bilinear Diffie–Hellman exponent problem. In this mechanism, a ciphertext with respect to a given access policy is able to be re-encrypted into one in relation to another access policy. Their scheme is suitable for any monotonic access structure. They proved the security of their scheme in the random oracle model. Considering the queries from intra-domain and inter-domain in a cloud computing scenario, Han et al. [19] proposed an identity-based PRE scheme. Their scheme is secure against collusion attacks and the access permission could be made by the data owner, rather than by the central authority. However, the computational complexity of their scheme is high.

In 2014, Liang et al. [20] presented an adaptively CCA-secure ciphertext-policy attribute-based PRE for cloud data sharing. Their work integrated the dual system encryption technology with selective proof technique to achieve the adaptive CCA security in the standard model. Additionally, their work supports any monotonic access structures.

To improve the security of sharing data using QR codes, Akhil et al. [21] combined the PRE mechanism with QR code applications. Using QR codes to share data among different users is a commonly utilized approach. However, it is easily altered during transmission, since the format of QR codes is only readable by machines.

For improving the security of cloud storage, in 2018, Zeng and Choo [22] introduced a new conditional PRE scheme that is also known as the sender-specified PRE, i.e., SS-PRE, since their scheme only allows the proxy to transform the ciphertexts of the designated sender to the delegatee. They also present the formal definition of their SS-PRE scheme and prove its security in the standard model.

In order to share data securely in the cloud, in 2020, Zhang et al. [23] proposed an identity-based data storage scheme combining the architecture of fog computing. In their scheme, the fog node sends the request of the data user to both the cloud and the data owner. If the requested data user is non-revoked and has access privilege, the data owner will delegate the fog node to perform the cloud ciphertext re-encryption process. The fog node then forwards the re-encrypted ciphertext to the data user for decryption.

Considering the security of message transmission in a group, in 2021, Xiong et al. [24] presented a so-called puncturable PRE scheme on the identity-based cryptosystem. In particular, there is a message server that carries out the ciphertext re-encryption for all users and thus the computational efforts of the user sides are released. Yet, the message server plays a crucial role in the system performance and might become an obvious attacking target.

In 2022, Lin et al. [25] improved Zhang et al.’s scheme [23] by eliminating some security flaws. They also showed that their enhanced scheme maintains the properties to revoke invalid users and generate private keys anonymously. Although their work has improved security, which is provably secure in the random oracle model, the computational complexity is still high. Motivated by this challenging problem, we propose a more efficient PRE scheme based on the study of Lin et al. [25]. Up to the present, there have been several PRE mechanisms [26,27,28,29,30,31,32] proposed for different applications. However, only a few works [19,23,25] take the issue of cloud computing or fog computing scenarios into consideration. We compare the proposed mechanism with these schemes and show the computational advantage of ours in a later section.

The main contribution of this study is to propose an identity-based PRE scheme for the fog computing scenario and using the technique of anonymous key generation. In the proposed system, we use public channels for key distribution and avoid the troublesome problem of key escrow. In addition, the decision of access privilege for cloud ciphertexts is controlled by the data owner, rather than by the central authority. Moreover, we demonstrate that the proposed protocol is not only IND-PrID-CPA secure, but also has lower computational costs.

3. Preliminaries

Let the symbols (G₁, G₂) be two multiplicative groups and p is a prime order of both groups. We express e: G₁ × G₁ → G₂ as a symmetric bilinear pairing. The properties of e are listed as follows:

(i) 

Bilinearity:  

Given a group element g in G₁ and two integers a, b in Z_p, we have e(g^a, g^b) = e(g, g)^ab.

(ii) 

Non-degeneracy: 

There are group elements A, B in G₁ such that e(A, B) ≠ 1.

(iii) 

Computability: 

Given two group elements A, B in G₁, the value e(A, B) can be efficiently computed.

Decisional Bilinear Diffie–Hellman (DBDH) Problem and Assumption

Let the problem instance be (g, g^x, g^y, g^z, e(g, g)^xyz, C) in which (g, g^x, g^y, g^z) are elements in G₁ while (e(g, g)^xyz, C) are elements in G₂; the DBDH problem has to decide if the equality e(g, g)^xyz = C holds or not. Its assumption asserts that the chance of any adversary running in polynomial-time to solve the DBDH problem is insignificant.

4. Proposed IB-PRE-FCAK Scheme

Before introducing the proposed identity-based proxy re-encryption scheme using fog computing and anonymous key generation (short for IB-PRE-FCAK), we first address the system model and composed algorithms.

4.1. System Model

We illustrate the system model for our proposed IB-PRE-FCAK scheme in Figure 1, and it is mainly composed of three levels. Among the hierarchy, the top level is a cloud server that can be viewed as a data repository center storing ciphertexts. The middle level is a collection of fog nodes that process requests from users and transmit ciphertexts to the cloud server. The third level consists of the data owner and the data user. The former generates ciphertexts to be uploaded to the cloud server while the latter can request access to cloud ciphertexts. Note that both the ciphertext uploading and downloading processes are assisted by the fog nodes. In particular, the data owner can authorize the fog node to perform the ciphertext re-encryption procedure for sharing cloud ciphertexts with other data users. Moreover, there is also a private key generation center (PKG) responsible for issuing private keys to all users.

4.2. Algorithms

The IB-PRE-FCAK scheme can be divided into several subroutines, i.e., Setup, KeyExtract, Enc, Tkgen, RKgen, Re-Enc, and Dec. We define the parameters and corresponding outputs of these subroutines as follows:

– 

Setup(1^l): This subroutine utilizes the value l as a security parameter and returns the system public information Φ along with the master secret key Msk.

– 

KeyExtract(Φ, Msk, ID): This subroutine utilizes three input parameters (Φ, Msk, ID) where ID is a user identity, and performs an interactive process to return the private key K_ID associated with ID.

– 

Enc(Φ, ID, m, SK): This subroutine utilizes four input parameters (Φ, ID, m, SK) where (m, SK) separately represents a plaintext and a symmetric encryption key. It returns a ciphertext C of the plaintext m under the key SK.

– 

Tkgen(Φ, ID_u, K_IDu, C_ind): This subroutine utilizes four input parameters (Φ, ID_u, K_IDu, C_ind) where C_ind is the name of data category, and then returns a token T_u,ind.

– 

RKgen(Φ, ID_u, K_IDo, T_u,ind): This subroutine utilizes five input parameters (Φ, ID_u, K_IDo, T_u,ind) where ID_o is the data owner. It returns either the symbol of error ⊥ or a corresponding key RK_o,u,ind for re-encryption.

– 

Re-Enc(Φ, ID_u, C, RK_o,u,ind): This subroutine utilizes four input parameters (Φ, ID_u, C, RK_o,u,ind) and then returns a re-encrypted ciphertext C′.

– 

Dec(Φ, K_ID, C*): This subroutine utilizes three input parameters (Φ, K_ID, C*) where C* could be C or C′, and then returns a plaintext m.

4.3. Construction

We introduce a concrete construction based on the previously defined subroutines. First, some utilized symbols are defined as

Table 1. Symbol notations.

Notation	Description
l	security value
G1, G2	groups of prime order p
g	a generator of G1
e	a bilinear map satisfying e: G1 × G1 → G2
s	master secret key
Q	master public key satisfying Q = gs
RL	revocation list
h1, h2, h3	collision-resistant hash functions
Φ	system public information
SK	symmetric key
E(·)/D(·)	symmetric encryption/decryption function
{r1, r2, r3}	ciphertext
Cind	data category name
(w1, w2, w3)	re-encryption key
(r1′, r2, r3, r4′, r5′)	re-encrypted ciphertext

:

– 

Setup: Taking the value l as a security value, the PKG chooses G₁ and G₂ groups of prime order p and both are multiplicative. Let the symbol g denote a generator in group G₁ and the notation e be a bilinear map written as e: G₁ × G₁ → G₂. Msk determined by the PKG is a random value s ∈ Z_p*, and its corresponding master public key (Mpk) is calculated as Q = g^s. There is also a user revocation list, i.e., RL, maintained by the PKG. Whenever ID_i has to be revoked, the PKG renews RL as RL′ = RL ∪ {ID_i}. Three collision-resistant hash functions are defined as follows:

h_i: {0, 1}* → G₁, for i = 1 and 2

h₃: G₂ → G₁

Except for Msk, all the other parameters could be viewed as the system public information Φ.

– 

KeyExtract: For obtaining his/her private key, a user ID_i randomly chooses integers d_i, k_i∈ Z_p* and computes

D_i = g^di,

(1)

H′_i = D_i·h₁(ID_i ‖ k_i)

(2)

The values (ID_i, H′_i) are delivered to the PKG. After receiving it, the PKG derives

K′_i = (H′_i·h₂(ID_i ‖ ID_PKG))^s,

(3)

and sends K′_i back to ID_i. Consequently, ID_i is able to calculate his private key as

K_i = K′_i/(Q)^di = (h₁(ID_i‖ k_i)·h₂(ID_i‖ ID_PKG))^s

(4)

With the following equality, the correctness of K_i can be easily verified.

e(K_i, g) = e(h₁(ID_i ‖ k_i)·h₂(ID_i ‖ ID_PKG), Q)

(5)

– 

Enc: Let m = (m₁, m₂, …, m_n) be a plaintext to be encrypted and SK ∈ G₂ a chosen symmetric key. A data owner ID_o then selects an integer z ∈ _R Z_p* to calculate

r₁ = SK · e(Q, (h₁(ID_o ‖ k_o)·h₂(ID_o ‖ ID_PKG))^z),

(6)

r₂ = g^z,

(7)

r₃ = (E(SK, m₁), E(SK, m₂), …, E(SK, m_n))

(8)

where the notation E(·) denotes the symmetric encryption function.

Here, the ciphertext C is composed of {r₁, r₂, r₃}. Next, the data owner sends (ID_o, C) along with the data category name C_ind to the adjacent fog. It stores (ID_o, C_ind, r₁, r₂) in the local repository and further transmit (ID_o, C_ind, r₃) to the cloud server.

– 

Tkgen: For accessing the cloud data with respect to the data category name C_ind, a data user ID_u randomly selects an integer r ∈ _R Z_p* to compute

R = g^r,

(9)

and delivers his request (ID_u, C_ind, R) to the adjacent fog. It then searches for the record (ID_o, C_ind, r₁, r₂) from the local repository and further forwards the token T_u,ind = (ID_u, R) to the associated data owner ID_o.

– 

RKgen: Upon obtaining the token T_u,ind = (ID_u, R), the data owner ID_o asks the PKG to check if the maintained user revocation list RL contains ID_u. If it does, an error symbol ⊥ is sent to the requested data user ID_u via the assistance of the fog. Or else, ID_o randomly selects two random numbers t, y ∈ Z_p* and computes

w₁ = Q^t

(10)

$$w_2=\frac{K_o{w}_1}{h_3\left(e\left(h_2(I{D}_u||I{D}_{PKG})R^y, Q\right)\right)}$$

(11)

w₃ = e(g^y, Q)

(12)

Next, ID_o sends the re-encryption key RK_o,u,ind = (w₁, w₂, w₃) to the fog node.

– 

Re-Enc: Upon receiving RK_o,u,ind, the fog re-encrypts the original ciphertext C as C′ by setting

r₁′ = r₁·e(w₁, r₂),

(13)

r₄′ = w₂,

(14)

r₅′ = w₃

(15)

At last, the re-encrypted ciphertext C′ consisting of (r₁′, r₂, r₃, r₄′, r₅′) is sent back to ID_u. Note that the partial ciphertext r₃ can be retrieved from the cloud storage.

– 

Dec: In the case that the data owner ID_o wants to access his/her original ciphertext C = (r₁, r₂, r₃), he/she can derive the symmetric key by computing

$$SK=\frac{r_1}{e\left(r_2, K_o\right)}$$

(16)

Then, the plaintext can be decrypted as

m = (m₁, m₂, …, m_n) = (D(SK, r_{3, 1}), D(SK, r_{3, 2}), …, D(SK, r_{3, n})).

(17)

where D(·) is a symmetric decryption function.

The correctness of Equation (16) can be verified as follows. From the right side of Equation (16), it can be derived that

$$\begin{array}{cc}\hfill \frac{r_1}{e\left(r_2,K_o\right)}& =\frac{SK·e\left(Q, {(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^z\right)}{e\left(g^z,{(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^s\right)}\hfill \\ \hfill & =\frac{SK·e(g^{sz}, (h_1(I{D}_O||k_O)h_2(I{D}_O||I{D}_{PKG})))}{e\left(g^z,{(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^s\right)}\hfill \\ \hfill & =SK\hfill \end{array}$$

Whenever a data user ID_u obtains a re-encrypted ciphertext C′ that is composed of (r₁′, r₂, r₃, r₄′, r₅′), he/she first utilizes his/her own private key K_u to calculate

$$X={r_4}^{\prime }·h_3\left(\frac{{r^{\prime }}_5^r·e\left(K_u, g\right)}{e\left(h_1(I{D}_u||k_u), Q\right)}\right)$$

(18)

$$SK=\frac{{r_1}^{\prime }}{e\left(X, r_2\right)}.$$

(19)

Consequently, the plaintext m can be decrypted with the symmetric key SK by Equation (17). We give the derivations of Equation (19) below. Our first step is to simplify Equation (18):

$$\begin{array}{cc}\hfill {X}& ={r_4}^{\prime }·h_3\left(\frac{{r^{\prime }}_5^r·e\left(K_u, g\right)}{e\left(h_1(I{D}_u||k_u),Q\right)}\right)\hfill \\ \hfill & =\frac{K_o{w}_1}{h_3\left(e\left(h_2(I{D}_u||I{D}_{PKG})R^y,Q\right)\right)}{h}_3\left(\frac{e\left(g^{yr}, Q\right)e\left(K_u,g\right)}{e\left(h_1(I{D}_u||k_u),Q\right)}\right)\hfill \\ \hfill & =\frac{K_o{w}_1}{h_3\left(e\left(h_2(I{D}_u||I{D}_{PKG})R^y,Q\right)\right)}{h}_3\left(\frac{e\left(g^{yr}, Q\right)e\left(h_1(I{D}_u||k_u)h_2(I{D}_u||I{D}_{PKG}),g^s\right)}{e\left(h_1(I{D}_u||k_u),Q\right)}\right)\hfill \\ \hfill & =\frac{K_o{w}_1}{h_3\left(e\left(h_2(I{D}_u||I{D}_{PKG})R^y,Q\right)\right)}{h}_3\left(e\left(R^y{h}_2(I{D}_u||I{D}_{PKG}), Q\right)\right)\hfill \\ \hfill & =K_o{w}_1\hfill \end{array}$$

Next, we could rewrite Equation (19) as

$$\begin{array}{cc}\hfill \frac{{r_1}^{\prime }}{e\left(X, r_2\right)}& =\frac{r_1·e\left(w_1, r_2\right)}{e\left(K_o{w}_1,r_2\right)}\hfill \\ \hfill & =\frac{SK·e\left(Q,{(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^z\right)e\left(Q^t,g^z\right)}{e\left({(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^s{Q}^t,g^z\right)}\hfill \\ \hfill & =\frac{SK·e\left({(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^s{Q}^t,g^z\right)}{e\left({(h_1(I{D}_O\left|\right|k_O)h_2(I{D}_O\left|\right|I{D}_{PKG}))}^s{Q}^t,g^z\right)}\hfill \\ \hfill & =SK\hfill \end{array}$$

5. Formal Model and Security Proof

The fundamental security for any encryption scheme is confidentiality. There is also a well-defined security model for PRE schemes. We adopt this security model to demonstrate formally the security of the proposed IB-PRE-FCAK protocol. Namely, we initially review the security definition of IND-PrID-CPA, i.e., indistinguishability against adaptively chosen identity and chosen plaintext attacks. Then, we demonstrate that the proposed construction fulfills the secure notion of IND-PrID-CPA by utilizing the proof techniques of random oracle models.

The concept of this security proof is a technique of proof by contradiction. That is, we first assume that there is an adversary who is able to break the proposed scheme under the adaptively chosen identity and chosen plaintext attacks. Then, we can take the advantage of this adversary to break a well-known intractable cryptographic assumption with non-negligible advantage. Since there is no efficient polynomial-time algorithm that could solve any well-known cryptographic assumption, we conclude that our initial assumption is wrong, which also completes the whole security proof.

(IND-PrID-CPA) In the following interactive game between a probabilistic adversary $A$ and a challenger $B$, if the former does not have a non-negligible advantage to defeat the latter in polynomial-time, we say that an IB-PRE-FCAE scheme fulfills the security requirement of indistinguishability under the attacks of adaptively chosen identity and chosen-plaintext:

Setup: At first, the challenger $B$ invokes the Setup(1^l) subroutine to obtain system public information Φ along with the master secret key Msk. The adversary $A$ can only learn the public information Φ.

Phase 1: $A$ is allowed to adaptively invoke the following queries:

–

KeyExtract Queries: $A$ can query the private key for his chosen identity.

–

RKgen Queries: $A$ can query the re-encryption key for his chosen (ID_o, ID_u, C_ind) in which ID_u has to be a non-revoked data user and C_ind is the name of data category.

Challenge: $A$ chooses the identity of ID* as an object and prepares the plaintext m* = (m₁*, m₂*, …, m_n*). Let (SK₀, SK₁) be symmetric keys with an identical length. Then, $B$ flips a bit bt and then creates a challenge ciphertext C* = (r₁*, r₂*, r₃*) in relation to (ID*, m*, SK_bt) for $A$.

Phase 2: Given the ciphertext C*, the adversary $A$ goes on to invoke previous queries based on the following limits:

–

The KeyExtract query with respect to ID*, i.e., the target identity, is prohibited.

–

Any RKgen query for the identities (ID*, ID_u) or (ID_o, ID*) is prohibited.

–

$A$ can invoke at most q_ke KeyExtract and q_rk RKgen queries.

Guess: After invoking enough queries, $A$ returns a bit bt′. We say that $A$ wins this game, provided that bt′ = bt. Therefore, we can express $A$’s advantage as Adv($A$) = | Pr[bt′ = bt′] − 1/2 |.

Using the techniques of random oracle proof models, we prove that the proposed IB-PRE-FCAK scheme satisfies the security notion of IND-PrID-CPA as Theorem 1.

Theorem 1. 

Provided thatthe DBDH assumption holds, the proposed IB-PRE-FCAK scheme satisfies the security requirement of indistinguishability under adaptively chosen identity and chosen plaintext attacks (IND-PrID-CPA). Specifically, an algorithm $B$ breaking the DBDH problem with non-negligible advantage ε′ can be created by utilizing a probabilistic adversary $A$ that is able to break the IND-PrID-CPA security of the proposed IB-PRE-FCAK scheme with non-negligible advantage ε in polynomial-time. To be precise, the non-negligible advantage ε′ can be expressed as

$${\epsilon }^{\prime } \ge \frac{\epsilon }{e\left(q_{ke}+q_{rk}+1\right)}$$

where q_ke and q_rk are the maximum numbers of KeyExtract and RKgen queries, respectively.

Proof. 

Given an instance (g, g^a, g^b, g^c, e(g, g)^abc, F) of DBDH, we build an algorithm $B$ to judge if e(g, g)^abc = F holds or not by taking the adversary $A$ as subroutine. In the following interactions, $B$ is responsible for responding to various queries submitted by $A$.

Setup: At first, the challenger $B$ invokes the Setup(1^l) subroutine to obtain system public information Φ. Let (h₁, h₂) be random oracles and h₃ a collision-resistant hash function. $B$ further sets Mpk = Q = g^a, i.e., Msk is implicitly specified as the value a unknown to $B$.

Phase 1: $A$ is allowed to adaptively invoke the following queries:

–

h₁(ID_i ‖ k_i) query: In this query, $B$ first searches the maintained h₁-list for a matched record. Or else, he selects a bit η such that Pr[η = 1] = τ. The value τ would be derived subsequently. Whenever η = 0, $B$ returns the value J₁ = (g^b)^v1 in which v₁ ∈ Z_p^*. Otherwise, J₁ is computed as g^v1. The maintained h₁-list is also renewed by adding the record (ID_i, k_i, η, v₁, J₁).

–

h₂(ID_i ‖ ID_PKG) query: In this query, $B$ first searches the maintained h₂-list for a matched record. Or else, he returns the value J₂ = g^v2 in which v₂ ∈ Z_p^*. The maintained h₂-list is also renewed by adding the record (ID_i, ID_PKG, v₂, J₂).

–

KeyExtract query: In response to the KeyExtract(ID_i) query, $B$ tries to determine the corresponding records (ID_i, k_i, η, v₁, J₁) and (ID_i, ID_PKG, v₂, J₂) in h₁-list and h₂-list, respectively. (If one datum exists, $B$ could directly invoke the two queries to create records.) As long as η = 1, $B$ aborts; or else, the return value is computed as K_i = $Q^{\left(v_1 + v_2\right)}$

–

RKgen query: In response to the RKgen(ID_o, ID_u, C_ind) query in which ID_u is a non-revoked user, $B$ obtains the private key K_IDo by invoking the KeyExtract(ID_o) query and checks the record (ID_i, k_i, η, v₁, J₁) kept in the h₁-list. As long as η = 0, $B$ aborts. Or else, $B$ chooses random numbers r, t, y ∈ Z_p^* and calculates R = g^r, w₁ = Q^t, w₂ = $\frac{K_o{Q}^t}{h_3\left(e\left(h_2(I{D}_u||I{D}_{PKG}))R^y, Q\right)\right)}$, w₃ = e(g^y, Q). Thus, the returned re-encryption key RK_o,u,ind is composed of (w₁, w₂, w₃).

Challenge: $A$ chooses the identity of ID* as an object and prepares the plaintext m* = (m₁*, m₂*, …, m_n*). Let (SK₀, SK₁) be symmetric keys with an identical length. Then, $B$ flips a bit bt and then creates a challenge ciphertext C* = (r₁*, r₂*, r₃*) in relation to (ID*, m*, SK_bt) for $A$ as follows:

• Step 1 Suppose that the h₁(ID* ‖ k*) query has been made. As long as η* = 1, $B$ directly aborts.
• Step 2 Define h₂(ID* ‖ ID_PKG) = g^v2 in which v₂ ∈ Z_p^*.
• Step 3 Set the partial ciphertext r₂* = g^c.
• Step 4 Determine the value v₁ of the record (ID*, k*, η*, v₁, J₁) in the h₁-list and calculate

$${r_1}^{\ast }=S{K}_{bt}·F^{v_1^{-1}}·e\left(Q, {\left(g^c\right)}^{v_2}\right),$$

r₃* = (E(SK_bt, m₁*), E(SK_bt, m₂*), …, E(SK_bt, m_n*)).

Consequently, the returned challenge ciphertext is C* = (r₁*, r₂*, r₃*).

Phase 2: Given the ciphertext C*, the adversary $A$ goes on to invoke queries based on the previous limitations.

Guess: After invoking enough queries, $A$ returns a bit bt′. In case that bt′ = bt, $B$ directly returns 1, meaning that F = e(g, g)^abc. Otherwise, the value 0 is outputted instead.

Analysis: In these simulation processes, it can be observed that when F is equivalent to e(g, g)^abc, the prepared challenge ciphertext C* is a legal one. According to the initial assumption, $A$ would have the non-negligible advantage to break the proposed IB-PRE-FCAK scheme provided that the simulated ciphertext C* is valid. That is to say, we know that Adv($A$) = | Pr[bt′ = bt] − 1/2 | ≥ ε. Yet, when F is not equivalent to e(g, g)^abc, the advantage for $A$ to output a correct bit bt′ is not superior, which implies that Pr[bt′ = bt] = 1/2. Therefore, the chance for $B$ to solve the problem of DBDH could be written as

| Pr[(g, ga, gb, gc, e(g, g)abc) = 1] − Pr[(g, ga, gb, gc, F) = 1] |

≥ | (1/2 + ε) − 1/2 |·Pr[Good]

= ε·Pr[Good]

where Pr[Good] represents the probability event that $B$ never aborts during the game interaction processes. To calculate Pr[Good], we further consider the following several cases:

Pr[¬KeyExtract]: the likelihood that $B$ never aborts in any KeyExtract query;

Pr[¬RKgen]: the likelihood that $B$ never aborts in any RKgen query;

Pr[¬Challenge]: the likelihood that $B$ never aborts in the challenge phase.

In the first case of a KeyExtract query, $B$ aborts as long as the bit η in the corresponding entry of the h₁-list equals 0. Thus, we can learn that Pr[¬KeyExtract] ≤ τ ^qke. Likewise, as for the second case of an RKgen query, we also know that $B$ aborts on the condition that the bit η = 0, which indicates that Pr[¬RKgen] ≤ τ ^qrk. In the third case that $B$ might abort only when the bit η* for the chosen identity ID* is equivalent to 1. Therefore, we could derive that Pr[¬Challenge] ≤ (1 − τ). Putting all the three independent probability events together, we further obtain

Pr[Good] = Pr[¬KeyExtract]·Pr[¬RKgen]·Pr[¬Challenge]

≤ (τ)qke(τ)qrk(1 − τ)

= (τ)qke + qrk(1 − τ).

= $\frac{1}{e\left(q_{pk}+q_{pr}+1\right)}$

To maximize the value of Pr[Good], we set τ to be $1-\frac{1}{q_{ke }+q_{rk}+1}$ such that Pr[Good] = $\frac{1}{e\left(q_{pk}+q_{pr}+1\right)}$ becomes the greatest value, where e denotes the base of natural logarithm. As a result, we claim that the constructed algorithm $B$ has a non-negligible advantage ε′ ≥ $\frac{\epsilon }{e\left(q_{pk}+q_{pr}+1\right)}$ to break the DBDH problem. □

6. Efficiency and Comparison

We made some efficiency comparisons with related protocols [19,23,25] in terms of several time-consuming computations. For convenience, the simulation environments are listed in

Table 2. Simulation environments.

Item	Environment
Processor	Intel Core 2 Duo @ 2.1 Ghz
Memory size	2 GB
Operating system	Linux Ubuntu version 9.1
Software	PBC library [33]

and the compared computation is also converted into approximate running time in

Table 3. Computation and approximate running time.

	Item	Notation	Running Time
Computation
Bilinear pairing		C0	5.883 ms
Exponentiation over G1		C1	0.736 ms
Exponentiation over G2		C2	0.142 ms

. The detailed evaluation results are summarized in

Table 4. Evaluation of computational cost.

	Scheme	Han et al. [19]	Zhang et al. [11]	Lin et al. [13]	Proposed
Phase
Setup cost		6C1	2C1	2C1	C1
KeyExtract cost		5C0 + 5C1	5C1	5C1	3C1
Enc cost		3C0 + 3C1 + C2	C0 + 2C1 + C2	C0 + 2C1 + C2	C0 + 2C1
Tkgen cost		2C1	C1	C1	C1
RKgen cost		5C0 + 4C1 + C2	2C1	2C0 + 3C1 + C2	2C0 + 3C1
Re-Enc cost		0	C0	C0	C0
Dec cost by IDo		2C0	2C0	2C0	C0
Dec cost by IDu		2C0 + 2C1	2C0 + C1	4C0 + C2	3C0 + C2

and Figure 2.

Although Han et al.’s scheme is cost-free in the Re-Enc phase, their scheme has the highest computation costs in the Setup, KeyExtract, Enc, TKgen, and RKgen phases. Zhang et al.’s scheme has the lowest computation costs in both the RKgen and the Dec by ID_u phases. Lin et al.’s scheme incurs higher computation cost in the Dec by ID_u phase. As a whole, the proposed protocol exhibits optimal computational costs in the Setup, KeyExtract, Enc, and Dec by ID_o phases.

7. Conclusions

Fog-based applications have received much attention in recent years due to their advantages in fast response time and more bandwidth savings. A fog-enabled proxy re-encryption scheme allows a fog node to perform the ciphertext re-encryption process, so as to share cloud ciphertexts to desired data users. In this paper, we propose an identity-based proxy re-encryption scheme taking the advantage of fog computing. Specifically, the proposed scheme removes the necessity for a fully trusted system authority, as the private key of each user is not generated by the system authority solely. Therefore, it is unnecessary to establish a secure channel for distributing private keys in the proposed scheme. The access privilege of cloud ciphertexts can be determined independently by the data owner. As for security, we adopt the security notion of IND-PrID-CPA to formally prove that the proposed mechanism is able to withstand the adaptive adversary in random oracle models. In the performance analyses, we also demonstrate that our work is efficient in the processes of Setup, KeyExtract, Enc, and Dec, when compared with related protocols.