Next Article in Journal
Modelling the Impact of the Introduction of the EURO 6d-TEMP/6d Regulation for Light-Duty Vehicles on EU Air Quality
Next Article in Special Issue
Special Issue on Intelligent Computing for Big Data
Previous Article in Journal
Biophotonics in Dentistry
Previous Article in Special Issue
A Convolution Neural Network-Based Representative Spatio-Temporal Documents Classification for Big Text Data
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Proxy Re-Encryption Scheme for Decentralized Storage Networks

1
Department of Communications and Networking, Xi’an Jiaotong-Liverpool University, Suzhou 215123, China
2
College of Data Science, Taiyuan University of Technology, Taiyuan 030024, China
3
Cyber Technology Institute, De Montfort University, Leicester LE1 9BH, UK
*
Author to whom correspondence should be addressed.
These authors contributed equally to this work.
Appl. Sci. 2022, 12(9), 4260; https://doi.org/10.3390/app12094260
Submission received: 14 March 2022 / Revised: 9 April 2022 / Accepted: 9 April 2022 / Published: 22 April 2022
(This article belongs to the Special Issue Intelligent Computing for Big Data)

Abstract

:
Storage is a promising application for permission-less blockchains. Before blockchain, cloud storage was hosted by a trusted service provider. The centralized system controls the permission of the data access. In web3, users own their data. Data must be encrypted in a permission-less decentralized storage network, and the permission control should be pure cryptographic. Proxy re-encryption (PRE) is ideal for cryptographic access control, which allows a proxy to transfer Alice’s ciphertext to Bob with Alice’s authorization. The encrypted data are stored in several copies for redundancy in a permission-less decentralized storage network. The redundancy suffers from the outsourcing attack. The malicious resource provider may fetch the content from others and respond to the verifiers. This harms data integrity security. Thus, proof-of-replication (PoRep) must be applied to convince the user that the storage provider is using dedicated storage. PoRep is an expensive operation that encodes the original content into a replication. Existing PRE schemes cannot satisfy PoRep, as the cryptographic permission granting generates an extra ciphertext. A new ciphertext would result in several expensive replication operations. We searched most of the PRE schemes for the combination of the cryptographic methods to avoid transforming the ciphertext. Therefore, we propose a new PRE scheme. The proposed scheme does not require the proxy to transfer the ciphertext into a new one. It reduces the computation and operation time when allowing a new user to access a file. Furthermore, the PRE scheme is CCA (chosen-ciphertext attack) security and only needs one key pair.

1. Introduction

Blockchain technology has been actively developing in recent years. A decentralized storage network [1] based on the blockchain is a promising application direction. The decentralized storage network would redefine data ownership, privacy, and accessibility. Taking the example of the traffic surveillance cameras, the data may be stored on a decentralized storage network. Therefore, the public can verify that the data exist, but only authorized parties can access it. Multiple institutions (such as insurance companies) to access data require an encryption scheme with access control. Traditional symmetric or asymmetric cryptography cannot meet this requirement, as these schemes require specifying who can decrypt before encrypting. The proxy re-encryption (PRE) is a suitable scheme for data sharing.
PRE allows a user to grant access permission in a cryptographic method. Alice would allow Bob to visit her data under Alice’s authorization. However, the ciphertext must be transferred to the new one (Figure 1). In a decentralized storage network, data integration suffers from the challenge of the outsourcing attack. Blockchain consists of many semi-trusted resource providers. When asked for proof, the malicious provider would download the data content from other honest providers on the fly. Proof-of-replication (PoRep) brings the concept against the outsourcing attack. The idea is to encode the user data with a unique key, e.g., the provider’s public key. Meanwhile, the encoding algorithm should be expensive, and decoding is cheap, so the resource provider would not drop the replicated data, as regenerating the replication would cost more. Since everyone tends to reduce the cost, the data would lose redundancy without PoRep. PoRep is the mandatory algorithm to convenience the verifiers that the dedicating storage resource is spending.
Existing PRE is not ideal for a decentralized storage network because the extra ciphertext would trigger an expensive replicating operation (Figure 2). Combined with PoRep, the cost of PRE sharing is too high.
We propose a CCA (chosen ciphertext attack)-secure and collusion-resilience (collusion safe) proxy re-encryption scheme for the decentralized storage network (Figure 3).
  • No new ciphertext is generated for the permission grant in a decentralized storage network. It brings down the cost for proof-of-replication in a permission-less decentralized storage network.
  • The collusion-resilience scheme in group algebra requires only one key pair.
The rest of the paper is organized as follows. In Section 2, we talk about the detail of decentralized storage networks and proxy re-encryption. In Section 3, we dive into the knowledge, terms, and formula used in this work. The proposed scheme and security analysis are presented in Section 4. In Section 5 we give a practical implementation and show the experiment result. The various extended questions are talked about in the evaluation, Section 6. Finally, Section 7 and Section 8 provide the conclusion and future work.

2. Related Work

This section will dive deep into the background of the decentralized storage network, blockchain, and its relationship with proxy re-encryption.

2.1. Decentralized Storage Network

The cloud service is provided by a trusted third party. The data permission is controlled with a centralized mechanism. With the blockchain innovation, the recent study shows that the decentralized storage network is viable [1,2,3,4]. In the decentralized storage network, the user is not required to trust any providers, just the cryptography. It brings enormous confidence to the data owner.
The decentralized storage network is ideally built upon a permission-less blockchain. Blockchain miners provide the storage resource. The content that a user uploads to the blockchain is kept by miners. The blockchain makes the storage network permission-less. The miners can freely join or quit.
In the decentralized storage network, permission control must be cryptographic since the storage providers are semi-trusted. The existing public-key crypto is required to specify the target user to decrypt before encryption. Beyond this, PRE allows users to add the target users by re-encrypt the existing ciphertext into a new one. It is identical to permission granting at the application level. Thus, PRE schemes are helpful for blockchain storage.
However, a decentralized storage network must periodically check content integrity. The malicious miner may cheat by fetching content from other honest miners and responding to the checking. The cheater is committing to keep the content but never spending the storage resource. A decentralized storage network must be resilient to the outsourcing attack. Proof-of-replication requires the miners to encode the user content into the replication with each miner’s unique identity. It is intended to make the encoding more expensive. The miner is willing to save the replication on disk, as it is impossible to fetch the content from other miners and finish the encoding in the limited time.

2.2. Proxy Re-Encryption and Proof-of-Replication

In 1998, Blaze, Bleumer, and Strauss [5] proposed the first proxy re-encryption scheme based on a cyclic group [6]. In 2010, Weng et al. [7] proposed a CCA and collusion-resilience PRE scheme. After 2010 [8,9], most PRE schemes were based on bilinear pairing [10,11,12] or lattice algebra structure [13]. The data uploaded must be encrypted in the decentralized storage network. However, most the PRE schemes are generating the new ciphertext during the re-encryption. A ciphertext would be replicated with each miners’ unique identity. Any modification of the ciphertext would lead to more expensive PoRep operations. A PRE scheme is ideal not to generate new ciphertext during the frequent permission sharing actions under the decentralize storage network scenario. Thus, we propose the new PRE scheme.
While the new PRE schemes are diving into more complex algebra structure, the use scenarios of PRE are still limited. As business companies back the cloud service, the cloud and mobile do not fully utilize PRE schemes. The encryption will prevent data analysis and take extra cost of storage and computation. Owing to the blockchain, we foresee that blockchain-based decentralized applications will heavily rely on cryptographic schemes. Web3 allows the user to own their data. The decentralized storage network requires a pure cryptographic access control feature. PRE is ideal, but PoRep is mandatory.
The first blockchain, Bitcoin, proposed the proof-of-work (PoW) as the consensus algorithm [14] after PoW was used earlier for anti-spam purpose [15]. Computation was used as the resource for consensus, such as voting. Later, the storage space as a resource was studied, which can be classified into two categories. The proof-of-space intends to replace proof-of-work as the consensus algorithm. This replacement can bring down the cost of electricity by PoW, but junk data needs to be filled in the hard disk so far. Conversely, the proof-of-storage algorithm focuses on storing useful data. However, this algorithm cannot agree on a consensus. It only shows the proof of the data stored. Proof-of-replication is an extension of proof-of-storage, which convinces the owner that the unique storage resource keeps the data. In the permission-less blockchain, the PoRep is the key algorithm. It is nice to design schemes working with PoRep for the storage features. Filecoin uses SDR as the PoRep encoding and proves with the zero-knowledge-based algorithm [2,3]. Filecoin lets users decide how to encrypt their data. Therefore, there is no cryptographic access control for decentralized storage networks yet. The improved PRE scheme is worth studying.
In 1998, Blaze, Bleumer, and Strauss [5] proposed the first proxy re-encryption scheme. The ciphertext can be re-encrypted into another by the proxy authorized by the owner. Although the first PRE scheme is not collusion-resilient, it shows the possibility to change the key or password of the ciphertext without decryption. In 2003, Ivan and Dodis [16] proposed the group-based proxy cryptography scheme. In their unidirectional scheme, the secret key is first divided into two parts. This is the main technique that is used for collusion safety by many schemes. This illuminates our idea. In 2009, Shao et al. [17] proposed a CCA-secure scheme without pairing. Their scheme uses double trapdoors with the big prime multiplication as the secret key. One year later, Weng et al. [7] proposed a CCA-secure scheme WDLC10 without pairing. Two key pairs are used to avoid collusion for the secret key in their scheme, which is similar to Ivan and Dodis [16]. In the following years, most CCA-secure schemes were based on bilinear pairing or lattice. The PRE schemes such as AFGH06 [18] and GA07 [19] are based on bilinear pairing. XT10 [20] and ABPW13 [21] are based on lattice (LWE). NAL15a [22] is based on lattice (NTRU).
Let us take a look at how WDLC10 [7] works. To achieve collusion resilience, WDLC10 uses two key pairs. The core idea of preventing collusion is to use the sum of two secret keys instead of one. This results from the fact that the delegatee and proxy can only work together to obtain the sum of the keys, but cannot learn the value of each secret. The two keys are used for two different layers of ciphertext.
Our scheme achieved collusion resilience with one regular public/secret key pair. Under the general concept of asymmetry encryption, the cleartext can be encrypted with a public key, and the ciphertext is decrypted with the corresponding secret key. However, in the scenario of PRE, we slightly changed the definition. Assuming that anyone can create PRE ciphertext with the given public key, the malicious user could keep the crucial internal value which should be discarded during the encryption. The internal value can be used to generate new re-keys, where the access permission to the ciphertext should be controlled by the owner. In this case, the ciphertext generated with Alice’s public key may not actually be controlled by Alice. This may lead to security issues. The proposed scheme uses the secret key for encryption and decryption to ensure that only the owner can create the ciphertext. Alice can generate a re-key with her secret key and Bob’s public key.
To summarize, BBS98 [5], Dodis and Ivan [16], and WDLC10 [7] use groups. WDLC10 [7] improved many features compared to BBS98 (including the most important feature, collusion resilience). To archive collusion resilience in “hashed” ElGamal, two key pairs are required for WDLC10 [7]. Shao et al. [17] used double trapdoors. For the other PRE schemes, most of them are based on bilinear pairing or lattice.

3. Preliminaries

We briefly talk about preliminary knowledge for the decentralized storage network and proxy re-encryption.

3.1. Outsourcing Attack and Proof-of-Replication

In a permission-less decentralized storage network, whoever joins the network can provide resources and make incoming attacks. The resource providers may make arbitrary attacks to reduce their costs and increase the margin. One of the most critical is the outsourcing attack. The solution to prevent outsourcing attacks is proof-of-replication [1].
The data must have redundancy stored in a permission-less decentralized storage network. An individual resource provider who deleted the local copy of data to save the storage cost makes an outsourcing attack. When the request to retrieve data comes, the resource provider can fetch the content from another provider and send it back to the requester. The data must be preprocessed into the replication format with the unique key to prevent the outsourcing attack. The cost of replication should be more expensive and time-costly than honestly storing the data. The replicated data are hard for another to utilize, as the replication key is unique. Proof-of-replication ensures the dedicating unique physical store for the data.

3.2. Public Key Encryption

Public key encryption has advantages in key management compared with symmetry key encryption. Users only need to keep their secret keys safe instead of memorizing many passwords. RSA and ElGamal (including ECC) are the most commonly used public key encryption schemes. In RSA, we can either encrypt with a public key or secret key and decrypt with the other, respectively. In ElGamal, the public key is for encryption via Equation (2), and the secret key is for decryption via Equation (3). Public key encryption allows anyone to create an encrypted message and send it to the secret key owner to establish secure communication. We mainly focus on ElGamal here:
a , r Z p ,
p k A = g a ,
s k A = a .
where p k A is the public key, and s k A is the secret key. Ciphertext c is encrypted with the public key p k A and the clear message m via Equation (4):
c = c 0 , c 1 = g r , m · p k A r = g r , m · g a r .
The secret key is required for decryption via Equation (5):
m = c 1 ( c 0 ) s k A = m · g a r ( g r ) a .
The ElGamal scheme satisfies the CPA security. Given the same input m, the output c is different each time according to the random value r. To achieve CCA security, validation is required before the decryption. It detects if the adversary had modified the ciphertext.

3.3. Proxy Re-Encryption

We review the model of collusion-resilience PRE. A CCA collusion-resilience proxy re-encryption scheme is an algorithm:
( K e y G e n , R e n K e y G e n , E n c , R e E n c , D e c ) .
K e y G e n ( ) : The algorithm generates the public/secret key pair ( p k , s k ) .
R e K e y G e n ( s k A , p k B ) : The re-encryption key generation algorithm accepts the secret key s k A of Alice and the public key p k B of Bob. It outputs a re-encryption key r k A B .
E n c ( s k , m ) : The encryption algorithm takes the public key s k and the clear message returns the encrypted message c.
R e E n c ( r k A B , c A ) : The re-encryption algorithm transfers the encrypted message c A into the ciphertext c B using the re-encryption key r k A B . Bob’s secret key can decrypt the transformed ciphertext c B .
D e c ( s k , c ) : The user decrypts the ciphertext with his secret key and encrypted c, e.g., c A or c B . It outputs the cleartext m.
Correctness. Correctness is ensured for any m M and any key pair of ( p k A , s k A ) , ( p k B , s k B ) , following the conditions Equations (7) and (8):
D e c ( s k A , E n c ( s k A , m ) ) = m ,
D e c ( s k B , R e E n c ( R e K e y G e n ( s k A , p k B ) , E n c ( s k A , m ) ) ) = m .
Security definition. Security for a CCA collusion-resilience PRE scheme is defined in the game between an adversary A and a challenger C . There are two ciphertexts from the cleartext message for the PRE scheme: encrypted cipher m c A and re-encrypted m c B are required for chosen-ciphertext security.
Phase 1. The adversary A issues queries q 1 , , q m , of which q i is one of the following:
  • Uncorrupted key generation query: The challenger C computes ( p k i , s k i ) K e y G e n ( ) , and sends the p k i to the adversary A .
  • Corrupted key generation query: The challenger C computes ( p k j , s k j ) K e y G e n ( ) , and sends the ( p k j , s k j ) to the adversary A .
  • Re-encryption key generation query: The challenger C computes
    r k 1 2 R e K e y G e n ( s k 1 , p k 2 ) , and sends the r k 1 2 to the adversary A . Here, s k 1 and p k 2 must be from different key pairs. This query allows any key pair except that A cannot know the value of s k 1 .
  • Re-encryption query: The challenger C computes c 2 R e E n c ( r k 1 2 , c 1 ) , and sends the ciphertext c 2 to the adversary A .
  • Decryption query: The challenger C computes m D e c ( s k , c ) , and sends the cleartext m to the adversary A . Here, s k cannot be s k 1 or s k 2 .
Challenge. After the adversary A ends up Phase 1, A chooses from two equal-length messages m 0 , m 1 M , and sends to the challenger C .
The challenger C receives m 0 , m 1 . C flips a random coin δ Equation (9), and computes c,
δ { 0 , 1 } ,
c E n c ( s k A , m δ ) ,
then sends the c Equation (10) back to the adversary A .
Phase 2. The adversary A continues to issue queries q m + 1 , , q m a x , which q i can be one of the queries:
  • Uncorrupted key generation query: The challenger C responses are the same as in Phase 1.
  • Corrupted key generation query: The challenger C responses are the same as in Phase 1.
  • Re-encryption key generation query: The challenger C responses are the same as in Phase 1.
  • Re-encryption query: The challenger C responses are the same as in Phase 1.
  • Decryption query: The challenger C responses are the same as in Phase 1, except that c c A and s k s k A , or c c B and s k s k B .
Guess. The adversary A outputs δ ^ { 0 , 1 } .
Referring to adversary A as an IND-PRE-CCA adversary, we define the advantage of the adversary A in attacking scheme Π as
Adv Π , A I N D P R E C C A = | Pr [ δ = δ ^ ] 1 2 | .
Definition 1.
A PRE scheme Π is said to be ( t , q u , q c , q r k , q r e , q d , ϵ ) -IND-PRE-CCA secure, if for any t-time, IND-PRE-CCA adversary A makes at most q u uncorrupted key generation queries, at most q c corrupted key generation queries, at most q r k re-encryption key generation queries, at most q r e re-encryption queries, and at most q d decryption queries; thus we have
Adv Π , A I N D P R E C C A ϵ .

3.4. Complexity Assumptions

The computational assumption of Diffie–Hellman (CDH) is defined as
Definition 2.
G is a cyclic multiplicative group with prime order p. The CDH problem is said in group G , given a tuple ( g , g x , g y ) G 3 with unknown x , y Z p , to compute g x y .
A variant of the CDH problem named divisible computation Diffie–Hellman (DCDH) [23] problem is defined as follows.
Definition 3.
Let G be a cyclic multiplicative group with prime order p. The DCDH problem in group G is, given ( g , g 1 x , g y ) G 3 with unknown x , y Z p , to compute g x y .
The construction of our chosen ciphertext-secure PRE scheme is based on the assumption of modified computational Diffie–Hellman (mCDH). The mCDH problem is a combination of the CDH problem and the DCDH problem.
Definition 4.
Let G be a cyclic multiplicative group with prime order p. The mCDH problem in group G is, given a tuple ( g , g 1 x , g x , g y ) G 4 with unknown x , y Z p , to compute g x y .
Definition 5.
For a polynomial time adversary B , the advantage is defined as solving the mCDH problem in group G :
Adv B m C D H = Pr [ B ( g , g 1 x , g x , g y ) = g x y ] .

4. Proxy Re-Encryption Scheme

Our PRE scheme is adopted with the PoRep in a permission-less decentralized storage network. The ciphertext R e E n c is an optional operation in the definition. This CCA and collusion-resilience PRE scheme is based on “hashed" ElGamal. ElGamal is one of the most important asymmetry cryptographic schemes based on CDH assumption. Both discrete logarithm and ECC can be used for the ElGamal implementation.

4.1. Features

Collusion resilience. Collusion resilience (collusion safe) states that the proxy and the delegate (Bob) can collude to obtain the delegator’s (Alice) secret key. In BBS98 [5], r k A B = s k B s k A , proxy and delegate (Bob) can calculate s k A = r k A B · s k B . Collusion resilience (collusion safe) is an important feature. In any case, s k A should be safe because it is related to more than the current ciphertext. All the ciphertexts generated by Alice are bound with the security of s k A . Our scheme is collusion resilience due to the novel method of re-key generation, inspired by the bidirectional scheme of Ivan and Dodis [16].
Bidirectional. Delegation from A B allows re-encryption from B A . It is observed that unidirectional and bidirectional delegation can be applied in different use cases. It is nice to distinguish between unidirectional and bidirectional proxy re-encryption. The bidirectional PRE refers to the fact that it can generate r k B A from r k A B . WDLC10 [7] used the two layers for unidirectional encryption, where layer 2 cipher can be converted into layer 1 cipher by r k A B = Δ s k A 1 + s k A 2 .
The bidirectional scheme means the re-encrypted ciphertext can transfer back to the original cipher. It depends on how the re-encryption key is designed. In BBS98, r k A B = s k B s k A and the reversed key r k B A = s k A s k B can be easily calculated. Obviously, this reversed encryption key can be applied to all the ciphertext generated by Bob. In the Ivan and Dodis 2003 bidirectional ElGamal scheme, r k = g r ( x 2 x 1 ) also can be reversed, but due to the random r, the reversed key can be only applied to Bob’s current ciphertext. Comparing the two scenarios, BBS98’s bidirectional feature leads to more privacy issues than Ivan and Dodis [16].
Noninteractive. The generation of the re-encryption key requires Alice to use Bob’s public key. Bob is not involved in the interaction of re-key generation.
Proxy invisibility. The user sending messages to Alice does not need to be aware of the existence of the proxy. The same applies to Bob, the delegate.
Key optimality. Bob should keep a constant number of secrets, regardless of how many delegations he accepts.
Nontransitive. A proxy re-encryption scheme is transitive if the proxy has right to re-delegate decryption permission. Moreover, it combines several re-encryption keys to produce a new re-key (e.g., from r k A B and r k B C one can obtain r k A C ). Our scheme is nontransitive, as generating a re-key requires Alice’s authorization to prevent transitive action on a proxy.
Transferability. This property, first considered by Ateniese et al. in [18], catches the inability of collusion of the proxy and the delegates to re-delegate decryption rights (i.e., producing new re-encryption keys). The proxy has r k and Bob knows g r and s k B , which can generate a new re-key for another user.

4.2. Proposed Scheme

Setup
In the CCA-secure and collusion-resilience PRE scheme, g is the generator of a cyclic multiplicative group G of prime order p. s k A Equation (16) is the secret key and p k A Equation (15) is the public key of Alice. s k B Equation (18) is the secret key and p k B Equation (17) is the public key of Bob.
m is the clear message of l 0 bits length in the binary message space denoted by M . w is the random bits of l 1 length. H is the hash function, where H 1 : Z p · Z p Z p , H 2 : { 0 , 1 } l 0 · { 0 , 1 } l 1 Z p , H 3 : G 2 { 0 , 1 } l 0 + l 1 , H 4 : G · { 0 , 1 } l 0 + l 1 Z p .
K e y G e n ( ) : The key generation algorithm generates the public/secret key pair ( p k , s k ) for the user:
a , b Z p ,
p k A = g a ,
s k A = a ,
p k B = g b ,
s k B = b .
R e K e y G e n ( s k A , p k B ) : The re-encryption-key-generating algorithm accepts the secret key s k A from Alice and the public key p k B from Bob. The algorithm returns the re-encryption key r k A B .
Re-key r k A B = ( p k B p k A ) d = ( g b g a ) d = g b d a d , where the p k A can be derived from s k A . When re-encrypting D B = D A · r k A B = ( g a ) d · g b d a d = g b d , the re-key can only be issued by Alice, who knows d = H 1 ( s k A , r ) .
E n c ( s k A , m ) : The encryption algorithm takes the secret key s k A , and the clear message m returns the encrypted message c A via Equation (19):
( m | | w ) E n c c A = D A , r , E , F , V , S .
where D , r , E , F , V , a n d S are defined as Equations (20)–(24):
D A = ( p k A ) d , d = H 1 ( s k A , r ) , r Z p ,
E = g e , e = H 2 ( m , w ) , w { 0 , 1 } l 1 ,
F = H 3 ( g d , E ) ( m | | w ) ,
V = g v , v Z p ,
S = g s , s = v + s k A · r .
R e E n c ( r k A B , c A ) : The re-encryption algorithm transfers the encrypted message c A into the ciphertext c B using the generated re-encryption key r k A B via Equation (25). Bob’s secret key can decrypt the transformed ciphertext c B . Here, d is used to generate the permission of delegation. Only the content owner can create new D or r k with s k A and r.
Before the transferring, the validation S = ? V · p k A r of ciphertext should be checked to ensure Alice generates the ciphertext. Otherwise, the algorithm outputs ⊥:
c A R e E n c c B = D B , r , E , F , V , S = D A · r k A B , r , E , F , V , S .
D e c ( s k , c ) : The user decrypts the ciphertext with his secret key and encrypted c, e.g., c A or c B . It outputs the cleartext m and random bits w via Equation (26). After decryption, the validation of ciphertext should be checked E = ? g H 2 ( m , w ) . If not, the algorithm outputs :
c B D e c ( m | | w ) = F H 3 ( g d , E ) , g d = D B 1 s k B = F H 3 ( D B 1 s k B , E ) .
In WDLC10 [7], CCA-secure “hashed” ElGamal and modified version is used. The textbook ElGamal is CPA-secure and risky in the rounded attack. To enhance the security, “hashed” ElGamal is applied with a message authenticated mechanism.

4.3. Security Analysis

Our collusion-resilience PRE scheme is CCA-secure in a random oracle model, under the modified-computation Diffie–Hellman (mCDH) assumption [24].
In this section, we prove the scheme under mCDH assumption [24] that any efficient algorithm’s mCDH advantage is negligible.
Theorem 1.
Our PRE scheme ∏ is IND-PRE-CCA-secure under the assumption of the mCDH [24] in group G , and the Schnorr signature [25] is EUF-CMA-secure in the random oracle model. An adversary A , who asks at most q H i random oracle queries to H i with i { 1 , , 4 } , can effectively break the ( t , q u , q c , q r e , q d , ϵ ) -IND-PRE-CCA of our scheme ∏, for any 0 < ν < ϵ . Thus we have:
  • The ( t , ϵ ) -mCDH problem [24] in group G can be solved by an algorithm B with Equations (27) and (28):
    t t + ( q H 1 + q H 2 + q H 3 + q H 4 + q u + q c + q r k + q r e + q d ) O ( 1 ) + ( q u + q c + 4 q r e + 3 q d + ( 2 q d + q r e ) q H 2 ) t e ,
    ϵ 1 q H 3 ( 2 ( ϵ ν ) q H 2 + ( q H 2 + q H 3 ) q d 2 l 0 + l 1 2 q d + q r e q ) .
    where t e is the exponential running time in the group G .
  • The EUF-CMA security of the Schnorr signature [25] can be broken by an attacker with advantage ν within time t .
Proof. 
It is assumed that the Schnorr signature [25] is ( t , ϵ ) -EUF-CMA-secure for the probability 0 < ν < ϵ . While the CDH problem (given g , g x , g y output g x y ) is as hard as the mCDH problem [24] (given g , g 1 x , g x , g y outputs g x y ), this theorem is proved under the mCDH problem [24]. A t-time adversary A can break the IND-PRE-CCA security of scheme ∏ with advantage ϵ ν . We show how an algorithm B solves the ( t , ϵ ) -mCDH problem [24] in group G . □
Suppose algorithm B accepts the input of mCDH challenge tuple ( g , g x , g 1 x , g y ) G 4 , and x , y Z p is unknown. Algorithm B plays the role of challenger playing the IND-PRE-CCA game with adversary A . Algorithm B ’s goal is to output g x y .
Setup. Algorithm B passes parameters ( p , G , g , H 1 , H 2 , H 3 , H 4 , l 0 , l 1 ) to adversary A . H 1 , H 2 , H 3 , H 4 are random hash oracles controlled by the algorithm B .
Hash Oracle Queries. Adversary A may send the queries to random oracle H 1 , H 2 , H 3 , and H 4 at any time. Algorithm B has four empty lists H 1 l i s t , H 2 l i s t , H 3 l i s t , and H 4 l i s t initially, used for storing the query parameters and result value tuples.
  • H 1 queries. With the parameters ( a , r ) , if this query exists in the H 1 l i s t as a tuple ( a , r , d ) , output the value d as the result to adversary A . Otherwise, choose d Z p and add the tuple ( a , r , d ) to the hash list H 1 l i s t , and respond with H 1 ( a , r ) = d to adversary A .
  • H 2 queries. With the parameters ( m , w ) , if this query exists in the H 2 l i s t as a tuple ( m , w , v ) , output the value v as the result to adversary A . Otherwise, choose v Z p and add the tuple ( m , w , v ) to the hash list H 2 l i s t , and respond with H 2 ( m , w ) = v to adversary A .
  • H 3 queries. With the parameters ( g d , E ) , if this query exists in the H 3 l i s t as a tuple ( g d , E , α ) , output the value α as the result to adversary A . Otherwise, choose α { 0 , 1 } l and add the tuple ( g d , E , α ) to the hash list H 3 l i s t , and respond with H 3 ( g d , E ) = α to adversary A .
  • H 4 queries. With the parameters ( E , F ) , if this query exists in the H 4 l i s t as a tuple ( E , F , β ) , output the value β as the result to adversary A . Otherwise, choose β Z p and add the tuple ( E , F , β ) to the hash list H 4 l i s t , and respond with H 4 ( E , F ) = β to adversary A .
Phase 1. The adversary A sends a series of queries as in the definition of the IND-PRE-CCA game. The algorithm B holds three hash lists K U n c o r r u p t e d l i s t , K C o r r u p t e d l i s t , and R l i s t , answering the adversary A as follows:
  • Uncorrupted key generation query q u . If the tuple ( a , g a ) is not in the hash list K U n c o r r u p t e d l i s t , the algorithm B chooses a Z p ; add the tuple ( a , g a ) to the hash list K U n c o r r u p t e d l i s t . Respond with p k = g a to adversary A .
  • Corrupted key generation query q c . If the tuple ( a , g a ) is not in the hash list K C o r r u p t e d l i s t , the algorithm B chooses a Z p ; add the tuple ( a , g a ) to the hash list K C o r r u p t e d l i s t . Respond with ( s k , p k ) = ( a , g a ) to adversary A .
  • Re-encryption key generation query q r k . The re-key generation is from Alice’s secret key and Bob’s public key; both key pairs can be uncorrupted or corrupted. It is because in the re-encryption from c A to c B , ciphertexts can be decrypted by either s k A or s k B .
    In the case algorithm, B recovers ( s k A , p k A ) , ( s k B , p k B ) from K U n c o r r u p t e d l i s t or K C o r r u p t e d l i s t . Then, algorithm B generates re-key r k A B = ( p k B p k A ) H 1 ( s k A , r ) = ( g b g a ) H 1 ( a , r ) . The tuple ( s k A , p k A , s k B , p k B , r k A B ) is added to the R l i s t . Then, the r k A B is returned to adversary A .
    For the challenge purpose, both s k A and s k B should be uncorrupted.
  • Re-Encryption query q r e . Given r k A B and c A = D A , r , E , F , V , S : If S V · p k A r , it outputs . Otherwise, the algorithm returns the re-encrypted ciphertext c B = D A · r k A B , r , E , F , V , S to adversary A .
  • Decryption query q d . The algorithm recovers s k from K U n c o r r u p t e d l i s t or K C o r r u p t e d l i s t . Run ( m , w ) = D e c ( s k , c ) . If E = g H 2 ( m , w ) , give m back to the adversary, otherwise it outputs .
Challenge. When adversary A ends Phase 1, the adversary outputs a target public key p k * and two equal-length messages m 0 , m 1 { 0 , 1 } l 0 , queries to algorithm B . Algorithm B responds as follows:
  • Recovers ( s k * , p k * ) from K U n c o r r u p t e d l i s t and let p k * = g a : = g 1 x .
  • Let D * = ( p k * ) d = ( g a ) d : = g y , so that ( g a ) d = ( g 1 x ) x y . We can obtain d = x y as g a = g 1 x . Then, g d = g x y .
  • As F = H 3 ( g d , E ) ( m | | w ) defined, choose δ { 0 , 1 } , w * { 0 , 1 } l 1 and F * = H 3 ( g d , E * ) ( m δ | | w * ) .
  • Return c * = D * , r * , E * , F * , V * , S * as the challenged ciphertext to adversary A .
Phase 2. The adversary A issues the queries as in Phase 1. Algorithm B responds to those queries to A as in Phase 1.
Guess. The adversary A responds a guess δ ^ { 0 , 1 } to B . Algorithm B calculates H 3 ( g d , E * ) = H 3 ( g x y , E * ) = F * m δ ^ = α ^ . B looks up the hash list H 3 l i s t for the tuple ( g d , E * , α ) where α = α ^ , then returns the g d as the solution g x y to the given mCDH instance.
Analysis. First, let us evaluate the simulation of random oracles. H 1 , H 4 are perfect As long as A does not query ( m δ , w ) to H 2 or ( g x y , E ) to H 3 , so H 2 and H 3 are perfect. We denote A s k H 2 * the event ( m δ , w ) has been queried to H 2 , and A s k H 3 * the event that ( g x y , E ) has been queried to H 3 .
The challenged ciphertext is identically distributed.
Second, the simulation for the re-encryption oracle. The re-encryption query is perfect unless the adversary A can transfer the ciphertext into the new one without querying hash H 1 to obtain the r k . We denote this event as R e E n c E r r . Since H 1 plays the role of the random oracle, which is queried by adversary A at most q r e times, we have
Pr [ R e E n c E r r ] q r e q .
Third, the simulation for the decryption oracle. Suppose that ( p k , c ) , c = ( D , r , E , F , V , S ) is a valid ciphertext, as the validation S = ? V · p k A r of ciphertext can be checked. There is still a chance that c can be generated by querying other random values to H 3 instead of g d , where d = H 1 ( s k A , r ) . Denote V a l i d to be an event that c is valid. Let A s k H 3 be the event that ( g d , E ) has been queried to H 3 and A s k H 2 be the event that ( m , w ) has been queried to H 2 . Then, we have
Pr [ V a l i d | ¬ A s k H 2 ] = Pr [ V a l i d A s k H 3 | ¬ A s k H 2 ] + Pr [ V a l i d ¬ A s k H 3 | ¬ A s k H 2 ] Pr [ A s k H 3 | ¬ A s k H 2 ] + Pr [ V a l i d | ¬ A s k H 3 ¬ A s k H 2 ] q H 3 2 l 0 + l 1 + 1 q ,
similarly,
Pr [ V a l i d | ¬ A s k H 3 ] = Pr [ V a l i d A s k H 2 | ¬ A s k H 3 ] + Pr [ V a l i d ¬ A s k H 2 | ¬ A s k H 3 ] Pr [ A s k H 2 | ¬ A s k H 3 ] + Pr [ V a l i d | ¬ A s k H 2 ¬ A s k H 3 ] q H 2 2 l 0 + l 1 + 1 q .
Thus, we have
Pr [ V a l i d | ¬ A s k H 2 ¬ A s k H 3 ] Pr [ V a l i d | ¬ A s k H 2 ] + Pr [ V a l i d | ¬ A s k H 3 ] q H 2 + q H 3 2 l 0 + l 1 + 2 q .
Denote D e c E r r as the event that V a l i d | ( ¬ A s k H 2 ¬ A s k H 3 ) happens during the entire simulation. The q d times of decryption queries have been issued to a decryption oracle, and we have
Pr [ D e c E r r ] ( q H 2 + q H 3 ) q d 2 l 0 + l 1 + 2 q d q .
Denote G o o d as the event A s k H 3 * ( A s k H 2 * | ¬ A s k H 3 * ) R e E n c E r r D e c E r r . If G o o d has not happened, the adversary A cannot gain any advantage in guessing δ from m 0 , m 1 , due to the random E as one of the input of H 3 ( g d , E ) and E = g e = g H 2 ( m , w ) is generated with the random bits w { 0 , 1 } l 1 . We have Pr [ δ = δ | ¬ G o o d ] = 1 2
Pr [ δ = δ ] = Pr [ δ = δ | ¬ G o o d ] Pr [ ¬ G o o d ] + Pr [ δ = δ | G o o d ] Pr [ G o o d ] 1 2 Pr [ ¬ G o o d ] + Pr [ G o o d ] = 1 2 ( 1 Pr [ G o o d ] ) + Pr [ G o o d ] = 1 2 + 1 2 Pr [ G o o d ] ,
and
Pr [ δ = δ ] Pr [ δ = δ | ¬ G o o d ] Pr [ ¬ G o o d ] = 1 2 ( 1 Pr [ G o o d ] ) = 1 2 1 2 Pr [ G o o d ] ,
we have
| Pr [ δ = δ ] 1 2 | 1 2 Pr [ G o o d ] .
By the definition, the advantage ( ϵ ν ) for IND-PRE-CCA adversary:
ϵ ν = | Pr [ δ = δ ] 1 2 | 1 2 Pr [ G o o d ] = 1 2 ( Pr [ A s k H 3 * ( A s k H 2 * | ¬ A s k H 3 * ) R e E n c E r r D e c E r r ] ) = 1 2 ( Pr [ A s k H 3 * ] + Pr [ A s k H 2 * | ¬ A s k H 3 * ] + Pr [ R e E n c E r r ] + Pr [ D e c E r r ] ) .
Since Pr [ R e E n c E r r ] q r e q , Pr [ D e c E r r ] ( q H 2 + q H 3 ) q d 2 l 0 + l 1 + 2 q d q and Pr [ A s k H 2 * | ¬ A s k H 3 * ] q H 2 2 l 0 + l 1 , we obtain
Pr [ A s k H 3 * ] 2 ( ϵ ν ) [ A s k H 2 * | ¬ A s k H 3 * ] Pr [ D e c E r r ] Pr [ R e E n c E r r ] 2 ( ϵ ν ) q H 2 2 l 0 + l 1 ( q H 2 + q H 3 ) q d 2 l 0 + l 1 2 q d q q r e q = 2 ( ϵ ν ) q H 2 + ( q H 2 + q H 3 ) q d 2 l 0 + l 1 2 q d + q r e q .
In event A s k H 3 * , algorithm B will be able to solve the mCDH instance, and, consequentially, the following is obtained:
ϵ 1 q H 3 ( 2 ( ϵ ν ) q H 2 + ( q H 2 + q H 3 ) q d 2 l 0 + l 1 2 q d + q r e q ) .
From the description of the simulation, the running time of algorithm B can be bounded by
t t + ( q H 1 + q H 2 + q H 3 + q H 4 + q u + q c + q r k + q r e + q d ) O ( 1 ) + ( q u + q c + 4 q r e + 3 q d + ( 2 q d + q r e ) q H 2 ) t e .
This completes the proof of Theorem 1.

5. Experiment

In this section, we analyze the computation cost. With the development of the blockchain in the past decade, elliptic curves cryptography (ECC), including ECDSA and 25519, has become the standard user access credential. The group with big integers is less used nowadays. As ECC computation is still heavy even for a modern CPU, we propose the practical implementation which cached the ECC operation to speed up for practice. Otherwise, the encryption and decryption over ECC would take too long a time and become meaningless.

5.1. Schemes Comparison

The two group-based schemes without pairings are using double trapdoors [26] and “hashed: ElGamal [7]. In Table 1, the comparison results indicate that the proposed scheme is slower than WDLC10 for encryption, since “hashed” ElGamal is used. Our scheme does not differentiate the first and the second level of ciphertext. t e N is the time in exponential operation over the N 2 group, where N is the safe prime. Let N = p q be a safe prime modulus, such that p = 2 p + 1 , q = 2 q + 1 , and p, p , q, q are primes. t e is the time in exponential operation over the group. k is the length of generated key in K e y G e n ( 1 k ) . k 1 is the hash algorithm H : { 0 , 1 } * { 0 , 1 } k 1 . N x and N y are the safe-prime modulus corresponding to the delegator and the delegatee, respectively. The ReEnc is not available in our scheme as we do not transfer the ciphertext, but it only generates a re-key.

5.2. Practical Implementation

Due to the computation inefficiency of ECC, in the practical implementation, we can use elliptic curves and cyclic multiplicative group together to boost the encryption.
For the practical encryption and decryption, the message is divided into small chunks m, as each time that group operation is involved in the computation, using ECC will cost much longer time. For the calculation F = H 3 ( g d , E ) ( m | | w ) , where E = g e , e = H 2 ( m , w ) , w { 0 , 1 } l 1 , the operation E = g e will be too expensive if using ECC. On the other hand, ECC provides better security with less secret key length in bits for the user’s public key and secret key. Roughly speaking, 160 bits of the ECC secret key are as strong as 1024 bits of the secret key required in RSA or ElGamal over the multiplicative integer group.
It is better to divide and conquer the problem by using both the elliptic curves group and the cyclic multiplicative integer group g G p . In the calculation D A = ( p k A ) d , d = H 1 ( s k A , r ) , r Z p , for the user key pair ( p k , s k ) , we use generator g E C C G E C C , then p k = g E C C s k . Meanwhile F = H 3 ( g d , E ) ( m | | w ) the exponential operation g d in H 3 can be calculated only once in ECC and cached. Another exponential calculation E = g e must be evaluated for every m and w. Thus, for g e , the ECC operation will be too heavy. Here, we have the modification below:
( m | | w ) E n c c A = D A , r , E , F , V , S .
where D , r , E , F , V , S is defined as:
D A = ( p k A ) d , d = H 1 ( s k A , r ) , r Z p ,
E = g e , e = H 2 ( m , w ) , w { 0 , 1 } l 1 ,
F = H 3 ( g E C C d , E ) ( m | | w ) ,
V = g E C C v , v Z p ,
S = g E C C s , s = v + s k A · r .
For the re-encryption c A R e E n c c B , re-encrypting D B = D A · r k A B = ( g E C C a ) d · g E C C b d a d = g E C C b d , where re-key r k A B = ( p k B p k A ) d = ( g E C C b g E C C a ) d = g E C C b d a d . For the validation E = ? g H 2 ( m , w ) after decryption, as p k is not involved, no ECC operation needs to be performed.

5.3. Performance Comparison

Python 3.8 is used to implement our PRE scheme and WDLC10. Since Shao09 uses a different theory over the large prime numbers, it was hard to make a fair comparison by choosing the parameters. The code is modified from an open-source pure Python library named python-ecdsa, which is licensed in the public domain.
We implemented the ECC version of our PRE scheme and the practical modification in Python 3.8 and tested it on a MacBook Air of Intel Core i5 at a processor speed of 1.3 GHz. For every 64 bytes of data (including 48 bytes clear message m and 16 bytes of random initialization vector w), we repeat encryption 100 thousand times and note the time cost.
Our scheme is slightly slower than WDLC10 for encrypting in theory, as we described in Table 1. However, for the modification for practical cached exponential operation for g E C C , from Figure 4, we can observe that practical modification can speed up the encryption by avoiding ECC computation. In most cases, elliptic curve-based asymmetry cryptography is commonly used in the signature or key exchange due to its slowness. However, the decentralized storage network shows the scenarios where an asymmetry encryption is required. Meanwhile, it is nice to have the key strength and reasonable encryption/decryption speed. The result of Figure 4 shows that even for a modern CPU, the computation is insufficient for fast encryption. The practical implementation is helpful to speed up the operation while maintaining the security from ECC with less key length.
In the experiment, we use the cyclic multiplicative group over an integer of 196 bits for both ours and WDLC10. The ECC curve is NIST192p. The message m size is 48 bytes and w is 16 bytes since the blake2b outputs up to 64 bytes (512 bits) each time.
In Figure 5, we compare our practical modification PRE scheme with pure-Python-implemented WDLC10. PRE brings useful access control, privacy features, and better key management than symmetry encryption. Unlike WDLC10, there is no requirement for layer 1 and layer 2 ciphertext. Our scheme needs only one public/secret key pair. For the hash function, we use blake2b, which can output a flexible length of the hash digest. For the curve, we use NIST192p. Our proxy re-encryption is ready for practice. Figure 5 shows that with the modification on our scheme, the ECC computing is cached, so our scheme can be slightly faster than WDLC10 even if the theory shows our scheme was slower, shown in Table 1.

5.4. Performance on the Embedded Device

The PRE encryption and decryption are highly likely to be performed on an embedded device, such as an IP camera or mobile phone. Figure 6 shows the performance of our PRE scheme and WDLC10 on an early model of Raspberry Pi microcomputer. The early version of Raspberry Pi has quite low computation capacity; however, it achieves a reasonable performance. In addition, the permission grant in our scheme does not require transfer of the ciphertext, which would be friendly to the embedded devices. Recently, the embed device has attained a faster CPU with multi-cores. The feature of skipping the re-encryption makes it fit better for the embedded device.

6. Evaluation

6.1. Remove Access or Corrupted Ciphertext

Thus far, our scheme covers the encryption and decryption of data and shares the data with the public key of another user. We can either choose to generate a r k A B or D B , and it is possible to generate a new ciphertext by replacing D B with D A or reuse c A by placing D B in a separate file.
c A R e E n c c B
How about removing the access permission of a user? The concept of forwarding secrecy [27] was introduced in cryptography. Strictly, since a message is sent to another one, it is not a secret anymore, as the content could be copied and shared again. It is impossible to revoke a message or erase information with cryptography. However, in practice, people come and leave the organization, and granting or revoking data access permission is the daily operation. If a user intends to expose the critical information g E C C d to the public, the cipher c is no longer a secret. In those cases, the cryptography method can not ensure security in practice. The only choice is to remove the existing ciphertext to prevent further information leaking.
We provide another ciphertext transfer operation. It is not a part of our scheme but it is useful when transferring the ciphertext into a new one when the message is leaking, and this operation could be applied after any data access permission is revoked.
Transfer operation c A T r a n s f e r c A , where c A = D A , r , E , F , V , S :
D A = ( p k A ) d , d = H 1 ( s k A , r ) , r Z p ,
F = F r e = F H 3 ( g d , E ) H 3 ( g d , E ) = H 3 ( g d , E ) ( m | | w ) H 3 ( g d , E ) H 3 ( g d , E ) = H 3 ( g d , E ) ( m | | w ) ,
V = g v , v Z p ,
S = g s , s = v + s k A · r .
The ciphertext transfering key r e is defined:
r e = H 3 ( g d , E ) H 3 ( g d , E ) .
It is safe to send the transfer key to the proxy and transfer the existing ciphertext into a new one. By this operation, the previous ciphertext is discarded, and the new permission of access should be regenerated.
The concept above is also helpful in blockchain storage content for key renewal. Periodically changing the secret key is recommended to avoid potential confidential key leakage. A finance blockchain such as Bitcoin can create another secret/public key pair and transfer existing coin assets to the new wallet address. The signature is the evidence of a coin transaction. As opposed to this, the storage blockchain uses a secret key to decrypt. Losing a key is losing the data unless an algorithm can transfer the old ciphertext to the new one under the new key. Our PRE scheme is suitable for this scenario.

6.2. Search with PRE

The commercial applications are interested in searching [28,29]. Nowadays, searching in data is more than just full-text matching. Complexity algorithms are applied to texts, images, videos, and even speech. A CPA-secure encryption works against searching over the ciphertext in concept. Even if, in the future, the full homomorphic encryption [30] is ready, it might be hard to perform a search over CPA ciphertexts.
With proxy re-encryption, it is possible to design the application that outsources the information processing to the trusted party. Data could be stored safely on the cloud with versions, and the index for the recent version will be processed in-house.

6.3. Applications with PRE

We introduced PRE for decentralized storage network scenarios, which are the fundamental components for lots of blockchain applications. It is possible to build a media store for movies and music based on blockchain. Once a user purchases the movie, he has the right to download the movie file content freely. A purchase record is marked on the blockchain, as evidence of the right to use from the intellectual property owner. It is publicly verifiable. The PRE re-key can be used as evidence. The evidence can be listed publicly and it is meaningful only to the purchaser who owns the secret key.

7. Conclusions

In this paper, we proposed a PRE scheme satisfying the PoRep scenario. Since the PoRep is the key algorithm for a decentralized storage network, the proposed PRE would be an important candidate for a future blockchain storage network. In a decentralized storage network, access control must be cryptography-based. Meanwhile, the decentralized storage network suffers from outsourcing attacks. Proof-of-replication helps to convince users that their content is kept by the dedicated storage resource. The proposed PRE scheme is suited for proof-of-replication, which does not generate the extra ciphertext. The scheme reduces the cost of cryptographic access control. Moreover, our PRE scheme is CCA-secure and only requires one key pair. With the practical implementation, it is reasonably fast to use in applications.
Nowadays, users become used to placing their data on the public cloud. Although the data access is permission-controlled, it might be transparent to cloud storage providers. Employing the PRE scheme will bring true privacy to user data, even if the service provider is semi-trusted.
Due to the computation efficiency, symmetry encryption is widely used for encryption. However, the key management for symmetry encryption is complex, leading to more privacy issues. With the maturity of the PRE scheme, it can bring more flexibility to data storage and access control. Asymmetry encryption will play a more important role in blockchain-based systems.

8. Future Work

In this paper, we proposed the proxy re-encryption for the decentralized storage networks. It is a CCA-secure, collusion-resilience PRE scheme that requires only one key pair. The PRE scheme works under the concept of proof-of-replication, which is the core algorithm of the decentralized storage network, and the proposed scheme is reasonable, fast, and practical. It can be used for mobile and IoT devices. In the future, we will keep working on speeding up the scheme. Furthermore, it is possible to add more features based on the current scheme, e.g., the multiply public keys re-encryption, or the time-limited re-key issuing. To enable searching within PRE is also an interesting topic.

Author Contributions

Funding acquisition, D.L.; Supervision, X.H.; Writing—original draft, J.K.; Writing—review & editing, J.Z. All authors have read and agreed to the published version of the manuscript.

Funding

This research was funded in part by the XJTLU Key Program Special Fund under grant number KSF-E-05. This work is supported by Research Project Supported by Shanxi Scholarship Council of China 2021-038, and Applied Basic Research Project of Shanxi Province No. 20210302123130, No. 20210302124273. This work was partially supported by the National Natural Science Foundation of China under Grant No. 62002296; the Natural Science Foundation of Jiangsu Province under Grant No. BK20200250; and the XJTLU Key Programme Special Fund under Grant No. KSF-E-54.

Conflicts of Interest

The authors declare no conflict of interest.

Glossaries

p k The public key is a part of the key pair. The p k is a big integer internally.
s k The secret key is a part of the key pair. The s k is a generator of a multiplicative group or the generator point in ECC.
r k The re-key r k is from the concept of proxy re-encryption, which converts the ciphertext c A encrypted by Alice’s p k A to a new ciphertext c B which can be decrypted with Bob’s s k B .
The r k A B is generated under Alice’s permission. It requires Alice’s s k A and Bob’s p k B to generate r k A B .
Mis the message space that contains all the combinations of message m.
mis the clear message which will be encrypted. It is represented in binary in length l. In our scheme, we have m { 0 , 1 } l 0 .
wis the random bits of length l 1 generated when encrypting message m. This provides CPA-level security that the same message will output different ciphertext under multiple times of encryption.
lis the message length in bits. We have l = l 0 + l 1 , where l 0 is the length of m and l 1 is the length of w.
cis the ciphertext. In proxy re-encryption, beside encryption and decryption, the ciphertext c A can be transfered to another ciphertext c B with the r k A B under Alice(A)’s permission grant.
dis the hash value generated by user Alice’s secret key s k A and the random integer r. d is an important value during the calculation which needs to be discarded to keep the ciphertext safe. Otherwise, g d can be used for decryption without a secret key.
Dis the first element of the ciphertext. When decrypting, g d will be calculated from D with s k , and when re-encrypting, r k A B is applied to D A to obtain D B as D B = D A · r k A B .
ris the second element of the ciphertext. The random r makes sure the value d is random.
Eis a part of the ciphertext. E is calculated from m and w. It is a signature used for satisfying the CCA security. This signature E = ? g H 2 ( m , w ) will be checked after decryption by the user to verify m.
Fis a part of the ciphertext. The concatenation of message m and w is hidden in F. Value g d is required for encryption or decryption.
vis a random value used in the Schnorr signature. It is an internal value, which needs to be discarded to keep the secret key safe in s.
Vis a part of the ciphertext. Together with s and p k , it performs the Schnorr signature check before re-encryption.
sis used for Schnorr’s signature to verify the identity of who encrypts the ciphertext. s is hiding in S = g s to stay safe. Even if m is too long and split into m = m 1 | | m 2 | | . . . | | m i , the v and s only need to generate once.
Sis the last element of the ciphertext. It is a value for Schnorr’s signature. This signature S = ? V · p k A r will be checked before re-encrypting c by the proxy.
His the hash function. The hash function is a one-way function, which is easy to calculate the function’s output from the input value, but it is hard to obtain the input from the given output.
In our scheme, we have H 1 , H 2 , H 3 , and H 4 , which take different types of input and return different outputs. H 1 : G · Z p Z p , H 2 : { 0 , 1 } l 0 · { 0 , 1 } l 1 Z p , H 3 : G 2 { 0 , 1 } l 0 + l 1 , H 4 : G · { 0 , 1 } l 0 + l 1 Z p .
In practice, those H functions can use any standard hash function such as sha2 or blake2b with data type converting between bytes and integer.
CDHis computational Diffie–Hellman (CDH) assumption. The CDH problem in group G is, given a tuple ( g , g x , g y ) G 3 with unknown x , y Z p , to compute g x y .
mCDHis the modified computational Diffie–Hellman (mCDH) assumption. Given a tuple ( g , g 1 x , g x , g y ) G 4 with unknown x , y Z p , it is hard to compute g x y .
gIn our PRE scheme, g stands for the generator of the multiplicative group.
g E C C In our PRE scheme, g E C C stands for the generator point of the group of the elliptic curve (ECC).
Z p is the non-negative integer set less than a prime integer p, and p is the prime order of a cyclic multiplicative group.
Adversary A is an efficient adversary who attempts to solve the problem in the security game. Adversary A issues the queries to the challenger C , and the challenger responds.
Algorithm B is an algorithm which can break the mCDH problem. In a security reduction, adversary A transforms the existing problem to the mCDH problem, which algorithm B can solve, to show the hardness of security.
Challenger C is the role in the security game that responds to adversary A ’s queries following CCA-secure rules.
K l i s t is a hash list used to simulate the random oracle behavior. The algorithm B maintains two hash list K U n c o r r u p t e d l i s t , K C o r r u p t e d l i s t and R l i s t , answering the adversary A ’s queries.
H l i s t is a hash list used to simulate the random oracle behavior. Algorithm B has four lists H 1 l i s t , H 2 l i s t , H 3 l i s t , and H 4 l i s t , answering the adversary A ’s queries.

References

  1. Benet, J.; Dalrymple, D.; Greco, N. Proof of Replication; Protocol Labs: San Francisco, CA, USA, 2017. [Google Scholar]
  2. Fisch, B. PoReps: Proofs of Space on Useful Data; Protocol Labs: San Francisco, CA, USA, 2018. [Google Scholar]
  3. Fisch, B.; Bonneau, J.; Greco, N.; Benet, J. Scaling proof-of-replication for Filecoin Mining; Protocol Labs: San Francisco, CA, USA, 2018. [Google Scholar]
  4. Kan, J. Economic Proof of Work. In Cryptology ePrint Archive; Report 2020/1117; Springer: Berlin/Heidelberg, Germany, 2020. [Google Scholar]
  5. Blaze, M.; Bleumer, G.; Strauss, M.J. Divertible protocols and atomic proxy cryptography. In Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 1998; pp. 127–144. [Google Scholar]
  6. Elgamal, T. A public key cryptosystem and a signature scheme based on discrete logarithms. IEEE Trans. Inf. Theory 1985, 31, 469–472. [Google Scholar] [CrossRef]
  7. Weng, J.; Deng, R.H.; Liu, S.; Chen, K. Chosen-ciphertext secure bidirectional proxy re-encryption schemes without pairings. Inf. Sci. 2010, 180, 5077–5089. [Google Scholar] [CrossRef]
  8. Ran, C.; Susan, H. Chosen-ciphertext secure proxy reencryption. In Proceedings of the 14th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 2 November–31 October 2007; pp. 185–194. [Google Scholar]
  9. Benoît, L.; Damien, V. Unidirectional chosen-ciphertext secure proxy re-encryption. Information Theory. IEEE Trans. 2011, 57, 1786–1802. [Google Scholar]
  10. Chu, C.-K.; Tzeng, W.-G. Identity-Based proxy re-encryption without Random Oracles; Springer: Berlin/Heidelberg, Germany, 2007. [Google Scholar]
  11. Toshihiko, M. Proxy re-encryption systems for identity-based encryption. In Pairing-Based Cryptography–Pairing 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 247–267. [Google Scholar]
  12. Giuseppe, A.; Karyn, B.; Susan, H. Key-Private proxy re-encryption; Springer: Berlin/Heidelberg, Germany, 2009. [Google Scholar]
  13. Elena Kirshanova. Proxy re-encryption from lattices. In Public-Key Cryptography–PKC 2014; Springer: Berlin/Heidelberg, Germany, 2004; pp. 77–94. [Google Scholar]
  14. Satoshi, N. Bitcoin: A peer-to-peer electronic cash system. Decentralized Bus. Rev. 2008, 21260. [Google Scholar]
  15. Dwork, C.; Naor, M. Pricing via Processing or Combatting Junk Mail. In International Cryptology Conference; Springer: Berlin/Heidelberg, Germany, 1992. [Google Scholar]
  16. Ivan, A.; Dodis, Y. Proxy Cryptography Revisited. In Network and Distributed System Security Symposium; Springer: Berlin/Heidelberg, Germany, 2003. [Google Scholar]
  17. Nuez, D.; Agudo, I.; Lopez, J. proxy re-encryption. J. Netw. Comput. Appl. 2017, 87, 193–209. [Google Scholar] [CrossRef]
  18. Ateniese, G.; Fu, K.; Green, M.; Hohenberger, S. Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 2006, 9, 1–30. [Google Scholar] [CrossRef]
  19. Green, M.; Ateniese, G. Identity-Based Proxy Re-encryption. In Applied Cryptography and Network Security; Springer: Berlin/Heidelberg, Germany, 2007; pp. 288–306. [Google Scholar]
  20. Keita, X.; Keisuke, T. Proxy re-encryption based on learning with errors. In Proceedings of the 2010 Symposium on Cryptography and Information Security, Amalfi, Italy, 13–15 September 2010. [Google Scholar]
  21. Yoshinori, A.; Xavier, B.; Le Trieu, P.; Lihua, W. Keyprivate proxy re-encryption under LWE. In Progress in Cryptology–INDOCRYPT 2013; Springer: Cham, Switzerland, 2013; pp. 1–18. [Google Scholar]
  22. David, N.; Isaac, A.; Javier, L. NTRUReEncrypt: An efficient proxy re-encryption scheme based on NTRU. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’15, New York, NY, USA, 14–17 April 2015; pp. 179–189. [Google Scholar]
  23. Bao, F.; Deng, R.H.; Zhu, H. Variations of Diffie-Hellman Problem. In International Conference on Information and Communication Security; Springer: Berlin/Heidelberg, Germany, 2003. [Google Scholar]
  24. Libert, B.; Vergnaud, D. Multi-use unidirectional proxy re-signatures. In Proceedings of the 15th ACM Conference on Computer and Communications Security, Alexandria, VA, USA, 27–31 October 2008. [Google Scholar]
  25. Schnorr, C. Efficient Identification and Signatures for Smart Cards. In International Cryptology Conference; Springer: New York, NY, USA, 1989. [Google Scholar]
  26. Shao, J.; Cao, Z. CCA-Secure Proxy Re-encryption without Pairings. In Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2009; pp. 357–376. [Google Scholar]
  27. Derler, D.; Krenn, S.; Lorünser, T.; Ramacher, S.; Slamanig, D.; Striecks, C. Revisiting Proxy Re-encryption: Forward Secrecy, Improved Security, and Applications. In Proceedings of the Public-Key Cryptography, Rio de Janeiro, Brazil, 25–29 March 2018; pp. 219–250. [Google Scholar]
  28. Boneh, D. Public Key Encryption with Keyword Search; Springer: Berlin/Heidelberg, Germany, 2004. [Google Scholar]
  29. Kamara, S.; Lauter, K.E. Cryptographic Cloud Storage; Financial Cryptography; Springer: Berlin/Heidelberg, Germany, 2010. [Google Scholar]
  30. Van Dijk, M.; Gentry, C.; Halevi, S.; Vaikuntanathan, V. Fully homomorphic encryption over the integers. In Theory and Application of Cryptographic Techniques; Springer: Berlin/Heidelberg, Germany, 2010. [Google Scholar]
Figure 1. Traditional PRE requires proxy computation to re-encrypt.
Figure 1. Traditional PRE requires proxy computation to re-encrypt.
Applsci 12 04260 g001
Figure 2. Comparison of the replication in decentralized storage network with or without transferred ciphertext.
Figure 2. Comparison of the replication in decentralized storage network with or without transferred ciphertext.
Applsci 12 04260 g002
Figure 3. Our PRE scheme use C A and ReEncrypt key to decrypt.
Figure 3. Our PRE scheme use C A and ReEncrypt key to decrypt.
Applsci 12 04260 g003
Figure 4. Time cost for PRE ECC and practical encryption for every 1000 times of encryption of 64 bytes data on MacBook 1.3 GHz Intel Core i5.
Figure 4. Time cost for PRE ECC and practical encryption for every 1000 times of encryption of 64 bytes data on MacBook 1.3 GHz Intel Core i5.
Applsci 12 04260 g004
Figure 5. Time cost for our PRE scheme and WDLC10 encryption for every 100 k times of encryption of 64 bytes data on MacBook 1.3 GHz Intel Core i5.
Figure 5. Time cost for our PRE scheme and WDLC10 encryption for every 100 k times of encryption of 64 bytes data on MacBook 1.3 GHz Intel Core i5.
Applsci 12 04260 g005
Figure 6. Time cost for our PRE scheme and WDLC10 encryption for every 1000 times of encryption of 64 bytes data on a 1st generation of Raspberry Pi model B 700 Hz.
Figure 6. Time cost for our PRE scheme and WDLC10 encryption for every 1000 times of encryption of 64 bytes data on a 1st generation of Raspberry Pi model B 700 Hz.
Applsci 12 04260 g006
Table 1. Comparison with Shao09 and WDLC10.
Table 1. Comparison with Shao09 and WDLC10.
SchemesShao09WDLC10Ours
Compute CostReKenGen 2 t e N t e t e
Enc 5 t e N 3 t e 5 t e
Dec 4 t e N 3 t e 2 t e
ReEnc 5 t e N 3 t e N / A
Ciphertext Size1st level 2 k + 3 | N x 2 | + | m | 3 | G | 4 | G | + | m | + | w |
2nd level k 1 + 3 | N x 2 | + 2 | N y 2 | + | m | 3 | G | + | Z q |
SecuritySecurity Levelcollusion resistant, CCAcollusion resistant, CCAcollusion resistant, CCA
Standard modelYesYesYes
Underlying AssumptionsDDHCDHCDH
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Share and Cite

MDPI and ACS Style

Kan, J.; Zhang, J.; Liu, D.; Huang, X. Proxy Re-Encryption Scheme for Decentralized Storage Networks. Appl. Sci. 2022, 12, 4260. https://doi.org/10.3390/app12094260

AMA Style

Kan J, Zhang J, Liu D, Huang X. Proxy Re-Encryption Scheme for Decentralized Storage Networks. Applied Sciences. 2022; 12(9):4260. https://doi.org/10.3390/app12094260

Chicago/Turabian Style

Kan, Jia, Jie Zhang, Dawei Liu, and Xin Huang. 2022. "Proxy Re-Encryption Scheme for Decentralized Storage Networks" Applied Sciences 12, no. 9: 4260. https://doi.org/10.3390/app12094260

APA Style

Kan, J., Zhang, J., Liu, D., & Huang, X. (2022). Proxy Re-Encryption Scheme for Decentralized Storage Networks. Applied Sciences, 12(9), 4260. https://doi.org/10.3390/app12094260

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop