A Pre-Authentication Approach To Proxy Re-Encryption in Big Data Context


This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TBDATA.2017.2702176, IEEE Transactions on Big Data

A Pre-Authentication Approach to Proxy Re-encryption in Big Data Context
Kun Wang, Member, IEEE, Jiahui Yu, Xiulong Liu, Member, IEEE, and Song Guo, Senior Member, IEEE

Abstract—With the growing amount of data, the demand for big data storage increases significantly. Through the cloud center, data providers can conveniently share data stored in the center with others. However, one practically important problem in big data storage is privacy. During the sharing process, data is encrypted to be confidential and anonymous. Such an operation can protect privacy from being leaked out. To satisfy practical conditions, data transmission to multiple receivers is also considered. Furthermore, this paper proposes the notion of pre-authentication for the first time, i.e., only users with certain attributes that have already. The pre-authentication mechanism combines the advantages of the proxy conditional re-encryption multi-sharing mechanism with the attribute-based authentication technique, thus achieving attribute authentication before re-encryption, and ensuring the security of the attributes and data. Moreover, this paper finally proves that the system is secure and that the proposed pre-authentication mechanism can significantly enhance the security level of the system.

Keywords—Privacy-preserving, pre-authentication, proxy re-encryption, big data.

K. Wang and J. Yu are with the Jiangsu High Technology Research Key Laboratory for Wireless Sensor Networks, Nanjing University of Posts and Telecommunications, Nanjing 210003, China (e-mail: [email protected], [email protected]).
X. Liu and S. Guo are with the Department of Computing, The Hong Kong Polytechnic University, Hong Kong, China (e-mail: [email protected], [email protected]).

1 INTRODUCTION

Nowadays, big data is a hot research topic. More and more users prefer to save their data in the cloud center because the cloud has a considerable amount of storage space, and users can download their data anywhere and anytime. People take photos, record music and do many other operations on their personal equipment, producing large amounts of data. As a matter of fact, the demand for cloud storage space is growing faster than ever before.

When people upload their data to the cloud, the first thing they may consider is whether the cloud storage is secure or not. They do not want other persons to peep at their data without their permission. Public key encryption is a mechanism designed for data providers to encrypt their data, thus protecting the privacy of their data. Except for the data receivers who have a valid private key, no one can access the data. For example, in a hospital system, the patient records are too large and hard to store. A solution is to upload the massive data to the cloud for storage. Since everyone has access to the cloud, the data needs to be encrypted to prevent the private information of patients from being leaked out. When doctors intend to access the records, they decrypt the ciphertext by using their keys and obtain the message they need. With this method of Public Key Encryption (PKE), the privacy required by the patients can be ensured.

Up to now, many cryptographic encryption methods have been proposed to satisfy the requirements of privacy preserving in big data storage. However, most encryption methods such as public key encryption are not anonymous, i.e., if the adversaries obtain the ciphertexts, they can easily know the owner of the ciphertext as well as who will receive the ciphertext. PKE cannot achieve anonymity for the users who send and receive the ciphertext, so personal information may be leaked. If an adversary is able to obtain the ciphertext, he can know whose key the ciphertext is encrypted under, thus knowing the owner of the ciphertext. To overcome this point, some anonymous encryption mechanisms have been proposed, e.g., the anonymous mechanisms in [1], [2]. They achieve anonymity by removing the linkage between the data and the identity. Identities are split into two randomized complementary components, which hide the identities of the receivers behind some randomization. Moreover, when users intend to store data in another cloud center, the data needs to be converted so as to be shareable among different cloud centers. Therefore, data receivers need to be updated. When users intend to share their data conditionally, i.e., only some parts of the data, public key encryption cannot satisfy the users' requirements, because once receivers know the key and decrypt the ciphertext, they obtain all the data. For example, when one user wants to share only the data about "music", he cannot do it because there are only boolean conditions: receivers know everything or they know nothing.

To solve the above problems, a great deal of effort has been made by the research communities. Boyen et al. [1] proposed an identity-based encryption technique which is anonymous. By applying the method, the linkage between users and ciphertexts can be protected. [3], [4] encrypt patients' PHRs to ensure that data stored in the center will not be leaked out, which is similar to the problem studied in this paper. However, many aspects have not been considered yet. For example, when a user transfers his/her data to another cloud

2332-7790 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

center, a simple method is that the data provider decrypts the ciphertexts first, and encrypts them again before uploading them to another cloud center. This method is not feasible when it comes to big data because the time and computation cost will be enormous. Another drawback of this method is that when the provider is offline, no one can obtain the data. Entrusting the decrypt-encrypt-transmit task to a trusted third party is a good solution, but the information of receivers will be exposed to the third party during the re-encryption process. Blaze et al. [5] proposed a technique named proxy re-encryption. By applying a semi-trusted proxy to re-encrypt the ciphertext, data can be shared without exposing information to the third party. Furthermore, Green et al. [6] proposed a technique called identity-based proxy re-encryption. They achieved access control for storage in the network. Encryption techniques should be developed to meet the requirements of cloud users. [7] presented a proxy re-encryption technique called advanced multi-hop identity-based conditional proxy re-encryption (AMH-IBCPRE) to realize receiver update and conditional sharing in big data storage.

In this paper, we consider another situation. Users of the cloud center have the right to decide whom to share their data with. They may intend to share data only with receivers who have certain attributes. Data providers and receivers have to verify the authenticity of each other to make sure that neither the data nor the identity will be leaked out. The attributes also need to be protected. [8] proposed a verification mechanism to verify the authenticity of users' attributes. By applying this technique, we propose a mechanism called the pre-authentication approach to proxy re-encryption. In our scheme, data providers can verify the authenticity of receivers. Once a receiver's attributes do not meet the conditions, the provider will not communicate with him any more, and he cannot obtain the data either. Our scheme is able to achieve four properties: providing anonymity; updating receivers; verifying the attributes; sharing conditionally. Our main contributions can be summarized as follows:

• We propose a new notion called the pre-authentication mechanism in the model of MH-IBCPRE. Different from the existing work, the proposed mechanism can verify users' attributes before data sharing, thus satisfying the actual needs of users. The data of users can be shared with users having the appointed attributes, and others have no access to the data.
• Our newly proposed pre-authentication mechanism can provide multi-dimensional privacy protection covering data, user identities, and attributes. Only users whose attributes are authenticated are qualified to share the data. This enhances the protection of user privacy.
• We provide rigorous analysis to prove that our system is secure against chosen ciphertext attacks, tracing attacks and collusion attacks. Side-by-side comparisons reveal that our scheme provides stronger security than MH-IBCPRE.

The remainder of the paper is organized as follows. In Section 2, we describe the related work. After that, we give the system model and definitions in Section 3. In Section 4, we introduce some preliminaries. We present the complete system construction in Section 5. Then, we analyse the security of the system in Section 6. Finally, we conclude this paper in Section 7.

2 RELATED WORK

In this section, we review some existing work on multi-sharing mechanisms in big data. The comparison between our work and previous ones is shown afterwards.

Nowadays, with vast amounts of data being produced, more and more people tend to store data in the cloud, making big data a hot research direction [9], [10], [11], [12], [13], [14], [15]. Many works about security have been proposed [16], [17]. By using conventional methods like identity-based encryption, users can share data stored in the cloud. Receivers who are qualified to know the data can use their keys to decrypt the ciphertext, but others cannot, so data providers' privacy can be protected. Many works have considered the security of storing data in a cloud center, and most of them focused on storage security. Wei et al. [18] proposed a privacy cheating discouragement and secure computation auditing protocol. They designed a verifier signature and batch verification to achieve privacy cheating discouragement. Zhu et al. [19] proposed iTrust to protect data privacy. They used a probabilistic misbehavior detection scheme to judge the nodes' behavior, thus ensuring security. However, another problem has arisen: once providers intend to transmit data to another cloud center, they have to decrypt the ciphertext first, encrypt it again and send the outcome to the new cloud center, thus leaking the privacy to the previous cloud center. To deal with the problem, Mambo and Okamoto [20] proposed a delegation to decrypt the ciphertext. This raised another problem: whether users' privacy will be leaked or not depends totally on the delegation. Their method may be defective, but they have started a new way to study the problem. Blaze et al. [5] followed the idea of proxy re-encryption and described a bidirectional proxy re-encryption mechanism.

With the development of PRE, many great works on privacy and resisting attacks have been proposed [5], [21], [22], [23], making the mechanism more secure and considerate. Green et al. combined proxy re-encryption with identity-based encryption and proposed the notion of identity-based proxy re-encryption (IBPRE). The two IBPRE schemes can resist chosen plaintext attacks and chosen ciphertext attacks respectively. Later on, the IBPRE system has been developed to meet certain requirements. Considering the scenario with multiple data receivers, Green first proposed MH-IBPRE in [6]. The scheme allows multiple data receivers to obtain the ciphertext without knowing the others' keys. Chosen plaintext attacks can also be resisted. A replayable chosen ciphertext attack secure MH-IBPRE was proposed afterwards by Chu et al. in [24]. However, their scheme cannot resist collusion attacks. To handle the defect, Shao et al. raised a chosen ciphertext attack (CCA)-secure MH-IBPRE scheme which is collusion-safe. Another threat to privacy is tracing attacks, which was not considered in the above works. Emura et al. came up with a unidirectional IBPRE, in which even if an


adversary has the message, he/she cannot identify where the message comes from.

Protecting privacy does not only mean protecting the ciphertext and data, but also requires protecting the key. Ateniese et al. [25] first proposed the concept of the privacy of the keys. For example, the delegator and delegatee are anonymous to the adversary even if the adversary has the key for re-encryption. Furthermore, Shao et al. [26] developed the matrix of security in [25]. He first raised the anonymous PRE in [27]. After that, he gathered the advantages of the above works and proposed CCA-secure anonymous IBPRE. To perfect the existing PRE system, Liang et al. [7] considered the scenario that data providers may want the data to be conditionally shared. That means receivers just obtain a part of the data instead of the whole. Such an assumption is closer to reality. They described their multi-hop identity-based conditional proxy re-encryption (MH-IBCPRE) system which can realize conditional sharing and protect users' privacy from CCA, chosen plaintext attack (CPA), collusion attacks and tracing attacks.

Different from the above works, we intend to realize the function that a data provider can authenticate receivers' attributes before sharing the data. If a receiver's attribute does not satisfy the provider's requirement, he will not send the ciphertext. Only receivers with certain attributes can share the data. Guo et al. [8] proposed an authentication mechanism that can verify patients' and physicians' attributes. Physicians can receive patients' PHRs only after their attributes have been verified.

The novelty of this work compared with prior art is three-fold. First, we develop MH-IBCPRE to meet the requirement that data providers' and receivers' attributes be authenticated before data sharing. This can protect users from mendacious information and from wasting time and resources. Second, we combine identity-based encryption with attribute-based encryption. Third, as to security, we also achieve security against CCA, CPA, collusion attacks, tracing attacks and attribute exposure. TABLE 1 shows the comparison between our scheme and some previous works on security and functions. Here, M.S. means multi-sharing, C.A.R represents collusion attack resistance and Attrib. Authen. indicates attribute authentication.

TABLE 1: Comparisons on Security and Functions

Scheme   Security   M.S.   C.A.R   Anonymity   Attrib. Authen.
[24]     RCCA       ✓      ✗       ✗           ✗
[6]      CPA        ✓      ✗       ✗           ✗
[27]     CCA        ✗      ✓       ✗           ✗
[7]      CCA        ✓      ✓       ✓           ✗
[26]     CCA        ✓      ✓       ✗           ✗
Ours     CCA        ✓      ✓       ✓           ✓

3 SYSTEM MODEL AND DEFINITION

3.1 System Overview

First, we take an overview of our system. We propose the system mainly for multiple receivers to share data from the cloud conditionally while keeping the owner of the data privacy-preserved. Our system can apply to the situation where the data is extremely large. When a user uploads his data to the cloud, he needs to encrypt the data to prevent it from being exposed to the cloud server. Then a proxy, which is a semi-trusted party, is used here for re-encrypting the ciphertext. Every receiver who wants to share the data has his own key for decryption. Our system lets the receiver obtain his desired data and ensures that the rest of the data remains encrypted. Our system not only provides the re-encryption operation, but can also ensure authentication between data providers and receivers without leaking any privacy. Different from schemes based totally on identity, we also adopt attribute-based authentication, which enhances the security to resist tracing and collusion attacks. With the two techniques, our system is able to meet the demand for flexibility and privacy preservation in big data storage.

TABLE 2: Symbols And Variables

G1, G2, GT    multiplicative groups
q             prime order
g             generator of G1
ĝ             generator of G2
k             security level
e             bilinear map
Adv           advantage to solve the problem
Pr            probability to solve the problem
Sig           key generation function
Es            signing key
Ev            verification key
σ             signature
Sign          signature generation function
Ver           verification function
SYM.Enc       encryption scheme
SYM.Dec       decryption scheme
sk            secret key
pk            public key
rek           re-encryption key
PS            pseudonyms
M1            entry-wise Zq module of G1
πi            non-interactive witness-indistinguishable proof

TABLE 2 gives the primary symbols we use in the system. A credible authority is needed here to distribute keys for users (both data providers and receivers), and a semi-trusted cloud center produces and releases credentials based on users' attributes. Distinct data providers use their portable devices like smartphones and wearable devices to collect data, and then encrypt and transmit them to the cloud center. Note that we assume the cloud center verifies the facticity of the data providers' attributes. The providers will get their corresponding credentials which represent their attributes. Each provider can use the pseudonyms allocated before to verify his attribute anonymously and communicate with others without leaking any privacy. Similar to the providers, data receivers can prove their qualifications without exposing any privacy. After the re-encryption and authentication process,


users may start to share data with each other (data provider-to-receiver).

3.2 System Definition

In the following part we introduce the algorithms which will be used in the system construction.

1) Setup(1^k) → (ppk, psk): input a parameter k to control the security level, output the primary public key and the primary secret key.
2) KeyGen(psk, ID) → sk_ID: input the user's identity ID ∈ {0,1}* and the primary secret key psk, output the secret key sk_ID to the user.
3) ReKeyGen(ID_i, sk_{ID_i}, ID_i', w) → rek_{ID_i→ID_i', w}: input the identity of a delegator ID_i, the related secret key sk_{ID_i} and the condition requirement w ∈ {0,1}*, output the key for re-encryption rek_{ID_i→ID_i', w}.
4) Enc(ID_i, w, m) → Ct_{1,ID_i,w}: input the identity ID_i, the condition requirement w and the original message m, output the ciphertext Ct_{1,ID_i,w}. The subscript 1 means the ciphertext is in the first level.
5) ReEnc(rek_{ID_i→ID_i', w}, Ct_{i,ID_i,w}) → Ct_{i+1,ID_i,w}: input rek_{ID_i→ID_i', w} and the ciphertext in the i-th level, re-encrypt the ciphertext and output Ct_{i+1,ID_i,w}.
6) Dec(sk_{ID_i}, Ct_{i,ID_i,w}) → m: input sk_{ID_i} and the ciphertext, decrypt the ciphertext and output the original message m.

3.3 Security Model

In our system, we intend to ensure security under several attacks, including selective condition CCA, selective identity CCA and collusion attacks, and make sure that the ciphertext, the re-encryption keys and the attributes of users are anonymous. There are several re-encryption keys in our system, ReK = {rek_{ID_{i1}→ID_{i2}}, ···, rek_{ID_{il-1}→ID_{il}}}. In ReK, the two identities are different, ID_{ij} ≠ ID_{ij+1}, for any re-encryption key rek_{ID_{ij-1}→ID_{ij}}. We define that an authorization chain exists from ID_{i1} to ID_{il}: ID_{i1} → ··· → ID_{il}. The situation that ID_{i1} = ID_{il} is included in the chain. If an adversary can compromise the encryption key of an identity, we say that the identity is corrupted. Otherwise, the identity is uncorrupted. Once a corrupted identity is contained in an authorization chain, we define the chain to be corrupted. Only if the authorization chain has no corrupted identities can it be uncorrupted. As to the anonymity of the attributes and ciphertexts, we give the following definition. If an adversary is given the attributes or the ciphertexts, he cannot identify the user.

4 PRELIMINARIES

In this section, we present some techniques used in our system.

4.1 Bilinear Pairing

The bilinear pairing is operated on elliptic curves [28]. Let G1, G2 and GT be multiplicative groups of order q with q = |k|, and let g and ĝ be random generators of G1 and G2 respectively. BSetup is an algorithm where users input k and obtain the parameters (q, g, ĝ, G1, G2, GT, e). Let e denote a bilinear map e : G1 × G2 → GT which has three properties:

• Bilinear: e(g^a, g^b) = e(g, g)^{ab}, where g ∈ G1 and a, b ∈_R Zq*.
• Non-degenerate: ∃g ∈ G1 such that e(g, ĝ) ≠ 1.
• Computable: for ∀g ∈ G1, there exists an algorithm that can efficiently calculate e(g, g).

Given a set (g, g^a, g^c, ĝ, ĝ^a, ĝ^b) ∈ G1^3 × G2^3 and T ∈ GT, whether T = e(g, ĝ)^{abc} holds needs to be decided. This is called the asymmetric decisional ADBDH problem in [29]. An algorithm A has good performance in solving the ADBDH problem with advantage Adv_A^{ADBDH} = ε under the condition that |Pr[A(g, g^a, g^c, ĝ, ĝ^a, ĝ^b, e(g, ĝ)^{abc}) = 0] − Pr[A(g, g^a, g^c, ĝ, ĝ^a, ĝ^b, T) = 0]| ≥ ε. If no PPT algorithm has advantage ε in solving the ADBDH problem, then the ADBDH assumption holds in (G1, G2).

Given a set (g, g^a, g^{ab}, g^c, ĝ, ĝ^a, ĝ^b) ∈ G1^4 × G2^3 and T ∈ GT, whether T = e(g, ĝ)^{abc} holds needs to be decided. This is called the asymmetric decisional P-BDH problem in [29]. An algorithm A has good performance in solving the P-BDH problem with advantage Adv_A^{P-BDH} = ε under the condition that |Pr[A(g, g^a, g^{ab}, g^c, ĝ, ĝ^a, ĝ^b, g^{abc}) = 0] − Pr[A(g, g^a, g^{ab}, g^c, ĝ, ĝ^a, ĝ^b, T) = 0]| ≥ ε. If no PPT algorithm has advantage ε in solving the P-BDH problem, then the P-BDH assumption holds in (G1, G2).

4.2 Signature

A signature is used to verify whether the message is valid without knowing the value of the message. Once the signature makes the verification equation hold, it means the message is valid, and we do not have to know the exact content. We use the strongly unforgeable signature in [30]. For completeness, we present the details in the following.

1) Sig.KGen(1^k) → (Es, Ev): input a parameter controlling the security level k ∈ N, output a pair of keys (Es, Ev) representing the signing and verification keys respectively.
2) Sign(Es, m) → σ: input Es and the message m, output a signature σ.
3) Ver(Ev, σ, m) → 1/0: input Ev, a signature σ and the message m, output 1 if the signature σ of the message m is valid. Otherwise, output 0.

One-off Symmetric Encryption: We use the one-off symmetric encryption in [31]. Denote by ED the key space {0,1}^{poly(1^k)}. SYM denotes a symmetric encryption scheme, and poly(1^k) is a fixed polynomial size in k. SYM.Enc is an encryption algorithm which inputs a key E ∈ ED and the original message m and outputs the ciphertext Ct. Correspondingly, SYM.Dec is a decryption algorithm inputting E and Ct, and outputting m or false.

4.3 Encryption Scheme

In this part, we introduce three encryption schemes, namely the 1-level, 2-level and 3-level encryption schemes. The


1-level encryption scheme is a basic anonymous IBE. The 2-level encryption scheme is based on the 1-level scheme and can resist chosen plaintext attack (CPA). The 3-level encryption scheme is the extension of the 2-level encryption scheme and can resist CCA. First is the efficient anonymous identity-based encryption in [29]:

• Run BSetup(1^k) → (q, g, ĝ, G1, G2, GT, e), choose α, β, γ, δ, η ∈ Zq*, then set g1 = g^α, g2 = g^β, v = g^γ, z = g^δ, t = g^η, ĝ1 = ĝ^α, ĝ2 = ĝ^β, v̂ = ĝ^γ, ẑ = ĝ^δ, t̂ = ĝ^η. The primary public key is ppk = (g, ĝ, g1, v, z, t, ĝ2, v̂), and the primary secret key is psk = (ĝ0 = ĝ^{αβ}, ẑ, t̂).
• With the psk computed above, the identity ID ∈ Zq*, and chosen r, R ∈ Zq*, the identity-based secret key can be computed as sk_ID = (sk_{ID0}, sk_{ID1}, sk_{ID2}) = (ĝ0 (v̂^ID ẑ)^r t̂^R, ĝ^r, ĝ^R).
• Choose s ∈ Zq* randomly, calculate Ct1 = e(g1, ĝ2)^s · m, Ct2 = g^s, Ct3 = (v^ID z)^s, Ct4 = t^s, where ID ∈ Zq*, m ∈ GT, and the ciphertext is Ct = (Ct1, Ct2, Ct3, Ct4).
• By using the secret key sk_ID, decrypt the ciphertext Ct = (Ct1, Ct2, Ct3, Ct4) to restore the message m = Ct1 · e(Ct3, sk_{ID1}) · e(Ct4, sk_{ID2}) / e(Ct2, sk_{ID0}).

By using the basic encryption scheme and the BB1 HIBE in [32], we can extend the scheme into a 2-level scheme with conditions considered in it:

• Denote by w ∈ Zq* a condition, choose α, β, γ, δ1, δ2, η ∈_R Zq*, then set g1 = g^α, g2 = g^β, v = g^γ, z1 = g^{δ1}, z2 = g^{δ2}, t = g^η, ĝ1 = ĝ^α, ĝ2 = ĝ^β, v̂ = ĝ^γ, ẑ1 = ĝ^{δ1}, ẑ2 = ĝ^{δ2}, t̂ = ĝ^η. The primary public key and primary secret key are ppk = (g, ĝ, g1, v, z1, z2, t, ĝ2, ẑ2, v̂) and psk = (ĝ0 = ĝ^{αβ}, ẑ1, t̂).
• Compute sk_ID = (sk_{ID0}, sk_{ID1}, sk_{ID2}, sk_{ID3}) = (ĝ0 (v̂^ID ẑ1)^{r1} (v̂^w ẑ2)^{r2} t̂^R, ĝ^r, ĝ^R), where r1, r2, R ∈ Zq*.
• Choose s ∈ Zq* randomly, calculate Ct1 = e(g1, ĝ2)^s · m, Ct2 = g^s, Ct3 = (v^ID z1)^s, Ct4 = t^s, Ct5 = (v^w z2)^s, where ID ∈ Zq*, m ∈ GT, and the ciphertext is Ct = (Ct1, Ct2, Ct3, Ct4, Ct5).
• Restore the message m = Ct1 · e(Ct3, sk_{ID1}) · e(Ct5, sk_{ID2}) · e(Ct4, sk_{ID3}) / e(Ct2, sk_{ID0}).

The above scheme is called 2-level HIBE. It is extended by using the BB1 HIBE technique. Whether the scheme is CPA secure or not depends on whether the P-BDH assumption holds or not. Then we develop the 2-level scheme to resist chosen ciphertext attacks by applying the CHK transformation in [33]:

• Denote by w ∈ Zq* a condition, choose α, β, γ, δ1, δ2, δ3, η ∈_R Zq*, then set g1 = g^α, g2 = g^β, v = g^γ, z1 = g^{δ1}, z2 = g^{δ2}, z3 = g^{δ3}, t = g^η, ĝ1 = ĝ^α, ĝ2 = ĝ^β, v̂ = ĝ^γ, ẑ1 = ĝ^{δ1}, ẑ2 = ĝ^{δ2}, ẑ3 = ĝ^{δ3}, t̂ = ĝ^η. The primary public key and primary secret key are ppk = (g, ĝ, g1, v, z1, z2, z3, t, ĝ2, ẑ2, ẑ3, v̂, (Sig.KGen, Sign, Ver)) and psk = (ĝ0 = ĝ^{αβ}, ẑ1, t̂).
• Compute sk_ID = (sk_{ID0}, sk_{ID1}, sk_{ID2}, sk_{ID3}, sk_{ID4}) = (ĝ0 (v̂^ID ẑ1)^{r1} (v̂^w ẑ2)^{r2} (v̂^{Ev} ẑ3)^{r3} t̂^R, ĝ^r, ĝ^R), where r1, r2, r3, R ∈ Zq*.
• Select s ∈_R Zq* randomly and a pair of one-off signature keys Sig.KGen(1^k) → (Es, Ev), calculate Ct0 = Ev, Ct1 = e(g1, ĝ2)^s · m, Ct2 = g^s, Ct3 = (v^ID z1)^s, Ct4 = t^s, Ct5 = (v^w z2)^s, Ct6 = (v^{Ev} z3)^s, Ct7 = Sign(Es, (Ct1, Ct2, Ct3, Ct4, Ct5, Ct6)).
• Given the ciphertext Ct = (Ct1, Ct2, Ct3, Ct4, Ct5, Ct6, Ct7), verify whether e(v̂^{Ev} ẑ3, Ct2) = e(ĝ, Ct6) and Ver(Ev, Ct7, (Ct1, Ct2, Ct3, Ct4, Ct5, Ct6)) = 1 hold. Output m = Ct1 · e(Ct3, sk_{ID1}) · e(Ct5, sk_{ID2}) · e(Ct6, sk_{ID3}) · e(Ct4, sk_{ID4}) / e(Ct2, sk_{ID0}) if both of the above equations hold, and output false otherwise.

5 SYSTEM CONSTRUCTION

In this section, we present our whole system, including system setup, key generation, encryption, re-encryption, pre-authentication and decryption. First, the parameters are set up and the secret keys are generated. The data is encrypted into ciphertext. Then the generation of the re-encryption keys is carried out. After that, the attributes of the data receivers are verified, and only receivers with the specific attributes have access to the re-encryption keys and re-encrypt the ciphertexts. Finally, the decryption of the re-encrypted ciphertexts is given.

5.1 Parameters Setting and Encryption

Parameters Setting: The first step is to set up 1^k: after being given k, run BSetup(1^k) → (q, g, ĝ, G1, G2, GT, e). Assume x̃i is the attribute information and α, β, γ, δ1, δ2, δ3, η ∈_R Zq*, then set the parameters as in TABLE 3.

TABLE 3: Parameters Setting

g1 = g^α, g2 = g^β, v = g^γ, z1 = g^{δ1}, z2 = g^{δ2}, z3 = g^{δ3}, t = g^η, ĝ1 = ĝ^α
ĝ2 = ĝ^β, v̂ = ĝ^γ, ẑ1 = ĝ^{δ1}, ẑ2 = ĝ^{δ2}, ẑ3 = ĝ^{δ3}, t̂ = ĝ^η

Two TCR hash functions are needed here: H1 : {0,1}^k → Zq*, H2 : GT → {0,1}^{poly(1^k)}, and a one-time symmetric key encryption which can resist CCA attack: SYM = (SYM.Enc, SYM.Dec). Denote by (Sig.KGen, Sign, Ver) a signature scheme and by Ev a verification key in Zq*. The primary public key and primary secret key are ppk = (q, k, g, ĝ, G1, G2, GT, e, g1, v, z1, z2, z3, t, ĝ2, ẑ2, ẑ3, v̂, H1, H2, SYM, (Sig.KGen, Sign, Ver)) and psk = (ĝ0 = ĝ^{αβ}, ẑ1, t̂).

Secret Key Generation: With the psk computed above, the identity ID ∈ Zq*, and r, R ∈ Zq*, the identity-based secret key can be computed as sk_ID = (sk_{ID0}, sk_{ID1}, sk_{ID2}) = (ĝ0 (v̂^ID ẑ1)^r t̂^R, ĝ^r, ĝ^R). The public key generation process (PKG) outputs the secret key, and the key can be checked by the users with the following equation:

e(g, sk_{ID0}) ?= e(g1, ĝ2) · e(v^ID z1, sk_{ID1}) · e(t, sk_{ID2}).

Encryption: The message m can be encrypted based on the identity ID with attribute x̃i. To obtain the 1-st level ciphertext, first choose s0 ∈_R Zq* and a signature key pair


$\mathrm{Sig.KGen}(1^k) \to (E_s, E_v)$. Compute a set of parameters from $Ct_0$ to $Ct_7$:

$$Ct_0 = E_v,\quad Ct_1 = e(g_1,\hat g_2)^{s_0}\cdot m,\quad Ct_2 = g^{s_0},\quad Ct_3 = (v^{ID_i} z_1)^{s_0},\quad Ct_4 = t^{s_0},\quad Ct_5 = (v^{\tilde x_i} z_2)^{s_0},\quad Ct_6 = (v^{E_v} z_3)^{s_0},\quad Ct_7 = \mathrm{Sign}(E_s,(Ct_1,Ct_2,Ct_3,Ct_4,Ct_5,Ct_6)),$$

thus the ciphertext is $Ct_{1,ID_i,\tilde x_i} = (Ct_1,Ct_2,Ct_3,Ct_4,Ct_5,Ct_6,Ct_7)$, where $ID_i \in \mathbb{Z}_q^*$ and $m \in G_T$.

5.2 Re-encryption Key Generation

After the encryption of the message, we present the details of the re-encryption process. The re-encryption keys are generated by the following steps. Choose $\theta_1^{(i)} \in_R G_T$, $\rho^{(i)}, s_1^{(i)}, r_1^{(i)} \in_R \mathbb{Z}_q^*$ and a signature key pair $\mathrm{Sig.KGen}(1^k) \to (E_s^{(i)}, E_v^{(i)})$, and calculate $\mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}$ as in TABLE 4:

TABLE 4: Re-encryption Keys Setting

$$\begin{aligned}
\mathrm{rek}_0^{(i)} &= \big(sk_{ID_i,0}\,(\hat v^{\tilde x_i}\hat z_2)^{\rho^{(i)}}\big)^{H_1(\theta_1^{(i)})}, &
\mathrm{rek}_1^{(i)} &= (\hat g^{\rho^{(i)}})^{H_1(\theta_1^{(i)})}, &
\mathrm{rek}_2^{(i)} &= sk_{ID_i,1}^{H_1(\theta_1^{(i)})}, \\
\mathrm{rek}_3^{(i)} &= sk_{ID_i,2}^{H_1(\theta_1^{(i)})}, &
\mathrm{rek}_4^{(i)} &= e(g_1,\hat g_2)^{s_1^{(i)}}\cdot\theta_1^{(i)}, &
\mathrm{rek}_5^{(i)} &= g^{s_1^{(i)}}, \\
\mathrm{rek}_6^{(i)} &= (v^{ID_i'} z_1)^{s_1^{(i)}}, &
\mathrm{rek}_7^{(i)} &= t^{s_1^{(i)}}, &
\mathrm{rek}_8^{(i)} &= (v^{\tilde x_i} z_2)^{s_1^{(i)}}, \\
\mathrm{rek}_9^{(i)} &= (v^{E_v^{(i)}} z_3)^{s_1^{(i)}}, &
\mathrm{rek}_{10}^{(i)} &= E_v^{(i)}, &
\mathrm{rek}_{11}^{(i)} &= \mathrm{Sign}(E_s^{(i)},(\mathrm{rek}_4^{(i)},\dots,\mathrm{rek}_9^{(i)})), \\
\mathrm{rek}_{12}^{(i)} &= (v^{ID_i'} z_1)^{r_1^{(i)}}, &
\mathrm{rek}_{13}^{(i)} &= g_1^{r_1^{(i)}}, &
\mathrm{rek}_{14}^{(i)} &= t^{r_1^{(i)}}, \\
\mathrm{rek}_{15}^{(i)} &= v_1^{r_1^{(i)}}, &
\mathrm{rek}_{16}^{(i)} &= e(g_1,\hat g_2)^{r_1^{(i)}}, &
\mathrm{rek}_{17}^{(i)} &= z_2^{r_1^{(i)}}, \\
\mathrm{rek}_{18}^{(i)} &= z_3^{r_1^{(i)}}.
\end{aligned}$$

where $ID_i, ID_i' \in \mathbb{Z}_q^*$ and $i \in \{1,\dots,\mathrm{poly}(1^k)\}$. With the key for re-encryption, the re-encryption process is presented as follows. We re-encrypt the ciphertext $Ct_{i,ID_i,\tilde x_i}$ with the key $\mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}$.

5.3 Pre-Authentication

5.3.1 Setting up

Randomly choose a domain primary secret $\zeta \in \mathbb{Z}_q^*$ and calculate $P_{pub} = g^{\zeta}$. Publish the domain parameters $\{q, G_1, G_2, e, g, H_0\}$ and keep $\zeta$ secret. Allocate a set of pseudonyms which can resist collusion attacks, so that users can communicate anonymously. For example, a set of pseudonyms is given to user $X$, $PS_A = \{PS_A^E \mid 1 \le E \le |PS_A|\}$, and each pseudonym has a set of secret keys $psk_{PS_A^E} = \{H(PS_A^E)^{\zeta} \in G_1 \mid 1 \le E \le |PS_A|\}$. Every user can ask for $P_{pub}$ and the $psk$ of his pseudonym set. Randomly choose $r_u, s_v \leftarrow \mathbb{Z}_q$, and set $t_{\tilde x_i} = r_u + s_v$. Produce $u_1 = (g_1, 1, g)$, $u_2 = (1, g_2, g)$, $u_3 = (g_1^{r_{\tilde x_i}}, g_2^{s_v}, g^{t_{\tilde x_i}})$. Then the common reference string can be denoted as $(q, G_1, G_2, e, M_1, M_2, \hat e, g, u_1, u_2, u_3, \eta_1, \eta_2, \eta_3)$, where $M_1, M_2$ are the entry-wise $\mathbb{Z}_q$-modules of $G_1, G_2$, and $u_1, u_2, u_3$ are public parameters in $M_1$. Publish the common reference string to users.

5.3.2 Credential Issuance

A credential is used by the users who have verified their attributes to show their validity. Once users have verified their attributes, credentials are computed and given to them. Users who are valid on the specific attributes can use their credentials to show that they have access to the data. To compute the credential, the cloud center randomly chooses an integer $\tilde x_i \in \mathbb{Z}_q^*$, where $i$ represents an attribute such as gender, age, disease, etc. Once the attributes have been verified, the cloud center calculates the credential $\tilde v_i = g^{\tilde x_i} \in G_1$ and $e(g,g) \in G_2$. The public key and secret key for verification are $(g, \tilde v_i, e(g,g))$ and $\tilde x_i$ respectively. For security reasons, the credential cannot be shown directly, so we use $\hat g_1, \hat g_2, \tau$ to verify $\tilde v_i$, where $\tau = e(\hat g_1, \hat v) \in G_2$. The cloud center chooses a random parameter $\hat c \in \mathbb{Z}_q$ and calculates $(a, b) := (\hat g_1^{-\hat c}, (\hat g_2\cdot\tilde v)^{\hat c}\cdot\hat v)$. We can check the credential by using the following equation:

$$e(a, \hat g_2\cdot\tilde v)\,e(\hat g_1, b) = \tau.$$

5.3.3 Verification

Receivers use $u_1, u_2, u_3 \in M_1$ and randomly choose $r_{11}, r_{12}, r_{13}, r_{21}, r_{22}, r_{23} \in \mathbb{Z}_q$. Compute $\mathrm{Com}(\hat g_2\cdot\tilde v) := c_0 := (1, 1, \hat g_2\cdot\tilde v)\,u_1^{r_{11}} u_2^{r_{12}} u_3^{r_{13}}$, $\mathrm{Com}(b) := d_0 := (1, 1, (\hat g_2\cdot\tilde v)^{\hat c}\cdot\hat v)\,u_1^{r_{21}} u_2^{r_{22}} u_3^{r_{23}}$, and a proof $\pi_i := (1, 1, \hat g_1^{-\hat c})^{r_{1i}} (1, 1, \hat g_1)^{r_{2i}}$. Then the receiver sends $(c_0, d_0, \pi_1, \pi_2, \pi_3)$ to the cloud center to verify. For privacy reasons, receivers may not intend to expose their identities or credentials to the third party. With the common reference string and $\hat g_1, \hat g_2, \tau$, receivers can verify the effectiveness of the credentials. Define a new bilinear map $\hat e_9: G_1^3 \times G_1^3 \to G_2^9$:

$$\hat e_9\left(\begin{pmatrix} a\\ b\\ c\end{pmatrix}, \begin{pmatrix} x\\ y\\ z\end{pmatrix}\right) \to \begin{pmatrix} e(a,x) & e(a,y) & e(a,z)\\ e(b,x) & e(b,y) & e(b,z)\\ e(c,x) & e(c,y) & e(c,z)\end{pmatrix} \qquad (1)$$

Data providers can use the following formula to check receivers' credentials:

$$\hat e_9\left(c_0, \begin{pmatrix}1\\1\\ \hat g_1^{-\hat c}\end{pmatrix}\right)\cdot \hat e_9\left(d_0, \begin{pmatrix}1\\1\\ \hat g_1\end{pmatrix}\right) \stackrel{?}{=} \begin{pmatrix}1&1&1\\1&1&1\\1&1&\tau\end{pmatrix} \prod_{i=1}^{3} \hat e(u_i, \pi_i) \qquad (2)$$

If the equation holds, the data receivers' attributes are verified and they are qualified to share the data. Otherwise, they have no access to the data.

The left side of Eq. (2) can be derived as follows:

$$\begin{aligned}
L ={}& \hat e_9\left(\begin{pmatrix} g_1^{c_{11}+c_u c_{13}}\\ g_2^{c_{12}+s_v c_{13}}\\ \hat g_2\tilde v\end{pmatrix}, \begin{pmatrix}1\\1\\ \hat g_1^{-\hat c}\end{pmatrix}\right)\cdot \hat e_9\left(\begin{pmatrix} g_1^{c_{11}+c_u c_{13}}\\ g_2^{c_{12}+s_v c_{13}}\\ g^{\dot c}\end{pmatrix}, \begin{pmatrix}1\\1\\ \hat g_1^{-\hat c}\end{pmatrix}\right) \\
&\cdot \hat e_9\left(\begin{pmatrix} g_1^{c_{21}+c_u}\\ g_2^{c_{22}+s_v}\\ (\hat g_2\tilde v)^{\hat c}\hat v\end{pmatrix}, \begin{pmatrix}1\\1\\ \hat g_1\end{pmatrix}\right)\cdot \hat e_9\left(\begin{pmatrix} g_1^{c_{21}+c_u}\\ g_2^{c_{22}+s_v}\\ g^{\ddot c}\end{pmatrix}, \begin{pmatrix}1\\1\\ \hat g_1\end{pmatrix}\right),
\end{aligned}$$
where $\dot c = c_{11} + c_{12} + t c_{13}$ and $\ddot c = c_{21} + c_{22} + t c_{23}$. The right side of the equation is

$$R = \tau\, e(g, g_1^{-\hat c c_{11}+c_{21}})\, e(g, g_1^{-\hat c c_{12}+c_{22}})\, e(g, g_1^{-\hat c c_{13}+c_{23}}) = \tau\, e(g, c)^{-\hat c\dot c+\ddot c}.$$

Due to the page limit, we leave out the detailed expansion of the equation's left side. Once the attributes are verified, it is obvious to see that the two sides are equal.

5.4 Re-encryption

We use the keys generated before to encrypt the data, and we need to consider two situations here.

If $i = 1$:

Verification:

$$e(\hat v^{E_v}, \hat v^{\tilde x_i}, Ct_2) \stackrel{?}{=} e(\hat g, Ct_5, Ct_6)/e(g, \hat z_2, \hat z_3),\qquad \mathrm{Ver}(E_v, Ct_7, (Ct_1, Ct_2, Ct_3, Ct_4, Ct_5, Ct_6)) \stackrel{?}{=} 1. \qquad (3)$$

If Eq. (3) holds, we continue with the following steps; otherwise, it outputs failure.

Re-encryption: Choose $\theta_2^{(1)} \in_R G_T$, $s_2^{(1)} \in_R \mathbb{Z}_q^*$ and a signature key pair $\mathrm{Sig.KGen}(1^k) \to (E_s^{(1)}, E_v^{(1)})$. Compute

$$Ct_7^{(1)} = \frac{e(Ct_2, \mathrm{rek}_0^{(1)})/e(Ct_5, \mathrm{rek}_1^{(1)})}{e(Ct_3, \mathrm{rek}_2^{(1)})/e(Ct_4, \mathrm{rek}_3^{(1)})},\qquad \theta^{(1)} = \mathrm{SYM.Enc}(Ct_0 \,\|\, Ct_1 \,\|\cdots\|\, Ct_7 \,\|\, Ct_7^{(1)},\; H_2(\theta_2^{(1)})),$$

and the calculation of the rest of the ciphertexts is shown in TABLE 5.

TABLE 5: Ciphertexts Calculation if $i = 1$

$$\begin{aligned}
Ct_8^{(1)} &= (\mathrm{rek}_{16}^{(1)})^{s_2^{(1)}}\cdot\theta_2^{(1)}, & Ct_9^{(1)} &= (\mathrm{rek}_{13}^{(1)})^{s_2^{(1)}}, & Ct_{10}^{(1)} &= (\mathrm{rek}_{12}^{(1)})^{s_2^{(1)}}, \\
Ct_{11}^{(1)} &= (\mathrm{rek}_{14}^{(1)})^{s_2^{(1)}}, & Ct_{12}^{(1)} &= \big((\mathrm{rek}_{15}^{(1)})^{\tilde x_i + E_v^{(1)}}\,\mathrm{rek}_{17}^{(1)}\,\mathrm{rek}_{18}^{(1)}\big)^{s_2^{(1)}}, \\
Ct_{13}^{(1)} &= E_v^{(1)}, & Ct_{14}^{(1)} &= \mathrm{Sign}(E_s^{(1)}, (Ct_8^{(1)},\dots,Ct_{12}^{(1)})).
\end{aligned}$$

The final output is $Ct_{2,ID_i',\tilde x_i} = (\sigma^{(1)}, Ct_8^{(1)}, Ct_9^{(1)}, Ct_{10}^{(1)}, Ct_{11}^{(1)}, Ct_{12}^{(1)}, Ct_{13}^{(1)}, Ct_{14}^{(1)}, \mathrm{rek}_4^{(1)}, \mathrm{rek}_5^{(1)}, \mathrm{rek}_6^{(1)}, \mathrm{rek}_7^{(1)}, \mathrm{rek}_8^{(1)}, \mathrm{rek}_9^{(1)}, \mathrm{rek}_{10}^{(1)}, \mathrm{rek}_{11}^{(1)})$.

If $i > 1$:

Verification:

$$e(\mathrm{rek}_5^{(i-1)}, \hat v^{\tilde x_i}, g) \stackrel{?}{=} e(\mathrm{rek}_8^{(i-1)}, \mathrm{rek}_9^{(i-1)}, \hat g)/e(g, \hat z_2, \hat v^{E_v}),\qquad \mathrm{Ver}(\mathrm{rek}_{10}^{(i-1)}, \mathrm{rek}_{11}^{(i-1)}, (\mathrm{rek}_4^{(i-1)},\dots,\mathrm{rek}_9^{(i-1)})) \stackrel{?}{=} 1. \qquad (4)$$

$$e(Ct_9^{(i-1)}, \hat v^{\tilde x_i}\hat z_2, \hat v^{E_v}) \stackrel{?}{=} e(Ct_{12}^{(i-1)}, \hat g)/e(g, \hat z_2, \hat z_3),\qquad \mathrm{Ver}(Ct_{13}^{(i-1)}, Ct_{14}^{(i-1)}, (Ct_8^{(i-1)},\dots,Ct_{12}^{(i-1)})) \stackrel{?}{=} 1. \qquad (5)$$

Only when Eq. (4) and Eq. (5) both hold can we continue with the next steps. Otherwise, output failure.

Re-encryption: Choose $\theta_2^{(i)} \in_R G_T$, $s_2^{(i)} \in_R \mathbb{Z}_q^*$ and a signature key pair $\mathrm{Sig.KGen}(1^k) \to (E_s^{(i)}, E_v^{(i)})$. Compute

$$Ct_{7,0}^{(i)} = \frac{e(\mathrm{rek}_5^{(i-1)}, \mathrm{rek}_0^{(i)}(\mathrm{rek}_{15}^{(i)})^{\mathrm{rek}_{10}^{(i)}})/e(\mathrm{rek}_8^{(i-1)}, \mathrm{rek}_1^{(i)})}{e(\mathrm{rek}_6^{(i-1)}, \mathrm{rek}_2^{(i)})/e(\mathrm{rek}_7^{(i-1)}, \mathrm{rek}_3^{(i)}\mathrm{rek}_9^{(i)})},$$

$$Ct_{7,1}^{(i)} = \frac{e(Ct_9^{(i-1)}, \mathrm{rek}_0^{(i)}(\mathrm{rek}_{15}^{(i)})^{\mathrm{rek}_{10}^{(i)}})/e(Ct_{12}^{(i-1)}, \mathrm{rek}_1^{(i)})}{e(Ct_{10}^{(i-1)}, \mathrm{rek}_2^{(i)})/e(Ct_{11}^{(i-1)}, \mathrm{rek}_3^{(i)}\mathrm{rek}_9^{(i)})},$$

$$\theta^{(i)} = \mathrm{SYM.Enc}(\theta^{(i-1)} \,\|\, Ct_8^{(i-1)} \,\|\cdots\|\, Ct_{14}^{(i-1)} \,\|\, \mathrm{rek}_4^{(i-1)} \,\|\cdots\|\, \mathrm{rek}_{11}^{(i-1)} \,\|\, Ct_{7,0}^{(i)} \,\|\, Ct_{7,1}^{(i)},\; H_2(\theta_2^{(i)})),$$

TABLE 6: Ciphertexts Calculation if $i > 1$

$$\begin{aligned}
Ct_8^{(i)} &= (\mathrm{rek}_{16}^{(i)})^{s_2^{(i)}}\cdot\theta_2^{(i)}, & Ct_9^{(i)} &= (\mathrm{rek}_{13}^{(i)})^{s_2^{(i)}}, & Ct_{10}^{(i)} &= (\mathrm{rek}_{12}^{(i)})^{s_2^{(i)}}, \\
Ct_{11}^{(i)} &= (\mathrm{rek}_{14}^{(i)})^{s_2^{(i)}}, & Ct_{12}^{(i)} &= \big((\mathrm{rek}_{15}^{(i)})^{\tilde x_i + E_v^{(i)}}\,\mathrm{rek}_{17}^{(i)}\,\mathrm{rek}_{18}^{(i)}\big)^{s_2^{(i)}}, \\
Ct_{13}^{(i)} &= E_v^{(i)}, & Ct_{14}^{(i)} &= \mathrm{Sign}(E_s^{(i)}, (Ct_8^{(i)},\dots,Ct_{12}^{(i)})).
\end{aligned}$$

and the final output is $Ct_{i,ID_i',\tilde x_i} = (\sigma^{(i)}, Ct_8^{(i)}, Ct_9^{(i)}, Ct_{10}^{(i)}, Ct_{11}^{(i)}, Ct_{12}^{(i)}, Ct_{13}^{(i)}, Ct_{14}^{(i)}, \mathrm{rek}_4^{(i)}, \mathrm{rek}_5^{(i)}, \mathrm{rek}_6^{(i)}, \mathrm{rek}_7^{(i)}, \mathrm{rek}_8^{(i)}, \mathrm{rek}_9^{(i)}, \mathrm{rek}_{10}^{(i)}, \mathrm{rek}_{11}^{(i)})$.

The decryption of the ciphertext will be described in the next section. We use $sk_{ID_i}$ to encrypt the ciphertext $Ct_{i,ID_i,\tilde x_i}$. The two conditions $i = 1$ and $i > 1$ are also considered there.

5.5 Decryption

If the qualified receivers intend to obtain the data, they need to decrypt the ciphertext by using their keys. There are also two conditions here.

If $i = 1$:

The ciphertext can be decrypted only when Eq. (6) holds. Otherwise, output failure. After Eq. (3) is verified, we can calculate

$$Ct_1 \Big/ \frac{e(Ct_2, sk_{ID,0})}{e(Ct_3, sk_{ID,1})\cdot e(Ct_4, sk_{ID,2})} = e(g_1,\hat g_2)^{s_0}\cdot m \Big/ \frac{e(g^{s_0}, \hat g_0 (\hat v^{ID_i}\hat z)^r \hat t^R)}{e((v^{ID_i} z)^{s_0}, \hat g^r)\cdot e(t^{s_0}, \hat g^R)} = e(g_1,\hat g_2)^{s_0}\cdot m \big/ e(g_1,\hat g_2)^{s_0} = m.$$

If $i > 1$:

$$e(\mathrm{rek}_5^{(i)}, \hat v^{\tilde x_i}\hat z_2, \hat v^{E_v}\hat z_3) \stackrel{?}{=} e(\mathrm{rek}_8^{(i)}, \mathrm{rek}_9^{(i)}, \hat g),\qquad \mathrm{Ver}(\mathrm{rek}_{10}^{(i)}, \mathrm{rek}_{11}^{(i)}, (\mathrm{rek}_4^{(i)},\dots,\mathrm{rek}_9^{(i)})) \stackrel{?}{=} 1. \qquad (6)$$

$$e(Ct_9^{(i)}, \hat v^{\tilde x_i}\hat z_2, \hat v^{E_v}\hat z_3) \stackrel{?}{=} e(Ct_{12}^{(i)}, \hat g),\qquad \mathrm{Ver}(Ct_{13}^{(i)}, Ct_{14}^{(i)}, (Ct_8^{(i)},\dots,Ct_{12}^{(i)})) \stackrel{?}{=} 1. \qquad (7)$$

The process can only proceed when Eq. (6) and Eq. (7) hold. Otherwise, output failure.

Decryption: Set $s_2^{(i)} = s_2^{(i)}\cdot r_1^{(i)}$. Compute
$$\frac{e(\mathrm{rek}_5^{(i)}, sk_{ID_i',0})}{e(\mathrm{rek}_6^{(i)}, sk_{ID_i',1})\cdot e(\mathrm{rek}_7^{(i)}, sk_{ID_i',2})} = \frac{e(g^{s_1^{(i)}}, \hat g_0 (\hat v^{ID_i'}\hat z_1)^r \hat t^R)}{e((v^{ID_i'} z_1)^{s_1^{(i)}}, \hat g^r)\cdot e(t^{s_1^{(i)}}, \hat g^R)} = e(g_1,\hat g_2)^{s_1^{(i)}}, \qquad (8)$$

$$\frac{e(Ct_9^{(i)}, sk_{ID_i',0})}{e(Ct_{10}^{(i)}, sk_{ID_i',1})\cdot e(Ct_{11}^{(i)}, sk_{ID_i',2})} = \frac{e(g^{s_2^{(i)}}, \hat g_0 (\hat v^{ID_i'}\hat z_1)^r \hat t^R)}{e((v^{ID_i'} z_1)^{s_2^{(i)}}, \hat g^r)\cdot e(t^{s_2^{(i)}}, \hat g^R)} = e(g_1,\hat g_2)^{s_2^{(i)}}, \qquad (9)$$

$$\theta_1^{(i)} = \mathrm{rek}_4^{(i)}\big/e(g_1,\hat g_2)^{s_1^{(i)}},\qquad \theta_2^{(i)} = Ct_8^{(i)}\big/e(g_1,\hat g_2)^{s_2^{(i)}}.$$

$\theta^{(i-1)} \,\|\, Ct_8^{(i-1)} \,\|\, Ct_9^{(i-1)} \,\|\cdots\|\, Ct_{14}^{(i-1)} \,\|\, Ct_{7,0}^{(i-1)} \,\|\, Ct_{7,1}^{(i-1)} \,\|\, \mathrm{rek}_4^{(i-1)} \,\|\, \mathrm{rek}_5^{(i-1)} \,\|\cdots\|\, \mathrm{rek}_{11}^{(i-1)}$ can be recovered as $\mathrm{SYM.Dec}(\sigma^{(i)}, H_2(\theta_2^{(i)}))$. Then calculate

$$\big(Ct_{7,0}^{(i-1)}\big)^{(H_1(\theta_1^{(i)}))^{-1}} = \big(e(g_1,\hat g_2)^{s_1^{(i-1)}}\big)^{H_1(\theta_1^{(i)})\,(H_1(\theta_1^{(i)}))^{-1}} = e(g_1,\hat g_2)^{s_1^{(i-1)}}. \qquad (10)$$

If Eq. (4) holds, $\theta_1^{(i-1)} = \mathrm{rek}_4^{(i-1)}\big/e(g_1,\hat g_2)^{s_1^{(i-1)}}$. Then calculate

$$\big(Ct_{7,1}^{(i)}\big)^{(H_1(\theta_1^{(i)}))^{-1}} = \big(e(g_1,\hat g_2)^{s_2^{(i-1)}}\big)^{H_1(\theta_1^{(i)})\,(H_1(\theta_1^{(i)}))^{-1}} = e(g_1,\hat g_2)^{s_2^{(i-1)}}. \qquad (11)$$

We can obtain $\theta_1^{(j)}$ and $\theta_2^{(j)}$ from $j = i-2$ down to $j = 1$ by using the steps above. $Ct_0 \,\|\, Ct_1 \,\|\cdots\|\, Ct_7 \,\|\, Ct_7^{(1)}$ can be recovered as $\mathrm{SYM.Dec}(\theta^{(1)}, H_2(\theta_2^{(1)}))$. Then the ciphertext can be decrypted:

$$Ct_1 \Big/ \big(Ct_7^{(i)}\big)^{(H_1(\theta_1^{(i)}))^{-1}} = e(g_1,\hat g_2)^{s_0}\cdot m \Big/ e(g_1,\hat g_2)^{s_0 H_1(\theta_1^{(i)})(H_1(\theta_1^{(i)}))^{-1}} = m. \qquad (12)$$

By using the above equation, the receivers then obtain the data they want.

6 SECURITY ANALYSIS

In this section, similar to [7], we present the detailed proof that our system is secure.

6.1 CCA Secure

CCA means the adversary has some ciphertexts and uses them in the system to obtain the corresponding plaintexts, so as to calculate the secret keys.

Theorem 1: Our scheme is secure under chosen ciphertext attacks if the P-BDH assumption holds.

Proof: Assuming that an adversary $X$ can invade our scheme through selective condition and identity chosen ciphertext attacks, we then construct $Y$, which is a reduction algorithm. Let $Y$ invade the 3-level efficient anonymous IBE introduced in [29] and $Y_1$ be a challenger of the IBE.

• $DC$: marks the authorization chain from $ID_i$ to $ID$: $(\tilde x_i \mid ID_i, \dots, ID_j, tag)$, where $tag$ means whether the chain is uncorrupted and is either ("1") or ("0"), and $i, j \in \{1, \dots, \mathrm{poly}(1^k)\}$,
• $SK$: marks the secret keys $(ID_i, sk_{ID_i})$,
• $RK$: marks the outputs of $O_{rek}$: $(ID_i, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1)$,
• $RE$: marks the outputs of $O_{re}$: $(ID_i, ID_i', \tilde x_i, Ct_{(i+1, ID_i', \tilde x_i)}, tag)$, where $tag$ means that an effective key ("1") or a randomly-chosen key ("0") generated the re-encryption ciphertext, or the ciphertext comes out with no keys.

The process is as follows:

1) Init: $X$ sends $ID^*$ along with $\tilde x_i^*$ to $Y$, then $Y$ sends them on to $Y_1$ along with the $E_{v2}^*$ chosen by itself.

2) Setup: $Y_1$ sends $Y$ the primary public key $ppk = (g, \hat g, g_1, v, z_1, z_2, z_3, t, \hat g_2, \hat z_2, \hat z_3, \hat v, (\mathrm{Sig.KGen}, \mathrm{Sign}, \mathrm{Ver}))$. $Y$ chooses two target collision resistant hash functions $H_1, H_2$ and a one-time key encryption $\mathrm{SYM}$. $Y$ inserts the above parameters into $ppk$ and sends on the new $ppk$ to $X$.

3) Phase 1: $X$ releases a set of problems $O_{sk}, O_{rek}, O_{re}, O_{dec}$:

$O_{sk}(ID)$: If there exists $(ID, sk_{ID})$ in $SK$, $Y$ sends $sk_{ID}$ to $X$. Otherwise, there are two conditions:
• If $ID$ is contained in the $(\tilde x_i^* \mid ID^*, \dots, 1) \in DC$, or $ID^* = ID$, $Y$ outputs false.
• Otherwise, $Y$ sends the problem to the IBE in [29] to get the secret key, and then sends it to $X$. $Y$ finally inserts $(ID, sk_{ID})$ into $SK$.

$O_{rek}(ID_i, ID_i', \tilde x_i)$: If there exists $(ID, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1^{(i)}, *)$ in $RK$, $Y$ sends $\mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}$ to $X$. Otherwise, there are four conditions:
• If either $ID^* = ID_i$ holds or $ID_i$ is contained in the $(\tilde x_i^* \mid ID^*, \dots, 1) \in DC$, and $ID_i'$ is contained in the $(\tilde x_i^* \mid ID^*, \dots, 1) \in DC$, where $\tilde x_i^* = \tilde x_i$, $Y$ outputs false.
• If $ID^* = ID_i$ and $ID_i'$ is contained in the $(\tilde x_i^* \mid ID^*, \dots, 1) \in DC$, $Y$ sets $\mathrm{rek}_0^{(i)} = \sigma_1$, $\mathrm{rek}_1^{(i)} = \sigma_2$, $\mathrm{rek}_3'^{(i)} = \sigma_4$, $\mathrm{rek}_3^{(i)} = \sigma_4$, where $\sigma_1, \sigma_2, \sigma_3, \sigma_4 \in_R G_2$ and $\tilde x_i^* = \tilde x_i$. $Y$ carries on the rest as introduced above, sends the key for re-encryption to $X$ and inserts $(ID, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1^{(i)}, 0)$ into $RK$.
• If $ID^* = ID_i$ and $\tilde x_i^* \ne \tilde x_i$, $Y$ obtains $sk_{ID}$ by inputting $ID = (ID^*, \tilde x_i)$ to $O_{extract}$. $sk_{ID}$ is similar
to $(\mathrm{rek}_0^{(i)})^{H_1(\theta_1^{(i)})^{-1}}, (\mathrm{rek}_1^{(i)})^{H_1(\theta_1^{(i)})^{-1}}, (\mathrm{rek}_2^{(i)})^{H_1(\theta_1^{(i)})^{-1}}, (\mathrm{rek}_3^{(i)})^{H_1(\theta_1^{(i)})^{-1}}$. $Y$ implements the same steps as in the above part to get the rest of the key for re-encryption and then inserts $(ID, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1^{(i)}, 1)$ into $RK$.
• Otherwise, $Y$ sends $ID_i$ to $O_{extract}$ to get $sk_{ID_i}$, uses steps similar to those above to produce the key for re-encryption and sends it to $X$. Finally, $Y$ inserts $(ID_i, sk_{ID_i})$ into $SK$ and $(ID, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1^{(i)}, 1)$ into $RK$.

$O_{re}(ID_i, ID_i', \tilde x_i, Ct_{i, ID_i, \tilde x_i})$:
• If the first condition in $O_{rek}(ID_i, ID_i', \tilde x_i)$ is not satisfied, $Y$ obtains the key for re-encryption by using the similar steps in b) and gets the ciphertext by using the key. $Y$ sends the ciphertext to $X$ and inserts $(ID, ID_i', \tilde x_i, \mathrm{rek}_{\tilde x_i, ID_i \to ID_i'}, \theta_1^{(i)}, 1)$ into $RK$ and $(ID, ID_i', \tilde x_i, Ct_{(i+1, ID_i', \tilde x_i)}, *)$ into $RE$.
• Otherwise:
If $i = 1$, $Y$ outputs false if Eq. (3) does not hold. Otherwise, $Y$ sends $(ID_i, \tilde x_i, E_v, Ct_{1, ID_i, \tilde x_i})$ to the $O_{decrypt}$ of the IBE in [29] for decryption to get the message. With the message already known, $Y$ can restore $E_0 = e(g_1, \hat g_2)^{s_0}$ and calculate $Ct_7^{(1)} = E_0^{H_1(\theta_1^{(1)})}$. $Y$ can also implement the encryption $\sigma_1$ with $\theta_1$, and get the ciphertext $Ct_8^{(1)}, \dots, Ct_{15}^{(1)}$ and $\mathrm{rek}_4^{(1)}, \dots, \mathrm{rek}_{15}^{(1)}$ of $ID_i'$ to ensure that $\theta_2^{(1)}$ and $\theta_1^{(1)}$ remain under cover, where $\theta_1^{(1)}, \theta_2^{(1)} \in_R G_T$. $Y$ sends the ciphertext to $X$ and inserts $(ID_i, ID_i', \tilde x_i, Ct_{(2, ID_i', \tilde x_i)}, false)$ into $RE$.
If $i \ge 2$, $Y$ outputs false when Eq. (4) and Eq. (5) do not hold. Otherwise, $Y$ re-encrypts the ciphertext by using a method similar to the above part. Note that the way to produce $Ct_{7,0}^{(i)}, Ct_{7,1}^{(i)}$ is just like the way to produce $Ct_7^{(i)}$.

$O_{dec}(ID_i, \tilde x_i, Ct_{i, ID_i, \tilde x_i})$: $Y$ outputs false if $Ct_{i, ID_i, \tilde x_i}$ is a derivative of the ciphertext to be challenged. $Y$ can distinguish any derivatives because it has access to $O_{decrypt}$.
If $i = 1$, that means $Ct_{i, ID_i, \tilde x_i}$ has not been re-encrypted and is a 1-level ciphertext. $Y$ outputs false if Eq. (3) does not hold. Otherwise, $Y$ continues with the following steps.
I) If $(ID_i, sk_{ID_i}) \in SK$, $Y$ can decrypt the ciphertext to obtain the message $m$ by using $sk_{ID_i}$.
II) Otherwise, $Y$ sends $((ID_i, \tilde x_i, E_v), Ct_{1, ID_i, \tilde x_i})$ to $O_{decrypt}$ to get $m$.
If $i \ge 2$, that means $Ct_{i, ID_i, \tilde x_i}$ has been re-encrypted. $Y$ outputs false if Eq. (6) and Eq. (7) do not hold. Otherwise, $Y$ continues with the following steps.
I) If $\tilde x_i^* = \tilde x_i$ and $ID^* = ID_i$, $Y$ sends $ID = (ID^*, \tilde x_i^*, E_v^{(i)})$ to $O_{extract}$ to get $sk_{ID}$. Then $Y$ can restore $\theta_1^{(i)}, \theta_2^{(i)}$ and the message $m$.
II) Otherwise, $Y$ sends $(\mathrm{rek}_4^{(i)}, \dots, \mathrm{rek}_{11}^{(i)}), (Ct_8^{(i)}, \dots, Ct_{15}^{(i)})$ to $O_{extract}$ to get $\theta_1^{(i)}, \theta_2^{(i)}$, and uses them to restore $\theta_1^{(i)}, \theta_2^{(i)}$, where $1 \le i \le i-1$, from the largest index down to the smallest. Then $Y$ uses $\theta_1^{(1)}$ to work out $E_0$ and $\theta_2^{(1)}$ to restore $(Ct_0, \dots, Ct_7)$, and finally obtains $m$.

Therefore, our system can resist chosen ciphertext attacks.

6.2 Collusion Attacks Secure

A collusion attack means the adversary colludes with the data receivers, so that he can compromise the secret key through the corrupted receivers.

Theorem 2: Our scheme can resist collusion attacks.

Proof: Suppose the adversary $X$ has obtained the re-encryption keys $\mathrm{rek}_{\tilde x_i, ID^* \to ID_i'}$ and $\mathrm{rek}_{\tilde x_i, ID_i' \to ID_i''}$, where $\tilde x_i$ does not represent the condition to be challenged, and $ID_i'$ is honest while $ID_i''$ is not. We assume that our system cannot resist collusion attacks; then $X$ may be a threat to $sk_{ID'}$ because it knows $sk_{ID''}$ and $\mathrm{rek}_{\tilde x_i, ID_i' \to ID_i''}$ from the corrupted $ID_i''$. $X$ then tries to obtain $sk_{ID^*}$ once it gets $sk_{ID'}$ and $\mathrm{rek}_{\tilde x_i, ID^* \to ID_i'}$. With the ciphertext $Ct_{i^*, ID^*, \tilde x_i^*}$, the adversary $X$ is able to use $sk_{id^*}$ to recover the value of the bit $b$.

As to the pre-authentication process, users use several pseudonyms to generate commitments representing the same attribute, making the adversary confused about the relationship between the fake identities and the commitments. Hereto, collusion attacks fail, showing that our system can resist collusion attacks.

6.3 Anonymous Ciphertexts

Theorem 3: Our scheme can realize the anonymity of the ciphertexts if the P-BDH assumption holds.

Proof:
Init: The adversary $X$ sends $ID_0^*$ and $ID_1^*$ to $Y$, then $Y$ transmits $ID_b^*$ to $Y_1$, where $b \in \{0, 1\}$. The rest of the process is the same as that in the proof of Theorem 1.
Set up and Phase 1 are just the same as in the proof of Theorem 1.
Challenge: If $X$ decides that Phase 2 is finished, $X$ sends $m$ to $Y$. Then $Y$ makes a random choice from the data space and gets $m'$. Set $m_1 = m$ and $m_0 = m'$, transmit $m_0, m_1$ to $Y_1$, and get back the ciphertext $Ct_{1, ID_b^*, \tilde x_i^*}$ in order to obtain $m_b$ from $Y_1$, where $b \in \{0, 1\}$. $Y$ sends $Ct_{1, ID_b^*, \tilde x_i^*}$ to $X$.
Phase 2: The process is the same as that in the proof of Theorem 1.
Guess: No matter what $X$ outputs, $Y$ outputs the same content.
Therefore, our system realizes the anonymity of the ciphertexts.

6.4 Anonymous Re-encryption Keys

Theorem 4: Our scheme can realize the anonymity of the re-encryption keys if the P-BDH assumption holds.

Proof: Assume that the adversary $X$ is able to break the anonymity of the re-encryption keys.
Init: The adversary $X$ sends $ID'$ and $ID_1^*$ to $Y$, then $Y$ transmits $ID^*$ to $Y_1$. The rest of the process is the same as that in the proof of Theorem 1.
Set up: The process is the same as that in the proof of Theorem 1.

Phase 1: $X$ can query $O_{sk}, O_{rek}, O_{re}, O_{dec}$, and the process is the same as that in the proof of Theorem 1.
Challenge: If $X$ decides to finish Phase 1, $Y$ randomly chooses a number $b$ from $\{0, 1\}$.
If $b = 0$: $Y$ sets $\mathrm{rek}_0^{(i)} = \sigma_1^{H_1(\theta_{1,b}^{(i)})}, \dots, \mathrm{rek}_4^{(i)} = \sigma_4^{H_1(\theta_{1,b}^{(i)})}$. Then $Y$ sends $\theta_{1,0}^{(i)}, \theta_{1,1}^{(i)} \in_R G_T$ to $Y_1$ and gets back $\mathrm{rek}_4^{(i)}, \dots, \mathrm{rek}_{11}^{(i)}$ to obtain $\theta_{1,b}^{(i)}$. The remaining parts of the re-encryption key are produced by $Y$ in the same way as in the actual scheme.
If $b = 1$: $Y$ can obtain $sk_{ID'}$ from $O_{extract}$. The re-encryption key generation of $\mathrm{rek}_{\tilde x_i^*, ID' \to ID^*}$ is conducted just the same as in the condition $b = 0$, apart from the fact that the parts which are produced as in the real scheme are $\mathrm{rek}_0^{(i)}, \mathrm{rek}_1^{(i)}, \mathrm{rek}_2^{(i)}, \mathrm{rek}_3^{(i)}$. $X$ gets $\mathrm{rek}_{\tilde x_i^*, ID' \to ID^*}$ from $Y$.
Phase 2: The process is the same as Phase 1.
Guess: No matter what $X$ outputs, $Y$ outputs the same content.
Therefore, our system realizes the anonymity of the re-encryption keys.

6.5 Security of Pre-Authentication

For the security of the attributes, users can only use the commitments of the qualified attributes for the verification process. Unless the original data of the attributes is leaked directly, we can ensure that the adversaries cannot obtain the private information. We aim to achieve anonymity of the attributes, that is to say, to remove the linkages between the attributes and identities. Our pre-authentication scheme applies random commitments of attributes, so the adversaries cannot find the linkage between attributes and identities. What's more, the commitments produced from the same attributes are independent, which prevents the adversaries from getting attributes from specific users. The pre-authentication scheme can resist tracing attacks. Once an adversary wants to launch tracing attacks, he will need enough information to identify a real identity. By using random numbers in commitments, our scheme can resist this kind of attack. The adversary cannot use a fake identity in the system; otherwise, he is not able to pass the verification. Even if we assume the authentication passes, the adversary will not keep generating commitments by using the same random number, thus our scheme is tracing attack-secure.

The pre-authentication technique can verify the users' attributes before the data communication, which means both data providers and receivers can authenticate the attributes of the opposite side. This protects users' privacy from being leaked out. For example, what the data provider wants to share contains some information about some kind of disease, and he just wants to share it with people who have the same disease. If others who do not have the disease learn the data, privacy may be leaked out, and they will know what kind of disease the provider has. On the other hand, the provider may not have the disease, but want to share data with people who have it. These people do not want healthy ones to know their physical conditions, but if the healthy ones receive the data, privacy will be leaked out, so the authentication of both data providers' and receivers' attributes can further protect their privacy. As to attribute privacy, the process of verification and comparison only has connections with the relevant attribute and values. The adversary cannot obtain the specific attribute because the plaintexts of the attributes were not leaked out. Since the commitments of the attribute values and the pseudonyms are random, the adversary cannot find out the relations between identities and attributes. Users' attributes are protected.

7 CONCLUSION

In this paper, we realize multi-sharing, anonymous and CCA-secure data sharing in the big data context. Furthermore, we propose a new notion called pre-authentication in the proxy re-encryption system, which can ensure that only users whose attributes have been verified are permitted to obtain the data, and provides good protection for the private attributes. The pre-authentication function greatly facilitates the needs of the users. Besides, we prove that users' data, identities and attributes are protected, and that the pre-authentication process enhances the security of the system. To the best of our knowledge, we are the first to propose the concept of pre-authentication in this aspect.

8 ACKNOWLEDGEMENT

This work is supported by NSFC (61572262, 61533010, 61373135, 61571233, 61532013); National China 973 Project (2015CB352401); the NSF of Jiangsu Province (BK20141427); The Qinlan Project of Jiangsu Province; China Postdoctoral Science Foundation.

REFERENCES

[1] X. Boyen and B. Waters, "Anonymous hierarchical identity-based encryption (without random oracles)," Advances in Cryptology (Lecture Notes in Computer Science), vol. 4117, pp. 290–307, Aug 2006.
[2] X. Liu, X. Xie, K. Li, B. Xiao, J. Wu, H. Qi, and D. Lu, "Fast tracking the population of key tags in large-scale anonymous RFID systems," IEEE/ACM Transactions on Networking, vol. 25, no. 1, pp. 278–291, 2017.
[3] K. R. M. Li, S. Yu and W. Lou, "Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings," Security and Privacy in Communication Networks, International ICST Conference, SECURECOMM, pp. 89–106, 2010.
[4] E. H. J. Benaloh, M. Chase and K. Lauter, "Patient controlled encryption: Ensuring privacy of electronic medical records," ACM Cloud Computing Security Workshop, pp. 103–114, 2009.
[5] G. B. M. Blaze and M. Strauss, "Divertible protocols and atomic proxy cryptography," Advances in Cryptology, pp. 127–144, 1998.
[6] M. Green and G. Ateniese, "Identity-based proxy re-encryption," Applied Cryptography and Network Security (Lecture Notes in Computer Science), vol. 4521, pp. 288–306, 2007.
[7] W. S. K. Liang and J. Liu, "Privacy-preserving ciphertext multi-sharing control for big data storage," IEEE Transactions on Information Forensics and Security, vol. 10, no. 8, Aug 2015.
[8] J. S. L. Guo, C. Zhang and Y. Fang, "A privacy-preserving attribute-based authentication system for mobile health networks," IEEE Transactions on Mobile Computing, vol. 13, no. 9, Sep 2014.
[9] K. Wang, Y. Shao, L. Shu, G. Han, and C. Zhu, "LDPA: A local data processing architecture in ambient assisted living communications," IEEE Communications Magazine, vol. 53, no. 1, pp. 56–63, Jan 2015.
[10] K. Wang, J. Mi, C. Xu, Q. Zhu, L. Shu, and D. J. Deng, "Real-time load reduction in multimedia big data for mobile Internet," ACM Transactions on Multimedia Computing, Communications and Applications, vol. 12, no. 5s, Article 76, Oct 2016.
[11] K. Wang, Y. Shao, L. Shu, Y. Zhang, and C. Zhu, "Mobile big data fault-tolerant processing for ehealth networks," IEEE Network, vol. 30, no. 1, pp. 1–7, Jan 2017.
[12] X. Liu, K. Li, J. Wu, A. X. Liu, X. Xie, C. Zhu, and W. Xue, "TOP-k Queries for Multi-category RFID Systems," Proc. of IEEE INFOCOM, 2016.
[13] K. Wang, Y. Wang, X. Hu, Y. Sun, D. J. Deng, A. Vinel, and Y. Zhang, "Wireless big data computing in smart grid," IEEE Wireless Communications, vol. 24, no. 2, pp. 58–64, Apr 2017.
[14] X. Liu, K. Li, G. Min, K. Lin, B. Xiao, Y. Shen, and W. Qu, "Efficient Unknown Tag Identification Protocols in Large-Scale RFID Systems," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 12, pp. 3145–3155, 2014.
[15] K. Wang, L. Zhuo, Y. Shao, D. Yue, and K. F. Tsang, "Toward distributed data processing on intelligent leakpoints prediction in petrochemical industries," IEEE Transactions on Industrial Informatics, vol. 12, no. 6, pp. 2091–2102, Dec 2016.
[16] K. Wang, X. Qi, L. Shu, D. J. Deng, and J. J. Rodrigues, "Toward trustworthy crowdsourcing in social internet of things," IEEE Wireless Communications, vol. 30, no. 5, pp. 30–36, Oct 2016.
[17] K. Wang, M. Du, Y. Sun, A. Vinel, and Y. Zhang, "Attack detection and distributed forensics in machine-to-machine networks," IEEE Network, vol. 30, no. 6, pp. 49–55, Nov 2016.
[18] L. Wei, H. Zhu, Z. Cao, X. Dong, W. Jia, Y. Chen, and A. Vasilakos, "Security and privacy for storage and computation in cloud computing," Information Sciences, vol. 258, pp. 371–386, Feb 2014.
[19] H. Zhu, S. Du, Z. Gao, M. Dong, and Z. Cao, "A probabilistic misbehavior detection scheme toward efficient trust establishment in delay-tolerant networks," IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 1, pp. 22–32, Jan 2014.
[20] M. Mambo and E. Okamoto, "Proxy cryptosystems: Delegation of the power to decrypt ciphertexts," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 80, no. 1, pp. 54–63, 1997.
[21] S. G. S. Yu and I. Stojmenovic, "Fool me if you can: Mimicking attacks and anti-attacks in cyberspace," IEEE Transactions on Computers, vol. 64, pp. 139–151, 2015.
[22] K. Wang, M. Du, D. Yang, C. Zhu, J. Shen, and Y. Zhang, "Game theory-based active defense for intrusion detection in cyber-physical embedded systems," ACM Transactions on Embedded Computing Systems, vol. 16, no. 1, Article 18, Oct 2016.
[23] K. Wang, L. Yuan, T. Mizayaki, Y. Sun, and S. Guo, "Anti-eavesdropping with selfish jamming in wireless networks: a Bertrand game approach," IEEE Transactions on Vehicular Technology, vol. PP, no. 99, pp. 1–1, 2016.
[24] C. Chu and W. Tzeng, "Identity-based proxy re-encryption without random oracles," Information Security (Lecture Notes in Computer Science), vol. 4779, pp. 189–202, 2007.
[25] K. B. G. Ateniese and S. Hohenberger, "Key-private proxy re-encryption," Topics in Cryptology-CT-RSA (Lecture Notes in Computer Science), vol. 5473, pp. 279–294, 2009.
[26] P. L. J. Shao and Y. Zhou, "Achieving key privacy without losing CCA security in proxy re-encryption," Journal of Systems and Software, vol. 85, no. 3, pp. 655–665, 2011.
[27] G. W. J. Shao, P. Liu and Y. Ling, "Anonymous proxy re-encryption," Security and Communication Networks, vol. 5, no. 5, pp. 439–449, May 2012.
[28] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," Advances in Cryptology-CRYPTO, pp. 213–229, 2001.
[29] L. Ducas, "Anonymity from asymmetry: New constructions for anonymous HIBE," Topics in Cryptology-CT-RSA (Lecture Notes in Computer Science), vol. 5985, pp. 148–164, 2010.
[30] M. Bellare and S. Shoup, "Two-tier signatures, strongly unforgeable signatures, and Fiat-Shamir without random oracles," Public Key Cryptography (Lecture Notes in Computer Science), vol. 4450, pp. 201–216, 2007.
[31] R. Cramer and V. Shoup, "Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack," SIAM Journal on Computing, vol. 33, no. 1, pp. 167–226, Jan 2004.
[32] D. Boneh and X. Boyen, "Efficient selective-ID secure identity-based encryption without random oracles," Advances in Cryptology-EUROCRYPT, pp. 223–238, 2004.
[33] S. H. R. Canetti and J. Katz, "Chosen-ciphertext security from identity-based encryption," Advances in Cryptology-EUROCRYPT, pp. 207–222, 2004.

Jiahui Yu received his B.S. degree from Nanjing University of Posts and Telecommunications, China, in 2017, where he is currently pursuing the M.S. degree with the College of Internet of Things. His current research interests are mainly in the area of big data, information security technologies and networking.

Kun Wang received the B.Eng. and Ph.D. degrees in the School of Computer, Nanjing University of Posts and Telecommunications, Nanjing, China, in 2004 and 2009, respectively. From 2013 to 2015, he was a Postdoc Fellow in the Electrical Engineering Department, University of California, Los Angeles (UCLA), CA, USA. In 2016, he was a Research Fellow in the School of Computer Science and Engineering, the University of Aizu, Aizu-Wakamatsu City, Fukushima, Japan. He is currently a Research Fellow in the Department of Computing, the Hong Kong Polytechnic University, Hong Kong, China, and also an Associate Professor in the School of Internet of Things, Nanjing University of Posts and Telecommunications, Nanjing, China. His current research interests are mainly in the area of big data, wireless communications and networking, smart grid, energy Internet, and information security technologies.

Xiulong Liu received the B.E. degree from the School of Software Technology, Dalian University of Technology, China, in 2010, and the Ph.D. degree from the School of Computer Science and Technology, Dalian University of Technology, China, in 2016. He was a visiting scholar with the Department of Computer and Information Sciences, Temple University, USA, in 2015, and a Postdoctoral Fellow with the School of Computer Science and Engineering, the University of Aizu, Japan, in 2016. Currently, he is a Postdoctoral Fellow with the Department of Computing, The Hong Kong Polytechnic University. His research interests include wireless sensing, ubiquitous computing, internet of things, etc.

Song Guo received his Ph.D. in computer science from the University of Ottawa. He is currently a full professor at the Department of Computing, The Hong Kong Polytechnic University. Prior to joining PolyU, he was a full professor with the University of Aizu, Japan. His research interests are mainly in the areas of cloud and green computing, big data, wireless networks, and cyber-physical systems. He has published over 300 conference and journal papers in these areas and received multiple best paper awards from IEEE/ACM conferences. His research has been sponsored by JSPS, JST, MIC, NSF, NSFC, and industrial companies. Dr. Guo has served as an editor of several journals, including IEEE TPDS, IEEE TETC, IEEE TGCN, IEEE Communications Magazine, and Wireless Networks. He has been actively participating in international conferences as general chair and TPC chair. He is a senior member of IEEE, a senior member of ACM, and an IEEE Communications Society Distinguished Lecturer.
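Worked example for Sections 5.1 to 5.5 (added here; this is not code from the paper or its authors). It traces the credential check of Section 5.3.2, $e(a, \hat g_2\tilde v)\,e(\hat g_1, b) = \tau$, and one hop of the proxy re-encryption chain: encryption (5.1), the re-encryption key (TABLE 4, entries $\mathrm{rek}_0$ to $\mathrm{rek}_7$), the proxy's $Ct_7^{(1)}$ (5.4, $i = 1$), and decryption both by the original key holder (5.5, $i = 1$) and by the delegatee through Eqs. (8) and (12). The pairing groups are modelled "in the exponent": every element is stored as its discrete log modulo a toy prime $Q$, so the example has no security whatsoever and serves only to check that the scheme's identities hold. $Q$, the SHA-256 stand-in for $H_1$, the master key $\hat g_0 = \hat g^{\alpha\beta}$ (chosen so that $e(g,\hat g_0) = e(g_1,\hat g_2)$) and all function names are assumptions made here, and the signature and SYM.Enc parts are left out. The denominator of the proxy step is taken as the product $e(Ct_3,\mathrm{rek}_2)\,e(Ct_4,\mathrm{rek}_3)$, the form Eq. (8) uses. Beyond the text, the example also exercises the two failure cases a verifier cares about: a credential formed without $\hat v$ is rejected, and a receiver holding a key for a different identity does not recover $m$.

```python
# Added example, not from the paper: toy "in-the-exponent" model of the pairing
# algebra in Sections 5.1-5.5.  Every group element is stored as its discrete log
# (an int mod Q) w.r.t. fixed generators g, ĝ and e(g,ĝ): the group law is addition,
# exponentiation is multiplication and the pairing multiplies exponents.  Logs are
# visible, so this has no security; it only checks the scheme's identities.
# Sign/Ver and the SYM.Enc envelope are omitted; Q, H1 and all names are constructed.
import hashlib
import secrets

Q = 2**127 - 1                                       # prime group order (toy choice)

def rand(): return secrets.randbelow(Q - 1) + 1      # uniform element of Z_q^*
def mul(a, b): return (a + b) % Q                    # group multiplication  x*y
def power(a, k): return (a * k) % Q                  # exponentiation        x^k
def div(a, b): return (a - b) % Q                    # division              x/y
def pair(a, b): return (a * b) % Q                   # e(g^a, ĝ^b) = e(g,ĝ)^{ab}

def h1(theta):                                       # H1: GT -> Z_q^* (SHA-256 stand-in)
    return int.from_bytes(hashlib.sha256(str(theta).encode()).digest(), "big") % (Q - 1) + 1

def show_credential(g1h, g2h, v_tilde, v_hat):
    """Section 5.3.2: (a, b) := (ĝ1^{-ĉ}, (ĝ2 ṽ)^ĉ v̂) for a fresh ĉ; needs the secret v̂."""
    c = rand()
    return power(g1h, -c), mul(power(mul(g2h, v_tilde), c), v_hat)

def verify_credential(g1h, g2h, v_tilde, tau, a, b):
    """Section 5.3.2 check: e(a, ĝ2 ṽ) e(ĝ1, b) == τ."""
    return mul(pair(a, mul(g2h, v_tilde)), pair(g1h, b)) == tau

def setup():
    """Public parameters of Section 5.1 in the toy model; ĝ0 = ĝ^{αβ} is an assumption."""
    alpha, beta = rand(), rand()                     # g1 = g^α, ĝ2 = ĝ^β
    pp = {"g": 1, "gh": 1, "g1": alpha, "g2h": beta,
          "v": rand(), "z1": rand(), "z2": rand(), "t": rand()}
    msk = (alpha * beta) % Q                         # log of ĝ0, so e(g, ĝ0) = e(g1, ĝ2)
    return pp, msk

def keygen(pp, msk, ID):
    """sk_ID = (ĝ0 (v̂^ID ẑ1)^r t̂^R, ĝ^r, ĝ^R), the key shape used in Section 5.5."""
    r, R = rand(), rand()
    sk0 = mul(msk, mul(power(mul(power(pp["v"], ID), pp["z1"]), r), power(pp["t"], R)))
    return sk0, power(pp["gh"], r), power(pp["gh"], R)

def encrypt(pp, ID, x_attr, m):
    """Ct1..Ct5 of Section 5.1 for identity ID and attribute secret x̃ (Ct0, Ct6, Ct7 omitted)."""
    s0 = rand()
    return {1: mul(power(pair(pp["g1"], pp["g2h"]), s0), m),
            2: power(pp["g"], s0),
            3: power(mul(power(pp["v"], ID), pp["z1"]), s0),
            4: power(pp["t"], s0),
            5: power(mul(power(pp["v"], x_attr), pp["z2"]), s0)}

def rekeygen(pp, sk_src, x_attr, ID_dst):
    """rek_0..rek_7 of TABLE 4; θ1 is blinded by e(g1,ĝ2)^{s1} inside rek_4."""
    theta1, rho, s1 = rand(), rand(), rand()
    h = h1(theta1)
    blind = power(mul(power(pp["v"], x_attr), pp["z2"]), rho)      # (v̂^{x̃} ẑ2)^ρ
    return {0: power(mul(sk_src[0], blind), h),
            1: power(power(pp["gh"], rho), h),
            2: power(sk_src[1], h),
            3: power(sk_src[2], h),
            4: mul(power(pair(pp["g1"], pp["g2h"]), s1), theta1),
            5: power(pp["g"], s1),
            6: power(mul(power(pp["v"], ID_dst), pp["z1"]), s1),
            7: power(pp["t"], s1)}

def reencrypt(ct, rek):
    """Proxy step (Section 5.4, i = 1); denominator as the product used in Eq. (8)."""
    num = div(pair(ct[2], rek[0]), pair(ct[5], rek[1]))
    return div(num, mul(pair(ct[3], rek[2]), pair(ct[4], rek[3])))  # = e(g1,ĝ2)^{s0 H1(θ1)}

def decrypt_level1(ct, sk):
    """Section 5.5, i = 1: Ct1 / [e(Ct2,sk0) / (e(Ct3,sk1) e(Ct4,sk2))] = m."""
    return div(ct[1], div(pair(ct[2], sk[0]), mul(pair(ct[3], sk[1]), pair(ct[4], sk[2]))))

def decrypt_hop(ct, ct7, rek, sk_dst):
    """Delegatee: Eq. (8) yields e(g1,ĝ2)^{s1}, hence θ1; Eq. (12) then peels Ct7 off Ct1."""
    egg_s1 = div(pair(rek[5], sk_dst[0]), mul(pair(rek[6], sk_dst[1]), pair(rek[7], sk_dst[2])))
    theta1 = div(rek[4], egg_s1)
    return div(ct[1], power(ct7, pow(h1(theta1), -1, Q)))       # exponent (H1(θ1))^{-1}

def run_demo():
    pp, msk = setup()
    x_attr = rand()                                              # attribute secret x̃
    v_tilde = power(pp["g"], x_attr)                             # credential ṽ = g^{x̃}
    g1h, g2h, v_hat = rand(), rand(), rand()                     # ĝ1, ĝ2 public; v̂ secret
    tau = pair(g1h, v_hat)                                       # τ = e(ĝ1, v̂), public
    a, b = show_credential(g1h, g2h, v_tilde, v_hat)
    a_f, b_f = show_credential(g1h, g2h, v_tilde, rand())        # forger guesses v̂
    ID_a, ID_b, ID_c = rand(), rand(), rand()
    sk_a, sk_b, sk_c = (keygen(pp, msk, i) for i in (ID_a, ID_b, ID_c))
    m = rand()
    ct = encrypt(pp, ID_a, x_attr, m)
    rek = rekeygen(pp, sk_a, x_attr, ID_b)
    ct7 = reencrypt(ct, rek)
    return {"credential_ok": verify_credential(g1h, g2h, v_tilde, tau, a, b),
            "forged_credential_rejected": not verify_credential(g1h, g2h, v_tilde, tau, a_f, b_f),
            "owner_decrypts": decrypt_level1(ct, sk_a) == m,
            "delegatee_decrypts": decrypt_hop(ct, ct7, rek, sk_b) == m,
            "wrong_identity_fails": decrypt_hop(ct, ct7, rek, sk_c) != m}
```

`run_demo()` returns a dictionary whose five values are all `True`: the proxy's output `ct7` is a blinded $e(g_1,\hat g_2)^{s_0 H_1(\theta_1)}$ that only becomes useful once $\theta_1$ is unblinded with the delegatee's key, which is the property that keeps the proxy from reading $m$, and the two negative checks show what a receiver-side verifier should expect to see when a credential or a key does not match.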
