A certificateless signcryption with proxy-encryption for securing agricultural data in the cloud

Abstract

Precision agriculture (PA) involves collecting, processing, and analyzing datasets in agriculture for an informed decision. Due to the high data storage and application maintenance costs, farmers usually outsource their agricultural data obtained from PA to cloud service providers to leverage cloud services. Nonetheless, serious security concerns arise from using cloud services for farmers. For instance, an attacker can intercept agricultural data and run comprehensive statistical analyses to adjudicate farmers’ financial status, extort money, commit identity theft, etc. As a result, compelling data security schemes have become crucial for secure precision farming, where only legitimate users are required to access the agricultural data outsourced to the cloud. This article presents a certificateless signcryption scheme with proxy re-encryption (CLS-PRE) for secure access control in PA. An in-depth security analysis proves that the CLS-PRE scheme is secure in the Random Oracle Model. Detailed performance evaluation also shows that the scheme can reduce the time required to signcrypt and unsigncrypt messages and lower communication overhead.

Keywords

Cloud computing precision agriculture proxy re-encryption access control signcryption

1. Introduction

Precision agriculture (PA) is a cutting-edge farming practice that leverages advanced technology and data analytics to optimize crop production and minimize costs, environmental degradation, and waste [8]. This approach involves collecting and analyzing multisource data with a high spatial and temporal resolution to ensure that crops and soil receive exactly what they require for optimal health and productivity. The core of PA is agricultural data, which is gathered through sensors such as GPS receivers, yield monitors, soil sensors, and weather stations. The agriculture data is used to create detailed field maps and customized plans for each field or plot, allowing farmers to make informed decisions about how best to cultivate their crops [8].

Using collaborative cloud-based platforms for exchanging agricultural data can unleash the full potential of valuable farming resources to optimize efficiency in the agricultural industry. The cloud-based platforms can facilitate the sharing of collective knowledge and improve decision-making by enabling farmers to communicate with other farmers and pertinent stakeholders about the best farming techniques, such as site-specific crop management, conservation tillage, yield mapping, and variable rate planting and fertilization. However, the platform users ought to prioritize the security of agricultural data since a cyber-attack could compromise the data’s confidentiality and integrity, which would have severe repercussions like the loss of sensitive data, financial losses, and identity theft [17]. It is paramount to safeguard the accuracy of the information in agricultural data and the privacy of farmers by maintaining the confidentiality and integrity of farming data.

One savvy solution that can help to protect the confidentiality and integrity of agricultural data in collaborative data-sharing platforms is the use of certificateless signcryption [1,3,4]. This cryptographic primitive allows a sender to sign and encrypt a message in a single logical step, providing both authenticity and confidentiality at a lower cost than the traditional separate encryption and signature schemes. Certificateless signcryption also reduces the reliance on a single trusted authority, making it more resistant to attacks and tampering [4]. For instance, a certificate authority (CA) is responsible for issuing and managing certificates in traditional public key encryption schemes, which can be a potential point of vulnerability. However, in certificateless signcryption, the KGC (Key Generation Center) and users work together to generate a shared key for secure communication. The KGC computes one portion of the key while each user independently generates the other half. This shared key is then used to signcrypt (encrypt-then-sign) and unsigncrypt (decrypt-then-verify) messages, eliminating the need for a central authority to manage certificate distribution and authenticate users. As depicted in Fig. 1, unmanned aerial vehicles (UAVs), sensors, and network modules generate real-time data on a farm and transmit it to a trusted edge server. To guarantee data security, the garnered data on the edge server is signcrypted (encrypted-then-signed) under the public key of an AI data analyzer before the resultant ciphertext is outsourced to the cloud service provider (CSP) for model training and analysis. The problem is as follows: How can the data owner (DO) securely share the outsourced ciphertext with a researcher concerned with maximizing agricultural productivity while minimizing environmental degradation?

Fig. 1.

Data sharing scenario in precision agriculture.

Certificateless-based signcryption primitives can solve the key escrow problem, in which the private key generator uses archive keys to decrypt ciphertext without authorization. However, a traditional certificateless-based scheme is unsuitable as the delegator has to download the data from the cloud server before it can be unsigncrypted and re-encrypted with the new user’s public key to grant the user access to the data. This process can result in high computation and communication overhead, negating the benefits of cloud-based data sharing [1,3]. One effective solution is using proxy re-encryption [10], in which a “proxy” party acts as an intermediary between the sender and receiver of the encrypted data. The proxy server performs the re-encryption process on behalf of the sender without being able to read or access the data itself. Proxy re-encryption is helpful in situations where data access needs to be granted to new users, as it allows prior signcrypted data to be transformed into a new ciphertext that can be accessed with a different set of private keys. The advantage of the proxy encryption scheme is that an authorized user, the data owner (DO), can generate a valid proxy re-encryption key to grant users access to ciphertexts without needing multiple signcryptions for each set of users.

Fig. 2.

Data sharing scenario with proxy re-encryption.

1.1. Motivation

As shown in Fig. 2, suppose Alice is a farmer who has recently adopted precision agriculture techniques. She uses sensors and drones to collect data on soil properties, crop production, water use efficiency, and analytical data to make informed decisions about her farming practices. Alice also participates in a collaborative data-sharing platform, where she shares her data with other farmers and relevant stakeholders to improve the group’s collective knowledge and decision-making.

One day, a researcher named Bob approaches Alice and requests access to her data to study the effects of different farming practices on crop yields and environmental degradation. Alice is willing to share her data, but she wants to ensure the confidentiality and integrity of her data. She does not want anyone to be able to access it without her permission.

To protect the confidentiality and integrity of an outsourced data, Alice decides to use a certificateless identity-based signcryption with proxy encryption to securely share her data with Bob. In this scheme, Alice first signcrypts her data using her own public key (identity), which provides both authenticity (verification to prove the originality of the data source) and confidentiality (protection of the data from unauthorized access). The signcrypted data is then stored in the cloud and can be re-encrypted using a proxy encryption scheme.

Fig. 3.

Proxy re-encryption data sharing scenario between DO and Alice.

To grant Bob access to the data, Alice generates a proxy re-encryption key using Bob’s public key (identity) and sends it to the cloud server. The cloud server can then transform the original ciphertext (signcrypted data) into a form that Bob can decrypt with his private key. As Alice’s public key is used in computing the first level of ciphertext, she can implement fine-grained access control with proxy re-encryption for each user or group she wants to grant access to the data. When a user wants to access the data, she can use her private key to generate a proxy re-encryption key which the cloud server can use to transform the ciphertext into a form that the user can decrypt. Figure 3 illustrates the proxy re-encryption approach facilitating secure data sharing between Alice and Bob. This approach allows Alice to selectively grant access to her data to specific users or groups of users while still retaining control over who can access the data. Note that the cloud server cannot perform data transformation to grant data access to entities without legitimate authorization from Alice, as the cloud server is unaware of the private key required to generate valid proxy re-encryption keys.

The existing certificateless signcryption with proxy re-encryption (CLS-PRE) methods [1–3] have several limitations that make them unsuitable for our proposed application of agricultural data sharing. In particular, they require the presence of a ciphertext to generate a proxy re-encryption key, which can lead to performance bottlenecks. This means that the data owners (DOs) cannot pre-generate proxy re-encryption keys for a set of users that they want to grant access to a ciphertext. Additionally, each proxy re-encryption key is bound to a specific ciphertext, so it is impossible to generate a single key that can transform multiple ciphertexts. This can be cumbersome and inefficient when many ciphertexts need to be transformed. To address these limitations, we propose a new scheme that allows for the generation of proxy re-encryption keys before or after ciphertexts have been created. Our scheme is based on the standard notion of proxy re-encryption, as introduced by Blaze et al. [10] and has been tailored specifically for use in a cloud-based collaborative data-sharing context. The absence of bilinear pairing in the scheme makes it lightweight and cost-effective for PA applications.

We summarize our contributions as follows:

We propose a certificateless identity-based signcryption with a proxy re-encryption (CLS-PRE) scheme and provide the security proof in the Random Oracle Model (ROM).

The proposed scheme is not based on bilinear pairing, a highly computation-intensive operation in cryptographic constructions. This makes the scheme lightweight for resource constraints environments such as PA. The proposed scheme’s novelty is the pairing-free operation without key escrow issues and a proxy re-encryption key without any ciphertext component. None of the existing CLS-PRE schemes has achieved these properties.

We provide system architecture for PA and demonstrate the communication process required in the system to achieve data security.

Our security analysis indicates that the proposed CLS-PRE scheme maintains authentication, integrity, non-repudiation, and confidentiality while eliminating the key escrow vulnerability.

We conduct comprehensive performance evaluations to show that the proposed CLS-PRE scheme achieves relatively fewer communication and computation costs when compared to other CLS-PRE schemes applicable to PA.

1.2. Paper organization

The rest of the paper is organized as follows. Related works are shown in the Section 2. The important theories and hard mathematical problems applied in the work are briefly reviewed in Section 3. Section 4 shows the system overview and the detailed implementation of the proposed scheme. Security analysis for the system is presented in Section 6. Performance evaluation of the proposed scheme is done in Section 7. Finally, we give a brief conclusion in Section 8.

2. Related works

2.1. Data access control schemes

As cloud-based data-sharing continues to evolve, various cryptographic schemes have been proposed to provide secure access control. Two cryptographic primitives that have received significant attention in this context are “signcryption” and “proxy re-encryption” (PRE).

Signcryption combines digital signature and public-key encryption, providing non-repudiation, authentication, confidentiality, and integrity at a lower cost than traditional methods such as sign-then-encrypt or encrypt-then-sign [32]. In 2002, Malone-Lee [25] constructed an identity-based signcryption (IBSC) scheme that applies to resource-constrained devices due to low computation cost. However, the IBSC scheme depends on a private key generator (PKG) to generate private keys for all the system users. As such, the scheme suffers from a key escrow inherent, as the PKG can access the private keys of all system users, decrypt every ciphertext, and forge signatures for any system user. To address the key escrow issue in the IBSC of [22,25,37], Barbosa et al. [7] introduced the concept of “certificateless signcryption” (CLSC). The certificateless technique improves the efficiency and security of signcryption cryptographic schemes by eliminating the need for certificate maintenance and verification. It simplifies system design and improves scalability while reducing the risk of security breaches associated with a rogue certificate authority. However, the certificateless signcryption schemes in [14,41,42] do not appear relevant to our application scenario as they do not support proxy re-encryption functionality.

The benefit of PRE (Proxy Re-Encryption) is that it enables secure data sharing with multiple users by re-encrypting the data with their public keys, without the need to download it from the cloud server, thereby reducing data transfer costs. Due to the cost-effectiveness of PRE, it has been used in identity-based cryptography to construct identity-based proxy re-encryption (IB-PRE) schemes [7,45]. The IB-PRE schemes are a variant of traditional proxy re-encryption (PRE) schemes that use an identity string instead of a public key to determine who is authorized to decrypt the ciphertext. Hence, they do not have certificate management issues. However, the key escrow issue is a potential drawback, as they require absolute trust in the private key generator (PKG) to safeguard all the private keys. Therefore, a malicious PKG can sell or leak the escrowed private keys to unauthorized parties, allowing them to decrypt messages meant for only the legitimate private key owner. The IB-PRE schemes such as [13,21,37] and [34] are vulnerable to key escrow attacks. Also, the scheme in [18] is mathematically incorrect, while [37] and [13] are vulnerable to adaptive chosen ciphertext attacks. The authors of [22] developed a secure identity-based signcryption (IBSC) and demonstrated that the scheme is applicable for access control in cloud computing. Likewise, [20,24,36] showed that PRE techniques can be employed in cloud computing to gain access control. However, these schemes are also vulnerable to key escrow attacks.

In addressing the key escrow vulnerability in signcryption and PRE cryptographic primitives, Ahene et al. [1–3] proposed identity-based signcryption with proxy re-encryption (CLS-PRE) for cloud-based data sharing using certificateless cryptography. Certificateless cryptography eliminates the need for certificate management by dividing the responsibility of key creation between the user and a semi-trusted entity called the Key Generation Center (KGC). This approach allows the authenticity of the keys to be verified without the use of certificates and also solves key escrow issues present in Identity based Encryption (IBE) methods by not allowing the KGC to access the user’s secret keys. However, the CLS-PRE schemes in [1–3] do not follow the standard definition of proxy re-encryption scheme introduced in [10] as elements of the ciphertext are required to generate proxy re-encryption keys. Therefore, a re-encryption key has to be generated for every ciphertext that a designator wants a delegatee to decrypt. The number of re-encryption keys created in the scheme will grow linearly with the number of ciphertexts the delegatee can access.

Furthermore, the bilinear pairing-free scheme proposed in [1] is not secure against forgery attacks, as the ciphertext component $C_{1}$ is not included in the computation of the signing element $h_{2}$ . This can allow a malicious designator to manipulate the ciphertext and deceive the delegatee into believing it is from the original encryptor.

Similarly, data access control can be accomplished through either the Attribute-based encryption(ABE) method or a combination of ABE and PRE techniques. Yu et al. [44] introduced data access control with ABE and PRE technologies. Their framework achieves adequate fine-grained access control in cloud systems. Also, the authors in [19,23,27,44] used ABE techniques to control access to data, which may be appropriate for PA as in [16,28,29], but ABE schemes have two shortcomings.

They have key escrow flaws and do not perform authentication or non-repudiation.

They are entangled with the complexity of changing access policies (i.e. revoking or adding attributes to an access structure).

Authors in [19,27] have made tremendous efforts to build ABE schemes to surmount these shortcomings. However, the resultant schemes are extremely complex and associated with high communication and computation costs due to the expressiveness of the ABE access structure.

Consequently, no existing known CCA21

¹
CCA2 (Adaptive Chosen Ciphertext Attack) is the strongest security definition for cryptographic schemes that allows the adversary to adaptively query a decryption oracle with ciphertexts of their choice.

and EUF-CMA2

EUF-CMA (Existential Unforgeability under Chosen Message Attack) is a security definition for digital signature schemes that ensures that an adversary cannot forge a signature on a message that they did not create.

secure CLS-PRE schemes are available to provide data security without requiring ciphertext components in the generation of the proxy re-encryption key with bilinear pairing free operations. The existing CLS-PRE scheme [2] in the literature relies on bilinear pairing, with the drawback of requiring ciphertext components to generate proxy re-encryption keys. Note that bilinear pairing is the most expensive operation in cryptographic algorithms.

In PA, the use of IoT devices such as sensors and drones to collect data about crops, weather, and soil conditions is prevalent. However, these devices are typically power-constrained and have limited computing capabilities, making it challenging to handle the computational load of cryptographic algorithms required to protect the sensitive agricultural data being collected. To ensure security, we offload the cryptographic operation to the edge server and provide a lightweight CLS-PRE scheme to secure the data. The proposed scheme does not rely on bilinear pairing but instead uses modular point multiplication on an elliptic curve, which is less computationally expensive. As a result, it allows the edge server to efficiently encrypt the agricultural data from these devices while reducing power consumption, ensuring faster and more efficient data processing, and preventing transmission delays and backlogs in the system.

2.2. Data security in precision agriculture

In [17,35,43], the authors identified security threats, vulnerabilities, and threat scenarios in precision agriculture. In contrast, their work presented limitations to abstracted cybersecurity solutions with no concrete construction.

Barreto and Amaral [8] presented empirical methodology to highlight security issues and challenges in smart farming. The work deliberates security challenges, including agro-terrorism, social engineering, ransomware attacks, denial of service attacks, and cyber espionage. However, they did not present concrete implementation with results. Moreover, there was no demonstration of orchestrated attacks through use cases.

Chae and Cho [12] proposed an enhanced secure device authentication algorithm in the peer-to-peer (P2P) based smart farm system. They devised a lightweight encryption and decryption method to facilitate a robust authentication solution in smart farming P2P communication. However, the certificate authority (CA) used in the scheme introduces certificate management problems into the precision agriculture architecture. The CA’s issuance, revocation, and distribution of certificates are opaque and vulnerable to attack. Like the DigiNotar attack, there have been times when a rogue CA has made fake certificates for targeted people.

West [40] provided a methodology for predicting cyber-attacks on precision agriculture to create a standard vulnerability scoring system (CVSS score) that relies on smart farming technology. Although the CVSS score has become the industry standard for determining the severity of vulnerabilities and prioritizing patches, it has some flaws. Smart farming encompasses a wide range of devices and systems linked together. The CVSS score only looks at individual weaknesses and does not consider its effect on the general system.

Ametepe et al. [5] proposed a hybrid technique for secure data transmission in an intelligent network for crop monitoring in agriculture fields by integrating asymmetric and symmetric cryptographic schemes. They designed a secure, scalable, robust, and reliable wireless sensor network to overcome the inherited limitations of storage capacity, processing power, and communication range of IoT devices. However, the scheme relies heavily on public key infrastructure and is subjected to certificate management problems. Also, the scheme does not provide the ability to perform proxy re-encryption of ciphertext. Furthermore, no concrete scheme addresses the security challenges in precision (smart) agriculture by ensuring PA’s data integrity, non-repudiation, and confidentiality while eliminating key escrow threats. Hence, we propose the use of CLS-PRE in PA to achieve the desired security properties.

3. Preliminaries

3.1. Security assumptions

Let P be a generator with prime order q. Let G be a set of points on an elliptic curve over a finite field $(E / F_{p})$ . The following hard assumptions are used in our scheme:

Elliptic curve discrete logarithm (ECDL) problem is to find the value a given $(P, aP)$ , where $P \in G$ and $a \in Z_{q}^{*}$ .

Computational Diffie–Hellman (CDH) problem in G is to find $abP$ given $(P, aP, bP)$ where $a, b \in Z_{q}^{*}$ ;

Given a random instance $(P, aP, bP, T) \in G$ for unknown $a, b \in Z_{q}^{*}$ , the decisional Diffie–Hellman (DDH) problem is to decide whether or not $T = abP \in G$ . If $T = abP \in G$ , then DDH oracle outputs TRUE, else the oracle outputs FALSE;

The gap Diffie–Hellman (GDH) problem is to compute $T = abP \in G$ with the support of DDH oracle that on the input of random instance $(aP, bP, T) \in G$ returns TRUE if $T = abP \in G$ or FALSE if otherwise.

Table 1
Descriptions of symbols and notations

Symbols Notations

CA Certificate authority

⊥ Error

s Master secret key

P Generator of G

π Security parameter

$P_{pub}$ Master public key

q Large prime number

$H_{i}$ Secured hash function, where ${i = 1, 2, 3, 4}$

$d_{ID}$ User partial private key

PP System parameters

Symbols Notations

⊕ Bitwise XOR operation

m Message

$ID$ User’s identity

$S_{ID}$ Private key

${PK}_{ID}$ Public key

$δ_{AB}$ First level ciphertext

$δ_{AE}$ Second level ciphertext

$K_{BE}$ Proxy re-encryption key

PA Precision agriculture

DO Data owner

Symbols	Notations
CA	Certificate authority
⊥	Error
s	Master secret key
P	Generator of G
π	Security parameter
$P_{pub}$	Master public key
q	Large prime number
$H_{i}$	Secured hash function, where ${i = 1, 2, 3, 4}$
$d_{ID}$	User partial private key
PP	System parameters

Symbols	Notations
⊕	Bitwise XOR operation
m	Message
$ID$	User’s identity
$S_{ID}$	Private key
${PK}_{ID}$	Public key
$δ_{AB}$	First level ciphertext
$δ_{AE}$	Second level ciphertext
$K_{BE}$	Proxy re-encryption key
PA	Precision agriculture
DO	Data owner

3.2. Syntax of CLS-PRE

The important symbols used in the CLS-PRE scheme are presented in Table 1. The general syntax of CLS-PRE comprises the following ten algorithms.

Setup: The KGC executes this algorithm with the input of a security parameter π to generate master secret key s and public parameters $pp$ , including master public key $P_{pub}$ . Finally, the system parameters $pp$ are published by the KGC. The KGC keeps its master secret key private.

SVS: This algorithm is executed by the user by taking its identity $ID$ as input to obtain a secret value $x_{ID}$ as output.

PPKE: The KGC performs this algorithm. It obtains an identity $ID$ from the user and takes its master secret key s to produce a partial private key $(d_{ID})$ for the user.

PKS: The user initiates this algorithm by using the tuple $(x_{ID}, d_{ID})$ , to derive its full private key as $S_{ID}$ .

PKG: The user performs this algorithm by taking its secret value $x_{ID}$ to establish its public key as ${PK}_{ID}$ .

SC: This algorithm is used to signcrypt messages. A sender (Alice) creates a ciphertext $δ_{AB}$ with the message m, her identifier ${ID}_{A}$ , private key $S_{A}$ , public key ${PK}_{A}$ , Bob’s (receiver) identifier ${ID}_{B}$ and his public key ${PK}_{B}$ .

PKGen: This algorithm is designed to generate proxy re-encryption keys. Bob defines the proxy re-encryption key $K_{BE}$ with his private key $S_{B}$ , along with the public key ${PK}_{E}$ and the identifier of Eve ${ID}_{E}$ .

Re-Enc: This algorithm is used to proxy re-encrypt the first level of a ciphertext $δ_{AB}$ with the proxy re-encryption key $K_{BE}$ . The proxy generates Alice and Eve a second-level ciphertext $δ_{AE}$ .

USC: This algorithm simultaneously decrypts and verifies the authenticity of a ciphertext. It is a deterministic algorithm which outputs the message m with a given inputs ${δ_{AB}, {PK}_{A}, {PK}_{B}, {ID}_{A}, {ID}_{B}, S_{B}}$ . It returns an error ⊥ when $δ_{AB}$ is false between Bob and Alice.

Dec: This algorithm is used for deciphering a ciphertext. It takes the input of $δ_{AE}$ , ${ID}_{A}$ , and ${ID}_{B}$ along with the private key of Eve $S_{E}$ and returns either m or ⊥, if it is false between Alice and Eve.

In general, the CLS-PRE scheme must be consistent. It must comply with the following: If $δ_{AB} = SC (m, S_{A}, {ID}_{A}, {PK}_{A}, {PK}_{B}, {ID}_{B})$ then $m = USC (δ_{AB}, {ID}_{A}, S_{B}, {PK}_{B}, {ID}_{B})$ . Also, if $K_{BE} = PKGen (S_{B}, {PK}_{E}, {ID}_{E})$ and $δ_{AE} = Re - Enc (δ_{AB}, K_{BE})$ , then $m = Dec (δ_{AE}, {ID}_{A}, {ID}_{B}, S_{E})$ . Here, we have omitted $pp$ for the sake of simplicity.

3.3. Security notion

First, confidentiality must be maintained in the CLS-PRE scheme against indistinguishability adaptive chosen ciphertext attack IND-CCA2. Secondly, it should retain unforgeability against adaptive chosen message attacks (EUF-CMA). We, therefore, adopt the techniques proposed in [22] and [31] for the IND-CCA2 and the EUF-CMA security analysis. We use two types of adversaries $A_{1}$ , and $A_{2}$ as in [7] with different capabilities to break the confidentiality and unforgeability of the CLS-PRE scheme. An adversary type I acts like a corrupt external user who cannot access the master secret key (MSK), but he/she is permitted to substitute a user’s public key with his or her preferred valid public key.

Moreover, a type II adversary is an honest but curious internal user like the KGC who has access to the MSK but cannot change any user’s public key. We now define the security models for the CLS-PRE scheme using a sequence of games. Finally, a challenger $C$ engages an adversary $A$ to play an interactive security game to solve the hard cryptographic problems.

3.4. Confidentiality model

To achieve IND-CCA2, we define $A_{1}$ as type I adversary while $A_{2}$ is defined as type II adversary. Furthermore, Games 1 and 2 are interactive games played between $C$ and $A_{1}$ and $A_{2}$ , respectively.

Game 1: $A_{1}$ makes interactions with $C$ as follows.

3.4.1. Setup

$C$ runs this algorithm by inputting π (a security parameter) to initialize public parameters $pp$ and issues the $pp$ to $A_{1}$ while the MSK is confidentially kept.

3.4.2. Phase 1

$A_{1}$ is permitted to initiate interaction in this phase and execute queries bounded in polynomial time.

Partial Private Key Queries: $A_{1}$ sends a request to $C$ to ask for the partial private key based on the identifier $ID$ . When $C$ receives the request, it runs the PPKE algorithm and returns $d_{ID}$ to $A_{1}$ as the partial private key.

Private Key Queries: $A_{1}$ makes queries based on the identifier $ID$ . $C$ runs PKS algorithm and then returns $S_{ID}$ to $A_{1}$ as the complete private key. Notice that $C$ can call the PKG algorithm when it deems it necessary.

Public Key Queries: $A_{1}$ makes queries based on identifier $ID$ . $C$ executes PKG algorithm and returns ${PK}_{ID}$ as the public key to $A_{1}$ .

Public Key Substitution Queries: $A_{1}$ may decide to replace a ${PK}_{ID}$ with a desired valid public key.

Proxy Key Generation Queries: $A_{1}$ can pick two different identities ${ID}_{i}$ and ${ID}_{j}$ . Firstly, $C$ runs the PKG algorithm and PKS algorithm to obtain the delegators’ public key ${PK}_{j}$ and private key $S_{i}$ , respectively. Afterwards, $C$ runs PKGen algorithm with the input of $(S_{i}, {PK}_{j}, {ID}_{j})$ and transmits ${RK}_{i \to j}$ to $A_{1}$ .

Signcryption Queries: $A_{1}$ queries with the input of triple $({ID}_{i}, {ID}_{j}, m)$ . $C$ firstly executes the PKS algorithm and PKG algorithm to obtain the private key $S_{i}$ and the sender’s public key ${PK}_{i}$ , respectively. Afterwards, $C$ runs the Signcryption algorithm with the quintuple input of $(m, S_{i}, P_{i}, {ID}_{i}, {ID}_{j})$ and transmits $δ_{i j}$ to $A_{1}$ .

Re-Encryption Queries: In this phase, $A_{1}$ inputs $δ_{i j}$ along with three identities ${ID}_{i}$ , ${ID}_{j}$ and ${ID}_{U}$ . $C$ firstly runs PKS and PKG algorithm to obtain the private key $S_{j}$ and the public key ${PK}_{U}$ , respectively. Then, $C$ obtains the proxy re-encryption key ${RK}_{j \to U}$ through the PKGen algorithm with the input of the tuple $(S_{j}, {ID}_{U})$ . Finally, $C$ calls Re-Enc algorithm with the input of the tuple $(δ_{i j}, {RK}_{j \to U})$ and transmits $δ_{i U}$ to $A_{1}$ .

Unsigncryption Queries: $A_{1}$ queries with the triple input $(δ_{i j}, {ID}_{i}, {ID}_{j})$ . $C$ initially executes the PKS algorithm and PKG algorithm for the private key $S_{j}$ and the public key ${PK}_{j}$ of the recipient, respectively. Then $C$ calls the USC algorithm with quintuple inputs $(δ_{i j}, S_{j}, {ID}_{i}, {ID}_{j})$ and transmits m to $A_{1}$ or error ⊥ if $δ_{i j}$ is invalid.

Decryption Queries: $A_{1}$ queries with the quadruple inputs $(δ_{i j}, {ID}_{i}, {ID}_{j}, {ID}_{U})$ . $C$ initially gets private key $S_{U}$ through the PKS algorithm. Then, $C$ calls Dec algorithm with the quadruple inputs $(δ_{i U}, S_{U}, {ID}_{i}, {ID}_{j})$ and transmits m to $A_{1}$ or error ⊥ if $δ_{i j}$ is invalid.

3.4.3. Challenge

$A_{1}$ may willingly abort Phase 1 and deliberately picks two targeted identifiers ${ID}_{A}$ and ${ID}_{B}$ and two messages $m_{0}$ and $m_{1}$ of the same size for which it would like to be confronted. Here, the following constraints are applied.

$A_{1}$ is forbidden to execute private key query on ${ID}_{B}$ .

$A_{1}$ is forbidden to execute the partial private key query and public key substitution query on ${ID}_{B}$ .

$A_{1}$ is forbidden to execute private key query on ${ID}_{U}$ and proxy re-encryption key query on $({ID}_{B}, {ID}_{U})$ .

3.4.4. Phase 2

Identical to Phase 1 regarding queries execution, $A_{1}$ adaptively executes several queries which are bounded in polynomial time for which these limitations apply.

$A_{1}$ is not permitted to execute private key queries on ${ID}_{B}$ .

$A_{1}$ is not permitted to execute the partial private key query and the public key substitution query on ${ID}_{B}$ .

$A_{1}$ is not permitted to execute proxy key generation queries on the tuple $({ID}_{B}, {ID}_{U})$ and also the private key query on ${ID}_{U}$ .

$A_{1}$ is not permitted to execute the unsigncryption query on the triples $(δ_{AB}, {ID}_{A}, {ID}_{B})$ , except an instance where the ${PK}_{A}$ is substituted after the challenge phase.

$A_{1}$ is not permitted to make private key and re-encryption queries on the identity ${ID}_{U}$ and quadruples $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ respectively.

$A_{1}$ cannot make re-encryption and decryption queries on the quadruples $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ which return $δ_{AU}$ and $(δ_{AU}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ , respectively, for an identity ${ID}_{U}$ .

3.4.5. Guess

$A_{1}$ guesses a bit b of $b^{'}$ and succeeds in winning the game if $b = b^{'}$ . According to this interactive game, the advantage of $A_{1}$ is defined as ${Adv}_{A}^{IND - CCA 2} = | 2 Pr [b = b^{'}] - 1 |$ , where $Pr [b = b^{'}]$ is the probability that $b = b^{'}$ .

Game 2: $C$ plays this interactive game with $A_{2}$ .

3.4.6. Setup

$C$ inputs π into this algorithm and gets the output of $pp$ and s. $C$ sends $pp$ and s to $A_{2}$ .

3.4.7. Phase 1

The execution queries between $A_{2}$ and $C$ are identical to queries in Game 1, except that $A_{2}$ knows the MSK and therefore can create a private key for any identity. Hence, it is inconsequential for $A_{2}$ to seek a partial private key from $C$ based on their identity.

3.4.8. Challenge

$A_{2}$ intentionally terminates Phase 1 and picks two identities ${ID}_{A}$ and ${ID}_{B}$ and also two messages $m_{0}$ and $m_{1}$ of the same size on which it is expected to be challenged. Here the following constraints apply:

$A_{2}$ is forbidden to execute private key query on ${ID}_{B}$ .

$A_{2}$ is forbidden to execute proxy re-encryption key query on $({ID}_{B}, {ID}_{U})$ and private key query on ${ID}_{U}$ .

3.4.9. Phase 2

Identical to Phase 1 in terms of the execution of queries. $A_{2}$ adaptatively executes several polynomially bounded queries. But with these constraints:

$A_{2}$ cannot make private key queries on ${ID}_{B}$ .

$A_{2}$ cannot perform proxy key generation queries on $({ID}_{B}, {ID}_{U})$ and also private key queries on ${ID}_{U}$ .

$A_{2}$ cannot make unsigncryption queries on the triples $(δ_{AB}, {ID}_{A}, {ID}_{A})$ .

$A_{2}$ cannot make re-encryption query on the quadruples $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ and also private queries on the identity ${ID}_{U}$ .

$A_{2}$ cannot make re-encryption query on the quadruples $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ which returns $δ_{AU}$ and decryption query on another quadruples $(δ_{AU}, {ID}_{A}, {ID}_{B}, {ID}_{U})$ for identity ${ID}_{U}$ .

3.4.10. Guess

$A_{2}$ guesses a bit b of $b^{'}$ and succeeds in winning the game if $b = b^{'}$ . According to this interactive game, the advantage of $A_{2}$ is defined as ${Adv}_{A}^{IND - CCA 2} = | 2 Pr [b = b^{'}] - 1 |$ , where $Pr [b = b^{'}]$ is the probability that $b = b^{'}$ .

Definition 1.
The CLS-PRE scheme is IND-CCA2 secure if there are no polynomially bounded adversaries $A_{1}$ and $A_{2}$ who can respectively win Game 1 and Game 2 with non-negligible advantage.

3.5. Unforgeability model

In this stage, two interactive games are played between $C$ and either $F_{1}$ or $F_{2}$ to achieve EUF-CMA. Here $F_{1}$ and $F_{2}$ are denoted as type I and II adversaries as in [7]. Here, we present Game 3, the unforgeability interactive game between $F_{1}$ and $C$ .

3.5.1. Setup

Inputting π, $C$ produces $pp$ to adversary $F_{1}$ .

3.5.2. Attack

$F_{1}$ executes a polynomially bounded number of queries as in the case of the confidentiality game.

3.5.3. Forgery

$F_{1}$ generates a triple $({ID}_{A}, {ID}_{B}, δ_{AB})$ at the end of the game and wins when the following conditions are applied:

$m = USC (δ_{AB}, {ID}_{A}, S_{B}, {ID}_{B})$ .

$F_{1}$ cannot execute private key query with ${ID}_{A}$ .

$F_{1}$ cannot execute proxy re-encryption key query on $({ID}_{A}, {ID}_{U})$ and private key query on ${ID}_{U}$ .

$F_{1}$ cannot perform partial private and public key substitution queries on ${ID}_{A}$ .

$F_{1}$ cannot execute a signcryption query on $(m, {ID}_{A}, {ID}_{U})$ that yields a ciphertext $δ_{AU}$ , if the associated decryption key $S_{U}$ is allegedly forged. Here, ${ID}_{U}$ can be different from ${ID}_{B}$ .

The advantage of

F_{1}

depends on its chance to win this game. We present another unforgeability Game 4 which is played between

F_{2}

and

C

3.5.4. Setup

Inputting π, $C$ generates $pp$ and s to $F_{2}$ .

3.5.5. Attack

$F_{2}$ executes polynomially bounded queries as in the case of the confidentiality game. However, because $F_{2}$ knows the MSK, it can independently produce the partial private key of his or her choice without relying on $C$ to get the key from the executed partial private key queries.

3.5.6. Forgery

$F_{2}$ produces the tuple $({ID}_{A}, {ID}_{B}, δ_{AB})$ at the end of the game and wins the game, if the following conditions are met:

$m = USC (δ_{AB}, {ID}_{A}, S_{B}, {ID}_{B})$ .

$F_{2}$ cannot execute private key query on ${ID}_{A}$ .

$F_{2}$ cannot execute proxy re-encryption key query on $({ID}_{A}, {ID}_{U})$ and private key query on ${ID}_{U}$ .

$F_{2}$ cannot perform signcryption query on $(m, {ID}_{A}, {ID}_{U})$ to produce a valid ciphertext $δ_{AU}$ if decryption key $S_{U}$ is forged. Here, ${ID}_{U}$ can be different from ${ID}_{B}$ .

The advantage of

F_{2}

depends on its chance to win this game.

Definition 2.
The CLS-PRE scheme is assumed to be EUF-CMA secure if there is no probabilistic polynomial time (PPT) adversaries $F_{1}$ and $F_{2}$ who can win Game 3 and Game 4 respectively with non-negligible advantage ϵ.

4. System overview

Fig. 4.

System model.

Figure 4 describes the system model for the proposed scheme. The system has four layers: the physical layer, the edger layer, the cloud layer, and the data user layer.

The physical layer comprises unmanned aerial vehicles (UAVs), sensors, and network modules that can gather real-time data from the farm and transmit it to the edge layer. The sensors usually support short-range communications. Mostly, they prefer to exchange data with nearby sensor nodes that relay information to the gateway node.

The Edge layer comprises an edge server and router to receive data from the physical layer and relay it to the cloud server. The edge server encrypts the agricultural data locally before sending it to the cloud.

The cloud layer comprises the cloud server and a key generation center (KGC). The KGC is for registering and generating a partial private key for the system users, such as DOs and data users. The DO is the front end of the sensor nodes (edger server). The cloud server (CS) provides cloud-based data storage, virtualization, and proxy re-encryption (PRE). Succinctly, the CS acts as a proxy for re-encryption and maintains the outsourced encrypted data. We assume the KGC is trustworthy and can never be compromised, whereas the CS is honest but curious. First, a data consumer sends a query message to the DO if he/she wants to obtain data from the CS. Afterward, the DO sends a re-encryption command to the CS. Finally, the CS re-encrypts the ciphertext and forwards it to the data for decryption.

Data user layer comprises researchers and government agencies. For the users to access the agricultural data resources, they need to send a request to the DO, which then generates a proxy re-encryption key for the CS, so that the CS can transform the ciphertext that can be decrypted with their private key.

4.1. Security requirements

The system model must have the following properties: confidentiality, authentication, integrity, and non-repudiation. It is said to be confidential when data is kept private from all entities except approved entities such as DOs and users. This means CS is not aware of the data contents. When outsourced data is protected against unauthorized modification, data integrity is established. Authentication is gained when only the authorized DO outsources information. Finally, non-repudiation is realized when the DO cannot reverse his previous acts, such as outsourcing encrypted data to a CS.

5. Our proposed scheme

5.1. Construction

We introduce a novel CLS-PRE scheme and then evaluate its security and performance. For simplicity, we suppose that Alice (DO) identified with ${ID}_{A}$ would securely transmit data to the CS, which is signcrypted for AI data analyzer dubbed as Bob with identity ${ID}_{B}$ . Also, Bob may give an authorized third-party user, dubbed Eve, the identity ${ID}_{E}$ right to access the content of the data. With the provision of the proxy re-encryption key from Bob, the proxy server can re-encrypt the ciphertext to provide legal access to Eve. We now present the CLS-PRE scheme below.

5.1.1. Setup

This algorithm is run by the key generation center (KGC). With the input of the security parameter π, the KGC proceeds as follows.

Chooses random $s \in Z_{q}^{*}$ as a master secret key. Selects the master public key as $P_{pub} = sP$ , where $P \in G$ is a generator of an elliptic curve $E / F_{q}$ , whose size is determined by the security parameter $π ⩾ 2^{160}$ .

Selects these hash functions:

$H_{1} : {0, 1}^{*} \times G^{2} \to Z_{q}^{*}$

$H_{2} : G \to {0, 1}^{κ}$

$H_{3} : {0, 1}^{*} \to Z_{q}^{*}$

$H_{4} : G \to {0, 1}^{κ}$

where κ represents the size of the message.

Publishes the public parameters $pp = ⟨ F_{q}, κ, G, P, P_{pub}, H_{1}, H_{2}, H_{3}, H_{4} ⟩$ and keeps the master secret s private.

5.1.2. SVS

The user selects random $x_{U} \in Z_{q}^{*}$ as secret value and returns a partial public key as $P_{U} = x_{U} P$ .

5.1.3. PPKE

To get a partial private key, a user sends ${ID}_{U} \in {0, 1}^{*}$ and the self-generated partial public key $P_{U} = x_{U} P$ to KGC. To respond, the KGC does the following:

Selects $r_{U} \leftarrow Z_{q}^{*}$ and computes $R_{U} = r_{U} P$ .

Computes $d_{U} = r_{U} + s H_{1} ({ID}_{U}, R_{U}, P_{U})$ .

The KGC securely sends

d_{U}

and

R_{U}

through a secure channel to the requested user. The user validates the partial private key by checking if

d_{U} P = R_{U} + H_{1} ({ID}_{U}, R_{U}, P_{U}) P_{pub}

holds. If the partial key is valid, the user accepts it; otherwise, rejects it.

5.1.4. PKG

This algorithm is executed by a user U with the input of $P_{U}$ and $R_{U}$ and sets the full public key as ${PK}_{U} = (P_{U}, R_{U})$ .

5.1.5. PKS

This algorithm is executed by a user U with the input of $d_{U}$ and $x_{U}$ , sets the full private key as $S_{U} = (x_{U}, d_{U})$

5.1.6. SC

Given Alice’s identifier ${ID}_{A}$ , message m, public key ${PK}_{A} = (P_{A}, R_{A})$ , and private key $S_{A} = (x_{A}, d_{A})$ , and also the public key ${PK}_{B} = (P_{B}, R_{B})$ of Bob, the algorithm performs the following:

Selects random $λ \in Z_{q}^{*}$ and computes $C_{1} = λ P$ .

Computes $Q_{B} = (R_{B} + H_{1} ({ID}_{B}, R_{B}, P_{B}) P_{pub} + H_{2} (R_{B}) P_{B})$ and sets $T = λ Q_{B}$ and $β_{B} = H_{2} ({ID}_{B}, T)$ .

Sets $C_{2} = m \oplus β_{B}$ .

Computes $h = H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ .

Computes $ϕ = λ + h (x_{A} + d_{A}) mod q$ .

Outputs the first level ciphertext as $δ_{AB} = (C_{1}, C_{2}, ϕ)$ .

5.1.7. PKGen

This algorithm generates a proxy re-encryption key. It accepts the input of Eve’s public key ${PK}_{E} = (P_{E}, R_{E})$ and Bob’s private key $S_{B} = (x_{B}, d_{B})$ and does the following:

Selects random $ω \in {0, 1}^{κ}$ and computes $Γ = r P$ , where $r \in Z_{P}^{*}$ .

Computes $Ω = ω (d_{B} + x_{B} H_{2} (R_{B}))$ , where $d_{B} = r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B})$ .

Computes $Q_{E} = (R_{E} + H_{1} ({ID}_{E}, R_{E}, P_{E}) P_{pub} + H_{2} (R_{E}) P_{E})$ and sets $φ = r Q_{E}$ and $β_{E} = H_{4} ({ID}_{E}, φ)$ .

Selects $\overline{C} = ω \oplus β_{E}$ .

Outputs $K_{BE} = (\overline{C}, Γ, Ω)$ as the proxy re-encryption key.

5.1.8. Re-Enc

This algorithm accepts the input of $δ_{AB} = (C_{1}, C_{2}, ϕ)$ and $K_{BE} = (\overline{C}, Γ, Ω)$ , and proceeds as follows:

Computes $C_{1}^{'} = C_{1} Ω = ω λ Q_{B}$ .

Outputs a second level ciphertext $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ)$ .

5.1.9. USC

With a given ciphertext $δ_{AB} = (C_{1}, C_{2}, ϕ)$ , Alice’s identity ${ID}_{A}$ and the public key ${PK}_{A}$ , Bob’s private key $S_{B} = (x_{B}, D_{B})$ and the public key ${PK}_{B} = (P_{B}, R_{B})$ . The algorithm proceeds as:

Computes $T = (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) C_{1} = λ Q_{B}$ and $β_{B} = H_{2} ({ID}_{B}, T)$ .

Computes $m = C_{2} \oplus β_{B}$ .

Computes $h = H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ .

Checks if $ϕ P = = C_{1} + h (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ holds. If valid, accepts the message m; else, rejects the ciphertext and output ⊥.

5.1.10. Dec

With a given ciphertext $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ)$ , Eve’s private key $S_{E} = (x_{E}, D_{E})$ , Eve performs the following:

Computes $φ = r Q_{E} = (r_{E} + s H_{1} ({ID}_{E}, R_{E}, P_{E}) + x_{E} H_{2} (R_{E})) Γ$ and $β_{E} = H_{4} ({ID}_{E}, φ)$ .

Computes $ω = \overline{C} \oplus β_{E}$ .

Computes $T = C_{1}^{'} (ω^{- 1}) = \frac{ω}{ω} λ Q_{B}$ and $β_{B} = H_{2} ({ID}_{B}, T)$ .

Computes $m = C_{2} \oplus β_{B}$ .

Computes $h = H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ .

Checks if $ϕ P = = C_{1} + h (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ holds. If valid, accepts the message m; else, rejects the ciphertext and output ⊥.

5.2. Correctness for signature verification

We give the correctness of the verification of the scheme as follows: $\begin{array}{l} \begin{matrix} ϕ & = λ + h (x_{A} + d_{A}) \end{matrix} \\ \begin{matrix} ϕ P & = C_{1} + h (x_{A} + d_{A}) P \\ = C_{1} + h (x_{A} + (r_{A} + s H_{1} ({ID}_{A}, R_{A}, P_{A})) P \\ = C_{1} + h (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub} \end{matrix} \end{array}$

Furthermore, we provide the correctness of proxy decryption and unsigncryption for the users Eve and Bob, respectively. Bob can retrieve the plaintext $m = C_{2} \oplus H_{2} ({ID}_{B}, T)$ as a result of $T = (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) C_{1}$ and $T = C_{1}^{'} (ω^{- 1})$ . The decryption of the message is successful due to the correctness of the following equations: $\begin{array}{l} \begin{matrix} T & = (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) C_{1} \\ = (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) \cdot λ P \\ = λ (R_{B} + H_{1} ({ID}_{B}, R_{B}, P_{B}) P_{pub} + H_{2} (R_{B}) P_{B}) \\ = λ Q_{B} \end{matrix} \\ \begin{matrix} C_{1}^{'} & = C_{1} Ω \\ = ω (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) C_{1} \\ = ω (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B})) \cdot λ P \\ = ω λ (R_{B} + H_{1} ({ID}_{B}, R_{B}, P_{B}) P_{pub} + H_{2} (R_{B}) P_{B}) \\ = ω λ Q_{B} \end{matrix} \\ \begin{matrix} φ & = (r_{E} + s H_{1} ({ID}_{E}, R_{E}, P_{E}) + x_{E} H_{2} (R_{E})) Γ \\ = (r_{E} + s H_{1} ({ID}_{E}, R_{E}, P_{E}) + x_{E} H_{2} (R_{E})) \cdot r P \\ = r (R_{E} + H_{1} ({ID}_{E}, R_{E}, P_{E}) P_{pub} + H_{2} (R_{E}) P_{E}) \\ = r Q_{E} \end{matrix} \end{array}$

6. Security analysis

The CLS-PRE scheme uses Theorems 1 and 2 to achieve confidentiality and unforgeability, respectively.

6.1. Confidentiality

Theorem 1.
Our CLS-PRE scheme is IND-CCA2 secure in the random oracle model (ROM) against the adversaries $A_{1}$ and $A_{2}$ assuming GDH assumption cannot be broken in Probabilistic Polynomial Time (PPT).
Proof.
We use Lemma 1 and Lemma 2 to prove the Theorem 1. □
Lemma 1.
Assuming that there exists $A_{1}$ , a PPT adversary, which has the advantage of ϵ to win the IND-CCA2 confidentiality game with the random oracles $H_{i} (1 ⩽ i ⩽ 4)$ , then there exist an algorithm $C$ which uses $A_{1}$ to solve the GDH hard problem with the advantage of $\begin{matrix} ϵ gdh ⩾ (\frac{ϵ}{q^{2} H_{1}}) (1 - \frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{matrix}$ in a time $t^{'} ⩽ t + O (q_{pk} + q_{s} + q_{e} + q_{u} + q_{d})$ , where $q_{pk}$ is the proxy key generation queries, $q_{s}$ is the signcryption queries, $q_{u}$ is the unsigncryption queries, $q_{e}$ is the re-encryption queries, and $q_{d}$ is the decryption queries.
Proof.
The challenge algorithm $C$ uses $(P, aP, bP)$ as a challenge tuple to break the GDH assumption. $C$ interacts with $A_{1}$ as follows: □
6.1.1. Setup

$C$ defines $C_{1} = aP$ , $Q_{B} = bP$ and $P_{pub} = sP$ . Here, $C$ does not know the values $a, b \in Z_{P}^{*}$ . The hash functions $H_{i}$ ( $1 ⩽ i ⩽ 4$ ) are simulated as random oracles that $C$ controls. $C$ maintains records $L_{i}$ (where $i = 1, 2, 3, 4$ ) for congruity in answering the hash queries. $C$ maintains a record $L_{5}$ for the returned public and private keys. Also, $C$ selects ${ID}_{ζ}$ as the challenge and submits the $pp$ , $C_{1}$ , $Q_{ζ}$ , $P_{pub}$ to $A_{1}$ . We adopt the irreflexivity assumption [11] and assume that $A_{1}$ queries on ${ID}_{i}$ based on distinct identities.

6.1.2. Phase 1

Let i represents a counter with the default value set to 1. $A_{1}$ sends polynomial bounded adaptive queries to $C$ , in which $C$ replies as follows:

$H_{1}$ Queries: $A_{1}$ performs queries on $({ID}_{i}, R_{i}, P_{i})$ . $C$ searches in the entry $L_{1}$ for $({ID}_{i}, R_{i}, P_{i}, α_{i})$ and returns $α_{i}$ to $A_{1}$ . If the hash value is not defined in $L_{1}$ , C executes the public key queries on $({ID}_{i}, R_{i}, P_{i})$ and outputs the associated hash value $α_{i}$ to $A_{1}$ . $C$ inserts $({ID}_{i}, R_{i}, P_{i}, α_{i})$ into $L_{1}$ .

$H_{2}$ Queries: $A_{1}$ queries on $({ID}_{B}, T)$ , $C$ replies as follows:

It checks whether the DDH oracle outputs TRUE when queried on $(aP, bP, T) \in G$ . If TRUE, $C$ outputs T and stops.

$C$ looks up $L_{2}$ for an entry $({ID}_{B}, *, β_{B})$ where DDH oracle outputs TRUE. (Here, ${ID}_{B} = {ID}_{ζ}$ ). $C$ returns $β_{B}$ when an entry like that exists and replaces ∗ appropriately with T.

When $C$ ’s simulation gets to this point, it generates a random $β_{B}$ and updates $L_{2}$ (an initially empty list) with the corresponding input and return values, respectively.

$H_{3}$ Queries: $A_{1}$ queries on $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ . $C$ checks $L_{3}$ for $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ and sends h to $A_{1}$ if it exists. Otherwise, $C$ randomly selects $h \in Z_{q}^{*}$ as a reply. $C$ inserts $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ into $L_{3}$ .

$H_{4}$ Queries: $A_{1}$ queries on $({ID}_{i}, φ_{i})$ . First, $C$ searches all the entries in $L_{4}$ for $H_{4} ({ID}_{i}, φ_{i}, β_{i})$ . If the corresponding entry is found in $L_{4}$ , $C$ sends $β_{i}$ to $A_{1}$ ; otherwise $C$ selects $β_{i} \in {0, 1}^{κ}$ randomly as reply. $C$ updates $L_{4}$ with $({ID}_{i}, φ_{i}, β_{i})$ .

Partial Private Key Queries: $A_{1}$ makes polynomial time bounded queries based on ${ID}_{i}$ , $C$ responds as follows:

If ${ID}_{i} = {ID}_{ζ}$ , $C$ aborts.

If ${ID}_{i} \neq {ID}_{ζ}$ , then $C$ gets $d_{i}$ from $L_{5}$ . Hint: In Game 1, $A_{1}$ is required to query on ${ID}_{i}$ in $H_{1}$ oracle before the ${ID}_{i}$ can be used in the subsequent oracles.

Public Key Queries: $A_{1}$ queries on ${ID}_{i}$ . In response, $C$ checks if $L_{5}$ contains $({ID}_{i}, d_{i}, P_{i}, R_{i}, x_{i})$ . If it is TRUE, $C$ submits ${PK}_{i} = (P_{i}, R_{i})$ to $A_{1}$ ; otherwise, $C$ performs the following:

If ${ID}_{i} = {ID}_{ζ}$ , $C$ selects random $x_{ζ}, α_{ζ} \in Z_{q}^{*}$ and outputs $P_{ζ} = x_{ζ} P$ and $R_{ζ} = bP + α_{ζ} P_{pub}$ . Here, $α_{ζ}$ is defined as an $H_{1}$ query on $({ID}_{ζ}, R_{ζ}, P_{ζ})$ . $C$ inserts $({ID}_{ζ}, ⊥, P_{ζ}, R_{ζ}, α_{ζ})$ into $L_{5}$ . Note that $aP$ is an instance of a GDH problem.

If ${ID}_{i} \neq {ID}_{ζ}$ , $C$ selects random $x_{ζ}, α_{ζ} \in Z_{q}^{*}$ and fixes $P_{i} = x_{i} P$ and $R_{i} = bP + α_{i} P_{pub}$ . Here, $α_{i}$ is defined as an $H_{1}$ query on ${ID}_{i}$ , $R_{i}$ , $P_{i}$ . $C$ inserts $({ID}_{i}, ⊥, P_{i}, R_{i}, α_{i})$ into $L_{5}$ .

Public Key Substitution Queries: $A_{1}$ queries on ${ID}_{i}$ for public key replacement. $C$ updates $L_{5}$ with the quintuple $({ID}_{i}, ⊥, P_{i}, R_{i}, ⊥)$ . The resultant value is important for $C$ ’s later computations.

Private Key Queries: $A_{1}$ queries on ${ID}_{i}$ . If there has not been any public key substitution on ${ID}_{i}$ and ${ID}_{i} \neq {ID}_{ζ}$ , then $C$ checks the record $L_{5}$ and responds to $A_{1}$ with $S_{i} = (x_{i}, d_{i})$ . If a public key substitution query has been performed on ${ID}_{i}$ , then $A_{1}$ is not permitted to access $S_{i}$ . If ${ID}_{i} = {ID}_{ζ}$ , then $C$ terminates.

Proxy key generation Queries: $A_{1}$ makes a query on an identity pair $({ID}_{i}, {ID}_{j})$ . In response, $C$ firstly executes the public key query and the private key query with ${ID}_{i}$ to obtain the delegator’s private key $S_{i}$ and the public key ${PK}_{i}$ , respectively. Next, $C$ gets ${Pk}_{j}$ by running the public key query with ${ID}_{j}$ . $C$ selects random $ω \in {0, 1}^{κ}$ and $r \in Z_{P}^{*}$ and computes $Γ = r P$ . Also, $C$ Computes $Ω = ω (r_{B} + s H_{1} ({ID}_{i}, R_{i}, P_{i}) + x_{i} H_{2} (R_{i}))$ , $Q_{j} = (R_{j} + H_{1} ({ID}_{j}, R_{j}, P_{j}) P_{pub} + H_{2} (R_{j}) P_{j})$ and set $φ = r Q_{j}$ and $β_{j} = H_{2} ({ID}_{j}, φ)$ . $C$ further computes $\overline{C} = ω \oplus β_{j}$ and outputs ${RK}_{i \to j} = (\overline{C}, Γ, Ω)$ as answer to the query. Note, $C$ will fail if $i = ζ$ .

Signcryption Queries: The sender’s identity is represented as ${ID}_{A}$ whilst the recipient’s identity is symbolized as ${ID}_{B}$ . When $A_{1}$ queries on $(m, {ID}_{A}, {ID}_{B})$ , $C$ responds as follows:

If ${ID}_{A} \neq {ID}_{ζ}$ , then $C$ can respond $A_{1}$ with $δ_{AB}$ by executing the SC algorithm. Note that $C$ can run the signcryption because it knows the private key $S_{A}$ .

Now, if ${ID}_{A} = {ID}_{ζ}$ , then $C$ queries the public key ${ID}_{ζ}$ . It selects $h \in Z_{p}^{*}$ and sets $C_{1} = ϕ P - (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ . Next, it computes $Q_{B} = (R_{B} + H_{1} ({ID}_{B}, R_{B}, P_{B}) P_{pub} + H_{2} (R_{B}) P_{B})$ , $T = (ϕ - h (x_{A} + d_{A})) Q_{B}$ , $β_{B} = H_{2} ({ID}_{B}, T)$ and sets $C_{2} = m \oplus β_{B}$ . Finally $C$ returns $δ_{AB} = (C_{1}, C_{2}, ϕ)$ to $A_{1}$ . Hint: The construction of the private key for ${ID}_{B}$ is right under the irreflexivity assumptions [11]. $C$ fails if at least one of this tuple $(h, β_{B})$ is predefined.

Re-Encryption Queries. $A_{1}$ queries on $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{E})$ , $C$ responds as follows:

If ${ID}_{B} \neq {ID}_{ζ}$ , then $C$ responds $A_{1}$ with $δ_{AE}$ at the execution of Re-Enc algorithm. Via the proxy key generation queries, $C$ can acquire the proxy re-encryption key $K_{BE}$ on the tuples $({ID}_{B}, {ID}_{E})$ .

Now, if ${ID}_{B} = {ID}_{ζ}$ , then $C$ queries on ${ID}_{A}$ for the public key ${PK}_{A}$ . $C$ randomly chooses $ω \in Z_{p}^{*}$ , $Γ \in G$ and $\overline{C} \in {0, 1}^{k}$ and defines $Ω = ω (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B}))$ according to the assumption of irreflexivity [11]. Consequently, $C$ computes $C_{1}^{'} = C_{1} Ω$ . Ultimately, $C$ outputs $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ)$ to $A_{1}$ . $C$ fails if at least one of this tuple $(h, β_{B})$ has been pre-defined.

6.1.3. Unsigncryption queries

$A_{1}$ queries on $δ_{AB} = (C_{1}, C_{2}, U, ϕ), {ID}_{A} and {ID}_{B}$ . To reply, $C$ runs the public key query on ${ID}_{A}$ and continues as follows:

If ${ID}_{B} \neq {ID}_{ζ}$ , then $C$ runs the USC algorithm and returns m to $A_{1}$ . Note that via the private key query on ${ID}_{B}$ , $C$ can get the private key $S_{B}$ .

Now, if ${ID}_{B} = {ID}_{ζ}, S_{B}$ is not known. To simulate the USC algorithm correctly, $C$ firstly searches for T in $L_{2}$ to retrieve the corresponding entry $({ID}_{B}, T, β_{B})$ . When the DBDH oracle is queried with $(aP, bP, T)$ , $C$ outputs TRUE if $(T)$ exists in $L_{2}$ . Next, $C$ gets $m = C_{2} \oplus β_{B}$ and continues to get h through $H_{3}$ query on $(C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ . To accept m as a valid message, $C$ checks if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ hold. If valid, accept m and returns it to $A_{1}$ . Otherwise, $C$ discards the ciphertext and outputs ⊥.

At this point, $C$ randomly puts $β_{B} \in {0, 1}^{κ}$ in $L_{2}$ , i.e. $(*, T, β_{B})$ , computes $m = C_{2} \oplus β_{B}$ and inserts $h \in Z_{q}^{*}$ into $L_{3}$ i.e. $(C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ . Ultimately, $C$ proceeds to verify if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ hold. If it is valid, $C$ outputs m to $A_{1}$ . Otherwise, discard the ciphertext and output ⊥. Here, ∗ is associated with the recipient’s identity ${ID}_{B}$ . Hint, $C$ fails if at least one of the hash values has been defined in steps 2) and 3).

6.1.4. Decryption queries

$A_{1}$ queries on $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ), {ID}_{A}, {ID}_{B} and {ID}_{E}$ . To reply, $C$ calls the public key query on ${ID}_{A}$ and proceeds as follows:

If ${ID}_{E} \neq {ID}_{ζ}$ , then $C$ possibly replies $A_{1}$ with m by executing the Dec algorithm. Here $C$ can get the private key $S_{E}$ via the private key query on ${ID}_{E}$ .

Now, if ${ID}_{E} = {ID}_{ζ}$ , then $S_{E}$ is not known. To comply with the Dec algorithm, $C$ searches $L_{4}$ with the entries $({ID}_{ι}, φ_{ι}, β_{ι})$ indexed by $ι = {1, \dots, q H_{4}}$ . $C$ computes $ω = \overline{C} \oplus β_{ι}$ and verifies if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ holds. If it is valid, m is returned to $A_{1}$ ; otherwise, $C$ continues to the next item in $L_{5}$ . If no message is retrieved from $L_{5}$ after an exhaustive search, then $C$ outputs ⊥.

6.1.5. Challenge

$A_{1}$ selects identity pair ${ID}_{A}^{*}$ , ${ID}_{B}^{*}$ and two messages of the same length $m_{0}$ and $m_{1}$ on which it anticipates to be confronted. Assuming ${ID}_{A}^{*} \neq {ID}_{ζ}^{*}$ , the $C$ aborts. Otherwise, $C$ randomly selects $C_{1}^{*} \in G, ϕ^{*}$ , $h^{*} \in Z_{q}^{*}, C_{2}^{*}$ , $β_{B}^{*} \in {0, 1}^{n}$ and $b \in {0, 1}$ . Then, $C$ defines $C_{1}^{*} = aP = ϕ P - (P_{A}^{*} + R_{A}^{*} + h^{*} H_{1} ({ID}_{A}^{*}, R_{A}^{*}, P_{A}^{*}) P_{pub})$ and $C_{2}^{*} = m_{b}^{*} \oplus β_{B}^{*}$ . Eventually, $C$ outputs $δ_{AB}^{*} = (C_{1}^{*}, C_{2}^{*}, ϕ^{*})$ to $A_{1}$ .

6.1.6. Phase 2

$A_{1}$ makes a series of polynomially bounded adaptive queries as in Phase 1 with the constraints mentioned in Game 1 in Section 3.4. $C$ replies to $A_{1}$ ’s queries as in Phase 1.

6.1.7. Guess

$A_{1}$ makes a guess $b^{'}$ of b but $C$ rejects the guess value. $A_{1}$ cannot make the correct guess except for searching for the challenged tuple $({ID}_{B}^{*}, T^{*}, β_{B}^{*})$ in $L_{2}$ such that $T^{*} = abP$ . Hence, $T^{*} \in L_{2}$ is the answer to the GDH problem which is bounded by at most $1 / q H_{1}$ . Analysis: Here, we assess the probability of $C$ ’s succeeding in the following independent events.

$E_{1} : A_{1}$ chooses not to be challenged on ${ID}_{ζ}$ .

$E_{2} : A_{1}$ issues queries on ${ID}_{ζ}$ for private key.

$E_{3} : A_{1}$ issues queries on ${ID}_{ζ}$ for partial private key.

$E_{4} : A_{1}$ issues queries on $({ID}_{ζ}, {ID}_{j})$ for proxy re-encryption key.

$E_{5}$ : At signcryption query, $C$ aborts if collision is found in $H_{2} - H_{4}$ .

$E_{6}$ : at unsigncryption query, $C$ aborts due to the rejection of a valid ciphertext during simulation.

Hence, it is evident that $Pr [\neg E_{1}] = 1 / q H_{1}$ , $Pr [\neg E_{5}] = (1 - q_{s} (q H_{2} + q H_{3}) / 2^{π}$ , $Pr [\neg E_{6}] = (1 - q_{u} / 2^{π})$ . Note $\neg E_{1}$ implies $\neg E_{2}$ , $\neg E_{3}$ and $\neg E_{4}$ . Therefore, we have $\begin{array}{l} Pr [\neg E_{1} \land E_{5} \land E_{6}] \\ ⩾ (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{array}$

The probability of selecting T randomly from the record $L_{2}$ such that it is the solution of the GDH problem is $1 / q H_{1}$ . Therefore, $\begin{array}{l} Pr [C] = (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{array}$ in time $t^{'} ⩽ t + O (q_{pk} + q_{s} + q_{e} + q_{u} + q_{d})$ .

Lemma 2.
Assuming that there exists $A_{2}$ , a PPT adversary, which has the advantage of ϵ to win the IND-CCA2 confidentiality game with the random oracles $H_{i}$ ( $1 ⩽ i ⩽ 4$ ), then there exist an algorithm $C$ which uses $A_{2}$ to solve the GDH hard problem with the advantage of $\begin{matrix} ϵ gdh ⩾ (\frac{ϵ}{q^{2} H_{1}}) (\frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{matrix}$ in a time $t^{'} ⩽ t + O (q_{pk} + q_{s} + q_{e} + q_{u} + q_{d}) t_{p}$ where $q_{pk}$ is the proxy key generation queries, $q_{s}$ is the signcryption queries, $q_{u}$ is the unsigncryption queries, $q_{e}$ is the re-encryption queries and $q_{d}$ is the decryption queries.

6.1.8. Setup

$C$ sets $P_{pub} = y P$ where y is the MSK and sends $pp$ , y and $P_{pub}$ to $A_{2}$ . For uniformity of the hash query reply, $C$ maintains records $L_{i}$ where $(1 ⩽ i ⩽ 4)$ . Also, $C$ keeps an additional record $L_{5}$ for the returned public and private keys. We suppose $A_{2}$ queries on ${ID}_{i}$ with a distinct identifier for $q H_{1}$ different queries. Here, i, a counter, is initially fixed as 1. $C$ selects ${ID}_{ζ}$ and ${ID}_{η}$ as challenge identities from the list of identities in $q H_{1}$ . The interaction between $C$ and $A_{2}$ proceeds as follows:

6.1.9. Phase 1

$A_{2}$ sends polynomial bounded adaptive queries to $C$ , in which $C$ replies as follows:

$H_{1}$ Queries: $A_{2}$ performs queries on $({ID}_{i}, R_{i}, P_{i})$ . $C$ searches in the entry $L_{1}$ for $({ID}_{i}, R_{i}, P_{i}, α_{i})$ and returns $α_{i}$ to $A_{2}$ . If the hash value is not defined in $L_{1}$ , C executes the public key queries on $({ID}_{i}, R_{i}, P_{i})$ and outputs the associated hash value $α_{i}$ to $A_{2}$ . $C$ adds $({ID}_{i}, R_{i}, P_{i}, α_{i})$ to $L_{1}$ .

$H_{2}$ Queries: $A_{2}$ queries on $({ID}_{B}, T)$ , $C$ replies as follows:

It checks whether the DDH oracle outputs TRUE when queried on $(aP, bP, T) \in G$ . If TRUE, $C$ outputs T and stops.

$C$ looks up $L_{2}$ for an entry $({ID}_{B}, *, β_{B})$ where DDH oracle outputs TRUE. (Here, ${ID}_{B} = {ID}_{ζ}$ ). $C$ returns $β_{B}$ if an entry like that exists and replaces ∗ appropriately with T.

When $C$ ’s simulation gets to this point, it generates a random $β_{B}$ and updates $L_{2}$ (initially empty) with the corresponding input and return values, respectively.

$H_{3}$ Queries: $A_{2}$ queries on $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ . $C$ checks $L_{3}$ for $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ and sends h to $A_{2}$ if it exists. Otherwise, $C$ randomly selects $h \in Z_{q}^{*}$ as a reply. $C$ inserts $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ into $L_{3}$ .

$H_{4}$ Queries: $A_{2}$ queries on $({ID}_{i}, φ_{i})$ . First, $C$ searches all the entries in $L_{4}$ for $H_{4} ({ID}_{i}, φ_{i}, β_{i})$ . If the corresponding entry is found in $L_{4}$ , $C$ sends $β_{i}$ to $A_{2}$ ; otherwise $C$ selects $β_{i} \in {0, 1}^{κ}$ randomly as reply. $C$ updates $L_{4}$ with $({ID}_{i}, φ_{i}, β_{i})$ .

Public Key Queries: $A_{2}$ queries on ${ID}_{i}$ . In response, $C$ checks if $L_{5}$ contains $({ID}_{i}, d_{i}, P_{i}, R_{i}, x_{i})$ . If it is TRUE, $C$ submits ${PK}_{i} = (P_{i}, R_{i})$ to $A_{2}$ ; otherwise, $C$ performs the following:

If ${ID}_{i} = {ID}_{ζ}$ , $C$ selects random $x_{ζ}, α_{ζ} \in Z_{q}^{*}$ and outputs $P_{ζ} = x_{ζ} P$ and $R_{ζ} = bP + α_{ζ} P_{pub}$ . Here, $α_{ζ}$ is defined as an $H_{1}$ query on $({ID}_{ζ}, R_{ζ}, P_{ζ})$ . $C$ inserts $({ID}_{ζ}, d_{ζ}, P_{ζ}, R_{ζ}, α_{ζ})$ into $L_{5}$ . Note that $aP$ is an instance of a GDH problem.

Private Key Queries: $A_{2}$ queries on ${ID}_{i}$ . If there has not been any public key substitution on ${ID}_{i}$ and ${ID}_{i} \neq {ID}_{ζ}$ , then $C$ checks the record $L_{5}$ and responds to $A_{2}$ with $S_{i} = (x_{i}, d_{i})$ . If a public key substitution query has been performed on ${ID}_{i}$ , then $A_{2}$ is not permitted to access $S_{i}$ . If ${ID}_{i} = {ID}_{ζ}$ , then $C$ terminates.

Proxy key generation Queries: $A_{2}$ queries on identity pair $({ID}_{i}, {ID}_{j})$ . In response, $C$ firstly executes the public key query and the private key query with ${ID}_{i}$ to obtain the delegator’s private key $S_{i}$ and the public key ${PK}_{i}$ , respectively. Next $C$ gets ${Pk}_{j}$ by running the public key query with ${ID}_{j}$ . $C$ selects random $ω \in {0, 1}^{κ}$ and $r \in Z_{P}^{*}$ and computes $Γ = r P$ . Also, $C$ Computes $Ω = ω (r_{B} + s H_{1} ({ID}_{i}, R_{i}, P_{i}) + x_{i} H_{2} (R_{i}))$ , $Q_{j} = (R_{j} + H_{1} ({ID}_{j}, R_{j}, P_{j}) P_{pub} + H_{2} (R_{j}) P_{j})$ and set $φ = r Q_{j}$ and $β_{j} = H_{2} ({ID}_{j}, φ)$ . $C$ further computes $\overline{C} = ω \oplus β_{j}$ and outputs ${RK}_{i \to j} = (\overline{C}, Γ, Ω)$ as answer to the query. Note, $C$ will fail if $i = ζ$ .

Signcryption Queries: The sender’s identity is represented as ${ID}_{A}$ while the recipient’s identity is symbolized as ${ID}_{B}$ . When $A_{2}$ queries on $(m, {ID}_{A}, {ID}_{B})$ , $C$ responds as follows:

If ${ID}_{A} \neg {ID}_{ζ}$ , then $C$ can respond $A_{2}$ with $δ_{AB}$ by executing the SC algorithm. Note that $C$ can run the signcryption because it knows the private key $S_{A}$ .

Now, if ${ID}_{A} = {ID}_{ζ}$ , then $C$ queries for the public key ${ID}_{ζ}$ . It selects $h \in Z_{p}^{*}$ and sets $C_{1} = ϕ P - (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pup})$ . Next, it computes $Q_{B} = (R_{B} + H_{1} ({ID}_{B}, R_{B}, P_{B}) P_{pub} + H_{2} (R_{B}) P_{B})$ , $T = (ϕ - h (x_{A} + d_{A})) Q_{B}$ , $β_{B} = H_{2} ({ID}_{B}, T)$ and sets $C_{2} = m \oplus β_{B}$ . Finally $C$ returns $δ_{AB} = (C_{1}, C_{2}, ϕ)$ to $A_{2}$ . Hint: The construction of the private key for ${ID}_{B}$ is right by the irreflexivity assumptions [11]. $C$ fails if at least one of this tuple $(h, β_{B})$ is predefined.

Re-Encryption Queries. $A_{2}$ queries on $(δ_{AB}, {ID}_{A}, {ID}_{B}, {ID}_{E})$ , $C$ responds as follows:

If ${ID}_{B} \neq {ID}_{ζ}$ , then $C$ responds $A_{2}$ with $δ_{AE}$ at the execution of Re-Enc algorithm. Via the proxy key generation queries, $C$ can acquire the proxy re-encryption key $K_{BE}$ on the tuples $({ID}_{B}, {ID}_{E})$ .

Now, if ${ID}_{B} = {ID}_{ζ}$ , then $C$ queries on ${ID}_{A}$ for the public key ${PK}_{A}$ . $C$ randomly chooses $ω \in Z_{p}^{*}$ , $Γ \in G$ and $\overline{C} \in {0, 1}^{k}$ and defines $Ω = ω (r_{B} + s H_{1} ({ID}_{B}, R_{B}, P_{B}) + x_{B} H_{2} (R_{B}))$ according to the assumption of irreflexivity [11]. Consequently, $C$ computes $C_{1}^{'} = C_{1} Ω$ . Ultimately, $C$ outputs $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ)$ to $A_{2}$ . $C$ fails if at least one of this tuple $(h, β_{B})$ has been pre-defined.

6.1.10. Unsigncryption queries

$A_{2}$ queries on $δ_{AB} = (C_{1}, C_{2}, U, ϕ), {ID}_{A} and {ID}_{B}$ . To reply, $C$ runs the public key query on ${ID}_{A}$ and continues as follows:

If ${ID}_{B} \neq {ID}_{ζ}$ , then $C$ runs the USC algorithm and returns m to $A_{2}$ . Note that via the private key query on ${ID}_{B}$ , $C$ can get the private key $S_{B}$ .

Now, if ${ID}_{B} = {ID}_{ζ}, S_{B}$ is not known. To simulate the USC algorithm correctly, $C$ firstly searches for T in $L_{2}$ to retrieve the corresponding entry $({ID}_{B}, T, β_{B})$ . When the DBDH oracle is queried with $(aP, bP, T)$ , $C$ outputs TRUE if $(T)$ exists in $L_{2}$ . Next, $C$ gets $m = C_{2} \oplus β_{B}$ and continues to get h through $H_{3}$ query on $(C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ . To accept m as a valid message, $C$ checks if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ hold. If valid, accept m and returns it to $A_{2}$ . Otherwise, $C$ discards the ciphertext and outputs ⊥.

At this point, $C$ randomly puts $β_{B} \in {0, 1}^{κ}$ in $L_{2}$ , i.e. $(*, T, β_{B})$ , computes $m = C_{2} \oplus β_{B}$ and inserts $h \in Z_{q}^{*}$ into $L_{3}$ i.e. $(C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ . Ultimately, $C$ proceeds to verify if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ hold. If it is valid, $C$ outputs m to $A_{2}$ . Otherwise, discard the ciphertext and output ⊥. Here, ∗ is associated with the recipient’s identity ${ID}_{B}$ . Hint: $C$ fails if at least one of the hash values has been defined in steps 2) and 3).

6.1.11. Decryption queries

$A_{2}$ queries on $δ_{AE} = (C_{1}^{'}, C_{2}, ϕ, \overline{C}, Γ), {ID}_{A}, {ID}_{B} and {ID}_{E}$ . To reply, $C$ calls the public key query on ${ID}_{A}$ and proceeds as follows:

If ${ID}_{E} \neq {ID}_{ζ}$ , then $C$ possibly replies $A_{2}$ with m by executing the Dec algorithm. Here $C$ can get the private key $S_{E}$ via the private key query on ${ID}_{E}$ .

Now, if ${ID}_{E} = {ID}_{ζ}$ , then $S_{E}$ is not known. To comply with the Dec algorithm, $C$ searches $L_{4}$ with the entries $({ID}_{ι}, φ_{ι}, β_{ι})$ indexed by $ι = {1, \dots, q H_{4}}$ . $C$ computes $ω = \overline{C} \oplus β_{ι}$ and verifies if $ϕ P = = C_{1} + (P_{A} + R_{A} + H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub})$ holds. If it is valid, m is returned to $A_{2}$ ; otherwise, $C$ continues to the next item in $L_{5}$ . If no message is retrieved from $L_{5}$ after an exhaustive search, then $C$ outputs ⊥.

6.1.12. Challenge

$A_{2}$ selects identity pair ${ID}_{A}^{*}$ , ${ID}_{B}^{*}$ and two messages of the same length $m_{0}$ and $m_{1}$ on which it anticipates to be confronted. Assuming ${ID}_{A}^{*} \neq {ID}_{ζ}^{*}$ , the $C$ aborts. Otherwise, $C$ randomly selects $C_{1}^{*} \in G, ϕ^{*}$ , $h^{*} \in Z_{q}^{*}, C_{2}^{*}$ , $β_{B}^{*} \in {0, 1}^{n}$ and $b \in {0, 1}$ . Then, $C$ defines $C_{1}^{*} = aP = ϕ P - (P_{A}^{*} + R_{A}^{*} + h^{*} H_{1} ({ID}_{A}^{*}, R_{A}^{*}, P_{A}^{*}) P_{pub})$ and $C_{2}^{*} = m_{b}^{*} \oplus β_{B}^{*}$ . Eventually, $C$ outputs $δ_{AB}^{*} = (C_{1}^{*}, C_{2}^{*}, ϕ^{*})$ to $A_{2}$ .

6.1.13. Phase 2

$A_{2}$ makes a series of polynomially bounded adaptive queries as in Phase 1 with the constraints mentioned in Game 1 in Section 3.4. $C$ replies to $A_{2}$ ’s queries as in Phase 1.

6.1.14. Guess

$A_{2}$ makes a guess $b^{'}$ of b but $C$ rejects the guess value. $A_{2}$ cannot make the correct guess except it searches for the challenged tuple $({ID}_{B}^{*}, T^{*}, β_{B}^{*})$ in $L_{2}$ such that $T^{*} = abP$ . Hence, $T^{*} \in L_{2}$ is the answer to the GDH problem, which is bounded by at most $1 / q H_{1}$ .

Analysis: Here, we assess the probability of $C$ ’s succeeding in the following independent events.

$E_{1} : A_{2}$ does not select to be challenged on ${ID}_{ζ}$ .

$E_{2} : A_{2}$ issues queries on ${ID}_{ζ}$ for private key.

$E_{3} : A_{2}$ issues queries on $({ID}_{ζ}, {ID}_{j})$ for proxy re-encryption key.

$E_{4}$ : At signcryption query, $C$ aborts if collision is found in $H_{2} - H_{4}$ .

$E_{5}$ : at unsigncryption query: $C$ aborts due to the rejection of a valid ciphertext during simulation.

Hence, it is evident that

Pr [\neg E_{1}] = 1 / q H_{1}

Pr [\neg E_{5}] = (1 - q_{s} (q H_{2} + q H_{3}) / 2^{π}

Pr [\neg E_{5}] = (1 - q_{u} / 2^{π})

. Note

\neg E_{1}

implies

\neg E_{2}

and

\neg E_{3}

. Therefore, we have

\begin{array}{l} Pr [\neg E_{1} \land E_{4} \land E_{5}] \\ ⩾ (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{array}

The probability of selecting T randomly from the record

L_{2}

such that it is the solution of the GDH problem is

1 / q H_{1}

. Therefore,

\begin{array}{l} Pr [C] = (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{s} (q H_{2} + q H_{3})}{2^{π}}) (1 - \frac{q_{u}}{2^{π}}) \end{array}

in time

t^{'} ⩽ t + O (q_{pk} + q_{s} + q_{e} + q_{u} + q_{d})

6.2. Authenticity

Theorem 2.
The proposed CLS-PRE scheme is EUF-CMA secure in the ROM.
Proof.
The proof for Theorem 2 is done using Lemma 3 and Lemma 4. □
Lemma 3.
Assuming that there exist $F_{1}$ , a PPT adversary, which has the advantage of ϵ to win the EUF-CMA authenticity game at time t with $q_{pk}$ proxy key generation queries, $q_{s}$ signcryption queries, $q_{u}$ unsigncryption queries, $q_{e}$ re-encryption queries, $q_{d}$ decryption queries and $q H_{i}$ queries to oracle $H_{i}$ (where $1 ⩽ i ⩽ 4$ ), then there exist an algorithm $C$ which uses $F_{1}$ to break the ECDL assumption with the advantage of $\begin{matrix} ϵ ecdl ⩾ (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{u} (q H_{2} + q H_{3})}{(2^{π})}) \end{matrix}$ in time $t^{'} ⩽ t + O (q_{pk} + q_{s} + q_{e} + q_{u} + q_{d})$ .
Proof.
Analogous to [14] and [1], we prove Lemma 3 using forking lemma [33]. □

Firstly, we describe how our scheme fits in with the signature scheme proposed in [33]. With the forking lemma, a simulation can be done without the sender’s private key [32]. We assert that during the signcryption process, the tuple generated as $(δ_{1}, h, δ_{2})$ conforms to the three-phase honest-checking protocol for zero-knowledge proof of identity. Here, $δ_{1} = C_{1}$ is the prover’s commitment, $h = H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ is the hash value replacing the verifier’s challenge, and $δ_{2} = ϕ$ is the prover’s reply. In the simulation steps, a challenger $C$ attempts to use a forger $F_{1}$ to solve ECDL hard problem through interactions. $C$ intends to compute b with a given ECDL instance $(P, ab, bP)$ . $C$ interacts with $F_{1}$ as follows:
6.2.1. Setup

$C$ supplies $F_{1}$ with $pp$ after executing the Setup algorithm.

6.2.2. Attack

Every hash query is identical to that of Lemma 1. Here, we set the identical challenge ${ID}_{A} = {ID}_{ζ}$ in $H_{1}$ queries. $C$ runs the private key query to obtain the partial key $x_{A} = a \in Z_{q}^{*}$ . Here, b simulates the secret value that the sender ${ID}_{A}$ used in constructing the partial private key, which is unknown to $F_{1}$ .

6.2.3. Forgery

$F_{1}$ outputs $({ID}_{A}, {ID}_{B}, δ_{AB})$ , where $δ_{AB} = (C_{1}, C_{2}, ϕ)$ . Note that $F_{1}$ does not perform a private key query on ${ID}_{A}^{*}$ according to Section 3.5. Based on the theory of irreflexivity, $C$ can generate the message-signature pair from $δ_{AB}$ with the private key ${ID}_{B}$ . Since identity-less chosen message attack is possible with forking lemma [33], we unify the sender’s message m and identity ${ID}_{A}$ as a fake message $({ID}_{A}, m)$ . Supposing $F_{1}$ is an effective forger, then there exists a powerful algorithm $F_{1}^{'}$ which can produce a pair of signed messages $(({ID}_{A}, h^{*}, C_{1}^{*}), ϕ^{*})$ and $(({ID}_{A}, h, C_{1}), ϕ)$ , where $h \neq h^{*}$ under the same commitment. $C$ interacts with $F_{1}$ ’and $F_{1}$ to solve the ECDL problem as follows:

Based on the forking lemma in [33], by executing $F_{1}$ ’, $C$ can derive two distinct equations from the signatures $(({ID}_{A}, m, h, U), ϕ)$ and $(({ID}_{A}, m, h^{*}, U^{*}), ϕ^{*})$ as: $\begin{array}{l} (1) & ϕ^{*} P = C_{1} + h^{*} (P_{A}^{*} + R_{A}^{*} + H_{1} ({ID}_{A}^{*}, R_{A}^{*}, P_{A}^{*}) P_{pup} \\ (2) & ϕ P = C_{1}^{*} + h^{*} (P_{A}^{*} + R_{A}^{*} + H_{1} ({ID}_{A}^{*}, R_{A}^{*}, P_{A}^{*}) P_{pub} \end{array}$

Subtracting equation (1) from equation (2), we obtain $\begin{array}{l} (3) & \frac{P (ϕ^{*} - ϕ)}{h^{*} - h} = (x_{a} + b) P \end{array}$ From equation (3), we get b as: $\begin{matrix} (4) & b = \frac{ϕ^{*} - ϕ}{h^{*} - h} \end{matrix}$

$C$ outputs solution to the ECDL problem as b.

6.2.4. Analysis

Here, we provide an analysis of the probability of this event happening.

$E_{1} : F_{1}$ does not select to be challenged on ${ID}_{ζ}$ .

$E_{2} : F_{1}$ issues queries on ${ID}_{ζ}$ for private key.

$E_{3} : F_{1}$ issues queries on ${ID}_{ζ}$ for public key substitution and partial private key.

$E_{4}$ : at unsigncryption query, $C$ aborts due to the rejection of a valid ciphertext during simulation.

Hence, it is evident that

Pr [\neg E_{1}] = 1 / q H_{1}

Pr [\neg E_{4}] = (1 - q_{u} (q H_{2} + q H_{3}) / 2^{π}

. Note

\neg E_{1}

implies

\neg E_{2}

and

\neg E_{3}

. Therefore, we have

\begin{array}{l} Pr [\neg E_{1} \land E_{4}] \\ ⩾ (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{u} (q H_{2} + q H_{3})}{2^{π}}) \\ Therefore, \\ Pr [C] = (\frac{ϵ}{q^{2} H_{1}}) (1 - \frac{q_{u} (q H_{2} + q H_{3})}{2^{π}}) \\ in time t^{'} ⩽ t + O (q_{p} k + q_{s} + q_{e} + q_{u} + q_{d}) . \end{array}

Lemma 4.
Assuming that there exist $F_{2}$ , a PPT adversary, which has the advantage of ϵ to win the EUF-CMA authenticity game at time t with $q_{pk}$ proxy key generation queries, $q_{s}$ signcryption queries, $q_{u}$ unsigncryption queries, $q_{e}$ re-encryption queries, $q_{d}$ decryption queries and $q H_{i}$ queries to oracle $H_{i}$ ( $1 ⩽ i ⩽ 4$ ), then there exist an algorithm $C$ which uses $F_{2}$ to solve the ECDL hard problem with the advantage of $\begin{array}{l} ϵ ecdl ⩾ (\frac{ϵ}{q H_{1}}) (1 - \frac{q_{u} (q H_{2} + q H_{3}}{(2^{π})}) \\ in time t^{'} ⩽ t + O (q_{p} k + q_{s} + q_{e} + q_{u} + q_{d}) . \end{array}$
Proof.
Suppose $C$ is authorized to access the ECDL oracle. We demonstrate how $C$ employs $F_{2}$ as a subroutine algorithm to solve the ECDL problem given the instance of $(P, ν P)$ . $C$ interacts with $F_{2}$ as follows: □

6.2.5. Attack

$F_{2}$ has the MSK, and it can produce the recipients’ partial private keys and private keys. $C$ outputs the $pp$ , $P_{ζ} = μ P, ν$ , $P_{pub} = ν P$ to $F_{2}$ . ν simulates the sender’s secret value. The challenged public key $P_{ζ}$ is produced from this secret value. This phase is identical to Lemma 2 except the $H_{3}$ and the public key query. Here, we provide how $H_{3}$ and the public key query are executed.

Public Key Queries: $F_{1}$ queries on ${ID}_{i}$ . In response, $C$ checks if $L_{5}$ contains $({ID}_{i}, d_{i}, P_{i}, R_{i}, x_{i})$ . If it is TRUE, $C$ submits ${PK}_{i} = (P_{i}, R_{i})$ to $F_{2}$ ; otherwise, $C$ performs the following:

If ${ID}_{i} = {ID}_{ζ}$ , $C$ selects random $x_{ζ}, r_{ζ} \in Z_{q}^{*}$ and outputs $P_{ζ} = (P, ν P)$ and $R_{ζ} = r_{ζ}$ . Here, $α_{ζ}$ is defined for the hash value $H_{1} ({ID}_{ζ}, R_{ζ}, P_{ζ}), d_{ζ} = r_{ζ} + α_{ζ} μ$ . $C$ inserts $({ID}_{ζ}, d_{ζ}, ⊥, R_{ζ}, α_{ζ})$ into $L_{1}$ . Note that $ν P$ is an instance of ECDL problem. $C$ sends $(R_{ζ}, P_{ζ})$ to $F_{2}$ .

If ${ID}_{i} \neq {ID}_{ζ}$ , $C$ selects random $x_{ζ}, r_{i} α_{ζ} \in Z_{q}^{*}$ and fixes $P_{i} = x_{i} P$ and $R_{i} = r_{i} P$ and $d_{i} = r_{i} + α_{i} μ$ . Here, $α_{i}$ is defined as the hash value $H_{1} ({ID}_{i}, R_{i}, P_{i})$ . $C$ inserts $({ID}_{i}, ⊥, P_{i}, R_{i}, α_{i})$ into $L_{1}$ . $C$ sends $(R_{ζ}, P_{ζ})$ to $F_{2}$ .

$H_{3}$ Queries: $F_{2}$ queries on $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A})$ . $C$ checks $L_{3}$ for $H_{3} (C_{1}, C_{2}, m, T, R_{A}, P_{A}, {ID}_{A}, h)$ and sends h to $F_{2}$ if it exists. Otherwise, $C$ randomly selects $h \in Z_{q}^{*}$ as a reply. $C$ inserts $H_{3} (C_{1, i}, C_{2, i}, m, T_{i}, R_{i}, P_{i}, {ID}_{i}, h)$ into $L_{3}$ .

6.2.6. Forgery

$F_{2}$ returns $({ID}_{A}^{*}, {ID}_{B}^{*}, δ_{AB})$ , where $δ_{AB}^{*} = (C_{1}^{*}, C_{2}^{*}, ϕ^{*})$ . $F_{2}$ did not perform queries on ${ID}_{A}^{*}$ for the senders private key. If ${ID}_{A}^{*} \neq {ID}_{ζ}$ , $C$ terminates; otherwise $C$ queries on $(C_{1}^{*}, C_{2}^{*}, m^{*}, T^{*}, R_{A}^{*}, P_{A}^{*}, {ID}_{A}^{*})$ to get h. $F_{2}$ fails if h and ϕ values are predefined. $F_{2}$ cannot determine that $δ_{AB}^{*}$ is not a valid ciphertext except it executes a query on $H_{3}$ for the hash values. $F_{2}$ can win the game if equation (1) returns true.

6.2.7. Analysis

Here, we analyze the probability of this event happening.

$E_{1} : F_{2}$ does not select to be challenged on ${ID}_{ζ}$ .

$E_{2} : F_{2}$ issues queries on ${ID}_{ζ}$ for private key.

$E_{3}$ : at unsigncryption query, $C$ aborts due to the rejection of a valid ciphertext during simulation.

Hence, it is evident that

Pr [\neg E_{1}] = 1 / q H_{1}

Pr [\neg E_{3}] = (1 - q_{u} (q H_{2} + q H_{3}) / 2^{π}

. Note

\neg E_{1}

implies

\neg E_{2}

and

\neg E_{2}

. Therefore, we have

6.3. System security analysis

This section analyzes the security requirements outlined in Section 4.1.

Confidentiality: An illegitimate user or attacker can decrypt the ciphertext only if it can solve the underlying mathematical hard problems: GDH and ECDL, or successfully execute unsigncryption algorithms without the knowledge of the actual private key. This Attack, however, is impossible for a polynomially bound adversary, according to the Theorem 1.

Integrity: Integrity is achieved if an authorized user can use the unsigncryption algorithm in the proposed model to verify the authenticity of the data m. Thusly, $m = USC δ_{AB} = (C_{1}, C_{2}, ϕ)$ . If the unsigncryption output is equal to ⊥, then the data is falsified; otherwise, the data is authentic.

Authentication: Authentication is ensured through the SC algorithm since it is computationally hard to forge a legitimate ciphertext $δ_{AB}$ without knowing the full private key. An adversary can forge $δ_{AB}$ only if s/he can solve the underlying ECDL problem of the CLS-PRE scheme. The validity of $δ_{AB}$ can be verified.

Non-repudiation: If the customer denies sending $δ_{AB}$ or $δ_{AE}$ any third party can perform the verification phase $ϕ P = C_{1} + h (P_{A} + R_{A} + m c H_{1} ({ID}_{A}, R_{A}, P_{A}) P_{pub}$ to determine the message’s originality.

Absence of Key Escrow: The generation of the user’s private and public keys is not left solely dependent on the KGC. The KGC instead produces partial private keys to enable users to derive their private keys. Hence, the developed algorithm alleviates escrow problems.

No ciphertext components in proxy re-encryption key: Our proposed scheme does not require ciphertext components to generate a proxy re-encryption key. Therefore, the number of proxy re-encryption keys developed in the scheme is linearly independent of the number of ciphertexts the delegatee can access.

7. Performance evaluation

The efficacy of the proposed CLS-PRE is demonstrated by utilizing performance benchmarks (criteria) in terms of scheme functionality, computational cost, and communication overhead.

7.1. Scheme functionality

The functionality requirements outlined in Table 2 pertain to the various security properties considered essential for a secure proxy re-encryption scheme. These properties include confidentiality, integrity, authentication, non-repudiation, key escrow-free, and the presence of ciphertext components in the computation of proxy re-encryption keys. From observation, it is evident that all the schemes meet the confidentiality requirement, which is a fundamental security property in any cryptographic scheme. All schemes meet the integrity requirement except for the method proposed in [1]. Furthermore, the scheme [1] lacks several other crucial security properties, such as authentication and non-repudiation. Additionally, it does include ciphertext components in the computation of the proxy re-encryption key, which is a significant drawback. In comparison, the scheme proposed in [3] has been improved to include all the security properties outlined in the table but still needs to include ciphertext components in the computation of proxy re-encryption keys. On the other hand, the schemes proposed in [22,37] satisfy all the security requirements outlined in the table but still suffer from the inherent effects of key escrow, which could compromise the system’s security. Lastly, the scheme proposed in [34] fulfills all the security requirements outlined in the table; however, it still needs to meet the non-repudiation requirement.

Table 2
Comparison of computational costs

Scheme Functionality Formal security

Confidentiality Integrity Authentication Non-repudiation Key escrow free No ciphertext components in re-encryption key IND-CCA2 EUF-CMA

IBW [37] ✓ ✓ ✓ ✓ ✗ ✓ ✗ ✓

IBS [22] ✓ ✓ ✓ ✓ ✗ ✓ ✓ ✗

SBT [34] ✓ ✓ ✓ ✗ ✓ ✓ ✓ ✓

AH [1] ✓ ✗ ✗ ✗ ✓ ✗ ✗ ✓

AH [3] ✓ ✓ ✓ ✓ ✓ ✓ ✗ ✓

CLS-PRE ✓ ✓ ✓ ✓ ✓ ✓ ✓ ✓

Scheme	Functionality	Formal security
IBW [37]	✓	✓	✓	✓	✗	✓	✗	✓
IBS [22]	✓	✓	✓	✓	✗	✓	✓	✗
SBT [34]	✓	✓	✓	✗	✓	✓	✓	✓
AH [1]	✓	✗	✗	✗	✓	✗	✗	✓
AH [3]	✓	✓	✓	✓	✓	✓	✗	✓
CLS-PRE	✓	✓	✓	✓	✓	✓	✓	✓

✓-scheme satisfies functionality; ✗-schemes lacks functionality

The proposed CLS-PRE scheme not only fulfills all the necessary functions listed in Table 2, but it also surpasses other schemes by not incorporating ciphertext components in the computation of the re-encryption keys. This allows for generating the re-encryption key before computing the ciphertext.

7.2. Computational cost

A simulation is conducted on a 16 GB RAM computer with a 2.9 GHz Intel Core i7 processor to achieve quantitative results for our analysis. The Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL) [26] was adopted for the simulation. In the pairing-based scheme, a bilinear pairing $\overline{e} : G_{1} \times G_{1} \to G_{T}$ is constructed, where $G_{1}$ denotes an additive group formed by a point $\overline{p}$ of order $\overline{q}$ on a super-singular elliptic curve. The curve is defined by $\overline{E} : y^{2} \equiv x^{2} + x mod \overline{p}$ , for which $\overline{p}$ is a 512-bit prime number and $\overline{q}$ is a 160-bit prime number. To achieve the same level of security for ECC-anchored schemes, an additive group G is produced by a point p with order q on a non-singular elliptic curve defined by $E : y^{2} \equiv x^{3} + a x + b mod p$ , for which p and q are 160-bit prime numbers and $a, b \in Z_{q}^{*}$ .

With the evaluation of the cryptographic schemes [1,3,22,34,37] and ours CLS-PRE, we take into account the computational cost of specific mathematical operations such as bilinear pairing $T_{P_{b}}$ , scalar multiplication related to Elliptic Curve Cryptography (ECC) $M_{ECC}$ , and scalar multiplication related to pairing $M_{p_{b}}$ . These operations are known to have a higher computational cost than others, such as XOR, hashing, and addition, which are omitted in this analysis as they are considered to have minimal impact on the overall computation cost. The cost of these operations are $T_{p_{b}} = 3.1504 ms$ , $M_{p_{b}} = 1.6513 ms$ , and $M_{ECC} = 0.4623 ms$ respectively, based on average results of 300 simulations.

Table 3
Analysis of computation and communication cost

Scheme Computation cost Communication overheard

SC PKGen Re-Enc USC Dec $δ_{AB}$ $δ_{AE}$

IBW [37] $2 T_{p_{b}} + 2 M_{p_{b}}$ $T_{p_{b}}$ $T_{p_{b}}$ $4 T_{p_{b}} + M_{p_{b}}$ $5 T_{p_{b}} + M_{p_{b}}$ $2 | G_{1} | + | G_{T} | + | m |$ $2 | G_{1} | + | G_{T} | + | m |$

AH [1] $4 M_{ECC}$ $6 M_{ECC}$ - $4 M_{ECC}$ $4 M_{ECC}$ $2 | G | + | Z_{q}^{} | + | m |$ $3 | G | + | Z_{q}^{} | + | m |$

AH [3] $5 M_{ECC}$ $4 M_{ECC}$ - $3 M_{ECC}$ $3 M_{ECC}$ $2 | G | + | Z_{q}^{} | + | m |$ $3 | G | + | Z_{q}^{} | + | m |$

IBS [22] $T_{p_{b}} + 4 M_{p_{b}}$ $T_{p_{b}}$ $3 T_{p_{b}}$ $5 T_{p_{b}} + M_{p_{b}}$ $4 T_{p_{b}} + M_{p_{b}}$ $3 | G_{1} | + | G_{T} |$ $2 | G_{1} | + | G_{T} |$

SBT [34] $3 M_{ECC}$ $M_{ECC}$ $5 M_{ECC}$ $4 M_{ECC}$ $M_{ECC}$ $3 | G |$ $3 | G |$

CLS-PRE $3.5 M_{ECC}$ $3.5 M_{ECC}$ $M_{ECC}$ $3 M_{ECC}$ $3 M_{ECC}$ $| G | + | Z_{q}^{} | + | m |$ $2 | G | + | Z_{q}^{} | + 2 | m |$

Scheme	Computation cost	Communication overheard
IBW [37]	$2 T_{p_{b}} + 2 M_{p_{b}}$	$T_{p_{b}}$	$T_{p_{b}}$	$4 T_{p_{b}} + M_{p_{b}}$	$5 T_{p_{b}} + M_{p_{b}}$	$2 \| G_{1} \| + \| G_{T} \| + \| m \|$	$2 \| G_{1} \| + \| G_{T} \| + \| m \|$
AH [1]	$4 M_{ECC}$	$6 M_{ECC}$	-	$4 M_{ECC}$	$4 M_{ECC}$	$2 \| G \| + \| Z_{q}^{*} \| + \| m \|$	$3 \| G \| + \| Z_{q}^{*} \| + \| m \|$
AH [3]	$5 M_{ECC}$	$4 M_{ECC}$	-	$3 M_{ECC}$	$3 M_{ECC}$	$2 \| G \| + \| Z_{q}^{*} \| + \| m \|$	$3 \| G \| + \| Z_{q}^{*} \| + \| m \|$
IBS [22]	$T_{p_{b}} + 4 M_{p_{b}}$	$T_{p_{b}}$	$3 T_{p_{b}}$	$5 T_{p_{b}} + M_{p_{b}}$	$4 T_{p_{b}} + M_{p_{b}}$	$3 \| G_{1} \| + \| G_{T} \|$	$2 \| G_{1} \| + \| G_{T} \|$
SBT [34]	$3 M_{ECC}$	$M_{ECC}$	$5 M_{ECC}$	$4 M_{ECC}$	$M_{ECC}$	$3 \| G \|$	$3 \| G \|$
CLS-PRE	$3.5 M_{ECC}$	$3.5 M_{ECC}$	$M_{ECC}$	$3 M_{ECC}$	$3 M_{ECC}$	$\| G \| + \| Z_{q}^{*} \| + \| m \|$	$2 \| G \| + \| Z_{q}^{*} \| + 2 \| m \|$

Fig. 5.

Computation time comparison.

The results from Table 3 and Fig. 5 show that our proposed ECC-based CLS-PRE scheme has the lowest computation cost of $3.5 M_{ECC} + 3.5 M_{ECC} + 3 M_{ECC} + 3 M_{ECC} = 6.4722 ms$ , making it a suitable option for practical implementation. The ECC-based SBT [34] scheme also has a similar computation cost of $3 M_{ECC} + M_{ECC} + 5 M_{ECC} + 4 M_{ECC} + M_{ECC} = 6.4722 ms$ . The next ECC-based schemes, AH [1] and AH [3], have computation costs of $4 M_{ECC} + 6 M_{ECC} + 4 M_{ECC} + 4 M_{ECC} = 8.321 ms$ and $5 M_{ECC} + 4 M_{ECC} + 3 M_{ECC} + 3 M_{ECC} = 6.934 ms$ , respectively. The pairing-based schemes, IBW [37] and IBS [22], have higher computation costs of $2 T_{p_{b}} + 2 M_{p_{b}} + T_{p_{b}} + T_{p_{b}} + 4 T_{p_{b}} + M_{p_{b}} + 5 T_{p_{b}} + M_{p_{b}} = 34.958 ms$ and $T_{p_{b}} + 4 M_{p_{b}} + T_{p_{b}} + 3 T_{p_{b}} + 5 T_{p_{b}} + M_{p_{b}} + 4 T_{p_{b}} + M_{p_{b}} = 54.013 ms$ , respectively.

The efficiency of the proposed CLS-PRE scheme compared to other schemes can be calculated using the standard equation: $\begin{matrix} (5) & efficiency = \frac{({Cost}_{S} - {Cost}_{C})}{{Cost}_{S}} * 100 \end{matrix}$ Where ${Cost}_{S}$ represents the computation cost of other cryptographic schemes and ${Cost}_{C}$ represents the computation cost of the proposed CLS-PRE scheme. Using equation (5), the efficiency of the CLS-PRE scheme compared to IBW [37] is $81.48 %$ , compared to AH [1] is $22.24 %$ , compared to AH [3] is $6.69 %$ , and compared to IBS [22] is $88.02 %$ . The SBT [34] scheme has a similar efficiency to the CLS-PRE scheme; however, it is IND-CCA2 insecure and subject to key certificate management overhead. Therefore, the CLS-PRE scheme is the most efficient and secure option among the schemes considered.

7.3. Communication overhead

The communication overhead of a scheme is the cost incurred when transmitting a message from a sender to a receiver. In our analysis, we assume that the message length, denoted by $| m |$ , is equal to $| Z_{q}^{*} | = 160$ bits, where $q = 512$ bits. The length of $| G_{1} = G_{T} |$ is 1024 bits, and the size of $| G |$ is 320 bits, where $q = 160$ bits. Both pairing-based and ECC-based schemes attain an equivalent of 80-bit security level as per [30]. Table 3 illustrates the total communication overhead of various schemes. The scheme CLS-PRE has a total communication overhead of $3 | G | + 2 | Z_{q}^{*} | + 2 | m | = 1600$ bits. In comparison, the scheme AH [1] has $5 | G | + 2 | Z_{q}^{*} | + | 2 | m | = 2240$ bits, SBT [34] has $6 | G | = 1920$ bits, IBS [22] has $5 | G_{1} | + 2 | G_{T} | = 7175$ bits, and IBW [37] has $4 | G_{1} | + 2 | G_{T} | + 2 | m | = 6464$ bits.

The efficiency of our CLS-PRE scheme can be calculated using the following equation: $\begin{matrix} (6) & Efficiency = \frac{{Com}_{S} - {Com}_{C}}{{Com}_{S}} \times 100 % \end{matrix}$ where ${Com}_{S}$ represents the communication overhead of other schemes and ${Com}_{C}$ denotes the communication overhead of CLS-PRE. Using equation (6), we can see that our CLS-PRE scheme has:

$((2240 - 1600) / 2240) * 100 = 78.6 %$ lower communication overhead than AH [1] and AH [3]

$((1920 - 1600) / 1920) * 100 = 16.7 %$ lower communication overhead than SBT [34]

$((7175 - 1600) / 7175) * 100 = 77.8 %$ lower communication overhead than IBS [22]

$((6464 - 1600) / 6464) * 100 = 75 %$ lower communication overhead than IBW [37]

This means that our CLS-PRE scheme has the smallest communication overhead among all the schemes, thus reducing the communication cost when ciphertext is outsourced to a cloud server. The benchmark of the results is shown in Fig. 6.

Fig. 6.

The signcryption and unsigncryption cost.

Fig. 7.

Example of data partition tree.

7.4. Application scenario

Our CLS-PRE scheme offers a cost-effective advantage for secure data distribution in a cloud-based PA system. Inferring from Fig. 7, the data owner (DO) partitions their data according to the sensitivity level and user roles. The agricultural data is divided into four categories: crop yield, weather data, soil data, and satellite imagery. Each type of data has a specific use case and is considered sensitive. For example, crop yield data includes information on crop types, field locations, and yields per hectare which is used to predict crop yields and make decisions about planting and harvesting. Weather data includes information on temperature, precipitation, and wind speed and is used to predict weather conditions and make decisions about planting and harvesting. Similarly, soil data provides information on pH levels, nutrient levels, and soil types which is also used to predict soil conditions and make decisions about planting and harvesting. Satellite imagery contains images of the earth’s surface taken by satellites and is used to monitor crop growth, predict crop yields, and identify suitable areas for farming.

The DO then creates a hierarchical access tree for the partitioned data, as shown in Fig. 8, by generating identities and public and private key pairs for each data point at the leaf nodes. The DO aggregates the information in each leaf-node pair to the immediate non-leaf node until it reaches the root node. The primary purpose of the hierarchical access tree is to assign a different access level to users based on their role and the sensitivity level of the datasets.

The DO further derives a ciphertext for each data point in the chosen tree by using a secure method called MAC (Message Authentication Code), denoted as ${MAC}_{(\cdot)} (\cdot)$ , symmetric encryption algorithm $E_{(\cdot)} (\cdot)$ [15], and signcryption (SC) algorithm.

The MAC value protects both the integrity and authenticity of a message generated by the symmetric encryption scheme. Also, the symmetric encryption scheme encrypts the actual data whiles the SC algorithm is used to signcrypt the session key and MAC value due to the efficiency of the symmetric encryption over the Public key encryption schemes. With the following inputs: DO’s identity, public and secret keys (i.e., ${ID}_{DO}$ , ${PK}_{DO}$ , $S_{DO}$ ), and the identity and public key of the dataset (i.e., ${ID}_{Di}, {PK}_{Di} \forall i = {1, 2, 3, 4}$ ), the DO performs the following operations:

Select a session key $K_{i}$ on input $1^{n}$ , where n is the security parameter and compute $ζ_{i} = E_{K_{i}} ({Data}_{i})$ .

Compute ${MAC}_{i} = {MAC}_{K_{i}} (ζ_{i})$ and let $m_{i} = (K_{i} | {MAC}_{i})$ .

Compute $SC (m_{i}, s_{DO}, {ID}_{DO}, {PK}_{DO}, {PK}_{Di}, {ID}_{Di}) = δ_{DO D_{i}}$

where

i = (1, 2, 3, 4)

and “|” is the concatenation operator. The DO outsources the resultant ciphertexts to the cloud server.

Fig. 8.

Example of hierarchical access tree.

Fig. 9.

Data sharing in cloud-based precision agriculture.

Fig. 10.

The communication in cloud-based precision agriculture data sharing.

Assuming a user requests access to agricultural data, the DO must determine the level of the hierarchical access tree at which the user will be given the appropriate access privileges. The DO generates one or more proxy re-encryption keys based on the matching level of permissions in the access tree with the user’s public key. These re-encryption keys are then disseminated to the cloud server, where the data users can authorize the server to perform re-encryption on their behalf, enabling them to access the ciphertext utilizing their private key. Figure 9 and Fig. 10 describe the process in which the ciphertext and proxy re-encryption keys are stored on the cloud server to authorize data access for system users. For instance, when a user named Alice requests permission to access $D_{1}$ data, the DO employs the PKGen algorithm to generate a proxy re-encryption key using the $D_{1}$ private key, system parameters, and Alice’s identity, resulting in $K_{D_{1} A} = PKGen (s_{D_{1}}, {PK}_{A}, {ID}_{A})$ . Subsequently, the proxy re-encryption key is transmitted to the cloud server (CS). Alice can then issue a re-encryption command to obtain $δ_{D_{1} A}$ , which the CS uses the Re-Enc algorithm, i.e., $δ_{D_{1} A} = Re - Enc (δ_{{DOD}_{1}}, K_{D_{1} A})$ , to produce the transformed ciphertext. It is worth noting that $δ_{D_{1} A}$ belongs to Alice, who can decrypt it using her private key. Alice then performs the following operations:

Compute $Dec (δ_{D_{1} A}, {ID}_{DO}, {ID}_{D_{1}}, s_{A}) = (K_{1} | {MAC}_{1}) = m_{1}$ . If the decryption algorithm Dec returns $m_{1}$ rather than the error symbol ⊥, it implies that the ciphertext $δ_{D_{1} A}$ is valid.

Verify if ${MAC}_{K_{1}} (ζ_{1}) = = {MAC}_{1}$ , if true, it indicates that the ciphertext $ζ_{1}$ has not been altered.

Compute the symmetric decryption algorithm $D_{(\cdot)} (\cdot)$ using the session key $K_{1}$ as ${Data}_{1} = D_{K_{1}} (ζ_{1})$ .

Notably, the CS does not know

{Data}_{1}

at any point during the process.

7.5. Application-level benchmark

We utilized the 128-bit AES-CBC method for symmetric encryption in MIRACL [26] in addition to the elliptic curve E and the associated values of p and q as specified in the communication Section 10 to evaluate the performance of our proposed CLS-PRE scheme.

To provide clarity, we have divided the process into three distinct steps. The first step, data creation, is handled by the data owner and involves data encryption. The second step, delegation, consists of the first-level ciphertext re-encryption. The final step, data opening, involves the decryption of the provided ciphertexts. The overall process is depicted in Fig. 11 for ease of understanding.

Fig. 11.

Steps in sharing data with CLS-PRE scheme.

Fig. 12.

Data owner computation time.

Fig. 13.

Data user computation time.

The benchmark results from the CLS-PRE scheme operations are presented in Fig. 12 and Fig. 13. From the results, we conclude that the CLS-PRE operations are suitable for use in an access control solution for cloud-based collaborative data sharing. For example, the data owner operations of data creation (AES encryption, MAC, and signcryption) for 200 megabytes (MB) of data have a computational cost of 0.06487 ms. On the client side, the data opening (AES decryption, MAC, and unsigncryption) for 200 megabytes (MB) of data has a computational cost of 0.064451 ms. The costs are minimal, making the proposed approach viable for real-world implementation.

We also observe that the time cost for signcryption is constant regardless of the increase in data size. This is because the CLS-PRE scheme encrypts only the symmetric key (data key), which is the same size for each item, not the original data. However, the AES encryption/decryption and MAC operations increase concerning the file size. For larger file sizes, performing symmetric (AES) encryption and decryption requires an extended computational period.

7.6. Scalability

We evaluated the performance of our access control server when faced with heavy workloads. As shown in Fig. 14, our proxy re-encryption server can handle up to 2457600 pending requests without showing any signs of strain. To simulate this, we replayed a trace of proxy re-encryption Remote Procedure Calls (RPCs) on the server. This process required no computation on the part of the data user and caused the server to perform proxy re-encryption. We made one request at a time, waiting for the response before sending another. To simulate multiple clients, we gradually increased the number of outstanding RPCs. Our server could sustain 200 re-encryptions per 0.03 seconds until reaching 2457600 outstanding requests. These results show that the server can handle a large number of requests in a short period and has good scalability under heavy loads.

Fig. 14.

Aggregate access control server throughput.

7.7. Advantages of the proposed CLS-PRE scheme in the application scenario

The application instance of the CLS-PRE scheme has several advantages over existing methods. It allows the DO to change and define the granular level of data access based on the dataset’s public information rather than the users. It also makes it easy for the DO to quickly revoke access rights by removing the proxy re-encryption keys associated with a user or dataset. Furthermore, the scheme allows the DO to add new data to the system quickly and securely, as the new data can be partitioned based on the existing partition tree and signcrypted based on the hierarchical access tree. The cloud server can re-encrypt the ciphertext using the existing proxy re-encryption keys so that the authorized user can use their secret key to access the data. Note that this functionality is not present in existing CLS-PRE schemes, as the proxy re-encryption key is typically bound to a particular ciphertext, as the component of the ciphertext is used in the proxy re-encryption key generation.

7.8. Cloud-enabled user revocation

Attribute-based encryption (ABE) is a promising solution for fine-grained encryption of cloud data. However, one major challenge with ABE is revoking access for individual users. Traditional ABE schemes, such as those in [9,29,39], use an “expiry time” attribute in the attribute set, but this method does not allow for immediate revocation of access. Other variants of ABE, such as predicate encryption and functional encryption, are also limited in their revocation capabilities. In a situation where a single user in ABE is identified as malicious, ABE does not provide any alternative to remove such a user. Revoking the attribute related to the malicious user automatically removes other legitimate users who shared the same or some attributes with the malicious user, which is not a desirable outcome. Stateful user revocation mechanisms such as [6,38,44] have limitations as they require regenerating cloud data and redistributing new keys, which puts a significant burden on the cloud and are not an ideal solution for data users. General, user revocation remains a considerable challenge that needs to be addressed for ABE to be an effective solution for fine-grained encryption of cloud data.

Remarks 5.
The proposed cloud-enabled user revocation approach, based on the CLS-PRE scheme, addresses the challenges associated with traditional ABE schemes and other variants by allowing the cloud to hold the re-encryption keys of all authorized users. This allows the cloud to transform encrypted data records into ciphertexts under a user’s public key if the user is authorized and has a re-encryption key held by the cloud. To revoke a user, the cloud erases the user’s re-encryption key, preventing the cloud from transforming encrypted data for that user. However, there are a few essential points to note regarding this approach.
The cloud is assumed to be semi-trusted, meaning that it is considered an adversary mainly to the secrecy of cloud data but honest in managing cloud data, processing user access requests, and other administrative activities.

When a user requests data from the cloud, he needs to include his identity with the request, facilitating the cloud’s determination of the corresponding re-encryption key to use from the Re-encryption Key database. However, the cloud is not required to check the authenticity of the request, meaning the cloud does not concern itself with one user impersonating another. This is because each user’s unique re-encryption key only pairs up with his private key.

The novelty of our proposal is that it utilizes CLS-PRE for user revocation, and the CLS-PRE scheme proposed attains “fine-grainedness” comparable to ABE. However, it should be noted that a user who has successfully obtained ω from the decrypt algorithm can authorize another user to decrypt the data with the assistance of ω. The scheme only requires that a user i without a valid secret key $S_{i}$ cannot authorize another user, say j, to decrypt the ciphertext by generating a proxy re-encryption key ${RK}_{i \to j}$ . This property is achieved by our scheme, as demonstrated by the security proof in Section 6.

7.9. Limitation

The application of CLS-PRE for implementing cloud-enabled user revocation has challenges. It requires the cloud to perform a Re-Enc operation upon every data access request, which is expensive. However, the actual deployment of the CLS-PRE scheme can amortize this overhead by encrypting the payload data with a random key under symmetric encryption and encapsulating the encryption key with the CLS-PRE scheme. This allows for a Re-Enc operation by the cloud to allow a user to access many data records rather than one per request. The proposed approach also provides for user revocation by using a new key for a specific level of the hierarchical access tree when encrypting new data records. However, the online computation required by this approach is a tradeoff for the unique feature of user-side efficiency and the non-requirement of pairing support on the user side.

8. Conclusion

Precision agriculture is a field that has received minimal attention from cryptographic researchers. In this era of outsourced cloud data sharing, farmers can make use of cloud computing and storage for collaborative data sharing to improve farming methodology and practices. However, cyber threats affect data stored in cloud servers. The authors propose an efficient access control scheme for precision agriculture that utilizes a novel CLS-PRE method to mitigate these threats. The cloud server acts as a proxy, performing re-encryption of ciphertext for third-party data consumers. The proposed CLS-PRE scheme is IND-CCA2, and EUF-CMA secures in the Random Oracle Model under the assumptions of GDH and ECDL. The proposed scheme also outperforms comparative schemes while achieving authentication, confidentiality, non-repudiation, and integrity, resolving the key escrow problem.

Footnotes

Acknowledgments

This work was partially supported by Sichuan Science and Technology Program (2018HH0102, 2019YFH0014, 2020YFH0030, 2020YFSY0061).

References

Ahene,

Dai,

Feng and

Li, A certificateless signcryption with proxy re-encryption for practical access control in cloud-based reliable smart grid, Telecommunication Systems 70(4) (2019), 491–510. doi:10.1007/s11235-018-0530-5.

Ahene,

Qin,

A.K.

Adusei and

Li, Efficient signcryption with proxy re-encryption and its application in smart grid, IEEE Internet of Things Journal 6(6) (2019), 9722–9737. doi:10.1109/JIOT.2019.2930742.

Ahene,

Walker,

R.-m.O.M.

Gyening,

Abdul-Salaam and

J.B.

Hayfron-Acquah, Heterogeneous signcryption with proxy re-encryption and its application in EHR systems, Telecommunication Systems 80(1) (2022), 59–75. doi:10.1007/s11235-022-00886-2.

S.S.

Al-Riyami and

K.G.

Paterson, Certificateless public key cryptography, in: International Conference on the Theory and Application of Cryptology and Information Security, Springer, 2003, pp. 452–473.

A.F.-X.

Ametepe,

S.A.R.

Ahouandjinou and

E.C.

Ezin, Secure encryption by combining asymmetric and symmetric cryptographic method for data collection WSN in smart agriculture, in: 2019 IEEE International Smart Cities Conference (ISC2), IEEE, 2019, pp. 93–99. doi:10.1109/ISC246665.2019.9071658.

Attrapadung and

Imai, Attribute-based encryption supporting direct/indirect revocation modes, in: IMA International Conference on Cryptography and Coding, Springer, 2009, pp. 278–300. doi:10.1007/978-3-642-10868-6_17.

Barbosa and

Farshim, Certificateless signcryption, in: Proceedings of the 2008 ACM Symposium on Information, Computer and Communications Security, 2008, pp. 369–372. doi:10.1145/1368310.1368364.

Barreto and

Amaral, Smart farming: Cyber security challenges, in: 2018 International Conference on Intelligent Systems (IS), IEEE, 2018, pp. 870–876. doi:10.1109/IS.2018.8710531.

Bethencourt,

Sahai and

Waters, Ciphertext-policy attribute-based encryption, in: 2007 IEEE Symposium on Security and Privacy (SP’07), IEEE, 2007, pp. 321–334. doi:10.1109/SP.2007.11.

10.

Blaze,

Bleumer and

Strauss, Divertible protocols and atomic proxy cryptography, in: International Conference on the Theory and Applications of Cryptographic Techniques, Springer, 1998, pp. 127–144.

11.

Boyen, Multipurpose identity-based signcryption, in: Annual International Cryptology Conference, Springer, 2003, pp. 383–399.

12.

C.-J.

Chae and

H.-J.

Cho, Enhanced secure device authentication algorithm in P2P-based smart farm system, Peer-to-peer networking and applications 11(6) (2018), 1230–1239. doi:10.1007/s12083-018-0635-3.

13.

Chandrasekar,

Ambika et al., Signcryption with proxy re-encryption, Cryptology ePrint Archive (2008).

14.

Chen and

Malone-Lee, Improved identity-based signcryption, in: International Workshop on Public Key Cryptography, Springer, 2005, pp. 362–379.

15.

M.J.

Dworkin,

E.B.

Barker,

J.R.

Nechvatal,

Foti,

L.E.

Bassham,

Roback,

J.F.

DrayJr. et al., 2001, Advanced encryption standard (AES).

16.

Guan,

Li,

Zhu,

Zhang,

Du and

Guizani, Toward delay-tolerant flexible data access control for smart grid with renewable energy resources, IEEE Transactions on Industrial Informatics 13(6) (2017), 3216–3225. doi:10.1109/TII.2017.2706760.

17.

Gupta,

Abdelsalam,

Khorsandroo and

Mittal, Security and privacy in smart farming: Challenges and opportunities, IEEE Access 8 (2020), 34564–34584. doi:10.1109/ACCESS.2020.2975142.

18.

Huige,

Caifen and

Hao, ID-based proxy re-signcryption scheme, in: 2011 IEEE International Conference on Computer Science and Automation Engineering, Vol. 2, IEEE, 2011, pp. 317–321. doi:10.1109/CSAE.2011.5952478.

19.

Hur, Improving security and efficiency in attribute-based data sharing, IEEE transactions on knowledge and data engineering 25(10) (2011), 2271–2282. doi:10.1109/TKDE.2011.78.

20.

A.N.

Khan,

Kiah,

S.A.

Madani,

Ali,

Shamshirband et al., Incremental proxy re-encryption scheme for mobile cloud computing environment, The Journal of Supercomputing 68(2) (2014), 624–651. doi:10.1007/s11227-013-1055-z.

21.

Kirtane and

C.P.

Rangan, RSA-TBOS signcryption with proxy re-encryption, in: Proceedings of the 8th ACM Workshop on Digital Rights Management, 2008, pp. 59–66. doi:10.1145/1456520.1456531.

22.

Li,

Liu and

Hong, An efficient signcryption for data access control in cloud computing, Computing 99(5) (2017), 465–479. doi:10.1007/s00607-017-0548-7.

23.

Li,

Huang,

Li,

Chen and

Xiang, Securely outsourcing attribute-based encryption with checkability, IEEE Transactions on Parallel and Distributed Systems 25(8) (2013), 2201–2210. doi:10.1109/TPDS.2013.271.

24.

Liu,

C.C.

Tan,

Wu and

Wang, Reliable re-encryption in unreliable clouds, in: 2011 IEEE Global Telecommunications Conference-GLOBECOM 2011, IEEE, 2011, pp. 1–5.

25.

Malone-Lee, Identity-based signcryption, Cryptology ePrint Archive (2002).

26.

MIRACL Core Cryptographic Library, https://github.com/miracl/core.

27.

Nabeel,

Shang and

Bertino, Privacy preserving policy-based content sharing in public clouds, IEEE Transactions on Knowledge and Data Engineering 25(11) (2012), 2602–2614. doi:10.1109/TKDE.2012.180.

28.

I.A.

Obiri,

Xia,

Affum,

Abla and

Gao, Personal health records sharing scheme based on attribute based signcryption with data integrity verifiable, Journal of Computer Security 30(2) (2022), 291–324.

29.

I.A.

Obiri,

Xia,

K.O.-B.

Obour Agyekum,

K.O.

Asamoah,

E.B.

Sifah,

Zhang and

Gao, A Fully Secure KP-ABE Scheme on Prime-Order Bilinear Groups Through Selective Techniques, Security and Communication Networks 2020, 2020.

30.

S.O.

Ogundoyin and

I.A.

Kamil, Secure and privacy-preserving D2D communication in fog computing services, Computer Networks 210 (2022), 108942. doi:10.1016/j.comnet.2022.108942.

31.

A.A.

Omala,

Robert and

Li, A provably-secure transmission scheme for wireless body area networks, Journal of medical systems 40(11) (2016), 1–14. doi:10.1007/s10916-016-0615-1.

32.

V.Y.

Pillitteri,

T.L.

Brewer et al., Guidelines for smart grid cybersecurity, NIST Interagency/Internal Report (NISTIR) (2014).

33.

Pointcheval and

Stern, Security arguments for digital signatures and blind signatures, Journal of cryptology 13(3) (2000), 361–396. doi:10.1007/s001450010003.

34.

Shabisha,

Braeken,

Touhafi and

Steenhaut, Elliptic curve Qu–Vanstone based signcryption schemes with proxy re-encryption for secure cloud data storage, in: International Conference of Cloud Computing Technologies and Applications, Springer, 2017, pp. 1–18.

35.

Sontowski,

Gupta,

S.S.L.

Chukkapalli,

Abdelsalam,

Mittal,

Joshi and

Sandhu, Cyber attacks on smart farming infrastructure, in: 2020 IEEE 6th International Conference on Collaboration and Internet Computing (CIC), IEEE, 2020, pp. 135–143. doi:10.1109/CIC50333.2020.00025.

36.

Tian,

Wang and

Zhou, DSP RE-Encryption: A flexible mechanism for access control enforcement management in DaaS, in: 2009 IEEE International Conference on Cloud Computing, IEEE, 2009, pp. 25–32. doi:10.1109/CLOUD.2009.65.

37.

Wang and

Cao, An improved signcryption with proxy re-encryption and its application, in: 2011 Seventh International Conference on Computational Intelligence and Security, IEEE, 2011, pp. 886–890. doi:10.1109/CIS.2011.200.

38.

Wang,

Liu and

Wu, Hierarchical attribute-based encryption for fine-grained access control in cloud storage services, in: Proceedings of the 17th ACM Conference on Computer and Communications Security, 2010, pp. 735–737. doi:10.1145/1866307.1866414.

39.

Waters, Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization, in: International Workshop on Public Key Cryptography, Springer, 2011, pp. 53–70.

40.

West, A prediction model framework for cyber-attacks to precision agriculture technologies, Journal of Agricultural & Food Information 19(4) (2018), 307–330. doi:10.1080/10496505.2017.1417859.

41.

Wu and

Chen, A new efficient certificateless signcryption scheme, in: 2008 International Symposium on Information Science and Engineering, Vol. 1, IEEE, 2008, pp. 661–664.

42.

Xie and

Zhang, Efficient and provably secure certificateless signcryption from bilinear maps, in: 2010 IEEE International Conference on Wireless Communications, Networking and Information Security, IEEE, 2010, pp. 558–562. doi:10.1109/WCINS.2010.5541841.

43.

Yazdinejad,

Zolfaghari,

Azmoodeh,

Dehghantanha,

Karimipour,

Fraser,

A.G.

Green,

Russell and

Duncan, A review on security of smart farming and precision agriculture: Security aspects, attacks, threats and countermeasures, Applied Sciences 11(16) (2021), 7518. doi:10.3390/app11167518.

44.

Yu,

Wang,

Ren and

Lou, Achieving secure, scalable, and fine-grained data access control in cloud computing, in: 2010 Proceedings IEEE INFOCOM, IEEE, 2010, pp. 1–9.

45.

Zheng,

Zhou,

Ye and

Li, A cloud data deduplication scheme based on certificateless proxy re-encryption, Journal of Systems Architecture 102 (2020), 101666. doi:10.1016/j.sysarc.2019.101666.

A certificateless signcryption with proxy-encryption for securing agricultural data in the cloud

Abstract

Keywords

1. Introduction

2. Related works

2.1. Data access control schemes

1 CCA2 (Adaptive Chosen Ciphertext Attack) is the strongest security definition for cryptographic schemes that allows the adversary to adaptively query a decryption oracle with ciphertexts of their choice.

3. Preliminaries

3.1. Security assumptions

3.3. Security notion

3.4. Confidentiality model

3.4.1. Setup

3.4.2. Phase 1

3.4.3. Challenge

3.4.4. Phase 2

3.4.5. Guess

3.4.6. Setup

3.4.7. Phase 1

3.4.8. Challenge

3.4.9. Phase 2

3.4.10. Guess

Definition 1. The CLS-PRE scheme is IND-CCA2 secure if there are no polynomially bounded adversaries A 1 and A 2 who can respectively win Game 1 and Game 2 with non-negligible advantage. 3.5. Unforgeability model

3.5.1. Setup

3.5.2. Attack

3.5.3. Forgery

3.5.4. Setup

3.5.5. Attack

3.5.6. Forgery

Definition 2. The CLS-PRE scheme is assumed to be EUF-CMA secure if there is no probabilistic polynomial time (PPT) adversaries F 1 and F 2 who can win Game 3 and Game 4 respectively with non-negligible advantage ϵ. 4. System overview

5. Our proposed scheme

5.1. Construction

5.1.1. Setup

5.1.2. SVS

5.1.3. PPKE

5.1.4. PKG

5.1.5. PKS

5.1.6. SC

5.1.7. PKGen

5.1.8. Re-Enc

5.1.9. USC

5.1.10. Dec

5.2. Correctness for signature verification

6. Security analysis

6.1. Confidentiality

6.1.2. Phase 1

6.1.3. Unsigncryption queries

6.1.4. Decryption queries

6.1.5. Challenge

6.1.6. Phase 2

6.1.7. Guess

6.1.9. Phase 1

6.1.10. Unsigncryption queries

6.1.11. Decryption queries

6.1.12. Challenge

6.1.13. Phase 2

6.1.14. Guess

6.2. Authenticity

6.2.2. Attack

6.2.3. Forgery

6.2.4. Analysis

6.2.6. Forgery

6.2.7. Analysis

6.3. System security analysis

7. Performance evaluation

7.1. Scheme functionality

7.8. Cloud-enabled user revocation

8. Conclusion

Footnotes

Acknowledgments

References

¹
CCA2 (Adaptive Chosen Ciphertext Attack) is the strongest security definition for cryptographic schemes that allows the adversary to adaptively query a decryption oracle with ciphertexts of their choice.

Definition 1.
The CLS-PRE scheme is IND-CCA2 secure if there are no polynomially bounded adversaries $A_{1}$ and $A_{2}$ who can respectively win Game 1 and Game 2 with non-negligible advantage.

3.5. Unforgeability model

Definition 2.
The CLS-PRE scheme is assumed to be EUF-CMA secure if there is no probabilistic polynomial time (PPT) adversaries $F_{1}$ and $F_{2}$ who can win Game 3 and Game 4 respectively with non-negligible advantage ϵ.

4. System overview