A Secure Multimedia Data Sharing Scheme for Wireless Network

A large number of wireless devices like WiFi cameras and 4G robots have been deployed in the rapidly growing wireless network such as the Internet of Things. All of these devices (sensors) are collecting and analyzing multimedia data all the time while they are actively working, and it is also required to share data among the sensors. Typically, the wireless data is transmitted through the network gateway or the cloud platforms. In such a wireless environment, if there is no appropriate protection of the data, potential data leakage is easy to cause. In reality, the owner of the sensor might only want to share the multimedia data stored in the sensor with a trusted third party (e.g., a family member or a coworker) through an internet gateway or the cloud platform. Ideally, the gateway or the cloud platform in the wireless network should transform one user's encrypted data (wireless multimedia data) directly into another ciphertext under a set of new users (e.g., a trusted third party) without accessing the user's plaintext data. In this work, a new security notion called fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is presented to address the concern. In an FC-PBRE scheme, the proxy (the gateway or cloud server) uses a broadcast re-encryption key to re-encrypt the encrypted wireless multimedia data, which can be decrypted by a set of delegatees if and only if the broadcast key's conditional set W is close to the conditional set W′ of the ciphertext. With the FC-PBRE scheme, the wireless multimedia data is not disclosed and cannot be learnt by the proxy (the gateway or cloud server). In this paper, we first present the definition of security against chosen-ciphertext attacks for FC-PBRE. Second, we propose an efficient fuzzy-conditional proxy broadcast re-encryption scheme. Third, we prove that our FC-PBRE scheme is CCA-secure in the random oracle model based on the Decisional nBDHE assumption.


Introduction
Generally, a user (who can be an attacker) has access to the data stored in the wireless devices via (1) a direct connection with the devices, (2) the gateway of the network, and (3) a cloud platform. Because many wireless devices need to localize the configuration before they start working, they usually have a backend configuration interface (e.g., WEB, PC) open. Moreover, the devices sometimes go offline even when they are actively working. As a result, the attacker can simply hack the login system of the configuration interface and obtain the multimedia data. In this case, even though the device and the cloud have been authenticated and encrypted (e.g., using SSL), the attack cannot be prevented. So, ensuring that the multimedia data is stored and shared securely has become extremely important [1][2][3][4][5][6][7][8]. To share the data partially, it would be good if all the multimedia data were encrypted via the data owner's public key. For example, the device owner can grant the maintenance engineer permission to the wireless camera configuration data, but the maintenance engineer is not allowed to access the video data. Obviously, such a scheme cannot allow sharing the private key directly with the maintenance engineer, because sharing the private key means exposing the data to the engineer.
One approach to ensure data confidentiality in the wireless network is that user data can be encrypted before it is uploaded to the server. Encryption technology is an effective way to protect user data; however, it does have some drawbacks. For example, when a cloud user Alice shares her data with another user Bob, her encrypted data cannot be treated like plaintext, and the cloud server cannot simply pass it on as if it were the shared user's ciphertext, because other users (including Bob) cannot decrypt the received data. Of course, one easy way for Alice to fix this issue is to download her own encrypted data that is saved in the cloud, then decrypt it and upload the decrypted data to the cloud again, and finally send it to Bob, with whom Alice wants to share the data. However, using this method, the user's data will be obtained by the untrusted third-party cloud, which cannot guarantee the data confidentiality. Therefore, in the cloud storage environment, a security mechanism is needed to allow the cloud server to transform the encrypted data of users directly into another shared user's encrypted data without accessing the user's plaintext data.
Since the data security problem of users in the nontrusted third-party cloud server is increasingly prominent and traditional encryption technology has been unable to meet these application needs, the cloud server really should be able to convert a user's ciphertext to a second user's ciphertext without decryption being involved. There has been quite a lot of research in this area to address this concern. For example, proxy re-encryption [9] can directly transfer encrypted data of a user Alice, stored in a nontrusted third-party cloud under the authorization of Alice, into user Bob's ciphertext, so as to achieve data sharing between Alice and Bob. Because of this feature, proxy re-encryption has been applied in IoT, cloud computing, email forwarding systems [9], and distributed file systems [10]. In proxy re-encryption, the third party can convert all of Alice's ciphertexts into Bob's ciphertexts, but in many applications, Alice hopes that the third party can only transform ciphertexts satisfying some specific conditions instead of all ciphertexts. For example, the owners of wireless devices might only want to share part of the encrypted multimedia data instead of sharing all the data with a group of other users. To achieve that goal, conditional proxy re-encryption was proposed to provide such a mechanism that allows Alice to freely determine which encrypted data needs to be shared with Bob [11]. The third party in the conditional proxy re-encryption scheme has the ability to convert a ciphertext only if it meets certain specific conditions.
For applications like group photo sharing, however, a conditional proxy re-encryption scheme becomes a problem if one person's multimedia needs to be shared with a group of users via a cloud platform. For example, in a scenario of a picture's owner (Alice) who wishes to share the encrypted photo data with the family members, the cloud cannot directly forward the owner Alice's encrypted camera data to a group of family members, since only Alice has the private key to decrypt after forwarding. Although conditional proxy re-encryption can convert Alice's ciphertext into a different ciphertext, only one person can decrypt that ciphertext, not a group of people. Thus it cannot be adapted to the situation of group data sharing. Recently, conditional proxy broadcast re-encryption (C-PBRE) was presented [12] to resolve the issue. In a C-PBRE scheme, a user's ciphertext can be transformed to another ciphertext for a group of users by a third-party proxy. Moreover, the third-party proxy can only convert ciphertexts with specific conditions.
Although C-PBRE has addressed some concerns, there is still a flaw, which is that the C-PBRE scheme cannot support fuzzy condition matching. Here, we give an example of an online medical service system to show the importance of fuzzy condition matching and of fuzzy-conditional proxy broadcast re-encryption (FC-PBRE). Usually a multimedia electronic medical record is a system that tracks the electronic medical records of the patients. It integrates image, video, audio, and text, and everything can be stored in the cloud at the same time. Doing so enables the medical staff to look up all medical records related to the patient, such as an MRI or X-ray image, from a PC or a smartphone. In order to protect patient privacy in multimedia electronic medical records, we need to encrypt and protect the relevant data. But how to implement the sharing of multimedia electronic medical records after encryption is a difficult problem, and FC-PBRE comes to solve this problem. More specifically, in an online medical system, patients are more likely to look for a doctor who meets the following requirements for the treatment of a cold. We can simply denote the requirements as follows: R1 = ("Cold" ∧ "fever" ∧ "runny nose" ∧ "sore throat"). With R1 a patient can encrypt her health record before she uploads it to the medical system. However, the medical system cannot directly access the disease record in this case, because it does not necessarily have a matching secret key under R1. What the system can do is re-encrypt the ciphertext so that other doctors may be able to see the case as long as these doctors meet at least a threshold number ( ≤ |R1|) of the conditions of R1. By adopting FC-PBRE, a doctor sets up a different access policy R2 and sends a re-encryption key for R1 to the proxy. When a doctor is away, the proxy can re-encrypt the ciphertext if and only if |R1 ∩ R2| ≥ the threshold. However, in many situations Alice may want to cooperate with a set of colleagues satisfying R2 in a consultation on the patient's condition. In traditional FC-PRE, if Alice wants to consult with several colleagues, the proxy needs to perform one re-encryption operation per colleague. The problem, though, is that the proxy's computation is linear in the number of colleagues; this may not be desirable in terms of the complexity. In contrast, in FC-PBRE, the proxy can re-encrypt Alice's ciphertext to a group of users at one time. As a result, an FC-PBRE scheme is likely to resolve this complexity problem.
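The following is an added example, not code from the paper: it models only the policy rule the proxy enforces (re-encrypt if and only if |W ∩ W'| ≥ t, the key must come from the ciphertext owner, and a single-use ciphertext is never transformed twice) and compares the proxy's operation count for broadcast versus per-colleague re-encryption. Ciphertexts and keys are plain records with constructed sample data following the cold example (R1, R2 and the user names are assumptions); no pairing arithmetic is performed.

```python
"""Added example: a model of the FC-PBRE proxy's fuzzy-condition check.
Not the paper's pairing-based construction; records stand in for
ciphertexts and re-encryption keys."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Ciphertext:
    recipients: FrozenSet[str]   # users whose secret key decrypts it
    conditions: FrozenSet[str]   # condition set W' bound at encryption time
    payload: str                 # stands in for the opaque ciphertext body
    re_encrypted: bool = False   # single-use: a transformed ciphertext is final


@dataclass(frozen=True)
class ReKey:
    delegator: str               # owner whose ciphertexts this key may transform
    delegatees: FrozenSet[str]   # broadcast target set S'
    conditions: FrozenSet[str]   # condition set W chosen by the delegator
    threshold: int               # t: required overlap |W ∩ W'|


def fuzzy_match(w: FrozenSet[str], w_prime: FrozenSet[str], t: int) -> bool:
    """The scheme's re-encryption condition: |W ∩ W'| >= t."""
    return len(w & w_prime) >= t


def proxy_reencrypt(rk: ReKey, ct: Ciphertext) -> Optional[Ciphertext]:
    """Return the ciphertext for rk.delegatees, or None (the scheme's ⊥)."""
    if ct.re_encrypted:                                # single-use scheme
        return None
    if ct.recipients != frozenset({rk.delegator}):     # key from the wrong owner
        return None
    if not fuzzy_match(rk.conditions, ct.conditions, rk.threshold):
        return None                                    # condition sets too far apart
    return Ciphertext(rk.delegatees, ct.conditions, ct.payload, True)


def broadcast_share(rk: ReKey, ct: Ciphertext) -> Tuple[List[Ciphertext], int]:
    """FC-PBRE: one proxy operation covers the whole delegatee set."""
    out = proxy_reencrypt(rk, ct)
    return ([] if out is None else [out]), 1


def per_user_share(delegator: str, colleagues: FrozenSet[str], w: FrozenSet[str],
                   t: int, ct: Ciphertext) -> Tuple[List[Ciphertext], int]:
    """FC-PRE baseline: one re-encryption key and one proxy run per colleague."""
    outs, ops = [], 0
    for c in sorted(colleagues):
        ops += 1
        r = proxy_reencrypt(ReKey(delegator, frozenset({c}), w, t), ct)
        if r is not None:
            outs.append(r)
    return outs, ops


# Constructed sample data (assumptions) following the paper's cold example.
R1 = frozenset({"cold", "fever", "runny nose", "sore throat"})   # patient's W'
R2 = frozenset({"cold", "fever", "cough"})                       # doctor's W
R3 = frozenset({"flu", "cough"})                                 # unrelated policy
T = 2                                                            # threshold t
ALICE_CT = Ciphertext(frozenset({"alice"}), R1, "<record ciphertext>")
COLLEAGUES = frozenset({"dr_a", "dr_b", "dr_c"})


def demo() -> dict:
    """Run both sharing modes plus two rejections; report what the proxy did."""
    bc, bc_ops = broadcast_share(ReKey("alice", COLLEAGUES, R2, T), ALICE_CT)
    pu, pu_ops = per_user_share("alice", COLLEAGUES, R2, T, ALICE_CT)
    rejected = proxy_reencrypt(ReKey("alice", COLLEAGUES, R3, T), ALICE_CT)
    again = proxy_reencrypt(ReKey("alice", COLLEAGUES, R2, T), bc[0])
    return {"broadcast_ops": bc_ops, "per_user_ops": pu_ops,
            "broadcast_recipients": bc[0].recipients, "per_user_count": len(pu),
            "rejected": rejected is None, "second_hop_rejected": again is None}


if __name__ == "__main__":
    print(demo())
```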
In the multimedia data sharing environment, a secure mechanism is needed that allows the cloud server to transform one user's encrypted data directly into another ciphertext under a set of new users without accessing the user's plaintext data. In this paper, fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is proposed to address the concern. In FC-PBRE, the proxy uses a broadcast re-encryption key to re-encrypt a ciphertext, which can be decrypted by a set of delegatees if and only if the broadcast key's conditional set  is close to the conditional set   of the ciphertext. With the FC-PBRE scheme, the plaintext data is not disclosed and cannot be learnt by the proxy. The paper is structured as follows. First we introduce the security definition against chosen-ciphertext attacks for FC-PBRE. Second, our efficient fuzzy-conditional proxy broadcast re-encryption scheme is presented. Finally, we prove that our FC-PBRE scheme is CCA-secure in the random oracle model based on the Decisional nBDHE assumption.

Related Work
Proxy re-encryption [9] can directly transfer encrypted data of user Alice stored in a nontrusted third-party cloud, under the authorization of Alice, into user Bob's ciphertext, so as to achieve data sharing between Alice and Bob. In a PRE scheme, however, the third party can transform all of Alice's ciphertexts into Bob's ciphertexts, whereas in many applications Alice hopes that the third party can only transform ciphertexts satisfying some specific conditions instead of all ciphertexts. In a C-PRE scheme [11], only a ciphertext from Alice that meets certain specific conditions can be converted by the third party into Bob's ciphertext. Therefore, with conditional proxy re-encryption, Alice can determine which ciphertexts the third party may re-encrypt; thus a flexible control of the ciphertext is obtained. Weng et al. [11] proposed a conditional proxy re-encryption scheme and proved that it is chosen-ciphertext attack secure in the random oracle model. Similarly, Tang [13] proposed a type-based proxy re-encryption scheme, and a secure proxy re-encryption with keyword search scheme was proven secure in the random oracle model [14]. On top of the keyword search scheme, an anonymous conditional proxy re-encryption with keyword search scheme was proposed by Fang et al. [15]. In that paper, they also proved that their scheme is chosen-ciphertext secure. Fang et al. [16] presented a fuzzy-conditional proxy re-encryption scheme and proved its security in the random oracle model. The scheme can support fuzzy matching between multiple keywords; that is, only some keywords in the re-encryption key need to satisfy the matching for the third party to complete the re-encryption.
Without the random oracle, a conditional proxy re-encryption scheme [17] was proposed to support a more fine-grained access strategy under the standard model. Reference [18] designed an identity-based proxy re-encryption mechanism for multiple hops (multihop) under the standard model. In this scheme, the re-encrypted ciphertext can still be re-encrypted repeatedly, and the length of the ciphertext does not increase with the number of re-encryptions. So the length of the ciphertext is constant.
With regard to anonymity, Ateniese et al. [19] came out with the idea of anonymous proxy re-encryption and proved that their scheme is chosen-plaintext attack secure under the standard model. With anonymous proxy re-encryption, an attacker cannot obtain the user's identity from the key. Later, a new scheme was proposed to achieve chosen-ciphertext attack security in the random oracle model [20]. Subsequently, Shao et al. improved the scheme by using the standard model for the security proof [21]. Following Shao et al.'s work, a security model was enhanced for anonymous proxy re-encryption [22]. The security model of [22] allows attackers to make re-encryption queries directly, instead of obtaining a re-encryption only through a re-encryption key query. Shao et al. [23] proposed an anonymous ID-based proxy re-encryption to extend anonymous proxy re-encryption to identity-based anonymous proxy re-encryption. Their scheme is proven secure in the random oracle model. An anonymous identity-based multiuser proxy re-encryption scheme was proven CCA-secure in the standard model [18]. The same literature also analyzed its application in privacy protection and data sharing in big data storage systems. The above schemes concern anonymous proxy re-encryption with user identity anonymity. A keyword-anonymous conditional proxy re-encryption scheme [24] was demonstrated to achieve the anonymity of conditions.

Preliminaries
3.1. Bilinear Map.  and   denote two multiplicative cyclic groups with the same prime order .  is a generator of group . A bilinear pairing is a bilinear map  :  ×  →   with the following properties: (3) (, ) can be computed in polynomial time for all ,  ∈ .

FC-PBRE Model and Security Notion
Two security definitions for fuzzy-conditional proxy broadcast re-encryption as well as its model are introduced in this section.
Definition 1 (FC-PBRE). A (single-use) proxy broadcast re-encryption scheme runs the following algorithms: (i) (, , ): in the setup step, for the input,  is the security parameter,  is the maximum allowed number of users, and  is the threshold. The system at this step generates a public key  and a master secret key .
(ii) (, , ): given the public key , the master key , and a user , the system generates the secret key   for the user .
The game-based model is used to define the security for the FC-PBRE scheme. Similar to a security model from [25], the CCA security of the FC-PBRE scheme is considered in the selective-set model. In such a model, the adversary is supposed to commit ahead of time to the challenge user set  * and the condition set  * .

Definition 2 (IND-set-CCA game). The following lists two games between an adversary A and a challenger C.
Game 1 considers the security of the original ciphertexts. We define the IND-OR-CCA game as follows: (1) Init. In the initial phase, the adversary A selects a target user set  * ⊆ {1, 2, . . ., } and the condition set  * = { * 1 ,  * 2 , . . .,  *  }.
(2) Setup. At this stage of the game, the challenger C runs (), and as a result generates the public key  and the master key . Then he gives  to A.
(3) Query phase 1. A makes the following queries. A has to follow the restrictions in this phase: first, A cannot make () for any  ∈  * ; second, A cannot make (,   ,   ) and () if  ∈  * ,  ∈   , and |  ∩  * | ≥ .
(6) Guess. A makes the guess for   . The adversary wins the game if   = .
The above adversary A is referred to as an IND-OR-CCA adversary. The advantage is defined as

Security Proof.
In this section, we prove that our scheme is IND-Set-CCA-secure in the ROM.
With this we complete the proof of Lemma 4.

Lemma 5.
If an IND-Re-CCA attacker can successfully attack our scheme, then a simulator S can be constructed to solve the Decisional nBDHE assumption.
Proof. We use the same game construction from the proof of Lemma 4 and modify the challenge phase to prove Lemma 5.
The proofs of Lemmas 4 and 5 conclude that we have proven Theorem 3.

Comparison
We use schemes from [24, 26] as baselines, as [26] achieves the same security and [24] supports the same fuzzy property as our scheme. In the implementation, we selected the two most efficient schemes for experimental comparison. Our experimental environment is as follows: Core i7 Processor (6M Cache, 3.40 GHz) with a Linux operating system. In the implementation, the proxy re-encrypted the ciphertext of the delegator into 20 different ciphertexts for the delegatees. The average execution time over 50 experiments is used to eliminate errors. Table 1 lists the performance comparison of the schemes. Although the , , , 2, and 1 times are a little greater than in [24, 26], as our scheme needs to support the broadcast property, the time overhead of the re-encryption algorithm in [24, 26] is much higher than in our scheme. This is due to the fact that our proxy is only required to run the re-encryption algorithm once.

Application
With the proposed FC-PBRE scheme, we illustrate an example of the scheme's possible application and show how FC-PBRE scheme protects the confidentiality and privacy of multimedia data in the Internet of Things.

Application of Security in Internet of Things.
With the development of wireless networks and the Internet of Things, a large number of wireless devices (WiFi cameras, wireless sensors, etc.) are deployed; they are collecting and analyzing multimedia data at all times. Many applications require these wireless devices to share data, and insecure data sharing between wireless devices can easily lead to data leakage. Usually a normal user accesses a wireless device in three ways: first, through a direct connection with the wireless device; second, through the gateway; third, through the cloud platform. Because many wireless devices need to be localized before they start to work, they usually have backend configuration interfaces (WEB, PC) and are offline at some point during their work, so it is more convenient for an attacker to access multimedia data directly. In this case, even if the device and cloud have been authenticated and encrypted (such as using SSL), they cannot prevent the attack. How to ensure the safe storage and sharing of wireless multimedia data therefore becomes particularly important. In this environment, we can deploy FC-PBRE to ensure the security of the system. The data of each device (including multimedia data and control data) is encrypted by the device owner's public key (  = (  , , , )). Obviously, no user can decrypt the data except the data owner A. When the device owner A needs to grant data privileges to the maintenance engineer for the configurations of wireless devices (such as WiFi cameras), the maintenance engineer B has to request a re-encryption key  ,  ,  = (,   ,   ,   ), where   , from the device owner A. The maintenance engineer B can use the re-encryption key to perform the re-encryption algorithm   = (  ,  ,  ,  , , ,   ,   ) to convert the device owner's ciphertext   into their own ciphertext   , and then B uses his own private key to decrypt the ciphertext by performing the re-encrypted ciphertext decryption algorithm  = 1(  ,   , , , ,   ,   ). Similarly, if the gateway or cloud platform wishes to share encrypted multimedia data with authorized third-party users (i.e.,  =  1 ,  2 , . . .,   ) without decryption, the device owner A only needs to produce a re-encryption key  ,,  = (  ,   , ,   ), which will be used to re-encrypt the message from the device owner A to the third-party user set  =  1 ,  2 , . . .,   . After the key  ,,  is generated, it will be sent to the cloud platform. Therefore, the cloud platform can run the re-encryption algorithm   = (  ,  ,,  , , ,   ,   ) to convert the device owner's ciphertext into   , which can be decrypted with the third party's own private key.

Conclusions
In this paper, a new security notion called fuzzy-conditional proxy broadcast re-encryption (FC-PBRE) is presented. In an FC-PBRE scheme, the proxy uses a broadcast re-encryption key to re-encrypt a ciphertext, which can be decrypted by a set of delegatees if and only if the broadcast key's conditional set  is close to the conditional set   of the ciphertext. Moreover, the proxy learns nothing about the plaintext from the entire process. Second, we define the security notion against chosen-ciphertext attacks for FC-PBRE and propose an efficient fuzzy-conditional proxy broadcast re-encryption scheme. Finally, we prove that our FC-PBRE scheme is chosen-ciphertext secure in the random oracle model under the Decisional nBDHE assumption.
Given our contributions, further research might explore constructing a CCA-secure FC-PBRE scheme in the standard model. It could also focus on the construction of fuzzy-conditional proxy broadcast re-encryption schemes without pairings.
(iii) (, , , ): the () algorithm takes the public key , a user set  ⊆ {1, 2, . . ., }, a message , and a set of keywords  as the input; it then outputs the ciphertext  for the user set  with condition set . (iv) (,   ,   ,   ): on inputting , the user's private key   , a set of users (  ⊆ {1, 2, . . ., }) and a keyword set   , outputs the re-encryption key  ,  ,  . (v) (,  ,  ,  , , ,   , ): with the public key , a re-encryption key  ,  ,  , the user , two different user sets  and   , and the original ciphertext , this algorithm computes the re-encrypted ciphertext   . This step requires | ∩   | ≥ , where  is the threshold; if the condition cannot be met, an error symbol ⊥ is output instead.
(2) Setup. The challenger C generates the public key  and master key  by running (). Then C gives  to A. (3) Query phase 1. The adversary A makes the following queries: (a) (): C gets   from (, , ). * is returned to the adversary A. (5) Query phase 2. A continues making queries but is subject to the following restrictions: (a) A cannot make () for any  ∈  * ; (b) A cannot make 1(, , ,  * ,  * ) if  ∈  and  ∈  * . (6) Guess. A makes the guess   . The adversary wins the game if   = .

Table 1 :
Comparison with Weng et al. [26] and Fang et al. [24].