A Source Hiding Identity-Based Proxy Reencryption Scheme for Wireless Sensor Network

Wireless sensor network (WSN), which extends the typical Internet environment to Internet of Things, has been deployed in various environments such as safety monitoring, intelligent transportation, and smart home. In a WSN, encryption is typically used to protect data that are stored in wireless devices. However, some features like data sharing can be affected if traditional encryption is used. A secure mechanism should support a gateway of the network to directly convert a user’s encrypted data (encrypted pollution data) to a new user’s encryption without exposing the underlying plaintext data during the whole sharing phase. In this work, a new source hiding identity-based proxy reencryption scheme (SHIB-PRE) is proposed to deal with the issue. The proposed SHIB-PRE scheme supports a proxy (gateway or cloud server) to transform a user’s encrypted data to a new user’s ciphertext as long as the proxy has the proxy reencryption key. In SHIB-PRE, the encrypted pollution data is kept secure from the proxy and the relationship between a source ciphertext and a reencrypted ciphertext is concealed from the outside eavesdropper. In this paper, we give an introduction to the definition of a source hiding identity-based proxy reencryption and its chosen plaintext security model. Further, a concrete construction will be presented and proven chosen plaintext secure under the q-DDHE assumption in the standard model.


Introduction
With the growth of wireless sensor devices, people are facing a formidable problem of huge sensor data management and maintenance [1,2]. One cost-effective and convenient approach to resolve this issue is to deploy the sensor data on the cloud, for example, IBM cloud [3] and Amazon AWS [4]. People can adopt data encryption as an intuitive defense to ensure data confidentiality on the cloud [5]. By encrypting the sensor data and saving it on the cloud, however, sharing sensor data within the wireless sensor network is limited. As a result, traditional public key encryption only guarantees the confidentiality of wireless sensor data, yet it frustrates the data sharing functionality.
Considering the following scenario, we will need a secure mechanism that supports a gateway of the network to directly convert a user's encrypted data (encrypted pollution data) to a new user's encrypted data without revealing the underlying plaintext data. Suppose many wireless sensor nodes are deployed in a wireless pollution sensor network to monitor the campus air quality. All sensor nodes send their monitoring data to the sink node, which then sends it to the cloud through the gateway. For the purpose of confidentiality, we could encrypt the monitoring data before sending it to the sink node. In some situations, the campus administrator Alice may want to cooperate with the government institute researcher Bob to analyze the environment. As the data is encrypted by Alice's public key, Bob cannot decrypt the encryption to get the underlying plaintext because he does not have access to Alice's private key. What we can do in this case is let the campus administrator Alice fetch the secret data off the cloud and then reencrypt the data with Bob's public key. However, this can significantly increase Alice's workload and violates the original intention of cloud computing, which is to leave the heavy workload to the cloud. What is worse is that Alice must be online all the time during each sharing phase. Another naive solution is that Alice can store the private key in the cloud. Thus the cloud can perform the download-decrypt-reencrypt work instead of Alice. But it may be a disaster if the cloud is disclosed, as the attacker can use Alice's private key.
In addition to secure data sharing, another security requirement for the above scenario is privacy preservation. If the government system is disclosed, the campus' identity should not be revealed. This privacy-preserving property ensures that, even if the government system is assailed by an adversary, the adversary cannot know who is sharing the data with the government system. This requires that the relationship between the campus and the government system cannot be revealed by an attacker.
Therefore, a new public key encryption mechanism is desired to support data sharing and privacy preservation at the same time. Enabling the confidentiality of data and preserving the privacy without losing efficiency [6] is an important problem to be addressed. In this work, we focus on solving these elusive problems by presenting a novel notion of source hiding identity-based proxy reencryption. In our proposed source hiding identity-based proxy reencryption scheme, a proxy (gateway or cloud server) with a proxy reencryption key can convert a delegator's (campus) ciphertext to a delegate's (government institute researcher) ciphertext without exposing the plaintext. Meanwhile, an outside eavesdropper cannot learn the relationship between the original ciphertext and the reencrypted ciphertext.
In related work, proxy reencryption (PRE) was proposed to enable a semitrusted proxy to convert Alice's ciphertext to Bob's ciphertext by a reencryption key [7]. Proxy reencryption has been applied in several places, such as secure email forwarding [7,8] and cloud computing [9]. Green et al. [10] introduced identity-based proxy reencryption in which a user's public key is viewed as his identity. After their work, a great number of identity-based proxy reencryption schemes have come out [11-13] to deal with efficiency and security properties. An AB-PRE scheme was presented to apply the attribute-based setting to proxy reencryption [14]. Luo, Hu, and Chen [15] revealed another scheme to provide "AND" gates on both positive and negative attributes. Later on, a ciphertext-policy attribute-based proxy reencryption (CPAB-PRE) [16,17] was presented to support a monotonic access formula in the selective model. Further, they enhanced its security in the adaptive model [18]. Meanwhile, Ge et al. [19,20] presented two key-policy attribute-based proxy reencryption (KPAB-PRE) schemes in the selective and adaptive models, respectively. Recently, a DFA-based proxy reencryption scheme [21] allows the access to be described as a DFA. Unfortunately, none of these schemes support the functionality of privacy-preserving keyword search.
To capture the source hiding property, Emura, Miyaji, and Omote [22] introduced the notion of source hiding and presented the first source hiding IB-PRE scheme in the random oracle model. However, their proof is only a heuristic argument and might leave the scheme insecure [23]. Furthermore, the previous source hiding scheme [22] is found not to be collusion resistant. As a result, if a proxy colludes with a set of delegates, the delegator's message is revealed as well as the delegator's private key.

Our Contribution.
To address the above problems [22], this work presents a CPA secure collusion resistant source hiding identity-based proxy scheme. Additionally, we prove the security without random oracles. More specifically, a proxy and a set of delegates can only collude to reveal the plaintext but not the delegator's private key. The paper is organized as follows: first we describe our scheme, second we prove our scheme secure in the standard model, and finally we show it is collusion resistant.
(2) (, ) ̸ = 1.
(3) (1) Setup: B runs the Setup() algorithm to obtain the (PP, msk) and assigns PP to A.

Security Notion for
( (5) Guess: A makes the guess   and wins the game if   = .
We say IB-PRE is IND-CPA secure if the probability is negligible for every probabilistic polynomial time adversary A.
Next, we present the source hiding property of IB-PRE (IND-SH-CPA) and we follow the security model of [22]. IND-SH-CPA guarantees that even if an adversary knows a mailing-list address and a mailing-list member address included in the mailing-list system, the adversary cannot identify whether a source ciphertext is the source of a destination ciphertext or not. We allow an adversary to select the challenge source identities  * 0 ,  * 1 and the challenge ciphertext  * . An adversary A is provided the  and  queries as in the IND-CPA game.
(1) Setup: run the Setup() algorithm to get the (PP, msk) and then assign PP to A.

Security and Communication Networks
We say that a source hiding IB-PRE scheme is IND-SH-CPA secure if the following probability is negligible for every probabilistic polynomial time adversary A:
Note that, unlike the IND-CPA security game, in the IND-SH-CPA security game, the adversary A is allowed to get the private key of the target ciphertext. The IND-SH-CPA guarantees that even if A can decrypt the challenge ciphertext  *  , A can only obtain the following: (1)  *  is encrypted under identity ; (2)  * is the plaintext, all of which, however, are already known to A.

Our Proposed Source Hiding IB-PRE
First, we analyze what conditions an IB-PRE scheme should meet such that it has the source hiding property. Second, we describe our source hiding IB-PRE scheme and prove its IND-CPA and IND-SH-CPA security.

Impossibility Result for Source Hiding IB-PRE.
Before presenting our scheme, we introduce several necessary yet not sufficient conditions for satisfying the source hiding property [22].

Security of Our Source Hiding IB-PRE Scheme
Theorem 5. Our scheme is IND-CPA secure without random oracles under the q-DDHE assumption.
Proof. Assuming there exists an adversary A that can break our scheme's IND-CPA security with the probability , we can construct an algorithm B that can solve the q-DDHE problem with probability   , where B takes as input a q-DDHE instance (,  1 =   ,  2 =   2 , . . .,   =    , ) and has to distinguish  =  +1 =   +1 from a random element in .
The approach to prove Theorem 5 follows the steps of the security proof of Gentry's scheme [25]. Note that B maintains a list of tables that are initialized empty. Here is the list:
(i)   : it keeps the secret key tuples (, ,   ).
(ii)   : it maintains the results of the queries to RKExtract(  ,   ), which are the tuples (  ,   ,    →  , ). In the tuples,  = 1 indicates that the reencryption key is a valid one, while  = 0 indicates that the reencryption key is a random value.

Efficiency Theoretical Analysis.
To compare the performance of our scheme, we choose the existing source hiding IB-PRE scheme [22] as the base. We make the comparison in terms of the public/private key size, reencryption key size, level 1/level 2 ciphertext size, reencryption key generation cost, reencryption cost, and security model. Table 1 illustrates the detailed comparison. To construct a fair comparison, we choose Emura, Miyaji, and Omote's first scheme, denoted the EMO 1 scheme [22], which is also CPA secure with source hiding. Let   ,   represent the computational cost of an exponentiation and a pairing, respectively, |  |, ||, |  | denote the bit-length of an element in   , ,   , respectively, and || denote the size of a hash function. From Table 1, we find that the ciphertext size of our scheme is a little larger than that of the scheme of [22]. However, the computational cost is of the same order of magnitude. Most importantly, our scheme is collusion resistant and does not rely on random oracles.

4.2. Execute Time.
Now we compare the proposed scheme with the existing source hiding IB-PRE scheme [22] regarding the execution time. For the scheme implementation, we use the Pairing Based Cryptography Library [26] to calculate the implementation time. Our hardware is an Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz with 8GB RAM. The operating system is Linux Mint 18.1 Serena and the programming language is Go 1.9. The elliptic curve  2 =  3 +  and a group order of 160 bits are selected for the experiment. We run each experiment 20 times to obtain the average execution time.
From Table 2, it is observable that the execution time of , , , , (), and () of our scheme is a little more than that of the scheme of [22]. This coincides with the theoretical analysis.

Conclusions
In this paper, we introduced a new source hiding identity-based proxy reencryption scheme (SHIB-PRE) which is proposed to support a gateway of the wireless network to directly convert a user's encrypted data (encrypted pollution data) to a new user's encrypted data without exposing the underlying plaintext data during the whole sharing phase. Additionally, our SHIB-PRE scheme addresses the open problems left by Emura, Miyaji, and Omote [22] by presenting a scheme that is collusion resistant, source hiding, and secure against chosen plaintext attack in the standard model. Still, interesting questions remain to be resolved and can be our future work, such as the following:
CCA-Secure. Designing a source hiding IB-PRE scheme that is chosen ciphertext secure is necessary. The technique described in [27] might be a potential approach to achieve CCA security.
Key-Private IB-PRE.The property of source hiding protects the source identity from a destination ciphertext.It will be challenging to design a key-private IB-PRE, in which a source identity and a destination identity are not disclosed from a reencryption key.The technique presented in [28] could be the potential approach to achieve a key-private IB-PRE scheme.
Query phase 1: (a) Extract(): A runs the KeyGen(, *  to A. (4) Query phase 2: A continues making queries as in the query phase 1.
, the adversary breaks the IND-SH-CPA security if he can learn to determine if destination ciphertexts are derived from the same source ciphertext or not. Suppose the  algorithm is deterministic; then an adversary A can win the IND-SH-CPA game as below. Suppose the source ciphertext is  *  0 and  *  1 and the challenge ciphertext is  *  . The adversary works as follows:
(1) Makes a t( 1 , ) query and gets the reencryption key   1 → .
(2) Using the reencryption key   1 → , runs the deterministic algorithm ( *  1 ,   1 → ) →   .
(3) If = *  , it outputs 1, else returns 0.
It is not difficult to see that A can succeed with an overwhelming probability.

3.2. Our Construction.
Let  and   be bilinear groups of prime order , and  be a generator of . Additionally, let  :  ×  →   denote the bilinear map. The proposed scheme contains the following steps:
(i) Setup():  is the security parameter, and (, , ,   , ) are the bilinear map parameters. The PKG chooses random generators , ℎ ∈ , random value  ∈   , and a collision resistant hash function  :   →  *  . It sets  1 =   ∈ . The PKG keeps ℎ secret and outputs the public parameters . So master secrets are set as  = (,  1 ,  (, ℎ) , )  = .
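The distinguisher from the impossibility argument above, run as a simulation. This is an added example, not the paper's scheme or code: it substitutes a plain ElGamal-style proxy reencryption (no pairings, not identity-based) over a tiny constructed group, and also runs a rerandomized conversion for contrast, which goes beyond the deterministic case in the text. The names `Det`, `Rand` and `Wins` are hypothetical.

```go
package main

import (
	"fmt"
	"math/big"
	"math/rand"
)

// Toy group (constructed, far too small for real use): order-q subgroup of Z_p*, p = 2q+1.
const p, q, g uint64 = 2039, 1019, 4

type CT struct{ C1, C2 uint64 }

func bi(x uint64) *big.Int { return new(big.Int).SetUint64(x) }
func pow(b, e, m uint64) uint64 { return new(big.Int).Exp(bi(b), bi(e), bi(m)).Uint64() }
func rnd() uint64 { return uint64(rand.Intn(int(q-1))) + 1 } // in [1, q-1]; math/rand is enough for a simulation

// Enc encrypts m under secret key sk as (m*g^r, g^(sk*r)).
func Enc(sk, m uint64) CT {
	r := rnd()
	return CT{m * pow(g, r, p) % p, pow(g, sk*r%q, p)}
}

// ReKey returns rk = skTo/skFrom mod q (inverse by Fermat, q is prime).
func ReKey(skFrom, skTo uint64) uint64 { return skTo * pow(skFrom, q-2, q) % q }

// Det is the deterministic conversion: C2^rk turns g^(a*r) into g^(d*r).
func Det(c CT, rk, _ uint64) CT { return CT{c.C1, pow(c.C2, rk, p)} }

// Rand also multiplies in a fresh encryption of 1 under pkTo = g^d.
func Rand(c CT, rk, pkTo uint64) CT {
	s := rnd()
	return CT{c.C1 * pow(g, s, p) % p, pow(c.C2, rk, p) * pow(pkTo, s, p) % p}
}

// Wins plays n source-hiding games. The adversary holds rk(1 -> d), converts
// source ciphertext 1 itself, and guesses b = 1 iff the result equals the challenge.
func Wins(n int, reenc func(CT, uint64, uint64) CT) (w int) {
	for i := 0; i < n; i++ {
		a, d, m := [2]uint64{rnd(), rnd()}, rnd(), pow(g, rnd(), p)
		src := [2]CT{Enc(a[0], m), Enc(a[1], m)}
		b := rnd() & 1 // challenger's hidden choice of source
		chal := reenc(src[b], ReKey(a[b], d), pow(g, d, p))
		guess := reenc(src[1], ReKey(a[1], d), pow(g, d, p)) == chal
		if guess == (b == 1) {
			w++
		}
	}
	return w
}

func main() { fmt.Println("adversary wins:", Wins(400, Det), "(deterministic)", Wins(400, Rand), "(rerandomized)") }
```

With the deterministic conversion the adversary wins almost every game; with rerandomization its success rate stays near one half, which is what guessing achieves.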

Table 1: Efficiency and security comparison.