Group Delegated ID-Based Proxy Reencryption for the Enterprise IoT-Cloud Storage Environment

In general, ID-based proxy reencryption (IBPRE) includes data transfer in a 1 : 1 manner between a sender and receiver. Therefore, only the data owner has the authority to decrypt or reencrypt the data that is encrypted with his/her public key. However, in an environment with data self-sovereignty, such as an enterprise IoT-cloud environment, the data are directly managed by cloud once data is uploaded from user-controlled IoT devices. In such a situation, there is no way of sharing data if the data owner has no access over the data due to being outside the workplace and other issues. In this study, to solve this problem, data can be shared even when the data cannot be accessed by delegating the authority of the data owner to generate the reencryption key to other users. In addition, by solving the security threats that may appear in this process, data sharing can be performed securely and efficiently in the corporate environment.


Introduction
Cloud storage technology is a technology that can store and use data remotely through a network by combining network technology with existing offline storage technology. When using cloud storage, the data owner uploads his or her data to the cloud storage. If another user requests this data in the future, it can be provided to the requestor through the provision of the data access path and authority of the cloud storage.
These cloud storage technologies are used not only for personal data storage purposes but also for securely storing and utilizing all data generated inhouse in a corporate environment. From the perspective of a company, when using cloud storage, data generated within the company can be securely stored and managed and can be used for other purposes as needed. However, if the data source is uploaded to the cloud storage in original form, the data content can be exposed to other users. Hence, encryption must be applied to solve this problem.
Encryption can be used for secure storage and sharing of data through cloud storage [1][2][3][4][5]. However, in general sym-metric key encryption or public key encryption, it is difficult to change a key distribution problem or the user of already encrypted data. Therefore, proxy reencryption has been proposed to solve this problem. Proxy reencryption is a form of encryption technology that allows the sender to securely share data with the receiver [6,7]. However, a feature that is different from the general encryption scheme is that the sender can provide data encrypted with his or her public key by converting it into an encrypted text that can be decrypted by the receiver with only the receiver's public key. This feature allows the sender to avoid performing decryption and encryption or sharing a secret key with the receiver in order to provide encrypted data to the receiver. Therefore, in a cloud storage environment, it is possible to provide the encrypted text generated by the user with his/her key by converting it into data encrypted with the requestor's key upon request.
However, a corporate-like environment has one additional property. For security reasons, access to cloud storage may be blocked from outside the enterprise. Let us assume that the data owner is outside the company on a business trip.
If data is requested from other employees and departments within the company, the request cannot be processed. In preparation for this situation, there are ways to share the private key with other employees, but this can lead to a serious security threat. Employees who have access to the private key of the owner can exercise all the rights of the owner. Therefore, it is necessary to be able to share designated data without sharing the private key. In this research, studies were conducted to satisfy these conditions. Our study provides an environment in which the owner of the data can provide the right to reencrypt specific data to other users. We propose a traceable group delegated ID-based proxy reencryption (IBPRE).

Related Works
This section describes related studies and theoretical constructs for understanding our study.

Proxy Reencryption.
Proxy reencryption is an encryption technology that converts data encrypted with the sender's public key into data encrypted with the receiver's public key through a proxy. To this end, the sender generates a reencryption key using his/her own private key and the recipient's public key of the recipient and delivers it to the proxy. Upon receiving the reencryption key, the proxy reencrypts the sender's cipher text using the reencryption key to obtain the receiver's cipher text as shown in Figure 1(e) [6][7][8].
Thereafter, the recipient can obtain the plaintext from the ciphertext using his/her private key. The advantage of proxy reencryption is that the senders can share data without exposing their private keys or the original message to the proxy. Therefore, only the sender and receiver can know the source of the data.
IBPRE uses ID-based encryption to encrypt a user's ID as a public key or derive a public key from an ID. In this manner, a user can identify another user through an ID using a system such as a cloud and share data with the user [9][10][11][12][13][14][15][16][17][18][19][20]. Basically, proxy reencryption is a technique that allows data encrypted with the key of the data sender to be decrypted by a third party, the receiver, as shown in Figure 2.
In 2012, Xu et al. proposed a certificate-free IBPRE [18]. Noncertificate ID-based encryption is a technology that generates a public key through a user's ID without using a certificate. Therefore, the amount of computation is reduced compared to that in the scheme of generating the certificate. Additionally, it is secure with regards to the key escrow problem and the key exposure problem because the KGC (Key Generate Center) does not generate the key directly [19,20].
As evident from the above algorithm configuration, this scheme assumes a form of traditional 1 : 1 data sharing. Therefore, it is difficult to resolve a situation in which a data owner cannot control data, such as an enterprise environment as covered in this study. However, in this scheme, the existing IBPRE has been applied to present the multiproxy crtificateless proxy reencryption (CL-PRE) and the randomized CL-PRE, which aims at diversity in the traditional IBPRE approach [21,22].

Proxy Reencryption in the Enterprise Environment.
In recent years, an increasing number of companies have begun operating private clouds. The cloud of a company is a technology that enables the storage and use of data produced within the company. It helps to efficiently manage sensitive data for data management and prevention of leakage. In general, it is necessary to distinguish between personal data and public data and even the data generated during work within the company. Therefore, data encryption should be applied in order to prevent other employees from viewing personal business data. Additionally, as encrypted data cannot be decrypted by a third party, the data owner must be able to decrypt the shared user with his or her private key in order to share data with the third party [23,24]. As a result, the owner's ciphertext needs to be converted into the requestor's ciphertext through a process such as proxy reencryption [25,26].
This process follows the IBPRE process described above. Therefore, data inside the company can be securely stored by blocking external access for data security as shown in Figure 3.
However, if the data owner is outside the premises of the organization, the data owner may not be able to share data as the owner cannot access the cloud outside the company as shown in Figure 3. In this case, the data is not transmitted, which causes a delay. Therefore, a scheme to solve this problem is required.
We hereby require a scheme for reencrypting data even when the owner of the data is absent. However, in the general IBPRE scheme, when there is a data request, a reencryption key is generated using the requestor's public key and the owner's private key. Therefore, it is impossible to create a reencryption key in advance because the data owner cannot know the identity of the data requestor before venturing out of the organization. As a result, a reencryption key must be generated whenever there is a data sharing request. However, reencryption is impossible because it is impossible to obtain the other party's public key and upload the reencryption key from outside the company. We have previously conducted research to solve this problem [27]. In the previous study, we tried to solve by using the group delegation method in a more restrictive environment. However, in previous studies, problems in computational aspects and some improvement in security aspects were required. Therefore, in this study, we propose a scheme that allows the sender to generate a reencryption key through a delegatee. In this process, the group delegation is not used. Additionally, we present a scheme to trace the delegated reencryption key generator to confirm that the delegatee does not abuse the sender's authority.

System Model
This section describes the necessary mathematical basis before describing the proposed scheme and presents the construction and security requirements accordingly.
In this study, the concept of group delegated ID-based proxy reencryption (GD-PRE) is proposed. The form of this concept is shown in Figure 4. In the absence of the data    3 Wireless Communications and Mobile Computing owner, another user who has been delegated the owner's authority creates a delegated reencryption key and can share the data with a third party on behalf of the owner. In this process, the user who has been delegated the owner's authority cannot know the owner's private key or the contents of the original data and can only generate the reencryption key for the data designated by the owner. The composition and role of participants in this scheme are described in the next section.

KGC (Key Generation Center).
It is an administrator that issues and manages the keys to all participants in the system. In order to use this system, a private key must be issued and registered by the KGC, and the parameters disclosed by the KGC must be used.

3.1.2.
Proxy. This is a device that stores user data and performs reencryption upon request. Represented by cloud storage, it responds honestly to user requests, but has the characteristic of honest-but-curious, i.e., wants to know the contents of the data.

Users.
Users include all senders, receivers, and delegates who use the system provided by the KGC. Any user can act as a sender, receiver, or delegate group member.

Sender.
The sender is the owner of the data. Therefore, after encrypting the data using his/her own public key, they upload to the proxy. Thereafter, a reencryption key is generated according to the receiver's request, and the reencrypted encrypted text is provided to the receiver through a proxy. In addition, the sender can delegate the authority to generate the reencryption key to another user in case they are absent, and the delegated user is called the delegate group member.
3.1.5. Delegate Group. The delegate group is a group composed of the sender and delegate group member. The delegate group member is a user who has been delegated the authority to generate reencryption keys from the sender. The delegate group member has been delegated some authorities from the sender, but cannot know the sender's private key or the origin of the message, and can only generate the delegated reencryption key and deliver it to the proxy.
3.1.6. Receiver. The recipient is among the users. Encrypted data can be obtained by requesting data from the sender along with his/her public key. Recipients who have properly obtained data from the sender can decrypt the encrypted data using his/her own private key.

Algorithms of GD-PRE.
This section describes the algorithms included in the proposed technique. The algorithms are of ten types and include setup to encryption, decryption, and reencryption. Detailed formulae and explanations for the algorithms are presented in Section 4.

Setup (λ).
Algorithm performed by the KGC, the KGC uses the security parameter λ as an input and executes a probability-reducing algorithm that outputs the parameter params shared with all the users, while the master secret key x remains private.   Wireless Communications and Mobile Computing 3.2.2. Partial Private Key Extraction (params, x, ID i ). This is the process in which the KGC receives an input from the master secret key x and the user's identifier ID i ∈ f0, 1g * , outputs the individual partial private key D i that corresponds to the ID i , and sends it securely to the user.

3.2.3.
Private Key Generation (params, D i ). Algorithm performed by the user, the user generates a complete private key sk i using the partial private key D i received from the KGC. The private key is then kept securely.
3.2.4. Public Key Generation (params, ID i ). Algorithm performed by the user, the user creates a public key pk i using params and his/her ID i and distributes this public key pk i .
3.2.5. Encryption (params, ID S , pk S , m). Algorithm performed by the user, the user computes first-level ciphertext C S by encrypting message m by the sender inputting message m ∈ M and ID S .
3.2.6. Reencryption Key Generation (params, sk S , pk R ). Algorithm performed by the sender, the sender generates a reencryption key RK S→R to delegate C R ciphertext to the receiver. For this purpose, the sender generates a reencryption key RK S→R by using its own private key and public key of the receiver.
3.2.7. Reencryption (params, RK S→R , C S ). Algorithm performed by the proxy, the proxy takes the first-level ciphertext C S and the reencryption key RK S→R as input and outputs a reencrypted ciphertext C R , called the second-level ciphertext.
3.2.8. Group Delegation (params, ID G j ). Algorithm performed by the sender, the sender establishes a delegate group G who will be delegated the authority to generate his/her reencryption key RK S→R in case he/her are away from the company.
3.2.9. Proxy Delegation (params, ID G j ). Algorithm performed by the sender, the sender adds the value σ′′ to his ciphertext uploaded to the proxy so that reencryption can be performed by the delegated group member. Through this, the delegated group member can generate the delegated reencryption key DRK S→R instead of the sender even if they do not know the sender's private key sk S .

Delegated Group
Member Setup (params, σ ′ ). Algorithm performed by a delegated group member, each member can obtain v required to generate the delegated reencryption key DRK S→R using the σ ′ received from the sender.
3.2.11. Delegated Reencryption Key Generation (params, v, s k G j ). Algorithm performed by the delegated group member, the delegated group member generates a delegated reencryption key DRK S→R for the receiver without the sender's private key sk S . DRK S→R enables the creation of C R by reencrypting the sender's first-level ciphertext C S .
3.2.12. Delegated Reencryption (params, DRK S→R , C S ). Algorithm performed by the proxy, the proxy receives the first-level ciphertext C S and the delegated reencryption key DRK S→R as input and outputs a reencrypted ciphertext C R , called the second-level ciphertext.
3.2.13. Decryption/Redecryption/Delegated Redecryption (params, C R , sk R ). The decryption algorithms are algorithms executed by the owner. When the ciphertext C R and the receiver R ' s private key sk R are input, the algorithm outputs a message m ∈ M or an error message.
3.2.14. Trace (params, DRK S→R , ID G j ). Algorithm performed by the sender, the sender can search for the delegated group member who generated the delegated reencryption key on their behalf. For this, the delegated reencryption key DR K S→R generated by the delegated group member and the delegated group member's ID G j are used.

Security Requirements.
In order to design a more secure GD-IBPRE, there are seven security requirements in this study, which are as follows.
3.3.1. Confidentiality. In all processes, users without data authority must not be able to know the contents of the data. The owner of the data can provide data decryption authority to the user requesting the data through reencryption.

Integrity.
In all processes, such as data transfer and storage, data must remain intact. If the contents of the data are changed, the data owner and the user who has access to the data must know that the data has been changed.

Availability.
Legitimate users must be able to access stored data in the proxy. To this end, users who access the data must prove that they are legitimate users and must be able to use the desired data at any time.

Access Control.
Users who want to access data can use it by showing that they have permission to use it. To do this, one needs to verify the identity of the user, which is accessed by the proxy (cloud) or makes it available only to legitimate users of the data itself.
3.3.5. Forward Secrecy. It should not be possible to obtain the data owner's private key and personal information using a reencrypted ciphertext or reencrypted key. In addition, it should not be possible to derive a new reencryption key or reencryption statement using the public reencryption key or reencryption statement.
3.3.6. Delegated Reencryption. If the data owner cannot access the data due to absence or other reasons, a delegated group member (delegatee) should be able to reencrypt the data. In this process, the group member must not know the private key of the data owner.
3.3.7. Traceability. The sender delegates the authority to reencrypt his/her data to the delegated group member. However, this privilege can be abused to provide data to unauthorized users. Therefore, the sender must be able to identify the member who abused the authority by identifying 5 Wireless Communications and Mobile Computing who generated the reencryption key among the members of the delegated group.

Proposed Scheme
This section describes the proposed scheme. For this, first, the system parameters are described. Subsequently, detailed equations and explanations for this proposed scheme are presented.    Figures 5 and 6. Each algorithm can be classified into a key generation, group delegation, data storing, data sharing, and delegated data sharing phase according to the role and procedure. The detailed procedure is as follows.

Key Generation
Phase. First, with the given security parameter λ, the KGC sets the common and secret parameters. Thereafter, each user receives a public key and a private key from the KGC using a common parameter.
(1) Setup. Let G 1 , G 2 be two cyclic groups of prime order q and e : G 1 × G 1 → G 2 be a bilinear map. Set the two λ-bit integers l 1 , l 2 and the message space M ∈ f0, 1g l 1 . A random generator g ∈ G 1 is chosen. The KGC randomly picks an integer x ∈ ℤ * q as the master key and publishes params = ðG 1 , G 2 , e, H 1 , H 2 , H 3 , g x , g, λ, l 1 , l 2 Þ .
(2) Partial Private Key Extraction. User U i sends his/her identity ID i to the KGC. The KGC calculates g i = H 1 ðID i Þ, D i = g x i using ID i and the master key x and sends user U i 's partial private key D i to user U i . The same operation continues with the other users.
(3) Private Key Generation. User U i randomly selects d i ∈ ℤ * q and keeps secret and computes his/her private key sk i : (4) Public Key Generation. User U i computes his/her public key pk i : The user creates a public key pk i using params and his/her ID i and distributes this public key pk i . User U i publishes pk i , and anyone can use pk i to provide ciphertext to user U i . When the key generation phase is completed, the users who want to form the group perform the initialize of the group delegation phase described in Section 4.2.4.

Data Storing Phase.
In this phase, the sender encrypts the data using his/her own public key and stores it in the proxy as shown in Figure 5. After that, the sender can obtain his ciphertext uploaded to the proxy and decrypt it with his/her own private key.
(1) Encryption. Sender S selects a random integer r ∈ ℤ * q and the public key pk i of the target U i and calculates the message m ∈ G 2 as a ciphertext that can only decrypt U i as follows: As a result, the ciphertext becomes C i = ðc 1 , c 2 Þ. In this proposed environment, sender S creates C S using his public key and uploads C S to proxy. 6 Wireless Communications and Mobile Computing (2) Decryption. User U i can download the C i stored in the proxy and decrypt it using his/her private key sk i as follows.

Data Sharing
Phase. This phase is performed when the sender uploads the ciphertext to the proxy and then the receiver requests data. In this phase, the sender who receives the request from the receiver generates a reencryption key using his/her private key and the receiver's public key and delivers it to the proxy. The proxy receiving the reencryption key may obtain the receiver's cipher text by reencrypting the sender's ciphertext with the reencryption key as shown in Figure 5.
(1) Reencryption Key Generation. The sender S receiving the request of the recipient R selects random value π ∈ G 2 and t ∈ ℤ * q . Then, the reencryption key RK S→R is generated for converting C S to C R .
RK S→R is then sent to the proxy by sender S.
(2) Reencryption. The proxy generates the reencrypted ciphertext C R using the following operation using the ciphertext C S and the reencryption key RK S→R of sender S.

Wireless Communications and Mobile Computing
If sender S cannot access the proxy, any member of group G can perform the 4.2.5 delegated data sharing phase on behalf of the sender S.
(3) Redecryption. Receiver R decrypts a ciphertext C R received from a proxy by using his/her private key sk R to obtain w = Dec sk R ðc 4 Þ. Finally, receiver R can compute the plaintext m.
4.2.4. Initialize of the Group Delegation Phase. In this phase, the sender generates and transmits a value to the proxy and the delegates who will generate the reencryption key on their behalf, as shown in Figure 6.
(1) Group Delegation. Sender S sets up the delegate group G = fG 1 , ⋯, G k g ðG k ∈ U i Þ to delegate its authority. Sender S randomly selects a, δ ∈ ℤ * q and w ∈ f0, 1g l 2 and computes g a , z: Then, sender S computes L i and y j for j = 1, 2, ⋯, k.
L j ← e g a j , g x•d j : Sender S computes f ðxÞ and E and outputs σ.
(2) Proxy Delegation. Sender S uploads an additional value σ ′ ′ to the proxy to enable delegate reencryption. σ ′ ′ is a value that enables the proxy to be reencrypted by the delegated group member.

Delegated Data Sharing
Phase. When the sender leaves the company due to a business trip, etc., they can add the delegation information to the data, which is to be delegated to the concerned authority. Thereafter, when the sender is absent, the delegated group member can generate a delegation reencryption key using the delegated information on behalf of the sender and provide the reencrypted data to the receiver as shown in Figure 6.
(1) Delegated Group Member Setup. Sender S sends σ′ to all delegate group members. And each group member G j constructs f ðxÞ and obtains m using σ′ = ðE, g a , z, g n−1 , ⋯, g 1 , g 0 Þ as follows: Each group member G j checks z as follows: (2) Delegated Reencryption Key Generation. Group member G j generates a delegated reencryption key DRK S→R using the acquired v.
DRK S→R is then sent to the proxy by one of group member G j .

Wireless Communications and Mobile Computing
(3) Delegated Reencryption. The proxy generates the reencrypted ciphertext C R using the following operation using ciphertext C S and the delegated reencryption key DR K S→R = ðc 3 , H v 2 ðπÞ, H 3 ðeðg a j , g x•d j ÞÞ Þ of sender S.
C R = ðc 1 , c 2 ′ , c 3 Þ is then sent to receiver R by the proxy.
(4) Delegated Redecryption. Receiver R decrypts a ciphertext C R received from a proxy by using his/her private key sk R to obtain ω. Finally, receiver R can compute the plaintext m.
(5) Trace. If illegal generation of the delegated reencryption key is confirmed, sender S can browse the information of the group member who generated the delegated reencryption key. To do this, sender S creates γ using the IDs of all members in the group. In this process, if the ID of the user who created the delegated reencryption key DR K S→R is used, the correct γ is created, and the perpetrator can be identified through this.

Analysis of Proposed Scheme
This section analyzes the proposed scheme and explains the results. We analyze the achievement of the proposed scheme with respect to the security requirements and then the efficiency.

Analysis of Security
Requirements. This section analyzes whether the proposed scheme meets the security requirements.
5.1.1. Confidentiality. The owner of the data encrypts the data source m with his/her public key pk i , converts it to C i , and uploads it before uploading the data to the proxy. In addition, the decryption of the encrypted data must use the private key sk i corresponding to the public key pk i used for data encryption. The decryption operation is as follows, and the data source m can be obtained through the decryption operation.
5.1.2. Integrity. The ciphertext C i stored in the proxy consists of C i = ðc 1 , c 2 Þ. c 1 is necessary for decrypting c 2 , and if c 1 or c 2 is tampered with, the data owner cannot confirm that the source data is correct, and thus the data is tampered with.

Availability.
Sender S can decrypt data using his/her private key sk S , and receiver R can decrypt ciphertext C S with his/her private key sk R as follows.
5.1.4. Access Control. Sender S stores their generated ciphertext in a proxy. Thereafter, when another user requests the use of the data, the sender S can generate a reencryption key RK S→R by combining his/her private key and the receiver R's public key. The generated reencryption key R K S→R is transmitted to the proxy to generate a ciphertext C R that the receiver R can decrypt as follows.

Wireless Communications and Mobile Computing
Thereafter, the receiver who has received the reencrypted data C R can obtain the data source by decrypting the corresponding ciphertext with his/her private key sk R .
5.1.5. Forward Secrecy. Sender S uses his/her private key sk S and the receiver R's public key pk R to generate a reencryption key RK S→R . In addition, the sender S creates the reencryption key RK S→R using the one-way function H 2 ð·Þ and the difficulty of discrete algebra (DLP) such that he/she cannot extract his/her private key sk S from the reencryption key.
5.1.6. Delegated Reencryption. If sender S is unable to access the data, the other members of the preconfigured group are delegated the authority to reencrypt the encrypted data without the sender S's private key sk S . For this, the sender S performs a separate operation as follows so that the delegated group member G j can generate the delegated reencryption key DRK S→R .

Efficiency
Analysis of the Proposed GD-PRE Scheme. Table 1 shows the characteristics of the proposed scheme. This proposed scheme was designed by applying an encryption scheme using the existing multireceiver encryption [28][29][30][31]. Here, the delegate group includes the sender and the delegate group member, and users included in the delegate group can generate the delegate reencryption key. In this proposed scheme, there is no separate group formation process, and the sender designates a user to delegate his/her authority and transmits the value in one direction. Therefore, even if the number of members of the delegation group increases, the number of communications does not increase. As a result, it is possible to share data through a member of a delegated group when the sender is absent, without showing significant difference in terms of general proxy reencryption and computational requirements.

Conclusions
Proxy reencryption is a technology that converts (reencrypts) data encrypted with a public key such that other users can decrypt it with their private key. Therefore, it is not necessary to decrypt the encrypted data for data sharing; hence, it has the efficiency of operation and communication. In addition, when proxy reencryption is used, data is encrypted and uploaded to the cloud storage, such that it can later be easily shared through the generation of a reencryption key at the request of another user. By utilizing these features, corporate cloud storage can efficiently manage data such as collaboration and business data delivery. However, in a corporate environment, employees are not always resident in the company, but often leave the workplace on business trips, vacations, etc. When the data owner is away and receives a request to share data from another employee, the data owner must return to the company to provide the data. If the data owner urgently needs important business data while on a long-term overseas business trip, they have no alternative other than providing his/her own private key. However, such private key sharing is a serious security breach and can pose considerable risk to the company and the individual themselves. This study was conducted to solve this problem.
In this study, we propose a scheme that allows a preformed group to perform reencryption key generation in the event of an emergency by applying existing IBPRE techniques. The proposed scheme is designed for situations in which general IBPRE techniques cannot be used by owners of data in data self-sovereign environments, such as enterprise environments. In such environments, as the individual directly controls his/her own data, the sovereignty of his/her data can be guaranteed. However, if an individual cannot exercise sovereignty, such as when they are rendered unconscious in an emergency, data that are necessary for handling the emergency cannot be accessed. Therefore, in the proposed scheme, users form groups with other trusted individuals in advance. Therefore, in the event of an emergency, group members can control data by reencrypting the data of other users on their behalf, which can solve the limitations of self-sovereign data in existing enterprise environments.

Data Availability
No data were used.

Conflicts of Interest
The authors declare that there is no conflict of interests regarding the publication of this paper.