Certificateless Group to Many Broadcast Proxy Reencryptions for Data Sharing towards Multiple Parties in IoTs

Proxy reencryption delegates encrypted data stored in a proxy to a third party. This proxy reencryption takes the form of one sender providing data to one receiver. However, this method incurs a signi ﬁ cant overhead for both the sender and proxy as the number of users receiving the same data increases. In addition, in a large-scale environment, such as an Internet of Things or big data environment, a scenario where several workers jointly create and own an output may exist. In such an environment, ownership disputes can arise when only one operator owns a piece data used by other operators. In this study, to solve this problem, we propose a technique in which multiple users can jointly own one piece of data, and multiple recipients can receive the same data through proxy reencryption.


Introduction
The development of information technology has brought about numerous changes to data storage and utilization technology. The Internet, which is the most widely used network, has made it possible to transmit and use data anytime and anywhere without restrictions in time and place. Internet technologies have been developed to achieve improved speeds, allowing more data to be transmitted concurrently. In addition, the Internet can be used in a wireless form. Storage media that allow more data to be stored and used in a unit area have also been developed. Because more data can be stored in a smaller space, removable storage devices have emerged, and removable storage media have provided an environment in which data can be held and utilized more efficiently. The development of such network technologies and storage media has recently achieved a rapid growth and has taken on various forms, reaching the stage of virtual storage spaces such as cloud computing. We believe that this change in the environment is a transition from an environ-ment using a storage medium to an environment using a storage space, and that the change in such an environment is accelerating.
Gartner, an American information technology research and advisory firm, publishes the Top Strategic Technology Trends and Hype Cycles [1]. Cloud computing is an important strategic technology to the extent that it is selected by this publication every year. However, despite the growing awareness and importance of cloud computing, many companies and institutions are hesitant to adopt it for security reasons. Because cloud computing technology is always connected to a network, it is continuously exposed to data leakage and multiple foes using the network. Therefore, security technology is essential when introducing cloud computing. The secure storage and transmission of data are essential for a secure cloud computing environment. In addition, cloud storage, a subclass of cloud computing technology, stores data and must provide availability for future use. Therefore, cloud computing must consider more security factors than portable storage media.
Cloud storage is a representative technology for storing data using cloud computing technology. As described above, cloud storage can be used as storage space by utilizing network technology, and in this way, the digital data can be stored and used without a physical storage medium. Using the advantages of cloud storage, one can not only store and use one's own data, such data, and also be shared with other users. Data sharing in this manner increases the efficiency because data can be passed through the cloud storage without being passed directly between the data owner and recipient. In addition, even when sharing the same data with multiple recipients, it achieves the advantage of being able to transmit data from cloud storage without the need for the owner to transmit the data each time the data are accessed. However, as described above, the cloud computing technology used over a network is continuously exposed to data leakage and security threats. Therefore, the security factor must be considered in data-sharing methods using cloud storage.
To securely share data using cloud storage, protection of both the data and transmission process must be considered. In general, a cloud storage server is a remote server managed by a data owner and other administrators. Such a server has an honest-but-curious characteristic, which processes the user's request accurately but always incurs the possibility of exposing the data. Therefore, if an owner's sensitive data are stored in cloud storage, there is a possibility that the content of the data will be exposed. Data encryption must be applied to solve this problem. Data encryption technology refers to a technology in which only a user who possesses a decryption key corresponding to the encryption key of the data can view the content of the encrypted data. Therefore, only a user who has a decryption key corresponding to the encryption key used for the data uploaded by the owner can view the content of the data. Two encryption algorithms may be primarily used for this encryption method, and a total of four encryption methods may be used by combining the two encryption algorithms. However, these four encryption methods cannot be applied to data-sharing methods using cloud storage because each of them has certain problems such as a key distribution, computational inefficiency, and exposure to the data source. To solve this, a proxy reencryption technique has been proposed.
Proxy reencryption technology securely shares data using a proxy server, as proposed by Blaze et al. in 1998 [2]. Proxy reencryption technology refers to a technology that stores data encrypted with the owner's encryption key in the proxy and then converts the encrypted data into a specified number of cipher texts. During this process, because the proxy does not decrypt the encrypted data, the contents of the data cannot be known, and the receiver can decrypt the data using its own private key. Therefore, the data are not exposed during the process of data storage and delivery. With this proxy reencryption technology, the proxy may be represented by cloud storage, and if such technology is used, data can be shared securely and efficiently in the cloud storage environment.
As large-scale network environments such as IoT, secure e-mail, and connected cars become more common, cases of data sharing between multiple users are increasing [3][4][5].
In such an environment, data sharing using cloud storage can be an effective way to deliver data securely and efficiently to multiple users. However, because general proxy reencryption technology uses a 1 : 1 data transmission method, it cannot support multiple data owners or multiple data receivers. In this case, to provide the same data to multiple recipients, it is necessary to generate a reencryption key and conduct as many reencryption operations as the number of recipients. In addition, even when multiple workers collaborate to create a single data point, only one worker can be the owner. In this case, because the data cannot be efficiently owned or shared in a large-scale data ownership and reception environment, an appropriate method that considers these issues is required. This study was conducted to provide a method that considers multiple owners and recipients simultaneously. Thus, it provides a method for flexibly and efficiently carrying out the ownership and sharing of data using proxy reencryption technology.

Related Works
This section describes related studies for a proper understanding of this study.
2.1. Secure Data Sharing. As a basic concept of data-sharing technology, data owners give permission for their data to be available to other users. In existing systems, such as Linux or Windows, ownership of data is provided in the same form as RWX, and the meanings of readable, writable, and executable are the same. This indicates that data ownership is further subdivided and provided as a logical form of usage rights. By contrast, from a cryptographic perspective, data ownership can be accessed in the form of determining whether data can be decrypted. That is, if one has a decryption key corresponding to a key having encrypted data, it can be determined that one has ownership of the data because the data source can be obtained through decryption. Therefore, the method of sharing data through such a cryptographic concept can be accessed by delegating the decryption authority of the encrypted data [6].
A method of providing the decryption rights of encrypted data to another user can be approached in four major ways using a symmetric key encryption algorithm, and a public key encryption algorithm is shown in Figure 1 (1) Use of only symmetric key encryption: with this method, the data that the sender uploads to the proxy are first encrypted with the sender's own symmetric key and uploaded. When the receiver requests data, the proxy delivers a ciphertext of the sender to the receiver, and the sender must deliver its symmetric key to the receiver. When this method is applied, both the sender and receiver can conduct encryption/decryption using a symmetric key. However, this process requires a symmetric key distribution process. Symmetric key eavesdropping by an attacker may occur during the process of symmetric key distribution. In addition, because the symmetric key delivered to the recipient cannot be delivered to 2 Wireless Communications and Mobile Computing another recipient, reusing the ciphertext uploaded to the proxy becomes impossible. Therefore, the data sharing method using symmetric key encryption is unsuitable in terms of security and efficiency (2) Use of only public key encryption: with this method, the data that the sender uploads to the proxy are first encrypted with the sender's public key and then uploaded. When the receiver requests data, the proxy delivers the sender's ciphertext to the receiver. However, because this method can only be decrypted using the sender's private key, the sender must deliver his or her private key to the receiver. However, in this case, the sender's private key is exposed by other users, which can lead to serious security problems. Consequently, the receiver cannot decrypt the ciphertext of the sender without lowering the level of security (3) Complex use of public key encryptions: with this method, the data uploaded by the sender to the proxy are first encrypted and uploaded with a symmetric key shared between the sender and the proxy. Upon receiving the data, the proxy decrypts the ciphertext of the sender using a symmetric key to obtain the original data. After that, just like the 2. Use of only public key encryption method, the data source is encrypted with the recipient's public key and delivered to the recipient, who can decrypt it.
As with the method that uses public key encryption multiple times, the data source is encrypted with the recipient's public key and delivered to the recipient, and the recipient can decrypt it. In this method, even if there are many recipients, the proxy can directly perform encryption with the public key of each recipient, so that the computational burden on the sender is not increased. As with the method of using public key encryption multiple times, even if the number of recipients increases, the computational burden on the sender does not increase because the proxy can conduct encryption directly  3 Wireless Communications and Mobile Computing using the public key of each recipient. However, this process allows the proxy to know the list of recipients, exposing the contents of the data source to threats both inside and outside the proxy. Therefore, the method of using public key encryption and symmetric key encryption together has the efficiency of data sharing but without guaranteeing security (4) Complex use of public key encryption and symmetric encryption: with this method, the data that the sender uploads to the proxy are first encrypted with the sender's public key and then uploaded. When the receiver requests data, the proxy delivers the sender's ciphertext to the receiver. However, because this method can only be decrypted using the sender's private key, the sender must deliver his or her private key to the receiver. However, in this case, the sender's private key is exposed by other users, which can lead to serious security problems. Consequently, the receiver cannot decrypt the ciphertext of the sender without lowering the level of security As described above, use of the symmetric and public key encryption methods to securely share data through cloud storage does not provide sufficient security. Therefore, a method that can provide both security and efficiency throughout the data sharing process is required. Various studies have been conducted to satisfy such requirements, and proxy reencryption technology has been proposed.

Proxy
Reencryption. In 1998, Blaze et al. proposed proxy reencryption (PRE) [2], which is a technology that transforms data through a proxy and delivers them securely to the receiver. This technology converts data encrypted using the sender's public key into data encrypted using the receiver's public key at a proxy. Through this process, the private keys of the sender and receiver, as well as the original data, are not exposed because data decryption is not applied. Using proxy reencryption, data can be securely stored in cloud storage and shared efficiently by converting the data into the recipient's ciphertext at the request of the recipient. The basic form of such a proxy reencryption is shown in Figure 2, and research on various sharing methods using proxy reencryption technology is currently underway.
Proxy reencryption comprises five steps: encryption, reencryption key generation, reencryption, decryption, and redecryption. The details of each step are as follows: (i) Encryption: in this step, the data owner encrypts the data and uploads them to a proxy. To this end, the data owner encrypts the data using his or her own encryption key, such that the source of the data cannot be known. The encrypted data are then delivered to the proxy through the public network and stored. In this case, the proxy cannot know the contents of the data stored in the proxy, and even if the encrypted data are exposed or leaked, decryption corresponding to the encryption key is applied, and a user without a key cannot know its contents (ii) Reencryption key generation: in this step, the data owner provides the receiver with the authority to decrypt his or her data stored in the proxy. For this, the data owner first receives the information of the recipient who requested the data. The data owner then creates a reencryption key by combining the information of the recipient with his or her own decryption key and secret information. The data owner can control the reencryption by passing the generated reencryption key to the proxy. In this case, the proxy and attacker should not be able to obtain the secret information of the data owner through the reencryption key (iii) Reencryption: this step refers to the process of converting the encrypted data of the data owner into receiver data. To this end, the proxy applies a reencryption algorithm using the cipher text and reencryption key received from the data owner, and as a result, can obtain a reencrypted cipher text. In this case, the reencrypted cipher text is the cipher text in which the decryption authority is delegated from the data owner to the receiver, and the proxy cannot know the contents of the data during the reencryption process. The reencrypted ciphertext is then sent to the receiver (iv) Decryption: in this step, the data owner decrypts the ciphertext. This step is conducted to obtain the data source by downloading the ciphertext uploaded by the data owner to the proxy during the encryption step again by the data owner. Accordingly, the data owner represents the data decryption process using a decryption key that corresponds to the encryption key used for data encryption. This process represents a typical encryption-decryption relationship and shows that data owners can reuse their data at will (v) Redecryption: in this step, the receiver decrypts the reencrypted ciphertext. To this end, the receiver receives the reencrypted cipher text from the proxy and performs a process of decrypting the received cipher text using its decryption key. At this time, if the recipient is not the correct recipient, the data cannot be decrypted even if the reencrypted cipher text is received Most proxy reencryption structures are as above, and various methods can be used to configure the above steps. Currently, most proxy reencryption studies use public-key encryption methods [7][8][9][10][11][12][13][14][15][16]. Because PKC performs encryption using a public key, it offers excellent accessibility and usability. However, additional computations and certificate management problems occur because procedures such as the generation of a certificate for the public key are essential. To solve this problem, identity-based PKC (IB-PKC) using a key issuance method through a key generation center (KGC) has been proposed [17]. Since IB-PKC was first proposed, 4 Wireless Communications and Mobile Computing various proxy reencryption studies based on IB-PKC have been conducted [7,[18][19][20][21][22]. However, in IB-PKC, because KGC directly issues the user's key, the problem of a key escrow by the KGC arises. To solve this problem, CL-PKC, a method in which a complete key is not generated by the KGC without the use of a certificate, has been proposed [23]. CL-PKC follows a method in which KGC issues only a partial secret key to each user, and the users then combine their secret information to complete a private key. Therefore, the key escrow problem of KGC does not occur. Accordingly, studies on certificateless proxy reencryption (CL-PRE) have recently been conducted using CL-PKC [24][25][26][27].

Multireceiver Encryption.
Multireceiver encryption (MRE) is a technology that grants the same data decryption authority to multiple recipients with only a single encryption. MRE has been utilized in various studies based on PKC as shown in Figure 3 [28][29][30][31][32][33][34][35][36]. However, the existing MRE method has the problem of receiver identification. This is because the recipient can be identified by extracting the recipient information included in the ciphertext. To solve this problem, a method for specifying the receiver using a polynomial has been proposed [37]. Using this method, the receiver's information cannot be extracted by combining it with a polynomial. However, other studies have demonstrated that this scheme can obtain the recipient's identity [38,39]. Fan et al. proposed an improved version of this scheme [40]. In addition, Zhang and Takagi proposed a method in which both the sender and receiver are anonymous [41]. However, Zhang and Mao found that this scheme does not provide complete anonymity; therefore, they proposed a new type of identity-based MRE (IB-MRE) [42]. However, after the key escrow problem of IB-PKC was presented, a study was conducted on applying CL-PKC to MRE. Based on research conducted on CL-MRE, Sur et al. improved the implicit certificate-based MRE proposed in 2007 [43] and proposed CL-MRE in 2011 [44]. In addition, Islam et al. proposed a CL-MRE, which achieved confidentiality and anonymity in a random oracle model [45]. However, Hung et al. pointed out a large number of computations, similar to that indicted by Islam, which takes a lengthy computation time [46]. However, Hung et al. also had a problem in that the map-to-point (MTP) hash operation, which requires a lengthy operation time, increases linearly in proportion to the number of users. He et al. [47] proposed a method that does not use a map-to-point (MTP) hash to solve this problem. Although Deng et al. [48] and Zhu et al. [49] proposed CL-MRE to solve the key escrow problem, a considerable computational load was incurred using bilinear pairing, and the scheme developed by Zhu et al. did not provide additional receiver anonymity. Although Win et al. [50] did not use bilinear pairing, they also did not provide receiver anonymity or decryption fairness.  Figure 2: Basic proxy reencryption method.

Preliminaries
This section describes the basic environment and settings for understanding the scheme proposed in this study.

System
Model. This section describes the system model used in the present study. The participants in this system model are divided into KGC, proxy, user, owner, and receiver, and the description of each participant is as follows.
(i) Key generation center (KGC): with this model, KGC plays a role in managing the system administrator or users in the system. KGC manages all users in the system and registers and manages users through preset settings. In addition, common parameters are created and disclosed such that all participants can conduct the operations of a predetermined algorithm. Using these parameters, all participants can generate their own keys or conduct such predetermined algorithm operations. At this time, to avoid the key escrow problem caused by the KGC, the KGC cannot know the user's complete key (ii) Proxy: with this model, a proxy indicates a remote server that can store and distribute data between users. The most representative form of a proxy is cloud storage, which can store, transmit, and calculate data according to the user's request. With this model, because the proxy is considered a semitrusted environment, there is a possibility that the contents of the unencrypted data may be exposed or leaked (iii) User: using this model, a user means all users including the owner and receiver. Each user has his/her own public and private keys and can encrypt and decrypt data using these keys (iv) Owner group: with this model, the owner means the group of users who own the data. It is assumed that ownership of one piece of data is shared by several users. Examples of such environments include operations, organizations, and the military. Under this environment, because each user has equal ownership, decryption and reencryption keys can be generated using the threshold method to prevent abuse of authority by one owner (v) Receiver: with this model, the receiver means all receivers who receive the data decryption right from the owner. These recipients may consist of one or more individuals, and multiple recipients who have been granted the same data rights have the same rights. In addition, each authorized recipient can decrypt the data using their own private keys

Security
Requirements. This study consists of seven security requirements. The details are as follows: (i) Confidentiality: the data that are kept in the proxy, and the data delivered through the proxy, shall not be unknown other than to the authorized user. To do this, the data must be encrypted using the encryption key, and a user who does not have a legitimate decryption key should not be able to decrypt the contents (ii) Integrity: data uploaded and shared by the sender must not be changed without permission in the process of being delivered to the cloud and the receiver and stored in the proxy. If the content is changed at all, the sender or receiver who shares the data must be made aware of the change  Wireless Communications and Mobile Computing (iii) Key escrow problem: all users who want to use the proxy must communicate with the KGC to generate a private key and public key pair. During this process, the KGC generates a user's full private key, and the KGC may increase the user's authority. This problem is called the key escrow problem, and a method for solving this problem is required (iv) Partial key verifiability: to solve the previously described key escrow problem, a key generation method in the form of a partial key can be used. In this case, each user must be able to verify whether the partial key generated and issued by the KGC to each user is generated legitimately by the correct KGC (v) Receiver anonymity: the reencrypted ciphertext in proxy storage can be decrypted by a number of designated receivers. For this purpose, the reencryption key and reencrypted ciphertext include the information generated by the public key of each receiver. However, privacy issues arise when such information allows a particular recipient or a third party to identify another receiver (vi) Decryption fairness: each legitimate receiver designated by the sender can decrypt the reencrypted ciphertext. However, through this process, a specific receiver should not be discriminated against or disadvantaged during the decryption by a specific receiver or third party 3.3. Algorithms. This section describes the algorithm used for the proposed scheme. Eleven algorithms were used in this study: Setup, Set-Secret-Value, Partial-Key-Extract, Set-Private-Key, Set-Public-Key, Set-Owner-Group, Enc, Re-Key-Gen, Re-Enc, Dec, and Re-Dec. The description of each algorithm is as follows.
(i) Setup: this algorithm is executed by inputting a security parameter. With this algorithm, the KGC generates public parameters and master secret keys and publishes the public parameters, which are made available for all users and proxies (ii) Set-Secret-Value: this algorithm is applied by the user. With this algorithm, user i calculates T i using a randomly selected t i and sends T i and ID i to the KGC (iii) Partial-Key-Extract: this algorithm is performed by KGC. Using this algorithm, the KGC generates the partial key ðR i , k i Þ of user i using ðT i , ID i Þ and mpk received from user i and sends it to user i (iv) Set-Private-Key: this algorithm is applied by the user. With this algorithm, the user calculates private key sk i using partial key ðR i , k i Þ received from the KGC. The sk i obtained is kept confidential (v) Set-Public-Key: this algorithm is applied by the user. Using this algorithm, the user calculates the public key pk i by using the partial key ðR i , k i Þ received from the KGC and the secret value t i generated by user i. The pk i values obtained are disclosed (vi) Initialization, Group Agreement: this algorithm is run by users to be included in the owner group. With this algorithm, users G j that are to be included in the owner group G exchange the public key gpk G with each other to generate the group key (vii) Enc: this algorithm is applied by users included in the owner group. In this algorithm, member G j of owner group G j encrypts plaintext m with public key gpk G of owner group G to obtain ciphertext CT. Subsequently, the obtained ciphertext, CT, is transmitted to the proxy and stored (viii) Re-Key-Gen: this algorithm is applied by users included in the owner group. With this algorithm, member G j of the owner group G uses the group private key gsk G and calculates the reencryption key RK G⟶R using the receiver's public key pk R . In this case, the receiver consists of one or more persons. Member G j of 1owner group G passes the reencryption key RK G⟶R to the proxy (ix) Re-Enc: this algorithm is conducted by a proxy. Using this algorithm, the proxy applies reencryption using the cipher text CT uploaded by the owner group G and reencryption key RK G⟶R . The reencrypted ciphertext CT R is then obtained. Subsequently, the acquired CT R is broadcast (x) Dec: this algorithm is applied by a user included in the owner group. Using this algorithm, a member G j of the owner group G can download ciphertext CT stored in the proxy. Subsequently, members G j may obtain plaintext m by decrypting the ciphertext CT with their group private key gsk G (xi) Re-Dec: this algorithm is conducted using the receiver. With this algorithm, the recipient r j included in the receiver set R decrypts the reencrypted ciphertext CT R received from the proxy with its private key sk r j , and the plaintext m can thus be obtained

Proposed G2M Broadcast Proxy Reencryption
This section describes the proposed scheme. For this purpose, a technical overview, system parameters, and algorithm construction are described.
The scheme was designed based on Kim et al. [51] and Braeken [52]. This scheme is mainly composed of five phases, each of which comprises a Setup Phase, Key Generation Phase, Group Agreement Phase, Data Storage Phase, and Data Broadcast Phase as shown in Figure 5. A detailed description of each phase is given.

Setup
Phase. This phase includes a Setup algorithm. This phase is performed by the KGC in advance so that each user can use the proxy. Here, a master public key that can be (i) Setup ðλÞ ⟶ ðmsk, mpkÞ: this algorithm is executed by the KGC. With security parameter λ as the input, the KGC performs the following process: (1) Choose two λ-bits prime integers p, q and elliptic curve E defined on F p . Let G be an additive group on the elliptic curve E and G q be a subgroup of G with prime order q (2) Select randomly a generator P ∈ G q (3) Randomly choose d ∈ ℤ * q as the msk and calculate P pub = d•P which is part of mpk Select five secure one-way hash functions as follows: Here, l 1 and l 2 are the lengths of the bit string and are determined by the security parameter λ.

Key Generation Phase.
In this phase, the Set-Secret-Value, Partial-Key-Extract, Set-Private-Key, and Set-Public-Key algorithms are executed. Each user generates his/her own private key and public key pair so that he/she can use the proxy. Furthermore, each user communicates with the KGC to receive a partial key and uses the partial key to generate his/her own public and private key pair, as shown in Figure 6.
(ii) Set-Secret-Value: this algorithm is executed by user i. User i randomly selects t i ∈ ℤ * q and maintains security. User i computes T i = t i •P as the public key, and user i sends ðT i , ID i Þ to the KGC (iii) Partial-Key-Extract: this algorithm is performed by the KGC. According to the identity ID i of user i, the KGC performs the following steps.
(1) Randomly select r i ∈ ℤ * q and compute R i = r i •P (2) Calculate a part of the partial private key k i as follows: (3) After that, partial key ðR i , k i Þ is delivered to user i through a public channel (iv) Set-Private-Key: this algorithm is executed by user i. After receiving the partial key ðR i , k i Þ from the KGC, user i verifies it as shown in Eqs. (2) and (3). If the key is verified, user i computes the private key sk i = ðs i , t i Þ as follows: (4) Verify whether the following equation holds: (5) If not, return ⊥; otherwise, user i compute s i .
(6) Subsequently, user i keeps secret sk i = ðs i , t i , k i Þ as his/her full private key (v) Set-Public-Key: this algorithm is performed by user i . User i keeps pk i = ðR i , T i Þ as a full public key

Group Agreement
Phase. This phase includes the Initialization and Group Agreement algorithms. It represents the process of forming a group of users who jointly own data. Through this process, all users belonging to a group have equal ownership.
(vi) Group Agreement: this algorithm is performed by all group members G i who will form group G. Each member creates a secret to share with other members using their private sk i and public keys pk i . Each member transmits the generated shared secret to other members and generates a group public key gpk G and a group private key gsk G using the shared secret sent by other members and their own shared secret as follows: (8) Group member G i computes h 1 and h 2 for each other group member G j ð1 ≤ j ≤ n, j ≠ iÞ (9) Group member G i chooses a i ∈ ℤ * q and computes session key ssk ij between G i and G j and encrypts a i using a symmetric encryption algorithm

10
Wireless Communications and Mobile Computing (10) Group member G i sends x i,j ð1 ≤ j ≤ n, j ≠ iÞ to each group member and receives x j,i ð1 ≤ j ≤ n, j ≠ iÞ from the other members (11) All group members of group G obtain the a i ð1 ≤ j ≤ nÞ generated by each group member through the following operation: (12) Group member G i computes group private key gsk G = t G and group public key gpk G = T G t G ⟵ a 1 + a 2 +⋯+a n , 4.3.4. Data Storing Phase. The Enc and Dec-1 algorithms are executed in this phase. This phase represents the process of group member G i encrypting his/her data with the group public key gpk G and storing it in a proxy. In addition, group member G i downloads his/her own data stored in the proxy, and a decryption process is included using the group private key gsk G to obtain the data source again.
(vii) Enc: this algorithm is performed by group member G i . Group member G i encrypts message m with ciphertext CT by entering the group public key gpk G = T G and message m ∈ M. Then, the ciphertext CT is uploaded to the proxy (13) Group member G i computes w, z, and Z using given message m ∈ M and gpk (14) Group member G i chooses α ∈ ℤ * q and calculates β, θ, and C as follows: (15) Group member G i generates the ciphertext CT ⟵ ðC 1 , C 2 , C 3 Þ = ðC, Z, βÞ. The generated CT is then uploaded and stored as a proxy (viii) Dec-1: this algorithm is performed by group member G i . Group member G i can download the ciphertext CT ⟵ ðC 1 , C 2 , C 3 Þ = ðC, Z, βÞ from the proxy. Group member G i who has downloaded the ciphertext CT can obtain the plaintext m by decrypting the ciphertext CT with his/her group private key gsk G = t G (16) Group member G i calculates θ ′ by inputting gsk G and C 3 (17) Group member G i computes m by inputting (18) Verify whether the following equation holds.
If not, return ⊥; otherwise, group member G i keeps the plaintext m Þ P, 4.3.5. Data Broadcast Phase. This phase includes the Re-Key-Gen, Re-Enc, and Dec-2 algorithms. In this phase, group member G i generates a reencryption key for a set of recipients and passes it to the proxy. After receiving the reencryption key, the proxy reencrypts the encrypted data and broadcasts them to the recipients. A receiver that has received the broadcast ciphertext can obtain the message by decrypting the ciphertext with its private key.
(ix) Re-Key-Gen: in this algorithm, group member G i specifies a set of recipients R = ðr 1 , r 2 ,⋯,r n Þ and generates a reencryption key RK G⟶R to delegate the ciphertext CT (19) Group member G i computes U j for all receiver r j ðr j ∈ RÞ (20) Group member G i computes a polynomial f ðxÞ with degree n using γ ∈ ℤ * q as follows:

Analysis of the Proposed G2M BPRE Scheme
In this section, we perform a security analysis and computational analysis of the security requirements of the proposed scheme.

Analysis of the Security Requirements.
In this section, we analyze the security requirements presented in Section 3.2.
Here, we analyze the security of the seven security requirements, as shown in Table 1.
(i) Confidentiality: this proposed method performs an encryption operation based on elliptic curve encryption. Because elliptic curve encryption provides high security, even with a short key, efficient encryption is possible. The proposed method uses this elliptic curve encryption method such that a user without a decryption key cannot know the contents of the data. First, the proposed method encrypts a message using a public key:

12
Wireless Communications and Mobile Computing Here, message encryption is performed by the XOR operation, and θ in the XOR operation is created with the owner's public key. In addition, the owner's private key is required to create θ using the ciphertext C 3 . Accordingly, the ciphertext of the proposed method can only be decrypted with the group private key psk G paired with the group public key gpk G used for encryption.
(ii) Integrity: recipients who decrypt the data can verify the integrity of the data using the values contained in the integrity ciphertext and parameters of the public KGC. The proofing methods are as follows.
where Z = zP and z = H 1 ðmkwÞ. The receiver that decrypts the ciphertext CT R can obtain message m and verification value w. Here, H 1 ðmkwÞ is equal to z; thus, the integrity of the message can be verified by determining whether H 1 ðmkwÞP is equal to C 2 = Z.
(iii) Key escrow problem: in the certificate-based public key encryption method, a certificate corresponding to the public key must be issued and stored. To solve this problem, a certificateless public-key encryption method may be used. However, in the general certificate public-key encryption method, the KGC generates and delivers the user's private key. Thus, because the KGC user's complete private key is known, the key escrow problem of the KGC may occur. In this study, an algorithm is designed using the partial-key method to solve this problem First, the user creates his/her secret value t i , converts it into T i , and transmits it to the KGC. Upon receiving T i , KGC generates a secret value r i for the user, generates k i through the following calculation process, and delivers ðR i , k i Þ to the user.
The user who receives ðR i , k i Þ from the KGC calculates s i using k i and t i known only to the user as follows: Thereafter, the user uses ðs i , t i , k i Þ as private keys and ð R i , T i Þ as public keys.
Finally, T i generated by the user and R i generated by the KGC are used as public keys. Consequently, the partial key known to the KGC and the unknown partial key are as follows: KGC only knows pk i = ðT i , R i Þ and k i KGC cannot knows sk i = ðs i , t i Þ (iv) Partial key verifiability: the proposed scheme uses a partial key in the key generation process to solve the key-escrow problem. However, it is possible for the malicious KGC to deliver the generated partial key with a value other than the T i passed to the KGC by the user. To solve this problem, the proposed scheme provides a partial key verification function through the following operation: where k i = r i + dH 7 ðR i , T i , ID i Þ + H 5 ðdT i , ID i Þ, R i = r i P, T i = t i P, P pub = dP: ð28Þ