IoT-Assisted Cloud Data Sharing with Revocation and Equality Test under Identity-Based Proxy Re-Encryption

Abstract

Cloud services, favored by many enterprises due to their high flexibility and easy operation, are widely used for data storage and processing. However, the high latency, together with transmission overheads of the cloud architecture, makes it difficult to quickly respond to the demands of IoT applications and local computation. To make up for these deficiencies in the cloud, fog computing has emerged as a critical role in the IoT applications. It decentralizes the computing power to various lower nodes close to data sources, so as to achieve the goal of low latency and distributed processing. With the data being frequently exchanged and shared between multiple nodes, it becomes a challenge to authorize data securely and efficiently while protecting user privacy. To address this challenge, proxy re-encryption (PRE) schemes provide a feasible way allowing an intermediary proxy node to re-encrypt ciphertext designated for different authorized data requesters without compromising any plaintext information. Since the proxy is viewed as a semi-trusted party, it should be taken to prevent malicious behaviors and reduce the risk of data leakage when implementing PRE schemes. This paper proposes a new fog-assisted identity-based PRE scheme supporting anonymous key generation, equality test, and user revocation to fulfill various IoT application requirements. Specifically, in a traditional identity-based public key architecture, the key escrow problem and the necessity of a secure channel are major security concerns. We utilize an anonymous key generation technique to solve these problems. The equality test functionality further enables a cloud server to inspect whether two candidate trapdoors contain an identical keyword. In particular, the proposed scheme realizes fine-grained user-level authorization while maintaining strong key confidentiality. To revoke an invalid user identity, we add a revocation list to the system flows to restrict access privileges without increasing additional computation cost. To ensure security, it is shown that our system meets the security notion of IND-PrID-CCA and OW-ID-CCA under the Decisional Bilinear Diffie-Hellman (DBDH) assumption.