Leakage resilient ID-based proxy re-encryption scheme for access control in fog computing

Accepted Manuscript Leakage resilient ID-based proxy re-encryption scheme for access control in fog computing Zhiwei Wang

PII: DOI: Reference:

S0167-739X(17)31007-5 https://doi.org/10.1016/j.future.2017.12.001 FUTURE 3839

To appear in:

Future Generation Computer Systems

Received date : 13 May 2017 Revised date : 12 October 2017 Accepted date : 3 December 2017 Please cite this article as: Z. Wang, Leakage resilient ID-based proxy re-encryption scheme for access control in fog computing, Future Generation Computer Systems (2017), https://doi.org/10.1016/j.future.2017.12.001 This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to our customers we are providing this early version of the manuscript. The manuscript will undergo copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please note that during the production process errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain.

Leakage Resilient ID-based Proxy Re-encryption Scheme for Access Control in Fog Computing Zhiwei Wang 1.School of Computer, Nanjing University of Posts and Telecommunications, Nanjing 210003, China 2.Jiangsu Key Laboratory of Big Data Security and Intelligent Processing, Nanjing 210023, China 3.Shanghai Key Laboratory of information security integrated management technology, Shanghai 200240, China Email: [email protected]

Abstract—In fog computing, fog-devices are usually physically close to end-devices, and have a high speed connection with cloud servers. They provide good access control service for end-devices to cloud, if an ID-based proxy re-encryption scheme is deployed on them. Each file stored on a cloud sever is encrypted using a symmetric key, and these keys are encrypted by a public master key which is stored in a fog-device. If an end-device want to access a file in cloud, then the fog-device reencrypts these encapsulated symmetric keys from the master key to the key of the end-device. However, due to the geographic dispersion of fog-devices, they are apt to be attacked by side channel attacks. In this work, we propose a leakage resilient ID-based proxy re-encryption scheme in auxiliary input model. It can resist the continuous leakage of secret keys caused by side channel attacks. We implement our scheme over two platforms, and the results show that our scheme is feasible in practice. Keywords-fog-devices; ID-based proxy re-encryption; access control; auxiliary input; leakage resilient

I. I NTRODUCTION Fog (From cOre to edGe) computing, a term coined by Cisco in 2012[1], is a distributed computing paradigm, that empowers the network devices at edge levels with various degrees of computational and storage capability. Fog computing serves the demands of the realtime, latencysensitive applications in the context of IoT systems[2], [3]. In IoT system, the physical world and cyber world are more tightly coupled than before, which makes the physical world easy to be attacked, since a malicious instruction from the cyber world may bring serious damage for the physical world. Thus, we hope that IoT security issues can be handled effectively by fog computing. As Fig.1, the IoT system is a typical three-layer architecture[4], including a fog layer. We depict these layers as follows. 1)Things layer, which is used to collect data and control the physical world[5]. Most end-devices in the things layer are resource-constrained, which is low as 64 bytes of RAM and 2KB of storage[6]. 2) Fog layer, which is introduced to help end-devices. Fog-devices, such as smartphones, routers, and home servers, also help connect end-devices to the clouds. There are some advantages in deploying security services at the edge layer. Firstly, fogdevices have much more resources than the end-devices.

And then, end-devices can can leverage these resources to offload computation-intensive tasks. Secondly, fog-devices are physically close to end-devices, which can set up the relatively stable relationship. Finally, fog-devices can be used to access control from end-devices to clouds. 3) Cloud layer, which is resource-rich, and can be used to store, process, and analyze the collected data. The fog layer usually has high-speed connection with the cloud layer, and it is easy for the fog-devices to get extra support from clouds as needed. Fog computing refers to the enabling technologies allowing computation to be performed at the edge of the network. Here we define fog as any computing and network resources along the path between end-devices and cloud centers. For example, a smart phone is at the fog between body end-devices and cloud, a gateway in a smart home is at the fog between home end-devices and cloud. In fog computing, data security protection are the most important services that should be provided[7]. Keeping the computing at fog (the edge of the network) may be a decent method to protect data security, but two challenges remain open. First is the missing of efficient tools to protect data security at the fog. Some of the end-devices and fog-devices are highly resource constrained so the current methods for security protection might not be able to be deployed on the fog because they are resource hungry. Second is the awareness of security to the fog. We take WiFi networks security as an example. 89% of public WiFi hotspots are unsecured. If fog-devices are located in such unsecured network, then cryptographic primitives running on the fog-devices can leak additional information, such as the computation time, powerconsumption, radiation/noise/heat emission etc. Moreover, the highly dynamic environment at the fog also makes the network become vulnerable or unprotected. It is difficult for enforcing cryptographic access control over remotely stored data in cloud[12], [13]. If the encrypted data is given a classification level, and keys are shared with users according to access control policy, then re-encryption is used to enforce changes to the policy. In particular, reencryption can signify a change in user access rights. Proxy re-encryption enables a third party (proxy) to re-encrypt a ciphertext using an update token generated by the user, in

Figure 1.

Hierarchical Structure of Internet of Things

such a way that neither the decryption keys nor plaintext are revealed[8], [9], [10], [11], [14]. The most important property of proxy re-encryption schemes is that the proxy is not fully trusted, i.e., it does not know the decryption keys and does not learn the plaintext during the translation. ID-based proxy re-encryption may be more useful for IoT systems than the normal proxy re-encryption, since it does not need the public-key infrastructure (PKI) and a secure database to store key pairs[15]. Fig. 2 shows an ID-based proxy re-encryption scheme is deployed on a fog-device1 , which provides access control service for the streaming cloud. Each multimedia file stored on an untrusted streaming cloud server is encrypted using a symmetric key K. These keys are encrypted by a public master key , and the ciphertexts are stored in a fog-device. If a DVD player wants to access an encrypted multimedia file in cloud, then the semitrusted fog-device re-encrypts the encapsulated symmetric key K from the public master key to the identity of this DVD player. Then, the DVD player can decrypt K using its secret key, and then access the multimedia files downloaded from streaming cloud using K. It is a challenge for ID-based proxy re-encryption scheme deployed for fog-devices, since the fog-devices have limited expensive tamper-proof memory and are graphically dispersed, and thus the re-encryption keys are prompt to be leaked by the side channel attacks (Attackers can learn partial information about the secret key through observing physical properties of a cryptographic scheme execution such as power assumption, radiation, and temperature etc[16], [17], [18], [19], [20].). Our goal is to propose a leakage-resilient ID-based proxy re-encryption scheme, 1 The

fog-device may be a network gateway, a smart phone or a laptop.

which can be proved secure with leakage resiliency. Among the proposed ID-based proxy re-encryption schemes, Green et al.’s scheme[31] is very efficient, and has been proved secure under the DBDH assumption. Our motivation is to design a leakage-resilient scheme under Green et al.’s construction. The notion of leakage resilient cryptography has been proposed recently[22], and many efforts have been made in this domain. Generally, there are three leakage models have been proposed. Bounded retrieval model: In this model, the total number of bits leaked over the lifetime of system is bounded, and hope the attack is detected and stopped before the whole secret is leaked[21], [22], [23]. Continual leakage model: In this model, it is assumed the leakage between consecutive updates is bounded in term of a fraction of the secret key size, and the secret key should be refreshed continually[24], [25]. Auxiliary input model: In this model, it allows any uninvertible leakage function f that no probabilistic polynomial-time (PPT) attacker can compute the actual pre-image with non-negligible probability. That is to say, even such a function informationtheoretically reveals the entire secret key SK, it still computationally infeasible to recover SK from f (SK)[26], [27], [28]. Obviously, the auxiliary input model is the strongest leakage model, in which the secret keys do not need to be updated. For the graphically dispersed and power-limited fog-devices, refreshing keys may be very costly. Moreover, refreshing keys need to generate the new randomness,

Figure 2.

Access Control for Streaming Cloud

which is still a challenge for the fog-devices, since the randomness can also be leaked by poor implementation of a pseudorandom number generator (PRNG) in resourceconstrained fog-devices. Michaelis et al. found that there exists significant weakness of PRNG in some Java runtime libraries[29]. Some fog-devices are exposed in the open air, such as wireless gateways. The attacker can easily guess the randomness used for refreshing keys. Thus, we aims to propose leakage-resilient ID-based proxy re-encryption scheme in auxiliary input model. The key point for the designing of cryptographic schemes with auxiliary input is how to split the secret key into m pieces, which is the ”hardcore” of modified Goldreich-Levin theorem[26]. The modified Goldreich-Levin theorem states that if the pieces of secret key belong to a field GF (q) (q is a λ-bit prime), then the running time of inverter is closed to poly(2λ)2 , which cannot be born by the inverter. The contributions of this paper can be listed as follows. 1) We design an ID-based proxy re-encryption scheme with auxiliary input by modifying Green et al.’s scheme[31], which can achieve leakage resiliency. 2)From the property of strong extractor used in our construction, we prove that our scheme is auxiliary input chosen-plaintext attack (CPA) secure. 3) To evaluate the appropriacy of our scheme for the resource-constrained fog-devices and end-devices, we implement our scheme on the Intel Edison platform. The experimental result shows that our scheme is feasible in practice. Organization. Related mathematical concepts and assumptions are reviewed in Section II. Security model of ID-based proxy re-encryption with auxiliary input is defined in Section III. We design an ID-based proxy re-encryption scheme with auxiliary input in Section IV. Section V discusses the performances of our scheme. Finally, we conclude our 2 The

polynomial function of λ is denoted as poly(λ).

paper in Section VI. II. P RELIMINARY A. Bilinear Map and DBDH Assumption We assume that G and GT are two cyclic groups with the prime order p. We define e : G × G → GT be the bilinear map which has the following properties[15], [31]: 1) Bilinear: ∀g ∈ G, a1 , a2 ∈ Zp , e(g a1 , g a2 ) = e(g, g)a1 a2 . 2) Non-degenerate: ∃g ∈ G, e(g, g) 6= 1. 3) Efficient Computability: There exists an efficient algorithm to compute e(g, g) for all g ∈ G. We define the Decisional Bilinear Diffie-Hellman (DBDH) assumption[31] over G as follows. Definition 1: (DBDH Assumption.) Let Gen(1ι ) be a group generation algorithm, which takes a security parameter ι as input, and outputs a description of a prime order group Θ = {p, G, GT , e}. The DBDH Assumption over group G states that for any probability polynomial-time (PPT) attackers A, given a tuple (g, p, e, g x1 , g x2 , g x3 ) for R randomly chosen x1 , x2 , x3 −→ Zp and g is a generator of G, the advantage for |P r[A(g, p, e, g x1 , g x2 , g x3 , hb ) = b] − 1/2| is negligible in ι, where h0 = e(g, g)x1 x2 x3 , h1 = R e(g, g)ω , ω −→ Zp and b ∈R {0, 1}. B. Strong Extractor with Auxiliary Input Definition 2: (One-way Hash Function Family)[30] Let How () be a class of all polynomial-time computable functions h : {0, 1}|x| → {0, 1}∗ . If it satisfies that given h(x), where x is randomly generated, no PPT algorithm can recover x with probability greater than , then How () is called a one-way hash function family. Here, the function h(x) can be consisted of q functions: h(x) = {h1 (x), · · · , hq (x)}, and {h1 (x), · · · , hq (x)} ∈ How ().

Next, we introduce the definition of strong extractor under one-way hash function family[30]. Definition 3: ((, δ)-Strong Extractor with Auxiliary Input) Let Ext : Zpm × Zpm → Zp , where m is polynomial in λ. Ext is called a (, δ)-strong extractor with auxiliary input, on the condition that for any PPT attacker A, given all f (~s) such that ~s ∈ Zpm and f ∈ How (), we have |P r[A(~r, f (~s, Ext(~r, ~s) = 1)]−P r[A(~r, f (~s), ϑ = 1)]| < δ, where ~r ∈ Zpm , ϑ ∈P Zp are randomly chosen. m Let < ~r, ~s >= i=1 ri si denote the inner product of vectors ~r = (r1 , · · · , rm ) and ~s = (s1 , · · · , sm ). From the modified Goldreich-Leivin theorem, we can construct a (, δ)-strong extractor with auxiliary input. Let’s review the modified Goldreich-Leivin theorem[26] as following: Theorem 1: (Modified Goldreich-Leivin Theorem) Let q be a big prime, and let H be any subset of GF (q). ¯ Let f map from H m to {0, 1}∗ be any polynomial-time computable functions. Then a vector ~s is uniformly random ¯ chosen from H m , and we have y = f (~s). Then, randomly ¯ selects a vector ~r from GF (q)m , and ϑ is randomly chosen from GF (q). If a PPT distinguisher A runs in time t, and there exists a probability  such that |P r[A(y, ~r, < ~s, ~r >) = 1] − P r[A(y, ~r, ϑ) = 1]| = ,

then there exists an inverter B who can compute ~s from y in time t0 = t · poly(m, ¯ |H|, 1/) with the probability ¯ P r[~s ← H m , y ← f (~s) : B(y) = ~s] ≥

3 . 512 · m · q 2

We show that a (, 0 )-strong extractor with auxiliary input can be constructed from inner product by using the modified Goldreich-Leivin theorem[30]. m(λ) Theorem 2: Let ~s be randomly chosen from Zp where m(λ) = poly(λ) and λ is the security parameter. m(λ) and ϑ random Similarly, we randomly choose ~r from Zp from Zp . Then, given f ∈ How (), no PPT attacker can distinguish (~r, f (~s), < ~r, ~s >) from (~r, f (~s), ϑ) with probability 0 ≥ (512m(λ)p2 )1/3 III. D EFINITION OF ID- BASEC P ROXY R E - ENCRYPTION WITH AUXILIARY I NPUT

A. Properties Ateniese et al. proposed a series of properties to evaluated proxy re-encryption schemes[10]. We briefly review some of these properties related to our scheme. Unidirectionality: In a unidirectionality scheme, user A can delegate to user B, but A cannot decrypt B’s ciphertexts. Non-Interactivity: In a non-interactivity scheme, user A can construct a re-encryption key rkIDA →IDB while offline, without the participation of user B and any other third parties. Multi-use capability: In a multi-use scheme, once a reencryption from user A to user B is computed, the

resulting ciphertext can be re-encrypted again from user B to user C, etc., multiple times. Our scheme provides the unidirectionality and noninteractivity properties, but it is only a single-use scheme, since a fog-device and related end-devices only consists of a single-hop network. B. Security Model We denote the negligible function of λ as notation negl(λ). Let M denote the message space. An ID-based proxy re-encryption scheme Λ consists of six PPT algorithms: Setup(1λ ): This algorithm takes as input the security parameter λ, and outputs the public parameter param, and the master secret key msk. Extract(param, msk, ID):This algorithm takes as input the public parameter param, the master secret key msk, and an identity ID ∈ {0, 1}∗ , outputs a secret key skID corresponding to the identity ID. Enc(param, ID, M ):This algorithm takes as input the public parameter param, an identity ID ∈ {0, 1}∗ and a message M ∈ M, outputs a ciphertext CTID on the message M under the identity ID. RKGen(param, skID1 , ID1 , ID2 ): This algorithm takes as input the public parameter param, a secret key skID1 and identities ID1 , ID2 , outputs a reencryption key rkID1 →ID2 . ReEnc(param, rkID1 →ID2 , CTID1 ):This algorithm takes as input the public parameter param, a reencryption key rkID1 →ID2 and a ciphertext CTID1 under identity ID1 , outputs a re-encrypted ciphertext CTID2 . Dec(param, skID , CTID ):This algorithm takes as input the public parameter param, an ciphertext CTID under identity ID and a secret key skID , outputs a message. If for all M ∈ M and ID1 , ID2 ∈ {0, 1}∗ , we have Dec(param, skID1 , CTID1 ) = M Dec(param, skID2 , ReEnc(param, rkID1 →ID2 , CTID1 ))

= M

then we call the ID-based proxy re-encryption scheme Λ is correct. Next, we introduce the security model of ID-based proxy re-encryption with auxiliary input, which is similar to the classic chosen plaintext-attacks (CPA) model and the auxiliary input model. Let F denote a polynomialtime computable leakage function family. Let Λ = (Setup, Extract, Enc, RKGen, ReEnc, Dec) be an IDbased proxy re-encryption scheme, and we define the security model as following: Setup: The challenger B runs param ← Setup(1λ ) to get (param, msk), and sends param to the attacker

A. The challenger also maintains an empty list LID . Query1: The following queries can be issued by A. Extract Query: When A makes an extract query on an ID, the challenger firstly checks LID for the tuple (skID , ID, j). If there is no such tuple in LID , then the challenger sets j to 1, and runs skID ← Extract(param, msk, ID) and puts (skID , ID, j) to LID . Otherwise, the skID from the tuple (skID , ID, j) is returned. Leakage Query: When A chooses f ∈ F for the leakage query on secret keys, the challenger returns f (msk, param, LID ). RKGen Query: When A makes a re-encryption key query on an ID1 and ID2 , the challenger firstly makes extract query on ID1 and gets skID1 . Then, the challenger returns rkID1 →ID2 ← RKGen(param, skID1 , ID1 , ID2 ). Challenge: A sends a goal identity ID∗ and two messages M0 and M1 with the same length to B. The selection of ID∗ should satisfy a restriction that by using re-encryption key to translate from ID∗ to ID0 for which A holds a secret key is prohibited. The challenger B chooses a random bit b, and returns CT ∗ ← Enc(param, ID∗ , Mb ) to A. Query2: A is allowed to adaptively make extract queries under the restriction that A has not issued the extract query on ID∗ . A is also allowed to adaptively make RKGen queries on (ID, ID0 ), but A cannot previously make extract query on the goal identity ID0 . Output:A outputs a guess bit b0 of b. If b0 = b, then A wins the above game. If the advantage P r[Awins] − 1/2 is negligible, then the ID-based proxy re-encryption scheme Λ is CPA secure with auxiliary input. Definition 4: An ID-based proxy re-encryption scheme is auxiliary input CPA secure if P r[Awins] − 1/2 ≤ negl(λ). IV. L EAKAGE R ESILIENT ID- BASED P ROXY R E - ENCRYPTION S CHEME WITH AUXILIARY I NPUT A. Review of Green et al.’s ID-based Proxy Re-encryption Scheme In this section, we review Green et al.’s ID-based Proxy Re-encryption Scheme[31], which consists of six PPT algorithms. Not that we only needs a single-use scheme for access control in fog computing. Setup(1λ ): This algorithm takes the security parameter λ as input, chooses two prime order group G =< g > and GT with order p, such that

e : G × G → GT is a bilinear map. Selects two full domain hash functions H1 : {0, 1}∗ → G and H2 : GT → G. And then, randomly selects s ∈ Zp∗ as the master secret key msk, and the public parameters are param = (G, H1 , H2 , g, g s ). Extract(params, msk, ID): To extract the secret key for identity ID ∈ {0, 1}∗ , computes skID = H1 (ID)s . Enc(param, ID, M ): This algorithm takes the public parameters param, an identity ID and a message M ∈ GT as input, randomly chooses r ∈ Zp∗ , and outputs the ciphertext CTID = (g r , M · e(g s , H1 (ID))r ). RKGen(param, skID1 , ID2 ): Randomly chooses X ∈ GT and computes (B1 , B2 ) ← Enc(param, ID2 , X). Outputs the re-encryption −1 key rkID1 →ID2 =< B1 , B2 , skID · H2 (X) >. 1 ReEnc(param, rkID1 →ID2 , CTID1 ): Let CTID1 = (C1 , C2 ) and rkID1 →ID2 = (B1 , B2 , B3 ). To re-encrypt a ciphertext from ID1 to ID2 , returns CTID2 = (C1 , C2 · e(C1 , B3 ), B1 , B2 ). Dec(param, skID , CTID ): The decryption algorithm does as follows. 1) If CTID = (C1 , C2 ) is a original ciphertext, then outputs M = C2 /e(C1 , skID ). 2) If CTID = (C1 , C20 , B1 , B2 ) is a reencrypted ciphertext from ID1 to ID2 , then decrypts X = B2 /e(B1 , skID2 ), and then computes M = C20 /e(g r , H2 (X)). B. Construction of ID-based Proxy Re-encryption Scheme with Auxiliary Input Our ID-based proxy re-encryption scheme with auxiliary input can be described as follows. Setup(1λ ): This algorithm is the same as above, except that selects s1 , · · · , sm ∈R Zp∗ as the master secret key msk where m is polynomial in λ, and the public parameters are param = (G, H1 , H2 , g, < g s1 , · · · , g sm >). Extract(params, msk, ID): To extract the secret key for identity ID ∈ {0, 1}∗ , outputs skID = (H1 (ID)s1 , · · · , H1 (ID)sm ). Enc(param, ID, M ): This algorithm takes the public parameters param, an identity ID and a message M ∈ GT as input, randomly chooses r1 , · · · , rm ∈ Zp∗ , and outputs the Qmciphertext CTID = (< g r1 , · · · , g rm >, M · i=1 e(g si , H1 (ID)ri )). RKGen(param, skID1 , ID2 ): Randomly chooses X ∈ GT and computes (B1 , B2 ) ← Enc(param, ID2 , X). Outputs the re-encryption key rkID1 →ID2 = (B1 , B2 , H1 (ID1 )−s1 · H2 (X), · · · , H1 (ID1 )−sm · H2 (X)). ReEnc(param, rkID1 →ID2 , CTID1 ): Let CTID1 = (C1 , C2 ) = (< g r1 , · · · , g rm >

Qm si ri ,M · and i=1 e(g , H1 (ID1 ) )) rkID1 →ID2 = (B1 , B2 , H1 (ID1 )−s1 · H2 (X), · · · , H1 (ID1 )−sm · H2 (X)). To reencrypt a ciphertext from Qm ID1 to ID2 , returns CTID2 = (C1 , C2 · i=1 e(g ri , H1 (ID1 )−si · H2 (X)), B1 , B2 ). Dec(param, skID , CTID ): The decryption algorithm does as follows. 1) If CTID = (C1 , C2 ) is a original Q ciphertext, then outputs m M = C2 / i=1 e(g ri , H1 (ID)si ). 2) If CTID = (C1 , C20 , B1 , B2 ) is a re-encrypted ciphertext from ID1 Q to ID2 , then decrypts X = 0 m −si B2 / i=1 e(g ri , H1 (ID ) ), and then 2 Qm computes M = C20 / i=1 e(g ri , H2 (X)). The correctness of decryption can be depicted as following:

Theorem 3: If Ext is a (, neg(λ))-strong extractor with auxiliary input, then Λ based on Λ0 is auxiliary input CPA secure with respect to the family How (r ). Proof: Let SE : Zpm × Zpm → Zpm be a (, neg(λ))strong extractor with auxiliary input. In Λ0 scheme, the ciphertext is CT = (C1 , C2 ) = (g r , M · e(g s , H1 (ID)r )), which implies e(g, H1 (ID))s·r in C2 . In our scheme Λ, the ciphertext is CT = (C1 , C2 ) = (< g r1 , · · · , g rm > Qm , M · i=1 e(g si , H1 (ID)ri )), where C2 can be denoted as M · e(g, H1 (ID))Ext(~r,~s) . That is to say, in Λ scheme, the secret key s is substituted by the strong extractor Ext(~r, ~s) with auxiliary input. Furthermore, the re-encryption ciphertext from ID1 to ID2 in Λ0 scheme is (C1 , C2 · e(C1 , e(C1 , H1 (ID1 )−s · H2 (X)), B1 , B2 ). In our scheme Qm Λ, the re-encryption ciphertext is CTID2 = (C1 , C2 · i=1 e(g ri , H1 (ID1 )−si · H2 (X)), B1 , B2 ), where C2 can be denoted as M ·e(g, H1 (ID1 ))Ext(~r,~s) and B2 can ~0 be denoted as M · e(g, H1 (ID2 ))Ext(r ,~s) . Let Game0 be the auxiliary input CPA secure game 1) with the scheme Λ. Game1 is the same as Game0 except m that when encrypting the challenge ciphertext, we submit a Y e(g ri , H1 (ID)si ) C2 / random number ϑ ∈ Zp instead of Ext(~r, ~s)). The leakage i=1 oracle outputs fi (~s) for the both games. m m Y Y Let Adv Gamei (Λ) denote the advantage that an attacke(g ri , H1 (ID)si ) er A winsA in Game with the scheme Λ. We should e(g si , H1 (ID)ri ))/ = M· i i=1 i=1 Game0 prove that for any PPT attacker A, |AdvA (Λ) − = M Game1 AdvA (Λ)| ≤ negl(λ). Now, we assume that Game0 Game1 |AdvA (Λ) − AdvA (Λ)| ≥  which is non2) negligible. m Y The challenger C is given (~r, f1 (~s), · · · , fq (~s), T ) C20 = C2 · e(g ri , H1 (ID1 )−si · H2 (X)) where T is either T0 =< ~r, ~s > or T1 = ϑ i=1 which is a random number in Zp . From the definim Y si ri tion of How (r ), given f1 (~s), · · · , fq (~s), no PPT at= M· e(g , H1 (ID) )) tacker can recover ~s with the probability greater than i=1 m r , where q is polynomial in the security parameY · e(g ri , H1 (ID1 )−si · H2 (X)) ter λ. Then, the challenger C runs (param, msk) ← i=1 Setup(1λ ), skID ← Extract(param, msk, ID) and m Y rkID1 →ID2 ← RKGen(param, skID1 , ID2 ), and gives = M· e(g ri , H2 (X)) (param, ID1 , ID2 ) to the attacker A. C can answer all the i=1 leakage queries, extract queries and re-encryption queries Then, as it has (msk, skID1 , rkID1 →ID2 ). Finally, A sends two messages M0 and M1 where |M0 | = |M1 | to C, and C m Y randomly chooses a bit b. Then, C encrypts Mb to get the C20 / e(g ri , H2 (X)) ∗ ∗ challenge ciphertext CTID by using T , and returns CTID i=1 0 0 m m to A. Then, A outputs its guess bit b to C. If b = b, then Y Y = M· e(g ri , H2 (X))/ e(g ri , H2 (X)) A wins the game; otherwise, it loses. Game0 Game1 i=1 i=1 Since we assume that |AdvA (Λ) − AdvA (Λ)| ≥ 0 0 = M , we can get |P r[b = b|T0 ] − |P r[b = b|T1 ]| ≥  easily, which is non-negligible. However, it contradicts the C. Security Proof property of strong extractor Ext(~r, ~s). Thus, no PPT attacker Green et al. have proved that their ID-based proxy can distinguish Game0 and Game1 with non-negligible re-encryption scheme is CPA secure under the DBDH probability. Game1 assumption[31]. Let Λ0 denote Green et al.’s scheme and Then, we can easily find that AdvA (Λ) = negl(λ), since the challenge ciphertext in Game1 involves a random Λ denote our scheme.

number ϑ not Ext(~r, ~s). Thus, the answers of leakage queries fi (~s) in Game1 are useless, and they will not disclose any information related to the challenge ciphertext. Then Game1 is the same as the CPA game with Λ0 . Since Game1 Λ0 has been proved CPA secure, we have that AdvA (Λ) is negligible. Thus, Λ scheme is auxiliary input CPA secure with respect to the one way hash family How (r ). V. P ERFORMANCE A NALYSIS For leakage resilient to auxiliary input, we find that it doesn’t need to set the number of secret key pieces m to be very large. For example m = 10, according to the Theorem 2, the distinguish probability is 0 ≥ (512m(λ)p2 )1/3 , we 3 ·10 1/3 ≈ have that p = 512,  ≤ 1601 10 and 0 ≥ ( 512 16010 ) 1 . Such probability is very negligible, and our scheme 10 80 can achieve leakage resilient to auxiliary input. Thus, we choose m = 10 in our experiments. In IoT systems, end-devices usually have a limited connection with fog-devices, and support different communication protocols, such as ZigBee, Bluetooth, Wi-Fi etc. Thus, we should make the communication cost between end-devices and fog-devices to be low. The length of reencryption ciphertext is the deciding factor in the communication cost, which involves 2m elements in G and 2 elements in GT in our scheme. If we take the group order p to be a 170-bit prime, then each group element is 170bit. If m = 10, the lengths of re-encryption ciphertexts is only 467.5 bytes, which is suitable for such constrained communications. We implement our ID-based proxy re-encryption schemes with auxiliary input over two different platforms. The first one is MacBook Pro with Intel core i5 CPU (2.5GHz) running Os X 10.9.3, which RAM is 4GB. The second one is Intel Edison development platform with a dualcore, dual-threaded Intel Atom CPU at 500 MHz and 1GB RAM, running Yocto Linux v1.6. Intel Edison development platform is considered as a good choice to rapidly prototype the IoT devices. We implement our scheme in C by using the pairing based cryptography (PBC) library[32], which has been implemented the basic arithmetic and pairing operations. There are seven types of curves in PBC, and we choose the fastest Type-A curves for the implementation. In our experiments, we test the time costs of RKGen and ReEnc, since the RKGen algorithm will be carried out by the data owner’s end-devices, while the ReEnc algorithm will be executed by the fog-devices. We test these two algorithms over Macbook and Edison platforms, since the end-devices or fog-devices are heterogeneous in nature. Some of them are more powerful like laptops and smart phones, and some of them are resource-constrained devices like smart watches and smart meters. We use Macbook to simulate the normal devices, and use Edison to simulate the restricted devices. Table I. shows the time costs of re-encryption key generation algorithm over two platforms. We compute the average value

Table I C OMPUTATIONAL C OST OF RKG EN A LGORITHM Platforms Computational Cost of RKGen Algorithm

MacBook Pro 0.57s

Intel Edison 11s

Table II C OMPUTATIONAL C OST OF R E E NC A LGORITHM Platforms Computational Cost of ReEnc Algorithm

MacBook Pro 0.15s

Intel Edison 3.1s

on 100 randomized runs. The time costs of re-encryption algorithm over two platforms is shown in Table II. These experiments show that our schme is feasible in practice. The DEC algorithm is usually carried out by the user’s enddevices. Table III. shows the time cost of decryption in our scheme over two platforms, and the results shows that the decryption process can be carried out quickly over the Intel Edison platform. VI. C ONCLUSION In fog computing, fog-devices are physically close to end devices, and have a high speed connection with cloud. These characteristics make fog-devices to play an important role in access control from end-devices to cloud. However, the geographic dispersion of fog-devices may make them easy to be attacked by side-channel attacks. In this paper, we devise an ID-based proxy re-encryption scheme with auxiliary input, by which fog devices can act as a semitrusted key server to translate the ciphertexts. Our designing can make the ID-based proxy re-encryption scheme to resist the secret key leakage from side-channel attacks, when it is deployed for fog-devices. The performance analysis shows that our scheme is applicable. Although ID-based encryption saves the cost of certificates, it needs a fully trusted private key generator (PKG) to extract the secret key from ID. However, a fully trusted PKG is very difficult to be maintained in IoT systems. Thus, leakage resilient certificateless proxy re-encryption will be the future research. ACKNOWLEDGMENT This research is partially supported by the National Natural Science Foundation of China under Grant No.61373006, 61672016, the QingLan Project, and the Open Project Program under Grant No.AGK201603. Table III C OMPUTATIONAL C OST OF D EC A LGORITHM Platforms Original Ciphertext Re-encryption Ciphertext

MacBook Pro 0.14s 0.3

Intel Edison 2.6s 5.7s

R EFERENCES [1] (2014, Jan.) Cisco delivers vision of fog computing to accelerate value from billions of connected devices. Press release. Cisco. [Online]. Available: http://newsroom.cisco.com/release/1334100/Cisco-DeliversVision-of-Fog-Computing-to-Accelerate-Value-fromBillionsof- Connected-Devices-utm-medium-rss [2] I. Stojmenovic and S. Wen, The Fog Computing Paradigm: Scenarios and Security Issues, in Proceedings of FedCSIS, 2014. [3] K. Hong, D. Lillethun, U. Ramachandran, B. Ottenwalder, and B. Koldehofe, Mobile fog: A programming model for largescale applications on the internet of things, in Proceedings of the Second ACM SIGCOMM Workshop on Mobile Cloud Computing, ser. MCC13. ACM, 2013, pp. 15C20. [4] K. Sha, W. Wei, A. Yang, and W. Shi, Security in internet of things: Opportunities and challenges, in Proceedings of the 2016 International Conference on Identification, Information, and Knowledge in the Internet of Things (IIKI), Oct 2016.

[14] Dodis, Y., Ivan, A.: Proxy cryptography revisited. In: Proceedings of the Tenth Network and Distributed System Security Symposium (February 2003) [15] Boneh, D., Franklin, M.: Identity-based encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213C229. Springer, Heidelberg (2001) [16] Akavia A, Goldwasser S and Vaikuntanathan V. Simultaneous hardcore bits and cryptography against memory attacks”. TCC’09, LNCS 5444, pp. 474-495, Berlin: Springer-Verlag, 2009. [17] Alwen J, Dodis Y, Naor M. Public-key encryption in the bounded-retrieval model. EUROCRYPT’10, LNCS 6110, pp. 113-134, Berlin: Springer-Verlag, 2010. [18] Dodis Y, Lewko A, Waters B, Wichs D. Storing secrets on continually leaky devices. FOCS’11, pp. 688-697, 2011. [19] Yang B and Zhang M. LR-UESDE: A continual-leakage resilient encryption with unbounded extensible set delegation, ProvSec’12, LNCS 7496, pp.125-142, Berlin: Springer-Verlag, 2012.

[5] A. Jacobsson and P. Davidsson, Towards a model of privacy and security for smart homes, in Proceedings of the 2015 IEEE 2nd World Forum on Internet of Things (WF-IoT), Dec 2015.

[20] Zhang M, Yang B, Takagi T. Bounded leakage-resilient funtional encryption with hidden vector predicate. The Computer Journal, Oxford, 56(4): 464-477,2013.

[6] NIST, Report on lightweight cryptography, http://csrc.nist.gov/publications/drafts/nistir-8114/nistir 8114 draft.pdf, August 2016, [online; accessed 16-Septemeber2016].

[21] J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Wallsh, and D. Wichs. Public-key encryption in the bounded-retrieval model. In EUROCRYPT, pages 113-134, 2010.

[7] Weisong Shi, Jie Cao, Quan Zhang, Youhuizi Li, and Lanyu Xu. Edge Computing: Vision and Challenges, IEEE INTERNET OF THINGS JOURNAL, 3(5): 637-646, 2016. [8] Mambo, M., Okamoto, E.: Proxy Cryptosystems: Delegation of the Power to Decrypt Ciphertexts. IEICE Trans. Fund. Electronics Communications and Computer Science E80-A/1, 54C63 (1997) [9] Blaze, M., Bleumer, G., Strauss, M.: Divertible protocols and atomic proxy cryptography. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 127C144. Springer, Heidelberg (1998) [10] Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved Proxy Re-encryption Schemes with Applications to Secure Distributed Storage. In: The 12th Annual Network and Distributed System Security Symposium, pp. 29C43 (2005).

[22] J. Alwen, Y. Dodis, and D. Wichs. Leakage-resilient publickey cryptography in the bounded-retrieval model. In CRYPTO, pages 36-54, 2009. [23] D. Di Crescenzo, R. J. Lipton, and S. Wallsh. Perfectly secure password protocols in the bounded retrieval model. In TCC, pages 225-244, 2006. [24] Y. Dodis, K. Haralambiev, A. Lopez-Alt, and D. Wichs. Cryptography against continuous memory attacks. In FOCS, pages 511-520, 2010. [25] A. Lewko, Y. Rouselakis, B. Waters. Achieving Leakage Resilience through Dual System Encryption. TCC 2011, LNCS 6597, pages: 70-88, 2011 [26] Dodis, Y., Goldwasser, S., Kalai, Y.T., Peikert, C., Vaikuntanathan, V.: Public Key Encryption Schemes with Auxiliary Inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361C381. Springer, Heidelberg (2010)

[11] Jakobsson, M.: On quorum controlled asymmetric proxy reencryption. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 112C121. Springer, Heidelberg (1999)

[27] Tsz Hon Yuen, Sherman S. M. Chow, Ye Zhang, Siu-Ming Yiu: Identity-Based Encryption Resilient to Continual Auxiliary Leakage. EUROCRYPT 2012: 117-134.

[12] Ateniese, G., Fu, K., Green, M., Hohenberger, S.: Improved proxy re-encryption schemes with applications to secure distributed storage. ACM Trans. Inf. Syst. Secur. 9(1), 1C30 (2006)

[28] Zhiwei Wang, Siu Ming Yiu: Attribute-Based Encryption Relient to Auxiliary Input, ProvSec 2015, LNCS 9451, pp. 371-390, 2015.

[13] Polyakov, Y., Rohloff, K., Sahu, G., Vaikuntanthan, V.: Fast proxy re-encryption for publish/subscribe systems. IACR Cryptology ePrint Archive 2017, 410 (2017)

[29] Michaelis, K., Meyer, C., Schwenk, J.: Randomly failed! the state of randomness in current java implementations. In: Dawson, E. (ed.) CT-RSA 2013. LNCS, vol. 7779, pp. 129144. Springer, Heidelberg (2013)

[30] Tsz Hon Yuen,Ye Zhang, Siuming Yiu, Joseph K. Liu: Identity-Based Encryption with Post-Challenge Auxiliary Inputs for Secure Cloud Applications and Sensor Networks, ESORICS 2014, Part I, LNCS 8712, pp. 130-147, 2014. [31] Green M., Ateniese G. (2007) Identity-Based Proxy Reencryption. In: Katz J., Yung M. (eds) Applied Cryptography and Network Security. Lecture Notes in Computer Science, vol 4521. Springer, Berlin, Heidelberg [32] B. Lynn., The pairing-based cryptography (pbc) library, http://crypto.stanford.edu/pbc.

    wei Wang iss an associate professoor of the Sch hool of Com mputer at Naanjing  Zhiw Univversity of Posts and Te elecommuniications from 2009 to n now. Beforee that, he  receeived his received his P PhD degree in cryptogrraphy from Beijing Univversity of Posts  and d Telecomm munications, and servedd as a research associatte at the Unniversity of  Hon ng Kong from m 2014.3‐2015.3. His rresearch intterests inclu ude appliedd cryptograp phy,  secu urity and prrivacy in mo obile and wiireless syste ems, clouding computiing and  fog//edge comp puting. He h has publisheed over 40 jjournal articcles and refferred  conference pap pers.       

1) We design an ID‐based proxy re‐encryption scheme with auxiliary input by modifying Green et al.'s scheme, which can achieve leakage resiliency.    2) From  the  strong  extractor  property  used  in  our  construction,  we  prove  that  our  scheme  is   auxiliary input chosen‐plaintext attack (CPA) secure.    3) To  evaluate  the  appropriateness  of  our  scheme  for  resource‐constrained  edge‐devices  and   end‐devices,  we  implement  our  scheme  on  the  Intel  Edison  platform.  The  experimenta result shows that our scheme is feasible in practice.    l