Data sharing is the main way to give full play to the value

of data itself. For small amount of data, the generator directly

sends the data to the requester peer-to-peer. With the rapid

growth of user data scale, the cost of local storage, data

security and data services grow exponentially. Cloud storage

provides a cost-efficient way for data delegation, and can

deploy stable data services. However, data security turns out

to be critical since most delegated data are in plaintext. The

build-in access control and domain separation methods are

major security strategies rather than data encryption. In recent

years, several serious data leaking accidents are caused by

improper security setting in the cloud, explaining that all

sensitive data should be in fine-grained, ciphertext manner,

and the data sharing via cloud storage should be authenticated

by a safe key, which cannot be used to decrypt the original

data. Blaze et al. [1] announced the idea of proxy re-

encryption, where a proxy can convert a confidential message

encrypted by using one party’s public key into another one

that can be decrypted by using another party’s private key.

The Umbral project [2] propose a threshold-based proxy re-

encryption scheme following a key encapsulation mechanism

(KEM) approach. The data owner can delegate decryption

rights to any receiver for any ciphertext in intended grained,

through a re-encryption process performed by a set of N semi-

honest proxies. Under the threshold of (t, N), where at least t

out of N of these proxies participate by performing re-

encryption algorithm, and then the receiver is able to combine

these independent segments and decrypt the original message

using its private key.

In PRE schemes, the directionality and the transitivity are

critical characters for applications. In a bi-directional PRE

scheme, the re-encryption phase is reversible, which means

the proxy can use the same re-encryption key to re-encrypt

each ciphertext both from owner to receiver and receiver to

owner with zero knowledge to data. In this case, both the

owner and receiver must combine their secret keys to produce

the re-encryption key. The bi-directionality seems to bridge a

peer-to-peer data sharing relationship. On the other hand, a

unidirectional PRE means the proxy delegation is one-way.

The ciphertext can be re-encrypted from owner to receiver,

but not the reverse. Thus, the construction of re-encryption

key only requires the owner’s secret key. As for the

transitivity character, it represents the times for a ciphertext

to be re-encrypted. Ciphertext that can be re-encrypted only

once refers to single-hop PRE scheme, while multi-hop PRE

scheme enables the unlimited-time transitivity of ciphertext

re-encryption. The permutation of types for PRE characters

allows a various of applications such as e-mail forwarding,

authorization transfer, and data distribution. However, most

PRE schemes require a centralized proxy to perform data

storage and re-encryption, which means the proxy turns out

to be the keypath of the system and has to handle all the

delegations.

We improve the system soundness by implementing a

decentralized proxy network, where each participant

possesses a key-share of re-encryption key, and can execute

the re-encrypt task separately. Meanwhile, our proposal also

involves multi-hop PRE to release data owner from re-

encryption key generation upon an authorized request, which

frequently calls the owner’s secret key and has to be executed

locally at owner side. The distributed PRE scheme adopts

secret sharing and multi-hop re-encryption to provide reliable

and full delegation service. Moreover, this proposal achieves

a reshare function to process the continuing node variations

in decentralized environment.

The prototype of safe PRE scheme is introduced by

Mambo and Okamoto [3] by using the partial decryptions,

without offering any extra security benefits for delegator’s

secret key. Their proposal aggregated the decrypt and re-

encrypt into an atomic execution by taking the re-encryption

key as input, during which the cipher-state original data is

never revealed. Later, Blaze, Bleumer and Strauss proposed

the ciphertext conversion algorithm [2] on the ElGamal

This work was supported by a grant from the Core Technology Research

and Development Program of Lin-Gang.

A Multi-hop and Distributed Proxy Re-encryption Scheme with

Dynamic Re-sharing

1JUNTAO CAO, 1XIN PEI, 2XIAOCHUAN WU

1The Idol Group, Shanghai, CHINA

2School of Computer Science, Fudan University, Shanghai, CHINA

Abstract: In order to achieve delegated data sharing, a reliable proxy is required for both data storage and execution of the

delegated authorization. The PRE scheme is a representative technique for delegating data sharing, which involves a single

proxy to transform the encryption by reencrypting algorithm with an auth-key, without knowing any knowledge about the

plaintext. However, most PRE schemes are performed in a centralized environment, which means the system will crash

upon the proxy is off-work. In this paper, we optimize the PRE scheme from two aspects. Firstly, the proxy acting as the

key path is decentralized in a thresholdbased network, which will provide continuous PRE service when any t out of N

nodes work. Moreover, considering the flexible entry and exit mechanism of the decentralized nodes, this proposal presents

a re-share algorithm to ensure N live nodes. Secondly, we adopt the multi-hop re-encryption strategy for transitivity of

ciphertext, so that the data owner is released from re-encryption key generation task upon user requests, and the authorized

delegatees are able to retransform the encryption to designated users by using its own secret key.

Keywords: data sharing, proxy re-encryption, KMS, reshare, multi-hop, transitivity

Received: April 25, 2021. Revised: July 15, 2022. Accepted: August 12, 2022. Published: September 13, 2022.

1. Introduction

2. Related Works

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

180

Volume 19, 2022

cryptosystem, which requires taking secret keys of both

parties in the construction procedure. In a semi-honest model,

the proxy takes a re-encryption key(RK) generated by the

delegator’s private key and delegatee’s public key to re-

encrypt the ciphertext, which was originally encrypted using

the delegator’s public key, into a new ciphertext that can be

decrypted by the delegatee’s private key. The classical PRE

procedure is shown in Figure 1. Thus, the delegator can share

its fine-grained data by simple authentication via generating

the re-encryption key, rather than to execute decryption each

time or give out its private key.

Fig. 1. The classical unidirectional PRE scheme

Above re-encryption scheme only supports single-hop type,

so that the ciphertext is not transformable after re-encryption.

In other words, if the delegatee intends to re-authenticate the

ciphertext to another, it has to run decryption with the private

key and then encrypt the original data with its public key to a

new ciphertext. Ateniese and Fu [4] proposed the first

unidirectional proxy re-encryption scheme, where the

delegator can assign a proxy to authorize requestors on data

access without revealing its private key. In 2009, Wang and

Cao[5] proposed the multi-hop re-encryption scheme,

enabling the decryption right of cipertext to be transferred

multiple times. Their proposal was then enhanced by Cai and

Liu [6] to CCA-secured. Based on these works, Luo et al. [7]

proposed a unidirectional, multi-hop, identity-based proxy

re-encryption scheme with CPA-security. Sun et al. suggested

the identity-based PRE encryption schemes with the ability

of ciphertext evolution [8,9,10]. However, the length of

ciphertext will grow linearly with the times of updating. To

solve this, Liang et al. [11] proposed a constant ciphertext

size scheme, with the properties of collusion-resistant,

bidirectional and multi-hop. To address the directionality

problem, Weng et al. proposed a conditional PRE approach

in which the proxy can re-encrypt ciphertexts for a user only

if it satisfies the necessary conditions [12]. The unidirectional,

multi-hop PRE scheme is shown in Figure 2.

To improve the reliability of secrets, the centralized proxy

is distributed to a multi-proxy network, where each sub-proxy

possesses a secret share and executes partial computation, so

that the aggregation of multi-proxy outputs can meet the

demand. Secret sharing is a fundamental primitive in

cryptography, and the original secret sharing model was

proposed by Shamir. In [13], a (k, n) threshold scheme was

proposed. A secret data S can be divided into n share pieces

𝑠!,…,𝑠"

and S can be obtained through any k or more

𝑠#

pieces, and S cannot be obtained through any

𝑘 −1

or fewer

𝑠#

pieces.

Fig. 2. The unidirectional, multi-hop PRE scheme

On the other hand, the nodes in proxy network should

periodically prove the possession of secret shares. In the

research of remote data checking, Ateniese et al. firstly

propose the “challenge-response” mode [14]. For each

checking request, the remote server has to calculate a

corresponding response with local data as input. Sebe et al.

propose a periodically scheme based on PDP [15]. The

requestor randomly chooses several data blocks as part of the

whole data to check. This reduces the overhead of server, but

the probability of error recognition decreases from 100% to

[16] or [17], where c is number of the

selected blocks in N rounds, and is sector number in each

block if divided. is the average error probability of each

block or sector.

Before the construction of the proposed distributed PRE

scheme with multi-hop delegation, we introduce the secret

Re-share algorithm.

Fig. 3. The Re-share algorithm

The secret Re-share algorithm provides a mechanism for

reliability of the distributed network. The shares are

generated by a secret sharing scheme by taking the re-

encryption key and the threshold as input. Then, the N shares

are distributed to the corresponding nodes, who get the

rewards from the contributed storage and computation.

However, there are probabilities that several nodes exit or

crash. In order to guarantee the retrievability of secret, a

heartbeat mechanism of share possession proof is established,

so that N live nodes are kept for most of the time and the Re-

share algorithm will execute when any node fails. Moreover,

the Re-share algorithm can generate any number of shares

unless the amount of live nodes is less then t as defined in the

1(1 )

3. The Construction of Our Proposal

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

181

Volume 19, 2022

threshold. Figure 3 illustrates a situation where a node

possessing the share E exits from the network under threshold

(3, 5). Then, the network executes the Re-share algorithm to

calculate a new share F on the polynomial via Lagrange

interpolation. Let

𝐹$

be a random number on

ℤ%

𝐹&=

𝑦'𝑙'

(

𝑥

)

+𝑦(𝑙(

(

𝑥

)

+𝑦)𝑙)

(

𝑥

), where

𝑙'

(

𝑥

)

!+$"

$#+$"⋅*

!+$$

$#+$$,

𝑙(

(

𝑥

)

!+$#

$"+$#⋅*

!+$$

$"+$$

𝑙)

(

𝑥

)

!+$#

$$+$#⋅*

!+$"

$$+$"

, and the new

share is

𝐹 = (𝐹$,𝐹&)

By adopting the KEM methods, the asymmetric encryption

only encrypts the data key, which is used to encrypt the

original data symmetrically. We use “capsule” to term the

encryption of the data key to differ from the ciphertext of the

original data. The ability to decrypt a capsule means an

authentication to access the corresponding original data. Our

proposal consists of four pair of functions, the key

management pair Key Generation and ReKey-Generation, the

enc/dec pair Encrypt and Decrypt, the re-enc/retrieve pair re-

encrypt and Retrieve, the updating pair Resharing and

Transmit.

Firstly, we setup the public parameters and define the hash

families.

𝑆𝑒𝑡𝑢𝑝(𝜆)

: Determine a cyclic group

𝔾

of prime order p,

according to the security parameter

8𝜆

. Let

𝑔,𝑈 ∈ 𝔾

generators. Let

𝐻:𝔾 → ℤ%

, be hash functions that behave as

random oracles. Let

KDF:

𝔾 →

{

0,1

}

be a random oracle key

derivation function, where

𝑙

is the fixed length according to

the security parameter

𝜆

. The global public parameters are

represented by the tuple:

𝑝𝑎𝑟𝑎𝑚𝑠 =

(

𝔾,𝑔,𝑈,𝐻,KDF

) (1)

𝐾𝑒𝑦𝐺𝑒𝑛

(

) : Sample

𝑎 ∈ ℤ%

uniformly at random as

private key, compute

𝑔-

and output the keypair (

𝑝𝑘,𝑠𝑘

)

(𝑔-,𝑎)

In this model, we assume A as the data owner or delegator,

B as the requestor or delegatee.

𝐸𝑛𝑐𝑟𝑦𝑝𝑡(𝑝𝑘')

: On input the public key

𝑝𝑘'

, the encrypt

algorithm first samples random

𝑟,𝑢 ∈ ℤ%

and computes

𝐸 =

𝑔.

and

𝑉 = 𝑔/

. Computes the value

𝑐 = 𝑢 + 𝑟 ∙𝐻0(𝐸,𝑉)

The derived data key, used to encrypt the original data

symmetrically, is computed as

𝐷𝐾 =KDF(𝑝𝑘'

.1/)

. The

tuple

(𝐸,𝑉,𝑐)

is called capsule and allows to derive again

the data key DK. To examine the validity of the capsule, we

can check if the following equation holds:

8𝑔28?= 𝑉 ∙𝐸3%45678

(2)

Then, the

𝐸𝑛𝑐𝑟𝑦𝑝𝑡

function runs a ChaCha20 to encrypt

the original data with DK into ciphertext Cipher. Finally, the

encrypt algorithm outputs

(𝐶𝑖𝑝ℎ𝑒𝑟,𝑐𝑎𝑝𝑠𝑢𝑙𝑒)

𝑅𝑒𝑘𝑒𝑦𝐺𝑒𝑛(𝑠𝑘',𝑝𝑘(,𝑡,𝑁)

: Firstly, pick a random

𝑡 −1

degree polynomial in (3), where

𝑎

is the secret generated in

𝑘𝑒𝑦𝐺𝑒𝑛

, and

𝑎!~𝑎9

are randomly chosen.

𝑓

(

𝑥

)

= 𝑎 +𝑎!𝑥 +𝑎0𝑥0+⋯+𝑎9+!𝑥9+!

(3)

We can calculate

𝑂!= 𝑓

(

𝑥!

)

,…,𝑂"= 𝑓

(

𝑥"

), and then we

generated n share group data:

(𝑥!,𝑂!),…,(𝑥",𝑂")

, and S can

be calculated by any t group data of

(𝑥#,𝑂#)

. Note that the

picked prime p should be bigger than both S and n, and data

range is in [0, p), and the values of

(𝑥!,𝑂!),…,(𝑥",𝑂")

are

computed modulo p. If the secret S is long, it can be break

into shorter blocks of m bits. Then, input A’ secret key

𝑠𝑘'=

𝑎

and B’ public key

𝑝𝑘(= 𝑔:

, a threshold

(𝑡,𝑁)

, the

𝑅𝑒𝑘𝑒𝑦𝐺𝑒𝑛

algorithm computes

𝑁

fragments of the re-

encryption key between A and B as follows:

(1) Sample a

𝑟'∈ ℤ%

at random, and compute

𝑅'= 𝑔.#

(2) Compute

𝑑 = 𝐻0

(

𝑅',𝑝𝑘(,(𝑝𝑘().#

), where

𝑑

is the

result of a non-interactive Diffie-Hellman (DH) key

exchange between B’s keypair and the ephemeral key

pair

8(𝑟',𝑅')

(3) Compute

𝐷 = 𝐻(𝑝𝑘',𝑝𝑘(,𝑝𝑘(

(4) Initialize set

𝑘𝐹𝑟𝑎𝑔𝑆𝑒𝑡 = ∅

and repeat

𝑁

times:

a. Sample random

𝑦

𝑖𝑑 ∈ ℤ%

b. Compute

𝑠$= 𝐻(𝑖𝑑,𝐷)

and

𝑌 = 𝑔&

c. Compute

𝑟𝑘 = 𝑓(𝑠$)

d. Compute

𝑈!= 𝑈.;

e. Compute

𝑧!= 𝐻(𝑌,𝑖𝑑,𝑝𝑘',𝑝𝑘(,𝑈!,𝑅')

Fig. 4 The System architecture of the multi-hop PRE in distributed environment

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

182

Volume 19, 2022

f. Compute

𝑧0= 𝑦 − 𝑎 ∙𝑧!

g. Obtain

𝑘𝐹𝑟𝑎𝑔

as the tuple

(𝑖𝑑,𝑟𝑘,𝑅',𝑈!,𝑧!,𝑧0)

h. Add into

𝑘𝐹𝑟𝑎𝑔𝑆𝑒𝑡

𝑘𝐹𝑟𝑎𝑔𝑆𝑒𝑡 ∪{𝑘𝐹𝑟𝑎𝑔}

(5) Finally, output the set

𝑘𝐹𝑟𝑎𝑔𝑆𝑒𝑡

This means A’ grants its own permissions which are in

form of encryptions under

𝑝𝑘'

to B.

𝑅𝑒𝐸𝑛𝑐𝑟𝑦𝑝𝑡(𝑘𝐹𝑟𝑎𝑔,𝑐𝑎𝑝𝑠𝑢𝑙𝑒)

:" For" each" node," on

receiving a

𝑘𝐹𝑟𝑎𝑔 = (𝑖𝑑,𝑟𝑘,𝑅',𝑈!,𝑍!,𝑍0)

and the

𝑐𝑎𝑝𝑠𝑢𝑙𝑒 = (𝐸,𝑉,𝑠)

, it first checks the validity of the capsule

and outputs

⊥

if the check fails. Otherwise, it runs the re-

encrypt algorithm to compute

𝐸!= 𝐸.;

and

𝑉!= 𝑉.;

, and

outputs the capsule fragment

𝑐𝑓𝑟𝑎𝑔 = (𝐸!,𝑉!,𝑖𝑑,𝑅')

. Due

to that the threshold requires t shares to retrieve the secret, the

𝑅𝑒𝐸𝑛𝑐𝑟𝑦𝑝𝑡

algorithm should appoint at least t nodes to

calculate t pieces of

𝑐𝑓𝑟𝑎𝑔

𝑅𝑒𝑡𝑟𝑖𝑒𝑣𝑒(𝑠𝑘(,𝑝𝑘',{𝑐𝑓𝑟𝑎𝑔#}#<!

: Taking A’s public key

𝑝𝑘'

, B’s public key

𝑝𝑘(

and corresponding t

𝑐𝑓𝑟𝑎𝑔𝑠

, being

each of them

𝑐𝐹𝑟𝑎𝑔#= (𝐸!6#,𝑉!,𝑖𝑑#,𝑋')

as input, the

𝑅𝑒𝑡𝑟𝑖𝑒𝑣𝑒

algorithm runs as following to aggregate them

into

8𝑐𝑎𝑝𝑠𝑢𝑙𝑒′

, which can be decrypted by

𝑠𝑘(

(1) Compute

𝐷 = 𝐻(𝑝𝑘',𝑝𝑘'

:,𝑝𝑘()

, where

𝑝𝑘'

𝑝𝑘(

by adopting DH protocol.

(2) Let

𝑆 = {𝑠$6#}#<!

, where

𝑠$6# = 𝐻(𝑖𝑑#,𝐷)

. For all

𝑠$6# ∈ 𝑆

, compute:

𝜆#6= =

𝑠$6>

𝑠$6> −𝑠$6#

><!6>?#

(3) Then, compute the values in

𝑐𝑓𝑟𝑎𝑔#

𝐸@=

𝐸!6#

A&,(

#<!

, 𝑉′ =

(𝑉!6#)A&,(

#<!

(4) Compute

𝑑 = 𝐻

𝑅',𝑅':,𝑝𝑘(

j, as the result of a non-

interactive DH key exchange between B’s keypair and the

ephemeral key pair

(𝑟',𝑅')

. The value

𝑅'

is the same for all

the

𝑐𝑓𝑟𝑎𝑔𝑠

that are produced by re-encryptions using a

𝑘𝐹𝑟𝑎𝑔

in the set of re-encryption key fragments

𝑘𝐹𝑟𝑎𝑔𝑆𝑒𝑡

(5) Finally, output the symmetric key

𝐷𝐾 =KDF(

(

𝐸@∙

𝑉@

)

𝐷𝑒𝑐𝑟𝑦𝑝𝑡(𝐶𝑖𝑝ℎ𝑒𝑟,𝐷𝐾)

: Decrypts the

𝐶𝑖𝑝ℎ𝑒𝑟

using the

CHACHA20 decryption function with key DK, which results

in message M if decryption is correct, and ⊥ otherwise.

The entire distributed PRE procedure is ended with the

user decryption with its own secret key. However, this system

might confront two reliability issues. One relates to the shares

in the distributed PRE network, as discussed above, nodes

could exit or crash any time, so that we build the Reshare

algorithm to guarantee enough valid shares live. The other is

the delegatee point, acting as the key-path role in this system,

transforming the data access right to specified users

according to the owner’s delegation. Therefore, the chosen

PRE algorithm must be multi-hop, otherwise, the owner has

to generate the re-encryption key upon each user request or

reveal its secret key to the delegatee, which is quite unsafe.

Besides, the delegatee proxy should have online standbys to

ensure continuous service, which is also achieve by the Key

Transform algorithm.

𝑅𝑒𝑠ℎ𝑎𝑟𝑒({𝑘𝐹𝑟𝑎𝑔#}#<!

: Under the nodes live checking

mechanism, the

𝑅𝑒𝑠ℎ𝑎𝑟𝑒

algorithm will generate a new

𝑘𝐹𝑟𝑎𝑔

without updating the existing ones. When any node

crashes, the system samples an

𝑥 ∈ ℤC

at random, and use

Lagrange interpolation to calculate the corresponding

𝑦 =

∑

𝑦>𝑙>(𝑥)

;

><D

, where

𝑙>

(

𝑥

)

∏

$+$&

$)+$&

;

#<D6#?>

on the given

polynomial. Thus, the calculated point

(𝑥,𝑦)

turns out to be

a new

𝑘𝐹𝑟𝑎𝑔

assigned to a live node.

𝑇𝑟𝑎𝑛𝑠𝑚𝑖8𝑡({𝑘𝐹𝑟𝑎𝑔'E(6#}#<!

9,𝑠𝑘(,𝑝𝑘))

: To transmit an

authorization from

𝐴 → 𝐵

𝐵 → 𝐶

requires

{𝑘𝐹𝑟𝑎𝑔'E(6# }#<!

𝑠𝑘(

𝑝𝑘)

as input. Compared with

the

8𝑅𝑒𝑘𝑒𝑦𝐺𝑒𝑛

algorithm, the difference is that the

𝑇𝑟𝑎𝑛𝑠𝑚𝑖𝑡

algorithm achieves transitivity, which enables the

delegator to authorize any delegatee without using his own

secret key

𝑠𝑘'

The proposal PRE scheme has the following properties:

Unidirectionality. The delegation from the data owner to the

delegatee is unidirectional, while the reversal requires

another setup.

Non-interactivity. The adopted Diffie-Hellman protocol

between the delegator and delegatee’s keypair makes a shared

secret, enabling the re-encryption key generation of the

scheme non-interactive.

Transitivity. The encryption can be re-delegated more than

once by a series of transform keys.

Multi-hop. The designated delegatees are allowed to be the

delegators that can re-delegate the encryption under the

owner’s authorizations, chaining the transformations.

Collusion safety. During the re-encryption, none of the

delegatees is able to collude with the distributed proxy nodes

that hold the transform key to recover the private key of the

delegator.

In this section discuss, we evaluate the performances of re-

encryption key generation algorithm, capsule re-encryption

algorithm, data key retrieval algorithm and

𝑘𝐹𝑟𝑎𝑔

reshare

algorithm. The results of all tests are the average of 20 times.

Figure 5 illustrates a complete text process on above

algorithms by a given threshold (3, 5).

Figure 6 illustrates the time cost of

𝑘𝐹𝑟𝑎𝑔𝑠𝑒𝑡

generation.

There are 8 tuples of threshold included, where any t out of N

pieces can recover the re-encryption key. The growing rate is

decided by both t and N, due to that the t factor decides the

order of the polynomial, and N determines the total shares.

Fig. 6. Re-encryption key shares generation time

Figure 7 shows the computation cost in re-encryption.

Since out proposal adopts KEM strategy, the complexity only

relates to t in the threshold, with no regards to N or the size

of original file. However, this proposal ignores the node crash

probability during the re-encryption procedure, and several

4. Experiments of Our Proposal

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

183

Volume 19, 2022

backup nodes possessing their

𝑘𝐹𝑟𝑎𝑔

can be arranged to run

re-encryption algorithm to enhance the correctness.

Fig. 7. Re-encryption time of an increasing size of files

Figure 8 shows the cost of retrieving a data key with

different thresholds. This procedure can be regarded as the

reverse execution of data key encryption. We compare 8

tuples of thresholds, similarly, the cost only relates to t

numbers of

𝑐𝑓𝑟𝑎𝑔

, corresponding to the re-encrypted

𝑘𝐹𝑟𝑎𝑔𝑠.

Fig. 8. Data key retrieval time

We also test the cost of Reshare algorithm. Given a fixed

polynomial, to sample an x at random and calculate

corresponding y is quite easy. But taking any t points to

recover the polynomial by using Lagrange interpolation is

costly. For a threshold with t = 50, the calculation time

Fig. 5. A complete verification on all algorithms of this proposal by a threshold (3, 5)

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

184

Volume 19, 2022

requires 4872 milli seconds. In a decentralized network

environment, the participants are required to pledge their

assets for providing stable service, so that the Reshare

algorithm also means the crash times of participated nodes.

This paper proposes a distributed proxy re-encryption

network with multi-hop delegatees for reliable encryption

transformation. The proposed scheme is unidirectional, non-

interactive, transitive, multi-hop and collusion-safe. Also, we

have implemented this scheme in a test environment, which

only involves one local node that performed multiple roles in

the scheme. Experiments show that most of the overhead of

algorithm computation is in millisecond level except for

resharing in huge threshold, while the generations of re-

encryption key and multi-hop re-encrypting as well as the

reshare algorithms are regardless of the raw data size. Next,

we will combine this proposal with a DAG structured

blockchain to provide decentralized KMS service.

This work was supported by a grant from the Core Tech-

nology Research and Development Program of Lin-Gang.

[1] Matt Blaze, G. Bleumer, and M. Strauss. 1998. Divertible protocols

and atomic proxy cryptography. In Proceedings of Eurocrypt ’98,

volume 1403, 127–144.

[2] Egorov M, Wilkison M L . NuCypher KMS: Decentralized key

management system[J]. 2017.

[3] M. Mambo and E. Okamoto. Proxy cryptosystems: Delegation of the

power to decrypt ciphertexts[J]. IEICE Trans Fundament. Electron.

Commun. Comput. Sci. 1997, 54–63.

[4] Ateniese G, Fu K, Green M, et al. Improved proxy re-encryption

schemes with applications to secure distributed storage[J]. Acm

Transactions on Information & System Security. 2006, 9(1):1-30.

[5] Wang H , Cao Z. A Fully Secure Unidirectional and Multi-use Proxy

Re-encryption Scheme[J]. ACM CCS poster session, 2009.

[6] Cai Y , Liu X . A Multi-use CCA-Secure Proxy Re-encryption

Scheme[J]. IEEE, 2014:39-44.

[7] Song L, Shen Q, Chen Z. Fullysecureunidirectionalidentity- based

proxy re-encryption. In Proceedings of the International Conference on

Infor- mation Security and Cryptology (ICISC 2011). Springer, Berlin,

Heidelberg, 109-126, 2011.

[8] Sun Y, Willy S, Zhang F, Anmin Fu. CCA-Secure Revocable Identity-

Based Encryption With Ciphertext Evolution in the Cloud. IEEE

Access 6 (Oct, 2018), 56977-56983, 2018.

[9] Sun Y, Mu Y, Willy S, Zhang F,Anmin F. Revocableidentity- based

encryption with server-aided ciphertext evolution. Theoretical

Computer Science 815 (May, 2020), 11-24, 2020.

[10] Benhamouda F, Krawczyk H, Rabin T. “Robust Non-interactive

Multiparty Computation Against Constant-Size Collusion”, 2017.

[11] Liang K, Joseph Liu, Wong D,Willy S. An Efficient Cloud-Based

Revocable Identity-based Proxy Re-encryption Scheme for Public

Clouds Data Sharing. In Proceedings of the European Symposium on

Research in Computer Security (ESORICS 2014). Springer, Cham,

257-272, 2014.

[12] W. Chang and Y. F. Wang. 2015. Seeing through the Appearance:

Body Shape Estimation using Multi-view Clothing Images. In Proc.

IEEE Int. Conf. on Multimedia and Expo. 1–6.

[13] Shamir. 1979. How to Share a Secret. Commun. ACM 22, 11 (Nov.

1979), 612–613.

[14] Ateniese G, Burns R, Curtmola R, et al. “Provable data possession at

untrusted stores”. ACM Conference on Computer & Communications

Security. ACM, 2007.

[15] Sebé F, Domingo-Ferrer J, Martinez-Balleste A, et. al. “Efficient

remote data possession checking in critical information infrastructures”.

IEEE Transactions on Knowledge and Data Engineering, 2008, 20(8):

1034-1038.

[16] Wang Q, Wang C, Ren K, et. al. “Enabling public auditability and data

dynamics for storage security in cloud computing”. IEEE Transactions

on Parallel and Distributed Systems, 2011, 22(5): 847-859.

[17] Yang K, Jia X, Ren K. “DAC-MACS: Effective data access control for

multiauthority cloud storage systems”. IEEE Transactions on

Information Forensics and Security, 2013, 8(11): 1790-1801.

5. Conclutions

Acknowledgement

5HIHUHQFHV

Creative Commons Attribution License 4.0

(Attribution 4.0 International, CC BY 4.0)

This article is published under the terms of the Creative

Commons Attribution License 4.0

https://creativecommons.org/licenses/by/4.0/deed.en_US

WSEAS TRANSACTIONS on INFORMATION SCIENCE and APPLICATIONS

DOI: 10.37394/23209.2022.19.18

Juntao Cao, Xin Pei, Xiaochuan Wu

E-ISSN: 2224-3402

185

Volume 19, 2022