1 Introduction

Cloud services minimize cost and associated maintenance and obsolescence problems. It increases scalability, interoperability, and availability. However, cloud-based data sharing gives rise to issues like privacy, access control, confidentiality, and data integrity. Data owner can encrypt his sensitive data before outsourcing to cloud and share decryption rights with authorized users. But, encryption is inefficient as users are always in the loop to perform encryption and decryption algorithms twice or share their secret keys for decryption while sharing the data.

Proxy re-encryption scheme (PRE) provides secure and efficient data sharing on cloud. A cryptographic technique is used to authorize a third party (proxy) to convert outsourced encrypted ciphertext from the public key of the data owner into ciphertext that can only be decrypted using the user’s private key i.e., re-encryption. The data owner generates the re-encryption key and is securely shared with the proxy, allowing the proxy to perform re-encryption. Re-encryption of the data owner’s ciphertext does not reveal user/data owner’s private key and underlying plaintext to the proxy. PRE methodology reduces the dependence of trust between end-users by not sharing the private key or symmetric key.

PRE is suitable for access control delegation [1, 2], privacy preservation in cloud computing [3, 4], e-healthcare system [5, 6], authorization in IoT [7], group key management [8], secure data forwarding [9, 10], etc.

Existing PRE schemes [11] need a single semi-trusted proxy to perform the re-encryption process as shown in Fig. 1. This is not practical in real-world scenarios and is a single point of failure. The semi-trusted proxy can collude with malicious users for re-encryption. Threshold proxy re-encryption (TPRE) scheme delegates task to multiple proxies. This eliminates the dependence on a single entity and prevents collusion between semi-trusted proxy and malicious users. It uses shamir secret sharing scheme [12] to distribute the re-encryption process and maintain trust among multiple proxies. Multiple proxies make TPRE schemes fault-tolerant and achieve secure delegation. However, such quorum-controlled re-encryption schemes do not satisfy the critical properties of the PRE scheme.

Existing TPRE [15, 21] schemes use symmetric keys and RSA algorithm for re-encryption and decryption of data. This increases key handling overhead, computational cost overhead and overhead of secure channel. The schemes [20,21,22] use the same share of proxies for re-encrypting multiple data, which increases the possibility of leakage of shares of proxies. Therefore, shares need to be updated to secure the data and prevent the collusion attack between malicious proxies and users. They allow any proxy to generate the final ciphertext after sending their partial re-encryption ciphertext, which increases the delay and computational cost. Therefore, we need a secure and efficient TPRE scheme.

Fig. 1
figure 1

Proxy re-encryption scheme

Full size image

TPRE scheme can be used in cloud-based data sharing applications like IIoT and healthcare system. In IIoT, IoT sensors and actuators are responsible for collecting the data and enhancing industrial processes. Here, the parent company (data owner) is responsible for sharing data with a subsidiary company and other users (vendor, supplier, etc) and for predictive maintenance in the subsidiary company and itself. The parent company has multiple authorized entities, verification, and maintenance nodes for different aspects. Cloud, honest but curious, is used to store sensed and collected data in encrypted form. When a user or subsidiary company requests for data, the data owner generates a re-encryption key according to the requester, splits the re-encryption key into n numbers, and sends it to authorized entities, verifiers, and maintenance nodes. After verification, if the cloud receives t out of n or n out of n re-encryption keys then, it re-encrypts the requested data and sends it to the user, else the user is not a legitimate entity.

In the healthcare system, a person stores encrypted health-related records and insurance claim information in the cloud. When a person gets hospitalized, he cannot provide his previous health-related records required for better diagnosis and cannot claim insurance. For this, he can generate a re-encryption key and split it into N semi-trusted entities, and share the keys with them in order to share his health-related data and claim insurance while he is indisposed.

The proposed proactive-based threshold proxy re-encryption scheme provides privacy-preserving data sharing with high access control cloud. It satisfies critical properties like non-transitivity, collusion-resistance and non-interactivity. The existing proxy re-encryption schemes and threshold proxy re-encryption schemes are vulnerable to securing the secret shares after t time period or from collusion attacks. Therefore, secret needs to be changed or updated but changing the secret every time increases the computation cost and time complexity. We have introduced proactive property [13] in the proxy re-encryption that helps proxies to join or remain in the system, protects from a malicious proxy or an adversary who knows secret share below the threshold proxies, and mitigates the possibility of attacks like wormhole attacks without changing the secret. Hence, the data owner need not change the secret after every attack or leakage of secret shares.

1.1 PRE scheme properties

We consider two users (U as sender and V as receiver), a re-encryption key \((r_{{\rm u} \rightarrow {\rm v}})\) and public-private key pair for user u is \((pk_{\rm u}, sk_{\rm u})\) simultaneously. The properties [14] are as below.

  1. A)

    Unidirectional: Delegation of re-encryption key from U to V cannot be reversed into re-encryption key from V to U. This means \((r_{{\rm u} \rightarrow {\rm v}})\) cannot be converted into \((r_{{\rm v} \rightarrow {\rm u}})\).

  2. B)

    Key optimality: Proxy and user storage capacity should remain constant after getting multiple delegation’s for re-encryption.

  3. C)

    Proxy invisibility: User U and user V should be oblivious of the existence of the proxy. This means that user V should not be able to distinguish between the ciphertexts generated from encryption by receiver public key \((pk_{\rm v})\) and ciphertext generated from re- encryption key \((r_{{\rm u} \rightarrow {\rm v}})\).

  4. D)

    Non interactive: User U should generate re-encryption key \((r_{{\rm u} \rightarrow {\rm v}})\) using user V public key and not require his private key. This means that no interaction is required with user V.

  5. E)

    Original access: User U should be able to decrypt the re-encrypted ciphertext generated for user V.

  6. F)

    Collusion resistance: Private key of user U used in transformation of re-encryption key \((r_{{\rm u} \rightarrow {\rm v}})\) should not be revealed to proxy and user V. This means that information about the re-encryption key and the private key of the user will not reveal the secret key of user U.

  7. G)

    Temporary: Re-encryption rights given by delegation of re-encryption key should be grant for a limited amount of time.

  8. H)

    Non transferable: Proxy cannot redirect the decryption rights to third party when he knows about re-encryption key \((r_{{\rm u} \rightarrow {\rm v}})\), public key of third party \((pk_{\rm t})\) and private key of user \((sk_{\rm v})\)

  9. I)

    Non transitive: If proxy knows the re-encryption keys \((r_{{\rm u} \rightarrow {\rm v}})\) and \((r_{{\rm v} \rightarrow {\rm w}})\) then he cannot compute \((r_{{\rm u} \rightarrow {\rm w}})\) for re-delegation of decryption.

1.2 Our contributions

The contributions of this paper are

  1. A)

    A proactive threshold proxy re-encryption scheme that provides privacy-preserving data sharing with high degree of access control for cloud-based data sharing applications.

  2. B)

    A proactive property is introduce in the scheme that helps to remove or add any proxy from quorum and also renew all shares after a duration of time.

  3. C)

    Collusion resistance in the scheme against cloud and proxy for accessing unauthorized data and against proxies and user for getting data of data owner.

  4. D)

    The scheme is Indistinguishable against chosen plaintext attack (IND-CPA) using Random Oracle model under the Decisional Bilinear Diffie-Hellman Inverse (DBDHI) assumption. We also determine the storage, communication and computational cost of the scheme and compare them with the existing threshold proxy re-encryption to demonstrate the efficiency and suitability of our scheme.

  5. E)

    The scheme is shown to satisfy properties required by proxy re-encryption technique. These properties are unidirectional, non-interactive, key optimal, original access, collusion safe, non-transitive, non-transferable, and limited time delegation.

The rest of this paper is organized as follows. Section 2 reviews the related work. Section 3 defines the system model and threat model of proposed scheme. In Sect. 4, We explains the problem statement of traditional TPRE schemes. In section 5, we describe preliminaries required in the proposed work. In Sect. 6, we describe our definition of the proposed schemes. Section 7 defines construction and the security analysis of our proposed scheme. Section 8 shows the analysis and comparison of proposed scheme with existing scheme based on properties. Performance evaluation is given in Sects. 9. Finally, Sect. 10 concludes this article.

2 Related works

We review the exiting proxy re-encryption schemes and threshold-based proxy re-encryption schemes [12, 23, 24] with multiple proxies under the consideration of the above-enumerated properties of the PRE scheme. Instead of a single proxy, these schemes require at least t proxies out of the total number of proxies to generate the valid re-encrypted ciphertext. Likewise, threshold proxy re-signature [30, 31] schemes also provide the secure delegation with access control in different applications and prevent collusion attacks by proxies and malicious users who want unauthorized access to data owner’s data.

Jakobsson [16] introduced a quorum-based proxy re-encryption scheme where the data owner uses (tN) threshold secret sharing scheme to divide the secret into N shares and these shares distribute to semi-trusted proxies for performing re-encryption. Jakobsson [16] splits his private key and distributes them to proxies, making his scheme vulnerable while collusion of the quorum of proxies. Lin [9] proposed the proxy re-encryption scheme based on threshold cryptography with homomorphic property on the decentralized scenario, which does not consider the addressed issue in the Jakobsson scheme [16]. This scheme uses threshold cryptography to decrypt re-encrypted ciphertext by collaborating with t proxies instead of re-encryption. This scheme does not generate final re-encryption ciphertext based on achieving the threshold t out of N proxies. In this scheme, any proxy that joins or leaves the network has to change the secret to update the share of every proxy that proves the inefficiency in the scheme. Song [17] circumvent addressed issue in Jakobsson scheme. This scheme proposed a cloud-based healthcare system using id-based encryption in threshold proxy re-encryption scheme, but it uses a private key generator as a trusted third party for providing public-private key pair that makes it prone to a single point of failure. This scheme does not offer security if less than t share is leaked to an adversary. Hence, this proposed scheme is insecure as well as inefficient.

Li et al. [18] proposes the multi-hop proxy re-encryption scheme via branching program by using lattice-based cryptography where, they used key switching algorithm to generate a re-encryption key. The key switching algorithm can not only generate a re-encryption key, but also ensure the homomorphism of ciphertext. However, the re-encryption key generated by key switching algorithm can only resist weak anti-collusion. This scheme do not provide proofs to satisfy the PRE properties. Fucoi [19] has proposed a single hop homomorphic proxy re-encryption in which PRE supports fully homomorphic operations. Qian [32] has proposed autonomous path delegation function and its application in healthcare cloud using proxy re-encryption. It allows patients to set up multi-hop delegation path with their preferences, and the delegated doctors in the path can search for and access the patient’s private medical information. Yingying [25] proposed a Controllable encrypted cloud image Search scheme in multi-user settings (namely CSM) by using the polynomial-based access strategy and proxy re-encryption technique. It has not define the Collusion-resistant attack. Peng [26] proposed conditional identity-based broadcast proxy re-encryption. It encrypts a data for many users and it delegates a re-encryption key to a proxy so, it can convert the ciphertext into re-encrypted for new set of intended users. Furthermore, the re-encryption key can be associated with a condition, which allows the data owner to enforce access control over his outsourced data. Qinlong [27] proposed secure data group sharing and dissemination with attribute in public cloud using proxy re-encryption, which allows data owner to outsource encrypted data to semi-trusted cloud and share it with a group of users at one time.

Existing multi-hop proxy re-encryption schemes [28, 29] generate valid re-encrypted ciphertext by re-encrypting the data owner ciphertext multiple times in the available sequence of re-encryption keys where every proxy compute re-encryption successively else the process will not proceed. If proxies do not follow the fixed sequence, then valid re-encrypted ciphertext will not generate. These multi-hop proxy re-encryption schemes used a single proxy to perform multiple re-encryption in the fixed sequence that causes reliability and trust issues.

Chen [15] proposed a threshold proxy re-encryption scheme by employing ElGamal-based proxy re-encryption with threshold cryptography in the consortium blockchain access permission. This generates the valid re-encrypted ciphertext by collaborating at least t proxies out of N proxies. However, this scheme does not provide chosen plaintext attack security against the malicious user and does not explaining under which security assumption [15] scheme is secure. This scheme is using the consortium blockchain which is permissioned blockchain where each user is authorized by a node. Consortium blockchain is not storage efficient and consumes more time to verify the transactions due to that [15] scheme is inefficient. Shravani M.H [20] proposed RSA-based collusion resistant quorum controlled proxy re-encryption scheme for distributed secure communication. They analyze the Jakobsson scheme and try to circumvent the issues by generating valid re-encrypted ciphertext, and proxies can not get the secret key of the data owner by collusion attack. However, the data owner does not require the user’s secret key to generate the re-encryption key. Still, the data owner will interact with the user to share the decryption key of re-encrypted ciphertext that violates the non-interactive property of the PRE scheme. The size of keys is very large in RSA algorithm [33] due to that this scheme is inefficient and insecure.

B R Purushothama [21] proposed a non-transitive and collusion resistant quorum controlled proxy re-encryption scheme for resource-constrained devices. In this scheme, all active proxies exchange at least t share of re-encrypted ciphertext with each other, increasing the interaction between the proxies and increasing the network’s communication cost. This scheme requires an interaction between the data owner and user for getting the secret key of the user to compute the re-encryption key that violates the non-interactive property of the PRE scheme as well as this scheme does not follow the temporary, original access non-transferable properties of the PRE scheme. Pareek G [22] proposed threshold progressive proxy re-encryption for secure data access delegation. This scheme has a progressive property in which all proxies consecutively re-encrypt the ciphertext in any sequence until t proxies generate the final re-encrypted ciphertext out of N proxies. In progressive property, proxies have to perform multiple computations for generating one re-encrypted ciphertext until then, other intermediate proxies have to stand by, which makes it inefficient and reduces fault tolerance. Here, the first and last proxy will not get a re-encryption key, acting as a trusted third party and prone to the single point of failure. This scheme does not provide any security against the share of secret leakage with reduced complexity.

The proposed proactive threshold proxy re-encryption scheme performs re-encryption concurrently by proxies with proactive property whereas satisfying enumerated properties of PRE scheme and increases fault-tolerance, reliability, efficiency, and security of our scheme.

3 System model

Sensitive data of data owners is outsourced to the cloud and shared with other users on request. This process requires secure data sharing and access control over the stored data over the cloud. The proposed scheme can be widely applied to outsourced data sharing to achieve privacy preserving data sharing. Figure 2  represents the system architecture of cloud-based data sharing scheme where users are. The system consists of three entities, i.e., data owner, cloud, and, user.

Fig. 2
figure 2

System model of the outsourced data sharing without using proxy

Full size image
  1. A)

    Data owner: The data owners are honest entities but they have limited storage and computational power. So, they encrypt his data and outsourced to cloud. They have access control over the outsourced data so cloud or user cannot manipulate or update the data without his permission.

  2. B)

    Cloud: The cloud is an honest but curious entity, i.e., semi-trusted. It provides the storage facility to resource constrained users, and it helps users to share data with other users non-interactively. It maintains the integrity of the stored ciphertext. While querying a keyword to cloud, it searches for data that existed or not related to that keyword.

  3. C)

    Proxy: We assumed that the proxies are semi-trusted. They compute the re-encrypted ciphertext of encrypted data using re-encryption keys and send it to the user.

  4. D)

    User: In the proposed scheme, users can be a reader, doctor, company employees, analysts etc. They search on the cloud that required data is exist or not. After that, the user requests the required data related to the owner with a keyword for accessing his data. The users can be trusted and malicious. They get the re-encrypted requested data of regarding his requested keyword, which decrypts using his private key.

3.1 Threat model

According to the system model defined above, the PB-TPRE scheme is prone to the following active attacks by an adversary which tries to manipulate or steal the data.

  1. A)

    The user can collude with proxies to attempt to obtain the shares of re-encryption key without the permission of the data owner. Once the user obtains re-encryption key, the outsourced data of the data owner can be re-encrypted. User gets the benefits of that ciphertext.

  2. B)

    The semi-trusted cloud may impersonate data owners or authorized data consumers to try to access outsourced data.

  3. C)

    The proxy is prone to a single point of failure due to DoS (Denial of service) or DDoS (Distributed Denial of service) attacks. So, the availability of proxy is reduced to the data owner and user that stops the process.

  4. D)

    The semi-trusted cloud can collude with a malicious user to get the data of data owner other than requested data.

  5. E)

    The semi-trusted proxies can collude with each other to compute the re-encryption key then, they act as user to get the data of data owner. The proxy can also perform a wormhole attack in which the proxy can act as an insider attacker where proxy sends share of re-encryption keys to malicious users.

4 Problem description

The data owner encrypts his data that outsourced to the cloud, but the issues, access control on encrypted data and scalable user revocation need to be solved. Cloud does not have any decryption rights of stored encrypted data. Hence, sharing data with a user requires sharing of decryption key or a data download decryption-encryption process. The process of decryption-encryption with public key of user is computational and communication intensive.

Existing threshold proxy re-encryption schemes cannot protect the shares of a secret for a long time as the probability of an adversary knowing shares increases with time. Proxies can be malicious and perform wormhole attacks. The existing threshold proxy re-encryption schemes [16, 20,21,22],

do not satisfy some of the desirable properties of PRE scheme like collusion safety, non-transitive, non-interactive, and unidirectionality. In existing schemes, if any proxy wants to leave or join the quorum then these schemes cannot update the quorum by sharing new shares without changing the secret. Existing proxy re-encryption schemes are centralized in the context of a proxy, which is considered as a fully trusted entity to re-encrypt the data, so they are prone to a single point of failure. In applications like IIoT and secure healthcare systems, existing proxy re-encryption schemes do not provide distributed authorization for high access control over sharing sensitive data.

5 Preliminaries

The proposed scheme provides privacy preserving secure sensitive data sharing with access control using proxy re-encryption, threshold secret sharing. The scheme is collusion resistant against proxies and cloud and users. Table 1 describes the following notations and cryptographic functions used to define, construct, and secure our proposed method.

Table 1 Notations and cryptographic functions
Full size table

5.1 Bilinear map

We consider two cyclic group \(G_1\) and \(G_2\) of prime order p. Take g be the generator of \(G_1\). A pairing \(e:G_1*G_1=G_2\) is the map which satisfies the following properties.

  1. A)

    Bilinearity: \(\forall x,y \in Z^*_{\rm p}\) and \(\forall A,B \in G_1\), \(e(A^x,B^y) = e(A^y,B^x) =e(A,B)^{xy}\)

  2. B)

    Non-degeneracy: \(e(g,g) \ne 1\)

if the paring map e and group operations in \(G_1\) are efficiently computable then \(G_1\) will be the bilinear group and the algorithm will take polynomial time for computing pairing operations.

5.2 Computational bilinear diffie hellman

Let us consider \(G_1\) and \(G_2\) be the two cyclic additive and multiplicative group respectively, whose generator point is g and prime order is p. The computational bilinear Diffie-Hellman CBDH problem is to deciding the value of T, whether \((T=e(g,g)^{\alpha \beta \gamma })\) or T is the random element of \(G_2\) on a given random group element \(A,B,C\in G_1\) where as \(\alpha ,\beta ,\gamma \in _R Z^{*}_{\rm p}\).

\(BDH(A,B,C) = T\), where \(A = g^\alpha , B=g^\beta , C=g^\gamma\) and \(T = e(g, g)^{\alpha \beta \gamma }\) Formally, the CBDH assumption says that: \(Pr[\mathcal {A} (A, B, C) = BDH(A, B, C)] \le negl(k)\) for all pro-probabilistic polynomial time algorithms \(\mathcal {A}\) where k is a security parameter of sufficient size.

5.3 Decisional bilinear diffie-hellman inverse (DBDHI) assumption

Let g be generator of \(G_1\). The assumption is that \(e(g, g)^{\alpha / \beta }\) and \(T \in G_2\) are indistinguishable for any probabilistic polynomial time algorithm \(\mathcal {A}\) if the challenge instances D = \(((g,G_1,G_2, e), P, P^{\alpha }, P^{\beta })\) and T are given. The advantage of \(\mathcal {A}\) is defined as \({Adv_{\mathcal {A}}^{DBDHI}}(\lambda ) = |Pr[{\mathcal {A}}(D, e(g,g)^{\alpha / \beta }) = 0]- Pr[\mathcal {A}(D, T) = 0]| \le \epsilon\). Note that the probability is taken over the random choice of \(T \in G_2\) and \(\alpha , \beta \in Z_{\rm p}\).

6 Proactive threshold proxy re-encryption scheme (PB-TPRE)

The PB-TPRE scheme provides secure data sharing between end-users without collusion between proxies/proxy and malicious users. Proxies re-encrypt the outsourced ciphertext of the data owner concurrently without waiting for other’s output using his partial re-encryption key in the proposed scheme. After that, the combination of t partial re-encrypted ciphertext out of N from proxies generates the final valid re-encrypted ciphertext intended for a user. The data owner encrypts his plaintext data using the set of keywords and his private key. The user sends the request with keywords to get the data owner’s private data. Keywords are sensitive data that should not know to any third party. The scheme renews old shares without changing the secret, so that disclosed shares to the adversary are useless. Data owners chooses the number of proxies to create the quorum. The security assumption is still satisfied when, the number of malicious agents exceeding the threshold t can launch a collusion attack, so when the proxy server transforms consider threshold to be 2t to ensure security. Data owners or users generate the quorum for secure data sharing. If a malicious proxy generates the wrong partial ciphertext and sends it to the user, then the user-generated final ciphertext will not be decrypted. The user needs to compute t partial ciphertexts. Therefore, after aggregating the t partial ciphertexts for different proxies helps to find the malicious proxy, the user can remove the misbehaving proxy from the quorum for secure data sharing between the data owner and user.

Fig. 3 shows the PB-TPRE schemes architecture. The data and control flow are as follows

Fig. 3
figure 3

PB-TPRE scheme architecture

Full size image
  1. A)

    Data owner encrypts his data and sends it to the cloud for storage.

  2. B)

    Users search in the cloud for data of interest. If data exist in the cloud or user knows the data owner then, they will send keywords for requesting data owners’ data, otherwise, process will stop and wait for it.

  3. C)

    Data owner generates re-encryption key and splits it into n number of semi-authorized proxies by using secret sharing technique after that, these keys securely share with n proxies. If some proxy becomes malicious or less than t shares are disclosed to an adversary or due to the usage of same shares for a long time, the possibility of attack and leakage also increased so, these shares can be renewed without changing the secret that reduces the computation cost and maliciousness in the network

  4. D)

    Requested data will be re-encrypted by proxies using the share of re-encryption keys gets form the data owner. After that, proxies send re-encrypted ciphertext to the user.

  5. E)

    When user receives the t re-encrypted ciphertext from proxies, then he combines all re-encrypted ciphertext to get the final ciphertext. After that, User will decrypt the re-encrypted data by using his private key and requesting data keywords. Otherwise, this data will not be decrypted, prevents a collusion attack between user and cloud or proxy.

Figure 4 shows the distribution of shares of re-encryption key from data owner and cloud shares the intended encrypt data to proxies for re-encryption of ciphertext. All proxies do parallel computation and next proxy did not need to wait for further computation.

Fig. 4
figure 4

Sharing of ciphertext and share of re-encryption Keys to Proxies

Full size image

6.1 Definitions

The PB-TPRE scheme contains tuple (Setup, KeyGen, Enc, ReKeyGen, ShareDis, ShareRnew, InReEnc, Dec) of probabilistic polynomial time algorithms. We consider the data owner (do), set of users \((u_1,u_2,...,u_{\rm n})\) and the set of proxies \((E_1,E_2,...,E_{\rm n})\), algorithms are defined based on its input and output parameters as follows

  1. A)

    Setup \((1^\zeta ) \rightarrow (Params)\): We consider a security parameter \((\zeta )\) as the input. By using that input, we generate global parameters (Params) as the output.

  2. B)

    KeyGen \(({do}, Params) \rightarrow (pk_{\rm do}, sk_{\rm do})\): We generate a public-private key pair \((pk_{\rm do}, sk_{\rm do})\) for a data owner (do) and user (u).

  3. C)

    Enc \((pk_{\rm do}, M, \kappa ) \rightarrow (C_{\rm do})\): We encrypt the data (M) by the using \(pk_{\rm do}\) key and data keywords \((\kappa )\). After that, encrypted data \((C_{\rm do})\) is stored in the cloud due to limited storage and computation power.

  4. D)

    Re-KeyGen \((pk_{u}, sk_{\rm do}) \rightarrow (R_{{do} \rightarrow u})\): We generate a re-encryption key \((R_{{do} \rightarrow u})\) by using private key of data owner\((sk_{\rm do})\) and public key of user\((pk_{u})\) that is used to re-encrypt the outsourced encrypted data for user.

  5. E)

    ShareDis \((E_{\rm n}, R_{{do} \rightarrow u}, \delta (z)) \rightarrow (R_{{\rm do} \rightarrow u}^n)\): We use threshold secret sharing method to split the re-encryption key \((R_{{\rm do} \rightarrow u})\) into n shares and sends it to n number of entities.

  6. F)

    ShareRnew \((R_{{\rm do} \rightarrow u}^n,E_{\rm n},t) \rightarrow (Rn_{{\rm do} \rightarrow u}^n)\): Some shares become known to adversary with time or to remove malicious entity, here, we replace the old shares \((R_{{do} \rightarrow u}^n,E_{\rm n},t)\) with new shares \((Rn_{{do} \rightarrow u}^n)\) without changing the secret.

  7. G)

    InReEnc \((E_{\rm t}, R_{{do} \rightarrow u}^n, C_{\rm do}) \rightarrow (C_{\rm u})\) We re-encrypt the encrypted data and combine the share of all re-encryption keys as follows.

    1. a)

      ReEnc \((C_2, E_{\rm n}, R_{{do} \rightarrow u}^n) \rightarrow (C_{E_{\rm t}})\): First, entities \((E_{\rm n})\) will re-encrypt the encrypted data \((C_2)\) by using their share of re-encryption key \((R_{{do} \rightarrow u}^n)\).

    2. b)

      Integrate \((C_{E_{\rm t}}, C_{\rm do}) \rightarrow (C_{\rm u})\): Second, We use lagrange interpolation method after receiving the t number of cipher-texts then we combine all the cipher-texts \((C_{E_{\rm t}})\) which provides final cipher-text \((C_{\rm u})\) that only decrypted by a user.

  8. H)

    Dec \((C_{\rm u},sk_{\rm u},\kappa ) \rightarrow (M)\): User will decrypt the \(C_{\rm u}\) by using his private key \((sk_{\rm u})\) and requested keyword \((\kappa )\) and gets the data (M).

7 Construction

We use elliptic curve cryptography, and threshold secret sharing to construct the proposed PB-TPRE scheme as follows.

  1. A)

    Setup \((1^\zeta )\): This take security parameter \(\zeta\) to generate public parameters as follows.

    • Take a large prime p.

    • Select distinct group \(G_1\) and \(G_2\) of prime order p.

    • Consider GF(q), where \(q=p^l\) and l is a positive integer.

    • Select the generator g from \(G_1\,( g \in G_1)\).

    • Consider a map \(e\,\ G_1 * G_1 \rightarrow G_2\) where e represents a bilinear paring.

    • The pubic parameter in the network is \(Params = (G_1,G_2,g, e, p, T)\) where \(T = e(g,g)\).

  2. B)

    KeyGen (doParams): This generates the public and private keys for everyone in the network as follows for data owner and user.

    • Consider a random number \(\Gamma _{\rm do} \in Z_{\rm p}\).

    • Generate private key of do is \(sk_{\rm do} = \Gamma _{\rm do}\) and public key of do is \(pk_{\rm do} = g^{\Gamma _{\rm do}}\ mod\ p\).

    • Public-private key pair of do are \((sk_{\rm do}, pk_{\rm do} ) = (\Gamma _{\rm do}, g^{\Gamma _{\rm do}} )\).

    • Public-private key pair of user (u) are \((sk_{u}, pk_{u} ) = (\Gamma _{u}, g^{\Gamma _{u}} )\).

  3. C)

    ReqData \((pk_{\rm do},\kappa )\): User encrypts the requested data keywords \((\kappa )\) with data owner public key \((pk_{\rm do})\) for requesting data.

  4. D)

    Enc \((pk_{\rm do},M,\kappa )\): This algorithm uses public key of data owner \((pk_{\rm do})\) and requested keywords \((\kappa )\) along with the data M. To encrypt the M of do. We compute the cipher-text \((C_{\rm do})\) as follows.

    • Consider a random number \(s \in Z_{\rm p}\)

    • Compute

      $$\begin{aligned} \begin{aligned} C_1&= M* e(g, g^s)^{H(\kappa )}\\ {}&= M * e(g, g)^{s*H(\kappa )}\\ {}&= M*T^{(s*H(\kappa ))} \end{aligned} \end{aligned}$$
      (1)

    • Compute

      $$\begin{aligned} \begin{aligned} C_2&= pk_{\rm do}^s\\ {}&= g^{\Gamma _{\rm do}*s} \end{aligned} \end{aligned}$$
      (2)

    • Cipher-text \(C_{\rm do} = (C_1,C_2 )\)

    • Send \(C_{\rm do}\) to cloud for storage.

  5. E)

    RekeyGen \((sk_{\rm do},pk_{\rm u})\): This algorithm generates the re-encryption key \(R_{do\ \rightarrow \ u}\) using data owner private key \((sk_{\rm do})\), requested data keyword (\(\kappa\)) and public key of user \((pk_{\rm u})\) as follows.

    • Consider a random number \(\nu \in Z_{\rm p}\)

    • Compute

      $$\begin{aligned} \begin{aligned} R_{do\ \rightarrow \ u }&= g^{\frac{1}{sk_{\rm do}}} * pk_{\rm u}^\nu \\ {}&= g^{\frac{1}{\Gamma _{\rm do}}} * g^{\Gamma _{u}*\nu }\\ {}&= g^{\frac{1}{\Gamma _{\rm do}}+\nu .\Gamma _{u}} \end{aligned} \end{aligned}$$
      (3)

    • Re-encrypted key is \(R_{do\ \rightarrow \ u} = g^{\frac{1}{\Gamma _{\rm do}}+\nu .\Gamma _{u}}\)

    • Compute \(Q=g^{\nu *H(\kappa )}\), which is used as public parameter.

  6. F)

    ShareDis \((E_{\rm n},R_{{do} \rightarrow u},\delta (z))\): This algorithm splits the re-encryption key \((R_{{do} \rightarrow u})\) into n entities \((E_{\rm n})\) by using a polynomial equation \((\delta (z))\) as follows.

    • Consider \(k-1\) as an element, \(x_1,x_2,...,x_{k-1} \in GF(q)\)

    • Generate a polynomial

      $$\delta (z) = x_0+x_1.z+x_2.z^2+,...,+x_{k-1}.z^{k-1}$$

      where \(x_0 = R_{{do} \rightarrow u}\) is re-encryption key (secret).

    • Construct n point from it, to retrieve (if(i)) for instance set \(i= 1,2,...,n\)

    • do sends \(R_{{do} \rightarrow u}^n = g^{f(i)}\) to \(E_{\rm n}\) securely.

  7. G)

    ShareRnew \((R_{{do} \rightarrow u}^n,E_{\rm n},t)\): Here, we replace the old share \((R_{({do} \rightarrow u)_i})\) with new share \((Rn_{({do} \rightarrow u)_i})\) when less than \(t-1\) share are leaked or to remove a malicious entity from the \(E_{\rm n}\) within time period T.

    • \(E_{\rm n}\) takes \(\omega\) as a element, \((b_{im})_{m \in (1,...,\omega )} \in GF(q)\)

    • Generate polynomial

      $$b_i(z) = b_{i1}.z+b_{i2}.z^2+,...,b_{i\omega }.z^\omega,$$

      Here free coefficient \((b_{i0})\) is 0, hence \(b_i(0) = 0\)

    • Every \(E_i\) consider \(j_{ij} = g^{b_i(j)}\) and

      figure a

    • After receiving \(j_{ij}\), every \(E_j\) computes its new share

      $$Rn_{({do} \rightarrow u)_i}^T \leftarrow R_{({do} \rightarrow u)_i} + (j_{i1}+j_{i2},...,+j_{in})$$

      then, \(E_{\rm n}\) will remove all other variables except new share.

  8. H)

    InReEnc \((E_{\rm t},R_{{do} \rightarrow u}^n,C_{\rm do})\): In this algorithm, entities re-encrypt the cipher-text \((C_{\rm do})\) by using the share of re-encryption key and if more than t entities send their re-encrypted cipher-text then we integrate them and generate final cipher-text \((C_{\rm u})\)

    1. a)

      ReEnc \((C_2,E_{\rm t},R_{{do} \rightarrow u}^n)\): Re-encryption of cipher-text \((C_{\rm do})\) steps are follows.

      • Consider \(y_{ij} = \Pi _{j=1}^t\frac{\chi -\chi _l}{\chi _i-\chi _l}\) Where \(\chi\) is argument of function from polynomial equation

      • Compute

        $$\begin{aligned} \begin{aligned} Z&= e((R_{{do} \rightarrow u}^n)^{y_{ij}},C_2)\\ {}&= e(g^{f(i).y_{ij}},g^{s.\Gamma _{\rm do}})\\ {}&= T^{(s.\Gamma _{\rm do}.f(i).y_{ij})} \end{aligned} \end{aligned}$$
        (4)

      • Every entity has \(C_{E_i} = (C_1,Z) = (M*T^{s.H(\kappa )},T^{(s.\Gamma _{\rm do}.f(i).y_{ij})})\)

    2. b)

      Integrate\((C_{E_{\rm t}},C_{\rm do})\): Here, if we have at-least t number the cipher-text \(C_{E_{\rm t}}\) then we integrate them and generate final cipher-text\((C_{\rm u})\) for user. Else, user is not allowed to get the requested data(M).

      • By using lagrange interpolation method, we combine \(C_{E_i}\)

        $$\begin{aligned} \begin{aligned} C_3&= \Pi _{i=1}^t Z\\ {}&= \Pi _{i=1}^t T^{(s.\Gamma _{\rm do}.f(i).y_{ij})}\\ {}&= T^{s.\Gamma _{\rm do}.\Sigma _{i=1}^t f(i).y_{ij}} \\ {}&= T^{s.\Gamma _{\rm do}.\left(\frac{1}{\Gamma _{\rm do}}+\nu .\Gamma _{u}\right)}\\ {}&= T^{s+s.\Gamma _{\rm do}.\nu .\Gamma _{u}} \end{aligned} \end{aligned}$$
        (5)

      • After integration of \(C_3\) and \(C_{\rm do}\), the final cipher-text of user is \(C_{\rm u} = (C_1,C_2,C_3)\)

  9. I)

    Dec \((C_{\rm u},sk_{\rm u},\kappa )\): This algorithm is used to get the data (M) by decrypting the cipher-text \((C_{\rm u})\) as follows.

    $$M\ =\ \frac{C_1.e(C_2,Q)^{sk_{\rm u}}}{C_3^{H(\kappa )}}$$

7.1 Proof of correctness

7.1.1 Correctness of decryption

We prove that decryption (Dec) will provide correct message (M)

$$\begin{aligned} \begin{aligned} Dec&= \frac{C_1.e(C_2,Q)^{sk_{\rm u}}}{C_3^{H(\kappa )}} \\&=\frac{M*T^{(s*H(\kappa ))}.e(g^{\Gamma _{\rm do}*s},g^{\nu *H(\kappa )})^{\Gamma _{u}}}{(T^{s+s.\Gamma _{\rm do}.\nu .\Gamma _{u}})^{H(\kappa )}}\\&=\frac{M*T^{(s*H(\kappa ))}.e(g,g)^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}{T^{s*{H(\kappa )}}.T^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}\\&=\frac{M.T^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}{T^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}\\&=M \end{aligned} \end{aligned}$$
(6)

7.1.2 Correctness of re-encryption

We use the lagrange equation to evaluate the correctness of shares of re-encryption. We have used the re-encryption key \(R_{do\ \rightarrow \ u} = g^{\frac{1}{\Gamma _{\rm do}}+\nu .\Gamma _{u}}\) and evaluate the values using the polynomial equation \(j_{ij} = g^{b_i(j)}\). We combine the \(R_{do\ \rightarrow \ u}\) and \(j_{ij}\) values of other proxies to generate the updated share of re-encryption key(\(Rn_{({do} \rightarrow u)_i}^T\)). We have compute the following equation for correctness.

\(f(x)\ = b+m*x\) where \(m = \Pi _{i=1}^n \frac{f_{i+1}(x)-f_{i}(x)}{x_{i+1}-x_i}\) and \(b=\ f_i(i)-m\) Hence, we get the old re-encryption key after combining the t, at f(0). The security of this process as same as mentioned in the [13]

7.2 Security analysis

We prove the security of PB-TPRE scheme in terms of proxy re-encryption with threshold secret sharing. We assume that there exists a PPT adversary \(\mathcal { A}\) which can break the \(IND-CPA\) security of the proposed scheme. In addition, there exist a challenger \(\mathcal {B}\) who uses \(\mathcal { A}\)’s parameters as a subroutine and play the same game. The considered DBDHI assumption is hard against the \(IND-CPA\) security.

Formal security

  1. A)

    Privacy for keyword: Under this notion, An adversary is allowed to get the plaintext of any cipher-text. It guarantees that the Cloud learns nothing about what the queries have been sent by the user’s end to complete this process. In our proposed scheme, the data is encrypted with the data owner’s public key before being outsourced to the cloud. A user sends request with the encrypted keyword, however, Cloud can not decide which keyword corresponds to a given ciphertext, which means he can not get any knowledge about the keyword.

  2. B)

    Collusion attack:In the proposed scheme, proxies want to collude with each other to get the final cipher-text. If t proxies are malicious then they collude with each other and get the re-encryption key but not able to get the decryption key that contain by the users. Therefore, after Collusion attack by proxies, they are only able to get the re-encryption key and ciphertext but not get the intended message.

  3. C)

    Message privacy:To proof this security notion, we have taken two algorithm Enc (E) and ReEnc (R), where we supposed E as \(C_1=M*T^{(s*H(\kappa ))}\) and this \(C_1\) is equivalent to ReEnc as \(C_{E_1}= M*T^{(s*H(\kappa ))}\). Therefore, it is clear that if Enc is secure then, ReEnc should also be secure. Next, we will see that Enc is semantically secure if DBDHI assumption holds. To do this, we assumed that there exist an IND-CPA adversary who can raise CPA queries any time.

Theorem (IND-CPA security): The proposed PB-TPRE scheme is secure under the IND-CPA assuming that DBDHI is hard problem in the considered groups \(G_1, G_2\).

Proof: Let us assume, there exists a PPT adversary \(\mathcal { A}\) that has non-negligible advantage \(\epsilon\) to break the PB-TPRE against the IND-CPA security.

On the given input of DBDHI \((g,g^\alpha ,g^\beta ,T) \in G_1^{3}*G_2\), the adversary \(\mathcal { B}\) is all set to break PB-TPRE scheme. If \(T=e(g,g)^{\alpha /\beta }\), \(\mathcal { B}\) set either \(T=1\) or \(T=0\). The communication between \(\mathcal { A}\) and \(\mathcal { B}\) is given below:

  1. A)

    CPA-Query 1:

    1. a)

      \(K_R\) queries: In this query, when \(\mathcal { B}\) receives a key generation query for a honest users \(u_i\), it selects \(T_{u_i}\ \in \ Z_q\) and responds with \(pk_i\ =\ g^{\Gamma _{u_i}}\). \(\Gamma _{u_i}\) is a secret key of users which is unknown to \(\mathcal { B}\). \(\mathcal { B}\) makes an entry of \((c_i\ =\ 0,pk_i,\Gamma _{u_i})\) to the \(L^{list}\), i.e., shows that \(u_i\) is honest/non-malicious when \(c_i= 0\).

    2. b)

      \(K_D\) queries: In this query, when \(\mathcal { B}\) receives a key generation query for a dishonest users \(u_i\), it selects \(\Gamma _{u_i}\ \in \ Z_q\) and responds with \(pk_i\ =\ g^{\Gamma _{u_i}}\). \(\Gamma _{u_i}\) is a secret key of dishonest users. \(\mathcal { B}\) makes an entry of \((c_i\ =\ 1,pk_i,T_{u_i})\) to the \(L^{list}\), i.e., shows that \(u_i\) is dishonest/malicious when \(c_i= 1\).

    3. c)

      \(R_0\) queries: When a user requests for re-encryption key \(R_{i \rightarrow j}\), adversary \(\mathcal { B}\) can extract the \(R_{i \rightarrow j}\) from \(L^{list}\) and computes as follows: If \(c_i = 0\ and\ c_j = 0\): \(R_{i\ \rightarrow \ j } = g^{\frac{1}{sk_{i}}} * pk_j^\nu\) is a valid re-encryption key. If \(c_i = 1\ and\ c_j = 0\): \(R_{i\ \rightarrow \ j } = g^{\Gamma _i} * pk_j^\nu \ = g^{sk_{i}^{-1}} * pk_j^\nu\) is a valid re-encryption key. If \(c_i = 1\ and\ c_j = 1\): \(R_{i\ \rightarrow \ j } = g^{\frac{1}{\Gamma _{i}}} * g^{\Gamma _{j}*\nu }\) is a valid re-encryption key. If \(c_i = 0\ and\ c_j = 1\): \(R_{i\ \rightarrow \ j } = g^{\frac{1}{\Gamma _{\rm do}}+\nu .\Gamma _{u}}\) is a valid re-encryption key.

    4. d)

      R queries: After getting these requests, \(\mathcal { B}\) tries to extract the information from \(L^{list}\). The re-encryption generation oracle outputs \(t-1\) re-encryption keys \(R_{i_1 \rightarrow j_1}, R_{i_2 \rightarrow j_2},..., R_{i_{t-1} \rightarrow j_{t-1}}\) irrespective of \(c_i\) and \(c_j\) values.

    5. e)

      \(Share R_0\) queries: This phase takes the re-encryption key \(R_{i \rightarrow j}\) and plaintext \((\mathcal { M})\) as a input. It computes the ShareDis procedure \((E_{\rm n},R_{{do} \rightarrow u},\delta (z))\) to calculate the re-encryption cipher-text \(C_j^t\).

    6. f)

      ShareR queries: After getting these requests, \(\mathcal { B}\) tries to extract the information from \(L^{list}\). If the user \(C_{\rm u}\) is a valid, the output would be \((M.Z^{s.H(\kappa )},T^{s+s.\Gamma _{\rm do}.\nu .\Gamma _{u}})\) other wise returns \(\bot\)

  2. B)

    CPA Challenge: Now, \(\mathcal { A}\) sends two keywords/plaintext (\(U_i, W_0, W_1\)) for the target user \(U_i\) on which he wants to be challenged and send it to the \(\mathcal { B}\).

    1. a)

      The challenger \(\mathcal { B}\) randomly selects bit \(b\in \{0,1\}\) and a random string \(l\in \{0,1\}^n\), and compute cipher-text (\(C_i^0,C_i'^0\)) and sends it to \(\mathcal { A}\).

    2. b)

      \(C_i^0=(M*T^{(s*H(\kappa ))}, g^{\Gamma _{\rm do}*s})\) and \(C_i'^0=(M*T^{(s*H(\kappa ))}, g^{\Gamma _{\rm do}*s}, T^{s+s.\Gamma _{\rm do}.\nu .\Gamma _{u}})\) One can notice that the above ciphertext are valid cipher-text and re-encrypted cipher-text for the user \(U_i\), respectively.

  3. C)

    CPA-Query 2: \(\mathcal {A}\) makes oracle queries \(K_R, K_D, R_o, R, ShareRo, ShareR\) queries continuously to \(\mathcal { B}\) same as CPA-Query 1 and CPA challenge.

  4. D)

    CPA Guess: \(\mathcal { A}\) outputs its guess bit b. \(\mathcal { A}\) outputs its guessed bit b which contains the value 0 and 1 such that \(b\in \{0,1\}\) and sent it to \(\mathcal {B}\). Now, \(\mathcal { B}\) checks if \(b=b'\). If yes, then \(\mathcal { B}\) ’wins’ the DBDHI game otherwise ’lose’ the game.

Note that the tuple \((g^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}, g^{{M*T^{(s*H(\kappa ))}}},\) \(e(g,g)^{\frac{M.T^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}{T^{\Gamma _{\rm do}*s*\nu *{H(\kappa )*\Gamma _{u}}}}}=e(g,g)^M\) forms a perfect instance of the DBDHI \((g^\alpha , g^\beta , e(g,g)^{\alpha /\beta })\). So, \(\mathcal { B}\) selects the DBDHI tuples and output 1. Hence, the probability \({Adv_{\mathcal {A}}^{DBDHI}}(\lambda )\) = |Pr[\(\mathcal {B}\) outputs \(e(g,g)^{\alpha /\beta }=1]-\frac{1}{2}| = Pr[b=b'] \ge \epsilon\).

Hence, the above underlying proof contradicts the assumed DBDHI assumption of Sect. 5.3. So, \(Pr|b=b'| < \epsilon\) shows that the ciphertext values are not depend on bit b in terms of adversary point of view. Therefore, the proposed PB-TPRE scheme is semantically IND-CPA secure under the assumed DBDHI assumption.

8 Theoretical Analysis and Comparison

We analyze and compare the PB-TPRE scheme with existing TPRE schemes [15, 16, 20,21,22] based on enumerated properties like semantic (IND-CPA) security, parallel computation, verifiability of final re-encrypted ciphertext, and proactive nature. PB-TPRE scheme transforms the outsourced encrypted data of the data owner into a re-encrypted ciphertext for the user after performing t partial re-encryption concurrently. It, then, combines them without regulating the proxies in any sequence.

The PB-TPRE scheme re-encryption \((R_{{do} \rightarrow u})\) cannot be used as \((R_{u \rightarrow {do}})\) because \(sk_{\rm do}\) used in re-encryption is secure under Discrete Logarithm Problem assumption that means, a user cannot generate \((R_{u \rightarrow {do}})\) without knowing \(sk_{\rm do}\). Hence, PB-TPRE scheme is unidirectional like other existing schemes as the secret keys are unknown to users. The PB-TPRE scheme is uses elliptic curve cryptography to generate public and private keys. The re-encryption key in the PB-TPRE scheme is generated using a public key of the user, and a private key of the data owner. Decryption requires the private key of the user and hash of requested data keyword due to the need of the minimal number of keys in re-encryption key and decryption. This makes our PB-TPRE scheme key optimal. The scheme [20] uses the RSA algorithm to generate the public and private keys. The RSA algorithm requires a large number of bits to provide security than the elliptic curve, and [22] scheme uses the public key of the user and the private key of the data owner, which is generated from the elliptic curve. It also uses a master secret key that contains N number of random keys. Thus, these schemes [20, 22] are not key optimal. In the PB-TPRE scheme, the user and the data owner use the same decryption algorithm because the user cannot identify the difference between original ciphertext and re-encrypted ciphertext generated by proxies. Hence, it follows the property of proxy invisibility.

The computation of the re-encryption key requires the public key of user \(pk_{u}\) and secret key of data owner \(sk_{\rm do}\) instead of the secret key of user \(sk_{\rm u}\). Hence, PB-TPRE scheme is non-interactive. However, in schemes [20, 21], a user needs to interact or maintain a secure channel with the user to get his secret key for the generation of a re-encryption key. This increases the computation overhead, which makes these schemes interactive and inefficient.

Table 2 Comparison of existing schemes
Full size table

In the PB-TPRE scheme, even if all the proxies collude with one other and combine their shares, they will not get the secret key of the data owner. However, they get the re-encryption key that can be used for re-encrypting every outsourced data of the data owner. If proxy and malicious users collude, then, they will know every data of the data owner. The scheme uses the keywords to encrypt the outsourced data, so the user requires his private key and keyword to decrypt the re-encrypted ciphertext. Therefore, the scheme is Collusion-resistant against the Collusion of proxies as well as proxies and malicious users. The scheme in [16] is not Collusion-resistant because proxies will get the secret key of the data owner if they collude with each other and other schemes are also not Collusion resistant against the collusion of proxy with malicious users. Existing schemes [15, 16, 20,21,22] require the central dealer for re-encryption. While, [22] claims that they do not require the central dealer, but they fixed the proxy first and last proxy to receive the final re-encrypted ciphertext and transfer to the user that fixed last proxy behaves like a central dealer. The proposed PB-TPRE and [21, 22] provide semantic (IND-CPA) security i.e., the data plaintext cannot be known to the adversary if he knows the ciphertext.

In PB-TPRE, every proxy in the network computes his partial re-encryption concurrently, which rapidly increases re-encrypted ciphertext computation. In [22] proxies have to compute partial re-encrypted ciphertext one by one without fixed sequence until computation of at least t proxies. Thus, proxies have to perform multiple computations, and they have to wait for computation of other partial re-encrypted ciphertexts. This decreases the availability of proxies. As shown in Table 2, PB-TPRE scheme is non-transitive because proxy cannot compute \(g^\frac{1}{sk{do}}\) or remove the secret key of the user by applying any computation in the re-encryption key. However, in [16] scheme is transitive because after the collusion attack, the secret of the data owner transferred to anyone to decrypt all his outsourced data.

PB-TPRE is non-transferable because user A do not know \(\nu\) due to that user A cannot remove or his decryption key \(sk_{u_A}\) or do other computations on \(R_{do\ \rightarrow \ u_1 }\). User A can add user B decryption rights but user A needs to share his secret key for decryption of data owner’s data which is infeasible. The [20, 21] schemes are transferable because, in [21], if user adds private key of other user C \(sk_{c}\) and subtracts his private key \(sk_{\rm u}\) from re-encryption key, it transfers user re-encryption \((R_{{do} \rightarrow u})\) into the re-encryption key of user C \((R_{{u} \rightarrow c})\). In [20], if user multiplies his private key and public of another user C in re-encryption \((R_{{do} \rightarrow u})\) then the re-encryption generated for user \((R_{{do} \rightarrow u})\) will be transferred into re-encryption of user C \((R_{{u} \rightarrow c})\) that makes both [20, 21] schemes insecure. The final re-encrypted ciphertext will be verified by using the Q parameter that increases the verifiability of the final ciphertext, which gives the valid data after decryption. In existing schemes [15, 16, 20,21,22], if shares are known to adversary or proxy join or leaves the network, then they need to change the secret and repeat the whole process to protect the last secret because they do not provide any security against the leakage of shares. PB-TPRE scheme prevents leakage of secret shares and wormhole attacks without changing the secret and involvement the end-users. The data owner does not need to change the secret while proxies join or leave the network. This reduces the computation overhead of the end-users and increases the durability and security of PB-TPRE scheme.

Table 3 shows the space required by proxies and end-users. We compute the final re-encrypted ciphertext size, re-encryption key size, and storage space required by each proxy. In the proposed PB-TPRE scheme, the share of re-encryption key send to N proxies in the network, and every proxy will compute the partial re-encryption key, so the size of the final re-encrypted ciphertext requires \(n_d|Z_{\rm p}|\) space where \(n_d\) represents the number of times delegations between sender and receiver and \(|Z_{\rm p}|\) represents the size of prime number according to elliptic curves. Every proxy will do single time computation for evaluating the final re-encrypted ciphertext that why space required by each proxy is \(Z_{\rm p}\), but in Pareek et al. [22] scheme, each proxy has to compute t time for evaluating the final re-encrypted ciphertext. The re-encryption key required the sender’s private key and public key of the receiver without any interaction, so it requires the \(|G_1|+|G_2|\) space. In the proposed scheme, the size of the final ciphertext is more diminutive than [22] scheme, but its re-encryption key size is larger than the proposed scheme that trade-off equalize the space complexity of both schemes. As shown in Table 3, the PB-TPRE proxies require less space requirement than other existing schemes.

Table 3 Comparison of PB-TPRE scheme with existing TPRE based on storage capacity
Full size table

Hence, the proposed PB-TPRE scheme satisfies all desirable properties with other performance parameters, and it is better than other existing TPRE schemes mentioned in related work and as shown in Table 2. The space requirement of the PB-TPRE scheme is less than other schemes except Pareek et al. [22] where space requirement is the same as PB-TPRE scheme but PB-TPRE scheme proxies require less storage than them that our scheme is secure, fault-tolerant, efficient, and suitable for a wide range of cloud-based applications.

9 Performance evaluation

In this section, we evaluate the performance of the PB-TPRE scheme and other TPRE schemes. The performance of the PB-TPRE scheme is evaluated by computing the computational cost of its encryption phase (Enc), re-encryption key generation phase (ReKeyGen), partial re-encryption performed by single proxy phase (ReEnc), and decryption done by user (Dec) phase. In the PB-TPRE scheme, proxies perform the parallel computation to compute partial re-encrypted ciphertext using their partial share of re-encryption keys. Table 3 shows the parameters and their computational cost, respectively, used in different phases of the proposed scheme and other existing TPRE schemes. We compute the storage complexity of our proposed scheme. Modular exponentiation, ECC point multiplication and addition, bilinear pairing, hash computations, and inverse takes O(1) cost for single operations. Storage complexity contains auxiliary space and input space. Auxiliary space is additional space required from other computations than phases of schemes which is O(1) due to the generation of random numbers and generators. Input space is the total space consumed by the size of evaluated keys and ciphertexts. Furthermore, we compare the proposed scheme with Chen et al. [15], Song et al. [17], Patil et al. [20], Purushothama et al. [21], and Pareek et al. [22] and discuss how PB-TPRE is more efficient.

9.1 Experimental setup

We use the SageMath tool for evaluating the computational cost of the PB-TPRE scheme. The experiments are performed on Intel(R) Core(TM) i5-3220 CPU @ 3.30 GHz processor with 2GB RAM running on windows 10 enterprise of 64bit OS. Proxies in the network contain high computational power than end-users. The experiment evaluates the computation cost of phases as mentioned above of the PB-TPRE scheme where we consider one sender (data owner) and one receiver (users). The data’s size, which will be encrypted and decrypted, is 20 megabytes (MB). We compute each experiment 40-50 times. After that, the mean (\(\sigma\)) and a standard deviation \((\mu )\) were computed. SageMath tool implements the pairing operations as well as Type-A elliptic curve with 160-bit order. We consider \(N = 50\) proxies and threshold value is \(t = 20\). The value of \(d\ = \ N-t+1\). Table 4 shows the parameters and their time cost, respectively, used in different phases of the proposed scheme and other existing TPRE schemes.

Table 4 Approximate computational cost of operations
Full size table

9.2 Experimented results and discussion

Here, we illustrate the experiment’s outcomes and then critique different algorithms based on defined performance parameters.

9.2.1 Computational cost

We implement the PB-TPRE scheme on the SageMath tool and compute the total time consumed by the parameters used in different phases of the proposed scheme and other existing TPRE schemes, as shown in Table 4.

Table 5 Comparison of PB-TPRE scheme with existing TPRE based on computational cost
Full size table

Table 5 shows the computational cost of PB-TPRE scheme and other existing schemes. The setup and key generation algorithm of PB-TPRE scheme contain prime ordered group \(G_1\) and \(G_2\), and one \(T_e\) operation. Encryption algorithm Enc contains one paring operation, one hashing operation, two multiplication operations and one exponentiation so the overall computation of encryption algorithm is \(T_{\rm p}+ T_h + 2T_m + T_e\). Re-encryption algorithm ReKeyGen contains one inverse operation, one addition operation, and multiplication operations so the overall computation of ReKeyGen algorithm is \(T_i + T_a + T_m\). Re-encryption algorithm ReEnc contains one paring operation, and one exponentiation so the overall computation of ReEnc algorithm is \(T_{\rm p}+T_e\). Decryption algorithm Dec contains one paring operation, one hashing operation, two multiplication operations, and two exponentiation so the overall computation of encryption algorithm is \(2T_m + T_{\rm p} + 2T_e +T_h\). Hence, the overall time consumption of proposed TB-TPRE scheme is \(3T_{\rm p}+ 5T_m+4T_e+2T_h+T_i+T_a\). Based on computation cost ms given in Table 2, PB-TPRE scheme consumes \(18.172\ ms\) for securely sharing \(20\ MB\) data.

Fig. 5
figure 5

Overall computation cost of PB-TPRE with other TPRE scheme

Full size image
Fig. 6
figure 6

Computational cost of final re-encrypted ciphertext

Full size image
Fig. 7
figure 7

Computational cost of re-encryption by proxies with t

Full size image
Fig. 8
figure 8

Computation costs of Encryption, ReKeyGen, Re-Encryption and Decryption algorithms TPRE data sharing schemes

Full size image

The overall computational cost of TPRE schemes are computed by combining of Enc, RekeyGen, RE-Enc and Dec algorithms computational cost. Figure 5 shows that the overall computational cost of PB-TPRE scheme is lower than Chen et al. [15], Song et al. [17], and Pareek et al. [22] but higher than Patil al’s [20], Purushothama et al. [21] where. The Chen et al. [15] and Song et al. [17] schemes contain more pairing, exponential, multiplication, and inverse operations than our scheme that makes our scheme efficient than them. The Pareek et al. [22] scheme contains the same pairing operations as ours, but in his ReEnc, each proxy has to compute d times paring and exponentiation operations due to that each proxy receives more than at least d times computed re-encrypted ciphertext that why Pareek et al. [22] scheme consumes more computational cost than our proposed scheme.

The Patil al’s [20], Purushothama et al. [21] schemes are not satisfied critical properties of the PRE scheme like non-interactive, non-transferable, etc., as discussed above. Hence, these schemes are insecure. The computational cost of these scheme algorithms is less, but due to the addition of other computations in these schemes, which establish secure channel/ interaction for exchanging the secret keys and require additional N to N interaction for exchanging the partially encrypted ciphertext. Therefore, the combination of the computational cost of these schemes and additional computational makes these schemes inefficient. Hence, The proposed PB-TPRE scheme is efficient than these existing schemes.

Figure 6 shows the comparison between the PB-TPRE and other existing schemes based on the generation of final ciphertext computational time with the number of threshold proxies assumed as 30. The existing TPRE computational time of final ciphertext generation is higher than PB-TPRE except [20]. Each proxy generates the partial re-encrypted ciphertext and sends it to the user. User combine the first T threshold partial ciphertext to generate the final ciphertext. Therefore, the final generation of ciphertext depends on the complexity of partial ciphertext. The PB-TPRE scheme uses one pairing operation and one multiplication operation. Therefore, PB-TPRE consumes less computational time than existing TPRE schemes.

Figure 7 shows the comparison between the PB-TPRE and other existing schemes based on increasing proxies’ re-encryption computational time while increasing the number of threshold proxies. The proposed PB-TPRE, Chen et al. [15], Song et al. [17], and Patil al’s [20] schemes will not affect by increasing threshold value but Pareek et al. [22] and Purushothama et al. [21] schemes computational time increases because in these schemes, proxies have to compute partial re-encrypted ciphertext more than one time to generate the final re-encrypted ciphertext. Patil al’s [20] scheme proxies consume less computational time than PB-TPRE, but that scheme uses RSA-based cryptography that is inefficient than elliptic cryptography, and it is insecure due to the interactive and transferable nature of the scheme.

Figure 8a, b, c and d shows the comparison between the PB-TPRE and other existing scheme based on encryption, re-encryption key, re-encryption of data and decryption computational cost, respectively. In Fig. 8a, b and c shows that the PB-TPRE scheme takes less computational cost than other existing scheme. Hence, Proxies and data owner requires less computational power for computation so they can be re-source contained. This makes the proposed scheme lightweight for data owner and proxy. But, in Fig. 8(d), PB-TPRE takes more computational cost in decryption algorithm than [17, 20, 21] and less than [15] and [22]. For user, the PB-TPRE requires the high computational power.

9.2.2 Communication cost

To calculate the communication costs of the PB-TPRE scheme along with other existing schemes, we consider that the identities, random nonce, certificate and hash digest (SHA-256) require 160 bits, 160bits, 160bits and 256 bits respectively. We have taken 160 bit ECC, and an elliptic curve point is defined as \(P=(P_{\rm x}, P_{\rm y})\)=(160 + 160 bits = 320 bits), where Px and Py are the x and y coordinates of the point P. The comparative analysis of the communication cost of the PB-TPRE scheme, along with other analyzed schemes for encryption, re-encryption key and decryption, is shown in Table 6. The communication cost of the PB-TPRE scheme for encryption, re-encryption key and decryption is discussed below: As explained in the encryption phase, a patient outsourced his data \(C_{\rm do} = (C_1,C_2 )\) to cloud. Therefore, it requires a total (160+160+160+160)=640 bits to perform encryption, and the 480 and 800 bits cost is required to perform re-encryption key and decryption respectively. Table 6 shows the comparison with other mentioned schemes with their communication cost. From the analysis of Table 6, it is observed that the communication cost of the PB-TPRE scheme is relatively lesser or similar during encryption, generation of re-encryption key and decryption phases compared to the other analyzed schemes where N is number of proxies.

Table 6 Communication costs
Full size table

The discussion and comparison of results on various parameters explain that the PB-TPRE scheme is efficient than other existing schemes. It satisfies all critical properties of PRE schemes which makes PB-TPRE secure. Proxies have to do the single computation to generate a final re-encrypted ciphertext, so proxies are also available for further computations. The space requirement of the PB-TPRE scheme is less than other schemes except Pareek et al. [22] where space requirement is the same as PB-TPRE scheme but PB-TPRE scheme proxies require less storage than them. These results show that the PB-TPRE scheme is efficient, secure, and suitable for privacy-preserving data sharing in cloud-based data sharing applications like IIoT and healthcare system.

10 Conclusion

In this paper, we designed and implemented a privacy-preserving data sharing with the high access control scheme for outsourced data on the cloud by resource constrained users. We introduced the proactive property with threshold proxy re-encryption, which reduced the possibility of attacks on distributed shares to proxies. The PB-TPRE scheme is Collusion-resistant against the cloud, proxies, and users. The formal security proof and security of the PB-TPRE scheme showed that it is semantically secure against the IND-CPA attacks using the Random oracle model under the DBDHI assumption. Furthermore, we discussed the properties of the PB-TPRE scheme and compared them with existing schemes, and proved that PB-TPRE scheme is non-interactive, non-transitive, fault-tolerant, and secure. We also analyzed the space requirement by proxies and end-users by evaluating the ciphertext size and re-encryption key size and compared existing schemes that showed better space efficiency for end-users and proxies. We evaluated the computational cost of each algorithm of PB-TPRE scheme and compared it with existing TPRE schemes based on the computational cost of encryption, re-encryption key, re-encryption and decryption with respect to the number of users and number of the threshold value of proxies. We found that proxies and data owner required very little computational time to generate re-encryption key and computation of data encryption and re-encryption of ciphertext, and users took moderate time to decrypt the final ciphertext. The PB-TPRE scheme took less overall computation cost as compared existing schemes. Therefore, we can conclude that the PB-TPRE scheme is better in terms of computational cost, security, and efficiency than other existing schemes and is suitable for privacy-preserving data secure data sharing on the cloud. In future, we can use the blockchain to provide interoperability, maintain data integrity and verification. In the blockchain, users and data owners can rate the malicious proxies for their malicious behaviour, which helps to create the quorum in TPRE schemes.