An Improved Proxy Re-Encryption Scheme for IoT-Based Data Outsourcing Services in Clouds

IoT-based data outsourcing services in clouds could be regarded as a new trend in recent years, as they could reduce the hardware and software cost for enterprises and obtain higher flexibility. To securely transfer an encrypted message in the cloud, a so-called proxy re-encryption scheme is a better alternative. In such schemes, a ciphertext designated for a data aggregation is able to be re-encrypted as one designated for another by a semi-trusted proxy without decryption. In this paper, we introduce a secure proxy re-encryption protocol for IoT-based data outsourcing services in clouds. The proposed scheme is provably secure assuming the hardness of the bilinear inverse Diffie–Hellman problem (BIDHP). In particular, our scheme is bidirectional and supports the functionality of multi-hop, which allows an uploaded ciphertext to be transformed into a different one multiple times. The ciphertext length of our method is independent of the number of involved IoT nodes. Specifically, the re-encryption process only takes one exponentiation computation which is around 54 ms when sharing the data with 100 IoT devices. For each IoT node, the decryption process only requires two exponentiation computations. When compared with a related protocol presented by Kim and Lee, the proposed one also exhibits lower computational costs.


Introduction
The research of IoT-based applications [1] has received much attention recently. The concept of IoT-based cloud computing has also revolutionized people's lives. It allows IoT devices to remotely connect to cloud servers for requesting various cloud services. These IoT devices can also upload sensed data to the cloud for sharing, processing, and storing. Using IoT sensor technologies, we can realize the notion of connecting all real world things to the Internet without the intervention of human beings. For example, in supply chain networks, a factory could use Radio Frequency Identification (RFID) tags [2] to calculate the product count and trace the current location of shipped products. According to the definition of the European Telecommunications Standards Institute (ETSI) [3], the structure of IoT can be divided into three layers, including the lower perception layer, the middle network layer, and the upper application layer. The perception layer utilizes the techniques of embedded systems, RFID, and wireless sensor networks (WSNs) to collect data [4]. The network layer is responsible for receiving data of the perception layer and then forwards them to the application layer, which mainly employs all kinds of telecommunication techniques such as Bluetooth, WiFi, WiMax, etc. [5]. The application layer combines received data with practical development techniques to provide integrated IoT services [6]. Generally speaking, there are four communication modes for IoT devices [7]: (i) Device-to-Device Communication: Two or more devices could communicate with each other without relying on middleware servers. These devices can work in various networks such as Bluetooth, Z-Wave, and ZigBee, etc. (ii) Device-to-Cloud Communication: IoT devices could directly connect to cloud service providers for exchanging information and controlling flow messages. Such For facilitating the gradually popular IoT-based data outsourcing services in cloud environments, in this work, the authors propose a new PRE scheme. The proposed scheme could be applied in practical applications such as smart factory management and IoT-based healthcare services, in which a patient sensor could send the encrypted data to a proxy server for sharing with other devices. Some concrete contributions of our mechanism are stated as follows: (i) The proposed PRE scheme is bidirectional and supports the functionality of multi-hop. (ii) Our scheme is provably secure in the random oracle model using the Bilinear Inverse Diffie-Hellman assumption. (iii) The ciphertext size of our scheme is constant, i.e., it is independent of the number of IoT nodes. (iv) The re-encryption process only takes one exponentiation computation.
(v) The proposed PRE scheme earns more computational savings compared with a related work presented by Kim and Lee.
The remaining parts of this work would be arranged as follows. In the next section, we describe essential research backgrounds. Our proposed PRE system is fully presented in Section 3. In Section 4, we discuss its security and demonstrate comparisons with a related method. Lastly, a conclusion is given in Section 5.

Related Works
For sharing private multimedia content in social cloud storage, Wang et al. [13] proposed a non-transferable unidirectional PRE scheme. The non-transferable property of PRE schemes could prevent a malicious proxy from further re-delegating the decryption rights to other users, so as to protect the privacy of the data owner's data.
For secure communication between IoT devices and the gateway, Henriques and Vernekar [14] proposed a hybrid approach by combining symmetric and asymmetric cryptographic techniques. Especially, they utilized random keys generated from system timestamps to deal with the problem of session key distribution of symmetric algorithms. Their mechanism implements the modified Vigenere Cipher and the RSA algorithm.
Considering the functionality of multi-hop, Li et al. [15] introduced a multi-hop homomorphic identity-based PRE mechanism via branching program. Different from most existing PRE protocols that are mainly based on the Diffie-Hellman assumption, their scheme is based on the decisional learning with errors (LWEs) assumption. The construction of their work is modified from a lattice-based identity-based encryption (IBE) scheme. That is to say, they realized the idea of assembling a lattice-based PRE from a lattice-based IBE. Moreover, they also showed that their approach supports homomorphic evaluation.
Thinking of the merits of identity-based algorithms, Wang et al. [12] presented an ID-based PRE scheme (called IBPRE+) for secure cloud data sharing. In their scheme, the data owner could utilize a random number of encryption processes to dynamically control the capability of sharing. In 2016, without utilizing random oracles, Ge et al. [16] presented a key-policy attribute-based PRE scheme whose security relies on the 3-weak decisional bilinear Diffie-Hellman inversion (3-wDBDHI) assumption. Later, Fugkeaw and Sato [17] proposed a lightweight PRE scheme supporting mobile revocation management in cloud computing. Specifically, their mechanism could provide the functionalities of re-encryption key generation, re-encryption key update, and re-encryption key renewal.
In 2017, Chandu et al. [18] designed and implemented a hybrid encryption for ensuring the transmission security of IoT data. They employed the software of Xilinx ISE-Design 14.5 and Xilinx SPARTAN-6 to implement the proposed design. However, their method did not support the functionality of re-encryption.
Some researchers [19,20] further combined PRE mechanisms with the property of keyword search. That is to say, a user can choose a keyword and request its corresponding ciphertext. Liang et al. [21] also combined attribute-based encryption with the PRE scheme.
In 2016, Akhil et al. [22] applied the PRE scheme to QR code security and thus can provide efficient and secure data transmission between the sender and the receiver. In 2018, Zeng and Choo [23] introduced a conditional PRE scheme which could be utilized in secure cloud storage. They also demonstrated that their construction has lower computational costs and smaller ciphertext size. Hussain et al. [24] utilized binary-bit sequence and the XOR operation to design an encryption scheme for IoT communication. In their scheme, the data will be encrypted at multiple stages and the required encryption time is shorter than the traditional RSA system.
In 2019, Krishnamoorthy et al. [25] used near ring to introduce a privacy-preserving PRE scheme for IoT security. They analyzed the security of their scheme under equivalent private key attacks and chosen plaintext attacks. Although they claimed that their scheme allows IoT devices to efficiently store and manage their sensitive data, there is no related performance evaluation or comparisons presented in their work.
In 2020, Fan et al. [26] proposed a key-aggregate PRE with dynamic condition generation by multilinear map. A significant property of their scheme is that the size of public parameters remains small when the number of re-encryption keys becomes large. This allows a data owner to directly share his/her encrypted data on the cloud with the assistance of a proxy. Up to present, many PRE variants [27][28][29][30][31][32][33][34] have been proposed.
When PRE schemes are applied in IoT-based applications such as remote healthcare [35] and smart factory management, computation complexity is the biggest concern. Since previous protocols might not be suitable for IoT-based PRE platforms, in 2018, Kim and Lee [36] proposed a new PRE scheme for guaranteeing IoT device security. They claimed that their scheme could significantly reduce the cost of re-encryption. However, they failed to provide provable security and the overall computation complexity of their mechanism is still too high. Motivated by the above reason, the authors will devote themselves to the design and construction of a more efficient and secure PRE scheme for IoT-based application environments.

Preliminaries
A PRE scheme is one of the public key mechanisms whose security mainly rely on intractable computation problems such as the factorization and discrete logarithm problems. The former uses a composite number as the modulus while the latter employs a prime number as the modulus. In the proposed scheme, we will adopt the bilinear pairing operation from elliptic curves. For facilitating interested readers with better understanding of the proposed work, we first recall the definition of bilinear pairing as follows: Definition of Bilinear Pairing: Let q be a large prime and (G 1 , G 2 ) be two multiplicative groups of the order q. The symbol e: G 1 × G 1 → G 2 is defined as a bilinear map having some properties below: (i) Bilinearity: Given two group elements in G 1 , say g 1 and g 2 , and two integers in Z q , say a and b, the value e(g 1 a , g 2 b ) is equivalent to the value e(g 1 , g 2 ) ab . (ii) Non-degeneracy: There are two group elements in G 1 , say g 1 and g 2 such that e(g 1 , g 2 ) = 1. (iii) Computability: Given two group elements in G 1 , say g 1 and g 2 , there exists an efficient algorithm which could derive the value e(g 1 , g 2 ).
When we design and implement a cryptographic protocol in pairing-based systems, the computational problem such as the bilinear Diffie-Hellman problem or its related variant, i.e., the bilinear inverse Diffie-Hellman problem, is commonly adopted. The two problems are polynomial time reducible, i.e., they are regarded as equivalent. We describe these problems and their corresponding assumptions below: (i) Bilinear Diffie-Hellman Problem (BDHP) Given elements g, g a , g b , g c ∈ G 1 for three positive integers a, b, c ∈ Z q * , the Bilinear Diffie-Hellman problem is to derive the G 2 element e(g, g) abc .

(ii) Assumption of Bilinear Diffie-Hellman (BDH)
The assumption of BDH states that the probability for any probabilistic polynomial time algorithm A to successfully break the BDHP is negligible. (iii) Bilinear Inverse Diffie-Hellman Problem (BIDHP) Given elements g, g a , g b ∈ G 1 for some positive integers a, b ∈ Z q * , the BIDHP is to compute the value e(g, g) a −1 b ∈ G 2 . (iv) Assumption of Bilinear Inverse Diffie-Hellman (BIDH) The assumption of BIDH states that the probability for any probabilistic polynomial time algorithm A to successfully break the BIDHP is negligible.

Proposed PRE Scheme
The idea of the proposed PRE scheme is illustrated as Figure 1, in which an IoT node could share its encrypted data among various devices with the assistance of a proxy server. We present the proposed PRE scheme in detail. The composed algorithms are first defined. Then, a substantial construction is given.

Algorithms
Without loss of generality, we could divide the proposed PRE scheme into six algorithms, i.e., Initialize, KeypairGen, ReEnKGen, Encrypt, ReEncrypt, and Decrypt. The purpose of each algorithm is described as follows: The Initialize(1 k ) algorithm is used for generating system public parameters by inputting a security parameter k. Given a user index i, the KeypairGen(i) algorithm could create a corresponding key pair including a private key and a public one. Additionally, given two private keys, say xi and xj, the ReEnKGen(xi, xj) algorithm computes the corresponding re-encryption key, say rki→j, which transforms a ciphertext originally decrypted by the private key xi into the one decrypted by the private key xj. In the Encrypt(Yi, m) algorithm, given a public key Yi and a message m, the algorithm encrypts m with Yi and returns the final ciphertext. Similarly, in the ReEncrypt(rki→j, δi) algorithm, given a designated re-encryption key rki→j along with a ciphertext, say δi, the algorithm transforms the latter into a new ciphertext δj that is encrypted with the public key Yi by the assistance of the former. Lastly, given a designated private key xj along with a ciphertext δj, the Decrypt(xj, δj) algorithm decrypts δj with xj and then, returns either a decrypted message m or an invalid symbol ⊥.

Construction
According to the above algorithms, we present a substantial formation based on bilinear pairings as follows. Some used parameters are defined as in Table 1. By taking a security parameter k as the input, the Initialize(1 k ) algorithm will determine two multiplicative groups (G1, G2) whose order is a prime number q. The symbol g denotes a generator of G1 and e is the operation of bilinear pairing satisfying that e: G1 ×

Algorithms
Without loss of generality, we could divide the proposed PRE scheme into six algorithms, i.e., Initialize, KeypairGen, ReEnKGen, Encrypt, ReEncrypt, and Decrypt. The purpose of each algorithm is described as follows: The Initialize(1 k ) algorithm is used for generating system public parameters by inputting a security parameter k. Given a user index i, the KeypairGen(i) algorithm could create a corresponding key pair including a private key and a public one. Additionally, given two private keys, say x i and x j , the ReEnKGen(x i , x j ) algorithm computes the corresponding re-encryption key, say rk i→j , which transforms a ciphertext originally decrypted by the private key x i into the one decrypted by the private key x j . In the Encrypt(Y i , m) algorithm, given a public key Y i and a message m, the algorithm encrypts m with Y i and returns the final ciphertext. Similarly, in the ReEncrypt(rk i→j , δ i ) algorithm, given a designated re-encryption key rk i→j along with a ciphertext, say δ i , the algorithm transforms the latter into a new ciphertext δ j that is encrypted with the public key Y i by the assistance of the former. Lastly, given a designated private key x j along with a ciphertext δ j , the Decrypt(x j , δ j ) algorithm decrypts δ j with x j and then, returns either a decrypted message m or an invalid symbol ⊥.

Construction
According to the above algorithms, we present a substantial formation based on bilinear pairings as follows. Some used parameters are defined as in Table 1. By taking a security parameter k as the input, the Initialize(1 k ) algorithm will determine two multiplicative groups (G 1 , G 2 ) whose order is a prime number q. The symbol g denotes a generator of G 1 and e is the operation of bilinear pairing satisfying that e: G 1 × G 1 → G 2 . There are also two secure one-way hash functions, i.e., h 1 : {0, 1} k → {0, 1} k and h 2 : G 2 → Z q * . Finally, the algorithm will publish system parameters params which includes {G 1 , G 2 , e, g, q, h 1 , h 2 }.
Given an arbitrary index i as the input, the KeypairGen(i) algorithm randomly chooses an integer x i ∈ Z q as the private key and then, computes Y i = g x i as the corresponding public key. To generate a re-encryption key, the ReEnKGen(x i , x j ) algorithm first takes the input of two private keys, say x i and x j , and then, computes rk i→j = x j /x i mod q as a re-encryption key for subsequent re-encryption processes.
To produce a ciphertext δ i , the Encrypt(Y i , m) algorithm taking the input of a designated public key Y i and an arbitrary message m, where |m| = k 0 first picks a random number z ∈ {0, 1} k 1 in which k 1 = k − k 0 and then, computes Here, δ i is viewed as the resulted ciphertext composed of a, b, and c. In the reencryption phase, given a ciphertext δ i = (a, b, c) which is encrypted by the public key Y i along with a re-encryption key, say rk i→j , the ReEncrypt(rk i→j , δ i ) algorithm re-encrypts the ciphertext δ i by computing Lastly, the re-encrypted ciphertext is δ j which is composed of a , b, and c. To decrypt a ciphertext δ j = (a , b, c) (which is encrypted by the public key Y j ) and an intended private key x j , the Decrypt(x j , δ j ) algorithm first performs the decryption process by computing and then verifies whether the equality c = g h 1 (m || z) holds. If it does, the algorithm will output m; otherwise, an error symbol ⊥ is returned instead. The correctness of Equation (5) could be easily checked as follows. Derived from Equation (5), we obtain (3) and (4)), which verifies the correctness of Equation (5).

Security Analysis and Performance
To analyze the security of the proposed PRE scheme, a defined security model of confidentiality is first given in Section 4.1 and then, the authors will adopt it to prove the proposed mechanism using the security proof model of random oracles in Section 4.2. Additionally, the performance evaluation will also be conducted in Section 4.3.

Security Model
The crucial security requirement of PRE schemes is confidentiality, i.e., a secure PRE scheme should be able to withstand the attack of adaptively chosen ciphertext (abbreviated as CCA). We state such CCA security model in relation to our proposed PRE scheme as follows: Definition 3. (CCA Security) We say that a PRE scheme is unconditionally secure under CCA provided that there is no probabilistic adversary A who runs in polynomial time and has the non-negligible advantage to win the following simulation game in which an algorithm B behaves as a challenger: Setup: At first, B calls the algorithm of Initialize(1 k ) to create public parameters, say params, which will be forwarded to A.
Phase 1: The adversary A is allowed to adaptively submit the following queries: The first KeypairGen(i) query can be further classified into uncorrupted and corrupted. In the former case, B will return the public key Y i to A by calling the KeypairGen(i) algorithm. In the latter case, B also sends the private key x i to A. In the ReEnKGen(Y i , Y j ) query, B will return a re-encryption key rk i→j to A by calling the ReEnKGen(x i , x j ) algorithm. It is compulsory that the indexes (i, j) should be uncorrupted or corrupted. When A makes the ReEncrypt(Y i , Y j , δ i ) query in which the public keys (Y i , Y j ) are created by previous KeypairGen queries, B would return a re-encrypted ciphertext δ j by calling the ReEncrypt(rk i→j , δ i ) algorithm. Moreover, when A makes the Decrypt(Y j , δ j ) query in which the public key Y j is generated by a previous KeypairGen query, B would return either a message or an error symbol by calling the Decrypt(x j , δ j ) algorithm.
Challenge: The adversary A selects an uncorrupted public key Y* along with two fixed-length messages (m 0 , m 1 ). The challenger B will compute a ciphertext δ* of the message m λ , where λ is randomly picked from {0, 1} and then, send the challenge δ* to A.

Phase 2:
The adversary A could continue to submit queries below: In this phase, the index of any corrupted KeypairGen query could not be the target challenge Y* or any derivative such as Y**. The ReEnKGen(Y i , Y j ) query is the same as Phase 1. Similarly, the ReEncrypt(Y i , Y j , δ i ) query is the same as Phase 1 except that an error symbol might be returned, provided that the public key Y j is corrupted and δ i is one derivative of the target challenge δ*. The Decrypt(Y j , δ j ) query is also the same as Phase 1 except that an error symbol might be returned, provided that δ j is one derivative of the target challenge δ*.
Guess: Lastly, a guessed bit λ will be outputted by the adversary A. We say that A is the winner of the above game as long as λ = λ. Specifically, the advantage of A could be defined as Adv(A) = |Pr[λ = λ] − 1/2|.

Security Analysis
Following the previous security model of CCA, the authors demonstrate that the constructed PRE protocol is secure using the proof model of random oracles.

Theorem 1. (Confidentiality)
In the security proof model of random oracles, the proposed PRE scheme could resist the attacks of the adaptively chosen ciphertext (CCA), provided that there exists no probabilistic adversary running in polynomial time and having the non-negligible advantage to break the intractable BIDHP.
Proof: This proof idea of confidentiality is illustrated in Figure 2. We would complete this security proof by showing that a BIDHP breaker called B could be built by calling a probabilistic PRE adversary A whose running time is polynomial, say t, and has the non-negligible advantage ε to defeat the constructed mechanism under CCA attacks. We define the maximum times of each allowed query that A could make below. The BIDHP breaker B is responsible for answering the queries made by A. Its objective is to compute e(g, g) s −1 t from given input values (g, g s , g t ). Setup: At first, B calls the algorithm of Initialize(1 k ) for creating public parameters params = {G1, G2, e, g, q, h1, h2} and forwards them to A. n h1 : #maximum h 1 hash oracles; n h2 : #maximum h 2 hash oracles; n ckg : #maximum corrupted KeypairGen queries; n ukg : #maximum uncorrupted KeypairGen queries; n rkg : #maximum ReEnKGen queries; n ren : #maximum ReEncrypt queries; n dec : #maximum Decrypt queries. The BIDHP breaker B is responsible for answering the queries made by A. Its objective is to compute e(g, g) s −1 t from given input values (g, g s , g t ).
Setup: At first, B calls the algorithm of Initialize(1 k ) for creating public parameters params = {G 1 , G 2 , e, g, q, h 1 , h 2 } and forwards them to A.
Phase 1: By definition, A is able to adaptively submit the following queries: To answer an h 1 (m || z) hash query, B maintains an h 1 -table storing (m || z, v 1 ), in which m || z is submitted by A and v 1 ∈ {0, 1} k is the return value randomly chosen by B. To answer an h 2 (W) hash query, B maintains an h 2 -table storing (W, v 2 ) in which W is submitted by A and v 2 ∈ Z q * is the return value randomly chosen by B. To answer an uncorrupted KeypairGen(i) query, B maintains a Ukey-table storing (x i , Y i ), in which x i is randomly chosen from Z q and the return value Y i is computed as (g s ) x i . To answer a corrupted KeypairGen(j) query, B maintains a Ckey-table storing the return values (x j , Y j ), in which x j is randomly chosen from Z q and Y j is computed as g xj . To answer an ReEnKGen(Y i , Y j ) query, B first checks if both of (Y i , Y j ) is in either the Ukey-table or the Ckey-table. If it does, the return value rk i→j is computed as x j /x i mod q. To answer a ReEncrypt(Y i , Y j , δ i ) query, B first checks whether both of (Y i , Y j ) is in either the Ukey -table or the Ckey-table. If it does, the returned ciphertext δ j is computed as (a , b, c) in which a = a xj /x i (= e(Y j z , c)). If it does not, B finds out a matched record (m || z, v 1 ) in which c = g v 1 and a = e(Y i z , c) from the h 1 -table and then, the returned partial ciphertext a would be computed as e(Y j z , c). Still, when no such records exist, B would return an error symbol ⊥. Finally, in a Decrypt(Y j , δ j ) query, if Y j is in the Ckey-table, B directly calls the Decrypt(x j , δ j ) algorithm and returns the result. If not, B finds out a matched record (m || z, v 1 ) in which c = g v 1 , a = e(Y j z , c) and b = h 2 (e(g z , c))(m || z) from the h 1 -table and then outputs m. Nevertheless, if there exists no such records, the symbol ⊥ indicating an error would be outputted.
Challenge: The adversary A selects an uncorrupted public key Y* along with two fixed-length messages (m 0 , m 1 ). The challenger B will compute a ciphertext δ* of the message m λ where λ is randomly picked from {0, 1} by the processes below:

3.
Compute a* = e(g x* z* , c*) and let c* be g t , i.e., this parameter t is implicitly set to be the output of h 1 (m λ || z*) and the value b*(m λ || z*) −1 is implicitly defined as the output of 2 (a * (sx * ) −1 ); Here, the challenge ciphertext δ* is composed of (a*, b*, c*). Phase 2: After obtaining the challenge, A could continue submitting queries as described in Definition 3.
Guess: The adversary A returns the output of a bit λ . Output: The BIDHP breaker B computes the answer as W z * −1 , in which W is randomly chosen from the h 2 -table.
Simulation Analysis: According to the above simulation processes, some queries might return false results if the necessary precondition is not fulfilled. To evaluate the advantage of the constructed breaker B, we first define several probability events below.
SIP: the simulation is perfectly finished; ReEnc_Err: an error occurs during a ReEncrypt query; Dec_Err: an error occurs during a Decrypt query; QH: an h 1 (m λ || z*) oracle is queried in phase 2.
An error occurring in either a ReEncrypt or a Decrypt query is mainly due to the fact that no matched records are kept in the h 1 -table-that is, the adversary A has derived/guessed the correct return value with respect to an h 1 hash oracle. The probability of this condition is not greater than 1/2 k . Consequently, we can obtain When the above game is perfectly finished without any error, A has no better advantage in guessing λ. Therefore, it could be deduced that n ren + n dec 2 k When the event QH occurs, it can be learned that the h 2 -table would keep a new record of (W, v 2 ), in which Hence, B could solve the BIDHP by computing W z * −1 . The non-negligible advantage of the BIDHP breaker B could be represented as ε ≥ (2ε − n ren +n dec 2 k )/n h2 and the execution time is bounded by t < t + t b (2n ren + 2n dec + 1), in which t b is the time to carry out a bilinear pairing operation.

Performance Evaluation
In a PRE scheme, the processes of encryption, re-encryption, and decryption are considered as major operations. Hence, we will compare the efficiency of these algorithms in the proposed scheme with a previous work addressed by Kim and Lee [36]. There are two schemes introduced in the literature [36]. One is a data management scheme based on PRE and the other is a data sharing scheme based on attribute PRE. The first mechanism introduced by Kim and Lee is closely related to the proposed scheme, since it also has the properties of multi-hop and constant-size ciphertext. In particular, this scheme is designed for IoT-based environments. To obtain a fair evaluation result, we only take their first scheme as a comparison. Table 2 is the comparison of security and computation complexity. It is evident that the Kim-Lee scheme failed to provide provable security and the cryptographic assumption of their protocol is unknown too. As to the computation complexity, the proposed scheme outperforms theirs by two bilinear pairing operations. In the perspective of amount of data sharing, both schemes could utilize the proxy sever to share data among n IoT nodes, so as to reduce the encryption costs. That is, the amount of sharing for both schemes is O(n) as compared to the traditional way of O(n(n − 1)) without utilizing the proxy server. For simplicity, the authors merely consider the above time-consuming computation, i.e., bilinear pairing and exponentiation. According to the research of Scott et al. [37], the two operations would separately take (2.97, 0.54) milliseconds on an Intel Pentium IV CPU of 3 GHz. Table 3 compares data sharing duration according to number of devices. We calculate the node count from 2 to 50. For instance, when the node count is 50, we could derive that the communication count for the traditional way is 50 * 49 = 2450 while that of the proposed and the Kim-Lee schemes is 50 * 1 = 50. Since the Re-Encrypt computation of the proposed scheme is only T E , which is better than that of Kim-Lee, i.e., T B + 2T E , we hence derive the computation duration with respect to various node counts as shown in Table 3.  Figure 3 shows the comparison of computation duration of 100 IoT nodes. It can be seen that the Kim-Lee scheme would take more time for the entire procedure (which is composed of Encrypt, Re-Encrypt, and Decrypt operations). Although the Encrypt algorithm of both schemes has identical running time, i.e., 756 ms, the Re-Encrypt and Decrypt algorithms of the Kim-Lee scheme obviously take much more time.  For simplicity, the authors merely consider the above time-consuming computation, i.e., bilinear pairing and exponentiation. According to the research of Scott et al. [37], the two operations would separately take (2.97, 0.54) milliseconds on an Intel Pentium IV CPU of 3 GHz. Table 3 compares data sharing duration according to number of devices. We calculate the node count from 2 to 50. For instance, when the node count is 50, we could derive that the communication count for the traditional way is 50 * 49 = 2450 while that of the proposed and the Kim-Lee schemes is 50 * 1 = 50. Since the Re-Encrypt computation of the proposed scheme is only TE, which is better than that of Kim-Lee, i.e., TB + 2TE, we hence derive the computation duration with respect to various node counts as shown in Table 3.  Figure 3 shows the comparison of computation duration of 100 IoT nodes. It can be seen that the Kim-Lee scheme would take more time for the entire procedure (which is composed of Encrypt, Re-Encrypt, and Decrypt operations). Although the Encrypt algorithm of both schemes has identical running time, i.e., 756 ms, the Re-Encrypt and Decrypt algorithms of the Kim-Lee scheme obviously take much more time. In the evaluation of re-encryption duration among 10 to 100 IoT nodes as illustrated in Figure 4, both the Kim-Lee and our scheme will spend more running time when the involved IoT nodes increase. Nevertheless, the re-encryption duration of theirs would grow much faster with the increased number of IoT nodes.  In the evaluation of re-encryption duration among 10 to 100 IoT nodes as illustrated in Figure 4, both the Kim-Lee and our scheme will spend more running time when the involved IoT nodes increase. Nevertheless, the re-encryption duration of theirs would grow much faster with the increased number of IoT nodes. We demonstrate the decryption duration among different number of IoT nodes for the Kim-Lee and the proposed scheme in Figure 5. As shown in this figure, the duration curve of the former has a steeper slope than that of the latter. Take the case of 30 IoT nodes as an example, the proposed method would outperform the Kim-Lee one by 72.9 ms. In particular, the gap of duration dramatically enlarges according to the added IoT node count.

Discussion of Results
In the proposed PRE scheme, we attempt to reduce the computational complexity of designed algorithms. As indicated in Table 2, the total computational cost of our mechanism is 2TB + 6TE. In particular, we optimize the algorithms of ReEncrypt and Decrypt which are both pairing-free. On the contrary, these two algorithms of the Kim-Lee scheme We demonstrate the decryption duration among different number of IoT nodes for the Kim-Lee and the proposed scheme in Figure 5. As shown in this figure, the duration curve of the former has a steeper slope than that of the latter. Take the case of 30 IoT nodes as an example, the proposed method would outperform the Kim-Lee one by 72.9 ms. In particular, the gap of duration dramatically enlarges according to the added IoT node count.  In the evaluation of re-encryption duration among 10 to 100 IoT nodes as illustrated in Figure 4, both the Kim-Lee and our scheme will spend more running time when the involved IoT nodes increase. Nevertheless, the re-encryption duration of theirs would grow much faster with the increased number of IoT nodes. We demonstrate the decryption duration among different number of IoT nodes for the Kim-Lee and the proposed scheme in Figure 5. As shown in this figure, the duration curve of the former has a steeper slope than that of the latter. Take the case of 30 IoT nodes as an example, the proposed method would outperform the Kim-Lee one by 72.9 ms. In particular, the gap of duration dramatically enlarges according to the added IoT node count.

Discussion of Results
In the proposed PRE scheme, we attempt to reduce the computational complexity of designed algorithms. As indicated in Table 2, the total computational cost of our mechanism is 2TB + 6TE. In particular, we optimize the algorithms of ReEncrypt and Decrypt which are both pairing-free. On the contrary, these two algorithms of the Kim-Lee scheme

Discussion of Results
In the proposed PRE scheme, we attempt to reduce the computational complexity of designed algorithms. As indicated in Table 2, the total computational cost of our mechanism is 2T B + 6T E . In particular, we optimize the algorithms of ReEncrypt and Decrypt which are both pairing-free. On the contrary, these two algorithms of the Kim-Lee scheme have to take at least one pairing computation, which will inevitably incur higher computation and communication overheads when a large number of IoT nodes is involved in the system. The simulation results showed in Table 3 clearly reveal that the running time of the Re-Encrypt process alone in the Kim-Lee scheme has been longer than that of the proposed Re-Encrypt and Decrypt processes together. Although the simulated running time (as well as the computational efforts) of the Kim-Lee and the proposed schemes would naturally increase with the deployed number of IoT devices, illustrated in Figures 4 and 5, the growing rate of the running time curve in the proposed system is apparently lower.

Conclusions
To improve the security of gradually popular IoT-based data outsourcing services in clouds, in this paper, we came up with an efficient proxy re-encryption scheme with constant-size ciphertext. In particular, our scheme is bidirectional and supports the functionality of multi-hop, which enables a proxy server to transform the ciphertext multiple times. A significant property of the proposed mechanism is that the re-encryption process only requires one exponentiation computation. Using the cryptographic assumption of intractable BIDHP, the proposed PRE scheme could withstand the adaptive-chosen ciphertext attacks in the security proof model of random oracles. We also demonstrate that our mechanism exhibits better efficiency than a related protocol introduced by Kim and Lee. Specifically, the computation complexity of the proposed method is 2T B + 6T E which takes approximately 918 ms running time when sharing data with 100 IoT devices. The simulation results in Figure 5 also reveal that the decryption duration of our approach only requires 32.4 ms in the communication environment of 30 IoT nodes. The future work will incorporate more superior functionalities (such as hierarchical access control) with existing PRE schemes to fulfill more comprehensive application requirements.