Efficient and HRA Secure Universal Conditional Proxy Re-Encryption for Cloud-Based Data Sharing

Abstract

Cloud computing has become popular in data sharing mainly because it has huge storage capacity and computing power. Securing the privacy of sensitive data for cloud-based data sharing is vital. Currently, there are various conditional proxy re-encryption (UPRE) schemes that have been proposed to resolve the privacy issue. Nevertheless, the existing UPRE schemes cannot allow the proxy (e.g., the cloud server) to transfer the outsourced encrypted data under the data owner’s public key of any homomorphic encryption scheme into the encrypted data under the data user’s public key of a homomorphic encryption scheme (possibly different from the data owner). The transformation of outsourced encrypted data between homomorphic encryption schemes is more suitable for the real data sharing in clouds. Consequently, we present the notion of universal conditional proxy re-encryption (UCPRE) to solve the issue of flexible transformation of outsourced encrypted data between homomorphic encryption schemes in cloud-based data sharing. UCPRE is lightweight in the sense that it only requires the re-encrypted key generation and re-encryption algorithms. We give the definition of UCPRE and prove that it is HRA secure without random oracle. Finally, we show that our UCPRE is efficient and rational compared to other existing CPRE schemes by instantiating our UCPRE.

1. Introduction

Cloud computing has become popular in actual applications mostly because of its massive storage capacity and computing power. Ensuring the privacy of sensitive data is a challenge in cloud computing. Public key encryption (PKE) is worth considering, as this method ensures data privacy. By the method of PKE, the data owner stores the encrypted data in clouds to guarantee the privacy of the data so that he can securely share the data with other users in a cloud environment. Data sharing in clouds is easily achieved by decrypting encrypted data and re-encrypting the data with the data user’s public key. However, the above process is not feasible, because the data owner must keep online to decrypt the encrypted data and re-encrypt the data. Therefore, there is an urgent need to find a practical solution to achieve secure and practical data sharing in clouds without exposing sensitive information.

In prior, proxy re-encryption [1] is a solution for sharing outsourced encrypted data; in this process, the proxy (e.g., cloud server) gets no information about the underlying plaintext. One might think PRE schemes can be a trivial solution to realize data sharing in a cloud environment. However, this solution is inflexible. For example, the data owner Alice encrypted the data $m_1$, $m_2$, and $m_3$ via executing the encryption algorithm of PRE, and stores the cipheretexts ${\mathrm{ct}}_1$, ${\mathrm{ct}}_2$, and ${\mathrm{ct}}_3$ to the cloud server, where $c_i=\mathrm{Enc}(m_i,{\mathrm{sk}}_{Alice})$, $i=1,2,3$. In the process, the proxy has the ability to transfer all outsourced encrypted data ${\mathrm{ct}}_1$, ${\mathrm{ct}}_2$, and ${\mathrm{ct}}_3$ into the encrypted data ${\mathrm{ct}}_1^{\prime }$, ${\mathrm{ct}}_2^{\prime }$, and ${\mathrm{ct}}_3^{\prime }$ for data user Bob even if Alice only wants to share the data $m_1$ and $m_3$ with Bob. Alice may want to share part of the data with Bob in actual applications. The notion of conditional PRE (CPRE) is presented to solve the issue of access control about data delegation. CPRE permits the proxy to convert the ciphertexts holding a condition specified by the data owner Alice into the ciphertexts for Bob. Therefore, the CPRE scheme is a more flexible PRE scheme since it enables fine-grained delegation of decryption rights in practical scenarios.

Although the existing CPRE schemes achieve fine-grained delegation for outsourced encrypted data. However, these schemes are not suitable for real data sharing scenarios. In the actual applications, the data owner has encrypted his all data via a popular homomorphic encryption scheme (e.g., the Elgamal encryption) and stored the encrypted data in the cloud server before deciding to share the data with the data users. When conditional PRE schemes are used in the above case, the data owner needs to download the encrypted data and decrypt the ciphertext using his secret key, and re-encrypt the data using the data users’ public key. In other words, the data owner needs to keep online in actual data sharing. Therefore, the challenge is how to design a mechanism that allows the proxy to transfer the ciphertext under a homomorphic encryption scheme into the ciphertext under a (possibly different) homomorphic encryption scheme.

1.1. Motivation

The existing CPRE schemes can practically address the issues when encryption schemes and proxy re-encryption schemes are used in cloud-based data sharing. Nevertheless, the existing CPRE schemes are not applicable to support an encrypted data switching mechanism that the proxy can convert the ciphertext under a homomorphic encryption scheme into a (possibly different) homomorphic encryption scheme. This encrypted data switching mechanism is more actual situation in cloud-based data sharing because it is a common phenomenon in which the data owner has stored the encrypted data under a homomorphic encryption scheme (e.g., Elgammal encryption) before deciding to share data with someone. Therefore, securing the switching mechanisms between two homomorphic encryption schemes is meaningful in actual cloud-based data sharing.

Recently, Dottling and Nishimaki [2] proposed a universal proxy re-encryption scheme that solves the issue of ciphertext transformation from an encryption scheme to a (different) encryption scheme. However, their work does not support fine-grain access control for the ciphertext. Meanwhile, the computing cost of delegatee is related to the number of multihop. That is, the delegatee needs to undertake an enormous computation cost so that the work does not apply to the cloud-based data sharing when the data user has a weak mobile device. This motivates us to design a new ciphertext switching mechanism that the proxy transfers encrypted data under a homomorphic encryption scheme into encrypted data under a homomorphic encryption scheme effectively. In other words, the data user with weak mobile devices has low computing overhead such that our mechanism is valid to be used for data sharing in clouds. Meanwhile, our mechanism allows the proxy (e.g., the cloud server) to transfer the authorized ciphertext via the re-encrypted key. Thereform, the proxy needs to convert the ciphertext according to the will of the data owner.

Imagine a data owner Alice is under the homomorphic encryption scheme (e.g., Elgammal encryption). It means that he has a pair of keys (${\mathrm{sk}}_{Alice},{\mathrm{pk}}_{Alice}$) from the Elgammal encryption so that he can encrypt his data $m_1,m_2,m_3$ via his public key and store encrypted data ${\mathrm{ct}}_1,{\mathrm{ct}}_2,{\mathrm{ct}}_3$ in the cloud server, where ${\mathrm{ct}}_1=\mathrm{Enc}({\mathrm{pk}}_{Alice},m_1),{\mathrm{ct}}_2=\mathrm{Enc}({\mathrm{pk}}_{Alice},m_2),{\mathrm{ct}}_3=\mathrm{Enc}({\mathrm{pk}}_{Alice},m_3)$. While it is someday, Alice wants to share the data $m_1$ and $m_3$ with his friend Bob. Bob also has a pair of keys (${\mathrm{sk}}_{Bob},{\mathrm{pk}}_{Bob}$) from a homomorphic encryption scheme (e.g., Paillier encryption). Our UCPRE should satisfy the following function: The proxy has the ability to transfer the ciphertexts ${\mathrm{ct}}_1,{\mathrm{ct}}_3$ under the Elgammal encryption into the ciphertexts ${\mathrm{ct}}_1^{\prime },{\mathrm{ct}}_3^{\prime }$ under the Paillier encryption via the re-encryption key. Figure 1 depicts the idea of our UCPRE system for data sharing in clouds. In such a UCPRE system, the data owner Alice needs to generate a re-encryption key for each data that will be shared with Bob. In other words, the proxy can share the authorized data $m_1,m_3$ with Bob via the re-encryption keys ${\mathrm{rk}}_{A\to B,1}$ and ${\mathrm{rk}}_{A\to B,3}$ form Alice, respectively. With the motivation in mind, we present an efficient and secure notion—universal conditional proxy re-encryption (UCPRE).

1.2. Related Work

Blaze et al. [1] proposed the notion of proxy re-encryption to achieve delegation rights from ciphertexts for Alice to ciphertexts for Bob. PRE has many real-world applications, such as outsourcing computation, distributed file storage systems, and secure email forwarding [3,4]. Since the concept of PRE was introduced by Blaze et al. [1], a rich line of works has studied the construction of PRE schemes [2,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21] with kinds of properties to satisfy different application demands. For instance, to integrate PRE into identity-based encryption (IBE) setting, Green and Ateniese [6] defined the notion of identity-based proxy re-encryption (IB-PRE). They also proposed two constructions in the random oracle model where the proxy can transfer ciphertexts from Alice’s identity to Bob’s identity. Later on, a PRE scheme with an anonymous technique designed by Liang et al. [9] has anonymous about the identity information of users and holds multisharing that the proxy can conditionally and securely share multiple times a ciphertext. Recently, Cao et al. [10] proposed a new notion of autonomous path PRE in which the delegator designates a privilege path with his predetermined multiple delegatees from high to low. In the meantime, a collusion-resistant IB-PRE scheme is designed by Paul et al. [11] that satisfies a CCA security based on the random oracle. However, the existing PRE schemes cannot support ciphertext switching between two encryption schemes. To solve this issue, Dottling and Nishimaki [2] present the notion of universal proxy re-encryption that allows the proxy to convert ciphertext into one of the possibly different encryption schemes. However, this scheme exist some disadvantages: first, it is a relaxed case that the delegator needs to execute a modified decryption algorithm to decrypt the ciphertext; second, the computing costs of the delegatee increase with the number of delegations.

Another interesting research is conditional proxy re-encryption (CPRE) which was introduced by Weng et al. [22]. CPRE is a variant of PRE, enabling the delegator to enforce fine-grained delegation of decryption rights. Later, Weng et al. [23] proposed a new CPRE scheme by reformalizing the definitions and security concepts. Subsequently, lots of CPRE schemes [24,25,26,27,28] have been proposed to improve efficiency and security. For instance, Liang et al. [26] proposed a conditional proxy re-encryption scheme based on hierarchical identity-based encryption that is efficient and achieves CCA security. Lately, an identity-based CPRE scheme with a revocable feature for secure cloud data sharing was presented by Yao et al. [27]. In the meantime, Paul et al. [28] presented an efficient CPRE scheme in which there are no pairing operations. Unfortunately, none of these works addressed the ciphertext switching issue.

1.3. Our Contributions

In this paper, we adopted the ciphertext switching mechanism between (possibly different) encryption schemes proposed for PRE [2] to add the feature of ciphertext switching for conditional PRE. Although the approach sounds straightforward, there are technical difficulties to apply ciphertext switching notion to conditional PRE because we found that the method of work in [2] cannot realize the fine-grained access control for data delegation. Meanwhile, the design of UPRE in [2] is a relaxed sense that the delegator needs to decrypt the ciphertext by the modified decryption algorithm. In this process, the delegatee in work [2] needs to undertake amounts of computing costs to recover the plaintext such that it is not applied to the cloud users with weak mobile devices. Therefore, this paper introduces a novel notion-universal conditional proxy re-encryption (UCPRE) with ciphertext switching from a homomorphic encryption scheme to a (possibly different) homomorphic encryption scheme. In our UCPRE, we achieve the fine-grained access control for the encrypted message. That is, the proxy cannot transfer the unauthorized encrypted data of the data owner by the re-encryption key. The method of our UCPRE allows the delegatee to perform the original decryption algorithm instead of the modified decryption algorithm. We also give the definition of security for our UCPRE and prove its HRA secure. Finally, the evaluation shows that our UCPRE is lightweight in terms of computing cost for each algorithm.

2. Preliminaries

This section reviews some useful definitions and operations used in the rest of the paper.

2.1. Homomorphic Encryption Schemes

We will define universal conditional proxy re-encryption (UCPRE) in Section 3. Our UCPRE allows the proxy to transfer the ciphertext of the delegator under an encryption scheme ${\mathsf{\Pi }}_f$ into the ciphertext of the delegatee under a (possibly different) encryption scheme ${\mathsf{\Pi }}_t$. In the system, the schemes ${\mathsf{\Pi }}_f$ and ${\mathsf{\Pi }}_t$ are additively homomorphic encryption ${\mathsf{\Pi }}_{+}$ or multiplicatively homomorphic encryption ${\mathsf{\Pi }}_{\times }$, respectively.

Definition 1

(Additively homomorphic encryption (AHE) [29]). We say that the encryption scheme ${\mathsf{\Pi }}_{+}=\left(\mathrm{Setup},\mathrm{KeyGen},\mathrm{Enc},\mathrm{Dec},{\mathrm{Hom}}_{+},\mathrm{ScalMul}\right)$ over the message space $\mathcal{M}$ is additively homomorphic if Setup, KeyGen, Enc, Dec, ${\mathrm{Hom}}_{+}$, and ScalMul are the following probabilistic polynomial time $\mathcal{PPT}$ algorithms:

• $\mathrm{Setup}\left(1^{\lambda }\right)\to \left(\mathrm{Par}\right)$: It inputs a security parameter $1^{\lambda }$ and outputs the public parameter Par. For simplicity, Par is omitted from the input of algorithms.
• $\mathrm{KeyGen}\left(1^{\lambda }\right)\to \left(\mathrm{sk},\mathrm{pk}\right)$: It inputs a security parameter $1^{\lambda }$ and outputs the secret key sk and the public key pk.
• $\mathrm{Enc}\left(\mathrm{pk},m\right)\to \left(\mathrm{ct}\right)$: It inputs the public key $\mathrm{pk}$ and a message $m\in \mathcal{M}$ and outputs a ciphertext ct.
• $\mathrm{Dec}\left(\mathrm{sk},\mathrm{ct}\right)\to \left(m\right)$: It inputs a secret key sk and a ciphertext ct and outputs a message $m\in \mathcal{M}$ or a symbol ⊥.
• ${\mathrm{Hom}}_{+}\left(\mathrm{pk},\mathrm{ct},{\mathrm{ct}}^{\prime }\right)\to \left({\mathrm{ct}}^{″}\right)$: It inputs a public key pk and the ciphertext ct encrypting m and the ciphertext ${\mathrm{ct}}^{\prime }$ encrypting $m^{\prime }$ and outputs a ciphertext ${\mathrm{ct}}^{″}$ so that ${\mathsf{\Pi }}_{+}$.Dec $\left(\mathrm{sk},{\mathrm{ct}}^{″}\right)=m+m^{\prime }\in \mathcal{M}$.
• $\mathrm{ScalMul}\left(\mathrm{pk},\mathrm{ct},\alpha \right)\to \left({\mathrm{ct}}^{\prime }\right)$: It inputs a public key pk, a ciphertext ct encrypting m and a plaintext $\alpha \in \mathcal{M}$ and outputs a ciphertext ${\mathrm{ct}}^{\prime }$ such that ${\mathsf{\Pi }}_{+}$.Dec $\left(\mathrm{sk},{\mathrm{ct}}^{\prime }\right)=\alpha \times m\in \mathcal{M}$.

Definition 2

(Multiplicatively homomorphic encryption (MHE) [29]). We say that the scheme.${\mathsf{\Pi }}_{\times }=\left(\mathrm{Setup},\mathrm{KeyGen},\mathrm{Enc},\mathrm{Dec},{\mathrm{Hom}}_{\times },\mathrm{ScalMul}\right)$ over the message space $\mathcal{M}$ is multiplicatively homomorphic if Setup, KeyGen, Enc, Dec, ${\mathrm{Hom}}_{\times }$, and ScalMul are the following $\mathcal{PPT}$ algorithms:

• Setup, KeyGen, Enc and Dec algorithms are the same as the Definition 1.
• ${\mathrm{Hom}}_{\times }\left(\mathrm{pk},\mathrm{ct},{\mathrm{ct}}^{\prime }\right)\to \left({\mathrm{ct}}^{″}\right)$: It inputs a public key pk and the ciphertext ct encrypting m and the ciphertext ${\mathrm{ct}}^{\prime }$ encrypting $m^{\prime }$ and outputs a ciphertext ${\mathrm{ct}}^{″}$ such that ${\mathsf{\Pi }}_{\times }$.Dec $\left(\mathrm{sk},{\mathrm{ct}}^{″}\right)=m\times m^{\prime }\in \mathcal{M}$.
• $\mathrm{ScalMul}\left(\mathrm{pk},\mathrm{ct},\alpha \right)\to \left({\mathrm{ct}}^{\prime }\right)$: It inputs a public key $\mathrm{pk}$, a ciphertext c encrypting m and a plaintext $\alpha \in \mathcal{M}$ and outputs a ciphertext ${\mathrm{ct}}^{\prime }$ such that ${\mathsf{\Pi }}_{\times }$.Dec $\left(\mathrm{sk},{\mathrm{ct}}^{\prime }\right)=\alpha \times m\in \mathcal{M}$.

Note that the above encryption schemes need to satisfy the correctness in the usual situation. In addition, we require that the schemes are indistinguishable security under the standard model of the chosen-plaintext attack (IND-CPA). The reader refers to the work [30] for more details about the standard model definition of IND-CPA.

2.2. Hidden Secret Decryption

The encryption schemes used in the UCPRE have a vital character that supports hidden secret decryption. Hidden secret decryption means that these encryption schemes are provided with a algorithm Hidden Secret denoted by $\left(\mathrm{hsk}\right)\leftarrow \mathbf{HiddenSecret}\left(\mathrm{sk},\mathrm{ct}\right)$, which works as follows: it inputs a secret key sk and the ciphertext ct encrypting m, and outputs a hidden secret hsk, such that the semitrusted third party (e.g., cloud server) with the hidden secret key hsk can decrypt the ciphertext ct encrypting the message m. In other words, these schemes exist an algorithm Combine denoted by $\left(m,\perp \right)\leftarrow \mathbf{Combine}\left(\mathrm{hsk},\mathrm{ct}\right)$ if they are equipped with the algorithm Hidden Secret. The algorithm Combine works as follows: it inputs the hidden secret hsk and the ciphertext ct, and outputs the message m or a symbol ⊥. In our UCPRE, we can take the hidden secret as a condition. When the semitrusted third party holds the condition hsk about the message m, it means that the semitrusted third party can decrypt the ciphertext ct encrypting m without obtaining information about another message $m^{\prime }$ encrypted by the secret key sk. In UCPRE, the delegator performs the algorithm HiddenSecert to set the hidden secret key hsk and shares it with the proxy so that the proxy decrypts the ciphertext ${\mathrm{ct}}^{\prime }$ encrypting $mR$ by executing the algorithm Combine. This is because, in our context, the proxy does not decrypt the plaintext because it is disguised by a random element. Encryption schemes such as Elgamal [31], the extension of Elgamal [32] or RSA [33], satisfy all these properties.

The Elgamal Encryption. The Elgamal encryption [31] is homomorphic encryption scheme that is practical and universal in actual applications. In Section 5, we will employ an additive variation of the Elgamal for small domains plaintext space. Here we show the implementation of this scheme. By executing the algorithm Setup $\left(1^{\lambda }\right)$ to generate the public parameter $\mathrm{Par}=\left(\mathbb{G},p,g\right)$, where a generator g of multiplicative cyclic group $\mathbb{G}$ of prime order p. We randomly select $s\in {\mathbb{Z}}_p^{*}$ and compute $g^s$, and then set the secret key $\mathrm{sk}=s$ and the public key $\mathrm{pk}=g^s$. Encryption is executed by selecting $r\leftarrow {\mathbb{Z}}_p^{*}$ and setting $\mathrm{ct}=\left(\alpha ,\beta \right)$, where $\alpha =g^r$ and $\beta =h^r·g^m$. Decryption of a ciphertext $\mathrm{ct}=\left(\alpha ,\beta \right)$ is performed by computing $g^m=\beta /{\alpha }^s$. Then, the message m is retrieved through running an exhaustive search.

The Elgamal PKE with Hidden Secret Decryption. Setup, KeyGen, and Enc algorithms are the same as the above description of the Elgamal encryption. In our system, the user generates the hidden secret $\mathrm{hsk}={\alpha }^s$ by the algorithm SecretHidden $\left(\mathrm{pk},\mathrm{sk},\mathrm{ct}\right)$ and sends it to the semitrusted third party. Finally, decryption of a ciphertext $\mathrm{ct}=\left(\alpha ,\beta \right)$ is executed by computing $g^m=\beta /\mathrm{hsk}$. Then, the message m is retrieved through running an exhaustive search.

The BBS Encryption. The BBS encryption [32] is multiplicatively homomorphic encryption that can be viewed as an extension of the Elgamal encryption. In Section 5, we will instantiate our generic construction UCPRE by transferring the ciphertext under the Elgamal encryption scheme into the ciphertext under the BBS encryption scheme. Here we show the implementation of this scheme. By performing the algorithm Setup $\left(1^{\lambda }\right)$ to generate the public parameter $\mathrm{Par}=\left(\mathbb{G},p,g\right)$, where a generator g of a multiplicative cyclic group $\mathbb{G}$ of prime order p. To set the secret key $sk$ and the public key $pk$, we chose random $x,y\leftarrow {\mathbb{Z}}_p^{*}$ and compute $f=g^x$ and $h=g^y$, and then set $\mathrm{sk}=(x,y)$ and $\mathrm{pk}=(f,h)$. To encrypt a message $m\in \mathcal{M}$, we select $r,s\leftarrow {\mathbb{Z}}_p^{*}$ and set the ciphertext to be $\mathrm{ct}=(u,v,w)=\left(f^r,h^s,g^{r+s}·m\right)$. Decryption is executed by computing $m=w/u^{x^{-1}}{v}^{y^{-1}}$.

The BBS Encryption with Hidden Secret Decryption. Setup, KeyGen, and Enc algorithms are the same as the above description of the BBS encryption. Then, the user generates the hidden secret $\mathrm{hsk}=u^{x^{-1}}{v}^{y^{-1}}$ by the algorithm SecretHidden $\left(\mathrm{sk},\mathrm{ct}\right)$ and sends it to the third party. Finally, decryption of the ciphertext $\mathrm{ct}=\langle u,v,w\rangle$ is performed by computing $m=w/u^{x^{-1}}{v}^{y^{-1}}$.

The RSA Encryption. The RSA encryption [33] is a multiplicative homomorphic encryption scheme. In Section 5, we will instantiate our generic construction UCPRE between RSA encryption schemes. Here we show the implementation of this scheme. By executing the algorithm KeyGen $\left(1^{\lambda }\right)$ to generate the public key $pk$ and the secret key $sk$, we firstly choose two big prime $p,q$ and set $n=p·q$, and compute $\phi \left(n\right)=(p-1)·(q-1)$. Next, we choose a random e, and generate d, where $1<e<\phi \left(n\right)$ and $de\mathrm{mod}\phi \left(n\right)=1$. Finally, we set the public key $pk=(e,n)$ and the secret key $sk=(d,n)$. Encryption is executed by setting the ciphertext $\mathrm{ct}=m^e\mathrm{mod}n$. Decryption of a ciphertext ct is performed by computing $m={\left(ct\right)}^d\mathrm{mod}n$.

The RSA PKE with Hidden Secret Decryption. Key generation, and encrytion algorithms are the same as the above description of the RSA encryption. In our system, the user generates the hidden secret $\mathrm{hsk}={\left(ct\right)}^{e^{-1}d}=m^d\mathrm{mod}n$ by performing the algorithm SecretHidden $\left(\mathrm{pk},\mathrm{sk},\mathrm{ct}\right)$ and sends it to the semitrusted third party secretly. Finally, decryption of a ciphertext ct is executed by computing $m={\left(\mathrm{hsk}\right)}^e=m^{de}\mathrm{mod}n$.

3. Definition of Universal Conditional Proxy Re-Encryption

A UCPRE system includes three types of entities: the delegator, the proxy, and the delegatee. Our UCPRE allows the proxy to transfer the ciphertext of the public key (delegator) under a homomorphic encryption scheme ${\mathsf{\Pi }}_f$ into the ciphertext of the public key (delegatee) under a homomorphic encryption scheme ${\mathsf{\Pi }}_t$ that may be different from the scheme ${\mathsf{\Pi }}_f$. A UCPRE scheme does not need to set setup, key generation, and decryption algorithms. That is, it generates the public parameter, key pairs, and decrypt the ciphertext by executing the existing schemes ${\mathsf{\Pi }}_f$ and ${\mathsf{\Pi }}_t$. Therefore, UCPRE can be seen as a general construction of conditional proxy re-encryption. We give the definitions of syntax, correctness, and HAR security according to the works [2,34] (note that the notation and presentation have minor changes).

Notations. In our system, we denote separately delegator and delegatee key pairs by $({\mathrm{pk}}_f,{\mathrm{sk}}_f)$ and $\left({\mathrm{pk}}_t,{\mathrm{sk}}_t\right)$ $(f$ and t mean “from” and “to”, respectively) if we emphasize which user is a delegator or delegatee. When we write $\left({\mathrm{pk}}_i,{\mathrm{sk}}_i\right)\leftarrow {\mathsf{\Pi }}_i.\mathrm{KeyGen}\left(1^{\lambda }\right)$, it mean that a key pair is generated by the key generation algorithm KeyGen of the scheme ${\mathsf{\Pi }}_i$, where $i\in \left\{f,t\right\}$. When we write ${\mathbf{ct}}_f^m\leftarrow {\mathsf{\Pi }}_f·\mathrm{Enc}({\mathrm{pk}}_f,m)$, it mean that the ciphertext ${\mathbf{ct}}_f^m$ encrypting m is generated by the key encryption algorithm Enc of the scheme ${\mathsf{\Pi }}_f$. When algorithm of UCPRE take as an input ${\mathsf{\Pi }}_f$ (or ${\mathsf{\Pi }}_f$), we interpret it as a description of algorithms (rather than circuits or Turing machines).

3.1. Unidirectional and Multihop UCPRE

Definition 3

(UCPRE for Any Homomorphic Encryption: Syntax). A universal conditional proxy re-encryption scheme consists of two PPT lgorithms ReKeyGen and ReEnc shown as follows:

• ReKeyGen $\left(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathit{sk}}_f,{\mathit{pk}}_f,{\mathit{pk}}_t,{\mathit{ct}}_f^m\right)\to \left({\mathit{rk}}_{f\to t}\right)$: It inputs the security parameter $1^{\lambda }$, a pair of homomorphic encryption schemes $({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t)$, a secret key ${\mathit{sk}}_f$ and a public key ${\mathit{pk}}_f$ of ${\mathsf{\Pi }}_f$, a public key ${\mathit{pk}}_t$ of ${\mathsf{\Pi }}_t$, and and a ciphertext ${\mathit{ct}}_f^m$ under ${\mathit{pk}}_f$ of ${\mathsf{\Pi }}_f$ and outputs a re-encryption key ${\mathit{rk}}_{f\to t}$.
• $\mathrm{ReEnc}({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathit{pk}}_t,{\mathit{rk}}_{f\to t})\to \left(\mathrm{rct}\right)$: It inputs a pair of homomorphic encryption schemes $({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t)$, a public key ${\mathit{pk}}_t$ of ${\mathsf{\Pi }}_t$, a re-encryption key ${\mathit{rk}}_{f\to t}$, and outputs a re-encrypted ciphertextrct(note that the re-encrypted ciphertext rct be equal to the ciphertext ${\mathit{ct}}_t$ under ${\mathit{pk}}_t$ of ${\mathsf{\Pi }}_t$.

Definition 4

(UCPRE for Any Homomorphic Encryption: Correctness). A UCPRE scheme for any homomorphic encryption is correct if for all pairs of homomorphic encryption schemes $({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t),({\mathit{pk}}_f,{\mathit{sk}}_f)\leftarrow {\mathsf{\Pi }}_f.\mathrm{KeyGen}\left(1^{\lambda }\right),\left({\mathit{pk}}_t,{\mathit{sk}}_t\right)\leftarrow {\mathsf{\Pi }}_t.{\mathrm{KeyGen}}_t\left(1^{\lambda }\right),m\in {\mathcal{M}}_f\cap {\mathcal{M}}_t$, ${\mathit{ct}}_f^m\leftarrow {\mathsf{\Pi }}_f·\mathrm{Enc}\left({\mathrm{pk}}_f,m\right)$, it holds that

$$\mathrm{Pr}\left[{\mathsf{\Pi }}_t.\mathrm{Dec}\left({\mathrm{sk}}_t,\mathrm{ReEnc}\left({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathit{pk}}_t,{\mathit{rk}}_{f\to t}\right)\right)=m\right]=1,$$

where ${\mathit{rk}}_{f\to t}\leftarrow \mathrm{ReKeyGen}\left(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathit{sk}}_f,{\mathit{pk}}_f,{\mathit{pk}}_t,{\mathit{ct}}_f^m\right)$.

Security. In our UCPRE, we present the indistinguishable secure under honest re-encryption attacks (IND-HRA). This IND-HRA secure for UPRE is based on security against honest re-encryption attacks (HRA) of PRE proposed by Cohen [34]. Cohen observes that IND-CPA secure for PRE is not sufficient in actual applications. Therefore, we define IND-HRA secure for our UCPRE.

Definition 5

(UCPRE for Homomorphic Encryption: IND-HRA Secure). We define an indistinguishable experiment including three phases. The adversary $\mathcal{A}$ is interactive with the challenger $\mathcal{C}$ in the following indistinguishable experiment.

• Setup Phase 1: In this phase, the challenger $\mathcal{C}$ generates all security parameters.

  –

  $\mathcal{C}$ initializes a counternumkeys:=0, an honest indices setHon:=∅, and a corrupted indices setCor:=∅, a counter $\mathit{numCt}$:=0, a key-value storeCt:= ∅, and a setDeriv:= ∅.

  –

  For an honest key generation query i, $\mathcal{C}$ sets a new pair of keys (${\mathrm{pk}}_i,{\mathrm{sk}}_i)\leftarrow {\mathsf{\Pi }}_i.$$\mathrm{KeyGen}\left(1^{\lambda }\right)$ and shares (${\mathsf{\Pi }}_i$, ${\mathrm{pk}}_i$) to $\mathcal{A}$. Moreover, the challenger needs to setHon:=Hon∪ i andnumkeys:=numkeys+1.

  –

  For an corrupted key generation query i, $\mathcal{C}$ sets a new pair of keys (${\mathrm{pk}}_i,{\mathrm{sk}}_i)\leftarrow {\mathsf{\Pi }}_i.\mathrm{KeyGen}\left(1^{\lambda }\right)$ and shares (${\mathsf{\Pi }}_i$, ${\mathrm{sk}}_i$${\mathrm{pk}}_i$) to $\mathcal{A}$. Moreover, the challenger needs to setCor:=Cor∪ i andnumkeys:=numkeys+1.

• Oracle Query Phase 2: In this phase, $\mathcal{A}$ makes the following queries.

  –

  Encryption Oracle ${\mathcal{O}}_{\mathit{Enc}}$: For a query on $(i,\mathbf{m})$, where $i\le$ numKeys, the challenger $\mathcal{C}$ computes the ciphertext $\mathrm{ct}\leftarrow {\mathsf{\Pi }}_i.\mathrm{Enc}(\mathrm{pk},\mathbf{m})$ and setsnumCt:=numCt+1. Then, $\mathcal{C}$ stores the value ct inCtwith key $\left(i,\mathrm{numCt}\right)$ and return (numCt, ct).

  –

  Re-encryption Key Generation Oracle ${\mathcal{O}}_{\mathrm{ReKeyGen}:}$ For a query on $(i,j)$, where $i,j\le$ numKeys, $\mathcal{C}$ outputs ⊥, if $i=j$ or $i\in$ Hon and $j\in$ Cor. Otherwise, the challenger $\mathcal{C}$ returns the re-encryption key ${\mathrm{rk}}_{i\to j}\leftarrow$$\mathrm{ReKeyGen}\left(1^{\lambda },{\mathsf{\Pi }}_i,{\mathsf{\Pi }}_j,{\mathrm{sk}}_i,{\mathrm{pk}}_j\right)$.

  –

  Challenge Oracle: For a query on $\left(i,{\mathbf{m}}_0,{\mathbf{m}}_1\right)$, where $i\in$ Hon and ${\mathbf{m}}_0,{\mathbf{m}}_1\in \mathcal{M}$, the challeger $\mathcal{C}$ randomly chooses a bit b from $\left\{0,1\right\}$ and sets the challenge ciphertext ${\mathrm{ct}}^{*}\leftarrow {\mathsf{\Pi }}_i.\mathrm{Enc}\left({\mathrm{pk}}_i,{\mathbf{m}}_b\right)$. Meanwhile, $\mathcal{C}$ setsnumCt:=numCt+1 and addsnumCtto the setDeriv, and stores the value ${\mathrm{ct}}^{*}$ inCtwith key $\left(i,\mathrm{numCt}\right)$ and return (numCt, $\left.{\mathrm{ct}}^{*}\right)$. We just do challenge query once.

• Decision Phase 3: In this phase, A outputs a bit $b^{\prime }\in \{0,1\}$, return win if $b=b^{\prime }$. The advantage of $\mathcal{A}$ is defined as

  $${\mathrm{Adv}}_{\mathrm{hra}}^{\mathcal{A}}\left(\lambda \right)=\mathrm{Pr}\left[\mathit{win}\right],$$
  We say that our UCPRE is HRA secure if for any PPT adversary, it holds that

  $${\mathrm{Adv}}_{\mathrm{hra}}^{\mathcal{A}}\left(\lambda \right)<\frac{1}{2}+\mathrm{negl}\left(\lambda \right).$$

3.2. Re-Encryption Simulatability

Definition 6

(Re-encryption Simulatability [34]). A conditional PRE scheme is re-encryption simulatable if there exists a PPT algorithm ReEncSim with high probability over aux, for all $m\in \mathcal{M}$:

$$(\mathrm{ReEncSim}(\left(\mathrm{aux}\right),\mathrm{aux}){\approx }_s\left(\mathrm{ReEnc}\left({\mathrm{rk}}_{i\to j},{\mathrm{ct}}_i\right),\mathrm{aux}\right)$$

where notation ${\approx }_s$ denotes statistical indistinguishability, and the values ${\mathrm{ct}}_i^m$ and $\mathrm{aux}$ are shown as follows:

$$\begin{array}{cc}& \mathrm{Par}\leftarrow \mathrm{Setup}\left(1^{\lambda }\right),\left({\mathrm{pk}}_i,{\mathrm{sk}}_i\right)\leftarrow {\mathsf{\Pi }}_i.\mathrm{KeyGen}\left(1^{\lambda }\right),\hfill \\ & \left({\mathrm{pk}}_j,{\mathrm{sk}}_j\right)\leftarrow {\mathsf{\Pi }}_j.\mathrm{KeyGen}\left(\mathrm{Par}\right),{\mathrm{rk}}_{i\to j}\leftarrow \mathrm{ReKeyGen}\left(1^{\lambda },{\mathsf{\Pi }}_i,{\mathsf{\Pi }}_j,{\mathrm{sk}}_i,{\mathrm{pk}}_j\right),\hfill \\ & {\mathrm{ct}}_i^m\leftarrow {\mathsf{\Pi }}_i.\mathrm{Enc}\left({\mathrm{pk}}_i,m\right),\mathrm{aux}=\left(\mathrm{Par},{\mathrm{pk}}_i,{\mathrm{pk}}_j,{\mathrm{sk}}_j,{\mathrm{ct}}_i,m\right).\hfill \end{array}$$

When $\mathrm{Re}\mathrm{ncSim}\left(\mathrm{aux}\right)=\mathrm{Enc}\left({\mathrm{pk}}_j,m\right)$, it is special case. In other words, the scheme is re-encryption simulatable when the distribution of re-encryption ciphertexts likes the distribution of fresh ciphertexts.

Theorem 1.

If conditional PRE scheme is a CPA secure and re-encryption simulatable, then conditional PRE is HRA secure [34].

4. Generic Construction for UCPREA

In this section, we present our generic construction for UCPRE. Our UCPRE means that we adopted the ciphertext switching mechanism between (possibly different) encryption schemes proposed for PRE [2] to add the feature of ciphertext switching for conditional PRE. Meanwhile, our UCPRE is lightweight for the delegator and the delegatee. We also give the security proof of the UCPRE in this section.

4.1. Technical Overview

In this section, we provide a high-level overview of the techniques of our UCPRE system. To reach the ciphertext transformation mechanism between two (possibly different) homomorphic encryption schemes. A critical character of the encryption schemes used in the UCPRE is the fact that these schemes support the function of hidden secret decryption. In other words, these schemes are equipped with an algorithm HiddenSecret that is run by a delegator, which works as follows: it inputs his secret key ${\mathrm{sk}}_f$ and the ciphertext ${\mathrm{ct}}_f^{mR}$ encrypting the message $mR$ and outputs a hidden secret ${\mathrm{hsk}}_f$. After obtaining the hidden secret ${\mathrm{sk}}_f$, the proxy can perform the algorithm Combine that takes as inputs the hidden secret ${\mathrm{hsk}}_f$ and the ciphertext ${\mathrm{ct}}_f^{mR}$, and outputs the message $mR$. The proxy receives no information about the plaintext m because the plaintexts are masked by a random element in our context. Finally, the proxy performs the algorithm ScalMul that inputs the ciphertext ${\mathrm{ct}}_t^{R^{-1}}$ encrypting the message $R^{-1}$ and $mR$ to generate the re-encryption ciphertext rct, where we have $\mathrm{rct}={\mathrm{ct}}_{\mathrm{t}}^{\mathrm{m}}$.

4.2. Generic Construction

Our UCPRE supports the proxy to convert the ciphertext of the delegator under an encryption scheme ${\mathsf{\Pi }}_f$ into the ciphertext of the delegatee under a (possibly different) encryption scheme ${\mathsf{\Pi }}_t$. These schemes ${\mathsf{\Pi }}_f$ and ${\mathsf{\Pi }}_t$ are Additive homomorphism encryption scheme ${\mathsf{\Pi }}_{+}$ or Multiplicative homomorphic encryption scheme ${\mathsf{\Pi }}_{\times }$, respectively. Our generic construction for UCPRE consists of the algorithms ReKeyGen and ReEnc shown as follows:

• ReKeyGen $\left(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathrm{pk}}_t,{\mathrm{pk}}_f,{\mathrm{sk}}_f,{\mathrm{ct}}_f^m\right)\to {\mathrm{rk}}_{f\to t}$: The delegator performs the algorithm ReKeyGen to set the re-encryption key ${\mathrm{rk}}_{f\to t}$. In the process, the delegator firstly runs the algorithm ${\mathsf{\Pi }}_f.\mathrm{ScalMul}$ to generate ciphertext ${\mathrm{ct}}_f^{mR}$ about message $mR$. Second, the delegator runs the algorithm ${\mathsf{\Pi }}_t.\mathrm{Enc}$ to generate ciphertext ${\mathrm{ct}}_f^{R^{-1}}$ about message $R^{-1}$. Third, the delegator executes the algorithm ${\mathsf{\Pi }}_f.\mathrm{HiddenSecret}$ to generate the hidden secret key ${\mathrm{hsk}}_f$. Finally, we output the re-encryption key ${\mathrm{rk}}_{f\to t}$ that includes ${\mathrm{ct}}_f^{mR}$, ${\mathrm{ct}}_f^{R^{-1}}$, and ${\mathrm{hsk}}_f$.

  (1)

  Compute ${\mathrm{ct}}_f^{mR}\leftarrow {\mathsf{\Pi }}_f.\mathrm{ScalMul}\left({\mathrm{pk}}_f,{\mathrm{ct}}_f^m,R\right)$: The delegator runs the algorithm ${\mathsf{\Pi }}_f.\mathrm{ScalMul}$ in scheme ${\mathsf{\Pi }}_f$ to generate ciphertext ${\mathrm{ct}}_f^{mR}$ about message $mR$. This algorithm inputs the public key ${\mathrm{pk}}_f$ of the delegator, a ciphertext ${\mathrm{ct}}_f^m$ encrypting the message m, and a message R and ouputs a ciphertext ${\mathrm{ct}}_f^{mR}$ about message $mR$.

  (2)

  Compute ${\mathrm{ct}}_t^{R^{-1}}\leftarrow {\mathsf{\Pi }}_t.\mathrm{Enc}\left({\mathrm{pk}}_t,R^{-1}\right)$: The delegator executes the algorithm ${\mathsf{\Pi }}_t.\mathrm{Enc}$ in scheme ${\mathsf{\Pi }}_t$ to generate the ciphertext ${\mathrm{ct}}_t^{R^{-1}}$ about message $R^{-1}$. This algorithm inputs the public key ${\mathrm{pk}}_t$ of the delegatee and a message $R^{-1}$ and ouputs a ciphertext ${\mathrm{ct}}_t^{R^{-1}}$ about message $R^{-1}$.

  (3)

  Compute ${\mathrm{hsk}}_f\leftarrow {\mathsf{\Pi }}_f.\mathrm{HiddenSecret}\left({\mathrm{sk}}_f,{\mathrm{ct}}_f^{mR}\right)$: The delegator executes the algorithm ${\mathsf{\Pi }}_f.\mathrm{HiddenSecret}$ in scheme ${\mathsf{\Pi }}_f$ to generate the hidden secret key ${\mathrm{hsk}}_f$ about the secret key ${\mathrm{sk}}_f$. This algorithm inputs the secret key ${\mathrm{sk}}_f$ of the delegator and a ciphertext ${\mathrm{ct}}_f^{mR}$ and outputs the hidden secret key ${\mathrm{hsk}}_f$.

  (4)

  Output ${\mathrm{rk}}_{f\to t}=({\mathrm{ct}}_f^{mR},{\mathrm{ct}}_t^{R^{-1}},{\mathrm{hsk}}_f)$.

• ReEnc $\left({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathrm{pk}}_t,{\mathrm{rk}}_{f\to t}\right)\to \mathrm{rct}$: The proxy parses ${\mathrm{rk}}_{f\to t}=({\mathrm{ct}}_f^{mR},{\mathrm{ct}}_t^{R^{-1}},{\mathrm{hsk}}_f)$ that performs the algorithm ReEnc to set the re-encryption ciphertext ${\mathrm{rk}}_{f\to t}$. In the process, the delegator firstly runs the algorithm ${\mathsf{\Pi }}_f.\mathrm{Combine}$ to recover the message $mR$. Second, the proxy runs the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}$ to generate re-encryption ciphertext rct. Finally, we output re-encryption ciphertext rct.

  (1)

  Compute $mR\leftarrow {\mathsf{\Pi }}_f.\mathrm{Combine}\left({\mathrm{hsk}}_f,{\mathrm{ct}}_f^{mR}\right)$: The proxy executes the algorithm ${\mathsf{\Pi }}_f.\mathrm{Combine}$ in scheme ${\mathsf{\Pi }}_f$ to recover the message $mR$. This algorithm inputs the hidden secret key ${\mathrm{hsk}}_f$ and a ciphertext ${\mathrm{ct}}_f^{mR}$ encrypting the message $mR$ and outputs the message $mR$.

  (2)

  Compute ${\mathrm{ct}}_t^m\leftarrow {\mathsf{\Pi }}_t.\mathrm{ScalMul}\left({\mathrm{pk}}_t,{\mathrm{ct}}_t^{R^{-1}},mR\right)$: The proxy executes the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}$ in scheme ${\mathsf{\Pi }}_t$ to generate the re-encryption ciphertext rct, where we have $\mathrm{rct}={\mathrm{ct}}_t^m$. This algorithm inputs the public key ${\mathrm{pk}}_t$ of the delegatee, the ciphertext ${\mathrm{ct}}_t^{R^{-1}}$, and the message $mR$ and outputs the re-encryption ciphertext rct.

  (3)

  Output rct = ${\mathrm{ct}}_t^m.$

Correctness. We now verify the correctness of our UCPRE. In the UCPRE, we get the $\mathrm{rct}={\mathrm{ct}}_t^m$ such that we get that $m^{\prime }={\mathsf{\Pi }}_t.Dec\left({\mathrm{sk}}_t,\mathrm{rct}\right)=m$ by the correctness of the decryption algorithm of scheme ${\mathsf{\Pi }}_t$.

Remark 1.

In our UCPRE, there are only re-encryption key generation and the re-encryption algorithm to achieve the feature of ciphertext switching between homomorphic encryption schemes. At the same time, the computing cost of delegates is not related to the number of time delegations. In addition, our UCPRE recognizes the fine-grained delegation by a new method that the re-encryption key is interrelated to the message. Our UCPRE is geared specifically for data sharing in clouds because the data owner has encrypted his all data via a popular homomorphic encryption scheme (e.g., the Elgamal encryption) and stored the encrypted data in the cloud server before deciding to share the data with the data users in the actual applications. Therefore, we design a mechanism that allows the proxy to transfer the ciphertext under a homomorphic encryption scheme into the ciphertext under a (possibly different) homomorphic encryption scheme.

4.3. Security Proof

In this section, we prove that our UCPRE is HRA secure. The proof is shown as follows.

Theorem 2.

If a homomorphic encryption scheme ${\mathsf{\Pi }}_t$ is CPA secure. Then UCPRE is CPA secure.

Proof. 

For our UCPRE, the correctness of ${\mathsf{\Pi }}_t$ implies the correctness of resulting UCPRE because we have re-encrypted ciphertext rct generated by the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}$, where $\mathrm{rct}=\mathrm{ct}{}_t^m$. For any probabilistic and polynomial-time (PPT) adversary $\mathcal{A}$ with advantage ${\mathrm{Adv}}_{\mathrm{cpa}}^{{\mathcal{A}}^{\prime },{\mathsf{\Pi }}_t}$ attack our scheme UCPRE, we can construct an efficient algorithm ${\mathcal{A}}^{\prime }$ with advantage ${\mathrm{Adv}}_{\mathrm{cpa}}^{\mathcal{A},\mathrm{UCPRE}}$ to attack the encryption scheme ${\mathsf{\Pi }}_t$. We have ${\mathrm{Adv}}_{\mathrm{cpa}}^{{\mathcal{A}}^{\prime },{\mathsf{\Pi }}_t}={\mathrm{Adv}}_{\mathrm{cpa}}^{\mathcal{A},\mathrm{UCPRE}}$ because we have re-encrypted ciphertext rct generated by the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}$, where $\mathrm{rct}=\mathrm{ct}{}_t^m$. By the CPA secure of ${\mathsf{\Pi }}_t$, the advantage ${\mathrm{Adv}}_{\mathrm{cpa}}^{\mathcal{A},\mathrm{UCPRE}}$ is neglectable. Furthermore, the UCPRE scheme is CPA secure. ☐

Theorem 3.

If the distribution of re-encryption ciphertexts likes the distribution of fresh ciphertexts. Then our UCPRE is re-encryption simulatable.

Proof. 

We prove that the UCPRE is re-encryption simulatable when $\mathrm{ReEncSim}={\mathsf{\Pi }}_t.\mathrm{Enc}$ We have ${\mathrm{ct}}_t^m:=\mathrm{ReEnc}({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathrm{pk}}_t,{\mathrm{rk}}_{f\to t})$, where ${\mathrm{ct}}_t^m$ is the ciphertext of the public key under the scheme ${\mathsf{\Pi }}_t$. Therefore, we set the algorithm ReEncSim as ${\mathsf{\Pi }}_t.\mathrm{Enc}$ such that both the algorithms ReEncSim and ReEnc are statistical indistinguishability. That is, the distribution of re-encryption ciphertexts likes the distribution of fresh ciphertexts. Consequently, the UCPRE is re-encryption simulatable. ☐

Theorem 4.

If a homomorphic encryption scheme ${\mathsf{\Pi }}_t$ is CPA secure and UCPRE is re-encryption simulatable. Then UCPRE is HRA secure.

Proof. 

Here we first prove that the UCPRE is CPA secure if a homomorphic encryption scheme ${\mathsf{\Pi }}_t$ is CPA secure by the Theorem 2. Then, we prove that the UCPRE is re-encryption simulatable by the Theorem 3. Finally, by Theorem 1, we prove the UCPRE is HRA secure because UCPRE is CPA secure and UCPRE is re-encryption simulatable. ☐

5. Instantiation of Our Generic Construction

In this section we provide two kinds of instantiations of our generic construction. First, we provide an Instantiation 1 in which the proxy can transfer the ciphertext under an additively homomorphic encryption scheme (the Elgamal encryption [31]) into the ciphertext under a multiplicatively homomorphic one (the BBS encryption [32]-the extension of Elgamal). Then, we provide an Instantiation 2 by describing ciphertext transformation between the RSA encryption schemes [33]. Note that, the description of Elgamal, extension of Elgamal, and RSA encryption schemes in Section 2.2.

5.1. Instantiation 1

We suppose that the delegator is under the Elgamal encryptin scheme denoted by ${\mathsf{\Pi }}_f$. That is, the delegator obtains a pair of keys $({\mathrm{sk}}_f,{\mathrm{pk}}_f)$ throught the algorithm $\mathrm{KeyGen}\left(1^{\lambda }\right)$ of ${\mathsf{\Pi }}_f$, we randomly choose $s\in {\mathbb{Z}}_p^{*}$ and set have ${\mathrm{sk}}_f=s$ and the public key ${\mathrm{pk}}_f=h=g^s$. Meanwhile, the delegator generates the ciphertext ${\mathrm{ct}}_f^m=({\mathrm{ct}}_{f,1}^m,{\mathrm{ct}}_{f,2}^m)$ encrypting the plaintext m via excuting the algorithm $\mathrm{Enc}(m,{\mathrm{pk}}_f)$ of ${\mathsf{\Pi }}_f$, where ${\mathrm{ct}}_{f,1}^m=g^r$ and ${\mathrm{ct}}_{f,2}^m=h^r·g^m$. Suppose that the delegatee is under the BBS encryption scheme denoted by ${\mathsf{\Pi }}_t$. In other words, the delegatee gets a pair of keys $\left({\mathrm{sk}}_t,{\mathrm{pk}}_t\right)$ via the algorithm $\mathrm{KeyGen}\left(1^{\lambda }\right)$ of ${\mathsf{\Pi }}_t$, we set ${\mathrm{sk}}_t=\left(x,y\right)$ and ${\mathrm{pk}}_t=\left(f,h\right)$ where $f=g^x$, $h=g^y$, $x,y\in {\mathbb{Z}}_p^{*}$. In our system, the proxy can transfer the ciphertext ${\mathrm{ct}}_f^m$ encrypting the plaintext m under the Elgamal encryption scheme into the ciphertext ${\mathrm{ct}}_t^m$ under the BBS encryption scheme, as described in the following procedure.

• ReKeyGen $(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{pk}}_t,{\mathbf{pk}}_f,{\mathbf{sk}}_f,{\mathbf{ct}}_f^m)\to {\mathbf{rk}}_{f\to t}$: The delegator performs the algorithm $\mathrm{ReKeyGen}(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{pk}}_t,{\mathbf{ct}}_f^m)$ to set the re-encryption key ${\mathbf{rk}}_{f\to t}$ from the delegator to the delegatee, where ${\mathbf{rk}}_{f\to t}=({\mathbf{ct}}_f^{mR},{\mathbf{ct}}_t^{R^{-1}},{\mathbf{hsk}}_f)$. First, the delegator sets the ciphertext ${\mathbf{ct}}_f^{mR}$ encrypting the message $mR$ by performing the algorithm $\mathrm{ScalMul}({\mathbf{pk}}_f,{\mathbf{ct}}_f^m,R)$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_f.\mathrm{ScalMul}\left({\mathbf{pk}}_f,{\mathbf{ct}}_f^m,R\right)$, randomly choose $R\in {\mathbb{Z}}_p^{*}$ and set ${\mathbf{ct}}_{f,1}^{mR}={\left({\mathbf{ct}}_{f,1}^m\right)}^R=g^{rR}$, and ${\mathbf{ct}}_{f,2}^{mR}={\left({\mathbf{ct}}_{f,2}^m\right)}^R={\left(h^r·g^m\right)}^R=h^{rR}·g^{mR}$, and returns ${\mathbf{ct}}_f^{mR}=({\mathbf{ct}}_{f,1}^{mR},{\mathbf{ct}}_{f,2}^{mR})$. Second, the delegator generates the ciphertext ${\mathbf{ct}}_t^{R^{-1}}$ encrypting the message $R^{-1}$ by excuting the algorithm $\mathrm{Enc}({\mathbf{pk}}_t,R^{-1})$ of ${\mathsf{\Pi }}_t$. For the algorithm ${\mathsf{\Pi }}_t.\mathrm{Enc}({\mathbf{pk}}_t,R^{-1})$, randomly pick $\alpha ,\beta \in {\mathbb{Z}}_p^{*}$, and compute ${\mathbf{ct}}_{t,1}^{R^{-1}}=f^{\alpha }$, ${\mathbf{ct}}_{t,2}^{R^{-1}}=h^{\beta }$, and ${\mathbf{ct}}_{t,3}^{R^{-1}}=g^{\alpha +\beta }·R^{-1}$, and return ${\mathbf{ct}}_t^{R^{-1}}=({\mathbf{ct}}_{t,1}^{R^{-1}},{\mathbf{ct}}_{t,2}^{R^{-1}},{\mathbf{ct}}_{t,3}^{R^{-1}})$. Third, we generate a hidden secret ${\mathbf{hsk}}_f$ by excuting the algorithm $\mathrm{HiddenSecret}({\mathbf{sk}}_f,{\mathbf{ct}}_f^{mR})$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_f.\mathrm{HiddenSecret}({\mathbf{sk}}_f,{\mathbf{ct}}_f^{mR})$, we set ${\mathbf{hsk}}_f={\left({\mathbf{ct}}_{f,1}^{mR}\right)}^s=h^{rR}$ and return ${\mathbf{hsk}}_f$. Finally, output ${\mathbf{rk}}_{f\to t}=({\mathbf{ct}}_f^{mR},{\mathbf{ct}}_t^{R^{-1}},{\mathbf{hsk}}_f)$.
• ReEnc $({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{rk}}_{f\to t})\to {\mathbf{ct}}_t^m$: The proxy performs the algorithm $\mathrm{ReEnc}({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{rk}}_{f\to t})$ to generate re-encryption ciphertext rct, where $\mathbf{rct}={\mathbf{ct}}_t^m$. First, the proxy decrypts the ciphertext ${\mathbf{ct}}_f^{mR}$ by excuting the algorithm $\mathrm{Combine}({\mathbf{hsk}}_f,{\mathbf{ct}}_f^{mR})$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_f.\mathrm{Combine}({\mathbf{hsk}}_f,{\mathbf{ct}}_f^{mR})$, the proxy sets $g^{mR}={\mathbf{ct}}_{f,2}^{mR}/{\mathbf{hsk}}_f$. Then, the message $mR$ is retrieved through running an exhaustive search. Second, the proxy obtains the ciphertext ${\mathbf{ct}}_t^m$ by excuting the algorithm $\mathrm{ScalMul}({\mathbf{pk}}_t,{\mathbf{ct}}_t^{R^{-1}},mR)$ of ${\mathsf{\Pi }}_t$. For the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}({\mathbf{pk}}_t,{\mathbf{ct}}_t^{R^{-1}},mR)$, we compute ${\mathbf{ct}}_{t,1}^{mR}=f^{\sigma }$, ${\mathbf{ct}}_{t,2}^{mR}=h^{{\sigma }^{\prime }}$, and ${\mathbf{ct}}_{t,3}^{mR}=g^{\sigma +{\sigma }^{\prime }}·mR$ via encrypting $mR$, where $\sigma ,{\sigma }^{\prime }\in {\mathbb{Z}}_p^{*}$. Next, we compute ${\mathbf{ct}}_{t,1}^m={\mathbf{ct}}_{t,1}^{R^{-1}}·{\mathbf{ct}}_{t,1}^{mR}=f^{\alpha +\sigma }$, ${\mathbf{ct}}_{t,2}^m={\mathbf{ct}}_{t,2}^{R^{-1}}·{\mathbf{ct}}_{t,2}^{mR}=h^{\beta +{\sigma }^{\prime }}$, ${\mathbf{ct}}_{t,3}^m={\mathbf{ct}}_{t,3}^{R^{-1}}·{\mathbf{ct}}_{t,3}^{mR}=g^{\left(\alpha +\beta \right)+\left(\sigma +{\sigma }^{\prime }\right)}·m$, and return ${\mathbf{ct}}_t^m=({\mathbf{ct}}_{t,1}^m,{\mathbf{ct}}_{t,2}^m,{\mathbf{ct}}_{t,3}^m)$.

5.2. Instantiation 2

We suppose that the delegator is under a RSA encryptin scheme denoted by ${\mathsf{\Pi }}_f$. That is, the delegator obtains a pair of keys $({\mathrm{sk}}_f,{\mathrm{pk}}_f)$ throught the algorithm $\mathrm{KeyGen}\left(1^{\lambda }\right)$ of ${\mathsf{\Pi }}_f$, we set the public key ${\mathrm{pk}}_f=\left(e,n\right)$ and the secret key ${\mathrm{sk}}_f=\left(d,n\right)$. Meanwhile, The delegator generates the ciphertext ${\mathrm{ct}}_f^m$ encrypting the plaintext m via excuting the algorithm $\mathrm{Enc}(m,{\mathrm{pk}}_f)$ of ${\mathsf{\Pi }}_f$, where ${\mathrm{ct}}_f^m=m^e\mathrm{mod}n$. Suppose that the delegatee is under a RSA encryptin scheme denoted by ${\mathsf{\Pi }}_t$. In other words, the delegatee gets a pair of keys $({\mathrm{sk}}_t,{\mathrm{pk}}_t)$ throught the algorithm $\mathrm{KeyGen}\left(1^{\lambda }\right)$ of ${\mathsf{\Pi }}_t$, we set the public key ${\mathrm{pk}}_t=\left(e^{\prime },n^{\prime }\right)$ and the secret key ${\mathrm{sk}}_t=\left(d^{\prime },n^{\prime }\right)$. In our system, the proxy can transfer the ciphertext ${\mathrm{ct}}_f^m$ encrypting the plaintext m under a RSA encryption scheme into the ciphertext ${\mathrm{ct}}_t^m$ under a RSA encryption scheme, as described in the following procedure.

• ReKeyGen $(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{pk}}_t,{\mathbf{pk}}_f,{\mathbf{sk}}_f,{\mathbf{ct}}_f^m)\to {\mathbf{rk}}_{f\to t}$: The delegator performs the algorithm $\mathrm{ReKeyGen}(1^{\lambda },{\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{pk}}_t,{\mathbf{ct}}_f^m)$ to set the re-encryption key ${\mathbf{rk}}_{f\to t}$ from the delegator to the delegatee, where ${\mathbf{rk}}_{f\to t}=({\mathbf{ct}}_f^{mR},{\mathbf{ct}}_t^{R^{-1}},{\mathbf{hsk}}_f)$. First, the delegator sets the ciphertext ${\mathbf{ct}}_f^{mR}$ encrypting the message $mR$ by performing the algorithm $\mathrm{ScalMul}({\mathbf{pk}}_f,{\mathbf{ct}}_f^m,R)$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}\left({\mathbf{pk}}_f,{\mathbf{ct}}_f^m,R\right)$, the delegator choose a random R$\left(0<R<n-1\right)$ and sets ${\mathbf{ct}}_f^{mR}$, where ${\mathbf{ct}}_f^{mR}=\left({\mathbf{ct}}_f^m\right)·\left(R^e\mathrm{mod}n\right)=$ $m^e\mathrm{mod}n·R^e\mathrm{mod}n={\left(mR\right)}^e\mathrm{mod}n$. Second, the delegator generates the ciphertext ${\mathbf{ct}}_t^{R^{-1}}$ encrypting the message $R^{-1}$ by excuting the algorithm $\mathrm{Enc}({\mathbf{pk}}_t,R^{-1})$ of ${\mathsf{\Pi }}_t$. For the algorithm ${\mathsf{\Pi }}_t.\mathrm{Enc}({\mathbf{ct}}_t,R^{-1})$, the delagator computes ${\mathbf{ct}}_t^{R^{-1}}={\left(R^{-1}\right)}^{e^{\prime }}\mathrm{mod}{n}^{\prime }$. Third, the delegator generates a hidden secret ${\mathbf{hsk}}_f$ by excuting the algorithm $\mathrm{HiddenSecret}({\mathbf{sk}}_f,{\mathbf{ct}}_f^{mR})$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_f.\mathrm{HiddenSecret}({\mathbf{sk}}_f,{\mathbf{ct}}_f^{mR})$, we set ${\mathbf{hsk}}_f={\left({\mathbf{ct}}_f^{mR}\right)}^{e^{-1}d}={\left(mR\right)}^d\mathrm{mod}n$ and return ${\mathbf{hsk}}_f$. Finally, the algorithm outputs ${\mathbf{rk}}_{f\to t}=({\mathbf{ct}}_f^{mR},{\mathbf{ct}}_t^{R^{-1}},{\mathbf{hsk}}_f)$.
• ReEnc $({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{rk}}_{f\to t})\to {\mathbf{ct}}_t^m$: The proxy performs the algorithm $\mathrm{ReEnc}({\mathsf{\Pi }}_f,{\mathsf{\Pi }}_t,{\mathbf{rk}}_{f\to t})$ to generate re-encryption ciphertext rct, where $\mathbf{rct}={\mathbf{ct}}_t^m$. First, the proxy decrypts the ciphertext ${\mathbf{ct}}_f^{mR}$ by excuting the algorithm $\mathrm{Combine}({\mathbf{hsk}}_f,{\mathbf{ct}}_f^{mR})$ of ${\mathsf{\Pi }}_f$. For the algorithm ${\mathsf{\Pi }}_f.\mathrm{Combine}({\mathbf{hsk}}_f,{\mathbf{ct}}_f^{mR})$, the proxy sets $mR={\left({\mathbf{hsk}}_f\right)}^e={\left(mR\right)}^{de}\mathrm{mod}n=mR$. Second, the proxy obtains the ciphertext ${\mathbf{ct}}_t^m$ by excuting the algorithm ScalMul of ${\mathsf{\Pi }}_t$. For the algorithm ${\mathsf{\Pi }}_t.\mathrm{ScalMul}({\mathbf{pk}}_t,{\mathbf{ct}}_t^{R^{-1}},mR)$, we compute ${\mathbf{ct}}_t^{mR}={\left(mR\right)}^{e^{\prime }}\mathrm{mod}{n}^{\prime }$ via encrypting $mR$. Next, we compute ${\mathbf{ct}}_t^m={\mathbf{ct}}_t^{R^{-1}}·{\mathbf{ct}}_t^{mR}$, where we have ${\mathbf{ct}}_t^m={\mathbf{ct}}_t^{R^{-1}}·{\mathbf{ct}}_t^{mR}$ $={\left(R^{-1}\right)}^{e^{\prime }}\mathrm{mod}{n}^{\prime }·{\left(mR\right)}^{e^{\prime }}\mathrm{mod}{n}^{\prime }={\left(m\right)}^{e^{\prime }}\mathrm{mod}{n}^{\prime }$ Finally, return ${\mathbf{ct}}_t^m$.

We can fully understand how our UCPRE realizes ciphertext transformation from a homomorphic encryption scheme to a (different) homomorphic encryption scheme throught the above Instantiation 1 and Instantiation 2.

6. Efficiency Analysis

We first define the notations used in

Table 1. Computing cost comparison.

Schemes	Enc	RKeyGen	ReEnc	Dec(Or)	Dec(Re)
[24]	$2t_e+5t_{e_t}+5t_p$	$8t_e$	$2t_e+2t_{e_t}+2t_p$	$t_e+2t_{e_t}+t_p$	$t_e+t_{e_t}+t_p$
[25]	$4t_e+t_{e_t}+t_p$	$8t_e$	$t_e$	$2t_e+1t_{e_t}+3t_p$	$t_e+t_{e_t}+4t_p$
[26]	$4t_e+t_{e_t}+t_p$	$8t_e+t_{e_t}+t_p$	$5t_e+2t_p$	$2t_e+t_{e_t}+3t_p$	$4t_e+t_{e_t}+12t_p$
[27]	$8t_e+t_p$	$t_e+2t_p$	$6t_e$	$t_e+t_p$	$t_e+t_p$
Ours	$2t_e$	$3t_e$	$6t_e$	$t_e$	$2t_e$

. Notations $t_p$ and $t_e$, and $t_{e_t}$ denote the times consumed for a pairing operation, and a modular exponentiation in $\mathbb{G}$, and a modular exponentiation in ${\mathbb{G}}_T$, separately. Notations Dec(Or) and Dec(Re) denote the decryption execution for the original ciphertext and the re-encryption ciphertext, respectively. Here, we omit the computing time of addition, multiplication, and hash function operations because these operations are much less modular exponentiation and pairing operations. As shown in Table 1, the computation overhead of the instantiation scheme for UCPRE in each algorithm is compared to other works.

• Enc. The instantiation scheme for UCPRE has lower computing cost to set the original ciphertext. Nevertheless, the delegator in works [24,25,26,27] have to undertake the amount of computing overhead in the encryption phase. For exzample, the delegator in work [27] needs to undertake 8 modular exponentiation operations in ${\mathbb{G}}_T$ and a pairing operation for setting ciphertext.
• RKeyGen. Table 1 shows that scheme [27] and our scheme have lower computation overhead to generate the re-encryption key. However, the delegator in work [26] needs abundant computing overhead to set the re-encryption key.
• ReEnc. Table 1 shows that our instantiation scheme has less computing cost to execute the re-encryption algorithm for setting re-encryption ciphertext compared with the works [24,26]. While our scheme is less efficinet comparied with works [25,27] in the re-encryption phase. However, it cannot support the ciphertext switching functionality.
• Dec(Or). In the decryption algorithm for the original ciphertext, the delegator in our instantiation scheme and work [27] only executes lower computing costs to decrypt the original ciphertext. However, there are heavy computing overhead in works [24,25,26].
• Dec(Re). Table 1 shows that our instantiation scheme has less computing cost to execute the decryption algorithm for the re-encryption ciphertext compared with CPRE schemes [24,25,26,27].

The comparison results displayed in Table 1 clearly show that our UCPRE has the least computation overhead compared to related works. Meanwhile, our construction UCPRE adds the property of ciphertext transformation between two (different) homormorphic encryption schemes compared with conditional proxy re-encryption schemes. This function is important for a CPRE scheme that may be used in actual applications (e.g., data sharing in clouds).

7. Conclusions

We present a generic construction UCPRE named universal conditional proxy re-encryption in this article. Our solution supports fineness access control for sensitive data compared to the design of UPRE. In particular, our UCPRE is more applied in the real data sharing in clouds because it supports the flexible transformation of outsourced encrypted data between the (possibly different) homomorphic encryption schemes efficiently. Furthermore, our UCPRE is simple and efficient compared to the existing CPRE scheme via instantiating our generic construction. While this work achieves ciphertext switching between homomorphic encryption schemes for data sharing, it inspires some interesting open problems such as designing a UCPRE scheme to support the flexible transformation of ciphertext between any encryption schemes.