Advertisement
Browse Subject Areas
?

Click through the PLOS taxonomy to find articles in your field.

For more information about PLOS Subject Areas, click here.

  • Loading metrics

Open Access

Peer-reviewed

Research Article

Privacy preserving data sharing method for social media platforms

  • Snehlata Yadav ,

    Roles Conceptualization, Formal analysis, Investigation, Methodology, Validation, Visualization, Writing – original draft, Writing – review & editing

    yadavsnehlata@gmail.com

    Affiliations Department of Computer Science and Engineering, Maulana Azad National Institute of Technology, Bhopal, MP, India, Department of Computer Science and Engineering, Government Women’s Polytechnic College, Bhopal, MP, India

  • Namita Tiwari

    Roles Supervision

    Affiliation Department of Computer Science and Engineering, Maulana Azad National Institute of Technology, Bhopal, MP, India

Abstract

Digital security as a service is a crucial aspect as it deals with user privacy provision and secure content delivery to legitimate users. Most social media platforms utilize end-to-end encryption as a significant security feature. However, multimedia data transmission in group communication is not encrypted. One of the most important objectives for a service provider is to send the desired multimedia data/service to only legitimate subscriber. Broadcast encryption is the most appropriate cryptographic primitive solution for this problem. Therefore, this study devised a construction called anonymous revocable identity-based broadcast encryption that preserves the privacy of messages broadcasted and the identity of legitimate users, where even revoked users cannot extract information about the user’s identity and sent data. The update key is broadcast periodically to non-revoked users, who can obtain the message using the update and decryption keys. A third-party can also revoke the users. It is proven that the proposed construction is semantically secure against IND-ID-CPA attacks and efficient in terms of computational cost and communication bandwidth.

Citation: Yadav S, Tiwari N (2023) Privacy preserving data sharing method for social media platforms. PLoS ONE 18(1): e0280182. https://doi.org/10.1371/journal.pone.0280182

Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA

Received: June 25, 2022; Accepted: December 22, 2022; Published: January 20, 2023

Copyright: © 2023 Yadav, Tiwari. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: The author(s) received no specific funding for this work.

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

Nowadays, the use of social media [1] has become an essential part of today’s life. Previously, short messaging service (SMS) was provided by Global System for Mo-bile Communication (GSM) and Code Division Multiple Access (CDMA) operators. Today, several instant messaging (IM) services offer multimedia data transmission to multiple users simultaneously and facilitate communication with many participants via group chats, which offers a significant advantage over SMS. IM chats [2] also allow the sharing of text messages and attachments, such as image or videos, for direct and group communication. Groups in social media comprise a set of members and contain meta information, such as group title. Based on the IM application and its underlying protocols, groups can be modified either by all the participating users or administrated by some selected users. These applications generate large amounts of data, which are sensitive in nature. If these data are revealed, then there may be many consequences related to the privacy of all associated users. For these applications, effective and efficient methods must be deployed to ensure data security and confidentiality of user credentials. Consider a scenario where the data owner wants to transmit multimedia data to only a subset of members from the group of users. For this, many cloud providers support a broadcast feature, which is not end-to-end encrypted. Government, healthcare services, social media networks, associations, businesses, and individuals have been gathering personal information for analysis, decision-making and other reasons for decades. For example, health records are used to monitor disease transmission to uncover the secret connection between diseases and their prevention and control. Organizations may, for instance, provide information of their clients to external third parties, such as advertising agencies. Sharing and distributing information in a targeted group while ensuring data privacy and user’s identity privacy is critical but has not been given much attention. In addtion to social media platforms, smart cities, the Internet of Things(IoT), cloud environments, Pay TV, and, healthcare systems have the potential for the application for proposed scheme. Consider a scenario of identity-based broadcast encryption in smart city that uses information and communication technologies (ICT) and IoT technologies to improve the life quality of all residents. For example, to identify traffic congestion data of users can be collected by some sensors, and electricity consumption can be monitored by smart meters enabling residents to receive better services than before. Nevertheless, most new devices, such as smart meters, sensors, traffic and surveillance cameras, traffic lights, and, cellphones are wireless, which are very easy to be attacked if communications are not properly encrypted. Another example of healthcare scenario using an anonymous identity-based broadcast encryption, is the health record sharing system for hospitals, which is supplied by a cloud service. Without losing generality, it can be assumed that the system consists of a cloud server, a data owner, and a group of doctors labelled “S”. The data owner first encrypts a data for a selected group and then stores the encrypted file in the cloud for sharing. When a doctor leaves the hospital, the server must revoke him from accessing all files. Revoked set is denoted as “R”. If the revoked doctors are not in group S, they cannot decrypt the ciphertext after the server conducts revocation. Most importantly, it requires the cloud server to be able to revoke users from a ciphertext without knowing the encrypted file and identities of receivers. For this, the server must have the ability to decrypt the ciphertext. When some identities should be revoked, the server first decrypts the ciphertext and removes them from the original authorized user set. It then re-encrypts the data using the new authorized user set. However, in this trivial solution, the cloud server is able to learn the content and the identity of authorized users who can access the file. A cloud server must revoke the user without knowing the identity of user at a particular time period using time key. Simultaneously, the cloud server must not learn any information pertaining to data owner’s health record. Thus, this paper proposes an anonymous revocable identity-based broadcast cryptosystem (ARIBBE) that overcomes these challenges through the following:

  • The proposed scheme preserves the privacy of legitimate subscribers.
  • The primary objective of the proposal method is the retrieval of the function without learning the revocation identity set with ciphertext evolution and protection of data privacy despite revoked user collisions.
  • This paper presents a new cryptosystem with ciphertext evolution over cloud, which is appropriate for fine-grained data access control, protects legitimate receiver’s identity, and allows a third party to revoke select receivers.
  • The construction is semantically secure under BDHP computational assumption and random oracle model.
  • The computation cost in the revocation phase is linear to the number of revoked users and revocation is performed using time key.

The remainder of the paper is organized as follows. The Literature review section 2 presents an overview of similar existing schemes. The Preliminaries section 3 provides the definition and the overview of basic ID-based broadcast cryptosystem. The Proposed Scheme section 4 describes the proposed method. The Security Model and Proof Overview section 5 provides the security analysis of the proposed scheme. Finally, the Conclusion section 6 presents the conclusions of the study.

2 Literature review

The concept of broadcast encryption (BE) was first proposed by Fiat and Naor [3], however, Boneh et al. [4] constructed a broadcast encryption scheme with smaller decryption, encryption key size, shorter encrypted message size, and better computational cost. BE is a cryptographic primitive which provides a solution to the problem of communicating encrypted messages to only legitimate set of users, “S”, over an insecure channel. Only legitimate users from S can decrypt the encrypted message. In contrast, revoked users of S would not learn anything about the message. Users who obtain access to the ciphertext are called legitimate subscribers (member of the set S) and unsubscribed users (non-member of the set S) are called revoked users. The broadcast encryption algorithm works on the demarcation of revoked and legitimate users and this partition can vary for each broadcasted message. Broadcast encryption is deployed in two settings: symmetric key and asymmetric key settings. In a symmetric key framework, a key generation center distributes the secret decryption keys to all legitimate users before message transmission phase. For each user, a separate secret key is maintained. In such a scenario, only the broadcaster or the sender acts as the source of a message. The sender shares a common session key with all the subscribed users.

To broadcast an encrypted message to all users in S, message is encrypted using the session key and then, to decrypt it, the legitimate users need the session key, their own secret key, and S to identify all the receivers. In the asymmetric key setting, the broadcast encryption uses public key framework. All users of the set S has a pair of keys, one for encryption function and another for decryption function. The broadcaster and other possible other entities can act as a source of a message, while, only legitimate subscribers or receivers can decrypt and learn the actual message. It also resolves the problem of refreshing the secret keys after any update in the set of legitimate subscribers for symmetric key setting. BE in the public key setting is well studied and can be classified as Fig 1: Identity-based broadcast encryption, attribute-based broadcast encryption, anonymous broadcast encryption, hierarchical broadcast encryption, dynamic broadcast encryption, and distributed broadcast encryption. It has several applications such as in secure email system, digital rights management system, pay TV, database security system, online social network system etc. Identity-based broadcast encryption (IBBE) was first introduced by C. Delerablée [5], which is an extension of identity-based encryption scheme in public key setting. Instead of public keys each legitimate subscriber is identified by their Identity, such as email-id, passport number, or driving license number (arbitrary strings, alphanumeric values, and numerals) etc., are used as encryption keys. It is a practical cryptographic primitive that allows an exponential number of recipients to exchange messages securely. This implies that the public parameter is not correlated by any means to the decryption key of recipients.

thumbnail
Download:
Fig 1. Broadcast encryption in public key framework.

https://doi.org/10.1371/journal.pone.0280182.g001

Due to high prevalence of IoT technology [6, 7] applications and blockchain technology (BCT), security issues such as identity authenticity and data privacy are becoming increasingly important concern. Fan et al. [8] integrated IoT with BCT and proposed efficient authentication and secure data sharing scheme. This scheme achieves a proper tradeoff between security and performance, compared with other schemes of IoT but the only drawback is, it doesn’t provide an anonymous authentication. Blockchain [9] along with attribute based searchable encryption offers decentralized and computationally efficient construction. For e-health [10] proposed secure and energy-efficient IoT model. It enables secure transmission and retrieval of biomedical images over IoT networks. All aforementioned schemes [6, 810] do not provide an anonymous authentication property.

Various online social networks [1113] (e.g. WhatsApp, Twitter, Instagram, and Facebook) make the distribution of user’s real time data between multiple users over the same and different networks very easy. The ease of use, faster transformation, and cost-effectiveness make online social networks an efficient method of communication and information sharing [14, 15]. Many researchers have extensively analyzed the impact of social media [16] on information sharing. However, these schemes does not ensure the anonymity of the receivers. To address this problem [4] has come up with the anonymous broadcast encryption in public key setting and the issue of anonymity has been studied extensively in schemes, [4, 1724]. Many applications e.g., vehicular ad-hoc network(VANET) [18] use computationally efficient privacy preserving anonymous authentication scheme based on the use of anonymous certificates and signatures which is an important component of IoT. This scheme is efficient in terms of certificate and signature verification cost and providing anonymity. Azees et al. [25, 26] proposed an efficient conditional privacy preserving scheme for VANET using bi-linear pairing. The scheme provides better efficiency in terms of fast verification on certificates, signatures, preserves anonymity among vehicle entities and revokes the privacy of misbehaving vehicles and provides conditional privacy in a computationally efficient manner. VANET entities become anonymous to each other until they are revoked from the VANET system. In the e-healthcare domain, data privacy and security of electronic health records are the most prominent challenges with cryptographic primitives playing a vital role in providing privacy and secure access. Chen et al. [27] presented a comprehensive review of privacy preserving methods in this domain. However, none of these schemes are able to achieve anonymity and revocation simultaneously with respect to the time key. This paper attempt to solve this problem.

2.1 System model

Consider an online e-healthcare system, such as that presented in Fig 2, where the data related to patients is collected and uploaded to the centralized storage server, for example, a cloud server. The patient’s data must be secure and the privacy (identity) of the patient must be preserved. If this is not taken seriously, the patients may suffer the consequences of having their medical records leaked online. Recently millions of user’s data has been compromised.

thumbnail
Download:
Fig 2. A system model for online data sharing.

https://doi.org/10.1371/journal.pone.0280182.g002

In online e-healthcare system, a patient acts as data owner and may they choose to share their medical data with various medical professionals or related personnel, such as

  1. to various doctors for taking opinion for his medical case.
  2. government offices for providing information as they are working in that office many a times, it is necessary to share medical records of the employee with employer.
  3. and insurance agencies for medical-claim disbursement purposes.

In other words, if a data owner chooses to share their medical records to various receivers where no receiver is able to learn other receivers’ identity. If some receivers are revoked then they cannot learn any message by combining their keys. This revocation list is based on time update keys. Most of the time, online healthcare data resides in shared environments, thus, ensuring that the data is shared and accessed in a secure manner on the cloud and access is a non-trivial task. One way to share data among group of legitimate subscribers is identity-based broadcast encryption. The privacy of the recipients is an important issue to be addressed in broadcast encryption schemes. There are scenarios where revealing the identity of receivers may result in a threat to the subscribed users. To some extent, this issue has been taken into consideration by several past researchers [4, 2831]. However, whilst these schemes did show data sharing capabilities including receiver anonymity, they did not provide a solution to the problem of when some receivers are revoked from the original subscriber set. Encrypting the message again for the newly formed subscriber set after the revoked user is a trivial but impractical solution. The notion of Recipient revocable identity-based broadcast encryption (R-IBBE) provides efficient solution to this problem.

2.1.1 Design goals.

  • No probabilistic polynomial-time (PPT) adversary is able to recover plaintext from ciphertext after revocation. This scheme is aimed at being secure against chosen plaintext attacks.
  • The scheme is collusion resistant. More particularly, if the maximum receivers is set as one, the resultant scheme is an anonymous revocable IBE scheme with timestamp revocation.
  • The receiver set is anonymous i.e., the identities of the receivers are hidden from outside world.
  • It should be difficult for the cloud server to retrieve the identities of receivers from C*.
  • The computational cost of decryption is independent of total number of receivers.
  • The public parameters in the proposed scheme is linear in the maximum size of the privileged identity set.

2.2 Design issues of the IBBE schemes

There are various essential design issues for the construction of IBBE cryptographic primitives. These are briefly discussed below.

2.2.1 Security model.

In the basic security model of IBBE schemes, an adversary is allowed to obtain the secret keys Sk for a specific set, S, of identities of k-subscribers. The adversary can-not break the encryption scheme for some another identity set S′ or for some other subscriber’s identity. The security model also allows adversary to obtain secret keys corresponding to an identity ID ⊆ S. Based on the targeted identity set by an adversary, two types of security notions emerge, namely: selective security and adaptive security. Selective security is a weaker security notion that allows an adversary to specify a target recipient set before learning about the public parameters, however, here the adversary is restricted in raising encryption queries.

Whereas, in the adaptive security, a stronger security notion, allows an adversary to specify target recipient set adaptively. The adversary is able to corrupt identities even before it knows about the recipient identity set. Semantic security and chosen ciphertext security notions are defined as stronger security notions and the schemes based on these security notions are highly desirable.

2.2.2 Computational complexity assumption.

Security of cryptographic primitives are based on computationally hard problems. There are several standard computation problems based on which most of the public-key cryptosystems are constructed. Apart from standard computational complexity assumption, many cryptosystems are constructed considering reduction of a problem to another problem. Bilinear pairings or mappings are employed in most of the public key broadcast encryption schemes. Moreover, lattice-based or code-based schemes can also serve as a candidate that can resist attacks using quantum computers.

2.2.3 Header size.

The ciphertext consists of a header (hdr) and a session key K. The original message to be transmitted is encrypted with the help of this session key. Moreover, the header and ciphertext contains some additional knowledge that facilitates only privileged recipients to retrieve the session key and then subscribed users obtain the message with the help of this recovered session key. It is desirable to have a compact size header to reduce communication overhead.

2.2.4 Key size.

For lightweight cryptographic applications, such as in IoT, Industry-IoT, and wireless sensor networks, a scheme is required where the size of keys and computational cost are kept to a minimum because of storage constraints. Therefore, it is preferred to use shorter key and header size.

2.2.5 Pairing choice.

There exist many pairing based efficient construction of IBBE schemes. Pairing based construction requires a function defined as , where and are additive groups and is a multiplicative group for some large prime q. Pairing based constructions can be categorized into three types: Type-I, Type-II, and Type-III, as described below [32, 33].

  1. If both the input cyclic groups are same (i.e. ) then the pairing is considered Symmetric pairing or Type-I pairing.
  2. If both the input cyclic groups are not same () and there exist precisely a computable homomorphism then the pairing is considered to be Type-II pairing.
  3. However, if both the input cyclic groups are not same and there does not exist a computable homomorphism then the pairing is called Asymmetric pairing or Type-III pairing.

All types of pairing have been well studied in literature [34, 35] with the consensus being that Type-III is more suitable to use because it provides designs based on this are most efficient, secure, and have more compact parameter sizes. In addition to bi-linear pairing, lattice is also one of the most powerful tools for constructing post quantum cryptographic primitives.

2.2.6 Additional properties.

Several efficient algorithms of IBBE have been constructed based on various complexity assumptions, security models, compact size of header, and keys. Apart from all these parameters, some additional properties are also required.

  1. Anonymity property: This states that the adversary cannot obtain set of receivers from the ciphertext. Leakage of the recipient set reveals the subscriber’s information which is a major security concern and may cause a personal attack to receivers such as trolling, bullying, etc. Previous schemes have focused on the confidentiality of the message while the recipient set was openly known to adversaries. Preserving privacy is a serious concern in designing cryptographic algorithms, and therefore, various broadcast encryption schemes consider this issue such as Anonymous-IBBE [21], Private broadcast encryption [4], Attribute-based broadcast encryption (hidden policy) [22, 23], outsider anonymous BE [36], lattice-based BE [24].
  2. Revocation: This is the intrinsic property of basic broadcast encryption techniques. Consider a scenario where the broadcast encryption setup algorithm and key generation algorithm generate all the parameters as per the construction. The system has reported some malicious receiver or somehow the legitimate receiver’s decryption key is leaked. Therefore, in these circumstances, a receiver needs to be revoked. Schemes with revocation property are preferred in the construction of systems.

3 Preliminaries

This section first describes a relevant IBBE cryptosystem followed by a Revocable identity-based broadcast encryption scheme. Secondly, the basic concepts on bilinear pairing and decisional BDHE assumption are also presented. The notations and acronym used in the paper are described in Table 1.

thumbnail
Download:
Table 1. Notations.

https://doi.org/10.1371/journal.pone.0280182.t001

3.1 Identity-based broadcast encryption scheme

The notion of IBBE construction as presented in [5] is described here. An identity-based broadcast encryption method consists of ensemble of three probabilistic algorithms (IBBE.setup, IBBE.extract, IBBE.Enc) and one deterministic algorithm (IBBE.Dec).

  1. IBBE.setup (1λ, m) → (PP, msk). λ is considered a security parameter in the algorithm, and the maximum count of identities in a privileged recipient set, m, is taken as input to produce the public parameter PP and a master secret key msk. Further, denotes the identity space, and represents the key space.
  2. IBBE.extract (ID, msk) → DSKID. Taking an msk and an identity vector ID as inputs, IBBE.extract produce a decryption key DSKID corresponding to the identity ID.
  3. IBBE.Enc . This randomized algorithm produces a pair (C, K), where C is the ciphertext and is a session key, on the input of public parameters PP, legitimate recipient set of size |S| ≤ m, and a message to be sent from the message space .
  4. IBBE.Dec (ID, PP, S, DSKID, C) → M. This deterministic algorithm recovers the message M on taking public parameter PP, legitimate recipients set S = {ID1, …, IDl}, identity ID, secret key DSKID, and ciphertext C as input. If the message is not recovered then a bottom symbol ⊥ is produced.

One of the essential requirements of IBBE scheme is that for every identity ID ∈ S output by IBBE.extract algorithm is a decryption key DSKID IBBE.enc then IBBE.Dec(ID, PP, S, DSKID, C) → M with certain probability. The ID-based encryption scheme is a particular instance of IBBE if size of recipient set is 1, i.e. |S| = 1.

3.2 Revocable identity-based broadcast scheme

An extension of identity-based broadcast cryptosystem that allows subscribed receivers to be revoked is called revocable identity-based broadcast encryption R-IBBE [37]. This extension facilitates a legitimate subscriber with an ID to be revoked if their credentials are expired or leaked. In R-IBBE, each user of a recipient set obtains a decryption key from the private key generation center/authority (PKGC) that is related with the user’s ID. Once the system is configured, the key generation authority periodically updates revoked recipient set RL with respect to time T and then broadcasts the update key for the remaining non-revoked recipients. The generation of the update key depends on RL and T.

If a legitimate user does not revoke at time T when the update key has been issued then the user can generate their own decryption key corresponding to ID. With the use of decryption key corresponding to their ID and time T, the legitimate recipient is able to decrypt a ciphertext for receiver IDp and time Tc only if ID = IDp and T = Tc holds.

  • If ID ∈ RL then it outputs a pair of decryption key for identity ID and time T.
  • If ID ∉ RL then it outputs ⊥ with all but negligible probability.
  • If (IDp = ID) ∧ (Tp = T), then Decryption algorithms outputs M
  • If (IDp ≠ ID) ∨ (Tp ≠ T), then Decryption algorithms outputs ⊥ with all but negligible probability.

3.3 Bilinear pairing based on prime order groups

Assume that and are cyclic groups of prime order q with the binary operation being addition, and denotes a multiplicative group of same prime order q. Bilinear pairing is a mapping or simply a function that satisfy the following properties as mentioned below.

  1. Bilinearity, where , and .
  2. Non-degeneracy is a generator element of i.e. , where iff and similarly if and only if .
  3. Computability—A pairing is defined as computable if there exist a polynomial runtime algorithm that can evaluate the expression , and , correctly.

3.4 Hardness assumptions

Let be a Type-I bilinear mapping with a generator . Bilinear Diffie–Hellman (BDH) hardness assumption states that given a tuple (P, aP, bP, cP) for some unknown as input then find the output .

Assumption 1. Let Adversarial algorithm be a τ−time algorithm that receives an input challenge for BDH problem and produces a decision bit β ∈ {0, 1} as output. has advantage ϵ in solving bilinear Diffie-Hellman problem when , where the probability is over the random choices of , random bits consumed by , random choice of and the random choices of generator P of , respectively.

Definition 1. The assumption 1 is tenable in if no τ-time algorithm has an advantage of at least ϵ in solving the BDH assumption over .

4 Proposed scheme

The proposed construction considers the idea of revocation of subscribed receivers used in the IBE scheme of [38] and the ID-based broadcast encryption scheme [37].

Definition 2. The anonymous revocable identity-based broadcast encryption (ARRIBE) scheme is associated with message space , identity space , and time space . The protocol is an ensemble of probabilistic algorithms, namely, ARIBBE.setup, ARIBBE.Genkey, ARIBBE.Timekey, ARIBBE.encrypt, ARIBBE.decrypt, and ARRIBE.revoke that are described as follows.

  1. ARIBBE.setup (1λ, m). This algorithm considers security parameter λ and m as the maximum count of identities of users as input parameters. It generates public parameter PP, an empty revocation list RL, and msk. This algorithm is executed by the PKGC.
  2. ARIBBE.Genkey (PP, msk, ID). This key generation algorithm takes , the master secret key msk, and the public parameter PP as inputs. It generates a decryption key DSKID corresponding to the ID as output. Trusted authority runs this algorithm.
  3. ARIBBE.Timekey (PP, msk, ID, T). This algorithm generates a time update key, and the PKGC broadcasts it periodically.
  4. ARIBBE.encrypt (PP, M, ID). This algorithm takes a message M to be broadcasted, public parameter PP, and a set of identities S = {ID1, …, IDl} as input. It produces a ciphertext C as output and the sender of data executes this algorithm.
  5. ARRIBE.revoke (PP, RL, C). The service provider executes this algorithm. Upon taking the public parameter PP, a ciphertext C, and a revocation identity set RL = {ID1, …, IDt} as inputs, a new revocation list is produced.
  6. ARIBBE.decrypt (PP, C, DSKID). Upon taking the public parameter PP, a ciphertext , and the corresponding decryption key DSKID as inputs, it generates the original message M only if ID ∈ S and ID ≠ RL. The receiver of the data runs this algorithm.

4.1 Proposed construction

The proposed scheme is ensemble of one deterministic algorithm ARIBBE.decrypt, and four randomized algorithm (ARIBBE.setup, ARIBBE.Genkey, ARIBBE.Timekey, ARIBBE.encrypt).

  1. ARIBBE.setup (1λ, m)
    1. (a). Randomly select .
    2. (b). Given , where .
    3. (c). Set message space .
    4. (d). Select a k-bit prime number q > 3.
    5. (e). Randomly select an element s from .
    6. (f). Now, set .
    7. (g). Define the following hash functions:
    8. (h). Public parameters are: (1)
  2. ARIBBE.Genkey
    1. (a). Evaluate .
  3. ARIBBE.Timekey (PP, msk, ID, T)
    1. (a). The private key generation center, to generate time keys, evaluate the following:
  4. ARIBBE.encrypt (PP, M, ID)
    1. (a). Given public parameter PP, a plaintext M and a set of identities S = {ID1, …, IDl}, select a dummy recipient ID0 ∈ S.
    2. (b). Select and .
    3. (c). Compute, (2) (3) (4) (5)
    4. (d). For i = [0, n] evaluate, and construct the polynomial function as,
  5. ARIBBE.revoke (PP, RL, C)
    1. (a). If RL = ∅ then set C* = C
    2. (b). Compute , where .
    3. (c). For all IDi ∈ RL compute,
    4. (d). For i = 1, 2, ⋯, t, evaluate and set, (6)
  6. ARIBBE.decrypt (PP, C, DSKID)
    Given and , the algorithm recovers original message in following computational steps: if g(xi) = 0 abort the process, otherwise, compute further, (7) (8) (9) then using decryption key dSKID, retrieve the session keys , and recovers the original message as . When the identity IDi ∈ S and IDi ∉ RL then and holds.

4.1.1 Correctness.

For any IDi ∈ S, After obtaining the xi with the help of decryption key, evaluate, Note that fi(xj) = 1 if i = j and fi(xj) = 0, otherwise. Now, κ1 is evaluated as,

For all IDi ∈ S and IDi ∉ RL, we have g(xi) ≠ 0, and obtains κ2 by computing

After retrieving κ1 and κ2, the message is recovered as,

5 Security model and proof overview

The formalization of selective-ID security against chosen-plaintext attack the proposed ARIBBE scheme is presented here. The data moderator or owner sends the encrypted data to the server. Therefore, apart from the essential requirement that the ciphertext preserves the message privacy as well as the receiver privacy from insiders and outsiders, the ciphertext must not reveal any information about the message and should also maintain the receiver privacy on the server. Specifically, the security requirements are as follows.

  1. No probabilistic polynomial-time (PPT) algorithm can distinguish between the message and identity set contained in ciphertext without having a valid decryption key for a valid identity ID ∈ S.
  2. No PPT algorithm can distinguish a message M contained in ciphertext C* without a valid decryption key for a valid identity ID ∈ S\R.
  3. No PPT algorithm can distinguish between a revoked identity set RL in C* without a valid decryption key in RL.

The indistinguishability of the ARIBBE cryptosystem is defined as a sequence of messages communicated between an Adversary and a Challenger described as a game shown below [39].

  • Setup. Challenger algorithm takes λ (security parameter) as an input to generate a master public key and a master secret key msk, which is then transmitted to the adversarial algorithm .
  • Phase I. adaptively issues queries to a decryption key generation oracle for any given identity. Therefore, executes the Genkey algorithm to produce decryption key DSKID.
  • Challenge. In this phase, transmits two equal length distinct messages M0 and >M1 and a challenge identity set S* = (ID1, ID2, …, IDn) with the only constraint that should not query the decryption key for any IDi ∈ S* in Phase I. randomly selects a bit β ∈ {0, 1} and produces the challenge ciphertext C* for plaintext Mβ under identity set S* and then transmits C* to . In Phase II, issues decryption key queries adaptively similar to Phase I.
  • Guess. Eventually, comes up with its guess β′ ∈ {0, 1} and if β = β′ then wins the game with invariable probability ϵ. advantage in winning the game is defined as: (10)

Definition 3. Semantic security of the proposed ARIBBE scheme achieves (τ, ϵ) IND-CPA security, if any PPT adversarial algorithm has invariable negligible advantage .

In Table 2, the proposed construction is compared with other similar broadcast encryption schemes. Here, Ano is anonymity property, RO is random oracle, |PK| denotes public key parameters, |CT| is the size of ciphertext, S denotes the receiver set, is the length of an identity bit string, TKU is the time key update, Rev is the revocability and m denotes the total number of subscribed users in the system. The scheme [40] does not use pairing for constructing the scheme. We have obtained this for comparing the anonymity and revocation property. Some schemes are anonymous but not revocable, while this scheme ensures both. Further, only proposed provides timestamp key based revocation. Our scheme is highly efficient in terms of computational cost and communication bandwidth.

thumbnail
Download:
Table 2. Comparison of various IBBE schemes.

https://doi.org/10.1371/journal.pone.0280182.t002

5.1 Security analysis

We prove the security of proposed ARIBBE scheme under the BDH problem cryptographic assumption.

Theorem 4.1 Let hash functions and be random oracles. The ARIBBE scheme in Type I pairing setting is selectively secure (IND-ID-CPA) under BDH assumption if it holds in . For maximum count n of legitimate users, it renders the equation , where qenc and denotes the adaptively asked queries.

Proof. Let there exists an adversarial algorithm that can break our proposed scheme with advantage ϵ. The algorithm can solve the BDH with advantage ϵ by executing algorithm .

Let (P, aP, bP, cP) be a random input instance of BDH selected by and its aim is to evaluate .

  1. Setup. Simulator algorithm computes Ppub = aP and generates , where and are random oracles restrained by .
    1. (a). Query I. Challenger is suppose to respond to query for identity IDi. Initially simulator has an empty tuple . It transmits value if IDi is in tuple, otherwise, selects randomly and and . If then compute , or otherwise, evaluate and append the tuple to and return .
    2. (b). Query II. Simulator has an empty tuple . It transmits value if is in tuple, otherwise, randomly selects and append the tuple to the and transmits νi to .
  2. Phase I. transmits decryption key queries to IDi, obtains the value of from list of tuple . If , aborts the process, else computes .
  3. Challenge. After completion of Phase I, transmits two equal length distinct messages M0, M1 and a challenge identity set S* = (ID1, ID2, ⋯, IDn) along with the only constraint that cannot query the decryption key for any IDi ∈ S* in Phase I. randomly selects a bit β ∈ {0, 1} and function as follows.
    1. (a). Select a dummy identity ID0 ∉ S* and , for i = [0, n].
    2. (b). Select and
    3. (c). Compute,
    4. (d). For i = [0, n] obtain the value of and evaluate
  4. Phase II. produces decryption key queries adaptively with the constraint that it cannot query the decryption key for identity IDi, where IDi ∈ S*. responds as in Phase I.
  5. Guess. Eventually, acknowledges with the guess β ∈ {0, 1}.

Let . In the proposed construction, . The output of is not known before someone querying the value of , since, κ is encrypted with a random value independent of . Thus, acts as a one-time pad. As per the assumption considered, the adversarial algorithm must query on . Now, comes up with the solution that is in . Therefore, from the above analysis, we define the following probabilities:

  1. The probability that does not abort in private key query is .
  2. The probability that at least one of the hash value of challenge identity contains BDH is ω.
  3. The probability that an adversary selects identity, when is .
  4. The probability of choosing the correct solution of the cryptographic assumption from is greater than or equal to .

Therefore, (11) this can also be written as, (12)

6 Conclusion

In this paper, a new technique called ARIBBE cryptosystem based on a public key framework using Type-I bi-linear map was proposed. The privacy of user’s content identity is one of the primary concerns in data sharing. Hence, this paper first proposed a privacy-preserving (anonymous) revocable ID-based broadcast cryptosystem with timestamp option that facilitates broadcasters to transmit encrypted data to legitimate group participants so that revoked users will not learn anything if they all collide with each other. The proposed construction also provides an access control method in online social networks that offers one-to-one and one-to-many encrypted communication. The scheme also offers a data access control method that permits a third party to revoke any recipient identity without learning the data contents and legitimate user identities. The result indicate that the proposed scheme is extremely efficient in terms of computational cost and communication bandwidth as well as secure under CPA attack, with the ciphertext size being independent of the number of receiver identities. The proposed cryptosystem could be deployed in OSN services for distributing information to provide data access control. Security proofs show that proposed security requirements are met. However, construction of a scheme with the same parameters but without pairing is left as an open problem.

References

  1. 1. Kumari K, Singh JP, Dwivedi YK, Rana NP. Towards Cyberbullying-free social media in smart cities: a unified multi-modal approach. Soft Computing. 2020;24(15):11059–11070.
  2. 2. Rosler, Paul, Christian Mainka JS. On the End-to-End Security of Group Chats in Instant Messaging Protocols. Proceedings of 3rd IEEE European Symposium on Security and Privacy (EuroS&P 2018). 2018.
    • 3. Fiat A, Naor M. Broadcast encryption. In: Annual International Cryptology Conference. Springer; 1993. p. 480–491.
      • 4. Barth A, Boneh D, Waters B. Privacy in Encrypted Content Distribution Using Private Broadcast Encryption. In: Di Crescenzo G, Rubin A, editors. Financial Cryptography and Data Security. Berlin, Heidelberg: Springer Berlin Heidelberg; 2006. p. 52–64.
        • 5. Delerablée C. Identity-based Broadcast Encryption with Constant Size Ciphertexts and Private Keys. In: Proceedings of the Advances in Crypotology 13th International Conference on Theory and Application of Cryptology and Information Security. ASIACRYPT’07. Berlin, Heidelberg: Springer-Verlag; 2007. p. 200–215. Available from: http://dl.acm.org/citation.cfm?id=1781454.1781471.
          • 6. Al-Qerem A, Alauthman M, Almomani A, Gupta BB. IoT transaction processing through cooperative concurrency control on fog–cloud computing environment. Soft Computing. 2020;24(8):5695–5711.
          • 7. Tewari A, Gupta BB. Secure timestamp-based mutual authentication protocol for iot devices using rfid tags. International Journal on Semantic Web and Information Systems (IJSWIS). 2020;16(3):20–34.
          • 8. Fan Q, Chen J, Deborah LJ, Luo M. A secure and efficient authentication and data sharing scheme for Internet of Things based on blockchain. Journal of Systems Architecture. 2021;117:102112.
          • 9. Gupta BB, Li KC, Leung VC, Psannis KE, Yamaguchi S, et al. Blockchain-assisted secure fine-grained searchable encryption for a cloud-based healthcare cyber-physical system. IEEE/CAA Journal of Automatica Sinica. 2021;8(12):1877–1890.
          • 10. Kaur M, Singh D, Kumar V, Gupta BB, Abd El-Latif AA. Secure and energy efficient-based E-health care framework for green internet of things. IEEE Transactions on Green Communications and Networking. 2021;5(3):1223–1231.
          • 11. Sharma Y, Bhargava R, Tadikonda BV. Named Entity Recognition for Code Mixed Social Media Sentences. International Journal of Software Science and Computational Intelligence (IJSSCI). 2021;13(2):23–36.
          • 12. Chen TY, Chen YM, Tsai MC. A status property classifier of social media user’s personality for customer-oriented intelligent marketing systems: intelligent-based marketing activities. International Journal on Semantic Web and Information Systems (IJSWIS). 2020;16(1):25–46.
          • 13. Yen S, Moh M, Moh TS. Detecting compromised social network accounts using deep learning for behavior and text analyses. International Journal of Cloud Applications and Computing (IJCAC). 2021;11(2):97–109.
          • 14. Sahoo SR, Gupta BB. Multiple features based approach for automatic fake news detection on social networks using deep learning. Applied Soft Computing. 2021;100:106983.
          • 15. Bouarara HA. Recurrent neural network (RNN) to analyse mental behaviour in social media. International Journal of Software Science and Computational Intelligence (IJSSCI). 2021;13(3):1–11.
          • 16. Noor S, Guo Y, Shah SHH, Nawaz MS, Butt AS. Research synthesis and thematic analysis of twitter through bibliometric analysis. International Journal on Semantic Web and Information Systems (IJSWIS). 2020;16(3):88–109.
          • 17. Vijayakumar P, Azees M, Deborah LJ. CPAV: Computationally efficient privacy preserving anonymous authentication scheme for vehicular ad hoc networks. In: 2015 IEEE 2nd international conference on cyber security and cloud computing. IEEE; 2015. p. 62–67.
            • 18. Vijayakumar P, Chang V, Deborah LJ, Balusamy B, Shynu P. Computationally efficient privacy preserving anonymous mutual and batch authentication schemes for vehicular ad hoc networks. Future generation computer systems. 2018;78:943–955.
            • 19. Vijayakumar P, Azees M, Chang V, Deborah J, Balusamy B. Computationally efficient privacy preserving authentication and key distribution techniques for vehicular ad hoc networks. cluster computing. 2017;20(3):2439–2450.
            • 20. Mahendran D, Luo C, Mcinnes BT. Privacy-Preservation in the Context of Natural Language Processing. IEEE Access. 2021;9:147600–147612.
            • 21. He K, Weng J, Liu JN, Liu JK, Liu W, Deng RH. Anonymous identity-based broadcast encryption with chosen-ciphertext security. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security; 2016. p. 247–255.
              • 22. Rabaninejad R, Ameri MH, Delavar M, Mohajeri J. An attribute-based anonymous broadcast encryption scheme with adaptive security in the standard model. Scientia Iranica. 2019;26(3 D):1700–1713.
              • 23. Xu P, Li J, Wang W, Jin H. Anonymous identity-based broadcast encryption with constant decryption complexity and strong security. ASIA CCS 2016—Proceedings of the 11th ACM Asia Conference on Computer and Communications Security. 2016; p. 223–233.
                • 24. Fenghe W, Xuan W, Chunxiao W. Lattice-Based Dynamical and Anonymous Broadcast Encryption Scheme. Proceedings—2015 10th International Conference on P2P, Parallel, Grid, Cloud and Internet Computing, 3PGCIC 2015. 2015; p. 853–858.
                  • 25. Azees M, Vijayakumar P, Deboarh LJ. EAAP: Efficient anonymous authentication with conditional privacy-preserving scheme for vehicular ad hoc networks. IEEE Transactions on Intelligent Transportation Systems. 2017;18(9):2467–2476.
                  • 26. Vijayakumar P, Ganesh SM, Deborah LJ, Islam SH, Hassan MM, Alelaiwi A, et al. MGPV: A novel and efficient scheme for secure data sharing among mobile users in the public cloud. Future Generation Computer Systems. 2019;95:560–569.
                  • 27. Chenthara S, Ahmed K, Wang H, Whittaker F. Security and privacy-preserving challenges of e-health solutions in cloud computing. IEEE access. 2019;7:74361–74382.
                  • 28. Fan CI, Huang LY, Ho PH. Anonymous multireceiver identity-based encryption. IEEE Transactions on Computers. 2010;59(9):1239–1249.
                  • 29. Fazio N, Perera IM. Outsider-anonymous broadcast encryption with sublinear ciphertexts. In: International Workshop on Public Key Cryptography. Springer; 2012. p. 225–242.
                    • 30. Libert B, Paterson KG, Quaglia EA. Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In: International Workshop on Public Key Cryptography. Springer; 2012. p. 206–224.
                      • 31. Zhang L, Wu Q, Mu Y. Anonymous identity-based broadcast encryption with adaptive security. In: International Symposium on Cyberspace Safety and Security. Springer; 2013. p. 258–271.
                        • 32. Galbraith SD, Paterson KG, Smart NP. Pairings for cryptographers. Discrete Applied Mathematics. 2008;156(16):3113–3121.
                        • 33. Moody D, Peralta R, Perlner R, Regenscheid A, Roginsky A, Chen L. Report on Pairing-based Cryptography. Journal of Research of the National Institute of Standards and Technology. 2015;120:11. pmid:26958435
                        • 34. Smart N, Vercauteren F. On computable isomorphisms in efficient asymmetric pairing-based systems. Discrete Applied Mathematics. 2007;155:538–547.
                        • 35. Yadav S, Tiwari N. An Efficient and Secure Data Sharing Method Using Asymmetric Pairing with Shorter Ciphertext to Enable Rapid Learning in Healthcare. Computational Intelligence and Neuroscience. 2022;2022. pmid:35463282
                        • 36. Acharya K, Dutta R. Enhanced Outsider-anonymous Broadcast Encryption with Subset Difference Revocation. IACR Cryptology ePrint Archive. 2017;2017:265.
                          • 37. Lai J, Mu Y, Guo F, Susilo W, Chen R. Fully privacy-preserving and revocable ID-based broadcast encryption for data access control in smart city. Personal and Ubiquitous Computing. 2017;21(5):855–868.
                          • 38. Boldyreva A, Goyal V, Kumart V. Identity-based encryption with efficient revocation. Proceedings of the ACM Conference on Computer and Communications Security. 2008; p. 417–426.
                            • 39. Li X, Yanli R. Efficient Anonymous Identity-Based Broadcast Encryption Without Random Oracles. Int J Digit Crime For. 2014;6(2):40–51.
                            • 40. Ge A, Wei P. Identity-based broadcast encryption with efficient revocation. In: IACR International Workshop on Public Key Cryptography. Springer; 2019. p. 405–435.
                              • 41. Gentry C, Waters B. Adaptive security in broadcast encryption systems (with short ciphertexts). In: Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer; 2009. p. 171–188.
                                • 42. Gentry C, Halevi S. Hierarchical identity based encryption with polynomially many levels. In: Theory of Cryptography Conference. Springer; 2009. p. 437–456.
                                  • 43. Sakai R, Furukawa J. Identity-Based Broadcast Encryption. IACR Cryptol ePrint Arch. 2007;2007:217.
                                    • 44. Hur J, Park C, Hwang SO. Privacy-preserving identity-based broadcast encryption. Information Fusion. 2012;13(4):296–303.
                                    • 45. Lai J, Mu Y, Guo F, Susilo W, Chen R. Anonymous identity-based broadcast encryption with revocation for file sharing. In: Australasian Conference on Information Security and Privacy. Springer; 2016. p. 223–239.
                                      • 46. Susilo W, Chen R, Guo F, Yang G, Mu Y, Chow YW. Recipient revocable identity-based broadcast encryption: How to revoke some recipients in IBBE without knowledge of the plaintext. In: Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security; 2016. p. 201–210.
                                        • 47. Maiti S, Misra S. P2B: Privacy preserving identity-based broadcast proxy reencryption. IEEE Transactions on Vehicular Technology. 2020;69(5):5610–5617.