Conditional Proxy Re-Encryption-Based Key Sharing Mechanism for Clustered Federated Learning

Abstract

The need of data owners for privacy protection has given rise to collaborative learning, and data-related issues heterogeneity faced by federated learning has further given rise to clustered federated learning; whereas the traditional privacy-preserving scheme of federated learning using homomorphic encryption alone fails to fulfill the privacy protection demands of clustered federated learning. To address these issues, this research provides an effective and safeguarded answer for sharing homomorphic encryption keys among clusters in clustered federated learning grounded in conditional representative broadcast re-encryption. This method constructs a key sharing mechanism. By combining the functions of the bilinear pairwise accumulator and specific conditional proxy broadcast re-ciphering, the mechanism can verify the integrity of homomorphic encryption keys stored on cloud servers. In addition, the solution enables key management centers to grant secure and controlled access to re-encrypted homomorphic encryption keys to third parties without disclosing the sensitive information contained therein. The scheme achieves this by implementing a sophisticated access tree-based mechanism that enables the cloud server to convert forwarded ciphertexts into completely new ciphertexts customized specifically for a given group of users. By effectively utilizing conditional restrictions, the scheme achieves fine-grained access control to protect the privacy of shared content. Finally, this paper showcases the scheme’s security against selective ciphertext attacks without relying on random prediction.

1. Introduction

Developments in computing power have been instrumental in the rapid evolution of AI across fields such as finance, healthcare, computer vision, and autonomous driving [1]. At the heart of AI’s progress are increasingly sophisticated machine learning algorithms, drawing keen interest from the research community [2]. The efficacy of these algorithms is deeply dependent on access to large volumes of high-quality data. However, the richness of such data often entails privacy-sensitive information, making data owners cautious about sharing it. This caution leads to the formation of data silos, which not only diminish the quality of accessible data, but more critically, limit the availability of comprehensive datasets necessary for advancing machine learning research. Such restrictions pose significant barriers to innovation in machine learning, thereby directly affecting the pace and scope of advancements in AI [3,4].

To address the issue of data isolation, McMahan et al. suggested federated learning [5]. In federated learning, users perform model computation locally using their own datasets, and a server aggregates the individual local models, thereby updating the global model. Federated learning allows for model training without the exchange of data between users, thus significantly preserving data privacy [5].

However, federated learning requires the exchange of intermediate parameters between the client and the server for collaborative training, and in the process of data exchange, the raw data carried by the intermediate parameters may be exposed to all the training participants, which leads to privacy leakage [6,7,8]. To solve this problem, homomorphic encryption is widely used to encrypt the data exchange process between the client and the server [9,10]. Homomorphic encryption provides a cryptographic solution that enables the client to encrypt the intermediate parameter and send it to the server, which is able to complete the aggregation operation on the encrypted data without obtaining the plaintext information of the data [11,12]. The client receives the result of the encryption operation and decrypts it, which is the same as the result of the aggregation operation on the plaintext [13,14,15].

In addition to data privacy issues, data heterogeneity is also an important challenge facing federated learning today. In federated learning, data heterogeneity refers to the differences in distribution, characteristics, and size of data among different participants [16]. These differences may impact the effectiveness of federated learning and the model’s effectiveness. To tackle this issue, Ghosh et al. introduced the idea of clustered federated learning [17]. Clustering federated learning divides the participants’ data into different clusters by introducing clustering techniques using clustering algorithms (e.g., K-mean clustering or hierarchical clustering) [18]. Within each cluster, the participants share their data for model training, similar to traditional federated learning. After each cluster has trained its own local model, the model parameters can be selectively aggregated together to form a global model [19].

However, cluster federated learning brings new challenges to privacy protection based on homomorphic encryption. It requires that knowledge not be shared between clusters, and in traditional privacy-preserving schemes for federated learning systems using homomorphic encryption, all participants share the same encrypting public key and decrypting key, which results in the data of a participant in one cluster being potentially exposed to participants in other clusters. Therefore, different encryption and decryption keys are required between each cluster.

To this end, we propose a conditional proxy broadcast re-encryption method for distributing and managing homomorphic encryption keys for each cluster in clustered federated learning. By using proxy broadcast re-encryption, keys for homomorphic encryption produced by the Key Management Center (KMC) can be efficiently forwarded to participants in a cluster, while proxies and other cluster members cannot access useful data. This scheme also introduces the concept of access trees to achieve precise management of re-encryption authorization. In addition, we analyze the security and privacy protection of the solution in detail.

Moreover, homomorphic encryption keys may be compromised either intentionally or unintentionally due to non-fully trusted proxy servers [20,21,22,23]. Periodic integrity checks can verify key ownership and detect any unauthorized modifications [24]. This scheme uses a bilinear pair accumulator following a deterministic verification method to experiment with the integrity verification functionality. Unlike sampling detection, the verifier checks all the data blocks in the dataset, thus preventing any unauthorized operations from occurring.Through detailed security analysis, the program was proven to exhibit a high level of security against attacks.

In summary, this paper provides an efficient and secure solution for sharing homomorphic encryption keys among clusters in clustered federated learning. The particular contributions can be outlined as follows:

• In this paper, a key distribution and management scheme is proposed based on proxy re-encryption to ensure the privacy of homomorphic encryption key storage and sharing in cluster federated learning. The scheme employs a fine-grained strategy and provides a framework model and a security model.
• This paper uses a bilinear pair accumulator to implement integrity verification of homomorphic encryption keys and evaluates the effectiveness of the proposed scheme.

2. Related Work

2.1. Proxy Re-Encryption

In Eu-rocrypt98 [25], Blaze and his team proposed Proxy Re-Encryption (PRE). This scheme enables the agent to switch ciphertexts between Alice and Bob. The PRE scheme enables proxies to perform double encryption on users’ ciphertext, allowing Bob to directly decrypt the re-encrypted ciphertext while preventing the proxy from accessing any valuable information. However, the original PRE scheme lacked proper control over conversion permissions, as proxies could convert encrypted files without Alice’s consent.

Weng et al. put forward conditional proxy re-encryption (C-PRE) [26], where the proxy possesses the capability to solely re-encrypt the ciphertext after satisfying the criteria specified by Alice. However, this scheme consumes amounts of time and storage resources [27]. Chu et al. proposed a solution called Conditional Proxy Broadcast Re-encryption (CPBRE) to address this problem [28], which only once requires the re-encryption of the ciphertext.

Currently, proxy re-encryption techniques have undergone significant advancements [29,30,31]. These advancements have enabled the widespread application of proxy re-encryption in various systems, including cloud data sharing, distributed file systems, and network backups [32,33]. Despite these developments, previous approaches lacked free control over the proxy’s conversion conditions. In this system, the proposed proxy broadcast re-encryption scheme supports a variable number of conditions, allows for arbitrary combinations of conditions, and facilitates partial condition matching.

In this situation, the ciphertext undergoes encryption using a collection of keywords, W, while the access tree $\mathcal{T}$ generates a re-encryption key. The agent converts transforming Alice’s cryptographic text for a squad of users solely if the set of keywords W fulfills the requirements specified by the access tree $\mathcal{T}$.

2.2. Cryptographic Accumulator

The notion of an accumulator was initially introduced by Benaloh et al. [34]. If for all $x\in X$ and all $y_1,y_2\in Y$, the one-way hash function l:$X\times Y\to X$ satisfies the quasi-exchange property:

$$l\left(l\left(x,y_1\right),y_2\right)=l\left(l\left(x,y_2\right),y_1\right).$$

(1)

The accumulator can accumulate all the elements in the finite set $X=\{x_1,...,x_n\}$ into a compact value $ac{c}_X$, while the compact value is independent of the order of $x_i$. Randomly select $d\in D$ as the foundation, and the accumulator is described as:

$$ac{c}_X=l\left(l\left(\dots l\left(l\left(l\left(d,x_1\right),x_2\right),x_3\right),\dots \right),x_{k-1}\right),x_k).$$

(2)

By computing the witness $wi{t}_{x_i}$ for every element $x_i\in X$, one can verify $l(wi{t}_{x_i},x_i)=ac{c}_X$ and demonstrate the membership of $x_i$ in $ac{c}_X$. The witness in a dynamic accumulator can be updated by the user. The process involves calculating the witness $wi{t}_{x_i}$ for each element and verifying $l(wi{t}_{x_i},x_i)=ac{c}_X$ to prove $x_i^{\prime }s$ membership in $ac{c}_X$. Apart from offering member witnesses, the universal accumulator is also capable of providing non-member witnesses for $y\notin X$.

In the current research, many scholars have proposed many accumulator schemes with different characteristics based on different number theory hypotheses. For instance, hash-based accumulators are favored for their simplicity and efficient data processing capabilities, although they may not support complex dynamic data update operations. In contrast, RSA-based accumulators leverage the difficulty of large integer factorization problems to provide robust security for data, making them particularly suitable for security-sensitive applications, but this strong security often comes at the cost of computational efficiency. On the other hand, elliptic curve accumulators optimize data representation and computation processes, maintaining high security standards while improving processing speed, thus making them suitable for situations that demand high performance and security.

Initially, an accumulator is used to build a timestamp for recording a specific point in time for an event. With the continuous development of the accumulator scheme, its use has become more and more extensive, such as reliable certificate management, distributed signature, anonymous credentials, and digital cryptocurrency [35,36,37,38,39,40]. Subsequently, Barić enhanced the initial accumulator scheme and incorporated relevant security concepts [41]. Based on this solution, Camenisch added a dynamic add/delete value operation to build the first dynamic accumulator scheme [42]. Nguyen constructed the first dynamic accumulator scheme based on bilinear pairing, which uses the t-SDH assumption for security proof and allows for multiple values to be accumulated from a domain $Z_p$ [43]. Based on this scheme, Damgård et al. added general-purpose features to the bilinear pair accumulator [44].

3. Preliminaries

3.1. Bilinear Mapping

Consider two cyclic groups with multiplication operations, D and $D_T$, having identical prime orders g. The group D is generated by the element d. We have a bilinear map $v:D\times D\to D_T$ that fulfills the prerequisites below:

• $v\left(d_1^a,d_2^b\right)=v{\left(d_1,d_2\right)}^{ab}$ for all $a,b\stackrel{R}{⟵}{Z}_p^{\ast }$ and $d_1,d_2\in D$.
• $v\left(d,d\right)\ne 1$.

3.2. The N-BDHE Presupposition

Let us denote the set {$0,1,\dots ,g-1$} as $Z_p$ and the set {$1,2,\dots ,g-1$} as $Z_p^{\ast }$. We consider a prime number g. Now, we have a bilinear map $v:D\times D\to D_T$. We are given $2k+2$ elements:

$$\left(l,d,d^{\alpha },d^{{\alpha }^2},\dots ,d^{{\alpha }^k},d^{{\alpha }^{k+2}},\dots ,d^{{\alpha }^{2k}},T\right)\in D^{2k+1}\times D_T.$$

(3)

Use $d_i$ to indicate $d^{{\alpha }^i}$. The advantage of an adversary H is as follows:

$$Ad{v}_{D,H}^{n-BDHE}\left|\begin{array}{c}\mathsf{Pr}\left[H(l,d,d_1,\dots ,d_k,\dots ,d_{k+2},d_{2k},v(d_{k+1},l))\right]=1\\ -\mathsf{Pr}\left[H(l,d,d_1,\dots ,d_k,d_{k+2},\dots ,d_{2k},T)\right]=1\end{array}\right|,$$

(4)

where $d,l\in D$, $\alpha \in Z_p^{\ast }$, and $T\in D_T$ are chosen stochastically.

3.3. The Q-SDH Presupposition

Let g be a prime number with a bit length of $\kappa$, and d be a generator of D, $\alpha {\in }_R{Z}_p^{\ast }$. For all PPT opponents H:

$$\mathsf{Pr}\left[\left(c,d^{\frac{1}{\alpha +c}}\right)\leftarrow H\left(d,d^{\alpha },\dots \dots ,d^{{\alpha }^q}\right)\right]\le ϵ\left(\kappa \right),$$

(5)

for $\exists c\in Z_p\setminus \{-\alpha \}$.

3.4. Tag Index Table

The simplified tag retrieval table is derived from the mapping version table [45]. Data owners create distinct tags for individual data blocks and store them in the verifier to facilitate dynamic data operations. The tag index table comprises two components: data block indices and corresponding tag values. The data block index is used to locate the location of the data block quickly. Tag values are used to prevent conflicts between data blocks. The verifier verifies the legitimacy of the cloud storage provider’s certificate by locating the challenge data block. The data owner quickly performs data update, insert, and delete operations through the tag index block.

4. Scheme

4.1. Overview

The framework of a homomorphic encryption key sharing mechanism for clustered federated learning is shown in Figure 1. The roles in the mechanism are key management center (KMC), cloud agent, witness, and target cluster $S^{\prime }$. Among them, the KMC generates homomorphic encryption keys for each cluster and acts as an authorizer in the proxy re-encryption process for homomorphic encryption keys, while the target cluster $S^{\prime }$ is an authorized party; the cloud proxy also acts as an aggregation server. The solid arrows in the figure indicate the data movement within the key sharing process; the dashed arrows indicate the data movement within the key integrity verification process.

KMC saves data label $B=\{b_1,b_2,b_3,\dots \}$. When the data stored in the cloud (i.e., the ciphertext C of the homomorphic encryption key pair $<ek,sk>$ of the target cluster $S^{\prime }$) needs to be confirmed whether it has been corrupted or not, the KMC first hands over the data label B and the auxiliary threshold aux to the agent. It then uses a bilinear pair accumulator to compute the accumulated value of the data tag $ac{c}_B$, generates the tag index table $TIT$, and passes it to the verifier Witness Next which generates a random index j and hands it to the provider. After obtaining the index j, the provider removes $b_j$ from the tags, applies the accumulator to calculate the witness $wi{t}_{bj}$ for the remaining tags, and then hands over $wi{t}_{bj}$ and $b_j$ to the witness. Finally, the witness performs integrity verification using the received data and transmits the verification outcome to the data owner KMC.

When the KMC intends to grant access to its cloud storage data to a third party, it must generate the transformation key $r{k}_{i\to S^{\prime },\mathcal{T}}$ corresponding to the conditional access tree $\mathcal{T}$ and provide it to the agent. Once the agent receives the request from the KMC, it proceeds to verify that all participants individually satisfy the forwarding requirements specified in the access tree $\mathcal{T}$ and finds the cluster $S^{\prime }$ constituted by all participants that satisfy the conditions. Upon successful validation, the agent re-encrypts the data that resides on the server using the re-encryption key. Subsequently, the agent forwards the generated re-encrypted ciphertext exclusively to the participants in the target cluster $S^{\prime }$ that satisfy the conditions specified by the KMC, and then the participants in $S^{\prime }$ can decrypt the ciphertext with their individual private keys and acquire $<ek,sk>$. Meanwhile, the agent cannot obtain any KMC content in this process.

4.2. Re-Encryption Construction

This section will elaborate on the architecture of this system.

Let us define the Lagrange coefficient ${\Delta }_{\beta ,F\left(x\right)}$ which would be used in Equation (19) to generate the components of the re-encrypted ciphertext, denoted as $\beta \in Z_p$, for a given set P consisting of elements in $Z_p$. The Lagrange coefficient is shown below in Equation (6):

$${\Delta }_{\beta ,F}\left(x\right)=\prod _{i\in P,i\ne \beta }\frac{x-i}{\beta -i}.$$

(6)

The scheme includes the following algorithms:

• $Setup(\lambda ,k)$: Let us generate a set of instructions for constructing a bilinear map parameter $(g,d,D,D_T,v)$ and message $\mathsf{\Psi }={\left\{0,1\right\}}^n$. Start by stochastically selecting $\alpha$ and $\varpi$ from $Z_p$ and Z from D. Assign $d_i=d^{{\alpha }^i}$ for $i=1,2,\dots ,k,k+2,\dots ,2k$. Introduce $L_{\alpha }:Z_p^{\ast }\to D$ and $L_{\omega }:{\left\{0,1\right\}}^n\to Z_p^{\ast }$ as collision-resistant hash functions. Calculate $e=d^{\gamma }$. The output will be the public key $PK$ and the main secret key $\phi sk$, defined as $PK=\left(d,d_1,\dots ,d_k,d_{k+2},d_{2k},e,Z,L_{\alpha },L_{\omega }\right)$, $\phi sk=\varpi$.
• $KeyGen(PK,\phi sk,i)$: The private key of user i is $s{k}_i=d_i^{\varpi }$.
• $Encrypt\left(PK,S,\phi ,W\right)$: To securely encrypt information $\phi \in \mathsf{\Psi }$ for a user-set $S\subseteq \left\{1,2,\dots ,k\right\}$ based on the prerequisite set W, the encrypt function is employed. First, a random selection of $\mu \in D_T$ and $t\in Z_p^{\ast }$ is made. The initial ciphertext consists of six components from Equation (7) to Equation (10), including $C_1,C_2,C_3,C_4,C_5,S$. These components include not only the encrypted information but also the part used to construct the re-cipher key Equation (15). The resulting ciphertext is denoted as $C=\left(svk,C_1,C_2,C_3,C_4,C_5,S\right)$.

  $$C_1=\mu ·v{\left(d_1,d_k\right)}^t,C_2=d^t,C_3={\left(e·\prod _{j\in S}{d}_{k+1-j}\right)}^t,$$

  (7)

  $$C_4={\left(L_{\alpha \left(\beta \right)}\right)}^t,$$

  (8)

  $$C_5=[PRF{\left(\mu ,C_2\right)}^{K-n}\left|\right|\left({\left[PRF\left(\mu ,C_2\right)\right]}_n\oplus \phi \right),$$

  (9)

  $$\mathcal{G}\left(\lambda \right)\to \left(svk,ssk\right),S=\mathcal{S}\left(ssk,\left(C_2,C_4,C_5\right)\right).$$

  (10)
• $RKGen(PK,s{k}_i,S^{\prime },\mathcal{T})$: The following definitions are made: q represents the polynomial, x is a non-leaf node, $\mathcal{T}$ is the tree, r is the root node, and $q_r\left(0\right)$ expresses the degree of the root of the tree. Given the inputs $s{k}_i=d_i^{\varpi }$, $S^{\prime }\in \{1,2,\dots ,k\}$, and $\mathcal{T}$, we proceed with the following steps. Firstly, we stochastically select $\mu \in {\left\{0,1\right\}}^n$ and a $q_x$ for each x in the $\mathcal{T}$. The process begins at the r and $RKG\left(\mathcal{T},L_{\omega }\left(\mu \right)\right)$ is used to opt for the polynomials in a top-down manner. $RKG\left(\mathcal{T},L_{\omega }\left(\mu \right)\right)$ is described as follows: for each node x, the $q_x$ is set with a degree of $f_x=n_x-1$. The $q_r\left(0\right)$ is set to $L_{\omega }\left(\mu \right)$. For other x, we set $q_x\left(0\right)$ to $q_g\left(x\right)$, and then stochastically opt for the remaining coefficients to completely define the polynomial $q_x$. We set $\beta =keyword\left(x\right)$ for each x. Now, let us calculate the re-encryption key $r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }}=\left(\mathcal{T},A_x,B_x,r{k}_1,r{k}_2,r{k}_3,r{k}_4,S^{\prime }\right)$ in Equation (15) for the agent:
  Choose a random value $r_x\stackrel{R}{⟵}{Z}_p^{\ast }$ and calculate it: $A_x=s{k}_i·Z^{q_x\left(0\right)}·L_{\alpha }{\left(\beta \right)}^{r_x};B_x=d^{r_x}$.
  Selects stochastic value $t^{\prime }\in Z_p^{\ast },r^{\prime }\in D_T,R\in {\left\{0,1\right\}}^n$ and sets:

  $$r{k}_1=r^{\prime }·v{\left(d_1,d_n\right)}^{t^{\prime }},r{k}_2=d^{t^{\prime }},$$

  (11)

  $$r{k}_3={\left(e·\prod _{j\in S^{\prime }}{d}_{k+1-j}\right)}^{t^{\prime }},$$

  (12)

  $$r{k}_4=[PRF{\left({\mu }^{\prime },r{k}_2\right)}^{K-n}\left|\right|\left({\left[PRF\left({\mu }^{\prime },r{k}_2\right)\right]}_n\oplus R\right),$$

  (13)

  $$\mathcal{G}\left(\lambda \right)\to \left(sv{k}^{\prime },ss{k}^{\prime }\right),S^{\prime }=\mathcal{S}{\left(ss{k}^{\prime },\left(r{k}_2,r{k}_4\right)\right)}^{t^{\prime }}.$$

  (14)
  Output the re-cipher key which is used to encrypt the ciphtext C into the cryptographic text $C_R$ Equation (21) that can be decrypted by others’ private keys in the group:

  $$r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }}=\left(\mathcal{T},A_x,d^{r_x},r^{\prime }·v{\left(d_1,d_n\right)}^{t^{\prime }},d^{t^{\prime }},{\left(e·\prod _{j\in S^{\prime }}{d}_{k+1-j}\right)}^{t^{\prime }},r{k}_4,S^{\prime }\right).$$

  (15)
• $ReEnc(PK,r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }},i,S,S^{\prime },C)$: Enter a $r{k}_{i\to ,S^{\prime },W^{\prime }}$ and a C. Verify if the equations below hold:

  $$v\left(C_2,e·\prod _{j\in S}{d}_{k+1-j}\right)\stackrel{?}{=}v\left(d,C_3\right),$$

  (16)

  $$\mathcal{V}\left(svk,S,\left(C_2,C_4,C_5\right)\right)\stackrel{?}{=}1,$$

  (17)

  $$v\left(C_2,L_{\alpha }\left(\mathcal{T}\right)\right)\stackrel{?}{=}v\left(d,C_4\right).$$

  (18)
  Equations (16)–(18) are used to verify the integrity of ciphertext C.
  In the event that any of the aforementioned equations fail to hold, the output will be ⊥. Conversely, a recursive algorithm named $NodeReEnc(C,r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }},x)$ is introduced to process the initial C, the $r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }}$, and the note x within the tree.
  • When it comes to leaf x, if $\beta \in W$, let $\beta =keyword\left(X\right)$, then
    $NodeReEnc\left(C,r{k}_{i\to S^{\prime },{\mathcal{T}}^{\prime }},x\right)=\frac{v\left(C_2,A_x\right)}{v\left(B_x,C_4\right)}=\frac{v\left(d^t,s{k}_i · Z^{q_x\left(0\right)} · L_{\alpha }{\left(\beta \right)}^{r_x}\right)}{v\left(d^{r_{\beta }},L_{\alpha }{\left(\beta \right)}^t\right)}$
    $=v\left(s{k}_i,d^t\right)·v{\left(Z,d\right)}^{t·q_x\left(0\right)}$. Otherwise, output ⊥.
  • In the case where x represents a non-leaf node, the recursive procedure
    $NodeReEnc(C,r{k}_{i\to j,{\mathcal{T}}^{\prime }},z)$ is called by all descendent nodes z of ancestor nodes x, and the resulting outcome is stored as ${\mathcal{T}}_z$. Let $F_x$ denote a random selection of children nodes z with a size of $k_x$, ensuring that ${\mathcal{T}}_z\ne \perp$. If the condition is not satisfied, $NodeReEnc$ returns the value ⊥. However, if a satisfactory set $F_x^{\prime }=\left\{index\left(z\right):z\in S\right\}$ can be formed, then the following computation is carried out using the Lagrange coefficient generated in Equation (6) and the result of $NodeReEnc(C,r{k}_{i\to j,{\mathcal{T}}^{\prime }},z)$:

    $$\begin{array}{cc}\hfill T_x& =\prod _{z\in F_x,i=index\left(z\right)}{\left(T_z\right)}^{{\Delta }_{i,F_x^{\prime }\left(0\right)}}\hfill \\ \hfill & =\prod _{z\in F_x,i=index\left(z\right)}{\left(v\left(s{k}_i,d^t\right)·v{\left(Z,d\right)}^{t·q_x\left(0\right)}\right)}^{{\Delta }_{i,F_x^{\prime }}\left(0\right)}\hfill \\ \hfill & =v\left(s{k}_i,d^t\right)·\prod _{z\in F_x,i=index\left(z\right)}{\left(v{\left(Z,d\right)}^{t·q_{g\left(z\right)}index\left(z\right)}\right)}^{{\Delta }_{i,F_x^{\prime }}\left(0\right)}\hfill \\ \hfill & =v\left(s{k}_i,d^t\right)·\prod _{z\in F_x,i=index\left(z\right)}{\left(v{\left(Z,d\right)}^{t·q_x\left(i\right)}\right)}^{{\Delta }_{i,F_x^{\prime }}\left(0\right)}\hfill \\ \hfill & =v\left(s{k}_i,d^t\right)·v{\left(Z,d\right)}^{s{q}_x\left(0\right)}.\hfill \end{array}$$

    (19)
    In the end, using Equation (19) to calculate $\widetilde{C_1}$:

    $$\widetilde{C_1}=C_1·\frac{v\left(T_r·{\prod }_{j\in S,j\ne i}{d}_{k+1-j+i},C_2\right)}{v\left(d_i,C_3\right)}.$$

    (20)
    The ciphertext C is re-encrypted into re-cipher $C_R$:

    $$C_R=\left(svk,\widetilde{C_1},C_2,C_4,C_5,S,r^{\prime }·v{\left(d_1,d_n\right)}^{t^{\prime }},d^{t^{\prime }},{\left(e·\prod _{j\in S^{\prime }}{d}_{k+1-j}\right)}^{t^{\prime }},r{k}_4,S^{\prime }\right).$$

    (21)
  The original ciphertext C can be decrypted by user i’s private $s{k}_i$ and the re-cipher $C_R$ can be decrypted by user j’s private key $s{k}_j$. If the result of $DecryptO$ and $DecryptR$ is equal, then the re-encryption succeed.
• $DecryptO(PK,s{k}_i,i,S,C)$: Enter a $s{k}_i$ and a $C=(C_1,C_2,C_3,C_4,C_5,S)$ with the following program:
  • Verifies the validity of Equation (16) to Equation (18). If any of these equations fail to hold, then the output will be ⊥, indicating the termination of the process.
  • Calculates $\mu =C_1·v\left(s{k}_i,{\prod }_{j\in S,j\ne i}{d}_{k+1-j+i},C_2\right)/v\left(d_i,C_3\right)$. If $PRF{\left[\mu ,C_2\right]}^{K-n}={\left[C_5\right]}^{K-n}$ hold, returns $\phi =PRF{\left[\mu ,C_2\right]}_n\oplus {\left[C_5\right]}_n$.
• $DecryptR(PK,s{k}_j,i,j,S,S^{\prime },C_R)$: Enter a $s{k}_j$ and a $C_R$ with the following program:
  • Checks the equations:

    $$v\left(r{k}_2,g·\prod _{j\in s}{d}_{k+1-j}\right)\stackrel{?}{=}v\left(d,r{k}_3\right)$$

    (22)

    $$\mathcal{V}\left(sv{k}^{\prime },S^{\prime },\left(r{k}_2,r{k}_4\right)\right)\stackrel{?}{=}1$$

    (23)
    Equations (22) and (23) are used to verify the integrity of re-cipher $C_R$. Success goes to the next step while failure returns ⊥.
  • Calculate ${\mu }^{\prime }=r{k}_1·v\left(s{k}_j·{\prod }_{a\in S^{\prime },a\ne j}{d}_{k+1-a+j},r{k}_2\right)/v\left(d_j,r{k}_3\right)$, if $PRF{\left[{\mu }^{\prime },r{k}_2\right]}^{K-n}$$={\left[r{k}_4\right]}^{K-n}$, output $R=PRF{\left[{\mu }^{\prime },r{k}_2\right]}_n\oplus {\left[r{k}_4\right]}_n$. Success goes to the next step while failure returns ⊥.
  • Calculate $\mu =\widetilde{C_1}/v\left(C_2,Z^{L_{\omega }\left(R\right)}\right)$. If $PRF{\left[\mu ,C_2\right]}^{K-n}={\left[V\right]}^{K-n}$, output $\phi =PRF{\left[\mu ,C_2\right]}_n\oplus {\left[C_5\right]}_n$. Otherwise, returns ⊥ and call off.

Consistency: For any set of common parameters pair, any message M in plaintext space, any user public-private key pair $\left(p{k}_i,s{k}_i\right)$, $\left(p{k}_j,s{k}_j\right)$, the following equation holds:

$$\mathrm{DecryptO}\left(\mathrm{par},{\mathrm{sk}}_{\mathrm{i}},\mathrm{Enc}\left(\mathrm{par},\mathrm{M},{\mathrm{pk}}_{\mathrm{i}}\right)\right)=\mathrm{M}$$

(24)

$$\mathrm{DecryptR}\left(\mathrm{par},{\mathrm{sk}}_{\mathrm{j}},\mathrm{ReEnc}\left(\mathrm{par},\mathrm{RKGen}\left(\mathrm{par},{\mathrm{sk}}_{\mathrm{i}},{\mathrm{pk}}_{\mathrm{j}}\right),C_R\right)\right)=\mathrm{M}$$

(25)

The integrity of the ciphertext has been verified in the DecryptO and DecryptR, so here only consistency checks need to be performed on the $C_1$ and $\widetilde{C_1}$ of the ciphertext C and the re-encrypted ciphertext $C_R$ Equation (21).

• If $C=\left(svk,C_1,C_2,C_3,C_4,C_5,S\right)$ represents the initial ciphertext, then the following conditions apply:

  $$\begin{array}{cc}\hfill & C_1·\frac{v\left(s{k}_i·{\prod }_{j\in S,j\ne i}{g}_{k+1-j+i},C_2\right)}{v\left(d_i,C_3\right)}\hfill \\ \hfill & =\mu ·v{\left(d_1,d_n\right)}^t·\frac{v\left(d_i^{\varpi }·{\prod }_{j\in S,j\ne i}{d}_{k+1-j+i},d^t\right)}{e{\left(d_i,d^{\varpi }·{\prod }_{j\in S}{d}_{k+1-j}\right)}^t}\hfill \\ \hfill & =\mu ·v{\left(d_1,d_n\right)}^t·\frac{e\left(d^t,{\prod }_{j\in S,j\ne i}{g}_{k+1-j+i}\right)}{e\left(d^t,{\prod }_{j\in S}{g}_{k+1-j+i}\right)}\hfill \\ \hfill & =\mu ·\frac{v{\left(d_1,d_n\right)}^t}{v\left(d^t,d_{n+1}\right)}\hfill \\ \hfill & =\mu \hfill \end{array}$$

  (26)
• If $C_R=(svk,\widetilde{C_1},C_2,C_4,S,sv{k}^{\prime },r{k}_1,r{k}_2,r{k}_3,r{k}_4,r{k}_5,S^{\prime })$ represents the re-encrypted ciphertext, then the following conditions apply:

  $$\begin{array}{cc}\hfill \widetilde{C_1}& =C_1·{\mathcal{T}}_r·\frac{v\left({\prod }_{j\in S,j\ne i}{g}_{k+1-j+i},C_2\right)}{v\left(d_i,C_3\right)}\hfill \\ \hfill & =\mu ·v{\left(d_1,d_k\right)}^t·v\left(s{k}_i,d^t\right)·v{\left(Z,d\right)}^{s{q}_x\left(0\right)}·\frac{v\left({\prod }_{j\in S,j\ne i}{d}_{k+1-j+i},d^t\right)}{v{\left(d_i,e·{\prod }_{j\in S}{g}_{k+1-j}\right)}^t}\hfill \\ \hfill & =\mu ·v{\left(d^t,Z\right)}^{L_{\omega }\left(R\right)}\hfill \end{array}$$

  (27)
  It is eventually feasible of calculating:

  $$\frac{\widetilde{C_1}}{v\left(C_2,Z^{L_{\omega }\left(R\right)}\right)}=\mu$$

  (28)

From the results of Equations (26)–(28), it can be seen that the decryption results of the corresponding parts of the ciphertext and re-encrypted ciphertext during the decryption process are the same, thus confirming consistency.

4.3. Integrity Verification Construction

$Setup$: Input a security parameter $\lambda$ and original ciphertext C, whereby the raw data owner proceeds as follows:

• Construct bilinear map tuple $t=\left(g,D_1,D_2,D_T,v,d_1,d_2\right)$ and $t^{\prime }=\left(d_2,d_2^s,\dots \dots ,d_2^{s^k}\right)$. Randomly select $s\stackrel{R}{⟵}{Z}_p^{\ast }$.
• Divide the data C into n copies, which is $C=\left\{c_1,c_2,c_3,\dots \right\}$. Then, each data block corresponds to a label ${\tau }_i$, where i is the segment index. Store each label in $TIT$ afterward.
• Add tags to the corresponding ciphertext segment $c_i$, generate a data block $B=\left\{b_1,b_2,b_3,\dots \right\}$, and calculate the accumulated value of the data block $ac{c}_B=d_1^{{\prod }_{i=1}^k\left(b_i+s\right)}$.
• Generate $aux=\left(d_2,d_2^s,\dots \dots ,d_2^{s^k}\right)$ and outsource them to the provider.
• The provider calculates $f\left(s\right)={\prod }_{b\in B\setminus b_i}\left(b+s\right)$, where s represents the unknown number and $a_i$ represents the coefficient of s. Finally, obtain $aux=\left\{d_2,d_2^s,\dots \dots ,d_2^{s^k}\right\}$.
• The witness calculates the challenge block: ${wit}_{b_j}=d_2^{a_0}\ast {\left(d_2^s\right)}^{a_1}\ast \dots \ast {\left(d_2^{s^{k-1}}\right)}^{a_{k-1}}={\prod }_{i=0}^{k-1}{\left(d_2^{s^i}\right)}^{a^i}$.
• The cloud storage provider sends $\left({wit}_{b_j},b_j\right)$ to the trusted witness.

$Verify$: The algorithms included in the verification process are as follows:

• The witness first checks $v\left({acc}_B,d_2\right)\stackrel{?}{=}v\left(d_1^{b_j}{d}_1^s,{wit}_{b_j}\right)$. In case the preceding equation fails to satisfy, an error symbol ⊥ should be outputted. If the equation holds, then proceed with the subsequent instructions.
• The witness retrieves the data segment $c_i$ and its associated indicator ${\tau }_i$ from the challenged block. Then, using $K_L$ and $c_j$, the witness calculates ${\tau }_j^{\prime }=L(c_i\left|\right|k_H)$.
• Verify ${\tau }_j^{\prime }\stackrel{?}{=}{\tau }_j$.

5. Proof of Security

5.1. Ind-Cca Security

Theorem 1. 

Assuming the Decisional n-BDHE assumption holds, and considering $L_{\alpha }$ and $L_{\omega }$ as collision-resistant hash functions, the key sharing mechanism achieves IND-CCA security in the absence of random oracles.

Lemma 1. 

Suppose there exists an opponent H capable of breaking the security of the key sharing mechanism under the IND-O-CCA notion. In such a case, one might consider constructing a simulator $\mathcal{B}$ that is capable of solving the Decisional n-BDHE assumption.

Proof. 

When presented with a Decisional n-BDHE instance $(l,d,d_1,\dots d_k,d_{k+2},\dots ,d_{2k},T),\mathcal{B}$ determines if T equals $v(d_{k+1},l)$ or if T is an arbitrary element chosen randomly from $D_T$.

$\mathcal{B}$ starts with an empty table as its initial state:

$Ke{y}^{List}$: It keeps track of the tuples $(\omega ,i,s{k}_i)$ which contain the details of the private keys.

$ReKe{y}^{List}$: Saves the data produced by $RKGen(s{k}_i,S^{\prime },W^{\prime })$ in the $({\omega }_1,i,S^{\prime },W^{\prime },r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,fla{g}_1)$ tuple where the information is stored. $fla{g}_1=1$ signifies the legitimacy of the re-encryption key, while $fla{g}_1=0$ signifies that the re-cipher key is a randomly generated value. □

Initialize. The challenger H chooses a set of users $S^{\ast }$ from $\{1,2,\dots ,k\}$ and a set of conditions $W^{\ast }={\beta }_1^{\ast },{\beta }_2^{\ast },\dots ,{\beta }_k^{\ast }$.

Setup. The simulator $\mathcal{B}$ selects a random non-zero value $\sigma$ from $Z_p^{\ast }$ and an element Z from D. It then defines the following to create users’ private keys:

$$e=d^{\sigma }·{\left(\prod _{j\in S^{\ast }}{d}_{k+1-j}\right)}^{-1}\stackrel{\Delta }{=}{d}^{\varpi }$$

(29)

H is provided with the public key $PK=(d,d_1,\dots ,d_k,d_{k+2},\dots ,d_{2k},e,Z,L_{\alpha },L_{\omega })$ and the secret key $sk=\varpi$, which are chosen by $\mathcal{B}$.

Query Phase I. $\mathcal{B}$ provides answers to the inquiries posed by H as follows:

• $Extract\left(i\right)$: After verifying that i is not an element of $S^{\ast }$, $\mathcal{B}$ proceeds to check $Ke{y}^{List}$. If the tuple $(\omega ,i,s{k}_i)$ is present in $Ke{y}^{List}$, $\mathcal{B}$ will provide H with the corresponding $s{k}_i$. However, if the tuple does not exist, then $\mathcal{B}$ will generate a biased coin $\omega$ with a probability of $\mathrm{Pr}\left[\omega =1\right]$ equal to $\delta$.

  -

  If $\omega =0$, then $\mathcal{B}$ termination.

  -

  If $\omega =1$, then $\mathcal{B}$ calculates the following equation to obtain the private key $s{k}_i$ of user i in $S^{\ast }$:

  $$\begin{array}{cc}\hfill s{k}_i& =d_i^{\sigma }·{\left(\prod _{j\in S^{\ast }}{d}_{k+1-j}\right)}^{-1}\hfill \\ \hfill & ={\left(d^{\sigma }·{\left(\prod _{j\in S^{\ast }}{d}_{k+1-j}\right)}^{-1}\right)}^{{\alpha }^i}\hfill \\ \hfill & =e^{{\alpha }^i}\hfill \\ \hfill & =d_i^{\varpi }\hfill \end{array}$$

  (30)

• $RKGen(i,S^{\prime },\mathcal{T})$: Set $i\in S^{\ast }$, $j\in S^{\ast }$, and $\mathcal{T}\left(W^{\ast }\right)=1$. $\mathcal{B}$ ensures that there are no tuples in $Ke{y}^{List}$ of the form $(\ast ,j,s{k}_j)$, where ∗ is a placeholder. If such a tuple is found, $\mathcal{B}$ terminates the process. However, if there exists a tuple $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,\ast )$ in $ReKe{y}^{List}$, $\mathcal{B}$ returns the value of $r{k}_{i\to S^{\prime },\mathcal{T}}$. If neither of these conditions is met, then $\mathcal{B}$ proceeds with the following steps:
  Suppose there is a tuple $\left(1,i,s{k}_i\right)$ present in $Ke{y}^{List}$. In that case, $\mathcal{B}$ employs $s{k}_i$ to create the re-cipher key $r{k}_{i\to S^{\prime },\mathcal{T}}$ using the $RKGen$ algorithm, following the same procedure as in the actual scheme. $\mathcal{B}$ then provides the re-cipher key to H, includes $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,1)$ in $ReKe{y}^{List}$, and randomly selects $r^{\prime }$ and R during the $RKGen$ algorithm.
  Alternatively, $\mathcal{B}$ employs a biased coin $\mathcal{B}$ to make a decision. If $\omega$ equals 1, $\mathcal{B}$ interacts with $Extract\left(i\right)$ to obtain $s{k}_i$. Subsequently, $\mathcal{B}$ generates the re-encryption key $r{k}_{i\to S^{\prime },\mathcal{T}}$ using the $RKGen$ algorithm, returns it to H, and adds $(1,i,s{k}_i)$ and $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,1)$ to $Ke{y}^{List}$ and $ReKe{y}^{List}$, respectively. In the case where $\omega$ equals 0, $\mathcal{B}$ sets $\left(A_{\beta }={\rho }_{\beta }\right),\left(B_{\beta }={\rho }_{\beta }^{\prime }\right);\beta \in keyword\left(\beta \right)$ for randomly selected ${\rho }_{\beta }$ and ${\rho }_{\beta }^{\prime }$ from D. Next, $\mathcal{B}$ constructs $r{k}_1,r{k}_2,r{k}_3,r{k}_4$ and selects ${\mu }^{\prime }$ and R. Finally, $\mathcal{B}$ forwards the re-cipher key to H and then appends $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,0)$ to $ReKe{y}^{List}$.
• $ReEnc(i,S,S^{\prime },C)$: $\mathcal{B}$ executes the subsequent procedures:
  In the presence of $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,\ast )$ in $ReKe{y}^{List}$, $\mathcal{B}$ encrypts $(PKm,S,\phi ,W)$ as C using the encrypt function. If $\mathcal{T}\left(W\right)$ equals 1, then $\mathcal{B}$ employs the re-encryption key $r{k}_{i\to S^{\prime },\mathcal{T}}$ to generate $C_R$ through the $ReEnc$. Following this, $\mathcal{B}$ appends $(i,S,S^{\prime },C,C_R,\ast )$ to $ReEn{c}^{List}$ and returns $C_R$ to H.
  If $(\ast ,i,S^{\prime },\mathcal{T},r{k}_{i\to S^{\prime },\mathcal{T}},\mu ,R,\ast )$ is not found in $ReKe{y}^{List}$, $\mathcal{B}$ initiates an $RKGen(i,S^{\prime })$ query to acquire the re-encryption key $r{k}_{i\to S^{\prime },\mathcal{T}}$. Subsequently, $\mathcal{B}$ generates $C_R$ and includes $(i,S,S^{\prime },C,C_R,\ast )$ in the $ReEn{c}^{List}$.
• $Decryp{t}_O(i,S,C)$: $\mathcal{B}$ performs a validation check to confirm the fulfillment of Equations (16)∼(18). If these equations are unsatisfied, then $\mathcal{B}$ outputs ⊥. Otherwise, B proceeds with the following steps:
  If there is an entry $(1,i,s{k}_i)$ in $Ke{y}^{List}$, then $\mathcal{B}$ utilizes $s{k}_i$ to retrieve $\phi$.
  In the absence of $(1,i,s{k}_i)$ in $Ke{y}^{List}$, B initiates an $Extract\left(i\right)$ query to acquire $s{k}_i$ and applies $s{k}_i$ to restore $\phi$.
• $Decryp{t}_R(i,j,S,S^{\prime },C_R)$: $\mathcal{B}$ validates the validity of Equations (22) and (23). If the aforementioned formulas are invalid, then $\mathcal{B}$ outputs ⊥ and terminates. If they hold, then $\mathcal{B}$ continues with the following steps:
  If there is an entry $\left(1,j,s{k}_j\right)$ in $Ke{y}^{List}$, then $\mathcal{B}$ utilizes $s{k}_j$ to retrieve $\phi$.
  In the absence of $(1,j,s{k}_i)$ in $Ke{y}^{List}$, B initiates an $Extract\left(j\right)$ query to acquire $s{k}_j$ and applies $s{k}_j$ to restore $\phi$.

Challenge. Upon completion of Query Phase I as determined by H, it produces two messages ${\phi }_0$ and ${\phi }_1$ of the same length. $\mathcal{B}$ randomly selects a value b from $\left\{0,1\right\}$ and $r^{\ast }$ from $G_T$. Let l be equal to $d^{t^{\ast }}$, where $t^{\ast }$ is randomly chosen. $\mathcal{B}$ performs the following computation:

$$C_1^{\ast }={\mu }^{\ast }·T$$

(31)

$$C_2^{\ast }=l=d^{t^{\ast }}$$

(32)

$$\begin{array}{cc}\hfill C_3^{\ast }& =l^{\sigma }=d^{\sigma t^{\ast }}\hfill \\ \hfill & ={\left(d^{\sigma }·{\left(\prod _{j\in S^{\ast }}{d}_{k+1-j}\right)}^{-1}\left(\prod _{j\in S^{\ast }}{d}_{k+1-j}\right)\right)}^{t^{\ast }}\hfill \\ \hfill & ={\left(e·\prod _{j\in S^{\ast }}{g}_{k+1-j}\right)}^{t^{\ast }}\hfill \end{array}$$

(33)

$$C_4^{\ast }=L_{\alpha }{\left(\beta \right)}^{t^{\ast }},\beta \in W^{\ast }$$

(34)

$$C_5^{\ast }={\left[PRF\left({\mu }^{\ast },C_2^{\ast }\right)\right]}^{K-k}\left|\right|\left({\left[PRF\left({\mu }^{\ast },C_2^{\ast }\right)\right]}_k\oplus {\phi }_b\right)$$

(35)

$$\mathcal{G}\left(\lambda \right)=\left(ss{k}^{\ast },{svk}^{\ast }\right)$$

(36)

$$S^{\ast }=\mathcal{S}\left(sv{k}^{\ast },\left(C_2^{\ast },C_4^{\ast },C_5^{\ast }\right)\right)$$

(37)

If $T=v\left(d_{k+1},l\right)$, then $C_1^{\ast }={\mu }^{\ast }·T={\mu }^{\ast }·v{\left(d,d_{k+1}\right)}^{t^{\ast }}$. Let us denote $C_3^{\ast }$ as a legitimacy challenge cryptographic text. If T represents a stochastic element in $D_T$, then the adversary’s observation of $C_3^{\ast }$ is unrelated to the value of b.

Query Phase II. While adhering to the constraints specified in the IND-O-CCA game, H proceeds to make further queries, following the identical pattern as in Query Phase I.

Guess. H provides the guess $b^{\prime }$, and if $b^{\prime }$ matches b, then the output is 1, indicating that $T=v(d_{k+1},l)$. Otherwise, the output is 0, indicating that T is a random value selected from $D_T$.

5.2. Attack Prevention

This section will analyze sequentially the types of attacks that may be affected by the integrity verification section. It will also demonstrate the resilience of this program to these attacks.

Tag counterfeiting attack. The property of collision resistance is essential for a hash function. Due to the utilization of a hash function $L\left(c_j^{\prime }\right)$ in generating tags ${\tau }_j^{\prime }$, the likelihood of generating the same tag with different data is extremely low. Consequently, cloud service providers are unable to deceive witnesses by creating counterfeit tags.

Data deletion attack. When confronted with the witness challenge, the provider is unable to compute the witness ${wit}_{b_j}$ by aggregating data blocks and tags ${\prod }_{i=0}^{k-1}{\left(d_2^{s^i}\right)}^{a^i}$ if the original data is misplaced or erased. Therefore, cloud service providers cannot use tags to generate legitimate proof of ownership in the event of the loss of raw data $\left({wit}_{b_j},b_j\right)$.

Substitution attack. In the event that the witness challenges the provider using a randomly selected block index, if the provider substitutes the corrupted or deleted data with an incompatible data block or label, then the token ${\tau }_j^{\prime }$ calculated by the witness becomes unverifiable. Consequently, the provider is unable to employ alternative tactics to deceive the witness.

Replay attack. The provider’s utilization of previously cached data to respond to the new challenge posed by the current authenticator holds no significance. Firstly, during the verification and challenge process, the likelihood of the verifier executing the challenge using the same random index j is negligible. This is due to the fact that the provider can solely compute the witness ${wit}_{b_j}$ through the auxiliary value ${aux}_2$, whereas the auxiliary value ${aux}_2$ transmitted by the original data owner does not include ${sk}_{acc}=s$. Second, the witness generated by the challenge before caching needs to store the corresponding data block, which requires more storage space for the cloud service provider. In summary, integrity verification is unaffected by replay attacks.

Data leakage attack. Since the data owner has encrypted the data stored on the server, no third party can know the actual content of the outsourced data during integrity verification and re-encryption. Therefore, even if leaking encrypted data, the system can still guarantee its security.

6. Performance

6.1. Performance of PBRE

For the proxy broadcast re-encryption subsystem, this section evaluates the time expenditure for each phase in the scheme with the prior scenario. The Golang-based PBC software package (version 0.5.14) implements the ciphertext conversion module of the mobile multimedia sharing system. The PBC software package not only comprises a cryptographic library based on bilinear pairings but also provides a framework for building cryptographic systems. The test was conducted on a system comprising an Intel Xeon X5365 @3.00 GHz processor, Centos 7.5 operating system, and Go 1.19 programming language. For the test, a 160-bit elliptic curve $Y^2=X^3+X$ was chosen. To minimize errors, the program was executed 10 times, and the average value was recorded as the test result. The test results are shown in

Table 1. Ciphertext conversion performance comparison.

Scheme	RKGen (ms)	Encrypt (ms)	ReEncrypt (ms)	DecryptO (ms)	DecryptR (ms)
Scheme [32]	26.87	14.96	169.6	19.45	20.37
This system	27.93	19.58	53.06	21.88	25.97

.

Based on the test findings, it was observed that the time required for ciphertext conversion in the experimental scheme is significantly lower compared to the control scheme. This is because the experimental scheme only requires a single re-encryption operation to generate a collection of public ciphertexts. However, the remaining steps of the system take more time than the control scheme. This is attributed to the fact that the key length generated by the system is directly proportional to the magnitude of the user group, and the amount of data processed in each operation is substantially larger. Nevertheless, the overall efficiency of the subsystem is deemed satisfactory.

6.2. Performance of Integrity Verification

For the integrity verification subsystem, the experiment uses the DCLXVI library to calculate the elliptic curve, and SHA-3 to generate the 160-bit label. The software and hardware environment used for the test is the same as the environment of the ciphertext conversion subsystem. In the subsystem establishment phase, the original ciphertext C needs to be divided into multiple data segments. Through previous experiments, it was empirically determined that a data block size of 768 bytes yields optimal results. For the current testing phase, a dataset of 1 GB was used. The obtained test results are presented in

Table 2. Integrity verification performance comparison.

Scheme	Setup (s)	Challenge ($\mathsf{\mu }$s)	Proof (s)	Verify (Bytes)	Storage (MB)
Scheme [46]	9480	3.3	68.4	42.3	33.1
This system	18.9	0.64	53.06	0.0033	28.9

.

It can be seen from the comparison between this scheme and the control scheme that our scheme exhibits certain benefits across various performance aspects. The most crucial point is that the time complexity of performing the verification operation is a fixed value of $O\left(2\right)$, which does not change as the block size increases. Moreover, the time spent in the system establishment phase is much smaller than that of the control scheme.

This is because the input field of the RSA accumulator used in the comparison scheme is limited to prime numbers, and each data block needs to be bitwise shifted to avoid a collision. The bilinear pair accumulator used in this scheme does not need to preprocess the data during the initialization phase. Moreover, the scheme possesses the advantages of time cost and space cost in terms of storage overhead, challenges, and proof. In summary, the solution used by the integrity verification subsystem is suitable for computing-capable devices or frameworks, so it has a broader range of applications, such as multimedia mobile devices, edge computing, etc.

7. Conclusions

In this paper, we propose a conditional agent-based re-encryption key sharing mechanism for clustered federated learning. The scheme combines a proxy broadcast re-encryption mechanism and an integrity verification mechanism to protect the keys used for homomorphic encryption across clusters stored in the cloud. The proxy broadcast re-encryption subsystem can convert the keys generated and encrypted by the KMC into a new set of ciphertexts to be provided to the user without the server having the capability to access the valuable data. Thus, the KMC can control the access conditions through an access tree. The integrity verification subsystem ensures that the keys are not deleted or corrupted while reducing the computational and storage costs of the verification process. Experiments show that the proposed scheme has significant improvements in overall computing efficiency and communication cost, especially in terms of storage overhead, challenges and proofs, and has greater advantages in time cost and space cost. Therefore, the scheme can be applied well in environments with limited computing power.