Identity-Based Broadcast Encryption with Outsourced Partial Decryption for Hybrid Security Models in Edge Computing

Each layer of nodes and communication networks in edge computing, from cloud to the end device (i.e, often considered as resource-constrained IoT devices), exhibits a different level of trust for each stakeholder - e.g., edge nodes may not be fully trusted by IoT devices and the cloud. Moreover, asymmetric nature of resources between layers makes it hard to establish a balance between security and performance - e.g., lightweight cryptography may degrade security level against untrusted nodes while heavyweight ones may not be feasible for the light-weight end devices. An advanced encryption scheme such as the Identity-Based Broadcast Encryption (IBBE) is a popular technique to reduce storage and communication overhead. However, IBBE requires heavy computation to the end devices and still does not fully satisfy the security requirements that exist in the layers of edge computing. This paper presents a new IBBE with outsourced partial decryption for hybrid security models that each layer in edge computing requires. It balances the computational overhead based on asymmetric nature that nodes in each layer have. Particularly, with new schemes, the ciphertext can be transformed from its initial format. The cloud encrypts their data for multiple end devices and store them in the edge nodes, but those interim nodes can blindly transform the ciphertext from the cloud into a form which (i) is decryptable by only an authorized end device, and (ii) imposes smaller decryption and data transmission burden to end devices, regardless of the number of recipients. Our security analysis shows that new schemes are selectively and adaptively secure. We implement our solution and show that new schemes reduce the communication overhead from an edge node to end devices and the computation overhead on the end devices, compared to the original IBBE schemes.