Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Hsiao-Ying Lin,Wen-Guey Tzeng

DOI: https://doi.org/10.1109/tpds.2011.252

IF: 5.3

2012-06-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:A cloud storage system, consisting of a collection of storage servers, provides long-term storage services over the Internet. Storing data in a third party's cloud system causes serious concern over data confidentiality. General encryption schemes protect data confidentiality, but also limit the functionality of the storage system because a few operations are supported over encrypted data. Constructing a secure storage system that supports multiple functions is challenging when the storage system is distributed and has no central authority. We propose a threshold proxy re-encryption scheme and integrate it with a decentralized erasure code such that a secure distributed storage system is formulated. The distributed storage system not only supports secure and robust data storage and retrieval, but also lets a user forward his data in the storage servers to another user without retrieving the data back. The main technical contribution is that the proxy re-encryption scheme supports encoding operations over encrypted messages as well as forwarding operations over encoded and encrypted messages. Our method fully integrates encrypting, encoding, and forwarding. We analyze and suggest suitable parameters for the number of copies of a message dispatched to storage servers and the number of storage servers queried by a key server. These parameters allow more flexible adjustment between the number of storage servers and robustness.

computer science, theory & methods,engineering, electrical & electronic

JIA Ya-ru,LIU Xiang-yang,LIU Sheng-li

DOI: https://doi.org/10.3969/j.issn.1000-3428.2012.03.043

2012-01-01

Abstract:This paper proposes the decentralized secure distributed storage system.The privacy of data is fulfilled by the combination of public key system and symmetric key system.Symmetric key for data from different sources are different,hence encryptions can be implemented in a distributed way.The employment of decentralized erasure code,together with the distributed encryptions,makes possible the decentralization of the system.RS codes are used to store the encryption of symmetric keys,and the list decoding of RS codes ensures the robust.Analysis result shows that the computing efficiency of this system is higher.

Xiao-Fen Wang,Yi Mu,Rongmao Chen,Xiao-Song Zhang

DOI: https://doi.org/10.1007/s11390-016-1676-9

2016-01-01

Abstract:Data sharing and searching are important functionalities in cloud storage. In this paper, we show how to securely and flexibly search and share cloud data among a group of users without a group manager. We formalize a novel cryptosystem: secure channel free searchable encryption in a peer-to-peer group, which features with the secure cloud data sharing and searching for group members in an identity-based setting. Our scheme allows group members to join or leave the group dynamically. We present two schemes: basic scheme and enhanced scheme. We formally prove that our basic scheme achieves consistency and indistinguishability against the chosen keyword and ciphertext attack and the outsider’s keyword guessing attack, respectively. An enhanced scheme is also proposed to achieve forward secrecy, which allows to revoke user search right over the former shared data.

Xiaolin Zhang,Dawu Gu,Tengfei Wang,Yu Huang

DOI: https://doi.org/10.1109/tcad.2023.3286260

IF: 2.9

2023-01-01

IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems

Abstract:The Internet of Things (IoT) facilitates the information exchange between people and smart devices. It needs cryptographic measures to secure its communications and interconnected objects. However, cyber–physical attacks pose a great challenge to the protection of secret keys inside. Physically unclonable function (PUF) is a promising hardware primitive with unclonable structures providing tamper evidence for a device. Moreover, a PUF instance has a unique set of randomized challenge–response pairs. Although it can be integrated into a security scheme to replace long-term keys, designing a dedicated PUF-based cryptographic algorithm that supports peer-to-peer communication remains a challenging field to explore. In this article, we propose SPEAR, a scalable PUF-based authenticated encryption (AE) scheme that uses no cryptographic primitives other than PUF and hash functions. SPEAR can be deployed on peer IoT devices that have performed a handshake protocol to obtain shared credentials. Its security under the chosen ciphertext attack is formally proved using the game-playing technique, and it is still secure when attackers physically extract the credentials. In addition, we give a variant, $x$ SPEAR, to involve associated data and avoid the nonce reuse problem. Compared to other PUF-based ciphers, it performs better in terms of storage overhead and PUF evaluation times. SPEAR first realizes scalable AE based on PUF and can be a practical solution for IoT.

Peng Zhang,Yixin Jiang,Chuang Lin,Yanfei Fan,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/infcom.2010.5462050

2010-01-01

Abstract:Though providing an intrinsic secrecy, network coding is still vulnerable to eavesdropping attacks, by which an adversary may compromise the confidentiality of message content. Existing studies mainly deal with eavesdroppers that can intercept a lim-ited number of packets. However, real scenarios often consist of more capable adversaries, e.g., global eavesdroppers, which can defeat these techniques. In this paper, we propose P-Coding, a novel security scheme against eavesdropping attacks in network coding. With the lightweight permutation encryption performed on each message and its coding vector, P-Coding can efficiently thwart global eavesdroppers in a transparent way. Moreover, P-Coding is also featured in scalability and robustness, which enable it to be integrated into practical network coded systems. Security analysis and simulation results demonstrate the efficacy and efficiency of the P-Coding scheme.

Fangyong Hou,Dawu Gu,Nong Xiao,Yuhua Tang

DOI: https://doi.org/10.1109/NAS.2008.48

2008-01-01

Abstract:Storage systems are more distributed and more subject to attacks. Cryptographic file system gives a promising way to mitigate the danger of exposing data by using encryption and integrity protection methods and guarantee end-to-end security to clients. This paper describes SRSAE, a generic approach to cryptographic file system, as well as its realization in a distributed data storage environment. SRSAE applies authenticated encryption to each data block transferred between clients and the remote block devices. It provides strong data confidentiality and integrity protections through trusted IV (Initialization Vector) and MAC (Message Authentication Code) comparison. Performance is optimized by buffering IV and MAC locally. Integration into original file system is presented with specific implementation. Related model, approach and system realization are elaborated, as well as testing results. Theoretical analysis and experimental simulations show that it is a practical and available way to build secure network storage system.

LI Liangbin,WANG Jinlin,CHEN Jun

DOI: https://doi.org/10.3969/j.issn.2095-347x.2011.05.001

2011-01-01

Abstract:Data dispersal is a key technology for survivable storage system,based on the analysis of features and shortcomings of existing data dispersal scheme,a verifiable short secret sharing data dispersal scheme supporting general access structure is proposed.The fragment generated by our scheme is composed of cipher-text portion and cipher-key portion.Firstly the original data is encrypted and dispersed with erasure coding,secondly the cipher-key is dispersed with an improved verifiable secret sharing algorithm,and dispersal of the cipher-key must depend on the cipher-text portion.Comparing to existing work,our scheme achieves high performance in all aspects of space cost,secrecy and verifiability,and the general access structure is also supported.

Ming Chen-,Guangwen Yang,Xuezheng Liu,Shuming Shi,Dingxing Wang

DOI: https://doi.org/10.1360/jos161790

2005-01-01

Journal of Software

Abstract:This paper proposes a cooperative secure reliable storage system depending on pure P2P and supporting self-repair. Participant nodes of this system form an overlay by Paramecium protocol, which maintains the organization of system and provides routing service, or other compatible distributed hash table (DHT) protocols. The PKI authentication mechanism is introduced to ensure security in an open environment. Binding user data with replica identifiers supports secure auto-repair. The introduction of replica types provides secure sharing-write. Preliminary analysis and experiments demonstrate that it maintains a high reliability and read/write performance in real settings while keeping the cost of maintenance bandwidth low.

Jingjin Wu,Guoqiang Long,Canhua Wang,Jianhua Wu

DOI: https://doi.org/10.1088/1402-4896/ad195b

2023-12-28

Physica Scripta

Abstract:Abstract Recent advances in cellular mobile telecommunication field have dramatically facilitated the multi-party collaborative work in social networks. However, the privacy issues exposed by insecure network channels and semi-trusted service providers, such as underlying data analysis and mining, have also gradually aroused public concerns. In this context, a novel Multi-Party Privacy Data Encryption (MP-PDE) scheme built upon the deep learning framework is proposed. In this scheme, a four-dimensional autonomous chaotic system is initially leveraged to configurate the key-controlled cipher streams. Under the guidance of a multi-objective optimization function, the proposed encryption network manipulates the multi party private data into a cipher image with the statistical pseudo-randomness. At the recipient side, distinct participants can decrypt the matching data availing their own licensing key from the identical cipher image. Furthermore, the encryption and decryption networks are equivalent except for their network parameters. Finally, numerous experiments are conducted to verify the effectiveness and security of the proposed scheme.

physics, multidisciplinary

Tong Li,Zheli Liu,Ping Li,Chunfu Jia,Zoe L. Jiang,Jin Li

DOI: https://doi.org/10.1016/j.future.2017.02.024

2016-01-01

Abstract:In a secure data sharing system, the keyword search over encrypted files is a basic need of a user with appropriate privileges. Although the traditional searchable encryption technique can provide the privacy protection, two critical issues still should be considered. Firstly, a cloud server may be selfish in order to save its computing resources, and thus returns only a fragment of results to reply a search query. Secondly, since different keys are always used for different document sets, making a search query over massive sets and verifying the search results are both impractical for a user with massive keys. In this paper, we propose a scheme named “verifiable searchable encryption with aggregate keys”. In the scheme, a data owner need only distribute a single aggregate key to other users to selectively share both search and verification privileges over his/her document sets. After obtaining such a key, a user can use it not only for generating a single trapdoor as a keyword search query, but for verifying whether the server just conducts a part of computing for the search request. Then, we define the requirements of the scheme and give a valid construction. Finally, our analysis and performance evaluation demonstrate that the scheme are practical and secure.

Run Xie,Chanlian He,Yu He,Chunxiang Xu,Kun Liu

DOI: https://doi.org/10.1007/978-3-319-69605-8_17

2016-01-01

Abstract:With networking became prevalent, the amount of data to be stored and managed on networked servers rapidly increases. Meanwhile, with the improvement of awareness of data privacy, the user’s sensitive data is usually encrypted before uploading them to the cloud server. The searchable public-key encryption provides an efficient mechanism to achieve data retrieval in encrypted storage. Therefore, it is a critical technique on promoting secure and efficient cloud storage. Unfortunately, only few the existing schemes are secure to resist outside keyword guessing attacks. In this paper, we propose two efficient searchable public-key encryption schemes with a designated tester (dPEKS). One is a basic dPEKS, where the dPEKS ciphertext indistinguishability is proved without the random oracle. Meanwhile, the basic scheme is secure to resist the outside KGA since it satisfies the property of trapdoor indistinguishability. Comparing with the existing dPEKS schemes which use expensive pairing computation, our scheme is more efficient since we only need multi-exponentiation. Another is an enhanced dPEKS scheme. With the sender’s identity is kept secret from server, this scheme can provide stronger security.

Liang Xue,Dongxiao Liu,Cheng Huang,Xuemin (Sherman) Shen,Weihua Zhuang,Rob Sun,Bidi Ying

DOI: https://doi.org/10.1109/icc45855.2022.9838811

2022-01-01

Abstract:In this paper, we propose a Secure and Flexible Data Sharing (SFDS) scheme for distributed storage, where data owners can outsource their data to a distributed storage network and share the data with authorized users. To preserve confidentiality, all data are encrypted by data owners' secret keys before being outsourced, and fine-grained access policies are enforced on the encrypted data (ciphertexts) to achieve flexible data sharing. Furthermore, based on the ciphertext puncturable encryption and the hierarchical identity-based encryption, we design an efficient key and ciphertext update mechanism, which enables data owners to update their secret keys and the corresponding ciphertexts periodically to deal with side-channel attacks and system vulnerabilities. Update tokens are constructed to directly derive new keys and ciphertexts. Through detailed security analysis, it is demonstrated that SFDS can achieve all three essential security properties, i.e., forward security, post-compromise security, and collusion attack resistance.

Lin Xu,Lai Xue-jia

DOI: https://doi.org/10.3969/j.issn.1674-9456.2011.09.007

2011-01-01

Abstract:Erasure code is a means of generating data redundancy to improve fault tolerance and availability of P2P storage systems.For unstructed P2P storage systems which based on Erasure code,using flooding algorithm to manage data will produce a large number of redundant messages in the network,and the systems will be inefficient.This paper presents an algorithm which use binary tree to save the information of file blocks.After the binary tree is built,update message will transmit between nodes of the tree,without flooding in the network.Analysis shows that,compared with flooding algorithm,the binary tree algorithm effectively reduces the number of redundant messages,improve the efficiency of data management,and to pay the storage costs are minimal.

Run Xie,Chunxiang Xu,Chanlian He,Xiaojun Zhang

DOI: https://doi.org/10.1504/ijwgs.2018.088357

2017-01-01

International Journal of Web and Grid Services

Abstract:With the improvement of awareness of data privacy, the user's sensitive data are usually encrypted before uploading them to cloud. Searchable encryption is a critical technique on promoting secure and efficient cloud storage. In particular, publickey encryption with keyword search (PEKS) provides an elegant approach to achieve data retrieval in encrypted storage. All existing searchable publickey encryption schemes only provide the security based on classical cryptography hardness assumption. With the development of quantum computers, these schemes will be insecure. Based on the lattice hardness assumptions, we propose a new searchable publickey encryption scheme with a designated tester (dPEKS). Our scheme has advantages: First, our scheme is the first searchable publickey encryption scheme that is considered to be secure even if quantum computers are ever developed. Second, our scheme achieves the trapdoor indistinguishability. The trapdoor indistinguishability implies the security against outside offline keyword guessing attacks (KGAs). Last, our scheme can achieve the trapdoor anonymity for server.

K. V. Rashmi,Nihar B. Shah,Kannan Ramchandran,P. Vijay Kumar

DOI: https://doi.org/10.1109/tit.2017.2769101

IF: 2.5

2018-03-01

IEEE Transactions on Information Theory

Abstract:Repair operations in erasure-coded distributed storage systems involve a lot of data movement. This can potentially expose data to malicious acts of passive eavesdroppers or active adversaries, putting security of the system at risk. This paper presents coding schemes and repair algorithms that ensure security of the data in the presence of passive eavesdroppers and active adversaries while maintaining high availability, reliability, and resource efficiency in the system. The proposed codes are optimal in that they meet previously proposed lower bounds on storage and network-bandwidth requirements for a wide range of system parameters. The results thus establish the secure storage capacity of such systems. The proposed codes are based on an optimal class of codes called product-matrix codes. The constructions presented for security from active adversaries provide an additional appealing feature of “on-demand security,” where the desired level of security can be chosen separately for each instance of repair, and the proposed algorithms remain optimal simultaneously for all possible security levels. This paper also provides necessary and sufficient conditions governing the transformation of any (non-secure) code into one providing on-demand security.

computer science, information systems,engineering, electrical & electronic

Yang Liu,Songfeng Lu,Youqiao Zhao,Fang Liu

DOI: https://doi.org/10.1115/1.859902.paper282

2011-01-01

Abstract:Considering the safety and the efficiency to transport files containing of sensitive data through internet, an encryption scheme based on the digital envelope technology and digital signature technology is proposed. The file is encrypted by AES while the symmetric key is encrypted using ECC. To ensure data integrity and encryption efficiency, the file is also processed by SHA-1 to get its digest which is then be encrypted by ECC. Moreover, in order to process large files or massive data effectively, a parallel encryption algorithm is proposed. The experiment result shows it performs well and provides a higher encryption speed.

Tianhao Wang,Yunlei Zhao

DOI: https://doi.org/10.1145/2897845.2897884

2016-01-01

Abstract:Cloud storage services such as Dropbox [1] and Google Drive [2] are becoming more and more popular. On the one hand, they provide users with mobility, scalability, and convenience. However, privacy issues arise when the storage becomes not fully controlled by users. Although modern encryption schemes are effective at protecting content of data, there are two drawbacks of the encryption-before-outsourcing approach: First, one kind of sensitive information, Access Pattern of the data is left unprotected. Moreover, encryption usually makes the data difficult to use. In this paper, we propose AIS (Access Indistinguishable Storage), the first client-side system that can partially conceal access pattern of the cloud storage in constant time. Besides data content, AIS can conceal information about the number of initial files, and length of each initial file. When it comes to the access phase after initiation, AIS can effectively conceal the behavior (read or write) and target file of the current access. Moreover, the existence and length of each file will remain confidential as long as there is no access after initiation. One application of AIS is SSE (Searchable Symmetric Encryption), which makes the encrypted data searchable. Based on AIS, we propose SBA (SSE Built on AIS). To the best of our knowledge, SBA is safer than any other SSE systems of the same complexity, and SBA is the first to conceal whether current keyword was queried before, the first to conceal whether current operation is an addition or deletion, and the first to support direct modification of files.

Jiwu Shu,Zhirong Shen,Wei Xue

DOI: https://doi.org/10.1016/j.jpdc.2014.06.003

IF: 4.542

2014-01-01

Journal of Parallel and Distributed Computing

Abstract:With the increasing amount of personal data stored in public storage, users are losing control of their physical data, putting their data information at risk of theft or being compromised. Traditional secure storage systems either require users to completely trust the storage provider or impose the considerable burden of managing files on file owners; such systems are inapplicable in the practical cloud environment. This paper addresses these challenging problems by proposing a new secure system architecture and implementing a stackable secure storage system named Shield, in which a proxy server is introduced to be in charge of authentication and access control. We propose a new variant of the Merkle Hash Tree to support efficient integrity checking and file content update; further, we have designed a hierarchical key organization to achieve convenient keys management and efficient permission revocation. Shield supports concurrent write access by employing a virtual linked list; it also provides secure file sharing without any modification to the underlying file systems. A series of evaluations over various real benchmarks show that Shield causes about 7%∼13% performance degradation when compared with eCryptfs but provides enhanced security for user’s data.

Lu Wei,Jie Cui,Yan Xu,Jiujun Cheng,Hong Zhong

DOI: https://doi.org/10.1109/tifs.2020.3040876

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Owing to the development of wireless communication technology and the increasing number of automobiles, vehicular ad hoc networks (VANETs) have become essential tools to secure traffic safety and enhance driving convenience. It is necessary to design a conditional privacy-preserving authentication (CPPA) scheme for VANETs because of their vulnerability and security requirements. Traditional CPPA schemes have two deficiencies. One is that the communication or storage overhead is not sufficiently low, but the traffic emergency message requires an ultra-low transmission delay. The other is that traditional CPPA schemes do not consider updating the system secret key (SSK), which is stored in an unhackable Tamper Proof Device (TPD), whereas side-channel attack methods and the wide usage of the SSK increase the probability of breaking the SSK. To solve the first issue, we propose a CPPA signature scheme based on elliptic curve cryptography, which can achieve message recovery and be reduced to elliptic curve discrete logarithm assumption, so that traffic emergency messages are secured with ultra-low communication overhead. To solve the second issue, we design an SSK updating algorithm, which is constructed on Shamir's secret sharing algorithm and secure pseudo random function, so that the TPDs of unrevoked vehicles can update SSK securely. Formal security proof and analysis show that our proposed scheme satisfies the security and privacy requirements of VANETs. Performance analysis demonstrates that our proposed scheme requires less storage size and has a lower transmission delay compared with related schemes.

computer science, theory & methods,engineering, electrical & electronic