Zhenhua Chen,Shundong Li,Yimin Guo,Yilei Wang,Yunjie Chu

DOI: https://doi.org/10.1007/978-3-319-11698-3_7

2014-01-01

Abstract:In this paper, we introduce a new concept of limited proxy re-encryption with keyword search (LPREKS) for fine-grained data access control in cloud computing, which combines the function of limited proxy re-encryption (LPRE) and that of public key encryption with keyword search (PEKS). However, an LPREKS scheme cannot be obtained by directly combining those two schemes since the resulting scheme is no longer proven secure in our security model. Our scheme is proven semantically secure under the modified Bilinear Diffie-Hellman (mBDH) assumption and the q-Decisional Bilinear Diffie-Hellman inversion (qDBDHI) assumption in the random oracle model. Our proposal realizes three desired situations as follows: (1) the proxy cloud server can re-encrypt the delegated data containing some keyword which matches the trapdoor from delegatee, (2) the proxy can only reencrypt a limited number of delegated data to the delegatee; otherwise, the private key of the proxy will be exposed, and (3) the proxy cloud server learns nothing about the contents of data and keyword.

Jingwei Li,Jin Li,Xiaofeng Chen,Chunfu Jia,Zheli Liu

DOI: https://doi.org/10.1007/978-3-642-34601-9_37

2012-01-01

Abstract:As cloud computing becomes prevalent, more and more sensitive information is being centralized into the cloud, which raises a new challenge on how to efficiently share the outsourced data in a fine-grained manner. Although searchable encryption allows for privacy-preserving keyword search over encrypted data in public cloud, it could not work effectively for supporting fine-grained access control over encrypted data simultaneously. In this paper, we consider to tackle the challenge above under a hybrid architecture in which a private cloud is introduced as an access interface between users and public cloud. We firstly propose a basic scheme allowing both exact keyword search and fine-grained access control over encrypted data. Furthermore, an advanced scheme supporting fuzzy keyword search is presented. In both schemes, overhead computation is securely outsourced to private cloud but only left behind the file encryption and decryption at user side. Finally, we demonstrate approaches to realize outsourcing cryptographic access control mechanism and further relieve the computational cost at user side.

Zhirong Shen,Jiwu Shu,Wei Xue

DOI: https://doi.org/10.1109/jsen.2016.2634018

IF: 4.3

2016-01-01

IEEE Sensors Journal

Abstract:Cloud computing has become an increasingly popular service for data storage and processing. To keep users' data on the cloud from leaking to unauthorized users, probably including the cloud service providers, the data must be stored in an encrypted form. In the meantime, for data intended for sharing, an efficient access control must be provided. A common operation on the data is keyword search. Currently, search operation over encrypted search is performed at the cloud servers and access control for the in-cloud data is usually enforced by users. Separation of the two types of operations can lead to reduced efficiency and compromised privacy for users with a given set of access privileges to search over encrypted cloud data. In this paper, we study the problem of keyword search with access control over encrypted data in cloud computing. We first propose a scalable framework where user can use his attribute values and a search query to locally derive a search capability, and a file can be retrieved only when its keywords match the query and the user's attribute values can pass the policy check. Using this framework, we propose a novel scheme called KSAC. KSAC utilizes a recent cryptographic primitive called HPE to enforce fine-grained access control, perform multi-field query search, and support the derivation of the search capability. Intensive evaluations on real-world dataset are conducted to validate the applicability of the proposed scheme.

Xian Yong Meng,Zhong Chen,Xiang Yu Meng

DOI: https://doi.org/10.4028/www.scientific.net/amm.631-632.897

2014-01-01

Applied Mechanics and Materials

Abstract:In this paper, a novel proxy re-encryption (PRE) scheme with keyword search is proposed, where only the ciphertext containing the keyword set by the delegator can be transformed by the semi-trusted proxy and then decrypted by delegatee. In the proposed scheme, the semi-trusted proxy can convert the ciphertext encrypted under the delegator’s public key into the ciphertext encrypted under the delegatee’s public key. In addition, only the delegatee’s email gateway with a trapdoor can test whether or not a given cipheretext containing some keyword, but can learn nothing else about the sensitive data of email. We proposed an identity-based proxy re-encryption with keyword search scheme, where the delegator and the delegatee extract keys from a trusted party called the key generator center (KGC), who generates public-private key pair for delegator and delegatee based on their identities. Meanwhile, the identity-based proxy re-encryption with keyword search scheme satisfies the properties of PRE including unidirectionality, multi-use and transparency. Additionally, the proposed scheme is efficient in terms of both computation and communication, and can realize security privacy preserving in cloud computing environments.

WeiDong Zhong,Xu An Wang,Ziqing Wang,Yi Ding

DOI: https://doi.org/10.1109/CIS.2011.217

2011-01-01

Abstract:Proxy re-encryption (PRE) allows a proxy to transform a cipher text for Alice (delegator) to be the one which can be decrypted by Bob (delegatee). Since it is introduced by Blaze et al. in 1998, many variants of PRE have been proposed. In this paper, we concentrate on two of them: anonymous conditional proxy re-encryption (ACPRE) and constrained proxy re-encryption with keyword search (PRES). Conditional proxy re-encryption (CPRE) is a primitive which only allows those cipher texts satisfying the condition can be re-encrypted correctly by the proxy. Anonymous conditional proxy re-encryption (ACPRE) requires the proxy not knowing which condition the cipher text associated with. PRES is a primitive which allows the proxy simultaneously re-encrypt and search the delegator's cipher text. Based on the PRES proposed by Shao et al., We show the definition of constrained proxy re-encryption with keyword search (CPRES), give its security models and discuss its potential applications. At last, based on a concrete ACPRE scheme, we construct a concrete CPRES scheme.

Er-Shuo Zhuang,Chun-I Fan

DOI: https://doi.org/10.3390/math11183830

IF: 2.4

2023-09-07

Mathematics

Abstract:To protect the privacy of cloud data, encryption before uploading provides a solution. However, searching for target data in ciphertext takes effort. Therefore, searchable encryption has become an important research topic. On the other hand, since the advancement of quantum computers will lead to the crisis of cracking traditional encryption algorithms, it is necessary to design encryption schemes that can resist quantum attacks. Therefore, we propose a multi-keyword searchable identity-based proxy re-encryption scheme from lattices. In addition to resisting quantum attacks, the proposed scheme uses several cryptographic techniques to improve encryption efficiency. First, identity-based encryption is used to reduce the computation and transmission costs caused by certificates. Second, the proposed scheme uses proxy re-encryption to achieve the purpose of outsourced computing, allowing the proxy server to reduce the computation and transmission costs of the users. Third, the proposed multi-keyword searchable encryption can provide AND and OR operators to increase the flexibility of searchability. Moreover, the access structure of the proposed scheme is not based on a linear secret sharing scheme (LSSS), avoiding the errors caused by an LSSS-based structure in decryption or search results. Finally, we also give formal security proof of the proposed scheme under the decisional learning with errors assumption.

mathematics

Boshen Shan,Yuanzhi Yao,Weihai Li,Xiaodong Zuo,Nenghai Yu

DOI: https://doi.org/10.1109/trustcom56396.2022.00189

2022-01-01

Abstract:Due to the increasing popularity of cloud computing and privacy preservation concerns, sensitive data should be encrypted before outsourcing to the cloud and data utilization becomes a challenging issue. Searchable encryption (SE) is a promising technique to address this problem. Most existing searchable encryption schemes only support accurate keyword but fuzzy keyword search schemes are appreciated in practice. Moreover, in some application scenarios like the video on demand systems, data owners only hope to give the access of their data to those who have payed but authenticated user identity may often change. Therefore, dynamic user attribute updating should be considered. To solve about issues, we propose a fuzzy secure keyword search scheme over encrypted cloud data with dynamic fine-grained access control. We design a novel fuzzy keyword index to retrieve corresponding documents. To reduce the computation cost, the cloud server selects most relevant top-k documents and return them to the data users. The ciphertextpolicy attribute based encryption (CP-ABE) technique is introduced to implement fine-grained access control. Meanwhile, the basic CP-ABE is improved to meet the practical need of user attribute updating. Extensive security and performance analysis demonstrates that our proposed scheme is highly efficient and can satisfy the security requirements for fuzzy keyword search over encrypted cloud data.

Qiang Cao,Yanping Li,Zhenqiang Wu,Yinbin Miao,Jianqing Liu

DOI: https://doi.org/10.1007/s11280-019-00671-3

2019-01-01

World Wide Web

Abstract:Cloud storage over the internet gives opportunities for easy data sharing. To preserve the privacy of sharing data, the outsourced data is usually encrypted. The searchable encryption technique provides a solution to find the target data in the encrypted form. And the public-key encryption with keyword search is regarded as a major approach for the searchable encryption technique. However, there are still several privacy leakage challenges for the further adoption of these major schemes. One is how to resist the keyword guessing attack which still leaks data user’s keywords privacy. Another is how to construct the access control policy to prevent illegal access of outsourced data sharing since illegal access always leak the privacy of user’s attribute. In our paper, we firstly try to design a novel secure keyword index to resist the keyword guessing attack from access pattern and search pattern. Second, we propose an attribute-based encryption scheme which supports an enhanced fine-grained access control search. This allows the authenticated users to access different data although their searching request contains the same queried keywords, and meanwhile unauthenticated users cannot get any attribute privacy information. Third, we give security proofs to show that the construction of keyword index is against keyword guessing attack from the access pattern and search pattern, and our scheme is proved to be IND-CPA secure (the indistinguishability under chosen plaintext attack) under the standard model. Finally, theoretical analyses and a series of experiments are conducted to demonstrate the efficiency of our scheme.

Chunwei Lou,Mingsheng Cao,Yaohua Luo,Hua Xu,Yuan Gao,Weiwei Wang,Dong Wang

DOI: https://doi.org/10.1109/access.2020.2980886

IF: 3.9

2024-01-01

IEEE Access

Abstract:Key-aggregate keyword retrieval primitive enables a cloud server on behalf of delegated users to securely perform a keyword search over the data encrypted with various public keys. However, existing key-aggregate searchable encryption schemes are insecure against keyword guessing attacks, which result in the privacy leakage of keyword ciphertext and trapdoor. In this paper, we for the first time formulate a secure and efficient key-aggregate searchable encryption for cloud-assisted IoT applications, which not only enables a data owner to securely share the selected documents to multiple users, but also supports data users in delegating the capability of keyword search to a cloud server for searching the desired documents without leaking any privacy of keyword ciphertext and trapdoor. Then, the security of the proposed scheme is formally defined and proven to be secure against the indistinguishable selective-file chosen keyword attacks. The flexibility and practicability of the formulated scheme is also demonstrated by theoretical evaluations and experimental simulations.

Jianhong Zhang,Jian Mao

DOI: https://doi.org/10.1007/s10586-016-0584-7

2016-01-01

Cluster Computing

Abstract:Public key encryption with keyword search plays very important role in the outsourced data management. In most of public key encryption schemes with keyword search, the server can unlimitedly execute keyword search ability after obtaining a trapdoor information of a keyword. To restrict the ability of the server's unlimited search, we propose a novel public key encryption with revocable keyword search by combining hash chain and anonymous multi-receiver encryption scheme in this paper. The scheme can not only achieve security property of the indistinguishability of ciphertexts against an adaptive chosen keywords attack, but also resist off-line keyword guess attack. By comparison with Yu et al.'s scheme, our scheme is more efficient in terms of computational cost and communication overhead for the whole system.

Jingwei Li,Chunfu Jia,Jin Li,Zheli Liu

DOI: https://doi.org/10.1109/incos.2012.28

2012-01-01

Abstract:With the rapid growth of data, it is desirable to outsource data on remote storage server. The emergency of cloud computing makes the dream true and more and more sensitive data are being centralized into cloud for sharing. Since the public cloud server cannot be fully trusted in protecting them, encryption is a promising way to keep confidentiality but leads to high communication and computation overhead for some useful data operations. Searchable encryption initiated by Song et al. provides an efficient solution to support for keyword-based search directly on encrypted data. Nevertheless, existing work depends on key sharing among authorized users, which inevitably causes the risks of key exposure and abuse. In this paper, the keyword search over encrypted data with differential privileges is addressed. We provide a novel framework for secure outsourcing and sharing of encrypted data on hybrid cloud. The framework is full-featured: i) it enables authorized users to perform keyword-based search directly on encrypted data without sharing the same private key, ii) it provides two-layered access control to achieve fine-grained sharing of encrypted data. The security analysis shows that the proposed generic construction satisfies the requirements of message privacy and keyword privacy.

Peiming Xu,Lingling Xu,Xiang Jin

DOI: https://doi.org/10.1109/cbase60015.2023.10439115

2023-01-01

Abstract:With the rapid development of cloud computing, more and more data are stored in the cloud server. However, due to the increasing demands for security and user privacy, sensitive data are expected to be stored in an encrypted manner. Then how to perform keyword search over the encrypted data becomes a key issue. The technology of searchable encryption has been proposed to address this issue, which allows the data owners share their encrypted data with users without leaking the queried keyword privacy. In this paper, we study forward and backward private searchable encryption with fine-grained access control. Our system can resist against the file injection attacks from malicious cloud and support forward and backward data privacy. In addition, it enables the data owners to enforce "AND" "NOT" attribute-based access control on the data. We analyze the security and simulate the system. The experiment results show that our system can be applicable in the real-world scenarios.

Wenhai Sun,Shucheng Yu,Wenjing Lou,Y. Thomas Hou,Hui Li

DOI: https://doi.org/10.1109/tpds.2014.2355202

IF: 5.3

2016-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:Search over encrypted data is a critically important enabling technique in cloud computing, where encryption-before-outsourcing is a fundamental solution to protecting user data privacy in the untrusted cloud server environment. Many secure search schemes have been focusing on the single-contributor scenario, where the outsourced dataset or the secure searchable index of the dataset are encrypted and managed by a single owner, typically based on symmetric cryptography. In this paper, we focus on a different yet more challenging scenario where the outsourced dataset can be contributed from multiple owners and are searchable by multiple users, i.e. multi-user multi-contributor case. Inspired by attribute-based encryption (ABE), we present the first attribute-based keyword search scheme with efficient user revocation (ABKS-UR) that enables scalable fine-grained (i.e. file-level) search authorization. Our scheme allows multiple owners to encrypt and outsource their data to the cloud server independently. Users can generate their own search capabilities without relying on an always online trusted authority. Fine-grained search authorization is also implemented by the owner-enforced access policy on the index of each file. Further, by incorporating proxy re-encryption and lazy re-encryption techniques, we are able to delegate heavy system update workload during user revocation to the resourceful semi-trusted cloud server. We formalize the security definition and prove the proposed ABKS-UR scheme selectively secure against chosen-keyword attack. Finally, performance evaluation shows the efficiency of our scheme.

Xu An Wang,Xinyi Huang,Xiaoyuan Yang,Longfei Liu,Xuguang Wu

DOI: https://doi.org/10.1016/j.jss.2011.09.035

IF: 3.5

2012-01-01

Journal of Systems and Software

Abstract:Recently Shao et al. proposed an interesting cryptographic primitive called proxy re-encryption with keyword search (PRES). The main novelty is simultaneously realizing the functionality of proxy re-encryption and keyword search in one primitive. In this paper, we further extend their research by introducing a new primitive: constrained single-hop unidirectional proxy re-encryption supporting conjunctive keywords search (CPRE-CKS). Our results are as following: (1) In Shao's PRES scheme, the proxy can re-encrypt all the second level ciphertext. While in our CPRE-CKS proposal, the proxy can only re-encrypt those second level ciphertexts which contain the corresponding keywords. (2) We give the definition and security model for CPRE-CKS, and propose a concrete scheme and prove its security. (3) On the way to construct a secure CPRE-CKS scheme, we found a flaw in the security proof of Hwang et al.'s public key encryption with conjunctive keyword search (PECK) scheme proposed in Pairing’07.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Qian Xu,Chengxiang Tan,Wenye Zhu,Ya Xiao,Zhijie Fan,Fujia Cheng

DOI: https://doi.org/10.1016/j.future.2019.02.067

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:In recent years, the increasing popularity of cloud computing has led to a trend that data owners prefer to outsource their data to the clouds for the enjoyment of the on-demand storage and computing services. For security and privacy concerns, fine-grained access control and secure data retrieval for the outsourced data is of critical importance. Attribute-based keyword search (ABKS) scheme, as a cryptographic primitive which explores the notion of public key encryption with keyword search (PEKS) into the context of attribute-based encryption (ABE), can enable the data owner to flexibly share his data to a specified group of users satisfying the access policy and meanwhile, maintain the confidentiality and searchable properties of the sensitive data. However, in most of the previous ABKS schemes, the decryption service is not provided, and a fully trusted central authority is required, which is not practical in the scenario that the access policy is written over attributes or credentials issued across different trust domains and organizations. Moreover, the efficiency of storage and computation is also the bottleneck of implementation of ABKS scheme. In this paper, for the first time, we propose a decentralized ABKS scheme with conjunctive keyword search for the cloud storage system. Besides the multi-keyword search in the decentralized setting, our scheme outsources the undesirable costly operations of decryption to the cloud without degrading the user’s privacy. Furthermore, the encryption phase is also divided into two phases, an offline pre-computation phase which is independent with the plaintext message, access policy, and keyword set, and can be performed at any time when the data owner’s device is otherwise not in use, and an online encryption phase which only incurs very little computation costs. Security analysis indicates that our scheme is provably secure in the random oracle model. The asymptotic complexity comparison and simulation results also show that our scheme achieves high computation efficiency.

Ayad Ibrahim,Hai Jin,Ali A. Yassin,Deqing Zou

DOI: https://doi.org/10.1109/apscc.2012.59

2012-01-01

Abstract:Advances in cloud computing and Internet technologies have pushed more and more data owners to outsource their data to remote cloud servers to enjoy with huge data management services in an efficient cost. However, despite its technical advances, cloud computing introduces many new security challenges that need to be addressed well. This is because, data owners, under such new setting, loss the control over their sensitive data. To keep the confidentiality of their sensitive data, data owners usually outsource the encrypted format of their data to the untrusted cloud servers. Several approaches have been provided to enable searching the encrypted data. However, the majority of these approaches are limited to handle either a single keyword search or a Boolean search but not a multikeyword ranked search, a more efficient model to retrieve the top documents corresponding to the provided keywords. In this paper, we propose a secure multi-keyword ranked search scheme over the encrypted cloud data. Such scheme allows an authorized user to retrieve the most relevant documents in a descending order, while preserving the privacy of his search request and the contents of documents he retrieved. To do so, data owner builds his searchable index, and associates with each term document with a relevance score, which facilitates document ranking. The proposed scheme uses two distinct cloud servers, one for storing the secure index, while the other is used to store the encrypted document collection. Such new setting prevents leaking the search result, i.e. the document identifiers, to the adversary cloud servers. We have conducted several empirical analyses on a real dataset to demonstrate the performance of our proposed scheme.

Boli Hu,Kai Zhang,Junqing Gong,Lifei Wei,Jianting Ning

DOI: https://doi.org/10.1016/j.jisa.2024.103783

IF: 4.96

2024-05-25

Journal of Information Security and Applications

Abstract:E-Health Cloud can provide remote, accurate, real-time, intelligent information services for healthcare. Despite the benefits brought by data outsourcing, it may also cause data breaches and compromise user privacy. Searchable encryption can provide data security and search services in the encrypted data domain. However, in E-Health Cloud, users may have some other special needs, such as sharing their health information with doctors during the treatment period and updating the data access right when they transfer from one hospital to another. Some works introduced the primitive proxy re-encryption with public keyword search (Re-PEKS) to meet the above needs. However, the state-of-the-art solutions cannot support expressive boolean query, and its search cost time increases linearly with total number of outsourced documents, this is very impractical in huge E-Health Cloud system. An efficient Re-PEKS scheme termed PRTDs is proposed in this article to address this problem. PRTDs supports sub-linear boolean query, time controlled data sharing, and re-encryption to change data users simultaneously. To compare PRTDs with the most advanced time-enabled Re-PEKS scheme, we also implement exhaustive comparative experiments on HUAWEI Cloud with the Enron dataset, and the results show that PRTDs has a better performance on encryption and searching.

computer science, information systems

Jia-Zhi Li,Lei Zhang

DOI: https://doi.org/10.1109/CIS.2014.113

2014-01-01

Abstract:As more and more data is outsourced to cloud which is assumed to be a semi-trusted server, it is necessary to encrypt the sensitive data stored in the cloud. However, it brings a series of problems, such as: How to search over the encrypted data efficiently and securely? How should a data owner grant search capabilities to the data users? To solve these problems, we propose two attribute-based keyword search and data access control schemes based on public-key searchable encryption and attribute based encryption. Our solutions allow a data owner to control the access policy and grant the search policy to any data user who wants to retrieve the encrypted data efficiently.

Cheng Huang,Dongxiao Liu,Anjia Yang,Rongxing Lu,Xuemin Shen

DOI: https://doi.org/10.1109/tdsc.2023.3253786

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In this paper, we propose a multi-client secure and efficient keyword search scheme for cloud storage, which is built upon distributed point function (DPF). Specifically, outsourced keyword indexes are encoded by using garbled bloom filter and cuckoo filter, instead of bloom filter adopted by most of the state-of-the-art DPF-based schemes. In this way, clients can apply cuckoo hashing into DPF and utilize a segmentation method to interact with cloud servers for keyword search, and servers can obliviously aggregate DPF evaluation results to perform the search. Accordingly, the computational complexity at server side can be significantly reduced. Furthermore, the proposed scheme preserves constant downlink overheads, which is more communication-efficient for multi-keyword conjunctive search. To achieve privacy preservation and access control for multiple clients, we propose a double encryption method to encrypt outsourced indexes and correspondingly put forward an authorization algorithm from set-constrained pseudorandom functions by which fine-grained search-authorized keys can be generated, and collusion attacks among clients are addressed by integrating Wegman-Carter message authentication codes and cover-free systems. Since our scheme is designed under both semi-honest and malicious models (i.e., malicious servers may return incorrect query results), we use a simulation-based proof to formally demonstrate its security properties. Finally, we develop a proof-of-concept prototype and perform extensive experiments to show our scheme's practicality and efficiency in terms of computation, communication, and storage overheads.