Xian Yong Meng,Zhong Chen,Xiang Yu Meng,Bing Sun

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.74

2014-01-01

Applied Mechanics and Materials

Abstract:In this paper, an identity-based conditional proxy re-encryption (PRE) scheme is proposed, where a delegator provides a re-encryption key satisfying one condition to a semi-trusted proxy who can convert a ciphertext encrypted under the delegator’s public key into one that can be decrypted using the delegatee’s private key. We address the identity-based proxy re-encryption scheme, where the delegator and the delegatee request keys from a trusted party known as a key generator center (KGC), who generates private keys for delegator and delegatee based on their identities. Meanwhile, the identity-based conditional proxy re-encryption scheme satisfies the properties of PRE including unidirectionality, non-interactivity and multi-hop. Additionally, the identity-based conditional proxy re-encryption scheme is efficient in terms of both the communication cost and the computing cost, and can realize security secret sharing in cloud computing environments.

Lu Yan,Haozhe Qin,Kexin Yang,Heye Xie,Xu An Wang,Shuanggen Liu

DOI: https://doi.org/10.3390/electronics13030534

IF: 2.9

2024-01-29

Electronics

Abstract:The popularity of secure cloud data sharing is on the rise, but it also comes with significant concerns about privacy violations and data tampering. While existing Proxy Re-Encryption (PRE) schemes effectively protect data in the cloud, challenges persist with certificate administration and key escrow. Moreover, the increasing number of users and prevalence of lightweight devices demand functional and cost-effective solutions. To address these issues, this paper presents a novel Pairing-free Certificate-Based Proxy Re-Encryption Plus scheme that leverages elliptic curve groups for improved effectiveness and performance. This scheme successfully resolves challenges related to certificate management and key escrow in traditional PRE schemes, while also introducing non-transferable and message-level fine-grained control characteristics. These enhancements bolster data security during sharing and minimize the risk of malicious information leakage. Our proposed scheme's correctness, security, and effectiveness are rigorously verified and analyzed. The results demonstrate that the scheme achieves the chosen ciphertext security in the random oracle model. Compared to current PRE schemes, our approach offers greater advantages, lower computational overhead, and enhanced suitability for practical cloud computing applications.

engineering, electrical & electronic,computer science, information systems,physics, applied

Fucai Luo,Haiyan Wang,Willy Susilo,Xingfu Yan,Xiaofan Zheng

DOI: https://doi.org/10.1109/tifs.2024.3357240

IF: 7.231

2024-02-02

IEEE Transactions on Information Forensics and Security

Abstract:Proxy re-encryption (PRE), as a promising cryptographic primitive for secure data sharing in clouds, has been widely studied for decades. PRE allows the proxies to use the re-encryption keys to convert ciphertexts computed under the delegator's public key into ones that can be decrypted using the delegatees' secret keys, without knowing anything about the underlying plaintext. This delegable property of decryption rights enables flexible cloud data sharing, but it raises an important issue: if some proxies reveal their re-encryption keys, or collude with some delegatees to create a pirate decoder, then anyone who gains access to the pirate decoder can decrypt all ciphertexts computed under the delegator's public key without the delegator's permission. This paper opens up a potentially new avenue of research to address the above (re-encryption) key abuse problem by proposing the first public trace-and-revoke PRE system, where the malicious delegatees and proxies involved in the generation of a pirate decoder can be identified by anyone who gains access to the pirate decoder, and their decryption capabilities can subsequently be revoked by the content distributor. Our construction is multi-hop, supports user revocation and public (black-box) traceability, and achieves significant efficiency advantages over previous constructions. Technically, our construction is a generic transformation from inner-product functional PRE (IPFPRE) that we introduce to trace-and-revoke PRE. In addition, we instantiate our generic construction of trace-and-revoke PRE from the Learning with Errors (LWE) assumption, which was widely believed to be quantum-resistant. This is achieved by proposing the first LWE-based IPFPRE scheme, which may be of independent interest. Finally, we conduct a comprehensive performance evaluation of our LWE-based trace-and-revoke PRE scheme, and the experimental results show that the proposed LWE-based trace-and-revoke PRE scheme is practical and outperforms current state-of-the-art traceable PRE schemes.

computer science, theory & methods,engineering, electrical & electronic

Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

XIE Qi,WU JiYi,WANG GuiLin,CHEN DeRen,YU XiuYuan

2012-01-01

Abstract:Mutual authentication between the user and the public cloud is essential requirement for the user to access the public cloud in cloud computing.In 2011,Juang et al.proposed a first authentication scheme based on proxy signature.The advantage of the scheme is that the user only needs to register on his home service cloud(HSC),and can pass through the authentication of the public cloud with the help of his HSC.However, their scheme has three weaknesses:1)the user’s HSC needs to update the user’s public key in each session to protect the user’s privacy;2)HSC may suffer from network jam when many users in the same HSC need to register on different public clouds simultaneously;and 3)a secret key should be shared between HSC and visiting cloud.To overcome these weaknesses,a provably secure convertible proxy signcryption for privacy preserving is proposed.Based on this scheme,a novel one-round authentication protocol is proposed,which the user only needs to register on his HSC,and can pass through the authentication of the visiting cloud without the help of his HSC.On the other hand,the proposed protocol can provide some nice properties,such as user privacy protection, non-repudiation,without updating the user’s public key,and secret key does not have to be shared between HSC and visiting cloud.In addition,the proposed scheme is provably secure in the random oracle model,and is more efficient than Juang et al.’s scheme.

Qi XIE,XiuYuan YU,WenHao LIU,DeRen CHEN,GuiLin WANG,JiYi WU

DOI: https://doi.org/10.1360/112011-915

2012-01-01

Scientia Sinica Informationis

Abstract:Mutual authentication between the user and the public cloud is essential requirement for the user to access the public cloud in cloud computing. In 2011, Juang et al. proposed a first authentication scheme based on proxy signature. The advantage of the scheme is that the user only needs to register on his home service cloud (HSC), and can pass through the authentication of the public cloud with the help of his HSC. However, their scheme has three weaknesses: 1) the users HSC needs to update the users public key in each session to protect the users privacy; 2) HSC may suffer from network jam when many users in the same HSC need to register on different public clouds simultaneously; and 3) a secret key should be shared between HSC and visiting cloud. To overcome these weaknesses, a provably secure convertible proxy signcryption for privacy preserving is proposed. Based on this scheme, a novel one-round authentication protocol is proposed, which the user only needs to register on his HSC, and can pass through the authentication of the visiting cloud without the help of his HSC. On the other hand, the proposed protocol can provide some nice properties, such as user privacy protection, non-repudiation, without updating the users public key, and secret key does not have to be shared between HSC and visiting cloud. In addition, the proposed scheme is provably secure in the random oracle model, and is more efficient than Juang et al.s scheme.

Kwame Opuni-Boachie Obour Agyekum,Qi Xia,Emmanuel Boateng Sifah,Jianbin Gao,Hu Xia,Xiaojiang Du,Moshen Guizani

DOI: https://doi.org/10.3390/s19051235

2019-03-11

Abstract:Access and utilization of data are central to the cloud computing paradigm. With the advent of the Internet of Things (IoT), the tendency of data sharing on the cloud has seen enormous growth. With data sharing comes numerous security and privacy issues. In the process of ensuring data confidentiality and fine-grained access control to data in the cloud, several studies have proposed Attribute-Based Encryption (ABE) schemes, with Key Policy-ABE (KP-ABE) being the prominent one. Recent works have however suggested that the confidentiality of data is violated through collusion attacks between a revoked user and the cloud server. We present a secured and efficient Proxy Re-Encryption (PRE) scheme that incorporates an Inner-Product Encryption (IPE) scheme in which decryption of data is possible if the inner product of the private key, associated with a set of attributes specified by the data owner, and the associated ciphertext is equal to zero 0 . We utilize a blockchain network whose processing node acts as the proxy server and performs re-encryption on the data. In ensuring data confidentiality and preventing collusion attacks, the data are divided into two, with one part stored on the blockchain network and the other part stored on the cloud. Our approach also achieves fine-grained access control.

Xu An Wang,Ziqing Wang,Yi Ding,Shujun Bai

DOI: https://doi.org/10.1109/cis.2011.213

2011-01-01

Abstract:The traditional proxy re-encryption (PRE) or conditional proxy re-encryption (CPRE) can re-encrypt infinite times on the delegator's cipher text. However many practical applications do not need this property, they prefer the delegator can control on the times the proxy can re-encrypt. In this paper, we introduce a new kind of proxy re-encryption: k-times proxy re-encryption (KPRE). To construct a concrete KPRE scheme, we add public/private key to the proxy. In k-times proxy re-encryption, the proxy can only re-encrypt k times, otherwise the proxy's private key will be exposed. We construct a concrete IND-RCCA secure KPRE scheme by combining the k-times signature and Libert et al's IND-RCCA PRE scheme in PKC'08.

Xin Qian,Zhen Yang,Shihui Wang,Yongfeng Huang

DOI: https://doi.org/10.1007/978-3-030-24274-9_8

2019-01-01

Abstract:To protect data sharing from leakage in untrusted cloud, proxy re-encryption is commonly exploited for access control. However, most proposed schemes require bilinear pair to attain secure data sharing, which gives too heavy burden on the data owner. In this paper, we propose a novel lightweight proxy re-encryption scheme without pairing. Our scheme builds the pre-encryption algorithm based on computational Diffie–Hellman problem, and designs a certificateless protocol based on a semi-trusted Key Generation Center. Theoretical analysis proves that our scheme is Chosen-Ciphertext-Attack secure. The performance is also shown to achieve less computation burden for the data owner compared with the state-of-the-art.

Wei-Hao Chen,Chun-I Fan,Yi-Fan Tseng

2024-10-11

Abstract:The development of cloud services in recent years has mushroomed, for example, Google Drive, Amazon AWS, Microsoft Azure. Merchants can easily use cloud services to open their online shops in a few seconds. Users can easily and quickly connect to the cloud in their own portable devices, and access their personal information effortlessly. Because users store large amounts of data on third-party devices, ensuring data confidentiality, availability and integrity become especially important. Therefore, data protection in cloud storage is the key to the survival of the cloud industry. Fortunately, Proxy Re-Encryption schemes enable users to convert their ciphertext into others ciphertext by using a re-encryption key. This method gracefully transforms the users computational cost to the server. In addition, with C-PREs, users can apply their access control right on the encrypted data. Recently, we lowered the key storage cost of C-PREs to constant size and proposed the first Key-Aggregate Proxy Re-Encryption scheme. In this paper, we further prove that our scheme is a CCA-secure Key-Aggregate Proxy Re-Encryption scheme in the adaptive model without using random oracle. Moreover, we also implement and analyze the Key Aggregate PRE application in the real world scenario.

Cryptography and Security

Zhenhua Chen,Shundong Li,Yimin Guo,Yilei Wang,Yunjie Chu

DOI: https://doi.org/10.1007/978-3-319-11698-3_7

2014-01-01

Abstract:In this paper, we introduce a new concept of limited proxy re-encryption with keyword search (LPREKS) for fine-grained data access control in cloud computing, which combines the function of limited proxy re-encryption (LPRE) and that of public key encryption with keyword search (PEKS). However, an LPREKS scheme cannot be obtained by directly combining those two schemes since the resulting scheme is no longer proven secure in our security model. Our scheme is proven semantically secure under the modified Bilinear Diffie-Hellman (mBDH) assumption and the q-Decisional Bilinear Diffie-Hellman inversion (qDBDHI) assumption in the random oracle model. Our proposal realizes three desired situations as follows: (1) the proxy cloud server can re-encrypt the delegated data containing some keyword which matches the trapdoor from delegatee, (2) the proxy can only reencrypt a limited number of delegated data to the delegatee; otherwise, the private key of the proxy will be exposed, and (3) the proxy cloud server learns nothing about the contents of data and keyword.

Jingyu Feng,Yue Li,Teng Wang,Shuanggen Liu

DOI: https://doi.org/10.1109/jiot.2024.3425450

IF: 10.6

2024-10-12

IEEE Internet of Things Journal

Abstract:The industrial Internet information system has become the key to protecting the new generation of information infrastructure, and its data security storage and sharing are crucial for platform construction and alliance development. In response to security challenges, such as privacy leakage, data tampering, and lack of effective isolation in the current industrial Internet data storage and sharing process, this article proposes an industrial Internet data-sharing scheme based on multiclouds and multichains collaborative storage mode. The proposed scheme supports keyword search and utilizes certificateless threshold proxy re-encryption (PRE) technology. Our scheme allows industrial enterprises to securely store a large amount of sensitive data ciphertext in private clouds, while classifying and storing metadata ciphertext on different blockchains. A data protection algorithm that avoids private key escrow and supports ciphertext retrieval is constructed by combining certificateless PRE, threshold secret sharing, and searchable encryption techniques. In addition, a trust evaluation consensus algorithm is designed to select nodes with high trust as proxies in blockchain networks, solving the trust problem in traditional PRE schemes. Security analysis shows that our scheme can effectively resist collusion attacks and data tampering. Performance and simulation comparison analysis show that the main algorithms in our scheme have a lower time cost compared to the other typical schemes involved in comparison.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xinyu Feng,Cong Li,Qingni Shen,Jisheng Dong,Wenjun Qian,Yuejian Fang,Zhonghai Wu

DOI: https://doi.org/10.1109/icme57554.2024.10687480

2024-01-01

Abstract:Due to the rapid growth of mobile internet, massive multimedia data (e.g., movies, photos, notes, etc.) on mobile devices is synchronized and shared through the cloud. During this process, public key encryption plays an important role in ensuring the confidentiality of data. However, due to the bottleneck of computing and storage resources in mobile devices, it is difficult to execute complex cryptographic algorithms on them. In this paper, we present a novel Hybrid Proxy Reencryption (HyPRE) scheme for the sharing of multimedia data on mobile devices, which empowers a semi-trusted proxy to convert a ciphertext under an identity to a new one under an expressive policy without revealing the underlying plaintext. Our scheme allows mobile devices with limited resources to encrypt data efficiently, and then to share the encrypted data to multiple entities securely. We define the HRA security for our HyPRE scheme to improve the incompleteness of the security under chosen plaintext attacks (CPA) in traditional proxy re-encryption schemes and prove it selectively secure under HRA. Experimental analysis indicates that HyPRE achieves 2× to 3× improvement in terms of re-encryption performance compared with the state-of-the-art ones.

Yulong Shen

DOI: https://doi.org/10.1109/tbdata.2017.2707552

2017-01-01

IEEE Transactions on Big Data

Abstract:The k-nearest neighbors (k-NN) query is a fundamental primitive in spatial and multimedia databases. It has extensive applications in location-based services, classification & clustering and so on. With the promise of confidentiality and privacy, massive data are increasingly outsourced to cloud in the encrypted form for enjoying the advantages of cloud computing (e.g., reduce storage and query processing costs). Recently, many schemes have been proposed to support k-NN query on encrypted cloud data. However, prior works have all assumed that the query users (QUs) are fully-trusted and know the key of the data owner (DO), which is used to encrypt and decrypt outsourced data. The assumptions are unrealistic in many situations, since many users are neither trusted nor knowing the key. In this paper, we propose a novel scheme for secure k-NN query on encrypted cloud data with multiple keys, in which the DO and each QU all hold their own different keys, and do not share them with each other; meanwhile, the DO encrypts and decrypts outsourced data using the key of his own. Our scheme is constructed by a distributed two trapdoors public-key cryptosystem (DT-PKC) and a set of protocols of secure two-party computation, which not only preserves the data confidentiality and query privacy but also supports the offline data owner. Our extensive theoretical and experimental evaluations demonstrate the effectiveness of our scheme in terms of security and performance.

Jinqiu Hou,Changgen Peng,Weijie Tan,Hongfa Ding

DOI: https://doi.org/10.32604/cmes.2023.027276

2024-01-01

Computer Modeling in Engineering & Sciences

Abstract:Cloud-based services have powerful storage functions and can provide accurate computation. However, the question of how to guarantee cloud-based services access control and achieve data sharing security has always been a research highlight. Although the attribute-based proxy re-encryption (ABPRE) schemes based on number theory can solve this problem, it is still difficult to resist quantum attacks and have limited expression capabilities. To address these issues, we present a novel linear secret sharing schemes (LSSS) matrix-based ABPRE scheme with the fine-grained policy on the lattice in the research. Additionally, to detect the activities of illegal proxies, homomorphic signature (HS) technology is introduced to realize the verifiability of re-encryption. Moreover, the non-interactivity, unidirectionality, proxy transparency, multi-use, and anti-quantum attack characteristics of our system are all advantageous. Besides, it can efficiently prevent the loss of processing power brought on by repetitive authorisation and can enable precise and safe data sharing in the cloud. Furthermore, under the standard model, the proposed learning with errors (LWE)-based scheme was proven to be IND-sCPA secure.

engineering, multidisciplinary,mathematics, interdisciplinary applications

WeiDong Zhong,Xu An Wang,Ziqing Wang,Yi Ding

DOI: https://doi.org/10.1109/CIS.2011.217

2011-01-01

Abstract:Proxy re-encryption (PRE) allows a proxy to transform a cipher text for Alice (delegator) to be the one which can be decrypted by Bob (delegatee). Since it is introduced by Blaze et al. in 1998, many variants of PRE have been proposed. In this paper, we concentrate on two of them: anonymous conditional proxy re-encryption (ACPRE) and constrained proxy re-encryption with keyword search (PRES). Conditional proxy re-encryption (CPRE) is a primitive which only allows those cipher texts satisfying the condition can be re-encrypted correctly by the proxy. Anonymous conditional proxy re-encryption (ACPRE) requires the proxy not knowing which condition the cipher text associated with. PRES is a primitive which allows the proxy simultaneously re-encrypt and search the delegator's cipher text. Based on the PRES proposed by Shao et al., We show the definition of constrained proxy re-encryption with keyword search (CPRES), give its security models and discuss its potential applications. At last, based on a concrete ACPRE scheme, we construct a concrete CPRES scheme.

Xiuxia Tian,Ling Huang,Tony Wu,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/icde.2016.7498383

2016-05-01

Abstract:Outsourcing keys (including passwords and data encryption keys) to professional password managers (honest-but-curious service providers) is attracting more and more attention from the researchers and users in the era of cloud computing. However, existing solutions in traditional data outsourcing scenario are unable to simultaneously meet the following three security requirements for keys outsourcing: 1)Confidentiality and privacy of keys; 2)Search privacy on identity attributes tied to keys; 3)Owner controllable authorization over his/her shared keys. In this paper, we propose CloudKeyBank, the first unified key management framework that addresses all the three goals above. To implement CloudKeyBank efficiently, we propose a new cryptographic primitive named Searchable Conditional Proxy Re-Encryption (SC-PRE) which combines the techniques of Hidden Vector Encryption (HVE) and Proxy Re-Encryption (PRE) seamlessly.

Ling Liu,Yuqing Zhang,Xuejun Li

DOI: https://doi.org/10.1109/tcc.2018.2869333

IF: 5.697

2021-04-01

IEEE Transactions on Cloud Computing

Abstract:Deduplication, which can save storage cost by enabling us to store only one copy of identical data, becomes unprecedentedly significant with the dramatic increase in data stored in the cloud. For the purpose of ensuring data confidentiality, they are usually encrypted before outsourced. Traditional encryption will inevitably result in multiple different ciphertexts produced from the same plaintext by different users’ secret keys, which hinders data deduplication. Convergent encryption makes deduplication possible since it naturally encrypts the same plaintexts into the same ciphertexts. One attendant problem is how to reliably and effectively manage a huge number of convergent keys. Several deduplication schemes have been proposed to deal with the convergent key management problem. However, they either need to introduce key management servers or require interaction between data owners. In this paper, we design a novel client-side deduplication protocol named KeyD without such an independent key management server by utilizing the identity-based broadcast encryption (IBBE) technique. Users only interact with the cloud service provider (CSP) during the process of data upload and download. Security analysis demonstrates that KeyD ensures data confidentiality and convergent key security, and well protects the ownership privacy simultaneously. A thorough and detailed performance comparison shows that our scheme makes a better tradeoff among the storage cost, communication and computation overhead.

computer science, information systems, theory & methods

Licheng Wang,Jing Li,Jianhua Yan,Zhiguo Qu

DOI: https://doi.org/10.1109/incos.2016.12

2016-01-01

Abstract:Proxy re-encryption (PRE) enables a semi-trusted proxy to transfer Alice's secrets into Bob's secrets but without seeing the secrets. This functionality is very interesting for making balance between the information confidentiality and the mutual accessibility in various scenarios such as public cloud storage systems. During the past decades, many smart PRE schemes were built based on intractability assumptions such as integer factorization problems (IFP) and discrete logarithm problems (DLP). However, Shor's efficient quantum algorithms for IFP and DLP manifests a threat towards the security baseline of these schemes. Enlightened by Gu et al.'s recent work on resisting known quantum attacks, we propose an efficient PRE scheme based on the intractability of the (semi) group factorization problems in this paper. The security of the proposed scheme is analyzed according to some conceivable attacks.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.