XIE Qi,WU JiYi,WANG GuiLin,CHEN DeRen,YU XiuYuan

2012-01-01

Abstract:Mutual authentication between the user and the public cloud is essential requirement for the user to access the public cloud in cloud computing.In 2011,Juang et al.proposed a first authentication scheme based on proxy signature.The advantage of the scheme is that the user only needs to register on his home service cloud(HSC),and can pass through the authentication of the public cloud with the help of his HSC.However, their scheme has three weaknesses:1)the user’s HSC needs to update the user’s public key in each session to protect the user’s privacy;2)HSC may suffer from network jam when many users in the same HSC need to register on different public clouds simultaneously;and 3)a secret key should be shared between HSC and visiting cloud.To overcome these weaknesses,a provably secure convertible proxy signcryption for privacy preserving is proposed.Based on this scheme,a novel one-round authentication protocol is proposed,which the user only needs to register on his HSC,and can pass through the authentication of the visiting cloud without the help of his HSC.On the other hand,the proposed protocol can provide some nice properties,such as user privacy protection, non-repudiation,without updating the user’s public key,and secret key does not have to be shared between HSC and visiting cloud.In addition,the proposed scheme is provably secure in the random oracle model,and is more efficient than Juang et al.’s scheme.

Qi XIE,XiuYuan YU,WenHao LIU,DeRen CHEN,GuiLin WANG,JiYi WU

DOI: https://doi.org/10.1360/112011-915

2012-01-01

Scientia Sinica Informationis

Abstract:Mutual authentication between the user and the public cloud is essential requirement for the user to access the public cloud in cloud computing. In 2011, Juang et al. proposed a first authentication scheme based on proxy signature. The advantage of the scheme is that the user only needs to register on his home service cloud (HSC), and can pass through the authentication of the public cloud with the help of his HSC. However, their scheme has three weaknesses: 1) the users HSC needs to update the users public key in each session to protect the users privacy; 2) HSC may suffer from network jam when many users in the same HSC need to register on different public clouds simultaneously; and 3) a secret key should be shared between HSC and visiting cloud. To overcome these weaknesses, a provably secure convertible proxy signcryption for privacy preserving is proposed. Based on this scheme, a novel one-round authentication protocol is proposed, which the user only needs to register on his HSC, and can pass through the authentication of the visiting cloud without the help of his HSC. On the other hand, the proposed protocol can provide some nice properties, such as user privacy protection, non-repudiation, without updating the users public key, and secret key does not have to be shared between HSC and visiting cloud. In addition, the proposed scheme is provably secure in the random oracle model, and is more efficient than Juang et al.s scheme.

Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Xin Qian,Zhen Yang,Shihui Wang,Yongfeng Huang

DOI: https://doi.org/10.1007/978-3-030-24274-9_8

2019-01-01

Abstract:To protect data sharing from leakage in untrusted cloud, proxy re-encryption is commonly exploited for access control. However, most proposed schemes require bilinear pair to attain secure data sharing, which gives too heavy burden on the data owner. In this paper, we propose a novel lightweight proxy re-encryption scheme without pairing. Our scheme builds the pre-encryption algorithm based on computational Diffie–Hellman problem, and designs a certificateless protocol based on a semi-trusted Key Generation Center. Theoretical analysis proves that our scheme is Chosen-Ciphertext-Attack secure. The performance is also shown to achieve less computation burden for the data owner compared with the state-of-the-art.

Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Xian Yong Meng,Zhong Chen,Xiang Yu Meng,Bing Sun

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.74

2014-01-01

Applied Mechanics and Materials

Abstract:In this paper, an identity-based conditional proxy re-encryption (PRE) scheme is proposed, where a delegator provides a re-encryption key satisfying one condition to a semi-trusted proxy who can convert a ciphertext encrypted under the delegator’s public key into one that can be decrypted using the delegatee’s private key. We address the identity-based proxy re-encryption scheme, where the delegator and the delegatee request keys from a trusted party known as a key generator center (KGC), who generates private keys for delegator and delegatee based on their identities. Meanwhile, the identity-based conditional proxy re-encryption scheme satisfies the properties of PRE including unidirectionality, non-interactivity and multi-hop. Additionally, the identity-based conditional proxy re-encryption scheme is efficient in terms of both the communication cost and the computing cost, and can realize security secret sharing in cloud computing environments.

Yilei Wang,Dongjie Yan,Fagen Li,Hu Xiong

2017-01-01

Abstract:Proxy re-encryption (PRE) enables a semi-trusted proxy to delegate the decryption right by re-encrypting the ciphertext under the delegator’s public key to an encryption under the public key of delegatee. Fueled by the translation ability, PRE is regarded as a promising candidate to secure data sharing in a cloud environment. However, the security of the PRE will be totally destroyed in case the secret key of the delegator or the delegatee has been exposed. Despite the key exposure seems inevitable, the PRE scheme with resistance against secret key leakage has never been presented before. To deal with this intractable problem, we propose a key-insulated proxy reencryption (KIPRE) scheme by incorporating the mechanisms of PRE and key-insulated cryptosystem. In the proposed scheme, the lifetime of the secret key associated with the user, i.e., the delegator or the delegatee, has been divided into several periods. In each time period, the user can interact with his/her physically-secure but computation-limited helper to update his/her temporary secret key. On the contrary, the public keys of the users remained unchanged during the whole lifetime of the system. We then apply our KIPRE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds with resilience to the key exposure. The performance evaluation and the security analysis demonstrate that our scheme is efficient and practical.

Han-Yu Lin,Pei-Ru Chen

DOI: https://doi.org/10.3390/s24196290

2024-09-28

Abstract:As technology advances rapidly, a diverse array of Internet of Things (IoT) devices finds widespread application across numerous fields. The intelligent nature of these devices not only gives people more convenience, but also introduces new challenges especially in security when transmitting data in fog-based cloud environments. In fog computing environments, data need to be transmitted across multiple devices, increasing the risk of data being intercepted or tampered with during transmission. To securely share cloud ciphertexts, an alleged proxy re-encryption approach is a commonly adopted solution. Without decrypting the original ciphertext, such a mechanism permits a ciphertext intended for user A to be easily converted into the one intended for user B. However, to revoke the decryption privilege of data users usually relies on the system authority to maintain a user revocation list which inevitably increases the storage space. In this research, the authors come up with a fog-based proxy re-encryption system with revocable identity. Without maintaining the traditional user revocation list, the proposed scheme introduces a time-updated key mechanism. The time-update key could be viewed as a partial private key and should be renewed with different time periods. A revoked user is unable to obtain the renewed time-update key and hence cannot share or decrypt cloud ciphertexts. We formally demonstrate that the introduced scheme satisfies the security of indistinguishability against adaptively chosen identity and chosen plaintext attacks (IND-PrID-CPA) assuming the hardness of the Decisional Bilinear Diffie-Hellman (DBDH) problem in the random oracle model. Furthermore, compared with similar systems, the proposed one also has lower computational complexity as a whole.

Lu Yan,Haozhe Qin,Kexin Yang,Heye Xie,Xu An Wang,Shuanggen Liu

DOI: https://doi.org/10.3390/electronics13030534

IF: 2.9

2024-01-29

Electronics

Abstract:The popularity of secure cloud data sharing is on the rise, but it also comes with significant concerns about privacy violations and data tampering. While existing Proxy Re-Encryption (PRE) schemes effectively protect data in the cloud, challenges persist with certificate administration and key escrow. Moreover, the increasing number of users and prevalence of lightweight devices demand functional and cost-effective solutions. To address these issues, this paper presents a novel Pairing-free Certificate-Based Proxy Re-Encryption Plus scheme that leverages elliptic curve groups for improved effectiveness and performance. This scheme successfully resolves challenges related to certificate management and key escrow in traditional PRE schemes, while also introducing non-transferable and message-level fine-grained control characteristics. These enhancements bolster data security during sharing and minimize the risk of malicious information leakage. Our proposed scheme's correctness, security, and effectiveness are rigorously verified and analyzed. The results demonstrate that the scheme achieves the chosen ciphertext security in the random oracle model. Compared to current PRE schemes, our approach offers greater advantages, lower computational overhead, and enhanced suitability for practical cloud computing applications.

engineering, electrical & electronic,computer science, information systems,physics, applied

Er-Shuo Zhuang,Chun-I Fan

DOI: https://doi.org/10.3390/math11183830

IF: 2.4

2023-09-07

Mathematics

Abstract:To protect the privacy of cloud data, encryption before uploading provides a solution. However, searching for target data in ciphertext takes effort. Therefore, searchable encryption has become an important research topic. On the other hand, since the advancement of quantum computers will lead to the crisis of cracking traditional encryption algorithms, it is necessary to design encryption schemes that can resist quantum attacks. Therefore, we propose a multi-keyword searchable identity-based proxy re-encryption scheme from lattices. In addition to resisting quantum attacks, the proposed scheme uses several cryptographic techniques to improve encryption efficiency. First, identity-based encryption is used to reduce the computation and transmission costs caused by certificates. Second, the proposed scheme uses proxy re-encryption to achieve the purpose of outsourced computing, allowing the proxy server to reduce the computation and transmission costs of the users. Third, the proposed multi-keyword searchable encryption can provide AND and OR operators to increase the flexibility of searchability. Moreover, the access structure of the proposed scheme is not based on a linear secret sharing scheme (LSSS), avoiding the errors caused by an LSSS-based structure in decryption or search results. Finally, we also give formal security proof of the proposed scheme under the decisional learning with errors assumption.

mathematics

Jinqiu Hou,Changgen Peng,Weijie Tan,Hongfa Ding

DOI: https://doi.org/10.32604/cmes.2023.027276

2024-01-01

Computer Modeling in Engineering & Sciences

Abstract:Cloud-based services have powerful storage functions and can provide accurate computation. However, the question of how to guarantee cloud-based services access control and achieve data sharing security has always been a research highlight. Although the attribute-based proxy re-encryption (ABPRE) schemes based on number theory can solve this problem, it is still difficult to resist quantum attacks and have limited expression capabilities. To address these issues, we present a novel linear secret sharing schemes (LSSS) matrix-based ABPRE scheme with the fine-grained policy on the lattice in the research. Additionally, to detect the activities of illegal proxies, homomorphic signature (HS) technology is introduced to realize the verifiability of re-encryption. Moreover, the non-interactivity, unidirectionality, proxy transparency, multi-use, and anti-quantum attack characteristics of our system are all advantageous. Besides, it can efficiently prevent the loss of processing power brought on by repetitive authorisation and can enable precise and safe data sharing in the cloud. Furthermore, under the standard model, the proposed learning with errors (LWE)-based scheme was proven to be IND-sCPA secure.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Zhenhua Chen,Shundong Li,Yimin Guo,Yilei Wang,Yunjie Chu

DOI: https://doi.org/10.1007/978-3-319-11698-3_7

2014-01-01

Abstract:In this paper, we introduce a new concept of limited proxy re-encryption with keyword search (LPREKS) for fine-grained data access control in cloud computing, which combines the function of limited proxy re-encryption (LPRE) and that of public key encryption with keyword search (PEKS). However, an LPREKS scheme cannot be obtained by directly combining those two schemes since the resulting scheme is no longer proven secure in our security model. Our scheme is proven semantically secure under the modified Bilinear Diffie-Hellman (mBDH) assumption and the q-Decisional Bilinear Diffie-Hellman inversion (qDBDHI) assumption in the random oracle model. Our proposal realizes three desired situations as follows: (1) the proxy cloud server can re-encrypt the delegated data containing some keyword which matches the trapdoor from delegatee, (2) the proxy can only reencrypt a limited number of delegated data to the delegatee; otherwise, the private key of the proxy will be exposed, and (3) the proxy cloud server learns nothing about the contents of data and keyword.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.

Chong Wang,Hao Jin,Ronglei Wei,Ke Zhou

DOI: https://doi.org/10.1007/s11227-021-04277-3

IF: 3.3

2022-01-20

The Journal of Supercomputing

Abstract:Attribute-based encryption(ABE) can enable user-centered data sharing in untrusted cloud scenario where users usually lack control on their outsourced data. However, existing ABE schemes have intrinsic limitations on scalability and revocation efficiency due to the bottleneck of a central authority and heavy re-encryption overhead on revocations. In this paper, we present a revocable decentralized attribute-based encryption scheme for data access control in cloud storage. In particular, by integrating decentralized attribute-based encryption, key regression technique, all-or-nothing transform, revocation list for involved attributes, and blacklist in a novel way, we provide a revocable ABE scheme with practical dynamic group membership and identity privacy protection, and meanwhile, it enhances the re-encryption efficiency caused by revocations without sacrificing security. We analyzed the security of our scheme. The experimental evaluation demonstrates that the cryptographic overhead on key derivation, encryption(decryption), and ABE ciphertext update are reasonable, and for the throughput of accessing encrypted data from the cloud, our scheme outperforms other schemes.

computer science, theory & methods,engineering, electrical & electronic, hardware & architecture

Wei-Hao Chen,Chun-I Fan,Yi-Fan Tseng

2024-10-11

Abstract:The development of cloud services in recent years has mushroomed, for example, Google Drive, Amazon AWS, Microsoft Azure. Merchants can easily use cloud services to open their online shops in a few seconds. Users can easily and quickly connect to the cloud in their own portable devices, and access their personal information effortlessly. Because users store large amounts of data on third-party devices, ensuring data confidentiality, availability and integrity become especially important. Therefore, data protection in cloud storage is the key to the survival of the cloud industry. Fortunately, Proxy Re-Encryption schemes enable users to convert their ciphertext into others ciphertext by using a re-encryption key. This method gracefully transforms the users computational cost to the server. In addition, with C-PREs, users can apply their access control right on the encrypted data. Recently, we lowered the key storage cost of C-PREs to constant size and proposed the first Key-Aggregate Proxy Re-Encryption scheme. In this paper, we further prove that our scheme is a CCA-secure Key-Aggregate Proxy Re-Encryption scheme in the adaptive model without using random oracle. Moreover, we also implement and analyze the Key Aggregate PRE application in the real world scenario.

Cryptography and Security

Wenlong Yi,Chuang Wang,Sergey Kuzmin,Igor Gerasimov,Xiangping Cheng

DOI: https://doi.org/10.3390/s24154939

2024-07-30

Abstract:Existing attribute-based proxy re-encryption schemes suffer from issues like complex access policies, large ciphertext storage space consumption, and an excessive authority of the authorization center, leading to weak security and controllability of data sharing in cloud storage. This study proposes a Weighted Attribute Authority Multi-Authority Proxy Re-Encryption (WAMA-PRE) scheme that introduces attribute weights to elevate the expression of access policies from binary to multi-valued, simplifying policies and reducing ciphertext storage space. Simultaneously, the multiple attribute authorities and the authorization center construct a joint key, reducing reliance on a single authorization center. The proposed distributed attribute authority network enhances the anti-attack capability of cloud storage. Experimental results show that introducing attribute weights can reduce ciphertext storage space by 50%, proxy re-encryption saves 63% time compared to repeated encryption, and the joint key construction time is only 1% of the benchmark scheme. Security analysis proves that WAMA-PRE achieves CPA security under the decisional q-parallel BDHE assumption in the random oracle model. This study provides an effective solution for secure data sharing in cloud storage.

Zhenhua Chen,Shundong Li,Qiong Huang,Yilei Wang,Sufang Zhou

DOI: https://doi.org/10.1002/cpe.3754

2016-01-01

Concurrency and Computation Practice and Experience

Abstract:SummaryFor fine‐grained data access control in cloud computing, for the first time, we introduce a new concept called restricted proxy re‐encryption with keyword search, which combines the function of proxy re‐encryption with keyword search and that of threshold cryptosystem. To demonstrate this concept, we present the formal syntax for restricted proxy re‐encryption with keyword search, the security model, and a concrete construction. In our scheme, we take advantage of the techniques of threshold cryptosystem to restrict the capacity of the proxy cloud server, and in the meantime, we let the proxy cloud server can only re‐encrypt the data containing a specified keyword, which matches the trapdoor from delegatee to provide an accurate access control for users. While in this process, the proxy cloud server learns nothing about the contents of data and keyword. Our scheme is proved to be semantically secure under the modified bilinear Diffie–Hellman assumption and the q‐decisional bilinear Diffie–Hellman inversion assumption in the random oracle model. Finally, we apply the techniques in our scheme to some practical problems. Copyright © 2016 John Wiley & Sons, Ltd.

Xuexue Jin,Lingbo Wei,Mengke Yu,Nenghai Yu,Jinyuan Sun

DOI: https://doi.org/10.1109/ICCChina.2013.6671119

2013-01-01

Abstract:Cloud computing is viewed as the next generation architecture of IT companies. As promising as it is, cloud computing also brings forth many new security issues when users outsource sensitive data to cloud servers. To keep sensitive users' data confidential against untrusted servers, existing solutions usually apply cryptographic methods. With data encryption, the same file will become different from each other, thus deduplication which is widely adopted by cloud storage service providers meets some challenges. Current method to solve the problem is to make use of some information computed from the shared file to achieve deduplication of encrypted data, say convergent encryption. But this piece of information which is computable from the file via a deterministic public algorithm is not really meant to be secret. To this end, we propose a scheme to address the deduplication of encrypted data efficiently and securely with the help of ensuring the ownership of the shared file, encrypting data using keys at user's will and realizing the anonymous store through the digital credential. We achieve this aims through proof of ownership (POW), proxy re-encryption (PRE) and digital credential.

Mang SU,Guozhen SHI,Anmin FU,Yan YU,Wei JIN

2018-01-01

Abstract:Cloud computing is one of the space-ground integration information network applications.Users can access data and retrieve service easily and quickly in cloud.The confidentiality and integrity of the data cloud have a direct correspondence to data security of the space-ground integration information network.Thus the data in cloud is transferred with encrypted form to protect the information.As an important technology of cloud security,access control should take account of multi-factor and cipher text to satisfy the complex requirement for cloud data protection.Based on this,a proxy re-encryption based multi-factor access control (PRE-MFAC) scheme was proposed.Firstly,the aims and assumptions of PRE-MFAC were given.Secondly,the system model and algorithm was defined.Finally,the security and properties of PRE-MFAC were analyzed.The proposed scheme has combined the PRE and multi-factor access control together and realized the multi-factor permission management of cipher text in cloud.Meanwhile,it can make the best possible use of cloud in computing and storing,then reduce the difficulty of personal user in cryptographic computing and key managing.

Xiuxia Tian,Ling Huang,Tony Wu,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/icde.2016.7498383

2016-05-01

Abstract:Outsourcing keys (including passwords and data encryption keys) to professional password managers (honest-but-curious service providers) is attracting more and more attention from the researchers and users in the era of cloud computing. However, existing solutions in traditional data outsourcing scenario are unable to simultaneously meet the following three security requirements for keys outsourcing: 1)Confidentiality and privacy of keys; 2)Search privacy on identity attributes tied to keys; 3)Owner controllable authorization over his/her shared keys. In this paper, we propose CloudKeyBank, the first unified key management framework that addresses all the three goals above. To implement CloudKeyBank efficiently, we propose a new cryptographic primitive named Searchable Conditional Proxy Re-Encryption (SC-PRE) which combines the techniques of Hidden Vector Encryption (HVE) and Proxy Re-Encryption (PRE) seamlessly.