Hua Shen,Jian Zhou,Ge Wu,Mingwu Zhang

DOI: https://doi.org/10.1109/access.2023.3334733

IF: 3.9

2023-12-20

IEEE Access

Abstract:The convenience and efficient management of cloud servers have resulted in an increasing number of users opting to store their data in the cloud. Consequently, data-outsourcing services relying on cloud servers have been extensively deployed and utilized. In this case, before outsourcing the data to cloud storage, we should ensure unauthorized users cannot access the data. In this article, we present a scheme termed MKSABE-VaAR (multi-keyword searchable attribute-based encryption with verification and attribute revocation). Aiming at the problems of inefficiency, excessive computation in the search process, and only supporting single-keyword search in most attribute-based searchable encryption schemes, first, we package multiple keywords into a polynomial to realize multi-keyword search. Based on this polynomial, MKSABE-VaAR can reduce the amount of search calculation for keyword ciphertext and improve search efficiency by reducing the number of bilinear pairing operations. At the same time, we have made some special constructs for indexing to add verification of user attributes in the keyword search process, which improves the search accuracy. Moreover, we adopt a linear secret-sharing technique to construct the attribute revocation function of MKSABE-VaAR, making a lower computational cost of attribute revocation. Furthermore, the mechanism of storing data and indexes separately greatly reduces the risk of data leakage of MKSABE-VaAR.

computer science, information systems,telecommunications,engineering, electrical & electronic

Shangping Wang,Xiaoxue Zhang,Yaling Zhang

DOI: https://doi.org/10.1371/journal.pone.0167157

IF: 3.7

2016-11-29

PLoS ONE

Abstract:Cipher-policy attribute-based encryption (CP-ABE) focus on the problem of access control, and keyword-based searchable encryption scheme focus on the problem of finding the files that the user interested in the cloud storage quickly. To design a searchable and attribute-based encryption scheme is a new challenge. In this paper, we propose an efficiently multi-user searchable attribute-based encryption scheme with attribute revocation and grant for cloud storage. In the new scheme the attribute revocation and grant processes of users are delegated to proxy server. Our scheme supports multi attribute are revoked and granted simultaneously. Moreover, the keyword searchable function is achieved in our proposed scheme. The security of our proposed scheme is reduced to the bilinear Diffie-Hellman (BDH) assumption. Furthermore, the scheme is proven to be secure under the security model of indistinguishability against selective ciphertext-policy and chosen plaintext attack (IND-sCP-CPA). And our scheme is also of semantic security under indistinguishability against chosen keyword attack (IND-CKA) in the random oracle model.

Fucai Luo,Haiyan Wang,Changlu Lin,Xingfu Yan

DOI: https://doi.org/10.1109/tifs.2023.3301740

IF: 7.231

2023-08-19

IEEE Transactions on Information Forensics and Security

Abstract:The widespread adoption of cloud computing and the exponential growth of data highlight the need for secure data sharing and querying. Attribute-based keyword search (ABKS) has emerged as an efficient means of searching encrypted data stored in the cloud. However, existing ABKS schemes incur high end-to-end delay and are vulnerable to quantum computer attacks and/or (insider) keyword guessing attacks (KGA). To address these vulnerabilities, this paper introduces a new concept called attribute-based authenticated encryption with keyword search (ABAEKS) and proposes an efficient ABAEKS scheme. Our ABAEKS has low end-to-end delay, and is resistant to both quantum computer attacks and (insider) KGA. In addition, we formalize the security model of ABAEKS system and prove its security in the random oracle model. Finally, we conduct a comprehensive performance evaluation of ABAEKS, and the experimental results show that our ABAEKS is computationally efficient and outperforms current state-of-the-art ABKS schemes.

computer science, theory & methods,engineering, electrical & electronic

Kai Zhang,Zhe Jiang,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2022.3172627

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure cloud search service allows resource-constrained clients to effectively search over encrypted cloud storage. Towards enabling owner-enforced search authorization, the notion of attribute-based keyword search (ABKS) has been introduced and widely deployed in practice. To enhance traditional security of ABKS, two state-of-the-art solutions are presented to address keyword guessing attacks or setup inconsistency for secret key. Nevertheless, they have not simultaneously considered the following threats to a data user: (i) inconsistent secret key/cipher-index caused by outside dishonest authority and/or data owner; (ii) algorithm substitution attacks (ASA) launched by inside adversarial eavesdropping. These attacks may unfortunately lead to cloud data breach and user information exposure. To tackle such outside and inside threats, we introduce subversion-resistance and consistency for secure and fine-grained cloud document search services. In particular, we propose a consistent ABKS system with cryptographic reverse firewalls (CRF). Technically, we refer to verifiable functional encryption and employ non-interactive zero-knowledge proofs of discrete logarithm equality to ensure strong input consistency for ABKS. In addition, we build a trusted CRF zone for sanitizing algorithm outputs against ASA attacks. Moreover, we formalize the security model and formally prove security of our system. To clarify practical performance, we implement state-of-the-art solutions and our system in real cloud environment based on Enron dataset. The results show that our system achieves more enhanced security properties without obviously sacrificing performance. In particular, our system achieves comparable time and storage cost for document-index encryption and document search, as compared to state-of-the-art solutions.

Zhongxiang He,Yuling Chen,Yun Luo,Lingyun Zhang,Yingying Tang

DOI: https://doi.org/10.3390/e26010045

IF: 2.738

2024-01-01

Entropy

Abstract:The emerging cloud storage technology has significantly improved efficiency and productivity in the traditional electronic healthcare field. However, it has also brought about many security concerns. Ciphertext policy attribute-based encryption (CP-ABE) holds immense potential in achieving fine-grained access control, providing robust security for electronic healthcare data in the cloud. However, current CP-ABE schemes still face issues such as inflexible attribute revocation, relatively lower computational capabilities, and key management. To address these issues, this paper introduces a revocable and traceable undeniable ciphertext policy attribute-based encryption scheme (MA-RUABE). MA-RUABE not only enables fast and accurate data traceability, effectively preventing malicious user key leakage, but also includes a direct revocation feature, significantly enhancing computational efficiency. Furthermore, the introduction of a multi-permission mechanism resolves the issue of centralization of power caused by single-attribute permissions. Furthermore, a security analysis demonstrates that our system ensures resilience against chosen plaintext attacks. Experimental results demonstrate that MA-RUABE incurs lower computational overhead, effectively enhancing system performance and ensuring data-sharing security in cloud-based electronic healthcare systems.

physics, multidisciplinary

Jian Su,Leyou Zhang,Yi Mu

DOI: https://doi.org/10.1016/j.future.2022.01.021

IF: 7.307

2022-07-01

Future Generation Computer Systems

Abstract:Due to the popularity of electronic medical technology and the rapid rise of cloud storage technology, how to securely share medical data has become a research hotspot at present. Fast and efficient keywords search in medical cloud is the key first step to achieve it. However, untrusted servicer may return the false search results or the results related to some special commercial purpose. Additionally, privacy leakage in medical data will also damage the benefits of the users and primary data owners. Ensuring fair and accurate searching of shared data and protecting the privacy of medical data have become important in the medical sharing system. This paper aims at solving these problems and a search framework for smart health system is proposed. In the framework, two smart contracts, named search smart contract(SSC) and verify smart contract(VSC), are constructed based on Ethereum blockchain, which are used to match the user’s trapdoor with index and check the correctness of search results. To improve the search accuracy, we realizes a ranking multi-keyword search where it only returns the top- k documents which best meet the user’s needs. Additionally, a new attribute-based encryption(ABE) is introduced to keep confidentiality and access authority of the sharing data. And the proposed ABE supports the hiding policy which solves the privacy protection during the data share. For reducing the computing burden of the data user, the decrypted-cloud service assistant system is proposed. Security proof and performance comparisons prove the security and efficiency of the scheme.

Payal Chaudhari,Manik Lal Das

DOI: https://doi.org/10.1109/tsc.2020.2973570

IF: 11.019

2022-03-01

IEEE Transactions on Services Computing

Abstract:In modern digital age, enterprise applications typically outsource user data in pubic cloud storage with the objective of availing flexibility and scalability features of cloud infrastructure, and importantly, making business goal more cost effective. Security and privacy concerns pose a challenging task to handle in cloud setup by both service providers and service consumers. In this landscape, before outsourcing the sensitive data on cloud storage, the data should be protected from unauthorized access and the privacy of the users should be preserved as per application requirement. In this article, we present a scheme, termed as KeySea, keyword-based search over attribute-based encrypted data with receiver anonymity. While searching documents pertaining to the target keyword(s), keeping receiver's anonymity and ensuring data privacy are important features in applications like healthcare, bureaucracy, social engineering, and so on. The construction of the KeySea scheme uses the hidden access policy in attribute-based searchable encryption. The KeySea scheme provides a secure and practical solution to address the issue of privacy-preserving search over encrypted data in the public cloud storage. We show the security strengths of the KeySea scheme and its practicality with experimental results.

computer science, information systems, software engineering

Jie Zhao,Hejiao Huang,Yongliang Xu,Xiaojun Zhang,Hongwei Du,Chao Huang

DOI: https://doi.org/10.1016/j.tcs.2024.114895

IF: 1.002

2024-10-05

Theoretical Computer Science

Abstract:Cloud-assisted e-healthcare sharing systems (EHSSs) play an increasingly pivotal role in the contemporary healthcare field. By outsourcing electronic medical records (EMRs) to the cloud, hospitals can alleviate local storage and management burdens while facilitating data sharing. Due to the highly sensitive nature of EMRs, encryption is necessary before storing them on the cloud. Attribute-based keyword search (ABKS) enables the privacy protection of EMRs with efficient search services. However, there remain some limitations in practical application. Firstly, most ABKS schemes only support single keyword queries, resulting in inaccurate results and wastage of computing and bandwidth resources. Secondly, since sensitive information within EMRs is encrypted as a whole, different data users (including internal doctors and external researchers) should have varying access rights to prevent leakage of this sensitive information. Thirdly, incorrect search results could lead to misdiagnosis or endanger patients' lives and affect researchers' decision-making processes. To effectively tackle these challenges, this paper proposes a verifiable attribute-based multi-keyword search scheme with sensitive information hiding (VABMKS-SIH) for cloud-assisted EHSSs, where we present a secure model for multi-keyword search with two-level access structure by incorporating an improved blindness filtering technique into ciphertext-policy attribute-based encryption (CP-ABE) within existing keyword search framework. Our scheme employs a super-increasing sequence to aggregate multiple filtered data blocks into one unified ciphertext, thereby greatly reducing communication overhead during the transmission phases of ciphertext. To check the correctness of returned results, we introduce a lightweight algebraic signature algorithm based on fundamental algebraic operations. A security analysis demonstrates that VABMKS-SIH is provably secure under the random oracle mode. Additionally, we also evaluate the proposed scheme's performance to demonstrate its utility in cloud-assisted EHSSs.

computer science, theory & methods

Kai Zhang,Yan Zhang,Yanping Li,Ximeng Liu,Laifeng Lu

DOI: https://doi.org/10.1109/jiot.2023.3290975

IF: 10.6

2023-01-01

IEEE Internet of Things Journal

Abstract:Attribute-based searchable encryption (ABSE) is a promising encryption mechanism for sharing outsourced encrypted data in clouds, allowing fine-grained access control over data while searching for encrypted data. However, the access policy in the most existing ABSE schemes exists in plaintext, which could expose sensitive information about legitimate data users. Moreover, such schemes delegate complex search operations to a cloud server, which can lead to data tampering and even untrusted results, and single point of failure. In this paper, we propose a blockchain-based anonymous attribute-based searchable encryption scheme for data sharing (BADS). First, attributes of the access policy are hidden, thus providing confidentiality to the set of attributes that satisfy the access policy. Then combining ABSE with blockchain have features of tamper-proof, integrity verification and non-repudiation. In particular, information such as secure index is stored in blockchain, while encrypted data is stored in a distributed system called the InterPlanetary File System (IPFS) to avoid single point of failure. Finally, BADS supports the matching algorithm that perform a fixed number of pairing operations before searching algorithm. We analysis security and evaluate performance to show the efficiency and practicability of BADS.

computer science, information systems,telecommunications,engineering, electrical & electronic

Sun Jingzhang,Cao Chunjie,Li Hui

DOI: https://doi.org/10.1007/978-3-030-00012-7_25

2018-01-01

Abstract:With the development in cloud storage, hospitals outsource the encrypted electronic medical records to the cloud services for economic saving. A cloud medical environment where the attribute is frequently updated, the existing searchable encryption schemes cannot support both ciphertext search and fine-grained access control. Therefore, combining ciphertext policy attribute-based encryption with searchable encryption technology, a cryptographic retrieval scheme supporting attribute update is proposed. Attributes can be updated frequently and partial decryption is transferred to the cloud storage server. Security analysis shows that the scheme can protect security and privacy under the DBDH assumption and the experimental results with real data show that the scheme is an efficient and practical application.

Jingwei Wang,Xinchun Yin,Jianting Ning,Geong Sen Poh

DOI: https://doi.org/10.1007/978-3-030-14234-6_26

2018-01-01

Abstract:Ciphertext policy attribute-based encryption (CP-ABE) is a promising cryptographic technology and a key component that enable secure data sharing in a cloud environment through fine-grained access control. Since it was introduced, many interesting schemes have been proposed. However, in addition to managing data sharing through access control, a comprehensive scheme should also cater for user revocation and ciphertext queries. This is because in a cloud environment new users may join while existing users may leave the system. At the same time, given the potentially large amount of data stored in a cloud storage, user should be able to retrieve the required files efficiently in a privacy-preserving manner. To address the above issue, in this paper, we propose a practical searchable CP-ABE scheme supporting user revocation. In contrast to existing schemes that provide only single keyword query, our efficient search function provides conjunctive search, which allows user to locate a ciphertext related to a set of keywords. The computation overhead of our user revocation is at least on par with existing schemes. Besides, the security analysis indicates that the proposed scheme is secure under the decisional Bilinear Diffie-Hellman assumption. We also provide extensive experimental results to confirm the efficiency and feasibility of our proposed construction.

Fan Zhao,Changgen Peng,Dequan Xu,Yicen Liu,Kun Niu,Hanlin Tang

DOI: https://doi.org/10.1016/j.comcom.2023.04.003

2023-05-01

Abstract:With the outbreak of COVID-19, the government has been forced to collect a large amount of detailed information about patients in order to effectively curb the epidemic of the disease, including private data of patients. Searchable encryption is an essential technology for ciphertext retrieval in cloud computing environments, and many searchable encryption schemes are based on attributes to control user's search permissions to protect their data privacy. The existing attribute-based searchable encryption (ABSE) scheme can only implement the situation where the search permission of one person meets the search policy and does not support users to obtain the search permission through collaboration. In this paper, we proposed a new attribute-based collaborative searchable encryption scheme in multi-user setting (ABCSE-MU), which takes the access tree as the access policy and introduces the translation nodes to implement collaborative search. The cooperation can only be reached on the translation node and the flexibility of search permission is achieved on the premise of data security. ABCSE-MU scheme solves the problem that a single user has insufficient search permissions but still needs to search, making the user's access policy more flexible. We use random blinding to ensure the confidentiality and security of the secret key, further prove that our scheme is secure under the Decisional Bilinear Diffie-Hellman (DBDH) assumption. Security analysis further shows that the scheme can ensure the confidentiality of data under chosen-keyword attacks and resist collusion attacks.

Shufen Niu,Ying Hu,Siwei Zhou,Honglin Shao,Caifen Wang

DOI: https://doi.org/10.1109/jsyst.2023.3283389

IF: 4.802

2023-01-01

IEEE Systems Journal

Abstract:The development of the Internet has dramatically facilitated the present society. While a large amount of data is produced, private data security involves users' data rights. Traditionally, attribute-based encryption (ABE) still needs to improve efficiency in the face of a large amount of data. The introduction of edge computing environments reduces the operating costs of lightweight devices by outsourcing some encryption and decryption operations. Therefore, we design an efficient attribute-based encryption scheme under edge computing that supports keyword search. Data owners and users do not disclose private information to the cloud during the search phase. Our work considers the computational efficiency of ordinary and lightweight users, and partial operations can be outsourced according to the demand during decryption, which is more flexible and applicable to practical applications. The scheme also supports efficient attribute revocation and ciphertext update in the cloud environment. Moreover, the proposed algorithm has been proven to be IND-sCP-CPA security and IND-CKA security. The work compares our algorithm with some typical schemes in terms of storage overhead and computation cost in the end. The performance analysis results indicate that the proposed work is efficient and suitable for edge computing.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Zuojie Deng,Kenli Li,Keqin Li,Jingli Zhou

DOI: https://doi.org/10.1016/j.future.2016.05.017

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:Multi-user searchable encryption (MSE) allows a user to encrypt its files in such a way that these files can be searched by other users that have been authorized by the user. The most immediate application of MSE is to cloud storage, where it enables a user to securely outsource its files to an untrusted cloud storage provider without sacrificing the ability to share and search over it. Any practical MSE scheme should satisfy the following properties: concise indexes, sublinear search time, security of data hiding and trapdoor hiding, and the ability to efficiently authorize or revoke a user to search over a file. Unfortunately, there exists no MSE scheme to achieve all these properties at the same time. This seriously affects the practical value of MSE and prevents it from deploying in a concrete cloud storage system. To resolve this problem, we propose the first MSE scheme to satisfy all the properties outlined above. Our scheme can enable a user to authorize other users to search for a subset of keywords in encrypted form. We use asymmetric bilinear map groups of Type-3 and keyword authorization binary tree (KABtree) to construct this scheme that achieves better performance. We implement our scheme and conduct performance evaluation, demonstrating that our scheme is very efficient and ready to be deployed.

Duo Zhang,Shangping Wang,Qian Zhang,Yaling Zhang

DOI: https://doi.org/10.1109/tsc.2023.3311877

IF: 11.019

2023-01-01

IEEE Transactions on Services Computing

Abstract:Cloud computing has brought great convenience to data storage and resource sharing, however, there are still concerns about data security and service quality. Attribute-based encryption (ABE) and searchable encryption (SE) are always adopted to achieve data access authorization and data retrieval on encrypted data in data sharing, respectively. But more efficient and accurate methods have been always pursued. Moreover, the spoofing attacks is another important aspect that raises concerns, especially when it comes to reliability of search results and online payments. Blockchain, an emerging technology that can be used to solve the problem of trust, has shown great application potential in finance and data sharing. Based on blockchain, we propose an attribute-based conjunctive keyword search (ABCKS) scheme with verifiability and fairness. In this paper, data privacy-preserving, fine-grained access control, and multi-keywords search can be supported simultaneously. Blockchain and smart contract are employed to facilitate the search result verification process and ensure fair payment in the trustless case. Furthermore, we reduce the user's decryption load to a constant level by performing partial decryption on the cloud side. Finally, the results of the performance evaluation indicate that our scheme has higher efficiency and security.

computer science, information systems, software engineering

Shangping Wang,Tingting Gao,Yaling Zhang

DOI: https://doi.org/10.1371/journal.pone.0206126

IF: 3.7

2018-11-01

PLoS ONE

Abstract:With the development of outsourcing data services, data security has become an urgent problem that needs to be solved. Attribute-based encryption is a valid solution to data security in cloud storage. There is no existing scheme that can guarantee the privacy of access structures and achieve attribute-based encryption with keyword search and attribute revocation. In this article, we propose a new searchable and revocable multi-data owner attribute-based encryption scheme with a hidden policy in cloud storage. In the new scheme, the same access policy is used in both the keyword index and message encryption. The advantage of keyword index with access policy is that as long as a user's attributes satisfy the access policy, the searched ciphertext can be correctly decrypted. This property improves the accuracy of the search results. The hidden policy is used in both the ciphertext and the keyword index to protect users' privacy. The new scheme contains attribute revocation, which is suitable for the actual situation that a user's attributes maybe changed over time. In the general bilinear group model, the security of the scheme is demonstrated, and the efficiency of the scheme is analyzed.

Qian Wang,Chengzhe Lai,Rongxing Lu,Dong Zheng

DOI: https://doi.org/10.1109/tcc.2021.3120110

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:Outsourcing medical data to healthcare cloud has become a popular trend. Since medical data of patients contain sensitive personal information, they should be encrypted before outsourcing. However, information retrieval methods based on plaintext cannot be directly applied to encrypted data. In this article, we present a new cryptographic primitive named conjunctive keyword search with secure channel free and autonomous path delegation function (AP-SCF-PECKS), which can be applied in scenarios where patients want to search for and autonomous delegate their private medical information without revealing their private key. Particularly, the proposed solution allows patients to set up multi-hop delegation path with their preferences, and the delegated doctors in the path can search for and access the patient’s private medical information with priority from high to low. Patients can ensure that authorized doctors are always trustworthy, and unauthorized users cannot obtain the private medical information of patients. Moreover, the scheme supports the conjunctive keyword search, secure channel free, and is secure against chosen keyword attack, chosen ciphertext attack, and keyword guessing attack. The security of proposed scheme has been formally proved in the standard model. Finally, the performance evaluations demonstrate that the overhead of proposed scheme are modest for healthcare cloud scenarios.

computer science, information systems, theory & methods

Suhui Liu,Jiguo Yu,Yinhao Xiao,Zhiguo Wan,Shengling Wang,Biwei Yan

DOI: https://doi.org/10.1109/jiot.2020.2993231

IF: 10.6

2020-09-01

IEEE Internet of Things Journal

Abstract:The Internet of Things (IoT) changed our lives with huge amounts of data production. Due to source-limited IoT devices, one of the best ways to process the data is cloud storage. However, a series of security and privacy issues arise, such as illegal data access, data tampering, and privacy leak. Though symmetric encryption can guarantee data confidentiality, it cannot realize fine-grained data sharing and searching. The keyword-based searchable attribute-based encryption (KSABE) can achieve data confidentiality and fine-grained access control. More importantly, it realizes a keyword-based search for data users. However, the heavy decryption computation burden and the management of massive user keys appear when implementing attribute-based encryption schemes to IoT. Therefore, this article proposes a blockchain-aided searchable attribute-based encryption (BC-SABE) with efficient revocation and decryption, where the traditional centralized server is replaced with a decentralized blockchain system being in charge of the threshold parameter generation, key management, and user revocation. All revocation tasks are done by the blockchain and it is on longer necessary for ciphertext reencryption and key update. Moreover, users utilize the coalition blockchain to generate partial tokens. Besides, the cloud server contained in our scheme not only stores the massive encrypted data but also performs search and predecryption for users who only require one exponentiation in the group ${mathbb {G}}$ to decrypt fully. Security analyses prove that our scheme realizes the security under the chosen plaintext attack and the chosen keyword attack. Simulations show that the decryption and token generation cost of our scheme are preferable.

computer science, information systems,telecommunications,engineering, electrical & electronic