Huige Wang,Yuan Zhang,Kefei Chen,Guangye Sui,Yunlei Zhao,Xinyi Huang

DOI: https://doi.org/10.1016/j.ins.2019.06.028

IF: 8.1

2019-01-01

Information Sciences

Abstract:Cloud storage services provide data owners an efficient and flexible way to share data. Among the shared data, some of them are very sensitive, and should be prevented for any leakage. Should users conventionally encrypt the data, however, flexibly sharing is lost. Public-key encryption with access control (PEAC) resolves this tension. Most of existing PEAC schemes only support the data owner to control either the parts of data to be accessed by other users (file-based PEAC), or the membership of users that access the entire data set (receiver-based PEAC). However, in reality a PEAC scheme with both file-based and receiver-based functionalities is required to ensure the efficiency, flexibility, and fine-grainess of the data sharing service. In this paper, we introduce a primitive of functional broadcast encryption (FBE). FBE is a manifestation of PEAC that enables a data owner to share a set of data files to a group of users, where only a specific subset of data files can be accessed and decrypted by a specific subgroup of users. We describe a construction for FBE based on indistinguishability obfuscation (iO). Security analysis demonstrates that the proposed scheme achieves selective IND-CCA security, and a comprehensive performance analysis shows the proposed scheme is efficient.

Liqing Chen,Jiguo Li,Yang Lu,Yichen Zhang

DOI: https://doi.org/10.1016/j.ins.2020.05.092

IF: 8.1

2020-10-01

Information Sciences

Abstract:<p>The existing public key broadcast encryption schemes are mainly constructed in identity-based cryptosystem, which bears the inherent problems of key escrow and key distribution. The certificate-based encryption mechanism can effectively address the problems in identity-based cryptosystem. Meanwhile, it simplifies the certificate revocation issue for traditional public key cryptosystem. Inspired by the idea of certificate-based encryption, we put forward the new primitive certificate-based broadcast encryption as well as its formal definition and security model. In virtue of prime order bilinear groups, we present an instantiation scheme of certificate-based broadcast encryption. To our best knowledge, the proposed scheme is the first adaptively secure scheme for certificate-based broadcast encryption in the standard model against chosen-ciphertext attack. Compared with the previous work, our scheme has advantages in the respects of computation cost as well as security properties. Furthermore, we present an application scenario of the proposed scheme for data access control in cloud storage service.</p>

computer science, information systems

Jianfei Sun,Hu Xiong,Hao Zhang,Li Peng

DOI: https://doi.org/10.1016/j.ins.2019.08.026

IF: 8.1

2020-01-01

Information Sciences

Abstract:Never before has data sharing been more convenient with the rapid popularity and wide adoption of cloud computing. However, mobile access and flexible search with security for outsourced data in heterogeneous systems are two major obstacles prior to practical deployment of cloud computing. To meet the requirements in secure mobile access and flexible search to sensitive data, this paper, for the first time, proposes a versatile primitive referred to as an identity based proxy re-encryption system with outsourced equality test (IBPRE-ET). This primitive allows a data owner in an identity based broadcast encryption system (IBBE) seamlessly to share his/her data with a data sharer in an identity based encryption system (IBE). Moreover, it supports a data sharer in an IBBE system to perform search functionality on ciphertexts related to a data sharer in an IBE system. We also formally prove that the proposed IBPRE-ET system is selective secure using a random oracle model. Meanwhile, the theoretic evaluation and experimental result demonstrate our scheme is practical in the heterogeneous system. Finally, we show an application of our IBPRE-ET to the collaborative office automation system.

Hu Xiong,Hao Zhang,Jianfei Sun

DOI: https://doi.org/10.1109/jsyst.2018.2865221

IF: 4.802

2018-01-01

IEEE Systems Journal

Abstract:The sharing of personal data with multiple users from different domains has been benefited considerably from the rapid advances of cloud computing, and it is highly desirable to ensure the sharing file should not be exposed to the unauthorized users or cloud providers. Unfortunately, issues such as achieving the flexible access control of the sharing file, preserving the privacy of the receivers, forming the receiver groups dynamically, and high efficiency in encryption/decryption still remain challenging. To deal with these challenges, we provide a novel anonymous attribute-based broadcast encryption (A$^{2}$ B$^{2}$ E) which features the property of hidden access policy and enables the data owner to share his/her data with multiple participants who are inside a predefined receiver set and fulfill the access policy. We first suggest a concrete A$^{2}$ B$^{2}$ E scheme together with the rigorous and formal security proof without the support of the random oracle model. Then, we design an efficient and secure data sharing system by incorporating the A$^{2}$ B$^{2}$ E scheme, verifiable outsourcing decryption technique for attribute-based encryption, and the idea of online/offline attribute-based encryption. Extensive security analysis and performance evaluation demonstrate that our data sharing system is secure and practical.

Jianfei Sun,Guowen Xu,Tianwei Zhang,Hu Xiong,Hongwei Li,Robert H. Deng

DOI: https://doi.org/10.1109/tcc.2021.3117998

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:Benefiting from the powerful computing and storage capabilities of cloud services, data sharing in the cloud has been permeated across various applications including social networks, e-health and crowdsourcing transportation system. Intuitively, outsourcing data to untrusted cloud commonly raises concerns about data privacy breaches. To combat this, one approach is exploiting Broadcast Based Searchable Encryption (BBSE) for secure data sharing. Nevertheless, the latest proposed BBSE is still defective in either security or efficiency. In this article, we propose ESPD, an Efficient, Scalable and Privacy-preserving Data sharing framework over encrypted cloud dataset. Different from previous works, ESPD supports sharing target data to multiple users with distinct secret keys, and keeps a constant ciphertext length with the changes of the amount of system users. This feature significantly improves search efficiency and makes ESPD scalable in real-world scenarios. We show a formal analysis to prove the security of ESPD in terms of file privacy, keyword privacy and trapdoor privacy. Also, extensive experiments on real-world dataset are conducted to indicate the desirable performance of ESPD compared to other similar schemes.

Sheng Chang,Chunxiang Xu

DOI: https://doi.org/10.1109/ISPDS58840.2023.10235673

2023-01-01

Abstract:Cloud data sharing allows a sender to securely share data with a specific group of recipients through a cloud platform. To address privacy concerns, the data that is shared is usually encrypted and stored on the cloud server, which can make future retrieval challenging. To overcome this limitation, searchable broadcast authenticated encryption schemes have been introduced. These schemes enable the sender to authenticate and encrypt data for the intended recipients through the insecure and unreliable cloud platform. Only the user in the recipients set can perform keyword searches and access target data. However, certain existing schemes exhibit vulnerabilities such as keyword guessing attacks (KGA) and trapdoor misuse. Moreover, all of these schemes are based on either the public key certificate system or some identity base system, and these circumstances give rise to specific challenges, namely the complexities of managing certificates and the potential problems associated with key escrow. To tackle these challenges, we introduce a certificateless broadcast searchable encryption scheme that achieves ciphertext indistinguishability, trapdoor indistinguishability, and receiver anonymity. And we also eliminate the need for public certificates. Furthermore, we strengthen the security of our scheme by restricting search operations on the encrypted data to a designated server. We provide an extensive security analysis of our scheme and perform a thorough performance evaluation to showcase the practicality of the proposed scheme.

Yu Zhang,Jing Chen,Ruiying Du,Lan Deng,Yang Xiang,Qing Zhou

DOI: https://doi.org/10.1109/TrustCom.2014.42

2014-01-01

Abstract:In the past few years, cloud computing has emerged as one of the most influential paradigms in the IT industry. As promising as it is, this paradigm brings forth many new challenges for data security because users have to outsource sensitive data on untrusted cloud servers for sharing. In this paper, to guarantee the confidentiality and security of data sharing in cloud environment, we propose a Flexible and Efficient Access Control Scheme (FEACS) based on Attribute-Based Encryption, which is suitable for fine-grained access control. Compared with existing state-of-the-art schemes, FEACS is more practical by following functions. First of all, considering the factor that the user membership may change frequently in cloud environment, FEACS has the capability of coping with dynamic membership efficiently. Secondly, full logic expression is supported to make the access policy described accurately and efficiently. Besides, we prove in the standard model that FEACS is secure based on the Decisional Bilinear Diffie-Hellman assumption. To evaluate the practicality of FEACS, we provide a detailed theoretical performance analysis and a simulation comparison with existing schemes. Both the theoretical analysis and the experimental results prove that our scheme is efficient and effective for cloud environment.

Xiaofen Wang,Hong-Ning Dai,Ke Zhang

DOI: https://doi.org/10.1016/j.future.2018.11.013

IF: 7.307

2019-01-01

Future Generation Computer Systems

Abstract:Sharing economic data is paramount for improving quality and developing more efficient ways to produce statistics, and making better economic decisions. The economic data is of great importance to the corporations and governments, and they must be protected against the outsiders. Unfortunately, in an economic administration system, a few users may be malicious, or they are at high risk to leak information to the outsiders. Therefore, the economic data must also be protected against these users. The traditional broadcast encryption can provide protected data sharing among honest users. However, it is not efficient when most of the users are honest, and only a small amount of users are malicious. The traditional method is not cost effective, and does not fit to the situation where the set of malicious users dynamically changes either. Meanwhile, in traditional broadcast encryption, the authorized users’ identities need to be sent with the ciphertext. The valid users’ anonymity is not provided. To solve these problems, in this work, we present a novel cryptographic primitive, i.e. ID-based Dynamic Exclusive Broadcast Encryption (IBDEBE), and based on a hybrid framework (the combination of the exponent-inversion framework and the commutative-blinding framework) we propose an IBDEBE scheme with constant-size private keys and ciphertexts. The IBDEBE scheme is proved to be semi-adaptively semantically secure in the random oracle model. By applying the IBDEBE scheme, a secure economic data sharing protocol is devised, which is efficient and flexible in dynamic honest user groups, and it provides good security properties, i.e. source authenticity, data integrity protection, data access control, resistance to collusion attack and anonymity. We evaluate the performance of our solution with experiments and the results show good computation efficiency.

Yanli Ren,Dawu Gu

DOI: https://doi.org/10.1016/j.ipl.2009.01.017

IF: 0.851

2009-01-01

Information Processing Letters

Abstract:In broadcast encryption schemes, a broadcaster encrypts messages and transmits them to some subset S of users who are listening to a broadcast channel. Any user in S can use his private key to decrypt the broadcast. An identity based cryptosystem is a public key cryptosystem where the public key can be represented as an arbitrary string. In this paper, we propose the first identity based broadcast encryption (IBBE) scheme that is IND-ID-CCA2 secure without random oracles. The public key and ciphertext are constant size, and the private key size is linear in the total number of receivers. To the best of our knowledge, it is the first IBBE scheme that is fully CCA2 secure without random oracles. Moreover, our IBBE scheme is collusion resistant for arbitrarily large collusion of users.

Shengmin Xu,Jianting Ning,Xinyi Huang,Jianying Zhou,Robert H. Deng

DOI: https://doi.org/10.1109/tifs.2021.3113516

IF: 7.231

2021-01-01

IEEE Transactions on Information Forensics and Security

Abstract:As a versatile technique, cloud-fog computing extends the traditional cloud server to offer various on-demand data services. Maintaining data confidentiality is one of the most crucial requirements for data services, many cryptosystems have been proposed to reserve information privacy against such an untrusted environment. However, in cloud-fog computing, how to confidentially and efficiently share data and fetch desirable data without expensive data decryption for resource-constrained end-devices is challenging. In this paper, we propose a cloud-fog system for the Internet-of-Things (IoT) ecosystem by introducing a cryptographic primitive called server-aided revocable bilateral attribute-based encryption (SRB-ABE). Our solution is a secure and lightweight bilateral access control system with dynamic user groups, including (1) fine-grained data user and data owner access control simultaneously; (2) outsourced data source identification; (3) server-aided user revocation with publicly updatable ciphertexts; and (4) lightweight data decryption mechanism with one exponentiation computation. We present the formal definition and concrete construction of SRB-ABE with security proofs to build cloud-fog systems. The extensive comparison and experimental analysis demonstrate that our construction has superior functionality and comparable performance than the most relevant solutions.

Jianfei Sun,Guowen Xu,Tianwei Zhang,Xuehuan Yang,Mamoun Alazab,Robert H. Deng

DOI: https://doi.org/10.1109/TIFS.2022.3226577

IF: 7.231

2023-01-01

IEEE Transactions on Information Forensics and Security

Abstract:The cloud-based data sharing technology with cryptographic primitives enables data owners to outsource data into paradigms and privately share information with arbitrary recipients without geographic barriers. However, we argue that most of existing efforts for outsourced data sharing are either inefficient, inflexible, or incompletely secure due to the following problems: (1) lack of efficient strategies for dynamically designating target ciphertexts to multiple recipients; (2) how to hide the identity of the recipient and (3) how to verify the correctness of outsourced ciphertext transformation without any denial. To the best of our knowledge, no previous work has thoroughly explored the above three issues, motivating us to design such an efficient and comprehensively secure outsourced data sharing mechanism. We design VF-PPBA, the first Verifiable, Fair and Privacy-preserving Broadcast Authorization framework for flexible data sharing in clouds. In more detail, we first invent a new primitive, privacy-preserving multi-recipient broadcast proxy re-encryption (PPMR-BPRE), which enables the authorization of a given ciphertext to different recipients with efficient ciphertext transformation, and further guarantees that any malicious adversary deduces nothing about the identity of the recipient. Then, we present VF-PPBA for flexible data sharing with PPMR-BPRE as the underlying structure, which in addition to inheriting all the functionalities of PPMR-BPRE, is capable of supporting the verifiability of the outcome correctness of the outsourced conversion task, and being immune to the malicious accusation if the outsourcing outcome is correctly completed. We formalize the adversarial models and render comprehensively strict security proofs to prove the security of our proposed solutions. Its performance is also validated via experimental simulations to showcase the practicability and effectiveness.

Fagen Li,Bo Liu,Jiaojiao Hong

DOI: https://doi.org/10.1007/s00607-017-0548-7

2017-01-01

Computing

Abstract:Data storage is one of main services in cloud computing. How to ensure the confidentiality and authorized access of data is the central issue of data storage. In this paper, we propose a novel data access control scheme that can simultaneously achieve confidentiality and authentication for cloud computing. In this scheme, users store encrypted data in the cloud. When a user wants to access the data, the data owner delegates the cloud to re-encrypt the data and only the authorized user can decrypt the data. The cloud can not get any plaintext information about the data. In addition, the authorized user can verify the integrity and authentication of the data. We realize the data access control scheme by proposing an identity-based signcryption (IBSC) scheme with proxy re-encryption. We prove that the IBSC scheme has the indistinguishability against adaptive chosen ciphertext attack under the decisional bilinear Diffie-Hellman problem and existential unforgeability against adaptive chosen message attack under the computational Diffie-Hellman problem in the random oracle model.

Stefan Contiu,Rafael Pires,Sébastien Vaucher,Marcelo Pasin,Pascal Felber,Laurent Réveillère

DOI: https://doi.org/10.1109/DSN.2018.00032

2018-07-27

Abstract:While many cloud storage systems allow users to protect their data by making use of encryption, only few support collaborative editing on that data. A major challenge for enabling such collaboration is the need to enforce cryptographic access control policies in a secure and efficient manner. In this paper, we introduce IBBE-SGX, a new cryptographic access control extension that is efficient both in terms of computation and storage even when processing large and dynamic workloads of membership operations, while at the same time offering zero knowledge guarantees. IBBE-SGX builds upon Identity-Based Broadcasting Encryption (IBBE). We address IBBE's impracticality for cloud deployments by exploiting Intel Software Guard Extensions (SGX) to derive cuts in the computational complexity. Moreover, we propose a group partitioning mechanism such that the computational cost of membership update is bound to a fixed constant partition size rather than the size of the whole group. We have implemented and evaluated our new access control extension. Results highlight that IBBE-SGX performs membership changes 1.2 orders of magnitude faster than the traditional approach of Hybrid Encryption (HE), producing group metadata that are 6 orders of magnitude smaller than HE, while at the same time offering zero knowledge guarantees.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Jianhong Zhang,Peirong Ou

DOI: https://doi.org/10.3390/s19153370

IF: 3.9

2019-07-31

Sensors

Abstract:Nowadays, the widely deployed and high performance Internet of Things (IoT) facilitates the communication between its terminal nodes. To enhance data sharing among terminal devices and ensure the recipients’ privacy protection, a few anonymous multi-recipient broadcast encryption (AMBE) proposals are recently given. Nevertheless, the majority of these AMBE proposals are only proven be securely against adaptively chosen plain-text attack (CPA) or selectively chosen ciphertext attack (CCA). Furthermore, all AMBE proposals are subjected to key escrow issue due to inherent characteristics of the ID-based public cryptography (ID-PKC), and cannot furnish secure de-duplication detection. However, for cloud storage, it is very important for expurgating duplicate copies of the identical message since de-duplication can save the bandwidth of network and storage space. To address the above problems, in the work, we present a privacy-preserving multi-receiver certificateless broadcast encryption scheme with de-duplication (PMCBED) in the cloud-computing setting based on certificateless cryptography and anonymous broadcast encryption. In comparison with the prior AMBE proposals, our scheme has the following three characteristics. First, it can fulfill semantic security notions of data-confidentiality and receiver identity anonymity, whereas the existing proposals only accomplish them by formalizing the weaker security models. Second, it achieves duplication detection of the ciphertext for the identical message encrypted with our broadcast encryption. Finally, it also avoids the key escrow problem of the AMBE schemes.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Qian Mei,Minghao Yang,Jinhao Chen,Lili Wang,Hu Xiong

DOI: https://doi.org/10.1109/TDSC.2022.3188740

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Expressive data sharing and efficient data deletion are essential to drive the development of cloud-assisted IoT. But insecure transmission and the vulnerability of the cloud server may cause potential threats to IoT data, attribute-based encryption (ABE) is widely applied to ensure data confidentially. Nonetheless, the potential data exposure caused by the compromised long-term key and the contradiction between conventional access structures in ABE and the various demands of data owners are still two huge challenges. To overcome these challenges, this article designs an unbounded and puncturable ciphertext-policy ABE with arithmetic span program ( <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> ) scheme and presents an expressive data sharing and self-controlled fine-grained data deletion solution in cloud-assisted IoT, which allows data owners to efficiently encrypt and share data with various computable access policies, but also enables data owners and data users to independently delete specific data stored in the cloud. The designed <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> leverages unbounded ABE and puncturable encryption to support the flexible update of system parameters and the deletion of specific data. Also, the arithmetic span program access structure is combined to realize expressive data sharing. Moreover, the <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> is adaptively secure in the standard model, and comprehensive performance evaluations demonstrate its practicability and scalability in cloud-assisted IoT.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.

Hongbo Li,Qiong Huang,Sha Ma,Jian Shen,Willy Susilo

DOI: https://doi.org/10.1109/access.2019.2899680

IF: 3.9

2019-01-01

IEEE Access

Abstract:With the higher rate of using cloud storage, protecting data privacy becomes an important issue. The most effective solution is to encrypt data before uploading to the cloud. However, how to efficiently search over data encrypted with different keys is still an open problem. To address this problem, we introduce a new notion of the identity-based encryption with equality test supporting flexible authorization (IBEET-FA). It supports the test of whether two ciphertexts encrypted under the different keys encapsulate the same message, and in the meanwhile supports fine-grained authorization of the test. Based on the equality test on ciphertexts, there is a direct way to support an authorized user to search over ciphertexts of different users, which accelerates secret data sharing among a group of users. Besides, IBEET-FA does not suffer from the complex key management problem of its counterpart in the traditional public key infrastructure. We propose a concrete construction of IBEET-FA and prove it to be securely based on simple mathematical assumptions. The experimental results show that our IBEET-FA scheme is efficient and can satisfy various types of search over encrypted data.

Kaiping Xue,Weikeng Chen,Wei Li,Jianan Hong,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2018.2809679

IF: 7.231

2018-01-01

IEEE Transactions on Information Forensics and Security

Abstract:People endorse the great power of cloud computing, but cannot fully trust the cloud providers to host privacy-sensitive data, due to the absence of user-to-cloud controllability. To ensure confidentiality, data owners outsource encrypted data instead of plaintexts. To share the encrypted files with other users, ciphertext-policy attribute-based encryption (CP-ABE) can be utilized to conduct fine-grained and owner-centric access control. But this does not sufficiently become secure against other attacks. Many previous schemes did not grant the cloud provider the capability to verify whether a downloader can decrypt. Therefore, these files should be available to everyone accessible to the cloud storage. A malicious attacker can download thousands of files to launch economic denial of sustainability (EDoS) attacks, which will largely consume the cloud resource. The payer of the cloud service bears the expense. Besides, the cloud provider serves both as the accountant and the payee of resource consumption fee, lacking the transparency to data owners. These concerns should be resolved in real-world public cloud storage. In this paper, we propose a solution to secure encrypted cloud storages from EDoS attacks and provide resource consumption accountability. It uses CP-ABE schemes in a black-box manner and complies with arbitrary access policy of the CP-ABE. We present two protocols for different settings, followed by performance and security analysis.

Elhabob Rashad,Zhao Yanan,Eltayieb Nabeil,Abdelgader Abdeldime M. S.,Xiong Hu

DOI: https://doi.org/10.1007/s10586-019-02979-1

2019-01-01

Cluster Computing

Abstract:The rising popularity of cloud computing is now widely adopted by many industries including resource-restricted data owners, i.e., with the smart sensors in the Internet of things (IoT) to store their data in the cloud. Considering the untrusted nature of cloud server, the data collected by smart sensors should be encrypted before offloading them to the cloud. This unfortunately raises a concern on how to perform search functionality on encrypted data in the cloud. To tackle this challenge, an identity-based encryption scheme with authorized equivalence test (IBE-AET) is proposed in this paper to achieve simultaneously encryption and search functionality over outsourced data in cloud-assisted IoT. In IBE-AET, an authorized cloud server is allowed to carry out the equivalence test of two messages encrypted using the same identity as well as also those messages encrypted in different identities. In addition, the authorization mechanism in IBE-AET is versatile such that it enables a user to delegate the testing capability to the cloud server in a fine-grained manner. In the random oracle model, the proposed IBE-AET is formally proved to be equivalent to the bilinear Diffie–Hellman (BDH) assumption. The practicability of the suggested scheme is demonstrated by both the theoretic analysis and experimentsimulation.

Jianting Ning,Xinyi Huang,Willy Susilo,Kaitai Liang,Ximeng Liu,Yinghui Zhang

DOI: https://doi.org/10.1109/tdsc.2020.3011525

2020-01-01

Abstract:Cloud-based data storage service has drawn increasing interests from both academic and industry in the recent years due to its efficient and low cost management. Since it provides services in an open network, it is urgent for service providers to make use of secure data storage and sharing mechanism to ensure data confidentiality and service user privacy. To protect sensitive data from being compromised, the most widely used method is encryption. However, simply encrypting data (e.g., via AES) cannot fully address the practical need of data management. Besides, an effective access control over download request also needs to be considered so that Economic Denial of Sustainability (EDoS) attacks cannot be launched to hinder users from enjoying service. In this article, we consider the dual access control, in the context of cloud-based storage, in the sense that we design a control mechanism over both data access and download request without loss of security and efficiency. Two dual access control systems are designed in this article, where each of them is for a distinct designed setting. The security and experimental analysis for the systems are also presented.