Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Xinyu Tang,Cheng Guo,Kim-Kwang Raymond Choo,Xueru Jiang,Yining Liu

DOI: https://doi.org/10.1016/j.comcom.2024.05.003

IF: 5.047

2024-01-01

Computer Communications

Abstract:Data deduplication technology is extensively employed to enhance the storage efficiency of cloud servers by eliminating redundant files. Cloud users commonly encrypt their data prior to uploading it to the server. Conventional encryption algorithms, however, lead to the encryption of duplicated data from different users into distinct ciphertexts. Consequently, these ciphertexts must be stored in the cloud since the cloud server cannot identify such duplicated data. In this paper, we introduce a hybrid cloud-based secure deduplication scheme tailored for implementation on large-scale data systems. Specifically, our approach leverages ciphertext-policy attribute-based encryption (CP-ABE), which enables us to establish access control and key management via a private cloud server. Simultaneously, we leverage a public cloud server to cater to enterprises and groups seeking secure data storage. Notably, our approach ensures mutual zero-interaction verification between both public and private cloud servers through ElGamal encryption, thereby guaranteeing data unforgeability. The security assessment illustrates that our proposed approach ensures both data privacy and integrity. We also show that the approach resists brute-force attacks on the dictionary, prevents malicious users from deceiving cloud servers to return incorrect ciphertext, and achieves secure and efficient access control and key management. Furthermore, functional and performance evaluation underscores the superiority of our method over five other classical data deduplication schemes. Under the premise of having more comprehensive security settings, the performance of the scheme still maintains a good level at every stage.

GU Bolun,XU Zikai,LI Weihai,YU Nenghai

DOI: https://doi.org/10.11959/j.issn.2096-109x.2024055

2024-01-01

Abstract:With the rapid development and application of the Internet, traditional storage resources have been found unable to meet the growing demand for massive data storage. An increasing number of users have attempted to upload their data to third-party cloud servers for unified storage. Efficient deduplication and secure file sharing in the cloud have emerged as critical concerns. Moreover, users have always preferred to customize their passwords for encrypting and decrypting files, only sharing encrypted files when necessary. Based on this preference, a deterministic stepwise encryption algorithm was first designed. It was such that when the keys for the two steps of encryption satisfied a certain relationship, the two steps of encryption could be equivalent to a single encryption process. A novel key-customizable encrypted deduplication scheme with access control for cloud storage was proposed, utilizing the deterministic stepwise encryption algorithm to encrypt files and a ciphertext-policy attribute-based encryption algorithm to encrypt file keys. This scheme not only offered the flexibility to customize encryption and decryption keys for different users with the same files, but also ensured secure file sharing through a dynamic access control mechanism. Moreover, the optional access control component was made compatible with the majority of existing ciphertext-policy attribute-based encryption (CP-ABE) schemes, even allowing for different CP-ABE schemes within different attribute groups. Security analysis results show that the proposed scheme achieves the highest level of security under the current encrypted deduplication paradigm. Experimental and analytical results indicate that it effectively meets the practical needs of cloud service providers and users, and also achieves acceptable efficiency.

Xiaoyu Zheng,Yuyang Zhou,Yalan Ye,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2019.101666

IF: 5.836

2019-01-01

Journal of Systems Architecture

Abstract:Cloud data deduplication removes redundant data blocks or files and keeps only one copy in the cloud storage server. In order to improve on security, we need to encrypt data files and blocks such that all same files and blocks are detectable based on ciphertext for deduplication. So how to detect a ciphertext to find the same files is a challenging problem. In this paper, we propose a cloud data deduplication scheme based on certificateless proxy re-encryption. It contains certificateless proxy re-encryption (CL-PRE) and proof of ownership based on certificateless signature (PoW-CLS). Compared with the existing scheme, we use certificateless cryptography to solve the problem of key escrow and avoid the situation where a key generation center (KGC) impersonates a user to decrypt the ciphertext. Our CL-PRE realizes data deduplication across users and our PoW-CLS improves the efficiency of the proof of ownership (PoW).

Heyi Tang,Yong Cui,Chaowen Guan,Jianping Wu,Jian Weng,Kui Ren

DOI: https://doi.org/10.1145/2897845.2897846

2016-01-01

Abstract:To secure cloud storage and enforce access control, data encryption has become essential, given the ever increasing cyber threat everywhere. Attribute-based Encryption (ABE) crypto systems are widely considered as a promising solution under such a context for its security strength, scalability and control flexibility. One major challenge, however, for applying ABE-based techniques in real world applications is its high overhead in various aspects. In this research, we are particularly concerned with the storage size expansion in existing ABE schemes. This combined with the vast-size nature of the cloud data poses an enormous challenge to the effective usage of the cloud data storage space and affects the utility of data deduplication. Normally, data deduplication is carried out based on identifying similar and even identical contents both within and between data files, however, these patterns will be destroyed after performing data encryption using any semantically secure encryption scheme including ABE. In this research, we focus on ciphertexts deduplication under ABE, which to our best knowledge is the first of such an effort. Our fundamental observation stems from the structure of ABE ciphertexts and the possible similarities among different access structures. We show how to design a secure ciphertext deduplication scheme based on a classical CP-ABE scheme by innovatively modifying the construction with a recursive algorithm, eliminating the duplicated secrets and adding additional randomness to some certain ciphertext. We then give a detailed analysis on the proposed scheme with respect to both efficiency and security. To thoroughly assess the performance of the proposed scheme, we also implement a prototype system and conduct comprehensive experiments, which shows that our ciphertext reduplication scheme could reduce up to 80% computation and storage cost in the best case.

Cheng Guo,Litao Wang,Xinyu Tang,Bin Feng,Guofeng Zhang

DOI: https://doi.org/10.1016/j.jisa.2023.103426

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:Deduplication, which stores only one copy of duplicate data, is used extensively in cloud storage to reduce the overhead associated with storage. Unfortunately, client-side encryption prevents cloud storage from performing deduplication due to the randomness of traditional encryption. Some existing schemes can balance encryption and deduplication, but their interaction with third-party servers or online users adds additional overhead to the system. Also, the ownership of outsourced data will change frequently due to users’ requests to upload/delete/modify the data. But many existing schemes that can achieve dynamic ownership management have security flaws or require users to manage multiple keys. By focusing on these troubles, we have developed a secure deduplication scheme that does not rely on any third-party entities and supports data ownership management. More specifically, we take advantage of elliptic curve cryptography to design a key-sharing method so that different owners of the same data can share a random key only by interacting with the cloud service provider. And the broadcast encryption is used to manage the ownership of data, and this allows the cloud service provider to control users’ access to outsourced data by updating the broadcast key. In addition, the security analysis shows that the proposed scheme can meet the required security and that it outperforms other related schemes. The detailed simulation comparisons with other related schemes demonstrate that the proposed scheme has good performance.

Xuewei Ma,Wenyuan Yang,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc55026.2022.9894331

2022-01-01

Abstract:Encrypted data deduplication is an important technique for saving storage space and network bandwidth, which has been widely used in cloud storage. Recently, a number of schemes that solve the problem of data deduplication with dynamic ownership management have been proposed. However, these schemes suffer from low efficiency when the dynamic ownership changes a lot. To this end, in this paper, we propose a novel server-side deduplication scheme for encrypted data in a hybrid cloud architecture, where a public cloud (Pub-CSP) manages the storage and a private cloud (Pri-CSP) plays a role as the data owner to perform deduplication and dynamic ownership management. Further, to reduce the communication overhead we use an initial uploader check mechanism to ensure only the first uploader needs to perform encryption, and adopt an access control technique that verifies the validity of the data users before they download data. Our security analysis and performance evaluation demonstrate that our proposed server-side deduplication scheme has better performance in terms of security, effectiveness, and practicability compared with previous schemes. Meanwhile, our method can efficiently resist collusion attacks and duplicate faking attacks.

Yukun Zhou,Dan Feng,Yu Hua,Wen Xia,Min Fu,Fangting Huang,Yucheng Zhang

DOI: https://doi.org/10.1016/j.future.2017.10.014

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:Data deduplication has been widely used in the cloud to reduce storage space. To protect data security, users encrypt data with message-locked encryption (MLE) to enable deduplication over ciphertexts. However, existing secure deduplication schemes suffer from security weakness (i.e., brute-force attacks) and fail to support flexible access control. The process of chunk-level MLE key generation and sharing exists potential privacy issues and heavy computation consumption.& para;& para;We propose EDedup, a similarity-aware encrypted deduplication scheme that supports flexible access control with revocation. Specifically, EDedup groups files into segments and performs server-aided MLE at segment-level, which exploits similarity via a representative hash (e.g., the min-hash) to reduce computation consumption. This nevertheless faces a new attack that an attacker gets keys by guessing the representative hash. And hence EDedup combines source-based similar-segment detection and target-based duplicate-chunk checking to resist attacks and guarantee deduplication efficiency. Furthermore, EDedup generates message-derived file keys for duplicate files to manage metadata. EDedup encrypts file keys via proxy-based attribute-based encryption, which reduces metadata storage overheads and implements flexible access control with revocation. Evaluation results demonstrate that EDedup improves the speed of MLE up to 10.9X and 0.36X compared with DupLESS-chunk and SecDep respectively. EDedup reduces metadata storage overheads by 39.9%-65.7% relative to REED. (C) 2017 Elsevier B.V. All rights reserved.

Mingyang Song,Zhongyun Hua,Yifeng Zheng,Tao Xiang,Xiaohua Jia

DOI: https://doi.org/10.1109/tdsc.2023.3334475

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In cloud storage systems, secure deduplication plays a critical role in saving storage costs for the cloud server and ensuring data confidentiality for cloud users. Traditional secure deduplication schemes require users to encrypt their outsourced files using specific encryption algorithms that cannot provide semantic security. However, users are unable to directly benefit from the storage savings, as the relation between the actual storage cost and the offered prices remains not transparent. As a result, users may be unwilling to cooperate with the cloud by encrypting their data using semantically secure algorithms. Moreover, data integrity is a significant concern for cloud storage users. To address these issues, this paper proposes a novel transparent and secure deduplication scheme that supports integrity auditing. Compared to previous works, our design can verify the number of file owners and the integrity through one-time proof verification. It also protects the private contents of files and the privacy of file ownership from malicious users. Moreover, our scheme includes a batch auditing method to simultaneously verify the numbers of file owners and the integrity of multiple files. Theoretical analysis confirms the correctness and security of our scheme. Comparison results demonstrate its competing performance over previous solutions

Fangfang Shan,Hui Li,Fenghua Li,Yunchuan Guo,Jinbo Xiong

DOI: https://doi.org/10.4018/ijitwe.2019040105

2019-01-01

International Journal of Information Technology and Web Engineering

Abstract:With the rapid development of cloud computing, it has been increasingly attractive for individuals and groups to store and share data via cloud storage. Once stored in the third-party cloud storage service providers, the privacy and integrity of outsourced data should be attached with more attention as a challenging task. This article presents the attribute-based assured deletion scheme (AADS) which aims to protect and assuredly delete outsourced data in cloud computing. It encrypts outsourced data files with standard cryptographic techniques to guarantee the privacy and integrity, and assuredly deletes data upon revocations of attributes. AADS could be applied to solve important security problems by supporting fine-grained attribute-based policies and their combinations. According to the comparison and analysis, AADS provides efficient data encryption and flexible attribute-based assured deletion for cloud-stored data with an acceptable concession in performance cost.

Hongwei Liu,Ping Zhu,Zehong Chen,Peng Zhang,Zoe L. Jiang

DOI: https://doi.org/10.1109/CSE-EUC.2017.103

2017-01-01

Abstract:Aiming to reduce the user's computational overhead and tackle the attribute revocation issue, an attribute-based encryption scheme supporting decryption outsourcing and attribute revocation is proposed in this paper. The proposed scheme outsources some decryption computational tasks to a cloud server such that the computational overhead on the user is simple and constant. We also propose an efficient attribute revocation method which concentrates on the update of the ciphertexts and users' secret keys associated with the corresponding revoked attributes. Moreover, the security analysis indicates that the proposed scheme can resist collusion attacks, and ensure forward and backward secrecy. Experiment results show that our scheme is more efficient compared with other scheme in the literature.

Xinyan Wu,Huanwei Wang,Yangkai Yuan,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2023.102858

IF: 5.836

2023-01-01

Journal of Systems Architecture

Abstract:Data deduplication technology is frequently used by many cloud service providers to handle the exponential growth in data. To protect their data privacy, users frequently encrypt their data before uploading it to a cloud storage provider. Therefore, efficient encrypted deduplication technology has been widely studied. Although cloud storage provides convenience for users, it also has the problem of high data concentration. Once an accident occurs in the data center, the impact is enormous. Therefore, it is necessary to back up the ciphertext data after deduplication. In this paper, we propose an efficient encrypted data deduplication technology that supports backup. Our scheme uses a one-way hash chain to verify the legitimacy of a user’s identity. It updates the user’s ownership of the data using the user’s index table. In this paper, we use the XOR operation to re-encrypt data to obtain backup ciphertext, reducing computational complexity. In LEDB, the user can extract the key from the data label. Therefore, the user does not need to manage the key separately. In addition, LEDB supports a two-level deduplication mechanism, which can not only ensure transmission security but also reduce network transmission bandwidth. Finally, LEDB allows the user to determine the integrity of the data before decrypting the ciphertext. Security analysis and experimental results show that our scheme is secure and efficient for data encryption and decryption.

Wenlong Yi,Chuang Wang,Sergey Kuzmin,Igor Gerasimov,Xiangping Cheng

DOI: https://doi.org/10.3390/s24154939

2024-07-30

Abstract:Existing attribute-based proxy re-encryption schemes suffer from issues like complex access policies, large ciphertext storage space consumption, and an excessive authority of the authorization center, leading to weak security and controllability of data sharing in cloud storage. This study proposes a Weighted Attribute Authority Multi-Authority Proxy Re-Encryption (WAMA-PRE) scheme that introduces attribute weights to elevate the expression of access policies from binary to multi-valued, simplifying policies and reducing ciphertext storage space. Simultaneously, the multiple attribute authorities and the authorization center construct a joint key, reducing reliance on a single authorization center. The proposed distributed attribute authority network enhances the anti-attack capability of cloud storage. Experimental results show that introducing attribute weights can reduce ciphertext storage space by 50%, proxy re-encryption saves 63% time compared to repeated encryption, and the joint key construction time is only 1% of the benchmark scheme. Security analysis proves that WAMA-PRE achieves CPA security under the decisional q-parallel BDHE assumption in the random oracle model. This study provides an effective solution for secure data sharing in cloud storage.

Jin Li,Yinghui Zhang,Xiaofeng Chen,Yang Xiang

DOI: https://doi.org/10.1016/j.cose.2017.08.007

IF: 5.105

2017-01-01

Computers & Security

Abstract:Data sharing becomes an exceptionally attractive service supplied by cloud computing platforms because of its convenience and economy. As a potential technique for realizing fine-grained data sharing, attribute-based encryption (ABE) has drawn wide attentions. However, most of the existing ABE solutions suffer from the disadvantages of high computation overhead and weak data security, which has severely impeded resource-constrained mobile devices to customize the service. The problem of simultaneously achieving fine-grainedness, high-efficiency on the data owner's side, and standard data confidentiality of cloud data sharing actually still remains unresolved. This paper addresses this challenging issue by proposing a new attribute-based data sharing scheme suitable for resource-limited mobile users in cloud computing. The proposed scheme eliminates a majority of the computation task by adding system public parameters besides moving partial encryption computation offline. In addition, a public ciphertext test phase is performed before the decryption phase, which eliminates most of computation overhead due to illegitimate ciphertexts. For the sake of data security, a Chameleon hash function is used to generate an immediate ciphertext, which will be blinded by the offline ciphertexts to obtain the final online ciphertexts. The proposed scheme is proven secure against adaptively chosen-ciphertext attacks, which is widely recognized as a standard security notion. Extensive performance analysis indicates that the proposed scheme is secure and efficient.

Haoran Yuan,Xiaofeng Chen,Jin Li,Tao Jiang,Jianfeng Wang,Robert H. Deng

DOI: https://doi.org/10.1109/TSC.2019.2948007

IF: 11.019

2022-01-01

IEEE Transactions on Services Computing

Abstract:Data deduplication technique has been widely adopted by commercial cloud storage providers, which is both important and necessary in coping with the explosive growth of data. To further protect the security of users' sensitive data in the outsourced storage mode, many secure data deduplication schemes have been designed and applied in various scenarios. Among these schemes, secure and efficient re-encryption for encrypted data deduplication attracted the attention of many scholars, and many solutions have been designed to support dynamic ownership management. In this paper, we focus on the re-encryption deduplication storage system and show that the recently designed lightweight rekeying-aware encrypted deduplication scheme (REED) is vulnerable to an attack which we call it stub-reserved attack. Furthermore, we propose a secure data deduplication scheme with efficient re-encryption based on the convergent all-or-nothing transform (CAONT) and randomly sampled bits from the Bloom filter. Due to the intrinsic property of one-way hash function, our scheme can resist the stub-reserved attack and guarantee the data privacy of data owners' sensitive data. Moreover, instead of re-encrypting the entire package, data owners are only required to re-encrypt a small part of it through the CAONT, thereby effectively reducing the computation overhead of the system. Finally, security analysis and experimental results show that our scheme is secure and efficient in re-encryption.

Chandrajeet Yadav,Vikash Yadav,Jasvant Kumar

DOI: https://doi.org/10.37391/ijeer.090305

2021-09-30

International Journal of Electrical and Electronics Research

Abstract:The field of data management has been reformed by the Cloud computing technologies which offered valuable establishments and amended the storage restrictions barriers for its users. In large enterprises the cloud has been extensively used for implementation due to its benefits. There are still lot of security threats for the data in the cloud. The data owners suffer from its privacy issues which are considered as one of the major concerns. Data privacy can be secured by employing some of the existing methods such as Attribute-based Encryption (ABE). Yet, the security issues are prevailing largely over the cloud. In this research a secured data access control is proposed using the Advanced Encryption Standard (AES) combined with a weighted attribute-based Encryption (AES-WABE). To encrypt the data, the access control policies are used and weight is assigned according to its significance of each attribute. The outsourced data is stored by the cloud service provider and the attribute authority based on the weight that updates the attributes. To minimize the computational overload the data file is accessed by the receiver corresponding to its weight. The proposed procedure provides resistance for collusion, multiple user security with control of fine-grained access based on protection, reliability and efficiency. On concerning the data collaboration and confidentiality, the performance rating is done related with the Cipher-text Policy–Attribute-based Encryption (CP-ABE) and the hybrid attribute-based encryption (HABE) scheme, access control flexibility, limited decryption, full delegation, verification and partial signing.

Yan Kit Li,Xiaofeng Chen,Patrick P. C. Lee,Wenjing Lou,Jin Li,Sriram Keelveedhi,Thomas Ristenpart,Mihir Bellare

2020-01-01

Abstract:The popularity and widespread use of Cloud have brought great convenience for data sharing and data storage. The data sharing with a large number of participants take into account issuers like data integrity, efficiency and privacy of the owner for data. In cloud storage services one critical challenge is to manage ever-increasing volume of data storage in cloud. To make data management more scalable in cloud computing field, deduplication a well-known technique of data compression to eliminating duplicate copies of repeating data in storage over a cloud. Even if data deduplication brings a lot of benefits in security and privacy concerns arise as user's sensitive data are susceptible to both attacks insider and outsider. A convergent encryption method enforces data confidentiality while making deduplication feasible. Traditional deduplication systems based on convergent encryption even though provide confidentiality but do not support the duplicate check on basis of differential privileges. This paper presents, the idea of authorized data deduplication proposed to protect data security by including differential privileges of users in the duplicate check. Deduplication systems, users with differential privileges are further considered in duplicate check besides the data itself. To support stronger security the files are encrypted with differential privilege keys. Users are only allowed to perform the duplicate check for files marked with the corresponding privileges to access. The user can verify his/her presence of file after deduplication in cloud with the help of a third party

Jingyi Li,Yidong Li,Jigang Wu,Zikai Zhang,Yi Jin

DOI: https://doi.org/10.1109/tnse.2024.3369630

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Data deduplication schemes have been widely used in cloud storage systems to save storage space by eliminating duplicate outsourced data. However, the reduction of redundancy leads to decreased data availability and unbalanced data distribution. This paper proposes a blockchain-based decentralized storage system with reliable deduplication and storage balance strategy to provide reliability for deduplicated outsourced data. Encrypted data is split into chunks by a ramp secret sharing scheme, and it is distributed to multiple independent cloud servers. States of the chunks are recorded on the tamper-proofed blockchain and they can be used to recover the raw data or support the verification of user identity. To balance the distribution of data among storage servers, a heuristic matching algorithm is designed to efficiently allocate the available storage space. The allocation services are published by autonomous smart contracts and other participants gain rewards by giving the best matching results of data chunks and storage servers. Formulation analysis demonstrates the correctness of the proposed scheme in terms of data consistency, integrity, and reliability. Experimental results show that the proposed scheme preserves the confidentiality of outsourced data with acceptable computational consumption.

engineering, multidisciplinary,mathematics, interdisciplinary applications

Cheng Guo,Xueru Jiang,Kim-Kwang Raymond Choo,Yingmo Jie

DOI: https://doi.org/10.1016/j.jnca.2020.102664

IF: 7.574

2020-01-01

Journal of Network and Computer Applications

Abstract:Deduplication technology is used extensively in applications such as cloud computing services to optimize their storage performance (e.g., cloud service providers store only one copy of identical data). However, due to the use of encryption (to ensure the confidentiality of data stored in the cloud), it can be challenging for cloud service providers to perform deduplication (e.g., due to the use of different keys on the same content). In this paper, we propose a randomized, secure, cross-user deduplication scheme (R-Dedup). The scheme does not involve any third-party entity (e.g., an additional cloud server) or require assistance from other users. In R-Dedup, the randomness feature means that users with identical copies of a file share the same random value via ElGamal encryption. The security analysis and experimental results demonstrate that R-Dedup is lightweight, and achieves both data privacy and data integrity.

Shunrong Jiang,Tao Jiang,Liangmin Wang

DOI: https://doi.org/10.1109/tsc.2017.2771280

IF: 11.019

2017-01-01

IEEE Transactions on Services Computing

Abstract:Data deduplication has been widely used in cloud storage to reduce storage space and communication overhead by eliminating redundant data and storing only one copy for them. In order to achieve secure data deduplication, the convergent encryption scheme and many of its variants are proposed. However, most of these schemes do not consider or cannot address the efficiently dynamic ownership changes and the secure Proof-of-Ownership (PoW), simultaneously. In this paper, we propose a secure data deduplication scheme with efficient PoW process for dynamic ownership management. Specially, our scheme supports both cross-user file-level and inside-user block-level data deduplication. During the file-level deduplication, we construct a new PoW scheme to ensure the tag consistency and achieve the mutual ownership verification. Moreover, we design a lazy update strategy to achieve efficient ownership management. For inside-user block-level deduplication, the user-aided key is used to realize convergent key management and reduce the key storage space. Finally, the security and performance analysis demonstrate that our scheme can ensure data confidentiality and tag consistency, and it is efficient in data ownership management.