Zhenwu Xu,Xingshu Chen,Xiao Lan,Rui Tang,Shuyu Jiang,Changxiang Shen

DOI: https://doi.org/10.1016/j.cose.2024.103978

2024-01-01

Abstract:Cloud services have attracted numerous enterprises, organizations, and individual users due to their exceptional computing power and almost limitless storage capacity. A vast amount of business data and private data are continuously uploaded to the cloud platform, driven by a series of attractive services offered by the cloud. Unfortunately, once data is uploaded to the cloud, its owner has no way of ensuring that it is actually deleted as intended. This obviously increases the concerns of data owners about the security of their data, because it is related to the privacy of users. Therefore, there must be a reliable solution to prove that data is deleted as requested by users, to prevent data leakage or abuse. In existing data deletion schemes, most are designed based on cryptographic knowledge rather than erasure or overwrite techniques, in order not to cause incalculable damage to the storage medium. However, most cryptographic-based data deletion schemes, particularly attribute-based encryption, involve numerous complex bilinear mapping operations, which are expensive for most devices. To address this issue, the paper proposes an Efficient and Verifiable Scheme for Secure Data Deletion (EVSD). Firstly, Elliptic Curve Cryptography (ECC) is introduced to achieve efficient encryption of data. Then, leveraging Linear Secret Sharing Scheme (LSSS), fine-grained data deletion policies supporting logical operations are implemented. Finally, the deletion of the data is efficiently verified using the root of the Merkle Hash Tree (MHT) generated by the defined illegal and legal attributes, while the deletion proof is also generated. Satisfactorily, security analysis shows that the EVSD scheme is much more advantageous compared to existing schemes, and a trait likewise is also observed in the performance evaluation.

Changsong Yang,Jianfeng Wang,Xiaoling Tao,Xiaofeng Chen

DOI: https://doi.org/10.1016/j.jnca.2017.11.011

IF: 7.574

2018-01-01

Journal of Network and Computer Applications

Abstract:With the rapid development of cloud storage, more and more resource-constraint data owners can employ cloud storage services to reduce the heavy local storage overhead. However, the local data owners lose the direct control over their data, and all the operations over the outsourced data, such as data transfer and deletion, will be executed by the remote cloud server. As a result, the data transfer and deletion have become two security issues because the selfish remote cloud server might not honestly execute these operations for economic benefits. In this article, we design a scheme that aims to make the data transfer and the transferred data deletion operations more transparent and publicly verifiable. Our proposed scheme is based on vector commitment (VC), which is used to deal with the problem of public verification during the data transfer and deletion. More specifically, our new scheme can provide the data owner with the ability to verify the data transfer and deletion results. In addition, by using the advantages of VC, our proposed scheme does not require any trusted third party. Finally, we prove that the proposed scheme not only can reach the expected security goals but also can satisfy the efficiency and practicality.

Yuchuan Luo,Ming Xu,Shaojing Fu,Dongsheng Wang

DOI: https://doi.org/10.1145/2898445.2898447

2016-01-01

Abstract:In the cloud storage, users lose direct control over their data. How to surely delete data in the cloud becomes a crucial problem for a secure cloud storage system. The existing way to this problem is to encrypt the data before outsourcing and destroy the encryption key when deleting. However, this solution may cause heavy computation overhead for the user-side and the encrypted data remains intact in the cloud after the deletion operation. To solve this challenge problem, we propose a novel method to surely delete data in the cloud storage by overwriting. Different from existing works, our scheme is efficient in the user-side and is able to wipe out the deleted data from the drives of the cloud servers.

Xiangman Li,Jianbing Ni

2023-08-04

Abstract:Secure data deletion enables data owners to fully control the erasure of their data stored on local or cloud data centers and is essential for preventing data leakage, especially for cloud storage. However, traditional data deletion based on unlinking, overwriting, and cryptographic key management either ineffectiveness in cloud storage or rely on unpractical assumption. In this paper, we present SevDel, a secure and verifiable data deletion scheme, which leverages the zero-knowledge proof to achieve the verification of the encryption of the outsourced data without retrieving the ciphertexts, while the deletion of the encryption keys are guaranteed based on Intel SGX. SevDel implements secure interfaces to perform data encryption and decryption for secure cloud storage. It also utilizes smart contract to enforce the operations of the cloud service provider to follow service level agreements with data owners and the penalty over the service provider, who discloses the cloud data on its servers. Evaluation on real-world workload demonstrates that SevDel achieves efficient data deletion verification and maintain high bandwidth savings.

Cryptography and Security

Jian Liu,N. Asokan,Benny Pinkas

DOI: https://doi.org/10.1145/2810103.2813623

2015-01-01

Abstract:Encrypting data on client-side before uploading it to a cloud storage is essential for protecting users' privacy. However client-side encryption is at odds with the standard practice of deduplication. Reconciling client-side encryption with cross-user deduplication is an active research topic. We present the first secure cross-user deduplication scheme that supports client-side encryption without requiring any additional independent servers. Interestingly, the scheme is based on using a PAKE (password authenticated key exchange) protocol. We demonstrate that our scheme provides better security guarantees than previous efforts. We show both the effectiveness and the efficiency of our scheme, via simulations using realistic datasets and an implementation.

Fangfang Shan,Hui Li,Fenghua Li,Yunchuan Guo,Jinbo Xiong

DOI: https://doi.org/10.4018/ijitwe.2019040105

2019-01-01

International Journal of Information Technology and Web Engineering

Abstract:With the rapid development of cloud computing, it has been increasingly attractive for individuals and groups to store and share data via cloud storage. Once stored in the third-party cloud storage service providers, the privacy and integrity of outsourced data should be attached with more attention as a challenging task. This article presents the attribute-based assured deletion scheme (AADS) which aims to protect and assuredly delete outsourced data in cloud computing. It encrypts outsourced data files with standard cryptographic techniques to guarantee the privacy and integrity, and assuredly deletes data upon revocations of attributes. AADS could be applied to solve important security problems by supporting fine-grained attribute-based policies and their combinations. According to the comparison and analysis, AADS provides efficient data encryption and flexible attribute-based assured deletion for cloud-stored data with an acceptable concession in performance cost.

Zhen Mo,Qingjun Xiao,Yian Zhou,Shigang Chen

DOI: https://doi.org/10.1109/CLOUD.2014.54

2014-01-01

Abstract:Data security is a major concern in cloud computing. After clients outsource their data to the cloud, will they lose control of the data? Prior research has proposed various schemes for clients to confirm the existence of their data on the cloud servers, and the goal is to ensure data integrity. This paper investigates a complementary problem: When clients delete data, how can they be sure that the deleted data will never resurface in the future if the clients do not perform the actual data removal themselves? How to confirm the non-existence of their data when the data is not in their possession? One obvious solution is to encrypt the outsourced data, but this solution has a significant technical challenge because a huge amount of key materials may have to be maintained if we allow fine-grained deletion. In this paper, we explore the feasibility of relieving clients from such a burden by outsourcing keys (after encryption) to the cloud. We propose a novel multi-layered key structure, called Recursively Encrypted Red-black Key tree (RERK), that ensures no key materials will be leaked, yet the client is able to manipulate keys by performing tree operations in collaboration with the servers. We implement our solution on the Amazon EC2. The experimental results show that our solution can efficiently support the deletion of outsourced data in cloud computing.

Jiguo Li,Ruyuan Zhang,Yang Lu,Jinguang Han,Yichen Zhang,Wenzheng Zhang,Xinfeng Dong

DOI: https://doi.org/10.1109/jsyst.2022.3208149

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:In order to alleviate key escrow issue, the notion of multiauthority attribute-based encryption (MA-ABE) was presented, which was widely applied in cloud storage environment. In data sharing environment, secure data deletion is very crucial and challenging issue. Hence, in this article, we concentrate on verification of data deletion operation, i.e., assuring data deletion. To solve this problem, we put forward a system model, formal definition and security model of MA-ABE for assuring data deletion. Furthermore, we design a MA-ABE scheme for assuring data deletion, which is more practicable than the single authority ABE scheme. The designed scheme not only overcomes key escrow issue, but also resists collusion attack between malicious user and unauthorized user. In addition, our scheme utilizes merkle hash tree to obtain verifiable data deletion. Based on decisional bilinear Diffie-Hellman (DBDH) assumption, the scheme is proven to be secure under the selective-policy model. The experimental result indicates that the designed scheme is efficient for practical application.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Shanshan Li,Chunxiang Xu,Yuan Zhang

DOI: https://doi.org/10.1016/j.jisa.2019.03.015

IF: 4.96

2019-01-01

Journal of Information Security and Applications

Abstract:As digital data are explosively generated nowadays, data management becomes a critical problem, which makes cloud storage services important and popular. In reality, the storage overhead can be reduced significantly by performing date deduplication. Among the outsourced data, some of them are very personal and sensitive, and should be prevented for any leakage. Generally, if clients conventionally encrypt the data, deduplication is lost. Message-locked encryption (MLE) is a cryptographic primitive supporting encrypted data deduplication. A secure client-side deduplication scheme can be built upon MLE to reduce both communication and computation overhead for cloud storage systems, where a client interacts with the cloud server to check the duplicate data and only the data which has not been outsourced by other clients before is required to be uploaded. However, existing client-side encrypted data deduplication schemes are confronted with brute-force attacks that can recover files falling into a known set. Furthermore, existing schemes are vulnerable to illegal content distribution attacks, where the adversary can distribute data to other users via the cloud server without detecting. In this paper, we propose a secure and efficient client-side encrypted data deduplication scheme (CSED). In CSED, a dedicated key server is introduced in generating MLE keys to resist brute-force attacks. We propose a Bloom filter-based proofs of ownership (PoW) mechanism and integrate it into CSED to resist illegal content distribution attacks. Moreover, a hierarchical storage architecture is employed to improve the I/O efficiency on the cloud server. Security analysis and performance evaluation demonstrate that CSED is secure and efficient.

Mingyang Song,Zhongyun Hua,Yifeng Zheng,Tao Xiang,Xiaohua Jia

DOI: https://doi.org/10.1109/tdsc.2023.3334475

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:In cloud storage systems, secure deduplication plays a critical role in saving storage costs for the cloud server and ensuring data confidentiality for cloud users. Traditional secure deduplication schemes require users to encrypt their outsourced files using specific encryption algorithms that cannot provide semantic security. However, users are unable to directly benefit from the storage savings, as the relation between the actual storage cost and the offered prices remains not transparent. As a result, users may be unwilling to cooperate with the cloud by encrypting their data using semantically secure algorithms. Moreover, data integrity is a significant concern for cloud storage users. To address these issues, this paper proposes a novel transparent and secure deduplication scheme that supports integrity auditing. Compared to previous works, our design can verify the number of file owners and the integrity through one-time proof verification. It also protects the private contents of files and the privacy of file ownership from malicious users. Moreover, our scheme includes a batch auditing method to simultaneously verify the numbers of file owners and the integrity of multiple files. Theoretical analysis confirms the correctness and security of our scheme. Comparison results demonstrate its competing performance over previous solutions

Cheng Guo,Litao Wang,Xinyu Tang,Bin Feng,Guofeng Zhang

DOI: https://doi.org/10.1016/j.jisa.2023.103426

IF: 4.96

2023-01-01

Journal of Information Security and Applications

Abstract:Deduplication, which stores only one copy of duplicate data, is used extensively in cloud storage to reduce the overhead associated with storage. Unfortunately, client-side encryption prevents cloud storage from performing deduplication due to the randomness of traditional encryption. Some existing schemes can balance encryption and deduplication, but their interaction with third-party servers or online users adds additional overhead to the system. Also, the ownership of outsourced data will change frequently due to users’ requests to upload/delete/modify the data. But many existing schemes that can achieve dynamic ownership management have security flaws or require users to manage multiple keys. By focusing on these troubles, we have developed a secure deduplication scheme that does not rely on any third-party entities and supports data ownership management. More specifically, we take advantage of elliptic curve cryptography to design a key-sharing method so that different owners of the same data can share a random key only by interacting with the cloud service provider. And the broadcast encryption is used to manage the ownership of data, and this allows the cloud service provider to control users’ access to outsourced data by updating the broadcast key. In addition, the security analysis shows that the proposed scheme can meet the required security and that it outperforms other related schemes. The detailed simulation comparisons with other related schemes demonstrate that the proposed scheme has good performance.

Xuewei Ma,Wenyuan Yang,Yuesheng Zhu,Zhiqiang Bai

DOI: https://doi.org/10.1109/ipccc55026.2022.9894331

2022-01-01

Abstract:Encrypted data deduplication is an important technique for saving storage space and network bandwidth, which has been widely used in cloud storage. Recently, a number of schemes that solve the problem of data deduplication with dynamic ownership management have been proposed. However, these schemes suffer from low efficiency when the dynamic ownership changes a lot. To this end, in this paper, we propose a novel server-side deduplication scheme for encrypted data in a hybrid cloud architecture, where a public cloud (Pub-CSP) manages the storage and a private cloud (Pri-CSP) plays a role as the data owner to perform deduplication and dynamic ownership management. Further, to reduce the communication overhead we use an initial uploader check mechanism to ensure only the first uploader needs to perform encryption, and adopt an access control technique that verifies the validity of the data users before they download data. Our security analysis and performance evaluation demonstrate that our proposed server-side deduplication scheme has better performance in terms of security, effectiveness, and practicability compared with previous schemes. Meanwhile, our method can efficiently resist collusion attacks and duplicate faking attacks.

Qian Mei,Minghao Yang,Jinhao Chen,Lili Wang,Hu Xiong

DOI: https://doi.org/10.1109/TDSC.2022.3188740

2023-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Expressive data sharing and efficient data deletion are essential to drive the development of cloud-assisted IoT. But insecure transmission and the vulnerability of the cloud server may cause potential threats to IoT data, attribute-based encryption (ABE) is widely applied to ensure data confidentially. Nonetheless, the potential data exposure caused by the compromised long-term key and the contradiction between conventional access structures in ABE and the various demands of data owners are still two huge challenges. To overcome these challenges, this article designs an unbounded and puncturable ciphertext-policy ABE with arithmetic span program ( <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> ) scheme and presents an expressive data sharing and self-controlled fine-grained data deletion solution in cloud-assisted IoT, which allows data owners to efficiently encrypt and share data with various computable access policies, but also enables data owners and data users to independently delete specific data stored in the cloud. The designed <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> leverages unbounded ABE and puncturable encryption to support the flexible update of system parameters and the deletion of specific data. Also, the arithmetic span program access structure is combined to realize expressive data sharing. Moreover, the <inline-formula><tex-math notation="LaTeX">$\mathcal {UP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {CP}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ABE}$</tex-math></inline-formula> - <inline-formula><tex-math notation="LaTeX">$\mathcal {ASP}$</tex-math></inline-formula> is adaptively secure in the standard model, and comprehensive performance evaluations demonstrate its practicability and scalability in cloud-assisted IoT.

Jianghong Wei,Xiaofeng Chen,Jianfeng Wang,Xinyi Huang,Willy Susilo

DOI: https://doi.org/10.1109/tpds.2022.3225274

IF: 5.3

2023-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:The wide use of internet-connected services makes massive personal data collected by service providers without the need of our consent. Although the archived data may enable them to provide better service experiences for users, it also presents serious risks to individual privacy, especially when active or unexpected data breaches have become commonplace. To mitigate this issue, several acts and regulations (e.g., the European Union general data protection regulation) have been issued and specified a lot of security requirements for personal data management. Among these various requirements, we mainly focus on the requirement of giving back the access control of personal data to data owners themselves and the right to be forgotten for data erasure. In this article, we provide a cryptographic solution of achieving these two requirements in the setting of outsourced storage. Specifically, we introduce a personal data management framework built upon a novel cryptographic primitive dubbed as forward-secure attribute-based puncturable encryption (FS-DABPE). This primitive simultaneously features of system-wide forward secrecy and practical key management as well as fine-grained access control of the encrypted personal data. Consequently, by locally puncturing, updating and erasing system-wide secret keys, it securely realizes fine-grained personal data sharing and data erasure without interactions. Furthermore, to instantiate the proposed framework, we present a concrete FS-DABPE construction, and prove its security under a well-studied complexity assumption. In addition, we provide a prototype implementation of the concrete construction, and present extensive experimental results that illustrate its feasibility and practicability.

Bo Zhang,Helei Cui,Yaxing Chen,Xiaoning Liu,Zhiwen Yu,Bin Guo

DOI: https://doi.org/10.1007/978-3-031-23020-2_26

2022-01-01

Abstract:With the rapid development of blockchain technology, decentralized cloud storage services are emerging and have been a storage new option in this era. They aim to leverage the unused storage resources across the network to build a more economical and reliable distributed storage network and thus eliminate the trust in the centralized storage providers via matured blockchain consensus mechanisms. However, current solutions either lack the protection of user data privacy or apply conventional encryption methods that cannot support cross-user deduplication over encrypted data. These limitations make them struggle to balance the need for optimized storage space utilization and encrypted data protection, especially in the scenario where the user's files are geographically distributed in different nodes around the world. In this paper, we propose a secure deduplication system in the context of encrypted decentralized cloud storage. It utilizes smart contract to incorporate the message-locked encryption (MLE) scheme, the most prominent cryptographic primitive in secure data deduplication. With a carefully tailored design, our proposed scheme can be seamlessly deployed to the public blockchain with transparency. Together, our design enables secure data deduplication over decentralized storage, while providing stringent cryptographic data privacy guarantees. In particular, our proposed design has a natural benefit to prevent potential malicious attacks such as file ownership cheating and file ciphertext poisoning. We implement a prototype of our system and deploy it to Ethereum. Comprehensive performance evaluations are conducted with real datasets to demonstrate the effectiveness and efficiency of our design.

Zhengyu Yue,Yuanzhi Yao,Weihai Li,Nenghai Yu

DOI: https://doi.org/10.1109/icc45855.2022.9838336

2022-01-01

Abstract:With the rapid development of general cloud services, more and more individuals or collectives use cloud platforms to store data. Assured data deletion deserves investigation in cloud storage. In time-sensitive data storage scenarios, it is necessary for cloud platforms to automatically destroy data after the data owner-specified expiration time. Therefore, assured time-sensitive data deletion should be sought. In this paper, a fine-grained assured time-sensitive data deletion (ATDD) scheme in cloud storage is proposed by embedding the time trapdoor in Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Time-sensitive data is self-destructed after the data owner-specified expiration time so that the authorized users cannot get access to the related data. In addition, a credential is returned to the data owner for data deletion verification. This proposed scheme provides solutions for fine-grained access control and verifiable data self-destruction. Detailed security and performance analysis demonstrate the security and the practicability of the proposed scheme.

JIN Xue-xue,YU Neng-hai,ZHANG Chi,SUN Chang-xiang

DOI: https://doi.org/10.3969/j.issn.1009-8054.2013.05.028

2013-01-01

Abstract:For the requirements by efficient and secure data storage in cloud storage,a de-duplication scheme of encrypted data with proof of ownership is proposed.Firstly,a data owner is identified by taking advantage of the proof of ownership based on Merkle Hash Tree.After that,encrypted data is deduplicated by combining the proxy re-encryption.For some selfish clients an incentive mechanism is given.And the security of this proposed scheme is analysed.The experiment results show that the overhead of communication and computing required for reduction of storage space and bandwidth is very low.

Xinyan Wu,Huanwei Wang,Yangkai Yuan,Fagen Li

DOI: https://doi.org/10.1016/j.sysarc.2023.102858

IF: 5.836

2023-01-01

Journal of Systems Architecture

Abstract:Data deduplication technology is frequently used by many cloud service providers to handle the exponential growth in data. To protect their data privacy, users frequently encrypt their data before uploading it to a cloud storage provider. Therefore, efficient encrypted deduplication technology has been widely studied. Although cloud storage provides convenience for users, it also has the problem of high data concentration. Once an accident occurs in the data center, the impact is enormous. Therefore, it is necessary to back up the ciphertext data after deduplication. In this paper, we propose an efficient encrypted data deduplication technology that supports backup. Our scheme uses a one-way hash chain to verify the legitimacy of a user’s identity. It updates the user’s ownership of the data using the user’s index table. In this paper, we use the XOR operation to re-encrypt data to obtain backup ciphertext, reducing computational complexity. In LEDB, the user can extract the key from the data label. Therefore, the user does not need to manage the key separately. In addition, LEDB supports a two-level deduplication mechanism, which can not only ensure transmission security but also reduce network transmission bandwidth. Finally, LEDB allows the user to determine the integrity of the data before decrypting the ciphertext. Security analysis and experimental results show that our scheme is secure and efficient for data encryption and decryption.

Xinyu Tang,Cheng Guo,Kim-Kwang Raymond Choo,Xueru Jiang,Yining Liu

DOI: https://doi.org/10.1016/j.comcom.2024.05.003

IF: 5.047

2024-01-01

Computer Communications

Abstract:Data deduplication technology is extensively employed to enhance the storage efficiency of cloud servers by eliminating redundant files. Cloud users commonly encrypt their data prior to uploading it to the server. Conventional encryption algorithms, however, lead to the encryption of duplicated data from different users into distinct ciphertexts. Consequently, these ciphertexts must be stored in the cloud since the cloud server cannot identify such duplicated data. In this paper, we introduce a hybrid cloud-based secure deduplication scheme tailored for implementation on large-scale data systems. Specifically, our approach leverages ciphertext-policy attribute-based encryption (CP-ABE), which enables us to establish access control and key management via a private cloud server. Simultaneously, we leverage a public cloud server to cater to enterprises and groups seeking secure data storage. Notably, our approach ensures mutual zero-interaction verification between both public and private cloud servers through ElGamal encryption, thereby guaranteeing data unforgeability. The security assessment illustrates that our proposed approach ensures both data privacy and integrity. We also show that the approach resists brute-force attacks on the dictionary, prevents malicious users from deceiving cloud servers to return incorrect ciphertext, and achieves secure and efficient access control and key management. Furthermore, functional and performance evaluation underscores the superiority of our method over five other classical data deduplication schemes. Under the premise of having more comprehensive security settings, the performance of the scheme still maintains a good level at every stage.

Dulin,Zhiwei Zhang,Shichong Tan,Jianfeng Wang,Xiaoling Tao

DOI: https://doi.org/10.1007/978-3-030-05063-4_38

2018-01-01

Abstract:Cloud storage reduces the cost of data storage and brings great convenience for data backup, therefore in order to improve data availability, more and more users choose to outsource personal data for multiple copies instead of storing them locally. However, multi-copy storage brings the difficulty in associating all the copies to store, increases the number of keys for encrypting every single copy and makes the integrity and the verifiable deletion of copies hard to be guaranteed, all of these issues introduce more threatens to the security of user data. In this paper, we present a cryptographic solution called ADM to solve above problems. To reduce management cost, we outsource data keys encrypted by blinded RSA to the third party, and not only to guarantee the integrity of multi-copy but also to give the verifiable evidence for deletion operation of the copies, we propose a multi-copy associated deleting solution based on pre-deleting sequence and Merkle hash tree. Finally, a proof-of-concept implementation of ADM is presented to demonstrate its practical feasibility, and we compare our scheme with other typical schemes in functionalities and conduct the security analysis and empirical performance of the prototype.