Jian Zhang,Yang,Yanjiao Chen,Jing Chen,Qian Zhang

DOI: https://doi.org/10.1016/j.comnet.2017.08.019

IF: 5.493

2017-01-01

Computer Networks

Abstract:With the growing popularity of cloud storage, to guarantee the security of outsourced data becomes more and more important. In this paper, we make the first attempt to explore the intrinsic relationship between secure cloud storage and homomorphic encryption scheme, based on which we present a Generic way to design a Secure Cloud Storage protocol, denoted as G-SCS, using any homomorphic encryption scheme (HES). The proposed G-SCS is secure under a definition that satisfy the security requirement of cloud storage. To address various issues in real application scenarios, we further extend the protocol to support deterministic and randomized auditing, data dynamics (i.e., data insertion, deletion and modification), as well as third-party public auditing, while preserving the efficiency and security of the protocol. By instantiating all abstract semantics in G-SCS, we construct three concrete secure cloud storage protocols using RSA-based, Paillier-based and DGHV-based HESs, which are multiplicatively, additively and fully HESs, respectively. We conduct extensive theoretical analysis and experimental evaluations to validate the practicability of the proposed protocol.

Hongyi Su,Geng Yang,and Dawei Li

2011-01-01

Abstract:Data storage is an important application of cloud computing. With a cloud computing platform, the burden of local data storage can be reduced. However, services and applications in a cloud may come from different providers, and creating an efficient protocol to protect privacy is critical. We propose a verification protocol for cloud database entries that protects against untrusted service providers. Based on identity-based encryption （IBE） for cloud storage, this protocol guards against breaches of privacy in cloud storage. It prevents service providers from easily constructing cloud storage and forging the signature of data owners by secret sharing. Simulation results confirm the availability and efficiency of the proposed protocol.

Guojun Wang,Qin Liu,Jie Wu,Minyi Guo

DOI: https://doi.org/10.1016/j.cose.2011.05.006

IF: 5.105

2011-01-01

Computers & Security

Abstract:With rapid development of cloud computing, more and more enterprises will outsource their sensitive data for sharing in a cloud. To keep the shared data confidential against untrusted cloud service providers (CSPs), a natural way is to store only the encrypted data in a cloud. The key problems of this approach include establishing access control for the encrypted data, and revoking the access rights from users when they are no longer authorized to access the encrypted data. This paper aims to solve both problems. First, we propose a hierarchical attribute-based encryption scheme (HABE) by combining a hierarchical identity-based encryption (HIBE) system and a ciphertext-policy attribute-based encryption (CP-ABE) system, so as to provide not only fine-grained access control, but also full delegation and high performance. Then, we propose a scalable revocation scheme by applying proxy re-encryption (PRE) and lazy re-encryption (LRE) to the HABE scheme, so as to efficiently revoke access rights from users.

Ehab Zaghloul,Kai Zhou,Jian Ren

DOI: https://doi.org/10.48550/arXiv.1801.02685

2018-01-09

Abstract:Cloud computing has changed the way enterprises store, access and share data. Data is constantly being uploaded to the cloud and shared within an organization built on a hierarchy of many different individuals that are given certain data access privileges. With more data storage needs turning over to the cloud, finding a secure and efficient data access structure has become a major research issue. With different access privileges, individuals with more privileges (at higher levels of the hierarchy) are granted access to more sensitive data than those with fewer privileges (at lower levels of the hierarchy). In this paper, a Privilege-based Multilevel Organizational Data-sharing scheme~(P-MOD) is proposed that incorporates a privilege-based access structure into an attribute-based encryption mechanism to handle these concerns. Each level of the privilege-based access structure is affiliated with an access policy that is uniquely defined by specific attributes. Data is then encrypted under each access policy at every level to grant access to specific data users based on their data access privileges. An individual ranked at a certain level can decrypt the ciphertext (at that specific level) if and only if that individual owns a correct set of attributes that can satisfy the access policy of that level. The user may also decrypt the ciphertexts at the lower levels with respect to the user's level. Security analysis shows that P-MOD is secure against adaptively chosen plaintext attack assuming the DBDH assumption <a class="link-external link-http" href="http://holds.The" rel="external noopener nofollow">this http URL</a> comprehensive performance analysis demonstrates that P-MOD is more efficient in computational complexity and storage space than the existing schemes in secure data sharing within an organization.

Cryptography and Security

Xin Dong,Jiadi Yu,Yuan Luo,Yingying Chen,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1109/glocom.2013.6831152

2013-01-01

Abstract:Data sharing in the cloud, fueled by favorable cloud technology trends, has emerging as a promising pattern in regard to enabling data more accessible to users in a convenient manner. To achieve data sharing, enterprises and customers in increasing numbers keep their data stored into cloud server. In this paper, we focus on seeking a solution that allows secure and effective access to the cloud data. We propose an effective and flexible privacy-preserving data policy, P2E, utilizing ciphertext policy attribute-based encryption (CP-ABE) and combining it with technique of identity-based encryption (IBE). In addition to ensuring strong data sharing security, the policy succeeds in preserving the privacy of cloud users. Security analysis indicates that the proposed policy is security and enforces fine-grained access control and full collusion resistance simultaneously. Furthermore, our performance analysis and experimental results show that P2E is as light as possible.

Hongbo Li,Qiong Huang,Willy Susilo

DOI: https://doi.org/10.1109/tdsc.2020.3027611

2020-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:Cloud storage becomes the priority for storing and sharing data for enterprise users. Encrypting prior to uploading data to the cloud is the best way to protect business secrets, however, it hinders the convenient operations on plaintexts, such as searching over the cloud data. In addition, employees in an enterprise have multiple layer structures and a higher layer employee should have the privilege to monitor the lower layer employees' data to check if these users violate the regulation without letting the employees be aware of. Public key encryption with keyword search (PEKS) is a well-known cryptographic primitive suitable for secure cloud storage, which supports keyword search without decryption in public key encryption settings. Unfortunately, no existing PEKS scheme supports the monitoring function without authorization from the sender. To address this issue, we propose a variant of PEKS named Hierarchical Public Key Encryption with Keyword Search (HPEKS) and provide a semi-generic construction utilizing a public key tree (PKTree) and a PEKS scheme. To better suit for the enterprise secret data sharing, we build an advanced HPEKS scheme, named designated-tester decryptable hierarchical public key encryption with keyword search (dDHPEKS), which enjoys stronger security and integrates the public key and symmetric key encryptions. We prove our dDHPEKS scheme secure under the security definition in the random oracle model. Particularly, it satisfies the security against outside offline keyword guessing attacks and furthermore, enjoys the transparency property so that the sender does not need to know the internal hierarchy structure of an enterprise in order to share encrypted data to the enterprise. Theoretical evaluation and concrete experiments show that our dDHPEKS scheme has comparable running efficiency with existing PEKS schemes.

computer science, information systems, software engineering, hardware & architecture

Subhranil Dutta,Tapas Pal,Ratna Dutta

DOI: https://doi.org/10.1016/j.tcs.2024.114502

IF: 1.002

2024-03-17

Theoretical Computer Science

Abstract:Cloud computing serves as an advanced computing technology to support Internet services and has numerous applications, including medical fields, online data storage, social network, big data analysis, and e-learning platforms. Inner product encryption ( IPE ) is a promising cryptographic primitive that facilitates access control over outsourced encrypted data by restricting decryption capability via an inner product relation. Most of the existing IPE s are built assuming a priori bound on the length of attribute vectors associated with the plane data. A situation may occur when adding new attributes is essential due to upgradation. Thus it is desirable to construct IPE with variable length attribute vectors instead of fixing the length at the setup phase. Such IPE s are more flexible while encrypting data and consequently have more real-life applications. In the following, we make our contributions: – We design the first efficient adaptively payload-hiding secure unbounded non-zero IPE ( UNIPE ) scheme from the standard symmetric external Diffie-Hellman (SXDH) assumption and prove security in the standard model. – We propose a generic construction of an adaptively weak attribute-hiding UNIPE from an unbounded inner product functional encryption ( UIPFE ) scheme. We also instantiate UNIPE from the SXDH assumption and prove security in the standard model. – Finally, we present the first unbounded anonymous identity-based revocation ( UAnon-IBRV ) scheme using our generic UNIPE as the building block. The anonymity feature ensures that the ciphertext reveals no information about the revoking sets of the system.

computer science, theory & methods

Jianfei Sun,Hu Xiong,Hao Zhang,Li Peng

DOI: https://doi.org/10.1016/j.ins.2019.08.026

IF: 8.1

2020-01-01

Information Sciences

Abstract:Never before has data sharing been more convenient with the rapid popularity and wide adoption of cloud computing. However, mobile access and flexible search with security for outsourced data in heterogeneous systems are two major obstacles prior to practical deployment of cloud computing. To meet the requirements in secure mobile access and flexible search to sensitive data, this paper, for the first time, proposes a versatile primitive referred to as an identity based proxy re-encryption system with outsourced equality test (IBPRE-ET). This primitive allows a data owner in an identity based broadcast encryption system (IBBE) seamlessly to share his/her data with a data sharer in an identity based encryption system (IBE). Moreover, it supports a data sharer in an IBBE system to perform search functionality on ciphertexts related to a data sharer in an IBE system. We also formally prove that the proposed IBPRE-ET system is selective secure using a random oracle model. Meanwhile, the theoretic evaluation and experimental result demonstrate our scheme is practical in the heterogeneous system. Finally, we show an application of our IBPRE-ET to the collaborative office automation system.

Xiaofen Wang,Xiaosong Zhang,Yi Mu

DOI: https://doi.org/10.1109/smartcity.2015.204

2015-01-01

Abstract:In a hierarchical system, a set of users with ranked rights are organized in a tree-architecture, and the user with higher grade can search and access data of users with lower grade in its branch. Nowadays hierarchical systems are constructed by utilizing the cloud to improve their performance due to the cloud server's powerful computation and storage capabilities. However, the untrusted cloud server may give rise to the risk of private information exposure. To enable ranked and controllable data search in cloud without revealing users' privacy in a hierarchical system is a challenging open problem. In this paper, we formally define the hierarchical searchable encryption, where the user in the hierarchical system can search the data of its descendants. A basic hierarchical ID-based searchable encryption (HIBSE) scheme with constant size ciphertext and probe (i.e. trapdoor) is proposed, which satisfies IND-sID-CKA security. An extended secure channel free HIBSE scheme is also given, where the user can search the data of all his descendants at one time, and it achieves IND-sID-OKGA. The performance evaluation demonstrates that the extended scheme greatly reduces the computation cost when the user searches the data of all his descendants in the branch. Therefore, the extended scheme is efficient and practical in various applications.

Jian-Wu Zheng,Jing Zhao,Xin-Ping Guan

DOI: https://doi.org/10.1007/s10207-018-0402-8

2018-01-01

International Journal of Information Security

Abstract:It has been almost one and a half decades since the introduction of the concept of hierarchical identity-based encryption (HIBE) systems, and many pairing-based HIBE systems have been proposed; however, how to achieve independent private key delegation in HIBE systems is still open. Independent private key delegation in HIBE systems requires that the following three conditions are satisfied: (1) private keys are not valid delegation credentials for deriving descendants’ private keys, (2) any entity intending to derive a private key for any one of its descendants should own a valid delegation credential distributed by the root private key generator (PKG), and (3) a credential is only valid for deriving private keys for a given descendant. We present a new technique for composing private keys for entities in HIBE systems that we call identifier discrimination, aiming at resolving the problem of independent private key delegation. With the technique, we construct a selective identity secure HIBE system under the decisional bilinear Diffie–Hellman (DBDH) assumption in the standard model with the following properties. (1) Every entity in the HIBE system is prevented from deriving private keys for its descendants with the only use of its private key and the public parameters. (2) The root PKG can delegate the privilege (if needed) of generating private keys for each individual entity to any of its ancestors through authorization that we call authorized delegation, by distributing a specifically crafted secret (delegation credential) to the ancestor. (3) The encryption privacy of each ciphertext for its intended recipient is achieved, that is, ciphertexts encrypted on identity of any entity cannot be decrypted by any of its ancestors that we call dedicated encryption privacy.

Dongyang Xu,Fengying Luo,Lin Gao,Zhi Tang

DOI: https://doi.org/10.1109/intech.2013.6653703

2013-01-01

Abstract:With the rapid development of cloud computing, more and more users begin to share documents in cloud servers. Since cloud servers are not within the trusted domain of users, encryption and access control are needed to protect the digital content. Attribute-based encryption is a favorable scheme that has been used for content protection in cloud computing. It can provide “one-to-many” encryption service so that one encrypted file can be decrypted by multiple prospective recipients whose attributes conform to the access policy. Currently, all existing attribute-based encryption schemes assume that the digital content and authorized users are equally privileged; however, there are emerging application scenarios that demand digital content and users with different privileges. In this paper, we present a new attribute-based encryption scheme that can generate security keys of different class for users by integrating ciphertext-policy attribute-based encryption and hierarchical cryptographic key management. Thus, we achieve the fine-grained document sharing which means that users can preview the same document with different privileges. We use hierarchical keys derived from a chain of one-way functions. Extensive analysis shows that our proposed scheme is simple, efficient and secure. The proposed scheme can provide “one-fits-many” encryption service.

Liang Xue,Dongxiao Liu,Cheng Huang,Xuemin (Sherman) Shen,Weihua Zhuang,Rob Sun,Bidi Ying

DOI: https://doi.org/10.1109/icc45855.2022.9838811

2022-01-01

Abstract:In this paper, we propose a Secure and Flexible Data Sharing (SFDS) scheme for distributed storage, where data owners can outsource their data to a distributed storage network and share the data with authorized users. To preserve confidentiality, all data are encrypted by data owners' secret keys before being outsourced, and fine-grained access policies are enforced on the encrypted data (ciphertexts) to achieve flexible data sharing. Furthermore, based on the ciphertext puncturable encryption and the hierarchical identity-based encryption, we design an efficient key and ciphertext update mechanism, which enables data owners to update their secret keys and the corresponding ciphertexts periodically to deal with side-channel attacks and system vulnerabilities. Update tokens are constructed to directly derive new keys and ciphertexts. Through detailed security analysis, it is demonstrated that SFDS can achieve all three essential security properties, i.e., forward security, post-compromise security, and collusion attack resistance.

Yanyan Ji,Bilin Shao,Jinyong Chang,Genqing Bian

DOI: https://doi.org/10.1007/s10586-021-03408-y

2021-09-09

Cluster Computing

Abstract:Provable data possession (PDP) protocol is a mechanism that guarantees the integrity of user's cloud data, and many efficient protocols have been proposed. Many of them ignore data's privacy against the third-party auditor (TPA) and also suffer from intricate management of certificates, which heavily relies on the public key infrastructure (PKI). In order to overcome the two shortcomings, Li et al. recently proposed an "identity-based" (IB) PDP protocol with the privacy-preserving property (IEEE Syst J, https://doi.org/10.1109/JSYST.2020.2978146). However, we find out that (1) their protocol has great communication overhead, (2) a PKI-based signature scheme is used as a building block, which results in their protocol is not completely identity-based. Hence, in this paper, we try to improve the performance of this protocol. Concretely, by adopting flexible data-splitting and tag-aggregating techniques, we can greatly reduce its communication overhead. A concrete example shows that the total communication overhead can be reduced over 99%. Moreover, by replacing with an identity-based signature, we can twist this protocol into a complete IB-PDP protocol.

English Else

Haining Yang,Ye Su,Jing Qin,Huaxiong Wang,Yongcheng Song

DOI: https://doi.org/10.1016/j.ins.2020.05.118

IF: 8.1

2020-10-01

Information Sciences

Abstract:<p>With the rapid development of cloud computing, the practical applications such as the machine learning based on the outsourced data have been investigated in the data sharing setting. In machine learning, the inner product is a necessary primitive to analyze the description statistics. However, the inner product computation in selective data sharing setting has not been fully considered. For this fact, we propose a verifiable inner product computation scheme based on Inner Product Functional Encryption (IPFE). IPFE is employed to preserve the outsourced data privacy and restrict the computation on the outsourced data to be inner product. To achieve the key privacy and result privacy, we transform the secret key into blinded form, which in turn results in a blinded result. With the aim of implementing access control over the data user and outsourced data, we design to let cloud server perform the authentication procedures before computing inner product. This can also eliminate most computational overhead resulting from the unauthorized data user and undesired data. As a result, only the authorized data user can obtain the inner product computed on the designated outsourced data. The proposed scheme is proved to be secure under the authentication model and the result unforgeability model. The performance evaluation shows that the proposed scheme is feasible. To achieve a better security level, the proposed scheme is extended to be secure against the corrupted cloud server.</p>

computer science, information systems

Jianfei Sun,Guowen Xu,Tianwei Zhang,Hu Xiong,Hongwei Li,Robert H. Deng

DOI: https://doi.org/10.1109/tcc.2021.3117998

IF: 5.697

2021-01-01

IEEE Transactions on Cloud Computing

Abstract:Benefiting from the powerful computing and storage capabilities of cloud services, data sharing in the cloud has been permeated across various applications including social networks, e-health and crowdsourcing transportation system. Intuitively, outsourcing data to untrusted cloud commonly raises concerns about data privacy breaches. To combat this, one approach is exploiting Broadcast Based Searchable Encryption (BBSE) for secure data sharing. Nevertheless, the latest proposed BBSE is still defective in either security or efficiency. In this article, we propose ESPD, an Efficient, Scalable and Privacy-preserving Data sharing framework over encrypted cloud dataset. Different from previous works, ESPD supports sharing target data to multiple users with distinct secret keys, and keeps a constant ciphertext length with the changes of the amount of system users. This feature significantly improves search efficiency and makes ESPD scalable in real-world scenarios. We show a formal analysis to prove the security of ESPD in terms of file privacy, keyword privacy and trapdoor privacy. Also, extensive experiments on real-world dataset are conducted to indicate the desirable performance of ESPD compared to other similar schemes.

Lixue Sun,Chunxiang Xu,Fugeng Zeng

DOI: https://doi.org/10.1016/j.jpdc.2024.104956

IF: 4.542

2024-01-01

Journal of Parallel and Distributed Computing

Abstract:Cloud computing is a promising service architecture that enables a data owner to share data in an economic and efficient manner. To ensure data privacy, a data owner will generate the ciphertext of the data before outsourcing. Attribute-based encryption (ABE) provides an elegant solution for a data owner to enforce fine-grained access control on the data to be outsourced. However, ABE cannot support ciphertext transformation when needing to share the underlying data with a public-key infrastructure (PKI) user further. In addition, an untrusted cloud server may return random ciphertexts to the PKI user to save expensive computational costs of ciphertext transformation. To address above issues, we introduce a novel cryptographic primitive namely verifiable and hybrid attribute-based proxy re-encryption (VHABPRE). VHABPRE provides a transformation mechanism that re-encrypts an ABE ciphertext to a PKI-based public key encryption (PKE) ciphertext such that the PKI user can access the underlying data, meanwhile this PKI user can ensure the validity of the transformed ciphertext. By leveraging a key blinding technique and computing the commitment of the data, we construct two VHABPRE schemes to achieve flexible data sharing. We give formal security proofs and comprehensive performance evaluation to show the security and efficiency of the VHABPRE schemes.

xuejiao liu,yingjie xia,yang xiang,mohammad mehedi hassan,abdulhameed alelaiwi

DOI: https://doi.org/10.1109/SocialSec2015.13

2015-01-01

Abstract:Hybrid cloud is a widely used cloud architecture in large companies that can outsource data to the publiccloud, while still supporting various clients like mobile devices. However, such public cloud data outsourcing raises serious security concerns, such as how to preserve data confidentiality and how to regulate access policies to the data stored in public cloud. To address this issue, we design a hybrid cloud architecture that supports data sharing securely and efficiently, even with resource-limited devices, where private cloud serves as a gateway between the public cloud and the data user. Under such architecture, we propose an improved construction of attribute-based encryption that has the capability of delegating encryption/decryption computation, which achieves flexible access control in the cloud and privacy-preserving in datautilization even with mobile devices. Extensive experiments show the scheme can further decrease the computational cost and space overhead at the user side, which is quite efficient for the user with limited mobile devices. In the process of delegating most of the encryption/decryption computation to private cloud, the user can not disclose any information to the private cloud. We also consider the communication securitythat once frequent attribute revocation happens, our scheme is able to resist some attacks between private cloud and data user by employing anonymous key agreement.

Wenxiu Ding,Zheng Yan,Robert H. Deng

DOI: https://doi.org/10.1016/j.ins.2017.05.004

IF: 8.1

2017-10-01

Information Sciences

Abstract:Cloud computing offers various services to users by re-arranging storage and computing resources. In order to preserve data privacy, cloud users may choose to upload encrypted data rather than raw data to the cloud. However, processing and analyzing encrypted data are challenging problems, which have received increasing attention in recent years. Homomorphic Encryption (HE) was proposed to support computation on encrypted data and ensure data confidentiality simultaneously. However, a limitation of HE is it is a single user system, which means it only allows the party that owns a homomorphic decryption key to decrypt processed ciphertexts. Original HE cannot support multiple users to access the processed ciphertexts flexibly. In this paper, we propose a Privacy-Preserving Data Processing (PPDP) system with the support of a Homomorphic Re-Encryption Scheme (HRES). The HRES extends partial HE from a single-user system to a multi-user one by offering ciphertext re-encryption to allow multiple users to access processed ciphertexts. Through the cooperation of a Data Service Provider (DSP) and an Access Control Server (ACS), the PPDP system can support seven basic operations over ciphertexts, which include Addition, Subtraction, Multiplication, Sign Acquisition, Comparison, Equivalent Test, and Variance. To enhance the flexibility and security of our system, we further apply multiple ACSs to take in charge of the data from their own users and design computing operations over ciphertexts belonging to multiple ACSs. We then prove the security of PPDP, analyze its performance and advantages by comparing with some latest work, and demonstrate its efficiency and effectiveness through simulations with regard to big data process.

computer science, information systems

Wenjuan Tang,Ju Ren,Kuan Zhang,Deyu Zhang,Yaoxue Zhang,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1145/3341104

IF: 5

2019-01-01

ACM Transactions on Intelligent Systems and Technology

Abstract:Pervasive data collected from e-healthcare devices possess significant medical value through data sharing with professional healthcare service providers. However, health data sharing poses several security issues, such as access control and privacy leakage, as well as faces critical challenges to obtain efficient data analysis and services. In this article, we propose an efficient and privacy-preserving fog-assisted health data sharing (PFHDS) scheme for e-healthcare systems. Specifically, we integrate the fog node to classify the shared data into different categories according to disease risks for efficient health data analysis. Meanwhile, we design an enhanced attribute-based encryption method through combination of a personal access policy on patients and a professional access policy on the fog node for effective medical service provision. Furthermore, we achieve significant encryption consumption reduction for patients by offloading a portion of the computation and storage burden from patients to the fog node. Security discussions show that PFHDS realizes data confidentiality and fine-grained access control with collusion resistance. Performance evaluations demonstrate cost-efficient encryption computation, storage and energy consumption.

Jianfei Sun,Yangyang Bao,Weidong Qiu,Rongxing Lu,Songnian Zhang,Yunguo Guan,Xiaochun Cheng

DOI: https://doi.org/10.1109/tdsc.2024.3432650

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:The cloud-edge computing model has been expected to play a revolutionary role in promoting the quality of future generation large-scale Internet of Things (IoT) services. However, security and privacy in data sharing remain crucial issues hindering the success of cloud-edge IoT services. While some solutions based on attribute-based encryption (ABE) have been proposed to address these issues, they still face practical challenges such as attribute privacy leakage, resource-constrained devices, dynamic user groups, inflexible and inefficient service response. To address these challenges, this paper proposes a privacy-preserving fine-grained data sharing scheme with dynamic service (PF2DS), which implements access control by calculating the inner product between an attribute vector and an access vector. PF2DS is also capable of providing dynamic user group services through an efficient and indirect user revocation mechanism that periodically updates the key-embedded leaf nodes. Building on PF2DS, edge-assisted PF2DS (EPF2DS) delegates most of the operations to the edge device, which facilitates the performance of resource-constrained IoT devices. EPF2DS also supports efficient and asynchronous keyword search over the ciphertexts stored in the cloud. We demonstrate the security by the rigorous security proof. Both theoretical comparisons and experimental simulations demonstrate the practicality and superiority of our schemes over existing works.