Jianhong Zhang,Wenle Bai,Yuehai Wang

DOI: https://doi.org/10.1109/access.2019.2899828

IF: 3.9

2019-01-01

IEEE Access

Abstract:The Internet of Things (IoT) is the internetworking of terminal physical devices depends on application programming interfaces and sensors to be connected to the Internet for collecting and exchanging data. According to the characteristics of IoT, it can provide rich services for the terminal user. However, the centralized cloud computing-based storage architecture in IoT faces many challenges, such as data security, identity privacy, and high latency. To overcome these challenges, this paper introduces an IoT network storage architecture based on mobile edge computing, which not only achieves low-latency message response and computation offloading of the terminal user but also preserves identity-privacy of the terminal user. Afterward, we presented a novel non-interactive pairing-free ID-based proxy re-signature scheme (ID-PRS), which is a kernel technique to construct the aforementioned storage architecture. Compared with most of proxy re-signature schemes constructed based on traditional public-key-infrastructure, the proposed scheme avoids expensive pairing operation and intricate certificate-maintenance. And it is demonstrated to be provably secure under the classic security assumptions: integer factoring problem and the RSA assumption. Finally, in contrast to the other two ID-PRS schemes, the proposed ID-PRS scheme has more advantages in terms of security, functionability, and computation costs. Thus, it is very suitable to be applied to the resource-constrained mobile users.

Kwame Opuni-Boachie Obour Agyekum,Qi Xia,Emmanuel Boateng Sifah,Jianbin Gao,Hu Xia,Xiaojiang Du,Moshen Guizani

DOI: https://doi.org/10.3390/s19051235

2019-03-11

Abstract:Access and utilization of data are central to the cloud computing paradigm. With the advent of the Internet of Things (IoT), the tendency of data sharing on the cloud has seen enormous growth. With data sharing comes numerous security and privacy issues. In the process of ensuring data confidentiality and fine-grained access control to data in the cloud, several studies have proposed Attribute-Based Encryption (ABE) schemes, with Key Policy-ABE (KP-ABE) being the prominent one. Recent works have however suggested that the confidentiality of data is violated through collusion attacks between a revoked user and the cloud server. We present a secured and efficient Proxy Re-Encryption (PRE) scheme that incorporates an Inner-Product Encryption (IPE) scheme in which decryption of data is possible if the inner product of the private key, associated with a set of attributes specified by the data owner, and the associated ciphertext is equal to zero 0 . We utilize a blockchain network whose processing node acts as the proxy server and performs re-encryption on the data. In ensuring data confidentiality and preventing collusion attacks, the data are divided into two, with one part stored on the blockchain network and the other part stored on the cloud. Our approach also achieves fine-grained access control.

Yilei Wang,Dongjie Yan,Fagen Li,Hu Xiong

2017-01-01

Abstract:Proxy re-encryption (PRE) enables a semi-trusted proxy to delegate the decryption right by re-encrypting the ciphertext under the delegator’s public key to an encryption under the public key of delegatee. Fueled by the translation ability, PRE is regarded as a promising candidate to secure data sharing in a cloud environment. However, the security of the PRE will be totally destroyed in case the secret key of the delegator or the delegatee has been exposed. Despite the key exposure seems inevitable, the PRE scheme with resistance against secret key leakage has never been presented before. To deal with this intractable problem, we propose a key-insulated proxy reencryption (KIPRE) scheme by incorporating the mechanisms of PRE and key-insulated cryptosystem. In the proposed scheme, the lifetime of the secret key associated with the user, i.e., the delegator or the delegatee, has been divided into several periods. In each time period, the user can interact with his/her physically-secure but computation-limited helper to update his/her temporary secret key. On the contrary, the public keys of the users remained unchanged during the whole lifetime of the system. We then apply our KIPRE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds with resilience to the key exposure. The performance evaluation and the security analysis demonstrate that our scheme is efficient and practical.

Xian Yong Meng,Zhong Chen,Xiang Yu Meng,Bing Sun

DOI: https://doi.org/10.4028/www.scientific.net/amm.571-572.74

2014-01-01

Applied Mechanics and Materials

Abstract:In this paper, an identity-based conditional proxy re-encryption (PRE) scheme is proposed, where a delegator provides a re-encryption key satisfying one condition to a semi-trusted proxy who can convert a ciphertext encrypted under the delegator’s public key into one that can be decrypted using the delegatee’s private key. We address the identity-based proxy re-encryption scheme, where the delegator and the delegatee request keys from a trusted party known as a key generator center (KGC), who generates private keys for delegator and delegatee based on their identities. Meanwhile, the identity-based conditional proxy re-encryption scheme satisfies the properties of PRE including unidirectionality, non-interactivity and multi-hop. Additionally, the identity-based conditional proxy re-encryption scheme is efficient in terms of both the communication cost and the computing cost, and can realize security secret sharing in cloud computing environments.

Han-Yu Lin,Pei-Ru Chen

DOI: https://doi.org/10.3390/s24196290

2024-09-28

Abstract:As technology advances rapidly, a diverse array of Internet of Things (IoT) devices finds widespread application across numerous fields. The intelligent nature of these devices not only gives people more convenience, but also introduces new challenges especially in security when transmitting data in fog-based cloud environments. In fog computing environments, data need to be transmitted across multiple devices, increasing the risk of data being intercepted or tampered with during transmission. To securely share cloud ciphertexts, an alleged proxy re-encryption approach is a commonly adopted solution. Without decrypting the original ciphertext, such a mechanism permits a ciphertext intended for user A to be easily converted into the one intended for user B. However, to revoke the decryption privilege of data users usually relies on the system authority to maintain a user revocation list which inevitably increases the storage space. In this research, the authors come up with a fog-based proxy re-encryption system with revocable identity. Without maintaining the traditional user revocation list, the proposed scheme introduces a time-updated key mechanism. The time-update key could be viewed as a partial private key and should be renewed with different time periods. A revoked user is unable to obtain the renewed time-update key and hence cannot share or decrypt cloud ciphertexts. We formally demonstrate that the introduced scheme satisfies the security of indistinguishability against adaptively chosen identity and chosen plaintext attacks (IND-PrID-CPA) assuming the hardness of the Decisional Bilinear Diffie-Hellman (DBDH) problem in the random oracle model. Furthermore, compared with similar systems, the proposed one also has lower computational complexity as a whole.

Yingwen Chen,Bowen Hu,Hujie Yu,Zhimin Duan,Junxin Huang

DOI: https://doi.org/10.3390/electronics10192359

IF: 2.9

2021-09-27

Electronics

Abstract:The IoT devices deployed in various application scenarios will generate massive data with immeasurable value every day. These data often contain the user’s personal privacy information, so there is an imperative need to guarantee the reliability and security of IoT data sharing. We proposed a new encrypted data storing and sharing architecture by combining proxy re-encryption with blockchain technology. The consensus mechanism based on threshold proxy re-encryption eliminates dependence on the third-party central service providers. Multiple consensus nodes in the blockchain network act as proxy service nodes to re-encrypt data and combine converted ciphertext, and personal information will not be disclosed in the whole procedure. That eliminates the restrictions of using decentralized network to store and distribute private encrypted data safely. We implemented a lot of simulated experiments to evaluate the performance of the proposed framework. The results show that the proposed architecture can meet the extensive data access demands and increase a tolerable time latency. Our scheme is one of the essays to utilize the threshold proxy re-encryption and blockchain consensus algorithm to support IoT data sharing.

engineering, electrical & electronic,computer science, information systems,physics, applied

Abdalla Hadabi,Zheng Qu,Rashad Elhabob,Sachin Kumar,Kuo-Hui Yeh,Saru Kumari,Hu Xiong

DOI: https://doi.org/10.1016/j.compeleceng.2024.109164

IF: 4.152

2024-03-18

Computers & Electrical Engineering

Abstract:Digital Twin (DT) technology has emerged as a robust mechanism for overseeing and improving the lifecycle processes of the Industrial Internet of Things (IIoT) by creating their virtual counterparts. The widespread employment of cloud computing is apparent in delivering computational and storage services for the DT within the IIoT environment. Ensuring the confidentiality of DT data is crucial since data owners, cloud service providers, and users operate across separate trust domains. Accordingly, public key encryption is a viable solution for managing access. However, traditional public key encryption encounters challenges in achieving effective search and secure sharing of encrypted DT data in the cloud. This paper introduces a proxy re-encryption scheme with plaintext checkable encryption for data access control (PRE-IBSC-PCE), which addresses the challenges associated with searching for and sharing encrypted digital twin data in the cloud. The PRE-IBSC-PCE achieves efficient data search and sharing while ensuring privacy, integrity, non-repudiation, and authenticity. Meanwhile, we prove that PRE-IBSC-PCE is secure under the decisional bilinear Diffie–Hellman assumption in the random oracle model. Lastly, when compared to similar schemes, the performance analysis of the PRE-IBSC-PCE is more efficient and suitable for DT applications in IIoT.

engineering, electrical & electronic,computer science, interdisciplinary applications, hardware & architecture

Jialu Hao,Cheng Huang,Jian Liu,Ming Xian,Xuemin (Sherman) Shen

DOI: https://doi.org/10.1109/glocom.2018.8647659

2018-01-01

Abstract:Data owners have benefited significantly from cloud computing for managing the numerous data produced by massive devices in various Internet of Things (IoT) applications, such as smart home and electronic healthcare. On the other hand, fine-grained access control on outsourced data is a big concern for data owners, after they lose physical control over their data. Key-policy attribute-based encryption (KP-ABE), which provides data confidentiality and fine-grained data access control simultaneously, can be naturally introduced in this cloud-based IoT paradigm. However, the primitive KP-ABE cannot achieve efficient data access control with flexible user revocation. In this paper, we propose an efficient and fine-grained data access control scheme based on the proxy re-encryption and key blinding techniques for cloud-based IoT. With the scheme, the decryption capability of misbehaving users can be efficiently revoked to prevent data disclosure. In addition, most of the costly update operations over ciphertexts and keys due to user revocation, are delegated to the cloud. Extensive experiment results demonstrate that our scheme is more efficient than existing solutions in terms of computation and communication overheads.

Yuyang Zhou,Liang Zhao,Yuqiao Jin,Fagen Li

DOI: https://doi.org/10.1016/j.ins.2022.05.007

IF: 8.1

2022-08-01

Information Sciences

Abstract:The wireless body area network (WBAN) provides users with real-time medical services. Meanwhile, the cloud technology provides greater storage space and computing power for medical data. Both of them have contribute to the development of telemedicine. In a cloud-assisted WBAN, the open network environment and the semi-trust cloud service providers expose the user’s private medical data to backdoor adversaries who can make exfiltration attacks, such as the algorithm substitution attack (ASA) through the process of data sharing. Therefore, it is necessary to find a secure and efficient medical data sharing scheme for the huge amount of medical data. In this paper, we first design an identity-based proxy re-encryption scheme with cryptographic reverse firewall (IBPRE-CRF), then show the application in a multiple-access telemedicine data sharing scenario. Security analysis shows that the IBPRE-CRF scheme provides chosen plaintext attack security and resists exfiltration attacks. Performance analysis shows that the IBPRE-CRF scheme has a significant communication and computational cost advantage while being resistant to exfiltration attacks in clouds. Therefore, our IBPRE-CRF scheme is suitable for telemedicine data sharing in a cloud-assisted WBAN.

computer science, information systems

Jiahao Liu,Junjian Li,Ruoyu Wang,Chao Li,Wuhao Xia

DOI: https://doi.org/10.1109/DSC59305.2023.00028

2023-08-18

Abstract:In today's digital economy, data sharing has become imperative for advancing economic growth and technology development, as multi-party collaboration requires secure data exchange. During data sharing, upholding data security and privacy is paramount. However, existing data sharing solutions mostly rely on cloud storage and transfer, which have risks of single-point failure and compromise privacy and security. To tackle these challenges, we propose a novel solution that leverages proxy re-encryption and digital watermarking technologies, and employs blockchain to achieve equivalent access control functions based on the cloud environment, thereby mitigating the single point of failure issue. Moreover, our solution can effectively prevent data requesters from illegally sharing data with others. If any requester leaks data without authorization, we can trace the source based on the watermark embedded in the leaked data. In summary, our proposed solution enables more secure and privacy-preserving data sharing, which can potentially benefit a wide range of data sharing applications.

Computer Science,Engineering

Xin Qian,Zhen Yang,Shihui Wang,Yongfeng Huang

DOI: https://doi.org/10.1007/978-3-030-24274-9_8

2019-01-01

Abstract:To protect data sharing from leakage in untrusted cloud, proxy re-encryption is commonly exploited for access control. However, most proposed schemes require bilinear pair to attain secure data sharing, which gives too heavy burden on the data owner. In this paper, we propose a novel lightweight proxy re-encryption scheme without pairing. Our scheme builds the pre-encryption algorithm based on computational Diffie–Hellman problem, and designs a certificateless protocol based on a semi-trusted Key Generation Center. Theoretical analysis proves that our scheme is Chosen-Ciphertext-Attack secure. The performance is also shown to achieve less computation burden for the data owner compared with the state-of-the-art.

Ling Liu,Yuqing Zhang,Xuejun Li

DOI: https://doi.org/10.1109/tcc.2018.2869333

IF: 5.697

2021-04-01

IEEE Transactions on Cloud Computing

Abstract:Deduplication, which can save storage cost by enabling us to store only one copy of identical data, becomes unprecedentedly significant with the dramatic increase in data stored in the cloud. For the purpose of ensuring data confidentiality, they are usually encrypted before outsourced. Traditional encryption will inevitably result in multiple different ciphertexts produced from the same plaintext by different users’ secret keys, which hinders data deduplication. Convergent encryption makes deduplication possible since it naturally encrypts the same plaintexts into the same ciphertexts. One attendant problem is how to reliably and effectively manage a huge number of convergent keys. Several deduplication schemes have been proposed to deal with the convergent key management problem. However, they either need to introduce key management servers or require interaction between data owners. In this paper, we design a novel client-side deduplication protocol named KeyD without such an independent key management server by utilizing the identity-based broadcast encryption (IBBE) technique. Users only interact with the cloud service provider (CSP) during the process of data upload and download. Security analysis demonstrates that KeyD ensures data confidentiality and convergent key security, and well protects the ownership privacy simultaneously. A thorough and detailed performance comparison shows that our scheme makes a better tradeoff among the storage cost, communication and computation overhead.

computer science, information systems, theory & methods

Lu Yan,Haozhe Qin,Kexin Yang,Heye Xie,Xu An Wang,Shuanggen Liu

DOI: https://doi.org/10.3390/electronics13030534

IF: 2.9

2024-01-29

Electronics

Abstract:The popularity of secure cloud data sharing is on the rise, but it also comes with significant concerns about privacy violations and data tampering. While existing Proxy Re-Encryption (PRE) schemes effectively protect data in the cloud, challenges persist with certificate administration and key escrow. Moreover, the increasing number of users and prevalence of lightweight devices demand functional and cost-effective solutions. To address these issues, this paper presents a novel Pairing-free Certificate-Based Proxy Re-Encryption Plus scheme that leverages elliptic curve groups for improved effectiveness and performance. This scheme successfully resolves challenges related to certificate management and key escrow in traditional PRE schemes, while also introducing non-transferable and message-level fine-grained control characteristics. These enhancements bolster data security during sharing and minimize the risk of malicious information leakage. Our proposed scheme's correctness, security, and effectiveness are rigorously verified and analyzed. The results demonstrate that the scheme achieves the chosen ciphertext security in the random oracle model. Compared to current PRE schemes, our approach offers greater advantages, lower computational overhead, and enhanced suitability for practical cloud computing applications.

engineering, electrical & electronic,computer science, information systems,physics, applied

Song Luo,Qingni Shen,Zhong Chen

DOI: https://doi.org/10.1007/978-3-642-31912-9_8

2011-01-01

Abstract:Proxy re-encryption (PRE) allows the proxy to translate a ciphertext encrypted under Alice's public key into another ciphertext that can be decrypted by Bob's secret key. Identity-based proxy re-encryption (IB-PRE) is the development of identity-based encryption and proxy re-encryption, where ciphertexts are transformed from one identity to another. In this paper, we propose two novel unidirectional identity-based proxy re-encryption schemes, which are both non-interactive and proved secure in the standard model. The first scheme is a single-hop IB-PRE scheme and has master secret security, allows the encryptor to decide whether the ciphertext can be re-encrypted. The second scheme is a multi-hop IB-PRE scheme which allows the ciphertext re-encrypted multiple times but without the size of ciphertext growing linearly as previous multi-hop IB-PRE schemes.

Ismail Keshta,Yassine Aoudni,Mukta Sandhu,Abha Singh,Pardayev Abdunabi Xalikovich,Ali Rizwan,Mukesh Soni,Sachin Lalar

DOI: https://doi.org/10.1016/j.phycom.2023.102048

IF: 2.379

2023-03-11

Physical Communication

Abstract:The blockchain stores transaction data in a distributed shared global ledger. It is challenging to strike a balance between privacy protection and usefulness while sharing data. Moreover, the dynamic adjustment of blockchain data access rights is a challenging problem. To this end, this paper suggests a blockchain data-controlled sharing scheme based on proxy re-encryption. First, a proxy re-encryption algorithm is constructed based on SM2 and the blockchain. Blockchain data sharing can give businesses a secure way to store and share data. Since this network is decentralized, and data is transmitted across a peer-to-peer network under the protection of an unchangeable cryptographic signature. Blockchain makes it more difficult to alter or hack the data. The data-controlled sharing scheme uses proxy re-encryption to protect transaction data privacy and realize data security sharing. Secondly, a dynamic adjustment mechanism for user rights is proposed. Blockchain nodes divide labor and manage re-encryption key parameters separately to achieve user access rights determinism Update, the visibility of transaction data is dynamically adjusted. Finally, the performance and security evaluation demonstrate that this scheme can realize the dynamic sharing of blockchain data while protecting transaction privacy and has advantages in computing overhead, which is better applicable to the Controlled sharing of blockchain data. This research suggests a regulated blockchain-based data-sharing system that makes use of proxy re-encryption. They are developing a proxy re-encryption algorithm with SM2 in order to fully safeguard the privacy of transaction data and to achieve data access authority determination by controlling proxy re-encryption key parameters. It is suggested to employ a hybrid attribute-based proxy re-encryption method that enables the proxy server to change attribute-encrypted cypher texts into identity-based encrypted cypher texts so that users with limited resources can access the previously encrypted material.

telecommunications,engineering, electrical & electronic

Xiuxia Tian,Ling Huang,Tony Wu,Xiaoling Wang,Aoying Zhou

DOI: https://doi.org/10.1109/icde.2016.7498383

2016-05-01

Abstract:Outsourcing keys (including passwords and data encryption keys) to professional password managers (honest-but-curious service providers) is attracting more and more attention from the researchers and users in the era of cloud computing. However, existing solutions in traditional data outsourcing scenario are unable to simultaneously meet the following three security requirements for keys outsourcing: 1)Confidentiality and privacy of keys; 2)Search privacy on identity attributes tied to keys; 3)Owner controllable authorization over his/her shared keys. In this paper, we propose CloudKeyBank, the first unified key management framework that addresses all the three goals above. To implement CloudKeyBank efficiently, we propose a new cryptographic primitive named Searchable Conditional Proxy Re-Encryption (SC-PRE) which combines the techniques of Hidden Vector Encryption (HVE) and Proxy Re-Encryption (PRE) seamlessly.

Chunhua Jin,Zhiwei Chen,Wenyu Qin,Kaijun Sun,Guanhua Chen,Liqing Chen

DOI: https://doi.org/10.1002/nem.2305

2024-10-09

International Journal of Network Management

Abstract:As the internet of vehicles (IoV) technology develops, it promotes the intelligent interaction among vehicles, roadside units, and the environment. Nevertheless, it also brings vehicle information security challenges. In recent years, vehicle data sharing is suffering to algorithm substitution attacks (ASA), which means backdoor adversaries can carry out filtering attacks through data sharing. Therefore, this paper designs a blockchain‐based proxy re‐encryption (PRE) scheme with cryptographic reverse firewall (BIBPR‐CRF) for IoV. In our proposal, CRF can promise the internal safety of vehicle units. More specifically, it can prevent ASA attacks while ensuring chosen plaintext attack (CPA)‐security. Meanwhile, the PRE algorithm can provide the confidential sharing and secure operation of data. Moreover, we use a consortium blockchain service center (CBSC) to store the first ciphertext and re‐encrypt it with smart contracts on the blockchain, which can avoid single point of failure and achieve higher efficiency compared to proxy servers. Finally, we evaluate the performance of BIBPR‐CRF with regard to communication cost, computational cost, and energy consumption. Our proposal is the most fitting for IoV application, in contrast with the other three schemes.

computer science, information systems,telecommunications

Kaiping Xue,Peilin Hong

DOI: https://doi.org/10.1109/tcc.2014.2366152

IF: 5.697

2014-01-01

IEEE Transactions on Cloud Computing

Abstract:With the popularity of group data sharing in public cloud computing, the privacy and security of group sharing data have become two major issues. The cloud provider cannot be treated as a trusted third party because of its semi-trust nature, and thus the traditional security models cannot be straightforwardly generalized into cloud based group sharing frameworks. In this paper, we propose a novel secure group sharing framework for public cloud, which can effectively take advantage of the cloud servers' help but have no sensitive data being exposed to attackers and the cloud provider. The framework combines proxy signature, enhanced TGDH and proxy re-encryption together into a protocol. By applying the proxy signature technique, the group leader can effectively grant the privilege of group management to one or more chosen group members. The enhanced TGDH scheme enables the group to negotiate and update the group key pairs with the help of cloud servers, which does not require all of the group members been online all the time. By adopting proxy re-encryption, most computationally intensive operations can be delegated to cloud servers without disclosing any private information. Extensive security and performance analysis shows that our proposed scheme is highly efficient and satisfies the security requirements for public cloud based secure group sharing.

Bruno Rodrigues,Ivone Amorim,Ivan Costa,Alexandra Mendes

2023-07-04

Abstract:The exponential growth in the digitisation of services implies the handling and storage of large volumes of data. Businesses and services see data sharing and crossing as an opportunity to improve and produce new business opportunities. The health sector is one area where this proves to be true, enabling better and more innovative treatments. Notwithstanding, this raises concerns regarding personal data being treated and processed. In this paper, we present a patient-centric platform for the secure sharing of health records by shifting the control over the data to the patient, therefore, providing a step further towards data sovereignty. Data sharing is performed only with the consent of the patient, allowing it to revoke access at any given time. Furthermore, we also provide a break-glass approach, resorting to Proxy Re-encryption (PRE) and the concept of a centralised trusted entity that possesses instant access to patients' medical records. Lastly, an analysis is made to assess the performance of the platform's key operations, and the impact that a PRE scheme has on those operations.

Cryptography and Security

Cui Li,Rongmao Chen,Yi Wang,Qianqian Xing,Baosheng Wang

DOI: https://doi.org/10.1109/tdsc.2024.3353811

2024-01-01

IEEE Transactions on Dependable and Secure Computing

Abstract:To address the confidentiality concerns of malicious adversaries that fully compromise the message broker in pub/sub based IoT systems, several researchers use proxy re-encryption (PRE) to realize end-to-end encrypted message distribution (from publisher to subscriber). However, the all-or-nothing share feature of PRE poses a problem that the share cannot be efficiently revoked. The only way for publishers to revoke the access rights of subscribers is to pick a new public-private key pair and re-generate the re-encryption keys for all the remaining subscribers, which hampers the scalability in practice. To realize efficient user revocation, we present REEDS, an efficient revocable end-to-end encrypted message distribution system for IoT. The core of REEDS is a novel proxy-aided identity-based conditional proxy re-encryption (PIB-CPRE) scheme. Essentially, we use a binary-tree structure to organize re-encryption keys, so that the update of re-encryption keys is reduced from linear to logarithmic in the number of subscribers. We show that REEDS satisfies confidentiality, efficient immediate revocation, decentralized authorization, and maintains low overhead for publishers and subscribers. The prototype system is implemented and its performance is evaluated. The results show that REEDS is not only easy to deploy over existing message brokers but also highly efficient.

computer science, information systems, software engineering, hardware & architecture