Jin Li,Yinghui Zhang,Xiaofeng Chen,Yang Xiang

DOI: https://doi.org/10.1016/j.cose.2017.08.007

IF: 5.105

2017-01-01

Computers & Security

Abstract:Data sharing becomes an exceptionally attractive service supplied by cloud computing platforms because of its convenience and economy. As a potential technique for realizing fine-grained data sharing, attribute-based encryption (ABE) has drawn wide attentions. However, most of the existing ABE solutions suffer from the disadvantages of high computation overhead and weak data security, which has severely impeded resource-constrained mobile devices to customize the service. The problem of simultaneously achieving fine-grainedness, high-efficiency on the data owner's side, and standard data confidentiality of cloud data sharing actually still remains unresolved. This paper addresses this challenging issue by proposing a new attribute-based data sharing scheme suitable for resource-limited mobile users in cloud computing. The proposed scheme eliminates a majority of the computation task by adding system public parameters besides moving partial encryption computation offline. In addition, a public ciphertext test phase is performed before the decryption phase, which eliminates most of computation overhead due to illegitimate ciphertexts. For the sake of data security, a Chameleon hash function is used to generate an immediate ciphertext, which will be blinded by the offline ciphertexts to obtain the final online ciphertexts. The proposed scheme is proven secure against adaptively chosen-ciphertext attacks, which is widely recognized as a standard security notion. Extensive performance analysis indicates that the proposed scheme is secure and efficient.

Li Kang,Leyou Zhang

2020-01-01

Abstract:The huge storage space and powerful computing power make cloud servers be the best place for people to store data. However, convenience comes with the risk of data leakage as the cloud servers are not completely reliable. To ensure data confidentiality and user privacy, decentralized attribute-based encryption (ABE) can provide a solu-tion. Nevertheless, most of existing works cannot provide a complete method since there are some vulnerabilities in users’ collusion resilience and privacy protection. In this paper, a decentralized ciphertext-policy (CP) ABE scheme is proposed for the secure sharing of data. In the proposed scheme, without requiring any cooperation and knowing users’ global identifiers (GID), authorities can issue private keys for users independently through a privacy-preserving key generation protocol. Additionally, this scheme supports policy anonymity. The security of the proposed scheme is reduced to the decisional bilinear Diffie-Hellman (DBDH) assumption. Theoretical analysis and performance evaluations illustrate the efficiency of the scheme.

Jie Cui,Bei Li,Hong Zhong,Geyong Min,Yan Xu,Lu Liu

DOI: https://doi.org/10.1109/TPDS.2021.3094126

IF: 5.3

2022-01-01

IEEE Transactions on Parallel and Distributed Systems

Abstract:The cloud computing paradigm provides numerous tempting advantages, enabling users to store and share their data conveniently. However, users are naturally resistant to directly outsourcing their data to the cloud since the data often contain sensitive information. Although several fine-grained access control schemes for cloud-data sharing have been proposed, most of them focus on the access control of the encrypted data (e.g., restricting the decryption capabilities of the receivers). Distinct from the existing work, this article aims to address this challenging problem by developing a more practical bidirectional fine-grained access control scheme that can restrict the capabilities of both senders and receivers. To this end, we systematically investigate the access control for cloud data sharing. Inspired by the access control encryption (ACE), we propose a novel data sharing framework that combines the cloud side and the edge side. The edge server is located in the middle of all the communications, checking and preventing illegal communications according to the predefined access policy. Next, we develop an efficient access control algorithm by exploiting the attribute-based encryption and proxy re-encryption for the proposed framework. The experimental results show that our scheme exhibits superior performance in the encryption and decryption compared to the prior work.

Qinlong Huang,Yixian Yang,Mansuo Shen

DOI: https://doi.org/10.1016/j.future.2016.09.021

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:With the increasing trend of outsourcing data to the cloud for efficient data storage, secure data collaboration service including data read and write in cloud computing is urgently required. However, it introduces many new challenges toward data security. The key issue is how to afford secure write operation on ciphertext collaboratively, and the other issues include difficulty in key management and heavy computation overhead on user since cooperative users may read and write data using any device. In this paper, we propose a secure and efficient data collaboration scheme, in which fine-grained access control of ciphertext and secure data writing operation can be afforded based on attribute-based encryption (ABE) and attribute-based signature (ABS) respectively. In order to relieve the attribute authority from heavy key management burden, our scheme employs a full delegation mechanism based on hierarchical attribute-based encryption (HABE). Further, we also propose a partial decryption and signing construction by delegating most of the computation overhead on user to cloud service provider. The security and performance analysis show that our scheme is secure and efficient.

Huang Qinlong,Ma Zhaofeng,Yang Yixian,Fu Jingyi,Niu Xinxin

DOI: https://doi.org/10.1049/cje.2015.10.033

IF: 1.019

2015-01-01

Chinese Journal of Electronics

Abstract:Ciphertext-policy attribute-based encryption（CP-ABE） is becoming a promising solution to guarantee data security in cloud computing. In this paper,we present an attribute-based secure data sharing scheme with Efficient revocation（EABDS） in cloud computing.Our scheme first encrypts data with Data encryption key（DEK） using symmetric encryption and then encrypts DEK based on CP-ABE, which guarantees the data confidentiality and achieves fine-grained access control. In order to solve the key escrow problem in current attribute based data sharing schemes, our scheme adopts additively homomorphic encryption to generate attribute secret keys of users by attribute authority in cooperation with key server, which prevents attribute authority from accessing the data by generating attribute secret keys alone.Our scheme presents an immediate attribute revocation method that achieves both forward and backward security.The computation overhead of user is also reduced by delegating most of the decryption operations to the key server.The security and performance analysis results show that our scheme is more secure and efficient.

Ke Han,Qingbo Li,Zhongliang Deng

DOI: https://doi.org/10.1016/j.chaos.2016.02.010

IF: 9.922

2016-01-01

Chaos Solitons & Fractals

Abstract:With the adoption and diffusion of data sharing paradigm in cloud storage, there have been increasing demands and concerns for shared data security. Ciphertext Policy Attribute-Based Encryption (CP-ABE) is becoming a promising cryptographic solution to the security problem of shared data in cloud storage. However due to key escrow, backward security and inefficiency problems, existing CP-ABE schemes cannot be directly applied to cloud storage system. In this paper, an effective and secure access control scheme for shared data is proposed to solve those problems. The proposed scheme refines the security of existing CP-ABE based schemes. Specifically, key escrow and conclusion problem are addressed by dividing key generation center into several distributed semi-trusted parts. Moreover, secrecy revocation algorithm is proposed to address not only back secrecy but efficient problem in existing CP-ABE based scheme. Furthermore, security and performance analyses indicate that the proposed scheme is both secure and efficient for cloud storage.

Qinlong Huang,Nan Li,Yixian Yang

DOI: https://doi.org/10.1109/glocom.2018.8648113

2018-01-01

Abstract:Data collaboration is more and more popular in cloud computing. In a typical collaboration scenario, data owner outsources the data to cloud platforms, and users can access and re-upload the data. In consideration of the semi-trusted cloud platform, attribute-based encryption (ABE) has been utilized to guarantee data confidentiality and fine-grained access control. However, how to allow the collaborative data to be accessed only by authorized users in a flexible and dynamic manner is a challenging problem. In this paper, we propose DACSC, a dynamic and fine-grained access control scheme for secure data collaboration in cloud computing. First of all, we adopt ciphertext-policy ABE technique to define the original access policy of outsourced data. Second, we introduce a tree-based policy extending framework which allows users who satisfy the original access policy to customize a new access policy and add it to current access policies in a non-restrictive or restrictive way. Furthermore, we achieve integrity checking during the policy extending procedure based on ABE with equality test algorithm, which ensures that the added access policy comes from authorized user. The security analysis and experimental results indicate that DACSC is secure and efficient, and is suitable for the data collaboration scenario in cloud computing.

Haifeng Li,Caihui Lan,Xingbing Fu,Caifen Wang,Fagen Li,He Guo

DOI: https://doi.org/10.3390/s20174720

IF: 3.9

2020-01-01

Sensors

Abstract:With the explosion of various mobile devices and the tremendous advancement in cloud computing technology, mobile devices have been seamlessly integrated with the premium powerful cloud computing known as an innovation paradigm named Mobile Cloud Computing (MCC) to facilitate the mobile users in storing, computing and sharing their data with others. Meanwhile, Attribute Based Encryption (ABE) has been envisioned as one of the most promising cryptographic primitives for providing secure and flexible fine-grained “one to many” access control, particularly in large scale distributed system with unknown participators. However, most existing ABE schemes are not suitable for MCC because they involve expensive pairing operations which pose a formidable challenge for resource-constrained mobile devices, thus greatly delaying the widespread popularity of MCC. To this end, in this paper, we propose a secure and lightweight fine-grained data sharing scheme (SLFG-DSS) for a mobile cloud computing scenario to outsource the majority of time-consuming operations from the resource-constrained mobile devices to the resource-rich cloud servers. Different from the current schemes, our novel scheme can enjoy the following promising merits simultaneously: (1) Supporting verifiable outsourced decryption, i.e., the mobile user can ensure the validity of the transformed ciphertext returned from the cloud server; (2) resisting decryption key exposure, i.e., our proposed scheme can outsource decryption for intensive computing tasks during the decryption phase without revealing the user’s data or decryption key; (3) achieving a CCA security level; thus, our novel scheme can be applied to the scenarios with higher security level requirement. The concrete security proof and performance analysis illustrate that our novel scheme is proven secure and suitable for the mobile cloud computing environment.

Leyou Zhang,Yilei Cui,Yi Mu

DOI: https://doi.org/10.1109/JSYST.2019.2911391

IF: 4.802

2020-01-01

IEEE Systems Journal

Abstract:Data sharing is a convenient and economic service supplied by cloud computing. Data contents privacy also emerges from it since the data is outsourced to some cloud servers. To protect the valuable and sensitive information, various techniques are used to enhance access control on the shared data. In these techniques, Ciphertext-policy attribute-based encryption (CP-ABE) can make it more convenient and secure. Traditional CP-ABE focuses on data confidentiality merely, while the user's personal privacy protection is an important issue at present. CP-ABE with hidden access policy ensures data confidentiality and guarantees that user's privacy is not revealed as well. However, most of the existing schemes are inefficient in communication overhead and computation cost. Moreover, most of those works take no consideration about authority verification or the problem of privacy leakage in authority verification phase. To tackle the problems mentioned above, a privacy preserving CP-ABE scheme with efficient authority verification is introduced in this paper. Additionally, the secret keys of it achieve constant size. Meanwhile, the proposed scheme achieves the selective security under the decisional n-BDHE problem and decisional linear assumption. The computational results confirm the merits of the presented scheme.

Yingjie Xue,Kaiping Xue,Na Gai,Jianan Hong,David S. L. Wei,Peilin Hong

DOI: https://doi.org/10.1109/tifs.2019.2911166

IF: 7.231

2019-01-01

IEEE Transactions on Information Forensics and Security

Abstract:In public cloud storage services, data are outsourced to semi-trusted cloud servers which are outside of data owners' trusted domain. To prevent untrustworthy service providers from accessing data owners' sensitive data, outsourced data are often encrypted. In this scenario, conducting access control over these data becomes a challenging issue. Attribute-based encryption (ABE) has been proved to be a powerful cryptographic tool to express access policies over attributes, which can provide a fine-grained, flexible, and secure access control over outsourced data. However, the existing ABE-based access control schemes do not support users to gain access permission by collaboration. In this paper, we explore a special attribute-based access control scenario where multiple users having different attribute sets can collaborate to gain access permission if the data owner allows their collaboration in the access policy. Meanwhile, the collaboration that is not designated in the access policy should be regarded as a collusion and the access request will be denied. We propose an attribute-based controlled collaborative access control scheme through designating translation nodes in the access structure. Security analysis shows that our proposed scheme can guarantee data confidentiality and has many other critical security properties. Extensive performance analysis shows that our proposed scheme is efficient in terms of storage and computation overhead.

Yang Chen,Wenmin Li,Fei Gao,Wei Yin,Kaitai Liang,Hua Zhang,Qiaoyan Wen

DOI: https://doi.org/10.1093/comjnl/bxz052

2019-01-01

Abstract:Online data sharing has become a research hotspot while cloud computing is getting more and more popular. As a promising encryption technique to guarantee the security shared data and to realize flexible fine-grained access control, ciphertext-policy attribute-based encryption (CP-ABE) has drawn wide attentions. However, there is a drawback preventing CP-ABE from being applied to cloud applications. In CP-ABE, the access structure is included in the ciphertext, and it may disclose user's privacy. In this paper, we find a more efficient method to connect ABE with inner product encryption and adopt several techniques to ensure the expressiveness of access structure, the efficiency and security of our scheme. We are the first to present a secure, efficient fine-grained access control scheme with hidden access structure, the access structure can be expressed as AND-gates on multi-valued attributes with wildcard. We conceal the entire attribute instead of only its values in the access structure. Besides, our scheme has obvious advantages in efficiency compared with related schemes. Our scheme can make data sharing secure and efficient, which can be verified from the analysis of security and performance.

Zhusong Liu,Hongyang Yan,Zhiqiang Lin,Lingling Xu

DOI: https://doi.org/10.3217/jucs-021-03-0454

2015-01-01

Abstract:Cloud computing is an emerging computing paradigm that can provide storage resources and computing capacities services over the Internet. However, some new security issues arise when users' sensitive data are outsourced and shared in untrusted cloud. The traditional techniques to protect the confidentiality of sensitive data stored in cloud are encryption and related cryptographic tools. And the corresponding private keys to access and decrypt the files are disclosed to only authorized users. However, these traditional solutions are not scalable because the computational cost of encryption and other access control is heavy for devices with limited computation ability.In this paper, we present a new way to implement scalable and fine-grained access control systems, which can be applied for big data in untrusted cloud computing environment. The solution is based on symmetric, efficient broadcast encryption and fine-grained attribute-based encryption (ABE). In this access control system, users are able to join and revoked with broadcast encryption. An outsourced Hierarchical ABE scheme is first proposed in this paper to construct the access control system. The security analysis is also presented under the security model.

Jianghong Wei,Xinyi Huang,Wenfen Liu,Xuexian Hu

DOI: https://doi.org/10.1142/s0129054117500289

2017-01-01

International Journal of Foundations of Computer Science

Abstract:Cloud storage greatly facilitates both individuals and organizations to share data over the Internet. However, there are several security issues that impede to outsource their data. Among various approaches introduced to overcome these issues, attribute-based encryption (ABE) provides secure and flexible access control on shared data, and thus is rather promising. But the original ABE is not adaptable to some special circumstances, where attributes are organized in a hierarchical structure, such as enterprises and official institutions. On the other hand, although the wide use of mobile devices enables users to conveniently access shared data anywhere and anytime, this also increases the risk of key exposure, which will result into unwanted exposure of the shared data. In this paper, we extend the functionality of the original ABE and enhance its security by providing key generation delegation and forward security. Consequently, the enhanced ABE meets applications of large organizations with hierarchies and minimizes the damage in the case of unexpected key exposures. Specifically speaking, we present a forward-secure ciphertext-policy hierarchical attribute-based encryption scheme in prime order bilinear groups, as a core building of attribute-based data sharing scheme. The security of the proposed scheme is proven in the standard model. We conduct experiments to demonstrate its efficiency and practicability.

Jianwei Chen,Huadong Ma

DOI: https://doi.org/10.1109/CLOUD.2014.74

2014-01-01

Abstract:Along with a large amount of data being outsourced to the cloud, it is imperative to enforce a secure, efficient and privacy-aware access control scheme on the cloud. Decentralized Attribute-based Encryption (ABE) is a variant of multi-authority ABE scheme which is regarded as being more suited to access control in a large-scale cloud. Constructing a decentralized ABE scheme should not need a central Attribute Authority (AA) and any cooperative computing, where most schemes are not efficient enough. Moreover, they introduced a Global Identifier (GID) to resist the collusion attack from users, but corrupt AAs can trace a user by his GID, resulting in the leakage of the user's identity privacy. In this paper, we design a privacy-preserving decentralized access control framework for cloud storage systems, and propose a decentralized CP-ABE access control scheme with the privacy preserving secret key extraction. Our scheme does not require any central AA and coordination among multi-authorities. We adopt Pedersen commitment scheme and oblivious commitment based envelope protocols as the main cryptographic primitives to address the privacy problem, thus the users receive secret keys only for valid identity attributes while the AAs learn nothing about the attributes. Our theoretical analysis and extensive experiment demonstrate the presented scheme's security strength and effectiveness in terms of scalability, computation and storage.

Kai Fan,Qiang Pan,Junxiong Wang,Tingting Liu,Hui Li,Yintang Yang

DOI: https://doi.org/10.1109/edge.2018.00019

2018-01-01

Abstract:With the development of Internet technology, the demand for openness and sharing of information in the network grows rapidly. Data sharing in one domain can not satisfy users' requirement. What a user needs may be the data in another management domain, so there is an urgent need for a secure way to share data among different domains. At present, some web technology (JSONP, server proxy, cross frame and so on) and attribute-based encryption (ABE) are main methods to solve cross-domain sharing. The main problem cross-domain sharing face is security of data and authentication among different domains. In edge computing model, the cloud service provider is a trust root which links all the edge computing nodes together. Edge computing node is the administrator of one domain, and responsible for data transmission and processing. In this paper, we propose a secure way to share data among different domains by edge computing model, we regard the edge computing node and managed edge equipment as a domain, and all the domains are linked together by the cloud, it is easy to solve the problem of authentication among different domains in this way. Meanwhile, RSA algorithm and ciphertext-policy attribute-based encryption (CP-ABE) are used to ensure the confidentiality of the information and one-to-many sharing of data. Finally, analysis shows that our scheme is secure.

Xin Dong,Jiadi Yu,Yuan Luo,Yingying Chen,Guangtao Xue,Minglu Li

DOI: https://doi.org/10.1016/j.cose.2013.12.002

IF: 5.105

2014-01-01

Computers & Security

Abstract:Data sharing in the cloud, fueled by favorable trends in cloud technology, is emerging as a promising technique for allowing users to conveniently access data. However, the growing number of enterprises and customers who stores their data in cloud servers is increasingly challenging users' privacy and the security of data. This paper focuses on providing a dependable and secure cloud data sharing service that allows users dynamic access to their data. In order to achieve this, we propose an effective, scalable and flexible privacy-preserving data policy with semantic security, by utilizing ciphertext policy attribute-based encryption (CP-ABE) combined with identity-based encryption (IBE) techniques. In addition to ensuring robust data sharing security, our policy succeeds in preserving the privacy of cloud users and supports efficient and secure dynamic operations including, but not limited to, file creation, user revocation and modification of user attributes. Security analysis indicates that the proposed policy is secure under the generic bilinear group model in the random oracle model and enforces fine-grained access control, full collusion resistance and backward secrecy. Furthermore, performance analysis and experimental results show that the overheads are as light as possible.

Ti Wang,Yongbin Zhou,Hui Ma,Rui Zhang

DOI: https://doi.org/10.1155/2022/1867584

IF: 1.968

2022-01-01

Security and Communication Networks

Abstract:As a promising service paradigm, cloud computing has attracted lots of enterprises and individuals to outsource big data to public cloud. To facilitate secure data using and sharing, dual-policy attribute-based encryption (DP-ABE) is a suitable solution. It allows two access control mechanisms over encrypted data at the same time: one involves access policies over subjective attributes ascribed to user credentials, and the other involves policies over objective attributes ascribed to data. In this work, we are exploring methods to make DP-ABE more flexible, more efficient, and more secure for deployments in cloud scenes. Our proposal features the following achievements simultaneously: (1) beyond the access control mechanisms of DP-ABE, it also supports two flexible features called encryption and key generation in single-policy modes; (2) most operations of key generation, encryption, and decryption are securely outsourced to cloud servers, leaving extremely low overheads for the PKG, data owners, and users; and (3) it realizes the strongest security notion of public-key encryption schemes, namely, CCA security. We formalize the security definition and formally prove its security in the random oracle model. Moreover, we implement the proposed schemes using the Charm framework. The experiment results demonstrate that our schemes are efficient and practical.

Jin Li,Gansen Zhao,Xiaofeng Chen,Dongqing Xie,Chunming Rong,Wenjun Li,Lianzhang Tang,Yong Tang

DOI: https://doi.org/10.1109/cloudcom.2010.44

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which IT resources and capacities are provided as services over the Internet. Promising as it is, this paradigm also brings forth new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are likely outside of the same trust domain of data owners. To maintain the confidentiality of, sensitive user data against untrusted servers, existing work usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. In this paper, we present a way to implement, scalable and fine-grained access control systems based on attribute-based encryption (ABE). For the purpose of secure access control in cloud computing, the prevention of illegal key sharing among colluding users is missing from the existing access control systems based on ABE. This paper addresses this challenging open issue by defining and enforcing access policies based on data attributes and implementing user accountability by using traitor tracing. Furthermore, both the user grant and revocation are efficiently supported by using the broadcast encryption technique. Extensive analysis shows that the proposed scheme is highly efficient and provably secure under existing security models.

Jing-yi FU,Qin-long HUANG,Zhao-feng MA,Yi-xian YANG

DOI: https://doi.org/10.1016/s1005-8885(14)60344-7

2014-01-01

Abstract:The ciphertext-policy（CP） attribute-based encryption（ABE）（CP-ABE） emergings as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks such as decryption overhead, user revocation and privacy preserving. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption（BE）（ABBE） named EP-ABBE, that can reduce the decryption computation overhead by partial decryption, and protect user privacy by obfuscating access policy of ciphertext and user’s attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner can enjoy the flexibly of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping revoked user’s index from the user index set, which is with very low computation cost. Moreover, the privacy of user can well be protected in the scheme. The security and performance analysis show that the scheme is secure, efficient and privacy-preserving.

Shucheng Yu,Cong Wang,Kui Ren,Wenjing Lou

DOI: https://doi.org/10.1109/INFCOM.2010.5462174

2010-01-01

Abstract:Cloud computing is an emerging computing paradigm in which resources of the computing infrastructure are provided as services over the Internet. As promising as it is, this paradigm also brings forth many new challenges for data security and access control when users outsource sensitive data for sharing on cloud servers, which are not within the same trusted domain as data owners. To keep sensitive user data confidential against untrusted servers, existing solutions usually apply cryptographic methods by disclosing data decryption keys only to authorized users. However, in doing so, these solutions inevitably introduce a heavy computation overhead on the data owner for key distribution and data management when fine-grained data access control is desired, and thus do not scale well. The problem of simultaneously achieving fine-grainedness, scalability, and data confidentiality of access control actually still remains unresolved. This paper addresses this challenging open issue by, on one hand, defining and enforcing access policies based on data attributes, and, on the other hand, allowing the data owner to delegate most of the computation tasks involved in fine-grained data access control to untrusted cloud servers without disclosing the underlying data contents. We achieve this goal by exploiting and uniquely combining techniques of attribute-based encryption (ABE), proxy re-encryption, and lazy re-encryption. Our proposed scheme also has salient properties of user access privilege confidentiality and user secret key accountability. Extensive analysis shows that our proposed scheme is highly efficient and provably secure under existing security models.