In traditional cloud storage systems, attribute-based encryption (ABE) is regarded as an important technology for solving the problem of data privacy and fine-grained access control. However, in all ABE schemes, the private key generator has the ability to decrypt all data stored in the cloud server, which may bring serious problems such as key abuse and privacy data leakage. Meanwhile, the traditional cloud storage model runs in a centralized storage manner, so single point of failure may leads to the collapse of system. With the development of blockchain technology, decentralized storage mode has entered the public view. The decentralized storage approach can solve the problem of single point of failure in traditional cloud storage systems and enjoy a number of advantages over centralized storage, such as low price and high throughput. In this paper, we study the data storage and sharing scheme for decentralized storage systems and propose a framework that combines the decentralized storage system interplanetary file system, the Ethereum blockchain, and ABE technology. In this framework, the data owner has the ability to distribute secret key for data users and encrypt shared data by specifying access policy, and the scheme achieves fine-grained access control over data. At the same time, based on smart contract on the Ethereum blockchain, the keyword search function on the cipher text of the decentralized storage systems is implemented, which solves the problem that the cloud server may not return all of the results searched or return wrong results in the traditional cloud storage systems. Finally, we simulated the scheme in the Linux system and the Ethereum official test network Rinkeby, and the experimental results show that our scheme is feasible.

A Blockchain-Based Framework for Data Sharing With Fine-Grained Access Control in Decentralized Storage Systems

Attribute-based encryption (ABE) can guarantee confidentiality and achieve fine-grained data access control in a cloud storage system. Due to the fact that every attribute in ABE may be shared by multiple users and each user holds multiple attributes, any single-attribute revocation for some user may affect the other users with the same attribute in the system. Therefore, how to revoke attribute efficiently is an important and challenging problem in ABE schemes. In order to solve above problems, we first give a concrete attack to the existing ABE scheme with attribute revocation. Then, we formalize the definition and security model, which model collusion attack executed by the existing users cooperating with the revoked users. Finally, we present a user collusion avoidance ciphertext-policy ABE scheme with efficient attribute revocation for the cloud storage system. The problem of attribute revocation is solved efficiently by exploiting the concept of an attribute group. When an attribute is revoked from a user, the group manager updates other users’ secret keys. Furthermore, we prove that the proposed scheme is secure against collusion attack launched by the existing users and the revoked users. The security of the proposed scheme is reduced to the computational Diffie–Hellman assumption.

User Collusion Avoidance CP-ABE With Efficient Attribute Revocation for Cloud Storage

Cloud storage service supplies people with an efficient method to share data within a group. The cloud server is not trustworthy, so lots of remote data possession checking (RDPC) protocols are proposed and thought to be an effective way to ensure the data integrity. However, most of RDPC protocols are based on the mechanism of traditional public key infrastructure (PKI), which has obvious security flaw and bears big burden of certificate management. To avoid this shortcoming, identity-based cryptography (IBC) is often chosen to be the basis of RDPC. Unfortunately, IBC has an inherent drawback of key escrow. To solve these problems, we utilize the technique of certificateless signature to present a new RDPC protocol for checking the integrity of data shared among a group. In our scheme, user's private key includes two parts: a partial key generated by the group manager and a secret value chosen by herself/himself. To ensure the right public keys are chosen during the data integrity checking, the public key of each user is associated with her unique identity, for example the name or telephone number. Thus, the certificate is not needed and the problem of key escrow is eliminated too. Meanwhile, the data integrity can still be audited by public verifier without downloading the whole data. In addition, our scheme also supports efficient user revocation from the group. The security of our scheme is reduced to the assumptions of computational Diffie-Hellman (CDH) and discrete logarithm (DL). Experiment results exhibit that the new protocol is very efficient and feasible.

Certificateless Public Integrity Checking of Group Shared Data on Cloud Storage

Attribute based encryption (ABE) is a popular cryptographic technology to protect the security of users’ data. However, the decryption cost and ciphertext size restrict the application of ABE in practice. For most existing ABE schemes, the decryption cost and ciphertext size grow linearly with the complexity of access structure. This is undesirable to the devices with limited computing capability and storage space. Outsourced decryption is considered as a feasible method to reduce the user's decryption overhead, which enables a user to outsource a large number of decryption operations to the cloud service provider (CSP). However, outsourced decryption cannot guarantee the correctness of transformation done by the cloud, so it is necessary to check the correctness of outsourced decryption to ensure security for users’ data. Current research mainly focuses on verifiability of outsourced decryption for the authorized users. It still remains a challenging issue that how to guarantee the correctness of outsourced decryption for unauthorized users. In this paper, we propose an ABE scheme with verifiable outsourced decryption (called full verifiability for outsourced decryption), which can simultaneously check the correctness for transformed ciphertext for the authorized users and unauthorized users. The proposed ABE scheme with verifiable outsourced decryption is proved to be selective CPA-secure in the standard model.

Full Verifiability for Outsourced Decryption in Attribute Based Encryption

As an important application in cloud computing, cloud storage offers user scalable, flexible, and high-quality data storage and computation services. A growing number of data owners choose to outsource data files to the cloud. Because cloud storage servers are not fully trustworthy, data owners need dependable means to check the possession for their files outsourced to remote cloud servers. To address this crucial problem, some remote data possession checking (RDPC) protocols have been presented. But many existing schemes have vulnerabilities in efficiency or data dynamics. In this paper, we provide a new efficient RDPC protocol based on homomorphic hash function. The new scheme is provably secure against forgery attack, replace attack, and replay attack based on a typical security model. To support data dynamics, an operation record table (ORT) is introduced to track operations on file blocks. We further give a new optimized implementation for the ORT, which makes the cost of accessing ORT nearly constant. Moreover, we make the comprehensive performance analysis, which shows that our scheme has advantages in computation and communication costs. Prototype implementation and experiments exhibit that the scheme is feasible for real applications.

A Novel Efficient Remote Data Possession Checking Protocol in Cloud Storage

With the development of cloud computing, outsourcing data to cloud server attracts lots of attentions. To guarantee the security and achieve flexibly fine-grained file access control, attribute based encryption (ABE) was proposed and used in cloud storage system. However, user revocation is the primary issue in ABE schemes. In this article, we provide a ciphertext-policy attribute based encryption (CP-ABE) scheme with efficient user revocation for cloud storage system. The issue of user revocation can be solved efficiently by introducing the concept of user group. When any user leaves, the group manager will update users’ private keys except for those who have been revoked. Additionally, CP-ABE scheme has heavy computation cost, as it grows linearly with the complexity for the access structure. To reduce the computation cost, we outsource high computation load to cloud service providers without leaking file content and secret keys. Notably, our scheme can withstand collusion attack performed by revoked users cooperating with existing users. We prove the security of our scheme under the divisible computation Diffie-Hellman assumption. The result of our experiment shows computation cost for local devices is relatively low and can be constant. Our scheme is suitable for resource constrained devices.

Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing

A proxy re-encryption scheme (PRE) allows a semi-trusted proxy to convert a ciphertext encrypted under one key into a ciphertext encrypted under another key without leaking the underlying plaintext. In the process of the arithmetic processing, proxy should be able to learn as little information about the plaintext as possible. Conditional proxy re-encryption (CPRE) is a new cryptography primitive which only those ciphertexts satisfying one condition set by the delegator can be re-encrypted correctly by the proxy. In this paper, we first propose the formal definition and security model of certificate-based conditional proxy re-encryption. Further, we combine the conditional proxy re-encryption with certificate-based encryption and present a certificate-based conditional proxy re-encryption scheme. The proposed scheme is proved secure against chosenciphertext attack (CCA) in the random oracle model. Security of the scheme is reduced to the intractability of the bilinear Diffie-Hellman problem. Finally, we give the efficiency analysis of our scheme.

Provably Secure Certificate-based Conditional Proxy Re-encryption.

The invention discloses a ciphertext poly attribute base encryption method having an efficient attribute revocation capability. The method successively comprises the following steps: (1) system establishment, (2) attribute administrator establishment, (3) user private key generation, (4) encryption, (5) decryption, (6) attribute administrator upgrading, (&)user upgrading, and (8) re-encryption. The method has the advantages of less users related in the revocation process, small revocation cost, high revocation efficiency and the like.

Ciphertext poly attribute base encryption method having efficient attribute revocation capability

Certiﬁcate-based cryptography is a newkind of public key algorithm, which combines the merits oftraditional Public key infrastructure (PKI) and identitybased cryptography. It removes the inherent key escrowproblem in the identity-based cryptography and eliminatesthe certiﬁcate revocation problem and third-party queriesin the traditional PKI. In this paper, we propose an eﬃcient certiﬁcate-based signature scheme based on bilinearpairings. Under the strong security model of certiﬁcatebased signature scheme, we prove that our scheme is existentially unforgeable against adaptive chosen message andidentity attacks in the random oracle. In our scheme, onlytwo pairing operations are needed in the signing and veriﬁcation processes. Compared with some certiﬁcate-basedsignature schemes from bilinear pairings, our scheme enjoys more advantage in computational cost and communicational cost.

https://ietresearch.onlinelibrary.wiley.com/doi/pdf/10.1049/cje.2015.10.019

Wei Yao

Papers

Flexible and Fine-Grained Attribute-Based Data Storage in Cloud Computing

User Collusion Avoidance CP-ABE With Efficient Attribute Revocation for Cloud Storage

Provably Secure Certificate-based Conditional Proxy Re-encryption.

Ciphertext poly attribute base encryption method having efficient attribute revocation capability

A New Eﬃcient Certiﬁcate-Based Signature Scheme