Purdue University
Purdue e-Pubs
Cyber Center Publications

An Efficient Certificateless Encryption for Secure Data Sharing in Public Clouds

Seung-Hyun Seo, Purdue University, West Lafayette, IN, USA
Mohamed Yoosuf Mohamed Nabeel, Purdue University
Xiaoyu Ding, Purdue University, West Lafayette, IN, USA
Elisa Bertino, Purdue University

IEEE TRANSACTIONS ON KNOWLEDGE AND DATA ENGINEERING, VOL. 26, NO. 9, SEPTEMBER 2014 2107
An Efficient Certificateless Encryption for
Secure Data Sharing in Public Clouds
Seung-Hyun Seo, Member, IEEE, Mohamed Nabeel, Member, IEEE,
Xiaoyu Ding, Student Member, IEEE, and Elisa Bertino, Fellow, IEEE
Abstract—We propose a mediated certificateless encryption scheme without pairing operations for securely sharing sensitive
information in public clouds. Mediated certificateless public key encryption (mCL-PKE) solves the key escrow problem in identity
based encryption and certificate revocation problem in public key cryptography. However, existing mCL-PKE schemes are either
inefficient because of the use of expensive pairing operations or vulnerable against partial decryption attacks. In order to address the
performance and security issues, in this paper, we first propose a mCL-PKE scheme without using pairing operations. We apply our
mCL-PKE scheme to construct a practical solution to the problem of sharing sensitive information in public clouds. The cloud is
employed as a secure storage as well as a key generation center. In our system, the data owner encrypts the sensitive data using the
cloud generated users’ public keys based on its access control policies and uploads the encrypted data to the cloud. Upon successful
authorization, the cloud partially decrypts the encrypted data for the users. The users subsequently fully decrypt the partially
decrypted data using their private keys. The confidentiality of the content and the keys is preserved with respect to the cloud, because
the cloud cannot fully decrypt the information. We also propose an extension to the above approach to improve the efficiency of
encryption at the data owner. We implement our mCL-PKE scheme and the overall cloud based system, and evaluate its security and
performance. Our results show that our schemes are efficient and practical.
Index Terms—Cloud computing, certificateless cryptography, confidentiality, access control
The authors are with the Department of Computer Science, Purdue University, West Lafayette, IN 47907 USA. E-mail: {seo29, nabeel, ding55, bertino}@purdue.edu.
Manuscript received 21 Dec. 2012; revised 19 Apr. 2013; accepted 3 July 2013. Date of publication 4 Aug. 2013; date of current version 31 July 2014.
Recommended for acceptance by E. Ferrari.
For information on obtaining reprints of this article, please send e-mail to: reprints@ieee.org, and reference the Digital Object Identifier below.
Digital Object Identifier 10.1109/TKDE.2013.138

1 INTRODUCTION

DUE TO the benefits of public cloud storage, organizations have been adopting public cloud services such as Microsoft Skydrive [18] and Dropbox [11] to manage their data. However, for the widespread adoption of cloud storage services, the public cloud storage model should solve the critical issue of data confidentiality. That is, shared sensitive data must be strongly secured from unauthorized accesses. In order to assure confidentiality of sensitive data stored in public clouds, a commonly adopted approach is to encrypt the data before uploading it to the cloud. Since the cloud does not know the keys used to encrypt the data, the confidentiality of the data from the cloud is assured. However, as many organizations are required to enforce fine-grained access control to the data, the encryption mechanism should also be able to support fine-grained encryption based access control. As shown in Fig. 1, a typical approach used to support fine-grained encryption based access control is to encrypt different sets of data items to which the same access control policy applies with different symmetric keys and give users either the relevant keys [4], [19] or the ability to derive the keys [20], [23]. Even though the key derivation-based approaches reduce the number of keys to be managed, symmetric key based mechanisms in general have the problem of high costs for key management. In order to reduce the overhead of key management,
an alternative is to use a public key cryptosystem. However,
a traditional public key cryptosystem requires a trusted
Certificate Authority (CA) to issue digital certificates that
bind users to their public keys. Because the CA has to
generate its own signature on each user’s public key and
manage each user’s certificate, the overall certificate man-
agement is very expensive and complex. To address such
shortcoming, Identity-Based Public Key Cryptosystem (IB-
PKC) was introduced, but it suffers from the key escrow
problem as the key generation server learns the private keys
of all users. Recently, Attribute Based Encryption (ABE)
has been proposed that allows one to encrypt each data
item based on the access control policy applicable to the
data. However, in addition to the key escrow problem,
ABE has the revocation problem as the private keys given
to existing users should be updated whenever a user is
revoked. In order to address the key escrow problem in
IB-PKC, Al-Riyami and Paterson introduced a new cryp-
tosystem called Certificateless Public Key Cryptography
(CL-PKC) [2].
Lei et al. [16] then proposed the CL-PRE (Certificateless
Proxy Re-Encryption) scheme for secure data sharing in
public cloud environments. Although their scheme is based
on CL-PKC to solve the key escrow problem and certificate
management, it relies on pairing operations. Despite recent advances in implementation techniques, the computational costs required for pairing are still considerably high compared to the costs of standard operations such as modular exponentiation in finite fields. Moreover, their scheme only achieves Chosen Plaintext Attack (CPA) security. As pointed out in [3], CPA security is often not sufficient to guarantee security in general protocol settings. For example, CPA is not sufficient for many applications such as encrypted email forwarding and secure data sharing that require security against Chosen Ciphertext Attack (CCA).

Fig. 1. Symmetric key based fine-grained encryption.

1041-4347 © 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
In this paper, we address the shortcomings of such
previous approaches and propose a novel mediated
Certificateless Public Key Encryption (mCL-PKE) scheme
that does not utilize pairing operations. Since most CL-PKC
schemes are based on bilinear pairings, they are computa-
tionally expensive. Our scheme reduces the computational
overhead by using a pairing-free approach. Further, the
computation costs for decryption at the users are reduced
as a semi-trusted security mediator partially decrypts the
encrypted data before the users decrypt. The security
mediator acts as a policy enforcement point as well and
supports instantaneous revocation of compromised or mali-
cious users. In Section 5, we show that our scheme is
much more efficient than the pairing based scheme pro-
posed by Lei et al. [16]. Moreover, compared to symmetric
key based mechanisms, our approach can efficiently man-
age keys and user revocations. In symmetric key systems,
users are required to manage a number of keys equal to
at least the logarithm of the number of users, whereas in
our approach, each user only needs to maintain its pub-
lic/private key pair. Further, revocation of users in a typical
symmetric key system requires updating the private keys
given to all the users in the group, whereas in our approach
private keys of the users are not required to be changed.
Fig. 2. CL-PKE based fine-grained encryption.

Fig. 3. CL-PKE with intermediate keys based fine-grained encryption.

Based on our mCL-PKE scheme, we propose a novel approach to assure the confidentiality of data stored in public clouds while enforcing access control requirements. There are five entities in our system: the data owner, users, the Security Mediator (SEM), the Key Generation Center (KGC), and the storage service (see Fig. 2 for a high-level architecture of our approach). The SEM, KGC, and the storage service are semi-trusted and reside in a public cloud. Although they are not trusted for the confidentiality of the data and the keys, they are trusted for executing the protocols correctly. According to the access control policy, the data owner encrypts a symmetric data encryption key using the mCL-PKE scheme and encrypts the data items using a symmetric encryption algorithm. Then, the data owner uploads the encrypted data items and the encrypted data encryption key to the cloud. Notice that a major advantage of our approach compared to conventional approaches is that the KGC, which is the entity in charge of generating the keys, resides in a public cloud. Thus, it simplifies the task of key management for organizations.
In a conventional CL-PKE scheme, user’s complete pri-
vate key consists of a secret value chosen by the user and
a partial private key generated by the KGC. Unlike the CL-
PKE scheme, the partial private key is securely given to the
SEM, and the user keeps only the secret value as its own
private key in the mCL-PKE scheme. So, each user’s access
request goes through the SEM which checks whether the
user is revoked before it partially decrypts the encrypted
data using the partial private key. It does not suffer from the
key escrow problem, because the user’s own private key is
not revealed to any party. It should be noted that neither
the KGC nor the SEM can decrypt the encrypted data for
specific users. Moreover, since each access request is medi-
ated through the SEM, our approach supports immediate
revocation of compromised users.
It is important to notice that if one directly applies our
basic mCL-PKE scheme to cloud computing and if many
users are authorized to access the same data, the encryp-
tion costs at the data owner can become quite high. In such
case, the data owner has to encrypt the same data encryp-
tion key multiple times, once for each user, using the users’
public keys. To address this shortcoming, we introduce an
extension of the basic mCL-PKE scheme. Our extended
mCL-PKE scheme requires the data owner to encrypt the
data encryption key only once and to provide some addi-
tional information to the cloud so that authorized users
can decrypt the content using their private keys. Fig. 3
gives a high-level view of the extension. The idea is similar
to Proxy Re-Encryption (PRE) by which the data encryp-
tion key is encrypted using the data owner’s public key
and later can be decrypted by different private keys after
some transformation by the cloud which acts as the proxy.
However, in our extension, the cloud simply acts as stor-
age and does not perform any transformation. Instead, the
user is able to decrypt using its own private key and an
intermediate key issued by the data owner.

Our main contributions are summarized as follows:

• We propose a new mCL-PKE scheme. We present the formal security model and provide the security proof. Since our mCL-PKE scheme does not depend on the pairing-based operation, it reduces the computational overhead. Moreover, we introduce an extension of the mCL-PKE scheme to efficiently encrypt data for multiple users.
• We propose a novel approach to securely share data in a public cloud. Unlike conventional approaches, the KGC only needs to be semi-trusted and can reside in the public cloud, because our mCL-PKE scheme does not suffer from the key escrow problem.
• We have implemented our mCL-PKE scheme and the extension to evaluate the performance. The experimental result shows that our mCL-PKE scheme can be realistically applied in a public cloud for secure data sharing.
The remainder of this paper is organized as follows:
Section 2 introduces our mCL-PKE scheme without pairing,
and presents a security model and security proof. Section 3
proposes an approach for secure sharing data in public
clouds. Section 4 proposes the extended scheme for secure
cloud storage. Section 5 shows the performance evaluation.
Section 6 discusses related works and Section 7 concludes
the paper.
2 MCL-PKE SCHEME WITHOUT PAIRINGS
In this section, we present the mediated Certificateless
Public Key Encryption (mCL-PKE) scheme and its security
model. Then, we prove the formal security of mCL-PKE
scheme.
2.1 Definitions

Definition 1. The mediated certificateless public key encryption scheme is a 7-tuple mCL-PKE = (SetUp, SetPrivateKey, SetPublicKey, SEM-KeyExtract, Encrypt, SEM-Decrypt, USER-Decrypt). The description of each algorithm is as follows.

• SetUp: It takes a security parameter $k$ as input and returns system parameters $params$ and a secret master key $mk$. We assume that $params$ are publicly available to all users.
• SetPrivateKey: It takes $params$ and $ID$ as input and outputs the user's (the owner of $ID$) secret value $SK_{ID}$. Each user runs this algorithm.
• SetPublicKey: It takes $params$ and a user's secret value $SK_{ID}$ as input and returns the user's public key $PK_{ID}$.
• SEM-KeyExtract: Each user registers its own identity and public key with the KGC. After the KGC verifies the user's knowledge of the private key corresponding to its public key, the KGC takes $params$, $mk$ and the user identity $ID$ as input and generates a SEM-key corresponding to $ID$, which the SEM requires at decryption time. The KGC runs this algorithm for each user, and we assume that the SEM-key is distributed securely to the SEM.
• Encrypt: It takes $params$, a user's identity $ID$, a user's public key $PK_{ID}$, and a message $M$ as inputs and returns either a ciphertext $C_{ID}$ or a special symbol meaning an encryption failure. Any entity can run this algorithm.
• SEM-Decrypt: It takes $params$, a SEM-key, and a ciphertext $C_{ID}$ as input, and then returns either a partially decrypted message $C'_{ID}$ for the user or a special symbol meaning a decryption failure. Only the SEM runs this algorithm, using the SEM-key.
• USER-Decrypt: It takes $params$, a user's private key $SK_{ID}$, and the partially decrypted message $C'_{ID}$ from the SEM as input and returns either a fully decrypted message $M$ or a special symbol meaning a decryption failure. Only the user can run this algorithm, using its own private key and the partially decrypted message from the SEM.

Definition 2. The Computational Diffie-Hellman (CDH) problem is defined as follows: Let $p$ and $q$ be primes such that $q \mid (p-1)$. Let $g$ be a generator of $\mathbb{Z}_p^*$. Let $\mathcal{A}$ be an adversary. $\mathcal{A}$ tries to solve the following problem: Given $(g, g^a, g^b)$ for uniformly chosen $a, b \in \mathbb{Z}_q^*$, compute $k = g^{ab}$. We define $\mathcal{A}$'s advantage in solving the CDH problem by $\mathrm{Adv}(\mathcal{A}) = \Pr[\mathcal{A}(g, g^a, g^b) = g^{ab}]$.
2.2 Security Model of Mediated CL-PKE

In general, in order to construct the security model of a mediated CL-PKE scheme [9], we must consider two types of adversaries: the Type I adversary $\mathcal{A}_I$ and the Type II adversary $\mathcal{A}_{II}$. A Type I adversary $\mathcal{A}_I$ models a normal third-party attacker which does not know the master key, but can replace public keys of users. That is, $\mathcal{A}_I$ does not have access to the master key, but is able to choose any public key to be used for the challenge ciphertext. A Type II adversary $\mathcal{A}_{II}$ is a malicious KGC which has the master key, but is unable to replace public keys of users. That is, $\mathcal{A}_{II}$ has access to the master key, but can use only a registered public key for the challenge ciphertext. We do not need to consider a malicious SEM explicitly, because it is weaker than $\mathcal{A}_{II}$.

In order to describe the security of the mediated CL-PKE scheme, we consider a formal game in which the adversary $\mathcal{A}$ interacts with its Challenger as follows. The adversary $\mathcal{A}$ can be either $\mathcal{A}_I$ or $\mathcal{A}_{II}$. The Challenger keeps a history of queries and answers while interacting with the adversaries.

A Formal Game for an adversary $\mathcal{A}$

• SetUp: The Challenger runs SetUp with a security parameter $k$ as input to obtain system parameters $params$ and a master key $mk$. The Challenger gives $params$ to the adversary $\mathcal{A}$ and keeps $mk$ secret.
• Phase 1: The adversary $\mathcal{A}$ can adaptively make various queries, and the Challenger responds to the queries as follows:
  - SEM-key for ID Extraction: The Challenger runs SEM-KeyExtract to generate the SEM-key $d_0$ using an identity $ID$ and $params$ as the input.
  - Public Key Request for ID: The Challenger runs SetPrivateKey to generate $SK_{ID}$, and then runs SetPublicKey to generate the public key $PK_{ID}$ using $ID$, $SK_{ID}$ and $params$ as the input. It returns $PK_{ID}$ to $\mathcal{A}$.
  - Public Key Replacement: The adversary $\mathcal{A}$ can repeatedly replace the public key for any identity with any value of its choice. The SEM-key is also updated if the Challenger bundles the public key with the identity for SEM-key creation. The replaced public key is used in the rest of the game unless replaced again.
  - Private Key Extraction for ID: The Challenger runs SetPrivateKey to generate $SK_{ID}$ using $ID$ as the input. It returns $SK_{ID}$ to $\mathcal{A}$. However, if the public key of $ID$ has already been replaced by the adversary $\mathcal{A}$, this query is disallowed.
  - SEM-Decryption: The adversary provides an identity $ID$ and a ciphertext $C_{ID}$. The Challenger responds with the partial decryption $C'_{ID}$ under the SEM-key $d_0$ that is associated with the identity $ID$.
  - USER-Decryption: The adversary provides an identity $ID$ and a partially decrypted ciphertext $C'_{ID}$. The Challenger responds with the decryption of $C'_{ID}$ under the private key $SK_{ID}$ that is associated with the identity $ID$.
• Challenge Phase: Once $\mathcal{A}$ determines that Phase 1 is over, it outputs a challenge identity $ID^*$ and a pair of plaintexts $(M_0, M_1)$ of equal length. In case $\mathcal{A}$ is an $\mathcal{A}_I$, it chooses a public key $PK^*_{ID}$ of identity $ID^*$ by using the Public Key Replacement query. For the identity $ID^*$, $\mathcal{A}_I$ cannot ask both the SEM-Key Extraction query and the Private Key Extraction query. If $\mathcal{A}$ is an $\mathcal{A}_{II}$, the public key of identity $ID^*$ cannot be replaced. For the identity $ID^*$, $\mathcal{A}_{II}$ cannot ask the Private Key Extraction query. The Challenger picks $\beta \in_R \{0, 1\}$ and creates a target ciphertext $C^*_{ID}$ which is the encryption of $M_\beta$ under the public key of $ID^*$. In case of $\mathcal{A}_I$, the public key of $ID^*$ is $PK^*_{ID}$. Otherwise, the public key of $ID^*$ is the original one. The Challenger returns $C^*_{ID}$ to $\mathcal{A}$.
• Phase 2: $\mathcal{A}$ continues to issue more queries, but it cannot issue both the SEM-Key Extraction query and the Private Key Extraction query for $ID^*$. If $\mathcal{A}_I$ has requested the private key corresponding to the public key $PK^*_{ID}$, then it cannot make a SEM-Decrypt query for $C^*_{ID}$. On the other hand, if $\mathcal{A}_{II}$ has requested the SEM-key corresponding to $ID^*$, it cannot make a USER-Decrypt query for $C'^*_{ID}$, where $C'^*_{ID}$ is the result of the SEM-Decrypt query for $C^*_{ID}$.
• Guess: $\mathcal{A}$ outputs its guess bit $\beta' \in \{0, 1\}$. If $\beta' = \beta$, $\mathcal{A}$ wins.

We define the advantage of $\mathcal{A}_i$, $i \in \{I, II\}$, in the above game as $2 \times \left| \Pr[\beta' = \beta] - \tfrac{1}{2} \right|$. A mediated CL-PKE scheme is IND-CCA secure if there is no probabilistic polynomial-time adversary in the above games with non-negligible advantage in the security parameter $k$. The security of our mediated certificateless public key encryption scheme is based on the assumed intractability of the CDH problem.
2.3 Basic Algorithm

• SetUp: The KGC takes as input a security parameter $k$ to generate two primes $p$ and $q$ such that $q \mid p-1$. It then performs the following steps:
  1) Pick a generator $g$ of $\mathbb{Z}_p^*$ with order $q$.
  2) Select $x \in \mathbb{Z}_q^*$ uniformly at random and compute $y = g^x$.
  3) Choose cryptographic hash functions $H_1 : \{0,1\}^* \times \mathbb{Z}_p^* \to \mathbb{Z}_q^*$, $H_2 : \{0,1\}^* \times \mathbb{Z}_p^* \times \mathbb{Z}_p^* \to \mathbb{Z}_q^*$, $H_3 : \{0,1\}^* \to \mathbb{Z}_q^*$, $H_4 : \mathbb{Z}_p^* \to \{0,1\}^{n+k_0}$, $H_5 : \mathbb{Z}_p^* \to \{0,1\}^{n+k_0}$, and $H_6 : \mathbb{Z}_p^* \times \{0,1\}^{n+k_0} \times \mathbb{Z}_p^* \times \{0,1\}^{n+k_0} \to \mathbb{Z}_q^*$, where $n$ and $k_0$ are the bit-lengths of a plaintext and of a random bit string, respectively.
  The system parameters $params$ are $(p, q, n, k_0, g, y, H_1, H_2, H_3, H_4, H_5, H_6)$. The master key of the KGC is $x$. The plaintext space is $\mathcal{M} = \{0,1\}^n$ and the ciphertext space is $\mathcal{C} = \mathbb{Z}_p^* \times \{0,1\}^{n+k_0} \times \mathbb{Z}_q^*$.
• SetPrivateKey: The entity $A$ chooses $z_A \in \mathbb{Z}_q^*$ uniformly at random as the private key of $A$.
• SetPublicKey: The entity $A$ computes $U_A = g^{z_A}$.
• SEM-KeyExtract: The KGC selects $s_0, s_1 \in \mathbb{Z}_q^*$ and computes $w_0 = g^{s_0}$, $w_1 = g^{s_1}$, $d_0 = s_0 + x H_1(ID_A, w_0)$, and $d_1 = s_1 + x H_2(ID_A, w_0, w_1)$. The KGC sets $d_0$ as the SEM-key for $A$. After $A$ proves knowledge of the secret value $z_A$ such that $U_A = g^{z_A}$, the KGC sets $(U_A, w_0, w_1, d_1)$ as $A$'s public keys.
• Encrypt: To encrypt a plaintext $M \in \{0,1\}^n$ for the entity $A$ with identity $ID_A$ and public keys $(U_A, w_0, w_1, d_1)$, the encryptor performs the following steps:
  1) Check whether $g^{d_1} = w_1 \cdot y^{H_2(ID_A, w_0, w_1)}$. If the check fails, the encryption algorithm must be aborted.
  2) Choose $\sigma \in \{0,1\}^{k_0}$ and compute $r = H_3(M, ID_A, U_A)$.
  3) Compute $C_1 = g^r$.
  4) Compute $C_2 = (M \| \sigma) \oplus H_4(U_A^{\,r}) \oplus H_5\!\left(w_0^{\,r} \cdot y^{H_1(ID_A, w_0) \cdot r}\right)$.
  5) Compute $C_3 = H_6\!\left(U_A,\ (M \| \sigma) \oplus H_4(U_A^{\,r}),\ C_1,\ C_2\right)$.
  Output the ciphertext $C = (C_1, C_2, C_3)$. In Step 1, an entity who wants to encrypt a message can verify the validity of the receiver's public key. Steps 2 to 5 are the encryption process.
• SEM-Decrypt: Given the ciphertext $C = (C_1, C_2, C_3)$, an identity $ID_A$, and $A$'s public keys $(U_A, w_0, w_1, d_1)$, the SEM performs the following steps using the SEM-key $d_0$:
  1) Check that $ID_A$ is a legitimate user whose key has not been revoked.
  2) Compute $C_1^{d_0}$:
  $$C_1^{d_0} = g^{r \cdot d_0} = g^{r \cdot (s_0 + x H_1(ID_A, w_0))} = g^{r \cdot s_0} \cdot g^{r \cdot x H_1(ID_A, w_0)} = w_0^{\,r} \cdot y^{\,r \cdot H_1(ID_A, w_0)}.$$
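The SetUp, key-generation, Encrypt and SEM-Decrypt steps above, together with the data-owner / SEM / user split described in Section 1, as a runnable Python model. This is an added example, not code from the paper or its authors. Its assumptions: a toy-size Schnorr group generated at run time (a safe prime $p = 2q+1$ with $q$ of 128 bits, far below a deployment size), the hash functions $H_1$ to $H_6$ instantiated from SHA-256 and SHAKE-256 with domain-separation tags, $n = 128$ and $k_0 = 64$ bits, exponent keys reduced modulo $q$, and $\sigma$ fed into $H_3$ alongside $(M, ID_A, U_A)$ so that repeated encryptions of one message do not share $C_1$. The page stops after SEM-Decrypt Step 2, so the rest of SEM-Decrypt (stripping the $H_5$ layer and checking $C_3$) and the whole of USER-Decrypt (removing the $H_4$ layer with $C_1^{z_A}$ and re-deriving $r$ to check $C_1$) are my completion, chosen to invert the Encrypt steps shown, not the paper's text. The identity `alice@example.org` and the plaintext are constructed inputs.

```python
import hashlib
import secrets

N_BYTES, K0_BYTES = 16, 8  # plaintext length n = 128 bits, random tag length k0 = 64 bits

def _is_probable_prime(n: int, rounds: int = 16) -> bool:  # Miller-Rabin, toy-size use only
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    s = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = 2^s * d with d odd
    d = (n - 1) >> s
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x not in (1, n - 1) and all((x := pow(x, 2, n)) != n - 1 for _ in range(s - 1)):
            return False  # no squaring reached n - 1: witness of compositeness
    return True

def _schnorr_group(bits: int):
    """Constructed toy group: safe prime p = 2q + 1; g = 4 has prime order q in Z_p^*."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def h_zq(params, tag: bytes, *parts) -> int:
    """H1, H2, H3, H6: domain-separated SHA-256 mapped into Z_q^* (my instantiation)."""
    h = hashlib.sha256(tag)
    for part in parts:
        b = part if isinstance(part, bytes) else part.to_bytes(params["plen"], "big")
        h.update(len(b).to_bytes(2, "big") + b)
    return int.from_bytes(h.digest(), "big") % (params["q"] - 1) + 1

def h_bits(params, tag: bytes, x: int) -> bytes:  # H4, H5: group element -> {0,1}^{n+k0}
    return hashlib.shake_256(tag + x.to_bytes(params["plen"], "big")).digest(N_BYTES + K0_BYTES)

_xor = lambda a, b: bytes(u ^ v for u, v in zip(a, b))  # XOR of equal-length byte strings

def setup(bits: int = 128):
    """SetUp: public params (p, q, g, y = g^x); the master key x stays at the KGC."""
    p, q, g = _schnorr_group(bits)
    x = secrets.randbelow(q - 1) + 1
    return {"p": p, "q": q, "g": g, "y": pow(g, x, p), "plen": (p.bit_length() + 7) // 8}, x

def user_keygen(params):
    """SetPrivateKey + SetPublicKey: z_A never leaves the user; U_A = g^{z_A} is registered."""
    z_a = secrets.randbelow(params["q"] - 1) + 1
    return z_a, pow(params["g"], z_a, params["p"])

def sem_key_extract(params, mk: int, id_a: bytes, u_a: int):
    """SEM-KeyExtract: d0 is the SEM-key; (U_A, w0, w1, d1) is A's published key."""
    p, q, g = params["p"], params["q"], params["g"]
    s0, s1 = secrets.randbelow(q - 1) + 1, secrets.randbelow(q - 1) + 1
    w0, w1 = pow(g, s0, p), pow(g, s1, p)
    d0 = (s0 + mk * h_zq(params, b"H1", id_a, w0)) % q
    d1 = (s1 + mk * h_zq(params, b"H2", id_a, w0, w1)) % q
    return d0, (u_a, w0, w1, d1)

def public_key_is_valid(params, id_a: bytes, pk) -> bool:
    """Encrypt Step 1: g^{d1} == w1 * y^{H2(ID_A, w0, w1)} ties the key to the KGC."""
    p, (u_a, w0, w1, d1) = params["p"], pk
    return pow(params["g"], d1, p) == w1 * pow(params["y"], h_zq(params, b"H2", id_a, w0, w1), p) % p

def encrypt(params, id_a: bytes, pk, m: bytes):
    p, g, y, (u_a, w0, _, _) = params["p"], params["g"], params["y"], pk
    if len(m) != N_BYTES or not public_key_is_valid(params, id_a, pk):
        raise ValueError("bad plaintext length or invalid public key: encryption aborted")
    sigma = secrets.token_bytes(K0_BYTES)
    r = h_zq(params, b"H3", m, sigma, id_a, u_a)  # page: H3(M, ID_A, U_A); sigma added, my choice
    c1 = pow(g, r, p)
    user_layer = h_bits(params, b"H4", pow(u_a, r, p))  # only z_A can recompute U_A^r
    sem_layer = h_bits(params, b"H5", pow(w0, r, p) * pow(y, r * h_zq(params, b"H1", id_a, w0), p) % p)
    inner = _xor(m + sigma, user_layer)  # (M||sigma) xor H4(U_A^r)
    c2 = _xor(inner, sem_layer)  # ... xor H5(w0^r * y^{H1(ID_A, w0) * r})
    return c1, c2, h_zq(params, b"H6", u_a, inner, c1, c2)

def sem_decrypt(params, d0: int, revoked: set, id_a: bytes, pk, c):
    """Steps 1-2 follow the page; stripping the H5 layer and checking C3 here are assumed."""
    c1, c2, c3 = c
    if id_a in revoked:
        raise PermissionError("identity revoked: SEM refuses to mediate")
    # C1^{d0} = w0^r * y^{r*H1(ID_A, w0)}, the identity derived in the text; M||sigma stays masked by H4
    inner = _xor(c2, h_bits(params, b"H5", pow(c1, d0, params["p"])))
    if h_zq(params, b"H6", pk[0], inner, c1, c2) != c3:
        raise ValueError("ciphertext integrity check failed")
    return c1, inner

def user_decrypt(params, z_a: int, id_a: bytes, pk, partial) -> bytes:
    """Assumed USER-Decrypt: remove H4(U_A^r) via C1^{z_A}, then re-derive r to check C1."""
    c1, inner = partial
    m_sigma = _xor(inner, h_bits(params, b"H4", pow(c1, z_a, params["p"])))
    m, sigma = m_sigma[:N_BYTES], m_sigma[N_BYTES:]
    if pow(params["g"], h_zq(params, b"H3", m, sigma, id_a, pk[0]), params["p"]) != c1:
        raise ValueError("partial decryption does not match C1: reject")
    return m

def roundtrip(m: bytes = b"16-byte secret!!", ident: bytes = b"alice@example.org") -> bytes:
    """Constructed end-to-end run: owner encrypts, SEM partially decrypts, user finishes."""
    params, mk = setup()
    z_a, u_a = user_keygen(params)
    d0, pk = sem_key_extract(params, mk, ident, u_a)
    return user_decrypt(params, z_a, ident, pk, sem_decrypt(params, d0, set(), ident, pk, encrypt(params, ident, pk, m)))
```

`roundtrip()` runs the owner, SEM and user roles in sequence for one constructed identity. Two design points worth noticing: the SEM's check of $C_3$ uses only $U_A$, $C_1$, $C_2$ and the value it has just unmasked, so it can reject a malformed ciphertext without ever seeing $M$; and the user's final comparison of $C_1$ against a freshly derived $r$ is the user's own defence against a partial decryption that was not computed honestly, since neither the SEM nor the KGC holds $z_A$.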
