Attribute-based storage supporting secure deduplication of encrypted data in cloud

Hui CUI, Singapore Management University, hcui@smu.edu.sg
Robert H. DENG, Singapore Management University, robertdeng@smu.edu.sg
Yingjiu LI, Singapore Management University, yjli@smu.edu.sg
Guowei WU, Singapore Management University
1-2017

Citation
CUI, Hui; DENG, Robert H.; LI, Yingjiu; and WU, Guowei. Attribute-based storage supporting secure deduplication of encrypted data in cloud. (2017). IEEE Transactions on Big Data. PP, (99), 1-13. Research Collection School Of Information Systems. Available at: http://ink.library.smu.edu.sg/sis_research/3898

This Journal Article is brought to you for free and open access by the School of Information Systems at Institutional Knowledge at Singapore Management University. It has been accepted for inclusion in Research Collection School Of Information Systems by an authorized administrator of Institutional Knowledge at Singapore Management University. For more information, please email libIR@smu.edu.sg.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Published in IEEE Transactions on Big Data, January 2017. Citation information: DOI 10.1109/TBDATA.2017.2656120, https://doi.org/10.1109/TBDATA.2017.2656120
Abstract—Attribute-based encryption (ABE) has been widely used in cloud computing where a data provider outsources his/her
encrypted data to a cloud service provider, and can share the data with users possessing specific credentials (or attributes). However,
the standard ABE system does not support secure deduplication, which is crucial for eliminating duplicate copies of identical data in
order to save storage space and network bandwidth. In this paper, we present an attribute-based storage system with secure
deduplication in a hybrid cloud setting, where a private cloud is responsible for duplicate detection and a public cloud manages the
storage. Compared with the prior data deduplication systems, our system has two advantages. Firstly, it can be used to confidentially
share data with users by specifying access policies rather than sharing decryption keys. Secondly, it achieves the standard notion of
semantic security for data confidentiality while existing systems only achieve it by defining a weaker security notion. In addition, we put
forth a methodology to modify a ciphertext over one access policy into ciphertexts of the same plaintext but under other access
policies without revealing the underlying plaintext.
1 INTRODUCTION
Cloud computing greatly facilitates data providers who want to outsource their data to the cloud without disclosing their sensitive data to external parties and would like users with certain credentials to be able to access the data [1], [2], [3], [4], [5]. This requires data to be stored in encrypted form with access control policies such that no one except users with attributes (or credentials) of specific forms can decrypt the encrypted data. An encryption technique that meets this requirement is called attribute-based encryption (ABE) [6], where a user's private key is associated with an attribute set, a message is encrypted under an access policy (or access structure) over a set of attributes, and a user can decrypt a ciphertext with his/her private key if his/her set of attributes satisfies the access policy associated with this ciphertext.

However, the standard ABE system fails to achieve secure deduplication [7], which is a technique to save storage space and network bandwidth by eliminating redundant copies of the encrypted data stored in the cloud. On the other hand, to the best of our knowledge, existing constructions [8], [9], [10], [11] for secure deduplication are not built on attribute-based encryption. Nevertheless, since ABE and secure deduplication have both been widely applied in cloud computing, it would be desirable to design a cloud storage system possessing both properties.

We consider the following scenario in the design of an attribute-based storage system supporting secure deduplication of encrypted data in the cloud, in which the cloud will not store a file more than once even though it may receive multiple copies of the same file encrypted under different access policies. A data provider, Bob, intends to upload a file $M$ to the cloud, and share $M$ with users having certain credentials. In order to do so, Bob encrypts $M$ under an access policy $\mathbb{A}$ over a set of attributes, and uploads the corresponding ciphertext to the cloud, such that only users whose sets of attributes satisfy the access policy can decrypt the ciphertext. Later, another data provider, Alice, uploads a ciphertext for the same underlying file $M$ but ascribed to a different access policy $\mathbb{A}'$. Since the file is uploaded in encrypted form, the cloud is not able to discern that the plaintext corresponding to Alice's ciphertext is the same as that corresponding to Bob's, and will store $M$ twice. Obviously, such duplicated storage wastes storage space and communication bandwidth.

1.1 Our Contributions
In this paper, we present an attribute-based storage system which employs ciphertext-policy attribute-based encryption (CP-ABE) and supports secure deduplication. Our main contributions can be summarized as follows.
• Firstly, the system is the first that achieves the standard notion of semantic security for data confidentiality in attribute-based deduplication systems, by resorting to the hybrid cloud architecture [12].
• Secondly, we put forth a methodology to modify a ciphertext over one access policy into ciphertexts of the same plaintext but under any other access policies without revealing the underlying plaintext. This technique might be of independent interest in addition to its application in the proposed storage system.
• Thirdly, we propose an approach based on two cryptographic primitives, a zero-knowledge proof of knowledge [13] and a commitment scheme [14], to achieve data consistency in the system.

Hui Cui is with the Secure Mobile Centre, School of Information Systems, Singapore Management University. E-mail: hcui@smu.edu.sg
Robert H. Deng, Yingjiu Li and Guowei Wu are with the School of Information Systems, Singapore Management University.
Manuscript received Month Day, 2016; revised Month Day, 2016.
2332-7790 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
In a typical storage system with secure deduplication (e.g., [9]), to store a file in the cloud, a data provider generates a tag and a ciphertext. The data provider uploads the tag and the ciphertext to the cloud. Upon receiving an outsourcing request from a data provider for uploading a ciphertext and an associated tag, the cloud runs a so-called equality checking algorithm, which checks if the tag in the incoming request is identical to any tag in the storage system. If there is a match, then the underlying plaintext of this incoming ciphertext has already been stored and the new ciphertext is discarded. It is apparent that such a system with a tag appended to the ciphertext does not provide the standard notion of semantic security for data confidentiality [15], because if the plaintexts can be predicted from their tags, an adversary can always make a correct guess by computing the tag of a plaintext and then testing it against the tag in the challenge phase of the semantic security game. To circumvent this obstacle, we bring into our system a hybrid cloud architecture [12], which consists of a private cloud responsible for tag checking and ciphertext regeneration (to be introduced later) and a public cloud storing the ciphertexts. Thanks to this architecture, we manage to achieve semantic security with respect to the public cloud, whilst with respect to the private cloud a weaker security notion called privacy under chosen distribution attacks (PRV-CDA security) [8] is accomplished under the assumption that the message space is sufficiently large that each message to be uploaded to the cloud is unpredictable.

However, endowing the private cloud with such a tag checking ability is not sufficient to achieve deduplication in an attribute-based storage system which employs CP-ABE for data encryption. In the proposed attribute-based system, the same file could be encrypted to different ciphertexts associated with different access policies; storing only one ciphertext of the file means that users whose attributes satisfy the access policy of a discarded ciphertext (but not that of the stored ciphertext) will be denied access to data that they are entitled to. To overcome this problem, we equip the private cloud with another capability named ciphertext regeneration. For a ciphertext $c$ of a plaintext $M$ with access policy $\mathbb{A}$, the private cloud will be provided with a trapdoor key which is generated along with the ciphertext $c$ by the data provider. The private cloud can use the trapdoor key to convert the ciphertext $c$ with access policy $\mathbb{A}$ into a new ciphertext $c'$ with another access policy $\mathbb{A}'$ without knowing the underlying message $M$. Thus, if two data providers happen to upload two ciphertexts corresponding to the same file but under different access policies $\mathbb{A}$ and $\mathbb{A}'$, the private cloud can regenerate a ciphertext for the same underlying file with access policy $\mathbb{A} \cup \mathbb{A}'$ (see footnote 1) using the corresponding trapdoor key and then store the new ciphertext instead of the old one in the public cloud.

Another key challenge in secure deduplication is to make it secure against duplicate faking attacks [8], in which a legally generated message is unnoticeably replaced by a fake one. In such an attack, a malicious user may intercept an outsourcing request and tamper with the ciphertext, and then send the modified ciphertext but the original tag to the cloud. Later, an honest data provider wants to upload a ciphertext for an identical file. The cloud spots that the tags of the two ciphertexts match each other, and thus might discard the ciphertext from the honest data provider and keep the maliciously modified ciphertext. When a user downloads the ciphertext, a tampered message $M'$ rather than the correct $M$ will be returned, which violates data integrity. In order to address this problem, we require the data provider to produce a proof of consistency reflecting that the tag and the ciphertext are legitimately generated. Our approach to producing such a proof makes use of the randomness reuse technique in the generation of the tag and the ciphertext, with an additional zero-knowledge proof of knowledge (PoK) [13] on the random coin shared by the tag and the ciphertext. Therefore, it is impossible for an adversary to perform duplicate faking attacks unless the adversary happens to obtain the content of the plaintext hidden in the ciphertext.

Unfortunately, the above method only works for the private cloud, which is responsible for tag checking. It remains challenging to achieve secure deduplication in the public cloud. Since the public cloud is not involved in any computation or verification, it is indispensable to guarantee that its stored ciphertexts are kept intact without any modification. A straightforward way to achieve this is to save the tags and the ciphertexts in pairs in the public cloud (see footnote 2), but if the tag and the corresponding ciphertext are both known to the public cloud, then, as we mentioned before, it is impossible to obtain semantic security. To achieve the standard security notion for data confidentiality [15], we ask a data provider to generate a label, in addition to the prior tag and ciphertext, using a commitment scheme [14]. This label is bound to the ciphertext and tag using the aforementioned PoK system but reveals no information about the underlying plaintext to the public cloud or to users who are not entitled to the decryption privilege, and it is outsourced to the public cloud together with the ciphertext instead of the tag, so that even against an adversary who is aware of the data that an honest data provider may upload, duplicate faking attacks can be detected by users who download and decrypt the data. Note that because the label is stored by both the private and the public cloud, tampering with the label in the public cloud will be immediately detected by the private cloud. Therefore, a user having decryption privilege for the ciphertext can always check the correctness of the plaintext via the label, since the tag and the label must be tied to the same plaintext by the proof.

1. For simplicity, $\mathbb{A} \cup \mathbb{A}'$ is used to denote an access policy which satisfies both $\mathbb{A}$ and $\mathbb{A}'$.
2. In this way, any user who downloads the file can, after decryption, check the correctness of the decrypted plaintext by matching it to the corresponding tag.

1.2 Related Work
Attribute-Based Encryption. Sahai and Waters [6] introduced the notion of attribute-based encryption (ABE), and then Goyal et al. [16] formulated key-policy ABE (KP-ABE) and ciphertext-policy ABE (CP-ABE) as two complementary forms of ABE. The first KP-ABE construction given in [16] realized monotonic access structures; the first KP-ABE system supporting the expression of non-monotone formulas was presented in [17] to enable more viable access policies; and the first large-class KP-ABE system in the standard model was presented in [18]. Nevertheless, we believe that KP-ABE is less flexible than CP-ABE because the access policy is determined once the user's attribute private key is issued. Bethencourt, Sahai and Waters [19] proposed the first CP-ABE construction, but it is only secure in the generic group model. Cheung and Newport [20] presented a CP-ABE scheme that is proved secure in the standard model, but it only supports AND access structures. A CP-ABE system under more advanced access structures was proposed by Goyal et al. [21] based on a number theoretic assumption. In order to overcome the limitation that the size of the attribute space is polynomially bounded in the security parameter and the attributes are fixed ahead of time, Rouselakis and Waters [22] built a large universe CP-ABE system over prime-order groups. In this paper, the Rouselakis-Waters system is taken as the underlying scheme for the concrete construction.

Secure Deduplication. With the goal of saving storage space for cloud storage services, Douceur et al. [23] proposed the first solution for balancing confidentiality and efficiency in performing deduplication, called convergent encryption, where a message is encrypted under a message-derived key so that identical plaintexts are encrypted to the same ciphertexts. In this case, if two users upload the same file, the cloud server can discern the equal ciphertexts and store only one copy of them. Implementations and variants of convergent encryption were deployed in [24], [25], [26], [27], [28]. In order to formalize a precise security definition for convergent encryption, Bellare, Keelveedhi and Ristenpart [8] introduced a cryptographic primitive named message-locked encryption, and detailed several definitions to capture various security requirements. Abadi et al. [9] then strengthened the security definition in [8] by considering plaintext distributions depending on the public parameters of the schemes. This model was later extended by Bellare and Keelveedhi [11] by providing privacy for messages that are both correlated and dependent on the public system parameters. Since message-locked encryption cannot resist brute-force attacks, in which files falling into a known set will be recovered, an architecture that provides secure deduplicated storage resisting brute-force attacks was put forward by Keelveedhi, Bellare and Ristenpart [10] and realized in a system called server-aided encryption for deduplicated storage. In this paper, a technique similar to that in [9] is used to achieve secure deduplication with regard to the private cloud in the concrete construction.

1.3 Organization
The remainder of this paper is organized as follows. In Section 2, we briefly review the notions and definitions to be used in the paper. In Section 3, after depicting the architecture of the attribute-based storage system supporting secure deduplication, we present its security model. We give a concrete attribute-based storage system supporting secure deduplication and analyze its security and performance efficiency in Section 4, and compare it with other related works in the literature in Section 5. We conclude the paper in Section 6.

2 PRELIMINARIES
In this section, we review some basic cryptographic notions and definitions that are to be used later.

2.1 Bilinear Pairings and Complexity Assumptions
Suppose that $\mathrm{Groupgen}$ is a probabilistic polynomial-time algorithm that takes a security parameter $\lambda$ as input and outputs a triplet $(G, p, g)$, where $G$ is a group of prime order $p$ generated by $g$. We define $\hat{e}: G \times G \to G_1$ to be a bilinear map if it has the following properties [29].
• Bilinear: for all $g \in G$ and $a, b \in \mathbb{Z}_p$, we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$.
• Non-degenerate: $\hat{e}(g, g) \neq 1$.
We say that $G$ is a bilinear group if the group operation in $G$ is efficiently computable and there exists a group $G_1$ and an efficiently computable bilinear map $\hat{e}: G \times G \to G_1$ as above.

Decisional $(q-1)$ Assumption [22]. The decisional $(q-1)$ problem is that for any probabilistic polynomial-time algorithm, given
$$\vec{y} = \Big(\, g,\ g^{s},\ \ g^{a^i},\ g^{b_j},\ g^{s b_j},\ g^{a^i b_j},\ g^{a^i / b_j^2}\ \ \forall (i,j) \in [q,q];\ \ g^{a^i / b_j}\ \ \forall (i,j) \in [2q,q],\ i \neq q+1;\ \ g^{a^i b_j / b_{j'}^2}\ \ \forall (i,j,j') \in [2q,q,q],\ j \neq j';\ \ g^{s a^i b_j / b_{j'}},\ g^{s a^i b_j / b_{j'}^2}\ \ \forall (i,j,j') \in [q,q,q],\ j \neq j' \,\Big),$$
it is difficult to distinguish $(\vec{y},\ \hat{e}(g,g)^{s a^{q+1}})$ from $(\vec{y},\ Z)$, where $g \in G$, $Z \in G_1$ and $a, s, b_1, \dots, b_q \in \mathbb{Z}_p$ are chosen independently and uniformly at random.

2.2 Symmetric Encryption
A symmetric encryption (SE) scheme $SE$ with a key space $\mathcal{K}$ and a message space $\mathcal{M}$ [30] is composed of two algorithms: an encryption algorithm $SE.\mathrm{Enc}(K, m)$ which outputs a ciphertext $CT$ on input a key $K \in \mathcal{K}$ and a message $m \in \mathcal{M}$, and a decryption algorithm $SE.\mathrm{Dec}(K, CT)$ which outputs a message $m$ or a failure symbol $\bot$ on input a key $K \in \mathcal{K}$ and a ciphertext $CT$.

Let $st$ be the state information. A symmetric encryption scheme $SE$ is secure under chosen plaintext attacks (IND-CPA secure) if for any PPT adversary $\mathcal{A} = (\mathcal{A}_1, \mathcal{A}_2)$, the advantage function
$$\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{SE,\mathcal{A}}(\lambda) = \left|\, \Pr\!\left[\, b' = b \ :\ \begin{array}{l} (m_0, m_1, st) \leftarrow \mathcal{A}_1(1^\lambda);\ K \leftarrow \mathcal{K};\ b \leftarrow \{0,1\}; \\ CT \leftarrow SE.\mathrm{Enc}(K, m_b);\ b' \leftarrow \mathcal{A}_2(par, m_0, m_1, st, CT) \end{array} \right] - \frac{1}{2} \,\right|$$
is negligible in $\lambda$.
2.3 Commitment Scheme
A commitment scheme $CMT$ is composed of the following three algorithms [14]: a parameter generation algorithm $\mathrm{CPG}$ which takes a security parameter $\lambda$ as input and outputs the public parameters $cpars$; a committal algorithm $\mathrm{Com}$ which takes the public parameters $cpars$ and data $x$ as input and outputs a commitment $com$ to $x$ along with a decommittal key $dec$; and a deterministic verification algorithm $\mathrm{Ver}$ which takes the public parameters $cpars$, data $x$, a commitment $com$ and a decommittal key $dec$ as input and outputs 1 to indicate that it accepts or 0 to indicate that it rejects.

A commitment scheme should be both binding, which means that the decommit phase can successfully open to only one value, and hiding, which means that the commit phase does not reveal any information about $x$. For $X \in \{\mathrm{Hiding}, \mathrm{Binding}\}$, the advantages
$$\mathrm{Adv}^{X}_{CMT,\mathcal{A}}(\lambda) = 2 \Pr[X^{\mathcal{A}}_{CMT} \Rightarrow \mathrm{true}] - 1$$
referring to the games for the hiding and binding properties in Fig. 1 are negligible in the security parameter $\lambda$.

2.4 Access Structures and Linear Secret Sharing Schemes
We review the notions of access structures and linear secret sharing schemes in [31], [32] as follows.

Definition 1. (Access Structures). Let $\{P_1, \dots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}}$ is monotone if $\forall B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$. A (monotone) access structure is a (monotone) collection $\mathbb{A}$ of non-empty subsets of $\{P_1, \dots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1, \dots, P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, and the sets not in $\mathbb{A}$ are called the unauthorized sets.

Definition 2. (Linear Secret Sharing Schemes). Let $\mathcal{P}$ be a set of parties. Let $M$ be a matrix of size $l \times n$. Let $\rho: \{1, \dots, l\} \to \mathcal{P}$ be a function that maps a row to a party for labeling. Let $p$ be a prime number. A secret sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is a linear secret-sharing scheme (LSSS) over $\mathbb{Z}_p$ if
1) The shares for each party form a vector over $\mathbb{Z}_p$.
2) There exists a matrix $M$ with $l$ rows and $n$ columns, called the share-generating matrix for $\Pi$. For $i = 1, \dots, l$, the $i$-th row of $M$ is labeled by a party $\rho(i)$, where $\rho: \{1, \dots, l\} \to \mathcal{P}$ is a function that maps a row to a party for labeling. Consider the column vector $\vec{v} = (s, r_2, \dots, r_n)$, where $s \in \mathbb{Z}_p$ is the secret to be shared and $r_2, \dots, r_n \in \mathbb{Z}_p$ are randomly chosen; then $M\vec{v}$ is the vector of $l$ shares of the secret $s$ according to $\Pi$. The share $(M\vec{v})_i$ belongs to party $\rho(i)$.

It has been noted in [31] that every LSSS enjoys the linear reconstruction property. Denote by $\Pi$ an LSSS for access structure $\mathbb{A}$. Let $A$ be an authorized set, and define $I \subseteq \{1, \dots, l\}$ as $I = \{i \mid \rho(i) \in A\}$. Then the vector $(1, 0, \dots, 0)$ is in the span of the rows of $M$ indexed by $I$, and there exist constants $\{w_i \in \mathbb{Z}_p\}_{i \in I}$ such that, for any valid shares

Boolean Formulas [31]. Access structures can also be described in terms of monotonic boolean formulas. LSSS access structures are more general, and can be derived from representations as boolean formulas. There are standard techniques to convert any monotonic boolean formula into a corresponding LSSS matrix. The boolean formula can be represented as an access tree, where the interior nodes are AND and OR gates and the leaf nodes correspond to attributes. The number of rows in the corresponding LSSS matrix will be the same as the number of leaf nodes in the access tree.

3 SYSTEM ARCHITECTURE AND SECURITY MODEL
In this section, we describe the system architecture and the formal definition of a ciphertext-policy attribute-based storage system supporting secure deduplication.

3.1 System Architecture
The architecture of our attribute-based storage system with secure deduplication is shown in Fig. 2, in which four entities are involved: data providers, an attribute authority (AA), the cloud and users. A data provider wants to outsource his/her data to the cloud and share it with users possessing certain credentials. The AA issues every user a decryption key associated with his/her set of attributes. The cloud consists of a public cloud which is in charge of data storage and a private cloud which performs certain computations such as tag checking. When sending a file storage request, each data provider first creates a tag $T$ and a label $L$ associated with the data, and then encrypts the data under an access structure over a set of attributes. Also, each data provider generates a proof $pf$ of the relationship between the tag $T$, the label $L$ and the encrypted message $ct$, but this proof is not stored anywhere in the cloud and is only used during the checking phase for a newly generated storage request. After receiving a storage request, the private cloud first checks the validity of the proof $pf$, and then tests the equality of the new tag $T$ with the existing tags in the system. If there is no match for this new tag $T$, the private cloud adds the tag $T$ and the label $L$ to a tag-label list, and forwards the label and the encrypted data, $(L, ct)$, to the public cloud for storage. Otherwise, let $ct'$ be the ciphertext whose tag matches the new tag and $L'$ be the label associated with $ct'$; then the private cloud proceeds as follows.
• If the access policy in $ct$ is a subset of that in $ct'$, the private cloud simply discards the new storage request; else, if the access policy in $ct'$ is a subset of that in $ct$, the private cloud asks the public cloud to replace the stored pair $(L', ct')$ with the new pair $(L, ct)$, where $L = L'$.
• If the access policies in $ct$ and $ct'$ are not mutually contained, the private cloud runs the ciphertext regeneration algorithm to yield a new ciphertext for the same underlying plaintext file and associated with an
Game $\mathrm{Hiding}_{CMT}$:
  proc Initialize: $cpars \leftarrow \mathrm{CPG}(1^\lambda)$; $b \leftarrow \{0,1\}$; Return $cpars$
  proc LR$(x_0, x_1)$: $(com, dec) \leftarrow \mathrm{Com}(cpars, x_b)$; Return $com$
  proc Finalize$(b')$: Return $(b' = b)$

Game $\mathrm{Binding}_{CMT}$:
  proc Initialize: $cpars \leftarrow \mathrm{CPG}(1^\lambda)$; Return $cpars$
  proc Finalize$(com, x_0, dec_0, x_1, dec_1)$: $d_0 \leftarrow \mathrm{Ver}(cpars, x_0, com, dec_0)$; $d_1 \leftarrow \mathrm{Ver}(cpars, x_1, com, dec_1)$; Return $(x_0 \neq x_1 \wedge d_0 = 1 \wedge d_1 = 1)$

Fig. 1: Game $\mathrm{Hiding}_{CMT}$ (left) defines the hiding property and Game $\mathrm{Binding}_{CMT}$ (right) defines the binding property. Note that LR can only be called once.

...structures, and forwards the original label and the resulting ciphertext to the public cloud.

At the user side, each user can download an item and decrypt the ciphertext with the attribute-based private key generated by the AA if this user's attribute set satisfies the access structure. Each user checks the correctness of the decrypted message using the label, and accepts the message if it is consistent with the label.

3.2 Framework
Our ciphertext-policy attribute-based storage system with secure deduplication consists of the following algorithms: a setup algorithm Setup, an attribute-based private key generation algorithm KeyGen, an encryption algorithm Encrypt, a validity testing algorithm Validity-Test, an equality testing algorithm Equality-Test, a re-encryption algorithm Re-encrypt and a decryption algorithm Decrypt.
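The conversion from a monotone boolean formula to an LSSS matrix that Section 2.4 refers to, the linear reconstruction property of Definition 2, and the comparison of access policies that the private cloud performs on a duplicate tag in Section 3.1, as an added Python example that is not code from the paper. It assumes a toy modulus P, policies written as nested ("AND", ...)/("OR", ...) tuples over attribute names, and a brute-force comparison of the authorized attribute sets over a small attribute universe (the paper speaks of one policy being a "subset" of another without fixing how that is decided); the policies and attribute names are constructed.

```python
import random
from itertools import combinations

# Added example (not code from the paper): monotone boolean formula -> LSSS
# matrix (the standard AND/OR vector labelling), share generation, linear
# reconstruction, and the Section 3.1 case split of the private cloud.
# P, the policies and the attribute universe are toy values for illustration.
P = 2**61 - 1  # assumed toy prime modulus for Z_p


def lsss_matrix(policy):
    """policy: an attribute name, or ("AND", c1, c2, ...) / ("OR", c1, c2, ...).
    Returns (M, rho): M is an l x n matrix over Z_p with one row per leaf of the
    access tree and rho[i] is the attribute labelling row i."""
    rows, rho, width = [], [], [1]          # width[0]: current vector length n

    def walk(node, vec):
        if isinstance(node, str):            # leaf: emit the row for this attribute
            rows.append(vec)
            rho.append(node)
            return
        gate, children = node[0], node[1:]
        if gate == "OR":                     # OR: every child inherits the vector
            for child in children:
                walk(child, vec)
        elif gate == "AND":                  # k-ary AND as a chain of binary ANDs
            cur = vec
            for child in children[:-1]:
                c = width[0]
                left = cur + [0] * (c - len(cur)) + [1]   # v | 1
                right = [0] * c + [-1]                    # 0 ... 0 | -1
                width[0] = c + 1
                walk(child, left)
                cur = right
            walk(children[-1], cur)
        else:
            raise ValueError("unknown gate %r" % (gate,))

    walk(policy, [1])
    n = width[0]
    M = [[x % P for x in row + [0] * (n - len(row))] for row in rows]
    return M, rho


def share(M, s, rng=None):
    """Shares lambda_i = M_i . v for v = (s, y_2, ..., y_n) with fresh random y_j."""
    rng = rng or random.SystemRandom()
    v = [s % P] + [rng.randrange(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def solve_mod(A, b):
    """One solution x of A x = b over Z_p by Gauss-Jordan elimination, or None."""
    m, k = len(A), len(A[0])
    aug = [[x % P for x in row] + [y % P] for row, y in zip(A, b)]
    pivots, r = [], 0
    for c in range(k):
        piv = next((i for i in range(r, m) if aug[i][c]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append((r, c))
        r += 1
    if any(aug[i][k] for i in range(r, m)):
        return None                          # inconsistent: b not in the column span
    x = [0] * k
    for row, col in pivots:
        x[col] = aug[row][k]
    return x


def reconstruction_coeffs(M, rho, attrs):
    """Constants {w_i} with sum_i w_i M_i = (1, 0, ..., 0) over the rows labelled
    by attrs, or None when attrs is an unauthorized set."""
    I = [i for i, a in enumerate(rho) if a in attrs]
    if not I:
        return None
    n = len(M[0])
    A = [[M[i][c] for i in I] for c in range(n)]      # n equations, |I| unknowns
    w = solve_mod(A, [1] + [0] * (n - 1))
    return None if w is None else dict(zip(I, w))


def reconstruct(M, rho, shares, attrs):
    """Linear reconstruction: sum_i w_i lambda_i = s for an authorized set."""
    w = reconstruction_coeffs(M, rho, attrs)
    return None if w is None else sum(wi * shares[i] for i, wi in w.items()) % P


def satisfies(policy, attrs):
    M, rho = lsss_matrix(policy)
    return reconstruction_coeffs(M, rho, attrs) is not None


def private_cloud_decision(new_policy, stored_policy, universe):
    """Section 3.1 case split for a duplicate tag, comparing the two policies'
    authorized sets by brute force (assumption: the universe is small)."""
    subsets = [frozenset(c) for k in range(len(universe) + 1)
               for c in combinations(sorted(universe), k)]
    new_auth = {S for S in subsets if satisfies(new_policy, S)}
    old_auth = {S for S in subsets if satisfies(stored_policy, S)}
    if new_auth <= old_auth:
        return "discard"       # stored ciphertext already serves every new reader
    if old_auth <= new_auth:
        return "replace"       # new ciphertext serves every existing reader too
    return "regenerate"        # neither contains the other: re-encrypt for both
```

The labelling follows the usual access-tree rule: the root carries (1), an OR gate passes its vector to every child, and an AND gate with current vector v and counter c gives one child v|1 and the other (0, ..., 0, -1) of length c+1, so the shares of the AND's children sum to the parent's share and no proper subset of them does. Reconstruction solves sum_i w_i M_i = (1, 0, ..., 0) over the rows an attribute set owns; for an unauthorized set the system is inconsistent, which is exactly the condition under which the LSSS leaks nothing about s.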
Re-encrypt$(pars, sk_T, (L, ct), \mathbb{A}') \to (L, ct')$. Taking the public parameter $pars$, the trapdoor key $sk_T$, a label and ciphertext pair $(L, ct)$ and an access structure $\mathbb{A}'$ as input, this re-encryption algorithm outputs a new ciphertext $ct'$ associated with $\mathbb{A}'$ and sharing the same label $L$ as the ciphertext $ct$. This algorithm is run by the private cloud.

Decrypt$(pars, (L, ct), \mathbb{A}, sk_A) \to M/\bot$. Taking the public parameter $pars$, a label and ciphertext pair $(L, ct)$ and an attribute-based private key $sk_A$ associated

IND-CPA Security. Denote our attribute-based storage system with secure deduplication by $\Pi$. The definition of selective IND-CPA security with respect to the public cloud in $\Pi$ is given in Fig. 3, where algorithm $\mathcal{A}$ is restrained from issuing queries to the key generation oracle on attribute sets satisfying either of the challenge access structures $\mathbb{A}_0$ and $\mathbb{A}_1$.

An attribute-based storage system with secure deduplication $\Pi$ is IND-CPA secure if the advantage function referring to the security game $\mathrm{Game}^{\mathrm{IND}}_{\Pi,\mathcal{A}}$
Security game for selective IND-CPA: Security game for PRV-CDA:
IND PRV
Game Game
;A ;A
0 0
Return b = b Return b = b
Fig. 3: Security game for selective IND-CPA (left) and PRV-CDA (right), where st is information collected by the adversary.
5 n
cation, analyze its security, and show its performance from
( , y2, :::,
theoretical and experimental analysis.
yn) 2 Zp , of which the values will be
used to share the encryption exponent . For i = !
4.1 Construction 1, :::, l, it calculates vi = v Mi, where Mi is the vector
Let SE = (SE.Enc, SE.Dec) be a symmetric encryption corresponding to the i-th row of the matrix
scheme with a message space M and a key space K. On
the basis of the large universe CP-ABE scheme proposed 5. In addition, if is set to be H( ; M) where H is a hash function
in [22], below we present an attribute-based storage system mapping the input to an element from Zp , then the proposed scheme
with secure deduplication. can achieve the IND-CCA security in the random oracle model, which
is the generic transformation technology from IND-CPA security to IND-
CCA security proposed in [30].
2332-7790 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information:
DOI 10.1109/TBDATA.2017.2656120, IEEE Transactions on Big Data
Eg
i i2[1;l]
A
JOURNAL OF L TEX CLASS FILES, VOL. , NO. , MONTH 2016
It is straightforward to see that the distribution of
0 0 0 0 0 0 0 0 0
L , ((M , ), E , B , C , fCi , Di , Ei gi02[1;l0]) is
M. In addition, it randomly chooses $\cdot \in G_1$, $z_1, \ldots, z_l \in Z_p$, and computes

$U = g^{f(M)}$, $L = g_1^{f_1(M)} h^{f_0(\cdot)}$, $E = \mathrm{SE.Enc}(F(\cdot); M)$, $B = g^{\cdot}$, $C = \cdot\, \hat{e}(g, g)^{\cdot}$,

$\forall i \in [1, l]$: $C_i = w^{v_i} v^{z_i}$, $D_i = g^{z_i}$, $E_i = (u^{\cdot(i)} h)^{z_i}$,

$\mathrm{PoK}\{(M, \cdot) : U = B^{f(M)} \wedge L = g_1^{f_1(M)} h^{f_0(\cdot)}\}$.

It outputs a trapdoor key $sk_T = w^{\cdot}$, and a tuple of tag, label, ciphertext and proof $CT = (T, L, ct, pf)$ where $T = (U, B)$, $ct = ((M, \cdot), E, B, C, \{(C_i, D_i, E_i)\}_{i \in [1, l]})$, and $pf$ is a zero-knowledge proof of knowledge (PoK) for the equality of $\cdot$ in $U, B$ and $f(M)$ in $U, L$ without leaking the values of $\cdot$, $M$ and $\cdot$. Here PoK is a zero-knowledge proof composed of $(U, B, L, \cdot_1, \cdot_2)$ and can be computed as follows. It randomly chooses $d_1, d_2 \in Z_p$, and computes

$R_1 = B^{d_1}$, $R_2 = g_1^{d_1} h^{d_2}$, $c = H(U, B, L, R_1, R_2)$, $\cdot_1 = d_1 - c\, f_1(M)$, $\cdot_2 = d_2 - c\, f_0(\cdot)$.

Note that according to the binding property of the commitment scheme [14], each L can only be obtained from a unique pair of M and $\cdot$, which guarantees the consistency of the ciphertext stored by the public cloud.
Validity-Test. This algorithm takes the public parameter pars and a ciphertext CT as the input. To test the validity of the ciphertext, it computes

$R_1 = U^{c} B^{\cdot_1}$, $R_2 = L^{c} g_1^{\cdot_1} h^{\cdot_2}$.

If $c = H(U, B, L, R_1, R_2)$, it accepts CT, and stores $L, ((M, \cdot), E, B, C, \{C_i, D_i, E_i\}_{i \in [1, l]})$ to the public cloud. Otherwise, it rejects CT.
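The tag, label and proof generation of the Encrypt algorithm together with the private cloud's Validity-Test, as an added example (not the paper's or Charm code) in Python over a toy discrete-log group. It assumes that f0, f1 and H are modelled as SHA-256, that the generators g, g1, h are fixed constants, that the challenge c travels inside pf, and it omits the pairing-based Equality-Test, which needs a bilinear map.

```python
"""Tag T = (U, B), label L and proof pf from Encrypt, plus Validity-Test.
Added example; not code from the paper. Equality-Test is not modelled."""
import hashlib
import secrets

# Constructed demo group: Z_p^* for the Mersenne prime p = 2^127 - 1, so all
# exponents are taken modulo p - 1. The paper uses a prime-order bilinear
# group; this toy group only serves to show the proof algebra.
P = (1 << 127) - 1
ORDER = P - 1
# Generators g, g1, h of the paper, fixed here (assumption); a real setup
# derives g1 and h so that no discrete-log relation between them is known.
G, G1, H = 3, 5, 7


def _hash_to_exp(*parts):
    """Length-prefixed SHA-256 of all parts, reduced into the exponent group.
    Models the paper's H (and, with a domain tag, f0 and f1)."""
    digest = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else str(part).encode()
        digest.update(len(data).to_bytes(4, "big") + data)
    return int.from_bytes(digest.digest(), "big") % ORDER


def f1(message):
    """f1: message -> Z_p (assumed hash-based; not defined on this page)."""
    return _hash_to_exp(b"f1", message)


def f0(randomness):
    """f0: commitment randomness -> Z_p (same assumption as f1)."""
    return _hash_to_exp(b"f0", randomness)


def make_tag_label_proof(message, rand_below=secrets.randbelow):
    """Data provider side: B = g^beta, U = B^{f1(M)}, L = g1^{f1(M)} h^{f0(r)},
    and the Schnorr-style PoK of the paper: R1 = B^{d1}, R2 = g1^{d1} h^{d2},
    c = H(U, B, L, R1, R2), sigma1 = d1 - c f1(M), sigma2 = d2 - c f0(r)."""
    beta = rand_below(ORDER - 1) + 1
    r = rand_below(ORDER)                  # randomness of the commitment L
    x, y = f1(message), f0(r)
    B = pow(G, beta, P)
    U = pow(B, x, P)                        # equals g^{beta f1(M)}
    L = pow(G1, x, P) * pow(H, y, P) % P
    d1, d2 = rand_below(ORDER), rand_below(ORDER)
    R1 = pow(B, d1, P)
    R2 = pow(G1, d1, P) * pow(H, d2, P) % P
    c = _hash_to_exp(U, B, L, R1, R2)
    sigma1 = (d1 - c * x) % ORDER
    sigma2 = (d2 - c * y) % ORDER
    return (U, B), L, (c, sigma1, sigma2)


def validity_test(tag, label, proof):
    """Private cloud side: recompute R1 = U^c B^{sigma1} and
    R2 = L^c g1^{sigma1} h^{sigma2}, accept iff c = H(U, B, L, R1, R2).
    M, beta and r never leave the data provider."""
    U, B = tag
    c, sigma1, sigma2 = proof
    R1 = pow(U, c, P) * pow(B, sigma1, P) % P
    R2 = pow(label, c, P) * pow(G1, sigma1, P) * pow(H, sigma2, P) % P
    return c == _hash_to_exp(U, B, label, R1, R2)
```

A label, tag or response altered in transit changes the recomputed R1 or R2, so the challenge no longer matches and the private cloud rejects the upload.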
Equality-Test. This algorithm takes the public parameter pars and two tags $(U_1, B_1)$ and $(U_2, B_2)$ of the outsourced data as input. It outputs 1 if $\hat{e}(U_1, B_2) = \hat{e}(U_2, B_1)$. Otherwise, it outputs 0.
Re-encrypt. This algorithm takes the public parameter pars, a trapdoor key $sk_T$, a ciphertext $((M, \cdot), E, B, C, \{(C_i, D_i, E_i)\})$ with a label L and an LSSS access structure $(M', \cdot)$ where the function $\cdot$ associates the rows of $M'$ to attributes as the input. Let $M'$ be an $l' \times n'$ matrix. It randomly chooses $\vec{v}' = (\cdot, y'_2, \ldots, y'_{n'}) \in Z_p^{n'}$. For each row $M'_{i'} = (m'_{i'1}, \ldots, m'_{i'n'})$ of $M'$ where $i' \in [1, l']$, it randomly chooses $z'_{i'} \in Z_p$. Let $\vec{v}' = (\,\cdot\,, y'_2, \ldots, y'_{n'})$, where $\cdot = \cdot + \cdot$ for $\cdot$. For $i' \in [1, l']$, it outputs the new ciphertext as

$B' = B\, g^{\cdot}$, $L' = L$, $E' = E$, $C' = C\, \hat{e}(g, g)^{\cdot}$,

$C'_{i'} = w^{M'_{i'} \cdot \vec{v}'} v^{z'_{i'}}$, $D'_{i'} = g^{z'_{i'}}$, $E'_{i'} = (u^{\cdot(i')} h)^{z'_{i'}}$,

where $C'_{i'}$ can be computed as follows without knowing the values of $\cdot$ and $e$:

$C'_{i'} = w^{M'_{i'} \cdot \vec{v}'} v^{z'_{i'}} = w^{\cdot\, m'_{i'1} + \cdots + y'_{n'} m'_{i'n'}} v^{z'_{i'}} = w^{\cdot\, m'_{i'1}}\, w^{(\cdot\, m'_{i'1} + \cdots + y'_{n'} m'_{i'n'})} v^{z'_{i'}}.$
consistent with that outputted by the encryption algorithm Encrypt(pars, M, $(M', \cdot)$).

Decrypt. This algorithm takes the public parameter pars, a ciphertext $((M, \cdot), E, B, C, \{C_i, D_i, E_i\})$ with the corresponding label L and a private key $sk_A$ for an attribute set A as the input. Suppose that an attribute set A satisfies the access structure $(M, \cdot)$. Define I as $I = \{i : \cdot(i) \in A\}$. Denote by $\{w_i \in Z_p\}_{i \in I}$ a set of constants such that if $\{v_i\}$ are valid shares of any secret according to

Remarks. Note that a similar idea for ciphertext regeneration has been put forward by Lai et al. [34], but in their method, the trapdoor key is created by the AA and can be used to transform any ciphertext over one access policy

8. $(U_1, B_1)$ and $T_2 = (U_2, B_2)$ are created by the encryption scheme on the same underlying message M, then $\hat{e}(U_1, B_2) = \hat{e}(g^{f_1(M)\,\cdot_1}, g^{\cdot_2}) = \hat{e}(g, g)^{f_1(M)\,\cdot_1 \cdot_2}$; $\hat{e}(U_2, B_1) = \hat{e}(g^{f_1(M)\,\cdot_2}, g^{\cdot_1}) = \hat{e}(g, g)^{f_1(M)\,\cdot_1 \cdot_2}$. Thus, $\hat{e}(U_1, B_2) = \hat{e}(U_2, B_1)$ as required.
Then $(\cdot, M)$ can be extracted from

$U = B^{f_1(M)} = B^{\cdot}$

Then it sets $c = H(U, B, L, R_1, R_2)$.

Next, we prove that the proposed storage system preserves the privacy of the encrypted data in terms of public

SE is a secure symmetric encryption scheme and L is

$(b \in \{0, 1\})$ from the message space, and then it randomly chooses $c, y_2, \ldots, y_n \in Z_p$, and sets $\vec{v} = (c, y_2, \ldots, y_n)$,

$C_i = w^{M_i \cdot \vec{v}} v^{z_i}$, $D_i = g^{z_i}$, $E_i = (u^{\cdot(i)} h)^{z_i}$,

where for $i \in [1, l]$, $C_i$ can be computed as follows without

$= (w^{c})^{m_{i1}}\, w^{(y_2 m_{i2} + \cdots + y_n m_{in})} v^{z_i}$
TABLE 1: Comparison of storage complexity between the CP-ABE based scheme [22] and our storage system.

                               System public   System master   Public Cloud:          Private Cloud:   User
                               parameter       private key     label and ciphertext   tag and label    private key
                               |pars|          |msk|           |ct| + |L|             |T| + |L|        |sk|
CP-ABE [22]                    6               1               3l + 2 + |A|           -                2k + 2
The proposed storage system    10              1               3l + 5 + |A|           3                2k + 2
private key, the ciphertext, the label, the tag, the decryption key and the access structure, respectively. Denote l by the number of attributes in an access structure, and k by the size of an attribute set ascribed to a user's credentials. Table 1 compares the storage complexity of our system with that in [22]. It is clear that our system is efficient in terms of the introduced storage overhead, which adds to the underlying CP-ABE scheme [22] 4 elements in the system public parameter and 3 elements in the ciphertext stored by the public cloud, with an additional private cloud storing 3 elements.

Let l be the number of attributes presented in an access structure, and k be the size of an attribute set associated with the private key. Denote y by the number of existing tags stored by the private cloud. Table 2 shows the number of exponential and pairing operations in our storage system. For example, it requires at most k + 2 exponential operations and 3k + 1 pairing operations to decrypt a ciphertext. Table 3 compares the computational costs incurred at the data provider, the cloud, and the user for one file storage between the system in [22] and our system. It is not difficult to see that the computational requirement for the user in our system is almost twice that in the underlying CP-ABE scheme in [22]. With regard to the data provider, it requires 4 extra exponential operations resulting from the tag, label, proof and trapdoor key in addition to the computational cost of the underlying scheme in [22] lacking the capability of secure deduplication. In terms of the private cloud, our solution takes 5 + (6l + 2) exponential operations and 2y pairing operations, among which 5 exponential operations are used to check the validity of the proof, 6l + 2 exponential operations are related to the ciphertext regeneration if necessary (see footnote 6) and 2y pairing operations are calculated to check whether the plaintext hidden in the outsourcing request has existed in the public cloud.

TABLE 3: Comparison of computational costs between the underlying scheme [22] and our storage system.

                                 Data Provider   Private Cloud   User
CP-ABE [22]           Expo       5l + 2          -               k
                      Pairing    0               -               3k + 1
Our storage system    Expo       5l + 6          5 + (6l + 2)    k + 2
                      Pairing    0               2y              3k + 1

4.4 Implementation

We implement the algorithms of our storage system in Charm [35] (see footnote 7), which is a framework developed to facilitate rapid prototyping of cryptographic schemes and protocols. Since all Charm routines are designed under the asymmetric groups, our construction is transformed to the asymmetric setting before the implementation. That is, three groups G, Ĝ and G1 are used and the pairing ê is a function from G × Ĝ to G1. Notice that it has been stated in [22] that the underlying assumptions and the security proofs can be converted to the asymmetric setting in a generic way. We use Charm-0.43 and Python 3.4 in our implementation. Along with Charm-0.43, we install the PBC library for the underlying cryptographic operations. Our experiments are run on a laptop with Intel Core i5-4210U CPU @ 1.70GHz and 4.00 GB RAM running 64-bit Ubuntu 16.04.

We simulate the proposed attribute-based storage system with secure deduplication over four different elliptic curves: SS512, MNT159, MNT201 and MNT224, where SS512 is a supersingular elliptic curve with the symmetric Type 1 pairing on it, and the pairings on the other three curves are asymmetric Type 3 pairings. These four curves provide the security level of 80-bit, 80-bit, 100-bit and 112-bit, respectively. Fig. 5 shows the computation complexity of the proposed attribute-based storage system supporting secure deduplication in terms of four algorithms: key generation algorithm KeyGen (Fig. 5-(a)), encryption algorithm Encrypt (Fig. 5-(b)), re-encryption algorithm Re-encrypt (Fig. 5-(c)) and decryption algorithm Decrypt (Fig. 5-(d)). As illustrated in Fig. 5, SS512 has the best performance, while MNT224 has the most expensive computational cost among all the curves. For each curve, the average computation time of key generation increases linearly with the size of the attribute set, whilst the average computation time of encryption and re-encryption grows linearly with the complexity of the access policy. In terms of the four curves used in our experiments, the average computation time of decrypting a ciphertext ranges from 1.60s to 5.80s for a ciphertext with 100 attributes using a private key with 100 attributes. Clearly, the proposed attribute-based storage system with secure deduplication is sufficiently efficient to be applied in practice.

5 DISCUSSION

In this section, we provide further elaboration on the two main techniques we introduced in this paper.

5.1 Adaptable Attribute-Based Encryption

Lai et al. [34] presented a cryptographic primitive called adaptable CP-ABE, where a semi-trusted proxy is introduced into the setting of CP-ABE. The proxy, given a system wide trapdoor key, is able to transform any ciphertext under one access policy into ciphertexts of the same plaintext

6. Recall that ciphertext regeneration is only executed when the access structures associated with the incoming and existing ciphertexts are not mutually compatible.
7. For the explicit information on Charm, please refer to [35].
TABLE 2: Computational overheads in our storage system.

          Tag   Label   Encrypt   Proof   Trapdoor key   Re-encrypt   Validity   Equality   Decrypt
Expo      2     2       5l + 1    3       1              6l + 2       5          0          k + 2
Pairing   0     0       0         0       0              0            0          2y         3k + 1
[Fig. 5: four panels, each plotting time in seconds against the number of attributes (0 to 100), with one curve each for SS512, MNT159, MNT201 and MNT224.]
under any other access policies without learning any information about the plaintext during the process of transformation. However, this method of using a single trapdoor key for all ciphertexts is quite risky, since if the single key is compromised, the security for the system will be totally broken. An adversarial user using the compromised trapdoor key can regenerate a ciphertext into an access structure that his/her attributes satisfy, and thus he/she can obtain the plaintext not intended for him/her. Besides, the trapdoor key in [34] is generated by the AA who already controls the decryption keys in the system, so it is desirable to reduce its power in manipulating the encryption. Unlike that in [34], our technique is one-to-one such that each trapdoor key can only be used to transform its corresponding ciphertext. Therefore, even if at some point a trapdoor key is compromised, the damage is limited to one message. At a high level, our technique brings another way to build adaptable CP-ABE systems from a different point of view.

5.2 Deduplication in Hybrid Cloud
in which the encrypted data is outsourced to the public cloud whilst the deduplication checking is handled by the private cloud.

6 CONCLUSIONS

Attribute-based encryption (ABE) has been widely used in cloud computing where data providers outsource their encrypted data to the cloud and can share the data with users possessing specified credentials. On the other hand, deduplication is an important technique to save the storage space and network bandwidth, which eliminates duplicate copies of identical data. However, the standard ABE systems do not support secure deduplication, which makes them costly to be applied in some commercial storage services. In this paper, we presented a novel approach to realize an attribute-based storage system supporting secure deduplication. Our storage system is built under a hybrid cloud architecture, where a private cloud manipulates the computation and a public cloud manages the storage. The private cloud is provided with a trapdoor key associated with the corresponding ciphertext, with which it can transfer the ciphertext over one access policy into ciphertexts of the same plaintext under any other access policies without being aware of the underlying plaintext. After receiving a storage request, the private cloud first checks the validity of the uploaded item through the attached proof. If the proof is valid, the private cloud runs a tag matching algorithm to see whether the same data underlying the ciphertext has been stored. If so, whenever it is necessary, it regenerates the ciphertext into a ciphertext of the same plaintext over an access policy which is the union set of both access policies. The proposed storage system enjoys two major advantages. Firstly, it can be used to confidentially share data with other users by specifying an access policy rather than sharing the decryption key. Secondly, it achieves the standard notion of semantic security while existing deduplication schemes only achieve it under a weaker security notion.

[6] A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, ser. Lecture Notes in Computer Science, vol. 3494. Springer, 2005, pp. 457–473.
[7] B. Zhu, K. Li, and R. H. Patterson, "Avoiding the disk bottleneck in the data domain deduplication file system," in 6th USENIX Conference on File and Storage Technologies, FAST 2008, February 26-29, 2008, San Jose, CA, USA. USENIX, 2008, pp. 269–282.
[8] M. Bellare, S. Keelveedhi, and T. Ristenpart, "Message-locked encryption and secure deduplication," in Advances in Cryptology - EUROCRYPT 2013, 32nd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Athens, Greece, May 26-30, 2013. Proceedings, ser. Lecture Notes in Computer Science, vol. 7881. Springer, 2013, pp. 296–312.
[9] M. Abadi, D. Boneh, I. Mironov, A. Raghunathan, and G. Segev, "Message-locked encryption for lock-dependent messages," in Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part I, ser. Lecture Notes in Computer Science, vol. 8042. Springer, 2013, pp. 374–391.
[10] S. Keelveedhi, M. Bellare, and T. Ristenpart, "Dupless: Server-aided encryption for deduplicated storage," in Proceedings of the 22nd USENIX Security Symposium, Washington, DC, USA, August 14-16, 2013. USENIX Association, 2013, pp. 179–194.
[11] M. Bellare and S. Keelveedhi, "Interactive message-locked encryption and secure deduplication," in Public-Key Cryptography - PKC 2015 - 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30 - April 1, 2015, Proceedings, ser. Lecture Notes in Computer Science, vol. 9020. Springer, 2015, pp. 516–538.
[12] S. Bugiel, S. Nürnberger, A. Sadeghi, and T. Schneider, "Twin clouds: Secure cloud computing with low latency - (full version)," in Communications and Multimedia Security, 12th IFIP TC 6 / TC 11 International Conference, CMS 2011, Ghent, Belgium, October 19-21, 2011. Proceedings, ser. Lecture Notes in Computer Science, vol. 7025. Springer, 2011, pp. 32–44.
[13] S. Goldwasser, S. Micali, and C. Rackoff, "The knowledge complexity of interactive proof-systems (extended abstract)," in Proceedings of the 17th Annual ACM Symposium on Theory of Computing, May 6-8, 1985, Providence, Rhode Island, USA. ACM, 1985, pp. 291–304.
[14] M. Fischlin and R. Fischlin, "Efficient non-malleable commitment schemes," in Advances in Cryptology - CRYPTO 2000, 20th Annual International Cryptology Conference, Santa Barbara, California, USA, August 20-24, 2000, Proceedings, ser. Lecture Notes in Computer Science, vol. 1880. Springer, 2000, pp. 413–431.
Iceland, July 7-11, 2008, Proceedings, Part II - Track B: Logic, Semantics, and Theory of Programming & Track C: Security and Cryptography Foundations, ser. Lecture Notes in Computer Science, vol. 5126. Springer, 2008, pp. 579–591.
[22] Y. Rouselakis and B. Waters, "Practical constructions and new proof methods for large universe attribute-based encryption," in 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS'13, Berlin, Germany, November 4-8, 2013. ACM, 2013, pp. 463–474.
[23] J. R. Douceur, A. Adya, W. J. Bolosky, D. Simon, and M. Theimer, "Reclaiming space from duplicate files in a serverless distributed file system," in ICDCS, 2002, pp. 617–624.
[24] M. W. Storer, K. M. Greenan, D. D. E. Long, and E. L. Miller, "Secure data deduplication," in Proceedings of the 2008 ACM Workshop On Storage Security And Survivability, StorageSS 2008, Alexandria, VA, USA, October 31, 2008. ACM, 2008, pp. 1–10.
[25] P. Anderson and L. Zhang, "Fast and secure laptop backups with encrypted de-duplication," in Uncovering the Secrets of System Administration: Proceedings of the 24th Large Installation System Administration Conference, LISA 2010, San Jose, CA, USA, November 7-12, 2010. USENIX Association, 2010.
[26] A. Rahumed, H. C. H. Chen, Y. Tang, P. P. C. Lee, and J. C. S. Lui, "A secure cloud backup system with assured deletion and version control," in 2011 International Conference on Parallel Processing Workshops, ICPPW 2011, Taipei, Taiwan, Sept. 13-16, 2011. IEEE Computer Society, 2011, pp. 160–167.
[27] P. Puzio, R. Molva, M. Önen, and S. Loureiro, "Cloudedup: Secure deduplication with encrypted data for cloud storage," in IEEE 5th International Conference on Cloud Computing Technology and Science, CloudCom 2013, Bristol, United Kingdom, December 2-5, 2013, Volume 1. IEEE Computer Society, 2013, pp. 363–370.
[28] J. Stanek, A. Sorniotti, E. Androulaki, and L. Kencl, "A secure data deduplication scheme for cloud storage," in Financial Cryptography and Data Security - 18th International Conference, FC 2014, Christ Church, Barbados, March 3-7, 2014, Revised Selected Papers, ser. Lecture Notes in Computer Science, vol. 8437. Springer, 2014, pp. 99–118.
[29] D. Boneh and M. Franklin, "Identity-based encryption from the Weil pairing," in CRYPTO, ser. Lecture Notes in Computer Science, vol. 2139. Springer-Verlag, 2001, pp. 213–219.
[30] E. Fujisaki and T. Okamoto, "Secure integration of asymmetric and symmetric encryption schemes," J. Cryptology, vol. 26, no. 1, pp. 80–101, 2013.
[31] A. B. Lewko and B. Waters, "Decentralizing attribute-based encryption," in Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, ser. Lecture Notes in Computer Science, vol. 6632. Springer, 2011, pp. 568–588.
[32] B. Waters, "Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization," in Public Key Cryptography - PKC 2011 - 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, March 6-9, 2011. Proceedings, ser. Lecture Notes in Computer Science, vol. 6571. Springer, 2011, pp. 53–70.
[33] A. Beimel, "Secure schemes for secret sharing and key distribution," Ph.D. dissertation, Israel Institute of Technology, June 1996.
[34] J. Lai, R. H. Deng, Y. Yang, and J. Weng, "Adaptable ciphertext-policy attribute-based encryption," in Pairing-Based Cryptography - Pairing 2013 - 6th International Conference, Beijing, China, November 22-24, 2013, Revised Selected Papers, ser. Lecture Notes in Computer Science, vol. 8365. Springer, 2013, pp. 199–214.
[35] J. A. Akinyele, C. Garman, I. Miers, M. W. Pagano, M. Rushanan, M. Green, and A. D. Rubin, "Charm: a framework for rapidly prototyping cryptosystems," J. Cryptographic Engineering, vol. 3, no. 2, pp. 111–128, 2013.

Hui Cui received her Ph.D. degree in the School of Computing and Information Technology, University of Wollongong, Australia. She is currently a postdoctoral research fellow in the Secure Mobile Centre under the School of Information Systems, Singapore Management University, Singapore. Her research interests include cryptography, applied cryptography, cloud security and so on.

Robert H. Deng has been a Professor at the School of Information Systems, Singapore Management University since 2004. Prior to this, he was Principal Scientist and Manager of Infocomm Security Department, Institute for Infocomm Research, Singapore. His research interests include data security and privacy, multimedia security, network and system security. He has served/is serving on the editorial boards of many international journals in security, such as IEEE Transactions on Information Forensics and Security, IEEE Transactions on Dependable and Secure Computing, the International Journal of Information Security, and IEEE Security and Privacy Magazine. He is the chair of the Steering Committee of the ACM Asia Conference on Computer and Communications Security (ASIACCS). He received the University Outstanding Researcher Award from the National University of Singapore in 1999 and the Lee Kuan Yew Fellow for Research Excellence from the Singapore Management University in 2006. He was named Community Service Star and Showcased Senior Information Security Professional by (ISC)2 under its Asia-Pacific Information Security Leadership Achievements program in 2010. He is the Fellow of IEEE.

Yingjiu Li is currently an Associate Professor in the School of Information Systems at Singapore Management University (SMU). His research interests include RFID Security and Privacy, Mobile and System Security, Applied Cryptography and Cloud Security, and Data Application Security and Privacy. He has published over 130 technical papers in international conferences and journals, and served in the program committees for over 80 international conferences and workshops. Yingjiu Li is a senior member of the ACM and a member of the IEEE Computer Society. The URL for his web page is http://www.mysmu.edu/faculty/yjli/.

Guowei Wu is a master student in the Department of Computer Science, Jinan University, Guangzhou. He is also a visiting student in the School of Information Systems, Singapore Management University, Singapore.