A cloud data sharing scheme by using SM2 ring signature-based broadcast encryption

Cloud computing is an emerging computing paradigm that can provide storage resources and computing capacities services over the Internet. However, some new security issues arise when users' sensitive data are outsourced and shared in un- trusted cloud. The traditional techniques to protect the confidentiality of sensitive data stored in cloud are encryption and related cryptographic tools. And the correspond- ing private keys to access and decrypt the files are disclosed to only authorized users. However, these traditional solutions are not scalable because the computational cost of encryption and other access control is heavy for devices with limited computation ability. In this paper, we present a new way to implement scalable and fine-grained access control systems, which can be applied for big data in untrusted cloud computing en- vironment. The solution is based on symmetric, efficient broadcast encryption and fine-grained attribute-based encryption (ABE). In this access control system, users are able to join and revoked with broadcast encryption. An outsourced Hierarchical ABE scheme is first proposed in this paper to construct the access control system. The security analysis is also presented under the security model.

Searchable Encryption (SE) schemes provide security and privacy to the cloud data. The existing SE approaches enable multiple users to perform search operation by using various schemes like Broadcast Encryption (BE), Attribute-Based Encryption (ABE), etc. However, these schemes do not allow multiple users to perform the search operation over the encrypted data of multiple owners. Some SE schemes involve a Proxy Server (PS) that allow multiple users to perform the search operation. However, these approaches incur huge computational burden on PS due to the repeated encryption of the user queries for transformation purpose so as to ensure that users' query is searchable over the encrypted data of multiple owners. Hence, to eliminate this computational burden on PS, this paper proposes a secure proxy server approach that performs the search operation without transforming the user queries. This approach also returns the top-k relevant documents to the user queries by using Euclidean distance similarity approach. Based on the experimental study, this approach is efficient with respect to search time and accuracy.

The cloud computing is the advancement to shared volume of information through the network. There are lots of techniques that are used to providing security for data in cloud. But current techniques are not as better related to the ciphertext. So here, we propose information gathering, sharing and restrictive distribution plan with multi-owner privacy preserving in cloud. Here, data owner can impart private information to group of clients through cloud in secure manner with identity-based broadcast encryption (IBBE) technique.

E-governance can be implemented very effectively using the cloud computing technologies. Security and privacy of data are the major challenges in cloud-based e-governance systems. With proper access control and user revocation schemes, we can protect the privacy and security of data stored in cloud servers used for e-governance. There are a lot of techniques to achieve the controlled access in cloud computing. In some applications of e-government, the users should be allowed to access data, only for a specific period of time. In this paper, we introduce a temporal access control scheme based on attribute-based encryption (ABE), which allows users to access the data according to their access policy and for a specific time period only. Our model includes both the temporal access scheme and a time-based proxy re-encryption scheme to allow a user's access right to expire automatically.

E-governance can be implemented very effectively using the cloud computing technologies. Security and privacy of data are the major challenges in cloud-based e-governance systems. With proper access control and user revocation schemes, we can protect the privacy and security of data stored in cloud servers used for e-governance. There are a lot of techniques to achieve the controlled access in cloud computing. In some applications of e-government, the users should be allowed to access data, only for a specific period of time. In this paper, we introduce a temporal access control scheme based on attribute-based encryption (ABE), which allows users to access the data according to their access policy and for a specific time period only. Our model includes both the temporal access scheme and a time-based proxy re-encryption scheme to allow a user's access right to expire automatically.

Storing only one unique copy of the same cloud data and guaranteeing its integrity are two main goals for cloud storage auditing and deduplication schemes. In such schemes, data owners can firmly believe the data integrity by periodically auditing and the cloud server can save lots of storage space by exploiting the duplication techniques. However, when a data owner deletes or modifies his outsourced data, he should lose the ownership for the original data and should not be able to successfully retrieve this data any more. For all we know, existing cloud storage auditing and deduplication literatures fail to support the modifications of ownership, which actually occur quite often in actual cloud storage scenarios. In this paper, we propose the first deduplicated data integrity auditing scheme supporting the ownership modification. It guarantees the integrity of the outsourced data and supports the dynamic access control over the outsourced data. We employ a re-encryption algorithm and the secure identity-based broadcast encryption technology, which prevent data from being disclosed to the revoked owners, even if they previously had prior ownership of these data. The security and efficiency of our proposed scheme have been validated by detailed analysis and experiments.

In ESORICS2014, Liang et al. proposed an efficient cloud-based revocable identity-based proxy re-encryption scheme for public clouds data sharing, aimed at both supporting user revocation and delegation of decryption rights. The main strategy is to let the cloud periodic re-encrypt ciphertexts under the current time period to the next time period. If the user is revoked in the forth coming time period, he cannot decrypt the ciphertexts by using the expired private key anymore. Compared with traditional revocation technique by using PKG, this method has the advantage of computation and communication efficiency. However, in this paper we show an attack which allow the revoked user can decrypt the ciphertexts under the future time period, if the revoked users colludes with the proxy. Although cloud-based revocable identity based proxy re-encryption is a great idea for public cloud storage sharing, it needs further research before this scheme can be practically adapted.

With the rapid development of cloud computing, an increasing number of individuals and organizations are sharing data in the public cloud. To protect the privacy of data stored in the cloud, a data owner usually encrypts his data in such a way that certain designated data users can decrypt the data. This raises a serious problem when the encrypted data needs to be shared to more people beyond those initially designated by the data owner. To address this problem, we introduce and formalize an identity-based encryption transformation (IBET) model by seamlessly integrating two well-established encryption mechanisms, namely identity-based encryption (IBE) and identity-based broadcast encryption (IBBE). In IBET, data users are identified and authorized for data access based on their recognizable identities, which avoids complicated certificate management in usual secure distributed systems. More importantly, IBET provides a transformation mechanism that converts an IBE ciphertext into an IBBE ciphertext so that a new group of users not specified during the IBE encryption can access the underlying data. We design a concrete IBET scheme based on bilinear groups and prove its security against powerful attacks. Thorough theoretical and experimental analyses demonstrate the high efficiency and practicability of the proposed scheme.

In cloud storage systems, data outsourcing and untrusted service providers make data‐access control become a challenging issue because traditional technologies always consider service providers as a fully trusted party. Ciphertext‐policy attribute‐based encryption (CP‐ABE) shows particular advantages in this setting because this encryption gives the data owner a direct control on data‐access policies. However, malicious users in traditional CP‐ABE systems may leak their decryption keys in the form of a decryption device/blackbox with little risk of getting caught because no one (including the key authorities) can reveal them. This issue has become a major practicality concern in many data outsourcing applications (e.g., financial and healthcare systems) where the preservation of privacy with regard to sensitive data is critical. To address this problem, blackbox traceable CP‐ABE leveraged the “traitor tracing” property of broadcast encryption to identify these malicious users. However, the size of the keys and ciphertexts in the blackbox traceable CP‐ABE depends on the number of users. In this paper, we introduce an accumulator‐based encryption (ACC‐ENC), which can be integrated with conventional non‐traceable CP‐ABE‐based data‐access control to achieve an additional blackbox traceability feature without sacrificing performance (just adds elements to the ciphertext and the public key). We first formally define the model of ACC‐ENC and present a concrete construction that is proven fully secure; then, we illustrate applying ACC‐ENC to obtain CP‐ABE‐based data‐access control with blackbox traceability for cloud storage. Performance evaluation shows that additional computation costs of the proposition are very low compared to the original scheme. Copyright © 2015 John Wiley & Sons, Ltd.

This survey focuses on the cryptographic access control technique, attribute-based encryption (ABE), its applications and future directions. Since its inception, there has been a tremendous interest in applying this technique to solve various problems related to access control. Significant research efforts have been devoted to design efficient constructions and operational parameters to suit various applications. The main functionality of ABE is to enforce cryptographic access control with help of policies specified over a set of system defined attributes. A key generator maps the attributes, in an access policy, into encryption and decryption keys for a resource access request. ABE is categorized into Key-Policy ABE (KP-ABE) and Cipher-text Policy ABE (CP-ABE), depending on the approach used to map the attributes to the encryption and decryption keys. Implementations of ABE have relied on mathematical primitives such as elliptic curves, pairing functions, generalized secret sharing notions and on the hardness of problems like computing discrete logarithm and computational Diffie-Hellman problem over elliptic curves. As they are essentially public-key systems, these schemes are usually proven secure under the semantically secure adaptive chosen cipher-text attack (IND-CCA). ABE has been utilized in solving a number of problems in different application domains including network privacy, broadcast encryption for on-demand television programming, health data access control, cloud security, and verifiable computation. In this survey, we discuss the evolution of ABE, covering significant developments in this area, the applications of ABE across various domains, and the future directions for ABE.

The outsourcing of data into the cloud inherently requires a mechanism to control the access capability of the users and the cloud providers. This mechanism requires efficient cryptographic primitives to achieve fine grained access control of data, proof of storage, and revocation of the authorization. In this paper, we present a secure cloud data storage architecture with the features of dynamic user construction, revocation of the authorization, and proof of storage. In the proposed architecture, we used attribute based broadcast encryption, attribute based access control, and proxy re-encryption to achieve an efficient solution.

In a revocable broadcast encryption scheme, the group manager can flexibly set revoked users who cannot decrypt the ciphertext. Many applications of the revocable broadcast encryption have been found in the secure cloud data sharing. An adaptively secure revocable broadcast encryption system with constant ciphertext and private key size under standard assumptions is more suitable for use in the cloud environment. Few existing revocable broadcast encryption schemes meet such a requirement. We propose a revocable broadcast encryption scheme with constant size ciphertext and private key by combining the RSA cryptographic accumulator with an efficient identity based encryption system. We prove it to be adaptively secure under standard assumptions using dual system encryption techniques.

Internet of Things (IoT) and cloud computing are separate emerging paradigms, which are both an indispensable part of numerous ubiquitous devices that are connected to our life via the Internet. Their enactment and effectiveness are presumed to be more and more pervasive, making them essential ingredients of the Future Internet. Cloud data broadcast system is a novel framework where the advancement of both cloud and IoT is merged and becomes an enabler of a vast number of application scenarios. A data broadcast system with simultaneous individual messaging, aka broadcast encryption with personalized messages (BEPM), outsources not only a common encrypted message to a group of consumers but also encrypted personalized messages to individual consumers of the cloud server. Currently available BEPM are not secure against social engineering attacks, which means information of subscribed consumers is available to enemies. In this article, we present a new cloud data broadcast paradigm, called anonymous cloud data broadcast system with simultaneous individual messaging, in which anonymity of subscribed consumers is a primary concern. Furthermore, we extend our study of anonymization to develop the first traceable cloud data broadcast system with simultaneous individual messaging that concatenates two mutually orthogonal functionalities, namely consumer’s anonymity and traitor consumers traceability, in a unified manner. In particular, security and performance analysis explicates that both the designs are very cost-effective as consumer’s secret-key size is constant that fulfills the goals of achieving low overhead and computational cost for resource-constrained IoT devices.

Mobile access and flexible search over encrypted cloud data in heterogeneous systems

Cloud data sharing is an untrustworthy service where any malicious user can access the data from cloud storage and make use of it so an encryption technique is used to convert data into a unreadable format but an hacker uses an different technique to decrypt the data. So a steganography is introducing in cloud storage centre where the group member encrypt the data and send it to the cloud server, the server receive it and hide it in to an image. Data of the different owners in the group shares data with each other securely and preserving their identity from an untrusted cloud server is one of the challenging issues currently, due to the frequent change of the membership. In this paper, we propose a secure multiowner data sharing scheme for dynamic groups in the cloud. By aid of group signature and dynamic broadcast encryption techniques, any cloud user can anonymously share data with others. In addition to the dynamic broadcast encryption techniques we are using image Steganography to store the data in the form of image in the cloud storage.