Outsourced Files Research Articles

A General Blockchain-Based Automatic Audit Scheme For Proofs Of Retrievability

Abstract Cloud storage has been widely used in remote data management, although correct storage of the outsourced file is still challenging in practice. Proofs of Retrievability (PoRs), a storage-oriented cryptographic tool, support integrity checking and efficient retrieval of the file. However, due to the lack of a fully credible oversight mechanism or a serious dependence on a trusted third party, most PoRs are incapable of achieving essential and straightforward trust between participants (i.e. the client and server). While blockchain shows promise in solving this trust issue, existing blockchain-based storage systems are scenario-constrained as they require private/permissioned or special-construct blockchains. Consequently, none of these systems provide robust and decentralized trustworthiness. We propose a general Blockchain-based Automatic Audit (BAA) scheme for PoR without limitations based on specific blockchain types. Specifically, we present BAA via stitching together a carefully designed or chosen array of sub-components such as storage proofs and Turing-complete smart contracts. We also integrate BAA with specific PoR models to prove its strong generality and availability. To our best knowledge, our proposal is the first blockchain-based approach that enhances traditional PoR models with both automatic audit and fair payment. The final analysis and implemented prototype on Ethereum demonstrate the utility of BAA.

VMSE: Verifiable multi-keyword searchable encryption in multi-user setting supporting keywords updating

Since the powerful storage capacity of the cloud platform, more and more people are willing to store their files on the cloud service provider (CSP). In order to prevent the privacy of outsourced files from being leaked, data owners will encrypt files before uploading. However, encryption will significantly limit the accurate location of the files. Therefore, this paper mainly introduces a verifiable multi-keyword searchable encryption scheme supporting keywords updating (VMSE). First of all, our proposed VMSE scheme can achieve multiple keywords search while protecting the privacy of the outsourced files and users. Then, our VMSE scheme can also implement the integrity verification and decryption of search results, which are not considered in many existing multi-keyword searchable encryption schemes. Currently, the dynamics in search schemes mostly refer to the dynamic update of outsourced files or user’s search permissions. We consider the keyword dynamic update of outsourced files in this paper, which is a design challenge for searchable encryption schemes and achieved by few searchable encryption schemes. Finally, performance evaluation shows our scheme is efficient and feasible in practical application.

Threat Model and Defense Scheme for Side-Channel Attacks in Client-Side Deduplication

In cloud storage, client-side deduplication is widely used to reduce storage and communication costs. In client-side deduplication, if the cloud server detects that the user's outsourced data have been stored, then clients will not need to reupload the data. However, the information on whether data need to be uploaded can be used as a side-channel, which can consequently be exploited by adversaries to compromise data privacy. In this paper, we propose a new threat model against side-channel attacks. Different from existing schemes, the adversary could learn the approximate ratio of stored chunks to unstored chunks in outsourced files, and this ratio will affect the probability that the adversary compromises the data privacy through side-channel attacks. Under this threat model, we design two defense schemes to minimize privacy leakage, both of which design interaction protocols between clients and the server during deduplication checks to reduce the probability that the adversary compromises data privacy. We analyze the security of our schemes, and evaluate their performances based on a real-world dataset. Compared with existing schemes, our schemes can better mitigate data privacy leakage and have a slightly lower communication cost.

DMSE: Dynamic Multi-keyword Search Encryption based on inverted index

With the popularity of cloud storage, increasing people are willing to upload their files to cloud services. They will encrypt these files before uploading to protect the privacy of files. However, encryption makes effective search very difficult and inefficient. In this paper, we design a dynamic multi-keyword searchable encryption scheme on the encrypted cloud files, called DMSE. Firstly, the outsourced files in DMSE are pre-classified and preprocessed according to their privacy to achieve classified search. Secondly, based on the inverted index, DMSE realizes multiple keywords search, which protects the privacy of outsourced files and users and greatly improves the search efficiency. In addition, our DMSE extends the inverted index to the multi-DO/multi-DU scenario, which is the distinguishable difference between DMSE and other existing multi-keyword search schemes. Thirdly, our DMSE can further support the update of keywords to cope with the mismatch dilemma between the first extracted keywords and outsourced files, thus improving the practicality of DMSE scheme. Finally, comprehensive performance evaluation shows our DMSE scheme is effective and feasible in practical application.

Efficient decentralized access control for secure data sharing in cloud computing

SummaryAccess control is an important technique in information security that allows legitimate users to gain access to and prevent unauthorized users from getting access to resources in a system. The restriction between access from a user and a shared file of the data owner can be determined by the access policy. In most existing access control models, it is assumed that all entities, including users, the third party, and cloud service provider (CSP), are in the same trust domain. However, in cloud computing environments, it is usually assumed that the CSP cannot be fully trusted, and the data owner (DO) is desired to have the absolute initiative to control data access. This article proposes a blockchain‐based access control scheme for cloud computing, in which the DO maintains an access matrix to describe the access policy. Then, the public keys of all nodes and the access matrix are stored in the blockchain, to ensure the security of the proposed scheme. The DOs can encrypt the large shared files once using a symmetric key in a long time. And they also can encrypt the symmetric key in parallel using the public key of authorized users in a short time. Security analysis proves that the proposed scheme is able to prevent outsourced files from unauthorized access and collusion attack. Experimental results show that the proposed scheme outperforms the existing baselines in terms of overheads on computation and storage. On average, the computation overhead of the proposed scheme is lower than that of the scheme SVPAC, PpBAC, and Timely CP‐ABE by 25.37%, 45.46%, and 36.44%, respectively. The communication overhead of the proposed scheme is lower than that of the scheme Timely CP‐ABE by 17.16%, and it is more secure, although it is higher than that of the scheme SVPAC and PpBAC by 5.88% and 39.05%. And the storage overhead of the proposed scheme is lower than that of the scheme SVPAC, PpBAC, and Timely CP‐ABE by 59.36%, 20.25%, and 61.88%, respectively.

ReliableBox: Secure and Verifiable Cloud Storage With Location-Aware Backup

While the prevalent cloud storage platforms are offering convenient services in support of diverse data-driven applications for clients, various security concerns raise in terms of data confidentiality, availability, and retrievability. Among them, servers' dishonesty on the location-specific data backup becomes a serious concern when the data stands out clients' control, considering the strict regulations imposed by many governments and organizations on data storage location. This article studies location-aware data backup verification for the data stored in clouds and aims to design a secure framework, named as ReliableBox, enabling the clients to verify if their data have been backed up on the remote servers with specific geolocation. In the design of ReliableBox, we leverage the prominent proof-of-storage techniques for data possession proof, and take advantage of multilateration geolocation and Intel SGX for the precise communication delay measurement and trust computing delay measurement, respectively. In ReliableBox, a client first computes integrity tags for the files and then outsources both the files and tags to the cloud storage server. In the later attestation, with the precise network delay and distance measurement from location-known verifiers, the client verifies that the outsourced files are intact and backed-up to hosts at the specific geolocation. With the customized design, ReliableBox can support the security needs in terms of both data integrity and backup location verification for clients, even when there exists potential dishonest cloud service providers who may manipulate the network delays or forge verification proofs. We provide security analysis to show the security property of ReliableBox in terms of data access, confidentiality, and verifications. In the end, we implement the system prototype and deploy it into several prevalent and commercial cloud platforms for performance evaluation. The experimental results demonstrate that ReliableBox is secure in support of data integrity checking and location-aware backup auditing, while it is robust to the data possession and location spoofing attacks.

Identity-Based Provable Data Possession From RSA Assumption for Secure Cloud Storage

As cloud storage services have become popular nowadays, the integrity of outsourced data stored at untrusted servers received increased attention. Provable data possession (PDP) provides an effective and efficient solution for cloud data integrity by asking the cloud server to prove that the stored data are not tampered with or maliciously discarded without returning the actual data to users. In this article, we propose an efficient identity-based privacy-preserving provable data possession scheme (ID-P <inline-formula><tex-math notation="LaTeX">$^3$</tex-math></inline-formula> DP) based on the RSA assumption for secure cloud storage. In ID-P <inline-formula><tex-math notation="LaTeX">$^3$</tex-math></inline-formula> DP, a cloud user takes the outsourcing file and a global parameter in a time period as inputs to generate identity-based homomorphic authenticators, and any third-party auditor (TPA) can check the integrity of the outsourced file by verifying the validity of homomorphic authenticators. The distinguished feature of ID-P <inline-formula><tex-math notation="LaTeX">$^3$</tex-math></inline-formula> DP is to support the aggregation of identity-based homomorphic authenticators generated by different users under the RSA assumption, which is an open problem in provable data possession. Specifically, we transfer the identity-based homomorphic authenticators generated in distinct time periods into those with the same period parameter, and the cloud can compress the homomorphic authenticators of different users to generate a data possession proof for integrity verification. Besides, by exploiting zero-knowledge proof, the leakage of outsourced data to TPA can be prevented. The soundness of ID-P <inline-formula><tex-math notation="LaTeX">$^3$</tex-math></inline-formula> DP is proved based on the RSA assumption, and the privacy against TPA is perfectly preserved. Finally, we demonstrate ID-P <inline-formula><tex-math notation="LaTeX">$^3$</tex-math></inline-formula> DP is more efficient on integrity verification than the existing BLS-based schemes, and cross-user aggregate verification can significantly reduce computational and communication overhead for TPA.

Revocable Attribute-Based Data Storage in Mobile Clouds

It is becoming fashionable for people to access data outsourced to clouds with mobile devices. To protect data security and privacy, attribute-based encryption (ABE) has been widely used in cloud storage systems. However, one of the main efficiency drawbacks of ABE is the high computation overheads at mobile devices during user revocation and file access. To address this issue, we propose a revocable attribute-based data storage (RADS) scheme equipped with several attracting features. First, our RADS scheme achieves a fine-grained access control mechanism, by which file owners do not need to explicitly specify authorized visitors to their outsourced files. Second, our RADS scheme allows mobile users to authorize the cloud service provider (CSP) to share costly computations in file access, without exposing the file content. Third, our RADS scheme offloads the operations of access-credential update and file re-encryption during revocation process to CSP, leaving all non-revoked users undisturbed. The revocation of RADS achieves a strong data protection, i.e., revoked users can access neither newly uploaded files nor old ones. The security and efficiency of the RADS scheme are validated via both analysis and experimental results.

VPAMS: Verifiable and practical attribute-based multi-keyword search over encrypted cloud data

Abstract With fast development of cloud storage, people increasingly outsource their files to the cloud server. To protect the confidentiality of outsourced files, files often are encrypted before outsourced. However, the accurate location and search on encrypted files will be greatly limited. This paper mainly considers how to realize an accurate multi-keyword fine-grained search on the encrypted files. Firstly, we use multiple keywords and an improved k-nearest neighbor (k-NN) technology to improve the search accuracy. Secondly, our scheme can protect the privacy of the file keyword indexes and the search queries and further preserve the privacy of outsourced files and users. Thirdly, unlike other existing multi-keyword search schemes without considering the verification and decryption of search results, the data users in our scheme not only can check whether the returned files contain multiple queried keywords, but also can realize the authorized decryption of the search files by using attribute-based encryption. Finally, performance evaluations show the time costs of our search algorithm is a constant value and independent of the number of user attributes. Therefore, our scheme is more efficient and practical.

Secure Outsourcing and Sharing of Cloud Data Using a User-Side Encrypted File System

Cloud computing is an emerging paradigm that aims to provide computing resources, massive data storage capacity and, flexible data sharing services. The explosive growth of data produced persuade business and users, driven by the cloud-top features, to outsource their data to the cloud storage systems. However, the confidentiality and integrity of outsourced sensitive data in remote cloud servers are becoming a major concern. Data must be encrypted prior to storing it in the, potentially untrustworthy cloud. Existing traditional encryption systems impose a heavy burden of managing files and encryption operations on data owners. They suffer from serious security, efficiency, and usability issues, and some schemes are inappropriate for protecting cloud data. In this paper, we introduce OutFS, a user-side encrypted file system, focused on providing a transparent encryption for stored and shared outsourced data. In OutFS, we utilize a hybrid encryption scheme structure based on symmetric and asymmetric methods. The key management is conveniently designed. In order to ensure robust data sharing security, the identity-based encryption scheme (IBE) is integrated with OutFS. OutFS is designed to preserve the integrity of outsourced file data and file system data structure. Analysis of performance and experimental results show that OutFS is efficient. It can achieve an average throughput of 8.8 MB/sec, and 10.5 MB/sec for writing and reading outsourced files. Security analysis indicates that OutFS is extremely secure and robust against attacks such as brute-force, eavesdropping, man-in-the-middle, and offline-dictionary attacks.

Secure Data De-Duplication Based on Threshold Blind Signature and Bloom Filter in Internet of Things

Within the cloud environment, the availability of storage, as well as bandwidth, can be effectively preserved in virtue of data de-duplication. However, refraining redundancy from additional storage or communication is not trivial due to security concerns. Though intensive researches have been addressed on a convergent cryptosystem for secure data de-duplication, the conflicts amongst functionality, confidentiality, and authority remain unbalanced. More concretely, although data are obfuscated under convergent encryption, a violent dictionary attack is still efficacious since the whole pseudorandom process relies heavily on plaintexts. As for data ownership, the download privilege, which depends on hash value, may also be infringed due to the same reason. To dispose of these problems, we presented a conspiracy-free data de-duplication protocol based on a threshold blind signature in this article. With the help of multiple key servers, the outsourced file and de-duplication label will be computationally indistinguishable from random strings. We used the Boom filter as a tool to implement a proof of ownership, ensuring that the ownership claims made by users are real. It effectively prevents the attacker from using the stolen tag to get the whole file to gain file access without authorization. The most significant innovation of this article is to use homomorphism computation to aggregate and generate partial signature tags, and to introduce a secret sharing mechanism based on The Chinese Remainder Theorem to hide signature keys, thus balancing the security concerns of cloud and client. Compared with existing schemes, both communication and computation performances are preferable in our protocol. As far as we know, our scheme is the only data de-duplication scheme that satisfies the semantic security of ciphertext and label.

Efficient, dynamic and identity-based Remote Data Integrity Checking for multiple replicas

Nowadays, cloud storage plays an increasingly important role in our daily life. However, the cloud users do not have the physical possession of their own data anymore. To confirm whether the outsourced files are maintained intact without downloading them entirely, a mechanism namely Remote Data Integrity Checking (RDIC) is invented. Currently, some RDIC schemes allow the data owners with limited computation or communication power to delegate the checking task to a third-party verifier. However, most of these schemes rely on the complicated and resource consuming public key infrastructure (PKI). In this paper, we propose a novel identity-based RDIC scheme, namely Efficient, Dynamic and Identity-based Multiple Replication Provable Data Possession (EDID-MRPDP) without the burden of PKI. We introduce a new construction of Homomorphic Verifiable Tag (HVT) and a novel data structure namely Compressed Authentication Array (CAA), which allow EDID-MRPDP to perform batch verification for multiple data owners and cloud servers simultaneously and efficiently, both from computation and communication aspects. To the best of our knowledge, EDID-MRPDP is the first ID-based RDIC scheme with full dynamic updates and multi-replica batch checking. We provide comprehensive correctness and soundness proofs of EDID-MRPDP. Meanwhile, the detailed performance analyses and simulations show that EDID-MRPDP is practical for large-scale cloud applications.

CPDA: A Confidentiality-Preserving Deduplication Cloud Storage With Public Cloud Auditing

With growing popularity of cloud storage, the number of users of outsourcing data to cloud servers has increased dramatically. On the one hand, the rapidly increasing volume of data in the cloud is accompanied by a lot of data duplication. On the other hand, the cloud server stores only a unique copy of outsourced data in deduplication cloud storage system and the corruption or missing of the unique copy may bring immeasurable loss. Therefore, the file deduplication and integrity auditing are very important and how to securely and efficiently achieve them simultaneously needs to be settled urgently in academia and industry. In this paper, we propose a confidentiality-preserving deduplication cloud storage with public cloud auditing (CPDA). Firstly, our CPDA scheme achieves secure file deduplication on encrypted file, which supports public integrity auditing for the unique copy in the deduplication cloud storage system. Particularly, our CPDA scheme also realizes secure authentication tag deduplication. Secondly, our CPDA scheme utilizes the convergent encryption and random masking techniques to ensure data confidentiality during the file deduplication and integrity auditing process. Thirdly, our scheme not only supports each data owner to independently launch the integrity auditing of their own files, but also supports cloud server to periodically delegate the third party auditor to concurrently handle multiple auditing tasks to ensure the integrity of the outsourced files. Finally, the security of our scheme is formally proved and its performance is confirmed by numerical analyses and simulation experiments.

Secure and efficient proxy re-encryption scheme based on key-homomorphic constrained PRFs in cloud computing

With the rapid development of cloud computing, its security and privacy are of great concern. Since the cloud service provider is not completely trustworthy, the security of the outsourced files has become serious issues. Identity-based proxy re-encryption (IBPRE) schemes have been proposed to achieve feasible access control of encrypted data under the condition of guaranteeing the confidentiality of data, which can transfer the original ciphertexts to the re-encrypted ciphertexts for a designated decryptor. However, most of the existing IBPRE schemes either do not support revocation or computational complexity is too high. In this paper, we combine the properties of constrained pseudorandom functions (PRFs) and key homomorphic PRFs to construct a secure and efficient proxy re-encryption scheme for cloud computing. In our proposed scheme, the data owner authenticates the requesters and distributes the decryption keys by using an identity-based key exchange method. Meanwhile, a proxy re-encryption scheme is used to achieve data sharing and ciphertext update. We present the security proof of our scheme. In addition, compared with other existing schemes, our scheme has low computational complexity and communication cost.

Genuine and Secure Identity-Based Public Audit for the Stored Data in Healthcare Cloud.

Cloud storage has attracted more and more concern since it permits cloud users to save and employ the corresponding outsourced files at arbitrary time, with arbitrary facility and from arbitrary place. To make sure data integrality, numerous public auditing constructions have been presented. However, existing constructions mainly have built on the PKI. In these constructions, to achieve data integrality, the auditor first must authenticate the legality of PKC, which leads to a great burden for the auditor. To eliminate the verification of time-consuming certificate, in this work, we present an efficient identity-based public auditing proposal. Our construction is an identity-based data auditing system in the true sense in that the algorithm to calculate authentication signature is an identity-based signature algorithm. By extensive security evaluation and experimental testing, the consequences demonstrate that our proposal is safe and effective; it can efficiently hold back forgery attack and replay attack. Finally, compared with the two identity-based public auditing proposals, our proposal outperforms the two proposals under the condition of overall considering computational cost, communication overhead, and security strength.

Auditing Big Data Storage in Cloud Computing Using Divide and Conquer Tables

Cloud computing has arisen as the mainstream platform of utility computing paradigm that offers reliable and robust infrastructure for storing data remotely, and provides on demand applications and services. Currently, establishments that produce huge volume of sensitive data, leverage data outsourcing to reduce the burden of local data storage and maintenance. The outsourced data, however, in the cloud are not always trustworthy because of the inadequacy of physical control over the data for data owners. To better streamline this issue, scientists have now focused on relieving the security threats by designing remote data checking (RDC) techniques. However, the majority of these techniques are inapplicable to big data storage due to incurring huge computation cost on the user and cloud sides. Such schemes in existence suffer from data dynamicity problem from two sides. First, they are only applicable for static archive data and are not subject to audit the dynamic outsourced data. Second, although, some of the existence methods are able to support dynamic data update, increasing the number of update operations impose high computation and communication cost on the auditor due to maintenance of data structure, i.e., merkle hash tree. This paper presents an efficient RDC method on the basis of algebraic properties of the outsourced files in cloud computing, which inflicts the least computation and communication cost. The main contribution of this paper is to present a new data structure, called Divide and Conquer Table (D&CT), which proficiently supports dynamic data for normal file sizes. Moreover, this data structure empowers our method to be applicable for large-scale data storage with minimum computation cost. The one-way analysis of variance shows that there are significant differences between the proposed method and the existing methods in terms of the computation and communication cost on the auditor and cloud.

Attribute-Based Cloud Data Integrity Auditing for Secure Outsourced Storage

Outsourced storage such as cloud storage can significantly reduce the burden of data management of data owners. Despite of a long list of merits of cloud storage, it triggers many security risks at the same time. Data integrity, one of the most burning challenges in secure cloud storage, is a fundamental and pivotal element in outsourcing services. Outsourced data auditing protocols enable a verifier to efficiently check the integrity of the outsourced files without downloading the entire file from the cloud, which can dramatically reduce the communication overhead between the cloud server and the verifier. Existing protocols are mostly based on public key infrastructure or an exact identity, which lacks flexibility of key management. In this paper, we seek to address the complex key management challenge in cloud data integrity checking by introducing attribute-based cloud data auditing, where users can upload files to cloud through some customized attribute set and specify some designated auditor set to check the integrity of the outsourced data. We formalize the system model and the security model for this new primitive, and describe a concrete construction of attribute-based cloud data integrity auditing protocol. The new protocol offers desirable properties namely attribute privacy-preserving and collusion-resistance. We prove soundness of our protocol based on the computational Diffie-Hellman assumption and the discrete logarithm assumption. Finally, we develop a prototype of the protocol which demonstrates the practicality of the protocol.

Identity-Based Data Outsourcing With Comprehensive Auditing in Clouds

Cloud storage system provides facilitative file storage and sharing services for distributed clients. To address integrity, controllable outsourcing, and origin auditing concerns on outsourced files, we propose an identity-based data outsourcing (IBDO) scheme equipped with desirable features advantageous over existing proposals in securing outsourced data. First, our IBDO scheme allows a user to authorize dedicated proxies to upload data to the cloud storage server on her behalf, e.g., a company may authorize some employees to upload files to the company's cloud account in a controlled way. The proxies are identified and authorized with their recognizable identities, which eliminates complicated certificate management in usual secure distributed computing systems. Second, our IBDO scheme facilitates comprehensive auditing, i.e., our scheme not only permits regular integrity auditing as in existing schemes for securing outsourced data, but also allows to audit the information on data origin, type, and consistence of outsourced files. Security analysis and experimental evaluation indicate that our IBDO scheme provides strong security with desirable efficiency.

Privacy-Preserving Outsourced Auditing Scheme for Dynamic Data Storage in Cloud

As information technology develops, cloud storage has been widely accepted for keeping volumes of data. Remote data auditing scheme enables cloud user to confirm the integrity of her outsourced file via the auditing against cloud storage, without downloading the file from cloud. In view of the significant computational cost caused by the auditing process, outsourced auditing model is proposed to make user outsource the heavy auditing task to third party auditor (TPA). Although the first outsourced auditing scheme can protect against the malicious TPA, this scheme enables TPA to have read access right over user’s outsourced data, which is a potential risk for user data privacy. In this paper, we introduce the notion of User Focus for outsourced auditing, which emphasizes the idea that lets user dominate her own data. Based on User Focus, our proposed scheme not only can prevent user’s data from leaking to TPA without depending on data encryption but also can avoid the use of additional independent random source that is very difficult to meet in practice. We also describe how to make our scheme support dynamic updates. According to the security analysis and experimental evaluations, our proposed scheme is provably secure and significantly efficient.

DeyPoS: Deduplicatable Dynamic Proof of Storage for Multi-User Environments

Dynamic Proof of Storage (PoS) is a useful cryptographic primitive that enables a user to check the integrity of outsourced files and to efficiently update the files in a cloud server. Although researchers have proposed many dynamic PoS schemes in single-user environments, the problem in multi-user environments has not been investigated sufficiently. A practical multi-user cloud storage system needs the secure client-side cross-user deduplication technique, which allows a user to skip the uploading process and obtain the ownership of the files immediately, when other owners of the same files have uploaded them to the cloud server. To the best of our knowledge, none of the existing dynamic PoSs can support this technique. In this paper, we introduce the concept of deduplicatable dynamic proof of storage and propose an efficient construction called DeyPoS, to achieve dynamic PoS and secure cross-user deduplication, simultaneously. Considering the challenges of structure diversity and private tag generation, we exploit a novel tool called Homomorphic Authenticated Tree (HAT). We prove the security of our construction, and the theoretical analysis and experimental results show that our construction is efficient in practice.