Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.     

Secure and privacy‐preserving keyword search retrieval over hashed encrypted cloud data

Cloud computing (CC) is the universal area in which the data owners will contract out their pertinent data to the untrusted public cloud that permits the data users to retrieve the data with complete integrity. To give data privacy along with integrity, majority of the research works were concentrated on single data owner for secure searching of encrypted data via the cloud. Also, searchable encryption supports data user to retrieve the particular encrypted document from encrypted cloud data via keyword search (KS). However, these researches are not efficient for keyword search retrieval. To trounce such drawbacks, this paper proposes efficient secure and privacy‐preserving keyword search retrieval (SPKSR) system, in which the user retrieves the hashed encrypted documents over hashed encrypted cloud data. The proposed system includes three entities explicitly, (a) data owner (DO), (b) cloud server (CS), and (c) data users (DU). The owner outsources hashed encrypted documents set, along with generated searchable index tree to the CS. The CS hoards the hashed encrypted document collection and index tree structure. DU performs the “search” over the hashed encrypted data. Experimental results of the proposed system are analyzed and contrasted with the other existent system to show the dominance of the proposed system.     

Research on technology of data encryption and search based on access broker

Broker executed searchable encryption (BESE) scheme was proposed for the confidentiality issues of cloud application data.The scheme did not need to modify the cloud application or user habits,thus had strong applicability.Firstly,systematic and quantitative analysis on BESE scheme was conducted in terms of query expressiveness,performance and security.Then,the main challenges of BESE scheme including securely sharing index and encrypted data between brokers were pointed out,and corresponding schemes were proposed to address the above challenges.The experimental results show that the BESE scheme can effectively protect the user data in the cloud,achieve a variety of search functions,and has high efficiency and security.     

A time-aware searchable encryption scheme for EHRs

Despite the benefits of EHRs (Electronic Health Records), there is a growing concern over the risks of privacy exposure associated with the technologies of EHR storing and transmission. To deal with this problem, a time-aware searchable encryption with designated server is proposed in this paper. It is based on Boneh's public key encryption with keyword search and Rivest's timed-release cryptology. Our construction has three features: the user cannot issue a keyword search query successfully unless the search falls into the specific time range; only the authorized user can generate a valid trapdoor; only the designated server can execute the search. Applying our scheme in a multi-user environment, the number of the keyword ciphertexts would not increase linearly with the number of the authorized users. The security and performance analysis shows that our proposed scheme is securer and more efficient than the existing similar schemes.     

Trapdoor Security Lattice-Based Public-Key Searchable Encryption with a Designated Cloud Server

Cloud storage technique has becoming increasingly significant in cloud service platform. Before choosing to outsource sensitive data to the cloud server, most of cloud users need to encrypt the important data ahead of time. Recently, the research on how to efficiently retrieve the encrypted data stored in the cloud server has become a hot research topic. Public-key searchable encryption, as a good candidate method, which enables a cloud server to search on a collection of encrypted data with a trapdoor from a receiver, has attracted more researchers’ attention. In this paper, we propose the frist efficient lattice-based public-key searchable encryption with a designated cloud server, which can resist quantum computers attack. In our scheme, we designate a unique cloud server to test and return the search results, thus can remove the secure channel between the cloud server and the receiver. We have proved that our scheme can achieve ciphertext indistinguishability under the hardness of learning with errors, and can achieve trapdoor security in the random oracle model. Moreover, our scheme is secure against off-line keyword guessing attacks from outside adversary.     

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

Cloud computing provides a convenient way of content trading and sharing. In this paper, we propose a secure and privacy-preserving digital rights management （DRM） scheme using homomorphic encryption in cloud computing. We present an efficient digital rights management framework in cloud computing, which allows content provider to outsource encrypted contents to centralized content server and allows user to consume contents with the license issued by license server. Further, we provide a secure content key distribution scheme based on additive homomorphic probabilistic public key encryption and proxy re-encryption. The provided scheme prevents malicious employees of license server from issuing the license to unauthorized user. In addition, we achieve privacy preserving by allowing users to stay anonymous towards the key server and service provider. The analysis and comparison results indicate that the proposed scheme has high efficiency and security.     

云计算环境下支持排名的关键词加密检索方法

随着云计算的出现,越来越多的数据开始集中存储到云端,为了保护数据隐私,敏感数据需要在外包到云端之前进行加密,使在加密数据上进行有效检索成为一个挑战性任务。尽管传统的加密检索模型支持在加密数据上进行关键词检索,但是它们没有描述检索结果的相关度,导致返回所有包含关键词的检索结果占用了大量的网络带宽,并且用户从返回的检索结果中再次选择最相关的结果也会产生大量的时间开销,为此,提出了云计算环境下支持排名的关键词加密检索方法。该方法根据相关度返回排序后的检索结果,其中的保序对称加密模型不仅防止了相关度信息的泄漏,而且提供了高效的检索性能。实验表明了该方法的有效性。     

云计算环境中支持隐私保护的数字版权保护方案简

针对云计算环境中数字内容安全和用户隐私保护的需求,提出了一种云计算环境中支持隐私保护的数字版权保护方案。设计了云计算环境中数字内容版权全生命周期保护和用户隐私保护的框架,包括系统初始化、内容加密、许可授权和内容解密4个主要协议;采用基于属性基加密和加法同态加密算法的内容加密密钥保护和分发机制,保证内容加密密钥的安全性;允许用户匿名向云服务提供商订购内容和申请授权,保护用户的隐私,并且防止云服务提供商、授权服务器和密钥服务器等收集用户使用习惯等敏感信息。与现有的云计算环境中数字版权保护方案相比,该方案在保护内容安全和用户隐私的同时,支持灵活的访问控制,并且支持在线和超级分发应用模式,在云计算环境中具有较好的实用性。     

云环境下安全的可验证多关键词搜索加密方案

云计算的高虚拟化与高可扩展性等优势,使个人和企业愿意外包加密数据到云端服务器。然而,加密后的外包数据破坏了数据间的关联性。尽管能够利用可搜索加密(SE)进行加密数据的文件检索,但不可信云服务器可能篡改、删除外包数据或利用已有搜索陷门来获取新插入文件相关信息。此外,现有单关键词搜索由于限制条件较少,导致搜索精度差,造成带宽和计算资源的浪费。为了解决以上问题,提出一种高效的、可验证的多关键词搜索加密方案。所提方案不仅能够支持多关键词搜索,也能实现搜索模式的隐私性和文件的前向安全性。此外,还能实现外包数据的完整性验证。通过严格的安全证明,所提方案在标准模型下被证明是安全的,能够抵抗不可信云服务器的离线关键词猜测攻击(KGA)。最后,通过与最近3种方案进行效率和性能比较,实验结果表明所提方案在功能和效率方面具有较好的综合性能。     

基于授权的多服务器可搜索密文策略属性基加密方案

针对现有属性基可搜索加密方案缺乏对云服务器授权的服务问题,该文提出一种基于授权的可搜索密文策略属性基加密(CP-ABE)方案。方案通过云过滤服务器、云搜索服务器和云存储服务器协同合作实现搜索服务。用户可将生成的授权信息和陷门信息分别发送给云过滤服务器和云搜索服务器,在不解密密文的情况下,云过滤服务器可对所有密文进行检测。该方案利用多个属性授权机构,在保证数据机密性的前提下能进行高效的细粒度访问,解决数据用户密钥泄露问题,提高数据用户对云端数据的检索效率。通过安全性分析,证明方案在提供数据检索服务的同时无法窃取数据用户的敏感信息,且能够有效地防止数据隐私的泄露。     

云计算数据安全研究

随着云计算的快速发展和推广应用,在云计算环境中数据安全和隐私保护成为云计算研究中的关键问题。以数据全生命周期模型为基础,提出云计算环境中的数据安全和隐私保护框架,对云计算环境中数据安全和隐私保护的若干关键研究问题,包括密文检索、完整性验证和持有性证明、隐私保护及查询隐私进行了阐述,详细综述了全同态加密的发展、原理、意义及其在云计算数据安全和隐私保护中的应用,并指明了未来的研究方向。     

Research on oblivious keyword search protocols with CKA security

An oblivious keyword search (OKS) protocol allows a user to search and retrieve the data associated with a chosen keyword in an oblivious way. It has stronger security attributes than traditional searchable encryption schemes which suffer from keyword guessing attack. Whereas most of the existing OKS protocols are not satisfactory because they mainly have the following flaws: (1) Large ciphertext‐size, relatively low communication, and computation efficiency; (2) Do not protect both user and database's privacy simultaneity. To deal with the above two problems and to obtain strong privacy, we investigate new approaches to design efficient OKS protocols. Our OKS protocol mainly realizes three contributions: (1) Improving privacy for both users and database servers; (2) Realizing compact cipher‐size; and (3) Overcoming particular security flaws occurred in previous OKS protocols. To prove what precise security can be expected in our OKS protocol, a formal chosen keyword attack model is defined to incorporate real attackers' abilities. Chosen keyword attack model is also utilized to analyze and point out security flaws in current OKS protocols. Efficiency and security comparison with existing OKS protocols is described to indicate their appropriate applications.     

A based on blinded CP‐ABE searchable encryption cloud storage service scheme

Cloud computing has great economical advantages and wide application, more and more data owners store their data in the cloud storage server (CSS) to avoid tedious local data management and insufficient storage resources. But the privacy of data owners faces enormous challenges. The most recent searchable encryption technology adopts the ciphertext‐policy attribute‐based encryption (CP‐ABE), which is one good method to deal with this security issue. However, the access attributes of the users are transmitted and assigned in plaintext form. In this paper, we propose a based on blinded CP‐ABE searchable encryption cloud storage service (BCP‐ABE‐SECSS) scheme, which can blind the access attributes of the users in order to prevent the collusion attacks of the CSS and the users. Data encryption and keyword index generation are performed by the data owners; meanwhile, we construct that CSS not only executes the access control policy of the data but also performs the pre‐decryption operation about the encrypted data to solve higher time cost of decryption calculation to the data users. Security proof results show that this scheme has access attribute security, data confidentiality, indistinguishable security against chosen keyword attack, and resisting the collusion attack between the data user and the CSS. Performance analysis and the experimental results show that this scheme can effectively reduce the computation time cost of the data owners and the data users.     

Verifiable attribute-based searchable encryption scheme based on blockchain

For the problem that the shared decryption key lacks of fine-grained access control and the search results lacks of correctness verification under one-to-many search model,a verifiable attribute-based searchable encryption scheme based on blockchain was proposed.The ciphertext policy attribute-based encryption mechanism was used on the shared key to achieve fine-grained access control.Ethereum blockchain technology was combined to solve the problem of incorrect search results returned by the semi-honest and curious cloud server model,so it could prompt both the cloud server and the user to follow the rules of the contract honestly and achieved service-payment fairness between the user and the cloud server in the pay-per-use cloud environment.In addition,based on the irreversible modification of the blockchain,the cloud server was guaranteed to receive the service fee,and the user was assured to obtain the correct retrieval results without additional verification which reduced the computational overhead of the user.The security analysis shows that the scheme satisfies the semantic security against adaptive chosen keyword attack and can protect the privacy of users and the security of data.The performance comparison and experimental results show that the scheme has certain optimizations in security index generation,search token generation,retrieval efficiency and transaction quantity,so it is more suitable for one-to-many search scenarios such as smart medical.     

Approach of location privacy protection based on order preserving encryption of the grid

The centralized structure of the trusted third party is a major privacy protection structure on location based services.However,if the central third party server can not be trusted or compromised,users have the risk of leakage of privacy location.Aiming at the above problems,location privacy protection approach based on a user-defined grid to hide location was proposed.The system first automatically converted the query area into a user-defined grid,and then the approach utilized order preserving encryption,which made the user’s real-time position in the hidden state could still be compared.Because the information in the process of the approach was in a state of encryption,the server could not know the user’s location information,thus improved privacy protection of the user location.The central third party server only need to do simple comparison work,so its processing time overhead would effectively decrease.Security analysis certificate the security of the proposed approach and simulation experimental show the proposed approach can reduce the time cost of the central third party server.     

支持属性撤销的可验证多关键词搜索加密方案

近年来,可搜索加密技术及细粒度访问控制的属性加密在云存储环境下得到广泛应用。考虑到现存的基于属性的可搜索加密方案存在仅支持单关键词搜索而不支持属性撤销的问题,以及单关键词搜索可能造成返回搜索结果部分错误并导致计算和宽带资源浪费的缺陷,该文提出一种支持属性撤销的可验证多关键词搜索加密方案。该方案允许用户检测云服务器搜索结果的正确性,同时在细粒度访问控制结构中支持用户属性的撤销,且在属性撤销过程中不需要更新密钥和重加密密文。该文在随机预言机模型下基于判定性线性假设被证明具有抵抗选择关键词集攻击安全性及关键词隐私性,同时从理论和实验两方面分析验证了该方案具有较高的计算效率与存储效率。     

对称可搜索加密技术研究进展

云计算作为一种新型计算模式,具有海量资源、动态扩展、按需分配等特点。资源受限的用户可以将计算任务外包给云服务器,在享受高质量数据服务的同时大大降低了本地管理开销。然而,数据外包导致数据所有权与管理权分离,如何保证数据的安全性成为云计算中亟待解决的关键问题。传统的加密技术虽然可以保证数据的机密性,但是在密文中如何执行有意义的检索操作成为一个巨大的挑战。为了保证数据机密性的同时实现密文数据的高效检索,可搜索加密技术应运而生。近年来,可搜索加密方案的设计日趋多样化,旨在提高方案的实用性。该文主要围绕目前可搜索加密方案的研究热点,从4个方面展开阐述,具体包括:单关键词检索、多模式检索、前/后向安全检索和可验证检索。该文主要介绍和分析具有代表性的研究成果,总结最新研究进展及提炼关键技术难点,最后对未来的研究方向进行展望。     

抗关键词猜测的授权可搜索加密方案

大多数可搜索加密方案仅支持对单关键词集的搜索,且数据使用者不能迅速对云服务器返回的密文进行有效性判断,同时考虑到云服务器具有较强的计算能力,可能会对关键词进行猜测,且没有对数据使用者的身份进行验证。针对上述问题,该文提出一个对数据使用者身份验证的抗关键词猜测的授权多关键词可搜索加密方案。方案中数据使用者与数据属主给授权服务器进行授权,从而验证数据使用者是否为合法用户;若验证通过,则授权服务器利用授权信息协助数据使用者对云服务器返回的密文进行有效性检测;同时数据使用者利用服务器的公钥和伪关键词对关键词生成陷门搜索凭证,从而保证关键词的不可区分性。同时数据属主在加密时,利用云服务器的公钥、授权服务器的公钥以及数据使用者的公钥,可以防止合谋攻击。最后在随机预言机模型下证明了所提方案的安全性,并通过仿真实验验证,所提方案在多关键词环境下具有较好的效率。     

Secure personal data sharing in cloud computing using attribute-based broadcast encryption

The ciphertext-policy (CP) attribute-based encryption (ABE) (CP-ABE) emergings as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks such as decryption overhead, user revocation and privacy preserving. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption (BE) (ABBE) named EP-ABBE, that can reduce the decryption computation overhead by partial decryption, and protect user privacy by obfuscating access policy of ciphertext and user's attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner can enjoy the flexibly of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping revoked user's index from the user index set, which is with very low computation cost. Moreover, the privacy of user can well be protected in the scheme. The security and performance analysis show that the scheme is secure, efficient and privacy-preserving.     

Multi-owner accredited keyword search over encrypted data

A sharing multi-owner setting where data was owned by a fixed number of data owners,the existing searchable encryption schemes could not support ciphertext retrieval and fine-grained access control at the same time.For this end,an efficient cryptographic primitive called as multi-owner accredited keyword search over encrypted data scheme was designed,through combining linear secret-sharing technique with searchable encryption schemes,only the data users authorized bymulti-owner by could decrypt the returned results.The formal security analysis shows that the scheme can protect security and privacy under the bilinear Diffie-Hellman assumption.As a further contribution,an empirical study over real-world dataset was conelucted to show the effectiveness and practicability of the scheme.