Outsourced data encryption scheme with access privilege revocation
Cite this article: LI Chengwen, WANG Xiaoming. Outsourced data encryption scheme with access privilege revocation[J]. Journal of Computer Applications, 2016, 36(1): 216-221.
Authors: LI Chengwen, WANG Xiaoming
Affiliation: College of Information Science and Technology, Jinan University, Guangzhou Guangdong 510632, China
Funding: National Natural Science Foundation of China (61070164, 61272415); Natural Science Foundation of Guangdong Province (S2012010008767); Science and Technology Planning Project of Guangdong Province (2013B010401015, 2012B091000136).
Abstract: The scheme proposed by Zhou et al. (ZHOU M, MU Y, SUSILO W, et al. Privacy enhanced data outsourcing in the cloud. Journal of Network and Computer Applications, 2012, 35(4): 1367-1373) was analyzed, and it was shown that the scheme cannot revoke users' access privileges. To address this shortcoming, an outsourced data encryption scheme with access privilege revocation was proposed. Firstly, the data were divided into several data blocks, and each data block was encrypted separately. Secondly, a key derivation method was used to reduce the number of keys stored and managed by the data owner. Finally, multiple decryption keys were constructed for the same encrypted data, so that the access privileges of some users can be revoked while non-revoked users do not need to update their keys. Compared with Zhou's scheme, the proposed scheme not only retains that scheme's privacy protection for outsourced data, but also realizes access privilege revocation for users. The analysis results show that the proposed scheme is secure under the Discrete Logarithm Problem (DLP) assumption.

Keywords: outsourced data; user revocation; data encryption; key management; multiple decryption key
Received: 2015-07-29
Revised: 2015-09-15
This article is indexed in Wanfang Data and other databases.