Chunfu Jia

Identity-Based Encryption with Outsourced Revocation in Cloud Computing

Identity-Based Encryption (IBE) which simplifies the public key and certificate management at Public Key Infrastructure (PKI) is an important alternative to public key encryption. However, one of the main efficiency drawbacks of IBE is the overhead computation at Private Key Generator (PKG) during user revocation. Efficient revocation has been well studied in traditional PKI setting, but the cumbersome management of certificates is precisely the burden that IBE strives to alleviate. In this paper, aiming at tackling the critical issue of identity revocation, we introduce outsourcing computation into IBE for the first time and propose a revocable IBE scheme in the server-aided setting. Our scheme offloads most of the key generation related operations during key-issuing and key-update processes to a Key Update Cloud Service Provider, leaving only a constant number of simple operations for PKG and users to perform locally. This goal is achieved by utilizing a novel collusion-resistant technique: we employ a hybrid private key for each user, in which an AND gate is involved to connect and bound the identity component and the time component. Furthermore, we propose another construction which is provable secure under the recently formulized Refereed Delegation of Computation model. Finally, we provide extensive experimental results to demonstrate the efficiency of our proposed construction.

Fine-Grained Access Control System Based on Outsourced Attribute-Based Encryption

As cloud computing becomes prevalent, more and more sensitive data is being centralized into the cloud for sharing, which brings forth new challenges for outsourced data security and privacy. Attribute-based encryption (ABE) is a promising cryptographic primitive, which has been widely applied to design fine-grained access control system recently. However, ABE is being criticized for its high scheme overhead as the computational cost grows with the complexity of the access formula. This disadvantage becomes more serious for mobile devices because they have constrained computing resources.

Outsourcing encryption of attribute-based encryption with mapreduce

Attribute-based encryption (ABE) is a promising cryptographic tool for fine-grained access control. However, the computational cost in encryption commonly grows with the complexity of access policy in existing ABE schemes, which becomes a bottleneck limiting its application. In this paper, we formulize the novel paradigm of outsourcing encryption of ABE to cloud service provider to relieve local computation burden. We propose an optimized construction with MapReduce cloud which is secure under the assumption that the master node as well as at least one of the slave nodes is honest. After outsourcing, the computational cost at user side during encryption is reduced to approximate four exponentiations, which is constant. Another advantage of the proposed construction is that the user is able to delegate encryption for any policy.

New order preserving encryption model for outsourced databases in cloud environments

The order of the plaintext remains in the ciphertext, so order-preserving encryption (OPE) scheme is under threat if the adversary is allowed to query for many times. To hide the order in the ciphertext, the only ideal-security OPE scheme (Popa et al., 2013) requires the database server to maintain extra information and realize comparison or range query by user defined functions (UDFs). However, order operations will no longer be performed directly on the ciphertext. It will affect the efficiency and make this scheme to be not suitable for some cases.In this paper, we aim at constructing efficient and programmable OPE scheme for outsourced databases. Firstly, we introduce the system model of outsourced database where OPE scheme will be used, show that ciphertext-only attack is basic and practical security goal. Secondly, we discuss the statistical attack for OPE schemes, point out how to hide data distribution and data frequency is important when designing OPE schemes. Thirdly, we propose a new simple OPE model, which uses message space expansion and nonlinear space split to hide data distribution and frequency and further analyze its security against two kinds of attack in details. Finally, we discuss implementation details including how to use our OPE scheme in the database applications. And we also evaluate its performance through the experiment. The security analysis and performance evaluation show that our OPE scheme is secure enough and more efficient.

Efficient keyword search over encrypted data with fine-grained access control in hybrid cloud

As cloud computing becomes prevalent, more and more sensitive information is being centralized into the cloud, which raises a new challenge on how to efficiently share the outsourced data in a fine-grained manner. Although searchable encryption allows for privacy-preserving keyword search over encrypted data in public cloud, it could not work effectively for supporting fine-grained access control over encrypted data simultaneously. In this paper, we consider to tackle the challenge above under a hybrid architecture in which a private cloud is introduced as an access interface between users and public cloud. We firstly propose a basic scheme allowing both exact keyword search and fine-grained access control over encrypted data. Furthermore, an advanced scheme supporting fuzzy keyword search is presented. In both schemes, overhead computation is securely outsourced to private cloud but only left behind the file encryption and decryption at user side. Finally, we demonstrate approaches to realize outsourcing cryptographic access control mechanism and further relieve the computational cost at user side.

Linear obfuscation to combat symbolic execution

Trigger-based code (malicious in many cases, but not necessarily) only executes when specific inputs are received. Symbolic execution has been one of the most powerful techniques in discovering such malicious code and analyzing the trigger condition. We propose a novel automatic malware obfuscation technique to make analysis based on symbolic execution difficult. Unlike previously proposed techniques, the obfuscated code from our tool does not use any cryptographic operations and makes use of only linear operations which symbolic execution is believed to be good in analyzing. The obfuscated code incorporates unsolved conjectures and adds a simple loop to the original code, making it less than one hundred bytes longer and hard to be differentiated from normal programs. Evaluation shows that applying symbolic execution to the obfuscated code is inefficient in finding the trigger condition. We discuss strengths and weaknesses of the proposed technique.

Differentially private Naive Bayes learning over multiple data sources

Abstract For meeting diverse requirements of data analysis, the machine learning classifier has been provided as a tool to evaluate data in many applications. Due to privacy concerns of preventing disclosing sensitive information, data owners often suppress their data for an untrusted trainer to train a classifier. Some existing work proposed privacy-preserving solutions for learning algorithms, which allow a trainer to build a classifier over the data from a single owner. However, they cannot be directly used in the multi-owner setting where each owner is not totally trusted for each other. In this paper, we propose a novel privacy-preserving Naive Bayes learning scheme with multiple data sources. The proposed scheme enables a trainer to train a Naive Bayes classifier over the dataset provided jointly by different data owners, without the help of a trusted curator. The training result can achieve ϵ-differential privacy while the training will not break the privacy of each owner. We implement the prototype of the scheme and conduct corresponding experiment.

Cloud-based electronic health record system supporting fuzzy keyword search

As cloud computing becomes prevalent, electronic health record (EHR) system has appeared in the form of patient centric, in which more and more sensitive information from patients is being uploaded into the cloud. To protect patients’ privacy, sensitive EHR information has to be encrypted before outsourcing. However, this makes effective data utilization, such as fuzzy keyword search and data sharing, a very challenging problem. In this paper, aiming at allowing for securely storing, sharing and effectively utilizing the EHR, a new cloud-based EHR system is proposed. A binary tree is utilized to store the encrypted records in the proposed scheme, and an attribute-based encryption scheme is applied to encrypt the secret keys. The proposed system is very efficient because only symmetric encryption is introduced to encrypt the records. To support effectively retrieve patients’ records, an efficient fuzzy keyword search over encrypted data is proposed without reliance on heavy cryptographic operations, which greatly enhances system usability by returning the matching files. With rigorous security analysis, we show that the proposed scheme is secure, while it realized privacy-preserving data sharing and fuzzy keyword search. Extensive experimental results illustrate the efficiency of the proposed solution.

Enabling efficient and secure data sharing in cloud computing

With the rapid development of cloud computing, more and more data are being centralized into remote cloud server for sharing, which raises a challenge on how to keep them both private and accessible. Although searchable encryption provides an efficient solution to support keyword‐based search directly on encrypted data, considering its application in file sharing, existing work depends on key sharing among authorized users, which inevitably causes the risks of key exposure and abuse. In this paper, aiming at enabling efficient and secure data sharing in cloud computing, we provide a generic construction for this purpose. The proposed construction is full‐featured: (i) It enables authorized users to perform keyword‐based search directly on encrypted data without sharing the unique secret key; and (ii) it provides two‐layered access control to limit unauthorized users access to the shared data. On the basis of the proposed generic construction, we utilize the existing techniques on identity‐based broadcast encryption and public key searchable encryption to instantiate a concrete construction. Copyright

TMDS: Thin-Model Data Sharing Scheme Supporting Keyword Search in Cloud Storage

Data sharing systems based on cloud storage have attracted much attention recently. In such systems, encryption techniques are usually utilized to protect the privacy of outsourced sensitive data. However, to support data sharing while keeping data confidentiality, encryption keys should be shared by authorized users. As a result, many keys have to be stored and shared by the users in the data sharing system, which would be a bottleneck for users. To tackle the challenges above, we propose a secure thin-model data sharing scheme supporting a keyword search scheme called TMDS, where only a user’s master key is utilized and the keys used for keyword search are not required to be stored at the user side. Furthermore, the cloud server is assumed to be an honest-but-curious entity in our construction. TMDS offers many attractive features as follows: 1) users are able to encrypt and share data without distributing shared encryption keys; 2) each user can flexibly retrieve and decrypt data from the cloud with only a master key; 3) secure data sharing and keyword search are both supported in a single system. Furthermore, we explain how to construct a data sharing system based on TMDS. Security analysis and performance evaluation show that our scheme is secure and practical.