Ximeng Liu

A Secure Data Self-Destructing Scheme in Cloud Computing

With the rapid development of versatile cloud services, it becomes increasingly susceptible to use cloud services to share data in a friend circle in the cloud computing environment. Since it is not feasible to implement full lifecycle privacy security, access control becomes a challenging task, especially when we share sensitive data on cloud servers. In order to tackle this problem, we propose a key-policy attribute-based encryption with time-specified attributes (KP-TSABE), a novel secure data self-destructing scheme in cloud computing. In the KP-TSABE scheme, every ciphertext is labeled with a time interval while private key is associated with a time instant. The ciphertext can only be decrypted if both the time instant is in the allowed time interval and the attributes associated with the ciphertext satisfy the keys access structure. The KP-TSABE is able to solve some important security problems by supporting user-defined authorization period and by providing fine-grained access control during the period. The sensitive data will be securely self-destructed after a user-specified expiration time. The KP-TSABE scheme is proved to be secure under the decision l-bilinear Diffie-Hellman inversion (l-Expanded BDHI) assumption. Comprehensive comparisons of the security properties indicate that the KP-TSABE scheme proposed by us satisfies the security requirements and is superior to other existing schemes.

Secure, efficient and revocable multi-authority access control system in cloud storage

A multi-authority attribute-based access control system for cloud storage is proposed.An adaptively secure multi-authority CP-ABE (MA-CP-ABE) scheme in the standard model.A decryption outsourcing method for the proposed MA-CP-ABE scheme.An attribute-level revocation approach achieves back secrecy and forward secrecy. Multi-Authority Attribute-Based Encryption (MA-ABE) is an emerging cryptographic primitive for enforcing fine-grained attribute-based access control on the outsourced data in cloud storage. However, most of the previous multi-authority attribute-based systems are either proven to be secure in a weak model or lack of efficiency in user revocation. In this paper, we propose MAACS (Multi-Authority Access Control System), a novel multi-authority attribute-based data access control system for cloud storage. We construct a new multi-authority ciphertext-policy ABE (MA-CP-ABE) scheme with decryption outsourcing. The decryption overhead for users is largely eliminated by outsourcing the undesirable bilinear pairing operations to the cloud servers. The proposed MA-CP-ABE scheme is proven adaptively secure in the standard model and supports any monotone access policy. We also design an efficient attribute-level user revocation approach with less computation cost. The security analysis, numerical comparisons and implementation results indicate that our MAACS is secure, efficient and scalable.

Large universe decentralized key-policy attribute-based encryption

In multi-authority attribute-based encryption ABE systems, each authority manages a different attribute universe and issues the private keys to users. However, the previous multi-authority ABE schemes are subject to such restrictions during initializing the systems: either the attribute universe is polynomially sized and the attributes have to be enumerated or the attribute universe can be exponentially large, but the size of the set of attributes, which will be used in encryption, is not more than a predefined fixed value. These restrictions prevent multi-authority ABE schemes from being deployed in dynamic practice applications. In this paper, we present a large universe decentralized key-policy ABE scheme without such additional limitation. In our scheme, there is no requirement of any central authority. Each attribute authority executes independently from the others and can join or depart the system allodiality. Our system supports any monotone access policy. The proposed scheme is constructed on prime order groups and proved selectively secure in the standard model. To the best of our knowledge, our scheme is the first large universe decentralized key-policy ABE system in the standard model. Copyright

Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption

Multi-authority attribute-based encryption ABE is a generation of ABE where the descriptive attributes are managed by different authorities. In current multi-authority ABE schemes, the scale of attribute universe employed in encryption is restricted by various predefined thresholds. In this paper, we propose an unbounded multi-authority ciphertext-policy ABE system without such restriction. Our scheme consists of multiple attribute authorities AAs, one central authority CA, and users labeled by the set of attributes. Each AA governs a different universe of attributes and operates separately. Moreover, there is no cooperation between the CA and AAs. To provide the private keys for a user, the AAs first issue partial attribute-related keys according to the attributes; the CA then issues identity-related keys and links these attribute-keys with the users global identifier. Both the identity-related and the linked attribute-related keys will be used in decryption. The proposed multi-authority ciphertext-policy ABE scheme can support arbitrary linear secret sharing scheme as the access policy. Performance analysis and security proof indicate that our scheme is efficient and secure. Copyright

Personal Health Records Integrity Verification Using Attribute Based Proxy Signature in Cloud Computing

Personal health records PHRs have been appeared as patient -centric model for health information exchange, which are often outsourced to be stored in cloud services. However, the integrity and privacy of the PHRs are cause for concern that personal health information could be compromised. The principal method to guarantee integrity of PHRs is using signature mechanism when a PHR owner use the PHR to generate signature and a user is able to verify the PHR by using the signature. In some scenario, PHR owner can not sign the PHR by himself/herself, he/her wants to delegate its sign ability to other people to sign the PHR. In order to solve delegation of original signers capabilities to guarantee integrity of PHR and the anonymity of the signer, attribute based proxy signature schemeABPS for personal health records was first proposed in this paper. We formalize and construct the ABPS. Our scheme is proved to be existentially unforgeable against chosen message attack in the standard model. Analysis shows that our ABPS is more appropriate for cloud computing environment to guarantee integrity of PHRs.

Key-Policy Weighted Attribute based Encryption for fine-grained access control

When we step into the new internet era, large numbers of new techniques have emerged in order to make our life better. However, these new techniques require some new properties in order to keep personal information confidentially which the traditional encryption method cannot catch up with. Recently, a new encryption primitive called Attribute Based Encryption(ABE) have appeared because it can achieve both information security and fine-grained access control. Although the ABE scheme has these new characters which can keep the information security that can fit for the new widely used technique, nevertheless, the characteristic of attributes are treated in the identical level in most of traditional schemes. In the real scenario, the importance of each attributes is always different. In this paper, we propose a scheme called Key-Policy Weighted Attribute based Encryption (KP-WABE) while the attributes have different weights according to their importance in the system. The KP-WABE scheme is proved to be secure under the l-th Bilinear Diffie-Hellman Inversion Assumption. Our scheme can be considered as the generalization of traditional KP-ABE scheme when all attributes have equal weights.

Efficient attribute based sequential aggregate signature for wireless sensor networks

Wireless sensor networks (WSNs) are broadly applied in real scenarios, such as remote environmental monitoring and target tracking. However, data can be easily compromised by the adversary. Although attribute based signature (ABS) scheme is an important cryptographic primitive which provides a powerful way for users to control their privacy. When the number of users involved in the system becomes huge, the computational and storage overhead will grow large so that existing ABS schemes are insufficient for WSNs. In order to reduce the communication and computational cost of ABS to make it more suitable for WSNs, we propose an efficient attribute based sequential aggregate signature (EABSAS) scheme which allows a set of sensor nodes to sign on different messages, combine and compress them into a short signature which can greatly decrease the storage space. Through extensive analysis, we demonstrate that our EABSAS scheme can achieve the existential unforgeability to keep the data integrity, and significantly reduces computation and communication overhead than existing competing approaches.

A Secure Document Self-Destruction Scheme with Identity Based Encryption

With the rapid emerging of the novelty Web services and cloud services, it becomes more and more easily to expose a users sensitive documents into the cloud. In this paper, we combine identity-based encryption (IBE) algorithm with distributed hash table (DHT) network and propose an IBE-based secure document self-destruction (ISDS) scheme to protect the privacy security of past, archived sensitive documents, and make sure that all copies of those documents become unreadable by making them utomatically destructed after a predefined time without any human intervention. Comprehensive analysis shows that the ISDS scheme is able to resist not only traditional cryptanalysis and brute-force attack, but also Sybil attacks (e.g., hopping attack and sniffer attack) in the DHT network. More significantly, our ISDS scheme can also provide fine-grained access control during the lifetime of the sensitive documents, which is not guaranteed in other existing schemes.

Efficient Data Integrity Verification Using Attribute Based Multi-signature Scheme in Wireless Network

Attribute based signature scheme is an important cryptographic primitive providing a powerful way for user to control their privacy. In wireless environment, the capacity of wireless channel is valuable resources which is limited. More information can be transmitted through the wireless channel when the cost of using signature to verify the message become less. In order to reduce the bandwidth needed to transmit attribute based signatures and keep signers privacy, attribute based multi-signature scheme(ABMS) was proposed in this paper. Moveover, We formalized and constructed the ABMS. Our scheme is existentially unforgeable against chosen message attack and on Computational Diffie-Hellman(CDH) problem in the standard model. Analysis shows that our ABMS is more appropriate for wireless network to guarantee integrity of the data.

SPEMR: A new secure personal electronic medical record scheme with privilege separation

With the pervasiveness of cloud computing, personal health record (PHR), which is outsourced to the third-party service providers and exchanges health information with patient-centric, has attracted considerable interest recently. However, the flourish of PHR still faces many challenges including privacy preservation and efficiency. Especially, PHR system allows patients to modify electronic medical record (EMR) documents, in which the veracity of patients EMR data has been questioned, even resulting in a few health accidents. In this paper, based on the attribute-based encryption and re-encryption under the attribute group keys, we present a new secure personal electronic medical record scheme, called SPEMR, which is privilege separation under the multi-owner settings. In specific, to achieve the veracity of patients EMR data and fine-grained access control, we introduce a privilege separation mechanism in SPEMR based on the RSA-Based proxy encryption. And in the SPEMR scheme, each patient can fully control the authorization of accessing to their EMR documents, achieve a fine-grained access policy and on-demand revocation. Detailed security analysis shows that the proposed SPEMR can achieve the data privacy preserving, privilege separation, and on-demand revocation.