Yinghui Zhang

Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing

Abstract Although many users outsource their various data to clouds, data security and privacy concerns are still the biggest obstacles that hamper the widespread adoption of cloud computing. Anonymous attribute-based encryption (anonymous ABE) enables fine-grained access control over cloud storage and preserves receivers’ attribute privacy by hiding attribute information in ciphertexts. However, in existing anonymous ABE work, a user knows whether attributes and a hidden policy match or not only after repeating decryption attempts. And, each decryption usually requires many pairings and the computation overhead grows with the complexity of the access formula. Hence, existing schemes suffer a severe efficiency drawback and are not suitable for mobile cloud computing where users may be resource-constrained. In this paper, we propose a novel technique called match-then-decrypt , in which a matching phase is additionally introduced before the decryption phase . This technique works by computing special components in ciphertexts, which are used to perform the test that if the attribute private key matches the hidden access policy in ciphertexts without decryption. For the sake of fast decryption, special attribute secret key components are generated which allow aggregation of pairings during decryption. We propose a basic anonymous ABE construction, and then obtain a security-enhanced extension based on strongly existentially unforgeable one-time signatures. In the proposed constructions, the computation cost of an attribute matching test is less than one decryption operation, which only needs small and constant number of pairings. Formal security analysis and performance comparisons indicate that the proposed solutions simultaneously ensure attribute privacy and improve decryption efficiency for outsourced data storage in mobile cloud computing.

Computationally Efficient Ciphertext-Policy Attribute-Based Encryption with Constant-Size Ciphertexts

Ciphertext-policy attribute-based encryption (CP-ABE) is extremely suitable for cloud computing environment in that it enables data owners to make and enforce access policies themselves. However, most of the existing CP-ABE schemes suffer severe efficiency drawbacks due to large computation cost and ciphertext size, both of which linearly increase with the complexity of access policies. Aiming at tackling the challenge above, in this paper, we propose a CP-ABE scheme which features constant computation cost and constant-size ciphertexts. The proposed CP-ABE scheme is proven selective-secure in the random oracle model under the decision n-Bilinear Diffie-Hellman Exponent (n-BDHE) assumption, where n represents the total number of attributes in universe. In particular, the proposed scheme can efficiently support AND-gate access policies with multiple attribute values and wildcards. Performance comparisons indicate that the proposed CP-ABE scheme is promising in real-world applications, especially for the scenarios where computation and bandwidth issues are major concerns.

Efficient attribute-based data sharing in mobile clouds

Ciphertext-policy attribute-based encryption (CP-ABE) is extremely suitable for cloud computing environment in that it enables data owners to make and enforce access policies themselves. However, most of existing CP-ABE schemes suffer severe efficiency drawbacks due to large ciphertext size and computation cost, and hence are not suitable for mobile clouds, where users are usually resource-limited. In this paper, we first present a generic attribute-based data sharing system based on a hybrid mechanism of CP-ABE and a symmetric encryption scheme. Then, we propose a CP-ABE scheme which features constant computation cost and constant-size ciphertexts. The proposed CP-ABE scheme is proven selective-secure in the random oracle model under the decision n -BDHE assumption, where n represents the total number of attributes in universe. It can efficiently support AND-gate access policies with multiple attribute values and wildcards. Theoretical analysis and experimental results indicate that the proposed scheme is extremely suitable for data sharing in mobile clouds.

Generic construction for secure and efficient handoff authentication schemes in EAP-based wireless networks

As a promising application scenario of wireless technologies, roaming communication initiates the demand for secure and efficient handoff authentication schemes. However, it seems that no existing scheme can simultaneously provide provable security and enjoy desirable efficiency. In this paper, we first utilize the double-trapdoor chameleon hash family to develop a generic method for secure and efficient handoff authentication in EAP-based wireless networks. The main idea is that the verification information, deduced from the one-time trapdoor, provides an authenticated transient Diffie-Hellman key exchange only between a mobile node and an access point. Moreover, we present an instantiation of the generic method based on a special double-trapdoor chameleon hashing. The proposed scheme not only provides robust security, but also enjoys desirable efficiency. To be specific, our scheme is proved to be secure in the random oracle model based on the computational Diffie-Hellman assumption and the unforgeability of an elliptic curve digital signature. Furthermore, formal verification by using the AVISPA tool shows that our scheme resists various malicious attacks. Finally, we evaluate the latency performance by the theoretical analysis and simulation. The results indicate that the proposed scheme achieves desirable efficiency in terms of the computation cost, the communication overhead and the storage requirement.

FDR-ABE: Attribute-Based Encryption with Flexible and Direct Revocation

In attribute-based encryption (ABE) systems, the revocation issue is essential and difficult, since users may change their attributes frequently in practice and each attribute is conceivably shared by multiple users. To our knowledge, all the existing ABE schemes fail to support flexible and direct revocation due to the burdensome update of attribute secret keys and cipher texts. Aiming at tackling the challenge above, in this paper, we formalize the notion of cipher text policy ABE with flexible and direct revocation (FDR-CP-ABE), and give out a concrete construction, which supports direct attribute and user revocation and is applicable to the data sharing architecture. The proposed FDR-CP-ABE scheme outperforms the previous revocation-related methods in that it has constant-size cipher texts and only partial cipher texts need to be updated whenever revocation events occur. Furthermore, we show that our FDR-CP-ABE scheme is provably secure in the standard model and it cannot be achieved by trivial combinations of the techniques of CP-ABE and BE.

Efficient and robust identity-based handoff authentication in wireless networks

In this paper, we propose a new identity-based construction for secure and efficient handoff authentication schemes, in which a special double-trapdoor chameleon hash function serves as the primary ingredient. Compared with all the existing identity-based handoff-related schemes, the main advantage of the proposed scheme eliminates the assumption that PKG is fully trusted. Besides, we show that the proposed scheme not only provides robust security properties, but also enjoys desirable efficiency for the real-world applications.

Efficient and robust identity-based handoff authentication for EAP-based wireless networks

The Extensible Authentication Protocol (EAP) framework aims to realize a flexible authentication for wireless networks. However, a full EAP authentication needs several round trips between a mobile node and the EAP server, and hence is unacceptable in a process of handoff authentication because of inefficient performance. Considering the advantage of the identity‐based cryptography, it is attractive to realize handoff authentication efficiently in the identity‐based setting. In this work, we propose a new identity‐based handoff authentication scheme in which a special double‐trapdoor chameleon hash function is used. Compared with the existing identity‐based handoff authentication construction, the main advantage of the proposed scheme eliminates the assumption that the private key generator is fully trusted. Besides, the detailed security analysis shows that the proposed scheme not only satisfies robust security properties but also enjoys desirable efficiency for the real‐world applications. Copyright © 2013 John Wiley & Sons, Ltd.

Key Policy Attribute-Based Proxy Re-encryption with Matrix Access Structure

Cloud computing has achieved rapid development. The cloud server even provides unlimited storage and powerful computing capability as services. A lot of attribute-based schemes have been constructed for cloud computing to come into practical applications. To our knowledge, there seems no flexible key policy attribute-based proxy re-encryption (KP-AB-PRE) scheme in the literature, which is a promising cryptographic primitive. In this paper, we propose a KP-ABPRE scheme, in which the cloud server can function as the proxy. In the proposed scheme, matrix access structure is used for the key policy. Furthermore, our construction enjoys the desirable properties of unidirectionality, non-interactivity, and multi-Use, and the secret key security is guaranteed.

Efficient and robust attribute-based encryption supporting access policy hiding in Internet of Things

The term of Internet of Things (IoT) remarkably increases the ubiquity of the internet by integrating smart object-based infrastructures. How to achieve efficient fine-grained data access control while preserving data privacy is a challenge task in the scenario of IoT. Despite ciphertext-policy attribute-based encryption (CP-ABE) can provide fine-grained data access control by allowing the specific users whose attributes match the access policy to decrypt ciphertexts. However, existing CP-ABE schemes will leak users attribute values to the attribute authority (AA) in the phase of key generation, which poses a significant threat to users privacy. To address this issue, we propose a new CP-ABE scheme which can successfully protect the users attribute values against the AA based on 1-out-of-n oblivious transfer technique. In addition, we use Attribute Bloom Filter to protect the attribute type of the access policy in the ciphertext. Finally, security and efficiency evaluations show that the proposed scheme can achieve the desired security goals, while keeping comparable computation overhead. We propose an efficient and robust attribute-encryption scheme supporting access policy hidden based on 1-out-of-n oblivious transfer.Our scheme does not require any change for the outsourced data in case of a new data is uploaded.We show how to extend the proposed scheme to support multi-user scenarios.