Zheli Liu

L-EncDB: A Lightweight Framework for Privacy-Preserving Data Queries in Cloud Computing

With the advent of cloud computing, individuals and organizations have become interested in moving their databases from local to remote cloud servers. However, data owners and cloud service providers are not in the same trusted domain in practice. For the protection of data privacy, sensitive data usually have to be encrypted before outsourcing, which makes effective database utilization a very challenging task. To address this challenge, in this paper, we propose L-EncDB, a novel lightweight encryption mechanism for database, which (i) keeps the database structure and (ii) supports efficient SQL-based queries. To achieve this goal, a new format-preserving encryption (FPE) scheme is constructed in this paper, which can be used to encrypt all types of character strings stored in database. Extensive analysis demonstrates that the proposed L-EncDB scheme is highly efficient and provably secure under existing security model.

New order preserving encryption model for outsourced databases in cloud environments

The order of the plaintext remains in the ciphertext, so order-preserving encryption (OPE) scheme is under threat if the adversary is allowed to query for many times. To hide the order in the ciphertext, the only ideal-security OPE scheme (Popa et al., 2013) requires the database server to maintain extra information and realize comparison or range query by user defined functions (UDFs). However, order operations will no longer be performed directly on the ciphertext. It will affect the efficiency and make this scheme to be not suitable for some cases.In this paper, we aim at constructing efficient and programmable OPE scheme for outsourced databases. Firstly, we introduce the system model of outsourced database where OPE scheme will be used, show that ciphertext-only attack is basic and practical security goal. Secondly, we discuss the statistical attack for OPE schemes, point out how to hide data distribution and data frequency is important when designing OPE schemes. Thirdly, we propose a new simple OPE model, which uses message space expansion and nonlinear space split to hide data distribution and frequency and further analyze its security against two kinds of attack in details. Finally, we discuss implementation details including how to use our OPE scheme in the database applications. And we also evaluate its performance through the experiment. The security analysis and performance evaluation show that our OPE scheme is secure enough and more efficient.

Efficient keyword search over encrypted data with fine-grained access control in hybrid cloud

As cloud computing becomes prevalent, more and more sensitive information is being centralized into the cloud, which raises a new challenge on how to efficiently share the outsourced data in a fine-grained manner. Although searchable encryption allows for privacy-preserving keyword search over encrypted data in public cloud, it could not work effectively for supporting fine-grained access control over encrypted data simultaneously. In this paper, we consider to tackle the challenge above under a hybrid architecture in which a private cloud is introduced as an access interface between users and public cloud. We firstly propose a basic scheme allowing both exact keyword search and fine-grained access control over encrypted data. Furthermore, an advanced scheme supporting fuzzy keyword search is presented. In both schemes, overhead computation is securely outsourced to private cloud but only left behind the file encryption and decryption at user side. Finally, we demonstrate approaches to realize outsourcing cryptographic access control mechanism and further relieve the computational cost at user side.

Location-Sharing Systems With Enhanced Privacy in Mobile Online Social Networks

Location sharing is one of the critical components in mobile online social networks (mOSNs), which has attracted much attention recently. With the advent of mOSNs, more and more users location information will be collected by the service providers in mOSN. However, the users privacy, including location privacy and social network privacy, cannot be guaranteed in the previous work without the trust assumption on the service providers. In this paper, aiming at achieving enhanced privacy against the insider attack launched by the service providers in mOSNs, we introduce a new architecture with multiple location servers for the first time and propose a secure solution supporting location sharing among friends and strangers in location-based applications. In our construction, the users friend set in each friends query submitted to the location servers is divided into multiple subsets by the social network server randomly. Each location server can only get a subset of friends, instead of the whole friends set of the user as the previous work. In addition, for the first time, we propose a location-sharing construction which provides checkability of the searching results returned from location servers in an efficient way. We also prove that the new construction is secure under the stronger security model with enhanced privacy. Finally, we provide extensive experimental results to demonstrate the efficiency of our proposed construction.

Differentially private Naive Bayes learning over multiple data sources

Abstract For meeting diverse requirements of data analysis, the machine learning classifier has been provided as a tool to evaluate data in many applications. Due to privacy concerns of preventing disclosing sensitive information, data owners often suppress their data for an untrusted trainer to train a classifier. Some existing work proposed privacy-preserving solutions for learning algorithms, which allow a trainer to build a classifier over the data from a single owner. However, they cannot be directly used in the multi-owner setting where each owner is not totally trusted for each other. In this paper, we propose a novel privacy-preserving Naive Bayes learning scheme with multiple data sources. The proposed scheme enables a trainer to train a Naive Bayes classifier over the dataset provided jointly by different data owners, without the help of a trusted curator. The training result can achieve ϵ-differential privacy while the training will not break the privacy of each owner. We implement the prototype of the scheme and conduct corresponding experiment.

Degradation and encryption for outsourced PNG images in cloud storage

In cloud storage environment, users frequently store images and retrieve them by personal device, including mobile phones. However, the content of outsourced images will be leaked to the cloud server, which is not trusted by users. To protect the privacy of sensitive images, this paper proposes format-compliant degradation and encryption method for Portable Network Graphics PNG. More specifically, for PNG degradation, improved prefix method and noise generation methods are developed. Furthermore, for PNG encryption, a modified generalised-Feistel method is developed. Finally, our security analysis demonstrates that the proposed scheme is secure. Our experiment results also show that the scheme is efficient and practical.

HybridORAM: Practical oblivious cloud storage with constant bandwidth

Abstract Along with the popularity of outsourcing data to the cloud server, data privacy becomes a central consideration. Because encryption alone has been proved insecure for the leakages of access pattern, Oblivious RAM (ORAM) was proposed to protect where, when and how often the data block has been accessed. However, different types of ORAM implementations have different limitations in terms of significant bandwidth cost or massive storage space, making them impractical for some applications like Internet of Things (IoT). In this paper, we present a practical ORAM, called HybridORAM, with constant bandwidth, which can be applied in wide application scopes. HybridORAM explores a new ORAM design to combine the advantages of layer and tree ORAMs; more specifically, it combines the frequently-accessed small levels of the former to improve the response time, and the small shuffle of the latter to save the storage capacity. Compared to the typical schemes, HybridORAM has an efficient response time reduced by O(logu2009k), low bandwidth cost optimized from O(logu2009Nu202f·u202fB) to O(B) and small client storage, where k is level size factor, B is block size, N is the number of real blocks in ORAM. Experiments show that the response time of HybridORAM is 50.3% shorter than OnionORAM and 34.8% shorter than OS-PIR by practical parameters.

Cloud-based electronic health record system supporting fuzzy keyword search

As cloud computing becomes prevalent, electronic health record (EHR) system has appeared in the form of patient centric, in which more and more sensitive information from patients is being uploaded into the cloud. To protect patients’ privacy, sensitive EHR information has to be encrypted before outsourcing. However, this makes effective data utilization, such as fuzzy keyword search and data sharing, a very challenging problem. In this paper, aiming at allowing for securely storing, sharing and effectively utilizing the EHR, a new cloud-based EHR system is proposed. A binary tree is utilized to store the encrypted records in the proposed scheme, and an attribute-based encryption scheme is applied to encrypt the secret keys. The proposed system is very efficient because only symmetric encryption is introduced to encrypt the records. To support effectively retrieve patients’ records, an efficient fuzzy keyword search over encrypted data is proposed without reliance on heavy cryptographic operations, which greatly enhances system usability by returning the matching files. With rigorous security analysis, we show that the proposed scheme is secure, while it realized privacy-preserving data sharing and fuzzy keyword search. Extensive experimental results illustrate the efficiency of the proposed solution.

Enabling efficient and secure data sharing in cloud computing

With the rapid development of cloud computing, more and more data are being centralized into remote cloud server for sharing, which raises a challenge on how to keep them both private and accessible. Although searchable encryption provides an efficient solution to support keyword‐based search directly on encrypted data, considering its application in file sharing, existing work depends on key sharing among authorized users, which inevitably causes the risks of key exposure and abuse. In this paper, aiming at enabling efficient and secure data sharing in cloud computing, we provide a generic construction for this purpose. The proposed construction is full‐featured: (i) It enables authorized users to perform keyword‐based search directly on encrypted data without sharing the unique secret key; and (ii) it provides two‐layered access control to limit unauthorized users access to the shared data. On the basis of the proposed generic construction, we utilize the existing techniques on identity‐based broadcast encryption and public key searchable encryption to instantiate a concrete construction. Copyright

Efficient Identity-based Broadcast Encryption without Random Oracles

We propose a new efficient identity-based broadcast encryption scheme without random oracles and prove that it achieves selective identity, chosen plaintext security. Our scheme is constructed based on bilinear Diffie-Hellman inversion assumption and it is a good efficient hybrid encryption scheme, which achieves O (1) -size ciphertexts, public parameters and constant size private keys. In our scheme, either ciphertexts or public parameters has no relation with the number of receivers, moreover, both the encryption and decryption only require one pairing computation. Compared with other identity-based broadcast encryption schemes, our scheme has comparable properties, but with a better efficiency.