Enabling efficient and secure data sharing in cloud computing

CONCURRENCY AND COMPUTATION: PRACTICE AND EXPERIENCE Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 Published online 21 June 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/cpe.3067

SPECIAL ISSUE PAPER

Enabling efficient and secure data sharing in cloud computing‡ Jingwei Li 1 , Jin Li 2 , Zheli Liu 1, * ,† and Chunfu Jia 1 1 College

of Information Technical Science, Nankai University, Tianjin, China of Computer Science, Guangzhou University, Guangzhou, China

2 School

SUMMARY With the rapid development of cloud computing, more and more data are being centralized into remote cloud server for sharing, which raises a challenge on how to keep them both private and accessible. Although searchable encryption provides an efficient solution to support keyword-based search directly on encrypted data, considering its application in file sharing, existing work depends on key sharing among authorized users, which inevitably causes the risks of key exposure and abuse. In this paper, aiming at enabling efficient and secure data sharing in cloud computing, we provide a generic construction for this purpose. The proposed construction is full-featured: (i) It enables authorized users to perform keyword-based search directly on encrypted data without sharing the unique secret key; and (ii) it provides two-layered access control to limit unauthorized user’s access to the shared data. On the basis of the proposed generic construction, we utilize the existing techniques on identity-based broadcast encryption and public key searchable encryption to instantiate a concrete construction. Copyright © 2013 John Wiley & Sons, Ltd. Received 2 May 2013; Revised 4 May 2013; Accepted 6 May 2013 KEY WORDS:

access control; broadcast encryption; privacy-preserving keyword search; cloud computing

1. INTRODUCTION With the rapid growth of data within organizations, it is desirable to make data storage and management outsourcing and enjoy the best-of-breed applications from a shared pool of configurable resources. The new coming term commonly referred to as cloud computing has made this dream come true. It delivers computing as a service rather than a product, whereby shared resources, softwares, and informations are provided to computers and other devices as a utility over a network. Recently, more and more data are being centralized into cloud for secure storage and sharing, such as emails, personal health records, private videos and photos, company finance data, and government documents. Although cloud computing has been rapidly developed, user’s concerns about data security are the main obstacles that impede cloud computing from widely deployed. These concerns, ranging from security and privacy of outsourced data to unauthorized access to shared data, are originated from the fact that cloud servers are very likely to be in a different trusted domain from that of the cloud users. To eliminate these concerns, a natural solution is to encrypt data by client before outsourcing. However, encryption may destroy some implicit attributes of original data and render the encrypted data difficult to be utilized. This fact would cause most of data operations impossible. For example, if a user wants to retrieve documents containing a certain keyword, he/she has to download all the data and decrypt it locally, causing huge communication and computation overhead. *Correspondence to: Zheli Liu, College of Information Technical Science, Nankai University, Weijin Road No. 94, Tianjin, China. † E-mail: [email protected] ‡ A preliminary version of this paper has been presented at 4th International Conference on Intelligent Networking and Collaborative Systems (INCoS 2012). Copyright © 2013 John Wiley & Sons, Ltd.

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1053

Searchable encryption, initiated by Song et al. [1], allows to perform keyword-based search directly on encrypted data without decryption. The technology roughly divides the cryptographic components into the client and the server side: client is able to encrypt/decrypt data and generate trapdoor for query while server processes keyword-based search. Although this technology is secure and effective, existing work on searchable encryption is not suitable for data sharing [2, 3] in cloud computing: it just allows authorized users to perform encryption/decryption and generate trapdoor for certain keyword through sharing a secret key. This implies that the operations are allowed to be executed by a group of users with the same secret key. As a result, it not only increases the risk of key exposure or key abuse but also makes it hard to revoke user’s search and decryption abilities. For example, a single user’s revocation indicates secret key changing globally, resulting in decrypting all the data with old keys and re-encrypting it using a newly updated key. For large data sets, this solution is obviously impractical. 1.1. Contribution In this paper, we consider to realize efficient and secure data sharing in hybrid cloud, that is, a trusted private cloud and a public cloud are assumed in our system. The utilization of the hybrid cloud computing system not only enables the users to search efficiently but also reaps the benefits of having fine-grained access to services and applications from cloud service providers. This allows us to expand our web presence and still maintain some level of autonomy and privacy. Under the hybrid architecture, we provide a generic construction for secure outsourcing and sharing searchable encrypted data. The construction does not rely on shared keys and has the following features.  Two-layered access control. Our construction provides two-layered access control on shared

encrypted data. (i) On the first layer, an authorization and revocation mechanism is provided: each authorized user is able to obtain his/her individual private key to perform search and decryption. After a user’s key has been revoked, the user will no longer be able to read and search the shared data. (ii) On the second layer, an identity-based access control mechanism is provided: any user is allowed to submit a set of identities along with the uploading encrypted data to public cloud server to restrict that only the users in the set are able to successfully search for and perform decryption on the shared encrypted data.  Keyword-based search. Authorized user is able to use his/her individual private key to generate query for some certain keyword. Public cloud server performs ‘test’ on each encrypted data and returns the matched data. In addition, on the basis of the proposed generic construction, we utilize the existing techniques on identity-based broadcast encryption (IBBE) and public key searchable encryption to instantiate a concrete construction. 1.2. Organization This paper is organized as follows: In Section 2, we introduce the related work. In Section 3, we provide the system model and security definition for data sharing in cloud computing. A generic construction and its rigorous security analysis are presented in Section 4. On the basis of the generic construction, in Section 5, we utilize the existing technique to instantiate a concrete construction and provide a simulation as well. The final conclusion is drawn in Section 6. 2. RELATED WORK The problem of searching on encrypted data can be solved in its full generality using the work of Goldreich and Ostrovsky [4] on oblivious RAMs. Unfortunately, this approach requires multiple interactions and has a high overhead. The symmetric searchable encryption (SSE) is proposed by Song et al. [1], in which a user stores his/her encrypted data in a semitrusted server and later searches with a certain keyword. In [1], each word is independently encrypted under a specified two-layered encryption. Later, Goh [5] introduced bloom filter to construct secure indexes for keyword search, which allows server to check if Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1054

J. LI ET AL.

a document contains a certain keyword without decrypting the entire document. Chang et al. [6] offered solutions to the problem of privacy-preserving keyword search through building pseudorandom bits to mask a dictionary-based keyword index for each file. A formal treatment to SSE was presented by Curtmola et al. [7]. They provided the improved security notions for SSE and presented ‘index’ approach, in which an array and a look-up table are built for the entire document collection. Each entry of the array is used to store an encryption of document identifier set associated with a certain keyword, whereas the look-up table enables one to locate and decrypt the appropriate entry from array. Subsequently, aiming at providing SSE with efficient search and update, Liesdonk et al. [8] presented two schemes: the first one transforms each unique keyword to a searchable representation such that user can keep track of the set of associated keywords via appropriate trapdoor. The second one deploys a hash chain by applying repeatedly a hash function to an initial seed. Because only the user knows the seed, he/she is able to traverse the chain forward and backward, whereas the server is able to traverse the chain forward only. Li et al. [9] provided a fuzzy keyword search scheme in the symmetric key setting. Recently, Kurosawa et al. [10] formulated the universal composability security of SSE and then presented an efficient construction which satisfies the universal composability security definition. Kamara et al. [11] proposed a scheme supporting both sublinear search time and the ability of efficient adding and deleting outsourced files. Searchable encryption in public key setting, originating from store-and-forward system, such as email system, in which a receiver can search data encrypted under the receiver’s public key on an outsourced storage system, is initiated by Boneh et al. [12]. They firstly suggested a public key encryption with keyword search (PEKS) construction with bilinear Diffie–Hellman assumption in random oracle. Accordingly, Khader [13] constructed a PEKS scheme, which is secure under a chosen keyword attack without random oracle, and Crescenzo [14] drew a construction without bilinear map. Recently, several researchers focused on making improvement and extension on Boneh’s construction [12], such as conjunctive keyword search [15–17], secure against keyword-guessing attack [18–20], and keyword search with delegated server [21–24]. Another line of work on privacy-preserving keyword search uses deterministic encryption [25,26] to enable search on encrypted data with existing database and search techniques. This approach differs from SSE as it only provides security for data and queries that have high entropy. We note that almost all the existing searchable encryption schemes need to share a private key leading to the risk of key exposure in sharing environment. Although [16] provided an extension to multiuser setting, their scheme needs to generate private key for users in setup phase and cannot support for user’s dynamic authorization or revocation. Some other work similar to ours are [27–30]. In [27], a scheme is provided, which enables efficient multidimensional keywords search simultaneously with range query and delegation and revocation of searching capabilities. In [28], the authors proposed an encryption scheme where each authorized user in the system has his/her own key to encrypt/decrypt data and perform keywordbased search. Compared with our work, the two lack of the support for access control on encrypted data. More precisely, their constructions only support for authorization on user according to some authentication information, whereas ours allows two-layered access control mechanism. On the first layer, it is similar to the both work, but on the second layer, the access control takes effect on encrypted data to restrict some users to access it even if they are authorized. Moreover, in [29], a searchable encryption scheme in multiuser setting is built over a hybrid cloud, whereas, this work is in a line of [30] but provides a more rigorous attention on the problem of efficient and secure data sharing in hybrid cloud and instantiate a concrete construction to explore its application in practice. 3. SYSTEM MODEL AND SECURITY DEFINITION 3.1. System model We present our system model in Figure 1, in which four entities namely users, trusted private cloud, public cloud server and authority are involved. The group of users make use of the storage service offered by a cloud service provider to outsource their data in a secure way for sharing. More precisely, the data owner in the group uploads a Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1055

Figure 1. Hybrid cloud computing model.

collection of encrypted documents, a set of related keywords and a set of included users to the public cloud server. It only allows the authorized users (i.e., having obtained private keys from authority) in the set to perform keyword-based search on the encrypted documents. To achieve this goal (i.e., supporting access control and keyword-based search simultaneously), a trusted private cloud is utilized in the proposed model. It aims to provide a user fully trusted interface for secure storage. The interface allows to securely submit querying keyword. We require that the low bandwidth connection between user and private cloud is protected by a secure channel (e.g., via SSL/TLS). Actually, this hybrid cloud setting has attracted more and more attentions recently. For example, an enterprise might use a public cloud service, such as Amazon S3 for archived data but continue to maintain in-house storage for operational customer data. Alternatively, the trusted private cloud could be a cluster of virtualized cryptographic coprocessors, which are offered as a service by a third party and which provide the necessary hardware-based security features to implement a remote execution environment trusted by the users. On the basis of the hybrid cloud setting, let U be the user identity universe, ˙ be the dictionary, and M be the message space, we can define algorithms as follows which will be involved in our scheme.  Setup., n/. This algorithm is executed by the authority, which takes as input the security





 

parameter  and the number of users in the system n, and outputs the master key MK and the public key PK. Extract.MK, IDi /. This algorithm is executed by authority. Upon receiving a private key request on identity IDi , it takes as input the master key MK and outputs the user private key SKi . Encrypt.S, M , W/. This algorithm is executed by the data owner. Taking as input the set of authorized users S  U , the message M 2 M and the set of keywords W  ˙ , it outputs the ciphertext CT D .S, hdr, CM , CW /. We refer to .S, hdr/ as the full header for ciphertext, and CM and CW , which is message ciphertext and keyword ciphertext respectively as ciphertext body. We note that the key encapsulation mechanism (KEM) and data encryption mechanism (DEM) [31] are followed in CM production. That is, when a message M 2 M is to be encrypted, a KEM is used to encapsulate a symmetric key, whereas DEM encrypts M with such a session key. Query.SKi , IDi , W /. This algorithm is executed by a user. Taking as input the user’s private key SKi , the user’s identity IDi and the keyword W for querying, it outputs user’s query Qi ,W . Trapdoor.MK, Qi ,W /. This algorithm is executed by the trusted private cloud. Taking as input the master key MK and the user’s query Qi ,W , it outputs the trapdoor TPi ,W .

Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1056

J. LI ET AL.

Figure 2. Security games for message privacy.

 Test.CT, TPi ,W /. This algorithm is executed by the public cloud server to search the matched

ciphertext. It takes as input a ciphertext CT and the trapdoor TPi ,W and outputs ‘yes’ or ‘no’. If ‘yes’ is output, the tested ciphertext CT matches TPi ,W .  Decrypt.PK, SKi , S, hdr, CM /. This algorithm is executed by user. Taking as input the public key PK, the user’s private key SKi and the returned ciphertext .S, hdr, CM /, it outputs the original message M or ?. We note that for saving bandwidth, only the full header and message ciphertext are transmitted back to users. 3.2. Security definition We assume the private cloud is fully trusted and consider the public cloud server ‘honest-butcurious’, more precisely, it will follow our proposed protocol but try to find out as much secret information as possible based on its possessions. Thus, two types of adversaries are considered: (i) A curious server, which can potentially access all the ciphertexts; and (ii) a curious user, who can obtain his/her individual private key and share his/her authentication with other users. We note that as the server is honest, the two types of adversaries cannot collude together. Because the ciphertext shared in the system is encoded by message and keyword, we have two security demands: The first is message privacy, which requires that adversary could not learn anything from the message ciphertext. As shown in Figure 2, in the message privacy security game, we allow the adversary to access private key oracle and encryption oracle which coincides with the assumptions that curious users could collaborate together and encrypted documents transferred in the public channel are able to be intercepted. The advantage of an adversary A in the security game for message privacy is defined as PrŒb 0 D b  12 . Definition 1 (Message privacy) A scheme is secure for message privacy if all polynomial-time adversaries have at most a negligible advantage in the security game for message privacy. The second security notion needed to be considered is keyword privacy. It requires that a keyword ciphertext payload of the ciphertext does not reveal any information about the underlying keyword encrypted. This is covered by the ‘semantic security of PEKS against chosen keyword attack’ [12]. In our setting, this requirement relies on two sides. That is, on one side, it is required that the curious users could not distinguish ciphertexts even if they collaborate together; on the other side, the curious server should learn nothing about the original keywords through ciphertext or trapdoors. 4. GENERIC CONSTRUCTION 4.1. Building blocks Before providing the proposed generic construction, we will briefly review the definition of IBBE [32–38] and PEKS [12–14] first. Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1057

4.1.1. Identity-based broadcast encryption. An IBBE scheme IBBE with security parameter  and maximal size n of the target user set is a tuple of algorithms described as follows.  Setup., n/ W Taking as input the security parameter  and the maximal size of the set of

receivers n for one encryption, the algorithm outputs a master key MK and a public key PK.  Extract.MK, ID/ W Taking as input the master key MK and a user identity IDi , the algorithm

outputs a user private key SKi .

 Encrypt.S, PK/ W Taking as input the public key PK and a set of included identities S D

fID1 , ID2 , : : : , IDs g with s 6 n, the algorithm outputs a pair .hdr, K/ where hdr is the header and K is a symmetric session key.  Decrypt.S, IDi , SKi , hdr/ W The algorithm takes as input a subset S D fID1 , ID2 , : : : , IDs g with s 6 n, an identity IDi , the corresponding private key SKi and a ciphertext header hdr. If ID 2 S, it outputs the symmetric session key K which is then used to decrypt the broadcast body and recover original message. 4.1.2. Public key encryption with keyword search. A PEKS scheme PEKS with security parameter  is a tuple of algorithms described as follows.  Setup./ W Taking as input the security parameter , the algorithm outputs the public and

private key pair .PK, SK/.  Encrypt.W , PK/ W Taking as input a keyword W and the public key PK, the algorithm outputs

CW which is a searchable encryption of W .  Trapdoor.SK, W / W Taking as input the private key SK and a keyword W , the algorithm

produces a trapdoor TW for W .  Test.CW 0 , TW / W Taking as input the searchable encryption CW 0 and the trapdoor TW , the

algorithm outputs ‘yes’ if W D W 0 and ‘no’ otherwise.

4.2. Proposed algorithms Let IBBE denote an IBBE scheme, SE denote a symmetric encryption scheme, SIG denote a digital signature scheme, and PEKS denote a PEKS scheme. We now attempt to use these primitives to provide generic construction for sharing searchable encrypted data in hybrid cloud.  Setup., n/ W In this algorithm, the authority runs IBBE.Setup., n/ and PEKS.Setup./









to obtain .PKIBBE , MKIBBE / and .PKPEKS , SKPEKS / respectively. In addition, an authorized user table Tuser is established and initialized. Finally output the public key PK D .PKIBBE , PKPEKS / and the master key MK D .MKIBBE , SKPEKS , Tuser /. Extract.MK, IDi / W Upon receiving a private key request on identity IDi , the authority runs SIG.Setup./ to obtain the key pair .VKiSIG , SKiSIG / for digital signature and computes SKiIBBE D IBBE.Extract.MKIBBE , IDi /. Finally after sending the entry .IDi , VKiSIG / to the trusted private cloud to be added into Tuser , the authority outputs user IDi ’s private key SKi D .SKiIBBE , SKiSIG /. Encrypt.S, M , W/ W Suppose a data owner wants to upload data M with related keywords W D fW1 , : : : , Wk g. He/she firstly runs IBBE.Encrypt.S, PKIBBE / to produce a session key K and its header hdr, and computes the encrypted message CM D SE.Encrypt.K, M /. After that, continue to perform searchable encryption on related keywords. More precisely, for each i D 1, 2i, : : : , k, run PEKS.Encrypt.Wi , PKPEKS / to obtain CWi . Finally, output ciphertext CT D .S, hdr, CM , CW D fCWi gkiD1 /. Query.SKi , IDi , W / W To submit a keyword-based query to the trusted private cloud, user computes the signature i , W D SIG.Sign.SKiSIG , IDi jjW /. Finally output user IDi ’s query Qi , W D .IDi , W , i , W /. Trapdoor.MK, Qi , W / W Upon receiving user’s query, the trusted private cloud needs to translate it into encrypted form. More precisely, the trusted private cloud firstly checks the validity of the query by finding the pair .IDi , VKiSIG / in Tuser and examining

Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1058

J. LI ET AL. ‹

SIG.Verify.VKiSIG , IDi jjW , i , W / D 1: if not valid, return ?; otherwise, compute TW D PEKS.Trapdoor.SKPEKS , W / and output the trapdoor TPi , W D .IDi , TW /.  Test.CT, TPi , W / W Upon receiving a trapdoor TPi , W from the trusted private cloud, the cloud server performs search by testing on each ciphertext. Specifically, in the test algorithm for each ciphertext CT D .S, hdr, CM , CW /, if IDi … S, directly output ‘no’. Otherwise check whether there exists some j D 1, 2, : : : , k such that PEKS.Test.CW 0 , TW / D 1, if so output ‘yes’; otherwise output ‘no’.  Decrypt.PK, SKi , S, hdr, CM / W Upon receiving the query result .S, hdr, CM /, data user obtains the session key by computing K D IBBE.Decrypt.S, IDi , SKiIBBE , hdr/. If K D? output ?, otherwise continue to recover and output the original message M D SE.Decrypt.K, CM /.

4.3. Working stages On the basis of the proposed algorithms, we can specify how the proposed generic construction works for secure and efficient data sharing in hybrid cloud, which involves five stages namely initialization, new user grant, data upload, data access, and user revocation.  Initialization. In the Initialization stage as shown in Figure 3, the authority runs Setup., n/









to obtain the public key PK and the master key MK D .MKIBBE , MKPEKS /. Finally, PK is published out, whereas MKIBBE and MKPEKS are kept secret at authority and trusted private cloud respectively. Data upload. Any user is able to submit a specified set S of identities along with the encrypted message directly to the storage and only authorized users in S is allowed to search for and decrypt the encrypted message with their private keys. The whole uploading does not need trusted private cloud’s involving. As shown in Figure 3(b), when a message M 2 M is to be outsourced and shared with users in S, the data owner runs Encrypt.S, M , W/ and finally submits the whole ciphertext CT D .S, hdr, CM , fCWi gkiD1 / to the public cloud server. New user grant. A new coming user needs to apply to authority for his/her individual private key, which is used for keyword-based search and performing decryption on the returned encrypted message. The stage is similar to private key extraction in identity-based broadcast encryption. The only difference is that a digital signature is used to avoid unauthorized user forging query and the registration information should be updated at trusted private cloud. More precisely, as shown in Figure 3(c), the new coming user submits his/her identity IDi to the authority. On one hand, authority runs Extract.MK, IDi / to extract the user’s private key .SKiIBBE , SKiSIG / and sends it back through secure channel. On the other hand, the registration information is sent to the trusted private cloud to update the authorized user table Tuser . Data access. This stage is a bit complex in the proposed construction. Assume an authorized user IDi wants to search the encrypted message correlated with a certain keyword W . As shown in Figure 3(d), firstly, he/she should run Query.SKi , IDi , W / to generate the query Qi , W D .IDi , W , i , W / and submit it to trusted private cloud through secure channel. Secondly, after receiving the query, trusted private cloud executes Trapdoor.SKPEKS , Qi , W / to generate the trapdoor TPi , W and transmits it to public cloud server. Thirdly, when receiving the trapdoor, the cloud server uses Test.CT, TPi , W / to perform tests on each ciphertext CT and returns the matched ones to user. (4) Finally, user IDi performs a two-phased decryption on returned data with SKi and recovers the original message M . User revocation. Intuitively, because each user has his individual private key, revocation is able to be realized by deleting the corresponding registration information in Tuser . More precisely, if authority determines to revoke user IDi ’s keyword-based searching ability, it only needs to send revocation list fIDi g to trusted private cloud to delete the pair .IDi , VKiSIG / in Tuser . Afterwards, for each query from user IDi , the trusted private cloud cannot find the pair .IDi , VKiSIG / in Tuser , accordingly, such a query is not allowed.

Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1059

(b) Data Upload

(a) Initialization

(c) New User Grant

(d) Data Access Figure 3. Working stages for generic construction.

4.4. Security analysis Our security analysis lies in two folds, message privacy and keyword privacy. 4.4.1. Message privacy. Intuitively, in the proposed generic construction, message is encrypted using KEM-DEM philosophy, more precisely, IBBE works as a KEM to produce a random symmetric key and SE is used to encrypt original message with such a session key. If SE is indistinguishability under chosen plaintext attack (IND-CPA) secure, the cloud server without the symmetric key cannot obtain any information about original message. At the same time, the symmetric key is protected by IBBE, thus the storage is not able to recover the key if IBBE is secure. After the intuition earlier, we will provide the formal proof as follows. Theorem 1 If SE is IND-CPA secure and IBBE is secure in selective model, the proposed generic construction is secure in the sense of message privacy. Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1060

J. LI ET AL.

Proof We now give a proof of message privacy using a sequence of games. Game 0: Fix an efficient adversary AM and define game 0 to be the attack game against challenger in the security game of message privacy. Specifically, in the initial phase, AM outputs S  and W  for challenge. Next, after given pubic key PK, in the first stage, AM is allowed to adaptively make queries on private key oracle and encryption oracle to obtain SK and CT. In the challenge phase, AM outputs two messages M0 and M1 with the restriction jM0 j D jM1 j. The challenger flips a random coin b and returns the challenge ciphertext CT D Encrypt.PK, S  , Mb , W  /. Then, AM is allowed to continue to make more queries on private key oracle and encryption oracle. Finally, AM outputs a bit b 0 which is a guess of b. Game 1: It is just the same as game 0 but with the only difference that the challenger responds with a random symmetric key encapsulated. More precisely, in the challenge phase, after receiving M0 and M1 from adversary AM . The challenger obtains a session key K through running .hdrK , K/ D IBBE.Encrypt.S  , PKIBBE /. Next, it flips a random coin b 2 f0, 1g and uses  such session key to encapsulate message by running CM D SE.Encrypt.K, Mb /. Unlike game 0, it also produces an encapsulation for another random symmetric key by running .hdrKr , Kr / D IBBE.Encrypt.S, PKIBBE / where S is a random subset of U . After that, challenger continues to perform searchable encryption on related keywords. Finally, challenger returns the challenge   k ciphertext as C T  D .S  , CM , hdrKr , fCW g /. i i D1 Game 2: It is just the same as game 1 with the only difference that the challenger furthermore responds with a random message encapsulated. Specifically, in the challenge phase, after receiving M0 and M1 from adversary AM , the challenger flips a random coin b 2 f0, 1g. Next, it obtains a random key encapsulation by running .hdrKr , Kr / D IBBE.Encrypt.S, PKIBBE / where S is a random subset of U . Furthermore, challenger picks Mr 2R M and encapsulates  it with the normal symmetric key K to obtain CM . After that, the challenger continues to perr form searchable encryption on related keywords. Finally, challenger returns the challenge ciphertext   k CT D .S  , CM , hdrKr , fCW g /. r i i D1 Obviously, if we define S0 to be the event that b D b 0 , then the adversary’s advantage in security  k game for message privacy is jPrŒS0   12 j. After noting that .S  , fCW g / is independent with i i D1  .hdr, CM / and has no effect on adversary’s decision, we have three claims: Claim 1. Suppose IBBE is attacked by at most the probability of IBBE in the sense of IND-CPA, and S1 is the event that b D b 0 in game 1, then jPrŒS0   PrŒS1 j 6 IBBE .  This claim replies on the observation that the pair .hdr, CM / is of the form .hdrK , SE.Encrypt .K, Mb // where hdrK is the encapsulation of K in game 0, whereas in game 1, it is of the form .hdrKr , SE.Encrypt.K, Mb // for a random Kr . Therefore, any adversary should have at most IBBE in noticing the difference. Claim 2. Suppose that SE is attacked by at most the probability of SE in the sense of IND-CPA, and S2 is the event that b D b 0 in game 2, then jPrŒS1   PrŒS2 j 6 SE .  Similar to claim 1, this claim follows the fact that the pair .hdr, CM / is of the form .hdrKr , SE.Encrypt.K, Mb // in game 1, whereas, that is, .hdrKr , SE.Encrypt.K, Mr // for a random message Mr 2 M. Therefore, any adversary should have at most SE in detecting the difference in the both cases. PrŒS2  D 12 . We note that b is independent on any part of the challenge ciphertext in game 2. Therefore, adversary has nothing useful information to guess b, but attempts to output a random value. At this time, PrŒS2  D 12 . Combining the three claims earlier, we have the advantage of AM in attacking proposed generic construction in the sense of message privacy as jPrŒS0   12 j 6 IBBE C SE which is negligible because both IBBE and SE are negligible.  4.4.2. Keyword privacy. PEKS is utilized in the proposed framework to keep security for both the keyword and trapdoor. The mechanism not only uses encryption algorithm to protect Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1061

original keywords but also generates trapdoor to make instead of the queried keyword being submitted to storage. Theorem 2 If PEKS is semantic secure, the proposed generic construction is secure in the sense of keyword privacy. Proof Because it is easily obtained, we only provide a sketch of proof, which relies on two sides: curious users and curious server. For curious users, they could collaborate together by sharing their private keys. Nevertheless, we point out that although authorized users are allowed to submit keywords to the private cloud for trapdoor generation, they cannot intercept the generated trapdoors, which are transferred over the private channel. Essentially, they cannot obtain enough information to launch meaningful attack. For curious server, it is able to access encrypted keywords and trapdoors. Because of the semantic security of PEKS, both the keyword ciphertexts and trapdoors leak nothing about original keywords. Therefore, the keyword privacy is preserved.  4.5. Transfer trapdoors in public channel In our construction which inherits the security requirement in [12], the trapdoors for keyword-based query are required to be transmitted in a private channel to protect against adversaries’ interceptions. Even if it is in low bandwidth, this is certainly not suitable for some applications as building a secure channel is usually expensive. Therefore, in this section, we attempt to remove such a secure channel and allow to transfer trapdoors in public channels. Actually, in our construction, if we straightforwardly enable transferring trapdoors over a public channel, a curious user is able to break the indistinguishability of message. More precisely, the user can submit query on a certain keyword and intercept the trapdoor such keyword on the public channel. With this trapdoor, he/she can check with the keyword ciphertext. In the extreme case that the message is one word and equals to its related keyword, the message privacy is compromised. We note that the security issue originates from the fact that the Test algorithm is able to be executed by anyone. Therefore, the relation between a ciphertext and a trapdoor can be easily utilized by adversaries to break the system. To securely remove the private channel for transferring trapdoors, we can utilize the idea of ‘test with designated server’ [21]. Specifically, we can restrict that only the public cloud server (the designated tester) is able to perform the Test algorithm to obtain the relation between a ciphertext and a trapdoor. To achieve the goal of ‘designated testing’, following [21], another pair of public and private keys for the public cloud server is introduced to build a secure public key encryption for test authentication. In the performance enhanced system, the keyword is encrypted in a hybrid manner. That is, a normal PEKS ciphertext is built in the first layer while in the second layer the PEKS ciphertext is encapsulated with a public key encryption primitive. In this case, the PEKS test can be successfully executed only if the public key encryption is decapsulated by the public cloud server. 5. CONCRETE CONSTRUCTION In this section, on the basis of the proposed generic construction, we will utilize the PEKS in [12] and IBBE in [38] to instantiate a concrete construction. 5.1. Cryptographic background Before providing the construction, we briefly introduce some cryptographic background. Definition 2 (Bilinear map) Let G, GT be cyclic groups of prime order p, writing the group action multiplicatively. g is a generator of G. Let e W G  G ! GT be a map with the following properties: ˇ

 Bilinearity: e.g1˛ , g2 / D e.g1 , g2 /˛ˇ for all g1 , g2 2 G, and ˛, ˇ 2R Zp ; Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1062

J. LI ET AL.

 Non-degeneracy: There exists g1 , g2 2 G such that e.g1 , g2 / ¤ 1, in other words, the map

does not send all pairs in G  G to the identity in GT ;  Computability: There is an efficient algorithm to compute e.g1 , g2 / for all g1 , g2 2 G.

Definition 3 (Decision bilinear Diffie–Hellman problem) The decision bilinear Diffie–Hellman (DBDH) problem is that, given g, g ˛ , g ˇ , g  2 G for unknown random values ˛, ˇ,  2R GT , to decide if T D e.g, g/˛ˇ  . We say that the -DBDH assumption holds in G, GT if no polynomial algorithm has probability at least 12 C  in solving the DBDH problem for non-negligible . Definition 4 (q-decisional truncated bilinear Diffie–Hellman exponent problem) The q-decisional truncated bilinear Diffie–Hellman exponent (TBDHE) problem is that, given a 2 q qC1 vector g 0 , g, g ˛ , g ˛ , : : : , g ˛ , T / 2 G qC2  GT to decide whether T D e.g 0 , g/˛ . Notice that the q-TBDHE problem is a truncated version of the q-BDHE problem, in which the qC2 2q terms .g ˛ , : : : , g ˛ / are omitted from the vector. Therefore, the q-BDHE problem can be solved once the q-TBDHE problem is solved whereas not. The TBDHE problem is at least as difficult as the BDHE problem. We say that the ., q/-TBDHE assumption holds in G, GT if no polynomial algorithm has probability at least 12 C  in solving the q-TBDHE problem in G, GT . 5.2. Proposed construction We provide the concrete construction as follows.  Setup., n/ W Define the bilinear groups G, GT with bilinear map e W G  G ! GT .

To initialize the PEKS mechanism, pick a generator g of G and set g˛ D g ˛ where ˛ 2R Zp . Next, pick ˇ 2R Zp and set gˇ D g ˇ . Then, choose g1 , g2 , h0 , h1 , h2 2R G and f .x/ D ax C b where a, b 2R Zp with the restrictions that g1 ¤ g2a and h0 ¤ g2b . Finally, after initializing the authorized user table Tuser , publish the public key PK D .g, g˛ , gˇ , g1 , g2 , h0 , h1 , h2 , f .x/, H1 ./, H2 ./, H3 .// where H1 W Zp  f1, 2, : : : , ng ! Zp and H2 W G 2  GT ! Zp for t 2 Zp are collision-resistant hash functions, and H3 W f0, 1g ! G is made as random oracle. MKau D ˇ and MKpriv D .Tuser , ˛/ are kept secret at authority and trusted private cloud respectively.  Extract.MKau , IDi / W Suppose the user’s identity IDi 2 Zp . Upon receiving a private key request on IDi , the authority picks si , si0 2R Zp and computes d1 D si0 , d0 D g si and 8  ˇ  si 0 0 ˆ H .ID ,i / ID ˆ < h0 g1si g2f .si / j Di h2 1 i h1 i dj D  s ˆ ˆ : hH1 .IDi ,j / hIDj i j ¤i 2

s0

1

f .s 0 /

for j 2 f1, 2, : : : , ng with h0 g1i g2 i ¤ 1. Next, authority runs SIG.Setup once to obtain .VKiSIG , SKiSIG / and assign the private key as SKi D .fdk gnkD1 , SKiSIG /. Furthermore, authority also sends the registration information .IDi , VKiSIG / to the trusted private cloud to be stored in Tuser .  Encrypt.PK, S, M , W/ W Suppose a data owner wants to encrypt a message M with keyword set W and share it with users in S. He/she firstly obtains a symmetric key K 2R GT and utilizes it to encrypt message CM D SE.Encrypt.K, M /. Furthermore, he/she encapsulates this symmetric key by picking s 2R Zp and computing hdr D .c1 , c2 , c3 , c4 , c5 , c6 , / where Y  H .ID ,i / ID s sCl  c1 D h2 1 i h1 i , c2 D g s , c3 D e.gˇ , g1 /s , c4 D e.gˇ , g2 /s , c5 D K  e gˇ , h0 i 2S

Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1063

for l D H2 .c1 , c2 , c3 , c4 , e.gˇ , h0 /s / and  D H2 .c1 , c2 , c3 , c4 , c5 , K  e.gˇ , h0 /s /. r

For each keyword Wi 2 W, data owner computes ti D e.H3 .Wi /, g˛i / for ri 2R Zp and CWi D .gir , ti /. Finally, the ciphertext CT D .CM , hdr, fCWi gWi 2W /.  Query.SKi , IDi , W / W To make a keyword-based query, user with identity IDi generates a query Qi , W D .IDi , W , i , W / where i , W is a normal signature on IDi jjW using SKiSIG .  Trapdoor.MKpriv , Qi , W / W To generate a trapdoor for a query Qi , W , the trusted private cloud firstly finds the entry .IDi , VKiSIG / in Tuser and uses VKiSIG to verify the validity of the request. If the verification is passed, the trusted private cloud produces TPi ,W D .IDi , TW D H3 .W /˛ /.  Test.CT, TPi ,W / W Upon receiving the trapdoor TPi ,W D .IDi , TW /, the public cloud server performs test on each ciphertext CT D .S, CM , hdr, fCWi gWi 2W /. The test is performed in two stages. In the fist stage, public cloud server checks whether IDi 2 S, if so, the second stage ‹

continues: for each CWi D .g ri , ti /, e.TW , g ri / D ti is tested. If both stages are passed, the truncated ciphertext .S, hdr, CM / is sent back to user.  Decrypt.PK, SKi , S, hdr, CM / W The user with identity IDi decrypts by computing e.c2 , di  c3d1

Q

j 2S,j ¤i dj / f .d1 /  c4  e.c1 , d0 /

D e.g, h0 /ˇ s

and e.gcˇ5,h0 / D R where l D H2 .c1 , c2 , c3 , c4 , e.g, h0 /ˇ s /. Furthermore, the validity of ciphertext is verified by computing  0 D H2 .c1 , c2 , c3 , c4 , c5 , R/ and checking whether  0 D . If the equation holds, the symmetric key is recovered as K D e.g,hR /ˇs and original message is 0 decrypted M D SE.Decrypt.K, CM /. Otherwise, an error message is returned. Theorem 3 The proposed concrete construction achieves message and keyword privacy under the DBDH and q-TBDHE assumptions. Proof This construction is based on the previous generic construction, with the existing techniques of IBBE [38] and PEKS [12]. Therefore, the proof is easy to be derived from the proof for Theorem 1 and Theorem 2, and is omitted here.  5.3. Efficiency analysis Because the symmetric encryption and the normal digital signature are made as black box, we point out that the core of our concrete construction is the IBBE scheme and PEKS scheme. To make a precise efficiency evaluation, we provide a simulation for the data sharing system involving the both schemes on a Linux machine with Intel Core 2 processors running at 2.40 GHz and 2 G memory. The simulation based on our concrete construction is in terms of the initialization, data upload, new user grant and data access. As shown in Figure 4(a), in initialization stage, the authority has to spend constant time, nearly 60–70 ms, in initializing the public/private key for the system. When a new coming user requests for his/her private key, the time cost for private key generation at authority side grows linearly with the number of users in the data sharing system. In Figure 4(c), we simulate data uploading in three cases, that is, the data to be uploaded with one, five or ten keywords. The difference in these cases is the number of keywords to be encrypted. In Figure 4(d), we analyze the time cost at both trusted private cloud and user sides during data access stage (PR and U are short for private cloud and user respectively). Typically, in data access, trusted private cloud is responsible for translating user’s query into its trapdoor form which involves one exponentiation operation, while the IBBE decryption is performed at user side (as we stated before, the verification operation for digital signature Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1064

J. LI ET AL. 300

700

Authority

Authority 600

Time Cost (ms)

Time Cost (ms)

250 200 150 100 50 0

10

20

30

40

50

60

70

80

300 200

0

90 100

10

20

30

40

50

60

70

80

Number of Users in System

Number of Users in System

(a) Initialization

(b) New user grant

90 100

50

1 5 10

PR U 40

Time Cost (ms)

Time Cost (ms)

700

400

100

900 800

500

600 500 400 300 200

30 20 10

100 0

0 10

20

30

40

50

60

70

80

90 100

10

Number of Users to be Shared with (c) Data upload

20

30

40

50

60

70

80

90 100

Number of Users in System (d) Data access

Figure 4. Performance evaluation.

and decryption for symmetric encryption are both omitted). Obviously, as the growing of number of users in system, only a few multiplication operations are additionally involved in IBBE decryption, which costs less than one ms. Thus, the efficiency at user side is almost constant. 6. CONCLUSION In the paper, we present a hybrid architecture consisting of a trusted private cloud and a public cloud server data outsourcing and sharing in cloud computing. On the basis of the novel architecture, we provide a generic construction for our purpose. Unlike the previous work, a two-layered access control is supported in our proposed construction. On the first layer, the access control is supported by the authorization and revocation mechanism. On the second layer, the access control mechanism is controlled by data owner and to restrict users’ access to the encrypted data. The security analysis shows that proposed construction achieves message privacy as well as keyword privacy. Furthermore, on the basis of the proposed generic construction, we utilize the existing technique on IBBE and PEKS to instantiate a concrete construction and make extensive experiment to demonstrate its efficiency.

ACKNOWLEDGEMENTS

This research is supported by the National Key Basic Research Program of China (Grant No. 2013CB834204), the National Natural Science Foundation of China (Grant No. 61272423, No. 61100224) and the Specialized Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20100031110030, 20120031120036), the Grant for Universities in Guangzhou City (Grant No. 10A008), the Foundation for Distinguished Young Talents in Higher Education of Guangdong Province (Grant No. LYM10106). Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

ENABLING EFFICIENT AND SECURE DATA SHARING IN CLOUD COMPUTING

1065

REFERENCES 1. Song DX, Wagner D, Perrig A. Practical techniques for searches on encrypted data. In IEEE Symposium on Security and Privacy, 2000; 44–55. 2. Tu S, Niu S, Li H. A fine-grained access control and revocation scheme on clouds. Concurrency and Computation: Practice and Experience 2012; N/A:N/A. 3. Wang G, Liu Q, Wu J. Achieving fine-grained access control for secure data sharing on cloud servers. Concurrency and Computation: Practice and Experience 2011; 23:1443 –1464. 4. Goldreich O, Ostrovsky R. Software protection and simulation on oblivious rams. Journal of the ACM 1996; 43(3):431–473. 5. Goh E-J. Secure indexes. IACR Cryptology ePrint Archive 2003; 2003:1–18. 6. Chang Y-C, Mitzenmacher M. Privacy preserving keyword searches on remote encrypted data. In Applied Cryptography and Network Security, 2005; 442–455. 7. Curtmola R, Garay JA, Kamara S, Ostrovsky R. Searchable symmetric encryption: improved definitions and efficient constructions. In ACM Conference on Computer and Communications Security, 2006; 79–88. 8. van Liesdonk P, Sedghi S, Doumen J, Hartel PH, Jonker W. Computationally efficient searchable symmetric encryption. In Secure Data Management, 2010; 87–100. 9. Li J, Wang Q, Wang C, Cao N, Ren K, Lou W. Fuzzy keyword search over encrypted data in cloud computing. In INFOCOM, 2010; 441–445. 10. Kurosawa K, Ohtaki Y. Uc-secure searchable symmetric encryption. In Financial Cryptography, 2012; 285–298. 11. Kamara S, Papamanthou C, Roeder T. Dynamic searchable symmetric encryption. In ACM Conference on Computer and Communications Security, 2012; 965–976. 12. Boneh D, Di Crescenzo G, Ostrovsky R, Persiano G. Public key encryption with keyword search. In Advances in Cryptology - EUROCRYPT, 2004; 506–522. 13. Khader D. Public key encryption with keyword search based on k-resilient ibe. In Computational Science and Its Applications, 2006; 1086–1095. 14. Di Crescenzo G, Saraswat V. Public key encryption with searchable keywords based on jacobi symbols. In Progress in Cryptology - INDOCRYPT, 2007; 282–296. 15. Park DJ, Kim K, Lee PJ. Public key encryption with conjunctive field keyword search. In WISA, 2004; 73–86. 16. Hwang YH, Lee PJ. Public key encryption with conjunctive keyword search and its extension to a multi-user system. In Pairing, 2007; 2–22. 17. Boneh D, Waters B. Conjunctive, subset, and range queries on encrypted data. In TCC, 2007; 535–554. 18. Byun JW, Rhee HS, Park H-A, Lee DH. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In Secure Data Management, 2006; 75–83. 19. Yau W-C, Heng S-H, Goi B-M. Off-line keyword guessing attacks on recent public key encryption with keyword search schemes. In ATC, 2008; 100–105. 20. Jeong IR, Kwon JO, Hong D, Lee DH. Constructing peks schemes secure against keyword guessing attacks is possible? Computer Communications 2009; 32(2):394–396. 21. Baek J, Safavi-Naini R, Susilo W. Public key encryption with keyword search revisited. In ICCSA (1), 2008; 1249–1259. 22. Fang L, Susilo W, Ge C, Wang J. A secure channel free public key encryption with keyword search scheme without random oracle. In CANS, 2009; 248–258. 23. Rhee HS, Park JH, Susilo W, Lee DH. Improved searchable public key encryption with designated tester. In ASIACCS, 2009; 376–379. 24. Rhee HS, Park JH, Lee DH. Generic construction of designated tester public-key encryption with keyword search. Informational Sciences 2012; 205:93–109. 25. Amanatidis G, Boldyreva A, O’Neill A. Provably-secure schemes for basic query support in outsourced databases. In DBSec, 2007; 14–30. 26. Bellare M, Boldyreva A, O’Neill A. Deterministic and efficiently searchable encryption. In CRYPTO, 2007; 535–552. 27. Li M, Yu S, Cao N, Lou W. Authorized private keyword search over encrypted data in cloud computing. In ICDCS, 2011; 383–392. 28. Dong C, Russello G, Dulay N. Shared and searchable encrypted data for untrusted servers. Journal of Computer Security 2011; 19(3):367–397. 29. Li J, Li J, Chen X, Jia C, Liu Z. Efficient keyword search over encrypted data with fine-grained access control in hybrid cloud. In NSS, 2012; 490–502. 30. Li J, Jia C, Li J, Liu Z. A novel framework for outsourcing and sharing searchable encrypted data on hybrid cloud. In INCoS, 2012; 1–7. 31. Cramer R, Shoup V. Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM Journal on Computing 2004; 33(1):167–226. 32. Delerablée C. Identity-based broadcast encryption with constant size ciphertexts and private keys. In ASIACRYPT, 2007; 200–215. 33. Zhao X, Zhang F. Fully cca2 secure identity-based broadcast encryption with black-box accountable authority. Journal of Systems and Software 2012; 85(3):708–716. 34. Ren Y, Wang S, Zhang X. Non-interactive dynamic identity-based broadcast encryption without random oracles. In ICICS, 2012; 479–487. Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe

1066

J. LI ET AL.

35. Hur J, Park C, Hwang S. Privacy-preserving identity-based broadcast encryption. Information Fusion 2012; 13(4):296–303. 36. Zhang L, Hu Y, Wu Q. Adaptively secure identity-based broadcast encryption with constant size private keys and ciphertexts from the subgroups. Mathematical and Computer Modelling 2012; 55(1-2):12–18. 37. Ben-Othman J, Benitez YIS. Ibc-hwmp: a novel secure identity-based cryptography-based scheme for hybrid wireless mesh protocol for ieee 802.11s. Concurrency and Computation: Practice and Experience 2013; 25(5):686–700. 38. Ren Y, Gu D. Fully cca2 secure identity based broadcast encryption without random oracles. Inf. Process. Letters 2009; 109(11):527–533.

Copyright © 2013 John Wiley & Sons, Ltd.

Concurrency Computat.: Pract. Exper. 2014; 26:1052–1066 DOI: 10.1002/cpe