With the rapid development of network and storage technology, cloud storage has become a new service model in which data sharing and user revocation are important functions. Therefore, according to the characteristics of cloud storage, a revocable key-aggregate encryption scheme based on the subset-cover framework is put forward. The proposed scheme not only has the key-aggregate property, which greatly simplifies the user's key management, but also can revoke users' access permissions, realizing flexible and effective access control. When a user is revoked, the cloud server updates the ciphertext so that the revoked user can no longer decrypt the new ciphertext, while nonrevoked users do not need to update their private keys. In addition, the scheme provides a verification mechanism with which the updated ciphertext can be checked, ensuring that the user revocation was performed correctly. Compared with existing schemes, this scheme not only reduces the cost of key management and storage, but also realizes user revocation and access control efficiently. Finally, the proposed scheme is proved selectively secure against chosen-plaintext attack in the standard model.
With the continuous development of cloud computing technology, a new kind of data storage model called cloud storage has attracted great attention. Derived from cloud computing, cloud storage can provide online storage space through the network [
However, while cloud storage brings great convenience to users dealing with large-scale data, it also raises new security issues and challenges [
Therefore, according to the characteristics of cloud storage, the design of an efficient and secure revocable key-aggregate encryption scheme is both necessary and urgent, and has important theoretical significance and application value.
In order to solve the key management problem and realize dynamic access control during data sharing more effectively, this paper focuses on the revocable key-aggregate cryptosystem in the cloud. Its main contributions are the following. According to the characteristics of the key-aggregate cryptosystem and the requirements of user revocation, this paper first gives a formal definition of the revocable key-aggregate cryptosystem. Combining it with the subset-cover framework, this paper puts forward an efficient revocable key-aggregate encryption scheme based on multilinear maps, realizing user access control and revocation. Our construction not only has the key-aggregate property, which simplifies the user's key management effectively, but also can delegate different decryption permissions to different users and revoke users' access rights, realizing flexible access control. This paper also analyzes the performance of the proposed scheme in comparison with existing schemes. It shows that our scheme not only keeps the user's secret key and the ciphertext constant-size, but also reduces the length of the system parameters to
Lastly, the security analysis shows that the proposed scheme is selectively secure against chosen-plaintext attack under the Generalized DHDHE assumption in the standard model. In addition, we discuss how to extend our basic scheme to handle the rapidly growing number of files in the cloud environment.
In recent years, realizing secure and effective data sharing while reducing key management costs in the cloud environment has become a crucial problem. How to reduce the number of keys that users have to store, and thereby simplify key management, has been a hot research topic. Existing work on reducing the cost of key management falls mainly into four categories: hierarchical key management schemes, key compression schemes based on symmetric encryption, identity-based key compression schemes, and other related solutions.
In cloud storage, a hierarchical key management scheme generally uses a tree structure in which the key of each nonleaf node can derive the keys of its child nodes. Users then only need to store the keys of the corresponding ancestor nodes, which simplifies key management effectively. This technique was first proposed by Akl and Taylor [
To avoid transporting a large number of keys in the broadcast encryption setting, Benaloh et al. [
As Shamir [
Other relevant solutions include the attribute-based encryption (ABE) and proxy reencryption (PRE). Waters [
Recently, Chu et al. [
The rest of the paper is organized as follows: Section
In this section we describe some basic primitives and concepts that are used in our scheme.
Multilinear maps were first put forward by Boneh and Silverberg [ Setup
In the asymmetric multilinear maps [ Setup
We introduce a new complexity assumption named Generalized DHDHE. It is a variant of the well-known Decisional
Let
For a polynomial-time adversary
From here we can see that this new assumption is a generalization of the DHDHE assumption. Specifically, if we multiply
We say the Generalized DHDHE assumption holds if, for any polynomial-time adversary
Naor et al. [
Let
Subset-cover framework: Complete Subtree method.
When constructing the scheme based on the subset-cover framework, the path set is embedded in the private key, while the cover set is attached to the ciphertext. If and only if
Since the set of delegated users in the cloud changes dynamically, a revocable key-aggregate cryptosystem is essential for adding a user revocation function to KAC.
A revocable key-aggregate cryptosystem (RKAC) is an extension of KAC in which a user can be revoked when his credential expires. A revocable key-aggregate encryption scheme consists of seven polynomial-time algorithms, Setup, KeyGen, Encrypt, Extract, Update, Decrypt, and Verify, which are defined as follows:
For RKAC, we present its security model through the game between a challenger
Step Step
The acquired advantage of the adversary
If, for any polynomial-time
If, for any polynomial-time
Applying the RKAC in a cloud environment, the model is shown in Figure
The model for RKAC.
When the data owner Alice wants to share multiple files
Our main construction of the revocable key-aggregate encryption scheme is based on multilinear maps and realizes data sharing and user revocation in cloud storage securely and efficiently.
In KAC, the aggregation of file indices is embedded in the user's private key, so an authorized user stores only the aggregate key to access multiple files. However, users' access rights in the system change dynamically, so KAC must support user revocation. Therefore, in constructing a revocable key-aggregate encryption scheme, two main challenges remain: how to construct an efficient scheme with the key-aggregate property, and how to revoke users securely without affecting legitimate users' access to files.
For the first challenge, we are inspired by Boneh et al.’s broadcast encryption [
For the second challenge, our inspiration comes from Shi et al. [
Therefore, this paper proposes a revocable key-aggregate encryption scheme and proves its security in the standard model. The core of the scheme lies in how the ciphertext and the private key are constructed. The ciphertext of the new scheme includes not only the file index but also the user revocation set, so that users can be revoked directly. Correspondingly, the private key is divided into two parts: one is the aggregation of the file index set, and the other is the aggregation of the path set of the user, which realizes key aggregation effectively. In this way, only legitimate users have access to the appropriate files, realizing file access control in the system. The new scheme has the cloud server update the ciphertext, saving the data owner's computation; when a user is revoked, nonrevoked users do not need to update their private keys, greatly reducing the cost of key updates and the burden on the key delegation authority; and because the cloud server is not fully trusted, the scheme provides a verification mechanism with which the data owner can validate the updated ciphertext and make sure the user revocation was carried out correctly.
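The following Python model is added here as an illustration and is not code from the paper. It models only the combinatorial subset-cover layer that the Complete Subtree method contributes to the design described above and in the subset-cover section: the path set that a user's private key aggregates, the cover set that the ciphertext carries, the cloud-side Update that recomputes the cover when the revocation set changes without touching any nonrevoked user's key, and an owner-side Verify that rejects an update whose cover does not match the new revocation set. Node labels stand in for the group elements a real instantiation derives with multilinear maps, and the file-index set is carried as a plain set rather than aggregated; the tree depth, the heap-style numbering, the `Ciphertext` class, and the revoked users in `demo` are constructed assumptions.

```python
"""Combinatorial model of the Complete Subtree (CS) subset-cover layer:
path set in the user's key, cover set in the ciphertext, cloud-side
Update, owner-side Verify. Illustrative only: no multilinear-map
arithmetic; node labels stand in for the real scheme's group elements."""

import math
from itertools import combinations
from typing import FrozenSet, Iterable, Set

# Users are the leaves of a complete binary tree with N = 2**depth leaves.
# Heap numbering (an assumption of this model): root = 1, the children of
# v are 2v and 2v+1, leaves are N .. 2N-1, and user u sits at leaf N + u.


def path_set(depth: int, user: int) -> FrozenSet[int]:
    """Nodes on the path from the user's leaf up to the root; this is the
    set the user's private key aggregates."""
    n_leaves = 1 << depth
    if not 0 <= user < n_leaves:
        raise ValueError("user index out of range")
    node, nodes = n_leaves + user, set()
    while node >= 1:
        nodes.add(node)
        node //= 2
    return frozenset(nodes)


def complete_subtree_cover(depth: int, revoked: Iterable[int]) -> FrozenSet[int]:
    """CS method: roots of the maximal subtrees containing no revoked leaf.
    This is the cover set attached to the ciphertext."""
    n_leaves = 1 << depth
    steiner: Set[int] = set()            # union of the revoked users' paths
    for u in revoked:
        steiner |= path_set(depth, u)
    if not steiner:
        return frozenset({1})            # nobody revoked: the root covers all
    cover = set()
    for v in steiner:
        if v >= n_leaves:
            continue                     # a revoked leaf has no children
        for child in (2 * v, 2 * v + 1):
            if child not in steiner:     # child subtree is revoked-free
                cover.add(child)
    return frozenset(cover)


def can_decrypt(depth: int, user: int, cover: FrozenSet[int]) -> bool:
    """Decryption succeeds iff the user's path set meets the cover set."""
    return not path_set(depth, user).isdisjoint(cover)


class Ciphertext:
    """Ciphertext header: the file-index set and the current cover set.
    The encrypted payload is out of scope for this model."""

    def __init__(self, file_indices: Iterable[int], cover: Iterable[int]):
        self.file_indices = frozenset(file_indices)
        self.cover = frozenset(cover)


def update(ct: Ciphertext, depth: int, revoked: Iterable[int]) -> Ciphertext:
    """Cloud-side Update: recompute the cover for the new revocation set.
    No nonrevoked user's path set (private key) changes."""
    return Ciphertext(ct.file_indices, complete_subtree_cover(depth, revoked))


def verify(old: Ciphertext, new: Ciphertext, depth: int, revoked: Iterable[int]) -> bool:
    """Owner-side Verify: the cloud must keep the file set and produce
    exactly the cover that the new revocation set dictates."""
    return (new.file_indices == old.file_indices
            and new.cover == complete_subtree_cover(depth, revoked))


def cover_is_correct(depth: int) -> bool:
    """Exhaustively check every revocation set: a user decrypts iff it is
    not revoked, and the cover size stays within the CS bound r*log2(N/r)."""
    users = range(1 << depth)
    for r in range(len(users) + 1):
        for revoked in combinations(users, r):
            cover = complete_subtree_cover(depth, revoked)
            for u in users:
                if can_decrypt(depth, u, cover) == (u in revoked):
                    return False
            if r and len(cover) > r * math.log2(len(users) / r):
                return False
    return True


def demo() -> dict:
    """Constructed scenario: 8 users, files {1, 2, 3}; user 5 is revoked,
    then user 4 too; an honest update and a stale one are verified."""
    depth = 3
    ct0 = Ciphertext({1, 2, 3}, complete_subtree_cover(depth, set()))
    ct1 = update(ct0, depth, {5})
    ct2 = update(ct1, depth, {4, 5})
    stale = Ciphertext(ct1.file_indices, ct1.cover)   # cloud skipped revoking 4
    return {
        "cover_after_revoking_5": ct1.cover,
        "cover_after_revoking_4_5": ct2.cover,
        "user5_after": can_decrypt(depth, 5, ct1.cover),
        "user4_before": can_decrypt(depth, 4, ct1.cover),
        "user4_after": can_decrypt(depth, 4, ct2.cover),
        "honest_update_verifies": verify(ct1, ct2, depth, {4, 5}),
        "stale_update_verifies": verify(ct1, stale, depth, {4, 5}),
    }


if __name__ == "__main__":
    print(demo())
```

With 8 users and user 5 revoked, the cover is {2, 7, 12}: the left half of the tree, the subtree of users 6 and 7, and the single leaf of user 4, so every nonrevoked user still has a path node in the cover while user 5 has none. Revoking user 4 as well shrinks the cover to {2, 7}, and `verify` rejects a cloud that returns the old cover, which is the combinatorial content of the verification step the scheme adds for an untrusted server.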
Let Setup Verify
For correctness, we can see that
In this section, we evaluate the proposed scheme in two aspects, performance analysis and security analysis.
Performance analysis mainly covers the cost of computation, storage, and communication in comparison with several related schemes. In computation, since our scheme is based on asymmetric multilinear maps,
Comparison with related schemes.
Scheme | System parameter | Private key | Ciphertext | Direct revocation | Revocation cost | Verifiability |
---|---|---|---|---|---|---|
[ | | | | | | |
[ | | | | | | |
[ | | | | | | |
[ | | | | | | |
Our scheme | | | | | | |
Note that the ciphertext length refers to the length of the original ciphertext when no user has been revoked, and the revocation cost refers to the computational cost incurred when a user is revoked.
As can be seen from Table
Our scheme is based on the Generalized DHDHE assumption and is proved selectively IND-CPA secure in the standard model. First we analyze the Generalized DHDHE assumption. Let
By the following theorem, we prove the security of the proposed scheme.
If the Generalized DHDHE problem is hard, then the proposed revocable key-aggregate encryption scheme is selectively IND-CPA secure.
Assume there exists a polynomial-time adversary
Suppose, in an asymmetric multilinear maps group system, For For
Algorithm
Step Step Step
Step Step Step Step
Probability analysis: when
As is well known, the number of files in the cloud scenario may be extremely large and grow rapidly. If the number of files exceeds
The Setup, KeyGen, Update, and Verify algorithms are the same as in the basic scheme.
Encrypt
Extract
The correctness of this equation can be verified by direct computation and is therefore omitted. The security of the extended scheme can be proved in the same way as for the basic scheme, so we do not detail it here.
In the cloud storage environment, the key-aggregate cryptosystem was put forward to protect the security and privacy of users' data and to simplify key management during data sharing. It is realized under public key cryptography and aggregates the user's private keys into a single one, greatly reducing the user's key management cost. At the same time, the aggregation can be performed without constraints, realizing flexible data sharing in the cloud environment. This paper studies the revocable key-aggregate cryptosystem and proposes a revocable key-aggregate encryption scheme combined with the subset-cover framework for the cloud environment, realizing key aggregation and user access control effectively. By having the cloud server update the ciphertext, the proposed scheme revokes user permissions while legitimate users do not need to update their private keys. Moreover, it provides a verification mechanism to ensure that user revocation is executed correctly. Performance analysis shows that, compared with existing schemes, the proposed scheme reduces the cost of storage and transmission and realizes user access control effectively. Security analysis shows that the proposed scheme is selectively CPA secure under the Generalized DHDHE assumption in the standard model. Besides, an extended scheme is proposed for the cloud scenario in which the number of files is extremely large and growing rapidly.
This paper also has the limitation that it only constructs a CPA-secure scheme. Since there are many generic transformations from CPA security to CCA security [
The authors declare that they have no competing interests.
This work was partially supported by National Natural Science Foundation of China under Grants 61272415, 61070164; Natural Science Foundation of Guangdong Province, China, under Grant S2012010008767; Science and Technology Planning Project of Guangdong Province, China, under Grant 2013B010401015. This work was also supported by the Zhuhai Top Discipline-Information Security.