Professional Documents
Culture Documents
Key-Aggregate Cryptosystem For Scalable Data Sharing in Cloud Storage
Key-Aggregate Cryptosystem For Scalable Data Sharing in Cloud Storage
Key-Aggregate Cryptosystem
for Scalable Data Sharing in Cloud Storage
Cheng-Kang Chu, Sherman S. M. Chow, Wen-Guey Tzeng, Jianying Zhou, and
Robert H. Deng, Senior Member, IEEE
Abstract—Data sharing is an important functionality in cloud storage. In unexpected privilege escalation will expose all data. In
this article, we show how to securely, efficiently, and flexibly share data a shared-tenancy cloud computing environment, things
with others in cloud storage. We describe new public-key cryptosystems become even worse. Data from different clients can be
which produce constant-size ciphertexts such that efficient delegation
hosted on separate virtual machines (VMs) but reside
of decryption rights for any set of ciphertexts are possible. The novelty
is that one can aggregate any set of secret keys and make them as on a single physical machine. Data in a target VM could
compact as a single key, but encompassing the power of all the keys be stolen by instantiating another VM co-resident with
being aggregated. In other words, the secret key holder can release the target one [2]. Regarding availability of files, there
a constant-size aggregate key for flexible choices of ciphertext set in are a series of cryptographic schemes which go as far as
cloud storage, but the other encrypted files outside the set remain allowing a third-party auditor to check the availability
confidential. This compact aggregate key can be conveniently sent to
of files on behalf of the data owner without leaking
others or be stored in a smart card with very limited secure storage. We
provide formal security analysis of our schemes in the standard model.
anything about the data [3], or without compromising
We also describe other application of our schemes. In particular, our the data owners anonymity [4]. Likewise, cloud users
schemes give the first public-key patient-controlled encryption for flexible probably will not hold the strong belief that the cloud
hierarchy, which was yet to be known. server is doing a good job in terms of confidentiality. A
cryptographic solution, e.g., [5], with proven security re-
Index Terms—Cloud storage, data sharing, key-aggregate encryption, lied on number-theoretic assumptions is more desirable,
patient-controlled encryption
whenever the user is not perfectly happy with trusting
the security of the VM or the honesty of the technical
1 I NTRODUCTION staff. These users are motivated to encrypt their data
with their own keys before uploading them to the server.
Cloud storage is gaining popularity recently. In en- Data sharing is an important functionality in cloud
terprise settings, we see the rise in demand for data storage. For example, bloggers can let their friends view
outsourcing, which assists in the strategic management a subset of their private pictures; an enterprise may
of corporate data. It is also used as a core technology grant her employees access to a portion of sensitive
behind many online services for personal applications. data. The challenging problem is how to effectively
Nowadays, it is easy to apply for free accounts for email, share encrypted data. Of course users can download
photo album, file sharing and/or remote access, with the encrypted data from the storage, decrypt them, then
storage size more than 25GB (or a few dollars for more send them to others for sharing, but it loses the value of
than 1TB). Together with the current wireless technology, cloud storage. Users should be able to delegate the access
users can access almost all of their files and emails by a rights of the sharing data to others so that they can access
mobile phone in any corner of the world. these data from the server directly. However, finding an
Considering data privacy, a traditional way to en- efficient and secure way to share partial data in cloud
sure it is to rely on the server to enforce the access storage is not trivial. Below we will take Dropbox1 as an
control after authentication (e.g., [1]), which means any example for illustration.
Assume that Alice puts all her private photos on
• C.-K. Chu and J. Zhou are with the Cryptography and Security Depart- Dropbox, and she does not want to expose her photos to
ment at Institute for Infocomm Research, Singapore.
• S. S.-M. Chow is with the Department of Information Engineering, everyone. Due to various data leakage possibility Alice
Chinese University of Hong Kong. cannot feel relieved by just relying on the privacy protec-
• W.-G. Tzeng is with the Department of Computer Science, National Chiao tion mechanisms provided by Dropbox, so she encrypts
Tung University, Taiwan.
• R. H. Deng is with the School of Information Systems, Singapore Man- all the photos using her own keys before uploading. One
agement University. day, Alice’s friend, Bob, asks her to share the photos
• This work was supported by the Singapore A*STAR project SecDC-
112172014.
1. http://www.dropbox.com
taken over all these years which Bob appeared in. Alice
can then use the share function of Dropbox, but the
problem now is how to delegate the decryption rights
for these photos to Bob. A possible option Alice can
choose is to securely send Bob the secret keys involved.
Naturally, there are two extreme ways for her under the
traditional encryption paradigm:
• Alice encrypts all files with a single encryption key
and gives Bob the corresponding secret key directly.
• Alice encrypts files with distinct keys and sends Bob
the corresponding secret keys.
Obviously, the first method is inadequate since all un-
chosen data may be also leaked to Bob. For the second
method, there are practical concerns on efficiency. The
number of such keys is as many as the number of the
shared photos, say, a thousand. Transferring these secret
keys inherently requires a secure channel, and storing Fig. 1. Alice shares files with identifiers 2, 3, 6 and 8 with
these keys requires rather expensive secure storage. The Bob by sending him a single aggregate key.
costs and complexities involved generally increase with
the number of the decryption keys to be shared. In short,
it is very heavy and costly to do that.
“To design an efficient public-key encryption scheme which
Encryption keys also come with two flavors — sym-
supports flexible delegation in the sense that any subset of the
metric key or asymmetric (public) key. Using symmetric
ciphertexts (produced by the encryption scheme) is decryptable
encryption, when Alice wants the data to be originated
by a constant-size decryption key (generated by the owner of
from a third party, she has to give the encryptor her
the master-secret key).”
secret key; obviously, this is not always desirable. By
We solve this problem by introducing a special type
contrast, the encryption key and decryption key are
of public-key encryption which we call key-aggregate
different in public-key encryption. The use of public-key
cryptosystem (KAC). In KAC, users encrypt a message
encryption gives more flexibility for our applications. For
not only under a public-key, but also under an identifier
example, in enterprise settings, every employee can up-
of ciphertext called class. That means the ciphertexts are
load encrypted data on the cloud storage server without
further categorized into different classes. The key owner
the knowledge of the company’s master-secret key.
holds a master-secret called master-secret key, which can
Therefore, the best solution for the above problem is
be used to extract secret keys for different classes. More
that Alice encrypts files with distinct public-keys, but
importantly, the extracted key have can be an aggregate
only sends Bob a single (constant-size) decryption key.
key which is as compact as a secret key for a single class,
Since the decryption key should be sent via a secure
but aggregates the power of many such keys, i.e., the
channel and kept secret, small key size is always de-
decryption power for any subset of ciphertext classes.
sirable. For example, we can not expect large storage
With our solution, Alice can simply send Bob a single
for decryption keys in the resource-constraint devices
aggregate key via a secure e-mail. Bob can download
like smart phones, smart cards or wireless sensor nodes.
the encrypted photos from Alice’s Dropbox space and
Especially, these secret keys are usually stored in the
then use this aggregate key to decrypt these encrypted
tamper-proof memory, which is relatively expensive. The
photos. The scenario is depicted in Figure 1.
present research efforts mainly focus on minimizing
The sizes of ciphertext, public-key, master-secret key
the communication requirements (such as bandwidth,
and aggregate key in our KAC schemes are all of constant
rounds of communication) like aggregate signature [6].
size. The public system parameter has size linear in the
However, not much has been done about the key itself
number of ciphertext classes, but only a small part of it
(see Section 3 for more details).
is needed each time and it can be fetched on demand
from large (but non-confidential) cloud storage.
1.1 Our Contributions Previous results may achieve a similar property featur-
In modern cryptography, a fundamental problem we ing a constant-size decryption key, but the classes need
often study is about leveraging the secrecy of a small to conform to some pre-defined hierarchical relationship.
piece of knowledge into the ability to perform crypto- Our work is flexible in the sense that this constraint
graphic functions (e.g. encryption, authentication) mul- is eliminated, that is, no special relation is required
tiple times. In this paper, we study how to make a between the classes. The detail and other related works
decryption key more powerful in the sense that it allows can be found in Section 3.
decryption of multiple ciphertexts, without increasing its We propose several concrete KAC schemes with dif-
size. Specifically, our problem statement is – ferent security levels and extensions in this article. All
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
3
constructions can be proven secure in the standard ciphertext class the ciphertext C belongs to, and C,
model. To the best of our knowledge, our aggregation it outputs the decrypted result m if i ∈ S.
mechanism2 in KAC has not been investigated. There are two functional requirements:
• Correctness For any integers λ and n, any set S ⊆
2 K EY -AGGREGATE E NCRYPTION {1, · · · , n}, any index i ∈ S and any message m,
We first give the framework and definition for key- Pr[Decrypt(KS , S, i, C) = m : param ← Setup(1λ , n),
aggregate encryption. Then we describe how to use KAC (pk, msk) ← KeyGen(), C ← Encrypt(pk, i, m),
in a scenario of its application in cloud storage.
KS ← Extract(msk, S)] = 1.
TABLE 1
Comparisons between our basic KAC scheme and other related schemes
(a) (b)
review its key derivation process here for a concrete we mentioned, our schemes feature constant ciphertext
description of what are the desirable properties we want size, and their security holds in the standard model.
to achieve. The derivation of the key for a set of classes In fuzzy IBE [21], one single compact secret key can
(which is a subset of all possible ciphertext classes) is decrypt ciphertexts encrypted under many identities
as follows. A composite modulus N = p · q is chosen which are close in a certain metric space, but not for
where p and q are two large random primes. A master- an arbitrary set of identities and therefore it does not
secret key Y is chosen at random from Z∗N . Each class match with our idea of key aggregation.
is associated with a distinct prime ei . All these prime
numbers can be put in the public system parameter5 3.4 Other Encryption Schemes
A constant-size key for set S can be generated (with
Attribute-based encryption (ABE) [10], [24] allows each
the knowledge of φ(N )) as kS = Y 1/ j∈S (ej ) mod N .
ciphertext to be associated with an attribute, and the
For those who have been delegated the access rights for
(ej ) master-secret key holder can extract a secret key for a
S where S ⊂ S, kS can be computed by kS j∈S\S . policy of these attributes so that a ciphertext can be
As a concrete example, a key for classes represented by decrypted by this key if its associated attribute conforms
e1 , e2 , e3 can be generated as Y 1/(e1 ·e2 ·e3 ) , from which to the policy. For example, with the secret key for the
each of Y 1/e1 , Y 1/e2 , Y 1/e3 can easily be derived (while policy (2 ∨ 3 ∨ 6 ∨ 8), one can decrypt ciphertext tagged
providing no information about keys for any other class, with class 2, 3, 6 or 8. However, the major concern in
say, e4 ). This approach achieves similar properties and ABE is collusion-resistance but not the compactness of
performances as our schemes. However, it is designed secret keys. Indeed, the size of the key often increases
for the symmetric-key setting instead. The encryptor needs linearly with the number of attributes it encompasses,
to get the corresponding secret keys to encrypt data, or the ciphertext-size is not constant (e.g., [25]).
which is not suitable for many applications. Since their To delegate the decryption power of some ciphertexts
method is used to generate a secret value rather than a without sending the secret key to the delegatee, a useful
pair of public/secret keys, it is unclear how to apply this primitive is proxy re-encryption (PRE) (e.g., [26], [27],
idea for public-key encryption scheme. [28], [29]). A PRE scheme allows Alice to delegate to
Finally, we note that there are schemes which try the server (proxy) the ability to convert the ciphertexts
to reduce the key size for achieving authentication in encrypted under her public-key into ones for Bob. PRE
symmetric-key encryption, e.g., [19]. However, sharing is well known to have numerous applications includ-
of decryption power is not a concern in these schemes. ing cryptographic file system [30]. Nevertheless, Alice
has to trust the proxy that it only converts ciphertexts
3.3 Compact Key in Identity-Based Encryption according to her instruction, which is what we want
Identity-based encryption (IBE) (e.g., [20], [21], [22]) is a to avoid at the first place. Even worse, if the proxy
type of public-key encryption in which the public-key of colludes with Bob, some form of Alice’s secret key can
a user can be set as an identity-string of the user (e.g., be recovered which can decrypt Alice’s (convertible)
an email address). There is a trusted party called private ciphertexts without Bob’s further help. That also means
key generator (PKG) in IBE which holds a master-secret that the transformation key of proxy should be well-
key and issues a secret key to each user with respect protected. Using PRE just moves the secure key storage
to the user identity. The encryptor can take the public requirement from the delegatee to the proxy. It is thus
parameter and a user identity to encrypt a message. The undesirable to let the proxy reside in the storage server.
recipient can decrypt this ciphertext by his secret key. That will also be inconvenient since every decryption
Guo et al. [23], [9] tried to build IBE with key ag- requires separate interaction with the proxy.
gregation. One of their schemes [23] assumes random
oracles but another [9] does not. In their schemes, key 4 C ONCRETE C ONSTRUCTIONS OF KAC
aggregation is constrained in the sense that all keys Let G and GT be two cyclic groups of prime order p and
to be aggregated must come from different “identity ê : G × G → GT be a map with the following properties:
divisions”. While there are an exponential number of a b ab
• Bilinear: ∀g1 , g2 ∈ G, a, b ∈ Z, ê(g1 , g2 ) = ê(g1 , g2 ) .
identities and thus secret keys, only a polynomial num-
• Non-degenerate: for some g ∈ G, ê(g, g) = 1.
ber of them can be aggregated. Most importantly, their
key-aggregation [23], [9] comes at the expense of O(n) G is a bilinear group if all the operations involved above
sizes for both ciphertexts and the public parameter, where are efficiently computable. Many classes of elliptic curves
n is the number of secret keys which can be aggregated feature bilinear groups.
into a constant size one. This greatly increases the costs
of storing and transmitting ciphertexts, which is imprac- 4.1 A Basic Construction
tical in many situations such as shared cloud storage. As The design of our basic scheme is inspired from the
collusion-resistant broadcast encryption scheme pro-
5. Another way to do this is to apply hash function to the string
denoting the class, and keep hashing repeatedly until a prime is posed by Boneh et al. [31]. Although their scheme
obtained as the output of the hash function. supports constant-size secret keys, every key only has
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
6
• Encrypt(pkl , (a, b), m): Let pkl = {v1 , · · · , vl }. For an 4.2.2 Other Implication
index (a, b), 1 ≤ a ≤ l, 1 ≤ b ≤ n, pick t ∈R Zp , out- This key extension approach can also be seen as a key
put the ciphertext as C = g t , (va gb )t , m · ê(g1 , gn )t . update process. In case a secret value is compromised,
• Extract(mskl , Sl ): Let mskl = {γ1 , γ2 , · · · , γl }. For a we can replace the compromised pk1 with a new key
set Sl of indices (i, j), 1 ≤ i ≤ l, 1 ≤ j ≤ n, get pk2 . The small aggregate key size minimizes the com-
n+1−j
gn+1−j = g α from param, output: munication overhead for transferring the new key.
γ1
γ2
K Sl = ( gn+1−j , gn+1−j ,
(1,j)∈Sl (2,j)∈Sl
5 P ERFORMANCE A NALYSIS
γl 5.1 Compression Factors
··· , gn+1−j ).
(l,j)∈Sl For a concrete comparison, we investigate the space
requirements of the tree-based key assignment approach
• Decrypt(KSl , Sl , (a, b), C): If (a, b) ∈ / Sl , output ⊥. we described in Section 3.1. This is used in the Complete
Otherwise, let KSl = (d1 , · · · , dl ) and C = c1 , c2 , c3 . Subtree scheme, which is a representative solution to the
Output the message: broadcast encryption problem following the well-known
Subset-Cover framework [33]. It employs a static logical
c3 · ê(da · gn+1−j+b , c1 )
(a,j)∈Sl ,j=b key hierarchy, which is materialized with a full binary
m= . key tree of height h (equals to 3 in Figure 3), and thus
ê( gn+1−j , c2 )
(a,j)∈Sl can support up to 2h ciphertext classes, a selected part
of which is intended for an authorized delegatee.
Just like the basic construction, the decryption can In an ideal case as depicted in Figure 3(a), the dele-
be done more efficiently with the knowledge of γi ’s. gatee can be granted the access to 2hs classes with the
Correctness is not much more difficult to see: possession of only one key, where hs is the height of a
certain subtree (e.g., hs = 2 in Figure 3(a)). On the other
c3 · ê(da · gn+1−j+b , c1 )
(a,j)∈Sl ,j=b hand, to decrypt ciphertexts of a set of classes, sometimes
/ ê( gn+1−j , c2 ) the delegatee may have to hold a large number of keys,
(a,j)∈Sl
γa as depicted in Figure 3(b). Therefore, we are interested
= c3 · ê( gn+1−j · gn+1−j+b , g t ) in na , the number of symmetric-keys to be assigned in this
(a,j)∈Sl (a,j)∈Sl ,j=b
t hierarchical key approach, in an average sense.
/ ê( gn+1−j , (va gb ) )
(a,j)∈Sl We assume that there are exactly 2h ciphertext classes,
t
t
= c3 · ê( gn+1−j+b , g )/ê( gn+1−j , gb ) and the delegatee of concern is entitled to a portion
(a,j)∈Sl ,j=b (a,j)∈Sl r of them. That is, r is the delegation ratio, the ratio
= m · ê(g1 , gn )t /ê(gn+1 , g t ) = m. of the delegated ciphertext classes to the total classes.
Obviously, if r = 0, na should also be 0, which means
We can also prove the semantic security of this ex-
no access to any of the classes; if r = 100%, na should
tended scheme. The proof is very similar to that for the
be as low as 1, which means that the possession of only
basic scheme and therefore is omitted. The public-key of
the root key in the hierarchy can grant the access to all
our CCA construction to be presented below can also be
the 2h classes. Consequently, one may expect that na
extended using the same Extend algorithm.
may first increase with r, and may decrease later. We
set r = 10%, 20%, · · · , 90%, and choose the portion in a
4.2.1 Discussions random manner to model an arbitrary “delegation pat-
To make the best out of our extended scheme (i.e., to tern” for different delegatees. For each combination of r
make the key size as small as possible), we suggest that and h, we randomly generate 104 different combinations
the ciphertext classes for different purposes should be of classes to be delegated, and the output key set size
corresponded to different public-keys. This is reason- na is the average over random delegations.
able in practice and does not contradict our criticism We tabulate the results in Table 2, where h = 16, 18, 20
on hierarchical methods that an efficient assignment of respectively6 . For a given h, na increases with the dele-
hierarchy requires a priori knowledge on what to be gation ratio r until r reaches ∼ 70%. An amazing fact is
shared. Using our example, pk1 and pk2 correspond to that, the ratio of na to N (= 2h+1 − 1), the total number of
“personal” and “work”. It is likely to have many sub- keys in the hierarchy (e.g., N = 15 in Figure 3), appears
categories under either of them but it may not be equally to be only determined by r but irrelevant of h. This
likely to share both of them (if the user does not gossip is because when the number of ciphertext classes (2h )
about office drama with friends and do not expose party is large and the delegation ratio (r) is fixed, this kind
photos to colleagues). Another example, say a user’s of random delegation achieves roughly the same key
categorization include “music” and “game”. One day she
becomes a graduate student and needs to publish, and 6. Legend: h: The height of the binary tree: there are total 2h
ciphertext classes, na : The number of keys to be assigned, N : The
therefore find the new need to add a category “paper”, total number of keys in the hierarchy, r: The delegation ratio: the ratio
which is probably independent of “music” and “game”. of the delegated ciphertext classes to the total classes.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
8
h r 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0.95
na 6224.8 11772.5 16579.3 20545.8 23520.7 25263.8 25400.1 23252.6 17334.6 11670.2
na
16 N
4.75% 8.98% 12.65% 15.68% 17.94% 19.27% 19.38% 17.74% 13.23% 8.90%
na 24895.8 47076.1 66312.4 82187.1 94078.8 101052.4 101594.8 93025.4 69337.4 46678.8
na
18 N
4.75% 8.98% 12.65% 15.68% 17.94% 19.27% 19.38% 17.74% 13.23% 8.90%
na 99590.5 188322.0 265254.1 328749.5 376317.4 404205.0 406385.1 372085.2 277343.1 186725.4
na
20 N
4.75% 8.98% 12.65% 15.68% 17.94% 19.27% 19.38% 17.74% 13.22% 8.90%
TABLE 2
Compression ratios for different delegation ratios and tree heights
r 0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 0.9 0.95
Setup 8.4
Extract 2 4 5 7 8 9 10 10 11 11
Decrypt 4 6 9 12 14 15 16 18 20 20
TABLE 3
Performance of our basic construction for h = 16 with respect to different delegation ratio r (in milliseconds)
A limitation in our work is the predefined bound of [16] Y. Sun and K. J. R. Liu, “Scalable Hierarchical Access Control in
the number of maximum ciphertext classes. In cloud Secure Group Communications,” in Proceedings of the 23th IEEE
International Conference on Computer Communications (INFOCOM
storage, the number of ciphertexts usually grows rapidly. ’04). IEEE, 2004.
So we have to reserve enough ciphertext classes for [17] Q. Zhang and Y. Wang, “A Centralized Key Management Scheme
the future extension. Otherwise, we need to expand the for Hierarchical Access Control,” in Proceedings of IEEE Global
Telecommunications Conference (GLOBECOM ’04). IEEE, 2004, pp.
public-key as we described in Section 4.2. 2067–2071.
Although the parameter can be downloaded with [18] J. Benaloh, “Key Compression and Its Application to Digital
ciphertexts, it would be better if its size is independent of Fingerprinting,” Microsoft Research, Tech. Rep., 2009.
[19] B. Alomair and R. Poovendran, “Information Theoretically Secure
the maximum number of ciphertext classes. On the other Encryption with Almost Free Authentication,” J. UCS, vol. 15,
hand, when one carries the delegated keys around in a no. 15, pp. 2937–2956, 2009.
mobile device without using special trusted hardware, [20] D. Boneh and M. K. Franklin, “Identity-Based Encryption from the
Weil Pairing,” in Proceedings of Advances in Cryptology - CRYPTO
the key is prompt to leakage, designing a leakage- ’01, ser. LNCS, vol. 2139. Springer, 2001, pp. 213–229.
resilient cryptosystem [22], [34] yet allows efficient and [21] A. Sahai and B. Waters, “Fuzzy Identity-Based Encryption,” in
flexible key delegation is also an interesting direction. Proceedings of Advances in Cryptology - EUROCRYPT ’05, ser. LNCS,
vol. 3494. Springer, 2005, pp. 457–473.
[22] S. S. M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, “Practi-
cal Leakage-Resilient Identity-Based Encryption from Simple As-
R EFERENCES sumptions,” in ACM Conference on Computer and Communications
Security, 2010, pp. 152–161.
[23] F. Guo, Y. Mu, and Z. Chen, “Identity-Based Encryption: How to
[1] S. S. M. Chow, Y. J. He, L. C. K. Hui, and S.-M. Yiu, “SPICE -
Decrypt Multiple Ciphertexts Using a Single Decryption Key,” in
Simple Privacy-Preserving Identity-Management for Cloud Envi-
Proceedings of Pairing-Based Cryptography (Pairing ’07), ser. LNCS,
ronment,” in Applied Cryptography and Network Security - ACNS
vol. 4575. Springer, 2007, pp. 392–406.
2012, ser. LNCS, vol. 7341. Springer, 2012, pp. 526–543.
[24] M. Chase and S. S. M. Chow, “Improving Privacy and Security in
[2] L. Hardesty, “Secure computers aren’t so secure,” MIT press, 2009,
Multi-Authority Attribute-Based Encryption,” in ACM Conference
http://www.physorg.com/news176107396.html.
on Computer and Communications Security, 2009, pp. 121–130.
[3] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou, “Privacy-
[25] T. Okamoto and K. Takashima, “Achieving Short Ciphertexts or
Preserving Public Auditing for Secure Cloud Storage,” IEEE Trans.
Short Secret-Keys for Adaptively Secure General Inner-Product
Computers, vol. 62, no. 2, pp. 362–375, 2013.
Encryption,” in Cryptology and Network Security (CANS ’11), 2011,
[4] B. Wang, S. S. M. Chow, M. Li, and H. Li, “Storing Shared Data pp. 138–159.
on the Cloud via Security-Mediator,” in International Conference [26] R. Canetti and S. Hohenberger, “Chosen-Ciphertext Secure Proxy
on Distributed Computing Systems - ICDCS 2013. IEEE, 2013. Re-Encryption,” in Proceedings of the 14th ACM Conference on
[5] S. S. M. Chow, C.-K. Chu, X. Huang, J. Zhou, and R. H. Deng, Computer and Communications Security (CCS ’07). ACM, 2007,
“Dynamic Secure Cloud Storage with Provenance,” in Cryptog- pp. 185–194.
raphy and Security: From Theory to Applications - Essays Dedicated [27] C.-K. Chu and W.-G. Tzeng, “Identity-Based Proxy Re-encryption
to Jean-Jacques Quisquater on the Occasion of His 65th Birthday, ser. Without Random Oracles,” in Information Security Conference (ISC
LNCS, vol. 6805. Springer, 2012, pp. 442–464. ’07), ser. LNCS, vol. 4779. Springer, 2007, pp. 189–202.
[6] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, “Aggregate [28] C.-K. Chu, J. Weng, S. S. M. Chow, J. Zhou, and R. H. Deng,
and Verifiably Encrypted Signatures from Bilinear Maps,” in “Conditional Proxy Broadcast Re-Encryption,” in Australasian
Proceedings of Advances in Cryptology - EUROCRYPT ’03, ser. LNCS, Conference on Information Security and Privacy (ACISP ’09), ser.
vol. 2656. Springer, 2003, pp. 416–432. LNCS, vol. 5594. Springer, 2009, pp. 327–342.
[7] M. J. Atallah, M. Blanton, N. Fazio, and K. B. Frikken, “Dynamic [29] S. S. M. Chow, J. Weng, Y. Yang, and R. H. Deng, “Efficient
and Efficient Key Management for Access Hierarchies,” ACM Unidirectional Proxy Re-Encryption,” in Progress in Cryptology -
Transactions on Information and System Security (TISSEC), vol. 12, AFRICACRYPT 2010, ser. LNCS, vol. 6055. Springer, 2010, pp.
no. 3, 2009. 316–332.
[8] J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, “Patient [30] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “Improved
Controlled Encryption: Ensuring Privacy of Electronic Medical Proxy Re-Encryption Schemes with Applications to Secure Dis-
Records,” in Proceedings of ACM Workshop on Cloud Computing tributed Storage,” ACM Transactions on Information and System
Security (CCSW ’09). ACM, 2009, pp. 103–114. Security (TISSEC), vol. 9, no. 1, pp. 1–30, 2006.
[9] F. Guo, Y. Mu, Z. Chen, and L. Xu, “Multi-Identity Single-Key [31] D. Boneh, C. Gentry, and B. Waters, “Collusion Resistant Broad-
Decryption without Random Oracles,” in Proceedings of Informa- cast Encryption with Short Ciphertexts and Private Keys,” in
tion Security and Cryptology (Inscrypt ’07), ser. LNCS, vol. 4990. Proceedings of Advances in Cryptology - CRYPTO ’05, ser. LNCS,
Springer, 2007, pp. 384–398. vol. 3621. Springer, 2005, pp. 258–275.
[10] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-Based [32] L. B. Oliveira, D. Aranha, E. Morais, F. Daguano, J. Lopez, and
Encryption for Fine-Grained Access Control of Encrypted data,” R. Dahab, “TinyTate: Computing the Tate Pairing in Resource-
in Proceedings of the 13th ACM Conference on Computer and Com- Constrained Sensor Nodes,” in Proceedings of 6th IEEE International
munications Security (CCS ’06). ACM, 2006, pp. 89–98. Symposium on Network Computing and Applications (NCA ’07).
[11] S. G. Akl and P. D. Taylor, “Cryptographic Solution to a Problem IEEE, 2007, pp. 318–323.
of Access Control in a Hierarchy,” ACM Transactions on Computer [33] D. Naor, M. Naor, and J. Lotspiech, “Revocation and Tracing
Systems (TOCS), vol. 1, no. 3, pp. 239–248, 1983. Schemes for Stateless Receivers,” in Proceedings of Advances in
[12] G. C. Chick and S. E. Tavares, “Flexible Access Control with Cryptology - CRYPTO ’01, ser. LNCS. Springer, 2001, pp. 41–62.
Master Keys,” in Proceedings of Advances in Cryptology - CRYPTO [34] T. H. Yuen, S. S. M. Chow, Y. Zhang, and S. M. Yiu, “Identity-
’89, ser. LNCS, vol. 435. Springer, 1989, pp. 316–322. Based Encryption Resilient to Continual Auxiliary Leakage,” in
[13] W.-G. Tzeng, “A Time-Bound Cryptographic Key Assignment Proceedings of Advances in Cryptology - EUROCRYPT ’12, ser. LNCS,
Scheme for Access Control in a Hierarchy,” IEEE Transactions on vol. 7237, 2012, pp. 117–134.
Knowledge and Data Engineering (TKDE), vol. 14, no. 1, pp. 182–188, [35] D. Boneh, X. Boyen, and E.-J. Goh, “Hierarchical Identity Based
2002. Encryption with Constant Size Ciphertext,” in Proceedings of Ad-
[14] G. Ateniese, A. D. Santis, A. L. Ferrara, and B. Masucci, vances in Cryptology - EUROCRYPT ’05, ser. LNCS, vol. 3494.
“Provably-Secure Time-Bound Hierarchical Key Assignment Springer, 2005, pp. 440–456.
Schemes,” J. Cryptology, vol. 25, no. 2, pp. 243–270, 2012. [36] D. Boneh, R. Canetti, S. Halevi, and J. Katz, “Chosen-Ciphertext
[15] R. S. Sandhu, “Cryptographic Implementation of a Tree Hierarchy Security from Identity-Based Encryption,” SIAM Journal on Com-
for Access Control,” Information Processing Letters, vol. 27, no. 2, puting (SIAMCOMP), vol. 36, no. 5, pp. 1301–1328, 2007.
pp. 95–98, 1988.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication.
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS
11
Cheng-Kang Chu received his Ph.D. in Com- Robert H. Deng has been a Professor at the
puter Science from National Chiao Tung Uni- School of Information Systems, Singapore Man-
versity (Hsinchu, Taiwan). After a postdoctoral agement University since 2004. Prior to this,
fellowship in Singapore Management University he was Principal Scientist and Manager of In-
with Prof. Robert H. Deng, he joined Cryptogra- focomm Security Department, Institute for Info-
phy and Security department at Institute for Info- comm Research, Singapore. His research in-
comm Research (I2R) as a Research Scientist. terests include data security and privacy, mul-
He has had a long-term interest in the develop- timedia security, network and system security.
ment of new technologies in Applied Cryptogra- He was the Associate Editor of the IEEE Trans-
phy, Cloud Computing Security, Wireless Sensor actions on Information Forensics and Security
Network Security and Smart Grid Security. Now from 2009 to 2012. He is currently Associate
he is mainly working on a project to develop security techniques in large Editor of IEEE Transactions on Dependable and Secure Computing,
scale shared storage systems. He has published many research papers Associate Editor of Security and Communication Networks (John Wiley),
in major conferences like PKC, CT-RSA, ACNS, etc. and received the and a member of Editorial Board of Journal of Computer Science and
best student paper award in ISC 2007. He also served as vice chair of Technology (the Chinese Academy of Sciences). He is the co-chair
IEEE CCNC 2012 and on the program committee of many international of the Steering Committee of the ACM Symposium on Information,
conferences including TrustBus, WISTP, IEEE CCNC, IEEE CloudCom, Computer and Communications Security (ASIACCS).
etc. He received the University Outstanding Researcher Award from the
National University of Singapore in 1999 and the Lee Kuan Yew Fellow
for Research Excellence from the Singapore Management University
in 2006. He was named Community Service Star and Showcased
Senior Information Security Professional by (ISC)2 under its Asia-Pacific
Information Security Leadership Achievements program in 2010. He
received the Distinguished Paper Award of the 19th Annual Network
Sherman S. M. Chow joined the Department
& Distributed System Security Symposium (NDSS 2012) and the Best
of Information Engineering at the Chinese Uni-
Paper Award of the 13th Joint IFIP TC6 & TC11 Conference on Com-
versity of Hong Kong as an assistant profes-
munications and Multimedia Security (CMS 2012).
sor in November 2012. He was a research fel-
low at Department of Combinatorics and Opti-
mization, University of Waterloo, a position he
commenced after receiving his Ph.D. degree
from the Courant Institute of Mathematical Sci-
ences, New York University. He interned at NTT
Research and Development (Tokyo), Microsoft
Research (Redmond) and Fuji Xerox Palo Alto
Laboratory, and has made research visits to U. Maryland, U. Calgary,
U. Texas, HKU, MIT, and Queensland University of Technology. These
visits resulted in US patent applications and also in publications at major
conferences such as ACM CCS and IACR EUROCRYPT. His research
interests are applied cryptography, privacy and distributed systems
security in general. He serves on the program committees of several in-
ternational conferences including ASIACRYPT 2012-2013, ACNS 2012-
2013, ASIACCS 2013, IEEE-CNS 2013 and Financial Crypt. 2013.