智慧医疗中基于属性加密的云存储数据共享

在电子病历系统中,为了实现多用户环境下的数据搜索,该文提出一种属性基可搜索加密方案。该文将密文和安全索引存储在医疗云,当用户请求医疗数据时,利用属性基可搜索加密算法进行数据搜索,实现了细粒度访问控制。同时方案引入了密文验证算法,解决了半诚实且好奇的云服务器模型下搜索结果不正确的问题。利用数据去重技术实现了重复数据的消除,减少占用医疗云的存储空间。方案同时实现了访问策略的隐藏,保证了数据用户的隐私安全。安全性分析表明,所提方案能很好地保护用户的隐私以及数据的安全。性能分析表明,该方案具有较好的性能,更加适用于智慧医疗等多对多应用场景,有效实现了医生和第三方数据用户在不侵犯患者隐私的前提下共享患者电子病历。     

Distributed compressed sensing for multi-sourced fusion and secure signal processing in private cloud

In this paper, a novel scheme is proposed for multi-sourced signal fusion and secure processing. Within a distributed compressed sensing (DCS) framework, traditional sampling, compression and encryption for signal acquisition are unified under the secure multiparty computation protocol. In the proposed scheme, generation of the pseudo-random sensing matrix offers a natural method for data encryption in DCS, allowing for joint recovery of multiparty data at legal users’ side. Experimental analysis and results indicate that the secure signal processing and recovery in DCS domain is feasible, and requires fewer measurements than the achievable approach of separate CS and Nyquist processing. The proposed scheme can be also extended to other cloud-based collaborative secure signal processing and data-mining applications.     

2DInpaint: A novel privacy-preserving scheme for image inpainting in an encrypted domain over the cloud

The low cost, agility, and mobility of cloud services for processing and storage data have attracted user’s attention today. Untrusted third parties support these services, and users are always concerned about utilizing them for personal data. Addressing these data-privacy issues for image inpainting over the cloud infrastructure(s), we propose a model, 2DInpaint, to perform image inpainting by protecting image information from an eavesdropping adversary. Inpainting is a technique for modifying an image in an undetectable manner with applications ranging from restoration of damaged photographs to object-removal and replacement of lost blocks in image coding and transmission. It can be accomplished by propagating the information in the isophotes direction of the desired region(s) from the neighborhood. Performing this propagation when the image is in the encrypted domain (ED) is a challenging dilemma. The challenge is addressed by employing a modified version of 2D-bicubic interpolation over the region to be inpainted in ED. The ramp secret sharing scheme is utilized to secure image information and to reduce storage overhead over the cloud server. 2DInpaint is proved to be information-theoretical secure in a probabilistic viewpoint and through various cryptographic attacks. The qualitative and quantitative results of 2DInpaint are analyzed under the scenarios of classical image inpainting, object-removal, and text-removal, and compared with the schemes in the plain domain. Moreover, no limitations related to the topology of the region to be inpainted are required using our approach. To the best of our knowledge, 2DInpaint is the first move towards image inpainting in the ED.     

Secure personal data sharing in cloud computing using attribute-based broadcast encryption

The ciphertext-policy (CP) attribute-based encryption (ABE) (CP-ABE) emergings as a promising technology for allowing users to conveniently access data in cloud computing. Unfortunately, it suffers from several drawbacks such as decryption overhead, user revocation and privacy preserving. The authors proposed a new efficient and privacy-preserving attribute-based broadcast encryption (BE) (ABBE) named EP-ABBE, that can reduce the decryption computation overhead by partial decryption, and protect user privacy by obfuscating access policy of ciphertext and user's attributes. Based on EP-ABBE, a secure and flexible personal data sharing scheme in cloud computing was presented, in which the data owner can enjoy the flexibly of encrypting personal data using a specified access policy together with an implicit user index set. With the proposed scheme, efficient user revocation is achieved by dropping revoked user's index from the user index set, which is with very low computation cost. Moreover, the privacy of user can well be protected in the scheme. The security and performance analysis show that the scheme is secure, efficient and privacy-preserving.     

基于区块链的细粒度云数据安全存储与删除方案

在基于云计算的存储与删除服务中,由于外包数据所有权和管理分离,现有的逻辑删除机制使云上的数据很容易暴露给未经授权的用户,甚至云服务器可能未遵循用户要求删除相应数据。为此,该文提出一种细粒度的安全云端数据存储与删除方案。基于椭圆曲线构造了基于密文策略的属性基加密以实现外包数据细粒度访问控制,应用区块链实现可公开验证的安全数据删除。该文方案具有责任可追踪性以及两方删除与可验证性等特性。理论分析与实验结果表明该文方案具有较好的安全性和较高的性能,能够满足云数据共享与安全删除的需求。     

Cloud data secure deduplication scheme via role-based symmetric encryption

The rapid development of cloud computing and big data technology brings prople to enter the era of big data,more and more enterprises and individuals outsource their data to the cloud service providers.The explosive growth of data and data replicas as well as the increasing management overhead bring a big challenge to the cloud storage space.Meanwhile,some serious issues such as the privacy disclosure,authorized access,secure deduplication,rekeying and permission revocation should also be taken into account.In order to address these problems,a role-based symmetric encryption algorithm was proposed,which established a mapping relation between roles and role keys.Moreover,a secure deduplication scheme was proposed via role-based symmetric encryption to achieve both the privacy protection and the authorized deduplication under the hierarchical architecture in the cloud computing environment.Furthermore,in the proposed scheme,the group key agreement protocol was utilized to achieve rekeying and permission revocation.Finally,the security analysis shows that the proposed role-based symmetric encryption algorithm is provably secure under the standard model,and the deduplication scheme can meet the security requirements.The performance analysis and experimental results indicate that the proposed scheme is effective and efficient.     

Optimization method for attribute-based cryptographic access control in mobile cloud computing

For the problem of secure data sharing and access control in mobile cloud,the drawback of traditional cryptographic access control schemes was deeply analyzed.Considering the truth that mobile devices were usually equipped with limited resources,an optimized attribute-based cryptographic access control scheme was proposed in this study.In the proposed scheme,a third party proxy was introduced into the system model,and the two-layer encryption method was applied.Combining traditional attribute-based encryption (ABE) algorithm with multi-secret sharing and split measurement of ABE encryption,the scheme could greatly reduce the cost of mobile users in terms of data publish and access management.Theoretical and experimental analysis shows that the contribution can well meet the requirements of mobile cloud in terms of security,computational complexity and communication cost,which means that it is promising for future applications.     

云计算平台下基于属性加密的动态版权使用控制方案（英文）

In order to achieve fine-grained access control in cloud computing,existing digital rights management(DRM) schemes adopt attribute-based encryption as the main encryption primitive.However,these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud.In this paper,we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing.We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption.Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content.The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users,and also enables the license server to implement immediate attribute and user revocation.Moreover,our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption,which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext.Extensive analytical results indicate that our proposed scheme is secure and efficient.     

Hybrid cloud approach for block-level deduplication and searchable encryption in large universe

Ciphertext-policy attribute-based searchable encryption (CP-ABSE) can achieve fine-grained access control for data sharing and retrieval, and secure deduplication can save storage space by eliminating duplicate copies. However, there are seldom schemes supporting both searchable encryption and secure deduplication. In this paper, a large universe CP-ABSE scheme supporting secure block-level deduplication are proposed under a hybrid cloud mechanism. In the proposed scheme, after the ciphertext is inserted into bloom filter tree (BFT), private cloud can perform fine-grained deduplication efficiently by matching tags, and public cloud can search efficiently using homomorphic searchable method and keywords matching. Finally, the proposed scheme can achieve privacy under chosen distribution attacks block-level (PRV-CDA-B) secure deduplication and match-concealing (MC) searchable security. Compared with existing schemes, the proposed scheme has the advantage in supporting fine-grained access control, block-level deduplication and efficient search, simultaneously.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

云计算与区块链平台的遥感影像安全检索方案

遥感影像外包到半可信的云平台进行存储和检索时,可能导致影像数据的泄露和返回不完整的检索结果。加密可以保护影像数据的安全,但无法保证云平台提供真实、完整的存储和检索服务。区块链技术能有效保证存储和检索服务的真实性和完整性,但区块链的计算和存储能力有限,如何实现遥感影像的安全存储和检索仍是一个具有挑战性的问题。该文提出一种结合云平台和区块链的遥感影像安全检索方法,将影像哈希等轻量级数据存储于区块链,云平台存储海量加密影像数据,确保云存储影像的真实性;区块链执行基于遥感影像属性的检索,在此基础上由云平台执行复杂度较高的基于内容的安全检索,保证了检索结果的完整性;利用区块链技术设计遥感影像检索交易机制。实验表明方案可以实现安全、真实、完整和高效的遥感影像检索,并构建一个双方信任的公平交易环境。     

PRA-TPE: Perfectly Recoverable Approximate Thumbnail-Preserving Image Encryption

With the popularity of cloud servers, an increasing number of people are willing to store their images in the cloud due to many conveniences such as online browsing and managing images. On the other hand, this inevitably causes users’ concerns about image privacy leakage. Many image encryption schemes are proposed to prevent privacy leakage, while most of them focus only on privacy protection and ignore the usability of encrypted images. For this purpose, Marohn et al. (2017) designed two approximate thumbnail-preserving encryption (TPE) schemes to balance image privacy and usability. However, the decrypted image in these two schemes are only perceptually close to the original one and the original image cannot be perfectly recovered. To this end, we design a perfectly recoverable approximate TPE scheme in this paper, which combines reversibledata hiding (RDH) with encryption schemes. The thumbnails of the original and processed images are similar to balance image privacy and usability well. Meanwhile, the reversibility of RDH and encryption schemes is utilized to ensure the perfect recoverability in the proposed scheme. Experiments show that the proposed approximate TPE scheme is no longer limited to balancing usability and privacy but attains perfect recovery.     

具有隐私保护的云存储访问控制方案

针对传统的访问控制方案无法在云计算环境下保护用户的属性隐私,提出了具有隐私保护的云存储访问控制方案。采用混合加密体制实现了数据的机密性,即利用对称密钥加密明文数据,再利用公钥密码体制对对称密钥进行加密。在新的访问控制方案中,公钥加密采用了匿名的密文策略下基于属性的加密技术。安全性分析表明,新方案在保护用户属性隐私的同时,达到了选择明文安全性,可抵抗恶意用户及云存储服务器的合谋攻击。     

A novel image encryption–compression scheme using hyper-chaos and Chinese remainder theorem

Hyper-chaos has more than one positive Lyapunov exponents and it has more complex dynamical characteristics than chaos. Hence it becomes a better choice for secure image encryption schemes. In this paper, we propose a new image encryption scheme integrated with compression simultaneously. Specifically, we first use 2D hyper-chaos discrete nonlinear dynamic system to shuffle the plain image, and then we apply Chinese remainder theorem (well known in number theory) to diffuse and compress the shuffled image, simultaneously. This new scheme can be used to change the plain image information drastically and compress the plain image with a given compression ratio k, which is most crucial in multimedia transmission. Theoretical and experimental analyses both confirm the security and the validity of the proposed algorithm.     

Electronic medical record data sharing scheme based on searchable encryption via consortium blockchain

Considering that it was difficult to share medical record data among different medical institutions in cloud storage,an electronic medical record data sharing scheme based on searchable encryption on blockchain was proposed.In order to realize the secure storage and sharing of electronic medical records in the scheme,the patient’s electronic medical record ciphertext was stored in the hospital server,the ciphertext hash value was stored in the private blockchain,and the keyword index was stored in the consortium blockchain.Searchable encryption was used to implement secure search of keywords in the consortium blockchain,and proxy re-encryption technology was used to realize the sharing of electronic medical records of patients by other data users.Security analysis shows that the proposed scheme can achieve ciphertext security and keyword security.Moreover,the performance of the scheme was analyzed by function analysis,computational efficiency analysis and numerical simulation.The performance analysis shows that the scheme can achieve high computational efficiency.     

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

Cloud computing provides a convenient way of content trading and sharing. In this paper, we propose a secure and privacy-preserving digital rights management （DRM） scheme using homomorphic encryption in cloud computing. We present an efficient digital rights management framework in cloud computing, which allows content provider to outsource encrypted contents to centralized content server and allows user to consume contents with the license issued by license server. Further, we provide a secure content key distribution scheme based on additive homomorphic probabilistic public key encryption and proxy re-encryption. The provided scheme prevents malicious employees of license server from issuing the license to unauthorized user. In addition, we achieve privacy preserving by allowing users to stay anonymous towards the key server and service provider. The analysis and comparison results indicate that the proposed scheme has high efficiency and security.     

Attribute-Based Access Control with Efficient and Secure Attribute Revocation for Cloud Data Sharing Service

Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantages of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.     

Secure and privacy‐preserving keyword search retrieval over hashed encrypted cloud data

Cloud computing (CC) is the universal area in which the data owners will contract out their pertinent data to the untrusted public cloud that permits the data users to retrieve the data with complete integrity. To give data privacy along with integrity, majority of the research works were concentrated on single data owner for secure searching of encrypted data via the cloud. Also, searchable encryption supports data user to retrieve the particular encrypted document from encrypted cloud data via keyword search (KS). However, these researches are not efficient for keyword search retrieval. To trounce such drawbacks, this paper proposes efficient secure and privacy‐preserving keyword search retrieval (SPKSR) system, in which the user retrieves the hashed encrypted documents over hashed encrypted cloud data. The proposed system includes three entities explicitly, (a) data owner (DO), (b) cloud server (CS), and (c) data users (DU). The owner outsources hashed encrypted documents set, along with generated searchable index tree to the CS. The CS hoards the hashed encrypted document collection and index tree structure. DU performs the “search” over the hashed encrypted data. Experimental results of the proposed system are analyzed and contrasted with the other existent system to show the dominance of the proposed system.     

QMLFD Based RSA Cryptosystem for Enhancing Data Security in Public Cloud Storage System

Nowadays sharing secure data turns out to be a challenging task for the data owner due to its privacy and confidentiality. Several IT companies stores their important information in the cloud since computing has developed immense power in sharing the data. On the other hand, privacy is considered a serious issue in cloud computing as there are numerous privacy concerns namely integrity, authentication as well as confidentiality. Among all those concerns, this paper focuses on enhancing the data integrity in the public cloud environment using Qusai modified levy flight distribution for the RSA cryptosystem (QMLFD-RSA). An effective approach named QMLFD for the RSA cryptosystem is proposed for resolving the problem based on data integrity in public cloud environment. A secured key generation and data encryption are done by employing the RSA cryptosystem thus the data is secured from unauthorized users. The key selection is done by using quasi based modified Levy flight distribution algorithm. Thus the proposed approach provides an effective model to enhance the integrity of data in cloud computing thus checking the data integrity uploaded in the public cloud storage system. In addition to this, ten optimization benchmark functions are calculated to determine the performances and the functioning of the newly developed QMLFD algorithm. The simulation results and comparative performances are carried out and the analysis reveals that the proposed QMLFD for the RSA cryptosystem provides better results when compared with other approaches.

     

对称可搜索加密技术研究进展

云计算作为一种新型计算模式,具有海量资源、动态扩展、按需分配等特点。资源受限的用户可以将计算任务外包给云服务器,在享受高质量数据服务的同时大大降低了本地管理开销。然而,数据外包导致数据所有权与管理权分离,如何保证数据的安全性成为云计算中亟待解决的关键问题。传统的加密技术虽然可以保证数据的机密性,但是在密文中如何执行有意义的检索操作成为一个巨大的挑战。为了保证数据机密性的同时实现密文数据的高效检索,可搜索加密技术应运而生。近年来,可搜索加密方案的设计日趋多样化,旨在提高方案的实用性。该文主要围绕目前可搜索加密方案的研究热点,从4个方面展开阐述,具体包括:单关键词检索、多模式检索、前/后向安全检索和可验证检索。该文主要介绍和分析具有代表性的研究成果,总结最新研究进展及提炼关键技术难点,最后对未来的研究方向进行展望。