基于f-mOPE的数据库密文检索方案

在云数据库环境下,为保证云存储数据的安全性,通常将数据加密存储。针对加密存储数据查询开销大,不支持密文排序,查询等缺点,该文提出一种 f-mOPE数据库密文检索方案。该方案基于可变保序编码(mOPE),采用二叉排序树数据结构思想,生成明文一一对应的保序编码;基于AES加密方案将数据明文转化为密文存储;采用改进的部分同态加密算法提升保序加密方案的安全性。通过安全性分析及实验结果表明,该方案在保证数据隐私的基础上,不但能抵御统计型攻击,而且能够有效地降低服务器计算开销,提高数据库处理效率。     

基于同态加密的DBSCAN聚类隐私保护方案

为了降低数据外包聚类运算过程中存在的隐私泄露风险,提出了一个基于同态加密的DBSCAN聚类隐私保护方案.为了加密实际场景中的浮点型数据,给出了针对不同数据精度的3种数据预处理方式,并提出了一种基于数据特点且综合考虑数据精度和计算开销等方面的数据预处理方式的选择策略.由于同态加密不支持密文比较运算,设计了一个用户端与云服...     

Mimic storage scheme based on regenerated code

Aiming to solve security threats in the cloud storage system due to static storage architecture and storage mode,a mimic storage scheme based on regenerated code was proposed.The scheme used network coding scheme to store the data in the cloud data node,and used mimicry transformation mechanism based on regeneration code to change data storage state dynamically according to the random time-varying factors,which could guarantee data integrity and data availability continuously.The mimicry transformation mechanism is a random,time-varying and dynamic scheme,which increases the uncertainty of storage system.It blocks and interferes with the attack chain,increases the difficulty and cost of the attack operation,and improves the security and reliability of the system.     

云存储中隐私保护的线性同态加密方案

云存储数据具有访问方便、可靠性高及可测量等优势,然而也存在一些安全风险,如敏感数据泄露、未授权访问及数据完整性等。针对敏感数据泄露问题,本文提出了一基于整多项式环上差错学习（R-LWE）问题的有效线性同态加密方案（LHES）,该方案可对要上传云端的数据进行加密并以密文形式分布式存储,其安全性是基于R-LWE问题的困难性。分析表明,该方案在效率上较基于LWE的加法同态加密方案有很大改进,并且在标准模型下是选择明文攻击安全的。最后,给出了本文方案在云存储隐私保护中的应用架构。      

A based on blinded CP‐ABE searchable encryption cloud storage service scheme

Cloud computing has great economical advantages and wide application, more and more data owners store their data in the cloud storage server (CSS) to avoid tedious local data management and insufficient storage resources. But the privacy of data owners faces enormous challenges. The most recent searchable encryption technology adopts the ciphertext‐policy attribute‐based encryption (CP‐ABE), which is one good method to deal with this security issue. However, the access attributes of the users are transmitted and assigned in plaintext form. In this paper, we propose a based on blinded CP‐ABE searchable encryption cloud storage service (BCP‐ABE‐SECSS) scheme, which can blind the access attributes of the users in order to prevent the collusion attacks of the CSS and the users. Data encryption and keyword index generation are performed by the data owners; meanwhile, we construct that CSS not only executes the access control policy of the data but also performs the pre‐decryption operation about the encrypted data to solve higher time cost of decryption calculation to the data users. Security proof results show that this scheme has access attribute security, data confidentiality, indistinguishable security against chosen keyword attack, and resisting the collusion attack between the data user and the CSS. Performance analysis and the experimental results show that this scheme can effectively reduce the computation time cost of the data owners and the data users.     

隐私保护的可验证多元多项式外包计算方案

随着云计算的发展和大数据时代的到来,如何对隐私数据进行外包计算且有效验证计算结果具有重要的现实意义。基于多线性映射和同态加密方案,提出了可验证的多元多项式外包计算方案,用户可准确验证外包计算结果的正确性。方案在标准模型中可证安全,且多项式函数和用户输入对于服务器都是保密的。分析表明,用户计算量远小于服务器的计算代价以及直接计算多项式函数。     

一种基于ORAM的数据可恢复性证明与访问模式的隐藏

随着云计算的发展与应用,越来越多的客户选择云存储作为存储媒质,因此,数据的完整性和私密性成为客户关心的主要问题。基于无关RAM模型机提出一种新的结构,将客户文件分割成大小相等的数据块,每个数据块在云存储中有两个备份,且随机地存储在不同的文件中,以保证数据的完整性。利用同态散列算法验证数据的可持有性,通过无关RAM隐藏客户对服务器的访问模式,敌手无法从客户的数据访问模式中获取有用的信息,从而实现了数据的私密性。     

EEPPDA—Edge-enabled efficient privacy-preserving data aggregation in smart healthcare Internet of Things network

The Internet of Things-based smart healthcare provides numerous facilities to patients and medical professionals. Medical professionals can monitor the patient's real-time medical data and diagnose diseases through the medical health history stored in the cloud database. Any kind of attack on the cloud database will result in misdiagnosis of the patients by medical professionals. Therefore, it becomes a primary concern to secure private data. On the other hand, the conventional data aggregation method for smart healthcare acquires immense communication and computational cost. Edge-enabled smart healthcare can overcome these limitations. The paper proposes an edge-enabled efficient privacy-preserving data aggregation (EEPPDA) scheme to secure health data. In the EEPPDA scheme, captured medical data have been encrypted by the Paillier homomorphic cryptosystem. Homomorphic encryption is engaged in the assurance of secure communication. For data transmission from patients to the cloud server (CS), data aggregation is performed on the edge server (ES). Then aggregated ciphertext data are transmitted to the CS. The CS validates the data integrity and analyzes and processes the authenticated aggregated data. The authorized medical professional executes the decryption, then the aggregated ciphertext data are decrypted in plaintext. EEPPDA utilizes the batch verification process to reduce communication costs. Our proposed scheme maintains the privacy of the patient's identity and medical data, resists any internal and external attacks, and verifies the health data integrity in the CS. The proposed scheme has significantly minimized computational complexity and communication overhead concerning the existing approach through extensive simulation.     

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

Cloud computing provides a convenient way of content trading and sharing. In this paper, we propose a secure and privacy-preserving digital rights management （DRM） scheme using homomorphic encryption in cloud computing. We present an efficient digital rights management framework in cloud computing, which allows content provider to outsource encrypted contents to centralized content server and allows user to consume contents with the license issued by license server. Further, we provide a secure content key distribution scheme based on additive homomorphic probabilistic public key encryption and proxy re-encryption. The provided scheme prevents malicious employees of license server from issuing the license to unauthorized user. In addition, we achieve privacy preserving by allowing users to stay anonymous towards the key server and service provider. The analysis and comparison results indicate that the proposed scheme has high efficiency and security.     

同态加密技术及其在云计算安全中的应用

文章针对云计算的安全问题,提出了一种全同态加密方案和基于此方案的数据检索算法,既保证了用户数据的安全性,又保证了服务器能够对存储的用户密文直接检索,为云系统中的信息安全和数据处理提供了良好的解决方案。     

Design of exact regenerating hierarchical code for distributed storage system

Erasure code is widely used as the redundancy scheme in distributed storage system. When a storage node fails, the repair process often requires to transfer a large amount of data. Regenerating code and hierarchical code are two classes of codes proposed to reduce the repair bandwidth cost. Regenerating codes reduce the amount of data transferred by each helping node, while hierarchical codes reduce the number of nodes participating in the repair process. In this paper, we propose a "sub-code nesting framework" to combine them together. The resulting regenerating hierarchical code has low repair degree as hierarchical code and lower repair cost than hierarchical code. Our code can achieve exact regeneration of the failed node, and has the additional property of low updating complexity.     

云计算环境中支持隐私保护的数字版权保护方案简

针对云计算环境中数字内容安全和用户隐私保护的需求,提出了一种云计算环境中支持隐私保护的数字版权保护方案。设计了云计算环境中数字内容版权全生命周期保护和用户隐私保护的框架,包括系统初始化、内容加密、许可授权和内容解密4个主要协议;采用基于属性基加密和加法同态加密算法的内容加密密钥保护和分发机制,保证内容加密密钥的安全性;允许用户匿名向云服务提供商订购内容和申请授权,保护用户的隐私,并且防止云服务提供商、授权服务器和密钥服务器等收集用户使用习惯等敏感信息。与现有的云计算环境中数字版权保护方案相比,该方案在保护内容安全和用户隐私的同时,支持灵活的访问控制,并且支持在线和超级分发应用模式,在云计算环境中具有较好的实用性。     

A secure channel code‐based scheme for privacy preserving data aggregation in wireless sensor networks

Data aggregation is an efficient method to reduce the energy consumption in wireless sensor networks (WSNs). However, data aggregation schemes pose challenges in ensuring data privacy in WSN because traditional encryption schemes cannot support data aggregation. Homomorphic encryption schemes are promising techniques to provide end to end data privacy in WSN. Data reliability is another main issue in WSN due to the errors introduced by communication channels. In this paper, a symmetric additive homomorphic encryption scheme based on Rao‐Nam scheme is proposed to provide data confidentiality during aggregation in WSN. This scheme also possess the capability to correct errors present in the aggregated data. The required security levels can be achieved in the proposed scheme through channel decoding problem by embedding security in encoding matrix and error vector. The error vectors are carefully designed so that the randomness properties are preserved while homomorphically combining the data from different sensor nodes. Extensive cryptanalysis shows that the proposed scheme is secure against all attacks reported against private‐key encryption schemes based on error correcting codes. The performance of the encryption scheme is compared with the related schemes, and the results show that the proposed encryption scheme outperforms the existing schemes.     

Chaotic map‐based time‐aware multi‐keyword search scheme with designated server

The cloud storage service has been widely used in daily life because of its convenience. However, the service frequently suffers confidentiality problems. To address this problem, some efforts have been made on keyword search over encrypted data schemes. For instance, the chaotic‐based keyword search scheme over encrypted data has been proposed recently. However, the scheme just only support single‐ keyword search each time, which severely limits its utilization in cloud storage. This article proposes a novel chaotic‐based time‐aware multi‐keyword search scheme with designated server. Inner product similarity is adopted in our scheme to realize multiple keyword search and remove the constraint of single‐keyword search each time. Timed‐release encryption is integrated into the proposed scheme at the same time, which enables the data sender to specify the time when the cloud servers can search the encrypted data. Analysis indicates that our scheme not only can counter off‐line guessing attacks to the ciphertext and trapdoor, but also supports ranked search with a reasonable computational cost. Copyright © 2015 John Wiley & Sons, Ltd.     

同态密码理论与应用进展

随着云计算、云存储等各类云服务的普及应用,云环境下的隐私保护问题逐渐成为业界关注的焦点,同态密码成为解决该问题的关键手段,其中,如何构造高效的全同态加密方案是近年来同态加密研究的热点之一。首先,该文介绍了同态密码的发展情况,从不同角度对同态加密方案进行了分类分析,着重描述了可验证全同态加密方案的研究进展。通过分析近年来公开的同态加密领域知识产权文献,对同态加密在理论研究和实际应用中所取得的进展进行了归纳总结。其次,对比分析了目前主流全同态加密库Helib, SEAL以及TFHE的性能。最后,梳理了同态加密技术的典型应用场景,指出了未来可能的研究与发展方向。     

面向“互联网+”的公有云数据安全

“互联网+”催生了许多新的经济形态与商业模式,公有云面临着严峻的安全挑战。研究了公有云数据安全问题,并提出了研究思路。首先,分析了同态加密的概念、加法同态加密与乘法同态加密的特点以及当前的研究成果和需要解决的难题。然后,根据乘法同态加密算法、散列表和相似性理论,提出了一种数据安全保护方案,并阐述了具体实现流程,采用欧氏距离检验公有云中加密数据的相似性与完整性。最后,理论分析了该方案的正确性与安全性。仿真实验验证了该方案的可行性与有效性。     

云计算平台下基于属性加密的动态版权使用控制方案（英文）

In order to achieve fine-grained access control in cloud computing,existing digital rights management(DRM) schemes adopt attribute-based encryption as the main encryption primitive.However,these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud.In this paper,we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing.We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption.Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content.The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users,and also enables the license server to implement immediate attribute and user revocation.Moreover,our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption,which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext.Extensive analytical results indicate that our proposed scheme is secure and efficient.     

Enhanced security‐aware technique and ontology data access control in cloud computing

Nowadays, security and data access control are some of the major concerns in the cloud storage unit, especially in the medical field. Therefore, a security‐aware mechanism and ontology‐based data access control (SA‐ODAC) has been developed to improve security and access control in cloud computing. The model proposed in this research work is based on two operational methods, namely, secure awareness technique (SAT) and ontology‐based data access control (ODAC), to improve security and data access control in cloud computing. The SAT technique is developed to provide security for medical data in cloud computing, based on encryption, splitting and adding files, and decryption. The ODAC ontology is launched to control unauthorized persons accessing data from storage and create owner and administrator rules to allow access to data and is proposed to improve security and restrict access to data. To manage the key of the SAT technique, the secret sharing scheme is introduced in the proposed framework. The implementation of the algorithm is performed by MATLAB, and its performance is verified in terms of delay, encryption time, encryption time, and ontology processing time and is compared with role‐based access control (RBAC), context‐aware RBAC and context‐aware task RBAC, and security analysis of advanced encryption standard and data encryption standard. Ultimately, the proposed data access control and security scheme in SA‐ODAC have achieved better performance and outperform the conventional technique.     

安全的WSN数据融合隐私保护方案设计

针对无线传感器网络数据融合过程中的数据隐私和完整性保护问题,提出一种安全的数据融合隐私保护方案(SPPDA),把节点的私密因子与原始数据构成复数,采用同态加密方法对复数进行加密,实现在密文不解密的情况下进行数据融合,同时采用基于复数的完整性验证方法,确保数据的可靠性。理论分析和仿真结果表明,SPPDA方案的计算代价和通信开销较少,数据融合的精确度高。     

ACDAS: Authenticated controlled data access and sharing scheme for cloud storage

Cloud storage services require cost‐effective, scalable, and self‐managed secure data management functionality. Public cloud storage always enforces users to adopt the restricted generic security consideration provided by the cloud service provider. On the contrary, private cloud storage gives users the opportunity to configure a self‐managed and controlled authenticated data security model to control the accessing and sharing of data in a private cloud. However, this introduces several new challenges to data security. One critical issue is how to enable a secure, authenticated data storage model for data access with controlled data accessibility. In this paper, we propose an authenticated controlled data access and sharing scheme called ACDAS to address this issue. In our proposed scheme, we employ a biometric‐based authentication model for secure access to data storage and sharing. To provide flexible data sharing under the control of a data owner, we propose a variant of a proxy reencryption scheme where the cloud server uses a proxy reencryption key and the data owner generates a credential token during decryption to control the accessibility of the users. The security analysis shows that our proposed scheme is resistant to various attacks, including a stolen verifier attack, a replay attack, a password guessing attack, and a stolen mobile device attack. Further, our proposed scheme satisfies the considered security requirements of a data storage and sharing system. The experimental results demonstrate that ACDAS can achieve the security goals together with the practical efficiency of storage, computation, and communication compared with other related schemes.