Research progress on secure data deduplication in cloud

In order to improve the efficiency of cloud storage and save the communication bandwidth, a deduplication mechanism for multi-duplicate of the same data in cloud environment was needed. However, the implement of the secure data deduplication was seriously hindered by the ciphertext in cloud. This issue has quickly aroused wide attention of academia and industry, and became a research hotspot. From a security standpoint, firstly the primary cause and the main challenges of secure data deduplication in cloud environment was analyzed, and then the deduplication system model as well as its security model was described. Furthermore, focusing on the realization mechanism of secure data deduplica-tion, the thorough analyses were carried on and reviews for the related research works in recent years from content-based encryption, proof of ownership and privacy protection for secure deduplication, then the advantages and common prob-lems of various key technologies and methods were summed up. Finally, the future research directions and development trends on secure data deduplication in cloud was given.     

Hybrid cloud approach for block-level deduplication and searchable encryption in large universe

Ciphertext-policy attribute-based searchable encryption (CP-ABSE) can achieve fine-grained access control for data sharing and retrieval, and secure deduplication can save storage space by eliminating duplicate copies. However, there are seldom schemes supporting both searchable encryption and secure deduplication. In this paper, a large universe CP-ABSE scheme supporting secure block-level deduplication are proposed under a hybrid cloud mechanism. In the proposed scheme, after the ciphertext is inserted into bloom filter tree (BFT), private cloud can perform fine-grained deduplication efficiently by matching tags, and public cloud can search efficiently using homomorphic searchable method and keywords matching. Finally, the proposed scheme can achieve privacy under chosen distribution attacks block-level (PRV-CDA-B) secure deduplication and match-concealing (MC) searchable security. Compared with existing schemes, the proposed scheme has the advantage in supporting fine-grained access control, block-level deduplication and efficient search, simultaneously.     

具有前向安全性质的秘密共享方案

由于已有的秘密共享方案都不具有前向安全的性质,该文基于有限域上离散对数难解问题和强RSA 假设,应用前向安全理论和已有的秘密共享方案特别是Boyd提出的乘法门限方案的思想,提出了一种具有前向安全特性的秘密共享方案。该方案具有子密的可验证性,能够检测伪子密,防止欺诈者;具有子密更新简便及更新后的子密的可验证性;具有秘密恢复快捷且能直接恢复时间周期j 的秘密信息及检测恢复得到的秘密信息是否正确等功效。该文同时还对方案的安全性进行了分析。     

新的安全分布式n个秘密乘积共享方案

由于Shamir的秘密共享方案并不具有乘法的同态性质, 因此针对安全分布式乘法计算中利用传统的Shamir线性多项式进行n个秘密乘积共享时需要不断调用两方秘密乘积子协议的缺点,首先用哥德尔数对保密数据进行编码,接着利用这种具有乘法同态的编码方法和一种加法同态承诺方案,实现了一种新的安全分布式一次性共享n个秘密乘积的方案,并证明了即使有恶意的参与者存在时,此方案仍为安全的。分析表明,本方案不但简单可行,而且相比传统方案效率明显提高。     

Cloud outsourcing secret sharing scheme against covert adversaries

In order to make computationally weak cloud tenants can reconstruct a secret with efficiency and fairness,a cloud outsourcing secret sharing scheme was proposed,which combined cloud outsourcing computation with secret sharing scheme.In the process of outsourcing secret sharing,cloud tenants just need a small amount of decryption and validation operations,while outsource expensive cryptographic operations to cloud service provider (CSP).The scheme,without complex interactive augment or zero-knowledge proof,could detect malicious behaviors of cloud tenants or cloud service providers.And the scheme was secure against covert adversaries.Finally,every cloud tenant was able to obtain the secret fairly and correctly.Security analysis and performance comparison show that scheme is safe and effective.     

基于多线性Diffie-Hellman问题的秘密共享方案

秘密共享方案的信息率是衡量秘密共享通信效率的重要指标,鉴于已有的秘密共享方案效率不高的问题,本文基于多线性对提出了信息率为m/（m+1）的可验证秘密共享方案.方案中,共享秘密为m维向量,其可验证性可利用多线性映射的多线性性质来实现;同时,在多线性Diffie-Hellman问题下,方案是可证明安全的.性能分析结果表明,与已有的相同安全级别下的秘密共享方案相比,该方案具有较高的通信效率,更适用于通信受限的数据容错的应用场景.     

基于确定/概率性文件拥有证明的机密数据安全去重方案

为解决云存储系统中机密数据去重面临的密文重复性检测与拥有性证明、针对数据机密性的攻击等难题,提出了基于Merkle散列树的MHT-Dedup方案和基于同态MAC的hMAC-Dedup方案。两者均通过对密文文件的拥有证明进行跨用户文件级重复性检测,并通过检查数据块明文的摘要进行本地数据块级重复性检测,避免了跨用户文件级客户端重复性检测中hash-as-a-proof方法存在的安全缺陷。MHT-Dedup方案通过数据块密文的标签生成的验证二叉树提供确定性的文件拥有证明,具有较低的计算和传输开销,而hMAC-Dedup方案则通过对抽样数据块密文和其标签进行同态MAC运算提供概率性的文件拥有证明,具有较低的额外存储开销。分析与比较表明,本方案在同时支持两级客户端机密数据安全去重和抵抗对数据块的暴力搜索攻击方面具有明显优势。     

基于密钥共享的安全多方计算应用

介绍了安全多方计算的基本概念和基于密钥共享的安全多方计算协议。现有的基于密钥共享的安全多方计算协议,能够计算有限域上的任意函数,但是研究表明,如果一个协议使用广泛,那么必然会牺牲性能上的一些代价。构造了函数f（s1,s2,…,sn）=αs1＋αs2＋…＋αsn的安全多方计算协议,对一般化的基于密钥共享的安全多方计算协议进行剪裁,去掉不相关的部分,并增加可验证性,大大提高了协议效率和实用性。     

A User-Centric Data Secure Creation Scheme in Cloud Computing

Due to the use of the cloud computing technology, the ownership is separated from the adminis-tration of the data in cloud and the shared data might be migrated between different clouds, which would bring new challenges to data secure creation, especially for the data privacy protection. We propose a User-centric data secure creation scheme (UCDSC) for the security requirements of resource owners in cloud. In this scheme, a data owner first divides the users into different domains. The data owner encrypts data and defines different secure managing poli-cies for the data according to domains. To encrypt the data in UCDSC, we present an algorithm based on Access con-trol conditions proxy re-encryption (ACC-PRE), which is proved to be master secret secure and Chosen-ciphertext attack (CCA) secure in random oracle model. We give the application protocols and make the comparisons between some existing approaches and UCDSC.     

AN EFFICIENT AND SECURE （t, n） THRESHOLD SECRET SHARING SCHEME

Based on Shamir＇s threshold secret sharing scheme and the discrete logarithm problem, a new （t, n） threshold secret sharing scheme is proposed in this paper. In this scheme, each participant＇s secret shadow is selected by the participant himself, and even the secret dealer cannot gain anything about his secret shadow. All the shadows are as short as the shared secret. Each participant can share many secrets with other participants by holding only one shadow. Without extra equations and information designed for verification, each participant is able to check whether another participant provides the true information or not in the recovery phase. Unlike most of the existing schemes, it is unnecessary to maintain a secure channel between each participant and the dealer. Therefore, this scheme is very attractive, especially under the circumstances that there is no secure channel between the dealer and each participant at all. The security of this scheme is based on that of Shamir＇s threshold scheme and the difficulty in solving the discrete logarithm problem. Analyses show that this scheme is a computationally secure and efficient scheme.     

一种基于身份加密的可验证秘密共享方案

 提出了一种使用IBE公钥算法实现的可验证秘密共享方案.该方案中秘密分发者将IBE私钥作为共享秘密在接入结构中分发,任何参与者可以通过公开的验证信息验证影子秘密的正确性.随后在随机预言模型中证明了所提方案的语义安全性.理论分析和仿真实验表明,方案可以有效检测来自内外部攻击者的欺骗攻击,并具有较低的时间复杂度和通信开销.     

Towards edge-collaborative,lightweight and secure region proposal network

Aiming at the problem of image privacy leakage and computing efficiency in edge environment,a lightweight and secure region proposal network (SecRPN) was proposed.A series of secure computing protocols were designed based on the additive secret sharing scheme.Two non-collusive edge servers cooperate to perform calculation modules such as secure feature processing,secure anchor transformation,secure bounding-box correction,and secure non-maximum suppression.Theoretical analysis guarantees the correctness and security of SecRPN.The actual performance evaluation shows that SecRPN is outstanding in the computational cost and communication overhead compared with the existing works.     

云存储中密文数据的客户端安全去重方案

云存储环境下,客户端数据去重能在本地进行文件重复性检测,有效地节约存储空间和网络带宽.然而,客户端去重仍面临着很多安全挑战.首先,由于将文件哈希值作为重复性检测的证据,攻击者很可能通过一个文件的哈希值获得整个文件;其次,为了保护数据隐私,收敛加密被广泛运用于数据去重方案,但是由于数据本身是可预测的,所以收敛加密仍不可避免地遭受暴力字典攻击.为了解决上述问题,本文首次利用盲签名构造了一个安全的密钥生成协议,通过引入一个密钥服务器,实现了对收敛密钥的二次加密,有效地预防了暴力字典攻击;并进一步提出了一个基于块密钥签名的拥有权证明方法,能够有效预防攻击者通过单一的哈希值来获取文件,并能同时实现对密文文件的文件级和块级去重.同时,安全分析表明本文方案在随机预言模型下是可证明安全的,并能够满足收敛密钥安全、标签一致性和抗暴力字典攻击等更多安全属性.此外,与现有方案相比,实验结果表明本文方案在文件上传和文件去重方面的计算开销相对较小.     

一种基于Einstein-Podolsky-Rosen (EPR)序列的量子安全直接通信协议

为了提高量子安全直接通信协议的安全性并同时降低其成本,该文通过对协议中检测窃听过程的分析给出了一种有效的方法,并从量子安全直接通信和量子秘密共享两种角度验证了这种方法的可行性。合法通信者使用携带有秘密消息的传输粒子检测窃听,并且不会泄露任何秘密消息。分析表明,合法通信者在不用制备单独用来检测窃听的检测粒子情况下,不仅能够让协议的量子比特理论效率达到100%,而且可以确保其无条件安全。     

一种高效的量子秘密共享方案

利用量子安全直接通信和量子密集编码的思想,本文提出一个新的基于GHZ三重态的高效量子秘密共享(QSS)方案.利用量子相干性和一个公开的比特串K,Alice直接让Bob和Charlie共享其秘密消息,而不是首先与Bob和Charlie建立共享的联合密钥,再用联合密钥传输消息.该方案中平均消耗一个GHZ态可以共享两比特的经典信息.我们分别给出了无噪声信道和有噪声信道情形的安全性分析,并重点就量子直接秘密共享和量子安全直接通信之间的区别说明了协议中使用公开的K的必要性.     

向量空间接入结构上信息论安全的可验证秘密分享

可验证秘密分享在诸如对机密信息的安全保存与合法利用、密钥托管、面向群体的密码学、多 方安全计算、接入控制及电子商务等许多方面都有着广泛的应用。该文对向量空间接入结构上的可验证秘密分享进行了研究。提出了这类接入结构上的一个信息论安全的高效可验证秘密分享协议。新提出的协议不仅具有较高的信息速率,而且计算和通信代价都远远的低于已有的广义可验证秘密分享协议。     

一种云存储数据确定性删除方案（英文）

In order to provide a practicable solution to data confidentiality in cloud storage service,a data assured deletion scheme,which achieves the fine grained access control,hopping and sniffing attacks resistance,data dynamics and deduplication,is proposed.In our scheme,data blocks are encrypted by a two-level encryption approach,in which the control keys are generated from a key derivation tree,encrypted by an All-OrNothing algorithm and then distributed into DHT network after being partitioned by secret sharing.This guarantees that only authorized users can recover the control keys and then decrypt the outsourced data in an ownerspecified data lifetime.Besides confidentiality,data dynamics and deduplication are also achieved separately by adjustment of key derivation tree and convergent encryption.The analysis and experimental results show that our scheme can satisfy its security goal and perform the assured deletion with low cost.     

基于ECC的可公开验证的非交互式密钥共享方案

提出一种基于椭圆曲线加密的非交互式零知识证明协议,并基于该证明协议提出一个可公开验证的密钥共享方案.在该方案中,密钥和密钥份额被嵌入椭圆曲线的点上,任何人均可对密钥和密钥份额进行验证,只有合法参与者集合可恢复出密钥,但无法知道密钥的具体内容;这样有效阻止了攻击者窃取密钥,也防止了数据的误发和成员之间的欺诈,更有利于密钥的复制与更新.     

双重门限秘密共享方案

基于RSA密码体制、Shamir门限方案和哈希函数的安全性,设计了一种双重门限秘密共享方案。方案中,参与者只需维护一个秘密份额,可实现对多个秘密的共享。秘密份额由参与者确定和保管,秘密分发者也不知晓,秘密共享过程中,只需出示伪秘密份额。方案不需要维护安全信道,算法能够保证信息安全传送,以及验证参与者是否进行了欺骗。     

Cloud data secure deduplication scheme via role-based symmetric encryption

The rapid development of cloud computing and big data technology brings prople to enter the era of big data,more and more enterprises and individuals outsource their data to the cloud service providers.The explosive growth of data and data replicas as well as the increasing management overhead bring a big challenge to the cloud storage space.Meanwhile,some serious issues such as the privacy disclosure,authorized access,secure deduplication,rekeying and permission revocation should also be taken into account.In order to address these problems,a role-based symmetric encryption algorithm was proposed,which established a mapping relation between roles and role keys.Moreover,a secure deduplication scheme was proposed via role-based symmetric encryption to achieve both the privacy protection and the authorized deduplication under the hierarchical architecture in the cloud computing environment.Furthermore,in the proposed scheme,the group key agreement protocol was utilized to achieve rekeying and permission revocation.Finally,the security analysis shows that the proposed role-based symmetric encryption algorithm is provably secure under the standard model,and the deduplication scheme can meet the security requirements.The performance analysis and experimental results indicate that the proposed scheme is effective and efficient.