Achieving fully privacy-preserving private range queries over outsourced cloud data

With the prevalence of cloud computing, data owners are motivated to outsource their databases to the cloud server. However, to preserve data privacy, sensitive private data have to be encrypted before outsourcing, which makes data utilization a very challenging task. Existing work either focus on keyword searches and single-dimensional range query, or suffer from inadequate security guarantees and inefficiency. In this paper, we consider the problem of multidimensional private range queries over encrypted cloud data. To solve the problem, we systematically establish a set of privacy requirements for multidimensional private range queries, and propose a multidimensional private range query (MPRQ) framework based on private block retrieval (PBR), in which data owners keep the query private from the cloud server. To achieve both efficiency and privacy goals, we present an efficient and fully privacy-preserving private range query (PPRQ) protocol by using batch codes and multiplication avoiding technique. To our best knowledge, PPRQ is the first to protect the query, access pattern and single-dimensional privacy simultaneously while achieving efficient range queries. Moreover, PPRQ is secure in the sense of cryptography against semi-honest adversaries. Experiments on real-world datasets show that the computation and communication overhead of PPRQ is modest.     

透明计算系统中基于BitMap的共享镜像存储管理

透明计算是一种将操作系统、应用程序和用户数据都作为资源存储在服务器端,资源以流块的方式调度到客户端执行的计算模式。针对透明计算系统中透明服务器端多用户的操作系统及应用程序资源冗余问题,设计并实现了一种基于BitMap的共享镜像存储管理方法BM-SISMS,该方法采用链式存储方法将系统数据和用户数据分离开来,多用户通过链式结构共享系统镜像,根据BitMap存储方法查找定位用户请求的各种资源。测试结果表明BM-SISMS方法能够完成多个客户端请求的实例操作系统加载和使用,在数据读写方面,BM-SISMS方法读数据速度约11.05 MB/s,写数据速度为4.01 MB/s,具有很高的性能,能够满足透明计算系统中镜像存储管理的需求。     

POPS: an off-peak precomputing scheme for privacy-preserving computing

Emerging privacy-preserving technologies help protect sensitive data during application executions. Recently, the secure two-party computing (TPC) scheme has demonstrated its potential, especially for the secure model inference of a deep learning application by protecting both the user input data and the model parameters. Nevertheless, existing TPC protocols incur excessive communications during the program execution, which lengthens the execution time. In this work, we propose the precomputing scheme, POPS, to address the problem, which is done by shifting the required communications from during the execution to the time prior to the execution. Particular, the multiplication triple generation is computed beforehand with POPS to remove the overhead at runtime. We have analyzed the TPC protocols to ensure that the precomputing scheme conforms the existing secure protocols. Our results show that POPS takes a step forward in the secure inference by delivering up to \(20\times \) and \(5\times \) speedups against the prior work for the microbenchmark and the convolutional neural network experiments, respectively.

     

Lattice based signature with outsourced revocation for Multimedia Social Networks in cloud computing

Multimedia Tools and Applications - Identity-based signature schemes enable any pair of users to communicate securely and to verify each other’s identity without exchanging private or public...     

容错云计算网络中自适应故障检测方案研究

当前大多数故障检测(FD)技术无法针对动态网络条件自动调整它们的检测服务参数,导致无法应用于实际环境中。针对容错云计算网络中的故障检测特性进行研究,提出了一种通用的容错云计算网络自适应故障检测(SFD)算法;基于上述通用算法,对当前故障检测器进行优化,提出了一种自适应累积型故障检测器,并对SFD算法的部署进行了研究。基于七种典型的广域网案例,比较评估了该故障检测算法与当前其他算法的性能。实验结果表明,该算法可以实现故障的自适应检测,满足用户需求,拥有较高的系统性能。     

CP2EH: a comprehensive privacy-preserving e-health scheme over cloud

The Journal of Supercomputing - In the Attribute-Based Encryption (ABE) scheme, patients encrypt their electronic health record (EHR), attach the appropriate attributes with it, and outsource them...     

基于访问控制安全高效的多用户外包图像检索方案

由于公有云不是可信的实体,通过公有云提供图像检索服务时,它可能会窃取图像数据的敏感信息。近年来,密文图像检索方法被提出,用于保护图像隐私。然而,传统的隐私保护图像检索方案搜索效率较低,且无法支持多用户场景。因此,提出一种基于访问控制安全高效的多用户外包图像检索方案。该方案采用一次一密和矩阵变换方法,实现基于欧几里得距离（简称欧氏距离）相似性的密文图像检索,并利用矩阵分解和代理重加密,实现多用户外包图像检索。采用局部敏感哈希算法构建索引,提高密文图像检索效率。特别地,提出一种基于角色多项式函数的轻量级访问控制策略,该策略能够灵活设定图像访问权限,防止恶意用户窃取隐私信息。安全性分析论证了所提方案能够保护图像和查询请求的机密性;实验结果表明所提方案能够达到高效的图像检索。     

An energy efficient privacy-preserving content sharing scheme in mobile social networks

The rising popularity of mobile social media enables personalization of various content sharing and subscribing services. These two types of services entail serious privacy concerns not only to the confidentiality of shared content, but also to the privacy of end users such as their identities, interests and social relationships. Previous works established on the attribute-based encryption (ABE) can provide fine-grained access control of content. However, practical privacy-preserving content sharing in mobile social networks either incurs great risk of information leaking to unauthorized third parties or suffers from high energy consumption for decrypting privacy-preserving content. Motivated by these issues, this paper proposes a publish–subscribe system with secure proxy decryption (PSSPD) in mobile social networks. First, an effective self-contained privacy-preserving access control method is introduced to protect the confidentiality of the content and the credentials of users. This method is based on ciphertext-policy ABE and public-key encryption with keyword search. After that, a secure proxy decryption mechanism is proposed to reduce the heavy burdens of energy consumption on performing ciphertext decryption at end users. The experimental results demonstrate the efficiency and privacy preservation effectiveness of PSSPD.     

Secure and efficient privacy-preserving public auditing scheme for cloud storage

Cloud computing poses many challenges on integrity and privacy of users’ data though it brings an easy, cost-effective and reliable way of data management. Hence, secure and efficient methods are needed to ensure integrity and privacy of data stored at the cloud. Wang et al. proposed a privacy-preserving public auditing protocol in 2010 but it is seriously insecure. Their scheme is vulnerable to attacks from malicious cloud server and outside attackers regarding to storage correctness. So they proposed a scheme in 2011 with an improved security guarantee but it is not efficient. Thus, in this paper, we proposed a scheme which is secure and with better efficiency. It is a public auditing scheme with third party auditor (TPA), who performs data auditing on behalf of user(s). With detail security analysis, our scheme is proved secure in the random oracle model and our performance analysis shows the scheme is efficient.     

可验证图像秘密共享方案*

提出了一种可验证的图像秘密共享方案.由于秘密份额由参与者自己选取,该方案可防止原始图像持有者和参与者的欺诈;不需要安全信道,降低了系统代价;影子图像小于原始图像,且参与者的秘密份额可以重用.在不可能存在安全信道的系统中该方案可以得到广泛应用.     

A secure data sharing scheme with cheating detection based on Chaum-Pedersen protocol for cloud storage

Frontiers of Information Technology & Electronic Engineering - With the development of cloud computing technology, data can be outsourced to the cloud and conveniently shared among users....     

An adaptive resource management scheme in cloud computing

There are various significant issues in resource allocation, such as maximum computing performance and green computing, which have attracted researchers’ attention recently. Therefore, how to accomplish tasks with the lowest cost has become an important issue, especially considering the rate at which the resources on the Earth are being used. The goal of this research is to design a sub-optimal resource allocation system in a cloud computing environment. A prediction mechanism is realized by using support vector regressions (SVRs) to estimate the number of resource utilization according to the SLA of each process, and the resources are redistributed based on the current status of all virtual machines installed in physical machines. Notably, a resource dispatch mechanism using genetic algorithms (GAs) is proposed in this study to determine the reallocation of resources. The experimental results show that the proposed scheme achieves an effective configuration via reaching an agreement between the utilization of resources within physical machines monitored by a physical machine monitor and service level agreements (SLA) between virtual machines operators and a cloud services provider. In addition, our proposed mechanism can fully utilize hardware resources and maintain desirable performance in the cloud environment.     

移动云计算中基于身份的轻量级加密方案

针对移动云计算中数据安全和移动用户的隐私保护问题,结合在线离线和外包解密技术,对基于身份加密机制（IBE）中加密和解密算法进行扩展,提出了一种可外包解密的基于身份在线离线加密方案,并证明其安全性,构造出适合于移动云计算环境中轻量级设备保护隐私数据的方案。为了减少移动终端运行IBE的加密和解密开销,利用在线离线技术将IBE的加密分解为离线和在线两个阶段,使得移动设备仅需执行少量简单计算即可生成密文;在此基础上,利用外包解密技术,修改IBE的密钥生成算法和解密算法,增加一个密文转化算法,将解密的大部分复杂计算外包给云服务器,移动设备仅计算一个幂乘运算即可获得明文。与现有IBE方案的性能相比,该方案具有较少的加解密开销,适合于轻量级移动设备。     

可验证的隐私保护k-means聚类方案

针对现有云外包隐私保护k-means聚类方案存在的效率不高,以及当云服务器不可信或遭受黑客攻击时返回不合理聚类结果的问题,提出了一种可应用于多方隐私保护场景的云外包可验证隐私保护k-means聚类方案.首先,提出了一种适用于云外包场景的改进的聚类初始化方法,从而有效提高算法的迭代效率;然后,利用乘法三元组技术来设计安全...     

Reversible secret image sharing scheme in encrypted images

The previous secret image sharing schemes did not provide a copyright and privacy for cover images. The reason is that a dealer selects a cover image by itself and embeds directly the secret data into the cover image. In this paper, a reversible secret image sharing scheme in encrypted images is proposed in order to provide the copyright and privacy of the cover image. We divide a role of the dealer into an image provider and a data hider. The image provider encrypts the cover image and transmits the encrypted image to the data hider, and the standard stream cipher as one-time pad (OTP) with a random secret key is used. The data hider embeds the secret data into the encrypted image, and the encrypted shadow images are transmitted to the corresponding participant. We utilize the polynomial arithmetic operation over GF(2⁸) during the sharing of the encrypted shadow images, and the coefficient of the highest-order term is fixed to one in order to prevent the overflow and the security problem. In the reconstruction procedure, the secret data can be extracted and the cover image can be reconstructed exactly from t or more encrypted shadow images with Lagrange interpolation. In experimental results, the proposed method shows that the PSNR is sustained close to 44 dB regardless of the embedding capacity, where the embedding capacity is 524,288 bits on average.     

云中面向图像并行计算的数据分布策略

有效地减少云计算系统中对计算任务的处理响应时间,并使各计算机节点负载均衡,数据分布算法是相当重要的.提出了一种面向图像并行计算的适用于主从类型云计算系统结构的数据分布策略,设计节点性能函数来表示节点的处理能力,根据节点间的性能比率进行任务数据量的分布,结合链路带宽制定数据发送的顺序.模拟实验结果表明,该算法适用于云计算环境,能明显提高系统的数据处理效率.     

云计算中的标准模型下基于证书混合加密方案

随着云计算的快速发展,数据安全已成为云安全的一个关键问题,尤其是云中存储和传输的数据量巨大,对安全性要求较高。另一方面,基于证书密码体制克服了传统公钥密码体制的证书管理问题及基于身份密码体制的密钥托管问题,为构造安全高效的PKI提供了新的方法,但现有基于证书加密方案大都采用双线性对构造,计算效率较低。针对云计算环境,基于判定性缩减Diffie-Hellman难题,提出了一个不含对运算的基于证书混合加密方案,分析了安全性和效率。该方案是建立在密钥封装算法、对称加密算法、消息认证码算法基础上的一次一密型加密方案。分析表明,该方案在标准模型下可以抵抗适应性选择密文攻击,计算效率较高,适合于对云计算中安全性要求较高的长消息的加密。     

An identity authentication scheme based on cloud computing environment

In order to solve the shortcomings of traditional identity authentication technology, such as low security, low efficiency, a mobile terminal identity authentication scheme based on cloud computing environment is proposed in this paper. In addition, the two-dimensional code technology is used for identity authentication in the cloud computing environment, and the QR coding technology is also used. The dynamic authentication of the mobile terminal is realized by using the two-dimensional code as the information transmission carrier. According to the security analysis, the scheme has simple structure and no need to use the third party equipment, which has high security and adaptability. Finally, the two fusion of two-dimensional code proposed in this paper provides a new way of thinking for the identity authentication based on the cloud environment, and also promotes the development of the Internet of things.     

Incremental proxy re-encryption scheme for mobile cloud computing environment

Due to the limited computational capability of mobile devices, the research organization and academia are working on computationally secure schemes that have capability for offloading the computational intensive data access operations on the cloud/trusted entity for execution. Most of the existing security schemes, such as proxy re-encryption, manager-based re-encryption, and cloud-based re-encryption, are based on El-Gamal cryptosystem for offloading the computational intensive data access operation on the cloud/trusted entity. However, the resource hungry pairing-based cryptographic operations, such as encryption and decryption, are executed using the limited computational power of mobile device. Similarly, if the data owner wants to modify the encrypted file uploaded on the cloud storage, after modification the data owner must encrypt and upload the entire file on the cloud storage without considering the altered portion(s) of the file. In this paper, we have proposed an incremental version of proxy re-encryption scheme for improving the file modification operation and compared with the original version of the proxy re-encryption scheme on the basis of turnaround time, energy consumption, CPU utilization, and memory consumption while executing the security operations on mobile device. The incremental version of proxy re-encryption scheme shows significant improvement in results while performing file modification operations using limited processing capability of mobile devices.