云计算环境中支持隐私保护的数字版权保护方案简

针对云计算环境中数字内容安全和用户隐私保护的需求,提出了一种云计算环境中支持隐私保护的数字版权保护方案。设计了云计算环境中数字内容版权全生命周期保护和用户隐私保护的框架,包括系统初始化、内容加密、许可授权和内容解密4个主要协议;采用基于属性基加密和加法同态加密算法的内容加密密钥保护和分发机制,保证内容加密密钥的安全性;允许用户匿名向云服务提供商订购内容和申请授权,保护用户的隐私,并且防止云服务提供商、授权服务器和密钥服务器等收集用户使用习惯等敏感信息。与现有的云计算环境中数字版权保护方案相比,该方案在保护内容安全和用户隐私的同时,支持灵活的访问控制,并且支持在线和超级分发应用模式,在云计算环境中具有较好的实用性。     

云计算平台下基于属性加密的动态版权使用控制方案（英文）

In order to achieve fine-grained access control in cloud computing,existing digital rights management(DRM) schemes adopt attribute-based encryption as the main encryption primitive.However,these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud.In this paper,we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing.We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption.Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content.The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users,and also enables the license server to implement immediate attribute and user revocation.Moreover,our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption,which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext.Extensive analytical results indicate that our proposed scheme is secure and efficient.     

Multi-authority attribute-based encryption with efficient revocation

Multi-authority attribute-based encryption was very suitable for data access control in a cloud storage environment.However,efficient user revocation in multi-authority attribute-based encryption remains a challenging problem that prevents it from practical applications.A multi-authority ciphertext-policy attribute-based encryption scheme with efficient revocation was proposed in prime order bilinear groups,and was further proved statically secure and revocable in the random oracle model.Extensive efficiency analysis results indicate that the proposed scheme significantly reduce the computation cost for the users.In addition,the proposed scheme supports large universe and any monotone access structures,which makes it more flexible for practical applications.     

Attribute-based encryption scheme supporting attribute revocation in cloud storage environment

Attribute-based encryption (ABE) scheme is widely used in the cloud storage due to its fine-grained access control.Each attribute in ABE may be shared by multiple users at the same time.Therefore,how to achieve attribute-level user revocation is currently facing an important challenge.Through research,it has been found that some attribute-level user revocation schemes currently can’t resist the collusion attack between the revoked user and the existing user.To solve this problem,an attribute-based encryption scheme that supported the immediate attribute revocation was proposed.The scheme could achieve attribute-level user revocation and could effectively resist collusion attacks between the revoked users and the existing users.At the same time,this scheme outsourced complex decryption calculations to cloud service providers with powerful computing ability,which reduced the computational burden of the data user.The scheme was proved secure based on computational Diffie-Hellman assumption in the standard model.Finally,the functionality and efficiency of the proposed scheme were analyzed and verified.The experimental results show that the proposed scheme can safely implement attribute-level user revocation and has the ability to quickly decrypt,which greatly improves the system efficiency.     

基于半监督学习的社交网络用户属性预测

研究如何利用社交关系推测用户的隐藏属性(私隐信息),采用基于图的半监督学习方法推测用户属性。为了提高预测的准确率,提出利用属性聚集度评价属性推测的难易程度,并依用户节点标记的不同,设计不同的权重公式计算用户之间的关系强度。以“人人网”数据作为实验数据,对用户的兴趣与毕业学校进行预测,验证了方法的有效性。     

MACPABE: Multi-Authority-based CP-ABE with efficient attribute revocation for IoT-enabled healthcare infrastructure

The Internet of Things (IoT) technology along with cloud computing has gained much attention in recent years for its potential to upgrade conventional healthcare systems. Outsourcing healthcare data to a cloud environment from IoT devices is very essential as IoT devices are lightweight. To maintain confidentiality and to achieve fine-grained access control, the ciphertext policy attribute-based encryption (CP-ABE) technique is utilized very often in an IoT-based healthcare system for encrypting patients' healthcare data. However, an attribute revocation may affect the other users with the same attribute set, as well as the entire system due to its security concerns. This paper proposes a novel CP-ABE-based fine-grained access control scheme to solve the attribute revocation problem. The proposed technique includes multiple attribute authorities to reduce the work overhead of having a single authority in the traditional CP-ABE systems. In addition, the proposed scheme outsources the decryption process to a decryption assistant entity to reduce the decryption overhead of the end-users. To prove the efficiency of the proposed scheme, both formal security analysis and performance comparisons are presented in this paper. Results and discussion prove the effectiveness of the proposed scheme over some well-known schemes.     

Attribute-Based Access Control with Efficient and Secure Attribute Revocation for Cloud Data Sharing Service

Nowadays, there is the tendency to outsource data to cloud storage servers for data sharing purposes. In fact, this makes access control for the outsourced data a challenging issue. Ciphertext-policy attribute-based encryption (CP-ABE) is a promising cryptographic solution for this challenge. It gives the data owner (DO) direct control on access policy and enforces the access policy cryptographically. However, the practical application of CP-ABE in the data sharing service also has its own inherent challenge with regard to attribute revocation. To address this challenge, we proposed an attribute-revocable CP-ABE scheme by taking advantages of the over-encryption mechanism and CP-ABE scheme and by considering the semi-trusted cloud service provider (CSP) that participates in decryption processes to issue decryption tokens for authorized users. We further presented the security and performance analysis in order to assess the effectiveness of the scheme. As compared with the existing attribute-revocable CP-ABE schemes, our attribute-revocable scheme is reasonably efficient and more secure to enable attribute-based access control over the outsourced data in the cloud data sharing service.     

Cloud data secure deduplication scheme via role-based symmetric encryption

The rapid development of cloud computing and big data technology brings prople to enter the era of big data,more and more enterprises and individuals outsource their data to the cloud service providers.The explosive growth of data and data replicas as well as the increasing management overhead bring a big challenge to the cloud storage space.Meanwhile,some serious issues such as the privacy disclosure,authorized access,secure deduplication,rekeying and permission revocation should also be taken into account.In order to address these problems,a role-based symmetric encryption algorithm was proposed,which established a mapping relation between roles and role keys.Moreover,a secure deduplication scheme was proposed via role-based symmetric encryption to achieve both the privacy protection and the authorized deduplication under the hierarchical architecture in the cloud computing environment.Furthermore,in the proposed scheme,the group key agreement protocol was utilized to achieve rekeying and permission revocation.Finally,the security analysis shows that the proposed role-based symmetric encryption algorithm is provably secure under the standard model,and the deduplication scheme can meet the security requirements.The performance analysis and experimental results indicate that the proposed scheme is effective and efficient.     

云存储环境下无密钥托管可撤销属性基加密方案研究

属性基加密因其细粒度访问控制在云存储中得到广泛应用。但原始属性基加密方案存在密钥托管和属性撤销问题。为解决上述问题,该文提出一种密文策略的属性基加密方案。该方案中属性权威与中央控制通过安全两方计算技术构建无密钥托管密钥分发协议解决密钥托管问题。通过更新属性版本密钥的方式达到属性级用户撤销,同时通过中央控制可以实现系统级用户撤销。为减少用户解密过程的计算负担,将解密运算过程中复杂对运算外包给云服务商,提高解密效率。该文基于q-Parallel BDHE假设在随机预言机模型下对方案进行了选择访问结构明文攻击的安全性证明。最后从理论和实验两方面对所提方案的效率与功能性进行了分析。实验结果表明所提方案无密钥托管问题,且具有较高系统效率。     

支持属性撤销的可验证多关键词搜索加密方案

近年来,可搜索加密技术及细粒度访问控制的属性加密在云存储环境下得到广泛应用。考虑到现存的基于属性的可搜索加密方案存在仅支持单关键词搜索而不支持属性撤销的问题,以及单关键词搜索可能造成返回搜索结果部分错误并导致计算和宽带资源浪费的缺陷,该文提出一种支持属性撤销的可验证多关键词搜索加密方案。该方案允许用户检测云服务器搜索结果的正确性,同时在细粒度访问控制结构中支持用户属性的撤销,且在属性撤销过程中不需要更新密钥和重加密密文。该文在随机预言机模型下基于判定性线性假设被证明具有抵抗选择关键词集攻击安全性及关键词隐私性,同时从理论和实验两方面分析验证了该方案具有较高的计算效率与存储效率。     

k-times attribute-based authentication scheme using direct anonymous attestation

s: At present, the main drawbacks of existing k-times attribute-based authentication (abbreviated to k-TABA) schemes and related attribute-based authentication schemes are that the computation cost of the authentication process depends on the size of the access formula and none of these schemes considers the problems of member revocation and attribute update. A new k-TABA scheme was constructed based on the building blocks of direct anonymous attestation, set membership proof and ciphertext-policy attribute-based encryption. Moreover, in order to reduce user's calculation as much as possible, the underlying attribute-based encryption scheme was modified, and then the main decryption operations were outsourced by using the key binding technique of Green et al. The new scheme can be deployed on a trusted platform and support expressive authentication policies. In addition, it also satisfies several ideal properties, such as registration process verifiability, member revocation, attribute update, and so on. The significant performance advantage of the new scheme is that the computation overhead of the user in the authentication phase is constant.     

快速解密的自适应安全KP-ABE方案

已有的自适应安全ABE(attribute-based encryption)方案的解密开销随着解密时用到的属性数量呈线性增长。针对该问题,提出了一种快速解密的自适应安全key-policy ABE(FKP-ABE)方案,在合数阶群上构造,支持任意可以表达为线性秘密分享体制(LSSS, linear secret sharing schemes)的单调访问策略,将解密开销降为常数级,并在标准模型下证明该方案是自适应安全的。     

Fine-grained data access control for distributed sensor networks

Distributed sensor networks are becoming a robust solution that allows users to directly access data generated by individual sensors. In many practical scenarios, fine-grained access control is a pivotal security requirement to enhance usability and protect sensitive sensor information from unauthorized access. Recently, there have been proposed many schemes to adapt public key cryptosystems into sensor systems consisting of high-end sensor nodes in order to enforce security policy efficiently. However, the drawback of these approaches is that the complexity of computation increases linear to the expressiveness of the access policy. Key-policy attribute-based encryption is a promising cryptographic solution to enforce fine-grained access policies on the sensor data. However, the problem of applying it to distributed sensor networks introduces several challenges with regard to the attribute and user revocation. In this paper, we propose an access control scheme using KP-ABE with efficient attribute and user revocation capability for distributed sensor networks that are composed of high-end sensor devices. They can be achieved by the proxy encryption mechanism which takes advantage of attribute-based encryption and selective group key distribution. The analysis results indicate that the proposed scheme achieves efficient user access control while requiring the same computation overhead at each sensor as the previous schemes.     

具有隐私保护的细粒度智能家居远程数据安全更新方案

针对现存智能家居软件更新方案中存在的粗粒度访问控制、单点服务失效、用户解密效率低下等问题,该文提出一种具有隐私保护的细粒度智能家居远程数据安全更新方案。该方案通过属性基加密技术实现了细粒度访问控制,并结合区块链和星际文件系统(IPFS)技术对数据进行存储。通过对访问策略进行隐藏,构造出一种策略隐藏的密文策略基于属性加密(CP-ABE)算法,进一步保护了用户的隐私。此外,通过设计面向轻量级用户的外包解密算法,所提方案有效减轻了轻量级用户的计算负担,并结合区块链和智能合约技术实现了外包解密过程的公平支付。最后,基于判定的双线性迪菲赫尔曼 (DBDH)假设,证明了所提方案是选择明文攻击下的不可区分 (IND-CPA)安全的。仿真实验结果表明,所提方案与现有方案相比终端用户解密成本和通信开销明显降低。     

基于属性加密的高效密文去重和审计方案

针对当前支持去重的属性加密方案既不支持云存储数据审计,又不支持过期用户撤销,且去重搜索和用户解密效率较低的问题,该文提出一种支持高效去重和审计的属性加密方案。该方案引入了第3方审计者对云存储数据的完整性进行检验,利用代理辅助用户撤销机制对过期用户进行撤销,又提出高效去重搜索树技术来提高去重搜索效率,并通过代理解密机制辅助用户解密。安全性分析表明该方案通过采用混合云架构,在公有云达到IND-CPA安全性,在私有云达到PRV-CDA安全性。性能分析表明该方案的去重搜索效率更高,用户的解密计算量较小。     

基于区块链且支持验证的属性基搜索加密方案

针对一对多搜索模型下共享解密密钥缺乏细粒度访问控制且搜索结果缺乏正确性验证的问题,提出了一种基于区块链且支持验证的属性基搜索加密方案。通过对共享密钥采用密文策略属性加密机制,实现细粒度访问控制。结合以太坊区块链技术,解决半诚实且好奇的云服务器模型下返回搜索结果不正确的问题,在按需付费的云环境下,实现用户和云服务器之间服务-支付公平,使各方诚实地按照合约规则执行。另外,依据区块链的不可篡改性,保证云服务器得到服务费,用户得到正确的检索结果,而不需要额外验证,减少用户计算开销。安全性分析表明,所提方案满足自适应选择关键词语义安全,能很好地保护用户的隐私以及数据的安全。性能对比及实验结果表明,所提方案在安全索引产生、搜索令牌生成、检索效率以及交易数量方面有一定的优化,更加适用于智慧医疗等一对多搜索场景。     

具有两个可撤销属性列表的密钥策略的属性加密方案

可撤销的属性加密方案是属性加密方案的延伸和扩展。该文构造了细粒度属性撤销下的具有两个可撤销属性列表的密钥策略的属性加密方案,该方案是对含有单个属性撤销列表方案的推广,新方案涉及两个属性撤销列表,允许两个列表中被撤销用户存在交集或者无关,同时利用追踪算法,判定了用户与私钥的关联性。在选择安全模型下证明了方案的安全性,将方案的安全性规约到求解判定性双线性Diffie-Hellman 指数问题上。     

具有隐私保护的完整性可验证的关键字搜索方案

针对传统基于属性关键字搜索(ABKS)方案存在访问结构泄密、用户侧计算量高及缺乏完整性验证问题,该文提出具有隐私保护和完整性可验证的基于属性的关键字搜索方案。该方案提出了有序多值属性访问结构和有序多值属性集,固定每个属性的位置,减少参数及相关计算,提高了方案的效率,而在密钥生成时计算具体属性取值的哈希值,从而达到区别多值属性取值的不同。同时,采用Hash和对运算实现对访问结构的隐藏,防止访问结构泄密;采用倒序索引结构和Merkle树建立数据认证树,可验证云服务器返回文档和外包解密结果的正确性。此外,支持外包解密以降低用户侧的计算量。安全分析和实验表明所提方案实现云中共享数据的可验证性、关键字不可区分性和关键字不可链接性,且是高效的。     

Secure and privacy-preserving DRM scheme using homomorphic encryption in cloud computing

Cloud computing provides a convenient way of content trading and sharing. In this paper, we propose a secure and privacy-preserving digital rights management （DRM） scheme using homomorphic encryption in cloud computing. We present an efficient digital rights management framework in cloud computing, which allows content provider to outsource encrypted contents to centralized content server and allows user to consume contents with the license issued by license server. Further, we provide a secure content key distribution scheme based on additive homomorphic probabilistic public key encryption and proxy re-encryption. The provided scheme prevents malicious employees of license server from issuing the license to unauthorized user. In addition, we achieve privacy preserving by allowing users to stay anonymous towards the key server and service provider. The analysis and comparison results indicate that the proposed scheme has high efficiency and security.     

Multiuser access control searchable privacy‐preserving scheme in cloud storage

Searchable encryption scheme‐based ciphertext‐policy attribute‐based encryption (CP‐ABE) is a effective scheme for providing multiuser to search over the encrypted data on cloud storage environment. However, most of the existing search schemes lack the privacy protection of the data owner and have higher computation time cost. In this paper, we propose a multiuser access control searchable privacy‐preserving scheme in cloud storage. First, the data owner only encrypts the data file and sets the access control list of multiuser and multiattribute for search data file. And the computing operation, which generates the attribute keys of the users' access control and the keyword index, is given trusted third party to perform for reducing the computation time of the data owner. Second, using CP‐ABE scheme, trusted third party embeds the users' access control attributes into their attribute keys. Only when those embedded attributes satisfy the access control list, the ciphertext can be decrypted accordingly. Finally, when the user searches data file, the keyword trap door is no longer generated by the user, and it is handed to the proxy server to finish. Also, the ciphertext is predecrypted by the proxy sever before the user performs decryption. In this way, the flaw of the client's limited computation resource can be solved. Security analysis results show that this scheme has the data privacy, the privacy of the search process, and the collusion‐resistance attack, and experimental results demonstrate that the proposed scheme can effectively reduce the computation time of the data owner and the users.