Similar literature
Found 20 similar documents; search took 31 ms
1.
In order to achieve fine-grained access control in cloud computing, existing digital rights management (DRM) schemes adopt attribute-based encryption as the main encryption primitive. However, these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud. In this paper, we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing. We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption. Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can recover the content encryption key and further decrypt the content. The attribute-based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users, and also enables the license server to implement immediate attribute and user revocation. Moreover, our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption, which allows the license server in the cloud to update the users' usage rights dynamically without disclosing the plaintext. Extensive analytical results indicate that our proposed scheme is secure and efficient.

2.
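To meet the needs of digital content security and user privacy protection in cloud computing environments, a digital rights protection scheme supporting privacy protection in cloud computing is proposed. A framework for full-lifecycle copyright protection of digital content and user privacy protection in cloud computing is designed, comprising four main protocols: system initialization, content encryption, license authorization, and content decryption. A content encryption key protection and distribution mechanism based on attribute-based encryption and additive homomorphic encryption is adopted to guarantee the security of the content encryption key. Users are allowed to anonymously order content from the cloud service provider and apply for authorization, which protects user privacy and prevents the cloud service provider, the authorization server, the key server, and others from collecting sensitive information such as users' usage habits. Compared with existing digital rights protection schemes for cloud computing, the scheme protects content security and user privacy while supporting flexible access control and both online and super-distribution application modes, making it practical in cloud computing environments.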

3.
With the popularity of cloud computing, how to securely authenticate a user while not releasing the user's sensitive information becomes a challenge. In this paper, we introduce a slight homomorphic signature, which is suitable for implementing an access controlling service in cloud computing. In slight homomorphic signature, each user in cloud computing who has a set of identity attributes first computes a full signature on all his identity attributes, and sends it to a semi-trusted access controlling server. The access controlling server verifies the full signature for all identity attributes. After that, if the user wants to request a cloud service, which may have a special requirement on one of the identity attributes, the user only needs to securely send the cloud service's name to the access controlling server. The access controlling server, which does not know the secret key, can compute a partial signature on this special identity attribute, and then sends it to the cloud server for authentication. In the paper, we give a formal security definition of this slight homomorphic signature, and construct a scheme from the Boneh–Boyen signature. We prove that our scheme is secure under the q-SDH problem with a weak adversary.

4.
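With the development of cloud computing and the arrival of the big data era, how to outsource computation on private data and effectively verify the results is of great practical significance. Based on multilinear maps and a homomorphic encryption scheme, a verifiable outsourced computation scheme for multivariate polynomials is proposed, with which the user can accurately verify the correctness of the outsourced result. The scheme is provably secure in the standard model, and both the polynomial function and the user's input are kept secret from the server. Analysis shows that the user's computation is far less than both the server's computation cost and the cost of evaluating the polynomial function directly.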

5.
辛丹  顾纯祥  郑永辉  光焱  康元基 《电子学报》2016,44(12):2887-2893
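Fully homomorphic encryption offers new approaches to difficult problems such as full-lifecycle data privacy protection in cloud computing. Large public key size is a common problem of existing fully homomorphic encryption schemes. This paper combines the idea of identity-based encryption with fully homomorphic encryption and, using the Ring Learning With Errors (RLWE) problem with the ring parameter m extended to an arbitrary positive integer, proposes an identity-based fully homomorphic encryption scheme. The scheme uses the user's identity as the public key, which gives it advantages in both computational efficiency and key management, and its security reduces, in the random oracle model, to the hardness assumption of the decisional RLWE problem.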

6.
In this paper, we propose a key management scheme which can provide delivery of the key used to encrypt a digital content from the package server to digital rights management (DRM) clients in a secure manner. The proposed scheme can protect digital content from attacks since an encrypted digital content is sent by a package server and only DRM clients can decrypt the encrypted digital content. It protects the key not only from purchasers but also among the other principals who manage the distribution and license servers.

7.
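To address copyright protection of multimedia content, a new digital rights management model for general-format multimedia is designed, comprising functional units for content encryption and packaging, key management, a security engine, license management and distribution, the DRM client, and DRM management. Through an unstructured encryption method, the model overcomes the limitations of content-format-based encryption and protects multimedia content of general formats. In addition, a license extraction code is used as the credential for downloading a license, which solves the problems of license reissue and transfer and supports fine-grained usage control. Based on this model, a multimedia DRM system based on fixed-mobile convergence services was implemented and applied in the digital consumption field. Experimental results and actual operation show that the scheme does not affect multimedia quality, has relatively high efficiency and security, and is practical for multimedia content copyright protection.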

8.
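From the perspective of data privacy, public cloud service providers are untrusted by users. To safeguard the confidentiality of user data, encryption techniques must be used to control access to hosted data in an open, interconnected environment such as cloud computing. This paper discusses the application of broadcast encryption and the CPK combined public key cryptosystem to access control in cloud computing, and introduces the main theoretical foundations of these two mechanisms: polynomial interpolation, multilinear maps, and the ECC compound theorem. The application of encryption techniques offers a line of research for securely storing and accessing sensitive data in untrusted spaces such as cloud computing.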

9.
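In cloud-based storage and deletion services, because ownership and management of outsourced data are separated, existing logical deletion mechanisms leave data in the cloud easily exposed to unauthorized users, and the cloud server may not even delete the data as the user requires. To this end, this paper proposes a fine-grained secure cloud data storage and deletion scheme. Ciphertext-policy attribute-based encryption is constructed over elliptic curves to achieve fine-grained access control of outsourced data, and blockchain is applied to achieve publicly verifiable secure data deletion. The scheme provides accountability traceability as well as two-party deletion and verifiability. Theoretical analysis and experimental results show that the scheme has good security and high performance and can meet the needs of cloud data sharing and secure deletion.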

10.
Cloud storage is gaining popularity as it relieves the data owners from the burden of data storage and maintenance cost. However, outsourcing data to third‐party cloud servers raises several concerns such as data availability, confidentiality, and integrity. Recently, regenerating codes have gained popularity because of their low repair bandwidth while ensuring data availability. In this paper, we propose a secure regenerating code‐based cloud storage (SRCCS) scheme, which utilizes the verifiable computation property of a homomorphic encryption scheme to check the integrity of outsourced data. In this work, an error‐correcting code (ECC)–based homomorphic encryption scheme (HES) is employed to simultaneously provide data privacy as well as error correction while supporting efficient integrity verification. In SRCCS, the server regeneration process is initiated on detection of data corruption events in order to ensure data availability. The ECC‐based HES significantly reduces the probability of server regeneration and minimizes the repair cost. Extensive theoretical analysis and simulation results validate the security, efficiency, and practicability of the proposed scheme.

11.
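A class of fully homomorphic encryption schemes built on the learning with errors problem has important potential applications in cloud computing security, but such schemes commonly suffer from large public key size, which seriously affects the efficiency of identity authentication and key management. Combining the idea of identity-based encryption with fully homomorphic encryption based on the learning with errors problem, an identity-based fully homomorphic encryption scheme is proposed that effectively overcomes the impact of public key size on the application efficiency of fully homomorphic encryption. In the random oracle model, the security of the scheme reduces to the hardness of the learning with errors problem and the one-wayness of trapdoor one-way functions, and a rigorous security proof is included.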

12.
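With the widespread adoption of cloud services such as cloud computing and cloud storage, privacy protection in cloud environments has become a focus of industry attention, and homomorphic cryptography has become a key means of addressing it; how to construct efficient fully homomorphic encryption schemes is one of the hot topics of homomorphic encryption research in recent years. First, this paper introduces the development of homomorphic cryptography, classifies and analyzes homomorphic encryption schemes from different perspectives, and focuses on research progress in verifiable fully homomorphic encryption schemes. Through an analysis of recent...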

13.
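In recent years, searchable encryption and attribute-based encryption with fine-grained access control have been widely used in cloud storage. Existing attribute-based searchable encryption schemes support only single-keyword search and do not support attribute revocation, and single-keyword search may return partially incorrect results and waste computation and bandwidth resources. This paper therefore proposes a verifiable multi-keyword searchable encryption scheme supporting attribute revocation. The scheme allows users to check the correctness of the cloud server's search results, supports revocation of user attributes within the fine-grained access control structure, and requires neither key updates nor ciphertext re-encryption during attribute revocation. The scheme is proved, in the random oracle model under the decisional linear assumption, to be secure against chosen keyword set attacks and to provide keyword privacy; theoretical and experimental analysis also verifies that the scheme has high computational and storage efficiency.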

14.
Secure service convergence based on scalable media coding (cited by: 1 in total, 0 self-citations, 1 by others)
In multimedia services, security and privacy issues such as content security and service protection urgently need to be solved. To solve these issues, some means have been proposed, such as conditional access and digital rights management. However, for the latest application scenarios in convergent networks, there is still no solution. This paper focuses on convergent multimedia broadcasting applications: the multimedia content, e.g., a TV program, is encoded and packaged by the content provider, and is then transmitted to users through different communication networks, e.g., 3G network, DVB-H, ADSL, etc. Thus, the same multimedia content will be used for various services, i.e., mobile TV, Internet TV and home TV. Since different network channels support different bandwidths, the multimedia content should be transcoded before being transmitted through the networks. To protect the content and service in this application, we propose content and service protection methods. In content protection, the content provider encrypts the scalable multimedia content in the manner denoted by the Encryption Flag. The content distributor has no decryption keys, but can transcode the scalable content in the manner denoted by the Layer Flag, and transmit the transcoded content to users. In service protection, the content provider combines the encryption key, the Encryption Flag and the user right information, and transmits them, independently of the encrypted content, to certified users. At the user side, the content is decrypted with the received key according to the Encryption Flag and Layer Flag. Thus, the content provider needs to encrypt the content only once, and the content can then be transcoded by the content distributor in a secure manner and used for various networks. Additionally, the user rights need not be changed when the service network is changed. Overall, the proposed scheme is secure and efficient for service convergence.

15.
郭晓霞 《电视技术》2015,39(8):25-30
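Dynamic adaptive streaming over HTTP, which delivers video services to a variety of smart terminals, is currently the mainstream model for Internet video services, and content encryption and packaging is one of the key technologies for digital rights protection of Internet video. The packaging and encryption methods of mainstream Internet video formats are analyzed, and a video content encryption scheme based on the network abstraction layer is proposed, providing technical support for Internet video service providers to protect video content.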

16.
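Most searchable encryption schemes support search only over a single keyword set, and data users cannot quickly judge the validity of ciphertexts returned by the cloud server; moreover, since the cloud server has strong computing power, it may guess keywords, and the identity of the data user is not verified. To address these problems, this paper proposes an authorized multi-keyword searchable encryption scheme that verifies the data user's identity and resists keyword guessing. In the scheme, the data user and the data owner grant authorization to the authorization server, which thereby verifies whether the data user is a legitimate user; if verification passes, the authorization server uses the authorization information to help the data user check the validity of the ciphertexts returned by the cloud server. The data user generates the trapdoor search credential for keywords using the server's public key and pseudo-keywords, which ensures keyword indistinguishability. In addition, when encrypting, the data owner uses the public keys of the cloud server, the authorization server, and the data user, which prevents collusion attacks. Finally, the security of the proposed scheme is proved in the random oracle model, and simulation experiments verify that the scheme is efficient in a multi-keyword setting.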

17.
孙中化  王冕 《电子技术》2014,(12):17-19
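To address the security problems of cloud computing, this article proposes a fully homomorphic encryption scheme and a data retrieval algorithm based on it, which both ensures the security of user data and allows the server to search stored user ciphertexts directly, providing a good solution for information security and data processing in cloud systems.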

18.
丛鑫  双锴  苏森  杨放春  訾玲玲 《通信学报》2014,35(5):22-174
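With the rapid development of cloud computing and big data processing, homomorphic encryption and secure multi-party computation have attracted wide attention. The homomorphic properties of ElGamal are analyzed and, to meet protocol design needs, a variant ElGamal encryption scheme is designed that satisfies additive homomorphism and constant-multiplication homomorphism. In the semi-honest model, a protocol for homomorphically computing the equation of a line through private points is proposed based on this variant; its correctness, security, and computation and communication complexity are analyzed, and its range of application is extended to, among others, a secure two-party line segment intersection protocol. Compared with protocols for similar geometric problems, this work does not follow designs based on oblivious transfer and the millionaires' protocol but proposes a secure two-party computation protocol based on a homomorphic cryptosystem, which improves the execution efficiency of this class of protocols and reduces the communication burden.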

19.
王树兰  喻建平  张鹏  王廷 《信号处理》2015,31(10):1224-1232
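Ciphertext-policy attribute-based encryption is the best choice for implementing secure access control schemes on cloud platforms. However, in most ciphertext-policy attribute-based encryption schemes, the user's key length is linear in the number of attributes, and the user's decryption time is proportional to the complexity of the access structure. To reduce the user's key storage and decryption computation overhead, this paper proposes a compact outsourced access control scheme for cloud computing platforms. The access structure in the scheme supports three kinds of policies: AND, OR, and threshold. Using only simple hash and XOR operations, it can verify whether the data returned by outsourced decryption is correct. In the random oracle model, the scheme is proved secure against chosen-ciphertext attacks based on the aMSE-DDH problem. Analysis shows that the scheme can securely implement access control in cloud computing environments, especially when the user's terminal device is resource-constrained.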

20.
Cloud computing gives clients the convenience of outsourcing data calculations. However, it also brings the risk of privacy leakage, and datasets that process industrial IoT information have a high computational cost for clients. To address these problems, this paper proposes a secure grid-based density peaks clustering algorithm for a hybrid cloud environment. First, the client utilizes the homomorphic encryption algorithm to construct encrypted objects with client dataset. Second, the client uploads the encrypted data to the cloud servers to implement our security protocol. Finally, the cloud servers return the clustering results with the disturbance to the client. The experimental results on the UCI datasets and the smart power grid dataset reveal that the secure algorithm presented in this paper can improve upon the precision and efficiency of other clustering algorithms while also preserving user privacy. Moreover, it only performs encryption and removes the disturbance operation on the client, so that the client has lower computational complexity. Therefore, the secure clustering scheme proposed in this paper is applicable to industrial IoT big data and has high security and scalability.
