
Accepted Manuscript

SECO: Secure and Scalable Data Collaboration Services in Cloud Computing

Xin Dong, Jiadi Yu, Yanmin Zhu, Yingying Chen, Yuan Luo, Minglu Li

PII: S0167-4048(15)00004-8
DOI: 10.1016/j.cose.2015.01.003
Reference: COSE 869

To appear in: Computers & Security

Received Date: 3 April 2014


Revised Date: 21 November 2014
Accepted Date: 12 January 2015

Please cite this article as: Dong X, Yu J, Zhu Y, Chen Y, Luo Y, Li M, SECO: Secure and Scalable Data Collaboration Services in Cloud Computing, Computers & Security (2015), doi: 10.1016/j.cose.2015.01.003.

This is a PDF file of an unedited manuscript that has been accepted for publication. As a service to
our customers we are providing this early version of the manuscript. The manuscript will undergo
copyediting, typesetting, and review of the resulting proof before it is published in its final form. Please
note that during the production process errors may be discovered which could affect the content, and all
legal disclaimers that apply to the journal pertain.

SECO: Secure and Scalable Data Collaboration Services in Cloud Computing

Xin Dong^a, Jiadi Yu^a,*, Yanmin Zhu^a, Yingying Chen^b, Yuan Luo^a, Minglu Li^a

^a Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, P.R. China 200240
^b Department of Electrical and Computer Engineering, Stevens Institute of Technology, Hoboken, USA 07030

Abstract

Cloud storage services enable users to remotely store their data and eliminate excessive local installation of software and hardware. There is an increasing trend of outsourcing enterprise data to the cloud for efficient data storage and management. However, this introduces many new challenges toward data security. One critical issue is how to enable a secure data collaboration service including data access and update in cloud computing. A data collaboration service is to support the availability and consistency of the shared data among multi-users. In this paper, we propose a secure, efficient and scalable data collaboration scheme SECO. In SECO, we employ a multi-level hierarchical identity based encryption (HIBE) to guarantee data confidentiality against untrusted cloud. This paper is the first attempt to explore secure cloud data collaboration services that precludes information leakage and enables a one-to-many encryption paradigm, data writing operation and fine-grained access control simultaneously. Security analysis indicates that the SECO is semantically secure against adaptive chosen ciphertext attacks (IND-ID-CCA) in the random oracle model, and enforces fine-grained access control, collusion resistance and backward secrecy. Extensive performance analysis and experimental results show that SECO is highly efficient and has only low overhead on computation, communication and storage.

Keywords: Data collaboration, data security, HIBE, one-to-many encryption, cloud computing.

* Corresponding author. Tel: +86 21 3420 5856; Fax: +86 21 3420 5856
Email address: jiadiyu@sjtu.edu.cn (Jiadi Yu)

Preprint submitted to Computers and Security, November 21, 2014

1. Introduction

Cloud computing (Armbrust et al., 2009), the long-held dream of computing as a utility, is rapidly evolving to revolutionize the way data is stored and used. Cloud computing benefits data users in that it allows convenient access and use of storage resources offered by a cloud server provider (CSP). Challenges in security, however, posed by outsourcing data to the cloud, come along with benefits. Upon loss of physical possession of the outsourced data, users no longer control their data. But CSPs may be untrusted and could monitor at will, lawfully or unlawfully, the data stored in the cloud and the communication between users and cloud. As a result, outsourcing users’ data to the cloud initiates a series of problems about security and privacy. Examples of security breaches never stop showing up (Arrington, 2006; Wilson, 2008; Ren et al., 2012; Ateniese et al., 2007). Therefore, maintaining data availability and confidentiality becomes critical to enable wide deployment of CSP-based data service with high quality.

One important security issue is how to ensure secure data storage service when utilizing cloud services (Arora et al., 2013; De Capitani di Vimercati et al., 2010; Samarati and De Capitani di Vimercati, 2010). For instance, enterprises can outsource their data into the cloud and then enable their employees to access these data. However, cloud servers are untrusted and they may disclose the confidential information about an enterprise to their business competitors or even hide data leakage to maintain their reputations. In order to ensure data security, companies and enterprises usually have to encrypt the data before outsourcing it into the cloud. Recently, the notion of secure cloud storage services has been proposed in the context of ensuring remotely stored data under different systems and security models (Ateniese et al., 2007; Yu et al., 2010; Wang et al., 2010a; Dong et al., 2013). These existing works addressed the secure cloud storage and data access issue either by introducing attribute-based encryption (ABE) (Goyal et al., 2006) for fine-grained access control (Wang et al., 2010b; Dong et al., 2014), or by utilizing an owner-write-user-read mechanism (Wang et al., 2009) to achieve cryptography-based access control, which only supports coarse-grained access control. ABE-based schemes are data-read sharing services, while the owner-write-user-read mechanism is a one-to-one encryption paradigm, meaning encrypted data can only be decrypted by a particular recipient. Consequently, existing solutions mainly focus on how to afford secure data access control (read) for cloud users. None of these works considers that multiple users operate (read/write) encrypted data collaboratively in cloud computing, i.e., data collaboration services.

A data collaboration service is to support the availability and consistency of the shared cloud data among multi-users. Let’s consider a typical data collaboration service scenario: Alice, who is the boss of a company, pays a CSP for a secure data collaboration service, and assigns her two colleagues, Jack and Bob, to work collaboratively on a project. Alice first encrypts the project data and stores the encrypted data into the cloud. Then, Alice authorizes Jack and Bob to access the encrypted data so that they can modify the data. After modifying the data, Jack or Bob re-encrypts the data and sends it to the cloud. Among these three members, anyone who modifies the data then determines the access privilege of the data. In total, three members work together and share data in a collaborative way. To avoid information leakage, the data have to be restrained within the reach of these three members. Thus the access policy of the above scenario is: authorized users can access the encrypted data while the CSP and other unauthorized users know nothing about the data in data collaboration services.

To realize secure data collaboration services in cloud computing, we face the following challenges. Firstly, since confidential data involves more than one recipient, the encryption paradigm should be one-to-many, meaning that multiple recipients can decrypt the encrypted data. Secondly, authorized users have the privilege to operate the cloud data, so the encryption paradigm should support data writing operation. Thirdly, in order to ensure data security among users, the system should provide fine-grained access control to the users. To the best of our knowledge, there is no existing solution to tackle the problems of secure data collaboration services in cloud computing.

In this paper, we propose a scalable scheme (SECO) to enable secure cloud data collaboration with explicit dynamic data/users. For cloud data security, we employ a multi-level hierarchical identity-based encryption (HIBE) scheme, which contains a root private key generator (PKG), a series of lower-level PKGs and independent domains. The root PKG only generates private keys for lower-level PKGs, and lower-level PKGs in turn generate private keys for entities in their next level. A domain consists of a D-PKG and a number of individual users who cooperate to complete a project. During data collaboration, to achieve a one-to-many encryption paradigm, a user in a domain encrypts data with the public parameters and multiple recipients’ public keys so that only the intended domain recipients are able to decrypt the data. To support writing operation, every authorized user can encrypt the decrypted data after modifying (read/write) it, and then send it into the cloud to share with other domain users. The data writing operation does not introduce security problems. To realize fine-grained access control, each authorized user who encrypts data can decide on the intended decryption recipients.

Specifically, the main contributions of this paper can be summarized in the following three aspects:

• We propose a data collaboration service, SECO, which enables secure, efficient and scalable data collaboration in cloud computing, realizing a one-to-many encryption paradigm, writing operation and fine-grained access control simultaneously without any information leakage. Our work is the first attempt to explore secure data collaboration in cloud computing.

• We prove that SECO is semantically secure against adaptive chosen ciphertext attacks (IND-ID-CCA) in the random oracle model under the Bilinear Diffie-Hellman assumption (Boneh and Franklin, 2001), and SECO also enforces collusion resistance and backward secrecy for cloud data collaboration services.

• We have conducted extensive theoretical analysis and real experiments to evaluate the performance of SECO. The result indicates that SECO introduces low overhead on computation, communication and storage while improving the effectiveness and efficiency.

The remainder of this paper is organized as follows: Section 2 discusses related works; Section 3 introduces the system model, threat model and our design goals; Section 4 presents the detailed design of SECO; Section 5 provides the security definition and security proof of SECO; Sections 6 and 7 analyze the theoretical and experimental performance of SECO, respectively; finally, Section 8 concludes the whole paper.

2. Related Work

Identity-based encryption (IBE) is an encryption choice in cloud computing (Li et al., 2013a; Guo et al., 2013). The concept of IBE is proposed by Shamir (1985), and the first fully functional IBE schemes are described by Boneh and Franklin (2001) and Cocks (2001). In IBE, the public key for a unique user can be set to any value (such as one’s identity) and the corresponding private key is generated by a trusted third party called private key generator (PKG). Relatively speaking, the IBE scheme is a public key cryptosystem (PKC) and can eliminate the search for recipient’s public key. To reduce the workload on the PKG, Horwitz and Lynn (2002) introduced a HIBE scheme with collusion-resistance. Gentry and Silverberg (2002) presented a HIBE scheme with total collusion resistance and chosen ciphertext security (CCA) in the random oracle model. Later on, Boneh et al. (2005) introduced an efficient HIBE scheme with selective-ID security without random oracle model under BDH assumption. However, these HIBE schemes are all one-to-one encryption paradigms.

An attribute-based encryption (ABE) system is actually a simplified IBE system, with only one attribute in the system. ABE was first proposed by Sahai and Waters (2005). In an ABE scheme, the sender encrypts the message with a set of attributes and specifies a number d. The recipient who has at least d attributes of the given attributes can decrypt the encrypted message. Based on these, Goyal et al. (2006) proposed a fine-grained data access control ABE scheme that supports any monotonic access structure, i.e., AND, OR, or other threshold gates. Later on, Ostrovsky et al. (2007) proposed an enhanced scheme that supports non-monotonic access structure which includes NOT gate that was not allowed in Goyal et al. (2006). There are two classes of ABE named key-policy attribute-based encryption (KP-ABE) and ciphertext policy attribute-based encryption (CP-ABE). In KP-ABE (Goyal et al., 2006), the access structure is used to encrypt the secret key, while the attributes are used to describe the ciphertext. CP-ABE was first introduced by Bethencourt et al. (2007). In a CP-ABE scheme, the access structure is used to encrypt the ciphertext and the secret key is generated based on an attribute set. Thus, the roles of the secret key and the ciphertext in CP-ABE are opposite to what they are in KP-ABE. ABE is a one-to-many encryption paradigm. However, it is not suitable for data collaboration services due to the key management.

Identity-based broadcast encryption is also a one-to-many encryption paradigm. The concept of broadcast encryption (BE) was first proposed by Fiat and Naor (1994). In BE schemes, a broadcast center encrypts messages and broadcasts them to a group of authorized users who are listening on a broadcast channel. Moreover, Mu et al. (2003) were the first to introduce the concept called “Identity-Based Broadcasting Encryption”, which can be applied to dynamic key management in secure broadcasting. Later on, Baek et al. (2005) constructed an efficient “multi-receiver identity-based encryption scheme”, which only needs one pairing computation to encrypt a single message for n receivers. Based on these, Delerablée (2007) describes an identity-based broadcast encryption with constant size ciphertexts and private keys. However, in these identity-based broadcasting encryption schemes, only the broadcast center can encrypt messages, and each authorized user just reads the message. That is to say, identity-based broadcasting encryption schemes cannot support data writing operation in data collaboration services. Moreover, identity-based broadcasting encryption schemes cannot achieve fine-grained access control in a group of authorized users.

Functional encryption is an emerging paradigm for public-key encryption that enables fine-grained control of access to encrypted data (Agrawal et al., 2013). It extends several previous notions, most notably the IBE encryption system, and provides the ability to generate and release secret keys associated with a keyword that can decrypt only those documents that contain the keyword. More generally, functional encryption allows the owner of a “master” secret key to release restricted secret keys that reveal a specific function of encrypted data. Based on these, Goldwasser et al. (2014) introduces the problem of multi-input functional encryption, where a secret key $sk_f$ can correspond to an n-ary function $f$ that takes multiple ciphertexts as input. Later on, Boneh et al. (2013) develops an approach for designing function-private identity-based encryption schemes. The authors first put forward a new notion, function privacy, in IBE encryption and functional encryption. In addition to function privacy, Boneh et al. (2013) proposed the first public-key searchable encryption scheme that is provably keyword private. In their schemes, a search key $sk_w$ enables one to identify encryptions of an underlying keyword $w$, while not revealing any additional information about keyword $w$. Therefore, the keyword $w$ is sufficiently unpredictable. Functional encryption is also a one-to-many encryption paradigm. However, functional encryption also cannot support data writing operation in data collaboration services.

Furthermore, existing works can be found in the areas of secure outsourced data storage and sharing services. Adya et al. (2002) used symmetric keys to encrypt data and provided a secure, scalable data system that logically functions as a centralized data server but is physically distributed among a set of untrusted servers. However, every user used their public key to encrypt the symmetric keys, which brings high overhead on key management. In Kallahalla et al. (2003), the authors proposed a cryptographic data system and used verify and sign keys to determine whether or not a user can read or write data respectively. Since the key generation procedure is proportional to the total number of data-groups, the above schemes are not suitable for the case of data collaboration in cloud computing, in which the number of data-groups could be enormous. In addition, the above schemes are one-to-one encryption paradigms and only support coarse-grained access control.

Goh et al. (2003) proposed SIRIUS that adopted a complicated structure and provided end-to-end security. However, the complexity of the scheme depends on each meta data size and thus is not scalable. Wang et al. (2009) proposed a mechanism in owner-write-users-read applications that assigned every data block with a different key to achieve flexible cryptography based access control. However, the users can only read the data but not write data, and thus the mechanism is not suitable for data collaboration in cloud computing. Li et al. (2013b) proposed a novel patient-centric framework and a suite of mechanisms for data access control to personal health records (PHRs) stored in semi-trusted servers. To achieve fine-grained and scalable data access control for PHRs, they leverage ABE techniques to encrypt each patient’s PHR file. However, the scheme is a data sharing service and cannot support data writing operation in the stored PHR files. Wang et al. (2012) proposed a flexible distributed storage integrity auditing mechanism, utilizing the homomorphic token and distributed erasure-coded data. However, the scheme also cannot support data writing operation and the complexity of the homomorphic encryption is high. Moreover, the above schemes cannot support data writing operation and are not suitable in data collaboration services.

3. Problem Statement

3.1. System Model

Generally, a cloud data collaboration system has five different parties in network: Cloud Server provides high-quality services utilizing a number of servers with significant storage space and computation power; Root Private Key Generator (R-PKG) possesses a master key and generates corresponding private keys for lower-level PKGs; Level Private Key Generators (L-PKGs) request private keys from upper-level PKGs and generate private keys for lower-level PKGs; Domain Private Key Generators (D-PKGs) request private keys from upper-level PKGs and generate private keys for their domain entities; Users cooperate with each other to complete a project, receive their private keys from D-PKG and store their data in the Cloud Server.

Figure 1 depicts the system model, which is characterized by a multi-level HIBE scheme. From the system model, we can see that it consists of an R-PKG, a series of L-PKGs, D-PKGs and individual users. In this hierarchical architecture, the R-PKG generates system public parameters for all system entities and private keys for lower-level L-PKGs. Then, each L-PKG in turn generates private keys for the entities in the next level. L-PKGs share the workload of private key generation and identity authentication for R-PKG. Thus, secret key transmission and authentication can be achieved locally. A domain consists of a D-PKG and a number of individual users who cooperate to complete a project. In each domain, the D-PKG keeps a user list $UL_{dom}$ which records public keys of all the valid users in the domain. The D-PKG will send the latest domain user list $UL_{dom}$ to all valid users in a domain. All entities in a domain store their data into a set of cloud servers that are running in a cooperated and distributed manner. Users use their keys to decrypt the data stored in the Cloud Server. All entities in the domain can interact with the Cloud Server to access (read, write, update, etc.) the stored data dynamically. Furthermore, PKGs and users do not have to be online all the time, whereas the Cloud Server is always online.

3.2. Threat Model

The adversary model considers most threats toward cloud data confidentiality. In the system model, Cloud Server is semi-trusted. Namely, it behaves properly most of the time, but for some benefits the Cloud Server might try to find out as much secret information as possible. In fact, there are several types of threats: both inner threats (CSP and users who might obtain the unauthorized data) and outer threats (external adversaries beyond the domain of this system, e.g., unauthorized attackers) might be present; attacks can either be active (unauthorized users who may inject malicious data into the cloud) or be passive (unauthorized users eavesdropping on conversations between users and the cloud); for the purpose of harvesting data contents, CSP and users may collude and try to access unauthorized data.

For the purpose of secure data collaboration in cloud computing, the main goal of this paper is to protect the contents of domain data from being learned by the cloud and attackers, including inner intruders and unauthorized outer users. All these attacks can be active or passive. With respect to data access control in the cloud, we have the following requirements: 1) Fine-grained access control: Each user should only access the data he is allowed and should not access the data he is not authorized to; 2) Collusion resistance: As described in the adversary model, users cannot collude and share their secret key to access the data they are not allowed; 3) Backward secrecy: Users should not access the decrypted domain data after they have been revoked from the domain. Note that, in the adversary model, the communication channels between users and Cloud Server are secured under existing protocols, such as SSL.

4. The Design of SECO

In order to achieve secure cloud data collaboration, we propose a multi-level HIBE scheme SECO. SECO realizes a one-to-many encryption paradigm in which encrypted domain data can be decrypted by multiple authorized users, and in which writing operation and fine-grained access control can be done simultaneously without any information leakage.

4.1. Overview

SECO employs a multi-level hierarchical architecture to embody the users’ role in data collaboration in cloud computing. In SECO, R-PKG generates private keys for lower-level PKGs, and D-PKGs request private keys from upper-level PKGs. In a domain, a user encrypts data with multiple recipients’ public keys and stores it into the Cloud Server. So only those intended recipients and the D-PKG can decrypt the data using their own secret keys. A user only takes public keys of the recipients and system parameters as inputs to encrypt data. Any other users outside the recipient list cannot obtain any data information even if all of them collude. Therefore, users in the same domain can cooperate to complete work without worrying about their data security.

SECO elegantly integrates five randomized algorithms: Root setup, Lower-level setup, Key generation, Encryption, Decryption to achieve secure cloud data collaboration. Figure 2 describes a simplified workflow of SECO in a domain. At the initialization phase, R-PKG uses the Root setup algorithm to generate system parameters for all entities. L-PKGs and D-PKGs then use the Lower-level setup algorithm to pick some seeds for themselves. By the Key generation algorithm, a PKG generates private keys for all his children by using the system parameters and his private key. Suppose there are three users to work collaboratively in $Domain_i$. $User_1$ has confidential data $D_0$ and needs $User_2$ and $User_3$ to operate it. $User_1$ first uses the Encryption algorithm to encrypt data $D_0$ with the public keys of $User_2$ and $User_3$ and stores it to the cloud, so that $User_2$ and $User_3$ can access data $D_0$. $User_2$ downloads data $D_0$ and uses the Decryption algorithm to decrypt it. After modifying $D_0$, $User_2$ renames it to data $D_1$ and uses the Encryption algorithm to encrypt it with the public keys of $User_1$ and $User_3$. $User_3$ now can decrypt data $D_1$ and makes a final modification. $User_3$ encrypts the final version $D_2$ with the public key of $User_1$ and stores it. In the end, $User_1$ uses his private key to obtain the final data $D_2$. Thus, $User_1$, $User_2$ and $User_3$ modify the confidential data collaboratively without leaking any information to unauthorized users. In the following subsections, we elaborate the design details. Table 1 shows the symbols and their meanings as used in SECO.

4.2. Preliminaries

We give some related definitions and assumptions similar to those given in Boneh and Franklin (2001) and Gentry and Silverberg (2002), which are used in SECO.

Bilinear Diffie-Hellman (BDH) Parameter Generator: As in Gentry and Silverberg (2002), a randomized algorithm $\mathcal{IG}$ is a BDH parameter generator which takes a security parameter $K > 0$ as input, and outputs the description of two groups $G_1$, $G_2$ of the prime order $q$ and a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ in polynomial time.

Bilinear Map: Let $G_1$ and $G_2$ be two groups of prime order $q$, and $g_1$ is the generator of group $G_1$. $\hat{e}$ is a bilinear map if $\hat{e}: G_1 \times G_1 \to G_2$ satisfies the following properties:

• Bilinearity: for all $Q, R, S \in G_1$ and $a, b \in \mathbb{Z}_q$ where $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$, have $\hat{e}(aQ, bR) = \hat{e}(bQ, aR) = \hat{e}(Q, R)^{ab}$, $\hat{e}(Q + R, S) = \hat{e}(Q, S)\,\hat{e}(R, S)$ and $\hat{e}(Q, R + S) = \hat{e}(Q, R)\,\hat{e}(Q, S)$.

• Computability: for any $Q, R \in G_1$, there is a polynomial time algorithm to compute $\hat{e}(Q, R) \in G_2$.

• Non-degeneracy: $\hat{e}(g_1, g_1) \neq 1$.

BDH Problem: Randomly choose $P$ as well as $aP$, $bP$ and $cP$ where $P \in G_1$ and $a, b, c \in \mathbb{Z}_q$, compute $\hat{e}(P, P)^{abc}$.

BDH Assumption: As in Gentry and Silverberg (2002), the advantage $Adv_{\mathcal{IG}}(\mathcal{B})$ that an algorithm $\mathcal{B}$ has in solving the BDH problem is defined to be the probability that the algorithm $\mathcal{B}$ takes $G_1, G_2, \hat{e}, P, aP, bP, cP$ as inputs and outputs $\hat{e}(P, P)^{abc}$, where $(G_1, G_2, \hat{e})$ is the output of BDH parameter generator $\mathcal{IG}$ for large security parameter $K > 0$, $P$ is a random generator of group $G_1$, and $a, b, c$ are random elements of $\mathbb{Z}_q$. The BDH assumption is that $Adv_{\mathcal{IG}}(\mathcal{B})$ is negligible for all efficient algorithms $\mathcal{B}$.

4.3. Construction of SECO

In this section, we construct SECO using the bilinear map. We first introduce the form of keys. Then, the detailed algorithms of SECO are presented.

Let $Level_t$ be the set of entities at level $t$, and $Level_0 = \{\text{R-PKG}\}$. In SECO, each L-PKG and D-PKG has two secret keys: a private key and a master key. The private key is obtained from the upper-level PKG while the master key is a random seed picked by the PKG itself. A D-PKG manages a number of domain users. In a domain, the D-PKG uses the two keys to generate private keys for all users in this domain. In this hierarchy, each L-PKG, D-PKG and user has a primitive ID, which is an arbitrary string, such as ID number and email address. A user’s public key is an ID-tuple consisting of his ancestor L-PKG’s ID, D-PKG’s ID and his own ID, i.e., $(ID_1, \ldots, ID_{m-1})$, where $m$ is the depth of the hierarchy. For example, in a two-level hierarchy, Bob is a D-PKG which requests the private key from R-PKG and generates the private key for Alice, who is a user in Bob’s domain. Suppose the email addresses are used as their IDs, then the public keys of Bob and Alice are (“Bob@email”) and (“Bob@email||Alice@email”), respectively (“||” denotes string concatenation). In addition, the R-PKG also publishes several system parameters used to encrypt and decrypt the cloud data.

Table 1: Symbols and their meanings

| Symbols | Meanings |
|---|---|
| $M$ | Message |
| $C$ | Ciphertext |
| $S_0$ | Identity element of group $G_1$ |
| $t$ | The level of an entity |
| $dom$ | The level of each D-PKG |
| $UL_{dom}$ | The user list in a domain |
| $E^i_{dom+1}$ | A domain user at $Level_{dom+1}$ |
| $(\text{ID-tuple}_{dom}, ID^i_{dom+1})$ | User $E^i_{dom+1}$’s public key (ID-tuple) |
| $s_0$, $s_{dom}$, $s^i_{dom+1}$ | Master key for R-PKG, D-PKG and User $E^i_{dom+1}$ |
| $SK_{dom}$, $SK^i_{dom+1}$ | Private key for D-PKG and User $E^i_{dom+1}$ |
| $P_0$, $Q_0$ | System parameters generated by R-PKG |
| $P_{dom}$, $Q_{dom}$ | D-PKG’s parameters |
| $P^i_{dom+1}$, $Q^i_{dom+1}$ | User $E^i_{dom+1}$’s parameters |
| $H_1$, $H_2$, $H_3$, $H_4$ | Hash function, example SHA-1 |

SECO is specified by the following five randomized algorithms.

Root Setup: Let $K$ be the security parameter used by a BDH parameter generator $\mathcal{IG}$. The R-PKG takes $K$ as input, and outputs params (system parameters) and a root master key. The system parameters which contain the description of plaintext space $\mathcal{M}$, ciphertext space $\mathcal{C}$ and some other parameters are published, while the root master key is only known to the R-PKG.

The R-PKG takes as input a security parameter $K$ and runs the BDH parameter generator $\mathcal{IG}$ to generate two groups $G_1$, $G_2$ of prime order $q$. It generates a bilinear map $\hat{e}: G_1 \times G_1 \to G_2$ which has the properties of bilinearity, computability and non-degeneracy. The R-PKG then picks an arbitrary generator $P_0 \in G_1$ and a seed $s_0 \in \mathbb{Z}_q$ randomly, where $\mathbb{Z}_q = \{0, 1, 2, \ldots, q-1\}$, and it sets $Q_0 = s_0 P_0$. Finally, the R-PKG defines four cryptographic hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: G_2 \to \{0,1\}^n$, $H_3: \{0,1\}^n \times \{0,1\}^n \to G_1$ and $H_4: \{0,1\}^n \to \{0,1\}^n$ for some $n$, and the four hash functions will be treated as random oracles.

The plaintext space is $\mathcal{M} = \{0,1\}^n$, while the ciphertext space is $\mathcal{C} = G_1^{N+L} \times \{0,1\}^{2n}$ where $N$ is the number of the intended recipients and $L$ is the level of the intended recipients. The parameters of the system are params $= \langle G_1, G_2, \hat{e}, P_0, Q_0, H_1, H_2, H_3, H_4 \rangle$. The master key of R-PKG is $s_0 \in \mathbb{Z}_q$.

Lower-Level Setup: Each PKG $E_t \in Level_t$ obtains the system parameters (params) from the R-PKG. Each PKG randomly picks an $s_t \in Z_q$ as his master key, which will be used to issue private keys to his children. Except for $s_t$, each PKG is not permitted to generate any other parameters.

Key Generation: A PKG (whether the root one or a lower-level one) uses its private key (and any other secret information) and system parameters to generate private keys for all of his children. The private keys of domain users are generated by the D-PKG in the same domain. Let $S_0$ be the identity element of group $G_1$.

For each PKG $E_t \in Level_t$ (L-PKG or D-PKG) with ID-tuple $(ID_1, \ldots, ID_t)$, where $(ID_1, \ldots, ID_s)$ for $1 \le s < t$ is the ID-tuple of $E_t$'s ancestor at $Level_s$, $E_t$'s parent generates the private key $SK_t$ for each $E_t$. It first calculates $P_t = H_1(ID_1, \ldots, ID_t) \in G_1$; then $E_t$'s parent computes the private key for $E_t$ as:

$$SK_t = S_{t-1} + s_{t-1} P_t = \sum_{j=1}^{t} s_{j-1} P_j$$

and sends $E_t$ the value $Q_j = s_j P_0$ for $1 \le j \le t-1$.

For a D-PKG $E_{dom} \in Level_{dom}$ in domain A, it has two secret keys: a master key $s_{dom}$ and a private key $SK_{dom}$. Private key $SK_{dom}$ is used to decrypt all domain data stored in the Cloud Server. Each D-PKG uses his private key $SK_{dom}$ and master key $s_{dom}$ to generate private keys for all users belonging to this domain. For each user in domain A whose D-PKG/parent is $E_{dom}$, the ID-tuple for user $E^i_{dom+1}$ is $(\text{ID-tuple}_{dom}, ID^i_{dom+1})$. Therefore, the level of these users in domain A is $dom+1$. $E^i_{dom+1}$ randomly picks an element $s^i_{dom+1} \in Z_q$ as his master key. $E_{dom}$ generates the private key $SK^i_{dom+1}$ for $E^i_{dom+1}$.

For each user $E^i_{dom+1}$, the D-PKG $E_{dom}$ first calculates $P^i_{dom+1} = H_1(\text{ID-tuple}_{dom}, ID^i_{dom+1}) \in G_1$; then it computes the private key for $E^i_{dom+1}$ as:

$$SK_i = SK_{dom} + s_{dom} P^i_{dom+1} = \sum_{j=1}^{dom} s_{j-1} P_j + s_{dom} P^i_{dom+1}$$

and sends to $E^i_{dom+1}$ the values $Q_j$ for $1 \le j \le dom$ and $Q^i_{dom+1}$, where $Q^i_{dom+1} = s^i_{dom+1} P_0$. $E^i_{dom+1}$ has two secret keys: a master key $s^i_{dom+1}$ and a private key $SK^i_{dom+1}$. $E^i_{dom+1}$ uses $s^i_{dom+1}$ and $SK^i_{dom+1}$ to decrypt the authorized data in the Cloud Server. Each D-PKG has a secret just like the root PKG. In addition, the D-PKGs need not always use the same $s_{dom}$ for each private key extraction. That is to say, $s_{dom}$ could be generated randomly for each of the D-PKG's children. It is worth noticing that $E^i_{dom+1}$'s public key $(\text{ID-tuple}_{dom}, ID^i_{dom+1})$ is equal to $(ID_1, \ldots, ID_{dom}, ID^i_{dom+1})$, where the D-PKG $E_{dom} \in Level_{dom}$ is the parent of $E^i_{dom+1}$.

Encryption: When a user wants to encrypt a file for $N$ recipients in domain A, the data $D$ is encrypted in the following form: Encrypt(parameters, ID-tuple$_1$, ..., ID-tuple$_N$, $M$), where parameters are the system public parameters, $N$ is the number of the intended recipients, ID-tuple$_1$, ..., ID-tuple$_N$ are the public keys (ID-tuples) of the $N$ recipients $E^1_{dom+1}, \ldots, E^N_{dom+1}$, respectively, and $M$ is the data. The user inputs system parameters params, plaintext $M \in \mathcal{M}$ and the ID-tuples of the $N$ intended data recipients, and then calculates a ciphertext $C \in \mathcal{C}$. After modifying data $M$, the user encrypts it with the $N$ recipients' ID-tuples $(\text{ID-tuple}_{dom}, ID^i_{dom+1})$ for $1 \le i \le N$ in the same domain.

The user first calculates $P^i_{dom+1} = H_1(\text{ID-tuple}_{dom}, ID^i_{dom+1}) \in G_1$ for every $1 \le i \le N$ and $P_t = H_1(ID_1, \ldots, ID_t)$ for $1 \le t \le dom$. Here $P^i_{dom+1}$ means the hash value for the $i$-th recipient at $Level_{dom+1}$. Then the user picks a random $\sigma \in \{0,1\}^n$ and sets $r = H_3(\sigma, M)$. Therefore, the ciphertext is set as:

$$C = [\{rP^i_{dom+1}\}, \{rP_t\}, \sigma \oplus H_2(g^r), M \oplus H_4(\sigma)]$$

for $1 \le i \le N$ and $0 \le t \le dom$, where $g = \hat{e}(Q_0, P_1) \in G_2$. The user encrypts the data $M$ with $t$ intended recipients in the same domain, and sends the ciphertext $C$ to the Cloud Server.

Decryption: A user or D-PKG in domain A inputs system parameters params, ciphertext $C \in \mathcal{C}$, and its private key $SK$, and then recovers the data $M \in \mathcal{M}$. The D-PKG can decrypt all the encrypted data belonging to the domain, whereas the users can only decrypt the authorized data.

Let $C = [\{U^i_{dom+1}\}, \{U_t\}, V, W]$ be the ciphertext encrypted using the $N$ recipients' ID-tuples $(\text{ID-tuple}_{dom}, ID_i)$, for $i \in (1, 2, \ldots, N)$. Here $U^i_{dom+1} = rP^i_{dom+1}$, $U_t = rP_t$, $V = \sigma \oplus H_2(g^r)$ and $W = M \oplus H_4(\sigma)$. If $(U_0, U_1, U_2, \ldots, U_{dom}) \notin G_1^{dom+1}$, $E_{dom}$ rejects this ciphertext. To decrypt $C$, the D-PKG $E_{dom}$ computes

$$V \oplus H_2\left(\frac{\hat{e}(U_0, SK_{dom})}{\prod_{j=2}^{dom} \hat{e}(Q_{j-1}, U_j)}\right).$$

We observe that:

$$\begin{aligned}
V \oplus H_2\left(\frac{\hat{e}(U_0, SK_{dom})}{\prod_{j=2}^{dom} \hat{e}(Q_{j-1}, U_j)}\right)
&= V \oplus H_2\left(\frac{\hat{e}(rP_0, \sum_{i=1}^{dom} s_{i-1}P_i)}{\prod_{j=2}^{dom} \hat{e}(s_{j-1}P_0, rP_j)}\right) \\
&= V \oplus H_2\left(\frac{\hat{e}(rP_0, s_0P_1)\,\hat{e}(rP_0, \sum_{i=2}^{dom} s_{i-1}P_i)}{\hat{e}(rP_0, \sum_{j=2}^{dom} s_{j-1}P_j)}\right) \\
&= V \oplus H_2(\hat{e}(Q_0, P_1)^r) = \sigma.
\end{aligned}$$

After calculating the value of $\sigma$, $E_{dom}$ then computes $W \oplus H_4(\sigma) = M$.

The ciphertext $C = [\{U^i_{dom+1}\}, \{U_t\}, V, W]$ is given to each intended recipient $E^i_{dom+1}$, $i \in \{1, 2, \ldots, N\}$. If $(U_0, U_1, U_2, \ldots, U_{dom}) \notin G_1^{dom+1}$, $E^i_{dom+1}$ rejects this ciphertext. To decrypt $C$, the recipient $E^i_{dom+1}$ executes the following steps:

• computes $P^i_{dom+1} = H_1(\text{ID-tuple}_{dom}, ID^i_{dom+1})$;

• computes $V \oplus H_2\left(\frac{\hat{e}(U_0, SK^i_{dom+1})}{\prod_{j=2}^{dom} \hat{e}(Q_{j-1}, U_j)\,\hat{e}(Q_{dom}, U^i_{dom+1})}\right)$ to recover $\sigma$;

• computes $W \oplus H_4(\sigma) = M$;

• sets $r = H_3(\sigma, M)$ and tests that $U^i_{dom+1} = rP^i_{dom+1}$. If not, rejects the ciphertext. Otherwise, outputs $M$ as the decryption of $C$.

Observe that:

$$\begin{aligned}
V \oplus H_2\left(\frac{\hat{e}(U_0, SK^i_{dom+1})}{\prod_{j=2}^{dom} \hat{e}(Q_{j-1}, U_j)\,\hat{e}(Q_{dom}, U^i_{dom+1})}\right)
&= V \oplus H_2\left(\frac{\hat{e}(rP_0, SK_{dom} + s_{dom}P^i_{dom+1})}{\prod_{j=2}^{dom} \hat{e}(s_{j-1}P_0, rP_j)\,\hat{e}(s_{dom}P_0, rP^i_{dom+1})}\right) \\
&= V \oplus H_2\left(\frac{\hat{e}(rP_0, s_0P_1)\,\hat{e}(rP_0, \sum_{j=2}^{dom} s_{j-1}P_j)\,\hat{e}(rP_0, s_{dom}P^i_{dom+1})}{\hat{e}(rP_0, \sum_{j=2}^{dom} s_{j-1}P_j)\,\hat{e}(s_{dom}P_0, rP^i_{dom+1})}\right) \\
&= V \oplus H_2(\hat{e}(s_0P_0, P_1)^r) = \sigma.
\end{aligned}$$

The domain users cooperate to complete a project and store their project data into the Cloud Server. The domain PKG can decrypt all domain data, while any user in this domain can only access the data that he is allowed.

4.4. Dynamic Operations

In this section, we present the detailed dynamic data and user operation processes in SECO. Since domain users do not physically possess their data but store them in the Cloud Server instead, the dynamic data and user operations are quite challenging. When SECO deals with these dynamic requests, it needs to satisfy the following requirements: firstly, secret keys cannot be disclosed to the Cloud Server; secondly, in order to manage keys efficiently, the D-PKG should not redistribute secret keys for domain users; finally, domain users need to guarantee that all operations should be processed faithfully.

4.4.1. Data operation

From the data perspective, the domain users are about to create and delete the domain data.

Data creation: In a domain, to achieve data collaboration, any user in the domain can create new data for his project and store the data into the Cloud Server. When new data is created, SECO first chooses a unique ID for the new data, and then the data creator decides the intended recipients. Finally, the creator encrypts the data with the recipients' public keys and uploads the ciphertext with his signature to the Cloud Server. If the signature verifies correctly, the Cloud Server stores the new data. Otherwise, the Cloud Server rejects the data. Upon completion of the current work, the user can go offline as he likes.

Data deletion: In a domain, SECO also provides a data deletion operation. The delete operation we consider here is straightforward. Only the D-PKG can delete the domain data in SECO. When the D-PKG is ready to delete data, he sends the data ID and his signature to the Cloud Server. After verifying the signature on this data ID correctly, the Cloud Server deletes the data.

4.4.2. User operations

From the users' perspective, to preserve domain data security, the D-PKG is about to add new users into the domain and revoke outdated users from the domain.

User addition: Sometimes, some new users need to join a domain for working. In SECO, secret key transmission can be implemented locally. So when a new user applies for joining the domain, the D-PKG first verifies the identity of the user; if correct, the D-PKG gives the user a new ID and calculates a private key for the user using the key generation algorithm in Section 4.3. Then, the D-PKG sends the ID-tuple and the private key to the user. Finally, the D-PKG adds the new user to the domain user list $UL_{dom}$ and sends the new domain user list $UL_{dom}$ to all valid users in the domain. The new user picks a random seed as his master key. After receiving the public/private key from the D-PKG, the user can access the domain data correctly. In addition, the user can use other users' public keys to encrypt.

User revocation: In a domain, the D-PKG may revoke some users' access privileges to preserve data security. The users are not allowed to access (read, write, update, etc.) the domain data anymore after being revoked. In SECO, users encrypt data with recipients' public keys. When there is a user to be revoked from the domain, the D-PKG first cancels his public key. The D-PKG removes the revoked user from the domain user list $UL_{dom}$ and sends the new domain user list $UL_{dom}$ to all valid users in the domain. Then, the data that is encrypted with this public key will be re-encrypted by the D-PKG. From then on, the domain users encrypt data without the canceled public key. After being revoked from the domain, the user cannot access the domain data anymore, even if he colludes with other unauthorized users. In some related works, the D-PKG needs to update the secret keys for the non-revoked users (Yu et al., 2010) when there exist user revocation operations. However, SECO does not need to update the keys for non-revoked users because the private key of each user is independent.

4.4.3. Domain operations

From the domains' perspective, SECO is about to add a new domain and revoke an outdated domain from the system.

Domain addition: Sometimes, some new domains need to join a system for economic reasons. In SECO, each domain is independent. That is to say, secret keys among the domains are independent. So when a new domain applies for joining the system, the system first verifies the identity of the D-PKG. If correct, the system gives an ID-tuple and calculates a secret key for the joining D-PKG. Finally, the new D-PKG generates secret keys for domain users using the key generation algorithm in Section 4.3. The domain users can access their domain data correctly.

Domain revocation: As we know, the domains are independent. When there is a domain which wants to leave the system, SECO just removes all the secret keys and cloud files belonging to this domain. This operation will not affect other domains.

4.5. Discussion

Based on the current research, two issues remain to be addressed in SECO.

4.5.1. Data consistency

SECO supports multi-user reading and writing operations. Suppose a user A downloads and modifies a data file. Before A uploads the modified data, another user B also downloads the same data and modifies it. If user A and user B both upload their modified data to the Cloud Server, the data uploaded by user A does not include user B's modification, and vice versa. Thus, a data conflict will occur. It results in the problem of data consistency. SECO can utilize the Cloud Server to solve the problem of data consistency. When more than one user downloads and modifies the same data from the Cloud Server at the same time, the Cloud Server detects the data conflict if these users upload their data. Consequently, the Cloud Server just keeps the latest one as the final version. Meanwhile, the Cloud Server informs other users that their modifications are not successful.

4.5.2. Signature

SECO also has the ability to support signatures. Compared to traditional public key infrastructure (PKI), an IBE scheme does not require online public key lookup. Indeed, we can transform any PKI signature scheme to an ID-based signature scheme using certificates. When a user $E^i_{dom+1}$ wants to sign $M$ with his public key/ID-tuple $(\text{ID-tuple}_{dom}, ID^i_{dom+1})$, the following steps are executed:

• calculates $P_M = H_3((\text{ID-tuple}_{dom}, ID^i_{dom+1}), M) \in G_1$;

• calculates $Sig_M = Sig((\text{ID-tuple}_{dom}, ID^i_{dom+1}), M) = SK^i_{dom+1} + s^i_{dom+1} P_M$;

• sends $[Sig_M, Q_1, \ldots, Q_{dom}, Q^i_{dom+1}]$ as the signature for $((\text{ID-tuple}_{dom}, ID^i_{dom+1}), M)$, where $Q_j = s_j P_0$ for $1 \le j \le dom$ and $Q^i_{dom+1} = s^i_{dom+1} P_0$.

When the recipients receive the signature, they confirm the following equation:

$$\hat{e}(P_0, Sig_M) = \hat{e}(Q_0, P_1)\,\hat{e}(Q^i_{dom+1}, P_M) \prod_{t=2}^{dom} \hat{e}(Q_{t-1}, P_t)\,\hat{e}(Q_{dom}, P^i_{dom+1}).$$

In addition, key management in SECO is straightforward because all D-PKGs only need to keep track of two keys: private key and master key. Therefore, in a domain, the key transmission and signature authentication can be executed locally. There is no out-of-band communication of the key management.

5. Security Analysis

In the previous section, we showed that our secure data collaboration scheme SECO can realize the one-to-many encryption paradigm and writing operations simultaneously. In this section, we first provide a rigorous security proof of the proposed scheme. Then, we analyze the fulfillment of the security requirements discussed in Section 3.2.

5.1. Security of SECO

We follow the security definition of the standard IBE (Boneh and Franklin, 2001) and show our scheme is IND-ID-CCA secure. We first define the security of our scheme using a game which reflects the notion of IND-ID-CCA security and then present the proof in this section.

5.1.1. Security definition

We say that the proposed scheme is semantically secure against an adaptive chosen ciphertext attack (IND-ID-CCA) if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following game:

Setup: The challenger runs the Root Setup algorithm taking a security parameter $K$ as input. It gives A the system parameters params and keeps the root master key to itself.

Phase 1: The adversary A can issue queries $q_1, \ldots, q_m$ where $q_i$ is one of: 1) $H_1$-query (ID-tuple$_i$): the challenger obtains $H(\text{ID-tuple}_i)$ corresponding to ID-tuple$_i$; 2) Private key query (ID-tuple$_i$): the challenger runs the Key Generation algorithm to generate the private key $SK_i$ corresponding to ID-tuple$_i$ and sends it to A; 3) Decryption query (ID-tuple$_i$, $C_i$): the challenger runs the Key Generation algorithm to generate the private key $SK_i$ and the Decryption algorithm to decrypt $C_i$ using $SK_i$ and then gives the resulting plaintext to A. These queries can be asked adaptively by A, that is, each query $q_i$ may depend on the replies to $q_1, \ldots, q_{i-1}$.

Challenge: Once A decides Phase 1 is complete, it outputs $N$ recipients' ID-tuples: ID-tuples$_1$, ..., ID-tuples$_N$, and two equal length plaintexts $M_0, M_1 \in \mathcal{M}$ on which it wishes to be challenged. The only constraint is that none of the ID-tuples and his ancestors appear in any private key query in Phase 1. These ID-tuples may correspond to positions at the same level in the hierarchy. The challenger picks a random bit $d \in \{0, 1\}$ and uses the Encryption algorithm to encrypt $M_d$ as $C$ = Encryption(params, ID-tuples$_1$, ..., ID-tuples$_N$, $M_d$). It sends the challenge $C$ to the adversary A.

Phase 2: The adversary A issues more queries $q_{m+1}, \ldots, q_n$ where $q_i$ is one of: 1) $H_1$-query (ID-tuple$_i$): Challenger responds as in Phase 1; 2) Private key query (ID-tuple$_i$ , ID-tuple or ancestor): Challenger responds as in Phase 1; 3) Decryption query ((ID-tuple$_i$, $C_i$) , (ID-tuple or ancestor, $C$)): Challenger responds as in Phase 1. These queries may be asked adaptively as in Phase 1.

Guess: The adversary A outputs a guess $d' \in \{0, 1\}$. A wins the game if $d = d'$.

The advantage of A in this game is defined as $|\Pr[d = d'] - \frac{1}{2}|$.

5.1.2. Proof of security

We prove the security with the following theorem:

Theorem 5.1. Suppose there is an IND-ID-CCA adversary A which has the advantage $\epsilon(k)$ of successfully attacking the scheme SECO. Suppose A specifies $N$ recipients at $Level_t$, and makes at most $q_E$ private key queries, at most $q_D$ decryption queries, and at most $q_{H_2}$, $q_{H_3}$, $q_{H_4}$ queries to the hash functions $H_2$, $H_3$, $H_4$ in $Level_t$ respectively. Then there is an algorithm B for $\mathcal{IG}$ that solves the BDH problem with the advantage at least $2FO_{adv}\left(\frac{\epsilon(k)(N+t)^{N+t}}{(e(N+t+q_E+q_D))^{N+t}}, q_{H_3}, q_{H_4}, q_D\right)/q_{H_2}$, where the function $FO_{adv}$ is defined in Theorem 14 in Fujisaki and Okamoto (1999). Here $e \approx 2.71$ is the base of the natural logarithm.

The proof of Theorem 5.1 will use the result of Theorem 14 in Fujisaki and Okamoto (1999). According to Theorem 14 in Fujisaki and Okamoto (1999), we need the following Lemma 5.1 to translate between an IND-ID-CCA attack on SECO and an IND-CCA attack on $\text{BasicPub}^{hy}$, which is a related public key encryption scheme used in Boneh and Franklin (2001). $\text{BasicPub}^{hy}$ is the result of applying the Fujisaki-Okamoto transformation (Fujisaki and Okamoto, 1999) to a public key encryption scheme (not an identity based scheme) called BasicPub. The details of BasicPub and $\text{BasicPub}^{hy}$ are presented in Boneh and Franklin (2001). The difference here is that the message is encrypted with multiple recipients in $\text{BasicPub}^{hy}$.

Lemma 5.1. Let A be an IND-ID-CCA adversary that has advantage $\epsilon(k)$ against SECO. Suppose A makes at most $q_E$ private key queries and at most $q_D$ decryption queries. Then there is an IND-CCA adversary B that solves $\text{BasicPub}^{hy}$ with the advantage at least $\frac{\epsilon(k)(N+t)^{N+t}}{(e(N+t+q_E+q_D))^{N+t}}$.

Proof: We construct an IND-CCA adversary B that uses A to obtain advantage $\frac{\epsilon(k)(N+t)^{N+t}}{(e(N+t+q_E+q_D))^{N+t}}$ against $\text{BasicPub}^{hy}$. The game between the challenger and the adversary B starts with the challenger running the key generation algorithm of $\text{BasicPub}^{hy}$. The result is param $= \langle q, G_1, G_2, \hat{e}, N, P_0, Q_0, P_B, H_2, H_3, H_4 \rangle$ and a private key $SK_B = s_0 P_B$. Here $Q_0 = s_0 P_0$. The challenger gives param to B. B mounts an IND-CCA attack on param with the help of adversary A. B interacts with A as in the above game:

Setup: B gives A $\langle q, G_1, G_2, \hat{e}, N, P_0, Q_0, H_1, H_2, H_3, H_4 \rangle$ as the system parameters. Here $H_1$ is controlled by B as described below.

$H_1$-queries: At any time, A can query the hash $H_1$, which will be used to determine the P-tuple$_i$ $= (T_{i1}, \ldots, T_{it_i})$, with $T_{ik} = H_1(ID_{i1}, \ldots, ID_{ik})$ for $1 \le k \le t_i$, corresponding to the ID-tuple$_i$ $= (ID_{i1}, \ldots, ID_{it_i})$. B maintains a list of tuples (ID-tuple$_i$, P-tuple$_i$, b-tuple$_i$, s-tuple$_i$, c-tuple$_i$) called $H_1^{list}$. The list is initially empty. When A queries $H_1$ at a point ID-tuple$_i$, B responds as follows:

Let $y$ be maximal such that $(ID_{i1}, \ldots, ID_{iy}) = (ID_{j1}, \ldots, ID_{jy})$ for the tuple $((ID_{j1}, \ldots, ID_{jt_j}), (T_{j1}, \ldots, T_{jt_j}), (b_{j1}, \ldots, b_{jt_j}), (s_{j1}, \ldots, s_{jt_j}), (c_{j1}, \ldots, c_{jt_j}))$ which is in $H_1^{list}$.

• If ID-tuple$_i$ already appears on $H_1^{list}$ for $1 \le k \le y$, then B responds with $T_{ik} = T_{jk}$, $s_{ik} = s_{jk}$, $b_{ik} = b_{jk}$, and $c_{ik} = c_{jk}$. (Note that this is independent of $j$.)

• Otherwise ($y \le k < t_i$), B picks two random seeds $s_{ik}$ and $b_{ik} \in Z_q$, sets $c_{i0} = 0$ and generates a random coin $c_{ik} \in \{0, 1\}$ so that $\Pr[c_{ik} = 0] = \delta$ for some $\delta$ that will be determined later.

• If $c_{ik} = c_{i(k-1)}$, B computes $T_{ik} = b_{ik} P_0$. If $c_{ik} = 1$ and $c_{i(k-1)} = 0$, computes $T_{ik} = b_{ik} P_B$. If $c_{ik} = 0$ and $c_{i(k-1)} = 1$, computes $P_{ik} = b_{ik} P_0 - s^{-1}_{i(k-1)} b_{if(k)} P_B$, where $s^{-1}_{i(k-1)}$ is the inverse of $s_{i(k-1)}$ modulo $q$. Here, $f(k) < k$ is the largest subscript which satisfies $c_{if(k)} = 1$ and $c_{i(f(k)-1)} = 0$.

• B adds the tuple $((ID_{i1}, \ldots, ID_{it_i}), (T_{i1}, \ldots, T_{it_i}), (b_{i1}, \ldots, b_{it_i}), (s_{i1}, \ldots, s_{it_i}), (c_{i1}, \ldots, c_{it_i}))$ to the $H_1^{list}$ and responds to A with P-tuple$_i$ $= (T_{i1}, \ldots, T_{it_i})$.

Note that these values ($T_{ik}$) are uniform in $G_1$ and independent of A's current view as required.

Phase 1: Private key queries. Let ID-tuple$_i$ be a private key query issued by adversary A. B responds to this query as follows:

• B runs the $H_1$-queries algorithm to obtain the corresponding tuples (ID-tuple$_i$, P-tuple$_i$, b-tuple$_i$, s-tuple$_i$, c-tuple$_i$) on the $H_1^{list}$. If $c_{it_i} = 1$, B reports failure and terminates the interaction.

• Therefore $c_{it_i} = 0$, B computes $SK_{it_i} = \sum_{k=1}^{t_i} p_{i(k-1)} T_{ik}$, where $p_{i(k-1)} = s_{i(k-1)} s_{i(f(k)-1)} s_{i(f(f(k))-1)} \ldots$ with $s_{i0} = s_0$ and $s_{i(f(j)-1)} = 1$ if $f(j)$ does not exist.

B does not know the values of $s_0$ or $s_0 P_B$, but it still can output the private key for ID-tuple$_i$.

Phase 1: Decryption queries. Let (ID-tuple$_i$, $C_i$) be a decryption query issued by A. B responds to this query as follows:

• B runs the $H_1$-queries algorithm to obtain the corresponding tuples (ID-tuple$_i$, P-tuple$_i$, b-tuple$_i$, s-tuple$_i$, c-tuple$_i$) on the $H_1^{list}$.

• Suppose $c_{it_i} = 0$, B runs the private key queries to obtain the private key for ID-tuple$_i$. Then B uses the private key to respond to the decryption query.

• Suppose $c_{it_i} = 1$, B relays the decryption query $C_i$ to the challenger and relays the challenger's response back to A.

Challenge: Once A decides that Phase 1 is over, it outputs $N$ ID-tuples: ID-tuples$_1$, ..., ID-tuples$_N$ $\in Level_t$, and two plaintexts $M_0$, $M_1$ on which it wishes to be challenged. B responds as follows:

• B runs the $H_1$-queries algorithm to obtain the corresponding tuples $((ID_{j1}, \ldots, ID_{jt}), (T_{j1}, \ldots, T_{jt}), (b_{j1}, \ldots, b_{jt}), (s_{j1}, \ldots, s_{jt}), (c_{j1}, \ldots, c_{jt}))$ for each ID-tuple$_j$ on the $H_1^{list}$, where $j \in \{1, 2, \ldots, N\}$.

• If $c_{jk} = 0$ for some $1 \le k \le t$, then B reports failure and terminates. Otherwise, we know $T_{j1} = b_{j1} P_B$ and $T_{jk} = b_{jk} P_0$, for $2 \le k \le t$.

• B gives the challenger $M_0$, $M_1$. Let $C = [U, V, W]$. The challenger responds with a ciphertext $C' = [b^{-1}_{11} b_{1t} U, b^{-1}_{21} b_{2t} U, \ldots, b^{-1}_{N1} b_{Nt} U, b^{-1}_{j1} U, b^{-1}_{j1} b_{j1} U, \ldots, b^{-1}_{j1} b_{j(t-1)} U, V, W]$ for $j \in \{1, 2, \ldots, N\}$ such that $C'$ is the encryption of $M_d$ for a random $d \in \{0, 1\}$ and gives $C'$ to A.

In this challenge, the private key for ID-tuple$_j$ is $SK_{jt} = s_0 T_{j1} + \sum_{k=1}^{t-1} s'_{jk} T_{j(k+1)}$ with the additional information $\{s'_{jk} P_0 : 1 \le k < t\}$ for some $(s'_{j1}, \ldots, s'_{j(t-1)}) \in (Z_q)^{t-1}$. Observe that:

$$\frac{\hat{e}(b^{-1}_{j1} U, SK_{jt})}{\prod_{k=2}^{t} \hat{e}(b^{-1}_{j1} b_{jk} U, s'_{j(k-1)} P_0)} = \hat{e}(b^{-1}_{j1} U, s_0 T_{j1}) = \hat{e}(U, s_0 P_B).$$

Therefore, $C'$ is a valid ciphertext for $M_d$.

Phase 2: Adversary B responds to queries at a point ID-tuple$_i$ in the same way it did in Phase 1. The constraint for A is listed in the definition of the security model.

Guess: Eventually adversary A outputs a guess $d'$ for $d$. B outputs $d'$ as its guess for $d$.

The responses to $H_1$-queries are uniformly and independently distributed in $G_1$. All responses to private key and decryption queries are valid. The challenge ciphertext $C'$ given to A is the encryption of $M_d$ for random $d \in \{0, 1\}$. So, we have $|\Pr[d = d'] - \frac{1}{2}| \ge \epsilon(k)$. Then, calculate the probability that B aborts during the simulation. Let $\varepsilon_1$ be the event that A issues a bad private key query during phase 1 or 2, $\varepsilon_2$ be the event that A chooses a bad ID-tuple$_i$ to be challenged on and $\varepsilon_3$ be the event that A issues a bad decryption query during phase 2. We have: $\Pr[\neg\varepsilon_1 \wedge \neg\varepsilon_2 \wedge \neg\varepsilon_3] \ge \delta^{q_E+q_D}(1-\delta)^{N+t}$. Please refer to Boneh and Franklin (2001) for the proof of the above formula. Here $N$ is the number of recipients for a ciphertext and $t$ is the level of the recipients. We now optimize the choice of $\delta$. Since $\Pr[\neg\varepsilon_1 \wedge \neg\varepsilon_2 \wedge \neg\varepsilon_3] \ge \delta^{q_E+q_D}(1-\delta)^{N+t}$, the probability that B does not abort during the simulation is $\delta^{q_E+q_D}(1-\delta)^{N+t}$. Therefore, the success probability is maximized at $\delta_{opt} = 1 - (N+t)/(q_E + q_D + N + t)$. Using $\delta_{opt}$, the probability that B does not abort is at least $\left(\frac{N+t}{e(N+t+q_E+q_D)}\right)^{N+t}$. This shows that B's success probability is at least $\frac{\epsilon(k)(N+t)^{N+t}}{(e(N+t+q_E+q_D))^{N+t}}$ as required.

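The value of $\delta_{opt}$ and the bound that follows from it can be checked directly. The short derivation below is an added worked step, not part of the original manuscript; the abbreviations $a = q_E + q_D$ (assumed positive) and $b = N + t$ are introduced here for brevity.

$$f(\delta) = \delta^{a}(1-\delta)^{b}, \qquad \frac{d}{d\delta}\ln f(\delta) = \frac{a}{\delta} - \frac{b}{1-\delta} = 0 \;\Longrightarrow\; \delta_{opt} = \frac{a}{a+b} = 1 - \frac{N+t}{q_E+q_D+N+t}.$$

$$f(\delta_{opt}) = \left(\frac{a}{a+b}\right)^{a}\left(\frac{b}{a+b}\right)^{b} = \left(1+\frac{b}{a}\right)^{-a}\left(\frac{b}{a+b}\right)^{b} \ge e^{-b}\left(\frac{b}{a+b}\right)^{b} = \left(\frac{N+t}{e(N+t+q_E+q_D)}\right)^{N+t},$$

where the inequality uses $(1 + b/a)^{a} \le e^{b}$.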

We give the proof of Theorem 5.1 as follows:

Proof: By Lemma 5.1, an IND-ID-CCA adversary on SECO implies an IND-CCA adversary on $\text{BasicPub}^{hy}$. From the proof of Theorem 4.4 in Boneh and Franklin (2001), this can imply an algorithm against the BDH assumption. All these give the required bounds in Theorem 5.1. □

According to Theorem 5.1, we can conclude that SECO is IND-ID-CCA secure.

5.2. Security Requirements

For the purpose of secure data collaboration in cloud computing, SECO should achieve the following security properties:

5.2.1. Fine-grained access control

In SECO, the user who modifies data is able to define and enforce who can access this data and encrypt it with multiple recipients' public keys. Each user has secret keys from the D-PKG. Suppose a user $E^i$ downloads the encrypted data. We recall that the ciphertext is: $C = [\{rP^i_{dom+1}\}, \{rP_t\}, \sigma \oplus H_2(g^r), M \oplus H_4(\sigma)]$. If this data is encrypted with $E^i_{dom+1}$'s public key, $E^i_{dom+1}$ can obtain the corresponding $U^i_{dom+1} = rP^i_{dom+1}$, and then decrypts this data by calculating $W \oplus H_4\left(V \oplus H_2\left(\frac{\hat{e}(U_0, SK^i_{dom+1})}{\prod_{j=2}^{dom} \hat{e}(Q_{j-1}, U_j)\,\hat{e}(Q_{dom}, U^i_{dom+1})}\right)\right)$ to obtain the plaintext. However, if a user is not in the encryption list, then he cannot obtain $U_i$ in the ciphertext. So the decryption algorithm will fail. Specifically, only those intended recipients can decrypt this data. Therefore, users can only access the data they are allowed and cannot access the data they are not authorized to.

5.2.2. Fully collusion secure

In SECO, the data $M$ is encrypted in the form of $C = [\{U^i_{dom+1}\}, \{U_t\}, V, W]$ where $V = \sigma \oplus H_2(g^r)$ and $W = M \oplus H_4(\sigma)$. Obviously, unauthorized users must construct $H_2(g^r)$ where $g = \hat{e}(Q_0, P_1) \in G_2$ to decrypt ciphertext $C$. Although unauthorized users can obtain $Q_0$ and $P_1$, they are unaware of the random seed $r$, so $\hat{e}(Q_0, rP_1)$ cannot be constructed directly. Besides, unauthorized users observe that: $\hat{e}(Q_0, rP_1) = \hat{e}(rP_0, s_0P_1) = \hat{e}(U_0, SK_0)$. To recover plaintext, unauthorized users may recover $\hat{e}(Q_0, rP_1)$ instead of $\hat{e}(U_0, SK_0)$. However, since $SK_0$ is only known to R-PKG, unauthorized users also cannot recover $\hat{e}(U_0, SK_0)$. Therefore, colluded users cannot recover plaintext.

5.2.3. Backward secrecy

As described in Section 4.4, SECO will re-encrypt the related data after some legitimate users are revoked. The D-PKG will cancel the revoked users' public key and the non-revoked users encrypt data without this public key afterward. Therefore, the revoked users cannot access the encrypted data anymore.

According to the above analysis, we can conclude that SECO can realize fine-grained access control, collusion resistance and backward secrecy.

6. Theoretical Analysis

In this section, we provide the theoretical analysis of SECO. We first analyze the computation and communication overhead. Then we analyze the user revocation and storage cost.

6.1. Computation Complexity

In SECO, the R-PKG generates two groups $G_1$, $G_2$ of order $q$ and a bilinear map to achieve the five randomized algorithms. In all computations, pairing computation, i.e., bilinear map computation, is the most expensive operation. In SECO, Root Setup generates the system parameters and a master key for R-PKG, and Lower-level Setup picks a master key for each lower-level PKG. In Key Generation, a PKG generates private keys for all his children. These three algorithms have no pairing computations and need to run only once at initialization time. Moreover, the sizes of system parameters and keys are fixed in length. Therefore, the computation complexity of these three algorithms is negligible.

Table 2 summarizes the operation numbers required in key generation, encryption and decryption algorithms. In Key generation, the D-PKG $E_{dom} \in Level_{dom}$ needs $dom+1$ scalar multiplications to calculate $SK^i_{dom+1}$ for each domain user $E^i_{dom+1}$. In Encryption, a user encrypts data with $N$ recipients' public keys. He needs one pairing computation to calculate $\hat{e}(Q_0, P_1)$, $N$ scalar multiplications to compute $rP^i_{dom+1}$ for $1 \le i \le N$, and $dom+1$ scalar multiplications to compute $rP_t$ for $0 \le t \le dom$. Since the pairing computation is independent of data encryption and $Q_0$, $P_{dom}$ are the same in a domain, for each different data, pairing computation is calculated only once for all domain users. In Decryption, the D-PKG needs one pairing computation to calculate $\hat{e}(U_0, SK_{dom})$ and $dom-1$ pairing computations to calculate $\hat{e}(Q_{j-1}, U_j)$ for $2 \le j \le dom$. Each user $E^i_{dom+1}$ needs $dom+1$ pairing computations to calculate $\hat{e}(U_0, SK^i_{dom+1})$, $\hat{e}(Q_{j-1}, U_j)$ for $2 \le j \le dom$ and $\hat{e}(Q_{dom}, U^i_{dom+1})$. Since $U_0$, $SK_{dom}$ and $SK^i_{dom+1}$ are fixed, the D-PKG calculates $\hat{e}(U_0, SK_{dom})$ once, and $E^i_{dom+1}$ calculates $\hat{e}(U_0, SK^i_{dom+1})$ once. Table 3 shows the computation complexity comparison among SECO, ABE-based schemes and identity-based broadcast encryption (BE) schemes (Delerablée, 2007; Gentry and Waters, 2009). Here $\lvert I \rvert$ is the number of attributes in ABE-based schemes and $N$ is the number of users. In practice, $N$ is larger than $dom$. Therefore, we can see that SECO has lower computation complexity than BE-based schemes and ABE-based schemes. From the above analysis, SECO only needs a few pairing computations to achieve secure data collaboration in cloud computing, so the computation complexity of SECO is acceptable.

Table 2: Operation numbers required in encryption and decryption algorithm

| Algorithm | Scalar multiplication | Pairing |
|---|---|---|
| Key generation | $dom+1$ | 0 |
| Encryption | $N+dom+1$ | 1 |
| Decryption (D-PKG/User) | 0/0 | $dom$/$dom+1$ |

Table 3: Computation complexity required in ABE-based schemes, BE-based schemes and SECO

| Algorithm | Encryption | Decryption |
|---|---|---|
| ABE-based schemes | $O(\lvert I \rvert)$ | $O(\max(\lvert I \rvert, N))$ |
| BE-based schemes | $O(N)$ | $O(N)$ |
| SECO | $O(\max(N, dom))$ | $O(dom)$ |

6.2. Communication Cost

In SECO, the communication cost is mainly attributable to the encrypted data transmission. After encryption, the following information is sent by users along with the encrypted data to the cloud: the value of $U^i_{dom+1}$ for every intended recipient, which requires $N \log|G_1|$ bits; the value of $U_t$, which requires $(dom + 1)\log|G_1|$ bits; the value of $V$, which requires $n$ bits; and the value of $W$, which requires $n$ bits. Thus, the communication cost is given by $(N + dom + 1)\log|G_1| + 2n$ bits. Table 4 shows the communication expenses comparison among SECO, ABE-based schemes, and symmetric key cryptosystem (SKC) schemes. Here $n$ is the length of the plaintext, $t$ is the number of the users, $I$ is the number of attributes used in ABE-based schemes (Yu et al., 2010) and $k$ is the length of keys used in SKC-based schemes (Goh et al., 2003). The data size $n$ is fixed; $N$, $k$, $dom$ and $I$ vary but have the same order of magnitude as $n$. From Table 4, we can see that SECO incurs less communication cost than ABE-based schemes and SKC-based schemes. The reason is that every data block is bound to the KeyIDs of $t$ users and two secret keys in SKC-based schemes, while in ABE-based schemes, the data owner needs to transfer the access structure of the data and other parameters to the cloud. From the above analysis, SECO takes small communication overhead to achieve secure and efficient data collaboration services in cloud computing.

Table 4: Communication cost in ABE-based schemes, SKC-based schemes, BE-based schemes and SECO

Scheme       Communication costs
ABE-based    $|I| + 2\log|I| + (|I| + 1)\log|G_1| + \log|G_2| + n$
SKC-based    $3tk + n$
SECO         $(N + dom + 1)\log|G_1| + 2n$

Table 5: User revocation cost in ABE-based schemes and SECO

Scheme       Scalar multiplication   Pairing
ABE-based    Ik                      1
SECO         N                       0

6.3. Cost of Revocation Operation

When user revocation is necessary, the related ciphertext needs to be re-encrypted without the revoked user's public key in SECO. We first evaluate the computation cost of the revocation operation. The user who encrypts the data will choose a new $\sigma$ randomly and recalculate $U^i_{dom+1}$, $V$ and $W$. To update $V$ and $W$, the user only needs the Boolean XOR operator. For each corresponding recipient public key, there is one scalar multiplication to update $U^i_{dom+1}$. The system does not need to update the secret keys for non-revoked users because the secret keys of each user are independent. Therefore, there are $N$ scalar multiplications in total to re-encrypt the ciphertext by the user. The non-revoked users do not need to do any computation. Next we give the communication cost of the user revocation. After re-encrypting the ciphertext, the user sends the new ciphertext to the cloud, while the cloud just replaces the outdated ciphertext and does not need to transfer it to the non-revoked users, so the additional communication cost is $N \log|G_1| + 2n$.

In the existing works, when revocation happens, the data owner needs to re-encrypt the related ciphertext and issue the new keys to those non-revoked users. Table 5 shows the user revocation cost comparison between SECO and ABE-based schemes. Here, $I$ is the number of attributes which the revoked user possessed and $k$ is the depth of the access structure. From Table 5, ABE-based schemes bring an abundance of additional computation overhead. SECO can accomplish this dynamic request with lightweight computation complexity and communication cost.

Table 6: Storage cost in ABE-based schemes, SKC-based schemes, BE-based schemes and SECO

                                      Key storage
Scheme       Ciphertext storage   D-PKG (Data owner)   User
ABE-based    O(max(|I|, n))       O(n)                 O(log n)
SKC-based    O(n^2)               O(n)                 O(1)
BE-based     O(N)                 O(√N)                O(√N)
SECO         O(max(N, dom))       O(1)                 O(1)

6.4. Storage Cost

The storage cost is one of the most significant aspects of the data access control scheme in cloud storage services. We analyze the storage overhead of SECO and compare it with SKC-based schemes and ABE-based schemes. The storage cost is assessed in terms of ciphertext storage overhead and key storage overhead (secret keys and system parameters stored on the users and D-PKG). Table 6 presents the comparative results.

Ciphertext storage overhead: In ABE-based schemes, the size of the ciphertext is $O(\max(|I|, n))$, with $|I|$ as the number of attributes the ciphertext issued. For SKC-based schemes, to achieve read and write permission, each data is bound to each user's access privilege. The size of the ciphertext depends on the number of users and the size of the key. Thus, the size is $O(n^2)$. For BE-based schemes, the size of the ciphertext is $O(N)$, where $N$ is the number of recipients. In SECO, as depicted in Section 4, the bit-length of the ciphertext grows only linearly with the level of the message recipient. The ciphertext is composed of $N$ intended recipients' information, $dom + 1$ hierarchy information and a body. The body is just the encrypted message. The length of the ciphertext is linear with the recipient quantity. The length will increase by one element of $G_1$ when adding a recipient. Thus the message size is $O(\max(N, dom))$. From Table 6, we can see SECO and BE-based schemes take the least ciphertext storage cost. The analysis indicates that SECO achieves efficient data collaboration with lightweight ciphertext storage.

Key storage overhead: Compared with ABE-based schemes, SKC-based schemes and BE-based schemes, SECO greatly reduces the key storage overhead of the D-PKG (data owner). In ABE-based schemes, SKC-based schemes and BE-based schemes, the data owner needs to store every user's access privilege, while in SECO, the D-PKG just stores his own secret keys and system parameters. Users only need to store their own secret keys and system parameters in SKC-based schemes and SECO. However, users in ABE-based schemes have to store their own access structures with their corresponding secret keys. Therefore, SECO also takes small key storage overhead to achieve data collaboration in cloud computing.

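The operation counts of Sections 6.1 and 6.3 (Tables 2 and 5) and the bit cost of Section 6.2 can be combined into an estimator for a given workload. The Python code below is an added example, not the authors' implementation: the function names, the 512-bit $G_1$ element size and the per-operation timings are assumptions, and $N$ in the revocation cost is read as the number of recipients that remain after revocation.

```python
"""Cost model for SECO built from the counts in Sections 6.1-6.3 (added example).

Group-element size and per-operation timings are caller-supplied assumptions;
the paper reports only operation counts and measured totals.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cost:
    scalar_mults: int
    pairings: int
    upload_bits: int = 0

    def seconds(self, t_scalar_mult: float, t_pairing: float) -> float:
        """Estimated CPU time for given per-operation timings (assumed inputs)."""
        return self.scalar_mults * t_scalar_mult + self.pairings * t_pairing


def _check(n_recipients: int, dom: int, n_bits: int = 0, g1_bits: int = 1) -> None:
    if n_recipients < 1 or dom < 1 or n_bits < 0 or g1_bits < 1:
        raise ValueError("need N >= 1, dom >= 1, n >= 0, log|G1| >= 1")


def keygen(dom: int) -> Cost:
    """Table 2: the D-PKG spends dom+1 scalar multiplications per domain user."""
    _check(1, dom)
    return Cost(dom + 1, 0)


def encrypt(n_recipients: int, dom: int, n_bits: int, g1_bits: int) -> Cost:
    """Table 2 and Section 6.2: N+dom+1 scalar mults, 1 pairing, and
    (N+dom+1)*log|G1| + 2n bits sent to the cloud (U^i, U_t, V, W)."""
    _check(n_recipients, dom, n_bits, g1_bits)
    elems = n_recipients + dom + 1
    return Cost(elems, 1, elems * g1_bits + 2 * n_bits)


def decrypt(dom: int, role: str) -> Cost:
    """Table 2: dom pairings for the D-PKG, dom+1 for a domain user."""
    _check(1, dom)
    if role not in ("d-pkg", "user"):
        raise ValueError("role must be 'd-pkg' or 'user'")
    return Cost(0, dom if role == "d-pkg" else dom + 1)


def revoke(n_before: int, n_revoked: int, n_bits: int, g1_bits: int) -> Cost:
    """Section 6.3: re-encrypt for the remaining recipients only.
    One scalar mult per remaining public key, V and W by XOR, no pairing,
    no key update for non-revoked users; upload is N*log|G1| + 2n bits,
    where N is read here as the number of recipients left (assumption)."""
    if not 0 <= n_revoked < n_before:
        raise ValueError("must revoke fewer users than there are recipients")
    remaining = n_before - n_revoked
    _check(remaining, 1, n_bits, g1_bits)
    return Cost(remaining, 0, remaining * g1_bits + 2 * n_bits)


def abe_revoke(n_attrs: int, depth: int) -> Cost:
    """Table 5, ABE-based row: I*k scalar multiplications and 1 pairing."""
    return Cost(n_attrs * depth, 1)


def revocation_sweep(n_users, revoked_counts, n_bits, g1_bits):
    """Re-encryption cost as the number of revoked users varies (cf. Figure 6)."""
    return [(r, revoke(n_users, r, n_bits, g1_bits)) for r in revoked_counts]


if __name__ == "__main__":
    G1_BITS = 512            # assumed element size, not given in the paper
    N_BITS = 32 * 1024 * 8   # 32 KB plaintext, a size used in Section 7
    DOM = 1                  # D-PKGs at Level1, users at Level2 (Section 7)
    print("encrypt:", encrypt(500, DOM, N_BITS, G1_BITS))
    for r, cost in revocation_sweep(1000, [100, 300, 500], N_BITS, G1_BITS):
        print(f"revoke {r:3d}: {cost}")
```

Passing measured per-operation timings from the target platform to `Cost.seconds` turns the counts into a time estimate that can be compared with the measurements in Section 7.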
7. Experimental Evaluation

In this section, we evaluate the performance of the algorithms used in SECO. In our experiments, we utilize a three-level HIBE scheme, where $Level_0$ = {Root PKG} and $Level_1$ = {D-PKGs}. All the domain users are at $Level_2$. We calculate the time cost and report the average of 100 trials of each algorithm. We first compare the overhead of SECO with ABE-based schemes and BE-based schemes, and then examine the scalability of our scheme. Our implementation was done in Python, and all experiments were performed on an Intel Core 2 Duo 2.0GHz PC with 2GB RAM.

In the first set of experiments, we evaluate the overhead of encryption and decryption algorithms in SECO, ABE-based schemes and BE-based schemes. We assume the number of recipient users in SECO and BE-based schemes, and the number of attributes in ABE-based schemes, are both 500. Figures 3 and 4 plot the overhead as the data size varies in SECO, ABE-based schemes and BE-based schemes. Figure 3 plots the time cost of encryption algorithms in SECO, ABE-based schemes and BE-based schemes. From Figure 3, we can see the encryption cost increases linearly with the file size in all the three schemes. This is consistent with the above computation complexity analysis. However, with the increase of file size, SECO takes less time than ABE-based schemes and BE-based schemes. Figure 4 plots the time cost of decryption algorithms in SECO, ABE-based schemes and BE-based schemes. In Figure 4, we notice the cost in all the three schemes is nearly linearly proportional to the data size. Meanwhile, in SECO, users take more time than the D-PKG in decryption, as in the above analysis. To decrypt 64KB data, the D-PKG takes 1 second and user $E^i_{dom+1}$ takes 1.5 seconds. The algorithm does the pairing computation for each data, but the pairing computation can be done once at the beginning, as in the above analysis. However, both the D-PKG and users in SECO take less time than ABE-based schemes and BE-based schemes as well. The results of these experiments show SECO is lightweight and efficient to be applied in practice.

In the second set of experiments, we evaluate the scalability of SECO. According to the analysis in Section 6, the computation complexity of the encryption algorithm is $O(\max(N, dom))$. In our experiment setting, we have $N > dom$. Therefore, we study the overhead under different data sizes and different numbers of users. Figure 5 plots the encryption overhead for preparing three kinds of data size as the number of recipients varies. From Figure 5, we see the encryption time grows linearly with the number of the recipients. The time to encrypt 64KB data with 800 recipients approaches 1.6 seconds, which is an ideal result. Moreover, the time cost is relatively stable versus the number of users. Thus, our scheme is scalable in cloud computing. Figure 6 plots the re-encryption cost for preparing three kinds of data size as the number of revoked users varies. The total number of domain users in Figure 6 is 1000. From Figure 6, we can see the re-encryption cost decreases linearly with the number of revoked users. When the system revokes 100 users, the time to re-encrypt 32KB data approaches 0.5 second. The result shows our user revocation scheme is efficient. In summary, our scheme is scalable to a large number of users.

8. Conclusion

In this paper, we address the one-to-many encryption paradigm, writing operation and fine-grained access control issue, and propose a secure cloud data collaboration scheme SECO with explicit dynamic data/user. SECO employs a multi-level HIBE scheme to guarantee data security against the cloud. SECO realizes a one-to-many encryption paradigm and data writing operation simultaneously to achieve secure data collaboration in cloud computing. Moreover, SECO provides dynamic operations such as data creation/deletion and user addition/revocation. Security analyses show that SECO is IND-CCA secure under the BDH assumption and can realize fine-grained access control, collusion resistance and backward secrecy. In addition, we evaluate the performance of SECO in terms of computation complexity, communication cost, user revocation cost and storage cost. The result shows that SECO has low overhead and is highly efficient. Following the current research, we will implement the proposed secure data collaboration services in a real CSP platform, address the privacy issues and work on the data synchronization in SECO for future work.

References

Adya A, Bolosky WJ, Castro M, Cermak G, Chaiken R, Douceur JR, Howell J, Lorch JR, Theimer M, Wattenhofer RP. Farsite: Federated, available, and reliable storage for an incompletely trusted environment. ACM SIGOPS Operating Systems Review 2002;36:1–14.

Agrawal S, Gorbunov S, Vaikuntanathan V, Wee H. Functional encryption: New perspectives and lower bounds. In: Advances in Cryptology–CRYPTO 2013. Springer; 2013. p. 500–18.

Armbrust M, Fox A, Griffith R, Joseph AD, Katz RH, Konwinski A, Lee G, Patterson DA, Rabkin A, Stoica I, Zaharia M. Above the clouds: A Berkeley view of cloud computing. Technical Report; EECS Department, University of California, Berkeley, Tech. Rep. UCB/EECS-2009-28; 2009.

Arora R, Parashar A, Transforming CCI. Secure user data in cloud computing using encryption algorithms. International Journal of Engineering Research and Applications (IJERA) 2013;3(4):1922–6.

Arrington M. Gmail disaster: Reports of mass email deletions. Retrieved online on 28 December 2006 from, http://www.techcrunch.com/2006/12/28/gmail-disasterreports-ofmass-email-deletions/; 2006.

Ateniese G, Burns R, Curtmola R, Herring J, Kissner L, Peterson Z, Song D. Provable data possession at untrusted stores. In: Proceedings of the 14th ACM conference on Computer and Communications Security. 2007. p. 598–609.

Baek J, Safavi-Naini R, Susilo W. Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In: Public Key Cryptography–PKC. Springer; 2005. p. 380–97.

Bethencourt J, Sahai A, Waters B. Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy. 2007. p. 321–34.

Boneh D, Boyen X, Goh EJ. Hierarchical identity based encryption with constant size ciphertext. In: Advances in Cryptology–EUROCRYPT. Springer; 2005. p. 440–56.

Boneh D, Franklin M. Identity-based encryption from the Weil pairing. In: Advances in Cryptology–CRYPTO. Springer; 2001. p. 213–29.

Boneh D, Raghunathan A, Segev G. Function-private identity-based encryption: Hiding the function in functional encryption. In: Advances in Cryptology–CRYPTO 2013. Springer; 2013. p. 461–78.

Cocks C. An identity based encryption scheme based on quadratic residues. In: Cryptography and Coding. Springer; 2001. p. 360–3.

De Capitani di Vimercati S, Foresti S, Jajodia S, Paraboschi S, Samarati P. Encryption policies for regulating access to outsourced data. ACM Transactions on Database Systems (TODS) 2010;35(2):12:1–12:46.

Delerablée C. Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Advances in Cryptology–ASIACRYPT. Springer; 2007. p. 200–15.

Dong X, Yu J, Luo Y, Chen Y, Xue G, Li M. Achieving secure and efficient data collaboration in cloud computing. In: Proceedings of the 2013 IEEE/ACM International Symposium on Quality of Service. 2013. p. 195–200.

Dong X, Yu J, Luo Y, Chen Y, Xue G, Li M. Achieving an effective, scalable and privacy-preserving data sharing service in cloud computing. Computers & Security 2014;42(0):151–64.

Fiat A, Naor M. Broadcast encryption. In: Advances in Cryptology–CRYPTO. Springer; 1994. p. 480–91.

Fujisaki E, Okamoto T. Secure integration of asymmetric and symmetric encryption schemes. In: Advances in Cryptology–CRYPTO. Springer; 1999. p. 537–54.

Gentry C, Silverberg A. Hierarchical ID-based cryptography. In: Advances in Cryptology–ASIACRYPT. Springer; 2002. p. 548–66.

Gentry C, Waters B. Adaptive security in broadcast encryption systems (with short ciphertexts). In: Advances in Cryptology–EUROCRYPT. Springer; 2009. p. 171–88.

Goh EJ, Shacham H, Modadugu N, Boneh D. Sirius: Securing remote untrusted storage. In: Proceedings of 10th ISOC Network and Distributed System Security Symposium. 2003. p. 40–55.

Goldwasser S, Gordon S, Goyal V, Jain A, Katz J, Liu FH, Sahai A, Shi E, Zhou HS. Multi-input functional encryption. In: Advances in Cryptology–EUROCRYPT. Springer; 2014. p. 578–602.

Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data. In: Proceedings of the 13th ACM conference on Computer and Communications Security. 2006. p. 89–98.

Guo SC, Liu Y, Ling J. A quasi IBE Identity authentication scheme in a cloud computing environment. Advanced Materials Research 2013;756:837–40.

Horwitz J, Lynn B. Toward hierarchical identity-based encryption. In: Advances in Cryptology–EUROCRYPT. Springer; 2002. p. 466–81.

Kallahalla M, Riedel E, Swaminathan R, Wang Q, Fu K. Plutus: Scalable secure file sharing on untrusted storage. In: Proceedings of the 2nd USENIX Conference on File and Storage Technologies. 2003. p. 29–42.

Li J, Li J, Chen X, Jia C, Lou W. Identity-based encryption with outsourced revocation in cloud computing. IEEE Transactions on Computers 2013a;99(1):121–32.

Li M, Yu S, Zheng Y, Ren K, Lou W. Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption. Parallel and Distributed Systems, IEEE Transactions on 2013b;24(1):131–43.

Mu Y, Susilo W, Lin YX. Identity-based broadcasting. In: Progress in Cryptology–INDOCRYPT. Springer; 2003. p. 177–90.

Ostrovsky R, Sahai A, Waters B. Attribute-based encryption with non-monotonic access structures. In: Proceedings of the 14th ACM conference on Computer and Communications Security. 2007. p. 195–203.

Ren K, Wang C, Wang Q, et al. Security challenges for the public cloud. IEEE Internet Computing 2012;16(1):69–73.

Sahai A, Waters B. Fuzzy identity-based encryption. In: Advances in Cryptology–EUROCRYPT. Springer; 2005. p. 557–73.

Samarati P, De Capitani di Vimercati S. Data protection in outsourcing scenarios: issues and directions. In: Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security (ASIACCS). ACM; 2010. p. 1–14.

Shamir A. Identity-based cryptosystems and signature schemes. In: Advances in Cryptology–CRYPTO. Springer; 1985. p. 47–53.

Wang C, Wang Q, Ren K, Cao N, Lou W. Toward secure and dependable storage services in cloud computing. Services Computing, IEEE Transactions on 2012;5(2):220–32.

Wang C, Wang Q, Ren K, Lou W. Privacy-preserving public auditing for data storage security in cloud computing. In: Proceedings of the 31rd IEEE International Conference on Computer Communications. 2010a. p. 525–33.

Wang G, Liu Q, Wu J. Hierarchical attribute-based encryption for fine-grained access control in cloud storage services. In: Proceedings of the 17th ACM conference on Computer and Communications Security. 2010b. p. 735–7.

Wang W, Li Z, Owens R, Bhargava B. Secure and efficient access to outsourced data. In: Proceedings of the 2009 ACM workshop on Cloud Computing Security. 2009. p. 55–66.

Wilson S. Appengine outage. Online at http://www.cio-weblog.com/50226711/appengine outage.php; 2008.

Yu S, Wang C, Ren K, Lou W. Achieving secure, scalable, and fine-grained data access control in cloud computing. In: Proceedings of the 31rd IEEE International Conference on Computer Communications. 2010. p. 534–42.

Figure captions

Figure 1: System model.
Figure 2: A simplified workflow of SECO in a domain.
Figure 3: The overhead of encryption algorithms in SECO, ABE-based schemes and BE-based schemes.
Figure 4: The overhead of decryption algorithms in SECO, ABE-based schemes and BE-based schemes.
Figure 5: The overhead of encryption algorithm.
Figure 6: The overhead of re-encryption algorithm.

[Figure 3 plot. Axes: Time (s) versus File Size (KB), 16 to 64 KB. Curves: SECO, ABE-based, BE-based.]

[Figure 4 plot. Axes: Time (s) versus File Size (KB), 16 to 64 KB. Curves: D-PKG in SECO, $E^i_{dom+1}$ in SECO, ABE-based, BE-based.]

[Figure 5 plot. Axes: Time (s) versus Number of Users, 100 to 1000. Curves: 16KB, 32KB, 64KB.]

[Figure 6 plot. Axes: Time (s) versus Number of Revoked Users, 0 to 500. Curves: 16KB, 32KB, 64KB.]

Biographical Sketch

Xin Dong is a Ph.D. candidate in Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China. His research interests include networking, information security and privacy, mobile computing and cloud computing. He received his Bachelor degree in computer science and engineering from South China University of Technology (SCUT), Guangzhou, China, in 2010.

Jiadi Yu is an assistant professor in Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, China. He obtained the PhD degree in Computer Science from Shanghai Jiao Tong University, Shanghai, China, in 2007 and the MS degree in computer science from Xi'an Technological University, Xi'an, China, in 2003. In the past, he has worked as a postdoc at Stevens Institute of Technology, USA, from 2009 to 2011. His research interests include networking, mobile computing, cloud computing and wireless sensor networks.

Yanmin Zhu received the BEng degree in computer science from the Xi’an Jiao Tong University in 2002 and the PhD degree in computer science from Hong Kong University of Science and Technology in 2007. He was a research associate in the Department of Computing, Imperial College London. Now, he is an associate professor in the Department of Computer Science and Engineering at the Shanghai Jiao Tong University. His research interests include ad-hoc sensor networks, mobile computing, grid computing, and resource management in distributed systems. He is a member of the IEEE and the IEEE Communication Society.

Yingying Chen received the PhD degree in computer science from Rutgers University. She is working as an assistant professor in the Department of Electrical and Computer Engineering at Stevens Institute of Technology. Her research interests include cyber security and privacy, wireless embedded systems, wireless and sensor networks, mobile social networks, and pervasive computing. She was the recipient of the US National Science Foundation CAREER award in 2010. She was the recipient of the Google Research Award in 2010 and the Best Paper Award from the ACM International Conference on Mobile Computing and Networking (MobiCom) in 2011.

Yuan Luo received the B.S., M.S., and Ph.D. degrees in applied mathematics from Nankai University, Tianjin, China, in 1993, 1996, and 1999, respectively. From July 1999 to April 2001, he held a postdoctoral position at the Institute of Systems Science, Chinese Academy of Sciences, Beijing, China. From May 2001 to April 2003, he held a postdoctoral position at the Institute for Experimental Mathematics, University of Duisburg-Essen, Essen, Germany. Since June 2003, he has been with the Computer Science and Engineering Department, Shanghai Jiao Tong University, Shanghai, China. His current research interests include coding theory and information theory.

Minglu Li received his PhD in Computer Software from Shanghai Jiao Tong University in 1996. He is a Full Professor at the Department of Computer Science and Engineering of Shanghai Jiao Tong University. Currently, his research interests include grid computing, services computing, and cloud computing. He has published over 100 papers in important academic journals and international conferences.

Summary of Differences

Computers & Security Submission title: SECO: Secure and Scalable Data Collaboration Service in Cloud Computing
Our IWQoS 2013 paper title: Achieving Secure and Efficient Data Collaboration in Cloud Computing
Author list: Xin Dong, Jiadi Yu, Yanmin Zhu, Yingying Chen, Yuan Luo and Minglu Li

An earlier version of this work was presented at ACM/IEEE IWQoS 2013. We have made significant improvements in preparing this journal version as detailed below.

• In the previous conference version, we employed a two-level hierarchical identity based encryption (HIBE) scheme to achieve secure and efficient data collaboration service. In the Computers & Security submission version, we extend SECO to a multi-level HIBE scheme (Figure 1) which not only achieves secure and efficient data collaboration service but also realizes scalable data collaboration service in cloud computing.

• In Section 4, in order to help readers to understand how SECO works in practice, we add a simplified workflow of SECO in a domain. In addition, Table 1 is added to highlight the symbols used in the SECO algorithms. More than that, in SECO, we reconstruct the five randomized algorithms based on a multi-level HIBE scheme. The new five algorithms are more complex.

• In Section 4, in the previous conference version, we did not consider the frequent data creation/deletion and user creation/deletion in data collaboration scenarios. In the Computers & Security submission version, we add the detail of dynamic data and user operations in Subsection 4.4.

• In Section 4, in order to support thorough data collaboration service, we add some discussion about how SECO deals with the data consistency problem and supports a signature scheme in Subsections 4.5.1 and 4.5.2.

• In Section 5, in the previous conference version, we discussed the security of SECO but did not present the rigorous security proof. In the Computers & Security submission version, we prove SECO is IND-ID-CCA secure and give the rigorous proof of semantic security against IND-ID-CCA in Subsection 5.1. Moreover, we have further discussion about the security requirements such as fine-grained access control, fully collusion secure and backward secrecy.

• In Section 6, compared with the conference version, we reconstruct the algorithms based on a multi-level HIBE scheme. Therefore, in the Computers & Security submission version, the computation complexity, communication cost and storage cost of SECO are reanalyzed in Subsections 6.1, 6.2, and 6.4, respectively. In addition, we add analysis about the cost of revocation operation in Subsection 6.3. Table 5 is added to compare the user revocation cost in SECO and attribute-based encryption (ABE) scheme.

Achieving Secure and Efficient Data Collaboration in Cloud Computing

Xin Dong†, Jiadi Yu†, Yuan Luo†, Yingying Chen‡, Guangtao Xue† and Minglu Li†
†Department of Computer Science and Engineering, Shanghai Jiao Tong University, Shanghai, P.R.China
Email: {xindong, jiadiyu, yuanluo, gt xue, mlli}@sjtu.edu.cn
‡Department of Electrical and Computer Engineering, Stevens Institute of Technology, Hoboken NJ 07030, USA
Email: yingying.chen@stevens.edu

Research was sponsored by the Doctoral Program of Higher Education of China (No. 20100073110016)
978-1-4799-0590-4/13/$31.00 ©2013 IEEE

Abstract—Cloud storage services enable users to remotely store their data and eliminate excessive local installation of software and hardware. One critical issue is how to enable a secure data collaboration service including data access and update in cloud computing. A data collaboration service is to support the availability and consistency of the shared data among multi-users. In this paper, we propose a secure and efficient data collaboration scheme SECO. In SECO, we employ a two-level hierarchical identity based encryption (HIBE) to guarantee data confidentiality against untrusted cloud. This paper is the first attempt to explore secure cloud data collaboration service that precludes information leakage and enables a one-to-many encryption paradigm, data writing operation and fine-grained access control simultaneously. Security analysis indicates that SECO enforces fine-grained access control and collusion resistance. Extensive performance analysis and experiment results demonstrate that SECO is highly efficient and has low overhead on computation and communication.

I. Introduction

Cloud computing [1], the long-held dream of computing as a utility, is rapidly evolving to revolutionize the way data is stored/used. Cloud computing benefits the data users in that it allows convenient access and use of storage resources offered by a cloud server provider (CSP). Challenges in security, however, posed by outsourcing data to cloud, come along with benefits. Outsourcing users' data to the cloud initiates a series of problems about security and privacy. Examples of security breach never stop showing up [2]. Therefore, maintaining data confidentiality becomes critical to enable wide deployment of CSP-based data service with high quality.

Recently, the notion of secure cloud storage services has been proposed in the context of ensuring remotely stored data under different systems. These existing works addressed the secure cloud storage issue either by introducing attribute-based encryption (ABE) [3] for fine-grained access control [4][5], or by utilizing an owner-write-user-read mechanism [6] to achieve cryptography-based access control and only support coarse-grained access control. The ABE-based schemes are data-read sharing services, while the owner-write-user-read mechanism is a one-to-one encryption paradigm, meaning encrypted data can only be decrypted by a particular recipient. Consequently, existing solutions mainly focus on how to afford secure data access control (read) for a single user. None of the works takes into account that multi-users operate data (read/write) collaboratively, i.e., data collaboration service.

A Data Collaboration service is to support the availability and consistency of the shared data among multi-users. Let's consider a typical data collaboration service scenario. Companies outsource their data to the cloud and then authorize employees to access these data. The untrusted cloud servers, however, may disclose confidential information about an enterprise to their business competitors or even hide data loss to maintain their reputations [7][8]. In order to ensure data security, companies and enterprises usually have to encrypt the data before outsourcing it to the cloud, a fact that challenges the convenience when employees need to access data. To avoid information leakage, data have to be restrained within the reach of authorized users. Thus the access policy is: a user can only access the authorized data; the CSP and other unauthorized users know nothing about data. In addition, whoever updates data can determine the access privilege of the data.

To satisfy the above policies in data collaboration service, we face the following challenges. Firstly, the encryption paradigm should be one-to-many, which indicates multiple recipients can decrypt the encrypted data to achieve data collaboration. Secondly, authorized users have the privilege to operate the cloud data, so the encryption paradigm should support data writing operation. Thirdly, the system should provide fine-grained access control to the team members. Thus, realizing secure data collaboration service will be essential in achieving robust and secure cloud storage systems. However, there is no existing solution, to the best of our knowledge, to tackling the problem of secure data collaboration service in cloud computing.

In this paper, we propose a scalable scheme (SECO) to enable secure cloud data collaboration with explicit dynamic data/user. For cloud data security, we employ a two-level hierarchical identity-based encryption (HIBE) scheme, which contains a root private key generator (PKG) and a number of independent cooperative domains. Each domain has a domain PKG that requests a private key from the root PKG and generates secret keys for each domain user. During data collaboration, to achieve a one-to-many encryption paradigm, a user encrypts data with multiple recipients' public keys so that only the intended domain recipients are able to decrypt the data. To support writing operation, every authorized user can encrypt the decrypted data after modifying (read/write) the decrypted data, and then send it into the cloud to share with other domain users. The data writing operation does not introduce security problems. Specifically, the main contributions of this paper can be summarized as following: we propose SECO that enables secure and efficient data collaboration in cloud computing, which realized one-to-many encryption paradigm, writing operation, fine-grainedness and collusion resistant simultaneously without any information leakage. Our work is the first attempt to explore secure data collaboration
in cloud computing. We have conducted extensive theoretical
analysis and real experiments to evaluate the performance
of SECO. The result indicates that SECO introduces low

PT
Cloud Servers

overhead on computation, communication and storage and


realizes the effectiveness and efficiency. Fig. 1. System model.

The rest of the paper is organized as follows. Section II complexity of the scheme depends on each meta data size and
discusses related work. In Section III, we introduce the system thus is not scalable. Wang et al. [6] proposed a mechanism in

RI
model and thread model. Section IV presents details of SECO. owner-write-users-read applications that assigned every data
Section V and VI analyze the security and performance of block with a different key to achieve flexible cryptography
SECO respectively. Finally, Section VII concludes the whole based access control. However, the users only can read the
paper. data but not write data, and thus are not suitable for data

SC
collaboration in cloud computing.
II. Related work
III. Problem Statement
With enterprises outsourcing their data into the cloud, a
number of cryptosystems have been used to encrypt these data. A. System Model

U
Identity-based encryption (IBE) is one of the popular choices.
The concept of IBE is proposed by Shamir [9], and the first Generally, a cloud data collaboration system has four
fully functional IBE schemes are described by Boneh [10]
and Cocks [11]. In IBE, the public key for a unique user
can be set to any value (such as one’s identity) and the
AN different parties in network: Cloud Server (CS) provides high-
quality services utilizing a number of servers with significant
storage space and computation power; Users cooperate with
each other to complete a project, store their data in the CS
corresponding private key is generated by a trusted third party
called private key generator (PKG). Relatively speaking, the and reply upon the CS for data maintenance; Root Private
M
IBE scheme is a public key cryptosystem (PKC) and can Key Generator (R-PKG) possesses a master key and generates
eliminate the searching for recipient’s public key. To reduce the corresponding private keys for lower-level PKGs; Domain
workload on the PKG, Horwitz et al. [12] introduced a HIBE Private Key Generators (D-PKGs) request private key from
scheme with collusion-resistance. Gentry et al. [13] presented R-PKG and generates private keys for domain entities.
D

a HIBE scheme with total collusion resistance and chosen Fig.1 depicts the system model, which is characterized by
ciphertext security (CCA) in the random oracle model. Later a two-level HIBE scheme. From the system model, we can
TE

on, Boneh et al. [14] introduced an efficient HIBE scheme see that it consists of a R-PKG and a number of domains.
with selective-ID security without random oracles model under A domain consists of a D-PKG and a number of users who
BDH assumption. In recent works, Gentry et al. [15] presented cooperate to complete a project. In practice, R-PKG is a trusted
a fully secure HIBE scheme that has full security for more than third party which assigns keys, and D-PKG is a team leader
a constant number of levels. However, these HIBE schemes are who manages all users. All entities in a domain store their data
EP

all one-to-one encryption paradigms. into a set of cloud servers that are running in a cooperated
Furthermore, existing works can be found in the areas of and distributed manner. Users use their keys to decrypt the
secure outsourced data storage and sharing services. Adya et data stored in the CS. All entities in the domain can interact
al. [16] used symmetric keys to encrypt data and provided with the CS to dynamically access (read, write, update, etc.)
C

a secure, scalable data system that logically functions as a the data so that they can work collaboratively. The R-PKG
centralized data server but is physically distributed among generates keys for all D-PKGs and system public parameters
for all system entities. Furthermore, PKGs and users do not
AC

a set of untrusted servers. However, every user used their


public key to encrypt the symmetric keys and thus bring have to be online all the time, whereas the cloud server is
high overhead on key management. In [17], Kallahalla et al. always online.
proposed a cryptographic data system and used verify and
sign keys to determine whether or not a user can read or B. Thread Model
write data respectively. Since the key generation procedure
The adversary model considers most threats toward cloud
is proportional to the total number of data-groups, the above
data confidentiality. In the system model, cloud server is semi-
schemes are not suitable for the case of data collaboration in
trusted. Namely, it behaves properly most of time, but for
cloud computing, in which the number of data-groups could
some benefits the cloud server might try to find out as much
be enormous. In addition, the above schemes are one-to-one
secret information as possible.In fact, there are three types of
encryption paradigms and only support coarse-grained access
threats: Both inner threats (CSP and users who might obtain
control.
the unauthorized data) and outer threats (external adversaries
Goh et al. proposed SIRIUS [18] that adopted a compli- beyond the domain of this system, e.g., unauthorized attackers)
cated structure and provided end-to-end security. However, the might be presented; Attacks can either be active (unauthorized
users who may inject malicious data into the cloud) or be passive (unauthorized users eavesdropping on conversations between users and the cloud); For the purpose of harvesting data contents, CSP and users may collude and try to access unauthorized data. Note that, in the adversary model, the communication channels between users and CS are secured under existing protocols, such as SSL.

IV. The Design of SECO

In order to achieve secure cloud data collaboration, we propose a two-level HIBE scheme SECO. SECO realizes a one-to-many encryption paradigm such that an encrypted domain data can be decrypted by many authorized users.

A. Overview

To embody the users' role in data collaboration, SECO employs a two-level hierarchical architecture in cloud computing. The R-PKG manages a number of D-PKGs while each D-PKG manages a number of domain users. In a domain, a user encrypts data with multiple recipients' public keys and stores it to the CS after modifying the data. So only those intended recipients and the D-PKG can decrypt the data using their own secret keys. A user only takes public keys of the recipients and system parameters as inputs to encrypt data. Any other users outside the recipients list cannot obtain any data information even if all of them collude. Therefore, users in the same domain can cooperate to complete work without worrying about their data security.

B. Preliminaries

We give some related definitions and assumptions similar to those given in [10][13], which are used in SECO.

Bilinear Diffie-Hellman (BDH) Parameter Generator: As in [13], a randomized algorithm $IG$ is a BDH parameter generator which takes a security parameter $K > 0$ as input, and outputs the description of two groups $G_1$, $G_2$ of the prime order $q$ and a bilinear map $\hat{e} : G_1 \times G_1 \to G_2$ in polynomial time.

Bilinear Map: Let $G_1$ and $G_2$ be two groups of prime order $q$, and $g_1$ is the generator of group $G_1$. $\hat{e}$ is a bilinear map if $\hat{e} : G_1 \times G_1 \to G_2$ satisfies the following properties:

• Bilinearity: for all $u, v \in G_1$ and $a, b \in Z_q$ where $Z_q = \{0, 1, 2, \ldots, q - 1\}$, we have $\hat{e}(u^a, v^b) = \hat{e}(u, v)^{ab}$.
• Computability: for any $u, v \in G_1$, there is a polynomial time algorithm to compute $\hat{e}(u, v) \in G_2$.
• Non-degeneracy: $\hat{e}(g_1, g_1) \neq 1$.

BDH Problem: Randomly choose $P$ as well as $aP$, $bP$ and $cP$ where $P \in G_1$ and $a, b, c \in Z_q$, compute $\hat{e}(P, P)^{abc}$.

BDH Assumption: As in [13], the advantage $Adv_{IG}(B)$ that an algorithm $B$ has in solving the BDH problem is defined to be the probability that the algorithm $B$ takes $G_1, G_2, \hat{e}, P, aP, bP, cP$ as inputs and outputs $\hat{e}(P, P)^{abc}$, where $(G_1, G_2, \hat{e})$ is the output of BDH parameter generator $IG$ for large security parameter $K > 0$, $P$ is a random generator of group $G_1$, and $a, b, c$ are random elements of $Z_q$. The BDH assumption is that $Adv_{IG}(B)$ is negligible for all efficient algorithms $B$.

C. Construction of SECO

SECO is a two-level HIBE system, where $Level_0$ = {R-PKG} and $Level_1$ = {D-PKGs}. R-PKG generates private keys for the D-PKGs, and then D-PKG generates private keys for the domain users. The D-PKG has two secret keys: a private key and a master key. D-PKG uses the two keys to generate private keys for all his domain users. Each user then picks a random seed as his master key. In a domain, each user and D-PKG has a primitive ID, which is an arbitrary string, such as the user's ID card number and email address. A user's public key is an ID-tuple consisting of the D-PKG's ID and his own ID, i.e., (D-PKG's ID, User's ID) [12]. In addition, the R-PKG also publishes several system parameters used to encrypt and decrypt the cloud data.

Let $K$ be the security parameter used by a BDH parameter generator $IG$. The ID-tuple for user $E_i$ is $(ID_{dom}, ID_i)$ where $ID_{dom}$ is the ID of the D-PKG. SECO is specified by the following five randomized algorithms.

Root Setup: The R-PKG takes a security parameter $K$ as input, and outputs params (system parameters) and a root master key $s_0$. The system parameters, which contain the description of plaintext space $\mathcal{M}$, ciphertext space $\mathcal{C}$ and some other parameters, are published, while the root master key $s_0$ is known only to the R-PKG.

The R-PKG takes as input a security parameter $K$ and runs the BDH parameter generator $IG$ to generate two groups $G_1$, $G_2$ of prime order $q$. It generates a bilinear map $\hat{e} : G_1 \times G_1 \to G_2$ which has the properties of bilinearity, computability and non-degeneracy. The R-PKG then picks an arbitrary generator $P_0 \in G_1$ and a seed $s_0 \in Z_q$ randomly, where $Z_q = \{0, 1, 2, \ldots, q - 1\}$, and it sets $Q_0 = s_0 P_0$. Finally, the R-PKG defines four cryptographic hash functions $H_1 : \{0, 1\}^* \to G_1$, $H_2 : G_2 \to \{0, 1\}^n$, $H_3 : \{0, 1\}^n \times \{0, 1\}^n \to Z_q$ and $H_4 : \{0, 1\}^n \to \{0, 1\}^n$ for some $n$, and the four hash functions will be treated as random oracles.

The plaintext space is $\mathcal{M} = \{0, 1\}^n$, while the ciphertext space is $\mathcal{C} = G_1^t \times \{0, 1\}^n$ where $t$ is the number of the intended recipients. The parameters of the system are params $= \langle G_1, G_2, \hat{e}, P_0, Q_0, H_1, H_2, H_3, H_4 \rangle$. The master key of R-PKG is $s_0 \in Z_q$.

The Domain Setup: Each D-PKG obtains the system parameters (params) from the R-PKG. Each D-PKG randomly picks an $s_{dom} \in Z_q$ as his master key, which will be used to issue private keys to the domain users. Except for $s_{dom}$, each D-PKG is not permitted to generate any other parameters.

Key Generation: The R-PKG uses its master key to generate private keys for D-PKGs while each D-PKG uses the system parameters params and its secret keys to compute private keys for all the domain users. Let $S_0$ be the identity element of group $G_1$.

For each D-PKG $E_{dom} \in Level_1$, it picks a random $s_{dom} \in Z_q$ as its master key. Given the public $ID_{dom}$, the R-PKG generates the private key $SK_{dom}$ for each $E_{dom}$. It first calculates $P_{dom} = H_1(ID_{dom}) \in G_1$; then the R-PKG computes the private key for the D-PKG as:

$SK_{dom} = S_0 + s_0 P_{dom}$
and sends the value $Q_{dom} = s_{dom} P_0$ to $E_{dom}$.

For each D-PKG, it has two secret keys: a master key $s_{dom}$ and a private key $SK_{dom}$. Private key $SK_{dom}$ is used to decrypt all domain data stored in the CS. Each D-PKG uses his private key $SK_{dom}$ and master key $s_{dom}$ to generate private keys for all users belonging to this domain.

For each user whose D-PKG is $E_{dom}$, the ID-tuple for user $E_i$ is $(ID_{dom}, ID_i)$. $E_i$ randomly picks an element $s_i \in Z_q$ as his master key. $E_{dom}$ generates the private key $SK_i$ for $E_i$.

For each user $E_i$, the D-PKG $E_{dom}$ first calculates $P_i = H_1(ID_{dom}, ID_i) \in G_1$; then it computes the private key for $E_i$ as:

$SK_i = SK_{dom} + s_{dom} P_i$

and sends to $E_i$ the values $Q_{dom}$ and $Q_i$, where $Q_i = s_i P_0$. $E_i$ has two secret keys: a master key $s_i$ and a private key $SK_i$. $E_i$ uses $s_i$ and $SK_i$ to decrypt the authorized data in the CS.

Encryption: A user inputs system parameters params, plaintext $M \in \mathcal{M}$ and the ID-tuples of the intended data recipients, and then calculates a ciphertext $C \in \mathcal{C}$. After modifying data $D$, the user encrypts it with $t$ recipients' ID-tuples $(ID_{dom}, ID_i)$ for $1 \le i \le t$ in the same domain.

The user first calculates $P_i = H_1(ID_{dom}, ID_i) \in G_1$ for $1 \le i \le t$ and $P_{dom} = H_1(ID_{dom})$. Then the user picks a random $\sigma \in \{0, 1\}^n$ and sets $r = H_3(\sigma, M)$. Therefore, the ciphertext is set as:

$C = [rP_0, rP_1, \ldots, rP_t, \sigma \oplus H_2(g^r), M \oplus H_4(\sigma)]$

where $g = \hat{e}(Q_0, P_{dom}) \in G_2$ as before. The user encrypts the data $D$ with $t$ intended recipients in the same domain, and sends the ciphertext $C$ to the CS. Note here, as the D-PKG manages all the domain users, a user can get the recipients' public keys from the D-PKG or other users.

Decryption: A user or D-PKG inputs system parameters params, ciphertext $C \in \mathcal{C}$, and its private key $SK$, and then recovers the data $D \in \mathcal{M}$. The D-PKG can decrypt all the encrypted data belonging to the domain, whereas the users only can decrypt the authorized data.

Let $C = [U_0, U_1, \ldots, U_t, V, W]$ be the ciphertext encrypted using the $t$ recipients' ID-tuples $(ID_{dom}, ID_i)$. Here $U_i = rP_i$, $V = \sigma \oplus H_2(g^r)$ and $W = M \oplus H_4(\sigma)$. If $(U_1, \ldots, U_t) \notin G_1^t$, $E_{dom}$ rejects this ciphertext. To decrypt $C$, the D-PKG $E_{dom}$ computes $V \oplus H_2(\hat{e}(U_0, SK_{dom}))$. We observe that:

$V \oplus H_2(\hat{e}(U_0, SK_{dom}))$
$= V \oplus H_2(\hat{e}(rP_0, S_0 + s_0 P_{dom}))$
$= V \oplus H_2(\hat{e}(s_0 P_0, rP_{dom}))$
$= V \oplus H_2(\hat{e}(Q_0, P_{dom})^r) = \sigma.$

After calculating the value of $\sigma$, $E_{dom}$ then computes $W \oplus H_4(\sigma) = M$.

The ciphertext $C = [U_0, U_1, \ldots, U_t, V, W]$ is given to each intended recipient $E_i$, $1 \le i \le t$. If $(U_1, \ldots, U_t) \notin G_1^t$, $E_i$ rejects this ciphertext. To decrypt $C$, the recipient $E_i$ executes the following steps:

• computes $P_i = H_1(ID_{dom}, ID_i)$;
• computes $V \oplus H_2(\hat{e}(U_0, SK_i)/\hat{e}(Q_{dom}, U_i))$ to recover $\sigma$;
• computes $W \oplus H_4(\sigma) = M$;
• sets $r = H_3(\sigma, M)$, tests that $U_i = rP_i$. If not, rejects the ciphertext. Otherwise, outputs $M$ as the decryption of $C$.

Observe that:

$V \oplus H_2(\hat{e}(U_0, SK_i)/\hat{e}(Q_{dom}, U_i))$
$= V \oplus H_2(\hat{e}(rP_0, SK_{dom} + s_{dom} P_i)/\hat{e}(Q_{dom}, rP_i))$
$= V \oplus H_2(\hat{e}(rP_0, s_0 P_{dom})\,\hat{e}(rP_0, s_{dom} P_i)/\hat{e}(Q_{dom}, rP_i))$
$= V \oplus H_2(\hat{e}(s_0 P_0, rP_{dom})\,\hat{e}(s_{dom} P_0, rP_i)/\hat{e}(Q_{dom}, rP_i))$
$= V \oplus H_2(\hat{e}(s_0 P_0, P_{dom})^r) = \sigma.$

The domain users cooperate to complete a project and store their project data into the CS. The domain PKG can decrypt all domain data while any user in this domain only can access the data that he is allowed.

D. Signature scheme

SECO also has the ability to support signatures. Compared to traditional public key infrastructure (PKI), an IBE scheme does not require online public key lookup. Indeed, we can transform any PKI signature scheme to an ID-based signature scheme using certificates. When a user $E_j$ wants to sign $M$ with his public key $(ID_{dom}, ID_j)$, he first calculates $P_M = H_1(ID_{dom}, ID_i, M) \in G_1$ and $Sig(ID_{dom}, ID_i, M) = SK_j + s_j P_M$. Then, $E_j$ sends $[Sig, Q_j]$ as the signature for $(ID_{dom}, ID_j, M)$ where $Q_j = s_j P_0$. When the recipients receive the signature, they confirm the following equation:

$\hat{e}(P_0, Sig) = \hat{e}(Q_0, P_1)\,\hat{e}(Q_{dom}, P_j)\,\hat{e}(Q_j, P_M).$

In practice, we can use the signature and the aforementioned proposed scheme SECO in a PKI system together.

V. Security Analysis

In the previous section, we show that our secure data collaboration scheme SECO can realize a one-to-many encryption paradigm and writing operation simultaneously. In this section, we first discuss the security of SECO. For lack of space, we omit the rigorous security proof of the proposed scheme. Then, we provide the realization of fine-grained access control and collusion resistance.

A. Security of SECO

In SECO, the message $M$ is encrypted in the form of $C = [rP_0, rP_1, \ldots, rP_t, \sigma \oplus H_2(g^r), M \oplus H_4(\sigma)]$. Obviously, the adversary needs to construct $\sigma$. To obtain $\sigma$, the adversary can recover $\hat{e}(Q_0, P_{dom})^r$. Although the adversary can obtain some public parameters, i.e., $Q_0$ and $P_{dom}$, he is unaware of the value of the random seed $r$. Therefore, $\hat{e}(Q_0, P_{dom})^r$ cannot be constructed directly. We know that $\hat{e}(Q_0, P_{dom})^r = \hat{e}(U_0, SK_{dom})$. To construct $\hat{e}(Q_0, P_{dom})^r$, the adversary can obtain $\hat{e}(U_0, SK_{dom})$ instead. We recall that $SK_{dom}$ occurs only in the D-PKG secret key, so the adversary cannot obtain the private keys. For this reason, outside adversaries cannot compromise the ciphertext and SECO is secure.
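The Key Generation, Encryption and Decryption algorithms of Section IV-C, traced end to end in an added example that is not the authors' code. It assumes a toy pairing in which the $G_1$ element $xP_0$ is stored as the scalar $x$ and $\hat{e}(xP_0, yP_0) = g_T^{xy} \bmod p$, which exposes discrete logarithms and serves only to check the algebra; the helper names, the SHA-256/SHAKE instantiations of $H_1$ to $H_4$ and the sample identities are assumptions.

```python
import hashlib
import secrets

def _is_prime(n):
    """Trial division; adequate for the small toy modulus found below."""
    if n < 2 or n % 2 == 0:
        return n == 2
    i = 3
    while i * i <= n:
        if n % i == 0:
            return False
        i += 2
    return True

# Toy bilinear group (assumption, NOT secure): the G1 element x*P0 is stored
# as the scalar x mod Q, and e(x*P0, y*P0) = G_T^(x*y) mod P_MOD.
Q = 2**31 - 1                      # prime group order q
_k = 2
while not _is_prime(_k * Q + 1):   # search for a prime p = k*q + 1
    _k += 2
P_MOD = _k * Q + 1
_h = 2
while pow(_h, _k, P_MOD) == 1:
    _h += 1
G_T = pow(_h, _k, P_MOD)           # generator of the order-q subgroup (G2)
P0 = 1                             # generator of G1 in scalar form

def pair(x, y):
    return pow(G_T, (x * y) % Q, P_MOD)

def _hash_int(tag, *parts):
    data = tag + b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def H1(*ids):                      # {0,1}* -> G1 (nonzero scalar)
    return _hash_int(b"H1", *(i.encode() for i in ids)) % (Q - 1) + 1

def H2(gt, n):                     # G2 -> {0,1}^n (n counted in bytes here)
    return hashlib.shake_256(b"H2" + gt.to_bytes(16, "big")).digest(n)

def H3(sigma, m):                  # {0,1}^n x {0,1}^n -> Z_q
    return _hash_int(b"H3", sigma, m) % Q

def H4(sigma, n):                  # {0,1}^n -> {0,1}^n
    return hashlib.shake_256(b"H4" + sigma).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def root_setup():
    s0 = secrets.randbelow(Q - 1) + 1
    return s0, s0 * P0 % Q                           # (s0, Q0)

def domain_keygen(s0, id_dom):
    s_dom = secrets.randbelow(Q - 1) + 1             # D-PKG master key
    sk_dom = s0 * H1(id_dom) % Q                     # SK_dom = S0 + s0*P_dom
    return s_dom, sk_dom, s_dom * P0 % Q             # (s_dom, SK_dom, Q_dom)

def user_keygen(s_dom, sk_dom, id_dom, id_i):
    return (sk_dom + s_dom * H1(id_dom, id_i)) % Q   # SK_i = SK_dom + s_dom*P_i

def encrypt(q0, id_dom, recipients, m):
    sigma = secrets.token_bytes(len(m))
    r = H3(sigma, m)
    g_r = pow(pair(q0, H1(id_dom)), r, P_MOD)        # g^r, g = e(Q0, P_dom)
    U = [r * P0 % Q] + [r * H1(id_dom, i) % Q for i in recipients]
    return U, xor(sigma, H2(g_r, len(m))), xor(m, H4(sigma, len(m)))

def decrypt_dpkg(sk_dom, ct):
    U, V, W = ct
    sigma = xor(V, H2(pair(U[0], sk_dom), len(V)))
    return xor(W, H4(sigma, len(W)))

def decrypt_user(sk_i, q_dom, id_dom, id_i, slot, ct):
    """slot is the index i of the U_i this user tries; None means reject."""
    U, V, W = ct
    g_r = pair(U[0], sk_i) * pow(pair(q_dom, U[slot]), -1, P_MOD) % P_MOD
    sigma = xor(V, H2(g_r, len(V)))
    m = xor(W, H4(sigma, len(W)))
    if U[slot] != H3(sigma, m) * H1(id_dom, id_i) % Q:   # test U_i = r*P_i
        return None
    return m

def demo():
    s0, q0 = root_setup()
    dom = "team-a"                                   # constructed sample IDs
    s_dom, sk_dom, q_dom = domain_keygen(s0, dom)
    sk = {u: user_keygen(s_dom, sk_dom, dom, u)
          for u in ("alice", "bob", "carol")}
    msg = b"design doc, revision 7"                  # constructed plaintext
    ct = encrypt(q0, dom, ["alice", "bob"], msg)     # carol is not a recipient
    return {
        "msg": msg,
        "group_elements": len(ct[0]),                # t + 1 elements of G1
        "dpkg": decrypt_dpkg(sk_dom, ct),
        "alice": decrypt_user(sk["alice"], q_dom, dom, "alice", 1, ct),
        "bob": decrypt_user(sk["bob"], q_dom, dom, "bob", 2, ct),
        "carol": decrypt_user(sk["carol"], q_dom, dom, "carol", 1, ct),
    }

if __name__ == "__main__":
    print(demo())
```

The non-recipient's attempt with another user's $U_1$ yields a wrong $\sigma$ and fails the $U_i = rP_i$ test, while the D-PKG and both recipients recover the same plaintext from one ciphertext.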
B. Fine-grained access control

In SECO, the user who modifies data is able to define and enforce who can access this data and encrypt with multiple recipients' public keys. Each user has secret keys from the D-PKG. Suppose a user $E_i$ downloads the encrypted data. If this data is encrypted with $E_i$'s public key, $E_i$ can obtain the corresponding $U_i = rP_i$, and then decrypts this data by calculating $W \oplus H_4(V \oplus H_2(\hat{e}(U_0, SK_i)/\hat{e}(Q_{dom}, U_i)))$ to obtain the plaintext. However, if a user is not in the encryption list, then he cannot obtain $U_i$ in the ciphertext. So the decryption algorithm will fail. Specifically, only those intended recipients can decrypt this data. Therefore, users only can access the data they are allowed and cannot access the data they are not authorized to.

C. Fully collusion secure

In SECO, the data $M$ is encrypted in the form of $C = [U_0, U_1, \ldots, U_t, V, W]$ where $V = \sigma \oplus H_2(g^r)$ and $W = M \oplus H_4(\sigma)$. Obviously, unauthorized users must construct $H_2(g^r)$ where $g = \hat{e}(Q_0, P_{dom}) \in G_2$ to decrypt ciphertext $C$. Although unauthorized users can obtain $Q_0$ and $P_{dom}$, they are unaware of the random seed $r$, so $\hat{e}(Q_0, rP_{dom})$ cannot be constructed directly. Besides, unauthorized users observe that $\hat{e}(Q_0, rP_{dom}) = \hat{e}(U_0, SK_{dom})$. To recover plaintext, unauthorized users may recover $\hat{e}(Q_0, rP_{dom})$ instead of $\hat{e}(U_0, SK_{dom})$. However, since $SK_{dom}$ is only known to R-PKG and D-PKG, unauthorized users also cannot recover $\hat{e}(U_0, SK_{dom})$. Therefore, colluded users cannot recover plaintext. In addition, for an unauthorized ciphertext, there does not exist the corresponding $U_i$ for these unauthorized users. Unauthorized users cannot use the decryption algorithm to recover plaintext. Therefore, any of these unauthorized users outside the intended recipients will have no idea of the plaintext, even if all of them collude.

VI. Performance Analysis

In this section, we first evaluate the computation complexity. Then we analyze the communication overhead. At last, we present the storage cost.

A. Computation Complexity

In SECO, the R-PKG generates two groups $G_1$, $G_2$ of order $q$ and a bilinear map to achieve the five randomized algorithms. In all computations, pairing computation, i.e., bilinear map computation, is the most expensive operation. In SECO, Root Setup generates the system parameters and a master key for R-PKG, and Domain Setup picks a master key for D-PKG. In Key Generation, PKGs generate keys for users. These three algorithms have no pairing computations and need to run only once at initialization time. Moreover, the sizes of system parameters and keys are fixed in length. Therefore, the computation complexity of these three algorithms is negligible. In key generation, the R-PKG needs two scalar multiplications to compute $SK_{dom}$ and $Q_{dom}$ for each D-PKG $E_{dom}$, and the D-PKG needs two scalar multiplications to calculate $SK_i$ and $Q_i$ for each domain user $E_i$. In Encryption, a user encrypts data with $t$ recipients' public keys. He needs one pairing computation to calculate $\hat{e}(Q_0, P_{dom})$, and $t + 1$ scalar multiplications to compute $rP_i$ for $0 \le i \le t$. Since the pairing computation is independent of data encryption and $Q_0$, $P_{dom}$ are the same in a domain, for each different data, pairing computation is calculated only once for all domain users. In Decryption, the D-PKG needs one pairing computation to calculate $\hat{e}(U_0, SK_{dom})$, and user $E_i$ needs two pairing computations to calculate $\hat{e}(U_0, SK_i)$ and $\hat{e}(Q_{dom}, U_i)$. Since $U_0$, $SK_{dom}$ and $SK_i$ are fixed, the D-PKG calculates $\hat{e}(U_0, SK_i)$ once, and $E_i$ calculates $\hat{e}(U_0, SK_i)$ once. From the above analysis, the computation complexity of SECO is acceptable.

Fig. 2. The cost of encryption algorithm. (Plot: Time (s) versus Number of Users, for 16KB, 32KB and 64KB data.)

We also conduct a thorough experimental evaluation of the time cost of SECO. We calculate the total computing to gain the time cost. The whole experiment system is implemented in Python on a Windows 7 machine with a Core 2 Duo CPU running at 2.0 GHz. We report the average of 100 trials. Fig. 2 plots the encryption cost for preparing three kinds of data size as the number of recipients varies. From Fig. 2, we see the encryption time grows linearly with the number of the recipients. The time to encrypt 64KB data with 800 recipients approaches 1.6 seconds, which is an ideal result. Fig. 3 plots the D-PKG and user decryption cost as the data size varies. In Fig. 3, we notice the cost both by the D-PKG and user is nearly linearly proportional to the data size. Meanwhile, users take more time than the D-PKG in decryption, as in the above analysis. To decrypt 64KB data, the D-PKG takes 1 second and user $E_i$ takes 1.5 seconds. The algorithm does the pairing computation for each data, but the pairing computation can be done once at the beginning, as in the above analysis. The results of our experiments show SECO is lightweight and efficient to be applied in practice.

B. Communication cost

In SECO, the communication cost is mainly attributable to the encrypted data transmission. After encryption, the following information is sent by users along with the encrypted data to the cloud: the value of $U_i$ for every intended data recipient, which requires $(t + 1)\log|G_1|$ bits, the value of $V$, which requires $n$ bits, and the value of $W$, which requires $n$ bits. Thus, the communication cost is given by $(t + 1)\log|G_1| + 2n$ bits. Table I shows the communication expenses comparison among SECO, ABE-based schemes and symmetric key cryptosystem (SKC) schemes. Here $n$ is the length of the plaintext, $t$ is the number of users, $i$ is the number of attributes used in the ABE-based scheme [5] and $k$ is the length of keys used in the SKC-based scheme [18]. Since the data size is fixed ($n$), $t$, $k$ and $i$ are varying but have the same order of magnitude as $n$. From Table I, we can see that SECO takes little communication cost. The reason is that every data block is bound to $t$ users' KeyID and two secret keys in the SKC-based scheme, while in the ABE-based scheme, the data owner needs to transfer the access structure of the data and other parameters to the cloud. From the above analysis, SECO takes little communication overhead
to achieve secure and efficient data collaboration service in cloud computing.

Fig. 3. The cost of decryption algorithm. (Plot: Time (s) versus File Length (KB), for the D-PKG and user $E_i$.)

TABLE I. Communication cost in ABE-based scheme, SKC-based scheme and SECO

| Scheme | Communication costs |
|---|---|
| ABE-based | $|i| + 2\log|i| + (|i| + 1)\log|G_1| + \log|G_2| + n$ |
| SKC-based | $3tk + n$ |
| SECO | $(t + 1)\log|G_1| + 2n$ |

TABLE II. Storage cost in ABE-based scheme, SKC-based scheme and SECO

| Scheme | Ciphertext storage | Key storage: D-PKG (Data owner) | Key storage: User |
|---|---|---|---|
| ABE-based | $O(\max(|I|, n))$ | $O(n)$ | $O(\log n)$ |
| SKC-based | $O(n^2)$ | $O(n)$ | $O(1)$ |
| SECO | $O(n)$ | $O(1)$ | $O(1)$ |

C. Storage cost

The storage cost is one of the most significant aspects of the data access control scheme in cloud storage services. We analyze the storage overhead of SECO and compare it with the SKC-based scheme and the ABE-based scheme. The storage cost is assessed in terms of ciphertext storage overhead and key storage overhead (secret keys and system parameters stored on the users and D-PKG). Table II presents the comparative results.

Ciphertext storage overhead: In the ABE-based scheme, the size of ciphertext is $O(\max(|I|, n))$, with $|I|$ as the number of attributes the ciphertext issued. For the SKC-based scheme, to achieve read and write permission, each data is bound to each user's access privilege. The size of ciphertext depends on the number of users and the size of key. Thus, the size is $O(n^2)$. In SECO, as depicted in Section IV, the ciphertext is composed of $t$ intended recipients' information and a body. The body is just the encrypted message. The length of the ciphertext is linear with the recipient quantity. The length will increase by an element of $G_1$ when adding a recipient. Thus the message size is $O(n)$. Note here, when joining more recipients, there is just one ciphertext which contains more intended recipients' information. From Table II, we can see SECO takes the least ciphertext storage cost.

Key storage overhead: Compared with the ABE-based scheme and the SKC-based scheme, SECO greatly reduces the key storage overhead of the D-PKG (data owner). In the ABE-based scheme and the SKC-based scheme, the data owner needs to store every user's access privilege. While in SECO, the D-PKG just stores his own secret keys and system parameters. Users only need to store their own secret keys and system parameters in the SKC-based scheme and SECO. However, users in the ABE-based scheme have to store their own access structures with their corresponding secret keys. Therefore, SECO also takes little key storage overhead to achieve data collaboration in cloud computing.

VII. Conclusion

In this paper, we address the one-to-many encryption paradigm, writing operation and fine-grained access control issue, and propose a secure cloud data collaboration scheme SECO. SECO employs a two-level HIBE scheme to guarantee data security against the cloud. SECO realizes a one-to-many encryption paradigm and data writing operation simultaneously to achieve secure data collaboration in cloud computing. Security analysis shows that SECO is secure and can realize fine-grained access control and collusion resistance. In addition, we evaluate the performance of SECO in terms of computation complexity, communication cost and storage cost. The result shows that SECO is low overhead and highly efficient.

References

[1] A. Fox et al., “Above the clouds: A berkeley view of cloud computing,” University of California, Berkeley, Rep. UCB/EECS, vol. 28, 2009.
[2] M. Arrington, “Gmail disaster: Reports of mass email deletions,” Online at http://www.techcrunch.com/2006/12/28/gmail-disasterreports-ofmass-email-deletions, 2006.
[3] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based encryption for fine-grained access control of encrypted data,” in CCS’2006. Alexandria, USA: ACM, pp. 89–98.
[4] G. Wang, Q. Liu, and J. Wu, “Hierarchical attribute-based encryption for fine-grained access control in cloud storage services,” in Proceedings of the 17th ACM conference on Computer and communications security. Chicago, USA: ACM, 2010, pp. 735–737.
[5] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable, and fine-grained data access control in cloud computing,” in INFOCOM’2010, San Diego, USA, pp. 1–9.
[6] W. Wang, Z. Li, R. Owens, and B. Bhargava, “Secure and efficient access to outsourced data,” in Proceedings of the 2009 ACM workshop on Cloud computing security. Chicago, USA: ACM, 2009, pp. 55–66.
[7] M. Shah, M. Baker, J. Mogul, and R. Swaminathan, “Auditing to keep online storage services honest,” in Proceedings of the 11th USENIX workshop on Hot topics in operating systems, San Diego, USA, 2007.
[8] G. Ateniese et al., “Provable data possession at untrusted stores,” in Proceedings of the 14th ACM conference on Computer and communications security. Alexandria, USA: ACM, 2007, pp. 598–609.
[9] A. Shamir, “Identity-based cryptosystems and signature schemes,” in Advances in cryptology. Springer, 1985, pp. 47–53.
[10] D. Boneh and M. Franklin, “Identity-based encryption from the weil pairing,” in Advances in Cryptology–CRYPTO 2001, 2001, pp. 213–229.
[11] C. Cocks, “An identity based encryption scheme based on quadratic residues,” Cryptography and Coding, pp. 360–363, 2001.
[12] J. Horwitz and B. Lynn, “Toward hierarchical identity-based encryption,” in Advances in Cryptology–EUROCRYPT 2002, pp. 466–481.
[13] C. Gentry and A. Silverberg, “Hierarchical id-based cryptography,” Advances in Cryptology–ASIACRYPT 2002, pp. 149–155, 2002.
[14] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity based encryption with constant size ciphertext,” Advances in Cryptology–EUROCRYPT 2005, pp. 562–562, 2005.
[15] C. Gentry and S. Halevi, “Hierarchical identity based encryption with polynomially many levels,” in Theory of Cryptography, 2009.
[16] A. Adya, et al., “Farsite: Federated, available, and reliable storage for an incompletely trusted environment,” ACM SIGOPS Operating Systems Review, vol. 36, pp. 1–14, 2002.
[17] M. Kallahalla, E. Riedel, Q. Wang, and K. Fu, “Plutus: Scalable secure file sharing on untrusted storage,” in Proceedings of the 2nd USENIX Conference on File and Storage Technologies, 2003, pp. 29–42.
[18] E. Goh, H. Shacham, N. Modadugu, and D. Boneh, “Sirius: Securing remote untrusted storage.” NDSS, 2003.
