Achieving dynamic privileges in secure data sharing on cloud storage

SECURITY AND COMMUNICATION NETWORKSSecurity Comm. Networks 2014; 7:2211–2224

Published online 14 March 2013 in Wiley Online Library (wileyonlinelibrary.com). DOI: 10.1002/sec.739

SPECIAL ISSUE PAPER

Achieving dynamic privileges in secure data sharing oncloud storageXingwen Zhao1,2* and Hui Li1,2

1 State Key Laboratory of ISN, Xidian University, Xi’an, China2 School of Telecommunications Engineering, Xidian University, Xi’an, China

ABSTRACT

With the rapid development of cloud computing, more and more enterprises will outsource their sensitive data for sharing in acloud.Many data sharing and access control schemes have been submitted. However, dynamic privileges among user groups werenot considered. In many circumstances, some users may have higher privileges than others, and they can decrypt more contentsthan those with low privileges. Moreover, the data owner may want to dynamically control the privileges in data sharing. In thispaper, we present an efficient framework for data sharing system to achieve dynamic privileges, basing on chameleon hashfunction and one-way function. With this framework, any data sharing and access control scheme can be turned into a dynamicprivileged scheme, in which the data owner can change the group of each user dynamically and change the structure of privilegesflexibly when it is needed. The proposed framework requires much less storage than previous schemes in handling dynamicprivileges among the users. Copyright © 2013 John Wiley & Sons, Ltd.

KEYWORDS

multi-level security; dynamic privileges; cloud computing; data sharing; access control

*Correspondence

Xingwen Zhao, MBox #106, School of Telecommunications Engineering, Xidian University, #2 Taibai Road South, Xi’an 710071, China.Email: [email protected]

1. INTRODUCTION

Cloud storage is a model of networked online storage, whichenables users to remotely store their data in a cloud and doesnot require an end user’s knowledge of the physical locationand configuration of the system.Migrating data from end usersto the cloud brings great convenience to users because theycan access data in the cloud anytime and anywhere, usingany device, and need not care about the capital investment todeploy the hardware infrastructures. It is especially economicalfor small enterprises with limited budgets because they canachieve cost savings and the flexibility to scale investments,by using cloud-based services to manage projects, enterprise-wide contacts and schedules, and so on.

However, there are security and privacy issues for sensitivecorporate data because the cloud service provider (CSP) isoperated for making a profit. Thus, an untrustworthy CSPmay sell the confidential information about an enterprise toits closest business competitors to earn more money.Therefore, a natural way to keep sensitive data confidentialagainst an untrustful CSP is to store the data only in theencrypted form.

Copyright © 2013 John Wiley & Sons, Ltd.

We consider a data sharing system on cloud storagethat consists of data owners, data users, and cloud servers(maintained by a CSP). A data owner stores his or hersensitive data on cloud servers. Users are issued privatekeys. To access the remote stored data files shared bythe data owner, users need to download the data files fromcloud servers. For simplicity, we assume that the behaviors forusers are data file reading and writing. Cloud servers arealways online, and they are assumed to have abundant storagecapacity. In addition, we also assume that the data owner canstore data files besides running his or her own code on cloudservers to manage his or her data files. The architecture isshown in Figure 1.

Several tools can be used to provide data sharing andaccess control on cloud storage, for example, hierarchicalidentity-based encryption (IBE) [1], attribute-based encryption(ABE) [2], and broadcast encryption (BE) [3]. Related worksof these tools are discussed in Section 2.

In this paper, we deal with the situations of data sharing(encryptions and decryptions of common messages amongmultiple users) and access control among groups of users withdynamically different privileges. Our paper does not consider

2211

Figure 1. Architecture of data sharing system.

Dynamic privileges in secure data sharing on cloud storage X. ZHAO AND H. LI

other aspects of data security on cloud storage, such asefficient dynamic data updating, proof of retrievability andpublic verifiability of data integrity [4,5]. In our data sharingsystem, users are referred as data users. Users that are allowedto decrypt certain encrypted data are put together to form agroup. Usually, there exist multiple groups in a data sharingsystem, and the decrypting abilities of these groups are notthe same in some systems, for example, the pay-TV system[6]. We use privilege to define the level of decrypting abilityas in [7]. We say that the privilege of group GA is higher thanthat of group GB if users in GA can decrypt more data inaddition to the data that can be decrypted by users in GB.

Figure 2. The pay-TV services provided by FOXTEL [6] in Australia. Hilege relation between two packages. Users in package at the arrowhead. Users with higher privileges can access (in addition to the conte

following the arro

2212 Secur

We say that group GA and group GB are isolated if there isno privilege relation between them. Dynamic privilegesmean that the decrypting ability of a user and the structureof privileges are not fixed and that they can be changed at will(according to the strategies of data sharing system). Can wehandle these situations efficiently, for example, with storagecost and computation cost as less as possible?

We look for solutions that are suitable for the aforemen-tioned situations because some emerging scenarios demandprotection for contents with different values and for groupswith different privileges. As an instance shown in Figure 2,the pay television company FOXTEL [6] allows multiple

D means high-definition programs. Each arrow indicates the priv-nock have higher privilege than users in package at the arrownts for their packages) the contents for users with low privilegesw directions.

ity Comm. Networks 2014; 7:2211–2224 © 2013 John Wiley & Sons, Ltd.DOI: 10.1002/sec

Dynamic privileges in secure data sharing on cloud storageX. ZHAO AND H. LI

packages for pay-TV subscribers, where users in packagesof higher privileges (at arrow nocks) can access the con-tents for users in package of lower privileges (at arrowheads and its descending packages). Each arrow means adescent of privilege. For another instance (Figure 3), thereare many departments in an equipment manufacturer, witheach department sharing data among their members. Qualityassurance department, project management department, andsome other members may additionally have access to the datashared in research and development department and manufac-turing department. And administrative group may haveaccess to all data. Only ABE schemes among the relatedworks discussed in Section 2 can be used to fulfill the twoaforementioned scenarios, by adding proper attributes to usersin corresponding groups. However, ABE schemes can achieveonly static privileges that are corresponding to the rolesbecause the privileges cannot be changed once they aredetermined unless the private keys are renewed. In some cases,it is impossible to renew the private key freely; for example,the key authority does not support online issuing, or the keyauthority is not always online. Moreover, online rekeyingneeds additional mechanisms, such as authentication schemeand secure key updating protocol.

Some scenarios may require dynamic arrangement ofprivileges. For instance, in a data sharing system with incen-tives, those who contribute more to the system may haveadditional access to more valuable data. In such a system,users’ privileges are updated automatically (without updatingthe private keys) according to their contributions. Anotherinstance is graded digital library (database). Data in thelibrary (database) is graded. People can purchase a passwordof higher grade to obtain more data or password of lowestgrade to access fundamental information. People can changetheir grades anytime and anywhere bymaking a phone call orsubscribing through a self-servicewebsite, while their privatekeys do not need to be updated. Therefore, it is highly desir-able to design a dynamically privileged data sharing systemto enable flexible access control for content with differentvalues.

Figure 3. An instance of data sharing that enablesmultiple privileges.

Security Comm. Networks 2014; 7:2211–2224 © 2013 John Wiley & Sons, LtdDOI: 10.1002/sec

1.1. Our contributions

In this paper, we present an efficient framework for datasharing system to achieve dynamic privileges, and it can beapplied to any previous data sharing schemes. Our frameworkis not in conflict with previous data sharing schemes, and it isan enhancing method for previous data sharing schemes tohandle encrypted data sharing among users with dynamicallymultiple privileges.

We introduce a directed acyclic graph (DAG) [8] structurefor privileges, which is a generic structure and enables muchmore applications than the line-structured schemes [9,7,10].With this feature, previous works will become more practicaland require much less storage cost (and maybe less computa-tion cost) to achieve dynamic privileges among the users. Inorder to convert some data sharing scheme into a schemesupporting dynamic privileges, what we need to do is toregard the data sharing scheme as encryption scheme withoutconsidering privileges and use our framework to deal withthe privilege relations among the groups.

With the help of chameleon hash function [11], one-wayfunction, and the newly introduced computational nth-rootexponent problem (CNREP), our framework securely arrangesthe session key encapsulated in ciphertext for each groupaccording to the DAG structure of privilegeswhile ensuring thathigh-privilege session keys can be used to derive lower-privilege session keys.

1.2. Organization

The remainder of this paper is organized as follows. In Section2, we describe the related works of hierarchical IBE (HIBE),ABE, BE, and chameleon hash function. In Section 3, wedescribe the protocol model and security requirements.In Section 4, we describe the proposed DAG structurefor privileges and then the framework for achievingdynamic privileges in data sharing. The efficiency ofthe proposed framework is discussed in Section 5.Section 6 concludes the paper.

2. RELATED WORKS

2.1. Hierarchical identity-based encryption

Identity-based encryption system was introduced by Bonehand Franklin [12]. In this system, there is one private keygenerator (PKG) to distribute private keys to each user, whichis undesirable for a large network because PKG has to bear theheavy job of issuing all the keys. In order to reduce theworkload on the root PKG, Gentry and Silverberg [1] intro-duced a HIBE scheme. Their scheme is collusion resistant toan arbitrary number of levels. For better performance, Bonehet al. [13] proposed an efficient HIBE scheme, which requiresonly a constant length of ciphertext and a constant number ofbilinear map operations during decryption. Later, Gentry andHalevi [14] obtained a fully secure HIBE scheme from iden-tity-based BE with key randomization. Lewko and Waters

2213.


[15] achieved unbounded HIBE in which public parametersdid not impose additional limitations on the functionality ofthe systems.

Hierarchical IBE schemes cannot realize theDAG structurefor privileges explicitly because they do not allow cross-derivation (for instance, in Figure 2, the derivation fromSports Pack and Movies Pack to the common descendingFamily Pack).

2.2. Attribute-based encryption

Sahai andWaters [2] introduced the notion of ABE, in which amessage is encrypted under several attributes that compose a(fuzzy) identity. On the basis of their work, Goyal et al. [16]proposed a fine-grained access control ABE scheme, whichsupports any monotonic access formula. Their scheme ischaracterized as key-policy ABE (KP-ABE) in which theaccess structure is specified in the private key and the attributesare used to describe the ciphertext. Later, the scheme ofOstrovsky et al. [17] allows for non-monotonic access struc-tures. Bethencourt et al. [18] introduced a ciphertext-policyABE (CP-ABE) scheme, in which the roles of the ciphertextand keys are reversed with regard to the KP-ABE scheme.Muller et al. [19] constructed an efficient distributed ABEscheme achieving disjunctive normal form policy.

With the rapid development of cloud computing, peoplebegan to seek help from ABE to ensure data security in thecloud. Li et al. [20] obtained a fine-grained data access controlsystems with user accountability fromABE scheme to preventillegal key sharing in the cloud. Yu et al. [21] combinedKP-ABE, proxy re-encryption, and lazy re-encryption torealize scalable and fine-grained access control in cloudstorage. Later, Yu et al. [22] combined CP-ABE and proxyre-encryption to construct an attribute-based data sharingscheme with attribute revocation ability. The revocation isachieved by updating the master public key and updatingusers’ secret keys securely via proxy servers. Li et al. [23]presented a multi-authority ABE scheme to secure multi-owner personal health records in cloud computing environment.Their framework achieves flexible fine-grained access controland user revocation. Recently, Wang et al. [24] proposed aconjunctive fuzzy and precise IBE scheme for secure datasharing in cloud servers, by combining the HIBE systemwith the CP-ABE system. Some schemes [25,26] achievedconstant-length ciphertext.

The aforementioned ABE-based data sharing schemes canonly realize the static DAG structure for privileges becauseABE schemes arrange privileges explicitly with attributes. Asdiscussed in Section 1, they need to renew the private keysfrequently so that they can handle dynamic privileges explicitly.

2.3. Broadcast encryption

The first BE scheme was formally proposed by Fiat and Naor[3]. Later, Naor et al. [27] brought forward two subset-coverschemes that are suitable for the case of stateless receivers,namely “complete subtree” method and “subset difference”method. In subset-cover schemes, each user belongs to a set of

2214 Secur

subsets and stores all the keys corresponding to these subsets.The center selects proper subsets to cover all the innocent usersbut the revoked users and uses the keys of selected subsets toencrypt the messages. Halevy and Shamir [28] proposed“layered subset difference” method to reduce the transmissioncost. Goodrich et al. [29] described “stratified subset difference”method. In these well-known schemes, the receivers are state-less. That is, keys for each user are fixed throughout the lifetimeof the system, and receivers cannot record the operating states.

Some schemes do not rely on subset cover. Schemes suchas [30–33] specified all the revoked users in the broadcast.Naor and Pinkas [30] presented a trace and revoke schemebased on threshold secret sharing. They released the identitiesand personal keys of all revoked users as secret shares so thatonly those who are not revoked can collect enough shares torecover the session key. Delerablée et al. [31] introduced anaggregate algorithm to aggregate public keys of all revokedusers to obtain a value used in decryption. This aggregatealgorithm can only be computed by non-revoked users so thatthe revoked users cannot decrypt the messages. Similarly,schemes [32,33] used methods (which cannot be computedby the revoked users) to aggregate information of all revokedusers to obtain values that will be used in decryption. Schemesuch as [34–38] included the set of all the receivers in thebroadcast. The information of the intended receivers is neededfor calculating the session key. Boneh et al. [34] aggregatedpublic keys of all intended receivers and used it in encryptionso that only each intended receiver can cancel it with the helpof its private key and bilinear pairings. With the use of similarskills, schemes [35,36] achieved a constant size of private keysfor each user, and schemes [37,38] achieved adaptive securitywithout random oracles.

Some schemes [9,7,10] considered the situations whereusers belonged to different privileges. Adelsbach et al. [9]presented a broadcast tree with different subtrees for differentproperties, which correspond to different levels of security.Users in higher-level subtrees can recover more valuablecontents than those in low-level subtrees. This property isachieved by using one-way hash chains so that each userneeds to store only one set of keys, no matter which levelsubtree he or she belongs to. Recently, Jin and Lotspiech [7]presented a scheme with similar tree structure and one-waykey chains. Their scheme is designed for encrypted contentwith a single medium key block, which enables the contentto be shared by different home appliances. The aforemen-tioned schemes [9,7] considered only static privilegedsituations. Zhao and Zhang [10] considered dynamicallyprivileged situations, by introducing new covering algorithmand new media key block to enable dynamic privileges.However, the ciphertext length of their scheme is not short.Moreover, these schemes [9,7,10] considered only line-structuredprivileges, which largely limit their applications.

2.4. Chameleon hash function

Chameleon hash function was introduced by Krawczyk andRabin [39] to construct chameleon signatures. A chameleonhash function is a trapdoor one-way hash function, and it



enables only the holder of the trapdoor information to computethe collisions for a randomly given input. Chameleon hashfunction can provide non-repudiation and non-transferabilityfor chameleon signature additionally. Later, it was pointedout by Ateniese and Medeiros [40] that the hash collisionsprovided by the recipient would result in the exposure of theprivate key of this recipient. Ateniese and Medeiros [40]proposed a partial solution to this problem by requiring thesigner to use new key pair (public key and private key) whendoing a new transaction. However, in this case, the signer losesthe ability to deny signatures on any message in othertransactions.

Chen et al. [11] proposed the first chameleon hash functionwithout key exposure by using bilinear pairings in the gapDiffie–Hellman (GDH) groups. Ateniese and de Medeiros[41] then presented three key-exposure free chameleon hashschemes, two based on the RSA assumption (the firstconstructions without using pairings) and a new constructionbased on pairings. Gao et al. [42] presented a key-exposurefree chameleon hash construction based on the Schnorr signa-ture. Chen et al. brought forward identity-based constructionwithout key exposure in [43]. Chen et al. [44] proposed twokey-exposure free chameleon hash schemes. Their firstscheme is also based on GDH groups, and it needs only aweaker assumption and is more efficient in signing andcollisions computing than previous schemes based on GDHgroups [11,41]. They also provide another scheme that is notbased on GDH groups.

This paper takes advantage of the easy computing ofcollisions from chameleon hash functions in order to derivecommon session keys of lower-privilege groups from keysof higher-privilege groups.

3. PROTOCOL MODEL ANDSECURITY REQUIREMENTS

3.1. Protocol model

• Setup is the algorithm for system setup. It will generate thepublic parameters PK and private keys SK for the system.

• KeyGen is the algorithm for key generation. It willgenerate decryption key DKu for each user u.

• GroupInit is the algorithm for initializing the groupof each user. It takes the total number of groupsNumgroup as input and outputs a number of setsG1; . . . ;GNumgroup . Users in the same group Gi sharesome common access policy Si (may be an ID patternfor HIBE, an access structure for ABE, or a set ofdesignated users for BE).

• Enc is the algorithm for data encryption. It will take in anaccess policy S and output a ciphertext header Hdr. Thetemporary session key TK is encapsulated in the header,and the messageM is symmetrically encrypted using thesession key to generate ciphertext body C.

• Dec is the algorithm each user used to recover themessage.It will take in an access policy S and a decryption keyDKu

where u satisfies S (u matches the ID for HIBE, u’s

Security Comm. Networks 2014; 7:2211–2224 © 2013 John Wiley & Sons, Ltd.DOI: 10.1002/sec

attributes satisfy the access structure for ABE, or u is inthe set of designated users for BE), and output the recov-ered messageM.

• AddUser is the algorithm that is used to handle theevent that some user u joins certain group Gi, where1≤ i≤Numgroup.

• RemoveUser is the algorithm that is used to handlethe event that some user u is removed from certaingroup Gi, where 1≤ i≤Numgroup.

• AddGroup is the algorithm that is used to handle theevent that the data owner adds certain group Gj, wherej>Numgroup.

• RemoveGroup is the algorithm that is used to handlethe event that the data owner removes certain groupGi, where 1≤ i≤Numgroup.

3.2. Security requirements

• Correctness. Each honest user is able to recover themessages for his or her groups and subordinategroups.

• Semantic Security. The eavesdroppers cannot obtainany information of messages encrypted in the ciphertext.

• Collusion Resistance. Even when all the revokedusers collude, they cannot obtain any information ofmessages from the ciphertext.

• Service Bounded. Users are restricted to recover themessages encrypted for current groups and descendinggroups, they cannot recover the messages encrypted forother groups.

3.3. Computational nth-root exponentproblem

Here, we introduce a general problem called computationalnth-root exponent problem (CNREP), where n≥2. For in-stance, the problem will be the computational square root ex-ponent problem (CSREP) when n=2, and the problemwill bethe computational cube-root exponent problem when n=3.The CSREP was introduced by Konoma et al. in [45], andZhang et al. [46,47] proved that this problem is equivalent tocomputational Diffie–Hellman problem (CDHP). Let G be acyclic multiplicative group generated by g with the primeorder q. The definitions of CDHP, CSREP, and CNREP areas follows.

Definition 1 Computational Diffie-Hellman Problem (CDHP)The computational Diffie-Hellman problem (CDHP) isdefined as: given (g,ga,gb) for a; b 2 Z�q to compute gab.

Definition 2 Computational Square Root Exponent Prob-lem (CSREP)

The computational square root exponent problem(CSREP) is defined as: given (g, ga) for a 2 Z�q to compute

ga1=2, if a is a quadratic residue modulo q.

2215


Definition 3 Computational nth-root Exponent Problem(CNREP)

The computational nth-root exponent problem (CNREP)

is defined as: given (g, ga) for a 2 Z�q to compute ga1=n,

if a is a n-degree residue modulo q.As can be seen, CNREP is not easier than CSREP

because CSREP can be solved once CNREP is solvedwhereas CNREP may not be solved if CSREP is solved.

4. GENERIC FRAMEWORKSUITABLE FOR DYNAMICALLYPRIVILEGED DATA SHARINGSYSTEM

In this section, we describe a generic framework suitablefor dynamically privileged data sharing system. The frame-work can employ any data sharing scheme to turn it into aprivileged scheme. We denote the employed data sharingscheme as (DS.Setup, DS.KeyGen, DS.Enc, DS.Dec).They are as follows.

• DS.Setup is the algorithm for system setup. It willgenerate the public parameters PK and private keysSK for the system. We denote it as (PK, SK) DS.Setup(�).

• DS.KeyGen is the algorithm for key generation. Itwill generate decryption key DKu for each user u.We denote it as (DKu) DS.KeyGen(SK, u).

• DS.Enc is the algorithm for data encryption. It will takein an access policy S (an ID pattern for HIBE, an accessstructure for ABE, or a set of designated receivers forBE), which describes who will have access to theencrypted data, and output a ciphertext header Hdr anda ciphertext body C. The temporary session key TK isencapsulated in the header, and the message M issymmetrically encrypted using the session key togenerate ciphertext body. We denote the algorithm asHdr DS.Enc(PK, S, TK), C SEnc(M,TK), whereSEnc(�) is the symmetric encryption algorithm andSEnc(M,TK) means encrypting M using TK.

• DS.Dec is the algorithm each user used to recover thedata. It will take in an access policy S and a decryptionkeyDKuwhere u satisfies S (umatches the ID for HIBE,u’s attributes satisfy the access structure for ABE, or u isin the set of designated receivers for BE), and output therecovered message M. We denote it as TK DS.Dec(Hdr, S,DKu),M SDec(C,TK). SDec(�) is a symmetricdecryption algorithm corresponding to SEnc(�), andSDec(C,TK) means decrypting C using TK.

4.1. The proposed framework for dynamicdirected-acyclic-graph-structured privileges

The data sharing schemes are advised to use hybrid encryptionfor better efficiency [20], which means that data sharingschemes encapsulate a session key for each group and thesession key is used to encrypt the shared data symmetrically

2216 Secur

for that group. Those data sharing schemes not employinghybrid encryption can be altered to hybrid schemes trivially.Our proposed framework requires the adopted data sharingscheme to be hybrid. For converting any previous data sharingscheme to a dynamically privileged one, each session keyshould not be selected randomly and independently. Ourproposed framework arranges these session keys according totheir corresponding privileges; that is, session keys are derivedfollowing the relations of their privileges. The frameworkachieves dynamic directed-acyclic-graph-structured [8] keyderivation from session keys of high privileges to session keysof the lower privileges, by combining chameleon hash function[11] and one-way function. These tools can help us to generatedifferent session keys for different groups with the sameprivilege in the same branch, and these keys can derive the samehash value, which will be used as session key for the commondescending group with a lower privilege.

On the basis of any data sharing scheme (denoted as DS)without considering dynamic privileges, our proposed frame-work can achieve O(T) sets of original ciphertext headers andciphertext bodies, if T is the number of groups in DS. In otherwords, the ciphertext can be of length O(T) for an applicationof T groups if the ciphertext length of DS for each group isconstant, for example, schemes in [13,36,25,26]. We denotethe dynamically privileged framework (DPF) as (DPF.Setup,DPF.KeyGen, DPF.GroupInit, DPF.Enc, DPF.Dec, DPF.AddUser, DPF.RemoveUser, DPF.AddGroup, and DPF.RemoveGroup). Figure 4 shows the relations for thesealgorithms. It is not trivial to fulfill the flexible directed-acyclic-graph-structured privileges as shown in Figure 3.Without loss of generality, we use the instance shown inFigure 5 to show how the keys are computed, which coversone-to-many, many-to-one, and many-to-many cases. Thealgorithms are described as follows.

• DPF.Setup. By running (PK, SK) DS.Setup(�), thekey authority obtains PK as the public parameters andSK as private keys for the system. Additionally, thekey authority selects a GDH group G of some largeprime order q, as required for the chameleon hashfunction in [11]. g is a generator of G. It also selectsa random integer x 2 Zq and computes y= gx. Aone-way function f �ð Þ : G! Zq is selected. Thepublic parameters (G , q, g, y, f(�)) are added to theparameters PK generated by DS.Setup(�). We assumethat all groups’ identities are elements from G.

• DPF.KeyGen. We directly use the algorithm of DS.KeyGen(�). By running (DKu) DS.KeyGen(SK, u),we generate decryption key DKu for each user u.The key is transferred to each user in a secure channel,which is not considered in this paper.

• DPF.GroupInit. As shown in Figure 5, there are n+s + 4 groups in the system, and they are arranged intothree layers. If a user u is allowed to access the datafor group Gi,j, the identity of u is put into the set Gi,

j. Finally, {G1,1,G1,2,G2,1, . . .,G2,n + s,G3,1,G3,2} and{S1,1, S1,2S2,1, . . ., S2,n + s, S3,1, S3,2} are output, witheach Gi,j containing all the innocent users in the group


Figure 4. The relations among the algorithms of the proposed dynamically privileged framework.


Gi,j, and Si,j is the common access policy for group Gi,

j, which will exclude users outside Gi,j.• DPF.Enc. The data owner computes the temporarysession keys and corresponding random integers inthree cases. They are described as follows:

Case 1: Groups without ascending groups. In Figure 5,G1,1,G1,2, andG2,n+ s belong to this case. The data owner selectsrandom integers TK1;1; TK1;2;TK2;nþs 2 Zq as temporary ses-sion keys for the uppermost groups G1,1,G1,2, and G2,n+ s,respectively.

Case 2: Child groups with only one ascending group.In Figure 5,G2,1, . . .,G2,n� 1 belong to this case. In this case, thedata owner selects random integers to compute the key-derivingnumbers and the temporary session keys for these groups.

The data owner selects random integers R(1,1),(2,1), . . .,R 1;1ð Þ; 2;n�1ð Þ 2 Zq, and computes the key-deriving numbers

yR 1;1ð Þ; 2;1ð Þ, . . . yR 1;1ð Þ; 2;n�1ð Þ. The temporary session keys for groupsG2,1, . . ., G2,i, . . ., G2,n� 1 (1≤ i≤n� 1) are computed as

TK2;1 ¼ f g�G1;1� �TK1;1 �yR 1;1ð Þ; 2;1ð Þ

� �

⋮TK2;i ¼ f g�G1;1

� �TKi1;1 �yR 1;1ð Þ; 2;ið Þ

� �

⋮TK2;n�1 ¼ f g�G1;1

� �TKn�11;1 �yR 1;1ð Þ; 2;n�1ð Þ

� �

Figure 5. A generic instance for showing computations (n>m),with each arrow indicating the key deriving direction.


where f(�) is the one-way function andG1,1 denotes the identityof group G1,1. As G1,1 is the uppermost group, the computa-tions can be simply reduced to the one-way function withoutexponentiations. However, we use the form

f g�Gi1;j1

� �TKki1 ;j1 �yR i1 ;j1ð Þ; i2 ;j2ð Þ

� �to be consistent with the com-

putations of descending groups, which means deriving fromGi1;j1 toGi2;j2 for descending branch k. The branches are num-bered from left to right as 1, 2, 3, and so on, with respect to thesource group. For instance, the branch from G1,1 to G2,n� 1 isnumbered as n� 1 with respect to G1,1.

Case 3: Child groups with two or more ascendinggroups. In Figure 5, G2,n, G3,1, and G3,2 belong to thiscase. For each group in this case, the data owner computesthe key-deriving number and the temporary session keyfrom one of the ascending groups and then computes thekey-deriving numbers for other ascending groups.

Computations concerning G2,n:The data owner selects random integer R 1;1ð Þ; 2;nð Þ 2 Zq

and computes the key-deriving number yR 1;1ð Þ; 2;nð Þ . Thetemporary session key for group G2,n are computed as

TK2;n ¼ f g�G1;1� �TKn

1;1 �yR 1;1ð Þ; 2;nð Þ� �

Then, the key-deriving number for group G1,2 can becomputed as

yR 1;2ð Þ; 2;nð Þ ¼ g�G1;1� �TKn

1;1

g�G1;2� �TK1;2

�yR 1;1ð Þ; 2;nð Þ

Thus, users in G1,1 and G1,2 can derive the same temporarysession key for group G2,n with the help of chameleon hashfunction [11] because users in G1,2 can compute it as

TK2;n ¼ f g�G1;2� �TK1;2 �yR 1;2ð Þ; 2;nð Þ

� �

Computations concerning G3,1:

2217.


Similarly, the data owner selects random integerR 2;n�mþ1ð Þ; 3;1ð Þ 2 Zq and computes the key-deriving num-

ber yR 2;n�mþ1ð Þ; 3;1ð Þ . The temporary session key for groupG3,1 is computed as

TK3;1 ¼ f g�G2;n�mþ1� �TK2;n�mþ1 �yR 2;n�mþ1ð Þ; 3;1ð Þ

� �

Then, the key-deriving number for groups G2,n�m + 2, . . .,G2,n can be computed as

yR 2;n�mþ2ð Þ; 3;1ð Þ ¼ g�G2;n�mþ1� �TK2;n�mþ1

g�G2;n�mþ2ð ÞTK2;n�mþ2 �yR 2;n�mþ1ð Þ; 3;1ð Þ

⋮

yR 2;nð Þ; 3;1ð Þ ¼ g�G2;n�mþ1� �TK2;n�mþ1

g�G2;nð ÞTK2;n �yR 2;n�mþ1ð Þ; 3;1ð Þ

Computations concerning G3,2:Finally, the data owner selects random integer

R 2;n�mþ1ð Þ; 3;2ð Þ 2 Zq and computes the key-deriving num-

ber yR 2;n�mþ1ð Þ; 3;2ð Þ . The temporary session key for groupG3,2 is computed as

TK3;2 ¼ f g�G2;n�mþ1� �TK2

2;n�mþ1 �yR 2;n�mþ1ð Þ; 3;2ð Þ� �

Then, the deriving for groups G2,n�m + 2, . . ., G2,n+ s can becomputed as

yR 2;n�mþ2ð Þ; 3;2ð Þ ¼ g�G2;n�mþ1� �TK2

2;n�mþ1

g�G2;n�mþ2ð ÞTK22;n�mþ2�yR 2;n�mþ1ð Þ; 3;2ð Þ

⋮

yR 2;nþsð Þ; 3;2ð Þ ¼ g�G2;n�mþ1� �TK2

2;n�mþ1

g�G2;nþsð ÞTK2;nþs �yR 2;n�mþ1ð Þ; 3;2ð Þ

Then, the ciphertext headers for all groups are generated asfollows:

Hdr1;1 ¼ DS:Enc PK; S1;1;TK1;1� �

Hdr1;2 ¼ DS:Enc PK; S1;2;TK1;2� �

Hdr2;1 ¼ DS:Enc PK; S2;1;TK2;1� �

⋮Hdr2;nþs ¼ DS:Enc PK; S2;nþs; TK2;nþs

� �Hdr3;1 ¼ DS:Enc PK; S3;1;TK3;1

� �Hdr3;2 ¼ DS:Enc PK; S3;2;TK3;2

� �

(Hdr1,1, Hdr1,2, Hdr2,1, . . ., Hdr2,n + s, Hdr3,1, Hdr3,2)are the ciphertext headers. The temporary session keys(TK1,1, TK1,2, TK2,1, . . ., TK2,n + s, TK3,1, TK3,2) are usedto encrypted messages for G1,1, G1,2, G2,1, . . ., G2,n+ s,G3,1, G3,2, respectively, in symmetric encryption algorithmas follows:

2218 Secur

C1;1 ¼ SEnc M1;1;TK1;1� �

C1;2 ¼ SEnc M1;2;TK1;2� �

C2;1 ¼ SEnc M2;1;TK2;1� �⋮

C2;nþs ¼ SEnc M2;nþs;TK2;nþs� �

C3;1 ¼ SEnc M3;1;TK3;1� �

C3;2 ¼ SEnc M3;2;TK3;2� �

where Mi,j denotes the message for group Gi,j and C1,1,C1,2, C2,1, . . ., C2,n+ s, C3,1, C3,2 are the ciphertext bodies.The key-deriving numbers (n+ 2m+ s + 1 elements), theciphertext headers (n+ s + 4 sets), and the ciphertext bodies(n+ s + 4 sets) are stored in the cloud servers. As can beseen, our framework costs roughly O(T) storage cost, if Tis the number of groups in the system and the storage costfor the ciphertext of a single group in scheme DS is O(1).Encryption schemes without considering dynamic flexibleprivileges may result in n+ s + 4 sets of ciphertext headersand 2n+ 2m+ 2s + 9 sets of ciphertext bodies, which willcost more storage than our framework if the average lengthof ciphertext bodies is longer than the length of one Zq

element.

• DPF.Dec. Without loss of generality, we suppose useru belongs to group G1,1. DKu is used to recovertemporary session key TK1,1 as TK1,1 =DS.Dec(Hdr1,1, S1,1, DKu). User u can derive temporarysession keys for descending groups as follows:

TK2;1 ¼ f g�G1;1� �TK1;1 �yR 1;1ð Þ; 2;1ð Þ

� �

⋮TK2;n ¼ f g�G1;1

� �TKn1;1 �yR 1;1ð Þ; 2;nð Þ

� �

TK3;1 ¼ f g�G2;n� �TK2;n �yR 2;nð Þ; 3;1ð Þ

� �

TK3;2 ¼ f g�G2;n� �TK2

2;n �yR 2;nð Þ; 3;2ð Þ� �

Then, user u can recover messages M1,1, M2,1, . . ., M2,n,M3,1, M3,2 with the symmetric decryption algorithm usingthese key, such as M1,1 = SDec(C1,1, TK1,1) and so on.

• DPF.AddUser is the algorithm that is used to handle theevent that some user u joins certain existing group Gi,j.The identity of u is put into the set Gi,j, and Si,j is theupdated common access policy for the new group Gi,j.The ciphertext header Hdri,j is updated as Hdri,j=DS.Enc(PK,Si,j,TKi,j). Other ciphertext headers and cipher-text bodies remain unchanged.

• DPF.RemoveUser is the algorithm that is used tohandle the event that some user u is removedfrom certain group Gi,j. We assume that user uis removed from the system when consideringthe algorithm DPF.RemoveUser, and we canregard the case that u is moved from group Gi,j



to Gk,t (i 6¼ k or j 6¼ t) as u is added to Gk,t by thealgorithm DPF.AddUser after it is removed fromthe system. Here, we introduce a new notioncalled co-parent group. We define the co-parentgroups of group Gi,j as other parent groups ofGi,j’s nearest descending groups. For instance,G1,2 is the co-parent group of G1,1 with respectto the descending group G2,n. Likewise, G2,n�m +

2, . . ., G2,n are the co-parent groups of G2,n�m + 1

with respect to G3,1. We set Ω to an empty setand add Gi,j, Gi,j’s descending groups, co-parentgroups of Gi,j to it. If there are other descendinggroups for groups in Ω that are not included inΩ, we add them to Ω. If there are other co-parentgroups for groups in Ω that are not included in Ω,we add them to Ω. The operations are repeateduntil Ω is never changed. The temporary sessionkeys, the ciphertext headers, ciphertext bodies ofΩ, and the key-deriving numbers concerning Ωshould be renewed.

For example, if a user is removed from G1,1 in theinstance shown in Figure 5, the new Ω would include allgroups in the instance. Thus, all temporary session keys,all ciphertext headers, all ciphertext bodies, and all thekey-deriving numbers should be renewed. If a user isremoved from G2,n in the instance, the new Ω wouldinclude G2,n�m+ 1, . . ., G2,n+ s, G3,1, and G3,2. The tempo-rary session keys, the ciphertext headers, the ciphertextbodies for these groups, and the key-deriving numbersconcerning these groups should be renewed. If a user isremoved from G2,1 in the instance, the new Ω onlyincludes G2,1. The temporary session key, the ciphertextheader, the ciphertext body for G2,1 and the key-derivingnumber yR 1;1ð Þ; 2;1ð Þ concerning G2,1 should be renewed.

• DPF.AddGroup. If a new group Gi,j is added to thesystem, and Numgroup is increased accordingly. Thereare four cases:

a Case 1: Gi,j is a descending group of some group Gk,t.A new key-deriving number R(k,t),(i,j) is selected tocompute new TKi,j, Hdri,j, and Ci,j.

b Case 2: Gi,j is a descending group of some groups Gk,

h and Gs,t (k 6¼ s or h 6¼ t). A new key-deriving numberR(k,h),(i,j) is selected to compute new TKi,j, Hdri,j, Ci,j,and yR s;tð Þ; i;jð Þ . Group with multiple parent groups ishandled similarly.

c Case 3: Gi,j is a co-parent group of some group Gk,h (ik or j 6¼ h) with respect to the descending group Gs,t,and Gi,j is not a descending group of any group. Anew random value TKi,j is selected to compute newHdri,j and Ci,j, and yR i;jð Þ; s;tð Þ is computed from TKi,j, R

(k,h),(s,t), and TKi,k.d Case 4: Gi,j is the only parent group of some group Gk,t.

A new random value TKi,j is selected to compute newHdri,j and Ci,j. yR i;jð Þ; k;tð Þ cannot be computed easily if f(�)is not a trapdoor one-way function, soΩmay be selectedwith respect to Gi,j as described in algorithm DPF.

Security Comm. Networks 2014; 7:2211–2224 © 2013 John Wiley & Sons, Ltd.DOI: 10.1002/sec

RemoveUser. Then, the temporary session keys, theciphertext headers, ciphertext bodies of Ω, and the key-deriving numbers concerning Ω should be renewed.

• DPF.RemoveGroup is the algorithm that is used tohandle the event that the data owner removes a certaingroup Gi,j. Numgroup is decreased accordingly. Thisalgorithm is the similar to the algorithm DPF.Remove-User because removing a group means removing a setof users except that TKi,j, Hdri,j, Ci,j, and the relatedkey-deriving numbers yR �;�ð Þ; i;jð Þ or yR i;jð Þ; �;�ð Þ are no longerneeded. If Gi,j is the intermediate group of some ascend-ing groupGk,h and some descending groupGs,t, new key-deriving number yR k;hð Þ; s;tð Þ is needed for the derivationfrom Gk,h to Gs,t after Gi,j is removed.

4.2. Security analysis

Correctness. The correctness is straightforward because ofthe aforementioned descriptions.

Theorem 1. The DPF is semantically secure against the eaves-droppers assuming the employed data sharing scheme, and thesymmetric encryption algorithm are semantically secure.

ProofSketch Proof.The DPF uses the data sharing scheme to en-crypt the session key for each group. If someone who is notincluded in a group can obtain information about theencrypted session key for that group, it raises a contradic-tion to the semantic security of the data sharing scheme.

Only the users who are included in a service group canrecover the corresponding messages (actually recover thesession key and then the messages). If any eavesdroppercan learn something about a message Mi,j from the cipher-text SEnc(M1,1, TK1,1), . . ., SEnc(Mi,j, TKi,j), . . .,SEnc MNumgroup ; TKNumgroup

� �, then he or she can be used to

break the semantic security of symmetric encryptionalgorithm, with regard to the ciphertext SEnc(Mi,j, TKi,j),where TKi,j is unknown to the eavesdroppers.

Theorem 2. The DPF is collusion resistant assuming theemployed data sharing scheme is collusion resistant.

ProofSketch Proof.TheDPF uses the data sharing scheme to encryptthe session key for each group. If all colluding users who arenot included in a group can obtain information about theencrypted key for that group, it raises a contradiction to thecollusion resistance of the data sharing scheme.

Theorem 3. In our framework, the users are service bounded—that is, each user is restricted to recover the messages for his orher group and descending groups; assuming the chameleonhash function [11] is unforgeable, CNREP is hard in G, thekey extraction function (from a group with higher privilegeto a descending group with lower privilege) is one way, andthe symmetric encryption algorithm is semantically secure.

2219


Proof. Without loss of generality, we use the instanceshown in Figure 5 to prove the service-bounded security.We consider the security in several cases:

• Case 1: The adversary holds a session key andattempts to recover the ascending session key.Suppose the adversary holds a session key of groupGi,j and wants to recover the messages for group Gk,

h, where Gk,h is the ascending group of Gi,j. Thesession key TKk,h for group Gk,h is randomly selected.The adversary is allowed to query the derived keyTKi,j and encryption of messages for group Gk,h. Thechallenge for the adversary is to decide whether aciphertext Ck,h is encrypted by TKk,h on the messageM selected by himself or herself, or on a randomciphertext. Our proof consists of a sequence of hybridgames, starting with a real attack and ending in agame in which the adversary’s advantage is zero.We use Sx to denote Gamex and Pr[Sx] to denote theprobability of the adversary to win the Gamex, withx= 0, 1, 2.

Game0: This game corresponds to the real game, inwhich TKi,j is derived from TKk,h and ciphertext Ci,j isencrypted by TKi,j on the message M selected by theadversary or a random ciphertext. By definition, the advan-tage of the adversary A is

ADVA ¼ Pr S0½ � � 1=2 (1)

Game1: In this game, the TKi,j is randomly selected andis not derived from TKk,h. That is, the adversary is deprivedof the advantage of obtaining the key information fromTKi,j. Therefore, the difference between the successprobability of the adversary A for current and previousgames is at most the advantage of breaking the one-wayproperty of key extraction function f(�), denoted as ADVA

(f(�)). Thus, we have

Pr S1½ � � Pr S0½ � ≤ADVA f �ð Þð Þjj (2)

Game2: In this game, the ciphertext Ck,h is randomlyselected for the message M and is not really encrypted byTKk,h on the M selected by the adversary. Therefore, thedifference between the success probability of the adversaryA for current and previous games is at most the advantageof breaking the semantic security of symmetric encryptionalgorithm, denoted as ADVA(SE). Thus, we have

Pr S2½ � � Pr S1½ � ≤ADVA SEð Þjj (3)

As can be seen, the randomly selected ciphertext Ck,

h for the message M has nothing to do with the M. So,the probability of the adversary A to win is 1/2. That is,Pr[S2] = 1/2. Then, we have

2220 Secur

ADVA ¼ Pr S0½ � � 1=2≤Pr S1½ � þ ADVA f �ð Þð Þ � 1=2≤Pr S2½ � þ ADVA SEð Þþ ADVA f �ð Þð Þ � 1=2≤ADVA SEð Þ þ ADVA f �ð Þð Þ:

If A has non-negligible probability of recovering themessage for class j, we can take advantage of A to breakthe one-way property of key extraction function f(�) orthe symmetric encryption algorithm.

• Case 2: The adversary holds a session key and wants torecover the session key of co-parent group. The event thatthe adversary knowing a session key wants to recover thesession key of a descending group’s co-parent group alsobelongs to this case. For instance in Figure 5, theadversary holding session key TK1,1 of group G1,1 wantsto recover the session key TK1,2 of group G1,2. In thiscase, the adversary knows the common chameleon hashvalues g�G1;1

� �TKn1;1 �yR 1;1ð Þ; 2;nð Þ ¼ g�G1;2

� �TK1;2 �yR 1;2ð Þ; 2;nð Þ .If the adversary can obtain the session key TK1,2 of groupG1,2, it raises a contradiction to the unforgeability of thechameleon hash function (Theorem 3 in [11]).

• Case 3: The adversary holds a session key and wantsto recover the session key of co-parent group’sanother descending group. For instance, the eventknowing TK1,2 to recover TK2,1 belongs to this case.In this case, the adversary knows one commonchameleon hash value between G1,1 and G1,2 thatg�G1;1� �TKn

1;1 �yR 1;1ð Þ; 2;nð Þ ¼ g�G1;2� �TK1;2 �yR 1;2ð Þ; 2;nð Þ , so the

adversary knows g�G1;1� �TKn

1;1 . However, it is hardfor the adversary to obtain g�G1;1

� �TK1;1 , or it can beused to break CNREP. The probability that theadversary guesses the right session key TK2,1 withoutknowing the source value of the one-way function isat most 1/q, which is negligible for a q that is largeenough.

• Case 4: Cases other than the aforementioned threecases. For instance, the event that knowing TK2,1 torecover TK2,n belongs to this case. The probabilitythat the adversary guesses the right session key is atmost 1/q, which is negligible for a q that is largeenough.

Therefore, the users are service bounded.

5. EFFICIENCY EVALUATION

5.1. Storage cost

Suppose we use our framework to turn certain data sharingscheme (denoted as DS) without considering any privilegesinto a privileged scheme. Assuming DS has NG groups, weconsider the following cases:



• Case 1: There is no privilege relation among these NG

groups (each group is isolated from others). In thiscase, our framework changes nothing, and it needsstorage cost the same as DS.

• Case 2: The levels of privileges are no more than two.Suppose our framework needs n key deriving, andthen, it needs a storage cost of n key deriving numb-ers, NG ciphertext headers, and NG ciphertext bodies.Correspondingly, DS needs storage cost of NG cipher-text headers and NG + n ciphertext bodies to handlethe privileges. Our framework needs less storage costif the average length of ciphertext bodies is longerthan the length of one Zq element. This is the worstcase because it requires the average length of cipher-text bodies to be longer than the length of one elementin Zq so that our framework can be efficient.

• Case 3: The privileges are line structured, and the levelsof privileges are NG. Our framework needs storage costof NG key deriving numbers (can be reduced to onenumber by using address pointers linking to the samevalue),NG ciphertext headers, andNG ciphertext bodies.Correspondingly, DS needs storage cost of NG cipher-text headers and NG +NG(NG� 1)/2 ciphertext bodiesto handle the privileges. Thus, our frameworkneeds less storage cost if the average length ofciphertext bodies is longer than 2/(NG� 1) (canbe reduced to 2/(NG(NG� 1)), respectively) thelength of one Zq element. The efficiency of ourframework is in the best case when the privilegesare line structured.

5.2. Computation cost

Suppose we use our framework to turn certain data sharingscheme (denoted as DS) without considering any privilegesinto a privileged scheme. The computation cost for eachuser at his or her current group in our framework is the

Table I. Comparison w

Privileged StructureStorage Cost inCloud Servers User Sto

[7] Static Line O(max(2r,NG)) 12 log

2N þ 12lo

[20] Static DAG O(NW �NG) O(1)[10] Dynamic Line O(max(NG,c)), rlog N

rð Þ≤c≤N logNOurs Dynamic DAG O(C1 �NG) C2

†: reduced to O(1) in descending groups;

r: the number of revoked users;

c: the ciphertext length in the scheme of [10];

N: the number of total users;

NA: the number of attributes in the system;

NW: the average number of wildcards used in the access policies;

NG: the number of groups in the system;

C1: the ciphertext length of the employed data sharing scheme for a single acc

C2: the private key size of the employed data sharing scheme;

C3: the public key size of the employed data sharing scheme;

C4: the encryption cost of the employed data sharing scheme for a single acce

C5: the decryption cost of the employed data sharing scheme for a single acce


same as in DS. However, the computation cost for thedescending groups (with lower privileges) in our frame-work is reduced to O(1) because each user can obtain thesession keys for the descending groups by deriving, whilethe cost in DS may not be constant (e.g., in proportion tothe number of attributes in most ABE schemes).

5.3. Comparisons

We compare our framework with previous relatedschemes [7,20,10] on storage cost (on cloud servers), userstorage (in symmetric encryption schemes [7,10]; it refersto private key size in asymmetric encryption schemes [20]),center storage (in symmetric encryption schemes; it refersto public key size in asymmetric encryption schemes),encryption cost, and decryption cost. The comparisonis shown in Table I. We suppose that there are totallyN users, r (r<N) revoked users, and NG (NG<N� r)groups in each scheme.

As can be seen, our proposal is efficient in storage cost,which is dependent only on the number of groups in thesystem and the ciphertext length of the employed datasharing scheme. It is as efficient as ABE-based data shar-ing schemes (e.g., [20,24]), which achieve static privilegesonly. If the ciphertext length of the employed data sharingscheme is constant, the storage cost is dependent only onthe number of groups in the system. In other words, ourscheme can turn a data sharing scheme (e.g., [34,20,24])into a dynamically privileged scheme with a little extracost in encryption. Moreover, our framework is efficientin decrypting messages in descending groups because itneeds only O(1) computation, while it may not be constantin the employed data sharing schemes. For instance, itneeds O(|S|) computations in [34], where |S| is the numberof users in the receiver set S. Decryption cost in [20] is inproportion to the average number of wildcards used inthe access policies, and that in [24] is in proportion to the

ith previous works

rage Center Storage Encryption Cost Decryption Cost

gN þ 1 7N4 � 1ð Þ *(logN� 1) O(max(2r,NG)) O(1)

O(NA) O(NA �NG) O(NW)2N� 1 O(max(NG,c)) O(1)C3 O((C4+ 1) �NG) C†

5

ess group;

ss group;

ss group.

2221.


number of attributes described in access structure for theattribute-based decryption.

We also notice that subset-cover-based schemes [9,7,10]are efficient in decryptions. However, the storage cost inprevious static schemes [9,7] is dependent on the numberof revoked users and the number of groups, and the storagecost in previous dynamic scheme [10] is dependent on thenumber of groups, the number of revoked users, and the totalnumber of users (described in Subsection 5.2 of [10]). Thestorage cost in our framework is dependent on the numberof groups only, if the ciphertext length of the employed datasharing scheme is constant, as is the encryption scheme usedin [9,7,10]. Moreover, our framework allows directed-acyclic-graph-structured privileges, whereas these worksallow only line-structured privileges, that is, one groupin each privilege.

Suppose our framework employs the scheme of [20](where NA is the number of attributes in the system and NW

is the average number of wildcards in the access policies).We also assume that the size of each Pay-TV message is large(≫NW). With respect to the FOXTEL instance in Figure 2,our framework requires 19 sets of ciphertext to be stored incloud servers, constant storage for each user, O(NA) storagefor key generation center, 19 times of encryptions (with O(NA) computation for each encryption) for all 19 groups, O(NW) computation when decrypting the messages for user’scurrent privilege (it needs only O(1) computation for lowerprivileges). The scheme in [20] requires almost the same cost,with exception that it needs O(NW) computation whendecrypting the message for each lower-privilege group and itachieves only static privileges. As for the scheme of [10], itneeds 210 sets of ciphertext in the case that no user is revoked(much more sets are needed when there are revoked users),logN storage for each user, logN storage for broadcast center,210 times of encryptions (with O(1) computation for eachencryption), and O(1) computation for each decryption. Aswe can see, line-structured privileged scheme [10] is notsuitable for FOXTEL services though it is a dynamic scheme.

6. CONCLUSION

We present an efficient framework for data sharing systemto achieve dynamic privileges. Using this framework, anydata sharing and access control scheme can be turned intoa scheme allowing dynamic privileges of DAG structure,while previous schemes achieve only static privileges ordynamic line-structured privileges.

ACKNOWLEDGEMENTS

This work is supported by the National Natural Science Foun-dation of China (no. 61272457), the Fundamental ResearchFunds for the Central Universities (nos. K50511010001,K5051201039), and the National 111 Program (no. B08038).

2222 Secur

REFERENCES

1. Gentry C, Silverberg A. Hierarchical ID-based cryptogra-phy. ASIACRYPT, Lecture Notes in Computer Science,vol. 2501, Zheng Y (ed.), Springer, Heidelberg, 2002;548–566.

2. Sahai A, Waters B. Fuzzy identity-based encryption.EUROCRYPT 2005, Lecture Notes in Computer Science,vol. 3494, Springer, Heidelberg, 2005; 457–473.

3. Fiat A, Naor M. Broadcast encryption. CRYPTO, LectureNotes in Computer Science, vol. 773, Stinson DR (ed.),Springer, Heidelberg, 1993; 480–491.

4. Wang Q, Wang C, Li J, Ren K, Lou W. Enabling publicverifiability and data dynamics for storage security incloud computing. ESORICS, Lecture Notes in ComputerScience, vol. 5789, Backes M, Ning P (eds.), Springer,Heidelberg, 2009; 355–370.

5. Wang C,Wang Q, Ren K, Cao N, LouW. Toward secureand dependable storage services in cloud computing.IEEE T. Services Computing 2012; 5(2):220–232.

6. FOXTEL. Foxtel packeges 2012. http://www.foxtel.com.au/shop/packages/.

7. Jin H, Lotspiech J. Broadcast encryption for differentlyprivileged. SEC, IFIP, vol. 297, Gritzalis D, LopezJ (eds.), Springer, Heidelberg, 2009; 283–293.

8. Thulasiraman K, Swamy MNS. Graphs: Theory andAlgorithms. John Wiley & Son, New York, 1992.

9. Adelsbach A, Huber U, Sadeghi AR. Property-basedbroadcast encryption for multi-level security policies.ICISC, Lecture Notes in Computer Science, vol. 3935,Won D, Kim S (eds.), Springer, Heidelberg, 2005; 15–31.

10. Zhao X, Zhang F. Tracing and revoking scheme fordynamic privileges against pirate rebroadcast. Computers& Security 2012; 31(1):59–69.

11. ChenX, Zhang F, KimK. Chameleon hashing without keyexposure. ISC, Lecture Notes in Computer Science, vol.3225, Zhang K, Zheng Y (eds.), Springer, Heidelberg,2004; 87–98.

12. Boneh D, Franklin M. Identity-based encryption from theWeil pairing. CRYPTO 2001, Lecture Notes in ComputerScience, vol. 2139, Springer, Heidelberg, 2001; 213–229.

13. Boneh D, Boyen X, Goh E. Hierarchical identity basedencryption with constant size ciphertext. EUROCRYPT2005, Lecture Notes in Computer Science, vol. 3493,Springer, Heidelberg, 2005; 440–456.

14. Gentry C, Halevi S. Hierarchical identity based encryp-tion with polynomially many levels. TCC, Lecture Notesin Computer Science, vol. 5444, Reingold O (ed.),Springer, Heidelberg, 2009; 437–456.

15. Lewko AB, Waters B. Unbounded HIBE and attribute-based encryption. EUROCRYPT, Lecture Notes in Com-

puter Science, vol. 6632, Paterson KG (ed.), Springer,Heidelberg, 2011; 547–567.


http://www.foxtel.com.au/shop/packages/

http://www.foxtel.com.au/shop/packages/


16. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control ofencrypted data. ACM Conference on Computer andCommunications Security, Juels A, Wright RN, diVimercati SDC (eds.), ACM Press, New York, 2006;89–98.

17. Ostrovsky R, Sahai A, Waters B. Attribute-basedencryption with non-monotonic access structures.ACM Conference on Computer and Communica-tions Security, Ning P, di Vimercati SDC,Syverson PF (eds.), ACM Press, New York,2007; 195–203.

18. Bethencourt J, Sahai A, Waters B. Ciphertext-policyattribute-based encryption. IEEE Symposium on Securityand Privacy, IEEE Computer Society, Los Alamitos,2007; 321–334.

19. Müller S, Katzenbeisser S, Eckert C. Distributed attribute-based encryption. ICISC, Lecture Notes in ComputerScience, vol. 5461, Lee PJ, Cheon JH (eds.), Springer,Heidelberg, 2008; 20–36.

20. Li J, et al.. Fine-grained data access control systems withuser accountability in cloud computing. CloudCom,IEEE, Piscataway, N.J, 2010; 89–96.

21. Yu S, Wang C, Ren K, Lou W. Achieving secure,scalable, and fine-grained data access control in cloudcomputing. INFOCOM, IEEE, Piscataway, N.J, 2010;534–542.

22. Yu S, Wang C, Ren K, Lou W. Attribute based datasharing with attribute revocation. ASIACCS, Feng D,Basin DA, Liu P (eds.), ACM Press, New York,2010; 261–270.

23. Li M, Yu S, Ren K, Lou W. Securing personal healthrecords in cloud computing: patient-centric and fine-grained data access control in multi-owner settings.SecureComm, Lecture Notes of the Institute for ComputerSciences, Social Informatics and TelecommunicationsEngineering, vol. 50, Jajodia S, Zhou J (eds.), Springer,Heidelberg, 2010; 89–106.

24. Wang G, Liu Q, Wu J. Achieving fine-grained accesscontrol for secure data sharing on cloud servers. Concur-rency and Computation: Practice and Experience 2011;23(12):1443–1464.

25. Herranz J, Laguillaumie F, Ràfols C. Constant sizeciphertexts in threshold attribute-based encryption.Public Key Cryptography, Lecture Notes in ComputerScience, vol. 6056, Nguyen PQ, Pointcheval D (eds.),Springer, Heidelberg, 2010; 19–34.

26. Attrapadung N, Libert B, de Panafieu E. Expressivekey-policy attribute-based encryption with constant-sizeciphertexts. Public Key Cryptography, Lecture Notes inComputer Science, vol. 6571, Catalano D, Fazio N,Gennaro R, Nicolosi A (eds.), Springer, Heidelberg,2011; 90–108.


27. Naor D, Naor M, Lotspiech J. Revocation and tracingschemes for stateless receivers. In CRYPTO, LectureNotes in Computer Science, Vol. 2139, Kilian J (ed).Springer, Heidelberg, 2001; 41–62.

28. Halevy D, Shamir A. The LSD broadcast encryptionscheme. CRYPTO, Lecture Notes in Computer Science,vol. 2442, Yung M (ed.), Springer, Heidelberg, 2002;47–60.

29. Goodrich MT, Sun JZ, Tamassia R. Efficient tree-basedrevocation in groups of low-state devices. CRYPTO,Lecture Notes in Computer Science, vol. 3152, FranklinMK (ed.), Springer, Heidelberg, 2004; 511–527.

30. Naor M, Pinkas B. Efficient trace and revokeschemes. Financial Cryptography, Lecture Notesin Computer Science, vol. 1962, Frankel Y (ed.),Springer, Heidelberg, 2000; 1–20.

31. Delerablée C, Paillier P, Pointcheval D. Fullycollusion secure dynamic broadcast encryptionwith constant-size ciphertexts or decryption keys.Pairing, Lecture Notes in Computer Science, vol.4575, Takagi T, Okamoto T, Okamoto E, OkamotoT (eds.), Springer, Heidelberg, 2007; 39–59.

32. Kusakawa M, Hiwatari H, Asano T, Matsuda S.Efficient dynamic broadcast encryption and itsextension to authenticated dynamic broadcastencryption. CANS, Lecture Notes in ComputerScience, vol. 5339, Franklin MK, Hui LCK, WongDS (eds.), Springer, Heidelberg, 2008; 31–48.

33. Lewko AB, Sahai A, Waters B. Revocation systemswith very small private keys. IEEE Symposium onSecurity and Privacy, IEEE Computer Society, LosAlamitos, 2010; 273–285.

34. Boneh D, Gentry C, Waters B. Collusion resistantbroadcast encryption with short ciphertexts and privatekeys. CRYPTO, Lecture Notes in Computer Science,vol. 3621, Shoup V (ed.), Springer, Heidelberg,2005; 258–275.

35. Sakai R, Furukawa J. Identity-based broadcastencryption. Technical reports, Cryptology ePrintArchive, Report 2007/217 2007. http://eprint.iacr.org/2007/217.

36. Delerablée C. Identity-based broadcast encryption withconstant size ciphertexts and private keys. ASIACRYPT,Lecture Notes in Computer Science, vol. 4833, KurosawaK (ed.), Springer, Heidelberg, 2007; 200–215.

37. Gentry C, Waters B. Adaptive security in broadcast en-cryption systems (with short ciphertexts). EUROCRYPT2009, Lecture Notes in Computer Science, vol. 5479,Springer, Heidelberg, 2009; 171–188.

38. Ren Y, Gu D. Fully CCA2 secure identity basedbroadcast encryption without random oracles. Inf.Process. Lett. 2009; 109(11):527–533. doi:10.1016/j.ipl.2009.01.017.

2223.

http://eprint.iacr.org/2007/217



39. Krawczyk H, Rabin T. Chameleon signatures. NDSS,The Internet Society, Reston, VA, 2000; 143–154.

40. Ateniese G, de Medeiros B. Identity-based chameleonhash and applications. Financial Cryptography, LectureNotes in Computer Science, vol. 3110, Juels A (ed.),Springer, Heidelberg, 2004; 164–180.

41. Ateniese G, de Medeiros B. On the key exposureproblem in chameleon hashes. SCN, Lecture Notesin Computer Science, vol. 3352, Blundo C, CimatoS (eds.), Springer, Heidelberg, 2004; 165–179.

42. Gao W, Li F, Wang X. Chameleon hash without keyexposure based on Schnorr signature. ComputerStandards & Interfaces 2009; 31(2):282–285.

43. Chen X, Zhang F, Susilo W, Tian H, Li J, Kim K.Identity-based chameleon hash scheme without keyexposure. ACISP, Lecture Notes in Computer Science,vol. 6168, Steinfeld R, Hawkes P (eds.), Springer,Heidelberg, 2010; 200–215.

2224 Secur

44. Chen X, Zhang F, Tian H, Wei B, Kim K. Discretelogarithm based chameleon hashing and signatures with-out key exposure. Computers & Electrical Engineering2011; 37(4):614–623.

45. Konoma C, Mambo M, Shizuya H. The computationaldifficulty of solving cryptographic primitive problemsrelated to the discrete logarithm problem. IEICETransactions 2005; 88-A(1):81–88.

46. Zhang F, Wang P. On relationship of computationalDiffie–Hellman problem and computational square-rootexponent problem. IWCC, Lecture Notes in ComputerScience, vol. 6639, Chee YM, Guo Z, Ling S, Shao F,Tang Y, Wang H, Xing C (eds.), Springer, Heidelberg,2011; 283–293.

47. Zhang F. The computational square-root exponentproblem revisited. Technical Report, CryptologyePrint Archive, Report 2011/263 2011. http://eprint.iacr.org/2011/263.




Documents

Achieving dynamic privileges in secure data sharing on cloud storage