Identity based secure distributed data storage schemes

Identity-Based Secure DistributedData Storage Schemes

Jinguang Han, Student Member, IEEE, Willy Susilo, Senior Member, IEEE, and

Yi Mu, Senior Member, IEEE

Abstract—Secure distributed data storage can shift the burden of maintaining a large number of files from the owner to proxy servers.

Proxy servers can convert encrypted files for the owner to encrypted files for the receiver without the necessity of knowing the content

of the original files. In practice, the original files will be removed by the owner for the sake of space efficiency. Hence, the issues on

confidentiality and integrity of the outsourced data must be addressed carefully. In this paper, we propose two identity-based secure

distributed data storage (IBSDDS) schemes. Our schemes can capture the following properties: (1) The file owner can decide the

access permission independently without the help of the private key generator (PKG); (2) For one query, a receiver can only access

one file, instead of all files of the owner; (3) Our schemes are secure against the collusion attacks, namely even if the receiver can

compromise the proxy servers, he cannot obtain the owner’s secret key. Although the first scheme is only secure against the chosen

plaintext attacks (CPA), the second scheme is secure against the chosen ciphertext attacks (CCA). To the best of our knowledge, it is

the first IBSDDS schemes where an access permission is made by the owner for an exact file and collusion attacks can be protected in

the standard model.

Index Terms—Distributed data storage, identity-based system, access control, security

Ç

1 INTRODUCTION

CLOUD computing provides users with a convenientmechanism to manage their personal files with the

notion called database-as-a-service (DAS) [1], [2], [3]. InDAS schemes, a user can outsource his encrypted files tountrusted proxy servers. Proxy servers can perform somefunctions on the outsourced ciphertexts without knowinganything about the original files. Unfortunately, this tech-nique has not been employed extensively. The main reasonlies in that users are especially concerned on the confidenti-ality, integrity and query of the outsourced files as cloudcomputing is a lot more complicated than the local datastorage systems, as the cloud is managed by an untrustedthird party. After outsorcing the files to proxy servers, theuser will remove them from his local machine. Therefore,how to guarantee the outsoured files are not accessed by theunauthorized users and not modified by proxy servers is animportant problem that has been considered in the datastorage research community. Furthermore, how to guaran-tee that an authorized user can query the outsourced filesfrom proxy servers is another concern as the proxy server

only maintains the outsourced ciphertexts. Consequently,research around these topics grows significantly.

Confidentiality is proposed to prevent unauthorizedusers from accessing the sensitive data as it is subject tounauthorized disclose and access after being outsourced.Since the introduction of DAS, the confidentiality of out-sourced data has been the primary focus among the researchcommunity. To provide confidentiality to the outsourceddata, encryption schemes are deployed [4], [5], [6], [7], [8].

Integrity can prevent outsourced data from beingreplaced and modified. Some schemes have been pro-posed to protect the integrity of the outsourced data,such as proof of retrievability [9], [10], [11], [12], [13]and provable data possession [14], [15], [16]. In theseschemes, digital signature schemes and message authen-tication codes (MACs) are deployed.

Query in data storage is executed between a receiver anda proxy server. The proxy server can perform some func-tions on the outsourced ciphertexts and convert them tothose for the receiver. As a result, the receiver can obtain thedata outsourced by the owner without the proxy serverknowing the content of the data [17], [18], [19], [20].

1.1 Related Work

In this section, we review schemes related to identity-basedsecure distributed data storage (IBSDDS) schemes.

1.1.1 Data Storage Systems

Data storage systems enable users to store their data toexternal proxy servers to enhance the access and avail-ability, and reduce the maintainance cost. Samarati anddi Vimercati [21] addressed the privacy issues in dataoutsourcing expanding from the data confidentiality todata utility, and pointed out the main research directions

� J. Han is with the Centre for Computer and Information SecurityResearch, School of Computer Science and Software Engineering,University of Wollongong, Northfields Avenue, Wollongong NSW2522, Australia, and with the Jiangsu Provincial Key Laboratory ofE-Business, Nanjing University of Finance & Economics, Nanjing,Jiangsu 210003, China. E-mail: [email protected].

� W. Susilo and Y. Mu are with Centre for Computer and Information Secu-rity Research, School of Computer Science and Software Engineering, Uni-versity of Wollongong, Northfields Avenue, Wollongong NSW2522,Australia. E-mail: {wsusilo, ymu}@uow.edu.au.

Manuscript received 20 May 2012; revised 17 Dec. 2012; accepted 14 Jan.2013; date of publication 15 Feb. 2013; date of current version 5 Mar. 2014.Recommended for acceptance by C. Nita-Rotaru.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference the Digital Object Identifier below.Digital Object Identifier no. 10.1109/TC.2013.26

IEEE TRANSACTIONS ON COMPUTERS, VOL. 63, NO. 4, APRIL 2014 941

0018-9340 � 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission.See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

in the protection of the externally stored data. Kher andKim [22] surveyed the data storage systems comprehen-sively and classified them into three kinds based on theirsecurity services: networked file systems (NFS), storage-based intrusion detection systems (SBIDS) and crypto-graphic file systems (CFS).

Networked file systems. In these systems, proxy serversare assumed to be trusted. They authenticate receivers andvalidate access permissions. The interactions between theproxy servers and receivers are executed in a secure channel.Therefore, these systems cannot provide an end-to-end datasecurity, namely they cannot ensure the confidentiality ofthe data stored at the proxy server [23], [24], [25]. In theseschemes, a receiver authenticates himself to the proxy serverusing his password. Then, the proxy server passes theauthentication result to the file owner. The owner will makean access permission according to the received information.

Storage-based Intrusion Detection Systems. In these sys-tems, an intrusion detection scheme is embedded in proxyservers or the file owner to detect the intruder’s behaviors,such as adding backdoors, inserting Trojan horses and tam-pering with audit logs. These schemes can be classified intotwo types: host-based system and network-based system. Inthe host-based systems, an intrusion detection scheme isembedded in the host to detect the local intrusion actions[26]. On the contrary, in network-based systems, an intru-sion detection scheme is embedded in the proxy servers todetect the external intruder’s actions. The main advantageof these systems is that proxy servers can still detect theintrusion actions even if the host is compromised as theproxy server are independent from the host [27], [28], [29].

Cryptographic file system. In these systems, an end-to-end security is provided by cryptographic protocols whichare executed by the file owner to prevent proxy servers andunauthorized users from modifying and accessing the sensi-tive files. These systems can be divided into two types:shared file system and non-shared system. In shared filesystems [30], [31], the owner can share his files with a groupof users. Cryptographic techniques deployed in these sys-tems are key sharing, key agreement and key revocation. Innon-shared file systems [32], [33], in order to share a filewith another user, the owner can compute an access key forthe user using his secret key. In these two systems, the integ-rity of the sensitive files is provided by digital signatureschemes and message authentication codes.

1.1.2 Identity-Based Proxy Re-Encryption (IBPRE)

Proxy cryptosystem was introduced by Mambo and Oka-moto [34] to delegate the decryption power to a designateddecryptor. Then, Blaze et al. [35] proposed an atomic proxycryptosystem where a semi-trusted proxy server can trans-fer a ciphertext for the original decryptor to a ciphertext forthe designated decryptor without knowing the plaintext.Proxy cryptosystem as an efficient primitive has been usedin email forwarding, law enforcement and data storage.Identity-based cryptosystem introduced by Shamir [36] is asystem where the public key can be any arbitrary string andthe secret key is issued by a trusted party called the privatekey generator (PKG). Being different from public key infra-structure (PKI), two parties can communicate directly

without verifying their public key certificates in identity-based systems. The first secure and practical identity-baseencryption (IBE) was proposed by Boneh and Franklin [37]based on pairing.

Identity-based proxy encryption (IBPE) was first pro-posed by Ivan and Dodis [4] where the formal definitionsand security models for both unidirectional and bidirec-tional IBPE schemes were formalized. In their schemes, themaster secret key which is used to extract secret keys forusers is split into two parts. One is sent to the proxy serverand the other is sent to the user. The user can decrypt aciphertext for him with the help of the proxy server. Conse-quently, Ateniese et al. [5] pointed out that these schemesare not secure against the collusion attacks, namely the mas-ter secret key can be exposed if the user can compromise theproxy server. The first identity-based proxy re-encryptionwas proposed by Green and Ateniese [38] where the proxyserver can transfer a ciphertext for the original decryptor toa ciphertext for the designated decryptor after he gets a re-encryption key from the former. We divide the IBPREschemes into the following two types based on the genera-tion of the re-encryption key:

The re-encryption key can be computed by the originaldecryptor [38], [39], [40]. In these schemes, for a decryptionrequest, the original decryptor selects a random numberand computes a re-encryption key by randomizing hissecret key. Then, he encrypts the selected random numberunder the receiver’s identity. Finally, he sends the re-encryption key and the ciphertext to the proxy server. Usingthe re-encryption key, the proxy server can transfer aciphertext for the original decryptor to a ciphertext for thedesignated decryptor. The designated decryptor decryptsthe ciphertext using his secret key and obtains the randomnumber selected by the original decrptor. Then, he candecrypt the re-encrypted ciphertext by the random number.Unfortunately, these schemes are vulnerable to the collusionattacks. If the designated decryptor can compromise theproxy server, they can decrypt the ciphertext, obtain therandom number selected by the original decryptor andcompute the secret key of the original decryptor.

The re-encryption key must be computed by the PKG [41],[42], [43]. In these schemes, the PKG computes the re-encryption key by checking the secret keys of the originaldecryptor and the designated decryptor.

1.1.3 Identity-Based Secure Distributed Data Storage

In an identity-based secure distributed data storagescheme, a user’s identity can be an arbitrary string andtwo parties can communicate with each other withoutchecking the public key certificates. At first, the fileowner encrypts his files under his identity prior to out-sourcing them to proxy servers. Then, he sends theciphertexts to the proxy servers. Consequently, the proxyservers can transfer a ciphertext encrypted under theidentity of the owner to a ciphertext encrypted underthe identity of the receiver after they has obtained anaccess permission (re-encryption key) from the owner.

To provide confidentiality for the outsouced data, anefficient IBSDDS scheme should provide the followingproperties:

942 IEEE TRANSACTIONS ON COMPUTERS, VOL. 63, NO. 4, APRIL 2014

1. Unidirectional. After receiving an access permission,the proxy server can transfer a ciphertext for Alice toa ciphertext for Bob while he cannot transfer aciphertext for Bob to a ciphertext for Alice.

2. Non-interactive. The access permission can be createdby the file owner without any trusted third partyand interaction with him.

3. Key optimal. The size of the secret key of the receiveris constant and independent of the delegationswhich he accepts.

4. Collusion-safe. The secret key of the file owner issecure even if the receiver can compromise the proxyserver.

5. Non-transitive. Receiving the access permissionscomputed by Alice for Bob and Bob for Charlie, theproxy server cannot transfer a ciphertext for Alice toa ciphertext for Charlie.

6. File-based access. For one query, the receiver can onlyaccess one file. This can improve the security of theoutsourced files and is desirable to maintain theaccess record.

Here, 1)-5) are from [5]. Proxy invisibility discussed in [5] isdifficult to achieve as the length of the re-encrypted cipher-text is subject to be different from that of the original cipher-text. Furthermore, original-access mentioned in [5] cannot beguaranteed as the key escrow problem, namely the secretkey is created by the PKG, instead of the user. Hence, the fileowner in an IBSDSS scheme has less control on his secret keythan that in other public key encryption schemes.

Although IBPRE holds partial properties of IBSDDS, itcannot been used in IBSDDS systems directly. For example,in the current IBPRE schemes, the receiver and the proxyservers can cooperate to access all the files outsourced bythe owner as the access permission (re-encryption key) isonly bound to the identity of the receiver and independentof the file. This is undesirable for the file owner to recordthe accessed number of his files. Furthermore, they areinteractive [41], [42], [43] or not collusion safe [38], [39], [40].

Since the PKG can generate a secret key for each user, hecan decrypt the ciphertexts and obtain the original files if heknows the identity used to encrypt the files. Therefore, inthis paper, we assume that the PKG is honest and can betrusted by all users in the systems.

1.2 Our Contribution

In this paper, we propose two identity-based secure distrib-uted data storage schemes in standard model where, forone query, the receiver can only access one of the owner’sfiles, instead of all files. In other words, an access permis-sion (re-encryption key) is bound not only to the identity ofthe receiver but also the file. The access permission can bedecided by the owner, instead of the trusted party (PKG).Furthermore, our schemes are secure against the collusionattacks. Although the first scheme is CPA secure, the secondscheme achieves chosen ciphertext attacks (CCA) security.To the best of our knowledge, it is the first IBSDDS schemeswhere an access permission is made by the owner for anexact file and collusion attacks can be protected in the stan-dard model.

To achieve a stronger security and implement file-based access control, the owner must be online to

authenticate requesters and also to generate access per-missions for them. Therefore, the owner in our schemesneeds do more computations than that in PRE schemes.Although PRE schemes can provide the similar function-alities of our schemes when the owner only has one file,these are not flexible and practical.

1.3 Paper Organization

We review the preliminaries used throughout the paper inSection 2. In Section 3, we propose a CPA secure IBSDDSscheme and analyze its security. A CCA secure IBSDDSscheme is proposed and proven in Section 4. Section 5 con-cludes the paper.

2 PRELIMINARIES

In the remainder of this paper, we denote a R A as a is cho-sen from A at random. Especially, we denote a R A as a ischosen uniformly from A if A is a finite set. For n 2 IN, wedenote ½n� as the integers f1; 2; . . . ; ng. By AðxÞ ! y, wedenote that y is computed by running the algorithm A oninput x. We say that a function � : ZZ! IR is negligible if, forall k 2 ZZ, there exists a z 2 ZZ such that �ðxÞ � 1

xkwhen x > z.

2.1 Identity-Based Secure Distributed Data Storage

There are four entities in an identity-based secure distrib-uted data storage scheme: the private key generator, thedata owner, the proxy server and the receiver. The PKG val-idates the users’ identities and issues secret keys to them.The data owner encrypts his data and outsources the cipher-texts to the proxy servers. Proxy servers store the encrypteddata and transfer the ciphertext for the owner to the cipher-text for the receiver when they obtains an access permission(re-encryption key) from the owner. The receiver authenti-cates himself to the owner and decrypts the re-encryptedciphertext to obtain the data. An IBSDDS scheme consists ofthe following algorithms:

Setupð1‘Þ ! ðparams;MSKÞ: The setup algorithm takesas input a security parameter 1‘, and outputs the publicparameters params and a master secret MSK.

KeyGenðparams; ID;MSKÞ ! SKID: The key genera-tion algorithm takes as input the public parameters params,an identity ID and the master secret key MSK, and outputsa secret key SKID for the identity ID.

Encryptionðparams; ID;MiÞ ! CTi: Suppose that thereare k messages fM1;M2; . . . ;Mkg. To encrypt the messageMi, the encryption algorithm takes as input the publicparameters params, the identity ID and the messageMi, andoutputs the ciphertext CTi ¼ ðCi;1; Ci;2Þ, for i ¼ 1; 2; . . . ; k. Itsends the ciphertextsCTi to the proxy servers.

QueryðID0; SKID0 ; CTiÞ ! AI: The query algorithm takesas input the receiver’s identity ID0, the receiver’s secretekey SKID0 and the ciphertext CTi, and outputs an authenti-cation information AI. It sends ðID0; AI; CTiÞ to the proxyserver. The proxy server redirects ðID0; AI; Ci;2Þ to theowner with identity ID.

Permission ðparams; ID0; Ci;2; SKIDÞ ! RKID!ID0 . Thepermission algorithm checks the authentication informationAI. If the receiver is legal, this algorithm takes as inputs thepublic parameters params, the receiver’s identity ID0 andthe owner’s secret key SKID, and outputs an access

HAN ET AL.: IDENTITY-BASED SECURE DISTRIBUTED DATA STORAGE SCHEMES 943

permission (re-encryption key)RKID!ID0 . It sendsRKID!ID0to the proxy server.

Re-encryption ðparams; ID0; RKID!ID0 ; CTiÞ ! CT 0i . There-encryption algorithm takes as input the public parame-ters params, the receiver’s identity ID0, the access permis-sion RKID!ID0 and the ciphertext CTi, and outputs aciphertext CT 0i ¼ Encryptionðparams; ID0; MiÞ for thereceiver with identity ID0.

Decryption. There are two algorithms. One is for theowner and the other is for the receiver.

1. Decryption1ðparams; SKID; CTiÞ !Mi: The ownerdecryption algorithm takes as input the publicparameters params, the owner’s secret key SKID

and the ciphertext CTi, and outputs the message Mi.2. Decryption2ðparams; SKID0 ; CT

0i Þ !Mi: The receiver

decryption algorithm takes as input the publicparameters params, the receiver’s secret key SKID0

and the re-encrypted ciphertext CT 0i , and outputs themessage Mi.

Definition 1. We say an identity-based secure distributed datastorage scheme is correct if

where the probability is taken over the random coins which allthe algorithms in the scheme consumes.

2.2 Security Model

We formalize the security model of the IBSDDS scheme bythe following game. This game is run between a challengerand an adversary as follows:

Setup. The challenger runs Setupð1‘Þ to generate thepublic parameters params and a master secret key MSK,and sends params to the adversary A.

Phase 1. The adversary A can adaptively make the fol-lowing queries:

1. Secret Key query. The adversary A can query secretkey for an identity ID. The challenger runs KeyGenðparams; ID;MSKÞ to generate a secret key SKID.The challenger respondsAwith SKID.

2. Permission query. The adversary A can query a per-mission on ðID; ID0; Ci;2Þ. The challenger runs

KeyGenðparams; ID;MSKÞ to extract the secret keySKID and Permissionð params; ID0; Ci;2; SKIDÞ toobtain RKID!ID0 . The challenger responds A withRKID!ID0 .

3. Re-encryption query. The adversary A can query re-encryption on ðID; ID0; CTiÞ. The challenger runsKeyGenðparams; ID;MSKÞ to generate a secret keySKID, and runs Permissionðparams; ID0; Ci;2; SKIDÞto obtain RKID!ID0 . The challenger responds A withRe-encryption ðparams; ID0; RKID!ID0 ; CTiÞ.

4. Owner decryption query. The adversary A canquery owner decryption on ðID;CTiÞ. The chal-lenger runs KeyGenðparams; ID;MSKÞ to extractthe secret key SKID. The challenger responds Awith Decryption1ðparams; SKID; CTiÞ.

5. Receiver decryption query. The adversary Acan query receiver decryption on ðID; ID0; CTiÞ.The challenger runs KeyGenðparams; ID;MSKÞ andKeyGenðparams; ID0;MSKÞ to extract the secretkeys SKID and SK0ID, Permission ðparams; ID0; Ci;2;SKIDÞ to obtain RKID!ID0 and Re-encryptionðparams; ID0; RKID!ID0 ; CTiÞ to get CT 0i . The chal-lenger responds A with Decryption2 ðparams; SK0ID;CT 0i Þ.

Challenge. The adversary A submits an identity ID� and twomessagesM0 andM1 with equal length. The challenger flips anunbiased coin with f0; 1g and obtains b 2 f0; 1g. The chal-lenger computes C� ¼ Encryptionðparmas; ID�; MbÞ andsends C� to A.

Phase 2. The adversary can adaptively make queries asin Phase 1 with the following restricts:

1. Secret key query. The adversary A cannot queryKeyGenðparams; ID�; MSKÞ.

2. Permission query. The adversary A cannot queryPermissionðID�; ID;C�2Þ and KeyGen ðparams; ID;MSKÞ.

3. Re-encryption query. The adversary A cannot queryre-encryption on ðID�; ID; CT �Þ, PermissionðID�;ID;C�2Þ and KeyGenðparams; ID; MSKÞ.

4. Owner decryption query. The adversary A cannotquery owner decryption on ðID�; CT �Þ.

5. Receiver decryption query. The adversary A cannotquery re-encryption on ðID�; ID;CT �Þ and receiverdecryption on ðID; ~CT �Þ, where ~CT � is the re-encrypted ciphertext of CT �.

Guess. The adversary A outputs his guess b0 on b. A wins thegame if b0 ¼ b.Definition 2. An identity-based secure distributed data stor-

age scheme is ðT; q1; q2; q3; q4; q5; �ð‘ÞÞ-secure against cho-sen ciphertext attacks if no probabilistic polynomial-timeadversary A making at most q1 secret key queries, q2 per-mission queries, q3 re-encryption queries, q4 owner decryp-tion queries and q5 receiver decryption queries can win thegame with the advantage

AdvCCAA ¼

��Pr½b0 ¼ b� � 1

2

�� ð‘Þ

in the above model.


Definition 3. An identity-based distributed data storage(IBDDS) scheme is ðT; q1; q2; q3; �ð‘ÞÞ-secure against chosenplaintext attacks (CPA) if no probabilistic polynomial-timeadversary A making at most q1 secret key queries, q2 permis-sion queries and q3 re-encryption queries can win the gamewith the advantage

AdvCPAA ¼

��Pr½b0 ¼ b� � 1

2

�� ð‘Þ

in the above model.

Theorem 1. An identity-based secure distributed data storagescheme is unidirectional, nontransitive and collusion safe ifit is secure against the chosen plaintext attacks in the abovemodel.

Proof. Our proof is similar to that in [42]. In the CPA secu-rity model, the adversary A can query secret key oracle,permission oracle and re-encryption oracle.

Collusion-safe. If the scheme is not collusion safe,there exists an algorithm B that can use A to break theCPA security in the above security model. A can querysecret key SKID0 for an identity ID0 and permissionRKID!ID0 from an identity ID to ID0. After receiving thechallenged ciphertext CT � for the identity ID, if A cancompute the secret key SKID from SKID0 and RKID!ID0 ,B can use SKID to decrypt CT �. Hence, B can use A tobreak the CPA security in the above model.

Nontransitive. If the scheme is transitive, there existsan algorithm B that can use A to break the CPA securityin the above security model. A can query secret keysSKID0 and SKID00 for identities ID0 and ID00. Further-more, A can query permissions RKID!ID0 andRKID0!ID00 . After receiving the challenged ciphertextCT � for the identity ID, if A can compute the permissionRKID!ID00 from RKID!ID0 and RKID0!ID00 , B can useRKID!ID00 to transfer the ciphertext CT � to a ciphertextCT for the identity ID00. Then, B can use SKID00 todecrypt CT . So, B can use A to break the CPA security inthe above security model.

Unidirectional. If the scheme is not unidirectional inthe above model, there exists an algorithm B that canuse A to break the CPA security in the above securitymodel. The adversary A can query secret key SKID0 foran identity ID0 and permission RKID0!ID from an iden-tity ID0 to ID. After receiving the challenged ciphertextCT � for the identity ID, ifA can use RKID0!ID to transferCT � to a ciphertext CT for identity ID0. Then, B can usethe secret key SKID0 to decrypt CT . Therefore, B can useA to break the CPA security in the above model. tu

2.3 Complexity Assumption

Let GG and GGt be two multiple cyclic groups with primeorder p, and g be a generator of GG. A bilinear mape : GG�GG! GGt is a map satisfies the following properties:

1. Bilinearity. For all u; v 2 GG and x; y 2 ZZp,eðux; vyÞ ¼ eðu; vÞxy.

2. No-degeneracy. eðg; gÞ 6¼ 1 where 1 is the identity ofthe group GGt.

3. Computability. There exists an efficient algorithmwhich can compute eðu; vÞ for all u; v 2 GG.

We denote GGð1‘Þ as a bilinear group generator whichtakes as input a security parameter 1‘ and outputs a bilineargroup ðe; p;GG;GGtÞwith prime order p.

Definition 4 (Decisional bilinear Diffie-Hellman (DBDH)assumption [37]). Let a; b; c; z R ZZp, GGð1‘Þ ! ðe; p;GG;GGtÞ, and g be a generator of GG. We say that the DBDHassumption holds in ðe; p;GG;GGtÞ if no probabilistic polyno-mial-time adversary A can distinguish ðA;B;C; ZÞ ¼ ðga; gb;gc; eðg; gÞabcÞ from ðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞzÞ with theadvantage

AdvDBDHA ¼ Pr½AðA;B;C; eðg; gÞabcÞ��Pr½AðA;B;C; eðg; gÞzÞ�

��

�� ð‘Þ;

where the probability is token over the random choices ofa; b; c; z and the bits consumed by A.

2.4 Waters’s Identity-Based Encryption (IBE)

This identity-based encryption [44] works as follows:Setup. This algorithm takes as input the security parame-

ters 1‘, and outputs a bilinear group GGð1‘Þ ! ðe; p;GG;GGtÞwith prime order p, where e : GG�GG! GGt . Let g and h be

generators of the group GG, u0 R

GG and U ¼ ðu1; u2; . . . ; unÞwhere ui

RGG for i ¼ 1; 2; . . . ; n. It sets g1 ¼ ga where

a R ZZp. The public parameters are ðe; p;GG;GGt; g; h; u0;

g1; UÞ and the master secret key is ha.KeyGen. Let ID represent an identity which is an n bit

string, IDi be the ith bit of ID, and I be the set which con-sists of all i with IDi ¼ 1. This algorithm chooses r R ZZp,and computes

KID;1 ¼ ha

�

u0

Y

i2Iui

�r

and KID;2 ¼ gr:

The secret key for the identity ID is SKID ¼ ðKID;1; KID;2Þ.Encryption. To encrypt a message M 2 GGt , this algorithm

chooses s R ZZp and computes

C1 ¼M eðg1; hÞs; C2 ¼ gs and C3 ¼ u0

Y

i2Iui

!s

:

The ciphertext for the message M is CT ¼ ðC1; C2; C3Þ.Decryption. To decrypt the ciphertext CT ¼ ðC1; C2; C3Þ,

this algorithm takes as input the secret key SKID ¼ðKID;1; KID;2Þ and computes

M ¼ C1 eðKID;2; C3ÞeðKID;1; C2Þ

:

Theorem 2. This identity-based encryption scheme isðT; q; �ð‘ÞÞ-secure agasint chosen plaintex attacks (CPA) ifthe ðT þOð�ð‘Þ�2lnð�ð‘Þ�1Þ��1lnð��1ÞÞ; �ð‘Þ

32qðnþ1ÞÞ-decisionalbilinear Diffie-Hellman assumption holds on the bilineargroup ðe; p;GG; GGtÞ, where � ¼ 1

8qðnþ1Þ [44].

3 IDENTITY-BASED SECURE DISTRIBUTED DATA

STORAGE I (IBSDDS I)

In this section, we propose an identity-based secure distrib-uted data storage scheme which is secure against chosenplaintext attacks. At first, the file owner encrypts his files andoutsources the ciphertexts to the proxy servers. The proxyservers validate the outsourced ciphertexts and store themfor the owner. For one query, the receiver computes an


authentication information (AI) using his secret key andsends it to the proxy server. The proxy server sends the iden-tity of the receiver, AI and the partial intended ciphertext tothe owner. Suppose that the owner can know which file thereceiver wants to access from the partial ciphertext. To checkwhether the requester is a legal user in the system, the ownervalidates the received AI. If the AI is correct, the owner com-putes an access permission (re-encryption key) using hissecret key, the partial ciphertext and the identity of thereceiver, and sends it to the proxy server. Otherwise, theaccess is denied. The proxy server transfers the intendedciphertext to a ciphertext for the receiver using the receivedaccess permission. Finally, the receiver can decrypt the re-encrypted ciphertext by his secret key and obtains the origi-nal file. Fig. 1 explains the model of our IBSDDS schemes.

The specific protocol of our IBSDDS I scheme is demon-strated in Fig. 2. Our scheme can be seen as an extension ofWater’s IBE [44].

Correctness.We have

Ci;1 eðKID;2; Ci;3ÞeðKID;1; Ci;2Þ

¼Mi eðg1; hÞsie�

grID ;�

u0

Q

i2I ui�si�

e�

ha�

u0

Q

i2I ui�rID ; gsi

�

¼Mi eðg1; hÞsie�

grID ;�

u0

Q

i2I�si�

eðg1; hÞsi e�

grID ;�

u0

Q

i2I ui�si�

¼Mi eðg1; hÞsi 1

eðg1; hÞsi

¼Mi;

K1 ¼ K0ID0;1 C0ti;5 C0i;4

¼ K0ID0;1 grt KID;1

K0ID0;1 G

r u0

Y

i2I0ui

!b

¼ K0ID0;1 Gr KID;1

K0ID0;1 G

r u0

Y

i2I0ui

!b

¼ KID;1 u0

Y

i2Iui

!b

¼ ha u0

Y

i2Iui

!rID

u0

Y

i2I0ui

!

;b

and

C0i;1 ¼ D2 Ci;1

¼Mi eðg1; hÞsi e g; u0

Y

i2I0ui

! !bsi

:

Therefore

C0i;1 eðC0i;6; C0i;3ÞeðK1; Ci;2Þ

¼ C0i;1 e�

grID ;�

u0

Q

i2I ui�si�

e�

ha�

u0

Q

i2I ui�rID

�

u0

Q

i2I0 ui�b; gsi�

¼ C0i;1 1

eðg1; hÞsi e�

g;�

u0

Q

i2I0 ui��bsi

¼Mi eðg1; hÞsi e

�

g;�

u0

Q

i2I0 ui��bsi

eðg1; hÞsi e�

g;�

u0

Q

i2I0 ui��bsi

¼Mi:

Theorem 3. Our identity-based secure distributed data storage Ischeme is ðT; q1; q2; q3; �ð‘ÞÞ-secure against chose plaintextattacks (CPA) if the ðT 0; �0ð‘ÞÞ-decisional bilinear Diffie-Hell-man assumption holds in the bilinear group ðe; p;GG;GGtÞwhere

T 0 ¼ T þOðT Þ and �0ð‘Þ ¼ �ð‘Þ32ðq1 þ 2q2 þ 2q3Þðnþ 1Þ :

Proof. Our proof is similar to that in Waters’s IBE [44],except that we must answer the permission queries andre-encryption queries.

Suppose that there exists an adversary A that canðT; q1; q2; q3; �ð‘ÞÞ break the CPA security of our IBSDDS Ischeme, we can construct an algorithm B that can use Ato break the DBDH assumption as follows. The chal-

lenger generates the bilinear group GGð1‘Þ ! ðe; p;GG;GGtÞ and chooses a generator g R GG. It flips an unbi-ased coin m with f0; 1g. If m ¼ 0, he sends ðA;B;C; ZÞ ¼ ðga; gb; bc; eðg; gÞabcÞ to B. Otherwise, he sends

ðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞzÞ to B, where z R ZZp. Thealgorithm B will output his guess m0 on m.

Setup. The algorithm B sets s ¼ 4ðq1 þ 2q2 þ 2q3Þ and

chooses an integer n R ½n�. It uniformly selects two integ-

rity vectors P ¼ fp1;p2; . . . ;png and F ¼ ff1;f2; . . . ;fng,

Fig. 1. The Model of identity-based secure distributed data storage scheme.


where pi R ½s � 1� and fi

RZZp for i ¼ 1; 2; . . . ; n. It

choose p0 R ½s � 1� and f0

RZZp. Then, the algorithm B

defines three functions:

P ðIDÞ ¼ ðp� snÞ þ p0 þX

i2Ipi;

QðIDÞ ¼ f0 þX

i2Ifi;

and

RðIDÞ ¼ 0; if p0 þP

i2I pi 0 ðmod sÞ;1; if p0 þ

P

i2I pi 6 0 ðmod sÞ:

�

B sets g1 ¼ A, h ¼ B, g ¼ gu, g2 ¼ Au, u0 ¼ hp�snþp0gf0

and ui ¼ hpi gfi , where u R ZZp. It chooses h R GG. Thepublic parameters are ðe; p;GG;GGt; g; h; h; g; h; u0; g1;

Fig. 2. IBSDDS I: identity-based secure distributed data storage I.


g2;UUÞ. The master secret key is ha ¼ gab. The distributionof these parameters is identical to those in the realprotocol.

Phase 1.

1. Secret key query. The adversary A can query secretkey for an identity ID. B checks RðIDÞ ¼? 1.

a. If RðIDÞ ¼ 1, B chooses r R ZZp and computes

KID;1 ¼ A�QðIDÞP ðIDÞ

�

p0

Y

i2Ipi

�r

; (1)

KID;2 ¼ A�1

P ðIDÞ gr; (2)

and

KID;3 ¼ KuID;2: (3)

B responds with SKID ¼ ðKID;1; KID;2; KID;3Þ.b. If RðIDÞ ¼ 0, B aborts and outputs his guess m0

randomly.We claim that the secret key is generated cor-

rectly:

KID;1 ¼ A�QðIDÞP ðIDÞ

�

u0

Y

i2Iui

�r

¼ g�aQðIDÞP ðIDÞ

�

gbP ðIDÞþQðIDÞ�r

¼�

gbP ðIDÞþQðIDÞ� �aP ðIDÞgab

�

gbP ðIDÞþQðIDÞ�r

¼ gab�

gbP ðIDÞþQðIDÞ�r� a

P ðIDÞ

¼ ha�

u0

Y

i2Iui

�r� aP ðIDÞ

:

Let r ¼ r� aP ðIDÞ, we have

KID;1 ¼ ha�

u0

Y

i2Iui

�r

;

KID;2 ¼ A�1

P ðIDÞgr ¼ gr�a

P ðIDÞ ¼ gr;

and

KID;3 ¼ KuID;2 ¼ gur ¼ gr:

Therefore, the secret key is created correctly.Permission query. The adversaryA can query per-

mission on ðID; ID0; C2Þ. B checks whether he hasgenerated secret keys for identities ID and ID0. If hehas not generated secret keys for ID and ID0, Bchecks whether RðIDÞ ¼ 1 and RðIDÞ0 ¼ 1.

a. If those hold, he computes KID ¼ ðKID;1;KID;2; KID;3Þ and KID0 ¼ ðKID0;1; KID0;2; KID0;3Þ.Then, he can compute an access permission (there-encryption key) as follows. B chooses

t;b; r R ZZp, and computes

K0ID0;1 ¼ KID0;1ht; (4)

G ¼ gt; (5)

D1 ¼KID;1

K0ID0;1Gr

�

u0

Y

i2I0ui

�

;b (6)

D2 ¼ e�

C2;

�

u0

Y

i2I0ui

��b

; (7)

and

D3 ¼ gr: (8)

B sends ðD1; D2; D3; KID;2Þ to the adversary A.b. Otherwise, B aborts the simulation and outputs

his guess m0 randomly.Re-encryption query. The adversary can query re-

encryption on ðID; ID0; CÞ. B check whether he hasgenerated an access permission ðD1; D2; D3; KID;2Þfrom identities ID to identity ID0. If he has not gen-erated an access permission from ID to ID0, he gen-erated ðD1; D2; D3; KID;2Þ as above. Otherwise, B cancompute

C01 ¼ D2 C1; C02 ¼ C2; C

03 ¼ C3;

C04 ¼ D1; C05 ¼ D3 and C06 ¼ KID;2:

B responds with the re-encrypted ciphertextC0 ¼ ðC01; C02; C03; C04; C05; C06Þ.

Challenge. The adversary A submits an identity ID�

and two messages M0 and M1 with the equal length. Thealgorithm B checks RðID�Þ ¼? 0:

1. If RðID�Þ ¼ 1, B aborts and outputs his guess m0

randomly.2. If RðID�Þ ¼ 0, B flips an unbiased coin with f0; 1g

and obtains v 2 f0; 1g. The challenger computesC�1 ¼Mv Z, C�2 ¼ C ¼ gc and C�3 ¼ CQðID�Þ ¼ðu0

Q

i2I� uiÞc. B sends the ciphertext CT � ¼ ðC�1 ;

C�2 ; C�3Þ to A.

Phase 2. Phase 1 is repeated with the followingrestrictions:

1. Secret key query. The adversary A cannot querysecret key for ID�.

2. Permission query. The adversary A cannot querypermission on ðID�; ID; C�2Þ and secret key for ID.

3. Re-encryption query. The adversary A cannot queryre-encryption on ðID�; ID; C�Þ, permission onðID�; ID;C�2Þ and secret key for ID.

Guess. The adversary A outputs his guess v0 on v. Ifv0 ¼ v, B outputs m0 ¼ 0. If, v0 6¼ v, B outputs m0 ¼ 1.

As shown above, the public parameters and the secretkeys created in the simulation paradigm are identical tothose created in the real protocol. The algorithm B doesnot abort the simulation if and only if the secret keys canbe generated correctly and RðID�Þ ¼ 0. In q1 secret key


queries, q2 permission queries and q3 re-encryptionqueries, B needs to create at most q1 þ 2q2 þ 2q3 secretkeys. Thereafter, from Theorem 1, the advantage withwhich B can break the DBDH assumption is at least

�ð‘Þ32ðq1þ2q2þ2q3Þðnþ1Þ. tu

We demonstrate the computation cost and communica-tion cost of our IBSDDS I scheme in Tables 1 and 2, whereby E and P , we denote the running time of executing oneexponential and one paring, respectively. By EGG and EGGt ,we denote the length of one element in the group GG andGGt , respectively. By PKG, U , PS, O and R, we denote theprivate key generator, the user, the proxy server, the dataowner and the receiver, respectively. We compare the prop-erties of the related schemes in Table 3.

4 IDENTITY-BASED SECURE DISTRIBUTED DATA

STORAGE II (IBSDDS II)

In some complex network environments, such as cloud com-puting and distributed systems, CPA security cannot satisfythe application requirement. Therefore, identity-based dis-tributed data storage scheme with strong security (CCA) isdesirable. In this section, we propose a CCA-2 secure iden-tity-based secure distributed storage II scheme by introduc-ing an existentially unforgeable one-time signature schemeto the IBSDDS I scheme. This idea is from [45]. OurIBSDDS II scheme is demonstrated in Fig. 3.

Correctness. This is the same as in the scheme IBSDDS I.

Theorem 4. Our identity-based secure distributed data storagescheme II scheme is ðT; q1; q2; q3; q4; q5; �ð‘ÞÞ-secure againstchose ciphertext attacks if the one-time signature scheme isðT 0; 1; �0ð‘ÞÞ-existentially unforgeable and the ðT 00; �00ð‘ÞÞ deci-sional bilinear Diffie-Hellman assumption holds in the bilineargroup ðe; p;GG;GGtÞ where

T 0 ¼ T þ T 0 þ OðT þ T 0Þ

and

�ð‘Þ ¼ �0ð‘Þ þ 32ðq1 þ 2q2 þ 2q3 þ q4 þ 2q5Þðnþ 1Þ�00ð‘Þ:

Proof. Suppose that there exists an adversary A that canbreak the CCA security of our IBSDDS II scheme withadvantage AdvA > �0ð‘Þ þ 32ðq1 þ 2q2 þ 2q3 þ q4 þ 2q5Þðnþ 1Þ�00ð‘Þ, we can construct an algorithm B that can useA to forge a signature or break the DBDH assumption asfollows. The challenger generates the bilinear group

GGð1‘Þ ! ðe; p;GG;GGtÞ and chooses a generator g R GG. Itflips an unbiased coin m with f0; 1g. If m ¼ 0, he sendsðA;B;C; ZÞ ¼ ðga; gb; bc; eðg; gÞabcÞ to B. Otherwise, hesends ðA;B;C; ZÞ ¼ ðga; gb; gc; eðg; gÞzÞ to B, wherez R ZZp. The algorithmBwill outputs his guess m0 on m.

Setup. The algorithm B sets s ¼ 4ðq1 þ 2q2þ2q3 þ q4 þ 2q5Þ and chooses an integer n R ½n�. It uni-formly selects two integrity vectors P ¼ fp1;p2; . . . ;pngand F ¼ ff1;f2; . . . ;fng, where pi

R ½s � 1� andfi

RZZp for i ¼ 1; 2; . . . ; n. It choose p0

R ½s � 1� and

f0 R

ZZp. Then, the algorithm B defines three functions:

P ðIDÞ ¼ ðp� snÞ þ p0 þX

i2Ipi;

QðIDÞ ¼ f0 þX

i2Ifi;

and

RðIDÞ ¼0; if p0 þ

X

i2Ipi 0 ðmod sÞ;

1; if p0 þX

i2Ipi 6 0 ðmod sÞ:

8

><

>:

B sets g1 ¼ A, h ¼ B, g ¼ gu, g2 ¼ Au, u0 ¼ hp�snþp0gf0

and ui ¼ hpi gfi , where u R ZZp. It chooses h R GG and anone-time signature scheme SGð1‘Þ ! ðSKeyGen; Sign;VerifyÞ. The public parameters are ðe; p;GG;GGt; g; h; h;g; h; u0; g1; g2;UU; Sign;VerifyÞ and the master secret key isha ¼ gab. The distribution of these parameters is identicalto those in the real protocol.Phase 1.

1. Secret key query. A can query secret key for an iden-tity ID. B checks RðIDÞ ¼? 1. If RðIDÞ ¼ 0, B aborts

TABLE 1The Computation Cost of Our IBSDDS I Scheme

TABLE 2The Communication Cost of Our IBSDDS I Scheme

TABLE 3Property Comparison of Related Schemes


Fig. 3. Identity-based distributed data storage II.


the simulation and outputs his guess m0 randomly. IfRðIDÞ ¼ 1, B generates a secret key for ID using (1),(2) and (3). B responds A with SKID ¼ ðKID;1;KID;2; KID;3Þ.

2. Permission query. A can query permission onðID; ID0; C2Þ. B checks whether RðIDÞ ¼ 1 andRðID0Þ ¼ 1.

a. If those hold, B computes an access permissionusing (4), (5), (6), (7) and (8). B responds A withðD1; D2; D3; KID;2Þ.

b. Otherwise, B aborts the simulation and outputshis guess m0 randomly.

3. Re-encryption query. The adversary A can query onðID; ID0; CT Þ, where CT ¼ ðC1; C2; C3; C4; s; vkÞ. Bchecks whether he has created an access permissionfor ðID; ID0; C2Þ. If he has not created an access per-mission, he creates an access permission as above toobtain ðD1; D2; D3; KID;2Þ and computes C01 ¼ D2C1; C

02¼C2; C

03 ¼ C3; C

04¼C4; C

05¼D1; C

06¼D3; C

07 ¼

D3; s0 ¼ s; vk0 ¼ vk. B responds with CT 0 ¼ ðC01;

C02; C03; C

04; C

05; C

06; C

07; s

0; vk0Þ.4. Owner decryption query. The adversary A can query

owner decryption on ðID;CT Þ, where CT ¼ ðC1;C2; C3; C4; s; vkÞ is a ciphertext for the identity ID. Bcheck RðIDÞ ¼? 0.

a. If RðIDÞ ¼ 0, B aborts and outputs his guess m0

randomly.b. If RðIDÞ 6¼ 0, B check the signature s ¼?

Verifyðvk; C2; C3; C4Þ. If the equation holds, Bgenerates a secret key KID for ID as above and

responds with C1 eðKID;2;C3ÞeðKID;1;C2Þ

.

5. Receiver decryption query. The adversary A canquery receiver decryption on ðID; ID0; CT Þ. B checkswhether he has created secret keys for ID and ID0,an access permission for ðID; ID0; C2Þ and a re-encryption ciphertext CT 0. If he has not done these,he creates secret keys, an access permission and a re-encryption as in the secret key query, permissionquery and re-encryption query to obtain ðSKID;SKID0 Þ, ðD1; D2; D3; KID;2Þ and CT 0. Then, B com-putes K1 as above and responds with C01

eðC07;C3Þ

eðK1;C02Þ.

Challenge. The adversary A submits an identity ID�

and two messages M0 and M1 with the equal length. Bchecks RðIDÞ ¼? 0:

1. If RðIDÞ ¼ 1, B aborts and outputs his guess m0

randomly.2. If RðIDÞ ¼ 0, B flips an unbiased coin with f0; 1g and

obtains v 2 f0; 1g. The challenger runsSKeyGenð1‘Þ ! ðsk�; vk�Þ and computes C�1 ¼Mv Z;C�2 ¼C¼gc; C�3¼CQðID�Þ ¼ ðuo

Q

i2I� uiÞc; C�4 ¼

CHðvk�Þþu and s� ¼ Signðsk�; C�2 ; C�3 ; C�4Þ. B sends theciphertext CT � ¼ ðC�1 ; C�2 ; C�3 ; C�4 ; s�; vk�Þ to A.

Phase 2. Phase 1 is repeated with the followingrestricts:

1. Secret key query. The adversary A cannot querysecret key for ID�.

2. Permission query. The adversary A cannot querypermission on ðID�; ID; C�2Þ and secret key for ID.

3. Re-encryption query. The adversary A cannot queryre-encryption on ðID�; ID;CT �Þ, permission onðID�; ID;C2Þ and secret key for ID.

4. Owner decryption query. The adversary A cannotquery the owner decryption algorithm onðID�; CT �Þ.

5. Receiver decryption query. The adversary A cannotquery re-encryption on ðID�; ID;CT �Þ and thereceiver decryption algorithm on ðID; ~CT �Þ, where

~CT � is the re-encrypted ciphertext of CT �.Guess. The adversary A outputs his guess v0 on v. If

v0 ¼ v, B outputs m0 ¼ 0. If, v0 6¼ v, B outputs m0 ¼ 1.As shown above, the public parameters and the

secret keys created in the simulation paradigm areidentical to those created in the real protocol. Thealgorithm B does not abort the simulation if and onlyif the secret keys can be generated correctly,RðID�Þ ¼ 0 and the signatures in the ciphertext arevalid. In q1 secret key queries, q2 permission queries,q3 re-encryption queries, q4 owner decryption queriesand q5 receiver decryption queries, B needs to createat most q1 þ 2q2 þ 2q3 þ q4 þ 2q5 secret keys.

Now, we bound the probability with which B canbreak the DBDH assumption. This bound is computedusing the method in [46]. If m ¼ 1, A cannot obtain any-thing about v. Hence, A can output v0 6¼ v with noadvantage, namely, Pr½v0 6¼ vjm ¼ 1� ¼ 1

2. Since B outputsm0 ¼ 1 when v0 6¼ v, we have Pr½m0 ¼ mjm ¼ 1� ¼ 1

2. Ifm ¼ 0, A can output v0 ¼ v with the advantage at least�ð‘Þ, namely Pr½v0 ¼ vjm ¼ 0� � 1

2þ �ð‘Þ. If B outputsm0 ¼ 0 when v0 ¼ v, we have

Pr½m0 ¼ mjm ¼ 0� � 1

2� AdvA � Pr½abort�

� 32ðq1 þ 2q2 þ 2q3 þ q4 þ 2q5Þðnþ 1Þ�00ð‘Þ þ �0ð‘Þ � Pr½abort�;

where Pr½abort� is the probability with which B aborts thesimulation. The first inequality is from the caseZ ¼ eðg; gÞabc, so the simulation is performed correctly ifB does not abort. Hence, B can solve the DBDH assump-tion with the advantage at least

�ð‘Þ32ðq1 þ 2q2 þ 2q3 þ q4 þ 2q5Þðnþ 1Þ � �

00ð‘Þ:

It remains to bound the probability with which Baborts the simulation as a result of A’s decryptionqueries. We claim that Pr½abort� < �0ð‘Þ. Otherwise, aforged signature can be computed with advantage atleast �0ð‘Þ. Briefly, receiving the challenged signature keysk� in the simulation, A causes an abort by submitting adecryption query which includes a forged signature ofone ciphertext under sk�. Therefore, B can use the forgedsignature to break the existential unforgability of theone-time signature. Notably, A can only query one signa-ture for the challenged ciphertext. Hence, we havePr½abort� < �0ð‘Þ.

So, B can break the decisional bilinear Diffie-Hellman assumption with advantage more than

�ð‘Þ32ðq1þ2q2þ2q3þq4þ2q5Þðnþ1Þ. This finishes our proof. tu


5 CONCLUSION

Distributed data storage schemes provide the users withconvenience to outsource their files to untrusted proxy serv-ers. Identity-based secure distributed data storage schemesare a special kind of distributed data storage schemes whereusers are identified by their identities and can communicatewithout the need of verifying the public key certificates. Inthis paper, we proposed two new IBSDDS schemes in stan-dard model where, for one query, the receiver can onlyaccess one file, instead of all files. Furthermore, the accesspermission can be made by the owner, instead of the trustedparty. Notably, our schemes are secure against the collusionattacks. The first scheme is CPA secure, while the secondone is CCA secure.

ACKNOWLEDGMENTS

The first author was supported by PhD scholarships ofSmart Services Cooperative Research Centre (CRC) andUniversity of Wollongong. The second author was sup-ported by ARC Future Fellowship FT0991397.

REFERENCES

[1] H. Hacig€um€us, B.R. Iyer, C. Li, and S. Mehrotra, “Executing SQLover Encrypted Data in the Database-Service-Provider Model,”Proc. ACM SIGMOD Int’l Conf. Management of Data, vol. 2002,pp. 216-227, June 2002.

[2] L. Bouganim and P. Pucheral, “Chip-Secured Data Access: Confi-dential Data on Untrusted Servers,” Proc. Int’l Conf. Very LargeData Bases (VLDB ’02), pp. 131-142, Aug. 2002.

[3] U. Maheshwari, R. Vingralek, and W. Shapiro, “How to Build aTrusted Database System on Untrusted Storage,” Proc. Symp.Operating System Design and Implementation (OSDI ’00 ), pp. 135-150, Oct. 2000.

[4] A. Ivan and Y. Dodis, “Proxy Cryptography Revisited,” Proc. Net-work and Distributed System Security Symp. (NDSS ’03), pp. 1-20,Feb. 2003.

[5] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “ImprovedProxy Re-Encryption Schemes with Applications to Secure Dis-tributed Storage,” Proc. Network and Distributed System SecuritySymp. (NDSS ’05), pp. 1-15, Feb. 2005.

[6] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, “ImprovedProxy Re-Encryption Schemes with Applications to Secure Dis-tributed Storage,” ACM Trans. Information and System Security,vol. 9, no. 1, pp. 1-30, 2006.

[7] S.D.C. di Vimercati, S. Foresti, S. Paraboschi, G. Pelosi, and P.Samarati, “Effficient and Private Access to Outsourced Data,”Proc. Int’l Conf. Distributed Computing Systems (ICDCS ’11),pp. 710-719, June 2011.

[8] H.-Y. Lin and W.-G. Tzeng, “A Secure Erasure Code-Based CloudStorage System with Secure Data Forwarding,” IEEE Trans. Paral-lel and Distributed Systems, vol. 23, no. 6, pp. 995-1003, June 2012,DOI: 10.1109/TPDS.2011.252.

[9] H. Shacham and B. Waters, “Compact Proofs of Retrievability,”Proc. Advances in Cryptology (ASIACRYPT ’08), pp. 90-107, Dec.2008.

[10] A. Juels and B.S. Kalki Jr., “PORs: Proofs of Retrievability forLarge Files,” Proc. ACM Conf. Computer and Comm. Security(CCS ’07), pp. 584-597, Oct. 2007.

[11] Y. Dodis1, S. Vadhan, and D. Wichs, “Proofs of Retrievability viaHardness Amplification,” Proc. Sixth Theory of Cryptography Conf.(TCC ’09), pp. 109-127, Mar. 2009.

[12] K.D. Bowers, A. Juels, and A. Oprea, “Proofs of Retrievability:Theory and Implementation,” Proc. ACM Cloud Computing SecurityWorkshop (CCSW ’09), pp. 43-53, Nov. 2009.

[13] G. Ateniese, S. Kamara, and J. Katz, “Proofs of Storage fromHomomorphic Identification Protocols,” Proc. 15th Int’l Conf. The-ory and Application of Cryptology and Information Security: Advancesin Cryptology (Asiacrypt ’09), pp. 319-333, Dec. 2009.

[14] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z. Peter-son, and D. Song, “Provable Data Possession at Untrusted Stores,”Proc. ACM Conf. Computer and Comm. Security (CCS ’07), pp. 598-610, Oct. 2007.

[15] G. Ateniese, R.D. Pietro, L.V. Mancini, and G. Tsudik, “Scalableand Efficient Provable Data Possession,” Proc. Int’l Conf. Securityand Privacy in Comm. Networks (SecureComm ’08), Sep. 2008.

[16] C.C. Erway, A. K€upc€u, C. Papamanthou, and R. Tamassia,“Dynamic Provable Data Possession,” Proc. ACM Conf. Computerand Comm. Security (CCS ’09), pp. 213-222, Nov. 2009.

[17] B. Carbunar and R. Sion, “Toward Private Joins on OutsourcedData,” IEEE Trans. Knowledge and Data Eng., vol. 24, no. 9,pp. 1699-1710, Sept. 2012.

[18] J. Hur, “Improving Security and Efficiency in Attribute-BasedData Sharing,” IEEE Trans. Knowledge and Data Eng., vol. 25,no. 10, pp. 2271-2282, Oct. 2013, DOI: 10.1109/TKDE.2011.78.

[19] J. Hur and D.K. Noh, “Attribute-Based Access Control with Effi-cient Revocation in Data Outsourcing Systems,” IEEE Trans. Paral-lel and Distributed Systems, vol. 22, no. 7, pp. 1214-1221, July 2011.

[20] M.L. Yiu, G. Ghinita, C.S. Jensen, and P. Kalnis, “Enabling SearchServices on Outsourced Private Spatial Data,” The VLDB J.,vol. 19, no. 3, pp. 363-384, 2010.

[21] P. Samarati and S.D.C. di Vimercati, “Data Protection in Outsourc-ing Scenarios: Issues and Directions,” Proc. ACM Symp. Information,Computer and Comm. Security (ASIACCS ’10), pp. 1-14, Apr. 2010.

[22] V. Kher and Y. Kim, “Securing Distributed Storage: Challenges,Techniques, and Systems,” Proc. ACM Workshop Storage Securityand Survivability (StorageSS ’05), pp. 9-25, Nov. 2005.

[23] S. Jiang, X. Zhang, S. Liang, and K. Davis, “Improving NetworkedFile System Performance Using a Locality-Aware CooperativeCache Protocol,” IEEE Trans. Computers, vol. 59, no. 11, pp. 1508-1519, Nov. 2010.

[24] R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B. Lyon,“Design and Implementation of the Sun Network File System,”Proc. USENIX Technical Conf. (USENIX ’85), pp. 119-130, 1985.

[25] M. Satyanarayanan, “Scalable, Secure, and Highly Available Dis-tributed File Access,” Computer, vol. 23, no. 5, pp. 9-21, May 1990.

[26] S. Forrest, S.A. Hofmeyr, and A. Somayaji, “Sense of Self for UnixProcesses,” Proc. IEEE Symp. Security and Privacy (S&P ’96),pp. 120-128, May. 1996.

[27] A.G. Pennington, J.L. Griffin, J.S. Bucy, J.D. Strunk, and G.R.Ganger, “Storage-Based Intrusion Detection,” ACM Trans. Infor-mation and System Security, vol. 13, no. 4, pp. 30:1-30:27, 2010.

[28] M. Banikazemi, D. Poff, and B. Abali, “Storage-Based IntrusionDetection for Storage Area Networks (SANs),” Proc. Conf. MassStorage Systems and Technologies (MSST ’05), pp. 118-127, Apr.2005.

[29] A.G. Pennington, J.D. Strunk, J.L. Griffin, C.A. Soules, G.R.Goodson, and G.R. Ganger, “Storage-Based Intrusion Detec-tion: Watching Storage Activity for Suspicious Behavior,” Proc.USENIX Security Symp. (USENIX ’03), pp. 137-152, Aug. 2003.

[30] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu,“Plutus: Scalable Secure File Sharing on Untrusted Storage,” Proc.Conf. File and Storage Technologies (FAST ’03), pp. 29-42, Mar. 2003.

[31] B. Blanchet and A. Chaudhuri, “Automatic Formal Analysis of aProtocol for Secure File Sharing on Untrusted Storage,” Proc.Symp. Security and Privacy (S&P ’08), pp. 417-431, May 2008.

[32] M. Blaze, “A Cryptographic File System for Unix,” Proc. ACMConf. Computer and Comm. Security (CCS ’93), pp. 9-16, Nov. 1993.

[33] E.-J. Goh, H. Shacham, N. Modadugu, and D. Boneh, “SiRiUS:Securing Remote Untrusted Storage,” Proc. Network and Distrib-uted System Security Symp. (NDSS ’03), pp. 1-15, Feb. 2003.

[34] M. Mambo and E. Okamoto, “Proxy Cryptosystems: Delegation ofthe Power to Decyrpt Ciphertexts,” IEICE Trans. Fundamentals ofElectronics Comm. and Computer Sciences, vol. E80A, no. 1, pp. 54-63, 1997.

[35] M. Blaze, G. Bleumer, and M. Strauss, “Divertible Protocols andAtomic Proxy Cryptography,” Proc. Int’l Conf. Theory and Applica-tion of Cryptographic Techniques Advances in Cryptology (EURO-CRYPT ’98), pp. 127-144, May 1998.

[36] A. Shamir, “Identity-Based Cryptosystems and SignatureScheme,” Proc. Advances in Cryptology (CRYPTO ’84), pp. 47-53,Aug. 1984.

[37] D. Boneh and M. Franklin, “Identity-Based Encryption from theWeil Pairing,” Proc. Advances in Cryptology (CRYPTO ’01), pp. 213-229, Aug. 2001.


[38] M. Green and G. Ateniese, “Identity-Based Proxy Re-Encryption,”Proc. Fifth Int’l Conf. Applied Cryptography and Network Security(ACNS ’07), pp. 288-306, June 2007.

[39] C.-K. Chu and W.-G. Tzeng, “Identity-Based Proxy Re-Encryp-tion without Random Oracles,” Proc. Information Security Conf.(ISC ’07), pp. 189-202, Oct. 2007.

[40] Q. Tang, P. Hartel, and W. Jonker, “Inter-Domain Identity-BasedProxy Re-Encryption,” Proc. Fourth Int’l Conf. Information Securityand Cryptology (Inscrypt ’08), pp. 332-347, Dec. 2008.

[41] T. Matsuo, “Proxy Re-Encryption Systems for Identity-BasedEncryption,” Proc. Pairing-Based Cryptography (Pairing ’07),pp. 247-267, July 2007.

[42] L. Wang, L. Wang, M. Mambo, and E. Okamoto, “New Identity-Based Proxy Re-Encryption Schemes to Prevent CollusionAttacks,” Proc. Fourth Int’l Conf. Pairing-Based Cryptography(Pairing ’10), pp. 327-346, Dec. 2010.

[43] L. Wang, L. Wang, M. Mambo, and E. Okamoto, “Identity-BasedProxy Cryptosystems with Revocability and Hierarchical Con-fidentialities,” Proc. Int’l Conf. Information and Comm. Security(ICICS ’10), pp. 383-440, Dec. 2010.

[44] B. Waters, “Efficient Identity-Based Encryption without RandomOracles,” Proc. Advances in Cryptology (EUROCRYPT ’05), pp. 114-127, May 2005.

[45] R. Canetti, S. Halevi, and J. Katz, “Chosen-Ciphertext SecurityFrom Identity-Based Encryption,” Proc. Advances in Cryptology(EUROCRYPT ’04), pp. 207-222, May 2004.

[46] D. Boneh, C. Gentry, and B. Waters, “Collusion Resistant Broad-cast Encryption with Short Ciphertexts and Private Keys,” Proc.25th Ann. Int’l Conf. Advances in Cryptology (Crypto ’05), pp. 258-275, Aug. 2005.

Jinguang Han is currently a PhD candidate inthe School of Computer Science and SoftwareEngineering, University of Wollongong, Australia.His research interests include applied cryptogra-phy, identity management, access control, anddata outsourcing. He has been a student mem-ber of the IEEE since 2010.

Willy Susilo received the PhD degree in com-puter science from the University of Wollongong,Australia. He is a professor at the School of Com-puter Science and Software Engineering and thecodirector of Centre for Computer and Informa-tion Security Research (CCISR) at the Universityof Wollongong. He currently holds the prestigiousARC Future Fellow awarded by the AustralianResearch Council (ARC). His main researchinterests include cryptography and informationsecurity. His main contribution is in the area of

digital signature schemes. He has served as a program committee mem-ber for dozens of international conferences. He has published numerouspublications in the area of digital signature schemes and encryptionschemes. He has been a senior member of the IEEE since 2001.

Yi Mu received the PhD degree from the Austra-lian National University in 1994. He currently is aprofessor, the head of the School of ComputerScience and Software Engineering and the codi-rector of the Centre for Computer and Informa-tion Security Research at the University ofWollongong, Australia. His current research inter-ests include network security, computer security,and cryptography. He is the editor-in-chief ofInternational Journal of Applied Cryptographyand serves as an associate editor for nine other

international journals. He is a senior member of the IEEE and a memberof the IACR. He has been a senior member of the IEEE since 2000.

" For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


Technology

Identity based secure distributed data storage schemes