Documente Academic
Documente Profesional
Documente Cultură
1, JANUARY 2016
Abstract—Benefited from cloud computing, users can achieve an effective and economical approach for data sharing among group
members in the cloud with the characters of low maintenance and little management cost. Meanwhile, we must provide security
guarantees for the sharing data files since they are outsourced. Unfortunately, because of the frequent change of the membership,
sharing data while providing privacy-preserving is still a challenging issue, especially for an untrusted cloud due to the collusion attack.
Moreover, for existing schemes, the security of key distribution is based on the secure communication channel, however, to have such
channel is a strong assumption and is difficult for practice. In this paper, we propose a secure data sharing scheme for dynamic
members. First, we propose a secure way for key distribution without any secure communication channels, and the users can securely
obtain their private keys from group manager. Second, our scheme can achieve fine-grained access control, any user in the group can
use the source in the cloud and revoked users cannot access the cloud again after they are revoked. Third, we can protect the scheme
from collusion attack, which means that revoked users cannot get the original data file even if they conspire with the untrusted cloud. In
our approach, by leveraging polynomial function, we can achieve a secure user revocation scheme. Finally, our scheme can achieve
fine efficiency, which means previous users need not to update their private keys for the situation either a new user joins in the group or
a user is revoked from the group.
1 INTRODUCTION
achieve efficient user revocation that combines role-based achieve secure user revocation with the help of
access control policies with encryption to secure large data polynomial function.
storage in the cloud. Unfortunately, the verifications 4) Our scheme is able to support dynamic groups
between entities are not concerned, the scheme easily suffer efficiently, when a new user joins in the group or a
from attacks, for example, collusion attack. Finally, this user is revoked from the group, the private keys of
attack can lead to disclosing sensitive data files. the other users do not need to be recomputed and
Zou et al. [15] presented a practical and flexible key man- updated.
agement mechanism for trusted collaborative computing. 5) We provide security analysis to prove the security of
By leveraging access control polynomial, it is designed to our scheme. In addition, we also perform simula-
achieve efficient access control for dynamic groups. Unfor- tions to demonstrate the efficiency of our scheme.
tunately, the secure way for sharing the personal permanent The remainder of the paper proceeds as follows. In
portable secret between the user and the server is not sup- Section 2, we describe the system model and our design
ported and the private key will be disclosed once the per- goals. Our proposed scheme is presented in detail in
sonal permanent portable secret is obtained by the attackers. Section 3, followed by the security analysis and perfor-
Nabeel et al. [16] proposed a privacy preserving policy- mance evaluation in Section 4 and 5, respectively. Finally,
based content sharing scheme in public clouds. However, the conclusion is made in Section 6.
this scheme is not secure because of the weak protection of
commitment in the phase of identity token issuance.
In this paper, we propose a secure data sharing scheme, 2 THREAT MODEL, SYSTEM MODEL
which can achieve secure key distribution and data sharing AND DESIGN GOALS
for dynamic group. The main contributions of our scheme 2.1 Threat Model
include: As the threat model, in this paper, we propose our scheme
based on the Delov-Yao model [17], in which the adversary
1) We provide a secure way for key distribution with- can overhear, intercept, and synthesis any message at the
out any secure communication channels. The users communication channels. With the Delov-Yao model, the
can securely obtain their private keys from group only way to protect the information from attacking by
manager without any Certificate Authorities due to the passive eavesdroppers and active saboteurs is to design
the verification for the public key of the user. the effective security protocols. This means there is not any
2) Our scheme can achieve fine-grained access control, secure communication channels between the communica-
with the help of the group user list, any user in the tion entities. Therefore, this kind of threaten model can be
group can use the source in the cloud and revoked more effective and practical to demonstrate the communica-
users cannot access the cloud again after they are tion in the real world.
revoked.
3) We propose a secure data sharing scheme which
can be protected from collusion attack. The 2.2 System Model
revoked users can not be able to get the original As illustrated in Fig. 1, the system model consists of three
data files once they are revoked even if they con- different entities: the cloud, a group manager and a large
spire with the untrusted cloud. Our scheme can number of group members.
42 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 27, NO. 1, JANUARY 2016
The cloud, maintained by the cloud service providers, 3.1.2 Complexity Assumptions
provides storage space for hosting data files in a pay-as- Definition 1 (Basic Diffie-Hellman Problem (BDHP)
you-go manner. However, the cloud is untrusted since the Assumption [19]). Given base point P and a value g 2 Zq ;
cloud service providers are easily to become untrusted. it is easy to compute g P: However, given P; g P; it is infea-
Therefore, the cloud will try to learn the content of the sible to compute g because of the discrete logarithm problem.
stored data.
Group manager takes charge of system parameters gen- Definition 2 (Decisional Diffie-Hellman Problem (DDHP)
eration, user registration, and user revocation. In the practi- Assumption [20]). Similar to definition 1, given base point P
and aP; ða þ bÞP; it is infeasible to compute bP:
cal applications, the group manager usually is the leader of
the group. Therefore, we assume that the group manager is Definition 3 (Weak Bilinear Diffie-Hellman Exponent
fully trusted by the other parties. (WBDHE) Assumption [21]). For unknown a 2 Zq ; given
1
Group members (users) are a set of registered users that Y; aY; a2 Y; . . . ; al Y; P 2 G1 ; it is infeasible to compute eðY; P Þa :
will store their own data into the cloud and share them with
others. In the scheme, the group membership is dynami-
cally changed, due to the new user registration and user 3.1.3 Notations
revocation. Each user has a pair of keys ðpk; skÞ; which is used in the
asymmetric encryption algorithm, and pk needs to be
2.3 Design Goals negotiated with the group manager on the condition that
We describe the main design goals of the proposed scheme no Certificate Authorities and security channels are
involved in. KEY is the private key of the user and is
including key distribution, data confidentiality, access con-
used for data sharing in the scheme. UL is the group user
trol and efficiency as follows:
list which records part of the private keys of the legal
Key distribution. The requirement of key distribution is
group users. DL is the data list which records the identity
that users can securely obtain their private keys from the
of the sharing data and the time that they are updated.
group manager without any Certificate Authorities. In
The description of notation used in our scheme is illus-
other existing schemes, this goal is achieved by assuming
trated in Fig. 2.
that the communication channel is secure, however, in
our scheme, we can achieve it without this strong
3.2 Scheme Description
assumption.
Access control. First, group members are able to use the The scheme of our scheme includes system initialization,
cloud resource for data storage and data sharing. Second, user registration for existing user, file upload, user revoca-
unauthorized users cannot access the cloud resource at any tion, registration for new user and file download.
time, and revoked users will be incapable of using the cloud
resource again once they are revoked. 3.2.1 System Initialization
Data confidentiality. Data confidentiality requires that The group manager takes charge of this operation. He gener-
unauthorized users including the cloud are incapable of ates a bilinear map group system S ¼ ðq; G1 ; G2 ; eð; ÞÞ; then
learning the content of the stored data. To maintain the selects two random elements P; G 2 G1 and a number g 2 Zq ;
availability of data confidentiality for dynamic groups is then computes W ¼ g P; Y ¼ g G and Z ¼ e ðG; P Þ: At last,
still an important and challenging issue. Specifically, the group manager publishes the parameters ðS; P; W;
revoked users are unable to decrypt the stored data file Y; Z; f; f1 ; EncðÞÞ; where f is hash function: f0; 1g ! Zq ; f1 is
after the revocation. hash function: f0; 1g ! G1 ; and EncðÞ is a symmetric encryp-
Efficiency. Any group member can store and share data tion algorithm. Besides, the group manager will keep the
files with others in the group by the cloud. User revoca- parameters ðg; GÞ as the secret master key.
tion can be achieved without involving the others, which
means that the remaining users do not need to update
3.2.2 Registration for Existing User
their private keys.
As illustrated in Fig. 3, this operation is performed by user,
the group manager and the cloud.
3 THE PROPOSED SCHEME First of all, the user sends IDi ; pk; v1 as a request to
3.1 Preliminaries the group manager, where IDi is the identity of the user,
3.1.1 Bilinear Maps pk is the public key used in the asymmetric encryption
Let G1 and G2 be additive cyclic groups of the same prime algorithm, such as ECC, ac is the account user used to
order q [18]. Let e : G1 G1 ! G2 denote a bilinear map pay for the registration, which is related to the identity
constructed with the following properties: of the user, and v1 2 Zq is a random number selected by
the user.
1) Bilinear: For all a; b 2 Zq and P; Q 2 G1 ; eðaP; bQÞ ¼ On receiving the request, the group manager then choo-
eðP; QÞab : ses a random number r 2 Zq and computes R ¼ eðP; P Þr ;
2) Nondegenerate: There exists a point Q such that U ¼ ðr þ g v1 fðpk k ac k IDi ÞÞ P: At last, the group man-
eðQ; QÞ 6¼ 1: ager sends U; R to the user for verification.
3) Computable: There is an efficient algorithm to com- Then the verification is performed by user through
?
pute eðP; QÞ for any P; Q 2 G1 : checking the equation R eðv1 fðpk k ac kIDi Þ P; W Þ ¼
ZHU AND JIANG: A SECURE ANTI-COLLUSION DATA SHARING SCHEME FOR DYNAMIC GROUPS IN THE CLOUD 43
eðU; P Þ: The user sends the message IDi ; v2 ; AENCsk the group manager generates the message KEY as fol-
ðIDi ; v1 ; acÞ to the group manager after successful verifica- lows when the IDi message matches the identity in the
tion, where v2 2 Zq is a random number, AENCðÞ is a asym- first step:
metric encryption algorithm, such as ECC, and sk is the The group manager selects a random number xi 2 Zq
corresponding private key to the public key pk used in the and computes the following equations:
asymmetric encryption algorithm. 8
< Ai ¼ g þ xi P 2 G1
1
The group manager compares the received IDi mes-
xi
sage with the identity IDi computed by decrypting B ¼ G 2 G1 (1)
: i g þ xi
AENCsk ðIDi ; v1 ; acÞ: In addition, the group manager veri- Vi ¼ fðBi Þ
fies if the decrypted number v1 is equal to the random
number v1 in the first step. After successful verifications, ðxi ; Ai ; Bi Þ constructs the message KEY:
Q Pm
TABLE 1 function fp ðxÞ ¼ m j¼1 ðx Vj Þ ¼ i¼0 ai x ðmod qÞ and the
i
Group User List
exponential function fW0 ; . . . ; Wm g ¼ fGa0 ; . . . ; Gam g: After
IDgroup A1 x1 that, the group manager selects a random re-encryption key
A2 x2 Kr and constructs EK ¼ fKr W0 ; . . . ; Wm g: Finally, the
group manager encrypts cipher-text CE ¼ fC1 ; C2 ; C gKr
Ar xr tul sig (UL)
with the re-encryption key and sends DF ¼ ðIDgroup ;
IDdata ; CE; EK; tdata Þ; s DF g to the cloud, where tdata is the
time that the data file is uploaded and s DF ¼ gf1 ðDF Þ is the
The group manager then sends the encrypted message
signature of the group manager for the data file.
AENCpk ðKEY; v2 Þ to user and stores ðxi ; Ai ; Vi ; IDi Þ in the
In addition, the group manager also sends the data list to
local storage space. In addition, the group manager adds
the cloud in order to let the users verify the freshness of the
ðAi ; xi Þ to the group user list UL, which is illustrated in
data file. As illustrated in Table 2, the group manager adds
Table 1. To guarantee the freshness of the group user list, the
ðIDdata ; tdata Þ and the current time tDL to the data list DL. To
group manager adds a time stamp tul to it. Then the group
guarantee that both users can obtain the latest version of
manager signs his signature sigðULÞ ¼ gf1 ðULÞ and sends
data file and the cloud can update the data file, the group
the group user list to the cloud. The cloud verifies the signa-
?
manager updates the data list everyday. At last, the group
ture by checking the equation eðW; f1 ðULÞÞ ¼ eðP; sigðULÞÞ manager adds his signature sigðDLÞ ¼ gf1 ðDLÞ to the data
and stores the group user list, which is only available for the list and sends the data list to the cloud for storage.
cloud, in the cloud after successful verification. Finally, on receiving the message, the cloud verifies the
Finally, the user decrypts the message AENCpk ðKEY; v2 Þ identity of the group manager by checking the equation
by his private key in ECC and then he can obtain his private ?
eðW; f1 ðDF ÞÞ ¼ eðP; s DF Þ and stores the message after suc-
key ðxi ; Ai ; Bi Þ: After successful registration, the user
cessful verification.
becomes a group member.
3.2.4 User Revocation
3.2.3 File Upload User revocation is performed by the group manager and the
The operation of file upload is performed as illustrated in cloud, which is illustrated in Fig. 5.
Fig. 4. When a user i with identity IDi is revoked, the group
First of all, the group member chooses a unique data file manager performs the following operations:
identity IDdata and a random number k 2 Zq ; then computes
these parameters as the following equation: 1) Removing user i from the group user list in the local
storage space and updating the group user list which
8 is stored in the cloud.
>
> C1 ¼ k Y 2 G1
< 2) Checking the new group user list, suppose that there
C2 ¼ k P 2 G1
(2) are m legal group members in the list. According
> K ¼ Z k 2 G2
>
: to the list, group manager then
C ¼ EncK ðMÞ: Q constructs the
new polynomial function fp0 ðxÞ ¼ j6¼i m j¼1 ðx Vj Þ ¼
P m1 j
Then the group member encrypts ðIDdata ; C1 ; C 2 ; C; tdata Þ a
j¼0 j x ðmod qÞ and the new exponential function
with his private key Bi ; where tdata is the real time stamp. fW0 ; . . . ; Wm1 g ¼ fG ; . . . ; G
a0 am1
g; where G 2 G1 :
0
At last, the group member sends EncBi ðIDdata ; C1 ; C 2 ; 3) Selecting a new random 0 re-encryption key Kr and
C; tdata Þ to the group manager. constructing EK ¼ Kr W0 ; . . . ; Wm1 :
After getting this message EncBi ðIDdata ; C1 ; C 2 ; C; tdata Þ; 4) Computing cipher-text CE ¼ fC1 ; C2 ; C gKr0 with the
the group manager decrypts it and gets ðIDdata ; C1 ; C 2 ; CÞ; new re-encryption key Kr0 :
then the group manager checks the legal group members in 5) Signing his signature sðDF Þ to the modified message
his local storage space and if Bi is the private key of a legal DF ¼ ðIDgroup ; IDdata ; CE; EK; t0data Þ; where t0data is
user, then the group manager constructs the polynomial the time stamp.
of the re-encryption, the group member computes v1 fðpk jj ac jj IDi ÞÞ P for unknown g 2 Zq : However,
Vi ¼ fðBi Þ with his private key, then he computes the re- this contradicts with the DDHP assumption. Therefore,
Q j
the user can verify the identity of the group manager
encryption key Kr W0 m j¼1 ðWj Þ
Vi
¼ Kr Gfp ðVi Þ ¼ Kr :
Finally, the group member decrypts CE and gets fC1 ; by the verification equation above and they can securely
C2 ; Cg: For the decryption of the first encryption, the negotiate the public key without any Certificate Authori-
^ ¼ eðC1 ; AÞeðC2 ; BÞ; and the ties and secure communication channels.
group member computes K
In addition, our scheme can guarantee the user and
member can decrypt the correct ciphertext due to the fol-
the group manager obtain the correct message which is
lowing equation:
sent by the legal communication entity. As illustrated in
^ ¼ eðC1 ; AÞeðC2 ; BÞ
K Fig. 3, in the third step of user registration, the group
manager performs verifications after receiving the mes-
1 x
¼ e k Y; P e k P; G sage from the user. First of all, he decrypts AENCsk
gþx gþx (3)
kg
ðIDi ; v1 ; acÞ and obtains IDi ; v1 : Then he compares them
kx
¼ eðG; P Þ gþx eðP; GÞ gþx with the received IDi message and the random number
v1 in the first step. If either of them is not equal, the man-
¼ Z ¼ K:
k
ager stops the registration and informs the user to send
new request in the third step. Moreover, the user sends a
Finally, the group member can decrypt the encrypted
random number v2 to the manager and the manager
data C and get the original data file M by leveraging the
^ encrypts it with the public key pk: Therefore, the attacker
encryption key K:
cannot cheat the legal users and our scheme can be pro-
tected from replay attack. u
t
4 SECURITY ANALYSIS
In this section, we prove the security of our scheme in terms 4.2 Access Control
of key distribution, access control and data confidentiality.
Theorem 2. Benefited from the group user list, which is generated
4.1 Key Distribution by the group manager, our scheme can achieve efficient access
control.
Theorem 1. In our scheme, the communication entities can
securely negotiate the public key pk and distribute the private Proof. The access control is based on the security of the group
key KEY ¼ fxi ; Ai ; Bi g to users without any Certificate user list, which is signed by the group manager with his
Authorities and secure communication channels. signature sigðULÞ ¼ gf1 ðULÞ and this operation is gener-
ally performed by the cloud. The cloud verifies the identity
Proof. As illustrated in Fig. 3, in the phase of user registra- of the group manager by checking the equation eðW;
tion, the user sends his public key pk and a random num- ?
ber v1 2 Zq to the group manager with his identity IDi . f1 ðULÞÞ ¼ eðP; sigðULÞÞ: The correctness of above verifica-
tion equation is based on the following relation:
Then the group manager computes corresponding value
U; R: Moreover, the user can verify the identity of the eðW; f1 ðULÞÞ ¼ eðgP; f1 ðULÞÞ
group manager by the equation R eðv1 fðpk jj ac jj IDi Þ
?
¼ eðP; f1 ðULÞÞg
P; W Þ ¼ eðU; P Þ: The pk becomes the negotiated public (5)
¼ eðP; gf1 ðULÞÞ
key after successful verification equation. Then the group
manager can securely distribute the private key KEY; ¼ eðP; sigðULÞÞ:
which is used for data sharing, to users with the help of
negotiated public key and without any Certificate Suppose that an attacker can forge the signature,
Authorities and secure communication channels. The which means that given P; g P; he needs to compute g;
correctness of the above verification equation is elabo- where g 2 Zq : However, this contradicts with BDHP
rated in equation (4). assumption. Therefore, there is no one except the group
manager that can modify and update the group user list
R eðv1 fðpk jj ac jj IDi Þ P; W Þ to make sure that the resources in the cloud is available
¼ eðP; P Þr eðv1 fðpk jj ac jj IDi Þ P; W Þ for the legal users and unavailable for the revoked users
and attackers. u
t
¼ eðP; P Þr eðv1 fðpk jj ac jj IDi Þ P; gP Þ
¼ eðP; P Þr eðg v1 fðpk jj ac jj IDi Þ P; P Þ
(4) 4.3 Data Confidentiality
¼ eðP; P Þr eðP; P Þgv1 fðpk jj ac jj IDi Þ Theorem 3. Our scheme can protect data confidentiality, the
¼ eðP; P Þrþgv1 fðpk jj ac jj IDi Þ cloud is unable to learn the content of the stored files
¼ eððr þ g v1 fðpk jj ac jj IDi ÞÞP; P Þ DF ¼ ðIDgroup ; IDdata ; CE; EK; tdata Þ even under the collu-
sion with the revoked users.
¼ eðU; P Þ:
Proof. Theorem 3 can be deduced from the following two
lemmas. u
t
If an attacker wants to pass the verification, he needs
to compute U ¼ ðr þ g v1 fðpk jj ac jj IDi ÞÞ P; which Lemma 3.1. The cloud is unable to learn the content of the stored
means that given P; R; he needs to compute U ¼ ðr þ g files DF ¼ ðIDgroup ; IDdata ; CE; EK; tdata Þ:
ZHU AND JIANG: A SECURE ANTI-COLLUSION DATA SHARING SCHEME FOR DYNAMIC GROUPS IN THE CLOUD 47
TABLE 3
Security Performance Comparison
Proof. First of all, the cloud cannot obtain the re-encryption we can know that the revoked user cannot recover the re-
0
key, even the cloud can get the re-encryption key, then encryption key due to the equation Kr0 Gfp ðVi Þ 6¼ Kr0 . Sup-
he can get ðC1 ; C2 ; CÞ; where C1 ¼ k Y; C2 ¼ k P; K ¼ pose that the revoked user can compute the re-encryption
Z k ; C ¼ EncK ðMÞ: Suppose that the cloud can compute key, which means that given Kr0 W0 ; he can compute Kr0 :
the encryption key, which means that given C1 ¼ k Y; P; Obviously, this contradicts with the BDHP assumption.
1
for unknown a; the cloud can compute eðC1 ; P Þa ¼ In addition, to make sure that the cloud updates the
eðG; P Þk ¼ K: However, this contradicts with WBDHE data files, the group manager adds a time stamp tdata to
assumption which is mentioned in [11]. u
t the data files and signs his signature s DF ¼ gf1 ðDF Þ for
verification. Moreover, the group manager updates the
Lemma 3.2. Even under the collusion with the revoked users, the data file list by using his signature sigðDLÞ ¼ gf1 ðDLÞ
cloud is incapable of learning the content of the stored files for the verifications of group members. Therefore, the
DF ¼ ðIDgroup ; IDdata ; CE; EK; tdata Þ: keys that the revoked users hold cannot be used to
Proof. When a user is revoked, the group manager updates decrypt the re-encryption data files anymore since the
the data files stored in the cloud with a new re-encryp- users are revoked. Thus the cloud is unable to learn the
tion key Kr0 and constructs the new polynomial function content of the stored files even under the collusion with
Q P m1 j the revoked users. u
t
fp0 ðxÞ ¼ j6¼i m
j¼1 ðx Vj Þ ¼ j¼0 aj x ðmod qÞ and the
new exponential function fW0 ; . . . ; Wm1 g ¼ fGa0 ; . . . ;
Gam1 g: From the original polynomial function in the 4.4 Security Comparison
phase of file upload, we can obtain that when x ¼ In general, our scheme can achieve secure key distribution,
Vi ; 8i 2 ½1; m; then fine access control and secure user revocation. For clearly
seeing the advantages of security of our proposed scheme,
X
m as illustrated in Table 3, we list a table compared with
a0 þ a1 x þ a2 x2 þ þ am xm ¼ ai xi Mona, which is Liu et al.’s scheme, the RBAC scheme,
i¼0
which is Zhou et al.’s scheme and ODBE scheme, which is
¼ fp ðxÞ p
Delerablee et al.’s scheme. The in the blank means the
Ym
scheme can achieve the corresponding goal.
¼ ðx Vj Þ
j¼1
Y
m 5 PERFORMANCE EVALUATION
¼ ðVi Vj Þ 8i 2 ½1; m We make the performance simulation with NS2 and com-
j¼1
pare with Mona in [10] and the original dynamic broadcast
¼ 0: encryption (ODBE) scheme in [12]. Without loss of general-
(6) ity, we set p ¼ 160 and the elements in G1 and G2 to be 161
and 1,024 bits, respectively. In addition, we assume the size
And for other values of x; the value of the polynomial of the data identity is 16 bits, which yield a group capacity
function is not zero. of 216 data files. Similarly, the size of user and group iden-
At last, the group manager constructs EK ¼ Kr0 tity are also set 16 bits. Both group members and group
W0 ; . . . ; Wm1 g and sends it to the cloud with a signature so managers processes are conducted on a laptop with Core 2
that others cannot fake it. Only the legal users can recover T5800 2.0 GHz, DDR2 800 2 G, Ubuntu 12.04 X86. The cloud
the re-encryption key due to the following equation: process is implemented on a laptop with Core i7-3630
Y
m1 Y
m1 2.4 GHz, DDR3 1600 8 G, Ubuntu 12.04 X64. We select an
j j
Kr W0 ðWj ÞVi ¼ Kr Ga0 ðGÞaj Vi elliptic curve with 160 bits group order.
j¼1 j¼1
¼ Kr G a0 þa1 Vi þa2 Vi2 þþam Vim1 (7) 5.1 Member Computation Cost
0 As illustrated in Fig. 7, we list the comparison on computa-
¼ Kr Gfp ðVi Þ tion cost of members for file upload among ODBE, RBAC,
¼ Kr : Mona and our scheme. It is obviously observed that the
computation cost for members in our scheme is irrelevant to
When a user is revoked, the group manager constructs the number of revoked users. The reason is that in our
new polynomial function fp0 ðxÞ: From the equation above, scheme, we move the operation of user revocation to the
48 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 27, NO. 1, JANUARY 2016
Fig. 7. Comparison on computation cost of members for file upload among ODBE, RBAC, Mona and our scheme.
Fig. 8. Comparison on computation cost of members for file download among ODBE, RBAC, Mona and our scheme.
Fig. 9. Comparison on computation cost of members for file upload among RBAC, Mona and our scheme.
group manager so that the legal clients can encrypt the data The computation cost of members for file download
files alone without involving information of other clients, operations with the size of 10 and 100 Mbytes are illus-
including both legal and revoked clients. On the contrary, trated in Fig. 8. The computation cost is irrelevant to the
the computation cost increases with the number of revoked number of revoked users in RBAC scheme. The reason is
users in ODBE. The reason is that several operations includ- that no matter how many users are revoked, the opera-
ing point multiplications and exponentiations have to be tions for members to decrypt the data files almost remain
performed by clients to compute the parameters in ODBE. the same. The computation cost in Mona increases with
ZHU AND JIANG: A SECURE ANTI-COLLUSION DATA SHARING SCHEME FOR DYNAMIC GROUPS IN THE CLOUD 49
Fig. 10. Comparison on computation cost of the cloud for file download among RBAC, Mona and our scheme.
[9] B. Waters, “Ciphertext-policy attribute-based encryption: An Zhongma Zhu is a student in the Department of
expressive, efficient, and provably secure realization,” in Proc. Int. Information Science and Engineering, Southeast
Conf. Practice Theory Public Key Cryptography Conf. Public Key Cryp- University, China. He majored in information
tography, 2008, pp. 53–70. security, mainly engaged in cloud storage secu-
[10] X. Liu, Y. Zhang, B. Wang, and J. Yang, “Mona: Secure multi- rity protocols research.
owner data sharing for dynamic groups in the cloud,” IEEE Trans.
Parallel Distrib. Syst., vol. 24, no. 6, pp. 1182–1191, Jun. 2013.
[11] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity based
encryption with constant size ciphertext,” in Proc. Annu. Int. Conf.
Theory Appl. Cryptographic Techn., 2005, pp. 440–456.
[12] C. Delerablee, P. Paillier, and D. Pointcheval, “Fully collusion
secure dynamic broadcast encryption with constant-size Ci-pher-
texts or decryption keys,” in Proc. 1st Int. Conf. Pairing-Based Cryp-
tography, 2007, pp. 39–59. Rui Jiang received the PhD degree from Shang-
[13] Z. Zhu, Z. Jiang, and R. Jiang, “The attack on mona: Secure multi- hai Jiaotong University, Shanghai, China, in
owner data sharing for dynamic groups in the cloud,” in Proc. Int. 2005. He is currently an associate professor at
Conf. Inf. Sci. Cloud Comput., Dec. 7, 2013, pp. 185–189. Southeast University, China. His current research
[14] L. Zhou, V. Varadharajan, and M. Hitchens, “Achieving secure interests include secure analysis and design of
role-based access control on encrypted data in cloud storage,” communication protocols, secure mobile cloud
IEEE Trans. Inf. Forensics Security, vol. 8, no. 12, pp. 1947–1960, computing, secure network and systems commu-
Dec. 2013. nications, mobile voice end-to-end secure com-
[15] X. Zou, Y.-S. Dai, and E. Bertino, “A practical and flexible key munications, and applied cryptography.
management mechanism for trusted collaborative computing,”
in Proc. IEEE Conf. Comput. Commun., 2008, pp. 1211–1219.
[16] M. Nabeel, N. Shang, and E. Bertino, “Privacy preserving policy
based content sharing in public clouds,” IEEE Trans. Know. Data
Eng., vol. 25, no. 11, pp. 2602–2614, Nov. 2013. " For more information on this or any other computing topic,
[17] D. Dolev and A. C. Yao, “On the security of public key protocols,” please visit our Digital Library at www.computer.org/publications/dlib.
IEEE Trans. Inf. Theory, vol. IT-29, no. 2, pp. 198–208, Mar. 1983.
[18] B. Dan and F. Matt, “Identity-based encryption from the weil
pairing,” in Proc. 21st Annu. Int. Cryptol. Conf. Adv. Cryptol., 2001,
vol. 2139, pp. 213–229.
[19] B. Den Boer, “Diffie–Hellman is as strong as discrete log for cer-
tain primes,” in Proc. Adv. Cryptol., 1988, p. 530.
[20] D. Boneh, X. Boyen, and H. Shacham, “Short group signature,”
in Proc. Int. Cryptology Conf. Adv. Cryptology, 2004, pp. 41–55.
[21] D. Boneh, X. Boyen, and E. Goh, “Hierarchical identity based
encryption with constant size ciphertext,” in Proc. Annu. Int. Conf.
Theory Appl. Cryptographic Techn., 2005, pp. 440–456.