A Fast and Secure Scheme for Data Outsourcing in the Cloud

  • Liu, Yanjun (Key Laboratory of Intelligent Computing and Signal Processing of Ministry of Education, School of Computer Science and Technology, Anhui University) ;
  • Wu, Hsiao-Ling (Department of Information Engineering and Computer Science, Feng Chia University) ;
  • Chang, Chin-Chen (Department of Computer Science and Information Engineering, Asia University)
  • Received : 2014.03.14
  • Accepted : 2014.06.18
  • Published : 2014.08.29

Abstract

Data outsourcing in the cloud (DOC) is a promising solution for data management at the present time, but it could result in the disclosure of outsourced data to unauthorized users. Therefore, protecting the confidentiality of such data has become a very challenging issue. The conventional way to achieve data confidentiality is to encrypt the data via asymmetric or symmetric encryptions before outsourcing. However, this is computationally inefficient because encryption/decryption operations are time-consuming. In recent years, a few DOC schemes based on secret sharing have emerged due to their low computational complexity. However, Dautrich and Ravishankar pointed out that most of them are insecure against certain kinds of collusion attacks. In this paper, we proposed a novel DOC scheme based on Shamir's secret sharing to overcome the security issues of these schemes. Our scheme can allow an authorized data user to recover all data files in a specified subset at once rather than one file at a time as required by other schemes that are based on secret sharing. Our thorough analyses showed that our proposed scheme is secure and that its performance is satisfactory.

1. Introduction

At the present time, managing data securely and effectively poses monumental challenges in the area of cryptography. Data outsourcing is a new paradigm in which data are stored onto a trusted, external service provider, such as a cloud storage server. Data outsourcing in the cloud (DOC) is a promising solution for data management because it offers three beneficial features, i.e., 1) it provides on-demand, high-quality service from shared resources; 2) it provides universal data access by data users regardless of their locations; and 3) it reduces the costs of hardware and software [1, 2].

As DOC becomes more and more popular, data owners are storing huge quantities of data in the cloud. However, personal information, transmitted emails, financial data, and other sensitive or confidential data may be disclosed to unauthorized users. Thus, protecting the confidentiality of such data has become a main security issue. One of the most extensively used methods to fulfill this security requirement is to encrypt sensitive data before outsourcing them to prevent unauthorized access. Thus, only authorized users can decrypt the encrypted, outsourced data and obtain the plaintext, and unauthorized users are incapable of acquiring any of the original data.

To date, two approaches for the encryption of outsourced data have been proposed in the literature, and the traditional approach is to use an asymmetric or symmetric cryptosystem to conceal the content of the original data [3-8]. In 2011, Lu and Tsudik [4] proposed a DOC scheme based on an asymmetric cryptosystem to enhance the privacy of data. The scheme prevents the cloud server from knowing any plaintext of the outsourced data. In addition, it provides the data owner with content-level access control. Later, Raykova et al. [5] proposed a two-level, access-control scheme for DOC using a combination of asymmetric and symmetric encryption according to different access policies. Their scheme provides security guarantees for both data owners and data users. Zhou et al. [6] introduced a tree-based, key-management scheme in the cloud outsourcing environment that allows data users to access outsourced data with different levels of access rights. In their scheme, an asymmetric cryptosystem is used to encrypt data in each node with one key and decrypt it with two other keys. To achieve effective utilization of encrypted, outsourced data in the cloud, Wang et al. [7] proposed a ranked searchable symmetric encryption scheme. They showed that their method is secure and preserves the privacy of the data. Recently, Giweli et al. [8] proposed a robust DOC mechanism that integrated asymmetric encryption, symmetric encryption, and the Chinese remainder theorem.

However, along with the explosive growth in the amount of outsourced data and in the number of data users, each user may be authorized to access only a particular subset of data during a certain period of time. This makes the efficiency of data retrieval a very urgent challenge. The aforementioned solutions are not efficient since the computational cost of asymmetric or symmetric encryption/decryption operations is extremely high. Thus, secret sharing is emerging as an approach for the encryption of outsourced data due to its low computational complexity. Unlike the aforementioned encryption/decryption operations, secret sharing does not depend on any encryption/decryption keys. In recent years, only a few researchers [9-11] have focused on the development of DOC schemes based on Shamir’s secret sharing. In the schemes proposed in [9-11], a data file is divided into n pieces shared among n cloud storage servers; knowledge of any t or more pieces can be used to recover the file. The developers of these schemes have claimed that they are secure, but Dautrich and Ravishankar [12] pointed out that all of the three schemes are vulnerable to the collusion attack in which any t colluding servers can recover all files outsourced in the cloud.

Therefore, the objective of the scheme described in this paper was to achieve security and high efficiency at the same time in the context of DOC. We propose a fast and secure DOC scheme based on the concept of Shamir’s secret sharing. The contributions of our proposed protocol are listed below:

The rest of the paper is organized as follows. Section 2 addresses some background information. Section 3 describes the details of our proposed scheme. Security and performance analyses of our proposed protocol are given in Section 4, and our conclusions are presented in Section 5.

 

2. Preliminary Information

In this section, we briefly introduce some essential background information regarding DOC. First, we describe the entities that participate in a typical DOC scheme. Second, we specify the basic security requirements that a DOC scheme should satisfy. Third, we introduce the concept of Shamir’s secret sharing, which is used as the main building block in the design of our proposed DOC scheme.

2.1 Definitions and Entities

Three different entities, i.e., the data owner, the data user, and the cloud storage server, are involved in a classic DOC scheme that can preserve the privacy of the data by managing access to confidential files. The definition and responsibility of each entity are demonstrated as follows:

2.2 Security Requirements

A DOC scheme must satisfy four fundamental security requirements, i.e., data confidentiality, data correctness, query privacy, and collusion-resistance.

2.3 Shamir’s Secret Sharing Mechanism

Since we used the secret sharing mechanism proposed by Shamir in 1979 [13] as a main block in the construction of our proposed scheme, this subsection will thoroughly introduce the concept and principles of Shamir’s secret sharing.

Shamir’s secret sharing is a practical tool for safeguarding keys in the field of cryptography in which a dealer partitions a secret into n shares distributed among n shareholders. Based on the Lagrange interpolating polynomial, t or more shareholders can contribute their shares and cooperatively recover the secret; however, if fewer than t shares are available, the shareholders are unable to reconstruct the secret. Therefore, such a scheme is also called (t, n) Shamir’s secret sharing, denoted as (t, n)-SSS.

Assume that a dealer D wants to share a secret s among n shareholders, {u1, u2,…, un }, in a (t, n)-SSS. As a result, the share generation procedure and the secret reconstruction procedure must be conducted, and they are described as follows.

Share generation procedure

Dealer D constructs the following polynomial:

where p is a prime, t coefficients, a0,a1,a2,…,at-1 , are in the finite field GF(p), and the secret s = a0 = f(0). By choosing n random numbers xi for i = 1,2,…, n , dealer D generates n shares as Si = f(xi) for i = 1,2,…, n . Then, D issues share Si to shareholder ui .

Secret reconstruction procedure

In this procedure, t shareholders can release their shares, {S1,S2,…, St }, to recover the polynomial f(x) generated by the dealer D based on the Lagrange interpolating theorem [13] as follows:

Obviously, the secret s can be reconstructed immediately by s = f(0).

From the above procedures, we can infer that at least t distinct points, i.e., (x1,S1), (x2,S2), …, (xt , St ), are needed to recover a polynomial of degree t-1 in (t, n)-SSS. This scheme has been proven to be unconditionally secure [13-15], and it is used extensively in many applications of information security, such as group key distribution protocols [16-18], group authentication [19], and data outsourcing systems [9-11]. The following example illustrates the execution of a (3, 3)-SSS.

Example 2.1 Given {a0, a1, a2} = {3, 2, 1}, p = 53, and {x1, x2, x3} = {4, 5, 6}, recover the secret s using a (3, 3)-SSS.

In the share generation procedure, dealer D uses three coefficients, a0, a1, and a2, to construct a second-degree polynomial f(x) = 3 + 2x + x^2 mod 53, where the secret s = a0 = 3. Then, D generates three shares, i.e., S1 = f(x1) = 27, S2 = f(x2) = 38, and S3 = f(x3) = 51, and sends Si secretly to shareholder ui. In the secret reconstruction procedure, shareholders u1, u2, and u3 work together to recover the original polynomial f(x) based on the Lagrange interpolation:

Therefore, the secret s can be reconstructed as s = f(0) = 3.

 

3. Our Proposed Scheme

In this section, we propose a fast and secure DOC scheme based on the (n, n)-SSS mechanism. First, we outline the architecture of our proposed scheme, and, then, a detailed description is given.

3.1 Architecture of Our Proposed Scheme

Fig. 1 shows the architecture of our proposed scheme using SSS. Assume that the data owner has a collection of data files to protect. Authorized data users can access different subsets of files depending on their positions and responsibilities in an organization. However, confidential files cannot be disclosed to unauthorized users. In our proposed scheme, the data owner splits a specified subset of files into two types of shares, i.e., public shares and private shares. Public shares are outsourced to the cloud storage servers, while private shares are transmitted to an authorized data user. When an authorized data user wants to access a particular subset of files, he/she submits a request to the cloud storage servers for the outsourced public shares of the files. Upon retrieving the public shares from the cloud storage servers, the data user can combine her/his private shares with the public shares to reconstruct the original files based on the concept of SSS.

Fig. 1. Architecture of our proposed DOC scheme

Our proposed scheme consists of two phases, i.e., 1) the construction phase and 2) the recovery phase. The phases are discussed in detail in Subsections 3.2 and 3.3, respectively.

3.2 Construction Phase

Assume that the data owner maintains a collection of n data files, S = {F1, F2, ⋯, Fn }. Let Aj represent a set of files that an authorized data user can access. Thus, Aj is a subset of S. Assuming that the size of Aj is confined to , there totally exists Aj by combinations of the files. Let , and each Aj is associated with a unique access number, id(Aj ). In addition, there are C cloud storage servers, {H1, H2, ⋯, HC }.

In the construction phase, the data owner takes charge of generating n shares of each specified file subset Aj , including |Aj| private shares and ( n - | Aj |) public shares. Then, the data owner outsources public shares on the corresponding cloud storage server Hj and shares private shares with the authorized data user. The construction phase is executed by the following steps:

3.3 Recovery Phase

Assume that the authorized data user has obtained id( Aj ) and | Aj | private shares (ci , Si ) of Aj satisfying Fi ∈ Aj from the data owner. Thus, the authorized data user can combine private shares and the corresponding public shares to recover the original files in Aj that he/she wants to access.

Remark 1: In the proposed scheme, the size of Set Aj must be subject to the condition that . This is because there are ( n -| Aj |) unknown coefficients to be determined with | Aj | simultaneous equations. If the size of Set Aj exceeds will hold, which indicates that the number of simultaneous equations is equal to or greater than that of unknown coefficients and the unique solution for these coefficients must be determined by setting αj,k = Fk if Fk ∉ Aj . Therefore, it will lead to the consequence that unauthorized users can retrieve the file Fk that they do not have the right to access from the relationship of αj,k = Fk if Fk ∉ Aj . This violates the concept of our proposed scheme. Otherwise, if , are infinite possible solutions for unknown coefficients and an appropriate solution that satisfies αj,k = Fk if Fk ∉ Aj for 1 ≤ k ≤ n can be selected.

Remark 2: In the construction phase, the data owner generates a polynomial fj (x) of degree n-1 that conceals all of the confidential files in Aj that the authorized data user can access. Then, the authorized data user can recover fj (x) successfully through the n shares he/she holds based on the (n, n)-SSS mechanism. Therefore, all files in Aj are obtained at once in our proposed scheme. However, in other related schemes, only one file at a time can be derived from Aj since a single polynomial contains only one file. This is the major advantage of our scheme over other schemes based on secret sharing, and it can lead to a higher efficiency.

3.4 Example

Assume that the data owner maintains five ( n = 5 ) files, i.e., F1 = 10, F2 = 9, F3 = 8, F4 = 7, and F5 = 6. Since there is a total of five files, an authorized user can access, at most, files, which indicates that | Aj | = 1 or 2 and that U = { Aj }1≤j≤15 . More specifically, U = {A1 = {F1}, A2 = {F2}, A3 = {F3}, A4 = {F4}, A5 = {F5}, A6 = {F1,F2}, A7 = {F1,F3}, A8 = {F1,F4}, A9 = {F1,F5}, A10 = {F2,F3}, A11 = {F2,F4}, A12 = {F2,F5}, A13 = {F3,F4}, A14 = {F3,F5}, A15 = {F4,F5}}. We just choose how to access A5 and A6 as two scenarios to show the process of our proposed scheme.

Example 3.1

Construction phase

The data owner constructs the polynomial f(x) = 10 + 9x + 8x^2 + 7x^3 + 6x^4 mod 31. Then, he/she generates five private shares, (c1, S1) = (1,9), (c2, S2) = (2,26), (c3, S3) = (3,29), (c4, S4) = (4,19), and (c5, S5) = (5,13).

The data owner also generates 15 additional polynomials. Among them, f5(x) and f6(x) are shown as follows:

in which fj (x) contains the information of Aj . To determine the coefficients in (3), the data owner lets f5(x) pass through the point (c5, S5), and f6(x) pass through two points (c1, S1) and (c2, S2). Consequently, (3) becomes (4).

Because αjk ≠ Fk for 1 ≤ j ≤ 15 and 1 ≤ k ≤ 5, an appropriate solution of the unknown coefficients is listed as follows: α5,1 = 7, α5,2 = 11, α5,3 = 14, α5,4 = 5, α6,3 = 12, α6,4 = 1, and α6,5 = 8. After that, the data owner outsources id( Aj ) and public shares of Aj to the cloud storage server Hj , where 1 ≤ j ≤ 15. The data owner also sends id( Aj ) and private shares of Aj to the authorized data user. Table 1 lists the crucial information associated with A5 and A6 in the construction phase.

Table 1. Information associated with A5 and A6 in Example 3.1

Recovery phase

Assume that an authorized data user wants to access A5 = {F5 = 6} and that he/she submits id( A5 ) to the cloud storage server H5. H5 returns four public shares of A5 (as shown in Table 1) to the data user. Finally, the data user uses private share (5, 13) and public shares to recover polynomial f5(x) as follows:

Therefore, the data user is able to obtain F5 = 6. Similarly, if an authorized data user wants to access A6 = {F1 = 10, F2 = 9}, he/she can reconstruct f6(x) by using private and public shares (as shown in Table 1) as follows:

Therefore, the data user is able to obtain F1 = 10 and F2 = 9.
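The sharing and recovery steps of Examples 2.1 and 3.1, as an added Python example that is not code from the paper; function names are illustrative. It uses the moduli, coefficients and private shares (c1, S1), (c2, S2), (c5, S5) given above, while the public-share x-coordinates (6 to 9) are constructed here as an assumption, and `server_candidates` additionally checks what the four public shares of A5 alone determine about F5.

```python
# Added example, not the paper's code; function names are illustrative.
# Assumption: public-share x-coordinates 6..9 are constructed for this demo.

def poly_eval(coeffs, x, p):
    """Evaluate a0 + a1*x + ... (low-order first) mod p, Horner's rule."""
    acc = 0
    for a in reversed(coeffs):
        acc = (acc * x + a) % p
    return acc

def interpolate(points, p):
    """Lagrange interpolation over GF(p); coefficients low-order first."""
    xs = [x % p for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("share x-coordinates must be distinct mod p")
    coeffs = [0] * len(points)
    for i, (xi, yi) in enumerate(points):
        basis, denom = [1], 1
        for j, xj in enumerate(xs):
            if j == i:
                continue
            # basis *= (x - xj); denom *= (xi - xj)
            basis = [(lo - xj * hi) % p
                     for lo, hi in zip([0] + basis, basis + [0])]
            denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for k, b in enumerate(basis):
            coeffs[k] = (coeffs[k] + scale * b) % p
    return coeffs

P = 31                     # modulus of Example 3.1
FILES = [10, 9, 8, 7, 6]   # F1..F5, the coefficients of f(x)

def construct(subset, alphas, public_xs):
    """Data owner: build f_j for A_j = `subset` (1-based file indices).
    alphas maps k -> alpha_{j,k} for each F_k outside A_j."""
    n = len(FILES)
    fj = [FILES[k - 1] if k in subset else alphas[k] % P
          for k in range(1, n + 1)]
    if any(k not in subset and fj[k - 1] == FILES[k - 1]
           for k in range(1, n + 1)):
        raise ValueError("alpha_{j,k} must differ from F_k outside A_j")
    # Private share of F_i is (c_i, S_i) = (i, f(i)), as in Example 3.1.
    private = [(c, poly_eval(FILES, c, P)) for c in sorted(subset)]
    if any(poly_eval(fj, c, P) != s for c, s in private):
        raise ValueError("f_j must pass through the private shares")
    if len(public_xs) != n - len(subset) or set(public_xs) & set(subset):
        raise ValueError("need n - |A_j| public points at fresh x values")
    return private, [(x, poly_eval(fj, x, P)) for x in public_xs]

def recover(subset, private, public):
    """Data user: interpolate f_j from all n shares, read the files of A_j."""
    fj = interpolate(private + public, P)
    return {k: fj[k - 1] for k in sorted(subset)}

def server_candidates(public, p):
    """Server view for |A_j| = 1 with the file in the top coefficient (A5):
    list every value v for which some polynomial fits its n-1 shares."""
    top, fits = len(public), []
    for v in range(p):
        rest = interpolate([(x, (y - v * pow(x, top, p)) % p)
                            for x, y in public], p)
        if all(poly_eval(rest + [v], x, p) == y for x, y in public):
            fits.append(v)
    return fits

def example_2_1():
    p, f, xs = 53, [3, 2, 1], [4, 5, 6]
    shares = [(x, poly_eval(f, x, p)) for x in xs]
    return shares, interpolate(shares, p)[0]      # (shares, secret s)

def example_3_1():
    a5 = construct({5}, {1: 7, 2: 11, 3: 14, 4: 5}, [6, 7, 8, 9])
    a6 = construct({1, 2}, {3: 12, 4: 1, 5: 8}, [6, 7, 8])
    return recover({5}, *a5), recover({1, 2}, *a6), a5, a6

if __name__ == "__main__":
    print(example_2_1(), example_3_1()[:2])
```

With only the four public shares of A5, every value of GF(31) remains a consistent candidate for F5, which is the (n, n) property the scheme relies on.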

 

4. Analyses

In this section, we analyze the security and performance of our proposed scheme. First, we show that our proposed scheme can achieve fundamental security requirements. Then, the performances of our proposed scheme and other related schemes are compared.

4.1 Security Analysis

Here, we show that our proposed scheme can satisfy four fundamental security requirements, i.e., data confidentiality, data correctness, query privacy, and collusion-resistance.

(1) Data confidentiality

Our proposed scheme can ensure the confidentiality of the data based on the fact that n shares must be collected to recover the secret in the (n, n)-SSS. Assume that l represents the size of a particular subset of files, Aj , that an authorized data user wants to access. In our proposed scheme, the data owner outsources only (n - l) public shares of this subset of files on the cloud storage server Hj . Therefore, the curious Hj cannot recover the original subset of files through the stored public shares since it does not have the other l private shares shared by the data owner and the data user. Furthermore, even if an outside attacker intrudes on the cloud storage servers and observes public shares, he/she cannot obtain the correct files for the same reason.

(2) Data correctness

If a data user is authorized to access a certain subset of files, he/she submits the access number of this subset to the corresponding cloud storage server to request (n - l) outsourced public shares of this subset. Upon receiving the public shares, the user can recover the correct subset of files by combining the l private shares that were obtained from the data owner secretly in the construction phase with (n - l) public shares based on (n, n)-SSS. Therefore, in our proposed scheme, the correctness of (n, n)-SSS determines the correctness of the data. However, if a data user attempts to retrieve the files that he/she does not have the right to access, he/she will learn nothing about the files because he/she does not know their private shares.

(3) Query privacy

In our proposed scheme, each Aj that contains file information is assigned an access number, i.e., id( Aj ), and the data user submits id( Aj ) to request public shares of Aj . Since the public shares of Aj have no direct relationship with Aj and do have such a relationship with id( Aj ), neither a cloud storage server nor an outside attacker can determine the subset of files to which these public shares belong. Thus, query privacy is achieved in our proposed scheme.

(4) Collusion-resistance

In our method, only (n - l) public shares of a specified subset of files are outsourced to a cloud storage server. Thus, each cloud storage server cannot recover a polynomial of degree n-1 to obtain all files in the subset at once, since these shares are not sufficient. If multiple cloud storage servers collude, they still cannot obtain any file. This is because different cloud storage servers store public shares of different subsets of files; even if they exchange their shares, they cannot collect enough shares of a single subset. Therefore, a collusion attack cannot be launched successfully.

Comparisons of the security provided by our proposed scheme and other SSS-based schemes [9-11] are provided in Table 2. From the results in Table 2, we can infer that our proposed scheme can satisfy all security requirements mentioned in Subsection 2.2, while the other schemes are unable to resist collusion attacks [12].

Table 2. Comparisons among different schemes

4.2 Performance Analysis

In this section, we evaluate the performance of our proposed scheme. According to the introduction described in Section 1, so far, there are two types of DOC schemes in the literature, one based on asymmetric or symmetric cryptosystem and the other based on SSS. One symmetric cryptosystem (DES) was about 100 times faster than one asymmetric cryptosystem (RSA-1024), and one SSS is 26 times faster than one symmetric cryptosystem [20]. Therefore, the computational cost of the schemes based on SSS is much lower than that of schemes based on asymmetric or symmetric cryptosystems. Table 2 compares the performances of our proposed scheme and other schemes [9-11], all of which are based on SSS. Since there is no significant difference in the computational costs of these schemes, we only compare the communication cost in Table 2. Let l denote the size of a particular subset of files that an authorized data user wants to access, where . Table 2 shows that recovering all l files in a subset requires l×t public shares in l rounds of transmission in the schemes proposed in [9-11], while our proposed scheme requires only n−l public shares at once to complete the same task. Thus, our proposed scheme can reduce the communication cost significantly compared to other schemes.

 

5. Conclusions

In this paper, we proposed a novel DOC scheme based on Shamir’s secret sharing mechanism. Unlike other DOC schemes based on secret sharing, our scheme can allow an authorized data user to recover all data files in a specified subset at once rather than one file at a time. Our proposed scheme can achieve all basic security requirements, such as data confidentiality, data correctness, query privacy, and collusion-resistance. Performance analyses demonstrated that the performance of our proposed scheme exceeded the performances of other related schemes.

References

  1. M. N. O. Sadiku, S. M. Musa and O. D. Momoh, "Cloud computing: opportunities and challenges," IEEE Potentials, vol. 33, no. 1, pp. 34-36, 2014. https://doi.org/10.1109/MPOT.2013.2279684
  2. M. Armbrust, A. Fox, R. Griffith, A. D. Joseph, R. H. Katz, A. Konwinski, G. Lee, D. A. Patterson, A. Rabkin and M. Zaharia, "Above the clouds: a Berkeley view of cloud computing," University of California, Berkeley, Technical Report No. UCB/EECS-2009-28, Feb. 2009.
  3. J. Hur and D. K. Noh, "Attribute-based access control with efficient revocation in data outsourcing systems," IEEE Transactions on Parallel and Distributed Systems, vol. 22, no. 7, pp. 1214-1221, 2011. https://doi.org/10.1109/TPDS.2010.203
  4. Y. Lu and G. Tsudik, "Enhancing data privacy in the cloud," Proceedings of IFIP Advances in Information and Communication Technology, Copenhagen, Denmark, pp. 117-132, 2011. PMCid:PMC3630519
  5. M. P. Raykova, S. M. Bellovin and H. Zhao, "Privacy enhanced access control for outsourced data sharing," Proceedings of Financial Cryptography and Data Security, Kralendijk, Bonaire, pp. 223-238, Mar. 2012.
  6. M. Zhou, Y. Mu, W. Susilo, J. Yan and L. Dong, "Privacy enhanced data outsourcing in the cloud," Journal of Network and Computer Applications, vol. 35, no. 4, pp. 1367-1373, 2012. https://doi.org/10.1016/j.jnca.2012.01.022
  7. C. Wang, N. Cao, K. Ren and W. Lou, "Enabling secure and efficient ranked keyword search over outsourced cloud data," IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 8, pp. 1467-1479, 2012. https://doi.org/10.1109/TPDS.2011.282
  8. N. Giweli, S. Shahrestani and H. Cheung, "Enhancing data privacy and access anonymity in cloud computing," Communications of the IBIMA, article in press, 2013.
  9. M. A. Hadavi and R. Jalili, "Secure data outsourcing based on threshold secret sharing; towards a more practical solution," Proceedings of the 36th International Conference on Very Large Data Bases, Singapore, pp. 54-59, Sep. 2010.
  10. D. Agrawal, A. A. El, F. Emekci, A. Metwally and S. Wang, "Secure data management service on cloud computing infrastructures," Proceedings of Service and Application Design Challenges in the Cloud, pp. 57-80, 2011.
  11. X. Tian, C. Sha, X. Wang and A. Zhou, "Privacy preserving query processing on secret share based data storage," Proceedings of the 16th International Conference on Database Systems for Advanced Applications, Hong Kong, China, pp. 108-122, Apr. 2011.
  12. J. L. Dautrich and C. V. Ravishankar, "Security limitations of using secret sharing for data outsourcing," Proceedings of the 26th Annual IFIP WG 11.3 Conference on Data and Applications Security and Privacy, Paris, France, pp. 145-160, Jul. 2012.
  13. A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612-613, 1979. https://doi.org/10.1145/359168.359176
  14. G. R. Blakley, "Safeguarding cryptographic keys," Proceedings of American Federation of Information Processing Societies National Computer Conference, New York, USA, vol. 48, pp. 313-317, Nov. 1979.
  15. L. Harn and C. Lin, "Strong (n, t, n) verifiable secret sharing scheme," Information Sciences, vol. 180, no. 16, pp. 3059-3064, 2010. https://doi.org/10.1016/j.ins.2010.04.016
  16. C. Guo and C. C. Chang, "An authenticated group key distribution protocol based on the generalized Chinese remainder theorem," International Journal of Communication Systems, article in press, 2012.
  17. L. Harn and C. Lin, "Authenticated group key transfer protocol based on secret sharing," IEEE Transactions on Computers, vol. 59, no. 6, pp. 842-846, 2010. https://doi.org/10.1109/TC.2010.40
  18. Y. Liu, L. Harn and C. C. Chang, "An authenticated group key distribution mechanism using theory of numbers," International Journal of Communication Systems, article in press, 2013, DOI: 10.1002/dac.2569.
  19. L. Harn, "Group authentication," IEEE Transactions on Computers, vol. 62, no. 9, pp. 1893-1898, 2013. https://doi.org/10.1109/TC.2012.251
  20. B. Schneier, Applied cryptography, protocols, algorithms, and source code in C, 2nd Edition, John Wiley and Sons Inc., New York, U.S.A., 1996.