Professional Documents
Culture Documents
Access Control Related Paper
Access Control Related Paper
Abstract—Cloud computing provides an efficient and convenient platform for cloud users to store, process and control their data.
Cloud overcomes the bottlenecks of resource-constrained user devices and greatly releases their storage and computing burdens.
However, due to the lack of full trust in cloud service providers, the cloud users generally prefer to outsource their sensitive data in an
encrypted form, which, however, seriously complicates data processing, analysis, as well as access control. Homomorphic encryption
(HE) as a single key system cannot flexibly control data sharing and access after encrypted data processing. How to realize various
computations over encrypted data in an efficient way and at the same time flexibly control the access to data processing results has
been an important challenging issue. In this paper, we propose a privacy-preserving data processing scheme with flexible access
control. With the cooperation of a data service provider (DSP) and a computation party (CP), our scheme, based on Paillier’s partial
homomorphic encryption (PHE), realizes seven basic operations, i.e., Addition, Subtraction, Multiplication, Sign Acquisition, Absolute,
Comparison, and Equality Test, over outsourced encrypted data. In addition, our scheme, based on the homomorphism of attribute-
based encryption (ABE), is also designed to support flexible access control over processing results of encrypted data. We further prove
the security of our scheme and demonstrate its efficiency and advantages through simulations and comparisons with existing work.
1 INTRODUCTION
this protocol must be executed for each data request, thus it any input. It lays a technical foundation for many problems,
is inefficient. Attribute-based encryption (ABE) is an effec- such as database query, intrusion detection and data mining
tive tool to support fine-grained access control and multi- with privacy preservation [8]. Several schemes [26], [27]
user access. It has been applied in many application scenar- based on the popular SMC construction Sharemind [28]
ios [15], [16], [17]. However, to our knowledge, there is no were proposed to achieve various secure computations,
effort in the literature on fine-grained access control over e.g., multiplication. But the product of N pieces of data
the computation/analysis results based on encrypted data. needs about 3N multiplications of 32-bit numbers under the
Our previous work [18] aims to solve this problem by com- cooperation of three involved servers, which obviously can-
bining homomorphic encryption and proxy re-encryption, not adapt to big data processing. Although a data requester
but it only supports one requester access at one time. In case can easily obtain the final result by requesting all secret pre-
multiple users want to access the same result, it needs to processing shares from all involved servers, how to realize
execute the designed scheme for each requester one by one, fine-grained access control in SMC is still an open issue.
which obviously incurs high communication and computa-
tion costs, as shown in experiments in Section 5.2.3. 2.2 Secure Data Processing Based on
In this paper, we propose a novel scheme in order to Homomorphic Encryption
overcome the challenges as described above. It supports FHE schemes [10], [11], [12] are designed to realize arbitrary
multiple basic computations over encrypted data and real- computations over encrypted data. Due to high computation
izes flexible access control over the processing results by overhead, some extended schemes [29], [30] were proposed
employing PHE and ABE. Specifically, the contributions of to improve FHE efficiency. However, the computation and
this paper can be summarized as follows: storage costs of existing schemes are still not satisfactory for
We propose a generic system architecture consisting of practical use [31], [32].
a data service provider (DSP) and a computation party PHE has been widely used in many applications because
(CP) that seamlessly work together to simultaneously it is more efficient and practical than FHE although it can
support secure computations over encrypted data and only support limited computations. Some schemes [3], [4]
fine-grained access control of computation results. were proposed to support more types of computations, but
We present a family of protocols to efficiently realize they can only support addition and multiplication over a
seven basic computations over encrypted data: Addi- limited number of data inputs. In [3], decryption requires
tion, Subtraction, Multiplication, Sign Acquisition, Abso- solving the problem of discrete logarithm, which seriously
lute, Comparison, and Equality Test. restricts the length and the number of data inputs. The mul-
We propose to utilize ABE with homomorphism to tiparty computation framework proposed in [4] achieves
realize fine-grained access control of the processing addition and multiplication by applying secret sharing.
result of encrypted data, which is not revealed to Similar to the SMC-based scheme in [27], it is unable to sup-
any system entities including DSP and CP. port the multiplication of a large number of data inputs. Liu
We prove the security of the proposed scheme and et al. [5] proposed a framework for efficient outsourced data
demonstrate its efficiency through simulations and calculations with privacy preservation, which can deal with
comparisons with existing schemes. We show that several types of operations, such as addition, multiplication,
the proposed scheme is suitable for big data process- and division. But this framework cannot support multipli-
ing. It can be applied in any scenarios with either a cation of a large number of data.
small or a large number of data providers. Besides the problems mentioned above, the biggest prob-
The rest of this paper is organized as follows. Section 2 lem of PHE is that it is a single-user system. This means that
gives a brief overview of related work. Section 3 introduces the data processing result based on PHE can only be
the system model and attack model of our proposed decrypted and accessed by the user with the corresponding
scheme, followed by its detailed design in Section 4. In secret key of PHE. PHE is not flexible to directly support
Section 5, security analysis and performance evaluation are multi-user access.
given. Finally, a conclusion is presented in the last section.
2.3 Secure Data Access Control
2 RELATED WORK Cloud storage enables cloud users to upload their data to
With the development of cloud computing, cloud users the cloud for storage and further sharing. However, this
benefit from outsourcing data storage and computation to causes a new problem that the cloud users lose full control
the cloud. However, the risk of personal data disclosure over their data. Thus, an efficient and secure data access
makes it urgent to enhance data security and user privacy. control scheme is needed. A number of solutions have been
Besides those schemes focusing on data aggregation [19], proposed to protect the outsourced data in the cloud, as
[20], [21], [22], [23], [24], [25], other studies were conducted briefly introduced below.
to achieve more efficient privacy-preserving operations. In Proxy re-encryption was adopted to manage data sharing
addition, many constructions have been proposed to realize in cloud [33], [34]. But it cannot support fine-grained access
secure access control although the aforementioned issues control on homomorphic computation results. Role-based
are still open. access control (RBAC) can only provide partial flexibility
based on one level policy, which ensures that only the user
2.1 Secure Data Processing Based on SMC with a specified role can access data. But, the constructions
Secure multi-party computation (SMC) enables computa- [35], [36] based on RBAC cannot support flexible access pol-
tions over multi-user outsourced data without revealing icies described with various attribute structures. ABE [37],
DING ET AL.: PRIVACY-PRESERVING DATA PROCESSING WITH FLEXIBLE ACCESS CONTROL 365
Partial Decryption with S K CP (PDec PDec2). Once the Finally, the DSP keeps ½mpkck or ½fpkck , and CK 0 for user
encrypted data ½mi pkCP is received, the CP can directly access.
decrypt it with its own secret key as follows: Step 6 (Data Access @ DR). If the DR satisfies the access
policy, Authority issues a secret key SK 0 to the DR. Hence,
1) Ti 0ð2Þ ¼ ðTi 0ð1Þ ÞskCP ¼ grab ¼ PK r mod n2 ; the DR can decrypt CK 0 to get ck, and further obtain m or f
2) mi ¼ LðTi ð1Þ =Ti 0ð2Þ mod n2 Þ, where LðuÞ ¼ ðu 1Þ=n. to meet their computation demand.
In addition, the encrypted data under any public key pk
has the following properties: 4.4 Detailed Data Processing
1) Additive homomorphism: System setup and data collection are the same as those in
½m1 pk ½m2 pk ¼ ½m1 þ m2 pk ; Section 4.3. The operations for access control are also the
2) ð½mpk Þt ¼ ffð1 þ mnÞpkr gt ; ðgr Þt g mod n2 same as those above, thus we do not introduce the details in
this section.
¼ fð1 þ m nÞt pkrt ; grt g mod n2
Our proposed scheme supports seven basic operations
¼ fð1 þ t m nÞpkrt ; grt g mod n2
over encrypted data: 1) Addition; 2) Subtraction; 3) Multiplica-
¼ ½t mpk ;
tion; 4) Sign Acquisition; 5) Absolute; 6) Comparison; and 7)
3) ð½mpk Þn1 ¼ ffð1 þ m nÞpkr gðn1Þ ; ðgr Þðn1Þ g mod n2 Equality Test. In the following sub-sections, we mainly focus
¼ fð1 þ m ðn 1Þ nÞpkrðn1Þ ; grðn1Þ g mod n2 on the steps from 3 to 5 in each basic operation.
¼ fð1 m n þ m n2 Þpkrðn1Þ ; grðn1Þ g mod n2
¼ fð1 m nÞpkrðn1Þ ; grðn1Þ g mod n2 4.4.1 Addition
P
¼ ½mpk : Addition obtains the sum of all raw data: m ¼ N i¼1 mi ,
which can be accomplished by multiplying all ciphertexts.
4.3 Data Processing Procedure Note that the number of the data in Addition affects the
The brief procedure of data processing is shown in Fig. 2. It length of the provided data. If we want to get the sum result
mainly involves six steps: of N pieces of data, it should guarantee that mi < n=N.
Step 1 (System Setup @ All Entities). Authority calls the Step 3 (Data Preparation @ DSP). Due to additive homo-
algorithm KeyGen in Section 4.2 and SetupABE ð; UÞ in morphism, the DSP can directly multiply encrypted data
Section 4.1.3 to complete the setup of HRES and ABE. Note: one by one as follows:
if multiple CPs are employed in the system, each CP can YN YN YN
negotiate a Diffie-Hellman key PK with the DSP and pub- ½m ¼ ðT; T 0 Þ ¼ i¼1
½mi ¼ T
i¼1 i
; i¼1
Ti
0
c a
Then DSP sends ½c1 ðm þ r1 ÞpkCP to the CP. 4) ½c2 m2 pkCP ¼ ðT2 ð1Þ ; T2 0ð1Þ Þ ¼ fT2 c2 ; ðT2 0 Þ 2 g ¼ fð1 þ c2
r2 c2 r2 ac2
Step 4 (Data Process @ CP). The CP calls the algorithm m2 nÞ PK ; g g.
PDec2 with skCP to finally decrypt the encrypted data and
PDec The data packet sent to the CP is {½c1 m1 pkCP ;
obtain c1 ðm þ r1 Þ. And then the CP chooses the second partial ½c2 m2 pkCP }.
key ck2 and a random number r to encrypt data as follows: Step 4 (Data Process @ CP). Upon receiving the data
½c1 ðm þ r1 Þ ¼ T; T 0 ¼ ð1 þ c1 ðm þ r1 ÞnÞgck2 r ; gr
pkck2
packet from the DSP, the CP uses the algorithm PDec PDec2 to
decrypt the data:
where pkck2 ¼ gck2 . b b
Then the CP encrypts ck2 to obtain CK20 and forwards c1 m1 ¼ T1 ð1Þ = T1 0ð1Þ ; c2 m2 ¼ T2 ð1Þ = T2 0ð1Þ :
^ pkck and CK20 back to the DSP.
½m
It then chooses ck2 and a random number r, and encrypts
Step 5 (Additional Process @ DSP). The DSP computes to
c1 m1 c2 m2 and ck2 as follows:
obtain the final encrypted processing result with ck1 and r1 :
1) ^ pkck ¼ ½c1 c2 mpkck ¼ ðT; T 0 Þ ¼ fð1 þ c1 m1 c2 m2 nÞ
½m
½mpkck ¼ T 1 ð1 r1 nÞ; T 0 ¼ ð1 þ m nÞgck1 ck2 r ; gr
ck
2 2
gck2 r ; gr g;
where pkck ¼ gck1 ck2 and ck ¼ ck1 ck2 . 2) CK20 ¼ EncABE ðck2 ; g; PK 0 Þ.
Similar to Section 4.3, it encrypts ck1 using ABE and gets Finally, the CP forwards ½m ^ pkck and CK20 to the DSP.
2
CK 0 ¼ CK10 CK20 ¼ EncABE ðck1 ck2 ; g; PK 0 Þ. Step 5 (Additional Process @ DSP). The DSP further pro-
cesses the data packet with ck1 and then gets ciphertext of
4.4.2 Subtraction key as follows:
Subtraction Pobtains the subtraction of some data ðm ¼
P 1) ½mpkck ¼ fT 1 ; T 0 g ¼ fð1 þ m nÞgck1 ck2 r ; gr };
ck
W N
i¼1 mi i¼W mi Þ with encrypted data ½mi ði ¼ 1; . . . ; NÞ.
It can be accomplished by negating the subtracted terms (by 2) CK 0 ¼ CK20 EncABE ðck1 ; g; PK 0 Þ.
raising to the power of ðn 1Þ), then following the proce-
dure of Addition. 4.4.4 Sign Acquisition
We assume that LðmÞ < LðnÞ=4 and BIG is the largest raw
PStep 3 (Data QWPreparation @ DSP).
PN The DSPQfirst computes
½ W i¼1 mi ¼ i¼1 ½mi and ½ i¼W þ1 m i ¼ N
i¼W þ1 ½mi . It
data of m. Then the raw data is in the scope ½BIG; BIG.
PN PN DR wants to know the sign of raw data m1 from ½m1 . Sign
further calculates ½ i¼W þ1 mi ¼ ð½ i¼W þ1 mi Þn1 and
P PN Acquisition can be achieved by masking the original cipher-
multiplies them to obtain: ½m ¼ ½ð W i¼1 mi i¼W þ1 mi Þ ¼ texts with random numbers of limited length and then
PW PN
½ i¼1 mi ½ i¼W þ1 mi . Then the subsequent process is checking the length of the masked data to further determine
the same to that in Addition. Due to length and simplicity the real length of original data. Here, the DR targets to
reasons, we skip its details. obtain the final sign indicator f from ½m1 .
Step 3 (Data Preparation @ DSP). The DSP chooses three
4.4.3 Multiplication random numbers R (LðRÞ < LðnÞ=4Þ, c1 and ck1 . It first
Multiplication obtains the product of all raw data encrypts “1” and then computes as follows:
Q
(m ¼ N i¼1 mi Þ. Multiplication is a bit more complicated 1)
0
½1 ¼ fð1 þ nÞ PK r ; gr g;
0
Step 5 (Additional Process @ DSP). The DSP further pro- the data packet ½sum1 pkck to the DR in a secure way. Then
cesses the data packet as follows: the DR can decrypt it to obtain su m1 .
1) Compute c3 ¼ c1 1 mod n; Note: if m1 0, su ¼ 1; Otherwise, su ¼ 1. Hence,
2)
ck c
½fpkck ¼ fT 1 3 ; ðT 0 Þ 3 g ¼ fð1 þ su
c su m is the absolute of data m.
nÞgck1 ck2 rc3 ; grc3 g. 4.4.6 Comparison
3) CK 0 ¼ EncABE ðck1 ; g; PK 0 Þ CK20 . Comparison can be simply accomplished by checking the
Step 6 (Data Access @ DR). The DR satisfying the access sign of the difference value of two data by calling Sign
policy in ABE can decrypt CK 0 to obtain ck and further Acquisition. Similar to the functions above, DR wants to
decrypt ½fpkck to obtain f. compare the raw data ðm1 ; m2 Þ based on their encrypted
Note: if f ¼ 1, m1 0; Otherwise, m1 < 0. data. For ease of presentation, m1 m2 is denoted as m12 .
½m1 ¼ ðT1 ; T1 0 Þ ¼ fð1 þ m1 nÞ PK r1 ; gr1 g
4.4.5 Absolute
½m2 ¼ ðT2 ; T2 0 Þ ¼ fð1 þ m2 nÞ PK r2 ; gr2 g
Besides the operations in Sign Acquisition, Absolute needs to
mask the original data by raising to the power of a random Step 3 (Data Preparation @ DSP). DSP first computes to get
number, and then remove the mask according to sign indi- the subtraction of encrypted data:
cator to achieve a final absolute result. We assume that n o
ðT; T 0 Þ ¼ T1 ðT2 Þn1 ; T1 0 ðT2 0 Þ
n1
¼ ½ðm1 m2 Þ:
LðmÞ < LðnÞ=4 and that BIG is the largest raw data of m.
Then the raw data is in the scope ½BIG; BIG. Here, given The following steps are the same as those in Sign Acquisi-
ciphertext ½m1 , DR wants to get the absolute value jm1 j. tion, which are skipped for the reason of paper length limi-
Step 3 (Data Preparation @ DSP). The DSP chooses three tation. Through the cooperation of the DSP and the CP, the
random numbers R where LðRÞ < LðnÞ=4, c1 and c2 , and DR finally gets the sign of m12 ¼ m1 m2 . In the end, the
also chooses the first partial key ck1 . It first encrypts “1” and DR can obtain the comparison result. If m12 0, m1 m2 ;
then computes as follows: otherwise, m1 < m2 .
0 0
1) ½1 ¼ fð1 þ nÞ PK r ; gr g;
4.4.7 Equality Test
2) ½2 m1 þ 1 ¼ ðT; T 0 Þ ¼ ½m1 2 ½1 ¼
0 0 Equality Test needs to check the signs of both difference
fð1 þ ð2 m1 þ 1Þ nÞ PK r þ2r1 ; gr þ2r1 g;
value and negative difference value of original two data by
3) Then it flips a coin s. If s ¼ 1; it computes:
calling Comparison twice. DR wants to know whether m1 is
n o
½m0 pkCP ¼ T nR ; ðT 0 Þ
aðnRÞ
¼ ½R ð2 m1 þ 1Þ equal to m2 or not from the encrypted data (½m1 , ½m2 ). The
DSP and the CP directly interact with each other in two par-
allel computations of Comparison.
Otherwise (s ¼ 1), it calls PDec PDec1 and computes:
They compare m1 and m2 in two forms: 1) m12 ¼
½m0 pkCP ¼ fT R ; T 0aR g ¼ ½R ð2 m1 þ 1Þ;
m1 m2 ; 2) m21 ¼ m2 m1 . Through the operations in
4) Compute ½c1 m1 ¼ ½m1 c1 , and call PDec
PDec1 to obtain Comparison, DSP can get two results ½f1 pkck and ½f2 pkck ,
½c1 m1 pkCP . respectively. Then the DSP can obtain ½fpkck ¼½f1 þ f2 pkck ¼
5) The DSP sets c3 ¼ ðck1 Þ1 mod n, and s0 ¼ c2 c3 s ½f1 pkck ½f2 pkck .
mod n. Finally, the DR that satisfies the access policy in ABE can
The data packet sent to the CP is {½m0 pkCP ; s0 ; ½c1 m1 pkCP }. decrypt CK 0 to obtain ck. The DSP sends the data packet
Step 4 (Data Process @ CP). Upon receiving the data ½fpkck to the DR in a secure way. Then the DR can further
packet from the DSP, the CP decrypts ½c1 m1 pkCP and decrypt ½fpkck to obtain f.
½m0 pkCP with PDec
PDec2 to obtain c1 m1 and m0 , respectively. The Note: if f ¼ 2, m1 ¼ m2 ; Otherwise, m1 6¼ m2 .
CP compares Lðm0 Þ with LðnÞ=2. If Lðm0 Þ < LðnÞ=2, it sets 4.5 Data Analysis over Fixed Point Numbers
u ¼ 1; otherwise, u ¼ 1. In order to adapt to various applications, we further design
Then CP chooses r and the second partial key ck2 , and a scheme to deal with fixed point numbers rather than
further computes as follows: integers.
1) ½c1 m1 s0 upkck ¼ ðT; T 0 Þ ¼ fð1 þ c1 m1 s0 u nÞgck2 r ; gr g; Normally, a fixed-point number can be represented with
2 three parts: the sign field, integer field and fractional field.
2) Encrypt ck2 using ABE: CK20 ¼ EncABE ðck2 ; g; PK 0 Þ.
Given a fixed point number m, we set it in binary format as
Finally, the CP forwards ½c1 m1 s0 upkck and CK20 to DSP. ðS; be2 ; be3 ; . . . ; b0 ; b1 ; . . . ; bf Þ, where S is its sign, e 1 is
2
Step 5 (Additional Process @ DSP). The DSP further pro- the length of the integer field, f isPthe length of the fractional
cesses the data packet as follows: field and its value is m ¼ S e2 i¼f ðbi 2 Þ. In order to
i
4.5.1 Multiplication over Encrypted Fixed SimDP receives the input of m1 and m2 , then it simulates
Point Numbers ADP as follows: it encrypts data m1 as ½m1 ¼ EncTKðm1 Þ,
For two fixed point numbers m1 and m2 , we perform as and data m2 as ½m2 ¼ EncTKðm2 Þ. Finally, it returns ½m1
follows: and ½m2 to ADP , and outputs the entire view of ADP .
The view of ADP is the encrypted data. The views of ADP
1) Get the integer representation of m1 and m2 : in the real and the ideal executions are indistinguishable.
m01 ¼ m1 2f and m02 ¼ m2 2f ; SimDSP simulates ADSP as follows: it runs the EncTK on
2) Users upload their ciphertext to CSP as: ½m01 and two randomly chosen numbers m f1 and m f2 ; then it multiplies
½m02 . f1 by ½m
½m f2 to get ½m
~ where m ¼ m f1 þ m f2 ; further it masks
3) Then execute Multiplication over ½m01 and ½m02 ; the ciphertext with two random numbers r1 and ck1 , and runs
4) Finally, DR can get the value of m01 m02 , then scale ~ þ r1 ÞpkCP . By accessing SimCP , it
PDec1 to obtain ½c1 ðm
the PDec
down to obtain the final result m1 m2 ¼ m01 m02 2f . b~
receives ½m and CKg0 $ based on a randomly generated
pkck2 2
key ck2 . Then it computes to obtain ½m ~ pkck and CKg0 . Finally,
4.5.2 Polynomial Computations over Encrypted Fixed b~ g 0
SimDSP outputs ½c1 ðm ~ þ r1 ÞpkCP , ½m ~ pkck and
pkck2 , CK2 , ½m
Point Numbers
g 0
CK to ADSP . If ADSP replies with ?, SimDSP returns ?.
For a clear presentation, we give an example of m1 m2 þ m3 .
The view of ADSP consists of the encrypted data and the
The detailed procedure is presented as follows:
ciphertext of corresponding decryption key. Owing to the
1) (@DPs) Get the integer representation of three num- honesty of the challenged cloud user and the security of
bers: m01 ¼ m1 2f , m02 ¼ m2 2f and m03 ¼ m3 2f ; the HRES, ADSP receives the same output in both real and
2) (@DSP) Execute the same operations to the Step 3 in ideal executions. As the decryption key ck is randomly con-
Multiplication to get: {½c1 m01 pkCP ; ½c2 m02 pkCP g. structed by CSP and CP in each challenge, ADSP would not
3) (@CP) Decrypt data packet to get c1 m01 and c2 m02 ; obtain more information by executing multiple challenges.
Then encrypt c1 m01 c2 m02 with Diffie-Hellman Thus, the views are indistinguishable.
key PK to get ½c1 c2 m01 m02 ; Send it to DSP. SimCP simulates ACP as follows: it randomly chooses
f
4) (@DSP) First compute ½m03 2 to scale the original data data m,^ uses Enc to obtain ½m ^ pkck and calls ABE encryption
2
0
and get ½2 m3 ; Execute the proposed scheme
f d 0
to obtain CK2 . Then it sends ½m ^ pkck and CK d0 to ACP . If ACP
2
2
Addition over ½2f m03 and ½c1 c2 m01 m02 under the replies with ?, SimCP returns ?. In both real and ideal exe-
cooperation with CP. cutions, it receives the output of two ciphertexts. In the real
Note: The length of data encrypted via Paillier system is world, the security is guaranteed by the semantic security
less than LðnÞ. In order to support various computations of HRES and the security of ABE.
above over positive and negative numbers, we strictly SimDR simulates ADR as follows: (it cannot enquire for
restrict the length of data such that LðmÞ < 1=2 LðnÞ. If the challenged data) it randomly chooses data ½m0 pkck and
multiplication of N pieces of data is needed, then it has a decrypts it to obtain m0 , and then sends it to ADP . If ADP
strict limitation that LðmÞ ¼ ðe þ fÞ < LðnÞ=ð2NÞ. Here, replies with ?, SimDR returns ?.
with the default setting LðnÞ ¼ 1024, e ¼ 45, f ¼ 15, we The view of ADR is the decrypted result without any
should limit the multiplication times (i.e., the number of other information. But in both the real and ideal executions,
provided data) to 8. it is guaranteed by the semantic security of the HRES. The
views are indistinguishable in both executions.
5 SECURITY ANALYSIS AND PERFORMANCE No matter how many times the adversary accesses the
EVALUATION simulator ADR , it is still difficult to obtain the original real
5.1 Security Analysis data for two reasons: 1) the randomly chosen data have no
relation to the original real data; 2) exhaustion attack is hard
The semantic security of HRES has been proved in our pre-
owing to the randomness of the chosen numbers.
vious work [18]. Hence, we skip its security proof and focus
The security proofs of other operations are similar to that
on the security analysis of our proposed schemes. Here, we
of the Addition under the semi-honest (non-colluding)
adopt the security model for securely realizing an ideal
adversaries A ¼ ðADR ; ADSP ; ACP ; ADP ).
functionality in the presence of semi-honest (non-colluding)
adversaries. It involves four types of parties: DSP, CP, DP 5.2 Performance Evaluation
and DR. Thus, we construct four simulators Sim ¼ ðSimDP ; In this section, we analyze the computational complexity
SimDSP ; SimCP ; SimDR Þ to against four kinds of adversaries and the communication overhead of our proposed seven
(ADP ; ADSP ; ACP ; ADR ) that corrupt DP , DSP , CP and DR, computing operation schemes. Further, we implemented
respectively. them and tested their performances through simulations.
Theorem 1. The Addition scheme in Section 4.4.1 can securely 5.2.1 Computational Complexity Analysis
obtain the plaintext of addition via computations on ciphertexts
Herein, we analyze the computational complexity of our
in the presence of semi-honest (non-colluding) adversaries
designed schemes. Notably, the ABE and the HRES are
A ¼ ðADR ; ADSP ; ACP ; ADP ).
based on different cryptographic techniques, while the
Proof. We present the construction of four independent sim- computational complexity by employing ABE to control
ulators ðSimDP ; SimDSP ; SimCP ; SimDR Þ. Here, we prove access in each operation is the same. Hence, we analyze the
the security of the case with two inputs (i.e., N ¼ 2). u
t computational complexity of ABE in a separate part.
DING ET AL.: PRIVACY-PRESERVING DATA PROCESSING WITH FLEXIBLE ACCESS CONTROL 371
1) The Computational Complexity of ABE. As presented in exponentiations, and then call PDec1. Moreover, it should do
Section 4.1.3, the computations of all four algorithms are one modular exponentiation for removing the mask in Step 5.
related to the number of attributes. In order to clarify the In Subtraction, the DSP needs to obtain the negative of subtrac-
relationships, we assume that there are jUj universal attrib- tor with two more modular exponentiations than that in Addi-
utes, that jgj attributes are in the access policy tree T , and tion. As the modular exponentiation of gr with r 2 ½1; n needs
that at most # attributes should be satisfied in the policy at most n modular multiplications, the multiplication of N
tree T to decrypt ciphertext. (N < n) pieces of provided data results in computational
The setup algorithm SetupABE ðÞ should choose the system complexity of Oð1Þ. Thus, the DSP has the computational
parameters and generate the public parameters. It needs to complexity of Oð1Þ in both Addition and Subtraction.
do jUj þ 1 exponentiations and one bilinear pairing. The In Multiplication, the DSP should first mask each piece of
encryption algorithm EncABE ðÞ needs to generate the cipher- data with a random number through two exponentiations
text by involving each attribute in T with one exponentiation, and then call PDecPDec1 to partially decrypt the data in Step 3,
and encrypt the original message with one exponentiation. which results in 3N modular exponentiations. In Step 5, it
Hence, the encryption algorithm needs jgj þ 1 exponentia- should do one exponentiation to remove the mask from
tions in total. KeyGenABE ðÞ operates jgj þ 1 exponentiations original data. Hence, the computational complexity of DSP
to generate decryption key. HE ABE ðÞ merely involves jgj þ 1 results in OðNÞ.
multiplications. As exponentiation is significantly more In Sign Acquisition, the DSP needs to do four modular
costly than multiplication, we ignore the computation cost of exponentiations in Step 3, and two more in Step 5. In
HE ABE ðÞ in our anlysis. The main operation in DecABE ðÞ is to Absolute, the DSP needs to do three more modular exponen-
compute the divided pieces of encrypted partial keys, which tiations in Step 3 than it does in Sign Acquisition. In Compari-
performs at most # bilinear pairings. son, the DSP should first get the subtraction of two pieces of
The system setup and data encryption only need to be encrypted data, which needs two modular exponentiations,
executed once. Thus, their computational complexity can be and then do the same operation as it does in Sign Acquisi-
amortized when multiple users access the final result. tion. In Equality Test, the DSP needs invoke the Comparison
Though the computation cost of cloud users in decryption twice. Hence, its computational complexity in these three
algorithm is higher than our previous scheme [18], it enhan- schemes are all Oð1Þ.
ces the security of processing results by introducing fine- Computational Complexity of CP. In the schemes except
grained access control. The system should balance efficiency Multiplication, Absolute and Equality Test, the CP first
and security according to its capabilities and requirements. decrypts ciphertext by calling PDec PDec2 and then encrypts the
Moreover, trust can be used as a single attribute in ABE in data with a partial secret key, which needs three modular
order to greatly reduce computational cost [15], [16], [17]. exponentiations in total. Hence, the computational complex-
2) The Computational Complexity of Data Analysis. As the ities in them are all Oð1Þ regardless of the ABE encryption.
computations related to ABE for access control neither vary In Multiplication, the CP should first decrypt each cipher-
with the number of provided data nor vary with the designed text of masked original data with PDec PDec2, then encrypt their
functions, their costs are ignored in the following analysis. product with Enc Enc. It totally needs ðN þ 2Þ modular exponen-
The modular exponentiation operation is significantly tiation and results in computational complexity OðN þ 2Þ.
more time-consuming than the modular addition and multi- Different from the analysis above, the CP in Absolute
plication, thus we ignore the fixed numbers of additions and should first do two partial decryptions PDec2. Generally, it
multiplications in the following analysis. In addition, the needs four modular exponentiations. Its computational
computational complexity of basic operations (modular complexity results in Oð1Þ.
exponentiation in HRES, exponentiation and bilinear pairing In Equality Test, the CP takes the double computation costs
in ABE) would never be affected by the number of provided in Comparison, which needs six modular exponentiations but
data or access policy. Thus, we set all their computational still results in the computational complexity of Oð1Þ.
complexities to be Oð1Þ. Computational Complexity of DR. The DR should first call
Enc and EncTK need two modular exponentiations. DecABE ðÞ to obtain the decryption key ck. Then, it further
Both the algorithms Dec and PDecPDec2 take one modular expo- decrypts the pre-processing result to obtain the final result
nentiation and one modular multiplication to obtain the by calling Dec
Dec, which needs one modular exponentiation.
ciphertext, and PDec
PDec1 needs one modular exponentiation. 3) The Summary of Computation Analysis in Seven Operation
Based on these analyzed results, we further give the compu- Schemes. In the following tables and figures, we use the foll-
tational complexity in seven operation functions. We hold owing corresponding notations: Addition (Add), Subtraction
the assumption that there are N pieces of provided data in (Sub.), Multiplication (Mul.), Sign Acquisition (Sign), Absolute
Addition, Subtraction, and Multiplication. (Abs.), Comparison (Comp.), and Equality Test (Equal). Here,
Computational Complexity of DP. The DP directly outsour- we present the total computation costs in each algorithm and
ces its data with EncTK for data processing/analyzing. Its compare them with existing work [18] in Table 2. The constant
computation cost of outsourcing one piece of data is two number of multiplications is not considered in the table. We
modular exponentiations, which is with the computational can observe that our new schemes introduce some computa-
complexity Oð1Þ. tion cost to the involved entities, but it can greatly reduce
Computational Complexity of DSP. In Addition, the DSP has the cost of DSP and CP when the number of DRs is high,
two parts of computations in each algorithm. In Step 3, especially in Multiplication, which is further discussed in
the DSP first needs to multiply the N pieces of data, mask Section 5.2.2. Moreover, our scheme provides fine-grained
ciphertexts with random numbers through two modular access control and enhances the security of processing results.
372 IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 17, NO. 2, MARCH/APRIL 2020
TABLE 2 TABLE 3
Computation Analysis Communication Overhead of Each Scheme
Fig. 3. Operation time of DPs with different length of n. Fig. 5. Operation time of CP with different length of n.
Fig. 4. Operation time of DSP in Step 3 with different length of n. Fig. 6. Operation time of DSP in Step 5 with different length of n.
Fig. 10. Operation time of each entity in Multiplication with different num-
Fig. 8. Operation time of each entity in Addition with different number of ber of DPs.
DPs.
DSP in Step 3 increases with the number of the provided processing and the data retrieve, respectively. Here, we
data, while it does not influence other steps. Even when the focus on the performance of ABE through one test.
number of provided data reaches 104 , the DSP only takes Test 4: Performance of ABE with different numbers of
about 530 ms. It takes almost the same time for the DR to attributes
complete the computation with different numbers of pro- In this experiment, we tested the performance of five
vided pieces of data. This fact implies that our schemes can steps of ABE with different number of attributes: System
deal with a great number of data for addition efficiently. Setup (Setup_ABE), Encryption (Enc_ABE), Key Generation
PW (KeyGen_ABE), Decryption (Dec_ABE) and its homomor-
PNWe assume that the subtraction formula is ð i¼1 mi phic computation (HE_ABE). The test was executed with
i¼W þ1 mi Þ with W ¼ N=2, which means that half of the
provided data is subtracted from the sum of another half. the setting that all universal attributes are involved in
Fig. 9 shows its performance, which is similar to that of encryption and that one attribute is needed to satisfy the
Addition and is efficient to support a big number of DPs. policy tree. That is, OðjUjÞ ¼ #, which varies from 2 to 8 in
our tests while OðjgjÞ ¼ 1.
In general, the scheme can flexibly be used in various sit-
Fig. 11 shows the costs of all operations in ABE except the
uations with different number of data providers.
algorithm HE_ABE, as it only takes less than 1ms. By apply-
Test 3: Performance of Multiplication with a large number of
ing trust-based access control schemes [15], [16], [17], the
provided data
decryption only involves one attribute and takes only
Different from Addition and Subtraction, the Multiplication
10 ms. We can observe that the computation cost of other
is time-consuming and communication-consuming. It is not
algorithms is proportional to the number of attributes.
flexible and possible to support the computation of a huge
Though employing ABE would cause high computation
number of provided data. Thus, we only tested it with lim-
overhead, high security and fine-grained access control can
ited numbers ðN ¼ 100; 200; 300; 400; 500; 600; 700; 800Þ.
be supported. Most computations are taken by cloud serv-
Moreover, the original data length is set as LðnÞ=N.
ers. In addition, the cloud servers only need to perform the
As shown in Fig. 10, it takes about 15 seconds to finish the
setup and encryption once, which can be amortized by mul-
computation in Step 3 for the DSP when the number of pro-
tiple accesses of DRs.
vided messages achieves 800. However, the data numbers
4) Experimental Comparison with Existing Work
do not influence the computation cost of the DR and no extra
Test 5: Performance comparison of Multiplication schemes in
overhead is introduced, which merely costs about 6.7 ms.
our work with an existing scheme in [18]
3) Efficiency of Attribute-Based Encryption
In this test, we compared the performance of Multiplica-
The non-colluding servers and the DRs employ ABE to
tion in our scheme with an existing scheme [18], as shown in
realize the flexible access control over the result of data
Fig. 12. We obtained the total computation time of all
TABLE 5
Comparison with Existing Work in Multiplication
[15] C. Huang, Z. Yan, N. Li, and M. Wang, “Secure pervasive social [40] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and secure
communications based on trust in a distributed way,” IEEE Access, sharing of personal health records in cloud computing using attri-
vol. 4, pp. 9225–9238, 2016. bute-based encryption,” IEEE Trans. Parallel Distrib. Syst., vol. 24,
[16] Z. Yan, X. Li, M. Wang, and A. Vasilakos, “Flexible data access no. 1, pp. 131–143, Jan. 2013.
control based on trust and reputation in cloud computing,” IEEE [41] Z. Wan, J. E. Liu, and R. H. Deng, “HASBE: A hierarchical attri-
Trans. Cloud Comput., vol. 5, no. 3, pp. 485–498, Jul.-Sep. 2015. bute-based solution for flexible and scalable access control in
[17] Z. Yan, X. Li, and R. Kantola, “Controlling cloud data access based cloud computing,” IEEE Trans. Inf. Forensics Secur., vol. 7, no. 2,
on reputation,” Mobile Netw. Appl., vol. 20, no. 6, pp. 828–839, 2015. pp. 743–754, Apr. 2012.
[18] W. Ding, Z. Yan, and R. H. Deng, “Encrypted data processing [42] P. Paillier, “Public-key cryptosystems based on composite degree
with homomorphic re-encryption,” Inf. Sci., vol. 409-410, pp. 35– residuosity classes,” in Proc. Adv. Cryptology—EUROCRYPT,
55, 2017. 1999, pp. 223–238.
[19] E. Ayday, J. L. Raisaro, J.-P. Hubaux, and J. Rougemont, “Protect- [43] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public-key
ing and evaluating genomic privacy in medical tests and personal- cryptosystem with a double trapdoor decryption mechanism
ized medicine,” in Proc. 12th ACM Workshop Privacy Electron. Soc., and its applications,” in Proc. Adv. Cryptology-ASIACRYPT, 2003,
2013, pp. 95–106. pp. 37–54.
[20] C. Castelluccia, A. C. Chan, E. Mykletun, and G. Tsudik, “Efficient
and provably secure aggregation of encrypted data in wireless Wenxiu Ding received the BEng degree in infor-
sensor networks,” ACM Trans. Sens. Netw., vol. 5, no. 3, 2009, mation security from Xidian University, Xi’an,
Art. no. 20. China, in 2012. Now, she is working toward the
[21] T.-H. H. Chan, E. Shi, and D. Song, “Privacy-preserving stream PhD degree in information security in the School of
aggregation with fault tolerance,” in Financial Cryptography and Telecommunications Engineering, Xidian Univer-
Data Security. Berlin, Germany: Springer, 2012, pp. 200–214. sity. She was the research assistant in the School
[22] Q. Li, G. Cao, and T. La Porta, “Efficient and privacy-aware data of Information Systems, Singapore Management
aggregation in mobile sensing,” IEEE Trans. Dependable Secure University from 2015 to 2016. Her research inter-
Comput., vol. 11, no. 2, pp. 115–129, Mar. 2014. ests include RFID authentication, privacy preser-
[23] Q. Li and G. Cao, “Efficient privacy-preserving stream aggrega- vation, data mining and trust management.
tion in mobile sensing with low aggregation error,” in Proc. Int.
Symp. Privacy Enhancing Technol. Symp., 2013, pp. 60–81.
[24] M. Joye and B. Libert, “A scalable scheme for privacy-preserving Zheng Yan (M’06, SM’14) received the BEng
aggregation of time-series data,” in Proc. Int. Conf. Financial Cryp- degree in electrical engineering and the MEng
tography Data Secur., 2013, pp. 111–125. degree in computer science and engineering
[25] E. Shi, T. H. Chan, E. Rieffel, R. Chow, and D. Song, “Privacy-pre- from Xi’an Jiaotong University, Xi’an, China, in
serving aggregation of time-series data,” in Proc. 18th Annu. Netw. 1994 and 1997, respectively, the second MEng
Distrib. Syst. Secur. Symp., 2011, pp. 1–17. degree in information security from the National
[26] D. Bogdanov, R. Talviste, and J. Willemson, “Deploying secure University of Singapore, Singapore, in 2000, and
multi-party computation for financial data analysis,” in Proc. Int. the licentiate of science and the doctor of science
Conf. Financial Cryptography Data Secur., 2012, pp. 57–64. in technology in electrical engineering from the
[27] L. Kamm and J. Willemson, “Secure floating point arithmetic and Helsinki University of Technology (current Aalto
private satellite collision analysis,” Int. J. Inf. Secur., vol. 14, no. 6, University), Helsinki, Finland, in 2005 and 2007.
pp. 531–548, 2015. She is currently a full professor with the Xidian University, Xi’an, China
[28] D. Bogdanov, “Sharemind: Programmable secure computations and a visiting professor and an academy research fellow with the Aalto
with practical applications,” PhD dissertation, University of University, Espoo, Finland. Her research interests include trust, security
Tartu, Estonia, 2013. and privacy, as well as data mining. She is serving as an associate editor
[29] J. H. Cheon, et al., “Batch fully homomorphic encryption over of the IEEE Internet of Things Journal, the IEEE Access, the Information
the integers,” in Proc. Annu. Int. Conf. Theory Appl. Cryptographic Sciences, the Information Fusion, the Journal of Network and Computer
Techn., 2013, pp. 315–335. Applications, the Soft Computing, the Security and Communication Net-
[30] W. Wang, Y. Hu, L. Chen, X. Huang, and B. Sunar, “Exploring the works, etc. twelve journals. She serves as an organization and program
feasibility of fully homomorphic encryption,” IEEE Trans. Com- committee member for numerous international conferences. She is a
put., vol. 64, no. 3, pp. 698–706, Mar. 2015. senior member of the IEEE.
[31] L. Morris. “Analysis of partially and fully homomorphic
encryption,” (2017). [Online]. Available: http://www.liammorris.
com/crypto2/Homomorphic%20Encryption%20Paper.pdf Robert H. Deng is AXA chair professor of
[32] X. Liu, R. H. Deng, Y. Yang, H. N. Tran, and S. Zhong, “Hybrid pri- Cybersecurity and director of the Secure Mobile
vacy-preserving clinical decision support system in fog–cloud Centre, School of Information Systems, Singa-
computing,” Future Generation Comput. Syst., vol. 78, pp. 825–837, 2018. pore Management University. His research inter-
[33] Z. Yan, W. Ding, and H. Zhu, “A scheme to manage encrypted ests include the areas of data security and
data storage with deduplication in cloud,” in Proc. Int. Conf. Algo- privacy, cloud security and Internet of Things
rithms Archit. Parallel Process., 2015, pp. 547–561. security. He received the Outstanding University
[34] C. Dong, G. Russello, and N. Dulay, “Shared and searchable Researcher Award from National University of
encrypted data for untrusted servers,” in Proc. IFIP Annu. Conf. Singapore, Lee Kuan Yew fellowship for Research
Data Appl. Secur. Privacy, 2008, pp. 127–143. Excellence from SMU, and Asia-Pacific Informa-
[35] W. C. Garrison III, A. Shull, S. Myers, and A. J. Lee, “On the tion Security Leadership Achievements Commu-
practicality of cryptographically enforcing dynamic access control nity Service Star from International Information Systems Security
policies in the cloud,” in Proc. IEEE Symp. Secur. Privacy, 2016, Certification Consortium. His professional contributions include an exten-
pp. 819–838, doi: 10.1109/SP.2016.54. sive list of positions in several industry and public services advisory
[36] T. Zhu, W. Liu, and J. Song, “An efficient role based access control boards, editorial boards and conference committees. These include the
system for cloud computing,” in Proc. IEEE 11th Int. Conf. Comput. editorial boards of the IEEE Security & Privacy Magazine, the IEEE
Inf. Technol., 2011, pp. 97–102. Transactions on Dependable and Secure Computing, the IEEE Transac-
[37] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attri- tions on Information Forensics and Security, the Journal of Computer
bute-based encryption,” in Proc. IEEE Symp. Secur. Privacy, 2007, Science and Technology, and Steering Committee chair of the ACM Asia
pp. 321–334. Conference on Computer and Communications Security.
[38] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based
encryption for fine-grained access control of encrypted data,” in
Proc. 13th ACM Conf. Comput. Commun. Secur., 2006, pp. 89–98. " For more information on this or any other computing topic,
[39] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,
please visit our Digital Library at www.computer.org/csdl.
and fine-grained data access control in cloud computing,” in Proc.
IEEE INFOCOM, 2010, pp. 1–9.