Professional Documents
Culture Documents
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
Abstract—Secure search techniques over encrypted cloud data allow an authorized user to query data files of interest by submitting
encrypted query keywords to the cloud server in a privacy-preserving manner. However, in practice, the returned query results may
be incorrect or incomplete in the dishonest cloud environment. For example, the cloud server may intentionally omit some qualified
results to save computational resources and communication overhead. Thus, a well-functioning secure query system should provide a
query results verification mechanism that allows the data user to verify results. In this paper, we design a secure, easily integrated, and
fine-grained query results verification mechanism, by which, given an encrypted query results set, the query user not only can verify
the correctness of each data file in the set but also can further check how many or which qualified data files are not returned if the set is
incomplete before decryption. The verification scheme is loose-coupling to concrete secure search techniques and can be very easily
integrated into any secure query scheme. We achieve the goal by constructing secure verification object for encrypted cloud data.
Furthermore, a short signature technique with extremely small storage cost is proposed to guarantee the authenticity of verification
object and a verification object request technique is presented to allow the query user to securely obtain the desired verification object.
Performance evaluation shows that the proposed schemes are practical and efficient.
Index Terms—Cloud computing, Query results verification, Secure query, Verification object.
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
ness and completeness. There are two limitations in these describe this part content in Section 7.
schemes:
1) These verification mechanisms provide a coarse- 1.2 Our Contributions
grained verification, i.e., if the query result set contains
all qualified and correct data files, then these schemes In this paper, we extend and reinforce our work in [27]
reply yes, otherwise reply no. Thus, if the verification to make it more applicable in the cloud environment and
algorithm outputs no, a data user has to abort the more secure to against dishonest cloud server. The main
decryption for all query results despite only one query contributions of this paper are summarized as follows:
result is incorrect. 1) We formally propose the verifiable secure search
2) These verification mechanisms are generally tightly system model and threat model and design a fine-
coupled to corresponding secure query constructions grained query results verification scheme for secure
and have not universality. keyword search over encrypted cloud data.
In a search process, for a returned query results set 2) We propose a short signature technique based on
that contains multiple encrypted data files, a data user certificateless public-key cryptography to guaran-
may wish to verify the correctness of each encrypted tee the authenticity of the verification objects them-
data file (thus, he can remove incorrect results and retain selves.
the correct ones as the ultima query results) or wants 3) We design a novel verification object request tech-
to check how many or which qualified data files are nique based on Paillier Encryption, where the
not returned on earth if the cloud server intentionally cloud server knows nothing about what the data
omits some query results. These information can be user is requesting for and which verification objects
regarded as a hard evidence to punish the cloud server. are returned to the user.
This is challenging to achieve the fine-grained verifi- 4) We provide the formal security definition and proof
cations since the query and verification are enforced and conduct extensive performance experiments to
in the encrypted environment. In [27], we proposed a evaluate the accuracy and efficiency of our pro-
secure and fine-grained query results verification scheme posed scheme.
by constructing the verification object for encrypted out- The rest of this paper is organized as follows. We
sourced data files. When a query ends, the query results reviews the related work in Section 2. Section 3 illustrates
set along with the corresponding verification object are background and presents the preliminary techniques.
returned together, by which the query user can accu- We propose the query results verification scheme in
rately verify: 1) the correctness of each encrypted data Section 4 and the a discussion of the scheme is shown in
file in the results set; 2) how many qualified data files Section 5. We describe the signature and authentication
are not returned and 3) which qualified data files are of verification object in Section 6. In Section 7, a secure
not returned. Furthermore, our proposed verification verification object request mechanism is proposed. We
scheme is lightweight and loose-coupling to concrete analyze the security and evaluate performances of our
secure query schemes and can be very easily equipped proposed scheme in Sections 8 and 9. In Section 10, we
into any secure query scheme for cloud computing. conclude the paper.
However, some necessary extensions and important
works need to be further supplied to perfect our original
2 R ELATED W ORK
scheme such as detailed performance evaluation and
formal security definition and proof. More importantly, 2.1 Secure Search in Cloud Computing
in the dishonest cloud environment, the scheme suffers Essentially, the secure search is thus a technique that
from the following two important security problems: allows an authorized data user to search over the data
1) Just as possibly tampering or deleting query results, owner’s encrypted data by submitting encrypted query
the dishonest cloud server may also tamper or forge keywords in a privacy-preserving manner and is an
verification objects themselves to make the data user effective extension of traditional searchable encryption
impossible to perform verification operation. Specially, to adapt for the cloud computing environment. Moti-
once the cloud server knows that the query results veri- vated by the effective information retrieve on encrypted
fication scheme is provided in the secure search system, outsourced cloud data, Wang et al. first proposed a
he may return inveracious verification object to escape keyword-based secure search scheme [13] and later the
responsibilities of misbehavior. secure keyword search issues in cloud computing have
2) When a data user wants to obtain the desired been adequately researched [14], [15], [16], [17], [18],
verification object, some important information will be [19], [20], [21], which aim to continually improve search
revealed such as which verification objects are being efficiency, reduce communication and computation cost,
or have been requested before frequently, etc. These and enrich the category of search function with bet-
information may leak query user’s privacy and expose ter security and privacy protection. A common basic
some useful contents about data files. More importantly, assumption of all these schemes is that the cloud is
these exposed information may become temptations of considered to be an ”honest-but-curious” entity as well
misbehavior for the cloud server. We will detailedly as always keeps robust and secure software/hardware
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
Trapd
ruct Verification oor
2.2 Verifiable Secure Search in Cloud Computing Const
Objects
Data Owners
Data Users
In practical applications, the cloud server may return File Decryption Keys
erroneous or false search results once he behaves dis-
honestly for illegal profits or due to possible soft-
Fig. 1. A system model of verifiable secure search over
ware/hardware failure of the cloud server. Because of
encrypted cloud data
the possible data corruption under a dishonest setting,
serval research works have been proposed to allow the
data user to enforce query results verification in the trapdoors and sends the query results to the data user.
secure search fields for cloud computing. In [23], Wang et The above application scenario is based on an ideal
al. applied hash chain technique to implement the com- assumption that the cloud server is considered as an
pleteness verification of query results by embedding the honest entity and always honestly returns all quali-
encrypted verification information into their proposed fied query results. In this paper, we consider a more
secure searchable index. In [24], Sun et al. used encrypted challenging model, where the query results would be
index tree structure to implement secure query result- maliciously deleted or tampered by the dishonest cloud
s verification functionality. In this scheme, when the server. When the query results face the risks that are
query ends, the cloud server returns query results along deleted or tampered, a well-functioning secure query
with a minimum encrypted index tree, then the data system should provide a mechanism that allows the
user searches this minimum index tree using the same data user to verify the correctness and completeness of
search algorithm as the cloud server did to finish result query results. To achieve the results verification goal, we
verification. Zheng et al. [25] constructed a verifiable propose to construct secure verification objects for data
secure query scheme over encrypted cloud data based files that are outsourced to the cloud with encrypted
on attribute-based encryption technique (ABE) [28] in the data and secure indexes together. The query results along
public-key setting. Sun et al. [26] referred to the Merkle with corresponding data verification object are returned
hash tree and applied Pairing operations to implement to the data user when a query ends. The improved
the correctness and completeness verification of query system model of verifiable secure search over encrypted
results for keyword search over large dynamic encrypted cloud data is illustrated in Fig. 1.
cloud data. However, these secure verification schemes
cannot achieve our proposed fine-grained verification 3.2 Threat Model
goals. Furthermore, these verification mechanisms are
generally tightly coupled to corresponding secure query In this paper, compared with the previous works, an
schemes and have not universality. important distinction about the threat model is that the
cloud is considered to be an untrusted entity. More
specifically, first of all, the cloud server tries to gain some
3 BACKGROUND valuable information from encrypted data files, secure
To clarify our proposed problems, in this section, we indexes, and verification objects (e.g., a misbehaving
present our system model, threat model, and several cloud administrator aims at obtaining these information
preliminaries used to implement our scheme. for possible monetary profits). Then, the cloud server
would intentionally return false search results for saving
3.1 System Model computation resource or communication cost. Further, if
the cloud server knows a query results verification mech-
The system model of the secure search over encrypted anism is embedded, he may tamper or forge verification
cloud data usually includes three entities: data owners, objects to escape responsibilities of misbehavior.
data users, and the cloud server, which describes the Similar to the previous works, both data owners and
following scenario: data owners encrypt their private authorized data users are considered to be trusted in our
data and upload them to cloud server for enjoying threat model.
the abundant benefits brought by the cloud computing
as well as guaranteeing data security. Meanwhile, the
3.3 Preliminaries
secure searchable indexes are also constructed to sup-
port effective keyword search over encrypted outsourced 3.3.1 Bloom Filter
data. An authorized data user obtains interested data A Bloom Filter [29] is a space-efficient probabilistic data
files from the cloud server by submitting query trap- structure which is used to test whether an element is a
doors (encrypted query keywords) to the cloud server, member of a set. An empty Bloom filter is a bit array
who performs search over secure indexes according to of m bits, where all bits are set to 0 initially. Given
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
Query Results
to 1. To determine whether an element b is in S or not, it
Trapdoor
Verification
checks whether all the positions corresponding to hi (b) Objects
equal to 1, 1 ≤ i ≤ l. If all are 1, then a ∈ S or resulting
in a false positive due to hash collision. If any one of Yes
?
these positions is 0, then b ∈ / S. We can control false Verify the authenticity of Verify the correctness and
positive rate by adjusting Bloom Filter parameters. If n Data user verification objects No
completeness of query results
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
Pm−1
TABLE 1 have the same value ( i=0 V Ow [i]) by padding dif-
Notations used in this paper ferent number of random elements for different verifi-
cation object V Ow . However, directly padding random
Notations Description elements into V Ow by hashing these random elements
F The plaintext set of data files to the range [0, m − 1] will disable the effective query
C The ciphertext set of data files results verification since the V Ow contains some invalid
W The keywords dictionary
data (i.e., random elements).
w Any keyword in W
To address this problem, we propose to let the data
Fw The set of data files containing the keyword w
owner generate a pad region only used for random
Cw The corresponding cipertext set of Fw
Rw The set of query results containing the keyword w
elements pad. Specifically, given a set Cw , the data owner
V Ow The verification object of Cw first generates a Bloom Filter V Ow with n counters and
prfk A pseudo-random function with the key k inserts all data files in Cw into the first m counters using
A hash function family with l hash functions h1 , h2 prfk and H. Then, let |Cw |max denote the maximum
H
..., hl with the same range [0, m − 1] number of data files containing some keyword w ∈ W ,
If α is a string, |α| denotes the bit length of α; i.e., |Cw |max = max{|Cwi |,Pi = 1, ..., |W |}, the data owner
|α| m−1
If α is a set, |α| denotes the cardinality of α generates l × |Cw |max − i=0 V Ow [i] random strings
{R1 , R2 , ...} and uses a pad function P with the range
[m, n − 1] to compute P(R), the corresponding position
(i.e., |Rw | < |Cw |) or contain some incorrect data due V Ow [P(R)] is increased by 1. The pad function P can be
to the possible misbehaviours of the dishonest cloud defined as:
server. To allow an authorized data user to verify the
query results Rw , our main idea is that the data owner P(x) = m + (prfk (x) mod (n − m)), x ∈ {0, 1}∗
constructs a secure verification object V Ow for each Cw
in {Cw }w∈W , by which the data user can efficiently verify After padding, all V Ow s in {V Ow }w∈W satisfy:
the correctness and completeness of the returned query
n−1
result set Rw . Let {V Ow }w∈W denote the corresponding X
(V Ow [j]) = l × |Cw |max
verification objects collection of {Cw }w∈W .
j=0
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
verification object V Ow and the number of data files in 5.3 An Enhanced Completeness Verification Con-
Cw , i.e., |Cw |, we set the number of hash functions l to struction
be |Cmw | × ln 2 to minimize the false positive rate to be: For completeness verification, a significant advantage of
our constructed verification object is that the query user
l
1 l|Cw |
can quickly count the number of data files omitted by
1− 1− ≈ (1−e−l|Cw |/m )l = 2−l ≈ 0.6185m/|Cw | the cloud server for an incomplete query result set. As
m
a more strict completeness verification requirement (i.e.,
However, the set size |Cwi | is different for different which qualified data files are not returned in a query),
Cwi , wi ∈ W, 1 ≤ i ≤ |W |, to choose the same hash func- an enhanced verification object based on the Counting
tions family H with the same number of hash functions Bloom Filter was proposed in our work [27], which
l for all verification object in {V Ow }w∈W , we set further allows the data user to definitely obtain the file
identifier of each data file that satisfies the query yet is
m omitted by the cloud server, by reasonably designing the
l= × ln 2
|Cw |max identifiers of data files and secretly preserving them in
the corresponding verification object. Here, we are not
where |Cw |max is the maximum number of data files con- intend to elaborate on the verification construction to
taining a certain keyword w. Thus, for any set Cw0 that avoid unnecessary repetition. Interested readers please
0
satisfies |Cw | < |Cw )|max , the false positive rate incurred refer to [27] to obtain details about this.
by the corresponding V Ow0 is less than 0.6185m/|Cw |max .
For example, to guarantee that the false positive rate
induced by Bloom Filter is less than 0.01, we can set the 6 S IGNATURE AND AUTHENTICATION OF V ER -
number of hash functions to be l = log 21 0.01 = 7 and the IFICATION O BJECT
length of Bloom Filter to be m = |Cw |max log0.6185 0.01. Under the dishonest threat model, the cloud server may
tamper or forge verification objects to escape respon-
sibilities of misbehaviour if it knows a query results
5.2 Size of Verification Objects verification mechanism is involved in the secure search
scheme. Therefore, authenticating the verification object
In addition, the bit length of each counter in V O should itself is the first indispensable step for the data user
be discussed adequately, because the huge V O will when he receives query results and the corresponding
bring heavy storage cost and communication cost, which verification object from the cloud server. To achieve this
makes the verification object impractical. Generally, the goal as well as prevent the cloud server from sending
4 bits for each counter are sufficient for Counting Bloom forged verification object to a data user, digital signature
Filters. We give a simple derivation and more detailed over verification objects is a natural and good choose.
analysis please refer to [30]. Theoretically, the probability That is to say, on one hand, the data owner computes
that the i-th counter has been increased by j times, when a signature on each verification object using his private
inserting the set Cw , 1 ≤ i ≤ m, w ∈ W using l hash key after constructing verification objects; on the other
functions, can be denoted: hand, the data user verify the authenticity of verification
|Cw |l−j object using the data owner’s public key upon receiving
|Cw |l 1 j 1 the specified verification object in a query.
P r(c(i) = j) = 1−
j m m However, traditional digital signature techniques such
as DSA require certificates to guarantee the authenticity
According to the Stirling’s approximation, the probabil- of public key by Certification Authority, which is gener-
ity that any counter is greater or equal j is: ally considered to be costly to use due to expensive cer-
j tificate library management and maintenance problem-
|Cw )|l 1 e|Cw |l s. To eliminate the certificates, certificateless signature
P r(c(i) ≥ j) ≤ ≤
j mj jm schemes [34], [35], [36], [37], [38] have been proposed
based on the certificateless cryptography [39], [40]. In
m
To minimize the false positive rate, we set l = |Cw | × ln 2 this paper, we present an efficient short signature scheme
and further simplify the above inequality: based on [34] and [36] to significantly reduce the storage
j and communication cost of signatures of verification ob-
e ln 2 jects. Compared to above existing schemes, the signature
pr(c(i) ≥ j) ≤ m
j length of our scheme is only a half or one-third of these
schemes. In certificateless cryptography, there needs a
Hence, if we set the bit length of each counter to be 4, trusted Key Generation Center (KGC) to help the user
obviously, when j = 16, the counter happens overflow to generate public/private key pair, while KGC cannot
and the probability can be calculated as pr(c(i) ≥ 16) ≤ obtain user’s public/private key.
1.37×10−15 ×m. Obviously, the value is infinitesimal and Assume that there exists a trusted KGC in our system,
the probability of happening overflow can be ignored. o is a data owner and u denotes an authorized data user,
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
value P VID = Spub · g QID to data users. = e(g (mk+QID )(kID +λ) , g (mk+QID )(kID +λ) )
• Set-secret-value: o randomly picks up a value kID ∈ = e(g, g)
Z∗q as own secret value.
∗ A comparison is presented in Table 2, where the group
• Set-private-key: o first computes H1 (ID) according
with 160-bit order is used to instantiate G1 and G2 .
to his own identity ID and then verifies whether
the following equation holds or not.
∗ 7 S ECURELY R EQUESTING V ERIFICATION
e(Spub ·g H1 (ID) , dID ) O BJECT
∗ 1
= e(g mk · g H1 (ID) , g mk+QID ) Another important question is that how to obtain the
1
mk+H1∗ (ID) correct verification object from the set {V Ow }w∈W with-
= e(g ,g mk+H1 (ID)
)
mk+H1∗ (ID)/mk+H1 (ID) out leaking any useful information to the cloud server.
= e(g, g) A simple way is to organize the set {V Ow }w∈W as
= e(g, g) {(w, V Ow )}w∈W , thus the cloud server can very easily
return back the correct verification object according to
If the above equation holds (i.e., H1∗ (ID) = H1 (ID)
the submitted keyword w by the data user. However,
holds), then o confirms that his identity ID is not
the straightforward method compromises the security
tampered and o further determines the complete
and privacy of whole secure query system from three
private key as skID =< dID , kID > according to
aspects at least. First, the set {(w, V Ow )}w∈W contains
the partial key dID and the secret value kID .
plaintext information of all keywords in W . Second, the
• Set-public-key: o computes H1 (ID) and uses the
query keywords of the data user are leaked (i.e., query
secret value kID to generate his public key:
privacy) when he submits a keyword w of interest to
pkID = [Spub · g H1 (ID) ]kID request the corresponding V Ow ; Third, the cloud knows
the associations between the keywords and verification
= [Spub · g QID ]kID
objects that may allow the cloud server to obtain some
= (P VID )kID useful information about data files (e.g., which data files
• Sign: Given a verification object V Ow , o signs the contain a given query keyword w).
V Ow using his private key as follows: To remedy these drawbacks, in [27], we pro-
posed to encrypt each keyword by a pseudo ran-
1
σ = (dID ) kID +H2 (V Ow ,pkID ) dom function prfg and store the verification object set
k
{(prf k (w), V Ow )}w∈W in a lookup table T. When the
g
Upon receiving a query result set Rw and its verifica- data user wishes to obtain V Ow after performing a query
tion object V Ow , the authorized data user u first verifies using keyword w, he encrypts w as prf g (w) under the
k
the authenticity of V Ow by invoking the verification shared key k and summits the ciphertext to the cloud
algorithm Ver(params, V Ow , ID, pkID , σ), which decides server. The cloud server returns back the verification
whether the following equation holds or not: object by scanning T according to prf g (w) without
k
e(σ, pkID · (P VID )H2 (VO(w),pkID ) ) = e(g, g) knowing any underlying plaintext about w. However,
we find the construction still leaks some important in-
If the above equation holds, then u continues to verify formation including: (1) the submitted verification object
the correctness of Rw according to the verification object request information, for example, whether data users
V Ow ; otherwise, u refuses this query. If the returned often adopt the same keyword to request verification
V Ow is not forged or tampered with by the cloud server, objects, (2) which verification object is being requested
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
and returned in the current request task, and (3) which cloud server knows nothing about which verification ob-
verification objects are frequently or rarely requested. ject is requested and which verification object is actually
These exposed information may become temptations of returned every time due to the undeterministic Paillier
behaving dishonestly for the dishonest cloud server. For encryption.
example, if the cloud server knows some verification In addition, to verify the authenticity of returned veri-
objects are returned rarely, he may maliciously delete fication object itself, the corresponding signature should
these data for saving storage space. also be returned together. A common way is to attach
Therefore, our goal is to prevent the cloud server the signature to its verification object by σ||V O, where
from obtaining these information by using the Paillier || denotes a string concatenation notation. Thus, the
encryption scheme to design thus a secure verification verification object set can be denoted as {(σ||V O)w }w∈W .
object request mechanism. Algorithm 4 shows the algorithm of securely obtaining
Now, we describe our proposed verification object a verification object and we use Epk and Dsk to denote
request scheme in detail. First of all, the authorized the Paillier encryption and decryption respectively, for
data user generates the public/private pair (pk = N, sk) simplicity.
for the Paillier encryption system, where N denotes a
large composite number. For a certain keyword wi ∈ W Algorithm 4 Securely Obtaining Verification Object
(assume |W | = d) that the data user wants to request the Input:
corresponding verification object V Owi from the cloud The keyword set W, |W | = d and corresponding
server, the data user sets a flag fi for wi to be 1 to verification object set {(σ||V O)w }w∈W , the submitted
denote V Owi to be the desired verification object. For keyword wi .
other all keywords wj ∈ W (1 ≤ j ≤ d, j 6= i), he sets Output:
the corresponding flag fj = 0(1 ≤ j ≤ d, j 6= i). Then, The objective verification object (σ||V O)wi
the data user encrypts each flag fk (k = 1, 2, ..., d) using 1: Generate the public/private pair (pk, sk)
the Paillier encryption under the public key pk and a 2: for k ∈ [1, d] do
∗
randomly-chosen rk ∈ ZN as follows: 3: if wi = wk then
4: Set fk = 1 and encrypt fk as Epk (fk )
ck = [(1 + N )fk · rkN mod N 2 ]
5: else
Further, the data user sends the ciphertext set {ck |1 ≤ 6: Set fk = 0 and encrypt fk as Epk (fk )
k ≤ d} to the cloud sever. Upon receiving the set, 7: end if
the cloud server computes the following ciphertext for 8: end for
each ck according to the corresponding verification object 9: for each k ∈ [1, d] do
V Owk in {V Ow }w∈W stored in the cloud server 10: Calculate ck = Epk (fk )(σ||V O)wk
11: end for
V O wk
c∗k = ck = [(1 + N )fk · rkN mod N 2 ]V Owk
Qd
12: Calculate c∗ = k=1 ck
N ·V Owk 13: Decrypt c∗ as V Owi = Dsk (c∗ )
= [(1 + N )fk ·V Owk · rk mod N 2 ]
V Owk N
14: return (σ||V O)wi .
= [(1 + N )fk ·V Owk · (rk ) mod N 2 ]
and further computes:
Yd d
Y
V Ow
8 S ECURITY A NALYSIS
c∗ = c∗k mod N 2 = ck k mod N 2
8.1 Security of Verification Object
k=1 k=1
Pd d
Y N Similar to the secure index semantic security [5], the
fk ·V Owk V Ow 2
= (1 + N ) k=1 · rk mod N security of the verification object aims to capture the
k=1 notion that the verification object reveals nothing about
d
Y N contents of data files. A more formal and rigorous securi-
= (1 + N )1·V Owi · rkV Ow mod N 2 ty definition is the verification object indistinguishability,
k=1 which is synoptically described as that, given two verifi-
d N
cation objects V Ow , V Ow0 of set Cw , Cw0 for two different
Y
= (1 + N )V Owi · rkV Ow mod N 2 keywords w, w0 , no polynomial-time adversary A can
k=1
determine which verification object is for which data
After finishing the above calculation, the cloud server file set with probability that is non-negligible greater
sends c∗ to the data user. Obviously, c∗ is an effective than 1/2. We use formulation of verification object in-
Paillier encryption of the message V Owi under the public distinguishability to prove the semantic security of our
Qd V Ow
key pk = N and the random number k=1 (rk ). scheme and formally use the following game to define
∗ the formulation.
Therefore, the data user can successfully decrypt c with
the owned private key sk to gain the objective verifica- The verification object indistinguishability game
tion object V Owi locally. During the whole process, the \ Let f denote the verification object construction
(Game):
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
10
algorithm described in Algorithm 1. There is a chal- Proof. Suppose the adversary A has a non-negligible ad-
lenger B and a probabilistic polynomial time adversary vantage ( < 1) to win Game, \ we can use A to construct
A in this game. a distinguisher D who can distinguish the output of
1) A asks B for the output of f for his submitted the pseudo-random function from the output of a real
challenging set Cw for different keyword w many random function with a non-negligible advantage.
times. According to the Algorithm 1 denoted as f0 , we
2) A sends two different set Cw0 and Cw1 to B, which construct another algorithm Algorithm 1∗ denoted as f1 .
are not challenged in setp 1. A continues to ask B The only difference between them is that Algorithm 1∗
for the output of f for Cw . The only restriction is uses a random function rrf : {0, 1}∗ → {0, 1}s to replace
that Cw is not Cw0 or Cw1 . the pseudo-random function prfk used in f0 . Essentially,
3) After receiving Cw0 and Cw1 , B chooses a bit b ∈ prfk and rrf are modeled the random oracles that D
{0, 1} with probability 1/2 and invokes f (Cwb ) to has access to. D accepts the algorithm fx , x ∈ {0, 1}
output the verification object V Owb for Cwb . and its goal is to determine whether x = 0 or whether
4) V Owb is sent to A, A outputs his guess b0 of b. If x = 1. To do this, D emulates the game Game \ for A, and
b = b0 , the game input 1, and 0 otherwise. We say observes whether A succeeds or not. If A succeeds then
A wins the game and succeeds if the input is 1. D determines x = 0; otherwise, x = 1.
Intuitively, if the verification object is indistinguishable, D is given the algorithm fx and A chooses two file sets
the probability of A wins the game is at most negligibly Cw1 and Cw2 . D randomly chooses a bit b ∈ {0, 1} with
greater that 1/2, since it is easy to succeed with proba- probability 21 and invokes fx (Cwb ) to output V Owb and
bility 1/2 by taking a random guess to input b0 . Before then sends V Owb to A. A outputs a bit b0 and D outputs a
proving the security of the verification objects, we first guess x0 for x. Since A has a non-negligible advantage
give the following two definitions. to succeed in the game Game \ (i.e., the output b0 satisfies
Definition 1. The advantage of the probabilistic polynomial b0 = b), correspondingly, D also has advantage to
time A in winning the above game is defined as: determine the guess x0 = x = 0. That is, D can dis-
tinguish the output V Owb of f0 (Cwb ) (using the pseudo-
f 1 random function prfk under the key k) from f1 (Cwb )
AdvA = |P r[b = b0 ] − |
2 (using the real random function rrf ) with the non-
f negligible advantage . Since V Owb contains |Cw |max (let
If AdvA is negligible, we say that our constructed verification
object is semantically secure and achieves indistinguishability. |Cw |max = α) elements after padding , for each element
c, assume that the advantage that D distinguishes prfk (c)
Definition 2. Given a computationally efficient and keyed from rrf (c) is 0 , we have:
function F: {0, 1}∗ × {0, 1}τ → {0, 1}s , for any probabilistic √
polynomial time distinguisher D and an arbitrary length |0 · {z
0
... · }0 = ⇒ 0 = α
string x ∈ {0, 1}∗ , the advantage that D distinguishes Fk (x) α
from a random string r of length s is defined as: √
Since is non-negligible, the advantage α is also non-
F
AdvD = |P r[D(r) = 1] − P r[D(Fk (x)) = 1]| negligible. Therefore, if A wins the game Game
\ with a
non-negligible advantage , then D distinguishes the out-
where k ∈ {0, 1}τ and r is chosen at random uniformly from put of the pseudo-random function prfk from the output
{0, 1}s (the output of a random function). If F is a pseudo- of the real random function rrf with the non-negligible
random function, then the advantage AdvA F
is negligible under √
advantage α , which contradicts the Definition 2.
the randomly chosen key k from {0, 1}τ .
Definition 2 means that no polynomial time algorithm 8.2 Unforgeability of Verification Object Signature
can distinguish the output of a pseudo-random func- To guarantee the authenticity of the verification objects
tion from the output of a real random function [31]. themselves, a short signature scheme is proposed based
According to the construction of verification objects, it on [34] and [36]. We follow the threat model and security
is easy to see that achieving the indistinguishability of definition of certificateless signature scheme by [36] and
verification objects needs to guarantee that the positions omit the unforgeability proof of our scheme due to space
in the Bloom Filter of the inserted elements are indis- limitations. Please refer to [36] for detail security proofs.
tinguishable, which can further reduce to guarantee the
indistinguishability of inserted elements (for a set Cw , 8.3 Security of Verification Object Request
the inserted elements include data files and padding
We design a secure verification object requesting tech-
elements). In Algorithm 1, we use the pseudo-random
nique by adopting Paillier encryption. During the w-
function guarantee the indistinguishability of inserted
hole verification object request process, the cloud server
elements. We give the formal security proof as follows.
knows nothing about which verification object is request-
Theorem 1. If prf is a pseudo-random function, then our con- ed and which verification object is actually returned
structed verification object is semantically secure and achieves since the Paillier encryption is a probabilistic public-key
indistinguishability in the random oracle model. encryption scheme.
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
11
9 E XPERIMENTAL E VALUATION 1 3 0
1 6 0
1 2 0
of our scheme from four aspects: verification object 1 1 0
T im e ( m s )
T im e ( m s )
1 0 0
construction and query results verification, verification 1 0 0 C s u b je c t
C n e tw o rk
C h a rd w a re C p ro to c a l 8 0
object signature and authentication, verification informa- 9 0
C m a c h in e
6 0
tion request generation, and verification accuracy. 8 0
4 0
7 0 2 0
2 0 0 4 0 0 6 0 0 8 0 0 1 0 0 0 1 0 0 2 0 0 3 0 0 4 0 0 5 0 0 6 0 0 7 0 0 8 0 0 9 0 0
9.1 Experiment Setup T h e n u m b e r o f th e d a ta f ile s f o r d if f e r e n t d a ta f ile s s e t T h e n u m b e r o f d a ta f ile s in th e q u e r y r e s u lts s e t
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
12
TABLE 3 TABLE 5
Time Cost of Operation Time Cost of Operation
T im e ( × 1 0 -1 s )
T im e ( m s )
4 1 5
1 0
w ith
w ith
2
4
th re
th re
a d
a d
s
s
9
observe that the size of keyword dictionary W has no 9
T im e ( × 1 0 -1 s )
8
T im e ( × 1 0 -1 s )
8
7
influence on time cost of the desired verification object 6
7
decryption. 5
4
5
2
4
0
2
size (Fig. 6(a)) and is not affected by the number of (a) (b)
data files contained in the verification object when fixing
the dictionary size (Fig. 6(b)). In the encryption process, Fig. 6. The time cost of generating encrypted desired
|W | − 1 operations of E(0)x , one E(1)x operation, and verification object for cloud server: (a) for different number
|W | − 1 operations of E(x) · E(x) are involved in the of keywords in the keyword dictionary W , and (b) for dif-
cloud server side. When setting the number of threads ferent number of data files in Cw with the fixed dictionary,
to be 1 and varying the size of the dictionary from 10 |W | = 70.
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
13
TABLE 6 10 C ONCLUSION
Events of Result Verification In this paper, we propose a secure, easily integrated,
Event Description and fine-grained query results verification scheme for
tp (True Positive) The correct query result pass verification. secure search over encrypted cloud data. Different from
f p (False Positive) The incorrect query result pass verification. previous works, our scheme can verify the correctness
f n (False Negative) The correct result does not pass verification.
of each encrypted query result or further accurately
find out how many or which qualified data files are
returned by the dishonest cloud server. A short signature
1 2 0 1 0 2
1 1 0
p r e c is io n p r e c is io n
technique is designed to guarantee the authenticity of
c o r r e c t_ r a d io
1 0 0 1 0 1
C o r r e c t_ r a d io
verification object itself. Moreover, we design a secure
9 0
1 0 0
verification object request technique, by which the cloud
8 0
server knows nothing about which verification object
%
7 0
%
6 0
9 9
is requested by the data user and actually returned by
5 0 9 8
the cloud server. Performance and accuracy experiments
4 0
demonstrate the validity and efficiency of our proposed
3 0 9 7
1 2 3 4 5 6 7 1 0 0 2 0 0 3 0 0 4 0 0 5 0 0 6 0 0
T h e n u m b e r o f in c o r r e c t q u e r y r e s u lts in R
7 0 0 scheme.
T h e n u m b e r o f h a s h f u n c tio n s in B lo o m F ilte r n e tw o r k
(a) (b)
ACKNOWLEDGMENTS
Fig. 7. Evaluation of verification accuracy: (a) for different The authors would like to express their gratitude to
number of hash functions in Bloom Filter, Rnetwork con- the anonymous reviewers whose constructive comments
tains 300 correct query results and 500 incorrect query have helped to improve the quality of the manuscript.
results, and (b) for different number of incorrect query The work is supported by the National Natural Science
results in Rnetwork with the fixed hash functions (l = 7), Foundation of China (61472131, 61300218, and 61472132);
Rnetwork contains 300 correct query reuslts. The Natural Science Foundation of Hunan Province
(2017JJ2292); Science and Technology Key Projects of Hu-
nan Province (2015TP1004, 2016JC2012); Open Research
Fund of Hunan Provincial Key Laboratory of Network
for each result, these events are independent eachPother.
Investigational Technology (2016WLZC011).
We define the two metrics correct radio = P tp+tp P
fn P
and precision = P tp+tp f p to evaluate the verification R EFERENCES
P
P
accuracy, where denotes the total number of occur-
[1] P. Mell and T. Grance, “The nist definition of cloud computing,”
rences of an event when using V Ow to verify Rw . We http://dx.doi.org/10.602/NIST.SP.800-145.
artificially formulate the query results set Rnetwork based [2] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public
on the data files set Cnetwork as the experiment data cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, 2012.
[3] S. Kamara and K. Lauter, “Cryptographic cloud storage,” in
set. Correspondingly, the verification object is V Onetwork . Springer RLCPS, January 2010.
Fig. 7 shows the verification accuracy of our scheme. [4] D. Song, D. Wagner, and A. Perrig, “Practical techniques for
Fig. 7(a) and Fig. 7(b) show the correct radio always searches on encrypted data,” in IEEE Symposiumon Security and
Privacy, vol. 8, 2000, pp. 44–55.
keeps 100%. This is because that Bloom Filter does not [5] E.-J.Goh, “Secure indexes,” IACR ePrint Cryptography Archive,
introduce false negatives which means that our scheme http://eprint.iacr.org/2003/216, Tech. Rep., 2003.
can guarantee all correct results P in Rnetwork P to be able to [6] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano,
“Public-key encryption with keyword search,” in EUROCRYPR,
correctly pass verifications ( f n = 0 and tp = 300). 2004, pp. 506–522.
On the other hand, from the Fig. 7(a), we can see that, [7] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable
when the number of the hash functions of Bloom Filter symmetric encryption: improved deinitions and efficient construc-
tions,” in ACM CCS, vol. 19, 2006, pp. 79–88.
is set as 1, our schemeP causes about 420 incorrect results [8] M. Bellare, A. Boldyreva, and A. O’Neill, “Deterministic and
to pass verifications ( f p = 420) and P thus leads to a efficiently searchable encryption,” in Springer CRYPTO, 2007.
very low verification precision = P tp+tp P 300
f p = 300+420 =
[9] K. Kurosawa and Y. Ohtaki, “Uc-secure searchable symmetric
encryption,” Lecture Notes in Computer Science, vol. 7397, pp. 258–
41.7%; precision gradually increases with the increasing 274, 2012.
number of hash functions and approximatively achieves [10] P. Xu, H. Jin, Q. Wu, and W. Wang, “Public-key encryption with
300 fuzzy keyword search: A provably secure scheme under keyword
300+4 ≈ 98.7% when the number of hash functions is guessing attack,” IEEE Transactions on Computers, vol. 62, no. 11,
set to the optimal value l = 7. Fig. 7(b) demonstrates pp. 2266–2277, 2013.
that though the precision has the trend of decrease with [11] S. Kamara and C. Papamanthou, “Parallel and dynamic search-
the increases of the number of incorrect query results in able symmetric encryption,” in Financial Cryptography and Data
Security. Springer Berlin Heidelberg, 2013, pp. 258–274.
Rnetwork , it is not less than 98% when the number of hash [12] M. Naveed, M. Prabhakaran, and C. A. Gunter, “Dynamic search-
function is set to the optimal value l = 7 even Rnetwork able encryption via blind storage,” in IEEE S&P, May 2014, pp.
contains the large number of incorrect results. For the 639–654.
[13] C. Wang, N. Cao, J. Li, K. Ren, and W. Lou, “Secure ranked
very few incorrect query results that pass verifications, keyword search over encrypted cloud data,” in IEEE ICDCS, 2010,
the data user can delete them after decrypting. pp. 253–262.
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2709318, IEEE
Transactions on Cloud Computing
14
[14] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving area networks,” IEEE Transactions on Information Forensics and
multi-keyword ranked search over encrypted cloud data,” in IEEE Security, vol. 10, no. 7, pp. 1442–1455, 2015.
INFOCOM, 2011, pp. 829–837. [38] J. Liu, Z. Zhang, X. Chen, and K. S. Kwak, “Certificateless
[15] W. Sun, B. Wang, N. Cao, M. Li, W. Lou, Y. T. Hou, and remote anonymous authentication schemes for wirelessbody area
H. Li, “Privacy-preserving multi-keyword text search in the cloud networks,” IEEE Transactions on Parallel and Distributed Systems,
supporting similarity-based ranking,” in ACM ASIACCS, 2013. vol. 25, no. 2, pp. 332–342, 2014.
[16] B. Wang, S. Yu, W. Lou, and Y. T. Hou, “Privacy-preserving multi- [39] S. Al-Riyami and K. Paterson, “Certificateless public key cryptog-
keyword fuzzy search over encrypted data in the cloud,” in IEEE raphy,” in Springer ASIACRYPT, 2003, pp. 452–473.
INFOCOM, 2014, pp. 2112–2120. [40] H. Xiong, “Cost-effective scalable and anonymous certificateless
[17] W. Zhang, S.Xiao, Y. Lin, J. Wu, and S. Zhou, “Privacy preserving remote authentication protocol,” IEEE Transactions on Information
ranked multi-keyword search for multiple data owners in cloud Forensics and Security, vol. 9, no. 12, pp. 2327–2339, 2014.
computing,” IEEE Transactions on Computers, vol. 65, no. 5, pp. [41] “Rfc, request for comments database,”
1566–1577, May 2016. http://www.ietf.org/rfc.html.
[18] Z. Xia, X. Wang, X. Sun, and Q. Wang, “A secure and dynamic [42] http://gas.dia.unisa.it/projects/jpbc/index.html.
multi-keyword ranked search scheme over encrypted cloud data,”
IEEE Transactions on Parallel and Distributed System, vol. 27, no. 2,
Hui Yin received the BS degree from Hunan
pp. 340–352, 2015.
Normal University and the MS degree from Cen-
[19] Z. Fu, X. Sun, Q. Liu, L. Zhou, and J. Shu, “Achieving efficient
tral South University, both in computer science,
cloud search services: Multi-keyword ranked search over encrypt-
in 2002 and 2008, respectively. He is current-
ed cloud data supporting parallel computing,” IEICE Transactions
ly pursuing the PhD degree in the College of
on Communications, vol. E98-B, no. 1, pp. 190–200, 2015.
Computer Science and Electronic Engineering
[20] H. Li, D. Liu, Y. Dai, T. H. Luan, and X. S. Shen, “Enabling efficient
at Hunan University, China. His main interest-
multi-keyword ranked search over encrypted mobile cloud data
s are information security, privacy protection,
through blind storage,” IEEE Transactions on Emerging Topics in
cloud computing, and big data processing.
Computing, vol. 3, no. 1, 2014.
[21] H. Yin, Z. Qin, L. Ou, and K. Li, “A query privacy-
enhanced and secure search scheme over encrypted data in Zheng Qin received the PhD degree in comput-
cloud computing,” Journal of Computer and System Sciences, er software and theory from Chongqin Universi-
http://dx.doi.org/10.1016/j.jcss.2016.12.003. ty, China, in 2001. He is a professor of comput-
[22] B. Wang, B. Li, and H. Li, “Oruta: Privacy-preserving public er science and technology in Hunan University,
auditing for shared data in the cloud,” IEEE Transactions on Cloud China. He is a member of China Computer Fed-
Computing, vol. 2, no. 1, pp. 43–56, 2014. eration (CCF) and ACM respectively. His main
[23] C. Wang, N. Cao, K. Ren, and W. Lou, “Enabling secure and interests are computer network and information
efficient ranked keyword search over outsourced cloud data,” security, cloud computing, big data processing
IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 8, and software engineering.
pp. 1467–1479, 2012.
[24] W. Sun, B. Wang, N. Cao, M. Li, W. Lou, and Y. T. Hou, Jixin Zhang received the BS degree from Hubei
“Verifiable privacy-preserving multi-keyword text search in the Polytechnie University in Mathematics, and the
cloud supporting similarity-based ranking,” IEEE Transactions on MS degree from Wuhan University of Technolo-
Parallel and Distributed Systems, vol. 25, no. 11, pp. 3025–3035, 2014. gy in computer science and technology, in 2007
[25] Q. Zheng, S. Xu, and G. Ateniese, “Vabks: Verifiable attribute- and 2014, respectively. Currently, he is pursuing
based keyword search over outsourced encrypted data,” in IEEE the PhD degree in the College of Computer
INFOCOM, May 2014, pp. 522–530. Science and Electronic Engineering at Hunan
[26] W. Sun, X. Liu, W. Lou, Y. T. Hou, and H. Li, “Catch you if you lie University, China. His research focuses on mal-
to me: Efficient verifiable conjunctive keyword search over large ware detection, privacy protection and big data.
dynamic encrypted cloud data,” in IEEE INFOCOM, April 2015,
pp. 2110–2118.
[27] H. Yin, Z. Qin, L. Ou, Q. Liu, Y. Hu, and H. Rong, “A secure and Lu Ou received the BS degree from Science and
fine-grained query results verification scheme for private search Technology of Changsha University in computer
over encrypted cloud data,” in IEEE ICA3PP, 2015, pp. 667–681. science and the MS degree from Hunan Univer-
[28] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based sity in software engineering, in 2005 and 2012,
encryption for fine-grained access control of encryption data,” in respectively. Currently, she is pursuing the PhD
ACM CCS, 2006, pp. 89–98. degree in the College of Computer Science and
[29] B. Bloom, “Space/time trade-offs in hash coding with allowable Electronic Engineering at Hunan University, Chi-
errors,” Commun. ACM, vol. 12, no. 7, pp. 422–426, 1970. na. Her research focuses on network security,
[30] L. Fan, P. Cao, J. Almeida, and A. Z. Broder, “Summary cache: privacy protection and big data.
A scalable wide area web cache sharing protocal,” in ACM
SIGCOMM, 1998, pp. 254–265. Keqin Li is a SUNY Distinguished Professor
[31] M. Bellare and P. Rogaway, Introduction to Modern Cryptography. of computer science. His current research in-
Lecture Notes, 2001. terests include parallel computing and high-
[32] D. Boneh and M. Franklin, “Identity-based encryption from the performance computing, distributed comput-
weil pairing,” in Springer CRYPTO, ser. LNCS 2139, J. Kilian, Ed., ing, energy-efficient computing and communica-
2001, pp. 213–229. tion, heterogeneous computing systems, cloud
[33] P. Paillier, “Public-key cryptosystems based on composite degree computing, CPU-GPU hybrid and cooperative
residuosity classes,” in Springer EUROCRYPT, 1999, pp. 223–238. computing, multicore computing, storage and
[34] X. Li, K. Chen, and L. Sun, “Certificateless signature and proxy file systems, wireless communication networks,
signature schemes from bilinear pairings,” Lithuanian Mathemati- sensor networks, peer-to-peer file sharing sys-
cal Journal, vol. 45, no. 1, pp. 76–83, 2005. tems, mobile computing, service computing, In-
[35] M. Gorantla and A. Saxena, “An efficient certificateless signature ternet of things and cyber-physical systems. He has published over 470
scheme,” in Computational Intelligence and Security, CIS 2005, 2005, journal articles, book chapters, and refereed conference papers, and
pp. 110–116. has received several best paper awards. He is currently or has served
[36] W. Yap, S. Heng, and B. Goi, “An efficient certificateless signa- on the editorial boards of IEEE Transactions on Parallel and Distribut-
ture scheme,” in Emerging Directions in Embedded and Ubiquitous ed Systems, IEEE Transactions on Computers, IEEE Transactions on
Computing, EUC 2006 Workshops, 2006, pp. 322–331. Cloud Computing, IEEE Transactions on Services Computing, and IEEE
[37] H. Xiong and Z. Qin, “Revocable and scalable certificateless Transactions on Sustainable Computing. He is an IEEE Fellow.
remote authentication protocol with anonymity for wireless body
2168-7161 (c) 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.