University of Wollongong

Research Online

Faculty of Engineering and Information Faculty of Engineering and Information

Sciences - Papers: Part A Sciences

1-1-2016

Two-factor data security protection mechanism for cloud storage system

Joseph K. Liu
University of Bristol, Monash University, [email protected]

Kaitai Liang
City University of Hong Kong, Aalto University, [email protected]

Willy Susilo
University of Wollongong, [email protected]

Jianghua Liu
Fujian Normal University

Yang Xiang
Deakin University

Follow this and additional works at: https://ro.uow.edu.au/eispapers

Part of the Engineering Commons, and the Science and Technology Studies Commons

Research Online is the open access institutional repository for the University of Wollongong. For further information
contact the UOW Library: [email protected]
Two-factor data security protection mechanism for cloud storage system

Abstract
In this paper, we propose a two-factor data security protection mechanism with factor revocability for
cloud storage system. Our system allows a sender to send an encrypted message to a receiver through a
cloud storage server. The sender only needs to know the identity of the receiver but no other information
(such as its public key or its certificate). The receiver needs to possess two things in order to decrypt the
ciphertext. The first thing is his/her secret key stored in the computer. The second thing is a unique
personal security device which connects to the computer. It is impossible to decrypt the ciphertext
without either piece. More importantly, once the security device is stolen or lost, this device is revoked. It
cannot be used to decrypt any ciphertext. This can be done by the cloud server which will immediately
execute some algorithms to change the existing ciphertext to be un-decryptable by this device. This
process is completely transparent to the sender. Furthermore, the cloud server cannot decrypt any
ciphertext at any time. The security and efficiency analysis show that our system is not only secure but
also practical.

Keywords
two, storage, cloud, mechanism, protection, security, data, factor, system

Disciplines
Engineering | Science and Technology Studies

Publication Details
Liu, J. K., Liang, K., Susilo, W., Liu, J. & Xiang, Y. (2016). Two-factor data security protection mechanism for
cloud storage system. IEEE Transactions on Computers, 65 (6), 1992-2004.

This journal article is available at Research Online: https://ro.uow.edu.au/eispapers/5944

 1

Two-Factor Data Security Protection Mechanism

for Cloud Storage System
Joseph K. Liu, Kaitai Liang∗ , Willy Susilo, Jianghua Liu, Yang Xiang

Abstract—In this paper, we propose a two-factor data security protection mechanism with factor revocability for cloud storage system.
Our system allows a sender to send an encrypted message to a receiver through a cloud storage server. The sender only needs to know
the identity of the receiver but no other information (such as its public key or its certificate). The receiver needs to possess two things
in order to decrypt the ciphertext. The first thing is his/her secret key stored in the computer. The second thing is a unique personal
security device which connects to the computer. It is impossible to decrypt the ciphertext without either piece. More importantly, once
the security device is stolen or lost, this device is revoked. It cannot be used to decrypt any ciphertext. This can be done by the cloud
server which will immediately execute some algorithms to change the existing ciphertext to be un-decryptable by this device. This
process is completely transparent to the sender. Furthermore, the cloud server cannot decrypt any ciphertext at any time. The security
and efficiency analysis show that our system is not only secure but also practical.

Keywords—two-factor, factor revocability, security, cloud storage.

1 I NTRODUCTION the cloud service. It can further protect data that is stored
Cloud storage [44], [43], [49], [45], [10] is a model of at the service provider. Even there is an unauthorized
networked storage system where data is stored in pools adversary who has gained access to the cloud, as the
of storage which are generally hosted by third parties. data has been encrypted, the adversary cannot get any
There are many benefits to use cloud storage. The most information about the plaintext. Asymmetric encryption
notable is data accessibility. Data stored in the cloud can allows the encryptor to use only the public information
be accessed at any time from any place as long as there (e.g. public key or identity of the receiver) to generate
is network access. Storage maintenance tasks, such as a ciphertext while the receiver uses his/her own secret
purchasing additional storage capacity, can be offloaded key to decrypt. This is the most convenient mode of
to the responsibility of a service provider. Another ad- encryption for data transition, due to the elimination of
vantage of cloud storage is data sharing between users. key management existed in symmetric encryption.
If Alice wants to share a piece of data (e.g. a video) to
Bob, it may be difficult for her to send it by email due to E NHANCED S ECURITY P ROTECTION . In a normal asym-
the size of data. Instead, Alice uploads the file to a cloud metric encryption, there is a single secret key corre-
storage system so that Bob can download it at anytime. sponding to a public key or an identity. The decryp-
Despite its advantages, outsourcing data storage also tion of ciphertext only requires this key. The key is
increases the attack surface area at the same time. For usually stored inside either a personal computer or a
example, when data is distributed, the more locations trusted server, and may be protected by a password. The
it is stored the higher risk it contains for unauthorized security protection is sufficient if the computer/server
physical access to the data. By sharing storage and net- is isolated from an opening network. Unfortunately,
works with many other users it is also possible for other this is not what happens in the real life. When being
unauthorized users to access your data. This may be connected with the world through the Internet, the
due to mistaken actions, faulty equipment, or sometimes computer/server may suffer from a potential risk that
because of criminal intent. A promising solution to offset hackers may intrude into it to compromise the secret
the risk is to deploy encryption technology. Encryption key without letting the key owner know. In the physical
can protect data as it is being transmitted to and from security aspect, the computer storing a user decryption
key may be used by another user when the original
• ∗ Kaitai Liang is the corresponding author. computer user (i.e. the key owner) is away (e.g. when
• J. K. Liu is with Monash University, Australia. E-mail: the user goes to toilet for a while without locking the
[email protected].
• K. Liang is with Aalto University, Finland. E-mail: [email protected].
machine). In an enterprise or college, the sharing usage
• W. Susilo is with University of Wollongong, Australia. E-mail: of computers is also common. For example, in a college,
[email protected]. a public computer in a copier room will be shared with
• J. Liu is with Fujian Provincial Key Laboratory of Network Security and
Cryptology, School of Mathematics and Computer Science, Fujian Normal
all students staying at the same floor. In these cases,
University, China. E-mail: [email protected]. the secret key can be compromised by some attackers
• Y. Xiang is with the School of Information Technology, Deakin University, who can access the victim’s personal data stored in the
Australia. E-mail: [email protected].
cloud system. Therefore, there exists a need to enhance
 2

the security protection. • The sender needs to know the serial number /
An analogy is e-banking security. Many e-banking public key of the security device, in additional
applications require a user to use both a password and a to the user’s identity / public key. That makes
security device (two factors) to login system for money the encryption process more complicated. In the
transfer. The security device may display a one-time case of identity-based encryption, the concept
password to let the user type it into the system, or it may of “identity-based” has been totally lost as the
be needed to connect with the computer (e.g. through sender needs to know not only the identity but
USB or NFC). The purpose of using two factors is to another serial number!
enhance the security protection for the access control.
As cloud computing becomes more mature and there 2) Split the secret key into two parts: Another naive
will be more applications and storage services provided way to think of is to simply split the secret key into
by the cloud, it is easy to foresee that the security for data two parts. The first part is stored in the computer
protection in the cloud should be further enhanced [47], while the second part is embedded into a security
[42], [12], [18]. They will become more sensitive and device. Similar to the above approach, without ei-
important, as if the e-banking analogy. Actually, we have ther part one cannot decrypt the ciphertext.
noticed that the concept of two-factor encryption, which Again it seems that this approach can achieve our
is one of the encryption trends for data protection1 , has goal. However, note that the security of a normal
been spread into some real-world applications, for exam- encryption scheme cannot be guaranteed if part of
ple, full disk encryption with Ubuntu system, AT&T two the secret key has been exposed. The security is only
factor encryption for Smartphones2 , electronic vaulting guaranteed if the whole secret key has not been ex-
and druva - cloud-based data encryption3 . However, posed to the adversary. In other words, if we simply
these applications suffer from a potential risk about split the secret key into two parts, the adversary
factor revocability that may limit their practicability. with either part may have non-negligible chance to
Note we will explain it later. A flexible and scalable two- decrypt (or at least to know some information about
factor encryption mechanism is really desirable in the era the plaintext). This is not the case that we expect.
of cloud computing. That motivates our work. There exists another cryptographic primitive
called “leakage-resilient encryption” [1], [37], [15].
The security of the scheme is still guaranteed if
1.1 Some Naive Approaches the leakage of the secret key is up to certain bits
We discuss some naive approaches for enhancement of such that the knowledge of these bits does not help
security protection and explain why they are not the best to recover the whole secret key. However, though
candidate to achieve the goal of flexibility. using leakage resilient primitive can safeguard the
leakage of certain bits, there exists another practical
1) Double encryption: A security device (with an limitation. Suppose we put part of the secret key
additional public key or serial number) is still re- into the security device. Unfortunately the device
quired. The encryption process is executed twice. is stolen. The user needs to obtain a replacement
First encrypt the plaintext corresponding to the device so that he can continue to decrypt his corre-
public key or identity of the user. Then encrypt sponding secret key. The trivial way is to copy the
it again corresponding to the public key or serial same bits (as in the stolen device) to the new device
number of the security device. For the decryption by the private key generator (PKG). This approach
stage, the security device first decrypts once. The can be easily achieved. Nevertheless, there exists
partially decrypted ciphertext is then passed to the security risk. If the adversary (who has stolen the
computer which uses the user secret key to further security device) can also break into the computer
decrypt it. Without either part (user secret key or where the other part of secret key is stored, then
security device) one cannot decrypt the ciphertext. it can decrypt all ciphertext corresponding to the
It seems that this naive approach can achieve our victim user. The most secure way is to cease the
goal. However, there exist many practical issues that validity of the stolen security device.
it cannot solve. For example, The same analogy is the online banking. A
• If the user has lost his security device, then user needs to have a security device (together with
his/her corresponding ciphertext in the cloud the knowledge of his/her password) in order to
cannot be decrypted forever! That is, the ap- login the e-banking service. If the security device
proach cannot support security device up- is reported as lost, the user can no longer use the
date/revocability. old device to login. Thus using leakage resilient
primitive cannot provide this security feature which
1. http://www.datamation.com/data-center/trends-in-data- is considered as the most important criterion of two-
protection-prevention-and-recovery.html
factor security protection.
2. http://www.securityweek.com/att-offer-carrier-provided-two-
factor-encryption-smartphones 3) Other methods: Some real-world systems, such
3. http://www.druva.com/ as AT&T and druva, also leverage two-factor en-
 3

cryption techniques to protect message from being We provide an estimation of the running time of our
leaked to malicious users. However, their techniques prototype to show its practicality, using some benchmark
suffer from a potential practical risk. Below we take results. We also note that although there exist some
druva system as an example. In a druva system, a naive approaches that seem to achieve our goal, we have
message is first encrypted under a user key k1 , and discussed in Section 1.1 that there are many limitations
next uploaded to a cloud server. The user key k1 by each of them and thus we believe our mechanism is
is further encrypted by another user key k2 , and the first to achieve all the above mentioned features in
stored in the server as well. The key k2 is held by the the literature.
user. When retrieving the message, the user needs
to use k2 to recover k1 which is further used to 2 R ELATED W ORK
recover m. It is undeniable that this message-key-
encrypt mechanism is much better than the mode We first review some solutions which may contain sim-
only using a single key to encrypt an outsourced ilar functionalities. We will further explain why they
data, and storing the ciphertext along with the key cannot fully achieve our goal.
in the server. Nevertheless, this mechanism suffers
from a potential risk in practice (which we have 2.1 Cryptosystems with Two Secret Keys
mentioned previously): once the user loses the key There are two kinds of cryptosystems that requires two
k2 , all data of the user stored in the cloud cannot secret keys for decryption. They are certificateless cryp-
be retrieved. The lack of revocability for encryption tosystem and certificate-based cryptosystem.
factor limits the flexibility of the system. Certificateless cryptosystem (CLC) was first intro-
duced in [2] and further improvements can be found
in [4], [28], [23]. It combines the merits of identity-
1.2 Our Contributions based cryptosystem (IBC) and the traditional public-key
In this paper, we propose a novel two-factor security infrastructure (PKI). In a CLC, a user with an identity
protection mechanism for data stored in the cloud. Our chooses his own user secret key and user public key.
mechanism provides the following nice features: At the same time the authority (called the Key Gener-
ation Centre (KGC)) further generates a partial secret
1) Our system is an IBE (Identity-based encryption)- key according to his identity. Encryption or signature
based mechanism. That is, the sender only needs verification requires the knowledge of both the public
to know the identity of the receiver in order to key and the user identity. On the opposite, decryption
send an encrypted data (ciphertext) to him/her. No or signature generation requires the knowledge of both
other information of the receiver (e.g. public key, the user secret key and the partial secret key given by
certificate etc.) is required. Then the sender sends the KGC. Different from the traditional PKI, there is no
the ciphertext to the cloud where the receiver can certificate required. Thus the costly certificate validation
download it at anytime. process can be eliminated. However, the encryptor or
2) Our system provides two-factor data encryption the signature verifier still needs to know the user public
protection. In order to decrypt the data stored in the key. It is less convenient than IBC where only identity is
cloud, the user needs to possess two things. First, required for encryption or signature verification.
the user needs to have his/her secret key which Similar to CLC, another primitive called certificate-
is stored in the computer. Second, the user needs based cryptosystem (CBC) was introduced in [19]. Fur-
to have a unique personal security device which ther variants may include [3], [29], [33], [30], [31]. The
will be used to connect to the computer (e.g. USB, concept is almost the same as CLC, except that the
Bluetooth and NFC). It is impossible to decrypt the partial secret key given by the KGC (which is called the
ciphertext without either piece. certificate) is a signature of the identity and the public key
3) More importantly, our system, for the first time, of the user by the KGC. (Note that in CLC, the partial
provides security device (one of the factors) revoca- secret key given by the KGC is just the signature of the
bility. Once the security device is stolen or reported identity of the user.) Due to the similarities, CBC faces
as lost, this device is revoked. That is, using this the same disadvantages as CLC mentioned above.
device can no longer decrypt any ciphertext (cor-
responding to the user) in any circumstance. The
cloud will immediately execute some algorithms to 2.2 Cryptosystems with Online Authority
change the existing ciphertext to be un-decryptable Mediated cryptography was first introduced in [7] for
by this device. While the user needs to use his the purpose of revocation of public keys. It requires an
new / replacement device (together with his secret online mediator, referred to a SEM (SEcurity Mediator),
key) to decrypt his/her ciphertext. This process is for every transaction. The SEM also provides a control
completely transparent to the sender. of security capabilities. If the SEM does not cooperate
4) The cloud server cannot decrypt any ciphertext at then no transactions with the public key are possible any
any time. longer. In other words, any revoked user cannot get the
 4

cooperation from the SEM. That means revoked users under an identity id and a time period T , and a non-
cannot decrypt any ciphertext successfully. revoked user is issued a private key skid,T by a PKG
Later on, this notion was further generalized as se- such that the user can access the data in T . Boldyreva,
curity mediated certificateless (SMC) cryptography [11], Goyal and Kumar [6] proposed the security notion for
[48]. In a SMC system, a user has a secret key, public revocable IBE. To achieve adaptive security, Libert and
key and an identity. The user secret key and the SEM Vergnaud [26] proposed a revocable IBE scheme based
are required to decrypt a ciphertext or sign a message. on the combination of attribute-based encryption and
On the opposite side, the user public key and the corre- IBE. Recently, Seo and Emura [39] formalized a revised
sponding identity are needed for signature verification notion for revocable IBE. Since its introduction, there
or encryption. Since the SEM is controlled by the revo- are many variants of revocable IBE, such as [38]. The
cation authority, the authority can refuse to provide any premise of a revocable IBE system is mainly related to a
cooperation for revoked user so that no revoked user can time period: next the decryption rights of the next time
generate signature or decrypt ciphertext. period relies on a secret token (for the next time period)
Note that SMC is different from our concept. The main issued by PKG and a current time period key. However,
purpose of SMC is to solve the revocation problem. Thus this premise yields inconvenience once the current time
the SME is controlled by the authority and it has to be period key is lost.
online for every signature signing and ciphertext decryp- Another cryptosystem supporting revocability is
tion. Furthermore, it is not identity-based. The encryptor proxy re-encryption (PRE). Decryption rights delegation
(or signature verifier) needs to know the corresponding is introduced in [35]. Blaze, Bleumer and Strauss [5]
public key in addition to the identity. That makes the formally defined the notion of PRE. To employ PRE in
system less practical and looses the advantages of using the IBE setting, Green and Ateniese [20] defined the
identity-based system. notion of identity-based PRE (IB-PRE). Later on, Tang,
Hartel and Jonker [41] proposed a CPA-secure IB-PRE
2.3 Cryptosystem with Security Device scheme, in which delegator and delegatee can belong
to different domains. After that there are many IB-PRE
The paradigm of key-insulated cryptography was in-
systems have been proposed to support different user
troduced in [16] and variants were proposed in
requirements, e.g., [13], [36], [34], [40], [24]. Among of
[17], [22], [25], [32]. There is a physically-secure but
the previously introduced IB-PRE systems, [20] is the
computationally-limited device in the system. A long-
most efficient one without loss of revocability. We state
term key is stored in this device, while a short-term
that leveraging [20] can only achieve one of our design
secret key is kept by users on a powerful but insecure
goals, revocability, but not two-factor protection.
device where cryptographic computations take place.
Short term secrets are then refreshed at discrete time
periods via interaction between the user and the base 3 OVERVIEW
while the public key remains unchanged throughout the 3.1 Our Intuition
lifetime of the system. The user obtains a partial secret Inspired by [21], we propose a two-factor data security
key from the device at the beginning of each time period. protection mechanism. Before giving the description of
He then combines this partial secret key with the one our mechanism, we first give an intuition on it. In our
from the previous period, in order to renew the secret system, we have the following entities:
key for the current time period.
• Private Key Generator (PKG): It is a trusted party
Different from our concept, key-insulated cryptosys-
responsible for issuing private key of every user.
tem requires all users to update their key in every time
• Security Device Issuer (SDI): It is a trusted party
period. It may require some costly time synchronization
responsible for issuing security device of every user.
algorithms between users which may not be practical
• Sender (Alice): She is the sender (and the creator)
in many scenarios. The key update process requires the
of the ciphertext. She only knows the identity (e.g.
security device. Once the key has been updated, the
email address) of the receiver but nothing else
signing or decryption algorithm does not require the
related to the receiver. After she has created the
device anymore within the same time period. While our
ciphertext, she sends to the cloud server to let the
concept does require the security device every time the
receiver for download.
user tries to decrypt the ciphertext. Furthermore, there is
• Receiver (Bob): He is the receiver of the ciphertext
no key updating required in our system. Thus we do not
and has a unique identity (e.g. email address). The
require any synchronization within the whole system.
ciphertext is stored on a cloud storage while he can
download it for decryption. He has a private key
2.4 Cryptosystem with Revocability (stored in his computer) and a security device (that
Since our system is an IBE-based mechanism, we be- contains some secret information related to his iden-
low introduce IBE-based systems supporting revoca- tity). They are given by the PKG. The decryption
bility. The first revocable IBE is proposed by Boneh of ciphertext requires both the private key and the
and Franklin [8], in which a ciphertext is encrypted security device.
 5

• Cloud Server: The cloud server is responsible for 2) Type-II: Decrypt without secret key: The adversary
storing all ciphertext (for receiver to download). tries to decrypt the ciphertext without any secret
Once a user has reported lost of his security device key. It can have its own security device.
(and has obtained a new one from the PKG), the Note that the above threat model has already captured
cloud acts as a proxy to re-encrypt all his past and the semi-trust behaviour of the cloud server.
future ciphertext corresponding to the new device.
That is, the old device is revoked. 3.4 Notations
We further illustrate our mechanism’s framework in We introduce the notations used in our system below.
Fig. 1 and Fig. 2. When a new system user, say Bob,
joins our system, a PKG will issue a private key, and TABLE 1: Frequently Used Notations
SDI will issue a security device to him. Both the private
Z∗q all positive integers (except 0) after module a prime q
key and the security device are necessary for recovering ⊕ exclusive OR
a data from its encrypted format. r ∈R Z∗q randomly choose an r from Z∗q
In ordinary data sharing, a data sender, say Alice, first {0, 1} a bit with value either 0 or 1
A||B string A concatenates string B
encrypts the sharing data under the identity of a data IDi the identity of user i
receiver, say Bob, and next uploads the ciphertext to the tpki the public information of the (old) security device
cloud server. Here we refer to this ciphertext as first- of a user IDi
tski the secret information embedded in the (old) security
level ciphertext. After receiving the first-level ciphertext device of a user IDi
from Alice, the cloud server then turns the ciphertext to tpk
f
i the public information of the new security device
become a second-level ciphertext for the corresponding of a user IDi
skIDi the secret key of a user IDi
security device belonging to Bob. Bob then downloads m a message
the second-level ciphertext from the cloud, and next C1 the first-level ciphertext of a message m
recovers the data from its encrypted form by using his C2 the second-level ciphertext of a message m
rktpk the information used to update a second-level
private key and security device. i →tpki
g
ciphertext under an old security device to another
When the security device of Bob is either lost or stolen, (second-level) ciphertext under a new security device
Bob first reports the issue to the SDI. The SDI then (up)
C2 the updated second-level ciphertext of a message m
issues a new security device to Bob, and meanwhile, under a new security device
it sends a request of updating Bob’s corresponding ci-
phertext along with a special key to the cloud server.
The cloud server updates the ciphertexts of Bob under 4 D ETAILS OF O UR P ROPOSED M ECHANISM
an old security device to the ones under a new device. 4.1 Mathematical Preliminaries
However, it does not gain access to the underlying data
Bilinear Maps. Let BSetup denote an algorithm that, on
in the update process. Here Bob is allowed to download
input the security parameter k, outputs the parameters
and recover the data by using his private key and new
for a bilinear map as (q, g, G, GT , e), where G and GT are
security device.
two multiplicative cyclic groups with prime order q ∈
Θ(2k ) and g is a generator of G. The efficient mapping
3.2 Assumptions e : G × G → GT has three properties: (1) Bilinearity: for
all g ∈ G and a, b ∈R Z∗q , e(g a , g b ) = e(g, g)ab ; (2) Non-
In our system, we assume that the PKG is a trusted degeneracy: e(g, g) 6= 1GT , where 1GT is the unit of GT ;
party4 . We further assume that the SDI is trusted, and (3) Computability: e can be efficiently computed.
the cloud service is semi-trust. That is, it is honest that Decisional Bilinear Diffie-Hellman (BDH) Assump-
it will execute all prescribed algorithms but it is curious. tion [46]. For an algorithm A, define its advantage
It may try to decrypt the ciphertext stored in the cloud as AdvA BDH
(k) = |P r[A(g, g a , g b , g c , e(g, g)abc ) = 1] −
storage. We also assume that an honest system user will P r[A(g, g , g , g , e(g, g)z ) = 1]|, where a, b, c, z ∈R Z∗q .
a b c
not expose his/her security device and secret key to an We say the BDH assumption holds, if for any PPT
adversary, and the security device is temper resistant. algorithm A, AdvA BDH
(k) is negligible in k.
q-weak Decision Bilinear Diffie-Hellman
Inversion (q-wDBDHI) Assumption. For
3.3 Threat Model
an algorithm A, define its advantage as
q−wDBDHI q
In this paper, we consider the following threats: AdvA (k) = |P r[A(g, g a , ..., g a , g b , e(g, g)b/a ) =
q
1) Type-I: Decrypt without security device: The ad- 1] − P r[A(g, g a , ..., g a , g b , e(g, g)z ) = 1]|, where
versary tries to decrypt the ciphertext without the a, b, z ∈R Z∗q . We say the q-wDBDHI asummption
q−wDBDHI
security device, or using a revoked security device, holds, if for any PPT algorithm A, AdvA (k) is
or using another security device belonging to others. negligible in k. In our proof, we set q = 1, that is, the
It can have its own secret key. 1-wDBDHI assumption [27].
Target Collision Resistant Hash Function [14]. A TCR
4. This is a normal assumption in all identity-based systems. hash function H guarantees that given a random element
 6

Fig. 1: Ordinary Data Sharing.

Fig. 2: Update Ciphertext after Issuing A New Security Device.

x which is from the valid domain of H, a PPT adversary we need to further support security device revocability.
A cannot find y 6= x such that H(x) = H(y). We let A trivial combination of IBE and PKE cannot achieve our
T CR
AdvH,A = P r[(x, y) ← A(1k ) : H(x) = H(y), x 6= goal. To support revocability, we employ re-encryption
y, x, y ∈ DH] be the advantage of A in successfully technology such that the part of ciphertext for an old
finding collisions from a TCR hash function H, where security device can be updated for a new device if the
DH is the valid input domain of H, and k is the security old device is revoked. Meanwhile, we need to generate
parameter. If a hash function is chosen from a TCR hash a special key for the above ciphertext conversion. We
T CR
function family, AdvH,A is negligible. also guarantee that the cloud server cannot achieve any
knowledge of message by accessing the special key, the
4.2 Our Construction old ciphertext and the updated ciphertext. We further
Construction Roadmap. We leverage two different encryp- use hash-signature method to “sign” ciphertext such
tion technologies: one is IBE and the other is traditional that once an component of ciphertext is tempered by
Public Key Encryption (PKE). We first allow a user to adversary, the cloud and ciphertext receiver can tell.
generate a first level ciphertext under a receiver’s iden- From the above presentations, we can see that our two-
tity. The first-level ciphertext will be further transformed factor protection system with security device revocability
into a second level ciphertext corresponding to a security cannot be obtained by trivially combining an IBE with a
device. The resulting ciphertext can be decrypted by a PKE. We present the system description as follows.
valid receiver with secret key and security device. Here, 1) Setup Phase: the setup phase generates all public
one might doubt that our construction is a trivial and parameters and master secret key used throughout
straightforward combination of two different encryp- the execution of system. The public parameters are
tions. Unfortunately, this is not true due to the fact that shared with all parties participating into the system
 7

(including data sender/receiver, cloud server and a a) Choose β1 , β2 ∈R {0, 1}k , set r = H2 (β1 , β2 ), com-
PKG), while the master secret key is given to the pute c5 = c1 ⊕(β1 ||β2 ), c6 = (β1 ||β2 )⊕H3 (e(g, g)r ),
H (tpki ) r
PKG. The details of setup phase are as follows. c7 = (tpki,1 · tpki,21 ) , c8 = hr , and c9 =
r
a) Set G and GT to be groups of prime order q, and H5 (c5 , c6 , c7 , c8 ) .
e : G × G → GT to be a bilinear map. b) Output the second-level ciphertext C2 = (c2 , c3 ,
b) Choose g, g2 , h ∈ G, α ∈R Z∗q , the target col- c4 , c5 , c6 , c7 , c8 , c9 ) to the cloud.
lision resistant hash functions: H1 : G → Z∗q , 5) Device Updated Phase: Once a device of a user
H2 : {0, 1}2k → Z∗q , H3 : GT → {0, 1}2k , H4 : needs to be updated due to some incidences (e.g.
{0, 1}∗ → G, H5 : {0, 1}∗ → G, and set g1 = g α , it is either lost or stolen), the user first reports the
where k is the security parameter as well as the issue to the SDI. The SDI then issues a new device
bit length of message. for the user.
c) Set the public parameters param to be (k, q, g, g1 , a) The SDI chooses zi,1 , zi,2 ∈R Z∗q , and sets the
g2 , h, e(g, g), e(g1 , g2 ), H1 , H2 , H3 , H4 , H5 , F (.)), security device’s description information as tpki :
α
and the master Q secret key msk to be g2 , where (tpki,1 = g zi,1 , tpki,2 = g zi,2 ), and its corre-
F (ID) = u0 · j∈V uj , u0 , uj , ..., un ∈R G, and ID sponding secret information as tski : (tski,1 = zi,1 ,
is an n-bit string and V is the set of all j for which tski,2 = zi,2 ). The SDI finally delivers the security
the j-th bit of ID is equal to 1. device to a user IDi .
2) Key and Device Issued Phase: A SDI and a PKG b) The SDI further updates the list List.
will respectively generate a security device and a 6) Ciphertext Updated Phase: The SDI notifies the
secret key for a registered user IDi in secure channel cloud server to update the ciphertext of the user by
such that the user can combine the security device sending a special piece of information.
with the secret key to recover message from its a) The SDI first sends a piece of information to
encrypted format. The details of key and security the cloud server so as to inform the cloud to
device issued phase are as follows. execute the ciphertext updated process. The in-
a) The SDI chooses zi,1 , zi,2 ∈R Z∗q , and sets the formation rktpki →tpk g = (rk1 , rk2 , IDi , tpki , tpki )
g
security device’s description information as tpki : is constructed as
i

(tpki,1 = g zi,1 , tpki,2 = g zi,2 ), and its corre-

H (tpk
g ) −1
sponding secret information as tski : (tski,1 = zi,1 , f · tpk
rk1 = (tpk f 1 i
)(δi,1 +δi,2 ·H1 (tpki )) · hξ ,
i,1 i,2
tski,2 = zi,2 ). The SDI finally delivers the security H (tpki ) ξ
device to a user IDi . rk2 = (tpki,1 · tpki,21 ) ,
b) The SDI stores the tuple (IDi , tpki ) in a list List where ξ ∈R Z∗q ,
tski = (δi,1 , δi,2 ) is the decryption
shared with the cloud storage system. key of the old security device.
c) The PKG sets the secret key for a user IDi as b) After receiving the information rktpki →tpkj , the
cloud server updates the ciphertext C2 as follows.
skIDi = (skIDi ,1 , skIDi ,2 ) = (g2α F (IDi )s , g s ), i) Parse C2 as (c2 , c3 , c4 , c5 , c6 , c7 , c8 , c9 ), and
rktpki →tpkj as (rk1 , rk2 , IDi , tpki , tpkj ).
where s ∈R Z∗q . ii) Check
3) First-Level Ciphertext Generation Phase: a data H (tpki )
sender encrypts a data under the identity of a data e(c7 , h) = e(tpki,1 · tpki,21 , c8 ),
(1)
receiver, and further sends the encrypted data to the e(c8 , H5 (c5 , c6 , c7 , c8 )) = e(h, c9 ).
cloud server. Knowing public parameters param, a
If the equations do not hold, output ⊥; else
data m ∈ {0, 1}k and a receiver’s identity IDi , a data
proceed.
sender encrypts a data to a first level encryption as e(c7 ,rk1 )
iii) Compute c10 = e(c .
follows. Note the first-level ciphertext generation is 8 ,rk2 )
(up)
built on top of Waters IBE [46]. iv) Output an updated ciphertext C2 = (c2 , c3 ,
a) Choose φ ∈R {0, 1}k , set t = H2 (m, φ), compute c4 , c5 , c6 , c10 ). Note that although the number
c1 = (m||φ) ⊕ H3 (e(g1 , g2 )t ), c2 = g t , c3 = F (IDi )t , of elements in the updated ciphertext is less
c4 = H4 (c1 , c2 , c3 )t . than that of the original ciphertext, the actual
b) Send the first-level ciphertext C1 = (c1 , c2 , c3 , c4 ) size of the updated ciphertext is larger than
to the cloud server. that of the original one. This can be seen in
our efficiency analysis in Table 4.
4) Second-Level ciphertext Phase: after receiving the
first-level ciphertext of a data from the data sender, 7) Data Recovery Phase. A data receiver uses a de-
the cloud server generates the second-level cipher- cryption key and a device to recover the data as
text. Knowing public parameters param, a first level follows.
encryption for the user, and the information (IDi , a) If the ciphertext has not been updated, run as
tpki ) stored in List, the cloud server encrypts C1 = • Parse C2 as (c2 , c3 , c4 , c5 , c6 , c7 , c8 , c9 ), skIDi
(c1 , c2 , c3 , c4 ) to a second-level ciphertext as follows. as (skIDi ,1 , skIDi ,2 ) and tski as (tski,1 , tski,2 ).
 8

• Security device computation phase: the device The two-factor protection is necessary for high
intakes a component of the ciphertext c7 , and valuable sensitive data, such as personal genome
1
tsk +tsk 1 ·H (tpk ) information and company commercial secret. A user
outputs the result θ = c7 i,1 i,2 i
.
may not always gain access to his PC. Suppose a
• Secret key decryption phase: given the partial
patient has to check his encrypted medical record
decryption result θ, the user uses his/her secret
stored in a cloud storage system in a publicly used
key to recover the message as follows. Compute
computer. He may download his secret key as well
e(g, g)r = e(g, θ) and c1 = c5 ⊕ c6 ⊕ H3 (e(g, g)r ).
e(c ,skIDi ,1 ) as an encrypted record to the local computer, and
Further compute e(g1 , g2 )t = e(c32 ,skID ) , and
i ,2 next plug in a security device to unlock the record
t
m||φ = c1 ⊕ H3 (e(g1 , g2 ) ). with the secret key. This message recovery is almost
• If c2 = g H2 (m,φ) , c3 = F (IDi )H2 (m,φ) , identical to the login operation of on-line banking
c4 = H4 (c1 , c2 , c3 )H2 (m,φ) , c7 = (tpki,1 · where user needs to use a login password along
H (tpki ) H2 (β1 ,β2 )
tpki,21 ) , c8 = hH2 (β1 ,β2 ) , and c9 = with a security token (sometimes with a smart-
H2 (β1 ,β2 )
H5 (c5 , c6 , c7 , c8 ) , output m; otherwise, phone). Compared to a smart-phone, a USB token
output ⊥. is portable. After reading the record, the patient
b) If the ciphertext has been updated, run as can just plug out the device and leave. Since the
(up) decryption depends on both the secret key and
• Parse C2 as (c2 , c3 , c4 , c5 , c6 , c10 ), skIDi as
(skIDi ,1 , skIDi ,2 ) and tski as (tski,1 , tski,2 ). the device, even the computer is corrupted by an
• Security device computation phase: the device intruder, the intruder still cannot access the record.
intakes a component of the ciphertext c10 , and We note that to date some information, such as
tsk +tsk
1
·H (tpk ) visit history, download history, may be easily leaked
outputs θ̂ = c10 i,1 i,2 1 i
= e(g, g)r . from browser, the usage of security device combin-
• Secret key decryption phase: given the partial ing with a secret key can double protect the secrecy
decryption result θ̂, the user recovers m as in of information to a large extent.
the above secret key decryption phase, com-
puting c1 = c5 ⊕ c6 ⊕ H3 (e(g, g)r ), e(g1 , g2 )t =
e(c2 ,skIDi ,1 ) t
e(c3 ,skID ,2 ) , and m||φ = c1 ⊕ H3 (e(g1 , g2 ) ).
i
5 S YSTEM E VALUATION
4.3 Discussions
• Multiple revocability for device. Our construction 5.1 Security Analysis
supports one-time device revocability that may
We separate two security levels for our scheme: one is
be not sufficient enough in practice. We here
allowing an adversary to achieve the secret key of user
show that the system can be extended to support
but not the corresponding secure device, and the other
multiple revocability by leveraging the technique
is the reversed case.
introduced in [9]. We revise the rktpki →tpk as
For Type-I Security. Here we allow an adversary to
g
i
tsk
f i,1 +tsk
f i,2 H1 (tpk
g )
tski,1 +tski,2 H1 (tpki ) , and the ciphertext update com-
i
obtain the secret key of a user but not the corresponding
rktpk →tpk security device. We analyze the security of our scheme
ponent c10 as c7 i i
. The updated ciphertex is
g

identical to the original one except for c10 taking under the model of Type-I.
place of c7 . We note that c7 is not an input for H5 Practical Analysis: An adversary A now is given the
here. It is not difficult to see that a user can recover secret key skIDi of user IDi . We show that A can-
the underlying message by using a updated security not recover the underlying message by only leveraging
device corresponding to tpk f . knowledge of skIDi as follows.
i
• Revocability for identity factor. It is possible to Suppose there is a ciphertext C2 = (c2 , c3 , c4 , c5 , c6 ,
extend our construction to support identity revo- c7 , c8 , c9 ) for a user IDi , which is stored in the cloud
cability as well by leveraging the IBPRE technology server, where c2 = g t , c3 = F (IDi )t , c4 = H4 (c1 , c2 , c3 )t ,
in [20]. We will leave this as a future work. c5 = (m||φ) ⊕ H3 (e(g1 , g2 )t ) ⊕ (β1 ||β2 ), c6 = (β1 ||β2 ) ⊕
H (tpki ) r
• Feasibility. Our system requires an SDI to issue a H3 (e(g, g)r ), c7 = (tpki,1 · tpki,21 ) , c8 = hr , and c9 =
r
security device to a user in the registration phase. H5 (c5 , c6 , c7 , c8 ) , t = H2 (m, φ), r = H2 (β1 , β2 ). A can
It is much like the case where a bank client is compute
issued a e-banking token when opening a bank
account. The device can be directly delivered to the e(c2 , skIDi ,1 )
H3 ( ) ⊕ c5
user by mail or in person. In practice, the security e(c3 , skIDi ,2 )
device can be constructed from a USB token that is e(g t , g2α F (IDi )s )
extremely portable for users. Meanwhile, the user = H3 ( ) ⊕ c5
e(F (IDi )t , g s )
also achieves a secret key given by a PKG. The secret
= H3 (e(g1 , g2 )t ) ⊕ H3 (e(g1 , g2 )t ) ⊕ (m||φ) ⊕ (β1 ||β2 )
key can be stored in the user’s PC or clouds based
on the preference of the user. = (m||φ) ⊕ (β1 ||β2 ). (2)
 9

H3 (e(g, c7
tski,1 +tski,2 ·H2 (tpki )
)) g zi,1 and tpki,2 = g zi,2 . B then adds (IDi , tpki ,
H (tpki )
r tski , coini = 1, zi,1 , zi,2 ) to DeviceList, and
= H3 (e(g, (tpki,1 tpki,21 ) tski,1 +tski,2 H1 (tpki ) )) returns (tski , tpki ) to A.
= H3 (e(g, g)r ). (3) 2) Secret Key Queries. A issues an IDi to B for query-
From E.q. (3), it can be seen that A can retrieve ing the secret key of IDi . B then checks whether
H3 (e(g, g)r ) (without given the security device) as long there exists a tuple (IDi , skIDi ) in SecretKeyList or
as it can correctly guess the secret components tski,1 and not. If yes, B returns skIDi ; else, B generates skIDi
tski,2 simultaneously with probability q12 . Alternatively, as in the real scheme with knowledge of α and next
if A is able to correctly guess the output of H3 with adds (IDi , skIDi ) to SecretKeyList.
probability 212k , then it can recover β1 ||β2 so as to gain 3) Ciphertext Update Queries. A issues a tuple (C2 ,
(up)
access to the message m. tpki ) to B for querying an update ciphertext C2
Theoretical Analysis: If an adversary A recovers the under (IDi , tpk f ). B first checks whether there are
i
message by a given secret key, we can build an algorithm tuples (m, φ, t), (β1 , β2 , r) in the list ListH2 so that
H (tpki ) r
B breaking the 1-wDBDHI assumption. c2 = g t , c4 = H4 (c1 , c2 , c3 )t , c7 = (tpki,1 ·tpki,21 ) ,
Setup Phase. B is given an instance of the 1-wDBDHI r r
c8 = h and c9 = H5 (c5 , c6 , c7 , c8 ) . If no, output ⊥;
problem, i.e. (g, A = g a , B = g b , T ), where T either is else proceed. B further recovers (IDi , tpki , ∗, coini ,
b
random or is equal to e(g, g) a . B chooses a F (.) as in zi,1 , zi,2 ) from the list DeviceList.
the real scheme, chooses α, ω ∈R Z∗q , sets y = A = g a , • If coini = 1, B uses zi,1 and zi,2 to construct the
and returns param = (k, q, g, g1 = g α , g2 = y, h = y ω , information rktpki →tpk g as in the real scheme.
e(g, g), e(g1 , g2 ), H1 , H2 , H3 , H4 , H5 , F (.)) to A. H1 , H2 , i
B then computes C10 by using rktpki →tpk g , and
H3 , H4 and H5 are chosen as in the real scheme, and (up)
i

meanwhile, they are random oracles controlled by B. outputs C2 as in the real scheme.
• H1 : On receipt of a tpki , if there exists a tuple (tpki , • If coini = 0, and tpk
f is given to A, B outputs
i

ϕ1 ) in the list ListH1 , B returns ϕ1 to A. Otherwise, ⊥. Otherwise, B computes c10 = e(g r , tpk
f
i,1 ·
H (tpk
g )
B chooses a ϕ1 ∈R Z∗q , returns it to A, and adds f 1
tpk
i
), and next outputs (c2 , c3 , c4 , c5 , c6 ,
i,2
(tpki , ϕ1 ) to the list ListH1 . c10 ) as the updated ciphertext.
• H2 : On receipt of a tuple (m, φ), if there exists a
4) Data Recovery Queries. A issues a ciphertext to B.
tuple (m, φ, ϕ2 ) in the list ListH2 , B returns ϕ2 to
B recovers the message as follows.
A. Otherwise, B chooses a ϕ2 ∈R Z∗q , returns it to
A, and adds (m, φ, ϕ2 ) to the list ListH2 . • For ciphertext C2 , B first checks whether there
• H3 : On receipt of a R ∈ GT , if there exists a tuple are tuples (m, φ, t), (β1 , β2 , r) in the list ListH2
(R, ξ) in the list ListH3 , B returns ξ to A. Otherwise, so that c2 = g t , c4 = H4 (c1 , c2 , c3 )t , c7 = (tpki,1 ·
H (tpki ) r
B chooses a ξ ∈R {0, 1}2k , returns it to A, and adds tpki,21 ) , c8 = hr and c9 = H5 (c5 , c6 , c7 , c8 )r .
(R, ξ) to the list ListH3 . If no, B outputs ⊥. Otherwise, B recovers tuples
• H4 : On receipt of a tuple (c1 , c2 , c3 ), if there exists a (R1 = e(g1 , g2 )t , ξ1 ) and (R2 = e(g, g)r , ξ2 ) from
tuple (c1 , c2 , c3 , ϕ3 ) in the list ListH4 , B returns g ϕ3 the list ListH3 , and computes m||φ = (c5 ⊕ (c6 ⊕
to A. Otherwise, B chooses a ϕ3 ∈R Z∗q , returns g ϕ3 ξ2 )) ⊕ ξ1 .
(up)
to A. B then adds (c1 , c2 , c3 , ϕ3 ) to the list ListH4 . • For ciphertext C2 , B first checks whether
• H5 : On receipt of a tuple (c5 , c6 , c7 , c8 ), if there there are tuples (m, φ, t), (β1 , β2 , r) in the list
exists a tuple (c5 , c6 , c7 , c8 , ϕ4 ) in the list ListH4 , B ListH2 so that c2 = g t , c4 = H4 (c1 , c2 , c3 )t and
H (tpki )
returns g ϕ4 (resp. g aϕ4 ) to A. Otherwise, if c5 = c∗5 , c10 = e(g r , tpki,1 · tpki,21 ). If no, B outputs
c6 = c∗6 , c7 = c∗7 , and c8 = c∗8 , B chooses a ϕ4 ∈R Z∗q , ⊥. Otherwise, B recovers tuples (R1 = e(g1 , g2 )t ,
and sets g aϕ4 for A; else it returns g ϕ4 to A. B then ξ1 ) and (R2 = e(g, g)r , ξ2 ) from the list ListH3 ,
adds (c5 , c6 , c7 , c8 , ϕ4 ) to the list ListH5 . and computes m||φ = (c5 ⊕ (c6 ⊕ ξ2 )) ⊕ ξ1 .
Phase 1. A issues the following queries to B. Challenge Phase. A outputs m0 , m1 and (IDi∗ , tpki∗ ).
1) Security Device Queries. A issues an IDi to B B searches tpki∗ from the list DeviceList. If coin∗i = 1, B
for querying its corresponding security device. B aborts and outputs a b ∈ {0, 1}. Else, B proceeds.
chooses coini ∈ {0, 1} so that P r[coini = 1] = ϑ • For original ciphertext, B chooses β1∗ , β2∗ , φ∗ ∈R
(ϑ will be determined later) and works as follows. {0, 1}k , b ∈R {0, 1}, and t ∈R Z∗q . It issues e(g1 , g2 )t
• If coini = 0, B aborts and outputs a random to H3 to obtain ξ ∗ and sets c∗1 = (mb ||φ∗ ) ⊕ ξ ∗ ,
bit b ∈ {0, 1}. B will add a tuple (IDi , tpki , ⊥, c∗2 = g t , c∗3 = F (IDi∗ )t . It then issues c∗1 , c∗2 , c∗3 to H4
∗
coini = 0, zi,1 , zi,2 ) to DeviceList, where tpki,1 = to obtain ϕ∗3 , and sets c∗4 = g tϕ3 . B further recovers
y zi,1 , tpki,2 = y zi,2 and zi,1 , zi,2 ∈R Z∗q . zi,1 , zi,2 from DeviceList, issues tpki∗ to H1 to obtain
∗ ∗

• Otherwise, if there exists a tuple (IDi , tpki , tski , ϕ∗1 , and sets
∗
c∗ ∗5 = c∗1 ⊕(β1∗ ||β2∗ ), c∗6 = (β1∗ ||β2∗ )⊕H3 (T ),
∗ zi,1 +zi,2 ϕ∗
1 and c∗ = B ω . It finally issues (c∗ ,
coini = 1, zi,1 , zi,2 ) in the list DeviceList, B c7 = B 8 5
∗
returns tski along with tpki to A; else, B chooses c6 , c7 , c8 ) to H5 to obtain ϕ∗4 , and sets c∗9 = B ϕ4 . B
∗ ∗ ∗

zi,1 , zi,2 ∈R Z∗q , sets tski = (zi,1 , zi,2 ), tpki,1 = outputs C2∗ = (c∗2 , c∗3 , c∗4 , c∗5 , c∗6 , c∗7 , c∗8 , c∗9 ).
 10

∗(up)
• For updated ciphertext, B sets C2 = (c∗2 , c∗3 , c∗4 , The running time of B is bounded by
∗
c5 , c6 , c10 ) as c2 = g , c3 = F (IDi ) , c∗4 = g tϕ3 ,
∗ ∗ ∗ ∗ t ∗ ∗ t

c∗5 = c∗1∗⊕ (β∗ 1∗ ||β ∗ ∗ ∗ ∗ ∗ t0 ≤ t + O(1)(qH1 + qH2 + qH3 + qH4 + qH5 + qsd
2 ), c6 = (β1 ||β2 ) ⊕ H3 (T ) and c10 =
zi,1 +zi,2 ϕ∗ + qsk + qcu + qdr ) + te (2qsd + 3qsk
e(g, B 1 ).
We imply H2 (β1∗ , β2∗ ) = ab . If b = b0 , B guesses T = + qH2 (5qcu + 5qdr ) + 5qcu + qdr ) + 2tp qcu ,
b
e(g, g) a ; else, T is a random element in GT .
Phase 2. As in Phase 1 (but with restrictions). where qHi (i ∈ {1, 2, 3, 4, 5}) denotes the total number of
Guess Phase. A outputs a guess bit b0 ∈ {0, 1}. random oracle Hi queries, and qsk denote the total num-
Probabilistic Analysis. The simulations of Hi (i ∈ ber of secret key queries, te and tp denote the running
{1, 4, 5}) are perfect. If A does not either issue (β1∗ , β2∗ ) time of an exponentiation and a pairing, respectively.
to H2 or issue T to H3 before the challenge phase, the For Type-II Security. We allow an adversary to obtain
simulations of H2 and H3 are perfect. We denote by the security device but not the corresponding secret key.
AskH2∗ and AskH3∗ the evens that (β1∗ , β2∗ ) has been We analyze the security under the model of Type-II.
issued to H2 , and T has been issued to H3 , respectively. Practical Analysis: An adversary A is given the security
The responses to the security device queries, secret key device only. We show that it cannot recover the message
queries, and the challenge phase are perfect as long as B by using the device. Complementary to the case of Type-
does not abort. We let Abort be the event of B aborting I adversary, Type-II A can only compute
in the responses to the security device queries or in the 1
tski,1 +tski,2 ·H1 (tpki )
challenge phase. Thus, we have P r[¬Abort] ≥ ϑqsd (1−ϑ), H3 (e(g, c7 ))
qsd
which is maximized at ϑopt = 1+q , where qsd is the r
H (tpki ) tski,1 +tski,2 H1 (tpki )
sd = H3 (e(g, (tpki,1 · tpki,21 ) ))
total number of security device queries. By using ϑopt ,
we have the probability P r[¬Abort] is at least ê(1+q 1
, = H3 (e(g, g)r ). (4)
sd )
where ê denotes the base of the natural logarithm.
The simulation of ciphertext update queries is perfect Thus, c5 ⊕ (c6 ⊕ H3 (e(g, g)r )) = (m||φ) ⊕ H3 (e(g1 , g2 )t ).
as well unless A is able to issue a valid original cipher- e(c2 , skIDi ,1 ) e(g t , g2α F (IDi )s )
text without the help of H2 . We state that this incident H3 ( ) = H3 ( )
e(c3 , skIDi ,2 ) e(F (IDi )t , g s )
will occur with probability P r[CU Error] ≤ qcu q , where = H3 (e(g1 , g2 )t ). (5)
qcu is the total number of ciphertext update queries.
The simulation of data recovery queries is perfect From the above equations, it can be seen that A can
except that B rejects the queries of some valid cipher- recover m, if it can make a correct guess on either the
texts. This kind of exception happens when an issued output of H3 or the secret key exponents α and r with
ciphertext can be constructed without querying H3 . We respective probability 212k and q12 .
set valid, AskH2 , AskH3 to be the events that a given Theoretical Analysis: If an adversary A can recover the
ciphertext is valid, (β1 , β2 ) has been issued to H2 , message by a given security device, we can build an
and e(g, g)r has been issued to H3 , respectively. From algorithm B to break the BDH assumption.
q
the simulation, we have P r[valid|¬AskH3 ] ≤ 2Hl3 + 1q ,
qH2 Setup Phase. B is given an instance of the BDH
and P r[valid|¬AskH2 ] ≤ 2l + 1q , where qH2 and qH3 problem, i.e. (g, A = g a , B = g b , C = g c , T ), where T
are the total numbers of querying H2 and H3 , respec- either is random or is equal to e(g, g)abc . In this proof, we
tively. We let P r[DRErr] be the probability that the mainly leverages Waters proof technique [46], and
event valid|(¬AskH2 ∨ ¬AskH3 ) occurs, then we have 0
P reuses
q +q the three functions, F (ID) = (q − 4q sk k̄) + x P j∈V xj ,
+
P r[DRErr] ≤ ( H2 2l H3 + 2q )qdr , where qdr denotes the J(ID) = y 0 + j∈V yj and K(ID) (0, if x0 + j∈V xj =
P
total number of data recovery queries. 0 mod 4qsk ; 1, otherwise) proposed in [46], where qsk is
Let Bad denote the event that (H2∗ |¬H3∗ ) ∨ H3∗ ∨ the number of secret key queries, an integer k̄ ∈R [0, n],
CU Err ∨ DRErr|¬Abort. We have →
−x = (xj ) and → −y = (yj ) are two random n-length vectors,
0
0 1 1
 = |P r[b = b ] − | ≤ P r[Bad] x is chosen from [0, 4qsk −1] and y 0 ∈R Z∗q . B sets g1 = A,
0
2 2 0 x
1 g2 = B, h = g , u0 = g2p−k̄4qsk +x g y and uj = g2 j g yj ,
ω
∗ ∗ ∗
= P r[(H2 |¬H3 ) ∨ H3 ∨ CU Err ∨ DRErr|¬Abort] ∗
where ω ∈R Zq . B finally outputs param = (k, q, g, g1 ,
2
1 qH + (qH2 + qH3 )qdr 2qdr + qcu g2 , h, e(g, g), e(g1 , g2 ), H1 , H2 , H3 , H4 , H5 , F (.)), where
≤ (AskH3∗ + 2 l
+ ). H , H , H , H and H are chosen as in the real scheme.
2P r[¬Abort] 2 q 1 2 3 4 5

After organizing the inequality above, we have • H1 : On receipt of a tpki , if there exists a tuple (tpki ,
qH2 + (qH2 + qH3 )qdr 2qdr + qcu ϕ1 ) in the list ListH1 , B returns ϕ1 to A. Otherwise,
AskH3∗ ≥ 2P r[¬Abort] − − B chooses a ϕ1 ∈R Z∗q , returns it to A, and adds
2l q
2 qH2 + (qH2 + qH3 )qdr 2qdr + qcu (tpki , ϕ1 ) to the list ListH1 .
≥ − − . • H2 : On receipt of a tuple (m, φ), if there exists a
ê(1 + qsd ) 2l q
tuple (m, φ, ϕ2 ) in the list ListH2 , B returns ϕ2 to
Therefore, we have 0 ≥ 1
(AskH3∗ ) ≥ 1 2
( ê(1+q −
qH3 qH3 sd ) A. Otherwise, B chooses a ϕ2 ∈R Z∗q , returns it to
qH2 +(qH2 +qH3 )qdr 2qdr +qcu
2l
− q ). A, and adds (m, φ, ϕ2 ) to the list ListH2 .
 11

∗(up)
• H3 : On receipt of a R ∈ GT , if there exists a tuple • For updated ciphertext, B sets C2 = (c∗2 , c∗3 , c∗4 ,
∗ ∗ ∗ ∗ ∗ J(IDi∗ )
(R, ξ) in the list ListH3 , B returns ξ to A. Otherwise, c5 , c6 , c10 ) as c2 = C, c3 = C , c∗4 = C ϕ3 ,
B chooses a ξ ∈R {0, 1}2k , returns it to A, and adds c5 = (mb ||φ ) ⊕ H3 (T ) ⊕ (β1 ||β2 ), c6 = (β∗1∗ ||β2∗ ) ⊕
∗ ∗ ∗ ∗ ∗
∗H (tpki )
(R, ξ) to the list ListH3 . H3 (e(g, g)r ) and c∗10 = e(g r , tpki,1
∗
tpki,2 1 ).
• H4 : On receipt of a tuple (c1 , c2 , c3 ), if there exists The above ciphertexts imply H2 (mb , φ∗ ) = c. If b =
a tuple (c1 , c2 , c3 , ϕ3 ) in the list ListH4 , B returns b0 , B guesses T = e(g, g)abc ; else, T is a random
g ϕ3 to A. Otherwise, B chooses a ϕ3 ∈R Z∗q and element in GT .
returns g ϕ3 to A. B then adds (c1 , c2 , c3 , ϕ3 ) to the Phase 2. Same as Phase 1 (but with restrictions).
list ListH4 . Guess Phase. A outputs a guess bit b0 ∈ {0, 1}.
• H5 : On receipt of a tuple (c5 , c6 , c7 , c8 ), if there Probabilistic Analysis: We analyze the probability by us-
exists a tuple (c5 , c6 , c7 , c8 , ϕ4 ) in the list ListH4 , B ing the same method presented in the security analysis of
returns g ϕ4 . Otherwise, B chooses a ϕ4 ∈R Z∗q , and Type-I adversary. Combining the non-abort probability
returns g ϕ4 to A. B then adds (c5 , c6 , c7 , c8 , ϕ4 ) to in [46], we have 0 ≥ qH1 (AskH3∗ ) ≥ qH1 ( 8(n+1)q 2
−
the list ListH5 . qH2 +(qH2 +qH3 )qdr
3 3 sk

2l
− 2qdrq+qcu ).
Phase 2. A issues the following queries to B.
The running time of B is bounded by
1) Security Device Queries. A issues an IDi to B. B
generates any security device as in the real scheme. t0 ≤ t + O(1)(qH1 + qH2 + qH3 + qH4 + qH5 + qsd
2) Secret Key Queries. A issues an IDi to B. If + qsk + qcu + qdr ) + te (2qsd + 4qsk
K(ID) = 0, B aborts. Else, B chooses an s ∈R + qH2 (5qcu + 5qdr ) + 5qcu + qdr ) + 2tp qcu .
−J(ID)

Z∗q , and constructs skIDi as (g1F (ID) (u0 j∈V uj )s ,

Q
−1

g1F (ID) g s ). 5.2 Efficiency Analysis

3) Ciphertext Update Queries. A issues a tuple (C2 , We analyze the efficiency of our mechanism as well as
(up)
tpki ) to B for querying an update ciphertext C2 its comparison with [2] (the most efficient two-secret
under (IDi , tpkj ). B first checks whether there are protection system but no revocability) and [20] (the most
tuples (m, φ, t), (β1 , β2 , r) in the list ListH2 so that efficient single secret system with revocability) in terms
H (tpki ) r
c2 = g t , c4 = H4 (c1 , c2 , c3 )t , c7 = (tpki,1 ·tpki,21 ) , of computational and communicational cost. We state
r r
c8 = h and c9 = H5 (c5 , c6 , c7 , c8 ) . If no, output ⊥; that both [2] and [20] only achieve partial design goal of
else proceed. B can generate any update ciphertext our system. The purpose of the comparison is to show
for A as it can generate any security device. that our system achieves more functionalities but not
4) Data Recovery Queries. requiring a great increase of complexity. In other words,
• For ciphertext C2 , B first checks whether there we would like to show our system is practical for real-
are tuples (m, φ, t), (β1 , β2 , r) in the list ListH2 world implementation.
so that c2 = g t , c4 = H4 (c1 , c2 , c3 )t , c7 = (tpki,1 · Before the efficiency analysis, we define the notations
H (tpki ) r we used in tables. We let |G| and |GT | denote the bit-
tpki,21 ) , c8 = hr and c9 = H5 (c5 , c6 , c7 , c8 )r .
If no, B outputs ⊥. Otherwise, B recovers tuples length of an element in groups G and GT , l denote
(R1 = e(g1 , g2 )t , ξ1 ) and (R2 = e(g, g)r , ξ2 ) from the bit-length of security parameter, |Zq | denote the bit-
the list ListH3 , and computes m||φ = (c5 ⊕ (c6 ⊕ length of an element in Zq , Cp , Cē , Ce denote the compu-
ξ2 )) ⊕ ξ1 . tation cost of a bilinear pairing, an exponentiation in GT ,
(up)
• For ciphertext C2 , B first checks whether and an exponentiation in G, respectively. We suppose the
there are tuples (m, φ, t), (β1 , β2 , r) in the list three schemes share the same security parameter. Note
ListH2 so that c2 = g t , c4 = H4 (c1 , c2 , c3 )t and by ⊥ we mean non-applicable.
H (tpki )
c10 = e(g r , tpki,1 · tpki,21 ). If no, B outputs Theoretical Comparison. We present the theoretical com-
⊥. Otherwise, B recovers tuples (R1 = e(g1 , g2 )t , parison in Table 2 and Table 3 for computation and
ξ1 ) and (R2 = e(g, g)r , ξ2 ) from the list ListH3 , communication complexity, respectively. From Table 2,
and computes m||φ = (c5 ⊕ (c6 ⊕ ξ2 )) ⊕ ξ1 . it can be seen that our system requires additional com-
putation cost in security device generation and update,
ChallengePPhase. A outputs m0 , m1 and (IDi∗ , tpki∗ )
whereas others do not need any cost. This is because
to B. If x0 + j∈V xj 6= 4k̄qsk , B aborts. Else, B proceeds.
ours supports security device revocability. In ciphertext
• For original ciphertext, B chooses β1∗ , β2∗ , φ∗ ∈R generation, our system does not require any pairings
{0, 1}k and b ∈R {0, 1}. It sets c∗1 = (mb ||φ∗ )⊕H3 (T ), operation, and it is worth of mentioning that the 2nd
∗
c∗2 = C, c∗3 = C J(IDi ) , c∗4 = C ϕ3 . B further is- level ciphertext generation cost can be offloaded to a
sues (β1∗ , β2∗ ) to H2 to obtain r (i.e. ϕ2 ), and sets cloud server. Compared to [20] for other metrics, our
c∗5 = c∗1 ⊕ (β1∗ ||β2∗ ), c∗∗6 = (β1∗ ||β2∗ ) ⊕ H3 (e(g, g)r ), system only requires slight extra cost; while we just need
∗H (tpki ) r
c∗7 = (tpki,1 ∗
tpki,2 1 ) and c∗8 = g ωr . It finally an additional pairing in ciphertext update. A similar
issues (c5 , c6 , c7 , c8 ) to H5 to obtain ϕ∗4 , and sets
∗ ∗ ∗ ∗
phenomenon does exist in Table 3 in the sense that
∗
c∗9 = g ϕ4 . B outputs C2∗ = (c∗2 , c∗3 , c∗4 , c∗5 , c∗6 , c∗7 , c∗8 , c∗9 ). our system needs extra communication cost in delivery
 12

TABLE 2: Computation Comparison I

Schemes [2] [20] Ours

Secret Key Generation 2Ce Ce 2Ce
Security Device Generation ⊥ ⊥ 2Ce
Ciphertext Generation Ce + Cē + 3Cp 4Ce + Cp 1st-level Ciph.: 3Ce + Cē
2nd-level Ciph.: 4Ce + Cē
Ciphertext Update ⊥ 2Ce + 5Cp 5Ce + 6Cp
Device Update ⊥ ⊥ 2Ce
Data Recovery (From Original Ciph.) Ce + Cp 4Ce + 2Cp 8Ce + 2Cp
Data Recovery (From Updated Ciph.) ⊥ Ce + 2Cp 7Ce + Cē + 2Cp

TABLE 3: Communication Comparison I

Schemes [2] [20] Ours

Secret Key Size |G| |G| 2|G|
Security Device Size ⊥ ⊥ 2|G| + 2|Zq |
Original Ciphertext Size |G| + 2l 2|G| + |GT | + l 6|G| + 4l
Updated Ciphertext Size ⊥ |G| + |GT | + 2l 3|G| + |GT | + 4l
Cost in Ciphertext Update ⊥ |G| + l 2|G|

of security device. Except for this, our communication receiver is required to use both his/her secret key and a
complexity is very closed to that of others. security device to gain access to the data. Our solution
Practical Comparison. For real-time complexity test, we not only enhances the confidentiality of the data, but
set the testbed to be: Pentium (R) G640 CPU, 3.33 also offers the revocability of the device so that once the
GB RAM, 500 G/5400 rpm hard disk, C programming device is revoked, the corresponding ciphertext will be
language, and Ubuntu 10.10 OS; pairing type is a with updated automatically by the cloud server without any
160-bit group order (using a supersingular curve Y 2 = notice of the data owner. Furthermore, we presented the
X 3 +X). In the experiment, to achieve the corresponding security proof and efficiency analysis for our system.
security level, we set l to be 160 bits, |Zq | = 160 bits,
|G| = 160 bits and |GT | = 1024 bits, respectively. ACKNOWLEDGEMENT
We show the running time comparison and practical Joseph K. Liu is supported by National Natural Sci-
communication comparison in Table 4 and Table 5, re- ence Foundation of China (61472083). Kaitai Liang is
spectively. The experimental results are somehow similar supported by Privacy-Aware Retrieval and Modelling of
to the theoretical ones. Our system needs extra running Genomic Data, Academy of Finland (13283250). Willy
time in device generation and update. In practice, if we Susilo is partially supported by the Australian Re-
make security device as a USB disk and deliver it to a search Council Discovery Project ARC DP130101383.
registered user by mail/in person, there is no need for Yang Xiang is supported by the Australian Research
paying the price for communication cost in the metrics of Council Discovery Projects DP150103732, DP140103649,
“Security Device Size” and “Cost in Ciphertext Update”. LP140100816 and LP120200266. This work is also sup-
From Table 4, we see that our running time is nearly ported by National Natural Science Foundation of China
the same as that of [20], and meanwhile, our system (61472083, 61402110, U1405255).
outperforms [20] and [2] in encryption. In the commu-
nication cost, our scheme suffers from the largest price R EFERENCES
in “Updated Ciphertext Size” due to a reason that the [1] A. Akavia, S. Goldwasser, and V. Vaikuntanathan. Simultaneous
scheme outputs a pairing in the update phase. However, hardcore bits and cryptography against memory attacks. In TCC,
we state that the price is only an approximately 50% volume 5444 of Lecture Notes in Computer Science, pages 474–495.
Springer, 2009.
increase from that of [20] in the same metric, which is [2] S. S. Al-Riyami and K. G. Paterson. Certificateless public key
an acceptable increment. cryptography. In ASIACRYPT, volume 2894 of Lecture Notes in
In summary, through the comparison, we can see that Computer Science, pages 452–473. Springer, 2003.
[3] M. H. Au, J. K. Liu, W. Susilo, and T. H. Yuen. Certificate based
our scheme achieves two factors protection and security (linkable) ring signature. In ISPEC, volume 4464 of Lecture Notes
device revocability without requiring a great amount of in Computer Science, pages 79–92. Springer, 2007.
additional complexity. [4] M. H. Au, Y. Mu, J. Chen, D. S. Wong, J. K. Liu, and G. Yang.
Malicious kgc attacks in certificateless cryptography. In ASIACCS,
pages 302–311. ACM, 2007.
6 C ONCLUSIONS [5] M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and
atomic proxy cryptography. In K. Nyberg, editor, EUROCRYPT,
In this paper, we introduced a novel two-factor data se- volume 1403 of LNCS, pages 127–144. Springer, 1998.
curity protection mechanism for cloud storage system, in [6] A. Boldyreva, V. Goyal, and V. Kumar. Identity-based encryption
with efficient revocation. In P. Ning, P. F. Syverson, and S. Jha,
which a data sender is allowed to encrypt the data with editors, ACM Conference on Computer and Communications Security,
knowledge of the identity of a receiver only, while the pages 417–426. ACM, 2008.
 13

TABLE 4: Computation Comparison (running time in second) II

Schemes [2] [20] Ours

Secret Key Generation 0.007311 0.003123 0.007311
Security Device Generation ⊥ ⊥ 0.006164
Ciphertext Generation 0.049203 0.027515 1st-level Ciph.: 0.010380
2nd-level Ciph.: 0.026214
Ciphertext Update ⊥ 0.055677 0.065312
Device Update ⊥ ⊥ 0.006606
Data Recovery (From Original Ciph.) 0.018146 0.036948 0.049095
Data Recovery (From Updated Ciph.) ⊥ 0.021569 0.032797

TABLE 5: Communication Comparison (length of size in bit) II

Schemes [2] [20] Ours

Secret Key Size 160 160 320
Security Device Size ⊥ ⊥ 640
Original Ciphertext Size 480 1504 1600
Updated Ciphertext Size ⊥ 1504 2144
Cost in Ciphertext Update ⊥ 320 320

[7] D. Boneh, X. Ding, and G. Tsudik. Fine-grained control of security public key encryption secure against malicious kgc attacks in the
capabilities. ACM Trans. Internet Techn., 4(1):60–82, 2004. standard model. J. UCS, 14(3):463–480, 2008.
[8] D. Boneh and M. Franklin. Identity-based encryption from the [24] K. Liang, Z. Liu, X. Tan, D. S. Wong, and C. Tang. A cca-secure
weil pairing. In CRYPTO ’01, volume 2139 of LNCS, pages 213– identity-based conditional proxy re-encryption without random
229. Springer, 2001. oracles. In T. Kwon, M.-K. Lee, and D. Kwon, editors, ICISC,
[9] R. Canetti and S. Hohenberger. Chosen-ciphertext secure proxy volume 7839 of LNCS, pages 231–246. Springer, 2012.
re-encryption. In P. Ning, S. D. C. di Vimercati, and P. F. Syverson, [25] B. Libert, J.-J. Quisquater, and M. Yung. Parallel key-insulated
editors, ACM Conference on Computer and Communications Security, public key encryption without random oracles. In Public Key
pages 185–194. ACM, 2007. Cryptography, volume 4450 of Lecture Notes in Computer Science,
[10] H. C. H. Chen, Y. Hu, P. P. C. Lee, and Y. Tang. Nccloud: A pages 298–314. Springer, 2007.
network-coding-based storage system in a cloud-of-clouds. IEEE [26] B. Libert and D. Vergnaud. Adaptive-id secure revocable identity-
Trans. Computers, 63(1):31–44, 2014. based encryption. In M. Fischlin, editor, CT-RSA, volume 5473 of
[11] S. S. M. Chow, C. Boyd, and J. M. G. Nieto. Security-mediated Lecture Notes in Computer Science, pages 1–15. Springer, 2009.
certificateless cryptography. In Public Key Cryptography, volume [27] B. Libert and D. Vergnaud. Unidirectional chosen-ciphertext se-
3958 of Lecture Notes in Computer Science, pages 508–524. Springer, cure proxy re-encryption. IEEE Transactions on Information Theory,
2006. 57(3):1786–1802, 2011.
[12] C.-K. Chu, S. S. M. Chow, W.-G. Tzeng, J. Zhou, and R. H. Deng. [28] J. K. Liu, M. H. Au, and W. Susilo. Self-generated-certificate
Key-aggregate cryptosystem for scalable data sharing in cloud public key cryptography and certificateless signature/encryption
storage. IEEE Trans. Parallel Distrib. Syst., 25(2):468–477, 2014. scheme in the standard model: extended abstract. In ASIACCS,
[13] C.-K. Chu and W.-G. Tzeng. Identity-based proxy re-encryption pages 273–283. ACM, 2007.
without random oracles. In J. A. Garay, A. K. Lenstra, M. Mambo, [29] J. K. Liu, J. Baek, W. Susilo, and J. Zhou. Certificate-based
and R. Peralta, editors, ISC, volume 4779 of LNCS, pages 189–202. signature schemes without pairings or random oracles. In ISC,
Springer, 2007. volume 5222 of Lecture Notes in Computer Science, pages 285–297.
[14] R. Cramer and V. Shoup. Design and analysis of practical public- Springer, 2008.
key encryption schemes secure against adaptive chosen ciphertext [30] J. K. Liu, J. Baek, and J. Zhou. Certificate-based sequential
attack. SIAM J. Comput., 33(1):167–226, January 2004. aggregate signature. In WISEC, pages 21–28. ACM, 2009.
[15] Y. Dodis, Y. T. Kalai, and S. Lovett. On cryptography with [31] J. K. Liu, F. Bao, and J. Zhou. Short and efficient certificate-based
auxiliary input. In STOC, pages 621–630. ACM, 2009. signature. In Networking Workshops, volume 6827 of Lecture Notes
[16] Y. Dodis, J. Katz, S. Xu, and M. Yung. Key-insulated public key in Computer Science, pages 167–178. Springer, 2011.
cryptosystems. In EUROCRYPT, volume 2332 of Lecture Notes in [32] J. K. Liu and D. S. Wong. Solutions to key exposure problem in
Computer Science, pages 65–82. Springer, 2002. ring signature. I. J. Network Security, 6(2):170–180, 2008.
[17] Y. Dodis, J. Katz, S. Xu, and M. Yung. Strong key-insulated [33] J. K. Liu and J. Zhou. Efficient certificate-based encryption in the
signature schemes. In Public Key Cryptography, volume 2567 of standard model. In SCN, volume 5229 of Lecture Notes in Computer
Lecture Notes in Computer Science, pages 130–144. Springer, 2003. Science, pages 144–155. Springer, 2008.
[18] L. Ferretti, M. Colajanni, and M. Marchetti. Distributed, concur- [34] S. Luo, Q. Shen, and Z. Chen. Fully secure unidirectional identity-
rent, and independent access to encrypted cloud databases. IEEE based proxy re-encryption. In H. Kim, editor, ICISC, volume 7259
Trans. Parallel Distrib. Syst., 25(2):437–446, 2014. of LNCS, pages 109–126. Springer, Heidelberg, 2011.
[19] C. Gentry. Certificate-based encryption and the certificate revo- [35] M. Mambo and E. Okamoto. Proxy cryptosystems: Delegation of
cation problem. In EUROCRYPT, volume 2656 of Lecture Notes in the power to decrypt ciphertexts. IEICE Transactions, E80-A(1):54–
Computer Science, pages 272–293. Springer, 2003. 63, 1997.
[20] M. Green and G. Ateniese. Identity-based proxy re-encryption. In [36] T. Matsuo. Proxy re-encryption systems for identity-based en-
ACNS ’07, volume 4512 of LNCS, pages 288–306. Springer, 2007. cryption. In Pairing ’07, volume 4575 of LNCS, pages 247–267.
[21] H. Guo, Z. Zhang, J. Zhang, and C. Chen. Towards a secure Springer, 2007.
certificateless proxy re-encryption scheme. In W. Susilo and [37] M. Naor and G. Segev. Public-key cryptosystems resilient to key
R. Reyhanitabar, editors, ProvSec, volume 8209 of Lecture Notes leakage. In CRYPTO, volume 5677 of Lecture Notes in Computer
in Computer Science, pages 330–346. Springer, 2013. Science, pages 18–35. Springer, 2009.
[22] G. Hanaoka, Y. Hanaoka, and H. Imai. Parallel key-insulated [38] A. Sahai, H. Seyalioglu, and B. Waters. Dynamic credentials and
public key encryption. In Public Key Cryptography, volume 3958 of ciphertext delegation for attribute-based encryption. In R. Safavi-
Lecture Notes in Computer Science, pages 105–122. Springer, 2006. Naini and R. Canetti, editors, CRYPTO, volume 7417 of Lecture
[23] Y. H. Hwang, J. K. Liu, and S. S. M. Chow. Certificateless Notes in Computer Science, pages 199–217. Springer, 2012.
 14

[39] J. H. Seo and K. Emura. Efficient delegation of key generation Professor Willy Susilo received the Ph.D. de-
and revocation functionalities in identity-based encryption. In gree in computer science from the University of
E. Dawson, editor, CT-RSA, volume 7779 of Lecture Notes in Wollongong, Australia. He is a Professor and the
Computer Science, pages 343–358. Springer, 2013. Head of School of Computing and Information
[40] J. Shao and Z. Cao. Multi-use unidirectional identity-based Technology at the University of Wollongong in
proxy re-encryption from hierarchical identity-based encryption. Australia. He is also the Director of Centre for
Information Sciences, 206(0):83 – 95, 2012. Computer and Information Security Research,
[41] Q. Tang, P. H. Hartel, and W. Jonker. Inter-domain identity-based University of Wollongong. He has been awarded
proxy re-encryption. In M. Yung, P. Liu, and D. Lin, editors, the prestigious ARC Future Fellow by the Aus-
Inscrypt, volume 5487 of Lecture Notes in Computer Science, pages tralian Research Council. His main research in-
332–347. Springer, 2008. terests include cloud security, cryptography and
[42] V. Varadharajan and U. K. Tupakula. Security as a service model information security. He has served as a program committee member in
for cloud environment. IEEE Transactions on Network and Service major international conferences.
Management, 11(1):60–75, 2014.
[43] C. Wang, S. S. M. Chow, Q. Wang, K. Ren, and W. Lou. Privacy-
preserving public auditing for secure cloud storage. IEEE Trans.
Computers, 62(2):362–375, 2013.
[44] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou. Toward secure
and dependable storage services in cloud computing. IEEE T.
Services Computing, 5(2):220–232, 2012.
[45] H. Wang. Proxy provable data possession in public clouds. IEEE
T. Services Computing, 6(4):551–559, 2013.
[46] B. Waters. Efficient identity-based encryption without random
oracles. In R. Cramer, editor, EUROCRYPT, volume 3494 of Lecture
Notes in Computer Science, pages 114–127. Springer, 2005.
[47] K. Yang, X. Jia, K. Ren, B. Zhang, and R. Xie. Dac-macs: Effective Jianghua Liu received his B.S. degree from
data access control for multiauthority cloud storage systems. IEEE the Department of Electronic Information Sci-
Transactions on Information Forensics and Security, 8(11):1790–1801, ence and Technology, Hainan Normal University,
2013. China, in 2013. He is currently a Graduate at
[48] W.-S. Yap, S. S. M. Chow, S.-H. Heng, and B.-M. Goi. Security the Fujian Provincial Key Laboratory of Network
mediated certificateless signatures. In ACNS, volume 4521 of Security and Cryptology, School of Mathematics
Lecture Notes in Computer Science, pages 459–477. Springer, 2007. and Computer Science, Fujian Normal Univer-
[49] Y. Zhu, G.-J. Ahn, H. Hu, S. S. Yau, H. G. An, and C. Hu. Dynamic sity, China. His research interests include cryp-
audit services for outsourced storages in clouds. IEEE T. Services tography and information security.
Computing, 6(2):227–238, 2013.

Joseph K. Liu received the Ph.D. degree in

information engineering from the Chinese Uni-
versity of Hong Kong in July 2004, specializing
in cyber security, protocols for securing wireless
networks, privacy, authentication, and provable
security. He is now a senior lecturer at Monash Professor Yang Xiang received his PhD in
University, Australia. His current technical focus Computer Science from Deakin University, Aus-
is particularly cyber security in the cloud com- tralia. He is currently a full professor at School
puting paradigm, smart city, lightweight secu- of Information Technology, Deakin University.
rity, and privacy enhanced technology. He has He is the Director of the Network Security and
published more than 80 referred journal and Computing Lab (NSCLab) and the Associate
conference papers and received the Best Paper Award from ESORICS Head of School (Industry Engagement). His re-
2014. He has served as the program chair of ProvSec 2007, 2014, and search interests include network and system
as the program committee of more than 35 international conferences. security, distributed systems, and networking. In
particular, he is currently leading his team de-
veloping active defense systems against large-
scale distributed network attacks. He has published more than 200
research papers in many international journals and conferences, such
as IEEE Transactions on Computers, IEEE Transactions on Parallel and
Distributed Systems, IEEE Transactions on Information Security and
Forensics, and IEEE Journal on Selected Areas in Communications.
Kaitai Liang received the Ph.D. degree in the He serves as the Associate Editor of IEEE Transactions on Computers,
Department of Computer Science, City Univer- IEEE Transactions on Parallel and Distributed Systems, Security and
sity of Hong Kong. He is currently a post-doctoral Communication Networks (Wiley), and the Editor of Journal of Network
researcher at Department of Computer Science, and Computer Applications. He is the Coordinator, Asia for IEEE Com-
Aalto university in Finland. His research inter- puter Society Technical Committee on Distributed Processing (TCDP).
est is applied cryptography; in particular, cryp- He is a Senior Member of the IEEE.
tographic protocols, encryption/signature, and
RFID. He is also interested in cybersecurity,
such as network security, big data security, pri-
vacy enhanced technology, and security in cloud
computing.