A Secure and Verifiable Access Control Scheme for Big Data Storage in Clouds 343

Home , Secure channel

IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018 341 A Secure and Veriﬁable Access Control Scheme for Big Data Storage in Clouds

Chunqiang Hu ,Member, IEEE, Wei Li,Member, IEEE, Xiuzhen Cheng ,Fellow, IEEE, Jiguo Yu,Member, IEEE, Shengling Wang ,Member, IEEE, and Rongfang Bie,Member, IEEE

Abstract—Due to the complexity and volume, outsourcing ciphertexts to a cloud is deemed to be one of the most effective approaches for big data storage and access. Nevertheless, verifying the access legitimacy of a user and securely updating a ciphertext in the cloud based on a new access policy designated by the data owner are two critical challenges to make cloud-based big data storage practical and effective. Traditional approaches either completely ignore the issue of access policy update or delegate the update to a third party authority; but in practice, access policy update is important for enhancing security and dealing with the dynamism caused by user join and leave activities. In this paper, we propose a secure and verifiable access control scheme based on the NTRU cryptosystem for big data storage in clouds. We first propose a new NTRU decryption algorithm to overcome the decryption failures of the original NTRU, and then detail our scheme and analyze its correctness, security strengths, and computational efficiency. Our scheme allows the cloud server to efficiently update the ciphertext when a new access policy is specified by the data owner, who is also able to validate the update to counter against cheating behaviors of the cloud. It also enables (i) the data owner and eligible users to effectively verify the legitimacy of a user for accessing the data, and (ii) a user to validate the information provided by other users for correct plaintext recovery. Rigorous analysis indicates that our scheme can prevent eligible users from cheating and resist various attacks such as the collusion attack.

Index Terms—Big data storage, access control, the NTRU cryptosystem, secret sharing, access policy update, cloud computing Ç

1 INTRODUCTION IGdata is a high volume, and/or high velocity, high could. But how to update the ciphertext stored in a cloud Bvariety information asset, which requires new forms of when a new access policy is designated by the data owner processing to enable enhanced decision making, insight dis- and how to verify the legitimacy of a user who intends to covery, and process optimization [1]. Due to its complexity access the data are still of great concerns. and large volume, managing big data using on hand data- Most existing approaches for securing the outsourced big base management tools is difficult. An effective solution is data in clouds are based on eitherattributed-based encryption to outsource the data to a cloud server that has the capabili- (ABE)orsecret sharing. ABE based approaches [4], [5], [6], [7], ties of storing big data and processing users’ access requests [8], [9], [10], [11] provide the flexibility for a data owner to in an efficient manner. For example in e-health applications, predefine the set of users who are eligible for accessing the the genome information should be securely stored in an data but they suffer from the high complexity of efficiently e-health cloud as a single sequenced human genome is updating the access policy and ciphertext. Secret sharing around 140 gigabytes in size [2], [3]. However, when a data [11], [12], [13], [14], [15], [16], [17] mechanisms allow a secret owner outsources its data to a cloud, sensitive information to be shared and reconstructed by certain number of cooper- may be disclosed because the cloud server is not trusted; ative users but they typically employ asymmetric public key therefore typically the ciphertext of the data is stored in the cryptograph such as RSA for users’ legitimacy verification, which incur high computational overhead. Moreover, it is also a challenging issue to dynamically and efficiently C. Hu is with the School of Software Engineering, Chongqing University, Chongqing, 400044, China. E-mail: [email protected]. update the access policies according to the new requirements X. Cheng is with the Department of Computer Science, George Washing- of the data owners in secret sharing approaches. ton University, Washington, DC 20052. E-mail: [email protected]. As a data owner typically does not backup its data locally W. Li is with the Department of Computer Science, Georgia State University, Atlanta, GA 30302. E-mail: [email protected]. after outsourcing the data to a cloud, it cannot easily man- J. Yu is with the School of Information Science & Engineering, Qufu age the data stored in the cloud. Besides, as more and more Normal University, Rizhao, Shandong 276826, P.R. China. companies and organizations are using clouds to store their E-mail: [email protected]. data, it becomes more challenging and critical to deal with S. Wang and R. Bie are with the College of Information Science & Technology, Beijing Normal University, Beijing 100875, China. the issue of access policy update for enhancing security and E-mail: {wangshengling, rfbie}@bnu.edu.cn. dealing with the dynamism caused by the users’ join and Manuscript received 1 Feb. 2016; revised 22 July 2016; accepted 18 Oct. 2016. leave activities. To the best of our knowledge, policy update Date of publication 5 Feb. 2017; date of current version 7 Sept. 2018. for outsourced big data storage in clouds has never been Recommended for acceptance by J. Chen, H. Wang, and M. Parashar. considered by the existing research [13], [17], [18], [19], [20]. For information on obtaining reprints of this article, please send e-mail to: [email protected], and reference the Digital Object Identifier below. Another challenging issue is how to verify the legitimacy Digital Object Identifier no. 10.1109/TBDATA.2016.2621106 of the users accessing the outsourced data in clouds. Existing

2332-7790 2016 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See ht_tp://www.ieee.org/publications_standards/publications/rights/index.html for more information. 342 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018 schemes proposed in [7], [8], [10], [21] do not support user eligibility verification. On the other hand, verifiable secret sharing based schemes rely on RSA [13], [14], [15] for access legitimacy verification. As multiple users need to mutually verify each other using multiple RSA operations, such a procedure has a high computational overhead. Furthermore, the classic asymmetric crypto solutions such as RSA could be broken by quantum computing in the near future. This is not a science fiction as in 2015 IBM brought quantum computing closer to reality [22], making it urgent to exploit new techni- Fig. 1. An example application of big data storage in banking. ques for quantum computing attack resistance. The NTRU cryptosystem is a type of lattice-based cryptography [23], We prove the correctness of the proposed scheme [24], [25], and its security is based on the shortest vector and investigate its efficiency and security strength. problem (SVP) in a lattice [26]. The major advantages of Particularly, we demonstrate that our scheme can NTRU are quantum computing attack resistance and light- resist various attacks such as the collusion attack via ing fast computation capability. However, NTRU suffers a rigorous analysis. from the problem of decryption failures [27], [28], [29], [30]. The rest of the paper is organized as follows. Section 2 The considerations mentioned above motivate us to introduces the motivation and the related work. Section 3 develop a verifiable access control scheme for securing the presents our system model, security model, and the prelimi- big data stored in clouds, tackling the challenges of the fol- nary knowledge employed by our scheme. Section 4 proposes lowing security services: an improved NTRU cryptosystem to overcome the decryption failures of the original NTRU cryptosystm. Section 5 Security. The proposed scheme should be able to details our secret sharing based scheme for big data storage in defend against various attacks such as the collusion clouds. The correctness, security properties, and performance attack. Meanwhile, access policy update should not of our proposed scheme are elaborated in Section 6. Conclu- break the security of the data storage, disclose sensi- sions and future work are discussed in Section 7. tive information about the data owner, and cause any new security problem. OTIVATION AND ELATED ORK Verification. When a user needs to decrypt a stored 2 M R W ciphertext, its access legitimacy should be verified by 2.1 Motivation other participating users and the secret shares In this information era, companies and organizations are obtained from other users must be validated for cor- facing a challenging problem of effectively managing their rect recovery. complex data. As the development of cloud storage, out- Authorization. To reduce the risk of information leak- sourcing the data to a cloud is an appropriate approach. age, a user should obtain authorization from the Generally speaking, clouds can be classified into two major data owner for accessing the encrypted data. categories: i) public clouds with each being a multi-tenant In this paper, we first propose an improved NTRU cryp- environment shared with a number of other tenants, and ii) tosystem to overcome the decryption failures of the original private clouds with each being a single-tenant environment NTRU. Then we design a secure and verifiable scheme dedicated to a single tenant. For example, the IBM cloud based on the improved NTRU and secret sharing for big was proposed as a public one for the data management of data storage. The cloud server can directly update the banking [31]. When a bank stores its data in the could server stored ciphertext without decryption based on the new as shown in Fig. 1, only its legal staff members have the access policy specified by the data owner, who is able to val- rights to access the stored data. Typically the bank system idate the update at the cloud. The proposed scheme can ver- contains many sensitive and private consumer information. ify the shared secret information to prevent users from In order to reduce the risk of information leakage, the access cheating and can counter various attacks such as the collu- right of an employee should be properly restricted, and a sion attack. It is also deemed to be secure with respect to single employee should not be allowed to reveal the data by quantum computing attacks due to NTRU. The multi-fold itself without obtaining the authorization from other users; contributions of the paper can be summarized as follows: that is, recovering the data requires to get the authorization We propose a new NTRU decryption procedure to of multiple employees. Moreover, the bank should be able overcome the decryption failures of the original to update the access policies for the stored data in a NTRU without reducing the security strength of dynamic and efficient manner. Similarly, military applica- NTRU. tions can utilize a private cloud to store their complex data We propose a secure and verifiable access control as shown in Fig. 2. Since the data is confidential, a military scheme to protect the big data stored in a cloud. The member, who needs to access the data, must pass the verifi- scheme can verify a user’s access legitimacy and vali- cation of its legitimacy and receive the authorization from date the information provided by other users for cor- multiple relevant departments. Besides, the military should rect plaintext recovery. be able to dynamically and efficiently update its access We devise an efficient and verifiable method to polices based on the changing requirements. update the ciphertext stored in clouds without Such applications usually require the data to be stored in a increasing any risk when the access policy is dynami- cloud in ciphertext format, and the access of the data by a cally changed by the data owner for various reasons. user requires multiple other users to verify the access HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 343

in which the data owners encrypt their data based on cryptographic primitives and store the encrypted data to the clouds. In outsourcing, a secure mechanism should be established between a data owner and a cloud. In order for the cloud to perform operations over the encrypted data, “Fully Homomorphic Encryption” (FHE) [36] was usually adopted, which allows direct addition and multiplication operations over the ciphertexts while preserving decrypt- ability. Homomorphic encryption was also applied to guarantee the security of data storage [37], [38]. Nevertheless, it is an immature cryptosystem, and is extremely inefficient in practice, which renders it hardly applicable in real world applications. Securely outsourcing big data computations to the clouds was also extensively studied [39], [40], [41] but this topic is out of the scope of the paper. Adequate access control is key to protect the stored data. Fig. 2. An example application of big data storage in military. Access control has traditionally been provided by operating systems or applications restricting access to the information, legitimacy of the user. Therefore in this paper we propose a which typically exposes all the information if the system or secure and verifiable access control scheme for big data stor- application is hacked [42]. A better approach is to protect age to tackle the following challenges: i) how to securely the information using encryption that only allows decryp- store the data in a cloud server and distribute the shares of tion by authorized entities. Attribute-Based Encryption the access right to all legitimate users of the data? ii) how to (ABE) [4], [7], [8], [10], [11] is one of the most powerful tech- verify the legitimacy of a user for accessing the data? iii) how niques for access control in cloud storage systems. In the to recover the plaintext data when the access right needs to past years, quite a few attribute-based access control be jointly granted by multiple users? and iv) how to dynami- schemes [19], [20], [43], [44] were proposed, in which the cally and efficiently update the ciphertext in the cloud when data owners define the access policies based on the attrib- the access policy of the data is changed by the data owner? utes required by the data and encrypt the data based on the To overcome these challenges, we make use of the following access policies. By this way the data owners are able to techniques in the design of our secure and verifiable access ensure that only the users meeting the access policies can control scheme for big data storage. First, a plaintext data is decrypt the ciphertexts. However, it is difficult to update bound to a secret that is shared by all legitimate users of the the policies when these ABE based schemes are applied data based onðt; nÞ-threshold secret sharing, and a message because the data owners do not store the data in their local certificate is computed for the data based on the NTRU systems once they outsource the data into the cloud servers. encryption; the ciphertext is produced from both the shared It is also difficult to verify the legitimacy of the downloaded secret and the message certificate. Second, the legitimacy of a data as the clouds housing the data are not trustworthy. user for accessing the data is verified by both the data owner Besides, the operations of encryption and decryption in and at leastt 1other legal users of the data, and the infor- ABE have a high computational overhead and incur a large mation provided by other users for the plaintext recovery energy consumption. needs to be validated by the user to prevent against cheating Secret sharing [45] is another powerful technique to pro- behaviors. Third, the plaintext data can be obtained when at tect the big data in cloud storage. The most related work to leastt 1other users participate in the recovery process and our proposed scheme are [14] and [15], whose verification provide correct information for the data recovery, based on procedure can resist potential attacks such as collusion and ðt; nÞ-threshold secret sharing. Last, the access policy of the cheating. In [15], two schemes were proposed, namely data and the secret shares bound to the data can be dynami- Scheme-I and Scheme-II, based on the homogeneous linear cally changed by the data owner, and the update of the recursion and the RSA cryptosystem, in which the homoge- ciphertext is conducted by the cloud server without the need neous linear recursion is used to construct the secret share of downloading the previous ciphertext from the cloud to and reconstruct the secret, and RSA is used to verify the the data owner. Meanwhile, the data owner is able to verify users’ access legitimacy. The difference between these two whether the ciphertext stored in the cloud is correctly schemes lies in that the users in Scheme-I mutually verify updated. each other’s legitimacy without seeking help from public values while in Scheme-II the users need the help of public 2.2 Related Work values. In [14], the authors presented a verifiable multi- Because big data frequently contains a huge amount of per- secret sharing scheme based on cellular automata, which is sonal identifiable information, how to securely store the used to construct the secret share and reconstruct the secret data and how to provide access control over the stored data with a linear computational complexity, and the RSA cypto- are two biggest challenges [32]. In this section, we mainly system, which is used for verification. In these schemes, as summarize the state-of-the-art of securing the big data multiple users mutually verify each other using multiple stored in clouds. RSA operations, a very high computational overhead Outsourcing to clouds is one of the most popular occurs. In addition, the classic asymmetric crypto solutions approaches to securing the big data storage [33], [34], [35], would be broken by quantum computing; that is, these 344 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018

For a piece of data to be stored in a cloud, the data owner generates a public key and privacy key pair, defines an access policy, and computes a sub-key for each potential user based on the policy. Then, the data owner produces a message certificate for the data, and stores the encrypted data with the access policy in the cloud. When a user needs to use the data, it solicits help from other users to recover the data. The cloud server can update the encrypted data with a new policy is designated by the data owner. The access policy is defined by at 1degree polynomial Pt 1 j bðxÞ¼b0þ j¼1bjx in this paper. Specifically, the data Fig. 3. System model. owner splits the access right of an encrypted plaintext into npieces fornusers, with one piece for each legitimate user traditional verification methods cannot satisfy the verifica- of the data. A user can recover the plaintext data if and only tion requirements with respect to quantum computing, if it obtains the message certificate from the data owner and which is made closer to reality by IBM in 2015 [22]. Thus we holds at leasttpieces of the access rights (with the help of at need to seek new verification methods to meet the future leastt 1other legal users), wheretis a threshold desig- requirements. For this purpose, we utilize the NTRU cryp- nated by the data owner for access control based on tosystem to counter the quantum computing attacks in the ðt; nÞ-threshold secret sharing. design of our proposed scheme. Delegation is a popular approach for policy update. In 3.2 Adversarial Model and Security Objectives [7], a user generates a new private key using its previous We assume that the cloud server honestly follows the proto- private key, and then delegates the new private key to a col, i.e., it sends the ciphertext to a user when receiving a local authority for access policy update. In [46], a procedure request from the user, and updates the ciphertext in its stor- called “ciphertext delegation” was designed for the third age when requested by the owner of the data. The data own- party to ‘re-encrypt’ the ciphertext to a more restrictive pol- ers do not have incentives to cheat the end users as their icy using only public information. These two approaches goals are to secure the data stored in the cloud server, but cannot satisfy our security requirements because they dele- one data owner may intend to recover the data belonging to gate the private key/ciphertext for a new access policy that a different data owner. The users do not have to be honest, is more restrictive than the old one—in our perspective, the i.e., they may have different cheating behaviors. For access policy to a ciphertext might need to be relaxed as example, a user may provide incorrect information for time goes for many real world applications. Therefore in the decryption of a ciphertext by other users, causing the our design, we allow the new access policy designated by decryption to fail; multiple users may collude to reveal the the data owner to be independent than the previous one, message; a user may forge a message certificate; just to and the ciphertext is updated by the cloud based on the name a few. new access policy. We intend to achieve the following security objectives when designing our access control scheme for big data stor- 3 MODELS ANDPRELIMINARIES age in clouds: 3.1 System Model Data confidentiality. The outsourced data must be We consider a cloud storage system that is applicable for protected from eavesdropping attacks during both public and private clouds as shown in Fig. 3. It consists upload, download, update, and retrieval of the data. of the following three types of entities: cloud server, data Verification. The legitimacy of any user to access the owner (owners), and data user (users). data must be verifiable; the information provided by Cloud Server. A cloud server provides spaces for data any user for plaintext recovery must be validated. owners to store their outsourced ciphertext data that can be Attack resistance. The proposed scheme must be able retrieved by the users. It is also responsible for updating the to counter potential attacks (cheating, collusion ciphertexts when the data owner changes its access policy. attacks, forging attacks, etc.) launched by misbehav- Owners. A data owner designates the access policy for its ing users and adversaries. data, encrypts the data based on the access policy before outsourcing the data to the cloud server, and requests the 3.3 Preliminaries cloud server to update the encrypted data when a new In this section, we introduce the following two crypto- access policy is adopted. It can also check whether the graphic primitives: NTRU and secret sharing. For better ciphertext at the cloud server is correctly updated. elaboration, we present the notations and their semantic Users. Each user is assigned with a sub-key for an meanings in Table 1. encrypted data the user is eligible to access. In order to decrypt the ciphertext, the user’s eligibility must be verified 3.3.1 The NTRU Cryptosystem by at leastt 1other users that are also eligible to access The NTRU cryptosystem is based on the shortest vector the data. The information provided by thet 1verifiers problem in a lattice that makes it lightning fast and resistant must be validated by the user for correct message decryp- to quantum computing attacks. It has been proved to tion based on theðt; nÞ-threshold secret sharing. be faster than RSA [28], [29]. In this section, we briefly HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 345

TABLE 1 computes his public keyhaccording to (4), and pub- The Notations and Their Semantic Meanings lishes his public parametersfp; q; hg Notations means h¼fq gðmod qÞ: (4) D The data owner Ui Theith user,1 i n Encryption: Assume that Alice wants to send a mes- id Theidof a user sagem to Bob, she needs to first convertm into a fH; H1g Two one-way hash functions polynomial inLm. For simplicity, we usem to denote (h,f) A pair of keys, withhbeing the public key the polynomial representation ofm inL too. Then andfbeing the private key. m she randomly chooses a polynomialf2Lf, encrypts S The set ofM messages S¼fS1;S2;...;SMg R Ris a ring, i.e.,R¼Z½X =ðXN 1Þ m using Bob’s public keyhaccording to (5), and p; q Two integers in R sends the encrypted messageeto Bob f A polynomial in R g A polynomial inZ½X =ðq; XN 1Þ e¼pf hþm ðmod qÞ: (5) N fp A polynomial inZ½X =ðp; X 1Þ N Decryption: Bob receives the encrypted messagee fq A polynomial inZ½X =ðq; X 1Þ Lf The set of polynomials inR from Alice, and decrypts it using his private keyf Lg The set of polynomials inR and the inverse offmodule p, i.e.,fp, via AES Advanced Encryption Standard a¼e fðmod qÞ: (6) m ¼a f ðmod pÞ: (7) introduce NTRU, and refer the interested readers to [27] and p [26] for more details. Remarks.In NTRU, if the system parameters are properly NTRU consists of three integer parameters ðN; p; qÞand selected, the probability of correctly recovering the plain- four setsL;L;LandL of polynomials of degreeN 1 f g f m text message is extremely high; otherwise, the probability with integer coefficients. Note that pandqare not required of decryption failures is extremely high. There are two to be prime, but they should simultaneously meet the fol- types of decryption failures: theWrap failure and theGap lowing two criterions:gcdðp; qÞ¼1andq >p. NTRU works N failure, which will be discussed in Section 4. in the ringR¼Z½X =ðX 1Þ, andLf;Lg;Lf andLm are defined inR whose selection criteria are detailed in [26]. 3.3.2 Secret Sharing Scheme Any element f2Lfcan be expressed as a polynomial or a vector as follows: Secret sharing schemes have been extensively studied [13], [17], ever since its development by Shamir [45] and Blakley NX 1 [47] in 1979. Generally speaking, secret sharing can be i f¼ fix ¼½f0;f1;...;fN 1: (1) briefly described as follows. In the context of adealersharing i¼0 a secret with a number ofusersU1;...;Un, a user learns the secret if and only if it can cooperate with at leastt 1other We use to denote the convolution multiplication of two users (on sharing what they learn from the dealer), where polynomialsfandginR, which can be computed via t nis a pre-determined parameter. The secret to be shared Xk NX 1 by the dealer and the users iss2GFðp1Þ, wherep1 > N. f g¼h with hk¼ figk iþ figNþk i; (2) Each userUiholds a secret keyki2GFðp1Þ, which is only i¼0 i¼kþ1 known byUiand the dealer. The dealer follows a two-step process. First, it constructs wherek2½0;N 1. Note that when we do a multiplication a polynomial function FðxÞof degree t 1 shown as of two polynomials moduloq, we mean to reduce the coeffi- follows: cients of the product moduloq. NTRU implements the following three basic functions. Xt 1 j Forbetterpresentation, weuse AliceandBobtorepre- FðxÞ¼sþ mjx; (8) sent the two entities for encrypting and decrypting a j¼1 message. by randomly choosing eachmji.i.d. with a uniform dis- Key Generation: To create his public and private keys, tribution fromGFðp1Þ. Note that all (addition and multi- Bob randomly chooses two polynomialsg2Lgand plication) operations used in (8) is modular arithmetic f2Lf, in whichfis his private key and is required (defined overGFðp1Þ) as opposedtoreal arithmetic. to have inverse moduloqand inverse modulop. Let Also note that sis the constant component ofFðxÞ—i.e., s¼Fð0Þ. Then, in the second step, the dealer transmits fqandfprespectively denote the inverse moduloq and the inverse modulopoff, which are formally to eachUia shared secretsi¼FðxiÞ, wherexiis a ran- defined as follows: dom number selected byUifor sharing the secretsand is sent to the dealer via the secure channel protected by

fq f¼1ðmod qÞ and fp f¼1ðmod pÞ: (3) the shared keyki. We now show how tor more users can cooperate to For any properly selectedf, it is easy to computefq recoversby sharing the secrets received from the dealer. and fp via the euclidean algorithm. Then Bob Without loss of generality, let U1;...;Utbe the cooperating 346 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018 users. Thesetusers can reconstruct the secrets¼Fð0Þfrom Case 1: If ai 0, it can be denoted by ðgþ1Þ ðgþ1Þ s1¼Fðx1Þ;...;st¼FðxtÞby computing q 1 q ai¼ 2 gþci , where0 ci < 2. There are 0 1 two sub-cases: - Case 1-1: Ifg¼0, we havea0¼a; then set Xt Y 0 x i i i ð1Þ ð2Þ ð3Þ ðtÞ s¼Fð0Þ¼ @sj A: (9) x x ci ¼ci ¼ci ¼ ¼ci ¼0. j¼1 i2½1;n;i6¼j j i ð1Þ ð2Þ ðgÞ q 1 - Case 1-2: Ifg 1, setci ¼ci ¼ ¼ci ¼ 2 ðgþ2Þ ðtÞ 0 ð1Þ ð2Þ andc ¼ ¼c ¼0; thena¼ai c c Note that the cumulative product in (9) is essentially the i i i i i cðgÞ¼cðgþ1Þ. Lagrange coefficient. The correctness of (9) can be easily ver- i i Case 2: If a < 0, it can be denoted asa¼ ified based on the definition ofFðxÞ. i i q 1 ðgþ1Þ q ðgþ1Þ In secret sharing, a user may cheat when recovering 2 gþci , where 2 q, the Gap 0 i N 1 i 0 i N 1 i Proof.According to [48] and our own analysis mentioned failure could happen, leading tom06¼m with a high proba- above, one can see that the root cause of the Gap failure bility. From the above analysis, one can see that the Gap fail- and the Wrap failure in the original NTRU decryption is ure leads to the Wrap failure and that overcoming the Wrap thatjaj q=2 exists for some a ina¼e f. Our failure can also getting rid of the Gap failure. i i improved NTRU decryption procedure first computesa0 In order to overcome the Wrap failure, we propose the fromato ensure that q

Proof.Our improved NTRU cryptosystem consists of the data storage in a cloud server in this section. Our scheme original encryption and the proposed improved decryp- consists of the following four stages: i) Setup: the data tion algorithm. Thus, proving this theorem is equivalent to owner initializes the system to generate the public and showing that our improved decryption cannot reduce the private keys via the improved NTRU cryptosystem; ii) security strength of the original NTRU. This can be ana- Construction: the data owner generates a sub-key for lyzed from the following two aspects. First, similar to the each user inB, produces a message certificate for each original NTRU, our improved NTRU is also based on the message, and stores the data securely in the cloud server; shortest vector problem in a lattice. Second, the improved iii) Reconstruction: the userUiandt 1other users inB decryption gets rid of the Gap failure and the Wrap failure mutually verify each other and work together to help Ui to correctly recover the original messagemwithout reveal- reconstruct the data; iv) Policy update: the cloud server ing any sensitive information as the decryptor computes instead of the data owner updates the encrypted data the adjusting vectors and keeps them to itself, which with a new policy if needed. implies that the improved decryption procedure is as secure as the original NTRU decryption. Therefore we 5.1 Setup claim that the improved NTRU cryptosystem does not A data owner has a set of messagesS¼fS1;S2;...;SMgfor reduce the security strength of the original NTRU. tu cloud storage, withM being the total number of messages inS. At the setup stage, the data owner generates its public An instance of decryption failure of the original NTRU keyhand private keyfaccording to the improved NTRU cryptosystem is shown in Appendix. We also demonstrate cryptosystem and then initializes the system according to that the improved NTRU cryptosystem can successfully the process presented in Algorithm 2. decrypt the ciphertext for the same example. Algorithm 2.Initialization Algorithm 1.The Improved NTRU Decryption 1: Chooses three integer parametersðN; p; qÞsatisfying 1:Input: cipher texte, secret keyff; fpg. gcdðp; qÞ¼1andq >p; 2:Output: plaintextm; 2: Chooses four setsLf;Lg;Lf;Lm of polynomials of degree 3: The decryptor computesa¼e f; N 1inRwith integer coefficients; 4:G¼maxfjmax0 i N 1faigj;jmin0 i N 1faigjg; 3: Generates the key pairðf; hÞaccording to the improved G 5:t¼bq=2c; NTRU cryptosystem, wherefis the private key and 6:Ift¼0 his the corresponding public key; 7: m ¼a fpðmod pÞ. 4: Selects two one-way hash functionsH1andH; 8:Else 5: Publishesfp; q; hgand the selection criteria offLf;Lmg. 9: For0 i N 1, jaij 10: Computeg¼bq=2c; 11: Ifg¼0 5.2 Construction 0 ð1Þ ð2Þ ðtÞ 12: ai¼aiandci ¼ci ¼ ¼ci ¼0; The data owner constructs a sub-key for each legitimate 13: Else Ifai 0 user inB, generates a certificate for each message inS, and 14: a0¼a q 1g; i i 2 stores the encrypted data into the cloud server. ð1Þ ð2Þ ðgÞ q 1 15: ci ¼ci ¼ ¼ci ¼ 2; ðgþ1Þ 0 16: ci ¼ai; 5.2.1 Sub-Key Construction ðgþ2Þ ðtÞ 17: ci ¼ ¼ci ¼0; The data owner randomly generates tdifferent integers N 18: Else b0;b1;...;bt 1, where bj2Z½X =ðX 1Þ for j¼0;1; 0 q 1 19: ai¼aiþ 2 g; ...;t 1, and uses them as coefficients to construct the ð1Þ ð2Þ ðgÞ q 1 20: ci ¼ci ¼ ¼ci ¼ 2; followingt 1degree polynomialbðxÞ ðgþ1Þ 0 t 1 21: ci ¼ai; X j ðgþ2Þ ðtÞ bðxÞ¼b0þ bjx: (10) 22: ci ¼ ¼ci ¼0; 23: EndIf j¼1 24: EndFor Each userU chooses a random integerr, encryptsrusing 0 0 ð1Þ ðtÞ i i i 25: m ¼a fpþc fpþ þc fpðmod pÞ; the data owner’s public keyh to get the ciphertext 26:EndIf 0 vi¼pf hþriðmod qÞ, and then sendsfidi;HðriÞ;vigto 27: Output plaintextm. the data owner. When the data owner receives the ciphertext vi,it 0 decrypts it using its private keyfto get the plaintextri. 5 THEPROPOSEDSCHEME Then the data owner checks the following two conditions: i) 0 LetBbe the set of users that are eligible to access the out- HðriÞ¼HðriÞfor the userUi; and ii)ri6¼rsfor the userUi sourced sensitive data in the cloud. Assume thatUi2Bis and any userUswho has received a sub-key from the data a user who needs to use the data. According to the access owner. If condition i) cannot hold, the message is falsified policy, at leastt 1other users inBshould participate in during transmission and it could be sent again; if condition the processes of verifyingUi’s eligibility and obtaining ii) cannot hold, the data owner requests the userUi to the data forUi. To achieve this objective, we propose a choose a different secret number and repeat the procedure secure and verifiable access control scheme for the big to compute a sub-key forUi. 348 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018

If the two conditions hold true forUi, the data owner Algorithm 3.Construction calculatesHðidijjriÞand generates the sub-keyxi forUi using (11). Then the data owner securely broadcasts 1: The data owner generates a polynomialbðxÞaccording to (10) in Section 5.2.1; fidi;xi;HðidijjriÞgto all the users inB 2:Foreach userUiinB Xt 1 3: Encrypts its selected numberriusing the data owner’s j xi¼bðriÞ¼ bj ðriÞ: (11) public keyhto getvi¼pf hþriðmod qÞ; 00 00 j¼0 4: ComputesH ¼HðriÞand sendsfidi;H;vigto the data owner; 5.2.2 Message Certificate Construction 5: The data owner decryptsvito getriusing Algorithm 1; 00 In order to validate the users inB for their legitimacy of 6: IfH ¼HðriÞ accessing the data inSand to prevent against the cheating 7: Ifri6¼rsfor anyUsthat has received a sub-keyxs 8: The data owner generates the sub-keyxusing (11); behaviors of the users, the data owner computes a certificate i 9: The data owner broadcastsfid;HðidjjrÞ;xgto all for each message inSaccording to the following procedure: i i i i 10: users inB; the data owner first randomly chooses the parameters 11: Else f2Lf and e¼fe1;...;ej;...;eMg, where ej2Z½X = 12: The data owner requestsUito choose a different N ðX 1Þ; then it generates the certificateðej;djÞfor message 13: random numberriand then go back to step 3; Sj2Sby (12), where1 j M, 14: EndIf 15: Else dj¼pf fþejðmod qÞ; (12) 16: The message is falsified; 17: Retransmitsfid;H00;vgto the data owner; and finally, the data owner publishes e¼fe;e;...; i i 1 2 18: Go back to step 5; e;...;egto all users inB. j M 19: EndIf 20:EndFor 5.2.3 Data Encryption 21: The data owner chooses parametersf2Lfand Before outsourcing the data to the cloud server, the data e¼ðe1;e2;...;ej;...;eMÞ; owner computes a set of ciphertexts K ¼fk1;k2;...; 22:Foreach messageSj2S kj;...;kMgfor the messages inS¼fS1;S2;...;Sj;...;SMg 23: The data owner generates a message certificateðej;djÞ according to (13), wherekjis the ciphertext ofSj forSjby (12); 24: The data owner encrypts the dataSjby (13) to getkj kj¼Sj Hðb0 djÞ: (13) and computesH1ðSjÞ; 25: The data owner publishesejand storeskjin the cloud Then the data owner keepsH1ðSjÞto itself and storeskj, server. j¼1;2;...; M, in the cloud server. 26:EndFor The construction operations in Sections 5.2.1, 5.2.2, and 5.2.3 are shown in Algorithm 3. 5.3.2 Certificate Verification

5.3 Message Reconstruction When a user UsinBreceivesWij, it uses the publicejto ver- Assume that a userUi2Bneeds to get the message/dataSj. ifyWijaccording to (16). If (16) holds,Uiis verified byUs, It downloadskjfrom the cloud server and then seeks help which implies that Uiis a valid user of the messageSjin from other users inBto decryptkj. This procedure consists Us’s perspective. ThenUsprovides itsfids;rsgtoUi of the following three stages: i) Exchange certificate compu- W ¼x e: (16) tation:UigetsSj’s message certificate from the data owner ij i j and computes an exchange certificate. ii) Certificate verifica- When Ui receives Us’s fids;rsg, it computes tion: other users inBandUimutually validate each other. iii) 0 H ¼HðidsjjrsÞ. SinceUiholds theHðidjjrÞvalues of all users Message reconstruction: Uireconstructs the messageSj. inB, it can verify whether thersvalue provided byidsis correct. Ifrsdoes not pass the verification,Us’s sub-key cannot 5.3.1 Exchange Certificate Computation be used byUifor the reconstruction ofSj, which implies that Uisends a request to the data owner to obtainSj’s message Ushas a cheating behavior in the perspective ofUi. certificatedj. Upon receiving this request, the data owner At leastt 1users inBshould be able to verify the legiti- encryptsdjusingUi’s secret numberribased onAES as macy of Uifor accessingSjand these users must be verifi- shown in follows: able byUiin order forUito use their provided sub-keys for the reconstruction ofSj. Cdj¼AESriðdjÞ: (14) 5.3.3 Message Reconstruction Upon receiving the ciphertext Cdj from the data owner, When the user U obtains authorizations fromt 1legal Uifirst decryptsCdjto obtaindj. Then, it uses its sub-keyxi i users inB, it recovers the messageS according to to compute the exchange certificateWijvia (15) and sends j W to other users inB ! ! ij X Y rs Sj¼kj H xi dj : (17) Wij¼xi dj: (15) rs ri Ui2B Us2B;Us6¼Ui HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 349

The processes of reconstruction and verification are sum- Remark.The cloud server can update the ciphertext when a marized in Algorithm 4. new access policy is specified by the data owner, and this update can be verified by the data owner; meanwhile, Algorithm 4.Reconstruction and Verification each user inB can easily update its secret number and

1: The userUidownloadskjfrom the cloud server, and sends the corresponding sub-key. a request to the data owner to obtaindj; 2: The data owner encryptsdjwithrito obtain ciphertext 6 ANALYSIS OF THEPROPOSEDSCHEME C ¼AES ðdÞ, and then sendsC toU; dj ri j dj i In this section, we conduct a rigorous analysis on the cor- 3:U decryptsC to getdusing its secret numberr; i dj j i rectness, security strengths, and computational complexity 4:U computes the exchange certificateW via (15), and sends i ij of the proposed scheme. Wijto other users inB; 5:Foreach userU inBDo s 6.1 Correctness 6: Upon receivingWij,UsverifiesWijby (16); 7: If(16) holds Theorem 3.A userUi2Bwho needs the dataSjand each of the 8: Ussends itsfids;rsgtoUi; other users inB can verify each other to helpUirecover the 9: Upon receivingfids;rsg,UicomputesHðidsjjrsÞ messageSj. 10: to verifyfids;rsg; Proof.After receivingd from the data owner,U generates 11: IfHðidsjjrsÞpasses the verification j i its exchange certificateW ¼x d and sendsW to the 12: Usparticipates in the reconstruction ofSj; ij i j ij 13: EndIf other users inB. Any userUs2Bcan verify the exchange 14: EndIf certificateWijby computingxi ejand checking whether 15:EndFor it is equal toWij.IfWijdoes equalxj ej,Us concludes 16:Ifat leastt 1other users inBare able to participate in the thatUi holds the correct message certificatedj, which recovery ofSj implies thatUiis the legitimate user ofSj. Such a verifica- 17: Uican reconstructSjvia (17); tion process is supported by the following derivation: 18:EndIf Wij¼xi dj

¼xi ðpf fþejÞmodp 5.4 Policy Update ¼xi ej: The data owner can dynamically control the access of its data by updating the access policy defined for the data. IfUsverifiesUito be a legitimate user ofSj, it sends its Intuitively, as the ciphertext of the data is stored in the fids;rsgtoUi. After receivingfids;rsg,Ui calculates 0 cloud server, the data owner needs to download the cipher- H ¼HðidsjjrsÞand checks against its local copy of text, decrypt it to get the plaintext, and then re-encrypt the HðidsjjrsÞ—recall that the data owner broadcasts the plaintext according to the new access policy. This is the HðidjjrÞvalue of each user inB to all other users inB approach adopted by all existing research. In this section, during the sub-key construction stage. If they are equal, we consider to update the encrypted data at the cloud Us provides the correctrs for the recovery ofSj; other- server based on the new access policy, which differs signifi- wise, Uscheats and it’srsvalue will not be used for the cantly than the traditional approaches. reconstruction ofSj. tu 0 0 The new access policy is defined by bðxÞ¼b0þ Pt0 1 Theorem 4.A userU inBcan reconstruct a messageS via (17) b0x, whereb0;b0;...;b0 are thet0coefficients of the i j j¼0 j j 0 1 t0 1 if there exist at leastt 1other users inBsatisfying the follow- new polynomialb0ðxÞselected by the data owner. The data ing two conditions: i) each of thet 1users can verify thatU owner needs to execute the procedures in Sections 5.2.1 and i 0 is a legitimate user ofSj; and ii) each of thet 1users can be 5.2.2 to generate a new sub-keyxifor each userUi2B, and 0 verified byUito provide the correct sub-key information. compute a new message certificatedjfor eachSj2S. Then j Proof. Without loss of generality, we denote by the data owner generates the intermediate valuekivbased 0 0 U1;U2;...;Ut 1thet 1users with each being able to ver- on the values ofb0,dj,b0, anddjby ify the legitimacy ofUiand each being verified byUifor j 0 0 kiv¼Hðb0 djÞ Hðb0 djÞ: (18) providing the correctrvalues. This implies thatUiholds the correct message certificatedjand the correctfids;rsg j The data ownerD sendskivto the cloud server, which of userUs, wheres¼1;2;...;t 1. ThusUican obtain will update the encrypted datakjvia the following result: 0 j ! k¼kj k : (19) X Y j iv rs xi dj 0 rs ri After that the cloud server sends k back to the data Ui2B Us2B;Us6¼Ui j ! owner to verify whether the server has successfully update X Y rs the ciphertext constructed from the new access policy. This ¼ xi dj rs ri procedure can be done by the data owner according to Ui2B Us2B;Us6¼Ui ! 0 0 0 X Y r H1ðSjÞ¼H1ðk Hðb dÞÞ: (20) s j 0 j ¼ bðriÞ dj: rs ri Ui2B Us2B;Us6¼Ui 350 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018

Since other honest user inBwhen verifying the legitimacy of Ui ! onSj; (ii) IfUsprovides an incorrect secret numberrsto a X Y rs legal userUi for the recovery ofSj, it can be detected b0 dj¼bð0Þ dj¼ bðriÞ dj: r r because Ui holds a local copy of the correct HðidsjjrsÞ, U2B U 2B;U 6¼U s i i s s i which is broadcast by the data owner during the sub-key P Q We have b d¼ð x rs Þ d. Thus construction process. Therefore, our proposed scheme can 0 j U2B i Us2B;Us6¼U r r j i i s i prevent users from cheating. Sj¼kj Hðb0 djÞ, which implies that the messageSj can be correctly reconstructed byU via (17). tu Attack 3.The users inBmay collude. i Analysis.Our scheme can resist the following type of col- Theorem 5.The cloud server instead of the data owner can cor- lusion attack:t 1or less number of users inBcollude to rectly update the access policy of a message without any decryp- recover the messageSj. From (13), we know that the users tion process. The data owner can verify the correctness of the should obtainb0anddjin order to decipher the message. update procedure. Nevertheless, since the security of our proposed scheme is guaranteed byðt; nÞ-threshold secret sharing, it is impossi- Proof.According to Section 5.4, the data owner re-generates ble for anyt 1or less number of users to obtainb. thet0integersfb0;b0;...;b0 gthat are used as the coefﬁ- 0 0 1 t0 1 Attack 4.An attacker intends to forgeW . cients of the polynomialb0ðxÞ, the new access policy, and ij j 0 Analysis. In order to forgeWij, which is deﬁned to be computes the intermediate valuekiv¼Hðb0 djÞ Hðb0 xi ðpf fþejÞaccording to (12) and (15), the attacker has d0Þbased on the values ofb,d,b0, andd0by (18). Then j 0 j 0 j to obtainf, the private key of the data owner. However, it is j the data owner sends the intermediate valuekivto the impossible for the attacker to getfasfis generated accord- cloud server, which updates the encrypted data in the ing to the NTRU cryptosystem, which is proved to be cloud via (19) as follows: secure.

0 j Theorem 6.The data owner can only decrypt its own ciphertexts k¼kj k j iv stored in the cloud server. j ¼Sj Hðb0 djÞ kiv Proof.Although a data owner can obtain any ciphertext ¼S Hðb dÞ Hðb dÞ Hðb0 d0Þ j 0 j 0 j 0 j from the cloud server, it cannot decrypt the ciphertext 0 0 ¼Sj Hðb0 djÞ: encrypted by other data owners. This claim can be proved as follows. Then, the cloud server sendsk0back to the data owner j Without loss of generality, assume the data owner Di who can verify the correctness of the policy update result downloads the ciphertext k0 generated by the data via (20). tu Dj D D ownerD , wherek0 ¼S0 Hðbj d jÞ. To obtain the j Dj Dj 0 j 6.2 Security Analysis 0 Dj Dj plaintextSD ,Dineeds to computeHðb0 dj Þ. How- The security of our scheme is based on the NTRU public key j Dj cryptosystem [26] and the Shamir’s secret sharing scheme ever, the values ofb0 is securely chosen byDj, which can be recovered only bytor more legal users ofS0 [45]. In this section, we analyze the security strength of our Dj D proposed scheme by examining how it can defend against based on secret-sharing, and the value ofd jis computed several major attacks. j Dj byDjfromej , which can be securely obtained fromDj only when a legal user ofS0 requests fromD and 6.2.1 Attack Resistance Dj j

Attack 1.A plotterE(not inB) may try to reveal the messageSj proves its legitimacy toDjvia the shared secret between fromkjwithout knowing any information abouttusers. the user andDj; thereforeDicannot figure out the cor- Analysis.If the plotterEintends to recover the message Dj Dj P rectb0 anddj as it cannot prove its legitimacy with S from k by computing k Hðð x P 0 j j j Ui2B i Ui2B; respect to the dataS . Thus a data owner can only Dj rs Us6¼Ui Þ djÞ, it has to (i) getdjfrom the data owner of rs ri decrypt its own ciphertexts stored in the cloud server. tu Sjand pass the verification by at leasttusers inB; and (ii) obtain the secret numbersfr1;r2;...;rtgfrom thetusers. To 6.3 Performance Analysis getdjfrom the data owner,Eneeds a shared secret with the 6.3.1 Computational Complexity data owner to prove that it is a legal user ofSj; to getrs In this section, we analyze the computational complexity of fromUs,Eneeds to pass the verification byUs, which again our proposed scheme and compare it with those of the three needsdjfor the computation of the exchange certificate. As schemes proposed in [15] and [16]. Note that our analysis will sharing a secret with the data owner is a proof of legitimacy, be focused on the processes of certificate verification and mes- it is impossible forE to getdj; thus the plotterEcannot sage reconstruction as other processes incur very low compu- recoverSj. tational overhead that can be ignored. The two schemes Attack 2.The users inBmay cheat to fail data recovery. Scheme-I and Scheme-II proposed in [15] and the scheme pre- Analysis.The cheating behaviors can be prevented during sented in [16] are briefly introduced in Section 2.2. data recovery according to Theorem 3. LetUibe the user Certificate Verification. The verification processes of who would like to getSj. (i) IfUicheats, it provides a wrong Scheme-I and Scheme-II in [15] and the scheme in [16] are exchange certificateWij, which can be identified by any based on the RSA cryptosystem. Since the computational HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 351

TABLE 2 The Comparisons Among [15]’s Scheme-I and Scheme-II,[16] Scheme and Our Scheme

Properties Scheme-I [15] Scheme-II [15] [16] Our scheme Prevent users from cheating by providing fake information Yes Yes Yes Yes Prevent the collusion oft 1or fewer users in message recovery Yes Yes Yes Yes Methods for establishing a secure channel RSA RSA RSA AES Resist quantum computing attacks No No No Yes Resist collusion attack Yes Yes Yes Yes Dynamically update the access policy No No No Yes Protect previously encrypted data No No No Yes Dynamically update the ciphertext for user join and leave activities No No No Yes Computational complexity of Veriﬁcation OðN3Þ OðN3Þ OðN3Þ OðNlogNÞ Computational complexity of Reconstruction OðNÞ OðNÞ OðNÞ OðNlog2NÞ NP-Hard problems for security guarantee DFL DFL DFL SVP complexity of the RSA encryption isOðN3Þ, the computa- 6.3.3 Summary 3 tional complexities of these three schemes are alsoOðN Þ. In Table 2, we present a comprehensive comparison study Our proposed scheme is based on the NTRU cryptosystem over Scheme-I and Scheme-II in [15], the scheme in [16], whose security is based on the SVP hardness in lattice. Its and our proposed scheme in terms of attack resistance, encryption process only requires add and shift operations security, policy update, and so on. From Table 2, one can without involving any multiplication. By employing the see that the signiﬁcant advantages of our scheme over the Fast Fourier transform (FFT), the encryption and decryption other three schemes include: quantum computing attack of NTRU can be performed withinOðN logNÞ. resistance, dynamic policy update, and lower computa- Message Reconstruction. In [15] and [16], recovering a tional complexity. plaintext message involves a linear computational complexity ofOðNÞ. In our scheme, the message is recovered by a 6.4 Discussions Lagrange interpolation polynomial with a computational In our scheme, a data owner maintains the access right to its complexity ofOðN log2NÞ, which is slightly larger than encrypted data. The advantages of such a policy are listed those of the schemes in [15] and [16]. as follows:

Remark. The schemes in [15] and [16] and our proposed The data owner splits the access right of the scheme all require a secure channel to transmit the mes- encrypted data intonpieces, with each legitimate sages. However, the secure channels of [15] and [16] are user holding one piece of the access right. This can established by the asymmetric cryptosystemRSA, while effectively reduce the risk of information leakage in our scheme employs the symmetric cryptosystemAES, big data storage. which has a much lower computational overhead. If a userUi wants to decrypt the data owner’s encrypted dataSj, its legitimacy must be verified by 6.3.2 Dynamic Update the data owner (by securely and successfully retriev- Our proposed scheme allows the dynamic update (refresh, ing the message certificatedjfrom the data owner) insert, delete) of the information regarding the users and and at leastt 1other legitimate users of the data the messages. (via the exchange certificate); the information provided by thet 1other users for the message recov- Insert a New Message.When a data owner needs to store ery also must be verified byUito prevent the user a new messageSnewinto the cloud server, it generates from providing fake information. This verification the certificateðenew;dnewÞforSnew by (12), encrypts process can ensure the legality ofUito accessSj. Snew to obtain the ciphertextknew via (13), computes The cloud sever only stores the outsourced cipher- H1ðSnewÞ, and then storesknewin the cloud server. text data—it cannot obtain the data owner’s original Delete an Old Message. When a data owner needs to plaintext data. In addition, the data owner updates delete a message Sdel, it sends an authenticated the access policy while the cloud server updates the request to the cloud server. Upon receiving the encrypted data. No data owner can access the plain- request, the cloud server deletes the ciphertext ofSdel. text data outsourced by other data owners in the A New User Joins.When a new user Unewjoins the sys- cloud server. tem, the data owner first verifies its legitimacy of Compared with RSA, at an equivalent cryptographic accessing its data; then it computes the sub-keyxnew strength, NTRU performs the costly encryption and decryp- for the legal userUnew according to (11), and pub- tion operations at a much faster speed, and its implementa- lishesxnewto all users inB. tions in both hardware and software are easier and require Remove a User.When a data owner wants to prevent a smaller size of memory; therefore NTRU can be employed a user inB from accessing its data, it updates its in applications involving devices with limited computation access policy according to the policy update proce- power and storage such as mobile devices and smart-cards. dure proposed in Section 5.4 and computes a new On the other hand, when our scheme is utilized in real sub-key for each of the other users inB. world applications, an adequate threshold tneeds to be 352 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018 2 3 selected by the data owner before deployment because an 0 0 1 0 0 1 1 1 0 0 6 7 unsuitable thresholdtwould decrease the security of the 6 0 0 0 0 1 0 0 1 0 07 6 7 data iftis too small or have a harmful effect on the flexibil- 6 0 0 1 0 1 0 0 0 0 07 6 7 ity of access control iftis too large. Nevertheless, the selec- 6 1 0 1 0 0 1 1 0 0 07 6 7 tion of a right value fortis not easy. One possible remedy 6 0 1 0 0 0 0 1 0 0 07 6 7 approach is to pick up an initial value oftbased on experi- g¼6 0 0 0 0 0 1 0 1 0 07 6 7 ence and adjust it via access policy update as time goes. 6 0 1 0 0 1 0 0 1 0 07 6 7 6 0 0 0 0 0 0 1 0 0 07 6 0 1 0 0 0 0 0 1 0 07 7 CONCLUSION ANDFUTUREWORKS 6 7 4 0 0 0 0 0 0 0 0 0 05 In this paper, we first propose an improved NTRU crypto- 1 0 0 0 0 1 0 system to overcome the decryption failures of the original 2 3 NTRU and then present a secure and verifiable access con- 2 2 1 1 1 0 2 0 2 0 trol scheme based on the improved NTRU to protect the 6 7 62 1 0 2 2 0 0 2 2 17 6 7 outsourced big data stored in a cloud. Our scheme allows 61 1 1 2 1 1 0 1 2 27 6 7 the data owner to dynamically update the data access policy 62 0 0 2 0 0 0 0 1 27 6 7 and the cloud server to successfully update the correspond- 61 1 2 2 0 1 2 1 1 07 6 7 ing outsourced ciphertext to enable efficient access control fp¼60 2 2 2 2 1 0 0 2 27 6 7 over the big data in the cloud. It also provides a verification 62 0 0 1 0 0 2 0 1 17 6 7 process for a user to validate its legitimacy of accessing the 60 1 2 1 0 1 1 0 0 07 6 7 data to both the data owner andt 1other legitimate users 62 1 2 1 1 0 2 2 1 07 and the correctness of the information provided by thet 1 41 0 1 2 0 0 2 0 0 15 other users for plaintext recovery. The security of our pro- 1 1 2 2 2 2 1 posed scheme is guaranteed by those of the NTRU crypto- 2 3 system and theðt; nÞ-threshold secret sharing. We have 59 5 41 10 34 28 31 13 5 36 6 7 rigorously analyzed the correctness, security strength, and 60 21 36 28 18 41 46 13 38 57 6 7 computational complexity of our proposed scheme. 631 7 1 49 26 37 27 12 14 587 6 7 Designing a secure, privacy preserving, and practical 660 9 23 7 17 41 6 29 38 127 6 7 scheme for big data storage in a cloud is an extremely chal- 654 39 52 9 36 19 47 29 44 267 6 7 lenging problem. In our future research, we will further fq¼640 30 52 60 25 52 10 61 7 77: 6 7 improve our scheme by combining theðt; nÞ-threshold 648 21 14 46 55 51 7 16 49 297 6 7 secret sharing with attribute-based access control, which 627 3 60 10 12 8 24 61 7 397 6 7 involves an access structure that can place various require- 62 54 47 34 4 47 52 17 41 607 4 5 ments for a user to decrypt an outsourced ciphertext data in 25 44 20 62 55 33 52 58 10 63 the cloud. Meanwhile, we will investigate the security prob- 63 7 58 42 52 44 49 lems when a data owner outsources its data to multi-cloud Public Key: servers and consider an attribute-based access structure 2 3 that can be dynamically updated, which is more applicable 28 63 13 41 31 6 30 54 45 37 6 7 for practical scenarios in big data storage. 663 41 33 58 32 62 13 62 18 597 6 7 644 25 12 40 49 7 41 8 2 317 6 7 APPENDIX 610 7 10 10 34 47 4 7 27 477 6 7 632 46 58 54 36 48 38 51 7 457 In this appendix, we give an instance of the NTRU decryp- 6 7 h¼626 22 35 45 53 9 19 63 50 387: tion failure of the original NTRU cryptosystem. Meanwhile, 6 7 65 52 14 25 60 61 50 37 20 27 we demonstrate how our improved NTRU can correct 6 7 636 11 20 36 18 11 54 23 36 67 the failure. The NTRU system parameters are 6 7 645 26 11 20 41 45 59 31 21 137 N ¼107;p¼3;q¼64. 49 8 48 25 9 57 45 0 29 605 Secret key: 12 50 14 22 1 55 33 2 3 Plaintextm: 1 0 1 1 0 0 0 0 0 1 6 7 2 3 6 0 0 0 1 0 0 0 0 0 17 1 2 1 2 0 2 0 0 2 0 6 0 0 0 0 0 1 0 0 0 17 6 7 6 7 61 2 0 2 2 2 0 2 1 07 6 7 6 7 6 0 0 0 0 0 0 0 1 1 07 60 2 2 1 2 2 2 2 0 27 6 7 6 7 6 0 0 1 1 0 0 0 1 0 17 62 2 1 2 2 2 2 0 0 27 6 7 6 7 f¼6 0 0 0 1 0 1 0 0 1 17 60 0 2 0 0 2 0 0 2 27 6 7 6 7 6 1 1 0 0 0 1 0 0 0 07 m ¼62 1 0 2 0 0 2 1 0 27: 6 7 6 7 6 0 0 0 0 0 0 0 0 0 07 62 2 0 0 0 2 0 2 2 07 6 7 6 7 6 0 0 1 0 0 1 0 1 0 17 62 2 1 0 2 1 2 0 0 07 4 5 6 7 0 0 1 1 0 0 0 0 0 1 62 0 0 2 2 2 2 1 2 27 0 0 0 1 0 0 0 42 2 2 2 2 0 0 2 2 25 1 2 2 0 2 0 2 HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 353

Polynomialf: One can see that one element of ais 33, which is larger q 2 3 than2¼32and causes the decryption failure. Now we uti- 0 1 0 0 0 0 0 0 0 0 lize the improved NTRU cryptosystem to decrypte. One 6 7 60 0 1 0 0 0 0 0 0 07 can obtaina0as follows: 6 7 60 0 0 1 0 0 0 0 0 07 6 7 2 3 61 0 0 0 0 1 0 0 0 07 1 11 1 4 5 2 5 4 6 10 6 7 6 7 60 1 0 0 0 0 0 0 0 07 612 0 4 10 1 3 7 1 3 17 6 7 6 7 f¼60 0 0 0 1 0 0 0 0 07: 6 1 6 5 9 9 1 6 1 3 87 6 7 60 0 0 0 0 0 0 0 0 07 6 3 15 2 2 1 14 1 4 15 27 6 7 6 7 60 0 0 1 0 0 0 0 0 07 6 7 6 3 8 6 8 6 1 12 57 6 7 0 6 7 60 0 0 1 0 0 0 0 0 07 a¼6 2 5 4 8 0 8 0 10 8 97: 6 7 6 7 40 0 0 0 0 0 1 0 0 05 6 0 5 5 6 2 7 6 10 2 27 6 7 611 3 12 7 8 8 8 31 8 77 0 0 0 0 0 0 0 6 7 615 6 5 2 3 1 4 3 10 67 4 1 11 10 1 6 6 5 6 4 15 Ciphertexte: 2 6 4 5 10 10 4 2 3 The adjusted vectorcis shown below 29 45 0 46 9 58 40 23 3 13 2 3 6 7 626 11 62 31 23 4 9 18 12 227 0 0 0 0 0 0 0 0 0 0 6 7 6 7 641 46 24 0 21 63 43 39 32 17 60 0 0 0 0 0 0 0 0 07 6 7 6 7 627 29 29 47 39 10 32 60 19 487 60 0 0 0 0 0 0 0 0 07 6 7 6 7 632 22 42 28 19 15 10 18 54 507 60 0 0 0 0 0 0 0 0 07 6 7 6 7 e¼629 42 35 57 57 29 44 26 28 577: 60 0 0 0 0 0 0 0 0 07 6 7 6 7 638 58 33 3 47 28 21 29 41 17 c¼60 0 0 0 0 0 0 0 0 07: 6 7 6 7 623 4 62 53 17 57 45 47 59 397 60 0 0 0 0 0 0 0 0 07 6 7 6 7 642 22 18 23 61 60 11 54 31 567 60 0 0 0 0 0 0 2 0 07 4 5 6 7 36 32 58 5 59 25 12 47 26 8 60 0 0 0 0 0 0 0 0 07 22 46 56 49 20 60 51 40 0 0 0 0 0 0 0 0 05 0 0 0 0 0 0 0

The decryption result of the original NTRU cryptosystemm0: And the decrypted result is 2 3 2 3 2 0 1 2 1 2 0 0 2 2 1 2 1 2 0 2 0 0 2 0 6 7 62 1 2 0 0 2 2 0 0 27 61 2 0 2 2 2 0 2 1 07 6 7 6 7 60 2 0 2 0 0 1 2 0 07 60 2 2 1 2 2 2 2 0 27 6 7 6 7 60 0 1 2 1 2 2 1 0 17 62 2 1 2 2 2 2 0 0 27 6 7 6 7 62 0 1 1 2 2 2 2 2 27 60 0 2 0 0 2 0 0 2 27 6 7 00 0 6 7 0 6 7 m ¼a fpþc fp¼62 1 0 2 0 0 2 1 0 27: m ¼62 2 2 0 2 2 2 2 1 17: 6 7 6 7 62 2 0 0 0 2 0 2 2 07 62 1 0 2 1 2 0 0 2 07 6 7 6 7 62 2 1 0 2 1 2 0 0 07 61 1 0 1 0 2 0 2 1 17 6 7 6 7 62 0 0 2 2 2 2 1 2 27 61 2 2 2 0 2 0 1 0 17 4 5 42 0 0 2 2 1 1 1 1 15 2 2 2 2 2 0 0 2 2 2 0 0 1 2 2 2 0 1 2 2 0 2 0 2 The decrypted result shows that m00¼m, which implies that our improved NTRU cryptosystem can suc- 0 Obviously, m 6¼m, which indicates that a decryption cessfully correct the decryption failure while the original failure occurs in the original NTRU decryption. Next we NTRU can not. analyze the cause of the decryption failure. The process of decryption based on the original NTRU is as follows: ACKNOWLEDGMENTS 2 3 1 11 1 4 5 2 5 4 6 10 This research was partially supported by the US National 6 7 612 0 4 10 1 3 7 1 3 17 Science Foundation under grants CNS-1318872, CCF- 6 7 6 1 6 5 9 9 1 6 1 3 87 1442642 and IIS-1343976, and the National Natural Science 6 7 6 3 15 2 2 1 14 1 4 15 27 Foundation of China under grants 61672119, 61373027, 6 7 6 7 6 3 8 6 8 6 1 12 57 61472044, 61272475, 61571049, 61472403, and 61672321, and e f6 7 a¼ 6 2 5 4 8 0 8 0 10 8 97: the Fundamental Research Funds for the Central Universi- 6 7 6 0 5 5 6 2 7 6 10 2 27 6 7 ties (No. 2014KJJCB32). Chunqiang Hu and Jiguo Yu are the 611 3 12 7 8 8 8 33 8 77 6 7 corresponding author. 615 6 5 2 3 1 4 3 10 67 4 1 11 10 1 6 6 5 6 4 15 2 6 4 5 10 10 4 REFERENCES [1] M. A. Beyer and D. Laney,The Importance of ‘Big Data’: A Deﬁni- tion. Stamford, CT, USA: Gartner, 2012. 354 IEEE TRANSACTIONS ON BIG DATA, VOL. 4, NO. 3, JULY-SEPTEMBER 2018

[2] V. Marx, “Biology: The big challenges of big data,”Nature, [29] S. Garg, C. Gentry, and S. Halevi, “Candidate multilinear maps vol. 498, no. 7453, pp. 255–260, 2013. from ideal lattices,” inAdvances in Cryptology. Berlin, Germany: [3] G. P. Consortium, et al., “A map of human genome variation from Springer, 2013, pp. 1–17. population-scale sequencing,”Nature, vol. 467, no. 7319, pp. 1061– [30] European Telecommunications Standards Institute, “Quantum 1073, 2010. safe cryptography and security—An introduction, benefits, ena- [4] A. Sahai and B. Waters, “Fuzzy identity-based encryption,” in blers and challenges,” Eur. Telecommun. Standards Inst.,White Advances in Cryptology. Berlin, Germany: Springer, 2005, pp. 457–473. Paper, Jun. 2015. [Online]. Available: https://www.etsi.org/ [5] C. Hu, F. Zhang, X. Cheng, X. Liao, and D. Chen, “Securing com- images/files/ETSIWhitePapers/QuantumSafeWhitepaper.pdf munications between external users and wireless body area [31] IBM, “IBM storage solutions for banking,” (2015). [Online]. Avail- networks,” inProc. 2nd ACM Workshop Hot Topics Wireless Netw. able: http://www-03.ibm.com/systems/storage/solutions/ Secur. Privacy, 2013, pp. 31–36. industries/banking.html [6] C. Hu, H. Li, Y. Huo, T. Xiang, and X. Liao, “Secure and efficient [32] A. Mora, et al., “Expanded top ten big data security and privacy data communication protocol for wireless body area networks,” challenges,” Cloud Secur. Alliance, Seattle, WA, USA, Tech. Rep. IEEE Trans. Multi-Scale Comput. Syst., vol. 2, no. 2, pp. 94–107, 20130616, 2013. Apr.–Jun. 2016. [33] L. Wei, et al., “Security and privacy for storage and computation [7] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-based in cloud computing,”Inf. Sci., vol. 258, pp. 371–386, 2014. encryption for fine-grained access control of encrypted data,” in [34] H. Cheng, C. Rong, K. Hwang, W. Wang, and Y. Li, “Secure big Proc. 13th ACM Conf. Comput. Commun. Secur., 2006, pp. 89–98. data storage and sharing scheme for cloud tenants,”China Com- [8] B. Waters, “Ciphertext-policy attribute-based encryption: An mun., vol. 12, no. 6, pp. 106–115, 2015. expressive, efficient, and provably secure realization,” inProc. 14th [35] J. Baek, Q. H. Vu, J. K. Liu, X. Huang, and Y. Xiang, “A secure Int. Conf. Practice Theory Public Key Cryptography, 2011, pp. 53–70. cloud computing based framework for big data information man- [9] C. Hu, N. Zhang, H. Li, X. Cheng, and X. Liao, “Body area net- agement of smart grid,”IEEE Trans. Cloud Comput., vol. 3, no. 2, work security: A fuzzy attribute-based signcryption scheme,” pp. 233–244, Apr.–Jun. 2015. IEEE J. Sel. Areas Commun., vol. 31, no. 9, pp. 37–46, Sep. 2013. [36] C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. disser- [10] A. Lewko and B. Waters, “Decentralizing attribute-based tation, Dept. Comput. Sci., Stanford Univ., Stanford, CA, USA, 2009. encryption,” inAdvances in Cryptology.Berlin, Germany: Springer, [37] S. Kamara and K. Lauter, “Cryptographic cloud storage,” inProc. 2011, pp. 568–588. 14th Int. Conf. Financial Cryptography Data Secur., 2010, pp. 136–149. [11] C. Hu, X. Cheng, Z. Tian, J. Yu, K. Akkaya, and L. Sun, “An attri- [38] A. Hamlin, N. Schear, E. Shen, M. Varia, S. Yakoubov, and A. Yer- bute-based signcryption scheme to secure attribute-defined multi- ukhimovich, “Cryptography for big data security,” inBig Data: cast communications,” inProc. 11th EAI Int. Conf. SecureComm, Storage, Sharing, and Security, F. Hu, Ed. Boca Raton, FL, USA: 2015, pp. 418–435. CRC Press, 2016, ch. 10, pp. 241–288. [12] A. Shamir, “Identity-based cryptosystems and signature [39] G. Zhuo, Q. Jia, L. Guo, M. Li, and P. Li, “Privacy-preserving veri- schemes,” inAdvances in Cryptology. Berlin, Germany: Springer, fiable set operation in big data for cloud-assisted mobile 1985, pp. 47–53. crowdsourcing,”IEEE Internet Things J., vol. PP, no. 99, p. 1, 2016, [13] M. Dehkordi and S. Mashhadi, “An efficient threshold verifiable Doi: 10.1109/JIOT.2016.2585592. multi-secret sharing,” Comput. Standards Interfaces, vol. 30, no. 3, [40] L. Guo, Y. Fang, M. Li, and P. Li, “Verifiable privacy-preserving pp. 187–190, 2008. monitoring for cloud-assisted mHealth systems,” in Proc. IEEE [14] Z. Eslami and J. Z. Ahmadabadi, “A verifiable multi-secret shar- Conf. Comput. Commun., 2015, pp. 1026–1034. ing scheme based on cellular automata,”Inf. Sci., vol. 180, no. 15, [41] S. Salinas, X. Chen, J. Ji, and P. Li, “A tutorial on secure outsourc- pp. 2889–2894, 2010. ing of large-scale computations for big data,”IEEE Access, vol. 4, [15] M. H. Dehkordi and S. Mashhadi, “New efficient and practical pp. 1406–1416, Apr. 2016. verifiable multi-secret sharing schemes,”Inf. Sci., vol. 178, no. 9, [42] V. C. Hu, D. Ferraiolo, and D. R. Kuhn, “Assessment of access pp. 2262–2274, 2008. control systems,” US Dept. Commerce, Nat. Inst. Standards Tech- [16] J. Zhao, J. Zhang, and R. Zhao, “A practical verifiable multi-secret nol., Gaithersburg, MD, USA, Tech. Rep. 7316, 2006. sharing scheme,”Comput. Standards Interfaces, vol. 29, no. 1, [43] K. Yang and X. Jia, “Attributed-based access control for multi- pp. 138–141, 2007. authority systems in cloud storage,” inProc. IEEE 32nd Int. Conf. [17] C. Hu, X. Liao, and X. Cheng, “Verifiable multi-secret sharing Distrib. Comput. Syst., 2012, pp. 536–545. based on LFSR sequences,” Theoretical Comput. Sci., vol. 445, [44] T. Jung, X.-Y. Li, Z. Wan, and M. Wan, “Privacy preserving cloud pp. 52–62, 2012. data access with multi-authorities,” in Proc. IEEE INFOCOM, [18] C. Hu, X. Liao, and D. Xiao, “Secret image sharing based on cha- 2013, pp. 2625–2633. otic map and Chinese remainder theorem,”Int. J. Wavelets Multire- [45] A. Shamir, “How to share a secret,”Commun. ACM, vol. 22, no. 11, solution Inf. Process., vol. 10, no. 3, 2012, Art. no. 1250023. pp. 612–613, 1979. [19] K. Yang, X. Jia, K. Ren, B. Zhang, and R. Xie, “DAC-MACS: Effective [46] A. Sahai, H. Seyalioglu, and B. Waters, “Dynamic credentials and data access control for multiauthority cloud storage systems,”IEEE ciphertext delegation for attribute-based encryption,” inAdvances Trans. Inf. Forensics Secur., vol. 8, no. 11, pp. 1790–1801, Nov. 2013. in Cryptology. Berlin, Germany: Springer, 2012, pp. 199–217. [20] K. Yang and X. Jia, “Expressive, efficient, and revocable data [47] G. Blakley, “Safeguarding cryptographic keys,” inProc. Nat. Com- access control for multi-authority cloud storage,”IEEE Trans. Par- put. Conf., 1979, vol. 48, pp. 313–317. allel Distrib. Syst., vol. 25, no. 7, pp. 1735–1744, Jul. 2014. [48] J. H. Silverman and W. Whyte, “Estimating decryption failure [21] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policy attri- probabilities for NTRUEncrypt,”NTRU Cryptostystems, Tech. Rep. bute-based encryption,” inProc. IEEE Symp. Secur. Privacy, 2007, #018, Version 1, May 2003. [Online]. Available: http://grouper. pp. 321–334. ieee.org/groups/1363/lattPK/submissions/NTRUTech018.pdf [22] A. Corcoles, et al., “Demonstration of a quantum error detection code using a square lattice of four superconducting qubits,” Chunqiang Hureceived the BS degree in com- Nature Commun., vol. 6, pp. 1–10, 2015. puter science and technology from Southwest [23] O. Regev, “New lattice-based cryptographic constructions,”J. University, Chongqing, China, in 2006. He ACM, vol. 51, no. 6, pp. 899–942, 2004. received the MS and first PhD degree in com- [24] D. Micciancio, “Lattice-based cryptography,” inPost-Quantum puter science and technology from Chongqing Cryptography. Berlin, Germany: Springer, 2009, pp. 147–191. University, Chongqing, China, in 2009 and 2013, [25] C. Peikert, “Lattice cryptography for the internet,” inPost-Quantum respectively. He received the second PhD degree Cryptography. Berlin, Germany: Springer, 2014, pp. 197–219. in computer science from George Washington [26] J. Hoffstein, J. Pipher, and J. Silverman, “NTRU: A ring-based University, Washington, DC, in 2016. He was a public key cryptosystem,” inProc. 3rd Int. Symp. Algorithmic Num- visiting scholar with George Washington Univer- ber Theory, 1998, pp. 267–288. sity from Jan., 2011 to Dec., 2011. He won the [27]The NTRU Public Key Cryptosystem—A tutorial, NTRU Cryptosys- Best Paper Award in ACM PAMCO 2016. His current research interests tems, Wilmington, MA, USA, 1998. include applied cryptography, big data security and privacy, privacy- [28] A. Langlois, D. Stehle, and R. Steinfeld, “GGHLite: More efficient aware computing, wireless and mobile security, and algorithm design multilinear maps from ideal lattices,” in Advances in Cryptology. and analysis. He is a member of the IEEE and the ACM. Berlin, Germany: Springer, 2014, pp. 239–256. HU ET AL.: A SECURE AND VERIFIABLE ACCESS CONTROL SCHEME FOR BIG DATA STORAGE IN CLOUDS 355

Wei Li received the MS degree in computer sci- Shengling Wangreceived the PhD degree from ence from Beijing University of Posts and Tele- Xi’an Jiaotong University, in 2008. She is cur- communications, in 2011, and the PhD degree in rently an associate professor in the College of computer science from George Washington Uni- Information Science and Technology, Beijing versity, Washington, DC, in 2016. She is an assis- Normal University. She did the postdoctoral tant professor in the Department of Computer research in the Department of Computer Science Science, Georgia State University. She won the and Technology, Tsinghua University. Then, she Best Paper Awards in ACM MobiCom Workshop worked as an assistant and associate professor, CRAB 2013 and WASA 2011. Her current respectively, from 2010 and from 2013 in the research spans the areas of secure and privacy- Institute of Computing Technology, Chinese aware computing, secure and truthful auctions in Academy of Sciences. Her research interests dynamic spectrum access, resource management in cognitive radio net- include privacy-aware computing, mobile/wireless networking, game works and WiFi-based wireless access networks, game theory, and algo- theory, and crowdsourcing. She is a member of the IEEE. rithm design and analysis. She is a member of the IEEE and the ACM. Rongfang Bie received the PhD degree from Xiuzhen Cheng received the MS and PhD Beijing Normal University, China, in 1996. Cur- degrees in computer science from the University rently she is a professor with Beijing Normal Uni- of Minnesota—Twin Cities, in 2000 and versity. She visited the Computer Laboratory, 2002, respectively. She is a professor in the University of Cambridge, United Kingdom, in Department of Computer Science, George Wash- 2003. Her current research interests include ington University, Washington, DC. Her current knowledge representation and acquisition for the research interests include privacy-aware comput- Internet of Things, computational intelligence, ing, wireless and mobile security, cyber physical and model theory. She is a member of the IEEE. systems, mobile computing, and algorithm design and analysis. She has served on the editorial boards of several technical journals and the technical program committees of various professional conferences/work- " For more information on this or any other computing topic, shops. She also has chaired several international conferences. She is a please visit our Digital Library atwww.computer.org/publications/dlib. fellow of the IEEE and a member of the ACM.

Jiguo Yu received the PhD degree from the School of mathematics, Shandong University, in 2004. He became a full professor in the School of Computer Science, Qufu Normal University, Shandong, China, in 2007. Currently he is a full professor in the School of Information Science and Engineering, Qufu Normal University. His main research interests include privacy-aware computing, wireless networking, distributed algorithms, peer-to-peer computing, and graph theory. Particularly, he is interested in designing and analyzing algorithms for many computationally hard problems in networks. He is a member of the IEEE and the ACM and a senior member of the China Computer Federation (CCF).