Data Sharing on Untrusted Storage with Attribute-Based Encryption by Shucheng Yu A Dissertation Submitted to the Faculty of the WORCESTER POLYTECHNIC INSTITUTE In partial fulfillment of the requirements for the Degree of Doctor of Philosophy in Electrical and Computer Engineering July 2010 Approved: Professor Wenjing Lou Professor Kaveh Pahlavan ECE Department ECE Department Dissertation Advisor Dissertation Committee Professor Berk Sunar Professor Jie Wang ECE Department CS Department, UMASS Lowell Dissertation Committee Dissertation Committee Abstract Storing data on untrusted storage makes secure data sharing a challenge issue. On one hand, data access policies should be enforced on these storage servers; on the other hand, confidentiality of sensitive data should be well protected against them. Cryptographic methods are usually applied to address this issue – only encrypted data are stored on storage servers while retaining secret key(s) to the data owner her- self; user access is granted by issuing the corresponding data decryption keys. The main challenges for cryptographic methods include simultaneously achieving system scalability and fine-grained data access control, efficient key/user management, user accountability and etc. To address these challenge issues, this dissertation studies and enhances a novel public-key cryptography – attribute-based encryption (ABE), and applies it for fine-grained data access control on untrusted storage. The first part of this dissertation discusses the necessity of applying ABE to secure data sharing on untrusted storage and addresses several security issues for ABE. More specifically, we propose three enhancement schemes for ABE: In the first enhancement scheme, we focus on how to revoke users in ABE with the help of untrusted servers. In this work, we enable the data owner to delegate most computation-intensive tasks pertained to user revocation to untrusted servers with- out disclosing data content to them. In the second enhancement scheme, we address key abuse attacks in ABE, in which authorized but malicious users abuse their access privileges by sharing their decryption keys with unauthorized users. Our proposed scheme makes it possible for the data owner to efficiently disclose the original key owner’s identity merely by checking the input and output of a suspicious user’s de- cryption device. Our third enhancement schemes study the issue of privacy preserva- tion in ABE. Specifically, our proposed schemes hide the data owner’s access policy not only to the untrusted servers but also to all the users. The second part presents our ABE-based secure data sharing solutions for two specific applications – Cloud Computing and Wireless Sensor Networks (WSNs). In Cloud Computing cloud servers are usually operated by third-party providers, which are almost certain to be outside the trust domain of cloud users. To secure data storage and sharing for cloud users, our proposed scheme lets the data owner (also a cloud user) generate her own ABE keys for data encryption and take the full control on key distribution/revocation. The main challenge in this work is how to make the computation load affordable to the data owner and data consumers (both are cloud users). We address this challenge by uniquely combining various computation delegation techniques with ABE and allow both the data owner and data consumers to securely mitigate most computation-intensive tasks to cloud servers, which are envisaged to have unlimited resources. In WSNs, wireless sensor nodes are often unattendedly deployed in the field and vulnerable to strong attacks such as memory breach. For securing storage and shar- ing of data on distributed storage sensor nodes while retaining data confidentiality, sensor nodes encrypt their collected data using ABE public keys and store encrypted data on storage nodes. Authorized users are given corresponding decryption keys to read data. The main challenge in this case is that sensor nodes are extremely resource-constrained and can just afford limited computation/communication load. Taking this into account we divide the lifetime of sensor nodes into phases and dis- tribute the computation tasks into each phase. We also revised the original ABE scheme to make the overhead pertained to user revocation minimal for sensor nodes. 2 Feasibility of the scheme is demonstrated by experiments on real sensor platforms. 3 To my beloved wife, Jiaai, and my parents i Acknowledgements A lot of people helped me complete this dissertation, either directly or more sub- liminal. First of all, I would like to express my sincere thanks to my advisor Dr. Wenjing Lou, who guided me into my current research area, discussed with me about my ideas, proofread my papers, and gave me valuable advises on both my research and my life. She set an example not only as a hardworking and passionate researcher, but also as a responsible and decent person. The second person I would like to thank is Dr. Kui Ren, who was working very closely with me throughout my Ph.D study. He was always there to discuss with me on the technique details and help me think through the difficult problems. I am very grateful to my dissertation committee members, Dr. Kaveh Pahlavan, Dr. Berk Sunar and Dr. Jie Wang for their valuable time and suggestions, which significantly improved this dissertation. I wish to thank Dr. Fred J. Looft, our department head, who has been very supportive on my research and graduation issues. I also want to thank current and former fellow graduate students in the Wireless Networking and Security Laboratory, Kai Zeng, Zhengyu Yang, Ming Li, Ning Cao and Hanfei Zhao for their friendship and supports. It was with them that made my Ph.D. a rich and enjoyable experience. I am also grateful to my collaborators, Cong Wang and Jin Li for their valuable help. I am greatly indebted to my parents Guohong Yu and Jiamin Zuo. They are always very understanding and supportive on my choices. They love me more than themselves and have sacrificed so much to support me. I am very indebted to my grandfather, who passed away during my Ph.D study. Most importantly, I am specially indebted to my wife, Jiaai Zhang, for her support and sacrifice. To stay with me abroad, Jiaai gave up her chances in China, left her family and friends, and accustomed herself to American life although it ii was so hard for her. I could not have reached this far without her support and encouragement. Finally, I would like to acknowledge National Science Foundation for funding my research. iii Contents 1 Introduction 1 1.1 Motivation . 2 1.2 Contributions . 6 1.2.1 Security enhancements to ABE . 6 1.2.2 Secure Data Sharing Schemes for Cloud Computing and WSNs 8 1.3 Roadmap . 10 2 Technical Preliminaries 12 2.1 Attribute-Based Encryption . 12 2.1.1 Definition . 12 2.1.2 Overview . 15 2.2 Miscellaneous Techniques . 16 2.3 Complexity Assumptions . 16 3 User Revocation for Attribute-Based Encryption 18 3.1 Problem Description and Main Idea . 19 3.2 Definitions and Models . 21 3.2.1 Algorithm Definition . 21 3.2.2 Security Definition . 23 3.3 Our Construction . 25 iv 3.3.1 Overview . 25 3.3.2 The Detailed Construction . 25 3.3.3 CPA Security Proof . 28 3.4 CCA Security Construction . 31 3.4.1 CCA Secure Construction . 32 3.4.2 CCA Security Proof . 33 3.5 Applicability to KP-ABE . 35 3.6 Summary . 39 4 Attribute-Based Encryption with User Accountability 40 4.1 Main Idea . 41 4.2 Definitions and Models . 42 4.2.1 Definition of AFKP-ABE . 42 4.2.2 Definition of Attributes . 43 4.2.3 Security Definition . 45 4.3 Our Construction . 48 4.3.1 AFKP-ABE Scheme . 48 4.3.2 Security Proof . 53 4.3.3 Efficiency Analysis . 60 4.4 Applications . 61 4.5 Summary . 62 5 Privacy-Preserving Attribute-Based Encryption 63 5.1 Our Construction under Generic Group Model . 64 5.1.1 Definitions . 64 5.1.2 Scheme Description . 65 5.1.3 Security Analysis . 70 v 5.1.4 Performance Evaluation . 73 5.2 Our Construction under the XDH assumption . 79 5.2.1 Scheme Description . 79 5.2.2 Scheme Analysis . 81 5.3 Summary . 82 6 Secure Data Sharing with ABE in Cloud Computing 83 6.1 Models and Assumptions . 84 6.1.1 System Models . 84 6.1.2 Security Models . 85 6.1.3 Design Goals . 86 6.2 Our Proposed Scheme . 86 6.2.1 Main Idea . 86 6.2.2 Definition and Notation . 88 6.2.3 Scheme Description . 88 6.2.4 Discussion . 97 6.3 Analysis of Our Proposed Scheme . 98 6.3.1 Security Analysis . 98 6.3.2 Performance Analysis . 101 6.3.3 Related Work . 104 6.3.4 Discussion . 105 6.4 Summary . 106 7 Secure Data Sharing with ABE in Wireless Sensor Networks 107 7.1 Models and Assumptions . 108 7.1.1 Network Model . 108 7.1.2 Adversary Model . 109 vi 7.1.3 Security Requirements . 109 7.2 Our Proposed Scheme . 110 7.2.1 Access Control Strategy . 111 7.2.2 Scheme Overview . 113 7.2.3 The Basic Scheme . 114 7.2.4 The Advanced Scheme . 119 7.2.5 Discussions . 124 7.3 Scheme Evaluation . 126 7.3.1 Security Analysis . 126 7.3.2 Performance Evaluation . 129 7.4 Summary . 133 8 Conclusion and Future Work 135 8.1 Conclusion . 135 8.2 Future Work . 137 vii List of Figures 3.1 An example application scenario of data sharing. 19 3.2 An example use of KP-ABE. 36 4.1 The form of access structure . 45 5.1 Experiment results on computation load. 77 6.1 An example case in the healthcare scenario .