126689454 jv6

A
Homework Help
https://www.homeworkping.com/
Research Paper help
Online Tutoring
click here for freelancing tutoring sites
IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 23, NO. 6, JUNE 2012 995
A Secure Erasure Code-Based Cloud Storage
System with Secure Data Forwarding
Hsiao-Ying Lin, Member, IEEE, and Wen-Guey Tzeng, Member, IEEE
Abstract—A cloud storage system, consisting of a collection of storage servers, provides long-term storage services over the Internet.
Storing data in a third party’s cloud system causes serious concern over data confidentiality. General encryption schemes protect
data confidentiality, but also limit the functionality of the storage system because a few operations are supported over encrypted
data. Constructing a secure storage system that supports multiple functions is challenging when the storage system is distributed and
has no central authority. We propose a threshold proxy re-encryption scheme and integrate it with a decentralized erasure code such
that a secure distributed storage system is formulated. The distributed storage system not only supports secure and robust data
storage and retrieval, but also lets a user forward his data in the storage servers to another user without retrieving the data back. The
main technical contribution is that the proxy re-encryption scheme supports encoding operations over encrypted messages as well
as forwarding operations over encoded and encrypted messages. Our method fully integrates encrypting, encoding, and forwarding.
We analyze and suggest suitable parameters for the number of copies of a message dispatched to storage servers and the number
of storage servers queried by a key server. These parameters allow more flexible adjustment between the number of storage
servers and robustness.
Index Terms—Decentralized erasure code, proxy re-encryption, threshold cryptography, secure storage system.
Ç
1 INTRODUCTION
S high-speed networks and ubiquitous Internet access
become available in recent years, many services are
provided on the Internet such that users can use them from
anywhere at any time. For example, the email service is
probably the most popular one. Cloud computing is a
concept that treats the resources on the Internet as a unified
entity, a cloud. Users just use services without being
concerned about how computation is done and storage is
managed. In this paper, we focus on designing a cloud
storage system for robustness, confidentiality, and func-
tionality. A cloud storage system is considered as a large-
scale distributed storage system that consists of many
independent storage servers.
Data robustness is a major requirement for storage
systems. There have been many proposals of storing data
over storage servers [1], [2], [3], [4], [5]. One way to provide
data robustness is to replicate a message such that each
storage server stores a copy of the message. It is very robust
because the message can be retrieved as long as one storage
server survives. Another way is to encode a message of k
symbols into a codeword of n symbols by erasure coding. To

store a message, each of its codeword symbols is stored in a
different storage server. A storage server failure corresponds
. H.-Y. Lin is with the Intelligent Information and
Communications Research Center, Department of Computer Science,
National Chiao Tung University, No. 1001, University Road, Hsinchu
City 30010, Taiwan.
E-mail: hsiaoying.lin@gmail.com.
. W.-G. Tzeng is with the Department of Computer Science, National
Chiao
Tung University, No. 1001, University Road, Hsinchu City
30010, Taiwan. E-mail: wgtzeng@cs.nctu.edu.tw.
Manuscript received 21 Mar. 2011; revised 12 Sept. 2011; accepted 18
Sept.
2011; published online 30 Sept. 2011.
Recommended for acceptance by J. Weissman.
For information on obtaining reprints of this article, please send e-mail
to: tpds@computer.org, and reference IEEECS Log Number tpds-2011-03-
0162. Digital Object Identifier no. 10.1109/TPDS.2011.252.
to an erasure error of the codeword symbol. As long as the
number of failure servers is under the tolerance threshold of
the erasure code, the message can be recovered from the
codeword symbols stored in the available storage servers by
the decoding process. This provides a tradeoff between the
storage size and the tolerance threshold of failure servers. A
decentralized erasure code is an erasure code that indepen-
dently computes each codeword symbol for a message. Thus,
the encoding process for a message can be split into n
parallel tasks of generating codeword symbols. A
decentralized erasure code is suitable for use in a
distributed storage system. After the message symbols
are sent to storage servers, each storage server
independently computes a codeword symbol for the
received message symbols and stores it. This finishes the
encoding and storing process. The recovery process is the
same.
Storing data in a third party’s cloud system causes serious
concern on data confidentiality. In order to provide strong
confidentiality for messages in storage servers, a user can
encrypt messages by a cryptographic method before apply-
ing an erasure code method to encode and store messages.
When he wants to use a message, he needs to retrieve the
codeword symbols from storage servers, decode them, and
then decrypt them by using cryptographic keys. There are
three problems in the above straightforward integration of
encryption and encoding. First, the user has to do most
computation and the communication traffic between the user
and storage servers is high. Second, the user has to manage
his cryptographic keys. If the user’s device of storing the keys
is lost or compromised, the security is broken. Finally,
besides data storing and retrieving, it is hard for storage
servers to directly support other functions. For example,
storage servers cannot directly forward a user’s messages to
another one. The owner of messages has to retrieve, decode,
decrypt and then forward them to another user.
In this paper, we address the problem of forwarding data
to another user by storage servers directly under the
1045-9219/12/$31.00 2012 IEEE Published by the IEEE Computer Society

996 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 23, NO. 6, JUNE 2012
command of the data owner. We consider the system model
that consists of distributed storage servers and key servers.
Since storing cryptographic keys in a single device is risky,
a user distributes his cryptographic key to key servers that
shall perform cryptographic functions on behalf of the user.
These key servers are highly protected by security mechan-
isms. To well fit the distributed structure of systems, we
require that servers independently perform all operations.
With this consideration, we propose a new threshold proxy
re-encryption scheme and integrate it with a secure
decentralized code to form a secure distributed storage
system. The encryption scheme supports encoding opera-
tions over encrypted messages and forwarding operations
over encrypted and encoded messages. The tight integra-
tion of encoding, encryption, and forwarding makes the
storage system efficiently meet the requirements of data
robustness, data confidentiality, and data forwarding.
Accomplishing the integration with consideration of a
distributed structure is challenging. Our system meets the
requirements that storage servers independently perform
encoding and re-encryption and key servers independently
perform partial decryption. Moreover, we consider the
system in a more general setting than previous works. This
setting allows more flexible adjustment between the
number of storage servers and robustness.
Our contributions. Assume that there are n distributed
storage servers and m key servers in the cloud storage
system. A message is divided into k blocks and represented
as a vector of k symbols. Our contributions are as follows:
1. We construct a secure cloud storage system that
supports the function of secure data forwarding by
using a threshold proxy re-encryption scheme. The
encryption scheme supports decentralized erasure
codes over encrypted messages and forwarding
operations over encrypted and encoded messages.
Our system is highly distributed where storage
servers independently encode and forward mes-
sages and key servers independently perform partial
decryption.
2. We present a general setting for the parameters of our
secure cloud storage system. Our parameter setting
of
n ¼ akc
supersedes the previous one of n ¼
ak
pffi
k
ffi
,
storage devices over the network such that a user can access
the storage devices via network connection. Afterward,
many improvements on scalability, robustness, efficiency,
and security were proposed [1], [2], [9].
A decentralized architecture for storage systems offers
good scalability, because a storage server can join or leave
without control of a central authority. To provide robust-
ness against server failures, a simple method is to make
replicas of each message and store them in different servers.
However, this method is expensive as z replicas result in z
times of expansion.
One way to reduce the expansion rate is to use erasure
codes to encode messages [10], [11], [12], [13], [5]. A
message is encoded as a codeword, which is a vector of
symbols, and each storage server stores a codeword
symbol. A storage server failure is modeled as an erasure
error of the stored codeword symbol. Random linear codes
support distributed encoding, that is, each codeword
symbol is independently computed. To store a message of k
blocks, each storage server linearly combines the blocks
with randomly chosen coefficients and stores the
codeword symbol and coefficients. To retrieve the
message, a user queries k storage servers for the stored
codeword symbols and coefficients and solves the linear
system. Dimakis et al. [13] considered the case that n ¼
ak for a fixed constant a. They showed that distributing
each block of a message to v randomly chosen storage
servers is enough to have a probability 1 k=p oð1Þ of a
successful data retrieval, where v ¼ b ln k, b > 5a, and p is
the order of the used group. The sparsity parameter v ¼
b ln k is the number of storage servers which a block is sent
to. The larger v is, the communication cost is higher and
the successful retrieval probability is higher. The system
has a light data confidentiality because an attacker can
compromise k storage servers to get the message.
Lin and Tzeng [6] addressed robustness and confidenti-
ality issues by presenting a secure decentralized erasure
code for the networked storage system. In addition to
storage servers, their system consists of key servers, which
hold cryptographic key shares and work in a distributed
way. In their system, stored messages are encrypted and
then encoded. To retrieve a message, key servers query
where c 1:5 and a >pffi
2
ffi [6]. Our result n ¼ akc storage servers for the user. As long as the number of
allows the number of storage servers be much
greater than the number of blocks of a message. In
practical systems, the number of storage servers is
much more
available key servers is over a threshold t, the message can
be successfully retrieved with an overwhelming probability.
One of their results shows that when there are n storage
p pffiffiffi
than k. The sacrifice is to slightly increase the total servers with n ¼ ak
ffi
k
ffi
, the parameter v is
b
k ln k with
copies of an encrypted message symbol sent to
storage servers. Nevertheless, the storage size in each
storage server does not increase because each storage
server stores an encoded result (a codeword symbol),
which is a combination of encrypted message
symbols.
2 RELATED WORKS
We briefly review distributed storage systems, proxy re-
encryption schemes, and integrity checking mechanisms.
2.1 Distributed Storage Systems
At the early years, the Network-Attached Storage (NAS) [7]
and the Network File System (NFS) [8] provide extra

b > 5a, and each key server queries 2 storage servers for
each retrieval request, the probability of a successful
retrieval is at least 1 k=p oð1Þ.
2.2 Proxy Re-Encryption Schemes
Proxy re-encryption schemes are proposed by Mambo and
Okamoto [14] and Blaze et al. [15]. In a proxy re-encryption
scheme, a proxy server can transfer a ciphertext under a
public key PKA to a new one under another public key PKB
by using the re-encryption key RKA!B . The server does not
know the plaintext during transformation. Ateniese et al.
[16] proposed some proxy re-encryption schemes and
applied them to the sharing function of secure storage
systems. In their work, messages are first encrypted by the
owner and then stored in a storage server. When a user

A!BRKID
LIN AND TZENG: A SECURE ERASURE CODE-BASED CLOUD STORAGE SYSTEM WITH SECURE DATA FORWARDING 997
Fig. 1. A general system model of our work.
wants to share his messages, he sends a re-encryption key to
the storage server. The storage server re-encrypts the
encrypted messages for the authorized user. Thus, their
system has data confidentiality and supports the data
key server KSi holds a key share SKA;i , 1 i m. The key
is shared with a threshold t.
In the data storage phase, user A encrypts his message M
and dispatches it to storage servers. A message M is
decomposed into k blocks m1 ; m2 ; . . . ; mk and has
an identifier ID. User A encrypts each block mi into a
ciphertext Ci and sends it to v randomly chosen storage
servers. Upon receiving ciphertexts from a user, each
storage server linearly combines them with randomly
chosen coefficients into a codeword symbol and stores it.
Note that a storage server may receive less than k
message blocks and we assume that all storage servers
know the value k in advance.
In the data forwarding phase, user A forwards his
encrypted message with an identifier ID stored in storage
servers to user B such that B can decrypt the forwarded
message by his secret key. To do so, A uses his secret key
SKA and B’s public key
PKB to compute a re-encryption key RKID
and then sends
forwarding function. Our work further integrates encryp-
tion, re-encryption, and encoding such that storage robust-
ness is strengthened.
Type-based proxy re-encryption schemes proposed by
Tang [17] provide a better granularity on the granted right of
a re-encryption key. A user can decide which type of
messages and with whom he wants to share in this kind of
proxy re- encryption schemes. Key-private proxy re-
encryption schemes are proposed by Ateniese et al. [18]. In
a key-private proxy re-encryption scheme, given a re-
encryption key, a proxy server cannot determine the
identity of the recipient. This kind of proxy re-encryption
schemes provides higher privacy guarantee against proxy
servers. Although most proxy re-encryption schemes use
pairing operations, there exist proxy re-encryption schemes
without pairing [19].
2.3 Integrity Checking Functionality
Another important functionality about cloud storage is the
function of integrity checking. After a user stores data into
the storage system, he no longer possesses the data at hand.
The user may want to check whether the data are properly
stored in storage servers. The concept of provable data
possession [20], [21] and the notion of proof of storage [22],
[23], [24] are proposed. Later, public auditability of stored
data is addressed in [25]. Nevertheless all of them consider
the messages in the cleartext form.
3 SCENARIO
We present the scenario of the storage system, the threat
model that we consider for the confidentiality issue, and a
discussion for a straightforward solution.
3.1 System Model
As shown in Fig. 1, our system model consists of users, n
storage servers SS1 ; SS2 ; . . . ; SSn , and m key servers
KS1 ; KS2 ; . . . ; KSm . Storage servers provide storage
services and key servers provide key management services.
They work independently. Our distributed storage system
consists of four phases: system setup, data storage, data
forwarding, and data retrieval. These four phases are
described as follows.
In the system setup phase, the system manager chooses
system parameters and publishes them. Each user A is
assigned a public-secret key pair ðPKA ; SKA Þ. User
A distributes his secret key SKA to key servers such that
each

A!B to all storage servers. Each storage server uses the
re- encryption key to re-encrypt its codeword symbol for
later retrieval requests by B. The re-encrypted codeword
symbol is the combination of ciphertexts under B’s public
key. In order
to distinguish re-encrypted codeword symbols from intact
ones, we call them original codeword symbols and re-
encrypted codeword symbols, respectively.
In the data retrieval phase, user A requests to retrieve a
message from storage servers. The message is either stored
by him or forwarded to him. User A sends a retrieval request
to key servers. Upon receiving the retrieval request and
executing a proper authentication process with user A, each
key server KSi requests u randomly chosen storage servers
to get codeword symbols and does partial decryption on the
received codeword symbols by using the key share SKA;i .
Finally, user A combines the partially decrypted codeword
symbols to obtain the original message M .
System recovering. When a storage server fails, a new one
is added. The new storage server queries k available storage
servers, linearly combines the received codeword symbols
as a new one and stores it. The system is then recovered.
3.2 Threat Model
We consider data confidentiality for both data storage and
data forwarding. In this threat model, an attacker wants to
break data confidentiality of a target user. To do so, the
attacker colludes with all storage servers, nontarget users,
and up to ðt 1Þ key servers. The attacker analyzes stored
messages in storage servers, the secret keys of nontarget
users, and the shared keys stored in key servers. Note that
the storage servers store all re-encryption keys provided by
users. The attacker may try to generate a new re-encryption
key from stored re-encryption keys. We formally model this
attack by the standard chosen plaintext attack
1
of the proxy
1. Systems against chosen ciphertext attacks are more secure than
systems against the chosen plaintext attack. Here, we only consider
the chosen plaintext attack because a homomorphic encryption scheme is
not secure against chosen ciphertext attacks. Consider a multiplicative
homomorphic encryption scheme, where DðSK; EðPK; m1 Þ EðPK;
m2 ÞÞ ¼ m1 m2 for the encryption function E, the decryption function
D, a pair of public key PK and secret key SK, an operation , and two
messages m1 and m2 . Given a challenge ciphertext C, where C ¼ EðPK; m1
Þ, the attacker chooses m2 , computes EðPK; m2 Þ, and computes C0
¼ C
EðPK; m2 Þ. The attacker queries C0
to the decryption oracle. The response
m ¼ m1 m2 from the decryption oracle reveals the plaintext m1
to the attacker since m1 ¼ m=m2 .

r
p
xyz r
p
k
key to storage servers such that storage servers perform the
re-encryption operation for him. Thus, the communication
cost of the owner is independent of the length of forwarded
message and the computation cost of re-encryption is taken
care of by storage servers. Proxy re-encryption schemes
significantly reduce the overhead of the data forwarding
function in a secure storage system.
Fig. 2. The security game for the chosen plaintext attack.
re-encryption scheme in a threshold version, as shown in
Fig. 2.
The challenger C provides the system parameters. After
the attacker A chooses a target user T , the challenger gives
him ðt 1Þ key shares of the secret key SKT of the
target
user T to model ðt 1Þ compromised key servers. Then, the
4 CONSTRUCTION OF SECURE CLOUD STORAGE
SYSTEMS
Before presenting our storage system, we briefly introduce
the algebraic setting, the hardness assumption, an erasure
code over exponents, and our approach.
Bilinear map. Let GG1 and GG2 be cyclic
multiplicative groups2
with a prime order p and g 2 GG1
be a generator. A map e~ : GG1 GG1 ! GG2 is a
bilinear map if it is efficiently computable and has the
properties of bilinearity and
nondegeneracy: for any x; y 2 ZZ
xy
p
; e~ðgx
; gy
Þ ¼ e~ðg; gÞ and
attacker can query secret keys of other users and all re-
encryption keys except those from T to other users. This
models compromised nontarget users and storage servers.
In the challenge phase, the attacker chooses two messages
M0 and M1 with the identifiers ID0 and ID1 ,
respectively. The challenger throws a random coin b and
encrypts the message Mb with T ’s public key PKT .
After getting the
ciphertext from the challenger, the attacker outputs a bit b0
e~ðg; gÞ is not the identity element in GG2 . Let Genð1 Þ be
an
algorithm generating ðg; e~; GG1 ; GG2 ; pÞ, where is the
length
of p. Let x 2R X denote that x is randomly chosen from the
set X.
Decisional bilinear Diffie-Hellman assumption. This
assumption is that it is computationally infeasible to
distinguish the distributions (g, gx
, gy
, gz
, e~ðg; gÞ
xyz
) and
(g, gx
, gy
, gz
, e~ðg; gÞ ), where x; y; z; r 2R ZZ
for guessing b. In this game, the attacker wins if and only if
b0
¼ b. The advantage of the attacker is defined as
j1=2 Pr½b0
¼ b j.
A cloud storage system modeled in the above is secure if
p . Formally, for any
probabilistic polynomial time algorithm A, the following is
negligible (in ):
j Pr½Aðg; gx
; gy
; gz
; QQb Þ ¼ b : x; y; z; r 2R ZZ ;
no probabilistic polynomial time attacker wins the game
with a nonnegligible advantage. A secure cloud storage
QQ0 ¼ e~ðg;
gÞ
; QQ1 ¼ e~ðg; gÞ ; b 2R f0; 1g 1=2j:
system implies that an unauthorized user or server cannot
get the content of stored messages, and a storage server
cannot generate re-encryption keys by himself. If a storage
server can generate a re-encryption key from the target user
to another user B, the attacker can win the security game by
re-encrypting the ciphertext to B and decrypting the re-
encrypted ciphertext using the secret key SKB .
Therefore, this model addresses the security of data
storage and data forwarding.
3.3 A Straightforward Solution
Erasure coding over exponents. We consider that the
message domain is the cyclic multiplicative group
GG2 described above. An encoder generates a generator
matrix G ¼ ½gi;j for 1 i k; 1 j n as follows: for
each row, the encoder randomly selects an entry and
randomly sets a value from ZZ to the entry. The encoder
repeats this step v times with replacement for each row. An
entry of a row can be selected multiple times but only set
to one value. The values of the rest entries are set to 0.
Let the message be
ðm1 ; m2 ; . . . ; mk Þ 2 GG2
. The encoding process is to
generate
n g1;j g2;j gk;j
A straightforward solution to supporting the data forward-
ing function in a distributed storage system is as follows:
when the owner A wants to forward a message to user B, he
ðw1 ; w2 ; . . . ; wn Þ 2 GG2 , w h e r e wj ¼ m1 m2 mk
for
1 j n. The first step of the decoding process is to
compute the inverse of a k k submatrix K of G. Let K be
1
downloads the encrypted message and decrypts it by using
½gi;ji
for 1 i; ji k. Let K ¼ ½di;j 1 i;j k . The final step of
d1;i d2;i dk;i
his secret key. He then encrypts the message by using B’s
public key and uploads the new ciphertext. When B wants
to retrieve the forwarded message from A, he downloads
the ciphertext and decrypts it by his secret key. The whole
data forwarding process needs three communication
rounds for A’s downloading and uploading and B’s
downloading. The communication cost is linear in the
length of the forwarded message. The computation cost is
the decryption and encryption for the owner A, and the
decryption for user B.
Proxy re-encryption schemes can significantly decrease
communication and computation cost of the owner. In a
proxy re-encryption scheme, the owner sends a re-encryption

the decoding process is to compute mi ¼ wj1
wj2
wjk
for
1 i k. An example is shown in Fig. 3. User A stores two
messages m1 and m2 into four storage servers. When
the storage servers SS1 and SS3 are available and the
k k submatrix K is invertible, user A can decode m1
and m2 from the codeword symbols w1 ; w3 and the
coefficients ðg1;1 ; 0Þ; ð0; g2;3 Þ, which are stored in the
storage servers SS1 and SS3 .
Our approach. We use a threshold proxy re-encryption
scheme with multiplicative homomorphic property. An
encryption scheme is multiplicative homomorphic if it
2. It can also be described as additive groups over points on an elliptic
curve.

p
i
;
i¼1 m
i¼1
A B
A B
a
i
fA;1 ðzÞ ¼ a1 þ v1 z þ v2 z2
þ þ vt
fA;2 ðzÞ ¼ a 1
þ v1 z þ v2 z2
þ þ vt
1 zt 1
ðmod pÞ;
1 zt 1
ðmod pÞ;2
Fig. 3. A storage system with random linear coding over exponents.
supports a group operation on encrypted plaintexts
without decryption
DðSK; EðPK; m1 Þ EðPK; m2 ÞÞ ¼ m1 m2
;
where E is the encryption function, D is the decryption
function, and ðPK; SKÞ is a pair of public key and secret
key. Given two coefficients g1 and g2 , two message
symbols
m1 and m2 can be encoded to a codeword symbol m
g1
m
g2
in
where v1 ; v2 ; . . . ; vt 1 2R ZZ . The key share of
the secret key SKA to the key server KSi is
SKA;i ¼ ðfA;1 ðiÞ; fA;2 ðiÞÞ, where 1 i m.
Data storage. When user A wants to store a message of k
blocks m1 ; m2 ; . . . ; mk with the identifier ID, he
computes the identity token ¼ hf ða3 ;IDÞ
and performs the
encryption algorithm Encð Þ on and k blocks to get
k original
ciphertexts C1 ; C2 ; . . . ; Ck . An original ciphertext is
indicated by a leading bit b ¼ 0. User A sends each
ciphertext Ci to v randomly chosen storage servers. A
storage server receives a set of original ciphertexts with
the same identity token from A. When a ciphertext Ci is
not received, the storage server inserts Ci ¼ ð0; 1; ; 1Þ to
the set. The special format of ð0; 1; ; 1Þ is a mark for the
absence of Ci . The storage server performs Encodeð Þ on
the set of k ciphertexts and stores the encoded result
(codeword symbol).
. Enc(PKA ; ; m1 ; m2 ; . . . ; mk ). For 1 i k, this algo-
the encrypted form
g1
1 2
g2 g1 g2
rithm computes
Ci ¼ ð0; i ; ; i Þ ¼ ð0; gri
; ; mi e~ðga1
; ri
ÞÞ;C ¼ EðPK; m1 Þ EðPK; m2 Þ ¼ EðPK; m1 m2 Þ:
p ; 1 i k and 0 is the leading bitThus, a multiplicative homomorphic encryption scheme
supports the encoding operation over encrypted messages.
We then convert a proxy re-encryption scheme with multi-
plicative homomorphic property into a threshold version. A
secret key is shared to key servers with a threshold value t
via the Shamir secret sharing scheme [26], where t k.
In our system, to decrypt for a set of k message symbols,
each
key server independently queries 2 storage servers and
where ri 2R ZZ
indicating an original ciphertext.
. Encode(C1 ; C2 ; . . . ; Ck ). For each ciphertext Ci ,
the algorithm randomly selects a coefficient gi . If
some ciphertext Ci is ð0; 1; ; 1Þ, the coefficient gi is
set to 0. Let Ci ¼ ð0; i ; ; i Þ. The encoding
process is to compute an original codeword symbol
C0
!
k k
partially decrypts two encrypted codeword symbols. As
C0
¼ 0;
Y
gi
; ;
Y
gi
long as t key servers are available, k codeword symbols are
obtained from the partially decrypted ciphertexts.
i
i¼1
Pk
g r
i
i¼1
k Pk
!
g g r
4.1 A Secure Cloud Storage System with Secure ¼ 0; g i¼1
i i
; ;
Y
m i
e~ðg
1
; Þ i¼1
i i
Forwarding
As described in Section 3.1, there are four phases of our ¼ ð0; gr
i¼1
a1 r0
Þ
0
; ; W e~ðg; Þ
storage system.
System setup. The algorithm SetUpð1 Þ generates the
where W ¼
Qk gi
and r0
¼
Pk
gi ri . The en-
system parameters . A user uses KeyGenð Þ to generate
coded result is ðC0
; g1 ; g2 ; . . . ; gk Þ.
Data forwarding. User A wants to forward a message to
his public and secret key pair and ShareKeyGenð Þ to share
his secret key to a set of m key servers with a threshold t,
another user B. He needs the first component a1 of his
where k t m. The user locally stores the third compo-
nent of his secret key.
. SetUp(1 ). Run Genð1 Þ to obtain ðg; h; e~; GG1 ;
GG2 ; pÞ,
secret key. If A does not possess a1 , he queries key servers
for key shares. When at least t key servers respond, A
recovers the first component a1 of the secret key SKA via the
KeyRecoverð Þ algorithm. Let the identifier of the message
where e~ : GG1 GG1 ! GG2 is a bilinear map, g
and h
be ID. User A computes the re-encryption key RKID
! via
are generators of GG1 , and both GG1 and GG2
have the
prime order p. Set ¼ ðg; h; e~; GG1 ; GG2 ; p; f Þ,
where f :
the ReKeyGenð Þ algorithm and securely sends the re-
encryption key to each storage server. By using RKID
, a!
ZZ f0; 1g ! ZZ is a one-way hash
function. storage server re-encrypts the original codeword symbol C0
p p

p
. KeyGen( ). For a user A, the algorithm selects
a1 ; a2 ; a3 2R ZZ and sets
PKA ¼ ðga1
; ha2
Þ; SKA ¼ ða1 ; a2 ; a3 Þ:
. ShareKeyGen(SKA , t, m). This algorithm shares the
secret key SKA of a user A to a set of m key
servers by using two polynomials fA;1 ðzÞ and
fA;2 ðzÞ of degree ðt 1Þ over the finite field GF(p)
with the identifier ID into a re-encrypted codeword symbol
C00
via the ReEncð Þ algorithm such that C00
is decryptable
by using B’s secret key. A re-encrypted codeword symbol is
indicated by the leading bit b ¼ 1. Let the public key PKB of
user B be ðgb1
; hb2
Þ.
. KeyRecover(SKA;i1
; SKA;i2
; . . . ; SKA;it
). Let T ¼ fi1
; i2 ; . . . ; it g. This algorithm recovers a1 via
Lagrange interpolation as follows:

i1 ;j1
i ;j
p
ð Þ
RKID
A B
a1 r0
ðf ða3
;IDÞþeÞ
ð 0
0
a1 ¼
X
@fA;1 ðsÞ
Y s0
1
Amod p:
The algorithm combines the t values ( 0
;
s2T s s0
s0
2T=fsg
0
i2 ;j2
; . . . ; 0
t t
) to obtain a1
¼ fA;1 ð0Þ
via the
La-
grange interpolation over exponents
Q j
. ReKeyGen(PKA ; SKA ; ID; PKB ). This algorithm se-
lects e 2R ZZ and computes
a1
¼Y
ði;jÞ2S
0
i;j
r2SJ ;r¼j r j
¼ fA;1 ð0Þ:
A!B ¼ ððhb2 a1 ðf ða3
;IDÞþeÞ
Þ
; ha1 e
Þ:
For each of the partially decrypted codeword
symbols i;j , where i 2 SI , the algorithm
computes
. ReEnc(RKID
! ; C0
). Let C0
¼ ð0; ; ; Þ ¼ ð0; gr0
;
;
an encoded block
W e~ðga1
; r0
ÞÞ for some r0
and some W , and RKID
¼ a r0
A!B i;j wi e~ðg 1
; Þ
ðhb2 a1 ðf ða3 ;IDÞþeÞ
; ha1 e
Þ for some e. The re-encrypted wi ¼
e~ ; f 0 r f 0
; ð1Þ
codeword symbol is computed as follows:
ð i;j
A;1 ð Þ
Þ
¼
e~ðg
0
; A;1 ð Þ
Þ
for some r0
, where fA;1 ð0Þ ¼ a1 .
C00
¼ ð1; ; hb2 a1 ðf ða3 ;IDÞþeÞ
; e~ð ; ha1 e
ÞÞ Observe that w m
g1;i g2;i gk;i
i ¼ 1 m2 mk for i 2 SI , and
¼ ð1; gr0
; hb2 a1 ðf ða3 ;IDÞþeÞ
; W e~ðg; hÞ Þ: there are k such equations. Consider the square
matrix K ¼ ½gi;j , where 1 i k; j 2 SI . The decod-
Note that the leading bit 1 indicates C00
is a re-encrypted
ciphertext.
Data retrieval. There are two cases for the data retrieval
phase. The first case is that a user A retrieves his own
message. When user A wants to retrieve the message with
the identifier ID, he informs all key servers with the
identity token . A key server first retrieves original
codeword symbols from u randomly chosen storage
servers and then performs partial decryption ShareDecð Þ
on every retrieved
ing process is to compute K 1
and output the blocks
m1 ; m2 ; . . . ; mk . The algorithm fails when the
square matrix K is noninvertible. We shall
analyze the probability of K being noninvertible in
Section 4.2.
In the second case b ¼ 1 for re-encrypted code-
word symbols, user B wants to retrieve the message
forwarded to him. The algorithm does the following
computation to obtain
Q j
original codeword symbol C0
. The result of partial
decryption
is called a partially decrypted codeword symbol. The key
hðf ða3 ;IDÞþeÞa1
¼
Y
ði;jÞ2S
i;j Þ r2SJ ;r¼j r j
server sends the partially decrypted codeword symbols
and the coefficients to user A. After user A collects replies
from at
least t key servers and at least k of them are originally from
where fB;2 ð0Þ ¼ b 1
¼ hðf ða3 ;IDÞþeÞa1 b2 fB;2 ð0Þ
; i;j2 . Again, for each of
, where
distinct storage servers, he executes Combineð Þ on the t
partially decrypted codeword symbols to recover the blocks
i 2 SI , the algorithm computes an encoded block
a r0
ðf ða ;IDÞþeÞ
m1 ; m2 ; . . . ; mk . The second case is that a user B retrieves
a
wi ¼ i;j
wi e~ðg; hÞ 1 3
¼ ;
message forwarded to him. User B informs all key servers
directly. The collection and combining parts are the same as
the first case except that key servers retrieve re-encrypted
e~ð i;j ; hðf ða3 ;IDÞþeÞa1
Þ
e~ðgr0
; hðf ða3 ;IDÞþeÞa1
Þ
ð2Þ
codeword symbols and perform partial decryption Share-
Decð Þ on re-encrypted codeword symbols.
. ShareDec(SKj ; Xi ). Xi is a codeword symbol,
where Xi ¼ ðb; ; ; ) and b is the indicator for
original and re-encrypted codeword symbols. SKj
is a key share, where SKj ¼ ðsk0 ; sk1 Þ. By using the
key share
for some e and r0
. The rest in the second case is the
same as that in the first case.
4.2 Analysis
We analyze storage and computation complexities, correct-
ness, and security of our cloud storage system in this
section.
Let the bit-length of an element in the group GG1 be l1 and
GG2
l3
SKj , the partially decrypted codeword symbol i;j of
Xi is generated as follows:
be l2 . Let coefficients gi;j be randomly chosen from f0; 1g .
Storage cost. To store a message of k blocks, a storage
server SSj stores a codeword symbol ðb; j ; ; j Þ and the
i;j ¼ ðb; ; ; skb
;
Þ:
coefficient vector ðg1;j; g2;j; . . . ; gk;jÞ. They are total of ð1 þ

i;j
. Combine( i1 ;j1
; i2 ;j2
; . . . ; it ;jt
). Let a partially
de-
2l1 þ l2 þ kl3 Þ bits, where j ; 2 GG1 and j 2 GG2
. The average cost for a message bit stored in a storage
server is
crypted codeword symbol i;j be ðb; i;j ; i;j ; 0
; i;j Þ. ð1 þ 2l1 þ l2 þ kl3 Þ=kl2 bits, which is dominated by l3 =l2 for
a
This algorithm combines t partially decrypted code- sufficiently large k. In practice, small coefficients, i.e.,
word symbols, where i1 ;j1
¼ i2 ;j2
¼ ¼ it ;jt
¼ , j1 ¼ j2 ¼ . . . ¼ jt and there are at least k
distinct values in fi1 ; i2 ; . . . ; it g. Let SJ ¼ fj1 ; j2 ;
. . . ; jt g and S ¼ fði1 ; j1 Þ; ði2 ; j2 Þ; . . . ; ðit ; jt Þg.
Without loss of gen- erality, let SI ¼ fi1 ; i2 ; . . . ; ik g
be k distinct values in fi1 ; i2 ; . . . ; it g.
In the first case b ¼ 0 for original codeword
symbols, user A wants to retrieve his own message.
l3 l2 , reduce the storage cost in each storage server.
Computation cost. We measure the computation cost by
the number of pairing operations, modular exponentiations
in GG1 and GG2 , modular multiplications in GG1 and
GG2 , and arithmetic operations over GF ðpÞ. These
operations are denoted as Pairing, Exp1 , Exp2 , Mult1 ,
Mult2 , and Fp , respectively. The cost is summarized in
Table 1. Computing an Fp takes much less time than
computing a Mult1 or a

a >
ﬃ ﬃ
TABLE 1
The Computation Cost of Each Algorithm
in Our Secure Cloud Storage System
Mult2 . The time of computing an Exp1 is 1:5dlog pe times
as much as the time of computing a Mult1 , on average,
(by using the square-and-multiply algorithm). Similarly,
the time of computing a Exp2 is 1:5dlog pe times as much as
the time of computing a Mult2 , on average.
In the data storage phase, a user runs the Encð Þ
operations over GF ðpÞ, and the decoding for each block
takes k Exp2 and ðk 1Þ Mult2 .
Correctness. There are two cases for correctness. The
owner A correctly retrieves his message and user B correctly
retrieves a message forwarded to him. The correctness of
encryption and decryption for A can be seen in (1). The
correctness of re-encryption and decryption for B can be
seen in (2). As long as at least k storage servers are available,
a user can retrieve data with an overwhelming probability.
Thus, our storage system tolerates n k server failures.
The probability of a successful retrieval. A successful
retrieval is an event that a user successfully retrieves all k
blocks of a message no matter whether the message is
owned by him or forwarded to him. The randomness comes
from the random selection of storage servers in the data
storage phase, the random coefficients chosen by storage
servers, and the random selection of key servers in the data
retrieval phase. The probability of a successful retrieval
depends on (n; k; u; v) and all randomness.
The methodology of analysis is similar to that in [13] and
[6]. However, we consider a different system model from the
one in [13] and a more flexible parameter setting for n ¼ akc
than the settings in [13] and [6]. The difference between our
system model and the one in [13] is that our system model
has key servers. In [13], a single user queries k distinct
storage servers to retrieve the data. On the other hand, each
key server in our system independently queries u storage
servers. The use of distributed key servers increases the level
of key protection but makes the analysis harder.
The ratio n=k is considered as a fixed constant in [13].
3=2
algorithm and each storage server performs the Encodeð Þ In [6], the setting is extended to n ¼ ak
c
. Our general-
algorithm. In the Encð Þ algorithm, generating each i
requires a Exp1 , and generating each i requires a Exp1 , a
Pairing, and a Mult2 . Hence, for k blocks of a message, the
cost is (k Pairing þ 2k Exp1 þ k Mult2 ). For the Encodeð
Þ algorithm, each storage server encodes k ciphertexts
at most. The cost is k Exp1 þ ðk 1Þ Mult1 for computing
and k Exp2 þ ðk 1Þ Mult2 for computing .
In the data forwarding phase, a user runs KeyRecoverð Þ
and ReKeyGenð Þ and each storage server performs
ReEncð Þ. In the KeyRecoverð Þ algorithm, the computation
cost is Oðt2
Þ Fp . In the ReKeyGenð Þ algorithm,
the
computation cost is a Exp1 . In the ReEncð Þ algorithm, the
ization of parameter setting for n ¼ ak , where c 1:5,
allows the number of storage servers be much greater than
the number of blocks of a message. It gives a better
flexibility for adjustment between the number of storage
servers and robustness. This generalization is obtained by
observing that Pr½E1 is better bounded by choosing
c 1:5. The proof of Theorem 1 is given in Appendix A,
which can be found on the Computer Society Digital
Library at http://doi.ieeecomputersociety.org/10.1109/
TPDS.2011.252.
Theorem 1. Assume that there are k blocks of a message,
n
storage servers, and m key servers, where n ¼ akc
, m t k,
computation cost is a Pairing and a Mult1 . c 1:5 and a is a constant with
p
2. For v ¼ bkc 1
ln k
In the data retrieval phase, each key server runs the
ShareDecð Þ algorithm and the user performs the
Combineð Þ algorithm. In the ShareDecð Þ algorithm, each
key server performs a Exp1 to get skb
for a codeword
symbol. For a successful retrieval, t key servers would be
sufficient; hence, for this step, the total cost of t key servers
is t Exp1 . In the Combineð Þ algorithm, it needs the
computation of the Lagrange interpolation over exponents
in GG1 , the computation of the encoded blocks wj ’s from
the
and u ¼ 2 with b > 5a, the probability of a successful retrieval
is at least 1 k=p oð1Þ.
Security. The data confidentiality of our cloud storage
system is guaranteed even if all storage servers, nontarget
users, and up to ðt 1Þ key servers are compromised by the
attacker. Recall the security game illustrated in Fig. 2. The
proof for Theorem 2 is provided in Appendix B, available in
the online supplementary material.
partially decrypted codeword symbols ~i;j ’s, and
the
Theorem 2. Our cloud storage system described in Section 4.1 is
decoding computation which needs to perform the matrix
inversion and recovery of blocks mi ’s from the encoded
blocks wj ’s. The Lagrange interpolation over exponents
in
secure under the threat model in Section 3.2 if the decisional
bilinear Diffie-Hellman assumption holds.

GG1 needs Oðt2
Þ Fp , t Exp1 , and ðt 1Þ Mult1 . Computing
an encoded block wj needs one Pairing and one
modular
5 DISCUSSION AND CONCLUSION
division, which takes 2 Mult2 . As for the decoding
computation, the matrix inversion takes Oðk3
Þ arithmetic
In this paper, we consider a cloud storage system consists of
storage servers and key servers. We integrate a newly

proposed threshold proxy re-encryption scheme and
erasure codes over exponents. The threshold proxy re-
encryption scheme supports encoding, forwarding, and
partial decryption operations in a distributed way. To
decrypt a message of k blocks that are encrypted and
encoded to n codeword symbols, each key server only has
to partially decrypt two codeword symbols in our system.
By using the threshold proxy re-encryption scheme, we
present a secure cloud storage system that provides secure
data storage and secure data forwarding functionality in a
decentralized structure. Moreover, each storage server
independently performs encoding and re-encryption and
each key server independently performs partial decryption.
Our storage system and some newly proposed content
addressable file systems and storage system [27], [28], [29]
are highly compatible. Our storage servers act as storage
nodes in a content addressable storage system for storing
content addressable blocks. Our key servers act as access
nodes for providing a front-end layer such as a traditional
file system interface. Further study on detailed cooperation
is required.
ACKNOWLEDGMENTS
The authors thank anonymous reviewers for their valu-
able comments. The research was supported in part by
projects ICTL-100-Q707, ATU-100-W958, NSC 98-2221-E-
009-068-MY3, NSC 99-2218-E-009-017-, and NSC 99-2218-
E-009-020.
REFERENCES
[1] J. Kubiatowicz, D. Bindel, Y. Chen, P. Eaton, D. Geels,
R.
Gummadi, S. Rhea, H. Weatherspoon, W. Weimer, C. Wells, and
B. Zhao, “Oceanstore: An Architecture for Global-Scale Persis-
tent Storage,” Proc. Ninth Int’l Conf. Architectural Support
for Programming Languages and Operating Systems (ASPLOS), pp.
190-
201, 2000.
[2] P. Druschel and A. Rowstron, “PAST: A Large-Scale,
Persistent
Peer-to-Peer Storage Utility,” Proc. Eighth Workshop Hot Topics in
Operating System (HotOS VIII), pp. 75-80, 2001.
[3] A. Adya, W.J. Bolosky, M. Castro, G. Cermak, R. Chaiken,
J.R.
Douceur, J. Howell, J.R. Lorch, M. Theimer, and R. Wattenhofer,
“Farsite: Federated, Available, and Reliable Storage for an
Incompletely Trusted Environment,” Proc. Fifth Symp. Operating
System Design and Implementation (OSDI), pp. 1-14, 2002.
[4] A. Haeberlen, A. Mislove, and P. Druschel, “Glacier: Highly
Durable, Decentralized Storage Despite Massive Correlated Fail-
ures,” Proc. Second Symp. Networked Systems Design and Implemen-
tation (NSDI), pp. 143-158, 2005.
[5] Z. Wilcox-O’Hearn and B. Warner, “Tahoe: The Least-
Authority
Filesystem,” Proc. Fourth ACM Int’l Workshop Storage Security and
Survivability (StorageSS), pp. 21-26, 2008.
[6] H.-Y. Lin and W.-G. Tzeng, “A Secure Decentralized Erasure Code
for Distributed Network Storage,” IEEE Trans. Parallel and
Distributed Systems, vol. 21, no. 11, pp. 1586-1594, Nov. 2010.
[7] D.R. Brownbridge, L.F. Marshall, and B. Randell, “The Newcastle
Connection or Unixes of the World Unite!,” Software Practice and
Experience, vol. 12, no. 12, pp. 1147-1162, 1982.
[8] R. Sandberg, D. Goldberg, S. Kleiman, D. Walsh, and B.
Lyon, “Design and Implementation of the Sun Network
Filesystem,” Proc. USENIX Assoc. Conf., 1985.
[9] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K.
Fu, “Plutus: Scalable Secure File Sharing on Untrusted Storage,”
Proc. Second USENIX Conf. File and Storage Technologies (FAST),
pp. 29-
42, 2003.
[10] S.C. Rhea, P.R. Eaton, D. Geels, H. Weatherspoon, B.Y. Zhao,
and J. Kubiatowicz, “Pond: The Oceanstore Prototype,” Proc.
Second USENIX Conf. File and Storage Technologies (FAST), pp. 1-
14, 2003.

[11] R. Bhagwan, K. Tati, Y.-C. Cheng, S. Savage, and G.M.
Voelker, “Total Recall: System Support for Automated
Availability Management,” Proc. First Symp. Networked Systems
Design and Implementation (NSDI), pp. 337-350, 2004.
[12] A.G. Dimakis, V. Prabhakaran, and K. Ramchandran, “Ubiqui-
tous Access to Distributed Data in Large-Scale Sensor Net-
works through Decentralized Erasure Codes,” Proc. Fourth Int’l
Symp. Information Processing in Sensor Networks (IPSN), pp.
111-
117, 2005.
[13] A.G. Dimakis, V. Prabhakaran, and K. Ramchandran, “Decen-
tralized Erasure Codes for Distributed Networked Storage,” IEEE
Trans. Information Theory, vol. 52, no. 6 pp. 2809-2816, June 2006.
[14] M. Mambo and E. Okamoto, “Proxy Cryptosystems: Delegation of
the Power to Decrypt Ciphertexts,” IEICE Trans. Fundamentals
of Electronics, Comm. and Computer Sciences, vol. E80-A, no. 1, pp.
54-
63, 1997.
[15] M. Blaze, G. Bleumer, and M. Strauss, “Divertible Protocols and
Atomic Proxy Cryptography,” Proc. Int’l Conf. Theory and Applica-
tion of Cryptographic Techniques (EUROCRYPT), pp. 127-144, 1998.
[16] G. Ateniese, K. Fu, M. Green, and S. Hohenberger,
“Improved Proxy Re-Encryption Schemes with Applications
to Secure Distributed Storage,” ACM Trans. Information and
System Security, vol. 9, no. 1, pp. 1-30, 2006.
[17] Q. Tang, “Type-Based Proxy Re-Encryption and Its Construction,”
Proc. Ninth Int’l Conf. Cryptology in India: Progress in
Cryptology
(INDOCRYPT), pp. 130-144, 2008.
[18] G. Ateniese, K. Benson, and S. Hohenberger, “Key-Private Proxy
Re-Encryption,” Proc. Topics in Cryptology (CT-RSA), pp. 279-294,
2009.
[19] J. Shao and Z. Cao, “CCA-Secure Proxy Re-Encryption without
Pairings,” Proc. 12th Int’l Conf. Practice and Theory in Public
Key
Cryptography (PKC), pp. 357-376, 2009.
[20] G. Ateniese, R. Burns, R. Curtmola, J. Herring, L. Kissner, Z.
Peterson, and D. Song, “Provable Data Possession at
Untrusted Stores,” Proc. 14th ACM Conf. Computer and Comm.
Security (CCS), pp. 598-609, 2007.
[21] G. Ateniese, R.D. Pietro, L.V. Mancini, and G. Tsudik, “Scalable
and Efficient Provable Data Possession,” Proc. Fourth Int’l
Conf. Security and Privacy in Comm. Netowrks (SecureComm), pp.
1-10,
2008.
[22] H. Shacham and B. Waters, “Compact Proofs of
Retrievability,” Proc. 14th Int’l Conf. Theory and Application of
Cryptology and Information Security (ASIACRYPT), pp. 90-107,
2008.
[23] G. Ateniese, S. Kamara, and J. Katz, “Proofs of Storage from
Homomorphic Identification Protocols,” Proc. 15th Int’l Conf.
Theory and Application of Cryptology and Information
Security (ASIACRYPT), pp. 319-333, 2009.
[24] K.D. Bowers, A. Juels, and A. Oprea, “HAIL: A High-Availability
and Integrity Layer for Cloud Storage,” Proc. 16th ACM Conf.
Computer and Comm. Security (CCS), pp. 187-198, 2009.
[25] C. Wang, Q. Wang, K. Ren, and W. Lou, “Privacy-Preserving
Public Auditing for Data Storage Security in Cloud Computing,”
Proc. IEEE 29th Int’l Conf. Computer Comm. (INFOCOM), pp. 525-
533, 2010.
[26] A. Shamir, “How to Share a Secret,” ACM Comm., vol. 22, pp. 612-
613, 1979.
[27] C. Dubnicki, L. Gryz, L. Heldt, M. Kaczmarczyk, W. Kilian, P.
Strzelczak, J. Szczepkowski, C. Ungureanu, and M. Welnicki,
“Hydrastor: A Scalable Secondary Storage,” Proc. Seventh Conf. File
and Storage Technologies (FAST), pp. 197-210, 2009.
[28] C. Ungureanu, B. Atkin, A. Aranya, S. Gokhale, S. Rago, G.
Calkowski, C. Dubnicki, and A. Bohra, “Hydrafs: A High-
Throughput File System for the Hydrastor Content-Addressable
Storage System,” Proc. Eighth USENIX Conf. File and
Storage
Technologies (FAST), p. 17, 2010.
[29] W. Dong, F. Douglis, K. Li, H. Patterson, S. Reddy, and P. Shilane,
“Tradeoffs in Scalable Data Routing for Deduplication Clusters,”
Proc. Ninth USENIX Conf. File and Storage Technologies (FAST), p. 2,
2011.

Hsiao-Ying Lin received the MS and PhD
degrees in computer science from
National Chiao Tung University, Taiwan, in
2005 and
2010, respectively. Currently, she is working as
an assistant research fellow in Intelligent In-
formation and Communications Research Cen-
ter. Her current research interests include
applied cryptography and information security.
She is a member of the IEEE.
Wen-Guey Tzeng received the BS degree in
computer science and information engineering
from National Taiwan University, in 1985, and
MS and PhD degrees in computer science from
the State University of New York at Stony
Brook, in
1987 and 1991, respectively. He joined the
Department of Computer and Information
Science ( now, D epartment of
Computer Science), National Chiao Tung
University, Tai- wan, in 1991. He now serves as
a chairman of the
department. His current research interests include cryptology, informa-
tion security and network security. He is a member of the IEEE.
. For more information on this or any other computing
topic, please visit our Digital Library at
www.computer.org/publications/dlib.
Homework Help
Math homework help
Research Paper help
Algebra Help
Calculus Help
Accounting help
Paper Help
Writing Help
Online Tutor

Online Tutoring

126689454 jv6

More Related Content

What's hot (17)

Viewers also liked (8)

Similar to 126689454 jv6 (20)

Recently uploaded (20)

126689454 jv6