Key-Aggregate Cryptosystem for Scalable.pdf

Key-Aggregate Cryptosystem for ScalableData Sharing in Cloud Storage

Cheng-Kang Chu, Sherman S.M. Chow, Wen-Guey Tzeng, Jianying Zhou, and

Robert H. Deng, Senior Member, IEEE

AbstractData sharing is an important functionality in cloud storage. In this paper, we show how to securely, efficiently, and flexibly

share data with others in cloud storage. We describe new public-key cryptosystems that produce constant-size ciphertexts such that

efficient delegation of decryption rights for any set of ciphertexts are possible. The novelty is that one can aggregate any set of secret

keys and make them as compact as a single key, but encompassing the power of all the keys being aggregated. In other words, the

secret key holder can release a constant-size aggregate key for flexible choices of ciphertext set in cloud storage, but the other

encrypted files outside the set remain confidential. This compact aggregate key can be conveniently sent to others or be stored in a

smart card with very limited secure storage. We provide formal security analysis of our schemes in the standard model. We also

describe other application of our schemes. In particular, our schemes give the first public-key patient-controlled encryption for flexible

hierarchy, which was yet to be known.

Index TermsCloud storage, data sharing, key-aggregate encryption, patient-controlled encryption

1 INTRODUCTION

CLOUD storage is gaining popularity recently. In enter-prise settings, we see the rise in demand for dataoutsourcing, which assists in the strategic management ofcorporate data. It is also used as a core technology behindmany online services for personal applications. Nowadays,it is easy to apply for free accounts for email, photo album,file sharing and/or remote access, with storage size morethan 25 GB (or a few dollars for more than 1 TB). Togetherwith the current wireless technology, users can accessalmost all of their files and emails by a mobile phone in anycorner of the world.

Considering data privacy, a traditional way to ensure it isto rely on the server to enforce the access control afterauthentication (e.g., [1]), which means any unexpectedprivilege escalation will expose all data. In a shared-tenancycloud computing environment, things become even worse.Data from different clients can be hosted on separate virtualmachines (VMs) but reside on a single physical machine.Data in a target VM could be stolen by instantiating anotherVM coresident with the target one [2]. Regarding avail-ability of files, there are a series of cryptographic schemeswhich go as far as allowing a third-party auditor to check

the availability of files on behalf of the data owner withoutleaking anything about the data [3], or without compromis-ing the data owners anonymity [4]. Likewise, cloud usersprobably will not hold the strong belief that the cloud serveris doing a good job in terms of confidentiality. A crypto-graphic solution, for example, [5], with proven securityrelied on number-theoretic assumptions is more desirable,whenever the user is not perfectly happy with trusting thesecurity of the VM or the honesty of the technical staff.These users are motivated to encrypt their data with theirown keys before uploading them to the server.

Data sharing is an important functionality in cloudstorage. For example, bloggers can let their friends view asubset of their private pictures; an enterprise may grant heremployees access to a portion of sensitive data. Thechallenging problem is how to effectively share encrypteddata. Of course users can download the encrypted datafrom the storage, decrypt them, then send them to others forsharing, but it loses the value of cloud storage. Users shouldbe able to delegate the access rights of the sharing data toothers so that they can access these data from the serverdirectly. However, finding an efficient and secure way toshare partial data in cloud storage is not trivial. Below wewill take Dropbox1 as an example for illustration.

Assume that Alice puts all her private photos onDropbox, and she does not want to expose her photos toeveryone. Due to various data leakage possibility Alicecannot feel relieved by just relying on the privacy protectionmechanisms provided by Dropbox, so she encrypts all thephotos using her own keys before uploading. One day,Alices friend, Bob, asks her to share the photos taken overall these years which Bob appeared in. Alice can then usethe share function of Dropbox, but the problem now is howto delegate the decryption rights for these photos to Bob. Apossible option Alice can choose is to securely send Bob the

468 IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS, VOL. 25, NO. 2, FEBRUARY 2014

. C.-K. Chu and J. Zhou are with the Department of Cryptography andSecurity, Institute for Infocomm Research, Singapore 138632.

. S.S.M. Chow is with the Department of Information Engineering, ChineseUniversity of Hong Kong, Hong Kong.

. W.-G. Tzeng is with the Department of Computer Science, National ChiaoTung University, Taiwan.

. R.H. Deng is with the School of Information Systems, SingaporeManagement University, Singapore 188065.

Manuscript received 17 Sept. 2012; revised 17 Mar. 2013; accepted 29 Mar.2013; published online 9 Apr. 2013.Recommended for acceptance by X. Li, P. McDaniel, R. Poovendran, andG. Wang.For information on obtaining reprints of this article, please send e-mail to:[email protected], and reference IEEECS Log NumberTPDSSI-2012-09-0953.Digital Object Identifier no. 10.1109/TPDS.2013.112. 1. http://www.dropbox.com.

1045-9219/14/$31.00 2014 IEEE Published by the IEEE Computer Society

secret keys involved. Naturally, there are two extreme waysfor her under the traditional encryption paradigm:

. Alice encrypts all files with a single encryption keyand gives Bob the corresponding secret key directly.

. Alice encrypts files with distinct keys and sends Bobthe corresponding secret keys.

Obviously, the first method is inadequate since all unchosendata may be also leaked to Bob. For the second method,there are practical concerns on efficiency. The number ofsuch keys is as many as the number of the shared photos,say, a thousand. Transferring these secret keys inherentlyrequires a secure channel, and storing these keys requiresrather expensive secure storage. The costs and complexitiesinvolved generally increase with the number of thedecryption keys to be shared. In short, it is very heavyand costly to do that.

Encryption keys also come with two flavorssymmetrickey or asymmetric (public) key. Using symmetric encryp-tion, when Alice wants the data to be originated from athird party, she has to give the encryptor her secret key;obviously, this is not always desirable. By contrast, theencryption key and decryption key are different in public-key encryption. The use of public-key encryption givesmore flexibility for our applications. For example, inenterprise settings, every employee can upload encrypteddata on the cloud storage server without the knowledge ofthe companys master-secret key.

Therefore, the best solution for the above problem is thatAlice encrypts files with distinct public-keys, but only sendsBob a single (constant-size) decryption key. Since thedecryption key should be sent via a secure channel andkept secret, small key size is always desirable. For example,we cannot expect large storage for decryption keys in theresource-constraint devices like smart phones, smart cards,or wireless sensor nodes. Especially, these secret keys areusually stored in the tamper-proof memory, which isrelatively expensive. The present research efforts mainlyfocus on minimizing the communication requirements(such as bandwidth, rounds of communication) likeaggregate signature [6]. However, not much has been doneabout the key itself (see Section 3 for more details).

1.1 Our Contributions

In modern cryptography, a fundamental problem we oftenstudy is about leveraging the secrecy of a small piece ofknowledge into the ability to perform cryptographicfunctions (e.g., encryption, authentication) multiple times.In this paper, we study how to make a decryption key morepowerful in the sense that it allows decryption of multipleciphertexts, without increasing its size. Specifically, ourproblem statement is

To design an efficient public-key encryption scheme whichsupports flexible delegation in the sense that any subset of theciphertexts (produced by the encryption scheme) is decryptable bya constant-size decryption key (generated by the owner of themaster-secret key).

We solve this problem by introducing a special type ofpublic-key encryption which we call key-aggregate crypto-system (KAC). In KAC, users encrypt a message notonly under a public-key, but also under an identifier of

ciphertext called class. That means the ciphertexts arefurther categorized into different classes. The key ownerholds a master-secret called master-secret key, which can beused to extract secret keys for different classes. Moreimportantly, the extracted key have can be an aggregate keywhich is as compact as a secret key for a single class, butaggregates the power of many such keys, i.e., the decryp-tion power for any subset of ciphertext classes.

With our solution, Alice can simply send Bob a singleaggregate key via a secure e-mail. Bob can downloadthe encrypted photos from Alices Dropbox space and thenuse this aggregate key to decrypt these encrypted photos.The scenario is depicted in Fig. 1.

The sizes of ciphertext, public-key, master-secret key,and aggregate key in our KAC schemes are all of constantsize. The public system parameter has size linear in thenumber of ciphertext classes, but only a small part of it isneeded each time and it can be fetched on demand fromlarge (but nonconfidential) cloud storage.

Previous results may achieve a similar property featur-ing a constant-size decryption key, but the classes need toconform to some predefined hierarchical relationship. Ourwork is flexible in the sense that this constraint iseliminated, that is, no special relation is required betweenthe classes. The detail and other related works can be foundin Section 3.

We propose several concrete KAC schemes with differentsecurity levels and extensions in this paper. All construc-tions can be proven secure in the standard model. To thebest of our knowledge, our aggregation mechanism2 in KAChas not been investigated.

2 KEY-AGGREGATE ENCRYPTION

We first give the framework and definition for key-aggregate encryption. Then we describe how to use KACin a scenario of its application in cloud storage.

CHU ET AL.: KEY-AGGREGATE CRYPTOSYSTEM FOR SCALABLE DATA SHARING IN CLOUD STORAGE 469

Fig. 1. Alice shares files with identifiers 2, 3, 6, and 8 with Bob bysending him a single aggregate key.

2. It is obvious that we are not proposing an algorithm to compress thedecryption key. On one hand, cryptographic keys come from a high-entropy source and are hardly compressible. On the other hand, decryptionkeys for all possible combinations of ciphertext classes are all in constant-sizeinformation theoretically speaking such compression schemecannot exist.

2.1 Framework

A key-aggregate encryption scheme consists of five

polynomial-time algorithms as follows.The data owner establishes the public system parameter

via Setup and generates a public/master-secret3 key pair

via KeyGen. Messages can be encrypted via Encrypt by

anyone who also decides what ciphertext class is asso-

ciated with the plaintext message to be encrypted. The

data owner can use the master-secret to generate an

aggregate decryption key for a set of ciphertext classes via

Extract. The generated keys can be passed to delegatees

securely (via secure e-mails or secure devices) Finally, any

user with an aggregate key can decrypt any ciphertext

provided that the ciphertexts class is contained in the

aggregate key via Decrypt.4

. Setup1; n: executed by the data owner to setup anaccount on an untrusted server. On input a securitylevel parameter 1 and the number of ciphertextclasses n (i.e., class index should be an integerbounded by 1 and n), it outputs the public systemparameter param, which is omitted from the inputof the other algorithms for brevity.

. KeyGen: executed by the data owner to randomlygenerate a public/master-secret key pair pk; msk.

. Encryptpk; i;m: executed by anyone who wants toencrypt data. On input a public-key pk, an index idenoting the ciphertext class, and a message m, itoutputs a ciphertext C.

. Extractmsk;S: executed by the data owner fordelegating the decrypting power for a certain set ofciphertext classes to a delegatee. On input themaster-secret key msk and a set S of indicescorresponding to different classes, it outputs theaggregate key for set S denoted by KS .

. DecryptKS;S; i; C: executed by a delegatee whoreceived an aggregate key KS generated by Extract.On input KS , the set S, an index i denoting theciphertext class the ciphertext C belongs to, and C, itoutputs the decrypted result m if i 2 S.

There are two functional requirements:

. Correctness. For any integers and n, any setS f1; . . . ; ng, any index i 2 S and any message m,

. Compactness.For any integers,n, any setS, any indexi 2 S and any message m; param Setup1; n,pk; msk KeyGen, KS Extractmsk;S andC Encryptpk; i;m; jKSj and jCj only depend onthe security parameter but independent of thenumber of classes n.

2.2 Sharing Encrypted Data

A canonical application of KAC is data sharing. The keyaggregation property is especially useful when we expectthe delegation to be efficient and flexible. The schemesenable a content provider to share her data in a confidentialand selective way, with a fixed and small ciphertextexpansion, by distributing to each authorized user a singleand small aggregate key.

Here, we describe the main idea of data sharing in cloudstorage using KAC, illustrated in Fig. 2. Suppose Alicewants to share her data m1;m2; . . . ;m on the server. Shefirst performs Setup1; n to get param and execute KeyGento get the public/master-secret key pair pk; msk. Thesystem parameter param and public-key pk can be madepublic and master-secret key msk should be kept secret byAlice. Anyone (including Alice herself) can then encrypteach mi by Ci Encryptpk; i;mi. The encrypted data areuploaded to the server.

With param and pk, people who cooperate with Alicecan update Alices data on the server. Once Alice is willingto share a set S of her data with a friend Bob, she cancompute the aggregate key KS for Bob by performingExtractmsk;S. Since KS is just a constant-size key, it iseasy to be sent to Bob via a secure e-mail.

After obtaining the aggregate key, Bob can download thedata he is authorized to access. That is, for each i 2 S, Bobdownloads Ci (and some needed values in param) from theserver. With the aggregate key KS , Bob can decrypt each Ciby DecryptKS;S; i; Ci for each i 2 S.

3 RELATED WORK

This section we compare our basic KAC scheme with otherpossible solutions on sharing in secure cloud storage. Wesummarize our comparisons in Table 1.

3.1 Cryptographic Keys for a Predefined Hierarchy

We start by discussing the most relevant study in theliterature of cryptography/security. Cryptographic keyassignment schemes (e.g., [11], [12], [13], [14]) aim tominimize the expense in storing and managing secret keysfor general cryptographic use. Utilizing a tree structure, a key


Fig. 2. Using KAC for data sharing in cloud storage.

3. We call this as master-secret key to avoid confusion with the delegatedkey we will explain later.

4. For simplicity, we omit the inclusion of a decryption algorithm for theoriginal data owner using the master-secret key. In our specific construc-tions, we will show how the knowledge of the master-secret key allows afaster decryption than using Extract followed by Decrypt.

for a given branch can be used to derive the keys of itsdescendant nodes (but not the other way round). Justgranting the parent key implicitly grants all the keys of itsdescendant nodes. Sandhu [15] proposed a method togenerate a tree hierarchy of symmetric-keys by usingrepeated evaluations of pseudorandom function/block-cipher on a fixed secret. The concept can be generalized froma tree to a graph. More advanced cryptographic key assign-ment schemes support access policy that can be modeled byan acyclic graph or a cyclic graph [16], [17], [7]. Most of theseschemes produce keys for symmetric-key cryptosystems, eventhough the key derivations may require modular arithmeticas used in public-key cryptosystems, which are generallymore expensive than symmetric-key operations such aspseudorandom function.

We take the tree structure as an example. Alice can firstclassify the ciphertext classes according to their subjects likeFig. 3. Each node in the tree represents a secret key, whilethe leaf nodes represents the keys for individual ciphertextclasses. Filled circles represent the keys for the classes to bedelegated and circles circumvented by dotted lines repre-sent the keys to be granted. Note that every key of thenonleaf node can derive the keys of its descendant nodes.

In Fig. 3a, if Alice wants to share all the files in thepersonal category, she only needs to grant the key for thenode personal, which automatically grants the delegateethe keys of all the descendant nodes (photo, music). Thisis the ideal case, where most classes to be shared belong tothe same branch and thus a parent key of them is sufficient.

However, it is still difficult for general cases. As shown inFig. 3b, if Alice shares her demo music at work(work! casual! demo and work! confidential! demo) with a colleague who also has the rights to seesome of her personal data, what she can do is to give morekeys, which leads to an increase in the total key size. One cansee that this approach is not flexible when the classificationsaremore complex and shewants to share different sets of filesto different people. For this delegatee in our example, the

number of granted secret keys becomes the same as thenumber of classes.

In general, hierarchical approaches can solve theproblem partially if one intends to share all files under acertain branch in the hierarchy. On average, the number ofkeys increases with the number of branches. It is unlikely tocome up with a hierarchy that can save the number of totalkeys to be granted for all individuals (which can access adifferent set of leaf-nodes) simultaneously.

3.2 Compact Key in Symmetric-Key Encryption

Motivated by the same problem of supporting flexiblehierarchy in decryption power delegation (but in sym-metric-key setting), Benaloh et al. [8] presented an encryp-tion scheme which is originally proposed for conciselytransmitting large number of keys in broadcast scenario[18]. The construction is simple and we briefly review itskey derivation process here for a concrete description ofwhat are the desirable properties we want to achieve. Thederivation of the key for a set of classes (which is a subset ofall possible ciphertext classes) is as follows: A compositemodulus N p q is chosen where p and q are two largerandom primes. A master-secret key Y is chosen at randomfrom ZZN . Each class is associated with a distinct prime ei.All these prime numbers can be put in the public systemparameter.5 A constant-size key for set S0 can be generated(with the knowledge of N) as

kS0 Y 1=Q

j2S0 ejmod N:

For those who have been delegated the access rights for Swhere S0 S, kS0 can be computed by

k

Qj2SnS0 ej

S :

As a concrete example, a key for classes represented bye1; e2; e3 can be generated as Y

1=e1e2e3, from which each ofY 1=e1 , Y 1=e2 , and Y 1=e3 can easily be derived (whileproviding no information about keys for any other class,say, e4). This approach achieves similar properties andperformances as our schemes. However, it is designed forthe symmetric-key setting instead. The encryptor needs toget the corresponding secret keys to encrypt data, which isnot suitable for many applications. Since their method isused to generate a secret value rather than a pair of public/secret keys, it is unclear how to apply this idea for public-key encryption scheme.

Finally,we note that there are schemeswhich try to reducethe key size for achieving authentication in symmetric-key


Fig. 3. Compact key is not always possible for a fixed hierarchy.

5. Another way to do this is to apply hash function to the string denotingthe class, and keep hashing repeatedly until a prime is obtained as theoutput of the hash function.

TABLE 1Comparisons between Our Basic KAC Scheme and Other Related Schemes

encryption, for example, [19]. However, sharing of decryp-tion power is not a concern in these schemes.

3.3 Compact Key in Identity-Based Encryption (IBE)

IBE (e.g., [20], [21], [22]) is a type of public-key encryption inwhich the public-key of a user can be set as an identity-string of the user (e.g., an email address). There is a trustedparty called private key generator in IBE which holds amaster-secret key and issues a secret key to each user withrespect to the user identity. The encryptor can take thepublic parameter and a user identity to encrypt a message.The recipient can decrypt this ciphertext by his secret key.

Guo et al. [23], [9] tried to build IBE with key aggregation.One of their schemes [23] assumes random oracles butanother [9] does not. In their schemes, key aggregation isconstrained in the sense that all keys to be aggregated mustcome from different identity divisions. While there are anexponential number of identities and thus secret keys, only apolynomial number of them can be aggregated. Mostimportantly, their key-aggregation [23], [9] comes at theexpense of On sizes for both ciphertexts and the publicparameter, where n is the number of secret keyswhich can beaggregated into a constant size one. This greatly increases thecosts of storing and transmitting ciphertexts, which isimpractical in many situations such as shared cloud storage.As we mentioned, our schemes feature constant ciphertextsize, and their security holds in the standard model.

In fuzzy IBE [21], one single compact secret key candecrypt ciphertexts encrypted under many identities whichare close in a certain metric space, but not for an arbitraryset of identities and, therefore, it does not match with ouridea of key aggregation.

3.4 Other Encryption Schemes

Attribute-based encryption (ABE) [10], [24] allows eachciphertext to be associated with an attribute, and themaster-secret key holder can extract a secret key for apolicy of these attributes so that a ciphertext can bedecrypted by this key if its associated attribute conformsto the policy. For example, with the secret key for the policy2 _ 3 _ 6 _ 8, one can decrypt ciphertext tagged with class2, 3, 6, or 8. However, the major concern in ABE is collusion-resistance but not the compactness of secret keys. Indeed,the size of the key often increases linearly with the numberof attributes it encompasses, or the ciphertext-size is notconstant (e.g., [25]).

To delegate the decryption power of some ciphertextswithout sending the secret key to the delegatee, a usefulprimitive is proxy re-encryption (PRE) (e.g., [26], [27], [28],[29]). A PRE scheme allows Alice to delegate to the server(proxy) the ability to convert the ciphertexts encryptedunder her public-key into ones for Bob. PRE is well knownto have numerous applications including cryptographic filesystem [30]. Nevertheless, Alice has to trust the proxy that itonly converts ciphertexts according to her instruction,which is what we want to avoid at the first place. Evenworse, if the proxy colludes with Bob, some form of Alicessecret key can be recovered which can decrypt Alices(convertible) ciphertexts without Bobs further help. Thatalso means that the transformation key of proxy should bewell protected. Using PRE just moves the secure key storagerequirement from the delegatee to the proxy. It is, thus,undesirable to let the proxy reside in the storage server.

That will also be inconvenient since every decryptionrequires separate interaction with the proxy.

4 CONCRETE CONSTRUCTIONS OF KAC

Let GG and GGT be two cyclic groups of prime order p ande^ : GGGG! GGT be a map with the following properties:

. Bilinear: 8g1; g2 2 GG, a; b 2 ZZ, e^ga1; gb2 e^g1; g2ab.

. Nondegenerate: for some g 2 GG, e^g; g 6 1.GG is a bilinear group if all the operations involved aboveare efficiently computable. Many classes of elliptic curvesfeature bilinear groups.

4.1 A Basic Construction

The design of our basic scheme is inspired from thecollusion-resistant broadcast encryption scheme proposedby Boneh et al. [31]. Although their scheme supportsconstant-size secret keys, every key only has the power fordecrypting ciphertexts associated to a particular index. We,thus, need to devise a new Extract algorithm and thecorresponding Decrypt algorithm.

. Setup1; n: Randomly pick a bilinear group GG ofprime order p where 2 p 21, a generator g 2GG and 2R ZZp. Compute gi gi 2 GG for i 1; . . . ;n; n 2; . . . ; 2n. Output the system parameter asparam hg; g1; . . . ; gn; gn2; . . . ; g2ni ( can be safelydeleted after Setup).

Note that each ciphertext class is represented byan index in the integer set f1; 2; . . . ; ng, where n isthe maximum number of ciphertext classes.

. KeyGen(): Pick 2R ZZp, output the public andmaster-secret key pair: pk v g; msk .

. Encryptpk; i;m: For amessagem 2 GGT and an indexi 2 f1; 2; . . . ; ng, randomly pick t 2R ZZp and computethe ciphertext as C hgt; vgit;m e^g1; gnti.

. Extractmsk ;S: For the set S of indices js, theaggregate key is computed as KS

Qj2S g

n1j.

Since S does not include 0, gn1j gn1j can alwaysbe retrieved from param.

. DecryptKS ;S; i; C hc1; c2; c3i: If i 62 S, output ?.Otherwise, return the message: m c3 e^KS Q

j2S;j6i gn 1 j i; c1=e^Q

j2S gn1j; c2.For the data owner, with the knowledge of , the

term e^g1; gnt can be easily recovered by e^c1; gn e^gt; gn e^g1; gnt.

For correctness, we can see that

c3 e^ KS Y

j2S;j6ign1ji; c1

!e^Yj2S

gn1j; c2

!

c3 e^Qj2S gn1j Qj2S;j6i gn1ji; gt

e^Qj2S gn1j; vgit c3 e^

Yj2S;j 6i

gn1ji; gt !

e^Yj2S

gn1j; gti

!

c3 e^Qj2S gn1ji; gt=e^gn1; gt

e^Qj2S gn1ji; gt m e^g1; gnt=e^gn1; gt m:


4.1.1 Performance

For encryption, the value e^g1; gn can be precomputed andput in the system parameter. On the other hand, we can seethat decryption only takes two pairings while only one ofthem involves the aggregate key. That means we only needone pairing computation within the security chip storingthe (secret) aggregate key. It is fast to compute a pairingnowadays, even in resource-constrained devices. Efficientsoftware implementations exist even for sensor nodes [32].

4.1.2 Discussions

The magic of getting constant-size aggregate key andconstant-size ciphertext simultaneously comes from thelinear-size system parameter. Our motivation is to reducethe secure storage and this is a tradeoff between two kinds ofstorage. The parameter can be placed in nonconfidentiallocal storage or in a cache provided by the service company.They can also be fetched on demand, as not all of them arerequired in all occasions.

The system parameter can also be generated by a trustedparty, shared between all users and even hard-coded to theuser program (and can be updated via patches). In thiscase, while the users need to trust the parameter-generatorfor securely erasing any ephemeral values used, the accesscontrol is still ensured by a cryptographic mean instead ofrelying on some server to restrict the accesses honestly.

4.2 Public-Key Extension

If a user needs to classify his ciphertexts into more thann classes, he can register for additional key pairspk2; msk2; . . . ; pk; msk. Each class now is indexed bya two-level index in fi; j j 1 i ; 1 j ng and thenumber of classes is increased by n for each added key.

Since the new public-key can be essentially treated as anew user, one may have the concern that key aggregationacross two independent users is not possible. It seems thatwe face the problem of hierarchical solution as reviewed inSection 1, but indeed, we still achieve shorter key size andgain flexibility as illustrated in Fig. 4. Fig. 4 shows theflexibility of our approach. We achieve local aggregation,which means the secret keys under the same branch canalways be aggregated. We use a quaternary tree for the lastlevel just for better illustration of our distinctive feature.Our advantage is still preserved when compared withquaternary trees in hierarchical approach, in which thelatter either delegates the decryption power for all fourclasses (if the key for their parent class is delegated) or thenumber of keys will be the same as the number of classes.For our approach, at most two aggregate keys are neededin our example.

Below we give the details on how encryption and

decryption work when the public-key is extended, which

is similar to the np

-approach [31].

. Setup and KeyGen: Same as the basic construction.

. Extendpkl; mskl: Execute KeyGen() to get vl1;l1 2 GG ZZp, output the extended public andmaster-secret keys as pkl1 pkl; vl1; mskl1 mskl; l1.

. Encryptpkl; a; b;m: Let pkl fv1; . . . ; vlg. For anindex a; b; 1 a l; 1 b n, pick t 2R ZZp, outputthe ciphertext as C hgt; vagbt;m e^g1; gnti.

. Extractmskl;Sl: Let mskl f1; 2; . . . ; lg. For a setSl of indices i; j; 1 i l; 1 j n, get gn1j g

n1jfrom param, output:

KSl Y1;j2Sl

g1n1j;Y2;j2Sl

g2n1j; . . . ;Yl;j2Sl

gln1j

0@

1A:

. DecryptKSl ;Sl; a; b; C: If a; b 62 Sl, output ?.Otherwise, let KSl d1; . . . ; dl and C hc1; c2; c3i.Output the message:

m c3 e^da Qa;j2Sl ;j6b gn1jb; c1

e^Qa;j2Sl gn1j; c2 :Just like the basic construction, the decryption can be

done more efficiently with the knowledge of is.

Correctness is not much more difficult to see

c3 e^ da Y

a;j2Sl ;j6bgn1jb; c1

0@

1A,e^ Y

a;j2Slgn1j; c2

0@

1A

c3 e^Ya;j2Sl

gan1j Y

a;j2Sl ;j6bgn1jb; gt

0@

1A,

e^Ya;j2Sl

gn1j; vagbt0@

1A

c3 e^Y

a;j2Sl ;j6bgn1jb; gt

0@

1A,e^ Y

a;j2Slgn1j; gtb

0@

1A

m e^g1; gnt=e^gn1; gt m:We can also prove the semantic security of this extended

scheme. The proof is very similar to that for the basic

scheme and therefore is omitted. The public-key of our CCA

construction to be presented below can also be extended

using the same Extend algorithm.

4.2.1 Discussions

To make the best out of our extended scheme (i.e., to make

the key size as small as possible), we suggest that the

ciphertext classes for different purposes should be corre-

sponded to different public-keys. This is reasonable in

practice and does not contradict our criticism on hierarch-

ical methods that an efficient assignment of hierarchy

requires a priori knowledge on what to be shared. Using

our example, pk1 and pk2 correspond to personal and


Fig. 4. Key assignment in our approach.

work. It is likely to have many subcategories under eitherof them but it may not be equally likely to share both ofthem (if the user does not gossip about office drama withfriends and do not expose party photos to colleagues).Another example, say a users categorization includemusic and game. One day she becomes a graduatestudent and needs to publish, and therefore find the newneed to add a category paper, which is probablyindependent of music and game.

4.2.2 Other Implication

This key extension approach can also be seen as a keyupdate process. In case a secret value is compromised, wecan replace the compromised pk1 with a new key pk2. Thesmall aggregate key size minimizes the communicationoverhead for transferring the new key.

5 PERFORMANCE ANALYSIS

5.1 Compression Factors

For a concrete comparison, we investigate the spacerequirements of the tree-based key assignment approachwe described in Section 3.1. This is used in the completesubtree scheme, which is a representative solution to thebroadcast encryption problem following the well-knownsubset-cover framework [33]. It employs a static logical keyhierarchy, which is materialized with a full binary key treeof height h (equals to 3 in Fig. 3), and thus can support up to2h ciphertext classes, a selected part of which is intended foran authorized delegatee.

In an ideal case as depicted in Fig. 3a, the delegatee canbe granted the access to 2hs classes with the possession ofonly one key, where hs is the height of a certain subtree(e.g., hs 2 in Fig. 3a). On the other hand, to decryptciphertexts of a set of classes, sometimes the delegatee mayhave to hold a large number of keys, as depicted in Fig. 3b.Therefore, we are interested in na, the number of symmetric-keys to be assigned in this hierarchical key approach, in anaverage sense.

We assume that there are exactly 2h ciphertext classes, andthe delegatee of concern is entitled to a portion r of them.That is, r is the delegation ratio, the ratio of the delegatedciphertext classes to the total classes. Obviously, if r 0, nashould also be 0, whichmeans no access to any of the classes;if r 100%, na should be as low as 1, which means that thepossession of only the root key in the hierarchy can grant theaccess to all the 2h classes. Consequently, one may expectthat na may first increase with r, and may decrease later. Weset r 10%; 20%; . . . ; 90%, and choose the portion in arandom manner to model an arbitrary delegation pattern

for different delegatees. For each combination of r and h, werandomly generate 104 different combinations of classes tobe delegated, and the output key set size na is the averageover random delegations.

We tabulate the results in Table 2, where h 16; 18; 20respectively.6 For a given h, na increases with the delegationratio r until r reaches 70%. An amazing fact is that, theratio of na to N 2h1 1, the total number of keys in thehierarchy (e.g., N 15 in Fig. 3), appears to be onlydetermined by r but irrelevant of h. This is because whenthe number of ciphertext classes (2h) is large and thedelegation ratio (r) is fixed, this kind of random delegationachieves roughly the same key assignment ratios (na=N).Thus, for the same r, na grows exponentially with h. We caneasily estimate how many keys we need to assign when weare given r and h.

We then turn our focus to the compression7 factor F for acertain h, i.e., the average number of delegated classes thateach granted key can decrypt. Specifically, it is the ratio ofthe total number of delegated classes (r2h) to the number ofgranted keys required (na). Certainly, higher compressionfactor is preferable because it means each granted key candecrypt more ciphertexts. Fig. 5a illustrates the relationshipbetween the compression factor and the delegation ratio.Somewhat surprisingly, we found that F 3:2 even fordelegation ratio of r 0:9, and F < 6 for r 0:95, whichdeviates from the intuition that only a small number ofpowerful keys are needed for delegating most of theclasses. We can only get a high (but still small) compressionfactor when the delegation ratio is close to 1.

A comparison of the number of granted keys betweenthree methods is depicted in Fig. 5b. We can see that if wegrant the key one by one, the number of granted keyswould be equal to the number of the delegated ciphertextclasses. With the tree-based structure, we can save anumber of granted keys according to the delegation ratio.On the contrary, in our proposed approach, the delegationof decryption can be efficiently implemented with theaggregate key, which is only of fixed size.

In our experiment, the delegation is randomly chosen. Itmodels the situation that the needs for delegating todifferent users may not be predictable as time goes by,even after a careful initial planning. This gives empiricalevidences to support our thesis that hierarchical keyassignment does not save much in all cases.


6. Legend: h: The height of the binary tree: there are total 2h ciphertextclasses, na: The number of keys to be assigned, N : The total number of keysin the hierarchy, r: The delegation ratio: the ratio of the delegated ciphertextclasses to the total classes.

7. As discussed, we are not proposing a compression mechanism, yet weeffectively save the costly secure storage requirement.

TABLE 2Compression Ratios for Different Delegation Ratios and Tree Heights

5.2 Performance of Our Proposed Schemes

Our approaches allow the compression factor F (F n inour schemes) to be a tunable parameter, at the cost of On-sized system parameter. Encryption can be done inconstant time, while decryption can be done in OjSjgroup multiplications (or point addition on elliptic curves)with two pairing operations, where S is the set ofciphertext classes decryptable by the granted aggregatekey and jSj n. As expected, key extraction requires OjSjgroup multiplications as well, which seems unavoidable.However, as demonstrated by the experiment results, wedo not need to set a very high n to have better compressionthan the tree-based approach. Note that group multi-plication is a very fast operation.

Again, we confirm empirically that our analysis is true.We implemented the basic KAC system in C with thepairing-based cryptography (PBC) Library8 version 0.4.18for the underlying elliptic-curve group and pairing opera-tions. Since the granted key can be as small as one GGelement, and the ciphertext only contains two GG and oneGGT elements, we used (symmetric) pairings over Type-A(supersingular) curves as defined in the PBC library whichoffers the highest efficiency among all types of curves, eventhough Type-A curves do not provide the shortestrepresentation for group elements. In our implementation,p is a 160-bit Solinas prime, which offers 1,024-bit ofdiscrete-logarithm security. With this Type-A curves

setting in PBC, elements of groups GG and GGT take 512and 1,024 bits to represent, respectively.

The test machine is a Sun UltraSparc IIIi systemwith dualCPU (1,002MHz) running Solaris, each with 2-GB RAM. Thetimings reported below are averaged over 100 randomizedruns. In our experiment, we take the number of ciphertextclasses n 216 65,536. The Setup algorithm, while out-putting 2n 1 elements by doing 2n 2 exponentia-tions, can be made efficient by preprocessing functionoffered by PBC, which saves time for exponentiating thesame element (g) in the long run. This is the only low-leveloptimization trick we have used. All other operations areimplemented in a straightforward manner. In particular, wedid not exploit the fact that e^g1; gn will be exponentiatedmany times across different encryptions. However, weprecomputed its value in the setup stage, such that theencryption can be done without computing any pairing.

Our experiment results are shown in Table 3. Theexecution times of Setup, KeyGen, and Encrypt areindependent of the delegation ratio r. In our experiments,KeyGen takes 3.3 milliseconds and Encrypt takes 6.8milliseconds. As expected, the running time complexitiesof Extract and Decrypt increase linearly with the delegationratio r (which determines the size of the delegated set S).Our timing results also conform to what can be seen fromthe equation in Extract and Decrypttwo pairing opera-tions take negligible time, the running time of Decrypt isroughly a double of Extract. Note that our experimentsdealt with up to 65,536 number of classes (which is also thecompression factor), and should be large enough for fine-grained data sharing in most situations.

Finally, we remark that for applications where thenumber of ciphertext classes is large but the nonconfidentialstorage is limited, one should deploy our schemes using theType-D pairing bundled with the PBC, which only requires170-bit to represent an element in GG. For n 216, the systemparameter requires approximately 2.6 megabytes, which isas large as a lower quality MP3 file or a higher resolutionJPEG file that a typical cellphone can storemore than a dozenof them. But we saved expensive secure storage without thehassle of managing a hierarchy of delegation classes.

6 NEW PATIENT-CONTROLLED ENCRYPTION (PCE)

Motivated by the nationwide effort to computerize Amer-icas medical records, the concept of patient-controlledencryption has been studied [8]. In PCE, the health record isdecomposed into a hierarchical representation based on theuse of different ontologies, and patients are the parties whogenerate and store secret keys. When there is a need for ahealthcare personnel to access part of the record, a patientwill release the secret key for the concerned part of therecord. In the work of Benaloh et al. [8], three solutions havebeen provided, which are symmetric-key PCE for fixedhierarchy (the folklore tree-based method in Section 3.1),


TABLE 3Performance of Our Basic Construction for h 16 with Respect

to Different Delegation Ratio r (in Milliseconds)

8. http://crypto.stanford.edu/pbc.

Fig. 5. (a) Compression achieved by the tree-based approach for

delegating different ratio of the classes. (b) Number of granted keys (na)

required for different approaches in the case of 65,536 classes of data.

public-key PCE for fixed hierarchy (the IBE analog of thefolklore method, as mentioned in Section 3.1), and RSA-based symmetric-key PCE for flexible hierarchy (which isthe set membership access policy as we explained).

Our work provides a candidate solution for the missingpiece, public-key PCE for flexible hierarchy, which theexistence of an efficient construction was an open question.Any patient can either define her own hierarchy accordingto her need, or follow the set of categories suggested by theelectronic medical record system she is using, such as clinicvisits, x-rays, allergies, medications, and so on.When the patient wishes to give access rights to her doctor,she can choose any subset of these categories and issue asingle key, from which keys for all these categories can becomputed. Thus, we can essentially use any hierarchy wechoose, which is especially useful when the hierarchy canbe complex. Finally, one healthcare personnel deals withmany patients and the patient record is possible stored incloud storage due to its huge size (e.g., high-resolutionmedical imaging employing x-ray), compact key size andeasy key management are of paramount importance.

7 CONCLUSION AND FUTURE WORK

How to protect users data privacy is a central question ofcloud storage. With more mathematical tools, cryptographicschemes are getting more versatile and often involve multi-ple keys for a single application. In this paper, we considerhow to compress secret keys in public-key cryptosystemswhich support delegation of secret keys for differentciphertext classes in cloud storage. No matter which oneamong the power set of classes, the delegatee can always getan aggregate key of constant size. Our approach is moreflexible than hierarchical key assignment which can onlysave spaces if all key-holders share a similar set of privileges.

A limitation in our work is the predefined bound of thenumber of maximum ciphertext classes. In cloud storage,the number of ciphertexts usually grows rapidly. So wehave to reserve enough ciphertext classes for the futureextension. Otherwise, we need to expand the public-key aswe described in Section 4.2.

Although the parameter can be downloaded withciphertexts, it would be better if its size is independent ofthe maximum number of ciphertext classes. On the otherhand, when one carries the delegated keys around in amobile device without using special trusted hardware, thekey is prompt to leakage, designing a leakage-resilientcryptosystem [22], [34] yet allows efficient and flexible keydelegation is also an interesting direction.

ACKNOWLEDGMENTS

This work was supported by the Singapore A*STAR projectSecDC-112172014. The second author is supported by theEarly Career Scheme and the Early Career Award of theResearch Grants Council, Hong Kong SAR (CUHK 439713),and grants (4055018, 4930034) from Chinese University ofHong Kong.

REFERENCES[1] S.S.M. Chow, Y.J. He, L.C.K. Hui, and S.-M. Yiu, SPICE - Simple

Privacy-Preserving Identity-Management for Cloud Environ-ment, Proc. 10th Intl Conf. Applied Cryptography and NetworkSecurity (ACNS), vol. 7341, pp. 526-543, 2012.

[2] L. Hardesty, Secure Computers Arent so Secure. MIT press, http://www.physorg.com/news176107396.html, 2009.

[3] C. Wang, S.S.M. Chow, Q. Wang, K. Ren, and W. Lou, Privacy-Preserving Public Auditing for Secure Cloud Storage, IEEE Trans.Computers, vol. 62, no. 2, pp. 362-375, Feb. 2013.

[4] B. Wang, S.S.M. Chow, M. Li, and H. Li, Storing Shared Data onthe Cloud via Security-Mediator, Proc. IEEE 33rd Intl Conf.Distributed Computing Systems (ICDCS), 2013.

[5] S.S.M. Chow, C.-K. Chu, X. Huang, J. Zhou, and R.H. Deng,Dynamic Secure Cloud Storage with Provenance, Cryptographyand Security, pp. 442-464, Springer, 2012.

[6] D. Boneh, C. Gentry, B. Lynn, and H. Shacham, Aggregate andVerifiably Encrypted Signatures from Bilinear Maps, Proc. 22ndIntl Conf. Theory and Applications of Cryptographic Techniques(EUROCRYPT 03), pp. 416-432, 2003.

[7] M.J. Atallah, M. Blanton, N. Fazio, and K.B. Frikken, Dynamicand Efficient Key Management for Access Hierarchies, ACMTrans. Information and System Security, vol. 12, no. 3, pp. 18:1-18:43,2009.

[8] J. Benaloh, M. Chase, E. Horvitz, and K. Lauter, PatientControlled Encryption: Ensuring Privacy of Electronic MedicalRecords, Proc. ACM Workshop Cloud Computing Security(CCSW 09), pp. 103-114, 2009.

[9] F. Guo, Y. Mu, Z. Chen, and L. Xu, Multi-Identity Single-KeyDecryption without Random Oracles, Proc. Information Securityand Cryptology (Inscrypt 07), vol. 4990, pp. 384-398, 2007.

[10] V. Goyal, O. Pandey, A. Sahai, and B. Waters, Attribute-BasedEncryption for Fine-Grained Access Control of Encrypted Data,Proc. 13th ACM Conf. Computer and Comm. Security (CCS 06),pp. 89-98, 2006.

[11] S.G. Akl and P.D. Taylor, Cryptographic Solution to a Problem ofAccess Control in a Hierarchy, ACM Trans. Computer Systems,vol. 1, no. 3, pp. 239-248, 1983.

[12] G.C. Chick and S.E. Tavares, Flexible Access Control with MasterKeys, Proc. Advances in Cryptology (CRYPTO 89), vol. 435,pp. 316-322, 1989.

[13] W.-G. Tzeng, A Time-Bound Cryptographic Key AssignmentScheme for Access Control in a Hierarchy, IEEE Trans. Knowledgeand Data Eng., vol. 14, no. 1, pp. 182-188, Jan./Feb. 2002.

[14] G. Ateniese, A.D. Santis, A.L. Ferrara, and B. Masucci, Provably-Secure Time-Bound Hierarchical Key Assignment Schemes,J. Cryptology, vol. 25, no. 2, pp. 243-270, 2012.

[15] R.S. Sandhu, Cryptographic Implementation of a Tree Hierarchyfor Access Control, Information Processing Letters, vol. 27, no. 2,pp. 95-98, 1988.

[16] Y. Sun and K.J.R. Liu, Scalable Hierarchical Access Control inSecure Group Communications, Proc. IEEE INFOCOM 04, 2004.

[17] Q. Zhang and Y. Wang, A Centralized Key Management Schemefor Hierarchical Access Control, Proc. IEEE Global Telecomm. Conf.(GLOBECOM 04), pp. 2067-2071, 2004.

[18] J. Benaloh, Key Compression and Its Application to DigitalFingerprinting, technical report, Microsoft Research, 2009.

[19] B. Alomair and R. Poovendran, Information Theoretically SecureEncryption with Almost Free Authentication, J. UniversalComputer Science, vol. 15, no. 15, pp. 2937-2956, 2009.

[20] D. Boneh and M.K. Franklin, Identity-Based Encryption from theWeil Pairing, Proc. Advances in Cryptology (CRYPTO 01),vol. 2139, pp. 213-229, 2001.

[21] A. Sahai and B. Waters, Fuzzy Identity-Based Encryption, Proc.22nd Intl Conf. Theory and Applications of Cryptographic Techniques(EUROCRYPT 05), vol. 3494, pp. 457-473, 2005.

[22] S.S.M. Chow, Y. Dodis, Y. Rouselakis, and B. Waters, PracticalLeakage-Resilient Identity-Based Encryption from Simple As-sumptions, Proc. ACM Conf. Computer and Comm. Security,pp. 152-161, 2010.

[23] F. Guo, Y. Mu, and Z. Chen, Identity-Based Encryption: How toDecrypt Multiple Ciphertexts Using a Single Decryption Key,Proc. Pairing-Based Cryptography Conf. (Pairing 07), vol. 4575,pp. 392-406, 2007.

[24] M. Chase and S.S.M. Chow, Improving Privacy and Security inMulti-Authority Attribute-Based Encryption, Proc. ACM Conf.Computer and Comm. Security, pp. 121-130. 2009,

[25] T. Okamoto and K. Takashima, Achieving Short Ciphertexts orShort Secret-Keys for Adaptively Secure General Inner-ProductEncryption, Proc. 10th Intl Conf. Cryptology and Network Security(CANS 11), pp. 138-159, 2011.


[26] R. Canetti and S. Hohenberger, Chosen-Ciphertext Secure ProxyRe-Encryption, Proc. 14th ACM Conf. Computer and Comm.Security (CCS 07), pp. 185-194, 2007.

[27] C.-K. Chu and W.-G. Tzeng, Identity-Based Proxy Re-encryptionwithout Random Oracles, Proc. Information Security Conf.(ISC 07), vol. 4779, pp. 189-202, 2007.

[28] C.-K. Chu, J. Weng, S.S.M. Chow, J. Zhou, and R.H. Deng,Conditional Proxy Broadcast Re-Encryption, Proc. 14th Austra-lasian Conf. Information Security and Privacy (ACISP 09), vol. 5594,pp. 327-342, 2009.

[29] S.S.M. Chow, J. Weng, Y. Yang, and R.H. Deng, EfficientUnidirectional Proxy Re-Encryption, Proc. Progress in Cryptology(AFRICACRYPT 10), vol. 6055, pp. 316-332, 2010.

[30] G. Ateniese, K. Fu, M. Green, and S. Hohenberger, ImprovedProxy Re-Encryption Schemes with Applications to SecureDistributed Storage, ACM Trans. Information and System Security,vol. 9, no. 1, pp. 1-30, 2006.

[31] D. Boneh, C. Gentry, and B. Waters, Collusion Resistant Broad-cast Encryption with Short Ciphertexts and Private Keys, Proc.Advances in Cryptology Conf. (CRYPTO 05), vol. 3621, pp. 258-275,2005.

[32] L.B. Oliveira, D. Aranha, E. Morais, F. Daguano, J. Lopez, and R.Dahab, TinyTate: Computing the Tate Pairing in Resource-Constrained Sensor Nodes, Proc. IEEE Sixth Intl Symp. NetworkComputing and Applications (NCA 07), pp. 318-323, 2007.

[33] D. Naor, M. Naor, and J. Lotspiech, Revocation and TracingSchemes for Stateless Receivers, Proc. Advances in Cryptology Conf.(CRYPTO 01), pp. 41-62, 2001.

[34] T.H. Yuen, S.S.M. Chow, Y. Zhang, and S.M. Yiu, Identity-BasedEncryption Resilient to Continual Auxiliary Leakage, Proc.Advances in Cryptology Conf. (EUROCRYPT 12), vol. 7237,pp. 117-134, 2012.

[35] D. Boneh, X. Boyen, and E.-J. Goh, Hierarchical Identity BasedEncryption with Constant Size Ciphertext, Proc. Advances inCryptology Conf. (EUROCRYPT 05), vol. 3494, pp. 440-456, 2005.

[36] D. Boneh, R. Canetti, S. Halevi, and J. Katz, Chosen-CiphertextSecurity from Identity-Based Encryption, SIAM J. Computing,vol. 36, no. 5, pp. 1301-1328, 2007.

Cheng-Kang Chu received the PhD degree incomputer science from National Chiao TungUniversity, Hsinchu, Taiwan. After a postdoc-toral fellowship in Singapore ManagementUniversity with Prof. Robert H. Deng, he joinedCryptography and Security Department at theInstitute for Infocomm Research as a researchscientist. He has had a long-term interest in thedevelopment of new technologies in appliedcryptography, cloud computing security, wire-

less sensor network security and smart grid security. Now, he ismainly working on a project to develop security techniques in large-scale shared storage systems. He has published many researchpapers in major conferences like PKC, CT-RSA, ACNS, etc., andreceived the best student paper award in ISC 2007. He also served asvice chair of IEEE CCNC 2012 and on the program committee of manyinternational conferences including TrustBus, WISTP, IEEE CCNC,IEEE CloudCom, etc.

Sherman S.M. Chow received the PhD degreefrom the Courant Institute of MathematicalSciences, New York University. He was aresearch fellow at the Department of Combina-torics and Optimization, University of Waterloo.He joined the Department of Information En-gineering at the Chinese University of HongKong as an assistant professor in November2012. He interned at NTT Research and Devel-opment (Tokyo), Microsoft Research (Redmond)

and Fuji Xerox Palo Alto Laboratory, and has made research visits to U.Maryland, U. Calgary, U. Texas, HKU, MIT, and Queensland Universityof Technology. These visits resulted in US patent applications and alsoin publications at major conferences such as ACM CCS and IACREUROCRYPT. His research interests include applied cryptography,privacy and distributed systems security in general. He serves on theprogram committees of several international conferences includingASIACRYPT 2012-2014, ACNS 2012-2013, ASIACCS 2013-2014,IEEE-CNS 2013, and Financial Crypt. 2013.

Wen-Guey Tzeng received the BS degree incomputer science and information engineeringfrom National Taiwan University, 1985 and theMS and PhD degrees in computer science fromthe State University of New York at Stony Brook,in 1987 and 1991, respectively. He joined theDepartment of Computer Science, NationalChiao Tung University, Taiwan, in 1991. He iscurrently serving as a chairman of the depart-ment. His current research interests include

cryptology, information security, and network security.

Jianying Zhou received the PhD degree ininformation security from the University ofLondon. He is a senior scientist at the Institutefor Infocomm Research, and heads the NetworkSecurity Group. His research interests includecomputer and network security, mobile andwireless communications security, cloud secur-ity, and smart grid security.

Robert H. Deng has been a professor atthe School of Information Systems, SingaporeManagement University since 2004. Prior to this,he was a principal scientist and a manager ofInfocomm Security Department, Institute forInfocomm Research, Singapore. His researchinterests include data security and privacy,multimedia security, network and system secur-ity. He was the associate editor of the IEEETransactions on Information Forensics and

Security from 2009 to 2012. He is currently an associate editor of theIEEE Transactions on Dependable and Secure Computing, an associateeditor of Security and Communication Networks (John Wiley), and amember of Editorial Board of Journal of Computer Science andTechnology (the Chinese Academy of Sciences). He is the cochair ofthe Steering Committee of the ACM Symposium on Information,Computer and Communications Security. He received the UniversityOutstanding Researcher Award from the National University ofSingapore in 1999 and the Lee Kuan Yew Fellow for ResearchExcellence from the Singapore Management University in 2006. Hewas named Community Service Star and Showcased Senior InformationSecurity Professional by ISC2 under its Asia-Pacific InformationSecurity Leadership Achievements program in 2010. He received theDistinguished Paper Award of the 19th Annual Network and DistributedSystem Security Symposium (NDSS 2012) and the Best Paper Award ofthe 13th Joint IFIP TC6 and TC11 Conference on Communications andMultimedia Security (CMS 2012). He is a senior member of the IEEE.

. For more information on this or any other computing topic,please visit our Digital Library at www.computer.org/publications/dlib.


/ColorImageDict > /JPEG2000ColorACSImageDict > /JPEG2000ColorImageDict > /AntiAliasGrayImages false /CropGrayImages true /GrayImageMinResolution 36 /GrayImageMinResolutionPolicy /Warning /DownsampleGrayImages true /GrayImageDownsampleType /Bicubic /GrayImageResolution 300 /GrayImageDepth -1 /GrayImageMinDownsampleDepth 2 /GrayImageDownsampleThreshold 2.00333 /EncodeGrayImages true /GrayImageFilter /DCTEncode /AutoFilterGrayImages false /GrayImageAutoFilterStrategy /JPEG /GrayACSImageDict > /GrayImageDict > /JPEG2000GrayACSImageDict > /JPEG2000GrayImageDict > /AntiAliasMonoImages false /CropMonoImages true /MonoImageMinResolution 36 /MonoImageMinResolutionPolicy /Warning /DownsampleMonoImages true /MonoImageDownsampleType /Bicubic /MonoImageResolution 600 /MonoImageDepth -1 /MonoImageDownsampleThreshold 1.00167 /EncodeMonoImages true /MonoImageFilter /CCITTFaxEncode /MonoImageDict > /AllowPSXObjects false /CheckCompliance [ /None ] /PDFX1aCheck false /PDFX3Check false /PDFXCompliantPDFOnly false /PDFXNoTrimBoxError true /PDFXTrimBoxToMediaBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXSetBleedBoxToMediaBox true /PDFXBleedBoxToTrimBoxOffset [ 0.00000 0.00000 0.00000 0.00000 ] /PDFXOutputIntentProfile (None) /PDFXOutputConditionIdentifier () /PDFXOutputCondition () /PDFXRegistryName (http://www.color.org) /PDFXTrapped /False

/CreateJDFFile false /Description >>> setdistillerparams> setpagedevice

Key-Aggregate Cryptosystem for Scalable.pdf

Documents

Transcript of Key-Aggregate Cryptosystem for Scalable.pdf