MigrantSystems

1

Shared Authority Based Privacy-preservingAuthentication Protocol in Cloud Computing

Hong Liu, Student Member, IEEE, Huansheng Ning, Senior Member, IEEE, Qingxu Xiong, Member, IEEE,and Laurence T. Yang, Member, IEEE

Abstract—Cloud computing is emerging as a prevalent data interactive paradigm to realize users’ data remotely stored in an onlinecloud server. Cloud services provide great conveniences for the users to enjoy the on-demand cloud applications without consideringthe local infrastructure limitations. During the data accessing, different users may be in a collaborative relationship, and thus datasharing becomes significant to achieve productive benefits. The existing security solutions mainly focus on the authentication to realizethat a user’s privative data cannot be unauthorized accessed, but neglect a subtle privacy issue during a user challenging the cloudserver to request other users for data sharing. The challenged access request itself may reveal the user’s privacy no matter whetheror not it can obtain the data access permissions. In this paper, we propose a shared authority based privacy-preserving authenticationprotocol (SAPA) to address above privacy issue for cloud storage. In the SAPA, 1) shared access authority is achieved by anonymousaccess request matching mechanism with security and privacy considerations (e.g., authentication, data anonymity, user privacy, andforward security); 2) attribute based access control is adopted to realize that the user can only access its own data fields; 3) proxyre-encryption is applied by the cloud server to provide data sharing among the multiple users. Meanwhile, universal composability (UC)model is established to prove that the SAPA theoretically has the design correctness. It indicates that the proposed protocol realizingprivacy-preserving data access authority sharing, is attractive for multi-user collaborative cloud applications.

Index Terms—Cloud computing, authentication protocol, privacy preservation, shared authority, universal composability.

F

1 INTRODUCTION

C LOUD computing is a promising information tech-nology architecture for both enterprises and in-

dividuals. It launches an attractive data storage andinteractive paradigm with obvious advantages, includ-ing on-demand self-services, ubiquitous network access,and location independent resource pooling [1]. Towardsthe cloud computing, a typical service architecture isanything as a service (XaaS), in which infrastructures,platform, software, and others are applied for ubiquitousinterconnections. Recent studies have been worked topromote the cloud computing evolve towards the inter-net of services [2], [3]. Subsequently, security and privacyissues are becoming key concerns with the increasingpopularity of cloud services. Conventional security ap-proaches mainly focus on the strong authentication torealize that a user can remotely access its own datain on-demand mode. Along with the diversity of theapplication requirements, users may want to access andshare each other’s authorized data fields to achieve pro-

• H. Ning is with the School of Computer and Communication Engineering,University of Science and Technology Beijing, China, and also with theSchool of Electronic and Information Engineering, Beihang University,China. E-mail: ninghuansheng@buaa.edu.cn

• H. Liu and Q. Xiong are with the School of Electronic and Information En-gineering, Beihang University, China. E-mail: liuhongler@ee.buaa.edu.cn;qxxiong@buaa.edu.cn

• L. T. Yang is with the School of Computer Science and Technology,Huazhong University of Science and Technology, China, and also with theDepartment of Computer Science, St. Francis Xavier University, Canada.E-mail: ltyang@stfx.ca

ductive benefits, which brings new security and privacychallenges for the cloud storage.

An example is introduced to identify the main mo-tivation. In the cloud storage based supply chain man-agement, there are various interest groups (e.g., supplier,carrier, and retailer) in the system. Each group owns itsusers which are permitted to access the authorized datafields, and different users own relatively independentaccess authorities. It means that any two users fromdiverse groups should access different data fields of thesame file. Thereinto, a supplier purposely may want toaccess a carrier’s data fields, but it is not sure whetherthe carrier will allow its access request. If the carrierrefuses its request, the supplier’s access desire will berevealed along with nothing obtained towards the de-sired data fields. Actually, the supplier may not sendthe access request or withdraw the unaccepted request inadvance if it firmly knows that its request will be refusedby the carrier. It is unreasonable to thoroughly disclosethe supplier’s private information without any privacyconsiderations. Fig. 1 illustrates three revised cases toaddress above imperceptible privacy issue.

• Case 1: The carrier also wants to access the supplier’sdata fields, and the cloud server should inform eachother and transmit the shared access authority to theboth users;

• Case 2: The carrier has no interest on other users’ da-ta fields, therefore its authorized data fields shouldbe properly protected, meanwhile the supplier’saccess request will also be concealed;

IEEE TRANSACTIONS ON PARALLEL AND DISTRIBUTED SYSTEMS VOL:PP NO:99 YEAR 2014

MigrantSystems

2

I want to accessthe carrier's data fields

Retailer

Supplier Carrier

Cloud server

I want to accessthe carrier's data fields

I want to accessthe supplier's data fields

I want to accessthe carrier's data fields No access request

I want to accessthe retailer's data fields

No access request

The different data fields.

Carrier

Carrier

Supplier

Supplier

Fig. 1. Three possible cases during data accessing anddata sharing in cloud applications.

• Case 3: The carrier may want to access the retailer’sdata fields, but it is not certain whether the retailerwill accept its request or not. The retailer’s autho-rized data fields should not be public if the retailerhas no interests in the carrier’s data fields, and thecarrier’s request is also privately hidden.

Towards above three cases, security protection and pri-vacy preservation are both considered without revealingsensitive access desire related information.

In the cloud environments, a reasonable security pro-tocol should achieve the following requirements. 1) Au-thentication: a legal user can access its own data fields,only the authorized partial or entire data fields can beidentified by the legal user, and any forged or tampereddata fields cannot deceive the legal user. 2) Data anonymi-ty: any irrelevant entity cannot recognize the exchangeddata and communication state even it intercepts theexchanged messages via an open channel. 3) User privacy:any irrelevant entity cannot know or guess a user’s ac-cess desire, which represents a user’s interest in anotheruser’s authorized data fields. If and only if the bothusers have mutual interests in each other’s authorizeddata fields, the cloud server will inform the two usersto realize the access permission sharing. 4) Forward secu-rity: any adversary cannot correlate two communicationsessions to derive the prior interrogations according tothe currently captured messages.

Researches have been worked to strengthen securityprotection and privacy preservation in cloud application-s, and there are various cryptographic algorithms to ad-dress potential security and privacy problems, includingsecurity architectures [4], [5], data possession protocols[6], [7], data public auditing protocols [8]–[10], securedata storage and data sharing protocols [11]–[16], accesscontrol mechanisms [17]–[19], privacy preserving proto-cols [20]–[23], and key management [24]–[27]. However,

most previous researches focus on the authentication torealize that only a legal user can access its authorizeddata, which ignores the case that different users maywant to access and share each other’s authorized datafields to achieve productive benefits. When a user chal-lenges the cloud server to request other users for datasharing, the access request itself may reveal the user’sprivacy no matter whether or not it can obtain the dataaccess permissions. In this work, we aim to address auser’s sensitive access desire related privacy during datasharing in the cloud environments, and it is significant todesign a humanistic security scheme to simultaneouslyachieve data access control, access authority sharing, andprivacy preservation.

In this paper, we address the aforementioned priva-cy issue to propose a shared authority based privacy-preserving authentication protocol (SAPA) for the clouddata storage, which realizes authentication and autho-rization without compromising a user’s private informa-tion. The main contributions are as follows.

1) Identify a new privacy challenge in cloud storage,and address a subtle privacy issue during a userchallenging the cloud server for data sharing, inwhich the challenged request itself cannot revealthe user’s privacy no matter whether or not it canobtain the access authority.

2) Propose an authentication protocol to enhance a us-er’s access request related privacy, and the sharedaccess authority is achieved by anonymous accessrequest matching mechanism.

3) Apply ciphertext-policy attribute based access con-trol to realize that a user can reliably access itsown data fields, and adopt the proxy re-encryptionto provide temp authorized data sharing amongmultiple users.

The remainder of the paper is organized as follows.Section 2 introduces related works. Section 3 introducesthe system model, and Section 4 presents the proposedauthentication protocol. The UC model based formal se-curity analysis is performed in Section 5 Finally, Section6 draws a conclusion.

2 RELATED WORK

Dunning et al. [11] proposed an anonymous ID assign-ment based data sharing algorithm (AIDA) for multipar-ty oriented cloud and distributed computing systems. Inthe AIDA, an integer data sharing algorithm is designedon top of secure sum data mining operation, and adoptsa variable and unbounded number of iterations foranonymous assignment. Specifically, Newton’s identitiesand Sturm’s theorem are used for the data mining, adistributed solution of certain polynomials over finitefields enhances the algorithm scalability, and Markovchain representations are used to determine statistics onthe required number of iterations.

Liu et al. [12] proposed a multi-owner data sharingsecure scheme (Mona) for dynamic groups in the cloud

MigrantSystems

3

applications. The Mona aims to realize that a user cansecurely share its data with other users via the untrustedcloud server, and can efficiently support dynamic groupinteractions. In the scheme, a new granted user can di-rectly decrypt data files without pre-contacting with dataowners, and user revocation is achieved by a revocationlist without updating the secret keys of the remainingusers. Access control is applied to ensure that any userin a group can anonymously utilize the cloud resources,and the data owners’ real identities can only be revealedby the group manager for dispute arbitration. It indicatesthe storage overhead and encryption computation costare independent with the amount of the users.

Grzonkowski et al. [13] proposed a zero-knowledgeproof (ZKP) based authentication scheme for sharingcloud services. Based on the social home networks, auser centric approach is applied to enable the sharingof personalized content and sophisticated network-basedservices via TCP/IP infrastructures, in which a trustedthird party is introduced for decentralized interactions.

Nabeel et al. [14] proposed a broadcast group key man-agement (BGKM) to improve the weakness of symmetrickey cryptosystem in public clouds, and the BGKM real-izes that a user need not utilize public key cryptography,and can dynamically derive the symmetric keys duringdecryption. Accordingly, attribute based access controlmechanism is designed to achieve that a user can decryptthe contents if and only if its identity attributes satisfythe content provider’s policies. The fine-grained algo-rithm applies access control vector (ACV) for assigningsecrets to users based on the identity attributes, andallowing the users to derive actual symmetric keys basedon their secrets and other public information. The BGKMhas an obvious advantage during adding/revoking usersand updating access control policies.

Wang et al. [15] proposed a distributed storage in-tegrity auditing mechanism, which introduces the ho-momorphic token and distributed erasure-coded data toenhance secure and dependable storage services in cloudcomputing. The scheme allows users to audit the cloudstorage with lightweight communication overloads andcomputation cost, and the auditing result ensures strongcloud storage correctness and fast data error localization.Towards the dynamic cloud data, the scheme supportsdynamic outsourced data operations. It indicates that thescheme is resilient against Byzantine failure, maliciousdata modification attack, and server colluding attacks.

Sundareswaran et al. [16] established a decentralizedinformation accountability framework to track the user-s’ actual data usage in the cloud, and proposed anobject-centered approach to enable enclosing the loggingmechanism with the users’ data and policies. The JavaARchives (JAR) programmable capability is leveraged tocreate a dynamic and mobile object, and to ensure thatthe users’ data access will launch authentication. Addi-tionally, distributed auditing mechanisms are also pro-vided to strengthen user’s data control, and experimentsdemonstrate the approach efficiency and effectiveness.

User mUser 1 User 2

Data fields

... ...

TTP

Trusted third party(optional)

Data related delegation

Public auditing and dispute arbitration

Cloud server

Fig. 2. The cloud storage system model.

In the aforementioned works, various security issuesare addressed. However, a user’s subtle access requestrelated privacy problem caused by data accessing anddata sharing has not been studied yet in the literature.Here, we identify a new privacy challenge, and pro-pose a protocol not only focusing on authentication torealize the valid data accessing, but also consideringauthorization to provide the privacy-preserving accessauthority sharing. The attribute based access control andproxy re-encryption mechanisms are jointly applied forauthentication and authorization.

3 SYSTEM MODEL

Fig. 2 illustrates a system model for the cloud storagearchitecture, which includes three main network entities:users (Ux), a cloud server (S), and a trusted third party.

• User: an individual or group entity, which ownsits data stored in the cloud for online data storageand computing. Different users may be affiliatedwith a common organization, and are assigned withindependent authorities on certain data fields.

• Cloud server: an entity, which is managed by a par-ticular cloud service provider or cloud applicationoperator to provide data storage and computing ser-vices. The cloud server is regarded as an entity withunrestricted storage and computational resources.

• Trusted third party: an optional and neutral entity,which has advanced capabilities on behalf of theusers, to perform data public auditing and disputearbitration.

In the cloud storage, a user remotely stores its data viaonline infrastructures, flatforms, or software for cloudservices, which are operated in the distributed, parallel,and cooperative modes. During cloud data accessing,the user autonomously interacts with the cloud serverwithout external interferences, and is assigned with thefull and independent authority on its own data fields. Itis necessary to guarantee that the users’ outsourced datacannot be unauthorized accessed by other users, and isof critical importance to ensure the private informationduring the users’ data access challenges. In some sce-narios, there are multiple users in a system (e.g., supplychain management), and the users could have differentaffiliation attributes from different interest groups. One

MigrantSystems

4

of the users may want to access other associate users’data fields to achieve bi-directional data sharing, but itcares about two aspects: whether the aimed user wouldlike to share its data fields, and how cannot exposeits access request if the aimed user declines or ignoresits challenge. In the paper, we pay more attention onthe process of data access control and access authoritysharing other than the specific file oriented cloud datatransmission and management.

In the system model, assume that point-to-point com-munication channels between users and a cloud serverare reliable with the protection of secure shell protocol(SSH). The related authentication handshakes are nothighlighted in the following protocol presentation.

Towards the trust model, there are no trust relation-ships between a cloud server S and a user Ux.

• S is semi-honest and curious: Being semi-honest mean-s that S can be regarded as an entity that appropri-ately follows the protocol procedure. Being curiousmeans that S may attempt to obtain Ux’s private in-formation (e.g., data content, and user preferences).It means that S is under the supervision of itscloud provider or operator, but may be interestedin viewing users’ privacy. In the passive or honest-but-curious model, S cannot tamper with the users’data to maintain the system normal operation withundetected monitoring.

• Ux is rational and sensitive: Being rational means thatUx’s behavior would be never based on experienceor emotion, and misbehavior may only occur forselfish interests. Being sensitive means that Ux isreluctant to disclosure its sensitive data, but hasstrong interests in other users’ privacy.

Towards the threat model, it covers the possible secu-rity threats and system vulnerabilities during cloud datainteractions. The communication channels are exposed inpublic, and both internal and external attacks exist in thecloud applications [15]. The internal attacks mainly referto the interactive entities (i.e., S, and Ux). Thereinto, Smay be self-centered and utilitarian, and aims to obtainmore user data contents and the associated user behav-iors/habits for the maximization of commercial interests;Ux may attempt to capture other users’ sensitive datafields for certain purposes (e.g., curiosity, and maliciousintent). The external attacks mainly consider the dataCIA triad (i.e., confidentiality, integrity, and availability)threats from outside adversaries, which could compro-mise the cloud data storage servers, and subsequentlymodify (e.g., insert, or delete) the users’ data fields.

4 THE SHARED AUTHORITY BASED PRIVACY-PRESERVING AUTHENTICATION PROTOCOL

4.1 System Initialization

The cloud storage system includes a cloud server S,and users {Ux} (x = {1, ...,m}, m ∈ N∗). Thereinto, Ua

and Ub are two users, which have independent access

authorities on their own data fields. It means that a userhas an access permission for particular data fields storedby S, and the user cannot exceed its authority access toobtain other users’ data fields. Here, we consider S and{Ua, Ub} to present the protocol phases for data accesscontrol and access authority sharing with enhanced pri-vacy considerations. The main notations are introducedin TABLE 1.

Let BG = (q, g, h,G,G′, e,H) be a pairing group, inwhich q is a large prime, {G,G′} are of prime orderq, G = ⟨g⟩ = ⟨h⟩, and H is a collision-resistant hashfunction. The bilinear map e : G × G → G′ satisfies thebilinear non-degenerate properties: i.e., for all g, h ∈ Gand a, b ∈ Z∗

q , it turns out that e(ga, hb) = e(g, h)ab, ande(g, h) = 1. Meanwhile, e(g, h) can be efficiently obtainedfor all g, h ∈ G, and it is a generator of G′.

Let S and Ux respectively own the pairwise keys {pkS ,skS} and {pkUx , skUx}. Besides, S is assigned with allusers’ public keys {pkU1 , ..., pkUm}, and Ux is assignedwith pkS . Here, the public key pkτ = gskτ (mod q) (τ ∈{S,Ux}) and the corresponding privacy key skτ ∈ Z∗

q aredefined according to the generator g.

Let F(RUy

Ux(RUx

Uy)T ) = Cont ∈ Zq describe the algebraic

relation of {RUy

Ux, RUx

Uy}, which are mutually inverse

access requests challenged by {Ux, Uy}, and Cont is aconstant. Here, F(.) is a collision-resistant function, forany randomized polynomial time algorithm A, there isa negligible function p(k) for a sufficiently large value k.

Prob[{(x, x′); (y, y′)} ← A(1k) :

(x = x′, y = y′) ∧ F(RUx

Uy(R

U ′y

U ′x)T ) = Cont] ≤ p(k)

Note that RU∗U†

is a m-dimensional Boolean vector, inwhich only the ∗-th pointed-element and the †-th self-element are 1, and other elements are 0. It turns out that:

• F(RUy

Ux(RUx

Uy)T ) = F(2) = Cont means that both Ux

and Uy are interested in each other’s data fields, andthe two access requests are matched;

• F(RUy

Ux(RUx

Uy)T ) = F(RUy

Ux(RUx

Uy)T ) = F(1) means that

only one user (i.e., Ux or Uy) is interested in theother’s data fields, and the access requests are notmatched. Note that Ux/Uy represents that the useris not Ux/Uy;

• F(RUy

Ux(RUx

Uy)T ) = F(0) means that neither Ux nor

Uy is interested in each other’s data fields, and thetwo access requests are not matched.

Let A be the attribute set, there are n attributesA = {A1, A2, ..., An} for all users, and Ux has its ownattribute set AUx ⊂ A for data accessing. Let AUx and PUx

be monotone Boolean matrixes to represent Ux’s dataattribute access list and data access policy.

• Assume that Ux has AUx = [aij ]n×m, which satisfiesthat aij = 1 for Ai ∈ A, and aij = 0 for Ai /∈ A.

• Assume that S owns PUx = [pij ]n×m, which is ap-plied to restrain Ux’s access authority, and satisfiesthat pij = 1 for Ai ∈ PUx , and pij = 0 for Ai /∈ PUx . Ifaij ≤ pij∀i = {1, ..., n}, j = {1, ...,m} holds, it will be

MigrantSystems

5

TABLE 1Notations

Notation Description

S, Ux The cloud server, and a user (i.e., cloud dataowner).

PIDUx Ux’s pseudorandom identifier (pseudonym).TUx Ux’s identity token that is assigned by S.sidSx , sidUx The pseudorandom session identifier of S, Ux.α, σ, β, rUx The randomly generated numbers.R

Uy

UxThe access request pointer that represents Ux’saccess desire on Uy ’s data fields.

DUx , DUx Ux’s own authorized data fields, and Ux’s tempauthorized data fields.

AUx , LUx , PUx The data attribute access list, re-structure dataaccess list, and data access policy.

{mpk/msk} The pairwise master public/privacy keys.{pk/sk} The pairwise public/privacy keys.kΣx , kUx The aggregated keys, and the re-encryption

keys.V ℓ The locally computed value V according to the

same algorithm.CSx , CUx The ciphertexts.FSx (x, PUx ) The defined polynomial owned by S.FUx (x, LUx ) The defined polynomial owned by Ux.

regarded that AUxis within PUx

’s access authoritylimitation.

Note that full-fledged cryptographic algorithms (e.g.,attribute based access control, proxy re-encryption, andtheirs variants) can be exploited to support the SAPA.

4.2 The Proposed Protocol DescriptionsFig. 2. shows the interactions among {Ua, Ub, S}, inwhich both Ua and Ub have interests on each other’sauthorized data fields for data sharing. Note that the pre-sented interactions may not be synchronously launched,and a certain time interval is allowable.

4.2.1 {Ua, Ub}’s Access Challenges and S’s Responses{Ua, Ub} respectively generate the session identifiers{sidUa , sidUb

}, extract the identity tokens {TUa , TUb},

and transmits {sidUa∥TUa , sidUb∥TUa} to S as an ac-

cess query to initiate a new session. Accordingly, wetake the interactions of Ua and S as an example tointroduce the following authentication phase. Upon re-ceiving Ua’s challenge, S first generates a session i-dentifier sidSa , and establishes the master public keympk = (gi, h, hi,BG, e(g, h),H) and master privacy keymsk = (α, g). Thereinto, S randomly chooses α ∈ Zq , andcomputes gi = gα

i

and hi = hαi−1

(i = {1, ..., n} ∈ Z∗).S randomly chooses σ ∈ {0, 1}∗, and extracts Ua’s

access authority policy PUa = [pij ]n×m (pij ∈ {0, 1}), andUa are assigned with the access authority on its own datafields DUa within PUa ’s permission. S further defines apolynomial FSa(x, PUa) according to PUa and TUa .

FSa(x, PUa) =

n,m∏i=1,j=1

(x+ ijH(TUa))pij (mod q)

S computes a set of values {MSa0, MSa1, {MSa2i},MSa3, MSa4} to establish the ciphertext CSa =

{MSa1, {MSa2i},MSa3,MSa4}, and transmits sidSa∥CSa

to Ua.MSa0 = H(PUa∥DUa∥TUa∥σ),MSa1 = hFSa (α,PUa )MSa0 ,

MSa2i = (gi)MSa0 , (i = 1, ..., n)

MSa3 = H(e(g, h)MSa0)⊕ σ,

MSa4 = H(sidUa∥σ)⊕DUa .

Similarly, S performs the corresponding operations forUb, including that S randomly chooses α′ ∈ Zq and σ′ ∈{0, 1}∗, establishes {g′i, h′

i}, extracts {PUb, DUb

}, definesFSb

(x, PUb), and computes {MSb0, MSb1, {MSb2i}, MSb3,

MSb4} to establish the ciphertext CSbfor transmission.

4.2.2 {Ua, Ub}’s Data Access Control

Ua first extracts it data attribute access list AUa = [aij ](aij ∈ {0, 1}, aij ≤ pij) to re-structure an access list LUa =[lij ]n×m for lij = pij − aij . Ua also defines a polynomialFUa(x, LUa) according to LUa and TUa .

FUa(x, LUa) =

n,m∏i=1,j=1

(x+ ijH(TUa))lij (mod q)

It turns out that FUa(x, LUa

) satisfies the equation.

FUa(x, LUa

) =

n,m∏i=1,j=1

(x+ ijH(TUa))pij−aij

=FSa(x, PUa)/FSa(x,AUa).

Afterwards, Ua randomly chooses β ∈ Zq , and thedecryption key kAUa

for AUa can be obtained.

kAUa= (g(β+1)/FSa (α,AUa ), hβ−1)

Ua further computes a set of values {NUa1, NUa2,NUa3}. Here, fSai is used to represent xi’s coefficient inFSa(x, PUa), and fUai is used to represent xi’s coefficientin FUa(x, LUa).

NUa1 = e(MSa21,n∏

i=1

(hi)fUaihfUa0),

NUa2 = e(n∏

i=1

(MSa2i)fUai , hβ−1),

NUa3 = e(g(β+1)/FSa (α,AUa ),MSa1).

It turns out that e(g, h)MSa0 satisfies the equation.

e(g, h)MSa0 = (NUa3/(NUa1NUa2))1/fUa0

For the right side of (1), we have,

NUa1 =e(gαiMSa0 ,

n∏i=1

(hi)fUaihfUa0)

=e(g, h)αMSa0

∑ni=1(α

i−1fUai+fUa0)

=e(g, h)MSa0FUa (α,LUa ),

MigrantSystems

6

sidSa CSa

S

sidUa TUa - Generate: sidSθ, θ={a, b}

- Compute: MSθ0, MSθ1, MSθ2i, MSθ3, MSθ4

Establish: CSθ=(MSθ1, {MSθ2i}, MSθ3, MSθ4)

Ua

sidUb TUb

Ub

- Generate: sidUb

Extract: TUb

- Generate: sidUa

Extract: TUa

- Compute: LUa

- Choose: β Zq

Compute: NUa1, NUa2, NUa3, σℓ, MℓSa0

Derive: DUa

- Generate: rUa

Compute: MUa0, MUa1, MUa2, MUa3

Establish:CUa=(MUa0, MUa1, MUa2, MUa3)

sidSb CSb - Compute: LUb

- Choose: β' Zq

Compute: NUb1, NUb2, NUb3, σ'ℓ, MℓSb0

Derive: DUb

- Generate: rUb

Compute: MUb0, MUb1, MUb2, MUb3

Establish: CUb=(MUb0, MUb1, MUb2, MUb3)- Derive: RUb

Ua, RUaUb

Check: (RUbUa(RUa

Ub)T)= (2) Cont- Compute: kS, kΣθ, kUθ

Extract: DUθ

Re-encryption: M'Uθ1, M'Uθ2

Establish: C'Uθ=(M'Uθ1, M'Uθ2, MUθ3)

C'Ub kS C'Ua kS- Compute: kΣa

Check: e(M'Ub1, h) e(gkS/kΣa, MUb3)

Derive: DUb

- Compute: kΣb

Check: e(M'Ua1, h) e(gkS/kΣb, MUa3)

Derive: DUa

CUa CUb

Ub

α' Zq

g'i, h'i

σ' {0,1}*

For: Ua

Choose: α Zq

Compute: gi, hi

Choose: σ {0,1}*

˙ ˙

˙

Fig. 3. The shared authority based privacy-preserving authentication protocol (SAPA).

NUa2 =e(

n∏i=1

gαiMSa0fUai , hβ−1)

=e(g, h)MSa0(∑n

i=1 αifUai+fUa0−fUa0)(β−1)

=e(g, h)MSa0βFUa (α,LUa )−MSa0fUa0 ,

NUa3 =e(g(β+1)/FSa (α,AUa ), hfSa0MSa0

n∏i=1

(hi)fSaiMSa0)

=e(g, h)(β+1)/FSa (α,AUa )FSa (α,PUa )MSa0

=e(g, h)MSa0βFUa (α,LUa )+MSa0FUa (α,LUa ),

(NUa1NUa2/NUa3)−1/fUa0 =(e(g, h)−MSa0fUa0)−1/fUa0

=e(g, h)MSa0 .

Ua locally re-computes {σℓ, M ℓSa0}, derives its own

authorized data fields DUa , and checks whether theciphertext CSa is encrypted by M ℓ

Sa0. If it holds, Ua will

be a legal user that can properly decrypt the ciphertextCSa ; otherwise, the protocol will terminate.

σℓ = MSa3 ⊕H(e(g, h)MSa0),

M ℓSa0 = H(PUa∥TUa∥σℓ),

DUa = MSa4 ⊕H(sidUa∥σℓ).

Ua further extracts its pseudonym PIDUa , a session-sensitive access request RUb

Ua, and the public key pkUa

.Here, RUb

Uais introduced to let S know its data access

desire. It turns out that RUb

Uamakes S know the facts: 1)

Ua wants to access Ub’s temp authorized data fields DUb;

2) Ra will also agree to share its temp authorized datafields DUa with Ub in the case that Ub grants its request.

Afterwards, Ua randomly chooses rUa ∈ Z∗q , computes

a set of values {MUa0, MUa1, MUa2, MUa3} to establish aciphertext CUa , and transmits CUa to S for further accessrequest matching.

MUa0 = H(sidSa∥PIDUa

)⊕RUb

Ua,

MUa1 = gpkUarUa ,

MUa2 = e(g, h)rUa ,

MUa3 = hrUa .

Similarly, Ub performs the corresponding operations,including that Ub extracts AUb

, and determines {LUb,

FUb(x, LUb

), fUbi}. Ub further randomly chooses β′ ∈Zq , and computes the values {NUb1, NUb2, NUb3, σ′ℓ,M ℓ

Ub} to derive its own data fields DUb

. Ub also ex-tracts its pseudonym PIDUb

and an access requestRUa

Ubto establish a ciphertext CUb

with the elements{MUb0,MUb1,MUb2,MUb3}.

4.2.3 {Ua, Ub}’s Access Request Matching and DataAccess Authority SharingUpon receiving the ciphertexts {CUa , CUb

} within anallowable time interval, and S extracts {PIDUa , PIDUb

}to derive the access requests {RUb

Ua, RUa

Ub}.

RUb

Ua= H(sidSa∥PIDUa)⊕MUa0,

RUa

Ub= H(sidSb

∥PIDUb)⊕MUb0.

S checks whether {RUb

Ua, RUa

Ub} satisfy F(RUb

Ua(RUa

Ub)T ) =

F(2) = Cont. If it holds, S will learn that both Ua

and Ub have the access desires to access each other’sauthorized data, and to share its authorized data fieldswith each other. S extracts the keys {skS , pkUa , pkUb

}to establish the aggregated keys {kS , kΣθ

} by the Diffie-Hellman key agreement, and computes the available re-encryption key kUθ

for Uθ (θ ∈ {a, b}).

kS = (pkUapkUb)skS = g(skUa+skUb

)skS ,

kΣθ= (pkUθ

)skS = gskUθskS ,

kUθ= kΣθ

/pkUθ.

S performs re-encryption to obtain M ′Uθ1

. TowardsUa/Ub, S extracts Ub/Ua’s temp authorized data fieldsDUb

/DUa to compute M ′Ub2

/M ′Ua2

.

M ′Uθ1

= (MUθ1)kUθ = gkΣθ

rUθ ,

M ′Ua2 = MUa2EkΣb

(DUa),

M ′Ub2

= MUb2EkΣa(DUb

).

Thereafter, S establishes the re-structured ciphertextC ′

Uθ= (M ′

Uθ1,M ′

Uθ2,MUθ3), and respectively transmit-

s {C ′Ub∥kS , C ′

Ua∥kS} to {Ua, Ub} for access authority

sharing. Upon receiving the messages, Ua computeskΣa = (pkS)

skUa , and performs verification by comparingthe following equation.

e(M ′Ub1

, h)?= e(gkS/kΣa ,MUb3)

MigrantSystems

7

For the left side of (2), we have,

e(M ′Ub1

, h) =e(ggskUb

skS rUb , h)

For the right side of (2), we have,

e(gkS/kΣa ,MUb3) =e(g(pkS)skUb , hrUb )

=e(g, h)gskSskUb rUb

Ua derives Ub’s temp authorized data fields DUb.

DUb= E−1

kΣa(M ′

Ub2e(M ′

Ub1, h)−kΣa/kS )

Similarly, Ub performs the corresponding operations,including that Ub obtains the keys {kS , kΣb

}, checks Ub’svalidity, and derives the temp authorized data field DUa .

In the SAPA, S acts as a semi-trusted proxy to realize{Ua, Ub}’s access authority sharing. During the proxyre-encryption, {Ua, Ub} respectively establish ciphertexts{MUa1, MUb1} by their public keys {pkUa , pkUb

}, andS generates the corresponding re-encryption keys {kUa ,kUb} for {Ua, Ub}. Based on the re-encryption keys, the

ciphertexts {MUa1, MUb1} are re-encrypted into {M ′Ua1

,M ′

Ub1}, and {Ua, Ub} can decrypt the re-structured ci-

phertexts {M ′Ub1

, M ′Ua1} by their own private key {skUa

,skUb} without revealing any sensitive information.

Till now, {Ua, Ub} have realized the access authoritysharing in the case that both Ua and Ub have the accessdesires on each other’s data fields. Meanwhile, there maybe other typical cases when Ua has an interest in Ub’sdata fields with a challenged access request RUb

Ua.

1) In the case that Ub has no interest in Ua’s data fields,it turns out that Ub’s access request RUb

Uband RUb

Ua

satisfy that F(RUb

Ua(RUb

Ub)T ) = F(1). For Ua, S will

extract a dummy data fields Dnull as a response. Ub

will be informed that a certain user is interested inits data fields, but cannot determine Ua’s detailedidentity for privacy considerations.

2) In the case that Ub has an interest in Uc’s data fieldsrather than Ua’s data fields, but Uc has no interestin Ub’s data fields. It turns out that the challengedaccess requests RUb

Ua, RUc

Ub, and R

Ub

Ucsatisfy that

F(RUb

Ua(RUc

Ub)T ) = F(RUc

Ub(R

Ub

Uc)T ) = F(1), in which

Ub indicates that the user is not Ub. Dnull will betransmitted to {Ua, Ub, Uc} without data sharing.

In summary, the SAPA adopts integrative approachesto address secure authority sharing in cloud applications.

• Authentication: The ciphertext-policy attribute basedaccess control and bilinear pairings are introducedfor identification between Uθ and S, and only thelegal user can derive the ciphertexts. Additionally,Uθ checks the re-computed ciphertexts according tothe proxy re-encryption, which realizes flexible datasharing instead of publishing the interactive users’secret keys.

• Data Anonymity: The pseudonym PIDUθare hidden

by the hash function so that other entities cannotderives the real values by inverse operations. Mean-while, Uθ’s temp authorized fields DUθ

is encrypted

by kΣθfor anonymous data transmission. Hence,

an adversary cannot recognize the data, even if theadversary intercepts the transmitted data, it will notdecode the full-fledged cryptographic algorithms.

• User Privacy: The access request pointer (e.g., RUx

Uθ) is

wrapped along with H(sidSθ∥PIDUθ

) for privatelyinforming S about Uθ’s access desires. Only if bothusers are interested in each other’s data fields, Swill establish the re-encryption key kUθ

to realizeauthority sharing between Ua and Ub. Otherwise, Swill temporarily reserve the desired access requestsfor a certain period of time, and cannot accuratelydetermine which user is actively interested in theother user’s data fields.

• Forward Security: The dual session identifiers {sidSθ,

sidUθ} and pseudorandom numbers are introduced

as session variational operators to ensure the com-munications dynamic. An adversary regards the pri-or session as random even if {S, Uθ} get corrupted,or the adversary obtains the PRNG algorithm. Thecurrent security compromises cannot correlate withthe prior interrogations.

5 FORMAL SECURITY ANALYSIS WITH THE U-NIVERSAL COMPOSABILITY (UC) MODEL

5.1 PreliminariesThe universal composability (UC) model specifies anapproach for security proofs [28], and guarantees thatthe proofs will remain valid if the protocol is modularlycomposed with other protocols, and/or under arbitraryconcurrent protocol executions. There is a real-worldsimulation, an ideal-world simulation, and a simulatorSim translating the protocol execution from the real-world to the ideal-world. Additionally, the Byzantineattack model is adopted for security analysis, and allthe parties are modeled as probabilistic polynomial-timeTuring machines (PPTs), and a PPT captures whatever isexternal to the protocol executions. The adversary con-trols message deliveries in all communication channels,and may perform malicious attacks (e.g., eavesdropping,forgery, and replay), and may also initiate new commu-nications to interact with the legal parties.

In the real-world, let π be a real protocol, Pi (i ={1, ..., I} ∈ N∗) be real parties, and A be a real-worldadversary. In the ideal-world, let F be an ideal func-tionality, Pi be dummy parties, and A be an ideal-worldadversary. Z is an interactive environment, and commu-nicates with all entities except the ideal functionality F .Ideal functionality acts as an uncorruptable trusted partyto realize specific protocol functions.

Theorem 1. UC Security: The probability, that Z dis-tinguishes between an interaction of A with Pi and aninteraction of A with Pi, is at most negligible probability.We have that a real protocol π UC-realizes an idealfunctionality F , i.e., IDEALF,A,Z ≈ REALπ,A,Z .

The UC formalization of the SAPA includes the ideal-world model IDEAL, and the real-world model REAL.

MigrantSystems

8

TABLE 2Ideal data accessing functionality: FACCESS.

Initialization:� Upon input INITIALIZE at P : If P is uncorrupted, and

init(sidPθ,P) is recorded, remove the existing init(sidPθ

,P),generate a session identifier sidPθ

, record and outputinit(sidPθ

,P) to A. Else, output init(sidPθ,P) to A.

Message exchange:� Upon input SEND from P : If P is uncorrupted, and

init(sidPθ,P) is recorded, extract a message mPθ

to recordsend(sidPθ

,mPθ,P), and output send(sidPθ

,mPθ,P) to P .

Else, if P is corrupted and init(sidPθ,P) is recorded, record

and output send(sidPθ,P) to A. Else, ignore.

� Upon input RECEIVE from Uθ : If Uθ is uncorrupted, andinit(sidUθ

,Uθ) is recorded, record rec(sidSθ,mUθ

,Uθ), andoutput rec(sidUθ

,mUθ,Uθ) to Uθ . Else, if Uθ is corrupted and

init(sidUθ,Uθ) is recorded, record and output rec(sidSθ

,Uθ) toA. Else, ignore.

� Upon input RECEIVE from S: If S is uncorrupted, andinit(sidSθ

,S) is recorded, record rec(sidUθ,mSθ

,S), and out-put rec(sidSθ

,mSθ,S) to S. Else, if S is corrupted and

init(sidSθ,S) is recorded, record and output rec(sidUθ

,S) toA. Else, ignore.

Nonce generation:� Upon input GENERATE from P : If P is uncorrupted, generate a

random number rPθ, record gen(rPθ

,P), and output gen(rPθ)

to P . Else, output gen(rPθ,P) to A.

Access control:� Upon input ACCESS from Uθ : If Uθ is corrupted, ignore. Else,

if {send(PUθ,S), rec(PUθ

,Uθ), local(AUθ,Uθ)} are matched,

output valid(AUθ, PUθ

) and access(DUθ) to Uθ . Else, if

{send(PUθ,S), rec(PUθ

,Uθ), local(AUθ,Uθ)} are unmatched,

output invalid(AUθ, PUθ

) to Uθ . Else, record and outputaccess(DUθ

) to A.Adversary behaviors:� Upon request FORWARD(P) from A: If {send(sidPθ

,mPθ,P),

rec(sidSθ,mUθ

,Uθ)/rec(sidUθ,mSθ

,S)} are recorded, outputforward(sidPθ

,mPθ,P) to P .

� Upon request ACCEPT(P) from A: If init(sidUθ,Uθ) is recorded

and forward(sidUθ,mUθ

,Uθ) is recorded, output accept(Uθ) toS. If init(sidSθ

,S) is recorded and forward(sidSθ,mSθ

,S) isrecorded, output accept(S) to Uθ . Else, ignore.

� Upon request FORGE(P)/REPLAY(P) from A: If access(DUθ)

is recorded and Uθ is corrupted, output accept(Uθ) to S. Else,ignore.

• IDEAL: Define two uncorrupted idea functionalities{FACCESS, FSHARE}, a dummy party P (e.g., Uθ, S,θ ∈ {a, b}), and an ideal adversary A. Here, {P , A}cannot establish direct communications. A can arbi-trarily interact with Z , and can corrupt any dummyparty P , but it cannot modify the exchanged mes-sages.

• REAL: Define a real protocol πshare (run by a party Pincluding Uθ and S) with a real adversary A and anenvironment Z . Each real parties can communicatewith each other, and A can fully control the inter-connections of P to obtain/modify the exchangedmessages. During the protocol execution, Z is acti-vated first, and dual session identifiers shared by allthe involved parties reflects the protocol state.

5.2 Ideal FunctionalityDefinition 1. Functionality FACCESS: FACCESS is an incor-ruptible ideal data accessing functionality via available

TABLE 3Ideal authority sharing functionality: FSHARE.

Activation:� Upon input ACTIVATE at P : If init(sidPθ

,P) is recorded, re-move the existing init(sidPθ

,P), and apply FACCESS to initializeP . Else, directly apply FACCESS to initialize P .

Access request:� Upon input CHALLENGE(Ub) from Ua: If Ua is corrupted,

ignore. Else, if chall(RUxUa

) is recorded, remove the existingchall(RUx

Ua), extract RUb

Ua, record and output chall(RUb

Ua) to Ua.

Else, record and output chall(RUbUa

,Ua) to A.� Upon input CHALLENGE(Ua) from Ub: If Ub is corrupted,

ignore. Else, if chall(RUxUb

) is recorded, remove the existingchall(RUx

Ub), extract RUa

Ub, record and output chall(RUa

Ub) to Ub.

Else, record and output chall(RUaUb

,Ub) to A.Authority sharing:� Upon input SHARE(DUb

,Ua) from Ua: If Ua is corrupted,ignore. Else, if {chall(RUb

Ua,Ua), chall(RUa

Ub,Ub)} are recorded

and matched, record and output share(DUb,Ua) to Ua. Else,

if {chall(RUxUa

,Ua), chall(RUxUb

,Ub)} are not matched, recordand output share(DUa ,Ua) to Ua. Else, record and outputshare(Dnull,Ua) to A.

� Upon input SHARE(DUa ,Ub) from Ub: If Ub is corrupted, ig-nore. Else, if {chall(RUb

Ua,Ua), chall(RUa

Ub,Ub)} are recorded

and matched, record and output share(DUa ,Ub) to Ub. Else,if {chall(RUx

Ua,Ua), chall(RUx

Ub,Ub)} are not matched, record

and output share(Dnull,Ub) to Ub. Else, record and outputshare(Dnull,Ub) to A.

Adversary behaviors:� Upon request LISTEN(Uθ) from A: If chall(RUx

Uθ,Uθ) is recorded

and Uθ is corrupted, output listen(RUxUθ

,Uθ) to Uθ . Else, ignore.� Upon request FORGE(Uθ) or REPLAY(Uθ) from A: If

share(Dnull,Ua) is recorded and Ua is corrupted, outputshare(DUa ,Ub) to Ub. If share(Dnull,Ub) is recorded and Ub

is corrupted, output share(DUb,Ua) to Ua. Else, ignore.

channels, as shown in TABLE 2.In FACCESS, a party P (e.g., Uθ, S) is initialized (via

input INITIALIZE), and thereby initiates a new sessionalong with generating dual session identifiers {sidUθ

,sidSθ

}. P follows the assigned protocol procedure tosend (via input SEND) and receive (via input RECEIVE)messages. A random number rPθ

is generated by Pfor further computation (via input GENERATE). Dataaccess control is realized by checking {send(.), rec(.),local(.)} (via input ACCESS). If P is controlled by anideal adversary A, four types of behaviors may beperformed: A may record the exchanged messages onlistened channels, and may forward the intercepted mes-sages to P (via request FORWARD); A may record thestate of authentication between Uθ and S to interferein the normal verification (via request ACCEPT); A mayimpersonate an legal party to obtain the full state (viarequest FORGE), and may replay the formerly intercept-ed messages to involve the ongoing communication (viarequest REPLAY).

Definition 2. Functionality FSHARE: FSHARE is an in-corruptible ideal authority sharing functionality withanonymous interactions, as shown in TABLE 3.FSHARE is activated by P (via input ACTIVATE), and

MigrantSystems

9

the initialization is performed via INITIALIZE of FACCESS.The access request pointers {RUb

Ua, RUa

Ub} are respectively

published and challenged by {Ua, Ub} to indicate theirdesires (via input CHALLENGE). The authority sharingbetween {Ua, Ub} is realized, and the desired data fields{DUb

, DUa} are accordingly obtained by {Ua, Ub} (viainput SHARE). If P is controlled by an ideal adversary A,A may detect the exchanged challenged access requestpointer RUx

Uθ(via request LISTEN); A may record the

path pointer to interfere in the normal authority sharingbetween Ua and Ub (via request FORGE/REPLAY).

In the UC model, FACCESS and FSHARE formally definethe basic components of the ideal-world simulation.

• Party: Party P refers to multiple users Uθ (e.g., Ua,Ub), and a cloud server S involved in a session.Through a successful session execution, {Uθ, S}establish authentication and access control, and {Ua,Ub} obtain each other’s temp authorized data fieldsfor data authority sharing.

• Session identifier: The session identifiers sidUθand

sidSθare generated for initialization by the envi-

ronment Z . The ideal adversary A may control andcorrupt the interactions between Uθ and S.

• Access request pointer: The access request pointer RUx

Uθ

is applied to indicate Uθ’s access request on Ux’stemp authorized data fields DUx .

5.3 Real Protocol πSHARE

A real protocol πSHARE is performed based on the idealfunctionalities to realize FSHARE in FACCESS-hybrid model.

Upon input ACTIVATE(P) at P (e.g., Uθ, and S),P is activated via FSHARE to trigger a new session,in which INITIALIZE of FACCESS is applied for initial-ization and assignment. {init(sidUθ

,Uθ), init(sidSθ,S)}

are respectively obtained by {Uθ, S}. Message deliver-ies are accordingly performed by inputting SEND andRECEIVE. Upon input SEND from Uθ, Uθ records andoutputs send(sidUθ

,Uθ) via FACCESS. Upon input RECEIVEfrom S, S obtains rec(sidUθ

,S) via FACCESS. Upon inputGENERATE(S) from S, S randomly chooses a randomnumber rSθ

to output gen(rSθ) and to establish a ci-

phertext for access control. Upon input GENERATE(Uθ)from Uθ, Uθ generates a random number rUθ

for fur-ther checking the validity of {AUθ

, PUθ}. Upon input

ACCESS from Uθ, Uθ checks whether {send(.), rec(.),local(.)} are matched via FACCESS. If it holds, outputvalid(AUθ

, PUθ) is valid. Else, output invalid(AUθ

, PUθ)

and terminate the protocol. Upon input CHALLENGE(Ux)from Uθ, Uθ generates an access request pointer RUx

Uθ,

and outputs chall(RUx

Uθ) to Ux. Upon input SEND from

Uθ, Uθ computes a message mUθ, records and outputs

send(mUθ,Uθ) via FACCESS, in which RUx

Uθis wrapped in

mUθ. Upon input RECEIVE from S, S obtains rec(mUθ

,S)for access request matching. Upon input SHARE(DUb

,Ua)and SHARE(DUa ,Ub) from {Ua, Ub}, S checks whether{chall(RUb

Ua,Ua), chall(RUa

Ub,Ub)} are matched. If it holds,

output share(DUb,Ua) to Ua and share(DUa ,Ub) to Ub to

achieve data sharing. Else, output share(Dnull,Ua) to Uaand share(Dnull,Ub) to Ub for regular data accessing.

5.4 Security Proof of πSHARE

Theorem 3. The protocol πSHARE UC-realizes the ideal func-tionality FSHARE in the FACCESS-hybrid model.

Proof: Let A be a real adversary that interacts withthe parties running πSHARE in the FACCESS-hybrid model.Let A be an ideal adversary such that any environmentZ cannot distinguish with a non-negligible probabilitywhether it is interacting with A and πSHARE in REAL or itis interacting with A and FSHARE in IDEAL. It means thatthere is a simulator Sim that translates πSHARE proceduresinto REAL such that these cannot be distinguished by Z .

Construction of the ideal adversary A: The ideal adver-sary A acts as Sim to run the simulated copies of Z ,A, and P . A correlates runs of πSHARE from REAL intoIDEAL: the interactions of A and P is corresponding tothe interactions of A and P . The input of Z is forwardedto A as A’s input, and the output of A (after runningπSHARE) is copied to A as A’s output.

Simulating the party P : Uθ and S are activated andinitialized by ACTIVATE and INITIALIZATION, and Asimulates as A during interactions.

• Whenever A obtains {init(sidPθ,P), gen(rPθ

,P)}from FACCESS, A transmits the messages to A.

• Whenever A obtains {rec(.), send(.)} from FACCESS,A transmits the messages to A, and forwards A’sresponse forward(sidPθ

,mPθ,P) to FACCESS.

• Whenever A obtains {init(.), forward(.)} fromFACCESS, S transmits the messages toA, and forward-s A’s response accept(P) to FACCESS.

• Whenever A obtains chall(RUx

Uθ,Uθ) from FSHARE,

A transmits the message to A, and forwards A’sresponse listen(RUx

Uθ,Uθ) to FSHARE.

Simulating the party corruption: Whenever P is corrupt-ed by A, thereby A corrupts the corresponding P . Aprovides A with the corrupted parties’ internal states.

• Whenever A obtains access(DUθ) from FACCESS, A

transmits the message access(DUθ) to A, and for-

wards A’s response accept(P) to FACCESS.• Whenever A obtains chall(RUx

Uθ,Uθ) from FSHARE,

A transmits the message to A, and forwards A’sresponse share(Dnull,Uθ) to FSHARE.

IDEAL and REAL are indistinguishable: Assume that {CS ,CUθ} respectively indicate the events that corruptionsof {S, U}. Z invokes ACTIVATE and INITIALIZE tolaunch an interaction. The commands GENERATE andACCESS are invoked to transmit access(DUθ

) to A, andA responds accept(P) to A. Thereafter, CHALLENGE andSHARE are invoked to transmit share(RUx

Uθ,Uθ), and A re-

sponds share(Dnull,Uθ) to A. Note that init(.) indepen-dently generates dual session identifiers {sidUθ

, sidSθ},

and the simulations of REAL and IDEAL are consistenteven though A may intervene to prevent the data accesscontrol and authority sharing in IDEAL. The pseudoran-dom number generator (introduced in {init(.), gen(.)}),

MigrantSystems

10

and the collision-resistant hash function (introduced in{access(.), share(.)}) are applied to guarantee that theprobability of the environment Z can distinguish theadversary’s behaviors in IDEAL and REAL is at mostnegligible. The simulation is performed based on thefact that no matter the event CS or CUθ occurs ornot, Therefore, πSHARE UC-realizes the ideal functionalityFSHARE in the FACCESS-hybrid model.

6 CONCLUSION

In this work, we have identified a new privacy challengeduring data accessing in the cloud computing to achieveprivacy-preserving access authority sharing. Authenti-cation is established to guarantee data confidentialityand data integrity. Data anonymity is achieved sincethe wrapped values are exchanged during transmission.User privacy is enhanced by anonymous access requeststo privately inform the cloud server about the users’access desires. Forward security is realized by the sessionidentifiers to prevent the session correlation. It indicatesthat the proposed scheme is possibly applied for en-hanced privacy preservation in cloud applications.

REFERENCES

[1] P. Mell and T. Grance, “Draft NIST Working Definition of CloudComputing,” National Institute of Standards and Technology,USA, 2009.

[2] A. Mishra, R. Jain, and A. Durresi, “Cloud Computing: Net-working and Communication Challenges,” IEEE CommunicationsMagazine, vol. 50, no. 9, pp, 24-25, 2012.

[3] R. Moreno-Vozmediano, R. S. Montero, and I. M. Llorente,“Key Challenges in Cloud Computing to Enable the FutureInternet of Services,” IEEE Internet Computing, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6203493, 2012.

[4] K. Hwang and D. Li, “Trusted Cloud Computing with SecureResources and Data Coloring,” IEEE Internet Computing, vol. 14,no. 5, pp. 14-22, 2010.

[5] J. Chen, Y. Wang, and X. Wang, “On-Demand Security Architec-ture for Cloud Computing,” Computer, vol. 45, no. 7, pp. 73-78,2012.

[6] Y. Zhu, H. Hu, G. Ahn, and M. Yu, “Cooperative Provable DataPossession for Integrity Verification in Multi-cloud Storage,” IEEETransactions on Parallel and Distributed Systems, vol. 23, no, 12, pp.2231-2244, 2012.

[7] H. Wang, “Proxy Provable Data Possession in Public Cloud-s,” IEEE Transactions on Services Computing, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6357181, 2012.

[8] K. Yang and X. Jia, “An Efficient and Secure Dynamic Au-diting Protocol for Data Storage in Cloud Computing,” IEEETransactions on Parallel and Distributed Systems, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6311398, 2012.

[9] Q. Wang, C. Wang, K. Ren, W. Lou, and J. Li, “Enabling PublicAuditability and Data Dynamics for Storage Security in CloudComputing,” IEEE Transactions on Parallel and Distributed Systems,vol. 22, no. 5, pp. 847-859, 2011.

[10] C. Wang, K. Ren, W. Lou, J, Lou,“Toward Publicly AuditableSecure Cloud Data Storage Services,” IEEE Network, vol. 24, no.4, pp. 19-24, 2010.

[11] L. A. Dunning and R. Kresman, “Privacy Preserving Data SharingWith Anonymous ID Assignment,” IEEE Transactions on Informa-tion Forensics and Security, vol. 8, no. 2, pp. 402-413, 2013.

[12] X. Liu, Y. Zhang, B. Wang, and J. Yan, “Mona: Secure Multi-Owner Data Sharing for Dynamic Groups in the Cloud,” IEEETransactions on Parallel and Distributed Systems, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6374615, 2012.

[13] S. Grzonkowski and P. M. Corcoran, “Sharing Cloud Services:User Authentication for Social Enhancement of Home Network-ing,” IEEE Transactions on Consumer Electronics, vol. 57, no. 3, pp.1424-1432, 2011.

[14] M. Nabeel, N. Shang and E. Bertino, “Privacy Preserving Pol-icy Based Content Sharing in Public Clouds,” IEEE Trans-actions on Knowledge and Data Engineering, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6298891, 2012.

[15] C. Wang, Q. Wang, K. Ren, N. Cao, and W. Lou, “Toward Secureand Dependable Storage Services in Cloud Computing,” IEEETransactions on Services Computing, vol. 5, no. 2, pp. 220-232, 2012.

[16] S. Sundareswaran, A. C. Squicciarini, and D. Lin, “EnsuringDistributed Accountability for Data Sharing in the Cloud,” IEEETransactions on Dependable and Secure Computing, vol. 9, no. 4, pp.556-568, 2012.

[17] Y. Tang, P. C. Lee, J. C. S. Lui, and R. Perlman, “Secure OverlayCloud Storage with Access Control and Assured Deletion,” IEEETransactions on Dependable and Secure Computing, vol. 9, no. 6, pp.903-916, 2012.

[18] Y. Zhu, H. Hu, G. Ahn, D. Huang, and S. Wang, “Towards Tempo-ral Access Control in Cloud Computing,” in Proceedings of the 31stAnnual IEEE International Conference on Computer Communications(IEEE INFOCOM 2012), pp. 2576-2580, March 25-30, 2012.

[19] S. Ruj, M. Stojmenovic, and A. Nayak, “Decentralized Access Con-trol with Anonymous Authentication for Securing Data in Cloud-s,” IEEE Transactions on Parallel and Distributed Systems, [online]ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6463404,2013.

[20] R. Sanchez, F. Almenares, P. Arias, D. Dıaz-Sanchez, and A.Marın, “Enhancing Privacy and Dynamic Federation in IdM forConsumer Cloud Computing,” IEEE Transactions on ConsumerElectronics, vol. 58, no. 1, pp. 95-103, 2012.

[21] H. Zhuo, S. Zhong, and N. Yu, “A Privacy-Preserving RemoteData Integrity Checking Protocol with Data Dynamics and PublicVerifiability,” IEEE Transactions on Knowledge and Data Engineering,vol. 23, no. 9, pp. 1432-1437, 2011.

[22] Y. Xiao, C. Lin, Y. Jiang, X. Chu, and F. Liu, “An EfficientPrivacy-Preserving Publish-Subscribe Service Scheme for CloudComputing,” in Proceedings of Global Telecommunications Conference(GLOBECOM 2010), December 6-10, 2010.

[23] I. T. Lien, Y. H. Lin, J. R. Shieh, and J. L. Wu, “ANovel Privacy Preserving Location-Based Service Protocolwith Secret Circular Shift for K-nn Search,” IEEE Trans-actions on Information Forensics and Security, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6476681, 2013.

[24] A. Barsoum and A. Hasan, “Enabling Dynamic Data and Indi-rect Mutual Trust for Cloud Computing Storage Systems,” IEEETransactions on Parallel and Distributed Systems, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6392165, 2013.

[25] H. Y. Lin and W. G. Tzeng, “A Secure Erasure Code-Based CloudStorage System with Secure Data Forwarding,” IEEE Transactionson Parallel and Distributed Systems, vol. 23, no. 6, pp. 995-1003,2012.

[26] J. Yu, P. Lu, G. Xue, and M. Li, “Towards Secure Multi-Keyword Top-k Retrieval over Encrypted Cloud Data,” IEEETransactions on Dependable and Secure Computing, [online] ieeex-plore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6425381, 2013.

[27] K. W. Park, J. Han, J. W. Chung, and K. H. Park, “THEMIS: AMutually Verifiable Billing System for the Cloud Computing En-vironment,” IEEE Transactions on Services Computing, [online] iee-explore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6133267, 2012.

[28] R. Canetti, “Universally Composable Security: A New Paradigmfor Cryptographic Protocols,” in Proceedings of the 42nd AnnualSymposium on Foundations of Computer Science (FOCS 2001), pp.136-145, October 14-17, 2001.

[29] Helion IP Core Products: Data Security Products [Online]. Avail-able: http://www.heliontech.com/core.htm

MigrantSystems

11

Hong Liu is currently working toward a Ph.D.degree at the School of Electronic and Infor-mation Engineering, Beihang University, China.She focuses on the security and privacy issuesin radio frequency identification, vehicle-to-grid,and wireless machine-to-machine networks. Herresearch interests include authentication proto-col design, and security formal modeling andanalysis.

Huansheng Ning received the B.S. degree fromAnhui University in 1996 and Ph.D. degree inBeihang University in 2001. He is a professorin the School of Computer and CommunicationEngineering, University of Science and Technol-ogy Beijing, China (since 2013), and is also anassociate professor in the School of Electronicand Information Engineering, Beihang Univer-sity, China (since 2006). His current researchfocuses on Internet of Things, aviation securi-ty, electromagnetic sensing and computing. He

has published more than fifty papers in journals, international confer-ences/workshops.

Qingxu Xiong received the Ph.D. degree inelectrical engineering from Peking University,Beijing, China, in 1994. From 1994 to 1997, heworked in the Information Engineering Depart-ment at Beijing University of Posts and Telecom-munications as a Postdoctoral Researcher. He iscurrently a Professor in the School of Electricaland Information Engineering at Beijing Univer-sity of Aeronautics and Astronautics, Beijing,China. His research interests include schedulingin optical and wireless networks, performance

modeling of wireless networks, and satellite communication.

Laurence T. Yang received his B.E. degreein computer science from Tsinghua University,China, and his Ph.D. degree in computer sci-ence from the University of Victoria, Canada.He is a professor in the School of ComputerScience and Technology at Huazhong Universityof Science and Technology, China, and in theDepartment of Computer Science, St. Francis X-avier University, Canada. His research interestsinclude parallel and distributed computing, andembedded and ubiquitous/pervasive computing.

His research is supported by the National Sciences and EngineeringResearch Council and the Canada Foundation for Innovation.