Similar literature
 Found 20 similar documents; search took 31 ms
1.
Modular exponentiation is an expensive discrete-logarithm operation, difficult for resource-constrained users to perform locally. Fortunately, thanks to burgeoning cloud computing, users are willing to securely outsource modular exponentiations to cloud servers to reduce computation overhead. In this paper, we contrive a fully verifiable secure outsourcing scheme for modular exponentiation with only a single server, named MExp. MExp not only prevents users’ private information leakage during outsourcing by our new logical division method, but also eliminates collusion attacks occurring in algorithms with two untrusted servers. Moreover, our MExp allows outsourcers to detect any misbehavior with a probability of 1, which shows significant improvement in checkability when compared to other single-server-based schemes. With a view to reducing computation overhead, MExp is extended to multiple modular exponentiations, named M2Exp. The algorithm significantly diminishes the local costs of multiple modular exponentiation calculations and the checkability is still 1. Compared with existing state-of-the-art schemes, MExp and M2Exp have outstanding performance in both efficiency and checkability. Finally, MExp and M2Exp are applied to Cramer–Shoup encryptions and Schnorr signatures.

2.
Cloud computing and cluster computing are user-centric computing services. The shared software and hardware resources and information can be provided to the computers and other equipment according to the demands of users. A majority of services are deployed through outsourcing. Outsourcing computation allows resource-constrained clients to outsource their complex computation workloads to a powerful server which is rich in computation resources. Modular exponentiation is one of the most complex computations in public key based cryptographic schemes. It is useful to reduce the computation cost of the clients by using outsourcing computation. In this paper, we propose a novel outsourcing algorithm for modular exponentiation based on the new mathematical division under the setting of two non-colluding cloud servers. The base and the power of the outsourced data can be kept private and the efficiency is improved compared with former works.

3.
Cloud storage is an important cloud computing service; it allows data users to store and access their files anytime, from anywhere and with any device. To ensure the security of the outsourced data, it also must allow data user to periodically verify integrity of the data which was outsourced to an untrusted cloud server at a relatively low cost. To solve this problem, most recent auditing protocols are mainly based on the traditional public key infrastructure. In this infrastructure, the auditor must validate the certificates of data user before auditing data integrity. Thus, it results in a large amount of computation cost and is not suitable to the multi-user setting. To overcome this problem, in this paper, we propose two efficient ID-based public auditing protocols for the outsourced data by combining Waters’ signature and public auditing for the outsourced data. And the two protocols are provably secure in the standard security model. Especially, our optimized protocol has constant communication overhead and computation cost. To the best of our knowledge, it is the first ID-based auditing for data integrity in the standard security model. By comparison with Wang et al.’s scheme and Tan et al.’s scheme, our protocols have large advantages over the other two schemes in terms of communication cost and computation cost. Simulation results show that our proposed ID-based auditing protocols are the most efficient among three schemes in terms of computation cost.

4.

Background

Over the past decade the workflow system paradigm has evolved as an efficient and user-friendly approach for developing complex bioinformatics applications. Two popular workflow systems that have gained acceptance by the bioinformatics community are Taverna and Galaxy. Each system has a large user-base and supports an ever-growing repository of application workflows. However, workflows developed for one system cannot be imported and executed easily on the other. The lack of interoperability is due to differences in the models of computation, workflow languages, and architectures of both systems. This lack of interoperability limits sharing of workflows between the user communities and leads to duplication of development efforts.

Results

In this paper, we present Tavaxy, a stand-alone system for creating and executing workflows based on using an extensible set of re-usable workflow patterns. Tavaxy offers a set of new features that simplify and enhance the development of sequence analysis applications: It allows the integration of existing Taverna and Galaxy workflows in a single environment, and supports the use of cloud computing capabilities. The integration of existing Taverna and Galaxy workflows is supported seamlessly at both run-time and design-time levels, based on the concepts of hierarchical workflows and workflow patterns. The use of cloud computing in Tavaxy is flexible, where the users can either instantiate the whole system on the cloud, or delegate the execution of certain sub-workflows to the cloud infrastructure.

Conclusions

Tavaxy reduces the workflow development cycle by introducing the use of workflow patterns to simplify workflow creation. It enables the re-use and integration of existing (sub-) workflows from Taverna and Galaxy, and allows the creation of hybrid workflows. Its additional features exploit recent advances in high performance cloud computing to cope with the increasing data size and complexity of analysis. The system can be accessed either through a cloud-enabled web-interface or downloaded and installed to run within the user's local environment. All resources related to Tavaxy are available at http://www.tavaxy.org.

5.
The performance of mobile devices including smart phones and laptops is steadily rising as prices plummet sharply. So, mobile devices are changing from being a mere interface for requesting services to becoming computing resources for providing and sharing services due to immeasurably improved performance. With the increasing number of mobile device users, the utilization rate of SNS (Social Networking Service) is also soaring. Applying SNS to the existing computing environment enables members of social network to share computing services without further authentication. To use mobile device as a computing resource, temporary network disconnection caused by user mobility and various HW/SW faults causing service disruption should be considered. Also these issues must be resolved to support mobile users and to provide user requirements for services. Accordingly, we propose fault tolerance and QoS (Quality of Services) scheduling using CAN (Content Addressable Network) in Mobile Social Cloud Computing (MSCC). MSCC is a computing environment that integrates social network-based cloud computing and mobile devices. In the computing environment, a mobile user can, through mobile devices, become a member of a social network through real world relationships. Essentially, members of a social network share cloud service or data with other members without further authentication by using their mobile device. We use CAN as the underlying MSCC to logically manage the locations of mobile devices. Fault tolerance and QoS scheduling consists of four sub-scheduling algorithms: malicious-user filtering, cloud service delivery, QoS provisioning, and replication and load-balancing. Under the proposed scheduling, a mobile device is used as a resource for providing cloud services, faults caused from user mobility or other reasons are tolerated and user requirements for QoS are considered. We simulate scheduling both with and without CAN. 
The simulation results show that our proposed scheduling algorithm enhances cloud service execution time, finish time and reliability and reduces the cloud service error rate.

6.
Keyword search on encrypted data allows one to issue the search token and conduct search operations on encrypted data while still preserving keyword privacy. In the present paper, we consider the keyword search problem further and introduce a novel notion called attribute-based proxy re-encryption with keyword search (), which introduces a promising feature: In addition to supporting keyword search on encrypted data, it enables data owners to delegate the keyword search capability to some other data users complying with the specific access control policy. To be specific, allows (i) the data owner to outsource his encrypted data to the cloud and then ask the cloud to conduct keyword search on outsourced encrypted data with the given search token, and (ii) the data owner to delegate other data users keyword search capability in the fine-grained access control manner through allowing the cloud to re-encrypt stored encrypted data with a re-encrypted data (embedding with some form of access control policy). We formalize the syntax and security definitions for , and propose two concrete constructions for : key-policy and ciphertext-policy . In a nutshell, our constructions can be treated as the integration of technologies in the fields of attribute-based cryptography and proxy re-encryption cryptography.

7.
Cloud computing, an on-demand computation model that consists of large data-centers (Clouds) managed by cloud providers, offers storage and computation needs for cloud users based on service level agreements (SLAs). Services in cloud computing are offered at relatively low cost. The model, therefore, forms a great target for many applications, such as startup businesses and e-commerce applications. The area of cloud computing has grown rapidly in the last few years; yet, it still faces some obstacles. For example, there is a lack of mechanisms that guarantee for cloud users the quality that they are actually getting, compared to the quality of service that is specified in SLAs. Another example is the concern of security, privacy and trust, since users lose control over their data and programs once they are sent to cloud providers. In this paper, we introduce a new architecture that aids the design and implementation of attestation services. The services monitor cloud-based applications to ensure software quality, such as security, privacy, trust and usability of cloud-based applications. Our approach is a user-centric approach through which users have more control on their own data/applications. Further, the proposed approach is a cloud-based approach where the powers of the clouds are utilized. Simulation results show that many services can be designed based on our architecture, with limited performance overhead.

8.
Sabitha S., Rajasree M. S. Cluster Computing, 2021, 24(2): 1455-1478

The exponential growth of data storage and sharing in cloud demands an efficient access control mechanism for flexible data sharing. Attribute-Based Encryption (ABE) is a promising cryptographic solution to share data among users in the cloud. But it suffers from user revocation, attribute revocation, forward secrecy and backward secrecy issues. Communication and computation overhead is more due to the linear variation in the size of ciphertext and the secret key with respect to the number of attributes. In this paper, we investigate an on-demand access control for flexible sharing of secure data among randomly selected users. It is a tunable access control mechanism for the flexible sharing of ciphertext classes in the cloud. It delegates the decryption rights of any set of ciphertext classes among the users only if their attributes are satisfied with the access policy associated with ciphertext and if they should possess a compact key corresponding to the intended set of ciphertext classes. It produces a constant size ciphertext and a compact secret key to efficiently utilize the storage space and reduce the communication cost. The compact key aggregates the power of secret keys used to encrypt the outsourced data. This method flexibly shares the ciphertext classes among the randomly selected users with a specific set of attributes. All other ciphertext classes outside the set remain confidential. It allows dynamic data updates by verifying the data manipulation privilege of users with the help of claim policy. The proposed scheme provides access control of varying granularity, at user-level, at file-level, and attribute-level. Granularity levels can be chosen based on applications and user demands. Hence, it is a multi-level, tunable access control over the shared data. It is very useful for secure data storage. This scheme tackles user revocation and attribute revocation problems so that, it allows the data owner to revoke a specific user or a group of users. 
It prevents forward and backward secrecy issues.


9.
The emergence of cloud computing has made it become an attractive solution for large-scale data processing and storage applications. Cloud infrastructures provide users a remote access to powerful computing capacity, large storage space and high network bandwidth to deploy various applications. With the support of cloud computing, many large-scale applications have been migrated to cloud infrastructures instead of running on in-house local servers. Among these applications, continuous write applications (CWAs) such as online surveillance systems, can significantly benefit due to the flexibility and advantages of cloud computing. However, with specific characteristics such as continuous data writing and processing, and high level demand of data availability, cloud service providers prefer to use sophisticated models for provisioning resources to meet CWAs’ demands while minimizing the operational cost of the infrastructure. In this paper, we present a novel architecture of multiple cloud service providers (CSPs) or commonly referred to as Cloud-of-Clouds. Based on this architecture, we propose two operational cost-aware algorithms for provisioning cloud resources for CWAs, namely neighboring optimal resource provisioning algorithm and global optimal resource provisioning algorithm, in order to minimize the operational cost and thereby maximizing the revenue of CSPs. We validate the proposed algorithms through comprehensive simulations. The two proposed algorithms are compared against each other to assess their effectiveness, and with a commonly used and practically viable round-robin approach. The results demonstrate that NORPA and GORPA outperform the conventional round-robin algorithm by reducing the operational cost by up to 28 and 57 %, respectively. The low complexity of the proposed cost-aware algorithms allows us to apply it to a realistic Cloud-of-Clouds environment in industry as well as academia.

10.
The public cloud storage auditing with deduplication has been studied to assure the data integrity and improve the storage efficiency for cloud storage in recent years. The cloud, however, has to store the link between the file and its data owners to support the valid data downloading in previous schemes. From this file-owner link, the cloud server can identify which users own the same file. It might expose the sensitive relationship among data owners of this multi-owners file, which seriously harms the data owners’ privacy. To address this problem, we propose an identity-protected secure auditing and deduplicating data scheme in this paper. In the proposed scheme, the cloud cannot learn any useful information on the relationship of data owners. Different from existing schemes, the cloud does not need to store the file-owner link for supporting valid data downloading. Instead, when the user downloads the file, he only needs to anonymously submit a credential to the cloud, and can download the file only if this credential is valid. Except this main contribution, our scheme has the following advantages over existing schemes. First, the proposed scheme achieves the constant storage, that is, the storage space is fully independent of the number of the data owners possessing the same file. Second, the proposed scheme achieves the constant computation. Only the first uploader needs to generate the authenticator for each file block, while subsequent owners do not need to generate it any longer. As a result, our scheme greatly reduces the storage overhead of the cloud and the computation overhead of data owners. The security analysis and experimental results show that our scheme is secure and efficient.

11.
Cloud storage is an important application service in cloud computing; it allows data users to store and access their files anytime, from anywhere and with any device. To ensure the security of the outsourced data, data user needs to periodically check data integrity. In some cases, the identity privacy of data user must be protected. However, in the existing preserving identity privacy protocols, data tag generation is mainly based on complex ring signature or group signature. It brings a heavy burden to data user. To ensure identity privacy of data user, in this paper we propose a novel identity privacy-preserving public auditing protocol by utilizing chameleon hash function. It can achieve the following properties: (1) the identity privacy of data user is preserved for cloud server; (2) the validity of the outsourced data is verified; (3) data privacy can be preserved for the auditor in auditing process; (4) computation cost to produce data tag is very low. Finally, we also show that our scheme is provably secure in the random oracle model; the security of the proposed scheme is related to the computational Diffie–Hellman problem and hash function problem.

12.
Saidi Ahmed, Nouali Omar, Amira Abdelouahab. Cluster Computing, 2022, 25(1): 167-185

Attribute-based encryption (ABE) is an access control mechanism that ensures efficient data sharing among dynamic groups of users by setting up access structures indicating who can access what. However, ABE suffers from expensive computation and privacy issues in resource-constrained environments such as IoT devices. In this paper, we present SHARE-ABE, a novel collaborative approach for preserving privacy that is built on top of Ciphertext-Policy Attribute-Based Encryption (CP-ABE). Our approach uses Fog computing to outsource the most laborious decryption operations to Fog nodes. The latter collaborate to partially decrypt the data using an original and efficient chained architecture. Additionally, our approach preserves the privacy of the access policy by introducing false attributes. Furthermore, we introduce a new construction of a collaboration attribute that allows users within the same group to combine their attributes while satisfying the access policy. Experiments and analyses of the security properties demonstrate that the proposed scheme is secure and efficient especially for resource-constrained IoT devices.


13.

Background

One of the tasks in the 2017 iDASH secure genome analysis competition was to enable training of logistic regression models over encrypted genomic data. More precisely, given a list of approximately 1500 patient records, each with 18 binary features containing information on specific mutations, the idea was for the data holder to encrypt the records using homomorphic encryption, and send them to an untrusted cloud for storage. The cloud could then homomorphically apply a training algorithm on the encrypted data to obtain an encrypted logistic regression model, which can be sent to the data holder for decryption. In this way, the data holder could successfully outsource the training process without revealing either her sensitive data, or the trained model, to the cloud.

Methods

Our solution to this problem has several novelties: we use a multi-bit plaintext space in fully homomorphic encryption together with fixed point number encoding; we combine bootstrapping in fully homomorphic encryption with a scaling operation in fixed point arithmetic; we use a minimax polynomial approximation to the sigmoid function and the 1-bit gradient descent method to reduce the plaintext growth in the training process.

Results

Our algorithm for training over encrypted data takes 0.4–3.2 hours per iteration of gradient descent.

Conclusions

We demonstrate the feasibility but high computational cost of training over encrypted data. On the other hand, our method can guarantee the highest level of data privacy in critical applications.

14.
With the development of ubiquitous computing technology, users are using mobile devices which are for producing and accessing information. Due to the limited computing capability and storage, however, mobile cloud computing technology are emerging research issues in the architecture, design, and implementation. This paper proposes the trust management approach by analyzing user behavioral patterns for reliable mobile cloud computing. For this, we suggest a method to quantify a one-dimensional trusting relation based on the analysis of telephone call data from mobile devices. After that, we integrate inter-user trust relationship in mobile cloud environment. As a result, trustworthiness of data in data production, management, overall application, is enhanced.

15.
In multi-server environments, user authentication is a very important issue because it provides the authorization that enables users to access their data and services; furthermore, remote user authentication schemes for multi-server environments have solved the problem that has arisen from user’s management of different identities and passwords. For this reason, numerous user authentication schemes that are designed for multi-server environments have been proposed over recent years. In 2015, Lu et al. improved upon Mishra et al.’s scheme, claiming that their remote user authentication scheme is more secure and practical; however, we found that Lu et al.’s scheme is still insecure and incorrect. In this paper, we demonstrate that Lu et al.’s scheme is vulnerable to outsider attack and user impersonation attack, and we propose a new biometrics-based scheme for authentication and key agreement that can be used in multi-server environments; then, we show that our proposed scheme is more secure and supports the required security properties.

16.
In this paper we present SNUAGE, a platform-as-a-service security framework for building secure and scalable multi-layered services based on the cloud computing model. SNUAGE ensures the authenticity, integrity, and confidentiality of data communication over the network links by creating a set of security associations between the data-bound components on the presentation layer and their respective data sources on the data persistence layer. SNUAGE encapsulates the security procedures, policies, and mechanisms in these security associations at the service development stage to form a collection of isolated and protected security domains. The secure communication among the entities in one security domain is governed and controlled by a standalone security processor and policy attached to this domain. This results into: (1) a safer data delivery mechanism that prevents security vulnerabilities in one domain from spreading to the other domains and controls the inter-domain information flow to protect the privacy of network data, (2) a reusable security framework that can be employed in existing platform-as-a-service environments and across diverse cloud computing service models, and (3) an increase in productivity and delivery of reliable and secure cloud computing services supported by a transparent programming model that relieves application developers from the intricate details of security programming. Last but not least, SNUAGE contributes to a major enhancement in the energy consumption and performance of supported cloud services by providing a suitable execution container in its protected security domains for a wide suite of energy- and performance-efficient cryptographic constructs such as those adopted by policy-driven and content-based security protocols. An energy analysis of the system shows, via real energy measurements, major savings in energy consumption on the consumer devices as well as on the cloud servers. 
Moreover, a sample implementation of the presented security framework is developed using Java and deployed and tested in a real cloud computing infrastructure using the Google App Engine service platform. Performance benchmarks show that the proposed framework provides a significant throughput enhancement compared to traditional network security protocols such as the Secure Sockets Layer and the Transport Layer Security protocols.

17.
According to the fact that cloud servers have different energy consumption on different running states, as well as the energy waste problem caused by the mismatching between cloud servers and cloud tasks, we carry out researches on the energy optimal method achieved by a priced timed automaton for the cloud computing center in this paper. The priced timed automaton is used to model the running behaviors of the cloud computing system. After introducing the matching matrix of cloud tasks and cloud resources as well as the power matrix of the running states of cloud servers, we design a generation algorithm for the cloud system automaton based on the generation rules and reduction rules given ahead. Then, we propose another algorithm to settle the minimum path energy consumption problem in the cloud system automaton, therefore obtaining an energy optimal solution and an energy optimal value for the cloud system. A case study and repeated experimental analyses manifest that our method is effective and feasible.

18.
Fog computing is a distributed computing paradigm at the edge of the network and requires cooperation of users and sharing of resources. When users in fog computing open their resources, their devices are easily intercepted and attacked because they are accessed through wireless network and present an extensive geographical distribution. In this study, a credible third party was introduced to supervise the behavior of users and protect the security of user cooperation. A fog computing security mechanism based on human nervous system is proposed, and the strategy for a stable system evolution is calculated. The MATLAB simulation results show that the proposed mechanism can reduce the number of attack behaviors effectively and stimulate users to cooperate in application tasks positively.

19.

In a cloud computing environment, there are many providers offering various services of different quality attributes. Selecting a cloud service that meets user requirements from such a large number of cloud services is a complex and time-consuming process. At the same time, user requirements are sometimes described as uncertain (sets or intervals), something which should be taken into account while selecting cloud services. This paper proposes an efficient method for ranking cloud services while accounting for uncertain user requirements. For this purpose, a requirement interval is defined to fulfill uncertain user requirements. Since there are a large number of cloud services, the services falling outside the requirement interval are filtered out. Finally, the analytic hierarchy process is employed for ranking. The results evaluate the proposed method in terms of optimality of ranking, scalability, and sensitivity analyses. According to the test results, the proposed method outperforms the previous methods.


20.
Most existing works to secure cloud devote to remote integrity check, search and computing on encrypted data. In this paper, we deal with simultaneous authentication and secrecy when data are uploaded to cloud. Observing that cloud is most interesting to companies in which multiple authorized employees are allowed to upload data, we propose a general framework for secure data upload in an identity-based setting. We present and employ identity-based signcryption (IBSC) to meet this goal. As it is shown that it is challenging to construct IBSC scheme in the standard model and most IBSC schemes are realized in the random oracle model which is regarded weak to capture the realistic adversaries, we propose a new IBSC scheme simultaneously performing encryption and signature with cost less than the signature-then-encryption approach. The identity based feature eliminates the complicated certificates management in signcryption schemes in the traditional public-key infrastructure (PKI) setting. Our IBSC scheme exploits Boneh et al.’s strongly unforgeable signature and Paterson et al.’s identity-based signature. The scheme is shown to satisfy semantic security and strong unforgeability. The security relies on the well-defined bilinear decision Diffie-Hellman (BDDH) assumption and the proof is given in the standard model. With our IBSC proposal, a secure data upload scheme is instantiated with simultaneous authentication and secrecy in a multi-user setting.
