Secure and Efficient Data Sharing Scheme Based on Certificateless Hybrid Signcryption for Cloud Storage

Abstract

As cloud service providers are not completely trusted, people are increasingly concerned about security issues such as data confidentiality and user privacy. In many existing schemes, the private key generator (PKG) generates a full private key for each user, which means that the PKG can forge a valid signature or decrypt the ciphertext. To address the issue, we first present a novel certificateless hybrid signcryption (CL-HSC) scheme without pairing, in which the PKG only generates the partial private keys for users. It is provably secure under the Elliptic Curve Computational Diffie-Hellman (EC-CDH) assumption in the random oracle model. Then, we propose a key derivation method by which the data owner only needs to maintain the master key to get rid of the complex key management. By combining our proposed CL-HSC scheme and the key derivation method, we present a secure and efficient data-sharing scheme for cloud storage, which can resist collusion attacks, spoofing attacks, and replay attacks and makes user revocation easier. In addition, compared with some existing schemes, our scheme has a lower computational complexity.

1. Introduction

With the development in networking technology and the increasing need for data storage and computing resources, cloud storage and cloud computing are gradually popularized. Users and companies can outsource data storage and computing to remote servers (called clouds), which greatly reduces the storage pressure and the calculation pressure of users and companies.

In the public cloud, the cloud service provider supplies a platform for all users who have registered in the cloud. Each user can store data and share data with others in the cloud. By using the cloud, it can be achieved easily that users access the data anytime and anywhere.

Although cloud storage brings many benefits, there are many security issues caused by the openness of the cloud platform and the lack of security mechanisms. Much of data stored in the cloud may be sensitive, such as, social networks and medical records. Thus, it is crucial to prevent unauthorized access to these data and to realize secure data sharing. At present, most cloud service providers do not take any security measure for protecting users’ data, which means that users’ data is visible to cloud service providers. They even abuse users’ data to get more benefits. Furthermore, the attacker can attack the cloud servers to obtain users’ private data. The confidentiality of data outsourced is important to the data owner. In addition, users may share their data with friends or the requesters. Therefore, a flexible secure access control scheme is absolutely needed.

Many existing schemes utilize the private key generator (PKG), which owns the master key used to generate all users’ private keys. Therefore, the private key of any user is known to the PKG, which can decrypt the ciphertexts or can impersonate some users. To solve this problem, Al-Riyami et al. proposed an efficient method to divide the private key into two parts [1].

In this study, we present a novel certificateless hybrid signcryption scheme with a low computation and propose a secure and efficient data-sharing scheme for cloud storage. Our main contributions are as follows:

• A secure cloud storage model is proposed, which employs a semi-trusted third party (STTP) to provide services, such as user management, key management, and data processing. Cloud storage servers are physically isolated, and only the STTP can directly access them.
• A novel certificateless hybrid signcryption scheme with a low computation is proposed.
• A key derivation method is constructed by using partial iteration to release users from the complex key management.

The rest of this paper is organized as follows: Section 2 introduces related works on cloud security. The proposed system model of cloud storage and assumptions are detailed in Section 3. Our proposed scheme is described in detail in Section 4. Section 5 presents a security analysis of our scheme. We discuss the performance of our scheme in Section 6. We conclude our paper in Section 7.

2. Related Works

In Reference [2], Chen et al. presented a comprehensive analysis of data security and privacy preserving issues associated with all phases of the data life cycle in cloud computing, discussed some schemes, and showed future research work. This paper focuses on the security of data storage and data sharing in cloud storages. The following is a review of some related research work, mainly involving the application of symmetric encryption, identity-based encryption, and attribute-based encryption in cloud storage.

Wang et al. proposed to encrypt every data block with a different key to achieve a flexible cryptography-based access control in Reference [3]. This scheme uses a symmetric cryptographic algorithm to encrypt data and employs the pre-shared secret key to achieve mutual authentication. However, this scheme assumes that the data owner shares the pairwise keys with the service provider and the end users, which requires a lot of storage space. Ramesh et al. introduced a encryption/decryption method based on a secure e-stream cipher ChaCha20 to protect the user’s sensitive data for cloud storage in Reference [4].

Kumar et al. proposed a secure method based on elliptic curve cryptography (ECC) in Reference [5], which provides users secure storage and access to the data from the cloud storage servers. They adopt ECC to protect data files. Lu et al. presented a certificated-based proxy re-encryption scheme without pairing for data sharing in cloud storage, which combines the advantages of certificate-based encryption and proxy-based encryption in Reference [6]. However, this scheme does not perform user authentication. Li et al. proposed a new authentication protocol based on the identity-based hierarchical model for cloud computing in Reference [7]. Tang et al. in Reference [8] presented an inter-domain identity-based proxy re-encryption (IBPRE) scheme, which achieves secure data sharing between users in different domains. However, Han et al. proved the collusion attack against Tang’s scheme in Reference [9] and proposed an identity-based data storage scheme that prevents collusion attacks and supports intra-domain and inter-domain queries. Wang et al. presented a new IBPRE+ to achieve controlled secure social cloud data sharing in Reference [10]. In the scheme, the re-encryption keys are generated by a delegator, which can reduce the computational complexity of the data owner.

In Reference [11], Ruj et al. presented a privacy-preserving authenticated access control scheme for cloud storage, which is decentralized and can achieve the authenticity of users without knowing users’ identities. Later, they proposed a novel decentralized access control scheme for data storage in the cloud which supports anonymous authentication in Reference [12]. In this scheme, attribute-based encryption (ABE) was used to encrypt data and attribute-based signature (ABS) proposed by Maji et al. in Refrence [13] was used to achieve authentication. The existing work [14,15,16,17] on access control in data outsourcing systems uses ABE to achieve security. However, all the schemes introduced above adopt the pairing operation, which requires much computational complexity. For the shared data files with hierarchical structures, Wang et al. presented an efficient data-sharing scheme based on ciphertext-policy attribute-based encryption (CP-ABE) in Reference [18]. Huang et al. claimed that they presented an identity-based private data-sharing scheme in online social networks in Reference [19]. However, this scheme was actually a data-sharing scheme based on ABE.

Since most of the above schemes are constructed based on bilinear pairing, their computational complexity is large. Therefore, in this paper, we design a data-sharing scheme based on a certificateless hybrid signcryption scheme without pairing.

3. Background

3.1. Assumptions

Before discussing in detail, we make some assumptions as follows:

• In our cloud storage model, we employ a semi-trusted third party (STTP) to manage and maintain cloud storage servers. Thus, the STTP is interested in viewing users’ content but cannot modify it.
• Users registered can store their data in the cloud. Once the data owner verified requesters, they can read data stored in the cloud.

Elliptic Curve Computational Diffie-Hellman Problem (EC-CDH) [20]

Let $G_p$ be an ECC group of order p, where p is a prime; the point P is the generator of $G_p$. The elliptic curve computational Diffie-Hellman problem in $G_p$: Given a random instance $(P,aP,bP)\in G_p$, compute $abP$. Let ${\mathit{A}}^{EC-CDH}$ be an adversary. We define ${\mathit{A}}^{EC-CDH}$’s advantage in solving the EC-CDH by $Adv\left({\mathit{A}}^{EC-CDH}\right)=Pr[{\mathit{A}}^{EC-CDH}(P,aP,bP)=abP]$.

3.2. System Model

Figure 1 shows an overview of our cloud storage model. The model contains four entities: the STTP, cloud storage servers, the data owner, and requesters. The STTP is the cloud administrator to manage and maintain cloud storage servers and users. Cloud storage servers are used to store and backup the ciphertext of users’ data. The data owner stores the ciphertexts of data in the cloud storage servers, which can reduce the storage pressure and achieve accessing and sharing whenever and wherever. Requesters want to share the data stored in the cloud.

The STTP is mainly composed of three parts: user management center, key management center, and data processing center. The user management center is responsible for the new user registration and user revocation. It always maintains the user list UL and the revocation list RL containing all users’ identities and public keys in the cloud storage system. The key management center is in charge of generating the partial private key for each user. The data processing center takes charge of storing and reading the ciphertext from cloud storage servers.

In our cloud storage model, only the STTP can directly access cloud storage servers, which can guarantee the security of cloud storage servers. To some extent, cloud storage servers are physically isolated.

4. Secure Data Sharing Scheme

We firstly describe our key derivation method and a novel certificateless hybrid signcryption scheme. Then, we present our secure data-sharing scheme based on the proposed CL-HSC algorithm and the re-encryption protocol in detail. The proposed scheme can provide data confidentiality, user authentication, message integrity, and non-repudiation.

4.1. Key Derivation Algorithm

Here, we employ the Advanced Encryption Standard (AES) algorithm for data encryption, which is mature, fast, and strongly secure [21]. The security of data mainly depends on the keys for the AES encryption algorithm. Due to the large number of data blocks, it is difficult for the data owner to manage encryption keys. To address this issue, we present a key derivation method, which employs a hash algorithm SHA256 to generate the encryption keys. The main flow chart of the data encryption keys generation algorithm is shown in Figure 2. We briefly describe the notations used in Figure 2 (See

Table 1. The list of notations in Figure 2.

Notation	Meaning
$V_0$	a 256-bit random number
$mk$	the master key of user
$T_i$	time stamp
‖	the concatenation operation
SHA256	a hash algorithm
$V_i$	the intermediate value
+	the operation of XOR (exclusive OR)
$K_i$	i-th data encryption key

). The mathematical description of the algorithm is as follows:

$$V_i=SHA256(mk\Vert T_i),i=1,2,\dots ,n$$

$$K_i=SHA256\left(V_{i-1}\right)\oplus V_i,i=1,2,\dots ,n$$

(1)

where n denotes the number of files.

We adopt the partial iteration method to generate encryption keys so that the adjacent keys have a correlation. The master key and time stamp are added during each key generation to enhance the security of encryption keys.

4.2. A Novel Certificateless Hybrid Signcryption

Based on the schemes of References [20,22,23,24], we present a novel certificateless hybrid signcryption scheme, which is a certificateless public key cryptography [1].

The proposed CL-HSC scheme is comprised of six probabilistic polynomial-time algorithms: setup, set secret value, extract partial private key, set private key, signcrypt, and de-signcrypt.

Setup

This algorithm takes the security parameter $\lambda$ as the input and returns the system parameters $\Omega$ and the master key msk. This algorithm is run by the STTP. Given $\lambda$, the STTP performs the following steps:

• Choose a $\lambda$-bit prime p and return the tuple $\{p,F_p,G_p,P\}$, where $G_p$ is an additive cyclic group consisting of points on an elliptic curve over the field $F_p$ and P is the generator of $G_p$.
• Choose the master key $x\in {\mathrm{Z}}_p^{\ast }$ randomly, and compute the system public key $P_{pub}=xP$.
• Choose cryptographic hash functions $H_0:{\{0,1\}}^{\ast }\times G_p\to {\mathrm{Z}}_p^{\ast }$, $H_1:G_p\times G_p\to {\{0,1\}}^n$, $H_2:G_p\times {\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }\times G_p\to {\mathrm{Z}}_p^{\ast }$ and $H_3:G_p\times {\{0,1\}}^{\ast }\times {\{0,1\}}^{\ast }\times G_p\to {\mathrm{Z}}_p^{\ast }$. Here, n represents the length of the agreed symmetric key.
• Publish $\Omega =\{F_p,G_p,P,P_{pub},H_0,H_1,H_2,H_3\}$ as the system parameters, and keep the master key x secret.

Set Secret Value

Each user executes this algorithm. The user with an identity $I{D}_i$ chooses $x_{I{D}_i}\in {\mathrm{Z}}_p^{\ast }$ randomly as his secret value and generates the public key as $P_{I{D}_i}=x_{I{D}_i}P$.

Extract Partial Private Key

The STTP runs this algorithm, which takes his master key, the identity, and the public key of the user as the input and outputs the partial private key for the user. The STTP computes $d_{I{D}_i}=x{H}_0(I{D}_i,P_{I{D}_i})modp$ as the partial private key of the user.

The user can validate the partial private key by checking whether $d_{I{D}_i}P=H_0(I{D}_i,P_{I{D}_i})P_{pub}$ holds.

Set Private Key

The user takes the pair $s{k}_{I{D}_i}=(d_{I{D}_i},x_{I{D}_i})$ as his full private key.

Signcrypt

This algorithm is executed by the sender $I{D}_s$ to compute the signature and the symmetric key for the receiver $I{D}_r$. Given the time stamp $\tau$ which is used to prevent replay attacks, the sender obtains the signature ${\phi }_{I{D}_s}$ and the symmetric key K as follows:

• Choose $l_{I{D}_s}\in {\mathrm{Z}}_p^{\ast }$ randomly, and compute $S_{I{D}_s}=l_{I{D}_s}P$.
• Compute $H=H_2(S_{I{D}_s},\tau ,I{D}_s,P_{I{D}_s})$, $H^{\prime }=H_3(S_{I{D}_s},\tau ,I{D}_r,P_{I{D}_r})$, and $W_{I{D}_s}=d_{I{D}_s}+l_{I{D}_s}·H+x_{I{D}_s}·H^{\prime }modp$.
• Compute $T_{I{D}_s}=l_{I{D}_s}·H_0(I{D}_r,P_{I{D}_r})P_{pub}$ and $K=H_1(T_{I{D}_s},l_{I{D}_s}·P_{I{D}_r})$.
• Output ${\phi }_{I{D}_s}=(S_{I{D}_s},W_{I{D}_s})$ and K.

De-signcrypt

Given the signature ${\phi }_{I{D}_s}$, the time stamp $\tau$, the signer’s identity $I{D}_s$, and full public key $p{k}_{I{D}_s}$, the signature ${\phi }_{I{D}_s}$ is verified as follows:

• Compute $H=H_2(S_{I{D}_s},\tau ,I{D}_s,P_{I{D}_s})$ and $H^{\prime }=H_3(S_{I{D}_s},\tau ,I{D}_r,P_{I{D}_r})$.
• If $W_{I{D}_s}·P=H_0(I{D}_s,P_{I{D}_s})·P_{pub}+H·S_{I{D}_s}+H^{\prime }·P_{I{D}_s}$, the signature ${\phi }_{I{D}_s}$ is valid. Then the receiver $I{D}_r$ computes the agreed symmetric key $K=H_1(T_{I{D}_s},x_{I{D}_r}·S_{I{D}_s})$, where $T_{I{D}_s}$ is computed by

  $$\begin{array}{cc}\hfill T_{I{D}_s}& =d_{I{D}_r}·S_{I{D}_s}\hfill \\ & =\left(x{H}_0(I{D}_r,P_{I{D}_r})modq\right)·l_{I{D}_s}P\hfill \\ & =l_{I{D}_s}·H_0(I{D}_r,P_{I{D}_r})P_{pub}\hfill \end{array}$$

  (2)
  Otherwise, the output is invalid.

4.3. Scheme Construction

The proposed secure scheme mainly includes six phases: user register, data store, data share, user revocation, data update, and data deletion.

User Register

• Generation of System Parameters: The STTP executes the Setup algorithm, publishes the system parameters $\Omega$, and keeps the master key x secret.
• Distribution of Keys: The STTP assigns a unique identifier $I{D}_i$ to each user and runs the Extract Partial Private Key algorithm to generate the partial private key $(s{k}_{I{D}_i},p{k}_{I{D}_i})$. Finally, the STTP generates a user list $UL$ containing identifiers and public keys of registered users. It also creates a revocation list $RL$ for managing the revoked users. In this phase, the STTP must communicate with users through a secure channel, e.g., Email.

Data Store

Once registered, users can store their data in the cloud. To protect privacy and confidentiality, users can encrypt their data and store the ciphertext to the cloud servers.

A symmetric cryptographic algorithm is relatively suitable for data encryption, which presents very good reading and writing performances. Thus, we employ the AES encryption algorithm to encrypt data. The data owner chooses the master key $mk$ to generate encryption keys by using the proposed key derivation algorithm and encrypts each file $F_i$ with encryption key $K_i$. Then, concatenate ciphertext and corresponding keyword and send the result and the signature ${\phi }_{I{D}_O}=(S_{I{D}_O},W_{I{D}_O})$ to the STTP. Adding the keywords is conducive to improving requesters’ ability to quickly retrieve the ciphertext they want. Finally, the data owner encrypts the data encryption keys and corresponding keywords by using mk, keeps the ciphertext in the local, and deletes the plaintext. The mathematical description of the process is as follows:

$$C_{F_i}=AES256(K_i,F_i)\Vert k{w}_i,i=1,2,\dots ,n$$

$$C_K=AES256(mk,{\displaystyle \bigcup _{i=1}^n}k{w}_i\Vert K_i)$$

After receiving the signature ${\phi }_{I{D}_O}$, the time stamp $\tau$, and the ciphertext $C_{F_i}(i=1,2,\dots ,n)$, the STTP verifies the signature and then sends the ciphertext to the cloud storage servers.

Data Share

Based on the proposed CL-HSC algorithm and the idea of the re-encryption method [25,26,27], we propose a secure data-sharing scheme, which can provide data confidentiality and user authentication. Meanwhile, our scheme avoids directly sending data encryption keys to requesters, which makes user revocation easy.

• The requester $I{D}_R$ indexes the keywords $k{w}_i$ in the cloud storage servers to find the corresponding ciphertext $C_{F_i}$ and obtains the identifier $I{D}_O$ and the public key $p{k}_{I{D}_O}$ of the data owner from the STTP.
• The requester $I{D}_R$ computes a signature ${\phi }_{I{D}_R}=(S_{I{D}_R},W_{I{D}_R})$ and the shared key $k_{RO}$ and sends {${\phi }_{I{D}_R}$, $I{D}_R$, $k{w}_i$} to the data owner $I{D}_O$.
• The data owner $I{D}_O$ queries $p{k}_{I{D}_R}$ from the STTP and validates the signature after receiving the request. Then, the data owner $I{D}_O$ reads $k{w}_i$ and makes a decision. If the data owner $I{D}_O$ agrees to share data $F_i$ with the requester $I{D}_R$, they compute the shared key $k_{RO}$. Otherwise, stop further operation.
• The data owner $I{D}_O$ sends a share message $Share\left(k{w}_i\right)$ to the STTP. The STTP gets the ciphertext $C_{F_i}$ from cloud storage servers and sends $C_{F_i}$ to the data owner.
• The data owner obtains $K_i$ from $C_K$ with his/her master key $mk$ and decrypts $C_{F_i}$ by using $K_i$. Then, the data is re-encrypted by using the agreed key $k_{RO}$ and sends the new ciphertext $C_{F_i}^{\prime }$ to the requester $I{D}_R$.
• The requester $I{D}_R$ receives ciphertext $C_{F_i}^{\prime }$ and decrypts it by using the agreed key $k_{RO}$ to obtain the data. Simultaneously, an acknowledgement message Acknowledge is sent to the data owner $I{D}_O$.

User Revocation

Now, we discuss how to handle user revocation. Based on the data-share scheme, we propose a simple user revocation protocol as below.

• Once a malicious user $I{D}_i$ is found, the STTP revokes the $I{D}_i$ from the user list $UL$ and adds the $I{D}_i$ to the revocation list $RL$. When a user is revoked, the STTP will reject providing any services for the $I{D}_i$. After a period of time, the STTP can delete the data of the revoked user.
• The STTP sends a revocation message {Revoke, $I{D}_i$} to other users.
• After receiving the message, users firstly validate the message. If the message is valid, users delete the agreed key and stop further operations with the revoked user $I{D}_i$.

Data Update

The data owner may need to update the data stored in the cloud servers. The data update operation is described as follows:

• The data owner $I{D}_O$ sends a data update message {Update, $k{w}_i$, $I{D}_O$, ${\phi }_{I{D}_O}$} to the STTP.
• After receiving the message, the STTP validates ${\phi }_{I{D}_O}$. If the message is valid, the STTP sends the ciphertext $C_{F_i}$ to the data owner $I{D}_O$.
• The data owner $I{D}_O$ decrypts the ciphertext $C_{F_i}$ by using $K_i$. Then, the data owner $I{D}_O$ can update the data $F_i$. After updating, the data owner encrypts the modified data again and sends the new ciphertext to the STTP.
• The STTP receives the ciphertext and stores it to the cloud servers.

Data Deletion

In addition, the data owner maybe want to delete some data stored in the cloud servers. The data deletion operation is described as follows:

• The data owner $I{D}_O$ sends a data deletion message {Delete, $k{w}_i$, $I{D}_O$, ${\phi }_{I{D}_O}$} to the STTP.
• After receiving the message, the STTP validates the ${\phi }_{I{D}_O}$. If the message is valid, the STTP deletes the ciphertext $C_{F_i}$ and sends an acknowledgement message Acknowledge to the data owner $I{D}_O$.

5. Security Analysis

In this section, we discuss the security of our data-sharing scheme, which mainly depends on data encryption keys and the proposed CL-HSC scheme. We prove that our proposed data-sharing scheme is collusion resistant and spoofing attacks resistant.

5.1. Security of Data Encryption Keys

In our proposed key derivation method, the master key, the initial vector, and the time stamp are used to generate data encryption keys. We associate the adjacent keys to enhance the security. Each key is generated by XORing two hash results, one of which is the hash result of a part of the former key.

Wang et al. introduced a key derivation method based on binary tree [3], and the mathematical description of the key derivation method is as follows:

• left child of $K(i,j)$: $K\left(\right(i+1),(2\ast j-1\left)\right)=hash\left(K\right(i,j\left)\right|\left|\right(2\ast j-1\left)\right|\left|K\right(i,j\left)\right)$.
• right child of $K(i,j)$: $K\left(\right(i+1),(2\ast j\left)\right)=hash\left(K\right(i,j\left)\right|\left|\right(2\ast j\left)\right|\left|K\right(i,j\left)\right)$.

This method cannot provide the security of data encryption keys. Once the adversary has obtained the $K(0,1)$, the other data encryption keys can be obtained by the derivation formulae. In our key generation algorithm, each data encryption key cannot be directly generated by other data encryption keys. Furthermore, data encryption keys are confidential for the STTP and requesters in our scheme.

5.2. Security of the Proposed CL-HSC Scheme

The security of our proposed CL-HSC scheme is based on the computation assumption EC-CDH. To prove the security of a CL-HSC scheme, two types of adversaries are defined in Reference [1]. We show that our proposed CL-HSC scheme without pairing operations is satisfied with an existential unforgeability against adaptive chosen messages and identity attacks (EUF-CMA), which can be guaranteed by the following theorems. The proof process is similar to the one in Reference [20,28] and will not be discussed here.

Theorem 1.

If a forger${\mathcal{F}}_{\mathrm{I}}$can break the EUF-CMA-I security of our CL-HSC scheme with a non-negligible advantage ϵ, asking$q_{ppk}$extract partial private key queries,$q_{sv}$set secret value queries, and$q_{H_i}$random oracle queries to$H_i(i=0,1,2,3)$, then an algorithm$\mathcal{C}$can be constructed that can solve the EC-CDH problem with the following advantage:

$${ϵ}^{\prime }\ge (ϵ-\frac{1}{2^{\lambda -1}})(1-\frac{q_{ppk}}{q_{H_0}})(1-\frac{q_{sv}}{q_{H_0}})\frac{1}{q_{H_0}-(q_{ppk}+q_{sv})}$$

Theorem 2.

If a forger${\mathcal{F}}_{\mathrm{II}}$can break the EUF-CMA-II security of the CL-HSC scheme with a non-negligible advantage ϵ, asking$q_{sv}$set secret value queries,$q_{rpk}$replace public key queries, and$q_{H_i}$random oracle queries to$H_i(i=0,1,2,3)$, then an algorithm$\mathcal{C}$can be constructed that can solve the EC-CDH problem with the following advantage:

$${ϵ}^{\prime }\ge (ϵ-\frac{1}{2^{\lambda -1}})(1-\frac{q_{rpk}}{q_{H_0}})(1-\frac{q_{sv}}{q_{H_0}})\frac{1}{q_{H_0}-(q_{rpk}+q_{sv})}$$

5.3. Security of Our Proposed Data-Sharing Scheme

Theorem 3.

Our proposed data-sharing scheme can resist the collusion attack.

Proof of Theorem 3.

In our cloud storage system, data are encrypted by using AES256, which can guarantee the confidentiality of users’ data. Currently, there are no known practical attacks to decrypt AES-encrypted data. The data encryption keys are encrypted by the master key, so only the data owner can obtain them. Therefore, the requester cannot collude with the STTP to decrypt the ciphertext. In addition, when sharing data, the original ciphertext is re-encrypted by the agreed key. This means that multiple requesters cannot collude to decrypt the ciphertext. □

Theorem 4.

Our proposed data-sharing scheme is spoofing attack resistant and replay attack resistant.

Proof of Theorem 4.

In our data-sharing scheme, mutual authentication is needed before undergoing a further operation. The signature ${\phi }_{I{D}_i}$ is computed by using the user $I{D}_i$’s full private key $s{k}_{I{D}_i}$, which is secret to others, even the STTP. The STTP only generates the partial public/private key pair for all users, which can prevent the STTP from forging the signature to obtain the shared key and the data. Thus, the signature cannot be forged, which can effectively resist the spoofing attacks. Meanwhile, the time stamp $\tau$ is used to generate the signature, which can ensure that our scheme is replay attack resistant. □

6. Performance Analysis

6.1. Experiment

To evaluate the performance of our proposed CL-HSC scheme, we performed experimental simulations using the PBC library [29] and the OpenSSL library. The experiments were conducted on a Windows 7 system with an Inter(R) Core(TM) i5-3470 CPU at 3.20 GHz and 4.00 GB RAM. We choose the Type A pairings to implement the three schemes. We conducted five simulation experiments for each scheme and used the average run time as the final result.

From the simulation results (shown in Figure 3), it can be seen that although our scheme requires more execution time in Unsigncrypt, our scheme has a significant advantage in KegGen, PartialKeyGen, and Signcrypt. Compared with the schemes in Reference [20,24], our scheme has a lower total running time.

6.2. Comparison with Other Existing Schemes

Table 2. The notations for different operations.

Notation	Meaning
$PM$	Scalar point multiplication on $G_p$
$T_H$	Time to a normal hash function H
$T_{H_0}$	Time to hash function $H_0$
$T_{H_1}$	Time to hash function $H_1$
$T_{H_2}$	Time to hash function $H_2$
$T_{H_3}$	Time to hash function $H_3$
$T_E$	Time to AES256 algorithm
$T_h$	Time to SHA256 algorithm
$\left|q\right|$	Length of the binary representation of q
$|C_{F_i}|$	Size of the ciphertext $C_{F_i}$
SKC	Symmetric Key Cryptography

presents the notations used in different operations.

First, we make a comparison based on the work mechanism and functions as shown in

Table 3. Comparison of Our Scheme with Other Existing Secure Schemes.

Schemes	Structure	Write/Read	Access Control	Authentication	User Revocation
[3]	Centralized	1-W-M-R	SKC	Yes	No
[12]	Decentralized	M-W-M-R	ABE	Yes	Yes
Our Scheme	Centralized	1-W-M-R	SKC	Yes	Yes

. The scheme of Reference [3] and our scheme are centralized architecture, but the scheme of Reference [12] is decentralized and has multiple key distribution centers (KDCs) or STTPs for key management. In fact, our scheme also can be extended to a multi-domain environment and each sub-domain has a STTP as a domain agent. The scheme of Reference [12] supports multiple reads and writes on the data stored in cloud. For security and copyright considerations, our scheme only allows the data owner to write data. Also, our scheme provides authentication and user revocation.

Then, we compare the computational complexity of our scheme with that of other existing schemes as shown in

Table 4. Comparison of Computational Complexity and Size of Ciphertext in the Data Store Phase.

Schemes	Data Owner	Cloud (STTP)	Size of Ciphertext
[3]	$(n+2^{\lceil {log}_2^n\rceil })T_H+(n+1)T_E$	$T_H+T_E$	$\sum |C_{F_i}|$
[12]	$(3m+1)E_0+2m{E}_T+{\tau }_H$	$(l+2t){\tau }_{\widehat{p}}+l(E_1+E_2)+{\tau }_{H^{\prime }}$	$2m|G_0|+m|G_T|+m^2+$
	$(2l+2)E_1+2t{E}_2+{\tau }_{H^{\prime }}$		$\left|MSG\right|+(l+t+2)|G_1|$
Our Scheme	$2n{T}_h+(n+1)T_E$	$T_{H_0}+T_{H_2}+T_{H_3}+3PM$	$2\left|q\right|+\sum |C_{F_i}|$
	$PM+T_{H_2}+T_{H_3}$

,

Table 5. Comparison of Computational Complexity in the Data Share Phase.

Schemes	Data Owner	Cloud (STTP)	Requester
[3]	$3T_E+3T_H$	$T_E+T_H$	$2T_E+T_H$
[12]	0	0	$2m{\tau }_p+{\tau }_H+O\left(mh\right)$
Our Scheme	$T_{H_0}+T_{H_1}+T_{H_2}+T_{H_3}+4PM+2T_E$	0	$T_{H_0}+T_{H_1}+T_{H_2}+T_{H_3}+2PM+T_E$

and

Table 6. Comparison of Computational Complexity in the Data Update Phase.

Schemes	User	Cloud (STTP)
[3]	$3T_E+T_H$ (Case1)	$T_E+T_H$
	$3T_E+3T_H$ (Case2)
[12]	$(3m+1)E_0+2m{E}_T+{\tau }_H$	$(l+2t){\tau }_{\widehat{p}}+l(E_1+E_2)+{\tau }_{H^{\prime }}$
	$(2l+2)E_1+2t{E}_2+{\tau }_{H^{\prime }}$
Our Scheme	$PM+T_{H_2}+T_{H_3}+2T_E$	$T_{H_0}+T_{H_2}+T_{H_3}+3PM$

. Here, we assume that the AES256 algorithm and a normal hash function H are used in Reference [3].

In Table 4, we show the computational complexity of different schemes in the data store phase or creating a file. The complexity of our scheme is roughly the same as that of Reference [3]. However, the scheme of Reference [12] based on bilinear maps has a high computational complexity, which is positively correlated with the dimension of the access matrix. Note that our scheme and that of Reference [3] are in the case of n files but that of Reference [12] is in the case of one file.

In Table 5, we show the computational complexity of different schemes in the data share phase. Since the scheme of Reference [12] is based on ABE, which allows users whose attributes meet the access policy to access data stored in cloud, the data owner and the STTP do not need to do anything in the data share phase. Compared with the schemes of Reference [3,12], our scheme has a high computational complexity. However, in our scheme, the data owner has strict control over data in the cloud.

In Table 6, we show the computational complexity of different schemes in the data update phase. This process is the same as the data store phase. Here, we just discuss the case of one file. Although the computational complexity of the scheme in Reference [3] is less than our scheme, the data owner needs to maintain two key trees in the block-update phase. Furthermore, the data owner sends the data encryption keys to the requesters directly in the scheme of Reference [3], which leads to much computational complexity in the phases of block deletion, block update, and revocation of access right.

7. Conclusions

In this paper, we firstly proposed a key derivation method by which the data owner just needs to maintain the master key. Then, we combined the proposed CL-HSC scheme and a re-encryption protocol to propose a secure data share scheme, which is satisfied with confidentiality, unforgeability, and user-centricity. Since the proposed CL-HSC scheme do not contain pairing operation, it is low cost and low complexity. As our future work, we will consider the problem of secure data sharing for multiple recipients.