
Trusted execution environment enabled dynamic group access control for data in cloud
Abstract: The prevalence of cloud storage services has attracted many users to outsource their data to cloud platforms. To protect personal privacy, data are encrypted before being outsourced to the cloud, which makes sharing data through cloud platforms very inconvenient. The key challenge lies in how to design a cryptography-based group access control scheme that lets users share ciphertext data safely and conveniently with reasonable computing/storage overhead. To this end, building on the existing literature and on an existing scheme that combines identity-based broadcast encryption, attribute encryption and proxy re-encryption, a low-overhead, fine-grained dynamic group access control mechanism for cloud storage data, based on a trusted computing environment, is proposed. By introducing a trusted execution environment, such as Intel® Software Guard Extensions (SGX), the cryptographic operations within the original scheme are significantly simplified. At the same time, by introducing the idea of subgroup partition, the management overhead of dynamic group access control is further optimized. Simulation results show that, compared with the original scheme, this scheme greatly reduces computational complexity while effectively protecting data privacy and providing fine-grained dynamic access control over ciphertext data.
Authors: LI Yue (李玥); SONG Qipeng (宋祁朋); JIA Hao (贾皓); DENG Xin (邓鑫); MA Jianfeng (马建峰) (School of Cyber Engineering, Xidian University, Xi'an 710071, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China; School of Control and Computer Engineering, North China Electric Power University, Beijing 102206, China)
Source: Journal of Xidian University (《西安电子科技大学学报》); indexed in EI, CAS, CSCD and the Peking University Core Journals list; 2023, Issue 4, pp. 194-205 (12 pages)
Funding: National Key Research and Development Program of China (2021YFB3101304); Natural Science Basic Research Program of Shaanxi Province (2022JQ-658, 2022JQ-621, 2021JQ-207); National Natural Science Foundation of China, Young Scientists Fund (62002278); Fundamental Research Funds for the Central Universities (XJS211508, XJS211507, ZYTS23165).
Keywords: identity based broadcast encryption; SGX; dynamic group access control