Authors: 李玥 (LI Yue); 宋祁朋 (SONG Qipeng)[1,2]; 贾皓 (JIA Hao); 邓鑫 (DENG Xin); 马建峰 (MA Jianfeng) (School of Cyber Engineering, Xidian University, Xi'an 710071, China; State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an 710071, China; School of Control and Computer Engineering, North China Electric Power University, Beijing 102206, China)
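Affiliations: [1] School of Cyber Engineering, Xidian University, Xi'an, Shaanxi 710071 [2] State Key Laboratory of Integrated Services Networks, Xidian University, Xi'an, Shaanxi 710071 [3] School of Control and Computer Engineering, North China Electric Power University, Beijing 102206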
Source: Journal of Xidian University (《西安电子科技大学学报》), 2023, Issue 4, pp. 194-205, 12 pages in total
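Funding: National Key R&D Program of China (2021YFB3101304); Natural Science Basic Research Program of Shaanxi Province (2022JQ-658, 2022JQ-621, 2021JQ-207); National Natural Science Foundation of China, Youth Program (62002278); Fundamental Research Funds for the Central Universities (XJS211508, XJS211507, ZYTS23165).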
Abstract: The prevalence of cloud storage services has attracted many users to outsource their data to cloud platforms. To protect personal privacy, data are encrypted before being outsourced to the cloud, which makes sharing data through cloud platforms very inconvenient. The key challenge lies in how to design a cryptography-based group access control scheme that lets users share ciphertext data safely and conveniently with reasonable computing/storage overhead. To this end, building on existing research efforts and on an existing scheme that combines identity-based broadcast encryption, attribute encryption and proxy re-encryption, a low-overhead, fine-grained dynamic group access control mechanism for cloud storage data based on a trusted computing environment is proposed. By introducing a trusted execution environment, such as Intel® Software Guard Extensions (Intel® SGX), the cryptographic operations within the original scheme are significantly simplified. At the same time, by introducing the idea of subgroup partition, the management overhead of dynamic group access control is further optimized. Simulation results show that, compared with the original scheme, this scheme effectively protects data privacy and provides fine-grained dynamic access control over ciphertext data, while greatly reducing computational complexity.
Classification code: TP309.2 [Automation and Computer Technology - Computer System Architecture]