WebCloud Web-Based Cloud Storage For Secure Data Sharing Across Platforms

The document presents WebCloud, a web-based client-side encryption solution for secure data sharing in cloud storage, addressing major challenges such as low security, inconvenient data sharing, and poor usability. It utilizes modern web technologies like WebAssembly and the Web Cryptography API to enable cross-platform functionality without the need for additional software. WebCloud also incorporates a ciphertext-policy attribute-based encryption mechanism for fine-grained access control and efficient data processing.


IEEE Transactions on Dependable and Secure Computing, Volume 19, Issue 3, May-June 2022

WebCloud: Web-Based Cloud Storage for Secure Data Sharing across Platforms

Shuzhou Sun, Hui Ma, Zishuai Song, Rui Zhang

Abstract—With more and more data moving to the cloud, the privacy of user data has raised great concerns. Client-side encryption/decryption seems to be an attractive solution to protect data security; however, the existing solutions encounter three major challenges: low security due to encryption with a low-entropy PIN, inconvenient data sharing with traditional encryption algorithms, and poor usability with dedicated software/plugins that require certain types of terminals.
This work designs and implements WebCloud, a practical browser-side encryption solution, leveraging modern Web technologies. It solves all three problems above while achieving several additional remarkable features: robust and immediate user revocation, and fast data processing with offline encryption and outsourced decryption. Notably, our solution works on any device equipped with a Web user agent, including Web browsers, mobile and PC applications. We implement WebCloud based on ownCloud for basic file management utility, and utilize WebAssembly and the Web Cryptography API for the integration of complex cryptographic operations. Finally, comprehensive experiments are conducted with many well-known browsers, Android and PC applications, which indicate that WebCloud is cross-platform and efficient.
As an interesting by-product, the design of WebCloud naturally embodies a dedicated and practical ciphertext-policy attribute-based key encapsulation mechanism (CP-AB-KEM) scheme, which can be useful in other applications.

Index Terms—Web-Based Cloud Storage, Secure Data Sharing, Cross-Platform Encryption/Decryption Solution, Attribute-Based Encryption

1 Introduction

Public cloud storage service becomes increasingly popular due to cost reduction and good data usability for users. This trend has prompted users and corporations to store (unencrypted) data on public clouds, and to share their cloud data with others. Using a cloud for high-value data requires the user to trust the server to protect the data from unauthorized disclosure. This trust is often misplaced, because there are many ways in which confidential data leakage may happen, e.g. the data breaches reported in [1], [2], [3], [4], [5], [6]. To counteract data leakage, one of the most promising approaches is client-side encryption/decryption. Concretely, client-side encryption allows senders to encrypt data before transmitting it to clouds, and to decrypt the data after downloading it from clouds. In this way, clouds only obtain encrypted data, thus making server-side data exposure more difficult or impossible. At the same time, as a crucial functionality of cloud storage, flexible file sharing with multiple users or a group of users must be fully supported. However, existing client-side encryption solutions suffer from disadvantages in terms of security, efficiency and usability.

Known Client-Side Encryption Solutions. We review existing solutions and point out their limitations.

• Limited support or no support. Many cloud storage providers, including Google Drive and Dropbox, do not provide support for client-side encryption. They adopt server-side encryption for stored files, TLS for data in transit, and two-factor authentication for user authentication. Apple iCloud supports end-to-end encryption for sensitive information, e.g., iCloud Keychain and Wi-Fi passwords. For other data uploaded to iCloud, only server-side encryption is adopted.

• Password-Based Solutions. Some products [7], [8], [9] use symmetric encryption (typically AES) to encrypt users' data and then upload the ciphertexts to clouds. However, in these schemes, the cryptographic keys are derived from a password/passphrase or even a 4-digit PIN. Relying on such low entropy is considered unsafe [10]. Worse still, most password-based solutions only deal with the case of single-user file encryption and decryption, and do not provide any file sharing mechanism. Notably, [7] allows users to generate a share link for each password-protected file. However, users must manually send the share link through one channel, and the password to all receivers through another secure channel, which is inconvenient and brittle.

• Hybrid Encryption Scheme. The cloud adopts a key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM), the so-called KEM-DEM setting. Many public cloud service providers, including Amazon [11], Tresorit [12], and Mega [13], adopt the RSA-AES paradigm. Users generate RSA key pairs and apply for certificates from the providers, who build and maintain a Public Key Infrastructure (PKI). Users encrypt data under freshly sampled AES keys, which are further encrypted under all recipients' RSA public keys. This file sharing mechanism is inflexible and inefficient. A sender needs to obtain and specify the public keys of all receivers during encryption. Even worse, the size of the ciphertext and the encryption workload are proportional to the number of recipients, resulting in greater bandwidth and storage costs and more user expenditure.

Limitations of the Existing Solutions. Three drawbacks exist in the above-mentioned solutions: 1) comparatively poor security, 2) coarse-grained access control with inflexible and inefficient file sharing, and 3) poor usability. The first two are easy to see, and we now elaborate on the usability issue. Typically, users use different terminals to upload files, including desktop, Web and mobile applications [14]. However, almost all the existing solutions require additional software or plugins, thus limiting users' devices and platforms. When switching to a new device, users need to repeat the tedious installation process, which greatly increases users' burden and thus decreases usability.

1.1 Design and Challenges

In this work, we focus on designing and implementing a practical, secure and cross-platform public cloud storage system. The proposed solution, WebCloud, is a Web-based client-side encryption solution. Users encrypt and decrypt their data using Web agents, e.g., Web browsers. For the encryption algorithm, a secure and efficient Ciphertext-Policy Attribute-Based Encryption (CP-ABE) scheme is proposed, which achieves encryption and access control simultaneously. The cloud service serves as a storage backend and does not handle users' secret keys. Specifically, WebCloud admits a uniform design and addresses all three of the mentioned limitations: 1) the security of WebCloud relies on the security of the proposed CP-ABE and of the cryptographic keys; 2) the file sharing functionality is flexible and efficient, allowing one ciphertext to be decrypted by many receivers; and 3) WebCloud is cross-platform and works on any popular browser, without any plugin installed.

We discuss our design rationale and point out the related challenges. Recent advances in Web technology, namely Web browsers, have greatly enhanced security and usability across different platforms. On the one hand, new features such as the Web Cryptography API [15] and WebAssembly [16] have been introduced. On the other hand, today's personal computers and mobile devices have a Web browser installed by default. Therefore, it is promising to use the browser as the encryption engine. However, the efficient combination of Web techniques and cryptographic schemes is far from trivial, since each technique has its own suitable scenarios.

Certain cryptographic schemes have appealing properties for adoption in the cloud computing scenario. In particular, CP-ABE [17] has many applications in cloud data protection and sharing, since it provides fine-grained (non-interactive) access control and encryption simultaneously. In CP-ABE, an access policy is embedded into a ciphertext, thus allowing many recipients to decrypt the ciphertext. It should be promising to use CP-ABE as the encryption scheme in a client-side encryption solution. A lot of work has been done on CP-ABE, e.g., proposing new constructions [18], optimizing computation efficiency [19], [20], [21] and supporting revocation [22]. However, existing CP-ABE schemes do not combine state-of-the-art techniques, and cannot achieve efficient data encryption, robust and immediate user revocation, offline encryption and outsourced decryption simultaneously.

1.2 Our Results

We view our contribution as the uniform design, rigorous analysis and efficient implementation of WebCloud; in particular, it simultaneously achieves the following:

• Practical Encryption Solution for Cloud Storage. We introduce WebCloud, a practical client-side encryption solution for public cloud storage, which effectively combines modern Web techniques and cryptographic algorithms. WebCloud involves a key management mechanism, a dedicated attribute-based encryption scheme and a high-speed implementation. More importantly, WebCloud is cross-platform (including major browsers, Android and PC) and plugin-free.

• Fine-Grained Access Control Mechanism with ABE. It is widely accepted that attribute-based encryption (ABE) is promising for fine-grained access control of data. However, we find that the existing ABE schemes suffer from high computational overhead, or lack some vital functionalities, i.e., they do not provide efficient data encryption, robust and immediate user revocation, offline encryption and outsourced decryption simultaneously. To solve this problem, we propose a dedicated ciphertext-policy attribute-based access control mechanism. The proposed scheme can also be used in other scenarios.

• Rigorous Security Analysis. We present a security model of WebCloud, including the adversarial models for the Web and for the cryptographic scheme simultaneously. The security analysis is then done in the proposed model, namely, the provable security of the proposed CP-ABE scheme and the reliability of the key storage on the browser side.

• Efficient Operation inside Browsers. We implement WebCloud based on ownCloud [23]. The functionalities and performance are evaluated in major browsers on many devices, and in applications on PC and Android devices. The benchmark results indicate that WebCloud is a practical solution. Most remarkably, in the Chrome browser on a 4-core 2.2 GHz Macbook machine, encrypting a 1 GB file takes 3.1 seconds, while decryption costs 3.9 seconds.

We describe a scenario of WebCloud. When used inside a corporation, the company itself generates and distributes secret keys, and any public cloud service can be adopted as the cloud server. When an employee joins the company, he/she registers with a set of attributes, e.g., ("IT Department", "Man"), and obtains a secret key. The employee shares files with others by encrypting the files under a specific access policy, e.g., "IT Department and Manager", using CP-ABE in a Web browser. The ciphertexts are then uploaded to the cloud. Employees who satisfy the access policy can download the ciphertext and decrypt it in their

browsers. The company has no need to build its own cloud infrastructure, and each employee can use personal computers or mobile devices to access the cloud. An employee is revoked from the system when he/she resigns from the company.

Organization. The rest of the paper is organized as follows. Section 2 recaps modern Web technologies and primitives. Section 3 elaborates the design of WebCloud. Section 4 gives detailed descriptions of the algorithms in WebCloud. Section 5 gives a rigorous security analysis and highlights nice features of WebCloud. Section 6 demonstrates benchmarks of WebCloud on many devices. Section 7 gives the conclusion.

1.3 Related Work

In-Browser Cryptography. Both the Web community and security researchers understand the importance and usefulness of in-browser cryptography and have made remarkable efforts in this area.

JavaScript cryptographic libraries were developed for ease of use of cryptography in browsers, for instance [24], [25], [26]. Many of these libraries have a large number of downloads, e.g., 423,368 for OpenPGP.js [24] in total. The World Wide Web Consortium (W3C) noticed this trend of using in-browser cryptography and, as a solution, proposed a standard called the Web Cryptography API [27], [15]. The standard supports a few widely adopted standard algorithms, e.g., AES and ECDSA, which is convenient for building several secure Web applications [28], including authenticated video services and encrypted communications via Web mail.

Meanwhile, there is research in the literature exploring the idea of running cryptographic algorithms in Web browsers. [29] focused on using Identity-Based Cryptography for client-side security in Web applications and presented a JavaScript implementation of their scheme. They selected the Combined Public Key cryptosystem as the encryption scheme to avoid the complex computations involved in bilinear pairings and elliptic curves. ShadowCrypt [30] allows users to transparently switch to encrypted input/output for text-based Web applications. It requires a browser extension, replacing input elements in a page with secure, isolated shadow inputs and encrypted text with secure, isolated cleartext. [26] implemented several lattice-based encryption schemes and showed their speed performance on four common Web browsers on PC. Their results demonstrated that some of today's lattice-based cryptosystems can already have efficient JavaScript implementations. Recently, [31] constructed an efficient two-level homomorphic public-key encryption in prime-order bilinear groups and presented a high-performance implementation using WebAssembly that allows their scheme to run very fast on any popular Web browser, without any plugins required.

Attribute-Based Encryption. Attribute-based encryption (ABE) was first introduced by Sahai and Waters under the name fuzzy identity-based encryption [32]. Goyal et al. [33] extended fuzzy IBE to ABE. Up to now, there are two forms of ABE: key-policy ABE (KP-ABE) [33], [34], [35], [36], where the key is assigned to an access policy and the ciphertext to a set of attributes, and ciphertext-policy ABE (CP-ABE) [17], [37], [38], where the ciphertext is assigned to an access policy and the key to a set of attributes. A user can decrypt a ciphertext if the set of attributes satisfies the access policy. In this work, CP-ABE is adopted as a building block of WebCloud: each file has an access policy to indicate the allowed receivers.

The complex pairing and exponentiation operations in ABE are mitigated by many works. Green et al. [19] introduced outsourced decryption into ABE systems such that the complex operations of decryption can be outsourced to a cloud server, leaving only one exponentiation operation for a user to recover the plaintext. Further, online/offline ABE [20] was proposed by Hohenberger and Waters, which splits the original algorithm into two phases: an offline phase which does the majority of the encryption computations before knowing the attributes/access control policy and generates an intermediate ciphertext, and an online phase which rapidly assembles an ABE ciphertext from the intermediate ciphertext after the attributes/access control policy is fixed. Meanwhile, [20] proposed two scenarios for the offline phase: 1) the user does the offline work on his smartphone; 2) a high-end trusted server helps the user with a low-end device do the offline work.

2 Preliminary

2.1 Modern Web Technologies

Web Cryptography API. The Web Cryptography API [15] is a standard API for accessing cryptographic primitives in JavaScript-based environments (e.g., browsers and Node.js). The API is only available within HTTPS. Actually, major Web browsers and operating systems already contain well-verified and reviewed cryptographic algorithms. The API simply exposes these algorithms to Web application developers through a standardized interface. It contains a cryptographically strong pseudo-random number generator (CSPRNG) and supports a few widely used standards, e.g., AES and PBKDF2. Unfortunately, these primitives are still insufficient for building some novel cryptographic schemes, e.g., pairing-based cryptography including Attribute-Based Encryption. Even worse, this API does not specify storage mechanisms for cryptographic keys.

WebAssembly. WebAssembly [16] is a binary instruction format for a stack-based virtual machine. It is designed as a portable target for compilation of high-level languages like C/C++/Rust, enabling deployment on the Web for client and server applications. It can be invoked from JavaScript code. WebAssembly aims at executing applications at native speed by taking advantage of common hardware capabilities available on a wide range of platforms, including mobile and IoT. The WebAssembly code is shipped to users' browsers along with other Web files (e.g., stylesheets), compiled to binary code in users' browsers and optionally cached in IndexedDB.

Web Storage. Browsers usually use the Web Storage API or IndexedDB to store data. The Web Storage API provides mechanisms to store key/value pairs, in a much more intuitive fashion than using cookies. The API includes temporary storage sessionStorage (available for the duration of the page session) and persistent storage localStorage (which can be persisted even when the browser is closed and reopened). It offers megabyte-scale storage, usually 5 MB for

mobile browsers and 10 MB for desktop browsers. For storing larger amounts of structured data, IndexedDB [39] provides a solution; it is a low-level API for client-side storage of significant amounts of structured data.

Web Workers. Typically, browsers create a single main thread for a Web page. If there are costly operations in the main thread that take significant time, the user interface may freeze, e.g., clicking and typing get no response. A Web Worker is a JavaScript script that runs in a background thread, which makes it more efficient to utilize multi-core CPUs. The worker can perform time-consuming computations without interfering with the user interface. The Web Worker API provides methods for initializing and destroying workers. Once created, a worker can send messages to the main thread or store computed results in IndexedDB (other types of Web storage are not available in Web Workers).

2.2 Multi-Factor Authenticated Key Exchange

Multi-factor authenticated key exchange (MFAKE) is a useful tool where a user interacts with a server to set up a session key, where pre-registered information (a.k.a. an authentication factor) of the user, such as a password or biometrics, is stored. So far, many practical MFAKE schemes have been proposed, e.g., [40], [41], [42], [43]. We review [43] briefly, which is adopted as one of the building components of WebCloud.

In [43], an efficient MFAKE scheme was constructed under the Decisional Diffie-Hellman (DDH) assumption, where a user is authenticated with different factors simultaneously, such as passwords, biometrics (e.g., fingerprint) and hardware devices. It consists of two phases: registration and login-authentication.

Registration: The registration phase takes place in a secure and reliable environment. The client generates a password $\alpha$, a good biometrics template $W$, and a random group element $\gamma \in \mathbb{Z}_p^*$. The biometrics template $W$ is sent to the registration center (RC) and derived into a random $\beta$ using a fuzzy extractor algorithm. RC computes $Z = H^{\alpha+\beta+\gamma}$, uses a public key encryption scheme to encrypt $Z$ and other user information, and stores the encrypted result in its database. The client should store $\gamma$ safely on his/her devices.

Login-Authentication: A client with a userid uses a registered device and sends an authentication request to the server. The server computes an authentication challenge and sends it to the client. The user inputs the password $\alpha$ and biometrics $W'$. Meanwhile, the device reads $\gamma$ and computes $\beta$ from $W'$ using the fuzzy extractor algorithm. Then the client computes the authentication response and sends it to the server. Both sides compute the authentication confirmation, and determine whether this mutual authentication and key agreement is completed.

WebCloud can use MFAKE [43] for secure key distribution. The registration center is the private key generator, and the registration phase happens in the key generation phase of WebCloud. The device secret $\gamma$ is stored on users' computers and can be accessed by browsers with users' interaction. While [43] adopted fingerprints as the biometric data and required a special fingerprint scanner, WebCloud uses facial features [44] that can be extracted from cameras.

3 Overview of WebCloud

3.1 System Model

As shown in Fig. 1, WebCloud adopts the browser and server (B/S) architecture. There are four entities involved: a private key generator (PKG), a public cloud server, data owners and data consumers. The roles of each entity are as follows:

• PKG generates and distributes system parameters and keys to other entities, and instructs the cloud to revoke a user. PKG maintains a Public Key Infrastructure (PKI) and plays the role of the root Certificate Authority (CA). We stress that this only increases PKG's workload marginally, since certificate issuance and key distribution are completed at the same time.

• The public cloud server provides a website for accessing and storing data in Web user agents. Moreover, it runs a few services:
  – Storage Service (SS) stores transformation keys and encrypted data reliably.
  – Outsourced Decryption Service (DS) checks whether a data consumer has been revoked and preprocesses ciphertexts to ease the computation overhead of decryption for users.
  – Key Update Service (KUS) updates the cloud secret key CSK periodically or when the current CSK is leaked.
  – Ciphertext Update Service (CUS) updates ciphertexts with the new CSK.

• Data owners decide access policies and encrypt data under these policies before uploading to the public cloud.

• Data consumers download encrypted data from the public cloud server and decrypt the data locally.

We remark that such a trusted party (serving as PKG) is not hard to find, for instance, government organizations or major banks.

3.2 Security Notions

The security goal of WebCloud is to protect users' data from disclosure on the server side of cloud storage systems. We assume the cloud is honest-but-curious [45]. The cloud honestly follows the protocol, e.g., provides the storage service and the outsourced decryption service. It does not adversarially modify users' data. Most of the data consumers are honest, but a few of them may be corrupt and share their secret keys in a collusion. In contrast, PKG and data owners are assumed to be totally trusted. All communications are secured by TLS [46]. The following adversary models are considered:

Passive Man-in-the-Middle. The adversary reads all network traffic passively, but does not perform any active attacks, e.g., altering network packets.

Web Attacker Model. This model is the standard security model of Web applications [47]. An adversary in this model can access any open Web application, learn its client-side code, send emails and other messages, and can set up their own (malicious) Web applications. The adversary is unable

Fig. 1: System Design of WebCloud. (a) System Model of WebCloud: PKG (root CA), the public cloud server (running SS, DS, KUS and CUS), a data owner and a data consumer, with steps 1) user registration and distribution of PK, CSK and TKu; 2) MFAKE and retrieval of RKu; 3) a. offline encryption, b. set policy and upload files, c. online encryption, d. ciphertext initialization; 4) a. request files, b. outsourced decryption, c. user decryption, d. download files; 5) cloud secret key update; 6) user revocation. (b) Outline of WebCloud: the data owner's browser runs Enc.Offline in a Web Worker to produce the intermediate ciphertext IT, runs Enc.Online under the access structure (M, ρ) to produce CT0, AES-encrypts the file into CTAES and uploads both; the cloud runs CTInit and Dec.Out to produce the transformed ciphertext TCT; the data consumer's browser runs Dec.User with RKu, recovers the AES key and decrypts CTAES.

to forge Web origins [48], since this undermines the security of any Web application.

Data Security against User Collusion. In this model, some users and the cloud can collude in an arbitrary manner, e.g., they can obtain some cryptographic keys RKu, TKu and the cloud secret key CSKctr. They try to decrypt files beyond their authorized access rights. We formalize it with Definition 1 in Appendix B.

Data Security against Cloud Server. The public cloud, which can obtain CSKctr, the conversion key TKu of all users, and all the ciphertexts, cannot decrypt the ciphertexts. We formalize it with Definition 2 in Appendix B.

User Revocation Validity. In this model, a revoked user, who can obtain his/her secret keys (SKu, TKu, RKu), cannot decrypt files within its formerly authorized access rights. We formalize it with Definition 3 in Appendix B.

3.3 Deployment Architecture

As shown in Fig. 2, WebCloud consists of four functional modules (M1 to M4).

M1. WebCloud Core. This module works in a user's browser and contains a crypto module and a storage module. The crypto module further implements the following submodules.

• CP-AB-KEM1 submodule includes offline and online encryption, i.e., algorithms Enc.Offline and Enc.Online. Meanwhile, the submodule implements LSSS and a converter from an access policy string to an access structure. The converter can convert an access policy string, e.g., "(Employee and IT department) or Manager", to an access structure (M, ρ). To the best of our knowledge, it is the first time that LSSS and the converter are implemented in a JavaScript environment. This submodule takes advantage of WebAssembly by adopting MCL-WASM [49].

• Utilization submodule packs some useful routines, e.g., encrypting users' retrieval key RKu, deriving an AES key using PBKDF2, AES encryption and decryption, etc. These routines invoke the Web Cryptography API.

• MFAKE submodule helps to establish a secure channel for retrieval key distribution. We implement the MFAKE protocol proposed in [43].

The storage module implements a cache storage layer in IndexedDB, which allows it to store and obtain users' encrypted retrieval keys RKu. Meanwhile, it also maintains a cache in sessionStorage, which contains intermediate ciphertexts (generated by offline encryption).

M2. WebCloud Storage. This module also works in users' browsers and provides access and query routines for Web storage, which are used by the storage management submodule of M1. It provides storage in browsers for the WebCloud system, including data consumers' retrieval keys in IndexedDB and intermediate ciphertexts in sessionStorage.

M3. Cloud Crypto Module. This module implements cryptographic routines on the server side, and includes the following submodules.

• CP-AB-KEM2 submodule implements the CUS, KUS and DS services in the cloud. It includes the ciphertext initialization and outsourced decryption routines, i.e., algorithms CTInit, CSKUpdate, CTUpdate, and Dec.Out. This submodule relies on MCL-C [49].

• Utility submodule contains useful functionalities, including file processing and logging.

• Serialization submodule converts bytes to the ABE ciphertext CT0 and converts the transformed ciphertext TCT to bytes.

• Revocation submodule maintains the revocation list L. It provides add, delete and query functions on the list L to other submodules.

M4. Key Management. This module works in PKG and contains two modules. The authentication module authenticates users' identities via the multi-factor authenticated key exchange (MFAKE) protocol [43]. The key storage module is responsible for storing users' retrieval keys securely and returning a user's key on receiving an authenticated user's request.
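The policy-string-to-access-structure converter of the CP-AB-KEM1 submodule is described above but not shown. The following is an added JavaScript example, not the WebCloud project's code: it parses a policy such as "(Employee and IT department) or Manager" into an LSSS access structure (M, ρ) and then checks whether an attribute set satisfies it by solving for the reconstruction coefficients, which is exactly the linear algebra a CP-ABE decryptor performs over the authorized rows. Assumptions not stated on the page: the Lewko-Waters boolean-formula-to-LSSS construction is used, "and" binds tighter than "or", attribute names may not contain the standalone words "and"/"or", and the field is Z_p for a small constructed prime p standing in for the pairing group order.

```javascript
// Added example (not from the WebCloud paper or its implementation).
// Policy string -> LSSS access structure (M, rho) -> satisfiability check
// with reconstruction coefficients over a constructed prime field Z_P.

// Parse "and"/"or" (case-insensitive) with parentheses; "and" binds tighter.
function parsePolicy(policy) {
  const toks = policy.split(/(\(|\)|\band\b|\bor\b)/i)
    .map(t => t.trim()).filter(t => t.length > 0);
  let pos = 0;
  const isOp = (t, op) => t !== undefined && t.toLowerCase() === op;
  function parseOr() {
    let node = parseAnd();
    while (isOp(toks[pos], 'or')) { pos++; node = { op: 'or', left: node, right: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parseAtom();
    while (isOp(toks[pos], 'and')) { pos++; node = { op: 'and', left: node, right: parseAtom() }; }
    return node;
  }
  function parseAtom() {
    const t = toks[pos++];
    if (t === undefined) throw new Error('unexpected end of policy');
    if (t === '(') {
      const node = parseOr();
      if (toks[pos++] !== ')') throw new Error('missing ")"');
      return node;
    }
    if (t === ')' || isOp(t, 'and') || isOp(t, 'or')) throw new Error('unexpected token ' + t);
    return { attr: t }; // leaf: an attribute name
  }
  const tree = parseOr();
  if (pos !== toks.length) throw new Error('trailing tokens in policy');
  return tree;
}

// Lewko-Waters construction (assumed): the root gets the vector (1); an OR
// node copies its vector to both children; an AND node gives the left child
// (v || 1) and the right child (0,...,0,-1), growing the vector length by one.
function toLSSS(tree) {
  const rows = [], rho = [];
  let c = 1; // current vector length
  function walk(node, vec) {
    if (node.attr !== undefined) { rows.push(vec); rho.push(node.attr); return; }
    if (node.op === 'or') { walk(node.left, vec.slice()); walk(node.right, vec.slice()); return; }
    const padded = vec.concat(new Array(c - vec.length).fill(0));
    const left = padded.concat([1]);
    const right = new Array(c).fill(0).concat([-1]);
    c += 1;
    walk(node.left, left);
    walk(node.right, right);
  }
  walk(tree, [1]);
  const M = rows.map(r => r.concat(new Array(c - r.length).fill(0))); // pad to c columns
  return { M, rho };
}

const P = 1000003; // constructed small prime, stands in for the group order
const mod = x => ((x % P) + P) % P;
function modInv(a) { // inverse in Z_P by Fermat's little theorem
  let r = 1, b = mod(a), e = P - 2;
  while (e > 0) { if (e & 1) r = (r * b) % P; b = (b * b) % P; e = Math.floor(e / 2); }
  return r;
}

// Returns {rowIndex: omega} with sum_i omega_i * M_i = (1,0,...,0) using only
// rows whose attribute the user holds, or null if the policy is not satisfied.
function reconstructionCoefficients(M, rho, attrs) {
  const idx = rho.map((a, i) => (attrs.includes(a) ? i : -1)).filter(i => i >= 0);
  if (idx.length === 0) return null;
  const n = M[0].length, m = idx.length;
  // One equation per column of M; unknowns are the omegas; last column is the target.
  const A = [];
  for (let j = 0; j < n; j++) A.push(idx.map(i => mod(M[i][j])).concat([j === 0 ? 1 : 0]));
  const pivotCols = [];
  let r = 0;
  for (let col = 0; col < m && r < n; col++) { // Gauss-Jordan elimination mod P
    let piv = -1;
    for (let k = r; k < n; k++) if (A[k][col] !== 0) { piv = k; break; }
    if (piv < 0) continue;
    [A[r], A[piv]] = [A[piv], A[r]];
    const inv = modInv(A[r][col]);
    A[r] = A[r].map(x => mod(x * inv));
    for (let k = 0; k < n; k++) {
      if (k === r || A[k][col] === 0) continue;
      const f = A[k][col];
      A[k] = A[k].map((x, t) => mod(x - f * A[r][t]));
    }
    pivotCols.push(col);
    r++;
  }
  for (let k = r; k < n; k++) if (A[k][m] !== 0) return null; // inconsistent: unsatisfied
  const omega = {};
  idx.forEach(i => { omega[i] = 0; }); // free variables set to zero
  pivotCols.forEach((col, k) => { omega[idx[col]] = A[k][m]; });
  return omega;
}

function satisfies(policy, attrs) {
  const { M, rho } = toLSSS(parsePolicy(policy));
  return reconstructionCoefficients(M, rho, attrs) !== null;
}
```

For the page's example policy, `toLSSS` yields rows (1,1) for Employee, (0,-1) for IT department and (1,0) for Manager; holding only "Employee" leaves no combination of authorized rows summing to (1,0), so `satisfies` returns false, while "Manager" alone or the pair "Employee" plus "IT department" returns true.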

Fig. 2: System Architecture of WebCloud. Public cloud server: M3 Cloud Crypto Module (CP-AB-KEM2, Utility, Serialization, Revocation and Storage Management submodules, built on MCL-C). User/browser: M1 WebCloud Core in JavaScript (Crypto Module with the CP-AB-KEM1, Utilization and MFAKE submodules over MCL-WASM, Web Workers and the Web Cryptography API; Storage Module) and M2 WebCloud Storage (IndexedDB holding each user's encrypted retrieval key, sessionStorage holding intermediate ciphertexts). PKG: M4 Key Management (Authentication Module running MFAKE, Key Storage Module). The figure distinguishes components developed by the authors, existing components and browser components; all communication is over HTTPS.

4 ALGORITHMS IN WEBCLOUD

4.1 Description of Algorithms

We now elaborate the algorithms of WebCloud (cf. Fig. 1). Some acronyms are listed in Table 1.

TABLE 1: Acronyms Used in This Paper

Acronym  Description
PKG      private key generator
KUS      key update service
SS       storage service
PK       public key
SKu      a user's secret key
CSK      cloud secret key
TKu      a user's transformation key
CUS      ciphertext update service
DS       outsourced decryption service
MSK      master secret key
ctr      current time counter
RKu      a user's retrieval key
TCT      transformed ciphertext
IT       intermediate ciphertext

1) System Initialization. PKG runs the algorithm Setup() to generate a public key PK, a master secret key MSK and a cloud secret key CSK1. All the data consumers register themselves with PKG: 1) they run the registration phase of the MFAKE protocol [43], where PKG serves as the registration center; and 2) they state a set of properties to indicate their identities. Then, PKG runs the algorithms KG() and KG.Random() to generate TKu and RKu for each data consumer. Further, PKG generates a certificate Tcloud for the public cloud server, which is used to establish secure communication between the cloud server and users. Finally, PKG distributes PK to all the entities, CSK1 and TKu along with Tcloud to the cloud, and keeps RKu for future distribution.

The above-mentioned algorithms are as follows:

Setup(λ, U). On input a security parameter λ and an attribute universe U, PKG chooses a bilinear map $D = (\mathbb{G}, \mathbb{G}_T, e, p)$, where $p \in \Theta(2^\lambda)$ is the prime order of the groups $\mathbb{G}$ and $\mathbb{G}_T$. The attribute universe U consists of elements in $\mathbb{Z}_p^*$. It chooses random generators $g, h, u, v, w \in \mathbb{G}$ and picks two random elements $\alpha, \beta_1 \in \mathbb{Z}_p^*$. It sets a counter ctr = 1. Finally, PKG outputs: $PK = (D, g, h, u, v, w, e(g,g)^\alpha)$, $MSK = (PK, \alpha)$ and $CSK_1 = (csk_1 = \beta_1, ctr)$.

KG(S, MSK). On input a master secret key MSK and an attribute set $S = (A_1, A_2, \ldots, A_k) \subseteq \mathbb{Z}_p^*$, PKG picks a random element $r \in \mathbb{Z}_p^*$ and computes $K_0 = g^\alpha w^r$, $K_1 = g^r$. For j from 1 to k, it picks random $r_j \in \mathbb{Z}_p^*$ and computes $K_{j,2} = g^{r_j}$, $K_{j,3} = (u^{A_j} h)^{r_j} \cdot v^{-r}$. PKG outputs a secret key $SK_u = (S, K_0, K_1, \{K_{j,2}, K_{j,3}\}_{j \in [1,k]})$.

KG.Random(PK, SKu). On input a public key PK and a secret key SKu, PKG picks a random element $\tau \in \mathbb{Z}_p^*$, then computes $K'_0 = (K_0)^{1/\tau}$, $K'_1 = (K_1)^{1/\tau}$. For j = 1 to k, it computes $K'_{j,2} = (K_{j,2})^{1/\tau}$, $K'_{j,3} = (K_{j,3})^{1/\tau}$. PKG outputs: $RK_u = \tau$, $TK_u = (S, K'_0, K'_1, \{K'_{j,2}, K'_{j,3}\}_{j \in [1,k]})$.

Fig. 3: Key Management of WebCloud. (Figure: in the data consumer's browser, the user master password is hashed with PBKDF2 (100,000 rounds) into an AES key; the encrypted RKu stored in IndexedDB is decrypted with AES-128 into RKu held in browser memory; alternatively RKu is obtained from PKG over MFAKE.)

2) Key Management. To decrypt data in browsers, data consumers obtain their retrieval keys from PKG as shown in Fig. 3. To this end, the login-authentication phase of the MFAKE protocol [43] is run between a user's browser and PKG to establish a secure communication channel. The consumer's retrieval key RKu is transmitted to the browser through the secure channel and later used in the browser's memory. If the user remains idle for a specified period of time (e.g., 30 minutes), RKu is automatically erased from memory, and later use of RKu requires running the MFAKE protocol again.

The login-authentication phase of [43] requires a user to enter a few authentication factors, which may cause poor usability. For ease of use, another option is provided. We derive a 128-bit AES key with PBKDF2 from a user master password. RKu is then encrypted with AES and stored locally in IndexedDB. When necessary, the consumer is required to provide the user master password (with a salt if necessary) to decrypt the locally encrypted RKu. Following the NIST standard [50], we require that the user master password satisfy three requirements: 1) at least 8 characters in length as a memorized secret, 2) not appearing in known dictionaries, and 3) being updated periodically. We remark that, in this manner, the usage of a password does not lead to the low level of security of existing password-based solutions. The analysis is postponed to Section 5.1.

Fig. 4: Data Encryption Procedure of WebCloud. (Figure: in the data owner's browser, offline encryption in a Web Worker produces intermediate ciphertexts IT; given an access policy string and a file, online encryption (including ABE and AES) produces CT0 and the AES ciphertext; the public cloud server performs ciphertext initialization and stores CTctr and the AES ciphertext in cloud storage.)

3) Data Encryption. To improve performance, the data encryption procedure is divided into three parts as depicted in Fig. 4. The encryption is in the KEM/DEM setting.

Offline encryption in browser (before an access policy is known): This algorithm processes almost all the costly operations in the encryption algorithm of CP-AB-KEM. On opening the WebCloud website, a Web worker (cf. Section 2.1) is created in the background. During idle time, the worker runs the algorithm Enc.Offline() to generate a few intermediate ciphertexts IT and keys Key. Idle time is defined as: a) no online encryption part is running, b) no user decryption part is running, and c) no AES encryption or decryption is running. We store (IT, Key) in sessionStorage, which is erased automatically by browsers after the Web page is closed.

Online encryption in browser (after an access policy string and a file are given): The data owner uploads a file and specifies an access policy string, e.g., "(Employee and IT department) or Manager". Note that the policy string is a flexible logic expression, which supports "and", "or" and "()" operations. The policy string is converted to an access structure (M, ρ). Meanwhile, a pair (IT, Key) is obtained from sessionStorage. On input the access policy (M, ρ) and the intermediate ciphertext IT, the algorithm Enc.Online() generates the ABE ciphertext CT0. The input file is encrypted with AES, using a 128-bit key derived from Key and a random initialization vector (IV). All necessary data, including the ABE ciphertext CT0 and the AES ciphertext, are packed together to form a new file before uploading to the cloud server.

Ciphertext initialization in cloud: On receiving the uploaded file, the cloud parses the ABE ciphertext CT0 from the file. It processes CT0 into CTctr by calling the algorithm CTInit() and replaces CT0 with CTctr in the file. Finally, the updated file is stored in the cloud.

The above-mentioned algorithms are as follows:

Enc.Offline(PK, N′). On input a PK and a maximum bound N′ on the number of rows in any LSSS access structure, the Web worker in the data owner's browser picks 3N′ + 1 random elements $s, \{\lambda'_i, x_i, t_i\}_{i \in [1,N']} \in \mathbb{Z}_p^*$, and computes $Key = e(g,g)^{\alpha s}$, $C_0 = g^s$. For i = 1 to N′, it then computes $C_{i,1} = w^{\lambda'_i} v^{t_i}$, $C_{i,2} = (u^{x_i} h)^{-t_i}$, $C_{i,3} = g^{t_i}$. The Web worker outputs: $IT = (s, Key, C_0, \{\lambda'_i, x_i, t_i, C_{i,1}, C_{i,2}, C_{i,3}\}_{i \in [1,N']})$.

Enc.Online(PK, (M, ρ), IT). On input a public key PK, an LSSS access structure (M, ρ) [51], where M is an l×n matrix, and an intermediate ciphertext IT, the data owner's browser picks n − 1 random elements $(y_2, \ldots, y_n) \in \mathbb{Z}_p^*$ and constructs a vector $\vec{y} = (s, y_2, \ldots, y_n)^T$. It then computes the vector of shares of s as $(\lambda_1, \ldots, \lambda_l)^T = M\vec{y}$. For i = 1 to l, it computes $C_{i,4} = \lambda_i - \lambda'_i$, $C_{i,5} = t_i (x_i - \rho(i))$. The browser outputs: $CT_0 = ((M, \rho), C_0, \{C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}, C_{i,5}\}_{i \in [1,l]})$.

CTInit(CT0, CSKctr). On input a ciphertext CT0 and a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$, the public cloud computes $C'_0 = C_0^{1/csk_{ctr}}$. For i = 1 to l, it computes $C'_{i,1} = C_{i,1}^{1/csk_{ctr}}$, $C'_{i,2} = C_{i,2}^{1/csk_{ctr}}$, $C'_{i,3} = C_{i,3}^{1/csk_{ctr}}$, $C'_{i,4} = C_{i,4}/csk_{ctr}$, $C'_{i,5} = C_{i,5}/csk_{ctr}$. The cloud outputs: $CT_{ctr} = ((M, \rho), C'_0, \{C'_{i,1}, C'_{i,2}, C'_{i,3}, C'_{i,4}, C'_{i,5}\}_{i \in [1,l]})$.

Fig. 5: Data Decryption Procedure of WebCloud. (Figure: the public cloud server checks user validity against the revocation list, fetches CTctr and the AES ciphertext from cloud storage and performs outsourced decryption to obtain TCT; the data consumer's browser performs user decryption (including ABE and AES) with RKu to recover the file.)

4) Data Decryption. As depicted in Fig. 5, file decryption is divided into two parts, where the cloud server performs almost all of the heavy computation.

Outsourced decryption in cloud: On receiving a file download request, the cloud server checks whether the user has been revoked. If revoked, the cloud rejects the request. Otherwise, it finds the requested file in the cloud storage, parses CTctr from the file and transforms CTctr into TCT by calling the algorithm Dec.Out(). The cloud packs TCT and the AES ciphertext as a new file and returns the new file as the response to the request.

User decryption in browser: On the browser side, TCT is parsed from the response. If the retrieval key RKu already exists in the browser memory, the key is used directly. Otherwise, the retrieval key RKu is obtained as in 2) Key Management. The algorithm Dec.User() is invoked to decrypt TCT and obtain the encapsulated key Key. We derive the same AES key as in the encryption procedure. Finally, we decrypt the file with AES.

The above-mentioned algorithms are as follows:

Dec.Out(PK, CSKctr, TKu, CTctr). On input a public key PK, a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$, a conversion key $TK_u = (S, K'_0, K'_1, \{K'_{i,2}, K'_{i,3}\}_{i \in [1,k]})$ for an attribute set S and a ciphertext CTctr for an access structure (M, ρ), if S does not satisfy the access structure, the cloud server outputs ⊥. Otherwise, it calculates the set $I = \{i : \rho(i) \in S\}$ and computes constants $\{\omega_i \in \mathbb{Z}_p\}_{i \in I}$ such that $\sum_{i \in I} \omega_i \cdot M_i = (1, 0, \ldots, 0)$, where $M_i$ is the i-th row of the matrix M. It then computes:

$$B = e\Big(w^{\sum_{i \in I} C'_{i,4}\,\omega_i},\, K'_1\Big) \cdot \prod_{i \in I} e(C'_{i,1}, K'_1)^{\omega_i} \cdot \prod_{i \in I} \Big(e\big(C'_{i,2} \cdot u^{C'_{i,5}},\, K'_{j,2}\big) \cdot e\big(C'_{i,3},\, K'_{j,3}\big)\Big)^{\omega_i}$$

The cloud outputs $TCT = \big(e(C'_0, K'_0)/B\big)^{csk_{ctr}} = e(g,g)^{\alpha s/\tau}$.

Dec.User(TCT, RKu). On input a TCT and a retrieval key $RK_u = \tau$, the data consumer's browser outputs the encapsulated key $Key = TCT^{RK_u} = e(g,g)^{\alpha s}$.

Fig. 6: Cloud Secret Key Update Procedure of WebCloud. (Figure: the public cloud server updates CSK1 → CSK2 → … → CSKctr → CSKctr′ using the increment ∆ctr′, and correspondingly updates the stored ciphertexts CTctr to CTctr′ in cloud storage while the AES ciphertexts are unchanged.)

5) Cloud Secret Key Update. The cloud secret key CSK is of great importance to the revocation mechanism. If CSK leaks, the user revocation functionality is in vain. Therefore,
we update CSK periodically or in emergency situations (e.g., when CSK is leaked or stolen).

Cloud Secret Key Update: This procedure is depicted in Fig. 6. Assume the current cloud secret key is CSKctr. When CSKctr is required to be updated, the public cloud server invokes the algorithm CSKUpdate() to generate a new key CSKctr′ and an increment ∆ctr′. The cloud then updates all stored ABE ciphertexts CTctr to CTctr′ by calling the algorithm CTUpdate(). Once all ciphertexts have been updated, the cloud sets the current secret key to CSKctr′, and deletes CSKctr and all old ABE ciphertexts CTctr from its storage.

The above-mentioned algorithms are as follows:

CSKUpdate(PK, CSKctr). On input a public key PK and a cloud secret key $CSK_{ctr} = (csk_{ctr}, ctr)$ where $ctr \in \{1, 2, \ldots\}$, the cloud server updates the counter $ctr' = ctr + 1$, picks a random element $\beta_{ctr'} \in \mathbb{Z}_p^*$ and computes $csk_{ctr'} = csk_{ctr} \cdot \beta_{ctr'} = \prod_{i=1}^{ctr'} \beta_i$. The cloud outputs the updated cloud secret key $CSK_{ctr'} = (csk_{ctr'}, ctr')$ and the increment $\Delta_{ctr'} = \beta_{ctr'}$.

CTUpdate(ctr′, CTctr′−1, ∆ctr′). On input an updated counter $ctr' \in \{2, 3, \ldots\}$, a ciphertext $CT_{ctr'-1} = ((M, \rho), C_0, \{C_{i,1}, C_{i,2}, C_{i,3}, C_{i,4}, C_{i,5}\}_{i \in [1,l]})$ and an increment $\Delta_{ctr'} = \beta_{ctr'}$, the cloud server computes $C'_0 = C_0^{1/\beta_{ctr'}}$. For i = 1 to l, the cloud computes $C'_{i,1} = C_{i,1}^{1/\beta_{ctr'}}$, $C'_{i,2} = C_{i,2}^{1/\beta_{ctr'}}$, $C'_{i,3} = C_{i,3}^{1/\beta_{ctr'}}$, $C'_{i,4} = C_{i,4}/\beta_{ctr'}$, $C'_{i,5} = C_{i,5}/\beta_{ctr'}$. It outputs: $CT_{ctr'} = ((M, \rho), C'_0, \{C'_{i,1}, C'_{i,2}, C'_{i,3}, C'_{i,4}, C'_{i,5}\}_{i \in [1,l]})$.

6) Key and User Revocation. WebCloud supports both key and user revocation, but does not support attribute revocation. To revoke a user key, PKG runs KG(S, MSK) to generate a new secret key SK′u and KG.Random(PK, SK′u) to obtain RK′u and TK′u. PKG replaces RKu with RK′u and distributes TK′u to the public cloud, which deletes the previous transformation key TKu directly. The key revocation takes effect immediately after the cloud updates its transformation key.

To revoke a user from the system, PKG sends a revocation request to the public cloud server to revoke a data consumer, and the cloud inserts an entry into the revocation list L by calling the algorithm Revoke(). The revocation takes effect immediately after the insertion. On receiving a user's file download request, the cloud compares the user identity u against the list L and rejects the request if a match is found. Without the help of the cloud, data consumers cannot decrypt files on their own. The size of the list L equals the number of revoked users in the system. Many efficient algorithms exist for finding an element in an (ordered) list, e.g., binary search or a hash table.

The above-mentioned algorithms are as follows:

Revoke(u, L). On input a user identity u and a revocation list $L = \{(id)\}$, where id is a user identity, the cloud server adds an entry (u) to the list L, i.e., $L' = L \cup \{(u)\}$.

4.2 A Tailored CP-AB-KEM for WebCloud

Ciphertext-policy attribute-based key encapsulation mechanism (CP-AB-KEM) is an important component of WebCloud (Section 4.1). It simultaneously achieves offline encryption and outsourced decryption, and robust and immediate user revocation, while only a small number of computations are left to the user. The proposed CP-AB-KEM derives from the offline encryption and outsourced decryption techniques in [19], [20], [52], and combines them with the immediate user revocation mechanism in [53]. For completeness, we give the syntax in Appendix A and elaborate the scheme in the supplementary material. We emphasize that this CP-AB-KEM is useful in many scenarios.

Correctness: We require the standard correctness property: for an attribute universe U, a user identity u and $\lambda, N, N' \in \mathbb{N}$, for all $(PK, MSK, CSK_1) \in Setup(\lambda, U)$, all $SK_u \in KG(S, MSK)$, all $(RK_u, TK_u) \in KG.Random(SK_u)$, all $IT \in Enc.Offline(PK, N')$, all $CT_0 \in Enc.Online(PK, (M, \rho), IT)$, all $CT_{ctr} \in CTInit(CT_0, CSK_{ctr})$, all $(CSK_{ctr'}, \Delta_{ctr'}) \in CSKUpdate(PK, CSK_{ctr})$, all $CT_{ctr'} \in CTUpdate(ctr', CT_{ctr'-1}, \Delta_{ctr'})$, all $TCT \in Dec.Out(PK, CSK_{ctr}, TK_u, CT_{ctr})$, if S satisfies (M, ρ) and the user u was not revoked, Dec.User(TCT, RKu) outputs the encapsulated Key.

Security: The security proof of the proposed CP-AB-KEM scheme is given in Appendices B and C.

4.3 Security Enhancement of PKG

In the WebCloud system, all users' secret keys are derived from the master secret key MSK, which is stored in the trusted PKG. In reality, a single point of failure, e.g., loss of MSK, will immediately lead to system failure. It is of great importance to provide simple mechanisms to enhance the security of MSK and the system.

An effective way is secret sharing, i.e., splitting MSK into multiple pieces. Without loss of generality, we consider a (t, n) threshold scheme.

As shown in Fig. 7, there are 1 root PKG, n child PKGi (1 ≤ i ≤ n) and a combiner PKGc. PKG is responsible for generating PK, MSK and n shares of α, and distributes the i-th share MSKi to PKGi. When generating a user's secret key SKu, PKGi generates a partial secret key SKu,i using its share. The combiner PKGc combines any t partial keys into SKu, and invokes KG.Random to obtain TKu and RKu.

Fig. 7: Secret Sharing of Master Secret Key. (Figure: the root PKG distributes MSKi (1 ≤ i ≤ n) to the child PKGi; the child PKGs send partial keys SKu,i1, …, SKu,it to the combiner PKGc, which sends TKu to the cloud and RKu to the user.)
† The root PKG exits the system after setup. Any t child PKGi, the combiner PKGc, the cloud and optionally the user, should stay online.

Note that we only change the system setup and user secret key generation phases. Other phases are processed as in Section 4.1. After the setup phase, the root PKG is removed from the system. To make the system work, any t out of n child PKGi and also the combiner PKGc should stay online. This makes the combiner PKGc an attractive attack target. In Section 5.1, we show that compromise of PKGc does not reveal MSK. However, user secret keys generated after the compromise may be leaked. PKGc or more than n − t child PKGi going offline will affect the usability, but not the security
of the system, i.e., the user secret key generation service will be temporarily unavailable.

In this work, we use Shamir's Secret Sharing [54]. Let $\ell_i(x)$ denote the Lagrange polynomial $\ell_i(x) = \prod_{m=1,\, m \neq i}^{t} \frac{x - x_m}{x_i - x_m}$. The following algorithms are defined:

Setup′(λ, U). On input a security parameter λ and an attribute universe U, PKG performs the following actions:

1) Chooses a bilinear map $D = (\mathbb{G}, \mathbb{G}_T, e, p)$, where $p \in \Theta(2^\lambda)$ is the prime order of the groups $\mathbb{G}$ and $\mathbb{G}_T$. The attribute universe U consists of elements in $\mathbb{Z}_p^*$.
2) Chooses random generators $g, h, u, v, w \in \mathbb{G}$ and picks two random elements $\alpha, \beta_1 \in \mathbb{Z}_p^*$.
3) Determines the parameters n (number of child PKGs) and t (minimal number of PKGs needed to construct a user secret key).
4) Selects t − 1 random elements $a_1, \ldots, a_{t-1}$ from $\mathbb{Z}_p^*$ and constructs $f(x) = \alpha + a_1 x + \cdots + a_{t-1} x^{t-1}$. It then generates n random points $(x_i, y_i)$ ($i \in \{1, \ldots, n\}$), where $x_i$ is randomly selected from $\mathbb{Z}_p^*$ and $y_i = f(x_i)$.
5) Erases α and also the polynomial f(x) completely.
6) Sets a counter ctr = 1. Finally, PKG outputs $PK = (D, g, h, u, v, w, e(g,g)^\alpha)$, n partial master secret keys $MSK_i = (x_i, y_i)$ and $CSK_1 = (csk_1 = \beta_1, ctr)$.

KG′(S, MSKi). On input an attribute set $S = (A_1, \ldots, A_k)$ and a point $MSK_i = (x_i, y_i)$, PKGi picks a random element $r_i \in \mathbb{Z}_p^*$ and computes $K_{i,0} = g^{y_i} w^{r_i}$, $K_{i,1} = g^{r_i}$. For j from 1 to k, it picks random $r_{i,j} \in \mathbb{Z}_p^*$ and computes $K_{i,j,2} = g^{r_{i,j}}$, $K_{i,j,3} = (u^{A_j} h)^{r_{i,j}} \cdot v^{-r_i}$. PKGi outputs a partial secret key $SK_{u,i} = (S, x_i, K_{i,0}, K_{i,1}, \{K_{i,j,2}, K_{i,j,3}\}_{j \in [1,k]})$.

Combine(SKu,i1, …, SKu,it). On input t partial user secret keys $SK_{u,i_m}$, where $m \in [1, t]$, $i_m \in [1, n]$ and all $i_m$ are different, the combiner PKGc first computes the t quantities $\ell_{i_m}(0)$. Let $r = \sum_{m=1}^{t} r_{i_m} \cdot \ell_{i_m}(0)$ and $r_j = \sum_{m=1}^{t} r_{i_m,j} \cdot \ell_{i_m}(0)$. It then computes $K_0 = \prod_{m=1}^{t} (K_{i_m,0})^{\ell_{i_m}(0)} = g^\alpha \cdot w^r$ and $K_1 = \prod_{m=1}^{t} (K_{i_m,1})^{\ell_{i_m}(0)} = g^r$. For j from 1 to k, it computes $K_{j,2} = \prod_{m=1}^{t} (K_{i_m,j,2})^{\ell_{i_m}(0)} = g^{r_j}$ and $K_{j,3} = \prod_{m=1}^{t} (K_{i_m,j,3})^{\ell_{i_m}(0)} = (u^{A_j} h)^{r_j} \cdot v^{-r}$. The user secret key is $SK_u = (S, K_0, K_1, \{K_{j,2}, K_{j,3}\}_{j \in [1,k]})$. The combiner invokes KG.Random(PK, SKu) to generate RKu and TKu.

5 ANALYSIS OF WEBCLOUD

5.1 Security Analysis

In this section, we analyze WebCloud in the security models defined in Section 3.2.

Passive Man-in-the-Middle. In this attack model, the attacker observes all network traffic, thus he may be able to find out the access policy of each file and notice that a data consumer is uploading or downloading files. But due to the IND-CPA property of the encryption schemes used (CP-AB-KEM and AES-GCM/AES-CBC), the adversary cannot learn the content of encrypted files.

Web Attacker Model. It is typically impossible to prove the security of a complex Web application in the Web attacker model; even Google's websites suffer from vulnerabilities under this attacker model. However, in WebCloud, the main attack target would be the cryptographic keys. We highlight the protection mechanisms of keys in WebCloud:

Security of the Master Secret Key. We discuss the security of the secret sharing in Section 4.3. PKG invokes the algorithm Setup′ to generate and distribute shares of α. After that, the quantity α, all n points and the polynomial f(x) are erased completely. In the Combine algorithm, the combiner takes t partial user secret keys, where each key contains a share. Note that each share is given in the form $(x_i, g^{y_i} w^{r_i})$ and the Lagrange polynomials are computed in the exponent. Since the $r_i$ are randomly selected by PKGi, $g^{y_i} w^{r_i}$ is indistinguishable from a random group element. The finally computed $K_0 = g^\alpha w^r$ is also indistinguishable from a random element. This is actually an ElGamal ciphertext. Thus, the combiner cannot extract α from its inputs. Certainly, t PKGi can collude to construct the polynomial f(x) and obtain α. This can be mitigated by increasing the value of t and letting each PKGi be run by a different company.

Security of retrieval keys. The retrieval key RKu is obtained from PKG after the user is authenticated with the MFAKE protocol [43] and is only used in the browser memory. Meanwhile, if RKu is not used for a period of time (e.g., 30 minutes), it is erased from the memory.

Optionally, RKu can be encrypted with a user master password and stored in IndexedDB. When necessary, i.e., on decrypting files, the user is required to input the user master password to decrypt RKu. Note that our usage of the password is different from the existing password-based solutions mentioned in Section 1, where the password-protected file is transmitted over a public channel and the password cannot be changed once the file is sent, so that an offline brute-force search is possible in that scenario. In WebCloud, we only store the encrypted retrieval keys locally and require the password to be updated periodically, e.g., every 7 days. So, obtaining the ciphertexts should be difficult, and a short update period with the possible usage of a salt will make offline brute-force search attacks useless.

Security of the encapsulated key. During the offline encryption phase, several intermediate ciphertexts IT and encapsulated keys Key are generated. When encrypting a file, an AES key is derived from the encapsulated key Key. If an adversary obtains Key, he can decrypt the file. Thus, we store IT and Key in sessionStorage, which will be erased after the Web page is closed, to avoid them being persistent.

Security of AES keys. The AES algorithm is used many times in WebCloud. The AES keys are derived using the Web Cryptography API with the field extractable set to false, meaning that the keys cannot be obtained by JavaScript code or exported outside of the browser.

Security of the proposed CP-ABE. The security of the proposed CP-ABE is given in Theorem 1 and the security proof is postponed to Appendix B.

Theorem 1. The proposed ciphertext-policy attribute-based encryption mechanism can achieve Data Security Against User Collusion in Definition 1, Data Security Against Cloud Server in Definition 2, and User Revocation Validity in Definition 3, if the CP-ABE scheme in [55] is selective Chosen Plaintext Attack (CPA)-secure.

5.2 Features Analysis

We highlight a few nice properties of WebCloud.
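The following is an added worked example, not code from the WebCloud project, of the threshold key generation of Section 4.3 (Setup′, KG′, Combine) and of the "Security of the Master Secret Key" argument above: the shares of α are interpolated in the exponent, so the combiner obtains $K_0 = g^\alpha w^r$ and $K_1 = g^r$ without ever seeing α, and t − 1 partial keys do not suffice. It assumes a constructed toy prime-order subgroup of $\mathbb{Z}_q^*$ (safe prime q = 2039, p = 1019) in place of the pairing group $\mathbb{G}$, models only the $K_0$, $K_1$ components, and the names setup_prime, kg_prime, combine and demo are this example's own.

```python
import random

# Constructed toy parameters: q = 2p + 1 is a safe prime, so the squares modulo q
# form a subgroup of prime order p. A real deployment uses the pairing group G from
# Setup'; only the exponent arithmetic matters for the threshold argument.
Q = 2039
P = (Q - 1) // 2


def _is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))


assert _is_prime(Q) and _is_prime(P)


def group_element(seed):
    """Square a non-trivial residue to land in the order-p subgroup (stand-in for g, w)."""
    x = pow(seed % Q, 2, Q)
    assert x not in (0, 1)
    return x


def setup_prime(alpha, t, n, rng):
    """Setup' step 4: f(x) = alpha + a_1 x + ... + a_{t-1} x^{t-1} over Z_p, and n points
    MSK_i = (x_i, f(x_i)). After this the root PKG erases alpha and f (step 5)."""
    coeffs = [alpha % P] + [rng.randrange(1, P) for _ in range(t - 1)]
    xs = rng.sample(range(1, P), n)  # distinct, non-zero x_i
    return [(x, sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P) for x in xs]


def lagrange_at_zero(xs):
    """l_i(0) = prod_{m != i} (0 - x_m) / (x_i - x_m) mod p, one coefficient per share."""
    out = []
    for i, xi in enumerate(xs):
        num = den = 1
        for m, xm in enumerate(xs):
            if m != i:
                num = num * (-xm) % P
                den = den * (xi - xm) % P
        out.append(num * pow(den, -1, P) % P)
    return out


def kg_prime(msk_i, g, w, rng):
    """KG' (K_0/K_1 part): PKG_i returns (x_i, K_{i,0} = g^{y_i} w^{r_i}, K_{i,1} = g^{r_i}).
    r_i is returned separately only so the demo can check the result; PKG_i keeps it."""
    xi, yi = msk_i
    ri = rng.randrange(1, P)
    return (xi, pow(g, yi, Q) * pow(w, ri, Q) % Q, pow(g, ri, Q)), ri


def combine(partials):
    """Combine: K_0 = prod K_{i_m,0}^{l_{i_m}(0)}, K_1 = prod K_{i_m,1}^{l_{i_m}(0)}.
    The combiner only exponentiates blinded group elements; it never sees alpha or any y_i."""
    ls = lagrange_at_zero([x for x, _, _ in partials])
    k0 = k1 = 1
    for (_, c0, c1), l in zip(partials, ls):
        k0 = k0 * pow(c0, l, Q) % Q
        k1 = k1 * pow(c1, l, Q) % Q
    return k0, k1


def expected_key(alpha, g, w, idx, partials, rs):
    """g^alpha * w^r and g^r with r = sum r_{i_m} l_{i_m}(0): what Combine should produce."""
    ls = lagrange_at_zero([partials[i][0] for i in idx])
    r = sum(rs[i] * l for i, l in zip(idx, ls)) % P
    return pow(g, alpha, Q) * pow(w, r, Q) % Q, pow(g, r, Q)


def demo(alpha=321, t=3, n=5, seed=7):
    """Run one (t, n) instance: t partial keys yield g^alpha w^r, t-1 partial keys do not."""
    rng = random.Random(seed)
    g, w = group_element(2), group_element(3)
    shares = setup_prime(alpha, t, n, rng)
    partials, rs = zip(*(kg_prime(s, g, w, rng) for s in shares))

    chosen = sorted(rng.sample(range(n), t))  # any t of the n child PKGs answer
    with_t = combine([partials[i] for i in chosen]) == expected_key(alpha, g, w, chosen, partials, rs)

    # With t-1 points the interpolated polynomial L differs from f by a_{t-1} * prod (x - x_i),
    # which is non-zero at x = 0, so the combiner gets g^{L(0)} w^r instead of g^alpha w^r.
    short = chosen[: t - 1]
    with_t_minus_1 = combine([partials[i] for i in short]) == expected_key(alpha, g, w, short, partials, rs)
    return {"t_shares_ok": with_t, "t_minus_1_shares_ok": with_t_minus_1}


if __name__ == "__main__":
    print(demo())  # {'t_shares_ok': True, 't_minus_1_shares_ok': False}
```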
TABLE 2: Comparison of WebCloud with Related Works.

Scheme                    Security Level  Cross-Platform  Revocation Mechanism  Revocation Immediate  File Sharing  Performance (Single Receiver)  Performance (N Receivers)
Password-Based solutions  Low             ×               ×                     ×                     Inflexible    Fast                           Depends on N
RSA-AES paradigm          High            ×               CRL, OCSP             ×                     Inflexible    Fast                           Depends on N
Ours                      High            √               Server-Aided          √                     Flexible      Fast                           Fast

Data Privacy. In WebCloud, all files are encrypted and decrypted locally, i.e., in browsers. The cloud only sees ciphertext and deals only with ciphertext.

Flexible File Sharing. By assigning an access policy to each file, an encrypted file can be decrypted by multiple data consumers as long as their attributes satisfy the access policy. The user encrypts a file only once and the cloud stores only one copy of each encrypted file. In a corporate scenario, an employee can share a file with all managers of the sales department by setting the access policy to "Sales Department and Manager", without the need to find out who the concrete receivers are or their public keys, as in the password-based solutions and the RSA-AES paradigm. If a new employee is hired, he/she can immediately decrypt all the ciphertexts that match his/her attributes. In existing schemes, manual encryption and sharing to the new employee are required.

User and Key Revocation. The revocation mechanism is efficient and immediately effective. The cloud server revokes a data consumer by adding the consumer to the revocation list L. On receiving a consumer's download request, the cloud checks the list L and rejects revoked consumers' requests. Key revocation is achieved by requiring PKG to regenerate a new SKu and the related (RKu, TKu), and to distribute RKu to the user and TKu to the cloud server.

Usability and Efficiency. WebCloud only requires a Web user agent and does not require any additional software, Java applet or browser plugin. WebCloud is fully optimized in two aspects: a) the proposed CP-AB-KEM scheme is very suitable for browser-side cryptography, since it moves almost all costly computations offline or outsources them, and b) the implementation fully utilizes the power of modern Web techniques, including WebAssembly, the Web Cryptography API, Web Workers and Web storage. The functionalities and performance are tested in major browsers on different devices, including both laptops and mobiles (cf. Section 6.2).

Cloud Server Key-Exposure Resistance. The cloud secret key CSK is important to the revocation mechanism. If CSK leaks, the revocation functionality is useless. Thus, WebCloud introduces a key-exposure resistance property for CSK. Concretely, the cloud updates CSK periodically (or when the key is leaked). Meanwhile, it updates all stored ABE ciphertexts and deletes the old ciphertexts when CSK is updated.

5.3 Comparisons with Related Work

We compare WebCloud with existing client-side cloud data protection solutions in terms of security, usability, revocation, and performance (cf. Table 2). The comparison of the proposed CP-ABE scheme with other CP-ABE schemes is given in Section 6.

Comparing with existing solutions, WebCloud has two main innovations:
1) We propose and adopt a dedicated CP-AB-KEM scheme as the encryption algorithm. This provides WebCloud with high-level security and flexible file sharing.
2) We use the Web context as the encryption environment. This provides WebCloud with cross-platform support.
This provides many practical advantages for WebCloud.

Security. The security of password-based solutions relies on low-entropy passwords, thus the security level is typically low, i.e., tens of bits [10]. In contrast, the security of the RSA-AES paradigm and WebCloud is based on cryptographic keys. When adopting appropriate parameters and key lengths, i.e., RSA-3072 and AES-128, the security level achieves at least 128 bits. In the above analysis, we assume the adopted cryptographic primitives are provably secure.

Usability. Both the existing client-side encryption solutions and WebCloud allow users to encrypt and decrypt on their devices. However, the above-mentioned client-side solutions require additional software or browser plugins for each operating system and browser. In contrast, WebCloud doesn't require any additional software or plugins. It effectively combines state-of-the-art Web techniques, including the Web Cryptography API and WebAssembly, and thus can be accessed in any Web context, e.g., Web browsers on desktop computers and mobile phones, WebView in Android applications, and native applications using the Electron framework. Usually, Web browsers are installed by default on today's devices.

Revocation. Password-based encryption schemes have no user management or revocation mechanisms. Relying on PKI, the RSA-AES paradigm can adopt Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP) to achieve certificate revocation, i.e., user revocation. WebCloud adopts a server-aided revocation mechanism, which supports both user and key revocation. The time required for the revocation to take effect depends on the response of the cloud server, which should take effect immediately in most cases.

File Sharing. Password-based solutions have no file sharing or access control mechanisms. Users need to manually share the data with all receivers. For the RSA-AES paradigm, the sender must collect all receivers' public keys and encrypt under those keys, resulting in large storage space and increased workload. Leveraging CP-ABE, WebCloud can encrypt a file under a possibly complicated access policy of receivers. Even a future-joined user can decrypt the ciphertexts without any interaction with or workload for the data sender.

Most research on ABE has focused on theoretical aspects, including proposing new constructions, reducing the computation complexity, etc. In this work, we aim at proposing a practical cloud storage solution and implementing
TABLE 3: Theoretical Comparison of the Proposed CP-AB-KEM Scheme.

Scheme  Enc.Online   Dec.User                  Transfer Size (KG)           Transfer Size (Enc)    Transfer Size (Dec)         Revocable
[55]    (5l+2)Exp    (|I|)Exp + (3|I|+1)P      0                            0                      |A| + (3l+1)|G| + 1|GT|     ×
[20]    0            (|I|+1)Exp + (3|I|+2)P    0                            0                      |A| + (3l+1)|G| + 2l|Zp|    ×
[52]    3Exp         3Exp                      0                            (3+3l)|G| + 3l|Zp|     |A| + 1|G| + 1|GT|          ×
[21]    1Exp         1Exp                      2((2+2y)|G| + (2+2y)|Zp|)    (4+6l)|G| + 4l|Zp|     |A| + 1|GT|                 ×
Ours    0            1Exp                      0                            0                      |A| + 1|GT|                 √

‡ Exp and P denote a modular exponentiation and a pairing computation, respectively. y, l and I indicate the number of attributes, the access policy size, and the set that satisfies the decryption requirement, respectively. |A|, |G| and |GT| denote the size of an access structure, of an element in G and of an element in GT, respectively.

a prototype to prove the effectiveness of the solution. We believe that after some serious engineering work, the solution and the prototype can be turned into a real application. Therefore, we require that the underlying CP-ABE is secure and efficient, and supports user revocation. For this reason, we combine state-of-the-art techniques to obtain a custom scheme, which has a few attractive properties, including offline encryption, outsourced decryption, and user (and key) revocation.

Performance. The existing solutions and WebCloud have fast encryption and decryption speeds when encrypting to a single receiver. Password-based solutions are fast and only perform a key derivation function and symmetric encryption. The RSA-AES paradigm includes RSA encryption and AES encryption. However, when encrypting to a set of users, the workload is proportional to the number of receivers. In WebCloud, encryption (Enc.Online()) and decryption (Dec.User()) are fast even under hundreds of attributes (tens of milliseconds, cf. Section 6.2), and are independent of the number of receivers.

6 EVALUATIONS

In this section, we evaluate the performance of WebCloud.

6.1 Theoretical Analysis for CP-AB-KEM

As a core component of WebCloud, the operation of CP-AB-KEM is the most resource-consuming part of WebCloud. Here we evaluate its complexity and make comparisons with similar schemes.

The online computation cost of the PKG, the data owner and the data consumer refers to the execution time of KG.Online, Enc.Online and Dec.User. Table 3 compares the numbers of modular exponentiations and pairing operations in our construction with those in an efficient ABE scheme [55], online/offline ABE [20] and the outsourced ABE schemes [52], [21].

Our scheme is the first to achieve offline encryption, outsourced decryption and user revocation simultaneously. The PKG and the users only need to perform a small number of online computations, which greatly improves the overall performance. During encryption, the online computation for users needs no exponentiations, which is less than [55], [52], [21]. The work [20] also does not need modular exponentiations for encryption, but has a large computational cost in decryption. During decryption, the computation is only 1 exponentiation, which is less than [55], [20], [52] and equal to [21]. Compared with the above schemes, our scheme has a considerable advantage in efficiency.

6.2 Performance of WebCloud

General Remarks. WebCloud has no specific requirement for the underlying cloud storage system. It can be applied to all cloud storage systems. We implement WebCloud based on ownCloud (version 10.0.10), which is an open source cloud collaboration platform. We carefully reviewed the code of ownCloud regarding its PHP framework, file processing, user management and debugging method. Meanwhile, we also investigated a few third-party open source projects used in ownCloud, mainly the jQuery file upload plugin [56] and the sabre/dav framework [57].

We extended ownCloud in a few ways: We implement a C++ module and a JavaScript module. The C++ code is compiled by clang on macOS or g++ on Ubuntu with flags "-O3". The Web server is Apache 2.4.37 with MySql 8.0.13 and PHP 7.2.13. The C++ module is embedded into both the server side (as a PHP module) and the browser side (as a WebAssembly module). The WebAssembly code is compiled by emcc with flags "-s WASM=1 -O3". Further, we modify the user interface and the file upload and download process of ownCloud. As a Web application, WebCloud gives visual feedback to users according to the actual running stage of encryption and decryption. Furthermore, we pack WebCloud into desktop applications with the Electron framework [58]. The packed software supports Mac, Windows and Linux. We also implement WebCloud in Android applications using the WebView component.

Benchmarks. We evaluate the performance of WebCloud on various devices and platforms. Following the standard testing requirements, we turned off hardware-related options, such as Turbo Boost and hyperthreading. Table 4 lists detailed information on the devices used.

Benchmark of WebCloud: The complexity of the access policy affects the computational and communication cost. Thus, we generate access policies in the form of (S1 and … and Sy) to simulate the worst situation, where Si is an attribute. We set 10 distinct access policies in this form with y increasing from 10 to 100, repeat each instance 100 times and take the average running time. Each instance is generated randomly. All presented times are in milliseconds (ms).

Fig. 8 presents the benchmark results of WebCloud. Fig. 8(a) presents the running time of Enc.Offline in browsers. Though the algorithm Enc.Offline is executed offline, its performance is also efficient in most browsers. For laptop browsers, the running time is about 41∼632 ms. For mobile browsers, the running time is about 65∼2,661 ms. Actually, except for Chrome on Huawei Honor 10, the other mobile browsers have running times within 600 ms. Fig. 8(b) presents the running time of Enc.Online in browsers. For laptop browsers, the run-
IEEE Transactions on Dependable and Secure Computing,Volume:19,Issue:3,Issue Date:01.May-June.2022
12

TABLE 4: Devices and Platforms in Our Experiments.

Client Device (64-bit) Browser


1 Macbook Pro Intel Core [email protected] GHz 4-core Safari/605.1.15, Google Chrome 71.0.3578.98 and Firefox 64.0
2 Dell Intel Core [email protected] GHz 4-core Microsoft EdgeHTML 17.17134
3 iPhone 6s Plus [email protected] GHz 2-core Safari/604.1, Google Chrome 71.0.3578.89 and Firefox 14.0 (12646)
4 Huawei Honor 10 4×Cortex [email protected] GHz+4×Cortex [email protected] GHz Chrome 70.0.3538.110

Server Device (64-bit) Operating System


5 Intel Xeon CPU E5-2609 [email protected] GHz 8-core Ubuntu 16.04.5 LTS
6 Macbook Pro Intel Core [email protected] GHz 4-core macOS Mojave 10.14.2

(a) Enc.Offine (b) Enc.Online (c) CTInit


5000 30 60
Chrome on macOS Chrome on iOS Chrome on macOS Chrome on iOS macOS
4000 Firefox on macOS Safari on iOS 25 Firefox on macOS Safari on iOS 50 Ubuntu
Time in milliseconds

Time in milliseconds

Time in milliseconds
Safari on macOS Firefox on iOS Safari on macOS Firefox on iOS
Edge on Windows Chrome on Android 20 Edge on Windows Chrome on Android 40
3000 Native on macOS Native on macOS
15 30
2000
10 20
1000 5 10

0 0 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100
# Policy attributes # Policy attributes # Policy attributes

(d) Dec.Out (e) Dec.User (f) AES Encrypt Time (GCM)


250 30 700
macOS Chrome on macOS Chrome on iOS Chrome on macOS Chrome on iOS
25 600
200 Ubuntu Firefox on macOS Safari on iOS Firefox on macOS Safari on iOS
Time in milliseconds

Time in milliseconds

Time in milliseconds
Safari on macOS Firefox on iOS Safari on macOS Firefox on iOS
500
20 Edge on Windows Chrome on Android Edge on Windows Chrome on Android
150 Native on macOS 400 Native on macOS
15
100 300
10
200
50 5 100

0 0 0
10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 70 80 90 100 10 20 30 40 50 60 64
# Policy attributes # Policy attributes File size (MB)

(g) AES Decrypt Time (GCM) (h) AES Encrypt Time (CBC) (i) AES Decrypt Time (CBC)
700 700 700
Chrome on macOS Chrome on iOS Chrome on macOS Chrome on iOS Chrome on macOS Chrome on iOS
600 Firefox on macOS Safari on iOS
600 Firefox on macOS Safari on iOS
600 Firefox on macOS Safari on iOS
Time in milliseconds

Time in milliseconds

Time in milliseconds

Safari on macOS Firefox on iOS Safari on macOS Firefox on iOS Safari on macOS Firefox on iOS
500 500 500
Edge on Windows Chrome on Android Edge on Windows Chrome on Android Edge on Windows Chrome on Android
400 Native on macOS 400 Native on macOS 400 Native on macOS

300 300 300

200 200 200

100 100 100

0 0 0
10 20 30 40 50 60 64 10 20 30 40 50 60 64 10 20 30 40 50 60 64
File size (MB) File size (MB) File size (MB)

Fig. 8: Experiment Results of WebCloud

ning time is about 0.46∼5.32 ms. Most notably, even when 0.73∼2.15 ms for most browsers except Microsoft Edge,
the size of access structure increases to 100, the online en- which does not support PBKDF2 key deriving mechanism.
cryption part only requires 3.31 ms in Chrome. For mobiles We instead use the SJCL library [25], resulting 151 ms
browsers, the running time is about 0.81∼11.99 ms. Fig 8(c) latency for Edge. The AES encryption and decryption per-
presents running time of CTInit on the cloud server. On formance is tested with different file sizes (1, 2, 4, 8 and 16
macOS, the running time is about 4∼37 ms. On Ubuntu, the megabyte, respectively). All files are generated randomly.
running time is about 5∼52 ms. Fig 8(d) presents running Fig 8(f) - (i) present running time of AES encryption and
time of Dec.Out on the cloud server. On macOS, the running decryption in the GCM and the CBC modes, respectively.
time is about 22∼165 ms. On Ubuntu, the running time is As for the GCM mode, encrypting 64 MB data in Safari costs
about 25∼236 ms. Fig 8(e) presents running time of Dec.User 95 ms, with only 84 ms for decryption.
in browsers. For laptop browsers, the running time is about Benchmark for Large File Operations: We further tested
1.97∼3.35 ms. For mobiles browsers, the running time is files with sizes 128, 256, 512 and 1,024 MB in the Chrome
about 3.20∼13.99 ms. Actually, except Chrome on Huawei browser on macOS with an Apache server running on
Honor 10, other browsers have running time within 4 ms. macOS. Each instance is executed 100 times and the average
Benchmark of Data Encryption/Decryption: We also result is taken. Table 5 presents the total execution time of
benchmarked the data encryption/decryption routines, encryption and decryption. Note that we only computes
namely key deriving, encryption and decryption of AES. the actually time that will be noticed by users. The file
We omit the key deriving routine in Fig 8, which is small transmission time is omitted since it mainly depends on the
and stable in different browsers. Its running time is about network. For encryption, only Enc.Online, AES key deriving
TABLE 5: Benchmarks for Large File Operations (ms).

           Encryption                                                                  Decryption
Size (MB)  Enc.Online  AES Key Deriving  AES-GCM   Total (GCM)  AES-CBC   Total (CBC)  Dec.Out  Dec.User  AES-GCM   Total (GCM)  AES-CBC   Total (CBC)
128        1.06        0.73              407.59    409.38       506.44    508.23       1.08     2.61      399.68    403.37       346.99    350.68
256        0.98        0.78              740.03    741.79       1,017.46  1,019.22     1.05     2.68      724.40    728.13       702.13    705.86
512        1.10        0.90              1,474.53  1,476.53     2,010.03  2,012.03     1.10     2.64      1,437.93  1,441.67     1,380.45  1,384.19
1,024      1.00        0.79              3,081.71  3,083.50     4,064.27  4,066.06     1.07     2.60      3,854.04  3,857.71     2,854.58  2,858.25
‡ Results obtained in Chrome on macOS with an Apache server running on macOS. The access policy contains 30 attributes, connected by "AND" (S1 ∧ S2 ∧ . . . ∧ S30).

Benchmark for Large File Operations: We further tested files with sizes of 128, 256, 512 and 1,024 MB in the Chrome browser on macOS with an Apache server running on macOS. Each instance is executed 100 times and the average result is taken. Table 5 presents the total execution time of encryption and decryption. Note that we only count the time that will actually be noticed by users. The file transmission time is omitted since it mainly depends on the network. For encryption, only Enc.Online, AES key derivation and AES encryption are counted. For decryption, Dec.Out, Dec.User and AES decryption are counted. As shown in Table 5, the proposed CP-AB-KEM scheme adds less than 1% overhead during encryption and decryption. The AES encryption and decryption occupy most of the execution time. Remarkably, encrypting a 1 GB file takes about 3.1/4.1 seconds, while decryption costs 3.9/2.8 seconds, in the GCM/CBC mode respectively.

Applications on Android and PCs: We pack WebCloud into a desktop application on macOS and a mobile application on Android. We perform the benchmark of CP-AB-KEM and AES as above. The benchmark results show no notable differences from the results in the browser on the same platform. This is because the browsers and the packed applications use the same engine, typically WebKit or Blink. The benchmark results are omitted.

Comparisons with Native Libraries: We implement all algorithms in C++ using the MCL library [49] and the OpenSSL library. In Fig. 8(a), (b), (e), (f), (g), (h) and (i), we present the running time of CP-AB-KEM and AES in C++ on macOS. Running the algorithms natively is faster. The CP-AB-KEM algorithms are about 7∼10 times faster natively than in browsers on macOS. Native AES encryption is about 1.78 times faster and decryption is 4.75 times faster. Overall, the algorithms run faster with the native library, which is as expected.

7 CONCLUSION

We propose WebCloud, a practical client-side encryption solution for public cloud storage in the Web setting, where users do cryptography with only browsers. We analyze the security of WebCloud, implement WebCloud based on ownCloud and conduct a comprehensive performance evaluation. The experimental results show that our solution is practical. As an interesting by-product, the design of WebCloud naturally embodies a dedicated CP-AB-KEM scheme, which is useful in many other applications.

REFERENCES

[1] "Vulnerability and threat in 2018," Skybox Security, Tech. Rep., 2018. [Online]. Available: https://lp.skyboxsecurity.com/WICD-2018-02-Report-Vulnerability-Threat-18_Asset.html
[2] D. Lewis, "iCloud data breach: Hacking and celebrity photos," Duo Security, Tech. Rep., September 2014. [Online]. Available: https://www.forbes.com/sites/davelewis/2014/09/02/icloud-data-breach-hacking-and-nude-celebrity-photos
[3] T. Hunt, "Hacked Dropbox login data of 68 million users is now for sale on the dark web," Tech. Rep., September 2016. [Online]. Available: https://www.troyhunt.com/the-dropbox-hack-is-real/
[4] "Amazon data leak," ElevenPaths, Tech. Rep., November 2018. [Online]. Available: https://www.elevenpaths.com/amazon-data-leak/index.html
[5] K. Korosec, "Data breach exposes trade secrets of carmakers GM, Ford, Tesla, Toyota," TechCrunch, Tech. Rep., July 2018. [Online]. Available: https://techcrunch.com/2018/07/20/data-breach-level-one-automakers/
[6] M. Grant, "$93M class-action lawsuit filed against City of Calgary for privacy breach," Tech. Rep., October 2017. [Online]. Available: http://www.cbc.ca/news/canada/calgary/city-calgary-class-action-93-million-privacy-breach-1.4321257
[7] (2020, April) Secure file transfer — Whisply. [Online]. Available: https://whisp.ly/en
[8] (2020, April) Cryptomator: Free cloud encryption for Dropbox and others. [Online]. Available: https://cryptomator.org/
[9] (2020, April) Whitepapers from SpiderOak. [Online]. Available: https://spideroak.com/whitepapers/
[10] W. Ma, J. Campbell, D. Tran, and D. Kleeman, "Password entropy and password quality," in Fourth International Conference on Network and System Security, NSS 2010, Melbourne, Victoria, Australia, September 1-3, 2010, Y. Xiang, P. Samarati, J. Hu, W. Zhou, and A. Sadeghi, Eds. IEEE Computer Society, 2010, pp. 583–587. [Online]. Available: https://doi.org/10.1109/NSS.2010.18
[11] (2020, April) AWS SDK support for Amazon S3 client-side encryption. [Online]. Available: https://docs.aws.amazon.com/general/latest/gr/aws_sdk_cryptography.html
[12] (2020, April) Cloud storage security - secure cloud storage from Tresorit. [Online]. Available: https://tresorit.com/security
[13] (2020, April) MEGA - secure cloud storage and communication. [Online]. Available: https://mega.nz/
[14] E. Bocchi, I. Drago, and M. Mellia, "Personal cloud storage: Usage, performance and impact of terminals," in 4th IEEE International Conference on Cloud Networking, CloudNet 2015, Niagara Falls, ON, Canada, October 5-7, 2015. IEEE, 2015, pp. 106–111. [Online]. Available: https://doi.org/10.1109/CloudNet.2015.7335291
[15] "Web Cryptography API," the Web Cryptography WG of the W3C, Tech. Rep., January 2017. [Online]. Available: https://www.w3.org/TR/WebCryptoAPI/
[16] A. Haas, A. Rossberg, D. L. Schuff, B. L. Titzer, M. Holman, D. Gohman, L. Wagner, A. Zakai, and J. Bastien, "Bringing the web up to speed with WebAssembly," in ACM SIGPLAN Notices, vol. 52, no. 6. ACM, 2017, pp. 185–200.
[17] B. Waters, "Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization," in International Workshop on Public Key Cryptography. Springer, 2011, pp. 53–70.
[18] W. Zhu, J. Yu, T. Wang, P. Zhang, and W. Xie, "Efficient attribute-based encryption from R-LWE," Chin. J. Electron., vol. 23, no. 4, pp. 778–782, 2014.
[19] M. Green, S. Hohenberger, B. Waters et al., "Outsourcing the decryption of ABE ciphertexts," in USENIX Security Symposium, vol. 2011, no. 3, 2011.
[20] S. Hohenberger and B. Waters, "Online/offline attribute-based encryption," in International Workshop on Public Key Cryptography. Springer, 2014, pp. 293–310.
[21] R. Zhang, H. Ma, and Y. Lu, "Fine-grained access control system based on fully outsourced attribute-based encryption," Journal of Systems and Software, vol. 125, pp. 344–353, 2017.
[22] S. Yu, C. Wang, K. Ren, and W. Lou, "Attribute based data sharing with attribute revocation," in Proceedings of the 5th ACM Symposium on Information, Computer and Communications Security, 2010, pp. 261–270.
[23] (2020, April) ownCloud - the leading open source cloud collaboration platform. [Online]. Available: https://owncloud.org/
[24] (2020, April) OpenPGP implementation for JavaScript. [Online]. Available: https://github.com/openpgpjs/openpgpjs
[25] E. Stark, M. Hamburg, and D. Boneh, "Symmetric cryptography in JavaScript," in Computer Security Applications Conference, 2009. ACSAC'09. Annual. IEEE, 2009, pp. 373–381.
[26] Y. Yuan, C.-M. Cheng, S. Kiyomoto, Y. Miyake, and T. Takagi, "Portable implementation of lattice-based cryptography using JavaScript," International Journal of Networking and Computing, vol. 6, no. 2, pp. 309–327, 2016.
[27] H. Halpin, "The W3C Web Cryptography API: motivation and overview," in Proceedings of the 23rd International Conference on World Wide Web. ACM, 2014, pp. 959–964.
[28] A. Rangathan, "Web cryptography use-cases," Working Draft, W3C, 2013.
[29] Z. Guan, Z. Cao, X. Zhao, R. Chen, Z. Chen, and X. Nan, "WebIBC: Identity based cryptography for client side security in web applications," in Distributed Computing Systems, 2008. ICDCS'08. The 28th International Conference on. IEEE, 2008, pp. 689–696.
[30] W. He, D. Akhawe, S. Jain, E. Shi, and D. Song, "ShadowCrypt: Encrypted web applications for everyone," in Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, 2014, pp. 1028–1039.
[31] N. Attrapadung, G. Hanaoka, S. Mitsunari, Y. Sakai, K. Shimizu, and T. Teruya, "Efficient two-level homomorphic encryption in prime-order bilinear groups and a fast implementation in WebAssembly," in Proceedings of the 2018 on Asia Conference on Computer and Communications Security, 2018, pp. 685–697.
[32] A. Sahai and B. Waters, "Fuzzy identity-based encryption," in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2005, pp. 457–473.
[33] V. Goyal, O. Pandey, A. Sahai, and B. Waters, "Attribute-based encryption for fine-grained access control of encrypted data," in Proceedings of the 13th ACM Conference on Computer and Communications Security. ACM, 2006, pp. 89–98.
[34] R. Ostrovsky, A. Sahai, and B. Waters, "Attribute-based encryption with non-monotonic access structures," in Proceedings of the 14th ACM Conference on Computer and Communications Security. ACM, 2007, pp. 195–203.
[35] A. Lewko, T. Okamoto, A. Sahai, K. Takashima, and B. Waters, "Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption," in Annual International Conference on the Theory and Applications of Cryptographic Techniques. Springer, 2010, pp. 62–91.
[36] T. Okamoto and K. Takashima, "Fully secure functional encryption with general relations from the decisional linear assumption," in Annual Cryptology Conference. Springer, 2010, pp. 191–208.
[37] J. Bethencourt, A. Sahai, and B. Waters, "Ciphertext-policy attribute-based encryption," in 2007 IEEE Symposium on Security and Privacy (SP'07). IEEE, 2007, pp. 321–334.
[38] L. Cheung and C. Newport, "Provably secure ciphertext policy ABE," in Proceedings of the 14th ACM Conference on Computer and Communications Security, 2007, pp. 456–465.
[39] (2020, April) IndexedDB API. [Online]. Available: https://developer.mozilla.org/en-US/docs/Web/API/IndexedDB_API
[40] A. Bhargav-Spantzel, A. C. Squicciarini, S. K. Modi, M. Young, E. Bertino, and S. J. Elliott, "Privacy preserving multi-factor authentication with biometrics," Journal of Computer Security, vol. 15, no. 5, pp. 529–560, 2007. [Online]. Available: http://content.iospress.com/articles/journal-of-computer-security/jcs292
[41] A. P. Sabzevar and A. Stavrou, "Universal multi-factor authentication using graphical passwords," in 2008 IEEE International Conference on Signal Image Technology and Internet Based Systems. IEEE, 2008, pp. 625–632.
[42] X. Huang, Y. Xiang, E. Bertino, J. Zhou, and L. Xu, "Robust multi-factor authentication for fragile communications," IEEE Transactions on Dependable and Secure Computing, vol. 11, no. 6, pp. 568–581, 2014.
[43] R. Zhang, Y. Xiao, S. Sun, and H. Ma, "Efficient multi-factor authenticated key exchange scheme for mobile communications," IEEE Transactions on Dependable and Secure Computing, 2017.
[44] Y. Sutcu, Q. Li, and N. Memon, "Design and analysis of fuzzy extractors for faces," Proceedings of SPIE - The International Society for Optical Engineering, vol. 7306, May 2009.
[45] J. Li, C. Jia, J. Li, and X. Chen, "Outsourcing encryption of attribute-based encryption with MapReduce," in International Conference on Information and Communications Security. Springer, 2012, pp. 191–201.
[46] T. Dierks and E. Rescorla, "RFC 5246," The Transport Layer Security (TLS) Protocol Version 1.2, 2008.
[47] A. Barth, C. Jackson, and J. C. Mitchell, "Securing frame communication in browsers," Communications of the ACM, vol. 52, no. 6, pp. 83–91, 2009.
[48] A. Barth, "The web origin concept," Tech. Rep., 2011.
[49] M. Shigeo. (2020, April) A portable and fast pairing-based cryptography library. [Online]. Available: https://github.com/herumi/mcl
[50] P. A. Grassi, J. L. Fenton, E. Newton, R. Perlner, A. Regenscheid, W. Burr, J. Richer, N. Lefkovitz, J. Danker, Y.-Y. Choong et al., "NIST Special Publication 800-63B: Digital identity guidelines," Enrollment and Identity Proofing Requirements, 2017. [Online]. Available: https://pages.nist.gov/800-63-3/sp800-63a.html
[51] A. Beimel, "Secure schemes for secret sharing and key distribution," Ph.D. dissertation, Technion-Israel Institute of Technology, Faculty of Computer Science, 1996.
[52] H. Ma, R. Zhang, Z. Wan, Y. Lu, and S. Lin, "Verifiable and exculpable outsourced attribute-based encryption for access control in cloud computing," IEEE Transactions on Dependable and Secure Computing, vol. 14, no. 6, pp. 679–692, 2017.
[53] H. Ma, R. Zhang, S. Sun, Z. Song, and G. Tan, "Server-aided fine-grained access control mechanism with robust revocation in cloud computing," IEEE Transactions on Services Computing, pp. 1–1, 2019.
[54] A. Shamir, "How to share a secret," Communications of the ACM, vol. 22, no. 11, pp. 612–613, 1979.
[55] Y. Rouselakis and B. Waters, "Practical constructions and new proof methods for large universe attribute-based encryption," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security. ACM, 2013, pp. 463–474.
[56] (2020, April) jQuery File Upload plugin. [Online]. Available: https://github.com/blueimp/jQuery-File-Upload
[57] (2020, April) sabre/dav: the most popular WebDAV framework for PHP. [Online]. Available: https://github.com/sabre-io/dav
[58] (2020, April) Electron: Build cross platform desktop apps with JavaScript, HTML, and CSS. [Online]. Available: https://www.electronjs.org/

ACKNOWLEDGMENT

The authors would like to thank the anonymous reviewers for their valuable comments. This work was partially supported by the National Natural Science Foundation of China (Nos. 61772520, 61802392, 61972094, 61472416, 61632020), the Key Research and Development Project of Zhejiang Province (Nos. 2017C01062, 2020C01078) and the Beijing Municipal Science & Technology Commission (Project Nos. Z191100007119007, Z191100007119002). Shuzhou Sun and Hui Ma contributed equally to this paper and are labeled as co-first authors. The corresponding author is Rui Zhang.

Shuzhou Sun received his B.E. degree in software engineering from the Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2015. He is currently a Ph.D. student in information security with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China. His research interests include applied cryptography and information security.

Hui Ma received his B.E. degree in information security from the Nanjing University of Aeronautics and Astronautics, Nanjing, China, in 2012. He received his Ph.D. degree in information security from the Institute of Information Engineering, Chinese Academy of Sciences, Beijing, China, in 2017. He is now with the Institute of Information Engineering, Chinese Academy of Sciences, as an associate professor. His research interests include applied cryptography and the security of cloud computing.
Zishuai Song received his B.E. degree in information security from Xidian University, China, in 2017. He is currently pursuing the Ph.D. degree in information security with the Institute of Information Engineering, Chinese Academy of Sciences. He is currently involved in security mechanisms for cloud computing.

Rui Zhang received his B.E. degree from Tsinghua University, and his M.S. and Ph.D. degrees from the University of Tokyo. He was a JSPS research fellow before he joined AIST, Japan, as a research scientist. He is now with the Institute of Information Engineering (IIE), Chinese Academy of Sciences, as a research professor. His research interests include applied cryptography, network security and information theory.