attribute based drm scheme with dynamic usage control in cloud computing

China Communications • April 2014 50

computing; usage control; attribute-based encryption; homomorphic encryption

I. INTRODUCTION

Cloud computing is a promising computing paradigm which recently has drawn extensive attention from both academia and industry. Based on the techniques of service-oriented architectures, virtualization and distributed computing, cloud computing brings a lot of benefits including reduced costs and capital expenditures, increased operational efficien-cies, scalability, and flexibility [1]. With the cloud computing systems, the enterprises no longer need to invest in hardware and software systems, and the customers can outsource their data to cloud storage due to its scalability. Moreover, the cloud computing services can be offered in the pay-as-you-use fashion at rel-atively low prices.

Although the cloud computing brings excit-ing benefits for the users, the cloud computing exists serious security problems [2]. One of the important security concerns is data secu-rity and privacy preserving [3]. As mentioned above, the data owners outsource their data to the CSP for storage and business operations. However, the data stored in the cloud may be disclosed, since the CSP is semi-trusted [4]. Moreover, during the interaction with the us-

Abstract: In order to achieve fine-grained access control in cloud computing, existing digital rights management (DRM) schemes adopt attribute-based encryption as the main encryption primitive. However, these schemes suffer from inefficiency and cannot support dynamic updating of usage rights stored in the cloud. In this paper, we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing. We present a secure key management mechanism based on attribute-based encryption and proxy re-encryption. Only the users whose attributes satisfy the access policy of the encrypted content and who have effective usage rights can be able to recover the content encryption key and further decrypt the content. The attribute based mechanism allows the content provider to selectively provide fine-grained access control of contents among a set of users, and also enables the license server to implement immediate attribute and user revocation. Moreover, our scheme supports privacy-preserving dynamic usage control based on additive homomorphic encryption, which allows the license server in the cloud to update the users’ usage rights dynamically without disclosing the plaintext. Extensive analytical results indicate that our proposed scheme is secure and efficient.Key words: digital rights management; cloud

Attribute Based DRM Scheme with Dynamic Usage Control in Cloud ComputingHUANG Qinlong1,2, MA Zhaofeng1,2, YANG Yixian1,2, NIU Xinxin1,2, FU Jingyi1,2

1Information Security Center, Beijing University of Posts and Telecommunications, Beijing 100876, China2National Engineering Laboratory for Disaster Backup and Recovery, Beijing University of Posts and Telecommunications, Beijing 100876, China

COMMUNICATIONS SYSTEM DESIGN

China Communications • April 201451

based attributed-based encryption (ABE) have been proposed recently [10-11]. Yu et al. pro-posed an access control scheme employing ABE, which adopts key-policy ABE (KP-ABE) to enforce fine-grained access control [12]. In the KP-ABE scheme, a ciphertext is associated with a set of attributes and a user’s decryption key is associated with an access structure. Only if the attributes associated with the ciphertext satisfy the access structure, can the user decrypt the ciphertext. However, this scheme falls short of flexibility in attribute management. In contrast to KP-ABE, cipher-text-policy ABE (CP-ABE) turns out to be well suited for access control in DRM due to its expressiveness in describing access policy [13]. In a CP-ABE scheme, the ciphertext is encrypted with an access structure, while the corresponding decryption key is created with respect to a set of attributes. As long as the set of attributes associated with a decryption key satisfies the access structure associated with a given ciphertext, the key can be used to de-crypt the ciphertext.

The access control is the security mech-anism which defines who can access the protected content, while the usage control in DRM systems covers the usage rights such as play period and print count, which is usually formalized with rights expression language [14]. In the traditional DRM systems, the us-age control is usually executed by the trusted DRM client. However, in the cloud computing environment, the usage rights are normally en-crypted and stored in the cloud, which allows the users to access the content anytime and anywhere [8-9]. Thus it is essential to update the usage rights timely and securely in the cloud when the users access their contents.

In this paper, we study the protection of contents stored in semi-trusted cloud, and focus on the challenging key management. In order to protect the contents stored in the semi-trusted cloud storage, content providers must encrypt the contents with content encryp-tion key (CEK) before outsourcing them to the cloud. We adopt CP-ABE and PRE to protect

ers, the CSP may collect users’ personal infor-mation and consumption profiles, which may be used for targeted advertisement. Thus, it is necessary to make sure that the data owners’ data is kept confidential and the users’ privacy is well preserved. A feasible and promising approach would be to encrypt the data before outsourcing. In this way, only the authorized users with the decryption key can recover the data, while the CSP and malicious user cannot execute decryption, even if they can obtain the ciphertext stored in the cloud [5]. Therefore, data encryption is a good way to satisfy the security requirements in cloud computing.

Digital rights management (DRM) is a popular approach to protect content copyright based on the techniques of content encryption, access control, and dynamic licensing [6-7]. The DRM systems mostly first encrypt the contents from the content providers, and then provide the users licenses, which allow the users to access the contents according to the usage rights in the license. However, the tra-ditional DRM systems are built on the trusted environment. Since the cloud computing is semi-trusted and scalable, the DRM systems in cloud computing are required to prevent the CSP from accessing the plaintext, for exam-ple, based on the proxy re-encryption (PRE) technique [8]. Moreover, the DRM systems in cloud computing also need to prevent the CSP from knowing exactly which users are access-ing certain contents [9].

Content confidentiality and privacy pre-serving are not the only security requirements, fine-grained access control is also strongly desired in DRM systems in cloud computing. The traditional access control architectures are only applicable to systems in which content providers and service providers are within the same trusted domain. This assumption no longer holds in cloud computing since content providers and service providers are usually not in the same trusted. For the purpose of allowing the content provider to enjoy fine-grained access control of content stored on semi-trusted cloud, access control schemes

In this paper, we pro-pose a novel DRM scheme with secure key management and dynamic usage control in cloud computing. We present a secure k e y m a n a g e m e n t m e c h a n i s m ba s e d on attr ibute-based encryption and proxy re-encryption.


introduce preliminaries in Section III, and provide the overview of our scheme in Section IV. We provide a construction in Section V, and analyze the correctness, security and per-formance of our scheme in Section VI. Finally we conclude this paper in Section VII.

II. RELATED WORK

In this section, we discuss the related work about DRM in cloud computing.

1) Data security and key management in cloud computing. A typical approach for data confidentiality protection is to encrypt the data with an encryption key before storing it to cloud. In order to protect the data stored in cloud computing environment, Han et al. proposed an identity-based PRE data storage scheme which is applicable to cloud com-puting as it supports both intra-domain and inter-domain queries [15]. In this scheme, the access key is bound not only to the requester’s identity but also to the requested ciphertext, and can be computed by the data owner inde-pendently without the help of the key server.

Samanthula et al. proposed an efficient and secure data sharing framework in the cloud based on homomorphic encryption and PRE that prevents the leakage of unauthorized data when a revoked user rejoins the sys-tem [16]. Upon a data request from the user, the cloud computes the re-encrypted record using the re-encryption key and performs a homomorphic addition to generate a set of attributes, and sends the results to the user for decryption. Liu et al. proposed a secure data sharing scheme in cloud computing based on time-based PRE [17], which allows a user’s access right to automatically expire after a predetermined period of time. The time-based PRE scheme enables the CSP to automatically re-encrypt data without receiving any PRE keys from the data owner. On receiving a data access request from a user, the CSP will re-en-crypt the ciphertext based on its own time, and return the re-encrypted ciphertext. Therefore, given the re-encrypted ciphertext, only the

and distribute the CEK securely and achieve fine-grained access control. We also allow the license server in the cloud to update users’ usage rights dynamically without getting the plaintext. To this end, we make the following main contributions:

(1) We present a secure key management mechanism in DRM based on CP-ABE and PRE. In the content encryption phase, the con-tent providers encrypt their contents with the CEK which is divided into two parts: content master key (CMK) and assistant key (AK). The CMK is protected using CP-ABE and distributed in the head of encrypted content, while the AK is protected using PRE and dis-tributed in the license. If a user satisfies the ac-cess policy of the ciphertext and has effective usage rights, he can retrieve the CMK and AK, and then generate the CEK and decrypt the content. Moreover, the malicious users cannot collude and decrypt the CEK that they cannot individually access.

(2) We propose an attribute based fine-grained access control framework in cloud computing. We enable the content providers to selectively provide their contents among a set of users by encrypting the CMK under the access policy. In addition, our framework del-egates the license server in the cloud to revoke the attributes and users immediately.

(3) We provide a privacy preserving dy-namic usage control model based on additive homomorphic encryption. The usage rights are encrypted by the user’s public key and stored in the cloud storage, which allows the users to consume the contents anytime and anywhere. Based on the additive homomorphic encryp-tion, the license server in the cloud can update the users’ usage rights dynamically without disclosing the plaintext.

(4) We provide a thorough analysis of the security and performance of our proposed scheme. We also compare our proposed scheme with recent content protection schemes in cloud computing.

This paper is structured as follows: we review related work in Section II. Then we


a match between his decryption key and the ciphertext [20-21]. Li et al. proposed a secure sharing of personal health records (PHR) in cloud computing [21]. This scheme leverages ABE technique to encrypt each patient’s PHR file, to achieve fine-grained and scalable data access control for PHR.

As we know, ABE schemes are classified into KP-ABE and CP-ABE, depending how attributes and access structure are associated with ciphertexts and decryption keys [22]. It is more natural to apply CP-ABE which is con-ceptually closer to traditional access control models, to enforce access control of encrypted data.

Hur et al. propose an attribute-based access control scheme using CP-ABE for data out-sourcing systems [23]. The proposed scheme enables user access control which enhances the backward/forward secrecy of outsourced data on any membership changes in attribute groups. Moreover, the user access control can be done on each attribute level rather than on system level, so that more fine-grained user access control can be possible. Wang et al. proposed hierarchical ABE to achieve fine-grained access control in cloud storage ser-vices by combining hierarchical identity-based encryption and CP-ABE [2]. This scheme supports fine-grained access control and fully delegating computation to the cloud providers.

In addition, the revocation is an essential mechanism in ABE systems, since the users may change their attributes frequently in prac-tice. Ibraimi et al. introduced a mediator which maintains a revocation list so as to implement immediate attributes revocation [24]. Yu et al. introduced the semi-trusted agent based on PRE to achieve user revocation [12]. The proxy agent re-encrypts the ciphertext by the latest proxy key, and refreshes all the private keys held by the legal users. However, these revocation schemes will cause the key update operation of large numbers of users. Using our scheme, both attribute and user revocation can be achieved immediately without the key up-date and data re-encryption operations.

users whose attributes satisfy the access struc-ture and whose access rights are effective in the access time can recover the corresponding data.

The above schemes in cloud computing protect data confidentiality and achieve secure key distribution. However, these schemes per-formed data re-encryption operations when the user accesses the content, which is not practi-cal when the data and user are large in quanti-ty. Hence, these schemes are not efficient for content protection in cloud computing.

Therefore, an ideal approach is to encrypt each data once, and distribute re-encrypted keys to different users. In the CL-PRE [18], data owner encrypts shared data in the cloud with an encryption key, which is further en-crypted and transformed by the cloud, and then distributed to legitimate recipients. Uniquely, the cloud-based transformation leverages re-encryption keys derived from the private key of data owner and public keys of the recipient, and transfers the encrypted keys into the format that can be decrypted with the recipient’s private key. The recipient can download the ciphertext from the cloud and use the keys for decryption. Our scheme only re-encrypts the AK which is part of the CEK and distributes the re-encrypted AK to the us-ers with the license.

2) ABE in cloud computing. Access con-trol is an important security mechanism to ensure content using in a controllable manner. The traditional content protection schemes based on encryption requires an efficient key management mechanism to distribute decryp-tion keys to authorized users, which may lacks scalability and flexibility. ABE turns out to be a good technique for realizing scalable, flexi-ble, and fine-grained access control solutions. The notion of ABE was first introduced by Sahai and Waters as a new method for fuzzy identity-based encryption [19]. In the ABE scheme, both ciphertexts and users’ decryption keys are associated with a set of attributes or an access structure over attributes. A user is able to decrypt a ciphertext only if there is


preserving is one of the security concerns in cloud computing. The user’s privacy includes user’s personal identification information and consumption profile. In order to preserve user privacy in cloud computing, Perlman et al. proposed a privacy-preserving DRM solution that allows users to purchase content anony-mously from a content provider and access the content without being tracked [28]. Joshi and Petrlic proposed another privacy-preserving DRM scheme in cloud computing [29]. This scheme combines ring signatures with an anonymous recipient mechanism, and employs secret sharing in a unique manner that allows the content provider to expose the user’s iden-tity if the user commits fraud.

Mishra et al. proposed a hierarchical iden-tity based encryption scheme for multiparty multilevel DRM, which addresses a commuta-tive encryption based content key acquisition protocol to achieve privacy preservation [30]. Petrlic also proposed a privacy preserving cloud DRM scheme based on PRE that allows users to stay anonymous [8].

However, not only user anonymity but also user profile building prevention must be guaranteed in DRM in cloud computing, as we achieved in our scheme.

III. PRELIMINARIES

In this section, we introduce the concepts of bilinear map, CP-ABE, PRE and full homo-morphic encryption. Table I presents the nota-tions used throughout the paper.

3.1 Bilinear map

Let G1 and G2 be two cyclic groups of some large prime order q, where G1 is an additive group and G2 is a multiplicative group. A bilinear map , satisfies the following properties:

(1) Computability. There is a polynomial time algorithm to compute , for any .

(2) Bil ineari ty. For al l and , .

3) Dynamic usage control in cloud com-puting. Data aggregation is a type of data mining process where data is gathered and presented in a summarized format. The cloud computing provides a flexible on-demand data storage service to users anywhere and anytime, and moves the application and data to the centralized large data centers, where the management of the data may not be fully trustworthy.

Corena et al. proposed an architecture based on additive homomorphic encryption and secret sharing schemes to store information securely while still allowing fast aggregation queries at an outsourced untrusted cloud serv-er [25]. Castelluccia et al. proposed a simple and provably secure additively homomorphic stream cipher that allows efficient aggregation of encrypted data [26]. The aggregation based on the additively homomorphic stream cipher can be used to efficiently compute statistical values. Ruj et al. proposed a decentralized se-curity framework for smart grids that supports data aggregation and access control [27]. Data can be aggregated by home area network, building area network, and neighboring area network based on the homomorphic encryp-tion technique, thus the privacy of customers is protected.

As we know, the dynamic usage control is actually a process of aggregation of usage rights, which enforces legitimate users to ac-cess the contents under the control of their re-al-time usage rights. The usage control covers the user’s usage rights, which is usually exe-cuted by the DRM client. However, currently there is not much work to support dynamic usage control in DRM in cloud computing. For example, in the Petrlic’s schemes [8-9], the CSP stores the license issued by content provider in the cloud, and checks the license and executes the usage control when the us-ers consumes the contents. However, these schemes cannot allow the CSP to update the user’s usage rights such as print count stored in the cloud dynamically.

4) Privacy preserving in DRM. Privacy


revoked.

3.3 Proxy re-encryption

The PRE allows a semi-trusted proxy to re-encrypt data for delivery to a specific user without requiring the data to be decrypted. We provide the definition of a unidirectional PRE scheme which consists of the following algorithms:

(1) Key generation. The algorithm takes as input a secret key SKA, a public key PKB, and outputs a re-encryption key RK.

(2) Encryption. The algorithm takes as input a public key PKA and a plaintext M, and outputs a ciphertext CT = Enc(PKA, M).

(3) Re-encryption. The algorithm takes as input the RK and a ciphertext CT under PKA, and outputs a ciphertext CT’ under PKB, denoted as CT’ = ReEnc(RK, CT).

(4) Decryption. The algorithm takes as input a secret key SKB and a ciphertext CT, and outputs a plaintext M = Dec(SKB, CT).

3.4 Full homomorphic encryption

The homomorphic encryption technique is very natural ways to construct a variety of privacy preserving protocols [31]. Formally, a full homomorphic encryption scheme consists of six algorithms as follows [32]:

(1) Key generation. The algorithm takes as input a security parameter K and outputs a public and secret key pair (PK, SK), where PK is public, SK is kept secret.

(2) Encryption. The algorithm takes as input a plaintext M and the PK and outputs a ciphertext CT, denoted as CT = Enc(PK, M).

(3) Decryption. The algorithm takes as input a ciphertext CT and the SK and outputs a plaintext M, denoted as M = Dec(SK, CT).

(4) Homomorphic addition. The algorithm takes as input two ciphertexts CT1 = Enc(PK, M1), CT2 = Enc(PK, M2), and the PK, and outputs a ciphertext CT, denoted as CT = Add(CT1, CT2, PK), such that

1 2( , )Dec SK CT M M= +

(5) Homomorphic subtraction. The algo-rithm takes as input two ciphertexts CT1 =

(3) Non-degeneracy. The map does not send all pairs in to the identity in .

3.2 Ciphertext-policy attribute-based encryption

In this section, we define the CP-ABE scheme. The scheme consists of the following four al-gorithms:

(1) System setup. The system setup algo-rithm is a randomized algorithm that takes the security parameter K as input. It outputs the public key PK and a master key MK.

(2) Key generation. The attribute key gen-eration algorithm takes as input the MK, a set of attributes AS. It outputs a set of attribute secret keys ASK for the user.

(3) Encryption. The encryption algorithm takes as input the PK, a message M, and an ac-cess policy AP over the universe of attributes. It outputs a ciphertext CT such that only a user who possesses a set of attributes that satisfy the AP will be able to decrypt the M.

(4) Decryption. The decryption algorithm takes as input the ciphertext CT which con-tains the AP, and the ASK. The decryption can be done if AS satisfies AP and the user is not

Table I NotationsNotation Description

K security parameter

PK system public key

MK system master key

PKCP public key of content provider

SKCP secret key of content provider

PKU public key of user

SKU secret key of user

AS attribute set of user

ASK attribute secret keys of user

RK re-encryption key

CID content identity

AP access policy

CEK content encryption key

CMK content master key

AK assistant key

M plain content

CT DRM protected content

UR usage rights


secure content sharing. The main idea is to divide the CEK into two parts: CMK and AK. The CMK and AK are protected and distribut-ed to the user separately. As shown in Fig.1, the system model of the proposed scheme con-sists of the following entities:

(1) Cloud storage. The cloud storage is an entity which provides a storage service based on cloud computing, and stores the outsourced contents from the content providers.

(2) Cloud service provider. The CSP is an entity that provides content outsourcing and content subscription service. Encrypted contents from the content providers are out-sourced to cloud storage through the CSP, and the CSP is also in charge of content subscrip-tion from the users and license distribution to the users.

(3) License server. The license server is an entity which generates and distributes the li-censes for the users when receiving the license acquisition from the CSP. The license includes the encrypted AK. It also refuses to distribute usage rights to the user if the user’s attributes cannot satisfy the AP or the user is revoked.

(4) Key server. The key server is an entity which generates the public and secret keys for the system. It grants different attributes to users, and issues attribute secret keys to users. It also re-encrypts the AK for users when they

Enc(PK, M1), CT2 = Enc(PK, M2), and the PK, and outputs a ciphertext CT, denoted as CT = Sub(CT1, CT2, PK), such that

1 2( , )Dec SK CT M M= −

(6) Homomorphic multiplication. The al-gorithm takes as input two ciphertexts CT1 = Enc(PK, M1), CT2 = Enc(PK, M2), and the PK, and outputs a ciphertext CT = Mult(CT1, CT2, PK), such that

1 2( , )Dec SK CT M M= ⋅

IV. PROPOSED SCHEME

4.1 Design goals

The design goals of the proposed scheme are summarized as follows:

(1) Key and content confidentiality. Un-authorized users who do not possess enough attributes satisfying the access policy should be prevented from decrypting the key and con-tent.

(2) Fine-grained access control. The content providers can specify expressive access policy for contents, and the access policy should be fl exible.

(3) Effi cient revocation. Instead of period-ically re-encrypting content and re-generating new secret keys, the key server can take ad-vantage of the abundant resources in the cloud to revoke attributes and illegal users instantly and effi ciently.

(4) Privacy-preserving dynamic usage con-trol. The usage rights encrypted by the user’s public key are stored in the cloud storage, which allows the users to consume the con-tents anytime anywhere. The license server in the cloud can be able to update the users’ us-age rights dynamically without disclosing the users’ privacy.

(5) Scalability and effi ciency. Since the set of users may be large in size and unpredict-able, the proposed scheme should be highly scalable and effi cient.

4.2 System model

The main goal of our framework is to provide

Fig.1 System model of proposed scheme

EncryptedEncryptedkey

EncryptedEncryptedcontentLicense EncryptedEncrypted

content

Re-encrypted key

Consumedusage rightsusage rights

Licenseacquisition

License serverLicense serverLicense server

Cloud service provider

Key serverKey server

User Content provider

Cloud storage

Consumedusage rightsusage rights


provider first generates the CEK with random CMK and AK, and then encrypts the content M with CEK, and generates the ciphertext CT. The content provider then defines the access policy AP, and encrypts the CMK with AP, outputs the CMKA. The content provider also takes the PKCP to encrypt the AK, outputs the AKCP and AK0.

(5) ReEncrypt(RK, AKCP): The key server uses the RK to re-encrypt the AKCP, outputs the AKU.

(6) Decrypt(PK, ASK, CT). If the user’s attributes satisfy the AP in the ciphertext, he first recovers the CMK with the ASK, and then recovers UR and AK with SKU. If the user’s UR is effective, he can generate the CEK with CMK and AK, and further recover the M.

(7) URUpdate(URU, CRU). The license server takes the usage rights URU in the cloud, and the consumed usage rights CRU to update the user’s usage rights based on homomorphic subtraction.

4.5 Working process

We will provide a system level description for the proposed scheme as follows.

(1) System setupThe key server in cloud environment runs

the Setup algorithm to generate the PK and MK.

(2) Content provider registrationWhen a content provider registers to the

CSP, the key server runs the GenKey algorithm to generate the PKCP and SKCP for the content provider, and then sends them to content provider in a secure channel.

(3) User registrationWhen a user registers to the CSP, the key

server runs the GenKey algorithm to generate the PKU and SKU for the user, and assigns a set of attributes to the user, and then generates the ASK. The content provider then runs the ReKey algorithm to generate the RK for user, and sends it to the key server. The key server sends the PKU, SKU, ASK and PK to the user in a secure channel.

(4) Content encryption

acquire the license.(5) Content provider. The content provider

is an entity who wishes to outsource their con-tents to cloud storage provided by the CSP, for the purpose of using low-cost and energy-ef-ficient storage resources. The content provid-ers encrypt their contents before outsourcing them. The head of the ciphertext includes the CMK encrypted with the access policy.

(6) User. The user is an entity who wants to access the outsourced content. If a user pos-sesses a set of attributes satisfying the AP of the ciphertext, he will be able to decrypt and consume the contents.

4.3 Security model

In this paper, we assume the CSP to be semi-trusted. That is, it will honestly execute the tasks assigned by legitimate parties in the system. However, it would like to learn infor-mation of ciphertext and license as much as possible. We also consider the license server to be semi-trusted.

In addition, each entity is associated with a public key and a secret key, with the latter be-ing kept secretly by the entity. The users may try to access contents either within or outside the scope of their access privileges, so mali-cious users may collude with each other to get contents beyond their privileges.

4.4 Scheme definition

We define the proposed scheme by describ-ing the following seven algorithms:

(1) Setup(K). The key server takes a security parameter K, the universal attribute as inputs, and outputs the PK and MK.

(2) GenKey(PK, MK). The key server generates the PKCP and SKCP for the content provider. It also generates the PKU and SKU for the user, and then assigns a set of attributes AS to the user. It takes the PK, MK, and AS as inputs, and generates ASK for the user.

(3) ReKey(SKCP, PKU). The content provider takes the secret key SKCP, user’s public key PKU as input, and outputs the RK.

(4) Encrypt(PK, AP, M). The content


crypted content. If the user’s attributes cannot satisfy the AP of the encrypted content after the revocation, the license server refuses to distribute usage rights to the user, and then the user cannot access the contents. Therefore, attribute revocation is achieved immediately after the attribute revocation request is made.

(8) User revocationWhenever there is a user to be revoked, the

key server revokes the user, and informs the li-cense server to refuse to distribute usage rights to the user when the user wants to access the encrypted content. Thus, user revocation is achieved instantly after the user is revoked.

V. CONSTRUCTION

In this section, we will provide a detailed con-struction for our scheme as followings.

5.1 System setup

The key server runs Setup algorithm to output the PK and MK as follows:

1 2 0 1 0ˆ({ } , , , ,, , , , )a a UAPK PK q p ge p q∈= G G

0 1 1({ } , , , )a a UAMK SK k k SK∈=

where UA is universal attribute, are the outputs of a BDH parameter generator, p0 and g are the random generator of G1, p1 is a random element in G1, is the initial secret key of attribute a and is the initial public key of attribute a, k0 and k1 are random elements in , and

. The key server then keeps the MK secret, and publishes the PK.

5.2 Key generation

When a content provider registers to the CSP, the key server runs GenKey algorithm to select a random and generate PKCP and SKCP for the content provider.

cpCPPK g= , CPSK cp=

When a user registers to the CSP, the key server first generates PKU and SKU for the user. The key server then assigns AS to the user, and selects a random , and takes PK, MK and AS as inputs, and generates ASK as fol-

Before outsourcing the content to the cloud, the content provider first selects a unique CID, and generates the CEK with random CMK and AK, and defines the AP, and then encrypts the blocks of the content using the Encrypt algo-rithm, and generates the CT which contains the encrypted CMK. Then content provider outsources the CT to the CSP, and sends the encrypted AK to the key server.

(5) License acquisitionThe user chooses the interesting content

from the CSP, and pays the chosen content. The CSP then sends the user’s license acqui-sition request including the purchased usage rights to the license server. The key server then runs ReEncrypt algorithm to generate the re-encrypted AK. The license server generates the license which includes the re-encrypted AK and UR, and then sends the license along with its signature to the user. On receiving the license, the user verifies the signature and keeps the license.

(6) Content decryptionWhen the user wants to access the content,

he will first make sure that his attributes satisfy the AP and he has the corresponding license. If this is the case, the user recovers the CMK from the ciphertext, and then retrieves the latest usage rights from the license server through the CSP. If the user’s usage rights are effective, he can run Decrypt algorithm to recover the AK and generate the CEK, and further decrypt the ciphertext.

In addition, it is necessary to send the consumed usage rights such as consumed time and consumed count to license server through the CSP. The license server then runs the URUpdate algorithm to update the user’s usage rights. Since the user’s usage rights are protected by the user’s public key, the license server cannot disclose the usage rights.

(7) Attribute revocationWhenever a user’s attributes revocation

event occurs, the key server revokes the attributes from the user’s AS, and notices the license server to check the user’s attributes firstly when the user wants to access the en-


5.6 Content decryption

Given the CT, the user whose attributes satisfy the ith conjunctive clause CCi, runs Decrypt algorithm to recover the CMK as follows:

0( , )

ˆ( , )

ˆi

A

a CCi

A

i

A

U i

CMK CM

ne U ASKn

ne UK

SKn

∈=∑

The user uses SKU to recover AK as fol-lows:

1/0 / USK

UAK AK AK=

If the user’s UR are effective, the user uses the CMK and AK to generate the CEK, and uses the CEK to decrypt the CT as follows:

CEK CMK AK= +

( , )M Dec CEK C=

5.7 Usage rights update

On receiving the user’s consumed usage r i g h t s C R U , t h e l i c e n s e s e r v e r r u n s URUpdate algorithm to update the usage rights URU based on additive homomorphic encryption as follows:

( , , )( ( , ), ( , ), )( , )

U U

U U

U

U

Sub UR CR PKSub Enc PK UR Enc PK CR PKEnc PK UR CRUR

=

= −′=

The license server then stores the updated usage rights .

VI. SECURITY AND PERFORMANCE

ANALYSIS

In this section, we will discuss the following analysis of our proposed scheme.

6.1 Correctness analysis

To prove the correctness of the proposed scheme, we should prove that given an en-crypted content, the users whose attributes satisfy the AP and whose usage rights are effective can successfully recover the content. We can prove that the equation is correct as follows:

lows:1 0rk p

UPK g= , 1 0USK rk p=

1 1U aASK SK rk PK= +

5.3 Re-encryption key generation

The content provider runs ReKey algorithm to output the RK as follows:

1 01/ /( ) CPSK rk p cpURK PK g= =

5.4 Content encryption

The content provider runs Encrypt algorithm to encrypt the content. The content provider first generates the CEK with random CMK and random AK, and then encrypts the content M with CEK, produces the C as follows:

CEK CMK AK= +

( , )C Enc CEK M=

The content provider then takes the PK and

1( )

N

ii

AP CC=

=∨ to encrypt the CMK, outputs

the CMKA as follows:

,

0 1ˆ( , )A Ae q tnCMK CMK p= ⋅

where t is a random element in , and N is the number of conjunctive clauses CC in AP, ni is the number of attributes in the ith conjunctive clause CCi, and nA is the lowest common multiple (LCM) of n1,…,nN.

The content provider generates the ciphertext and outsources the CT to the CSP. Then the content provider selects a random , takes PKCP to encrypt the AK, outputs the AKCP and AK0 as follows:

( )cp kCPAK g= , 0 ˆ( , )keAK A gK g= ⋅

5.5 Key update

On receiving the user’s license acquisition request, the key server runs ReEncrypt algorithm to re-encrypt the AKCP with RK, and outputs the AKU:

1 0

1 0

/

( , )

( , )(

ˆ

, )

ˆˆ

U CPrk p cpcpk

rk pk

AK e AK RK

e g ge g g

=

=

=


authorized users. The proposed scheme guar-antees confidentiality of the content against unauthorized users and the curious CSP and license server in the cloud.

Theorem 2: The key management mecha-nism is secure and collusion resistant.

Proof: The CMK is protected with CP-ABE and stored in the head of encrypted content, while AK is protected with PRE and stored in the license. If the user has effective usage rights, he can retrieve the AK from the license, and then generate the CEK and decrypt the content. We show that two or more users can-not collude and gain access to CEK that they are not individually supposed to access. The attribute authority issues the attribute secret key of each user with random r, which makes the combination of components in different users’ attribute secret keys meaningless. Even if the users calculate the CMK, they cannot generate the CEK, since the CEK is generated by CMK and AK. Thus, our key mechanism is collusion secure.

Theorem 3: The dynamic usage control model protects the privacy of users.

Proof: In the content decryption phase, the user sends encrypted usage rights to the license server. The license server then updates the user’s usage rights based on additive homomorphic encryption. The usage rights are encrypted using public key of the user. There-fore, license server cannot decrypt the user’s usage rights.

6.3 Performance analysis

We analyze the computation complexity for content encryption and content decryption in the following.

If a user is identified by n attributes, the key server execute O(n) point multiplications to generate the ASK. Assume that the size of user’s key is m and the number of conjunc-tive clauses in AP is N, the content provider needs to encrypt the content using the CEK, and compute O(N) number of exponentiation operations to output the encrypted CMK, and compute O(m) number of exponentiation oper-

0

0 1 1

1 0

0 1 0 1

1 0

0 1 1 0

( , )

( , )

( , ( ))

( , )

( , ) ( , )

( , )

(

ˆ

ˆ

ˆ

ˆ

ˆ̂

ˆ

ˆ̂ , ) ( ,

i

i

i

i

i

AU

a CCi

AU i

i

Aa

a CCi

Aa

a CCi

AA a

a CCi

Aa

a CCi

AA

A

a

A

A

a

Ai

CMK

CMK

CM

ne U ASKn

ne SK Un

ne tp SK rk PKn

ne rk p t PKn

ne tp n SK e tp rk PKn

ne rk p t PKn

ne tp n SK e rk

K

tn

C KK

Mp P

∈

∈

∈

∈

∈

=

=

+=

∑

∑

∑

∑

∑

1 0

0 1 0 1

0 0 1 0 0 1

0 0 1 0 0 1

ˆ

ˆ̂ˆ

)

( , )

( ,ˆ

) ( , )( , ) ( , )( , ) (ˆ )ˆ ,

i

i

CC

Aa

a CCi

A A

A A

A A

ne rk p t PKn

e q tn p e tp n SKe k p tn p e tp n k pe k p tn p e k

CMKCMKCMKCMK

p tn p

∈

∈

= ⋅

= ⋅

= ⋅

=

∑

∑

The users can first recover the CMK from the encrypted content. Then we can prove that the equation is correct as follows:

11 0

1 0

0

/

/

1/0

1/

1/

/ˆ̂ /ˆ( , ) ( ,

ˆ)

( , ) ( , )( , ) (

/ˆ , )ˆ /

U

Urk p c

SKU

SK

rk

pk cpk

rk p cpk cp pk

kk

e g g e g ge g g e g ge g g

AK AK

AKAKAKAK

e g g

= ⋅

= ⋅

= ⋅=The users can then decrypt the AK from the

license, and then generate the CEK with both the CMK and AK. Therefore, the proposed scheme is correct.

6.2 Security analysis

The Encrypt algorithm in our scheme is sim-ilar to the encryption algorithm in HABE [2], which has been proven to be semantically secure. Therefore, we consider that the follow-ing theorems.

Theorem 1: The proposed scheme allows access of contents only to authorized users.

Proof: We show that the user can decrypt the content if and only if it has a matching set of attributes and effective usage rights. Hence, our scheme allows access of contents only to


scheme supports fine-grained access control based on CP-ABE, and realizes immediate attribute and user revocation, and also allows the license server to dynamically update us-ers’ usage rights. On the other hand, com-pared with the fine-grained access control schemes in cloud computing [2,13,20], our scheme not only achieves immediate attri-bute and user revocation without updating the keys, but also supports privacy-preserv-ing dynamic usage control. It can be seen that our proposed scheme is more efficient, secure and practical.

VII. CONCLUSIONS

In this paper, we propose a novel DRM scheme with secure key management and dynamic usage control in cloud computing. We first present a secure key management mechanism based on CP-ABE and PRE in which the CEK is divided into two parts, CMK and AK. Each CMK is associated with an attribute-based access policy, and each user is identified by a set of attributes. The AK is protected using PRE and stored in the license. Therefore, the users who satisfy the access policy and have effective usage rights can be able to recover the CMK and AK, and generate the CEK and further decrypt the content. We also provide the attribute based fine-grained access control mechanism which allows the content provider to selectively provide contents among a set of users, and en-ables the license server to implement attribute and user revocation immediately. Moreover,

ations to output the encrypted AK.In order to decrypt the CT, the user whose

attributes satisfy the access policy and whose usage rights are effective needs to execute 2O(1) bilinear map operations to recover the CMK and AK. Assume that the size of usage rights is s, the license server needs to perform only one modular addition in average for the dynamic usage control, hence the computation complexity is O(s) bit operations. In addition, the computation complexity of attribute revocation and user revocation is both O(1).

The whole computation complexity of our scheme is shown in Table II.Table II Computation complexity of proposed scheme

Properties Complexity

Content encryption O(N)+O(m)

Content decryption 2O(1)

Dynamic usage control O(r)

Attribute revocation O(1)

User revocation O(1)

6.4 Comparison

In our DRM scheme, the content provider outsources encrypted content to the cloud, and the users who satisfy the access policy and have effective usage rights can be able to access the protected content anytime and anywhere. We compare our scheme with ex-isting content protection schemes, in terms of access control, revocation method, privacy preserving, usage control. The results are shown in Table III.

Compared with the privacy-preserving DRM schemes in cloud computing [29], our

Table III Comparison of security featuresSchemes Access control Revocation method Privacy preserving Usage control

Joshi’s scheme [29] flexible license models N/AContent privacy, user anonymity, user

profile building preventionStatic

Koo’s scheme [20] Fine-grained, access policy N/A Content privacy, user privacy Static

Yang’s scheme [13] Fine-grained, access policyAttribute and user revocation,

expiryContent privacy Static

Wang’s scheme [2] Fine-grained, access policyAttribute and user revocation,

immediateContent privacy Static

Our scheme Fine-grained, access policyAttribute and user revocation,

immediateContent privacy, user anonymity, user

profile building preventionDynamic, privacy

preserving


Proceedings of 4th International Symposium: December 12-13, 2012. Melbourne, Australia, 2012: 194-211.

[9] PETRLIC R, SORGE C. Privacy-preserving DRM for cloud computing[C]// Proceedings of 26th IEEE International Conference on Advanced In-formation Networking and Applications Work-shops: March 26-29, 2012. Fukuoka, Japan, 2012: 1286-1291.

[10] CHENG Yong, WANG Zhiying, MA Jun, et al. Efficient revocation in ciphertext-policy attri-bute-based encryption based cryptographic cloud storage[J]. Journal of Zhejiang Universi-ty-Science C, 2013, 14(2): 85-97.

[11] HUANG Qinlong, MA Zhaofeng, FU Jingyi. Attri-butebasedDRMschemewithefficientrevoca-tion in cloud computing[J]. Journal of Comput-ers, 2013, 8(11): 2776-2781.

[12] YU Shucheng, WANG Cong, REN Kui, et al. Achieving secure, scalable, and fine-grained data access control in cloud computing[C]// Proceedings of IEEE INFOCOM 2010: March 14-19, 2010. San Diego, CA, 2010: 1-9.

[13] YANG Ming, LIU Fan, HAN Jingli, et al. An efficient attribute based encryption scheme with revocation for outsourced data sharing control[C]// Proceedings of 2011 International Conference on Instrumentation, Measurement, Computer, Communication and Control: Octo-ber 21-23, 2011. Beijing, China, 2011: 516-520.

[14] LAZOUSKI A, MANCINI G, MARTINELLI F, et al. Usage control in cloud systems[C]// Proceed-ings of 2012 International Conference for Inter-net Technology and Secured Transactions: De-cember 10-12, 2012. London, United Kingdom, 2012: 202-207.

[15] HAN Jinguang, SUSILO W, MU Yi. Identi-ty-based data storage in cloud computing[J]. Future Generation Computer Systems, 2013, 29(3): 673-681.

[16] SAMANTHULA B K, HOWSER G, ELMEHDWI Y, et al. An efficient and secure data sharing framework using homomorphic encryption in the cloud[C]// Proceedings of the 1st Interna-tional Workshop on Cloud Intelligence: August 31, 2012. Istanbul, Turkey, 2012.

[17] LIU Qin, WANG Guojun, WU Jie. Time-based proxy re-encryption scheme for secure data sharing in a cloud environment[J]. Information Sciences, 2012.

[18] XU Lei, WU Xiaoxin, ZHANG Xinwen. CL-PRE: A certificateless proxy re-encryption scheme for secure data sharing with public cloud[C]// Proceedings of the 7th ACM Symposium on Information, Computer and Communications Security: May 1-3, 2012. Seoul, South Korea, 2012: 87-88.

[19] SAHAI A, WATERS B. Fuzzy identity based en-cryption[C]// Proceedings of the Acvances in

we provide a privacy-preserving dynamic usage control model based on additive homo-morphic encryption, which allows the license server in the cloud to update the users’ usage rights dynamically without disclosing the plaintext. Finally, we conduct comprehensive performance analysis, which shows that our scheme is more secure, efficient and practical than existing schemes.

ACKNOWLEDGEMENTS

This work has been supported by the National Natural Science Foundation of China under Grant No. 61272519, 61121061.

References[1] WAN Zhiguo, LIU June, DENG R H, et al. HAS-

BE: A hierarchical attribute-based solution for flexible and scalable access control in cloud computing[J]. IEEE Transactions on Information Forensics and Security, 2012, 7(2): 743-754.

[2] WANG Guojun, LIU Qun, WU Jie, et al. Hier-archical attribute-based encryption and scal-able user revocation for sharing data in cloud servers[J]. Computers and Security, 2011, 30(5): 320-331.

[3] WANG Qian, WANG Cong, REN Kui, et al. En-abling public auditability and data dynamics for storage security in cloud computing[J]. IEEE Transactions on Parallel and Distributed Sys-tems, 2011, 22(5): 847-859.

[4] CHENG Hongbing, RONG Chunming, TAN Zhenghua, et al. Identity based encryption and biometric authentication scheme for secure data access in cloud computing[J]. Chinese Journal of Electronics, 2012, 21(2): 254-259.

[5] TRAN D H, NGUYEN H L, WEI Zhao, et al. To-wards security in sharing data on cloud-based social networks[C]// Proceedings of 8th Inter-national Conference on Information, Commu-nications and Signal Processing, December 13-16, 2011. Singapore, Singapore, 2011: 1-5.

[6] MA Zhaofeng, FAN Kefeng, CHEN Ming, et al. Trusted digital rights management protocol supporting for time and space constraint[J]. Journal on Communications, 2008, 29(10): 153-164.

[7] ZHANG Zhiyong, PEI Qingqi, MA Jianfeng, et al. Establishing multi-party trust architecture for DRM by using game-theoretic analysis of se-curity policies[J]. Chinese Journal of Electronics, 2009, 18(3): 519-524.

[8] PETRLIC R. Proxy re-encryption in a privacy-pre-serving cloud computing DRM scheme[C]//


[31] YI Xun, KAOSAR M G, PAULET R, et al., “Sin-gle-database private information retrieval from fully homomorphic encryption[J]. IEEE Trans-actions on Knowledge and Data Engineering, 2013, 25(5): 1125-1134.

[32] YI Xun, OKAMOTO E. Practical Internet voting system[J]. Journal of Network and Computer Applications, 2013, 36(1): 378-387.

BiographiesHUANG Qinlong, is currently a Ph.D. candidate at Beijing University of Posts and Telecommunications, Beijing, China. He received B.S. degree in information security from Yunnan University in 2009. His research interests include information security, cloud comput-ing security and digital rights management. Email: [email protected].

MA Zhaofeng, is an associate professor in the School of Computer Sicence, Beijing University of Posts and Telecommunications. He got the Ph.D. degree from Xi’an Jiaotong University in 2004. His research inter-est includes information security, network security and digital rights management. Email: [email protected]

YANG Yixian, received the B.S. degree in Applied Mathematics from Chengdu Institute of Telecommu-nication Engineering, China, in 1983, the M.S. degree and Ph.D. degree from Beijing University of Posts and Telecommunications (BUPT), China, in 1986 and 1988, respectively. He is a professor of BUPT from 1992. He is also doctoral supervisor in school of computer science. His research interests are Information and Network Security, Cryptography, Chaos, and Fuzzy Systems. Email: [email protected]

NIU Xinxin, received the B.S. and M.S. degree from the Beijing University of Posts and Telecommunica-tions (BUPT) in 1985 and 1988, and the Ph.D. degree from the Department of Electronic Engineering of the Chinese University of Hong Kong. She is a professor and doctoral supervisor in School of Computer Sci-ence of BUPT. Her research areas include information and network security, information hiding and digital watermark, digital content security. Email: [email protected]

FU Jingyi, received B.S. degree in information securi-ty from Chongqi University of Posts and Telecommu-nications in 2012. She is currently a M.S. candidate at the School of Computer Science, Beijing University of Posts and Telecommunications. Her research interest includes information security and digital rights man-agement. Email: [email protected]

Cryptology - Eurocrypt 2005: May 22-26, 2005. Aarhus, Denmark, 2005: 457-473.

[20] KOO D, HUR J, YOON H. Secure and efficient data retrieval over encrypted data using at-tribute-based encryption in cloud storage[J]. Computers and Electrical Engineering, 2013, 39(1): 34-46.

[21] LI Ming, YU Shucheng, ZHENG Yao, et al. Scal-able and secure sharing of personal health re-cords in cloud computing using attribute-based encryption[J]. IEEE Transactions on Parallel and Distributed Systems, 2013, 24(1): 131-143.

[22] HUR J, KANGB K. Dependable and secure com-puting in medical information systems[J]. Com-puter Communications, 2012, 36(1): 20-28.

[23] HUR J, NOH D K. Attribute-based access control with efficient revocation in data outsourcing systems[J]. IEEE Transactions on Parallel and Distributed Systems, 2011, 22(7): 1214-1221.

[24] IBRAIMI L, PETKOVIC M, NIKOVA S, et al. Medi-ated ciphertext-policy attribute-based encryp-tion and its application[C]// Proceedings of the 10th International Workshop on Information Security Applications: August 25-27, 2009. Bu-san, Korea, 2009: 309-323.

[25] CORENA J C, OHTSUKI T. Secure and fast aggre-gationoffinancialdataincloud-basedexpensetracking applications[J]. Journal of Network and Systems Management, 2012, 20(4): 534-560.

[26] CASTELLUCCIAC,MYKLETUNE,TSUDIKG.Effi-cient aggregation of encrypted data in wireless sensor networks[C]// Proceedings of the Sec-ond Annual International Conference on Mobile and Ubiquitous Systems: July 17-21, 2005. San Diego, CA, USA, 2005: 109-117.

[27] RUJ S, NAYAK A. A decentralized security frame-work for data aggregation and access control in smart grids[J]. IEEE Transactions on Smart Grid, 2013, 4(1): 196-205.

[28] PERLMAN R, KAUFMAN C, PERLNER R. Priva-cy-preserving DRM[C]// Proceedings of the 9th Symposium on Identity and Trust on the Inter-net: April 13-15, 2010. Gaithersburg, MD, USA, 2010: 69-83.

[29] JOSHI N, PETRLIC R. Towards practical priva-cy-preserving digital rights management for cloud computing[C]// Proceedings of the 2013 IEEE 10th Consumer Communications and Net-working Conference: January 11-14, 2013. Las Vegas, NV, USA, 2013: 265-270.

[30] MISHRA D, MUKHOPADHYAY S. Privacy pre-serving hierarchical content distribution in mul-tiparty multilevel DRM[C]// Proceedings of the 2012 World Congress on Information and Com-munication Technologies: October 30-Noverber 2, 2012. Trivandrum, India, 2012: 525-530.