This dissertation addresses the issue of securing data sharing on untrusted storage by exploring cryptographic methods to help users

enforce data access policies only encrypted data are stored on storage servers while retaining secret key(s) to the data owner herself; user access is granted by issuing the corresponding data decryption keys. Fine-grained Access Control vs. Scalability Disclosure of sensitive data usually requires fine-grained access control in the sense that different users may have access privileges to different types/sets of data. Traditionally, access policies are enforced by data servers with mechanisms such as ACL-based access control [100], capability-based access control [101], and role-based access control [102]. For untrusted storage, one might think of enforcing the same access policies like ACL with cryptographic methods. However, ACL-based and capability-based access control, when enforced with cryptographic methods, has the scalability issue. Traditional ACL-based access control demands every data object to record the list of authorized users. When ACLs are enforced with cryptographic methods, the complexity for each data object in terms of its ciphertext size and/or the corresponding data encryption operation is linear to the number of users in the system, and thus makes the system less scalable. Capability-based access control, if enforced with cryptographic methods, has the similar scalability issue. In role-based access control [102], access is granted by the users role(s) and the data objects do not need to keep the authorized user list. Enforcing these access policies with cryptographic methods has to address various attacks such as user collusion, in which users with different roles (i.e., the corresponding decryption keys) attempt to obtain extra access privileges by piecing together their keys (i.e., roles). There are several recent work [11, 14, 29, 30] in the areas of shared cryptographic file systems and access control of outsourced data addressing the similar issue of data access control with conventional symmetric-key cryptography or public-key cryptography. When these schemes are suitable for conventional file systems, most of them are less suitable for fine-grained data access control in large-scale data centers which may have a large number users and data files. User revocation is a challenge issue in ABE as attributes are shared among unlimited number of users. Revocation of one user may involve key update for other non-revoked users and/or re-encryption of data 6 files on the data servers. To facilitate user revocation on untrusted storage, this dissertation proposes a novel scheme in which the data owner is able to revoke any user in the timely fashion. The proposed scheme makes it possible for the data owner to securely offload most computation-intensive tasks pertained to user revocation to data servers which are envisaged to be powerful. It achieves this goal by uniquely combining the proxy re-encryption technique [3] with ABE. Security of the proposed scheme is formulated and proved under standard cryptography models.

Key-Policy Attribute-Based Encryption A KP-ABE scheme consists of the following four algorithms. Setup This algorithm takes as input a security parameter . and returns the public key PK as well as a system master secret key MK. PK is used by message senders for encryption. MK is used to generate user secret keys and is known only to the authority. Encryption This algorithm takes a message M, the public key PK, and a set of attributes as input. It outputs the ciphertext E. Key Generation This algorithm takes as input an access structure T and the master secret key MK. It outputs a secret key SK that enables the user to decrypt a message encrypted under a set of attributes if and only if matches T. Decryption It takes as input the users secret key SK for access structure T and the ciphertext E, which was encrypted under the attribute set . This algorithm outputs the message M if and only if the attribute set satisfies the users access structure T.