Due to the development of 5G communication, many aspects of information technology (IT) services are changing. With the development of communication technologies such as 5G, it has become possible to provide IT services that were difficult to provide in the past. One of the services made possible through this change is cloud-based collaboration. In order to support secure collaboration over cloud, encryption technology to securely manage dynamic data is essential. However, since the existing encryption technology is not suitable for encryption of dynamic data, a new technology that can provide encryption for dynamic data is required for secure cloud-based collaboration. In this paper, we propose a new encryption technology to support secure collaboration for dynamic data in the cloud. Specifically, we propose an encryption operation mode which can support data updates such as modification, addition, and deletion of encrypted data in an encrypted state. To support the dynamic update of encrypted data, we invent a new mode of operation technique named linked-block cipher (LBC). Basic idea of our work is to use an updatable random value so-called link to link two encrypted blocks. Due to the use of updatable random link values, we can modify, insert, and delete an encrypted data without decrypt it.

Cloud is a technology that can provide various additional services by allowing users to store data in remote storage and use it anywhere [

Many services are being provided in the cloud environment, and services for providing collaboration between users in the cloud environment are also increasing. For example, some service such as the overleaf provides collaborative paper work between researchers online. In particular, papers written or edited by users are reflected in real time and shared between users, so the service enables stable real-time collaboration. For detailed explanation regarding the service, refer to the web-site “

While the importance of collaboration provided in the cloud environment is growing, technology for providing secure collaboration in current services has not been sufficiently researched and developed. The security technology, currently being applied to the cloud-based collaboration service, stores plaintext data in the server, and each client establishes a secure channel with the server to share update information with other collaborators. The current strategy for secure collaboration over cloud server with encryption can be seen in

As seen in

To solve the above described threat against collaboration over cloud environment, it seems inevitable to encrypt data stored in the cloud. So, for secure collaboration, we need a way to encrypt a data for collaboration. For collaboration, an encryption technique should support dynamic data updates, and it is the main goal of this work to give a possible candidate that can permit us to perform secure collaboration by supporting dynamic data updates. Though a number of studies aimed to support dynamic data update operations [

In cryptography, to design secure mode of operations is one of fundamental research topic. In this research direction, it is the most important requirement how to repeatedly apply a cipher’s single-block operation to securely encrypt data which are larger than a block. Though a number of mode of operations have been studied, none of them are designed to encrypt dynamic data.

For security and functionality, error propagation properties of encryption modes have been studied considering various scenarios of data modification. However, the use of dynamic data is not included in the scenarios. Recently, many modes of operation techniques are newly devised, they focus on the way of supporting confidentiality and authenticity in an efficient way, and are known as authenticated encryption modes.

Though a number of techniques have been to support stronger security and better efficiency, none of them are interested in the encryption of dynamic data. By using existing mode of operations, we may support dynamic data by decrypting an encrypted data, updating the data according to required modifications, and encrypting it again. However, it requires cost operations when the data is frequently modified. So, based on the above (brief) remind about related works, we can say that there is no encryption scheme supporting dynamic update in an encrypted form.

From now on, we will briefly review existing mode of operations in terms of dynamic update of encrypted data. Three main functions required for dynamic data are modification, insertion, and deletion. So, we will analyze existing techniques in the viewpoint of the encryption of dynamic data, i.e., the possibility of supporting update operations will be the main goal of our analysis.

There are two kinds of mode of operations. In the first case, mode of operations can support block-wise encryption in the sense that the encryption of a block is not influenced by any other plaintext or ciphertext. Two modes, electronic codebook (ECB) mode and counter (CTR) mode which can be seen in

In this section, we describe some basic concepts and definitions.

In order to provide secure collaboration on encrypted data in a cloud environment, key management technology for securely distributing and managing the secret key shared by collaborators or access right management technology for identifying legitimate users is also required. This may require additional system members. However, in this paper, we focus on the problem of storing encrypted data in a cloud server and providing dynamic data update operations for the stored data.

Since we are considering a cloud-based collaboration scenario, the system model consists of a cloud server Srv and a number of collaborators Clts. Each system member has the following roles:

From now, we will summarize functional requirements and security requirements for our technique. Before describing the requirements, I would like to note that the technique proposed in this paper is designed to support collaboration with dynamically updated data based on a cloud environment.

In order to support real-time collaboration in a cloud environment, it should be possible to update data stored in the cloud and provided to collaboration participants. The most important factor is to provide data updates in an environment where data is stored in an encrypted form for security. That is, technically, it is the most important requirement to provide data encryption technology that can support all update operations for an encrypted data without decryption.

Since the goal of the proposed technique is to support dynamic update for encrypted data, we assume that a data is stored in a remote storage server in an encrypted form. So, basically, the main security requirement for our scheme is the confidentiality. Differently from ordinary encryption techniques, our technique designed to support dynamic modifications, and so we expect reliability for update operations.

Differently from existing mode of operations for block ciphers, our scheme considers dynamic data which should be changed according to users’ modifications. In ordinary block cipher operation modes, static data is encrypted which means that an adversary cannot obtain two different ciphertexts for similar plaintexts. On the contrary, for dynamic data, an adversary can obtain two different ciphertexts of two similar plaintexts. For example, suppose that one block of a file

_{i} is not equal to _{i}

To give formal definition for the security of the proposed scheme, we define an encryption scheme supporting dynamic encryption. From now, we call the encryption scheme as dynamic encryption scheme.

–

–

–

–

In the above definition,

The confidentiality is a traditional requirement for encryption schemes since to prevent any adversary from extracting meaningful information from a target ciphertext. The integrity considered in this paper is slightly different from ordinary integrity. We are interested in ‘version integrity’ of our scheme in the sense that an adversary may try to generate a valid encrypted data even if the adversary cannot extract any information from the encrypted data. So, we will call the feature as the version-integrity. The security notion is needed since our scheme support dynamic update of encrypted data without decrypting it. Based on the above reasons, formally, we can define the security of our mode of operation supporting dynamic update as following. The first definition captures the confidentiality of a dynamic encryption.

–(^{0}^{1}) ← _{1}^{OE(sk), OD(sk),OU(sk)}(^{0}| = |^{1}|

–

–^{i})

–_{2}^{OE(sk),OD(sk),OU(sk)}(^{0}^{1}

–if

Here the adversary is defined as a tuple of polynomial-time algorithms (_{1}, _{2}). _{1} is an algorithm that chooses target plaintexts by viewing several sample plaintext-ciphertext pairs which are generated by _{2} is an algorithm that determines which plaintext is corresponding to the given ciphertext. Finally, we define the advantage of the adversary as

_{1}, _{2}), of which the advantage is negligible.

The basic idea of our construction is inspired by chains used in everyday life, and the intuitive concept of the idea is described in _{b}_{L} is the size of a plaintext in a block where _{b} is the size of block for the underlying encryption scheme and _{L} is the size of a

For update, we can change encrypted data as seen in

Here, we will describe detailed algorithms for our dynamic encryption scheme. According to formal definition of a dynamic encryption, we have the following four algorithms:

For encryption, we choose and use a secret key _{b} be the size of a block defined by the underlying block cipher. Let _{L} be the size of link values used for linking two data blocks.

Note that, for our dynamic encryption scheme, we use a secure encryption algorithm _{b} − _{L}. Let _{b} − _{L}_{b} − _{L}

1. Divide the message _{b} − _{L}-bits. When, we can see that

2. Choose _{0}, _{1}, …, and _{n−1}, and set _{0} where all values are _{L}-bits such that _{i} _{i}_{i} for

3. Encoded data

4. Encryption function

For

5. Ciphertext is computed as

_{i} _{1}′

In

Then, we choose six values _{1}, _{2}, _{3}, _{4}, and _{5} where all values are _{L}-bits such that

Then, an encoded data

An encryption function

For

Finally, the ciphertext is computed as

_{i}_{i}

To decrypt a ciphertext

We can easily recover the data from the ciphertext

Apply the decryption algorithm to each ciphertext block _{i} for all _{i}_{i}

Note that

_{i}s and get the plaintext as

Let _{i} be the message to be updated to ^{*}. To perform update operation, we prepare two new random link values _{L}_{L}_{L} and _{R} _{R}_{R}. Then, _{i} the ciphertext of _{i}_{i−1}_{i}_{i} is replaced by

We also have to modify two more ciphertext blocks _{i−1} and _{i+1}. Let

Then, two additional blocks are changed to different ciphertexts

According to the above description, it seems that the proposed technique requires two more additional operation for single modification. However, in general, a number of blocks are modified at once. So, we can see that the additional cost for one modification operation is the modification of two blocks, but the cost is not required for each block. In other words, we need to update _{m}_{m} consecutive message blocks. In other words, two more ciphertext blocks are updated for each modification query. A concrete example can be seen in

Let _{i} be the message to be deleted. Recall that, encryption of _{i−1} and _{i+1} are appended at the left and right side of the encryption of _{i} as

To perform update operation, we prepare a new random link value ^{* }^{*}^{*}. Then, _{i} the ciphertext of _{i} is removed from encrypted data, and two ciphertexts _{i−1}_{i+1}_{i−1} and _{i+1} so that we have the followings:

Then, the encrypted data ^{*} as following:

Recall that, two ciphertext blocks are linked when they have the same link values as in the above equation. So, we can see that the message _{i} is deleted and two ciphertexts are linked as defined. As in the description for modification, the additional cost for one deletion operation is the modification of two blocks. To delete _{m} consecutive message blocks, we need to update only

Let _{i} and _{i+1}, and _{i} and _{i+1} are encryption of two messages such that

To perform insertion operation, we prepare two new random link values _{L} _{L}_{L} and _{R} _{R}_{R}. Then, _{L}_{R} is inserted between _{i} and _{i+1}. We also modify two ciphertext _{i} and _{i+1} to update link values. Two ciphertext are computed as

Then, we can see that the message is inserted in the ciphertext

To insert _{m} consecutive message blocks, we need to update only

To compare our technique with existing techniques, we give the following table. As seen in

Update operation | Modification | Insertion | Deletion | Security |
---|---|---|---|---|

ECB mode | O | O | O | Low |

CBC mode | X | X | X | High |

CTR mode | Partially O | X | X | High |

Our scheme | O | O | O | High |

In the above, we examine the functionality of our scheme by comparing with existing technique. From now, we will discuss the security of our scheme. The proposed technique is designed based on a secure encryption function

In Section 2.4, we describe a definition for the security of dynamic encryption. As we in Def. 2 and Def. 3, the security of a dynamic encryption is slightly different from ordinary encryption techniques in the sense that any encrypted data are not updated in existing techniques. So, to verify the security of our scheme, we need to prove that it is still hard to guess an encrypted data even if number of update queries can be made by an adversary. From now, we will prove the security of our scheme.

Sketch of proof) Assume that our scheme is implemented using a secure block cipher such as AES. Then, we can guarantee the security of encrypted block-sized messages. The goal of the proof is to reduce the security of our scheme to the security of the underlying block cipher. For the goal, we will design an algorithm that can break the security of the underlying scheme using an adversary who can break the security of the proposed scheme.

Proof of Confidentiality) For the proof about the confidentiality, we remind the definition 2. By the definition 2, we need to guarantee there is no adversary that has non-negligible advantage against the _{1}, _{2}) that

It means that the adversarial algorithm _{2} can find out correct _{i1}||^{i}||_{i2}), ^{0}, and ^{1} with meaningful probability. For simplicity, we can assume that

^{0}_{t} ≠ ^{1}_{t} and ^{0}_{i} = ^{1}_{i} for all other

_{2}^{OE(sk),OD(sk),OU(sk)}(_{t}, ^{0}_{t}, ^{1}_{t}, _{t} = _{L}^{i}_{t}_{R})] – 1/2 is negligible.

Proof of Integrity) To prove the integrity of dynamic encryption, it is needed to guarantee there is no adversary that can construct a proper new cipher block without having the secret key. Without loss of generality, we assume that the adversary’s goal is to construct t-th cipher block. The first strategy of the adversary is to insert a random cipher block into the location of t-th block. However, decrypting the random ciphertext yields a random plaintext, so that links of the resulting plaintext (_{L}_{t}_{R}) are random information. It means that r_{L} ≠ r_{t} and r_{R} ≠ r_{t+1}, and it is easy to find out the t-th block is not proper with high probability.

The other way to generate a valid ciphertext can be re-arranging existing valid ciphertexts. In an adversary’s viewpoint, a new valid ciphertext can be made from an existing valid ciphertext only if an inserted block has valid link values. If the adversary has no information about the secret key, then the only possible strategy of an adversary is random guessing of link value. In this case, a randomly chosen link value is valid with probability 1/2^{lL}. Therefore, if we use link values with enough length to obtain the expected security level. For example, we can see that 40-bits link values are enough for our scheme.

Since we use block-wise encryption, the computational complexity of our scheme is almost identical with existing encryption modes since one block-sized message requires one block-encryption. Only the difference is the ciphertext expansion. In existing techniques, the size of ciphertext is almost identical with the data except small-sized padding values. However, our technique requires link values to support dynamic updates. Since we use 40-bits link value, we need one block to encrypt _{b}_{b} is the size of a block. Thought the space efficiency is reduced due to the use of link values, our technique is the first encryption mode in the literature, which can support dynamic encryption.

With the development of communication technologies such as 5G and social demands, the importance of cloud-based collaboration is growing. However, since the existing technology is not possible to provide encryption for dynamic data, it is difficult to provide secure cloud-based collaboration. In this paper, we proposed a dynamic encryption technology that can overcome the limitations of these existing technologies. We also proved the security of the proposed technique.

Recall that, in this work, we gave a technique that support dynamic update of encrypted data. One of fundamental requirements for the technique is a way of maintaining the correct version. Since a stored data is frequently updated, collaborators may want to check the version of the data. To guarantee the version of stored data, we need a new authenticating method for dynamically updated data. So, we thought that the most important future work is to design an efficient and effective way to prove the version of a dynamically updated data in an encrypted form. We are also interested in designing efficient technique for collaboration of multimedia data using dedicated encryption technique such as image encryption scheme [