Privacy Enhanced DigiLocker using Ciphertext-Policy Attribute-Based

Encryption

Puneet Bakshi and Sukumar Nandi

Department of Computer Science and Engineering, Indian Institute of Technology, Guwahati, Assam, India

Keywords:

DigiLocker, Privacy, CP-ABE.

Abstract:

Recently, Government of India has taken several initiatives to make India digitally strong such as to provide

each resident a unique digital identity, referred to as Aadhaar, and to provide several online e-Governance

services based on Aadhaar such as DigiLocker. DigiLocker is an online service which provides a shareable

private storage space on public cloud to its subscribers. Although DigiLocker ensures traditional security

such as data integrity and secure data access, privacy of e-documents are yet to addressed. Ciphertext-Policy

Attribute-Based Encryption (CP-ABE) can improve data privacy but the right implementation of it has always

been a challenge. This paper pressents a scheme to implement privacy enhanced DigiLocker using CP-ABE.

1 INTRODUCTION

In last decade, Government of India has taken several

e-Governance initiatives such as a unique digital iden-

tity (referred to as Aadhaar (UIDAI, 2009)) for ev-

ery resident, online Aadhaar based authentication and

several online citizen centric services such as eKYC,

eSign, and DigiLocker. At present, most of these ser-

vices are built using traditional Public Key Infrastruc-

ture (PKI) with limited data privacy in which spec-

ifying authorized entities beforehand which are per-

mitted to access data may not be possible and even if

possible, the solution may not scale.

In DigiLocker (GoI, 2015), documents of sub-

scribers are hosted on public cloud which is assumed

to be a trusted entity. However, cloud storage may

not be trustyworthy and may be susceptible to in-

sider attacks. Moreover, instead of providing a re-

active access authorization to a single requester (us-

ing OAuth2 (IETF, 2012)), a subscriber may want to

provide a proactive access authorization to multiple

requester meeting certain criteria of attributes.

Ciphertext-Policy Attribute-Based Encryption

(CP-ABE) (Bethencourt et al., 2007) is a recent

cryptogrpahic mechanism which can improve data

privacy, but the right implementation and efﬁciency

of it are still some of the major concerns for its

wide deployment. This paper presents a scheme to

implement privacy enhanced DigiLocker based on

CP-ABE.

2 RELATED WORK

Recent developments in cryptography have intro-

duced Attribute-Based Encryption (ABE) (Goyal

et al., 2006) in which encryption is done under a set

of attributes. ABE is classiﬁed in Key-Policy ABE

(KP-ABE) (Goyal et al., 2006) and CP-ABE. In KP-

ABE, access policy is encoded in subscriber’s private

key and a set of attributes are encoded in ciphertext.

In CP-ABE, access policy is encoded in ciphertext

and a set of attributes are encoded in subscriber’s pri-

vate key. In CP-ABE, only if the set of required at-

tributes encoded in receiver’s private key satisﬁes the

access policy encoded in received ciphertext, will the

receiver be able to decrypt the ciphertext. Since the

introduction of CP-ABE, researchers have proposed

innovative mechanisms to use it to improve data pri-

vacy (Zhou and Huang, 2012), (Ji et al., 2014).

3 DIGITAL LOCKERS IN INDIA

DigiLocker is an Aadhaar based online service which

facilitates subscribers to store e-documents, issuer

agencies to provide e-documents and requester appli-

cations to get access to e-documents. An e-document

is a digitally signed electronic document. Reposi-

tores are provided by issuers to host collection of e-

documents. Digital Locker is a storage space pro-

vided to each subscriber to store e-documents. Re-

quester is an application which seeks access to some

Bakshi, P. and Nandi, S.

Privacy Enhanced DigiLocker using Ciphertext-Policy Attribute-Based Encryption.

DOI: 10.5220/0009777205410546

In Proceedings of the 17th International Joint Conference on e-Business and Telecommunications (ICETE 2020) - SECRYPT, pages 541-546

ISBN: 978-989-758-446-6

541

e-document. All participating entities must adhere to

Digital Locker Technology Speciﬁcation (DLTS) (Me-

itY, 2019).

An e-document is uniquely identiﬁed by a Unique

Resource Identiﬁer (URI) which is a triplet of the form

hIssuerID :: DocType :: DocIDi, where IssuerID is a

unique identiﬁer ot the issuer, e.g., CBSE, for Central

Board of Secondary Education. DocType is a classi-

ﬁcation of e-documents as deﬁned by the issuer. For

example, CBSE may classify certiﬁcates into MSTN

for 10th mark sheet and KVYP for certiﬁcates issued

to KVPY scholarship fellow. DocType also helps is-

suers to use different repositories for different types

of e-documents. DocID is an issuer deﬁned unique

identiﬁer (an alphanumeric string) of the e-document

within a document type. Some hypothetical examples

of e-document URI are hCBSE :: MSTN :: 22636726i,

hDLSSB :: HSMS :: GJSGEJXSi. DigiLocker ensures

data integrity of e-documents by mandating that all

e-documents are digitally signed by issuers.

When an issuer is registered, it provides two APIs,

namely, PullDoc to pull an e-document based on a

given URI and PullUri to pull all URIs meeting a

given search criteria. When a requester application is

registered, it is given a unique requester identiﬁer, a

secret key which is shared between DigiLocker and

requester application and a FetchDoc API is given

to access e-documents based on URI. Based on the

URI, FetchDoc forwards the request to approprirate

issuers to retrieve the e-document. DigiLocker en-

sures secure data access of e-documents by API li-

cense keys, secure transport, an explicit authentica-

tion (if required by DocType) and all requests and re-

sponses to be digitally signed.

4 PRELIMINARIES

This section brieﬂy describes some of the necessary

background.

4.1 Bilinear Pairings (Zhang et al.,

2004)

Let G

and G

are elliptic groups of order p, G

a multiplicative group of order p, g

is a generator of

, g

is a generator of G

, P ∈ G

, Q ∈ G

and a, b

∈ Z

, then a bilinear pairing is a map e : G

× G

→

that satisﬁes the following three properties.

1 Bilinearity: e(P

) = e(P,Q)

2 Non-Degeneracy: e(g

) 6= 1

3 Computability: e(P,Q) can be computed efﬁ-

ciently.

4.2 Decision Bilinear Difﬁe-Hellman

(DBDH) Assumption (Yacobi, 2002)

Let G, G

are cyclic groups of prime order p >

where λ ∈ N, g is the generator of G, e :

G × G → G

is an efﬁciently computable sym-

metric bilinear pairing map and a,b,c,z ∈ Z

are

random numbers. The DBDH assumption states

that no probabilistic polynomial time algorithm

can distinguish between hg, g

,e(g,g)

abc

i and

hg,g

,e(g,g)

i with more than a negligible ad-

vantage.

4.3 Security Model

The security model of proposed scheme is based on

the following IND-sAtt-CPA game (Ibraimi et al.,

2009) between a challenger and an adversary A.

Init Phase. Adversary A chooses a challenge access

tree T

∗

and gives it to challenger.

Setup Phase. Challenger runs a setup procedure to

generate hASK,APKi and gives the public key APK

to adversary A.

Phase I. Adversary A makes an attribute- based pri-

vate key request to the key generation oracle for any

attribute set with the restriction that the attribute set

should not include any attribute which is part of T

∗

Challenger generates the key as described in section

5.4 and returns the same to adversary A.

Challenge Phase. Adversary A sends two equal

length messages m

and m

to challenger. Challenger

chooses a random number b ∈

{0,1}, encrypts m

using T

∗

and APK as is described in section 5.3.

Phase II. Adversary A can send multiple requests to

generate attribute-based private key with the same re-

striction as in Phase I.

Guess Phase. Adversary A outputs a guess b0 ∈

{0,1}.

The advantage of adversary A in this game is de-

ﬁned to be ε = |Pr[b0 = b] −

|. Only if any polyno-

mial time adversary A has a negligible advantage, the

scheme is considered secure against an adaptive cho-

sen plaintext attack (CPA).

4.4 Access Tree

Access tree structure is a means to specify an ac-

cess policy during encryption that must be satisﬁed by

attribute-based private keys in order to decrypt. Let T

be a tree representing an access structure. Each non-

leaf node of the tree represents a threshold gate, de-

scribed by its children and a threshold value. If num

SECRYPT 2020 - 17th International Conference on Security and Cryptography

542

is the number of children and k

is the threshold value

of a node x, then, k

= 1 represents an OR gate and

= num

represents an AND gate. Each leaf node x

of the tree is described by an attribute and a threshold

value k

= 1.

Let T

denotes the subtree rooted at node x. If a

set of attributes λ satisﬁes the subtree T

, it is repre-

sented as T

(λ) = 1. T

(λ) is computed recursively

as follows. If x is a non-leaf node, evaulate T (y) for

all children nodes y of node x. T

(λ) returns 1 if and

only if at least k

children return 1. If x is a leaf node,

then T

(λ) returns 1 if and only if attr(x) ∈ λ.

5 OUR CONSTRUCTION

The proposed scheme introduces two new roles,

namely, Attribute Authority Manager (AAM) and At-

tribute Authority (AA). AAM is an entity which man-

ages the universe of attributes and AA is an entity

which manages a set of attributes (as assigned by

AAM). DigiLocker is proposed to assume the role of

AAM and individual issuers are proposed to assume

the role of AA. A subscriber is assigned a set of at-

tributes from each issuer which holds at least one e-

document of the subscriber. Each requester applica-

tion is assigned a set of attributes from DigiLocker

based on certain criteria such as purpose of access,

for how long the data is going to be used, etc. To cre-

ate a privacy enhanced e-document for a subscriber,

issuer and susbcriber mutually creates an attribute-

based token (which will be used later in encryption)

for an access policy, generates a symmetric key, en-

crypts the document with symmetric key, encrypts the

symmetric key with attribute-based token, creates an

e-document enclosing both the encrypted symmetric

key and the encrypted document, creates a URI for

this e-document and pushes it to subscriber’s digital

locker using PushURI API. When this e-document is

shared with a requester application, the requester will

be able to decrypt the encrypted symmetric key only

if the requester is associated with a set of attributes

which satisﬁes the access policy used to encryt the

symmetric key. Only when the requester obtais the

symmetric key, will he be able to decrypt and retrieve

the document.

In Setup(κ) procedure, AAM chose a cyclic group

of large prime order p (κ deﬁnes the size of group)

on which discrete logarithm problem is assumed to be

hard, generator g, a bilinear map e : G

×G

→ G

for

which bilinear difﬁe hellman problem is assumed to

be hard, a hash function H : {0,1}

∗

→ G

which maps

a binary string encoded attribute to a group element,

chose random numbers α,β ∈

and set its private

key ASK and public key APK as below.

ASK = {β,g

}

APK = {g

,e(g,g)

,g}

5.1 Attribute Assignment

An attribute can be any characteristic of a subscriber

or requester and is represented by a binary string

{0,1}

∗

. Attribute assignement to both subscribers and

requesters is proposed to be done lazily in the back-

ground with the aim to keep the list of associated at-

tributes in DigiLocker up to date.

For subscriber’s attribute assignment and modiﬁ-

cation, two APIs are proposed to be introduced. First

is PullAttrs(ID

) which is provided by issuers and

is consumed by DigiLocker to pull updated list of at-

tributes of subscriber with Aadhaar number ID

. Sec-

ond is PushAttrs(ID

,NewAttrs) which is provided

by DigiLocker and is consumed by issuer to push any

change in attributes of subscriber with Aadhaar num-

ber ID

. For requester applications, attributes are as-

signed and updated by DigiLocker.

It is important to take appropriate measures to

handle load of a voluminous country like India. One

such measure could be to prepone part of the encryp-

tion process. This preponed encryption process gen-

erates a token with mutual cooperation between sub-

scriber and issuer. This token can be reused every

time for a given subscriber and for a given access pol-

icy.

A helper procedure encPartial(T ,r) is as-

sumed to be present which works as follows. It

choses a polynomial q

for each node x (including

the leaves) in the tree T . These polynomials are cho-

sen in the following way in a top-down manner, start-

ing from the root node R. For each node x in the

tree, set the degree d

of the polynomial q

to be one

less than the threshold value k

of that node, that is,

= k

− 1. Starting with the root node R the pro-

cedure chooses a random r ∈

and sets q

(0) = r.

Then, it chooses d

other points of the polynomial q

randomly to deﬁne it completely. For any other node

x, it sets q

(0) = q

parent(x)

(index(x)) and chooses d

other points randomly to completely deﬁne q

5.2 Token Generation

An access tree T

is comprised of access subtree T

from subscriber S

and access subtree T

from is-

suer I

(refer ﬁgure 1). If issuer I

needs to gen-

erate its part of token for subscriber S

, for access

tree T

, it generates a random number r

∈

and generates following partial-token using APK and

Privacy Enhanced DigiLocker using Ciphertext-Policy Attribute-Based Encryption

543

∨

∧

Figure 1: Example of an access policy tree.

encPartial(T

). Let Y

is the set of leaf nodes

in T

CTtok











= e(g,g)

αr

= g

βr

= g

(0)

= H(attr(y))

(0)

)

∀ y∈Y

Issuer notiﬁes subscriber to provide its part of the

token. Subscriber S

generates a random number

∈

and generates following partial-token using

APK and encPartial(T

). Let Y

is the set of leaf

nodes in T

CTtok











= e(g,g)

αr

= g

βr

= g

(0)

= H(attr(y))

(0)

)

∀ y∈Y

Subscriber provides its part of partial-token to issuer.

Issuer creates the ﬁnal token by combining the two

partial-tokens and keeps it securely with it.

CTtok











= T

∪ T

C1 = C1

.C1

= e(g,g)

αr

e(g,g)

αr

C2 = C2

.C2

= g

βr

C3 = C3

∪ C3

= g

(0)

C4 = C4

∪ C4

= H(attr(y))

(0)











∀ y∈Y

∪Y

5.3 Encryption

A new DocType PRIV is proposed to be introduced

for privacy enhanced e-documents. To create a pri-

vacy enahanced e-document, issuer creates a URI

:: PRIV :: D

i where I

is the issuer identiﬁer and

is the document identiﬁer within the document

type PRIV. Now, issuer generates a random num-

ber r

∈

, generates a symmetric key SK

ivw

, en-

crypts e-document m with SK

ivw

, encrypts SK

ivw

with

CTtok

and produces the following ciphertext.

ivw











= T

∪ T

C1 = e(g,g)

αr

e(g,g)

αr

ivw

C2 = g

βr

= g

(0))

= H(attr(y))

(0)

)

∀ y∈Y

C5 = {m}

ivw

5.4 Key Generation

A new API GenABPvtKey(ID

,IS

) is proposed to

be provided by DigiLocker to generate an attribute-

based private key for a subscriber with Aadhaar iden-

tiﬁer ID

and with attributes from issuers in the set

. Let S

is the set of all attributes assigned to S

by all issuers in set IS

. DigiLocker generates random

numbers r ∈

, r

∈

for each attribute j ∈

computes attribute-based private key ASK

as be-

low and keeps this key securely with it.

ASK







D = g

(α+r)/β

= g

.H(j)

0 = g



∀ j∈S

Note that multiple attribute based private keys can ex-

ist for a subscriber for different set of attributes. If any

one issuer set IS

is a proper subset of an other issuer

set IS

, the key corresponding to IS

is redundant and

can be removed.

5.5 Decryption

A new API FetchPrivDocURI is proposed to be

provided by DigiLocker for decryption purpose.

This API facilitates a requester with identiﬁer ID

to retrieve ciphertext CT

ivw

of e-document from

URI hI

:: PRIV :: D

i of subscriber S

. Dig-

iLocker extracts the set of attribute issuers IS

from CT

ivw

→ T

, retrieves ASK

and calls

Decrypt(CT

ivw

,ASK

). A helper procedure

DecryptNode(CT

ivw

,ASK

) is deﬁned as below.

Let S

is the set of all attributes from issuers in

set IS

. If x is a leaf node and if attr(x) /∈ S

then DecryptNode(CT

ivw

,ASK

,x) =⊥ else if

attr(x) ∈ S

, then the procedure is deﬁned as below.

DecryptNode(CT

ivw

,ASK

,x)

e(D

,C4

)

e(D

0,C5

)

e(g

.H(attr(x))

(0)

)

e(g

,H(attr(x))

(0)

)

= e(g,g)

(0)

If x is a non-leaf node, the recursive procedure is

SECRYPT 2020 - 17th International Conference on Security and Cryptography

544

deﬁned as follows. For all children nodes z of x,

DecryptNode(CT

ivw

,ASK

,x) is called and their out-

put is stored in F

. Let S

be an arbitrary k

sized set

of child nodes z such that F

6=⊥. If no such set ex-

ists then the node was not satisﬁed and the function

returns ⊥. Otherwise, F

is computed as below.

∏

z∈S

∆

i,S

(0)

where{i = index(z)

0 = {index(z) : z ∈ S

}

∏

z∈S

∆

i,S

(0)

∏

z∈S

(e(g,g)

r.r

(0)

)

∆

i,S

(0)

∏

z∈S

(e(g,g)

r.r

parent(z)

(index(z))

)

∆

i,S

(0)

∏

z∈S

e(g,g)

r.r

(i)∆

i,S

(0)

= e(g,g)

(0)(using polynomial interpolation)

Decrypt(CT

ivw

,ASK

) calls DecryptNode(

ivw

,ASK

,R) where R is root node of T

If the access tree is satisﬁed by attributes in S

set A = DecryptNode(CT

ivw

,ASK

,R) =

e(g,g)

r.r

.(r

)

. Now the procedure ob-

tains symmetric key SK

ivw

by computing

e(C2,D)

e(g,g)

αr

e(g,g)

αr

ivw

e(g

βr

(α+r)/β

)

e(g,g)

))

e(g,g)

αr

e(g,g)

αr

ivw

e(g

βr

)

(α+r)/β

)

e(g,g)

))

e(g,g)

αr

)

ivw

e(g,g)

)(α+r)

e(g,g)

))

= SK

ivw

Symmetric key SK

ivw

is now used to decrypt the en-

crypted e-document.

m = {CT

ivw

→ C5}

ivw

DigiLocker returns the decrypted document m to re-

quester.

6 SECURITY ANALYSIS

If the proposed scheme is not secure than an adver-

sary A can win IND-sAtt-CPA game and solve the

DBDH assumption with advantage ε/2. If the DBDG

assumption is solved by adversary A, a simulator β

can be built which can solve DBDH assumption with

advantage ε/2. Challenger chose a group G

, a gen-

erator g, a bilinear map e and chose random num-

bers a,b,c,θ ∈

∗

. The challenger selects at random

µ ∈

0,1 and sets Z

as below.

(

(g,g)

abc

, if µ = 0

e(g,g)

, if µ = 1

Challenger provides DBDB challenge to the simula-

tor: hg,A,B,C,Z

i hg,g

i. In IND-sAtt-

CPA game, simulator β plays the role of challenger

for adversary A.

Init Phase. The adversary chose the challenge ac-

cess tree T

∗

and gives it to simulator.

Setup Phase. The challenger chose a random num-

ber x0 ∈ Z

, sets α = ab + x0 and computes y as be-

low.

y = e(g,g)

= e(g,g)

e(g,g)

Now, challenger chose a random numbers r ∈

and r

∈

for (1 ≤ i ≤ |U|) and for all a

∈ U,

computes d

and d

0 as below.

(

r/b

H(j)

...if a

/∈ T

∗

H(j)

...if a

∈ T

∗

0 = g











(1 ≤ j ≤ |U|)

Now, challenger sends public parameters APK =

,e(g,g)

,G,g} to adversary A .

Phase 1. In this phase, adversary A sends requests

for private key for any set of attributes w

which

does not contain any attribute in T

∗

= {a

| (a

∈ U ∧ a

/∈ T

∗

)}

For each query from adversary A, challenger chose

a random number r0 ∈

, sets r = −b(r0 + a) and

computes D as below.

D = g

(α+r)/β

= (g

(α+r)

)

1/β

= (g

((ab+x0)−b(r0+a))

)

1/β

= (g

x0−br0

)

1/β

= (g

.(g

)

−r0

)

1/β

Because of restriction a

/∈ T

∗

in this phase, D

can

be computed as below.

= g

r/b

H(j)

= g

r/b

H(j)

= g

−(r

+a)

H(j)

= (g

)

−1

−r0

H(j)

Now, challenger sends private key ASK

D,(D

0) | ∀a

∈ w

to adversary A

Challenge Phase. In this phase, adversary A

submits two plaintext messages m

and m

to the

challenger. Challenger selects a random plain-

text message m

from the two messages where

b ∈

{0,1}, sets r

= 1, chose random variables

and r

such that c = r

+ r

. Now, set value of

root node T

∗

to c and assign values to leaf nodes

of T

∗

as described in section 4.4 to arrive at C3

and C4

. The ﬁnal ciphertext CT

∗

is computed

Privacy Enhanced DigiLocker using Ciphertext-Policy Attribute-Based Encryption

545

as below. The ciphertext is returned to adversary A.

∗











= T

∗

C1 = e(g,g)

αr

e(g,g)

αr

= e(g,g)

α(r

)

= e(g,g)

C2 = g

βr

= g

β(r

)

= g

(0))

= H(attr(y))

(0)

)

∀ y ∈ Y

Phase 2. In this phase, adversary A can continue to

send secret key generation requests with the same

restriction as in Phase1, i.e., a

/∈ T

∗

Guess Phase. In this phase, adversary A outputs

a guess b0 ∈ {0, 1}. If b0 = b, the simulator β

will guess that µ = 0 and Z

= e(g,g)

abc

, other-

wise will guess that µ = 1 and Z

= e(g, g)

. When

= e(g,g)

abc

the simulator β gives the perfect

simulation and c

∗

is a valid ciphertext. Therefore

the advantage of the adversary is

Pr[b0 = b | Z

= e(g,g)

abc

] =

+ ε

If µ = 1 then Z

= e(g,g)

and c

∗

is random ci-

phertext for the adversary, and the adversary does

not gain information about m

. Hence we have

Pr[b0 6= b | Z

= e(g,g)

] =

Since the simulator β guesses µ0 = 0 when b0 = b

and µ0 = 1 when b0 6= b, the overall advantage of β

to solve DBDH assumption is

Pr[µ0 = µ | µ = 0] +

Pr[µ0 = µ | µ = 1] −

If the adversary A has the above advantage ε to

win the IND-sAtt-CPA game, the challenger can

solve the DBDH assumption problem with ε/2 ad-

vantage with the help of adversary A. However,

there are no effective polynomial algorithms which

can solve the DBDH assumption problem with non-

negligible advantage according to the DBDH as-

sumption. Hence, the adversary cannot win the

IND-sAtt-CPA game with the above advantage ε,

namely the adversary having no advantage to break

through the proposed scheme.

7 CONCLUSION

This paper presented a scheme to improve data pri-

vacy in DigiLocker by using CP-ABE. The scheme

also proposed to prepone part of the encryption pro-

cess to increase performance. This preponed process

creates a token which can be reused later. The pro-

posed scheme is proved to be secure against IND-

sAtt-CPA game. The proposed scheme can further be

enhanced by using homomorphic encryption which

allows processing on encrypted data and using post-

quantum ABE schemes, for both of which, though

schemes exist but are still non-trivial and not prac-

tical.

REFERENCES

Bethencourt, J., Sahai, A., and Waters, B. (2007).

Ciphertext-policy attribute-based encryption. In 2007

IEEE symposium on security and privacy (SP’07),

pages 321–334. IEEE.

GoI (2015). Digilocker. https://digilocker.gov.in.

Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006).

Attribute-based encryption for ﬁne-grained access

control of encrypted data. In Proceedings of the 13th

ACM conference on Computer and communications

security, pages 89–98.

Ibraimi, L., Tang, Q., Hartel, P., and Jonker, W. (2009). Ef-

ﬁcient and provable secure ciphertext-policy attribute-

based encryption schemes. In International Confer-

ence on Information Security Practice and Experi-

ence, pages 1–12. Springer.

IETF (2012). The oauth 2.0 authorization framework. https:

//tools.ietf.org/rfc/rfc6749.txt.

Ji, Y.-m., Tan, J., Liu, H., Sun, Y.-p., Kang, J.-b., Kuang, Z.,

and Zhao, C. (2014). A privacy protection method

based on cp-abe and kp-abe for cloud computing.

JSW, 9(6):1367–1375.

MeitY (2019). Digital locker technical speciﬁcation

(dlts). https://img1.digitallocker.gov.in/assets/img/

technicalspeciﬁcations-dlts-ver-2.3.pdf.

UIDAI (2009). What is aadhaar. https://uidai.gov.in/

myaadhaar/about-your-aadhaar.html.

Yacobi, Y. (2002). A note on the bilinear difﬁe-hellman

assumption. IACR Cryptology ePrint Archive,

2002:113.

Zhang, F., Safavi-Naini, R., and Susilo, W. (2004). An ef-

ﬁcient signature scheme from bilinear pairings and its

applications. In International Workshop on Public Key

Cryptography, pages 277–290. Springer.

Zhou, Z. and Huang, D. (2012). Efﬁcient and secure data

storage operations for mobile cloud computing. In

2012 8th international conference on network and ser-

vice management (cnsm) and 2012 workshop on sys-

tems virtualiztion management (svm), pages 37–45.

IEEE.

SECRYPT 2020 - 17th International Conference on Security and Cryptography

546