Secure and Fine-Grained Flow Control for Subscription-Based Data Services in Cloud-Edge Computing

Bibliographic details
Published in: IEEE transactions on services computing 2023-05, Vol.16 (3), p.1-13
Main authors: Huang, Qinlong; Wang, Chao; Chen, Lixuan
Format: Article
Language: eng
Description
Summary: With the popularity of cloud computing services, an increasing number of users begin to use subscription-based services. Due to the semi-trusted cloud servers that may access the outsourced data, and malicious senders who may publish unauthorized data or junk data, access control encryption (ACE) schemes have been studied recently to enforce secure data write control as well as read control. However, their access control policies are specified by the authority or publishers, which do not apply to the subscriptions. In this paper, we propose DSFlow, a secure and fine-grained flow control system for subscription-based data services. DSFlow is designed in the cloud-edge computing architecture, which employs edge nodes to control the communications between publishers and cloud servers by sanitizing the original ciphertexts to resist malicious publishers, and allows any valid subscriber to decrypt the sanitized ciphertexts in cloud. We introduce a receiver-policy attribute-based ACE (RA-ACE) scheme for DSFlow, which embeds the fine-grained access control policy within the receiver's decryption key. We give a concrete construction of RA-ACE from key-policy attribute-based encryption, structure-preserving signature and non-interactive zero-knowledge proof, and formally prove the no-read rule and no-write rule of RA-ACE. The experiments demonstrate the efficiency of DSFlow compared with existing schemes.
ISSN: 1939-1374, 2372-0204
DOI: 10.1109/TSC.2022.3203378