Abstract
Current approaches to enforce fine-grained access control on confidential data hosted in the cloud are based on
fine-grained encryption of the data. Under such approaches, data owners are in charge of encrypting the data before uploading
them on the cloud and re-encrypting the data whenever user credentials or authorization policies change. Data owners thus
incur high communication and computation costs. A better approach should delegate the enforcement of fine-grained access
control to the cloud, so to minimize the overhead at the data owners, while assuring data confidentiality from the cloud. We
propose an approach, based on two layers of encryption, that addresses such requirement. Under our approach, the data owner
performs a coarse-grained encryption, whereas the cloud performs a fine-grained encryption on top of the owner encrypted data.
A challenging issue is how to decompose access control policies (ACPs) such that the two layer encryption can be performed.We
show that this problem is NP-complete and propose novel optimization algorithms. We utilize an efficient group key management
scheme that supports expressive ACPs. Our system assures the confidentiality of the data and preserves the privacy of users
from the cloud while delegating most of the access control enforcement to the cloud.