protecting your right: veriﬁable attribute-based keyword ... · protecting your right:...

1045-9219 (c) 2013 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. Seehttp://www.ieee.org/publications_standards/publications/rights/index.html for more information.

This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI10.1109/TPDS.2014.2355202, IEEE Transactions on Parallel and Distributed Systems

1

Protecting Your Right: Verifiable Attribute-basedKeyword Search with Fine-grained

Owner-enforced Search Authorization in theCloud

Wenhai Sun, Student Member, IEEE, Shucheng Yu, Member, IEEE, Wenjing Lou, Senior Member, IEEE,Y. Thomas Hou, Fellow, IEEE, Hui Li, Member, IEEE

Abstract —Search over encrypted data is a critically important enabling technique in cloud computing, where encryption-before-outsourcing is a fundamental solution to protecting user data privacy in the untrusted cloud server environment. Many secure searchschemes have been focusing on the single-contributor scenario, where the outsourced dataset or the secure searchable index ofthe dataset are encrypted and managed by a single owner, typically based on symmetric cryptography. In this paper, we focus on adifferent yet more challenging scenario where the outsourced dataset can be contributed from multiple owners and are searchable bymultiple users, i.e. multi-user multi-contributor case. Inspired by attribute-based encryption (ABE), we present the first attribute-basedkeyword search scheme with efficient user revocation (ABKS-UR) that enables scalable fine-grained (i.e. file-level) search authorization.Our scheme allows multiple owners to encrypt and outsource their data to the cloud server independently. Users can generate theirown search capabilities without relying on an always online trusted authority. Fine-grained search authorization is also implementedby the owner-enforced access policy on the index of each file. Further, by incorporating proxy re-encryption and lazy re-encryptiontechniques, we are able to delegate heavy system update workload during user revocation to the resourceful semi-trusted cloudserver. We formalize the security definition and prove the proposed ABKS-UR scheme selectively secure against chosen-keywordattack. To build confidence of data user in the proposed secure search system, we also design a search result verification scheme.Finally, performance evaluation shows that the efficiency of our scheme.

Keywords —Cloud Computing, Attribute-based Keyword Search, Fine-grained Owner-enforced Search Authorization, Multi-userSearch, Verifiable Search

1 INTRODUCTION

C LOUD computing has emerged as a new enter-prise IT architecture. Many companies are moving

their applications and databases into the cloud andstart to enjoy many unparalleled advantages broughtby cloud computing, such as on-demand computingresource configuration, ubiquitous and flexible access,considerable capital expenditure savings, etc. However,privacy concern has remained a primary barrier pre-venting the adoption of cloud computing by a broaderrange of users/applications. When sensitive data areoutsourced to the cloud, data owners naturally becomeconcerned with the privacy of their data in the cloudand beyond. Encryption-before-outsourcing has been re-garded as a fundamental means of protecting user data

• W. Sun is with the State Key Laboratory of Integrated Services Networks,Xidian University, Shaanxi, China and Virginia Polytechnic Institute andState University, Blacksburg, VA, USA. E-mail: [email protected].

• S. Yu is with University of Arkansas at Little Rock, Little Rock, AR, USA.E-mail: [email protected].

• W. Lou and Y. T. Hou are with Virginia Polytechnic Institute and StateUniversity, Blacksburg, VA, USA. E-mail: wjlou, [email protected].

• H. Li is with the State Key Laboratory of Integrated Services Networks, Xi-dian University, Xi’an, Shaanxi, China. E-mail: [email protected].

A preliminary version [1] of this paper was presented at the 33rd IEEE Inter-national Conference on Computer Communications (IEEE INFOCOM’14).

privacy against the cloud server [2], [3], [4]. However,how the encrypted data can be effectively utilized thenbecomes another new challenge. Significant attention hasbeen given and much effort has been made to addressthis issue, from secure search over encrypted data [5],secure function evaluation [6], to fully homeomorphicencryption systems [7] that provide generic solution tothe problem in theory but are still too far from beingpractical due to the extremely high complexity.

This paper focuses on the problem of search over en-crypted data, which is an important enabling techniquefor the encryption-before-outsourcing privacy protectionparadigm in cloud computing, or in general in anynetworked information system where servers are notfully trusted. Much work has been done, with major-ity focusing on the single-contributor scenario, i.e. thedataset to be searched is encrypted and managed bya single entity, which we call owner or contributor inthis paper. Under this setting, to enable search overencrypted data, the owner has to either share the secretkey with authorized users [5], [8], [9], or stay online togenerate the search trapdoors, i.e. the “encrypted” form ofkeywords to be searched, for the users upon request [10],[11]. The same symmetric key will be used to encryptthe dataset (or the searchable index of the dataset) and



2

to generate the trapdoors. These schemes seriously limitthe users’ search flexibility.

Consider a file sharing system that hosts a large num-ber of files, contributed from multiple owners and to beshared among multiple users (e.g. 4shared.com, mymed-wall.com). This is a more challenging multi-owner multi-user scenario. How to enable multiple owners to encryptand add their data to the system and make it search-able by other users? Moreover, data owners may desirefine-grained search authorization that only allows theirauthorized users to search their contributed data. By fine-grained, we mean the search authorization is controlled atthe granularity of per file level. Symmetric cryptographybased schemes [5], [8], [9] are clearly not suitable forthis setting due to the high complexity of secret keymanagement. Although authorized keyword search canbe realized in single-owner setting by explicitly defininga server-enforced user list that takes the responsibilityto control legitimate users’ search capabilities [12], [13],i.e. search can only be carried out by the server with theassistance of legitimate users’ complementary keys onthe user list, these schemes did not realize fine-grainedowner-enforced search authorization and thus are unableto provide differentiated access privileges for differentusers within a dataset. Asymmetric cryptography is bet-ter suited to this dynamic setting by encrypting individ-ual contribution with different public keys. For example,Hwang et al. [14] implicitly defined a user list for eachfile by encrypting the index of the file with all the publickeys of the intended users. However, extending suchuser list approach to the multi-owner setting and on aper file basis is not trivial as it would impose significantscalability issue considering a potential large numberof users and files supported by the system. Additionalchallenges include how to handle the updates of the userlists in the case of user enrollment, revocation, etc., underthe dynamic cloud environment.

In this paper, we address these open issues andpresent an authorized keyword search scheme over en-crypted cloud data with efficient user revocation in themulti-user multi-data-contributor scenario. We realizefine-grained owner-enforced search authorization by exploit-ing ciphertext policy attribute-based encryption (CP-ABE) technique. Specifically, the data owner encryptsthe index of each file with an access policy createdby him, which defines what type of users can searchthis index. The data user generates the trapdoor inde-pendently without relying on an always online trustedauthority (TA). The cloud server (CS) can search overthe encrypted indexes with the trapdoor on a user’sbehalf, and then returns matching result if and onlyif the user’s attributes associated with the trapdoorsatisfy the access policies embedded in the encryptedindexes. We differentiate attributes and keywords in ourdesign. Keywords are actual content of the files whileattributes refer to the properties of users. The systemonly maintains a limited number of attributes for searchauthorization purpose. Data owners create the index

consisting of all keywords in the file but encrypt the in-dex with an access structure only based on the attributesof authorized users, which makes the proposed schememore scalable and suitable for the large scale file sharingsystem. In order to further release the data owner fromthe burdensome user membership management, we useproxy re-encryption [15] and lazy re-encryption [16]techniques to shift the workload as much as possibleto the CS, by which our proposed scheme enjoys ef-ficient user revocation. Formal security analysis showsthat the proposed scheme is provably secure and meetsvarious search privacy requirements. Furthermore, wedesign a search result verification scheme and make theentire search process verifiable. Performance evaluationdemonstrates the efficiency and practicality of the ABKS-UR. Our contributions can be summarized as follows:

1) We design a novel and scalable authorized keywordsearch over encrypted data scheme supporting multipledata users and multiple data contributors. Comparedwith existing works, our scheme supports fine-grainedowner-enforced search authorization at the file level withbetter scalability for large scale system in that the searchcomplexity is linear to the number of attributes in thesystem, instead of the number of authorized users.

2) Data owner can delegate most of computationallyintensive tasks to the CS, which makes the user revo-cation process efficient and is more suitable for cloudoutsourcing model.

3) We formally prove our proposed scheme selectivelysecure against chosen-keyword attack.

4) We propose a scheme to enable authenticity checkover the returned search result in the multi-user multi-data-contributor search scenario.

2 RELATED WORK

2.1 Keyword Search over Encrypted Data

2.1.1 Secret key vs. Public key

Encrypted data search has been studied extensively inthe literature. Song et al. [5] designed the first searchableencryption scheme to enable a full text search overencrypted files. Since this seminal work, many securesearch schemes have been proposed to boost the effi-ciency and enrich the search functionalities based oneither secret-key cryptography (SKC) [8], [9], [10], [11] orpublic-key cryptography (PKC) [17], [18], [19]. Curtmolaet al. [8] presented an efficient single keyword encrypteddata search scheme by adopting inverted index structure.The authors in [9] designed a dynamic version of [8]with the ability to add and delete files efficiently. Toenrich search functionalities, Cao et al. [10] proposed thefirst privacy-preserving multi-keyword ranked searchscheme over encrypted cloud data using “coordinatematching” similarity measure. Later on, Sun et al. [11]presented a secure multi-keyword text search schemein the cloud enjoying more accurate search result by“cosine similarity measure” in the vector space model



3

and practically efficient search process using a tree-based secure index structure. Compared with symmetricsearch techniques, PKC-based search schemes are ableto generate more flexible and more expressive searchqueries. In [17], Boneh et al. devised the first PKC-based encrypted data search scheme supporting singlekeyword query. The scheme from [18] supports searchqueries with conjunctive keywords by explicitly indi-cating the number of encrypted keywords in an index.Predicate encryption [19], [20] is another promising tech-nique to fulfill the expressive secure search functionality.For example, the proposed scheme in [19] supportsconjunctive, subset, and range queries, and disjunctions,polynomial equations, and inner products could be re-alized in [20].

2.1.2 Authorized keyword search

To grant multiple users the search capabilities, userauthorization should be enforced. In [12], [13], the au-thors adopt a server-enforced user list containing allthe legitimate users’ complementary keys that are usedto help complete the search in the enterprise scenarioto realize search authorization. But these SKC-basedschemes only allow one data contributor in the system.Hwang et al. [14] in the public-key setting presented aconjunctive keyword search scheme in multi-user multi-owner scenario. But this scheme is not scalable under thedynamic cloud environment because the size of the en-crypted index and the search complexity is proportionalto the number of the authorized users, and to add a newuser, the data owner has to rewrite all the correspondingindexes. By exploiting hierarchical predicate encryption,Li et al. [21] proposed a file-level authorized privatekeyword search (APKS) scheme over encrypted clouddata. However, it incurs additional communication cost,since whenever users want to search, they have to resortto the attribute authority to acquire the search capa-bilities. Moreover, this scheme is more suitable for thestructured database that contains only limited numberof keywords. The search time there is proportional to thetotal number of keywords in the system, which would beinefficient for arbitrarily-structured data search, e.g., freetext search, in the case of dynamic file sharing system.

2.2 Verifiable Search based on Authenticated IndexStructure

In the plaintext information retrieval, many schemeshave been proposed to achieve verifiable search usingauthenticated data structures (e.g., Merkle hash tree andcryptographic signature) [22], [23] in case the erroneousor false search result returned by the server due to soft-ware/hardware failure, data corruption, etc. In the en-crypted data search scenario, Wang et al. [24] proposed asingle keyword search scheme with inverted index beingthe index structure, upon which they use hash chain tobuild a search result verification scheme. Recently, Sun etal. [25] presented a search result verification scheme in

the multi-keyword text search scenario by turning theproposed secure index tree into an authenticated one.Note that these works are devised for the single-usersearch setting. We cannot directly apply them in ourmulti-user multi-data-contributor scenario.

2.3 Attribute-based Encryption

There has been a great interest in developing attribute-based encryption [28], [29], [30], [31] due to its fine-grained access control property. Goyal et al. [28] de-signed the first key policy attribute-based encryption(KP-ABE) scheme, where ciphertext can be decryptedonly if the attributes that are used for encryption satisfythe access structure on the user private key. Under thereverse situation, CP-ABE allows user private key to beassociated with a set of attributes and ciphertext asso-ciated with an access structure. CP-ABE is a preferredchoice when designing an access control mechanism ina broadcast environment. Since the first constructionof CP-ABE [29], many works have been proposed formore expressive, flexible and practical versions of thistechnique. Cheung et al. [30] proposed a selectivelysecure CP-ABE construction in the standard model usingthe simple boolean function, i.e. AND gate. By adoptingproxy re-encryption and lazy re-encryption techniques,Yu et al. [31] also devised a selectively secure CP-ABEscheme with the ability of attribute revocation, which isperfectly suitable for the data-outsourced cloud model.

3 PROBLEM FORMULATION

3.1 System Model

The system framework of our proposed ABKS-URscheme involves three entities: cloud server, many dataowners, and many data users, as shown in Fig. 1. Inaddition, a trusted authority is implicitly assumed to bein charge of generating and distributing public keys, pri-vate keys and re-encryption keys. To enforce fine-grainedauthorized keyword search, the data owner generatesthe secure indexes with attribute-based access policiesbefore outsourcing them along with the encrypted datainto the CS. Note that we can encrypt data by any secureencryption technique, such as AES, which is outside thescope of this paper. To search the datasets contribut-ed from various data owners, a data user generates atrapdoor of keyword of interest using his private keyand submits it to the CS. So as to accelerate the entiresearch process, we first enforce the coarse-grained datasetsearch authorization with the per-dataset user list such thatsearch does not need to go to a particular dataset if theuser is not on the corresponding user list. Next, the fine-grained file-level search authorization is applied on theauthorized dataset in the sense that only users, who aregranted to access a particular file, can search this file forthe intended keyword. More precisely, the data ownerdefines an access policy for each uploaded file. The CSwill search the corresponding datasets and return the



4

Data user 1Data owner 1

Data owner 2

Data owner n

...

Cloud ServerData user 2

Data user m

...

Access structure for an index: attr1 AND attr2 AND ...

User attribute set:attr1, attr3, attr8, ...

Encrypted files & secure indexes Trapdoor

Access policies & user list

... ...

Fig. 1. Framework of authorized keyword search overencrypted cloud data.

valid search result to the user if and only if the attributesof the user on the trapdoor satisfy the access policies ofthe secure indexes of the returned files, and the intendedkeyword is found in these files.

3.2 Threat Model

We consider the CS honest-but-curious, which is alsoemployed by related works on secure search over en-crypted data [10], [11], [21]. We assume that the CShonestly follows the designated protocol, but curiouslyinfers additional privacy information based on the dataavailable to him. Furthermore, malicious data users maycollude to access files beyond their access privileges byusing their secret keys. Analogue to [31], as we delegatemost of the system update workload to the CS, weassume that the CS will not collude with the revokedmalicious users to help them gain unauthorized accessprivileges.

3.3 Design Goals

Our proposed ABKS-UR scheme in the cloud aims toachieve the following functions and security goals:Authorized Keyword Search: The secure search systemshould enable data-owner-enforced search authorization,i.e. only users that meet the owner-defined access policycan obtain the valid search result. Besides achieving fine-grained authorization, another challenge is to make thescheme scalable for dynamic cloud environment.Supporting Multiple Data Contributors and Data User-s: The designed scheme should accommodate many da-ta contributors and data users. Each user is able to searchover the encrypted data contributed from multiple dataowners.Efficient User Revocation: Another important designgoal is to efficiently revoke users from the current systemwhile minimizing the impact on the remaining legitimateusers.Authenticity of Search Result: To make the proposedauthorized keyword search scheme verifiable and enabledata user to check the authenticity of the returned searchresult.

Security Goals: In this paper, we are mainly concernedwith secure search related privacy requirements, anddefine them as follows. 1) Keyword semantic security:Since we present a novel attribute-based keyword searchtechnique, we will formally prove it semantically secureagainst chosen keyword attack under selective ciphertextpolicy model (IND-sCP-CKA). The related security def-inition and semantic security game used in the proofare presented in Sect. 4.4. 2) Trapdoor unlinkability: thissecurity property makes the CS unable to visually distin-guish two or more trapdoors even containing the samekeyword. Note that the attacker may launch dictionaryattack by using public key to generate arbitrary numberof indexes with keyword of his choice, and then searchthese indexes with a particular trapdoor to deduce theunderlying keyword in the trapdoor, which is referred toas predicate privacy and it cannot be protected inherentlyin the PKC-based search scenario [32]. Consistent withexisting asymmetric secure search schemes [17], [21],this paper does not consider protection of predicateprivacy. Moreover, we do not aim to hide access patternin our scheme due to the extremely high complexity,i.e. to protect it, algorithm has to “touch” the wholedataset [33].

4 THE PROPOSED AUTHORIZED KEYWORDSEARCH

We exploit the CP-ABE [30], [31] technique to achievescalable fine-grained authorized keyword search overencrypted cloud data supporting multiple data ownersand data users. Specifically, for each file, the data ownergenerates an access-policy-protected secure index, wherethe access structure is expressed as a series of AND gates.Only authorized users with attributes satisfying the ac-cess policies can obtain matching result. Moreover, weshould consider user membership management carefullyin the multi-user setting. A naıve solution is to imposethe burden on each data owner. As a result, data owneris required to be always online to promptly respond themembership update request, which is impractical andinefficient. By using proxy re-encryption [15], the dataowner can delegate most of the workload to the cloudwithout infringing search privacy.

4.1 Algorithm Definition

We define the algorithms used in our ABKS-UR schemein this subsection with main notations listed in Tab.1.Here we consider a series of AND gates

∧i∈I i.

Definition 1: An attribute-based keyword search withefficient user revocation scheme for keyword space Wand access structure space G consists of nine fundamen-tal algorithms as follows:

• Setup(λ,N ) → (PK,MK): The setup algorithmtakes as input the security parameter λ and anattribute universe descriptionN . It defines a bilineargroup G of prime order p with a generator g. Thus, a



5

TABLE 1Notations

NAn universal attribute set 1, ..., n for some naturenumber n.

G Access structure space.W Keyword space comprised of keywords w.

IAn attribute set used for an access structure GT ∈ G onan encrypted index and I ⊆ N .

S An attribute set for a user secret key SK and S ⊆ N .

iAn attribute in N either refers to a positive attribute i

or its negation ¬i.D An encrypted index for a file.Q A trapdoor for an intended keyword w ∈ W .rk A proxy re-encryption key set.PSK A user’s partial secret key.Φ An attribute set containing the attributes to be updated.

∆An attribute set including all the attributes in D’s accessstructure with the re-encryption keys not being 1 in rk.

ΩAn attribute set containing all the attributes in PSK

with the re-encryption keys not being 1 in rk.ver A version number.

bilinear map is defined as e : G×G→ G1, which hasthe properties of bilinearity, computability and non-degeneracy. It outputs the public parameters PK andthe master secret key MK . The version number veris initialized as 1.

• CreateUL(PK, ID) → UL: The user list generationalgorithm takes as input PK and the user identityID. It outputs the user list UL for a dataset.

• EncIndex(PK,GT,w) → D: The index encryptionalgorithm takes as input the current PK , the accessstructure GT ∈ G, a keyword w ∈ W and outputsthe encrypted index D.

• KeyGen(PK,MK,S) → SK: The key generationalgorithm takes as input the current PK , the currentMK , and the attribute set S associated with aparticular user. It outputs the user’s secret key SK .

• ReKeyGen(Φ,MK) → (rk,MK ′, PK ′): The re-encryption key generation algorithm takes as inputthe attribute set Φ, and the current MK . It outputsa set of proxy re-encryption keys rk for all theattributes in N , the updated MK ′ and PK ′, whereall the version numbers are increased by 1. For theattributes not in Φ, set their proxy re-encryptionkeys as 1 in rk.

• ReEncIndex(∆, rk,D) → D′: It takes as input anindex D, rk and the attribute set ∆. Then it outputsa new re-encrypted index D′.

• ReKey(Ω, rk, PSK) → PSK ′: It takes as input auser’s partial secret key PSK , rk and the attributeset Ω. Finally, it outputs a new PSK ′ for that user.

• GenTrapdoor(PK,SK,w′) → Q: The trapdoor gen-eration algorithm takes as input the current PK ,the user’s SK , a keyword of interest w′ ∈ W andoutputs the trapdoor Q for the keyword w′.

• Search(UL,D,Q) → search result or ⊥: The searchalgorithm takes as input the user list UL, the indexD and the user’s trapdoor Q. It outputs valid searchresult or returns a search failure indicator ⊥.

4.2 Construction for ABKS-UR

In this subsection, we will describe the concrete ABKS-UR construction from the viewpoint of system levelbased on the above defined algorithms. The system leveloperations include System Setup, New User Enrollment,Secure Index Generation, Trapdoor Generation, Search, andUser Revocation. Notice that each individual system leveloperation may invoke one or more low level algorithms.

System Setup The TA calls the Setup algorithm to gener-ate PK and MK . Specifically, it selects random elementst1, ..., t3n. Define a collision-resistant keyed hash functionH : 0, 1∗ → Zp, and its key is selected randomlyand securely shared between owners and users (forsimplicity, we use it without mentioning the secret keyhereafter). Let Tk = gtk for each k ∈ 1, ..., 3n suchthat for 1 ≤ i ≤ n, Ti are referred to as positiveattributes, Tn+i are for negative ones, and T2n+i arethought of as don’t care. Let Y be e(g, g)y . The publickey is PK := 〈e, g, Y, T1, ..., T3n〉 and the master key isMK := 〈y, t1, ..., t3n〉. The initial version number ver is1. The TA publishes (ver, PK) with the signature of eachcomponent of PK , and retains (ver,MK).

New User Enrollment When receiving a registrationrequest from a new legitimate user f , the TA first selectsa random xf ∈ Zp as a new MK component. Then,the TA generates a new PK component Y ′

f = Y xf andpublishes it with its signature. After that, the KeyGenalgorithm is called to create secret key SK for this user.For every i ∈ N , the TA selects random ri from Zp hence

r =∑n

i=1 ri. K is set as gy−r. For i ∈ S, set Ki = griti

and Ki = gri

tn+i otherwise. Finally, let Fi be gri

t2n+i . Thesecret key is SK := 〈ver, xf , K, Ki, Fii∈N 〉.

In addition, the server maintains a user list UL con-taining all the legitimate users’ identity information foreach dataset. Specifically, the data owner first selects arandom element s from Zp. When a new user f joins inthe system and is allowed to search the dataset, the dataowner calls CreateUL algorithm to set Df = Y ′

f−s

andasks the CS to add the tuple (IDf , Df) into the user list,where IDf is the identity of the user f .

Secure Index Generation Before outsourcing a file to theCS, the data owner calls EncIndex algorithm to generatea secure index D for this file. In particular, set D = gs

and D to be Y s. Given an access policy GT =∧

i∈I i,for each i ∈ I, let Di = T s

i if i = i and Di = T sn+i

if i = ¬i. For each i ∈ N\I, let Di = T s2n+i. For some

attribute i′ ∈ N (this fixed position can be seen as part ofpublic parameter) and a keyword w ∈ W , the data owner

sets Di′ to be Ts

H(w)

i′ where without loss of generality,attribute i′ is assumed to be positive. The encryptedindex D := 〈ver,GT, D, D, Dii∈N 〉.

Trapdoor Generation Every legitimate user in the sys-tem is able to generate a trapdoor for any keyword ofinterest by calling the algorithm GenTrapdoor. Specif-ically, user f selects random u ∈ Zp. Let Q = Ku

and Q = u + xf . Qi is denoted as Kui and Qfi =



6

Fui . Thus, for the same i′ in secure index generation

phase, Qi′ is set to be KH(w′)·ui′ , where w′ is the key-

word of interest and Qfi′ = FH(w′)·ui′ . The trapdoor

Q := 〈ver, Q, Q, Qi, Qfii∈N 〉, where ver is the versionnumber of SK used for generating this trapdoor.

Search Upon receipt of a trapdoor Q and the useridentity IDf , 1) the CS finds out if IDf exists on theuser list of the target dataset. If not, the user is notallowed to search over the dataset; 2) otherwise, theCS continues the Search algorithm with the input oftrapdoor Q, encrypted index D and Df from the user list.We call this process dataset search authorization. Then, wemove onto the fine-grained file-level search authorization,which includes three cases:

• If ver of Q is less than ver of D, it outputs ⊥.• If ver of Q is greater than ver of D, the algorithm

ReEncIndex is called to update the index first.• If ver of Q is equal to ver of D, the search process

is performed as follows. For each attribute i ∈ I, ifi = i and i ∈ S, then

e(Di, Qi) = e(gti·s, gri·u

ti ) = e(g, g)s·u·ri .

If i = ¬i and i /∈ S, then

e(Di, Qi) = e(gtn+i·s, gri·u

tn+i ) = e(g, g)s·u·ri .

For each i /∈ I,

e(Di, Qfi) = e(gt2n+i·s, gri·u

t2n+i ) = e(g, g)s·u·ri.

For the attribute i′ ∈ N , e(Di′ , Qi′) is equal toe(g, g)s·u·ri′ as well.

If the following equation holds, the user’s attributessatisfy the access structure embedded in the index andw′ = w,

DQ · Df?= e(D, Q) ·

n∏

i=1

e(Di, Q∗i ),

where Q∗i = Qi if i ∈ I and Q∗

i = Qf i otherwise.Correctness Provided that the user is authorized to accessthe file and w′ = w, then

e(D, Q) ·n∏

i=1

e(Di, Q∗i ) = e(gs, gu·y−u·r) ·

n∏

i=1

e(g, g)s·u·ri

= e(g, g)s·u·y−s·u·r · e(g, g)s·u·r

= e(g, g)s·u·y

= Y s·u

= Y s·(xf+u) · Y −s·xf = DQ · Df .

Discussion We can achieve scalable fine-grained file-levelsearch authorization by data-owner-enforced attribute-based access structure on the index of each file. Thesearch complexity is linear to the number of attributesin the system rather than the number of authorizedusers. Hence, this one-to-many authorization mechanismis more suitable for a large scale system, such as cloud.Moreover, the dataset search authorization by using a

per-dataset user list may accelerate the search process,since the CS can decide whether it should go into aparticular dataset or not. Otherwise, the CS has to searchevery file at rest.

User Revocation To revoke a user from current system,we re-encrypt the secure indexes stored on the serverand update the remaining legitimate users’ secret keys.Note that these tasks can be delegated to the CS usingproxy re-encryption technique so that user revocation isvery efficient. In particular, the TA adopts the ReKeyGenalgorithm to generate the re-encryption key set rk :=〈ver, rki,vali∈N ,val∈+,−〉. Let attribute set Φ consist ofthe attributes that need to be updated, without whichthe leaving user’s attributes will never satisfy the access

policy. If an attribute i ∈ Φ, rki,+ =t′iti

is for the positive

attribute i, and for the negative rki,− is set to bet′n+i

tn+i,

where both t′i and t′n+i are randomly selected from Zp.If i ∈ N\Φ, set rki,val = 1, where val ∈ +,−. Then theTA refines the corresponding components in MK andPK , and publishes the new PK ′ with the signatures.The TA also sends rk and its signature to the CS.

After receiving rk from the TA, the server checkswhether the version number ver in rk is equal to currentver of the system (or it can be greater than the currentsystem ver in the case of lazy re-encryption, see Discus-sion below). If not, it discards this re-encryption key set.Otherwise, the CS verifies rk. Then, the server calls theReEncIndex algorithm to re-encrypt the secure indexesin its storage with valid rk. Let ∆ be the set including allthe attributes in the access structures of secure indexeswith the re-encryption keys not being 1 in rk. For each

positive i ∈ ∆, D′i is set as D

rki,+

i , or D′i = D

rki,−

i for neg-ative ones. For i /∈ ∆, let D′

i be equal to Di. Finally, theindex is updated as D′ := 〈ver + 1, GT, D, D, D′

ii∈N 〉.Furthermore, the server is able to update the remain-

ing legitimate users’ secret keys by the ReKey algorithm.Suppose that SKL is a list stored on the CS containingall the partial secret keys PSK’s of all the legitimateusers in the system. PSK is defined as (ver, Kii∈N ).Note that the CS cannot generate a valid trapdoor withPSK . Let Ω be the set including all the attributes inPSK with the re-encryption keys not being 1 in rk.

For each attribute i in Ω, denote K ′i to be K

rk−1i,+

i if i

is positive and Krk

−1i,−

i otherwise. For each i /∈ Ω, setK ′

i = Ki. The updated PSK ′ = (ver+1, K ′ii∈N ), which

is returned to the legitimate user. User can also verifywhether his secret key is the latest version by checkinge(Ti,Ki) = (T ′

i ,K′i), where T ′

i is the attribute componentin the latest PK ′. Here we suppose all the attributes iare positive. Otherwise, use Tn+i and T ′

n+i instead in theequation.

Finally, the server may eliminate ID information ofthe revoked user f , i.e. the tuple (IDf , Df ), from all thecorresponding user lists.

Discussion To handle file index update efficiently, wecould adopt the lazy re-encryption technique [16]. The



7

CS stores the re-encryption key sets rk’s and will notre-encrypt indexes until they are being accessed. Specif-ically, the CS could “aggregate” multiple rk’s and dealwith the index update in a batch manner. For instance,ver = k in D, ver = j in the latest rk and k < j, tore-encrypt the index, the CS just calls ReEncIndex once

with∏j

ρ=k rk(ρ)i,val.

4.3 Conjunctive Keyword Search

Data user may prefer the returned files containing sev-eral intended keywords with one search request, whichis referred to as conjunctive keyword search. Similarto [13], [14], our proposed ABKS-UR scheme is ableto provide conjunctive keyword search functionality

readily as follows. Di′ is defined as g

s·ti′∏

wj∈W H(wj )or

g

s·ti′

⊗wj∈WH(wj ), where ⊗ denotes XOR operation. The com-

ponents Qi′ and Qfi′ in the trapdoor are generatedaccordingly. It is worth noting that this method hasalmost the same efficiency as the single-keyword ABKS-UR scheme, regardless of the number of simultaneouskeywords.

4.4 Security Analysis

1) Keyword semantic security: In this paper, we formallydefine a semantic security game for ABKS-UR. We firstgive the cryptographic assumption that our scheme re-lies on.

Definition 2 (The DBDH Assumption [34]): Let a, b, c, z∈ Zp be chosen at random and g be a generatorof G. The DBDH assumption is that no probabilisticpolynomial-time adversary B can distinguish the tupleA = ga, B = gb, C = gc, e(g, g)abc from the tupleA = ga, B = gb, C = gc, e(g, g)z with non-negligibleadvantage. The advantage of B is defined as follows,

|Pr[B(A,B,C, e(g, g)abc) = 0]−Pr[B(A,B,C, e(g, g)z) = 0]|

where the probability is taken over the random choiceof the generator g, the random choice of a, b, c, z in Zp,and the random bits consumed by B.

The semantic security game between an adversary Aand a challenger B is defined as follows.Init. The adversary A submits a challenge access policyGT , a version number ver∗ and ver∗ − 1 attribute setsΦ(ρ)1≤ρ≤ver∗−1 to the challenger B.Setup. The challenger B runs Setup(λ,N ) to obtainPK and MK for version 1. For each version ρ ∈1, ..., ver∗ − 1, B runs ReKeyGen(Φ,MK). Then hepublishes rk(ρ)1≤ρ≤ver∗−1 to A, where rk(ρ) is de-fined as the re-encryption key set of version ρ. Givenrk(ρ)1≤ρ≤ver∗−1, the adversary A is able to computePK for the corresponding version ρ+ 1.Phase 1. By submitting any keyword w ∈ W , the adver-sary A is allowed to request the challenger B to generatetrapdoors of any version from 1 to ver∗ polynomialtimes (in λ). The only restriction is that the attribute

set associated with each trapdoor query submitted byA does not satisfy the challenge access structure GT .Challenge. Upon receipt of challenge keyword w0, w1 ∈W of the same length from the adversary A, B flipsa random coin µ ∈ 0, 1 and get a challenge indexDµ ← EncIndex(PK,GT,wµ), where GT is the chal-lenge access structure and PK is of version ver∗. Breturns Dµ to A.Phase 2. Same as phase 1.Guess. Adversary A submits his guess µ′ of µ.

Definition 3 (IND-sCP-CKA Security): The proposedABKS-UR scheme is IND-sCP-CKA secure if forall probabilistic polynomial-time adversary A, theadvantage AdvIND−sCP−CKA

A in winning the semanticsecurity game is negligible.

AdvIND−sCP−CKAA = Pr[µ′ = µ]−

1

2.

Notice that the trapdoor query oracle in Phase 1implicitly includes the secret key query oracle, whichmay send the partial secret key (see Sect. 4.2) backto the adversary. Since the adversary A is allowed toobtain all the re-encryption keys, he is able to updateindexes, secret keys and trapdoors on his own such thatwe do not let challenger answer these queries in Phase1 and Phase 2. Moreover, in the selective model, oursemantic security game allows the adversary to queryany keywords at Phase 1 and Phase 2 as long as theattribute sets associated with the queried trapdoors donot satisfy the challenge access policy GT .

We give the following theorem, and then prove ourABKS-UR construction IND-sCP-CKA secure in the s-tandard model.

Theorem 1: If a probabilistic polynomial-time adver-sary wins the IND-sCP-CKA game with non-negligibleadvantage ǫ, then we can construct a simulator B to solvethe DBDH problem with non-negligible advantage ǫ

2 .Proof: The DBDH challenger first randomly chooses

a, b, c, z ∈ Zp and a fair coin ν ∈ 0, 1. It defines Z tobe e(g, g)abc if v = 0, and e(g, g)z otherwise. Then thesimulator B is given a tuple (A,B,C, Z) = (ga, gb, gc, Z)and asked to output ν. The simulator B now plays therole of challenger in the following game.Init. In this phase, simulator B receives the challengeaccess structure GT =

∧i∈I i, a version number ver∗ and

ver∗ − 1 attribute sets Φ(ρ)1≤ρ≤ver∗−1 from adversaryA.Setup. For PK of version 1, Simulator B sets Y to bee(A,B) = e(g, g)a·b, which implicitly defines y = a · b.Choose random x = θ ∈ Zp and define Y ′ to bee(A,B)θ = e(g, g)a·b·θ. For each i ∈ N , B selects ran-dom αi, βi, γi ∈ Zp, and outputs the following publicparameters.

For i ∈ I, Ti = gαi , Tn+i = Bβi , T2n+i = Bγi if i = i;Ti = Bαi , Tn+i = gβi , T2n+i = Bγi if i = ¬i.

For i /∈ I, Ti = Bαi , Tn+i = Bβi , T2n+i = gγi .For each attribute set Φ(ρ), 1 ≤ ρ ≤ ver∗ − 1,B generates the re-encryption key rk(ρ) and the PK



8

of that version. For each attribute i ∈ Φ(ρ), rk(ρ)i,val

where val ∈ +,−, is randomly selected from Zp.

T(ρ+1)i = (T

(ρ)i )rk

(ρ)i,+ , T

(ρ+1)n+i = T

(ρ)n+i, and T

(ρ+1)2n+i = T

(ρ)2n+i

if attribute i is positive. Otherwise, T(ρ+1)i = T

(ρ)i ,

T(ρ+1)n+i = (T

(ρ)n+i)

rk(ρ)i,− , and T

(ρ+1)2n+i = T

(ρ)2n+i. Then, for

each i /∈ Φ(ρ), set rk(ρ)i,val = 1 and the remaining public

parameters of version ρ + 1 are the same with thoseof version ρ. Finally, simulator B publishes rk(ρ) =

〈ρ, rk(ρ)i,vali∈Φ(ρ),val∈+,−〉 to A.

Phase 1. Without loss of generality, assume that adver-sary A submits a keyword wl and a set S ⊆ N to Bfor version ρ, where 1 ≤ ρ ≤ ver∗ and S does notsatisfy GT . B uses the collision-resistant hash functionto output H(wl) = hl. Since S does not satisfy GT , awitness attribute j ∈ I must exist. Thus, either j ∈ S andj = ¬j, or j /∈ S and j = j. Without loss of generality,we assume j /∈ S and j = j.

Simulator B chooses random r′i1≤i≤n ∈ Zp. Setrj = a · b + r′j · b and ri = r′i · b if i 6= j. Denoter =

∑ni=1 ri = a·b+

∑ni=1 r

′i ·b. B defines u to be a random

nubmer λ selected from Zp. As such, Q is defined to begy·u−r·u = g−

∑ni=1 r′i·b·λ = B−

∑ni=1 r′i·λ. The Q component

of the trapdoor is defined to be x+ u = θ + λ.

By defining rk(ρ)i,val = 1 where val ∈ +,− if i /∈

Φ(ρ), B could compute the followings for each i ∈ N :

for 2 ≤ ρ ≤ ver∗, T(ρ)i = (T

(1)i )rk

(1)i,+·rk

(2)i,+···rk

(ρ−1)i,+ =

(T(1)i )

∏ρ−1o=1 rk

(o)i,+ , and T

(ρ)n+i = (T

(1)n+i)

rk(1)i,−·rk

(2)i,−···rk

(ρ−1)i,− =

(T(1)n+i)

∏ρ−1o=1 rk

(o)i,− .

B denotes R(ρ)i =

∏ρ−1o=1 rk

(o)i,+ and R

(ρ)n+i =

∏ρ−1o=1 rk

(o)i,−.

Simulator B sets Qj = A

λ

βj ·R(ρ)j+1 · g

r′j ·λ

βj ·R(ρ)j+1 =

g

a·b+r′j ·b

b·βj ·R(ρ)j+1

·λ

= g

rj ·u

b·βj ·R(ρ)j+1 .

For i 6= j, 1) i ∈ S. Qi = B

r′i·λ

αi·R(ρ)i = g

ri·u

αi·R(ρ)i if i ∈ I∧i =

i; Qi = g

r′i·λ

αi·R(ρ)i = g

ri·u

b·αi·R(ρ)i if (i ∈ I ∧ i = ¬i) ∨ i /∈ I.

2) i /∈ S. Qi = B

r′i·λ

βi·R(ρ)n+i = g

ri·u

βi·R(ρ)n+i if i ∈ I ∧ i = ¬i;

Qi = g

r′i·λ

βi·R(ρ)n+i = g

ri·u

b·βi·R(ρ)n+i if (i ∈ I ∧ i = i) ∨ i /∈ I.

Similarly, let Qfj = Aλγj · g

r′j·λ

γj = ga·b+r′j·b

b·γj·λ

= grj·u

b·γj .

For Qfii6=j , we have 1) i ∈ I. Qfi = gr′i·λ

γi = gri·u

b·γi . 2)

i /∈ I. Qfi = Br′i·λ

γi = gri·u

γi .Without loss of generality, assume i′ ∈ S∩I and i′ = i′.

Simulator B sets Qi′ = B

r′i′

·λ·hl

αi′

·R(ρ)

i′ = g

ri′

·u·H(wl)

αi′

·R(ρ)

i′ .Challenge. Upon receiving the challenge keywordsw0, w1 from adversary A, simulator B flips a randomcoin µ ∈ 0, 1 and then encrypts wµ with the challengegate GT . From the collision-resistant hash function H ,simulator B obtains H(wµ) = hµ. For version ver∗ and

i ∈ I, Di is defined to be Cαi·R(ver∗)i if i = i and

Cβi·R(ver∗)n+i if i = ¬i. For i /∈ I, let Di = Cγi . Without

loss of generality, assume i′ ∈ I and i′ = i′ such that

Di′ = Cαi′

·R(ver∗)

i′

hµ . Finally, B sets D = C, D = Z andD = Z−θ.Phase 2. Same as phase 1.Guess. Adversary A submits µ′ of µ. If ν = 1, adversaryA cannot acquire any advantage in this semantic securitygame but a random guess. Therefore, we have Pr[µ 6=µ′|ν = 1] = 1

2 . When µ 6= µ′, simulator B outputs ν′ = 1,such that Pr[ν′ = ν|ν = 1] = Pr[ν′ = 1|ν = 1] = 1

2 . Ifν = 0, a valid D is given to adversary A. He can win thisgame with non-negligible advantage ǫ. Hence, Pr[µ =µ′|ν = 0] = 1

2 + ǫ. When µ = µ′, simulator B outputs ν′ =0, we have Pr[ν′ = ν|ν = 0] = Pr[ν′ = 0|ν = 0] = 1

2 + ǫ.

The advantage AdvDBDHA of simulator B in the DBDH

game is Pr[ν′ = ν] − 12 = Pr[ν′ = ν|ν = 1]Pr[ν = 1] +

Pr[ν′ = ν|ν = 0]Pr[ν = 0]− 12 = 1

2 ·12 +(12 + ǫ) · 12 −

12 = ǫ

2 .

As per the above theorem, we can conclude that ourproposed scheme is semantically secure in the selectivemodel. Note that malicious users cannot launch collusionattack to generate a new valid secret key or trapdoor,which has been implicitly proved because the adversaryA in our security game has the same capability as themalicious users, i.e. he can query different secret keys.

2) Trapdoor unlinkability: To generate a trapdoor, thedata user chooses a different random number u to ob-fuscate the trapdoor such that the CS is visually unableto differentiate two or more trapdoors even producedwith the same keyword. Thus, the ABKS-UR can providetrapdoor unlinkability property.

5 AUTHENTICATED SEARCH RESULT

Data users may desire the authenticated search resultto boost their confidence in the entire ABKS-UR searchprocess, especially when the result contains errors thatmay come from the possible storage corruption, soft-ware malfunction, and intention to save computationalresources by the server, etc. Similar to [25], we are ableto assure data user of the authenticity of the returnedsearch result by checking its correctness (the returnedsearch result indeed exist in the dataset and remainintact), completeness (no qualified files are omitted fromthe search result), and freshness (the returned result isobtained from the latest version of the dataset). Themain idea of the verification scheme is to allow theCS to return the auxiliary information containing theauthenticated data structure other than the final searchresult, upon which the data user is capable of doingresult authenticity check. In what follows, we elaborateon the concrete scheme.

Authenticated data structure preparation In order tolet the user check if he is a legitimate user for aparticular dataset, the data owner can simply sign thecorresponding user list UL. Or, to avoid disclosing otherusers’ membership information, the TA may generate thekeyed-hash value hxf

(IDf ) for each authorized user f .The data owner can insert the hash values into a bloom



9

filter BFUL [26] based on these users’ membership, andthen signs it to σ(BFUL). Next, the data owner preparesanother bloom filter BFW for the keywords appearingin the dataset to enable the data user quickly find outthe existence of the intended keyword. Specifically, theTA generates a hash key k and gives it to the dataowner. He then encrypts it with symmetric key xf foreach legitimate user. Note that the output ciphertextExf

(k) can be signed and added into the user list ULlater by the data owner. Then, the data owner obtains akeyword bloom filter BFW by inserting the keyed-hashvalue hk(w) of every keyword w in the dataset, and signsit to σ(BFW ). When preparing the encrypted indexesfor the dataset to be outsourced, the data owner usesinverted index [27] to organize the entire dataset, i.e. allthe encrypted files l with the secure indexes containingthe same keyword w are placed in the same file listLw = < Dl1,w , l1 >,< Dl2,w , l2 >, ... < Dlq,w , lq >.Upon each list Lw, the data owner generates the listsignature as follows: first, for every tuple < Dli,w , li >in Lw where 1 ≤ i ≤ q, he computes the hash valuehli = H(Dli,w ||H(li)). Then the data owner computesthe hash value hLw

for the list Lw. For example, thereare three files l1, l2 and l3 in this particular list. Thedata owner calculates h1 = hl1 , h2 = H(hl2 ||h1), andhLw

= h3 = H(hl3 ||h2). Finally, he outsources the BFUL,BFW , all the file lists Lw and their signatures σ(BFUL),σ(BFW ), σ(hLw

) to the server.

Search phase In the search phase, the CS returns thesearch result along with the auxiliary information forresult authenticity check later by the data user. Theauxiliary information includes all the user list bloomfilters BFUL of the datasets stored on the server (see thediscussion below), the keyword bloom filters BFW ofthe datasets that the user is authorized to access, the filelist L′

w for the intended keyword w if the search resultcontains files from this dataset, the tuple (Df , Exf

(k))in each related UL and all the corresponding signatures.Notably, if the search result does not contain files fromthis dataset, it is not necessary to return the correspond-ing file list. Otherwise, the CS generates L′

w as follows.For the file li in Lw but not in the search result, theCS merely computes its hash value h(li) and puts thetuple < Di,w, h(li) > in L′

w. For example, when Lw =< Dl1,w , l1 >,< Dl2,w , l2 >,< Dl3,w , l3 > and only l1 isincluded in the final search result, the CS will sends backL′w = < Dl1,w , l1 >,< Dl2,w , h(l2) >,< Dl3,w , h(l3) > to

the user.

Result authentication On receipt of the search result,the user can check its authenticity as follows. At first,the user does the membership test with all the veri-fied user list bloom filters BFUL. For each dataset thatthe user is authorized to access, he verifies the tuple(Df , Exf

(k)) from this dataset, and decrypts Exf(k) with

xf . Then, he verifies the keyword bloom filter BFW ofthis dataset and exploits the hash key k to check whetherthe keyword of interest w indeed exists. If not, the user

turns to another keyword bloom filter of the next access-granted dataset. Otherwise, he goes into the specific filelist L′

w. For simplicity, we still use the above mentionedexample. The user first computes tuple hash values hl1 ,hl2 and hl3 respectively. He then generates the hashchain to obtain the file list hash value hLw

, and verifiesσ(hLw

). Next, he can search this list with his trapdoorand corresponding Df from the CS to check if all thematching files have been returned. Thus, the data usercan ensure the authenticity of the returned search result.

Discussion Note that if it is the first time for a userf to perform search operation, the CS will send thetuples (Df , Exf

(k)) in all related UL and all the userlist bloom filters to this user and he may keep themto avoid the communication overhead in the followingsearches. To revoke a particular user, data owners willupdate the corresponding user list bloom filters and sendthem to the CS. After that, the legitimate user will replacethe corresponding bloom filters for the updated onesreceived from the CS if he requires the server to searchagain. On the other hand, if the user repeats the searchwith the keyword queried before, it is not necessaryfor the CS to return the auxiliary information1 and theuser merely needs to compare the result with the searchhistory. Otherwise, all the relevant BFW and L′

w shouldbe returned to user for result verification.

In this paper, we create an authenticated data structureusing bloom filter, inverted index, hash and signaturetechniques to organize the outsourced data in the server.The data user can search over this structure to verify thereturned search result, since all the signatures can onlybe generated by data contributors. By checking verifiedBFUL, BFW and Lw, the user is assured of the existenceand integrity of all the returned files, and search resultdoes not exclude any qualified matching files. Hence, wecan achieve the verification design goals, i.e. correctnessand completeness. Freshness can be simply realized byadding time stamp into the corresponding signatures.Thus, we make the ABKS-UR scheme verifiable and theauthenticity of the returned search result is guaranteed.

6 PERFORMANCE EVALUATION

In this section, we will evaluate the performance of ourproposed ABKS-UR scheme and search result verifica-tion mechanism by real-world dataset and asymptoticcomputation complexity in terms of the pairing opera-tion P, the group exponentiation E and the group multi-plication M in G, the group exponentiation E1, the groupmultiplication M1 in G1 and hash operation H used inbloom filters. Note that we can realize the encryptionand the signature operation by any secure symmetricencryption and signature techniques respectively, e.g.,AES encryption and RSA signature, which incur fixedcomputation overhead, and here we do not considerthem. We also ignore the hash operation for ABKS-UR as

1. This is doable since the CS is able to track the access pattern.



10

it is much more efficient than other involved computa-tions. As for search result verification, the hash operationwill be counted for it is the main computation costthere. Suppose there exist n attributes in the proposedscheme. The numerical performance evaluation is shownin Tab. 2. Moreover, to evaluate the key operations ofthe proposed scheme, we use the real-world dataset,i.e. the Enron Email Dataset [35], which contains abouthalf million files contributed from 150 users approxi-mately. In the literature, there are few existing workson attribute-structure based authorized keyword searchwith experimental results. We will compare our ABKS-UR scheme with the predicate encryption based APKSscheme [21] in terms of search efficiency. We conduct ourexperiment using C and the Pairing-Based Cryptography(PBC) Library [36] on a Linux Server with Intel Core i3Processor 3.3GHz. We adopt the type A elliptic curve of160-bit group order, which provides 1024-bit discrete logsecurity equivalently (our scheme can also be adaptedinto any secure asymmetric pairing version).

6.1 System Setup

At this initial phase, the TA defines the public parameter,and generates PK and MK . The main computationoverhead is 3n exponentiations in G, one exponentiationin G1 and one pairing operation on the TA side. Asshown in Fig.2 (a), the time cost for system setup is veryefficient and is linear to the number of attributes in thesystem.

6.2 New User Enrollment

When a new legitimate user wants to join in the system,he has to request the TA to generate the secret key SK ,which needs 2n + 1 exponentiations in G. The TA alsoneeds one exponentiation in G1 to generate a new PKcomponent for the user. A data owner may also allowthe user to access the dataset by adding him onto thecorresponding user list, which incurs one exponentiationin G1. It is obvious that the time cost to enroll a new useris proportional to the number of attributes in the system.

6.3 Secure Index Generation

The size of secure index is constant if the number ofattributes is pre-fixed in the system setup phase regard-less of the actual number of keywords in a file for bothsingle keyword and conjunctive keyword search sce-narios. Moreover, the data owner approximately needs(n + 1)E + E1 to generate a secure index for a file. Fur-thermore, we evaluate the practical efficiency of creatingsecure indexes for 10000 files, as shown in Fig.2 (b).It exhibits the expected linearity with the number ofattributes in the system. When there exist 30 attributesin the system, the data owner would spend about 8minutes encrypting the indexes for 10000 files. Note thatthis computational burden on the data owner is a one-time cost. After all the indexes outsourced to the CS, the

following index re-encryption operation is also delegatedto the server. Thus, the overall efficiency for encryptingindex is totally acceptable in practice.

6.4 Trapdoor Generation

With the secret key, data user is free to produce thetrapdoor of any keyword of interest, which requiresabout 2n+ 1 group exponentiations in G. Moreover, theexperimental result in Fig.2 (c) shows that our proposedauthorized keyword search scheme enjoys very efficienttrapdoor generation. In accordance with the numericalcomputation complexity analysis, the trapdoor genera-tion will need more time with the increased number ofattributes.

TABLE 2Numerical evaluation of ABKS-UR and result verification

Operation Computation complexitySystem Setup 3nE + E1 + PNew User Enrollment (2n+ 1)E + 2E1

Secure Index Generation (n+ 1)E + E1

Trapdoor Generation (2n+ 1)EPer-index Search (n+1)P+ (n+2)M1 +E1

ReKeyGen x(M + E), 1 ≤ x ≤ nReEncIndex yE, 1 ≤ y ≤ nReKey zE, 1 ≤ z ≤ nData preparation (ak1 + bk2 + (3q − 1)b)HSearch phase (q − t)HResult authentication1 (mk1+k2+2q+t−1)H+tS2

1 This is for a new intended keyword search over oneauthorized dataset.

2 S denotes the per-index search operation.

6.5 Search

To search over a single encrypted index, the dominantcomputation of ABKS-UR is n + 1 pairing operations,while APKS [21] needs n + 3 pairing operations. Fig.2(d) shows the practical search time of ABKS-UR andAPKS on a single secure index with different number ofattributes respectively. With the same number of systemattributes, ABKS-UR is slightly faster than APKS. More-over, compared with APKS, ABKS-UR allows users togenerate trapdoors independently without resorting toan always online attribute authority, and it has a broaderrange of applications due to the arbitrarily-structureddata search capability. Notice that the search complexityof our scheme will varies a lot for different data users,since the dataset search authorization only allows users onthe user lists to further access the corresponding dataset-s. Assume that there exist 10000 files and 30 systemattributes. In the worse case of search over every file inthe storage, the CS, with the same hardware/softworespecifications as our experiment, requires less than 5minutes to complete the search operation. Thus, witha more powerful cloud, our proposed ABKS-UR schemewould be efficient enough for practical use.



11

0 20 40 60 80 1000

0.1

0.2

0.3

0.4

0.5

Number of attributes

Syste

m s

etu

p tim

e (

s)

(a)

0 20 40 60 80 1000

200

400

600

800

1000

1200

1400

1600


Se

cure

ind

ex

ge

ne

ratio

n t

ime

(s)

(b)

0 20 40 60 80 1000

0.05

0.1

0.15

0.2

0.25


Tra

pd

oo

r g

en

era

tion

tim

e (

s)

(c)

0 20 40 60 80 1000

20

40

60

80

100


Pe

r−in

de

x s

ea

rch

tim

e (

ms)

ABKS−URAPKS

(d)

Fig. 2. Performance evaluation on ABKS-UR. (a) Time cost for system setup. (b) Secure index generation time for10000 files. (c) Trapdoor generation time. (d) Time cost for search over a single index.

6.6 User Revocation

As the server can efficiently eliminate the revoked user’sidentity information from the corresponding user lists,we do not show it in Tab.1. Instead, we calculate themain computation complexity of ReKeyGen, ReEncIn-dex and ReKey. To update the system, the TA usesthe algorithm ReKeyGen to produce the new versionof MK ′ and PK ′, and the re-encryption key set rk.Depending on the number of attributes to be updated,generating rk requires minimum M to maximum nMoperations. Likewise, the computation overhead for PK ′

is within the range from E to nE. Moreover, the CScalls the ReEncIndex algorithm to re-encrypt the secureindexes at its storage. Each index update needs E to nEoperations in G, which is also the computation overheadrange for the CS to update a legitimate user’s secret keyby algorithm ReKey.

6.7 Authenticated Search Result

Other than the computation cost for ABKS-UR, a dataowner still needs to prepare a user list bloom filter BFUL,a keyword bloom filter BFW and file lists Lw for hisoutsourced dataset. Assume for this dataset there are aauthorized users, b extracted keywords, and average qfiles in each Lw. Let k1 and k2 be the number of hashfunctions used to insert a user and a keyword into BFUL

and BFW respectively. Thus, the main computation costfor these data preparation is ak1+bk2+(3q−1)b efficienthash operations as shown in Tab. 2.

At the search phase, the CS only needs to computesfile list L′

w for each authorized dataset for the user. Tab.2 shows that every file list can be generated by q−t hashoperations, where t is the average number of matchingfiles in L′

w.If the data user queries a keyword searched before,

the CS will only return the search result and the userwill verify them by checking the search history (see thediscussion in Sect. 5). Therefore no extra communica-tion and computation overhead is introduced in thissituation. Otherwise, in the worst case, the user shouldchecking all the returned BFUL, BFW and L′

w. As shownin Tab. 2, suppose there are m datasets stored on the

server and the user is only authorized to access onedataset, the verification cost is mk1 + k2 + 2q + t − 1hash operations and t per-index search operations. Inorder to save the communication cost between the CSand the user, the user list bloom filters BFUL can bestored on the user side after he receives them from theserver (see the discussion in Sect. 5). For the BFUL of1% false positive rate and 100 outsourced datasets, thecorresponding storage cost is shown in Tab. 3. In thisworst case that 10000 authorized users are inserted toeach BFUL, the user only needs about 1 MB storagespace to keep the user list bloom filters of all the datasets.

To realize the verifiable ABKS-UR, except that theuser may need to search the verified data structure (thecomputational complexity is much smaller than that ofsearch on the server), data owner and cloud server haveminimal extra computation overhead, i.e., efficient hashfunction evaluation.

TABLE 3Storage cost for 100 BFUL of 1% false positive rate

# of inserted users 2000 4000 6000 8000 10000Size (MB) 0.24 0.48 0.72 0.96 1.19

7 CONCLUSION

In this paper, we design the first verifiable attribute-based keyword search scheme in the cloud environment,which enables scalable and fine-grained owner-enforcedencrypted data search supporting multiple data ownersand data users. Compared with existing public keyauthorized keyword search scheme [14], our schemecould achieve system scalability and fine-grainednessat the same time. Different from search scheme [21]with predicate encryption, our scheme enables a flexibleauthorized keyword search over arbitrarily-structureddata. In addition, by using proxy re-encryption andlazy re-encryption techniques, the proposed scheme isbetter suited to the cloud outsourcing model and enjoysefficient user revocation. On the other hand, we makethe whole search process verifiable and data user can



12

be assured of the authenticity of the returned searchresult. We also formally prove the proposed schemesemantically secure in the selective model.

ACKNOWLEDGMENTS

This work was supported in part by the NSFC 61272457,the National Project 2012ZX03002003-002, the 863 Project2012AA013102, the 111 Project B08038, the IRT1078, theFRF K50511010001, the NSFC 61170251, and the U.S. NSFgrants CNS-1217889 and CNS-1338102.

REFERENCES

[1] W. Sun, S. Yu, W. Lou, Y. T. Hou, and H. Li, “Protecting YourRight: Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud,” in IEEE INFOCOM,pp. 226-234, 2014.

[2] S. Yu, C. Wang, K. Ren, and W. Lou, “Achieving secure, scalable,and fine-grained data access control in cloud computing,” in Proc.of IEEE INFOCOM, pp. 1-9, 2010.

[3] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and securesharing of personal health records in cloud computing usingattribute-based encryption,” IEEE TPDS, vol. 24, no. 1, pp. 131-143, 2013.

[4] S. Kamara and K. Lauter, “Cryptographic cloud storage,” in Finan-cial Cryptography and Data Security, pp. 136–149, 2010.

[5] D. Song, D. Wagner, and A. Perrig, “Practical techniques forsearches on encrypted data,” in Proc. of IEEE S&P, pp. 44-55, 2000.

[6] Y. Huang, D. Evans, J. Katz, and L. Malka, “Faster secure two-party computation using garbled circuits,” in USENIX SecuritySymposium, vol. 201, no. 1, 2011.

[7] C. Gentry, “A fully homomorphic encryption scheme,” Ph.D. dis-sertation, Stanford University, 2009.

[8] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchablesymmetric encryption: improved definitions and efficient construc-tions,” in Proc. of ACM CCS, pp. 79-88, 2006.

[9] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchablesymmetric encryption,” in Proc. of ACM CCS, pp. 965-976, 2012.

[10] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preservingmulti-keyword ranked search over encrypted cloud data,” in Proc.of IEEE INFOCOM, pp. 829-837, 2011.

[11] W. Sun, B. Wang, N. Cao, M. Li, W. Lou, Y. T. Hou, and H.Li, “Privacy-preserving multi-keyword text search in the cloudsupporting similarity-based ranking,” in Proc. of ACM ASIACCS,pp. 71-82, 2013.

[12] F. Bao, R. H. Deng, X. Ding, and Y. Yang, “Private query on en-crypted data in multi-user settings,” in Information Security Practiceand Experience, Springer, pp. 71-85, 2008.

[13] Y. Yang, H. Lu, and J. Weng, “Multi-user private keyword searchfor cloud computing,” in Proc. of IEEE CloudCom, pp. 264-271, 2011.

[14] Y. H. Hwang and P. J. Lee, “Public key encryption with conjunc-tive keyword search and its extension to a multi-user system,” inProc. of Pairing, pp. 2-22, 2007.

[15] M. Blaze, G. Bleumer, and M. Strauss, “Divertible protocols andatomic proxy cryptography,” in Proc. of EUROCRYPT, pp. 127-144,1998.

[16] M. Kallahalla, E. Riedel, R. Swaminathan, Q. Wang, and K. Fu,“Plutus: Scalable secure file sharing on untrusted storage,” in Proc.of FAST, vol. 42, pp. 29-42, 2003.

[17] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Publickey encryption with keyword search,” in Proc. of EUROCRYPT, pp.506-522, 2004.

[18] P. Golle, J. Staddon, and B. Waters, “Secure conjunctive keywordsearch over encrypted data,” in Proc. of ACNS, pp. 31-45, 2004.

[19] D. Boneh and B. Waters, “Conjunctive, subset, and range querieson encrypted data,” in Theory of Cryptography, pp. 535-554, 2007.

[20] J. Katz, A. Sahai, and B. Waters, “Predicate encryption supportingdisjunctions, polynomial equations, and inner products,” in Proc.of EUROCRYPT, pp. 146-162, 2008.

[21] M. Li, S. Yu, N. Cao, and W. Lou, “Authorized private keywordsearch over encrypted data in cloud computing,” in Proc. of IEEEICDCS, pp. 383-392, 2011.

[22] H. Pang and K.-L. Tan, “Authenticating query results in edgecomputing,” in Proc. of ICDE, pp. 560-571, 2004.

[23] H. Pang and K. Mouratidis, “Authenticating the query results oftext search engines,” in Proc. VLDB Endow., vol. 1, no. 1, pp. 126-137, 2008.

[24] C. Wang, N. Cao, K. Ren and W. Lou, “Enabling secure andefficient ranked keyword search over outsourced cloud data,” IEEETPDS, vol. 23, no. 8, pp. 1467-1479, 2012.

[25] W. Sun, B. Wang, N. Cao, M. Li, W. Lou, Y. T. Hou, and H. Li,“Verifiable privacy-preserving multi-keyword text search in thecloud supporting similarity-based ranking,” IEEE TPDS, vol. 99,no. PrePrints, pp. 1, 2013.

[26] B. H. Bloom, “Space/time trade-offs in hash coding with allow-able errors,” Communications of the ACM, vol. 13, no. 7, pp. 422-426,1970.

[27] NIST, “NIST’s dictionary of algorithms and data structures: in-verted index,” [Online]. Available: http://xlinux.nist.gov/dads//HTML/invertedIndex.html.

[28] V. Goyal, O. Pandey, A. Sahai, and B. Waters, “Attribute-basedencryption for fine-grained access control of encrypted data,” inProc. of ACM CCS, pp. 89-98, 2006.

[29] J. Bethencourt, A. Sahai, and B. Waters, “Ciphertext-policyattribute-based encryption,” in Proc. of IEEE S&P, pp. 321-334, 2007.

[30] L. Cheung and C. Newport, “Provably secure ciphertext policyABE,” in Proc. of ACM CCS, pp. 456-465, 2007.

[31] S. Yu, C. Wang, K. Ren, and W. Lou, “Attribute based data sharingwith attribute revocation,” in Proc. of ACM ASIACCS, pp. 261-270,2010.

[32] E. Shen, E. Shi, and B. Waters, “Predicate privacy in encryptionsystems,” in Theory of Cryptography, pp. 457-473, 2009.

[33] B. Chor, E. Kushilevitz, O. Goldreich, and M. Sudan, “Privateinformation retrieval,” Journal of the ACM, vol. 45, no. 6, pp. 965-981, 1998.

[34] D. Boneh and M. Franklin, “Identity-based encryption from theWeil pairing,” in Proc. of CRYPTO, pp. 213-229, 2001.

[35] W. W. Cohen, “Enron Email Dataset.” [Online]. Available: https://www.cs.cmu.edu/∼enron/

[36] “Pairing-based cryptography libray.” [Online]. Available: http://crypto.stanford.edu/pbc/

Wenhai Sun (S’14) received his B.S. degreein Information Security from Xidian University,Xi’an, China, in 2007. Since 2009, he has been aPh.D. student in a combined M.S./Ph.D. programin the School of Telecommunications Engineer-ing at Xidian University. From 2011 to 2013, hewas a visiting Ph.D student in the Cyber SecurityLab at Virginia Tech. His research interests areapplied cryptography, cloud computing securityand wireless network security. He is a StudentMember of the IEEE.

Shucheng Yu (S’07-M’10) received the BS de-gree in computer science from Nanjing Univer-sity of Post & Telecommunication in China, theMS degree in computer science from TsinghuaUniversity, and the PhD degree in electrical andcomputer engineering from Worcester Polytech-nic Institute. He joined the Computer ScienceDepartment at the University of Arkansas atLittle Rock as an assistant professor in 2010.His research interests are in the general areas ofNetwork Security and Applied Cryptography. His

current research interests include secure data services in cloud comput-ing, attribute-based cryptography, and security and privacy protection incyber physical systems. He is a Member of the IEEE.



13

Wenjing Lou (M’03 - SM’08) is a professor atVirginia Polytechnic Institute and State Univer-sity. Prior to joining Virginia Tech in 2011, shewas a faculty member at Worcester PolytechnicInstitute from 2003 to 2011. She received herPh.D. in Electrical and Computer Engineeringat the University of Florida in 2003. Her currentresearch interests are in cyber security, withemphases on wireless network security and datasecurity and privacy in cloud computing. Shewas a recipient of the U.S. National Science

Foundation CAREER award in 2008. She is a Senior Member of theIEEE.

Y. Thomas Hou (S’91-M’98-SM’04-F’14) is aprofessor in the Bradley Department of Electri-cal and Computer Engineering, Virginia Tech,Blacksburg, VA, USA. His research interests arecross-layer optimization for wireless networks.He is also interested in wireless security. He haspublished extensively in leading journals andtop-tier conferences and received five best paperawards from IEEE (including IEEE INFOCOM2008 Best Paper Award and IEEE ICNP 2002Best Paper Award) and one Distinguished Paper

Award from ACM. Prof. Hou is currently serving as an Area Editor ofIEEE Transactions on Wireless Communications, an Associate Editorof IEEE Transactions on Mobile Computing, an Editor of IEEE Journalon Selected Areas in Communications (Cognitive Radio Series), andan Editor of IEEE Wireless Communications. He is the Chair of IEEEINFOCOM Steering Committee. He is a Fellow of the IEEE.

Hui Li (M’10) received B.Sc. degree from FudanUniversity in 1990, M.Sc. and Ph.D. degreesfrom Xidian University in 1993 and 1998. In2009, he was with Department of ECE, Uni-versity of Waterloo as a visiting scholar. Since2005, he has been a professor in the schoolof Telecommunications Engineering, Xidian Uni-versity, China. His research interests are in theareas of cryptography, security of cloud com-puting,wireless network security and informationtheory. He served as TPC co-chair of ISPEC

2009 and IAS 2009, general co-chair of E-Forensic 2010, ProvSec 2011and ISC 2011. He is a Member of the IEEE.

protecting your right: veriﬁable attribute-based keyword ... · protecting your right:...

Documents