Efficiently Multi-User Searchable Encryption Scheme with Attribute Revocation and Grant for Cloud Storage

  • Shangping Wang, 
  • Xiaoxue Zhang, 
  • Yaling Zhang

Abstract

Ciphertext-policy attribute-based encryption (CP-ABE) addresses the problem of access control, while keyword-based searchable encryption addresses the problem of quickly finding the files a user is interested in within cloud storage. Designing a scheme that is both searchable and attribute-based is a new challenge. In this paper we propose an efficient multi-user searchable attribute-based encryption scheme with attribute revocation and grant for cloud storage. In the new scheme the attribute revocation and grant processes are delegated to a proxy server, and multiple attributes can be revoked and granted simultaneously. The scheme also provides a keyword search function. Its security reduces to the bilinear Diffie-Hellman (BDH) assumption: the scheme is proven secure under indistinguishability against selective ciphertext-policy and chosen plaintext attack (IND-sCP-CPA), and the keyword search is semantically secure under indistinguishability against chosen keyword attack (IND-CKA) in the random oracle model.

I. Introduction

Fuzzy identity-based encryption (IBE), regarded as the prototype of attribute-based cryptography, was put forward by Sahai and Waters [1] in 2005. In an attribute-based encryption system each user holds a number of descriptive attributes (such as gender, age, education and occupation). A user's private key is associated with an attribute set and a ciphertext with an access policy; when the private key matches the ciphertext, the user can decrypt it.

Goyal et al. [2] divided ABE into ciphertext-policy (CP-ABE) and key-policy attribute-based encryption (KP-ABE) and gave definitions for both.

Bethencourt et al. [3] provided a new construction that not only supports a flexible access structure but also resists collusion: different users cannot enlarge their access rights by combining their private keys. Other notable work includes the scheme of Emura et al. [4], which reduces computational complexity and storage load.

The CP-ABE schemes above are important contributions, but real deployments keep changing and the schemes face new challenges. Once some users' attributes change, the system should promptly update those users' attribute sets and the corresponding private keys.

A number of attribute revocation schemes have been put forward [5–13]. Generally speaking, revocation mechanisms can be divided into two types: direct revocation [6–9] and indirect revocation [10–13]. The main difference is that direct revocation is enforced through an explicit revocation list, whereas indirect revocation is enforced by updating the private keys of the non-revoked users (implicitly, the revoked users' private keys become useless). Zhang et al. [8] put forward a direct revocation scheme characterized by constant-length ciphertexts, in which only a partial ciphertext update is required when a revocation occurs. The scheme of Yu et al. [10] achieves efficient ciphertext update through proxy re-encryption, but it is limited to a fixed access policy. Motivated by its efficiency and this limitation, Naruse et al. [13] studied it further and proposed a scheme that supports a more flexible access policy.

On the other hand, with the development of computer networks and outsourcing, many enterprises have built their own local networks and databases and, after applying encryption and access control, handed their databases over to a third party for management. Since the third party is not fully trusted, efficient search capability and a secure search process are two important goals of current research, and several works address these two directions [14–17].

Bao et al. [14] put forward a scheme applicable to the cloud storage environment that realizes multi-user search. Because users' access rights differ according to their attribute sets, the efficiency of such a system needs to be further improved as the number of users grows.

Several schemes for efficient access control in multi-user keyword search have also been put forward [18–24].

Recently, Lv et al. [18] proposed an efficient keyword-searchable model; however, it lacks a complete security model, and its limitations appear when a user's attributes change. Kaci et al. [23] put forward a scheme consistent with the ACAS (Access Control Aware Search) principle that improves the confidentiality of outsourced data; nonetheless, the efficiency of their model is evaluated only as a function of data size.

Most existing multi-user attribute-based keyword-searchable encryption schemes focus on efficient access control and a fast search process; some of them also achieve user revocation, for example by removing the user's search key from the proxy server [18].

In addition, research on information security in specific scenarios has been proposed. One direction focuses on the security of vehicular ad hoc networks [25–27]; a second deals with secure communication in Internet of Things (IoT) networks [28, 29]. Other directions include file search in unstructured P2P (peer-to-peer) grid networks [30–32] and WSNs (wireless sensor networks) in healthcare applications [33].

A. Our Contributions

  • Our scheme supports the simultaneous revocation and grant of multiple attributes of a user by adding a series of attribute parameters. The attribute revocation is fine-grained: it can revoke selected attributes of selected users, rather than revoking a single attribute for everyone or removing attributes from the system. Attribute grant works similarly. In addition, the proposed scheme is proven IND-sCP-CPA secure.
  • We use a lazy revocation technique [34] for the update of a user's attributes and private key: the user's attribute set and private key are updated only when the user actually accesses the encrypted files.
  • The keyword search process in [18] does not have a complete security proof. By changing the computation of the search trapdoor in [18], we prove that our keyword search scheme is IND-CKA secure in the random oracle model under the bilinear Diffie-Hellman (BDH) assumption.
  • User identity revocation in our scheme works as in [18].

B. Comparisons

We compare the function of our scheme with the existing schemes presented in [3, 13, 18] in Table 1.

II. Preliminaries

A. Mathematical Tools

We first give the mathematical tools that will be used later in this article; detailed treatments can be found in the references.

Definition 1 (Bilinear Map [2]). Let  and  be two multiplicative cyclic groups of prime order p, and let g be a generator of . A bilinear map  satisfies:

  • Bilinearity: for all and ;
  • Non-degeneracy: e(g, g) ≠ 1;
  • Computability: for all , e(u, v) is efficiently computable.

Definition 2 (Lagrange Coefficient [24]). The Lagrange coefficient Δi,S(x) is defined for  and a set S of elements of  by the following equation:

B. Access Tree

In this paper, we use the access tree as the access policy.

Definition 3 (Access Tree [18]). In an access tree, the number of children of an interior node x is denoted numx. Each node carries a threshold (kx, numx) with 0 < kx ≤ numx. In particular, kx = 1 makes the node an 'OR' gate and kx = numx makes it an 'AND' gate. Each leaf node is associated with an attribute. For convenience, we define the following functions on the access tree.

  • parent(x): this returns the parent node of a node x except the root node.
  • index(x): assuming the children of each node are numbered from 1 to num, this returns the number associated with the node x.
  • att(x): this returns the attribute associated with a leaf node x.

C. BDH Problem

Let  and  be two cyclic groups of prime order p, and let  be a valid bilinear map. The BDH problem in  is defined as follows: given a generator g of  and ga, gb, gc for random , compute .

BDH assumption [35]. The assumption holds if no polynomial-time adversary can solve the above BDH problem with non-negligible probability.

III. System and Security Models

A. System Model

We first define the five entities of the system: an attribute authority, data owners, a proxy server, a cloud server and users, described below. The system model of our scheme is given in Fig 1.

  • Attribute authority (AA). The attribute authority is fully trusted by the other entities and is responsible for system setup, new user registration, attribute assignment and key generation. When some users' attribute sets change (that is, some attributes are revoked or granted), AA maintains a revoked user list and a granted user list for each attribute and updates the public parameters, master key, proxy update key and proxy grant key.
  • Data owner (DO). The data owner uploads all data files to the cloud server. So that other legitimate users can find the corresponding files by keyword, the data owner extracts keywords and builds a keyword index, which is uploaded to the cloud server together with the encrypted files.
  • User (U). Legitimate users can download the files they are interested in from the system. To hide the search keyword, the user generates a search trapdoor. He then sends his unique identity, attribute set and partial private key component to the proxy server, which updates his attribute set and private key component. After receiving the updated attribute set and private key component, he sends his trapdoor together with his unique identity to the cloud server. The proxy server then performs most of the decryption work without learning anything about the file content, and the user computes the final message.
  • Proxy server (PS). The proxy server is deployed by AA. It re-encrypts encrypted shared data and updates users' attribute sets and corresponding private keys using the proxy update key and proxy grant key received from AA. It can also perform most of the CP-ABE decryption task on behalf of users.
  • Cloud server (CS). This paper mainly uses the large storage capacity of CS to store the data files in the system. CS also helps to generate keyword indexes and trapdoors. To achieve efficient search we use the D. Data Upload method of [18] to store and search files, and, similar to the G. User Revocation method of [18], CS can perform user revocation.

B. Algorithms Definitions

Our proposed multi-user searchable encryption scheme with attribute revocation and grant for cloud storage is composed of the following fourteen randomized polynomial-time algorithms.

  • AA.Setup (λ, U)→(PP, MK, UK, GK): The setup algorithm takes a security parameter λ and an attribute universe description U as input. It outputs the public parameters PP, the master private key MK, the proxy update key UK and the proxy grant key GK.
  • DO.Enc : The encryption algorithm takes the public parameters PP, a message M and an access structure  over the universe of attributes as input and outputs a ciphertext CT.
  • AA.KeyGen : The key generation algorithm takes the master private key MK, a unique user identity Uid and the corresponding attribute set  as input. It outputs Uid's private key , the user's search key , and the user's search key  in CS.
  • U.Dec : The decryption algorithm takes a ciphertext CT and a private key  as input. If the attribute set associated with  satisfies the access structure associated with CT, it decrypts successfully and outputs the message M.
  • AA.ReKeyGen (PP, MK, γ, ΔLγ, η, ΔLη, UK, GK)→(PP′, MK′, UK′, GK′, RKγ): The re-encryption key generation algorithm takes the public parameters PP, the master key MK, a set of attributes γ that are to be revoked for some users together with the corresponding revoked user list ΔLγ, a set of attributes η that are to be granted to some users together with the corresponding granted user list ΔLη, the proxy update key UK and the proxy grant key GK as input. It outputs the updated public parameters PP′, the updated master key MK′, the updated proxy update key UK′, the updated proxy grant key GK′ and the re-encryption key RKγ.
  • CS.ReEnc (γ, Cγ, RKγ)→Cγ′: The re-encryption algorithm takes a set of attributes γ that are revoked for some users, the ciphertext components Cγ = {Cx}att(x)∈γ ⊆ CT and the re-encryption key RKγ as input. It outputs the re-encrypted ciphertext components .
  • PS.ReKey : The key regeneration algorithm takes a unique user identity Uid with the corresponding attribute set , version number  and private key component , the proxy update key UK, and a set of attributes γ that are revoked for some users as input. It outputs the updated user attribute set , version number  and private key component .
  • PS.GrantAtt : The attribute grant algorithm takes a unique user identity Uid, the public parameters PP, the proxy grant key GK and a set of attributes η that are to be granted to some users as input. It outputs the set of attributes  granted to user Uid and the corresponding private key component .
  • DO.PreIndex (W)→(E): The pre-index generation algorithm for the data owner takes a keyword set W = {w1, ⋯, wm} as input. It outputs the data owner's pre keywords index set E = (E1, ⋯, Em).
  • CS.Index : The index generation algorithm for CS takes the data owner's pre keywords index set E = (E1, ⋯, Em) and the data owner's search key  in CS as input. It outputs CS's index parameter set V = (V1, ⋯, Vm).
  • DO.PostIndex : The post-index generation algorithm for DO takes CS's index parameter set V = (V1, ⋯, Vm) and his own search key  as input. It outputs DO's post keywords index set .
  • U.PreTrap : The pre-trapdoor generation algorithm for the user takes a keyword w and his own private search key  as input. It outputs the user's pre trapdoor Tw.
  • CS.PostTrap : The post-trapdoor generation algorithm for CS takes the user's pre trapdoor Tw and the user's search key  in CS as input. It outputs CS's post trapdoor k′.
  • CS.Test(IW, k′)→{1, 0}: The test algorithm for CS takes the post keywords index set IW and the post trapdoor k′ as input. If they match, the output is 1; otherwise the output is 0.

C. Security Definitions

Similar to most previous works, the CS is supposed to be “curious-but-honest” [13].

We consider the security model as two games between a challenger and an adversary .

Game 1 (IND-sCP-CPA security model).

The adversary  is assumed to be an outside attacker, including users of the system.

Init.  declares an access structure .

Setup. takes a security parameter λ and runs the Setup algorithm. It gives the public parameter PP to and keeps the master key MK to itself.

Phase 1.  adaptively issues polynomially many queries of the following kinds.

  • Private key query.  submits an attribute set S that does not satisfy the access structure  to . The challenger returns the corresponding private key SK to .
  • Update private key query.  is allowed to query the updated private key for an attribute in γ that is revoked for some users. The challenger returns the updated private key SK′.

Challenge.  submits two messages M0 and M1 of equal length. The challenger picks a random bit b ∈ {0, 1}, encrypts Mb under  and gives the ciphertext CT* to .

Phase 2. Repeat Phase 1 adaptively.

Guess.  outputs a guess b′ of b and wins the game if b′ = b.

The advantage of the in this game is defined as .

Definition 4. The proposed scheme is IND-sCP-CPA secure if no polynomial-time adversary  can win the above game with non-negligible advantage.

Game 2 (IND-CKA security model).

The adversary is assumed to be CS.

Setup. As in Game 1.

Phase 1.  adaptively issues polynomially many queries of the following kinds.

  • H1-Query.  may query the random oracle H1.
  • H2-Query.  may query the random oracle H2.
  • Trapdoor Queries.  may ask for the trapdoor of any keyword.

Challenge.  submits two keywords w0 and w1 whose trapdoors it has not asked for. The challenger picks a random bit b ∈ {0, 1} and gives the trapdoor k of wb to .

Phase 2. Phase 1 is repeated adaptively.

Guess.  outputs a guess b′ of b. If b′ = b,  wins the game and breaks our scheme.

Definition 5. In the random oracle model, the proposed scheme is IND-CKA secure if all polynomial time adversaries have at most a negligible advantage in the above game.

IV. Our Proposed Scheme

A. Detail Construction of Algorithms

AA defines the universe of attributes U = {1, 2, ⋯, n}, the unique user identity Uid ∈ {0, 1}*, and three hash functions:

  • H(∙): maps an attribute to a random element of .
  • H1(∙): maps a string in {0, 1}* to a random element of .
  • H2(∙): maps an element of  to a random string in {0, 1}l.

AA.Setup (λ, U) → (PP, MK, UK, GK): The setup algorithm takes the security parameter λ and the attribute universe description U = {1, 2, ⋯, n} as input. It first chooses two multiplicative cyclic groups  of prime order p (p > 2^λ) and a bilinear map . Then, for every i∈U, it randomly chooses  and computes a public parameter component . It randomly chooses x∈ZP as the search master key and three random numbers α, β, x∈Zp, and lets

In addition, it defines the system version number ver; the initial version number is ver = 0. It sets a proxy re-encryption key set rk = {rki}i∈U, where rki = {rki,0, ⋯, rki,ver} is the set of proxy re-encryption keys for attribute i under the different versions; the initial value is rki,0 = 1.

Let L = {Li}i∈U denote the revoked user list set, where the revocation list Li contains the users whose attribute i is to be revoked, and let  denote the granted user list set, where the grant list  contains the users to whom attribute i is to be granted. The revocation list Li may be empty, meaning that no user needs attribute i revoked; the same holds for the grant list .

Finally, define a set R that will store private key components later; its initial value is empty, R = ∅. For each , calculate  and output

The proxy update key UK = (ver, rk = {rki}i∈U, L = {Li}i∈U);

The proxy grant key .

DO.Enc : Similar to the encryption method in [18]. It takes the public parameters PP, a message M and an access structure  as input. The algorithm chooses a polynomial qx(∙) of degree kx−1 for each node x of the tree in a top-down manner. The polynomial qx(∙) must satisfy qx(0) = s if x is the root of , where s is chosen at random from , and qx(0) = qparent(x)(index(x)) otherwise. Note that a leaf node has no children, so its polynomial is the constant qx(∙) = qx(0) = qparent(x)(index(x)). Let Ψ be the set of leaf nodes of ; the ciphertext CT is computed as:

Here the function att(x) returns the attribute associated with the leaf node x, with att(x)∈U. Note that the hash function H(∙) maps an attribute to a random element of , so .

AA.KeyGen : The key generation algorithm takes the master private key MK, a unique user identity Uid and the corresponding attribute set  as input. It first sets the user's version number  to the current system version number . It then chooses a random  and a random ri∈ZP for each attribute . It outputs the private key as:

It also randomly chooses μ∈ZP, sets  as the user's search key, and computes  as the user's search key in CS.

U.Dec : Similar to the decryption method in [18]. The decryption algorithm first defines a recursive algorithm , where x denotes a node of , and evaluates it bottom-up.

  • For each leaf node x with i = att(x): if , it computes ; otherwise it returns ⊥.
  • For each interior node x, Lagrange interpolation over at least kx values  obtained from its children {zj} is used to compute .

Finally, for the root node of , let . The message is then recovered as:
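The share assignment in DO.Enc and the bottom-up reconstruction in U.Dec are the standard Shamir-style sharing over an access tree from Definition 3, using the Lagrange coefficient Δi,S(x) of Definition 2. The following Python model is an added example written for this page, not code from the paper: it works on plain field elements in Z_p instead of in the exponent of the pairing groups (the prime P, the `Node`/`gate`/`leaf` helpers and the attribute names are assumptions of the example), so it shows the polynomial structure and the threshold semantics without the group arithmetic.

```python
"""Access-tree secret sharing (DO.Enc) and Lagrange reconstruction (U.Dec),
carried out over Z_P instead of in a pairing group. Added example, not the
paper's code; P, Node, gate, leaf and the attribute names are assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

P = 2**127 - 1  # prime standing in for the group order p (assumption)


@dataclass
class Node:
    k: int = 1                       # threshold k_x; a leaf has k_x = 1
    children: List["Node"] = field(default_factory=list)
    attr: Optional[str] = None       # att(x) for a leaf, None for an interior node

    @property
    def num(self) -> int:            # num_x
        return len(self.children)


def leaf(attr: str) -> Node:
    return Node(attr=attr)


def gate(k: int, *children: Node) -> Node:
    """(k_x, num_x) threshold gate: k_x = 1 is OR, k_x = num_x is AND."""
    assert 0 < k <= len(children)
    return Node(k=k, children=list(children))


def lagrange_coefficient(i: int, S: List[int], x: int = 0) -> int:
    """Definition 2: Δ_{i,S}(x) = Π_{j∈S, j≠i} (x - j)/(i - j) in Z_P."""
    num, den = 1, 1
    for j in S:
        if j != i:
            num = num * (x - j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P


def share(node: Node, value: int, shares: Dict[str, int]) -> None:
    """Top-down: q_x(0) = value; the child with index(x) = j receives q_x(j)."""
    if node.attr is not None:
        shares[node.attr] = value % P      # leaf: constant polynomial
        return
    # random polynomial of degree k_x - 1 with constant term q_x(0) = value
    coeffs = [value % P] + [secrets.randbelow(P) for _ in range(node.k - 1)]
    for j, child in enumerate(node.children, start=1):   # index(x) runs 1..num_x
        q_j = sum(c * pow(j, e, P) for e, c in enumerate(coeffs)) % P
        share(child, q_j, shares)


def encrypt_shares(tree: Node) -> Tuple[int, Dict[str, int]]:
    """DO.Enc analogue: choose the root secret s and derive every leaf share."""
    s = secrets.randbelow(P)
    shares: Dict[str, int] = {}
    share(tree, s, shares)
    return s, shares


def reconstruct(node: Node, attrs: Set[str], shares: Dict[str, int]) -> Optional[int]:
    """U.Dec analogue, bottom-up. Returns q_x(0) for node x, or None (⊥)."""
    if node.attr is not None:
        return shares[node.attr] if node.attr in attrs else None
    recovered = []                                  # (index(z), q_z(0)) pairs
    for j, child in enumerate(node.children, start=1):
        r = reconstruct(child, attrs, shares)
        if r is not None:
            recovered.append((j, r))
        if len(recovered) == node.k:                # any k_x children suffice
            break
    if len(recovered) < node.k:
        return None
    S = [j for j, _ in recovered]
    return sum(r * lagrange_coefficient(j, S) for j, r in recovered) % P


if __name__ == "__main__":
    # constructed policy: 2 of {doctor, (cardiology OR oncology), senior}
    tree = gate(2, leaf("doctor"), gate(1, leaf("cardiology"), leaf("oncology")), leaf("senior"))
    s, shares = encrypt_shares(tree)
    print(reconstruct(tree, {"doctor", "oncology"}, shares) == s)   # satisfies
    print(reconstruct(tree, {"senior"}, shares) is None)            # does not
```

Because every interior node interpolates only at x = 0 and a leaf returns its share only when the user holds att(x), a user whose attributes fail the threshold at any node on every path to the root recovers nothing; the real scheme obtains the same behaviour in the exponent, which is what makes the shares useless without the matching key components.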

AA.ReKeyGen (PP, MK, γ, ΔLγ, η, ΔLη, UK, GK)→(PP′, MK′, UK′, GK′, RKγ): The re-encryption key generation algorithm takes the public parameters PP, the master key MK, a set of attributes γ (attributes to be revoked for some users) with the corresponding revoked user list ΔLγ, a set of attributes η (attributes to be granted to some users) with the corresponding granted user list ΔLη, the proxy update key UK and the proxy grant key GK as input.

If γ ≠ ∅, for each attribute i∈γ it chooses a random  as the new attribute key and then performs the following actions:

  • Master key update. Replace Atti in MK with ; the other parameters are unchanged.
  • Proxy update key update. Replace ver in UK with ver′ = ver + 1. For each i∈γ, calculate  and append it to the set rki = {rki,0, ⋯, rki,ver}; for every other attribute i∈U \ γ, append rki,ver′ = 1 instead, so that each set becomes rki = {rki,0, ⋯, rki,ver, rki,ver′}. Then add the identities in ΔLγ of the users whose attributes are to be revoked to the corresponding revocation lists L = {Li}i∈U.
  • Set the re-encryption key RKγ = {(i, rki,ver′)}i∈γ.
  • Proxy grant key update. Replace  in GK with ; the other parameters are unchanged.
  • Public parameter update. Calculate  and replace Ti in PP with ; the other parameters are unchanged.

If η ≠ ∅, add the identity of users in ΔLη who need to be granted some attributes to the corresponding grant user list in proxy grant key.

CS.ReEnc (γ, Cγ, RKγ)→Cγ′: The re-encryption algorithm takes a set of attributes γ that are revoked for some users, the ciphertext components Cγ = {Cx}att(x)∈γ ⊆ CT and the re-encryption key RKγ as input.

For each attribute i∈γ, find the corresponding leaf node x with i = att(x); the set of corresponding ciphertext components is Cγ = {Cx}att(x)∈γ ⊆ CT. For each Cx∈Cγ, calculate  and output Cγ′ = {Cx′}att(x)∈γ.

PS.ReKey : The key regeneration algorithm takes a unique user identity Uid with the corresponding attribute set , version number  and private key component , the proxy update key UK, and a set of attributes γ that are revoked for some users as input. It performs the following actions:

  • If the user already holds the latest version (), it outputs ⊥ and exits.
  • For each attribute i∈γ in the user's attribute set with Uid∈Li, attribute i is revoked for this user: remove it to obtain the updated attribute set  and delete Uid from Li.
  • For each remaining attribute , compute  and replace  with . Then set the user's version number to .
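The version bookkeeping spread over AA.Setup (rk with rki,0 = 1 and the lists L), AA.ReKeyGen (the version bump, rki,ver′ for i∈γ and 1 otherwise), CS.ReEnc and PS.ReKey is what makes the lazy revocation of Section I.A work: a user who skips several versions is caught up in one step. The following Python model is an added example written for this page, not the paper's code. It keeps only the bookkeeping; because the page does not give the algebraic update formulas, the example assumes that updating a key or ciphertext component by attribute i's re-encryption key is a multiplication by rki,j in Z_P (the real scheme performs the update in the exponent), and it checks every attribute's revocation list instead of taking γ as a parameter. P, the class names and the user and attribute names are assumptions.

```python
"""Versioned proxy update key UK = (ver, rk, L), lazy key catch-up (PS.ReKey)
and ciphertext re-encryption (CS.ReEnc). Added example, not the paper's code.
Assumption: components are integers mod P and "apply rk_{i,j}" means multiply
by rk_{i,j} in Z_P; the real scheme does this in a pairing group's exponent."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

P = 2**61 - 1   # prime standing in for the group order (assumption)


@dataclass
class ProxyUpdateKey:
    """UK = (ver, rk = {rk_i}_{i∈U}, L = {L_i}_{i∈U}) with rk_{i,0} = 1 and L_i = ∅."""
    universe: List[str]
    ver: int = 0
    rk: Dict[str, List[int]] = field(init=False)
    L: Dict[str, Set[str]] = field(init=False)

    def __post_init__(self) -> None:
        self.rk = {i: [1] for i in self.universe}
        self.L = {i: set() for i in self.universe}

    def rekeygen(self, gamma: Set[str], delta_L: Dict[str, Set[str]]) -> Dict[str, int]:
        """Revocation part of AA.ReKeyGen: ver' = ver + 1, a fresh rk_{i,ver'} for
        i∈γ and rk_{i,ver'} = 1 otherwise, ΔL_γ merged into L. Returns RK_γ."""
        self.ver += 1
        RK_gamma: Dict[str, int] = {}
        for i in self.universe:
            if i in gamma:
                rk_new = 1 + secrets.randbelow(P - 1)      # random non-zero factor
                self.L[i] |= delta_L.get(i, set())
                RK_gamma[i] = rk_new
            else:
                rk_new = 1
            self.rk[i].append(rk_new)
        return RK_gamma

    def accumulated(self, i: str, from_ver: int) -> int:
        """Π_{j=from_ver+1}^{ver} rk_{i,j}: everything a component last updated at
        version from_ver has missed. Equals 1 if attribute i was never rotated."""
        acc = 1
        for j in range(from_ver + 1, self.ver + 1):
            acc = acc * self.rk[i][j] % P
        return acc


@dataclass
class UserKey:
    uid: str
    attrs: Set[str]
    ver: int                      # user's version number ver_u
    comps: Dict[str, int]         # per-attribute private key component (toy)


def cs_reenc(c_gamma: Dict[str, int], RK_gamma: Dict[str, int]) -> Dict[str, int]:
    """CS.ReEnc: update the components C_x with att(x)∈γ by rk_{i,ver'}."""
    return {i: c * RK_gamma[i] % P for i, c in c_gamma.items()}


def ps_rekey(uk: ProxyUpdateKey, user: UserKey) -> Optional[UserKey]:
    """PS.ReKey, run lazily when the user next touches the system.
    ⊥ (None) if the user is current; attributes for which Uid∈L_i are dropped
    and Uid removed from L_i; every remaining component catches up over all
    skipped versions in one multiplication; ver_u is set to ver."""
    if user.ver == uk.ver:
        return None
    revoked = {i for i in user.attrs if user.uid in uk.L[i]}
    for i in revoked:
        uk.L[i].discard(user.uid)
        del user.comps[i]
    user.attrs -= revoked
    for i in user.attrs:
        user.comps[i] = user.comps[i] * uk.accumulated(i, user.ver) % P
    user.ver = uk.ver
    return user


if __name__ == "__main__":
    uk = ProxyUpdateKey(universe=["doctor", "nurse", "admin"])      # constructed
    alice = UserKey("alice", {"doctor", "nurse"}, 0, {"doctor": 5, "nurse": 7})
    rk1 = uk.rekeygen({"doctor"}, {"doctor": {"bob"}})             # version 1
    rk2 = uk.rekeygen({"doctor"}, {})                              # version 2
    ps_rekey(uk, alice)                                            # one catch-up
    print(alice.ver, alice.comps["doctor"] == 5 * rk1["doctor"] * rk2["doctor"] % P)
```

The invariant the test below checks is the one the scheme relies on: after CS.ReEnc has been applied at every version, a ciphertext component carries the product of all rki,j, and a non-revoked user who catches up once acquires exactly the same product, while a user listed in Li loses attribute i and is cleared from the list so the list does not grow without bound.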

PS.GrantAtt : The attribute grant algorithm takes a unique user identity Uid, the public parameters PP, the proxy update key UK, the proxy grant key GK and a set of attributes η that are to be granted to some users as input. It performs the following actions:

  • If for every i∈η we have , it outputs ⊥ and exits.
  • Otherwise, build an attribute set  as the grant set for user Uid, initially . For each i∈η, if , add attribute i to  and delete Uid from .
  • For each , find the parameter  in the list R and randomly choose ri∈ZP. Then compute  and define the grant private key component as .

DO.PreIndex (W)→(E): The pre index generation algorithm for data owner takes the keyword set W = {w1,⋯, wm} as input.

For each keyword wiW, it calculates , where is a random number.

Then, it outputs the data owner’s pre keywords index set E = (E1,⋯, Em).

CS.Index : The index generation algorithm run by CS takes the data owner's pre keywords index set E = (E1,⋯, Em) and the data owner's search key  in CS as input.

For each EiE, it computes .

Then, it outputs CS’s index parameter set V = (V1,⋯, Vm).

DO.PostIndex : The post-index generation algorithm for the data owner takes CS's index parameter set V = (V1,⋯, Vm), his own search key  and the random parameters li he chose before as input.

  • For each Vi∈V, it computes ;
  • it sets , where  denotes the encryption of a random number Qi under the secret key ki with a secure symmetric encryption algorithm such as AES.

It builds the data owner's post keywords index set  and outputs it.

U.PreTrap : The pre-trapdoor generation algorithm for the user takes as input a keyword w and his own search key .

It calculates the user's pre trapdoor  and outputs it.

CS.PostTrap : The post-trapdoor generation algorithm run by CS takes as input the pre trapdoor Tw and the user's search key  in CS.

It calculates CS's post trapdoor  and outputs it.

CS.Test(IW, k′)→{1, 0}: The test algorithm run by CS takes the post keywords index set  and the post trapdoor k′ = H2(e(H1(wi), g)x) as input and checks whether the following equation holds:

If the equation holds, it outputs 1; otherwise it outputs 0.

B. Main Construction

System Setup.

AA first runs AA.Setup (λ, U)→(PP, MK, UK, GK) to obtain the public parameters PP, master key MK, proxy update key UK and proxy grant key GK. AA then sends PP to CS and keeps UK, GK and MK secret.

Registration.

AA registers every legal user in the system as follows.

  • Assign a unique identity Uid and an attribute set  to the user;
  • Call AA.KeyGen  to compute the private key , the user's search key  and the user's search key  in CS;
  • Update the set  in .

Finally, AA transmits the tuple  to the new user, GK to PS and the tuple  to CS. CS adds the new user's information tuple  to the user information list.

Establishment of Index.

DO first extracts a set of keywords W = {w1, ⋯, wm} from the file in order to build a keyword index.

  • DO calls DO.PreIndex(W)→(E), which outputs DO's pre keywords index set E = (E1, ⋯, Em). DO sends his identity Uid together with E to CS.
  • After receiving the request, CS first looks up the data owner's  according to Uid and then calls CS.Index , which outputs CS's index parameter set V = (V1, ⋯, Vm). CS transmits V to DO.
  • DO inputs his own private search key  and the random parameters li he chose before, and calls DO.PostIndex , which outputs DO's post keywords index set .

File Upload.

The file upload process is similar to the D. Data Upload process in [18]. The final document is stored in CS as shown in Table 2.

Here Fid is the file number, [DataFile]k is the file encrypted under a symmetric key k, IW is the keyword index, and CT is the ciphertext of the symmetric key k produced by our algorithm DO.Enc . Details of the file upload process can be found in D. Data Upload in [18].

Attribute Alteration.

If no user's attributes need to change, the process outputs ⊥ and exits.

If there is a set of attributes γ to be revoked from some users and a set of attributes η to be granted to some users, we proceed as follows.

  • AA first calls AA.ReKeyGen (PP, MK, γ, ΔLγ, η, ΔLη, UK, GK)→(PP′, MK′, UK′, GK′, RKγ) to obtain the updated public parameters PP = PP′, master key MK = MK′, proxy update key UK = UK′, proxy grant key GK = GK′ and the re-encryption key RKγ. It then sends PP, γ and RKγ to CS, sends UK and GK to PS, and keeps MK, UK and GK secret.
  • On receiving PP, CS publishes it.
  • After receiving the re-encryption key RKγ, CS calls CS.ReEnc (γ, Cγ, RKγ)→Cγ′ and updates the corresponding ciphertext components.

The following steps are performed when a user needs to search for a file.

Trapdoor Generation.

First, the user chooses a search keyword w and calls U.PreTrap , which outputs the user's pre trapdoor Tw.

Updating Attribute and Private Key.

  • User Uid sends his parameters  to PS.
  • PS first calls PS.ReKey , which outputs the updated user attribute set , version number  and private key component .
  • PS then calls PS.GrantAtt , which outputs the set of attributes  granted to user Uid and the corresponding private key component .
  • PS sets the parameters .
  • PS returns the parameters  to the user and sends  to CS.
  • The user updates his own parameters  and . CS updates the tuple  for user Uid's attributes in the user information list.

Search the File by CS.

Uid sends his trapdoor  and his unique identity Uid to CS. CS performs the following actions.

  • According to the user's identity Uid, CS finds the corresponding user attribute set  and the user's search key  in CS from the user information list tuple .
  • With the trapdoor  and the user's search key , CS calls CS.PostTrap , which outputs CS's post trapdoor k′.
  • According to the attribute set , CS determines the documents the user can decrypt by performing Step 3 (search the data by the cloud server) of [18].
  • For all documents in this collection, CS matches the keyword trapdoor against the keyword index to find the files the user is interested in.
  • Using the search parameter k′, it runs CS.Test(IW, k′)→{1, 0}. If the output is 1, it returns the corresponding CT and {DataFile}k to the user.

File Decryption.

The user decrypts the ciphertext CT by calling the decryption algorithm U.Dec  to recover k, and then decrypts the symmetric ciphertext {DataFile}k to obtain the document DataFile.

As in [18], most of the decryption computation can be performed by PS.

User Revocation.

Our scheme achieves user identity revocation by removing the user's search key  from CS: once CS removes a user's , that user can no longer successfully search for files.

C. Flowchart of Our Proposed Scheme

We take a legitimate user Uid first as a data owner uploading his own data and then as a user accessing the files he is interested in. Fig 2(a), 2(b), 2(c), 2(d) and 2(e) give the flowcharts of system setup, new user registration, file upload, system version upgrade with ciphertext update, and file search by a user, respectively.

V. Security

A. Security Analysis

First of all, we analyze our scheme. There are six entities in the project: AA, PS, CS, DO, U.

AA is responsible for establishing the program, and we set it to be fully trusted.

Our PS is subordinate to authority. In order to reduce the computing load of AA and ensure the efficiency of program, we grant a lot of functions to PS. One of the most important functions is to grant user's attribute and the corresponding private key, which makes our PS must be trusted. If we think about the problem of malicious PS, we have to leave granted rights to AA. Only AA can execute the private key grant rights, which can improve the security of scheme to a certain extent, but it will reduce efficiency of scheme. It introduces a new model. We aim to study the integrity of our proposed scheme, which has not made a number of analysis to this new model.

DO has no difference from other users in set the private key in addition to having the data files to be uploaded. It is to say that keyword search process of DO is equivalent to a general user. Due to the users access permissions are different according to their own attribute set. Some users may want to access more data files beyond their access permissions. So one of the attack models we consider is derived from a malicious user. He may also be a legitimate user. We will show that our scheme is secure against this attack model.

CS is an outsourced server. As in most articles, we assume CS is “curious-but-honest” [13]. That is to say, CS is curious about the encrypted data contents or the received messages, but executes the assigned tasks correctly. It might be interested in the content of user searches, so the other attack model we consider is derived from a malicious CS.

B. Attack Model 1 (IND-sCP-CPA Security Model)

The adversary is assumed to be an outside attacker, including the users in the system.

By establishing a security game, we reduce the security of our scheme to Bethencourt’s scheme [3]. According to the proof in appendix A of reference [3] (Bethencourt’s scheme is IND-sCP-CPA secure), our scheme is also IND-sCP-CPA secure in attack model 1. The proof proceeds as follows.

Theorem 5. Suppose that Bethencourt’s scheme is IND-sCP-CPA secure; then our scheme is also IND-sCP-CPA secure in attack model 1.

Proof. We consider a simulator of Bethencourt’s scheme, a simulator of our scheme and a polynomial-time adversary of our scheme. It is noteworthy that the simulator of our scheme has a second identity: it is also an adversary of Bethencourt’s scheme. Suppose that of our scheme is able to distinguish a valid ciphertext from a random element with advantage ε. We build a simulator (namely of Bethencourt’s scheme) that can attack Bethencourt’s scheme with the same advantage. The simulation proceeds as follows.

Int. declares an access structure , which he wishes to be challenged upon. The simulator declares the same access structure.

Setup. The simulator takes a security parameter λ and runs the Setup algorithm of Bethencourt’s scheme. It gives the public parameter to the simulator . After receiving the public parameter PP′, the simulator randomly chooses for all i ∈ U as the attribute parameter. Then for all i ∈ U, j = 1, 2, ⋯, ver, it randomly chooses and generates the public parameter as follows.

Then, it sends the public parameter PP to .

Phase 1. adaptively issues polynomially many of the following queries.

  • private key query. submits a set of attributes S, where S does not satisfy the access structure , to the simulator . The simulator submits the same attributes to the simulator . Then the simulator can get the from the simulator . The simulator calculates as follows. For all i ∈ S, . The is given the private key .
  • update private key query. is allowed to issue queries for the updated private key SK for the attributes in γ which are to be revoked for some users. submits a part of the private key he asked for before, where S ∩ γ ≠ ϕ.
    1. For all attributes i ∈ γ, the simulator randomly chooses and maintains the update key {rki}i∈γ.
    2. For all attributes i ∈ S ∩ γ in , the simulator calculates and keeps the other parameters unchanged. Then it returns the updated private key to .

Challenge. submits two messages M0 and M1 on which he wishes to be challenged. outputs the same messages to . Then flips a random coin b ∈ {0, 1} and encrypts Mb with access structure . sends the ciphertext to . The simulator calculates CT* as follows. For all x ∈ Ψ, . is given the attribute key .

Phase 2. Phase 1 is repeated adaptively.

Guess. submits a guess b′ of b. outputs the guess b′ to indicate that it was given CT′. If is able to distinguish the valid ciphertext with advantage , we obtain a simulator that can distinguish the valid ciphertext in Bethencourt’s scheme with the same advantage.

C. Attack Model 2 (IND-CKA Security Model)

The adversary is assumed to be CS.

We will prove that our scheme is semantically secure for keyword trapdoors. Notice that in the search process of our scheme the public parameter is g, the private key of the user is , the private key of CS is , and the master private key of the attribute authority is Kmk = x. We assume that is a malicious CS; then the public parameters related to the search process that it can obtain are .

Theorem 6. Assuming that the BDH (Bilinear Diffie-Hellman) assumption holds, our scheme is IND-CKA secure in the random oracle model.

Proof. We consider a chosen-keyword-attack polynomial-time adversary and a simulator .

Suppose that is able to correctly distinguish keywords with advantage ε. We build a simulator that can solve the BDH problem with advantage at least , where ê is the base of the natural logarithm, qT > 0 is the number of pre-trapdoor queries, and is the number of hash queries.

Int. The simulator runs and receives a BDH challenge. It first chooses two multiplicative cyclic groups of prime order p and a bilinear map . is given , as well as u1 = g^α, u2 = g^β, u3 = g^γ for some random . ’s goal is to compute .

Setup. The simulator announces the public parameter with the implicit assumption that . According to the above settings, we can calculate that .

Phase 1. adaptively issues polynomially many of the following queries.

  • H1-Query: can always query the random oracle H1 on any keyword wi ∈ {0, 1}*. answers the queries of and records the result of each answer.
    If submits a keyword wi ∈ {0, 1}* that has not been asked before, does the following.
    1. generates a random coin ci ∈ {0, 1} such that Pr[ci = 0] = 1/(qT + 1).
    2. picks a random element . If the coin ci = 0, computes . If ci = 1, computes .
    3. adds the tuple (wi, hi, ai, ci) to the H1-list and returns H1(wi) = hi to .
    If submits a query wi that has been asked before, then finds the tuple (wi, hi, ai, ci) in the H1-list and responds to with it.
  • H2-Query: can always query the random oracle H2 on any . answers the queries of and records the result of each answer.
    If submits a that has not been asked before, chooses a random value H2(ti) = Vi ∈ {0, 1}^log p and adds the tuple (ti, Vi) to the H2-list. Then it returns H2(ti) = Vi to .
    If submits a query ti that has been asked before, then finds the tuple (ti, Vi) in the H2-list and responds H2(ti) = Vi to .
  • Pre-trapdoor queries: can also ask for the pre-trapdoor of any keyword wi ∈ {0, 1}*. answers the queries of as follows.
    1. For a keyword wi ∈ {0, 1}*, executes H1-Query to get a tuple (wi, hi, ai, ci).
    2. If ci = 0, declares a failure and ends the game.
    3. If ci = 1, . generates and returns to as the response to the query.

Challenge. submits two keywords w0 and w1 whose trapdoors have not been asked for by .

  • initiates H1-Query twice to obtain , where H1(w0) = h0, H1(w1) = h1. If c0 = 1 and c1 = 1, then reports a failure and terminates.
  • Otherwise, we know that at least one of c0 and c1 is equal to 0. If c0 = 0 and c1 = 0, picks a random bit b ∈ {0, 1}.
  • picks a random element k ∈ {0, 1}^log p and returns {u3, k} to as the response, where k imitates the post-trapdoor in our proposed scheme. Note that if has an advantage in answering the above question, we have the implied settings:

Phase 2. Phase 1 is repeated adaptively.

Guess. submits a guess b′ of b. If b′ = b, wins the game and breaks our scheme.

Correctness Analysis.

In the above simulation, if the adversary can break the game and distinguish the keyword with non-negligible probability, this means that the random element k it chooses is . Then can compute , which means it solves the DDH problem.

Probability Analysis.

We can prove that if can win the game with non-negligible probability ε, then can solve the BDH problem with probability at least . The process is detailed in [36].

Since the BDH assumption states that the BDH problem is hard, this probability is negligible. That is, our scheme is secure.
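The abort analysis above (the biased coin in H1-Query, the failure on a pre-trapdoor query with ci = 0, and the failure in the Challenge phase when c0 = c1 = 1) can be checked numerically. The following Python block is an added example and is not code from the paper: it models only the simulator's bookkeeping (the H1-list, the pre-trapdoor check and the challenge check) with a seeded PRNG, so no group elements or hash values are computed and ai is a placeholder integer; the names H1List, pre_trapdoor, challenge, run_game, exact_no_abort and bdop_factor are ours. It compares the measured non-abort frequency with the closed form (qT/(qT+1))^qT · (1 − (qT/(qT+1))^2) and with the 1/(ê·qT) non-abort factor that the PEKS proof of [36] uses.

```python
"""Added worked example (not from the paper): the abort analysis of the
IND-CKA simulator in attack model 2.

The simulator answers H1 queries by flipping a biased coin c_i with
Pr[c_i = 0] = 1/(q_T + 1), records (w_i, a_i, c_i) in its H1-list, aborts on
a pre-trapdoor query for a keyword with c_i = 0, and aborts in the challenge
phase if both challenge keywords have c = 1.  Only that bookkeeping is
modelled here; a_i is a placeholder integer (constructed), not a group element.
"""
import math
import random


class H1List:
    """The simulator's H1-list: keyword -> (a_i, c_i); h_i is not modelled."""

    def __init__(self, q_T, rng):
        self.q_T = q_T
        self.rng = rng
        self.entries = {}

    def query(self, w):
        if w not in self.entries:
            # Pr[c_i = 0] = 1/(q_T + 1), as in the H1-Query step of the proof.
            c = 0 if self.rng.random() < 1.0 / (self.q_T + 1) else 1
            a = self.rng.randrange(1, 1 << 16)  # placeholder for a_i (constructed)
            self.entries[w] = (a, c)
        return self.entries[w]


class SimulatorAborted(Exception):
    """Raised where the proof says the simulator 'declares a failure'."""


def pre_trapdoor(h1, w):
    """Pre-trapdoor query: answerable only when c_i = 1 (abort otherwise)."""
    a, c = h1.query(w)
    if c == 0:
        raise SimulatorAborted("pre-trapdoor query on a coin-0 keyword")
    return a  # stands in for the trapdoor the simulator builds from a_i


def challenge(h1, w0, w1):
    """Challenge phase: abort when both challenge keywords have c = 1."""
    _, c0 = h1.query(w0)
    _, c1 = h1.query(w1)
    if c0 == 1 and c1 == 1:
        raise SimulatorAborted("both challenge keywords have coin 1")
    return (c0, c1)


def run_game(q_T, rng):
    """One game: q_T distinct pre-trapdoor queries, then a challenge on two
    fresh keywords.  Returns True when the simulator does not abort."""
    h1 = H1List(q_T, rng)
    try:
        for i in range(q_T):
            pre_trapdoor(h1, "w%d" % i)
        challenge(h1, "w*0", "w*1")
    except SimulatorAborted:
        return False
    return True


def empirical_no_abort(q_T, trials=20000, seed=1):
    """Measured non-abort frequency over seeded runs of the game."""
    rng = random.Random(seed)
    return sum(run_game(q_T, rng) for _ in range(trials)) / trials


def exact_no_abort(q_T):
    """Closed form: all q_T trapdoor keywords get coin 1, and at least one
    of the two fresh challenge keywords gets coin 0."""
    p1 = q_T / (q_T + 1)
    return p1 ** q_T * (1 - p1 ** 2)


def bdop_factor(q_T):
    """The 1/(e * q_T) non-abort factor from the PEKS proof of [36]."""
    return 1.0 / (math.e * q_T)


if __name__ == "__main__":
    for q in (1, 2, 5, 10, 50):
        print(q, exact_no_abort(q), empirical_no_abort(q), bdop_factor(q))
```

Running the block prints, for several values of qT, the exact and measured non-abort probabilities next to 1/(ê·qT); the exact value stays above that factor for every qT ≥ 1, which is the step that carries the adversary's advantage ε over to the simulator's advantage against BDH, before the remaining loss from guessing the right H2-list entry.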

Taking attack model 2 (a chosen keyword attack model from the cloud server) as an example, we give the specific flow chart of the game process in Fig 3.

VI. Performance Analysis and Comparison

A. Performance Analysis

The time complexity of our scheme. In the Setup phase, a public parameter and master key are generated. At this stage, the total number of attributes is defined as n. An exponentiation operation in or is denoted by e. A pairing operation is denoted by p. The time complexity of generating PP, MK, UK, GK is (2 + 2n)e + p, 0, 0, ne respectively. Thus the total time complexity of Setup is (2 + 3n)e + p.

In the Encrypt algorithm with d2 attributes associated with the access structure, the user needs to run (2 + 2d2)e + p operations in order to compute CT. So the time complexity of Encrypt is (2 + 2d2)e + p.

When generating the private key for a user with d1 attributes, AA needs to run (2 + 3d1)e operations in order to compute SK. So the time complexity of the KeyGeneration algorithm is (2 + 3d1)e.

In the re-encryption algorithm with d3 attributes whose ciphertext needs to be updated, CS needs to run d3e operations in order to update the ciphertext component. So the time complexity of the re-encryption algorithm is d3e.

In the private key re-generation algorithm with d4 attributes that a user needs to update, PS needs to run d4e operations in order to update the ciphertext component. So the time complexity of the private key re-generation algorithm is d4e.

In the attribute grant algorithm with d3 attributes to be granted to a user, PS needs to run d3e operations in order to compute the corresponding SK. So the time complexity of the attribute grant algorithm is d3e.

In the pre-trapdoor generation algorithm for a keyword w, the user needs to run one exponentiation operation in order to hide the keyword. So the time complexity of the pre-trapdoor algorithm is e.

In the post-trapdoor generation algorithm for CS, the user needs to run one pairing operation. So the time complexity of the post-trapdoor algorithm is p.

In the decryption algorithm with d6 user attributes satisfying an access structure, the data owner needs to run 2e + (1 + d6)p operations in order to compute the message M. So the time complexity of the decryption algorithm is 2e + (1 + d6)p.

B. Comparison

We compare the computational complexity of our scheme with the existing schemes presented in [3, 13, 18] for the specific process in Table 3.

C. Simulation and Evaluation

In order to evaluate the performance of our CP-ABE construction, we test the runtime of the core algorithms Key Generation, Encryption and Decryption by a user with different numbers of attributes. Fig 4 shows the test result. The implementation uses the Pairing Based Cryptography (PBC) library [37]. We can clearly see from Fig 4 that the key generation time and the encryption time increase linearly with the number of attributes, while the decryption time keeps constant. This result is in agreement with our time complexity analysis in the Security and Performance Analysis sections.

VI. Application

Our scheme is well suited to applications in cloud computing environments. Take a search engine file management system as an example. First, users become legitimate users by registering as members. After a legitimate user logs in successfully, the user can not only search for documents of interest, but also upload local files to the server.

On the one hand, because of the large number of users and documents, the system outsources its data files to a CS.

On the other hand, because of the membership-grade system run by the operator, some documents can only be downloaded by certain VIP members. In order to facilitate the management of the system, the system can set up an internal PS to help manage users' membership grades and durations.

Ordinary users can become VIP users by way of payment. The process of granting the VIP attribute requires neither a system upgrade nor a ciphertext update: AA only needs to issue a grant command to the PS. When a user accesses the system, PS verifies according to the user's identity whether the user is required to be granted the attribute. For a user who needs to be granted attributes, PS grants the attribute and the private key to the corresponding user in time.

Once the VIP attribute becomes invalid or expires, AA updates the system in a timely manner and sends an update command to PS.

VII. Conclusion

In this paper, we propose an efficient multi-user searchable encryption scheme with attribute revocation and grant functions for cloud storage.

  • In the first scenario, we propose a CP-ABE scheme with attribute revocation and grant. Our scheme supports not only the revocation or grant of a single user attribute, but also granting or revoking a set of attributes for some users.
  • In the second scenario, we propose a multi-user search scheme based on a single keyword, as we focus on user attribute update rather than keyword search in this paper. The problem of conjunctive keyword search is a direction of our continued research.
  • In addition, the lazy update of users' attributes and private keys increases the efficiency of the scheme.
  • Since PS in our scheme has the permission to grant attributes, in order to prevent a malicious PS from granting a new attribute to a user, we require our PS to be honest and to strictly carry out the tasks assigned by the attribute authority. In other words, PS verifies, in strict accordance with the grant list, whether a user needs to be granted attributes. The problem of malicious attacks by PS is another direction of our continued research.

Acknowledgments

This work is supported by the National Natural Science Foundation of China under grants 61572019, 61173192, the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China under Grant No. 2016JZ001, Research Foundation of Education Department of Shaanxi Province of China under grants 2013JK1142. Thanks also go to the anonymous reviewers for their useful comments.

Author Contributions

  1. Methodology: XZ SW.
  2. Software: XZ YZ.
  3. Validation: SW XZ.
  4. Writing – original draft: SW XZ YZ.
  5. Writing – review & editing: SW XZ YZ.

References

  1. Sahai A, Waters B. Fuzzy Identity-Based Encryption: Springer Berlin Heidelberg; 2005. 457–73 p.
  2. Goyal V, Pandey O, Sahai A, Waters B, editors. Attribute-based encryption for fine-grained access control of encrypted data. Proceedings of the 13th ACM conference on Computer and communications security; 2006.
  3. Bethencourt J, Sahai A, Waters B, editors. Ciphertext-Policy Attribute-Based Encryption. IEEE Symposium; 2007: Security and privacy; 2008.
  4. Emura K, Miyaji A, Nomura A, Omote K, Soshi M. A Ciphertext-Policy Attribute-Based Encryption Scheme with Constant Ciphertext Length. International Journal of Applied Cryptography. 2009;5451(1):13–23.
  5. Attrapadung N, Imai H, editors. Attribute-Based Encryption Supporting Direct/Indirect Revocation Modes. Ima International Conference on Cryptography and Coding; 2009 Dec 15–17; Cirencester, UK: Proceedings; 2009.
  6. Martinez-Vara P, Barranco JS, IDLSG S, Munoz-Lopez J, Torres-Rodriguez MA, Xique RS, et al. Ciphertext-Policy Attribute-Based Threshold Decryption with Flexible Delegation and Revocation of User Attributes (extended version). Centre for Telematics & Information Technology University of Twente. 2009;13(4):325–9.
  7. Wu Q, Miao Z. Adaptively Secure Attribute-Based Encryption Supporting Attribute Revocation. Wireless Communication Over Zigbee for Automotive Inclination Measurement China Communications. 2012;9(9):22–40.
  8. Zhang Y, Chen X, Li J, Li H, Li F, editors. FDR-ABE: Attribute-Based Encryption with Flexible and Direct Revocation. International Conference on Intelligent NETWORKING and Collaborative Systems; 2013: IEEE Computer Society; 2013.
  9. Qiuxin . A Generic Construction of Ciphertext-Policy Attribute- Based Encryption Supporting Attribute Revocation. Wireless Communication Over Zigbee for Automotive Inclination Measurement China Communications. 2014;11(A01):93–100.
  10. Yu S, Wang C, Ren K, Lou W, editors. Attribute based data sharing with attribute revocation. ACM Symposium on Information; 2010 Apr; Beijing, China: Computer and Communications Security.
  11. Chen JH, Wang YT, Chen KF. Attribute-Based Key-Insulated Encryption. Journal of Information Science & Engineering. 2011;27(2):437–49.
  12. Li Q, Feng D, Zhang L, editors. An attribute based encryption scheme with fine-grained attribute revocation. Global Communications Conference (GLOBECOM); 2012: IEEE.
  13. Naruse T, Mohri M, Shiraishi Y. Provably secure attribute-based encryption with attribute revocation and grant function using proxy re-encryption and attribute key for updating. Human-centric Computing and Information Sciences. 2015;5(1):1–13.
  14. Bao F, Deng RH, Ding X, Yang Y. Private Query on Encrypted Data in Multi-user Settings. Lecture Notes in Computer Science. 2008;4991:71–85.
  15. Bringer J, Chabanne H, Kindarji B, editors. Error-tolerant searchable encryption. IEEE International Conference on Communications; 2009: IEEE.
  16. Rhee HS, Park JH, Susilo W, Dong HL. Trapdoor security in a searchable public-key encryption scheme with a designated tester. Journal of Systems & Software. 2010;83(5):763–71.
  17. Hu C, Liu P. An Enhanced Searchable Public Key Encryption Scheme with a Designated Tester and Its Extensions. Journal of Computers. 2012;7(3):716–23.
  18. Lv Z, Zhang M, Feng D, editors. Multi-user Searchable Encryption with Efficient Access Control for Cloud Storage. IEEE International Conference on Cloud Computing Technology and Science; 2014: IEEE.
  19. Yang Y, Lu H, Weng J, editors. Multi-User Private Keyword Search for Cloud Computing. IEEE International Conference on Cloud Computing Technology and Science; 2011 Nov 29-Dec; Athens, Greece: Cloudcom; 2011.
  20. Liu Z, Wang Z, Cheng X, Jia C, Yuan K, editors. Multi-user Searchable Encryption with Coarser-Grained Access Control in Hybrid Cloud. International Conference on Emerging Intelligent Data and Web Technologies; 2013: IEEE Computer Society; 2013.
  21. Jian Y, Yang D, editors. An agent-based searchable encryption scheme in mobile computing environment. International Conference on Computing, Communication and Networking Technologies; 2014: IEEE Computer Society.
  22. Wang Q, Zhu Y, Luo X, editors. Multi-user Searchable Encryption with Coarser-Grained Access Control without Key Sharing. International Conference on Cloud Computing and Big Data; 2014: IEEE.
  23. Kaci A, Bouabanatebibel T, editors. Access control reinforcement over searchable encryption. IEEE International Conference on Information Reuse and Integration; 2014: IEEE.
  24. Lv Z, Chi J, Zhang M, Feng D, editors. Efficiently Attribute-Based Access Control for Mobile Cloud Storage System. IEEE International Conference on Trust, Security and Privacy in Computing and Communications; 2014: IEEE.
  25. Shojafar M, Cordeschi N, Baccarelli E. Energy-efficient Adaptive Resource Management for Real-time Vehicular Cloud Services. IEEE Transactions on Cloud Computing. 2016;PP(99):1–14.
  26. Li W, Song H. ART: An Attack-Resistant Trust Management Scheme for Securing Vehicular Ad Hoc Networks. IEEE Transactions on Intelligent Transportation Systems. 2016;17(4):960–9.
  27. Umar MM, Mehmood A, Song H. SeCRoP: secure cluster head centered multi-hop routing protocol for mobile ad hoc networks. Security & Communication Networks. 2016.
  28. Butun I, Erol-Kantarci M, Kantarci B, Song H. Cloud-centric multi-level authentication as a service for secure public safety device networks. IEEE Communications Magazine. 2016;54(4):47–53.
  29. Xu Q, Ren P, Song H, Du Q. Security Enhancement for IoT Communications Exposed to Eavesdroppers With Uncertain Locations. IEEE Access. 2016;4:1–12.
  30. Shojafar M, Abawajy JH, Delkhah Z, Ahmadi A, Pooranian Z, Abraham A. An Efficient and Distributed file search in Unstructured Peer-to-Peer Networks. Peer-to-Peer Networking and Applications. 2015;8(1):120–36.
  31. Javanmardi S, Shojafar M, Shariatmadari S, Ahrabi SS. FRTRUST: a fuzzy reputation based model for trust management in semantic P2P grids. International Journal of Grid & Utility Computing. 2014;6(1):57–66.
  32. Wei W, Fan X, Song H, Fan X. Imperfect Information Dynamic Stackelberg Game Based Resource Allocation Using Hidden Markov for Cloud Computing. IEEE Transactions on Services Computing. 2016:1–13.
  33. Zhang Y, Sun L, Song H, Cao X. Ubiquitous WSN for Healthcare: Recent Advances and Future Prospects. IEEE Internet of Things Journal. 2014;1(1):311–8.
  34. Kallahalla M, Riedel E, Swaminathan R, Wang Q, Fu K, editors. Plutus: Scalable Secure File Sharing on Untrusted Storage. Usenix Conference on File and Storage Technologies; 2003: USENIX association; 2003.
  35. Goyal V, Jain A, Pandey O, Sahai A. Bounded Ciphertext Policy Attribute Based Encryption: Automata, Languages and Programming; 2015. 579–91 p.
  36. Dan B, Crescenzo GD, Ostrovsky R, Persiano G. Public Key Encryption with Keyword Search: Springer Berlin Heidelberg; 2004. 506–22 p.
  37. Duquesne S, Lange T. Pairing-based cryptography. Mathiiscernetin. 2004;volume 22(3):573–90.