Attribute-Based Proxy Re-Encryption with Keyword Search

Keyword search on encrypted data allows one to issue the search token and conduct search operations on encrypted data while still preserving keyword privacy. In the present paper, we consider the keyword search problem further and introduce a novel notion called attribute-based proxy re-encryption with keyword search (ABRKS), which introduces a promising feature: in addition to supporting keyword search on encrypted data, it enables data owners to delegate the keyword search capability to some other data users complying with the specific access control policy. To be specific, ABRKS allows (i) the data owner to outsource his encrypted data to the cloud and then ask the cloud to conduct keyword search on outsourced encrypted data with the given search token, and (ii) the data owner to delegate keyword search capability to other data users in a fine-grained access control manner, by allowing the cloud to re-encrypt stored encrypted data into re-encrypted data (embedded with some form of access control policy). We formalize the syntax and security definitions for ABRKS, and propose two concrete constructions for ABRKS: key-policy ABRKS and ciphertext-policy ABRKS. In a nutshell, our constructions can be treated as the integration of technologies in the fields of attribute-based cryptography and proxy re-encryption cryptography.


Introduction
Cloud computing platforms assemble vast computational resources and make them available to users as a service. Cloud users can outsource their heavy computation tasks and/or storage to cloud providers while still enjoying promising properties, e.g., low maintenance cost and pervasive access. While it is promising, cloud computing also confronts many challenges against data privacy/system vulnerabilities [1][2][3] and service quality [4,5]. One possible solution to prevent these problems is to use the private cloud, where the underlying infrastructure (i.e., servers, network and storage) is owned and operated by the cloud users themselves. However, this might diminish the benefits brought by cloud computing, when compared with the public cloud, which is more reliable, elastic (i.e., computational resources can be increased and decreased quickly) and cost-saving. As such, individuals and organizations are considering migrating from their own infrastructure to the public cloud.
Editor: Cheng-Yi Xia, Tianjin University of Technology, China
In order to preserve data privacy against any possible attacks in the public cloud, it is inevitable for data owners to encrypt their data before outsourcing it to the cloud, which might hinder the data usage. For example, how can the data owner search on their outsourced encrypted data? How can the data owner delegate his search capability to other users in a fine-grained manner? In this paper, we continue the line of keyword search on encrypted data and attempt to solve the above questions simultaneously.
To explain the motivation for solving the above questions, we consider the following motivational application: The data owner, say Alice, encrypted her personal health data that was collected by sensors attached to her and outsourced the encrypted data to the cloud. In order to facilitate the examination of her health condition, Alice may need to share the encrypted data with professionals, e.g. doctors that work in some specific department, so that the professionals can retrieve qualified records from the cloud. In order to assure that only certain professionals satisfying some policy can conduct keyword search and retrieve corresponding encrypted data of their interest, Alice needs to delegate keyword search capability by specifying the fine-grained access control policy.
A straightforward solution toward the above questions can work as follows: the data owner encrypts his data with attribute-based encryption, and issues proper keys to data users so that only authorized data users can access these encrypted data. Unfortunately, solutions based on attribute-based encryption in the literature do not support keyword search. That is, even when satisfying the access control policy, the authorized user has to download the entire encrypted data, rather than the portion of encrypted data of his interest, which brings a huge communication overhead. In light of this, we propose a novel notion, dubbed attribute-based proxy re-encryption with keyword search (ABRKS), allowing data owners to grant keyword search capability to authorized users complying with access control policies.

Our Contribution
We introduce a novel notion called attribute-based proxy re-encryption with keyword search (ABRKS), which allows a data owner to delegate keyword search capability over his encrypted data to authorized users while complying with access control policies. We formally define its syntax and rigorously formalize the security definitions. We present two flavors of ABRKS constructions, key-policy ABRKS and ciphertext-policy ABRKS, the security of which is based on the standard Multilinear Decisional Diffie-Hellman Assumption in the random oracle model. Our solutions perfectly solve the motivation example and enjoy three distinctive properties: (i) The data owner can conduct keyword search on outsourced encrypted data; (ii) The data owner can delegate keyword search capability to users by specifying fine-grained access control policies so that only authorized users satisfying the access control policy can conduct keyword search; and (iii) There is no interaction between data owners and users. Moreover, the tedious work, e.g., performing keyword search and re-encrypting encrypted data, can be outsourced to the cloud without compromising data privacy.

Related Work
Here we briefly survey the works that are relevant to the problem we attempt to solve in this paper, but cannot solve it. We summarize the features of the most relevant techniques (proxy re-encryption with keyword search, attribute-based encryption, attribute-based encryption with keyword search and attribute-based proxy re-encryption) and compare them with our ABRKS solutions as shown in Table 1.

Proxy Re-encryption with Keyword Search
Proxy re-encryption with keyword search (PRES) was introduced in [6], which allows a data owner to delegate keyword search capability to other users. PRES was further revised by [7] and/or enhanced by various papers, e.g., [8][9][10][11]. However, all these PRES solutions only considered coarse-grained access control enforcement, i.e., delegating the search capability to one specific authorized user. In contrast, we consider the fine-grained access control enforcement when the data owner needs to delegate search capability in this paper.

Attribute-based Encryption
Attribute-based encryption (ABE) was first introduced by [12], which is to specify fine-grained access control on encrypted data, such that only data users with proper credentials (i.e., satisfying the access control policy) can decrypt the ciphertexts. There are two flavors of ABE depending on the manner of associating access control policy: key-policy ABE (KP-ABE) [13][14][15] associates the decryption key with the access control policy and ciphertext-policy ABE (CP-ABE) associates the ciphertext with the access control policy [16][17][18]. While ABE allows data owners to achieve fine-grained access control enforcement on encrypted data, unfortunately it cannot support keyword search.

Attribute-based Encryption with Keyword Search
The concept of attribute-based encryption with keyword search (ABKS) was introduced by [19] and [20] independently. It allows the data owner to grant search capability to authorized users by specifying fine-grained access control when encrypting plaintext. However, it does not support the data owner delegating search capability to authorized users once the encrypted data is stored in the cloud.

Attribute-based Proxy Re-encryption
Attribute-based proxy re-encryption (ABPRE) was introduced by [21] and enriched by [22][23][24][25][26] with various features. However, these solutions do not support the function of keyword search on encrypted data. Generally speaking, the solution in this paper can be regarded as an extension to ABPRE with the feature of keyword search on encrypted data.

Multilinear Maps
The concept of multilinear maps was introduced in [27] and came to reality thanks to [28,29]. Given a security parameter $\ell$ and an $\ell$-bit prime $p$, a 4-multilinear map consists of 4 cyclic groups $(G_0, G_1, G_2, G_3)$ of order $p$, and 3 mappings $e_i : G_0 \times G_i \to G_{i+1}$, $i = 0,1,2$. The 4-multilinear map should satisfy the following properties with respect to $i$, $i = 0,1,2$: (i) Given that $g_0 \in G_0$ is a generator of $G_0$, then and (iii) $e_i$ can be efficiently computed.

4-Multilinear Decisional Diffie-Hellman Assumption (4-MDDH)
Given the 4-multilinear map and 0 , a there exists no probabilistic polynomial algorithm $A$ that can determine whether $g_3^{abcwr} = Z$ or not with a non-negligible advantage with respect to security parameter $\ell$, where the advantage is defined as

Access Control Policy
Linear Secret Sharing Scheme
A linear secret sharing scheme (LSSS) can be used to represent an access control policy $P$ via $(M, p)$, where $M \in (Z_p)^{l \times k}$ is an $l \times k$ dimensional matrix with entries belonging to $Z_p$ and $p : \{1, \ldots, l\} \to U_{Att}$ is an injective function that maps a row into an attribute. Given an attribute set $S \subseteq U_{Att}$, where $U_{Att}$ is the attribute universe, we denote $F(S, P) = 1$ if $S$ satisfies the access control policy $P$. Specifically, an LSSS consists of two algorithms:
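As an added example (not part of the paper), the following sketch shows the usual LSSS share generation and reconstruction over Z_p for a policy matrix M: shares are λ_i = M_i · v with v = (secret, u_2, ..., u_k), and a set S satisfies the policy exactly when coefficients c_i exist with Σ c_i M_i = (1, 0, ..., 0). The modulus, the policy matrix, the attribute names and all function names are constructed for illustration; the row-labelling function written p on this page is called `rho` in the code to avoid a clash with the prime.

```python
# Added illustration (not from the paper): LSSS sharing and reconstruction over Z_p.
P = 2**61 - 1  # constructed prime modulus standing in for the group order p


def share(M, secret, rand):
    """Share generation: lambda_i = M_i . v with v = (secret, u_2, ..., u_k)."""
    v = [secret % P] + [u % P for u in rand]
    if any(len(row) != len(v) for row in M):
        raise ValueError("rand must supply k-1 values for an l x k matrix")
    return [sum(m * x for m, x in zip(row, v)) % P for row in M]


def recon_coeffs(M, rho, S):
    """Return {row index: c_i} with sum_i c_i * M_i = (1, 0, ..., 0), using only
    rows whose attribute rho[i] is in S; None means F(S, P) = 0."""
    rows = [i for i, at in enumerate(rho) if at in S]
    k, n = len(M[0]), len(rows)
    # One equation per matrix column, one unknown c_i per usable row.
    aug = [[M[i][j] % P for i in rows] + [1 if j == 0 else 0] for j in range(k)]
    pivots, r = [], 0
    for col in range(n):  # Gauss-Jordan elimination modulo P
        piv = next((t for t in range(r, k) if aug[t][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for t in range(k):
            if t != r and aug[t][col]:
                f = aug[t][col]
                aug[t] = [(x - f * y) % P for x, y in zip(aug[t], aug[r])]
        pivots.append(col)
        r += 1
    if any(row[n] for row in aug[r:]):  # (1,0,...,0) is not in the span of the rows
        return None
    coeffs = {i: 0 for i in rows}
    for eq, col in enumerate(pivots):
        coeffs[rows[col]] = aug[eq][n]
    return coeffs


def reconstruct(M, rho, S, shares):
    """Recover the secret from the shares of the attributes in S, or None."""
    c = recon_coeffs(M, rho, S)
    if c is None:
        return None
    return sum(ci * shares[i] for i, ci in c.items()) % P


# Constructed policy: (cardiologist AND emergency_room) OR family
POLICY_M = [[1, 1], [0, P - 1], [1, 0]]
POLICY_RHO = ["cardiologist", "emergency_room", "family"]

if __name__ == "__main__":
    sh = share(POLICY_M, 424242, [99])
    print(reconstruct(POLICY_M, POLICY_RHO, {"cardiologist", "emergency_room"}, sh))
    print(reconstruct(POLICY_M, POLICY_RHO, {"cardiologist"}, sh))
```
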

System Model
The system model of attribute-based proxy re-encryption with keyword search is shown in Fig. 1, consisting of three parties: the trusted authority, the cloud server and cloud users, who can be either the data owner or data users wishing to share the data owner's data. The trusted authority is responsible for initiating system public parameters and issuing private keys to cloud users with respect to their attributes. A data owner (say Alice) encrypts her data and the keyword index and outsources the encrypted data and the associated encrypted keyword index to the cloud server. Moreover, the data owner can retrieve encrypted data of her interest by issuing a search token with respect to some keyword to the cloud. On the other hand, the data owner is capable of granting search capability to other authorized users by issuing re-encryption keys (which are associated with access control policies) to the cloud. The cloud server provides storage and computation service for cloud users. In particular, the cloud server can transform the stored encrypted data with re-encryption keys from the data owner, so that the authorized data user (say Bob) is able to generate search tokens and ask the cloud server to conduct keyword search on the re-encrypted data for retrieving encrypted data of his interest. In this model, we assume that the data owner and data users require no direct interaction.

Functional Definition
We now present the formal definition of attribute-based proxy re-encryption with keyword search, which consists of two variants: key-policy ABRKS (KP-ABRKS), whose private keys are associated with access control policies, and ciphertext-policy ABRKS (CP-ABRKS), whose ciphertexts after re-encryption are associated with access control policies. To unify the presentation, let $I_{Enc}$ denote the input of the encryption function ReKeyGen and $I_{KeyGen}$ denote the input of the key generation function KeyGen. Therefore, $I_{Enc}$ and $I_{KeyGen}$ respectively correspond to an attribute set and an access policy in KP-ABRKS, whereas $I_{Enc}$ and $I_{KeyGen}$ respectively correspond to an access policy and an attribute set in CP-ABRKS. We denote $F(I_{KeyGen}, I_{Enc}) = 1$ if and only if $I_{Enc}$ satisfies $I_{KeyGen}$ in KP-ABRKS or $I_{KeyGen}$ satisfies $I_{Enc}$ in CP-ABRKS.
To be specific, an ABRKS scheme consists of algorithms as follows:
$(param, mk) \leftarrow \mathrm{Setup}(1^{\ell})$: Taking as input a security parameter $\ell$, this algorithm is run by the trusted authority to initiate the public parameter $param$ and a master private key $mk$.
$sk_{I_{KeyGen}} \leftarrow \mathrm{KeyGen}(mk, param, I_{KeyGen})$: Taking as input $I_{KeyGen}$, the master key $mk$ and public parameter $param$, this algorithm is run by the trusted authority to issue a private key $sk_{I_{KeyGen}}$ associated with $I_{KeyGen}$ for a data user.
$(sk_{uid}, pk_{uid}) \leftarrow \mathrm{PrivKeyGen}(param, uid)$: Taking as input a user's identity $uid$, the master key $mk$ and public parameter $param$, this algorithm is run by the trusted authority to generate a pair of keys $(sk_{uid}, pk_{uid})$.
$rk_{uid \to I_{Enc}} \leftarrow \mathrm{ReKeyGen}(sk_{uid}, I_{Enc})$: Taking as input a user's private key $sk_{uid}$ and $I_{Enc}$, this algorithm is run by the data owner to generate the re-encryption key $rk_{uid \to I_{Enc}}$.
$cph \leftarrow \mathrm{Enc}(kw, param, pk_{uid})$: Given a keyword $kw$, the public parameter $param$, and the data owner's public key $pk_{uid}$, this algorithm is run by the data owner to output an original ciphertext $cph$.
$cph_R \leftarrow \mathrm{ReEnc}(cph, param, rk_{uid \to I_{Enc}})$: Given a ciphertext of $uid$, the public parameter $param$, and a re-encryption key $rk_{uid \to I_{Enc}}$, this algorithm is run by the cloud server to output a re-encrypted ciphertext $cph_R$.
$token \leftarrow \mathrm{TokenGen}(sk_{uid}, kw)$: This algorithm is run by the data owner to generate a token $token$, which can be used to conduct the search operation over original encrypted keywords.
$token_R \leftarrow \mathrm{TokenGen}_R(sk_{I_{KeyGen}}, kw)$: This algorithm is run by a data user to generate a token $token_R$, which can be used to conduct the keyword operation over re-encrypted keywords.
$\mathrm{Search}(token, cph)$: This algorithm, run by the cloud server, returns 1 if the original encrypted keyword $cph$ and the token $token$ correspond to the same keyword; otherwise it returns 0.
$\mathrm{Search}_R(token_R, cph_R)$: This algorithm, run by the cloud server, returns 1 if (i) $F(I_{KeyGen}, I_{Enc}) = 1$ and (ii) the re-encrypted keyword $cph_R$ and the token $token_R$ correspond to the same keyword; otherwise it returns 0.

Security Definitions
The security of ABRKS requires that the ciphertexts and tokens leak nothing about the underlying keywords. Informally, the adversary is allowed to query the ciphertext of any plaintext and tokens except those corresponding to the two keywords in the challenge phase. We expect that the adversary cannot distinguish the challenge ciphertext that is generated from one of the keywords $kw_0$ and $kw_1$. To formalize the aforementioned security notion, we define the selective chosen keyword security game as follows. Note that in our corruption model, the adversary is not allowed to get the re-encryption key from uncorrupted users to corrupted users. Note also that in our security model we consider the static corruption model, in the sense that the set of corrupted users has to be selected in the setup phase.

Setup
The adversary $A$ selects a set of corrupted users denoted by $CoList$ and $I^*_{Enc}$, and sends them to the challenger. The challenger runs Setup to produce $param, mk$, sends $param$ to $A$ and keeps $mk$ private.

Phase 1
$A$ can query the following oracles polynomially many times: it returns the public key $pk_{uid}$ to $A$; otherwise $uid \in CoList$, then it returns the key pair $(pk_{uid}, sk_{uid})$ to $A$. We assume that before querying oracles $O_{rk}$, $O_{ReEnc}$ and $O_{token}$, the user's private key $sk_{uid}$ has been generated.
• $O_{ReEnc}(uid, I_{Enc})$: It runs $(sk_{uid}, pk_{uid}) \leftarrow \mathrm{PrivKeyGen}(param, uid)$, $rk_{uid \to I_{Enc}} \leftarrow \mathrm{ReKeyGen}(sk_{uid}, I_{Enc})$ and $cph_R \leftarrow \mathrm{ReEnc}(cph, param, rk_{uid \to I_{Enc}})$, and returns the re-encrypted keyword $cph_R$ to $A$.
• $O_{token}(uid, kw)$: It runs $token \leftarrow \mathrm{TokenGen}(sk_{uid}, kw)$, and returns the token $token$ for $kw$ over original encrypted keyword to $A$.
• $O_{token_R}(I_{KeyGen}, kw)$: It runs $token_R \leftarrow \mathrm{TokenGen}(sk_{I_{KeyGen}}, kw)$ and returns the token $token_R$ for $kw$ over re-encrypted keyword to $A$.

Challenge
$A$ selects an uncorrupted user $uid^* \notin CoList$ and two equal-length keywords $(kw_0, kw_1)$, where (i) $(uid^*, kw_0)$ or $(uid^*, kw_1)$ have never been queried on $O_{token}$ and (ii) if $(I_{KeyGen}, kw_1)$, then $(I_{KeyGen}, kw_0)$ and $(I_{KeyGen}, kw_1)$ have not been queried to $O_{token_R}$. $A$ sends them to the challenger. The challenger selects $s \leftarrow_R \{0,1\}$, runs $cph^* \leftarrow \mathrm{Enc}(kw_s, param, pk_{uid^*})$ and forwards $cph^*$ to $A$.

Phase 2
$A$ queries the oracles the same as Phase 1 except that
• $(uid^*, kw_0)$ and $(uid^*, kw_1)$ are not allowed to be queried on $O_{token}$.
• If $F(I_{KeyGen}, I^*_{Enc}) = 1$, then $(I_{KeyGen}, kw_0)$ and $(I_{KeyGen}, kw_1)$ should not be queried to $O_{token_R}$.

Guess
$A$ outputs a guess $s'$. We say that $A$ wins the game if $s = s'$.

Definition 1
We say that an ABRKS scheme achieves selective security against chosen-keyword attack if any probabilistic polynomial-time adversary $A$ wins the selective security game defined above with a negligible advantage with respect to the security parameter $\ell$, where the advantage is defined as $|\Pr[s' = s] - 1/2|$.

The Basic Idea
In our ABRKS scheme, the critical part is how to support keyword search over re-encrypted ciphertexts while being able to enforce access control. To achieve this, our intuition (shown in Fig. 2) is to compose the re-encrypted ciphertext of two components: one is associated with the keyword and is transformed from the original encrypted ciphertext; the other is associated with the access control policy and can be derived from the re-encryption key, where the access control policy is determined by the data owner.

KP-ABRKS Construction
Recall that an access control policy is represented by $(M, p)$, where $M$ is an $l \times k$ dimensional matrix, and Max is the maximum number of attributes associated with a ciphertext. Let $x \leftarrow_R X$ denote selecting an element $x$ from the set $X$ uniformly at random. The KP-ABRKS scheme can be constructed as follows:
Setup($1^{\ell}$): Given the security parameter $\ell$, the algorithm generates the public parameters and the master key as follows:
Enc($kw$, $param$, $pk_{uid}$): Given a keyword $kw \in \{0,1\}^*$, this algorithm selects $r \leftarrow_R Z_p$, and sets $C_1 = g_0^r$ and $C_2 = e_2(H(kw)^r, e_1(g_0^a, e_0(pk_{uid}, g_0^b)))$. It sets the original encrypted keyword as $cph = (C_1, C_2)$.
ReKeyGen($sk_{uid}$, $S$): Taking as input the data owner's private key $sk_{uid} = x_{uid}$ and an attribute set $S$, this algorithm generates the re-encryption key as follows:
• Set the re-encryption key as $rk_{uid \to S} = (R_1, R_2, \{R_{at_j}\}_{at_j \in S})$.
ReEnc($cph$, $param$, $rk_{uid \to S}$): Given the original ciphertext $cph = (C_1, C_2)$ and the re-encryption key $rk_{uid \to S}$, it computes $C'_2 = C_2^{R_1}$ and re-encrypts $cph$ to $cph_R = (C_1, C'_2, R_2, \{R_{at_j}\}_{at_j \in S})$.
TokenGen($sk_{uid}$, $kw$): Given the private key $sk_{uid} = x_{uid}$ of data user $uid$ and a keyword $kw$, this algorithm sets the token for the keyword $kw$ over original encrypted keywords as $token = H(kw)^{x_{uid}}$.
TokenGen$_R$($sk$, $kw$): Given the data user's private key $sk$, this algorithm computes $A'_i = e_0(H(kw), A_i)$ and $B'_i = e_0(H(kw), B_i)$ for $i = 1, \ldots, l$. It sets the token for the keyword $kw$ over re-encrypted keywords as
Search($token$, $cph$): Given the original encrypted keyword $cph$ and a token $token$ generated by the data owner, this algorithm outputs 1 if $e_2(token, e_1(C_1, e_0(g_0^a, g_0^b))) = C_2$, and 0 otherwise.
Search$_R$($token_R$, $cph_R$): Given the re-encrypted keyword $cph_R$ and a token $token_R$ generated by the data users, the search can be done as follows:
• If the attribute set $S$ associated with $cph_R$ satisfies the access control policy specified by $(M, p)$ associated with $token_R$, compute $c_i$ such that If $e_2(K, C_1) = C'_2$, output 1 and 0 otherwise.
• Otherwise, output 0.
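The Enc, TokenGen and Search equations of the KP-ABRKS construction above can be checked end to end in a toy model that represents each group element $g_i^x$ by its exponent $x$, so that every $e_i$ becomes multiplication modulo $p$. This is an added example, not the authors' code, and it provides no security at all; the prime, the SHA-256 hash-to-exponent, the choice $pk_{uid} = g_0^{x_{uid}}$ (as in the key oracle of the proof), the use of Setup exponents $a, b$ behind $g_0^a, g_0^b$, and all function names are assumptions.

```python
# Added illustration (not from the paper): algebra of Enc / TokenGen / Search in a
# toy "exponent" model. An element g_i^x is stored as (i, x); NOT secure.
import hashlib
import secrets

P = 2**127 - 1  # constructed prime standing in for the group order p


def rand_exp():
    """Uniform non-zero exponent in Z_p."""
    return 1 + secrets.randbelow(P - 1)


def e(x, y):
    """Multilinear step e_i : G_0 x G_i -> G_{i+1}, i = 0, 1, 2."""
    (lx, ax), (ly, ay) = x, y
    if lx != 0 or ly not in (0, 1, 2):
        raise ValueError("e_i takes an element of G_0 and an element of G_i, i <= 2")
    return (ly + 1, ax * ay % P)


def power(x, k):
    """Exponentiation inside one group: (g_i^x)^k."""
    return (x[0], x[1] * k % P)


def H(kw):
    """Hash a keyword into G_0 (assumption: SHA-256 reduced mod P)."""
    return (0, int.from_bytes(hashlib.sha256(kw.encode()).digest(), "big") % P)


def setup():
    """Only the parameters used by Enc and Search: g_0^a and g_0^b."""
    return {"ga": (0, rand_exp()), "gb": (0, rand_exp())}


def priv_keygen():
    """sk_uid = x_uid, pk_uid = g_0^{x_uid}."""
    x = rand_exp()
    return x, (0, x)


def enc(kw, param, pk):
    """C_1 = g_0^r, C_2 = e_2(H(kw)^r, e_1(g_0^a, e_0(pk_uid, g_0^b)))."""
    r = rand_exp()
    c1 = (0, r)
    c2 = e(power(H(kw), r), e(param["ga"], e(pk, param["gb"])))
    return c1, c2


def token_gen(sk, kw):
    """token = H(kw)^{x_uid}."""
    return power(H(kw), sk)


def search(token, cph, param):
    """Output 1 iff e_2(token, e_1(C_1, e_0(g_0^a, g_0^b))) = C_2."""
    c1, c2 = cph
    return int(e(token, e(c1, e(param["ga"], param["gb"]))) == c2)


if __name__ == "__main__":
    param = setup()
    sk, pk = priv_keygen()
    cph = enc("diabetes", param, pk)  # constructed keyword
    print(search(token_gen(sk, "diabetes"), cph, param))  # matching keyword
    print(search(token_gen(sk, "asthma"), cph, param))    # different keyword
```

Both sides of the Search check land in $G_3$ with exponent $H(kw) \cdot r \cdot a \cdot b \cdot x_{uid}$, which is why a token for another keyword or from another user's key fails the comparison.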

CP-ABRKS Construction
We also elaborate the construction of the CP-ABRKS scheme as follows.
Setup($N$, $n_{max}$): This algorithm takes as input $N$, the number of attributes in the system, and $n_{max}$, the maximum number of columns of $M$. It generates the public parameters and the master key as follows:
• Generate a 4-multilinear map $\{e_i : G_0 \times G_i \to G_{i+1} \mid i = 0,1,2\}$, where $(G_0, \ldots, G_3)$ are cyclic groups of order $p$ respectively. Let $g_0 \in G_0$ be a generator of $G_0$, and $g_{i+1} = e_i(g_0, g_i)$ be a generator of $G_{i+1}$ for $i = 0,1,2$.
• Select elements $h_{1,1}, h_{1,2}, \ldots, h_{n_{max},N}$ from $G_0$ uniformly at random.
• Let $H : \{0,1\}^* \to G_0$ be a secure hash function modeled as a random oracle.
• Select $a, b, c \leftarrow_R Z_p$ and set the public parameters and master key as
Search$_R$($token_R$, $cph_R$): Given the re-encrypted keyword $cph_R$ and a token $token_R$ generated by the data users, the search can be done as follows:
• If the attribute set $S$ associated with $token_R$ satisfies the access control policy specified by $(M, p)$ associated with $cph_R$, compute $c_i$ such that

Correctness
The correctness of the CP-ABRKS scheme can be verified similar to that of KP-ABRKS scheme.

Theorem 1
Assume that the 4-MDDH assumption holds; then our KP-ABRKS scheme achieves selective security against chosen-keyword attack in the random oracle model.
Proof: The proof strategy is to reduce the security of our construction to the hardness of the 4-MDDH assumption. That is, we show that if there exists a probabilistic polynomial time adversary $A$ breaking the selective security game of KP-ABRKS against chosen-keyword attack with a non-negligible advantage $E$, then we can simulate a challenger solving the 4-MDDH problem with a non-negligible advantage $(1/e + 1/q_T)\frac{E}{2}$, where $q_T$ is a polynomially large number, which should be larger than the number of oracle queries for $O_{ReEnc}$, $O_{token}$ and $O_{token_R}$.
Given an instance of the 4-MDDH problem $(g_0, g_0^a, g_0^b, g_0^c, g_0^w, g_0^r, Z)$, where $a, b, c, w, r \leftarrow_R Z_p$ are unknown, the challenger simulates the game as follows:

Setup
$A$ selects a set of corrupted users denoted by $CoList$ and an attribute set $S^*$, and sends them to the challenger. The challenger generates the public parameters and master key as follows:
• Given the attribute set $S^*$, let $w(y) = y^{Max - |S^*|} \cdot \prod_{at \in S^*} (y - H_1(at))$, which can be rewritten as $w(y) = \sum_{j=0}^{Max} w_j y^j$, where $w_j$ is the coefficient of $y^j$ and therefore $w_j = 0$ for $j = 0, \ldots, Max - |S^*|$.
Moreover, the challenger simulates the oracles $H$, $H_1$ as follows:
• $O_H(kw)$: Given a keyword $kw$, it proceeds as follows:
- If $kw$ has not been queried before, then select $a_i \leftarrow_R Z_p$ and toss a random coin $c_i \in \{0,1\}$ with the probability that $\Pr[c_i = 0] = 1/(q_T + 1)$, where $q_T$ is a polynomially large number. We require that $q_T$ should be larger than the
- Otherwise, retrieve $H(kw)$ from $L_H$ with respect to $kw$ and return $H(kw)$.
• $O_{H_1}(at)$: If the attribute $at$ has not been queried before, select $u \leftarrow_R Z_p$, set $H_1(at) = u$, and add $(at, H_1(at))$ to the list $L_{H_1}$. Otherwise, retrieve $H_1(at)$ from $L_{H_1}$ with respect to $at$. Eventually, it returns $H_1(at)$.

Phase 1
$A$ can query the following oracles polynomially many times:
• $O_{pk,sk}(uid)$: Given a user identity $uid$, the challenger proceeds as follows:
- If $uid$ has been queried before, retrieve $(sk_{uid}, pk_{uid})$ from $L_U$ with respect to $uid$ and return $(sk_{uid}, pk_{uid})$.
- Otherwise, select $x_{uid} \leftarrow_R Z_p$. If $uid \in CoList$, compute $sk_{uid} \leftarrow x_{uid}$ and $pk_{uid} \leftarrow g_0^{x_{uid}}$; otherwise set $sk_{uid} = \bot$ and $pk_{uid} \leftarrow g_0^{c x_{uid}}$. Finally add $(uid, sk_{uid}, pk_{uid})$ to $L_U$ and return $(sk_{uid}, pk_{uid})$.
i : v, and set A il p(i) Q(H 1 (p(i))) r i and B i~r i . * Otherwise, select r' i / R Z p and compute A i~l p(i) Q(H 1 (p(i))) r ĩ M i : ½abwzv 0 : ½aw(H 1 (p(i)))zQ(H 1 (p(i)))r ĩ M i : v 0 zaw(H 1 (p(i)))r' i zQ(H 1 (p(i)))r' i bQ(H 1 (p(i)))M i : w=w (H 1 (p(i) -Otherwise, if there exists kw i in L H such that c i~1 and e 2 (e 1 (e 0 -If c i~1 , set token~H(kw) sk uid~( a i 0 ) sk uid~p k a i uid ; -If c i~0^u id[CoList, set token~H(kw) sk uid~w x uid 0 ; -Otherwise, report failure and terminate. N O token R (P,kw): Given an access control policy P and a keyword kw, the challenger proceeds as follows: -If c i~1 , select u 2 ,u 3 , . . . ,u k / R Z p , implicitly set v~(ab,u 2 , . . . ,u k ) and l p(i)~Mi v for i~1, . . . ,l. Compute for i~1, . . . ,l, -If c i~0^F (S Ã ,P)~0, make a query P on O KeyGen to get sk, and compute -Otherwise, report failure and terminate.

Challenge
$A$ selects an uncorrupted user $uid^* \notin CoList$ and two keywords $(kw_0, kw_1)$ of equal length. Given $kw_0$ and $kw_1$, if $c_0 = 1 \wedge c_1 = 1$, the challenger reports failure and terminates; otherwise, let $s$ be a bit which is selected as follows:
• If $c_0 = 1$ and $c_1 = 0$, then set $s = 1$,
• If $c_0 = 0$ and $c_1 = 1$, then set $s = 0$,
• Otherwise, let $s \leftarrow_R \{0,1\}$.
The challenger responds to $A$ with $cph^* = (C_1 = g_0^r, C_2 = Z^{a_i x_{uid}})$.

Phase 2
$A$ executes the same as Phase 1. This completes the simulation. In what follows let us analyze the probability that the challenger will not report failure and terminate due to the following two independent events:
• When $A$ queries $O_{token}$, $O_{token_R}$ and $O_{ReEnc}$, it happens that $c_i = 0$ for some keyword. Note that for each query with respect to some keyword, $\Pr[c_i = 0] = 1/(q_T + 1)$. Therefore, as $A$ makes at most $q_T$ oracle queries, the probability of the challenger not reporting failure and terminating can be $(1 - 1/(q_T + 1))^{q_T} \ge 1/e$.
Therefore the challenger simulates without failure with probability at least $1/e + 1/q_T$. Now let us analyze the advantage of the challenger solving the 4-MDDH problem on condition that the simulation completes perfectly. In the challenge phase, if $Z = g_3^{abcwr}$, then $cph^*$ is indeed a valid ciphertext of $kw_s$. Then the probability of $A$ outputting $s = s'$ is $\frac{1}{2} + E$. If $Z$ is an element randomly selected from $G_3$, the probability of $A$ outputting $s = s'$ is $\frac{1}{2}$. Therefore, the probability of the challenger correctly guessing $Z \stackrel{?}{=} g_3^{abcwr}$ That is, the challenger solves the 4-MDDH problem with advantage $(1/e + 1/q_T)\frac{E}{2}$ if $A$ wins the selective security game with advantage $E$. $\square$

CP-ABRKS Security
Security of the CP-ABRKS scheme can be proven as the following theorem.

Theorem 2
Assume that the 4-MDDH assumption holds; then our CP-ABRKS scheme achieves selective security against chosen-keyword attack in the random oracle model.
Proof: The main idea is to reduce the security of our CP-ABRKS to the hardness of the 4-MDDH assumption. That is, we show that if there exists a probabilistic polynomial time adversary $A$ breaking the selective security game of our CP-ABRKS scheme against chosen-keyword attack with a non-negligible advantage $E$, then we can construct a challenger solving the 4-MDDH problem with a non- where $q_T$ is a polynomially large number, which should be larger than the number of oracle queries for $O_{ReEnc}$, $O_{token}$ and $O_{token_R}$. In this part, $P \subset P^*$ means $P$ is a substructure of $P^*$. Given an instance of the 4-MDDH problem $(g_0, g_0^a, g_0^b, g_0^c, g_0^w, g_0^r, Z)$, where $a, b, c, w, r \leftarrow Z_p$ are unknown, the challenger simulates the game as follows:
• The public parameters are set to $param = (e_0, e_1, e_2, G_0, G_1, G_2, G_3, g_0, g_1, g_2, g_0^a, g_0^b, h_{1,1}, h_{1,2}, \ldots, h_{n_{max},N}, H)$, by implicitly setting the master private key $mk = (a, b)$. The random oracle $O_H$ is simulated in the same way as in the proof of Theorem 1.

Phase 1
A can query the following oracles in polynomial many times: where M is an l|k matrix, the challenger proceeds as follows: -Otherwise, we consider P~P Ã first. Choose random elements d',u' 2 , . . . ,u' n max / R Z p and set ..,l,j~1,...,n max ), where by implicitly defining d~cd' andũ~(u 1~c d',cd'zu' 2 , . . . ,cd'zu' n max )[ Z n max p (We set u' 1~0 ). Note that the form of our re-encryption key is similar to that of the ciphertext of Water's CP-ABE [17]. So if P~(M,p)(P Ã~( M Ã ,p Ã ), the re-encryption key can be derived from (M Ã ,p Ã ) through the technology of ciphertext delegation proposed in [30]. -If c i~1 , select t 1 ,t 2 , . . . ,t n max / R Z p . Compute -Otherwise, report failure and terminate.

Challenge
$A$ selects an uncorrupted user $uid^* \notin CoList$ and two equal-length keywords $(kw_0, kw_1)$. If $c_0 = 1 \wedge c_1 = 1$, the challenger reports failure and terminates; otherwise, let $s$ be a bit which is selected as follows:
• If $c_0 = 1$ and $c_1 = 0$, then set $s = 1$,
• If $c_0 = 0$ and $c_1 = 1$, then set $s = 0$,
• Otherwise, let $s \leftarrow_R \{0,1\}$.
The challenger responds to $A$ with $cph^* = (C_1 = g_0^r, C_2 = Z^{a_i x_{uid}})$.

Phase 2
A executes the same as Phase 1.

Guess
$A$ outputs a guess $s'$. The challenger outputs $Z = g_3^{abcwr}$ if $s' = s$. Otherwise, it outputs $Z \neq g_3^{abcwr}$. This completes the simulation. We can show that the challenger solves the 4-MDDH problem with advantage $(1/e + 1/q_T)\frac{E}{2}$ if $A$ wins the selective security game of CP-ABRKS with advantage $E$, similar to the analysis of Theorem 1. $\square$

Application
Our ABRKS schemes fit many applications in the cloud computing environment very well. One of the prominent applications is Personal Health Records (PHR) for patients: the data owner encrypts his own health records and outsources these encrypted records to the cloud which hosts the PHR service. The data owner always needs to fetch the related health records by some keywords, since it is too costly to download all encrypted records and decrypt them to get the desired records. In addition, the data owner might need to share these encrypted health records with some professionals, for example, heart doctors in the Emergency Room. In order to attain this goal, the data owner has to delegate the search capability. Fig. 3 shows the sequence diagram of how the entities in the PHR application make use of the proposed ABRKS schemes to achieve these goals.

Conclusions
In this paper, we propose a novel notion called attribute-based proxy re-encryption with keyword search (ABRKS). Our solutions can be used in the cloud setting, such that (1) a data owner can delegate the search capability to a group of users by specifying fine-grained access control policies; (2) the data owner and data users can delegate the tedious re-encryption and search process to the cloud without compromising data confidentiality.