Efficiently Multi-User Searchable Encryption Scheme with Attribute Revocation and Grant for Cloud Storage

Cipher-policy attribute-based encryption (CP-ABE) focus on the problem of access control, and keyword-based searchable encryption scheme focus on the problem of finding the files that the user interested in the cloud storage quickly. To design a searchable and attribute-based encryption scheme is a new challenge. In this paper, we propose an efficiently multi-user searchable attribute-based encryption scheme with attribute revocation and grant for cloud storage. In the new scheme the attribute revocation and grant processes of users are delegated to proxy server. Our scheme supports multi attribute are revoked and granted simultaneously. Moreover, the keyword searchable function is achieved in our proposed scheme. The security of our proposed scheme is reduced to the bilinear Diffie-Hellman (BDH) assumption. Furthermore, the scheme is proven to be secure under the security model of indistinguishability against selective ciphertext-policy and chosen plaintext attack (IND-sCP-CPA). And our scheme is also of semantic security under indistinguishability against chosen keyword attack (IND-CKA) in the random oracle model.


I. Introduction
The fuzzy identity based encryption (IBE) which is regarded as the prototype of attributebased cryptography was put forward by Sahai and Waters [1] in 2005. In an attribute-based encryption system, each user has a number of descriptive attributes (such as gender, age, education, occupation, etc.). Meanwhile, the users' private key and ciphertext are link with some described attribute set and access strategy respectively. When the private key is matched with ciphertext, the user can decrypt the ciphertext.
Goyal et al. [2] put the ABE scheme into CP-ABE scheme and the key-policy attributebased encryption (KP-ABE) scheme, and definitions are given respectively.
Bethencourt et al. [3] provided a new structure. The scheme can not only achieve a flexible access structure but also has an important characteristic of anti-collusion. That is, different users can not add their own access right by collusion their private key. Besides, there are some other outstanding articles such as the scheme proposed by Emura et al. [4] which has a certain contribution to the computational complexity and storage load. method. That is, our revocation is able to revoke some users' some attributes, rather than to revoke a single attribute or revoke attributes in the system. The attribute grant method is similarly. In addition, the proposed scheme is proven to be IND-sCP-CPA secure.
• We use a lazy revocation technique [34] for user's attribute and private key update process.
It is to say that only when user accesses the encrypted files, it helps to update the user's attribute and private key.
• As keyword searchable process in [18] does not have a complete security proof. By changing the operation of search trapdoor in [18], we have proved that our proposed keyword searchable scheme is IND-CKA secure in the random oracle model under bilinear Diffie-Hellman (BDH) assumption.
• The function of revocation of user identity in our scheme is consistent with that in [18].

B. Comparisons
We compare the function of our scheme with the existing schemes presented in [3,13,18] in Table 1.

A. Mathematical Tools
We first give some of the mathematical tools will be used later in this article, the specific argument can be found in the references. Definition 1 (Bilinear Map [2]). The definition of the two multiplication of group G 1 and G 2 , so that their order is p and the generator of G 1 is g. A bilinear map e : G 1 Â G 1 ! G 2 , which satisfies: • Bilinearity: for all u; v 2 G 1 and a; b 2 Z p ; eðu a ; v b Þ ¼ eðu; vÞ ab ; • Non-degeneracy: e(g, g) 6 ¼ 1; • Computability: for all u; v 2 G 1 , e(u, v) is efficiently computable.
Definition 2 (Lagrange Coefficient [24]). The definition of a Lagrange coefficient is Δ i,S (x), which i 2 Z p and the elements of set S belong to Z p . Then we have the following equation:

B. Access Tree
In this paper, we use the access tree as the access policy. Definition 3 (Access Tree [18]). In the access tree, the number of child nodes of each interior node x is denoted as num x . The threshold value of each node is defined as (k x , num x ), which is 0 < k x num x . In particular, when k x = 1 threshold for an 0 OR 0 gate. When k x = num x for an 0 AND 0 gate. Furthermore, each leaf node are correlated and attribute. For the convenience of using access tree, we define several functions as follow.
• parent(x): this returns the parent node of a node x except the root node.
• index(x): assuming that the children nodes of each node are numbered from 1 to num, this returns such a number associated with the node x.
• att(x): this returns the attribute associated with a leaf node x.

C. BDH Problem
Choose two cyclic group G 1 and G 2 , enable their order is p. And a map e : G 1 Â G 1 ! G 2 is a valid bilinear map. BDH problem under the tuple < g; G 1 ; G 2 ; e > can be defined as: fix a generator g of G 1 , as well as g a , g b , g c for some random a; b; c 2 Z p , compute eðg; gÞ abc 2 G 2 .
BDH assumption [35]. The assumption is valid if there is no polynomial-time adversary can be non-negligible probability to solve the above BDH problem.

A. System Model
First, define five entities of the system: an attribute authority, dada owners, a proxy server, a cloud sever, users, can be described below. The system model of our scheme is given in Fig 1. • Attribute authority (AA). Attribute authority is entirely credible to other entities and is responsible for the system establishment, new user register, attributes assignment and key generation. When some users' attribute set change (that is, some attributes are revoked or granted), AA establishes a revoked and a granted user list set for each attribute respectively and updates the public parameter, master key, proxy update key and proxy grant key.
• Data owner (DO). Data owner is responsible for uploading all the data files to cloud server. In order to ensure other legitimate users of the system can search for the corresponding file through the keyword, data owner needs to extract keywords and establish keyword indexes. Finally, along with the encrypted files upload to cloud server.
• User (U). Legitimate users can download their interest files from the system. In order to hide the search keyword, the user generates a search trapdoor. And then sends his unique identity, attribute set, partial private key component to the proxy server for updating attribute set and private key component. After receiving the updated attribute set and private key component, he sends his trapdoor together with his unique identity to cloud server. Without revealing any information about the content of the file, proxy server to help complete most of the decryption work. And then the final message is calculated by the user.
• Proxy server (PS). Proxy server is deployed by AA. It re-encrypts encrypted shared data and updats user's attribute set and corresponding private key by using the proxy update key and proxy grant key received from AA. It also can help the users execute most CP-ABE decryption task.
• Cloud server (CS). This paper mainly use the large storage characteristics of CS to store the data files in the system. Besides, it also helps to generate keyword index and trapdoor. In order to achieve efficient search we use the D. Data Upload method in [18] to store and search files. Also similar to the G. User Revocation method in [18], CS can perform user revocation operation.

B. Algorithms Definitions
Our proposed efficiently multi-user searchable encryption scheme with attribute revocation and grant for cloud storage is composed of thirteen randomized polynomial time algorithms.
• AA.Setup (λ, U)!(PP, MK, UK, GK): The setup algorithm takes a security parameter λ and an attribute universe description U as input. It outputs the public parameters PP, master private key MK, proxy update key UK and proxy grant key GK. • DO.Enc ðPP; M; T Þ ! CT: The encryption algorithm takes public parameters PP, a message M, and an access structure T over the universe of attributes as input. It generates a ciphertext CT.
The key generation algorithm takes master private key MK, a unique user identity U id and the corresponding attribute set S U id as input. It outputs U id 's corresponding private key SK U id , user's search key A U id , and user's search key B U id in CS.
• U.Dec ðCT; SK U id Þ ! M: The decryption algorithm take a ciphertext CT, and a private key SK U id as input. If the set of attributes S U id related to SK U id satisfies the access structure T related to CT, then it successfully decrypt and output the message M The re-encryption key generation algorithm tekes public parameters PP, a master key MK, a set of attributes γ, the attribute in γ which is to be revoked for some users, and the corresponding revoked user list ΔL γ , a set of attribute η, the attribute in η is to be granted for some users, and the corresponding granted user list ΔL η , proxy update key UK, and proxy grant key GK as input. It generates the updated public parameters PP 0 , the redefined master key MK 0 , the redefined proxy update key UK 0 , the proxy grant key GK 0 , and the re-encryption key RK γ .
• CS.ReEnc (γ, C γ , rk)!RK γ : The re-encryption algorithm takes a set of attribute γ which some users be revoked, the ciphertext component the re-encryption key RK γ as input. It outputs the re-encryption ciphertext component The key regeneration algorithm takes a unique user identity U id and the corresponding attribute set S U id , version number ver U id , the private key component D U id ¼ fD i g i2g & SK U id , proxy update key UK, a set of attributes γ, the attribute in γ which is to be revoked by some users as input. It outputs the updated user attribute set S U id 0 , version number ver U id 0 and private key component • PS.GrantAtt ðU id ; PP; GK; ZÞ ! ðZ U id ; SK Z U id Þ: The attribute grant algorithm takes a unique user identity U id , the public parameters PP, the proxy grant key GK, a set of attribute η, the attribute in η which is to be granted by some users as input. It outputs a set of attribute Z U id which is to be granted to the user U id and the corresponding private key component

C. Security Definitions
Similar to most previous works, the CS is supposed to be "curious-but-honest" [13].
We consider the security model as two games between a challenger C and an adversary A. Game 1 (IND-sCP-CPA security model). The adversary A is assumed to be an outsider attracter including the receiver.

Int.
A declares an access structure T Ã . Setup. C takes a security parameter λ and runs the Setup algorithm. It gives the public parameter PP to A and keeps the master key MK to itself. Phase 1. A adaptively issues polynomial queries as follows.
• private key query. A submits an attribute set S, where S does not satisfy the access structure T Ã , to C. The challenger returns the corresponding private key SK to A.
• update private key query. A is allowed to issue queries for update private key SK for the attribute in γ which is to be revoked for some users. The challenger gives the updated private key SK 0 . The advantage of the A in this game is defined as Pr½b

Definition 4.
The proposed scheme is IND-sCP-CPA secure if there is no polynomial time A who can win the above game with non-negligible advantage.
Game 2 (IND -CKA security model). The adversary A is assumed to be CS. Setup. Repeat game 1's setup adaptively. Phase 1. A adaptively issues polynomial following queries.
• H 1 -Query. A can query the random oracle H 1 .
• H 2 -Query. A can query the random oracle H 2 .
• Trapdoor Queries. A can ask any keyword's trapdoor.

Challenge.
A submits two keywords w 0 and w 1 where the keywords w 0 and w 1 's trapdoor have not been asked by A. The challenger picks a random bit b 2 {0, 1} and creates w b 's trapdoor k to A.

IV. Our Proposed Scheme
A. Detail Construction of Algorithms AA defines the universe of attributes as U = {1, 2, Á Á Á, n}, the unique user identity U id 2 {0, 1} Ã and three hash functions: • H(Á): Maps an attribute to a random element of G 1 .
The setup algorithm takes security parameter λ and attribute universe description U = {1, 2, Á Á Á, n} as input. It first chooses two multiplicative cyclic groups G 1 ; G 2 of prime order p(p > 2 λ ), and a bilinear map e : G 1 Â G 1 ! G 2 . Then, 8i 2 U, it random chooses Att i 2 Z Ã p and computes a public parameter component And it randomly chooses x 2 Z P as the search master key and three random numbers α, β, x 2 Z p , let In addition, defines the system version number ver 2 N. The initial version number is set to ver = 0. Set a proxy re-encrypt key set as rk = {rk i } i2U , and rk i = {rk i,0 , Á Á Á, rk i,ver } is set of the proxy re-encrypt key under different version for attribute i. The initial value is set to rk i,0 = 1.
Let L = {L i } i2U represent the revoked user list set, where revocation list L i represents the users list whose attribute i needs to be revoked, and L Ã ¼ fL Ã i g i2U represent the granted user list set, where grant list L Ã i represents the users list set to whom the attribute i needs to be granted. The revocation list L i may be empty, which means there is no user needs to be revoked for attribute i. So is grant list L Ã i . Finally, define a set R which is used to reserve the private key component ðU id ; r U id Þ later. The initial value is empty, R = ϕ. For each Att i 2 Z Ã p , calculate 1 Att i ðmod pÞ and output The proxy update key UK = (ver, Do.Enc ðPP; M; T Þ ! CT: Similar to the encryption method in [18]. It inputs the public parameter PP, a message M and an access structure T . The algorithm chooses a (k x −1) -degree polynomial q x (Á) for each node x in the tree T in a top-down manner. The selected polynomial q x (Á) must satisfy the restriction that q It is worth noting that for a leaf node, because it does not have a child, so it selects constant polynomial q x (Á) = q x (0) = q parent(x) (indes(x)). Let C be the set of leaf nodes in T , the ciphertext CT is computed as: Here, the function att(x) returns the attribute associated with the leaf node x and att(x)2U. Note that, the hash function H(Á) Maps an attribute to a random element of G 1 , so The key generation algorithm takes master private key MK, a unique user identity U id and the corresponding attribute set S U id as input. It firstly defines a user version number as the current system version number ver U id ¼ ver.
Then it chooses a random r U id 2 Z P , and then chooses a random r i 2Z P for each attribute i 2 S U id . It outputs the private key as: It randomly chooses μ 2 Z P and set A U id ¼ m as user's search key, and computes as user's search key in CS. U.Dec ðCT; SK U id Þ ! M: Similar to the decryption method in [18]. The decryption algorithm first defines a recursive algorithm DecNode ðCT; SK U id ; xÞ, where x represents a node in T . Then it is followed in a down-top manner.
The reencryption key generation algorithm takes public parameter PP, a master key MK, a set of attributes γ (the attribute in γ which is to be revoked for some users) and the corresponding revoked user list ΔL γ , a set of attribute η (the attribute in η is to be granted for some users) and the corresponding granted user list ΔL η , the proxy update key UK, and the proxy grant key GK as input.
If γ 6 ¼ ;, for each attribute i 2 γ, it chooses random Att i 0 2 Z Ã p as the new attribute key. Then performs the following action: • Master key update. Replaces the Att i in MK with Att i 0 , the rest of the parameters keeps unchanged; • Proxy update key upodate. Replaces the ver in UK as ver 0 = ver + 1, calculates rk i;ver 0 ¼ Att i 0 Att i ð pÞ and adds to the set Then adds the identity of users whose attribute need to be revoked in ΔL γ to the corresponding revocation user list • Proxy grant key update. Replace the 1 Att i in GK with 1 Att i 0 ðmod pÞ, the rest of the parameters keeps unchanged; • Public parameter update. Calculate If η 6 ¼ ;, add the identity of users in ΔL η who need to be granted some attributes to the corresponding grant user list L Ã ¼ fL Ã i g i2U in proxy grant key. CS.ReEnc (γ,C γ ,,RK γ )!C γ 0 : The re-encryption algorithm takes a set of attribute γ, the attribute in γ which is to be revoked for some users, the ciphertext component the re-encryption key RK γ as input.
For each attribute i 2 γ, find the corresponding leaf node x, with i = att(x). Denote the universe of corresponding ciphertext component C The key regeneration algorithm takes a unique user identity U id and the corresponding attribute set S U id , version number ver U id , the private key component D U id ¼ fD i g i2g & SK U id , proxy update key UK, a set of attributes γ, the attribute in γ which is to be revoked by some users as input. Then perform the following actions: • If the user has the latest version ver U id ¼ ver, it outputs ? and exit; • If it satisfies the condition that 8i2γ and U id = 2 L i , denotes the attribute set S

DO.PreIndex (W)!(E):
The pre index generation algorithm for data owner takes the keyword set W = {w 1 ,Á Á Á, w m } as input.
For each keyword w i 2 W, it calculates Then, it outputs the data owner's pre keywords index set E = (E 1 ,Á Á Á, E m ). CS.Index ðE; B U id Þ ! ðVÞ: The index generation algorithm by CS takes data owner's pre keywords index set E = (E 1 ,Á Á Á, E m ) and data owner's search key in CS B U id as input.
Then, it outputs CS's index parameter set V = (V 1 ,Á Á Á, V m ). DO.PostIndex ðV; A U id Þ ! ðI W Þ: The post index generation algorithm for data owner takes the CS's index parameter set V = (V 1 ,Á Á Á, V m ), his own search key A U id and the random parameter l i which he choices before as input.
• For each V i 2V, it computes where ½Q i k i denotes an encryption of a random number Q i with the secret key k i using a secure symmetric encryption algorithm, such as AES.
It builds the data owner's post keywords index set I W ¼ fI w 1 ; Á Á Á ; I w m g and outputs. U. PreTrap ðw; A U id Þ ! ðT w Þ: The pre trapdoor generation algorithm for user takes as input a keyword w and his own search key A U id .
It calculates the user's pre trapdoor T w ¼ H 1 ðwÞ A U id and outputs. It calculates the CS's post trapdoor k

CS. Test(I
The test algorithm by CS takes post keywords index set I W ¼ fI w 1 ; Á Á Á ; I w m g and post trapdoor k 0 = H 2 (e(H 1 (w i ),g) x ) as input. It checks the following equation holds Registration. AA to register every legal user in the system.
• Select a unique identity U id and an attribute set S U id to user; • Call algorithm AA.KenGen ðMK; U id ; S U id Þ ! ðSK U id ; A U id ; B U id Þ to compute a private key SK U id , user's search key A U id , and user's search key B U id in CS. File Upload. The file upload process is similar to the D. Data Upload process in literature [18]. The final document is stored in CS as Table 2.
Here, F id represents the file number.
[DataFile] k represents the encrypt file by a symmetric encryption key k. I W represents the keywords index. CT represents the symmetric encryption key k's ciphertext which encrypted by our proposed algorithm Do.Enc ðPK; M ¼ k; T Þ ! CT. Details of file upload process can be found in D. Data Upload in literature [18].
Attribute Alteration. If there is no need to change any user's attributes in the system, it outputs ? and exit.
If there have a set of attribute γ which some users be revoked, and a set of attribute η which some users be granted. We processes as follows.
• On receiving PP, CS publishes it.
The following steps are performed when a user needs to search for a file. Trapdoor Generation. First, the user set a search keyword w. Then he calls the algorithm U. PreTrap ðw; A U id Þ ! ðT w Þ. It outputs the user's pre trapdoor T w .
Updating Attribute and Private Key.
• User U id sends his parameters ðU id ; S U id ; ver U id ; D U id Þ to PS.
• PS first calls algorithm PS.ReKey ðU id ; S U id ; ver U id ; D U id ; UKÞ ! ðS U id 0 ; ver U id 0 ; D U id 0 Þ. It outputs updated user attribute set S U id 0 , version number ver U id 0 and private key component • Then PS calls the algorithm PS.GrantAtt ðU id ; PP; GKÞ ! ðZ U id ; SK Z U id Þ. It outputs a set of attribute Z U id which is to be granted to user U id and the corresponding private key compo- • It sets the parameters • PS returns parameters ðU id ; S U id ; ver U id 0 ; D U id ; SK Z U id Þ to user and send ðU id ; S U id Þ to CS.
• User updates his own parameters S U id and SK U id . CS updates tuple ðU id ; B U id ; S U id Þ for user U id 's attribute in the users information list. • According to attributes set S U id , CS has to search documents by performing the Step3: search the data by the cloud server process in literature [18].
• For all documents in the files collection that the user can decrypt, matches the keyword trapdoor with the keywords index, to find the user's interested files in the document. Similar to literature [18], we can also perform most of the calculation process by PS. User Revocation. Our scheme by removing user's search key B U id in CS to achieve user identity revocation. Because if CS to remove user's B U id , the user will not be able to successfully search files.

C. Flowchart of Our Proposed Scheme
We set a legitimate user U id first as a data owner to upload their own data, and then as a user access to the content of the interest files. The flowchart of our Fig 2(a), 2(b), 2(c), 2(d) and 2(e) respectively gives the process of system setup, new user registration, file upload, system version upgrade and ciphertext update, file search by user of our scheme.

A. Security Analysis
First of all, we analyze our scheme. There are six entities in the project: AA, PS, CS, DO, U.
AA is responsible for establishing the program, and we set it to be fully trusted. Our PS is subordinate to authority. In order to reduce the computing load of AA and ensure the efficiency of program, we grant a lot of functions to PS. One of the most important functions is to grant user's attribute and the corresponding private key, which makes our PS must be trusted. If we think about the problem of malicious PS, we have to leave granted rights to AA. Only AA can execute the private key grant rights, which can improve the security of scheme to a certain extent, but it will reduce efficiency of scheme. It introduces a new model. We aim to study the integrity of our proposed scheme, which has not made a number of analysis to this new model. DO has no difference from other users in set the private key in addition to having the data files to be uploaded. It is to say that keyword search process of DO is equivalent to a general user. Due to the users access permissions are different according to their own attribute set. Some users may want to access more data files beyond their access permissions. So one of the attack models we consider is derived from a malicious user. He may also be a legitimate user. We will show that our scheme is secure against this attack model. CS is an outsourced server. As in most articles, we assume CS is "curious-but-honest" [13]. It is to say that CS is curious about the encrypted data contents or the received messages, but will execute correctly the proposed tasks. It might be interested in the content of user search, so another attack models we consider is derived from a malicious CS.

B. Attack Model 1 (IND-sCP-CPA Security Model)
The adversary A is assumed to be an outsider attacker including the users in the system.
Through the establishment of a security game model, we reduce the security of our scheme to Bethencourt's scheme [3]. According to the proof of reference [3] in its appendix A (Bethencourt's scheme is IND-sCP-CPA secure), our scheme is also IND-sCP-CPA secure in the attack model 1. The proof procedure is as follows.
Theorem 5 Suppose that the Bethencourt's scheme is IND-sCP-CPA secure, then our scheme is also IND-sCP-CPA secure in the attack model 1.
Proof. We consider a simulator S 0 of Bethencourt's scheme, a simulator S of our scheme and a polynomial-time adversary A of our scheme. It is noteworthy that the simulator S of our scheme has another identity who is also an adversary A 0 of Bethencourt's scheme. Suppose that A of our scheme is able to distinguish a valid ciphertext from a random element with advantage ε. We build a simulator S (namely A 0 of Bethencourt's scheme) that can attack Bethencourt's scheme with the same advantage. The simulation proceeds as follows.

Int.
A declares an access structure T Ã , which he wishes to be challenged upon. The simulator S declares the same access structure.
Setup. The simulator S 0 takes a security parameter λ and runs the Setup algorithm of Bethencourt's scheme. It gives the public parameter PP 0 ¼ ðG 1 ; g; g b ; eðg; gÞ a Þ to the simulator S. After receive the public parameter PP 0 , the simulator S randomly chooses Att i 2 Z Ã p for 8i 2U as the attribute parameter. Then for all i 2 U, j = 1, 2, Á Á Á, ver, it randomly chooses rk i;j 2 Z Ã p and the public parameter generated as follows.
Then, it send the public parameter PP to A. Phase 1. A adaptively issues polynomial following queries.
• private key query. A submits a set of attributes S where S does not satisfy the access structure T Ã to the simulator S. The simulator S submits the same attributes to the simulator S 0 .
Then the simulator S can get the SK 0 ¼ ðD ¼ g aþr=b ; 8i 2 S : D i 0 ¼ g r HðiÞ r i ; D Ã 0 i ¼ g r i Þ from the simulator S 0 . The simulator S calculates as follows. For all i 2 S, The A is given private key • update private key query. A is allowed to issue queries for update private key SK for the attribute in γ which is to be revoked for some users. A submits a part of the private keyŜK ¼ ð8i 2 S : D i ; D Ã i Þ he asked before where S \ γ 6 ¼ϕ. with access structure T Ã . S 0 sends the ciphertext CT 0 ¼ ðT Ã ;C ¼ M b Á eðg; gÞ as ; C ¼ g bs ; 8x 2 C : C x 0 ¼ g q x ð0Þ ; C Ã 0 x ¼ HðattðxÞÞ q x ð0Þ Þ to S. The simulator S calculates CT Ã as follows. For all x 2 C, C i ¼ ðC x 0 Þ T attðxÞ .A is given attribute key Repeated phase 1 adaptively. Guess. A submits a guess b 0 of b. S outputs the guess b 0 to indicate that it was given the CT 0 . If A is able to distinguish the valid ciphertext with advantage jPr½b We build the simulator S that can distinguish the valid ciphertext in Bethencourt's scheme with the same advantage.

C. Attack Model 2 (IND-CKA Security Model)
The adversary A is assumed to be CS.
We will prove that our scheme of semantic security for keywords trapdoor. Notice that in the search process of our scheme the public parameter is g, the private key of the user is A U id ¼ m, the private key of CS is B U id ¼ g x=m , the master private key of the attribute authority is K mk = x. We assume that A is a malicious CS, then the public parameters related to the search process that it can get are ðg; B U id ¼ g x=m Þ.
Theorem 6. Assuming the BDH (Bilinear Diffie-Hellman) assumption was founded. Then our scheme has the IND-CKA security in the random oracle model.
Proof. We consider a chosen-keywords-attack polynomial-time adversary A and a simulator S.
Suppose that A is able to correctly distinguish keywords with advantage ε. We build a simulator S that can solve the BDH problem with at least ε 0 ¼ 2ε=êq T q H 2 , Where ê is the base of the natural logarithm, q T > 0 is the number of pre trapdoor queries, q H 2 > 0 is the number of hash queries.
Int. The simulator S runs A and receives a BDH challenge. It first chooses two multiplicative cyclic groups G 1 ; G 2 of prime order p and a bilinear map e : G 1 Â G 1 ! G 2 . S is given g 2 G 1 , as well as u 1 = g α , u 2 = g β , u 3 = g γ for some random a; b; g 2 Z p . S's goal is to get eðg; gÞ abg 2 G 2 .
Setup. The simulator S announces the public parameter ðg; According to the above settings, we can cal- Phase 1. A adaptively issues polynomial following queries.
• H 1 -Query: A can always ask the random oracle H 1 of any keyword w i 2 {0, 1} Ã . S answers the questions of A and records the results of each answer. If A submits a keyword w i 2 {0, 1} Ã that has not been asked, S does the following.
2. S picks a random element a i 2 Z Ã p . If the coin c i = 0, S computes 3. S adds the tuple (w i , h i , a i , c i ) to the list H 1 -list, and returns H 1 (w i ) = h i to A.
If A submits a query w i that has been asked, then S finds the tuple (w i , h i , a i , c i ) in the H 1 -list and responds H 1 ðw i Þ ¼ h i 2 G 1 to A.
• H 2 -Query: A can always ask the random oracle H 2 of any t i 2 G 2 . S answers the questions of A and records the results of each answer. If A submits a t i 2 G 2 that has not been asked. S chooses a random number H 2 (t i ) = V i 2 {0, 1} log p and adds the tuple (t i , V i ) to the list H 2 -list. Then it returns H 2 (t i ) = V i to A. If A submits a query t i that has been asked, then S finds the tuple (t i , V i ) in the H 2 -list and responds H 2 (t i ) = V i to A.
• Pre-trapdoor queries: A can also ask the pre-trapdoor of any keyword w i 2 {0, 1} Ã . S answers the questions of A as folloes.
1. For a keyword w i 2 {0, 1} Ã , S executes H 1 -Query to get a tuple (w i , h i , a i , c i ).
2. If c i = 0, S declares a failure and ends the game.

If
and returns T w i to A as response for the query.

Challenge.
A submits two keywords w 0 and w 1 where the keywords w 0 and w 1 's trapdoor had not asked by A.
• Otherwise, we know at least one of c 0 and c 1 is equal to 0. If c 0 = 0 and c 1 = 0, S picks randomly a bit b 2 {0, 1}.
• S picks a random element k 2 {0, 1} log p , and return {u 3 , k} to A as a response, where k imitates the post trapdoor in our proposed scheme. Note that, if A has an advantage in answer the above question. We have the implied settings: Repeated phase 1 adaptively.

Guess.
A submits a guess b 0 of b. If b 0 = b, A wins the game and break our scheme. Correctness Analyses. In the above simulation scheme, if the adversary can break the game and distinguish the keyword with a non negligible probability that means that the random element k it chooses is H 2 ðeðg; gÞ bgðaþa b Þ Þ. Then S can compute that k u 2 u 3 g a b ¼ eðg; gÞ abg which means it solves the DDH problem. Probability Analyses. We can prove that if A can win the game with a non negligible probability ε, then S can solve the BDH problem with the probability at least 2ε=eq T q H 2 . That process in detail in [36].
Because of the BDH assumption that the BDH problem is difficult, so the probability 2ε=eq T q H 2 is negligible. That is, our scheme is safe.
Taking attack model 2 (a selected keyword attack model from the cloud server) as an example, we give the specific flow chart of the game process in Fig 3.

A. Performance Analysis
The time complexity of our scheme. In the Setup phase, a public parameter and master key are generated. At this stage, the total number of attributes is defined as n. An exponentiation operation in G 1 or G 2 is defined as e. A pairing operation is defined as p. The time complexity of generating PP, MK, UK, GK is (2 + 2n)e + p, 0, 0, ne respectively. We calculate the total time complexity of Setup is (2 + 3n)e + p.
In algorithm Encrypt for d 2 number of attributes that associated with access structure. In order to compute CT, the user needs to run (2+2d 2 )e + p operations. So the time complexity of Encrypt is (2 + 2d 2 )e + p.
When generating the private key for a user with number of attributes d 1 , AA needs to run (2 + 3d 1 ) e addition operations in order to compute SK. So the time complexity of KeyGeneration algorithm is (2 + 3d 1 ) e.
In algorithm re encryption for d 3 number of attributes that ciphertext needs to update, CS needs to run d 3 e addition operations in order to update ciphertext component. So the time complexity of re encryption algorithm is d 3 e. In algorithm private key re generation for d 4 number of attributes that a user needs to update, the PS needs to run d 4 e addition operations in order to update ciphertext component. So the time complexity of private key re generation algorithm is d 4 e.
In algorithm attribute grant for d 3 number of attributes that a user needs to granted, PS needs to run d 3 e addition operations in order to compute the corresponding SK. So the time complexity of attribute grant algorithm is d 3 e.
In algorithm pre trapdoor generation for a keyword w, the user needs to run an exponentiation operation in order to hide the keyword. So the time complexity of pre trapdoor algorithm is e.
In algorithm post trapdoor generation for CS, the user needs to run a pairing operation. So the time complexity of post trapdoor algorithm is p.
In algorithm decryption for d 6 number of user's attributes satisfying an access structure, the data owner needs to run 2e + (1 + d 6 )p addition operations in order to compute the message M. So the time complexity of decryption algorithm is 2e + (1 + d 6 )p.

B. Comparison
We compare the computational complexity of our scheme with the existing schemes presented in [3,13,18] for the specific process in Table 3.

C. Simulation and Evaluation
In order to evaluate the performance of our CP-ABE construction, we test the runtime of the core algorithms Key Generation, Encryption and Decryption by user with different number of attributes. Fig 4 shows the test result. The implementation uses the Pairing Based Cryptography (PBC) library [37]. We can clearly see from  constant. This result is in agreement with our time complexity analysis in section Security and Performance analysis.

VI. Application
Our scheme is well suited for applications in cloud computing environments. Take search engine file management system for example. Firstly, users can become legitimate users by registered members. After the successful landing of legitimate users, users can not only search for documents of interest, but also upload local files to server. On the one hand because of the excessive number of users and documents, the system through the outsourcing of data files to a CS.
On the other hand because the grade of membership system of the operating construction, making part of the document can only download by some VIP members. In order to facilitate the management of the system, the system can set up an interior PS to help manage user membership grade and duration.
Ordinary users can become VIP users by way of payment. The process of granting the VIP attribute does not require the system upgrade and the update of the ciphertext. AA only to issue a grand command to the PS. When a user access, PS verify that the user is required to grant the attribute according to the identity. To user who needs to be granted attributes, PS will grant the attribute and private key to the corresponding user in time.
Once the VIP attribute is invalid or expires, AA will update the system in a timely manner and send update command to PS.

VII. Conclusion
In this paper, we propose an efficiently multi-user searchable encryption with attribute revocation and grant function for cloud storage.
• In the first scenario, we propose a CP-ABE scheme with attribute revocation and grant. Our scheme can not only support a single user attribute revocation or grant, but also to some users to grant or revoke a set of attributes.
• In the second scenario, we propose a multi user search scheme based on a single keyword. As we focus on the user attribute update instead of the keyword search in this paper. Aiming at the problem of conjunctive keyword search is a direction that we continue to research.
• In addition, the lazy update of the user's attribute and the private key increases the efficiency of the scheme. • Since PS in our scheme has the permissions granted attributes, in order to prevent a malicious PS to the user to grant a new attribute, we ask our PS must be honest and strict implementation of the tasks assigned by attribute authority. In other words, PS in strict accordance with the grant list to verify whether the user needs to grant attributes. Aiming at the problem of PS malicious attacks is another direction that we continue to research.