Searchable attribute-based encryption scheme with attribute revocation in cloud storage

Attribute-based encryption (ABE) is a good way to achieve flexible and secure access control over data. Attribute revocation is an extension of attribute-based encryption, and keyword search is an indispensable part of cloud storage. The combination of the two has important applications in cloud storage. In this paper, we construct a searchable attribute-based encryption scheme with attribute revocation in cloud storage. The keyword search in our scheme is attribute-based with access control: when the search succeeds, the cloud server returns the corresponding cipher text to the user, and the user is then able to decrypt it. Besides, our scheme supports multi-keyword search, which makes it more practical. Under the decisional bilinear Diffie-Hellman exponent (q-BDHE) and decisional Diffie-Hellman (DDH) assumptions, we prove that our scheme is secure in the selective security model.


Introduction
In 2005, Waters et al. [1] came up with the concept of attribute-based encryption (ABE), which was much more flexible than traditional public-key encryption. As ABE has developed, attribute revocation has attracted more and more attention. An efficient attribute revocation scheme is an integral part of an ABE scheme and one of the difficulties in applying ABE, so the study of ABE is inseparable from research on attribute revocation. In 2006, P. Traynor et al. [2] put forward a scheme that achieved the update of the secret key. However, it required the user to keep in close contact with the attribute authority to get the secret key. Thereafter, Kumar et al. [3] presented an ABE scheme with revocation, extended from the IBE scheme they had proposed before. All of these schemes require users to access the attribute authority at regular intervals for key reissuing.
In 2008, Jiang et al. [4] gave a scheme that solved the key misuse problem of users. However, in this scheme the third party had to be included in each decryption key of users, which made it unrealistic. After that, Kim et al. [5] inserted the users' information into the attribute secret key by using the black box model and sent it to the user, which was more efficient at guaranteeing the security of the system. Attrapadung et al. [6] put forward two revocation models: the direct revocation model and the indirect revocation model. In the direct revocation model the sender specifies the revocation list, and in the indirect revocation model the key center updates the secret key periodically. In [7] [8], the authors gave some ABE instances. However, the above schemes do not address keyword search, so users cannot effectively search for files.
To overcome this problem, Boneh et al. [9] proposed a single keyword search scheme, in which the user can only search for a single keyword. In this scheme, the data owner extracted the keywords from the file before encryption and used the public key to encrypt the keywords. After that, the data owner sent the file and the index of the keywords to the cloud server. The user could generate the search token for the keywords he wanted to search and send it to the cloud server. The cloud server used the matching algorithm to find the cipher text and returned it if the match was successful.
Searchable encryption has many practical applications. In 2011, Kerschbaum et al. [10] proposed a secure conjunctive keyword search scheme for unstructured text, and the scheme was proved secure in the random oracle model. In the same year, Cao et al. [11] and Chuanh et al. [12] gave schemes for multi-keyword search over encrypted data.
In 2014, Han et al. [13] proposed an attribute-based encryption (ABE) searchable scheme that used homomorphic encryption technology. Sahai et al. [14] gave an outsourcing technique based on the scheme of Gentry et al. [15]. After that, Liang K et al. [16] proposed an efficient and secure searchable ABE mechanism for cloud storage. This model can be applied to real life, such as the safety of electric power systems, and the scheme is secure in the random oracle model. Later, Li et al. [17] proposed a searchable ABE scheme with attribute revocation in cloud storage.
Willy Susilo et al. [18] proposed a searchable scheme that supported multiple keywords search. At the same time, Li J et al. [19] made a searchable CP-ABE with revocation. In this scheme, the receivers could not steal any information from the cipher text because the access structures were partially hidden, which made the scheme more secure.
In 2016, Wen et al. [20] proposed a verifiable attribute-based keyword search scheme with fine-grained owner-enforced search authorization in the cloud. This scheme supports user revocation. Besides, it allows data owners to encrypt the data and outsource it to the cloud server. In the same year, Yang et al. [21] proposed a conjunctive keyword search scheme with designated tester. A user can search within a specified time if he is authorized, and the scheme is proved secure in the standard model. In 2017, Jiang et al. [22] proposed a keyword search scheme with efficiency and verification for cloud data, which allows multi-keyword search. Finally, they gave the security analysis of the scheme. Later, Poon et al. [23] constructed a conjunctive keyword search scheme. This scheme allows phrase search and has a smaller storage cost.

Our contribution
In 2012, Qiang Li et al. [24] put forward a scheme with fine-grained attribute revocation. However, the scheme only achieves attribute revocation and does not involve keyword search, so system users cannot effectively download the cipher text they are interested in from the cloud server.
In this paper, we propose a keyword search attribute-based encryption scheme with attribute revocation. The new scheme supports not only attribute revocation but also keyword search. When a user wants to search for a file he is interested in, he sends the search token to the cloud server, and the cloud server runs the test algorithm. If the test is successful, it returns the file. In this way, the user can download the file he is interested in and save storage space at the same time. Finally, under the q-BDHE and DDH assumptions, we prove that our scheme is secure in the selective security model.

Preliminaries
A linear secret sharing scheme can be used to represent an access control policy $(M, \rho)$, where $M$ is an $l \times k$ matrix, $S = \{att_1, \ldots, att_n\}$ is an attribute set, and for $i \in [1, l]$, $\rho(i) \to S$ is a mapping function that maps a row to an attribute.
Linear Secret-Sharing Scheme (LSSS) [25] A linear secret sharing scheme includes two algorithms:
Share: This step disperses the secret value $s$ to the attributes specified by $\rho$ as follows: selecting $v_2, \ldots, v_k \xleftarrow{R} Z_p$, setting $\tilde{V} = (s, v_2, \ldots, v_k)$ and computing $\lambda_i = M_i \cdot \tilde{V}$, where $M_i$ is the $i$th row of $M$, it assigns the secret share $\lambda_i$ to the attribute $\rho(i)$.
Combine: This step recovers the secret value from the secret shares related to the attributes as follows: selecting the subset $I = \{i : \rho(i) \in S\}$, where the attribute set $\{\rho(i) \mid i \in I\}$ satisfies the access control strategy $(M, \rho)$, and computing coefficients $k_i$, $i \in I$, such that $\sum_{i \in I} k_i M_i = (1, 0, \ldots, 0)$, we obtain $\sum_{i \in I} k_i \lambda_i = s$.
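The Share and Combine steps above, carried through in code as an added example (not code from the paper or its JPBC implementation). The policy matrix, the toy prime used in place of the group order $p$, and all function names are assumptions made for illustration.

```python
import secrets

P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

# Constructed policy "A AND (B OR C)": row i of M is labelled by rho[i].
M_POLICY = [[1, 1], [0, -1], [0, -1]]
RHO_POLICY = ["A", "B", "C"]

def share(M, s):
    """Share: V = (s, v_2..v_k) with random v_j, lambda_i = M_i . V mod p."""
    V = [s % P] + [secrets.randbelow(P) for _ in range(len(M[0]) - 1)]
    return [sum(m * v for m, v in zip(row, V)) % P for row in M]

def solve_mod(A, b):
    """One solution x of A x = b over Z_p (Gauss-Jordan), or None if none exists."""
    rows, cols = len(A), len(A[0])
    aug = [[x % P for x in A[r]] + [b[r] % P] for r in range(rows)]
    pivots, r = [], 0
    for c in range(cols):
        pr = next((i for i in range(r, rows) if aug[i][c]), None)
        if pr is None:
            continue  # free column, its coefficient stays 0
        aug[r], aug[pr] = aug[pr], aug[r]
        inv = pow(aug[r][c], -1, P)
        aug[r] = [x * inv % P for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
    if any(row[-1] for row in aug[r:]):
        return None  # (1,0,...,0) is not in the span of the selected rows
    x = [0] * cols
    for i, c in enumerate(pivots):
        x[c] = aug[i][-1]
    return x

def combine(M, rho, shares, attrs):
    """Combine: find k_i with sum k_i M_i = (1,0,...,0), return sum k_i lambda_i."""
    I = [i for i in range(len(M)) if rho[i] in attrs]
    if not I:
        return None
    width = len(M[0])
    A = [[M[i][c] for i in I] for c in range(width)]  # columns are the rows M_i
    k = solve_mod(A, [1] + [0] * (width - 1))
    if k is None:
        return None  # attribute set does not satisfy (M, rho)
    return sum(ki * shares[i] for ki, i in zip(k, I)) % P

if __name__ == "__main__":
    lam = share(M_POLICY, 42)
    print(combine(M_POLICY, RHO_POLICY, lam, {"A", "C"}))  # authorized set
    print(combine(M_POLICY, RHO_POLICY, lam, {"B", "C"}))  # unauthorized set
```

An attribute set that loses a required attribute, such as `{"B", "C"}` here, yields no coefficients $k_i$ and therefore no secret.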
Decisional q-BDHE assumption [24] The decisional q-BDHE assumption in our article is defined as follows: choose a group $G_1$ of prime order $p$, let $g$ be a generator of $G_1$, and define $e: G_1 \times G_1 \to G_2$. The adversary is given a vector $(g, g^s, g^a, g^{a^2}, \ldots, g^{a^q}, g^{a^{q+2}}, \ldots, g^{a^{2q}}) \in G_1^{2q+1}$. We say that the decisional q-BDHE assumption holds in $G_1$ if no polynomial-time algorithm has a non-negligible advantage in distinguishing $e(g, g)^{s a^{q+1}}$ from a random element of $G_2$.
Zero Inner-product [24] The ID represents the identity of the user associated with the user's private key. Define a vector $X = (x_1, \ldots, x_n)^T$ such that $x_i = ID^{i-1}$, $i \in [1, n]$. To encrypt with a revoked user set $R = \{ID_1, \cdots, ID_q\}$, one defines $Y = (y_1, \ldots, y_n)^T$ as the coefficient vector of $P_R[Z]$ from where, if $q + 1 < n$, the coordinates $y_{q+2}, \cdots, y_n$ are set to 0. By doing so, we note that For example, if the user $ID_1$ in the revoked user set $R = \{ID_1, ID_3\}$, we have that
Decisional DDH assumption [10] Let $G_1$ be a group of prime order $p$, let $g$ be a generator of $G_1$, and give a tuple $(g, g^a, g^b)$ where $a, b \in_R Z_p$. We say that the decisional DDH assumption holds if no polynomial-time algorithm has a non-negligible advantage in distinguishing whether $Z$ equals $g^{ab}$ or a random element of $G_1$.
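The zero inner-product encoding defined above, as an added example (not code from the paper). It assumes the usual definition $P_R[Z] = \prod_{ID_i \in R}(Z - ID_i)$, whose formula does not appear in the text above, so that $\langle X, Y \rangle = P_R(ID)$ is zero exactly for revoked identities; the toy prime, the sample IDs and the function names are constructed for illustration.

```python
P = 2**61 - 1  # toy prime standing in for the group order p (assumption)

def revocation_vector(revoked_ids, n):
    """Y = (y_1..y_n): coefficients of prod (Z - ID_i) mod p, lowest degree
    first, with y_{q+2}..y_n set to 0 when q + 1 < n."""
    if len(revoked_ids) + 1 > n:
        raise ValueError("revocation list too long for vector length n")
    coeffs = [1]
    for rid in revoked_ids:
        nxt = [0] * (len(coeffs) + 1)
        for d, c in enumerate(coeffs):       # multiply by (Z - rid)
            nxt[d] = (nxt[d] - rid * c) % P
            nxt[d + 1] = (nxt[d + 1] + c) % P
        coeffs = nxt
    return coeffs + [0] * (n - len(coeffs))

def identity_vector(uid, n):
    """X = (x_1..x_n) with x_i = ID^(i-1) mod p."""
    return [pow(uid, i, P) for i in range(n)]

def inner(X, Y):
    return sum(x * y for x, y in zip(X, Y)) % P

def is_revoked(uid, revoked_ids, n):
    """<X, Y> = P_R(ID), which is 0 exactly when ID is a root, i.e. revoked."""
    return inner(identity_vector(uid, n), revocation_vector(revoked_ids, n)) == 0

def split_users(user_ids, revoked_ids, n):
    """Partition users with a single Y, as an encryptor or server would."""
    Y = revocation_vector(revoked_ids, n)
    revoked = [u for u in user_ids if inner(identity_vector(u, n), Y) == 0]
    active = [u for u in user_ids if u not in revoked]
    return revoked, active

if __name__ == "__main__":
    R = [101, 303]                      # constructed IDs: R = {ID_1, ID_3}
    print(revocation_vector(R, 5))      # two trailing zeros since q + 1 < n
    print(split_users([101, 202, 303, 404], R, 5))
```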
Trapdoor $(pp, W', \tau) \to \tau^*$: This algorithm is executed by the user. It takes as input the public parameter $pp$ and the keyword set $W'$, and outputs the new token $\tau^*$.
Test $(\tau^*, Ind) \to 1$ or $0$: This algorithm is executed by the cloud storage server. It takes as input the search token $\tau^*$ and the keyword index $Ind$, and outputs 1 or 0.
Decryption $(pp, ID, sk, R_\theta, ct) \to m$: This algorithm is executed by the user. It takes as input the public parameter $pp$, the user secret key $sk$ of user $ID \in U$, a revocation list $R_\theta \subseteq U$ of attribute $\theta \in \omega$, and a cipher text $ct$. And the user ID has the attribute set $\omega'$ as: if

Security model
(1) Selective security model of attribute revocation.
Init. The adversary $A$ chooses the attribute set $\omega^*$ and a revocation list $R^*_\theta$ $(\theta \in \omega^*)$.
Setup. The simulator runs this algorithm to get the public parameter $pp$ and sends it to the adversary.
Phase 1. The adversary queries the simulator for the user private key $sk$ corresponding to the access structure $(M, \rho)$, such that $\omega^{*\prime}$ does not satisfy the access structure $(M, \rho)$.
Challenge. The simulator receives two messages $m_0$ and $m_1$ from the adversary, chooses a random bit $b \in \{0, 1\}$ to encrypt $m_b$, and computes the challenge cipher text $ct^*$ with the attribute set $\omega^*$ and the attribute revocation list $R^*_\theta$.
Phase 2. Same as Phase 1.
Guess. The adversary gives a guess $b'$ of $b$, and the advantage of the adversary in this game is defined as $|\Pr[b' = b] - \frac{1}{2}|$.
Definition 1. The scheme is secure in this game model if no polynomial-time adversary has a non-negligible advantage in the above game.
(2) Indistinguishability against chosen keyword attack (IND-CKA) model.
Init. The adversary $A$ selects an attribute set $\omega^*$ and a user revocation list $R^*_\theta$ of $\theta \in \omega^*$. Then $B$ runs the algorithm to generate the public parameter $pp$ and sends it to the adversary $A$.
Phase 1. The adversary queries the challenger as follows: 1. The index of keywords $\{w_1, w_2, \ldots, w_N\}$.
Challenge. The challenger receives two different keywords $w^*_0$ and $w^*_1$ from the adversary. We require that the keywords $w^*_0$ and $w^*_1$ satisfy that $\forall j$; , and give the index of keywords $w^*_b$ to the adversary.
Phase 2. Same as Phase 1.
Guess. The adversary gives a guess $b'$ of $b$, and the advantage of any adversary in this game is defined as $|\Pr[b' = b] - \frac{1}{2}|$.
Definition 2. We say a searchable encryption scheme with multiple keywords is secure based on the game IND-CKA if the advantage of the adversary is negligible in the above game.

Implement of the algorithm
Our construction is based on that of Qiang Li et al. [24], and we combine keyword search with attribute revocation in our new scheme. The user constructs the search token when he wants to search files. If the search is successful and the attribute set satisfies the access structure, the Test algorithm outputs 1, and the cloud server returns the cipher text. Our scheme adds access control to search; in this way the user can download the files he is interested in and is able to decrypt them, and storage space is saved. We construct our scheme as follows:
Setup $(\lambda) \to msk, pp$: Let $G_1$ and $G_2$ be two groups of prime order $p$, where the binary size of $p$ is $\lambda$, and let $g$ be a generator of $G_1$. Define $e: G_1 \times G_1 \to G_2$. In this paper, we suppose the maximum number of attributes in encryption is $m$, and $n$ represents the maximum size of the revoked user set in the revocation list. Then randomly choose $\alpha, \beta, \delta \in Z_p$, . . . ; g a n )^T and randomly then the master key msk and public parameter pp are: and set the private key as then send $sk$ and $\tau$ to the user.
Encryption $(pp, \omega, R_\theta, m) \to ct$: Suppose that a message $m$ is encrypted with an attribute set $\omega$ and a revocation list $R_\theta \subseteq U$ for attribute $\theta \in \omega$. Define a vector $Y = (y_1, \ldots, y_n)^T$ as the coefficient vector of $P_{R_\theta}[Z]$, randomly choose $s \in Z_p$, then output
The data owner first encrypts the file $F$ with a symmetric encryption algorithm and gets the cipher text $F^*$; suppose that the symmetric encryption key is $m$. The keyword set $W = \{w_1, w_2, \ldots, w_N\}$ is extracted from $F$. Randomly choose $t \in Z_p$, output the keyword index $Ind = \langle I_0, I_{1,j}, I_{2,0},$ and send $\langle Ind, ct, F^* \rangle$ to the cloud server.
Trapdoor $(pp, W', \tau) \to \tau^*$: The user constructs the search token $\tau^*$ according to the keywords $W' = \{w_{j_1}, w_{j_2}, \ldots, w_{j_{N_1}}\}$, $(1 \le j_1, \ldots, j_{N_1} \le N)$, he is interested in as $\ldots, N_1;\ j_q = 1, \ldots, N$ and sends the search token $\tau^* = \langle \tau_1, \tau_{2,0}, \tau_{2,1}, \tau_3 \rangle$ and his ID to the cloud server.
Test $(\tau^*, Ind) \to 1$ or $0$: The cloud server receives the search token from the user. First, the cloud server checks whether the ID of the user is in the revocation list $R_\theta$. If $ID \in R_\theta$, let $\omega' = \omega - \{\theta\}$; otherwise, $\omega' = \omega$. If the set $\omega'$ satisfies the access structure $(M, \rho)$, then there exists a set of constants If the equations all hold, it returns the corresponding cipher text $\langle ct, F^* \rangle$ to the user, and the user can decrypt. Otherwise, it outputs 0.
(2) When $ID \in R_\theta$, the cloud server selects $N_1$ keyword indexes from $Ind$; we denote the result of selecting is $\{I$ (2) When $ID \notin R_\theta$, calculate so that when $\langle X, Y \rangle \ne 0$, and then calculate

Correctness analyses
In this subsection, we show that our construction is correct with some appropriate parameters setting.
(1) In the process of search, the equation holds; it means that the cloud server selects $N_1$ keyword indexes from $Ind$, which we denote $\{I_{1,O_1}, I_{1,O_2}, \ldots$
is matching the search token of the keywords $\{w_{j_1}, w_{j_2}, \ldots, w_{j_{N_1}}\}$, $(1 \le j_1, \ldots, j_{N_1} \le N)$, from the user, then computes that
(2) The decryption process first calculates . .

Selective security model proof
Theorem 1. If an adversary can break our scheme with advantage $\varepsilon$ in the selective security model, then we can construct a simulator to solve the decisional q-BDHE problem with advantage $\frac{\varepsilon}{2}$.
Proof: This proof is based on [24]. The simulation proceeds as follows. First, the challenger sets $Y = (g, g^s, g_1 = g^a, g_2 = g^{a^2}, \ldots, g_q = g^{a^q}, g_{q+2} = g^{a^{q+2}}, \ldots, g_{2q} = g^{a^{2q}})$. Then the challenger flips a fair binary coin $\mu$: if $\mu = 0$, the challenger sets $Z = e(g_1, g_q)^s$; if $\mu = 1$, the challenger picks a random element $Z$ from $G_2$.
i. When $\rho(i) \in \omega^*$, $B$ computes that and randomly chooses $r_{i,0}, r_{i,1} \in Z_p$ and computes that $D^{(i)}$
ii. When $\rho(i) \notin \omega^*$, $B$ computes that and randomly chooses $r, \{r'_{i,0}\}_{i \in [l]}, \{r'_{i,1}\}_{i \in [l]} \in Z_p$, and sets r_{i,0} = r'_{i,0} − a q m'(ρ(i)) (M_i · p) and
(2) When $ID \in R^*_\theta$ and sets $\{ID = ID_k\}_{k \in [1,m]}$. The simulator $B$ randomly chooses $r' \in Z_p$ and sets $r = r' - a^k$. Defines $A = B \cdot Z + \delta$, the first term of $A$ is $a^{q+1-j}$, and computes that $a^{q+1-j+k} \cdot$ randomly chooses $\{\eta_i\}_{i \in [2,l]} \in Z_p$ and defines $\eta = (\alpha + r\alpha_1, \eta_2, \ldots, \eta_l)^T$, and for $i \in [1, p]$, sets As $\omega^{*\prime}$ does not satisfy the access structure, the simulation of $D^{(i)}_{1,1}$ and $D^{(i)}_{2,1}$ is the same as in the previous case. For $\{K_i\}_{i \in [2,n]}$, the simulator $B$ can compute $K_X = (K_2, \ldots,$
Challenge. The adversary $A$ submits two messages $m_0$ and $m_1$, and $B$ randomly chooses $m_b$ where $b \in \{0, 1\}$ to encrypt. Then computes Then the simulator $B$ defines $Y = (y_1, \cdots, y_n)^T$ according to the revocation list $R^*_\theta$ and $\langle X_k, Y \rangle = 0$ for $k \in [1, m]$. And we have that $Y = M_{X_k} \cdot \gamma_1$ where $\gamma_1 = (y_2, \cdots, y_n)^T$, then Then $B$ sends the challenge cipher text $ct^* = (C, C_1, C_{2,0}, C_{2,1}, C_3)$ to the adversary $A$. If $\mu = 0$, then $Z = e(g_1, g_q)^s$, and the challenge cipher text $ct^*$ is a valid random encryption of message $m_b$. If $\mu = 1$, then $Z$ is a random element of $G_2$, and $ct^*$ is also random from the adversary's view and contains no information about $m_b$.
Guess. The adversary $A$ outputs the guess $b'$ of $b$. $B$ outputs $\mu = 0$ to guess that $Z = e(g_1, g_q)^s$ if $b' = b$; otherwise, $B$ outputs $\mu = 1$, which indicates that $Z$ is a random element in $G_2$. And the advantage of simulator $B$ to solve the q-BDHE problem is

IND-CKA security proof
Theorem 2. Suppose there exists a polynomial-time adversary $A$ which can attack our scheme with advantage $\varepsilon$ in the IND-CKA model. We can construct a simulator $B$ that can solve the DDH problem in $G_1$ with probability at least $\frac{\varepsilon}{4e(M + TN_1 + \frac{1}{2})}$, where $e$ is constant, and we assume the adversary $A$ makes $M$ index queries and $T$ search token queries (each containing $N_1$ keywords) in each phase [10].
Proof: $B$ is given an instance $g, g^a, g^b, g^c$ of the DDH problem in $G_1$. In the following parts, we construct the cipher text by setting $\delta = b$. The simulation proceeds as follows:
Init. The adversary $A$ selects an attribute set $\omega^*$ and a user revocation list $R^*_\theta$ of $\theta \in \omega^*$. $B$ is given an instance $g, g^a, g^b, g^c$ of the DDH problem in $G_1$. Then $B$ runs the algorithm to generate the public parameter $pp$ and sends it to the adversary $A$.
Phase 1. $B$ maintains a hash list $L = \{w_j, \alpha_j, l_j\}$ and randomly chooses $\alpha_j \in Z_p$ for keywords $w_j$ with biased coin flip $l_j$. The list is empty at the beginning, and $B$ simulates the hash function as a
Probability Analyses. Suppose that the adversary $A$ makes $M$ index queries and $T$ search token queries in each phase. The probability that $B$ will not be terminated in the two query phases 1 and 2 is $\sigma^{2(M + TN_1)}$, and the probability that it will not be terminated during the challenge step is $1 - \sigma$, which results in an overall probability that $B$ does not abort of $\sigma^{2(M + TN_1)} \cdot (1 - \sigma)$. And, through the computes that the maximum is $\sigma = 1 -$

Performance analyses
In this section, we give some performance analysis of our scheme. The hardware runtime environment is an Intel Core i5-3470 CPU @ 3.20GHz with 4.00GB of RAM. The software runtime environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10.
Our scheme is also compared with the schemes of [26,27,28] in Table 2.
As we can see from Table 2, our scheme has a large amount of computation in KeyGen and Encryption generation, because our scheme doesn't need to update the cipher text and secret key when attributes are revoked. However, the schemes of [26], [27] and [28] don't achieve the function of attribute revocation.
As is shown in Fig 2, we suppose that there are 16 attributes in the policy and plot the keyword index building time in Fig 2(a) and the search token building time in Fig 2(b). We can find that the effect of the increase of the attributes on the time is not particularly evident in our scheme, which takes less time than Zhiquan's [29].

Conclusions
In our scheme, we add keyword search on top of attribute revocation, with the search tokens generated by the attribute authority and the user. The cloud server's matching is divided into two cases, the user being in the revocation list or not in the revocation list, and the cloud server uses a different test for each case. It returns the cipher text when the attribute set meets the access structure and the search keywords exist, and the user can decrypt correctly. The scheme also supports multiple keywords search, which makes it more flexible in practical applications.