A keyword searchable attribute-based encryption scheme with attribute update for cloud storage

Ciphertext-policy attribute-based encryption (CP-ABE) scheme is a new type of data encryption primitive, which is very suitable for data cloud storage for its fine-grained access control. Keyword-based searchable encryption scheme enables users to quickly find interesting data stored in the cloud server without revealing any information of the searched keywords. In this work, we provide a keyword searchable attribute-based encryption scheme with attribute update for cloud storage, which is a combination of attribute-based encryption scheme and keyword searchable encryption scheme. The new scheme supports the user's attribute update, especially in our new scheme when a user's attribute need to be updated, only the user's secret key related with the attribute need to be updated, while other user's secret key and the ciphertexts related with this attribute need not to be updated with the help of the cloud server. In addition, we outsource the operation with high computation cost to cloud server to reduce the user's computational burden. Moreover, our scheme is proven to be semantic security against chosen ciphertext-policy and chosen plaintext attack in the general bilinear group model. And our scheme is also proven to be semantic security against chosen keyword attack under bilinear Diffie-Hellman (BDH) assumption.


Introduction
Attribute-based encryption (ABE) [1][2][3][4] is regarded as an effective encryption method with fine grained access control in the cloud storage. Attribute-based encryption can be divided into two types of key-policy attribute-based encryption [1] (KP-ABE) and ciphertext-policy attribute-based encryption [2] (CP-ABE). The KP-ABE scheme refers to that the ciphertext is associated with an attribute set, and a user's secret key is associated with an access policy. A user can decrypt the ciphertext if and only if the ciphertext's attribute set satisfy the access policy of user's secret key. The CP-ABE scheme refers to that the ciphertext is associated with an access policy, and a user's secret key is associated with an attribute set. A user is can decrypt the ciphertext if and only if his attribute set satisfy the access policy of the ciphertext.
At present, many ABE schemes [5][6][7][8][9] have been proposed, which provide secure data access control and overcome the shortcomings of one-to-one encryption pattern in identity-based encryption scheme. However, these schemes are still defective to be used in practice, as the a1111111111 a1111111111 a1111111111 a1111111111 a1111111111 attribute of a user is dynamic, which may be changed over time. Thus the attribute revocation mechanism is necessary for ABE scheme to be used in practice.
The revocation mechanism can be divided into two types: direct revocation mechanism and indirect revocation mechanism. Imai and Attrapaduang [10] gives a clear definition of direct revocation and indirect revocation. Direct revocation is defined as: the sender specifies a revocation list when encrypting the data. Indirect revocation is defined as: the authorized institutions regularly issue key updates to non-revoked users. At present, many schemes with direct revocation [11][12][13][14] have been proposed. Li et al. [11] proposed an identity-based revocation scheme that performs directed revocation by giving the revocation rights to encipherer directly. Tu et al. [14] proposed a revocable ABE scheme. In addition, some indirect attribute revocation schemes [15][16][17][18] have also been proposed. Yu et al. [15] proposed an attribute based data sharing scheme with attribute revocation. In this scheme, user's any attribute can be revoked by proxy re-encryption technique. Li et al. [18] proposed a scheme that supports user's attribute revocation, but the scheme could only revoke a single attribute of the user, thus it could not satisfy the actual needs.
The attribute update is another significant problem in the ABE environment. In actual life, a user's attribute set may need to be updated over time when his working role may be changed. For example, assume that Alice is a company employee, then her attribute set needs to be updated when her working role is promoted from a programmer lifted to a project manager, thus her former attribute set A = "female, programmer" should be changed to a new attribute set B = "female, project manager". And the attribute authority (AA) should issue an update key to update Alice's secret key. Meanwhile, the attribute authority must ensure that the employee Alice cannot further use her previous key related to the attribute set "female, programmer" to access the ciphertexts. Thus, the attribute update is not a simple process. Some attribute update schemes [19][20][21]have been proposed. However, these schemes have a common problem, the problem is that if there is a user's an attribute is updated, and then many other user's secret key and a lot of ciphertexts related with this attribute need to be updated, which will undoubtedly waste a lot of computational resources.
To address this problem, we give a feasible solution in this paper. The main idea of our solution is that the secret key of a user is divided into two parts, one part which is irrelevant to attribute is retained by the user, and the other part which is relevant to attribute is sent to the cloud server(CS). When an attribute of any user needs to be updated, the AA issues an update key to CS. Then CS only updates the secret key of this attribute for all valid users, and other secret key of all user and the ciphertexts related with this attribute need not to be updated. This method will greatly reduce the work load of the system.
Although attribute based encryption technology provides an effective means for data confidentiality, yet it brings another new problem that the users may find it difficult to search for interesting data from a vast number of encrypted data. This problem is called keyword search problem [22]. One of the simplest searching methods is to download all encrypted data locally and then to decrypt it, finally to execute keyword search in plaintext. However, this method will waste huge computational resource and bring a vast cost for user to do the work of decryption.
Another extreme searching method is to send the secret key of the user and keywords to CS, then CS decrypts all of the ciphertexts and performs searching operation on plaintext. But this method will expose the user's secret key and privacy of search keyword to CS, this is infeasible. Some search-based encryption schemes [23][24][25][26] have been proposed. Such as Boneh et al. [23] first proposed a public key encryption with keyword search scheme. Dan and Ostrovsky [24] proposed a public key cryptographic scheme that allows privacy data retrieval (PIR), and allows multiple data contributors to upload their data with public key by encryption algorithm, and only the user with the corresponding secret key can decrypt the data.
Some search encryption schemes [27][28][29][30] focuses on search efficiency have also been proposed. Fu et al. [27] proposed a scheme that not only supports multi-keyword ranked search but also provides parallel search. Li et al. [28] put forward a scheme which supports multi-keyword search. In this scheme, users can retrieve multiple keywords at once, and which greatly improves the search efficiency and search accuracy. Sun et al. [30] proposed a verifiable attribute-based keyword search scheme that supports fine-grained search authorization scheme. In this scheme, multiple data owners and multiple users are supported, and the scheme also supports fine-grained search authorization.
In addition, some schemes focus on achieving both attribute revocation and keyword search have been proposed [31,32].The schemes [31,32]which not only support user's multiple attributes revocation but also provide keyword search. However, our new scheme is different from the schemes [31,32], and the differences between our scheme and schemes [31,32]can be described as follows: firstly, the scheme [32] is based on the key-policy(KP-ABE). The new scheme and the scheme [31] are based on the ciphertext policy (CP-ABE), where the scheme [31]makes use of the access tree as access policy, while the new scheme makes use of LSSS as access policy. So the new scheme is different from the schemes [31,32]. Secondly, the scheme [31] supports public keyword searchable, and the keyword index and trapdoor are generated with the help of the cloud server. The ciphertext and the keyword index of the scheme [32] are associated with attribute. The new scheme also supports public key keyword search, but the keyword index and trapdoor generation phase is independently realized by user. Furthermore, the based on the difficult problems of the new scheme and schemes [31,32]are different. The scheme [31] is proven to be secure under the assumption of bilinear Diffie-Hellman (BDH)in selective security model. The scheme [32] is proven to be secure under the assumption of decisional bilinear Diffie-Hellman exponent(q-BDHE) and decisional Diffie-Hellman (DDH) in the selective security model. The new scheme is proven to be secure in the general bilinear group model.

Our contributions
In this paper, we propose a keyword searchable attribute-based encryption scheme with attribute update for cloud storage. The main contributions of our scheme are summarized as follows: 1. The new scheme is a combination of ABE scheme and keyword searchable encryption scheme. So our scheme not only solves the problem of confidentiality of the data with fine -grained access control but also solves the problem of keyword search. Moreover, the scheme is proven to be semantic security against chosen ciphertext-policy and chosen plaintext attack in the general bilinear group model.

Functional comparisons
We compare the function of our scheme with some exiting schemes [13,19,21,29,31] in Table 1.

Bilinear map [33]
Let G 0 and G 1 be two multiplicative cyclic bilinear groups of prime order p. Let g be a generator of G 0 . A bilinear map is a map e : G 0 Â G 0 ! G 1 with the following properties: 1. Bilinearity: for all g 2 G 0 and a; b 2 Z p , we have e(g a ,g b ) = e(g,g) ab .

Computability:
There is an efficient algorithm to compute e(u,v) for u; v 2 G 0 .

Bilinear Diffie-Hellman assumption [34]
The BDH problem in G 0 is defined as follows: taken ðg; g a ; g b ; g c Þ 2 G 0 as input, compute eðg; gÞ abc 2 G 1 . We say that the adversary A has ε advantage in solving BDH problems in G 0 if Prj½Aðg; g a ; g b ; g c Þ ¼ eðg; gÞ abc j ! ε We say that the BDH assumption holds in G 0 if no probability polynomial adversary A has non-negligible advantage in solving the BDH problem in G 0 .

Generic bilinear group model [2]
We suppose there are two random encodings C 0 ; C 1 : Z þ p ! f0; 1g Ã , where Z p is an additive group and m > 3logp. For i = 0,1, we set G i ¼ fC i ðxÞ : x 2 Z þ p g. We are given oracles to compute the induced group action on G 0 ; G 1 and an oracle to compute a non-degenerate bilinear map e : G 0 Â G 0 ! G 1 . And we are also given a random oracle to represent the hash function H.

Linear secret sharing schemes [33]
A linear secret sharing scheme ∏ over a set of parties P is called linear (over Z p ) if 1. The shares for each party form a vector over Z p .
2. There exists a matrix M with l rows and n columns called the share-generating matrix for ∏. For all i = 1,2,Á Á Á,l, the function ρ defines the party labeling ith row of M as ρ(i). When we consider the column vector v ¼ ðs; r 2 ; Á Á Á ; r n Þ 2 Z n p , where s 2 Z p is the secret to be shared, and r 2 ; Á Á Á ; r n 2 Z n p are randomly chosen. Then Mv is the vector of 1shares of the secret s according to ∏. The share (Mv) i belongs to party ρ(i).
Suppose ∏ that is an LSSS for the access structure A. Let S 2 A be any authorized set, and I & {1,Á Á Á,l}. Then, there exist constants fo i 2 Z p g i2I such that, if {λ i } are valid shares of any secret s according to ∏, then ∑ i2I ω i λ i = s. Furthermore,there these constants {ω i } can be found in time polynomial in the size of the share -generating matrix M.

System model
A system framework of our scheme includes the main four entities is presented in Fig 1. Attribute authority (AA). The AA is a perfectly trusted entity. It takes charge of the system establishment, user registration, attributes management and secret key generation. And when an attribute of a user needs to be updated, the AA generates an updated key for the user.
Cloud server (CS). The CS is responsible for storing the data and providing data access for legitimate users. It is also responsible for keyword search when a search trapdoor is received from a user. And it also takes charge of updating the user's partial secret key which related to the updated attribute and helps legitimate users to partially decrypt the ciphertext by using partial secret key of the user. Data owner (DO). The data owner encrypts its owner data and builds keyword indexes, and then outsources them to the CS.
User (U). Each legitimate user can search their interesting the files from system. The user generates a search trapdoor to protect the privacy of the search keyword. Then the user sends his identity and search trapdoor to CS. Without revealing any information about keyword search, the CS will find the encrypted file includes the keywords and do a lot of partial decryption work to reduce the decryption load of the user. Finally, the user gets the partial decrypted files, and then decrypts the partial decrypted files by using his owner partial secret key.

Algorithm description
We proposed a keyword searchable attribute-based encryption scheme with attribute update for cloud storage includes the following eight phases.
Phase 1: System initialization. AA.Setup (λ,L) ! (PP,MSK,PK s ,SK s ). The setup algorithm inputs a security parameters λ and an attribute universe L, and outputs the public parameters PP, the master secret key MSK, the CS's public and secret key pairs (PK s ,SK s ).
Phase 2: Key generation. AA.KeyGen ðMSK; id; The key generation algorithm inputs the master secret key MSK, an user's identity id and the user's attribute set S U id , and outputs the user's secret key ðSK U id;1 ; SK U id;2 ; X U id Þ, the user's search secret and public key pairs (A priv ,B pub ).

Phase 3: File encryption and create keyword index.
To get ciphertext E k (F), the DO encrypts file F with symmetric key k by the symmetric encryption algorithm. Then DO encrypts the symmetric key k by the following encryption algorithm.
DO.Encrypt (PP,k,(M,ρ)) ! CT. The encryption algorithm inputs the public parameter PP, the symmetric key k and the LSSS access structure (M,ρ), and outputs a ciphertext CT.
DO.Index (W,B pub ) ! I W . The index generation algorithm inputs a set of keywords W and data owner's search public key B pub , and outputs the keywords index set I W .
Phase 4: Trapdoor generation. U.AuthorizationKey ðPP; PK s ; X U id Þ ! K 0 U id . The authentication information generation algorithm inputs public parameters PP, the CS's public key PK s and the user's secret key X U id , and outputs the authentication information K 0 U id . U.Trapdoor (w,PK s ,A priv ) ! T w . The trapdoor generation algorithm inputs a keyword w, the CS's public key PK s and the user's search secret key A priv , and outputs the search trapdoor T w .
Phase 5: Verification. CS.Verifing ðid; K 0 U id Þ ! ð0; 1Þ. The validation algorithm inputs user's identity id and the authentication information K 0 U id , and outputs 1or 0. Phase 6: File retrieval. CS.Test (I W ,T w ) ! (0,1). The test algorithm inputs the keywords index set I W and the user's search trapdoor T w , and outputs1or 0.
Phase 7: Data decryption. CS.PreDecrypt ðCT; SK U id;2 Þ ! CT 0 . The pre-decryption algorithm inputs the ciphertext CT for the access structure (M,ρ) and user's secret key SK U id;2 for the attribute set S U id . If the user's attribute set S U id satisfies the access structure (M,ρ). It outputs a partial decrypted ciphertext CT 0 . Otherwise, the algorithm is terminated. U.PostDecrypt ðCT 0 ; SK U id;1 Þ ! k. The post-decryption algorithm inputs the partial decrypted ciphertext CT 0 and the user's secret key SK U id;1 , and outputs symmetric key k.
Finally, the user decrypts the file E k (F) by the symmetric key k, and then the user gets the file F. Phase 8: Attribute update. Assume that a user with identity id whose an attribute j 2 S U id needs to be updated to a new attribute j 0 by the AA. The attribute update phase includes five steps: (1) The AA executes update key algorithm to generate update key UK j!j 0 and sends it to CS, and the AA informs CS that the user with identity id and his an attribute j will be updated to a new attribute j 0 ; (2)The CS finds user's attribute set S U id and secret key SK U id;2 in the SL-list; (3)The CS updates the attribute j of the user to the attribute j 0 , and sets the new attribute set as S U id ≔fS U id fjgg [ fj 0 g; (4) The CS also updates secret key fj : D j ; D 0 j g associates with attribute j to new secret key fj 0 : D j 0 ; D 0 j 0 g associates with attribute j 0 by update key UK j!j 0 ; (5) The CS retains user's new attribute set S U id and new secret key SK 0 U id;2 in the SL-list. AA.UKeyGen ðPP; MSK; j; j 0 Þ ! UK j!j 0 . The update key generation algorithm inputs the public parameter PP, the master secret key MSK, the attribute j and j 0 , and outputs the update The secret key update algorithm inputs user's secret key SK U id;2 and the update key UK j!j 0 , and outputs a new secret key SK 0 U id;2 .

Security model
(1) Selective security model for our scheme. Initialization. The adversary A submits a challenged access structure A Ã to the challenger C.
Setup. The challenger C runs the setup algorithm and sends the public parameters PP to the adversary A and keeps the master key MSK to itself. Phase 1. The adversary A adaptively issues repeated secret keys corresponding to attribute sets S 1 ,S 2 Á Á ÁS q , where none of these attribute sets satisfy the access structure A Ã .
Challenge. The adversary A submits two equal-length messages M 0 and M 1 to C. The challenger C randomly selects a bit b 2 {0,1} and encrypts the message M b for the access structure A Ã . The challenger C sends the ciphertext CT Ã to the adversary A. Phase 2. Phase1 is repeated. Guess. The adversary A outputs a guess b 0 of b. If b 0 = b, the adversary A wins this game. The advantage of the adversary A in this game is defined as Adv ¼ jPr Challenge. The adversary A submits two keywords w 0 and w 1 to the challenger C, with the restriction that the adversary A has not queried the trapdoors of keywords w 0 and w 1 . The challenger C randomly chooses a bit b 2 {0,1} and generates the index The advantage of the adversary A in this game is defined as The proposed scheme is IND-CKA secure if all polynomial time adversaries have at most a negligible advantage in the above game.

Concrete construction
In this section, we present a construction for a keyword searchable attribute-based encryption scheme with attribute update for cloud storage.

Phase 1: System initialization
The AA first defines an attribute universe as L = {1,2,Á Á Á,m} and chooses three hash functions H :  , CT,I W ,E k (F)), which are initially empty. Finally, the AA executes the setup algorithm. AA.Setup (λ,L) ! (PP,MSK,PK s ,SK s ). The setup algorithm first chooses two multiplicative cyclic groups G 0 and G 1 of prime order p, a generator g 2 G 0 and a bilinear map e : G 0 Â G 0 ! G 1 . It then chooses x s 2 Z p and lets SK s = x s as the CS's secret key. And it computes PK s ¼ g x s as the CS's public key and publishes it. And it also randomly chooses three elements a; g; m 2 Z p . In addition, it chooses a random number v j 2 Z p for each attribute j 2 L. Finally, it outputs the public parameters PP and the master secret key MSK as follows:

Phase 2: Key generation
The AA first distributes an attribute set S U id L associates with user's identity id, when a user with identity id requests a registration in the system. Secondly, the AA randomly chooses a number X U id 2 Z p for the user and calculates K U id ¼ g g X U id . Then, the AA executes key generation algorithm.

AA.KeyGen
The key generation algorithm first randomly chooses t id 2 Z p , which t id is a unique assigned to the user with identity id. For each attribute j 2 S U id , it randomly chooses v j 2 Z p . Finally, it outputs the user's secret key: Lets A priv = μ as the user's search secret key and B pub = g μ as the user's search public key. Finally, the AA sends ðX U id ; SK U id;1 ; A priv Þ to the user and publishes the user's searches public key B pub . And, the AA sends ðid; S U id ; SK U id;2 ; K U id Þ to the CS, the CS stores ðid; S U id ; SK U id;2 ; K U id Þ in the SL-list.

Phase 3: File encryption and keyword index generation
Step 1: The DO encrypts the files.
To get ciphertext E k (F), the DO encrypts file F with a symmetric key k by the symmetric encryption algorithm. Then DO encrypts the symmetric key k by the following encryption algorithm.
DO.Encrypt (PP,k,(M,ρ)) ! CT. Let M be an l × n matrix, and M i be the vector corresponding to the i th row of matrix M. The function ρ associates rows of matrix M to attributes. The encryption algorithm first chooses a random vector v ¼ ðs; y 2 ; . . . y n Þ 2 Z n p . These elements of vector v will be used to share the random encryption exponent s. For i = 1 to l, it calculates λ i = M i v T . It then randomly chooses numbers r 1 ; . . . ; r l 2 Z p and outputs the ciphertext CT: CT ¼ fðM; rÞ;C ¼ k Á eðg; gÞ as ; C ¼ g s ; Where v ρ(i) refers to the master key is associated with attribute ρ(i) 2 L.
Step2: Index generation. The DO extracts a keywords set W ¼ ðw 1 ; w 2 ; Á Á Á ; w n 0 Þ from the file F. Then DO executes the following index generation algorithm.
DO.Index (W,B pub ) ! I W . The index generation algorithm randomly chooses x i 2 Z p for each keyword w i 2 W and calculates t i ¼ eððB pub Þ x i ; H 1 ðw i ÞÞ. It then lets Finally, It outputs the keywords index set I W ¼ fI w i g i2f1;2;ÁÁÁ;n 0 g . Finally, the DO sends the file (CT,I W ,E k (F)) to the CS. When the CS receives the uploaded file (CT,I W ,E k (F)), it picks a unique identifier F Ã for the file (CT,I W ,E k (F)). The CS stores (F Ã , CT,I W ,E k (F)) in the FL-list.

Phase 4: Trapdoor generation
Step 1: Authentication information generation. U.AuthorizationKey ðPP; PK s ; X U id Þ ! K 0 U id . To generate the authentication information, the authentication information generation algorithm chooses a random number w2 Z p and Step 2: Trapdoor generation. U.Trapdoor (w,PK s ,A priv ) ! T w . The trapdoor generation algorithm randomly chooses a number Z2 Z p and calculates T 1 = g η , T 2 ¼ ðPK s Þ Z Á ðH 1 ðwÞÞ A priv . It outputs the trapdoor T w : Finally, the user sends his id, the authentication information K 0 U id and the trapdoor T w to CS.

Phase 5:Verification
CS.Verifing ðid; K 0 U id Þ ! ð0; 1Þ. The validation algorithm inputs user's identity id and the authentication information K 0 U id . The cloud server uses its own secret key SK s = x s to calculate and judges the equation K U id ¼ K 00 U id holds or not. If the equation holds, which means the user is a legitimate user, it outputs 1. Otherwise, it outputs 0 and the algorithm is terminated. Phase 6: File retrieval CS.Test (I W ,T w ) ! (0,1). The test algorithm inputs the keywords index set I W and the user's search trapdoor T w . The cloud server uses its own secret key SK s = x s and user's trapdoor T w = {T 1 ,T 2 } to calculate It then accords to keywords index I w i ¼ ½I 1 ;

Phase 7: Data decryption
Step 1: Partial decryption by CS. The CS first obtains ciphertext CT corresponding to keywords index I W in the FL-list and finds user's secret key SK U id;2 in the SL-list. If user's secret key SK U id;2 is not the SL-list, the algorithm ends. Otherwise, it executes pre-decryption algorithm.
CS.PreDecrypt ðCT; SK U id;2 Þ ! CT 0 . The pre-decryption algorithm inputs user's secret key SK U id;2 for an attribute set S U id and a ciphertexts CT for access structure (M,ρ). At present, we assume that the attribute set S U id satisfies the access structure (M,ρ) and let I be defined as I ¼ fijrðiÞ 2 S U id g. Then, let fo i 2 Z p g i2I be as set of constants such that, if {λ i } i2I are valid shares of the secret s according to M, then ∑ i2I ω i λ i = s. The pre-decryption algorithm calculates Finally, The CS sends part-ciphertext CT 0 ¼ ðC;C; AÞ and the encrypted file E k (F) to the user.
Step2 Finally, the user gets the plaintext F = D k (E k (F)) by the symmetric key k.

Phase 8: Attribute update
Step1: Update key generation. AA.UKeyGen ðPP; MSK; j; j 0 Þ ! UK j!j 0 . The update key generation algorithm inputs the public parameter PP, the master secret key MSK, the attribute j and j 0 . For attribute j 0 , the AA finds the random number v j 0 2 Z p in the master secret key MSK, and then the AA outputs the update key UK j!j 0 :

Security analysis
Selective security proof for our scheme Proof. In the IND-sCP-CPA security game, the challenge ciphertext has part-ciphertextC may be k 0 e(g,g) αs or k 1 e(g,g) αs . As in the [2], we modify ciphertext in the IND-sCP-CPA security game, now assuming the challenge ciphertextC which may be e(g,g) αs or e(g,g) θ , where y 2 Z p is randomly selected and the adversary A needs to determine which is the case. Obviously, any adversary A has advantage ε in the IND-sCP-CPA security game may be converted into A has at least ε 2 advantage in the modified IND-sCP-CPA security game (there are two situations can be considered: one in which the adversary A must distinguish between k 0 e(g,g) αs and e(g, g) θ ; another in which the adversary A must distinguish between k 1 e(g,g) αs and e(g,g) θ . Obviously, both of these are equivalent to the above modified IND-sCP-CPA security game).
Initialization. The adversary A first submits an access structure (M Ã ,ρ Ã ) to the simulator S. In order to simulate the modified IND-sCP-CPA game, and then we introduce some mathematical symbols in the general bilinear group model, and let ψ 0 (0) = g,ψ 1 (1) = e(g,g) (we will write ψ 0 (x) = g x ,ψ 1 (y) = e(g,g) y ).
Setup. The simulator S randomly chooses a; g; m 2 Z p , and calculates g μ ,g γ ,e(g,g) α . When the adversary A queries hash value of H on any attribute j, if it did not be queried, the simulator S randomly chooses x j 2 Z p , and then calculates HðjÞ ¼ g x j , and writes the results into the Hash list. Otherwise, it looks for the Hash list. For any attribute j 2 L, the simulator S randomly chooses a number v j 2 Z p . It sets the public parameter PP and the master secret key MSK as: The simulator S sends public parameter PP to the adversary A.

Phase 1. The simulator S answers secret key queries as following:
Secret key query. When A makes its m'th key generation query for the attribute set S m , with a constraint that attribute set S m does not satisfy access structure (M Ã ,ρ Ã ). The simulator S randomly chooses t m 2 Z p , and then calculates D ¼ g a Á g t m . For any attribute j 2 S m , the simulator S randomly chooses v j 2 Z p and calculates D j ¼ Hð jÞ It outputs secret key: Then, the simulator S sends SK to adversary A. Challenge. The adversary A submits two equal messages k 0 and k 1 to the simulator S. First, the simulator S executes encryption algorithm according to the access structure (M The function ρ Ã which associates rows of matrix M Ã to attributes. Secondly, the simulator S chooses a random vector v ¼ ðs; y 2 ; . . . y n Þ 2 Z n p . These elements of vector v will be used to share the encryption exponent s.
i v T is constrained by the LSSS scheme. Then, the simulator S chooses a random variable b 2 {0,1} and l random variable values r 1 ; . . . ; r l 2 Z p to get the encryption of k b 2 G 1 Finally, the simulator S sends the ciphertext CT Ã to adversary A. Phase 2. Phase1 is repeated. The adversary A terminates and returns a guess b 0 of b after many queries. At this point, the simulator S randomly chooses a value y 2 Z p to get the simulated challenge ciphertext via substitutingC ¼ eðg; gÞ y forC ¼ k b eðg; gÞ as . After the simulation, the simulator S returns the simulated challenge ciphertext to adversary A. Next, we analyze the simulator S simulation. We think that the simulator S simulation is flawless with a constraint "unexpected collision" does not occur in the querying of ψ 0 (x) = g x , ψ 1 (y) = e(g,g) y for group operation G 0 and G 1 . Thus, an "unexpected collision" occurs when two queries corresponding to two different rational functions v and v 0 , it causes that v 0 − v = 0 for some variables. (Where an oracle query is regard as a rational function v ¼ Z x [2]). Then, we make the following analysis of "unexpected collision": Before substitution. By the Schwartz-Zipple lemma [35,36], the probability of the "unexpected collision" occurs in G 0 and G 1 at most is O q 2 p .

After substitution.
We consider what the adversary's view would have been if we set θ = αs. We will show that subject to the conditioning above, the the adversary's view would have been identically distributed. Since we are in the generic group model where each group element's representation is uniformly and independently chosen [2], the only way that the adversary's view can differ in the case of θ = αs is if there are two queries v and v 0 into G 1 is v 6 ¼ v 0 but v| θ = αs = v 0 | θ = αs . We prove show that this does never happens.
Case. To structure γ 0 αs, we know that θ only exists as e(g,g) θ in this form. According to the simulation, the simulator S wants v and v 0 is related to the θ is by having some additive terms of the form γ 0 θ.Therefore, we must have v − v 0 = γ 0 αs − γ 0 θ for some constant γ 0 6 ¼ 0. Then, we artificially add the query v − v 0 + γ 0 θ = γ 0 αs to the adversary's queries. According to the conditions which we have set, we prove that adversary A cannot construct the query for eðg; gÞ g 0 as . Otherwise, a collision occurs and the theorem proves.
In order to gain a better understand of the above situation. We analyze based on the information given to the adversary A by the simulation. In Table 2, we enumerate the possibility queries of all rational function in G 1 by the adversary A. Except those in which every monomial involves the variable μ, since the variable μ is not relevant to constructing term αs. Where the variables j and j 0 represents the attribute string, and m indicates secret key queries made by the adversary A.
According to Table 2, the adversary A can construct a polynomial αs + t m s is by pairing s with α + t m . In this way, the adversary A also constructs a query term containing g 0 as þ P m2T g 0 m t m s for some collections T and constant g 0 m 6 ¼ 0. But the goal of the adversary A is to obtain a query polynomial γ 0 αs, so the adversary A must add the negative terms P m2T g 0 m t m s to cancel the terms P m2T g 0 m t m s. To construct the negative terms P m2T g 0 m t m s, the adversary A first constructs a query polynomial of the from t m s by pairing v r Ã ðiÞ l i þ x j v r Ã ðiÞ r i with t m v j with a constraint ρ Ã (i) = j, as we know s is linear combinations of λ i . For the other collections T 0 m and constant g 0 ði;m;jÞ 6 ¼ 0, the adversary A can also construct a query polynomial as: g 0 ði;m;jÞ ðl i t m þ x r Ã ðiÞ r i t m ÞÞ þ Á Á Á Therefore, we do some analysis to give the conclusion of this proof: 1. The set of secret shares L m ¼ fl i : r Ã ðiÞ ¼ j; ði; jÞ 2 T 0 m g do not reconstruct secret s for some m 2 T. Then term t m s will still be retained, and A cannot construct γ 0 αs.

2.
If for all m 2 T the set of secret shares L m ¼ fl i : r Ã ðiÞ ¼ j; ði; jÞ 2 T 0 m g allow reconstruction the secret s. In order to get γ 0 αs, the adversary A may cancel the term g 0 m t m s by the combination of the terms t m λ i , but A dose not get the term x r Ã ðiÞ t m r i by examining the Table 2, there is no term such that A can cancel this term g 0 m t m s. Therefore, the adversary A cannot construct γ 0 αs.

IND-CKA security proof
Theorem 2. Supposing that BDH assumption holds, our scheme is semantically secure against a chosen keyword attack in the random oracle model.
Proof. Suppose the adversary A is a malicious cloud server that has non-negligible advantage ε in breaking our constructed searchable encryption scheme. Suppose that the adversary A makes at most q H 2 hash function queries to H 2 and at most q T trapdoor queries(we assume q H 2 and q T are positive).We will construct a simulator B to solve BDH problem with advantage ε 0 ¼ 2ε=ðeq H 2 q T Þ, where e is the base of the natural.
Initialization. The simulator B receives a BDH challenge and chooses two multiplicative cyclic groups G 0 and G 1 of prime order p, a generator g 2 G 0 and a bilinear map e : G 0 Â G 0 ! G 1 . Then simulator B randomly chooses a; b; c 2 Z p , lets u 1 ¼ g a ; u 2 ¼ g b ; u 3 ¼ g c 2 G 0 , its aim is to compute eðg; gÞ abc 2 G 1 .
Setup. The simulator B randomly chooses a number x s 2 Z p , lets public key PK s ¼ g x s and secret key SK s = x s for the adversary A. To simulate the user's search public keys B pub and secret keys A priv , the simulator B chooses a random parameter t 1 2 Z p and sets B pub ¼ u t 1 1 , so A priv = μ = at 1 .
Phase1.The adversary A adaptively issues following queries: H 1 -Query: The adversary A can query the random oracle H 1 at any time. To answer to H 1 queries, the simulator B maintains a list of tuples (w i ,h i ,e i ,c i ) called the H 1 -list. The list is initially empty. When A queries the random oracle H 1 of any keywords w i 2 {0,1} Ã , the simulator B answers as follows: 1. If the query w i has already appeared on the If c i = 0, the simulator B calculates h i ¼ u e i 2 2 G 0 ; If c i = 1, the simulator B calculates h i ¼ g e i 2 G 0 , where the value e i 2 Z p randomly is selected. Then B adds the tuple (w i ,h i ,e i ,c i ) to the H 1 -list, and returns H 1 (w i ) = h i to the adversary A.
H 2 -Query: A can query the random oracle H 2 at any time. To answer to H 2 queries, the simulator B maintains a list of tuples (t i ,V i ) called the H 2 -list. The list is initially empty. When A queries the random oracle H 2 of any t i 2 G 1 , the simulator B answers as follows: 2. If c i = 1, h i ¼ g e i 2 G 0 . the simulator B randomly chooses a value Z 2 Z p , and calculates The simulator B sends trapdoor T Ã ¼ fT Ã 1 ; T Ã 2 g to A. Challenge: The adversary A submits a pair of keywords w 0 and w 1 , where keywords w 0 and w 1 trapdoor had not been queried by A. the simulator B generates keyword index as follows: 1. the simulator B first executes H 1 queries twice to obtain h 0 ; h 1 2 G 0 such that H 1 (w 0 ) = h 0 , H 1 (w 1 ) = h 1 . For i = 0,1, we set (w i ,h i ,e i ,c i ) corresponding to the tuple on the H 1 -list. If both c 0 = 0 and c 1 = 1, then B declares the failure and aborts.
2. we known that at least one of c 0 and c 1 is equal to 0. The simulator B chooses a bit b 2 {0,1} such that c b = 0.
3. The simulator B answers the keyword index I Ã W ¼ ðI Ã 1 ; I Ã 2 Þ. The simulator B then randomly chooses a parameter t 2 2 Z p and sets with the implied setting (x i ¼ c= t 2 ), where c is unknown, and we know u 3 = g c is a part of BDH.
Then, the simulator B randomly chooses a pair (t i ,V i ) 2 H 2 -list and outputs t e b t 1 = t 2 as its guess for e(g,g) abc . Where t 1 ,t 2 and e b are set according to the parameters of the challenge phase. Probability Analyses. We can prove that A can win the game with a non negligible probability, then B can solve the BDH problem with the probability at least 2ε eq T q H 2 . The specific probability analysis is similar to the scheme [34].
Because of the BDH assumption that the BDH problem is tough, so the probability 2ε . is negligible. So that our scheme is secure under the BDH assumption.

Computational complexity comparison
In Table 3,we give the comparison of the computational complexity of our scheme with the schemes [13,19,21,31]. As shown in Table 3, our scheme has a less amount of computation in the key generation and encryption generation compared with the schemes in [13,19,31]. Actually, our scheme needs the minimum amount of computation when the users decrypt the ciphertext. And most important is that our scheme need not update ciphertext when an attribute update occurs, which also help us greatly reduce the amount of computation. In addition, our scheme have the User. Decrypt 2e + (l 5 + 2)p 4e + (l 5 + 6)p 2e + p 2e + (1 + l 5  function of the keyword search, which can make the search more efficiently and more accurately. The schemes of [13], [19] and [21] don't achieve the function of keyword search.

Performance evaluation
To evaluate the performance of our scheme and the scheme [19], we simulate the computational time of the setup generation, key generation, encryption and decryption by user with different number of attributes. As shown in Fig 2. The implementation is executed by using of the Pairing Cryptography (PBC) library [37]. We can clearly see from Fig 2(A) that the setup generation times scales linearly in the number of attribute in attribute universe in both scheme. Fig 2(B) shows secret key times scales linearly in the number of attribute in secret key in both scheme. Fig 2(C) shows the encryption times scales linearly in the number of attribute in ciphertexts in both scheme. The setup generation time is shown in Fig 2(A). We find also that the setup generation takes higher computational time in our scheme than the scheme [19]. The key generation time is shown in Fig 2(B) and the encryption time is shown in Fig 2(C). Obviously, the encryption time and key generation time of the scheme [19] takes higher computational time than our scheme. Fig 2(D) shows that the user-decryption time of our scheme takes lesser computational time than the scheme [19].

Conclusions
In this paper, we have proposed a keyword searchable attribute-based encryption scheme with attribute update for cloud storage. Our new scheme supports both the user's attribute update and supports multi-user keywords search, as long as user's trapdoor could match keyword index stored in the cloud storage, then the user can search interesting encrypted file successfully. The performance evaluation results confirm that the proposed scheme is more efficient than other attribute based encryption schemes with attribute update. In addition, we outsource the operation with high computation cost to the cloud storage to reduce the user's computational burden. Moreover, our scheme also is proven to be semantic security against chosen ciphertext-policy and chosen plaintext attack in the general bilinear group model.