Attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage

We propose an attribute-based encryption scheme with multi-keyword search and attribute revocation for the cloud storage environment, in which binary attributes and an AND-gate access policy are used. Our proposal enjoys several advantages. Firstly, multi-keyword search is available: only when a data user's attribute set satisfies the access policy in the keyword index, and the keyword token generated by the data user matches the index, can the data user obtain the ciphertext containing the keywords. In this way, more accurate keyword search is achievable. Secondly, the search privacy of the data user is protected, because cloud servers cannot obtain any knowledge of the keywords the data user is interested in. Meanwhile, the ciphertext can be decrypted when the data user's attribute set satisfies the access policy specified in the ciphertext, which both improves the security of encryption and achieves secure fine-grained access control. Thirdly, the proposed scheme supports attribute revocation: when a data user's attribute is revoked, the version number of the attribute, the non-revoked data users' secret keys and the related ciphertexts are updated, so that a data user whose attribute is revoked can no longer decrypt the updated ciphertext. In addition, under the decisional linear (DL) and decisional Diffie-Hellman (DDH) assumptions, our scheme is proved to be secure against selectively chosen-keyword attacks and selectively chosen-plaintext attacks respectively, and it also ensures token privacy security.


Introduction
With the fast development of information technology, cloud storage now plays a very crucial role [1] in our daily life. To ensure data security, important data uploaded to a cloud server needs to be kept confidential, which requires data owners to encrypt private files before uploading. Meanwhile, data users also need to quickly find required files by keyword search over a vast amount of encrypted data. Therefore, in order to enable secure keyword search and protect the data user's search privacy, setting a keyword index for each file is essential. That means that, although the cloud server provides a search service, it does not learn any information about the keywords searched by data users. Consequently, it has

PLOS ONE | https://doi.org/10.1371/journal.pone.0205675 | October 12, 2018

supporting multi-authority and revocation. In 2017, Liu et al. [25] proposed an attribute-based encryption scheme supporting both an outsourced decryption algorithm and attribute revocation, which set a randomized version number for each attribute, so that attribute revocation is effectively implemented. Recently, Wang et al. [26] proposed a CP-ABE scheme that supports keyword search and attribute update in cloud storage. Our solution and scheme [26] differ in the following aspects. Firstly, the access policy is different: scheme [26] adopts linear secret sharing (LSSS) in the specific algorithm design, while our solution uses an AND-gate access policy. Secondly, attribute update and revocation are different: attribute update is used in [26], which updates a data user's original attribute to a new attribute and also updates the data user's secret key associated with the attribute, whereas our scheme performs attribute revocation. Although scheme [26] also involves attribute revocation, it is still different from ours.
We set a version number for each attribute; when the version number of a revoked attribute changes, the related ciphertexts and all non-revoked data users' secret keys are updated. Thirdly, the security proof methods of the schemes are different. Scheme [26] proves that its algorithms resist chosen-keyword attack based on the hard problem of bilinear Diffie-Hellman (BDH), and the scheme is proved to be secure against chosen-plaintext attack under the general bilinear group model. However, the security proof of our proposal is based on the hard problems. According to the decisional linear (DL) and decisional Diffie-Hellman (DDH) assumptions, our scheme is proved to be secure against selectively chosen-keyword attack and selectively chosen-plaintext attack, respectively. At the same time, our solution is proved to enjoy token privacy security by using the unidirectional and collision-resistant properties of the hash function. In addition, we analyze the forward and backward security of our scheme for attribute revocation.

Our contributions
Considering that most existing CP-ABE schemes cannot support attribute revocation and multi-keyword search, we present a CP-ABE scheme with multi-keyword search and attribute revocation in cloud storage. The innovations can be summarized as follows:
1. Our scheme supports attribute revocation: when a data user's attribute is revoked, the version number of the attribute, the non-revoked data users' secret keys and the related ciphertexts are updated, so that a data user whose attribute is revoked can no longer decrypt the updated ciphertext.
2. After data owners upload the overall ciphertext of encrypted data to the cloud server, keyword search is used to quickly find the required file. Compared to single-keyword search, multi-keyword search is closer to real applications. For this reason, our scheme supports multi-keyword search.

Access policy[28]
We denote by $U = \{attr_1, attr_2, \cdots, attr_n\}$ the universe set of attributes, where $n$ is the size of $U$, namely $|U| = n$. Let $Attr$ be the attribute set of a data user. We introduce an $n$-bit string $\bar{v}_1\bar{v}_2\cdots\bar{v}_n$ to express the data user's attribute set $Attr = \bar{v}_1\bar{v}_2\cdots\bar{v}_n$ as follows:

$$\bar{v}_j = \begin{cases} v_j, & attr_j \in Attr \\ \neg v_j, & attr_j \notin Attr \end{cases} \qquad j \in [1,n]$$

For example, let $n = 5$, suppose a data user's attribute set is $\{attr_1, attr_3, attr_5\}$, then it may be expressed as

We adopt the AND-gate access policy and introduce an $n$-bit string $\tilde{v}_1\tilde{v}_2\cdots\tilde{v}_n$ to express the AND-gate access policy $S = \tilde{v}_1\tilde{v}_2\cdots\tilde{v}_n$ as follows:

For example, let $n = 5$, suppose the access policy is $\{attr_1, attr_5\}$, then it may be expressed as

Consider a data user's attribute set $Attr = \bar{v}_1\bar{v}_2\cdots\bar{v}_n$ and an access policy $S = \tilde{v}_1\tilde{v}_2\cdots\tilde{v}_n$. If for all $j \in [1,n]$ we have $\bar{v}_j \in S$, that is $\bar{v}_j = \tilde{v}_j$ ($\bar{v}_j$ represents the value of the $j$-th attribute in the data user's attribute set $Attr$, $\tilde{v}_j$ represents the value of the $j$-th attribute in access policy $S$), we say that the attribute set $Attr$ of the data user satisfies access policy $S$. For convenience, we define a function $\gamma(Attr,S) \in \{0,1\}$: when $\gamma(Attr,S) = 0$, the data user's attribute set $Attr$ does not satisfy access policy $S$; when $\gamma(Attr,S) = 1$, the attribute set $Attr$ of the data user satisfies access structure $S$.

Complexity assumption
In our proposal, the security depends on the Decisional linear (DL) assumption [29] and the Decisional Diffie-Hellman (DDH) assumption [30]. The specific description is:

Definition 1 (Decisional linear assumption). If for all polynomial-time adversary A who could successfully distinguish tuple $(g, f, h, f^{r_1}, g^{r_2}, h^{r_1+r_2})$ from tuple $(g, f, h, f^{r_1}, g^{r_2}, R)$ with a negligible advantage, and the advantage $ADV(A)$ of polynomial-time adversary A can be marked as

Definition 2 (Decisional Diffie-Hellman assumption).
If for all polynomial-time adversary A who could successfully distinguish tuple $(g, g^{z_1}, g^{z_2}, g^{z_1 z_2})$ from tuple $(g, g^{z_1}, g^{z_2}, Q)$ with a negligible advantage, and the advantage $ADV(A)$ of polynomial-time adversary A can be marked as

System framework.
Our scheme structure is shown in Fig 1. It contains the following five entities:

Attribute Authority (AA): The AA is the attribute authority, which is responsible for the system's initial establishment and for generating the data user's local secret key. It also distributes the corresponding secret key to the data user according to the attribute set. When an attribute is revoked, AA generates an update key and completes the partial secret key update.
Cloud Server (CS): The CS stores the ciphertext, which contains the encrypted files and keyword indexes generated by data owners. Afterwards, when a data user intends to search the ciphertext, CS matches the data user's token against the keyword index. If matching succeeds, it sends the ciphertext to the data user. Additionally, in the attribute revocation phase, CS is responsible for updating the ciphertext.
Key Generation Server (KGS): The KGS generates the data user's partial secret key, namely the outsourced secret key, which effectively reduces the computational burden of AA. Besides, KGS is responsible for updating the outsourced secret key when attribute revocation happens.
Data Owner (DO): The DO encrypts the keyword set and the file to be shared, and uploads the ciphertext to the cloud server. Only when the attribute set of the data user who wants to access the data satisfies the access structure in the ciphertext, that is $\gamma(Attr,S) = 1$, is the encrypted data shared with the data user. To be specific, the encryption operations completed by DO include the keyword index generation, the file encryption, and the encryption of the key used to encrypt the file; hence the ciphertext consists of three parts.
Data User (DU): When the data user's attribute set satisfies the access structure in the ciphertext, the data user DU is able to access the encrypted data and recover the original plaintext. Specifically, DU generates the desired keyword token and sends it to the cloud server CS; the CS matches the search token against the keyword index, and if matching succeeds, DU can download the corresponding ciphertext. In other words, DU is responsible for generating the token for the keywords he is interested in and for decrypting the ciphertext.

In particular, $PK$ is the public parameter published by the attribute authority. $Cph$ is the ciphertext produced by the data owner, and it includes three parts: 1) the keyword set $WD$ is encrypted to generate the keyword index, namely $Index$; 2) the encryption key $ck$ is encrypted to obtain ciphertext $CT'$; 3) the file $M$ is symmetrically encrypted with encryption key $ck$ to obtain $E_{ck}(M)$. At last, the data owner uploads ciphertext $Cph$ to the cloud server. Hereafter, $OK$ denotes the intermediate key, which is generated by the attribute authority according to the attribute set of the data user and is sent to the key generation server. The key generation server calculates the data user's partial secret key based on $OK$, namely the outsourced secret key $SK_1$, which is sent to the attribute authority. Following this, the attribute authority generates the data user's local secret key $SK_2$ and obtains the data user's secret key $SK = (SK_1, SK_2)$, which is forwarded to the data user. $Tok$ denotes the token generated by the data user from the desired keyword set, which is used to match against the keyword index. The cloud server executes the search algorithm; if the token matches the index, the cloud server transmits the stored ciphertext $Cph$ to the data user. The data user then first decrypts ciphertext $Cph$ with secret key $SK$ to obtain encryption key $ck$, and then symmetrically decrypts the ciphertext with $ck$ to obtain file $M$. In addition, when an attribute needs to be revoked, the attribute authority sends instructions to the cloud server to update the ciphertext.
3.1.2 Standard definitions of our scheme.
Let $U$ be a universe set of attributes, $S$ be an access policy, and $Attr$ be a data user's attribute set. The attribute-based encryption scheme with multi-keyword search and attribute revocation in cloud storage consists of 9 algorithms:

Setup$(U, l) \to PK, MSK$: The setup algorithm is executed by the attribute authority AA. It takes the universe set of attributes $U$ and security parameter $l$ as input, and outputs the system public key $PK$ and master secret key $MSK$.

Encrypt: The encryption algorithm is run by the data owner DO, and includes the following two parts:
i) Keyword-Encrypt$(PK, S, WD) \to Index$: This algorithm takes as inputs access policy $S$, public key $PK$ and keyword set $WD$, and outputs the ciphertext $Index$ of keyword set $WD$.
ii) Encryption key-Encrypt$(PK, S, ck) \to CT'$: DO first symmetrically encrypts file $M$ with encryption key $ck$ to obtain $E_{ck}(M)$, and then encrypts encryption key $ck$ as follows: this algorithm takes access policy $S$, public key $PK$ and encryption key $ck$ as input, and generates ciphertext $CT'$.
Finally, DO uploads the overall ciphertext $Cph = (Index, E_{ck}(M), CT')$ to the cloud server CS.

In-KeyGen$(PK, MSK, Attr) \to OK$: The intermediate key generation algorithm is executed by the attribute authority AA. It takes public key $PK$, master secret key $MSK$ and the data user's attribute set $Attr$ as input, produces intermediate key $OK$, and sends it to the key generation server KGS.

Out-KeyGen$(PK, OK) \to SK_1$: The outsourced secret key generation algorithm is executed by the key generation server KGS. It takes public key $PK$ and intermediate key $OK$ as input, outputs outsourced secret key $SK_1$, and returns $SK_1$ to the attribute authority AA.

KeyGen$(PK, MSK, Attr, SK_1) \to SK$: The secret key generation algorithm is executed by the attribute authority AA. It takes public key $PK$, master secret key $MSK$, the data user's attribute set $Attr$ and outsourced secret key $SK_1$ as input, generates the data user's secret key $SK$, and transmits it to the data user DU.

TokenGen$(PK, SK_1, WD') \to Tok$: The token generation algorithm is executed by the data user DU. It takes public key $PK$, outsourced secret key $SK_1$ and the desired keyword set $WD'$ as input, outputs token $Tok$, and forwards it to the cloud server CS.

Search$(Index, Tok) \to \{0,1\}$: The search algorithm is executed by the cloud server CS. It takes the index and the token as input, and outputs 1 if the index and the token match, in which case the cloud server CS sends ciphertext $Cph$ to the data user DU; otherwise it outputs 0 and terminates.

Decrypt$(SK_2, CT') \to ck$: The decryption algorithm is executed by the data user DU. It takes local secret key $SK_2$ and the ciphertext $CT'$ of the encryption key as input, generates encryption key $ck$, then decrypts $E_{ck}(M)$ with $ck$ and finally obtains file $M$.
Attribute revocation: The attribute revocation includes the following three aspects, note that only components related to revoked attribute will be updated.
(i) The attribute authority AA takes charge of generating update key: AA generates a new version number of revoked attribute according to its old version number, then obtains update key. This algorithm makes update key, public key PK and master secret key MSK as input, outputs updated public key and updated master secret key.
(ii) The non-revoked data user's secret key update: The attribute authority AA updates intermediate key $OK$ and local secret key $SK_2$ with the update key, and sends the updated intermediate key to the key generation server KGS. Then, KGS completes the update of outsourced secret key $SK_1$, and transmits it to AA. In the end, AA returns the updated secret key to the non-revoked data user.
(iii) The cloud server CS is in charge of updating ciphertext: The cloud server CS executes this algorithm. It makes update key and overall ciphertext as input, outputs updated keyword index and updated ciphertext of encryption key.

Security model
Under the cloud storage environment, we suppose that the attribute authority and the key generation server are both trusted. The cloud server, however, is semi-trusted: it executes protocols honestly but also attempts to gain extra information from the protocol.

Selectively secure game for chosen-keyword attacks.
Setup: First of all, adversary A sends a challenge access policy $S^*$ to challenger C. The challenger C runs the Setup algorithm to generate public key $PK$ and master secret key $MSK$, while keeping $MSK$ secret.
Phase 1: Before Phase 1 begins, the challenger C initializes an empty keyword set query list $L_W$, then adversary A issues polynomially many adaptive queries as follows:
Outsourced secret key query: According to the In-KeyGen algorithm and the Out-KeyGen algorithm, the adversary A submits a query attribute set $Attr^*$ to challenger C. If attribute set $Attr^*$ does not satisfy access policy $S^*$, the adversary A obtains outsourced secret key $SK_1$, otherwise the query terminates.
Token query: The adversary A commits a query keyword set $WD'$. According to the TokenGen algorithm, the challenger C inputs public key $PK$, outsourced secret key $SK_1$ and query keyword set $WD'$ to obtain token $Tok$. If the query attribute set $Attr^*$ does not satisfy access policy $S^*$, then challenger C adds $WD'$ to list $L_W$ and sends $Tok$ to adversary A.
Challenge: The adversary A randomly selects two keyword sets $WD'_0$ and $WD'_1$ that are not in list $L_W$. The challenger C throws a fair coin to choose $\xi \in \{0,1\}$, runs the Keyword-Encrypt algorithm to obtain the index of keyword set $WD'_\xi$ and transmits it to adversary A.
Phase 2: The adversary A repeats the queries of Phase 1, but keyword sets $WD'_0$ and $WD'_1$ can no longer be queried.
Guess. Finally, the adversary A gives a guess $\xi'$ of $\xi$. If $\xi' = \xi$, A wins the game. The advantage of adversary A can be defined as

Definition 3:
If every polynomial-time adversary wins the game with only a negligible advantage, our scheme is called selectively secure against chosen-keyword attacks.

Token privacy game.
To ensure the privacy of keywords, an adversary should not be able to infer keyword information from a token. In other words, if there is no polynomial-time adversary who can obtain a keyword from a token, token privacy security is guaranteed. The game is set up as follows:
Setup: The challenger C runs the Setup algorithm, generates public key $PK$ and master secret key $MSK$, while keeping $MSK$ secret.
Phase 1: Similar to the selectively secure game for chosen-keyword attacks, the challenger C initializes an empty key query list $L_K$, and the adversary issues the following adaptive queries a polynomial number $q_t$ of times:
Outsourced secret key query: The adversary A selects a query attribute set $Attr$ for challenger C. The challenger C outputs outsourced secret key $SK_1$ by running the In-KeyGen algorithm and the Out-KeyGen algorithm, then returns $SK_1$ to adversary A, and the attribute set $Attr$ is added to list $L_K$.
Token query: The challenger C runs the TokenGen algorithm based on public key $PK$, outsourced secret key $SK_1$, and a query keyword set $WD'$ given by the adversary, then the challenger C sends the token to adversary A.
Challenge: The adversary A submits an access policy $S^*$ with the restriction that the attribute set $Attr$ in list $L_K$ does not satisfy access policy $S^*$. Afterwards, the challenger C randomly chooses keyword set $WD^*$, encrypts it with $S^*$ to obtain the index, and then selects an attribute set $Attr^*$ such that $Attr^*$ satisfies $S^*$. The challenger C executes the In-KeyGen algorithm, the Out-KeyGen algorithm and the TokenGen algorithm to obtain the token of keyword set $WD^*$, and transmits the token to adversary A.
Phase 2: Similar to Phase 1, but keyword set $WD^*$ can no longer be queried.

Guess:
The adversary A gives a keyword set $WD''$ and forwards it to the challenger C. The challenger C runs the Keyword-Encrypt algorithm to get the index of keyword set $WD''$, and matches the token of $WD^*$ against the index of $WD''$. If the result returned by the Search algorithm is 1, then the adversary A wins the game.
The advantage of adversary A can be defined as at most $ADV(A) = \frac{1}{|P| - q_t} + \sigma$. Because the adversary A wants to gain keyword information from the index, it is necessary to analyze the structure of the index. In other words, the adversary A gets information from $H(w'_t)$ at most. Due to the unidirectional and collision-resistant properties of the hash function, we assume that the advantage of adversary A in obtaining $w'$ from $H(w'_t)$ is $\sigma$, where $\sigma$ is a negligible probability under the security parameter $l$. $P$ is the keyword space from which keyword sets are selected; $|P|$ represents the size of the keyword space and is large enough in practical applications. $q_t$ denotes the number of queries about the outsourced private key and token in Phase 1, and $q_t$ is of finite size.
The advantage $ADV(A) = \frac{1}{|P| - q_t} + \sigma$ consists of two parts. $|P| - q_t$ is the size of the remaining keyword set in the keyword space after the Phase 1 queries. The probability that the adversary A guesses the encrypted keyword from the remaining keyword set is $\frac{1}{|P| - q_t}$. $\sigma$ is the probability that the adversary gets the keyword information from $H(w'_t)$. The advantage of adversary A is $\frac{1}{|P| - q_t} + \sigma$, obtained by summing the two probabilities. Therefore, the advantage of adversary A can be defined as at most $ADV(A) = \frac{1}{|P| - q_t} + \sigma$, which is a negligible advantage.

Definition 4: Our proposal is token privacy secure if all polynomial-time adversaries have at most a negligible advantage in the above game.

Selectively secure game for chosen-plaintext attacks.
The section contains two indistinguishable games. Since the process of the two games is similar, we only show the security proof of one of the games; the other game is described in detail in the specific security proof phase. The game is as follows:
Initialization: The adversary A commits two challenge access policies $S^*_0$ and $S^*_1$.
Setup: The simulator B runs the Setup algorithm, produces public key $PK$ and master secret key $MSK$, while keeping $MSK$ secret and sending $PK$ to adversary A.
Phase 1: The adversary A chooses a query attribute set $Attr$ and submits it to simulator B.
Secret key query: If attribute set $Attr$ does not satisfy access policies $S^*_0$ and $S^*_1$, that is $\gamma(Attr, S^*_0) = 0 \wedge \gamma(Attr, S^*_1) = 0$, then simulator B runs the KeyGen algorithm to obtain local secret key $SK_2$, and sends it to adversary A.
Challenge: For access policies $S^*_0$ and $S^*_1$, the adversary A submits two equal-length encryption keys $ck_1$ and $ck_2$ that are used to encrypt the file. Hereafter, the simulator B randomly throws a fair coin to select $b \in \{0,1\}$ and runs the Encryption key-Encrypt algorithm to obtain the ciphertext $CT'$ of encryption key $ck_b$, then transmits $CT'$ to adversary A.
Phase 2: Similar to Phase 1, the adversary A continues to query. Nevertheless, the restriction is γ(Attr,

The advantage of adversary A to win the game can be defined as

Definition 5:
Our scheme is selectively secure against chosen-plaintext attacks if every polynomial-time adversary wins the game with only a negligible advantage.

Concrete construction
In this section, we take into consideration that most CP-ABE schemes only support a few functions, which limits their practical application. This motivates us to construct a scheme that supports attribute revocation and multi-keyword search. Meanwhile, our scheme is almost the same as some schemes in terms of calculation amount and calculation time, and even smaller and faster. The following is the specific structure of the scheme:

Setup$(U, l) \to PK, MSK$: This algorithm takes the universe set of attributes $U = \{attr_1, attr_2, \cdots, attr_n\}$ and security parameter $l$ as input. It selects a bilinear map $e : G \times G \to G_T$, where $G, G_T$ are two multiplicative cyclic groups with prime order $p$, and $g$ is a generator of group $G$. Let $H : \{0,1\}^* \to \mathbb{Z}_p$ be a one-way hash function. The algorithm chooses $a, b, c, \alpha, \{r_1, r_2, \cdots, r_{2n}\}$ from n]), it picks $vk_j \in \mathbb{Z}_p$ as initial version number, then sets $PK_{j,1} = g^{vk_j}$. Since the attribute $attr_j$ has two different values $v_j$ and $\neg v_j$, let $\{r_1, \cdots, r_n\}$ and $\{x_1, \cdots, x_n\}$ denote the corresponding parameters when $attr_j$ is equal to $v_j$, and $\{r_{n+1}, \cdots, r_{2n}\}$ and $\{x_{n+1}, \cdots, x_{2n}\}$ denote the corresponding parameters when $attr_j$ is equal to $\neg v_j$. Thus, for all $j = 1, \cdots, n$, when $attr_j$ is equal to $v_j$, we have

The public attribute key $PK_j$ is:

Where $j \in [1,n]$, $vk_j \in \mathbb{Z}_p$ denotes the initial version number of attribute $attr_j$. For simplicity, let

Subsequently, the algorithm generates public key $PK$ and master secret key $MSK$:

While keeping $MSK$ secret.
Encrypt: This algorithm defines an access policy $S = \tilde{v}_1\tilde{v}_2\cdots\tilde{v}_n$, denotes as

The encryption algorithm includes two steps: step one is to encrypt the keyword set, that is, to generate an index of the keyword set; step two is to encrypt the encryption key.
(i) Keyword-Encrypt$(PK, S, WD) \to Index$: This algorithm takes public key $PK$, access policy $S$ and a keyword set $WD = \{w_1, w_2, \cdots, w_r\}$ extracted from file $M$ as input, where $r$ is the size of $WD$, namely $|WD| = r$. It randomly

where $w_t \in WD$, $t \in [1,r]$. Hereafter, the algorithm outputs the index of the keyword set as

Before uploading a file $M$, the algorithm encrypts the file as follows:
① It selects an encryption key $ck$ from the key space, and symmetrically encrypts the file $M$ with encryption key $ck$ to obtain $E_{ck}(M)$.
② It sets an access structure $S = \tilde{v}_1\tilde{v}_2\cdots\tilde{v}_n$, encrypts $ck$ and outputs the ciphertext of encryption key $ck$ through the following steps.
This algorithm takes public key $PK$, access policy $S$ and encryption key $ck$ as input. It chooses $s \in \mathbb{Z}_p$ at random, computes $C = ck \cdot Y^s$ and $C_1 = g^s$, then picks random values $s_j \in \mathbb{Z}_p$ such that $s = \sum_{j=1}^{n} s_j$, and computes $C_{j,1} = X_j^{s_j}$ and $C_{j,2} = {u'_j}^{s_j}$. Consequently, the ciphertext of encryption key $ck$ is as follows:

Finally, the algorithm outputs the overall ciphertext $Cph = (Index, E_{ck}(M), CT')$.

In-KeyGen$(PK, MSK, Attr) \to OK$: This algorithm takes public key $PK$, master secret key $MSK$ and an attribute set $Attr$ as input. It sets $v = g^{ac}$, and computes $\sigma_j$ ($j \in [1,n]$) according to attribute set $Attr = \bar{v}_1\bar{v}_2\cdots\bar{v}_n$. Let

Afterwards, the algorithm outputs the outsourced secret key as

KeyGen$(PK, MSK, Attr, SK_1) \to SK$: This algorithm takes public key $PK$, master secret key $MSK$, attribute set $Attr$ and outsourced secret key $SK_1$ as input. It randomly picks $u, l_j \in \mathbb{Z}_p$, where $j \in [1,n]$; the algorithm lets $D_1 = g^{\alpha+\beta u}$ and D j; otherwise computes $D_{j,2} = g^{vk_j(u - r_{j+n} l_j)}$, then the local secret key as

Finally, the algorithm outputs the data user's secret key $SK = (SK_1, SK_2)$.

TokenGen$(PK, SK_1, WD') \to Tok$: This algorithm takes public key $PK$, outsourced secret key $SK_1$ and a keyword set

$(g^a g^{bH(w'_t)})^z$ and $Tok_2 = g^{cz}$. Therefore, the algorithm generates a token of the keyword set for the data user as follows:

Search$(Index, Tok) \to \{0,1\}$: Taking as inputs the index relevant to access policy $S$ and the token relevant to attribute set $Attr$, this algorithm is executed by the cloud server to test whether the index and the token match. In other words, the cloud server determines whether the following equation holds:

The above equation involves a matching of the index and the token. In the index generation phase, the data owner encrypts $r$ keywords to obtain $\{W_t\}_{t \in [1,r]}$. In the token generation phase, the data user generates a token for the $d$ keywords which he is interested in, and computes $Tok_1$, where $d \le r$.
In order that Eq (1) can be calculated, the cloud server arbitrarily selects $d$ components from $\{W_{t_l}\}_{l \in [1,r]}$ and executes multiplication operations. In accordance with the theory of probability and mathematical statistics, the total number of such choices is $C_r^d$. Hereafter, the cloud server matches the product of the $W_{t_l}$ ($l \in [1,d]$) against $Tok_1$. Among the $C_r^d$ matching attempts, as long as there is one successful match, the above equation holds and the search succeeds.
If and only if Eq (1) holds, the cloud server returns 1 and transmits the overall ciphertext $Cph = (Index, E_{ck}(M), CT')$ to the data user; otherwise it returns 0.
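The search step described above, together with the access-policy check γ(Attr, S), as an added example (not code from the paper). It is a toy model: arithmetic modulo a prime stands in for the bilinear group, there is no pairing, blinding or secret key, the policy encoding is assumed to mirror the attribute-set encoding, and all names and sample keywords are constructed. It therefore shows only the matching logic and its cost of up to $C_r^d$ products, none of the scheme's confidentiality.

```python
import hashlib
from itertools import combinations
from math import comb, prod

# Toy stand-ins (assumptions of this example, not the scheme's parameters):
# arithmetic modulo a prime replaces the bilinear group G, and the index and
# token carry no blinding exponents, so this model hides nothing.
P = 2**127 - 1   # prime modulus
G = 3            # fixed base

def H(word):
    """Stand-in for the one-way hash H: {0,1}* -> Z_p."""
    digest = hashlib.sha256(word.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % (P - 1)

def encode(universe, members):
    """n-bit string over U: True means v_j, False means NOT v_j.
    Used for attribute sets and (by assumption) for AND-gate policies."""
    return tuple(attr in members for attr in universe)

def gamma(attr_bits, policy_bits):
    """gamma(Attr, S): 1 iff both n-bit strings agree at every position j."""
    if len(attr_bits) != len(policy_bits):
        raise ValueError("attribute set and policy must cover the same universe")
    return int(all(a == s for a, s in zip(attr_bits, policy_bits)))

def build_index(policy_bits, keywords):
    """Toy index: the policy in the clear plus one component W_t per keyword."""
    words = sorted(set(keywords))
    return {"policy": policy_bits, "W": [pow(G, H(w), P) for w in words]}

def build_token(attr_bits, wanted):
    """Toy token: attribute string, d, and a single value Tok_1 for d keywords."""
    words = sorted(set(wanted))
    tok1 = prod(pow(G, H(w), P) for w in words) % P
    return {"attrs": attr_bits, "d": len(words), "tok1": tok1}

def search(index, token):
    """Return (result, products_tried) for the server-side matching loop."""
    if gamma(token["attrs"], index["policy"]) == 0:
        return 0, 0                      # policy not satisfied: no match possible
    r, d = len(index["W"]), token["d"]
    if d == 0 or d > r:
        return 0, 0                      # d <= r is required
    tried = 0
    for subset in combinations(index["W"], d):   # at most C(r, d) choices
        tried += 1
        if prod(subset) % P == token["tok1"]:
            return 1, tried              # one successful match is enough
    return 0, tried

# Constructed sample data.
UNIVERSE = ("attr1", "attr2", "attr3", "attr4", "attr5")
USER = encode(UNIVERSE, {"attr1", "attr3", "attr5"})
POLICY_SUBSET = encode(UNIVERSE, {"attr1", "attr5"})           # differs at attr3
POLICY_EXACT = encode(UNIVERSE, {"attr1", "attr3", "attr5"})
KEYWORDS = ["cloud", "storage", "revocation", "keyword", "policy", "audit"]

def demo():
    index = build_index(POLICY_EXACT, KEYWORDS)
    return {
        "gamma_subset_policy": gamma(USER, POLICY_SUBSET),
        "gamma_exact_policy": gamma(USER, POLICY_EXACT),
        "hit": search(index, build_token(USER, ["keyword", "cloud"])),
        "miss": search(index, build_token(USER, ["keyword", "malware"])),
        "worst_case": comb(len(KEYWORDS), 2),
    }

if __name__ == "__main__":
    print(demo())
```

Because every position of the two strings must agree, a user holding {attr1, attr3, attr5} does not satisfy a policy encoded from {attr1, attr5} in this model, and a token containing one keyword absent from the index costs the server all $C_r^d$ products before it returns 0.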
Decrypt$(SK_2, CT') \to ck$: This algorithm takes the data user's local secret key $SK_2$ and the ciphertext $CT'$ of the encryption key as input. If the data user's attribute set $Attr$ satisfies the access policy $S$ embedded in the ciphertext, the algorithm decrypts $CT'$ to obtain encryption key $ck$ as follows:

Finally, a symmetric decryption algorithm is used to decrypt $E_{ck}(M)$ with the encryption key $ck$ to obtain the file $M$.

Correctness: Only when the two conditions $\gamma(Attr,S) = 1$ and $WD' \subseteq WD$ are both satisfied can the search succeed. The following is the verification process of Eq (1)

Where $i \in [1,2n]$.
Only when the attribute set of the data user satisfies the access structure, that is $\gamma(Attr,S) = 1$, can encryption key $ck$ be computed, and the correctness of Eq (2)

Where $i \in [1,2n]$.

Attribute revocation: To achieve attribute revocation, the revocation phase is divided into three steps: the attribute authority takes charge of generating the update key, the non-revoked data users' secret keys are updated, and the cloud server is in charge of updating the ciphertext. We assume that the $j'$-th attribute $attr_{j'}$ of the data user will be revoked, where $j'$ may be any one of $1, \cdots, n$.
i) The attribute authority takes charge of generating the update key
When an attribute needs to be revoked, the attribute authority AA inputs the current version number $vk_{j'}$ of revoked attribute $attr_{j'}$ and chooses a new version number $vk^*_{j'}$, where $vk^*_{j'} \in \mathbb{Z}_p$ ($vk^*_{j'} \ne vk_{j'}$), then the update key generation algorithm calculates the update key as follows:

Afterwards, the attribute authority AA sends $UK_{j'}$ to the key generation server KGS and the cloud server CS, and at the same time updates the partial public attribute key that is related to revoked attribute $attr_{j'}$:

Consequently, the public attribute key associated with revoked attribute $attr_{j'}$ as

At last, this algorithm generates the updated public key $PK^*$ and the updated master secret key $MSK^*$:

$$PK^* = (e, G, G_T, g, g^a, g^b, g^c, Y, H, PK^*_{j'}, \{PK_j \mid attr_j \in U, j \ne j'\})$$

ii) The non-revoked data user's secret key update
Firstly, the attribute authority AA updates the partial intermediate key $OK$ that is related to revoked attribute $attr_{j'}$; this algorithm computes

And transmits $\sigma^*_{j'}$ to the key generation server KGS. Secondly, AA updates the partial local secret key $SK_2$ related to revoked attribute $attr_{j'}$ according to $UK_{j'}$ as follows:

Note that only the partial local secret key that is related to revoked attribute $attr_{j'}$ will be updated; others remain unchanged.
Thirdly, KGS updates the partial outsourced secret key that is related to revoked attribute $attr_{j'}$; the algorithm computes:

Then, it returns $(\bar{\sigma}^*, \tilde{y}^*)$ to AA.
Finally, AA sends the updated secret key $SK^* = (SK^*_1 = (v, \bar{\sigma}^*, \tilde{y}^*), SK^*_2)$ to the non-revoked data user. Meanwhile, since the token contains components of the secret key, the non-revoked data user's token is updated as $Tok^* = (v^z, \bar{\sigma}^{*z}, \tilde{y}^{*z}, Tok_1, Tok_2)$.

iii) The cloud server is in charge of updating the ciphertext
① The update of the keyword index
Based on the update key $UK_{j'}$ sent by AA, the cloud server updates the partial keyword index that is related to revoked attribute $attr_{j'}$; this algorithm computes:

Hereafter, the updated keyword index is $Index^* = (\tilde{u}^*, W', W)$.
② The ciphertext update of the encryption key
The cloud server CS updates the partial ciphertext of the encryption key related to revoked attribute $attr_{j'}$; the updated ciphertext as follows:

Note that only the partial ciphertext that is related to revoked attribute $attr_{j'}$ will be updated; others remain unchanged.

Selectively secure game of chosen-keyword attacks
Theorem 1. If there is an adversary A who is able to win selectively secure game of chosenkeyword attacks with advantage ε, then advantage of a challenger C to break the DL assumption can be defined as ε 2 . Poof: Supposing that a tuple ðg; f ; h; f r 1 ; g r 2 ; RÞ which is an instance of the DL problem, where g; f ; h; R 2 G, r 1 ; r 2 2 Z � p , is given to a challenger C, the challenger C performs the following selectively secure game of chosen-keyword attacks with an adversary A, we will proof that if the adversary A who can break our scheme with advantage ε, then the challenger C can solve the DL problem with advantage ε 2 . Setup. The challenger C runs Setup algorithm, selects a bilinear map e : G � G ! G T , where G; G T are two multiplicative cyclic groups with prime order p, g is a generator of group G. Let H : f0; 1g � ! Z p is a one-way hash function. It randomly picks fr 1 ; r 2 ; � � � ; r 2n g 2 Z p , fx 1 ; x 2 ; � � � ; x 2n g 2 Z p , and implicitly sets h = ga ,f = g c , it chooses d 2 Z p at random, lets f d = g b , where implies that b = cd. For each attribute attr j 2U(j2[1,n]), the challenger C chooses vk j 2 Z p as initial version number, when attr j is equal to v j , we have u j ¼ g À vk j r j , when attr j is equal to ¬ v j , we have u jþn ¼ g À vk j r jþn . Similarly, C computes y j ¼ eðx j ; gÞ vk j if attr j is equal The adversary A submits a challenge access policy S � ¼ṽ 1ṽ2 � � �ṽ n to the challenger C. Phase 1. The challenger C initializes an empty keyword set query list L W , then adversary A issues the following polynomial times adaptive queries: Outsourced secret key query: The adversary A sends a query attribute set Attr � 1 v 1v2 � � �v n to challenger C, wherev j ¼ v j orv j ¼ : v j .
Token query: The adversary A commits a query keyword set The challenger C randomly selects $Z \in Z_p$ and generates the token of keyword set $WD'$, that is If the query attribute set $Attr^*$ does not satisfy access policy $S^*$, then the challenger C adds $WD'$ to list $L_W$ and sends Tok to adversary A.
Challenge. The adversary A randomly picks two keyword sets $WD'_0$ and $WD'_1$ that are not in list $L_W$, and forwards them to challenger C. The challenger C throws a fair coin to select $\xi \in \{0,1\}$, runs the Keyword-Encrypt algorithm, and computes for $t \in [1, r]$, which implies $t_1 = r_1$, $t_2 = r_2$, where As such, the keyword index is $Index = (\tilde{u}, W_0, \{W_t\}_{t \in [1,r]})$, then the challenger C returns Index to adversary A.

Phase 2. Except that the keyword sets $WD'_0$ and $WD'_1$ can no longer be queried, the other queries are similar to Phase 1.
Guess. Finally, the adversary A makes a guess $\xi'$ of $\xi$. If $\xi' = \xi$, A wins the game. The challenger C considers $R = h^{r_1 + r_2}$ implicitly, because when $R = h^{r_1 + r_2}$, Index is a legitimate index of keyword set $WD'_{\xi}$. Afterwards, we assume that the adversary A can break the scheme with non-negligible advantage ε, the probability is Pr[ξ The advantage of challenger C in solving DL assumption is defined as Therefore, our scheme will achieve selective security against chosen-keyword attacks.
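The calculation behind the ε/2 bound of Theorem 1, written out as an added worked step (it is not the paper's own displayed equation). It assumes the usual setup for this kind of reduction: R is well formed, $R = h^{r_1 + r_2}$, with probability 1/2 and random otherwise; C answers "well formed" exactly when $\xi' = \xi$; and a random R hides $\xi$ completely.

$$\Pr[\xi' = \xi \mid R = h^{r_1 + r_2}] = \tfrac{1}{2} + \varepsilon, \qquad \Pr[\xi' = \xi \mid R \text{ random}] = \tfrac{1}{2}$$

$$\mathrm{Adv}_{C} = \tfrac{1}{2}\left(\tfrac{1}{2} + \varepsilon\right) + \tfrac{1}{2} \cdot \tfrac{1}{2} - \tfrac{1}{2} = \tfrac{\varepsilon}{2}$$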

Token privacy game
Theorem 2. If there is an adversary A who is able to break the token privacy game with a non-negligible advantage, a challenger C is capable of obtaining $w'_t$ from $H(w'_t)$ with a non-negligible advantage.
Proof: Here we use the token privacy game to prove the theorem.

Setup. The challenger C executes the Setup algorithm and selects a bilinear map $e: G \times G \to G_T$, where $G, G_T$ are two multiplicative cyclic groups with prime order p and g is a generator of group G. Let $H: \{0,1\}^* \to Z_p$ be a one-way hash function. It randomly chooses $a, b, c, \{r_i\}_{i \in [1,2n]} \in Z_p$ and $\{x_i\}_{i \in [1,2n]} \in G$. For each attribute $attr_j \in U$, $vk_j \in Z_p$ is the initial version number, where $j \in [1,n]$. When $attr_j$ is equal to $v_j$, we have $u_j = g^{-vk_j r_j}$; when $attr_j$ is equal to $\neg v_j$, we have $u_{j+n} = g^{-vk_j r_{j+n}}$. Similarly, C computes $y_j = e(x_j, g)^{vk_j}$ if $attr_j$ is equal to $v_j$, and it computes $y_{j+n} = e(x_{j+n}, g)^{vk_j}$ if $attr_j$ is equal to $\neg v_j$. The challenger C generates public key $PK = (e, G, G_T, g, g^a,$ [1,n] ), while publishing PK and keeping MSK secret.

Phase 1. Similar to the selectively secure game of chosen-keyword attacks, the challenger C initializes an empty key query list $L_K$, and the adversary issues the following adaptive queries a polynomial number $q_t$ of times:

Outsourced secret key query: The adversary A selects a query attribute set $Attr = \bar{v}_1 \bar{v}_2 \cdots \bar{v}_n$ as input for the In-KeyGen algorithm, where $\bar{v}_j = v_j$ or $\bar{v}_j = \neg v_j$. The challenger C computes $v = g^{ac}$ and Hereafter, it obtains the intermediate key The challenger C runs the Out-KeyGen algorithm to output the outsourced secret key Then, the challenger C transmits $SK_1$ to adversary A, and adds Attr to list $L_K$.

Token query: The challenger C runs the TokenGen algorithm based on the outsourced secret key $SK_1$ and the keyword set $WD' = (w'_1, w'_2, \cdots, w'_d)$ submitted by adversary A, then it randomly $(g^a g^{bH(w'_t)})^{z'}$ and $Tok_2 = g^{cz'}$, sends the token $Tok = (v^{z'}, \sigma^{z'}, \tilde{y}^{z'}, Tok_1, Tok_2)$ to adversary A.

Challenge. The adversary A submits an access policy $S^*$ with the restriction that the attribute set Attr in list $L_K$ does not satisfy access policy $S^*$, namely $\gamma(Attr, S^*) = 0$.
The challenger C randomly selects a keyword set $WD^*$, encrypts $WD^*$ with $S^*$ to obtain $Index^*$, then it chooses an attribute set $Attr^*$ such that $Attr^*$ satisfies access policy $S^*$, that is $\gamma(Attr^*, S^*) = 1$. Subsequently, the challenger C first executes the In-KeyGen algorithm and the Out-KeyGen algorithm to compute $SK^*_1$, then runs the TokenGen algorithm to obtain $Tok^*$, and sends $Tok^*$ to adversary A.

Phase 2. Similar to Phase 1, but keyword set $WD^*$ can no longer be queried.

Guess. The adversary A outputs a keyword set $WD''$ and transmits it to challenger C. If $WD'' = WD^*$, adversary A wins the game. In other words, the challenger C performs the Keyword-Encrypt algorithm to generate the ciphertext $Index''$ of $WD''$; if the result returned by the Search($Index''$, $Tok^*$) algorithm is 1, then the adversary A wins the game.
Particularly, if adversary A attempts to gain keyword information from the index, it needs , where $z'$ is randomly selected by challenger C, thus the adversary A gets information from $H(w'_t)$ at most. Due to the one-way and collision-resistant properties of the hash function, the advantage of adversary A in obtaining $w'_t$ from $H(w'_t)$ is a negligible σ. Here |P| represents the size of the keyword space, $q_t$ represents the number of queries in Phase 1, and $|P| - q_t$ is the size of the remaining keyword set in the keyword space after the Phase 1 queries. The probability that the adversary A guesses the encrypted keyword from the remaining keyword set is $\frac{1}{|P| - q_t}$. Then, the advantage of adversary A in breaking the token privacy game is at most $ADV(A) = \frac{1}{|P| - q_t} + \sigma$. In practical applications, because |P| is large enough and $q_t$ is of finite size, the advantage $ADV(A) = \frac{1}{|P| - q_t} + \sigma$ is negligible; therefore our proposal can guarantee token privacy security.

Selectively secure game of chosen-plaintext attacks
Our scheme is selectively secure under the assumption. For selective security, the adversary A should submit two challenge access policies $S^*_0$ and $S^*_1$ at the beginning of the game; the proof then shows, through the indistinguishability of a series of games, that the adversary A cannot win the game with a non-negligible advantage. In simple terms, we use $(C^*, C^*_1, \{(C^*_{j,1}, C^*_{j,2})\}_{j \in [1,n]})$ to denote the initial challenge ciphertext, then select a random element Z in $G_T$ and $\{Z_{j,1}\}_{j \in [1,n]}$ in G. Afterwards, we define a series of games $Game_0, \cdots, Game_{n+1}$, where $Game_0$ is the initial game, $Game_1$ replaces $C^*$ in $Game_0$ with Z, and $Game_2, \cdots, Game_{n+1}$ replace $C^*_{j,1}$ with $Z_{j,1}$, for $j \in [1,n]$. The game is defined as follows:

When a data user's attribute set Attr satisfies both access structures $S^*_0$ and $S^*_1$, namely $\gamma(Attr, S^*_0) = 1 \wedge \gamma(Attr, S^*_1) = 1$, $Game_1$ is the same as $Game_0$. When a data user's attribute set Attr does not satisfy access policies $S^*_0$ and $S^*_1$, that is $\gamma(Attr, S^*_0) = 0 \wedge \gamma(Attr, S^*_1) = 0$, $Game_1$ is as defined above. Subsequently, we use the DDH assumption to prove that $Game_0$ and $Game_1$ are indistinguishable.

Theorem 3. If there is an adversary A who is able to distinguish games $Game_0$ and $Game_1$ with a non-negligible advantage, a simulator B is capable of breaking the DDH assumption with a non-negligible advantage.
Proof: Suppose that a tuple $(g, g^{z_1}, g^{z_2}, Q)$, which is an instance of the DDH problem, where $g, Q \in G$ and $z_1, z_2 \in Z_p^*$, is given to a simulator B. The simulator B performs the following operations:

Initialization. The adversary A submits two challenge access policies $S^*_0 = \tilde{v}_{0,1} \tilde{v}_{0,2} \cdots \tilde{v}_{0,n}$ and $S^*_1 = \tilde{v}_{1,1} \tilde{v}_{1,2} \cdots \tilde{v}_{1,n}$ to simulator B, then B throws a fair coin to select $b \in \{0,1\}$.

Setup. The simulator B runs the Setup algorithm and selects a bilinear map $e: G \times G \to G_T$, where $G, G_T$ are two multiplicative cyclic groups with prime order p and g is a generator of group G. It randomly chooses $\alpha, \beta, vk_j \in Z_p$, sets $Y = e(g, g)^{\alpha} = e(g, g^{z_1}) = e(g, g)^{z_1}$, implicitly lets $\alpha = z_1$, then it computes $X_j = g^{\beta vk_j}$, where $vk_j \in Z_p$ is the initial version number of the attribute, for $j \in [1,n]$. Afterwards, B picks up random value {r [1,n]. The simulator B publishes public key and keeps the master secret key $MSK = (\alpha, \beta, \{vk_j\}_{j \in [1,n]}, \{r_i\}_{i \in [1,2n]})$ secret.

Phase 1. The adversary A commits a query attribute set $Attr = \bar{v}_1 \bar{v}_2 \cdots \bar{v}_n$ to simulator B.
The advantage of adversary A to win the game is defined as Hence, if adversary A is able to distinguish games $Game_0$ and $Game_1$ with a non-negligible advantage, simulator B is capable of breaking the DDH assumption with a non-negligible advantage.
If $\bar{v}_j$ belongs to (v [1,n] is the same as the initial scheme, but for $\bar{v}_j$ belongs to (v [1,n] will be replaced by random value $\{Z_{j,1}\}_{j \in [1,n]}$, which is represented by our pre-defined series of games $Game_2, \cdots, Game_n, Game_{n+1}$. The DDH assumption is used to prove that $Game_l$ and $Game_{l+1}$ are indistinguishable, for $l \in [1,n]$.

Theorem 4. If there is an adversary A who is able to distinguish games $Game_l$ and $Game_{l+1}$ with a non-negligible advantage, a simulator B is capable of breaking the DDH assumption with a non-negligible advantage.

Phase 2. The adversary A continues to query similarly to Phase 1 with the restriction that $(\bar{v}_j \in S^*_0 \wedge \bar{v}_j \notin S^*_1)$ or $(\bar{v}_j \notin S^*_0 \wedge \bar{v}_j \in S^*_1)$.

Guess. The adversary A gives a guess $b'$ of b. If $b' = b$, the simulator B outputs τ = 1, which indicates $Q = g^{z_1 z_2}$. The adversary A exactly simulates the initial game, because Otherwise the simulator B outputs τ = 0, which indicates that Q is a random element in G. The advantage of adversary A to win the game is defined as Therefore, if adversary A is able to distinguish games $Game_l$ and $Game_{l+1}$ with a non-negligible advantage, simulator B is capable of breaking the DDH assumption with a non-negligible advantage.
In a word, if every polynomial-time adversary can win the game with only a negligible advantage, our scheme achieves selective ciphertext security under chosen-plaintext attacks.
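The hybrid step that ties Theorems 3 and 4 together, as an added derivation (the notation $p_l$ is introduced here and is not the paper's). Let $p_l$ be the probability that A outputs $b' = b$ in $Game_l$, and assume that the challenge ciphertext in $Game_{n+1}$ no longer depends on b, so that $p_{n+1} = 1/2$:

$$\left| p_0 - \tfrac{1}{2} \right| = \left| p_0 - p_{n+1} \right| \le \sum_{l=0}^{n} \left| p_l - p_{l+1} \right|$$

Each term on the right is negligible by Theorem 3 ($l = 0$) or Theorem 4 ($l \in [1,n]$), and a sum of $n + 1$ negligible terms is still negligible because the number of attributes n is polynomial in the security parameter.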

Forward and backward security
A data user's attribute set satisfies the access structure, and only when the search keyword set is included in the encrypted keyword set can the target ciphertext be searched. However, when an attribute $attr_{j'}$ of a data user needs to be revoked at a certain time, the system informs all non-revoked data users to update the secret keys associated with the revoked attribute $attr_{j'}$, and the cloud server completes the ciphertext update. During the initial phase, we select a randomized version number for each attribute. Whenever an update occurs, the version number of the attribute is changed. Afterwards, an update key $UK_{j'}$ is used to re-encrypt ciphertexts and to update the secret keys relevant to the revoked attribute for all non-revoked data users, so the data user cannot continue performing keyword search and decryption with the previous token and secret key, because in the search phase the updated keyword index cannot match the data user's original token, namely $e(\tilde{u}^*, v^z)\, e(\sigma^z, g)\, y^z \neq e(g, g)$ Therefore, the attribute revocation in our scheme achieves backward security.

A data user's attribute set satisfies the access structure; when an attribute $attr_{j'}$ of the data user needs to be revoked, the version number $vk_{j'}$ corresponding to the attribute is changed, namely it is replaced by a random value $vk^*_{j'}$. Hereafter, the system informs all non-revoked data users to update the secret keys related to the revoked attribute, and the updated secret keys and tokens are returned to the valid data users. Simultaneously, the partial ciphertexts relevant to the revoked attribute are also updated. Even if the data user saves the ciphertext before joining the system, because $vk^*_{j'} \neq vk_{j'}$, the previous keyword cannot be searched with the updated token and the previous ciphertext cannot be decrypted with the updated secret key. Therefore, the attribute revocation in our scheme achieves forward security.

Performance and efficiency analyses
This section mainly analyzes performance and efficiency comparisons between our scheme and literature [31-35]. The performance comparison compares functional differences between our scheme and other schemes. The efficiency comparison analyzes operation time differences between our proposal and other schemes in a certain phase. Based on the Pairing-Based Cryptography (PBC) library [36] and group operations with prime order p, we mainly consider three kinds of operations on time complexity: exponential operation, multiplication operation and pairing operation. Specifically, K represents the number of attributes that satisfy the access structure and N represents the number of attributes owned by the data user. (In our scheme, K = N.)

Table 1 shows the performance comparison between our scheme and literature [31-35]. The literature [31] supports multi-keyword search and security proof under the hard problem, but it does not support attribute-based encryption and revocation. The literature [32-35] all support attribute-based encryption; meanwhile literature [35] also supports direct revocation, while our scheme supports attribute revocation. In addition, the literature [32] does not support security proof under the hard problem. Compared with other solutions in Table 1, our proposal supports all functions.

Table 2 shows the efficiency comparison between the proposed scheme and the literature [31-35]. Since literature [32-35] do not support multi-keyword search, the proposed scheme and literature [31] have requirements for the number of keywords in the encryption, token generation, and search phases. For comparison, we consider that the quantity of encrypted keywords is equivalent to the quantity of search keywords, that is r = d.
Through experiments on common cryptographic algorithms, the operation time of each phase is obtained and the following operation time comparison charts are drawn. The hardware environment is an Intel Core i5-3470 CPU @ 3.20GHz with 4.00GB of RAM. The software runtime environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10.
Fig 2(A), 2(B) and 2(C) are time charts for running the encryption algorithm as the number of attributes increases when the keyword set contains 10, 20, and 30 keywords, respectively. Since literature [32-35] do not support the multi-keyword search function, the proposed scheme is mainly compared with literature [31]. From Fig 2, we can see that in the encryption phase, the calculation speed of our scheme is slower than literature [33] and faster than literature [31,32,34,35].
Fig 3(D), 3(E) and 3(F) are time charts for running the token generation algorithm as the number of attributes increases when the keyword set contains 10, 20, and 30 keywords, respectively. Since literature [32,34,35] do not involve a token generation algorithm, at this phase our scheme is mainly compared with literature [31,33], and because literature [33] does not support the multi-keyword search function, changes in the number of keywords only lead to changes in the algorithm time of our scheme and literature [31]. As can be seen from Fig 3, when the number of keywords is 10, the calculation time of our scheme is the shortest. When the number of keywords increases and the number of attributes is small, the computation speed of the proposed scheme is slower than literature [33]. However, as the number of attributes increases, the advantage of our scheme becomes more significant, and the algorithm speed is superior to literature [31,33].
Fig 4(G), 4(H) and 4(I) are the time charts for running the search algorithm as the number of attributes increases when the keyword set contains 10, 20, and 30 keywords, respectively. Since literature [33] does not involve the number of attributes and keywords in the search phase, the algorithm time in [33] is constant. We have focused on comparing our scheme with literature [31,33]. Since our scheme does not involve the number of attributes in the search phase, the algorithm time of our scheme is only associated with the number of keywords. From Fig 4, we can see that at this phase, the calculation speed of the proposed scheme is faster than literature [31].
Fig 5 shows the algorithm time in the decryption phase of our scheme and literature [32-35]. It can be seen from Fig 5 that, as the quantity of attributes continuously increases, the calculation time of our solution in this phase is less than literature [32-35].

Conclusion
We propose an attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage. On the one hand, based on the traditional CP-ABE schemes, our proposal uses the AND-gate access policy and adds attribute revocation and multi-keyword search, which is more practical. On the other hand, we present a security proof under the complexity assumption, which demonstrates that our scheme is secure. Finally, we analyze the performance and efficiency of the proposed scheme and other solutions via experimental evaluation, which indicates that our scheme is more efficient.
In the future, how to achieve a dynamic search with multiple functions and direct revocation will be a project that needs further study.