Searchable and revocable multi-data owner attribute-based encryption scheme with hidden policy in cloud storage

With the development of outsourcing data services, data security has become an urgent problem that needs to be solved. Attribute-based encryption is a valid solution to data security in cloud storage. There is no existing scheme that can guarantee the privacy of access structures and achieve attribute-based encryption with keyword search and attribute revocation. In this article, we propose a new searchable and revocable multi-data owner attribute-based encryption scheme with a hidden policy in cloud storage. In the new scheme, the same access policy is used in both the keyword index and message encryption. The advantage of keyword index with access policy is that as long as a user’s attributes satisfy the access policy, the searched ciphertext can be correctly decrypted. This property improves the accuracy of the search results. The hidden policy is used in both the ciphertext and the keyword index to protect users’ privacy. The new scheme contains attribute revocation, which is suitable for the actual situation that a user’s attributes maybe changed over time. In the general bilinear group model, the security of the scheme is demonstrated, and the efficiency of the scheme is analyzed.


Introduction
With technological developments, enterprise and personal data, photos, documents, and even health records maybe outsourced to cloud storage. Jiang D et al. [1] proposed a way to solve the network routing problem in cloud computing, it can achieve higher network energy efficiency for cloud computing. Siddiqui Z et al. [2] proposed in the dynamic cloud environment, the application of telemedicine information system provides convenience for patients and doctors. Along with the many benefits that cloud storage provides, it also presents serious data security problems. The data uploaded to the cloud should be encrypted to prevent information leakage. However, traditional encryption methods cannot be used to achieve access control and keyword searches. Therefore, we ask the following question. How can the data owners encrypt their data and enable both access control and quick searching in cloud storage ? Waqar A et al. [3] proposed a framework for preservation of cloud users' data privacy using dynamic reconstruction of metadata, it can protect the cloud users' data privacy. Lin [4] proposed a scheme by use of threshold encryption and group signature mechanism to ensure the security of transmission data, it can ensure that the split and merged messages are not broken. In traditional public-key cryptography, a message is encrypted for a specific receiver using the receiver's public-key. Identity-based cryptography and in particular identity-based encryption (IBE) changed the traditional understanding of public-key cryptography by allowing the public-key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step further and defines the identity not atomic but as a set of attributes, e.g., roles, and messages can be encrypted with respect to subsets of attributes (key-policy ABE-KP-ABE) or policies defined over a set of attributes (ciphertext-policy ABE-CP-ABE). The key issue is, that someone should only be able to decrypt a ciphertext if the person holds a key for "matching attributes" (more below) where user keys are always issued by some trusted party. Attribute-based encryption technology can not only protect the privacy of data, but also solve the problem of information sharing in practical application. For attribute-based encryption scheme, data access control is an effective way to ensure data security. Attribute-based encryption enables fine-grained access control for data. A security issue in the cloud environment is the search problem. The data in cloud servers is stored in ciphertext, which guarantees the privacy of data. Once a user needs to find a relevant document containing a keyword, he will encounter the problem of how to search. The server performs a search operation, but does not know what the user is searching for. It can effectively protect the privacy of user search. Of course, in a cloud storage system, data access is not static. For example, if an employee is fired or promoted, the corresponding attribute needs to be changed. The attribute encryption technology supports multiple data owners to upload encrypted personal information records, and can conduct multiple keyword searches. It also allows data owners to search for different periods of time for multiple users.
In the existing attribute-based encryption schemes, the cloud server must know the accessing strategy to perform the keyword search operation. This requirement makes it a difficult task to simultaneously achieve searchability and protect the privacy of the access control. The hidden strategy can protect the privacy of the user's attributes, and the user's attributes may frequently change in practice. Therefore, the attribute revocation mechanism is essential. An attribute change for a single user may lead to changes of other users' private keys that are associated with the attribute and even the changes of the ciphertext corresponding to the attribute.
How to structure a searchable and revocable attribute-based encryption scheme with hidden policy for multi-data owners in cloud storage is a challenging problem.

Advantages of the scheme
In this scheme, we proposed a searchable and revocable attribute-based encryption scheme with hidden policy for multi-data owners in cloud storage. The primary advantages of the scheme are summed up as follows: • In our new scheme, the same access policy is used in message encryption and keyword index construction. The benefit of using the access policy in the construction of the keyword index is that as long as a user's attributes satisfy the access structure, when the user submits a search token containing the secret attribute key to the search server, the search server can search the documents the user is interested in. The search results can then be decrypted by the user. Thus, the access policy is considered in the search process, which improves the accuracy of the search results.
• The access policy is hidden in the ciphertext and keyword index. The hidden policy can protect the privacy of the user's attributes.
• This scheme has the function of attribute revocation. If a user's attribute changes, the index, ciphertext and private key connected with the attribute can be updated in time to ensure the security of the information.
• A search server is introduced in the system. It is used to store the keyword index. The ciphertext is stored in the cloud storage server. A keyword search is performed by the search server.
For an authenticated user, the user gives the corresponding search token to a search server, and a search server responds to the search. When his attributes satisfy the access control structure and the given keyword is matched, a search server notifies the cloud storage server to send the relevant ciphertext to the user for decryption.
• In the general bilinear group model, it is demonstrated that the keyword index is secure under the keyword guessing attack and that the ciphertext is indistinguishable under the chosen-plaintext attack.

Related research
Attribute-based encryption (ABE). Sahai and Waters [5] devised the first attribute-based encryption system, which was a historic breakthrough. Subsequently, Bethencourt, Sahai and Waters [6] in 2005 constructed an attribute encryption with ciphertext policy. The model can achieve fine-grained access control of ciphertext through attributes. There are two forms in the ABE: the ciphertext policy (CP−ABE) and the key policy (KP−ABE). In the ciphertext policy, access control policy is embedded in the encrypted ciphertext, and the private key is related to attribute set. Only when the attributes of the user meet the ciphertext policy can the ciphertext can be decrypted. In the key policy, the ciphertext is related to the description of the attribute set, and the user's private key is related to the access structure. The access policy is defined on the attribute set. When the attribute sets meet the access control, the private key of the attributes can decrypt the corresponding ciphertext. Ling and Newport [7] proposed a provable secure ciphertext policy ABE, but the access structure in their scheme can only support the gate condition. However, none of these schemes supports keyword search ( [8,9,10]).
Attribute-based encryption with keyword search (ABKS). Song et al. [11] proposed the first initial searchable encryption program. In addition to the search results, the server knew nothing about the search keyword. Miao Y et al. [12] proposed a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search via Ciphertext-Policy Attribute-Based Encryption. In [13], the authors propose a searchable encryption scheme for keywords in the hidden strategy. If the data user's attributes do not meet the access policy, the user cannot obtain the information of the access policy and cannot search for the encrypted data. Its innovation lies in the construction of the keyword index for the concealed access structure. However, there is no attribute-based encryption, and there is only a single data owner in the scheme in this article, while in practical situations, there should be multi-data owners in the system. Zheng and Sun ([14,15]) in 2014 proposed two attributebased keyword search schemes (ABKS). A data owner grants the search ability to users through the setup of an access policy, which effectively improves the search efficiency. The cloud server sends corresponding find results to the user when the user's attributes meet the access control structure, which is specified by data owner. Tang Y et al. [16] constructed a multi-keyword search scheme that applied to the network environment, based on privacy protection and efficiency. Xia Z [17] proposed multiple keyword searches and dynamic updates in cloud storage. Zhong H et al. [18] proposed a decentralized multi-authority CP-ABE access control scheme supporting the user revocation. Guo C et al. [19] constructed the access control of individual cases stored in the cloud server, it can achieve fine-grained access control for EHR. Also it allows multiple users to search on different databases. Fan Y et al. [20] constructed a verifiable scheme to support multi-keyword search. Guo Z [21] proposed a multi-keyword sorting search and supported the sharing of search functions. However, none of these existing schemes can hide access structures [22].
Attribute-based encryption hidden policy. Lai J et al. [23][24][25][26] provided some attributebased hidden policy encryption schemes. In these schemes, access structure embedded in the ciphertext, for those attributes do not meet the access structure users cannot decrypt the ciphertext.
Attribute-based encryption revocation (ABER). Tian et al. [27] proposed a revocable attribute-based encryption project. In this project, once a user is revoked, it is necessary to assign new keys to all other users in the system, except the revoked user. Then, a new encryption key re-encrypts the ciphertext. Thus, the revoked user can no longer decrypt the ciphertext. The method is not smart, because in practice the revoked users are only a small part and the majority of users are not revoked. Therefore, the method is infeasible. Zhihua Xia [28] presented an attribute-based access control project with valid revocation in cloud computing. The revocation is implemented using the version number of the private key, and the scheme also supports the backward security and forward security. The scheme is demonstrated to be effective and secure. Chen J [29] proposed an attribute-based encryption scheme with revocation and update in the cloud storage, in which the user is directly revoked. Li X et al. [30] proposed the revocation of two factors that are based on attribute encryption under the cloud storage, combining identity and attribute. Liu Z et al. [31] proposed a solution to update the user's access rights in a timely manner once the user's attributes change, and the data owner updates access control. In addition, there are some other articles that discuss the methods of attribute revocation for attribute-based encryption scheme ( [32,33,34,35,36]).

Bilinear map
Let ðe; p; g 1 ; g 2 ; G 1 ; G 2 ; G T Þ BGenMapð1 l Þ be represented by a symmetric bilinear map e : G 1 � G 2 ! G T , where λ is a security parameter, G 1 ; G 2 ; G T are three multiplicative cyclic groups with the same order of prime p, and g 1 2 G 1 ; g 2 2 G 2 are the generators of G 1; G 2 , respectively. The bilinear e meets the following four conditions: 2. Non-degeneracy: e(g 1 ,g 2 ) 6 ¼ 1; 3. Efficiency: There is a valid polynomial time algorithm to compute e(g 1 ,g 2 ), 4. There is a valid, publicly calculated (no need reversible) isomorphism c : G 2 ! G 1 such that ψ(g 2 ) = g 1 .

Generic bilinear group model
Let ðe; p; g 1 ; g 2 ; G 1 ; G 2 ; G T Þ BGenMapð1 l Þ be defined as follows. In a general linear group model, three random codes are assumed as B 1 ; B 2 ; B T : Z þ p ! f0; 1g m . Z þ p is an addition group, and m>3logp. For i = 1,2,T, let G i ¼ fB i ðxÞjx 2 Z þ p g. There are three oracles to compute the operation in the groups G 1 ; G 2 ; G T . There are oracles to compute non-degenerate linear maps e : G 1 � G 2 ! G T .

Access structure
Definition 1. Index n attributes in the system can be denoted as U = {1,2,� � �,n}. For each attribute i2U,let S i ¼ fv i;1 ; v i;2 � � � v i;n i g denote all the possible values for this attribute, where n i is the number of possible values for this attribute i.

System entities
Above all, the system framework is described in Fig 1.The framework includes the five main entities of the trusted authority, the cloud storage server, the search server, the multi-data owners, and multi-users. Particularly, the trusted authority controls the common parameters and distributes certified users' private keys. The private key is related with the user's attribute list. The cloud storage server provides storage capabilities. Data owners encrypt messages, construct keyword indexes. Owners outsource encrypted messages to the cloud. The keyword index is outsourced to the search server, and the search server is responsible for matching. A certified data user in the system can generate a keyword search token related to his attributes' private key. A search token is presented to a search server, and the search server searches for the keyword index. If the user's attribute list meets the access structure implied in the keyword index, the successful search is returned to a cloud server. Next, the cloud storage server sends the ciphertext corresponding to the keyword index to the user.

Function definition
as described below. Setup (1 λ )!(msk,pp): The algorithm is executed by a trusted authentication attribute authority. It takes the security parameter λ as an input and outputs the public parameter pp and the master key msk.
KeyGen (msk,pp,L)!sk: The algorithm is used to produce a user's private key by a trusted authority. It takes the master key msk, the public parameter pp,and the users attribute list L as the inputs. It outputs the key sk associated with L.
Encryption (pp,m,P)!ct: A data owner executes the algorithm. It takes the common parameters pp,a message m, and one access control p as inputs. It outputs a ciphertex ct.
Encrypt-Index (pp,w,P)!Index: A data owner executes the algorithm. It takes the common parameters pp, a set of keywords w, and an access control structure p as inputs. It then exports the key Index.
GenToken (sk,w)!tok: A data user executes the algorithm to produce search tokens for queries. It takes the input private key sk and a keyword w as inputs. It then exports the keyword search token tok.
Search (tok,Index)!{0,1}: A search server runs the algorithm. It takes the keyword index Index (pp,w,P) and a search token tok (sk,w 0 ) as inputs. It then outputs 1 if L7 !P and w = w 0 . Otherwise, it outputs 0.
Decryption (CT,sk)!m: A data user executes the decryption algorithm. It takes the ciphertext ct and the decryption key sk as inputs and outputs message m.
CTUpdate ðĉ i;j;2 ; u i;j Þ !ĉ 0 i;j;2 , The cloud storage server executes the ciphertext update algorithm. It takes ciphertext ct and update operator (v i,j ,u i,j ) as inputs. It then outputs the updated ciphertext ct 0 .
SKUpdate ðK i;t i ;1 ; u i;j Þ ! K 0 i;t i ;1 : The authority executes the user's private key update algorithm. It takes the user's private key K i;t i ;1 and the update operator (v i,j ,u i,j ) as inputs. It then outputs the updated key sk 0 .
IndexUpdate ðI i;j;2 ; u i;j Þ ! I 0 i;j;2 :The search server executes the update index algorithm. It takes the update operator (v i,j ,u i,j )as an input and then exports the updated index Index 0 .

Security definition
1.The secure game of indistinguishability of keyword index under the selective keyword attack with hidden policy.
System establishment: The adversary selects two access control strategies P 0 ,P 1 .He needs to send them to the challenger. The challenger selects safety parameters λ and runs the Setup(λ) algorithm, generating public parameters pp and mask secret key msk.The challenger gives the public parameter pp to the adversary and leaves the master secret key msk. Phase 1. The adversary selects a list of attributes L such that L| 6 ¼ P 0^L | 6 ¼ P 1 . He then asks in polynomials times as follows: O KeyGen (L). The challenger generates the private key sk though KeyGen (msk,pp,L)!sk and gives it to the adversary.
O GenToken (L,w). The challenger generates sk through O KenGen (L). He then runs the tokengenerating algorithm GenToken (sk,w)!tok to get the token and return it to the adversary.
Challenge. The adversary submits two challenge keywords w 0 ,w 1 to the challenger. The condition is that the adversary has not asked for any search tokens of w 0 ,w 1 . The challenger chooses a random bit b2{0,1}. He then produces the index I b by the index generating algorithm for keyword w b under policy P b , and returns the index I b to the adversary A.
Phase 2. The adversary A can still query similar to Phase 1.The restricted condition is w 6 ¼ w 0 ,w 1 .
Guess: The adversary A outputs a guess b 0 for b. If b 0 = b, then the adversary wins this game. The adversary's advantage in the game is defined as If there is no polynomial time, the adversary can win the above game with a non-negligible advantage. Next, the scheme is called secure in the sense of the indistinguishability of keyword index under the selective keyword attack with the hidden policy.
2. The secure game of indistinguishability of ciphertext under the selective plain-text attack with the hidden policy.
System establishment. The adversary selects two access control strategies P 0 ,P 1 . He then transmits them to a challenger. The challenger selects the safety parameter λ and runs the Setup(λ) algorithm, generating public parameters pp and master secret key msk.The challenger gives the public parameter pp to the adversary and later leaves the master secret key msk. Phase 1. The adversary selects a list of attributes L such that L| 6 ¼ P 0^L | 6 ¼ P 1 and asks in polynomials times as follows O KeyGen (L).The challenger generates the private key sk though KeyGen (msk,pp,L)!sk and provides it to the adversary.
Challenge. The adversary submits two equal length messages m 0 ,m 1 to the challenger. The challenger selects a random bit b2{0,1}. He subsequently generates the ciphertext ct b by the encryption algorithm for message m b under policy P b and returns the ciphertext ct b to the adversary A.
Phase 2. The adversary A can still query similar as Phase 1.
Guess. The adversary A exports a guess b 0 for b. If b 0 = b, then he wins this game. The adversary's advantage in the game is defined as If there is no polynomial time adversary that can win the above game with a non-negligible advantage, then the scheme is called the secure model of indistinguishability of ciphertext under the selective plain-text attack with hidden policy.

Scheme construction
In this part, we will propose a searchable and revocable attribute-based encryption scheme with a hidden policy in cloud storage. Our new scheme achieves encryption and keyword search and attribute revocation. The access control policy consists of a set of AND gates. In the system we assume that there are n attributes, and all the attributes are labeled as {1,2,� � �n}.

Motivation
Authors in [13] proposed a searchable encryption scheme with the hidden strategy, and the hidden strategy is a major feature of the scheme. However, we find that the scheme is correct only if the data owner and the data user are the same one, this error is not easy to find as they use the same parameter r for the data owner and data user. Here we will give a detail analysis, in order to demonstrate this problem, we use different parameter r for the data owner and data user.
The data owner's parameters can be denoted by in which r 0 is randomly selected by the data owner, x 0 is randomly selected by attribute authority for the data owner. Data user's parameters denoted by X u ¼ Y x u ; C u u ¼ X À r u u ðx u 2 Z p Þ; T ¼ x u þ s,in which r u is randomly selected by the data user, x u is randomly selected by attribute authority for the data user. In the search algorithm, the match equation should bẽ CT � C u u ¼ Y r 0 s ¼ eðg 1 ; g 2 Þ r 0 sa , but if the data owner and the data user are not the same one, we which is not equal to Y r 0 s except for r 0 = r u . Thus the original scheme is correct only for the data owner and the data user are same one. This limits the usefulness of the scheme in [13].
To overcome these problems, we improve the scheme in reference [13].We will take the public parameter r and design a new scheme that accounts for multiple data owners. Another improvement of our new scheme is to simplify the hash function with a key [13] to a general hash function without a key to increase the practicality of the scheme. Since all users in the system share a secret key for the hash function, it is actually not secure, and the server can easily collude with a user to get the key. We also add attribute encryption and attribute revocation to make the scheme feasible and retain the advantages of the hidden access structure.

Our construction
The scheme consists of the following algorithms.
• Setup(1 λ ): Input the security parameter λ. Then, the algorithm produces the public parameters and the master secret key as follows: 1. Generateð1 l Þ ! ðe; p; g 1 ; g 2 ; G 1 ; G 2 ; G T ; HÞ, where e is a symmetric bilinear mapping e:G 1 � G 2 ! G T . g 1 ,g 2 are the generators of G It chooses a random number r R Z p and publishes it and then calculateŝ I ¼ Y r , I 0 = B r . The public parameter pp and the master secret key msk are set as follows: • KeyGen(msk,pp,L):Suppose L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g is the attribute list of a user U. User U chooses one of his own x u R Z p , calculates X u ¼ Y x u , and then submits it to the attribute authority. The user saves x u .Next, for each attribute i,1�i�n, the authority chooses l i R Z p and calculates K i;t i ;1 ¼ g It finally sets the private key of the user with the attribute list L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g as follows: The authority add tuples (U,I u ,L) to the list of users U List , where I u = X u −r . Next, the authority sends U List to the search server.
• Encrypt(pp,m,P):Suppose P = {P 1 ,P 2 ,� � �P n } is an access control policy, P i �S i . When outsourcing a file F to a cloud storage server, the algorithm produces a ciphertext that is related to the access control structure P as follows: 1. Above all randomly choosesr R Z p ,ĉ ¼ meðg 1 ; g 2 Þ ar , andĉ 0 ¼ Br,where m is the key to encrypt the file F by a symmetric encryption algorithm.

For each
and it calculateŝ • Encrypt−Index(pp,w,P):Suppose P = {P 1 ,P 2 ,� � �P n } is an access control policy, which is the same access control policy as it is in the encrypted ciphertext. Let w be a keyword extracted from file F. It produces a secure keyword index related to the access control policy P as follows: For each attribute i,1�i�n, above all selects r i R Z p , makes r ¼ X n i¼1 r i , and computes

Þ: ð8Þ
If the file has multiple keywords, it can be used to generate multiple security indexes. Note that here r is the public system parameter and is the same for all keyword index generations.
• GenTokenðsk;wÞ: This algorithm generates a secure search token for a keywordw. If a user U wants to search a keywordw,the user U chooses a s R Z p and then computes t ¼ • Search(tok,Index): Once the token of user U is received, the search server first checks whether the U is in U List . If it is not, the request s refused. Otherwise, it gets the tuples (U,I u , L),where L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g and I u ¼ X À r u .The search server runs the matching algorithm for (tok,Index) and (U,I u ,L) as follows: Þ and E = E 1 /E 2 = e(g 1 ,g 2 ) srβ . If eðI 0 ; T 0 Þ � E À 1 ¼Î t � I u , the match is successful and returns 1.A notification is sent to the cloud server. The cloud server sends the corresponding ciphertext associated with the index to the user. Otherwise, the match is failed and returns 0.
• Decrypt(CT,sk): The decryption algorithm is run by data user U with attribute list L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g to decrypt the ciphertext CT by using its secret key sk.
• AttriUpdate(v i,j ,a i,j ): When a user's attribute i is revoked, suppose that the attribute value revoked is v i,j .The authority runs this update algorithm and selects a new random value a 0 i;j instead of the old secret value a i,j corresponding to v i,j . It publishes an attribute update opera- • PPUpdate(A i,j ,u i,j ): The authority inputs the update operator (v i,j ,u i,j ) and recalculates A 0 i;j ¼ A u i;j i;j as the new system parameter to instead of the old parameter A i,j for attribute i and publishes it in the system parameter set.
• CTUpdateðĉ i;j;2 ; u i;j Þ: The ciphertext update algorithm inputs the ciphertextĉ i;j;2 and the update operator (v i,j ,u i,j ). It then outputs the new ciphertextĉ i;j;2 such that • SKUpdate(K i,1 ,u i,j ): The private key update algorithm inputs the private key K i,1 corresponding to attribute v i,j and the update operator (v i,j ,u i,j ). It then outputs the new private key K 0 i;t i ;1 as • IndexUpdate(I i,j,2 ,u i,j ): The index update algorithm inputs I i,j,2 (which is part of the index related to attribute v i,j ) and the update operator (v i,j ,u i,j ). It then outputs the new index I 0 i;j;2 as

Security analysis
The correctness of algorithm Search(tok,Index) is as follows: If L| = P, w = w 0 , and L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g, ; g l i HðwÞs , the match is successful and the search server returns 1.
The correctness of the decryption algorithm is verified as follows: If L| = P and L ¼ fL 1 ; L 2 ; � � � L n g ¼ fv 1;t 1 ; v 2;t 2 ; � � � v n;t n g then Our safety analysis scheme is as follows: We will analyze and demonstrate the security of our scheme under the general bilinear mapping model ( [6,14,36]). First, we will prove that our scheme is of the indistinguishability of the keyword index under the selective keyword attack with the hidden policy. Second, we will demonstrate that our scheme is of the indistinguishability of the ciphertext under the selective plain-text attack with the hidden policy. Theorem 1. Let B 1 ; B 2 ; B T ; G 1 ; G 2 ; G T be defined as the general bilinear group model. We request that any adversary A performs up to q times oracles to ask for group G 1 ; G 2 ; G T 's calculation, including bilinear mapping. In the secure game of the indistinguishability of the keyword index under the selective keyword attack with hidden policy, the advantage of an adversary A is O(q 2 /p).
Proof: Our proof is similar to [13,24].We will design a simulator B and an adversary A to perform the indistinguishability of the keyword index under the selective keyword attack with the hidden policy as follows. A maintains 3 pairs of lists: In these equations, F τ,l (τ2{1,2,T}) is adversary A 0 s queries, B τ,l (τ2{1,2,T}) is a random string of {0,1} � for each query result, and B 1,l = B 1 (F 1,l ), The initialization definition is F 1,1 = 1,F 2,1 = 1,F T,1 = 1, and B 1,1 ,B 2,1 ,B T,1 is the initial mapping string. B 1 (1) represents g 1 , B 2 (1) represents g 2 , and B T (1) represents e(g 1 ,g 2 ). In the following query, the adversary A and the simulator B use B to represent the elements in the group. In particular, for each query, the simulator selects random real values contained in the list. Whenever A gives a query to B, B will update its list and return to the relevant random string to A. Next, we give As query as follows: Group action. Set two operand objects B τ (x),B τ (y). Additionally, x; y R Z p ; t 2 f1; 2; Tg. If B τ (x),B τ (y) are not in the list V G T , they are returned. Otherwise, B computes F = x+y mod p and checks where F is in the list V G T .If it is in it, it returns B τ (F). Otherwise, B sets a random string in {0,1} � different from the list V G T already exists in. Finally, B will be added hF,B τ (F)i to the V G T and we will have answer A with the string B τ (F).
Isomorphism. Given a string B 2 (x), if it is not in the list V G 2 , it terminates ?. Otherwise, if x already exists in the list V G 1 , it returns B 1 (x) to A. If not, B sets a random string B 1 (x) in {0,1} � that is distinct from any existing list V G 1 . Finally, B adds hx,B 1 (x)i to V G 1 , and sets B 1 (x). It then returns to A.
Bilinear pairing. Given two operations B 1 (x),B 2 (y), if B 1 (x) not in the list V G 1 and B 2 (y) not in the list V G 2 , it terminates ?. Otherwise, B calculates F = xy mod p also checks if F in the list V G T . In that case, B returns to B T (F). Otherwise, B sets a random B T (F) in {0,1} � different from any existing V G T . Finally, B will add hF,B T (F)i to the V G T and reply A with string B T (F).
Based on the basic operations of the above group, the simulation selects the security game as follows: Establishment. Adversary A selects two different challenges with access control policies P 0 , P 1 . Here, P i = {P i,1 ,P i,2 ,. . .,P i,n } where i2{0,1}, and sends them to B.B does not select the true value for the variables of the master key ða; b; b; ffa i;j g Phase1. A selects a list of attributes L ¼ fL 1 ; L 2 ; � � � ; L n g ¼ fv 1;t 1 ; v 2;t 2 � � � ; v n;t n g. For O KeyGen (L),O GenToken (L,w) queries, the premise is that A cannot ask the private key and token that satisfies the attributes of the access structure. The process is as follows: O KeyGen (L):First, B uses hα,B T (α)i instead of e(g 1 ,g 2 ) α . It adds new tuples hαx n ,B T (αx n )i of eðg 1 ; g 2 Þ ax u by the rules defined above, using variables x u to the list L G T .Next, B increasing tuples  ; g l i HðwÞs 2 g 1�i�n Þ consistent with the search token. s is the new variable. Challenge: A chooses two keywords w 0 ,w 1 . It then inputs hw 0 ,P 0 i,hw 1 ,P 1 i in the real choice of security games. The challenger chooses s R f0; 1g to encrypt w σ . Using P σ , the challenge index ciphertext of B is as follows: ðfI i;1 ; fI i;j;2 g 1�j�n i g 1�i�n Þ.
For {I i,1 } 1�i�n , B adds tuples hr i ,B 1 (r i )i to the list V G 1 , and the new variable r i satisfies ,if w 0 = w 1 and v i;t i 2 P 0;i^vi;t i 2 P 1;i , B adds tuples ha i,j r i /H(w), Phase2. A repeats phase 1 of the inquiry. The requirement is that if w 0 6 ¼ w 1 , A cannot ask O KeyGen (L),O GenToken (L,ω) when L| = P 0^L | = P 1 .
After making at most q queries, A terminates and returns to guessing σ 0 2{0,1}. At this point, B selects a random value of s R f0; 1g and obtains the real challenge ciphertext. In list V G 1 , g y 1 is replaced by g a i;j r i =Hðw s Þ 1 .Finally, B returns a list of all the updated tuples to A. Next, a detailed analysis of the B simulation is presented. The simulation of B is perfect if and only if no unexpected collisions occur. The so-called collision is for two different polynomials F τ,l ,F τ,l 0 (τ2{1,2,T}).For some l,l 0 , the corresponding random coding string of the difference cannot equal 0. Therefore, F τ,l −F τ,l 0 = 0, and this unexpected collision occurs in the following two conditions.
In front of the replacement, on this occasion, we use theorem [37,38].The probability of a collision occurring in list V G 1 ; V G 2 ; V G T is expected to be O(q 2 /p) at most. For more details, refer to [37,38].
After the replacement, it is proven that no new equations F k,l ,F k,l 0 can be created between polynomials after simulation, even if B is replaced by a i,j r i /H(w σ ) for θ. We must note that an adversary cannot construct a query for a nonzero F = F k,l −F k,l 0 . It only occurs after substitution when F = 0.
In an alternative security game, the adversary tries to distinguish g a i;j r i =Hðw 0 Þ 1 ; g a i;j r i =Hðw 1 Þ 1 between two different keyword w 0 ,w 1 queries. Given d 1 R Z p , the probability of distinguishing g a i;j r i =Hðw 0 Þ 1 and g d 1 1 is half the probability for adversary A to distinguish g a i;j r i =Hðw 0 Þ 1 and g a i;j r i =Hðw 1 Þ 1 . As a result, we revise the game in order to determine whether A would be able to structure the queries of eðg 1 ; g 2 Þ ga i;j r i for some g g 2 .Then, it can distinguish g a i;j r i =Hðw 0 Þ 1 and g d 1 1 . We prove that A cannot structure the queries for eðg 1 ; g 2 Þ ga i;j r i .
To construct a i,j r i , a i,j r i is from a i,j r i /H(w σ ) according to the simulation. When B replaces θ with a i,j r i /H(w σ ), since w 0 6 ¼ w 1 , it cannot obtain the search tokens that satisfy L| = P 0^L | = P 1 . Therefore, even if B submits a true value a i,j r i /H(w σ ) to θ, it cannot eliminate a i,j r i . We then have, as follows.
Fix any a i,j r i that arises after Bs replacement. We make the assumption that A can construct a query for e(g 1 ,g 2 ) v where v is a non-zero polynomial containing θ, which also turns into zero after B replaces a i,j r i for θ.
To construct such a v, A must cancel a i,j r i in v. To our knowledge, there may be a different attribute value v i,j 0 (j 0 6 ¼ j) of L i in the access policy. Adversary A is able to get the ciphertext g a i;j 0 r i 1 of v i,j 0 (j 0 6 ¼ j). Therefore, adversary A can obtain a i,j r i in two ways. One is by pairing does not exist. In other words, it cannot be paired, so this situation cannot be achieved.
If adversary A pairs g r i 1 ; g bþa i;j l i 2 , A will obtain combination βr i +a i,j r i λ i of the query. Adversary A wants to know ρ 0 a i,j r i . A new variable ρ@ is introduced, making ρ 0 = λ i ρ@. First, A needs to structure p@βr i . As previously known, r ¼ X n r¼1 r i .It can be converted into the construct p@βr. In the entire simulation, the only way to ask A to construct p@βr is to combine T 0 , ; g br 1 are used to get the query of the combination αrs+βrs. We need βrs, so to eliminate αrs, A combinesÎ;t. e(g 1 ,g 2 ) αr ,x u +s are used to get tuples αr(x u +s). Next, A uses −αrx u to eliminate αrx u and obtain αrs. Thus A obtains the required βrs. A new variable ρ‴ is introduced to make the ρ@ = ρ‴s. By asking for p‴s(β(r−∑ i 0 6 ¼ i r i 0 )), you can get a i,j r i . However, A cannot construct such an inquiry. The reasons are as follows.
Since s is randomly selected by the user, adversary A does not know its value. Hence, adversary A cannot find a ρ‴ to satisfy ρ@ = ρ‴s. Therefore, ρ‴ is not observed. According to the simulation challenge ciphertext, I i,j,2 has v i;t i = 2P b;i^vi;t i 2 P 1À b;i . In other words, adversary A cannot obtain the private key sk and search token for search operations. Here, at least one of the r 0 i is unknown, according to [6]. Since it is less than X i 0 6 ¼i r 0 i , we cannot get the query about ρ‴s(β(r−∑ i 0 6 ¼ i r i 0 )).
Then, it is proven that the encrypted message is secure and still operates in a general group model. The above theorem 1 is used to prove that the ciphertext is not distinguishable under the same access policy. Theorem 2. Under the condition of Theorem 1, the adversary has the advantage over the ciphertext in the scheme as O(q 2 /p).
Proof: The establishment of the system and the basic operations of the group are similar to that in the proof of theorem 1. Therefore, they are not repeated in this study. In the system setup, the attacker chooses the policy that will attack P � .
Using the above same group, we use B 1 (1) for g 1 , B 2 (1) for g 2 , and B T (1) for e(g 1 ,g 2 ). At the start of the build phase, the simulator randomly selects α,b from Z � p .The public parameters O KeyGen (L):First, B substitutes e(g 1 ,g 2 ) α with hα,B T (α)i and adds new tuples hαx n ,B T (αx n )i of eðg 1 ; g 2 Þ ax u using the rules defined above and using variables x u from the list L G T . Then, B adds tuples ðx u ; ffg bþa i;t i l i 2 ; g l i 2 g 1�j�n i g 1�i�n Þ to update the list relevant to the private key, and β,λ i are the new variables.
Ciphertext challenge: A selects two messages m 0 ,m 1 in the actual choice safety game. Challenger B selects s R f0; 1g to encrypt m σ using P � .The challenge ciphertext as follows.
The simulation starts by selecting a randomr, setting λ i for each of the relevant attributes, and λ i for the random selection in Z p . The simulation randomly selects a θ. The constructed ciphertext is as follows:ĉ ¼ eðg 1 The challenge ciphertext is sent to the adversary.
For up to q times after the inquiry, A terminates and returns a guess σ 0 2{0,1} of σ. Next, B chooses a random value of s R f0; 1g, and obtains the real challenge ciphertext in list V G 1 bŷ c ¼ m b eðg 1 ; g 2 Þ ar instead ofĉ ¼ eðg 1 ; g 2 Þ y .Finally, B returns to the list of all tuples to update A.
The challenger's task is to distinguish ciphertextĉ as m 0 eðg 1 ; g 2 Þ ar or m 1 eðg 1 ; g 2 Þ ar .We now modify the game to distinguish eðg; gÞ ar from e(g,g) θ . Here, θ is randomly selected from Z p . If the game is not modified, and assuming that the opponent has an ε advantage, then, in the modified game, any adversary has at least an ε/2 advantage. It can be seen in two cases. One is that the adversary must distinguish m 0 eðg 1 ; g 2 Þ ar from e(g 1 ,g 2 ) θ , and the other is to distinguish between m 1 eðg 1 ; g 2 Þ ar and e(g 1 ,g 2 ) θ . It is obvious that the probabilities of the two are equal. We need to calculate the advantage that the adversary wins the game in the modified game. Next, a detailed analysis of B is given. We note that B 0 s simulation is perfect if there is no unexpected collision. The collision is for two different polynomials of F τ,l ,F τ,l 0 (τ2{1,2,T}) for some l,l 0 , and all the random strings that encode the corresponding difference are not equal to 0. Therefore, F τ,l −F τ,l 0 = 0.This unexpected collision occurs in the following two situations: Before the substitution. In this scenario, using theorem [37,38], the probability of an unexpected collision occurring in list V G 1 ; V G 2 ; V G T is at most O(q 2 /p).
After the substitution. It is impossible to have a new equation that can be created between polynomials F = F k,l −F k,l 0 , even if B is replaced by a r _ for θ in the simulation. It is emphasized that adversary A cannot structure a query for a nonzero F = F k,l −F k,l 0 , and F = 0 after the substitution.
Note: If the adversary asks for the private key that satisfies the attributes of the access policy, the simulator does not give the appropriate private key. If the adversary already has the appropriate private key to access the structure, the game is terminated.
θ is only included in the e(g 1 ,g 2 ) θ in G T .We note that F = F k,l −F k,l 0 . If F = 0 after the substitution, then F ¼ rar À ry, where ρ is a constant. Note that F 6 ¼ 0, F þ ry ¼ rar. We can increase this inquiry to the artificial adversary. We will prove that the adversary cannot construct a query of eðg 1 ; g 2 Þ rar .
The only way the adversary can get ar is through pairĉ 0 ; k 0 .Sinceĉ obtains ar þ br, the adversary needs to eliminate br. To get br,the adversary needs to combine K i;1 ;ĉ i;1 and K i;2 ;ĉ i;2 . Note that K i;1 ¼ g bþa i;t i l i 2 ;ĉ i;1 ¼ g^r i 1 . Adversary A will get the br i þ a i;t i l ir i query and wants to eliminate r 0 a i;t ir i .As obtain a i;t ir i l i . We know thatr ¼ X n r¼1r i . However, we know that A cannot ask the private key of L that satisfies the access structure P � . Therefore, there exists a a i 0 ;t ir i 0 l i 0 that cannot be constructed in the above way since there are some attributes i 0 that belong to L j and L does not satisfy policy P � . Therefore, the adversary cannot get br i 0 .We know thatr ¼ X n r¼1r i ; therefore, the adversary cannot obtain the value br.

Performance evaluation
The analysis of computational complexity: As our scheme is based on bilinear model, the computational complexity of the proposed scheme mainly comes from the pairing operation and group exponentiation operations in each group, ignoring all multiplication and hashing operations. The pairing operation is denoted by P. The group exponentiation operations in each group G 1 ; G 2 ; G T are represented by E 1 ,E 2 ,E T . The implementation uses the Pairing Based Cryptography (PBC) library [39]. The computational complexity of the proposed scheme with some existing latest similar schemes is analyzed in Table 1. In the scenario, we suppose that there are n attributes. The i-th attribute has n i possible values such that i = 1,� � �,n.
Functional analysis: A functional comparison of our scheme with some existing schemes is illustrated in Table 2. It includes hidden access structures, multi-data owners, encrypted messages, keyword search, and attribute changes, from which we can see that our scheme is fully functional. Attribute-based encryption scheme with hidden policy in cloud storage The actual analysis: The actual execution time of each algorithm in the simulation experiments are as follows. We let n range from 1 to 100 in the access structure where n is the number of involved attributes. n i = 10, where n i is the possible values of the i-th attribute. We list a comparison of the average computation time for each algorithm in the scheme with the algorithm in [10,13,18] in Fig 2. From the experimental results of computation comparison shown in Fig 2, we can see that as the increase of the number of attributes, the computation times of private key generating, encryption-index time generating and encryption ciphertext time are slightly better than these schemes [10,13,18]. In our scheme, the computation times of token time generating and keyword search are close to these schemes in [10,13,18].We notice that the decryption time of our scheme is a little more than that in [18], this is caused by the fact that our scheme is multi owners while the scheme in [18] is a single data owner. The scheme [18] cannot implement the search function, and the schemes [10,13] cannot achieve encryption ciphertext and decryption function. So our scheme is much practical than the schemes in [10,13,18].

Conclusions
In this paper, we present a new keyword searchable attribute-based encryption scheme with a hidden access strategy and attribute revocation. The encrypted ciphertext are outsourced to the cloud. The hidden strategy can better secure the users' privacy. Our proposed scheme is a fully functional scheme that addressed the keyword search problem and the attribute updating problem. Theoretical analysis, complexity calculation and practical operations show that our scheme is effective and practical. Of course, the scheme also has several short comings. The security of the scheme is demonstrated under the general bilinear group model, and it would be considerably better in the standard model.