http://orcid.org/0000-0002-8964-5328
Figures
Abstract
We propose an attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage environment, in which binary attributes and AND-gate access policy are used. Our proposal enjoys several advantages. Firstly, multi-keyword search is available, and only when a data user's attribute set satisfies access policy in keyword index, and keyword token generated by data user matches index successfully, then data user can obtain ciphertext containing keywords. In this way, more accurate keyword search is achievable. Secondly, the search privacy of data user is protected owing to cloud servers cannot obtain any knowledge of keywords which data user is interested in. Meanwhile, the ciphertext is able to be decrypted when data user's attribute set satisfies access policy specified in the ciphertext, which can both improve security of encryption and achieve secure fine-grained access control. Thirdly, the proposed scheme supports attribute revocation, in our scheme when a data user's attribute is revoked, the version number of attribute, non-revoked data users' secret keys and related ciphertexts will be updated, such that data user whose attribute is revoked does not decrypt updated ciphertext anymore. In addition, based on the assumption of decisional linear (DL) and decisional Diffie-Hellman (DDH), our scheme is proved to be secure against selectively chosen-keyword attacks and selectively chosen-plaintext attacks respectively, and it also ensures token privacy security.
Citation: Wang S, Yao L, Zhang Y (2018) Attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage. PLoS ONE 13(10): e0205675. https://doi.org/10.1371/journal.pone.0205675
Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA
Received: June 8, 2018; Accepted: September 29, 2018; Published: October 12, 2018
Copyright: © 2018 Wang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper and its Supporting Information files.
Funding: This research is supported by the National Natural Science Foundation of China (No. 61572019, 61173192, http://www.nsfc.gov.cn) to S.W, the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China (NO.2016JZ001, http://www.sninfo.gov.cn/) to S.W. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.
Competing interests: The authors have declared that no competing interests exist.
Introduction
With the fast development of information technology, cloud storage now plays a very crucial role [1] in our daily life. For the sake of insuring data security, the important data that are uploaded to cloud server needs to be kept confidential, which requires data owners to encrypt private files before uploading. Meanwhile, it is also necessary to quickly find required files for data users by keyword searching from a vast amount of encrypted data. Therefore, in order to enable a secure keyword search and protect data user's search privacy, setting the keyword index of file is essential. That means that, although cloud server provides a search service, it does not know any information of keyword searching by data users. Consequently, it has important theoretical value and practical significance to study secure and practical attribute-based encryption schemes that sustaining both attribute revocation and multi-keyword search.
In order to provide fine-grained access control for encrypted data, Sahai and Waters first proposed the notion of attribute-based encryption (ABE) in [2], which achieved one-to-many secure services based on public key encryption, and it ensured efficient encrypted access policy. Indeed, many attribute-based encryption (ABE) schemes have been presented, Goyal et al. [3] further defined the concept of attribute-based encryption (ABE). In general, attribute-based encryption (ABE) schemes are classified into two categories: One kind is key-policy attribute-based encryption (KP-ABE) [4–6], in which data user's secret key and ciphertext are relevant to access policy and attribute set, respectively. The other kind is ciphertext-policy attribute-based encryption (CP-ABE), which was first put forward by Bethencourt et al. in [7] that was proved to be safe under the general group model. In a CP-ABE scheme, the data user's secret key is related to attribute set and ciphertext is related to specific access policy. In 2008, Goyal et al. [8] proposed a CP-ABE scheme that was secure under the decisional bilinear Diffie-Hellman (DBDH) assumption. In 2012, cheng et al. [9] presented a CP-ABE scheme in large universe set, which introduced attribute union, and it reduced storage and computational overhead of existing CP-ABE schemes. In 2016, Li et al. [10] added a testing phase to avoid unnecessary operation in their scheme and the proposal was proved to be safe under the decisional Diffie-Hellman (DDH) assumption. For resource-constrained devices, Odelu et al. [11] proposed a scheme that had constant size ciphertexts and secret keys. Recently, Shynu et al. [12] presented a notion of attributes hierarchical, constructed a separate database system for a meaningful data user's attribute set, and it solved the problem of attributes management.
Keyword searchable encryption is an effective solution to quickly find desired files from a vast amount of encrypted data managed in cloud servers. In 2003, Dan et al. [13] proposed a public key encryption with keyword search (PEKS) scheme. In 2010, Li et al. [14] presented a fuzzy keyword search for encrypted data scheme, which enhanced system usability by approximate matching of files and keywords. Subsequently, identity-based public key encryption and keyword searchable schemes were proposed in [15]. In 2010, Kamara et al. [16] put forward three models for data encryption and search. Since most of these schemes cannot support multi-keyword search, to address this problem, Cao et al. [17] proposed an encryption and multi- keyword sequence search scheme, which allowed multiple keywords in search phase, and it returned documents in relevant order. In 2012, the public key encryption and multi-keyword search scheme was proposed in [18]. In 2016, Miao et al. [19] presented an attribute-based multi-keyword search encryption scheme for personal health records in multi-owner environment, which provided an application direction for multi-keyword searchable encryption. In 2017, Huang et al. [20] proposed a multi-sever multi-keyword searchable encryption scheme, which is proved to be secure against adaptive chosen keyword attack.
From a few years ago to today, many CP-ABE schemes that were sustaining attribute revocation have been mentioned. In 2010, Yu et al. [21] implemented a direct revocation of attributes in virtue of an agent, in which proxy key can be used to generate proxy re-encrypted ciphertext, and the scheme also had a capability of updating all corresponding secret keys of each legitimate data users. Afterwards, Yang et al. [22] presented a CP-ABE scheme that were supporting attribute revocation, in which attribute authority was responsible for updating ciphertexts and non-revoked data users' corresponding secret keys related to revoked attribute. In 2014, Xiong et al. [23] put forward a CP-ABE scheme that supporting universe attribute revocation, which was built on multiple minimum attribute sets of sharing re-encryption keys. When a universe attribute needs to be revoked, the cloud server performs the operation of re-encrypted ciphertext. In 2016, according to single authority attribute-based encryption (ABE) schemes, Chow [24] presented a scheme that was attribute-based encryption (ABE) with supporting multi-authority and revocation. In 2017, Liu et al. [25] proposed an attribute-based encryption scheme that was sustaining both outsourced decryption algorithm and attribute revocation, which set a randomized version number for each attribute, thus attribute revocation is effectively implemented.
Recently, Wang et al. [26] proposed a CP-ABE scheme, which supported keyword searchable and attribute update in cloud storage. Our solution and scheme [26] are different in the following aspects: Firstly, access policy is different. The scheme [26] adopts linear secret sharing (LSSS) in the specific algorithm design, while our solution uses AND-gate access policy. Secondly, attribute update and revocation are different. Attribute update is used in [26], which updates a data user's original attribute to a new attribute and also updates the data user's secret key associated with the attribute. Our scheme is attribute revocation. Although scheme [26] also involves attribute revocation, it is still different from ours. We set the version number for each attribute, when the version number of revocation attribute changes, related ciphertexts and all non-revoked data users' secret keys are updated. Thirdly, the security proof method of schemes is different. The scheme [26] proves that the algorithms resist chosen-keyword attack based on the hard problem of bilinear Diffie-Hellman (BDH), and the scheme is proved to be secure against chosen-plaintext attack under the general bilinear group model. However, the security proof of our proposal is based on the hard problems. According to the assumption of decisional linear (DL) and decisional Diffie-Hellman (DDH), our scheme is proved to be secure against selectively chosen-keyword attack and selectively chosen-plaintext attack, respectively. At the same time, our solution is proved to enjoy token privacy security by using the unidirectional and collision-resistance of hash function. In addition, our scheme analyzes the forward and backward security for attribute revocation.
1.1 Our contributions
Considering that most of existing CP-ABE schemes cannot support attribute revocation and multi-keyword search, we present a CP-ABE scheme with multi-keyword search and supporting attribute revocation in cloud storage. The innovations can be summarized as follows:
- Our scheme supports attribute revocation, when a data user's attribute is revoked, the version number of attribute, non-revoked data users' secret keys and related ciphertexts will be updated, such that data user whose attribute is revoked does not decrypt updated ciphertext anymore.
- After data owners upload overall ciphertext of encrypted data to cloud server, the keyword search is used to quickly find required file. Compared to a single keyword search, the multi-keyword search is closer to real application. For the consideration of this issue, our scheme supports multi-keyword search.
Preliminaries
2.1 Bilinear map[27]
Let be two multiplicative cyclic groups with prime order p, g be a generator of group
. Let
be a bilinear map with following properties:
- Bilinearity: For any
, exist e(ga,gb) = e(g,g)ab.
- Non-degeneracy: For
, such that e(g,g) ≠ 1.
- Computability: For any
, e(u,v) is efficiently computed.
2.2 Access policy[28]
We denote by U = {attr1,attr2,⋯,attrn} the universe set of attributes, where n is the size of U, namely |U| = n. Let Attr be attribute set of a data user. We introduce an n-bit string to express data user's attribute set
as follows:
For example, let n = 5, suppose a data user's attribute set is {attr1,attr3,attr5}, then it may be expressed as Attr = v1¬v2v3¬v4v5.
We adopt AND-gate access policy and introduce an n-bit string to express AND-gate access policy
as follows:
For example, let n = 5, suppose the access policy is {attr1,attr5}, then it may be expressed as S = v1¬v2¬v3¬v4v5.
For a data user's attribute set and an access policy
. If for all j ∈ [1,n], we have
, that is
(
represents the value of j-th attribute in data user's attribute set Attr,
represents the value of j-th attribute in access policy S), we can say that the attribute set Attr of data user satisfies access policy S. For convenience, we define a function γ(Attr,S) ∈ {0,1}, when γ(Attr,S) = 0, it indicates that data user's attribute set Attr does not satisfy access policy S. When γ(Attr,S) = 1, it indicates that the attribute set Attr of data user satisfies access structure S.
2.3 Complexity assumption
In our proposal, the security depends on Decisional linear (DL) assumption [29] and Decisional Diffie-Hellman (DDH) assumption [30]. The specific description is:
Definition 1 (Decisional linear assumption). If for all polynomial-time adversary who could successfully distinguish tuple
from tuple
with a negligible advantage, and the advantage
of polynomial-time adversary
can be marked as
where
,
.
Definition 2 (Decisional Diffie-Hellman assumption). If for all polynomial-time adversary who could successfully distinguish tuple
from tuple
with a negligible advantage, and the advantage
of polynomial-time adversary
can be marked as
where
,
.
Our scheme
3.1 System model
The section contains overall framework of our scheme and the construction of solution.
3.1.1 System framework.
Our scheme structure is shown in Fig 1. It contains following five entities:
Attribute Authority (AA): The AA is attribute authority, which is responsible for system's initial establishment and the local secret key generation of data user. Simultaneously, it distributes corresponding secret key according to attribute set for data user. When an attribute is revoked, AA generates an update key and completes partial secret key update.
Cloud Server (CS): The CS stores ciphertext which containing encrypted files and keyword indexes generated by data owners. Afterwards, when a data user tends to search ciphertext, CS completes a matching of data user's token and keyword index. If matching succeeds, it sends ciphertext to data user. Additionally, in attribute revocation phase, CS is responsible for updating ciphertext.
Key Generation Server (KGS): The KGS generates data user's partial secret key, namely outsourced secret key, which effectively reduces the computational burden of AA. Besides, KGS is responsible for completing the update of outsourced secret key when attribute revocation happens.
Data Owner (DO): The DO encrypts keyword set and file to be shared, uploads ciphertext to cloud server. Only attribute set of data user who wants to access data satisfies access structure in ciphertext, that is γ(Attr,S) = 1, the encrypted data will be shared with data user. To be specific, the encryption operation to be completed by DO includes: the keyword index generation, the file encryption, and the encryption of key for encrypted file, hence ciphertext consists of three parts.
Data User (DU): When data user's attribute set satisfies access structure in ciphertext, then data user DU is able to access encrypted data and recover original plaintext. Specifically, DU generates desired keyword token and sends to cloud server CS, the CS makes a matching between search token and keyword index, if matching succeeds, DU can download corresponding ciphertext. In other words, DU is responsible for generating keyword token which he is interested in and decrypting ciphertext.
In particular, PK is public parameter published by attribute authority. Cph is ciphertext encrypted by data owner, and it includes three parts: 1) The keyword set WD is encrypted to generate keyword index, namely Index; 2) The encryption key ck is encrypted to obtain ciphertext CT′; 3) The file M is symmetrically encrypted by using encryption key ck to gain Eck(M). At last, data owner uploads ciphertext Cph to cloud server. Hereafter, OK is used to denote intermediate key, which is generated by attribute authority according to attribute set of data user, and it is sent to key generation server. The key generation server calculates data user's partial secret key based on OK, namely outsourced secret key SK1, which is sent to attribute authority. Followed by, the attribute authority generates data user's local secret key SK2, and obtains data user's secret key SK = (SK1,SK2), which is forwarded to data user. Tok is used to denote token generated by data user based on desired keyword set, which is used to match with keyword index. The cloud server executes search algorithm, if token matches index successfully, the cloud server transmits stored ciphertext Cph to data user. Then data user first decrypts ciphertext Cph with secret key SK to gain encryption key ck, and then symmetric decrypts ciphertext with ck to obtain file M. In addition, when an attribute needs to be revoked, attribute authority sends instructions to cloud server to update ciphertext.
3.1.2 Standard definitions of our scheme.
Let U be a universe set of attributes, S be an access policy, Attr be a data user's attribute set. Attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage consists of 9 algorithms:
Setup(U,l)→PK,MSK: The setup algorithm is executed by attribute authority AA. It inputs universe set of attributes U and security parameter l, and outputs system public key PK and master secret key MSK.
Encrypt: The encryption algorithm is run by data owner DO, including the following two parts:
- i) Keyword-Encrypt(PK,S,WD)→Index: This algorithm takes as inputs access policy S, public key PK and keyword set WD, and it then outputs the ciphertext Index of keyword set WD.
- ii) Encryption key-Encrypt(PK,S,ck)→CT′: DO first symmetrically encrypts file M rely on encryption key ck to obtain Eck(M), and then encrypts encryption key ck as follows: This algorithm makes access policy S, public key PK and encryption key ck as input, it generates ciphertext CT′.
Finally, DO uploads overall ciphertext Cph = (Index,Eck(M),CT′) to cloud server CS.
In-KeyGen(PK,MSK,Attr)→OK: The intermediate key generation algorithm is executed by attribute authority AA. It makes public key PK, master secret key MSK and data user's attribute set Attr as input, then produces intermediate key OK, and sends it to key generation server KGS.
Out-KeyGen(PK,OK)→SK1: The outsourced secret key generation algorithm is executed by key generation server KGS. It takes public key PK and intermediate key OK as input, and outputs outsourced secret key SK1, then returns SK1 to attribute authority AA.
KeyGen(PK,MSK,Attr,SK1)→SK: The secret key generation algorithm is executed by attribute authority AA. It makes public key PK, master secret key MSK, data user's attribute set Attr and outsourced secret key SK1 as input, then generates data user's secret key SK, and transmits it to data user DO.
TokenGen(PK,SK1,WD′)→Tok: The token generation algorithm is executed by data user DU. It makes public key PK, outsourced secret key SK1 and desired keyword set WD′ as input, and it outputs token Tok, then forwards to cloud server CS.
Search(Index,Tok)→{0,1}: The search algorithm is executed by cloud server CS. It makes index and token as input, outputs 1 if index and token can match successfully, then cloud server CS sends ciphertext Cph to data user DU, otherwise outputs 0 and terminates.
Decrypt(SK2,CT′)→ck: The decryption algorithm is executed by data user DU. It makes local secret key SK2 and ciphertext CT′ of encryption key as input, generates encryption key ck, then it decrypts Eck(M) with ck, finally obtains file M.
Attribute revocation: The attribute revocation includes the following three aspects, note that only components related to revoked attribute will be updated.
- (i) The attribute authority AA takes charge of generating update key: AA generates a new version number of revoked attribute according to its old version number, then obtains update key. This algorithm makes update key, public key PK and master secret key MSK as input, outputs updated public key and updated master secret key.
- (ii) The non-revoked data user's secret key update: The attribute authority AA updates intermediate key OK and local secret key SK2 with update key, sends updated intermediate key to key generation server KGS. Then, KGS completes the update of outsourced secret key SK1, and transmits to AA. In the end, AA returns updated secret key to non-revoked data user.
- (iii) The cloud server CS is in charge of updating ciphertext: The cloud server CS executes this algorithm. It makes update key and overall ciphertext as input, outputs updated keyword index and updated ciphertext of encryption key.
3.2 Security model
Under the cloud storage environment, we suppose that attribute authority and key generation server are all trusted. But cloud server is semi-trusted, such as it can execute protocols honestly but also attempt to gain extra information from the protocol.
3.2.1 Selectively secure game for chosen-keyword attacks.
Setup: First of all, adversary sends a challenge access policy S* to challenger
, the challenger
runs Setup algorithm to generate public key PK and master secret key MSK, while keeping MSK secret.
Phase 1: Before Phase 1 begins, the challenger initializes an empty keyword set query list LW, then adversary
issues the following polynomial times adaptive queries:
Outsourced secret key query: According to In-KeyGen algorithm and Out-KeyGen algorithm, the adversary submits a query attribute set Attr* to challenger
. If attribute set Attr* does not satisfy access policy S*, the adversary
obtains outsourced secret key SK1, otherwise terminates.
Token query: The adversary commits a query keyword set WD′. According to TokenGen algorithm, the challenger
inputs public key PK, outsourced secret key SK1 and query keyword set WD′ to gain token Tok. If query attribute set Attr* does not satisfy access policy S*, then challenger
adds WD′ to list LW and sends Tok to adversary
.
Challenge: The adversary randomly selects two keyword sets
and
that are not in list LW. The challenger
throws a fair coin to choose ξ∈{0,1}, runs Keyword-Encrypt algorithm to gain the index of keyword set
and transmits it to adversary
.
Phase 2: The adversary repeats queries in Phase 1, but keyword set
and
can no longer be queried.
Guess. Finally, the adversary gives a guess ξ′ of ξ. If ξ′ = ξ,
wins game.
The advantage of adversary can be defined as
Definition 3: If for all polynomial-time adversary who winning game with a negligible advantage, our scheme is called selectively secure against chosen-keyword attacks.
3.2.2 Token privacy game.
To ensure the privacy of keyword, an adversary should not infer keyword information from token. In other words, if there is no polynomial-time adversary who can obtain keyword from token, the token privacy security can be guaranteed. The game is set up as follows:
Setup: The challenger runs Setup algorithm, generates public key PK and master secret key MSK, while keeping MSK secret.
Phase 1: Similar to selectively secure game of chosen-keyword attacks, the challenger initializes an empty key query list LK, the adversary issues the following polynomial qt times adaptive queries:
Outsourced secret key query: The adversary A selects a query attribute set Attr for challenger . The challenger
outputs outsourced secret key SK1 by running In-KeyGen algorithm and Out-KeyGen algorithm, then returns SK1 to adversary
, and the attribute set Attr is added to list LK.
Token query: The challenger runs TokenGen algorithm based on public key PK, outsourced secret key SK1, and a query keyword set WD′ given by adversary, then the challenger
sends token to adversary
.
Challenge: The adversary submits an access policy S* with the restriction that the attribute set Attr in list LK does not satisfy access policy S*. Afterwards, the challenger
randomly chooses keyword set WD*, encrypts it with S* to obtain the index, and then selects an attribute set Attr* such that Attr* satisfies S*. The challenger
executes In-KeyGen algorithm, Out-KeyGen algorithm and TokenGen algorithm to gain the token of keyword set WD*, and transmits token to adversary
.
Phase 2: Similar to Phase 1, but keyword set WD* can no longer be inquired.
Guess: The adversary gives a keyword set WD″ and forwards it to the challenger
. The challenger
runs Keyword-Encrypt algorithm to get the index of keyword set WD″, and makes a matching between the token of WD* and the index of WD″. If the result returned by Search algorithm is 1, then the adversary
wins game.
The advantage of adversary can be defined at most
Because the adversary wants to gain keyword information from the index, it is necessary to analyze the structure of index. In other words, the adversary
gets information from
at most. Due to the unidirectional and collision-resistant properties of the hash function, we assume that the adversary
obtains the advantage of w′ from
is σ, where σ is a negligible probability under the security parameter l. Π is a keyword space for the selection of keyword set, |Π| represents the size of keyword space and is large enough in practical applications. qt denotes the number of inquiries about outsourcing private key and token in Phase 1, and qt is finite size.
The advantage consists of two parts. |Π|−qt is the size of the remaining keyword set in the keyword space after the phase 1 inquiry. The probability that the adversary
guesses the encrypted keyword from the remaining keyword set is
. σ is the probability that the adversary gets the keyword information from
. The advantage of adversary
is
by summing two probabilities. Therefore, the advantage of adversary
can be defined at most
which is a negligible advantage.
Definition 4: Our proposal is token privacy secure if all polynomial-time adversary have at most a negligible advantage in above game.
3.2.3 Selectively secure game for chosen-plaintext attacks.
The section contains two indistinguishable games. Since the process of two games is similar, we only show the security proof of one of the games, the other game is described in detail in the specific security proof phase. The game is as follows:
Initialization: The adversary commits two challenge access policies
and
.
Setup: The simulator runs Setup algorithm, produces public key PK and master secret key MSK, while keeping MSK secret and sending PK to adversary
.
Phase 1: The adversary chooses a query attribute set Attr to simulator
.
Secret key query: If attribute set Attr does not satisfy access policies and
, that is
, then simulator
runs KeyGen algorithm to obtain local secret key SK2, and sends to adversary
.
Challenge: For access policies and
, the adversary
submits two equal-length encryption keys ck1 and ck2 that are used to encrypt file. Hereafter, the simulator
randomly throws a fair coin to select b∈{0,1} and runs Encryption key-Encrypt algorithm to gain the ciphertext CT′ of encryption key ckb, then transmits CT′ to adversary
.
Phase 2: Similar to Phase 1, the adversary continues to query. Nevertheless, the restriction is
.
Guess. Finally, the adversary makes a guess b′ of b. If b′ = b,
wins game.
The advantage of adversary to win the game can be defined as
Definition 5: Our scheme is selectively secure against chosen-plaintext attacks if for all polynomial-time adversary who could win the game with a negligible advantage.
Concrete construction
In this section, we take into consideration that most of CP-ABE schemes only support a few functions, which has its limitations for practical application. This motivates us to construct a scheme that supports attribute revocation and multi-keyword search. Meanwhile, our scheme is almost the same as some schemes in terms of calculation amount and calculation time, and even smaller and faster. The following is the specific structure of scheme:
Setup(U,l)→PK,MSK:This algorithm takes universe set of attributes U = {attr1,attr2,⋯,attrn} and security parameter l as input, it selects a bilinear map , where
are two multiplicative cyclic groups with prime order p, g is a generator of group
. Let
is a one-way hash function. The algorithm chooses a,b,c,α,{r1,r2,⋯,r2n} from
and, {x1,x2,⋯,x2n} from
at random, then let Y = e(g,g)α. For each attribute attrj∈U(j∈[1,n]), it picks
as initial version number, then sets
. Since the attribute attrj has two different values vj and ¬vj, let {r1,⋯,rn} and {x1,⋯,xn} denote corresponding parameters when attrj is equal to vj, {rn+1,⋯,r2n} and {xn+1,⋯,x2n} denote corresponding parameters when attrj is equal to ¬vj. Thus, for all j = 1,⋯,n, when attrj is equal to vj, we have
, when attrj is equal to ¬vj, we have
. Similarly, the algorithm computes
if attrj is equal to vj, it computes
if attrj is equal to ¬vj. Afterwards, the algorithm randomly selects
, sets
. The public attribute key PKj is:
Where j∈[1,n],
denotes initial version number of attribute attrj. For simplicity, let
Subsequently, the algorithm generates public key PK and master secret key MSK:
While keeping MSK secret.
Encrypt: This algorithm defines an access policy is , denotes as
The encryption algorithm includes two steps: Step one is to encrypt keyword set, that is to generate an index of keyword set, step two is to encrypt encryption key.
- (i) Keyword-Encrypt(PK,S,WD)→Index
This algorithm makes public key PK, access policy S and a keyword set WD = {w1,w2,⋯wr} extracted from file M as input, where r is the size of WD, namely |WD| = r. It randomly picks, computes
, then sets
and
, where wt∈WD, t∈[1,r]. Hereafter, the algorithm outputs the index of keyword set as
- (ii) Encryption key-Encrypt(PK,S,ck)→CT′
Before uploading a file M, the algorithm encrypts the file as follows:
- ① It selects an encryption key ck from key space, and symmetrically encrypts the file M with encryption key ck to obtain Eck(M).
- ② It sets an access structure
, encrypts ck and outputs the ciphertext of encryption key ck through the following steps.
This algorithm makes public key PK, access policy S and encryption key ck as input. It chooses at random, computes C = ck⋅Ys and C1 = gs, then picks up random value
such that
, it computes
and
. Consequently, the ciphertext of encryption key ck as follows:
Finally, the algorithm outputs the overall ciphertext Cph = (Index,Eck(M),CT′).
In-KeyGen(PK,MSK,Attr)→OK: This algorithm makes public key PK, master secret key MSK and an attribute set Attr as input. It sets v = gac, computes σj(j∈[1,n]) according to attribute set . Let
At last, this algorithm outputs the intermediate key as follows:
Out-KeyGen(PK,OK)→SK1: This algorithm makes public key PK and intermediate key OK as input. It first computes , then computes
based on attribute set
, where
Afterwards, the algorithm outputs the outsourced secret key as
KeyGen(PK,MSK,Attr,SK1)→SK: This algorithm makes public key PK, master secret key MSK, attribute set Attr and outsourced secret key SK1 as input. It randomly picks , where j ∈ [1,n], the algorithm lets D1 = gα+βu and
, it computes
when
, otherwise computes
, then the local secret key as
Finally, the algorithm outputs data user's secret key SK = (SK1,SK2).
TokenGen(PK,SK1,WD′)→Tok: This algorithm makes public key PK, outsourced secret key SK1 and a keyword set of interest as input, where the size of WD′ is d, namely |WD′| = d. It chooses random value
, computes
and Tok2 = gcz. Therefore, the algorithm generates a token of keyword set for data user as follows:
Search(Index,Tok)→{0,1}: Taking as inputs the index relevant to access policy S and the token relevant to attribute set Attr, this algorithm is executed by cloud sever to test whether there is a matching between the index and the token. In other words, the cloud server determines whether the following equation holds:
(1)
In above equation, it involves a matching of the index and the token. In the index generation phase, the data owner encrypts r keywords to obtain {Wt}t∈[1,r]. In the token generation phase, the data user generates a token for d keywords which he is interested in, and computes Tok1, particularly d ≤ r. In order to make the Eq (1) can be calculated, the cloud server is to arbitrarily select d components from and execute multiplication operations. In accordance with the theory of probability and mathematical statistics, the total number of such choices is
. Hereafter, the cloud server matches the multiplication of
with Tok1. In the matching of
times, as long as there is one successful match, it demonstrates that the above equation holds and the search succeeds.
If and only if the Eq (1) holds, the cloud server returns 1 and transmits overall ciphertext Cph = (Index,Eck(M),CT′) to data user, otherwise returns 0.
Decrypt(SK2,CT′)→ck: This algorithm makes data user's local secret key SK2 and ciphertext CT′ of encryption key as input. If data user's attribute set Attr satisfies access policy S embedded in the ciphertext, the algorithm decrypts CT′ to obtain encryption key ck as follows:
(2)
Finally, a symmetric decryption algorithm is used to decrypt Eck(M) with the encryption key ck to gain the file M.
Correctness: Only when the two conditions γ(Attr,S) = 1 and WD′ ⊆ WD are both satisfied, the search can succeed. The following is the verification process of Eq (1):
Where i∈[1,2n].
Only when the attribute set of data user satisfies access structure, that is γ(Attr,S) = 1, encryption key ck is able to be computed, and the correctness of Eq (2) is verified as follows:
Where i∈[1,2n].
Attribute revocation: For the sake of achieving attribute revocation, the revocation phase is divided into three steps: Attribute authority takes charge of generating update key, non-revoked data user's secret key update, and cloud server is in charge of updating ciphertext. We assume that the j'-th attribute attrj′ of data user will be revoked, where j' may be any one of 1,⋯,n.
- i) The attribute authority takes charge of generating update key
When an attribute needs to be revoked, the attribute authority AA inputs the current version number vkj′ of revoked attribute attrj and chooses a new version number , where
, then update key generation algorithm calculates the update key as follows:
Afterwards, the attribute authority AA sends UKj′ to key generation server KGS and cloud server CS, and updates partial public attribute key that is related to revoked attribute attrj′ at the same time:
Consequently, the public attribute key associated with revoked attribute attrj′ as
At last, this algorithm generates updated public key PK* and updated master secret key MSK*:
- ii) The non-revoked data user's secret key update
Firstly, attribute authority AA updates the partial intermediate key OK that is related to revoked attribute attrj′, this algorithm computes
And transmits
to key generation server KGS.
Secondly, AA updates the partial local secret key SK2 related to revoked attribute attrj′ according to UKj′ as follows:
where
Note that only partial local secret key that is related to revoked attribute attrj′ will be updated, others remain unchanged.
Thirdly, KGS updates the partial outsourced secret key that is related to revoked attribute attrj′, the algorithm computes:
Then, it returns
to AA.
Finally, AA sends the updated secret key to non-revoked data user. In the meanwhile, since token contains the component of secret key, then non-revoked data user's token is updated as
- iii) The cloud server is in charge of updating ciphertext
- ① The update of keyword index
Based on updated key UKj′ sent by AA, the cloud server updates partial keyword index that is related to revoked attribute attrj′, this algorithm computes:
Hereafter, the updated keyword index is
.
- ② The ciphertext update of encryption key
The cloud server CS updates the partial ciphertext of encryption key related to revoked attribute attrj′, the updated ciphertext as follows:
where
Note that only partial ciphertext that is related to revoked attribute attrj′ will be updated, others remain unchanged.
Finally, the updated overall ciphertext is Cph* = (Index*,Eck(M),CT′**).
Security proof
5.1 Selectively secure game of chosen-keyword attacks
Theorem 1. If there is an adversary who is able to win selectively secure game of chosen-keyword attacks with advantage ε, then advantage of a challenger
to break the DL assumption can be defined as
.
Poof: Supposing that a tuple which is an instance of the DL problem, where
,
, is given to a challenger
, the challenger
performs the following selectively secure game of chosen-keyword attacks with an adversary
, we will proof that if the adversary
who can break our scheme with advantage ε, then the challenger
can solve the DL problem with advantage
.
Setup. The challenger runs Setup algorithm, selects a bilinear map
, where
are two multiplicative cyclic groups with prime order p, g is a generator of group
. Let
is a one-way hash function. It randomly picks
,
, and implicitly sets h = ga,f = gc, it chooses
at random, lets fd = gb, where implies that b = cd. For each attribute attrj∈U(j∈[1,n]), the challenger
chooses
as initial version number, when attrj is equal to vj, we have
, when attrj is equal to ¬vj, we have
. Similarly,
computes
if attrj is equal to vj, it computes
if attrj is equal to ¬vj. The public key and master secret key are
The adversary submits a challenge access policy
to the challenger
.
Phase 1. The challenger initializes an empty keyword set query list LW, then adversary
issues the following polynomial times adaptive queries:
Outsourced secret key query: The adversary sends a query attribute set
to challenger
, where
or
.
- ① If γ(Attr*,S*) = 1, the game outputs termination.
- ② If γ(Attr*,S*) = 0, the challenger
computes v = fk′, implicitly sets k′ = a, then it computes
,
, where
Subsequently, the challenger
transmits
to adversary
.
Token query: The adversary commits a query keyword set
. The challenger
randomly selects
and generates the token of keyword set WD′, that is
If the query attribute set Attr* does not satisfy access policy S*, then the challenger adds WD′ to list LW and sends Tok to adversary
.
Challenge. The adversary randomly picks two keyword sets
and
that are not in list LW, and forwards to challenger
. The challenger
throws a fair coin to select ξ∈{0,1}, runs keyword-Encrypt algorithm, and computes
which implies t1 = r1,t2 = r2, where
As such, the keyword index is , then the challenger
returns Index to adversary
.
Phase 2. Except that the keyword set and
can no longer be queried, the other queries are similar to Phase 1.
Guess. Finally, the adversary makes a guess ξ′ of ξ. If ξ′ = ξ,
wins game. The challenger
considers
implicitly. Because when
, Index is a legitimate index of keyword set
.
Afterwards, we assume that the adversary who can break the scheme with non-negligible advantage ε, the probability is
if
, otherwise
. The advantage of challenger
in solving DL assumption is defined as
Therefore, our scheme will achieve selectively secure against chosen-keyword attacks.
5.2 Token privacy game
Theorem 2. If there is an adversary who is able to break token privacy game with a non-negligible advantage, a challenger
is capable of obtaining
from
with a non-negligible advantage.
Proof: Here we use token privacy game to prove the theorem.
Setup. The challenger executes Setup algorithm, selects a bilinear map
, where
are two multiplicative cyclic groups with prime order p, g is a generator of group
. Let
is a one-way hash function. It randomly chooses
and
. For each attribute attrj∈U,
is initial version number, where j∈[1,n]. When attrj is equal to vj, we have
, when attrj is equal to ¬vj, we have
. Similarly,
computes
if attrj is equal to vj, it computes
if attrj is equal to ¬vj. The challenger
generates public key
, master secret key MSK = (a,b,c{(ri,xi)}i∈[2n],{vkj}j∈[1,n]), while publishing PK and keeping MSK secret.
Phase 1. Similar to selectively secure game of chosen-keyword attacks, the challenger initializes an empty key query list LK, the adversary issues the following polynomial qt times adaptive queries:
Outsourced secret key query: The adversary selects a query attribute set
as input for In-KeyGen algorithm, where
or
, the challenger
computes v = gac and
Hereafter, it obtains the intermediate key
The challenger runs Out-KeyGen algorithm to output the outsourced secret key
, where
Then, the challenger
transmits SK1 to adversary
, and adds Attr to list LK.
Token query: The challenger runs TokenGen algorithm based on outsourced secret key SK1 and keyword set
submitted by adversary
, then it randomly picks
to compute
and Tok2 = gcz′, sends the token
to adversary
.
Challenge. The adversary submits an access policy S* with the restriction that the attribute set Attr in list LK does not satisfy access policy S*, namely γ(Attr,S*) = 0. The challenger
randomly selects a keyword set WD*, encrypts WD* with S* to obtain Index*, then it chooses an attribute set Attr* such that Attr* satisfies access policy S*, that is γ(Attr*,S*) = 1. Subsequently, the challenger
first executes In-KeyGen algorithm and Out-KeyGen algorithm to compute
, then runs TokenGen algorithm to gain Tok*, and sends Tok* to adversary
.
Phase 2. Similar to Phase 1, but keyword set WD* can no longer be queried.
Guess. The adversary outputs a keyword set WD″ and transmits to challenger
. If WD″ = WD*, adversary
wins game. In other words, the challenger
performs Keyword-Encrypt algorithm to generate the ciphertext Index″of WD″, if the result returned by Search(Index″,Tok*) algorithm is 1, then the adversary
wins game.
Particularly, if adversary attempts to gain keyword information from the index, it needs to analyze
, where z′ is randomly selected by challenger
, thus the adversary
gets information from
at most. Due to the unidirectional and collision-resistant properties of the hash function, if adversary
obtains the advantage of
from
is negligible σ, |Π| represents the size of keyword space, qt represents the number of inquiries of Phases 1, |Π|−qt is the size of the remaining keyword set in the keyword space after the phase 1 inquiry. The probability that the adversary
guesses the encrypted keyword from the remaining keyword set is
. Then, the advantage of adversary
to break token privacy game can be defined at most
. In practical applications, because |Π| is large enough and qt is finite size, then the advantage
is negligible, therefore our proposal can guarantee token privacy security.
5.3 Selectively secure game of chosen-plaintext attacks
Our scheme is selective security under the assumption. For selective security, the adversary should submit two challenge access policies
and
at the beginning of game, then the scheme is to prove that the adversary
cannot win the game with a non-negligible advantage through the indistinguishability of a series of games. In simple terms, we use
to denote initial challenge ciphertext, then select random element Z in
and {Zj,1}j∈[1,n] in
. Afterwards, we define a series of games Game0,⋯,Gamen+1, where Game0 is initial game, Game1 is to replace C* in Game0 with Z, Game2,⋯,Gamen+1 are to replace
with Zj,1, for j∈[1,n]. The game is defined as follows:
- Game0:The challenge ciphertext is
- Game1:The challenge ciphertext is
- Game2:The challenge ciphertext is
- ……
- Gamen+1:The challenge ciphertext is
When a data user's attribute set Attr satisfies both access structures and
, namely
, Game1 is the same as Game0. When a data user's attribute set Attr does not satisfy access policies
and
, that is
, Game1 is as defined above. Subsequently, we use the DDH assumption to prove that Game0 and Game1 are indistinguishable.
Theorem 3. If there is an adversary who is able to distinguish games Game0 and Game1 with a non-negligible advantage, a simulator
is capable of breaking DDH assumption with a non-negligible advantage.
Proof: Supposing that a tuple which is an instance of DDH problem, where
,
, is given to a simulator
, the simulator
performs the following operations:
Initialization. The adversary submits two challenge access policies
and
to simulator
, then
throws a fair coin to select b∈{0,1}.
Setup. The simulator runs Setup algorithm, selects a bilinear map
, where
are two multiplicative cyclic groups with prime order p, g is a generator of group
. It randomly chooses
, sets
, implicitly lets α = z1, then it computes
, where
as initial version number of attribute, for j∈[1,n]. Afterwards,
picks up random value
, when
, there are
and
, when
, there are
and
, where j∈[1,n]. The simulator
publishes public key
and keeps master secret key MSK = (α,β,{vkj,}j∈[1,n],{ri}i∈[1,2n]) secret.
Phase 1. The adversary commits a query attribute set
to simulator
.
Secret key query: Considering that , thus there is j″∈{1,2,⋯,n} such that
. Then, the simulator
picks up
at random, D1 and Dj,1 in the local secret key SK2 are calculated as
and
, where j∈[1,n]. For j = j″,
computes
for j ≠ j″,
computes
Afterwards, the simulator
returns SK2 = (D1,{(Dj,1,Dj,2)}j∈[1,n]) to adversary
.
Challenge. For access policies and
, the adversary
submits two equal-length encryption keys ck1 and ck2. Then, the simulator
executes Encryption key-Encrypt algorithm with
and ckb, where b∈{0,1}. It sets
, C* = ckb⋅Ys = ckb⋅e(g,g)αs = ckb⋅e(g,Q), implicitly lets s = z2. For all j∈[1,n], the simulator
arbitrarily chooses
if j ≠ j″, it computes
if j = j″.
When j ≠ j″, in the ciphertext are computed as
When j ≠ j″,
in the ciphertext is computed as
Finally, the simulator
sends
to adversary
.
Phase 2. The adversary makes queries similarly to Phase 1 with the restriction that
.
Guess. The adversary gives a guess b′ of b. If b′ = b, the simulator
outputs τ = 1, it demonstrates
. The adversary
exactly simulates the initial game, because
Otherwise the simulator
outputs τ = 1, it demonstrates that Q is a random element in
.
The advantage of adversary to win the game is defined as
Hence, if adversary who is able to distinguish games Game0 and Game1 with a non-negligible advantage, simulator
is capable of breaking DDH assumption with a non-negligible advantage.
If belongs to
or
, the ciphertext component {Cj,1}j∈[1,n] is the same as initial scheme, but for
belongs to
or
, the ciphertext component {Cj,1}j∈[1,n] will be replaced by random value {Zj,1}j∈[1,n], which is represented as our pre-defined a series of games Game2,⋯,Gamen,Gamen+1. The DDH assumption is used to prove that Gamel and Gamel+1 are indistinguishable, for l∈[1,n].
Theorem 4. If there is an adversary who is able to distinguish games Gamel and Gamel+1 with a non-negligible advantage, a simulator
is capable of breaking DDH assumption with a non-negligible advantage.
Proof: Supposing that a tuple which is an instance of DDH problem, where
,
, is given to a simulator
, the simulator
performs the following operations:
Initialization. The adversary submits two challenge access policies
and
to simulator
, then
throws a fair coin to select b∈{0,1}. When an attribute set
satisfies that
or
, Gamel and Gamel+1 are the same according to game definition. Therefore, only the case of
or
is considered below.
Setup. The simulator runs Setup algorithm, selects a bilinear map
, where
are two multiplicative cyclic groups with prime order p, g is a generator of group
. It randomly chooses
, sets Y = e(g,g,)α, it computes
, where
as initial version number of attribute, implicitly lets β = z1. Afterwards,
picks up
at random, when
, there are
and
, when
, there are
and
, where j∈[1,n]. The simulator
publishes public key
and keeps master secret key MSK = (α,β,{vkj,}j∈[1,n],{ri}i∈[1,2,n]) secret.
Phase 1. The adversary commits a query attribute set
to simulator
.
Secret key query: The simulator randomly chooses
, j∈[1,n]. The local secret key SK2 is computed as
and
,when
,
computes
, otherwise
, where j∈[1,n].
The simulator sends SK2 = (D1,{(Dj,1,Dj,2)}j∈[1,n] to adversary
.
Challenge. For access policies and
, the adversary
submits two equal-length keys ck1 and ck2. The simulator
executes Encryption key-Encrypt algorithm with
and ckb, where b∈{0,1}. It sets
and
, implicitly lets s = z2. Hereafter, for all j∈[1,n], the simulator
arbitrarily chooses
if j ≠ n, it computes
if j = n.
When j = n, in the ciphertext is computed as
When j ≠ n,
in the ciphertext is computed as
Then the simulator
transmits
to adversary
.
Phase 2. The adversary continues to query similarly to Phase 1 with the restriction that
or
.
Guess. The adversary gives a guess b′ of b. If b′ = b, the simulator
outputs τ = 1, it demonstrates
. The adversary
exactly simulates the initial game, because
Otherwise the simulator
outputs τ = 0, it demonstrates that Q is a random element in
. The advantage of adversary
to win the game is defined as
Therefore, if adversary who is able to distinguish games Gamel and Gamel+1 with a non-negligible advantage, simulator
is capable of breaking DDH assumption with a non-negligible advantage.
In a word, if for all polynomial-time adversary who could win the game with a negligible advantage, our scheme will achieve selective ciphertext security under chosen-plaintext attacks.
5.4 Forward and backward security
A data user's attribute set satisfies access structure, only when the search keyword set is included in the encrypted keyword set, the target ciphertext can be searched. However, an attribute attrj′ of data user needs to be revoked at a certain time, the system will inform all non-revoked data users to update secret keys that associated with revoked attribute attrj′ and the cloud server completes ciphertexts update. During the initial phase, we select a randomized version number for each attribute. As long as update occurs, the version number of attribute will be changed. Afterwards, an update key UKj′ will be used to re-encrypt ciphertexts, and update secret keys relevant to revoked attribute of all non-revoked data users, the data user cannot continue performing keyword search and decryption with previous token and secret key. Because in the search phase, the updated keyword index cannot match data user's original token, namely
During the decryption phase, the data user's original secret key cannot decrypt updated ciphertext, that is
Therefore, the attribute revocation in our scheme achieves backward security.
A data user's attribute set satisfies access structure, when an attribute attrj′ of data user needs to be revoked, the version number vkj′ corresponding to attribute will be changed, namely it will be randomized by a random value . Hereafter, the system will inform update secret keys that related to revoked attribute of all non-revoked data users, updated secret keys and tokens are returned to effective data users. Simultaneously, the partial ciphertexts are relevant to revoked attribute are also updated. Even if the data user saves the ciphertext before joining system, because of
, the previous keyword cannot be searched with the updated token and the previous ciphertext cannot be decrypted with the updated secret key. Therefore, the attribute revocation in our scheme achieves forward security.
Performance and efficiency analyses
This section mainly analyzes performance and efficiency comparisons between our scheme and literature [31–35]. The performance comparison is to compare functional differences between our scheme and other schemes. The efficiency comparison is to analyze operation time differences both our proposal and other schemes in a certain phase. Based on Pairing Cryptography (PBC) library [36] and group operation with prime order p, we mainly consider three kinds of operations on time complexity: exponential operation, multiplication operation and pair operation. Specifically, K represents the number of attributes that satisfy access structure and N represents the number of attributes owned by data user. (In our scheme, K = N)
Table 1 shows performance comparison between our scheme and literature [31–35]. The literature [31] supports multi-keyword search and security proof under the hard problem, but it does not support attribute-based encryption and revocation. The literature [32–35] all support attribute-based encryption, meanwhile literature [35] also supports direct revocation, while our scheme supports attribute revocation. In addition, the literature [32] does not support security proof under the hard problem. Compared with other solutions in the Table 1, our proposal supports all functions.
Table 2 shows efficiency comparison between the proposed scheme and the literature [31–35]. Since literature [32–35] do not support multi-keyword search, the proposed scheme and literature [31] have requirements for the number of keywords in the encryption, token generation, and search phases. For comparison, we consider that the quantity of encrypted keywords is equivalent to the quantity of search keywords, that is r = d.
Through experiments on common cryptographic algorithms, the operation time of each phase is obtained and the following operation time comparison chart is drawn. The environment of the hardware runtime is Intel Core i5-3470 CPU @ 3.20GHz, and RAM is 4.00GB. The software runtime environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse 10.
In Fig 2(A), 2(B) and 2(C) are time charts for running encryption algorithm as the number of attributes increases when keyword set contains 10, 20, and 30 keywords, respectively. Since literature [32–35] do not support multi-keyword search function, the proposed scheme is mainly compared with literature [31]. From the Fig 2, we can see that in the encryption phase, the calculation speed of our scheme is slower than literature [33], faster than literature [31,32,34,35].
(a) Encryption time for 10 keywords (b) Encryption time for 20 keywords. (c) Encryption time for 30 keywords.
In Fig 3(D), 3(E) and 3(F) are time charts for running token generation algorithm as the number of attributes increases when keyword set contains 10, 20, and 30 keywords, respectively. Since literature [32,34,35] does not involve token generation algorithm, at this phase, our scheme is mainly compared with literature [31,33], and because literature [33] does not support multi-keyword search function, the changes in the number of keywords will only lead to changes in the algorithm time of our scheme and literature [31]. As can be seen from the Fig 3, when the number of keywords is 10, the calculation time of our scheme is shortest. When the number of keywords increases and the number of attributes is small, the computation speed of the proposed scheme is slower than literature [33]. However, as the number of attributes increases, the advantage of our scheme become more significant, and the algorithm speed is superior to literature [31,33].
(d) Token generation time for 10 keywords (e) Token generation time for 20 keywords (f) Token generation time for 30 keywords.
In Fig 4(G), 4(H) and 4(I) are the time charts for running search algorithm as the number of attributes increases when keyword set contains 10, 20, and 30 keywords, respectively. Since literature [33] does not involve the number of attributes and keywords in the search phase, the algorithm time in [33] is constant. We have focused on comparing our scheme with literature [31], Fig 4(H) and Fig 4(I) no longer calculate the computation time of literature [33]. Since our scheme do not involve the number of attributes in the search phase, the algorithm time of our scheme is only associated with the number of keywords. From the Fig 4, we can see that at this phase, the calculation speed of the proposed scheme is faster than literature [31].
(g) Search time for 10 keywords (h) Search time for 20 keywords (i) Search time for 30 keywords.
The Fig 5 is the algorithm time figure in the decryption phase of our scheme and literature [32–35]. It can be seen from the Fig 5 that with continuous increase of the quantity of attributes, calculation time of our solution in this phase is less than literature [32–35].
Conclusion
We propose an attribute-based encryption scheme with multi-keyword search and supporting attribute revocation in cloud storage. On the one hand, based on the traditional CP-ABE schemes, our proposal uses the AND-gate access policy, adds attribute revocation and multi-keyword search, which is more practical. On the other hand, we present security proof under the complexity assumption, it demonstrates that our scheme is secure. Finally, we analyze performance and efficiency of proposed scheme and other solutions via experimental evaluation, which indicates that our scheme is more efficient.
In the future, how to achieve a dynamic search with multiple functions and direct revocation will be a project that needs further study.
Supporting information
S1 File. The runtime of cryptographic operations.
https://doi.org/10.1371/journal.pone.0205675.s001
(DOCX)
References
- 1.
Mell PM, Grance T (2011) SP 800–145. The NIST Definition of Cloud Computing: National Institute of Standards & Technology. 50–50 p.
- 2. Sahai A, Waters B. Fuzzy Identity-Based Encryption; 2005. pp. 457–473.
- 3. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data; 2006. pp. 89–98.
- 4. Shi Y, Zheng Q, Liu J, Han Z (2015) Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation. Information Sciences An International Journal 295: 221–231.
- 5. Rahulamathavan Y, Veluru S, Han J, Li F, Rajarajan M, Lu R (2016) User Collusion Avoidance Scheme for Privacy-Preserving Decentralized Key-Policy Attribute-Based Encryption. IEEE Transactions on Computers 65: 2939–2946.
- 6. Meng R, Zhou Y, Ning J, Liang K, Han J, Susilo W. An Efficient Key-Policy Attribute-Based Searchable Encryption in Prime-Order Groups; 2017. pp. 39–56.
- 7. Bethencourt J, Sahai A, Waters B. Ciphertext-Policy Attribute-Based Encryption; 2007. pp. 321–334.
- 8. Goyal V, Jain A, Pandey O, Sahai A. Bounded Ciphertext Policy Attribute Based Encryption; 2008. pp. 579–591.
- 9. Cheng Y, Ren J, Wang Z, Mei S, Zhou J (2012) Attributes Union in CP-ABE Algorithm for Large Universe Cryptographic Access Control. 180–186 p.
- 10. Li J, Wang H, Zhang Y, Shen J (2016) Ciphertext-Policy Attribute-Based Encryption with Hidden Access Policy and Testing. Ksii Transactions on Internet & Information Systems 10: 3339–3352.
- 11. Odelu V, Das AK, Rao YS, Kumari S, Khan MK, Choo KKR (2016) Pairing-based CP-ABE with constant-size ciphertexts and secret keys for cloud environment. Computer Standards & Interfaces 54: 3–9.
- 12. Shynu PG, Singh KJ (2017) An Enhanced CP-ABE Based Access Control Algorithm for Point to Multi-Point Communication in Cloud Computing. Journal of Information Science & Engineering 33.
- 13.
Dan B, Crescenzo GD, Ostrovsky R, Persiano G (2003) Public Key Encryption with Keyword Search: Springer Berlin Heidelberg. 506–522 p.
- 14. Li J, Wang Q, Wang C, Cao N, Ren K, Lou W. Fuzzy keyword search over encrypted data in cloud computing; 2010. pp. 441–445.
- 15. Shuang LI, Yuan D (2013) Anonymous identity based public key encryption with keyword search. Computer Engineering & Design 49: 506–522.
- 16. Kamara S, Lauter K. Cryptographic Cloud Storage; 2010. pp. 136–149.
- 17. Cao N, Wang C, Li M, Ren K, Lou W (2011) Privacy-Preserving Multi-Keyword Ranked Search over Encrypted Cloud Data. IEEE INFOCOM: 829–837.
- 18.
Hu C, He P, Liu P (2012) Public Key Encryption with Multi-keyword Search: Springer Berlin Heidelberg. 568–576 p.
- 19. Miao Y, Ma J, Liu X, Wei F, Liu Z (2016) m 2 -ABKS: Attribute-Based Multi-Keyword Search over Encrypted Personal Health Records in Multi-Owner Setting. Journal of Medical Systems 40: 246. pmid:27696175
- 20. Huang H, Jianpeng DU, Dai H, Wang R (2017) Multi-sever Multi-keyword Searchable Encryption Scheme Based on Cloud Storage. Journal of Electronics & Information Technology.
- 21. Yu S, Wang C, Ren K, Lou W. Achieving secure, scalable, and fine-grained data access control in cloud computing; 2010. pp. 534–542.
- 22. Yang K, Jia X, Ren K. Attribute-based fine-grained access control with efficient revocation in cloud storage systems; 2013. pp. 523–528.
- 23. Xiong AP, Xu CX, Gan QX. A CP-ABE scheme with system attributes revocation in cloud storage; 2014. pp. 331–335.
- 24. Chow SSM. A Framework of Multi-Authority Attribute-Based Encryption with Outsourcing and Revocation; 2016. pp. 215–226.
- 25. Liu H, Zhu P, Chen Z, Zhang P, Jiang ZL. Attribute-Based Encryption Scheme Supporting Decryption Outsourcing and Attribute Revocation in Cloud Storage; 2017. pp. 556–561.
- 26. Wang S, Ye J, Zhang Y (2018) A keyword searchable attribute-based encryption scheme with attribute update for cloud storage. PLOS ONE 13: e0197318. pmid:29795577
- 27. Guo W, Dong X, Cao Z, Shen J (2017) Efficient Attribute-Based Searchable Encryption on the Cloud Storage.
- 28. Guo F, Mu Y, Susilo W, Wong DS, Varadharajan V (2014) CP-ABE With Constant-Size Keys for Lightweight Devices. Information Forensics & Security IEEE Transactions on 9: 763–771.
- 29.
Dan B, Boyen X, Shacham H (2004) Short Group Signatures: Springer Berlin Heidelberg. 41–55 p.
- 30.
Shparlinski I (2011) Computational Diffie-Hellman Problem: Springer US. 240–244 p.
- 31. Li R, Zheng D, Zhang Y, Su H, Yang M, Lang P. Attribute-Based Encryption with Multi-keyword Search; 2017. pp. 172–177.
- 32. Zhong H, Zhu W, Xu Y, Cui J (2016) Multi-authority attribute-based encryption access control scheme with policy hidden for cloud storage. Soft Computing 22: 1–9.
- 33. Li J, Lin X, Zhang Y, Han J (2016) KSF-OABE: Outsourced Attribute-Based Encryption with Keyword Search Function for Cloud Storage. IEEE Transactions on Services Computing PP: 1–1.
- 34. Cui H, Deng RH, Wu G, Lai J (2016) An Efficient and Expressive Ciphertext-Policy Attribute-Based Encryption Scheme with Partially Hidden Access Structures. Computer Networks 133: 157–165.
- 35. Liu JK, Yuen TH, Zhang P, Liang K. Time-Based Direct Revocable Ciphertext-Policy Attribute-Based Encryption with Short Revocation List; 2018. pp. 516–534.
- 36. Duquesne S, Lange T (2005) Pairing-based cryptography. Mathiiscernetin volume 22: 573–590.