
A keyword searchable attribute-based encryption scheme with attribute update for cloud storage

Abstract

A ciphertext-policy attribute-based encryption (CP-ABE) scheme is a new type of data encryption primitive that is very suitable for cloud data storage because of its fine-grained access control. A keyword-based searchable encryption scheme enables users to quickly find data of interest stored on the cloud server without revealing any information about the searched keywords. In this work, we provide a keyword searchable attribute-based encryption scheme with attribute update for cloud storage, which is a combination of an attribute-based encryption scheme and a keyword searchable encryption scheme. The new scheme supports user attribute update; in particular, when a user's attribute needs to be updated, only that user's secret key component related to the attribute needs to be updated, while other users' secret keys and the ciphertexts related to this attribute need not be updated, with the help of the cloud server. In addition, we outsource the operations with high computation cost to the cloud server to reduce the user's computational burden. Moreover, our scheme is proven to be semantically secure against chosen ciphertext-policy and chosen plaintext attack in the generic bilinear group model, and it is also proven to be semantically secure against chosen keyword attack under the bilinear Diffie-Hellman (BDH) assumption.

Introduction

Attribute-based encryption (ABE) [1–4] is regarded as an effective encryption method with fine-grained access control for cloud storage. Attribute-based encryption can be divided into two types: key-policy attribute-based encryption (KP-ABE) [1] and ciphertext-policy attribute-based encryption (CP-ABE) [2]. In a KP-ABE scheme the ciphertext is associated with an attribute set and a user's secret key is associated with an access policy; a user can decrypt the ciphertext if and only if the ciphertext's attribute set satisfies the access policy of the user's secret key. In a CP-ABE scheme the ciphertext is associated with an access policy and a user's secret key is associated with an attribute set; a user can decrypt the ciphertext if and only if his attribute set satisfies the access policy of the ciphertext.

At present, many ABE schemes [5–9] have been proposed, which provide secure data access control and overcome the shortcomings of the one-to-one encryption pattern of identity-based encryption. However, these schemes are still deficient for practical use, as the attributes of a user are dynamic and may change over time. Thus an attribute revocation mechanism is necessary for an ABE scheme to be used in practice.

The revocation mechanism can be divided into two types: direct revocation and indirect revocation. Imai and Attrapadung [10] give a clear definition of both. Direct revocation: the sender specifies a revocation list when encrypting the data. Indirect revocation: the authorized institutions regularly issue key updates to non-revoked users. At present, many schemes with direct revocation [11–14] have been proposed. Li et al. [11] proposed an identity-based revocation scheme that performs direct revocation by giving the revocation rights to the encryptor directly. Tu et al. [14] proposed a revocable ABE scheme. In addition, some indirect attribute revocation schemes [15–18] have also been proposed. Yu et al. [15] proposed an attribute-based data sharing scheme with attribute revocation, in which any attribute of a user can be revoked by the proxy re-encryption technique. Li et al. [18] proposed a scheme that supports user attribute revocation, but it can only revoke a single attribute of the user, so it does not satisfy actual needs.

Attribute update is another significant problem in the ABE environment. In real life, a user's attribute set may need to be updated over time as his working role changes. For example, assume that Alice is a company employee; her attribute set needs to be updated when she is promoted from programmer to project manager, so her former attribute set A = "female, programmer" should be changed to a new attribute set B = "female, project manager", and the attribute authority (AA) should issue an update key to update Alice's secret key. Meanwhile, the attribute authority must ensure that Alice cannot further use her previous key related to the attribute set "female, programmer" to access ciphertexts. Thus, attribute update is not a simple process. Some attribute update schemes [19–21] have been proposed. However, these schemes share a common problem: if one attribute of a user is updated, then many other users' secret keys and a lot of ciphertexts related to this attribute need to be updated, which undoubtedly wastes a lot of computational resources.

To address this problem, we give a feasible solution in this paper. The main idea of our solution is that the secret key of a user is divided into two parts: the part that is irrelevant to attributes is retained by the user, and the part that is relevant to attributes is sent to the cloud server (CS). When an attribute of any user needs to be updated, the AA issues an update key to the CS. Then the CS only updates the secret key component of this attribute for all valid users, and the other secret key components of all users and the ciphertexts related to this attribute need not be updated. This method greatly reduces the workload of the system.

Although attribute-based encryption technology provides an effective means for data confidentiality, it brings another new problem: users may find it difficult to search for data of interest among a vast amount of encrypted data. This problem is called the keyword search problem [22]. One of the simplest searching methods is to download all encrypted data locally, decrypt it, and finally execute the keyword search on the plaintext. However, this method wastes huge computational resources and brings a vast decryption cost for the user.

Another extreme searching method is to send the user's secret key and keywords to the CS, which then decrypts all of the ciphertexts and performs the search on plaintext. But this method exposes the user's secret key and the privacy of the search keyword to the CS, so it is infeasible. Some search-based encryption schemes [23–26] have been proposed. Boneh et al. [23] first proposed a public key encryption with keyword search scheme. Dan and Ostrovsky [24] proposed a public key cryptographic scheme that allows private information retrieval (PIR); it allows multiple data contributors to upload their data encrypted under a public key, and only the user with the corresponding secret key can decrypt the data.

Some search encryption schemes focusing on search efficiency [27–30] have also been proposed. Fu et al. [27] proposed a scheme that not only supports multi-keyword ranked search but also provides parallel search. Li et al. [28] put forward a scheme which supports multi-keyword search; users can retrieve multiple keywords at once, which greatly improves search efficiency and accuracy. Sun et al. [30] proposed a verifiable attribute-based keyword search scheme that supports fine-grained search authorization; it supports multiple data owners and multiple users.

In addition, some schemes that achieve both attribute revocation and keyword search have been proposed [31,32]. The schemes [31,32] not only support revocation of a user's multiple attributes but also provide keyword search. However, our new scheme differs from the schemes [31,32] as follows. Firstly, the scheme [32] is based on key policy (KP-ABE). The new scheme and the scheme [31] are based on ciphertext policy (CP-ABE), where the scheme [31] uses an access tree as the access policy, while the new scheme uses an LSSS as the access policy. Secondly, the scheme [31] supports public keyword search, and its keyword index and trapdoor are generated with the help of the cloud server; the ciphertext and the keyword index of the scheme [32] are associated with attributes. The new scheme also supports public key keyword search, but the keyword index and trapdoor generation phases are realized independently by the user. Furthermore, the hardness assumptions underlying the new scheme and the schemes [31,32] are different. The scheme [31] is proven secure under the bilinear Diffie-Hellman (BDH) assumption in the selective security model. The scheme [32] is proven secure under the decisional bilinear Diffie-Hellman exponent (q-BDHE) and decisional Diffie-Hellman (DDH) assumptions in the selective security model. The new scheme is proven secure in the generic bilinear group model.

Our contributions

In this paper, we propose a keyword searchable attribute-based encryption scheme with attribute update for cloud storage. The main contributions of our scheme are summarized as follows:

  1. The new scheme is a combination of an ABE scheme and a keyword searchable encryption scheme. So our scheme not only solves the problem of data confidentiality with fine-grained access control but also solves the problem of keyword search. Moreover, the scheme is proven to be semantically secure against chosen ciphertext-policy and chosen plaintext attack in the generic bilinear group model.
  2. The new scheme supports user attribute update: when a user's attribute needs to be updated, only that user's secret key component related to this attribute needs to be updated, while other users' secret keys and the ciphertexts related to the attribute need not be updated. This is a more efficient attribute update method than those in existing attribute update schemes.
  3. In addition, the operations with high computation cost are outsourced to the CS to reduce the user's computational burden.
  4. Our keyword search algorithm supports multi-user keyword search, as long as the user's trapdoor matches a keyword index stored in the cloud storage. Moreover, our keyword search scheme is proven to be semantically secure against chosen keyword attack (IND-CKA) under the bilinear Diffie-Hellman (BDH) assumption.

Functional comparisons

We compare the functions of our scheme with some existing schemes [13,19,21,29,31] in Table 1.

Table 1. Comparison of our scheme with some existing schemes.

https://doi.org/10.1371/journal.pone.0197318.t001

Preliminaries

Bilinear map [33]

Let and be two multiplicative cyclic bilinear groups of prime order p. Let g be a generator of . A bilinear map is a map with the following properties:

  1. Bilinearity: for all and , we have e(g^a, g^b) = e(g,g)^{ab}.
  2. Non-degeneracy: e(g,g) ≠ 1.
  3. Computability: There is an efficient algorithm to compute e(u,v) for .

Bilinear Diffie-Hellman assumption [34]

The BDH problem in is defined as follows: taking as input, compute . We say that the adversary has advantage ε in solving the BDH problem in if

We say that the BDH assumption holds in if no probabilistic polynomial-time adversary has non-negligible advantage in solving the BDH problem in .

Generic bilinear group model [2]

We suppose there are two random encodings , where is an additive group and m > 3 log p. For i = 0,1, we set . We are given oracles to compute the induced group action on and an oracle to compute a non-degenerate bilinear map . We are also given a random oracle to represent the hash function H.
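As an added illustration of the bilinear-map properties listed above and of the generic bilinear group model (this is example code written for this page, not part of the paper): a toy simulator that represents elements of the two groups by their exponents and hands out random encodings ψ0(x) = g^x and ψ1(y) = e(g,g)^y, exposing only group-operation and pairing oracles, which is exactly the adversary's interface in the model. The prime p and the encoding width are constructed toy values with no security; the class and function names are this example's own.

```python
import secrets

# Constructed toy parameters: a small prime and 64-bit encodings. Not secure,
# only enough to make the oracle interface of the generic group model concrete.
P = 2**31 - 1
ENCODING_BITS = 64


class GenericBilinearGroup:
    """Generic bilinear group oracle (hypothetical helper for this example).

    Group index 0 is the source group generated by g, index 1 is the target
    group generated by e(g,g). Internally an element is just its exponent in
    Z_p; callers only ever see the random encodings psi_0(x) = g^x and
    psi_1(y) = e(g,g)^y, the notation used in the paper's proof.
    """

    def __init__(self, p=P):
        self.p = p
        self._enc = [{}, {}]  # exponent -> random encoding, per group
        self._dec = [{}, {}]  # random encoding -> exponent, per group
        self.g = self.encode(0, 1)   # g      = psi_0(1)
        self.gt = self.encode(1, 1)  # e(g,g) = psi_1(1)

    def encode(self, i, x):
        """psi_i(x): a fresh random, injective encoding for each new exponent."""
        x %= self.p
        if x not in self._enc[i]:
            while True:
                r = secrets.randbits(ENCODING_BITS)
                if r not in self._dec[i]:
                    break
            self._enc[i][x] = r
            self._dec[i][r] = x
        return self._enc[i][x]

    def _exponent(self, i, h):
        if h not in self._dec[i]:
            raise ValueError("encoding is not a known element of group %d" % i)
        return self._dec[i][h]

    def mul(self, i, h1, h2):
        """Group-operation oracle on group i: psi_i(x) * psi_i(y) -> psi_i(x + y)."""
        return self.encode(i, self._exponent(i, h1) + self._exponent(i, h2))

    def power(self, i, h, k):
        """Exponentiation on group i (repeated group operation): psi_i(x)^k -> psi_i(k*x)."""
        return self.encode(i, k * self._exponent(i, h))

    def pair(self, h1, h2):
        """Pairing oracle e: psi_0(x), psi_0(y) -> psi_1(x*y)."""
        return self.encode(1, self._exponent(0, h1) * self._exponent(0, h2))


def check_bilinear_properties(G, a, b):
    """Verify, through the oracles only, the three properties of a bilinear map."""
    ga, gb = G.power(0, G.g, a), G.power(0, G.g, b)
    bilinearity = G.pair(ga, gb) == G.power(1, G.gt, a * b)  # e(g^a, g^b) = e(g,g)^{ab}
    non_degeneracy = G.pair(G.g, G.g) != G.encode(1, 0)      # e(g,g) != 1 (psi_1(0) is the identity)
    computable = isinstance(G.pair(ga, gb), int)             # the pairing oracle always answers
    return bilinearity and non_degeneracy and computable


def bdh_with_one_exponent(G, ga, gb, c):
    """Honest BDH computation: a party who knows c derives e(g,g)^{abc} from g^a and g^b.

    The BDH assumption says that from g^a, g^b, g^c and the oracles alone, with
    none of the exponents, this value is not efficiently computable.
    """
    return G.power(1, G.pair(ga, gb), c)
```

Because every encoding is chosen uniformly and independently, the only information an oracle caller obtains is equality of encodings, which is why the security proof later on can reason purely about which formal polynomials in the exponents the adversary is able to query.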

Linear secret sharing schemes [33]

A secret sharing scheme ∏ over a set of parties P is called linear (over ) if

  1. The shares for each party form a vector over .
  2. There exists a matrix M with l rows and n columns called the share-generating matrix for ∏. For all i = 1,2,⋯,l, the function ρ labels the ith row of M with the party ρ(i). Consider the column vector , where is the secret to be shared and are chosen randomly. Then Mv is the vector of l shares of the secret s according to ∏, and the share (Mv)i belongs to party ρ(i).

Suppose that ∏ is an LSSS for the access structure . Let be any authorized set, and let I ⊂ {1,⋯,l} be defined as . Then there exist constants such that, if {λi} are valid shares of any secret s according to ∏, then ∑i∈I ωi λi = s. Furthermore, these constants {ωi} can be found in time polynomial in the size of the share-generating matrix M.
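The share generation and reconstruction just described, as an added worked example that is not part of the paper: shares are computed as λ = Mv with v = (s, r2, …, rn), and for a row set I the reconstruction constants ω are found by solving ∑i∈I ωi Mi = (1,0,…,0) over Z_p with Gauss-Jordan elimination, which is the polynomial-time step the text refers to. The same selection of rows I = {i : ρ(i) ∈ S} and constants ωi is what the CS.PreDecrypt phase relies on later in the paper. The example policy "(A AND B) OR C" and its matrix are constructed for this illustration; the prime is a toy value.

```python
import secrets

# Constructed toy prime for Z_p; the arithmetic is exact over any prime.
P = 2**31 - 1


def _solve_mod_p(A, b, p):
    """Return one solution x of A x = b over Z_p, or None if the system is inconsistent.

    Gauss-Jordan elimination on the augmented matrix; free variables are set to 0.
    """
    rows, cols = len(A), len(A[0])
    aug = [[A[i][k] % p for k in range(cols)] + [b[i] % p] for i in range(rows)]
    pivot_cols, r = [], 0
    for col in range(cols):
        piv = next((i for i in range(r, rows) if aug[i][col]), None)
        if piv is None:
            continue
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)
        aug[r] = [x * inv % p for x in aug[r]]
        for i in range(rows):
            if i != r and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % p for x, y in zip(aug[i], aug[r])]
        pivot_cols.append(col)
        r += 1
        if r == rows:
            break
    if any(aug[i][cols] for i in range(r, rows)):
        return None  # a zero row with non-zero right-hand side: unauthorized set
    x = [0] * cols
    for i, col in enumerate(pivot_cols):
        x[col] = aug[i][cols]
    return x


def share(M, s, p=P):
    """Shares of s under matrix M: v = (s, r_2, ..., r_n) with random r_k, lambda_i = M_i . v."""
    n = len(M[0])
    v = [s % p] + [secrets.randbelow(p) for _ in range(n - 1)]
    return [sum(M[i][k] * v[k] for k in range(n)) % p for i in range(len(M))]


def rows_for_attributes(rho, S):
    """I = { i : rho(i) in S }, the rows a holder of attribute set S can use."""
    return [i for i, attr in enumerate(rho) if attr in S]


def reconstruction_coefficients(M, I, p=P):
    """omega with sum_{i in I} omega_i M_i = (1,0,...,0) mod p, or None if I is unauthorized."""
    n = len(M[0])
    A = [[M[i][k] for i in I] for k in range(n)]  # transpose of the selected rows
    e1 = [1] + [0] * (n - 1)
    return _solve_mod_p(A, e1, p)


def reconstruct(shares, I, omega, p=P):
    """sum_{i in I} omega_i * lambda_i, which equals s when I is authorized."""
    return sum(w * shares[i] for w, i in zip(omega, I)) % p


# Constructed example policy "(A AND B) OR C" and its 3x2 share-generating matrix:
# rows A and B together sum to (1,0), and row C alone is (1,0).
M_EXAMPLE = [[1, 1], [0, -1], [1, 0]]
RHO_EXAMPLE = ["A", "B", "C"]


def recover(M, rho, S, shares, p=P):
    """Full flow for attribute set S: select rows, find omega, combine shares; None if unauthorized."""
    I = rows_for_attributes(rho, S)
    omega = reconstruction_coefficients(M, I, p) if I else None
    return None if omega is None else reconstruct(shares, I, omega, p)
```

For the example matrix, {A, B} yields ω = (1, 1) (the random r cancels between λA = s + r and λB = −r) and {C} yields ω = (1), while {A} or {B} alone leaves the linear system inconsistent, so no constants exist and the secret stays hidden.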

System model and security model

System model

The system framework of our scheme includes four main entities, as presented in Fig 1.

Attribute authority (AA). The AA is a fully trusted entity. It takes charge of system establishment, user registration, attribute management and secret key generation. When an attribute of a user needs to be updated, the AA generates an update key for the user.

Cloud server (CS). The CS is responsible for storing the data and providing data access for legitimate users. It is also responsible for keyword search when a search trapdoor is received from a user. It also takes charge of updating the part of the user's secret key related to the updated attribute, and helps legitimate users to partially decrypt the ciphertext using the user's partial secret key.

Data owner (DO). The data owner encrypts its own data, builds keyword indexes, and then outsources them to the CS.

User (U). Each legitimate user can search for files of interest in the system. The user generates a search trapdoor to protect the privacy of the search keyword, then sends his identity and the search trapdoor to the CS. Without learning any information about the searched keyword, the CS finds the encrypted files that include the keyword and does most of the partial decryption work to reduce the decryption load of the user. Finally, the user gets the partially decrypted files and decrypts them using his own partial secret key.

Algorithm description

Our keyword searchable attribute-based encryption scheme with attribute update for cloud storage includes the following eight phases.

Phase 1: System initialization.

AA.Setup (λ,L) → (PP,MSK,PKs,SKs). The setup algorithm inputs a security parameter λ and an attribute universe L, and outputs the public parameters PP, the master secret key MSK, and the CS's public and secret key pair (PKs,SKs).

Phase 2: Key generation.

AA.KeyGen . The key generation algorithm inputs the master secret key MSK, a user's identity id and the user's attribute set , and outputs the user's secret key and the user's search secret and public key pair (Apriv,Bpub).

Phase 3: File encryption and create keyword index.

To get ciphertext Ek(F), the DO encrypts file F with symmetric key k by the symmetric encryption algorithm. Then DO encrypts the symmetric key k by the following encryption algorithm.

DO.Encrypt (PP,k,(M,ρ)) → CT. The encryption algorithm inputs the public parameter PP, the symmetric key k and the LSSS access structure (M,ρ), and outputs a ciphertext CT.

DO.Index (W,Bpub) → IW. The index generation algorithm inputs a set of keywords W and the data owner's search public key Bpub, and outputs the keyword index set IW.

Phase 4: Trapdoor generation.

U.AuthorizationKey . The authentication information generation algorithm inputs public parameters PP, the CS's public key PKs and the user's secret key , and outputs the authentication information .

U.Trapdoor (w,PKs,Apriv) → Tw. The trapdoor generation algorithm inputs a keyword w, the CS's public key PKs and the user's search secret key Apriv, and outputs the search trapdoor Tw.

Phase 5: Verification.

CS.Verifing . The validation algorithm inputs the user's identity id and the authentication information , and outputs 1 or 0.

Phase 6: File retrieval.

CS.Test (IW,Tw) → (0,1). The test algorithm inputs the keyword index set IW and the user's search trapdoor Tw, and outputs 1 or 0.

Phase 7: Data decryption.

CS.PreDecrypt . The pre-decryption algorithm inputs the ciphertext CT for the access structure (M,ρ) and the user's secret key for the attribute set . If the user's attribute set satisfies the access structure (M,ρ), it outputs a partially decrypted ciphertext CT′. Otherwise, the algorithm terminates.

U.PostDecrypt . The post-decryption algorithm inputs the partially decrypted ciphertext CT′ and the user's secret key , and outputs the symmetric key k.

Finally, the user decrypts the file Ek(F) by the symmetric key k, and then the user gets the file F.

Phase 8: Attribute update.

Assume that a user with identity id has an attribute j that needs to be updated to a new attribute j′ by the AA. The attribute update phase includes five steps: (1) the AA executes the update key algorithm to generate the update key and sends it to the CS, informing the CS that attribute j of the user with identity id will be updated to the new attribute j′; (2) the CS finds the user's attribute set and secret key in the SL-list; (3) the CS updates attribute j of the user to attribute j′ and sets the new attribute set as ; (4) the CS also updates the secret key component associated with attribute j to a new secret key component associated with attribute j′ using the update key ; (5) the CS stores the user's new attribute set and new secret key in the SL-list.

AA.UKeyGen . The update key generation algorithm inputs the public parameter PP, the master secret key MSK and the attributes j and j′, and outputs the update key .

CS.KeyUpdate . The secret key update algorithm inputs the user's secret key and the update key , and outputs a new secret key .

Security model

(1) Selective security model for our scheme.

Initialization. The adversary submits a challenged access structure to the challenger .

Setup. The challenger runs the setup algorithm and sends the public parameters PP to the adversary and keeps the master key MSK to itself.

Phase 1. The adversary adaptively issues repeated secret key queries corresponding to attribute sets S1, S2, ..., Sq, where none of these attribute sets satisfies the access structure .

Challenge. The adversary submits two equal-length messages M0 and M1 to . The challenger randomly selects a bit b ∈ {0,1} and encrypts the message Mb for the access structure . The challenger sends the ciphertext CT* to the adversary .

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess b′ of b. If b′ = b, the adversary wins this game.

The advantage of the in this game is defined as .

Definition 1. The proposed scheme is selectively secure if all polynomial-time adversaries have at most a negligible advantage in the above game.

(2) IND-CKA security model.

Setup. Repeat the setup of the above security model.

Phase 1. The adversary adaptively issues polynomially many of the following queries.

H1,H2-Query. The adversary can query the random oracle H1 or H2.

Trapdoor Queries. The adversary can query the trapdoor of any keyword.

Challenge. The adversary submits two keywords w0 and w1 to the challenger , with the restriction that the adversary has not queried the trapdoors of keywords w0 and w1. The challenger randomly chooses a bit b ∈ {0,1} and generates the index Ib of keyword wb.

Phase 2. Phase 1 is repeated.

Guess. The adversary outputs a guess b′ of b. If b′ = b, the adversary wins this game.

The advantage of the in this game is defined as .

Definition 2. The proposed scheme is IND-CKA secure if all polynomial-time adversaries have at most a negligible advantage in the above game.

Concrete construction

In this section, we present a construction for a keyword searchable attribute-based encryption scheme with attribute update for cloud storage.

Phase 1: System initialization

The AA first defines an attribute universe L = {1,2,⋯,m} and chooses three hash functions and , which are modeled as random oracles. Then the CS creates a user identity list and a file list FL = (F*,CT,IW,Ek(F)), both initially empty. Finally, the AA executes the setup algorithm.

AA.Setup (λ,L) → (PP,MSK,PKs,SKs). The setup algorithm first chooses two multiplicative cyclic groups and of prime order p, a generator and a bilinear map . It then chooses and sets SKs = xs as the CS's secret key, computes as the CS's public key and publishes it. It also randomly chooses three elements . In addition, it chooses a random number for each attribute j ∈ L. Finally, it outputs the public parameters PP and the master secret key MSK as follows:

Phase 2: Key generation

When a user with identity id requests registration in the system, the AA first assigns an attribute set associated with the user's identity id. Secondly, the AA randomly chooses a number for the user and calculates . Then the AA executes the key generation algorithm.

AA.KeyGen . The key generation algorithm first randomly chooses , where tid is a unique value assigned to the user with identity id. For each attribute , it randomly chooses . Finally, it outputs the user's secret key:

Let Apriv = μ be the user's search secret key and Bpub = g^μ the user's search public key.

Finally, the AA sends to the user and publishes the user's search public key Bpub. The AA sends to the CS, which stores in the SL-list.

Phase 3: File encryption and keyword index generation

Step 1: The DO encrypts the files.

To get ciphertext Ek(F), the DO encrypts file F with a symmetric key k by the symmetric encryption algorithm. Then DO encrypts the symmetric key k by the following encryption algorithm.

DO.Encrypt (PP,k,(M,ρ)) → CT. Let M be an l × n matrix, and let Mi be the vector corresponding to the ith row of M. The function ρ associates rows of M with attributes. The encryption algorithm first chooses a random vector . The elements of v will be used to share the random encryption exponent s. For i = 1 to l, it calculates λi = Mi·vT. It then randomly chooses numbers and outputs the ciphertext CT: where vρ(i) is the master-key component associated with attribute ρ(i) ∈ L.

Step 2: Index generation.

The DO extracts a keyword set from the file F. Then the DO executes the following index generation algorithm.

DO.Index (W,Bpub) → IW. The index generation algorithm randomly chooses for each keyword wi ∈ W and calculates . It then lets . Finally, it outputs the keyword index set .

Finally, the DO sends the file (CT,IW,Ek(F)) to the CS. When the CS receives the uploaded file (CT,IW,Ek(F)), it picks a unique identifier F* for the file (CT,IW,Ek(F)). The CS stores (F*,CT,IW,Ek(F)) in the FL-list.

Phase 4: Trapdoor generation

Step 1: Authentication information generation.

U.AuthorizationKey . To generate the authentication information, the authentication information generation algorithm chooses a random number and calculates . It outputs the authentication information :

Step 2: Trapdoor generation.

U.Trapdoor (w,PKs,Apriv) → Tw. The trapdoor generation algorithm randomly chooses a number and calculates T1 = g^η, . It outputs the trapdoor Tw:

Finally, the user sends his id, the authentication information and the trapdoor Tw to the CS.

Phase 5: Verification

CS.Verifing . The validation algorithm inputs the user's identity id and the authentication information . The cloud server uses its own secret key SKs = xs to calculate and checks whether the equation holds. If it holds, the user is a legitimate user and the algorithm outputs 1. Otherwise, it outputs 0 and the algorithm terminates.

Phase 6: File retrieval

CS.Test (IW,Tw) → (0,1). The test algorithm inputs the keyword index set IW and the user's search trapdoor Tw. The cloud server uses its own secret key SKs = xs and the user's trapdoor Tw = {T1,T2} to calculate

It then uses the keyword index to calculate and checks whether the equation H2(φ1) = I2 holds. If it holds, the test is successful and the algorithm outputs 1. Otherwise, it outputs 0 and the algorithm terminates.

Phase 7: Data decryption

Step 1: Partial decryption by CS.

The CS first obtains the ciphertext CT corresponding to the keyword index IW in the FL-list and finds the user's secret key in the SL-list. If the user's secret key is not in the SL-list, the algorithm ends. Otherwise, it executes the pre-decryption algorithm.

CS.PreDecrypt . The pre-decryption algorithm inputs the user's secret key for an attribute set and a ciphertext CT for the access structure (M,ρ). Here we assume that the attribute set satisfies the access structure (M,ρ), and let I be defined as . Then let be a set of constants such that, if {λi}i∈I are valid shares of the secret s according to M, then ∑i∈I ωiλi = s. The pre-decryption algorithm calculates

Finally, the CS sends the partial ciphertext and the encrypted file Ek(F) to the user.

Step 2: User decryption.

U.PostDecrypt . The post-decryption algorithm inputs the partially decrypted ciphertext CT′ and the user's secret key . The user executes the post-decryption algorithm to calculate the symmetric key k as follows:

Finally, the user gets the plaintext F = Dk(Ek(F)) by the symmetric key k.

Phase 8: Attribute update

Step 1: Update key generation.

AA.UKeyGen . The update key generation algorithm inputs the public parameter PP, the master secret key MSK and the attributes j and j′. For attribute j′, the AA finds the random number in the master secret key MSK, and then outputs the update key :

Finally, it sends the user's identity id and the update key to the CS.

Step 2: The CS executes the secret key update.

CS.KeyUpdate . The secret key update algorithm inputs the user's secret key and the update key . The CS executes the secret key update algorithm and outputs a new secret key .

Security analysis

Selective security proof for our scheme

Theorem 1. Let and be defined as in the generic bilinear group model. For any adversary that makes a total of at most q queries to the oracles for computing the group operations in and , the bilinear map e, and the interaction with the IND-sCP-CPA security game, the advantage of the adversary in the IND-sCP-CPA security game is .

Proof. In the IND-sCP-CPA security game, the challenge ciphertext has a component that may be k0e(g,g)^{αs} or k1e(g,g)^{αs}. As in [2], we modify the game so that the challenge component is either e(g,g)^{αs} or e(g,g)^θ, where is randomly selected, and the adversary has to determine which is the case. Any adversary with advantage ε in the IND-sCP-CPA security game can be converted into one with advantage at least in the modified IND-sCP-CPA security game (two situations can be considered: one in which the adversary must distinguish between k0e(g,g)^{αs} and e(g,g)^θ, and another in which the adversary must distinguish between k1e(g,g)^{αs} and e(g,g)^θ; both are equivalent to the modified game).

Initialization. The adversary first submits an access structure (M*,ρ*) to the simulator S. In order to simulate the modified IND-sCP-CPA game, we introduce some notation from the generic bilinear group model: let ψ0(1) = g and ψ1(1) = e(g,g) (we write ψ0(x) = g^x and ψ1(y) = e(g,g)^y).

Setup. The simulator S randomly chooses and calculates g^μ, g^γ, e(g,g)^α. When the adversary queries the hash value of H on an attribute j that has not been queried before, the simulator S randomly chooses , calculates , and writes the result into the hash list; otherwise, it looks the value up in the hash list. For any attribute j ∈ L, the simulator S randomly chooses a number . It sets the public parameter PP and the master secret key MSK as:

The simulator S sends the public parameter PP to the adversary .

Phase 1. The simulator S answers secret key queries as follows:

Secret key query. When makes its m-th key generation query for the attribute set Sm, with the constraint that Sm does not satisfy the access structure (M*,ρ*), the simulator S randomly chooses and calculates . For any attribute j ∈ Sm, the simulator S randomly chooses and calculates . It outputs the secret key:

Then, the simulator S sends SK to adversary .

Challenge. The adversary submits two equal-length messages k0 and k1 to the simulator S. First, the simulator S runs the encryption algorithm for the access structure (M*,ρ*), where M* is an l × n matrix, is the ith row of M*, and ρ* associates rows of M* with attributes. Secondly, the simulator S chooses a random vector , whose elements are used to share the encryption exponent s, where is constrained by the LSSS scheme. Then the simulator S chooses a random bit b ∈ {0,1} and l random values to get the encryption of as: and .

The ciphertext is

Finally, the simulator S sends the ciphertext CT* to adversary .

Phase 2. Phase1 is repeated.

The adversary terminates and returns a guess b′ of b after many queries. At this point, the simulator S randomly chooses a value to get the simulated challenge ciphertext via substituting for . After the simulation, the simulator S returns the simulated challenge ciphertext to adversary .

Next, we analyze the simulator S simulation. We think that the simulator S simulation is flawless with a constraint “unexpected collision” does not occur in the querying of ψ0(x) = gx, ψ1(y) = e(g,g)y for group operation and . Thus, an “unexpected collision” occurs when two queries corresponding to two different rational functions v and v′, it causes that v′ − v = 0 for some variables. (Where an oracle query is regard as a rational function [2]). Then, we make the following analysis of "unexpected collision":

Before substitution. By the Schwartz-Zipple lemma[35,36], the probability of the “unexpected collision” occurs in and at most is .

After substitution. We consider what the adversary’s view would have been if we set θ = αs. We will show that subject to the conditioning above, the the adversary’s view would have been identically distributed. Since we are in the generic group model where each group element’s representation is uniformly and independently chosen[2], the only way that the adversary’s view can differ in the case of θ = αs is if there are two queries v and v′ into is vv′ but v|θ = αs = v′|θ = αs. We prove show that this does never happens.

Case. To structure γαs, we know that θ only exists as e(g,g)θ in this form. According to the simulation, the simulator S wants v and v′ is related to the θ is by having some additive terms of the form γθ.Therefore, we must have vv′ = γαsγθ for some constant γ′ ≠ 0. Then, we artificially add the query vv′ + γθ = γαs to the adversary's queries. According to the conditions which we have set, we prove that adversary cannot construct the query for . Otherwise, a collision occurs and the theorem proves.

In order to gain a better understand of the above situation. We analyze based on the information given to the adversary by the simulation. In Table 2, we enumerate the possibility queries of all rational function in by the adversary . Except those in which every monomial involves the variable μ, since the variable μ is not relevant to constructing term αs. Where the variables j and j′ represents the attribute string, and m indicates secret key queries made by the adversary .

According to Table 2, the adversary can construct a polynomial αs + tms is by pairing s with α + tm. In this way, the adversary also constructs a query term containing for some collections T and constant . But the goal of the adversary is to obtain a query polynomial γαs, so the adversary must add the negative terms to cancel the terms . To construct the negative terms , the adversary first constructs a query polynomial of the from tms by pairing with with a constraint ρ*(i) = j, as we know s is linear combinations of λi. For the other collections and constant , the adversary can also construct a query polynomial as:

Therefore, we do some analysis to give the conclusion of this proof:

  1. The set of secret shares does not reconstruct the secret s for some mT. Then the term tms is still retained, and γαs cannot be constructed.
  2. For all mT, the set of secret shares allows reconstruction of the secret s. To obtain γαs, the adversary may cancel the term by a combination of the terms tmλi, but it does not obtain the term : examining Table 2, there is no term that can cancel the term . Therefore, the adversary cannot construct γαs.

IND-CKA security proof

Theorem 2. Supposing that the BDH assumption holds, our scheme is semantically secure against a chosen keyword attack in the random oracle model.

Proof. Suppose the adversary is a malicious cloud server that has non-negligible advantage ε in breaking our searchable encryption scheme. Suppose that the adversary makes at most hash function queries to H2 and at most qT trapdoor queries (we assume and qT are positive). We will construct a simulator that solves the BDH problem with advantage , where e is the base of the natural logarithm.

Initialization. The simulator receives a BDH challenge and chooses two multiplicative cyclic groups and of prime order p, a generator and a bilinear map . Then the simulator randomly chooses and lets ; its aim is to compute .

Setup. The simulator randomly chooses a number , and lets the public key be and the secret key be SKs = xs for the adversary . To simulate the user's search public key Bpub and secret key Apriv, the simulator chooses a random parameter and sets , so Apriv = μ = at1.

Phase 1. The adversary adaptively issues the following queries:

H1-Query: The adversary can query the random oracle H1 at any time. To answer H1 queries, the simulator maintains a list of tuples (wi,hi,ei,ci) called the H1-list. The list is initially empty. When queries the random oracle H1 on any keyword wi ∈ {0,1}*, the simulator answers as follows:

  1. If the query wi already appears on the H1-list in a tuple (wi,hi,ei,ci), the simulator responds with .
  2. Otherwise, the simulator generates a random coin ci ∈ {0,1} so that , where qT is the number of trapdoor queries.

If ci = 0, the simulator computes ;

If ci = 1, the simulator computes , where the value is randomly selected. The simulator then adds the tuple (wi,hi,ei,ci) to the H1-list and returns H1(wi) = hi to the adversary .

H2-Query: The adversary can query the random oracle H2 at any time. To answer H2 queries, the simulator maintains a list of tuples (ti,Vi) called the H2-list. The list is initially empty. When queries the random oracle H2 on any , the simulator answers as follows:

  1. If the query ti already appears on the H2-list in a tuple (ti,Vi), the simulator responds with H2(ti) = Vi ∈ {0,1}^{log p}.
  2. Otherwise, the simulator randomly chooses a value Vi ∈ {0,1}^{log p}, adds the tuple (ti,Vi) to the H2-list, and returns H2(ti) = Vi to .

Trapdoor queries: When queries the trapdoor of any keyword wi ∈ {0,1}*, the simulator first executes the H1 query to obtain such that H1(wi) = hi, with (wi,hi,ei,ci) the corresponding tuple on the H1-list. The simulator then answers as follows:

  1. If ci = 0, the simulator declares failure and aborts.
  2. If ci = 1, . The simulator randomly chooses a value and computes

The simulator sends the trapdoor to .

Challenge: The adversary submits a pair of keywords w0 and w1 whose trapdoors have not been queried by . The simulator generates the keyword index as follows:

  1. The simulator first executes the H1 query twice to obtain such that H1(w0) = h0 and H1(w1) = h1. For i = 0,1, let (wi,hi,ei,ci) be the corresponding tuple on the H1-list. If both c0 = 1 and c1 = 1, the simulator declares failure and aborts.
  2. We now know that at least one of c0 and c1 is equal to 0. The simulator chooses a bit b ∈ {0,1} such that cb = 0.
  3. The simulator answers with the keyword index . The simulator then randomly chooses a parameter and sets , with the implied setting (), where c is unknown and u3 = gc is part of the BDH challenge.
  4. The simulator randomly chooses Z ∈ {0,1}^{log p} and sets .

By this definition, is a valid keyword index for the keyword wb.

Phase 2. Phase 1 is repeated.

Output. The adversary outputs its guess b′ of bit b.

Note that the values are set with probability in the H1 queries. Since queries a value of the form to the H2 oracle with the same probability in the setting of the H2-list, we have

Then the simulator randomly chooses a pair (ti,Vi) from the H2-list and outputs as its guess for e(g,g)^{abc}, where t1, t2 and eb are set according to the parameters of the challenge phase.

Probability analysis. We can prove that if wins the game with non-negligible probability, then solves the BDH problem with probability at least . The detailed probability analysis is similar to that of the scheme in [34].

Since the BDH assumption states that the BDH problem is hard, the probability is negligible. Hence our scheme is secure under the BDH assumption.

Computational complexity and performance evaluation

Computational complexity comparison

In Table 3, we compare the computational complexity of our scheme with the schemes of [13,19,21,31]. As shown in Table 3, our scheme requires less computation in key generation and encryption than the schemes in [13,19,31]. Our scheme also needs the least computation when users decrypt the ciphertext. Most importantly, our scheme need not update the ciphertext when an attribute update occurs, which further reduces the amount of computation. In addition, our scheme provides keyword search, which makes searching more efficient and more accurate. The schemes of [13], [19] and [21] do not provide keyword search.

Performance evaluation

To evaluate the performance of our scheme and the scheme of [19], we simulate the computational time of setup, key generation, encryption and user decryption with different numbers of attributes, as shown in Fig 2. The implementation uses the Pairing-Based Cryptography (PBC) library [37]. Fig 2(A) shows that the setup time scales linearly in the number of attributes in the attribute universe for both schemes. Fig 2(B) shows that the key generation time scales linearly in the number of attributes in the secret key for both schemes. Fig 2(C) shows that the encryption time scales linearly in the number of attributes in the ciphertext for both schemes. We also find that setup takes more computational time in our scheme than in the scheme of [19], whereas key generation and encryption in the scheme of [19] take more computational time than in our scheme. Fig 2(D) shows that user decryption in our scheme takes less computational time than in the scheme of [19].

Fig 2. Performance evaluation.

(a) Setup generation time (b) Key generation time (c) Encryption time (d) Decryption time of the user.

https://doi.org/10.1371/journal.pone.0197318.g002

Conclusions

In this paper, we have proposed a keyword searchable attribute-based encryption scheme with attribute update for cloud storage. Our new scheme supports both the user's attribute update and multi-user keyword search: as long as a user's trapdoor matches a keyword index stored in the cloud storage, the user can successfully retrieve the encrypted file of interest. The performance evaluation results confirm that the proposed scheme is more efficient than other attribute-based encryption schemes with attribute update. In addition, we outsource the operations with high computation cost to the cloud storage to reduce the user's computational burden. Moreover, our scheme is also proven to be semantically secure against chosen ciphertext-policy and chosen plaintext attack in the generic bilinear group model.

Acknowledgments

This work is supported by the National Natural Science Foundation of China under Grants 61572019 and 61173192, the Key Project of the Research Foundation of Natural Science Foundation of Shaanxi Province of China under Grant No. 2016JZ001, and the Key Laboratory Research Project of the Education Bureau of Shaanxi Province of China under Grant No. 16JS078. Thanks also go to the anonymous reviewers for their useful comments.

References

  1. Goyal V, Pandey O, Sahai A, Waters B. Attribute-based encryption for fine-grained access control of encrypted data[C]// ACM Conference on Computer and Communications Security. ACM, 2006:89–98.
  2. Bethencourt J, Sahai A, Waters B. Ciphertext-Policy Attribute-Based Encryption[C]// IEEE Symposium on Security and Privacy. IEEE Computer Society, 2007:321–334.
  3. Ostrovsky R, Sahai A, Waters B. Attribute-based encryption with non-monotonic access structures[C]// CCS 07 ACM Conference on Computer & Communications Security. 2007:195–203.
  4. Waters B. Ciphertext-Policy Attribute-Based Encryption: An Expressive, Efficient, and Provably Secure Realization[J]. Lecture Notes in Computer Science, 2011, 2008:321–334.
  5. Chase M, Chow S S M. Improving privacy and security in multi-authority attribute-based encryption[C]// ACM Conference on Computer and Communications Security. ACM, 2009:121–130.
  6. Hur J. Improving Security and Efficiency in Attribute-Based Data Sharing[J]. IEEE Transactions on Knowledge & Data Engineering, 2013, 25(10):2271–2282.
  7. Liu X, Ma J, Xiong J, Li Q, Ma J. Ciphertext-Policy Weighted Attribute Based Encryption for Fine-Grained Access Control[C]// International Conference on Intelligent Networking and Collaborative Systems. IEEE, 2014:51–57.
  8. Lai J, Deng R H, Li Y, Weng J. Fully secure key-policy attribute-based encryption with constant-size ciphertexts and fast decryption[C]// ACM Symposium on Information, Computer and Communications Security. ACM, 2014:239–248.
  9. Horváth M. Attribute-Based Encryption Optimized for Cloud Computing[M]// SOFSEM 2015: Theory and Practice of Computer Science. Springer Berlin Heidelberg, 2015:1–9.
  10. Attrapadung N, Imai H. Attribute-Based Encryption Supporting Direct/Indirect Revocation Modes[C]// IMA International Conference on Cryptography and Coding. Springer-Verlag, 2009:278–300.
  11. Li Y, Zhu J, Wang X, Shao S. Optimized Ciphertext-Policy Attribute-Based Encryption with Efficient Revocation[J]. International Journal of Security & Its Applications, 2013, 7(6):385–394.
  12. Zhang Y, Chen X, Li J, Li H, Li F. FDR-ABE: Attribute-Based Encryption with Flexible and Direct Revocation[C]// International Conference on Intelligent Networking and Collaborative Systems. IEEE, 2013:38–45.
  13. Wang H, Zheng Z, Wu L, Li P. New directly revocable attribute-based encryption scheme and its application in cloud storage environment[J]. Cluster Computing, 2016:1–8.
  14. Tu S, Niu S, Li H. A fine-grained access control and revocation scheme on clouds[J]. Concurrency & Computation: Practice & Experience, 2016, 28(6):1697–1714.
  15. Yu S, Wang C, Ren K, Lou W. Attribute based data sharing with attribute revocation[C]// ACM Symposium on Information, Computer and Communications Security, ASIACCS 2010, Beijing, China, April. DBLP, 2010:261–270.
  16. Qian H, Li J, Zhang Y, Han J. Privacy-preserving personal health record using multi-authority attribute-based encryption with revocation[J]. International Journal of Information Security, 2015, 14(6):487–497.
  17. Huang X F, Tao Q, Qin B D, Liu Z Q. Multi-Authority Attribute Based Encryption Scheme with Revocation[C]// International Conference on Computer Communication and Networks. IEEE, 2015:1–5.
  18. Li Q, Feng D, Zhang L. An attribute based encryption scheme with fine-grained attribute revocation[C]// Global Communications Conference. IEEE, 2012:885–890.
  19. Zhang P, Chen Z, Liang K, Wang S, Wang T. A Cloud-Based Access Control Scheme with User Revocation and Attribute Update[C]// Asian Conference on. Springer-Verlag New York, Inc. 2016:525–540.
  20. Liao J, Jiang C, Guo C. Data privacy protection based on sensitive attributes dynamic update[C]// International Conference on Cloud Computing and Intelligence Systems. IEEE, 2016:377–381.
  21. Zhang P, Chen Z, Liu J K, Liang K, Liu H. An efficient access control scheme with outsourcing capability and attribute update for fog computing[J]. Future Generation Computer Systems, 2016.
  22. Song D X, Wagner D, Perrig A. Practical Techniques for Searches on Encrypted Data[C]// Security and Privacy, 2000. S&P 2000. Proceedings. 2000 IEEE Symposium on. IEEE, 2002:44.
  23. Dan B, Crescenzo G D, Ostrovsky R, Persiano G. Public Key Encryption with Keyword Search[J]. Lecture Notes in Computer Science, 2003, 3027(16):506–522.
  24. Dan B, Waters B. Conjunctive, Subcollection, and Range Queries on Encrypted Data[C]// The Theory of Cryptography Conference. 2006:535–554.
  25. Cao N, Wang C, Li M, Lou W J. Privacy-preserving multi-keyword ranked search over encrypted cloud data[C]// INFOCOM, 2011 Proceedings IEEE. IEEE, 2011:829–837.
  26. Zhen hua L, Jin miao W, Bo L. A ciphertext-policy hidden vector encryption scheme supporting multiuser keyword search[J]. Security & Communication Networks, 2015, 8(6):879–887.
  27. Fu Z, Sun X, Liu Q, Shu J. Achieving Efficient Cloud Search Services: Multi-Keyword Ranked Search over Encrypted Cloud Data Supporting Parallel Computing[J]. IEICE Trans Commun, 2015, 98(1):190–200.
  28. Li H, Liu D, Jia K, Lin X. Achieving authorized and ranked multi-keyword search over encrypted cloud data[C]// IEEE International Conference on Communications. IEEE, 2015:7450–7455.
  29. Lv Z, Zhang M, Feng D. Multi-user Searchable Encryption with Efficient Access Control for Cloud Storage[C]// IEEE International Conference on Cloud Computing Technology and Science. IEEE, 2014:366–373.
  30. Sun W, Yu S, Lou W, Hou Y T, Li H. Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud[J]. IEEE Transactions on Parallel & Distributed Systems, 2016, 27(4):1187–1198.
  31. Wang S, Zhang X, Zhang Y. Efficiently Multi-User Searchable Encryption Scheme with Attribute Revocation and Grant for Cloud Storage[J]. PLoS One, 2016, 11(11):e0167157. pmid:27898703
  32. Wang S, Zhao D, Zhang Y. Searchable attribute-based encryption scheme with attribute revocation in cloud storage[J]. PLoS One, 2017, 12(8):e0183459. pmid:28859125
  33. Zu L, Liu Z, Li J. New Ciphertext-Policy Attribute-Based Encryption with Efficient Revocation[C]// IEEE International Conference on Computer and Information Technology. IEEE, 2014:281–287.
  34. Rhee H S, Park J H, Susilo W, Dong H L. Trapdoor security in a searchable public-key encryption scheme with a designated tester[J]. Journal of Systems & Software, 2010, 83(5):763–771.
  35. Schwartz J T. Fast Probabilistic Algorithms for Verification of Polynomial Identities[M]// Symbolic and Algebraic Computation. Springer Berlin Heidelberg, 1979:10–1145.
  36. Zippel R. Probabilistic algorithms for sparse polynomials[C]// Symbolic and Algebraic Computation, EUROSAM '79, An International Symposium on Symbolic and Algebraic Computation, Marseille, France, June 1979, Proceedings. DBLP, 1979:216–226.
  37. Duquesne S, Lange T. Pairing-based cryptography[J]. Math.iisc.ernet.in, 2005, 22(3):573–590.