Figures
Abstract
Cloud computing liberates enterprises and organizations from expensive data centers and complex IT infrastructures by offering the on-demand availability of vast storage and computing power over the internet. Among the many service models in practice, the public cloud for its operation cost saving, flexibility, and better customer support popularity in individuals and organizations. Nonetheless, this shift in the trusted domain from the concerned users to the third-party service providers pops up many privacy and security concerns. These concerns hindrance the wide adaptation for many of its potential applications. Furthermore, classical encryption techniques render the encrypted data useless for many of its valuable operations. The combined concept of attribute-based encryption (ABE) and searchable encryption (SE), commonly known as attribute-based keyword searching (ABKS), emerges as a promising technology for these concerns. However, most of the contemporary ABE-based keyword searching schemes incorporate costly pairing and computationally heavy secret sharing mechanisms for its realization. Our proposed scheme avoids the expensive bilinear pairing operation during the searching operation and costly Lagrange interpolation for secret reconstruction. Besides, our proposed scheme enables the updation of access control policy without entirely re-encrypting the ciphertext. The security of our scheme in the selective-set model is proved under the Decisional Bilinear Diffie-Hellmen (DBDH) assumption and collision-free. Finally, the experimental results and performance evaluation demonstrate its communication and overall efficiency.
Citation: Khan S, Khan S, Waheed A, Mehmood G, Zareei M, Alanazi F (2024) An optimized dynamic attribute-based searchable encryption scheme. PLoS ONE 19(10): e0268803. https://doi.org/10.1371/journal.pone.0268803
Editor: Pandi Vijayakumar, University College of Engineering Tindivanam, INDIA
Received: January 19, 2022; Accepted: May 7, 2022; Published: October 29, 2024
Copyright: © 2024 Khan et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.
Data Availability: All relevant data are within the paper.
Funding: This project was partially supported by the Tecnologico de Monterrey, School of Engineering and Sciences and Prince Sattam Bin Abdulaziz Univ, Coll Engn, Dept Elect Engn, Al Kharj, and and it is declared that all the funding or sources of support (whether external or internal to our organization) received during this study, and no additional external funding received for this study. It is also declared that the funders (authors) have played equal role in the design, data collection, analysis or preparation of this manuscript for publication.
Competing interests: The authors have declared that no competing interests exist.
Introduction
In today’s modern age, cloud computing presents an appealing computing infrastructure that provides ubiquitous access using the internet. Nowadays’ cloud computing architecture comes in three architecture models: public, private, and hybrid models. However, many individuals are inclined towards the public cloud as they offer easy data sharing, personalized files, finance-related information, and healthcare information. Nevertheless, the companies that provide cloud services and consumers may not belong to the same trusted domain. As a result, the privacy and confidentiality of stored data on public cloud servers become a critical problem. Generally speaking, the data can be encrypted before outsourcing to protect the confidentiality and privacy of outsourced data. As the outsourcing of encrypted data creates significant challenges [1], other data users can not directly perform computation, searching operations, the users can not get the expected data by using the keyword searching method. Furthermore, data management and access control also become critical issues [2].
Searchable Encryption (SE) has been widely adopted to overcome the problems mentioned earlier. The search operation is performed over ciphertext data without exposing the security and privacy of original data. The working mechanism of SE is depicted in Fig 1 where, first, the data owner outsources their ciphertext data to the cloud server to perform the search operation over encrypted data. The data users can send a search token to the cloud server, the cloud server having the ciphertext data and search token perform the searching operation and send back the search result to the requested data user. Another technique is known as keyword-based searchable encryption (KSE) [3] was also devised to perform the searching operation on encrypted outsourced data. Various types of models are currently available single-owner/single-user, also known as symmetric, multi-owner/single-user, and multi-owner/multi-user. Many symmetric searchable encryption (SSE) has been explored and have more properties such as data updating [4] search result verification [5], forward/backward privacy etc. Public key encryption that supports keyword searching has been explored to perform searching operations and enrich the functionality such as conjunctive, range, and subset search [6].
However, adopting the above-stated searchable encryption mechanisms, the data owners can not implement an effective access control mechanism, an essential element for every real application. To achieve both searching operation and access control simultaneously, researchers exploited the properties of attribute-based encryption (ABE) [7] technique. ABE’s access policy is an important factor, depending on how the data owner designs the access control policy during encryption. The ABE has two types which are: key-policy (KP-ABE) [8] and ciphertext-policy (CP-ABE) [9]. Using KP-ABE, the secret key is embedded inside the access policy, and data are encrypted according to user-specified attributes. Any user can decrypt if the access policy is his key matched the attribute set inside ciphertext data. While using CP-ABE, the access policy is associated with ciphertext, and the user secret key is attached with his attributes. Provided that the user attributes to meet the specified access policy, decryption can be performed successfully.
In short, the searching operation over encrypted data is an effective method to achieve privacy and confidentiality of outsourced data. Many schemes in the existing literature are available to achieve searchable encryption and access control. [10] in this paper, the author adopted only AND gate policy for access structure, authors in [11, 12] leveraged the Linear Secret Sharing Scheme (LSSS), used matrix as an access policy and based on AND, OR gates. Other schemes [13, 14] are based on bilinear pairing with a composite group order. However, the searching cost of the scheme is impractical. Most of the schemes mentioned above based on LSSS in which polynomial interpolation is used on the decryption side for reconstructing the shared secret are not efficient and flexible for resource constraint devices.
Efficiency related schemes for ABKS can broadly be categorized into:
Outsourcing schemes
Most encryption and decryption operations are outsourced to resource-rich cloud service providers to reduce the computation overhead in these schemes [15–17]. As a result, the end-users perform a less or constant number of operations. This outsourcing can be performed either for encryption or decryption or both at the same time. However, these schemes strictly depend on the underlying framework and can not be applied to all the ABKS schemes.
Online/offline schemes
The generation of index keyword and query token are divided into two phases [18, 19]. Most computations are done for index or token preparation during the first phase before knowing the exact specifics. So, when the specifics become known in the second phase, it rapidly assembles an intermediate index or token. The problem with these schemes is, the overall computation remains the same for the end-users.
Non-pairing schemes
As the name suggests, these schemes avoid the most expensive and time-consuming bilinear operation with the lighter one, i.e., Elliptic Curve Cryptography (ECC) based scalar point multiplication operation [20, 21]. However, these schemes also suffer from the underlying linearity problem of attribute-based encryption.
Our proposed scheme avoids the expensive bilinear pairing operation and costly Lagrange interpolation for secret reconstruction simultaneously for the searching and decryption phase. Our main contribution made in this paper can be listed as follows:
- The proposed scheme avoids costly bilinear pairing operation in the search phase and is free from complex Lagrange interpolation for secret reconstruction at the data user side.
- Our proposed scheme supports the updation of access control policy without the liability of complete re-encryption of already stored ciphertext on the cloud.
- The scheme also avoids the linear secret sharing scheme (LSSS) matrix and access tree construction to generate data user’s secret key components from their claimed set of attributes.
- The security proof is given in the selective-set model under the Decisional Bilinear Diffie-Hellmen (DBDH)assumption and found to be collision-free.
- The detailed experimental and informal analysis demonstrates the efficacy in terms of both communication and computation.
Related work
For the first time, Song et al. [22] introduced searchable encryption where the data owner outsources the encrypted data to a remote storage server along with encrypted keywords. To search for a specific keyword data user sends information regarding the specified keyword. Based on this information, the storage server returns the requested results. A large number of schemes based on attribute-based encryption were proposed in the literature [23–26]. These ABE schemes were adopted to construct attribute-based keyword searching schemes. The access policy determining who can perform the decryption operation was used to decide who can perform the search operation. Zheng et al. [27] were the first to propose the scheme based on ABKS. They adopted both variants of ABE: KP and CP to construct the SE scheme. The scheme also has support for the verifiability of the search result performed by the cloud server. Later on, the scheme proposed by Lv Z et al. [14] had support for the revocation of the user. However, the number of pairing operations and secret key size were directly proportional to the number of attributes associated with the access policy. As a result, these schemes incur substantial computational overhead.
Wang et al. [15] introduce delegation in which a cloud server carried out the extensive computation task to address substantial computation. As a result of delegation, the architecture became complicated, and other third parties were involved in the system. Wang et al. [17] presented a scheme requiring a fixed number of pairing operations that support fast searching operations, but the size of the secret key was directly proportional to the number of attributes involved in the system. Zheng et al. [27] presented that big data mobile healthcare networks also support the verifiability of the search result. Hence, the contemporary approaches to ABKS heavily rely on the complex secret sharing mechanism of Lagrange interpolation and costly bilinear pairing operations. Our proposed scheme aims to achieve computational efficiency, decrease the key generation time, encryption, and decryption to make it flexible for devices with low processing and storage capabilities.
Preliminaries
This section gives background knowledge about the bilinear map, access structure, and linear secret sharing scheme (LSSS).
Bilinear map
Consider three multiplicative cyclic groups , and having prime order p, where P, Q are generators of and respectively. is the bilinear map if it has below given properties:
- Bilinear:
- , and , e(xP, yQ) = e(P, Q)^{xy}
- Non-degenerate:
- .
- Commutable:
- , there must exist an algorithm to efficiently compute e(P, Q).
Access structure
- Monotone access structure: if is a set of attributes satisfying an access structure T, then any such that also satisfies . For example, let say T = X ∩ Y, then both and satisfy .
- Non-monotone access structure: there exists in such a way does not satisfy T. For example, let say T = S ⊂⌝Z. Then in the previous example, only satisfies .
Replicated secret sharing
The modular addition scheme [28], a special case of replicated secret sharing, a dealer can split a secret s into k shares and when all the shares combined, only then they can reconstruct the secret s. Sharing a secret s, where {s|s ∈ [0, p − 1]} for some integer p, the dealer randomly selects k − 1 values for s_{i} such that {s_{i}|i ∈ [0, k − 1]} and computes . Share s_{i}, where {i|i ∈ [1, k − 1]} are communicated to party p_{i}. The original secret S can only be constructed by , hence only the dealer knows the secret s and other parties do not have any information regarding the secret.
System model and security definitions
System model
Here we present the proposed system model. Specifically, there are four entities involved in the proposed system architecture, namely: Cloud Server (CS), Central Authority (CA), Data Owner (DO), and Data User (DU). As depicted in Fig 2.
- Central Authority: As shown in Fig 2, we consider a central authority (CA) to be a trusted party responsible for initializing the whole system, generating the system parameters, and distributing secret keys.
- Cloud Server: In the proposed system model, the cloud server provides storage resources. Upon receiving the authorized token from the data user (DU), it performs the searching operation and sends the DU search result. Cloud servers perform the search operation without knowing any information about the encrypted token and search result.
- Data Owner: The data owner (DO) can be those who are willing to outsource their encrypted data to the cloud server. The DO encrypts the data according to the access control policy of his choice.
- Data User: The data user (DU) are those who want to search over encrypted data. The DU executes the proposed TokGen algorithm to generate a search token for his interesting keywords and get the desired results.
Additionally, in our threat model, we consider the CS the “curious but honest” entity [29]. Most of the contemporary approaches to security also deploy this assumption. CA, DU, and DO are assumed to be fully honest and trusted entities.
Security definition
The ABKS schemes require that the encryption algorithms not reveal any underlying keyword information in the index keyword and query token to an adversary. Thus, the privacy of the DO and DU should be maintained while outsourcing their respective data. The following security definitions are given to evaluate the security requirements between adversary and challenger in the form of a security game.
Definition 1: Our EFG-KSS scheme protects the index keyword from recovery attack in the chosen Plaintext Attack (CPA) model.
At the start of the game, the challenger publishes the public parameters to . Adversary selects challenge access tree and submits it to the . repeatedly asks for private key components of attribute set S_{j} = {att_{j} ∣ att_{j} ∈ U} and the encrypted index keyword of keywords k_{1}, k_{2}, …, k_{n} such that non of the attribute set satisfies . submits two keywords w_{o} and w_{1} to . Based on the outcome of flipping a fair binary coin v = {0, 1}, encrypt w_{b} to get the index keywords. adaptability submits an attribute sets s_{j+1}, s_{j+2}… to get its corresponding private key components respectively, and the ciphertext of keywords k_{j+1}, k_{j+2}… while none of these attribute set satisfies . Finally, output its guess b′ of b. The winning advantage of is defined as = . Now, if Adv_{A} is negligible, we would confirm that our scheme protect the index keyword from recovering attack in the chosen plaintext model.
Definition 2: Our query trapdoor algorithm protects the query token from recovery attack in the eavesdrop attack model.
submits multiple queries for different keywords q_{1}, q_{2}, …, q_{n}, In response to each query, outputs the ciphertext and sends it to . submits two query keywords q_{0} and q_{1} to , which has not been queried earlier. randomly selects a bit b ∈ {0, 1} and output q_{b}, and submits it to . is allowed to ask for any number of queries, except that the query keyword q_{0} and q_{1} have not been queried before. Finally, output its guess b′ of b. The winning advantage of is defined as = . Now, if Adv_{A} is negligible, we would confirm that our scheme protect the query token from recovery attack in the eavesdrop attack model.
Definition 3: Our proposed scheme ensures that if any of the compromised users is unable to decrypt a ciphertext individually, they are still unable to succeed to decrypt it by combining more than one secret key component or attribute.
Proposed scheme
The following algorithms constitute the complete working mechanism of our proposed EFG-KSS scheme.
Setup (λ): Run by the CA for the initialization of the whole system, this algorithm proceed as follows:
- a) Generate a bilinear map , where , and are three multiplicative cyclic groups of prime order P, g is a generator of .
- b) Select a secure hash function .
- c) For some integer n, generate the universal set of attribute U = {att_{1}, att_{2}…att_{|u|}}. For each att_{i} ∈ U, select random elements t_{1}, t_{2}, …, t_{n} and .
- d) Compute Y = g^{α}, y = e(g, g)^{α}, g^{b} and {T_{i} = g^{ti}|i ∈ [1, n]}.
- e) Set the public key as: PK = (e, g, g^{b}, y, Y, {T_{i} = g^{ti}|i ∈ [1, n]}), and the master key is MK = (α, {t_{i}|i ∈ [1, n]}).
KeyGen (S, MK): This algorithm is run by CA to generate secret keys for authorized DU. On input the registered DU attribute set S = {att_{1}, att_{2}…att_{|m|}} ⊂ U, this algorithm performs the following steps:
- a) Select random values such that , and computes do
. - b) Choose a random number and computes d_{1} = g^{α−r}.
- c) For each att_{i} ∈ S, compute .
- d) Return the secret key .
EncInd (): This algorithm is executed by DO to encrypt a randomly chosen key using access control structure of his choice in the from of boolean formula. On input the public key PK of CA, the DO performs the following steps:
- a) Chooses a random secret s and and computes A_{verf} = (Y)^{s} = (g^{α})^{s}, C_{0} = g^{s} and .
- b) Given the access tree , the algorithm performs the following steps to distribute secret s according to node v in a top-down approach:
- 1) if the root node is v, (i.e., v = root), set its value to s.
- 2) Recursively, for each inner node (including the root node), do the following:
- 2.1) if the inner node v represents the AND gate, for each of its child node excluding the last child, set its value to s_{i} where s ∈ [1, p − 1], and set the value of its last child to
- 2.2) if the inner node v represents the OR gate, it sets every child node value to its parent node value.
- 3) For each attribute a_{j,i} attached to leaf node , compute .
- 4) Compute and set ,
- 5) Set the cipher-text
C_{1}, {C_{j,i}|a_{j,i} ∈ τ})
TokenGen (): This algorithm is run by DU to generates token for its interested keywords q.
- a) The DU compute tok_{1} = g^{α.H(q)} and tok_{2} = g^{α} and set
Search (): This algorithm is run by CS to securely perform the search operation over outsourced encrypted index according to the query token submitted by the DU. By secure, we mean that the stored data elements in the index token or the encrypted data itself reveal no information to the CS after completion of the search operation. By running this algorithm, the CS needs to find out if this DU possess the attributes corresponding to each leaf node of , and also check out if it has the stored index equal to the query token , w = q. More specifically, this algorithm returns 1 if and only if the below two conditions hold simultaneously:
- a) Access confirmation: Taking from CT and d_{0} from , this process needs to compute . After which the CS can find out whether it equals the A_{verf} in the ciphertext CT set by DO.
- b) Token confirmation: After ciphertext CT is accessible, i.e., , the CS needs to find out whether index keyword w is equal to the query token q, w = q, by evaluating the validity of equation , otherwise the algorithm returns ⊥ to the DU.
Dec (): This algorithm is run by DU to retrieve the symmetric key , uses to decrypt the outsourced encrypted data. This algorithm proceeds as follows:
EFG-KSS analysis
This section presents a detailed analysis of our scheme’s correctness, complexity, access control policy update, and security proof.
Correctness analysis
First of all, CS needs to confirm whether DU’s set of attributes S meets the access control policy set by the DO. In other words, the CS ensures the access authorization request of DU for the DO outsourced index keyword w. As we know from Algorithm EncInd, the DO computes and set the access verification to (1)
Hence, the CS need to compute ∏_{i∈s}(C_{j,i})^{do}, to find out whether it output the same value as required by the DO in its ciphertext.
In case of successful access authorization, the CS further needs to confirm the similarity between the keyword in the form of submitted query token against the stored index keyword by evaluating the following equation validity.
Complexity analysis
This section presents a theoretical analysis in terms of time complexity by comparing our proposed scheme with the schemes of CP-ABKS [27], and CP-ABSE [30]. Both of these schemes provide a convincing performance comparison with our proposed scheme. The notations used for this comparison are shown in Table 1.
Computation and output overhead of each algorithm for EFG-KSS, CP-ABSE, and CP-ABKS are shown in Tables 2–4, respectively. Here, we do not consider an operation like a basic arithmetic operation; multiplication, addition, and subtraction in , hash function because of its less time consumption. We also do not consider the computation cost incur due to the successful search query. As a result, the search output size is set to zero for all the schemes.
From Table 2, we observe that our scheme suffers from high storage and computation cost for the Setupphase than both the scheme CP-ABKS and CP-ABSE. However, the Setup phase runs on the resource-rich trusted authority and one-time operation, making it acceptable in real-world scenarios and resource-scarce devices.
From Tables 3 and 4, we can notice that EFG-KSS outperforms both the CP-ABSE and CP-ABKS on the KeyGen, EncInd, TokenGen, and Search algorithm complexity because of less exponentiation and pairing operation requirements.
Access control policy update
In EFG-KSS scheme, the data owner do not need to entirely re-encrypt the ciphertext in case of his access control policy updation. Our scheme utilizes access tree as access control policy. Let a data user wants to update his already defined access control policy from , shown in Fig 3. To a newly defined access control policy , shown in Fig 4.
Recall from EncInd algorithm, to encrypt a symmetric key , this algorithm in its first phase select a random number , compute C_{o} = g^{s} and .
Since only the second phase encryption is based on some access control policy , the Algorithm compute: . The final ciphertext is set to
To change the access control policy from to , we do not need to re-encrypt the first phase encryption since the access control policy is enforced only by the second phase encryption. Furthermore, during the second phase, we need to update the ciphertext components C_{j,3} and C_{j,4} only.
Hence, the updated ciphertext elements are:
As a result, the new ciphertext is
Security analysis
Theorem 1: Based on the DBDH hardness assumption, no probabilistic polynomial-time adversary (PPT) can break EncInd algorithm associated with index keyword encryption with a challenge access tree .
Proof: If can recover keyword information from EncInd algorithm in polynomial time T with non-negligible advantage ε, then we can construct an algorithm which can play Decisional-BDH game with non-negligible advantage . The challenger at the start of the game setup random elements . flips a fair binary coin μ ∈ {0, 1} and sets , when μ = 0 and if μ = 1. The challenger gives to simulator . Both and adversary play the game as follows:
Init: selects challenge access tree and sends it to the simulator.
Setup: computes the public parameter by letting , where . For all att_{j} ∈ S, checks whether , sets (here ) otherwise sets (so here t_{j} = k_{j}) where kj is a random element . Finally sends the the public parameter to .
Phase 1: repeatedly asks for private key components of attribute set S_{j} = {att_{j} ∣ att_{j} ∈ U} and the encrypted index keyword of keywords k_{1}, k_{2}, …, k_{n} such that non of the attribute set satisfies .
Now selects and set . Also these private keys must produce legal query trapdoor. The simulator sets by letting
The simulator for each att_{j} not in , computes , since t_{j} = b/k_{j} and r = ab + r′b. Where for each att_{j} ∈ S_{j} at set the valid secret key component to and can be computed by the as:
Finally, the simulator sends the to .
Challenge: encrypts two keywords ω_{0} and ω_{1} to generates the corresponding index keyword. Submit it along with access structure to . Based on the outcome of flipping a coin V = {0, 1}, the simulator output the ciphertext as follows:
. Finally, sends to .
Phase 2: adaptability sends an attribute sets s_{j+1}, s_{j+2}… to get its corresponding private key components respectively, and the ciphertext of keywords K_{j+1}, K_{j+2}… while none of these attribute set satisfies .
Guess: output its guess b′ of b. Since none of the attribute sets satisfies the , can not let the search algorithm to trivially decide b = 0 or b = 1. Therefore, can use the index keyword to recover keyword information to decide b = 0 or b = 1. The possibility for both the cases are given bellow:
- For we have μ = 0 and
Since s and α are randomly chosen for the index keyword generation, we let c = s and , the ciphertext can be denoted as
- If, then For , we have μ = 1 and the ciphertext is
Since z is a randomly selected element, which also render is a random looking element to an adversary and hence reveal no information about w_{b}. output its guess b′ ∈ {0, 1}.
If b′ = b, output μ′s guess μ′ = 0 and . When , the challenger sends a valid encryption parameter and is a valid index keyword. Therefore, the advantage of an adversary to recover H(wb) from is
If b′ = b, output μ′s guess μ′ = 1 and . When , the challenger sends a random encryption parameters and hence, is not a valid index keyword. Therefore, does not gain information about H(w_{b}) from , hence we have
The overall advantage of solving the DBDH problem is as follows:
.
Theorem 2: On the assumption of Discrete Logarithm (DL) problem, our proposed query keyword encryption is secure against token recoverable attack in eavesdropper security model.
Proof: Below security game between the the adversary and challenger is run to prove the above theorem.
Phase 1: submits multiple query for different keywords q_{1}, q_{2}, …, q_{n}, In response to each query, outputs the following ciphertext:
Challenge: receives two query keywords q_{0} and q_{1} from , which have not queried earlier. randomly selects a bit b ∈ {0, 1} and computes q_{b} as: and submit it to .
Phase 2: is allowed to sends further queries, except that the query keyword q_{0} and q_{1} have never been queried before.
Guess: output its guess b′ of b. As has no access to the encryption oracle and also without knowing α, it is not able to efficiently compute and . Thus, as long as the DL assumption is intractable, the probability that output the correct guess b′ = b is at most .
Theorem 3: Our proposed scheme provides collision resistance under the Computational Diffie-Hellmen (CDH) assumption. If any of the compromised users cannot decrypt a ciphertext, they can still decrypt it by combining more than one secret key component or attribute.
Proof: Similar to other ABKS schemes, our proposed scheme also avoids the integration of secret keys or attributes, which is the most probable attack in the ABE scenario. More specifically, our proposed scheme considers the corruption of any data used as some overlapping individuals attribute among them may exist. For example, assume a data owner perform some encryption by associating an access control policy AND university) OR (professor AND city), to its ciphertext. Bob and Carl’s data users possess secret key against these attribute sets S_{B} = {student, city} and S_{C} = {professor, carl} respectively. Given their respective set of attributes, both the data user can not decrypt the ciphertext individually.
Now even if both the data users combine their secret key for the missing attribute, they should not decrypt the ciphertext encrypted under . To avoid the collusion attack, the KeyGen algorithm of our proposed scheme randomly selects a value and R_{i} for each user independently. Hence, the resultant secret key components can not be combined since they are generated randomly.
The secret key components of our proposed scheme are
Their individual R_{i} and r are randomly selected to meet the equation and to compute respectively. Given the CDH assumption is hard, compromised data user will never be able to compute and because of R_{i} and r from different data users.
Performance analysis
To precisely evaluate and compare the performance of our proposed scheme with the two schemes mentioned above, this section presents experimental results for a series of experimental simulations. The experimental execution setting is Intel Core i5 Processor 2.4 GHz, 4GB RAM, on a Ubuntu 14. The implementation environment consists of a standard cryptographic Charm-Crypto library Version 0.42 with Spyder 2.2.5 IDE.
Storage cost evaluation
For uniformity, in the experiment, we set ∣X∣ and ∣S∣ to be 10. Fig 5 depicts the storage cost of each algorithm in CP-ABSE, CP-ABKS, and EFG-KSS. Although our scheme yield higher storage cost when compared with other schemes for the Setup algorithm. In practice, this extra storage cost is acceptable; we know the Setup algorithm is run by a trusted attribute authority and is a one-time process. As evident from Fig 5 our proposed scheme takes less storage cost for KeyGen, TokenGen, and EncInd. Here the search algorithm space is ignored for its only output values 1 or 0.
Evaluation of KeyGen algorithm
KeyGen algorithm is run by trusted attribute authority to label each claimed attribute of the data user to its secret key components, then through a secure channel transfer to its indented data users. As demonstrated in Fig 6a, the computation cost of all schemes linearly increased with the increase in the number of attributes. Compared to CP-ABSE and CP-ABKS, we can observe that our proposed scheme requires less computation time as we increase the number of attributes in the data user list. Its better performance is due to the lesser exponentiation operation for keys generation than the other two schemes.
(a) KeyGen algorithm, (b) EncInd algorithm.
Evaluation of EncInd algorithm
This algorithm is run by the data owner and output a secure keyword index accessible under access control policy sets by its data owner. This acts as a specific clue for a cloud server to relate any search query keyword from data users without revealing any underlying encrypted keyword. More specifically, the cloud server performs the search operation against the encrypted keyword to find out the relevant encrypted document. Fig 6b shows that the computation time for each algorithm linearly increases as we increase the number of attributes attached to the leaf nodes in the access control policy. We can also see from Fig 6b that our proposed scheme outperforms the two schemes because of its lesser computation burden on data users.
Evaluation of TokenGen algorithm
The data user runs this algorithm to encrypt his keyword in a trapdoor for secure searching on the cloud. Fig 7a shows the time taken by each scheme for the encryption of the query keyword. Both CP-ABSE and CP-ABKS are linearly proportional to the data user’s attributes set, which incur high computation overhead. Our proposed scheme embeds constant delegated key components instead of each individual’s attribute. In this way, our proposed scheme avoids the linearity problem of ABE and performs efficiently.
(a) TokenGen algorithm, (b) Search algorithm.
Evaluation of search algorithm
When the cloud server receives the trapdoor query from the data user, it needs to perform two kinds of checks; first, it needs to find out if this data user possesses the attributes corresponding to each leaf node of . Second, check out if it has the stored index equal to the query token . Fig 7b shows the average running time for both these steps. We run each scheme for a different value of N, where N is the set of attributes that is labeled with the access tree of the ciphertext. From Fig 7b, we can see that the running time for all the schemes linearly increases for both the index keywords and N. With only three operations in the token confirmation phase and complete avoidance of costly pairing operation in access conformation, our proposed scheme performs better in searching, which is the key performance indicator for any searching schemes.
Conclusion
This paper proposed an EFG-KSS scheme, free from costly bilinear pairing operations during the search and expensive Lagrange interpolation for secret reconstruction. Our scheme also supports the updation of the access control policy without completely re-encrypt the ciphertext. The security proof is provided under the Decisional Bilinear Diffe-Helmen (DBDH) assumption. The experimental results show that the proposed scheme gains better communication overhead along with low computation costs. As future work, we would like to make it privacy-preserving ABKS, enabling the data owner to encrypt the data without explicitly embedding the access control structure in the ciphertext.
References
- 1. Hua J, Zhu H, Wang F, Liu X, Lu R, Li H, et al. CINEMA: Efficient and privacy-preserving online medical primary diagnosis with skyline query. IEEE Internet of Things Journal. 2018;6(2):1450–1461.
- 2. Yang JJ, Li JQ, Niu Y. A hybrid solution for privacy preserving medical data sharing in the cloud environment. Future Generation Computer Systems. 2015;43:74–86.
- 3. Li H, Liu D, Dai Y, Luan TH, Shen XS. Enabling efficient multi-keyword ranked search over encrypted mobile cloud data through blind storage. IEEE Transactions on Emerging Topics in Computing. 2014;3(1):127–138.
- 4. Li J, Chen X. Efficient multi-user keyword search over encrypted data in cloud computing. Computing and Informatics. 2013;32(4):723–738.
- 5. Wang S, Zhang X, Zhang Y. Efficiently multi-user searchable encryption scheme with attribute revocation and grant for cloud storage. PloS one. 2016;11(11):e0167157. pmid:27898703
- 6. Curtmola R, Garay J, Kamara S, Ostrovsky R. Searchable symmetric encryption: improved definitions and efficient constructions. Journal of Computer Security. 2011;19(5):895–934.
- 7.
Cheung L, Newport C. Provably secure ciphertext policy ABE. In: Proceedings of the 14th ACM conference on Computer and communications security; 2007. p. 456–465.
- 8. Fan CI, Huang VSM, Ruan HM. Arbitrary-state attribute-based encryption with dynamic membership. IEEE Transactions on Computers. 2013;63(8):1951–1961.
- 9. Mao X, Lai J, Mei Q, Chen K, Weng J. Generic and efficient constructions of attribute-based encryption with verifiable outsourced decryption. IEEE Transactions on dependable and secure computing. 2015;13(5):533–546.
- 10.
Kiayias A, Oksuz O, Russell A, Tang Q, Wang B. Efficient encrypted keyword search for multi-user data sharing. In: European symposium on research in computer security. Springer; 2016. p. 173–195.
- 11. Han F, Qin J, Zhao H, Hu J. A general transformation from KP-ABE to searchable encryption. Future Generation Computer Systems. 2014;30:107–115.
- 12.
Lai J, Zhou X, Deng RH, Li Y, Chen K. Expressive search on encrypted data. In: Proceedings of the 8th ACM SIGSAC symposium on Information, computer and communications security; 2013. p. 243–252.
- 13. Zhang B, Zhang F. An efficient public key encryption with conjunctive-subset keywords search. Journal of Network and Computer Applications. 2011;34(1):262–267.
- 14.
Lv Z, Hong C, Zhang M, Feng D. Expressive and secure searchable encryption in the public key setting. In: International Conference on Information Security. Springer; 2014. p. 364–376.
- 15. Wang S, Jia S, Zhang Y. Verifiable and multi-keyword searchable attribute-based encryption scheme for cloud storage. IEEE Access. 2019;7:50136–50147.
- 16. Peng T, Liu Q, Hu B, Liu J, Zhu J. Dynamic keyword search with hierarchical attributes in cloud computing. IEEE Access. 2018;6:68948–68960.
- 17. Wang S, Zhang D, Zhang Y, Liu L. Efficiently revocable and searchable attribute-based encryption scheme for mobile cloud storage. IEEE Access. 2018;6:30444–30457.
- 18.
Dong Q, Guan Z, Chen Z. Attribute-based keyword search efficiency enhancement via an online/offline approach. In: 2015 IEEE 21st International Conference on Parallel and Distributed Systems (ICPADS). IEEE; 2015. p. 298–305.
- 19.
Li X, Tian H, Ning J. Secure online/offline attribute-based encryption for IoT users in cloud computing. In: International Conference on Provable Security. Springer; 2019. p. 347–354.
- 20.
Hijawi U, Unal D, Hamila R, Gastli A, Ellabban O. Performance Evaluation of No-Pairing ECC-Based KPABE on IoT Platforms. In: 2020 IEEE International Conference on Informatics, IoT, and Enabling Technologies (ICIoT). IEEE; 2020. p. 225–230.
- 21. Khan S, Khan S, Zareei M, Alanazi F, Kama N, Alam M, et al. ABKS-PBM: Attribute-Based Keyword Search With Partial Bilinear Map. IEEE Access. 2021;9:46313–46324.
- 22.
Song DX, Wagner D, Perrig A. Practical techniques for searches on encrypted data. In: Proceeding 2000 IEEE Symposium on Security and Privacy. S&P 2000. IEEE; 2000. p. 44–55.
- 23. Fu Z, Wu X, Guan C, Sun X, Ren K. Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement. IEEE Transactions on Information Forensics and Security. 2016;11(12):2706–2716.
- 24. Wang Q, Peng L, Xiong H, Sun J, Qin Z. Ciphertext-policy attribute-based encryption with delegated equality test in cloud computing. IEEE Access. 2017;6:760–771.
- 25. Zhu H, Wang L, Ahmad H, Niu X. Key-policy attribute-based encryption with equality test in cloud computing. IEEE Access. 2017;5:20428–20439.
- 26. Zhang Y, Deng RH, Shu J, Yang K, Zheng D. TKSE: Trustworthy keyword search over encrypted data with two-side verifiability via blockchain. IEEE Access. 2018;6:31077–31087.
- 27.
Zheng Q, Xu S, Ateniese G. VABKS: verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM 2014-IEEE conference on computer communications. IEEE; 2014. p. 522–530.
- 28.
Menezes AJ, Van Oorschot PC, Vanstone SA. Handbook of applied cryptography. CRC press; 2018.
- 29. Yin H, Qin Z, Ou L, Li K. A query privacy-enhanced and secure search scheme over encrypted data in cloud computing. Journal of Computer and System Sciences. 2017;90:14–27.
- 30. Yin H, Zhang J, Xiong Y, Ou L, Li F, Liao S, et al. CP-ABSE: A ciphertext-policy attribute-based searchable encryption scheme. IEEE Access. 2019;7:5682–5694.