Secure and Efficient Conjunctive Keyword Search Scheme without Secure Channel

Abstract

Conjunctive keyword search encryption is an important technique for protecting sensitive data that is outsourced to cloud servers. However, the process of searching outsourced data may facilitate the leakage of sensitive data. Thus, an efficient data search approach with high security is critical. To solve this problem, an efficient conjunctive keyword search scheme based on ciphertext-policy attribute-based encryption is proposed for cloud storage environment. This paper proposes an efficient mechanism for removing the secure channel and resisting off-line keyword-guessing attacks. The storage overhead and the computational complexity are regardless of the number of keywords. This scheme is proved adaptively secure based on the decisional bilinear Diffie-Hellman assumption in the standard model. Finally, the results of theoretical analysis and experimental simulation show that the proposed scheme has advantages in security, storage overhead and efficiency, and it is more suitable for practical applications.

1. Introduction

Cloud storage is a new concept that extends and develops in the concept of cloud computing [1], and it is a new network storage technology [2]. We know that the direct control power of outsourced data is deprived from the data owners (DO). So, the data should be encrypted before stored to the cloud storage. Whatever, it may severely hinder several functionalities that users are accustomed to receiving from the cloud storage. For instance, it is impossible to search the encrypted data. One solution for this problem is the use of searchable encryption schemes.

There are two categories of searchable encryption schemes: symmetric encryption with keyword search and public key encryption with keyword search (PEKS). Song et al. [3] proposed the first symmetric encryption scheme with keyword search. Boneh et al. [4] proposed the first PEKS. For a network with too many users, PEKS is better than symmetric encryption scheme with keyword search.

In order to reduce the search scope and improve the query performance, mulit-keywords search capability is very important. Therefore, Golle et al. [5] proposed a conjunctive field keyword search scheme, which assumed that n keyword fields are associated with each document. Zhang et al. [6] proposed a conjunctive-subset keyword search algorithm that enables users to list keywords in any order. Lai et al. [7] proposed a PEKS based on the key-policy attribute-based encryption scheme, which is very efficient and has a strong expression.

The above schemes require a secure channel to transfer the trapdoor between the data users (DU) and the cloud service provider (CSP). And heavy computational and communication loads, such as a Secure Sockets Layer (SSL) between the DU and the CSP, are typically required to establish a secure channel. Aiming at solving this problem, Baek et al. [8] considered removing the secure channel and proposed a secure channel-free PEKS(SCF-PEKS). In this scheme, the CSP maintains its public key and private key. The DO generates the keyword ciphertexts based on the public key of the CSP. The CSP having the corresponding private key can run the Test algorithm.

Byun et al. [9] indicated that the scheme proposed by Baek [8] may be attacked by off-line keyword guessing attacks. It is because that the keyword space is much smaller than the password space. Then, Rhee et al. [10] constructed a new secure SCF-PEKS scheme against keyword guessing attacks. But the security proof of the scheme is not in the standard model. Yang et al. [11] proposed a scheme that supports the conjunctive keyword search and resists off-line keyword guessing attacks. However, this scheme uses a significantly complex assumption. Liang et al. [12] proposed a searchable attribute-based proxy re-encryption system, which is able to achieve fine-grained access control. At the same time, the encrypted data is also searchable.

Contribution. Based on the above analyses, an efficient conjunctive keyword search scheme without a secure channel is proposed for the cloud storage environment, which is called searchable encryption with conjunctive keyword search (SE-CKS). We propose an efficient mechanism for removing the secure channel and resisting off-line keyword guessing attacks. The DU is connected to the CSP via an unsecure communication channel, such as a GPRS network. The basic concept is for the server to maintain its private and public key pairs. By referencing the access structure [13] of ciphertext policy attribute-based encryption (CP-ABE) [14], the DO constructs the search policies using the keywords of the data files, generates keyword ciphertexts through the public keys of the server and the receiver, and the nuploads the keyword ciphertexts to the CSP. The keyword set L is used to search the data files, and the AA then generates a trapdoor for the DU. The DU can then send the trapdoor to retrieve data associated with the keyword list and send it via a public channel. After receiving the trapdoor, the CSP can test whether the provided ciphertexts match the trapdoor using its private key. Our scheme is proved adaptively secure based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model. The results of theoretical analysis and experimental simulation show that the proposed scheme has advantages in security, storage overhead and efficiency, and it is more suitable for practical applications.

The remainder of this paper is organized as follows: In Section 2, we describe the formal definition and security model. In Section 3, we propose the concrete SE-CKS scheme and analyse the security of the proposed generic construction. In Section 4, we describe the performance comparison. In Section 5, we present the conclusions.

2. Formal Definition and Security Model

2.1 Formal Definition of SE-CKS

The SE-CKS scheme contains six polynomial time algorithms: GlobalSetup , AASetup , CSP KeyGen , EncIndex , Trapdoor and Test . These algorithms are presented as follows:

\(\text {GlobalSetup}\left(1^{\lambda}\right) \rightarrow G P\) : The algorithm is executed by the trusted authority center (AC) and it takes the security parameter λ as input. It returns the global parameter GP .

\(A A \operatorname{Setup}(G P, U) \rightarrow(P K, M S K)\) : It takes GP and keyword set U as inputs. It returns the AA’s public key PK and master private key MSK , respectively.

\(\operatorname{Key} \operatorname{Gen}_{C S P}(G P) \rightarrow\left(p k_{C S P}, s k_{C S P}\right)\) : It takes GP as input and returns the CSP’s public key \(p k_{C S P}\) and private key\(S k_{C S P}\) , respectively.

\(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right) \rightarrow C T\) : It takes GP , PK , \(p k_{C S P}\) , the search policies W based on keywords as inputs. It returns the ciphertext CT .

\(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right) \rightarrow T D_{L}\) : It takes GP , CSP pk , MSK , the keyword list L asinputs and outputs a trapdoor \(T D_{L}\) .

\(\text {Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow(0,1)\) : It takes GP . \(s k_{C S P}\) , CT , \(T D_{L}\) as inputs and determines whether L satisfies W . If L satisfies W , it returns 1; Otherwise, it returns 0.

2.2 Security Model of SE-CKS

Definition 1. Consistency [15]. Assume that the adversary \(\mathcal{A}\) wants to cause a failure inconsistency. Consistency is formally defined as follows:

Setup: The simulator \(\mathcal{B}\) executes \(\text {GlobalSetup}\left(1^{\lambda}\right), \text { AASetup}(G P, U), \text { KeyGen}_{C S P}(G P)\) .

Phase 1: \(\mathcal{A}\) submits a keyword list L and a search policies W based on keywords, where \(L | \neq W\) . Then, \(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right)\) and \(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right)\) are executed.

Challenge: \(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right)\) is executed, where\(L | \neq W\) .

Guess: If \(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\) , then the adversary \(\mathcal{A}\) wins the game. 

The advantage of \(\mathcal{A}\) is defined as:

\(A d v_{A}^{\mathrm{cons}}(\lambda):=\operatorname{Pr}\left[\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\right]\)       (1)

If the advantage of all polynomial time adversaries is negligible in above game, then the SE-CKS scheme is computationally consistent.

Compared with traditional conjunctive keyword search, our scheme is based on CP-ABE. Therefore, the security model must be redefined. According to the definition of the CP-ABE security model and the characteristics of our scheme, this paper presents a new security game model for our conjunctive keyword search scheme. Note that there are two types of adversaries in this scheme, namely CSP and the outside attacker (including the receiver). Informally, indistinguishability of secure channel free against chosen keyword attack(IND-CF-CKA) guarantees the adversary, which has not obtained the trapdoors for given keywords, cannot distinguish the keywords. When the adversary \(\mathcal{A}\) is the CSP, \(\mathcal{A}\) can obtain the CSP’s private key. When the adversary \(\mathcal{A}\) is the outside attacker, the adversary \(\mathcal{A}\) can not obtain the CSP’s private key. Therefore, the CSP has a stronger attack capability than the outside attacker. And this paper only proves that the CSP cannot attack the SE-CKS scheme. The definition of IND-CF-CKA is formalized according to a security game between the adversary \(\mathcal{A}\) and the simulator \(\mathcal{B}\) .

Definition 2. IND-CF-CKA. We consider the following game between \(\mathcal{A}\) and \(\mathcal{B}\) .

Setup: The simulator \(\mathcal{B}\) executes \(\text {GlobalSetup}\left(1^{\lambda}\right), \text { AASetup}(G P, U), \text { KeyGen_ss }(G P)\) to obtain the global parameter GP , AA’s public key PK and master private key MSK , CSP’s public key \(p k_{c s p}\) and private key \(S K_{C S P}\) . Then, \(\mathcal{B}\) provides (\(p k_{C S P}, s k_{C S P}\))  and PK to \(\mathcal{A}\) .

Phase 1: The adversary \(\mathcal{A}\) submits a keyword list L in a trapdoor query \(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right)\) , where \(L\left|\neq W_{0} \wedge L\right| \neq W_{1}\). The simulator \(\mathcal{B}\) answers with a trapdoor for the keyword list L . Note that these queries can be adaptively repeated.

Challenge: The simulator \(\mathcal{B}\) chooses \(w \in\{0,1\}\) and executes \(\text {Enclndex}\left(G P, P K, p k_{C S P}, W_{w}\right)\) . The simulator \(\mathcal{B}\) provides the ciphertext CT to \(\mathcal{A}\) .

Phase 2: It is the same as Phase 1.\(\mathcal{A}\) sends L′ to the simulator \(\mathcal{B}\) for a query. Thesimulator \(\mathcal{B}\) answers with a trapdoor for the keyword list. Notice that \(L^{\prime}\left|\neq W_{0} \wedge L^{\prime}\right| \neq W_{1}\) .

Guess: \(\mathcal{A}\) outputs the guess \(w^{\prime} \in\{0,1\}\) . \(\mathcal{A}\) wins if \(w^{\prime}=w\) .

The advantage of \(\mathcal{A}\) is defined as:

\(A d v_{A}(\lambda):=\left|\operatorname{Pr}\left(w^{\prime}=w\right)-1 / 2\right|\)       (2)

The SE-CKS scheme is said to be IND-CF-CKA secure if the advantage of all polynomial time adversaries is negligible in above game

Definition 3. Off-Line Keyword Guessing Attacks on SE-CKS.

Because a trapdoor is sent without a secure channel, an outside adversary is capable of capturing the trapdoor and performing off-line keyword guessing attacks. The attacker may reveal the encrypted keyword list that is used by the receiver to search for a data. Similarly, an inside adversary (malicious server) can perform the attack to reveal the keyword in the trapdoor and execute the Test algorithm to determine the ciphertext that contains the keyword list. However, the outside adversary is unable to distinguish ciphertexts from encrypting aspecific keyword list because the Test phase requires the server’s private key.

A SE-CKS scheme that is secure against keyword guessing attacks, where the attacker is the server, cannot be constructed [16]. Therefore, in this work, we do not consider the keyword guessing attacks of an inside adversary.

3. SE-CKS Scheme

3.1 Search Policy

The access policy [13] is as follows: Assume that the set of attributes in universe \(U=\left\{a t t_{1}, a t t_{2}, \cdots, a t t_{n}\right\}\) contains n attributes. Each attribute i att can take two values: 1 and 0. Assume that \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) is a set of attributes for a user, which is called the attribute list. AA generates a user’s secret key through \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\). Assume that \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) is an access policy for a ciphertext. Formally, the attribute list \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) for a user and the access policy \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) for a ciphertext are given. For all \(i(1 \leq i \leq n)\), if \(L_{i}=W_{i}\)or \(W_{i}=*\) , L satisfies W , which is represented by the notation \(L |=W\) . Otherwise, L does not satisfy W , which is represented by the notation \(L | \neq W\) . The wildcard “*” represents “do not care". For instance, we can let \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]=[0, *, 1, *, 1,0]\) , where n=6 . If a user has L=[0,1,1, 0,1, 0] , he can obtain a secret key associated with L=[0,1,1, 0,1, 0] and decrypt the ciphertext encrypted with W=[0,*,1,*,1, 0]. But the user with L=[0,1,1,0,1,1] cannot decrypt the ciphertext encrypted with W=[0,*,1,*,1, 0].

Compared with the access policy [13], we let \(U=\left\{k w_{1}, k w_{2}, \cdots, k w_{n}\right\}\) represent the set of keywords of data file that replace the attributes. W is the search policy based on the keywords. For all \(i(1 \leq i \leq n)\), each keyword \(k w_{i}\) can take two or more values. More formally, assume that \(S_{i}=\left\{v_{i, 1}, v_{i, 2}, \cdots, v_{i, n_{i}}\right\}\)is the set of all possible values for \(k w_{i}\) , where\(\boldsymbol{n}_{i}\) is the number of the possible values for \(k w_{i}\) , specifically\(n_{i}=\left|S_{i}\right|\) . When the encryptor specifies a wildcard * for W_i, this action corresponds to specify \(W_{i}=S_{i}\) . We achieve keyword privacy by hiding the subset W_i for each keyword \(k w_{i}\) that is specified in the search policy of the AND-gate of all keywords.

3.2 Concrete Construction

The six polynomial time algorithms of SE-CKS are as follows:

\(\text {GlobalSetup}\left(1^{\lambda}\right) \rightarrow G P\) : The AC generates the tuple \(\mathbb{G}=\left[p, q, N=p q, G, G_{T}, e\right]\) with \(G \times G \rightarrow G_{T}\), where G and G_T are cyclic groups of order \(N=p q \cdot g_{p}\)and \(g_{q}\)are the generators of \(G_{p}\) and \(G_{q}\) , respectively. The global parameter is\(G P=\left[p, r, g_{p}, g_{q}, N=p q, G, G_{T}, e\right].\)

\(A A \operatorname{Setup}(G P, U) \rightarrow(P K, M S K)\) : Randomly choose \(\alpha \in Z_{N}^{*}, a^{\prime}, g_{2} \in G_{p}, R_{0}, R_{1} \in G_{q}\) and compute \(g_{1}=g_{p}^{\alpha}\) . For each keyword\(k w_{i} \in U\) , where \(1 \leq i \leq n\) , AA chooses random values\(\left\{a_{i, t} \in Z_{N}^{*}\right\}_{1 \leq t \leq n_{i}}\) and\(\left\{R_{i, t} \in G_{q}\right\}_{1 \leq t \leq n_{i}}\). AA’s master private key is \(M S K=\left[\alpha, a^{\prime}, g_{2},\left\{a_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\right]\).

AA’s public key is \(P K=\left[Y=e\left(g_{1}, g_{2}\right), A_{0}=g_{p} \cdot R_{0}, A^{\prime}=a^{\prime} R_{1},\left\{A_{i, t}=g_{p}^{a_{1 j}} \cdot R_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\right].\)

\(\operatorname{Key} \operatorname{Gen}_{C S P}(G P) \rightarrow\left(p k_{C S P}, s k_{C S P}\right)\) : Uniformly and randomly choose \(\beta \in Z_{N}^{*}\) and compute \(B=g_{p}^{\beta}\). The CSP’s public key is\(p k_{C S P}=[B]\) . The CSP’s private key is \(s k_{C S P}=[\beta].\)
\(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right) \rightarrow C T\) : Choose a search policy based on the keywords \(W=\left[W_{1}, \cdots, W_{n}\right]\) . The DO selects random values \(\boldsymbol{S} \in Z_{N}^{*}\) and \(R_{0}^{\prime}, R_{1}^{\prime} \in G_{q}\) , then the ciphertext is \(C T=\left[C=Y^{s}, C_{0}=A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}, C_{1}=\left(A^{\prime} \Pi_{v, s \in W} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right].\)

\(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right) \rightarrow T D_{L}\) : The DU uses \(L=\left[L_{1}, \cdots, L_{n}\right]=\left[v_{1, i_{1}}, \cdots, v_{n, t_{n}}\right]\) to obtain the corresponding secret key for searching, which is regarded as the searching trapdoor. The AA selects a value \(r \in Z_{N}^{*}\) . The searching trapdoor is: \(T D_{L}=\left[D_{0}=g_{p}^{r} \cdot B^{r}, D_{1}=g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{v, s t} a_{i j}}\right)^{r}\right]\)

\(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow(0,1)\) : The DU sends \(T D_{L}\) to the CSP for implementing the search request. Then, the CSP tests whether \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) is true. If it is true, then return 1; Otherwise, return 0.

Note that in Trapdoor algorithm, this paper assumes , \(\forall L, L^{\prime}\left(L \neq L^{\prime}\right), \sum_{v_{i, j e L}} a_{i, t} \neq \sum_{v_{i, j e l}}, a_{i, t}\) . Emura et al. [17] gave the result that this assumption holds with overwhelming probability \(P_{\text {assump}}\left(>1-N_{0}^{2} / N\right), \text { where } N_{0}=\left|S_{i}\right|^{n}\) .

Correctness. Let the ciphertext be \(C T=\left[C, C_{0}, C_{1}\right]\) , which is associated with the search policy \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) based on keywords. The trapdoor is \(T D_{L}=\left[D_{0}, D_{1}\right]\) . This process produces the equation:

\(\begin{aligned} &\frac{e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}}{e\left(D_{1}, C_{0}\right)}\\ &=\frac{e\left(g_{p}^{r} \cdot B^{r},\left(A^{\prime} \prod_{\eta_{i}, \mathrm{EW}} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot C^{\beta+1}}{e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{w_{p c} a} a_{i j}}\right)^{r}, A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}\right)}\\ &\begin{array}{l} =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime} R_{1,} \prod_{n, \in W} g_{p}^{a_{1}} \cdot R_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot C^{\beta+1}}{e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{m_{1}} a c^{a_{1}}}\right)^{r},\left(g_{p} \cdot R_{0}\right)^{s} \cdot g_{p}^{\beta s} \cdot R_{0}^{\prime}\right)} \\ =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{1}, E^{\prime} W} g_{p}^{a_{u}, s}\right) \cdot e\left(g_{1}, g_{2}\right)^{s(\beta+1)}}{e\left(\left(a^{\prime} \cdot g_{p}^{\sum_{w_{j} c t}^{a_{j}}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(g_{2}^{\alpha},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)} \\ =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{w_{i} \in \mathbb{V}} g_{p}^{a, s}\right)}{e\left(\left(a^{\prime}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(\left(g_{p}^{\sum_{w_{j} c^{a_{i j}}}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)}=1 \end{array} \end{aligned}\)       (3)

That is \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) ⋅ .

3.3 Security Analysis

Theorem 1. SE-CKS is computationally consistent.

Proof: Assume that an adversary \(\mathcal{A}\) can attack the computational consistency of SE-CKS. Let \((W, L)\) denote the search policy based on keywords and the keyword list for the DU. At the same time, assume that L does not satisfy W . The the consistency game is as follows:

Select random values \(s \in Z_{N}^{*} \text { and } R_{0}^{\prime}, R_{1}^{\prime} \in G_{q}\) . Compute \(C=Y^{s}, \quad C_{0}=A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}, C_{1}=\left(A^{\prime} \Pi_{v, s \in W} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}, D_{0}=g_{p}^{r} \cdot B^{r}, D_{1}=g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{n, s t} a_{1 j}}\right)^{r},\), where \(r \in Z_{N}^{*}\) .

If L does not satisfy W and \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) holds, then \(\mathcal{A}\) wins the game. Assume that \(L_{k} \not \vDash W_{k}\) , then \(a_{k, t_{1}}=z_{1}\) in \(L_{k}\) and \(a_{k, t_{2}}=z_{2}\) in \(W_{k}\) .

\(\begin{aligned} &e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\\ &\Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime} R_{1} \prod_{n, e W} g_{p}^{a_{1}}, R_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot e\left(g_{1}, g_{2}\right)^{s(\beta+1)}=e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j e l}} a_{i j}}\right)^{r},\left(g_{p} \cdot R_{0}\right)^{s} \cdot g_{p}^{\beta s} \cdot R_{0}^{\prime}\right)\\ &\Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i} \in W} g_{p}^{a_{1} s}\right)=e\left(\left(a^{\prime} \cdot g_{p}^{\left.\sum_{w_{j} c} a^{a_{i}}\right)}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)\\ &\begin{array}{l} \Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i}, \epsilon^{\prime} W} g_{p}^{a_{1}, s}\right)=e\left(\left(a^{\prime}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(\left(g_{p}^{\left.\sum_{\eta_{p} c t}^{a_{i}}\right)}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \\ \Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i}, \in W} g_{p}^{a_{u}, s}\right)=e\left(\left(g_{p}^{\sum_{w_{j} c c} a_{i j}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \end{array}\\ &\Leftrightarrow e\left(g_{p}, g_{p}^{\sum_{w, \text { ar }} a_{i j}}\right)^{\mathrm{rs}(\beta+1)}=e\left(g_{p}^{\sum_{n y t} a_{i j}}, g_{p}\right)^{\mathrm{rs}(\beta+1)}\\ &\Leftrightarrow \sum_{v_{1}, \in W} a_{i, t}-\sum_{v_{1}, \epsilon L L} a_{i, t}=0\\ &\Leftrightarrow z_{1}-z_{2}=0 \end{aligned}\)       (4)

Because the DU does not know the secret value \(z_{1} \quad \text { and } \quad z_{2} \quad \text { in } \quad Z_{N}^{*}\) . Hence, \(\operatorname{Pr}\left[z_{1}=z_{2}\right]=1 /(N-1)\) , where N − 1 is the total number of all elements in\(Z_{N}^{*}\) . When \(L \not \vDash W\)and \(\text {Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\) , the advantage of the adversary \(\mathcal{A}\) winning the above game is:

\(A d v_{A}^{c o n s}(\lambda)=\operatorname{Pr}\left[z_{1}=z_{2}\right] \leq 1 /(N-1)\)       (5)

Theorem 2. If the \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) DBDH assumption holds, then SE-CKS is \((t, \theta, \varepsilon)\)-IND-CF-CKA secure in the standard model, where \(N_{0}=\left|S_{i}\right|^{n}\) is the number of all possible expressed search policies.

Proof: If an \((t, \theta, \varepsilon)\) adversary \(\mathcal{A}\) can break through SE-CKS, then a simulator \(\mathcal{B}\) can be constructed to solve the DBDH problem with the advantage no less than \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) . The DBDH challenger \(\mathcal{C}\) selects \(a, b, c \in Z_{N}^{*}, \quad v \in\{0,1\}, g_{p}, g_{q}, \)  where \(\left\langle g_{p}\right\rangle=G_{p},\left\langle g_{q}\right\rangle=G_{q}\) . If \(v=0\) , then \(Z=e\left(g_{p}, g_{p}\right)^{a b c}\) ; if \(v=1\) , then \(Z=e\left(g_{p}, g_{p}\right)^{2}\) . The security game based on the tuple \(\left[g_{p}, g_{r}, g_{p}^{a}, g_{p}^{b}, g_{p}^{c}, Z\right]\) is simulated between the adversary \(\mathcal{A}\) and the simulator \(\mathcal{B}\) .

Setup: \(\mathcal{B}\) computes \(u=4 \theta\) and randomly chooses an value \(k \in\{0, \cdots, n\}\) . Then \(\mathcal{B}\) chooses, \(\left\{x_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\) , where , \(x_{i, t} \in(0, \cdots, u-1), \quad x^{\prime} \in(0, \cdots, u-1)\) . Additionally, \(\mathcal{B}\) chooses \(y^{\prime} \in Z_{N}^{*}\) and\(\left\{\mathrm{Y}_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\) , where \(y_{i, t} \in Z_{N}^{*}\) .

Define functions \(F(L)=(N-u k)+x^{\prime}+\sum_{v_{i} \in L L} x_{i, t}(\bmod N)\) and \(J(L)=y^{\prime}+\sum_{v_{i} \in L} y_{i, t}(\bmod N)\) for the attribute list L . Then, if \(x^{\prime}+\sum_{v_{i, t} \in L} x_{i, t} \equiv 0(\bmod u)\) , we define a binary function \(B(L)=0\) ; Otherwise, \(B(L)=1\) .

\(\mathcal{B}\) assigns \(g_{1}=g_{p}^{a}, g_{2}=g_{p}^{b}\) and chooses \(r^{\prime} \in Z_{N}^{*}, r_{i, t} \in Z_{N}^{*}, R_{1} \in G_{r}\). Then it outputs the AA’s PK parameters \(\left\{A_{i, t}=g_{2}^{x_{i}} g_{p}^{y_{i t}} g_{q}^{n_{i}}\right\}_{1 \mathrm{s} i \mathrm{s} n, 1} \mathrm{s} t_{1 s n_{i}} \quad, \quad Y=e\left(g_{1}, g_{2}\right) \quad, \quad A_{0}=g_{p} \cdot R_{1}, A^{\prime}=g_{2}^{p-u k+x^{\prime}} g_{p}^{y^{\prime}} g_{q}^{r^{\prime}}\) . Here PK implies that\(a_{i, t}=b x_{i, t}+y_{i, t}\) . \(\mathcal{B}\) selects \(\delta \in Z_{N}\) and computes \(B=g_{p}^{\delta}\). Establish the CSP’s public key \(p k_{C S P}=(B)\) and the CSP’s private key \(s k_{C S P}=(\delta)\). Finally, \(\mathcal{B}\) provides \(\left(P K, p k_{C S P}, s k_{C S P}\right)\) to \(\mathcal{A}\) .

Phase 1: \(\mathcal{A}\) submits the keyword list \(L=\left[L_{1}, \cdots, L_{n}\right]\) in a trapdoor query. If \(B(L)=0\) ,\(\mathcal{B}\) stops the game and outputs a random value v′ as the guess of v . Otherwise, \(\mathcal{B}\) chooses \(r \in Z_{N}^{*}\) and computes:

\(D_{0}=\left(g_{1}^{\frac{-1}{F(L)}} g_{p}^{r}\right)^{\delta+1}, D_{1}=g_{1}^{\frac{-J(L)}{F(L)}}\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j c l}} a_{i j}}\right)^{r}\)       (6)

where \(a^{\prime}=g_{2}^{F(L)-\sum_{n, t \in \iota}^{x_{i, t}}} g_{p}^{y^{\prime}}\) .

Let \(\tilde{r}=r-a / F(L)\) . Then we have:

\(\begin{aligned} D_{1} &=g_{1}^{\frac{-J(L)}{F(L)}}\left(a^{\prime} \cdot g_{p}^{\sum_{n, s c} a_{i t}}\right)^{r} \\ &=g_{1}^{\frac{-J(L)}{F(L)}}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r} \\ &=g_{2}^{a}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{\frac{-a}{F(L)}}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r} \\ &=g_{2}^{a}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r-\frac{a}{F(L)}} \\ &=g_{2}^{a}\left(a^{\prime} \cdot g_{p}^{\sum_{v, s e t}^{a_{i t}}}\right)^{\hat{r}} \end{aligned}\)       (7)

Then verify if \(D_{0}=\left(g_{1}^{\frac{-1}{F(L)}} g_{p}^{r}\right)^{\delta+1}=\left(g_{p}^{r-\frac{a}{F(L)}}\right)^{\delta+1}=\left(g_{p}^{\tilde{r}}\right)^{\delta+1}=g_{p}^{\tilde{r}} \cdot\left(g_{p}^{\delta}\right)^{\tilde{r}}=g_{p}^{\tilde{r}} \cdot B^{\tilde{r}}\) .

Iff \(F(L) \neq 0 \bmod N\) , \(\mathcal{B}\) can complete the above calculation process. And only when \(B(L) \neq 0(B(L) \neq 0 \text { implies } F(L) \neq 0)\), the game continues.

Challenge: \(\mathcal{A}\) submits two search policies \(W_{0}, W_{1}\) . \(\mathcal{B}\) randomly selects \(w \in\{0,1\}\) . If\(x^{\prime}+\sum_{v_{i, t} \in W_{w_{i}}} x_{i, t} \neq u k\) , \(\mathcal{B}\) stops the game and outputs a random value v′ ; Otherwise, \(F\left(W_{w}\right) \equiv 0(\bmod N)\) holds. Next, \(\mathcal{B}\) chooses \(R_{0} \in G_{r}, r_{c} \in Z_{N}^{*} \cdot r_{c}\)can be written in the form\(r_{c}=c r^{\prime \prime}+r_{0}\) for some unknown r₀ , where \(c, r^{\prime \prime} \in Z_{N}^{*}, r^{\prime \prime}=r^{\prime}+\sum_{v_{j} \in W_{w}} r_{i, t}\) . We let \(g_{q}^{\prime \prime}=R_{1}^{\prime}\) , then the ciphertext is \(C T=\left[C=Z, C_{0}=\mathrm{C}^{\beta+1} \cdot R_{0}, C_{1}=C^{J\left(W_{w}\right)} g_{q}^{k}\right]\) .

The correctness of the ciphertext is verified as follows:

\(C_{0}=\mathrm{C}^{\beta+1} R_{0}=g_{p}^{c(\beta+1)} R_{0}=g_{p}^{c} \cdot g_{p}^{\beta c} \cdot R_{0}=g_{p}^{c} \cdot B^{c} \cdot R_{0}\)       (8)

 

\(\begin{aligned} C_{1} &=C^{J\left(W_{*}\right)} g_{r}^{r c}=\left(\mathrm{g}_{2}^{F\left(W_{*}\right)} \mathrm{g}_{p}^{J\left(W_{*}\right)} \mathrm{g}_{q}^{r^{*}}\right)^{c} \mathrm{R}_{1}^{\prime} \\ &=\left(\mathrm{g}_{2}^{F\left(W_{v}\right)-\sum_{\eta_{j} d \sigma^{\prime} \sigma_{v}}^{x_{j}}} \mathrm{g}_{p}^{\prime \prime} \mathrm{g}_{q}^{\prime} \prod_{v_{j, t} \in W_{w}}\left(\mathrm{g}_{p}^{a_{i j}} \mathrm{g}_{q}^{\eta_{j}}\right)\right)^{c} \mathrm{R}_{1}^{\prime} \\ &=\left(a^{\prime} \mathrm{g}_{q}^{\prime} \Pi_{v_{j, \epsilon} \in W_{w}} A_{i, t}\right)^{c} \mathrm{R}_{1}^{\prime}=\left(A^{\prime} \Pi_{v_{j, \epsilon} W_{w}} A_{i, t}\right)^{c} \mathrm{R}_{1}^{\prime} \end{aligned}\)      (9)

Phase 2: It is the same as Phase 1.

Guess: \(\mathcal{A}\) outputs the guess \(w^{\prime} \in\{0,1\}\) . If \(w^{\prime}=w\) , \(\mathcal{B}\) outputs v^' = 0; Otherwise, \(\mathcal{B}\) outputs v^' = 1.

Analysis. If \(Z=e\left(g_{p}, g_{p}\right)^{a b c}\) then \(C=\left(g_{p}^{a}, g_{p}^{b}\right)^{c}\) . The CT is a valid ciphertext index based on \(W_{w}\) . So, \(\mathcal{A}\) has the advantage ε to solve the problem. Hence, \(\operatorname{Pr}\left[w^{\prime}=w | e\left(g_{p}, g_{p}\right)^{a b c}\right]=1 / 2+\varepsilon\) . If \(Z=e\left(g_{p}, g_{p}\right)^{2}\) , the adversary \(\mathcal{A}\) cannot distinguish w . Hence, \(\operatorname{Pr}\left[w^{\prime}=w | e\left(g_{p}, g_{p}\right)^{z}\right]=1 / 2\) . We can see that the game will not abort if\(x^{\prime}+\sum_{v_{i, t} \in L} x_{i, t} \neq 0(\bmod u)\) and\(x^{\prime}+\sum_{v_{j} \in W_{w}} x_{i, t}=u k(\bmod N)\) hold.

Inspired by literature [18], \(\mathcal{B}\) ’s advantage is at least \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) in the above game.

Theorem 3. SE-CKS is secure against off-line keyword guessing attacks.

Proof: Suppose the outside adversary \(\mathcal{A}\) exists who can intercept and capture the trapdoor \(T D_{L}\) . \(\mathcal{A}\) can obtain the parameter GP , AA’s public key PK and CSP’s public key \(p k_{C S P}=(B)\) from the public network.

Aiming at obtaining the encrypted keywords, \(\mathcal{A}\) selects the keyword list \(\hat{L}\) and initiates the keyword guessing attacks as follows:

\(\begin{aligned} &Y \cdot e\left(D_{0}, \Pi A^{\prime} \hat{A}_{i, t}\right)=e\left(g_{p}, D_{1}\right)\\ &e\left(g_{1}, g_{2}\right) e\left(g_{p}^{r} B^{r}, \prod a^{\prime} R_{1} g_{p}^{\hat{a}_{1}, R} R_{i, t}\right)=e\left(g_{p}, g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{n_{j} c c} a_{i j}}\right)^{r}\right)\\ &\begin{array}{c} e\left(g_{1}, g_{2}\right) e\left(g_{p}^{r} g_{p}^{r \beta}, \prod a^{\prime} g_{p}^{\dot{a}_{1}}\right)=e\left(g_{p}, g_{2}^{\alpha}\right) e\left(g_{p},\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j} c L} a_{i j}}\right)^{r}\right) \\ e\left(g_{p}^{r(\beta+1)}, \prod a^{\prime} g_{p}^{\hat{a}_{i, j}}\right)=e\left(g_{p},\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j, c L}} a_{i, j}}\right)^{r}\right) \end{array}\\ &e\left(g_{p}^{r(\beta+1)}, a^{\prime}\right) e\left(g_{p}^{r(\beta+1)}, \prod g_{p}^{\dot{a}_{\mu}}\right)=e\left(g_{p},\left(a^{\prime}\right)^{r}\right) e\left(g_{p},\left(g_{p}^{\sum_{\eta, c t}^{a_{i j}}}\right)^{r}\right)\\ &e\left(g_{p}^{r(\beta+1)}, a^{\prime}\right) e\left(g_{p}^{r(\beta+1)}, g_{p}^{\sum_{a_{1}, t_{1}}}\right)^{\prime}=e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum_{n_{1}, c c} a_{i,}}\right)\\ &\left(e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum \hat{a}_{i j}}\right)\right)^{(\beta+1)}=e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum_{n, c c} a_{i, j}}\right) \end{aligned}\)       (10)

In these derivations, \(\mathcal{A}\) does not know the AA’s private key β. So, \(\mathcal{A}\) cannot break SE-CKS through initiating keyword guessing attacks.

4. Performance Comparison

This section compares SE-CKS with other schemes in terms of the features, storage overhead and computational efficiency. In the comparison process, let |p| be the size of the element in \(Z_p\) , let |N| be the size of the element in \(Z_N\), let |λ| be the size of the security parameter λ, let |S| be the number of attributes in an attribute set, let |g| and | g_T| be the size of the element in G and G_T , respectively ( |g₁| and |g₂| are denoted by |g|). Let n indicate the total number of keywords in the system, let l indicate the row number of M in the scheme [7].

4.1 Features Comparison

Table 1 shows a comparison of the features of certain aspects of the system. The schemes of Zhang and Liang are based on the prime order bilinear group. Lai’s scheme and our scheme are based on the composite order bilinear group. Under the same security, the computational efficiency of the composite order group is lower than that of the prime order group. The security of Zhang’s scheme and Liang’s scheme is based on the strong assumptions of p-DDHI, q-BDHEA, respectively. The security of Lai’s scheme is based on the static assumption of the composite order group. Our scheme’s security is based in the simple assumption of DBDH.

Zhang’s scheme does not provide proof of security. Liang’s scheme is selective security in the random oracle model (ROM). Lai’s scheme and our scheme are adaptive security in the standard model. Therefore, our scheme is stronger than the other three schemes in terms of security. Liang’s scheme does not support the multi-keywords search, which is supported in the other three schemes. In addition, our scheme removes the secure channel and can resist off-line keyword guessing attacks. The establishment of a secure channel requires a lot of computing resources.

Table 1. Features Comparison Features

 

4.2 Storage Overhead

Table 2 shows the comparison of the storage overhead on each entity in the system. To achieve the multi-user search, Liang’s scheme and our scheme require the AA to generate a master private key, which generates a trapdoor for each receiver. The main storage overhead on the AA is generated by the master key. In our scheme, the AA must generate a master key for each keyword value. Liang’s scheme only generates two elements in \(Z_p^{*}\) and two elements in G₁ . All public parameters contribute to the storage overhead on the owner. The storage overhead of all schemes is almost the same, it is \(\mathcal{O}(n)|g|+\mathcal{O}(1)\left|g_{T}\right|\) . The CSP is required to store the ciphertext. In our scheme, the CSP also needs to store a private key. In Zhang and Lai's schemes, the size of the ciphertext is linearly related to the number of keywords. Since Liang's scheme is based on the KP-ABE, the size of ciphertext is positively related to the size| | S of the attribute set. Our scheme is based on the CP-ABE, but the ciphertext length is a fixed value. Although the CSP requires an additional private key in our scheme, the storage overhead of the CSP is a fixed value \(\mathcal{O}(1)|g|+\mathcal{O}(1)\left|g_{r}\right|\) . The storage overhead of each receiver is associated with the trapdoor in the four scenarios. As with the situation of the ciphertext, the size of the trapdoor is linearly related to the number of keywords in Zhang and Lai's schemes. The size of trapdoor is positively related to the row number l of M in Liang'sscheme. The size of the trapdoor is a fixed value \(\mathcal{O}(1)|g|\) in our scheme. So the receiver has a smaller storage burden in our scheme.

Table 2. Comparison of Storage Overhead

 

4.3 Computational Efficiency

Experiment Setup: We conducted the experiment on a 64-bit Ubuntu 14.04 operating system with an Intel CoreTM i5-6200U (2.3 GHz) processor and 8 G RAM. The experimental codeuses the Pairing-based Cryptography Library (PBC-0.5.14) and cpabe-0.11 to implement the schemes. We employ the 160-bit elliptic curve group in the hyper-singular curves \(y^{2}=x^{3}+x\)based on 512-bit finite fields. Specifically, the pairing operation time of the PBC library is approximately 1.27s, and the exponential operation times of G and G_T are approximately 0.33s and 0.18s, respectively.

Table 3 shows a comparison of the execution time of Encryption, Trapdoor and Test. Because the time required for the multiplication operation is significantly smaller than the exponential operation, the multiplication time is omitted in Table 3. Assume that the keywords in the access structure are used for the phase of Test. The execution times of Encryption, Trapdoor and Test increase with an increase in the number of keywords in Lai ’s scheme. The time complexity of the Encryption, Trapdoor and Test in our scheme is a constant order. But Lai et al.’s scheme supports arbitrary monotone boolean predicates based on the linear secret sharing schemes (LSSS). And LSSS is a strong expressive access structure. Our scheme supports AND-gate access structure with multiple values. And the AND-gate access structure is a weak expressive access structure. In other words, Lai et al.’s scheme supports AND, OR and the threshold of keywords. Our scheme only supports AND of the keywords.

Table 3. Comparison of Computational Efficiency

 

The simulation experiment system is built, and the operation time is tested in the system. In the simulation process, the relationship between the number of keywords and the execution time of Encryption, Trapdoor and Test is tested. We select a 1 MB file and encrypt the file with a different number of keywords. We test the execution time of the Encryption, Trapdoor and Test processes as the number of keywords changes (from 1 to 20). All simulation results are the mean of 30 trials. According to this method, Lai’s scheme is simulated. The relationships are shown in Fig. 1. The horizontal axis represents the number of keywords in the search, and the vertical axis represents the execution time of Encryption, Trapdoor and Test.

 

Fig. 1. Comparison of Time with Different Number of Keywords

Fig. 1(a) plots the executed time of Encryption, which is executed by the data owner. Fig. 1(b) shows the execution time of Trapdoor. Fig. 1(c) shows the execution time of Test, whichis executed by the CSP. In Lai’s scheme, the executed times of Encryption, Trapdoor and Testincrease with the number of keywords. When the number of keywords changes from 1 to 20, the executed time is approximately linearly. But the executed time of Encryption, Trapdoorand Test is a fixed value in our scheme, which is not related to the number of keywords. It is consistent with the theoretical analysis in Table 3.

Through the experimental comparison, our scheme is superior to other schemes in terms of security. Our scheme is proved adaptively secure based on the simple assumption DBDH in the standard model. In terms of storage, the public key length of our scheme and other schemesis similar. But the sizes of ciphertext and trapdoor are smaller than other schemes, they are the fixed value in our scheme. In terms of efficiency, our scheme is constructed based on the composite order group, which is less efficient than the scheme based on the prime order group. But the operations of the Encryption, Trapdoor and Test are constant level, regardless of the number of keywords. When the keywords are more, the advantage of our scheme will be highlighted.

5. Conclusion

In this paper, we propose an efficient conjunctive keyword search scheme without a secure channel for the cloud storage environment, which is called SE-CKS. This scheme implements conjunctive keyword search based on CP-ABE. At the same time, we propose an efficient mechanism for removing the secure channel and resisting off-line keyword guessing attacks. The storage overhead of the CSP and DU are the fixed value and the amount of calculations of Encryption, Trapdoor and Test are constant level, regardless of the number of keywords. This scheme is proved adaptively secure based on the DBDH assumption in the standard model.

Finally, the results of theoretical analysis and experimental simulation show that the proposed scheme has advantages in security, storage overhead and efficiency, and it is more suitable for practical application.