1. Introduction
Cloud storage is a new concept that extends and develops in the concept of cloud computing [1], and it is a new network storage technology [2]. We know that the direct control power of outsourced data is deprived from the data owners (DO). So, the data should be encrypted before stored to the cloud storage. Whatever, it may severely hinder several functionalities that users are accustomed to receiving from the cloud storage. For instance, it is impossible to search the encrypted data. One solution for this problem is the use of searchable encryption schemes.
There are two categories of searchable encryption schemes: symmetric encryption with keyword search and public key encryption with keyword search (PEKS). Song et al. [3] proposed the first symmetric encryption scheme with keyword search. Boneh et al. [4] proposed the first PEKS. For a network with too many users, PEKS is better than symmetric encryption scheme with keyword search.
In order to reduce the search scope and improve the query performance, mulit-keywords search capability is very important. Therefore, Golle et al. [5] proposed a conjunctive field keyword search scheme, which assumed that n keyword fields are associated with each document. Zhang et al. [6] proposed a conjunctive-subset keyword search algorithm that enables users to list keywords in any order. Lai et al. [7] proposed a PEKS based on the key-policy attribute-based encryption scheme, which is very efficient and has a strong expression.
The above schemes require a secure channel to transfer the trapdoor between the data users (DU) and the cloud service provider (CSP). And heavy computational and communication loads, such as a Secure Sockets Layer (SSL) between the DU and the CSP, are typically required to establish a secure channel. Aiming at solving this problem, Baek et al. [8] considered removing the secure channel and proposed a secure channel-free PEKS(SCF-PEKS). In this scheme, the CSP maintains its public key and private key. The DO generates the keyword ciphertexts based on the public key of the CSP. The CSP having the corresponding private key can run the Test algorithm.
Byun et al. [9] indicated that the scheme proposed by Baek [8] may be attacked by off-line keyword guessing attacks. It is because that the keyword space is much smaller than the password space. Then, Rhee et al. [10] constructed a new secure SCF-PEKS scheme against keyword guessing attacks. But the security proof of the scheme is not in the standard model. Yang et al. [11] proposed a scheme that supports the conjunctive keyword search and resists off-line keyword guessing attacks. However, this scheme uses a significantly complex assumption. Liang et al. [12] proposed a searchable attribute-based proxy re-encryption system, which is able to achieve fine-grained access control. At the same time, the encrypted data is also searchable.
Contribution. Based on the above analyses, an efficient conjunctive keyword search scheme without a secure channel is proposed for the cloud storage environment, which is called searchable encryption with conjunctive keyword search (SE-CKS). We propose an efficient mechanism for removing the secure channel and resisting off-line keyword guessing attacks. The DU is connected to the CSP via an unsecure communication channel, such as a GPRS network. The basic concept is for the server to maintain its private and public key pairs. By referencing the access structure [13] of ciphertext policy attribute-based encryption (CP-ABE) [14], the DO constructs the search policies using the keywords of the data files, generates keyword ciphertexts through the public keys of the server and the receiver, and the nuploads the keyword ciphertexts to the CSP. The keyword set L is used to search the data files, and the AA then generates a trapdoor for the DU. The DU can then send the trapdoor to retrieve data associated with the keyword list and send it via a public channel. After receiving the trapdoor, the CSP can test whether the provided ciphertexts match the trapdoor using its private key. Our scheme is proved adaptively secure based on the decisional bilinear Diffie-Hellman (DBDH) assumption in the standard model. The results of theoretical analysis and experimental simulation show that the proposed scheme has advantages in security, storage overhead and efficiency, and it is more suitable for practical applications.
The remainder of this paper is organized as follows: In Section 2, we describe the formal definition and security model. In Section 3, we propose the concrete SE-CKS scheme and analyse the security of the proposed generic construction. In Section 4, we describe the performance comparison. In Section 5, we present the conclusions.
2. Formal Definition and Security Model
2.1 Formal Definition of SE-CKS
The SE-CKS scheme contains six polynomial time algorithms: GlobalSetup , AASetup , CSP KeyGen , EncIndex , Trapdoor and Test . These algorithms are presented as follows:
\(\text {GlobalSetup}\left(1^{\lambda}\right) \rightarrow G P\) : The algorithm is executed by the trusted authority center (AC) and it takes the security parameter λ as input. It returns the global parameter GP .
\(A A \operatorname{Setup}(G P, U) \rightarrow(P K, M S K)\) : It takes GP and keyword set U as inputs. It returns the AA’s public key PK and master private key MSK , respectively.
\(\operatorname{Key} \operatorname{Gen}_{C S P}(G P) \rightarrow\left(p k_{C S P}, s k_{C S P}\right)\) : It takes GP as input and returns the CSP’s public key \(p k_{C S P}\) and private key\(S k_{C S P}\) , respectively.
\(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right) \rightarrow C T\) : It takes GP , PK , \(p k_{C S P}\) , the search policies W based on keywords as inputs. It returns the ciphertext CT .
\(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right) \rightarrow T D_{L}\) : It takes GP , CSP pk , MSK , the keyword list L asinputs and outputs a trapdoor \(T D_{L}\) .
\(\text {Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow(0,1)\) : It takes GP . \(s k_{C S P}\) , CT , \(T D_{L}\) as inputs and determines whether L satisfies W . If L satisfies W , it returns 1; Otherwise, it returns 0.
2.2 Security Model of SE-CKS
Definition 1. Consistency [15]. Assume that the adversary \(\mathcal{A}\) wants to cause a failure inconsistency. Consistency is formally defined as follows:
Setup: The simulator \(\mathcal{B}\) executes \(\text {GlobalSetup}\left(1^{\lambda}\right), \text { AASetup}(G P, U), \text { KeyGen}_{C S P}(G P)\) .
Phase 1: \(\mathcal{A}\) submits a keyword list L and a search policies W based on keywords, where \(L | \neq W\) . Then, \(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right)\) and \(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right)\) are executed.
Challenge: \(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right)\) is executed, where\(L | \neq W\) .
Guess: If \(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\) , then the adversary \(\mathcal{A}\) wins the game.
The advantage of \(\mathcal{A}\) is defined as:
\(A d v_{A}^{\mathrm{cons}}(\lambda):=\operatorname{Pr}\left[\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\right]\) (1)
If the advantage of all polynomial time adversaries is negligible in above game, then the SE-CKS scheme is computationally consistent.
Compared with traditional conjunctive keyword search, our scheme is based on CP-ABE. Therefore, the security model must be redefined. According to the definition of the CP-ABE security model and the characteristics of our scheme, this paper presents a new security game model for our conjunctive keyword search scheme. Note that there are two types of adversaries in this scheme, namely CSP and the outside attacker (including the receiver). Informally, indistinguishability of secure channel free against chosen keyword attack(IND-CF-CKA) guarantees the adversary, which has not obtained the trapdoors for given keywords, cannot distinguish the keywords. When the adversary \(\mathcal{A}\) is the CSP, \(\mathcal{A}\) can obtain the CSP’s private key. When the adversary \(\mathcal{A}\) is the outside attacker, the adversary \(\mathcal{A}\) can not obtain the CSP’s private key. Therefore, the CSP has a stronger attack capability than the outside attacker. And this paper only proves that the CSP cannot attack the SE-CKS scheme. The definition of IND-CF-CKA is formalized according to a security game between the adversary \(\mathcal{A}\) and the simulator \(\mathcal{B}\) .
Definition 2. IND-CF-CKA. We consider the following game between \(\mathcal{A}\) and \(\mathcal{B}\) .
Setup: The simulator \(\mathcal{B}\) executes \(\text {GlobalSetup}\left(1^{\lambda}\right), \text { AASetup}(G P, U), \text { KeyGen_ss }(G P)\) to obtain the global parameter GP , AA’s public key PK and master private key MSK , CSP’s public key \(p k_{c s p}\) and private key \(S K_{C S P}\) . Then, \(\mathcal{B}\) provides (\(p k_{C S P}, s k_{C S P}\)) and PK to \(\mathcal{A}\) .
Phase 1: The adversary \(\mathcal{A}\) submits a keyword list L in a trapdoor query \(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right)\) , where \(L\left|\neq W_{0} \wedge L\right| \neq W_{1}\). The simulator \(\mathcal{B}\) answers with a trapdoor for the keyword list L . Note that these queries can be adaptively repeated.
Challenge: The simulator \(\mathcal{B}\) chooses \(w \in\{0,1\}\) and executes \(\text {Enclndex}\left(G P, P K, p k_{C S P}, W_{w}\right)\) . The simulator \(\mathcal{B}\) provides the ciphertext CT to \(\mathcal{A}\) .
Phase 2: It is the same as Phase 1.\(\mathcal{A}\) sends L′ to the simulator \(\mathcal{B}\) for a query. Thesimulator \(\mathcal{B}\) answers with a trapdoor for the keyword list. Notice that \(L^{\prime}\left|\neq W_{0} \wedge L^{\prime}\right| \neq W_{1}\) .
Guess: \(\mathcal{A}\) outputs the guess \(w^{\prime} \in\{0,1\}\) . \(\mathcal{A}\) wins if \(w^{\prime}=w\) .
The advantage of \(\mathcal{A}\) is defined as:
\(A d v_{A}(\lambda):=\left|\operatorname{Pr}\left(w^{\prime}=w\right)-1 / 2\right|\) (2)
The SE-CKS scheme is said to be IND-CF-CKA secure if the advantage of all polynomial time adversaries is negligible in above game
Definition 3. Off-Line Keyword Guessing Attacks on SE-CKS.
Because a trapdoor is sent without a secure channel, an outside adversary is capable of capturing the trapdoor and performing off-line keyword guessing attacks. The attacker may reveal the encrypted keyword list that is used by the receiver to search for a data. Similarly, an inside adversary (malicious server) can perform the attack to reveal the keyword in the trapdoor and execute the Test algorithm to determine the ciphertext that contains the keyword list. However, the outside adversary is unable to distinguish ciphertexts from encrypting aspecific keyword list because the Test phase requires the server’s private key.
A SE-CKS scheme that is secure against keyword guessing attacks, where the attacker is the server, cannot be constructed [16]. Therefore, in this work, we do not consider the keyword guessing attacks of an inside adversary.
3. SE-CKS Scheme
3.1 Search Policy
The access policy [13] is as follows: Assume that the set of attributes in universe \(U=\left\{a t t_{1}, a t t_{2}, \cdots, a t t_{n}\right\}\) contains n attributes. Each attribute i att can take two values: 1 and 0. Assume that \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) is a set of attributes for a user, which is called the attribute list. AA generates a user’s secret key through \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\). Assume that \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) is an access policy for a ciphertext. Formally, the attribute list \(L=\left[L_{1}, L_{2}, \cdots, L_{n}\right]\) for a user and the access policy \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) for a ciphertext are given. For all \(i(1 \leq i \leq n)\), if \(L_{i}=W_{i}\)or \(W_{i}=*\) , L satisfies W , which is represented by the notation \(L |=W\) . Otherwise, L does not satisfy W , which is represented by the notation \(L | \neq W\) . The wildcard “*” represents “do not care". For instance, we can let \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]=[0, *, 1, *, 1,0]\) , where n=6 . If a user has L=[0,1,1, 0,1, 0] , he can obtain a secret key associated with L=[0,1,1, 0,1, 0] and decrypt the ciphertext encrypted with W=[0,*,1,*,1, 0]. But the user with L=[0,1,1,0,1,1] cannot decrypt the ciphertext encrypted with W=[0,*,1,*,1, 0].
Compared with the access policy [13], we let \(U=\left\{k w_{1}, k w_{2}, \cdots, k w_{n}\right\}\) represent the set of keywords of data file that replace the attributes. W is the search policy based on the keywords. For all \(i(1 \leq i \leq n)\), each keyword \(k w_{i}\) can take two or more values. More formally, assume that \(S_{i}=\left\{v_{i, 1}, v_{i, 2}, \cdots, v_{i, n_{i}}\right\}\)is the set of all possible values for \(k w_{i}\) , where\(\boldsymbol{n}_{i}\) is the number of the possible values for \(k w_{i}\) , specifically\(n_{i}=\left|S_{i}\right|\) . When the encryptor specifies a wildcard * for Wi, this action corresponds to specify \(W_{i}=S_{i}\) . We achieve keyword privacy by hiding the subset Wi for each keyword \(k w_{i}\) that is specified in the search policy of the AND-gate of all keywords.
3.2 Concrete Construction
The six polynomial time algorithms of SE-CKS are as follows:
\(\text {GlobalSetup}\left(1^{\lambda}\right) \rightarrow G P\) : The AC generates the tuple \(\mathbb{G}=\left[p, q, N=p q, G, G_{T}, e\right]\) with \(G \times G \rightarrow G_{T}\), where G and GT are cyclic groups of order \(N=p q \cdot g_{p}\)and \(g_{q}\)are the generators of \(G_{p}\) and \(G_{q}\) , respectively. The global parameter is\(G P=\left[p, r, g_{p}, g_{q}, N=p q, G, G_{T}, e\right].\)
\(A A \operatorname{Setup}(G P, U) \rightarrow(P K, M S K)\) : Randomly choose \(\alpha \in Z_{N}^{*}, a^{\prime}, g_{2} \in G_{p}, R_{0}, R_{1} \in G_{q}\) and compute \(g_{1}=g_{p}^{\alpha}\) . For each keyword\(k w_{i} \in U\) , where \(1 \leq i \leq n\) , AA chooses random values\(\left\{a_{i, t} \in Z_{N}^{*}\right\}_{1 \leq t \leq n_{i}}\) and\(\left\{R_{i, t} \in G_{q}\right\}_{1 \leq t \leq n_{i}}\). AA’s master private key is \(M S K=\left[\alpha, a^{\prime}, g_{2},\left\{a_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\right]\).
AA’s public key is \(P K=\left[Y=e\left(g_{1}, g_{2}\right), A_{0}=g_{p} \cdot R_{0}, A^{\prime}=a^{\prime} R_{1},\left\{A_{i, t}=g_{p}^{a_{1 j}} \cdot R_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\right].\)
\(\operatorname{Key} \operatorname{Gen}_{C S P}(G P) \rightarrow\left(p k_{C S P}, s k_{C S P}\right)\) : Uniformly and randomly choose \(\beta \in Z_{N}^{*}\) and compute \(B=g_{p}^{\beta}\). The CSP’s public key is\(p k_{C S P}=[B]\) . The CSP’s private key is \(s k_{C S P}=[\beta].\)
\(\text {Enclndex}\left(G P, P K, p k_{C S P}, W\right) \rightarrow C T\) : Choose a search policy based on the keywords \(W=\left[W_{1}, \cdots, W_{n}\right]\) . The DO selects random values \(\boldsymbol{S} \in Z_{N}^{*}\) and \(R_{0}^{\prime}, R_{1}^{\prime} \in G_{q}\) , then the ciphertext is \(C T=\left[C=Y^{s}, C_{0}=A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}, C_{1}=\left(A^{\prime} \Pi_{v, s \in W} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right].\)
\(\text {Trapdoor}\left(G P, p k_{C S P}, M S K, L\right) \rightarrow T D_{L}\) : The DU uses \(L=\left[L_{1}, \cdots, L_{n}\right]=\left[v_{1, i_{1}}, \cdots, v_{n, t_{n}}\right]\) to obtain the corresponding secret key for searching, which is regarded as the searching trapdoor. The AA selects a value \(r \in Z_{N}^{*}\) . The searching trapdoor is: \(T D_{L}=\left[D_{0}=g_{p}^{r} \cdot B^{r}, D_{1}=g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{v, s t} a_{i j}}\right)^{r}\right]\)
\(\operatorname{Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow(0,1)\) : The DU sends \(T D_{L}\) to the CSP for implementing the search request. Then, the CSP tests whether \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) is true. If it is true, then return 1; Otherwise, return 0.
Note that in Trapdoor algorithm, this paper assumes , \(\forall L, L^{\prime}\left(L \neq L^{\prime}\right), \sum_{v_{i, j e L}} a_{i, t} \neq \sum_{v_{i, j e l}}, a_{i, t}\) . Emura et al. [17] gave the result that this assumption holds with overwhelming probability \(P_{\text {assump}}\left(>1-N_{0}^{2} / N\right), \text { where } N_{0}=\left|S_{i}\right|^{n}\) .
Correctness. Let the ciphertext be \(C T=\left[C, C_{0}, C_{1}\right]\) , which is associated with the search policy \(W=\left[W_{1}, W_{2}, \cdots, W_{n}\right]\) based on keywords. The trapdoor is \(T D_{L}=\left[D_{0}, D_{1}\right]\) . This process produces the equation:
\(\begin{aligned} &\frac{e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}}{e\left(D_{1}, C_{0}\right)}\\ &=\frac{e\left(g_{p}^{r} \cdot B^{r},\left(A^{\prime} \prod_{\eta_{i}, \mathrm{EW}} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot C^{\beta+1}}{e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{w_{p c} a} a_{i j}}\right)^{r}, A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}\right)}\\ &\begin{array}{l} =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime} R_{1,} \prod_{n, \in W} g_{p}^{a_{1}} \cdot R_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot C^{\beta+1}}{e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{m_{1}} a c^{a_{1}}}\right)^{r},\left(g_{p} \cdot R_{0}\right)^{s} \cdot g_{p}^{\beta s} \cdot R_{0}^{\prime}\right)} \\ =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{1}, E^{\prime} W} g_{p}^{a_{u}, s}\right) \cdot e\left(g_{1}, g_{2}\right)^{s(\beta+1)}}{e\left(\left(a^{\prime} \cdot g_{p}^{\sum_{w_{j} c t}^{a_{j}}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(g_{2}^{\alpha},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)} \\ =\frac{e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{w_{i} \in \mathbb{V}} g_{p}^{a, s}\right)}{e\left(\left(a^{\prime}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(\left(g_{p}^{\sum_{w_{j} c^{a_{i j}}}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)}=1 \end{array} \end{aligned}\) (3)
That is \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) ⋅ .
3.3 Security Analysis
Theorem 1. SE-CKS is computationally consistent.
Proof: Assume that an adversary \(\mathcal{A}\) can attack the computational consistency of SE-CKS. Let \((W, L)\) denote the search policy based on keywords and the keyword list for the DU. At the same time, assume that L does not satisfy W . The the consistency game is as follows:
Select random values \(s \in Z_{N}^{*} \text { and } R_{0}^{\prime}, R_{1}^{\prime} \in G_{q}\) . Compute \(C=Y^{s}, \quad C_{0}=A_{0}^{s} \cdot B^{s} \cdot R_{0}^{\prime}, C_{1}=\left(A^{\prime} \Pi_{v, s \in W} A_{i, t}\right)^{s} \cdot R_{1}^{\prime}, D_{0}=g_{p}^{r} \cdot B^{r}, D_{1}=g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{n, s t} a_{1 j}}\right)^{r},\), where \(r \in Z_{N}^{*}\) .
If L does not satisfy W and \(e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\) holds, then \(\mathcal{A}\) wins the game. Assume that \(L_{k} \not \vDash W_{k}\) , then \(a_{k, t_{1}}=z_{1}\) in \(L_{k}\) and \(a_{k, t_{2}}=z_{2}\) in \(W_{k}\) .
\(\begin{aligned} &e\left(D_{0}, C_{1}\right) \cdot C^{\beta+1}=e\left(D_{1}, C_{0}\right)\\ &\Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime} R_{1} \prod_{n, e W} g_{p}^{a_{1}}, R_{i, t}\right)^{s} \cdot R_{1}^{\prime}\right) \cdot e\left(g_{1}, g_{2}\right)^{s(\beta+1)}=e\left(g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j e l}} a_{i j}}\right)^{r},\left(g_{p} \cdot R_{0}\right)^{s} \cdot g_{p}^{\beta s} \cdot R_{0}^{\prime}\right)\\ &\Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i} \in W} g_{p}^{a_{1} s}\right)=e\left(\left(a^{\prime} \cdot g_{p}^{\left.\sum_{w_{j} c} a^{a_{i}}\right)}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right)\\ &\begin{array}{l} \Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r},\left(a^{\prime}\right)^{s}\right) \cdot e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i}, \epsilon^{\prime} W} g_{p}^{a_{1}, s}\right)=e\left(\left(a^{\prime}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \cdot e\left(\left(g_{p}^{\left.\sum_{\eta_{p} c t}^{a_{i}}\right)}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \\ \Leftrightarrow e\left(g_{p}^{r} \cdot g_{p}^{\beta r}, \prod_{v_{i}, \in W} g_{p}^{a_{u}, s}\right)=e\left(\left(g_{p}^{\sum_{w_{j} c c} a_{i j}}\right)^{r},\left(g_{p}\right)^{s} \cdot g_{p}^{\beta s}\right) \end{array}\\ &\Leftrightarrow e\left(g_{p}, g_{p}^{\sum_{w, \text { ar }} a_{i j}}\right)^{\mathrm{rs}(\beta+1)}=e\left(g_{p}^{\sum_{n y t} a_{i j}}, g_{p}\right)^{\mathrm{rs}(\beta+1)}\\ &\Leftrightarrow \sum_{v_{1}, \in W} a_{i, t}-\sum_{v_{1}, \epsilon L L} a_{i, t}=0\\ &\Leftrightarrow z_{1}-z_{2}=0 \end{aligned}\) (4)
Because the DU does not know the secret value \(z_{1} \quad \text { and } \quad z_{2} \quad \text { in } \quad Z_{N}^{*}\) . Hence, \(\operatorname{Pr}\left[z_{1}=z_{2}\right]=1 /(N-1)\) , where N − 1 is the total number of all elements in\(Z_{N}^{*}\) . When \(L \not \vDash W\)and \(\text {Test}\left(G P, s k_{C S P}, C T, T D_{L}\right) \rightarrow 1\) , the advantage of the adversary \(\mathcal{A}\) winning the above game is:
\(A d v_{A}^{c o n s}(\lambda)=\operatorname{Pr}\left[z_{1}=z_{2}\right] \leq 1 /(N-1)\) (5)
Theorem 2. If the \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) DBDH assumption holds, then SE-CKS is \((t, \theta, \varepsilon)\)-IND-CF-CKA secure in the standard model, where \(N_{0}=\left|S_{i}\right|^{n}\) is the number of all possible expressed search policies.
Proof: If an \((t, \theta, \varepsilon)\) adversary \(\mathcal{A}\) can break through SE-CKS, then a simulator \(\mathcal{B}\) can be constructed to solve the DBDH problem with the advantage no less than \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) . The DBDH challenger \(\mathcal{C}\) selects \(a, b, c \in Z_{N}^{*}, \quad v \in\{0,1\}, g_{p}, g_{q}, \) where \(\left\langle g_{p}\right\rangle=G_{p},\left\langle g_{q}\right\rangle=G_{q}\) . If \(v=0\) , then \(Z=e\left(g_{p}, g_{p}\right)^{a b c}\) ; if \(v=1\) , then \(Z=e\left(g_{p}, g_{p}\right)^{2}\) . The security game based on the tuple \(\left[g_{p}, g_{r}, g_{p}^{a}, g_{p}^{b}, g_{p}^{c}, Z\right]\) is simulated between the adversary \(\mathcal{A}\) and the simulator \(\mathcal{B}\) .
Setup: \(\mathcal{B}\) computes \(u=4 \theta\) and randomly chooses an value \(k \in\{0, \cdots, n\}\) . Then \(\mathcal{B}\) chooses, \(\left\{x_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\) , where , \(x_{i, t} \in(0, \cdots, u-1), \quad x^{\prime} \in(0, \cdots, u-1)\) . Additionally, \(\mathcal{B}\) chooses \(y^{\prime} \in Z_{N}^{*}\) and\(\left\{\mathrm{Y}_{i, t}\right\}_{1 \leq i \leq n, 1 \leq t \leq n_{i}}\) , where \(y_{i, t} \in Z_{N}^{*}\) .
Define functions \(F(L)=(N-u k)+x^{\prime}+\sum_{v_{i} \in L L} x_{i, t}(\bmod N)\) and \(J(L)=y^{\prime}+\sum_{v_{i} \in L} y_{i, t}(\bmod N)\) for the attribute list L . Then, if \(x^{\prime}+\sum_{v_{i, t} \in L} x_{i, t} \equiv 0(\bmod u)\) , we define a binary function \(B(L)=0\) ; Otherwise, \(B(L)=1\) .
\(\mathcal{B}\) assigns \(g_{1}=g_{p}^{a}, g_{2}=g_{p}^{b}\) and chooses \(r^{\prime} \in Z_{N}^{*}, r_{i, t} \in Z_{N}^{*}, R_{1} \in G_{r}\). Then it outputs the AA’s PK parameters \(\left\{A_{i, t}=g_{2}^{x_{i}} g_{p}^{y_{i t}} g_{q}^{n_{i}}\right\}_{1 \mathrm{s} i \mathrm{s} n, 1} \mathrm{s} t_{1 s n_{i}} \quad, \quad Y=e\left(g_{1}, g_{2}\right) \quad, \quad A_{0}=g_{p} \cdot R_{1}, A^{\prime}=g_{2}^{p-u k+x^{\prime}} g_{p}^{y^{\prime}} g_{q}^{r^{\prime}}\) . Here PK implies that\(a_{i, t}=b x_{i, t}+y_{i, t}\) . \(\mathcal{B}\) selects \(\delta \in Z_{N}\) and computes \(B=g_{p}^{\delta}\). Establish the CSP’s public key \(p k_{C S P}=(B)\) and the CSP’s private key \(s k_{C S P}=(\delta)\). Finally, \(\mathcal{B}\) provides \(\left(P K, p k_{C S P}, s k_{C S P}\right)\) to \(\mathcal{A}\) .
Phase 1: \(\mathcal{A}\) submits the keyword list \(L=\left[L_{1}, \cdots, L_{n}\right]\) in a trapdoor query. If \(B(L)=0\) ,\(\mathcal{B}\) stops the game and outputs a random value v′ as the guess of v . Otherwise, \(\mathcal{B}\) chooses \(r \in Z_{N}^{*}\) and computes:
\(D_{0}=\left(g_{1}^{\frac{-1}{F(L)}} g_{p}^{r}\right)^{\delta+1}, D_{1}=g_{1}^{\frac{-J(L)}{F(L)}}\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j c l}} a_{i j}}\right)^{r}\) (6)
where \(a^{\prime}=g_{2}^{F(L)-\sum_{n, t \in \iota}^{x_{i, t}}} g_{p}^{y^{\prime}}\) .
Let \(\tilde{r}=r-a / F(L)\) . Then we have:
\(\begin{aligned} D_{1} &=g_{1}^{\frac{-J(L)}{F(L)}}\left(a^{\prime} \cdot g_{p}^{\sum_{n, s c} a_{i t}}\right)^{r} \\ &=g_{1}^{\frac{-J(L)}{F(L)}}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r} \\ &=g_{2}^{a}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{\frac{-a}{F(L)}}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r} \\ &=g_{2}^{a}\left(g_{2}^{F(L)} g_{p}^{J(L)}\right)^{r-\frac{a}{F(L)}} \\ &=g_{2}^{a}\left(a^{\prime} \cdot g_{p}^{\sum_{v, s e t}^{a_{i t}}}\right)^{\hat{r}} \end{aligned}\) (7)
Then verify if \(D_{0}=\left(g_{1}^{\frac{-1}{F(L)}} g_{p}^{r}\right)^{\delta+1}=\left(g_{p}^{r-\frac{a}{F(L)}}\right)^{\delta+1}=\left(g_{p}^{\tilde{r}}\right)^{\delta+1}=g_{p}^{\tilde{r}} \cdot\left(g_{p}^{\delta}\right)^{\tilde{r}}=g_{p}^{\tilde{r}} \cdot B^{\tilde{r}}\) .
Iff \(F(L) \neq 0 \bmod N\) , \(\mathcal{B}\) can complete the above calculation process. And only when \(B(L) \neq 0(B(L) \neq 0 \text { implies } F(L) \neq 0)\), the game continues.
Challenge: \(\mathcal{A}\) submits two search policies \(W_{0}, W_{1}\) . \(\mathcal{B}\) randomly selects \(w \in\{0,1\}\) . If\(x^{\prime}+\sum_{v_{i, t} \in W_{w_{i}}} x_{i, t} \neq u k\) , \(\mathcal{B}\) stops the game and outputs a random value v′ ; Otherwise, \(F\left(W_{w}\right) \equiv 0(\bmod N)\) holds. Next, \(\mathcal{B}\) chooses \(R_{0} \in G_{r}, r_{c} \in Z_{N}^{*} \cdot r_{c}\)can be written in the form\(r_{c}=c r^{\prime \prime}+r_{0}\) for some unknown r0 , where \(c, r^{\prime \prime} \in Z_{N}^{*}, r^{\prime \prime}=r^{\prime}+\sum_{v_{j} \in W_{w}} r_{i, t}\) . We let \(g_{q}^{\prime \prime}=R_{1}^{\prime}\) , then the ciphertext is \(C T=\left[C=Z, C_{0}=\mathrm{C}^{\beta+1} \cdot R_{0}, C_{1}=C^{J\left(W_{w}\right)} g_{q}^{k}\right]\) .
The correctness of the ciphertext is verified as follows:
\(C_{0}=\mathrm{C}^{\beta+1} R_{0}=g_{p}^{c(\beta+1)} R_{0}=g_{p}^{c} \cdot g_{p}^{\beta c} \cdot R_{0}=g_{p}^{c} \cdot B^{c} \cdot R_{0}\) (8)
\(\begin{aligned} C_{1} &=C^{J\left(W_{*}\right)} g_{r}^{r c}=\left(\mathrm{g}_{2}^{F\left(W_{*}\right)} \mathrm{g}_{p}^{J\left(W_{*}\right)} \mathrm{g}_{q}^{r^{*}}\right)^{c} \mathrm{R}_{1}^{\prime} \\ &=\left(\mathrm{g}_{2}^{F\left(W_{v}\right)-\sum_{\eta_{j} d \sigma^{\prime} \sigma_{v}}^{x_{j}}} \mathrm{g}_{p}^{\prime \prime} \mathrm{g}_{q}^{\prime} \prod_{v_{j, t} \in W_{w}}\left(\mathrm{g}_{p}^{a_{i j}} \mathrm{g}_{q}^{\eta_{j}}\right)\right)^{c} \mathrm{R}_{1}^{\prime} \\ &=\left(a^{\prime} \mathrm{g}_{q}^{\prime} \Pi_{v_{j, \epsilon} \in W_{w}} A_{i, t}\right)^{c} \mathrm{R}_{1}^{\prime}=\left(A^{\prime} \Pi_{v_{j, \epsilon} W_{w}} A_{i, t}\right)^{c} \mathrm{R}_{1}^{\prime} \end{aligned}\) (9)
Phase 2: It is the same as Phase 1.
Guess: \(\mathcal{A}\) outputs the guess \(w^{\prime} \in\{0,1\}\) . If \(w^{\prime}=w\) , \(\mathcal{B}\) outputs v' = 0; Otherwise, \(\mathcal{B}\) outputs v' = 1.
Analysis. If \(Z=e\left(g_{p}, g_{p}\right)^{a b c}\) then \(C=\left(g_{p}^{a}, g_{p}^{b}\right)^{c}\) . The CT is a valid ciphertext index based on \(W_{w}\) . So, \(\mathcal{A}\) has the advantage ε to solve the problem. Hence, \(\operatorname{Pr}\left[w^{\prime}=w | e\left(g_{p}, g_{p}\right)^{a b c}\right]=1 / 2+\varepsilon\) . If \(Z=e\left(g_{p}, g_{p}\right)^{2}\) , the adversary \(\mathcal{A}\) cannot distinguish w . Hence, \(\operatorname{Pr}\left[w^{\prime}=w | e\left(g_{p}, g_{p}\right)^{z}\right]=1 / 2\) . We can see that the game will not abort if\(x^{\prime}+\sum_{v_{i, t} \in L} x_{i, t} \neq 0(\bmod u)\) and\(x^{\prime}+\sum_{v_{j} \in W_{w}} x_{i, t}=u k(\bmod N)\) hold.
Inspired by literature [18], \(\mathcal{B}\) ’s advantage is at least \(\left(1-N_{0}^{2} / N\right)(\varepsilon / 16(n+1) \theta)\) in the above game.
Theorem 3. SE-CKS is secure against off-line keyword guessing attacks.
Proof: Suppose the outside adversary \(\mathcal{A}\) exists who can intercept and capture the trapdoor \(T D_{L}\) . \(\mathcal{A}\) can obtain the parameter GP , AA’s public key PK and CSP’s public key \(p k_{C S P}=(B)\) from the public network.
Aiming at obtaining the encrypted keywords, \(\mathcal{A}\) selects the keyword list \(\hat{L}\) and initiates the keyword guessing attacks as follows:
\(\begin{aligned} &Y \cdot e\left(D_{0}, \Pi A^{\prime} \hat{A}_{i, t}\right)=e\left(g_{p}, D_{1}\right)\\ &e\left(g_{1}, g_{2}\right) e\left(g_{p}^{r} B^{r}, \prod a^{\prime} R_{1} g_{p}^{\hat{a}_{1}, R} R_{i, t}\right)=e\left(g_{p}, g_{2}^{\alpha}\left(a^{\prime} \cdot g_{p}^{\sum_{n_{j} c c} a_{i j}}\right)^{r}\right)\\ &\begin{array}{c} e\left(g_{1}, g_{2}\right) e\left(g_{p}^{r} g_{p}^{r \beta}, \prod a^{\prime} g_{p}^{\dot{a}_{1}}\right)=e\left(g_{p}, g_{2}^{\alpha}\right) e\left(g_{p},\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j} c L} a_{i j}}\right)^{r}\right) \\ e\left(g_{p}^{r(\beta+1)}, \prod a^{\prime} g_{p}^{\hat{a}_{i, j}}\right)=e\left(g_{p},\left(a^{\prime} \cdot g_{p}^{\sum_{\eta_{j, c L}} a_{i, j}}\right)^{r}\right) \end{array}\\ &e\left(g_{p}^{r(\beta+1)}, a^{\prime}\right) e\left(g_{p}^{r(\beta+1)}, \prod g_{p}^{\dot{a}_{\mu}}\right)=e\left(g_{p},\left(a^{\prime}\right)^{r}\right) e\left(g_{p},\left(g_{p}^{\sum_{\eta, c t}^{a_{i j}}}\right)^{r}\right)\\ &e\left(g_{p}^{r(\beta+1)}, a^{\prime}\right) e\left(g_{p}^{r(\beta+1)}, g_{p}^{\sum_{a_{1}, t_{1}}}\right)^{\prime}=e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum_{n_{1}, c c} a_{i,}}\right)\\ &\left(e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum \hat{a}_{i j}}\right)\right)^{(\beta+1)}=e\left(g_{p}^{r}, a^{\prime}\right) e\left(g_{p}^{r}, g_{p}^{\sum_{n, c c} a_{i, j}}\right) \end{aligned}\) (10)
In these derivations, \(\mathcal{A}\) does not know the AA’s private key β. So, \(\mathcal{A}\) cannot break SE-CKS through initiating keyword guessing attacks.
4. Performance Comparison
This section compares SE-CKS with other schemes in terms of the features, storage overhead and computational efficiency. In the comparison process, let |p| be the size of the element in \(Z_p\) , let |N| be the size of the element in \(Z_N\), let |λ| be the size of the security parameter λ, let |S| be the number of attributes in an attribute set, let |g| and | gT| be the size of the element in G and GT , respectively ( |g1| and |g2| are denoted by |g|). Let n indicate the total number of keywords in the system, let l indicate the row number of M in the scheme [7].
4.1 Features Comparison
Table 1 shows a comparison of the features of certain aspects of the system. The schemes of Zhang and Liang are based on the prime order bilinear group. Lai’s scheme and our scheme are based on the composite order bilinear group. Under the same security, the computational efficiency of the composite order group is lower than that of the prime order group. The security of Zhang’s scheme and Liang’s scheme is based on the strong assumptions of p-DDHI, q-BDHEA, respectively. The security of Lai’s scheme is based on the static assumption of the composite order group. Our scheme’s security is based in the simple assumption of DBDH.
Zhang’s scheme does not provide proof of security. Liang’s scheme is selective security in the random oracle model (ROM). Lai’s scheme and our scheme are adaptive security in the standard model. Therefore, our scheme is stronger than the other three schemes in terms of security. Liang’s scheme does not support the multi-keywords search, which is supported in the other three schemes. In addition, our scheme removes the secure channel and can resist off-line keyword guessing attacks. The establishment of a secure channel requires a lot of computing resources.
Table 1. Features Comparison Features
4.2 Storage Overhead
Table 2 shows the comparison of the storage overhead on each entity in the system. To achieve the multi-user search, Liang’s scheme and our scheme require the AA to generate a master private key, which generates a trapdoor for each receiver. The main storage overhead on the AA is generated by the master key. In our scheme, the AA must generate a master key for each keyword value. Liang’s scheme only generates two elements in \(Z_p^{*}\) and two elements in G1 . All public parameters contribute to the storage overhead on the owner. The storage overhead of all schemes is almost the same, it is \(\mathcal{O}(n)|g|+\mathcal{O}(1)\left|g_{T}\right|\) . The CSP is required to store the ciphertext. In our scheme, the CSP also needs to store a private key. In Zhang and Lai's schemes, the size of the ciphertext is linearly related to the number of keywords. Since Liang's scheme is based on the KP-ABE, the size of ciphertext is positively related to the size| | S of the attribute set. Our scheme is based on the CP-ABE, but the ciphertext length is a fixed value. Although the CSP requires an additional private key in our scheme, the storage overhead of the CSP is a fixed value \(\mathcal{O}(1)|g|+\mathcal{O}(1)\left|g_{r}\right|\) . The storage overhead of each receiver is associated with the trapdoor in the four scenarios. As with the situation of the ciphertext, the size of the trapdoor is linearly related to the number of keywords in Zhang and Lai's schemes. The size of trapdoor is positively related to the row number l of M in Liang'sscheme. The size of the trapdoor is a fixed value \(\mathcal{O}(1)|g|\) in our scheme. So the receiver has a smaller storage burden in our scheme.
Table 2. Comparison of Storage Overhead
4.3 Computational Efficiency
Experiment Setup: We conducted the experiment on a 64-bit Ubuntu 14.04 operating system with an Intel CoreTM i5-6200U (2.3 GHz) processor and 8 G RAM. The experimental codeuses the Pairing-based Cryptography Library (PBC-0.5.14) and cpabe-0.11 to implement the schemes. We employ the 160-bit elliptic curve group in the hyper-singular curves \(y^{2}=x^{3}+x\)based on 512-bit finite fields. Specifically, the pairing operation time of the PBC library is approximately 1.27s, and the exponential operation times of G and GT are approximately 0.33s and 0.18s, respectively.
Table 3 shows a comparison of the execution time of Encryption, Trapdoor and Test. Because the time required for the multiplication operation is significantly smaller than the exponential operation, the multiplication time is omitted in Table 3. Assume that the keywords in the access structure are used for the phase of Test. The execution times of Encryption, Trapdoor and Test increase with an increase in the number of keywords in Lai ’s scheme. The time complexity of the Encryption, Trapdoor and Test in our scheme is a constant order. But Lai et al.’s scheme supports arbitrary monotone boolean predicates based on the linear secret sharing schemes (LSSS). And LSSS is a strong expressive access structure. Our scheme supports AND-gate access structure with multiple values. And the AND-gate access structure is a weak expressive access structure. In other words, Lai et al.’s scheme supports AND, OR and the threshold of keywords. Our scheme only supports AND of the keywords.
Table 3. Comparison of Computational Efficiency
The simulation experiment system is built, and the operation time is tested in the system. In the simulation process, the relationship between the number of keywords and the execution time of Encryption, Trapdoor and Test is tested. We select a 1 MB file and encrypt the file with a different number of keywords. We test the execution time of the Encryption, Trapdoor and Test processes as the number of keywords changes (from 1 to 20). All simulation results are the mean of 30 trials. According to this method, Lai’s scheme is simulated. The relationships are shown in Fig. 1. The horizontal axis represents the number of keywords in the search, and the vertical axis represents the execution time of Encryption, Trapdoor and Test.
Fig. 1. Comparison of Time with Different Number of Keywords
Fig. 1(a) plots the executed time of Encryption, which is executed by the data owner. Fig. 1(b) shows the execution time of Trapdoor. Fig. 1(c) shows the execution time of Test, whichis executed by the CSP. In Lai’s scheme, the executed times of Encryption, Trapdoor and Testincrease with the number of keywords. When the number of keywords changes from 1 to 20, the executed time is approximately linearly. But the executed time of Encryption, Trapdoorand Test is a fixed value in our scheme, which is not related to the number of keywords. It is consistent with the theoretical analysis in Table 3.
Through the experimental comparison, our scheme is superior to other schemes in terms of security. Our scheme is proved adaptively secure based on the simple assumption DBDH in the standard model. In terms of storage, the public key length of our scheme and other schemesis similar. But the sizes of ciphertext and trapdoor are smaller than other schemes, they are the fixed value in our scheme. In terms of efficiency, our scheme is constructed based on the composite order group, which is less efficient than the scheme based on the prime order group. But the operations of the Encryption, Trapdoor and Test are constant level, regardless of the number of keywords. When the keywords are more, the advantage of our scheme will be highlighted.
5. Conclusion
In this paper, we propose an efficient conjunctive keyword search scheme without a secure channel for the cloud storage environment, which is called SE-CKS. This scheme implements conjunctive keyword search based on CP-ABE. At the same time, we propose an efficient mechanism for removing the secure channel and resisting off-line keyword guessing attacks. The storage overhead of the CSP and DU are the fixed value and the amount of calculations of Encryption, Trapdoor and Test are constant level, regardless of the number of keywords. This scheme is proved adaptively secure based on the DBDH assumption in the standard model.
Finally, the results of theoretical analysis and experimental simulation show that the proposed scheme has advantages in security, storage overhead and efficiency, and it is more suitable for practical application.
References
- Q. Yan, R. Yu, Q. Gong and et al, "Software-defined networking (SDN) and distributed denial of service (DDoS) attacks in cloud computing environments: A survey, some research issues, and challenges," IEEE Communications Surveys and Tutorials, vol. 18, no. 1, pp. 602-622, 2016. https://doi.org/10.1109/COMST.2015.2487361
- F. Chen, T. Xiang, Y. Yang and et al, "Secure cloud storage meets with secure network coding," IEEE Transactions on Computers, vol. 65, no. 6, pp. 1936-1948, 2016. https://doi.org/10.1109/TC.2015.2456027
- D. X. Song, D. Wagner and A. Perrig, "Practical techniques for searches on encrypted data," in Proc. of IEEE Symposium on Security and Privacy, pp. 44-55, May 14-17, 2000.
- D. Boneh, G. D. Crescenzo, R Ostrovsky and et al, "Public key encryption with keyword search," in Proc. of International Conference on the Theory and Applications of Cryptographic Techniques, pp. 506-522, May 2-6, 2004.
- P. Golle, J. Staddon and B. Waters, "Secure conjunctive keyword search over encrypted data," in Proc. of the 2th International Conference on Applied Cryptography and Network Security, pp. 31-45, June 8-11, 2004.
- B. Zhang and F. Zhang, "An efficient public key encryption with conjunctive-subset keywords search," Journal of Network and Computer Application, vol. 34, no. 1, pp. 262-267, 2011. https://doi.org/10.1016/j.jnca.2010.07.007
- J. Lai, X. Zhou, R. H. Deng and et al, "Expressive search on encrypted data," in Proc. of the ACM SIGSAC symposium on Information, computer and communications security, pp. 243-252, May 8-10, 2013.
- J. Baek, R. Safavinaini and W. Susilo, "Public key encryption with keyword search revisited," in Proc. of International Conference on Computational Science and Its Applications, pp. 1249-1259, June 30-July 3, 2008.
- J. Byun, H. Rhee, H. Park and et al, "Off-line keyword guessing attacks on recent keyword search schemes over encrypted data," in Proc. of Workshop on Secure Data Management, pp. 75-83, September 10-11, 2006.
- H. Rhee, W. Susilo and H. Kim, "Secure searchable public key encryption scheme against keyword guessing attacks," IEICE Electron. Express, vol. 6, no. 5, pp. 237-243, 2009. https://doi.org/10.1587/elex.6.237
- Y. Yang and M. Ma, "Conjunctive keyword search with designated tester and timing enabled proxy re-encryption function for e-health clouds," IEEE Transactions on Information Forensics and Security, vol. 11, no. 4, pp. 746-759, 2016. https://doi.org/10.1109/TIFS.2015.2509912
- K. Liang and W. Susilo, "Searchable attribute-based mechanism with efficient data sharing for secure cloud storage," IEEE Transactions on Information Forensics and Security, vol. 10, no. 9, pp. 1981-1992, 2015. https://doi.org/10.1109/TIFS.2015.2442215
- L. Cheung and C. Newport, "Provably secure ciphertext policy ABE," in Proc. of the 14th ACM conference on Computer and communications security, pp. 456-465, October 29-November 02, 2007.
- J. Bethencourt, A. Sahai and B. Waters, "Ciphertext-policy attribute-based encryption," in Proc. of IEEE symposium on security and privacy, pp. 321-334, May 20-23, 2007.
- M. Abdalla, M. Bellare, D. Catalano and et al, "Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions," in Proc. of the 25th Annual International Cryptology Conference, pp. 205-222, August 14-18, 2005.
- L. Fang, W. Susilo, C. Ge and et al, "Public key encryption with keyword search secure against keyword guessing attacks without random oracle," Information Sciences, vol. 238, no. 7, pp. 221-241, 2013. https://doi.org/10.1016/j.ins.2013.03.008
- K. Emura, A. Miyaji, A. Nomura and et al, "A ciphertext-policy attribute-based encryption scheme with constant ciphertext length," International Journal of Applied Cryptography, vol. 2, no. 1, pp. 46-59, 2010. https://doi.org/10.1504/IJACT.2010.033798
- B. Waters, "Efficient identity-based encryption without random oracles," in Proc. of the 24th International Conference on the Theory and Applications of Cryptographic Techniques, pp. 114-127, May 22-26, 2005.