2016_Efficiently Multi-User Searchable Encryption.pdf

RESEARCH ARTICLE
Efficiently Multi-User Searchable Encryption
Scheme with Attribute Revocation and Grant
for Cloud Storage
Shangping Wang1
, Xiaoxue Zhang1
*, Yaling Zhang2
1 School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China, 2 School of Computer Science
and Engineering, Xi’an University of Technology, Xi’an, Shaanxi, China
* iszhangxiaoxue@163.com
Abstract
Cipher-policy attribute-based encryption (CP-ABE) focus on the problem of access control,
and keyword-based searchable encryption scheme focus on the problem of finding the files
that the user interested in the cloud storage quickly. To design a searchable and attribute-
based encryption scheme is a new challenge. In this paper, we propose an efficiently multi-
user searchable attribute-based encryption scheme with attribute revocation and grant for
cloud storage. In the new scheme the attribute revocation and grant processes of users are
delegated to proxy server. Our scheme supports multi attribute are revoked and granted
simultaneously. Moreover, the keyword searchable function is achieved in our proposed
scheme. The security of our proposed scheme is reduced to the bilinear Diffie-Hellman
(BDH) assumption. Furthermore, the scheme is proven to be secure under the security
model of indistinguishability against selective ciphertext-policy and chosen plaintext attack
(IND-sCP-CPA). And our scheme is also of semantic security under indistinguishability
against chosen keyword attack (IND-CKA) in the random oracle model.
I. Introduction
The fuzzy identity based encryption (IBE) which is regarded as the prototype of attribute-
based cryptography was put forward by Sahai and Waters [1] in 2005. In an attribute-based
encryption system, each user has a number of descriptive attributes (such as gender, age, edu-
cation, occupation, etc.). Meanwhile, the users’ private key and ciphertext are link with some
described attribute set and access strategy respectively. When the private key is matched with
ciphertext, the user can decrypt the ciphertext.
Goyal et al. [2] put the ABE scheme into CP-ABE scheme and the key-policy attribute-
based encryption (KP-ABE) scheme, and definitions are given respectively.
Bethencourt et al. [3] provided a new structure. The scheme can not only achieve a flexible
access structure but also has an important characteristic of anti-collusion. That is, different
users can not add their own access right by collusion their private key. Besides, there are some
other outstanding articles such as the scheme proposed by Emura et al. [4] which has a certain
contribution to the computational complexity and storage load.
PLOS ONE | DOI:10.1371/journal.pone.0167157 November 29, 2016 1 / 23
a11111
OPEN ACCESS
Citation: Wang S, Zhang X, Zhang Y (2016)
Efficiently Multi-User Searchable Encryption
Scheme with Attribute Revocation and Grant for
Cloud Storage. PLoS ONE 11(11): e0167157.
doi:10.1371/journal.pone.0167157
Editor: Houbing Song, West Virginia University,
UNITED STATES
Received: July 30, 2016
Accepted: November 9, 2016
Published: November 29, 2016
Copyright: © 2016 Wang et al. This is an open
access article distributed under the terms of the
Creative Commons Attribution License, which
permits unrestricted use, distribution, and
reproduction in any medium, provided the original
author and source are credited.
Data Availability Statement: All relevant data are
within the paper.
Funding: This work is supported by the National
Natural Science Foundation of China under grants
61572019, 61173192, the Key Project of Research
Foundation of Natural Science Foundation of
Shaanxi Province of China under Grant No.
2016JZ001, the Research Foundation of Education
Department of Shaanxi Province of China under
grants 2013JK1142, and the Research Foundation
of science and technology of Xi’an Beilin district of
China under grants GX1407.

The above-mentioned CP-ABE schemes have made outstanding contributions, but due to
the constant changes of the realistic situation, the schemes still face new challenges. Once
some users’ attributes change, the system should timely update these users’ attribute set and
the corresponding private key.
A number of programs research about attribute revocation have been put forward [5–13].
Generally speaking, the revocation mechanism can be divide into two types: direct revocation
scheme [6–9] and indirect revocation scheme [10–13]. The big difference between them is that
the direct revocation scheme is enforced by a specified revocation list and indirect revocation
scheme is enforced by updating the private key of the non-revoked users (Implicitly, the
revoked users’ private key are revoked). Zhang et al. [8] put forward a scheme with direct revo-
cation, which characterized by the fact that the length of the encrypted text is fixed, and the
partial ciphertext update is only required when the revocation occurs. The scheme put forward
by Yu et al. [10] achieves an efficient encryption update through proxy re encryption. But
there is a limit to the scheme. That is the fixed strategy. Due to the high efficiency and the limi-
tation of the scheme, Naruse et al. [13] made a further study of this article. The scheme pro-
posed by them can be applied to a more flexible access strategy.
On the other hand, due to the continuous development of computer network and the out-
sourcing technology many enterprises began to establish their own local network and database.
Through the establishment of a certain data encryption and an access control, they passed
their database to a third party management. Since the third party is not credible, efficient
search capability and secure search process are two important tasks in the present study. Some
articles research on these two directions have been put forward [14–17].
Bao at al. [14] put forward a scheme which can be applied to the cloud storage environment.
This program can realize the multi user search process. Because of the users’ access rights in
the system are different according to their own attribute set. The efficiency of system should be
further improved with the increase of users’ number.
Some schemes research on highly efficient access control of multi user keyword search have
been put forward [18–24].
Recently, Lv et al. [18] proposed an efficient keyword searchable model. However, the
scheme does not have a complete security model. When a user’s attributes in the system
change, the limitations of the program appeared. Kaci et al. [23] put forward a scheme that is
consistent with ACAS (Access Control Aware Search) principle and improve the level of confi-
dentiality of outsourced data. Nonetheless, the efficiency of the proposed model is evaluated
according to data size.
Most of the existing multi user attribute-based keyword searchable encryption schemes
focus on efficient access control and fast search process, of which there are some articles can
achieve revocation of user, for example by removing user’s search key in proxy server to
achieve revocation [18].
In addition, some research on the security of information under specific scenarios are also
proposed. Specifically, a first research direction focuses on the security of Vehicular and hoc
network [25–27]. A second research direction deal with the security communication in Inter-
net of Things (IOT) networks [28, 29]. There are other research directions, such as file search
in unstructured P2P (peer-to-peer) gird networks [30–32] and WSNs (wireless sensor net-
works) in healthcare applications [33] etc.
A. Our Contributions
• Our scheme supports user’s multiple attributes revocation and grant simultaneously by add-
ing a series of attribute parameters. The attribute revocation in our scheme is a fine grain
Multi-User Searchable Encryption Scheme with Attribute Revocation and Grant
Competing Interests: The authors have declared
that no competing interests exist.

method. That is, our revocation is able to revoke some users’ some attributes, rather than to
revoke a single attribute or revoke attributes in the system. The attribute grant method is
similarly. In addition, the proposed scheme is proven to be IND-sCP-CPA secure.
• We use a lazy revocation technique [34] for user’s attribute and private key update process.
It is to say that only when user accesses the encrypted files, it helps to update the user’s attri-
bute and private key.
• As keyword searchable process in [18] does not have a complete security proof. By changing
the operation of search trapdoor in [18], we have proved that our proposed keyword search-
able scheme is IND-CKA secure in the random oracle model under bilinear Diffie-Hellman
(BDH) assumption.
• The function of revocation of user identity in our scheme is consistent with that in [18].
B. Comparisons
We compare the function of our scheme with the existing schemes presented in [3, 13, 18] in
Table 1.
II. Preliminaries
A. Mathematical Tools
We first give some of the mathematical tools will be used later in this article, the specific argu-
ment can be found in the references.
Definition 1 (Bilinear Map [2]). The definition of the two multiplication of group G1 and
G2, so that their order is p and the generator of G1 is g. A bilinear map e : G1 G1 ! G2,
which satisfies:
• Bilinearity: for all u; v 2 G1 and a; b 2 Zp; eðua
; vb
Þ ¼ eðu; vÞab
;
• Non-degeneracy: e(g, g) 6¼ 1;
• Computability: for all u; v 2 G1, e(u, v) is efficiently computable.
Definition 2 (Lagrange Coefficient [24]). The definition of a Lagrange coefficient is Δi,S(x),
which i 2 Zp and the elements of set S belong to Zp. Then we have the following equation:
Di;SðxÞ ¼
Y
j2S;j6¼i
x j
i j
Table 1. Comparisons of Our Scheme with the Main References.
scheme access control keyword searchable attribute revocation for some
user
attribute grant for some
user
user revocation lazy revocation
[3] LSSS ✘ ✘ ✘ ✘ ✘
[18] access tree ✓ ✘ ✘ ✓ ✘
[13] LSSS ✘ ✓ ✓ ✘ ✘
Ours access tree ✓ ✓ ✓ ✓ ✓
✓: The scheme has the function.
✘: The scheme does not have this function.
doi:10.1371/journal.pone.0167157.t001

B. Access Tree
In this paper, we use the access tree as the access policy.
Definition 3 (Access Tree [18]). In the access tree, the number of child nodes of each inte-
rior node x is denoted as numx. The threshold value of each node is defined as (kx, numx),
which is 0 kx numx. In particular, when kx = 1 threshold for an 0
OR0
gate. When kx =
numx for an 0
AND0
gate. Furthermore, each leaf node are correlated and attribute. For the con-
venience of using access tree, we define several functions as follow.
• parent(x): this returns the parent node of a node x except the root node.
• index(x): assuming that the children nodes of each node are numbered from 1 to num, this
returns such a number associated with the node x.
• att(x): this returns the attribute associated with a leaf node x.
C. BDH Problem
Choose two cyclic group G1 and G2, enable their order is p. And a map e : G1 G1 ! G2 is a
valid bilinear map. BDH problem under the tuple g; G1; G2; e can be defined as: fix a
generator g of G1, as well as ga
, gb
, gc
for some random a; b; c 2 Zp, compute eðg; gÞ
abc
2 G2.
BDH assumption [35]. The assumption is valid if there is no polynomial-time adversary can
be non-negligible probability to solve the above BDH problem.
III. System and Security Models
A. System Model
First, define five entities of the system: an attribute authority, dada owners, a proxy server, a
cloud sever, users, can be described below. The system model of our scheme is given in Fig 1.
• Attribute authority (AA). Attribute authority is entirely credible to other entities and is
responsible for the system establishment, new user register, attributes assignment and key
generation. When some users’ attribute set change (that is, some attributes are revoked or
granted), AA establishes a revoked and a granted user list set for each attribute respectively
and updates the public parameter, master key, proxy update key and proxy grant key.
• Data owner (DO). Data owner is responsible for uploading all the data files to cloud server.
In order to ensure other legitimate users of the system can search for the corresponding file
through the keyword, data owner needs to extract keywords and establish keyword indexes.
Finally, along with the encrypted files upload to cloud server.
• User (U). Legitimate users can download their interest files from the system. In order to
hide the search keyword, the user generates a search trapdoor. And then sends his unique
identity, attribute set, partial private key component to the proxy server for updating attri-
bute set and private key component. After receiving the updated attribute set and private key
component, he sends his trapdoor together with his unique identity to cloud server. Without
revealing any information about the content of the file, proxy server to help complete most
of the decryption work. And then the final message is calculated by the user.
• Proxy server (PS). Proxy server is deployed by AA. It re-encrypts encrypted shared data and
updats user’s attribute set and corresponding private key by using the proxy update key and
proxy grant key received from AA. It also can help the users execute most CP-ABE decryp-
tion task.

• Cloud server (CS). This paper mainly use the large storage characteristics of CS to store the
data files in the system. Besides, it also helps to generate keyword index and trapdoor. In
order to achieve efficient search we use the D. Data Upload method in [18] to store and
search files. Also similar to the G. User Revocation method in [18], CS can perform user revo-
cation operation.
B. Algorithms Definitions
Our proposed efficiently multi-user searchable encryption scheme with attribute revocation
and grant for cloud storage is composed of thirteen randomized polynomial time algorithms.
• AA.Setup (λ, U)!(PP, MK, UK, GK): The setup algorithm takes a security parameter λ and
an attribute universe description U as input. It outputs the public parameters PP, master pri-
vate key MK, proxy update key UK and proxy grant key GK.
Fig 1. System model of the proposed scheme.
doi:10.1371/journal.pone.0167157.g001

• DO.Enc ðPP; M; T Þ ! CT: The encryption algorithm takes public parameters PP, a mes-
sage M, and an access structure T over the universe of attributes as input. It generates a
ciphertext CT.
• AA.KenGen ðMK; Uid; SUid
Þ ! ðSKUid
; AUid
; BUid
Þ: The key generation algorithm takes mas-
ter private key MK, a unique user identity Uid and the corresponding attribute set SUid
as
input. It outputs Uid’s corresponding private key SKUid
, user’s search key AUid
, and user’s
search key BUid
in CS.
• U.Dec ðCT; SKUid
Þ ! M: The decryption algorithm take a ciphertext CT, and a private key
SKUid
as input. If the set of attributes SUid
related to SKUid
satisfies the access structure T
related to CT, then it successfully decrypt and output the message M
• AA.ReKenGen (PP, MK, γ, ΔLγ, η, ΔLη,UK, GK)!(PP0
, MK0
, UK0
, GK0
, RKγ): The re-encryp-
tion key generation algorithm tekes public parameters PP, a master key MK, a set of attri-
butes γ, the attribute in γ which is to be revoked for some users, and the corresponding
revoked user list ΔLγ, a set of attribute η, the attribute in η is to be granted for some users,
and the corresponding granted user list ΔLη, proxy update key UK, and proxy grant key GK
as input. It generates the updated public parameters PP0
, the redefined master key MK0
, the
redefined proxy update key UK0
, the proxy grant key GK0
, and the re-encryption key RKγ.
• CS.ReEnc (γ, Cγ, rk)!RKγ: The re-encryption algorithm takes a set of attribute γ which
some users be revoked, the ciphertext component Cγ = {Cx}att(x)2γ CT, the re-encryption
key RKγ as input. It outputs the re-encryption ciphertext component Cg
0
¼ fC
x gattðxÞ2g.
• PS.ReKey ðUid; SUid
; verUid
; DUid
; UK; gÞ ! ðSUid
0
; verUid
0
; DUid
0
Þ: The key regeneration algo-
rithm takes a unique user identity Uid and the corresponding attribute set SUid
, version num-
ber verUid , the private key component DUid ¼ fDigi2g SKUid , proxy update key UK, a set of
attributes γ, the attribute in γ which is to be revoked by some users as input. It outputs the
updated user attribute set SUid
0
, version number verUid
0
and private key component
DUid
0
¼ fDi
0
gi2g SKUid
.
• PS.GrantAtt ðUid; PP; GK; ZÞ ! ðZUid
; SKZUid
Þ: The attribute grant algorithm takes a unique
user identity Uid, the public parameters PP, the proxy grant key GK, a set of attribute η, the
attribute in η which is to be granted by some users as input. It outputs a set of attribute ZUid
which is to be granted to the user Uid and the corresponding private key component
SKZUid
¼ fDi; D
i gi2ZUid
.
• O.PreIndex (W)!(E): The pre index generation algorithm for the data owner takes key-
word set W = {w1, , wm} as input. It outputs data owner’s pre keywords index set E =
(E1, , Em).
• CS.Index ðE; BUid
Þ ! ðVÞ: The index generation algorithm for the CS takes data owner’s
pre keywords index set E = (E1, , Em) and data owner’s search key in CS BUid
as input. It
outputs CS’s index parameter set V = (V1, , Vm).
• O.PostIndex ðV; AUid
Þ ! ðIW Þ: The post index generation algorithm for DO takes CS’s
index parameter set V = (V1, , Vm), his own search key AUid
as input. It outputs DO’s post
keywords index set IW ¼ ðIw1
; ; Iwm
Þ.
• U. PreTrap ðw; AUid
Þ ! ðTwÞ: The pre trapdoor generation algorithm for user takes a key-
word w and his own private search key AUid
as input. It outputs user’s pre trapdoor Tw.

• CS. PostTrap ðTw; BUid
Þ ! ðk0
Þ: The post trapdoor generation algorithm for CS takes user’s
pre trapdoor Tw and user’s search key BUid
in CS as input. It outputs CS’s post trapdoor k0
.
• CS. Test(IW, k0
)!{1, 0}: The test algorithm for the CS takes post keywords index set IW
and post trapdoor k0
as input. If the match is successful, the output is 1. Otherwise, the
output is 0.
C. Security Definitions
Similar to most previous works, the CS is supposed to be “curious-but-honest” [13].
We consider the security model as two games between a challenger C and an adversary A.
Game 1 (IND-sCP-CPA security model). The adversary A is assumed to be an outsider
attracter including the receiver.
Int. A declares an access structure T
.
Setup. C takes a security parameter λ and runs the Setup algorithm. It gives the public
parameter PP to A and keeps the master key MK to itself.
Phase 1. A adaptively issues polynomial queries as follows.
• private key query. A submits an attribute set S, where S does not satisfy the access structure
T
, to C. The challenger returns the corresponding private key SK to A.
• update private key query. A is allowed to issue queries for update private key SK for the attri-
bute in γ which is to be revoked for some users. The challenger gives the updated private key
SK0
.
Challenge. A submits two equal length message M0 and M1. The challenger picks a random
bit b 2{0, 1} and encrypts Mb under T
. The challenger gives ciphertext CT
to A.
Phase 2. Repeat Phase 1 adaptively.
Guess. A outputs a guess b0
of b and wins the game if b0
= b.
The advantage of the A in this game is defined as
Pr½b
0
¼ bŠ
1
2
.
Definition 4. The proposed scheme is IND-sCP-CPA secure if there is no polynomial time
A who can win the above game with non-negligible advantage.
Game 2 (IND -CKA security model). The adversary A is assumed to be CS.
Setup. Repeat game 1’s setup adaptively.
Phase 1. A adaptively issues polynomial following queries.
• H1-Query. A can query the random oracle H1.
• H2-Query. A can query the random oracle H2.
• Trapdoor Queries. A can ask any keyword’s trapdoor.
Challenge. A submits two keywords w0 and w1 where the keywords w0 and w1’s trapdoor
have not been asked by A. The challenger picks a random bit b 2 {0, 1} and creates wb’s trap-
door k to A.
Phase 2. Repeated phase 1 adaptively.
Guess. A submits a guess b0
of b. If b0
= b, A wins the game and break our scheme.
Definition 5. In the random oracle model, the proposed scheme is IND-CKA secure if all
polynomial time adversaries have at most a negligible advantage in the above game.

IV. Our Proposed Scheme
A. Detail Construction of Algorithms
AA defines the universe of attributes as U = {1, 2, , n}, the unique user identity Uid 2 {0, 1}
and three hash functions:
• H(): Maps an attribute to a random element of G1.
• H1(): Maps a strings in {0, 1}
to a random element of G1.
• H2(): Maps a random element of G2 to a random strings of {0, 1}l
.
AA.Setup (λ, U) ! (PP, MK, UK, GK): The setup algorithm takes security parameter λ and
attribute universe description U = {1, 2, , n} as input. It first chooses two multiplicative
cyclic groups G1; G2 of prime order p(p 2λ
), and a bilinear map e : G1 G1 ! G2. Then, 8i
2 U, it random chooses Atti 2 Z
p and computes a public parameter component
Ti ¼ gAtti 2 G1. And it randomly chooses x 2 ZP as the search master key and three random
numbers α, β, x 2 Zp, let
PP ¼ ðG1; g; gb
; eðg; gÞ
a
; T1; ; TnÞ
MK ¼ ðx; b; ga
; Att1; ; AttnÞ
In addition, defines the system version number ver 2 N. The initial version number is set to
ver = 0. Set a proxy re-encrypt key set as rk = {rki}i2U, and rki = {rki,0, , rki,ver} is set of the
proxy re-encrypt key under different version for attribute i. The initial value is set to rki,0 = 1.
Let L = {Li}i2U represent the revoked user list set, where revocation list Li represents the
users list whose attribute i needs to be revoked, and L
¼ fL
i gi2U
represent the granted user
list set, where grant list L
i represents the users list set to whom the attribute i needs to be
granted. The revocation list Li may be empty, which means there is no user needs to be revoked
for attribute i. So is grant list L
i .
Finally, define a set R which is used to reserve the private key component ðUid; rUid
Þ later.
The initial value is empty, R = ϕ. For each Atti 2 Z
p , calculate 1
Atti
ðmod pÞ and output
The proxy update key UK = (ver, rk = {rki}i2U, L = {Li}i2U);
The proxy grant key GK ¼ R; 1
Att1
; ; 1
Attn
; L
¼ fL
i gi2U

.
Do.Enc ðPP; M; T Þ ! CT: Similar to the encryption method in [18]. It inputs the public
parameter PP, a message M and an access structure T . The algorithm chooses a (kx−1)
-degree polynomial qx() for each node x in the tree T in a top-down manner. The selected
polynomial qx() must satisfy the restriction that qx(0) = s if x is the root node in T , otherwise
qx(0) = qparent(x)(indes(x)), where s is randomly chosen from Z
p . It is worth noting that for a
leaf node, because it does not have a child, so it selects constant polynomial qx() = qx(0) =
qparent(x)(indes(x)). Let C be the set of leaf nodes in T , the ciphertext CT is computed as:
CT ¼ ðT ; ~
C ¼ M eðg; gÞ
as
; C ¼ gbs
; 8x 2 C : Cx ¼ gqxð0ÞTattðxÞ ; C
x ¼ HðattðxÞÞ
qxð0Þ
Þ
Here, the function att(x) returns the attribute associated with the leaf node x and att(x)2U.
Note that, the hash function H() Maps an attribute to a random element of G1, so
HðattðxÞÞ 2 G1.
AA.KenGen ðMK; Uid; SUid
Þ ! ðSKUid
; AUid
; BUid
Þ: The key generation algorithm takes mas-
ter private key MK, a unique user identity Uid and the corresponding attribute set SUid
as input.
It firstly defines a user version number as the current system version number verUid
¼ ver.

Then it chooses a random rUid
2 ZP, and then chooses a random ri2ZP for each attribute
i 2 SUid
. It outputs the private key as:
SKUid
¼ verUid
; D ¼ g
aþrUid
b ; 8i 2 SUid
: Di ¼ g
rUid
Atti HðiÞ
ri
Atti ; D
i ¼ gri

It randomly chooses μ 2 ZP and set AUid
¼ m as user’s search key, and computes BUid
¼
g
x
AUid ¼ g
x
m as user’s search key in CS.
U.Dec ðCT; SKUid
Þ ! M: Similar to the decryption method in [18]. The decryption algo-
rithm first defines a recursive algorithm DecNode ðCT; SKUid
; xÞ, where x represents a node in
T . Then it is followed in a down-top manner.
• For each leaf node x, with i = att(x), if i 2 SUid
, it computes:
DecNode ðCT; SKUid
; xÞ ¼ eðDi;CxÞ
eðD
i ;C
x Þ ¼ eðg; gÞrUid
qxð0Þ
. Otherwise, it returns ?;
• For each interior node x, Lagrange interpolation is used on at least kx such eðg; gÞrUid
qzj ð0Þ
from its children {zj} to calculate
eðg; gÞrUid
qxð0Þ
.
Finally, for the root node RT in T , let A ¼ eðg; gÞ
rUid
qRT
ð0Þ
¼ eðg; gÞ
rUid
s
. The decryption can
be computed by:
Dec ðCT; SKUid
Þ ¼ ~
C=ðeðC; DÞ=AÞ ¼ M
AA.ReKenGen (PP, MK, γ, ΔLγ, η, ΔLη, UK, GK)!(PP0
, MK0
, UK0
, GK0
, RKγ): The re-
encryption key generation algorithm takes public parameter PP, a master key MK, a set of
attributes γ (the attribute in γ which is to be revoked for some users) and the corresponding
revoked user list ΔLγ, a set of attribute η (the attribute in η is to be granted for some users) and
the corresponding granted user list ΔLη, the proxy update key UK, and the proxy grant key GK
as input.
If γ 6¼ ;, for each attribute i 2 γ, it chooses random Atti
0
2 Z
p as the new attribute key. Then
performs the following action:
• Master key update. Replaces the Atti in MK with Atti
0
, the rest of the parameters keeps
unchanged;
• Proxy update key upodate. Replaces the ver in UK as ver0
= ver + 1, calculates rki;ver0 ¼ Atti
0
Atti
ð pÞ
and adds to the set rki = {rki,0, , rki,ver}. For other attribute i2U γ, adds rki,ver0 = 1 to the set
rki = {rki,0, , rki,ver} to get the updated rki = {rki,0, , rki,ver,rki,ver0}. Then adds the identity
of users whose attribute need to be revoked in ΔLγ to the corresponding revocation user list
L = {Li}i2U;
• Set re-encryption key RKγ = {(i, rki,ver0)}i2γ;
• Proxy grant key update. Replace the 1
Atti
in GK with 1
Atti
0 ðmod pÞ, the rest of the parameters
keeps unchanged;
• Public parameter update. Calculate T
0
i ¼ Ti
rki;ver
0
¼ gAtti
0
and replace the Ti in PP with T
0
i , the
rest of the parameters keeps unchanged.

If η 6¼ ;, add the identity of users in ΔLη who need to be granted some attributes to the cor-
responding grant user list L
¼ fL
i gi2U
in proxy grant key.
CS.ReEnc (γ,Cγ,,RKγ)!Cγ
0
: The re-encryption algorithm takes a set of attribute γ, the attri-
bute in γ which is to be revoked for some users, the ciphertext component Cγ = {Cx}att(x)2γ CT,
the re-encryption key RKγ as input.
For each attribute i 2 γ, find the corresponding leaf node x, with i = att(x). Denote the uni-
verse of corresponding ciphertext component Cx set as Cγ = {Cx}att(x)2γ CT. For each attri-
bute Cx2Cγ, calculate Cx
0
¼ Cx
rki;ver0
and output Cγ
0
= {Cx
0
}att(x)2γ.
PS.ReKey ðUid; SUid
; verUid
; DUid
; UK; gÞ ! ðSUid
0
; verUid
0
; DUid
0
Þ: The key regeneration algo-
rithm takes a unique user identity Uid and the corresponding attribute set SUid
, version number
verUid
, the private key component DUid
¼ fDigi2g SKUid
, proxy update key UK, a set of attri-
butes γ, the attribute in γ which is to be revoked by some users as input. Then perform the fol-
lowing actions:
• If the user has the latest version verUid
¼ ver, it outputs ? and exit;
• If it satisfies the condition that 8i2γ and Uid =
2 Li, denotes the attribute set S
0
Uid
¼ SUid
. For
each i 2 SUid
g and Uid 2 Li, denotes the attribute set S
0
Uid
¼ SUid
n fig and deletes the Uid
from Li;
• For each i 2 SUid
g, compute D
i
0
¼ D
i
ðrki;ðverUid
þ1Þrki;verÞ 1
and replace the D
i with D
i
0
. Then
update the user version number as verUid
0
¼ ver.
PS.GrantAtt ðUid; PP; GK; ZÞ ! ðZUid
; SKZUid
Þ: The attribute grant algorithm takes a unique
user identity Uid, public parameters PP, proxy update key UK, proxy grant key GK, a set of
attribute η, the attribute in η is to be granted for some users as input. Then perform the follow-
ing actions:
• If it satisfies the condition that 8i 2 η and Uid =
2 L
i , it outputs ? and exit;
• Then build an attribute set ZUid
as the grant set for user Uid. The initial value ZUid
¼ ;. For
each i 2 η, if Uid 2 L
i , add attribute i to the attribute set ZUid
and delete the Uid from L
i ;
• For each i 2 ZUid
, find the parameter ðUid; rUid
Þ from the list R and randomly choose ri 2 ZP.
Then compute Di ¼ g
rUid
Atti HðiÞ
ri
Atti ; D
i ¼ gri
, and define the grant private key component as
SKZUid
¼ fDi; D
i gi2ZUid
.
DO.PreIndex (W)!(E): The pre index generation algorithm for data owner takes the key-
word set W = {w1, , wm} as input.
For each keyword wi 2 W, it calculates Ei ¼ H1ðwiÞ
li
2 G1, where li 2 Z
p is a random
number.
Then, it outputs the data owner’s pre keywords index set E = (E1, , Em).
CS.Index ðE; BUid
Þ ! ðVÞ: The index generation algorithm by CS takes data owner’s pre
keywords index set E = (E1, , Em) and data owner’s search key in CS BUid
as input.
For each Ei 2 E, it computes Vi ¼ eðEi; BUid
Þ ¼ e H1ðwiÞ
li
; g
x
AUid

.
Then, it outputs CS’s index parameter set V = (V1, , Vm).
DO.PostIndex ðV; AUid
Þ ! ðIWÞ: The post index generation algorithm for data owner takes
the CS’s index parameter set V = (V1, , Vm), his own search key AUid
and the random param-
eter li which he choices before as input.

• For each Vi 2V, it computes
ki ¼ H2 Vi
AUid
li

¼ H2 e H1ðwiÞli
; g
x
AUid
AUid
li
!
¼ H2ð eðH1ðwiÞ; gÞx
Þ 2 f0; 1gl
;
• set Iwi
¼ ðQi; ½QiŠki
Þ, where ½QiŠki
denotes an encryption of a random number Qi with the
secret key ki using a secure symmetric encryption algorithm, such as AES.
It builds the data owner’s post keywords index set IW ¼ fIw1
; ; Iwm
g and outputs.
U. PreTrap ðw; AUid
Þ ! ðTwÞ: The pre trapdoor generation algorithm for user takes as
input a keyword w and his own search key AUid
.
It calculates the user’s pre trapdoor Tw ¼ H1ðwÞ
AUid and outputs.
CS. PostTrap ðTw; BUid
Þ ! ðk
0
Þ: The post trapdoor generation algorithm for CS input the
pre trapdoor Tw and the user’s search key BUid
in CS.
It calculates the CS’s post trapdoor k
0
¼ H2ðeðTw; BUid
ÞÞ ¼ H2 e H1ðwÞ
AUid ; g
x
AUid

¼
H2ð eðH1ðwiÞ; gÞ
x
Þ and outputs.
CS. Test(IW, k0
)!{1, 0}: The test algorithm by CS takes post keywords index set IW ¼
fIw1
; ; Iwm
g and post trapdoor k0
= H2(e(H1(wi),g)x
) as input. It checks the following equa-
tion holds
9Iwi
¼ ðQi; ½QiŠki
Þ 2 IW; such that ½QiŠk
0 ¼ ½QiŠki
If the equation holds, it outputs 1. Otherwise, it outputs 0.
B. Main Construction
System Setup. AA first asked about AA.Setup (λ, U)!(PP, MK, UK, GK) algorithm to get
public parameter PP, master key MK, proxy update key UK, and proxy grant key GK. Then AA
sends PP to CS and keeps UK, GK, MK secret.
Registration. AA to register every legal user in the system.
• Select a unique identity Uid and an attribute set SUid
to user;
• Call algorithm AA.KenGen ðMK; Uid; SUid
Þ ! ðSKUid
; AUid
; BUid
Þ to compute a private key
SKUid
, user’s search key AUid
, and user’s search key BUid
in CS.
• Update the set R ¼ R [ fðUid; rUid
Þg in GK ¼ R; 1
Att1
; ; 1
Attn
; L
¼ fL
i gi2U

;
Finally, AA transmits the tuple ðUid; AUid
; SUid
; SKUid
Þ to new user, transmits GK to PS and
transmits the tuple ðUid; BUid
; SUid
Þ to CS. CS adds the new user information tuple to the users
information list.
Establishment of Index. DO first extracts a set of keywords W = {w1, , wm} from the
file to establish a keyword index.
• DO calls algorithm DO.PreIndex(W)!(E). It outputs DO’s pre keywords index set E =
(E1, , Em). DO sends his identity Uid together with the pre keywords index set E to the CS.
• After receiving the request, CS first obtains the data owner’s corresponding BUid
according
to Uid. Then CS calls the algorithm CS.Index ðE; BUid
Þ ! ðVÞ. It outputs CS’s index parame-
ter set V = (V1, , Vm). Then, CS transmits V to DO.

• DO inputs his own private search key AUid
and the random parameter li which he choices
before, and calls algorithm O.PostIndex ðV; AUid
; liÞ ! ðIW Þ. It outputs the DO’s post key-
words index set IW ¼ ðIw1
; ; Iwm
Þ.
File Upload. The file upload process is similar to the D. Data Upload process in literature
[18]. The final document is stored in CS as Table 2.
Here, Fid represents the file number. [DataFile]k represents the encrypt file by a symmetric
encryption key k. IW represents the keywords index. CT represents the symmetric encryption
key k’s ciphertext which encrypted by our proposed algorithm Do.Enc
ðPK; M ¼ k; T Þ ! CT. Details of file upload process can be found in D. Data Upload in litera-
ture [18].
Attribute Alteration. If there is no need to change any user’s attributes in the system, it
outputs ? and exit.
If there have a set of attribute γ which some users be revoked, and a set of attribute η which
some users be granted. We processes as follows.
• AA first calls the algorithm AA.ReKenGen (PP, MK, γ, ΔLγ, η, ΔLη, UK, GK)!(PP0
, MK0
,
UK0
, GK0
, RKγ) to obtain updated public parameter PP = PP0
, master key MK, proxy update
key UK = MK0
, proxy grant key GK = GK0
, and re-encryption key RKγ. Then it sends PP, γ,
RKγ to CS, sends UK, GK to PS and keeps MK, UK, Gk secret.
• On receiving PP, CS publishes it.
• After receive the re-encryption key RKγ, CS calls algorithm CS.Enc (γ, Cγ, RKγ)!Cγ
0
and
updates the corresponding ciphertext.
The following steps are performed when a user needs to search for a file.
Trapdoor Generation. First, the user set a search keyword w. Then he calls the algorithm
U. PreTrap ðw; AUid
Þ ! ðTwÞ. It outputs the user’s pre trapdoor Tw.
Updating Attribute and Private Key.
• User Uid sends his parameters ðUid; SUid
; verUid
; DUid
Þ to PS.
• PS first calls algorithm PS.ReKey ðUid; SUid
; verUid
; DUid
; UKÞ ! ðSUid
0
; verUid
0
; DUid
0
Þ. It out-
puts updated user attribute set SUid
0
, version number verUid
0
and private key component
DUid
0
¼ fDi
0
gi2g SKUid
.
• Then PS calls the algorithm PS.GrantAtt ðUid; PP; GKÞ ! ðZUid
; SKZUid
Þ. It outputs a set of
attribute ZUid
which is to be granted to user Uid and the corresponding private key compo-
nent SKZUid
¼ fDi; D
i gi2ZUid
.
• It sets the parameters SUid
¼ S
0
Uid
[ ZUid
.
• PS returns parameters ðUid; SUid
; verUid
0
; DUid
; SKZUid
Þ to user and send ðUid; SUid
Þ to CS.
• User updates his own parameters SUid
and SKUid
. CS updates tuple ðUid; BUid
; SUid
Þ for user
Uid’s attribute in the users information list.
Table 2. File Storage Format in CS.
Fid IW CT [DataFile]k

Search the File by CS. Uid sends his trapdoor Tw ¼ H1ðwÞ
AUid and his unique identity Uid
to CS. CS performs the following action.
• according to user’s identity Uid CS finds the corresponding user attribute set SUid
and user’s
search key BUid
in CS from user information list tuple ðUid; BUid
; SUid
Þ.
• For the trapdoor Tw ¼ H1ðwÞAUid and user’s search key BUid
, CS calls algorithm CS. Post-
Trap ðTw; BUid
Þ ! ðk
0
Þ. It outputs CS’s post trapdoor k0
.
• According to attributes set SUid
, CS has to search documents by performing the Step3: search
the data by the cloud server process in literature [18].
• For all documents in the files collection that the user can decrypt, matches the keyword trap-
door with the keywords index, to find the user’s interested files in the document.
• According to the search parameter k0
, it runs algorithm CS. Test(IW, k0
)!{1, 0}. If the output
is 1, it returns the corresponding CT and {DataFile}k to the user.
File Decryption. User to decrypt ciphertext by calling decryption algorithm U.Dec
ðCT; SKUid
Þ ! M ¼ k. User to further decrypt the symmetric ciphertext {DataFile}k to get the
document {DataFile}.
Similar to literature [18], we can also perform most of the calculation process by PS.
User Revocation. Our scheme by removing user’s search key BUid
in CS to achieve user
identity revocation. Because if CS to remove user’s BUid
, the user will not be able to successfully
search files.
C. Flowchart of Our Proposed Scheme
We set a legitimate user Uid first as a data owner to upload their own data, and then as a user
access to the content of the interest files. The flowchart of our Fig 2(a), 2(b), 2(c), 2(d) and 2(e)
respectively gives the process of system setup, new user registration, file upload, system version
upgrade and ciphertext update, file search by user of our scheme.
V. Security
A. Security Analysis
First of all, we analyze our scheme. There are six entities in the project: AA, PS, CS, DO, U.
AA is responsible for establishing the program, and we set it to be fully trusted.
Our PS is subordinate to authority. In order to reduce the computing load of AA and
ensure the efficiency of program, we grant a lot of functions to PS. One of the most important
functions is to grant user’s attribute and the corresponding private key, which makes our PS
must be trusted. If we think about the problem of malicious PS, we have to leave granted rights
to AA. Only AA can execute the private key grant rights, which can improve the security of
scheme to a certain extent, but it will reduce efficiency of scheme. It introduces a new model.
We aim to study the integrity of our proposed scheme, which has not made a number of analy-
sis to this new model.
DO has no difference from other users in set the private key in addition to having the data
files to be uploaded. It is to say that keyword search process of DO is equivalent to a general
user. Due to the users access permissions are different according to their own attribute set.
Some users may want to access more data files beyond their access permissions. So one of the
attack models we consider is derived from a malicious user. He may also be a legitimate user.
We will show that our scheme is secure against this attack model.

CS is an outsourced server. As in most articles, we assume CS is “curious-but-honest” [13].
It is to say that CS is curious about the encrypted data contents or the received messages, but
will execute correctly the proposed tasks. It might be interested in the content of user search,
so another attack models we consider is derived from a malicious CS.
B. Attack Model 1 (IND-sCP-CPA Security Model)
The adversary A is assumed to be an outsider attacker including the users in the system.
Through the establishment of a security game model, we reduce the security of our scheme
to Bethencourt’s scheme [3]. According to the proof of reference [3] in its appendix A (Bethen-
court’s scheme is IND-sCP-CPA secure), our scheme is also IND-sCP-CPA secure in the
attack model 1. The proof procedure is as follows.
Theorem 5 Suppose that the Bethencourt’s scheme is IND-sCP-CPA secure, then our
scheme is also IND-sCP-CPA secure in the attack model 1.
Proof. We consider a simulator S0
of Bethencourt’s scheme, a simulator S of our scheme
and a polynomial-time adversary A of our scheme. It is noteworthy that the simulator S of our
scheme has another identity who is also an adversary A0
of Bethencourt’s scheme. Suppose
that A of our scheme is able to distinguish a valid ciphertext from a random element with
advantage ε. We build a simulator S (namely A0
of Bethencourt’s scheme) that can attack
Bethencourt’s scheme with the same advantage. The simulation proceeds as follows.
Fig 2. Flowchart of Our Proposed Scheme.

Int. A declares an access structure T
, which he wishes to be challenged upon. The simula-
tor S declares the same access structure.
Setup. The simulator S0
takes a security parameter λ and runs the Setup algorithm of
Bethencourt’s scheme. It gives the public parameter PP0
¼ ðG1; g; gb
; eðg; gÞ
a
Þ to the simulator
S. After receive the public parameter PP0
, the simulator S randomly chooses Atti 2 Z
p for 8i
2U as the attribute parameter. Then for all i 2 U, j = 1, 2, , ver, it randomly chooses rki;j 2
Z
p and the public parameter generated as follows.
PP ¼ ðG1; g; gb
; eðg; gÞ
a
; T1 ¼ gAtt1
; ; Tn ¼ gAttn
Þ
MK0
¼ ðver; Att1; ; Attn; rk ¼ frkigi2U Þ
Then, it send the public parameter PP to A.
• private key query. A submits a set of attributes S where S does not satisfy the access structure
T
to the simulator S. The simulator S submits the same attributes to the simulator S0
.
Then the simulator S can get the SK0
¼ ðD ¼ gaþr=b
; 8i 2 S : Di
0
¼ gr
HðiÞri
; D0
i ¼ gri
Þ
from the simulator S0
. The simulator S calculates as follows. For all i 2 S, Di ¼ ðDi
0
Þ1=Atti
.
The A is given private key SK ¼ ðD ¼ gaþr=b
; 8i 2 S : Di ¼ ðDi
0
Þ1=Atti
; D
i ¼ D0
i Þ.
• update private key query. A is allowed to issue queries for update private key SK for the attri-
bute in γ which is to be revoked for some users. A submits a part of the private key ^
SK ¼
ð8i 2 S : Di; D
i Þ he asked before where S γ 6¼ϕ.
1. For all attribute i 2 γ, the simulator S randomly chooses rki 2 Z
p and maintains the
update key {rki}i2γ.
2. For all attribute i 2 S γ in ^
SK, the simulator S calculates Di
0
¼ D
1
rki
i and keeps other
parameters unchanged. Then returns the update private key ^
SK0 to A.
Challenge. A submits two messages M0 and M1 on which he wishes to be challenged upon.
S outputs the same messages to S0
. Then S0
flips a random coin b 2 {0, 1}, and encrypts Mb
with access structure T
. S0
sends the ciphertext CT0
¼ ðT
; ~
C ¼ Mb eðg; gÞ
as
; C ¼ gbs
; 8x 2
C : Cx
0
¼ gqxð0Þ
; C0
x ¼ HðattðxÞÞ
qxð0Þ
Þ to S. The simulator S calculates CT
as follows. For all x
2 C, Ci ¼ ðCx
0
Þ
TattðxÞ
.A is given attribute key
CT
¼ ðT
; ~
C ¼ M eðg; gÞ
as
; C ¼ gbs
; 8x 2 C : Ci ¼ ðCx
0
Þ
TattðxÞ
; C
x ¼ C0
x Þ.
of b. S outputs the guess b0
to indicate that it was given the CT0
.
If A is able to distinguish the valid ciphertext with advantage jPr½b
0
¼ bŠ 1
2
j ¼ ε. We build
the simulator S that can distinguish the valid ciphertext in Bethencourt’s scheme with the
same advantage.
C. Attack Model 2 (IND-CKA Security Model)
The adversary A is assumed to be CS.
We will prove that our scheme of semantic security for keywords trapdoor. Notice that in
the search process of our scheme the public parameter is g, the private key of the user is
AUid
¼ m, the private key of CS is BUid
¼ gx=m
, the master private key of the attribute authority is

Kmk = x. We assume that A is a malicious CS, then the public parameters related to the search
process that it can get are ðg; BUid
¼ gx=m
Þ.
Theorem 6. Assuming the BDH (Bilinear Diffie-Hellman) assumption was founded. Then
our scheme has the IND-CKA security in the random oracle model.
Proof. We consider a chosen-keywords-attack polynomial-time adversary A and a simula-
tor S.
Suppose that A is able to correctly distinguish keywords with advantage ε. We build a simu-
lator S that can solve the BDH problem with at least ε0
¼ 2ε=^
eqTqH2
, Where ê is the base of the
natural logarithm, qT 0 is the number of pre trapdoor queries, qH2
0 is the number of hash
queries.
Int. The simulator S runs A and receives a BDH challenge. It first chooses two multiplica-
tive cyclic groups G1; G2 of prime order p and a bilinear map e : G1 G1 ! G2. S is given
g 2 G1, as well as u1 = gα
, u2 = gβ
, u3 = gγ
for some random a; b; g 2 Zp. S’s goal is to get
eðg; gÞ
abg
2 G2.
Setup. The simulator S announces the public parameter ðg; BUid
¼ u3Þ with the implicit
assumption that Kmk ¼ x ¼ b g; AUid
¼ m ¼ b. According to the above settings, we can cal-
culate that BUid
¼ gx=m
¼ gg
¼ u3.
• H1-Query: A can always ask the random oracle H1 of any keyword wi 2 {0, 1}
. S answers
the questions of A and records the results of each answer.
If A submits a keyword wi 2 {0, 1}
that has not been asked, S does the following.
1. S generates a random coin ci 2 {0, 1}, so that Pr[ci = 0] = 1/(qT + 1).
2. S picks a random element ai 2 Z
p . If the coin ci = 0, S computes hi ¼ u1 gai
2 G1. If ci
= 1, S computes hi ¼ gai
2 G1.
3. S adds the tuple (wi, hi, ai, ci) to the list H1-list, and returns H1(wi) = hi to A.
If A submits a query wi that has been asked, then S finds the tuple (wi, hi, ai, ci) in the
H1-list and responds H1ðwiÞ ¼ hi 2 G1 to A.
• H2-Query: A can always ask the random oracle H2 of any ti 2 G2. S answers the questions
of A and records the results of each answer.
If A submits a ti 2 G2 that has not been asked. S chooses a random number H2(ti) =
Vi 2 {0, 1}log p
and adds the tuple (ti, Vi) to the list H2-list. Then it returns H2(ti) = Vi to A.
If A submits a query ti that has been asked, then S finds the tuple (ti, Vi) in the H2-list and
responds H2(ti) = Vi to A.
• Pre-trapdoor queries: A can also ask the pre-trapdoor of any keyword wi 2 {0, 1}
. S
answers the questions of A as folloes.
1. For a keyword wi 2 {0, 1}
, S executes H1-Query to get a tuple (wi, hi, ai, ci).
2. If ci = 0, S declares a failure and ends the game.
3. If ci = 1, H1ðwiÞ ¼ hi ¼ gai
2 G1. S generates Twi
¼ u2
ai
¼ ðgai
Þb
and returns Twi
to A
as response for the query.
Challenge. A submits two keywords w0 and w1 where the keywords w0 and w1’s trapdoor
had not asked by A.

• S initiates H1-Query twice to obtain h0; h1 2 G1, where H1(w0) = h0, H1(w1) = h1. If c0 = 1
and c1 = 1, then S reports a failure and terminates.
• Otherwise, we know at least one of c0 and c1 is equal to 0. If c0 = 0 and c1 = 0, S picks ran-
domly a bit b 2 {0, 1}.
• S picks a random element k 2 {0, 1}log p
, and return {u3, k} to A as a response, where k imi-
tates the post trapdoor in our proposed scheme. Note that, if A has an advantage in answer
the above question. We have the implied settings:
k ¼ H2ðeðTw; BUid
ÞÞ
¼ H2ðeð H1ðwiÞ
b
; u3ÞÞ
¼ H2ðeð H1ðwiÞ
b
; u3ÞÞ
¼ H2ðeðgðaþabÞ b
; gg
ÞÞ
¼ H2ðeðg; gÞ
bgðaþabÞ
Þ
of b. If b0
= b, A wins the game and break our scheme.
Correctness Analyses. In the above simulation scheme, if the adversary can break the
game and distinguish the keyword with a non negligible probability that means that the ran-
dom element k it chooses is H2ðeðg; gÞ
bgðaþabÞ
Þ. Then S can compute that k
u2u3gab
¼ eðg; gÞ
abg
which means it solves the DDH problem.
Probability Analyses. We can prove that if A can win the game with a non negligible
probability ε, then S can solve the BDH problem with the probability at least 2ε=eqTqH2
. That
process in detail in [36].
Because of the BDH assumption that the BDH problem is difficult, so the probability
2ε=eqTqH2
is negligible. That is, our scheme is safe.
Taking attack model 2 (a selected keyword attack model from the cloud server) as an exam-
ple, we give the specific flow chart of the game process in Fig 3.
VI. Performance Analysis and Comparison
A. Performance Analysis
The time complexity of our scheme. In the Setup phase, a public parameter and master key
are generated. At this stage, the total number of attributes is defined as n. An exponentiation
operation in G1 or G2 is defined as e. A pairing operation is defined as p. The time complexity
of generating PP, MK, UK, GK is (2 + 2n)e + p, 0, 0, ne respectively. We calculate the total time
complexity of Setup is (2 + 3n)e + p.
In algorithm Encrypt for d2 number of attributes that associated with access structure. In
order to compute CT, the user needs to run (2+2d2)e + p operations. So the time complexity of
Encrypt is (2 + 2d2)e + p.
When generating the private key for a user with number of attributes d1, AA needs to run
(2 + 3d1) e addition operations in order to compute SK. So the time complexity of KeyGenera-
tion algorithm is (2 + 3d1) e.
In algorithm re encryption for d3 number of attributes that ciphertext needs to update, CS
needs to run d3e addition operations in order to update ciphertext component. So the time
complexity of re encryption algorithm is d3e.

Fig 3. Flowchart of attack model 2.

In algorithm private key re generation for d4 number of attributes that a user needs to
update, the PS needs to run d4e addition operations in order to update ciphertext component.
So the time complexity of private key re generation algorithm is d4e.
In algorithm attribute grant for d3 number of attributes that a user needs to granted, PS
needs to run d3e addition operations in order to compute the corresponding SK. So the time
complexity of attribute grant algorithm is d3e.
In algorithm pre trapdoor generation for a keyword w, the user needs to run an exponenti-
ation operation in order to hide the keyword. So the time complexity of pre trapdoor algo-
rithm is e.
In algorithm post trapdoor generation for CS, the user needs to run a pairing operation. So
the time complexity of post trapdoor algorithm is p.
In algorithm decryption for d6 number of user’s attributes satisfying an access structure,
the data owner needs to run 2e + (1 + d6)p addition operations in order to compute the mes-
sage M. So the time complexity of decryption algorithm is 2e + (1 + d6)p.
B. Comparison
We compare the computational complexity of our scheme with the existing schemes presented
in [3, 13, 18] for the specific process in Table 3.
C. Simulation and Evaluation
In order to evaluate the performance of our CP-ABE construction, we test the runtime of the
core algorithms Key Generation, Encryption and Decryption by user with different number of
attributes. Fig 4 shows the test result. The implementation uses the Pairing Based Cryptogra-
phy (PBC) library [37]. We can clearly see from Fig 4 that the key generation time and the
encryption time increase with the number of attributes linearly, and the decryption time keeps
Table 3. Comparisons of Computational Complexity.
Schemes [3] [18] [13] Ours
PP 2e+p 2e+p (2 + 2n)e+p (2 + 2n)e+p
SK (2 + 3d1)e (2 + 3d1)e (2 + d1)e (2 + 3d1)e
CT (2 + 2d2)e+p (2 + 2d2)e+p (1 + 2d2)e+p (2 + 2d2)e+p
CT Update ✘ ✘ d3e d3e
SK Update ✘ ✘ d4e d4e
SK Grant ✘ ✘ d3e d3e
Tr by user ✘ e ✘ e
Tr by CS ✘ p ✘ p
DK 2e+(1 + d6)p 2e+(1 + d6)p (1 + 2d6)e+(2 + 2d6)p 2e+(1 + d6)p
e: an exponentiation operation in G1 or G2;
p: a pairing operation;
d1: number of attributes that a user possess;
d2: number of attributes that associated with access structure;
d3: the number of attributes that ciphertext need to update;
d4: number of attributes that a user needs to update;
d5: number of attributes that a user needs to grant;
d6: the number of user’s attributes satisfying an access structure;
✘: there is no corresponding function or process in the literature.

constant. This result is in agreement with our time complexity analysis in section Security and
Performance analysis.
VI. Application
Our scheme is well suited for applications in cloud computing environments. Take search
engine file management system for example. Firstly, users can become legitimate users by reg-
istered members. After the successful landing of legitimate users, users can not only search for
documents of interest, but also upload local files to server.
On the one hand because of the excessive number of users and documents, the system
through the outsourcing of data files to a CS.
On the other hand because the grade of membership system of the operating construction,
making part of the document can only download by some VIP members. In order to facilitate
the management of the system, the system can set up an interior PS to help manage user mem-
bership grade and duration.
Ordinary users can become VIP users by way of payment. The process of granting the VIP
attribute does not require the system upgrade and the update of the ciphertext. AA only to
issue a grand command to the PS. When a user access, PS verify that the user is required to
grant the attribute according to the identity. To user who needs to be granted attributes, PS
will grant the attribute and private key to the corresponding user in time.
Once the VIP attribute is invalid or expires, AA will update the system in a timely manner
and send update command to PS.
VII. Conclusion
In this paper, we propose an efficiently multi-user searchable encryption with attribute revoca-
tion and grant function for cloud storage.
• In the first scenario, we propose a CP-ABE scheme with attribute revocation and grant. Our
scheme can not only support a single user attribute revocation or grant, but also to some
users to grant or revoke a set of attributes.
• In the second scenario, we propose a multi user search scheme based on a single keyword.
As we focus on the user attribute update instead of the keyword search in this paper. Aiming
at the problem of conjunctive keyword search is a direction that we continue to research.
• In addition, the lazy update of the user’s attribute and the private key increases the efficiency
of the scheme.
Fig 4. The performance of CP-ABE.

• Since PS in our scheme has the permissions granted attributes, in order to prevent a mali-
cious PS to the user to grant a new attribute, we ask our PS must be honest and strict imple-
mentation of the tasks assigned by attribute authority. In other words, PS in strict
accordance with the grant list to verify whether the user needs to grant attributes. Aiming at
the problem of PS malicious attacks is another direction that we continue to research.
Supporting Information
S1 Appendix.
(DOCX)
Acknowledgments
This work is supported by the National Natural Science Foundation of China under grants
61572019, 61173192, the Key Project of Research Foundation of Natural Science Foundation
of Shaanxi Province of China under Grant No. 2016JZ001, Research Foundation of Education
Department of Shaanxi Province of China under grants 2013JK1142. Thanks also go to the
anonymous reviewers for their useful comments.
Author Contributions
Methodology: XZ SW.
Software: XZ YZ.
Validation: SW XZ.
Writing – original draft: SW XZ YZ.
Writing – review editing: SW XZ YZ.
References
1. Sahai A, Waters B. Fuzzy Identity-Based Encryption: Springer Berlin Heidelberg; 2005. 457–73 p.
2. Goyal V, Pandey O, Sahai A, Waters B, editors. Attribute-based encryption for fine-grained access con-
trol of encrypted data. Proceedings of the 13th ACM conference on Computer and communications
security; 2006.
3. Bethencourt J, Sahai A, Waters B, editors. Ciphertext-Policy Attribute-Based Encryption. IEEE Sympo-
sium; 2007: Security and privacy; 2008.
4. Emura K, Miyaji A, Nomura A, Omote K, Soshi M. A Ciphertext-Policy Attribute-Based Encryption
Scheme with Constant Ciphertext Length. International Journal of Applied Cryptography. 2009; 5451
(1):13–23.
5. Attrapadung N, Imai H, editors. Attribute-Based Encryption Supporting Direct/Indirect Revocation
Modes. Ima International Conference on Cryptography and Coding; 2009 Dec 15–17; Cirencester, UK:
Proceedings; 2009.
6. Martinez-Vara P, Barranco JS, IDLSG S, Munoz-Lopez J, Torres-Rodriguez MA, Xique RS, et al.
Ciphertext-Policy Attribute-Based Threshold Decryption with Flexible Delegation and Revocation of
User Attributes (extended version). Centre for Telematics Information Technology University of
Twente. 2009; 13(4):325–9.
7. Wu Q, Miao Z. Adaptively Secure Attribute-Based Encryption Supporting Attribute Revocation. Wireless
Communication Over Zigbee for Automotive Inclination Measurement China Communications. 2012; 9
(9):22–40.
8. Zhang Y, Chen X, Li J, Li H, Li F, editors. FDR-ABE: Attribute-Based Encryption with Flexible and Direct
Revocation. International Conference on Intelligent NETWORKING and Collaborative Systems; 2013:
IEEE Computer Society; 2013.

9. Qiuxin. A Generic Construction of Ciphertext-Policy Attribute- Based Encryption Supporting Attribute
Revocation. Wireless Communication Over Zigbee for Automotive Inclination Measurement China
Communications. 2014; 11(A01):93–100.
10. Yu S, Wang C, Ren K, Lou W, editors. Attribute based data sharing with attribute revocation. ACM Sym-
posium on Information; 2010 Apr; Beijing, China: Computer and Communications Security.
11. Chen JH, Wang YT, Chen KF. Attribute-Based Key-Insulated Encryption. Journal of Information Sci-
ence Engineering. 2011; 27(2):437–49.
12. Li Q, Feng D, Zhang L, editors. An attribute based encryption scheme with fine-grained attribute revoca-
tion. Global Communications Conference (GLOBECOM); 2012: IEEE.
13. Naruse T, Mohri M, Shiraishi Y. Provably secure attribute-based encryption with attribute revocation
and grant function using proxy re-encryption and attribute key for updating. Human-centric Computing
and Information Sciences. 2015; 5(1):1–13.
14. Bao F, Deng RH, Ding X, Yang Y. Private Query on Encrypted Data in Multi-user Settings. Lecture
Notes in Computer Science. 2008; 4991:71–85.
15. Bringer J, Chabanne H, Kindarji B, editors. Error-tolerant searchable encryption. IEEE International
Conference on Communications; 2009: IEEE.
16. Rhee HS, Park JH, Susilo W, Dong HL. Trapdoor security in a searchable public-key encryption scheme
with a designated tester. Journal of Systems Software. 2010; 83(5):763–71.
17. Hu C, Liu P. An Enhanced Searchable Public Key Encryption Scheme with a Designated Tester and Its
Extensions. Journal of Computers. 2012; 7(3):716–23.
18. Lv Z, Zhang M, Feng D, editors. Multi-user Searchable Encryption with Efficient Access Control for
Cloud Storage. IEEE International Conference on Cloud Computing Technology and Science; 2014:
IEEE.
19. Yang Y, Lu H, Weng J, editors. Multi-User Private Keyword Search for Cloud Computing. IEEE Interna-
tional Conference on Cloud Computing Technology and Science; 2011 Nov 29-Dec; Athens, Greece:
Cloudcom; 2011.
20. Liu Z, Wang Z, Cheng X, Jia C, Yuan K, editors. Multi-user Searchable Encryption with Coarser-Grained
Access Control in Hybrid Cloud. International Conference on Emerging Intelligent Data and Web Tech-
nologies; 2013: IEEE Computer Society; 2013.
21. Jian Y, Yang D, editors. An agent-based searchable encryption scheme in mobile computing environ-
ment. International Conference on Computing, Communication and Networking Technologies; 2014:
IEEE Computer Society.
22. Wang Q, Zhu Y, Luo X, editors. Multi-user Searchable Encryption with Coarser-Grained Access Control
without Key Sharing. International Conference on Cloud Computing and Big Data; 2014: IEEE.
23. Kaci A, Bouabanatebibel T, editors. Access control reinforcement over searchable encryption. IEEE
International Conference on Information Reuse and Integration; 2014: IEEE.
24. Lv Z, Chi J, Zhang M, Feng D, editors. Efficiently Attribute-Based Access Control for Mobile Cloud Stor-
age System. IEEE International Conference on Trust, Security and Privacy in Computing and Commu-
nications; 2014: IEEE.
25. Shojafar M, Cordeschi N, Baccarelli E. Energy-efficient Adaptive Resource Management for Real-time
Vehicular Cloud Services. IEEE Transactions on Cloud Computing. 2016; PP(99):1–14.
26. Li W, Song H. ART: An Attack-Resistant Trust Management Scheme for Securing Vehicular Ad Hoc
Networks. IEEE Transactions on Intelligent Transportation Systems. 2016; 17(4):960–9.
27. Umar MM, Mehmood A, Song H. SeCRoP: secure cluster head centered multi-hop routing protocol for
mobile ad hoc networks. Security Communication Networks. 2016.
28. Butun I, Erol-Kantarci M, Kantarci B, Song H. Cloud-centric multi-level authentication as a service for
secure public safety device networks. IEEE Communications Magazine. 2016; 54(4):47–53.
29. Xu Q, Ren P, Song H, Du Q. Security Enhancement for IoT Communications Exposed to Eavesdrop-
pers With Uncertain Locations. IEEE Access. 2016; 4:1–12.
30. Shojafar M, Abawajy JH, Delkhah Z, Ahmadi A, Pooranian Z, Abraham A. An Efficient and Distributed
file search in Unstructured Peer-to-Peer Networks. Peer-to-Peer Networking and Applications. 2015; 8
(1):120–36.
31. Javanmardi S, Shojafar M, Shariatmadari S, Ahrabi SS. FRTRUST: a fuzzy reputation based model for
trust management in semantic P2P grids. International Journal of Grid Utility Computing. 2014; 6
(1):57–66.
32. Wei W, Fan X, Song H, Fan X. Imperfect Information Dynamic Stackelberg Game Based Resource Allo-
cation Using Hidden Markov for Cloud Computing. IEEE Transactions on Services Computing. 2016:1–
13.

33. Zhang Y, Sun L, Song H, Cao X. Ubiquitous WSN for Healthcare: Recent Advances and Future Pros-
pects. IEEE Internet of Things Journal. 2014; 1(1):311–8.
34. Kallahalla M, Riedel E, Swaminathan R, Wang Q, Fu K, editors. Plutus: Scalable Secure File Sharing
on Untrusted Storage. Usenix Conference on File and Storage Technologies; 2003: USENIX associa-
tion; 2003.
35. Goyal V, Jain A, Pandey O, Sahai A. Bounded Ciphertext Policy Attribute Based Encryption: Automata,
Languages and Programming; 2015. 579–91 p.
36. Dan B, Crescenzo GD, Ostrovsky R, Persiano G. Public Key Encryption with Keyword Search:
Springer Berlin Heidelberg; 2004. 506–22 p.
37. Duquesne S, Lange T. Pairing-based cryptography. Mathiiscernetin. 2004; volume 22(3):573–90.

2016_Efficiently Multi-User Searchable Encryption.pdf

Recommended

More Related Content

Similar to 2016_Efficiently Multi-User Searchable Encryption.pdf (20)

Recently uploaded (20)

2016_Efficiently Multi-User Searchable Encryption.pdf