Verifiable Keyword Search Encryption Scheme That Supports Revocation of Attributes

Abstract

In recent years, searchable encryption technology and attribute encryption technology have been widely used in cloud storage environments, and attribute-based searchable encryption schemes can both achieve the retrieval of encrypted data and effectively solve the access control problem. Considering that existing attribute-based searchable encryption schemes for cloud storage only support keyword search and do not support attribute revocation, most of the schemes that support attribute revocation only consider the computational overhead of users and ignore the large amount of computational resources consumed by attribute authorization centers when updating keys. In addition, keyword search may lead to partial errors in the returned search results, leading to the wastage of computational and broadband resources. To solve these issues, this paper proposes an attribute-based searchable encryption scheme that supports attribute revocation and is verifiable. To realize fine-grained ciphertext search of encrypted data, support scenarios of dynamic changes of user attributes, and ensure that third-party servers perform the search process reliably and honestly while minimizing computation and storage costs, first, this paper implements attribute revocation with the attribute authorization center by creating a user revocation list and an attribute key revocation list. At the same time, the system updates the attribute key at the time of user search request, which effectively reduces the computational overhead. Second, a third-party auditor is introduced to ensure the correctness of the search results. Finally, the security of this paper is verified by theoretical analysis, and the efficiency and practicality of this paper are verified by comparing it to other schemes through simulation experiments.

1. Introduction

With the wide application of cloud computing technology, traditional industries are also changing along with the current trends, and informatization and intelligence of traditional industries are the general trends. Cloud storage technology combined with traditional industries can not only improve the service efficiency of mobile applications but also reduce the storage cost of data and realize data-sharing services such as upload and download of various data. However, the personal data generated by users in the relevant application systems usually include a large amount of private information, and cloud servers are mostly untrustworthy or semi-trustworthy, so there may exist a security risk of privacy leakage if user data is stored in the cloud. Therefore, to safeguard sensitive information in user data from leakage and misuse, users must control their data. Attribute encryption technology has been maturely applied in cloud storage and can be used to achieve access control of user data. To improve the security of data, more and more users choose to outsource their data to cloud servers after encryption, and when users want to search relevant data, the traditional plaintext-based retrieval method cannot be directly applied to ciphertext search. Searchable encryption technology can realize keyword search in ciphertext data, but data owners do not want just anyone retrieving their data. An attribute-based searchable cryptographic scheme combining searchable cryptography and attribute-based technology can realize both the retrieval of encrypted data and effectively solve the access control problem. However, in the currently used attribute-based searchable encryption scheme, there are problems, such as dynamic changes of user attributes and lack of flexibility, so an attribute revocation mechanism can be introduced to change the access rights of authorized users, thus realizing a more fine-grained access control. To address the above problems, this paper proposes an attribute-based searchable encryption scheme that supports attribute revocation and can be verified.

2. Related Work

In 2000, Song et al. [1] constructed the first searchable encryption (SE) scheme for retrieving data in ciphertext data without disclosing sensitive information during the retrieval process, which protects the privacy of user data. To address different application requirements, there are two main searchable encryption schemes: public key encryption with keyword search (PEKS) [2] and symmetric key searchable encryption (SSE) [3]. Compared with SSE, PEKS has become a hot research topic for searchable encryption because it does not require complex key management and enables data sharing. When a large amount of data is stored in the cloud, a large number of keyword index duplication problems occur, i.e., the performance of single-keyword searchable encryption schemes reaches a bottleneck. To overcome this problem, in 2012, Premasathian et al. [4] proposed the first multi-keyword searchable encryption scheme, which splices multiple keywords through “and gates” to achieve multi-keyword encryption index and search trapdoor matching to protect the privacy of data.

In 2005, Sahai and Waters [5] proposed an ABE scheme extending identity-based encryption (IBE), the core of which is to split the user identity into multiple attributes and then encrypt and decrypt the data to achieve confidentiality protection and fine-grained access control of data in cloud storage. Based on this, two different ABE schemes have been extended to provide more complex access control, namely, key policy attribute-based encryption (KP-ABE) [6] and ciphertext policy attribute-based encryption, (CP-ABE) [7]. These two schemes differ mainly in terms of access policies; in KP-ABE, the data owner cannot formulate access policies, whereas in CP-ABE it can, so the CP-ABE scheme is widely used in the access control scenario of data in cloud storage. When a data owner stores ciphertext in the cloud for sharing, he does not want to allow the data to be searchable by everyone and only wants to set who can search his encrypted data with some permission. To achieve the search as well as access control functions in ciphertext data, the ABSE concept was first proposed by Zheng et al. in 2014 [8], which achieved secure search and verifiability on outsourced encrypted data. Qiu et al. [9] proposed a ciphertext policy attribute cryptographic primitive based on a keyword search for hidden policies. Zhang et al. [10] proposed a multi-keyword search scheme, and Liu et al. [11] proposed a verifiable attribute-based keyword search encryption scheme while generating a data tag for each shared file to accomplish deduplication. Zhang et al. [12] proposed a blockchain-based expressive with trusted verification and support for a full policy hiding CP-ABE scheme. Yin et al. [13] proposed an attribute-based keyword search scheme considering multiple data owners in a cloud-assisted industrial IoT environment. Liu et al. [14] proposed a multi-keyword attribute-based searchable encryption scheme based on cloud edge collaboration which uploads the corresponding encryption index to the nearest edge node for multi-keyword search and assisted decryption.

In practical applications, user attributes are constantly and dynamically changing, and illegal users who lose some attributes are still able to retrieve and decrypt encrypted messages; this is prone to data leakage and undermines the security of ciphertexts in cloud environments. In 2014, Sun et al. [15] proposed an attribute-based keyword search scheme with a user revocation function that can achieve scalable fine-grained search authorization. As for the research on attribute revocation, Yu et al. [16] extended the concept of outsourcing to outsource complex computations such as re-encryption to achieve attribute revocation. Hur et al. [17] encrypted the key tree with symmetric keys to achieving fine-grained attribute revocation. Li et al. [18] proposed a CP-ABE scheme to achieve attribute revocation by updating the attribute version number. Huang et al. [19] proposed a searchable encryption scheme using LSSS as the access structure to support multi-keyword search and user attribute revocation. Miao et al. [20] proposed a searchable encryption scheme based on hierarchical data and supporting attribute revocation to efficiently share and search encrypted data. Zheng et al. [21] proposed a scheme to construct an identical tree on the cloud server based on the access control tree, thereby supporting user attribute revocation. Zhang et al. [22] proposed a revocable decentralized data-sharing framework for secure data sharing in fog-assisted IoT systems. Ge et al. [23] proposed a revocable attribute-based encryption scheme with integrity protection where the cloud server can directly revoke the access policy and if the cloud server returns an incorrect revocation ciphertext, it will also be detected. In summary, a series of improvement schemes have been proposed to achieve fine-grained attribute revocation. However, the vast majority of current schemes only consider the computational overhead of users, ignoring the large amount of computational resources consumed by attribute authorization centers. To address the above problems, this paper proposes a CP-ABE-based attribute key update method that supports fine-grained attribute revocation. At the same time, a verifiable search encryption scheme is proposed in combination with auditing the ideas to improve the accuracy of the search.

Contributions

The main contributions and innovations of this paper include:

• Support for multi-keyword search: this paper proposes an attribute-based searchable encryption scheme;
• Support for attribute revocation: to address the problem that most of the current attribute-based searchable encryption schemes do not support attribute revocation, this paper maintains the user revocation list and attribute key revocation list by the attribute authorization center and realizes system attribute revocation by updating the version number;
• Introduction of third-party auditing and proposal of a verifiable searchable encryption scheme, which improves the correctness of the search;
• An experiment using Java, which proves the correctness and practicality of this paper’s scheme.

3. Preliminaries

3.1. Bilinear Mapping

Let $G$ and $G_T$ be two $p-order$ multiplicative cyclic groups, and $p$ is a prime number. It can be pointed out that $g$ is the generator of $G$. The bilinear map $e:G\times G\to G_T$ simultaneously satisfies the following properties:

(1)

Bilinearity: $\forall a,b\in Z_p:e(g^a,g^b)={e(g,g)}^{ab}$.

(2)

Non-degeneracy: the existence of $g\in G$ makes $e(g,g)\ne 1$.

(3)

Computability: $\forall u,v\in G,e(u,v)$ all can be computed efficiently.

3.2. Access Tree

Suppose that there exists $T$ representing an access tree, and each non-leaf node $x$ in $T$ can be represented as a gate structure as $({num}_x,k_x)$, where ${num}_x$ denotes the number of child nodes of $x$, and $k_x$ denotes the threshold value, where $k_x\in [0,{num}_x]$. When $k_x=1$, $x$ is denoted as an “or” gate, whereas $k_x={num}_x$ indicates that $x$ is an “and” gate. The leaf node $x$ is used to describe the attribute and specify its threshold value $k_x=1$.

The common representation used in access trees is as follows: function $parent\left(x\right)$ represents the parent node of node $x$, $att\left(x\right)$ denotes the attribute described by leaf node $x,$ and the node is an attribute in $T$ is defined. $index\left(x\right)$ denotes the number of node $x$ among its siblings, $T$ is the access tree with $t$ as the root node, and the subtree in $T$ whose root is node $x$ is denoted by $T_x$.

If a collection of attributes $S$ satisfies the access tree $T_x$, then it can be expressed as $T_x\left(S\right)=1$.

(1)

If $x$ is a non-leaf node, compute $T_{x^{\prime }}\left(S\right)$ for all children $x^{\prime }$ of $x$. $T_x\left(S\right)=1$ is obtained if and only if at least $k_x$ children nodes return 1.

(2)

If $x$ is a leaf node, there is a leaf node when and only when $att\left(x\right)\in S$, there is $T_x\left(S\right)=1$.

3.3. Difficult Assumptions

The DBDH (decisional bilinear Diffie–Hellman assumption) assumption can be defined as follows. Given multiplicative cyclic groups $G_1,G_2$ of order prime $p,$ and $e:G_1\times G_1\to G_2$ is a bilinear mapping. Randomly selected generating elements $g\in G_1$ and numbers $a,b,c\in Z_p$, and given two tuples $(g,g^a,g^b,g^c,{e(g,g)}^{abc})$ and $(g,g^a,g^b,g^c,{e(g,g)}^z)$, the DBDH assumption holds if there does not exist an algorithm that can distinguish ${e(g,g)}^{abc}$ and ${e(g,g)}^z$ in polynomial time with a non-negligible advantage.

$$Ad{v}_{DBDH}=Pr[A(g,g^a,g^b,g^c,e{(g,g)}^{abc})=1]-Pr[A(g,g^a,g^b,g^c,e{(g,g)}^z)=1].$$

(1)

4. Program Design

4.1. System Model

The system includes six types of entities, which are data owner (DO), data user (DU), cloud server (CS), proxy server (PS), attribute authorization center (AA), and third party auditor (TPA).

DO: The data owner first encrypts the data, then uploads the encrypted data to the cloud server and uploads the encryption keyword and encryption key to the proxy server for storage.

DU: The user generates a search trapdoor and submits it to PS for keyword search and obtains the corresponding search result, i.e., the storage address of the ciphertext. The encrypted data be effectively searched and shared with the user only if the user’s attributes satisfy the access policy set by the data owner and the keywords of the query match the keywords set by the data owner.

CS: The cloud server is responsible for storing the encrypted data files and generating the cipher text storage address to the PS. The cloud server is honest and curious, i.e., the cloud server performs the tasks submitted by the user honestly but is also curious about the encrypted data.

PS: The proxy server is semi-trusted, and when it receives a request from a user searching for a trapdoor, it verifies that it returns the storage address of the corresponding ciphertext to the user after the user revokes the list URL.

AA: The attribute authorization center is a fully trusted entity responsible for system establishment, key generation, generation of user identity UIDs, revocation of attributes, etc.

TPA: A fully trusted TPA is used to verify the correctness of search results.

The system model and its flow are shown in Figure 1.

4.2. Security Model

A secure solution must meet the IND-CKA security of its indexed keywords. Attacker $\mathcal{A}$ and Challenger $\mathcal{B}$ describe the security model of the scheme in this paper by playing the following game.

Definition: If $\mathcal{A}$ cannot win by a non-negligible margin within the PPT, then this paper’s scheme implements IND-CKA security for its indexed keywords.

Initialization $.\mathcal{B}$ runs the system to build the algorithm to output the common parameters. $\mathcal{A}$ defines a challenge access tree $T^{*}$.

Stage 1. $\mathcal{A}$ adapts to polynomially bounded subsets of the following queries.

Private key queries. $\mathcal{A}$ adaptively asks $\mathcal{B}$ about the private key ${SK}_{\mathcal{A}}^{S_1}$, ${SK}_{\mathcal{A}}^{S_2}$, …, ${SK}_{\mathcal{A}}^{S_n}$ corresponding to the set of attributes $S_1,S_2,...,S_n$.

Keyword ciphertext queries. $\mathcal{A}$ adaptively asks $\mathcal{B}$ for the ciphertext $I_{w_1},I_{w_2},...,I_{w_m}$ corresponding to the keywords $w_1,w_2,...,w_m$.

All sets of attributes $S_1,S_2,...,S_n$ embedded in the corresponding private key do not satisfy the query $T^{*}$.

Challenge. $\mathcal{A}$ submits two challenge keywords $w_0$ and $w_1$ to $\mathcal{B}$.$\mathcal{B}$ chooses a random bit $b\in \{0,1\}$ from $Z_p^{*}$ and generates a ciphertext $I_{w_b}^{*}$ and sends it to $\mathcal{A}$.

Stage 2. $\mathcal{A}$ repeats Stage 1 several times and continues to initiate a series of queries corresponding to the set of attributes $S_{n+1},S_{n+2},...$, requiring that none of the interrogated private keys satisfy the access tree $T^{*}$.

Guess. Finally, $\mathcal{A}$ outputs $b$ of the guess bits $b^{\prime }$. If $b=b^{\prime }$, then $\mathcal{A}$ wins the game. In the game, let the advantage of $\mathcal{A}$ winning be defined as ${Adv}_{\mathcal{A}}^{IND-CKA}=|Pr[b=b^{\prime }]-\frac{1}{2}|$.

If for a PPT attacker $\mathcal{A}$, the ${Adv}_{\mathcal{A}}^{IND-CKA}$ can be ignored, then the scheme in this paper achieves IND-CKA security for its indexed keywords.

5. The Detailed Implementation of the Scheme

$\mathrm{S}\mathrm{e}\mathrm{t}\mathrm{U}\mathrm{p}(\mathsf{\lambda },\mathrm{U})\to (\mathrm{P}\mathrm{K},\mathrm{M}\mathrm{S}\mathrm{K})$. The algorithm is executed by the AA. The algorithm inputs the security parameters $\lambda$, the set $U$ of all attributes of the system. The AA generates a bilinear mapping $e:G_0\times G_0\to G_1$, $G_0$ and $G_1$ are two cyclic groups of order $p$, and $g$ is the generating element of $G_0$. AA defines two hash functions $H_1:{\{0,1\}}^{*}\to Z_P^{*},H_2:{\{0,1\}}^{*}\to G_0$. AA randomly selects $\alpha ,\beta \in Z_p^{*},g_0\in G_0$ and a unique version number $V_x\in Z_p^{*}$; then, AA outputs public parameter

$$PK=\{e,p,g,g_0,G_0,G_1,H_1,H_2,e{(g,g)}^{\alpha },P{K}_x={\left\{g^{V_x}\right\}}_{(x\in U)}.$$

(2)

The system master key

$$MSK=\{\alpha ,\beta ,{\left\{V_x\right\}}_{x\in U}\}.$$

(3)

At the same time, users in the system will obtain a globally unique identity $\mathrm{U}\mathrm{I}\mathrm{D}$ after completing authentication at AA.

$\mathrm{K}\mathrm{e}\mathrm{y}\mathrm{G}\mathrm{e}\mathrm{n}(\mathrm{P}\mathrm{K},\mathrm{M}\mathrm{S}\mathrm{K},\mathrm{S},\mathrm{U}\mathrm{I}\mathrm{D})\to \mathrm{S}\mathrm{K}$. The algorithm is executed by AA and generates the private key $SK$ for the user with the corresponding attributes based on the attribute set $S$ of the user $UID$. AA randomly selects $r,r^{\prime }\in Z_p^{*}$ to the user $UID$, and computes

$$K_1=g^{\frac{\alpha +r}{\beta }},K_2=g^{\frac{1}{\beta }},K_3=g^r.$$

(4)

For each of the attributes

$$\begin{array}{l}\forall x\in S,K_x=K_3\cdot g^{H_2(x)V_x}=g^r{g}^{H_2(x)V_x}.\end{array}$$

(5)

Then, AA sends $SK=\{K_1,K_2,K_3,{\left\{K_x\right\}}_{x\in S}$} to the user over a secure communication channel while setting the public–private key pair $({pk}_0,{sk}_0)=(g^{r^{\prime }},r^{\prime })$ of DO. Finally, the hash value of this attribute key $SK$ is uploaded to the attribute key revocation list $\mathrm{K}\mathrm{R}\mathrm{L}$ after receiving the search completion message from PS.

$\mathrm{E}\mathrm{n}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{P}\mathrm{K},\mathrm{T},\mathrm{F},\mathrm{W})\to {(\mathrm{I}}_{\mathrm{W}},\mathrm{C}\mathrm{T})$. The algorithm is executed by DO. The algorithm inputs the public parameter $PK$, the access tree structure $T$, given the set of data $F=\{f_1,f_2,...,f_p\}$ to be encrypted, and the corresponding identity set $ID=\{{ID}_1,{ID}_2,...,{ID}_p\}$ and the set of keywords $W=\{w_1,w_2,...,w_m\}$.

Data encryption: DO randomly chooses a symmetric key $k$, then encrypts the data $F$ to obtain ${CF=Enc}_k\left(F\right)$, upload $\mathrm{C}\mathrm{F}$ to $\mathrm{C}\mathrm{S}$, and obtain the returned data file address $M$.

Keyword encryption: DO first calculates

$$I_1=e{(g,g)}^{\alpha s}e(g^{H_1(w)s},g),I_2=g^{\beta s}.$$

(6)

For each node $x$ of the access tree $T$, DO selects a polynomial $q_x$ of order $d_x$ and the threshold value $k_x=d_x-1$. For each root node of the access tree $T$, DO randomly selects a secret value $s\in Z_p^{*}$, sets $q_{root}\left(0\right)=s$, and then randomly selects the other $d_{root}$ nodes to fully define the polynomial $q_{root}$. For the other non-root nodes $x$ in the tree, DO sets $q_x\left(0\right)=q_{parent\left(x\right)}\left(index\right(x\left)\right)$, then randomly selects the other $d_x$ nodes to fully define the polynomial $q_x$. For each leaf node $x$ in the set $X$ of leaves in $T$, DO computes

$$A_x=g^{q_x(0)},B_x=g^{H_2(att(x))q_x(0)V_x}.$$

(7)

Then, the encryption keyword index $I_{w_j}=\{T,I_1,I_2,{\{A_x,B_x\}}_{x\in X}\}$ of data $f_j$. Additionally, DO generates a signature ${sig}_j={\left(H_1\right(c_j\left){g_0}^{H_2\left({id}_j\right)}\right)}^{r^{\prime }}$ for each data $f_j$.

Data encryption key and data address encryption: DO calculates the symmetric key $k$ for encryption as $C_k=k·{e(g,g)}^{\alpha s}$, the encrypted data address $M$ is $C_M=M·{e(g,g)}^{\alpha s}$, and $CT=\{T,C_k,C_M,I_2,{\{A_x,B_x\}}_{x\in X}\}$.

Finally, DO will upload $\mathrm{C}\mathrm{F}$ and $\mathrm{s}\mathrm{i}\mathrm{g}$ to CS, and the $CT$ and $I_w$ to PS.

$\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{G}\mathrm{e}\mathrm{n}(\mathrm{P}\mathrm{K},\mathrm{S}\mathrm{K},\mathrm{q})\to {\mathrm{T}}_{\mathrm{q}}.$ The algorithm is executed by DU. The algorithm inputs the public parameter $PK$, the DU’s attribute key $SK$, and the query key $q$. DU computes

$$T_0={(K_2)}^{H_2(w)}=g^{\frac{H_2(w)}{\beta }},T(q)=K_1\cdot T_0=g^{\frac{\alpha +r+H_2(q)}{\beta }},$$

(8)

For each attribute $x\in S$, DU calculates

$$T_x=K_1\cdot g^{H_2(att(x))V_x}=g^r\cdot g^{H_2(att(x))V_x},$$

(9)

Then, the query trapdoor for the query keyword $q$ is $T_q=\left(T\right(q),{{\{T}_x\}}_{x\in S})$.

$\mathrm{S}\mathrm{e}\mathrm{a}\mathrm{r}\mathrm{c}\mathrm{h}(\mathrm{P}\mathrm{K},{\mathrm{T}}_{\mathrm{q}},{\mathrm{I}}_{\mathrm{w}},\mathrm{S})\to \mathrm{S}\mathrm{R}$. The algorithm is executed by PS. The algorithm inputs the public parameter $PK$, query trapdoor $T_q$, and the index keyword of the current encryption $I_w$. PS checks whether the user’s attribute set $S$ satisfies the access tree $T$ embedded in the ciphertext index $I_w$. If $S$ does not exist, the algorithm returns 0; otherwise, it is calculated as follows.

If node $x$ is a leaf node in the access tree $T$, then calculate

$$E_x=\frac{e(T_x,A_x)}{e(g,B_x)}=\frac{e(g^r\cdot g^{H_2(att(x))V_x}),g^{q_x(0)})}{e(g,g^{H_2(att(x))q_x(0)V_x})}=e{(g,g)}^{r{q}_x(0)}.$$

(10)

For each non-leaf node $x$ in the access tree $T$, the following operation is performed: let node $z$ denotes all child nodes of node $x$, assuming that $S_x$ denotes the set of any $k_x$ children of node $x$. If no such set exists, then $E_z=\perp$; otherwise, $i=index\left(z\right),{S_x}^{\prime }=\left\{index\right(z),z\in S_x\}$. Calculate the following formula:

$$\begin{array}{l}{E}_x={\displaystyle \prod _{z\in S_x}{E}_z^{\Delta i,S_{x^{\prime }}(0)}}={{\displaystyle \prod _{z\in S_x}(e{(g,g)}^{r{q}_z(0)})}}^{\Delta i,S_{x^{\prime }}(0)}\\ ={{\displaystyle \prod _{z\in S_x}(e{(g,g)}^{r{q}_{parent(z)}(index(z))})}}^{\Delta i,S_{x^{\prime }}(0)}\\ ={{\displaystyle \prod _{z\in S_x}(e{(g,g)}^{r{q}_x(0)})}}^{\Delta i,S_{x^{\prime }}(0)}\\ =e{(g,g)}^{r{q}_x(0)}.\end{array}$$

(11)

(c) If node $x$ is a root node in access tree $T$, compute

$$E_{root} = e{(g,g)}^{r{q}_{\mathit{root}}(0)} = e{(g,g)}^{rs}.$$

(12)

Finally, calculate

$$I_1=\frac{e\left(I_2,T\left(q\right)\right)}{E_{root}}$$

to determine whether the index and trapdoor match. If it holds, the search is successful and returns $CT$ to DU, otherwise return $\perp$.

$$\frac{e(I_2,T(q))}{E_{root}}=\frac{e(g^{\beta s},g^{\frac{\alpha +r+H_2(q)}{\beta }})}{e{(g,g)}^{rs}}e{(g,g)}^{\alpha s}e{(g,g)}^{H_1(q)s}.$$

(13)

$\mathrm{V}\mathrm{e}\mathrm{r}\mathrm{i}\mathrm{f}\mathrm{y}(\mathrm{P}\mathrm{K},{\mathrm{p}\mathrm{k}}_0,\mathrm{C}\mathrm{F},\mathrm{s}\mathrm{i}\mathrm{g})$. The algorithm is performed by TPA. After receiving the search results $CF=(c_1,c_2,...,c_{\tau })$, the TPA randomly selects ${\delta }_l\in Z_p^{*}$ for the ciphertext $c_l$ with identity ${id}_l$. The TPA firstly sends the $(l,{\delta }_l)$ to CS, which calculates $\sigma ={\prod }_{l=1}^{\tau }{(sig}_l{)}^{{\delta }_l}$ and $\theta ={\sum }_{l=1}^{\tau }{\delta }_l{H}_2\left({id}_l\right)$ and then sends it to the TPA, which determines whether the search result $\mathrm{C}\mathrm{F}$ is correct according to the following equation.

$$e(\sigma ,g)=e(p{k}_0,g_0^{\theta },{\displaystyle \prod _{l=1}^{\tau }{H}_1 {(c_j)}^{{\delta }_l}}).$$

(14)

$\mathrm{D}\mathrm{e}\mathrm{c}\mathrm{r}\mathrm{y}\mathrm{p}\mathrm{t}(\mathrm{P}\mathrm{K},\mathrm{S}\mathrm{K},\mathrm{C}\mathrm{T})\to \mathrm{F}$. The algorithm is performed by DU. Input the attribute key $SK$, search for the returned $CT$, and output the decrypted data file $F$.

Calculate data file address $M$:

$$\frac{C_k}{\frac{e(I_2,K_1)}{E_{root}}}=\frac{M\cdot e{(g,g)}^{\alpha s}}{\frac{e(g^{\beta s},g^{\frac{\alpha +r}{\beta }})}{e{(g,g)}^{rs}}}=\frac{M\cdot e{(g,g)}^{\alpha s}}{e{(g,g)}^{\alpha s}}=M.$$

(15)

Calculate symmetric key $k$:

$$\frac{C_k}{\frac{e(I_2,K_1)}{E_{root}}}=\frac{k\cdot e{(g,g)}^{\alpha s}}{\frac{e(g^{\beta s},g^{\frac{\alpha +r}{\beta }})}{e{(g,g)}^{rs}}}=\frac{k\cdot e{(g,g)}^{\alpha s}}{e{(g,g)}^{\alpha s}}=k.$$

(16)

Finally, DU accesses the file address $M$ in CS and decrypts it with symmetric key $k$ to obtain the data $F$.

User and property revocation

User revocation: In this scheme, the user revocation list URL is updated by the AA. When the system revokes a user, AA first looks for the identity $\mathrm{U}\mathrm{I}\mathrm{D}$ that proves the user and then adds its hash value to the URL. When the revoking user sends a search request to the PS, the PS verifies its identity by the URL and refuses to return the search result, thus realizing the user’s revocation.

User partial attribute revocation: Because user attributes are updated more frequently, there may exist a problem where the user’s attribute key has been updated several times during the corresponding period when the user has not requested a search. Therefore, in this scheme, the attribute key revocation list KRL is updated by the AA. When the PS verifies the user’s identity, it requests the one-time attribute key $SK$ of that user from the AA and sends its hash value to CS. The authentication is performed by KRL, and the CS returns the encrypted file address $C_M$ to the PS, and then PS sends it to DU and sends a message to AA that $C_M$ has been returned. AA will put the hash of $SK$ into KRL to prevent PS from using the key again for the search result return operation. By updating the attribute key when the user applies for search again, the user’s partial attribute revocation operation is realized.

System property revocation: In this scheme, the system attribute revocation is implemented by updating the version number. When an attribute att is revoked in the system, the corresponding attribute version is $V_x$, AA generates a new attribute version number $V_x^{\prime },V_x^{\prime }\in Z_p^{*}$ and updates ${PK}_x^{\prime }=g^{V_x^{\prime }}$. AA generates an upgrade key $UUK=g^{(V_x^{\prime }-V_x)H_2\left(x\right)}$ for all DUs with attribute att. AA updates the key component $K_x$ of the revoked attribute in each user private key of the attribute set containing att to $K_x^{\prime }=K_x\times UUK$, and the other components remain unchanged, i.e., $SK$ = $\{K_1$, $K_2$, $K_3$, ${\left\{K_x\right\}}_{x\in S}\}$. Additionally, the component $T_x$ = $g^r·g^{H_2\left(att\right(x\left)\right)V_x}$ of the revoked attribute is updated to $T_x^{\prime }=g^r·g^{H_2\left(att\right(x\left)\right)V_x^{\prime }}$ in the trapdoor of all users who have the attribute att, and the other components are left unchanged, i.e., $T_q=\left(T\right(q),{\left\{T_x^{\prime }\right\}}_{x\in S})$. AA generates upgrade keys $CUK=g^{{(V}_x^{\prime }-V_x\left)H_2\right(att\left(x\right)\left)q_x\right(0)}$ for all ciphertexts containing attribute $att$ in the access structure and sends it to CS to update the ciphertext component $B_x$ of the corresponding attribute att to $B_x^{\prime }=B_x\times CUK$, leaving the other components unchanged, i.e., $\{T,I_1,I_2,{\{A_x,B_x^{\prime }\}}_{x\in X}\}$.

6. Safety Analysis and Proof

Theorem 1.

If the DBDH problem is difficult, the index keyword of this paper’s scheme satisfies IND-CKA security.

Proof. 

$\mathcal{A}$ is an attempt to break the keyword ciphertext security attacker, the challenger $\mathcal{B}$ solves the DBDH problem by building algorithms. □

Initialization. $\mathcal{B}$ selects one bit at random $v\in \{0,1\},A=g^a,B=g^b,C=g^c,Z_0={e(g,g)}^{abc},Z_1={e(g,g)}^z$, where $a,b,c\in Z_p^{*}$, and $t_0=(g,A,B,C,Z_0),t_1=(g,A,B,C,Z_1)$.

Stage 1. $\mathcal{B}$ calculates the public parameters $Y=e(B,C)={e(g,g)}^{bc}$ and sends it to $\mathcal{A}$, and $\mathcal{A}$ defines the challenged access tree $T^{*}$.

Private key queries $:\mathcal{A}$ adaptively asks $\mathcal{B}$ about the private key ${SK}_{\mathcal{A}}^{S_1},{SK}_{\mathcal{A}}^{S_2},...,{SK}_{\mathcal{A}}^{S_n}$ corresponding to attribute set $S_1,S_2,...,S_n$. The set of all attributes $S_1,S_2,...,S_n$ embedded in the corresponding private key do not satisfy the query $T^{*}$, and all private keys can be used to generate legitimate query trapdoors.

Keyword ciphertext queries: $\mathcal{A}$ adaptively asks $\mathcal{B}$ for the ciphertext $I_{w_1},I_{w_2},...,I_{w_m}$ corresponding to the keywords $w_1,w_2,...,w_m$.

Trapdoor queries: Given a private key ${SK}_{\mathcal{A}}^{S_i},i\in \{1,n\}$ and a query keyword $q$, generate a search trapdoor $T_{\mathcal{A}}^{S_i}(q)$ by executing $\mathrm{T}\mathrm{r}\mathrm{a}\mathrm{p}\mathrm{G}\mathrm{e}\mathrm{n}(\mathrm{P}\mathrm{K},{\mathrm{S}\mathrm{K}}_{\mathcal{A}}^{{\mathrm{S}}_{\mathrm{i}}},\mathrm{q})\to {\mathrm{T}}_{\mathcal{A}}^{{\mathrm{S}}_{\mathrm{i}}}(\mathrm{q})$. There exists a keyword-encrypted index $I_{w_j},j\in \{1,m\}$. From $\mathrm{S}\mathrm{e}\mathrm{a}\mathrm{r}\mathrm{c}\mathrm{h}(\mathrm{P}\mathrm{K},{\mathrm{T}}_{\mathcal{A}}^{{\mathrm{S}}_{\mathrm{i}}}(\mathrm{q}),{\mathrm{I}}_{{\mathrm{w}}_{\mathrm{j}}},\mathrm{S})\to \mathrm{S}\mathrm{R}$, we know that $T_{w_j}$ is searched successfully only when $q=w_j$ and the set of attributes $S_i$ are satisfied.

Challenge. $\mathcal{A}$ submits two challenge keywords to $\mathcal{B}$ and sends the challenge access tree $T^{*}$ to $\mathcal{B}$. Select a random bit $b\in \{0,1\}$ from the $Z_p^{*}$ and generate a ciphertext $I_{w_b}^{*}=\{T^{*},{I_1}^{*}=Z·e(A^{H_1\left(w\right)},g),{I_2}^{*}=A^{\beta },{\{{A_x}^{*}=g^{q_x\left(0\right)},{B_x}^{*}=g^{H_2\left(att\right(x\left)\right)q_x\left(0\right)V_x}\}}_{x\in X^{*}}\}$ to send to $\mathcal{A}$, where $X^{*}$ denotes the set of leaf nodes of the challenge access tree $T^{*}$.

Stage 2. Similar to Stage 1, $\mathcal{A}$ adaptively interrogates the private key ${SK}_{\mathcal{A}}^{S_{n+1}},{SK}_{\mathcal{A}}^{S_{n+2}},...$ corresponding to the set of attributes $S_{n+1},S_{n+2},...$ and ciphertext $I_{w_{m+1}},I_{w_{m+2}},...$ corresponding to the keywords $w_{m+1},w_{m+2},...$, requiring that neither attribute set $S_{n+1},S_{n+2},...$ embedded into the corresponding key satisfies the challenge access tree $T^{*}$.

Guess. $\mathcal{A}$ outputs $b$′s guess bits $b^{\prime }$. Because none of the attributes sets interrogated by $\mathcal{A}$ satisfies the access tree $T^{*}$, it is not possible to determine $b=0$ or $b=1$ with the search algorithm $\mathrm{S}\mathrm{e}\mathrm{a}\mathrm{r}\mathrm{c}\mathrm{h}(\mathrm{P}\mathrm{K},{\mathrm{T}}_{\mathcal{A}}^{{\mathrm{S}}_{\mathrm{i}}}({\mathrm{w}}_{\mathrm{v}}),{\mathrm{I}}_{{\mathrm{w}}_{\mathrm{b}}},\mathrm{S})\to \mathrm{S}\mathrm{R}$. Therefore, $\mathcal{A}$ must recover the keyword information from $I_{w_b}^{*}$ to determine $b=0$ or $b=1$.

If $v=0,Z=Z_0$, the index keyword ciphertext can be expressed as $I_{w_b}^{*}=\{T^{*},{I_1}^{*}={e(g,g)}^{abc}e(A^{H_1(w)},g),{I_2}^{*}=g^{a\beta },{\{{A_x}^{*}=g^{q_x(0)},{B_x}^{*}=g^{H_2(att(x))q_x(0)V_x}\}}_{x\in X^{*}}\}$. Because $\alpha ,s$ is chosen randomly in indexed keyword encryption such that $bc=\alpha ,a=s$, then the indexed keyword ciphertext can be expressed as $I_{w_b}^{*}=\{T^{*},{I_1}^{*}={e(g,g)}^{\alpha s}e(g^{{sH}_1(w)},g),{I_2}^{*}=g^{\beta s},{\{{A_x}^{*}=g^{q_x(0)},{B_x}^{*}=g^{H_2(att(x))q_x(0)V_x}\}}_{x\in X^{*}}\}$

If $v=1,Z=Z_1$, the index keyword ciphertext can be expressed as $I_{w_b}^{*}=\{T^{*},{I_1}^{*}={e(g,g)}^{z}e(g^{{sH}_1(w)},g),{I_2}^{*}=g^{s\beta },{\{{A_x}^{*}=g^{q_x(0)},{B_x}^{*}=g^{H_2(att(x))q_x(0)V_x}\}}_{x\in X^{*}}\}$. Because $z$ is a random element,$I_{w_b}^{*}$ is also a random element for attacker $\mathcal{A}$.

$\mathcal{A}$ outputs $b$′s guess bits $b^{\prime }$. If $b=b^{\prime }$, $\mathcal{B}$ outputs $v$′s the guess $v^{\prime }=0$. Because $\mathcal{A}$ has the advantage of recovering $H(w_b)$ from $I_{w_b}^{*}$, the probability that $\mathcal{A}$ outputs $b=b^{\prime }$ is $1/2+\epsilon$. If $b\ne b^{\prime }$, $\mathcal{B}$ outputs $v$′s guess $v^{\prime }=1$.The probability of $\mathcal{A}$ outputs $b=b^{\prime }$ is $1/2$.

Therefore, the overall advantage of $\mathcal{B}$ in solving the DBDH problem in the above game is

$$Ad{v}_A^{DBDH}=|\frac{1}{2}Pr[v=v^{\prime }|v=0]+\frac{1}{2}Pr[v=v^{\prime }|v=1]-\frac{1}{2}|=|[\frac{1}{2}(\frac{1}{2}+¦\epsilon )+\frac{1}{2}\cdot \frac{1}{2}]-\frac{1}{2}|=\frac{\epsilon }{2}$$

If $\epsilon$ is not negligible, then ${Adv}_{\mathcal{A}}^{DBDH}$ is also non-negligible, so $\mathcal{B}$ can crack the DBDH problem by a non-negligible advantage, which contradicts the assumption of the DBDH problem.

7. Analysis of Performance

7.1. Functional Comparison

The proposed scheme in this paper is analyzed and compared with other schemes in terms of multi-keyword query, attribute revocation, and verifiable results. From

Table 1. Functional comparison.

Programs	Access Structure	Multi-Keyword Search	Attribute Revocation	Verifiable Result
Qiu et al. [9]	$\mathrm{L}\mathrm{S}\mathrm{S}\mathrm{S}$	√	×	×
Zhang et al. [10]	$\mathrm{L}\mathrm{S}\mathrm{S}\mathrm{S}$	√	×	√
Miao et al. [20]	Access Tree	√	√	×
Ours	Access Tree	√	√	√

, we can conclude that the scheme in this paper achieves all the following features at the same time and is more functional, so the proposed scheme in this paper is more suitable in practical scenarios.

7.2. Comparison of Storage Costs

The definitions of some symbols for storing the cost are as follows: $\left|G\right|$ denotes the length of the bits of the elements in the group, $G$. denotes the length of the bits of the elements in the domain, $\left|Z_P\right|$ denotes the number of user-owned attributes in the system $Z_P$, $\left|S\right|$ indicates the number of all attributes in the system, $N$ denotes the number of keywords in the file, and $m$ denotes the number of revoked attributes.

Table 2. Comparison of storage costs.

Programs	User Key	Encrypted Data	Encrypted Keyword Index	Attribute Revocation
Qiu et al. [9]	$(2|S|+2)\left|G\right|+\left|Z_P\right|$	$(2+2|S|)\left|G\right|$	$(1+2|S|)\left|G\right|$	$-$
Zhang et al. [10]	$(2|S|+3)\left|G\right|+\left|Z_P\right|$	$(|S|+3)\left|G\right|$	$(1+3|S|+m)\left|G\right|$	$-$
Miao et al. [20]	$(2|S|+2)\left|G\right|$	$(2+2|S|)\left|G\right|$	$(2+2|S|+m)\left|G\right|$	$(2n+2)\left|G\right|$
Ours	$(|S|+3)\left|G\right|$	$(4+2|S|)\left|G\right|$	$(2+2|S|+m)\left|G\right|$	$3n\left|G\right|$

gives the storage cost comparison.

7.3. Computational Cost Comparison

For the comparison of computational cost, $E$ denotes the exponential operation time of the group, and $P$ denotes the bilinear pairing computation time. The computational cost of the encryption phase algorithm, the trapdoor generation phase algorithm, the decryption phase algorithm, the search phase algorithm, and the attribute revocation phase algorithm are mainly provided in

Table 3. Comparison of computational costs.

Programs	Encrypt	TrapGen	Search	Decrypt	Revocation
Qiu et al. [9]	$(4|S|+2)E+P$	$(2|S|+1)E$	$E+2NP$	$-$	$-$
Zhang et al. [10]	$(2|S|+2)E$	$(2N+1)E$	$E+(2N+2)P$	$\left|S\right|P+3E$	$-$
Miao et al. [20]	$(4|S|)E$	$(2|S|+3)E$	$(2|S|+3)P+2\left|S\right|E$	$(2+|S|)P+E$	$(2n+2)E$
Ours	$(2|S|+3)E+P$	$(|S|+1)E$	$(2|S|+1)P+\left|S\right|E$	$2P$	$3nE$

. In the decryption phase, the description of the decryption phase is not covered in [9], so it is not involved in the comparison.

8. Experiments

To analyze the actual performance of the scheme in this paper and related literature schemes, this paper conducted a series of simulation experiments using the JPBC (Java Pairing-Based Cryptography) library on the Java platform and ran under IntelliJ IDEA, selecting class A curves $y^2=x^3+x$. The simulation environment is Windows 10 operating system Inter Core i7-7500 CPU @ 2.70 GHz. The number of user attributes selected in this paper is $\left|S\right|=N\in [10,50]$.

The experiments provide the results of the computational cost of the three main algorithms of the scheme, encryption, trapdoor generation, and search algorithms, and the results are shown in Figure 2. According to the experimental results in Figure 2a,c, it can be seen that the computational cost of the algorithms grows linearly with the number of attributes. In general, the use of an LSSS access structure is more efficient than that of a tree access structure, but the computational cost of the scheme in this paper is also smaller in overhead than a similar scheme [20] that uses a tree access structure. From Figure 2a, it can be seen that scheme [20] takes 0.698 s when $N=30$, whereas our scheme takes 0.583 s. From Figure 2c, it can be seen that scheme [20] takes 0.448 s when $N=30,$ whereas our scheme takes 0.393 s. According to the experimental results in Figure 2b, it can be seen that the scheme in this paper always maintains the lowest total computational overhead in the trapdoor generation phase. When $N=30$, the time spent in the scheme [10] is almost twice as long as that in our scheme. At the same time, the time required for the decryption phase of the scheme in our scheme is a very small constant, independent of the number of attributes, which greatly reduces the computational overhead. In summary, the scheme in this paper is efficient and feasible in practical scenarios.

9. Conclusions

In this paper, we propose an attribute-based searchable encryption scheme, which not only realizes multi-keyword search, but also verifies the correctness of search results by introducing TPA and realizes the function of attribute revocation. First, the scheme in this paper achieves attribute revocation by creating a user revocation list as well as an attribute key revocation list. To reduce the large computation overhead of the attribute authorization center within a certain period, the scheme in this paper shifts the key update method from frequent changes to on-demand single changes when a user partially revokes an attribute to achieve more fine-grained user and attribute revocation. Second, the scheme was proven with security analysis, which shows that the scheme is secure in the cloud environment, and the experimental analysis was compared with other schemes to prove the feasibility and efficiency of the scheme. Finally, with the need for practical applications and further research, the implementation of richer keyword search functions, such as fuzzy keyword search, semantic keyword search, etc., while ensuring security and high efficiency, is an issue to be considered in future work.