Lightweight and Privacy-Preserving Multi-Keyword Search over Outsourced Data

Abstract

In cloud computing, documents can be outsourced to the cloud server to achieve flexible access control and efficient sharing among multiple users. The outsourced documents can be intelligently searched according to some keywords with the help of cloud server. During the search process, some private information of outsourced documents may be leaked since the keywords may contain sensitive information of users. However, existing privacy-preserving keyword search schemes have high computation complexity, which are not suitable for resource-constrained end devices—that is, the data processing and search trapdoor generation procedures require users to take resource-intensive computations, e.g., high-dimensional matrix operations, exponentiations and bilinear pairings, which are unaffordable by resource-constrained devices. To address the issues of efficiency and privacy for realizing sorted multi-keyword search over outsourced data in clouds, this paper proposes a lightweight privacy-preserving ranked multi-keyword search (PRMS) scheme, which is further extended to allow each outsourced document to be associated with multiple types of keywords. The searched documents can be sorted according to their similarity scores between the search query and the keyword index of documents, so that only when the similarity score exceeds a given threshold, the corresponding searched document will be returned. The security analysis demonstrates that the proposed PRMS schemes can guarantee the privacy of outsourced documents and keywords, and provides unlinkability for search trapdoors. Performance analysis and comparison show the practicality of the proposed PRMS schemes.

1. Introduction

With cloud computing technology, users with limited local resources do not need to purchase expensive hardware to support massive data storage [1]. Thus, for economic savings, individuals and enterprises can engage cloud servers to maintain big data, for example, videos, animations, and images. However, some sensitive information of outsourced data may be leaked, since the data owner would lose control of these data [2,3]. Therefore, to protect the privacy of user data, they should be properly processed before being outsourced, so that only the data in ciphertext format are maintained at the cloud server side.

When retrieving the interested data, users can request the cloud server to search over outsourced dataset with some specific keywords [4,5,6,7]. However, there are two issues to be addressed in the keyword search scenarios for outsourced data: data privacy and efficiency. For example, in the Internet of Things (IoT) scenario, the keywords of the collected data may contain sensitive information of outsourced data, which means the search keywords cannot be submitted to the cloud server in plaintext format. Otherwise, the users’ private information could be deduced by the cloud server from outsourced documents. To support privacy-preserving data search, and many single/multiple keywords search schemes have been proposed [8,9,10,11].

However, existing keyword search solutions in private/public key settings require heavy computations in both data processing and search trapdoor generation phases at the user side. For example, in [12], users need to perform high-dimensional matrix operations, such as multiplication and inversion operations, where the matrix dimension is determined by the cardinality of the keyword set. Furthermore, in [13,14], users have to compute heavy exponentiation operations for generating searchable indexes and search trapdoor. However, these resource-intensive computation operations cannot be afforded by resource-constrained devices, thus, those existing keyword search constructions are not applicable to IoT-related application scenarios.

1.1. Our Contributions

This paper aims to provide a solution to protect the privacy of outsourced data, which supports privacy-preserving keyword search and does not require resource-intensive computations. Specifically, this paper proposes lightweight privacy-preserving ranked multi-keyword intelligent search (PRMS) schemes over outsourced documents, where the search results are determined by the similarity score between the search query and the keyword index of each document. The searched documents can be sorted by the cloud server according to their similarity scores. Only the top-ranked documents whose similarity scores exceed the target threshold should be returned.

With the basic PRMS scheme, which was previously presented in the preliminary version [15], each outsourced document can be processed with a group of keywords so that it can be searched according to multiple keywords. Only when the number of search keywords contained in the outsourced document exceeds the given search threshold, the outsourced document will be returned. With the extended PRMS scheme, each outsourced document can have multiple different types of keywords, so that the document can be searched and retrieved based on any type of keywords.

Security analysis shows that the proposed PRMS schemes can guarantee the privacy of searchable index of outsourced documents and queries. Specifically, the cloud server cannot deduce any private information of outsourced documents from the encrypted index and queries. Furthermore, the proposed PRMS schemes offer the unlinkability of search trapdoors—that is, the cloud server is unable to identify whether two search trapdoors are generated for the same query.

In both PRMS schemes, the data processing and query generation phases only take lightweight computing operations at user side. Performance analysis demonstrates that our PRMS schemes are much more efficient than existing technologies; thus, they can be deployed in an IoT setting to support resource-constrained devices.

Compared with the preliminary version [15], this paper provides an extended PRMS scheme to support multiple types of keywords for each outsourced document, in which security and performance are also analyzed. Moreover, the experiments on the basic PRMS scheme are tested on a new platform as in evaluating the extension scheme.

1.2. Related Works

The first single keyword searchable encryption scheme over outsourced encrypted data was proposed by Song et al. [16] in the symmetric key setting. Subsequently, many schemes supporting single keyword searching [17,18,19,20] were designed. Cash et al. [21] proposed a scheme supporting single-keyword boolean search over large outsourced dataset. However, the single keyword search mechanism cannot provide accurate search results. Since the cloud server usually stores massive amounts of data, there would be many pieces of matched data satisfying the search condition of a single keyword, and most of the search results may have no relation with the expected data.

To support more sophisticated outsourcing search methods, many multi-keyword search schemes have been proposed [12,22,23,24]. Such multi-keyword search mechanism has many advantages over the single keyword search. With the multi-keyword search method, users are able to implement more complicated search conditions on outsourced data, in such a way that the accuracy of search results could be greatly improved. Furthermore, the efficiency can be enhanced, since the users do not need to carry out multiple rounds of single keyword search to achieve the same effect of multi-keyword search. Thus, the multi-keyword search schemes can allow the cloud server to return the most relevant data, which are more practical than the single keyword search mechanism in supporting real-world applications. For example, the works [25,26] support multi-keyword search with fully homomorphic encryption, refs. [22,23,27] conjunctive keyword search, ref. [24] multi-keyword fuzzy search, and [12] ranked multi-keyword search.

In the public-key setting, the first searchable encryption scheme was proposed by Boneh et al. [13], where anyone can outsource encrypted data to the cloud server, but only the user holding the private key can issue search queries. Xu et al. [28] constructed a searchable public-key ciphertexts scheme with hidden structures to achieve fast search. Hu et al. [29] presented a public-key encryption scheme with keyword search from obfuscation, where the cloud server is given an obfuscated simple decrypt-then-compare circuit with the secret key to perform keyword search. Xu et al. [30] designed a public-key multi-keyword searchable encryption scheme with a hidden structures model, which also supports boolean search over encrypted e-mails. Wang et al. [31] proposed a tree-based public-key multi-dimensional range searchable encryption scheme from the predicate encryption method and leakage function. For Olakanmi and Odeyemi’s certificateless lightweight keyword searchable encryption scheme [32], it was proved to secure against inside keyword guessing attacks in Industrial Internet of Things setting.

To enrich the functionality of searching over remote data, various practical schemes have been designed. He and Ma [33] proposed a fuzzy search scheme over encrypted data using bloom filter. Zhang et al. [34] noticed that He and Ma’s proposal [33] cannot resist the sparse non-negative matrix factorization based attacks and further presented a multi-keyword fuzzy search scheme using random redundancy method. Fu et al. [11] designed a semantic-aware search scheme, where both the index and search trapdoor contain two vectors. Yang, Liu and Deng [35] proposed a multi-keyword ranked searchable encryption scheme in multi-user setting, which does not require the keyword set to be predefined and supports keywords in arbitrary language and flexible search authorization. Ding et al. [36] constructed a multi-keyword search scheme in wireless body area networks, which also supports access control on electronic health records. Deebak et al. [37] designed a privacy-preservation phrase with multi-keyword ranked searching scheme, which employs optimized filtering and binary tree index structure to improve the search efficiency.

Cao et al. [12] proposed an efficient multi-keyword ranked search scheme over encrypted cloud data, where coordinate matching was introduced to capture the relevance between data documents and the search query. In Raghavendra et al.’s solution [38], the index for keywords was generated using split factor, and to save computation overheads, the index tree was constructed to store keywords. Ren et al. [14] studied multi-keyword ranked search, where the search trapdoor is generated using a polynomial function. Ding et al. [39] constructed a keyword set using k-grams and Jaccard coefficient, and also built searchable index of small size. Zhao et al. [40] developed a privacy-preserving ranked multi-keyword search scheme over outsourced data, which supports the verifiability of the search results. In Liu et al.’s scheme [8], the user is allowed to update the outsourced data and verify the search result. However, these existing schemes require resource-intensive matrix operations or cryptography operations, which cannot be afforded by the end devices in IoT application scenario. The comparison of these related schemes is shown in

Table 1. Comparison with related works.

Scheme	Search Mechanism	Setting	Application	Advantage
Cao et al. [12]	Multi-keyword	Private key	Cloud computing	Ranked search; coordinate matching
Boneh et al. [13]	Single keyword	Public key	Email gateway	Semantically secure
Ren et al. [14]	Multi-keyword	Private key	Cloud computing	Ranked search; lightweight
Liu et al. [15]	Multi-keyword	Private key	Cloud computing; IoT	Ranked search; lightweight
Song et al. [16]	Single keyword	Private key	Cloud storage	Provably secure; controlled searching; hidden queries
Chang and Mitzenmacher [17]	Single keyword	Private key	Distributed file system	File update
Bellare, Boldyreva and O’Neil [18]	Single keyword	Public key	Database	Deterministic; CCA security
Li et al. [19]	Multi-keyword	Private key	Cloud computing	Fuzzy keyword search
Wang et al. [20]	Multi-keyword	Private key	Cloud computing	Ranked search
Cash et al. [21]	Single keyword	Private key	Large database; arbitrarily-structured data	conjunctive search; general Boolean queries
Golle, Staddon and Waters [22]	Multi-keyword	Private key	Email system	Conjunctive keyword search
Hwang and Lee [23]	Multi-keyword	Public key	Remote storage system	Conjunctive keyword search; Multi-user
Fu et al. [24]	Multi-keyword	Private key	Cloud computing	Fuzzy search; ranked search
Liu, Han and Wang [25]	Multi-keyword	Multikey	Cloud computing	Multiple data source
Anand and Satapath [26]	Single keyword	Public key	Cloud computing	Ranked search
Chenam and Ali [27]	Single keyword	Public key	Medical Internet of Things	Designated tester; conjunctive keyword search; certificateless; dynamical
Xu et al. [28]	Single keyword	Public key	Large-scale databases	Hidden structures; semantic security
Hu et al. [29]	Single keyword	Public key	Cloud computing	Resist of off-line keyword guessing attacks
Xu et al. [30]	Multi-keyword	Public key	Large encrypted email database	Boolean search
Wang et al. [31]	Multi-keyword	Private key	Cloud computing	Scalable; multi-dimensional range search
Olakanmi and Odeyemi [32]	Single keyword	Public key	Industrial Internet of Things	Certificateless; resist inside keyword guessing attacks
Zhang et al. [34]	Multi-keyword	Private key	Cloud storage	Fuzzy search; resist sparse non-negative matrix factorization based attacks
Yang, Liu and Deng [35]	Multi-keyword	Public key	Cloud storage	Ranked search; multi-user; time-controlled revocation
Deebak et al. [37]	Multi-keyword	Private key	Sustainable edge-cloud networks	Ranked search; conjunctive search
Raghavendra et al. [38]	Multi-keyword	Private key	Cloud computing	Fuzzy search; synonym based search
Zhao et al. [40]	Multi-keyword	Private key	Cloud computing	Ranked search; verifiability

.

1.3. Paper Organization

The remainder of this paper is organized as follows. Section 2 describes the system model, threat model and design goals of PRMS. Section 3 presents basic PRMS construction, which is extended to support multiple types of keywords in Section 4. The security and performance of the proposed PRMS schemes are evaluated and compared in Section 5. Section 6 concludes the paper.

2. System Model and Security Requirements

2.1. System Model

As shown in Figure 1, a PRMS system consists of three types of entities, namely, data owner, data user and cloud server. There is a secure communication channel between data owner and data user for key sharing. The data owner outsources a collection of documents to the cloud server. Since the documents may contain sensitive information, they cannot be directly uploaded to the cloud server. Thus, to protect the privacy of outsourced documents, they should be outsourced in ciphertext format.

To facilitate data searching, the outsourced documents should be attached with a list of keywords or multiple types of keywords. The keywords of the same type constitutes a keyword dictionary. To guarantee that the keywords cannot leak the privacy of outsourced documents, the data processing phase would produce encrypted searchable indexes for each document. The searchable indexes are outsourced to the cloud server together with the document.

In the search phase, data user can generate a search trapdoor of its query vector with multiple keywords to enable the cloud server to search over outsourced documents. The keywords in the query vector are also contained in the keyword dictionary, which should be transformed into search trapdoor to protect the privacy of outsourced data. Upon receiving the search trapdoor, the cloud server computes the similarity score between each encrypted searchable index and the search trapdoor, and returns the document if its similarity score satisfies the given search threshold.

2.2. Security Requirements

The cloud server holds the encrypted documents and ciphertext indexes of users. In the honest-but-curious model, the cloud server can perform multi-keyword search according to the user’s request, but it may be curious about the sensitive information of outsourced documents. That is, the cloud server may try to deduce some information from the outsourced documents, ciphertext indexes, and search trapdoors.

A secure PRMS scheme needs to satisfy the following requirements.

• Data privacy: The documents should be outsourced in ciphertext format, so that the cloud server cannot infer any sensitive information about outsourced documents.
• Keyword privacy: The cloud server should not be able to determine whether a specific keyword is relevant to an outsourced document according to encrypted document, encrypted index and search trapdoors.
• Trapdoor unlinkability: The cloud server should not be able to identify whether two search trapdoors are generated from the same query.
• Multiple types of keywords: Each document can be associated with multiple types of keywords, and can be searched according to each type of keywords.
• Efficiency: Due to the limited computation capability of data owner and data user, the data processing and query generation phases cannot contain resource-intensive computations.

2.3. Framework

A PRMS scheme consists of four efficient procedures, namely, Setup, Index, Trapdoor, and Search.

• Setup (${\mathit{\lambda }}_{\mathbf{1}},{\mathit{\lambda }}_{\mathbf{2}},{\mathit{\lambda }}_{\mathbf{3}},{\mathit{\lambda }}_{\mathbf{4}}$): With input security parameters ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4$, data owner generate public parameter $para$  and secret key S.
• Index ($\mathit{F},\mathit{para},\mathit{D}$): For each document $F_i$$(i=1,\cdots ,m)$, data owner generates ciphertext document ${\overline{F}}_i$, constructs plaintext index vector ${\overline{I}}_i$, and produces ciphertext index vector ${\widehat{I}}_i$. Data owner uploads the ciphertext document set $\overline{F}=\{{\overline{F}}_i:i=1,\cdots ,m\}$  and ciphertext index vector set $\widehat{I}=\{{\widehat{I}}_i:i=1,\cdots ,m\}$  to the cloud server.
• Trapdoor ($\mathit{W},\mathit{para},\mathit{D}$): From the given search keyword set W, data user generates encrypted search trapdoor $\widehat{Q}$, and sets a search threshold $\tau$. The search trapdoor $\widehat{Q}$  and search threshold $\tau$  are sent to the cloud server.
• Search ($\widehat{\mathit{I}},\widehat{\mathit{Q}},\mathit{\tau },\mathit{para}$): With the received search trapdoor $\widehat{Q}$, the cloud server compute similarity score with each ciphertext index vector in $\widehat{I}$  and return the document if the similarity score is larger than $\tau$.

3. Basic PRMS Construction

This section introduces a basic PRMS scheme based on the inner product similarity computing technology [41], where the procedures are summarized in Figure 2. The frequently used notations are summarized in

Table 2. Notations.

Notations	Descriptions
${\lambda }_i$  $(i=1,2,3,4)$	Security parameters
s	Secret key of data owner
p	Large prime
H	One-way hash function
N	The filename of document F
d	The size of document F
F	Document
$\overline{F}$	Encrypted document
D	Keyword dictionary
n	Number of keywords in D
$\mathbf{D}$	Dictionary set $\mathbf{D}=\{D_1,D_2,\cdots ,D_z\}$
W	A set of search keywords
$\overrightarrow{I}$	A plaintext index vector $\overrightarrow{I}=(I_1,I_2,\cdots )$
$\widehat{I}$	A ciphertext index vector $\widehat{I}=({\widehat{I}}_1,{\widehat{I}}_2,\cdots )$
$\overrightarrow{Q}$	Query vector $\overrightarrow{Q}=(Q_1,Q_2,\cdots )$  constructed from W
$\widehat{Q}$	Search trapdoor in ciphertext format
$\gamma$	The hash value with regard to document F
$m_i,t_i$	Random numbers for $1\le i\le n+2$
$\delta$	Random number
$\tau$	Search threshold

.

• System setup: With input security parameters ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4$, the data owner constructs a dictionary D, which contains n keywords. The data owner randomly picks a large prime p such that $\left|p\right|={\lambda }_2$, an element $s{\in }_R{Z}_p^{*}$, and a cryptographic one-way hash function $H:{\{0,1\}}^{*}\to {\{0,1\}}^{{\lambda }_1}$. Thus, the system public parameters are $para=({\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4,p,n,H)$. The data owner keeps D and s secret.
• Index generation: For each document F, the data owner encrypts it as ciphertext document $\overline{F}$  using some secure symmetric encryption algorithm, randomly picks a unique file name N, and calculates the length d of document F. The data owner computes $\gamma =H(N,d)$  and constructs the index vector $\overrightarrow{I}$  such that if the document F contains the ith keyword in the dictionary D, then $I_i=1$, otherwise $I_i=0$. The data owner further sets $I_{n+1}=I_{n+2}=0$, chooses $n+2$  random number $m_i$  such that $\mid m_i\mid ={\lambda }_3$  for $1\le i\le n+2$, and encrypts each $I_i$  as follows:

  $${\widehat{I}}_i=s·(I_i·\gamma +m_i)modp$$

  (1)
  Then for document F, the data owner outsources the ciphertext index vector $\widehat{I}=({\widehat{I}}_1,{\widehat{I}}_2,\cdots ,{\widehat{I}}_{n+2})$  and the processed file $\widehat{F}=(\overline{F},\gamma )$  to the cloud server, and keeps $(N,d)$  at local.
• Trapdoor generation: Data user picks a large random number $\delta$  such that $\mid \delta \mid ={\lambda }_1$, and computes $s^{-1}modp$. From the query keyword set W, data user constructs query vector $\overrightarrow{Q}$, where $Q_i=1$  if the query keyword set W contains the i-th keyword in the dictionary D, otherwise $Q_i=0$. The data user then sets $Q_{n+1}=Q_{n+2}=0$, and randomly chooses $n+2$  numbers $t_i$  such that $\mid t_i\mid ={\lambda }_4$  for $1\le i\le n+2$. The data user constructs the search trapdoor $\widehat{Q}=({\widehat{Q}}_1,{\widehat{Q}}_2,\cdots ,{\widehat{Q}}_{n+2})$, where

  $${\widehat{Q}}_i=s^{-1}·(Q_i·\delta +t_i)modp$$

  (2)
  The data user sets the search threshold, $\tau$, and submits the search trapdoor $\widehat{Q}$  and $(\tau ,\delta )$  to the cloud server.
• Search: Once received, the encrypted search trapdoor $\widehat{Q}$, the cloud server computes the similarity score $\mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})$  with each $\widehat{I}$  of outsourced documents as follows. The cloud server computes

  $$\begin{array}{c}\hfill E=\mathsf{Score}(\widehat{I},\widehat{Q})=\widehat{I}\odot \widehat{Q}modp\end{array}$$

  (3)

  where “⊙” denotes the modular vector inner product operation. By properly choosing the elements under the given security parameters ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4$, both the following conditions can be satisfied

  $$\widehat{I}\odot \widehat{Q}<p$$

  (4)

  and

  $$\begin{array}{cc}\hfill \rho & =\sum _{i=1,I_i\ne 0,Q_i\ne 0}^{n+2}(\gamma t_i{I}_i+m_i\delta Q_i+m_i{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_i=0,Q_i\ne 0}^{n+2}(m_i\delta Q_i+m_i{t}_i)+\sum _{i=1,I_i\ne 0,Q_i=0}^{n+2}(\gamma t_i{I}_i+m_i{t}_i)+\sum _{i=1,I_i=0,Q_i=0}^{n+2}{m}_i{t}_i\hfill \\ \hfill & <\gamma \delta .\hfill \end{array}$$

  (5)
  Then, the cloud server computes

  $$\begin{array}{c}\hfill \mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})=\sum _{i=1}^n{I}_i·Q_i=\frac{E-(Emod\delta ·\gamma )}{\delta ·\gamma }\end{array}$$

  (6)
  If the following search condition is satisfied

  $$\mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})\ge \tau$$

  (7)

  then the corresponding document $\overline{F}$  is returned. According to the similarity score $\mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})$, the searched documents can be sorted. In this way, the searched documents would be returned if their similarity scores are greater than the given search threshold.

A flow chart of the proposed basic PRMS scheme is depicted in Figure 3.

Theorem 1.

The proposed basic PRMS scheme is correct.

Proof. 

To compute the similarity score $\mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})$, it is required that both $I_i\ne 0$  and $Q_i\ne 0$  are satisfied for $1\le i\le n$. Let

$$E^{\prime }=\sum _{i=1,I_i\ne 0,Q_i\ne 0}^{n+2}\gamma \delta I_i{Q}_{i}modp$$

Note that

$$\begin{array}{cc}\hfill E& =\widehat{I}\odot \widehat{}Q\hfill \\ \hfill & =\sum _{i=1,I_i\ne 0,Q_i\ne 0}^{n+2}(\gamma \delta I_i{Q}_i+\gamma t_i{I}_i+m_i\delta Q_i+m_i{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_i=0,Q_i\ne 0}^{n+2}(m_i\delta Q_i+m_i{t}_i)+\sum _{i=1,I_i\ne 0,Q_i=0}^{n+2}(\gamma t_i{I}_i+m_i{t}_i)+\sum _{i=1,I_i=0,Q_i=0}^{n+2}{m}_i{t}_i\hfill \\ \hfill & =E^{\prime }+\rho modp\hfill \end{array}$$

If $E<p$  and $\rho <\gamma \delta$  hold, then we have

$$\begin{array}{ccc}\hfill \mathsf{Score}(\overrightarrow{I},\overrightarrow{Q})& =& \frac{E-(Emod\delta ·\gamma )}{\delta ·\gamma }\hfill \\ & =& \frac{E-\rho }{\delta ·\gamma }\hfill \\ & =& \frac{{\sum }_{i=1,I_i\ne 0,Q_i\ne 0}^{n+2}\left(\gamma \delta I_i{Q}_i\right)}{\delta ·\gamma }\hfill \\ & =& \sum _{i=1,I_i\ne 0,Q_i\ne 0}^{n+2}\left(I_i{Q}_i\right)\hfill \\ & =& \overrightarrow{I}\odot \overrightarrow{Q}modp\hfill \end{array}$$

Thus, the proposed basic PRMS scheme is correct. □

As shown in Equation (2), each element $Q_i$  in the query vector $\overrightarrow{Q}$  is randomized with a randomly chosen value $t_i$. Therefore, even when the i-th keyword does not exist in the dictionary D, the privacy of the query keyword set at i-th position can still be guaranteed, which means $Q_i=0$  would not be leaked from the search trapdoor element ${\widehat{Q}}_i$.

4. Extension

This section presents an extended PRMS construction, which allows the outsourced document to be attached with multiple types of keywords.

• System setup: With input security parameters ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4$, the data owner constructs a dictionary set $\mathbf{D}=\{D_1,D_2,\cdots ,D_z\}$, where $D_{\ell }$$(1\le \ell \le z)$  represents a dictionary of some type of keywords. Without loss of generality, it is assumed that each dictionary $D_{\ell }$  contains n keywords. The data owner randomly picks a large prime p such that $\left|p\right|={\lambda }_2$, z elements $s_{\ell }{\in }_R{Z}_p^{*}$$(1\le \ell \le z)$, and a cryptographic one-way hash function $H:{\{0,1\}}^{*}\to {\{0,1\}}^{{\lambda }_1}$. Thus, the public parameters are $para=({\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4,p,n,H)$, and the data owner keeps $\mathbf{D}$ and $\{s_{\ell }:1\le \ell \le z\}$  secret.
• Index generation: For each document F, the data owner encrypts it as ciphertext document $\overline{F}$  using some secure symmetric encryption algorithm, randomly picks a unique file name N, and calculates the length d of document F.
  For each dictionary $D_{\ell }$$(1\le \ell \le z)$, the document F is processed as follows. The data owner computes ${\gamma }_{\ell }=H(N,d,\ell )$  and constructs an index vector ${\overrightarrow{I}}_{\ell }$  such that if the document F contains the i-th keyword in dictionary $D_{\ell }$, then $I_{\ell ,i}=1$, otherwise $I_{\ell ,i}=0$. The data owner further sets $I_{\ell ,n+1}=0$  and $I_{\ell ,n+2}=0$, chooses $n+2$  random number $m_j$  such that $\mid m_{\ell ,i}\mid ={\lambda }_3$  for $1\le i\le n+2$, and encrypts each $I_{\ell ,i}$  as follows:

  $${\widehat{I}}_{\ell ,i}=s_{\ell }·(I_{\ell ,i}·{\gamma }_{\ell }+m_{\ell ,i})modp$$

  (8)
  At last, the data owner outsources the ciphertext index set $\hat{\overrightarrow{I}}=\{{\widehat{I}}_1,{\widehat{I}}_2,\cdots ,{\widehat{I}}_z\}$  and the processed document $\widehat{F}=(\overline{F},{\gamma }_1,{\gamma }_2,\cdots ,{\gamma }_z)$  to the cloud server, where ${\widehat{I}}_{\ell }=({\widehat{I}}_{\ell ,1},{\widehat{I}}_{\ell ,2},\cdots ,{\widehat{I}}_{\ell ,n+2})$  is a ciphertext index vector corresponding to dictionary $D_{\ell }$, and keeps $(N,d)$  at local.
• Trapdoor generation: Suppose the data user would like to search the outsourced documents with the keywords in dictionary $D_{\ell }\in \mathbf{D}$. Data user picks a large random number $\delta$  such that $\mid \delta \mid ={\lambda }_1$, and computes $s^{-1}modp$. From the query keyword set W, data user constructs query vector $\overrightarrow{Q}$, where $Q_i=1$  if the query keyword set W contains the i-th keyword in the dictionary $D_{\ell }$, otherwise $Q_i=0$. Data user then sets $Q_{n+1}=Q_{n+2}=0$, and randomly chooses $n+2$  numbers $t_i$  such that $\mid t_i\mid ={\lambda }_4$  for $1\le i\le n+2$. Data user constructs the search trapdoor $\widehat{Q}=({\widehat{Q}}_1,{\widehat{Q}}_2,\cdots ,{\widehat{Q}}_{n+2})$, where

  $${\widehat{Q}}_i=s_{\ell }^{-1}·(Q_i·\delta +t_i)modp$$

  (9)
  Data user sets the search threshold $\tau$, and submits the search trapdoor $\widehat{Q}$  and $(\ell ,\tau ,\delta )$  to the cloud server, where ℓ denotes the type of keywords in searching documents.
• Search: Once received the encrypted search trapdoor $\widehat{Q}$, the cloud server computes the similarity score $\mathsf{Score}({\overrightarrow{I}}_{\ell },\overrightarrow{Q})$  with the ciphertext index vector ${\widehat{I}}_{\ell }$  of each outsourced document $\overline{F}$  as follows. The cloud server computes

  $$\begin{array}{c}\hfill E=\mathsf{Score}({\widehat{I}}_{\ell },\widehat{Q})={\widehat{I}}_{\ell }\odot \widehat{Q}modp\end{array}$$

  (10)
  By properly choosing the elements under the given security parameters ${\lambda }_1,{\lambda }_2,{\lambda }_3,{\lambda }_4$, it is assumed that both the following conditions

  $${\widehat{I}}_{\ell }\odot \widehat{Q}<p$$

  (11)

  and

  $$\begin{array}{cc}\hfill \rho & =\sum _{i=1,I_{\ell ,i}\ne 0,Q_i\ne 0}^{n+2}({\gamma }_{\ell }{t}_i{I}_{\ell ,i}+m_{\ell ,i}\delta Q_i+m_{\ell ,i}{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_{\ell ,i}=0,Q_i\ne 0}^{n+2}(m_{\ell ,i}\delta Q_i+m_{\ell ,i}{t}_i)+\sum _{i=1,I_{\ell ,i}\ne 0,Q_i=0}^{n+2}({\gamma }_{\ell }{t}_i{I}_{\ell ,i}+m_{\ell ,i}{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_{\ell ,i}=0,Q_i=0}^{n+2}{m}_{\ell ,i}{t}_i\hfill \\ \hfill & <{\gamma }_{\ell }\delta .\hfill \end{array}$$

  (12)

  hold for $1\le \ell \le z$. Then, the cloud server computes

  $$\begin{array}{c}\hfill \mathsf{Score}({\overrightarrow{I}}_{\ell },\overrightarrow{Q})=\sum _{i=1}^n{I}_{\ell ,i}·Q_i=\frac{E-(Emod\delta ·{\gamma }_{\ell })}{\delta ·{\gamma }_{\ell }}\end{array}$$

  (13)
  Note that these similarity scores can be sorted according to their values. If the following search condition is satisfied

  $$\mathsf{Score}({\overrightarrow{I}}_{\ell },\overrightarrow{Q})\ge \tau$$

  (14)

  then the corresponding document $\overline{F}$  would be returned.

A flow chart of the extended PRMS scheme is depicted in Figure 4 and Figure 5.

Theorem 2.

The proposed extended PRMS scheme is correct.

Proof. 

Suppose the outsourced documents are searched according to the ℓ-th type of keywords. To compute the similarity score $\mathsf{Score}({\overrightarrow{I}}_{\ell },\overrightarrow{Q})$, it is required that both ${\widehat{I}}_{\ell ,i}\ne 0$  and $Q_i\ne 0$  are satisfied for $1\le i\le n$. Let

$$E^{\prime }=\sum _{i=1,I_{\ell ,i}\ne 0,Q_i\ne 0}^{n+2}{\gamma }_{\ell }\delta I_{\ell ,i}{Q}_{i}modp$$

Note that

$$\begin{array}{cc}\hfill E& ={\widehat{I}}_{\ell }\odot \widehat{}Q\hfill \\ \hfill & =\sum _{i=1,I_{\ell ,i}\ne 0,Q_i\ne 0}^{n+2}({\gamma }_{\ell }\delta I_{\ell ,i}{Q}_i+{\gamma }_{\ell }{t}_i{I}_{\ell ,i}+m_{\ell ,i}\delta Q_i+m_{\ell ,i}{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_{\ell ,i}=0,Q_i\ne 0}^{n+2}(m_{\ell ,i}\delta Q_i+m_{\ell ,i}{t}_i)+\sum _{i=1,I_{\ell ,i}\ne 0,Q_i=0}^{n+2}({\gamma }_{\ell }{t}_i{I}_{\ell ,i}+m_{\ell ,i}{t}_i)+\hfill \\ \hfill & \sum _{i=1,I_{\ell ,i}=0,Q_i=0}^{n+2}{m}_{\ell ,i}{t}_i\hfill \\ \hfill & =E^{\prime }+\rho modp\hfill \end{array}$$

If $E<p$  and $\rho <{\gamma }_{\ell }\delta$  hold, then we have

$$\begin{array}{ccc}\hfill \mathsf{Score}({\overrightarrow{I}}_{\ell },\overrightarrow{Q})& =& \frac{E-(Emod\delta ·{\gamma }_{\ell })}{\delta ·{\gamma }_{\ell }}\hfill \\ & =& \frac{E-\rho }{\delta ·{\gamma }_{\ell }}\hfill \\ & =& \frac{{\sum }_{i=1,I_{\ell ,i}\ne 0,Q_i\ne 0}^{n+2}\left({\gamma }_{\ell }\delta I_{\ell ,i}{Q}_i\right)}{\delta ·{\gamma }_{\ell }}\hfill \\ & =& \sum _{i=1,I_{\ell ,i}\ne 0,Q_i\ne 0}^{n+2}{I}_{\ell ,i}{Q}_i\hfill \\ & =& {\overrightarrow{I}}_{\ell }\odot \overrightarrow{Q}modp\hfill \end{array}$$

Thus, the proposed extended PRMS scheme is correct. □

5. Analysis and Comparison

5.1. Security Analysis

Theorem 3.

If the symmetric encryption algorithm chosen by data owner is secure, then the proposed basic and extended PRMS schemes guarantee the privacy of outsourced documents against the server.

Proof. 

As shown in the proposed PRMS schemes of Section 3 and Section 4, the outsourced documents are encrypted with some symmetric encryption algorithm. Thus, if such symmetric encryption algorithm is secure, then the encrypted documents would not leak the contents of these documents. □

Theorem 4.

The proposed basic and extended PRMS schemes guarantee the privacy of keywords for outsourced documents against the server.

Proof. 

In the index generation phase of the basic PRMS scheme, each element $I_i$  in the index vector $\overrightarrow{I}$  is randomized using one-time random value $m_i$. Thus, if all these elements $m_i$$(1\le i\le n+2)$  are uniformly distributed and independently chosen from $Z_{{\lambda }_3}$, then all encrypted indexes ${\widehat{I}}_i$$(1\le i\le n+2)$  would have the same distribution, which means $Pr\left[{\widehat{I}}_{i_1}\right]=Pr\left[{\widehat{I}}_{i_2}\right]$  for different $i_1$  and $i_2$. Therefore, the cloud server cannot deduce the content of index vector. For the index generation phase of the extended PRMS scheme, the elements in each index vector ${\overrightarrow{I}}_{\ell }$  are processed in the similar way. Thus, the encrypted index vectors would not leak the private information of outsourced documents. □

Theorem 5.

The proposed basic and extended PRMS schemes guarantee the privacy of trapdoors against the server.

Proof. 

In the trapdoor generation phase of the basic PRMS scheme, each element $Q_i$  in the query vector $\overrightarrow{Q}$  is randomized using one-time random value $t_i$. Furthermore, for the whole query vector $\overrightarrow{Q}$, $\delta$  is also randomly chosen. Thus, if all these elements $t_i$$(1\le i\le n+2)$  and $\delta$  are uniformly distributed and independently chosen from $Z_{{\lambda }_3}$  and $Z_{{\lambda }_1}$, respectively, then all encrypted trapdoor entries ${\widehat{Q}}_i$$(1\le i\le n+2)$  would have the same distribution, which means $Pr\left[{\widehat{Q}}_{i_1}\right]=Pr\left[{\widehat{Q}}_{i_2}\right]$  for different $i_1$  and $i_2$. Therefore, the cloud server cannot deduce the content of query vector. For the trapdoor generation phase of the extended PRMS scheme, the elements in the query vector $\overrightarrow{Q}$  with regard to each keyword dictionary $D_{\ell }$  are processed in the similar way. Thus, the encrypted search trapdoor vectors would not leak the private information of trapdoor and outsourced documents. □

Theorem 6.

The proposed basic and extended PRMS schemes offer unlinkability of trapdoors against the server.

Proof. 

As analyzed in the proof of Theorem 5, if all elements $t_i$$(1\le i\le n+2)$  and $\delta$  are uniformly distributed and independently chosen from $Z_{{\lambda }_3}$  and $Z_{{\lambda }_1}$, respectively, then all entries ${\widehat{Q}}_i$$(1\le i\le n+2)$  in the encrypted trapdoor would have the same distribution, which means $Pr\left[{\widehat{Q}}_{i_1}\right]=Pr\left[{\widehat{Q}}_{i_2}\right]$  for different $i_1$  and $i_2$. Hence, the cloud server would not be able to determine whether two search trapdoors are generated for the same query. Furthermore, for the trapdoor generation phase of the extended PRMS scheme, the elements in the query vector $\overrightarrow{Q}$  with regard to each keyword dictionary $D_{\ell }$  are processed in the similar way. Thus, the encrypted search trapdoor vectors enjoys unlinkability. □

5.2. Theoretical Analysis

As shown in

Table 3. Theoretical comparison.

Scheme	Setup	Index	Trapdoor	Search	Setting
	—	Generation	Generation	Process
Cao et al.’s scheme [12]	—	$O\left(\mu n^2\right)$	$O\left(n^2\right)$	$O\left(\mu n\right)$	Private key
Ding et al.’s scheme [9]	—	$O\left(\alpha b\mu n^2\right)$	$O\left(n^2\right)$	$O(\theta \mu logn)$	Private key
Xia et al.’s scheme [42]	—	$O\left(\mu n^3\right)$	$O\left(n^2\right)$	$O(\theta \mu logn)$	Private key
Boneh et al.’s scheme [13]	1$Expo$	$O\left(\mu n\right)$	$O\left(n\right)$	$O\left(\mu n^2\right)$	Public key
Basic PRMS scheme (Section 3 and [15])	—	$O\left(\mu n\right)$	$O\left(n\right)$	$O\left(\mu n\right)$	Private key
Extended PRMS scheme (Section 4)	—	$O\left(\mu zn\right)$	$O\left(n\right)$	$O\left(\mu n\right)$	Private key

, the performance of the proposed basic and extended PRMS schemes are theoretically compared with related ones [9,12,13,42] in three phases, namely, ciphertext index generation, trapdoor generation and search process. Note that among these schemes, Boneh et al.’s scheme [13] was designed in the public key setting. Let $\mu$  denote the number of documents. It can be seen that in the system setup phase, only the keyword search scheme proposed in the public key setting has to perform resource-intensive operations—that is, in Boneh et al.’s scheme [13], one exponentiation operation in bilinear group should be taken in this phase, where the exponentiation operation takes much more computing time than that of addition and multiplication.

In the process of the ciphertext index generation for a document, both proposed PRMS schemes only require the data owner to take modular multiplication and addition operations. Thus, the time complexity of this phase in the proposed PRMS schemes are $O\left(\mu n\right)$  and $O\left(\mu zn\right)$, respectively, which depend on the length n of index vector and the number $\mu$  of documents. Since each document would be attached with z types of keywords, the time complexity of the extended PRMS scheme also relies on z. In Cao et al.’s scheme [12], the generation of ciphertext index involves two matrix multiplications between the split index vectors and the transposed matrices of $(n+2)\times (n+2)$, which means the time complexity is $O\left(\mu n^2\right)$.

In Ding et al.’s scheme [9], the time cost of ciphertext index generation includes building a tree-based index group, constructing indexes for documents, and encrypting all nodes in the index tree. There are total $O\left(\alpha \mu b\right)$  nodes in the index tree, where $\alpha$  is a decimal and b represents the number of invertible matrices for each group. The encryption for each node needs to perform two multiplication operations of $n\times n$  matrix. Thus, the time complexity of this phase [9] is $O\left(\alpha \mu b{n}^2\right)$. In Xia et al.’s scheme [42], the data owner needs to construct a $KBB$  index tree with $O\left(n\right)$  nodes before performing encryption, where the encryption requires the multiplications of $n\times n$  matrices. Hence, the total time complexity is $O\left(\mu n^3\right)$. In Boneh et al.’s scheme [13], each keyword in the index vector for each document should be separately encrypted, which requires two exponentiations and one bilinear pairing operation. Thus, their scheme has the time complexity of $O\left(\mu n\right)$.

For the trapdoor generation, the proposed PRMS schemes only involve modular multiplication and addition operations. Thus, the time complexity of both proposed PRMS schemes is $O\left(n\right)$. In Cao et al.’s scheme [12], the trapdoor generation includes the query vector splitting and encryption, where the encryption is realized by matrix multiplications of $(n+2)\times (n+2)$  inverse matrices. Thus, the time complexity of their scheme is $O\left(n^2\right)$. Both Ding et al.’s scheme [9] and Xia et al.’s scheme [42] mainly include the split process and matrix multiplication operations, thus the time complexity is $O\left(n^2\right)$. In Boneh et al.’s scheme [13], each keyword in the trapdoor should be separately processed, which requires one map-to-point hash evaluation and one exponentiation. Thus, the time complexity of trapdoor generation for Boneh et al.’s scheme [13] is $O\left(n\right)$.

In the search process of our PRMS schemes and Cao et al.’s scheme [12], to compute the similarity score with each document, the cloud server needs to perform inner product operations. Thus, the total time complexity is $O\left(\mu n\right)$, while Xia et al.’s scheme [42] and Ding et al.’s scheme [9] need to generate $\theta$  leaf nodes, where the height of the index tree is $logn$. Hence, the total time complexity is $O(\theta \mu logn)$. In the search process of Boneh et al.’s scheme [13], each keyword in the trapdoor should be individually compared with each encrypted keyword in the index vector for every document, which requires one bilinear pairing operation. Thus, for the worst case, the time complexity of searching in Boneh et al.’s scheme [13] is $O\left(\mu n^2\right)$. Therefore, it can be seen that all phases of the proposed PRMS schemes only require lightweight computations, which are more efficient than existing proposals.

5.3. Performance Evaluation

We conducted experimental evaluation of the proposed PRMS constructions and compared with Cao et al.’s scheme [12]. The experiments were implemented using JAVA programming language on a platform with Windows 10 operating system, Intel(R) Core(TM) i5-7500 CPU 3.71 GHz and 8 GB memory. In experiments, all procedures were compared—that is, ciphertext index construction, search trapdoor generation and cloud search. Note that the encryption on documents of the proposed PRMS constructions are only determined by the employed symmetric encryption scheme. Thus, the performance of document encryption was not considered in experiments. The chosen parameters satisfy $n\le 2^{32}$, $\mid \gamma \mid =\mid {\gamma }_{\ell }\mid =\mid \delta \mid ={\lambda }_1=200$, $\mid p\mid ={\lambda }_2=512$, $\mid m_i\mid ={\lambda }_3=128$, and $\mid t_i\mid ={\lambda }_4=128$.

As shown in Figure 6, the size of index vector varies from 10 to 100 to evaluate the performance of generating ciphertext index. It can be seen that the time costs of the proposed basic PRMS construction are less than 1 ms for all cases in processing one document, while the costs of Cao et al.’s scheme [12] rapidly increase as the number of keywords increases.

For processing a document with multiple types of keywords with the proposed extended PRMS scheme, different number of keyword types were considered, that is, $z=5,10,\cdots ,30$. The performance of the extended PRMS construction for processing one document is shown in Figure 7. It can be seen from Figure 6 and Figure 7 that the cost of processing a document with the extended PRMS construction is roughly z times of that with the basic PRMS construction.

For the query generation and search phases, both the basic and extended PRMS constructions enjoy the same performance. As shown in Figure 8, the time costs of all these schemes are linear with the number of keywords in the query. Note that Cao et al.’s scheme [12] needs to perform matrix multiplications in generating search trapdoor. Thus, the proposed PRMS constructions are more efficient than their scheme [12] in all cases.

For the search by the cloud server, the proposed PRMS constructions do not involve complicated computation operations. In the experiments, the cloud server was considered to search over $\mu =200$  outsourced documents. The performance is shown in Figure 9 for the proposed PRMS constructions and Cao et al.’s scheme [12]. It can be seen that the performance of keyword search with all these schemes enjoy roughly linear relation with the number of keywords in the query for all cases. Furthermore, the performance of Cao et al.’s scheme [12] would decrease greatly when the number of keywords in the query vector increases. Thus, the search procedure of the proposed PRMS schemes are more efficient than that in Cao et al.’s scheme [12].

6. Conclusions

Existing privacy-preserving multi-keyword search schemes cannot be deployed on resource-constrained devices due to the complicated computation operations at user side. To address this issue, this paper presented lightweight multi-keyword search (PRMS) constructions to allow resource-constrained devices to process data and generate search trapdoors for outsourcing documents. The extended PRMS construction allows each outsourced document to be attached with different types of keywords, and can be searched according to any type of keywords. Security analysis showed that the proposed PRMS constructions can protect the privacy of outsourced documents, indexes and search trapdoors, and guarantee unlinkability on search trapdoors. A performance analysis demonstrated that the proposed PRMS constructions are more efficient than existing proposals and can be deployed on weak devices. Note that in the private key setting, it is difficult to realize data sharing among multiple users without leaking any private parameters. Thus, it is necessary to develop lightweight public key encryption schemes supporting multi-keyword search in our future works, especially without using bilinear groups.