Protecting Your Right: Verifiable Attribute-based Keyword Search with Fine-grained Owner-enforced Search Authorization in the Cloud

Transcription

1 1 Protectng Your Rght: Verfable Attrbute-based Keyword Search wth Fne-graned Owner-enforced Search Authorzaton n the Cloud Wenha Sun, Student Member, IEEE, Shucheng Yu, Member, IEEE, Wenjng Lou, Senor Member, IEEE, Y. Thomas Hou, Fellow, IEEE, Hu L, Member, IEEE Abstract Search over encrypted data s a crtcally mportant enablng technque n cloud computng, where encrypton-beforeoutsourcng s a fundamental soluton to protectng user data prvacy n the untrusted cloud server envronment. Many secure search schemes have been focusng on the sngle-contrbutor scenaro, where the outsourced dataset or the secure searchable ndex of the dataset are encrypted and managed by a sngle owner, typcally based on symmetrc cryptography. In ths paper, we focus on a dfferent yet more challengng scenaro where the outsourced dataset can be contrbuted from multple owners and are searchable by multple users,.e. mult-user mult-contrbutor case. Inspred by attrbute-based encrypton (ABE), we present the frst attrbute-based keyword search scheme wth effcent user revocaton (ABKS-UR) that enables scalable fne-graned (.e. fle-level) search authorzaton. Our scheme allows multple owners to encrypt and outsource ther data to the cloud server ndependently. Users can generate ther own search capabltes wthout relyng on an always onlne trusted authorty. Fne-graned search authorzaton s also mplemented by the owner-enforced access polcy on the ndex of each fle. Further, by ncorporatng proxy re-encrypton and lazy re-encrypton technques, we are able to delegate heavy system update workload durng user revocaton to the resourceful sem-trusted cloud server. We formalze the securty defnton and prove the proposed ABKS-UR scheme selectvely secure aganst chosen-keyword attack. To buld confdence of data user n the proposed secure search system, we also desgn a search result verfcaton scheme. Fnally, performance evaluaton shows that the effcency of our scheme. Keywords Cloud Computng, Attrbute-based Keyword Search, Fne-graned Owner-enforced Search Authorzaton, Mult-user Search, Verfable Search 1 INTRODUCTION CLOUD computng has emerged as a new enterprse IT archtecture. Many companes are movng ther applcatons and databases nto the cloud and start to enjoy many unparalleled advantages brought by cloud computng, such as on-demand computng resource confguraton, ubqutous and flexble access, consderable captal expendture savngs, etc. However, prvacy concern has remaned a prmary barrer preventng the adopton of cloud computng by a broader range of users/applcatons. When senstve data are outsourced to the cloud, data owners naturally become concerned wth the prvacy of ther data n the cloud and beyond. Encrypton-before-outsourcng has been regarded as a fundamental means of protectng user data W. Sun s wth the State Key Laboratory of Integrated Servces Networks, Xdan Unversty, Shaanx, Chna and Vrgna Polytechnc Insttute and State Unversty, Blacksburg, VA, USA. E-mal: whsun@xdan.edu.cn. S. Yu s wth Unversty of Arkansas at Lttle Rock, Lttle Rock, AR, USA. E-mal: sxyu1@ualr.edu. W. Lou and Y. T. Hou are wth Vrgna Polytechnc Insttute and State Unversty, Blacksburg, VA, USA. E-mal: {wjlou, thou}@vt.edu. H. L s wth the State Key Laboratory of Integrated Servces Networks, Xdan Unversty, X an, Shaanx, Chna. E-mal: lhu@mal.xdan.edu.cn. A prelmnary verson [1] of ths paper was presented at the 33rd IEEE Internatonal Conference on Computer Communcatons (IEEE INFOCOM 14). prvacy aganst the cloud server [2], [3], [4]. However, how the encrypted data can be effectvely utlzed then becomes another new challenge. Sgnfcant attenton has been gven and much effort has been made to address ths ssue, from secure search over encrypted data [5], secure functon evaluaton [6], to fully homeomorphc encrypton systems [7] that provde generc soluton to the problem n theory but are stll too far from beng practcal due to the extremely hgh complexty. Ths paper focuses on the problem of search over encrypted data, whch s an mportant enablng technque for the encrypton-before-outsourcng prvacy protecton paradgm n cloud computng, or n general n any networked nformaton system where servers are not fully trusted. Much work has been done, wth majorty focusng on the sngle-contrbutor scenaro,.e. the dataset to be searched s encrypted and managed by a sngle entty, whch we call owner or contrbutor n ths paper. Under ths settng, to enable search over encrypted data, the owner has to ether share the secret key wth authorzed users [5], [8], [9], or stay onlne to generate the search trapdoors,.e. the encrypted form of keywords to be searched, for the users upon request [10], [11]. The same symmetrc key wll be used to encrypt the dataset (or the searchable ndex of the dataset) and

2 2 to generate the trapdoors. These schemes serously lmt the users search flexblty. Consder a fle sharng system that hosts a large number of fles, contrbuted from multple owners and to be shared among multple users (e.g. 4shared.com, mymedwall.com). Ths s a more challengng mult-owner multuser scenaro. How to enable multple owners to encrypt and add ther data to the system and make t searchable by other users? Moreover, data owners may desre fne-graned search authorzaton that only allows ther authorzed users to search ther contrbuted data. By fnegraned, we mean the search authorzaton s controlled at the granularty of per fle level. Symmetrc cryptography based schemes [5], [8], [9] are clearly not sutable for ths settng due to the hgh complexty of secret key management. Although authorzed keyword search can be realzed n sngle-owner settng by explctly defnng a server-enforced user lst that takes the responsblty to control legtmate users search capabltes [12], [13],.e. search can only be carred out by the server wth the assstance of legtmate users complementary keys on the user lst, these schemes dd not realze fne-graned owner-enforced search authorzaton and thus are unable to provde dfferentated access prvleges for dfferent users wthn a dataset. Asymmetrc cryptography s better suted to ths dynamc settng by encryptng ndvdual contrbuton wth dfferent publc keys. For example, Hwang et al. [14] mplctly defned a user lst for each fle by encryptng the ndex of the fle wth all the publc keys of the ntended users. However, extendng such user lst approach to the mult-owner settng and on a per fle bass s not trval as t would mpose sgnfcant scalablty ssue consderng a potental large number of users and fles supported by the system. Addtonal challenges nclude how to handle the updates of the user lsts n the case of user enrollment, revocaton, etc., under the dynamc cloud envronment. In ths paper, we address these open ssues and present an authorzed keyword search scheme over encrypted cloud data wth effcent user revocaton n the mult-user mult-data-contrbutor scenaro. We realze fne-graned owner-enforced search authorzaton by explotng cphertext polcy attrbute-based encrypton (CP- ABE) technque. Specfcally, the data owner encrypts the ndex of each fle wth an access polcy created by hm, whch defnes what type of users can search ths ndex. The data user generates the trapdoor ndependently wthout relyng on an always onlne trusted authorty (TA). The cloud server (CS) can search over the encrypted ndexes wth the trapdoor on a user s behalf, and then returns matchng result f and only f the user s attrbutes assocated wth the trapdoor satsfy the access polces embedded n the encrypted ndexes. We dfferentate attrbutes and keywords n our desgn. Keywords are actual content of the fles whle attrbutes refer to the propertes of users. The system only mantans a lmted number of attrbutes for search authorzaton purpose. Data owners create the ndex consstng of all keywords n the fle but encrypt the ndex wth an access structure only based on the attrbutes of authorzed users, whch makes the proposed scheme more scalable and sutable for the large scale fle sharng system. In order to further release the data owner from the burdensome user membershp management, we use proxy re-encrypton [15] and lazy re-encrypton [16] technques to shft the workload as much as possble to the CS, by whch our proposed scheme enjoys effcent user revocaton. Formal securty analyss shows that the proposed scheme s provably secure and meets varous search prvacy requrements. Furthermore, we desgn a search result verfcaton scheme and make the entre search process verfable. Performance evaluaton demonstrates the effcency and practcalty of the ABKS- UR. Our contrbutons can be summarzed as follows: 1) We desgn a novel and scalable authorzed keyword search over encrypted data scheme supportng multple data users and multple data contrbutors. Compared wth exstng works, our scheme supports fne-graned owner-enforced search authorzaton at the fle level wth better scalablty for large scale system n that the search complexty s lnear to the number of attrbutes n the system, nstead of the number of authorzed users. 2) Data owner can delegate most of computatonally ntensve tasks to the CS, whch makes the user revocaton process effcent and s more sutable for cloud outsourcng model. 3) We formally prove our proposed scheme selectvely secure aganst chosen-keyword attack. 4) We propose a scheme to enable authentcty check over the returned search result n the mult-user multdata-contrbutor search scenaro. 2 RELATED WORK 2.1 Keyword Search over Encrypted Data Secret key vs. Publc key Encrypted data search has been studed extensvely n the lterature. Song et al. [5] desgned the frst searchable encrypton scheme to enable a full text search over encrypted fles. Snce ths semnal work, many secure search schemes have been proposed to boost the effcency and enrch the search functonaltes based on ether secret-key cryptography (SKC) [8], [9], [10], [11] or publc-key cryptography (PKC) [17], [18], [19]. Curtmola et al. [8] presented an effcent sngle keyword encrypted data search scheme by adoptng nverted ndex structure. The authors n [9] desgned a dynamc verson of [8] wth the ablty to add and delete fles effcently. To enrch search functonaltes, Cao et al. [10] proposed the frst prvacy-preservng mult-keyword ranked search scheme over encrypted cloud data usng coordnate matchng smlarty measure. Later on, Sun et al. [11] presented a secure mult-keyword text search scheme n the cloud enjoyng more accurate search result by cosne smlarty measure n the vector space model

3 3 and practcally effcent search process usng a treebased secure ndex structure. Compared wth symmetrc search technques, PKC-based search schemes are able to generate more flexble and more expressve search queres. In [17], Boneh et al. devsed the frst PKCbased encrypted data search scheme supportng sngle keyword query. The scheme from [18] supports search queres wth conjunctve keywords by explctly ndcatng the number of encrypted keywords n an ndex. Predcate encrypton [19], [20] s another promsng technque to fulfll the expressve secure search functonalty. For example, the proposed scheme n [19] supports conjunctve, subset, and range queres, and dsjunctons, polynomal equatons, and nner products could be realzed n [20] Authorzed keyword search To grant multple users the search capabltes, user authorzaton should be enforced. In [12], [13], the authors adopt a server-enforced user lst contanng all the legtmate users complementary keys that are used to help complete the search n the enterprse scenaro to realze search authorzaton. But these SKC-based schemes only allow one data contrbutor n the system. Hwang et al. [14] n the publc-key settng presented a conjunctve keyword search scheme n mult-user multowner scenaro. But ths scheme s not scalable under the dynamc cloud envronment because the sze of the encrypted ndex and the search complexty s proportonal to the number of the authorzed users, and to add a new user, the data owner has to rewrte all the correspondng ndexes. By explotng herarchcal predcate encrypton, L et al. [21] proposed a fle-level authorzed prvate keyword search (APKS) scheme over encrypted cloud data. However, t ncurs addtonal communcaton cost, snce whenever users want to search, they have to resort to the attrbute authorty to acqure the search capabltes. Moreover, ths scheme s more sutable for the structured database that contans only lmted number of keywords. The search tme there s proportonal to the total number of keywords n the system, whch would be neffcent for arbtrarly-structured data search, e.g., free text search, n the case of dynamc fle sharng system. 2.2 Verfable Search based on Authentcated Index Structure In the plantext nformaton retreval, many schemes have been proposed to acheve verfable search usng authentcated data structures (e.g., Merkle hash tree and cryptographc sgnature) [22], [23] n case the erroneous or false search result returned by the server due to software/hardware falure, data corrupton, etc. In the encrypted data search scenaro, Wang et al. [24] proposed a sngle keyword search scheme wth nverted ndex beng the ndex structure, upon whch they use hash chan to buld a search result verfcaton scheme. Recently, Sun et al. [25] presented a search result verfcaton scheme n the mult-keyword text search scenaro by turnng the proposed secure ndex tree nto an authentcated one. Note that these works are devsed for the sngle-user search settng. We cannot drectly apply them n our mult-user mult-data-contrbutor scenaro. 2.3 Attrbute-based Encrypton There has been a great nterest n developng attrbutebased encrypton [28], [29], [30], [31] due to ts fnegraned access control property. Goyal et al. [28] desgned the frst key polcy attrbute-based encrypton (KP-ABE) scheme, where cphertext can be decrypted only f the attrbutes that are used for encrypton satsfy the access structure on the user prvate key. Under the reverse stuaton, CP-ABE allows user prvate key to be assocated wth a set of attrbutes and cphertext assocated wth an access structure. CP-ABE s a preferred choce when desgnng an access control mechansm n a broadcast envronment. Snce the frst constructon of CP-ABE [29], many works have been proposed for more expressve, flexble and practcal versons of ths technque. Cheung et al. [30] proposed a selectvely secure CP-ABE constructon n the standard model usng the smple boolean functon,.e. AND gate. By adoptng proxy re-encrypton and lazy re-encrypton technques, Yu et al. [31] also devsed a selectvely secure CP-ABE scheme wth the ablty of attrbute revocaton, whch s perfectly sutable for the data-outsourced cloud model. 3 PROBLEM FORMULATION 3.1 System Model The system framework of our proposed ABKS-UR scheme nvolves three enttes: cloud server, many data owners, and many data users, as shown n Fg. 1. In addton, a trusted authorty s mplctly assumed to be n charge of generatng and dstrbutng publc keys, prvate keys and re-encrypton keys. To enforce fne-graned authorzed keyword search, the data owner generates the secure ndexes wth attrbute-based access polces before outsourcng them along wth the encrypted data nto the CS. Note that we can encrypt data by any secure encrypton technque, such as AES, whch s outsde the scope of ths paper. To search the datasets contrbuted from varous data owners, a data user generates a trapdoor of keyword of nterest usng hs prvate key and submts t to the CS. So as to accelerate the entre search process, we frst enforce the coarse-graned dataset search authorzaton wth the per-dataset user lst such that search does not need to go to a partcular dataset f the user s not on the correspondng user lst. Next, the fnegraned fle-level search authorzaton s appled on the authorzed dataset n the sense that only users, who are granted to access a partcular fle, can search ths fle for the ntended keyword. More precsely, the data owner defnes an access polcy for each uploaded fle. The CS wll search the correspondng datasets and return the

4 4 Fg. 1. Framework of authorzed keyword search over encrypted cloud data. vald search result to the user f and only f the attrbutes of the user on the trapdoor satsfy the access polces of the secure ndexes of the returned fles, and the ntended keyword s found n these fles. 3.2 Threat Model We consder the CS honest-but-curous, whch s also employed by related works on secure search over encrypted data [10], [11], [21]. We assume that the CS honestly follows the desgnated protocol, but curously nfers addtonal prvacy nformaton based on the data avalable to hm. Furthermore, malcous data users may collude to access fles beyond ther access prvleges by usng ther secret keys. Analogue to [31], as we delegate most of the system update workload to the CS, we assume that the CS wll not collude wth the revoked malcous users to help them gan unauthorzed access prvleges. 3.3 Desgn Goals Our proposed ABKS-UR scheme n the cloud ams to acheve the followng functons and securty goals: Authorzed Keyword Search: The secure search system should enable data-owner-enforced search authorzaton,.e. only users that meet the owner-defned access polcy can obtan the vald search result. Besdes achevng fnegraned authorzaton, another challenge s to make the scheme scalable for dynamc cloud envronment. Supportng Multple Data Contrbutors and Data Users: The desgned scheme should accommodate many data contrbutors and data users. Each user s able to search over the encrypted data contrbuted from multple data owners. Effcent User Revocaton: Another mportant desgn goal s to effcently revoke users from the current system whle mnmzng the mpact on the remanng legtmate users. Authentcty of Search Result: To make the proposed authorzed keyword search scheme verfable and enable data user to check the authentcty of the returned search result. Securty Goals: In ths paper, we are manly concerned wth secure search related prvacy requrements, and defne them as follows. 1) Keyword semantc securty: Snce we present a novel attrbute-based keyword search technque, we wll formally prove t semantcally secure aganst chosen keyword attack under selectve cphertext polcy model (IND-sCP-CKA). The related securty defnton and semantc securty game used n the proof are presented n Sect ) Trapdoor unlnkablty: ths securty property makes the CS unable to vsually dstngush two or more trapdoors even contanng the same keyword. Note that the attacker may launch dctonary attack by usng publc key to generate arbtrary number of ndexes wth keyword of hs choce, and then search these ndexes wth a partcular trapdoor to deduce the underlyng keyword n the trapdoor, whch s referred to as predcate prvacy and t cannot be protected nherently n the PKC-based search scenaro [32]. Consstent wth exstng asymmetrc secure search schemes [17], [21], ths paper does not consder protecton of predcate prvacy. Moreover, we do not am to hde access pattern n our scheme due to the extremely hgh complexty,.e. to protect t, algorthm has to touch the whole dataset [33]. 4 THE PROPOSED AUTHORIZED KEYWORD SEARCH We explot the CP-ABE [30], [31] technque to acheve scalable fne-graned authorzed keyword search over encrypted cloud data supportng multple data owners and data users. Specfcally, for each fle, the data owner generates an access-polcy-protected secure ndex, where the access structure s expressed as a seres of AND gates. Only authorzed users wth attrbutes satsfyng the access polces can obtan matchng result. Moreover, we should consder user membershp management carefully n the mult-user settng. A naïve soluton s to mpose the burden on each data owner. As a result, data owner s requred to be always onlne to promptly respond the membershp update request, whch s mpractcal and neffcent. By usng proxy re-encrypton [15], the data owner can delegate most of the workload to the cloud wthout nfrngng search prvacy. 4.1 Algorthm Defnton We defne the algorthms used n our ABKS-UR scheme n ths subsecton wth man notatons lsted n Tab.1. Here we consder a seres of AND gates I. Defnton 1: An attrbute-based keyword search wth effcent user revocaton scheme for keyword space W and access structure space G conssts of nne fundamental algorthms as follows: Setup(λ,N) (PK,MK): The setup algorthm takes as nput the securty parameter λ and an attrbute unverse descrpton N. It defnes a blnear groupgof prme orderpwth a generatorg. Thus, a

5 5 TABLE 1 Notatons An unversal attrbute set {1,..., n} for some nature N number n. G Access structure space. W Keyword space comprsed of keywords w. An attrbute set used for an access structure GT G on I an encrypted ndex and I N. S An attrbute set for a user secret key SK and S N. An attrbute n N ether refers to a postve attrbute or ts negaton. D An encrypted ndex for a fle. Q A trapdoor for an ntended keyword w W. rk A proxy re-encrypton key set. PSK A user s partal secret key. Φ An attrbute set contanng the attrbutes to be updated. An attrbute set ncludng all the attrbutes n D s access structure wth the re-encrypton keys not beng 1 n rk. An attrbute set contanng all the attrbutes n PSK Ω wth the re-encrypton keys not beng 1 n rk. ver A verson number. blnear map s defned as e : G G G 1, whch has the propertes of blnearty, computablty and nondegeneracy. It outputs the publc parameters P K and the master secret key MK. The verson number ver s ntalzed as 1. CreateUL(PK,ID) UL: The user lst generaton algorthm takes as nput PK and the user dentty ID. It outputs the user lst UL for a dataset. EncIndex(P K, GT, w) D: The ndex encrypton algorthm takes as nput the current PK, the access structure GT G, a keyword w W and outputs the encrypted ndex D. KeyGen(P K, M K, S) SK: The key generaton algorthm takes as nput the current PK, the current M K, and the attrbute set S assocated wth a partcular user. It outputs the user s secret key SK. ReKeyGen(Φ,MK) (rk,mk,pk ): The reencrypton key generaton algorthm takes as nput the attrbute set Φ, and the current MK. It outputs a set of proxy re-encrypton keys rk for all the attrbutes n N, the updated MK and PK, where all the verson numbers are ncreased by 1. For the attrbutes not n Φ, set ther proxy re-encrypton keys as 1 n rk. ReEncIndex(,rk,D) D : It takes as nput an ndex D, rk and the attrbute set. Then t outputs a new re-encrypted ndex D. ReKey(Ω,rk,PSK) PSK : It takes as nput a user s partal secret key PSK, rk and the attrbute set Ω. Fnally, t outputs a new PSK for that user. GenTrapdoor(PK,SK,w ) Q: The trapdoor generaton algorthm takes as nput the current P K, the user s SK, a keyword of nterest w W and outputs the trapdoor Q for the keyword w. Search(UL,D,Q) search result or : The search algorthm takes as nput the user lst UL, the ndex D and the user s trapdoor Q. It outputs vald search result or returns a search falure ndcator. 4.2 Constructon for ABKS-UR In ths subsecton, we wll descrbe the concrete ABKS- UR constructon from the vewpont of system level based on the above defned algorthms. The system level operatons nclude System Setup, New User Enrollment, Secure Index Generaton, Trapdoor Generaton, Search, and User Revocaton. Notce that each ndvdual system level operaton may nvoke one or more low level algorthms. System Setup The TA calls the Setup algorthm to generate P K and M K. Specfcally, t selects random elements t 1,...,t 3n. Defne a collson-resstant keyed hash functon H : {0,1} Z p, and ts key s selected randomly and securely shared between owners and users (for smplcty, we use t wthout mentonng the secret key hereafter). Let T k = g t k for each k {1,...,3n} such that for 1 n, T are referred to as postve attrbutes, T n+ are for negatve ones, and T 2n+ are thought of as don t care. Let Y be e(g,g) y. The publc key s PK := e,g,y,t 1,...,T 3n and the master key s MK := y,t 1,...,t 3n. The ntal verson number ver s 1. The TA publshes (ver,pk) wth the sgnature of each component of PK, and retans (ver,mk). New User Enrollment When recevng a regstraton request from a new legtmate user f, the TA frst selects a random x f Z p as a new MK component. Then, the TA generates a new PK component Y f = Y x f and publshes t wth ts sgnature. After that, the KeyGen algorthm s called to create secret key SK for ths user. For every N, the TA selects random r from Z p hence r = n =1 r. ˆK s set as g y r. For S, set K = g r t and K = g r t n+ otherwse. Fnally, let F be g r t 2n+. The secret key s SK := ver,x f, ˆK,{K,F } N. In addton, the server mantans a user lst UL contanng all the legtmate users dentty nformaton for each dataset. Specfcally, the data owner frst selects a random element s from Z p. When a new user f jons n the system and s allowed to search the dataset, the data owner calls CreateUL algorthm to set D f = Y f s and asks the CS to add the tuple (ID f, D f ) nto the user lst, where ID f s the dentty of the user f. Secure Index Generaton Before outsourcng a fle to the CS, the data owner calls EncIndex algorthm to generate a secure ndex D for ths fle. In partcular, set ˆD = g s and D to be Y s. Gven an access polcy GT = I, for each I, let D = T s f = and D = Tn+ s f =. For each N\I, let D = T2n+ s. For some attrbute N (ths fxed poston can be seen as part of publc parameter) and a keyword w W, the data owner sets D to be T s H(w) where wthout loss of generalty, attrbute s assumed to be postve. The encrypted ndex D := ver,gt, ˆD, D,{D } N. Trapdoor Generaton Every legtmate user n the system s able to generate a trapdoor for any keyword of nterest by callng the algorthm GenTrapdoor. Specfcally, user f selects random u Z p. Let ˆQ = ˆKu and Q = u + x f. Q s denoted as K u and Qf =

6 6 F u. Thus, for the same n secure ndex generaton phase, Q s set to be K H(w ) u, where w s the keyword of nterest and Qf = F H(w ) u. The trapdoor Q := ver, ˆQ, Q,{Q,Qf } N, where ver s the verson number of SK used for generatng ths trapdoor. Search Upon recept of a trapdoor Q and the user dentty ID f, 1) the CS fnds out f ID f exsts on the user lst of the target dataset. If not, the user s not allowed to search over the dataset; 2) otherwse, the CS contnues the Search algorthm wth the nput of trapdoorq, encrypted ndexd and D f from the user lst. We call ths process dataset search authorzaton. Then, we move onto the fne-graned fle-level search authorzaton, whch ncludes three cases: If ver of Q s less than ver of D, t outputs. If ver of Q s greater than ver of D, the algorthm ReEncIndex s called to update the ndex frst. If ver of Q s equal to ver of D, the search process s performed as follows. For each attrbute I, f = and S, then e(d,q ) = e(g t s,g r u t ) = e(g,g) s u r. If = and / S, then e(d,q ) = e(g tn+ s,g r u t n+) = e(g,g) s u r. For each / I, e(d,qf ) = e(g t2n+ s,g r u t 2n+) = e(g,g) s u r. For the attrbute N, e(d,q ) s equal to e(g,g) s u r as well. If the followng equaton holds, the user s attrbutes satsfy the access structure embedded n the ndex and w = w, D Q D? f = e(ˆd, ˆQ) n e(d,q ), where Q = Q f I and Q = Qf otherwse. Correctness Provded that the user s authorzed to access the fle and w = w, then e(ˆd, ˆQ) n n e(d,q ) = e(g s,g u y u r ) e(g,g) s u r =1 =1 =1 = e(g,g) s u y s u r e(g,g) s u r = e(g,g) s u y = Y s u = Y s (x f+u) Y s x f = D Q D f. Dscusson We can acheve scalable fne-graned fle-level search authorzaton by data-owner-enforced attrbutebased access structure on the ndex of each fle. The search complexty s lnear to the number of attrbutes n the system rather than the number of authorzed users. Hence, ths one-to-many authorzaton mechansm s more sutable for a large scale system, such as cloud. Moreover, the dataset search authorzaton by usng a per-dataset user lst may accelerate the search process, snce the CS can decde whether t should go nto a partcular dataset or not. Otherwse, the CS has to search every fle at rest. User Revocaton To revoke a user from current system, we re-encrypt the secure ndexes stored on the server and update the remanng legtmate users secret keys. Note that these tasks can be delegated to the CS usng proxy re-encrypton technque so that user revocaton s very effcent. In partcular, the TA adopts the ReKeyGen algorthm to generate the re-encrypton key set rk := ver,{rk,val } N,val {+, }. Let attrbute set Φ consst of the attrbutes that need to be updated, wthout whch the leavng user s attrbutes wll never satsfy the access polcy. If an attrbute Φ, rk,+ = t t s for the postve attrbute, and for the negatve rk, s set to be t n+ t n+, where both t and t n+ are randomly selected from Z p. If N\Φ, set rk,val = 1, where val {+, }. Then the TA refnes the correspondng components n M K and PK, and publshes the new PK wth the sgnatures. The TA also sends rk and ts sgnature to the CS. After recevng rk from the TA, the server checks whether the verson number ver n rk s equal to current ver of the system (or t can be greater than the current system ver n the case of lazy re-encrypton, see Dscusson below). If not, t dscards ths re-encrypton key set. Otherwse, the CS verfes rk. Then, the server calls the ReEncIndex algorthm to re-encrypt the secure ndexes n ts storage wth vald rk. Let be the set ncludng all the attrbutes n the access structures of secure ndexes wth the re-encrypton keys not beng 1 n rk. For each postve, D s set asdrk,+, ord = Drk, for negatve ones. For /, let D be equal to D. Fnally, the ndex s updated as D := ver+1,gt, ˆD, D,{D } N. Furthermore, the server s able to update the remanng legtmate users secret keys by the ReKey algorthm. Suppose that SKL s a lst stored on the CS contanng all the partal secret keys PSK s of all the legtmate users n the system. PSK s defned as (ver,{k } N ). Note that the CS cannot generate a vald trapdoor wth P SK. Let Ω be the set ncludng all the attrbutes n P SK wth the re-encrypton keys not beng 1 n rk. For each attrbute n Ω, denote K,+ to be Krk 1 f s postve and K rk 1, otherwse. For each / Ω, set K = K. The updatedpsk = (ver+1,{k } N), whch s returned to the legtmate user. User can also verfy whether hs secret key s the latest verson by checkng e(t,k ) = (T,K ), where T s the attrbute component n the latest PK. Here we suppose all the attrbutes are postve. Otherwse, use T n+ and T n+ nstead n the equaton. Fnally, the server may elmnate ID nformaton of the revoked user f,.e. the tuple (ID f, D f ), from all the correspondng user lsts. Dscusson To handle fle ndex update effcently, we could adopt the lazy re-encrypton technque [16]. The

7 7 CS stores the re-encrypton key sets rk s and wll not re-encrypt ndexes untl they are beng accessed. Specfcally, the CS could aggregate multple rk s and deal wth the ndex update n a batch manner. For nstance, ver = k n D, ver = j n the latest rk and k < j, to re-encrypt the ndex, the CS just calls ReEncIndex once wth j ρ=k rk(ρ),val. 4.3 Conjunctve Keyword Search Data user may prefer the returned fles contanng several ntended keywords wth one search request, whch s referred to as conjunctve keyword search. Smlar to [13], [14], our proposed ABKS-UR scheme s able to provde conjunctve keyword search functonalty readly as follows. D s defned as g s t s t w j W H(w j ) g wj W H(w j ), where denotes XOR operaton. The components Q and Qf n the trapdoor are generated accordngly. It s worth notng that ths method has almost the same effcency as the sngle-keyword ABKS- UR scheme, regardless of the number of smultaneous keywords. 4.4 Securty Analyss 1) Keyword semantc securty: In ths paper, we formally defne a semantc securty game for ABKS-UR. We frst gve the cryptographc assumpton that our scheme reles on. Defnton 2 (The DBDH Assumpton [34]): Let a,b,c,z Z p be chosen at random and g be a generator of G. The DBDH assumpton s that no probablstc polynomal-tme adversary B can dstngush the tuple A = g a,b = g b,c = g c,e(g,g) abc from the tuple A = g a,b = g b,c = g c,e(g,g) z wth non-neglgble advantage. The advantage of B s defned as follows, Pr[B(A,B,C,e(g,g) abc ) = 0] Pr[B(A,B,C,e(g,g) z ) = 0] where the probablty s taken over the random choce of the generator g, the random choce of a,b,c,z n Z p, and the random bts consumed by B. The semantc securty game between an adversary A and a challenger B s defned as follows. Int. The adversary A submts a challenge access polcy GT, a verson number ver and ver 1 attrbute sets {Φ (ρ) } 1 ρ ver 1 to the challenger B. Setup. The challenger B runs Setup(λ, N) to obtan P K and M K for verson 1. For each verson ρ {1,...,ver 1}, B runs ReKeyGen(Φ,MK). Then he publshes {rk (ρ) } 1 ρ ver 1 to A, where rk (ρ) s defned as the re-encrypton key set of verson ρ. Gven {rk (ρ) } 1 ρ ver 1, the adversary A s able to compute PK for the correspondng verson ρ+1. Phase 1. By submttng any keyword w W, the adversary A s allowed to request the challenger B to generate trapdoors of any verson from 1 to ver polynomal tmes (n λ). The only restrcton s that the attrbute or set assocated wth each trapdoor query submtted by A does not satsfy the challenge access structure GT. Challenge. Upon recept of challenge keyword w 0,w 1 W of the same length from the adversary A, B flps a random con µ {0, 1} and get a challenge ndex D µ EncIndex(PK,GT,w µ ), where GT s the challenge access structure and PK s of verson ver. B returns D µ to A. Phase 2. Same as phase 1. Guess. Adversary A submts hs guess µ of µ. Defnton 3 (IND-sCP-CKA Securty): The proposed ABKS-UR scheme s IND-sCP-CKA secure f for all probablstc polynomal-tme adversary A, the advantage Adv IND scp CKA A n wnnng the semantc securty game s neglgble. Adv IND scp CKA A = Pr[µ = µ] 1 2. Notce that the trapdoor query oracle n Phase 1 mplctly ncludes the secret key query oracle, whch may send the partal secret key (see Sect. 4.2) back to the adversary. Snce the adversary A s allowed to obtan all the re-encrypton keys, he s able to update ndexes, secret keys and trapdoors on hs own such that we do not let challenger answer these queres n Phase 1 and Phase 2. Moreover, n the selectve model, our semantc securty game allows the adversary to query any keywords at Phase 1 and Phase 2 as long as the attrbute sets assocated wth the quered trapdoors do not satsfy the challenge access polcy GT. We gve the followng theorem, and then prove our ABKS-UR constructon IND-sCP-CKA secure n the s- tandard model. Theorem 1: If a probablstc polynomal-tme adversary wns the IND-sCP-CKA game wth non-neglgble advantageǫ, then we can construct a smulator B to solve the DBDH problem wth non-neglgble advantage ǫ 2. Proof: The DBDH challenger frst randomly chooses a,b,c,z Z p and a far con ν {0,1}. It defnes Z to be e(g,g) abc f v = 0, and e(g,g) z otherwse. Then the smulator B s gven a tuple (A,B,C,Z) = (g a,g b,g c,z) and asked to output ν. The smulator B now plays the role of challenger n the followng game. Int. In ths phase, smulator B receves the challenge access structure GT = I, a verson number ver and ver 1 attrbute sets {Φ (ρ) } 1 ρ ver 1 from adversary A. Setup. For PK of verson 1, Smulator B sets Y to be e(a,b) = e(g,g) a b, whch mplctly defnes y = a b. Choose random x = θ Z p and defne Y to be e(a,b) θ = e(g,g) a b θ. For each N, B selects random α,β,γ Z p, and outputs the followng publc parameters. For I, T = g α, T n+ = B β, T 2n+ = B γ f = ; T = B α, T n+ = g β, T 2n+ = B γ f =. For / I, T = B α, T n+ = B β, T 2n+ = g γ. For each attrbute set Φ (ρ),1 ρ ver 1, B generates the re-encrypton key rk (ρ) and the PK

8 8 of that verson. For each attrbute Φ (ρ), rk (ρ),val where val {+, }, s randomly selected from Z p. T (ρ+1) = (T (ρ) ) rk(ρ) (ρ+1),+, T n+ = T (ρ) n+, and T(ρ+1) 2n+ = T (ρ) 2n+ f attrbute s postve. Otherwse, T (ρ+1) = T (ρ) T (ρ+1) n+ = (T (ρ) )rk(ρ) (ρ+1), n+, and T 2n+, = T (ρ) 2n+. Then, for = 1 and the remanng publc each / Φ (ρ), set rk (ρ),val parameters of verson ρ + 1 are the same wth those of verson ρ. Fnally, smulator B publshes rk (ρ) = ρ,{rk (ρ),val } Φ,val {+, } to A. (ρ) Phase 1. Wthout loss of generalty, assume that adversary A submts a keyword w l and a set S N to B for verson ρ, where 1 ρ ver and S does not satsfy GT. B uses the collson-resstant hash functon to output H(w l ) = h l. Snce S does not satsfy GT, a wtness attrbute j I must exst. Thus, ether j S and j = j, or j / S and j = j. Wthout loss of generalty, we assume j / S and j = j. Smulator B chooses random {r } 1 n Z p. Set r j = a b + r j b and r = r b f j. Denote r = n =1 r = a b+ n =1r b. B defnes u to be a random nubmer λ selected from Z p. As such, ˆQ s defned to be g y u r u = g n =1 r b λ = B n =1 r λ. The Q component of the trapdoor s defned to be x+u = θ +λ. By defnng rk (ρ),val = 1 where val {+, } f / Φ (ρ), B could compute the followngs for each N : for 2 ρ ver, T (ρ) = (T (1) ) rk(1),+ rk(2),+ rk(ρ 1) (T (1) ) ρ 1 o=1 rk(o) (ρ),+, and T n+ = (T (1) )rk(1), rk(2), rk(ρ 1) n+ (T (1) ρ 1 n+ ) o=1 rk(o),. g B denotes R (ρ) = ρ 1 o=1 rk(o),+ and R(ρ) n+ = ρ 1 Smulator B sets Q j = A a b+r j b b β (ρ) λ j R j+1 = g r j u b β j R (ρ) j+1. For j, 1) S.Q = B ; Q = g r λ α R (ρ) 2) / S. Q = B r λ β (ρ) R = g r u r λ α R (ρ) λ β (ρ) j R = g j+1 g r u,+ =, = o=1 rk(o),. r j λ β j R (ρ) j+1 = α R (ρ) f I = b α R (ρ) f ( I = ) / I. r λ β (ρ) R b β R (ρ) n+ = g r u n+ = g r u β R (ρ) n+ f I = ; Q = g n+ f ( I = ) / I. Smlarly, let Qf j = A λ r j λ a b+r j b γ j g γ j b γ = g j For {Qf } j, we have 1) I. Qf = g r λ γ / I. Qf = B r λ γ = g r u γ. Wthout loss of generalty, assume S I and =. r λ h l α R (ρ) r u H(w l ) α R (ρ). λ = g r j u b γ j. = g r u b γ. 2) Smulator B sets Q = B = g Challenge. Upon recevng the challenge keywords w 0,w 1 from adversary A, smulator B flps a random con µ {0,1} and then encrypts w µ wth the challenge gate GT. From the collson-resstant hash functon H, smulator B obtans H(w µ ) = h µ. For verson ver and I, D s defned to be C α R(ver ) f = and C β R(ver ) n+ f =. For / I, let D = C γ. Wthout loss of generalty, assume I and = such that α R (ver ) D = C hµ. Fnally, B sets ˆD = C, D = Z and D = Z θ. Phase 2. Same as phase 1. Guess. Adversary A submts µ of µ. If ν = 1, adversary A cannot acqure any advantage n ths semantc securty game but a random guess. Therefore, we have Pr[µ µ ν = 1] = 1 2. When µ µ, smulator B outputs ν = 1, such that Pr[ν = ν ν = 1] = Pr[ν = 1 ν = 1] = 1 2. If ν = 0, a vald D s gven to adversary A. He can wn ths game wth non-neglgble advantage ǫ. Hence, P r[µ = µ ν = 0] = 1 2 +ǫ. When µ = µ, smulator B outputs ν = 0, we have Pr[ν = ν ν = 0] = Pr[ν = 0 ν = 0] = 1 2 +ǫ. The advantage Adv DBDH A of smulator B n the DBDH game s Pr[ν = ν] 1 2 = Pr[ν = ν ν = 1]Pr[ν = 1] + Pr[ν = ν ν = 0]Pr[ν = 0] 1 2 = (1 2 +ǫ) = ǫ 2. As per the above theorem, we can conclude that our proposed scheme s semantcally secure n the selectve model. Note that malcous users cannot launch colluson attack to generate a new vald secret key or trapdoor, whch has been mplctly proved because the adversary A n our securty game has the same capablty as the malcous users,.e. he can query dfferent secret keys. 2) Trapdoor unlnkablty: To generate a trapdoor, the data user chooses a dfferent random number u to obfuscate the trapdoor such that the CS s vsually unable to dfferentate two or more trapdoors even produced wth the same keyword. Thus, the ABKS-UR can provde trapdoor unlnkablty property. 5 AUTHENTICATED SEARCH RESULT Data users may desre the authentcated search result to boost ther confdence n the entre ABKS-UR search process, especally when the result contans errors that may come from the possble storage corrupton, software malfuncton, and ntenton to save computatonal resources by the server, etc. Smlar to [25], we are able to assure data user of the authentcty of the returned search result by checkng ts correctness (the returned search result ndeed exst n the dataset and reman ntact), completeness (no qualfed fles are omtted from the search result), and freshness (the returned result s obtaned from the latest verson of the dataset). The man dea of the verfcaton scheme s to allow the CS to return the auxlary nformaton contanng the authentcated data structure other than the fnal search result, upon whch the data user s capable of dong result authentcty check. In what follows, we elaborate on the concrete scheme. Authentcated data structure preparaton In order to let the user check f he s a legtmate user for a partcular dataset, the data owner can smply sgn the correspondng user lst U L. Or, to avod dsclosng other users membershp nformaton, the TA may generate the keyed-hash value h xf (ID f ) for each authorzed user f. The data owner can nsert the hash values nto a bloom

9 9 flter BF UL [26] based on these users membershp, and then sgns t to σ(bf UL ). Next, the data owner prepares another bloom flter BF W for the keywords appearng n the dataset to enable the data user quckly fnd out the exstence of the ntended keyword. Specfcally, the TA generates a hash key k and gves t to the data owner. He then encrypts t wth symmetrc key x f for each legtmate user. Note that the output cphertext E xf (k) can be sgned and added nto the user lst UL later by the data owner. Then, the data owner obtans a keyword bloom flter BF W by nsertng the keyed-hash valueh k (w) of every keywordw n the dataset, and sgns t to σ(bf W ). When preparng the encrypted ndexes for the dataset to be outsourced, the data owner uses nverted ndex [27] to organze the entre dataset,.e. all the encrypted fles l wth the secure ndexes contanng the same keyword w are placed n the same fle lst L w = {< D l1,w,l 1 >,< D l2,w,l 2 >,... < D lq,w,l q >}. Upon each lst L w, the data owner generates the lst sgnature as follows: frst, for every tuple < D l,w,l > n L w where 1 q, he computes the hash value h l = H(D l,w H(l )). Then the data owner computes the hash value h Lw for the lst L w. For example, there are three fles l 1,l 2 and l 3 n ths partcular lst. The data owner calculates h 1 = h l1, h 2 = H(h l2 h 1 ), and h Lw = h 3 = H(h l3 h 2 ). Fnally, he outsources the BF UL, BF W, all the fle lsts L w and ther sgnatures σ(bf UL ), σ(bf W ), σ(h Lw ) to the server. Search phase In the search phase, the CS returns the search result along wth the auxlary nformaton for result authentcty check later by the data user. The auxlary nformaton ncludes all the user lst bloom flters BF UL of the datasets stored on the server (see the dscusson below), the keyword bloom flters BF W of the datasets that the user s authorzed to access, the fle lst L w for the ntended keyword w f the search result contans fles from ths dataset, the tuple ( D f,e xf (k)) n each related U L and all the correspondng sgnatures. Notably, f the search result does not contan fles from ths dataset, t s not necessary to return the correspondng fle lst. Otherwse, the CS generates L w as follows. For the fle l n L w but not n the search result, the CS merely computes ts hash value h(l ) and puts the tuple < D,w,h(l ) > n L w. For example, when L w = {< D l1,w,l 1 >,< D l2,w,l 2 >,< D l3,w,l 3 >} and only l 1 s ncluded n the fnal search result, the CS wll sends back L w = {< D l 1,w,l 1 >,< D l2,w,h(l 2 ) >,< D l3,w,h(l 3 ) >} to the user. Result authentcaton On recept of the search result, the user can check ts authentcty as follows. At frst, the user does the membershp test wth all the verfed user lst bloom flters BF UL. For each dataset that the user s authorzed to access, he verfes the tuple ( D f,e xf (k)) from ths dataset, and decrypts E xf (k) wth x f. Then, he verfes the keyword bloom flter BF W of ths dataset and explots the hash key k to check whether the keyword of nterest w ndeed exsts. If not, the user turns to another keyword bloom flter of the next accessgranted dataset. Otherwse, he goes nto the specfc fle lst L w. For smplcty, we stll use the above mentoned example. The user frst computes tuple hash values h l1, h l2 and h l3 respectvely. He then generates the hash chan to obtan the fle lst hash value h Lw, and verfes σ(h Lw ). Next, he can search ths lst wth hs trapdoor and correspondng D f from the CS to check f all the matchng fles have been returned. Thus, the data user can ensure the authentcty of the returned search result. Dscusson Note that f t s the frst tme for a user f to perform search operaton, the CS wll send the tuples ( D f,e xf (k)) n all related UL and all the user lst bloom flters to ths user and he may keep them to avod the communcaton overhead n the followng searches. To revoke a partcular user, data owners wll update the correspondng user lst bloom flters and send them to the CS. After that, the legtmate user wll replace the correspondng bloom flters for the updated ones receved from the CS f he requres the server to search agan. On the other hand, f the user repeats the search wth the keyword quered before, t s not necessary for the CS to return the auxlary nformaton 1 and the user merely needs to compare the result wth the search hstory. Otherwse, all the relevant BF W and L w should be returned to user for result verfcaton. In ths paper, we create an authentcated data structure usng bloom flter, nverted ndex, hash and sgnature technques to organze the outsourced data n the server. The data user can search over ths structure to verfy the returned search result, snce all the sgnatures can only be generated by data contrbutors. By checkng verfed BF UL, BF W and L w, the user s assured of the exstence and ntegrty of all the returned fles, and search result does not exclude any qualfed matchng fles. Hence, we can acheve the verfcaton desgn goals,.e. correctness and completeness. Freshness can be smply realzed by addng tme stamp nto the correspondng sgnatures. Thus, we make the ABKS-UR scheme verfable and the authentcty of the returned search result s guaranteed. 6 PERFORMANCE EVALUATION In ths secton, we wll evaluate the performance of our proposed ABKS-UR scheme and search result verfcaton mechansm by real-world dataset and asymptotc computaton complexty n terms of the parng operaton P, the group exponentaton E and the group multplcaton M n G, the group exponentaton E 1, the group multplcaton M 1 n G 1 and hash operaton H used n bloom flters. Note that we can realze the encrypton and the sgnature operaton by any secure symmetrc encrypton and sgnature technques respectvely, e.g., AES encrypton and RSA sgnature, whch ncur fxed computaton overhead, and here we do not consder them. We also gnore the hash operaton for ABKS-UR as 1. Ths s doable snce the CS s able to track the access pattern.

10 10 t s much more effcent than other nvolved computatons. As for search result verfcaton, the hash operaton wll be counted for t s the man computaton cost there. Suppose there exst n attrbutes n the proposed scheme. The numercal performance evaluaton s shown n Tab. 2. Moreover, to evaluate the key operatons of the proposed scheme, we use the real-world dataset,.e. the Enron Emal Dataset [35], whch contans about half mllon fles contrbuted from 150 users approxmately. In the lterature, there are few exstng works on attrbute-structure based authorzed keyword search wth expermental results. We wll compare our ABKS- UR scheme wth the predcate encrypton based APKS scheme [21] n terms of search effcency. We conduct our experment usng C and the Parng-Based Cryptography (PBC) Lbrary [36] on a Lnux Server wth Intel Core 3 Processor 3.3GHz. We adopt the type A ellptc curve of 160-bt group order, whch provdes 1024-bt dscrete log securty equvalently (our scheme can also be adapted nto any secure asymmetrc parng verson). 6.1 System Setup At ths ntal phase, the TA defnes the publc parameter, and generates P K and M K. The man computaton overhead s 3n exponentatons n G, one exponentaton n G 1 and one parng operaton on the TA sde. As shown n Fg.2 (a), the tme cost for system setup s very effcent and s lnear to the number of attrbutes n the system. 6.2 New User Enrollment When a new legtmate user wants to jon n the system, he has to request the TA to generate the secret key SK, whch needs 2n + 1 exponentatons n G. The TA also needs one exponentaton n G 1 to generate a new PK component for the user. A data owner may also allow the user to access the dataset by addng hm onto the correspondng user lst, whch ncurs one exponentaton n G 1. It s obvous that the tme cost to enroll a new user s proportonal to the number of attrbutes n the system. 6.3 Secure Index Generaton The sze of secure ndex s constant f the number of attrbutes s pre-fxed n the system setup phase regardless of the actual number of keywords n a fle for both sngle keyword and conjunctve keyword search scenaros. Moreover, the data owner approxmately needs (n+1)e+e 1 to generate a secure ndex for a fle. Furthermore, we evaluate the practcal effcency of creatng secure ndexes for fles, as shown n Fg.2 (b). It exhbts the expected lnearty wth the number of attrbutes n the system. When there exst 30 attrbutes n the system, the data owner would spend about 8 mnutes encryptng the ndexes for fles. Note that ths computatonal burden on the data owner s a onetme cost. After all the ndexes outsourced to the CS, the followng ndex re-encrypton operaton s also delegated to the server. Thus, the overall effcency for encryptng ndex s totally acceptable n practce. 6.4 Trapdoor Generaton Wth the secret key, data user s free to produce the trapdoor of any keyword of nterest, whch requres about 2n+1 group exponentatons n G. Moreover, the expermental result n Fg.2 (c) shows that our proposed authorzed keyword search scheme enjoys very effcent trapdoor generaton. In accordance wth the numercal computaton complexty analyss, the trapdoor generaton wll need more tme wth the ncreased number of attrbutes. TABLE 2 Numercal evaluaton of ABKS-UR and result verfcaton Operaton Computaton complexty System Setup 3nE+E 1 + P New User Enrollment (2n+1)E+2E 1 Secure Index Generaton (n+1)e+e 1 Trapdoor Generaton (2n + 1)E Per-ndex Search (n+1)p+(n+2)m 1 + E 1 ReKeyGen x(m+e),1 x n ReEncIndex ye,1 y n ReKey ze,1 z n Data preparaton (ak 1 +bk 2 +(3q 1)b)H Search phase (q t)h Result authentcaton 1 (mk 1 +k 2 +2q+t 1)H+tS 2 1 Ths s for a new ntended keyword search over one authorzed dataset. 2 S denotes the per-ndex search operaton. 6.5 Search To search over a sngle encrypted ndex, the domnant computaton of ABKS-UR s n + 1 parng operatons, whle APKS [21] needs n + 3 parng operatons. Fg.2 (d) shows the practcal search tme of ABKS-UR and APKS on a sngle secure ndex wth dfferent number of attrbutes respectvely. Wth the same number of system attrbutes, ABKS-UR s slghtly faster than APKS. Moreover, compared wth APKS, ABKS-UR allows users to generate trapdoors ndependently wthout resortng to an always onlne attrbute authorty, and t has a broader range of applcatons due to the arbtrarly-structured data search capablty. Notce that the search complexty of our scheme wll vares a lot for dfferent data users, snce the dataset search authorzaton only allows users on the user lsts to further access the correspondng datasets. Assume that there exst fles and 30 system attrbutes. In the worse case of search over every fle n the storage, the CS, wth the same hardware/softwore specfcatons as our experment, requres less than 5 mnutes to complete the search operaton. Thus, wth a more powerful cloud, our proposed ABKS-UR scheme would be effcent enough for practcal use.

11 11 System setup tme (s) Number of attrbutes (a) Secure ndex generaton tme (s) Number of attrbutes (b) Trapdoor generaton tme (s) Number of attrbutes (c) Per ndex search tme (ms) ABKS UR APKS Number of attrbutes Fg. 2. Performance evaluaton on ABKS-UR. (a) Tme cost for system setup. (b) Secure ndex generaton tme for fles. (c) Trapdoor generaton tme. (d) Tme cost for search over a sngle ndex. (d) 6.6 User Revocaton As the server can effcently elmnate the revoked user s dentty nformaton from the correspondng user lsts, we do not show t n Tab.1. Instead, we calculate the man computaton complexty of ReKeyGen, ReEncIndex and ReKey. To update the system, the TA uses the algorthm ReKeyGen to produce the new verson of MK and PK, and the re-encrypton key set rk. Dependng on the number of attrbutes to be updated, generatng rk requres mnmum M to maxmum nm operatons. Lkewse, the computaton overhead for PK s wthn the range from E to ne. Moreover, the CS calls the ReEncIndex algorthm to re-encrypt the secure ndexes at ts storage. Each ndex update needs E to ne operatons n G, whch s also the computaton overhead range for the CS to update a legtmate user s secret key by algorthm ReKey. 6.7 Authentcated Search Result Other than the computaton cost for ABKS-UR, a data owner stll needs to prepare a user lst bloom flterbf UL, a keyword bloom flter BF W and fle lsts L w for hs outsourced dataset. Assume for ths dataset there are a authorzed users, b extracted keywords, and average q fles n each L w. Let k 1 and k 2 be the number of hash functons used to nsert a user and a keyword nto BF UL and BF W respectvely. Thus, the man computaton cost for these data preparaton s ak 1 +bk 2 +(3q 1)b effcent hash operatons as shown n Tab. 2. At the search phase, the CS only needs to computes fle lst L w for each authorzed dataset for the user. Tab. 2 shows that every fle lst can be generated by q t hash operatons, where t s the average number of matchng fles n L w. If the data user queres a keyword searched before, the CS wll only return the search result and the user wll verfy them by checkng the search hstory (see the dscusson n Sect. 5). Therefore no extra communcaton and computaton overhead s ntroduced n ths stuaton. Otherwse, n the worst case, the user should checkng all the returnedbf UL,BF W andl w. As shown n Tab. 2, suppose there are m datasets stored on the server and the user s only authorzed to access one dataset, the verfcaton cost s mk 1 + k 2 + 2q + t 1 hash operatons and t per-ndex search operatons. In order to save the communcaton cost between the CS and the user, the user lst bloom flters BF UL can be stored on the user sde after he receves them from the server (see the dscusson n Sect. 5). For the BF UL of 1% false postve rate and 100 outsourced datasets, the correspondng storage cost s shown n Tab. 3. In ths worst case that authorzed users are nserted to each BF UL, the user only needs about 1 MB storage space to keep the user lst bloom flters of all the datasets. To realze the verfable ABKS-UR, except that the user may need to search the verfed data structure (the computatonal complexty s much smaller than that of search on the server), data owner and cloud server have mnmal extra computaton overhead,.e., effcent hash functon evaluaton. TABLE 3 Storage cost for 100 BF UL of 1% false postve rate # of nserted users Sze (MB) CONCLUSION In ths paper, we desgn the frst verfable attrbutebased keyword search scheme n the cloud envronment, whch enables scalable and fne-graned owner-enforced encrypted data search supportng multple data owners and data users. Compared wth exstng publc key authorzed keyword search scheme [14], our scheme could acheve system scalablty and fne-granedness at the same tme. Dfferent from search scheme [21] wth predcate encrypton, our scheme enables a flexble authorzed keyword search over arbtrarly-structured data. In addton, by usng proxy re-encrypton and lazy re-encrypton technques, the proposed scheme s better suted to the cloud outsourcng model and enjoys effcent user revocaton. On the other hand, we make the whole search process verfable and data user can

12 12 be assured of the authentcty of the returned search result. We also formally prove the proposed scheme semantcally secure n the selectve model. ACKNOWLEDGMENTS Ths work was supported n part by the NSFC , the Natonal Project 2012ZX , the 863 Project 2012AA013102, the 111 Project B08038, the IRT1078, the FRF K , the NSFC , and the U.S. NSF grants CNS and CNS REFERENCES [1] W. Sun, S. Yu, W. Lou, Y. T. Hou, and H. L, Protectng Your Rght: Attrbute-based Keyword Search wth Fne-graned Ownerenforced Search Authorzaton n the Cloud, n IEEE INFOCOM, pp , [2] S. Yu, C. Wang, K. Ren, and W. Lou, Achevng secure, scalable, and fne-graned data access control n cloud computng, n Proc. of IEEE INFOCOM, pp. 1-9, [3] M. L, S. Yu, Y. Zheng, K. Ren, and W. Lou, Scalable and secure sharng of personal health records n cloud computng usng attrbute-based encrypton, IEEE TPDS, vol. 24, no. 1, pp , [4] S. Kamara and K. Lauter, Cryptographc cloud storage, n Fnancal Cryptography and Data Securty, pp , [5] D. Song, D. Wagner, and A. Perrg, Practcal technques for searches on encrypted data, n Proc. of IEEE S&P, pp , [6] Y. Huang, D. Evans, J. Katz, and L. Malka, Faster secure twoparty computaton usng garbled crcuts, n USENIX Securty Symposum, vol. 201, no. 1, [7] C. Gentry, A fully homomorphc encrypton scheme, Ph.D. dssertaton, Stanford Unversty, [8] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, Searchable symmetrc encrypton: mproved defntons and effcent constructons, n Proc. of ACM CCS, pp , [9] S. Kamara, C. Papamanthou, and T. Roeder, Dynamc searchable symmetrc encrypton, n Proc. of ACM CCS, pp , [10] N. Cao, C. Wang, M. L, K. Ren, and W. Lou, Prvacy-preservng mult-keyword ranked search over encrypted cloud data, n Proc. of IEEE INFOCOM, pp , [11] W. Sun, B. Wang, N. Cao, M. L, W. Lou, Y. T. Hou, and H. L, Prvacy-preservng mult-keyword text search n the cloud supportng smlarty-based rankng, n Proc. of ACM ASIACCS, pp , [12] F. Bao, R. H. Deng, X. Dng, and Y. Yang, Prvate query on encrypted data n mult-user settngs, n Informaton Securty Practce and Experence, Sprnger, pp , [13] Y. Yang, H. Lu, and J. Weng, Mult-user prvate keyword search for cloud computng, n Proc. of IEEE CloudCom, pp , [14] Y. H. Hwang and P. J. Lee, Publc key encrypton wth conjunctve keyword search and ts extenson to a mult-user system, n Proc. of Parng, pp. 2-22, [15] M. Blaze, G. Bleumer, and M. Strauss, Dvertble protocols and atomc proxy cryptography, n Proc. of EUROCRYPT, pp , [16] M. Kallahalla, E. Redel, R. Swamnathan, Q. Wang, and K. Fu, Plutus: Scalable secure fle sharng on untrusted storage, n Proc. of FAST, vol. 42, pp , [17] D. Boneh, G. D Crescenzo, R. Ostrovsky, and G. Persano, Publc key encrypton wth keyword search, n Proc. of EUROCRYPT, pp , [18] P. Golle, J. Staddon, and B. Waters, Secure conjunctve keyword search over encrypted data, n Proc. of ACNS, pp , [19] D. Boneh and B. Waters, Conjunctve, subset, and range queres on encrypted data, n Theory of Cryptography, pp , [20] J. Katz, A. Saha, and B. Waters, Predcate encrypton supportng dsjunctons, polynomal equatons, and nner products, n Proc. of EUROCRYPT, pp , [21] M. L, S. Yu, N. Cao, and W. Lou, Authorzed prvate keyword search over encrypted data n cloud computng, n Proc. of IEEE ICDCS, pp , [22] H. Pang and K.-L. Tan, Authentcatng query results n edge computng, n Proc. of ICDE, pp , [23] H. Pang and K. Mouratds, Authentcatng the query results of text search engnes, n Proc. VLDB Endow., vol. 1, no. 1, pp , [24] C. Wang, N. Cao, K. Ren and W. Lou, Enablng secure and effcent ranked keyword search over outsourced cloud data, IEEE TPDS, vol. 23, no. 8, pp , [25] W. Sun, B. Wang, N. Cao, M. L, W. Lou, Y. T. Hou, and H. L, Verfable prvacy-preservng mult-keyword text search n the cloud supportng smlarty-based rankng, IEEE TPDS, vol. 99, no. PrePrnts, pp. 1, [26] B. H. Bloom, Space/tme trade-offs n hash codng wth allowable errors, Communcatons of the ACM, vol. 13, no. 7, pp , [27] NIST, NIST s dctonary of algorthms and data structures: nverted ndex, [Onlne]. Avalable: /HTML/nvertedIndex.html. [28] V. Goyal, O. Pandey, A. Saha, and B. Waters, Attrbute-based encrypton for fne-graned access control of encrypted data, n Proc. of ACM CCS, pp , [29] J. Bethencourt, A. Saha, and B. Waters, Cphertext-polcy attrbute-based encrypton, n Proc. of IEEE S&P, pp , [30] L. Cheung and C. Newport, Provably secure cphertext polcy ABE, n Proc. of ACM CCS, pp , [31] S. Yu, C. Wang, K. Ren, and W. Lou, Attrbute based data sharng wth attrbute revocaton, n Proc. of ACM ASIACCS, pp , [32] E. Shen, E. Sh, and B. Waters, Predcate prvacy n encrypton systems, n Theory of Cryptography, pp , [33] B. Chor, E. Kushlevtz, O. Goldrech, and M. Sudan, Prvate nformaton retreval, Journal of the ACM, vol. 45, no. 6, pp , [34] D. Boneh and M. Frankln, Identty-based encrypton from the Wel parng, n Proc. of CRYPTO, pp , [35] W. W. Cohen, Enron Emal Dataset. [Onlne]. Avalable: https: // enron/ [36] Parng-based cryptography lbray. [Onlne]. Avalable: crypto.stanford.edu/pbc/ Wenha Sun (S 14) receved hs B.S. degree n Informaton Securty from Xdan Unversty, X an, Chna, n Snce 2009, he has been a Ph.D. student n a combned M.S./Ph.D. program n the School of Telecommuncatons Engneerng at Xdan Unversty. From 2011 to 2013, he was a vstng Ph.D student n the Cyber Securty Lab at Vrgna Tech. Hs research nterests are appled cryptography, cloud computng securty and wreless network securty. He s a Student Member of the IEEE. Shucheng Yu (S 07-M 10) receved the BS degree n computer scence from Nanjng Unversty of Post & Telecommuncaton n Chna, the MS degree n computer scence from Tsnghua Unversty, and the PhD degree n electrcal and computer engneerng from Worcester Polytechnc Insttute. He joned the Computer Scence Department at the Unversty of Arkansas at Lttle Rock as an assstant professor n Hs research nterests are n the general areas of Network Securty and Appled Cryptography. Hs current research nterests nclude secure data servces n cloud computng, attrbute-based cryptography, and securty and prvacy protecton n cyber physcal systems. He s a Member of the IEEE.

13 13 Wenjng Lou (M 03 - SM 08) s a professor at Vrgna Polytechnc Insttute and State Unversty. Pror to jonng Vrgna Tech n 2011, she was a faculty member at Worcester Polytechnc Insttute from 2003 to She receved her Ph.D. n Electrcal and Computer Engneerng at the Unversty of Florda n Her current research nterests are n cyber securty, wth emphases on wreless network securty and data securty and prvacy n cloud computng. She was a recpent of the U.S. Natonal Scence Foundaton CAREER award n She s a Senor Member of the IEEE. Y. Thomas Hou (S 91-M 98-SM 04-F 14) s a professor n the Bradley Department of Electrcal and Computer Engneerng, Vrgna Tech, Blacksburg, VA, USA. Hs research nterests are cross-layer optmzaton for wreless networks. He s also nterested n wreless securty. He has publshed extensvely n leadng journals and top-ter conferences and receved fve best paper awards from IEEE (ncludng IEEE INFOCOM 2008 Best Paper Award and IEEE ICNP 2002 Best Paper Award) and one Dstngushed Paper Award from ACM. Prof. Hou s currently servng as an Area Edtor of IEEE Transactons on Wreless Communcatons, an Assocate Edtor of IEEE Transactons on Moble Computng, an Edtor of IEEE Journal on Selected Areas n Communcatons (Cogntve Rado Seres), and an Edtor of IEEE Wreless Communcatons. He s the Char of IEEE INFOCOM Steerng Commttee. He s a Fellow of the IEEE. Hu L (M 10) receved B.Sc. degree from Fudan Unversty n 1990, M.Sc. and Ph.D. degrees from Xdan Unversty n 1993 and In 2009, he was wth Department of ECE, Unversty of Waterloo as a vstng scholar. Snce 2005, he has been a professor n the school of Telecommuncatons Engneerng, Xdan Unversty, Chna. Hs research nterests are n the areas of cryptography, securty of cloud computng,wreless network securty and nformaton theory. He served as TPC co-char of ISPEC 2009 and IAS 2009, general co-char of E-Forensc 2010, ProvSec 2011 and ISC He s a Member of the IEEE.