Efficient keyword search over encrypted data in multi-cloud setting


SECURITY AND COMMUNICATION NETWORKS
Security Comm. Networks 2016; 9
Published online 19 July 2016 in Wiley Online Library (wileyonlinelibrary.com)
SPECIAL ISSUE PAPER
SCN-SI-Cyber security, crime and forensics of wireless network and application

Efficient keyword search over encrypted data in multi-cloud setting

Yinbin Miao 1, Jiajia Liu 2 * and Jianfeng Ma 2,3
1 School of Telecommunication Engineering, Xidian University, Xi'an, China
2 School of Cyber Engineering, Xidian University, Xi'an, China
3 School of Computer Science and Technology, Xidian University, Xi'an, China

ABSTRACT
With the emergence of cloud storage, enabling cloud clients to securely store and efficiently retrieve ciphertext is a fundamental issue in cloud computing, as data outsourcing can greatly ease the heavy local computation and management burden. Unfortunately, two challenging issues (i.e., data security and privacy) dramatically impede the adoption and practicability of cloud storage, because the cloud service provider (CSP) is honest-but-curious. Furthermore, encrypting the data makes information retrieval over the ciphertext extremely difficult. Besides, dealing with a single CSP is predicted to become less popular with cloud customers for fear of single-point failure threats and potential malicious insiders. To this end, we propose two efficient schemes for keyword search over encrypted data in the multi-cloud setting, which exploit Identity-Based Encryption (IBE) and Key-Policy Attribute-Based Encryption (KP-ABE), respectively. Formal security analysis proves that our schemes guarantee data privacy and reliability. As a further contribution, experimental results over a real-world dataset show that our proposed schemes are feasible and efficient in practical applications. Copyright 2016 John Wiley & Sons, Ltd.

KEYWORDS
cloud storage; multi-cloud; identity-based encryption; key-policy attribute-based encryption

*Correspondence
Jiajia Liu, School of Cyber Engineering, Xidian University, Xi'an, China.
liujiajia@xidian.edu.cn

1. INTRODUCTION

With a long list of unprecedented advantages provided by cloud computing, cloud storage has gained remarkable popularity among a considerable number of enterprises and individuals due to its appealing features (such as on-demand computing resources, flexible and ubiquitous access, considerable management cost savings, etc.). From the cloud clients' perspective, outsourcing data to an honest-but-curious cloud service provider (CSP) can greatly reduce computational costs and management burden, while it also brings new and challenging security breaches [1] during data outsourcing. The cloud clients lose direct control over their sensitive data and face more privacy preservation problems, as the CSP is a separate and honest-but-curious administrative entity [2]; thereby privacy protection and data security [3] are still two challenging issues in cloud computing [4]. Although the encryption-before-outsourcing mechanism can protect data security and privacy, it makes information retrieval over encrypted data extremely difficult. In practice, simply downloading all ciphertext locally is not a practical solution due to the heavy computational burden and high transmission costs across the network. To tackle these problems, developing an efficient and secure searchable encryption (SE) scheme, which allows cloud clients to securely search over ciphertext through keywords and selectively retrieve the files of interest, is of paramount importance.

Another significant concern in cloud storage is cloud service availability. For example, Amazon Web Services might be unavailable if physical damage occurs or the single CSP fails. Additionally, both Google Mail and Hotmail [5] have experienced service downtime that resulted in cloud data unavailability due to a single CSP. Aiming at avoiding service failure, companies supporting cloud storage services have tried to employ multiple CSPs [6] to ensure data availability.

To enable data users (DU) to search the most relevant information quickly, and to improve the user search experience in a broad range of actual applications, it is crucial for an SE scheme to support multi-keyword search (conjunctive/disjunctive keyword search) or expressive search (monotone/non-monotone keyword search). Along these directions, we extend Identity-Based Encryption (IBE) and Key-Policy Attribute-Based Encryption (KP-ABE) schemes to SE schemes and devise two distinct cryptographic primitives, called the basic and enhanced schemes, which are to be applied in different applications. Besides, we store each file block at different CSPs to avoid single-point failure through Shamir's (t, n) secret sharing scheme [7]. Specifically, the main contributions of this work can be summarized as follows:

(1) Supporting the multi-cloud setting and ensuring data availability even though a certain CSP ceases service.
(2) Supporting single keyword search and expressive search in various applications through our proposed basic scheme and enhanced scheme, respectively.
(3) Extending the secret sharing scheme into our proposed schemes so as to avoid time delay and collusion attacks to some extent.
(4) Formal security analysis proves that our proposed schemes are secure, and empirical experiments over a real-world dataset indicate that our proposed schemes are efficient and feasible in practice.

Organization. The remainder of this paper is organized as follows. Section 2 reviews previous work associated with our proposed schemes. Section 3 introduces the system and threat models as well as the design goals. Section 4 gives a detailed overview of the preliminaries and constructions of our proposed schemes. The security and performance analyses are shown in Section 5. Finally, Section 6 presents the concluding remarks of the whole paper.

2. RELATED WORK

Over the years, a considerable number of SE schemes enriched with various functionalities have been put forth in different settings. To the best of our knowledge, most of the existing SE schemes [8-15] mainly focus on improving efficiency and security, while few works concentrate on CSP reliability. Since Song et al. [8] proposed the first symmetric-key-based scheme for retrieving encrypted data, many subsequent SE schemes [16-18] have been proposed to support multi-keyword search using the vector space model, edit distance, or multi-way trie-trees. However, these schemes cannot support expressive search such as boolean search or non-monotone search. Besides, the existing SE schemes mainly depend on the reliability of a single CSP, which may result in single-point failure threats and potential malicious insider attacks. Such single-CSP SE schemes also have other limitations, such as data corruption, lack of availability, and lack of privacy protection. Even though a separate CSP can protect data privacy and provide better services, relying upon a single CSP is not very promising due to server crashes. Therefore, the focus of SE techniques has turned to multi-cloud, inter-cloud, or cloud-of-clouds settings [19-21]. In this paper, we address these issues by dividing the encrypted data into slices and distributing them among multiple available CSPs [19], such that no fewer than a threshold number of CSPs can restore the original ciphertext; thus, the possibilities of single-point failure and privacy disclosure can be ruled out so as to ensure data integrity and availability with a better quality of service. In addition, in this way we can guarantee data security, as a single malicious CSP cannot obtain the sensitive information from the encrypted slices. Therefore, the DU is still able to retrieve the original ciphertext even though one of the CSPs suffers from a service outage or bankruptcy.

Consider an e-mail system [9], in which the sender encrypts the e-mails and builds indexes for them, then outsources the ciphertext to a gateway; finally, the receiver can perform search over the encrypted e-mails by issuing multi-keyword search queries [10,12] (such as Theme="urgent" and Subject="sport"). However, these schemes cannot provide expressive search such as boolean search or non-monotone search (such as Theme="urgent" and Date="2014/1-2014/3" or Date="2014/6-2014/8"). In order to address the aforementioned limitations, we design two effective and scalable cryptographic primitives, called the basic and enhanced schemes, in the multi-cloud setting by utilizing an IBE scheme [22] and a KP-ABE scheme [23], respectively. The basic scheme supports single keyword search over encrypted data, but it has one key limitation: only one keyword is allowed in a single query, so it cannot be applied in a broad range of applications. In addition, it inevitably returns many irrelevant results and incurs a great computational burden, especially when one search query consists of multiple keywords. To achieve fine-grained access control over encrypted data, abundant ABE schemes [24-26] can be extended to our enhanced scheme to avoid unauthorized access. In ABE, the private key and the ciphertext are associated with attributes or an access policy, respectively; only when the attributes match the access policy can the DU decrypt the ciphertext. According to where the access policy resides, ABE schemes can be roughly categorized into key-policy ABE (KP-ABE, i.e., the key is associated with the access policy and the ciphertext is embedded with attributes) and ciphertext-policy ABE (CP-ABE, the reverse of KP-ABE). Therefore, our proposed enhanced scheme supports expressive keyword search by exploiting KP-ABE. To avoid time delay and improve efficiency, both schemes can further be equipped with Shamir's (t, n) secret sharing scheme [7] to achieve data availability and robustness.

3. PROBLEM STATEMENT

In this section, we first present our system and threat models, then formally describe the problem that we are going to address in this paper. Note that the terms file and record (search token and trapdoor) are used interchangeably in this paper.

3.1. System and threat models

We consider a cryptographic cloud storage system supporting information retrieval over encrypted records. There are four entities involved in this system, namely the data owner (DO), the DU, the key generator server (KGS), and the CSPs (in this paper, the number of CSPs is N). The DO first encrypts sensitive files and creates indexes for them, then outsources the ciphertext and indexes to the CSPs. The DU generates a search token for the keywords of interest and submits it to the CSPs. Finally, the CSPs perform the search over the ciphertext and return the relevant records. Note that the KGS is considered fully trusted and is responsible for distributing keys, while the CSPs provide data storage and retrieval services for cloud clients. The framework of our proposed schemes is illustrated in Figure 1.

Figure 1. Framework of our proposed schemes.

The DO relies on the CSPs for data storage and maintenance so as to reduce capital and computational costs, and the DU needs to interact frequently with the CSPs to issue search queries over the encrypted data. As the DO loses direct control over his sensitive records, it is critically important to guarantee data security and avoid privacy leakage. We assume that the data security and privacy threats come from both internal and external attacks, such as single-point failure threats, potential malicious insiders, and collusion attacks. We assume that the CSPs are honest-but-curious: the CSPs honestly follow the established protocols, but they are still eager to learn sensitive or crucial information. Note that in our system model, the availability and credibility of the CSPs are our primary concerns in the multi-cloud setting. We use the example in Figure 2 to illustrate the malicious threats caused by CSPs. Assume that several CSPs are used to store the encrypted files, and cloud clients can retrieve their sensitive records from the CSPs when necessary. If a certain CSP crashes, the valuable information stored in this CSP will be lost and cannot be accessed again. Moreover, this kind of threat may lead to significant economic losses. To avoid single-point failure and achieve data availability, we distribute the ciphertext among multiple CSPs and ensure the robustness of the CSPs. Another severe threat (the collusion attack) must also be eliminated, as several CSPs could collude with each other to reconstruct the original ciphertext by exchanging their parts of the encrypted data.

Figure 2. The example of security threat.

Next, we formally state the problem that we will address. Given N CSPs, each CSP stores an encrypted file slice. Our proposed schemes are committed to securing data storage across distributed CSPs in such a way that only a threshold number of CSPs, or more, can reconstruct the original ciphertext.

3.2. Design goals

Because of data corruption and single-point failure threats, our proposed schemes should achieve the following security and performance requirements to enable data security and reliability in the multi-cloud setting under the aforementioned model.

(1) Supporting multi-cloud. To overcome the limitations of a single cloud, we should store the encrypted ciphertext and indexes at distributed CSPs so as to avoid the threats of service availability failures and collusion attacks to some extent.
(2) Preserving data privacy and robustness. The sensitive files, which are encrypted by IBE or KP-ABE, should remain available even though a certain CSP crashes.
(3) Expressive search. As a single keyword query will return many irrelevant results and incur a heavy computational burden, our proposed schemes should support expressive search in practical applications.
(4) Less computational burden. To be scalable and feasible in actual applications, our proposed schemes should be efficient and available without incurring additional computational burden.

4. THE PROPOSED SCHEMES

In this section, we present two SE schemes which provide single-keyword or expressive search over encrypted data in the multi-cloud setting, respectively. After introducing some preliminaries and definitions associated with our proposed schemes, we first give an overview of the specific constructions of the two schemes and discuss their demerits; then we show how to extend the secret sharing scheme [7] to our basic and enhanced schemes in order to improve efficiency and reliability.

4.1. Preliminaries

In this section, we present some cryptographic background associated with our proposed SE schemes.

Definition 1 (Access Structure [23]). Let $\{P_1, \ldots, P_n\}$ be a set of parties. A collection $\mathbb{A} \subseteq 2^{\{P_1,\ldots,P_n\}}$ is monotone if for all $B, C$: if $B \in \mathbb{A}$ and $B \subseteq C$, then $C \in \mathbb{A}$, where $B, C$ are arbitrary sets of parties. An access structure (resp., monotone access structure) is a collection (resp., monotone collection) $\mathbb{A}$ of non-empty subsets of $\{P_1, \ldots, P_n\}$, i.e., $\mathbb{A} \subseteq 2^{\{P_1,\ldots,P_n\}} \setminus \{\emptyset\}$. The sets in $\mathbb{A}$ are called the authorized sets, while the sets not in $\mathbb{A}$ are called the unauthorized sets.

Definition 2 (Linear Secret Sharing Scheme (LSSS) [26]). A secret sharing scheme $\Pi$ over a set of parties $\mathcal{P}$ is called linear (over $\mathbb{Z}_q$) if the following two properties are satisfied. (1) The shares for each party form a vector over $\mathbb{Z}_q$. (2) There exists a matrix $A$, called the share-generating matrix for $\Pi$. Suppose the matrix $A$ has $m$ rows and $n$ columns, and the function $\rho$ labels the $i$-th row of $A$ with a party $\rho(i)$. Given a column vector $\vec{v} = (s, r_2, \ldots, r_n)$, where $s \in \mathbb{Z}_q$ is the secret to be shared and $r_2, \ldots, r_n \in \mathbb{Z}_q$ are randomly chosen, $A\vec{v}$ is the vector of $m$ shares of the secret $s$ according to $\Pi$, and the share $(A\vec{v})_i$ belongs to the party $\rho(i)$.

The linear reconstruction property is as follows. Suppose that $\Pi$ is an LSSS for the access structure $\mathbb{A}$ and $S \in \mathbb{A}$ is an authorized set; define $I \subseteq \{1, \ldots, m\}$ as $I = \{i : \rho(i) \in S\}$. Then there exist constants $\{\omega_i \in \mathbb{Z}_q\}_{i \in I}$ such that for any valid shares $\{\lambda_i\}$ of a secret $s$ according to $\Pi$ we have $\sum_{i \in I} \omega_i \lambda_i = s$. These constants can be found in time polynomial in the size of the share-generating matrix $A$, while no such constants $\{\omega_i\}_{i \in I}$ exist for unauthorized sets.

Definition 3 (Composite order bilinear groups [27]). Given a security parameter $k$, the bilinear group generator $\mathcal{G}(k)$ outputs two cyclic groups $G_1, G_2$ of order $q$, where $q = q_1 q_2 q_3 q_4$ ($q_1, q_2, q_3, q_4$ are distinct primes), $e: G_1 \times G_1 \to G_2$ is the bilinear map, and $G_{q_1}, G_{q_2}, G_{q_3}, G_{q_4}$ are the subgroups of $G_1$ of order $q_1, q_2, q_3, q_4$, respectively. The following properties are satisfied:
(1) Bilinearity: $\forall g, h \in G_1$ and $a, b \in \mathbb{Z}_q$, $e(g^a, h^b) = e(g, h)^{ab}$.
(2) Non-degeneracy: $\exists g \in G_1$ such that $e(g, g)$ has order $q$ in $G_2$.
(3) Orthogonality: $\forall h_i \in G_{q_i}$ and $\forall h_j \in G_{q_j}$ with $i \neq j$, $e(h_i, h_j) = 1$, where $1$ is the identity element of $G_2$.

Definition 4 (Bilinear Diffie-Hellman (BDH) Problem). Let $G_1$ and $G_2$ be two multiplicative cyclic groups of prime order $q$. Let $g$ be a generator of $G_1$ and $e: G_1 \times G_1 \to G_2$ be the bilinear map. The BDH problem in $\langle G_1, G_2, e \rangle$ is to compute $e(g, g)^{abc}$ when $\langle g, g^a, g^b, g^c \rangle$ is given, where $a, b, c \in \mathbb{Z}_q$. An algorithm $\mathcal{A}$ has advantage $\epsilon$ in solving the BDH problem in $\langle G_1, G_2, e \rangle$ if $\Pr[\mathcal{A}(g, g^a, g^b, g^c) = e(g, g)^{abc}] \geq \epsilon$, where the probability is over the random choice of $a, b, c \in \mathbb{Z}_q$, the random choice of $g \in G_1$, and the random bits of $\mathcal{A}$.

With destructive attacks and intrusions, maintaining the security of a CSP becomes increasingly difficult. The natural solution is to encrypt the outsourced data in order to reduce the exposure in case a CSP is compromised. Especially when taking scalability and survivability into consideration, this concern is exacerbated in a distributed system. Therefore, it is necessary to resolve the previous challenges and ensure robustness even when a certain CSP crashes. In the multi-cloud model, a certain CSP may also collude with other CSPs to analyze and deduce sensitive information.
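As an added worked example (not code from the paper), the following Python implements the share-generating matrix view of Definition 2 over $\mathbb{Z}_q$ for the monotone access structure "(A AND B) OR C": it computes the shares $A\vec{v}$ with $\vec{v} = (s, r_2, \ldots, r_n)$, finds the reconstruction constants $\omega_i$ for an authorized set by Gaussian elimination (the same constants the CSP needs in the Test algorithm of the enhanced scheme, where $\sum \omega_{(i)} A_{(i)} = \vec{1}$), reports that no such constants exist for an unauthorized set, and checks that the resulting collection of authorized sets is monotone in the sense of Definition 1. The prime modulus, the matrix with its row labels $\rho(i)$, and the secret value are constructed for this example.

```python
import random
from itertools import combinations

# Constructed example parameters: a prime standing in for q, and a share-generating
# matrix for the policy "(A AND B) OR C" with row labels rho(i).
# Rows: A -> (1, 1), B -> (0, -1), C -> (1, 0); the target vector is (1, 0, ..., 0).
Q = (1 << 61) - 1
MATRIX = [[1, 1], [0, -1], [1, 0]]
RHO = ["A", "B", "C"]


def solve_mod(rows, rhs, q):
    """Gaussian elimination over Z_q: one x with rows . x = rhs, or None if inconsistent."""
    m, n = len(rows), len(rows[0])
    aug = [[v % q for v in rows[i]] + [rhs[i] % q] for i in range(m)]
    pivots, r = [], 0
    for c in range(n):
        p = next((i for i in range(r, m) if aug[i][c]), None)
        if p is None:
            continue
        aug[r], aug[p] = aug[p], aug[r]
        inv = pow(aug[r][c], -1, q)
        aug[r] = [(v * inv) % q for v in aug[r]]
        for i in range(m):
            if i != r and aug[i][c]:
                f = aug[i][c]
                aug[i] = [(a - f * b) % q for a, b in zip(aug[i], aug[r])]
        pivots.append(c)
        r += 1
        if r == m:
            break
    if any(aug[i][n] for i in range(r, m)):   # a row 0 = nonzero: no solution
        return None
    x = [0] * n                               # free variables set to 0
    for i, c in enumerate(pivots):
        x[c] = aug[i][n]
    return x


def share(secret, matrix=MATRIX, q=Q, rng=random):
    """Shares A.v with v = (s, r_2, ..., r_n); share i belongs to party rho(i)."""
    n = len(matrix[0])
    v = [secret % q] + [rng.randrange(q) for _ in range(n - 1)]
    return [sum(a * b for a, b in zip(row, v)) % q for row in matrix]


def reconstruction_constants(parties, matrix=MATRIX, rho=RHO, q=Q):
    """omega_i for I = {i : rho(i) in parties} with sum_i omega_i * A_i = (1, 0, ..., 0),
    or None when the set is unauthorized (no such constants exist)."""
    I = [i for i in range(len(matrix)) if rho[i] in parties]
    if not I:
        return None
    n = len(matrix[0])
    # Unknowns are the omega_i; one linear equation per column of A.
    system = [[matrix[i][c] for i in I] for c in range(n)]
    omega = solve_mod(system, [1] + [0] * (n - 1), q)
    return None if omega is None else dict(zip(I, omega))


def reconstruct(shares, parties, q=Q):
    """sum_i omega_i * lambda_i = s for an authorized set; None otherwise."""
    omega = reconstruction_constants(parties, q=q)
    if omega is None:
        return None
    return sum(w * shares[i] for i, w in omega.items()) % q


def authorized_sets(universe=tuple(RHO)):
    """All subsets of the universe for which reconstruction constants exist."""
    return {frozenset(s) for k in range(1, len(universe) + 1)
            for s in combinations(universe, k)
            if reconstruction_constants(set(s)) is not None}


def is_monotone(auth, universe=tuple(RHO)):
    """Definition 1: adding any party to an authorized set keeps it authorized."""
    return all(frozenset(b | {x}) in auth for b in auth for x in universe)


if __name__ == "__main__":
    s = 123456789                       # constructed secret
    lam = share(s)
    print("{A,B} recovers s:", reconstruct(lam, {"A", "B"}) == s)
    print("{C}   recovers s:", reconstruct(lam, {"C"}) == s)
    print("{A}   alone     :", reconstruct(lam, {"A"}))      # None: unauthorized
    print("monotone        :", is_monotone(authorized_sets()))
```

The shares of the unauthorized sets ({A}, {B}, {A} with {C} absent) are uniformly random in $\mathbb{Z}_q$ because the unknown $r_2$ masks them; the Test algorithm of Section 4.3 relies on exactly this: the CSP can only cancel the randomness of $\vec{v}$ when the keyword fields in the ciphertext form an authorized set for the DU's access matrix.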
Thus, we propose a basic scheme to preserve data privacy and security against the above threats, which is appropriate for common applications. In actual scenarios, in order to accurately locate the relevant files and reduce unnecessary computational burden, DUs need to submit several keywords. Therefore, our enhanced scheme, which is based on KP-ABE, makes up for the flaws of the basic scheme and achieves expressive search over encrypted data.

4.2. Basic scheme

In our basic scheme, a keyword is treated as an identity, which means the ciphertext is encrypted according to a certain keyword.

Security model of basic scheme. To ensure the security of our basic scheme, the scheme should leak no valuable information about a potential keyword even though the trapdoor is available. In other words, an adversary who can obtain the trapdoor $T_{w'}$ for any keyword $w'$ of his choice should not be able to distinguish the trapdoor $T_{w_0}$ from $T_{w_1}$. Therefore, our basic scheme achieves indistinguishability against chosen-keyword attack (IND-CKA) security.

Definition 5 (IND-CKA game). The IND-CKA game consists of the following five steps:

Setup: Given a security parameter $k$, the challenger $\mathcal{C}$ runs the Setup algorithm and sends the public parameters to the adversary $\mathcal{A}$, while the master key $msk$ is kept by $\mathcal{C}$ itself.

Phase 1: $\mathcal{A}$ issues queries $q_1, \ldots, q_n$, where each query $q_i$ is KeyGen$\langle w_i \rangle$. $\mathcal{C}$ first runs the KeyGen algorithm to generate the private key $sk_i$ corresponding to keyword $w_i$, then sends it to $\mathcal{A}$. These queries may be asked adaptively, namely, each query $q_i$ may depend on the responses to $q_1, \ldots, q_{i-1}$.

Challenge: After Phase 1 is over, $\mathcal{A}$ outputs two target keywords $w'_0, w'_1 \in W$ to be challenged on; the only constraint is that $w'_0, w'_1$ were not queried in Phase 1. Then $\mathcal{C}$ picks a random bit $b \in \{0, 1\}$ and sends $I_b$ to $\mathcal{A}$.

Phase 2: $\mathcal{A}$ issues more queries $q_{n+1}, \ldots, q_m$, where each $q_i$ is KeyGen$\langle w_i \rangle$. $\mathcal{C}$ responds as in Phase 1, with the requirement that $w_i \neq w'_0, w'_1$.

Guess: Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b' = b$.

We call $\mathcal{A}$ an IND-CKA adversary, and the advantage of $\mathcal{A}$ in attacking the basic scheme (BS) is defined as
$$\mathrm{Adv}^{\mathrm{IND\text{-}CKA}}_{BS,\mathcal{A}}(k) = \left| \Pr[b = b'] - \tfrac{1}{2} \right|.$$

Construction of basic scheme. Before presenting the concrete construction of our basic scheme, the notations are listed in Table I.

Table I. Notations in basic scheme.
Notation | Description
$F = \{f_i\}$ | File set
$N$ | Number of CSPs
$f_i = \{f_{i,1}, \ldots, f_{i,N}\}$ | $i$-th file
$w_i$ | Keyword extracted from $f_i$
$f_{i,j}$ | $j$-th file slice of $f_i$
$c_i = \{c_{i,1}, \ldots, c_{i,N}\}$ | Ciphertext for $f_i$
$c_{i,j}$ | Ciphertext for $f_{i,j}$
$I_i$ | Index for $w_i$
$w'$ | Queried keyword
$T_{w'}$ | Trapdoor for $w'$

Setup$(1^k)$: Given a security parameter $k$, the KGS first runs this algorithm to output two multiplicative cyclic groups $G_1, G_2$ of order $q$ and two hash functions $H_1: \{0,1\}^* \to G_1$, $H_2: G_2 \to \{0,1\}^n$. Let $g$ be a generator of $G_1$ and $e: G_1 \times G_1 \to G_2$ be the bilinear map. The master secret $\alpha \in \mathbb{Z}_q$ and the elements $r_j \in \mathbb{Z}_q$ ($1 \leq j \leq N$) are randomly chosen; then this algorithm outputs the public parameters $PP$ and master key $msk$ as follows:
$$PP = (G_1, G_2, H_1, H_2, e, g, g_1 = g^{\alpha}, g^{r_1}, \ldots, g^{r_N}), \quad msk = \{\alpha\},$$
where $msk = \{\alpha\}$ is owned only by the KGS, and $\{r_1, \ldots, r_N\}$ are sent to the DO and authorized DUs.

KeyGen$(w_i, \alpha, H_1)$: To generate the private key for the single keyword $w_i$ extracted from file $f_i$, the KGS uses the master key $\alpha$ and the hash function $H_1$ to generate the secret key $sk = H_1(w_i)^{\alpha}$ for the DU.

Enc$(f_i, H_1, g_1, w_i)$: Before encrypting the plaintext $f_i \in \{0,1\}^n$, the DO first divides $f_i$ into $N$ chunks $f_i = \{f_{i,1}, \ldots, f_{i,N}\}$ of equal length such that $f_i = f_{i,1} \| \cdots \| f_{i,N}$. Next, he or she selects a random element $r_j \in \mathbb{Z}_q$ for each CSP and computes $g_w = e(H_1(w_i), g_1)$. Finally, the tuple $(c_{i,j}, I_i)$ is sent to the $j$-th ($1 \leq j \leq N$) CSP, where $c_{i,j}$ and $I_i$ are defined by Eq. (1):
$$c_{i,j} = \langle g^{r_j},\ f_{i,j} \oplus H_2(g_w^{r_j}) \rangle, \quad I_i = H_1(w_i). \tag{1}$$

Search$(w', H_1, r_j, c_{i,j}, I_i)$: The DU first generates the trapdoor $T_{w'} = H_1(w')^{r_j}$ for keyword $w'$ and submits it to the $j$-th CSP. On receiving the trapdoor $T_{w'}$, the $j$-th CSP verifies whether Eq. (2) holds. If $w_i = w'$, the equation holds and the CSP returns the relevant ciphertext $c_{i,j} = \langle A, B \rangle$ to the DU; otherwise it returns $\bot$.
$$e(H_1(w')^{r_j}, g) = e(g^{r_j}, I_i). \tag{2}$$

Dec$(c_{i,j}, sk)$: After interacting with the KGS to obtain $sk = H_1(w')^{\alpha}$, the DU decrypts the ciphertext $c_{i,j}$ through Eq. (3):
$$f_{i,j} = B \oplus H_2(e(sk, A)). \tag{3}$$
Correctness follows from bilinearity: when $w' = w_i$, $e(sk, A) = e(H_1(w')^{\alpha}, g^{r_j}) = e(H_1(w'), g^{\alpha})^{r_j} = g_w^{r_j}$, which is exactly the value masked by $H_2$ in Eq. (1).

Discussion. With the basic scheme, we can easily solve the problems of single-point failure threats and collusion attacks to some extent. As the ciphertext stored at every CSP is masked by a different parameter $r_j$, even if several CSPs collaborate with each other they cannot decrypt the ciphertext. Therefore, we can ensure data security and availability in the basic scheme.
However, one shortcoming of the basic scheme is that it cannot be applied in practical applications and cannot achieve fine-grained access control. To address these drawbacks, we give an enhanced scheme based on KP-ABE.

4.3. Enhanced scheme

Although there are many SE schemes focusing on multi-keyword or boolean search [28-33], the need for expressive search is still urgent in practical applications. Based on KP-ABE, the ciphertext in the enhanced scheme is defined by a set of attributes, while the private key is described by an access matrix. As a result, vicious collusion attacks can be efficiently avoided. For example, even though a malicious CSP gains the access structures "A AND B" and "B AND C", it cannot decrypt the ciphertext associated with the attributes "A AND C". In addition, our enhanced scheme effectively supports expressive search.

Security assumptions of enhanced scheme. In this part, we state some security assumptions associated with the security of our enhanced scheme.

Definition 6 (Assumption 1). Suppose the tuple $\{q, G_1, G_2, e\}$ is defined as in Definition 3, and the elements $a_1 \in G_{q_1}$, $a_3 \in G_{q_3}$, $a_4 \in G_{q_4}$ are randomly chosen. Given the tuple $\{q, G_1, G_2, e, a_1, a_3, a_4\}$, there exists no probabilistic polynomial-time algorithm $\mathcal{B}$ that can distinguish a random element of $G_{q_1}$ from a random element of $G_{q_1 q_2}$ with non-negligible advantage.

Definition 7 (Assumption 2). Suppose the tuple $\{q, G_1, G_2, e\}$ is defined as in Definition 3, and the elements $a_1, b_1 \in G_{q_1}$, $a_2, b_2 \in G_{q_2}$, $a_3, b_3 \in G_{q_3}$, $a_4 \in G_{q_4}$ are randomly chosen. Given the tuple $\{q, G_1, G_2, e, a_1, b_1 a_2, b_2 a_3, a_3, a_4\}$, there exists no probabilistic polynomial-time algorithm $\mathcal{B}$ that can distinguish a random element of $G_{q_1 q_2 q_3}$ from a random element of $G_{q_1 q_3}$ with non-negligible advantage.

Definition 8 (Assumption 3). Suppose the tuple $\{q, G_1, G_2, e\}$ is defined as in Definition 3, and the elements $r \in \mathbb{Z}_q$, $a_1, b_1 \in G_{q_1}$, $a_2, b_2 \in G_{q_2}$, $a_3 \in G_{q_3}$, $a_4, b_4 \in G_{q_4}$, $a_{24}, b_{24} \in G_{q_2 q_4}$ are randomly chosen. Given the tuple $\{q, G_1, G_2, e, a_1, a_1 b_2, b_1 b_4, a_1^r a_{24}, a_3, a_4\}$, there exists no probabilistic polynomial-time algorithm $\mathcal{B}$ that can distinguish $b_1^r b_{24}$ from a random element of $G_{q_1 q_2 q_4}$ with non-negligible advantage.

Construction of enhanced scheme. The additional notations used in our enhanced scheme are given in Table II.

Table II. Notations in enhanced scheme.
Notation | Description
$U = \{1, \ldots, n\}$ | Attribute set
$W = \{w_1, \ldots, w_m\}$ | Keyword field set
$w_r$ | $r$-th keyword in $W$
$W' = \{w_1, \ldots, w_l\}$ | Queried keyword set
$w_l$ | $l$-th keyword in $W'$
$A$ | Access matrix
$\rho$ | Mapping function
$T$ | Trapdoor for $W'$

Setup$(1^k, U)$: Given a security parameter $k$, the KGS outputs the public parameters $\{G_1, G_2, e, G_{q_1}, G_{q_2}, G_{q_3}, G_{q_4}\}$, where $G_1, G_2$ are two cyclic groups of order $q$, $e: G_1 \times G_1 \to G_2$ is the bilinear map, $q = q_1 q_2 q_3 q_4$, and $G_{q_i}$ is the subgroup of order $q_i$ in $G_1$. Let $U = \{1, \ldots, n\}$ be the attribute set; for each attribute $i \in U$, the KGS randomly chooses an element $t_i \in \mathbb{Z}_q$. It then selects random elements $\alpha \in \mathbb{Z}_q$, $g_1, \gamma_1 \in G_{q_1}$, $g_4, \gamma_4 \in G_{q_4}$, where $g_1, g_4$ are generators of $G_{q_1}, G_{q_4}$, respectively, and sets $\gamma = \gamma_1 \gamma_4$. Finally, it chooses a random element $s_j \in \mathbb{Z}_q$ ($1 \leq j \leq N$) for each CSP, and returns the public key $pk$ and master key $msk$ as follows:
$$pk = \left\{ q, g_1, g_4, e(g_1, g_1)^{\alpha}, \gamma, \beta_i = g_1^{t_i}\ \forall i \in U \right\}, \quad msk = \{\gamma_1, \alpha\},$$
where the tuple $\{s_1, \ldots, s_N\}$ is sent to the DO and authorized DUs.

Enc$(f_i, s_j, pk, W)$: Unlike the file chunk in the basic scheme, each file chunk $f_{i,j}$ contains $m$ keyword fields, namely $W = \{w_1, \ldots, w_m\}$. The DO chooses $\delta_1, \delta_2 \in G_{q_4}$, then takes the keyword set as attributes to encrypt the file chunk $f_{i,j}$. The ciphertext is defined as $c_{i,j} = \{c, c', c_r\ \forall w_r \in W, 1 \leq r \leq m\}$. Finally, $c_{i,j}$ is sent to the $j$-th ($1 \leq j \leq N$) CSP, where $c, c', c_r$ are given by Eq. (4):
$$c = f_{i,j} \cdot e(g_1, g_1)^{\alpha s_j}, \quad c' = g_1^{s_j} \delta_1, \quad c_r = (\beta_r)^{s_j} \delta_2. \tag{4}$$

Trapdoor$(A, \rho, pk, msk)$: An access matrix is derived from the submitted keyword set $W' = \{w_1, \ldots, w_l\}$ ($l \leq m$) when the DU performs a search request. Let $A$ be the $m \times n$ access matrix, where each row $A_{(i)}$ represents a keyword field and $\rho$ is a function from $\{1, \ldots, l\}$ to $\{1, \ldots, m\}$, $i \in \{1, \ldots, l\}$. The DU first selects a random vector $\vec{v} \in \mathbb{Z}_q^n$ such that $\vec{1} \cdot \vec{v} = \alpha$, where $\vec{1} = (1, 0, \ldots, 0)$. Then he or she randomly chooses $\theta_{(i)} \in \mathbb{Z}_q$ and $\varphi_{(i),1}, \varphi_{(i),2} \in G_{q_3}$, and computes the trapdoor as $T = \{T^1_{(i)}, T^2_{(i)}\}$. Finally, this algorithm sends $T$ to each CSP, where $T^1_{(i)}, T^2_{(i)}$ are computed through Eq. (5):
$$T^1_{(i)} = g_1^{A_{(i)} \cdot \vec{v}} \left(\gamma_1 \beta_{\rho(i)}\right)^{\theta_{(i)}} \varphi_{(i),1}, \quad T^2_{(i)} = g_1^{\theta_{(i)}} \varphi_{(i),2}. \tag{5}$$

Test$(c_{i,j}, pk, T)$: If the keyword set $W$ embedded in the ciphertext satisfies the access matrix of the DU, the CSP chooses constants $\omega_{(i)}$ such that $\sum_{A_{(i)} \in W'} \omega_{(i)} A_{(i)} = \vec{1}$. Then the CSP computes Eq. (6) as follows:
$$\prod_{A_{(i)} \in W'} \frac{e\left(c', T^1_{(i)}\right)^{\omega_{(i)}}}{e\left(c_{\rho(i)}, T^2_{(i)}\right)^{\omega_{(i)}}} = \prod_{A_{(i)} \in W'} e(g_1, g_1)^{s_j A_{(i)} \cdot \vec{v}\, \omega_{(i)}} = e(g_1, g_1)^{\alpha s_j}. \tag{6}$$
Finally, the plaintext is recovered as $f_{i,j} = c / e(g_1, g_1)^{\alpha s_j}$.

4.4. Extension

Although our proposed schemes have the functional advantages shown in Table III in comparison with other analogous schemes [19,20,34,35], the DU cannot reconstruct the original file until all $N$ file slices have been obtained from the CSPs. In addition, in actual applications the DU cannot restore the whole file $f_i$ in the event of a single-point failure.

Table III. Comparison of scheme functions.
Scheme | Expressive search | Multi-cloud
SCMS [19] | - | X
PPMS [20] | - | X
ESED [34] | X | -
ESPK [35] | X | -
Basic | - | X
Enhanced | X | X

Furthermore, searching all file chunks inevitably leads to time delay, which seriously impacts the availability and robustness of our schemes. To tackle this problem, Shamir's secret sharing scheme [7] can be adopted to improve the efficiency and reliability of our schemes; namely, each file chunk is encrypted with a polynomial of degree $t-1$ before being re-encrypted by the DO. The specific steps are as follows:

(1) After file $f_i$ has been divided into $N$ chunks, a random polynomial of degree $t-1$ is chosen by the DO for each file, as in Eq. (7):
$$F_i(x) = c_{t-1} x^{t-1} + \cdots + c_1 x + f_i. \tag{7}$$
(2) Before encrypting the file chunk $f_{i,j}$, the DO first preprocesses the file chunks through Eq. (8):
$$F_i(f_{i,1}) = c_{t-1} f_{i,1}^{t-1} + \cdots + c_1 f_{i,1} + f_i,$$
$$F_i(f_{i,2}) = c_{t-1} f_{i,2}^{t-1} + \cdots + c_1 f_{i,2} + f_i,$$
$$\vdots$$
$$F_i(f_{i,N}) = c_{t-1} f_{i,N}^{t-1} + \cdots + c_1 f_{i,N} + f_i. \tag{8}$$
(3) The DU can employ any $t$ ciphertexts obtained from the $N$ CSPs to reconstruct the original file.

Based on this efficient and secure multiple-CSP mechanism, the DU can reconstruct the original file even though $n - t$ CSPs have been compromised, where $t$ is the predefined threshold value. However, the search pattern may be leaked when more than $t$ CSPs collude with each other. Therefore, our proposed schemes combined with Shamir's secret sharing can ensure data security and privacy to some extent.

5. SECURITY AND PERFORMANCE ANALYSIS

In this section, we first analyze the security of our proposed schemes and demonstrate that these schemes satisfy the security requirements presented in Section 3.2. Then, we theoretically compare the computational complexity of our proposed schemes with that of other analogous schemes.
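As an added example (not the paper's own code), the following Python shows the $(t, n)$ threshold behaviour that the extension of Section 4.4 relies on, using standard Shamir sharing [7] over a prime field: each 7-byte block of a file becomes the constant term of a random polynomial of degree $t-1$ (Eq. (7)), CSP $j$ receives the evaluation at $x = j$, any $t$ of the $N$ shares recover the file by Lagrange interpolation at $x = 0$, and fewer than $t$ shares are refused. The prime modulus, the block size and the sample file are constructed for this example, and the polynomial is evaluated at the CSP index rather than at the chunk value as written in Eq. (8); that choice is an assumption of this example, not the paper's construction.

```python
import secrets

# Constructed parameters: a Mersenne prime as the field modulus, and 7-byte blocks
# so that every block value (at most 56 bits) lies below the modulus.
P = (1 << 61) - 1
BLOCK = 7


def _eval_poly(coeffs, x):
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... + coeffs[t-1]*x^(t-1) mod P."""
    y = 0
    for c in reversed(coeffs):
        y = (y * x + c) % P
    return y


def split_file(data, t, n):
    """Return n shares; shares[j-1] is what CSP j stores.
    Each share holds one field element per 7-byte block of the file
    (the last block is zero-padded; the caller keeps len(data) to strip it)."""
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    shares = [[] for _ in range(n)]
    for off in range(0, len(data), BLOCK):
        block = int.from_bytes(data[off:off + BLOCK].ljust(BLOCK, b"\0"), "big")
        # Random polynomial F(x) of degree t-1 with F(0) = block, as in Eq. (7).
        coeffs = [block] + [secrets.randbelow(P) for _ in range(t - 1)]
        for j in range(1, n + 1):
            shares[j - 1].append(_eval_poly(coeffs, j))   # CSP j receives F(j)
    return shares


def _interpolate_at_zero(points):
    """Lagrange interpolation over Z_P: F(0) from t points with distinct x."""
    total = 0
    for xi, yi in points:
        num, den = 1, 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def enough_shares(available, t):
    """Threshold check: reconstruction is only attempted with t or more CSPs."""
    return len(available) >= t


def reconstruct_file(available, t, length):
    """available maps CSP index j (1-based) -> its share list. Any t suffice."""
    if not enough_shares(available, t):
        raise ValueError(f"only {len(available)} shares, threshold is {t}")
    chosen = sorted(available.items())[:t]
    nblocks = len(chosen[0][1])
    out = bytearray()
    for b in range(nblocks):
        out += _interpolate_at_zero([(j, ys[b]) for j, ys in chosen]).to_bytes(BLOCK, "big")
    return bytes(out[:length])


def roundtrip(data, t, n, surviving):
    """Split among n CSPs, then rebuild from the CSP indices listed in `surviving`."""
    shares = split_file(data, t, n)
    return reconstruct_file({j: shares[j - 1] for j in surviving}, t, len(data))


if __name__ == "__main__":
    # Constructed sample file; CSPs 2 and 4 are treated as crashed.
    sample = b"constructed sample record stored across five CSPs"
    print(roundtrip(sample, 3, 5, [1, 3, 5]) == sample)
```

With $t = 3$ and $N = 5$ the file survives any two CSP outages, which is the availability goal (2) of Section 3.2; at the same time any two colluding CSPs hold only two points of a degree-2 polynomial per block, so every block value remains equally likely from their view, which is the collusion bound the text states for fewer than $t$ CSPs.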
Moreover, we conduct an empirical study over a real-world dataset to show the efficiency and feasibility of our proposed schemes in comparison with the ESED [34] and ESPK [35] schemes.

5.1. Security analysis

To prove the security of our proposed basic and enhanced schemes, respectively, we first analyze their fulfilment of the designed security requirements; we then note that data security and robustness can be guaranteed by outsourcing encrypted files to multiple CSPs in both schemes. Besides, our proposed schemes can avoid collusion attacks to some extent, as each file slice is encrypted as $c_{i,j} = \langle g^{r_j}, f_{i,j} \oplus H_2(g_w^{r_j}) \rangle$ in the basic scheme and as $c_{i,j} = \{c = f_{i,j} \cdot e(g_1, g_1)^{\alpha s_j},\ c' = g_1^{s_j} \delta_1,\ c_r = (\beta_r)^{s_j} \delta_2\ \forall w_r \in W, 1 \leq r \leq m\}$ in the enhanced scheme. The trapdoor is obscured by the random elements $\{r_1, \ldots, r_N\}$ or $\{s_1, \ldots, s_N\}$, which are owned only by the authorized DO and DUs; thereby unauthorized entities cannot generate valid search tokens. For the scheme to be secure, malicious CSPs must not infer any valuable information beyond the search results. Specifically, if there exists no probabilistic polynomial-time adversary $\mathcal{A}$ who can deduce any valuable information, the security of our proposed schemes can be proved through the following theorems.

Theorem 1. Our proposed basic scheme is semantically IND-CKA secure assuming that the BDH problem is intractable.

Proof. Let $\mathcal{A}$ be an adversary with advantage $\epsilon$ in breaking our basic scheme. Assume that $\mathcal{A}$ issues at most $q_{H_2}$ queries to the hash function $H_2$ and at most $q_T$ trapdoor queries; then we construct a simulator $\mathcal{B}$ which can solve the BDH problem with advantage at least $\epsilon' = \epsilon / (e\, q_{H_2} q_T)$, where $e$ here denotes the base of the natural logarithm. Given the bilinear map parameters $(G_1, G_2, g, e)$, $\mathcal{B}$ first sets $\varpi_1 = g^{\alpha}$, $\varpi_2 = g^{\beta}$, $\varpi_3 = g^{\gamma}$; its goal is to output $e(g, g)^{\alpha\beta\gamma}$. The simulation between $\mathcal{B}$ and $\mathcal{A}$ proceeds as follows:

KeyGen. $\mathcal{B}$ first sends the public parameters $(g, \varpi_1, g^{r_j})$ to $\mathcal{A}$.

$H_1, H_2$ queries. Before $\mathcal{A}$ issues $H_1$ queries, $\mathcal{B}$ prepares an $H_1$-list of tuples $(w_i, h_i, a_i, b_i)$, which is initially empty. When $\mathcal{A}$ makes a random oracle query $H_1$ at the point $w_j \in \{0,1\}^*$, $\mathcal{B}$ responds with the following steps:
Step 1: If $w_j$ is already in the $H_1$-list, $\mathcal{B}$ returns $H_1(w_j) = h_j \in G_1$. Otherwise, $\mathcal{B}$ generates a random bit $b_j \in \{0,1\}$ such that $\Pr[b_j = 0] = \frac{1}{q_T + 1}$.
Step 2: $\mathcal{B}$ selects a random element $a_j \in \mathbb{Z}_q$; if $b_j = 0$, it sets $h_j = \varpi_2 g^{a_j} \in G_1$; otherwise it sets $h_j = g^{a_j} \in G_1$.

8 Y. Miao, J. Liu and J. Ma SCN-SI-Cyber security, crime and forensics of wireless network and application Step 3: B first adds the tuple (w j, j, a j, b j ) to H 1 -list, then he responds to A through outputting H 1 (w j ) = j. It should be noted that j is uniform in G 1 and is independent of A s view in either way. When A issues H 2 queries, B responds it through selecting a random element 2 {0, 1} n such that H 2 (t) =. To keep track of the whole H 2 queries, B adds the tuple (t, ) toh 2 -list as the same as H 1 -list, where t = g r j w. Trapdoor queries. When A makes the trapdoor queries, B responds it with the following steps: Step 1: B first conducts H 1 queries to gain an j 2 G 1 such that H 1 (w j )= j. Assume that the tuple (w j, j, a j, b j ) belongs to the H 1 -list, B will report failure and terminate if b j =0. Step 2: Ifb j = 1, then j = g a j 2 G 1. B sets T wj = $ a j 1 = ga j = j = H 1 (w j ) and sends it to A. Challenge. A outputs two target keywords w 0 0, w0 1 to be challenged on, then B responds it with the following steps: Step 1: B first conducts the aforementioned algorithm to gain 0, 1 2 G 1 through responding the H 1 queries twice, where 0 = H 1 (w 0 0 ), 1 = H 1 (w 0 1 ). For j =0,1,Badds the tuple (w 0 j, j, a j, b j ) to the H 1 -list. If b 0 =1,b 1 = 1, then B aborts this process. As at least one of b 0, b 1 is equal to 0, B chooses a random bit % 2 {0, 1} such that b % =0. Step 2: B answers this challenge through returning ($ 3, ), where = H 2 (e(h 1 (w 0 % ), $ 1) r j ) 2 {0, 1} n. More trapdoor queries. A continues to conduct the search query for keyword w j, but there exists one restriction that w j w 0 0, w0 1, and B responds these queries as the Trapdoor queries phase. Guess. Finally, A returns its guess % 0 2 {0, 1} which indicates whether the tuple ($ 3, ) is the encryption for keywords w 0 0, w0 1. And B randomly selects a pair (t, ) from H 2 -list and returns t/e($ 1, $ 3 ) a % which is considered as the guess of e(g, g) ˇ. 
Besides, A must have made the query for either H 2 (e(h 1 (w 0 0 ), $ 1 )) or H 2(e(H 1 (w 0 1 ), $ 1 )), and H 2- list should include the pair (t, ) such that t = e(h 1 (w 0 % ), $ 1 ) = e(g, g) (ˇ+a %). If this tuple is chosen by B, then he can gain t/e($ 1, $ 3 ) a % = e(g, g) ˇ. Although earlier analysis can describe the simulation of B, it remains to prove that B can correctly return e(g, g) ˇ with an advantage at least 0. Next, we discuss the advantage that B does not terminate during aforementioned simulation, and present two events: 1 : B does not terminate during A s Trapdoor queries phase. 2 : B does not terminate during the Challenge phase. Finally, we analyze the probability of both events through the following Claims. Claim 1. The probability that B does not terminate during A s Trapdoor queries phase is at least 1/e, namely Pr[ 1 ] 1/e. Claim 2. The probability that B does not terminate during the Challenge phase is at least 1/e, namely Pr[ 2 ] 1/q T. Claim 3. During Challenge phase, A makes H 2 queries for either H 2 (e(h 1 (w 0 0 ), $ 1 )) or H 2(e(H 1 (w 0 1 ), $ 1 )) with an advantage at least 2 in the real attack game. Concerning the proofs of Claim 1, Claim 2, Claim 3, please refer to literature [22]. According to Claim 3, A should have made a query for for either H 2 (e(h 1 (w 0 0 ), $ 1 )) or H 2(e(H 1 (w 0 1 ), $ 1 )) with an advantage at least 2, then we have that A makes a query for H 2 (e(h 1 (w 0 % ), $ 1 )) with an advantage at least. And B can select the correct pair from H 2 -list such that t = e(h 1 (w 0 % ), $ 1 )=e(g(ˇ+a%), g) with an advantage at least 1/q H2. On one hand, B can output the correct response if he does not terminate during aforementioned simulation with an advantage at least /q H2.On the other hand, B does not terminate with an advantage at least 1/eq T. Therefore, B can solve the BDH problem with an advantage at least 0 = /eq T q H2. 
In the basic scheme, the reliability of the outsourced records is guaranteed by distributing the encrypted data across multiple CSPs. Although traditional SE schemes allow DUs to perform search queries over encrypted data, their fundamental limitation is that only specified DUs have access to the encrypted files. With the KP-ABE scheme, we achieve fine-grained access control and expressive search capability. Next, we present the security proof of our enhanced scheme in Theorem 2.

Theorem 2. If Assumptions 1, 2 and 3 hold, then our enhanced scheme is secure.

Proof. In the composite-order bilinear group, the different subgroups of $G_1$ play different roles. The elements of $G_{q_1}$ are used to perform encryption, the subgroup $G_{q_2}$ is treated as the semi-functional space and is used in the proof, $G_{q_3}$ is used to generate random elements, and the anonymity of the ciphertext is ensured by the subgroup $G_{q_4}$. Keys and ciphertexts are called semi-functional if they contain elements of $G_{q_2}$. Because of orthogonality, the $G_{q_2}$ components cancel when pairing a normal key with a semi-functional ciphertext, or a semi-functional key with a normal ciphertext; they do not cancel when pairing a semi-functional key with a semi-functional ciphertext, so the Test algorithm fails. If the cancellation nevertheless occurs and the Test algorithm succeeds, the key is semi-functional. Next, we define semi-functional keys and ciphertexts.

Let $g_1, g_2$ be generators of $G_{q_1}, G_{q_2}$, respectively. There are two kinds of semi-functional keys; the first type is generated as follows. A random vector $\vec v_2$ is chosen, the value $A^{(i)} \cdot \vec v_2$ is computed for each row $A^{(i)}$, and a set of random elements indexed by $i$ is chosen; the key is then defined by Eq. (9):

K 1 (i) = ga (i)! v 1 K(i) 2 = g (i) 1 ' (i),2 g (i) 2 1ˇ(i) (i) ' (i),1 g (i)+ (i) r (i) 2 (9)

The second type is generated through Eq. (10) and is very similar to the first type:

K(i) 1 = ga (i)! v 1 ( 1ˇ(i) ) (i) ' (i),1 g (i) 2, K(i) 2 = g (i) 1 ' (i),2 (10)

Suppose $\nu_1, \nu_2 \in G_{q_4}$, $x$ and $r_i$ are random elements, and $W$ is the challenged keyword set; then the semi-functional ciphertext is formed by Eq. (11):

$$c_0 = g_1^{s_j}\, g_2^{x}\, \nu_1, \qquad c_{i_b} = (\beta_{i_b})^{s_j}\, g_2^{x r_{i_b}}\, \nu_2, \quad \forall w_{i_b} \in W \quad (11)$$

It is worth noting that the following relation arises when a semi-functional key is used to decrypt a semi-functional ciphertext. If $\vec v_2 \cdot \vec 1 = 0$, the first-type semi-functional key is called a nominally semi-functional key, and the equation
$$e(g_2, g_2)^{\sum_{i \in W} x\, w^{(i)}\, (A^{(i)} \cdot \vec v_2)} = e(g_2, g_2)^{x\, \vec v_2 \cdot \vec 1}$$
holds, where $\vec 1$ denotes the vector whose first entry is 1 and whose other entries are 0. Based on the three assumptions above, a sequence of games is given in the following. $\mathrm{Game}_{real}$ is the real security game, in which the challenge ciphertext and all keys are normal. In $\mathrm{Game}_0$, the keys are normal and the ciphertext is semi-functional.
Let $n$ be the number of trapdoor key queries made by the adversary; for $t \in \{1, \ldots, n\}$, the games are defined as follows:

$\mathrm{Game}_{t,1}$: the first $t-1$ trapdoor keys are semi-functional of the second type and the remaining trapdoor keys are normal. In addition, the challenge ciphertext is semi-functional.

$\mathrm{Game}_{t,2}$: the first $t-1$ trapdoor keys are semi-functional of the first type and the remaining trapdoor keys are normal. In addition, the challenge ciphertext is semi-functional.

Notice that in $\mathrm{Game}_{n,2}$ all trapdoor keys are semi-functional of the second type.

$\mathrm{Game}_{final}$: all trapdoor keys are semi-functional of the second type, and the ciphertext $C = \{c_{i,j}, c_0, c_i\}$ is a semi-functional encryption of a random message, independent of the two challenge ciphertexts above. Thus, the advantage of the adversary in $\mathrm{Game}_{final}$ is 0. To prove the security of our proposed enhanced scheme, we use the following lemmas to show that these games are indistinguishable.

Lemma 1. Let $\mathcal{A}$ be a polynomial-time algorithm with $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{real}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_0} = \varepsilon$. Then we can construct a polynomial-time algorithm $\mathcal{B}$ that breaks Assumption 1 with advantage $\varepsilon$.

Proof. Given the tuple $\{g_1,\ \beta_1 = g_1^{\varpi},\ g_3,\ g_4,\ (\beta_1 g_4)^{s_j},\ T\}$, where $T$ is the challenge element, $\mathcal{B}$ simulates either $\mathrm{Game}_{real}$ or $\mathrm{Game}_0$ with $\mathcal{A}$, where $\varpi, s_j \in \mathbb{Z}_q$ are randomly selected and $g_3$ is the generator of $G_{q_3}$. $\mathcal{B}$ first chooses random elements in $\mathbb{Z}_q$ (including $r$) and sends the public parameters to $\mathcal{A}$; since $\mathcal{B}$ knows $msk$, it answers $\mathcal{A}$'s key requests by running the usual key generation algorithm to produce normal keys. To generate the challenge ciphertext for $f_{i,j}$, which contains the challenged keyword set $W$, $\mathcal{B}$ first selects random elements $\nu_1 = g_4^{\rho_1}$ and $\nu_2 = g_4^{\rho_2}$ with $\rho_1, \rho_2 \in \mathbb{Z}_q$, and implicitly sets $s_j$ such that $g_1^{s_j}$ is the $G_{q_1}$ part of $T$, where $T$ is the product of $g_1^{s_j}$ and an element of $G_{q_2}$. The challenge ciphertext is formed by Eq. (12):

$$c = f_{i,j}\, e(g_1, g_1)^{s_j} = f_{i,j}\, e(g_1, T), \qquad c_0 = T\, \nu_1, \qquad c_r = (\beta_r)^{s_j}\, \nu_2, \quad r \in \{1, \ldots, m\} \quad (12)$$

If $T = g_1^{s_j}$, the above challenge ciphertext is normal. If $T = g_1^{s_j} X_2$ with $X_2 \in G_{q_2}$, it is a semi-functional ciphertext. Therefore, $\mathcal{B}$ breaks Assumption 1 with advantage $\varepsilon$ by simulating with $\mathcal{A}$.

Lemma 2. Let $\mathcal{A}$ be a polynomial-time algorithm with $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{t-1,2}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{t,1}} = \varepsilon$. Then we can construct a polynomial-time algorithm $\mathcal{B}$ that breaks Assumption 2 with advantage $\varepsilon$.

Lemma 3. Let $\mathcal{A}$ be a polynomial-time algorithm with $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{t,1}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{t,2}} = \varepsilon$. Then we can construct a polynomial-time algorithm $\mathcal{B}$ that breaks Assumption 2 with advantage $\varepsilon$.

Lemma 4. Let $\mathcal{A}$ be a polynomial-time algorithm with $\mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{n,2}} - \mathrm{Adv}_{\mathcal{A}}^{\mathrm{Game}_{final}} = \varepsilon$. Then we can construct a polynomial-time algorithm $\mathcal{B}$ that breaks Assumption 3 with advantage $\varepsilon$.

For the concrete proofs of Lemmas 2, 3 and 4, please refer to [34]. If the three assumptions above hold, then by the above lemmas $\mathrm{Game}_{real}$ is indistinguishable from $\mathrm{Game}_{final}$, and the adversary cannot deduce which message is encrypted. Thus, no adversary gains a non-negligible advantage in breaking the security of our proposed enhanced scheme.

5.2. Performance analysis

In this part, we use the Type A curves of the Pairing Based Cryptography (PBC) library to evaluate the efficiency of our proposed schemes in terms of asymptotic computational complexity and actual execution time. The experiments are implemented on an Ubuntu server with an Intel Core i5 processor at 2.3 GHz, using the C language and the PBC library. In the PBC library, Type A denotes the curve $E(\mathbb{F}_q): y^2 = x^3 + x$; $G_1$ is a subgroup of $E(\mathbb{F}_q)$ and the cyclic group $G_2$ is a subgroup of $E(\mathbb{F}_{q^2})$, where $q$ is a large prime. The group order of $G_1$ is 160 bits, and the base field is 512 bits. The asymptotic computational complexity mainly depends on the pairing operation ($p$), the exponentiation operation ($e$) and the hash operations ($h_1$, $h_2$) in the Encryption (Enc), Trapdoor (Trap) and Test algorithms, where $h_1$ maps a string to a point in $G_1$, $h_2$ maps a point in $G_2$ to a string, and $m$, $N$ denote the number of keyword fields and the number of CSPs, respectively. The theoretical analysis of computational complexity is shown in Table IV.
Table IV. Asymptotic performance analysis.

Schemes     Enc                       Trap         Test
ESED [34]   2(m + 2)e                 4le          2lp + le
ESPK [35]   (m + 2)e + p              4le          le + 3lp
Basic       h_1 + p + N(h_2 + e)      h_1 + Ne     2Np
Enhanced    N(m + 2)e                 3le          Ne

m: Number of keyword fields; N: Number of CSPs; l: Number of submitted keywords.

From Table IV, we notice that our basic scheme has lower computational cost than the other schemes in the Enc algorithm when $1 \le N \le 10$, since the computational burden of the other three schemes grows with $m$, where $1 \le m \le 1000$. Although our enhanced scheme has a heavier computational burden than the other schemes, it supports the multi-cloud setting without additional computational cost. In the Trap algorithm, our proposed schemes are clearly superior to the other two schemes, as the value of $N$ is very small. In the Test algorithm, the computational complexity of our proposed schemes is similar to that of the ESED and ESPK schemes when $m$ and $N$ are very small, while our proposed schemes cost less than the other two schemes as $l$ increases. Therefore, our schemes are efficient and scalable in a broad range of actual applications.

Moreover, we also conduct an empirical study over a real-world dataset, namely the Enron dataset, to evaluate the actual performance of the four schemes above. The dataset contains half a million files and has also been used in much other work. We first randomly select 1000 files from the dataset, then set $1 \le N \le 10$ and $1 \le m \le 1000$ and run each experiment 100 times; finally, we report the actual performance of the aforementioned schemes as a function of $m$, $N$ and the number of submitted keywords $l$ ($1 \le l \le 100$).

Figure 3. Computational cost of encryption algorithm in different schemes.

Figure 4. Computational cost of trapdoor generation in different schemes.

Figure 5. Computational cost of test algorithm in different schemes.

In Figure 3, we show how the computational cost of the Enc algorithm varies with $m$ and $N$. For comparison, we set $N = 10$. The experimental results show that the computational costs of the ESED [34] and ESPK [35] schemes are slightly lower than those of our proposed schemes when $m$ is small. However, our basic scheme is much more efficient than the ESED and ESPK schemes as $m$ increases. Therefore, our proposed schemes are acceptable, as they support the multi-cloud setting without incurring extra computational burden. In addition, because the computation imposed on DO is a one-time cost and does not affect the user's search experience, the computational cost of the Enc algorithm is completely acceptable in actual scenarios.

Next, we show the computational costs of the Trap algorithm in Figure 4. For convenience, we still set $N = 10$. The computational cost of the ESED scheme is similar to that of the ESPK scheme in the Trap algorithm, while both of our proposed schemes have a lower computational burden than the other schemes. In particular, the computational cost of our basic scheme changes little as $l$ increases.

Finally, the computational costs of the Test algorithm are given in Figure 5. We notice that the computational burden of the ESED and ESPK schemes depends on $l$, while that of our proposed schemes grows with $N$. To meet the demands of practical applications, we set $1 \le l \le 100$ and $1 \le N \le 10$. Because $N \ll l$, our proposed schemes are more effective than the other two schemes in the Test algorithm. From the figures above, we notice that the actual performance evaluation is in complete accord with the theoretical study of computational complexity shown in Table IV. Therefore, our proposed schemes are feasible and scalable in practical applications.

6. CONCLUSION AND FUTURE WORK

Different from existing SE schemes, we have proposed two efficient schemes in the more challenging multi-cloud model to admit a wide range of practical applications. Based on IBE and KP-ABE, respectively, our proposed basic scheme and enhanced scheme meet distinct application requirements. Our basic scheme suits general scenarios and supports single-keyword search, while our enhanced scheme supports expressive search and fine-grained access control to prevent illegal access. To eliminate threats caused by a single CSP (such as single-point failure), we divide files into $N$ slices and distribute each encrypted file slice to a different CSP to ensure data availability. Furthermore, we extend Shamir's $(t, n)$ secret sharing scheme into our proposed schemes to improve robustness. Formal security analysis proves that our proposed schemes are secure, and experimental results over a real-world dataset show the efficiency and feasibility of our proposed schemes in practice. As part of our future work, we need to further improve the performance of SE schemes to achieve more efficient and expressive search over encrypted data.

ACKNOWLEDGEMENTS

This work was supported by the National High Technology Research and Development Program (863 Program) (No. 2015AA and No. 2015AA011704), the Key Program of NSFC (No. U and No. U ), the Changjiang Scholars and Innovation Research Team in University (No. IRT1078), the Fundamental Research Funds for the Central Universities (No. JY ) and the Major Nature Science Foundation of China (No and No ).

More information

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme

Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Improvement of Camenisch-Neven-Shelat Oblivious Transfer Scheme Zhengjun Cao and Hanyue Cao Department of Mathematics, Shanghai University, Shanghai, China caozhj@shu.edu.cn Abstract. In 2007, Camenisch,

More information

ENCRYPTED KEY SEARCHING FOR DATA SHARING OVER GROUPS IN THE CLOUD STORAGE THEJA #1, GARREPALLI PRASAD #2,

ENCRYPTED KEY SEARCHING FOR DATA SHARING OVER GROUPS IN THE CLOUD STORAGE THEJA #1, GARREPALLI PRASAD #2, ENCRYPTED KEY SEARCHING FOR DATA SHARING OVER GROUPS IN THE CLOUD STORAGE THEJA #1, GARREPALLI PRASAD #2, DEPARTMENT OF CSE SAHAJA INSTITUTE OF TECHNOLOGY & SCIENCES FOR WOMEN, KARIMNAGAR ABSTRACT: The

More information

SECURE MULTI-KEYWORD TOP KEY RANKED SEARCH SCHEME OVER ENCRYPTED CLOUD DATA

SECURE MULTI-KEYWORD TOP KEY RANKED SEARCH SCHEME OVER ENCRYPTED CLOUD DATA Research Manuscript Title SECURE MULTI-KEYWORD TOP KEY RANKED SEARCH SCHEME OVER ENCRYPTED CLOUD DATA Dr.B.Kalaavathi, SM.Keerthana, N.Renugadevi Professor, Assistant professor, PGScholar Department of

More information

Efficient Generation of Linear Secret Sharing. Scheme Matrices from Threshold Access Trees

Efficient Generation of Linear Secret Sharing. Scheme Matrices from Threshold Access Trees Efficient Generation of Linear Secret Sharing 1 Scheme Matrices from Threshold Access Trees Zhen Liu, Zhenfu Cao, and Duncan S. Wong Abstract Linear Secret Sharing Scheme (LSSS) matrices are commonly used

More information

The need for secure cloud computing and cloud storage systems

The need for secure cloud computing and cloud storage systems 1 A Generic Construction for Verifiable Attribute-based Keyword Search Schemes Mohammmad Hassan Ameri, Maryam Raabzadeh Assar, Javad Mohaeri, Mahmoud Salmasizadeh Abstract Cloud data owners encrypt their

More information

EFFICIENT DATA SHARING WITH ATTRIBUTE REVOCATION FOR CLOUD STORAGE

EFFICIENT DATA SHARING WITH ATTRIBUTE REVOCATION FOR CLOUD STORAGE EFFICIENT DATA SHARING WITH ATTRIBUTE REVOCATION FOR CLOUD STORAGE Chakali Sasirekha 1, K. Govardhan Reddy 2 1 M.Tech student, CSE, Kottam college of Engineering, Chinnatekuru(V),Kurnool,Andhra Pradesh,

More information

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud

Survey Paper on Efficient and Secure Dynamic Auditing Protocol for Data Storage in Cloud Available Online at www.ijcsmc.com International Journal of Computer Science and Mobile Computing A Monthly Journal of Computer Science and Information Technology IJCSMC, Vol. 3, Issue. 1, January 2014,

More information

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018 CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup

More information

Attribute-Based Encryption. Allison Lewko, Microsoft Research

Attribute-Based Encryption. Allison Lewko, Microsoft Research Attribute-Based Encryption Allison Lewko, Microsoft Research The Cast of Characters This talk will feature work by: Brent Waters Amit Sahai Vipul Goyal Omkant Pandey With special guest appearances by:

More information

Lectures 4+5: The (In)Security of Encrypted Search

Lectures 4+5: The (In)Security of Encrypted Search Lectures 4+5: The (In)Security of Encrypted Search Contents 1 Overview 1 2 Data Structures 2 3 Syntax 3 4 Security 4 4.1 Formalizing Leaky Primitives.......................... 5 1 Overview In the first

More information

Lecture 10, Zero Knowledge Proofs, Secure Computation

Lecture 10, Zero Knowledge Proofs, Secure Computation CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last

More information

Brief Introduction to Provable Security

Brief Introduction to Provable Security Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of

More information

An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara

An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara An Efficient Verifiable Multi-Authority Secret Access control scheme in Cloud Storage M.Sreelakshmi & P.Gangadhara 1 M.Tech, Dept of CSE,Shri Shirdi Sai Institute of Science and Engineering, Affiliated

More information

Authenticating compromisable storage systems

Authenticating compromisable storage systems Authenticating compromisable storage systems Jiangshan Yu Interdisciplinary Center for Security, Reliability and Trust University of Luxembourg Email: jiangshan.yu@uni.lu Mark Ryan School of Computer Science

More information

On the security of a certificateless signature scheme in the standard model

On the security of a certificateless signature scheme in the standard model On the security of a certificateless signature scheme in the standard model Lin Cheng, Qiaoyan Wen, Zhengping Jin, Hua Zhang State Key Laboratory of Networking and Switch Technology, Beijing University

More information

Improved Attack on Full-round Grain-128

Improved Attack on Full-round Grain-128 Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,

More information

1 A Tale of Two Lovers

1 A Tale of Two Lovers CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.

More information

Lecture 18 - Chosen Ciphertext Security

Lecture 18 - Chosen Ciphertext Security Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not

More information

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017

Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Security Analysis and Modification of ID-Based Encryption with Equality Test from ACISP 2017 Hyung Tae Lee 1, Huaxiong Wang 2, Kai Zhang 3, 4 1 Chonbuk National University, Republic of Korea 2 Nanyang

More information

MULTI - KEYWORD RANKED SEARCH OVER ENCRYPTED DATA SUPPORTING SYNONYM QUERY

MULTI - KEYWORD RANKED SEARCH OVER ENCRYPTED DATA SUPPORTING SYNONYM QUERY ISSN: 0976-3104 SPECIAL ISSUE Jayanthi and Prabadevi RESEARCH OPEN ACCESS MULTI - KEYWORD RANKED SEARCH OVER ENCRYPTED DATA SUPPORTING SYNONYM QUERY Jayanthi M.* and Prabadevi School of Information Technology

More information

IMPROVING DATA SECURITY USING ATTRIBUTE BASED BROADCAST ENCRYPTION IN CLOUD COMPUTING

IMPROVING DATA SECURITY USING ATTRIBUTE BASED BROADCAST ENCRYPTION IN CLOUD COMPUTING IMPROVING DATA SECURITY USING ATTRIBUTE BASED BROADCAST ENCRYPTION IN CLOUD COMPUTING 1 K.Kamalakannan, 2 Mrs.Hemlathadhevi Abstract -- Personal health record (PHR) is an patient-centric model of health

More information

Introduction to Secure Multi-Party Computation

Introduction to Secure Multi-Party Computation CS 380S Introduction to Secure Multi-Party Computation Vitaly Shmatikov slide 1 Motivation General framework for describing computation between parties who do not trust each other Example: elections N

More information

Chapter 10 : Private-Key Management and the Public-Key Revolution

Chapter 10 : Private-Key Management and the Public-Key Revolution COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management

More information

Stateful Key Encapsulation Mechanism

Stateful Key Encapsulation Mechanism Stateful Key Encapsulation Mechanism Peng Yang, 1 Rui Zhang, 2 Kanta Matsuura 1 and Hideki Imai 2 The concept of stateful encryption was introduced to reduce computation cost of conventional public key

More information

Privacy Preserving Collaborative Filtering

Privacy Preserving Collaborative Filtering Privacy Preserving Collaborative Filtering Emily Mu, Christopher Shao, Vivek Miglani May 2017 1 Abstract As machine learning and data mining techniques continue to grow in popularity, it has become ever

More information

Introduction to Cryptography Lecture 7

Introduction to Cryptography Lecture 7 Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing

More information

IND-CCA2 secure cryptosystems, Dan Bogdanov

IND-CCA2 secure cryptosystems, Dan Bogdanov MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results

More information

Verifiably Encrypted Signature Scheme with Threshold Adjudication

Verifiably Encrypted Signature Scheme with Threshold Adjudication Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,

More information

SETUP in secret sharing schemes using random values

SETUP in secret sharing schemes using random values SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 2016; 9:6034 6041 Published online 3 February 2017 in Wiley Online Library (wileyonlinelibrary.com)..1755 RESEARCH ARTICLE SETUP in secret sharing

More information

Random Oracles - OAEP

Random Oracles - OAEP Random Oracles - OAEP Anatoliy Gliberman, Dmitry Zontov, Patrick Nordahl September 23, 2004 Reading Overview There are two papers presented this week. The first paper, Random Oracles are Practical: A Paradigm

More information

Computational Security, Stream and Block Cipher Functions

Computational Security, Stream and Block Cipher Functions Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for

More information

Notes for Lecture 14

Notes for Lecture 14 COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e

More information

Remove Key Escrow from The Identity-Based Encryption System

Remove Key Escrow from The Identity-Based Encryption System Remove Key Escrow from The Identity-Based Encryption System Zhaohui Cheng@mdx.ac.uk Abstract Key escrow is an inherent property in the current proposed Identity- Based Encryption (IBE) systems. However

More information

Secure Remote Storage Using Oblivious RAM

Secure Remote Storage Using Oblivious RAM Secure Remote Storage Using Oblivious RAM Giovanni Malloy Mentors: Georgios Kellaris, Kobbi Nissim August 11, 2016 Abstract Oblivious RAM (ORAM) is a protocol that allows a user to access the data she

More information

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption

Introduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that

More information

A LTERATURE SURVEY ON REVOCABLE MULTIAUTHORITY CIPHER TEXT-POLICY ATTRIBUTE-BASED ENCRYPTION (CP-ABE) SCHEME FOR CLOUD STORAGE

A LTERATURE SURVEY ON REVOCABLE MULTIAUTHORITY CIPHER TEXT-POLICY ATTRIBUTE-BASED ENCRYPTION (CP-ABE) SCHEME FOR CLOUD STORAGE A LTERATURE SURVEY ON REVOCABLE MULTIAUTHORITY CIPHER TEXT-POLICY ATTRIBUTE-BASED ENCRYPTION (CP-ABE) SCHEME FOR CLOUD STORAGE Vinoth Kumar P, Dr.P.D.R. Vijaya Kumar 1 PG Student, INFO Institute of Engineering,

More information

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY

SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY SECURE AND ANONYMOUS HYBRID ENCRYPTION FROM CODING THEORY Edoardo Persichetti University of Warsaw 06 June 2013 (UNIVERSITY OF WARSAW) SECURE AND ANONYMOUS KEM 06 JUNE 2013 1 / 20 Part I PRELIMINARIES

More information

An efficient and practical solution to secure password-authenticated scheme using smart card

An efficient and practical solution to secure password-authenticated scheme using smart card An efficient and practical solution to secure password-authenticated scheme using smart card R. Deepa 1, R. Prabhu M.Tech 2, PG Research scholor 1, Head of the Department 2 Dept.of Information Technology,

More information

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this

Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways of doing this Lecturers: Mark D. Ryan and David Galindo. Cryptography 2015. Slide: 74 Block ciphers used to encode messages longer than block size Needs to be done correctly to preserve security Will look at five ways

More information

International Journal of Science Engineering and Advance Technology, IJSEAT,Vol.3,Issue 8

International Journal of Science Engineering and Advance Technology, IJSEAT,Vol.3,Issue 8 Multi-keyword Ranked Search over Encrypted Cloud Data Using RSA Algorithm KandiKattu Balaji Swamy 1, K.KISHORE RAJU 2 1 M.Tech (Information Technology), S.R.K.R ENGINEERING COLLEGE, A.P., India. 2 ASSISTANT

More information

1 Defining Message authentication

1 Defining Message authentication ISA 562: Information Security, Theory and Practice Lecture 3 1 Defining Message authentication 1.1 Defining MAC schemes In the last lecture we saw that, even if our data is encrypted, a clever adversary

More information

CLUSTERING is one major task of exploratory data. Practical Privacy-Preserving MapReduce Based K-means Clustering over Large-scale Dataset

CLUSTERING is one major task of exploratory data. Practical Privacy-Preserving MapReduce Based K-means Clustering over Large-scale Dataset 1 Practical Privacy-Preserving MapReduce Based K-means Clustering over Large-scale Dataset Jiawei Yuan, Member, IEEE, Yifan Tian, Student Member, IEEE Abstract Clustering techniques have been widely adopted

More information

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1 ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters

More information

EXECUTION OF PRIVACY - PRESERVING MULTI-KEYWORD POSITIONED SEARCH OVER CLOUD INFORMATION

EXECUTION OF PRIVACY - PRESERVING MULTI-KEYWORD POSITIONED SEARCH OVER CLOUD INFORMATION EXECUTION OF PRIVACY - PRESERVING MULTI-KEYWORD POSITIONED SEARCH OVER CLOUD INFORMATION Sunitha. N 1 and Prof. B. Sakthivel 2 sunithank.dvg@gmail.com and everrock17@gmail.com 1PG Student and 2 Professor

More information

Lecture 15: Public Key Encryption: I

Lecture 15: Public Key Encryption: I CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used

More information

A modified eck model with stronger security for tripartite authenticated key exchange

A modified eck model with stronger security for tripartite authenticated key exchange A modified eck model with stronger security for tripartite authenticated key exchange Qingfeng Cheng, Chuangui Ma, Fushan Wei Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002,

More information

Multi-authority attribute based encryption with honest-but-curious central authority

Multi-authority attribute based encryption with honest-but-curious central authority Multi-authority attribute based encryption with honest-but-curious central authority Vladimir Božović 1, Daniel Socek 2, Rainer Steinwandt 1, and Viktória I. Villányi 1 1 Department of Mathematical Sciences,

More information

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack

Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA

More information

Contributions to pairing-based cryptography

Contributions to pairing-based cryptography University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2010 Contributions to pairing-based cryptography Tsz Hon Yuen University

More information

Using Commutative Encryption to Share a Secret

Using Commutative Encryption to Share a Secret Using Commutative Encryption to Share a Secret Saied Hosseini Khayat August 18, 2008 Abstract It is shown how to use commutative encryption to share a secret. Suppose Alice wants to share a secret with

More information

CSC 5930/9010 Modern Cryptography: Public Key Cryptography

CSC 5930/9010 Modern Cryptography: Public Key Cryptography CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract

More information

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75 Block cipher modes Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 75 Lecturers: Mark D. Ryan and David Galindo. Cryptography 2017. Slide: 76 Block cipher modes Block ciphers (like

More information

SECURE SHARING OF DATA IN PRIVATE CLOUD BY RSA OAEP ALGORITHM. SRM University, Chennai

SECURE SHARING OF DATA IN PRIVATE CLOUD BY RSA OAEP ALGORITHM. SRM University, Chennai Volume 115 No. 6 2017, 689-695 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu ijpam.eu SECURE SHARING OF DATA IN PRIVATE CLOUD BY RSA OAEP ALGORITHM S. Selvakumar

More information

Private Web Search with Malicious Adversaries

Private Web Search with Malicious Adversaries Private Web Search with Malicious Adversaries Yehuda Lindell Erez Waisbard March 24, 20 Abstract Web search has become an integral part of our lives and we use it daily for business and pleasure. Unfortunately,

More information

Crypto Background & Concepts SGX Software Attestation

Crypto Background & Concepts SGX Software Attestation CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course

More information

Notes for Lecture 24

Notes for Lecture 24 U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof

More information

Secure Role-Based Access Control on Encrypted Data in Cloud Storage using ARM

Secure Role-Based Access Control on Encrypted Data in Cloud Storage using ARM Secure Role-Based Access Control on Encrypted Data in Cloud Storage using ARM Rohini Vidhate, V. D. Shinde Abstract With the rapid developments occurring in cloud computing and services, there has been

More information