Searchable attribute-based encryption scheme with attribute ... - PLOS

RESEARCH ARTICLE

Searchable attribute-based encryption scheme with attribute revocation in cloud storage Shangping Wang1, Duqiao Zhao1*, Yaling Zhang2 1 School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China, 2 School of Computer Science, Xi’an University of Technology, Xi’an, Shaanxi, China * [email protected]

a1111111111 a1111111111 a1111111111 a1111111111 a1111111111

OPEN ACCESS Citation: Wang S, Zhao D, Zhang Y (2017) Searchable attribute-based encryption scheme with attribute revocation in cloud storage. PLoS ONE 12 (8): e0183459. https://doi.org/10.1371/journal. pone.0183459 Editor: Yeng-Tseng Wang, Kaohsiung Medical University, TAIWAN

Abstract Attribute based encryption (ABE) is a good way to achieve flexible and secure access control to data, and attribute revocation is the extension of the attribute-based encryption, and the keyword search is an indispensable part for cloud storage. The combination of both has an important application in the cloud storage. In this paper, we construct a searchable attribute-based encryption scheme with attribute revocation in cloud storage, the keyword search in our scheme is attribute based with access control, when the search succeeds, the cloud server returns the corresponding cipher text to user and the user can decrypt the cipher text definitely. Besides, our scheme supports multiple keywords search, which makes the scheme more practical. Under the assumption of decisional bilinear Diffie-Hellman exponent (q-BDHE) and decisional Diffie-Hellman (DDH) in the selective security model, we prove that our scheme is secure.

Received: October 19, 2016 Accepted: August 6, 2017 Published: August 31, 2017 Copyright: © 2017 Wang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited. Data Availability Statement: All relevant data are within the paper and its Supporting Information files. Funding: This work is supported by the National Natural Science Foundation of China under grants 61572019, 61173192, and the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China under Grant No. 2016JZ001. Competing interests: The authors have declared that no competing interests exist.

Introduction In 2005, Waters et al.[1] came up with the concept of ABE(Attribute-Based Encryption) which was much more flexible than traditional public-key encryption. With the development and deepening of ABE, the attribute revocation of ABE is concerned by more and more people. The efficient attributes revocation scheme is an integral part of ABE scheme, which is one of the difficulties for the application of ABE, and the study of ABE is inseparable from the attribute revocation scheme research. P. Traynor et al.[2] put forward a scheme which achieved the update of secret key in 2006. However, it needed that the user must kept close contact with attribute authority to get the secret key. Thereafter, Kumar et al.[3] presented a scheme with revocation of ABE, and it expanded from the IBE which they proposed before. All of these articles demand that users need to access the attribute authority for key reissuing at regular intervals. In 2008, Jiang et al.[4] gave a scheme that solved the key misused problem of users. However, in this scheme, the third party should be included in each decryption key of users, and made it was unrealistic. After that, Kim et al.[5] inserted the users’ information in the secret

PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017

1 / 20

Searchable attribute-based encryption scheme with attribute revocation in cloud storage

key of attribute by using the black box model and sent it to the user, which was more efficient to guarantee the security of the system. Attrapadung et al.[6] put forward the two revocation models, they are direct revocation model and indirect revocation model. The direct revocation model is specified the revocation list by sender, and the indirect revocation model updates the secret key periodically by the key center. In [7] [8], the authors gave some ABE instances. However, in the above schemes, they do not relate to the keyword search issue, which makes users can not effectively search for files. To overcome this problem, Boneth et al. [9] proposed a single keyword search scheme, namely the user can only search a single keyword. In this scheme, the data owner extracted the keywords from the file before encrypted, and used the public key to encrypt the keywords. After that, the data owner sent the file and the index of the keywords to the cloud server. The user could generate the search token about the keywords which he wanted to search and sent it to the cloud server. The cloud server used the matching algorithm to find out the cipher text and returned it if the match was successful. Searchable encryption has many practical applications. In 2011, Kerschbaum et al.[10] proposed a secure conjunctive keyword searches for unstructured text scheme, and the scheme was proved secure in the random oracle model. At the same year, Cao et al.[11] and Chuanh et al.[12] gave schemes that the multi-keyword search over encrypted data. In 2014, Han et al. [13] proposed an attribute based encryption (ABE) searchable scheme, in which used the homomorphic encryption technology. Sahai et al. [14] gave a outsourcing technique based on the scheme of Gentry et al.[15]. After that, Liang K et al. [16] proposed a searchable ABE mechanism with efficient and secure in cloud storage. This model can be applied to real life, such as the safety of electric power system. And the scheme is secure in the random oracle model. Later, Li et al. [17] proposed a searchable ABE scheme with attribute revocation in cloud storage. Willy Susilo et al.[18] proposed a searchable scheme, and it supported multiple keywords search. At the same time, Li J et al.[19] made a searchable CP-ABE with revocation. In this scheme, the receivers could not steal any information from the cipher because of the access structures were partially hidden, which made the scheme more secure. In 2016, Wen et al. [20] proposed a verifiable attribute-based keyword search scheme with fine-grained owner-enforced search authorization in the cloud. This scheme supports user revocation. Besides, it allows data owners encrypt the data and outsource to the cloud server. In the same year, Yang et al. [21] proposed a conjunctive keyword search scheme with designated tester. User can search within a specified time if he is authorized, and it is proved secure in the standard model. In 2017, Jiang et al. [22] proposed a keyword search scheme with efficiency and verification in cloud data, and it allows multi-keyword search. Finally, they gave the security analysis in the scheme. Later, Poon et al.[23] constructed a conjunctive keyword search scheme. This scheme allows phrase search, and has smaller storage cost.

Our contribution In 2012, Qiang Li et al.[24] put forward a scheme with fine-grained attribute revocation. However, the scheme only achieves the attribute revocation, the keyword search is not involved, this problem may lead to the problem that system users cannot effectively download cipher text which they interested from the cloud server. In this paper, we propose a keyword search attribute based encryption scheme with attribute revocation. The new scheme supports not only the attribute revocation but also keyword search. When a user wants to search the file which he interests, he sends the search token to


2 / 20


the cloud server, and the cloud server runs the test algorithm. If the test is successful, it returns the file. In this way, the user can download the file which he interests and save the storage space at the same time. Finally, under the assumption of q-BDHE and DDH in the selective security model, we prove that our scheme is secure.

Preliminaries A linear secret sharing scheme can be used to represent an access control policy (M, ρ), which M is an l×k matrix, and S = {att1, . . ., attn} be an attribute set, and for i 2 [1,l], ρ(i) ! S is a mapping function, and ρ(i) maps a row into the attribute.

Linear Secret-Sharing Scheme (LSSS) [25] A linear secret sharing scheme includes two algorithms: Share: In this step, it is dispersing the secret value s to attributes specified by ρ as follows: by R ~ ¼ ðs; v2 ; . . . ; vk Þ and computing li ¼ Mi V ~ where Mi is the selecting v2 ; . . . ; vk! Zp ,setting V ith row of M,it assigns secrets share λi to the attribute ρ(i). Combine: In this step, it is used to collect the secret value from secret shares which related to the attributes as follows: selecting subset I = {i: ρ(i) 2 S} the attribute set {ρ(i) | i 2 I} satisfies access control strategy (M, ρ), and computing coefficients ki, i 2 I such that ∑i2I kiMi = (1,0,. . ., 0), then we will obtain that ∑i2I kiλi = s.

Decisional q-BDHE assumption [24] The definition of the decisional q-BDHE exponent assumption in our article as follows: Choose a group G1 of prime order p, let g be a generator of G1, and define e: G1 × G1 ! G2, the adversary is given a vector q

2

qþ2

2q

ðg; g s ; g a ; g a ; . . . ; g a ; g a ; . . . ; g a Þ 2 G2qþ1 1 We say that the Decision q-BDHE assumption holds in G1 if no polynomial-time algorithm has a non-negligible advantage to distinguish eðg; gÞ

saqþ1

and a random element in G2.

Zero Inner-product [24] The ID represents the identity of user which associated with user’s private key. Define a vector X = (x1,. . .,xn)T such that xi = IDi-1, i 2 [1, n]. To encrypt with a revoked user set R = {ID1, , IDq}, one defines as Y = (y1,. . ., yn)T, the coefficient vector of PR[Z] from qþ1 X

PR ½Z ¼

yi Z i

i¼1

1

Y ¼

ðZ

IDj Þ

IDj 2R

where, if q + 1 < n, the coordinates yq+2, ,yn are set to 0. By doing so, we note that PR[ID] = = 0 iff ID 2 R. For example, if the user ID1 in the revoked user set R = {ID1, ID3}, we have that Y PR ½ID1 ¼< X; Y >¼ ðID1 IDj Þ ¼ 0. IDj 2R

Decisional DDH assumption [10] Let G1 is a group which prime order is p, let g be a generator of G1, and give a tuple (g, ga, gb) R

where a; b 2 Zp , we say that the decisional DDH assumption holds if no polynomial time


3 / 20


Fig 1. System model of our scheme https://doi.org/10.1371/journal.pone.0183459.g001

algorithm has a non-negligible advantage to distinguish that Z equals gab or to a random element of G1.

Algorithm model and security model Algorithm model. Denote U = {ID1, , IDQ} to be the universe of all the users, we consider a scheme that searchable attribute-based encryption scheme with attribute revocation in cloud storage, as described in Fig 1. There are seven algorithms in our scheme: Setup (λ) ! msk, pp: This algorithm is executed by attribute authority. It inputs a security parameter λ and outputs the master secret key msk and public parameter pp. KeyGen (ID, (M, ρ), pp, msk) ! sk, τ:This algorithm is executed by attribute authority. It inputs a user’s identity ID 2 U, an access structure (M, ρ), public parameter pp, the msk and outputs the secret key sk and the part of search token τ. Encryption (pp, ω, Rθ, m) ! ct: This algorithm is executed by data owner. It inputs public parameter pp, the attribute set ω, a revocation list Rθ U which attribute θ 2 ω,a message m and outputs a cipher text ct. Index (pp, ω, Rθ, W) ! Ind: This algorithm is executed by data owner. It inputs public parameter pp, the attribute set ω,a revocation list Rθ U which attribute θ 2 ω,the keywords set from the uploaded files W and outputs keywords index Ind.


4 / 20


Trapdoor (pp, W0 , τ) !τ :This algorithm is executed by user. It inputs the public parameter pp and the keywords set W0 , and outputs the new token τ . Test (τ , Ind) ! 1 or 0:This algorithm is executed by cloud storage server. It inputs the search token τ and keywords index Ind and outputs 1 or 0. Decryption (pp, ID, sk, Rθ, ct) ! m: This algorithm is executed by user. It inputs public parameter pp, the user secret key sk of user ID 2 U, a revocation list Rθ U of attribute θ 2 ω, a cipher text ct. And the user ID has the attribute set ω0 as: if ID 2 Rθ, let ω0 = ω − {θ};otherwise, ω0 = ω. It computes the message m if and only if the attribute set ω0 satisfies the access structure. And the user can decrypt the file with m. Finally, the system model of our scheme is shown in Fig 1.

Security model (1) Selective security model of attribute revocation. Init. The adversary A chooses the attribute set ω and a revocation list Ry ðy 2 o Þ. Setup. The simulator operates this algorithm to get the public parameter pp and sends it to the adversary. Phase 1. The adversary queries the simulator for user private key sk which corresponds to the access structure (M, ρ), such that ω0 will not meet the access structure (M, ρ). Challenge. The simulator receives two messages m0 and m1 from adversary, and chooses a random bit b 2 {0, 1} to encrypt mb, and computes challenge cipher text ct with the attribute set ω and the attribute revocation list Ry . Phase 2. Same as Phase 1. Guess. The adversary gives a guess b0 of b, and the advantage of the adversary in this game is defined as jPr½b0 ¼ b 12 j. Definition1. The game model of this paper is to be safe if there no polynomial time adversaries have a non-negligible advantage in the above game. (2) Indistinguishability against chosen keyword attack (IND-CKA) model. Init. The adversary A selects a attribute set ω and a user revocation list Ry of θ 2 ω . Then B runs the algorithm to generate the public parameter pp and sends it to adversary A. Phase 1. The adversary queries the challenger as follows: 1. The index of keywords {w1, w2,. . ., wN}. 2. The search token of fwj1 ; wj2 ; . . . ; wjN1 g, and 1 j1 ; . . . ; jN1 N . Challenge. The challenger receives two different keywords w0 and w1 from the adversary. We require that the keywords w0 and w1 satisfies that 8j; wj 6¼ w0 ^ wj 6¼ w1 . The challenger chooses a random keyword wb , b 2 {0,1}, and give the index of keywords wb to adversary. Phase 2. Same as Phase 1. Guess. The adversary gives a guess b0 of b, and the advantage of any adversary in this game is defined as jPr½b0 ¼ b 12 j. Definition 2. We say a searchable encryption article with multiple keywords is secure based on the game IND-CKA, if the advantage of the adversary is negligible in the above game.

Implement of the algorithm Our construction is based on the Qiang Li et al.[24], and we combine the keyword search with attribute revocation in our new scheme. User constructs the search token when he wants to search files. If the search is successful and the set of attribute satisfies the access structure, it


5 / 20


outputs 1 in the algorithm of Test, then cloud server returns the cipher text. Our scheme adds access control in search, the user can download the files which he interests and can decrypt in this way, and save the space. We construct our scheme as follows: Setup (λ) ! msk, pp: Give that the G1 and G2 are two groups of prime order p, the binary size of p is λ,let g be a generator of G1. Define that e: G1× G1 !G2. In this paper, we suppose the maximum number of attribute is m when encryption, and n represents the maximum number of revoked user set in the revocation list. Then randomly choose α, β, δ 2 Zp, T T T A ¼ ða1 ; a2 ; . . . ; an Þ 2 Zpn , set H ¼ ðh1 ; h2 ; . . . ; hn Þ ¼ ðg a1 ; g a2 ; . . . ; g an Þ and randomly Ym ðxi Þ Ym ðxi Þ choose {k0,i, k1,i 2 G1|i = 1,. . .,m},let K0 ðxÞ ¼ k ; K1 ðxÞ ¼ k . Then i¼1 0;i i¼1 1;i randomly choose that {t0,i, t1,i 2 G1|i = 1,. . .,m},and then define two functions Tf(x): Zp ! Ym ðxi Þ G1,Tf ðxÞ ¼ t where f = {0, 1}. Let hash H be H:{0, 1} ! G1, then the master key msk i¼1 f ;i and public parameter pp are: msk ¼< a; a1 ; b; fk0;i ; k1;i ; t0;i ; t1;i gi¼1;...;m > T

a

pp ¼< g; eðg; gÞ ; H ¼ ðh1 ; h2 ; . . . ; hn Þ ; g b ; d; H; K0 ðxÞ; K1 ðxÞ > KeyGen (ID, (M, ρ), pp, msk) ! sk, τ : Let M be an l × k matrix corresponding to access policy (M, ρ). Define a vector X = (x1,. . .,xn)T such that xi = IDi−1, i 2 [1, n]. Randomly choose r, {zi,0, zi,1}i2[2,. . .k] 2 Zp, define a vector v0 = (α + rα1, z2,0,. . ., zk,0)T, v1 = (α, z2,1,. . ., zk,1)T. For i = 1 to l, and compute that λi,0 = Miv0 and λi,1 = Miv1. Randomly choose {ri,0, ri,1}i2[1,. . .l] 2 Zp, and set the private key as sk ¼< D1;0 ; D1;1 ; D2;0 ; D2;1 ; D3 ; KX > where r

li;0 D1;0 ¼ fDðiÞ T0 ðrðiÞÞ i;0 gi2½1;...;l 1;0 ¼ g

ri;0 D2;0 ¼ fDðiÞ 2;0 ¼ g gi2½1;...;l

r

li;1 D1;1 ¼ fDðiÞ T1 ðrðiÞÞ i;1 gi2½1;...;l 1;1 ¼ g

ri;1 D2;1 ¼ fDðiÞ 2;1 ¼ g gi2½1;...;l

xi x

r

D3 ¼ g r ; KX ¼ fKi ¼ ðh1 1 hi Þ gi2½2;...;n T

Then calculate that KX ¼ ðK2 ; . . . ; Kn Þ ¼ g rMX A , where MX 2 (Zp)n×(n−1) is defined by 0 x x3 xn 1 2 x1 A. MX ¼ @ x1 x1 In 1 T Randomly choose fv2 ; . . . ; vk g 2 Zpk 1 and set v ¼ ðb; v2 ; . . . ; vk Þ 2 Zpk . For i = 1 to l, compute λi = Miv. Randomly choose ξi 2 Zp, then denote that t ¼< t1 ; t2;0 ; t2;1 >


6 / 20


where t1 ¼ ft1;i ¼ g li gi¼1;...l x

i t2;0 ¼ ftrðiÞ 2;0 ¼ K0 ðrðiÞÞgi¼1;...l

xi t2;1 ¼ ftrðiÞ 2;1 ¼ K1 ðrðiÞÞgi¼1;...l

then send sk and τ to the user. Encryption (pp, ω, Rθ, m) ! ct: Suppose that a message m is encrypted with a set of attribute ω and a revocation list Rθ U which attribute θ 2 ω. Define a vector Y = (y1,. . ., yn)T as the coefficient vector of PRy ½Z, and randomly choose s 2 Zp then output ct ¼ hC; C1 ; C2;0 ; C2;1 ; C3 i where as

C ¼ m eðg; gÞ ; C1 ¼ g s s

ðxÞ C2;0 ¼ fC2;0 ¼ T0 ðxÞ g

s

x2o

ðxÞ ; C2;1 ¼ fC2;1 ¼ T1 ðxÞ g

x2o fyg

C3 ¼ ðhy11 hynn Þ

s

Index (pp, ω, Rθ, W) ! Ind: A revocation list Rθ U which attribute θ 2 ω. Data owner encrypts the file F which is firstly encrypted by a symmetric encryption algorithm and gets cipher text F , and suppose that the symmetric encryption key is m. The set of keywords W = {w1, w2,. . ., wN} is extracted from the F, and randomly choose t 2 Zp,and output the keywords index Ind ¼< I0 ; I1;j ; I2;0 ; I2;1 > where I0 ¼ g t d

I1;j ¼ g b Hðwj Þ ; j 2 ½1; N ðxÞ ðxÞ I2;0 ¼ fI2;0 ¼ K0t ðxÞgx2o ; I2;1 ¼ fI2;1 ¼ K1t ðxÞgx2o

y

and send to the cloud server. Trapdoor (pp, W0 , τ) !τ : The user constructs the search token τ according to the keywords W 0 ¼ fwj1 ; wj2 ; . . . ; wjN g; ð1 j1 ; . . . ; jN1 NÞ which he interests as 1

d

t3 ¼ ft1;jq ¼ g b Hðwjq Þ gq¼1;...;N1 ;jq ¼1;...;N and sends search token τ = < τ1, τ2,0, τ2,1, τ3> and his ID to the cloud server. Test (τ , Ind) ! 1 or 0: The cloud server receives the search token from the user. First, the cloud server judges that whether the ID of user is in the revocation list Rθ. If ID 2 Rθ, let ω0 = ω − {θ};otherwise, ω0 = ω. If the set ω0 satisfies the access structure (M, ρ), then there exists P a set of constants {μi 2 Zp}i2I, such that i2I mi Mi ¼ ð1; 0; . . . ; 0Þ. (1) When ID 2 = Rθ, cloud server selects N1 keywords index from the Ind, we denote the result of selecting as fI1;O1 ; I1;O2 ; . . . I1;ON g,where 1 O1 ; . . . ; ON1 N. Then cloud server tests the 1

selected index set fI1;O1 ; I1;O2 ; . . . I1;ON g with the search token τ = < τ1, τ2,0, τ2,1, τ3> with the 1


7 / 20


following equation YN1 q¼1

?

eðI1 ; t1;jq Þ ¼

YN1 s¼1

eðI1 ; I1;Os Þ

If the equation holds, it turns to next step; otherwise, it outputs 0. Y mi eðI0 ; i2I ðt1;i trðiÞ 2;0 Þ Þ ? Y ¼ eðI0 ; I1 Þ m rðiÞ i eð i2I ðI2;0 Þ ; gÞ If the equations all hold, it returns the corresponding cipher text to the user, and user can decrypt. Otherwise, it outputs 0. (2) When ID 2 Rθ, cloud server selects N1 keywords index from the Ind, we denote the result of selecting is fI1;O1 ; I1;O2 ; . . . I1;ON g,where 1 O1 ; . . . ; ON1 N. Then cloud server tests 1

the selected index set fI1;O1 ; I1;O2 ; . . . I1;ON g with the search token τ = < τ1, τ2,0, τ2,1, τ3> with 1

the following equation YN1

?

eðI1 ; t1;jq Þ ¼ q¼1

YN1 s¼1

eðI1 ; I1;Os Þ

If the equation holds, it turns to next step; otherwise, it outputs 0. Y mi eðI0 ; i2I ðt1;i trðiÞ 2;1 Þ Þ ? Y ¼ eðI0 ; I1 Þ rðiÞ mi eð i2I ðI2;1 Þ ; gÞ If the equations all hold, it returns the corresponding cipher text to the user, and user can decrypt. Otherwise, it outputs 0. Decryption (pp, ID, sk, Rθ, ct) ! m: User can decrypt according to the returned cipher text. If ID 2 Rθ, ω0 = ω − {θ};otherwise, ω0 = ω, and then: (1) When ID 2 Rθ, let I = {i: ρ(i) 2 ω0 }, and there exists a set of constants {μi 2 Zp}i2I, such that ∑i2I μi Mi = (1,0,. . ., 0),then ∑i2I μiλi,1 = α. It calculates !m i Y eðC1 ; DðiÞ sa 1;1 Þ φ¼ ¼ eðg; gÞ rðiÞ i2I eðC2;1 Þ; DðiÞ 2;1 and m = C / φ, user can decrypt F to get F with m. (2) When ID 2 = Rθ, calculate n Y

KX ¼

yi i

K ¼

h1

x1

i¼2

n Y

!r yi i

h i¼1

so that when 6¼ 0, and then calculate ¼

eðK; C1 Þ eðC3 ; D3 Þ

x1

¼ eðg; gÞ

rsa1

Let I = {i: ρ(i) 2 ω0 }, and there exists a set of constants {μi 2 Zp}i2I, such that ∑i2I μi Mi = (1,0,. . ., 0),then ∑i2I μλi,0 = α+ rα1. Thus we have !mi Y eðC1 ; DðiÞ sðaþra1 Þ 1;0 Þ g¼ ¼ eðg; gÞ rðiÞ eðC2;0 ; DðiÞ 2;0 Þ i2I and m = C / A, user can decrypt F to get F with m.


8 / 20


Correctness analyses In this subsection, we show that our construction is correct with some appropriate parameters setting. (1) In the process of search the equation holds, it means that cloud server selects N1 keywords index from the Ind which we denote fI1;O1 ; I1;O2 ; . . . I1;ON g,where 1 O1 ; . . . ; ON1 N 1

is matching the search token of the keywords fwj1 ; wj2 ; . . . ; wjN g; ð1 j1 ; . . . ; jN1 NÞ from 1

the user, then computes that YN1 q¼1

¼ ¼ ¼

YN1 q¼1

YN1 q¼1

YN1 s¼1

eðI1 ; t1;jq Þ eðg b ; g b Hðwjq ÞÞ eðg b ; I1 Hðwjq ÞÞ eðI1 ; I1;Os Þ

a. When ID 2 = Rθ, compute that Y

m

i ðt1;i trðiÞ 2;0 Þ Þ Y i2I rðiÞ mi eð i2I ðI2;0 Þ ; gÞ X lm Y t eðg ; g i2I i i i2I K0xi mi ðrðiÞÞÞ Y ¼ eð i2I K0txi mi ðrðiÞÞ; gÞ Y t eðg t ; g b Þ eðg; i2I K0xi mi ðrðiÞÞÞ Y ¼ t xm eð i2I K0 i i ðrðiÞÞ; gÞ

eðI0 ;

¼ eðg t ; g b Þ ¼ eðI0 ; I1 Þ b. When ID 2 Rθ, compute that Y

¼

¼


m

i ðt1;i trðiÞ 2;1 Þ Þ Y i2I rðiÞ mi eð i2I ðI2;1 Þ ; gÞ X lm Y t eðg ; g i2I i i i2I K1xi mi ðrðiÞÞÞ Y eð i2I K1txi mi ðrðiÞÞ; gÞ Y t eðg t ; g b Þ eðg; i2I K1xi mi ðrðiÞÞÞ Y t eð i2I K1xi mi ðrðiÞÞ; gÞ

eðI0 ;

¼

eðg t ; g b Þ

¼

eðI0 ; I1 Þ

9 / 20


(2) The decryption process first calculates

0

1r xi Ki ¼ @h1 x1 hi A

¼

!r xi a1 a g x1 g i

x i a1 þ ai x1 ¼g 0 x x3 2 ... M ¼ @ x1 x1 r

xn 1 x1 A

X

0 B B B B B B B B B B B B B B @

1

x2 x1

In

1

0 C 0 1 C a1 B C C B C B C B C B C B a2 C B C B C B B C B In 1 C CB . C¼B C B .. C B C B C B C @ A B B C @ C an A

x3 x1 .. . xn x1

1 x2 a1 þ a2 x1 C C C x3 a1 þ a3 C C x1 C C ¼ MXT A C .. C C . C A xn a1 þ an x1

T

KX ¼ fK2 ; ; Kn g ¼ g rMX A

(3) The decryption process calculates: a. When ID 2 Rθ

Y φ ¼ i2I

eðC1 ; DðiÞ 1;1 Þ

!m i

rðiÞ eðC2;1 ; DðiÞ 2;1 Þ

Yeðg s ; g li;1 T ðrðiÞÞri;1 Þmi 1 ¼ s eðT1 ðrðiÞÞ ; g ri;1 Þ i2I Yeðg s ; g li;1 Þ eðg s ; T ðrðiÞÞri;1 ÞÞmi 1 ¼ s eðT ðrðiÞÞ ; g ri;1 Þ 1 i2I Y mi ¼ ðeðg s ; g li;1 ÞÞ i2I

Y eðg; gÞ

¼ i2I


sli;1 mi

P

¼ eðg; gÞ

sð

¼ eðg; gÞ

sa

l m Þ i2I i;1 i

10 / 20


b. When ID 2 = Rθ KX

¼

n Y Kiyi i¼2

0 x 1ryi i n Y @h1 x1 hi A ¼ i¼2 n ðx2 y2 þþxnx1yn Þ Y yi h1 x1 hi

¼

!r

i¼2 n ðx2 y2 þþxnx1yn Þ Y yi h1 x1 hi h1

¼

!r y1

i¼1 n ðx2 y2 þþxnx1yn Þ Y yi h1 x1 hi h1

¼

i¼1

h1

¼

ð

x1 y1 xn yn x1 þþ x1

n Þ Y yi hi

!r y1 x1 x1

!r

i¼1

h1

¼

x1

Y hiyi n

!r

i¼1

eðK; C1 Þ ¼ eðC3 ; D3 Þ 0

x1

x1

n Y hiyi

h1

x1

i¼1

! !

0 Be B ¼B B @

h1

x1

¼ e g

n Y

! !1

x1 rs

hyi i ; g C C i¼1 C C y y eððh11 hnn Þ; gÞ A ;g

¼ e h1 x1 ; g


!1

; gs C C C s C eððhy11 hynn Þ ; g r Þ A

Be B ¼B B @

¼ eðg; gÞ

!r

x1 a1

e

x1 rs

;g

x1 rs

rsa1

11 / 20


Y g¼ i2I

eðC1 ; DðiÞ 1;0 Þ

!mi

rðiÞ eðC2;0 ; DðiÞ 2;0 Þ

Yeðg s ; g li;0 T ðrðiÞÞri;0 Þmi 0 s eðT ðrðiÞÞ ; g ri;0 Þ 0 i2I Yeðg s ; g li;0 Þ eðg s ; T ðrðiÞÞri;0 ÞÞmi 0 ¼ s eðT0 ðrðiÞÞ ; g ri;0 Þ i2I Y mi ¼ ðeðg s ; g li;0 ÞÞ ¼

i2I

Y eðg; gÞ

¼ i2I

sli;0 mi

P

¼ eðg; gÞ

Sð

¼ eðg; gÞ

sðaþra1 Þ

l m Þ i2I i;0 i

Let A = γ / ϕ = e(g, g)sα.

Security analyses Selective security model proof Theorem1. If an adversary can break our scheme with advantage ε in the selective security model, then we can construct a simulator to solve the Decision q-BDHE problem with advantage ε2. Proof: This proof bases on [24]. The simulation proceeds as follows. First, the challenger sets 2

q

qþ2

2q

Y ¼ ðg; g s ; g1 ¼ g a ; g2 ¼ g a ; . . . ; gq ¼ g a ; gqþ2 ¼ g a ; . . . ; g2q ¼ g a Þ Then the challenger flips a fair binary coin μ: if μ = 0, the challenger sets Z = e(g1, gq)s if μ = 1,then the challenger picks a random element Z from G2. Init. The simulator B runs adversary A. A selects an attribute set ω and a user revocation list Ry ,where θ 2 ω , which it wishes to be challenged upon. Setup. The simulator B proceeds as follows: (1) The simulator B randomly chooses α 0 , β, δ, 2 Zp, and then simulator B sets that a

q

a0

eðg; gÞ ¼ eðg a ; g a Þ eðg; gÞ ,implicitly has that α = α 0 + αq+1. Then it randomly chooses fk00;i ; k01;i 2 G1 ji¼1;...;m g, and computes Ym 0ðxi Þ Ym 0ðxi Þ K0 ðxÞ ¼ k ; K ðxÞ ¼ k 0;i 1 i¼1 i¼1 1;i (2) It sets Ry ¼ fID1 ; ; IDm g where m Q. For k 2 [1, m], simulator B sets Xk ¼ ðxk;1 ; . . . ; xk;n Þ ¼ ð1; IDk ; ID2k ; . . . ; IDnk 1 Þ, randomly chooses bk 2 Zp and has that 0 x xk;n 1 k;2 . . . xk;1 A ¼ 0 bTk MXk ¼ bTk @ xk;1 In 1 T x xk;n and bk ¼ 1; xk;2 ; . . . . The simulator B sets the n×q matrix B = (b1|. . .|bm|0|. . .|0), x k;1 k;1 for k 2 [1, m], it consists by bk, and q − m columns are 0. Sets Z = (z1, ,zq)T 2 Zn and


12 / 20


R

zi = aq+1−i, g z ¼ ðg aq ; ; g a Þ and implicitly has that A = BZ + δ where δ 2 Zpn . Define T

H = (h1, h2,. . .,hn)T = gBZgδ, for k 2 [1, m], we have that MXT k B 2 ðZp Þ ¼ 0, so it q+1−k doesn’t have zk = a . (3) It sets ω0 = ω − {θ}, randomly chooses two polynomials f0(x) and f1(x) of degree m and computes two polynomials as follows: ðn 1Þq

u0 ðxÞ ¼ xm

jo j

Y

u1 ðxÞ ¼ xm

iÞ

ðx i2o

Y

jo fygj

ðx

iÞ

i2o fyg

For i 2 [0, m], let c0,i and c1,i be the ith term of f0(x) and f1(x), d0,i and d1,i be the ith term of u0(x) and u1(x). B defines T0 ðxÞ ¼ g au0 ðxÞþf0 ðxÞ and T1 ðxÞ ¼ g au1 ðxÞþf1 ðxÞ ,at the same time, B simulates {t0,i, t1,i}i = 1,. . .,m where d

d

t0;i ¼ ðg a Þ 0;i g c0;i ; t1;i ¼ ðg a Þ 1;i g c1;i Finally, B gives the public parameters T

a

pp ¼< g; eðg; gÞ ; H ¼ ðh1 ; h2 ; . . . ; hn Þ ; g b ; d; K0 ðxÞ; K1 ðxÞ > to A. Phase 1. Let M be a p×l matrix, ω0 doesn’t satisfy the access structure (M, ρ). If ID 2 Rθ, there is ω0 = ω − {θ}; otherwise, ω0 = ω . The simulator B generates the secret key sk as follows. (1) When ID 2 = Rθ (in this case, we have ω0 = ω ), and ω0 doesn’t satisfy the access structure, T B first defines p ¼ ðp1 ; ; pl Þ 2 Zpn where π1 = 1 We have Miπ = 0 for each i when ρ(i) 2 ω . Then the simulator B defines two vectors η0 = (r, η0,2,. . .,η0,l)T and η1 = (0, η1,2,. . .,η1,l)T, and defines that u0 = α1 η0 + απ and u1 = η1 + απ, we can compute the first term of u0 and u1 are α + rα1 and α. i. When ρ(i) 2 ω , B computes that g li;0 ¼ g Mi m0 ¼ ðg a1 Þ

Mi Z0

; g li;1 ¼ g Mi Z1

and randomly chooses ri,0, ri,1 2 Zp and computes that r

li;0 ri;0 DðiÞ T0 ðrðiÞÞ i;0 ; DðiÞ 1;0 ¼ g 2;0 ¼ g

r


ii. When ρ(i) 2 = ω , B computes that g li;0 ¼ g Mi u0 ¼ g a1 Mi Z0 þaMi p ; g li;1 ¼ g Mi u1 ¼ g Mi Z1 þaMi p 0 0 0 and randomly chooses r; fri;0 gi2½l ; fri;1 gi2½l 2 Zp , and sets ri;0 ¼ ri;0


aq m0 ðrðiÞÞ

ðMi pÞ and

13 / 20


0 ri;1 ¼ ri;1

aq m1 ðrðiÞÞ

ðMi pÞ, then r

DðiÞ 1;0

¼ g li;0 T0 ðrðiÞÞ i;0 aq f0 ðrðiÞÞ ðMi pÞ u0 ðrðiÞÞ ¼ g a1 Mi Z0 þaMi p T0 ðrðiÞÞ g 0 ri;0

r0

ri;0 DðiÞ ¼ g i;0 2;0 ¼ g

aq ðM pÞ i m0 ðrðiÞÞ

r

DðiÞ 1;1

¼ g li;1 T1 ðrðiÞÞ i;1 aq f1 ðrðiÞÞ ðMi pÞ r0 u1 ðrðiÞÞ ¼ g Mi Z1 þaMi p T1 ðrðiÞÞ i;1 g

r

ri;1 DðiÞ ¼ g i;1 2;1 ¼ g

aq ðM pÞ i m1 ðrðiÞÞ

xi x

r

Then B computes that D3 = gr, KX ¼ fKi ¼ ðh1 1 hi Þ gi2½2;...;n . (2) When ID 2 Ry and sets fID ¼ IDk gk2½1;m . The simulator B randomly chooses r 0 2 Zp m X and sets r = r 0 − ak. Defines A = B Z+δ, the first term of A is a1 ¼ d1 þ aqþ1 j , and comj¼1

putes that m X d1 þ

g aþra1

¼ g

a0 þaqþ1

aqþ1

j¼1

ðg

Þ m X

¼ ga

0

d1 a k

j

0

g a1 r g

r 0 ak

aqþ1

jþk

j¼1;j6¼k

randomly chooses fZi gi2½2;l 2 Zp and defines η = (α + rα1, η2, . . ., ηl)T, and for i 2 [1, p], sets Mi = (xi,1, xi,2, . . ., xi,l), then computes l X

Zj xi;j x

g li;0 ¼ g Mi η ¼ ðg aþra1 Þ i;1 g

j¼2

randomly chooses ri,0 2 Zp, then r


ðiÞ As ω0 does not satisfy the access structure, the simulation of DðiÞ 1;1 and D2;1 are the same as the T

previous case. For {Ki}i2[2,n], the simulator B can computes KX ¼ ðK2 ; . . . ; Kn Þ ¼ g rMX A by MXT A ¼ MXT B Z þ MXT δ.


14 / 20


Challenge. The adversary A submits two messages m0 and m1, B randomly chooses mb where b 2{0,1} to encrypt. Then computes 0

C ¼ mb Z eðg s ; g a Þ; C1 ¼ g s s

f ðxÞ

ðxÞ ðxÞ C2;0 ¼ fC2;0 jC2;0 ¼ T0 ðxÞ ¼ ðg s Þ 0 ; x 2 o g

s

f ðxÞ

ðxÞ ðxÞ C2;1 ¼ fC2;1 jC2;1 ¼ T1 ðxÞ ¼ ðg s Þ 1 ; x 2 o

fygg

Then the simulator B defines Y = (y1, , yn)T according to the revocation list Ry and = 0 for k 2[1,m]. And we have that Y ¼ MXk γ1 where γ1 = (y2, , yn)T, then < Y; B Z >¼ Y T B Z ¼

m X

zk Y T bk ¼ 0

k¼1

and computes s

C3 ¼ ðhy11 . . . hynn Þ ¼ ðg s Þ

¼ ðg s Þ

Then B sends the challenge ciphertext ct = (C, C1, C2,0, C2,1, C3) to the adversary A. If μ = 0, then Z = e(g1, gq)s, the challenge ciphertext ct is a valid random encryption of message mb. If μ = 1, then Z is a random element of G2, and ct is also random from the adversary’s view, and ct contains no information of mb. Phase2. Same as Phase1. Guess. The adversary A outputs the guess b0 of b. B outputs μ = 0 to guess that Z = e(g1, gq)s if b0 = b; otherwise, B outputs μ = 1, and it indicates that Z is a random element in G2. And the advantage of simulator B to solve the q-BDHE problem is

¼ ¼

1 1 Pr½m0 ¼ mjm ¼ 0 þ Pr½m0 ¼ mjm ¼ 1 2 2 1 1 1 1 1 ð þ εÞ þ 2 2 2 2 2 ε 2

1 2

IND-CKA security proof Theorem 2. Suppose there exists a polynomial-time adversary A, which can attack our scheme with advantage ε in the IND-CKA model. We can construct a simulator B that can solve the ε DDH problem in G1 with probability at lest 4eðMþTN , where e is constant, and we assume the þ1Þ 1

2

adversary A makes M index queries and T search token queries(it contains N1 keywords) in each phase[10]. Proof: B is given an instance g, ga, gb, gc of the DDH problem in G1. In the following parts, we construct the cipher text by setting δ = b. The simulation proceeds as follows: Init. The adversary A selects a attribute set ω and a user revocation list Ry of θ 2 ω .B is given an instance g, ga, gb, gc of the DDH problem in G1. Then B runs the algorithm to generate the public parameter pp and sends it to adversary A. Phase1. B maintains a hash list L = {wj, αj, lj} and randomly chooses αj 2 Zp for keywords wj with biased coin flip lj. The list is empty when begins and simulates the hash function as a


15 / 20


random oracle. And if the random oracle is queried for a hash of w,B searches the hush list L if the w exists in the list. 1. If lj = 0,the B gives that gaj ; 2. If lj = 1,the algorithm aborts; 3. If the keyword w does not exist in the list, the B flips a random coin l 2 {0,1} so that Pr [coin0 = 0] = σ and σ will be calculated later. a. If l = 0, the B randomly chooses α 2 Zp,and adds < w, α, 0 > to the hush list; b. If l = 1, the B adds < w, ?, 1 > to the hush list. c. The B repeat the above process. Keywords index query. If the adversary A asks the keyword wj of index information, B searches the hush list L. If lj = 1, B aborts; and if lj = 0, B randomly chooses t 2 Zp, let Hðwj Þ ¼ g aj and generates that I0 ¼ g t d

I1;j ¼ g b Hðwj Þ ¼ g b ðg b Þ

aj

ðxÞ ðxÞ I2;0 ¼ fI2;0 ¼ K0t ðxÞgx2o ; I2;1 ¼ fI2;1 ¼ K1t ðxÞgx2o

y

Search token query. If the adversary A asks the keyword wjq of searching token with the access structure (M, ρ), Let M be a p×l matrix, ω0 doesn’t satisfy the access structure (M, ρ). If ID 2 Ry , there is ω0 = ω − {θ}; otherwise, ω0 = ω .B searches the hush list L. If ljq ¼ 1,B aborts; and if ljq ¼ 0,let Hðwjq Þ ¼ g aj . For i = 1 to l, randomly choose ξi 2 Zp and B generates that d

t1

¼

ft1;i;jq ¼ g li Hðwjq Þ gi2½1;l;q2½1;N1 ;jq 2½1;N

t2;0

¼

xi ftrðiÞ 2;0 ¼ K0 ðrðiÞÞgi2½1;l

t2;1

¼

xi ftrðiÞ 2;1 ¼ K1 ðrðiÞÞgi2½1;l

Challenge. The adversary A outputs two keywords w0 and w1 ,B randomly chooses b 2 {0,1} and searches the hush list L that < wb ; a; l >. If l = 0,B aborts; if l = 1, let Hðwb Þ ¼ g a and computes I0 ¼ g t ; I1 ¼ g b g c ðxÞ ðxÞ I2;0 ¼ fI2;0 ¼ K0t ðxÞgx2o ; I2;1 ¼ fI2;1 ¼ K1t ðxÞgx2o

y

Phase2. Same as Phase1. Guess. The adversary A outputs the guess b0 of b, B outputs gc = gab if b0 = b; otherwise gc is a random group element in G1. Correctness Analyses. In the above simulation scheme, if the adversary A has the advantage of attack our scheme, and then it will be given the keyword wj of hush value is H(wj) = ga rather than the random value H(wj) = gaj. Then it can compute that I1 = gβH(w)δ = gβ(gb)a, that is I1 = gβgc = gβgab, and B computes that gc = gab which means it solves the DDH problem.


16 / 20


Table 1. Performance analyses. Scheme

Fine-grained

Attribute revocation

Keyword search

Do not update cipher-text when attribute revocation

[26]

×

×

×

[21]

× p

× p

× p

[27]

×

×

×

_

[28]

× p

× p

× p

_ p

[24]

Our scheme

× p

×

https://doi.org/10.1371/journal.pone.0183459.t001

Probability Analyses. Suppose that the adversary A makes M index queries and T search token queries in each phase, and the probability that B will not be terminated in two query phases 1 and 2 is s2ðMþTN1 Þ , so the probability that it will not terminated during the challenge step is 1 − σ, so that results in an overall probability that B does not abort is s2ðMþTN1 Þ ð1 sÞ. 1 And, through the computes that the maximum is s ¼ 1 2ðMþTN , so the maximum proba1 Þþ1 1 bility is 2eðMþTN . Thus, if our scheme can be attacked by the adversary A with the advantage þ1Þ 1

2

ε ε, and the B can resolve the DDH problem with advantage 4eðMþTN . þ1Þ 1

2

Performance analyses In this section, we give some performance analysis in our scheme. The hardware runtime environment is Intel Core i5-3470 CPU @ 3.20GHz, and RAM is 4.00GB. The software runtime environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse10. Our scheme is compared with the schemes of [21, 24, 26, 27, 28] in Table 1. Our scheme is also compared with the schemes of [26, 27, 28] in Table 2. We can see from Table 2, our scheme has a large amount of computation in the KenGen and Encryption generation, because our scheme doesn’t need to update the cipher-text and secret key when attributes revocation. However, the schemes of [26], [27] and [28] don’t achieve the function of attribute revocation. As is shown in the Fig 2, we suppose that there are 16 attributes in the policy and provide the relational graphs of keywords index building time as is shown in Fig 2(a) and search token building time as is shown in Fig 2(b). From the Fig 2(a) and 2(b), we can see that the time cost is nearly linear with the index building and token building. In the Fig 2(c), we give the relational graph of the number of attributes in the policy and time cost. As is shown in the Fig 2(c), Table 2. Calculation analyses. Scheme

KeyGen

Encryption

Pairings in Decryption

[26]

(2 + 2l)ex

(3 + | S |)ex

2 + 2| I |

[27]

3lex

(2 + | S |)ex

1 + 3| I |

[28]

2lex

(6 + | S |)ex

1 + 2| I |

Our scheme

(2 + 4l)ex

(3 + 2 | S |)ex

1 + 2| I |

| S |: The size of the attributes set of a decryption key. l: The number of rows of the matrix in access policy(M,ρ). ex: An exponentiation operation. | I |: The number of attributes for a decryption key to satisfy a cipher-text policy. https://doi.org/10.1371/journal.pone.0183459.t002


17 / 20


Fig 2. (a) Index building time (b) Token building time (c) The number of attributes in policy and index building time https://doi.org/10.1371/journal.pone.0183459.g002


18 / 20


we can find that the effect of the increase of the attributes on the time is not particularly evident in our scheme which takes less time than Zhiquan’s[29].

Conclusions In our scheme, we add the keyword search based on the attribute revocation, the search tokens generated by the attribute authority and the user. The cloud server match is divided into two cases: the user is in the revocation list and not in the revocation list, and the cloud server uses the different test according to the different case. It will return the cipher text when the attribute set meets the access structure and the search keywords exist, and the user can decrypt correctly. This scheme supports multiple keywords search at the same time which makes more flexible in the practical application.

Supporting information S1 Appendix. (RAR)

Acknowledgments This work is supported by the National Natural Science Foundation of China under grants 61572019, 61173192, the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China under Grant No. 2016JZ001. Thanks also go to the anonymous reviewers for their useful comments.

Author Contributions Writing – original draft: Shangping Wang, Duqiao Zhao. Writing – review & editing: Yaling Zhang.

References 1.

Sahai Amit, and Waters B.. Fuzzy Identity-Based Encryption. Advances in Cryptology–EUROCRYPT 2005. Springer Berlin Heidelberg, 2005:457–473.

2.

Pirretti M, Traynor P, Mcdaniel P, et al. Secure attribute-based systems. IOS Press, 2006:99–112.

3.

Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. ACM Conference on Computer and Communications Security. ACM, 2008:417–426.

4.

Hinek MJ, Jiang S, Safavi-Naini R, Shahandashti SF. Attribute-based encryption with key cloning protection. Bulletin of the Korean Mathematical Society. 2008; 2008(4):803–19.

5.

Li J, Ren K, Kim K. A2BE: Accountable Attribute-Based Encryption for Abuse Free Access Control. Iacr Cryptology Eprint Archive. 2009; 2009.

6.

Attrapadung N, Imai H. Conjunctive Broadcast and Attribute-Based Encryption. Pairing-Based Cryptography—Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12–14, 2009, Proceedings. DBLP, 2009:248–265.

7.

Touati L, Challal Y. Batch-based CP-ABE with attribute revocation mechanism for the Internet of Things. International Conference on Computing, NETWORKING and Communications. IEEE, 2015:1044–1049.

8.

Wang PP, Feng DG, Zhang LW. CP-ABE Scheme Supporting Fully Fine-Grained Attribute Revocation. Journal of Software. 2012; 23(10):2805–2816.

9.

Boneh D, Crescenzo G D, Ostrovsky R, et al. Public Key Encryption with Keyword Search. Advances in Cryptology—EUROCRYPT 2004. Springer Berlin Heidelberg, 2004:506–522.

10.

Kerschbaum F. Secure conjunctive keyword searches for unstructured text. International Conference on Network and System Security, Nss 2011, Milan, Italy, September. DBLP, 2011:285–289.


19 / 20


11.

Cao N, Wang C, Li M, Ren K, Lou W. Privacy-Preserving Multi-Keyword Ranked Search over Encrypted Cloud Data. IEEE Transactions on Parallel & Distributed Systems. 2014; 25(1):222–233. https://doi. org/10.1016/j.jbiomech.2005.09.015

12.

Chuah M, Hu W. Privacy-Aware BedTree Based Solution for Fuzzy Multi-keyword Search over Encrypted Data. International Conference on Distributed Computing Systems Workshops. IEEE Computer Society, 2011:273–281.

13.

Han F, Qin J, Zhao H, Hu J. A general transformation from KP-ABE to searchable encryption. Future Generation Computer Systems. 2014; 30(1):107–115.

14.

Chung KM, Kalai Y, Vadhan S. Improved Delegation of Computation Using Fully Homomorphic Encryption: Springer Berlin Heidelberg; 2010. 483–501 p.

15.

Gentry C. Fully Homomorphic Encryption Using Ideal Lattices. Proceedings of the Annual Acm Symposium on Theory of Computing. 2009; 9(4):169–78.

16.

Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure Cloud Storage. IEEE Transactions on Information Forensics and Security. 2015; 10(9):1981–92. https://doi.org/10.1109/TIFS.2015.2442215

17.

Li H, Yang Y, Luan TH, Liang X, Zhou L, Shen XS. Enabling Fine-Grained Multi-Keyword Search Supporting Classified Sub-Dictionaries over Encrypted Cloud Data. IEEE Transactions on Dependable and Secure Computing. 2016; 13(3):312–25. https://doi.org/10.1109/TDSC.2015.2406704

18.

Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure Cloud Storage. IEEE Transactions on Information Forensics & Security. 2015; 10 (9):1981–1992.

19.

Li J, Shi Y, Zhang Y. Searchable ciphertext-policy attribute-based encryption with revocation in cloud storage. International Journal of Communication Systems. 2017, 30 (1).

20.

Sun W, Yu S, Lou W, Hou YT, Li H. Protecting Your Right: Verifiable Attribute-Based Keyword Search with Fine-Grained Owner-Enforced Search Authorization in the Cloud. IEEE Transactions on Parallel and Distributed Systems. 2016; 27(4):1187–98. https://doi.org/10.1109/TPDS.2014.2355202

21.

Yang Y, Ma M. Conjunctive Keyword Search with Designated Tester and Timing Enabled Proxy ReEncryption Function for E-Health Clouds. IEEE Transactions on Information Forensics and Security. 2016; 11 (4):746–759. https://doi.org/10.1109/TIFS.2015.2509912

22.

Jiang X, Yu J, Yan J, Hao R. Enabling efficient and verifiable multi-keyword ranked search over encrypted cloud data. Information Sciences. 2017; s 403–404:22–41.

23.

Poon HT, Miri A, editors. A Combined Solution for Conjunctive Keyword Search, Phrase Search and Auditing for Encrypted Cloud Storage. Ubiquitous Intelligence & Computing, Advanced and Trusted Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of People, and Smart World Congress; 2017.

24.

Li Q, Feng D, Zhang L. An attribute based encryption scheme with fine-grained attribute revocation. Global Communications Conference (GLOBECOM), 2012 IEEE. 2012:885–890.

25.

Shi Y, Zheng Q, Liu J, Han Z. Directly revocable key-policy attribute-based encryption with verifiable ciphertext delegation. Information Sciences. 2015; 295:221–231.

26.

Zhang M, Du W, Yang X, Han Y. A fully secure KP-ABE scheme in the standard model. Journal of Computer Research & Development. 2015.

27.

Li Z, Chen X. Attribute-based encryption with fast decryption on prime order groups. Computer application. 2016; 36 (3):637–641.

28.

Ma S, Lai J, Deng RH, Ding X. Adaptable key-policy attribute-based encryption with time interval. Soft Computing. 2016:1–10.

29.

Lv Z, Zhang M, Feng D. Multi-user Searchable Encryption with Efficient Access Control for Cloud Storage. IEEE International Conference on Cloud Computing Technology and Science. IEEE, 2015:366– 373.


20 / 20