TY - JOUR
AU1 - Zeng,, Ming
AU2 - Zhang,, Kai
AU3 - Qian,, Haifeng
AU4 - Chen,, Xiaofeng
AU5 - Chen,, Jie
AB - Abstract Cloud computing is a new promising technology paradigm that can provide clients from the whole network with scalable storage resources and on-demand high-quality services. However, security concerns are raised when sensitive data are outsourced. Searchable encryption is a kind of cryptographic primitive that enables clients to selectively retrieve encrypted data, the existing schemes that support for sub-linear boolean queries are only considered in symmetric key setting, which makes a limitation for being widely deployed in many cloud applications. In order to address this issue, we propose a novel searchable asymmetric encryption scheme to support for sub-linear boolean query over encrypted data in a multi-client model that is extracted from an important observation that the outsourced database in cloud is continuously contributed and searched by multiple clients. For the purpose of introducing the scheme, we combine both the ideas of symmetric searchable encryption and public key searchable encryption and then design a novel secure inverted index. Furthermore, a detailed security analysis for our scheme is given under the simulation-based security definition. Finally, we conduct experiments for our construction on a real dataset (Enron) along with a performance analysis to show its practicality. 1. INTRODUCTION Cloud computing is a promising computing model that can provide seemly limitless computation and storage resources to clients from the whole network. Owing to the convenience and flexibility, it becomes more and more prevalent in daily lives, people usually depend on cloud to store or share documents. However, as a service provider, cloud is not fully trusted by its clients and has raised many secure concerns [1–7], particularly, data are out of the physical control of its owner after outsourcing. To protect the privacy of clients, the custom is that data should be encrypted prior to outsource, in such a way, how to search over encrypted data is a challenging problem. Searchable encryption was initialized by Song et al. [8], which is a useful cryptographic solution for securely searching on encrypted data and has been intensively researched in recent years [9–13]. However, most of the schemes focus on the basic single keyword search (e.g. given a keyword ‘ w1’, to retrieve all the documents that associated with ‘ w1’), when working with complex queries (e.g. boolean queries), the schemes may incur a huge amount of bandwidth and computation overhead, since clients should firstly download all the documents that associated with the searched keyword, and then find the actually desired documents. In recent, Cash et al. [14] designed the first searchable encryption scheme that supports for sub-linear boolean queries,1 given a boolean query (e.g. w1∧ψ(w2,…,wn) ⁠, where ψ is a boolean formula over keywords (w2,…,wn) ⁠), the scheme is able to fetch the documents whose associated keywords can match the query, and the search complexity is independent of the total number of stored documents. Nevertheless, the scheme is constructed under the single-client case, in which the outsourced database can be contributed and searched by only its owner. Imagine a common scenario of cloud computing, most of the databases are contributed and searched by multiple clients. In the case, the scheme may not work effectively, since sharing the secret key among a group of clients will raise the risk of privacy disclosure. Later on, the works [15, 16] extended the scheme [14] to a new application scenario in which the outsourced database can be searched by multiple clients but contributed from only its owner. In cloud computing, sharing data with others is a common and indispensable business, particularly, in a lot of applications, the outsourced database must be contributed from multiple clients. Take e-mail systems as an example, any client in the system is able to not only send e-mails to others but also receive e-mails from others. This case is similar to the multi-client model that considered by the first public key searchable encryption scheme [9], which will be also focused on in this paper. The above sub-linear boolean query schemes suffer from providing a convincing solution for it. In the multi-client model, for a client, its public key can be used by others to encrypt a document for appending to the outsourced database; its secret key can be used to generate search tokens for queries. After receiving a search token, the cloud server can search on the database to return results for the query. It is noteworthy that how to realize sub-linear boolean query over encrypted data in the model is still remaining unexplored in previous researches. 1.1. Our contributions In this work, aiming at providing a practical privacy-preserving selectively data retrieve manner under the above mentioned multi-client model for cloud applications, we design a searchable asymmetric encryption scheme that can support boolean queries with sub-linear search complexity. To realize this, we employ not only symmetric key techniques but also a public key strategy. Specifically, we equip each client with a public key and secret key pair, and introduce a new secure inverted index to organize the outsourced database in a non-trivial way. Generally, our contributions can be summarized as follows: We are the first to propose a novel searchable asymmetric encryption scheme that supports for boolean queries with sub-linear search complexity in the multi-client model, which still retains the functionality and efficiency as previous symmetric key instantiation [14–16]. Moreover, our scheme enjoys the following two desirable features: Compared with other works [15, 16] that support for boolean queries, no any interaction between a data sender and a data receiver is needed during the system running process. In addition, by involving an identity-based encryption mechanism as a strategy in our construction, the clients can decrypt the encrypted document indices that returned by the cloud server after searching without any assistance of others. To analyze the security of our scheme, we formalize a leakage profile as the leakage function. With it we show that our scheme is adaptive semantically secure against an adversary cloud server under the simulation-based security definition [17] with a formal security analysis. We simulate our construction via a series of experiments on a real dataset Enron2 to demonstrate its practicality. The experimental results illustrate that our scheme is practically efficient from both the time cost side and storage cost side. Organization. Section 2 introduces preliminaries and Section 3 introduces the definition of system and security model. We present our construction that supports for conjunctive search and boolean queries in Section 4 and prove its security in Section 5. An implementation along with its results analysis is provided in Section 6. Section 7 presents a further enhancement of the proposed scheme, Section 8 outlines the related works and Section 9 concludes our work. 2. PRELIMINARIES In this section, we list some notations and background knowledge. Firstly, we define some notions that used in this paper as in Table 1. TABLE 1. Notations. Notation Meaning [n] The set of positive integers not larger than n ⁠, i.e.   {1,…,n} ∣A∣ The length of an array A A[i] The ith component of array A and the minimum  of i is 1 x∣∣y The concatenation of x and y ind A unique indice of a document id A unique identity of a client w A keyword Wind A set of keywords contained in the document  labeled with ind 𝖣𝖡 The outsourced database D A plain text document (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) An encrypted index of a document 𝖣𝖡[w] The set of indices of documents that contain  keyword w 𝖣𝖡[w,id] The indices of documents in 𝖣𝖡[w] with the  receiver is id Q A boolean query over keywords token A search token of a query s-term The least frequent keyword among keywords in a  query xterm Any queried keyword in a query r←RR The operation of randomly selecting an element r  from a set R ψ A boolean expression over some keywords negl(κ) A negligible function in the security parameter κ Notation Meaning [n] The set of positive integers not larger than n ⁠, i.e.   {1,…,n} ∣A∣ The length of an array A A[i] The ith component of array A and the minimum  of i is 1 x∣∣y The concatenation of x and y ind A unique indice of a document id A unique identity of a client w A keyword Wind A set of keywords contained in the document  labeled with ind 𝖣𝖡 The outsourced database D A plain text document (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) An encrypted index of a document 𝖣𝖡[w] The set of indices of documents that contain  keyword w 𝖣𝖡[w,id] The indices of documents in 𝖣𝖡[w] with the  receiver is id Q A boolean query over keywords token A search token of a query s-term The least frequent keyword among keywords in a  query xterm Any queried keyword in a query r←RR The operation of randomly selecting an element r  from a set R ψ A boolean expression over some keywords negl(κ) A negligible function in the security parameter κ View Large TABLE 1. Notations. Notation Meaning [n] The set of positive integers not larger than n ⁠, i.e.   {1,…,n} ∣A∣ The length of an array A A[i] The ith component of array A and the minimum  of i is 1 x∣∣y The concatenation of x and y ind A unique indice of a document id A unique identity of a client w A keyword Wind A set of keywords contained in the document  labeled with ind 𝖣𝖡 The outsourced database D A plain text document (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) An encrypted index of a document 𝖣𝖡[w] The set of indices of documents that contain  keyword w 𝖣𝖡[w,id] The indices of documents in 𝖣𝖡[w] with the  receiver is id Q A boolean query over keywords token A search token of a query s-term The least frequent keyword among keywords in a  query xterm Any queried keyword in a query r←RR The operation of randomly selecting an element r  from a set R ψ A boolean expression over some keywords negl(κ) A negligible function in the security parameter κ Notation Meaning [n] The set of positive integers not larger than n ⁠, i.e.   {1,…,n} ∣A∣ The length of an array A A[i] The ith component of array A and the minimum  of i is 1 x∣∣y The concatenation of x and y ind A unique indice of a document id A unique identity of a client w A keyword Wind A set of keywords contained in the document  labeled with ind 𝖣𝖡 The outsourced database D A plain text document (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) An encrypted index of a document 𝖣𝖡[w] The set of indices of documents that contain  keyword w 𝖣𝖡[w,id] The indices of documents in 𝖣𝖡[w] with the  receiver is id Q A boolean query over keywords token A search token of a query s-term The least frequent keyword among keywords in a  query xterm Any queried keyword in a query r←RR The operation of randomly selecting an element r  from a set R ψ A boolean expression over some keywords negl(κ) A negligible function in the security parameter κ View Large 2.1. Cryptographic background Definition 2.1 (DDH assumption) Let Gbe a cyclic group with prime order p ⁠, the Decision Diffie–Hellman problem is to distinguish (g,ga,gb,gab)from (g,ga,gb,gr) ⁠, where gis an element randomly selected from Gand a,b,rare randoms selected from Zp ⁠. For any probabilistic polynomial time (PPT) distinguisher D ⁠, the advantage is defined as AdvD,GDDH(κ)=∣Pr[D(g,ga,gb,gab)]−Pr[D(g,ga,gb,gr)]∣, The DDH assumption says AdvD,GDDH(κ) is negligible in κ for any PPT distinguisher D ⁠. Definition 2.2 (SXDH assumption) Let G1 ⁠, G2and GTbe three cyclic groups and each with prime order p ⁠, aand bare random elements selected from Zp ⁠, there exists an efficient asymmetric bilinear pairing e: G1×G2→GTwith satisfying: Non-degenerate: if g1 and g2 are the generators of G1 and G2 respectively, then e(g1,g2) is a generator of GT ⁠. Bilinear: e(g1a,g2b)=e(g1b,g2a)=e(g1,g2)ab ⁠. The SXDH [18] assumption says that the above three cyclic groups G1 ⁠, G2 and GT are DDH groups. Definition 2.3 (Pseudo-random function (PRF) [19]) A PRF Fis polynomial time computable function that cannot be distinguished from random functions fby any PPT adversary A ⁠. To be formally, for any PPT adversary A ⁠, the advantage is defined as AdvF,APRF(κ)=∣Pr[AF(K,·)(1κ)]−Pr[Af(·)(1κ)]∣, where K←R{0,1}κ ⁠. The F is a PRF if AdvF,APRF(κ) is negligible for any PPT adversary A ⁠. Definition 2.4 (Identity-based encryption (IBE) [20]) In general, an identity-based encryption scheme is composed of the following four algorithms: IBE. 𝖲𝖾𝗍𝗎𝗉(κ) ⁠. Takes as input a secure parameter κ ⁠, outputs a public key and master secret key pair (mpk,msk) ⁠. IBE. 𝖤𝗑𝗍𝗋𝖺𝖼𝗍(msk,id) ⁠. Takes as input msk and an identity id ⁠, outputs a secret key skid ⁠. IBE. 𝖤𝗇𝖼(mpk,m,id) ⁠. Inputs mpk ⁠, a message m and an identity id ⁠, outputs a ciphertext Cid ⁠. IBE. 𝖣𝖾𝖼(skid,Cid′) ⁠. Takes as input a secret key skid′ and a ciphertext Cid′ ⁠, if id is equal to id′ ⁠, this algorithm successfully decrypts the ciphertext. 3. SYSTEM ARCHITECTURE AND SECURITY MODEL 3.1. System architecture As shown in Fig. 1, the system architecture involves three kinds of different entities: Key Generation Center (KGC), Cloud and Clients. KGC: It is a trusted entity who initializes the system, generates the public parameter and the master secret key, it is also in charge of client’s enrollment. Cloud: It is a entity who provides data storage services and has rich computation and storage resources. Through the cloud storage service, clients can upload their data and send search requests to the cloud who provides services through honestly performing the proposed algorithms. Clients: A client wishes to share its documents to others and be shared by others. When encrypting a document, the client is responsible for defining someone as the receiver of the document. When searching documents, the client generates a search token for its query, and sends it to the cloud. FIGURE 1. View largeDownload slide System model. FIGURE 1. View largeDownload slide System model. A client firstly sends registration information to KGC and will obtain a secret key and public key pair if this enrollment is admitted. After a successful registration, the client is able to upload documents to the cloud and search over the cloud. When there is a desire of uploading a document, the client encrypts it by using its secret key and the receiver’s public key before sending to the cloud, when performing a search task, the client generates a search token for its query by using its secret key and forwards the token to cloud. After receiving a search token, the cloud is able to search over encrypted data and then return results. Definition 3.1 A searchable asymmetric encryption scheme with support for sub-linear boolean queries consists of the following six algorithms: 𝖲𝖾𝗍𝗎𝗉 ⁠, 𝖪𝖾𝗒𝖦𝖾𝗇 ⁠, 𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉 ⁠, 𝖳𝗋𝖺𝗉𝖦𝖾𝗇 ⁠, 𝖲𝖾𝖺𝗋𝖼𝗁 and 𝖱𝖾𝗍𝗋𝗂𝖾𝗏𝖾 ⁠. Specifically, these algorithms are described as follows: (pp,msk)←𝖲𝖾𝗍𝗎𝗉(1κ): The setup algorithm takes as input a secure parameter κ ⁠, generates a public parameter pp and a master secret key msk ⁠. (pk,sk)←𝖪𝖾𝗒𝖦𝖾𝗇(pp,msk,id): The key generation algorithm takes as input the public parameter pp ⁠, the master secret key msk and a client’s identity id ⁠, generates a public key and secret key pair (pk,sk) for the client. (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍)←𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉(pp,D,pk′,sk): The encryption algorithm inputs the public parameter pp ⁠, a document D ⁠, a receiver’s public key pk′ and the secret key sk of the client who is encrypting the document, outputs (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) ⁠. token←𝖳𝗋𝖺𝗉𝖦𝖾𝗇(Q,sk): The token generation algorithm inputs a boolean query Q and a secret key sk of the issuing client, generates a search token token for the query. R←𝖲𝖾𝖺𝗋𝖼𝗁(token): The search algorithm inputs a search token token ⁠, it searches on the outsourced encrypted database and returns encrypted search results R ⁠. D←𝖱𝖾𝗍𝗋𝗂𝖾𝗏𝖾(R,sk): The document retrieves algorithm inputs encrypted search results R and a client’s secret key sk ⁠, it retrieves the corresponding original documents. 3.2. Security model In the security model, we assume that cloud and clients are semi-honest. This is, cloud honestly performs the protocols but curious about the private information of data and queries. The clients also honestly perform the protocols but can try to gain the documents that the corresponding receiver is not her/him. The security model assumes that cloud and clients will not collude with each other. In the case of cloud, we follow the semantic security definition of simulation-based security from [14, 16] as well as consider only the security analysis of storing data and processing search. For simplicity, the simulator will ignore the simulation of retrieving original documents. The security is parameterized by a leakage function L ⁠, which describes the information of encrypted data and queries that allowed to be known by cloud. Simply speaking, security says that the view of cloud during an adaptive attack can be simulated given only the outputs of leakage function L ⁠. Definition 3.2 Let Πbe a scheme that described in Section3.1. For two efficient algorithms Aand S ⁠, we define the security via the following two experiments RealAΠ(κ)and IdealA,SΠ(κ) ⁠. RealAΠ(κ): A(1κ)repeatedly chooses an encryption tuple (⁠ D ⁠, id′ ⁠, id ⁠)3or a query tuple (⁠ Q ⁠, id ⁠).4If it chooses an encryption tuple, the experiment runs (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍)←𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉(pp,D,pk′,sk)and returns (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍)to A ⁠, where the pk′is the public key of the receiver and the skis the secret key of the client who encrypts the document; otherwise the game runs token←𝖳𝗋𝖺𝗉𝖦𝖾𝗇(Q,sk)with inputting (Q,sk)and R←𝖲𝖾𝖺𝗋𝖼𝗁(token)with inputting the search token, where the skis the secret key of the issuing client, then gives the transcript and the issuing client’s outputs to A ⁠. Finally, Areturns a bit as an output of the experiment. IdealA,SΠ(κ):The game initializes two empty arrays dand q ⁠, sets two counters i=1and j=1 ⁠. A(1κ)repeatedly chooses an encryption tuple (⁠ D ⁠, id′ ⁠, id ⁠) or a query tuple (⁠ Q ⁠, id ⁠), if it chooses an encryption tuple, Arecords this tuple as d[i]and computes i=i+1 ⁠, the experiment runs (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍)←S(L(d,q))and returns (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍)to A ⁠, otherwise the experiment records the query tuple as q[j] ⁠, computes j=j+1and runs S(L(d,q))to output transcript to A ⁠. In the end, Areturns a bit as the output of the experiment. We say the Π is L-semantically secure against an adaptive adversary if there exists an algorithm S s.t. Pr[RealAΠ(κ)=1]−Pr[IdealA,SΠ(κ)=1]≤negl(κ). Next, we formalize the security against a semi-honest client who may try to gain the documents that the corresponding receiver is not her/him. In our setting, each client is only permitted to access the documents that the corresponding receiver is her/him. Loosely speaking, the security requires that a client cannot forge a valid search token of other clients. To formalize this, We indicate the following game 𝖦𝖺𝗆𝖾tokenUF between a challenger and an adversary. Init. The challenger runs 𝖲𝖾𝗍𝗎𝗉(1κ) to get (pp,msk) ⁠, and returns public parameter to the adversary. Query. When receiving a key query request for id ⁠, the challenger runs 𝖪𝖾𝗒𝖦𝖾𝗇(pp,msk,id) to get (pk,sk) ⁠, and returns the key pair to the adversary. Challenge. The adversary chooses a fresh identity id ⁠, the challenger runs 𝖪𝖾𝗒𝖦𝖾𝗇(pp,msk,id) to get (pk,sk) ⁠, and returns pk to the adversary. Output. The adversary outputs a search token for the challenging identity id ⁠, and the challenger outputs one if the search token is valid. Definition 3.3 The search token is said to be unforgeable in Πif for all PPT adversary its advantage Pr[𝖦𝖺𝗆𝖾tokenUF(κ)=1]is negligible. 4. THE PROPOSED SCHEME In this section, we first give a high level description of our techniques, and then present the proposed searchable encryption scheme to deal with conjunctive search in the form of (⁠ w1∧⋯∧wn ⁠), followed by an extension of supporting other boolean queries. 4.1. Overview Inverted index (Fig. 2) is a kind of data structure that has been extensively adopted to organize data files in many systems. To demonstrate the practicality of it for processing boolean queries, let have an example of processing query (w1∧w2∧w3) issued by id1 ⁠. In the traditional index method, the time complexity of processing this query is linear to the total of documents, one should scan all the documents for finding which match the query. In the inverted index method, to process the query, one needs to just fetch the lists of keywords w1 ⁠, w2 and w3 ⁠, and then find the documents of id1 after making a conjunctive operation over the indices between the lists, therefore, the time complexity is not relevant to the total of documents. FIGURE 2. View largeDownload slide The inverted index. FIGURE 2. View largeDownload slide The inverted index. Although the inverted index method is practical for processing boolean queries, it cannot be directly deployed in ciphertext domain to achieve our purpose, this is because the conjunctive operations will disclose the information about the database. To solve this, we design a new secure inverted index, as shown in Fig. 3. Our key idea is as follows. First, we map entries in the traditional inverted index into the secure index by computing locations using pseudo-random functions, in each location of the secure index, we put the processed content of its corresponding entry. In order to avoid the conjunctive operations during search processes, we technically record the relations between keyword, indice and identity in an encrypted form (please see the figure for an example). FIGURE 3. View largeDownload slide Our secure index method. FIGURE 3. View largeDownload slide Our secure index method. Afterwards, boolean queries can be performed over the secure index by using search tokens. Let us take the process of a query (w1∧w2∧w3) from the client id1 as an example. After receiving the search token, the cloud can find the locations of entries in the list of w1 ⁠, these entries are obviously associated with w1 ⁠, the remaining task is to discriminate the entries that are also associated with the other two keywords and belong to the client. To achieve this, the cloud computes the tags of relations by using search tokens and the content, and then checks whether the tags exist in the secure index or not. However, as well known, updating the database is hard when inverted index is deployed. Fortunately, inspired by dynamic symmetric searchable schemes [21, 22], we set up a dictionary δ to record the state about the size of 𝖣𝖡[w] for each keyword. The dictionary can be easily stored at a cloud server in ciphertext form, and be retrieved by clients when encrypting documents. We define two kinds of functions of δ as follows: c←𝖦𝖾𝗍(w,δ): It takes as input a keyword w and the dictionary δ ⁠, outputs c which is a counter that records the current size of 𝖣𝖡[w] ⁠. If w does not exist in δ ⁠, it outputs 0. 𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,c): It takes as input the dictionary δ ⁠, a keyword w and a number c ⁠, updates the recorded size of 𝖣𝖡[w] in δ to c ⁠. If w does not exist in δ ⁠, it inserts (w,c) into δ ⁠. As a further enhancement, we will discuss in Section 7 on how to remove this building block from our construction. 4.2. Our construction Let G1 ⁠, G2 and GT be three groups with prime order p and a bilinear map e:G1×G2→GT ⁠, where g1 and g2 are the generators of G1 and G2 respectively. Let F be a pseudo-random function (PRF) with range in {0,1}* ⁠, Fp be a PRF with range in Zp ⁠, H:{0,1}*→G2 is a cryptographic collision-resistant hash function, IBE=(𝖲𝖾𝗍𝗎𝗉,𝖤𝗑𝗍𝗋𝖺𝖼𝗍,𝖤𝗇𝖼,𝖣𝖾𝖼) be an identity-based encryption scheme, we assume the keyword space is big enough. 𝖲𝖾𝗍𝗎𝗉(1κ)̲: Takes as input a secure parameter κ ⁠, KGC runs (mpk′,msk′)←IBE.𝖲𝖾𝗍𝗎𝗉(1κ) and selects two keys Kx,Kz←R{0,1}n for the PRF Fp and a key Kl←R{0,1}n for F ⁠. Sets the public parameter as pp=(G1,G2,GT,p,e,g1,g2,F,Fp,H,mpk′) and the master secret key as msk=(msk′,Kx,Kz,Kl). The algorithm outputs the public parameter pp and the master secret key msk ⁠. 𝖪𝖾𝗒𝖦𝖾𝗇(pp,msk,id)̲: Takes as input pp ⁠, msk and a client’s identity id ⁠, KGC selects s1←RZp and computes s2←IBE.𝖤𝗑𝗍𝗋𝖺𝖼𝗍(msk′,id). The algorithm outputs the public key and secret pair for the client as pk=(g1s1,id) and sk=(s1,s2,Kx,Kz,Kl) ⁠. 𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉(pp,D,pk′,sk)̲: The main process of encrypting a document is shown in Algorithm 1. Takes as input a document D uniquely labeled with ind ⁠, the client extracts all of the distinct keywords and construct a keyword set Wind ⁠, and then encrypts the document by running a symmetric key encryption algorithm (e.g. AES) with a randomly selected secret key Kind ⁠. Algorithm 1 𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉 ⁠. Input: pp,D,pk′,sk Output: 𝖤𝖣𝖡,𝖷𝖲𝖾𝗍 1: functionEDBSetup(⁠ pp,D,pk′,sk ⁠) 2:   𝖤𝖣𝖡←{} ⁠, 𝖷𝖲𝖾𝗍←{} 3:   pk′=(g1s1′,id′),sk=(s1,s2,Kx,Kz,Kl) 4:  for w∈Winddo 5:    cw←𝖦𝖾𝗍(w,δ) ⁠, cw=cw+1 6:    𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,cw) 7:  end for 8:   xind←Fp(Kx,ind) 9:  for w∈Winddo 10:    l←F(Kl,w∣∣cw) ⁠, z←Fp(Kz,w∣∣cw) 11:    e0←IBE.𝖤𝗇𝖼(mpk′,ind∣∣Kind,id′) 12:    e1←g1xind·z 13:    𝗑𝗍𝖺𝗀←e(g1s1′,H(w)xind) 14:    𝖤𝖣𝖡[l]=(e0,e1) ⁠, 𝖷𝖲𝖾𝗍←𝖷𝖲𝖾𝗍∪𝗑𝗍𝖺𝗀 15:  end for 16:  return 𝖤𝖣𝖡 ⁠, 𝖷𝖲𝖾𝗍 17: end function. Input: pp,D,pk′,sk Output: 𝖤𝖣𝖡,𝖷𝖲𝖾𝗍 1: functionEDBSetup(⁠ pp,D,pk′,sk ⁠) 2:   𝖤𝖣𝖡←{} ⁠, 𝖷𝖲𝖾𝗍←{} 3:   pk′=(g1s1′,id′),sk=(s1,s2,Kx,Kz,Kl) 4:  for w∈Winddo 5:    cw←𝖦𝖾𝗍(w,δ) ⁠, cw=cw+1 6:    𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,cw) 7:  end for 8:   xind←Fp(Kx,ind) 9:  for w∈Winddo 10:    l←F(Kl,w∣∣cw) ⁠, z←Fp(Kz,w∣∣cw) 11:    e0←IBE.𝖤𝗇𝖼(mpk′,ind∣∣Kind,id′) 12:    e1←g1xind·z 13:    𝗑𝗍𝖺𝗀←e(g1s1′,H(w)xind) 14:    𝖤𝖣𝖡[l]=(e0,e1) ⁠, 𝖷𝖲𝖾𝗍←𝖷𝖲𝖾𝗍∪𝗑𝗍𝖺𝗀 15:  end for 16:  return 𝖤𝖣𝖡 ⁠, 𝖷𝖲𝖾𝗍 17: end function. Algorithm 1 𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉 ⁠. Input: pp,D,pk′,sk Output: 𝖤𝖣𝖡,𝖷𝖲𝖾𝗍 1: functionEDBSetup(⁠ pp,D,pk′,sk ⁠) 2:   𝖤𝖣𝖡←{} ⁠, 𝖷𝖲𝖾𝗍←{} 3:   pk′=(g1s1′,id′),sk=(s1,s2,Kx,Kz,Kl) 4:  for w∈Winddo 5:    cw←𝖦𝖾𝗍(w,δ) ⁠, cw=cw+1 6:    𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,cw) 7:  end for 8:   xind←Fp(Kx,ind) 9:  for w∈Winddo 10:    l←F(Kl,w∣∣cw) ⁠, z←Fp(Kz,w∣∣cw) 11:    e0←IBE.𝖤𝗇𝖼(mpk′,ind∣∣Kind,id′) 12:    e1←g1xind·z 13:    𝗑𝗍𝖺𝗀←e(g1s1′,H(w)xind) 14:    𝖤𝖣𝖡[l]=(e0,e1) ⁠, 𝖷𝖲𝖾𝗍←𝖷𝖲𝖾𝗍∪𝗑𝗍𝖺𝗀 15:  end for 16:  return 𝖤𝖣𝖡 ⁠, 𝖷𝖲𝖾𝗍 17: end function. Input: pp,D,pk′,sk Output: 𝖤𝖣𝖡,𝖷𝖲𝖾𝗍 1: functionEDBSetup(⁠ pp,D,pk′,sk ⁠) 2:   𝖤𝖣𝖡←{} ⁠, 𝖷𝖲𝖾𝗍←{} 3:   pk′=(g1s1′,id′),sk=(s1,s2,Kx,Kz,Kl) 4:  for w∈Winddo 5:    cw←𝖦𝖾𝗍(w,δ) ⁠, cw=cw+1 6:    𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,cw) 7:  end for 8:   xind←Fp(Kx,ind) 9:  for w∈Winddo 10:    l←F(Kl,w∣∣cw) ⁠, z←Fp(Kz,w∣∣cw) 11:    e0←IBE.𝖤𝗇𝖼(mpk′,ind∣∣Kind,id′) 12:    e1←g1xind·z 13:    𝗑𝗍𝖺𝗀←e(g1s1′,H(w)xind) 14:    𝖤𝖣𝖡[l]=(e0,e1) ⁠, 𝖷𝖲𝖾𝗍←𝖷𝖲𝖾𝗍∪𝗑𝗍𝖺𝗀 15:  end for 16:  return 𝖤𝖣𝖡 ⁠, 𝖷𝖲𝖾𝗍 17: end function. The client takes as input its secret key sk=(s1,s2,Kx,Kz,Kl) ⁠, the public parameter pp ⁠, the receiver’s public key pk′=(g1s1′,id′) ⁠, builds two empty sets 𝖤𝖣𝖡 and 𝖷𝖲𝖾𝗍 ⁠. For each keyword w∈Wind ⁠, the client gets the current size of 𝖣𝖡[w] by cw←𝖦𝖾𝗍(w,δ) ⁠, computes cw=cw+1, and runs 𝖴𝗉𝖽𝖺𝗍𝖾(δ,w,cw). The client computes xind←Fp(Kx,ind) ⁠. Then, for each keyword w∈Wind ⁠, it does the following: Compute l←F(Kl,w∣∣cw),z←Fp(Kz,w∣∣cw). Set 𝖤𝖣𝖡[l]=(e0,e1) ⁠, where e0←IBE.𝖤𝗇𝖼(mpk′,ind∣∣Kind,id′) and e1←g1xind·z. Add a tag 𝗑𝗍𝖺𝗀←e(g1s1′,H(w)xind) of the relation (⁠ w ⁠, ind ⁠, id′ ⁠) to 𝖷𝖲𝖾𝗍 ⁠. The client outsources (𝖤𝖣𝖡,𝖷𝖲𝖾𝗍) and the encrypted original document to the cloud. 𝖳𝗋𝖺𝗉𝖦𝖾𝗇(Q,sk)̲: The main process of generating a search token is shown in Algorithm 2. The client takes as input a query Q=(w1∧⋯∧wn) and a secret key sk=(s1,s2,Kx,Kz,Kl) ⁠, where we assume that w1 is the s-term of the query. Algorithm 2 𝖳𝗋𝖺𝗉𝖦𝖾𝗇 ⁠. Input: Q,sk Output: token 1: function TrapGen(⁠ Q,sk ⁠) 2:   Q=(w1∧⋯∧wn) ⁠, sk=(s1,s2,Kx,Kz,Kl) 3:  for i=1,2,… until cloud server sends stop do 4:    li←F(Kl,w1∣∣i),zi←Fp(Kz,w1∣∣i) 5:   for j∈[n]do 6:     𝖳𝗋𝖺𝗉[i][j]=H(wj)s1/zi 7:   end for 8:   Send (⁠ li,𝖳𝗋𝖺𝗉[i] ⁠) to the cloud. 9:  end for 10:  return token=((li)i=1cw1,𝖳𝗋𝖺𝗉) 11: end function. Input: Q,sk Output: token 1: function TrapGen(⁠ Q,sk ⁠) 2:   Q=(w1∧⋯∧wn) ⁠, sk=(s1,s2,Kx,Kz,Kl) 3:  for i=1,2,… until cloud server sends stop do 4:    li←F(Kl,w1∣∣i),zi←Fp(Kz,w1∣∣i) 5:   for j∈[n]do 6:     𝖳𝗋𝖺𝗉[i][j]=H(wj)s1/zi 7:   end for 8:   Send (⁠ li,𝖳𝗋𝖺𝗉[i] ⁠) to the cloud. 9:  end for 10:  return token=((li)i=1cw1,𝖳𝗋𝖺𝗉) 11: end function. Algorithm 2 𝖳𝗋𝖺𝗉𝖦𝖾𝗇 ⁠. Input: Q,sk Output: token 1: function TrapGen(⁠ Q,sk ⁠) 2:   Q=(w1∧⋯∧wn) ⁠, sk=(s1,s2,Kx,Kz,Kl) 3:  for i=1,2,… until cloud server sends stop do 4:    li←F(Kl,w1∣∣i),zi←Fp(Kz,w1∣∣i) 5:   for j∈[n]do 6:     𝖳𝗋𝖺𝗉[i][j]=H(wj)s1/zi 7:   end for 8:   Send (⁠ li,𝖳𝗋𝖺𝗉[i] ⁠) to the cloud. 9:  end for 10:  return token=((li)i=1cw1,𝖳𝗋𝖺𝗉) 11: end function. Input: Q,sk Output: token 1: function TrapGen(⁠ Q,sk ⁠) 2:   Q=(w1∧⋯∧wn) ⁠, sk=(s1,s2,Kx,Kz,Kl) 3:  for i=1,2,… until cloud server sends stop do 4:    li←F(Kl,w1∣∣i),zi←Fp(Kz,w1∣∣i) 5:   for j∈[n]do 6:     𝖳𝗋𝖺𝗉[i][j]=H(wj)s1/zi 7:   end for 8:   Send (⁠ li,𝖳𝗋𝖺𝗉[i] ⁠) to the cloud. 9:  end for 10:  return token=((li)i=1cw1,𝖳𝗋𝖺𝗉) 11: end function. The client sets i=1 and incrementally increases it until the cloud sends stop. For each i ⁠, it does the following: Compute li←F(Kl,w1∣∣i),zi←Fp(Kz,w1∣∣i). For j=1,…,n ⁠, compute 𝖳𝗋𝖺𝗉[i][j]=H(wj)s1/zi. Send token[i]=(li,𝖳𝗋𝖺𝗉[i]) to the cloud. 𝖲𝖾𝖺𝗋𝖼𝗁(token)̲: The main process of searching is shown in Algorithm 3. Upon receiving a search request, the cloud sets a empty set R ⁠. Algorithm 3 𝖲𝖾𝖺𝗋𝖼𝗁 ⁠. Input: token Output: R 1: functionSearch(⁠ token ⁠) 2:   token=((l1,𝖳𝗋𝖺𝗉[1]),(l2,𝖳𝗋𝖺𝗉[2]),…) ⁠, R←{} 3:   i=1 4:  while 𝖤𝖣𝖡[li] exists do 5:    (e0,e1)←𝖤𝖣𝖡[li] 6:   if e(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍 for all jthen 7:     R←R∪e0 8:   end if 9:    i=i+1 10:  end while 11:  Send stop 12:  return R 13: end function Input: token Output: R 1: functionSearch(⁠ token ⁠) 2:   token=((l1,𝖳𝗋𝖺𝗉[1]),(l2,𝖳𝗋𝖺𝗉[2]),…) ⁠, R←{} 3:   i=1 4:  while 𝖤𝖣𝖡[li] exists do 5:    (e0,e1)←𝖤𝖣𝖡[li] 6:   if e(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍 for all jthen 7:     R←R∪e0 8:   end if 9:    i=i+1 10:  end while 11:  Send stop 12:  return R 13: end function Algorithm 3 𝖲𝖾𝖺𝗋𝖼𝗁 ⁠. Input: token Output: R 1: functionSearch(⁠ token ⁠) 2:   token=((l1,𝖳𝗋𝖺𝗉[1]),(l2,𝖳𝗋𝖺𝗉[2]),…) ⁠, R←{} 3:   i=1 4:  while 𝖤𝖣𝖡[li] exists do 5:    (e0,e1)←𝖤𝖣𝖡[li] 6:   if e(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍 for all jthen 7:     R←R∪e0 8:   end if 9:    i=i+1 10:  end while 11:  Send stop 12:  return R 13: end function Input: token Output: R 1: functionSearch(⁠ token ⁠) 2:   token=((l1,𝖳𝗋𝖺𝗉[1]),(l2,𝖳𝗋𝖺𝗉[2]),…) ⁠, R←{} 3:   i=1 4:  while 𝖤𝖣𝖡[li] exists do 5:    (e0,e1)←𝖤𝖣𝖡[li] 6:   if e(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍 for all jthen 7:     R←R∪e0 8:   end if 9:    i=i+1 10:  end while 11:  Send stop 12:  return R 13: end function When receiving a token[i]=(li,𝖳𝗋𝖺𝗉[i]) ⁠, the cloud checks whether 𝖤𝖣𝖡[li] is existed or not. If it does not exist, then sends stop to the client, otherwise, it does the following: Fetch (e0,e1)←𝖤𝖣𝖡[li] ⁠. Check whether e(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍 or not for all j ⁠, if it is, then R←R∪e0 ⁠. The cloud returns the results R to the client. 𝖱𝖾𝗍𝗋𝗂𝖾𝗏𝖾(R,sk)̲: To retrieve the original documents, the client proceeds as follows: For each e0 in R ⁠, recover (ind∣∣Kind)←IBE.𝖣𝖾𝖼(s2,e0) ⁠. Send ind s to the cloud server for fetching the corresponding encrypted original documents. Decrypt the encrypted original documents with the corresponding secret key Kind ⁠. 4.3. Processing boolean queries We continue to discuss how to extend our scheme to work with other boolean queries, i.e. ‘ w1∧ψ(w2,…,wn)’, where ψ is an arbitrary boolean formula over (w2,…,wn) ⁠. Similar to [14, 16], the client computes token as same as in processing a conjunctive search in addition to send it with a boolean formula ψ¯ to the cloud, where ψ¯ is the same as ψ except that the keywords are replaced by (v2,…,vn) ⁠. After receiving a search token, the cloud server uses li to retrieve the tuples (e0,e1) that associated with w1 ⁠, where the difference with the conjunctive search is the way to determine which tuples (e0,e1) match ψ¯ ⁠. For each tuple (e0,e1)←𝖤𝖣𝖡[li] ⁠, the cloud computes (v2,…,vn) as vj=1,ife(e1,𝖳𝗋𝖺𝗉[i][j])∈𝖷𝖲𝖾𝗍;0,otherwise. where j=2,…,n ⁠. The value of ψ¯ is true and e(e1,𝖳𝗋𝖺𝗉[i][1])∈𝖷𝖲𝖾𝗍 indicate that the tuple matches this query, then e0 can be added to R ⁠. The time complexity of a search process for a boolean query is also determined by the number of documents associated with s-term, which is as same as in the processing of conjunctive search. The leakage information is also as same as the case of processing a conjunctive search except ψ¯ is known by the cloud. 5. SECURITY ANALYSIS 5.1. Leakage analysis The constructions that we discuss in this work leak limited information, we will analyze the leakage of the conjunctive keyword search scheme, since it can be easily extended to support boolean queries with the same security guarantees. We proceed to describe and formalize these leakages below. Let d be a array records the encryption tuples and q be a array records query tuples, we write q[i]=(s[i],x[i],id[i]) as the ith query in array q ⁠, where s[i] represents the s-term, x[i] is an array includes all xterms in this query and id[i] is the issuing client’s identity. Takes as input d and q ⁠, the leakage function L(d,q) outputs the following items: 𝗈𝗉 is an array records the type of each operation, its length is ∣𝗈𝗉∣=∣d∣+∣q∣ and the type of each operation is either ‘encrypt’ or ‘search’. 𝗋𝖨𝖣 is an array that records the receiver’s identity in each encryption tuple. 𝗊𝖨𝖣 is an array that records the issuing client’s identity in each query tuple. 𝖭 is an array that records the number of keywords in each document, namely, the size of each 𝖤𝖣𝖡 and 𝖷𝖲𝖾𝗍 ⁠. s¯ is an array records the equality pattern of the s-terms, indicating which queries have the same s-term. Roughly speaking, if s=(a,b,a,c,b) ⁠, then we have s¯=(1,2,1,3,2) ⁠. 𝖱𝖯 reveals the indices with the receiver is id[i] in the intersection of the s-term with any xterm in the same query, it conforms to 𝖱𝖯[i,α]=𝖣𝖡[s[i],id[i]]∩𝖣𝖡[x[i,α]] ⁠. Furthermore, we let 𝖱𝖯[i,α,d] denote the ind in 𝖱𝖯[i,α] that contained in d[d] ⁠. 𝖲𝖱𝖯 is the search results pattern, in which the i-th element is the matching results of s-term in the i-th query, this is 𝖲𝖱𝖯[i]=𝖣𝖡[s[i]] ⁠. Due to the fact that our scheme supports for dynamically adding documents to the outsourced database, so the matching results of the same s-terms in different queries may be different. 𝖨𝖯 is the conditional intersection pattern, it behaves as 𝖨𝖯[i1,i2,α,β]=𝖣𝖡[s[i1]]∩𝖣𝖡[s[i2]](a)∅(b) ⁠. Here, 𝖨𝖯[i1,i2,α,β] holds the case (a) when s[i1]≠s[i2],x[i1,α]=x[i2,β] and 𝗊𝖨𝖣[i1]=𝗊𝖨𝖣[i2] ⁠, otherwise it is an empty set. 𝖽𝖱𝖯 is a 2D array in which 𝖽𝖱𝖯[i][j]==1 implies a 𝖤𝖣𝖡[l] generated by d[i] is retrieved by the s-term s[j] ⁠, otherwise it equals to 0. 𝗑𝗍[𝗂]=∣x[i,·]∣ records the number of xterms in the i-th query. Understanding leakage. We explain the above leakage in below. 𝗈𝗉 is directly known by the cloud server, following the fact that the cloud knows what it is doing in each operation. 𝗋𝖨𝖣 indicates the identity of receiver in each encryption tuple, which can be easily uncovered via anonymous IBE techniques, but we admit it for designing security proof as well as the 𝗊𝖨𝖣 that records the issuing client’s identity in each search operation. 𝖭 shows the size of each 𝖤𝖣𝖡 and 𝖷𝖲𝖾𝗍 ⁠, a simple way to prevent it from being leaked is to add some dummy entries. The equality pattern s¯ indicates that whether some queries have a same s-term, which is the result of taking inverted index to guarantee optimal search complexity. 𝖱𝖯 captures the intersection of s-term with any xterm in a same query, 𝖲𝖱𝖯 denotes the document indices related to s-terms and 𝖨𝖯 reveals the part results of the intersection between every two s-terms under a specified condition. We state that the leakage in 𝖱𝖯 ⁠, 𝖲𝖱𝖯 and 𝖨𝖯 are overstated as in [14–16] for designing security proof. The components 𝖽𝖱𝖯 and 𝗑𝗍 are straightforward to be known. The comparison of leakage among the previous works is shown in Table 2. TABLE 2. Leakage comparison among searchable encryption schemes that support for boolean queries. Leakage items [14] [15] [16] Our 𝗈𝗉 ⁠, 𝖭 ⁠, s¯ ⁠, 𝖱𝖯 ⁠, 𝖲𝖱𝖯 ⁠, 𝖨𝖯 ⁠, 𝗑𝗍 √ √ √ √ 𝗋𝖨𝖣 ⁠, 𝗊𝖨𝖣 ⁠, 𝖽𝖱𝖯 - - - √ Leakage items [14] [15] [16] Our 𝗈𝗉 ⁠, 𝖭 ⁠, s¯ ⁠, 𝖱𝖯 ⁠, 𝖲𝖱𝖯 ⁠, 𝖨𝖯 ⁠, 𝗑𝗍 √ √ √ √ 𝗋𝖨𝖣 ⁠, 𝗊𝖨𝖣 ⁠, 𝖽𝖱𝖯 - - - √ ‘-’ means the scheme does not have this component. View Large TABLE 2. Leakage comparison among searchable encryption schemes that support for boolean queries. Leakage items [14] [15] [16] Our 𝗈𝗉 ⁠, 𝖭 ⁠, s¯ ⁠, 𝖱𝖯 ⁠, 𝖲𝖱𝖯 ⁠, 𝖨𝖯 ⁠, 𝗑𝗍 √ √ √ √ 𝗋𝖨𝖣 ⁠, 𝗊𝖨𝖣 ⁠, 𝖽𝖱𝖯 - - - √ Leakage items [14] [15] [16] Our 𝗈𝗉 ⁠, 𝖭 ⁠, s¯ ⁠, 𝖱𝖯 ⁠, 𝖲𝖱𝖯 ⁠, 𝖨𝖯 ⁠, 𝗑𝗍 √ √ √ √ 𝗋𝖨𝖣 ⁠, 𝗊𝖨𝖣 ⁠, 𝖽𝖱𝖯 - - - √ ‘-’ means the scheme does not have this component. View Large 5.2. Security proof In this section, we prove the security of the conjunctive keyword search scheme. Similar to [14–16], we firstly sketch a security analysis for the proposed scheme against non-adaptive attacks by designing a simulator, and then discuss the security against adaptive attacks. At final, we analyze the unforgeability of a search token. Theorem 5.1 Our scheme is L-semantically secure against non-adaptive attacks where Lis the leakage function defined in Section5.1, assuming that the SXDH assumption holds in G1 ⁠, G2and GT ⁠, Fand Fpare secure PRFs and the underlying IBE scheme is IND-sID-CPA secure. Proof The non-adaptive means the adversary submits the completed encryption tuple array d and query tuple array q at the same time. Given the leakage function L(d,q)=(𝗈𝗉,𝗋𝖨𝖣,𝗊𝖨𝖣,𝖭,s¯,𝖱𝖯,𝖲𝖱𝖯,𝖽𝖱𝖯,𝖨𝖯,𝗑𝗍), we can construct a simulator as follows. (The details of simulator are given in Algorithm 4 at appendix.) The simulator firstly computes a restricted equality pattern x¯ to describe which xterms are ‘known’ to be equal by the cloud. Assuming the existences of ind,t1 and t2 such that (ind∈𝖣𝖡[s[t1]]∩𝖣𝖡[s[t2]])∧(𝗊𝖨𝖣[t1]=𝗊𝖨𝖣[t2]) ⁠, then the cloud is able to learn whether x[t1,α] is equal to x[t2,β] or not from the value ‘ e(e1,𝖳𝗋𝖺𝗉[i][j])’ which is computed in search phase and determined by a relation (w,ind,id) ⁠. Therefore, the simulator could define a 2D array x¯[t,α] to indicate which xterms are equal. This is, the simulator sets x¯[t1,α]=x¯[t2,β] if 𝖨𝖯[t1,t2,α,β]≠∅ ⁠. Particularly, we have (x¯[t1,α]=x¯[t2,β])⇒x[t1,α]=x[t2,β] and (x[t1,α]=x[t2,β])∧(𝖣𝖡[s[t1]]∩𝖣𝖡[s[t2]]≠∅)∧(𝗊𝖨𝖣[t1]=𝗊𝖨𝖣[t2])⇒x¯[t1,α]=x¯[t2,β]. In the first, the simulator sets up two arrays H2 and H3 that indexed by relations (w,ind,id)∈(x¯,𝖱𝖯∪𝖱𝖯,𝗋𝖨𝖣) ⁠, where H2[w,ind,id] is a random element from G2 and H3[w,ind,id] is computed as e(g1,H2[w,ind,id]) ⁠. After that, the simulator generates transcripts according to the order of operations in 𝗈𝗉 ⁠, that described in the 𝖨𝗇𝗂𝗍𝗂𝖺𝗅𝗂𝗓𝖾 function of Algorithm 4. To simulate the process of encrypting a document, the simulator performs the 𝖤𝖣𝖡𝖲𝖾𝗍𝗎𝗉 and 𝖷𝖲𝖾𝗍𝖲𝖾𝗍𝗎𝗉 functions in Algorithm 4. It fills out the entries of 𝖤𝖣𝖡 with random tuples (e0,e1) ⁠. Note that the simulator records the exponent part of e1 in an array H1 ⁠, if it will be accessed in search phase. The 𝖷𝖲𝖾𝗍 is crammed with random elements except the 𝗑𝗍𝖺𝗀 s are generated by using H3 if it will be accessed in search phase. To simulate a search token for a query, the simulator performs the 𝖳𝗋𝖺𝗇𝖦𝖾𝗇 function of Algorithm 4. Recall that, (1) a 𝗑𝗍𝖺𝗀 determined by a relation (w,ind,id) will be accessed if ind matches a conjunction within the query that issued by a client id and uses a keyword w ⁠, (2) the value e(e1,𝖳𝗋𝖺𝗉[i][j]) corresponds to a relation (w,ind,id) will be repeated if ind will be accessed by a client id with a same keyword w in later queries. To make the same reads for the adversary, the simulator calculates a set R which contains the document indices that matching the above two cases, this is, the indices match (1) are calculated by using 𝖱𝖯 and those that match (2) are by using 𝖨𝖯 ⁠. To complete the outputs, the simulator computes 𝖱𝖾𝗌𝖨𝗇𝖽𝗌 by using 𝖱𝖯 instead of decrypting the invalid ciphertexts in 𝖱𝖾𝗌 ⁠. □ By the simulator, we can conclude that Pr[RealAΠ(κ)=1]−Pr[IdealA,SΠ(κ)=1]≤AdvG1,B1DDH(κ)+AdvG2,B2DDH(κ)+AdvGT,B3DDH(κ)+2·AdvFp,B4PRF(κ)+ploy(·)·AdvIBE,B5IND-ID-CPA(κ), where ploy(·) says the IBE is operated for polynomial times of encryption. Here, we assume three adversaries B1 ⁠, B2 and B3 can break the DDH assumption in G1 ⁠, G2 and GT with advantage AdvG1,B1DDH(κ) ⁠, AdvG2,B2DDH(κ) and AdvGT,B3DDH(κ) ⁠, respectively, an adversary B4 can break the PRF Fp with advantage AdvFp,B4PRF(κ) and an adversary B5 can break the IBE scheme with advantage AdvIBE,B5IND-ID-CPA(κ) ⁠. Theorem 5.2 Let Lbe the leakage function defined in Section5.1, our scheme is L-semantically secure against adaptive attacks, assuming that the SXDH assumption holds in G1,G2and GT ⁠, the PRFs Fand Fpare secure PRFs and the underlying IBEis IND-sID-CPA secure. Proof Inspired by [14–16], we prove the scheme is L-semantically secure against adaptive attacks. In sample terms, the adaptively means an adversary selects an encryption tuple or a query tuple step by step as in the Definition 3.2. To simulate 𝖤𝖣𝖡 and 𝖷𝖲𝖾𝗍 ⁠, the simulator randomly chooses y for generating entries in 𝖤𝖣𝖡 and selects random values from G2 to generate xtag s in 𝖷𝖲𝖾𝗍 ⁠. To simulate the response for each query, the simulator could adaptively assign the above values to H1 ⁠, H2 and H3 ⁠. Thus, the core technique of the proof is that: add random values to generate 𝖤𝖣𝖡 and 𝖷𝖲𝖾𝗍 at first, then initialize hash functions H1,H2 and H3 ⁠.□ Theorem 5.3 The search token is unforgeable, if the SXDH assumption holds in G1,G2and GT ⁠. Proof The proof is straightforward, due to the fact that SXDH assumption holds and the component s1 in a client’s secret key is randomly selected. Therefore, in the game the adversary A can win with a negligible advantage since it cannot resolve s1 from g1s1 as long as DDH assumption holds in G1 ⁠. We can observe that no one can generate a valid search token beyond its identity, e.g. Bob generates a search token of Alice’s, except that Bob can succeed to guess the s1 of Alice’s. □ 6. PERFORMANCE 6.1. Theoretical analysis Compared with the previous works [14–16] that support for sub-linear boolean queries and rely on the simple symmetric key operations, we give a searchable encryption scheme that has a lot of desirable features via symmetric key operations and a public key strategy. To achieve this, we leverage an asymmetric bilinear map in our construction which may bring about a little more expensive time cost than [14–16]. On the other hand, the document indices are encrypted by using an IBE primitive rather than symmetric encryption. The IBE-type ciphertext also brings about some storage costs to the cloud. But with involving such an IBE primitive in our scheme, a client is able to achieve flexible control on its documents. Hence, the caused additional costs are quite acceptable since ours realize a more advanced model: multi-client model. Concretely, we summarize a comparison in Table 3. We then compare their computation costs in terms of generating a search token for a conjunctive search (e.g. Q=(w1∧w2∧⋯∧wn) ⁠, where w1 is s-term), as shown in Table 4. TABLE 3. Features comparison among searchable encryption schemes with support for boolean queries. Sch. Multi-clienta Non-interactionb Dynamicc [14] No No [15] No No No [16] No Yes No Ours Yes Yes Yes Sch. Multi-clienta Non-interactionb Dynamicc [14] No No [15] No No No [16] No Yes No Ours Yes Yes Yes aMultiple clients can store documents to the outsourced database, and multiple clients can search over the outsourced database. bWhen generating a search token, a client needs not to interact with the senders (data owners). cThe outsourced database supports clients to dynamically add documents at any time point during its whole lifetime. View Large TABLE 3. Features comparison among searchable encryption schemes with support for boolean queries. Sch. Multi-clienta Non-interactionb Dynamicc [14] No No [15] No No No [16] No Yes No Ours Yes Yes Yes Sch. Multi-clienta Non-interactionb Dynamicc [14] No No [15] No No No [16] No Yes No Ours Yes Yes Yes aMultiple clients can store documents to the outsourced database, and multiple clients can search over the outsourced database. bWhen generating a search token, a client needs not to interact with the senders (data owners). cThe outsourced database supports clients to dynamically add documents at any time point during its whole lifetime. View Large TABLE 4. Computation overhead in generating a search token for a conjunctive query Q=(w1∧w2∧⋯∧wn) ⁠, where w1 is the s-term. In the table, 𝖤𝗑𝗉 denotes a exponentiation operation in a group, 𝖧𝖺𝗌𝗁 is a hash function operation. The symbol ‘-’ means the computation costs is null. Scheme Data owner’s computation costs Client’s computation costs [14] ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 - [15] (n−1)𝖤𝗑𝗉 ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 [16] 3𝖤𝗑𝗉 (∣𝖣𝖡[w1]∣(n−1)+(n+1))𝖤𝗑𝗉 Ours - ∣𝖣𝖡[w1]∣n𝖤𝗑𝗉 + n𝖧𝖺𝗌𝗁 Scheme Data owner’s computation costs Client’s computation costs [14] ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 - [15] (n−1)𝖤𝗑𝗉 ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 [16] 3𝖤𝗑𝗉 (∣𝖣𝖡[w1]∣(n−1)+(n+1))𝖤𝗑𝗉 Ours - ∣𝖣𝖡[w1]∣n𝖤𝗑𝗉 + n𝖧𝖺𝗌𝗁 View Large TABLE 4. Computation overhead in generating a search token for a conjunctive query Q=(w1∧w2∧⋯∧wn) ⁠, where w1 is the s-term. In the table, 𝖤𝗑𝗉 denotes a exponentiation operation in a group, 𝖧𝖺𝗌𝗁 is a hash function operation. The symbol ‘-’ means the computation costs is null. Scheme Data owner’s computation costs Client’s computation costs [14] ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 - [15] (n−1)𝖤𝗑𝗉 ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 [16] 3𝖤𝗑𝗉 (∣𝖣𝖡[w1]∣(n−1)+(n+1))𝖤𝗑𝗉 Ours - ∣𝖣𝖡[w1]∣n𝖤𝗑𝗉 + n𝖧𝖺𝗌𝗁 Scheme Data owner’s computation costs Client’s computation costs [14] ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 - [15] (n−1)𝖤𝗑𝗉 ∣𝖣𝖡[w1]∣(n−1)𝖤𝗑𝗉 [16] 3𝖤𝗑𝗉 (∣𝖣𝖡[w1]∣(n−1)+(n+1))𝖤𝗑𝗉 Ours - ∣𝖣𝖡[w1]∣n𝖤𝗑𝗉 + n𝖧𝖺𝗌𝗁 View Large 6.2. Experimental results Experiment setup. To evaluate our scheme, we implement it and run the codes on an Ubuntu 16.04 operating system with an Intel(R) Core(TM) i3-4130 CPU of 3.40 GHz and 4.00GB RAM, where the code was written in Python three language using Charm 0.43 library [23] (a widely used open-source library), we take the Waters’ IBE [20] as the underlying IBE scheme and employ the MySQL 5.7.11 as the database to store data items and use ‘SS512’ elliptic curves for group operations. To further illustrate the practicality, we take a real-world dataset: Enron dataset5 as the experimental dataset. Results analysis. We implement to compare our conjunctive keyword search scheme with the well-known public key searchable encryption scheme [9], which is also under the mentioned multi-client model, the experimental results are mainly shown from the following two aspects: encrypted data generation and query process. In order to obtain the performance of encrypting documents, we randomly select 1000 documents from the Enron dataset and then extract keywords, each document is associated with no more than 50 keywords, we run our scheme and the scheme in [9] to encrypt these documents respectively, the results are shown in Fig. 4. In Fig. 4a, we show the comparison of time cost between the schemes in terms of encrypting a document. It indicates that the time cost is linear to the number of keywords in the schemes. Specifically, our scheme incurs a little more expensive cost, this is from that we take the secure index as the basic data structure to organize the encrypted documents, in the process of encrypting a document, in addition to generate the encrypted data, the client should also compute to add the encrypted data into the secure index, however, the time cost is still acceptable since 2 s is enough to encrypt a document with the keyword number is 40. In Fig. 4b, we show the comparison of storage cost between the schemes in terms of storing an encrypted document. It also indicates the cost is linear to the number of keywords, and our scheme still incurs a little more expensive cost, this is because we take IBE techniques into the construction to eliminate the interactions between a sender and a receiver. In fact, the storage cost is acceptable by a cloud since 20KB is enough to stored an encrypted document with the number of keyword is 50. FIGURE 4. View largeDownload slide Performance of encrypting an document. (a) Time cost of encrypting an document and (b) storage cost of storing an encrypted document. FIGURE 4. View largeDownload slide Performance of encrypting an document. (a) Time cost of encrypting an document and (b) storage cost of storing an encrypted document. In order to obtain the performance of processing queries, which includes generating token and searching over encrypted data, we run both the two schemes on the conjunctive keyword queries in the from of Q=(w1∧w2∧⋯∧wn) ⁠, where we assume w1 is the s-term, the running results are shown in Fig. 5. In our scheme, we take the secure index to organize the encrypted documents, which can guarantee the search complexity has nothing to do with the total of documents. In [9], to process such a conjunctive query, the cloud should scan all the encrypted documents for finding which match the query. Further, form the construction in Section 4.2, we can easily obtain that the time cost of processing a query mainly depends on the number of keywords in the query and the number of documents associated with s-term, which is also proved by the experimental results. In Fig. 5a, we show the time cost of processing queries with different number of keywords, it tells us that our scheme extremely outperforms the comparing scheme, this is because the later needs to scan all the encrypted documents for finishing a query, by the secure index, our construction needs only to find results from the documents associated with s-term, thus can greatly save the time cost. An other observation is that the time cost of processing a query in our scheme is linear to the number of keywords in the query when the number of documents associated with s-term is stable. In Fig. 5b, we give the time cost of processing queries with different s-term, when the number of documents associated with s-term increases, the time cost also increases. However, our scheme is still superior to the comparing scheme. In Fig. 5c, we show the results of how the time cost of processing a query changes with different total of encrypted documents, we observe that the time cost of our scheme is stable even though the total of encrypted documents is greatly increased, thus, we conclude that our scheme is highly scalable even for a very large database. FIGURE 5. View largeDownload slide Performance of processing a query which includes generating search tokens and searching over encrypted data. (a) The number of documents is 1000, the number of documents associated with s-term is 40. (b) The number of documents is 1000, the number of keywords in the queries is 6. (c) The number of keywords in the queries is 6, the number of documents associated with s-term is 40. FIGURE 5. View largeDownload slide Performance of processing a query which includes generating search tokens and searching over encrypted data. (a) The number of documents is 1000, the number of documents associated with s-term is 40. (b) The number of documents is 1000, the number of keywords in the queries is 6. (c) The number of keywords in the queries is 6, the number of documents associated with s-term is 40. 7. FURTHER ENHANCEMENT In the above constructions, a client is required to retrieve the dictionary each time when encrypting a document, which may reduce the efficiency. To avoid this, we show how to remove the dictionary in below. The basic idea is to utilize a local server to maintain the state about the size of 𝖣𝖡[w] for each keyword, the local server honestly performs protocols and will not collude with others. Deploying such a local server is a widely considered architecture in cloud computing [24], for example, a company might host its applications to Amazon S3, but still has a local server to maintain operational data. Specifically, the local server plays the role of the dictionary δ ⁠, and maintains tuples (F(Kw,w),c^) for each keyword rather than (w,c) as same as δ ⁠, where c^ is a ciphertext of the counter c that encrypted by a symmetric encryption algorithm with the secret key is Kske ⁠. To get a counter for a keyword w ⁠, a client computes F(Kw,w) and sends it to the local server for (F(Kw,w),c^) ⁠, if this tuple does not exist, the local server returns 0. To update the counter of keyword w to c ⁠, a client encrypts c to c^ by using Kske and sends (F(Kw,w),c^) to the local server for replacing the older one or inserting. Thus, a client’s secret key has two additional components: Kw and Kske ⁠. To make the local server has no idea of which tuples are accessed, the client can request some extra tuples (F(Kw,w),c^) randomly, and only performs a simple operation of decrypting c^ to c and then encrypts c to a new c^ for the extra tuples before updating. Due to the security of F and symmetric encryption algorithm, the local server cannot know the information of counters as well as which tuples are actually accessed. 8. RELATED WORK Searchable encryption is a kind of cryptographic primitive that enables clients to search over encrypted data, in recent years, it has been widely researched by more and more researchers, we review some recent related works about it in terms of symmetric searchable encryption and public key searchable encryption. 8.1. Symmetric searchable encryption In the symmetric key setting, Song et al. [8] designed the first searchable encryption scheme, which is based on a special two-layered encryption method and the time complexity of searching is linear to the total of documents. Chang and Mitzenmacher [25] gave two index schemes, the first scheme needs clients to maintain a prebuilt dictionary and the second needs two interactions between clients and server, which decreases client’s experience. Curtmola et al. [17] formalized the secure definition of symmetric searchable encryption, and given a scheme based on the inverted index method, the proposed scheme realizes sub-linear search complexity, the search cost is proportional with the number of documents that match the quired keyword. Subsequently, Kamara et al. [19] designed the first dynamic symmetric searchable encryption scheme, which supports for adding or deleting documents efficiently, the scheme is secure against adaptive chosen keyword attacks. After that, based on a red-black tree, Kamara and Papamanthou [26] proposed a new dynamic symmetric searchable encryption scheme which is also secure against adaptive chosen keyword attacks while has an improved efficiency. In recent, Bost [27] considered the forward security of symmetric searchable encryption, which focuses on preventing the server from knowing whether a newly inserted element matches previous queries or not, the scheme relies on trapdoor permutations. Kim et al. [22] designed a new forward-secure symmetric searchable encryption by combining both the inverted and the forward indexes at the same time, compared with previous schemes, it has better efficiency in terms of updating files. The first symmetric searchable encryption scheme that considers backward security was proposed by Bost et al. [28]. Demertzis and Papamanthou [29] proposed the first symmetric searchable encryption with tunable locality and linear space, where locality is the number of non-continuous reads that the server makes for each query, Miers and Mohassel [30] designed a new scheme that has significant reduction in IO cost. To achieve a more efficient search function, Cash et al. [14] presented the first symmetric searchable scheme that can support for boolean queries while the search complexity is sub-linear. Following it, Stanislaw et al. [15] given a novel searchable encryption scheme that can support sub-linear boolean queries in a richer setting, in which a data owner outsources its encrypted database to a cloud server and the encrypted database can be searched by multiple clients, the scheme needs clients to interact with the data owner when want to search the database, and Sun et al. eliminated the interaction in [16]. However, in the boolean query schemes, the encrypted database stores the documents from only the data owner and it cannot be written anymore once it was outsourced, this prevents the schemes from being deployed in many cloud applications. While considering other functions, Wang et al. [31] given a scheme to search over encrypted feature-rich data. Zuo et al. [32] constructed a symmetric searchable encryption scheme, which can support range quires, they also considered the dynamic property and the forward security. Wang et al. [33] constructed a verifiable conjunctive keyword search scheme, the scheme can not only ensure verifiability of search result even if an empty set is returned but also support efficient conjunctive keyword search with sub-linear overhead. By adopting a structure named as inverted matrix, Jiang et al. [34] designed a encrypted keyword search scheme that can support occurrence queries and dynamic user management, Jiang et al. [35] designed the first multi-keyword search scheme that can support not only search result ranking but also verifiable search, the scheme provides a practical solution for encrypted keyword search in cloud computing. Ge et al. [36] designed a verifiable exact keyword search scheme, and then extended this scheme to the fuzzy keyword search scheme. 8.2. Public key searchable encryption The notion of public key searchable encryption was introduced by Boneh et al. [9], which is more suitable for the cloud computing setting, and it has been widely researched in recent years. In [37], Abdalla et al. showed public key searchable encryption schemes can be extracted from anonymous IBE schemes. Some works consider more powerful search functions, Boneh and Waters [38] designed a scheme that focused on conjunctive keyword search, in which the client can design its query as a disjunctive normal form of a set keywords to search the documents which contain the keywords, and fuzzy keyword search is considered in [39], which can return the closest possible matching files based on keyword similarity semantics. Some works consider various attacks for public key searchable encryption, Xu et al. [40] proposed a public key encryption scheme with support for fuzzy keyword search, their scheme needs the receiver to locally find the matching ciphertext by using the exact trapdoor to filter out the non-matching ones from the set returned from the server. Fang et al. [41] presented a scheme to against the keyword guessing attacks in the standard model. By using smooth projective hash functions, Chen et al. [42] given a practical framework for quickly constructing public key searchable encryption scheme with against keyword guessing attacks. By setting a aided server, Chen et al. [24] given a framework that can be used to offer any public key searchable encryption scheme the ability of againsting keyword guessing attacks. Hu et al. [43] considered the security of verifiable public key searchable encryption against the continual memory attacks which allow the adversary to obtain some leakage information of the secret key. Ma et al. [13] designed a certificateless searchable public key searchable scheme to against the adversary who is able to learn the system master secret key. He et al. [44] presented a public key searchable encryption scheme for industrial internet of things, the scheme is secure when meeting keyword guessing attacks, this is because the data owner is allowed to not only encrypt each keyword but also authenticate it, so the third party cannot encrypt a keyword without the data owners private key. Xu et al. [45] constructed a lightweight public key searchable encryption scheme for cloud-assisted wireless sensor networks, which reduces a large number of computation-intensive operations that are adopted in previous works. In the background of cloud computing, Cui et al. [46] designed an attribute-based searchable encryption scheme that supports for efficient revocation, Han et al. [47] proposed an attribute-based searchable encryption that has constant-size ciphertext and supports AND and NOT gates. 9. CONCLUSION In this paper, we propose a novel searchable encryption scheme for cloud applications, which supports for boolean queries with sub-linear search complexity. Compared with previous works, our scheme additionally has some important features: (i) the multi-client mechanism; (ii) no interaction process that needed between clients; and (iii) the practical property of dynamically adding documents to the outsourced database is considered. We still prove the security of our scheme, and conduct experiments on a real-world dataset to show its practicality. FUNDING This work was supported by National Natural Science Foundation of China (61571191, 61472142, 61632012, 61802248, U1705264), the ‘Dawn’ Program of Shanghai Municipal Education Commission (16SG21), the Open Foundation of State Key Laboratory of Integrated Services Networks (ISN17-11), the Young Elite Scientists Sponsorship Program by China Association for Science and Technology (2017QNRC001) and the Open Foundation of Co-Innovation Center for Information Supply & Assurance Technology (ADXXBZ201701). REFERENCES 1 Shen , W. , Qin , J. , Yu , J. , Hao , R. and Hu , J. ( 2019 ) Enabling identity-based integrity auditing and data sharing with sensitive information hiding for secure cloud storage . IEEE Trans. Inf. Forensics Secur. , 14 , 331 – 346 . Google Scholar Crossref Search ADS 2 Cui , J. , Zhang , J. , Zhong , H. and Xu , Y. ( 2017 ) SPACF: a secure privacy-preserving authentication scheme for VANET with cuckoo filter . IEEE Trans. Vehicular Technol. , 66 , 10283 – 10295 . Google Scholar Crossref Search ADS 3 Zhong , H. , Wen , J. , Cui , J. and Zhang , S. ( 2016 ) Efficient conditional privacy-preserving and authentication scheme for secure service provision in VANET . Tsinghua Sci. Technol. , 21 , 620 – 629 . Google Scholar Crossref Search ADS 4 Shen , J. , Shen , J. , Chen , X. , Huang , X. and Susilo , W. ( 2017 ) An efficient public auditing protocol with novel dynamic structure for cloud data . IEEE Trans. Inf. Forensics Secur. , 12 , 2402 – 2415 . Google Scholar Crossref Search ADS 5 Zhong , H. , Zhu , W. , Xu , Y. and Cui , J. ( 2018 ) Multi-authority attribute-based encryption access control scheme with policy hidden for cloud storage . Soft Comput. , 22 , 243 – 251 . Google Scholar Crossref Search ADS 6 Cui , J. , Wei , L. , Zhang , J. , Xu , Y. and Zhong , H. ( 2018 ) An efficient message-authentication scheme based on edge computing for vehicular ad hoc networks . IEEE Trans. Intell. Transportation Syst. , 1 – 12 . doi: 10.1109/TITS.2018.2827460 7 Liu , J.K. , Liang , K. , Susilo , W. , Liu , J. and Xiang , Y. ( 2016 ) Two-factor data security protection mechanism for cloud storage system . IEEE Trans. Comput. , 65 , 1992 – 2004 . Google Scholar Crossref Search ADS 8 Song , D.X. , Wagner , D. and Perrig , A. ( 2000 ) Practical Techniques for Searches on Encrypted Data. 2000 IEEE Symp. Security and Privacy, Oakland, 14–17 May, pp. 44–55, IEEE, USA. 9 Boneh , D. , Di Crescenzo , G. , Ostrovsky , R. and Persiano , G. ( 2004 ) Public Key Encryption with Keyword Search. Advances in Cryptology—EUROCRYPT 2004, Interlaken, Switzerland, 2–6 May, pp. 506–522, Springer, Berlin. 10 Cui , H. , Wan , Z. , Deng , R.H. , Wang , G. and Yingjiu , L. ( 2018 ) Efficient and expressive keyword search over encrypted data in cloud . IEEE Trans. Depend. Secure Comput. , 15 , 409 – 422 . Google Scholar Crossref Search ADS 11 Fu , Z. , Wu , X. , Wang , Q. and Ren , K. ( 2017 ) Enabling central keyword-based semantic extension search over encrypted outsourced data . IEEE Trans. Inf. Forensics Secur. , 12 , 2986 – 2997 . Google Scholar Crossref Search ADS 12 Zhang , W. , Lin , Y. , Xiao , S. , Wu , J. and Zhou , S. ( 2016 ) Privacy preserving ranked multi-keyword search for multiple data owners in cloud computing . IEEE Trans. Comput. , 65 , 1566 – 1577 . Google Scholar Crossref Search ADS 13 Ma , M. , He , D. , Kumar , N. , Choo , K.-K.R. and Chen , J. ( 2018 ) Certificateless searchable public key encryption scheme for industrial Internet of things . IEEE Trans. Ind. Inform. , 14 , 759 – 767 . Google Scholar Crossref Search ADS 14 Cash , D. , Jarecki , S. , Jutla , C. , Krawczyk , H. , Roşu , M.-C. and Steiner , M. ( 2013 ) Highly-Scalable Searchable Symmetric Encryption with Support for Boolean Queries. Advances in Cryptology—CRYPTO 2013, Santa Barbara, CA, 18–22 August, pp. 352–373, Springer, Berlin. 15 Jarecki , S. , Jutla , C. , Krawczyk , H. , Rosu , M. and Steiner , M. ( 2013 ) Outsourced Asymmetric Private Information Retrieval. 2013 ACM SIGSAC Conf. Computer and Communications Security, Berlin, Germany, 4–8 November, pp. 875–888, ACM, USA. 16 Sun , S.-F. , Liu , J.K. , Sakzad , A. , Steinfeld , R. and Yuen , T.H. ( 2016 ) An Efficient Non-interactive Multi-client Searchable Encryption with Support for Boolean Queries. 21st European Symposium on Research in Computer Security, Heraklion, Greece, 26–30 September, pp. 154–172, Springer, Berlin. 17 Curtmola , R. , Garay , J. , Kamara , S. and Ostrovsky , R. ( 2011 ) Searchable symmetric encryption: improved definitions and efficient constructions . J. Comput. Secur. , 19 , 895 – 934 . Google Scholar Crossref Search ADS 18 Chen , J. , Lim , H.W. , Ling , S. , Wang , H. and Wee , H. ( 2012 ) Shorter IBE and Signatures via Asymmetric Pairings. 5th Int. Conf.—Pairing-Based Cryptography—Pairing 2012, Cologne, Germany, 16–18 May, pp. 122–140, Springer, Berlin. 19 Kamara , S. , Papamanthou , C. and Roeder , T. ( 2012 ) Dynamic Searchable Symmetric Encryption. Proc. 2012 ACM Conf. Computer and Communications Security, Raleigh, NC, 16–18 October, pp. 965–976, ACM, USA. 20 Waters , B. ( 2005 ) Efficient Identity-Based Encryption Without Random Oracles. Advances in Cryptology—EUROCRYPT 2005, Aarhus, Denmark, 22–26 May, pp. 114–127, Springer, Berlin. 21 Cash , D. , Jaeger , J. , Jarecki , S. , Jutla , C.S. , Krawczyk , H. , Rosu , M.-C. and Steiner , M. ( 2014 ) Dynamic Searchable Encryption in Very-Large Databases: Data Structures and Implementation. 21st Annual Network and Distributed System Security Symposium, San Diego, CA, 23–26 February, pp. 23–26, The Internet Society, USA. 22 Kim , K.S. , Kim , M. , Lee , D. , Park , J.H. and Kim , W.-H. ( 2017 ) Forward Secure Dynamic Searchable Symmetric Encryption with Efficient Updates. Proc. 2017 ACM SIGSAC Conf. Computer and Communications Security, Dallas, TX, 30 October 03 November, pp. 1449–1463, ACM, USA. 23 Akinyele , J.A. , Garman , C. , Miers , I. , Pagano , M.W. , Rushanan , M. , Green , M. and Rubin , A.D. ( 2013 ) Charm: a framework for rapidly prototyping cryptosystems . J. Cryptogr. Eng. , 3 , 111 – 128 . Google Scholar Crossref Search ADS 24 Chen , R. , Mu , Y. , Yang , G. , Guo , F. , Huang , X. , Wang , X. and Wang , Y. ( 2016 ) Server-aided public key encryption with keyword search . IEEE Trans. Inf. Forensics Secur. , 11 , 2833 – 2842 . Google Scholar Crossref Search ADS 25 Chang , Y.-C. and Mitzenmacher , M. ( 2005 ) Privacy Preserving Keyword Searches on Remote Encrypted Data. The 3rd Int. Conf. Applied Cryptography and Network Security, New York, USA, 7–10 June, pp. 442–455, Springer, Berlin. 26 Kamara , S. and Papamanthou , C. ( 2013 ) Parallel and Dynamic Searchable Symmetric Encryption. 17th Int. Conf. Financial Cryptography and Data Security, Okinawa, Japan, 1–5 April, pp. 258–274, Springer, Berlin. 27 Bost , R. ( 2016 ) Σoφoς: Forward Secure Searchable Encryption. Proc. 2016 ACM SIGSAC Conf. Computer and Communications Security, Vienna, Austria, 24–28 October, pp. 1143–1154, ACM, USA. 28 Bost , R. , Minaud , B. and Ohrimenko , O. ( 2017 ) Forward and Backward Private Searchable Encryption from Constrained Cryptographic Primitives. Proc. 2017 ACM SIGSAC Conf. Computer and Communications Security, Dallas, USA, 30 October 03 November, pp. 1465–1482, ACM, USA. 29 Demertzis , I. and Papamanthou , C. ( 2017 ) Fast Searchable Encryption With Tunable Locality. Proc. 2017 ACM Int. Conf. Management of Data, Chicago, IL, 14–19 May, pp. 1053–1067, ACM, USA. 30 Miers , I. and Mohassel , P. ( 2017 ) IO-DSSE: Scaling Dynamic Searchable Encryption to Millions of Indexes By Improving Locality. 24th Annual Network and Distributed System Security Symposium, San Diego, CA, 26 February–1 March, pp. 1–13, The InternetSociety, USA. 31 Wang , Q. , He , M. , Du , M. , Chow , S.S.M. , Lai , R.W.F. and Zou , Q. ( 2018 ) Searchable encryption over feature-rich data . IEEE Trans. Depend. Secure Comput. , 15 , 496 – 510 . Google Scholar Crossref Search ADS 32 Zuo , C. , Sun , S. , Liu , J.K. , Shao , J. and Pieprzyk , J. ( 2018 ) Dynamic Searchable Symmetric Encryption Schemes Supporting Range Queries with Forward (and Backward) Security. 23rd European Symposium on Research in Computer Security, Barcelona, Spain, 3–7 September, pp. 228–246, Springer, Berlin. 33 Wang , J. , Chen , X. , Sun , S. , Liu , J.K. , Au , M.H. and Zhan. , Z.-H. ( 2018 ) Towards Efficient Verifiable Conjunctive Keyword Search for Large Encrypted Database. 23rd European Symposium on Research in Computer Security, Barcelona, Spain, 3–7 September, pp.83–100, Springer, Berlin. 34 Jiang , X. , Ge , X. , Yu , J. , Kong , F. , Cheng , X. and Hao , R. ( 2017 ) An efficient symmetric searchable encryption scheme for cloud storage . J. Internet Serv. Inf. Secur. , 7 , 1 – 18 . 35 Jiang , X. , Yu , J. , Yan , J. and Hao , R. ( 2017 ) Enabling efficient and verifiable multi-keyword ranked search over encrypted cloud data . Inf. Sci. (Ny) , 403 , 22 – 41 . Google Scholar Crossref Search ADS 36 Ge , X. , Yu , J. , Hu , C. , Zhang , H. and Hao , R. ( 2018 ) Enabling efficient verifiable fuzzy keyword search over encrypted data in cloud computing . IEEE Access , 6 , 45725 – 45739 . Google Scholar Crossref Search ADS 37 Abdalla , M. , Bellare , M. , Catalano , D. , Kiltz , E. , Kohno , T. , Lange , T. , Malone-Lee , J. , Neven , G. , Paillier , P. and Shi , H. ( 2008 ) Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions . J. Cryptology , 21 , 350 – 391 . Google Scholar Crossref Search ADS 38 Boneh , D. and Waters , B. ( 2007 ) Conjunctive, Subset, and Range Queries on Encrypted Data. 4th Theory of Cryptography Conf., Amsterdam, The Netherlands, 21–24 February, pp. 535–554, Springer, Berlin. 39 Li , J. , Wang , Q. , Wang , C. , Cao , N. , Ren , K. and Lou , W. ( 2010 ) Fuzzy Keyword Search over Encrypted Data in Cloud Computing. 29th IEEE Int. Conf. Computer Communications, San Diego, CA, 15–19 March, pp. 441–445, IEEE, USA. 40 Xu , P. , Jin , H. , Wu , Q. and Wang , W. ( 2013 ) Public-key encryption with fuzzy keyword search: a provably secure scheme under keyword guessing attack . IEEE Trans. Comput. , 62 , 2266 – 2277 . Google Scholar Crossref Search ADS 41 Fang , L. , Susilo , W. , Ge , C. and Wang , J. ( 2013 ) Public key encryption with keyword search secure against keyword guessing attacks without random oracle . Inf. Sci. (Ny) , 238 , 221 – 241 . Google Scholar Crossref Search ADS 42 Chen , R. , Mu , Y. , Yang , G. , Guo , F. and Wang , X. ( 2016 ) Dual-server public-key encryption with keyword search for secure cloud storage . IEEE Trans. Inf. Forensics Secur. , 11 , 789 – 798 . 43 Hu , C. , Li , Z. , Liu , P. , Yang , R. , Guo , S. and Zhang , H. ( 2018 ) Verifiable Public-Key Encryption with Keyword Search Secure against Continual Memory Attacks. Mobile Networks and Applications. https://doi.org/10.1007/s11036-018-1101-4 44 He , D. , Ma , M. , Zeadally , S. , Kumar , N. and Liang , K. ( 2018 ) Certificateless public key authenticated encryption with keyword search for industrial Internet of things . IEEE Trans. Ind. Inform. , 14 , 3618 – 3627 . Google Scholar Crossref Search ADS 45 Xu , P. , He , S. , Wang , W. , Susilo , W. and Jin , H. ( 2018 ) Lightweight searchable public-key encryption for cloud-assisted wireless sensor networks . IEEE Trans. Ind. Inform. , 14 , 3712 – 3723 . Google Scholar Crossref Search ADS 46 Cui , J. , Zhou , H. , Zhong , H. and Xu , Y. ( 2018 ) AKSER: attribute-based keyword search with efficient revocation in cloud computing . Inf. Sci. (Ny) , 423 , 343 – 352 . Google Scholar Crossref Search ADS 47 Han , J. , Yang , Y. , Liu , J.K. , Li , J. , Liang , K. and Shen , J. ( 2018 ) Expressive attribute-based keyword search with constant-size ciphertext . Soft Comput. , 22 , 5163 – 5177 . Google Scholar Crossref Search ADS Algorithm 4 Simulator. Algorithm 4 Simulator. Footnotes 1 The search complexity of processing a boolean query is independent of the total of documents in database. 2 http://www.cs.cmu.edu/~./enron/ 3 For an encryption tuple (⁠ D ⁠, id′ ⁠, id ⁠), id′ is the identity of the receiver of the document, id is the identity of the client who encrypts the document. 4 For a query tuple (⁠ Q ⁠, id ⁠), id is the identity of the client who issues the query. 5 http://www.cs.cmu.edu/~./enron/ © The British Computer Society 2018. All rights reserved. For permissions, please e-mail: journals.permissions@oup.com This article is published and distributed under the terms of the Oxford University Press, Standard Journals Publication Model (https://academic.oup.com/journals/pages/open_access/funder_policies/chorus/standard_publication_model)
TI - A Searchable Asymmetric Encryption Scheme with Support for Boolean Queries for Cloud Applications
JF - The Computer Journal
DO - 10.1093/comjnl/bxy134
DA - 2019-04-01
UR - https://www.deepdyve.com/lp/oxford-university-press/a-searchable-asymmetric-encryption-scheme-with-support-for-boolean-0Y0rLEKssP
SP - 563
VL - 62
IS - 4
DP - DeepDyve
ER -