Abstract
In cloud computing model, the data are usually encrypted before outsourced to the cloud server, which protects the data privacy, but also leaves keyword searches over ciphertext data a challenging problem. A keyword search scheme over encrypted data should achieve both index privacy and query privacy; moreover, verification of search results is desirable because the incorrectf results can be returned owing to system defects or the cloud server’s motivation to save computation recourses. Many multi-keyword search schemes have been proposed; however, few of these schemes are verifiable and adaptively index-hiding and adaptively query-hiding. In this paper, a semantically secure multi-keyword search scheme is constructed, which is adaptively index-hiding and adaptively query-hiding, also supports the correctness verification of search results. We provide a detailed performance comparison and give a thorough security proof by a sequence of games. The combined results demonstrate that our scheme is secure and practical.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 506–522. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_30
Song, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceeding of the IEEE Symposium on Security and Privacy, (S&P 2000), Berkeley, USA, pp. 3–10 (2000)
Zhang, L.L., Zhang, Y.Q., Liu, X.F., Quan, H.Y.: Efficient conjunctive keyword search over encrypted medical records. J. Softw (in Chin.) 27(6), 1577–1591 (2015)
Zhang, L.L., Zhang, Y.Q., Ma, H.: Privacy-preserving and dynamic multi-attribute conjunctive keyword search over encrypted cloud data. IEEE Access 6(1), 34214–34225 (2018)
Golle, P., Staddon, J., Waters, B.: Secure conjunctive keyword search over encrypted data. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 31–45. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_3
Li, M., Yu, S., Cao, N., Lou, W.J.: Authorized private keyword search over encrypted data in cloud computing. In: Proceeding of the International Conference on Distributed Computing Systems (ICDCS), Minneapolis, MO, USA, pp. 383–392 (2011)
Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9
Okamoto, T., Takashima, K.: Hierarchical predicate encryption for inner-products. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 214–231. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10366-7_13
Wang, C., Ren, K., Yu, S., Mahendra, K., Urs, R.: Achieving usable and privacy-assured similarity search over outsourced cloud data. In: Proceedings of the IEEE INFOCOM, Orlando, FL, USA (2012)
Hwang, Y.H., Lee, P.J.: Public key encryption with conjunctive keyword search and its extension to a multi-user system. In: Takagi, T., Okamoto, T., Okamoto, E., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 2–22. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73489-5_2
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 535–554. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-70936-7_29
Shen, E., Shi, E., Waters, B.: Predicate privacy in encryption systems. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 457–473. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_27
Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_4
Ballard, L., Kamara, S., Monrose, F.: Achieving efficient conjunctive keyword searches over encrypted data. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 414–426. Springer, Heidelberg (2005). https://doi.org/10.1007/11602897_35
Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36
Lai, J., Li, Y., Deng, R.: Towards semantically secure outsourcing of association rule mining on categorical data. Inf. Sci. 267, 267–286 (2014)
Li, F., Hadjieleftheriou, M., Kollios, G., Reyzin, L.: Dynamic authenticated index structures for outsourced databases. In: Proceedings of the SIGMOD, New York, USA, pp. 121–132 (2013)
Fu, A.M., Yu, S., Zhang, Y.Q.: NPP: a new privacy-aware public auditing scheme for cloud data sharing with group users. IEEE Trans. Big Data (2017). https://doi.org/10.1109/TBDATA.2017.2701347
Wang, C., Ren, K., Yu, S., Mahendra, K., Urs, R.: Achieving usable and privacy-assured similarity search over outsourced cloud data. In: Proceedings of the IEEE INFOCOM, Orlando, FL, USA (2010)
Sun, W., et al.: Privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking. In: Proceedings of the ASIACCS, Hangzhou, China, pp. 71–82 (2013)
Chen, C., Zhu, X., Shen, P., Hu, J., Guo, S.: An efficient privacy-preserving ranked keyword search method. IEEE Trans. Parallel Distrib. Syst. 27(4), 951–963 (2016)
Li, X.X., Hua, L.F., Song, C.G.: Public key generation with multi-keyword search. J. Xidian U. 42(5), 20–26 (2015)
Acknowledgement
National Key Research and Development Program of China (2016YFB0800703), Chinese National Natural Science Foundation (\(Grant \,U1836210\), Grant 61572460, Grant 61772174 and Grant 61370220), in part by the National Information Security Special Projects of theNational Development and Reform Commission of China under Grant (2012)1424, and in part by the Open Project Program of the State Key Laboratory of Information Security under Grant 2017-ZD-01.
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Appendices
Appendix A.1 Dual System Encryption
The scheme security is proved by dual system encryption, in which both ciphertext and keys present two states: standard and semi-functional. The trapdoor generated by GenTrapdooris called the normal trapdoor, and the encrypted index generated by EncIndexis called the standard ciphertext. We define the semi-function index ciphertext and the semi-function trapdoor, which are only employed in the proof of the scheme.
We use to denote the normal index ciphertext of \(\overrightarrow{X} , (K_\mathrm{{1}}^{*(norm)},K_\mathrm{{2}}^{*(norm)})\) to denote the normal trapdoor of \(\overrightarrow{Y}\), to denote the semi-functional index ciphertext of \(\overrightarrow{X} = \{ {x_1}, \ldots ,{x_n}\} \).
We use to denote the semi-functional index ciphertext of \(\overrightarrow{X} = \{ {x_1}, \ldots ,{x_n}\} \).
We use \((K_\mathrm{{1}}^{*(semi)},K_\mathrm{{2}}^{*(semi)})\) to denote the semi-functional trapdoor of \(\overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \).
where \(\overrightarrow{V} = ({v_1}, \ldots ,{v_n}),{v_j}(1 \le j \le n) \leftarrow {F_q}\) and \(\overrightarrow{W} = ({w_1}, \ldots ,{w_n}),{w_i}(1 \le i \le n) \leftarrow {F_q},\) other parameters are the same as those in \( K_\mathrm{{1}}^{*(norm)}\) and \( K_\mathrm{{2}}^{*(norm)}\).
If \(\overrightarrow{X} {.}\overrightarrow{Y} = 0\), we can observe that
are uniformly and independently distributed over \({G_T}\). From the Formula (1) and (2), we can observe that the decryption fails when the semi-functional ciphertext is decrypted with the semi-functional key.
Appendix A.2 The Proof of the Scheme Security
Index privacy game: it is a game between the challenger B and the PPT adversary A. This game is also called game 0.
-
1.
B executes \(Setup({1^\lambda })\) to generate PK and secret keys \(SK = \{ S{K_1},S{K_2}\} \), and PK is given to the adverdary. The private key is safely kept and \(S{K_1}\) is also safely kept by the data owner. Note B generates \(S{K_1}\) by acting as both parties in the the Diffie-Hellman key exchange protocol.
-
2.
A may adaptively issue queries, where each query can be ciphertext query or trapdoor query. On the j-th ciphertext query, A issues an index vector \(\overrightarrow{{X_j}} \) and receives the corresponding ciphertext \({C_{\overrightarrow{{X_j}} }} \leftarrow EncIndex(SK,\overrightarrow{{X_j}} )\). On the j-th trapdoor query, A issues a query vector \(\overrightarrow{{Y_j}} \) and receives the corresponding trapdoor \(T{D_{\overrightarrow{{Y_j}} }} \leftarrow GenTrapdoor(SK,\mathrm{{ }}\overrightarrow{{Y_j}} )\).
-
3.
A issues two challenge index vectors \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), subject to the restriction \({\overrightarrow{X} ^{(0)}}{.}\overrightarrow{Y} \ne 0\) and \({\overrightarrow{X} ^{(1)}}{.}\overrightarrow{Y} \ne 0\) for the entire query vector \(\overrightarrow{Y} \) issued by A. B randomly chooses a random bit \(b \in \{ 0,1\} ,\) A is given \({C_{{{\overrightarrow{X} }^{(b)}}}} \leftarrow EncIndex(SK,{\overrightarrow{X} ^{(b)}})\).
-
4.
A may continue to submit additional queries as in step (2), with the same restriction as that in step 3.
-
5.
A outputs one bit b’ , and it will win the game if \(b' = b\).
Game 1: A really random function substitutes \({\mathrm{{F}}_{{K_1}}}\)in game 0, which has the same range and domain.
Game 2: A really random function substitutes \({\mathrm{{F}}_{{K_2}}}\)in game 1, which has the same range and domain.
Game 3: Semi-functional challenge ciphertext for the index is given to the adversary.
Game 4-t: the challenge index ciphertext is semi-functional, and the first t trapdoors are semi-functinal.
Game 5: The challenge index ciphertext and all the trapdoors are semi-functional.
Theorem 1
If the advantages for Assumptions 2 and 3 are negligible, then the proposed scheme is adaptively index-hiding against CPA.
Proof:
In game 5, since the index ciphertext and trapdoor are semi-functional, so for any PPT adversary, he can’t attain any advantage in game 5. So, if the index privacy game can be proved to be computationally indistinguishable with the game 5, then we also prove the advantage for the original index privacy is negligible. Below we will prove that the index privacy game and game 5 are computationally indistinguishable by 5 lemmas.
Lemma 1
Game0 and game 1 is computationally indistinguishable.
Proof
For convenience of proving of Lemma 1, we construct a PPT machine B that uses the adversary A to distinguish pseudorandom function and random function. The processing is as follows. (1) B returns the system public parameters to A and keeps \(SK = (r,{K_1},{K_2},{B^*})\).
(2) A issues a ciphertext query on the attribute vector \( \overrightarrow{X} \) to B, B queries its oracle on DID (the identifier of \( \overrightarrow{X} \) ) and set the result as \(\alpha \). When \(f = {F_{{K_1}}}\), then \(\alpha = {F_{{K_1}}}(DID)\), otherwise, \(\alpha \) is distributed uniformly at random. As response, B answers a ciphertext\({C_{\overrightarrow{X} }} = r({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {b_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\) , where \({\varepsilon _1},{\varepsilon _2} \in {F_q}\) uniformly at random.
(3) A issues a query, B answers a normal trapdoor computed by using \({B^*}\) and \({K_2}\).
(4) When B gets the challenge index vector \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B chooses a random bit \(b \in \{ 0,1\} ,\) and sends a ciphertext index \({C_{\overrightarrow{{X^b}} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {x_i^b{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\).
(5) A and B continues to operate as the step (2) and (3). In fact, when \(f = {F_{{K_1}}}\), B has simulated game 0, when f is random function with the domain \(D = {(0,1)^{{l_t}}}\) and the range \(R = {F_q}\), and then B simulated game 1.
(6) A outputs bit b’, if \(b' = b\), which means that A can distinguish game 0 from game 1, then B can distinguish pseudorandom function and random function, which contradicts with the property of the pseudorandom function. Therefore, game 0 and game 1 are computationally indistinguishable.
Lemma 2
Game1 and game 2 is computationally indistinguishable.
We omit this proof of the Lemma 2, because it is similar to proof of Lemma 1.
Lemma 3
Assuming the advantage for Assumption 2 is negligible, and then game 2 and 3 are computationally indistinguishable.
Proof
For convenience of proving of this lemma, we construct a PPT machine B that uses the adversary A against Assumption 2.
After receiving Assumption 2 instance , B tries his best to decide \(\beta = 1\) or \(\beta = 0\). B runs A to break Assumption 2. The processing is as follows.
-
(1)
B returns the system public parameters to A and keeps \(SK = (s,{K_1},{K_2},{B^*})\).
-
(2)
A submits a ciphertext query on the index vector \(\overrightarrow{X} \), B answers a normal ciphertext \({C_{\overrightarrow{X} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\) omputed by \(\widehat{B}\) and S.
-
(3)
A issues a trapdoor query on all the query keywords, B answers a normal trapdoor computed by \(\widehat{{B^*}}\) and S .
-
(4)
Getting the challenge index vector \((\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B selects a random bit \( b \in \{ 0,1\}\), parses \(\overrightarrow{{X^b}} = \{ x_1^b, \ldots ,x_n^b\}\), and computes \({C_{\overrightarrow{{X^b}} }} = s(\sum \limits _{i = 1}^n {x_i^b{d_{\beta ,i}}} + \alpha '{b_{2n + 1}})\), where \(\alpha ' \in {F_q}\) uniformly at random.
-
(5)
A continues to adaptively submit additional queries as in steps (2) and (3).
When \(\beta = 0\), then \({C_{\overrightarrow{{X^b}} }} = r(\sum \limits _{i = 1}^n {x_i^b{d_{0,i}}} + \alpha '{b_{2n + 1}}) = r({\varepsilon _1}\sum \limits _{i = 1}^n {x_i^b{b_i}} + \alpha '{b_{2n + 1}} + (\sum \limits _{i = 1}^n {x_i^b{\varepsilon _{2,i}}} ){b_{2n + 3}})\), B has simulated game 2.
When \(\beta = 1\), then \(_{\overrightarrow{{X^b}} }^{} = r(\sum \limits _{i = 1}^n {x_i^b{d_{1,i}}} + \alpha '{b_{2n + 1}}) = r({\varepsilon _1}\sum \limits _{i = 1}^n {x_i^b{b_i}} + \sum \limits _{i = 1}^n {(\sum \limits _{t = 1}^n \rho x_t^b{u_{t,i}}} ){b_{n + i}} + \alpha '{b_{2n + 1}} + (\sum \limits _{i = 1}^n {x_i^b{\varepsilon _{2,i}}} ){b_{2n + 3}}),\) B has simulated game 3.
-
(6)
A outputs bit b’, if \(b' = b\), which means that A can distinguish game 3 and game 2, then B can decide \(\beta = 0\mathrm{{ or 1}}\). This means that B’s advantage of breaking Assumption 2 is non-negligible. This contradicts \(ADV_\mathrm{{A}}^{A{p_2}}(\lambda )\) = \(ADV_\mathrm{{A}}^{n - eDDH}(\lambda ) \), which has been proved in []. Therefore, if the advantage for Assumption 2 is negligible, game 3 and game 2 are computationally indistinguishable.
Lemma 4
Assuming the advantage for Assumption 3 is negligible, then game 4-(t-1) and game 4-t are computationally indistinguishable for \(1 \le \vartheta \le t\). where \(\vartheta \) denotes the number of trapdoor queries the adversary makes.
Proof
To For the sake of proving this Lemma 4, we construct a PPT machine B that uses the adversary A against Assumption 3.
Receiving \((q,G,{G^T},g,e,V,\widehat{B},\widehat{{B^*}},{\{ h_{\beta ,i}^*,\mathrm{{ }}{d_i}\} _{(1 \le i \le n}})\), B tries to decide if \(\beta = 0\mathrm{{ or 1}}\). B runs A as a subroutine to break Assumption 3. The processing is as follows.
-
(1)
B returns the system returns the system Parameter to A, and keeps .
-
(2)
A issues a ciphertext query for the index vector \(\overrightarrow{X}\), B answers a normal ciphertext \({C_{\overrightarrow{X} }} = s({\varepsilon _1}(\sum \limits _{i = 1}^n {{x_i}{b_i}} ) + \alpha {\mathrm{{b}}_{2n + 1}} + {\varepsilon _2}{b_{2n + 3}})\) computed by s and .
-
(3)
A issues the -th trapdoor query on the query vector \( \overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \), B answers query ciphertext according to the following rules.
If \(1 \le v \le k - 1\), B creates a semi-functional trapdoor for \(\overrightarrow{Y} = \{ {y_1}, \ldots ,{y_n}\} \) by using s and \({\mathrm{{B}}^*}\).
If \(v > k\), B answers a normal trapdoor by using s and \({\mathrm{{B}}^*}\).
If \(v =k\), B calculates \( K_1^* = {s^{ - 1}}(\rho (\sum \limits _{i = 1}^n {{y_i}} h_{\beta ,i}^*) + \rho 'b_{2n + 2}^*),K_2^* = {s^{ - 1}}(\theta (\sum \limits _{i = 1}^n {{y_i}} h_{\beta ,i}^*) + \eta 'b_{_{2n + 1}}^* + \theta 'b_{2n + 2}^*)\), where \(\rho ,\rho ',\theta ,\mathrm{{ }}\theta ',\eta ' \in {F_q}\) uniformly at random.
-
(4)
Getting the challenge attribute vector \( (\overrightarrow{{X^0}} ,\overrightarrow{{X^1}} )\), B selects a random bit \(b \in \{ 0,1\} \), parses \(\overrightarrow{{X^b}} = \{ x_1^b, \ldots ,x_n^b\}\). B chooses \({\varepsilon _2}',\alpha ' \in {F_q}\) and \(DID \in {\{ 0,1\} ^{{l_t}}}\) uniformly at random, computes \( \alpha = {F_{{K_1}}}(FID),\mathrm{{ }}{C_{\overrightarrow{{X^b}} }} = r(\sum \limits _{i = 1}^n {x_i^b{d_i}} + \alpha '{b_{2n + 1}} + {\varepsilon _2}'{b_{2n + 3}}),\) B sends \((\alpha ,C_{\overrightarrow{{X^b}} }^{})\) to A.
-
(5)
A continues to adaptively issue additional queries as in steps (2) C(3).
In fact, when \(\beta = 0\), B has simulated game 4-(t-1). when \(\beta = 1\), then B simulated game 4-t.
-
(6)
A outputs b’, if \(b' = b\), which means that A can distinguish game 4-(t-1) and game 4-t, then B can decide \(\beta = 0\ \mathrm {or}\ 1\). This means that B’s advantage for Assumption 2 is non-negligible. This conflicts \(ADV_\mathrm{{A}}^{A{p_3}}(\lambda )\) = \(ADV_\mathrm{{A}}^{n - eDDH}(\lambda ) \), which has been proved in []
So game 4-(t -1) and game 4-t are computationally indistinguishable.
Lemma 5
Game 4-\(\vartheta \) and game 5 are essentially equivalent.
Proof
For convenience of proving of Lemma 5, we prove distribution
in game 4-\(\vartheta \) and that in Game 5 are equivalent, where x and y denote the number of ciphertext queries and trapdoor queries the adversary issues, respectively.
Set \({d_i}{ = }{\mathrm{{b}}_i}\mathrm{{,\,}}{\mathrm{{d}}_{n + i}}{\,=\,}{b_{n + i}}\mathrm{{ - }}\sum \limits _{s = 1}^n {{z_{i,s}}} {b_s}\mathrm{{ - }}{\theta _i}{b_{2n + 1}}\mathrm{{ ( i = 1,}} \ldots \mathrm{{,\,n),\, }}{d_{2n + i}}\mathrm{{\,=\,}}{b_{2n + i}}\mathrm{{ ( i =}}1\mathrm{{,\,}}2\mathrm{{,\,}}3)\),
Set \(\mathrm{{D}}: = ({d_1}, \ldots ,{d_{2n + 3}}), {\mathrm{{D}}^*}: = (d_1^*, \ldots ,d_{2n + 3}^*)\).
In the game 4-t, the trapdoor for the j-th query, the index ciphertext for the first index, and the challenge ciphertext can be represented by B and \({B^*}\) as follows.
We notice that can be represented by D and \({D^*}\).
where is \(v_t^{(j)'} = v_t^{(j)} - \rho _1^{(j)}\sum \limits _{i = 1}^n {y_i^{(j)}{z_{t,i}}}\) uniformly and independly distributed.
where \(w_t^{(j)'} = w_t^{(j)} - \theta _1^{(j)}\sum \limits _{i = 1}^n {y_i^{(j)}{z_{t,i}} - } {\beta ^{(j)}}{\theta _t}\) are uniformly and independently distributed
\({\varepsilon _x} = {\varepsilon _1}x_t^* + \sum \limits _{i = 1}^n {{u_i}} {z_{i,t}},{\alpha _x} = {\alpha ^*} + \sum \limits _{i = 1}^n {{u_i}} {\theta _i}\) are uniformly and independently distributed.
Therefore, can be represented as trapdoor and index ciphertext with two methods, in Game 4-\(\vartheta \) over bases \(\mathrm{{B}},{\mathrm{{B}}^*})\) in Game 5 over bases \(\mathrm{{D}},{\mathrm{{D}}^*})\). Thus, Game 4-\(\vartheta \) can be conceptually changed to Game 5.
In conclusion, if the function is paseudorandom function and the advantages for Assumptions 2 and 3 are negligible, the index privacy game and game 5 are computationally indistinguishable. Moreover, any PPT adversary has no advantage for game 5. At this point, Theorem 1 is proved.
Index privacy game game 0: it is the origal query privacy game between the challenger B and the adaversary A. We describe the original query privacy game can be described by the similar method with the original index privacy game.
Theorem 2
If the advantages for Assumptions 4 and 5 are negligible, then the proposed scheme is adaptively query-hiding against CPA.
The proof ofthe Theorem 2 is similar to the proof of the Theorem 1.
Appendix A.3 The Proof of Unforgeability of the Results
Theorem 3
The proposed scheme achieves unforgeability of the results.
Aftering receiving the trapdoor \(T{D_{\overrightarrow{Y} }} = (K_1^*,K_2^*)\), the cloud server searches all the encrypted index and sends \((({\alpha _1},p{f_1}),({\alpha _2},p{f_2}), \ldots )\) to the user, where \(p{f_i}\) is the proof that \({d_i}\) with the \(DI{D_i}\) matches with Q. \(p{f_i} = e({C_{\overrightarrow{{X_i}} }},\mathrm{{ K}}_2^*)\)
If \(\overrightarrow{{X_i}} \) matchs with \(\overrightarrow{Y} = ({\mathrm{{y}}_1}, \ldots ,{\mathrm{{y}}_n})\), then \(\overrightarrow{{X_i}} {.}\overrightarrow{Y} = 0\), i.e., \(\sum \limits _{j = 1}^n {{x_{i,j}}} .{y_j} = 0\), then \(p{f_i} = e({C_{\overrightarrow{{X_i}} }},\mathrm{{ K}}_2^*) = e{(\mathrm{{g,g}})^{{\alpha _i}\gamma }}\), here \({\alpha _i} = {F_{{K_1}}}(DI{D_i}),\gamma = {\gamma _1}, \ldots ,{\gamma _d},{\gamma _i} = {F_{{K_2}}}(KI{D_i})\) Otherwise, \(p{f_i}\) are uniformly and independently distributed in \({G_T}\). So, If \(\overrightarrow{{X_i}}\) doesnt matchs with \(\overrightarrow{Y} = ({\mathrm{{y}}_1}, \ldots ,{\mathrm{{y}}_n})\), the probability that an adversary outputs \( p{f_i} = e{(\mathrm{{g,g}})^{{\alpha _i}\gamma }}\) is negligible. So, we prove that the proposed scheme achieves unforgeability of the results.
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Zhang, L., Wang, W., Zhang, Y. (2019). Semantically Secure and Verifiable Multi-keyword Search in Cloud Computing. In: Chen, X., Huang, X., Zhang, J. (eds) Machine Learning for Cyber Security. ML4CS 2019. Lecture Notes in Computer Science(), vol 11806. Springer, Cham. https://doi.org/10.1007/978-3-030-30619-9_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-30619-9_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30618-2
Online ISBN: 978-3-030-30619-9
eBook Packages: Computer ScienceComputer Science (R0)