Abstract
Cloud storage over the internet gives opportunities for easy data sharing. To preserve the privacy of shared data, the outsourced data is usually encrypted. The searchable encryption technique provides a solution for finding the target data in encrypted form, and public-key encryption with keyword search is regarded as a major approach to searchable encryption. However, several privacy leakage challenges still stand in the way of the further adoption of these major schemes. One is how to resist the keyword guessing attack, which still leaks the privacy of the data user's keywords. Another is how to construct the access control policy to prevent illegal access to outsourced shared data, since illegal access always leaks the privacy of the user's attributes. In our paper, we first try to design a novel secure keyword index to resist the keyword guessing attack from the access pattern and the search pattern. Second, we propose an attribute-based encryption scheme which supports an enhanced fine-grained access control search. This allows authenticated users to access different data even though their search requests contain the same queried keywords, while unauthenticated users cannot get any attribute privacy information. Third, we give security proofs to show that the construction of the keyword index resists the keyword guessing attack from the access pattern and the search pattern, and our scheme is proved to be IND-CPA secure (indistinguishability under chosen plaintext attack) under the standard model. Finally, theoretical analyses and a series of experiments are conducted to demonstrate the efficiency of our scheme.
References
 1.
Armbrust, M., Fox, A., Griffith, R., et al.: A view of cloud computing clearing the clouds away from the true potential and obstacles posed by this computing capability. Commun. ACM 53(4), 50–58 (2010). https://doi.org/10.1145/1721654.1721672
 2.
Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceedings of IEEE Symposium on Security and Privacy, pp 44–55. IEEE Computer Society (2000), https://doi.org/10.1109/SECPRI.2000.848445
 3.
Kim, K.S., Kim, M., et al.: Forward secure dynamic searchable symmetric encryption with efficient updates. In: ACM SIGSAC Conference, pp 1449–1463. ACM (2017), https://doi.org/10.1145/3133956.3133970
 4.
Kamara, S., Moataz, T.: Boolean searchable symmetric encryption with worst-case sub-linear complexity. In: Proceedings International Conference on the Theory and Applications of Cryptographic Techniques, pp 94–124 (2017), https://doi.org/10.1007/9783319566177_4
 5.
Li, H.W., Yang, Y., Dai, Y.S., et al.: Achieving secure and efficient dynamic searchable symmetric encryption over medical cloud data. IEEE Trans. Cloud Comput. (2017). https://doi.org/10.1109/TCC.2017.2769645
 6.
Boneh, D., Crescenzo, G.D., et al.: Public key encryption with keyword search. Eurocrypt 3027(16), 506–522 (2004). https://doi.org/10.1007/9783540246763_30
 7.
Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Theory of Cryptography Conference, pp 535–54. Springer, Berlin (2007), https://doi.org/10.1007/9783540709367_29
 8.
Noroozi, M., Eslami, Z., Pakniat, N.: Comments on a chaos-based public key encryption with keyword search scheme. Nonlinear Dyn. 3, 1–6 (2018). https://doi.org/10.1007/s1107101844139
 9.
Yu, S.C., Wang, C., Ren, K., et al.: Achieving secure, scalable, and fine-grained data access control in cloud computing. IEEE INFOCOM 29(16), 1–9 (2010)
 10.
Sun, W.H., Yu, S.C., Lou, W.J., et al.: Protecting your right: verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. IEEE Trans. Parallel Distrib. Syst. 27(4), 1187–1198 (2016). https://doi.org/10.1109/TPDS.2014.2355202
 11.
Yang, Y., Ma, M.: Conjunctive keyword search with designated tester and timing enabled proxy re-encryption function for e-health clouds. IEEE Trans. Inf. Forensics Secur. 11(4), 746–759 (2017). https://doi.org/10.1109/TIFS.2015.2509912
 12.
Miao, Y.B., Ma, J.F., Liu, X.M., et al.: Attribute-based keyword search over hierarchical data in cloud computing. IEEE Trans. Serv. Comput. 60(12), 1–14 (2017). https://doi.org/10.1109/TSC.2017.2757467
 13.
Alderman, J., Martin, K., Renwick, S.L.: Multi-level access in searchable symmetric encryption. In: Proceedings of International Conference on Financial Cryptography and Data Security, vol. 3494, pp 35–52. Springer, Cham (2017), https://doi.org/10.1007/9783319702780_3
 14.
Fan, Y.D., Wu, X.P., Wang, J.S.: Multi-authority attribute-based encryption access control scheme with hidden policy and constant length ciphertext for cloud storage. In: Proceedings of IEEE Second International Conference on Data Science in Cyberspace, pp 205–212 (2017), https://doi.org/10.1109/DSC.2017.10
 15.
Li, M., Yu, S., Cao, N., et al.: Authorized private keyword search over encrypted data in cloud computing. In: Proceedings of the 31st International Conference Distributed Computing Systems, pp 383–392 (2011), https://doi.org/10.1109/ICDCS.2011.55
 16.
Sun, W.H., Liu, X.F., Lou, W.J., et al.: Catch you if you lie to me: efficient verifiable conjunctive keyword search over large dynamic encrypted cloud data. In: IEEE Computer Communications, pp 2110–2118 (2015), https://doi.org/10.1109/INFOCOM.2015.721859
 17.
Liu, Q., Nie, X.H., Liu, X.H., et al.: Verifiable ranked search over dynamic encrypted data in cloud computing. In: Proceedings of IEEE/ACM International Symposium on Quality of Service, pp 1–6 (2017), https://doi.org/10.1109/IWQoS.2017.7969156
 18.
Fuhr, T., Paillier, P.: Decryptable searchable encryption. In: Proceedings. Provable Security, 1st International Conference, DBLP, vol. 4784, pp 228–236 (2007), https://doi.org/10.1007/9783540756705_17
 19.
Fang, L.M., Wang, J.D., Ge, C.P., et al.: Decryptable public key encryption with keyword search schemes. Int. J. Digit. Content Technol. Appl. 4(9), 141–150 (2010). https://doi.org/10.4156/jdcta.vol4.issue9
 20.
Shen, Z.R., Shu, J.W., Xue, W.: Preferred search over encrypted data. Front. Comput. Sci. 4, 1–15 (2018). https://doi.org/10.1007/s1170401662445
 21.
Yang, Y., Liu, X.M., Deng, R.H.: Expressive query over outsourced encrypted data. Inf. Sci. 442–443, 33–53 (2018). https://doi.org/10.1016/j.ins.2018.02.017
 22.
Saito, T., Nakanishi, T.: Designated-senders public-key searchable encryption secure against keyword guessing attacks. In: International Symposium on Computing & Networking IEEE Computer Society, pp 496–502 (2017)
 23.
Xie, R., Xui, C.X., Li, F.G., et al.: Ciphertext retrieval against insider attacks for cloud storage. In: IEEE International Conference on Computer and Communications, pp 202–206 (2017), https://doi.org/10.1109/CompComm.2016.7924693
 24.
Sun, L.X., Xu, C.X., Zhang, M.W., et al.: Secure searchable public key encryption against insider keyword guessing attacks from indistinguishability obfuscation. Sci. China (Inf. Sci.) 3(038106), 61 (2018). https://doi.org/10.1007/s1143201791240
 25.
Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification. In: Proceedings in Network and Distributed System Security Symposium (2012)
 26.
Liu, C., Zhu, L.H., Wang, M., et al.: Search pattern leakage in searchable encryption: attacks and new construction. Inf. Sci. 265(5), 176–188 (2014). https://doi.org/10.1016/j.ins.2013.11.021
 27.
Naveed, M., Prabhakaran, M., Gunter, C.A.: Dynamic searchable encryption via blind storage. In: Proceedings of IEEE Symposium on Security Privacy IEEE Computer Society, pp 639–654 (2015), https://doi.org/10.1109/SP.2014.47
 28.
Huang, Q., Li, H.B.: An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf. Sci. 403–404, 1–14 (2017). https://doi.org/10.1016/j.ins.2017.03.038
 29.
Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Proceedings of International Conference on Theory and Applications of Cryptographic Techniques, vol. 3494, pp 457–473. Springer, Berlin (2005), https://doi.org/10.1007/1142663927
 30.
Nishide, T., Yoneyama, K., Ohta, K.: Attribute-based encryption with partially hidden encryptor-specified access structures. In: Proceedings of International Conference on Applied Cryptography and Network Security, vol. 5037, pp 111–123. Springer, Berlin (2008), https://doi.org/10.1007/9783540689140_7
 31.
Yousefipoor, V., Ameri, M.H., Mohajeri, J., et al.: A secure attribute based keyword search scheme against keyword guessing attack. In: 2016 8th International Symposium on Telecommunications (IST), pp 124–128 (2016), https://doi.org/10.1109/ISTEL.2016.7881795
 32.
Jiang, P., Guo, F.C., Susilo, W., et al.: Keyword attacks and privacy preserving in public-key-based searchable encryption. Encyclopedia of Big Data Technologies. Springer, Cham (2018). https://doi.org/10.1007/9783319639628_2321
 33.
Zheng, Q.J., Xu, S., Ateniese, G.: VABKS: verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM, pp 522–530 (2014), https://doi.org/10.1109/INFOCOM.2014.6847976
Acknowledgements
This work was partly supported by the National Natural Science Foundation of China under Grant 61802243, 61572246, the Scientific Research Foundation for the Returned Overseas Chinese Scholars of MOHRSS, the Innovation Fund Designated for Graduate Students of Shaanxi Normal University 2017CSY001 supported by the Fundamental Research Funds for the Central Universities, the Fundamental Research Funds for the Central Universities under Grant GK201803005, Shaanxi Province Natural Science Basic Research Program Funded Project 2016JQ6029, the Foundation of Guizhou Provincial Key Laboratory of Public Big Data 2018BDKFJJ004, the Major Scientific and Technological Special Project of Guizhou Province 20183001.
This article belongs to the Topical Collection: Special Issue on Security and Privacy in Network Computing
Guest Editors: Xiaohong Jiang, Yongzhi Wang, Tarik Taleb, and Hua Wang
Appendices
Appendix A: Construction algorithms of γ, A, C
In this part, the construction algorithms for γ, A, C are given, that is, the keyword encryption and generation of the empty array B[N_{1}] (Algorithm 1), the construction of TKFT (Algorithm 2), the construction of GIP (Algorithm 3) and the file encryption of CP-ABE (Algorithm 4). We give these 4 detailed sub-algorithms respectively below.
In Algorithm 1, the keyword entry pair (KEP) is obtained by keyword encryption, and “B[N_{1}]” is an empty array of size N_{1} which will be used to indicate the containing relationships between each keyword in M^{′} and the true files in F_{1}. This algorithm outputs \(KEP=\left \{{I_{1}},{I_{2}},\cdots ,{I_{m^{\prime }}}\right \}\) and \(B[N_{1}]=\left \{{B_{1}[N_{1}]},{B_{2}[N_{1}]},\cdots ,{B_{m^{\prime }}[N_{1}]}\right \}\).
In Algorithm 2, we show the detailed construction of the true keyword-files table (e.g., Table 1 in Section 3). First, we should point out that the identifier f_{μ} in Algorithm 2 is only an identifier instead of the file content. Second, steps 1 to 19 in Algorithm 2 indicate the construction of TKFT, where N_{2} means that we need to add N_{2} fake files so that the generated GIP is resistant to KGA from the access pattern. Third, we get the second empty array “C[N_{2}]” of size N_{2} that will be used in Algorithm 3. By Algorithm 2, we can get TKFT (\(P=\left \{{P_{1}},{P_{2}},\cdots ,{P_{m^{\prime }}}\right \}\)) and the empty array C[N_{2}] (\(C[N_{2}]=\left \{{C_{1}[N_{2}]},{C_{2}[N_{2}]},\cdots ,{C_{m^{\prime }}[N_{2}]}\right \}\)).
In Algorithm 3, we present the specific steps of constructing the GIP. According to each keyword w_{j}’s d(w_{j}), we randomly find (d_{1} − d(w_{j})) fake file identifiers and choose (d_{1} − d(w_{j})) elements of C_{j}[N_{2}], 1 ≤ j ≤ m^{′}. Next, the fake file identifiers substitute the initial elements of C_{j}[N_{2}]. In this way, all keywords’ d(w) are equal; the results of these four steps can be seen clearly in Tables 2, 3 and 4 of Section 3. Algorithm 3 returns the final GIP (\(\gamma =\left \{{\gamma _{1}},{\gamma _{2}},\cdots ,{\gamma _{m^{\prime }}}\right \}\)).
In Algorithm 4, we give the detailed attribute-based encryption scheme which supports the enhanced fine-grained access control. By the steps in Algorithm 4, we can get the attribute-file identifier list A (A = {AF^{ϕ(1)}, AF^{ϕ(2)},⋯ ,AF^{ϕ(m)}}), and the file ciphertexts C (C = {C_{1}, C_{2},⋯ ,C_{N}}).
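The frequency-equalising step of Algorithms 2 and 3 can be illustrated with the following added example, which is not the paper's own code: it builds the rows B_j[N_1] from a constructed file set, fills (d_1 − d(w_j)) random slots of C_j[N_2] with fake identifiers, and counts what a server observes per keyword. It assumes d_1 is the largest true frequency; the function names and the `fake_k` identifiers are hypothetical, and no encryption is performed.

```python
import secrets

# Constructed sample: N1 = 5 true files and the keywords each contains.
SAMPLE_FILES = {
    "f1": {"invoice", "audit"},
    "f2": {"invoice"},
    "f3": {"invoice", "payroll"},
    "f4": {"invoice", "audit"},
    "f5": {"payroll"},
}
SAMPLE_KEYWORDS = ["invoice", "audit", "payroll"]


def build_tkft(true_files, keywords):
    """Return {w_j: B_j[N1]}: bit mu is 1 when true file f_mu contains w_j."""
    ids = sorted(true_files)
    return {w: [int(w in true_files[f]) for f in ids] for w in keywords}


def build_gip(tkft, n2, rng=None):
    """Pad every keyword to d1 postings using slots of C_j[N2].

    Assumption: d1 is the largest true frequency d(w_j) in the table.
    """
    rng = rng or secrets.SystemRandom()
    n1 = len(next(iter(tkft.values())))
    d = {w: sum(row) for w, row in tkft.items()}
    d1 = max(d.values())
    if not n1 > n2 >= 1:
        raise ValueError("the proof's condition N1 > N2 >= 1 does not hold")
    if n2 < d1 - min(d.values()):
        raise ValueError("N2 is too small to equalise the rarest keyword")
    gip = {}
    for w, row in tkft.items():
        c = [None] * n2                       # empty array C_j[N2]
        for slot in rng.sample(range(n2), d1 - d[w]):
            c[slot] = f"fake_{slot + 1}"      # hypothetical fake identifier
        gip[w] = (row, c)
    return gip


def observed_frequency(index_row):
    """Postings a server can count for one keyword, true and fake alike."""
    b, c = index_row
    return sum(b) + sum(x is not None for x in c)


def frequency_profile(gip):
    """Per-keyword frequency as seen from the padded index."""
    return {w: observed_frequency(r) for w, r in gip.items()}


if __name__ == "__main__":
    tkft = build_tkft(SAMPLE_FILES, SAMPLE_KEYWORDS)
    print("true d(w):  ", {w: sum(r) for w, r in tkft.items()})
    print("padded d(w):", frequency_profile(build_gip(tkft, n2=3)))
```

The second check in `build_gip` matters in practice: if N_2 is smaller than the gap between the most and least frequent keyword, the frequencies cannot all be raised to d_1 and the ranking remains visible.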
Appendix B: Security proofs
In this part, we will give detailed security proofs for Theorem 1 and Theorem 2.
Theorem 1
By the construction of global index pair, the advantage of adversary in keyword guessing attack from access pattern and search pattern is less than \(\frac {4}{N^{2}}\) and \(\frac {1}{2^{y}}+negl(\lambda )\), respectively, where negl(⋅) is a negligible function.
Proof
By the above search process, we can get a conclusion that the CSP or any unauthenticated entities learn nothing about keywords from the view of access pattern and search pattern simultaneously.
The security of access pattern:

We analyze the security of our proposed scheme against the inside KGA from the access pattern. Since we add some fake files to F which make the keyword frequencies d(w_{j}) (1 ≤ j ≤ m^{′}) all the same, the CSP cannot get any true high-frequency terms by statistical attacks, nor the true containing relationships between these real top keywords and the related files, from the DO’s access pattern. Suppose the insider attacker CSP wants to get the keywords privacy from the DO’s access pattern; we define the advantage of the CSP in this inside attack as Pr[success].
Clearly, the CSP can initiate this inside KGA if and only if the following events E_{0}, E_{1} and E_{2} hold at the same time:
E_{0}: he knows exactly the value of N_{1}, where N = N_{1} + N_{2}, \(N>N_{1}>N_{2}\geqslant 1\);

E_{1}: he can distinguish N_{1} true files from N stored files;

E_{2}: he gets each keyword’s d(w), where w is in M^{′} and |M^{′}| = m^{′}.
Hence, the advantage Pr[success] = Pr[E_{0} ∧ E_{1} ∧ E_{2}]. Furthermore,
$$\begin{array}{@{}rcl@{}} \text{Pr}[E_{0}\wedge E_{1}\wedge E_{2}] &=&\text{Pr}[E_{0}\wedge E_{1}]\cdot \text{Pr}[E_{2}\mid E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}]\cdot \text{Pr}[E_{1}\mid E_{0}] \end{array} $$
Since N = N_{1} + N_{2}, \(N>N_{1}>N_{2}\geqslant 1\), we can get that 2N_{1} > N, \(\text{Pr}[E_{0}]< \frac {1}{\lfloor \frac {N}{2}\rfloor }\) and \(\text{Pr}[E_{1}\mid E_{0}]=\frac {1}{\binom {N}{N_{1}}}\). Furthermore,
$$\begin{array}{@{}rcl@{}} \binom{N}{N_{1}}={\frac{N!}{N_{1}!\cdot(N-N_{1})!}} &=&{\frac{N!}{N_{1}!\cdot N_{2}!}}\\ &=&\frac{N(N-1){\cdots} (N_{1}+ 1)}{N_{2}!}\\ &=&\frac{(N_{1}+N_{2})(N_{1}+N_{2}-1)\cdots(N_{1}+ 1)}{N_{2}!}> \frac{(N_{1})^{N_{2}}}{N_{2}!} \end{array} $$
Thus, we have \(\text {Pr[success]}=\text {Pr} [E_{0}\wedge E_{1}\wedge E_{2}] < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{2}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{1}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{N_{1}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{\lfloor \frac {N}{2}\rfloor } \approx \frac {4}{N^{2}}\).
According to the security analyses above, the advantage of an adversary in launching a successful inside KGA from the access pattern is less than \(\frac {4}{N^{2}}\). That is, the advantage of an insider attacker in learning keywords privacy from the access pattern is negligible, especially in the actual scenario (i.e., N is much larger), and the proposed scheme is secure against the KGA from the access pattern.
The security of search pattern:

We analyze the security of the proposed scheme against the inside KGA from the search pattern. Assume a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\), who may be an unauthorized DU. In this attack \(\mathcal {A}\) has a valid search token and knows the set of all keywords. He wants to find the keyword corresponding to a search token. The adversary \(\mathcal {A}\) runs the following KGA algorithm for each keyword:

1) \(\mathcal {A}\) encrypts the keyword, generates a keyword ciphertext and then uploads the keyword ciphertext to the CSP;

2) \(\mathcal {A}\) sends the valid search token to the CSP;

3) The CSP then sends search results to \(\mathcal {A}\).
If the search results match the ciphertext of some keyword, \(\mathcal {A}\) returns the related keyword.
In most previous PEKS schemes, \(\mathcal {A}\) can easily run the above algorithm and find the correct keyword with high probability [33], because in these schemes a search token corresponds to a specific keyword and the algorithm only outputs the encrypted keyword. So the adversary \(\mathcal {A}\) ensures that the KGA algorithm outputs the correct keyword. In our proposed scheme, we have mitigated this drawback by using a fuzzy search token f_{tk} and a true search token t_{tk}. Assume that the adversary \(\mathcal {A}\) has a valid fuzzy search token f_{tk} about a keyword and knows the set of all keywords \(M^{\prime }=\left \{ {w_{1}},{w_{2}},\cdots ,{w_{m^{\prime }}}\right \}\). \(\mathcal {A}\) implements the KGA algorithm as follows:

1) \(\mathcal {A}\) sets i = 1;

2) \(\mathcal {A}\) generates the keyword ciphertext I_{i} corresponding to the keyword w_{i} by using the hash functions h(x), g(x). Then he outsources I_{i} to the CSP, 1 ≤ i ≤ m^{′};

3) \(\mathcal {A}\) sends f_{tk} about only one queried keyword to the CSP;

4) The CSP then sends search results q_{1} to \(\mathcal {A}\). If \(C_{w_{i}} \in R\), \(\mathcal {A}\) returns w_{i}, else i = i + 1 and returns to step 2). If i = m and \(C_{w_{i}} \notin R\), \(\mathcal {A}\) returns ⊥.
Because the f_{tk} is valid, any adversary \(\mathcal {A}\) never returns ⊥. Assume that for an index j ∈{1, 2,⋯ ,m^{′}}, \(\mathcal {A}\) returns w_{j}. Then according to the definition of fuzzy search token and true search token, he also returns w_{j− 1} or w_{j+ 1}. Now in order to successfully attack, \(\mathcal {A}\) must make a correct guess between j and j − 1 (or j + 1). So the probability of success in this attack for \(\mathcal {A}\) is Pr[Success] = Pr[guess].
According to the definition of the search algorithm and the decryption algorithm, the DU only submits the fuzzy search token to the CSP, and then the CSP returns a part of the global index pair (i.e., q_{1}) as the query-index, where there is a bundled relationship between each queried keyword and a pair of entries in this returned index. Upon receiving the query-index from the CSP, only the DU can extract one of each pair of query entries according to the remainder true search token g(t_{w}), where the extracted query entries have one-to-one correspondence to this queried keyword. However, the CSP or any unauthenticated entities cannot judge whether two queries are for the same queried keyword or not, since they cannot find the correspondence between the real query entries and the queried keyword on the condition that \(\mathcal {A}\) has no information about the true search token. So \(\text {Pr[Success]} \leqslant \frac {1}{2}\) when the value y = 1. So the probability of the adversary successfully getting keywords privacy by the inside KGA from the search pattern for y queried keywords is
$$\text{Pr[Success]}\leqslant \frac{1}{2^{y}}+negl(\lambda) $$
for some negligible function negl(⋅). Hence, the proposed scheme is more secure against the inside KGA from the search pattern with larger y. In conclusion, the CSP or other unauthenticated entities cannot get any keywords privacy by effectively launching the inside KGA from the access pattern and the search pattern.

□
Theorem 2
Assume that there is a PPT adversary \(\mathcal {A}\) breaking our CP-ABE game with non-negligible advantage ε, then a simulator \(\mathcal {S}\) can be constructed which can solve a DBDH instance with a non-negligible advantage \(\frac {\varepsilon }{2}\).
Proof
We now demonstrate the chosen plaintext attack (CPA) security of our scheme under the decisional bilinear Diffie-Hellman (DBDH) assumption. Given a DBDH problem [\(g,g^{z_{1}},g^{z_{2}},g^{z_{3}},Z\)], the simulator \(\mathcal {S}\) interacts with the adversary \(\mathcal {A}\) in the following simulation.
Init: \(\mathcal {A}\) submits the challenge access structures policies \(W^{*}=[W_{1}^{*},W_{2}^{*},{\cdots } W_{i}^{*},\cdots ,W_{n}^{*}]\) to \(\mathcal {S}\).
Setup: \(\mathcal {S}\) runs Setup to generate global parameter GP and master key Msk. That is, \(\mathcal {S}\) sets \(Y_{2}=e(g^{z_{1}},g^{z_{2}})=e(g,g)^{z_{1}z_{2}}\) which implies α = z_{1}z_{2}. For each attribute i, 1 ≤ i ≤ n, \(\mathcal {S}\) computes \(A_{it}=g^{a_{it}}\) if \(v_{it}\in W_{i}^{*}\) and \(A_{it}=(g^{z_{1}})^{a_{it}}\) otherwise, where \({\left \{{a_{it}\in {Z_{q}}^{*}}\right \}}_{1\leqslant t\leqslant n_{i}}\) are random. Then \(\mathcal {S}\) publishes GP in the real scheme.
Phase 1: \(\mathcal {A}\) submits the attribute list L for a Genprivatekey query. If L does not satisfy W^{∗}, \(\mathcal {S}\) will return secret key sk_{L}. That is, there must be k ∈ {1, 2,⋯ ,n} such that \(L_{k}=v_{kt_{k}}\not \in W_{k}^{*}\). Then for 1 ≤ i ≤ n, \(\mathcal {S}\) selects randomly \({\alpha ^{\prime }_{ui}}\in Z_{q}^{*}\) and \(a_{it_{i}}^{\prime }\in Z_{q}^{*}\). Next, \(\mathcal {S}\) computes \(D_{0}=g^{\alpha -\alpha _{u}}=g^{z_{1}z_{2}-\alpha _{u}}=(g^{z_{2}})^{-{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}}\). For the computation of D_{1}, \(\mathcal {S}\) carries out the following computations. For i = k, \(\mathcal {S}\) computes \(D_{1k}=g^{\frac {\alpha _{uk}}{a_{kt_{k}}}}=g^{\frac {z_{1}z_{2}+z_{2}\cdot \alpha ^{\prime }_{uk}}{z_{2}\cdot a_{kt_{k}}^{\prime }}}=(g^{z_{1}})^{\frac {1}{a_{kt_{k}}^{\prime }}}\cdot g^{\frac {\alpha ^{\prime }_{uk}}{a_{kt_{k}}^{\prime }}}\) and for i≠k, \(D_{1i}=g^{\frac {\alpha _{ui}}{a_{it_{i}}}}=(g^{z_{2}})^{\frac {\alpha ^{\prime }_{ui}}{a_{it_{i}}^{\prime }}}\). It is noted that, from the construction of D_{0}, D_{1}, \(\alpha _{uk}=z_{1}z_{2}+z_{2}\cdot {\alpha ^{\prime }_{uk}}\), \(a_{kt_{k}}=z_{2}\cdot a_{kt_{k}}^{\prime }\) (i = k), and \(\alpha _{ui}=\alpha ^{\prime }_{ui}\cdot z_{2}\), \(a_{it_{i}}=a_{it_{i}}^{\prime }\) (i≠k) and so \(\alpha _{u}={\sum }_{i = 1,i\neq k}^{n} \alpha _{ui}+\alpha _{uk}=z_{1}z_{2}+{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}\cdot z_{2}\).
Challenge: \(\mathcal {A}\) submits two equal-length challenge values k_{0}, k_{1} to \(\mathcal {S}\). \(\mathcal {S}\) chooses a value μ, μ ∈ {0, 1} and sets \(C_{0}=k_{\mu }\cdot Z, C_{1}=g^{z_{3}}\) which implies s_{μ} = z_{3}, and computes the corresponding ciphertext \(\left \{{C_{i,2,t}}\right \}_{{1\leqslant i\leqslant n,1\leqslant t \leqslant n_{i}}}\) for W^{∗} as follows: if \(v_{it}\in W_{i}^{*}\), \(C_{i,2,t}=(A_{it})^{z_{3}}=(g^{z_{3}})^{a_{it}}\) (well-formed); if \(v_{it}\not \in W_{i}^{*}\), C_{i,2,t} are random (malformed). Finally, these challenge ciphertexts are sent to \(\mathcal {A}\).
Phase 2: Phase 1 is repeated under the premise that the adversary cannot submit an L that satisfies W^{∗}.
Guess: After the PPT queries in Phase 1 and Phase 2, \(\mathcal {A}\) is asked to output a guess μ^{′} of μ. If μ^{′} = μ, \(\mathcal {S}\) outputs 1; otherwise it outputs 0. If \(Z=e(g,g)^{z_{1}z_{2}z_{3}}\), then the challenge ciphertexts are valid, and the advantage of \(\mathcal {A}\) is ε, i.e., the advantage in winning the game is \(\left | \text {Pr}[\mathcal {S}\rightarrow 1\mid Z=e(g,g)^{z_{1}z_{2}z_{3}}]\right |=\left |\text {Pr}[\mu ^{\prime }=\mu \mid Z=e(g,g)^{z_{1}z_{2}z_{3}}]\right |=\frac {1}{2}+\varepsilon \). If Z is random, then the challenge ciphertexts are random from the view of \(\mathcal {A}\), and the advantage of \(\mathcal {A}\) is \(\left |\text {Pr}[\mathcal {S}\rightarrow 1\mid Z]\right |=\frac {1}{2}\).
Hence, we can get the conclusion that the simulator \(\mathcal {S}\) has the advantage \(\frac {\varepsilon }{2}\) to solve a given DBDH instance based on the following inference.
□
Cite this article
Cao, Q., Li, Y., Wu, Z. et al. Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control. World Wide Web (2019). https://doi.org/10.1007/s11280019006713
Keywords
 Access control
 Access pattern
 Keyword guessing attack
 Privacy-preserving
 Searchable encryption
 Search pattern