Springer Nature is making SARS-CoV-2 and COVID-19 research free. View research | View latest news | Sign up for updates

Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control

  • 243 Accesses

  • 1 Citations


Cloud storage over the internet gives opportunities for easy data sharing. To preserve the privacy of sharing data, the outsourced data is usually encrypted. The searchable encryption technique provides a solution to find the target data in the encrypted form. And the public-key encryption with keyword search is regarded as a major approach for the searchable encryption technique. However, there are still several privacy leakage challenges for the further adoption of these major schemes. One is how to resist the keyword guessing attack which still leaks data user’s keywords privacy. Another is how to construct the access control policy to prevent illegal access of outsourced data sharing since illegal access always leak the privacy of user’s attribute. In our paper, we firstly try to design a novel secure keyword index to resist the keyword guessing attack from access pattern and search pattern. Second, we propose an attribute-based encryption scheme which supports an enhanced fine-grained access control search. This allows the authenticated users to access different data although their searching request contains the same queried keywords, and meanwhile unauthenticated users cannot get any attribute privacy information. Third, we give security proofs to show that the construction of keyword index is against keyword guessing attack from the access pattern and search pattern, and our scheme is proved to be IND-CPA secure (the indistinguishability under chosen plaintext attack) under the standard model. Finally, theoretical analyses and a series of experiments are conducted to demonstrate the efficiency of our scheme.

This is a preview of subscription content, log in to check access.

Figure 1
Figure 2
Figure 3
Figure 4
Figure 5
Figure 6
Figure 7
Figure 8


  1. 1.

    Armbrust, M., Fox, A., Griffith, R., et al.: A view of cloud computing clearing the clouds away from the true potential and obstacles posed by this computing capability. Commun. ACM 53(4), 50–58 (2010). https://doi.org/10.1145/1721654.1721672

  2. 2.

    Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches on encrypted data. In: Proceedings of IEEE Symposium on Security and Privacy, pp 44–55. IEEE Computer Society (2000), https://doi.org/10.1109/SECPRI.2000.848445

  3. 3.

    Kim, K.S., Kim, M., et al.: Forward secure dynamic searchable symmetric encryption with efficient updates. In: ACM Sigsac Conference, pp 1449–1463. ACM (2017), https://doi.org/10.1145/3133956.3133970 https://doi.org/10.1145/3133956.3133970

  4. 4.

    Kamara, S., Moataz, T.: Boolean searchable symmetric encryption with worst-case sub-linear complexity. In: Proceedings International Conference on the Theory and Applications of Cryptographic Techniques, pp 94–124 (2017), https://doi.org/10.1007/978-3-319-56617-7_4

  5. 5.

    Li, H.W., Yang, Y., Dai, Y.S., et al.: Achieving secure and efficient dynamic searchable symmetric encryption over medical cloud data. IEEE Trans Cloud Comput. https://doi.org/10.1109/TCC.2017.2769645 https://doi.org/10.1109/TCC.2017.2769645 (2017)

  6. 6.

    Boneh, D., Crescenzo, G.D., et al.: Public key encryption with keyword search. Eurocrypt 3027(16), 506–522 (2004). https://doi.org/10.1007/978-3-540-24676-3_30

  7. 7.

    Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: Theory of Cryptography Conference, pp 535–54. Springer, Berlin (2007), https://doi.org/10.1007/978-3-540-70936-7_29

  8. 8.

    Noroozi, M., Eslami, Z., Pakniat, N.: Comments on a chaos-based public key encryption with keyword search scheme. Nonlinear Dyn. 3, 1–6 (2018). https://doi.org/10.1007/s11071-018-4413-9

  9. 9.

    Yu, S.C., Wang, C., Ren, K., et al.: Achieving secure, scalable, and fine grained data access control in cloud computing. IEEE INFCOM 29(16), 1–9 (2010)

  10. 10.

    Sun, W.H., Yu, S.C., Lou, W.J., et al.: Protecting your right: verifiable attribute-based keyword search with fine-grained owner-forced search authorization in the cloud. IEEE Trans. Parallel Distrib. Syst. 27(4), 1187–1198 (2016). https://doi.org/10.1109/TPDS.2014.2355202

  11. 11.

    Yang, Y., Ma, M.: Conjunctive keyword search with designated tester and timing enabled proxy re-encryption function for e-health clouds. IEEE Trans. Inf. Forensics Secur. 11(4), 746–759 (2017). https://doi.org/10.1109/TIFS.2015.2509912

  12. 12.

    Miao, Y.B., Ma, J.F., Liu, X.M., et al.: Attribute-based keyword search over hierarchical data in cloud computing. IEEE Trans. Serv. Comput. 60(12), 1–14 (2017). https://doi.org/10.1109/TSC.2017.2757467

  13. 13.

    Alderman, J., Martin, K., Renwick, S. L.: Multi-level access in searchable symmetric Encryption. In: Proceedings of International Conference on Financial Cryptography and Data Security, vol. 3494, pp 35–52. Springer, Cham (2017), https://doi.org/10.1007/978-3-319-70278-0_3

  14. 14.

    Fan, Y.D., Wu, X.P., Wang, J.S.: Multi-authority attribute-based encryption access control scheme with hidden policy and constant length ciphertext for cloud storage. In: Proceedings of IEEE Second International Conference on Data Science in Cyberspace, pp 205–212 (2017), https://doi.org/10.1109/DSC.2017.10

  15. 15.

    Li, M., Yu, S., Cao, N., et al.: Authorized private keyword search over encrypted data in cloud computing. In: Proceedings of the 31st International Conference Distributed Computing Systems, pp 383–392 (2011), https://doi.org/10.1109/ICDCS.2011.55

  16. 16.

    Sun, W.H., Liu, X.F., Lou, W.J., et al.: Catch you if you lie to me: efficient verifiable conjunctive keyword search over large dynamic encrypted cloud data. In: IEEE Computer Communications, pp 2110–2118 (2015), https://doi.org/10.1109/INFOCOM.2015.721859

  17. 17.

    Liu, Q., Nie, X.H., Liu, X.H., et al.: Verifiable ranked search over dynamic encrypted data in cloud computing. In: Proceedings of IEEE/ACM International Symposium on Quality of Service, pp 1–6 (2017), https://doi.org/10.1109/IWQoS.2017.7969156

  18. 18.

    Fuhr, T., Paillier, P.: Decryptable searchable encryption. In: Proceedings. Provable Security, 1st International Conference, DBLP, vol. 4784, pp 228–236 (2007), https://doi.org/10.1007/978-3-540-75670-5_17

  19. 19.

    Fang, L.M., Wang, J.D., Ge, C.P., et al.: Decryptable public key encryption with keyword search schemes. Int. J. Digit. Content Technol. Appl. 4(9), 141–150 (2010). https://doi.org/10.4156/jdcta.vol4.issue9

  20. 20.

    Shen, Z.R., Shu, J.W., Xue, W.: Preferred search over encrypted data. Front. Comput. Sci. 4, 1–15 (2018). https://doi.org/10.1007/s11704-016-6244-5

  21. 21.

    Yang, Y., Liu, X.M., Deng, R.H.: Expressive query over outsourced encrypted data. Inf. Sci. 442–443, 33–53 (2018). https://doi.org/10.1016/j.ins.2018.02.017

  22. 22.

    Saito, T., Nakanishi, T.: Designated-senders public-key searchable encryption secure against keyword guessing attacks. In: International Symposium on Computing & Networking IEEE Computer Society, pp 496–502 (2017)

  23. 23.

    Xie, R., Xui, C.X., Li, F.G., et al.: Ciphertext retrieval against insider attacks for cloud storage. In: IEEE International Conference on Computer and Communications, pp 202–206 (2017), https://doi.org/10.1109/CompComm.2016.7924693

  24. 24.

    Sun, L.X., Xu, C.X., Zhang, M.W., et al.: Secure searchable public key encryption against insider keyword guessing attacks from indistinguishability obfuscation. Sci. China (Inf. Sci.) 3(038106), 61 (2018). https://doi.org/10.1007/s11432-017-9124-0

  25. 25.

    Islam, M.S., Kuzu, M., Kantarcioglu, M.: Access pattern disclosure on searchable encryption: ramification. In: Proceedings in Network and Distributed System Security Symposium (2012)

  26. 26.

    Liu, C., Zhu, L.H., Wang, M., et al.: Search pattern leakage in searchable encryption: attacks and new construction. Inf. Sci. 265(5), 176–188 (2014). https://doi.org/10.1016/j.ins.2013.11.021

  27. 27.

    Naveed, M., Prabhakaran, M., Gunter, C.A.: Dynamic searchable encryption via blind storage. In: Proceedings of IEEE Symposium on Security Privacy IEEE Computer Society, pp 639–654 (2015), https://doi.org/10.1109/SP.2014.47

  28. 28.

    Huang, Q., Li, H.B.: An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf. Sci. 403–404, 1–14 (2017). https://doi.org/10.1016/j.ins.2017.03.038

  29. 29.

    Sahai, A., Waters, B.: Fuzzy identity-based encryption. In: Proceedings of International Conference on Theory and Applications of Cryptographic Techniques, vol. 3494, pp 457–473. Springer, Berlin (2005), https://doi.org/10.1007/1142663927

  30. 30.

    Nishide, T., Yoneyama, K., Ohta, K.: Attribute-based encryption with partially hidden encryptor-specified access structures. In: Proceedings of International Conference on Applied Cryptography and Network Security, vol. 5037, pp 111–123. Springer, Berlin (2008), https://doi.org/10.1007/978-3-540-68914-0_7

  31. 31.

    Yousefipoor, V., Ameri, M.H., Mohajeri, J., et al.: A secure attribute based keyword search scheme against keyword guessing attack. In: 2016 8th International Symposium on Telecommunications (IST), pp 124–128 (2016), https://doi.org/10.1109/ISTEL.2016.7881795

  32. 32.

    Jiang, P., Guo, F.C., Susilo, W., et al.: Keyword attacks and privacy preserving in public-key-based searchable encryption. Encyclopedia of Big Data Technologies. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-63962-8_232-1

  33. 33.

    Zheng, Q.J., Xu, S., Ateniese, G.: VABKS: verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM, pp 522–530 (2014), https://doi.org/10.1109/INFOCOM.2014.6847976

Download references


This work was partly supported by the National Natural Science Foundation of China under Grant 61802243, 61572246, the Scientific Research Foundation for the Returned Overseas Chinese Scholars of MOHRSS, the Innovation Fund Designated for Graduate Students of Shaanxi Normal University 2017CSY001 supported by the Fundamental Research Funds for the Central Universities, the Fundamental Research Funds for the Central Universities under Grant GK201803005, Shaanxi Province Natural Science Basic Research Program Funded Project 2016JQ6029, the Foundation of Guizhou Provincial Key Laboratory of Public Big Data 2018BDKFJJ004, the Major Scientific and Technological Special Project of Guizhou Province 20183001.

Author information

Correspondence to Yanping Li.

Additional information

Publisher’s note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article belongs to the Topical Collection: Special Issue on Security and Privacy in Network Computing

Guest Editors: Xiaohong Jiang, Yongzhi Wang, Tarik Taleb, and Hua Wang


Appendix A: Construction algorithms of γ, A, C

In this part, the construction algorithms about the γ, A, C are given, that is, the keywords encryption and generation of empty array B[N1] (Algorithm 1), the construction of TKFT (Algorithm 2), the construction of GIP (Algorithm 3) and the files encryption of CP-ABE (Algorithm 4). We give these 4 detailed sub-algorithms respectively below.

In Algorithm 1, the keyword entry pair (KEP) is obtained by keywords encryption, and the “B[N1]” is a empty array with size N1 which will be used to indicate the containing relationships between each keyword in M and true files in F1. This algorithm will output \(KEP=\left \{{I_{1}},{I_{2}},\cdots ,{I_{m^{\prime }}}\right \}\) and \(B[N_{1}]=\left \{{B_{1}[N_{1}]},{B_{2}[N_{1}]},\cdots ,{B_{m^{\prime }}[N_{1}]}\right \}\).

In Algorithm 2, we show the detailed construction of true keyword-files table (e.g., Table 1 in Section 3). First, we should point out that the identifier fμ in Algorithm 2 is only an identifier instead of the file content. Second, step 1 to 19 in Algorithm 2 indicate the construction of TKFT, where N2 means that we need to add N2 fake files so that the generated GIP is of resistance to KGA from access pattern; Third, we get the second empty array “C[N2]” with size N2 that will be used in the next Algorithm 3. By Algorithm 2, we can get TKFT (\(P=\left \{{P_{1}},{P_{2}},\cdots ,{P_{m^{\prime }}}\right \}\)) and empty array C[N2] (\(C[N_{2}]=\left \{{C_{1}[N_{2}]},{C_{2}[N_{2}]},\cdots ,{C_{m^{\prime }}[N_{2}]}\right \}\)).

In Algorithm 3, we present the specific steps of constructing the GIP. According to each keyword wj’s d(wj), we randomly find (d1d(wj)) fake file identifiers and choose (d1d(wj)) elements of Cj[N2], 1 ≤ jm. Next, the fake file identifiers substitute the initial elements of Cj[N2]. In this way, all keywords’ d(w) are equal, where the clearly results of these four steps can be found in Tables 23 and 4 of Section 3. By Algorithm 3, it will return the final GIP (\(\gamma =\left \{{\gamma _{1}},{\gamma _{2}},\cdots ,{\gamma _{m^{\prime }}}\right \}\)).

In Algorithm 4, we give the detailed attribute-based encryption scheme which supports the enhanced fine-grained access control. By steps in algorithm 4, we can get the attribute-file identifier list A (A = {AFϕ(1), AFϕ(2),⋯ ,AFϕ(m)}), and the files ciphertexts C (C = {C1, C2,⋯ ,CN}).


Appendix B: Security proofs

In this part, we will give detailed security proofs for Theorem 1 and Theorem 2.

Theorem 1

By the construction of global index pair, the advantage of adversary inkeyword guessing attack from access pattern and search pattern is less than\(\frac {4}{N^{2}}\)and\(\frac {1}{2^{y}}+negl(\lambda )\),respectively, wherenegl(⋅) is a negligible function.


By the above search process, we can get a conclusion that the CSP or any un-authenticated entities learn nothing about keywords from the view of access pattern and search pattern simultaneously.

The security of access pattern :

We analyze security about resisting the inside KGA from access pattern in our proposed scheme. Since we add some fake files to F which make the frequencies of keyword d(wj)(1 ≤ jm) all the same, the CSP cannot get any true high frequency terms by statistical attacks as well as true containing relationships between these real top keywords and the related files from the DO’s access pattern. Suppose the insider attacker CSP wants to get the keywords privacy from DO’s access pattern, we define the advantage of the CSP in this inside attack Pr[success].

Clearly, if the CSP initiates this inside KGA if and only if the following events E0, E1 and E2 hold in the same time:


he knows exactly the value of N1, where N = N1 + N2, \(N>N_{1}>N_{2}\geqslant \)1;


he can distinguish N1 true files from N stored files;


he gets each keyword’s d(w), where w is in M and |M| = m.

Hence, the advantage Pr[success] = Pr[E0E1E2]. Furthermore,

$$\begin{array}{@{}rcl@{}} \text{Pr}[E_{0}\wedge E_{1}\wedge E_{2}] &=&\text{Pr}[E_{0}\wedge E_{1}]\cdot Pr[E_{2}|E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}\wedge E_{1}]\\ &=&\text{Pr}[E_{0}]\cdot Pr[E_{1}|E_{0}]\\ \end{array} $$

Since N = N1 + N2, \(N>N_{1}>N_{2}\geqslant \)1, we can get that 2N1 > N, Pr[E0]\(< \frac {1}{\lfloor \frac {N}{2}\rfloor }\) and Pr[E1|E0]=\(\frac {1}{\binom {N}{N_{1}}}\). Furthermore,

$$\begin{array}{@{}rcl@{}} \binom{N}{N_{1}}={\frac{N!}{N_{1}!\cdot(N-N_{1})!}} &=&{\frac{N!}{N_{1}!\cdot N_{2}!}}\\ &=&\frac{N(N-1){\cdots} (N_{1}+ 1)}{N_{2}!}\\ &=&\frac{(N_{1}+N_{2})(N_{1}+N_{2}-1)\cdots(N_{1}+ 1)}{N_{2}!}> \frac{(N_{1})^{N_{2}}}{N_{2}!}\\ \end{array} $$

Thus, we have \(\text {Pr[success]}=\text {Pr} [E_{0}\wedge E_{1}\wedge E_{2}] < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{2}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {{N_{1}}^{N_{2}-1}}{(N_{1})^{N_{2}}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{N_{1}} < \frac {1}{\lfloor \frac {N}{2}\rfloor }\cdot \frac {1}{\lfloor \frac {N}{2}\rfloor } \approx \frac {4}{N^{2}}\).

According to the security analyses above, the advantage of the adversary launches a successful inside KGA from the access pattern is less than \(\frac {4}{N^{2}}\). That is, the advantage of insider attacker learns keywords privacy from the access pattern is negligible especially in the actual scenario (i.e., N is much larger) and the proposed scheme is secure against the KGA from access pattern.

The security of Search pattern :

We analyze security of the proposed scheme to resist the inside KGA from search pattern. Assume a probabilistic polynomial-time (PPT) adversary \(\mathcal {A}\), who may be an unauthorized DU. In this attack \(\mathcal {A}\) has a valid search token and he knows the set of all keywords. He wants to find a keyword corresponding to a search token. The adversary \(\mathcal {A}\) runs the following KGA algorithm for each keyword:

  1. 1)

    \(\mathcal {A}\) encrypts the keyword, generates a keyword ciphertext and then uploads the keyword ciphertext to the CSP;

  2. 2)

    \(\mathcal {A}\) sends the valid search token to the CSP;

  3. 3)

    The CSP then sends search results to \(\mathcal {A}\).

If the search results match the ciphertext of some keyword, \(\mathcal {A}\) returns the related keyword.

In the most previous PEKS schemes, \(\mathcal {A}\) can easily runs the above algorithm and find the correct keyword with high probability [33], because in these schemes a search token corresponds to a special keyword and the algorithm only outputs the encrypted keyword. So the adversary \(\mathcal {A}\) ensures that the KGA algorithm outputs the correct keyword. In our proposed scheme, we have mitigated this drawback by using fuzzy search token ftk and true search token ttk. Assume that the adversary \(\mathcal {A}\) has a valid fuzzy search token ftk about a keyword and knows the set of all keywords \(M^{\prime }=\left \{ {w_{1}},{w_{2}},\cdots ,{w_{m^{\prime }}}\right \}\). \(\mathcal {A}\) implements the KGA algorithm as follows:

  1. 1)

    \(\mathcal {A}\) sets i = 1;

  2. 2)

    \(\mathcal {A}\) generates the corresponding keyword ciphertext Ii to the keyword wi by using hash function h(x),g(x). Then he outsources Ii to the CSP, 1 ≤ im;

  3. 3)

    \(\mathcal {A}\) sends ftk about only one queried keyword to the CSP;

  4. 4)

    The CSP then sends search results q1 to \(\mathcal {A}\). If \(C_{w_{i}} \in R\), \(\mathcal {A}\) returns wi, else i = i + 1 and returns to step 2). If i = m and \(C_{w_{i}} \notin R\), \(\mathcal {A}\) returns ⊥.

Because the ftk is valid, any adversary \(\mathcal {A}\) never returns ⊥. Assume that for an index j ∈{1, 2,⋯ ,m}, \(\mathcal {A}\) returns wj. Then according to the definition of fuzzy search token and true search token, he also returns wj− 1 or wj+ 1. Now in order to successfully attack, \(\mathcal {A}\) must make a correct guess between j and j − 1 (or j + 1). So the probability of success in this attack for \(\mathcal {A}\) is Pr[Success] = Pr[guess].

According to the definition of search algorithm and decryption algorithm, the DU only submits the fuzzy search token to the CSP, and then the CSP returns a part of global index pair (i.e., q1) as query-index where there is a bundled relationship between each queried keyword and a pair of entries in this returned index. Upon receiving the query-index from the CSP, only the DU can extract one of each pair of query entries according to the remainder true search token g(tw), where the extracted query entries have one-to-one correspondence to this queried keyword. However, the CSP or any un-authenticated entities cannot judge whether two queries are for the same queried keyword or not, since they cannot find the correspondence between the real query entries and queried keyword on the condition that \(\mathcal {A}\) has no information about the true search token. So \(\text {Pr[Success]} \leqslant \frac {1}{2}\), when the value y = 1. So the probability of the adversary successfully getting keywords privacy by the inside KGA from search pattern for y queried keywords is

$$\text{Pr[Success]}\leqslant \frac{1}{2^{y}}+negl(\lambda) $$

for some negligible function negl(⋅). Hence, the proposed scheme is more secure against the inside KGA from search pattern with the larger y. In conclusion, the CSP or other un-authenticated entities cannot get any keywords privacy by effectively launching the inside KGA from access pattern and search pattern.

Theorem 2

Assume that there is a PPT adversary \(\mathcal {A}\) breaking our CP-ABE game with non-negligible advantage ε , then a simulator \(\mathcal {S}\) can be constructed which can solve a DBDH instance with a non-negligible advantage \(\frac {\varepsilon }{2}\) .


We now demonstrate the chosen plaintext attack (CPA) security of our scheme under the decisional bilinear Diffie-Hellman (DBDH) assumption. Given a DBDH problem [\(g,g^{z_{1}},g^{z_{2}},g^{z_{3}},Z\)], the simulator \(\mathcal {S}\) interacts with adversary \(\mathcal {A}\) as following simulation.


\(\mathcal {A}\) submits the challenge access structures policies \(W^{*}=[W_{1}^{*},W_{2}^{*},{\cdots } W_{i}^{*},\cdots ,W_{n}^{*}]\) to \(\mathcal {S}\).

Setup: \(\mathcal {S}\) runs Setup to generate global parameter GP and master key Msk. That is, \(\mathcal {S}\) sets \(Y_{2}=e(g^{z_{1}},g^{z_{2}})=e(g,g)^{z_{1}z_{2}}\) which implies α = z1z2. For each attribute i, 1 ≤ in, \(\mathcal {S}\) computes \(A_{it}=g^{a_{it}}\) if \(v_{it}\in W_{i}^{*}\) and \(A_{it}=(g^{z_{1}})^{a_{it}}\) otherwise, where \({\left \{{a_{it}\in {Z_{q}}^{*}}\right \}}_{1\leqslant t\leqslant n_{i}}\) are random. Then \(\mathcal {S}\) publishes GP in the real scheme.


\(\mathcal {A}\) submits the attribute list L for a Gen-private-key query. If L does not satisfy W, \(\mathcal {S}\) will return secret key skL. That is, there must be k ∈ {1, 2,⋯ ,n} such that \(L_{k}=v_{kt_{k}}\not \in W_{k}^{*}\). Then for 1 ≤ in, \(\mathcal {S}\) selects randomly \({\alpha ^{\prime }_{ui}}\in Z_{q}^{*}\) and \(a_{it_{i}}^{\prime }\in Z_{q}^{*}\). Next, \(\mathcal {S}\) computes \(D_{0}=g^{\alpha -\alpha _{u}}=g^{z_{1}z_{2}-\alpha _{u}}=(g^{z_{2}})^{-{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}}\). For the computation of D1, \(\mathcal {S}\) carries out the following computations. For i = k, \(\mathcal {S}\) computes \(D_{1k}=g^{\frac {\alpha _{uk}}{a_{kt_{k}}}}=g^{\frac {z_{1}z_{2}+z_{2}\cdot \alpha ^{\prime }_{uk}}{z_{2}\cdot a_{kt_{k}}^{\prime }}}=(g^{z_{1}})^{\frac {1}{a_{kt_{k}}^{\prime }}}\cdot g^{\frac {\alpha ^{\prime }_{uk}}{a_{kt_{k}}^{\prime }}}\) and for ik, \(D_{1i}=g^{\frac {\alpha _{ui}}{a_{it_{i}}}}=(g^{z_{2}})^{\frac {\alpha ^{\prime }_{ui}}{a_{it_{i}}^{\prime }}}\). It is noted that, from the construction of D0, D1, \(\alpha _{uk}=z_{1}z_{2}+z_{2}\cdot {\alpha ^{\prime }_{uk}}\), \(a_{kt_{k}}=z_{2}\cdot a_{kt_{k}}^{\prime }(i=k)\), and \(\alpha _{ui}=\alpha ^{\prime }_{ui}\cdot z_{2}\), \(a_{it_{i}}=a_{it_{i}}^{\prime }\) (ik) and so \(\alpha _{u}={\sum }_{i = 1,i\neq k}^{n} \alpha _{ui}+\alpha _{uk}=z_{1}z_{2}+{\sum }_{i = 1}^{n} \alpha ^{\prime }_{ui}\cdot z_{2}\).


\(\mathcal {A}\) submits two equal length challenge values k0, k1 to \(\mathcal {S}\). \(\mathcal {S}\) chooses a value μ, μ ∈ {0, 1} and sets \(C_{0}=k_{\mu }\cdot Z, C_{1}=g^{z_{3}}\) which implies sμ = z3, and computes the corresponding ciphertext \(\left \{{C_{i,2,t}}\right \}_{{1\leqslant i\leqslant n,1\leqslant t \leqslant n_{i}}}\) for W as follows: if \(v_{it}\in W_{i}^{*}\), \(C_{i,2,t}=(A_{it})^{z_{3}}=(g^{z_{3}})^{a_{it}}\) (well-formed); if \(v_{it}\not \in W_{i}^{*}\), Ci,2,t are random (mal-formed). Finally, these challenge ciphertexts are sent to \(\mathcal {A}\).


Phase1 is repeated under the premise that the adversary cannot submit such L which L does satisfy W.


After the PPT queries in phase 1 and 2, \(\mathcal {A}\) is asked to output a guess μ of μ. If μ = μ, \(\mathcal {S}\) outputs 1 and returns 0 otherwise. If \(Z=e(g,g)^{z_{1}z_{2}z_{3}}\), then challenge ciphertexts are valid, and the advantage of \(\mathcal {A}\) is ε, i.e., the advantage in winning game is \(\left | \text {Pr}[\mathcal {S}\rightarrow 1]|\textit {Z}=\textit {e}(\textit {g},\textit {g})^{\textit {z}_{1}\textit {z}_{2}\textit {z}_{3}}\right |=\left |\text {Pr}[\mu ^{\prime }=\mu ]|\textit {Z}=\textit {e}(\textit {g},\textit {g})^{\textit {z}_{1}\textit {z}_{2}\textit {z}_{3}}\right |=\frac {1}{2}+\varepsilon \). If Z is random, then the challenge ciphertexts are random from the view of \(\mathcal {A}\), and the advantage of \(\mathcal {A}\) is \(\left |\text {Pr}[\mathcal {S}\rightarrow 1]|\textit {Z}\right |=\frac {1}{2}\).

Hence, we can get the conclusion that the simulator \(\mathcal {S}\) has the advantage \(\frac {\varepsilon }{2}\) to solve a given DBDH instance based on the following inference.

$$\begin{array}{@{}rcl@{}} \varepsilon^{\prime}=\left\lvert \text{Pr}[\mu^{\prime}=\mu]-\frac{1}{2}\right\rvert&=&\left\lvert \text{Pr}[\mu^{\prime}=\mu|\mu= 1]\cdot \text{Pr}[\mu= 1]+\text{Pr}[\mu^{\prime}=\mu|\mu= 0]\vphantom{\frac{1}{2}}\right.\\ &&\left.\cdot\text{Pr}[\mu= 0]-\frac{1}{2}\right\rvert=(\varepsilon+\frac{1}{2})\cdot\frac{1}{2}+\frac{1}{2}\cdot\frac{1}{2}-\frac{1}{2}=\frac{\varepsilon}{2} \end{array} $$

Rights and permissions

Reprints and Permissions

About this article

Verify currency and authenticity via CrossMark

Cite this article

Cao, Q., Li, Y., Wu, Z. et al. Privacy-preserving conjunctive keyword search on encrypted data with enhanced fine-grained access control. World Wide Web (2019). https://doi.org/10.1007/s11280-019-00671-3

Download citation


  • Access control
  • Access pattern
  • Keyword guessing attack
  • Privacy-preserving
  • Searchable encryption
  • Search pattern