R-OO-KASE: Revocable Online/Offline Key Aggregate Searchable Encryption

The existing Key Aggregate Searchable Encryption (KASE) schemes allow searches on the encrypted dataset using a single query trapdoor, with a feature to delegate the search rights of multiple files using a constant size key. However, the operations required to generate the ciphertext and decrypt it in these schemes incur higher computational costs, due to the computationally expensive pairing operations in encryption/decryption. This makes the use of such schemes in resource-constrained devices, such as Radio Frequency Identification Devices, Wireless Sensor Network nodes, Internet of Things nodes, infeasible. Motivated with the goal to reduce the computational cost, in this paper, we propose a Revocable Online/Offline KASE (R-OO-KASE) scheme, based on the idea of splitting the encryption/decryption operations into two distinct phases: online and offline. The offline phase computes the majority of costly operations when the device is on an electrical power source. The online phase generates final output with the minimal computational cost when the message (or ciphertext) and keywords become known. In addition, the proposed scheme R-OO-KASE also offers multi-keyword search capability and allows the data owners to revoke the delegated rights at any point in time, the two features are not supported in the existing schemes. The security analysis and empirical evaluations show that the proposed scheme is efficient to use in resource-constrained devices and provably secure as compared to the existing KASE schemes.


Introduction
Cloud computing services are often resorted to, with an aim to reduce the overhead of data management and data processing at the user side. However, when the data are outsourced and stored on a remote cloud, it is often desired to encrypt the same in order to protect the data from unauthorized access. One of the issues associated with encryption is that the accessibility and usability of encrypted data are definitely lowered since the latter would require the decryption of data before being put to use. There are two distinct threads of research pursued in the literature with respect to addressing this issue of improving the usability of the encrypted data viz. (1) carrying out arbitrary computations on the encrypted data using homomorphic encryption [8] or (2) devising operation by which the encrypted data can, at least, be searched for the desired keyword value, to be present or not. Our focus in this paper is on the latter, i.e., on Searchable Encryption (SE) [28]. The SE schemes, typically consist of three distinct entities with distinct roles as shown in Fig. 1. An SE cryptosystem allows a server to search given query keyword(s) on encrypted data on behalf of the user without learning information about the plaintext data.
However, secure sharing of the search rights for the selected dataset is not an easy task for the data owner, since it is often desired to encrypt different document sets using different encryption keys, for confidentiality and privacy considerations. Therefore, the sharing of search rights of the dataset using the existing SE methods [2,5,9,[28][29][30] require efficient management and distribution of more than one key. Specifically, to delegate the search and access rights 1 3 over set S of files encrypted under different keys, a data owner is required to share |S| number of keys. This solution is not practically deployable for two major reasons. Firstly, the number of secret keys grows linearly with the number of files, and it incurs storage as well as communication overhead of O(|S|) . Therefore, a data owner is required to store, manage and distribute a large number of keys, proportional to the number of shared files. In addition, an authorized user is required to generate and submit multiple trapdoors in order to search through all of the shared data. Secondly, if a key assigned to a user needs to be revoked later, then the data owner is required to re-encrypt the corresponding subset of data and distribute a new set of keys to the authorized users. This makes the scheme inefficient and difficult to scale.
The most efficient proposition pertaining to our problem statement, to the best of our knowledge, is made in [4]. Key-Aggregate Searchable Encryption (KASE) [4] combines the searchable encryption scheme with group data sharing. KASE [4] is proposed to reduce the number of keys required to be shared for the delegation of search rights over the set of data. KASE inherits the property of Key Aggregate Encryption (KAE) [3], i.e., to delegate search rights on dataset S, the data owner requires to share a single aggregate key with a user. In addition, a user is required to submit a single aggregate trapdoor (instead of a group of trapdoors) to the cloud server for searching a keyword over |S| number of shared files. Despite the advantage of the secure delegation of search rights using a key of constant size, the existing KASE schemes [4, 13, 18-24, 31, 32, 34, 35] still face issues when deploying them into real-time scenarios, as we discuss further, here.

Motivation
In a practical data sharing system based on cloud storage, the user can upload or retrieve the data from a different possible devices such as Personal Computer (PC), mobile device, sensor nodes (especially in the Internet of Things (IoT) applications) [4]. The constant size of the aggregate key makes the KASE scheme more suitable for devices having limited storage resources, such as smart cards, IoT sensors. However, the existing KASE schemes [4,13,[18][19][20][21]31] use two pairing operations to generate a keyword ciphertext for each keyword to be attached with the document. Similarly, for decryption of ciphertext pairing operations are required. The authors of [25] show that for different security levels (i.e., for 80 bits, 112 bits and 128 bits) and prime order groups, the pairing operation (on random group elements) requires significantly more time and power resource as compared to the group exponentiation (of a random group element with a random exponent) and multiplication operation. Therefore, the limited power resource of sensor nodes in IoT deployment does not support the expensive computational cost of the existing KASE schemes [4,13,[18][19][20][21]31]. The expensive computational cost of encryption and decryption phases make the existing KASE [4,13,[18][19][20][21]31] schemes infeasible to use in power-constrained devices. Therefore, the KASE schemes [22,34,35] propose different solutions to generate keyword ciphertext without using expensive pairing operations and make the schemes practical for the Steps: (1) The data owner uploads a ciphertext (i.e., encrypted message + related keywords list) onto the storage server. (2) The data owner shares a searchable secret key with the user. (3) The data user constructs a searchable trapdoor using a secret key. The data user sends a trapdoor to the server. (4) The search server applies a trapdoor on the ciphertext. The server returns the search results to the query requesting user In addition, the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34] do not support revocation of delegated rights. The revocation refers to the process of taking away the delegated privileges. As the access of users in the system changes dynamically, and it requires KASE to support user revocation securely while not affecting the legitimate users' access to the shared files. If the receiver of delegated rights leaves the system, or if the data is used differently than the data owner agreed, the delegated rights need to be revoked by the data owner. Therefore, Zhou et al. [35] propose the solution for revocable KASE. However, the KASE scheme proposed in [35] requires the data owner to generate and distribute the new set of keys to the non-revoked users in each time period. Specifically, the data owner maintains a list of authorized users. The authorized users registered in the data owner's list can receive a new pair of authorized keys from the data owner. Therefore, it consumes more overhead at the data owner side to generate as well as distribute keys periodically to each authorized user of the system. This paper also aims to design revocable KASE scheme which will be efficient for resource-limited environment.
There are different revocation schemes proposed in the literature viz. strong and weak revocations, cascading and non-cascading revocations, rule-based, role-based and userbased revocations, direct and indirect revocations (for further details see [33]). However, in the previous revocation schemes, if the shared documents are modified or if the delegated rights for the shared documents needs to be revoked, the data owner is required to outsource the list of revoked users (or the list of revocation rule or revocation policy) and the corresponding revoked document id (docID) set. However, the idea of uploading the revocation list in the plain form on the cloud server can trigger security threats (one can change docID or revoked user's identity in the list). We cannot ignore the user's privacy and security of the revocation list in the public cloud storage system. Furthermore, the existing KASE schemes only support a single keyword search. To perform a conjunctive keyword search using the existing KASE schemes [4, 13, 18-22, 31, 32, 34, 35], the user requires to submit different trapdoors for each individual keyword to the server. The server performs a search for each of the keywords separately and returns the intersection of all the results. This approach leaks information about which documents contain each individual keyword and may allow the server to learn information about the documents and it's related keywords. Specifically, for searching a set of keywords �� ⃗ Q = {Q 1 , … , Q p } over shared dataset, the existing KASE schemes [4, 13, 18-22, 31, 32, 34, 35] require | �� ⃗ Q| = p number of trapdoors. This results in a communication cost of O(| �� ⃗ Q|) and a computational cost of O(| �� ⃗ Q|) at both the cloud server and user (query generator) sides. Therefore, to improve the system usability, query expressiveness and system performance (in terms of accuracy, communication and computational cost), KASE must support multiple keywords search using a single query trapdoor.
The issues in the existing KASE schemes makes it nontrivial to design a KASE scheme that meets the following requirements viz. : revocation of delegated rights, multikeyword search using a single trapdoor and minimal online computational overhead with minimal energy usage at both the data owner and the users' sides simultaneously.

Our Contributions
The contributions of this paper are summarized as follows: • Energy Efficient KASE Utilizing the notion of KASE, we design a KASE scheme that is suitable for resource-constrained devices, as we split costly operations of encryption and decryption into two phases: online and offline. In the offline phase, the user performs expensive pairing and exponentiation operations required in the encryption/ decryption. In the online phase, i.e., when the device is moving on (not connected to power source), the user can generate the final output with the minimal computational cost. Additionally, instead of using expensive pairing operation, we use exponentiation operation to generate the keyword ciphertext. • Multi-Keyword Search We enhance the existing KASE schemes and improve their query expressiveness by supporting multi-keyword searches over the shared dataset using a trapdoor of constant size. • Revocation With the proposed scheme, we offer the revocation of delegated rights, without affecting other users in the system. The user is not allowed to search the encrypted data by the old trapdoor computed from the old secret key if his search privileges are revoked. The proposed scheme supports fine-grained revocation of the 1 3 delegated rights on document level, instead of coarsegrained all-or-nothing access. • Improve Query Performance The proposed KASE scheme allows searching over the shared dataset S using a single trapdoor Tr that a query requester submits to the cloud server. The existing KASE schemes [4, 13, 18-21, 31, 32, 34, 35] require |S| number of trapdoors to search over shared dataset S, as the existing KASE schemes generate Tr l for each l ∈ S using the given trapdoor Tr.
Here, Tr l is the adjusted trapdoor that is used to search over document doc l in the KASE schemes [4, 13, 18-21, 31, 32, 34, 35]. (Detailed comparison of performance analysis is done in Sect. 7) • Efficiency In the proposed R-OO-KASE scheme, the size of the aggregate key is constant, i.e., it consists of single-group elements irrespective of the number of shared documents. Similarly, the query trapdoor and keyword ciphertext are also of constant size irrespective of the number of keywords.
To the best of our knowledge, ours is the first scheme which offers all the above-mentioned features all together.

Outline of the Paper
The rest of the paper is organized as follows: First, we review some background knowledge and related work in Sect. 2. The preliminaries are given in Sect. 3. The problem statement and overview of the proposed scheme, framework, the system model and the security model are defined in Sect. 4. We give a concrete construction of the proposed R-OO-KASE scheme in Sect. 5. The security analysis of the R-OO-KASE scheme is discussed in Sect. 6. The theoretical and empirical analysis is made in Sects. 7 and 8, respectively. Conclusion and future extensions are provided in Sect. 9. References are at the end.

Related Work
Key Aggregate Encryption (KAE) [3], derives its roots from the seminal work on broadcast encryption by Boneh et.al. [1]. KAE may essentially be considered as a dual notion of broadcast encryption [1]. In broadcast encryption, a single ciphertext is broadcast among multiple users, each of whom may decrypt the same using their own individual private keys. In KAE, a single aggregate key is distributed among multiple users in order to delegate access rights on the dataset. For broadcast encryption, the focus is on having shorter ciphertexts and low overhead individual decryption keys, while in KAE, the focus is on having short ciphertexts and low overhead aggregate keys.
In KAE, ciphertexts are associated with an index i, given by data owner at the time of encryption. Therefore, if data owner wants to delegate access rights of set S (set of ciphertexts' indices) of ciphertexts, then he can generate a single key k agg of constant size by aggregating secret keys of all the ciphertexts in the set S. The user can decrypt any ciphertext using a single aggregate key if the index of ciphertext is within set S.
Further, to retrieve selected data from outsourced dataset and simultaneously delegate the search rights of selected dataset using a single aggregate key, the first solution for KASE is proposed in [4]. In a KASE scheme, the data owner requires sharing a single aggregate key to a user for delegating search rights over a set of documents and the user requires submitting a single trapdoor for searching over the shared dataset.
The CLW16 scheme proposed in [4] is the first solution for KASE. However, the formal security proof against keyword guessing attack (to prove trapdoor privacy) and chosen keyword attack (to prove keyword ciphertext privacy) are not given for the CLW16 scheme. Moreover, the CLW16 scheme is insecure against cross-pairing attack and do not provide trapdoor privacy, as discussed in [14]. Zhou et al. in [34] show the attack on CLW16 scheme, in which the attacker can guess the authorized user's key with the help of insider adversary. Further, the CLW16 scheme is not scalable because the system parameters in the Cui's scheme [4] are strictly bounded by the value of n (number of documents belong to the data owner). Specifically, if the data owner generates ciphertexts beyond predefined limit n, he must request additional key pairs in such case. If the data owner wants to delegate the search rights of ciphertexts { C 1 , C n , C n+1 }, then he is required to share two different aggregate keys, i.e., k agg1 for { C 1 , C n } and k agg2 for C n+1 . Therefore, the predefined bound on the maximum number of possible ciphertext classes at the time of system setup makes the CLW16 scheme impractical for real-time use. In the CLW16 scheme, when a user submits aggregate trapdoor Tr to the cloud server to carry out searching over a set S of files, the server first requires to run Adjust algorithm. The adjust algorithm generates trapdoor Tr l for each index l ∈ S using submitted trapdoor Tr before searching. Here, Tr l is the actual trapdoor that is used to search over document doc l . This trapdoor transformation adds additional computational cost at server side before searching over dataset S. The CLW16 scheme does not support searching over multiowner data using a single key of constant size. Formally, in a multi-owner setting, a user can have multiple aggregate keys {k agg 1 , … , k agg } received from different data owners. Therefore, to search across multi-owner dataset, the CLW16 scheme requires user to submit {Tr 1 , … , Tr } different trapdoors to the cloud server. This results in a system with O( ) communication overhead on the user side and O( ) storage as well as computational overhead on the server side.
The TZPCZJ16 scheme proposed in [19] provides the solution to search over multi-owners' data using a single trapdoor and also allows verification of search result using an aggregate key. However, TZPCZJ16 scheme requires the auxiliary values having size in linear with the number of data owners while searching over multi-owner data. Further, the formal security proof against keyword guessing attack and chosen keyword attack are not given for the TZPCZJ16 scheme. The TZPCZJ16 scheme follows the same construction as the CLW16 scheme. Therefore, the cross-pairing attack is possible on the TZPCZJ16 scheme as well.
The TZCZJ18 scheme proposed in [18] also provides the solution to search over multi-owners' data using a single trapdoor. However, TZCZJ18 scheme requires the auxiliary values having size in linear with the number of data owners while searching over multi-owner data. Further, the TZCZJ18 scheme is not scalable and requires trapdoor transformation at server side before searching on requested dataset. Additionally, if the data owner wants to attach a set of keywords ������ ⃗ KW = {KW 1 , … KW q } with a document doc l , then the computational cost of the encryption algorithm in the existing KASE [4,18,19] schemes increase linearly with the number of keywords attached with the ciphertext. Formally, to attach a set of keywords ������ ⃗ KW with a document doc l , the storage overhead of resultant ciphertext . The user has to store | ������ ⃗ KW| number of keyword ciphertexts to the cloud server [36]. The expensive pairing operations used to generate a keyword ciphertext in the existing KASE [4,18,19] schemes drain more energy and makes the schemes infeasible to use in power-constrained devices.
The ZZDWYG18 scheme proposed in [34] consider Industrial IoT (IIoT) application and propose KASE scheme in the file-centric framework for the IIoT application. The sensors in IIoT deployment usually have extremely limited hardware resource and do not support computation cost of pairing operations. Therefore, Zhou et al. [34] propose KASE scheme without using pairing computation operations in the encryption phase. However, the KASE scheme proposed in [34] suffers from low performance. In this scheme, each user's public key has 3n + 1 elements and secret has n + 3 elements. Here, n is the maximum number of documents held by a data owner.
The ZZWYL18 scheme proposed in [35] provides solution for fine-grained right revocation at document level in IoT environment. The ZZWYL18 scheme prove the keyword confidentiality, query privacy and forward secrecy. The ZZWYL18 scheme generates keyword ciphertext without using expensive pairing operations and makes the scheme practical for resource limited environment.
The PJ18 scheme proposed in [22] supports search over multi-owners' data using a single trapdoor of constant size. The PJ18 scheme also overcomes security issues of the existing KASE schemes [4,18,19] and prove the security against cross-pairing attack. Furthermore, the PJ18 scheme is scalable in such a way that the value n is kept variable and an aggregate key is independent of the value of n. The PJ18 scheme allows searching over the shared dataset S using a single trapdoor Tr that a query requester submits to the cloud server. The scheme does not use Adjust algorithm for trapdoor transformation at the server side. The PJ18 scheme generates keyword ciphertext without using expensive pairing operations and makes the scheme practical for resource limited environment. The PJ18 scheme also discuss the scenario of federated cloud and shows how to use their scheme for delegation of search rights if data are stored on the federated cloud.
The ZY18 scheme proposed in [21] provides solution for verification of search result using an aggregate key and user authentication. The cloud server can verify the legality of data user by authenticating whether data user's identity is contained in the authorized users' identity set. However, the solution proposed in [21] is not secure against impersonation attack. The ZY18 scheme does not give any formal proof to prove the security of the scheme. The ZY18 scheme is not scalable as the system parameters are bounded by the value of n. Further, the usage of Adjust algorithm in the ZY18 scheme increases server search time because of trapdoor transformation process. The ZY18 scheme uses two pairing operations to generate a keyword ciphertext for each keyword to be attached with the document, which makes the scheme impractical to be used in resource constraint environment.
The ZTPCJ18 scheme proposed in [20] provides verification of search result using an aggregate key and also allows search over multi-owner data using a single trapdoor of constant size. However, the ZTPCJ18 is suffering from same limitation as TZPCZJ16 scheme. The ZTPCJ18 scheme requires the auxiliary values having size in linear with the number of data owners while searching over multi-owner data. Further, the formal security proof against keyword guessing attack and chosen keyword attack are not given for the ZTPCJ18 scheme.
Yao et al. propose the first lattice-based KASE scheme in [32]. The lattice-based KASE [32] scheme provides security against quantum computing attacks and potential efficiency. Padhya et al. [23] propose a revocable KASE scheme with Break-The-Glass access control. The KASE [23] scheme provides a mechanism that can handle emergency situations where no authorized user exists to perform (or to delegate) a time-critical task. The KASE scheme proposed in [24] supports the conjunctive range and sort query on the encrypted dataset and enhances the query expressiveness of the existing KASE [4, 13, 18-22, 32, 34, 35] schemes. As compared to the previous solutions, the KASE [24] scheme supports multi-dimensional, multi-keyword searches on the encrypted dataset using a single trapdoor. Wang et al. propose the verifiable KASE scheme in [31].
To the best of our knowledge, none of the existing KASE schemes is practically applicable for resource-constrained environment.

Preliminaries
In this section, we review some basic assumptions and cryptology concepts that we use throughout the paper.

Bilinear Map
A pairing is a bilinear map defined over elliptic curve subgroups. Let G 1 and G 2 be two multiplicative cyclic elliptic curve subgroups of the same prime order p. Let G T be a multiplicative group, also of order p with identity element 1. A mapping e : G 1 × G 2 → G T is said to be a bilinear map if it satisfies the following properties: Non-degeneracy if P and Q be the generators for G 1 and G 2 respectively, then e(P, Q) ≠ 1.

Computational Assumption
Definition 1 DDH assumption The DDH problem in group G of prime order p (according to the security parameter) is a problem for input of a tuple ( g, g a , g b , g c , R ) where, a, b, c ∈ Z p be chosen at random and g be a generator of G, then to decide whether R= g abc or not. An algorithm A has advantage in solving DDH prob- We say that the DDH assumption holds in G if no Probabilistic Polynomial Time (PPT) algorithm has an advantage of at least in solving the DDH problem in G.

Notations
The list of notations used throughout the paper is given in Table 1.

System Architecture and Security Model
In this section, we begin by discussing the overview of the proposed scheme. Then, we define the system model of the proposed R-OO-KASE scheme. We formally define the framework of the proposed scheme. Finally, we outline the game-based framework for formally proving the security of the proposed scheme.

Problem Statement and Overview
For reducing the computation burden at both data owners and users' side, several techniques for outsourcing computation of encryption and decryption operations are proposed in [10,[15][16][17]37]. However, for outsourcing computations, the required communication cost is high, especially The set of revoked users' identities for lth document U QR Identity of query requester Multiplicative notation for resource-limited devices. Therefore, this paper aims to design a secure and efficient KASE scheme that allows the user to perform encryption and decryption operations on power-constrained devices.
In this paper, we propose a KASE scheme to reduce the computational overhead at both the data owners and users' side, by splitting the encryption and decryption operations into two phases: online and offline, as shown in Fig. 2. The proposed scheme allows ciphertext preparation work done offline. Formally, in the proposed scheme, the resource-limited devices perform the expensive pairing and exponentiation operations in offline mode (when devices are on electrical power source), whereas performing the multiplication operations in online mode (when devices are deployed at real-time applications). In the proposed system, the offline phase will generate the intermediate ciphertext for each keyword in the system using the only public key. When the encryption algorithm later needs to encrypt a set ������ ⃗ KW of keywords, it selects keyword ciphertext for each KW i ∈ ������ ⃗ KW from the precomputed intermediate ciphertext and aggregates it to generate a keyword ciphertext C ���⃗ KW . The keyword ciphertext in the proposed scheme is having a constant size. The online encryption requires one multiplication in Z p for each keyword to be attached with the ciphertext instead of costly pairing operations. We remark that the work done in the offline phase is roughly equivalent to the work of the regular encryption algorithm in the existing KASE schemes [4, 18-22, 34, 35]. Moreover, in the proposed KASE scheme, the communication cost of ciphertext is constant and independent of number of keywords attached with the ciphertext. The constant communication cost of the ciphertext makes the proposed R-OO-KASE scheme practically applicable in the resource-constrained environment, with the battery as the only source of power. In a similar way, we reduce the computation overhead at the user side by precomputing the aggregate key with other user(s). (5) Using an aggregate key, the data user can precompute the parameters that are required to decrypt the ciphertexts within a range of the shared dataset. (6) To search over the shared dataset, the data user generates a query trapdoor using an aggregate key and a set of query keywords. The data user sends the query trapdoor to the search server. (7) The server performs a search over stored encrypted data using a given query trapdoor. The server returns search results to the query requester. The user retrieves matching documents that are satisfying given the search query from the storage server. (8) In the online phase, the data user decrypts the ciphertexts using an aggregate key and precomputed parameters (which are generated in the offline phase) parameters required for decryption in the offline phase and keeping the online computation task very less. In the proposed R-OO-KASE scheme, the online phase of the decryption requires three pairing operations to be done.
Another potential advantage of splitting work this way is that in some applications, the online and offline work can be performed on different devices. Hence, one might perform the offline tasks for several encryptions on a high-end server and store these intermediate ciphertexts on a sensor device such that the resource-constrained device is not required to perform full encryption.
The proposed scheme also allows the data owner to revoke delegated rights of selected users within set U l over lth document, without affecting the users' rights over the rest of the shared documents. The data owner generates the revocation list RL l for lth document using his master-secret key msk and set of revoked users' identities U l . The cloud server checks the user's authorization each time when he receives search and data access requests for any stored document. If the identity of the query requester U QR matches with the revocation list RL l , then the failure state is returned to the user, otherwise, the cloud server performs the search process over lth document. Furthermore, the proposed scheme supports fine-grained revocation of the delegated rights on document level, instead of coarse-grained all-or-nothing access. Additionally, the data owner generates a revocation list using the master-secret key, and there is a very negligible probability that an adversary can get the master-secret key of the data-owner. Thus, any malicious user without having the master-secret key cannot modify or generate a new revocation list. The revocation in the proposed scheme does not affect the non-revoked users, as they do not require to update their corresponding delegated keys, which greatly reduces the expensive cost of key updates and the overhead of key delegate authority. The proposed scheme also preserves user privacy along with the revocation of delegated rights.

Assumptions
The keyword space contains m different keywords, i.e., KS = {w 1 , w 2 , … , w m } . Each keyword w i contains N i possible values and w i,j represents the jth value of keyword w i . However, the number of keywords are not bounded, one can add new keywords after system initialization. Let we assume that there are total X users in the system and U = {U 1 , … , U X } is a set of all users' identities. Therefore, each cloud user can be uniquely identified by his assigned identity U id ∈ U . Additionally, U l ⊂ U represents the set of revoked users' identities for lth document, where U l i ∈ U l represents an identity of user whose delegated rights needs to be revoked over lth document. The revocation list U l may be empty, which means there is no user whose delegated rights needs to be revoked over lth document.

System Model
The proposed R-OO-KASE scheme mainly consists of four parties: (i) the trusted authority, (ii) the cloud server, (iii) the data owner and (iv) the users (Fig. 3).
The interactions among involved parties in the proposed R-OO-KASE scheme are as follows: (1) The data owner who wants to outsource his data { doc 1 , … , doc n } on the cloud server and share multiple files with others through the cloud server, first performs Setup() to initialize the system parameters.
At the time of system initialization, the trusted authority assigns every cloud user a unique identity U id ∈ U . The data owner executes KeyGen() to generate a public-master secret key pair (pk, msk). The public key pk is used for encrypting keywords and message. The master-secret key msk for delegation of search rights is kept private by the owner. (2) In the offline phase (when the resource-limited device is connected to the power source), the data owner executes Offline_Encrypt() algorithm using a public key and generates intermediate ciphertexts {IC l } l∈ [1,n] , without knowing the message and keyword(s) to be encrypted. The intermediate ciphertext (4) The data owner is capable to grant search and access rights of the selected set S of documents to other user(s) by sharing an aggregate key of constant size. The aggregate key k agg is the single secret key using which an authorized user can retrieve and access all the shared documents. As k agg is having a constant size, it is easy for the data owner to share an aggregate key with other user through a secure communication channel and with small communication costs. (5) The data owner can revoke delegated rights of selected users within set U l ⊂ U over lth document by generating encrypted revocation list RL l . The data owner uploads the revocation list on the cloud server. If and only if the privileges of the query requester have not been revoked, he can search and access the ciphertext C l from the cloud server to obtain plaintext. (6) An authorized user can search over shared dataset S within scope of an aggregate key k agg using a single trapdoor Tr. The user can generate a query trapdoor Tr using the shared aggregate key k agg and set of query keyword(s) �� ⃗ Q . A query trapdoor Tr represents search query within set �� ⃗ Q to the server. The user submits the trapdoor Tr to the cloud server. (7) The cloud server provides massive storage and computation resources to the users. At the time of receiving data access or search request for any document l stored on the cloud server, the server checks the user's authorization using a revocation list RL l . If the identity of the query requester U QR matches with the revocation list RL l , then the failure state is returned to the user, otherwise, the cloud server performs the search process over lth document. With the failure state, the user will not be able to proceed further and search (or access) the document l. If a user U l i ∈ U l was previously authorized to access documents within set S using an aggregate key k agg , now, he cannot further access document l ∈ S , due to the published revocation list. However, the user can search over other shared documents within set S − {l}. (8) The cloud server performs the keyword search on behalf of the user, using the submitted trapdoor Tr and returns the search results to the user. The search result contains a true or false value for each document l ∈ S , indicating whether a document contains keywords within the query set �� ⃗ Q or not. Then, the query requester only requires to download matching documents that are satisfying search query, instead of downloading all the shared documents. (9) In the offline mode, the resource-constrained device used by the data user executes Offline_ Decr ypt() and generates the parameters pub = ({pub 1_l , pub 2_l } l∈S , pub 3 , pub 4 ) , that are used to decrypt the ciphertexts within set S. (10) An authorized user runs Online_Decrypt() algorithm to decrypt the ciphertext, using an aggregate key k agg and parameters pub generated by Offline_Decrypt().

The R-OO-KASE Framework
The proposed R-OO-KASE scheme is an ensemble of randomized polynomial-time algorithms, as discussed in this section. The data owner first sets up an account on the cloud server and establishes the public system parameters via Setup(). At the time of registering in the system, the Trusted Authority (TA) assigns a unique identity to the user. TA manages users in the system, and it is fully trusted by entities in the system. The data owner generates a public/mastersecret key pair via KeyGen(). Messages can be encrypted via Offline_Encrypt() and Online_Encrypt() algorithms by anyone who has the public key of the data owner. To delegate the search and access rights to a specific subset of data, the data owner uses the master-secret key and generates a constant size aggregate key via Extract(). The generated key can be passed to the delegatees securely (via secure e-mails or secure devices). The data owner can take away the delegated privileges via the Revocation() algorithm. Finally, any user with an aggregate key can search over the shared dataset by generating a query trapdoor via Trapdoor-Gen(). On receiving a query trapdoor from the user, the cloud server runs the Test() algorithm to retrieve matching documents and sends it further to the query requester. The user can decrypt the ciphertext and access the plaintext via Offline_Decrypt() and Online_Decrypt() algorithms, provided the ciphertext is within the scope of an aggregate key. We now describe each of the algorithms involved in R-OO-KASE: • SP ←Setup(1 , n ): Takes as input the security parameter and n the number of documents held by a data owner. Outputs the public system parameters SP, which are omitted from the input of the other algorithms for brevity. • (pk, msk) ←KeyGen(): Outputs a public and mastersecret key pair (pk, msk) for a data owner registering in the system. • {IC l } l∈ [1,n] ←Offline_Encrypt(pk): Takes as input the public key pk and outputs the intermediate ciphertext [1,n] . • C l ←Online_Encrypt(pk, IC l , l, M, ������ ⃗ KW ): Takes as input the public key pk, lth intermediate ciphertext IC l , document index l, message M, and a set of related keyword(s) ������ ⃗ KW . Outputs the corresponding ciphertext word-ciphertext and C l M data ciphertext. Then, the data owner stores the ciphertext C l on the cloud server. • k agg ←Extract(msk, S): Takes as input the master-secret key msk of the data owner and subset of data classes S ⊆ {1, 2, … , n} . Outputs the aggregate key k agg which aggregates the search and access rights of all encrypted messages within set S. • RL l ←Revocation(U l , msk, l ): Takes as input the set of users' identities U l whose delegated rights needs to be revoked over lth document and, master-secret key msk of the data owner. Outputs the revocation list RL l = ( RL l 1 , RL l 2 ).
• Tr ←TrapdoorGen(k agg , �� ⃗ Q ): Takes as input an aggregate key k agg and a set of query keywords �� ⃗ Q . Outputs a single trapdoor Tr. This algorithm is run by the user who holds an aggregate key k agg for document set S and wants to perform search over documents within set S. Then, the user should submit Tr and S to the server. • R ←Test(Tr, S, l, U QR ): Takes as input a query trapdoor Tr, a set of shared documents' indices S, document index l, and identity of the query requester U QR ∈ U . The Test algorithm outputs true (1) or false (0) to denote whether the document doc l contains the set of keywords �� ⃗ Q . If U QR is not the revoked user and l ∈ S, Test algorithm returns the search result R ∈ {0,1} by following the rules shown below: Otherwise, the algorithm returns NULL. Let Here, p is the number of keywords in the search query and q is the number of keywords attached with the ciphertext.
Test(Tr, S, l, _Decrypt(k agg , S ): Takes as input the aggregate key k agg corresponding to the set S and generates the parameters pub = ({pub 1_l , pub 2_l } l∈S , pub 3 , pub 4 ) . The parameters pub are further used in Online_Decrypt() to decrypt {C l } l∈S . For efficiency consideration, the parameters pub for the set S is computed only once. • M ← _Decrypt(k agg , S, l, C l , pub ): Takes as input the ciphertext C l , ciphertext index l, the aggregate key k agg corresponding to the set S, and parameters pub generated from Offline_Decrypt(). The algorithm outputs the decrypted result M iff l ∈ S.

Security and Functional Goals
The proposed KASE scheme aims to achieve the following security and functional goals: The compactness of the scheme is to ensure that the size of the aggregate key should be independent of the number of documents in the scope of the key. Similarly, the size of the query trapdoor should be independent of the number of keywords in the query set. For the correctness, the proposed scheme should get correct result, whether ciphertext C l of any message M with an index l contain keyword(s) �� ⃗ Q or not, when giving trapdoor Tr which represents query for keyword(s) within set �� ⃗ Q . The privacy of the scheme ensures that the cloud server or any third party should not get any additional information for which they are not authorized. The revocation property of the scheme ensures that if delegated rights of any user are revoked on the document, then he is no longer permitted to search or access the same. The controlled searching ensures that an authorized user or the cloud server cannot perform searches on the documents for which search or access rights are not delegated. Moreover, an authorized user cannot create new aggregate keys for another set of documents from the known one. For the efficiency, the above-mentioned goals of privacy and functionality should be achieved with lower bandwidth, computation and storage overhead. The proposed R-OO-KASE scheme must be secure against the collision resistance attack. In order to get additional information other than each aggregate key individually contains, a collision attack is carried out by combining multiple aggregate keys.

Definition 2 (Compactness)
The proposed R-OO-KASE scheme is compact if for any set of documents |S| = x having indices of x different ciphertexts, then k agg ⟵ Extract(S, msk) outputs a single aggregate key having constant size. Moreover, for any set of query keywords �� ⃗ Q, Tr ⟵ TrapdoorGen(k agg , �� ⃗ Q ) outputs a single trapdoor having constant size.

Definition 3 (Correctness)
The proposed R-OO-KASE scheme is correct if for any document doc l containing set of query keywords �� ⃗ Q, C l ⟵ Online_Encrypt(pk, IC l , l, M, ������ ⃗ KW) a n d Tr ⟵ Tr a p d o o r G e n (k agg , �� ⃗ Q ) , t h e n 1 ⟵ Test(Tr, S, l,

Definition 5 (Revocation)
The proposed R-OO-KASE scheme is revocable if for a set of revoked users' identities U l and document index l, the data owner having master-secret key generates a revocation list RL l ⟵ Revocation(U l , msk, l) and any query requester having user id U QR ∈ U l submits the trapdoor to the cloud server Tr ⟵ TrapdoorGen(k agg , �� ⃗ Q ), then ⟂⟵ Test(Tr, S, l, U QR ).

Security Model
We consider the cloud servers and the data users to be honest but curious, i.e., they follow the given protocols honestly, but try to get some additional information beyond their authorization. However, the capacity of the data user in the system is limited by both the storage space and the computing power. Moreover, communication channels involving the server are assumed to be insecure.
The goals of an adversary considered for the proposed scheme are as follows: • Retrieve the information about the keywords related to the ciphertext. • Gain the information about the query keyword(s) �� ⃗ Q by looking at the search trapdoor Tr. • Retrieve the plaintext or try to search over the ciphertext using a single or combination of aggregate keys such that none of them have rights for it.
To prove the privacy of the proposed R-OO-KASE scheme against defined attacks, we consider two security notions: ciphertext privacy and trapdoor privacy. We introduce the games between an attack algorithm A and a challenger, both of whom are given input of n, the total number of documents.

IND-CKA Model
We need to ensure that Test(Tr, S, l, U QR ) does not reveal any information about keywords ������ ⃗ KW labeled with the ciphertext C l �� ⃗ KW unless trapdoor Tr is available. We define security against an active adversary A who is able to obtain trapdoor Tr for any set of keywords �� ⃗ Q of his choice. Even under such attack the attacker should not be able to distinguish an encryption of a keyword ������� ⃗ KW 0 from an encryption of a keyword ������� ⃗ KW 1 for which he did not obtain the trapdoor. We say that the proposed R-OO-KASE scheme hold the privacy for keyword if no polynomial bounded adversary A has a nonnegligible advantage against the challenger in the following IND-CKA game. The game proceeds as follows: Init Phase The adversary A selects a challenge index i c for which he wishes to be challenged upon.

Setup
The challenger runs Setup(1 , n ) to generate the system parameters and KeyGen() to obtain a public/ master-secret key pair (pk, msk) . It issues public key pk to the adversary A.
Query Phase 1 The adversary A adaptively queries q 1 , … , q n � to following oracles and oracle answers in polynomial time.
• Aggregate key generation oracle O k agg On giving inputs of (msk, S) by the adversary, where msk is master secret key corresponding to pk, oracle returns an aggregate key k agg ← Extract(msk, S). The restriction is that an adversary cannot ask for the aggregate key for challenge index, i.e., if i c ∈ S , then O k agg returns null. The oracle adds aggregate key (k agg , S) in table T k agg . • Offline_Encryption oracle O Off _Encrypt On giving input of pk by the adversary, the oracle generates intermediate ciphertext {IC l } l∈ [1,n] using the Offline_Encrypt(pk) algorithm. • Revocation oracle O RL On giving inputs of ( U l , msk, l ) by the adversary, where msk is master secret key corresponding to pk and document index l ≤ n , then oracle returns a revocation list RL l ←Revocation(U l , msk, l ) to the A. • Trapdoor generation oracle O Tr On giving inputs of ( k agg , �� ⃗ Q ), the challenger checks k agg occurs in The adversary A asks for more queries q n � +1 , … , q n � 2 to oracles and oracle answers in polynomial time. The oracles are identical to that in the query phase 1 except the following: • Trapdoor generation oracle O Tr On giving inputs of ( k agg , �� ⃗ Q ) by the adversary, the challenger answers same as that in phase 1, except the following cases: • The adversary had previously ask for the trapdoor corresponding to a set of keywords ������� ⃗ KW 0 or ������� ⃗ If one of the above condition holds, then challenger returns null.
• Test oracle O test On input of Test(Tr, S, l, U QR ), if i c = l or i c ∈ S , then the challenger returns null. Otherwise, the challenger responds as that in phase 1

Guess
The adversary A outputs its guess

IND-KGA Model
We need to ensure that Tr does not reveal any information about the corresponding query keywords �� ⃗ Q to the attacker who does not possess the authorization key k agg . We define security against an active adversary A who is able to obtain almost all the trapdoor Tr except the two specified set of query keywords ���� ⃗ Q 0 and ���� ⃗ Q 1 . Even under such attack the attacker cannot find the relationship of the challenge trapdoor and the corresponding keyword. We say that the proposed R-OO-KASE scheme hold the security against keyword guessing attack if no polynomial bounded adversary A has a non-negligible advantage against the challenger in the following IND-KGA game. The game proceeds as follows: Init Phase The adversary A selects a challenge index i c for which he wishes to be challenged upon.

Setup
The challenger runs Setup(1 , n ) to generate the system parameters and KeyGen() to obtain a public/ master-secret key pair (pk, msk) . It issues public key pk to the adversary A.
Query Phase 1 The adversary A adaptively queries q 1 , … , q n � to oracles and oracle answers in polynomial time. The oracles are identical to that in the IND-CKA security model except the following: • Online_Encryption oracle O On_Encrypt The attacker A sends the challenger a set of keywords ������ ⃗ KW along with an index l, a message M from the message space, a public key pk. If l ≠ i c , then the challenger runs Online_ Encrypt(pk, IC l , l, M, ������ ⃗ KW ) and returns ciphertext C l to the adversary. • Test oracle O test On giving input of ( Tr, S, l, U QR ), the challenger checks i c ∉ S and l ≠ i c , the oracle returns output of Test(Tr, S, l, U QR ) to the adversary. Otherwise, it returns null.

Challenge Phase
The attacker A sends the challenger two equal length of query keyword ���� ⃗ Q 0 ; ���� ⃗ Q 1 on which it wishes to be challenged along with an index i c , and an aggregate key k c agg corresponding to a set S which includes an index i c . Here, the restriction is that the attacker had not previously asked for the ciphertext corresponding to keyword ���� ⃗ Q 0 ; ���� ⃗ Q 1 to the oracle O On_Encrypt . The challenger chooses randomly from {0,1} and runs TrapdoorGen(k c agg , ���� ⃗ Q ) and returns query trapdoor Tr * to the adversary.

Query Phase 2
The adversary A asks for more queries q n � +1 , … , q n � 2 to oracles and oracle answers in polynomial time. The oracles are identical to that in the query phase 1 except the following: • The adversary A cannot ask for the aggregate key corresponding to a set S which includes an index i c • Ciphertext query on set of keywords ���� ⃗ Q 0 or ���� ⃗ Q 1 under challenge index i c is not allowed

Guess
The adversary A outputs its guess � ∈ {0,1} for and wins the game if = � . The advantage of the adversary in this game is defined as where the probability is taken over the random bits used by the challenger and the adversary.

A,KG
| ≤ is negligible with respect to the security parameter for any polynomial time adversary.

R-OO-KASE : Revocable Online/offline Key Aggregate Multi-Keyword Searchable Encryption over Multi-owners' Data
In this section, we discuss the construction of the proposed scheme. In the following discussion, Z p is a group of large prime order p. Group G and G T are cyclic multiplicative group of prime order p. The other notations used in the forthcoming discussion are already introduced in Sect. 3. The detailed construction of the proposed R-OO-KASE scheme is as follows: A. System Initialization The data owner first sets up an account on the cloud server. At the time of system initialization, TA assigns a unique user identity U id ∈ G to each cloud user. Let we assume that there are total X users in the system and U = {U 1 , … U X } is a set of all users' identities. For each U id ∈ U, where ∈ Z p . If a new user gets registered in the system, a unique user identity U X+1 = g X+1 will be assigned to him and U X+1 will be added to the set U . The data owner establishes the public system parameter via Setup() and generates a public/master-secret key pair via KeyGen().

1.
Setup ( 1 , n ) The data owner runs this algorithm and publishes the system parameters SP = (B, PubK, H). In the following discussion, bilinear map group system B=(p, G, G T , e(., .)) , where p is the order of G and 2 ≤ p ≤ 2 +1 . g is a generator of group G. n is the number of documents D= ( doc 1 , doc 2 , ..., doc n ) that belongs to the data owner. The random secret element ∈ Z p .
in the public parameters PubK. Therefore, an attacker cannot compute the value of e (C l 1 , g n+1 ) to get the value of e (g 1 , g n ) t l . An attacker cannot get any information related to message M.
Algorithm 3 clearly indicates that the Online_ Encrypt() requires only multiplication operations in linear with the number of keywords attached with the ciphertext. C. Sharing Scenario In order to delegate search and access rights on the selected set of documents S to other users, the data owner generates an aggregate key (refer to Extract()). Using an aggregate key an authorized user can retrieve and access all the shared documents.

5.
Extract (msk, S) The data owner runs this algorithm using master-secret key msk = , subset S ⊆ {1, … , n} which contains documents' indices. The algorithm outputs aggregate key k agg by computing: The data owner securely sends k agg and a set S to the user in order to delegate the keyword search rights of ciphertexts in the range of set S. D. Revocation Scenario If the shared documents are modified or if the delegated rights for the shared documents need to be revoked, the data owner can generate revocation list (refer to Revocation()).

6.
Revocation(U l , msk, l ) The proposed scheme allows the data owner to revoke delegated rights of selected users within set U l over lth document, without affecting the users' rights over rest of the shared documents. The data owner generates the revocation list RL l for lth document using his master-secret key msk and set of revoked users' identities U l . The cloud server checks the user's authorization each time when he received a search and data access request for any stored document. If the identity of the query requester U QR matches with the revocation list RL l , then the failure state is returned to the user, otherwise, the cloud server performs the search process over lth document. Suppose, after storing the revocation list RL l on the cloud server, the data owner wants to revoke rights of users within set U ′ l along with the users in set U l . The

2.
KeyGen() The data owner runs this algorithm to generate a key pair (pk, msk) The public key pk is used for encrypting keywords and messages. The master-secret key msk for delegation of search rights is kept private by the owner. B. Storage Scenario The data owner executes offline encryption algorithm (refer to Offline_Encrypt()) using only public key and perform the majority of costly operations before knowing a message and keywords to be encrypted. Further, the online encryption (refer to Online_Encrypt()) is performed once the message and keywords to be encrypted are known.

3.
Offline_Encrypt (pk) The data owner gives public key pk = v = g as input and generates intermediate ciphertext {IC l } l∈ [1,n] using the following offline encryption algorithm.

4.
Online_Encrypt ( pk, IC l , l, M, ������ ⃗ KW ) In the online phase, the data owner selects lth intermediate ciphertext IC l to generate the ciphertext C l for lth document.
The data ciphertext C l M is generated by multiplying message M with the term e (g 1 , g n ) t l . The term g n+1 = g n+1 is missing data owner will generate new revocation list RL ′ l considering revoked users set U l ⋃ U ′ l . The data owner will upload a new revocation list RL ′ l to the cloud server. On receiving new revocation list for lth document from the data owner, the cloud server will store a new revocation list RL ′ l and discard the old one RL l .

E. Search Scenario
The user who holds an aggregate key k agg for dataset S and wants to retrieve documents having a set of keywords �� ⃗ Q from the shared dataset, generates the trapdoor Tr for query keywords (refer to TrapdoorGen()). Then, the user submits the trapdoor Tr and S to the server. The cloud server performs the keyword search on behalf of the user, using the submitted trapdoor Tr and returns the search results to the user (refer to Test()).

7.
TrapdoorGen(k agg , �� ⃗ Q ) The user who wants to perform the keyword search over the shared data runs this algorithm and generates a single aggregate trapdoor Tr. If the set S of documents are in the scope of an aggregate key k agg , then the user having trapdoor Tr can search over any document in the range of set S.

8.
Test ( Tr, S, l, U QR ) On receiving the trapdoor Tr from the query requester, the cloud server runs Test() algorithm to check if document doc l contains query keyword(s) �� ⃗ Q or not. In the following discussion, U QR ∈ U is an identity of query requester and U l is a set of revoked users' identities corresponding to list RL l .

Correctness:
The correctness of Test algorithm can be realized as follows: If the query requester U QR is revoked user, then the shared documents. The user having an aggregate key can decrypt the retrieved data. The offline phase of the decryption (refer to Offline_Decrypt() ) computes the parameters pub = ({pub 1_l , pub 2_l } l∈S , pub 3 , pub 4 ) , which are used to decrypt {C l } l∈S . In the online phase (refer to Online_Decrypt() ), the ciphertext is decrypted with minimal computation overhead. 9.
Offline_Decrypt ( k agg , S ) The user who holds an aggregate key k agg for dataset S can precompute the parameters that are required to decrypt ciphertexts within range of set S, in offline mode. This algorithm generates the parameters pub = ({pub 1_l , pub 2_l } l∈S , pub 3 , pub 4 ) . For efficiency consideration, the parameters ({pub 1_l , pub 2_l } l∈S , pub 3 , pub 4 ) for the set S is computed only once.

Correctness:
C l 4 e(k agg pub 1_l pub 2_l , C l 1 ) / e( pub 3 , C l 2 ) e(pub 4 , C l 1 ) = C l 4 e(k agg ⋅ j∈S g j+l ⋅ j∈S,j≠l g n+1−j+l , g t l ) e( j∈S g j , (v ⋅ g l ) t l )e( j∈S g n+1−j+l , g t l ) = C l 4 e( j∈S g j+l , g t l ) e( j∈S,j≠l g n+1−j+l , g t l ) e( j∈S g j , g t l l ) e( j∈S g n+1−j+l , g t l ) = M e(g 1 , g n ) t l e( j∈S g n+1−j+l ,g t l ) e(g n+1 ,g t l ) e( j∈S g n+1−j+l , g t l ) = M e(g 1 , g n ) t l e(g n , g 1 ) t l = M

Security Analysis
We prove the security of the proposed scheme against the IND-CKA, IND-KGA and cross-pairing attack in the generic group model using the DDH hardness assumption.

Theorem 1 The proposed R-OO-KASE scheme is IND-CKA secure, assuming that the DDH problem is hard to solve.
Proof We consider a challenger C , a simulator SIM and a polynomial-time adversary A . We assume that the adversary A has a non-negligible advantage to break the privacy of our scheme.
Then, we can construct a simulator SIM that breaks the decisional DDH problem = ( g, g a , g b , g c , R ) with the advantage 2 (1 − N 2 p ). Here, we assume that for trapdoors Tr � ⃗ Q which denotes search query of keyword set �� ⃗ Q and Tr � ⃗ Q ′ which denotes query of keyword set �� ⃗ This assumption hold with the probability where N is number of possible keywords in the system and p is the order of group G.
On DDH input (g, g a , g b , g c , R) , simulator SIM aims to decide if R = g abc .
The challenger C generates a, b, c, z ∈ R Z p , bilinear groups G, G T with prime order p and the mapping G × G → G T . g is a generator of group G. The challenger C computes v as follows: The challenger gives instance ( g, g a , g b , g c , R)∈ G T to simulator SIM.
SIM interacts with A ( SIM simulates the C for A ) and starts the simulation as follows.

Init Phase
The adversary A selects a challenge index i c for which he wishes to be challenged upon.
Moreover, SIM simulates the hash oracles for keyword as follows: • O H (w i,j ) ∶ Given a keyword w i , having value w i,j , the hash function proceeds as follows: • If w i,j has not been queried before, then SIM toss a random coin c i ∈ {0, 1} with the probability that Pr|c i = 0| = 1∕(q T + 1) , where q T is very large number.
We require that q T should be larger than the number of oracle queries for O k agg , O Tr , O test . If c i = 0 , then selects f ∈ Z p and computes T *  Table T k is used to records the tuple < pk, u > and these records will be used in other oracles to response the queries. The simulator SIM sends the public key pk to A.

Query phase 1
The simulator SIM constructs following oracles and adversary A can adaptively queries q 1 , … , q n � to these oracles in polynomial for multiple times.
• Aggregate key generation oracle O k agg On giving inputs of (msk, S) by the adversary, where msk is master secret key corresponding to pk, the simulator checks that key pair (pk, msk) occurs in , then SIM simply aborts and takes a random guess. The probability that the simulator SIM aborts is Pr[abort] = N 2 ∕p Otherwise, SIM randomly chooses a bit b ∈ {0,1} and compute keyword-ciphertext for ������� ⃗ KW b . Challenger C sets t = a and computes ciphertext by running Online_Encrypt(pk, The adversary A asks for more queries q n � +1 , … , q n � 2 to oracles and oracle answers in polynomial time. The oracles are identical to that in the query phase 1 except the following: • Trapdoor generation oracle O Tr On giving inputs of ( k agg , �� ⃗ Q ) by the adversary, the challenger answers same as that in phase 1, except the following cases: • The adversary had previously ask for the trapdoor corresponding to a set of keywords ������� ⃗ If one of the above condition holds, then challenger returns null.
• Test oracle O test On input of Test(Tr, S, l, U QR ), if i c = l or i c ∈ S , then the challenger returns null. Otherwise, the challenger responds as that in phase 1 Based on this, there will be two cases as follows: case (i) if v = 0 , then Z = g abc , and hence, challenge ciphertext is a correct ciphertext of keyword KW b .
From (i) and (ii), it follows that SIM 's advantage in this DDH game can be computed as: Because the event "abort" is independent of DDH challenge, we have Therefore, if the A has a non-negligible advantage in the above game, then we can build a simulator ( SIM ) which can break the DDH problem with non-negligible quantity = 2 (1 − N 2 p ) , which is an intractable problem. ◻

Theorem 2 The proposed R-OO-KASE scheme is IND-KGA secure under the DDH assumption, assuming that the DDH problem is hard to solve.
Proof We consider a challenger C , a simulator SIM and a polynomial-time adversary A . We assume that the adversary A has a non-negligible advantage (l) to break the privacy of our scheme. Then, we can construct simulator SIM that breaks the decisional DDH problem = ( g, g a , g b , g c , R ) with the advantage (l)∕2 On DDH input (g, g a , g b , g c , R) , simulator SIM aims to decide if R = g abc .
The challenger C generates a, b, c, z ∈ R Z p , bilinear groups G, G T with prime order p and the mapping G × G → G T . g is a generator of group G. The challenger C computes v as follows: The challenger gives instance ( g, g a , g b , g c , R)∈ G T to simulator SIM. SIM interacts with A ( SIM simulates the C for A ) and starts the simulation as follows.

Init Phase
The adversary A selects a challenge index i c for which he wishes to be challenged upon.
Moreover, SIM simulates the hash oracle to map the given keyword with unique value. The hash oracle is identical to that in the IND-CKA security model. SIM sets public key pk = v = (g c ) u where u ∈ R Z p . Finally, SIM records the tuple < pk, u > in table T k . Table  T k is used to records the tuple < pk, u > , and these records will be used in other oracles to response the queries. The simulator SIM sends the public key pk to A.

Query Phase 1
The adversary A adaptively queries q 1 , … , q n � to oracles and oracle answers in polynomial time. The oracles are identical to that in the IND-CKA security model except the following: • Online_Encryption oracle O On_Encrypt The attacker A sends the challenger set of keywords ������ ⃗ KW along with an index l, a message M from message space, a public key pk. If l ≠ i c , then the challenger runs Online_ Encrypt(pk, IC l , l, M, ������ ⃗ KW ) and returns ciphertext C l to the adversary. • Test oracle O test On giving input of ( Tr, S, l, U QR ), the challenger checks i c ∉ S and l ≠ i c , the oracle returns output of Test(Tr, S, l, U QR ) to the adversary. Otherwise, it returns null.

Challenge Phase
The attacker A sends the challenger two equal length of query keyword ���� ⃗ Q 0 ; ���� ⃗ Q 1 on which it wishes to be challenged along with an index i c , and an aggregate key k c agg corresponding to a set S which includes an index i c . Here, the restriction is that the attacker had not previously asked for the ciphertext corresponding to keyword ���� ⃗ Q 0 ; ���� ⃗ Q 1 to the oracle O On_Encrypt .
Otherwise, SIM randomly chooses a bit u ∈ {0,1} and computes Trapdoor Tr * u . The challenger runs TrapdoorGen(k c agg , ���� ⃗ Q u ) and computes trapdoor Tr * u for ���� ⃗ Q u as follows: The adversary A asks for more queries q n � +1 , … , q n � 2 to oracles and oracle answers in polynomial time. The oracles are identical to that in the query phase 1 except the following: • The adversary A cannot ask for the aggregate key corresponding to a set S which includes an index i c • Ciphertext query on set of keywords ���� ⃗ Q 0 or ���� ⃗ Q 1 under challenge index i c is not allowed Guess A outputs a guess u � ∈ R {0, 1}.
If u � = u (Z = g abc ) , then SIM outputs v � = 0 . If u ′ ≠ u , then SIM outputs v � = 1 to indicate trapdoor is a random element. Therefore, A gains no information about v, in turn, If v = 0 , then A is able to view the valid trapdoor components with advantage (l), a negligible quantity in security parameter in l. Therefore, The overall advantage of the simulator in DDH game is Therefore, if the A has a non-negligible advantage (l) in the above game, then we can build a simulator ( SIM ) which can break the DDH problem with non negligible quantity (l)∕2 , which is an intractable problem. ◻

Theorem 3 The proposed KASE is secure against crosspairing attack.
Proof An attacker A (the curious cloud server or an authorized user) may try to learn more information from the stored encrypted data beyond their authorization. With the knowledge of public parameters PubK=(g, g 1 , … , g n , g n+2 , … , g 2n ) ∈ G and public information l = ( C l 1 , C l 2 ) where C l 1 = g t l , C l 2 = (v ⋅ g l ) t l ; A may try to get information about message M by performing the cross-pairing attack on data ciphertext C l 4 = M * e(g 1 , g n ) t l . The adversary A may try to compute the value of e(g 1 , g n ) t l . However, the term g n+1 = g n+1 is missing in the public parameters PubK. Therefore, an attacker cannot compute the value of e (C 1 , g n+1 ) to get the value of e (g 1 , g n ) t l . Notice that A cannot get the value of e(g 1 , g n ) t l by cross-paring the available public information PubK and l . Moreover, data-ciphertext C M is secured with value of t l , A is unable to get the value of t l as per the discrete logarithm problem. In addition, using the keyword-ciphertext and public information an attacker cannot launch cross-paring attack to learn whether doc l contains keyword value w i,j or not. Furthermore, in the proposed KASE scheme, both the parameters of trapdoor Tr = (Tr 0 , Tr 1 ) are protected using same value b ∈ R Z p . Therefore, cross-paring of two different trapdoors Tr and Tr ′ is not possible, as the value of b is used different to generate each trapdoor. Cross-pairing of different trapdoors can generate incompatibility. Additionally, in the proposed scheme, the aggregate key contains single group element. Therefore, an adversary cannot extract the individual secret keys or keyword from the single aggregate key and trapdoor. Hence, different users cannot collide to decrypt or search over ciphertext(s) not in the scope of their respective aggregate keys. Even an authorized user cannot try to generate new aggregate key or trapdoor from the known ones. Therefore, the proposed KASE is secure against crosspairing attack. ◻

Performance and Efficiency Analysis
In this section, we analyze and compare the theoretical space, computational and communicational complexities of the proposed R-OO-KASE scheme with other related KASE schemes [4, 13, 18-24, 31, 32, 34, 35]. Our observations from the theoretical analysis are as follows: • Storage Overhead • The comparison of storage overhead is shown in Table 2. The size of intermediate ciphertext generated from the Offline_Encrypt() algorithm in the R-OO-KASE scheme depends on the number of keywords in the keywords space and the total number of documents belonging to a data owner. If we use a curve E(F 2 271 ) × E(F 2 271 ) → F 2 271 over the binary field F 2 271 , which is equivalent to the 80-bit security level [11]. The size of an element in group G is 542 bits using an elliptic curve with 252 bits p. The size of an element in group G can be reduced to 34 bytes using a compression technique proposed in the paper [26]. Therefore, if there are 10000 keywords in the system and data owner owns n =1000 documents, then also intermediate ciphertext requires less than 0.24GB storage space. Further, the size of final ciphertext generated after Online_Encrypt() remains constant in our scheme, whereas in the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35] the size of ciphertext is linear in the number of keywords to be attached with the ciphertext. • In the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35], the storage overhead of trapdoor is linear in the number of keywords in the search query. On the other hand, the storage overhead of trapdoor in the R-OO-KASE is constant and independent of the number of keywords in the search query set. • The size of the revocation list in the proposed scheme is constant, i.e., two group elements, and it is independent of the number of revoked users. The storage complexity of each individual revocation list RL l (i.e., revocation list for lth document) is O (1) . However, the proposed approach generates a revocation list document-wise, so there will be a total n revocation list in the system if the data owner held n documents. The total storage cost of all the revocation list in the system is linear with the number of documents that a data owner holds. Even though the proposed revocation solution brought linear storage cost of O(n) by generating revocation list document-wise, the idea of direct revocation used in the proposed approaches eliminates the expensive cost of updated key distribution among all the non-revoked users, as the revocation is realized by publishing the revocation list. The revocation in the proposed scheme does not affect the non-revoked users, as they do not require updating their corresponding delegated keys, which greatly reduces the expensive cost of key update and the overhead of key delegate authority. Especially, to realize search right revocation, re-encryption operations on keyword ciphertexts are not needed in our scheme. The KASE [35] scheme supports the revocation of delegated rights by distributing the new set of keys to the non-revoked users in each time period. The revocable KASE scheme proposed in [35] requires the data owner to maintain a user list to generate authorized keys for all the non-revoked users. The authorized users registered in the data owner's list can receive a new pair of authorized keys from the data owner. Therefore, the existing revocable KASE scheme [35] consumes more overhead at the data owner side to generate as well as distribute keys periodically to each authorized user of the system.

• Computation Overhead
• The comparison of computation overhead is shown in Table 3. The computational cost of revocation in the proposed scheme is linear in the number of revoked users, whereas verification of the user's authorization with the revocation list only requires two pairing operations. • In the proposed R-OO-KASE scheme, Offline_ Encrypt() algorithm requires only one pairing operation along with the exponentiation operations proportional to the number of keywords in the system. Additionally, Online_Encrypt() algorithm in the proposed scheme requires only multiplication operations linearly dependent on the number of keywords to be attached with the ciphertext. The existing KASE methods [4,13,[18][19][20][21]31] use two pairing operations to generate a keyword ciphertext for each keyword to be attached with the document, whereas in the proposed scheme, we are using exponentiation to generate the keyword ciphertext. The authors of [25] shows that for different security levels (i.e., for 80 bits, 112 bits and 128 bits) and prime order groups, the group exponentiation (of a random group element with a random exponent) requires significantly less time compared to the pairing operations (on random group elements). We remark that the work done in the offline phase in the R-OO-KASE scheme is roughly equivalent to the work of the regular encryption algorithm in the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35]. Therefore, the proposed R-OO-KASE scheme reduces the online computation cost of the existing KASE methods [4, 13, 18-22, 24, 31, 32, 34, 35] substantially. • The computational cost of trapdoor generation in case of multi-keyword search is same for all the considered KASE schemes [4, 13, 18-24, 31, 32, 34, 35] including the proposed KASE scheme. However, in case of multi-keyword search, the number of resultant trapdoors are | �� ⃗ Q| in the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35], whereas in the proposed scheme, one can perform a multi-keyword search using a single trapdoor of constant size. We are not focusing on the query expressiveness, but our aim is to support multiple keyword searches using a single trapdoor. The proposed scheme supports only the case in which �� ⃗ Q = ������ ⃗ KW , i.e, the set of queried keywords are the same as the set of keywords encrypted. Moreover, the proposed approach provides trapdoor privacy in contrast to the existing KASE schemes [4,[18][19][20][21] that leak data related to keyword from the trapdoor as discussed in [14]. • The computational cost of Test() algorithm in the existing schemes [4, 13, 18-22, 24, 31, 32, 34, 35] scales linearly with the number of keywords in the search query set. In contrast, in the proposed KASE scheme, the computational cost of the Test() algorithm is constant and independent of the number of keywords in the query set. Moreover, in the existing KASE schemes [4, 13, 18-21, 31, 34, 35], when an authorized user submits the trapdoor to the cloud server in order to perform search; the total time required to search a keyword at the cloud server is: Time required to transform aggregate trapdoor Tr to generate actual trapdoor Tr l for searching over lth document + Time required to execute Test () algorithm. This trapdoor transformation process used in the existing KASE schemes [4, 13, 18-21, 31, 34, 35] adds extra computational and storage overhead at the server-side. The proposed R-OO-KASE scheme allows searching over shared documents using aggregate trapdoor without requiring to generate individual trapdoor Tr l from the aggregate trapdoor. In this way, we overcome the extra overhead of trapdoor transformation required on the server-side. With such constant computational overhead of Test() algorithm, the proposed scheme performs better than the existing KASE schemes [4, 13, 18-21, 31, 34, 35]. • In the proposed KASE scheme, the Online_Decrypt() only requires three pairing operations and most of the costly computation of the decryption work is shifted to the offline phase. In this way, we reduce the computation overhead at both data owners and users' sides.
• Communication Overhead • We compare the communication overhead of ciphertext and query trapdoor as shown in Table 4. • The communication overhead of query trapdoor in the existing KASE [4, 13, 18-22, 24, 31, 32, 34, 35] schemes is linear in the number of keywords in the query set. The communication overhead of ciphertext in the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35] is linear in the number of keywords attached with the ciphertext. • The proposed scheme reduces communication cost as compared to the existing KASE schemes [4, 13, 18-22, 24, 31, 32, 34, 35]. The communication cost of the trapdoor in the R-OO-KASE scheme is independent of the number of keywords in the query set. Similarly, the communication cost of ciphertext in the R-OO-KASE scheme is independent of the number of keywords attached with the ciphertext. • If we use 80-bit [6] security level, then the size of an element in group G is 542 bits using an elliptic curve with 252 bits p. The size of an element in group G can be reduced to 34 bytes using a compression technique proposed in the paper [26]. Therefore, in the proposed scheme, the size of ciphertext is 3|G| + |G T | = 3*34 + 34bytes= 136bytes and trapdoor size is |G| = 34 bytes. The MICA2 equipped with an ATmega128 8-bit processor clocked at 7.3728MHz, 4-KB RAM, and 128-KB ROM requires 3*27*8/12400 = 0.052 mJ to transmit one-byte message, as discuss in [27]. Therefore, communication energy consumptions of the sensor in the R-OO-KASE scheme to send ciphertext are 0.052*136 =7.072 mJ and trapdoor is 0.052*34=1.768 mJ.

Evaluation of KASE Schemes
In this section, we compare the proposed R-OO-KASE scheme with the existing KASE schemes [4, 13, 18-24, 31, 32, 34, 35] in the security, efficiency and functional respects. The comparison results are summarized in Table 5.   [32], mXn size of matrix in lattice-based KASE scheme [32], |G| size of a element in group G, |G T | size of a element in group G T
In contrast, the proposed KASE scheme supports multikeyword searches using a single trapdoor. The proposed R-OO-KASE scheme allows the data owner to revoke delegated rights. Additionally, the proposed scheme reduces the computation overhead of encryption and decryption, to make the scheme practically applicable in the resource-limited environment. Furthermore, the proposed KASE scheme does not require trapdoor transformation and reduces overhead at the server side at the time of keyword searching. The proposed approach is also scalable and the aggregate key is independent of the maximum number of documents held by a data owner. The proposed R-OO-KASE scheme provides security against the IND-KGA, IND-CKA and cross-pairing attack.

Implementation Details
We implement a prototype of the proposed R-OO-KASE scheme and conduct the experiments on two different platforms: the computer and the mobile device, using Java Pairing-Based Cryptographic (JPBC) library [7]. The experiments are conducted as follows: client implementations were executed in a personal computer with 64 bit Intel(R) Core(TM) i5 -7200U CPU @ 2.50 GHz with Windows10 OS; server implementations were deployed in the Amazon AWS cloud, using an EC2 M5 large instance. Communications were performed on a 10MB/s connection, with 26.932ms round-trip time. In order to evaluate computational cost on the resource-constrained device, we simulate client implementations on Xiaomi Redmi 3S mobile device with Android OS 6. For evaluation, the official Medicare. gov Hospital Compare datasets provided by the Centers for Medicare and Medicaid Services [12] are used. Type A pairing is used for the evaluation, and it is the fastest (symmetric) pairing among all types of curves. The Type A pairings are constructed on the curve y 2 = x 3 + x over the field F q for some prime q = 3 mod 4.
In the proposed scheme, the Setup(), KeyGen(), Encrypt(), Extract(), Revocation(), TrapdoorGen() algorithms are executed at client-side and the Test() algorithm on the server-side. The running time is measured in milliseconds. The results represent an average of five executions.

Experimental Results
In this section, we evaluate and analyze the computational cost of different algorithms of the proposed scheme.
The time cost of Setup() is linear in the maximum number of documents belonging to the data owner (Fig. 4a). Figure 4b shows the computational cost of KeyGen() approximate to a constant. The results given in Fig. 4c show that the computational overhead of Online_Encrypt() is linear in the number of keywords to be attached with the ciphertext. The results are given in Fig. 4d, clearly indicate that when the number of keywords is greater than 500, only 10% of the work remains to be done in online encryption phase and more than 90% of the work in the keyword and message encryption is shifted to the offline phase. The computational cost of Revocation() is linear in the number of revoked users, as shown in Fig. 4e. Figure 4f shows that the computational time of Extract() is linear in the number of shared documents. Figure 4g shows the computational time of TrapdoorGen() is linear in the number of keywords within the search query set. The execution time of Test() is linear in the number of shared documents (Fig. 4i), whereas in the case of multi-keyword search, the computational time of Test() remains constant with respect to the number of keywords in the query set (Fig. 4h). Figure 4j, k shows that in the online decryption phase only 3 pairing operations are required to perform and more than 80% of the decryption work is shifted to the offline phase. This observation from empirical analysis implies that we reduce the computation overhead at both data owners and users' sides.

Comparative Analysis Results
In this section, to show the trade-off in performance of the proposed R-OO-KASE scheme, the proposed solution is evaluated against the existing KASE [20,22] schemes.
In the proposed scheme as well as in the existing KASE schemes [20,22], the Setup(), KeyGen(), Encrypt(), Extract(), Revocation(), TrapdoorGen() algorithms are executed at client-side and the Test() algorithm on the serverside. To calculate the computation cost of the proposed Test() algorithm for the multi-keyword query, the conjunctive search queries are given. The total time required by the proposed Test() algorithm to get the results after he sends out the query with multiple keywords is measured. The running time is measured in milliseconds. The results represent an average of five executions.
Our observations from the empirical analysis are as follows: • Time cost of Setup() for the proposed R-OO-KASE is lesser as compared to the existing KASE [20,22] schemes and it is in linear with the maximum number of documents belonging to the data owner (Fig. 4l). • The results given in Fig. 4m show that the computational overhead of Encrypt() is in linear with the number of keywords attached with the ciphertext. However, the encryption cost of the proposed R-OO-KASE and the MULKASE [22] scheme is lesser as compared to the MO-VKASE [20] scheme, since the cost of pairing is much more heavy than the multiplication and exponentiation operations. The MO-VKASE uses two pairing operations to generate a keyword ciphertext, whereas, the MULKASE uses multiplication and exponentiation to generate a keyword ciphertext. The proposed Encrypt() algorithm uses one pairing operation to generate a ciphertext. • Figure 4n shows that the computational time of Extract() is in linear with the number of shared documents for the proposed R-OO-KASE and the existing KASE schemes [20,22]. The computational time of Extract() is same for all the considered KASE schemes.  Figure 4o shows that the computational time of Trap-doorGen() is linear with the number of keywords in the search query set for the proposed R-OO-KASE and the existing KASE [20,22] schemes. However, the MUL-KASE [22] and the MO-VKASE [20] only support the exact keyword match query on a single keyword. • Figure 4p shows the comparison result of the time cost required to send and execute a search query with multiple keywords. The total time considered for comparison is: Communication cost required to send trapdoor(s) for a query with multiple keywords + Computation cost required to execute Test() for multi-keyword query + Communication cost to receive search results. The dataset size considered for this comparison is 10, i.e., 10 documents are in the range of given query trapdoor. Therefore, the results shown in the comparison graph are the total time after executing Test() for multi-keyword query over 10 documents. Additionally, the time cost for the existing VKASE [20] scheme also includes computation cost of Adjust() algorithm, as VKASE [20] scheme requires trapdoor transformation by executing Adjust() before running Test(). The proposed R-OO-KASE and the existing MULKASE [22] schemes do not use Adjust() algorithm for trapdoor transformation before searching. Therefore, R-OO-KASE and the existing MULKASE [22] schemes take lesser computation time for Test() as compared to the VKASE [20]. Further, the existing KASE [20,22] schemes do not support multikeyword searches using a single trapdoor. Therefore, the total time cost required to send and execute search query with multiple keywords is less in the proposed R-OO-KASE scheme as compared to the existing KASE [20,22] schemes. In the existing KASE [4, 18-22, 34, 35] schemes, the user requires to submit different trapdoors for each individual keyword to the server. The server performs a search for each of the keywords separately and returns the intersection of all the results. Specifically, for searching a set of keywords �� ⃗ Q = {Q 1 , … , Q p } over shared dataset, the existing KASE schemes [4, 18-22, 34, 35] require | �� ⃗ Q| = p number of trapdoors. Similarly, the cloud server requires to perform O(| �� ⃗ Q|) pairing operations to execute the multi-keyword query. Additionally, the cloud server must perform a search query over all the shared dataset. In the considered scenario, as the dataset is 10 the cloud server requires to perform O(| �� ⃗ Q|) pairing operations over all the 10 documents to execute the multi-keyword query. Therefore, the time cost increases drastically in the existing KASE [20,22] schemes as compared to the proposed approach. In the proposed R-O-KASE scheme, the communication and computation cost required to execute multi-keyword query is independent of the size of keywords in the query set.

Findings
• The encryption cost of the proposed R-OO-KASE scheme is lesser as compared to the MO-VKASE [20] scheme. The reason for the lesser computation cost of the R-OO-KASE scheme is that the proposed Encrypt() algorithm mainly uses the multiplication and exponentiation operations whereas the MO-VKASE [20] uses pairing operations in Encrypt() algorithm (Fig. 4m). • The existing MO-VKASE [20] scheme takes more computation time for Test() as compared to the proposed R-OO-KASE for the exact keyword match query on non-numeric keywords. The reason for the same is the MO-VKASE [20] uses Adjust() algorithm for trapdoor transformation before running Test() algorithm and it increases search time. On the other hand, the proposed KASE scheme does not use the Adjust() algorithm. The proposed R-OO-KASE scheme allows searching over the shared dataset S using a single trapdoor Tr that a query requester submits to the cloud server (Fig. 4p). • The computation cost of the proposed Test() is independent of the number of keywords in the search query, however, the computation cost of Test() is linear with the number of shared documents (Fig. 4h, i).

Conclusions and Future Extensions
In this paper, we propose the R-OO-KASE (Revocable Online/Offline KASE) scheme that is suitable for the resource-constrained environment, as we split costly operations of encryption and decryption into two phases: online and offline. In the offline phase, the user performs expensive pairing and exponentiation operations required in the encryption/decryption. In the online phase, i.e., when the device is moving on (not connected to the power source), the user can generate the final output with the minimal computational cost. We provide the performance estimates that showed over 90% of the computation operations of encryption/decryption are shifted to the offline phase. The proposed KASE scheme also supports the revocation of delegated rights in the cloud environment, realizing the key aggregation and user access control effectively. The proposed scheme supports fine-grained revocation of the delegated rights on document level, instead of coarse-grained all-ornothing access. The idea of direct revocation used in the proposed approach eliminates the expensive cost of updated key distribution among all the non-revoked users, as the revocation is realized by publishing the revocation list. The other contribution of the proposed approach is that it offers multi-keyword searches over a shared dataset using a constant size query trapdoor. We also proved that the proposed scheme is secure against defined IND-CKA, IND-KGA and cross-pairing attacks. In addition, the empirical analysis confirms that the proposed scheme is suitable for resource-constrained devices and improves query performance as compared to the existing KASE schemes. Overall, the proposed R-OO-KASE scheme helps to reduce the cost of bringing KASE into practice on the power-constrained device.
In the future, one can extend the scheme and enhance the system usability by providing fuzzy, semantic and ranked search on the encrypted dataset using a single trapdoor. Research on query expressiveness needs to move toward closing the gap between existing SE schemes and plaintext searches.
Funding Funding information is not applicable. No funding was received. The experiments and research comply with the current laws of the country.
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article's Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article's Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creat iveco mmons .org/licen ses/by/4.0/.