Source: users.monash.edu.au/~kailiu/mypaper/asiaccs2016-2.pdf

Efficient Multi-Function Data Sharing and Searching Mechanism for Cloud-Based Encrypted Data

Kaitai Liang
Department of Computer Science, Aalto University, Finland
kaitai.liang@aalto.fi

Chunhua Su
School of Information Science, Japan Advanced Institute of Science and Technology
1-1 Asahidai, Nomi, Ishikawa 923-1292, Japan
[email protected]

Jiageng Chen
Computer School, Central China Normal University
Wuhan 430079, China
[email protected]

Joseph K. Liu
Faculty of Information Technology, Monash University
Melbourne, Australia
[email protected]

ABSTRACT

Outsourcing a huge amount of local data to remote cloud servers has become a significant trend for industries. Leveraging the considerable cloud storage space, industries can also put forward the outsourced data to cloud computing. How to collect the data for computing without loss of privacy and confidentiality is one of the crucial security problems. Searchable encryption has been proposed to protect the confidentiality of the outsourced data and the privacy of the corresponding data query. This technique, however, supports only search functionality and may not be fully applicable to real-world cloud computing scenarios in which secure data search, sharing and computation are all needed. This work presents a novel encrypted cloud-based data share and search system without loss of user privacy and data confidentiality. The new system not only enables users to make conjunctive keyword queries over encrypted data, but also allows encrypted data to be efficiently and repeatedly shared among different users without the need for the "download-decrypt-then-encrypt" mode. Of independent interest, our system provides secure keyword update, so that users can freely and securely update a data item's keyword field. It is worth mentioning that none of the above functionalities incurs any expansion of ciphertext size: the size of a ciphertext remains constant while it is searched, shared and keyword-updated. The system is proven secure and, meanwhile, the efficiency analysis shows its great potential for use in large-scale databases.

Keywords

Outsourced encrypted data; privacy; secure data search and share; efficiency

1. INTRODUCTION

Outsourcing a great amount of local data to remote clouds has become a popular trend over the past few years. Cloud-based data storage services offer great convenience to Internet users and industries, letting them move beyond the bottleneck of local (big) data maintenance and analysis [18, 29]. To fully make use of a shared pool of configurable computing resources, industries would like to request cloud servers to perform massive and sophisticated computation over their outsourced data. Although they provide powerful data computing support for industries, cloud computing services inherently incur potential risks for user privacy and data confidentiality.

To guarantee the confidentiality of the outsourced data, one may directly and simply employ cryptographic encryption technology. Traditional encryption, however, hinders a significant ability of the data owner: data search. Before proceeding to (outsourced) data computation, one should first request the cloud server to identify/locate which data are about to be computed on. This type of data search operation (on the cloud side) immediately raises a concern about the privacy of the search/query.

Searchable encryption [35] is designed to eliminate the above concern. A data owner is allowed to issue only a search token (generated with some secret information belonging to the data owner) to a cloud server (with which the data owner may not share the necessary trust), such that the server can effectively locate the corresponding (encrypted) outsourced data in its storage back end. The server, nevertheless, learns nothing about the search/query contents or the underlying data. This technology is widely used in many real-world cloud applications/platforms, such as CipherCloud (http://www.ciphercloud.com/).

To date, offering only search ability over remote encrypted data to cloud service clients might not be flexible enough from the practical point of view. In some cases, a data owner may choose to share his/her data with others, whereby the encrypted data to be shared is stored in a remote cloud [28]. Here, we may need a secure encrypted data sharing mechanism. Proxy re-encryption [30], therefore, has been proposed to enable the data owner to share encrypted data stored in clouds with others without loss of data confidentiality. But the secure data share functionality cannot become a hindrance for data search. In other words, both share and search abilities must be compatible and built within one system. For instance, a company A may choose to share an encrypted folder f stored in a cloud with another company B for some business cooperation purpose. Before and after the data sharing operation, the folder f still needs to be easily searched/archived by both A and B. As discussed in [24], there are some gaps between current searchable encryption systems and proxy re-encryption systems that make it difficult to straightforwardly and trivially integrate the two types of systems into one. This motivates the research work of [24].

Motivation. Even though [24] invents the first attribute-based searchable encryption supporting proxy re-encryption in the literature (see footnote 1), it suffers from some limitations that should be addressed for practical use. First of all, the system is built on top of an attribute-based encryption [15], such that it unavoidably yields heavy computation and communication cost in the phases of data search and share. Specifically, the sizes of the system public key, re-encryption key and search token are linear in the number of attributes (or the size of the attribute set), and furthermore, the data share operation may lead to an expansion of the ciphertext size. Meanwhile, linear computational cost exists in the generation of ciphertext, search token and re-encryption key. In addition, since the keyword field is embedded into an element of G_T (i.e. a pairing element) in [24], conjunctive search will result in serious ciphertext size expansion as well.

A novel functionality invented by [24] (compared to the existing proxy re-encryption with keyword search systems) is the update of the keyword field, in which a data owner (generally meaning a system user with valid decryption rights) is able to freely update the keyword description of his/her ciphertext. Nonetheless, this ability is limited to the phase of data share only, namely, the keyword field of an encrypted file can be updated only while it is about to be shared with others. We state that this might not scale well because the data owner may prefer to update keywords at any time during the data lifetime.

In [24], the same attribute-based encryption technique is reused twice: once for encryption/proxy re-encryption, and once for secure data search. The building block Liang et al. made use of has only been proved selectively secure in the standard model [15]. Accordingly, it can be seen that the system proposed in [24] is proved in a selective security model. This may not be practical enough due to the fact that malicious attackers are restricted to choosing their attacking targets before the attacks.

Footnote 1: We note that there exist some research works called proxy re-encryption with keyword search before the introduction of [24]. However, they are subject to some security risks and functionality disadvantages that will be introduced in the related work later.

1.1 Contributions

In this paper, we concentrate on designing a novel secure public key based system that eliminates the above practical obstacles of [24]. We first start with the combination of two well-studied identity-based encryption systems, [36] and [12], in which we use the former for data encryption and the latter for keyword search. To guarantee the privacy of the keyword field (in ciphertext and search token) as well as better efficiency, we further convert the system into an asymmetric pairing group, such that the identity-based encryption is turned into an anonymous one. We next combine identity-based proxy re-encryption technology with the above resulting system to achieve secure data share functionality. For each data share phase, we make use of a trusted private key generator to construct the re-encryption key, so as to remove the computation burden from the data owner as well as to maintain the size of the shared ciphertext. To obtain secure data search functionality, we employ the searchable encryption technique (much like [6]). Meanwhile, we extend the bidirectional encryption technique introduced in [8] to support flexible and efficient keyword update in our system.

The contributions of this work are described as follows.

1. Inspired by the security notion of [24], we define a new system framework and security notion supporting encrypted data share and search functionalities with flexible keyword update in the context of cryptographic identity-based encryption.

2. We propose the first and only efficient concrete construction satisfying our new notion and, meanwhile, we prove that the system achieves (payload) data security and (search/query) keyword privacy in the generic pairing group model.

3. Our new system not only supports conjunctive keyword search, but also allows an encrypted data item to be efficiently shared multiple times among different system users (we call this the multiple data share property).

4. Our system achieves constant size in public key, re-encryption key, search token and ciphertext, and no linear cost exists in the construction phases of re-encryption key and search token.

5. No matter how many times an encrypted ciphertext is shared/re-encrypted, its size still remains constant and the same as that of the original ciphertext (i.e. no ciphertext size expansion); the secure keyword update is available at any time during an encrypted data item's lifetime. The efficiency analysis shows that our system has great potential for deployment in large-scale databases.

1.2 Related Work

Searchable encryption was first formalized in [35] for the purpose of permitting text search over encrypted data. Based on the use of either symmetric or asymmetric encryption, searchable encryption is classified into symmetric searchable encryption (e.g. [9]) and public key based searchable encryption (e.g. [6]). They actually share the same idea and construction roadmap, whereby an encrypted search index structure is generated along with an encrypted database, and only a user with valid decryption rights is able to issue a search token to a cloud server, which finally performs the keyword search and returns the corresponding encrypted file(s). The two types of searchable encryption have their respective pros and cons. For instance, symmetric searchable encryption usually outperforms the public key based one, because the former only leverages lightweight cryptographic primitives, such as pseudorandom functions; while the latter may provide stronger security and more expressive query ability than the former, for example, public key based systems support ciphertext integrity checks. This paper deals with the case of public key based searchable encryption.

The notion of public key based searchable encryption was initially defined by Boneh et al. [6]. After that, some variants supporting single keyword equality search were proposed, such as [2]. In 2008, Abdalla et al. [1] proposed a generic construction for (public key based) searchable encryption on top of anonymous identity-based encryption. Subsequently, many systems with expressive search/query have been constructed in the literature, such as authorized keyword search [17], verifiable keyword search [3], fuzzy keyword search [37], conjunctive keyword search [13], range query [34], and [7], which supports conjunctive, subset and range search queries. In INFOCOM 2014, Zheng et al. [38] designed an attribute-based keyword search by bringing the (single/conjunctive) keyword searchable encryption technique into the cryptographic attribute-based context without loss of search privacy.

The notion of proxy re-encryption [4] is inspired by the concept of decryption rights delegation [30]. In a proxy re-encryption system, a data owner (usually called the delegator) is allowed to issue a special key (referred to as a re-encryption key) to a cloud server (acting as a semi-trusted proxy), so that the server can convert a ciphertext intended for the data owner into an encryption of the same message for another user. The server, however, learns nothing about the underlying message. If an encrypted ciphertext can be converted multiple times among different users, the system is called multi-hop proxy re-encryption. This paper deals with the multi-hop case. Over the past decade, many variants of proxy re-encryption have been invented and implemented in practical applications. Combining the traditional public key technique with proxy re-encryption, we have the traditional proxy re-encryption systems [8, 26, 25]. To extend proxy re-encryption to the context of identity-based encryption, identity-based proxy re-encryption, e.g., [14, 21, 23], has been defined; while functional proxy re-encryption, e.g., [19, 20, 22], is built on top of attribute-based/functional encryption.

However, all the aforementioned systems fail to simultaneously support secure data search and share. To solve the problem in a concrete way, proxy re-encryption with keyword search (PREKS), a new cryptographic primitive combining proxy re-encryption technology with the searchable encryption technique, was proposed by Shao et al. [33]. Later on, a "search-only" PREKS scheme was proposed in [16], in which the scheme only provides search as well as re-encryption functionalities but not decryption ability (for system users). These PREKS systems all support the bidirectional (see footnote 2) and multi-hop properties by designing the re-encryption key as "sk1/sk2", where sk1, sk2 are the secret keys of a delegator and a delegatee, respectively. Recall that a re-encryption key will be given to a proxy. The above PREKS systems, accordingly, suffer from an attack in the sense that the secret key of a delegator (resp. delegatee) is easily compromised by collusion between the proxy and the delegatee (resp. delegator). In 2012, Fang et al. [11] proposed a new PREKS scheme that holds against the above attack. But it comes at the price that the scheme only allows a ciphertext to be re-encrypted once (i.e. single-hop) and, meanwhile, a re-encrypted ciphertext provides searchability no more. More recently, an attribute-based searchable proxy re-encryption system, the first of its type, has been introduced in [24]. Compared to the previous PREKS schemes, the recent one may be regarded as the best solution for cloud-based secure data share and search. Unfortunately, it encounters efficiency limitations due to its attribute-based construction technique, such that it might not scale well in practice. Much like [38], putting the searchable feature into the attribute-based setting (without regarding attributes as the keyword field) seems to be "overkill" for data search. This is so because even a simple search token (such as for single keyword equality search) as well as its search operation are both linear in the size of the attribute set, where the attribute set is unrelated to the search formula (but to system users' privilege). This paper targets building a novel secure scheme that conquers the efficiency bottleneck without degrading security, privacy and search expressiveness levels (see footnote 3).

Footnote 2: A proxy re-encryption is bidirectional if a server can use one re-encryption key (rather than two distinct ones) to transform A's ciphertexts to B, and the other way round.

Table 1 summarizes the comparison of our system with an efficient public key based searchable encryption [6], a cost-effective identity-based proxy re-encryption (not supporting searchability) [14] and the attribute-based searchable proxy re-encryption [24] (see footnote 4) in terms of functionality and storage cost. Note that the efficiency analysis of our system will be presented in Section 4.2. The table shows that our scheme is the first to achieve keyword search and multiple data share with constant cost. Note that we use ⊥ to denote "not applicable", rk to denote the re-encryption key, and token to denote the search token. By ciphertext expansion we mean that the ciphertext size will be expanded after being shared.

Table 1: Comparison with [6, 14, 24]

        | Data share | rk size / token size | ciphertext size / expansion | Multi-hop
--------+------------+----------------------+-----------------------------+----------
[6]     | ⊥          | ⊥ / constant         | constant / ✗                | ⊥
[14]    | ✓          | constant / ⊥         | constant / ✓                | ✓
[24]    | ✓          | linear / linear      | linear / ✓                  | ✗
Ours    | ✓          | constant / constant  | constant / ✗                | ✓

(✓ = yes, ✗ = no, ⊥ = not applicable)

2. PROBLEM STATEMENT

Footnote 3: Our system achieves conjunctive keyword search as [24] does.

Footnote 4: The linear cost of [24] relies on the size of the attribute set/policy.

2.1 System Entities

An encrypted cloud-based data share and search system consists of four main entities:


• Data encryptor: a data encryptor first specifies a keyword description field for a data item (which is to be uploaded to a cloud server), next puts the keyword field as well as the data into an encrypted format, and finally uploads the encryption to a cloud server.

• Data receiver: (1) a data receiver is able to fully gain access to the underlying data of all ciphertexts (stored in the cloud) intended for him/her and, meanwhile, the receiver (with the corresponding decryption rights) can construct a special token to search the ciphertexts (he/she can decrypt). (2) The receiver is allowed to delegate the decryption rights of his/her encrypted data to specified system user(s) with the help of a trusted key issue center. (3) A valid data receiver is also able to update the keyword description field of his/her ciphertexts by delivering a special keyword update token to the cloud server.

• Trusted key issue center (trusted authority): a key issue center is responsible for generating a secret key for each system user. It also takes part in the generation of a special key for decryption rights delegation.

• Cloud server: a cloud server stores system users' encrypted data in its storage back end. Given a search token, it can locate and return the corresponding ciphertext(s) matching the token. Specifically, if there is a match, it outputs 1 and returns the ciphertext(s); otherwise, it outputs 0 and ⊥.

Remarks. A data encryptor can be any valid system user and, meanwhile, can also be a data receiver, i.e. encrypting data and outsourcing the encryption to the cloud for itself.

2.2 System Algorithms

The system definition is somewhat similar to the previous definitions introduced in [33, 24].

Definition 1. An Encrypted Cloud-based Data Share and Search system consists of the following algorithms:

1. (mpk, msk) ← Setup(1^k). On input a security parameter k ∈ N, the system setup algorithm outputs a master public key mpk and a master secret key msk. Hereafter, we implicitly regard mpk as an input of the following algorithms.

2. (pk_ID, sk_ID) ← KeyGen(msk, ID). On input msk and an identity ID, the key pair generation algorithm outputs a public key and secret key pair (pk_ID, sk_ID) for a system user with identity ID ∈ {0,1}^k. Hereafter, we assume that pk_ID implicitly includes the identity ID.

3. CT ← Enc(pk_ID, w, m). On input the public key pk_ID of the user ID, a keyword description w ∈ {0,1}^* and a message m, the data encryption algorithm outputs a ciphertext CT. We state that w may be either a single keyword or a conjunctive keyword description. For convenience, we denote it as "a keyword description".

4. TK ← TKGen(sk_ID, w). On input a secret key sk_ID of a user ID and w, the search token generation algorithm outputs a search token TK, which is used to search user ID's ciphertext(s) with keyword field w.

5. rk_{ID_i→ID_j, w_i→w_j} ← ReKeyGen(msk, ID_i, ID_j, w_i, w_j). On input msk, a user's identity ID_i and its most recently updated keyword description w_i tagged with the encrypted data to be shared, another user's identity ID_j and a new keyword description w_j, the re-encryption key generation algorithm outputs a re-encryption key rk_{ID_i→ID_j, w_i→w_j}, which is used to convert a ciphertext under ID_i to one under ID_j as well as to update the description from w_i to w_j. We note that w_j can initially be set to a "null" value (for privacy-preserving purposes), such that the user ID_j can replace it with some specified value later.

6. uptk_{w_i→w_j} ← UpTKGen(sk_ID, w_i, w_j). On input a user's secret key sk_ID, an old keyword description w_i and a new one w_j, the keyword update token generation algorithm outputs an update token uptk_{w_i→w_j}, which can be used to update a ciphertext (intended for ID) with the old description w_i to the same ciphertext with the new description w_j.

7. CT ← ReEnc(rk_{ID_i→ID_j, w_i→w_j}, CT). On input a re-encryption key rk_{ID_i→ID_j, w_i→w_j} and a ciphertext CT, the ciphertext re-encryption algorithm converts a ciphertext under ID_i and w_i into another ciphertext of the same message under ID_j and w_j. We note that this conversion will not hinder future keyword description updates of the new ciphertext. In addition, we state that the user ID_i can no longer obtain the decryption and search rights of the new (re-encrypted) ciphertext.

8. CT ← Update(uptk_{w_i→w_j}, CT). On input a keyword update token uptk_{w_i→w_j} and a ciphertext CT (with an old keyword description w_i), the keyword update algorithm outputs a ciphertext with the new keyword description w_j.

9. 1/0 ← Search(TK, CT). On input a search token TK generated by a system user with decryption rights on CT, and the ciphertext CT, the ciphertext search algorithm outputs 1 if they match, and 0 otherwise. We further note that a cloud server will choose to return either the matching ciphertext(s) or nothing to the user based on the output of the algorithm.

10. m ← Dec(sk_ID, CT). On input a user's secret key sk_ID and a ciphertext CT, the ciphertext decryption algorithm outputs a message m.

The system workflow is as follows (see Fig. 1 and 2).

Figure 1: Secure Data Upload, Search and Decrypt


Figure 2: Cloud-based Encrypted Data Share, Update and Search

• The setup phase. A trusted authority first runs the algorithm Setup to generate the public parameter mpk for system users, the trusted key issue center and the cloud server, to initialize the system, and to keep the master secret key msk only for the key issue center.

• The key pair generation phase. The trusted key issue center generates a key pair for a system user (e.g., Bob, Alice) by running the algorithm KeyGen (as in Step 1, Fig. 1). The user publishes the public key pk_ID and keeps sk_ID secret.

• The data encryption phase. A data encryptor, say Alice, runs the algorithm Enc to generate a ciphertext CT for a specified data receiver, say Bob, with the corresponding keyword description string W1, and further uploads the ciphertext to the cloud server (as in Step 2, Fig. 1).

• The data search phase.
  1. When needing to search for a ciphertext with W1 stored in the server, the search issuer, Bob (i.e. the system user with the decryption rights of the ciphertext), runs the algorithm TKGen and delivers the search token TK to the server (as in Step 3, Fig. 1).
  2. The server then feeds the token TK and the ciphertext into the algorithm Search to run a search in its storage system. If it finds a match, the server outputs 1 and returns the corresponding ciphertext, and outputs 0 and returns nothing otherwise (as in Steps 4 and 5, Fig. 1).
  3. If receiving a successful return from the server, the user runs the algorithm Dec with its secret key to recover the underlying message (as in Step 6, Fig. 1).

• The keyword description update phase.
  1. When needing to update the keyword description, say from Null to W2, the keyword update issuer, Alice (i.e. the user with the decryption rights of the ciphertext), runs the algorithm UpTKGen to construct a keyword update token uptk_{Null→W2}, and next delivers it to the server (as in Step 4, Fig. 2).
  2. The server runs the algorithm Update, taking the token and the ciphertext, to update the keyword description (as in Step 5, Fig. 2).

• The ciphertext share phase.
  1. When needing to share a ciphertext tagged with W1 with another user, Alice, the ciphertext share issuer, Bob (i.e. the user with the decryption rights of the ciphertext), sends a request to the key issue center, such that the center helps the user generate a re-encryption key by running the algorithm ReKeyGen (as in Steps 1 and 2, Fig. 2).
  2. After receiving the re-encryption key, the server runs the algorithm ReEnc to convert the ciphertext's decryption rights to the specified user Alice (as in Step 3, Fig. 2).
  3. Alice is able not only to update the keyword description of the ciphertext but also to search the updated ciphertext, as in Steps 4, 5, 6, 7 and 8, Fig. 2.
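The ten algorithms of Definition 1 and the workflow above, as an added runnable model that is not the paper's construction (which is pairing-based): it substitutes a textbook ElGamal-style bidirectional proxy re-encryption over a 64-bit safe-prime group and a DH-derived keyword tag, deliberately keeps the re-encryption key in the "sk_j/sk_i" form so that the collusion weakness cited in Section 1.2 can be checked, and exercises constant ciphertext size across two hops, keyword update, and the loss of the delegator's search and decryption rights. All identities, keywords, the payload and the group parameters are constructed for illustration; the tag is computable from pk_ID alone, so the model does not reproduce the paper's keyword privacy.

```python
import hashlib
import hmac
import random
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)  # Miller-Rabin is exact below 2^64 with these

def _is_prime(n):
    if n < 2 or any(n % b == 0 for b in _MR_BASES):
        return n in _MR_BASES
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for b in _MR_BASES:
        if pow(b, d, n) != 1 and all(pow(b, d << i, n) != n - 1 for i in range(s)):
            return False
    return True

def setup(k=64, seed=2016):  # Setup(1^k): k-bit safe prime p = 2q+1, generator g of Z_p^*, master secret msk
    rng = random.Random(seed)  # seeded only so the example is reproducible
    while True:
        q = rng.getrandbits(k - 1) | (1 << (k - 2)) | 1
        p = 2 * q + 1
        if _is_prime(q) and _is_prime(p):
            break
    g = next(x for x in range(2, p) if pow(x, 2, p) != 1 and pow(x, q, p) != 1)
    return {"p": p, "g": g, "q": q}, rng.getrandbits(256).to_bytes(32, "big")

def keygen(mpk, msk, ID):  # KeyGen(msk, ID): sk_ID derived from msk, invertible mod p-1 = 2q; pk_ID = g^sk_ID
    p = mpk["p"]
    for ctr in range(256):
        a = int.from_bytes(hmac.new(msk, ID + bytes([ctr]), hashlib.sha256).digest(), "big") % (p - 1)
        if a > 1 and a % 2 == 1 and a != mpk["q"]:  # odd and != q  <=>  gcd(a, 2q) = 1
            return {"id": ID, "y": pow(mpk["g"], a, p)}, a
    raise RuntimeError("no invertible exponent found")

def _tag(mpk, y, w):
    """Keyword tag H(y^{h(w)}) over a keyword set w (sorted, so a conjunction is order-free).
    Caveat: anyone holding pk_ID can compute it, so this model lacks the paper's keyword privacy."""
    canon = b"\x00".join(sorted(kw.encode() for kw in w))
    h = int.from_bytes(hashlib.sha256(canon).digest(), "big") % mpk["q"] + 1
    return hashlib.sha256(pow(y, h, mpk["p"]).to_bytes(8, "big")).digest()

def enc(mpk, pk, w, m, rng):  # Enc(pk_ID, w, m): (m*g^r, pk^r) plus tag; every field is fixed-width
    p, g = mpk["p"], mpk["g"]
    assert 0 < m < p, "m must be a group element (wrap a real payload with a KEM)"
    r = rng.randrange(1, p - 1)
    return {"id": pk["id"], "tag": _tag(mpk, pk["y"], w), "c1": m * pow(g, r, p) % p, "c2": pow(pk["y"], r, p)}

def tkgen(mpk, sk, w):  # TKGen(sk_ID, w): the key holder rebuilds the tag from sk_ID
    return _tag(mpk, pow(mpk["g"], sk, mpk["p"]), w)

def rekeygen(mpk, msk, id_i, id_j, w_i, w_j):  # ReKeyGen(msk, ID_i, ID_j, w_i, w_j), run by the key issue center
    (pk_i, a), (pk_j, b), n = keygen(mpk, msk, id_i), keygen(mpk, msk, id_j), mpk["p"] - 1
    return {"from": id_i, "to": id_j, "rk": b * pow(a, -1, n) % n,  # rk = sk_j / sk_i (mod p-1)
            "old": _tag(mpk, pk_i["y"], w_i), "new": _tag(mpk, pk_j["y"], w_j)}

def reenc(mpk, rk, ct):  # ReEnc(rk, CT): c2 = g^{r sk_i} -> g^{r sk_j}; the server never sees m or g^r
    if ct["id"] != rk["from"] or not hmac.compare_digest(ct["tag"], rk["old"]):
        return None  # bottom: wrong owner or wrong keyword field
    return {"id": rk["to"], "tag": rk["new"], "c1": ct["c1"], "c2": pow(ct["c2"], rk["rk"], mpk["p"])}

def uptkgen(mpk, sk, w_i, w_j):  # UpTKGen(sk_ID, w_i, w_j): usable at any time of the ciphertext lifetime
    return tkgen(mpk, sk, w_i), tkgen(mpk, sk, w_j)

def update(uptk, ct):  # Update(uptk, CT): swap the keyword field if the old tag matches, else bottom
    return dict(ct, tag=uptk[1]) if hmac.compare_digest(ct["tag"], uptk[0]) else None

def search(tk, ct):  # Search(TK, CT) -> 1/0 with a constant-time compare
    return 1 if hmac.compare_digest(tk, ct["tag"]) else 0

def dec(mpk, sk, ct):  # Dec(sk_ID, CT): g^r = c2^{1/sk_ID}, m = c1 / g^r; a former owner's key yields junk
    p = mpk["p"]
    return ct["c1"] * pow(pow(ct["c2"], pow(sk, -1, p - 1), p), -1, p) % p

def collusion_recovers_sk_i(mpk, rk, sk_j):  # the bidirectional-key weakness the related work warns about
    return sk_j * pow(rk["rk"], -1, mpk["p"] - 1) % (mpk["p"] - 1)

def demo():
    """Section 2.2 workflow: Alice encrypts for Bob under W1; Bob searches and decrypts; Bob shares to
    Alice under keyword Null; Alice updates Null -> W2, searches, decrypts; a second hop goes to Carol."""
    mpk, msk = setup()
    (_, sk_a), (pk_b, sk_b), (_, sk_c) = (keygen(mpk, msk, i) for i in (b"alice", b"bob", b"carol"))
    m = int.from_bytes(b"secret7", "big")  # constructed payload, below the 64-bit modulus
    W1, NULL, W2 = {"finance", "q3"}, {"null"}, {"audit", "2016"}
    ct = enc(mpk, pk_b, W1, m, random.Random(7))
    out = {"bob_search": search(tkgen(mpk, sk_b, {"q3", "finance"}), ct), "bob_dec": dec(mpk, sk_b, ct) == m}
    rk = rekeygen(mpk, msk, b"bob", b"alice", W1, NULL)
    ct2 = reenc(mpk, rk, ct)
    out["bob_lost_rights"] = search(tkgen(mpk, sk_b, W1), ct2) == 0 and dec(mpk, sk_b, ct2) != m
    ct3 = update(uptkgen(mpk, sk_a, NULL, W2), ct2)
    out.update(alice_search_w2=search(tkgen(mpk, sk_a, W2), ct3), alice_stale=search(tkgen(mpk, sk_a, NULL), ct3))
    out["alice_dec"] = dec(mpk, sk_a, ct3) == m
    ct4 = reenc(mpk, rekeygen(mpk, msk, b"alice", b"carol", W2, W2), ct3)  # second hop, same size
    out["carol_dec"] = dec(mpk, sk_c, ct4) == m
    size = lambda c: 2 * ((mpk["p"].bit_length() + 7) // 8) + len(c["tag"])  # fixed-width encoding length
    out["constant_size"] = len({size(c) for c in (ct, ct2, ct3, ct4)}) == 1
    out["collusion"] = collusion_recovers_sk_i(mpk, rk, sk_a) == sk_b
    return out
```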

2.3 Threat Models

We define the data confidentiality model and the keyword privacy model for the encrypted cloud-based data share and search system (see footnote 5). Generally speaking, the first model is used to check whether a Probabilistic Polynomial Time (PPT) adversary can compromise information about a message when given an encryption of the message (which can be either an original encryption of the message without any share, or a shared ciphertext), while the second model is used to see whether a PPT adversary can tell that a given ciphertext (either an original ciphertext or a ciphertext shared to others) is associated with a specific known keyword. Furthermore, given any keyword update token and search token, the adversary cannot acquire any knowledge related to the keyword description from the tokens. This is captured in the keyword privacy model as well.

Assumption. We assume that the cloud server, data encryptor and data receiver are honest-but-curious, while the authority for system initialization and the key issue center are fully trusted. We further assume that neither the data encryptor nor the data receiver colludes with the server to reveal the underlying keyword description. By honest-but-curious (i.e. semi-honest) we mean that a party will honestly run a protocol by following its specification, but will curiously collect interesting information during protocol execution. Below we present the threat model of data confidentiality as a mathematical expression.

Footnote 5: The search and access patterns will be considered in future work.

Definition 2. An encrypted cloud-based data share and search system achieves chosen plaintext security if the advantage Adv^{CPA}_A is negligible for any PPT adversary A, where

$$
\mathrm{Adv}^{CPA}_{\mathcal{A}} = \Bigl|\Pr\bigl[b = b' : (mpk, msk) \leftarrow \mathrm{Setup}(1^k);\ (m_0, m_1, w^*, ID^*, state) \leftarrow \mathcal{A}^{\mathcal{O}}(mpk);\ b \in_R \{0,1\};\ CT^* \leftarrow \mathrm{Enc}(pk_{ID^*}, w^*, m_b);\ b' \leftarrow \mathcal{A}^{\mathcal{O}}(CT^*, state)\bigr] - \tfrac{1}{2}\Bigr|,
$$

where $state$ is the state information, $m_0, m_1$ are two equal-length messages, $w^*$ is the challenge keyword, $ID^*$ is the challenge identity, and $\mathcal{O} = \{\mathcal{O}_{pk}, \mathcal{O}_{sk}, \mathcal{O}_{rk}, \mathcal{O}_{uptk}, \mathcal{O}_{TK}\}$. By querying the public key oracle $\mathcal{O}_{pk}$, $\mathcal{A}$ is given the public key of the system user it names. For the secret key oracle $\mathcal{O}_{sk}$, on input $ID$ the oracle outputs $sk_{ID}$ to $\mathcal{A}$, where $ID \neq ID^*$, indicating that the challenge identity cannot be corrupted by $\mathcal{A}$. For the re-encryption key oracle $\mathcal{O}_{rk}$, on input a tuple $(ID_i, ID_j, w_i, w_j)$ the oracle outputs $rk_{ID_i \to ID_j, w_i \to w_j}$. If $ID_i$ (resp. $ID_j$) is in an honest re-encryption path including $ID^*$ (footnote 6) and meanwhile $ID_j$ (resp. $ID_i$) is in a corrupted re-encryption path, $\mathcal{O}_{rk}$ outputs $\bot$. By a re-encryption path (of a given ciphertext) we mean a path that records the re-encryption history of the ciphertext among different system users (the nodes of the path stand for users); for example, a re-encryption path (of a ciphertext) between user A and user C could be A - B - C. If one of the users is corrupted, the path is defined as corrupted; otherwise it is an honest path. For the keyword update token oracle $\mathcal{O}_{uptk}$, on input a tuple $(ID, w_i, w_j)$ the oracle outputs a token $uptk_{w_i \to w_j}$ for keyword description update. For the search token oracle $\mathcal{O}_{TK}$, on input a tuple $(ID, w)$ the oracle outputs a search token $TK$. We do not offer re-encryption, update and search oracles to $\mathcal{A}$; $\mathcal{A}$, however, can run the corresponding re-encryption, update and search algorithms itself with the re-encryption keys, keyword update tokens and search tokens given by the above oracles.

Definition 3. An encrypted cloud-based data share and search system achieves keyword privacy if the advantage $\mathrm{Adv}^{KP}_{\mathcal{A}}$ is negligible for any PPT adversary $\mathcal{A}$ in

$$\left|\Pr\left[b = b' : (mpk, msk) \leftarrow \mathrm{Setup}(1^k);\ (m, w_0^*, w_1^*, ID^*, state) \leftarrow \mathcal{A}^{\mathcal{O}}(mpk);\ b \in_R \{0,1\};\ CT^* \leftarrow \mathrm{Enc}(pk_{ID^*}, w_b^*, m);\ b' \leftarrow \mathcal{A}^{\mathcal{O}}(CT^*, state)\right] - \frac{1}{2}\right|,$$

where $state$ is the state information, $m$ is the challenge message, $w_0^*, w_1^*$ are two distinct challenge keywords, $ID^*$ is the challenge identity, and $\mathcal{O} = \{\mathcal{O}_{pk}, \mathcal{O}_{sk}, \mathcal{O}_{rk}, \mathcal{O}_{uptk}, \mathcal{O}_{TK}\}$. The oracle $\mathcal{O}_{pk}$ returns public keys to $\mathcal{A}$. For the secret key oracle $\mathcal{O}_{sk}$, on input $ID$ the oracle outputs $sk_{ID}$, where $ID \neq ID^*$. For the re-encryption key oracle $\mathcal{O}_{rk}$, on input a tuple $(ID_i, ID_j, w_i, w_j)$ the oracle outputs $rk_{ID_i \to ID_j, w_i \to w_j}$. If $ID_i$ (resp. $ID_j$) is in an honest re-encryption path including $ID^*$ and meanwhile $ID_j$ (resp. $ID_i$) is in a corrupted re-encryption path, $\mathcal{O}_{rk}$ outputs $\bot$. For the keyword update token oracle $\mathcal{O}_{uptk}$, on input a tuple $(ID, w_i, w_j)$ the oracle outputs a token $uptk_{w_i \to w_j}$ for keyword description update. For the search token oracle $\mathcal{O}_{TK}$, on input a tuple $(ID, w)$ the oracle outputs a search token $TK$. If $ID = ID^*$ and $w$ is in a keyword update path including at least one of the challenge keywords (footnote 7), $\mathcal{O}_{TK}$ outputs $\bot$. If $ID \neq ID^*$ is in a re-encryption path including $ID^*$ and meanwhile $w$ is in a keyword update path including at least one of the challenge keywords, $\mathcal{O}_{TK}$ outputs $\bot$ as well. By a keyword update path we mean a path that records all the keywords (of a given ciphertext) which have been updated so far, e.g., $w_1$ - $w_2$ - $w_3$.

Footnote 6. Here $ID_i$ may be equal to $ID^*$.

Remarks. The above models are sufficient for guaranteeing chosen plaintext security at both the original encryption and the shared (re-encrypted) ciphertext levels in this paper. Since our system supports multiple sharing (re-encryption) of a ciphertext (e.g. Alice to Bob, Bob to Carol), a PPT $\mathcal{A}$ is able to convert a challenge ciphertext multiple times by running the re-encryption algorithm with the re-encryption keys issued by the challenger. In this case, giving an original encryption as the challenge does not differ from giving a shared (re-encrypted) ciphertext, because the two ciphertexts can easily be converted from one to the other in the security games.

2.4 Design Goals

Our system is designed to achieve the following features.

• Public encryption: to allow each system user to produce ciphertexts associated with a keyword description for either himself/herself or others.

• Search token generation: to allow any system user with valid decryption rights over an encrypted data item to generate a search token for the corresponding privacy-preserving data search.

• Match verification: to allow a cloud server to locate the matching ciphertext(s) by using a given search token.

• Keyword update: to allow any system user with valid decryption rights over an encrypted data item to update the keyword description for the data at any time in the data life cycle.

• Data sharing: to allow any system user with valid decryption rights over an encrypted data item to share his/her encrypted data with others efficiently and securely.

• Secure data share, search and keyword update are compatible within the whole system. A given ciphertext can be freely searched, shared and keyword-updated by the corresponding valid data decryptor.

• Privacy preservation: to guarantee the following aspects of privacy. (1) Given either a search token or a keyword update token, a cloud server learns nothing about the keyword(s) embedded in the token (footnote 8). (2) Given an original ciphertext or a shared (re-encrypted) ciphertext, a cloud server learns nothing about the underlying message or the keyword description tagged to the ciphertext.

Footnote 7 (to Definition 3). $w$ may be equal to one of the challenge keywords.

3. SYSTEM CONSTRUCTION

3.1 A Concrete Construction

Let a bilinear map tuple be $(q, g, \hat{g}, G_1, G_2, G_T, e)$, where $G_1$, $G_2$ ($G_1$ and $G_2$ are not the same group) and $G_T$ are multiplicative cyclic groups of prime order $q$, $|q| = k$, $g$ is a random generator of $G_1$, and $\hat{g}$ is a random generator of $G_2$. The mapping $e : G_1 \times G_2 \to G_T$ has three properties: (1) Bilinearity: for all $a, b \in_R Z_q^*$, $e(g^a, \hat{g}^b) = e(g, \hat{g})^{ab}$; (2) Non-degeneracy: $e(g, \hat{g}) \neq 1_{G_T}$, where $1_{G_T}$ is the unit of $G_T$; (3) Computability: $e$ can be efficiently computed.

A concrete encrypted cloud-based data share and search construction is presented as follows. Below we assume that $w \in Z_q^*$. In practice, we may pass $w \in \{0,1\}^*$ through a Target Collision Resistant (TCR) hash function [10] to yield an element of $Z_q^*$ before using it.

• Setup($1^k$): A trusted authority initializes the system by publishing the public parameters and storing the master secret key secretly for the Private Key Generator (PKG), a trusted key issue center.

1. Choose an asymmetric pairing group $(q, g, \hat{g}, G_1, G_2, G_T, e)$.

2. Choose $\theta, \alpha_1, \alpha_2, \alpha_3, \beta_1 \in_R Z_q^*$, and set $h_1 = g^{\beta_1}$, $g_1 = g^{\alpha_1}$, $g_2 = g^{\alpha_2}$, $g_3 = g^{\alpha_3}$, $K = g^{\theta}$, $\hat{h}_1 = \hat{g}^{\beta_1}$, $\hat{g}_1 = \hat{g}^{\alpha_1}$, $\hat{g}_2 = \hat{g}^{\alpha_2}$, $\hat{g}_3 = \hat{g}^{\alpha_3}$, and $\hat{K} = \hat{g}^{\theta}$.

3. Choose a TCR hash function $H_1 : G_T \to G_1$.

4. Set the master secret key as $msk = (\hat{g}_2^{\alpha_1}, \hat{h}_1, \hat{K})$, and the master public key as $mpk = (q, h_1, g, \hat{g}, g_1, \hat{g}_1, g_2, \hat{g}_2, g_3, \hat{g}_3, K, H_1)$.

• KeyGen($msk$, $ID$): the key generation algorithm is run by a trusted PKG.

1. Choose an $r \in_R Z_q^*$, and set $(\hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r, \hat{g}^r)$ for the user $ID$.

2. Set $h_2 = g^{\beta_2}$, $g_4 = g^{\alpha_4}$, $g_5 = g_4^{\alpha_5}$, $\hat{h}_2 = \hat{g}^{\beta_2}$, $\hat{g}_4 = \hat{g}^{\alpha_4}$, $\hat{g}_5 = \hat{g}_4^{\alpha_5}$, where $\beta_2, \alpha_4, \alpha_5 \in_R Z_q^*$.

3. Make use of a list $List_{sk}$ to store the tuple $(ID, \hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r, \hat{g}^r, r, \hat{h}_2, \hat{g}_5, \alpha_4, \alpha_5)$.

4. Output $sk_{ID}$ as $(\hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r, \hat{g}^r, \hat{h}_2, \hat{g}_5, \alpha_4, \alpha_5)$, and $pk_{ID}$ as $(h_2, g_4, \hat{g}_4, g_5)$.

• Enc($pk_{ID}$, $w$, $m$): the encryption algorithm is run by a data encryptor who would like to encrypt a message $m$ with a description $w$ for a system user $ID$.

1. Set $C_1 = m \cdot e(g_2, \hat{g}_1)^t$, $C_2 = g^t$, $C_3 = (h_1^{ID} g_3)^t$, $C_4 = (g_5 g_4^{-w})^t$, $C_5 = e(g_4, \hat{g}_4)^t$, $C_6 = H_1(e(h_2, \hat{g}_4)^t)$, $C_7 = K^t$, where $m \in G_T$ and $t \in_R Z_q^*$.

2. Output the original ciphertext $CT = (C_1, C_2, C_3, C_4, C_5, C_6, C_7)$.

Footnote 8 (to Section 2.4, privacy preservation). Note that we here only consider the case of giving the search token to the server for guessing the embedded keyword(s). Of course, the server can construct a ciphertext with an arbitrarily chosen keyword description $w$ (via the encryption algorithm) to test whether a given search token matches the ciphertext. If yes, the server knows the keyword tagged in the token. This is called an off-line keyword guessing attack. We so far do not consider this type of attack but regard it as part of future work.

• UpTKGen($sk_{ID}$, $w_i$, $w_j$). A user $ID$ can generate a token to update its encrypted data's description from $w_i$ to $w_j$. To do so, the user leverages a list $List_{up}$ to store tuples $(z, * \to ID, w_i \to w_{i+1}, \delta_i \to \delta_{i+1}, \sigma)$, where $z \in [1, |List_{up}|]$, $*$ is a wildcard, $\delta_i \in_R Z_q^*$ is used to randomize the $i$-th keyword update token (chosen by the user), and $\sigma$ will be introduced later. Note that each user maintains his/her own $List_{up}$ in the system. $List_{up}$ records a keyword update path; each keyword description $w_i$ is tagged with a "fresh" random factor $\delta_i$; a given tuple in the list also indicates a re-encryption path from an identity $*$ to $ID$: if $\bot \to ID$, $ID$ does not have any delegator, and $\sigma$ is equal to 1. Accordingly, if a ciphertext of $ID$ is tagged with a keyword that has not yet been updated by a keyword update token, the tuple stored in $List_{up}$ is $(z, * \to ID, w_i \to \bot$ or $* \to w_i, \delta_i \to \bot, *)$, in which we say $w_i$ (with its random factor $\delta_i$) is the starting node of the current keyword update path (held by $ID$), and we hereafter may use $\delta_i^*$ to denote such a $\delta_i$. To generate the token $uptk_{w_i \to w_j}$, the user first recovers $\delta_i$ (corresponding to the current keyword description $w_i$) from $List_{up}$ and next chooses a new $\delta_j \in_R Z_q^*$ for $w_j$. It finally outputs $(\alpha_5 - w_j)\delta_j / ((\alpha_5 - w_i)\delta_i)$.

• ReKeyGen($msk$, $ID_i$, $w_i$, $ID_j$, $w_j$). When encrypted data stored in the server needs to be shared from a user $ID_i$ to another user $ID_j$, a re-encryption key is generated and delivered to the server as follows.

1. The PKG sets $rk_1 = (\hat{h}_1^{ID_i}\hat{g}_3)^{r_i}(\hat{h}_1^{ID_j}\hat{g}_3)^{-r_j}\hat{K}^{\xi}$, $rk_2 = \hat{g}^{r_i - r_j}$ and $rk_3 = \hat{g}^{\xi}$, where $\xi \in_R Z_q^*$, and $r_i$ and $r_j$ are stored in $List_{sk}$ corresponding to $ID_i$ and $ID_j$, respectively.

2. Upon sharing encrypted data with a system user $ID_j$, the data owner $ID_i$ also delegates the keyword description update and search abilities to $ID_j$, so that the shared (re-encrypted) data can be further updated and searched only by $ID_j$. To get rid of the re-encryption key construction cost, the user $ID_i$ can choose to share $List_{up}$ with the PKG. The PKG constructs a list $List_{rk}$ to store tuples $(z, ID_i \to ID_j, w_i^{(ID_i)} \to w_j^{(ID_j)}, \sigma_{i \to j})$, where $z$ is the index for a tuple and $\sigma_{i \to j} \in_R Z_q^*$ is chosen by the PKG and will be set to 1 for the case where a user does not have a delegator. The PKG here maintains re-encryption paths in $List_{rk}$. Note that the two pieces of keyword description may be separately sent to the PKG by $ID_i$ and $ID_j$.

3. The PKG verifies whether $ID_i$ has a single delegator, say $ID_o$, in all the re-encryption paths. We will consider the case where $ID_i$ has multiple delegators later. If yes, set

$$rk_4 = \frac{\sigma_{i \to j}}{\sigma_{o \to i}} \cdot \frac{\alpha_4^{(ID_j)}\alpha_5^{(ID_j)} - \alpha_4^{(ID_j)} w_j^{(ID_j)}}{\left(\alpha_4^{(ID_i)}\alpha_5^{(ID_i)} - \alpha_4^{(ID_i)} w_i^{(ID_i)}\right)\left(\delta_i / \delta_i^*\right)};$$

if no, construct $rk_4$ as above except for setting $\sigma_{o \to i} = 1$, where $\delta_i$ is related to the current keyword $w_i$ embedded in the ciphertext (of $ID_i$), and $\delta_i^*$ can be traced back in $List_{up}$ with knowledge of $ID_i$ and $w_i$. The PKG then may encrypt $\sigma_{i \to j}$ for the corresponding delegatee $ID_j$ via a simple IBE encryption (footnote 9) and publish the encryption to a bulletin board, so that the delegatee can download the ciphertext, recover $\sigma_{i \to j}$ and store it in $List_{up}$. Note that this encryption need not be seen as a part of the re-encryption key.

4. Finally, the re-encryption key $rk_{ID_i \to ID_j, w_i \to w_j}$ is set to be $(rk_1, rk_2, rk_3, rk_4)$.

• TKGen($sk_{ID}$, $w_i$). A user $ID$ can construct a search token $TK$ for a cloud server, so that the server can search and return the user's encrypted data from the cloud. To generate a $TK$, the user first searches $List_{up}$ to recover the starting random factor $\delta_i^*$ of the keyword update path including $w_i$, the current keyword $w_i$ and its random factor $\delta_i$, and recovers $\sigma_{x \to y}$ from the re-encryption relationship record $ID_x \to ID_y = ID$ (suppose $ID$ has only one delegator; the multi-delegator case will be discussed later). Note that if there is no keyword update (via $ID$'s keyword update token) yet, $\delta_i = \delta_i^*$; if $\bot \to ID$, the value of $\sigma$ is equal to 1. The user then sets the token $TK$ as $tk_1 = r_{tk}$, $tk_2 = (\hat{h}_2 \hat{g}_4^{-r_{tk}})^{\delta_i^* / ((\alpha_5 - w_i)\delta_i \sigma_{x \to y})}$, where $r_{tk} \in_R Z_q^*$.

• Update. The algorithm Update is used to fulfil encrypted data sharing and data description update. This update functionality does not expand the size of the ciphertext: no matter how many times a ciphertext is updated, its size stays constant.

1. Encrypted data sharing, i.e. proxy re-encryption, ReEnc($rk_{ID_i \to ID_j, w_i \to w_j}$, $CT$): the server sets

$$C_1 = C_1 \cdot e(C_2, rk_1)^{-1} \cdot e(C_3, rk_2) \cdot e(C_7, rk_3) = m \cdot e(g_2, \hat{g}_1)^t \cdot \frac{e\big(g^t, (\hat{h}_1^{ID_j}\hat{g}_3)^{r_j}\big)}{e\big((h_1^{ID_i} g_3)^t, \hat{g}^{r_j}\big)},$$

and $C_4 = C_4^{rk_4}$, and outputs a new ciphertext $CT = (C_1, C_2, C_3, C_4, C_5, C_6, C_7)$. We state that the ciphertext $CT$ can be shared multiple times without expansion of its size.

2. Update keyword description without any data sharing, Update($uptk_{w_i \to w_j}$, $CT$): the cloud server sets $C_4 = C_4^{uptk_{w_i \to w_j}}$, and outputs a new ciphertext $CT = (C_1, C_2, C_3, C_4, C_5, C_6, C_7)$. We state that the description can be updated multiple times as above without expansion of the ciphertext size.

• Search($TK$, $CT$): The cloud server checks whether the equation $H_1\big(e(C_4, tk_2) \cdot C_5^{tk_1}\big) = C_6$ holds. If yes, output 1 indicating a match; otherwise output 0.

• Dec($sk_{ID}$, $CT$). A valid user is able to recover the data from a given ciphertext as follows.

1. The user recovers $sk_1 = \hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r$ and $sk_2 = \hat{g}^r$ from $sk_{ID}$.

2. The user further recovers the message as $m = C_1 \cdot e(C_3, sk_2) / e(C_2, sk_1)$.

Footnote 9. The encryption may be as $C_0 = \sigma_{i \to j} \cdot H_0(Y)$, $C_1 = Y \cdot e(g_2, \hat{g}_1)^t$, $C_2 = g^t$, $C_3 = (h_1^{ID_j} g_3)^t$, where $Y \in G_T$, $t \in_R Z_q^*$, and $H_0 : G_T \to Z_q^*$.
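To make the bookkeeping of Section 3.1 concrete, the following added example (not the paper's code) models the construction in the exponent domain: every group element is represented by its discrete logarithm ($G_1$ to base $g$, $G_2$ to base $\hat{g}$, $G_T$ to base $e(g, \hat{g})$), so a pairing becomes a product in $Z_q$ and a product in $G_T$ becomes a sum, which lets the Enc/Dec, UpTKGen/Update/TKGen/Search and $rk_1, rk_2, rk_3$/ReEnc equations be checked as plain modular arithmetic. It is not a cryptosystem: $H_1$ is modelled as the identity on exponents, $q$ is a toy prime, the identities, keywords and message are constructed values, and the keyword part $rk_4$ of the re-encryption key is left out.

```python
import secrets

Q = 2305843009213693951  # 2^61 - 1, a prime; toy stand-in for the group order q

def rnd():
    """x <-_R Z_q^*"""
    return 1 + secrets.randbelow(Q - 1)

def inv(x):
    return pow(x % Q, -1, Q)

def setup():
    """Setup(1^k): theta, alpha_1..3, beta_1 behind K, g_1, g_2, g_3, h_1 (and their hats).
    In the exponent model mpk and msk collapse to these same numbers."""
    return {"theta": rnd(), "a1": rnd(), "a2": rnd(), "a3": rnd(), "b1": rnd()}

def keygen(pp, ident):
    """KeyGen(msk, ID) -> (sk_ID, pk_ID); ident is the identity as an element of Z_q."""
    r, b2, a4, a5 = rnd(), rnd(), rnd(), rnd()
    sk1 = (pp["a1"] * pp["a2"] + (pp["b1"] * ident + pp["a3"]) * r) % Q  # g_hat2^a1 (h_hat1^ID g_hat3)^r
    sk = {"ID": ident, "sk1": sk1, "sk2": r, "b2": b2, "a4": a4, "a5": a5}  # sk2 = g_hat^r
    pk = {"ID": ident, "h2": b2, "g4": a4, "g5": a4 * a5 % Q}               # h2, g4 (= g_hat4), g5
    return sk, pk

def enc(pp, pk, w, mu):
    """Enc(pk_ID, w, m) for m = e(g, g_hat)^mu; returns C1..C7 as exponents."""
    t = rnd()
    return {"C1": (mu + pp["a1"] * pp["a2"] * t) % Q,        # m * e(g2, g_hat1)^t
            "C2": t,                                         # g^t
            "C3": (pp["b1"] * pk["ID"] + pp["a3"]) * t % Q,  # (h1^ID g3)^t
            "C4": (pk["g5"] - pk["g4"] * w) * t % Q,         # (g5 g4^-w)^t
            "C5": pk["g4"] * pk["g4"] * t % Q,               # e(g4, g_hat4)^t
            "C6": pk["h2"] * pk["g4"] * t % Q,               # H1(e(h2, g_hat4)^t), H1 = identity
            "C7": pp["theta"] * t % Q}                       # K^t

def dec(sk, ct):
    """Dec(sk_ID, CT): m = C1 * e(C3, sk2) / e(C2, sk1)."""
    return (ct["C1"] + ct["C3"] * sk["sk2"] - ct["C2"] * sk["sk1"]) % Q

def new_update_path(w):
    """List_up entry for a not-yet-updated keyword: start node (w, delta*) == current node."""
    d = rnd()
    return {"w_start": w, "d_start": d, "w_cur": w, "d_cur": d, "sigma": 1}  # sigma 1: no delegator

def uptkgen(sk, path, w_j):
    """UpTKGen(sk_ID, w_i, w_j) = (a5 - w_j) d_j / ((a5 - w_i) d_i); path advances to (w_j, d_j)."""
    w_i, d_i, d_j = path["w_cur"], path["d_cur"], rnd()
    tok = (sk["a5"] - w_j) * d_j * inv((sk["a5"] - w_i) * d_i) % Q
    path["w_cur"], path["d_cur"] = w_j, d_j
    return tok

def update(ct, uptk):
    """Update(uptk, CT): only C4 <- C4^uptk changes, so the ciphertext keeps its seven parts."""
    return {**ct, "C4": ct["C4"] * uptk % Q}

def tkgen(sk, path):
    """TKGen(sk_ID, w_i): tk1 = r_tk, tk2 = (h_hat2 g_hat4^-r_tk)^(delta*/((a5 - w_i) delta_i sigma))."""
    r_tk = rnd()
    expo = path["d_start"] * inv((sk["a5"] - path["w_cur"]) * path["d_cur"] * path["sigma"])
    return r_tk, (sk["b2"] - sk["a4"] * r_tk) * expo % Q

def search(tk, ct):
    """Search(TK, CT): does H1(e(C4, tk2) * C5^tk1) equal C6?"""
    tk1, tk2 = tk
    return (ct["C4"] * tk2 + ct["C5"] * tk1) % Q == ct["C6"]

def rekeygen(pp, sk_i, sk_j):
    """ReKeyGen, message part only: rk1 = (h_hat1^IDi g_hat3)^ri (h_hat1^IDj g_hat3)^-rj K_hat^xi,
    rk2 = g_hat^(ri - rj), rk3 = g_hat^xi.  The keyword part rk4 is not modelled."""
    xi = rnd()
    rk1 = ((pp["b1"] * sk_i["ID"] + pp["a3"]) * sk_i["sk2"]
           - (pp["b1"] * sk_j["ID"] + pp["a3"]) * sk_j["sk2"] + pp["theta"] * xi) % Q
    return rk1, (sk_i["sk2"] - sk_j["sk2"]) % Q, xi

def reenc(ct, rk):
    """ReEnc: C1 <- C1 * e(C2, rk1)^-1 * e(C3, rk2) * e(C7, rk3); other components untouched."""
    rk1, rk2, rk3 = rk
    return {**ct, "C1": (ct["C1"] - ct["C2"] * rk1 + ct["C3"] * rk2 + ct["C7"] * rk3) % Q}

def run_checks():
    """Alice encrypts, updates the keyword twice, then shares with Bob (all values constructed)."""
    pp = setup()
    sk_a, pk_a = keygen(pp, 1001)           # Alice
    sk_b, _ = keygen(pp, 2002)              # Bob
    mu, w1, w2, w3 = 424242, 7, 11, 13      # toy message exponent and keyword values
    ct = enc(pp, pk_a, w1, mu)
    path = new_update_path(w1)
    stale = tkgen(sk_a, path)               # token for w1, issued before any update
    ct = update(ct, uptkgen(sk_a, path, w2))
    ct = update(ct, uptkgen(sk_a, path, w3))
    out = {"dec_ok": dec(sk_a, ct) == mu,
           "search_after_updates": search(tkgen(sk_a, path), ct),  # delta*/delta_3 cancels the chain
           "search_stale_token": search(stale, ct)}                # w1 token no longer matches
    shared = reenc(ct, rekeygen(pp, sk_a, sk_b))
    out["delegatee_dec_ok"] = dec(sk_b, shared) == mu
    return out
```

The two update steps show why the token carries $\delta_i^*/\delta_i$: the chain of $uptk$ factors on $C_4$ telescopes to $\delta_3/\delta_1^*$, which only the current token cancels.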

4. SYSTEM ANALYSIS

4.1 Security Analysis

We prove the security of our construction in the following aspects: one is chosen plaintext security, and the other is keyword privacy. We make use of the generic bilinear group model and the random oracle model to prove that no efficient adversary can break the security of our system. As in [5], we consider three random encodings $\delta_1, \delta_2, \delta_T$ of the additive group $F_q$, i.e. injective maps $\delta_1, \delta_2, \delta_T : F_q \to \{0,1\}^k$, where $k > 3\log(q)$. For $i = 1, 2, T$, set $G_i = \{\delta_i(x) : x \in F_q\}$. We assume the game simulator is given oracles to compute the induced group action on $G_1, G_2, G_T$ and an oracle to compute a non-degenerate bilinear map $e : G_1 \times G_2 \to G_T$. The simulator is given a random oracle representing the hash function as well.

Theorem 1. Let $Q_1$ be a bound on the total number of group elements an adversary $\mathcal{A}$ receives from queries to the hash function, the groups $G_1, G_2, G_T$ and the bilinear map $e$, and from interactions with the chosen plaintext security game. Then the advantage of $\mathcal{A}$ in winning the game is $O(Q_1^2/q)$.

Proof. Our proof is a straightforward hybrid argument over the following. In the normal chosen plaintext security game defined in Definition 2, a challenge ciphertext includes $C_1 = m_b \cdot e(g, \hat{g})^{\alpha_1\alpha_2 t}$, where $b \in \{0, 1\}$. We slightly revise the game so that $C_1$ is either $e(g, \hat{g})^{\xi}$ or $e(g, \hat{g})^{\alpha_1\alpha_2 t}$ instead, where $\xi \in_R F_q$. We state that any adversary with advantage $\epsilon$ in the normal game can be converted into an adversary with advantage $\epsilon/2$ in the revised game: the adversary is required to distinguish $m_0 e(g, \hat{g})^{\alpha_1\alpha_2 t}$ from $e(g, \hat{g})^{\xi}$, and $e(g, \hat{g})^{\xi}$ from $m_1 e(g, \hat{g})^{\alpha_1\alpha_2 t}$. Below we let $g^x$, $\hat{g}^y$ and $e(g, \hat{g})^z$ denote $\delta_1(x)$, $\delta_2(y)$ and $\delta_T(z)$, respectively. Note that $\mathcal{B}$ will maintain $List_{sk}$, $List_{rk}$ and $List_{up}$ as in the real scheme.

• Setup Phase. The simulator $\mathcal{B}$ chooses $\theta, \alpha_1, \alpha_2, \alpha_3, \beta_1 \in_R F_q$, and further sets $h_1, g_1, \hat{g}_1, g_2, \hat{g}_2, g_3, \hat{g}_3, K$ as in the real scheme. $\mathcal{B}$ sends the master public key $mpk$ to $\mathcal{A}$, in which the hash function is simulated via a random oracle as follows.

• Random Oracle Queries. When $\mathcal{A}$ queries $H_1$ on a $G_T$ element, $\mathcal{B}$ chooses a random $s \in F_q$ and outputs $g^s$.

• Phase 1.

1. Public Key and Secret Key Queries. For an identity $ID$, $\mathcal{B}$ chooses $r, \beta_2, \alpha_4, \alpha_5 \in_R F_q$, and next computes $\hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r$, $\hat{g}^r$, $h_2 = g^{\beta_2}$, $g_4 = g^{\alpha_4}$, $g_5 = g_4^{\alpha_5}$, $\hat{h}_2 = \hat{g}^{\beta_2}$, $\hat{g}_4 = \hat{g}^{\alpha_4}$, $\hat{g}_5 = \hat{g}_4^{\alpha_5}$. $\mathcal{B}$ sends the secret key tuple $(\hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r, \hat{g}^r, \hat{h}_2, \hat{g}_5, \alpha_4, \alpha_5)$ as well as the corresponding public key to $\mathcal{A}$. Finally, $\mathcal{B}$ stores $(ID, \hat{g}_2^{\alpha_1}(\hat{h}_1^{ID}\hat{g}_3)^r, \hat{g}^r, r, \hat{h}_2, \hat{g}_5, \alpha_4, \alpha_5)$ in $List_{sk}$.

2. Re-Encryption Key Queries. $\mathcal{A}$ issues the tuple $(ID_i, ID_j, w_i, w_j)$ to $\mathcal{B}$. $\mathcal{B}$ then recovers $(ID_i, \hat{g}_2^{\alpha_1}(\hat{h}_1^{ID_i}\hat{g}_3)^{r_{ID_i}}, \hat{g}^{r_{ID_i}}, r_{ID_i}, \alpha_4^{ID_i}, \alpha_5^{ID_i})$ and $(ID_j, \hat{g}_2^{\alpha_1}(\hat{h}_1^{ID_j}\hat{g}_3)^{r_{ID_j}}, \hat{g}^{r_{ID_j}}, r_{ID_j}, \alpha_4^{ID_j}, \alpha_5^{ID_j})$ from $List_{sk}$, and next computes $rk_2 = \hat{g}^{r_{ID_i} - r_{ID_j}}$, $rk_1 = (\hat{h}_1^{ID_i}\hat{g}_3)^{r_{ID_i}}(\hat{h}_1^{ID_j}\hat{g}_3)^{-r_{ID_j}}\hat{K}^{\nu}$, $rk_3 = \hat{g}^{\nu}$, and

$$rk_4 = \frac{\sigma_{i \to j}}{\sigma_{o \to i}} \cdot \frac{\alpha_4^{ID_j}\alpha_5^{ID_j} - \alpha_4^{ID_j} w_j^{ID_j}}{\left(\alpha_4^{ID_i}\alpha_5^{ID_i} - \alpha_4^{ID_i} w_i^{ID_i}\right)\left(\delta_i / \delta_i^*\right)}$$

as in the real scheme, where $\nu \in_R F_q$ and the values of $\sigma$ and $\delta$ are taken from $List_{rk}$ and $List_{up}$. Finally, $\mathcal{B}$ sends the tuple $(rk_1, rk_2, rk_3, rk_4)$ to $\mathcal{A}$. Besides, $\mathcal{B}$ publicly publishes an encryption of $\sigma_{i \to j}$, and adds $\sigma_{i \to j}$ to the corresponding tuple stored in $List_{up}$.

3. Keyword Update Token Queries. $\mathcal{A}$ issues a tuple $(ID, w_i, w_j)$ to $\mathcal{B}$. $\mathcal{B}$ returns $uptk_{w_i \to w_j} = (\alpha_5 - w_j)\delta_j / ((\alpha_5 - w_i)\delta_i)$, where $\alpha_4, \alpha_5$ and $\delta_i, \delta_j$ are recovered from $List_{sk}$ and $List_{up}$, respectively, corresponding to the $ID$ item.

4. Search Token Queries. After receiving the query tuple $(ID, w_i)$, $\mathcal{B}$ recovers $\hat{h}_2, \alpha_5$ from $List_{sk}$ and the values of $\delta, \sigma$ from $List_{up}$, and further computes $tk_1 = r_{tk}$ and $tk_2 = (\hat{h}_2 \hat{g}_4^{-r_{tk}})^{\delta_i^* / ((\alpha_5 - w_i)\delta_i \sigma)}$, where $r_{tk} \in_R F_q$.

• Challenge Phase. $\mathcal{A}$ commits to $m_0, m_1, w^*$ and $ID^*$. $\mathcal{B}$ chooses $\xi, t \in_R F_q$, and computes $CT^*$ as $C_1 = e(g, \hat{g})^{\xi}$, $C_2 = g^t$, $C_3 = (h_1^{ID^*} g_3)^t$, $C_4 = (g_5^* g_4^{*\,-w^*})^t$, $C_5 = e(g_4^*, \hat{g}_4^*)^t$, $C_6 = H_1(e(h_2^*, \hat{g}_4^*)^t)$, and $C_7 = K^t$, where $h_2^*, g_4^*, \hat{g}_4^*, g_5^*$ are the public key elements of $ID^*$ generated by $\mathcal{B}$ as in the real scheme.

• Phase 2. Same as Phase 1, subject to the restrictions of the oracles defined above.

• Guess. $\mathcal{A}$ outputs a guess bit $b'$.

Before proceeding, we assume the following: $\mathcal{A}$ can query the group oracles using its responses from the simulation and some intermediate values obtained from the oracles; there are $q$ distinct values in the ranges of $\delta_{1,2,T}$ with probability $1 - O(1/q)$. We view an oracle query as a rational function $f = x/y$ in the variables $\xi, \beta_z, \alpha_l, \theta, t, \nu$ and the random factors $\delta$ and $\sigma$, where $z \in \{1, 2\}$ and $l \in [1, 5]$. We consider a collision event where two queries for two distinct rational functions $f = x/y$ and $f' = x'/y'$, under the random choice of the variables, yield the same output. For any query pair (in $G_1$, $G_2$ or $G_T$) corresponding to two distinct $f$ and $f'$, a collision happens only if the non-zero polynomial $xy' - x'y$ evaluates to zero, where the total degree of the polynomial is at most 7. By the Schwartz-Zippel lemma [32, 39], the probability of the collision is at most $O(1/q)$. By a union bound, we have $O(Q_1^2/q)$. Therefore, our simulation has no collision event with probability $1 - O(Q_1^2/q)$.

We now consider the view of $\mathcal{A}$ in the case where $\xi = \alpha_1\alpha_2 t$. Since there is no collision for queries to oracles (with overwhelming probability) and each group element (returned by $\mathcal{B}$) is uniformly chosen, the view of $\mathcal{A}$ should be identically distributed. However, one remaining possibility that $\mathcal{A}$'s view differs in the above case is that there are two distinct queries $f$ and $f'$ to $G_T$ yielding the same output. Since $\xi$ is an exponent of the element in $G_T$, some additive computation can output an exponent $\gamma\xi$ with a non-zero $\gamma$. Similarly, we have $\gamma'\alpha_1\alpha_2 t$ as well. Accordingly, we have $f - f' = \gamma\xi - \gamma'\alpha_1\alpha_2 t$, and then $f - f' - \gamma\xi = \gamma'\alpha_1\alpha_2 t$. For the equation to hold, $\mathcal{A}$ has to obtain the element with exponent $\gamma'\alpha_1\alpha_2 t$ from queries to $G_T$. Namely, if $\mathcal{A}$ can obtain the element, it can tell the difference so as to win the game.

We show that $\mathcal{A}$ cannot construct a query for $e(g, \hat{g})^{\gamma'\alpha_1\alpha_2 t}$ for some constant $\gamma'$. Since our system is built on top of asymmetric pairing groups, it is much easier to make observations on oracle queries. By observation, only group $G_1$ provides elements with exponent $t$, namely $g^t$, $g^{\theta t}$, $g^{(\beta_1 ID + \alpha_3)t}$ and $g^{(\alpha_4\alpha_5 - \alpha_4 w)t}$. Since there are no factors $1/\theta$, $1/\beta_1$ and $1/\alpha_3$ in group $G_2$ for eliminating the corresponding exponents, $\mathcal{A}$ may consider the elements $g^t$ and $g^{(\alpha_4\alpha_5 - \alpha_4 w)t}$. Recall that $\alpha_4, \alpha_5 \in F_q$ are designed for the keyword description field, which is unrelated to the target component; $\mathcal{A}$ should therefore concentrate on $g^t$. We note that $\mathcal{A}$ is also given an element $e(g^{\alpha_4}, \hat{g}^{\alpha_4})^t$ in $G_T$. However, it does not help $\mathcal{A}$ to break the game, as it can only be used for additive operations (we will later show that this element fails to help $\mathcal{A}$ win the game).

Given $g^t$, $\mathcal{A}$ needs elements with exponent $k\alpha_1\alpha_2$ in group $G_2$. There is a $\hat{g}^{\alpha_1\alpha_2 + (ID\beta_1 + \alpha_3)r}$ satisfying the requirement. $\mathcal{A}$ accordingly has $K_1 = t(\alpha_1\alpha_2 + (ID_i\beta_1 + \alpha_3)r_{ID_i}) = \alpha_1\alpha_2 t + ID_i\beta_1 r_{ID_i} t + \alpha_3 r_{ID_i} t$, where $i$ is the index of the $i$-th query. To cancel out the part $ID_i\beta_1 r_{ID_i} t + \alpha_3 r_{ID_i} t$, $\mathcal{A}$ needs to find a $g^t$ and elements with exponents $\beta_1 r_{ID_i}$ and $\alpha_3 r_{ID_i}$ in $G_2$. By observation, $\mathcal{A}$ has $K_2 = (\beta_1 ID_i + \alpha_3)r_{ID_i} - (\beta_1 ID_j + \alpha_3)r_{ID_j} + \theta\nu$, such that it can create a query $\alpha_1\alpha_2 t + t\beta_1 ID_j r_{ID_j} + t\alpha_3 r_{ID_j} - \theta\nu t$ by subtracting $tK_2$ from $K_1$. This computation indicates that the given ciphertext under $ID_i$ is re-encrypted to $ID_j$. We set $K_3 = \alpha_1\alpha_2 t + \Delta - \theta\nu t$. Since $\mathcal{A}$ is given $g^{\theta t}$ and $\hat{g}^{\nu}$, it can cancel out the last part of $K_3$ to have $K_4 = \alpha_1\alpha_2 t + \Delta$.

If $\mathcal{A}$ finds a way to eliminate $\Delta$, it can recover $\alpha_1\alpha_2 t$ from $K_4$. It can be seen that $\mathcal{A}$ only needs to make a query between $g^{(\beta_1 ID_j + \alpha_3)t}$ and a "special" $\hat{g}^{r_{ID_j}}$. Recall that a pair of identities $ID_i, ID_j$ in a re-encryption key cannot be corrupted by $\mathcal{A}$ in the security game if one of them has a re-encryption path with $ID^*$ (see Definition 2). In addition, it is not difficult to see that $K_4$ is computed from the elements of the challenge ciphertext. Therefore, the special element $\hat{g}^{r_{ID_j}}$, one of the secret key $sk_{ID_j}$ elements, will not be given to $\mathcal{A}$. There is no other term $\mathcal{A}$ gains access to that can cancel out the part $\Delta$ of $K_4$. Therefore, $\mathcal{A}$ cannot construct a query for $e(g, \hat{g})^{\gamma'\alpha_1\alpha_2 t}$ with some constant $\gamma'$.

Theorem 2. Let $Q_2$ be a bound on the total number of group elements an adversary $\mathcal{A}$ receives from queries to the hash function, the groups $G_1, G_2, G_T$ and the bilinear map $e$, and from interactions with the keyword privacy game. Then the advantage of $\mathcal{A}$ in winning the game is $O(Q_2^2/q)$.

Due to limited space, we omit the proof details.

4.2 Theoretical Efficiency Analysis

Theoretical Analysis. We first present the efficiency analysis at the theoretical level, and then show the practical implementation analysis in the next section. For the computational cost analysis, we consider the exponentiation cost in $G_1$, $G_2$ and $G_T$ and the pairing cost in $G_T$ on the system user side, the trusted PKG side and the cloud server side; for the communication cost analysis, we count the group elements of $G_1, G_2, G_T$ consumed in the communication channels from user to server, trusted PKG to user, and trusted PKG to server.

Before proceeding, we define the following notation. We let $e_1$, $e_2$ and $e_3$ represent one exponentiation in $G_1$, $G_2$ and $G_T$ respectively, $p$ denote one pairing computation, $pk$ denote the public key of a system user, $sk$ the secret key, $TK$ a search token, $rk$ a re-encryption key, $uptk$ a keyword update token, and $CT$ a ciphertext.

From Table 2 and Table 3, we can see that at least half of the system complexity is offloaded to the trusted PKG and the cloud server, such that a system user only bears reasonable and acceptable complexity, $9e_1 + 2e_2 + 5p$ for computation and $2Z_q + 5G_1 + 1G_2 + G_T$ for communication, to fulfil the data search, share and keyword update tasks. Since we employ asymmetric pairing groups in our construction, the practical efficiency outperforms systems built on symmetric pairing groups. The numbers shown in the two tables are summed up at a general level; a specific practical implementation is given in the next section.

Table 3: Theoretical Communication Cost

Groups   pk   sk   TK   rk   uptk   CT
Zq        0    3    1    1    1      0
G1        3    0    0    0    0      5
G2        1    4    1    3    0      0
GT        0    0    0    0    0      2

Trusted PKG → User     3Zq + 3G1 + 5G2
Trusted PKG → Server   2Zq + 4G2
User → Server          2Zq + 5G1 + 1G2 + GT
Total                  6Zq + 8G1 + 9G2 + GT

4.3 Practical Simulation

We further implement our scheme using the PBC library [27], which is one of the best-known and most widely used libraries for pairing computation. We choose the asymmetric pairing constructed on ordinary curves with embedding degree 6, whose order is a prime or a prime multiplied by a small constant. It was first discovered by Miyaji, Nakabayashi and Takano [31], and it is usually more efficient than other curves. The simulation is performed on a Mac Pro with a 2.2GHz Intel Core i7 and 16GB 1600MHz DDR3 memory. Similar to the theoretical analysis, we present our practical simulation results in Table 4.

Table 4: Practical Computational Cost (second)

Server Side               0.00632
Trusted Authority Side    0.074575
User Side                 0.133137
Total                     0.214032

From Table 4, it is clear that the simulation verifies our theoretical analysis: the workload of the user is indeed reduced significantly. In Table 4 (computational cost), the server takes charge of the update and search algorithms with a running time of 0.00632 second. The trusted authority is responsible for the key generation algorithm, and its running time is 0.074575 second. Finally, users perform the encryption, token generation, re-key generation, token update and decryption algorithms, which all together take about 0.133137 second.

As for the communication cost, we need the length of elements in the groups $G_1$, $G_2$, $G_T$ and $Z_q$. According to the implementation of the MNT curve, the group elements are 40, 120, 120 and 20 bytes in length, respectively. As a result, 810 bytes of key data are sent from the trusted authority to the user, and another 520 bytes of data are sent from the trusted authority to the server side. The data communication cost from user to server comes from the ciphertext and token delivery as well as the search query, which costs about 480 bytes. In total the practical communication cost is about 1810 bytes.

Table 5: Practical Communication Cost (bytes)

Trusted Authority → User     810
Trusted Authority → Server   520
User → Server                480
Total                       1810

Furthermore, we design a scenario to specifically demonstrate the searching efficiency (in Figure 3), which is crucial in the cloud environment. In this scenario, for a fixed $ID$, we prepare many messages and the corresponding descriptions. For each message and its description, we perform the encryption and token generation procedures and upload them to the server. We randomly pick one of the messages and the corresponding token as the query target and simulate the search. For accuracy, the searching time is computed by averaging 500 runs. Notice that we use a linear searching strategy here for simplicity; if a more advanced data structure were used, the exact searching time could be improved.

From the figure, we can clearly see the trend of the searching time as the number of files grows large, which shows an approximately linear relationship. Even under the linear search simulation, the time cost is rather low: for a large number of files, say 1000, it takes less than 3 seconds. We could perform the simulation on even larger file sets, but since the simulation has demonstrated the linear relationship, we omit that case here. The linear relationship provides confident evidence that our scheme is capable of dealing with large-scale file sets on the cloud. Note that a sophisticated data structure and searching algorithm may improve the exact speed dramatically.

Our scheme can also support one ciphertext tagged with multiple keywords rather than the single keyword in the above experiment. The corresponding experiment can easily be designed as before. With careful observation, we find that the basic computational cost for each ciphertext and token component is unchanged, while the number of components increases linearly with the number of keywords. As a result, our scheme is still efficient in this situation, and due to the simple linear relationship, we omit the further experiment on this scenario.

5. CONCLUSIONS

We defined an encrypted cloud-based data share and search (with keyword update) framework as well as its security notion. We proposed a novel system satisfying the notion by leveraging identity-based encryption, asymmetric pairing group conversion, identity-based proxy re-encryption and searchable encryption technologies. We proved the system secure in the generic bilinear group model. Our system is cost-effective and allows system users to update the keyword field at any time. The efficiency analysis showed its great potential for applications on large scale databases. We will take the verifiable feature and the privacy of search and access patterns into account in our future work. We will consider how to resist off-line keyword guessing attacks in the context of public-key based encryption. We also strongly encourage further research that can place our security proof on a firmer theoretical foundation.

Table 2: Theoretical Computation Cost

Cost   KeyGen   TKGen   ReKeyGen   UpTKGen   Enc   Re-Enc   Update   Search   Dec
e1       3        0        0          0        9      1        1        0       0
e2       6        2        4          0        0      0        0        0       0
e3       0        0        0          0        0      0        0        1       0
p        0        0        0          0        3      3        0        1       2

Server Side        2e1 + 4p
Trusted PKG Side   3e1 + 10e2
User Side          9e1 + 2e2 + 5p
Total              14e1 + 12e2 + e3 + 9p

Figure 3: Time complexity for large scale searching

6. ACKNOWLEDGMENTS

We acknowledge the anonymous reviewers and Prof. G. Ateniese's helpful comments. K. Liang is supported by privacy-aware retrieval and modelling of genomic data (PRIGENDA, No. 13283250), the Academy of Finland. C. Su is partly supported by JSPS KAKENHI 15K16005. Joseph K. Liu is supported by the National Natural Science Foundation of China (61472083). This work was partially supported by COST Action IC1306.

7. REFERENCES

[1] M. Abdalla, M. Bellare, D. Catalano, E. Kiltz, T. Kohno, T. Lange, J. Malone-Lee, G. Neven, P. Paillier, and H. Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. J. Cryptology, 21(3):350–391, 2008.

[2] M. Bellare, A. Boldyreva, and A. O'Neill. Deterministic and efficiently searchable encryption. In CRYPTO 2007, volume 4622 of LNCS, pages 535–552. Springer, 2007.

[3] S. Benabbas, R. Gennaro, and Y. Vahlis. Verifiable delegation of computation over large datasets. In P. Rogaway, editor, CRYPTO 2011, volume 6841 of LNCS, pages 111–131. Springer, 2011.

[4] M. Blaze, G. Bleumer, and M. Strauss. Divertible protocols and atomic proxy cryptography. In EUROCRYPT '98, pages 127–144. Springer, 1998.

[5] D. Boneh, X. Boyen, and E.-J. Goh. Hierarchical identity based encryption with constant size ciphertext. In EUROCRYPT '05, volume 3494 of LNCS, pages 440–456. Springer, 2005.

[6] D. Boneh, G. D. Crescenzo, R. Ostrovsky, and G. Persiano. Public key encryption with keyword search. In EUROCRYPT 2004, volume 3027 of LNCS, pages 506–522. Springer, 2004.

[7] D. Boneh and B. Waters. Conjunctive, subset, and range queries on encrypted data. In TCC 2007, volume 4392 of LNCS, pages 535–554. Springer, 2007.

[8] R. Canetti and S. Hohenberger. Chosen-ciphertextsecure proxy re-encryption. In CCS 2007, pages185–194. ACM, 2007.

[9] M. Chase and S. Kamara. Structured encryption andcontrolled disclosure. In ASIACRYPT 2010, volume6477 of LNCS, pages 577–594. Springer, 2010.

[10] R. Cramer and V. Shoup. Design and analysis ofpractical public-key encryption schemes secure againstadaptive chosen ciphertext attack. SIAM J. Comput.,33(1):167–226, January 2004.

[11] L. Fang, W. Susilo, C. Ge, and J. Wang.Chosen-ciphertext secure anonymous conditionalproxy re-encryption with keyword search. Theor.Comput. Sci., 462:39–58, 2012.

[12] C. Gentry. Practical identity-based encryption withoutrandom oracles. In EUROCRYPT ’06, volume 4004 ofLNCS, pages 445–464. Springer, 2006.

[13] P. Golle, J. Staddon, and B. R. Waters. Secureconjunctive keyword search over encrypted data. InACNS 2004, volume 3089 of LNCS, pages 31–45.Springer, 2004.

[14] M. Green and G. Ateniese. Identity-based proxyre-encryption. In ACNS ’07, volume 4512 of LNCS,pages 288–306. Springer, 2007.

[15] S. Hohenberger and B. Waters. Attribute-basedencryption with fast decryption. In PKC 2013, volume7778 of LNCS, pages 162–179. Springer, 2013.

Page 12: Efficient Multi-Function Data Sharing and …users.monash.edu.au/~kailiu/mypaper/asiaccs2016-2.pdfEfficient Multi-Function Data Sharing and Searching Mechanism for Cloud-Based Encrypted

[16] C. Hu and P. Liu. An enhanced searchable public keyencryption scheme with a designated tester and itsextensions. Journal of Computers, 7(3):716–723, 2012.

[17] Y. Hwang and P. Lee. Public key encryption withconjunctive keyword search and its extension to amulti-user system. In Pairing 2007, volume 4575 ofLNCS, pages 2–22. Springer, 2007.

[18] T. Jiang, X. Chen, J. Li, D. S. Wong, J. Ma, and J. K.Liu. TIMER: secure and reliable cloud storage againstdata re-outsourcing. In ISPEC 2014, volume 8434 ofLNCS, pages 346–358. Springer, 2014.

[19] K. Liang, M. H. Au, J. K. Liu, W. Susilo, D. S. Wong,G. Yang, T. V. X. Phuong, and Q. Xie. A DFA-basedfunctional proxy re-encryption scheme for securepublic cloud data sharing. IEEE Transactions onInformation Forensics and Security, 9(10):1667–1680,2014.

[20] K. Liang, M. H. Au, W. Susilo, D. S. Wong, G. Yang,and Y. Yu. An adaptively cca-secure ciphertext-policyattribute-based proxy re-encryption for cloud datasharing. In ISPEC 2014, volume 8434 of LNCS, pages448–461, 2014.

[21] K. Liang, C. Chu, X. Tan, D. S. Wong, C. Tang, andJ. Zhou. Chosen-ciphertext secure multi-hopidentity-based conditional proxy re-encryption withconstant-size ciphertexts. Theor. Comput. Sci.,539:87–105, 2014.

[22] K. Liang, L. Fang, D. S. Wong, and W. Susilo. Aciphertext-policy attribute-based proxy re-encryptionscheme for data sharing in public clouds. Concurrencyand Computation: Practice and Experience,27(8):2004–2027, 2015.

[23] K. Liang, J. K. Liu, D. S. Wong, and W. Susilo. Anefficient cloud-based revocable identity-based proxyre-encryption scheme for public clouds data sharing.In ESORICS 2014, Part I, volume 8712 of LNCS,pages 257–272, 2014.

[24] K. Liang and W. Susilo. Searchable attribute-basedmechanism with efficient data sharing for secure cloudstorage. IEEE Transactions on Information Forensicsand Security, 10(9):1981–1992, 2015.

[25] K. Liang, W. Susilo, J. K. Liu, and D. S. Wong.Efficient and fully CCA secure conditional proxyre-encryption from hierarchical identity-basedencryption. Comput. J., 58(10):2778–2792, 2015.

[26] B. Libert and D. Vergnaud. Unidirectionalchosen-ciphertext secure proxy re-encryption. InPKC’08, volume 4939 of PKC’08, pages 360–379.Springer, 2008.

[27] P. Library. http://crypto.stanford.edu/pbc, 2006.Online; accessed 18-Sep-2015.

[28] J. K. Liu, M. H. Au, W. Susilo, K. Liang, R. Lu, andB. Srinivasan. Secure sharing and searching forreal-time video data in mobile cloud. IEEE Network,29(2):46–50, 2015.

[29] J. K. Liu, C. Chu, S. S. M. Chow, X. Huang, M. H.Au, and J. Zhou. Time-bound anonymousauthentication for roaming networks. IEEETransactions on Information Forensics and Security,10(1):178–189, 2015.

[30] M. Mambo and E. Okamoto. Proxy cryptosystems:

Delegation of the power to decrypt ciphertexts. IEICETransactions, E80-A(1):54–63, 1997.

[31] A. Miyaji, M. Nakabayashi, and S. Takano. Newexplicit conditions of elliptic curve traces forFR-reduction. IEICE transactions on fundamentals ofelectronics, communications and computer sciences,84(5):1234–1243, 2001.

[32] J. T. Schwartz. Fast probabilistic algorithms forverification of polynomial identities. J. ACM,27(4):701–717, 1980.

[33] J. Shao, Z. Cao, X. Liang, and H. Lin. Proxyre-encryption with keyword search. Inf. Sci.,180(13):2576–2587, 2010.

[34] E. Shi, J. Bethencourt, H. T. Chan, D. X. Song, andA. Perrig. Multi-dimensional range query overencrypted data. In 2007 IEEE Symposium on Securityand Privacy (S&P 2007), pages 350–364. IEEEComputer Society, 2007.

[35] D. X. Song, D. Wagner, and A. Perrig. Practicaltechniques for searches on encrypted data. In 2000IEEE Symposium on Security and Privacy, pages44–55. IEEE Computer Society, 2000.

[36] B. Waters. Efficient identity-based encryption withoutrandom oracles. In EUROCRYPT 2005, volume 3494of LNCS, pages 114–127, 2005.

[37] P. Xu, H. Jin, Q. Wu, and W. Wang. Public-keyencryption with fuzzy keyword search: A provablysecure scheme under keyword guessing attack. IEEETrans. Computers, 62(11):2266–2277, 2013.

[38] Q. Zheng, S. Xu, and G. Ateniese. VABKS: verifiableattribute-based keyword search over outsourcedencrypted data. In INFOCOM 2014, pages 522–530.IEEE, 2014.

[39] R. Zippel. Probabilistic algorithms for sparsepolynomials. In EUROSAM 1979, volume 72 of LNCS,pages 216–226. Springer, 1979.
