About the Authors:

Shangping Wang

Roles Writing – review & editing

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

Tingting Gao

Roles Writing – original draft

* E-mail: [email protected]

Affiliation: School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China

ORCID logo http://orcid.org/0000-0003-2485-9541

Yaling Zhang

Roles Software

Affiliation: School of Computer Science and Engineering, Xi’an University of Technology, Xi’an, Shaanxi, China

Abstract

With the development of outsourcing data services, data security has become an urgent problem that needs to be solved. Attribute-based encryption is a valid solution to data security in cloud storage. There is no existing scheme that can guarantee the privacy of access structures and achieve attribute-based encryption with keyword search and attribute revocation. In this article, we propose a new searchable and revocable multi-data owner attribute-based encryption scheme with a hidden policy in cloud storage. In the new scheme, the same access policy is used in both the keyword index and message encryption. The advantage of keyword index with access policy is that as long as a user’s attributes satisfy the access policy, the searched ciphertext can be correctly decrypted. This property improves the accuracy of the search results. The hidden policy is used in both the ciphertext and the keyword index to protect users’ privacy. The new scheme contains attribute revocation, which is suitable for the actual situation that a user’s attributes maybe changed over time. In the general bilinear group model, the security of the scheme is demonstrated, and the efficiency of the scheme is analyzed.

Figures

Fig 2

Fig 1

Table 1

Table 2

Fig 2

Fig 1

Table 1

Table 2

Citation: Wang S, Gao T, Zhang Y (2018) Searchable and revocable multi-data owner attribute-based encryption scheme with hidden policy in cloud storage. PLoS ONE 13(11): e0206126. https://doi.org/10.1371/journal.pone.0206126

Editor: Feng Lin, University of Colorado Denver, UNITED STATES

Received: March 14, 2018; Accepted: October 8, 2018; Published: November 1, 2018

Copyright: © 2018 Wang et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper and its Supporting Information files.

Funding: This research is supported by the National Natural Science Foundation of China (No. 61572019, http://www.nsfc.gov.cn) to SW, the Key Project of Research Foundation of Natural Science Foundation of Shaanxi Province of China (NO. 2016JZ001, http://www.sninfo.gov.cn/) to SW. The funders had no role in study design, data collection and analysis, decision to publish, or preparation of the manuscript.

Competing interests: The authors have declared that no competing interests exist.

1. Introduction

With technological developments, enterprise and personal data, photos, documents, and even health records maybe outsourced to cloud storage. Jiang D et al. [1] proposed a way to solve the network routing problem in cloud computing, it can achieve higher network energy efficiency for cloud computing. Siddiqui Z et al. [2] proposed in the dynamic cloud environment, the application of telemedicine information system provides convenience for patients and doctors. Along with the many benefits that cloud storage provides, it also presents serious data security problems. The data uploaded to the cloud should be encrypted to prevent information leakage. However, traditional encryption methods cannot be used to achieve access control and keyword searches. Therefore, we ask the following question. How can the data owners encrypt their data and enable both access control and quick searching in cloud storage?

Waqar A et al. [3] proposed a framework for preservation of cloud users' data privacy using dynamic reconstruction of metadata, it can protect the cloud users’ data privacy. Lin H Y et al. [4] proposed a scheme by use of threshold encryption and group signature mechanism to ensure the security of transmission data, it can ensure that the split and merged messages are not broken.

In traditional public-key cryptography, a message is encrypted for a specific receiver using the receiver’s public-key. Identity-based cryptography and in particular identity-based encryption (IBE) changed the traditional understanding of public-key cryptography by allowing the public-key to be an arbitrary string, e.g., the email address of the receiver. ABE goes one step further and defines the identity not atomic but as a set of attributes, e.g., roles, and messages can be encrypted with respect to subsets of attributes (key-policy ABE—KP-ABE) or policies defined over a set of attributes (ciphertext-policy ABE—CP-ABE). The key issue is, that someone should only be able to decrypt a ciphertext if the person holds a key for “matching attributes” (more below) where user keys are always issued by some trusted party. Attribute-based encryption technology can not only protect the privacy of data, but also solve the problem of information sharing in practical application. For attribute-based encryption scheme, data access control is an effective way to ensure data security. Attribute-based encryption enables fine-grained access control for data. A security issue in the cloud environment is the search problem. The data in cloud servers is stored in ciphertext, which guarantees the privacy of data. Once a user needs to find a relevant document containing a keyword, he will encounter the problem of how to search. The server performs a search operation, but does not know what the user is searching for. It can effectively protect the privacy of user search. Of course, in a cloud storage system, data access is not static. For example, if an employee is fired or promoted, the corresponding attribute needs to be changed. The attribute encryption technology supports multiple data owners to upload encrypted personal information records, and can conduct multiple keyword searches. It also allows data owners to search for different periods of time for multiple users.

In the existing attribute-based encryption schemes, the cloud server must know the accessing strategy to perform the keyword search operation. This requirement makes it a difficult task to simultaneously achieve searchability and protect the privacy of the access control. The hidden strategy can protect the privacy of the user's attributes, and the user's attributes may frequently change in practice. Therefore, the attribute revocation mechanism is essential. An attribute change for a single user may lead to changes of other users’ private keys that are associated with the attribute and even the changes of the ciphertext corresponding to the attribute.

How to structure a searchable and revocable attribute-based encryption scheme with hidden policy for multi-data owners in cloud storage is a challenging problem.

1.1 Advantages of the scheme

In this scheme, we proposed a searchable and revocable attribute-based encryption scheme with hidden policy for multi-data owners in cloud storage. The primary advantages of the scheme are summed up as follows:

* In our new scheme, the same access policy is used in message encryption and keyword index construction. The benefit of using the access policy in the construction of the keyword index is that as long as a user’s attributes satisfy the access structure, when the user submits a search token containing the secret attribute key to the search server, the search server can search the documents the user is interested in. The search results can then be decrypted by the user. Thus, the access policy is considered in the search process, which improves the accuracy of the search results.

* The access policy is hidden in the ciphertext and keyword index. The hidden policy can protect the privacy of the user's attributes.

* This scheme has the function of attribute revocation. If a user’s attribute changes, the index, ciphertext and private key connected with the attribute can be updated in time to ensure the security of the information.

* A search server is introduced in the system. It is used to store the keyword index. The ciphertext is stored in the cloud storage server. A keyword search is performed by the search server. For an authenticated user, the user gives the corresponding search token to a search server, and a search server responds to the search. When his attributes satisfy the access control structure and the given keyword is matched, a search server notifies the cloud storage server to send the relevant ciphertext to the user for decryption.

* In the general bilinear group model, it is demonstrated that the keyword index is secure under the keyword guessing attack and that the ciphertext is indistinguishable under the chosen-plaintext attack.

1.2 Related research

Attribute-based encryption (ABE).

Sahai and Waters [5] devised the first attribute-based encryption system, which was a historic breakthrough. Subsequently, Bethencourt, Sahai and Waters [6] in 2005 constructed an attribute encryption with ciphertext policy. The model can achieve fine-grained access control of ciphertext through attributes. There are two forms in the ABE: the ciphertext policy (CP−ABE) and the key policy (KP−ABE). In the ciphertext policy, access control policy is embedded in the encrypted ciphertext, and the private key is related to attribute set. Only when the attributes of the user meet the ciphertext policy can the ciphertext can be decrypted. In the key policy, the ciphertext is related to the description of the attribute set, and the user's private key is related to the access structure. The access policy is defined on the attribute set. When the attribute sets meet the access control, the private key of the attributes can decrypt the corresponding ciphertext. Ling and Newport [7] proposed a provable secure ciphertext policy ABE, but the access structure in their scheme can only support the gate condition. However, none of these schemes supports keyword search ([8, 9, 10]).

Attribute-based encryption with keyword search (ABKS).

Song et al. [11] proposed the first initial searchable encryption program. In addition to the search results, the server knew nothing about the search keyword. Miao Y et al.[12] proposed a secure cryptographic primitive called as attribute-based multi-keyword search over encrypted personal health records in multi-owner setting to support both fine-grained access control and multi-keyword search via Ciphertext-Policy Attribute-Based Encryption. In [13], the authors propose a searchable encryption scheme for keywords in the hidden strategy. If the data user's attributes do not meet the access policy, the user cannot obtain the information of the access policy and cannot search for the encrypted data. Its innovation lies in the construction of the keyword index for the concealed access structure. However, there is no attribute-based encryption, and there is only a single data owner in the scheme in this article, while in practical situations, there should be multi-data owners in the system. Zheng and Sun ([14, 15]) in 2014 proposed two attribute-based keyword search schemes (ABKS). A data owner grants the search ability to users through the setup of an access policy, which effectively improves the search efficiency. The cloud server sends corresponding find results to the user when the user's attributes meet the access control structure, which is specified by data owner. Tang Y et al. [16] constructed a multi-keyword search scheme that applied to the network environment, based on privacy protection and efficiency. Xia Z [17] proposed multiple keyword searches and dynamic updates in cloud storage. Zhong H et al.[18] proposed a decentralized multi-authority CP-ABE access control scheme supporting the user revocation. Guo C et al. [19] constructed the access control of individual cases stored in the cloud server, it can achieve fine-grained access control for EHR. Also it allows multiple users to search on different databases. Fan Y et al. [20] constructed a verifiable scheme to support multi-keyword search. Guo Z [21] proposed a multi-keyword sorting search and supported the sharing of search functions. However, none of these existing schemes can hide access structures [22].

Attribute-based encryption hidden policy.

Lai J et al. [23–26] provided some attribute-based hidden policy encryption schemes. In these schemes, access structure embedded in the ciphertext, for those attributes do not meet the access structure users cannot decrypt the ciphertext.

Attribute-based encryption revocation (ABER).

Tian et al. [27] proposed a revocable attribute-based encryption project. In this project, once a user is revoked, it is necessary to assign new keys to all other users in the system, except the revoked user. Then, a new encryption key re-encrypts the ciphertext. Thus, the revoked user can no longer decrypt the ciphertext. The method is not smart, because in practice the revoked users are only a small part and the majority of users are not revoked. Therefore, the method is infeasible. Zhihua Xia[28] presented an attribute-based access control project with valid revocation in cloud computing. The revocation is implemented using the version number of the private key, and the scheme also supports the backward security and forward security. The scheme is demonstrated to be effective and secure. Chen J [29] proposed an attribute-based encryption scheme with revocation and update in the cloud storage, in which the user is directly revoked. Li X et al. [30] proposed the revocation of two factors that are based on attribute encryption under the cloud storage, combining identity and attribute. Liu Z et al. [31] proposed a solution to update the user's access rights in a timely manner once the user's attributes change, and the data owner updates access control. In addition, there are some other articles that discuss the methods of attribute revocation for attribute-based encryption scheme ([32, 33, 34, 35, 36]).

2. Preliminaries

2.1 Bilinear map

Let be represented by a symmetric bilinear map , where λ is a security parameter, are three multiplicative cyclic groups with the same order of prime p, and are the generators of , respectively. The bilinear e meets the following four conditions:

1. Bilinearity: ;

2. Non-degeneracy: e(g1,g2) ≠ 1;

3. Efficiency: There is a valid polynomial time algorithm to compute e(g1,g2), ;

4. There is a valid, publicly calculated (no need reversible) isomorphism such that ψ(g2) = g1.

2.2 Generic bilinear group model

Let be defined as follows. In a general linear group model, three random codes are assumed as . is an addition group, and m>3logp. For i = 1,2,T, let . There are three oracles to compute the operation in the groups . There are oracles to compute non-degenerate linear maps .

2.3 Access structure

Definition 1. Index n attributes in the system can be denoted as U = {1,2,⋯,n}. For each attribute i∈U,let denote all the possible values for this attribute, where ni is the number of possible values for this attribute i. Suppose that L = {L1,L2⋯Ln} is a list of a user’s attributes, where Li∈Si. P = {P1,P2⋯Pn} is an access structure, where Pi⊆Si. Define L| = P if the attribute list L = {L1,L2⋯Ln} meets the access structure P = {P1,P2⋯Pn}. In other words Li∈Si, for all i,1≤i≤n.

System model and security model

3.1 System entities

Above all, the system framework is described in Fig 1.The framework includes the five main entities of the trusted authority, the cloud storage server, the search server, the multi-data owners, and multi-users. Particularly, the trusted authority controls the common parameters and distributes certified users’ private keys. The private key is related with the user's attribute list. The cloud storage server provides storage capabilities. Data owners encrypt messages, construct keyword indexes. Owners outsource encrypted messages to the cloud. The keyword index is outsourced to the search server, and the search server is responsible for matching. A certified data user in the system can generate a keyword search token related to his attributes’ private key. A search token is presented to a search server, and the search server searches for the keyword index. If the user’s attribute list meets the access structure implied in the keyword index, the successful search is returned to a cloud server. Next, the cloud storage server sends the ciphertext corresponding to the keyword index to the user.

[Figure omitted. See PDF.]

Fig 1. System model.

https://doi.org/10.1371/journal.pone.0206126.g001

3.2 Function definition

Definition 2: Our scheme contains a set of polynomial time algorithms(1)as described below.

Setup (1λ)→(msk,pp): The algorithm is executed by a trusted authentication attribute authority. It takes the security parameter λ as an input and outputs the public parameter pp and the master key msk.

KeyGen (msk,pp,L)→sk: The algorithm is used to produce a user's private key by a trusted authority. It takes the master key msk, the public parameter pp,and the users attribute list L as the inputs. It outputs the key sk associated with L.

Encryption (pp,m,P)→ct: A data owner executes the algorithm. It takes the common parameters pp,a message m, and one access control p as inputs. It outputs a ciphertex ct.

Encrypt-Index (pp,w,P)→Index: A data owner executes the algorithm. It takes the common parameters pp, a set of keywords w, and an access control structure p as inputs. It then exports the key Index.

GenToken (sk,w)→tok: A data user executes the algorithm to produce search tokens for queries. It takes the input private key sk and a keyword w as inputs. It then exports the keyword search token tok.

Search (tok,Index)→{0,1}: A search server runs the algorithm. It takes the keyword index Index←(pp,w,P) and a search token tok←(sk,w′) as inputs. It then outputs 1 if L↦P and w = w′. Otherwise, it outputs 0.

Decryption (CT,sk)→m: A data user executes the decryption algorithm. It takes the ciphertext ct and the decryption key sk as inputs and outputs message m.

CTUpdate , The cloud storage server executes the ciphertext update algorithm. It takes ciphertext ct and update operator (vi,j,ui,j) as inputs. It then outputs the updated ciphertext ct′.

SKUpdate : The authority executes the user's private key update algorithm. It takes the user's private key and the update operator (vi,j,ui,j) as inputs. It then outputs the updated key sk′.

IndexUpdate :The search server executes the update index algorithm. It takes the update operator (vi,j,ui,j)as an input and then exports the updated index Index′.

3.3 Security definition

1.The secure game of indistinguishability of keyword index under the selective keyword attack with hidden policy.

System establishment: The adversary selects two access control strategies P0,P1.He needs to send them to the challenger. The challenger selects safety parameters λ and runs the Setup(λ) algorithm, generating public parameters pp and mask secret key msk.The challenger gives the public parameter pp to the adversary and leaves the master secret key msk.

Phase 1. The adversary selects a list of attributes L such that L| ≠ P0∧L| ≠ P1. He then asks in polynomials times as follows:

OKeyGen(L). The challenger generates the private key sk though KeyGen (msk,pp,L)→sk and gives it to the adversary.

OGenToken(L,w). The challenger generates sk through OKenGen(L). He then runs the token-generating algorithm GenToken (sk,w)→tok to get the token and return it to the adversary.

Challenge. The adversary submits two challenge keywords w0,w1 to the challenger. The condition is that the adversary has not asked for any search tokens of w0,w1. The challenger chooses a random bit b∈{0,1}. He then produces the index Ib by the index generating algorithm for keyword wb under policy Pb, and returns the index Ib to the adversary .

Phase 2. The adversary can still query similar to Phase 1.The restricted condition is w ≠ w0,w1.

Guess: The adversary outputs a guess b′ for b. If b′ = b, then the adversary wins this game.

The adversary's advantage in the game is defined as(2)

If there is no polynomial time, the adversary can win the above game with a non-negligible advantage. Next, the scheme is called secure in the sense of the indistinguishability of keyword index under the selective keyword attack with the hidden policy.

2. The secure game of indistinguishability of ciphertext under the selective plain-text attack with the hidden policy.

System establishment. The adversary selects two access control strategies P0,P1. He then transmits them to a challenger. The challenger selects the safety parameter λ and runs the Setup(λ) algorithm, generating public parameters pp and master secret key msk.The challenger gives the public parameter pp to the adversary and later leaves the master secret key msk.

Phase 1. The adversary selects a list of attributes L such that L| ≠ P0∧L| ≠ P1 and asks in polynomials times as follows OKeyGen(L).The challenger generates the private key sk though KeyGen (msk,pp,L)→sk and provides it to the adversary.

Challenge. The adversary submits two equal length messages m0,m1 to the challenger. The challenger selects a random bit b∈{0,1}. He subsequently generates the ciphertext ctb by the encryption algorithm for message mb under policy Pb and returns the ciphertext ctb to the adversary .

Phase 2. The adversary can still query similar as Phase 1.

Guess. The adversary exports a guess b′ for b. If b′ = b, then he wins this game. The adversary's advantage in the game is defined as(3)

If there is no polynomial time adversary that can win the above game with a non-negligible advantage, then the scheme is called the secure model of indistinguishability of ciphertext under the selective plain-text attack with hidden policy.

4. Scheme construction

In this part, we will propose a searchable and revocable attribute-based encryption scheme with a hidden policy in cloud storage. Our new scheme achieves encryption and keyword search and attribute revocation. The access control policy consists of a set of AND gates. In the system we assume that there are n attributes, and all the attributes are labeled as {1,2,⋯n}.

4.1 Motivation

Authors in [13] proposed a searchable encryption scheme with the hidden strategy, and the hidden strategy is a major feature of the scheme. However, we find that the scheme is correct only if the data owner and the data user are the same one, this error is not easy to find as they use the same parameter r for the data owner and data user. Here we will give a detail analysis, in order to demonstrate this problem, we use different parameter r for the data owner and data user.

The data owner’s parameters can be denoted by in which r0 is randomly selected by the data owner, x0 is randomly selected by attribute authority for the data owner. Data user’s parameters denoted by ,in which ru is randomly selected by the data user, xu is randomly selected by attribute authority for the data user. In the search algorithm, the match equation should be , but if the data owner and the data user are not the same one, we find that , which is not equal to except for r0 = ru. Thus the original scheme is correct only for the data owner and the data user are same one. This limits the usefulness of the scheme in [13].

To overcome these problems, we improve the scheme in reference [13].We will take the public parameter r and design a new scheme that accounts for multiple data owners. Another improvement of our new scheme is to simplify the hash function with a key [13] to a general hash function without a key to increase the practicality of the scheme. Since all users in the system share a secret key for the hash function, it is actually not secure, and the server can easily collude with a user to get the key. We also add attribute encryption and attribute revocation to make the scheme feasible and retain the advantages of the hidden access structure.

4.2 Our construction

The scheme consists of the following algorithms.

* Setup(1λ): Input the security parameter λ. Then, the algorithm produces the public parameters and the master secret key as follows:

1. , where e is a symmetric bilinear mapping e:. g1,g2 are the generators of , respectively. are three multiplicative cyclic groups of prime orders p. is a secure hash function.

2. For each attribute i,1≤i≤n. Let be a set of all possible values of attribute i. It generates a random values set for attribute i and calculates .It chooses , and calculates , and . It chooses a random number and publishes it and then calculates , I0 = Br. The public parameter pp and the master secret key msk are set as follows:(4)(5)

* KeyGen(msk,pp,L):Suppose is the attribute list of a user U. User U chooses one of his own , calculates , and then submits it to the attribute authority. The user saves xu.Next, for each attribute i,1≤i≤n, the authority chooses and calculates . It finally sets the private key of the user with the attribute list as follows:(6)

The authority add tuples (U,Iu,L) to the list of users UList, where Iu = Xu−r. Next, the authority sends UList to the search server.

* Encrypt(pp,m,P):Suppose P = {P1,P2,⋯Pn} is an access control policy, Pi⊆Si. When outsourcing a file F to a cloud storage server, the algorithm produces a ciphertext that is related to the access control structure P as follows:

1. Above all randomly chooses , , and ,where m is the key to encrypt the file F by a symmetric encryption algorithm.

2. For each i,1≤i≤n, it first selects such that and it calculates . For all vi,j∈Si, if vi,j∈Pi, set .If vi,j∉Pi, it sets to a random value within . It sets the ciphertext as(7)

* Encrypt−Index(pp,w,P):Suppose P = {P1,P2,⋯Pn} is an access control policy, which is the same access control policy as it is in the encrypted ciphertext. Let w be a keyword extracted from file F. It produces a secure keyword index related to the access control policy P as follows:

For each attribute i,1≤i≤n, above all selects , makes , and computes . For all vi,j∈Si, if vi,j∈Pi, is set. If vi,j∉Pi, Ii,j,2 is set to a random value in . The keyword index of the keyword w is(8)

If the file has multiple keywords, it can be used to generate multiple security indexes.

Note that here r is the public system parameter and is the same for all keyword index generations.

* : This algorithm generates a secure search token for a keyword . If a user U wants to search a keyword ,the user U chooses a and then computes for each i,1≤i≤n. It computes . Finally, it sets the search Token as(9)

* Search(tok,Index): Once the token of user U is received, the search server first checks whether the U is in UList. If it is not, the request s refused. Otherwise, it gets the tuples (U,Iu,L),where and .The search server runs the matching algorithm for (tok,Index) and (U,Iu,L) as follows:

1. It computes .

2. For each i,1≤i≤n, if , it chooses and computes and E = E1/E2 = e(g1,g2)srβ. If , the match is successful and returns 1.A notification is sent to the cloud server. The cloud server sends the corresponding ciphertext associated with the index to the user. Otherwise, the match is failed and returns 0.

* Decrypt(CT,sk): The decryption algorithm is run by data user U with attribute list to decrypt the ciphertext CT by using its secret key sk. For each i,1≤i≤n and , it chooses and computes ,(10)

* AttriUpdate(vi,j,ai,j): When a user's attribute i is revoked, suppose that the attribute value revoked is vi,j.The authority runs this update algorithm and selects a new random value instead of the old secret value ai,j corresponding to vi,j. It publishes an attribute update operator (vi,j,ui,j), where .

* PPUpdate(Ai,j,ui,j): The authority inputs the update operator (vi,j,ui,j) and recalculates as the new system parameter to instead of the old parameter Ai,j for attribute i and publishes it in the system parameter set.

* : The ciphertext update algorithm inputs the ciphertext and the update operator (vi,j,ui,j). It then outputs the new ciphertext such that(11)

* SKUpdate(Ki,1,ui,j): The private key update algorithm inputs the private key Ki,1 corresponding to attribute vi,j and the update operator (vi,j,ui,j). It then outputs the new private key as(12)

* IndexUpdate(Ii,j,2,ui,j): The index update algorithm inputs Ii,j,2 (which is part of the index related to attribute vi,j) and the update operator (vi,j,ui,j). It then outputs the new index as(13)

5. Security analysis

The correctness of algorithm Search(tok,Index) is as follows:

If L| = P, w = w′, and ,

If is equal to , the match is successful and the search server returns 1.

The correctness of the decryption algorithm is verified as follows:

If L| = P and then(14)(15)

Our safety analysis scheme is as follows:

We will analyze and demonstrate the security of our scheme under the general bilinear mapping model ([6, 14, 36]). First, we will prove that our scheme is of the indistinguishability of the keyword index under the selective keyword attack with the hidden policy. Second, we will demonstrate that our scheme is of the indistinguishability of the ciphertext under the selective plain-text attack with the hidden policy.

Theorem 1. Let be defined as the general bilinear group model. We request that any adversary performs up to q times oracles to ask for group ‘s calculation, including bilinear mapping. In the secure game of the indistinguishability of the keyword index under the selective keyword attack with hidden policy, the advantage of an adversary is O(q2/p).

Proof: Our proof is similar to [13,24].We will design a simulator and an adversary to perform the indistinguishability of the keyword index under the selective keyword attack with the hidden policy as follows. maintains 3 pairs of lists:(16)

In these equations, Fτ,l(τ∈{1,2,T}) is adversary queries, ςτ,l(τ∈{1,2,T}) is a random string of {0,1}* for each query result, and ς1,l = ς1(F1,l),ς2,l = ς2(F2,l),ςT,l = ςT(FT,l).

The initialization definition is F1,1 = 1,F2,1 = 1,FT,1 = 1, and ς1,1,ς2,1,ςT,1 is the initial mapping string. ς1(1) represents g1, ς2(1) represents g2, and ςT(1) represents e(g1,g2). In the following query, the adversary and the simulator use ς to represent the elements in the group. In particular, for each query, the simulator selects random real values contained in the list. Whenever gives a query to , will update its list and return to the relevant random string to . Next, we give query as follows:

Group action. Set two operand objects ςτ(x),ςτ(y). Additionally, . If ςτ(x),ςτ(y) are not in the list , they are returned. Otherwise, computes F = x+y mod p and checks where F is in the list .If it is in it, it returns ςτ(F). Otherwise, sets a random string in {0,1}* different from the list already exists in. Finally, will be added ⟨F,ςτ(F)⟩ to the and we will have answer with the string ςτ(F).

Isomorphism. Given a string ς2(x), if it is not in the list , it terminates ⊥. Otherwise, if x already exists in the list , it returns ς1(x) to . If not, sets a random string ς1(x) in {0,1}* that is distinct from any existing list . Finally, adds ⟨x,ς1(x)⟩ to , and sets ς1(x). It then returns to .

Bilinear pairing. Given two operations ς1(x),ς2(y), if ς1(x) not in the list and ς2(y) not in the list , it terminates ⊥. Otherwise, calculates F = xy mod p also checks if F in the list . In that case, returns to ςT(F). Otherwise, sets a random ςT(F) in {0,1}* different from any existing . Finally, will add ⟨F,ςT(F)⟩ to the and reply with string ςT(F).

Based on the basic operations of the above group, the simulation selects the security game as follows:

Establishment. Adversary selects two different challenges with access control policies P0,P1. Here, Pi = {Pi,1,Pi,2,…,Pi,n} where i∈{0,1}, and sends them to . does not select the true value for the variables of the master key , and just maintains it in the corresponding list. Then, updates the list by adding a random string representation of tuples consistent with each common parameter. Finally, sets up a new update list to .

Phase1. selects a list of attributes . For OKeyGen(L),OGenToken(L,w) queries, the premise is that cannot ask the private key and token that satisfies the attributes of the access structure. The process is as follows:

OKeyGen(L):First, uses ⟨α,ςT(α)⟩ instead of e(g1,g2)α. It adds new tuples ⟨αxn,ςT(αxn)⟩ of by the rules defined above, using variables xu to the list .Next, increasing tuples to update the list consistent with the private key, where β,λi is the new variable.

OGenToken(L,w): runs OKeyGen(L).The list is then updated by adding tuples consistent with the search token. s is the new variable.

Challenge: chooses two keywords w0,w1. It then inputs ⟨w0,P0⟩,⟨w1,P1⟩ in the real choice of security games. The challenger chooses to encrypt wσ. Using Pσ, the challenge index ciphertext of is as follows: .

For {Ii,1}1≤i≤n, adds tuples ⟨ri,ς1(ri)⟩ to the list , and the new variable ri satisfies .

For ,if w0 = w1 and , adds tuples ⟨ai,jri/H(w),ς1(ai,jri/H(w))⟩ to list .Otherwise, if , adds tuples ⟨ri,j,ς1(ri,j)⟩ to list with a new variable ri,j.If or , increases tuples ⟨θ,ς1(θ)⟩ with a new variable θ to the list .

Phase2. repeats phase 1 of the inquiry. The requirement is that if w0 ≠ w1, cannot ask OKeyGen(L),OGenToken(L,ω) when L| = P0∧L| = P1.

After making at most q queries, terminates and returns to guessing σ′∈{0,1}. At this point, selects a random value of and obtains the real challenge ciphertext. In list , is replaced by .Finally, returns a list of all the updated tuples to .

Next, a detailed analysis of the simulation is presented. The simulation of is perfect if and only if no unexpected collisions occur. The so-called collision is for two different polynomials Fτ,l,Fτ,l′(τ∈{1,2,T}).For some l,l′, the corresponding random coding string of the difference cannot equal 0. Therefore, Fτ,l−Fτ,l′ = 0, and this unexpected collision occurs in the following two conditions.

In front of the replacement, on this occasion, we use theorem [37, 38].The probability of a collision occurring in list is expected to be O(q2/p) at most. For more details, refer to [37, 38].

After the replacement, it is proven that no new equations Fk,l,Fk,l′ can be created between polynomials after simulation, even if is replaced by ai,jri/H(wσ) for θ. We must note that an adversary cannot construct a query for a nonzero F = Fk,l−Fk,l′. It only occurs after substitution when F = 0. In an alternative security game, the adversary tries to distinguish between two different keyword w0,w1 queries. Given , the probability of distinguishing and is half the probability for adversary to distinguish .

As a result, we revise the game in order to determine whether would be able to structure the queries of for some .Then, it can distinguish and . We prove that cannot structure the queries for .

To construct ai,jri, ai,jri is from ai,jri/H(wσ) according to the simulation. When replaces θ with ai,jri/H(wσ), since w0 ≠ w1, it cannot obtain the search tokens that satisfy L| = P0∧L| = P1. Therefore, even if submits a true value ai,jri/H(wσ) to θ, it cannot eliminate ai,jri. We then have, as follows.

Fix any ai,jri that arises after replacement. We make the assumption that can construct a query for e(g1,g2)v where v is a non-zero polynomial containing θ, which also turns into zero after replaces ai,jri for θ.

To construct such a v, must cancel ai,jri in v. To our knowledge, there may be a different attribute value vi,j′(j′ ≠ j) of Li in the access policy. Adversary is able to get the ciphertext of vi,j′(j′ ≠ j). Therefore, adversary can obtain ai,jri in two ways. One is by pairing , and the other is by pairing .

If adversary pairs , then adversary needs to get information about . However, in the entire simulation, the user knows and does not know .Therefore, does not exist. In other words, it cannot be paired, so this situation cannot be achieved.

If adversary pairs , will obtain combination βri+ai,jriλi of the query. Adversary wants to know ρ′ai,jri. A new variable ρ″ is introduced, making ρ′ = λiρ″. First, needs to structure p″βri. As previously known, .It can be converted into the construct p″βr. In the entire simulation, the only way to ask to construct p″βr is to combine T0,I0. are used to get the query of the combination αrs+βrs. We need βrs, so to eliminate αrs, combines . e(g1,g2)αr,xu+s are used to get tuples αr(xu+s). Next, uses −αrxu to eliminate αrxu and obtain αrs. Thus obtains the required βrs. A new variable ρ‴ is introduced to make the ρ″ = ρ‴s. By asking for p‴s(β(r−∑i′ ≠ iri′)), you can get ai,jri. However, cannot construct such an inquiry. The reasons are as follows.

Since s is randomly selected by the user, adversary does not know its value. Hence, adversary cannot find a ρ‴ to satisfy ρ″ = ρ‴s. Therefore, ρ‴ is not observed. According to the simulation challenge ciphertext, Ii,j,2 has . In other words, adversary cannot obtain the private key sk and search token for search operations. Here, at least one of the is unknown, according to [6]. Since it is less than , we cannot get the query about ρ‴s(β(r−∑i′ ≠ iri′)).

Then, it is proven that the encrypted message is secure and still operates in a general group model. The above theorem 1 is used to prove that the ciphertext is not distinguishable under the same access policy.

Theorem 2. Under the condition of Theorem 1, the adversary has the advantage over the ciphertext in the scheme as O(q2/p).

Proof: The establishment of the system and the basic operations of the group are similar to that in the proof of theorem 1. Therefore, they are not repeated in this study. In the system setup, the attacker chooses the policy that will attack P*.

Using the above same group, we use ς1(1) for g1, ς2(1) for g2, and ςT(1) for e(g1,g2). At the start of the build phase, the simulator randomly selects α,b from .The public parameters are sent to the adversary.

Query for private key OKeyGen(L): The premise is that cannot ask for the private key of L that satisfies the access structure P*.

OKeyGen(L):First, substitutes e(g1,g2)α with ⟨α,ςT(α)⟩ and adds new tuples ⟨αxn,ςT(αxn)⟩ of using the rules defined above and using variables xu from the list . Then, adds tuples to update the list relevant to the private key, and β,λi are the new variables.

Ciphertext challenge: selects two messages m0,m1 in the actual choice safety game. Challenger selects to encrypt mσ using P*.The challenge ciphertext as follows.

The simulation starts by selecting a random , setting λi for each of the relevant attributes, and λi for the random selection in . The simulation randomly selects a θ. The constructed ciphertext is as follows: , , , and . The challenge ciphertext is sent to the adversary.

For up to q times after the inquiry, terminates and returns a guess σ′∈{0,1} of σ. Next, chooses a random value of , and obtains the real challenge ciphertext in list by instead of .Finally, returns to the list of all tuples to update .

The challenger's task is to distinguish ciphertext as or .We now modify the game to distinguish from e(g,g)θ. Here, θ is randomly selected from . If the game is not modified, and assuming that the opponent has an ε advantage, then, in the modified game, any adversary has at least an ε/2 advantage. It can be seen in two cases. One is that the adversary must distinguish from e(g1,g2)θ, and the other is to distinguish between and e(g1,g2)θ. It is obvious that the probabilities of the two are equal. We need to calculate the advantage that the adversary wins the game in the modified game.

Next, a detailed analysis of is given. We note that simulation is perfect if there is no unexpected collision. The collision is for two different polynomials of Fτ,l,Fτ,l′(τ∈{1,2,T}) for some l,l′, and all the random strings that encode the corresponding difference are not equal to 0. Therefore, Fτ,l−Fτ,l′ = 0.This unexpected collision occurs in the following two situations:

Before the substitution. In this scenario, using theorem [37,38], the probability of an unexpected collision occurring in list is at most O(q2/p).

After the substitution. It is impossible to have a new equation that can be created between polynomials F = Fk,l−Fk,l′, even if is replaced by for θ in the simulation. It is emphasized that adversary cannot structure a query for a nonzero F = Fk,l−Fk,l′, and F = 0 after the substitution.

Note: If the adversary asks for the private key that satisfies the attributes of the access policy, the simulator does not give the appropriate private key. If the adversary already has the appropriate private key to access the structure, the game is terminated.

θ is only included in the e(g1,g2)θ in .We note that F = Fk,l−Fk,l′. If F = 0 after the substitution, then , where ρ is a constant. Note that F ≠ 0, . We can increase this inquiry to the artificial adversary. We will prove that the adversary cannot construct a query of .

The only way the adversary can get is through pair .Since obtains , the adversary needs to eliminate . To get ,the adversary needs to combine and . Note that . Adversary will get the query and wants to eliminate .As , will obtain . We know that . However, we know that cannot ask the private key of L that satisfies the access structure P*. Therefore, there exists a that cannot be constructed in the above way since there are some attributes i′ that belong to Lj and L does not satisfy policy P*. Therefore, the adversary cannot get .We know that ; therefore, the adversary cannot obtain the value .

6. Performance evaluation

The analysis of computational complexity: As our scheme is based on bilinear model, the computational complexity of the proposed scheme mainly comes from the pairing operation and group exponentiation operations in each group, ignoring all multiplication and hashing operations. The pairing operation is denoted by P. The group exponentiation operations in each group are represented by E1,E2,ET. The implementation uses the Pairing Based Cryptography (PBC) library[39]. The computational complexity of the proposed scheme with some existing latest similar schemes is analyzed in Table 1. In the scenario, we suppose that there are n attributes. The i-th attribute has ni possible values such that i = 1,⋯,n.

[Figure omitted. See PDF.]

Table 1. Computational complexity.

https://doi.org/10.1371/journal.pone.0206126.t001

Functional analysis: A functional comparison of our scheme with some existing schemes is illustrated in Table 2. It includes hidden access structures, multi-data owners, encrypted messages, keyword search, and attribute changes, from which we can see that our scheme is fully functional.

[Figure omitted. See PDF.]

Table 2. Functional comparison.

https://doi.org/10.1371/journal.pone.0206126.t002

The actual analysis: The actual execution time of each algorithm in the simulation experiments are as follows. We let n range from 1 to 100 in the access structure where n is the number of involved attributes. ni = 10, where ni is the possible values of the i-th attribute. We list a comparison of the average computation time for each algorithm in the scheme with the algorithm in [10, 13, 18] in Fig 2.

[Figure omitted. See PDF.]

Fig 2. Computation comparison.

https://doi.org/10.1371/journal.pone.0206126.g002

From the experimental results of computation comparison shown in Fig 2, we can see that as the increase of the number of attributes, the computation times of private key generating, encryption-index time generating and encryption ciphertext time are slightly better than these schemes [10,13,18]. In our scheme, the computation times of token time generating and keyword search are close to these schemes in [10,13,18].We notice that the decryption time of our scheme is a little more than that in [18], this is caused by the fact that our scheme is multi owners while the scheme in [18] is a single data owner. The scheme [18] cannot implement the search function, and the schemes [10,13] cannot achieve encryption ciphertext and decryption function. So our scheme is much practical than the schemes in [10,13,18].

7. Conclusions

In this paper, we present a new keyword searchable attribute-based encryption scheme with a hidden access strategy and attribute revocation. The encrypted ciphertext are outsourced to the cloud. The hidden strategy can better secure the users’ privacy. Our proposed scheme is a fully functional scheme that addressed the keyword search problem and the attribute updating problem. Theoretical analysis, complexity calculation and practical operations show that our scheme is effective and practical. Of course, the scheme also has several short comings. The security of the scheme is demonstrated under the general bilinear group model, and it would be considerably better in the standard model.

Supporting information

[Figure omitted. See PDF.]

S1 File. The runtime of cryptographic operations.

https://doi.org/10.1371/journal.pone.0206126.s001

(DOCX)

Acknowledgments

Thanks to the anonymous reviewer for their useful comments.

Citation: Wang S, Gao T, Zhang Y (2018) Searchable and revocable multi-data owner attribute-based encryption scheme with hidden policy in cloud storage. PLoS ONE 13(11): e0206126. https://doi.org/10.1371/journal.pone.0206126