Enabling Dynamic Multi-Client and Boolean Query in Searchable Symmetric Encryption Scheme for Cloud Storage System

Abstract

Searchable symmetric encryption (SSE) provides a safe and effective solution for retrieving encrypted data on cloud servers. However, the existing SSE schemes mainly focus on single keyword search in single client, which is inefficient for multiple keywords and cannot meet the needs for multiple clients. Considering the above drawbacks, we propose a scheme enabling dynamic multi-client and Boolean query in searchable symmetric encryption for cloud storage system (DMC-SSE). DMC-SSE realizes the fine-grained access control of multi-client in SSE by attribute-based encryption (ABE) and novel access control list (ACL), and supports Boolean query of multiple keywords. In addition, DMC-SSE realizes the full dynamic update of client and file. Compared with the existing multi-client schemes, our scheme has the following advantages: 1) Dynamic. DMC-SSE not only supports the dynamic addition or deletion of multiple clients, but also realizes the dynamic update of files. 2) Non-interactivity. After being authorized, the client can query keywords without the help of the data owner and the data owner can dynamically update client's permissions without requiring the client to stay online. At last, the security analysis and experiments results demonstrate that our scheme is safe and efficient.

1. Introduction

The development of cloud computing has brought great convenience for the public, more and more users outsource their data to the cloud. The advantages of the cloud storage, such as mobile access, stability and reliability, make the users can access data anytime and anywhere, which greatly improves work efficiency and realize resource sharing while ensuring data security.

To ensure the confidentiality and integrity of cloud storage, the data is encrypted before it is uploaded to the cloud. But unfortunately, performing keyword search on ciphertext is a difficult task for the user. When searching for a particular protocol to achieve the user must download the cipher-text and decrypt it after searching. It is extremely inefficient and impractical when the scale of the data is very large. Therefore, searchable encryption (SE) ([1], [2], [3], [4]) came into being.

SE allows the user to search keywords on the ciphertext without revealing their privacy. SE performs queries on the ciphertext, and files to be searched is transparent to the server, which helps to achieve the integrity and confidentiality of the data on the cloud. And furthermore, it is conducive to protecting user privacy.

Searchable symmetric encryption (SSE) ([5], [6], [7], [8]) is an efficient and secure SE. Assisting with the inverted index and symmetric encryption primitives, the SSE achieves efficient ciphertext retrieval in sublinear time. Although SSE is an efficient means of ciphertext retrieval, but now most of the existing SSE schemes mainly focus on the search of a single-keyword in a single-client setting, which limits the expansion of SSE in practice. The multi-client SSE scheme was first proposed by Curtmola [9] in 2006, and then multi-client schemes were proposed one after another. However, the existing multi-client SSE schemes are mostly interactive (the client interacts with the data owner when performing keyword retrieval), and do not support the dynamic update of the client (dynamic addition and deletion of the client) or the dynamic update of files.

Related works. Searchable encryption was proposed by Song [1] in 2000, which is a full text search, the search cost grows linearly with the size of the database. To improve query efficiency, Curtmola [9] proposes a symmetric searchable encryption scheme with inverted index to achieve optimal search time. Chase and Kamara [10] propose a similar scheme but costs higher storage. In addition to search efficiency, many works have been done to improve query expression ([13], [14], [15], [16], [17]) and advanced security ([20], [24], [25], [26], [27], [28]).

The original SSE scheme was mainly for single-keyword, to enrich the search function, some research focus on multi- keyword SSE scheme. Golle [13] and Ballard [14] proposed efficient conjunctive keyword searches over encrypted data, these two schemes can realize multi-keyword queries, but the communication cost is linear in the number of documents. To provide a truly practical search capability, Cash [15] proposed a highly-scalable searchable symmetric encryption with support for Boolean queries, which constructs the OXT protocol to achieve Boolean query. Based on OXT protocol, Lai [16] proposed a result pattern hiding SSE scheme supporting conjunctive queries. Xu [17] proposed EGRQ, a range query scheme to achieve secure and efficient query on encrypted spatial data. The above SSE schemes support multi-keyword query, but only supports single-client scenarios. The concept of multi-client symmetric searchable encryption (MSSE) was first proposed by Curtmola [9], which uses broadcast encryption on top of a single-client scheme. Raykova [18] improves the efficiency of Curtmola by employing a deterministic encryption and achieves a linear search time. These two schemes are interactive and have a large communication cost. Jarecki [19] extends the OXT scheme proposed by Cash [15] to the multi-client by the utilization of homomorphic signature and oblivious pseudorandom functions (PRFs), and realizes the Boolean query in the multi-client setting. Faber [21] extends the query type of OXT, supporting for range, substring, wildcard, and phrase queries. However, both these two schemes are interactive. Du [23] presented a multi-client SSE scheme that supports Boolean queries, which incorporates a client’s authorization information into search tokens and indexes. The scheme proposed by Du supports dynamic update of client permissions, however, the data owner regenerates the search index every time a new client joins, which becomes very inefficient when the index scale is large.

Contributions. We propose a dynamic multi-client searchable symmetric encryption scheme supporting Boolean query, which extends SSE from the single-client setting to multiple clients, while realizing dynamic update of clients and fine-grained access control. In addition, our scheme supports Boolean query with multiple keywords. The main contributions are summarized as follows:

1. We use attribute-based encryption (ABE) to extend SSE from single client to multi-client, and implement Boolean query of multiple keywords. We construct a hybrid encryption that symmetric encryption is used to encrypt files and ABE is used to encrypt the symmetric key, only the client meeting the access policy can decrypt the key so as to decrypt files, an efficient SSE scheme in multi-client is implemented.

2. We implement efficient dynamic update (add/delete) of clients, and the time cost is for O(1) N clients. By constructing the access control list (ACL), our scheme only allows authorized clients to access keywords, so as to prevent malicious clients from illegal access.

3. We have realized the dynamic update of files, and the data owner can update files independently without affecting other clients. Furthermore, in our scheme, the deleted files can be filtered by judging the operation (add/delete) when the server performs a search, and only valid files are sent back to the client, which improves the search efficiency and reduces the communication load.

2. Preliminaries

2.1 System model

The system model of DMC-SSE is shown in Fig. 1, there are three entities in the system: data owner D, client C_i and the cloud sever. The server provides cloud storage services and is honest-but-curious, also it is not trusted. The data owner encrypts the plaintext DB (a database including a list of d identifier-keyword pairs (id_i, W_id=1)^d_i=1 to ciphertext EDB, and sends it to the cloud. To perform a query Q with keywords (\(\begin{aligned}\bar{W}=\left\{w_{1}, w_{2}, \ldots, w_{n}\right\}\end{aligned}\)) from the server, the client C_i needs to register to the data owner D first, and then D will returns an authorization certificate Ω_i to the client, with which the client C_i generates a search token TK_i,Q and sends it to the server. On receiving TK_i,Q, the server will search the EDB and returns the results R that satisfies the requirement to the client C_i, finally C_i decrypts the files in R locally.

Fig. 1. System model

2.2 Attribute-based encryption (ABE)

Attribute-based encryption (ABE) is developed from the encryption scheme based on fuzzy identity, which can be divided into two types: key strategy ABE (KP-ABE) and ciphertext strategy ABE (CP-ABE). KP-ABE allows the private key to correspond to an access structure, and the ciphertext corresponds to an attribute set; while CP-ABE, on the contrary, allows the private key to correspond to an attribute set, and the ciphertext corresponds to an access structure. Whether KP-ABE or CP-ABE, only the attribute set satisfy the access policy can decrypt the ciphertext. ABE is very effective in encrypting data sharing, since it can realize data access control while encrypting data. In this paper, we use CP-ABE attribute encryption scheme, which contains the following four algorithms:

• ABE.Setup(λ) : takes secret parameter λ as the input and outputs the system parameter mpk and master key msk.

• ABE.KeyGen(msk, mpk, A) : takes the system parameter mpk, master key msk and the attribute set A as the input and outputs a private key skⁱ_A.

• ABE.Enc(mpk, msg, U) : takes the message msg, system parameter mpk and the access structure U as the input and outputs the ciphertext msg*.

• ABE.Dec(skⁱ_A, msg*) : takes the ciphertext msg* and the private key skⁱ_A as the input, msg* contains an access structure U and skⁱ_A is associated with a set of attribute A , this algorithm outputs the decrypted information msg if A ∈ U.

3. Overview

The multi-client SSE scheme in our system combines attribute-based encryption with searchable symmetric encryption. First, files in DB are encrypted by the symmetric key K_c, and then K_c is encrypted by attribute-based encryption. Only clients who meet the attribute policy can decrypt the symmetric key and decrypt the ciphertext.

3.1 Access Control List (ACL)

The access control list (ACL) is owned by the data owner to control the permission of other clients. Assume that the client C_i will joins our system, it registers with the data owner D. To identify the client C_i, D generates a tag α_i for C_i, α_i ∈ Z*_p. For legitimate keywords (w₁, w₂,..., w_n) that can be accessed by C_i, Dcomputes c_j ← α_iㆍw_j, j = 1, 2, …, n, and adds c_j to ACL, at last, D sends the updated ACL to the cloud server.

Assume that there are three clients (C₁, C₂, C₃) with the tag (α₁, α₂, α₃) and the corresponding authorization keywords are (w₁, w₂), (w₂, w₃) and (w₁, w₃),the structure of ACL is shown in Fig. 2.

Fig. 2. The structure of ACL

When the client performs a query, it calculates c_i as above, and the server checks whether c_i is in ACL, if so, the query is legal and can be continued, else the query is illegal and the query will be stopped.

\(\begin{aligned}\mathrm{c}_{i}\left\{\begin{array}{l}\mathrm{c}_{i} \in A C L, \text { query is legal,continue } \\ \mathrm{c}_{i} \notin A C L, \text { query is illegal,stop }\end{array}\right.\end{aligned}\)

The structure of the ACL is a one-way list, and the ACL is updated dynamically according to the change of client's search permission. When a new client joins, the c_j of the client are added at the tail of the ACL while the values will be removed when the client is revoked.

3.2 Scheme Definition

Our scheme mainly includes the following algorithms :

• KeyGen(1^λ): takes the system parameterλ as input, and outputs the system master key msk and public key mpk. It is performed by the data owner D.

• EDBSetup(DB, msk, mpk, U): takes the database DB, system master key msk, master public key mpk and an attribute universe U as input, and outputs the encrypted database EDB.

• ClientAuth(msk, mpk, A_i, ACL): the client C_i submits its attribute A_i to the data owner D, D generates the private key skⁱ_A of C_i with msk , mpk and C_i’s attributes A_i, meanwhile, D assigns the client C_i an identity α_i, which will be encrypted by enr_i ← ABE.Enc(α_i) ,the skⁱ_A and enr_i will be sent back to the client. In addition, D will calculates c_i ← α_iㆍw_i for legal keywords of client and adds c_i to ACL. At last, D sends the updated ACL to the server.

• TokenGen(skⁱ_A, enr_i , W): the client C_i takes private key skⁱ_A , encrypted identity enr_i and keywords W to query as input, and generates the token TK_i,Q as output.

• Search (TK_i,Q, EDB): the sever takes the token TK_i,Q as input, and outputs results R that satisfy the query requirements to the client.

• Retrieve( skⁱ_A , R):the client C_i gets the identifiers of documents by decrypting the returned results R with her private key skⁱ_A . With the identifiers and decryption key , the client will retrieve the original documents.

3.3 Security Definition

In our scheme, we consider the security against adversarial server, it’s the design goal of our scheme to reveal as little information as possible to the server in a query. The less information leaked to the server, the more difficult it is for the server to guess the information of the token or file, so as to better protect the privacy of users.

Security against adversarial server. A loss function L is used to represent the information leaked to the adversary during a query, let ∏ = {KeyGen, EDBSetup, ClientAuth, TokenGen, Search} be our DMC-SSE scheme, we define the security of ∏ by two experiments: Real^∏_A(λ) and Ideal^∏_A,S(λ) :

Real^∏_A(λ) : Then adversary A chooses a series of queries adaptively and repeatedly to trigger the experiment runs KeyGen, ClientAuth, TokenGen and Search and the experiment outputs a bit b that A returns to the experiment.

Ideal^∏_A,S(λ) : Adversary A chooses a database DB and a series of queries Q, the experiment runs S(L(DB,Q)) and output a bit b.

Definition 1. We say that ∏ is L-semantically-secure if for any probabilistic, polynomial-time (PPT) adversaries A ,there exists a PPT simulator S, such that :

| Pr[Real^∏_A(λ)=1]-Pr[Ideal^∏_A,S(λ)=1]| ≤ negl(λ)

Now we describe the loss function L in our scheme. As ref [23], for simplicity of analysis, we consider a simple setting that all queries are conjunctive queries. We use Q = (s,x) to denote a series of conjunctive queries, where Q[k] = (s[k], x[k, 1], x[k, 2], …, x[k, n]) is an individual query, s[k] and x[k,ㆍ] denote sterm (the least frequent keyword among all keywords in a query) and xterm (the other keywords except sterm in a query), respectively. The leakage function L (DB, Q) can be defined as below:

• N=Σ^d_i=1 | W_i |, the number of the (w_i, id_i) pairs.

• \(\begin{aligned}\overline{\mathrm{S}} \in \mathbf{N}^{T}\end{aligned}\), the equality pattern of sterms s, indicating which queries have the same sterm.

• SN, the number of files matching the sterm, obviously, SN[k] =|DB[k]|.

• AN, the number of files matching the entire conjunction query, AN[k] = DB(s[k])∩ DB(x[k,α]) , α = {1, 2,… ,n}

• IP is the conditional intersection pattern, which is formally defined by

\(\begin{aligned}\operatorname{IP}\left[k_{1}, k_{2}, \alpha, \beta\right]=\left\{\begin{array}{ll}\mathrm{DB}\left(\mathrm{s}\left[k_{1}\right]\right) \cap \mathrm{DB}\left(\mathrm{s}\left[k_{2}\right]\right) \text { if } k_{1} \neq k_{2} \text { and } \mathrm{x}\left[k_{1}, \alpha\right]=\mathrm{x}\left[k_{2}, \beta\right] \\ \phi & \text { otherwise }\end{array}\right.\end{aligned}\)

• DBT is the search result pattern of the sterm in the k-th query, DBT[k] = DB[s[k]]

• XN is the number of xterms in the k-th query.

4. Dynamic multi-client SSE

In this section, we give our multi-client searchable symmetric encryption scheme ∏ = {KeyGen, EDBSetup, ClientAuth, TokenGen, Search}. Let H_i : {0,1}* → {0,1}^λ , be hash functions, and F : {0,1}^λ × {0,1}^λ → {0,1}^λ be PRFs.

4.1 Our construction

KeyGen(1^λ): with the system parameter λ ,the data owner generates the master key msk and public key mpk, where (mpk, msk) ← ABE.Setup(1^λ).

EDBSetup(DB, mpk, U): As shown in algorithm 1, data owner takes the database DB=(id_i, W_i)^d_i=1 , public key mpk and an attribute set U as input, and outputs the encrypted database EDB = (T, X). It chooses big primes p, q, random keys K_I, K_z for a PRF F_p and K_w for a PRF F, \(\begin{aligned}F, g \stackrel{s}{\leftarrow} G\end{aligned}\). To improve the efficiency of DB encryption and decryption, symmetric encryption primitives are used in our scheme. To share the symmetric key K_id with legitimate users, D encrypts K_id with the attribute set U, op represents the operation (add/delete) of the files.

EDB consists of a TSet T and a XSet X, these two sets are stored in dictionary structure, EDB uses inverted index to store the identifiers of all documents. Like most other MSSE schemes, identifiers of files in DB is encrypted and stored in T.

Algorithm 1 EDBSetup

Input: DB, mpk, U

Output: EDB

1: function EDBSetup (DB, mpk, U)

2: T ← {};X ← {};cnt ← 0

3: for w ∈ W do

4: cnt ← 1 ; stag_w ← F(K_w, W)

5: for id ∈ DB[w] do

6: l ← H(stag_w || count) ; u ← ABE.Enc(mpk, id || K_id, U)

7: eid ← F_p (K_I, id) ; z ← F_p(K_z, w)

8: v ← eidㆍz^-1 ; o ← op⊕ l

9: x ← g^{F_p(K_x,w)ㆍeid}; X ← X ∪ x;

10: T[l ]←(u, v, o) ; cnt ← cnt + 1

11: end for

12: end for

13: EDB ← {T,X}

14: end function

Algorithm 2 ClientAuth

Input: msk, mpk, ACL

Output: Ω ,ACL’

1: function ClientAuth (msk, mpk, ACL)

2: skⁱ_A ← ABE.KeyGen(msk, mpk, A_i)

3: r_i ← {0,1}^λ ; α_i ← F(K_k, r_i)

4: enr ← ABE.Enc(α_i)

5: for \(\begin{aligned}\mathrm{W} \in \overline{\mathrm{W}}\end{aligned}\) do

6: c_i ← α_iㆍw ; ACL ← ACL ∪ c_i

7: end for

8: ACL'← ACL ; Ω_i ← {skⁱ_A, K_w, K_z, K_x, mpk, enr}

9: return Ω_i

10: end function

ClientAuth(msk, mpk, A_i, ACL) : When a client with attribute set A_i performs a query on the encrypted database for the first time, he needs to authenticate with the data owner. The data owner D generates a corresponding private key skⁱ_A according to the properties A_i of the client C_i, where skⁱ_A ← ABE.KeyGen(msk, mpk, A_i) , D sends the private key skⁱ_A to the client. To ensure that legitimate clients can only access the authorized keywords, the data owner D first generates an identity α_i for client C_i, then uses α_i and legal keywords w to generate a blind factor c_i which will be added to ACL, keywords only that in ACL can be accessed by the client. At last, D sends the Ω_i ← (skⁱ_A, K_w, K_z, K_x, mpk, enr) back to the client C_i, where enr ← ABE.Enc(α_i) and send the updated access control list ACL' to the server.

Algorithm 3 TokenGen

Input: Ω_i, Q= {w₁, w₂, …,W_n }

Output: TK_i,Q

1: function TokenGen(Ω_i, Q)

2: acf_w ← F(K_w, w₁) ; α_i ← ABE.Dec(enr)

3: for c = 1,2, …. until the server stops do

4: for j = 2, …., n do

5: xtoken[c, j] ← g^{F_p(K_z, w₁∥c)·F_p(K_x, w_j)} ; ctl[j] ← α_i · w_j

6: end for

7: TK_{i, Q} ← {acf_w, xtoken[2], …, xtoken[n], ctl[2], …ctl[n]}

8: end for

9: return TK_{i, Q}

10: end function

TokenGen(Ω_i, Q) : When the client C_i wants to perform a boolean search on the EDB with a set of keyword \(\begin{aligned}\bar{w}=\left\{w_{1}, w_{2}, \ldots, w_{n}\right\}\end{aligned}\), he first choose a sterm who is the keyword with lowest-frequency from \(\begin{aligned}\bar{w}\end{aligned}\), for simplicity, we assume that w₁ is the sterm and assume that we take the conjunctive query Q = {w₁ ∧ w₂ ∧…∧ w_n). The client C_i generates a blind factor ctl[i] ← α_iㆍw_i for each keyword w_i(i = 2, ......, n) in xterms, where α_i ← ABE.Enc(enr) , and the token will be generated by the algorithm 3.

Algorithm 4 Search

Input: TKQ, EDB, ACL

Output: R

1: function Search (TK_Q, EDB, ACL)

2: R ← {} ; c ← 0

3: while true do

4: l ← H(acf_w || c)

5: if T[l]=null then

6: return R

7: else

8: (u, v, o) ← T[l] ; op ←u⊕l

9: if op = "add" then

10: if xtoken[i]^v ∈ X and ctl[i] ∈ ACL, i = 2, …,n then

11: R ← R ∪ e

12: else if op = "del" then

13: R ← R - e

14: c ← c+1

15: end if

16: end while

17: end function

Search (TK_i,Q EDB, ACL): On receiving the search token TK_i,Q sent by the client C_i, the server will perform a search in EDB to find the matching files for TK_i,Q, and returns the file set R to the C_i, as is shown in algorithm 4.

To ensure the legitimate access of a query Q, the blind factor ctl[i] of the client is checked during the search, and only the keywords that the blind factor in the ACL are allowed to be accessed. Furthermore, only data owner D can perform op (add or delete) in function EDBSetup, and other clients can only query keywords. If op = "add", it indicates that the file is added and the corresponding id is valid, but for op = "del", it indicates that the file is deleted, and the corresponding id is invalid.

After the client C_i retrieves the ciphertext R, it decrypts the symmetric key K_id with the algorithm K_id ← ABE.Dec(skⁱ_A, e). Due to K_id is encrypted by attributes, only clients that satisfy the attribute encryption policy can decrypt it. With the symmetric key K_id, C_i can decrypt files efficiently.

4.2 Dynamic Update of Clients

In the multi-client SSE scheme, the dynamic update of the client is worth considering, since in practice, new clients may join the system at any time, and the clients in the system may be revoked at any time, too. In the scheme proposed by Du [23], when there is a client, the data owner D not only needs to update ACL, but also needs to update the encrypted database and regenerate the encrypted index according to the pk of the client, time cost is O(n) for n clients, which is obviously inefficient when clients update frequently. However, in our scheme, due to the use of ABE, only the client whose attributes satisfy the access control policy can decrypt the ciphertext, therefore, the access rights of the file rely on the attributes of the client, and have nothing to do with the pk of the client, so the search index does not need to be regenerated no matter how many clients are added, the only thing that D has to do is updating the ACL, so time cost is O(1) for n clients. The process of client revocation is similar, the difference is that the ACL update changes from adding to deleting. Therefore, our scheme is more efficient than Du [23] when clients update dynamically.

4.3 Dynamic Update of Files

In addition to the dynamic update of the client, another problem worth considering is the dynamic update of files. Because the files stored in the cloud are not immutable, the data owner may add new files or delete expired files, so the dynamic update of files is also necessary. We construct a novel dynamic operator op that denotes “add” or “delete” operation of files and op is encrypted together with the identifier when the data owner D updates the file. For query on the EDB, the server checks op and filters the documents whose op = "delete", thus only valid files are reserved. The general SSE scheme returns all the matching files found, but there are some invalid files that are expired or to be deleted. In our scheme, the data owner D filters these invalid files through dynamic update of files, so that only valid files are returned, which reduces the communication load and improves the communication efficiency.

4.4 Supporting for Boolean queries

Given a query Q with keywords (w₁, w₂, …, w_n), to support Boolean query, we use Boolean formula φ to construct the searchable form : w₁∧φ(w₂, …, w_n). To perform a Boolean query, the client C_i sends the token TK_i,Q to the server along with the Boolean formula φ. It’s the same with the algorithm 4 except that for a tuple (u, v, o), instead of using xtoken[i]^v ∈ X, the server gets a binary value bv_i for each keywords in (w₂, w₃, …, w_n), where bv_i = 1 if the xtoken[i]^v ∈ X corresponding to the keyword w_i, else bv_i = 1. After getting all the binary values, the server calculates the expression φ based on the values of bv₂, bv₃, …,bv_n and forwards u to R if the result is true.

4.5 Security Analysis

Theorem 1. Our scheme ∏ is L -semantically secure against adaptive attacks, where L is the leakage function defined in Definition 1, assuming that the DDH (Decisional Diffie-Hellman) assumption holds in G, F and F_p are secure PRFs and that ∑ = (Enc,Dec) is an IND-CPA scheme.

Algorithm 5 G₀, G₁

Proof: The proof can be conducted by constructing a sequence of games. Among these games, G₀ is designed to have the same distribution as Real^∏_A(λ) and the last game G₈ is designed to simulate easily for the simulator S. In the proof of Theorem 1, the indistinguishability of the distribution between games proves that the simulator S satisfies the Definition 1, and the proof of the theorem is completed.

Game G₀. As is shown in algorithm 5, G₀ is the real game with minor modifications for easy analysis. It takes ( ACL, DB, s, x ) as input to simulate EDBSetup in algorithm 1 by using function INITIALIZE. INITIALIZE is identical to EDBSetup except that X is separated as a subfunction, XSetup.

G₀ generates the transcript by using the function TransGen , before that, G₀ generates the secret key Ω_i by running function ClientAuth that simulates the ClientAuth algorithm as defined in algorithm 2, specifically, \(\begin{aligned}\overline{\mathrm{W}}\end{aligned}\)  is the set of the authorized keywords, and the order of keywords are recorded in WPerms. For k ∈ [T], G₀ runs function TransGen (EDB,Ω_i,s[k], x[k,·],c[k,·]) to output transcript t[k] ,the transcript is similarly as in the real game except the generation of ResInds : it gets ResInds by calculating DB(s[k])∩ DB(x[k,1])∩ DB(c[k,1])…∩ DB(x[k,n])∩ DB(c[k,n]). G₀ has the same distribution with Real^H_A(λ) assuming that no false positives happening, it’s easy to get:

Pr[G₀ = 1] - Pr[Real^∏_adv = 1] ≤ negl(λ)

Game G₁ . G₁ is identical to G₀ except the calculation of stag and α, the difference between G₁ and G₀ is shown in the boxed codes in algorithm 5. The values of stag and α will be recorded after being computed for the first time, and will be directly looked up instead of being computed again when used later. So we can get:

Pr[G₁ = 1 ] = Pr[G₀ = 1]

Algorithm 6 G₃, G₄

Game G₂. The difference between G₂ and G₁ is that G₂ uses random functions instead of PRFs Fand F_p, the details are shown in algorithm 6. Since F(K_w, ·) and F(K_k, ·) are calculated once for the same input, so we can replace them with random strings. F_p(K_I, ·) , F_p(K_z, ·) and F_p(K_x, ·) are replaced by f_I, f_z, f_x, respectively. Note that, TransGen takes A as input so that CLIENTAUTH can be omitted. We can get that there exist adversaries B_1,1 and B_1,2 such that:

Pr[G₂ = 1] - Pr[G₁ = 1] ≤ 2Adv^PRF_F,B1.1(λ) + 3Adv^PRF_F,B1.2(λ)

Game G₃ . G₃ is same as G₂ except for the code in the box, the details are shown in algorithm 6. G₃ uses an encryption of the constant string 0^λ to replace the encryption of file identifiers. Since the encryption operation is executed m times, so we can get that there exists an adversary B₂ which satisfies:

Pr[G₃ = 1] - Pr[G₂ = 1] ≤ m · Adv^ind-cpa_Σ.B2(λ)

Game G₄. As shown in algorithm 7, G₄ is same as G₃ except the way of generating X and xtoken. Different from G₃, in G₄, elements X_Elem = g^{f_x(w)·f_I(id)} in X are precomputed and recorded in array H(id, w) though the keyword w and the corresponding id. In G₄, elements in X are generated in such a way: for a given w ∈ W and id ∈ DB(w), G₄ adds the value H(id, w) form the array H to the set X. Recall that the value added to X is calculated by g^{f_x(w)·f_I(id)}, which is same as G₃.

As for the value in xtoken, in G₃, the xtoken is computed as g^{f_z(S_t|||cnt)·f_x(x[k,β])}, in G₄, TransGen looks up(id₁,....,id_Ts) ← DB(s_k), σ ← WPerms[s_k] and y ← f_I[id_σ[cnt]] · f_z[s || cnt], the xtoken[β] is set H[id_σ[cnt], x[t,β]]^1/v = g^{f_x(x[k,β]·f_z(s_t||cnt)} ,which is same as in G₃. It’s easy to see that:

Pr[G₄= 1] = Pr[G₃ = 1]

Game G₅. G₅ and G₄ are almost the same except the code in box in algorithm 7. Simplify, G₅ selects vform Z*_p randomly instead of computing it. It is easy to see that:

Pr[G₅ = 1] = Pr[G₄ = 1]

Game G₆. G₆ is almost identical to G₅, the difference is that instead of computing values of H and Y as the previous game G₅, G₆ selects them form G randomly, the details are shown in algorithm 7 with the double boxed codes. Under the DDH assumption, we can get that there exists an efficient adversary B₅ :

Pr[G₆ = 1] - Pr[G₅ = 1] ≤ Adv^DDH_G.B5(λ)

Intuitively, in G₅ ,the value of XTemp[w] is g^f_x(w) ,which is the form of g^a if we replace f_X(w) with a. The element in H is XTemp[w]^eid, that is g^f_X(w)·eid it is the form of g^ab if we replace eid with b. With the above replacement, the distribution of H is indistinguishable from a random element in G under the DDH assumption. In the same way, Y is indistinguishable from a random element in G.

Game G₇. G₇ is almost same as G₆ except that it changes way in generating X, the details are shown in algorithm 8. In G₇, only elements in H that are used or accessed for multiple are added to X, otherwise, a random element in G is added to X. Furthermore, after H is generated,

Algorithm 7 G₄, G₅. G₆

XSETUP will just access H once, only the function TransGen access elements in H. However, elements that are accessed by TransGen satisfy that id ∈ DB[s_k] and w = x[k,β]=. As for others, it is indistinguishable with random selection. Therefore, the distribution of G₇ is the same as G₆ ,so we get:

Pr[G₇ = 1] = Pr[G₆ = 1]

Game G₈. G₈ is almost same as G₇ except the way to access H in function TransGen, as shown in algorithm 8. To test a possible repeated access to elements in H, the check is necessary that if either XSETUP will access the index or the function TransGen will read it again. In this case, XSETUP only access an index if id ∈ DB(s_k) and x[k,β] = w in G₇, which meets the purpose of the first “if” in G₈. However, it is also possible in TransGen when there are two different queries, k and k'. For this situation, it should ensure ' id ∈ DB[s_k]∩ DB[s_k] and w = k[k,β] ∈ x_k, that is what the “else if” statement in G₈. Obviously,

Pr[G₈ =1] = Pr[G₇ =1]

Simulator: Simulator S takes L(DB,s,x) = (N,\(\begin{aligned}\bar{S}\end{aligned}\),SN,AN,IP,XN) as input and outputs a simulated EDB=(T,X) and a transcript array t. We prove that the simulator S and G₈ are indistinguishable, so we can prove that the simulator S satisfies theorem 1 through the transitivity of trust between games.

Algorithm 8 G₇, G₈

Firstly, S computes \(\begin{aligned}\bar{x}\end{aligned}\), which is a restricted equality pattern of x, it denotes the server knows which xtrems are equal. With the elements in X, it is possible for the server to infer some certain xterms are equal because if there is a id that satisfies id ∈ DB[s[k₁]]∩DB[s[k₂]], in which k₁ and k₂ are two different queries, then the server can infer x[k₁,β] is equal to x[k₂,δ] due to the repeating values of elements in X that xtemp[x[k₁,β], id] and xtemp[x[k₂,δ], id]. This can be formulated equivalently in terms of the leakage IP by \(\begin{aligned}\overline{\mathrm{x}}[k, \beta]\end{aligned}\) such that \(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \delta\right]\end{aligned}\) iff IP[k₁, k₂]≠ 𝜙 . Particularly, we have: \(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \delta\right] \quad \Rightarrow \quad \mathrm{x}\left[t_{1}, \beta\right]=\mathrm{x}\left[t_{2}, \delta\right]\end{aligned}\) and \(\begin{aligned}\left(\mathrm{x}\left[k_{1}, \beta\right]=\mathrm{x}\left[k_{2}, \delta\right]\right) \wedge\left(\mathrm{DB}\left[\mathrm{s}\left[k_{1}\right]\right] \cap \mathrm{DB}\left[\mathrm{s}\left[k_{2}\right]\right] \neq \phi\right) \Rightarrow \overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \delta\right]\end{aligned}\).

To show that the distribution of S is same as G₈, we prove the distribution of EDB, X and xtoken is the same as that of G₈, respectively, the details of EDB in S are shown in algorithm 9. In S ,the generation of EDB is same as for G₈, in which \(\begin{aligned}w \in \overline{\mathrm{s}}\end{aligned}\) and \(\begin{aligned}|\bar{s}|<N\end{aligned}\) which is obvious by the definition of \(\begin{aligned}\overline{\mathrm{s}}\end{aligned}\), so S fills out the additional random elements of EDB. In both G₈ and S, the elements in EDB are computed in the same way, so the distribution of S and G₈ is indistinguishable.

The X in simulator S is generated by algorithm 10. In both simulator and G₈ the elements in X are randomly chosen from group G. For the Σ_w∈W DB[w] , there are N elements, in G₈, the elements are added to X for w ∈ W and ind ∈ DB(w). InS, this is done by keeping track of each

Algorithm 9 Generation of EDB in Simulator

 

Algorithm 10 Generation of X in Simulator

 

Algorithm 11 Generation of t in Simulator

addition with k₂, and adding additional (N − k₂) elements at last. For the distribution the X, we show that with the xtoken.

The transcript t including the xtokens in simulator S are generated by algorithm 11. They y and σ are being uniformly random , hence distributed identically both in G₈ and S. The reuse of σ is almost same in these two games, σ are reused when an sterm is repeated, while in S σ are reused when \(\begin{aligned}\overline{\mathrm{S}}\end{aligned}\) repeats.

Next, we observe that in calculating xtokens in G₈, the H is accessed either the id satisfies a conjunction query that id ∈ DB[s_k] ∩ DB[x[k,β]] or the id is in another query with the same xterm. The simulator S has the same logic by reading the σ(cnt)-th identifier in R which contains these two conditions.

Finally, we show that the reusage of H is same in G₈ and S when H is used for multiple times. Consider two elements of H that (id₁, x[k₁,β]) and (id₂, x[k₂,β]) are read in different queries in G₈, so id₁ either satisfies the conjunction query or another query with the same xtrem, so as to id₂. In S ,the simulator will read values from RP or IP where the indices are same with (id₁, \(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]\end{aligned}\))and (id₂, \(\begin{aligned}\overline{\mathrm{x}}\left[k_{2}, \beta\right]\\\end{aligned}\)) in H. We claim that:

\(\begin{aligned}\left(\mathrm{id}_{1}, \mathrm{x}\left[k_{1}, \beta\right]\right)=\left(\mathrm{id}_{2}, \mathrm{x}\left[k_{2}, \beta\right]\right) \Leftrightarrow\left(\mathrm{id}_{1}, \overline{\mathrm{x}}\left[k_{1}, \beta\right]\right)=\left(\mathrm{id}_{2}, \overline{\mathrm{x}}\left[k_{2}, \beta\right]\right)\end{aligned}\)       (1)

The left direction ⇐ of (1) is easy since that for \(\begin{aligned}\bar{x}\end{aligned}\), we have

\(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \delta\right] \Rightarrow \mathrm{x}\left[k_{1}, \beta\right]=\mathrm{x}\left[k_{2}, \delta\right]\end{aligned}\),

and \(\begin{aligned}\bar{x}\end{aligned}\) has another property that \(\begin{aligned}\left(\mathrm{x}\left[k_{1}, \beta\right]=\mathrm{x}\left[k_{2}, \beta\right]\right) \wedge\left(\mathrm{DB}\left[\mathrm{s}\left[k_{1}\right]\right] \cap \mathrm{DB}\left[\mathrm{s}\left[k_{2}\right]\right] \neq \phi\right) \Rightarrow\end{aligned}\)\(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \delta\right]\mathrm{DB}\left[\mathrm{s}\left[k_{1}\right]\right] \cap \mathrm{DB}\left[\mathrm{s}\left[k_{2}\right]\right] \neq \phi\end{aligned}\), if DB[s[k₁]]∩DB[s[k₂]]≠𝜙 ,then the direction ⇒ will be proven. Suppose that (id₁,x[k₁,β]) = (id₂,x[k₂,β]) ,we have id₁=id₂ ,but this means the id is in DB[s[k₁]]∩DB[s[k₂]] and the intersection is not empty, thus we have \(\begin{aligned}\overline{\mathrm{x}}\left[k_{1}, \beta\right]=\overline{\mathrm{x}}\left[k_{2}, \beta\right]\end{aligned}\).

5. Performance Analysis

To evaluate the performance of our DMC-SSE scheme, we conduct experiments based on real data set, and compared it with multi-client schemes Du [23] and Jarecki [19] that with similar functions from two aspects of function and performance.

5.1 Functional Analysis

First of all, we conduct a functional comparative analysis as shown in Table 1, although all three schemes implement multi-client SSE and support Boolean queries, but Du [23] and our scheme can better update the clients dynamically. As for the dynamic update of the client, both ACL and index are needed to be updated in the scheme proposed by Du, unlike this, only ACL is updated in our scheme. At last, our scheme supports dynamic updates of files, which is not supported by the other two schemes.

Table 1. Comparison of functionality features

As for computing overhead, only the most time-consuming operations are considered: exponential operation (denoted by ep) and bilinear pairing (denoted by bp), therefore, only the calculation cost of EDBSetup, TokenGen and Search algorithms are compared, other algorithms that use fewer of these operations are omited, i.e., ClientAuth. The comparison results are shown in Table 2, in which N_c denotes the number of clients and N_f denotes the number of files corresponding to the keyword w, besides, N_pis the total number of keyword-identifier pairs, Np =| DB(w)|. In our scheme, EDBSetup needs to computes 1 exponentiation to realize the attribute encryption of the symmetric key and the file identification, thus there are 2 ep in one keyword-identifier pair.

Table 2. Comparison of computing cost

Since the communication cost mainly depends on the size of the data transmitted in the network, the size of the data can be used to evaluate the communication cost. In our scheme, the data transmitted in the network is mainly the encrypted database and the search token generated during keyword query, so we use the size of them to evaluate the communication cos like Du [23], the comparison result is shown in Table 3. In which |·| denotes the size of a set or group and N_q is the number of keywords to query.

Table 3. Comparison of communication cost

5.2 Performance Analysis

We deploy our experiments on a local machine with an operating system of Ubuntu 18.04, Intel(R) Core (TM) i7-8550U CPU and 8 GB of RAM. We use python 3.6 to compile our programs on Pycharm 2020.2. We use charm-crypto library to implement cryptographic and group operations. For PRFs and hash functions, we use AES-128 and HMAC-MD5 respectively, also NIST 224p elliptic curves is used for group operations.

For dataset, we adopt Enron Email Dataset in our experiments. Enron Email Dataset has about 517401 email files from about 150 users. Keywords are extracted by the jieba library in python, and about 1672878 keywords are extracted and we generate an inverted index based on the extracted keywords, our experiments are mainly based on this index.

We analyze the experimental results of the three algorithms of EDBSetup, TokenGen, and Search, which are computationally expensive, to evaluate the performance of our scheme.

Fig. 3 shows the comparison results of the time cost in EDBSetup. In Fig. 3 (a), the scheme proposed by Du grows linearly with the number of clients, however, it has almost no impact on our scheme and the scheme proposed by Jarecki [19]. The reason is that Du [23] performs bilinear map operation for each client, which is not needed in our scheme. In Fig. 3 (b), all three schemes grow linearly with the number of keyword-identifier pairs, but our scheme takes less time than Jarecki [23].

Fig. 3. The time cost in EDBSetup. (a) the number of keyword-identifier is fixed at 6000 with various clients. (b) the number of clients is fixed at 10 with various keyword-identifier.

Fig. 4 shows the comparison results of the time cost in TokenGen. Our scheme and Jarecki [19] cost more time than Du [23] since the use bilinear mapping makes the number of tokens only depends on the number of keywords in Du [23]. The time cost of our scheme is almost the same as that of Jarecki [19], but it is more because our scheme needs to calculate the blind factor ctl[j] ← α_i · w_j when generating the token.

Fig. 4. The time cost in TokenGen. (a) the number of keyword-identifier is fixed at 200 with various keywords. (b) the number of keywords is fixed at 100 with various keyword-identifier.

Fig. 5 shows the time cost spent on a Boolean query in the three schemes, which grows linearly with the number of keywords and files in the above three schemes. The scheme of Du [23] has the highest time cost due to expensive bilinear pairing operation, since our scheme performs file filtering operations, our solution takes more time than Jarecki [19].

Fig. 5. The time cost in Search. (a) the number of keyword-identifier is fixed at 1000 with various keywords. (b) the number of keywords is fixed at 20 with various keyword-identifier.

6. Conclusion

In this paper, we propose a searchable symmetric encryption scheme for multi-client that supports Boolean queries, DMC-SSE, which realizes multi-keyword search in multi-client scenario and supports fine-grained access control of client, in addition, our scheme realizes full dynamic update of client and file. Experimental results and security analysis show that our scheme is correct, efficient and secure.