Keywords

1 Introduction

Internet of Things (IoT) introduces an emerging data collection paradigm that aims to obtain IoT data from pervasive things through distributed networks. The emerging paradigm creates new growth of economy, and more researchers pay close attention to the technology. In practical IoT, massive physical devices are connected with each other through wireless or wired network to collect data, such as smart homes and cities, smart vehicle networks, industrial manufacturing and smart environment monitoring. Moreover, data analysis is essential to enhance IoT service, for example the process optimization in industrial manufacturing. Therefore, to meet the requirement of data analysis, data sharing is deployed in IoT. However, with the growth-up scale of IoT, it is not efficient to store and search data directly from each resource-constrained IoT device.

To handle the lack of computing and storage power in IoT device, cloud-assisted method is introduced. This provides an economic and practicable platform with rich computing and storage resource and low cost in data sharing. Each IoT device, which is controlled by data owner, uploads shared data to the cloud server in encrypted format. The cloud server receives a search query which is submitted by an authorized user, and does query match and responds the corresponding encrypted data to the user.

Moreover, for a practical data sharing application in IoT, the users, who are authorized to search and access data, always update their search right dynamically. Therefore, dynamical right update has become a concern in date sharing. The authorization operation can be completed easily, and most studies paid close attention to the right revocation in the cloud assisted system. Especially, to maintain the property of data forward security, the users could not search the encrypted data by the old trapdoors computed from the old secret keys if their search privileges are withdrawn.

In the past, user’s right revocation in IoT data sharing scheme generally is not done at fine-grained level. Such schemes [19, 21,22,23] are not suitable for many cases. For example, a user transfers between different projects inside the same company. The manager might wish to reclaim the search right of project A from the staffs who have transferred to project B. Previous data sharing schemes can not meet this need, because after the search right revocation, the user is not able to search all the documents any more. To meet the requirement, search right revocation at document level is needed, where the data owner can reclaim each users’ search privilege in document level.

Our Contribution. In this paper, we aim to solve the fine-grained search right revocation problem for IoT data in keyword searchable encryption system, where forward secrecy is met. We proposed a new keyword searchable encryption scheme with fine-grained search right revocation at document level. The main contributions include:

  • We analyze the security requirements of public key keyword searchable encryption scheme with dynamic right revocation in an IoT data sharing system. To achieve forward secrecy for IoT data, we propose a new keyword searchable encryption scheme, which prompts a fine-grained search right revocation at document level.

  • We give a concrete construction to complete the search right revocation function for IoT data sharing system. In the construction, we design an user right revocation method without re-encryption operations on keyword ciphertexts, which is more efficient.

  • We analyze the performance evaluation of our scheme. The evaluation result shows that the scheme is practical for IoT applications.

1.1 Related Work

Since cloud-assisted technology is provided to improve IoT, the researchers are focus on data management stored in cloud server server. Moreover, data privacy becomes the concern in IoT data storage system. To ensure data security, the data owner needs to encrypt the data before sending it to the cloud server. In order to crease the quality of service, data manager needs to share IoT data with authorized users for data analysis. Keyword searchable encryption, which meets the requirement in data management, is proposed for secure data sharing. Therefore, the design of lightweight keyword searchable encryption construction is a challenge in IoT data sharing application.

To reduce the cost of massive key management in searchable symmetric encryption construction [1], the concept of public key encryption with keyword search (PEKS) is introduced by [2]. Moreover, multi-key searchable encryption and forward secrecy searchable encryption are presented to complete the functions of fine-grained document sharing and user right revocation in practical system.

Multi-key Searchable Encryption. The multi-key searchable encryption framework is designed by Popa et al. [5], and the first web application are built on Mylar in [6]. Only one trapdoor is provided to server, and keyword search match is completed by in different documents, which is encrypted by different keys. Moreover, an new security model for multi-owner searchable encryption are proposed by Tang [7] in this framework. Liu et al. [8] design a scheme in data sharing. Unfortunately, low performance problem is inevitable, because the trapdoor size is linear with the number of documents, in their scheme. To complete provable security, Rompay et al. [9] constructed a new scheme on proxy method. However, heavy overhead does not be ignored on proxy.

Combining with the study of [10], Cui et al. [11] proposed a new key-aggregate searchable encryption scheme, where an aggregation method on file keys is introduced to compute authorization key generation. One user generates a trapdoor to complete keyword search in all authorized file set to this user. However, Kiayias et al. [12] design two key guessing attacks to the study of [11]. Li et al. [14] and Liu et al. [15] proposed their two improved schemes to maintain data verification and multi-owner functions. However, in [14] and [15], the similar drawbacks as in [11] can be found. Kiayias et al. [12] proposed their improved scheme for the study of [11], and more communication and computation are inevitable. To reduce the computation and communication cost, [13] designs a new scheme.

Forward Secrecy Searchable Encryption. In recent studies [16,17,18], to achieve the function of fine-grained access control in searchable encryption, many schemes, in different scenario, are proposed based on attribute-based encryption. The study [17] implements user revocation in a practical multi-user and multi-owner scenario. In [18], a key-policy and a ciphertext-policy key searchable encryption scheme, where the data owner manages users’ search right, are proposed. To meet fine-grained search right management, Shi et al. [16] proposed an attribute-based keyword searchable encryption scheme.

However, all above schemes are constructed applying attribute based encryption, and the search right revocation is achieved from the attribute revocation, where re-encryption is needed to generate new keyword ciphertexts.

To adapt to more practical application, researchers introduced the random number method in computing the keys in each discrete time period without attribute-based encryption. The first scheme [19] is constructed using BLS short signature [20], and the keyword encryption is separated two phases. The first one is completed using a corresponding complementary key maintained by the server. The other one is executed by data sender to generate keyword ciphertexts. Dong et al. [21, 22] separated a search key to two parts, where one is users’ secret keys and the other one is re-encryption key stored on the server. To reduce the communication and computation cost on proxy, Wang et al. [23] designed a new forward secrecy searchable encryption without proxy, which is similar with the study of [22]. However, this scheme is used in the peer-to-peer scenario. Moreover, the above constructions can not provide the user revocation in fine-grained right management at document level.

2 Preliminaries

2.1 Bilinear Pairing

Bilinear Map. Let two multiplicative cyclic groups \(\mathbb {G}_1\) and \(\mathbb {G}_2\) be of the same prime order p, and gh be the generators of \(\mathbb {G}_1\). A bilinear pairing e is a map \(e: \mathbb {G}_1\times \mathbb {G}_1\rightarrow \mathbb {G}_2\) with the following properties:

  1. 1.

    Bilinearity: \(e(g^{r_1},h^{r_2})=e(g,h)^{r_1r_2}\) for all \(g,h\in \mathbb {G}_1\) and \(r_1,r_2\in \mathbb {Z}^{*}_{p}\).

  2. 2.

    Non-degeneracy: \(e(g,g)\ne 1\).

  3. 3.

    Computability: for any \(g,h\in \mathbb {G}_1\), e(gh) can be computed efficiently.

2.2 Complexity Assumptions

Computational Diffie-Hellman (CDH) Assumption. Let \(\mathbb {G}_1\) be bilinear groups of prime order p, given \(g,g^{Z_1},g^{Z_2}\in \mathbb {G}_1\) as input, it is infeasible to compute \(g^{Z_1Z_2}\in \mathbb {G}_1\), where \(Z_1,Z_2 \in \mathbb {Z}_p^*\).

Variational Computational Diffie-Hellman (CDH) Assumption. Let \(\mathbb {G}_1\) be bilinear groups of prime order p, given \(g,g^{Z_3},g^{Z_1Z_5},g^{Z_1Z_4},g^{Z_2Z_4},g^{Z_1Z_3Z_5}\in \mathbb {G}_1\) as input, it is infeasible to compute \(g^{Z_2Z_4Z_5}\in \mathbb {G}_1\), where \(Z_1,Z_2,Z_3,Z_4,Z_5 \in \mathbb {Z}_p^*\).

3 System Model

3.1 System Architecture

The Fig. 1 shows the system architecture, which is consisted of data owner, cloud server, user and IoT nodes. The system role of each party is described as follows.

Data Owner. The data owner is keys generator and data manager in the system. The data owner maintains a users list to generate and distribute all authorized keys to each user and encryption secret key to IoT nodes. Users’ search right managements are maintained to achieve the function of fine-grain right revocation.

Cloud Server. The cloud server provides the storage and search service for IoT data management. Especially, the cloud server is “honest but curious”, which completes search queries honestly and does not modify stored information maliciously. Moreover, it does not collude with other parties to guess the keyword information from ciphertexts and search queries.

Users. The users are registered in the data owner’s list and receive authorized keys from the data owner. The users can generate query trapdoor to search the data on the cloud server.

IoT Nodes. The IoT nodes are data collection nodes for a IoT system. Real-time data to the cloud server for data storage are handled and sent to the cloud server by the IoT nodes. To maintain the data privacy, the IoT nodes achieve the function of encryption for collection data. Moreover, in most actual scenes, encryption operations are executed in resource constrained IoT nodes. Therefore, designed scheme is focus on less computation cost in the system for IoT nodes.

Fig. 1.
figure 1

The fine-grained revocation searchable encryption system

Full size image

3.2 System Definition

Definition 1

As shown in Fig. 1, the keyword searchable encryption system definition with revocation capability in data sharing consists of the following eight algorithms:

  • \(\mathbf {Param}(\xi )\) : The algorithm takes security parameter \(\xi \) as input, and generates system global parameter \(\mathcal GP\).

  • \(\mathbf {KeyGen_S}(\mathcal GP)\) : The cloud server takes system parameter \(\mathcal GP\) as input, and outputs server’s public and secret key pair \((pk_Q,sk_Q)\).

  • \(\mathbf {KeyGen_{DO}}(\mathcal GP, \tau )\) : The data owner takes system parameter \(\mathcal GP\), time period \(\tau _b\) as input, and outputs his/her public and secret key pair (pksk) and IoT node secret key ek.

  • \(\mathbf {Authorize}(\mathcal{GP},\tau ,sk,S)\) : The data owner takes the system parameter \(\mathcal GP\), time period \(\tau _b\), data owner’s private key sk and authorized document set S as input, and outputs authorization key \(k_{au}\). The data owner sends \((k_{au}, S)\) to each corresponding user through a secure channel.

  • \(\mathbf {Encrypt}(\mathcal{GP},F_i,pk_Q,ek,w)\) : For a document \(F_i\) \((i\in \{1,\cdots ,n\})\), IoT node takes system parameter \(\mathcal GP\), IoT node secret key ek, server’s public key \(pk_Q\), the document number \(F_i\), keywords w as input, and generates ciphertexts C.

  • \(\mathbf {Query}(\mathcal{GP},\tau ,k_{au},pk,sk_Q,w)\) : An authorized user takes system parameter \(\mathcal GP\), time period \(\tau \), authorization key \(k_{au}\), data owner’s public key pk, server’s public key \(pk_Q\), a keyword w as input, and generates query trapdoor \(Tr_w\).

  • \(\mathbf {Adjust}(\mathcal{GP},\tau ,pk,S,Tr_w)\) : The cloud server takes system parameter \(\mathcal GP\), data owner’s public key PK, authorized document set S, query trapdoor \(Tr_w=\mathsf {Query}(\mathcal{GP},k_{au},w)\) as input, and outputs each adjust trapdoor \(Tr_i\) for each \(F_i\) in S.

  • \(\mathbf {Match}(\mathcal{GP},\tau ,pk,sk_Q,S,Tr_i,C)\) : A deterministic algorithm runs by the cloud server, which takes system parameter \(\mathcal GP\), time period \(\tau \), data owner’s public key pk, server’s private key \(sk_Q\), authorized document set S, an adjust trapdoor \(Tr_i=\mathsf {Adjust}(\mathcal{GP},pk,S,Tr_w)\), a ciphertext \(C=\mathsf {Encrypt}(\mathcal{GP},F_i, pk_Q,sk,w)\) as input, and outputs a symbol “True” if C contains w; Otherwise, “False”.

3.3 Security Requirement

To maintain the security of keyword searchable encryption system, keyword confidentiality and trapdoor privacy must be considered. Further, a keyword searchable encryption construction with user search right revocation function has the ability to distinguish the unrevoked users and revoked users. The correctness is satisfied for unrevoked users and the forward secrecy is maintained for revoked user.

Correctness. A keyword searchable encryption system is correct if it satisfies that each authorized user who has the authorized key can perform a successful keyword search.

Keyword Confidentiality. A keyword searchable encryption system maintains keyword confidentiality if it satisfies that only the authorized users can complete the keyword search, and unauthorized users are incapable of learning the privacy information of the stored keyword ciphertexts.

Query Privacy. A keyword searchable encryption system maintains query privacy if it satisfies that only the authorized users can generate a trapdoor from a keyword, and unauthorized users and the honest-but-curious cloud server are incapable to determine a keyword from the submitted query trapdoor.

Forward Secrecy. A keyword searchable encryption system is forward secrecy if it satisfies that the data owner can delete a user and revoke his ability from the system. Moreover, for each revoked user, the data owner can support more fine-grained search right revocation, which is corresponding to every document.

4 The Designed Scheme and Security Analysis

4.1 The Designed Scheme

Param\((\xi )\). The algorithm works as follows:

  1. 1.

    Take the security parameter \(\xi \) as input and generate a bilinear group parameters \((p,\mathbb {G}_1,\mathbb {G}_2,e)\);

  2. 2.

    Set the maximum number of documents as n for a data owner and the keyword space as m.

  3. 3.

    Choose a generator \(g\in \mathbb {G}_1\) and a collision resistant hash function \(H:\{0,1\}^*\rightarrow \mathbb {Z}_p^*\).

The system parameters are published as \((p,\mathbb {G}_1,\mathbb {G}_2,e,g,n,m,H:\{0,1\}^*\rightarrow \mathbb {Z}_p^*)\).

\(\mathbf {KeyGen_S}\). The cloud server randomly chooses a random secret key \(\beta _1\in \mathbb {Z}_p^*\) and computes \(u=g^{\beta _1}\in \mathbb {G}_1\). The server’s private key and public key are \((sk_Q,pk_Q)=(\beta _1,u)\).

\(\mathbf {KeyGen_{DO}}(\mathcal GP)\). At time period \(\tau _b\) \((b=1,\cdots ,\rho )\), the data owner randomly chooses \(d_b\in {\mathbb Z}_q^*\). The algorithm performs the following steps:

  1. 1.

    Randomly choose an element \(\alpha \in \mathbb {Z}_p^*\), and compute secret keys \(g_i=g^{(\alpha )^i} \in \mathbb {G}_1\) for \(i=(1,2,\dots ,n)\).

  2. 2.

    Randomly choose secret keys \(\beta _2,\gamma _1,\gamma _2\in \mathbb {Z}_p^*\), and compute the public parameters \(v=g^{\beta _2}\in \mathbb {G}_1\), \(h_{1,i,b}=g_i^{\gamma _1 \cdot d_b} \in \mathbb {G}_1\) for \(i=(1,2,\dots ,n)\), and \(h_{2,i,b}=g_i^{\gamma _2 \cdot d_b} \in \mathbb {G}_1\) for \(i=(1,2,\dots ,n,n+1,\dots ,2n)\).

  3. 3.

    Compute IoT node secret key \(ek=(ek_1,ek_2)=(u^{\gamma _1},v^{\gamma _1})\).

  4. 4.

    Destroy \(\alpha \).

The data owner’s private key \(sk=(\beta _2,\gamma _1,\gamma _2,{\lbrace g_i\rbrace }_{i=1,2,\dots ,n})\) is kept secretly and public key \(pk=(v, {\lbrace h_{1,i,b}\rbrace }_{i=1,2,\dots ,n},{\lbrace h_{2,i,b}\rbrace }_{i=1,2,\dots ,n,n+1,\dots ,2n})\) is stored on cloud server, respectively. Moreover, the data owner distributes the secret key ek to each IoT node.

\(\mathbf {Authorize}(sk,S)\). The data owner takes document subset \(S\subseteq \lbrace {1,\dots ,n}\rbrace \) as input, computes the authorized key: \(k_{au,b}=\prod _{j\in S}g_{n+1-j}^{\beta _2\cdot d_b}\). The data owner securely sends \((k_{au,b},S)\) to users.

\(\mathbf {Encrypt}(pk_Q,pk,ek,F_i,l)\). Each encryption node encrypts keyword \(w_l\), \((l\in \lbrace {1,\dots ,m}\rbrace )\) to the corresponding document \(F_i,(i\in \lbrace {1,\dots ,n}\rbrace )\), and uploads the ciphertexts to the cloud server. The encrypt node randomly chooses \(t_{i,l}\in \mathbb {Z}_p^*\) and computes ciphertext C as:

$$\begin{aligned} C&=(c_{1,i,l},c_{2,i,l},c_{3,i,w_{l}})\\&=(ek_1^{t_{i,l}},ek_2^{t_{i,l}},{(v^{H(w_l)}h_{2,i})^{t_{i,l}}})\\&=(g^{\gamma _1 {\beta _1t_{i,l}}},g^{\beta _2 \gamma _1 t_{i,l}},{(g^{\beta _2H(w_l)}g^{\gamma _2}_{i})^{t_{i,l}}}) \end{aligned}$$

\(\mathbf {Query}(k_{au,b},u,v,w_l)\). User chooses a random \(x\in Z_p^*\), and generates query trapdoor \(Tr_b=(Tr_{1,b},Tr_2)=({k_{au,b}}^{H(w_l)} v^x, u^x)\). The user sends \((Tr_b,S)\) to the cloud server.

\(\mathbf {Adjust}(pk,i,S,Tr)\). The cloud server runs the adjust algorithm to compute the discrete trapdoors \(Tr_{1,i}\) for each document \(F_i\) as:

$$Tr_{1,i,b}=Tr_{1,b}\cdot \prod _{j\in S,j\ne i}h_{2,(n+1-j+i),b}=Tr_{1,b}\cdot \prod _{j\in S,j\ne i}g^{\gamma _2\cdot d_b}_{n+1-j+i}.$$

\(\mathbf {Match}(Tr_{1,i,b},Tr_2,S,pk,sk_Q,C)\). The cloud server does keyword search match as follows:

  1. 1.

    Compute \(pub_b=\prod _{j\in S}h_{1,(n+1-j),b}=\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j}\) for the subset S;

  2. 2.

    Check the equation:

    $$\displaystyle \frac{e(pub_{b},c_{3,i,w_{l}})^{\beta _1}\cdot e(c_{2,i,l},Tr_2)}{e(Tr_{1,i,b},c_{1,i,l})} \overset{?}{=} e(h_{2,n+1,b},c_{1,i,l})$$

    If the result holds, outputs “True”. Otherwise, “False”.

If only one document \(F_j\) is authorized in S, \(k_{au}=g_j^{\beta _2 d_b}\). The cloud server does not run the \(\mathbf {Adjust}\) algorithm.

4.2 Security Analysis

Assuming that the public cloud server is “honest-but-curious” and does not colludes with the the revoked users. We analyze the security properties of our scheme including correctness, keyword confidentiality, query privacy and forward secrecy.

Theorem 1

\(\mathbf {Correctness}\): Each authorized user is able to retrieve the encrypted documents, which are authorized to search.

Proof

We show the correctness of our construction in the time period \(\tau _b\) \((b=1,\cdots ,\rho )\) as

$$\begin{aligned}&\displaystyle \frac{e(pub_b,c_{3,i,w_{l}})^{\beta _1}\cdot e(c_{2,i,l},Tr_2)}{e(Tr_{1,i,b},c_{1,i,l})}\\ =&\displaystyle \frac{e(\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j},(g^{\beta _2 H(w_l)}\cdot g^{\gamma _2}_i)^{t_{i,l}})^{\beta _1}\cdot e(g^{\beta _2 \gamma _1 t_{i,l}},g^{\beta _1x})}{e(Tr_{1,b}\cdot \prod _{j\in S,j\ne i}g^{\gamma _2\cdot d_b}_{n+1-j+i},g^{\gamma _1\beta _1t_{i,l}})}\\ =&\displaystyle \frac{e(\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j},g^{\beta _2 H(w_l) \beta _1t_{i,l}})\cdot e(\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j},g_i^{\gamma _2\beta _1t_{i,l}})\cdot e(g^{\beta _2 \gamma _1t_{i,l}},g^{\beta _1x})}{e((\prod _{j\in S}g_{n+1-j}^{\beta _2\cdot d_b})^{H(w_l)}\cdot v^x\cdot \prod _{j\in S,j\ne i}g^{\gamma _2\cdot d_b}_{n+1-j+i},g^{\gamma _1\beta _1t_{i,l}})}\\ =&\displaystyle \frac{e(\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j},g^{\beta _2 H(w_l) \beta _1t_{i,l}})\cdot e(\prod _{j\in S}g^{\gamma _1\cdot d_b}_{n+1-j},g_i^{\gamma _2\beta _1t_{i,l}})\cdot e(g^{{\beta _2 \gamma _1 t_{i,l}}},g^{\beta _1x})}{e((\prod _{j\in S}g_{n+1-j}^{\beta _2\cdot d_b})^{H(w_l)},g^{\gamma _1\beta _1t_{i,l}})\cdot e(g^{\beta _2 x},g^{\gamma _1\beta _1t_{i,l}})\cdot e(\prod _{j\in S,j\ne i}g^{\gamma _2\cdot d_b}_{n+1-j+i},g^{\gamma _1\beta _1t_{i,l}})}\\ =&\displaystyle \frac{e(\prod _{j\in S}g_{n+1-j+i},g)^{\gamma _1\cdot d_b\gamma _2\beta _1t_{i,l}}}{e(\prod _{j\in S,j\ne i}g_{n+1-j+i},g)^{\gamma _2\cdot d_b\gamma _1\beta _1t_{i,l}}}\\ =&e(g_{n+1},g)^{\gamma _1\gamma _2\cdot d_b\beta _1t_{i,l}}\\ =&e(g^{\gamma _2\cdot d_b}_{n+1},g^{\gamma _1\beta _1t_{i,l}})\\ =&e(h_{2,n+1,b},c_{1,i,l}). \end{aligned}$$

Theorem 2

\(\mathbf {Keyword \ Confidentiality}\): The proposed scheme is security on keyword confidentiality to resist the attack from unauthorized users.

Proof

The unauthorized users are curious to the keyword in keyword ciphertexts C and become attacker \(A_1\). It may obtain some information to launch an attack. \(A_1\) can obtain the stored information including public parameters, other documents search keys \(k_{j} (i\ne j)\), keyword ciphertexts C.

Assuming that the unauthorized users want to guess the keyword \(w_\theta \) from keyword ciphertexts \(C=(c_{1,i,{\theta }},c_{2,i,{\theta }},c_{3,i,w_{\theta }})=(u^{\gamma _1t_{i,{\theta }}},g^{\beta _2 \gamma _1 t_{i,{\theta }}},{(g^{\beta _2H(w_\theta )}g^{\gamma _2}_{i})^{t_{i,{\theta }}}})\) of document \(F_i\).

  • \(A_1\) retrieves the partial number \((g_i^{\gamma _2})^{t_{i,{\theta }}}\) from C. \(A_1\) maintains \(u^{t_{i,{\theta }}\gamma _1},v^{t_{i,{\theta }}\gamma _1}\), \(u,v,g_i^{\gamma _2},g_i^{\gamma _1}\) and wants to obtain \(g_i^{\gamma _2t_{i,{\theta }}}\). \(u,v,g_i \in \mathbb {G}_1\) and \(v=u^{z_1}, g_i=u^{z_2}\), where \(z_1,z_2 \in \mathbb {Z}_p^*\). \(A_1\) maintains \(u^{t_{i,{\theta }}\gamma _1},u^{z_1t_{i,{\theta }}\gamma _1},u,u^{z_1},u^{z_2\gamma _2},u^{z_2\gamma _1}\) and wants to obtain \(u^{z_2\gamma _2t_{i,{\theta }}}\). Therefore, if \(A_1\) can obtain the value of \(g_i^{\gamma _2t_{i,{\theta }}}\) in this case, \(A_1\) can solve Variational Computational Diffie-Hellman problem.

  • \(A_1\) retrieves the partial number \((g^{\beta _2H(w_\theta )})^{t_{i,{\theta }}}=(g^{\beta _2t_{i,{\theta }}})^{H(w_\theta )}\) from C. \(A_1\) needs the value of \(g^{\beta _2t_{i,{\theta }}}=v^{t_{i,{\theta }}}\). \(A_1\) maintains \(v^{t_{i,{\theta }}\gamma _1},v\) and wants to obtain \(v^{t_{i,{\theta }}}\). \(v\in \mathbb {G}_1\) and \(v=z^{\gamma _1^{-1}}\), where \(z\in \mathbb {G}_1\). \(A_1\) maintains \(z^{t_{i,{\theta }}},z^{\gamma _1^{-1}}\) and wants to obtain \(z^{t_{i,{\theta }}\gamma _1^{-1}}\). Therefore, if \(A_1\) can obtain the value of \(v^{t_{i,{\theta }}}\) in this case, \(A_1\) can solve Computational Diffie-Hellman problem.

Therefore, the attacker \(A_1\) does not distinguish \(w_\theta \) to achieve the attack goal.

Theorem 3

\(\mathbf {Query \ Privacy}\): The proposed scheme is security on query trapdoor privacy to resist the attack from honest-but-curious cloud server and unauthorized users, who do not have search right of attacked document \(F_i\).

Proof

(1) The honest-but-curious cloud server is curious to the keyword information in query trapdoor and becomes an attacker \(A_2\). It may obtain some information to launch an attack. \(A_2\) can obtain the stored information including public parameters, server secret key \(\beta _1\), other documents search keys \(k_{j} (i\ne j)\), submitted query trapdoor \(Tr_b\).

Assuming that the server wants to guess the keyword \(w_\theta \) from trapdoor \(Tr_b=(Tr_{1,b},Tr_2)=({k_{au,b}}^{H(w_\theta )} v^x, u^x)\), where S is the authorized search set and \(F_i\in S\), and becomes a attacker \(A_2\). \(A_2\) does the guess attacks as following:

  • \(A_2\) retrieve the partial number \(v^x\) from the \(Tr_b\). \(A_2\) maintains \(u,u^x,v\) and wants to obtain \(v^x\). \(u,v \in \mathbb {G}_1\) and \(v=u^z\), where \(z \in \mathbb {Z}_p^*\). \(A_1\) maintains \(u,u^x,u^z\) and wants to obtain \(u^{xz}\). Therefore, if \(A_2\) can obtain the value of \(v^x\) in this case, \(A_2\) can solve Computational Diffie-Hellman problem.

  • \(A_2\) computes the \({k_{au,b}}^{H(w_\theta )}\) from the secret key \(g_{n+1-i}^{\beta _2\cdot d_b}\). However, for \(F_i\), \(A_2\) only has a negligible probability to get the secret search key \(g_{n+1-i}^{\beta _2\cdot d_b}\), and the data owner’s private keys \(\beta _2, \gamma _1, \gamma _2\). Moreover, \(A_2\) computes \(Tr_{1,i,b}=Tr_{1,b}\cdot \prod _{j\in S,j\ne i}h_{2,(n+1-j+i),b}\), and get the discrete trapdoor \(Tr_{1,i,b}\) for the file \(F_i\). The computation is executed by the cloud server and leak no any information to \(A_2\) to determine \(w_{\theta }\) in the query trapdoor.

Therefore,\(A_2\) does not distinguish \(w_\theta \) to achieve the attack goal.

(2) The unauthorized users are curious to the keyword in submitted trapdoor and become attacker \(A_1\). It may obtain some information to launch an attack. \(A_1\) can obtain the stored information including public parameters, other documents search keys \(k_{j} (i\ne j)\), submitted query trapdoor \(Tr_b\).

Comparing with \(A_2\), \(A_1\) has weak capability because of the lack of server secret key. Therefore, \(A_1\) does not achieve the attack goal.

Theorem 4

\(\mathbf {Forward \ Secrecy}\): To maintain the fine-grained forward secrecy, the system manages the search right for each document. Each revoked user can not retrieve the special encrypted documents, which are revoked from his search right.

Proof

In the time period \(\tau _{bb}\), the revoked users could not get the new short time authorized key from our scheme. Therefore, he only has the ability to generate and send the old trapdoor \(Tr_b=(Tr_{1,b},Tr_2)\) from the old short time authorized key in time period \(\tau _b\) (\(b\ne bb\)). The server does the adjust and match algorithms as follows:

  1. 1.

    Compute \(Tr_{1,i,bb}'=Tr_{1,b}\cdot \prod _{j\in S,j\ne i}h_{2,(n+1-j+i),bb}=Tr_{1,b}\cdot \prod _{j\in S,j\ne i}g^{\gamma _2\cdot d_{bb}}_{n+1-j+i}\)

  2. 2.

    Compute the \(pub_{bb}=\prod _{j\in S}h_{1,(n+1-j),bb}=\prod _{j\in S}g^{\gamma _1\cdot d_{bb}}_{n+1-j}\) based on subset S.

  3. 3.

    Test the equation:

    $$\displaystyle \frac{e(pub_{bb},c_{3,i,w_{l}})^{\beta _1}\cdot e(c_{2,i,l},Tr_2)}{e(Tr_{1,i,bb}',c_{1,i,l})} \overset{?}{=} e(h_{2,n+1,bb},c_{1,i,l})$$

Due to \(Tr_{1,i,bb}'\ne Tr_{1,i,bb}\), the test equation does not hold.

From the above analysis, we show that the revoked users could not search the specific encrypted document by submitting the trapdoor generated from an old short time authorized key. Therefore, the forward secrecy is achieved in our scheme.

5 Performance Analysis

5.1 Implementation Details

The performance is constructed by the basic cryptographic operations in pairing computation. Two different settings are considered: one is in JAVA on smart phone, which has a 64-bit 8 core CPU processor (4 core processor runs at 1.5 GHz and 4 core processors runs at 1.2 GHz), 3 GB RAM with Android 5.1.1. The other is in C on computer, which has Intel Core i3-2120 CPU @3.30 GHz, 4.00 GB RAM with windows7 64-bits operation system. JPBC and PBC library [3] are used to implement the cryptographic operations for smart phone and computer, respectively. We choose the type A elliptic curve, which is shown as \(E : y^2 = x^3 + x\). To maintain the security and efficiency, our experiment is conducted as \(|Z_p|\) = 160 bits, \(|\mathbb {G}_1|\) = 1024 bits and \(|\mathbb {G}_2|\) = 1024 bits. Some useful experiment results [4] about pair computation are shown in Table 1.

Table 1. The computation time on different platforms (ms)
Full size table

5.2 Experiment Evaluation

In the IoT data sharing system simulation, the cloud server is considered as computer. Moreover, two different simulations are implemented for data owners on smart phone and computer. Smart phone and computer are instantiated on user, encryption node and data owner. \(\mathbf {Param}\), \(\mathbf {KeyGen_S}\), \(\mathbf {Adjust}\) and \(\mathbf {Match}\) run on the cloud server. \(\mathbf {KeyGen_{DO}}\) and \(\mathbf {Authorize}\) run on the data owner and \(\mathbf {Encrypt}\) runs on encryption node. \(\mathbf {Query}\) runs on user. Next, we discuss the performance evaluation of our construction on cloud server, data owner, encryption node and user.

The simulation results show in Fig. 2. The time cost of algorithms on cloud server, data owner, encryption node and user are matched to the Fig. 2(a)–(d), Fig. 2(e) and (f), Fig. 2(g) and Fig. 2(h), respectively. The evaluation analysis is shown as follows:

Fig. 2.
figure 2

The execution time of the algorithm in the system

Full size image

  • \(\mathbf {Param}\): Fig. 2(a) shows that the time cost of \(\mathbf {Param}\) is a constant size. Moreover, the operations are consisted of bilinear group generation and hash function setting.

  • \(\mathbf {KeyGen_S}\): Fig. 2(b) shows that the time cost of \(\mathbf {KeyGen_S}\) is a constant size. For instance, 9.22 ms is used on computer. Moreover, the operation only contains once exponentiation on group \(\mathbb {G}_1\).

  • \(\mathbf {Adjust}\): Fig. 2(c) shows that the time cost of \(\mathbf {Adjust}\) is linear in the number of authorized search documents for one submitted keyword search query. For instance, when S contains 1000 authorized documents, 359640 ms is used on computer.

  • \(\mathbf {Match}\): Fig. 2(d) shows that the time cost of \(\mathbf {Match}\) is linear in the number of authorized search documents for one submitted keyword search query. For instance, when S contains 1000 authorized documents, 77360 ms is used on computer.

  • \(\mathbf {KeyGen_{DO}}\): Fig. 2(e) shows that the time cost of \(\mathbf {KeyGen_{DO}}\) is linear in the maximum number of documents. For instance, when \(n=1000\), 28067 ms and 283620 ms are used on computer and smart phone, respectively. Therefore, the smart phone and computer meet the computation cost requirement in the system, because the \(\mathbf {KeyGen_{DO}}\) runs in system idle excepting the first key generation phase.

  • \(\mathbf {Authorzie}\): Fig. 2(f) shows that the time cost of \(\mathbf {Authorzie}\) is linear in the number of authorized search documents for one user. For instance, when the set S contains 1000 authorized documents, 368.82 ms and 4186.02 ms are used on computer and smart phone, respectively.

  • \(\mathbf {Encrypt}\): Fig. 2(g) shows that the time cost of \(\mathbf {Encrypt}\) is linear in the number of keywords for each document. Moreover, for each keyword, the time cost of \(\mathbf {Encrypt}\) is a constant size. For instance, 37.5 ms and 360.4 ms are used on computer and smart phone, respectively. Moreover, the operation only contains fourth exponentiations on group \(\mathbb {G}_1\) for each encryption node. Therefore, \(\mathbf {Encrypt}\) can be efficiently executed by resource constrained encryption nodes in IoT.

  • \(\mathbf {Query}\): Fig. 2(h) shows that the time cost of \(\mathbf {Trapdoor}\) is a constant size. For instance, 27.39 ms and 271.03 ms are used on computer and smart phone, respectively. Moreover, the operation only contains third exponentiations on group \(\mathbb {G}_1\) for every query.

6 Conclusion

In this paper, we propose a fine-grained search privilege revocation construction to maintain forward secrecy for IoT data. Our scheme achieves the proposal of user search right revocation at document level. We implement a practical construction and our evaluation shows that our scheme is efficient.