Abstract
The development of Internet of things (IoT) makes data exchange more frequently, and the cloud computing can provide stable storage and efficient computation for data users. To ensure the security and functionality of data, the efficiency of decryption and keyword search should be taken into consideration in resource-constrained IoT scenarios. In order to solve the above problems, a flexible keyword search scheme in IoT is proposed over encrypted data with outsourced decryption. First, the attribute-based encryption technology is applied, by which only users whose attributes meet the access control structure can access the sharing data. Second, the reciprocal mapping of Lagrange polynomials technology is employed to implement keyword search in a large number of ciphertext data. Third, the decryption of ciphertext is outsourced to improve the efficiency of decryption on the client side. The security and performance analysis indicates that the proposed scheme is secure and efficient.
Avoid common mistakes on your manuscript.
1 Introduction
The development of Internet of things (IoT) makes data exchange more frequently. In the IoT scenario, information security is related to enterprises [1] and individuals [2]. In addition, the cloud computing can provide stable storage and efficient computation for data users (smart phones, smart watches, etc). Information stored on cloud servers is exposed to distributed and dynamic network environment [3]. In an open network environment, the security and privacy of data [4] will be greatly threatened in the data storage [5,6,7,8,9], data access [10, 11], data search [12,13,14,15], data processing [16], data transmission [17,18,19] and data sharing [20]. It is a good solution to encrypt data before uploading data. Furthermore, the sharing of data is another very interesting topic. In order to access the data more efficiently, the notion of attribute-base encryption (ABE) [21] is proposed.
In ABE system, the secret key does not involve the identity of users. To prevent the abuse of the secret key, traceable ABE schemes [22,23,24] are proposed. When a large amount of ciphertext data is stored on the server, data access control [25] and finding the data that users need [26] are problems that have to be taken into consideration. Fortunately, searchable ABE [27, 28] can solve these problems well. ABE, however, requires a lot of computation, especially in the decryption stage. In the ABE system, some work [29, 30] is done to improve the efficiency of ABE. In order to further improve efficiency and make full use of cloud computing technology, a lot of computation can be outsourced to cloud servers to reduce the computational pressure of terminals [31,32,33,34]. Therefore, the outsourcing decryption of ABE [35, 36] can break the bottleneck of the efficiency of ABE.
In order to solve the above problems, we put forward the flexible keyword search scheme over encrypted data with outsourced decryption for IoT. Our scheme has the following three advantages: First, the attribute-based encryption technology is applied, by which only users whose attributes meet the access control structure can access the sharing data. Second, the reciprocal mapping of Lagrange polynomials technology is employed to implement keyword search in a large number of ciphertext data. Third, the decryption of ciphertext is outsourced to improve the efficiency of decryption on the client side.
2 Preliminaries
We give the relevant knowledge that will be used in the construction and proof of the following scheme in this section.
2.1 Bilinear pairing
Let G1 and G2 represent the multiplicative cyclic groups with the prime order p. The generator of G1 is g. A bilinear pair e : G1 × G1 → G2 has the following properties [37]:
-
1.
Bilinear: e(ua, vb) = e(u, v)ab, where a, b ∈ Zp, u, v ∈ G1.
-
2.
Non-degenerate: ∃u, v ∈ G1, make e(u, v) ≠ 1.
-
3.
Computability: ∀u, v ∈ G1, e(u, v) can be calculated in the polynomial time.
2.2 Access control tree
Let x express a node in an access control tree T. For each non-leaf node, there is a relationship between the threshold value kx and its m child nodes 0 < kx ≤ m. kx = 1 and kx = m represent an or gate and an and gate, respectively. For each leaf node x that is regarded as an attribute, its threshold value is 1. The function pa(x) is defined as the parent of node x. the function att(x) is defined as the attribute value for the leaf node x. The function index(x) returns the number that the node x is numbered from 1 to m.
2.3 Satisfying an access control tree
Let Tx be the subtree of the root node t at node x. Hence, T and Tt are the same. When the attribute set Y satisfies the access control tree Tx, Tx(Y ) = 1. Tx(Y ) is obtained by the following recursive algorithm: For a leaf node, when att(x) ∈ Y, Tx(Y ) = 1. For a non-leaf node x, if there are at least kx child nodes returning 1, Tx(Y ) = 1.
2.4 Lagrange interpolation polynomials
In the following, we can get k polynomials of degree k − 1 from k different numbers xi, where i = 1,2,...,k [38].
Then, \(F_{t}(x_{i})=x^{t-1}_{i}\), 1 ≤ i ≤ k can be obtained from the constant t(1 ≤ t ≤ k) and polynomial \(F_{t}(x)=\sum \limits _{i = 1}^{k}x_{i}^{t-1}f_{i}(x)\). Obviously, for the two functions Ft(x) and xt− 1 with the same k points, their maximum degree is k − 1, and we have
then
The two mappings \(\hat {r}\) and \(\hat {R}\) on \({G^{k}_{1}}\) can be constructed from the definition of fi(x) as follows.
\(\hat {r}\): \({G_{1}^{k}}\rightarrow {G_{1}^{k}}\) is defined as follows: (r1,⋯,rk) → (R1,⋯,Rk), where \(R_{j}=\prod \limits _{i = 1}^{k}r^{a_{i,j}}_{i}\), j = 1,2,⋯,k.
\(\hat {R}\): \({G_{1}^{k}}\rightarrow {G_{1}^{k}}\) is defined as follows: (R1,⋯,Rk) → (r1,⋯,rk), where \(r_{j}=\prod \limits _{j = 1}^{k}R^{x_{i}^{j-1}}_{j}\), i = 1,2,⋯,k.
\(\hat {R}\) and \(\hat {r}\) are reciprocal: If G1, fi(x), \(\hat {R}\) and \(\hat {r}\) are as defined above, then \(\hat {R}(\hat {r})= 1\), \(\hat {r}(\hat {R})= 1\). Let \(\hat {R}_{i}\) denote the i-th component of \(\hat {R}\), then \(\hat {R}_{i}(R_{1},{\cdots } ,R_{k})=r_{i}\).
2.5 The truncated (t, q, ε)-ABDHE assumption
Given \((g,g^{a},g^{a^{2}},\cdots ,g^{a^{q}},g^{\prime },g^{\prime a^{q + 2}},T)\), where T ∈ G2, g′ = gz, z ∈ Zp. If \(T=e(g,g^{\prime })^{a^{q + 1}}\), output 1, otherwise output 0 [39]. Define an arbitrary polynomial-time adversary B’s advantage function \(Adv^{q-ABDHE}_{B}\) as
If in time t, \(Adv^{q-ABDHE}_{B}<\varepsilon \), then the (t, q, ε)-ABDHE assumption is said to hold on (G1, G2).
2.6 Decisional BDH assumption
Randomly choose a, b, c, z ∈ Zp. Suppose g is a generator of G1. The advantage \(Adv_{B}^{DBHD}\) [40] of an arbitrary polynomial time adversary B is defined as
If \(Adv_{B}^{DBHD}\) is negligible, the DBDH assumption holds.
3 Model and definition
We mainly introduce the system architecture, the system scheme and the security model in this part.
3.1 System architecture
The system architecture is shown in Fig. 1. CT is the ciphertext, I is the keyword index, T is the trapdoor, PT is the partial ciphertext, TK is the transformation key, and SK is the secret key. The following entities are involved in this system.
-
Data owner (DO): DO provides shared data and specifies the attribute set when encrypting. DO is a terminal device of IoT, such as a smart phone and a smart watch, etc.
-
Data user (DU): DU is a data consumer in the system. When the attributes of DU satisfy the access control structure, he can access data. DU is a terminal device of IoT, such as a smart phone and a smart watch, etc.
-
Attribute Authority (AA): AA manages DO and DU. At the same time, AA is responsible for the distribution of the secret key and the transformation key. AA is a credible entity.
-
Cloud server (CS): CS is responsible for storing the shared ciphertext.
-
Computing server (OS): OS is a computing server that can decrypt the ciphertext partially.
3.2 System scheme
Our scheme is composed of the following algorithms:
-
Setup(U) → PK, MK: The algorithm takes the global attributes U as input with public parameters PK and the master key MK as output.
-
KeyGen(MK, T) → TK, SK: The algorithm takes the master key MK and the access control structure T as input with the transformation key TK and the secret key SK as output.
-
Enc(Y, m, W1, W2,⋯ ,Wk) → CT, I: The algorithm takes the attribute Y and the message m containing the keywords W1, W2,⋯ ,Wk as input with the ciphertext CT and the keyword index I as output.
-
Trapdoor(SK, W) → TW: The algorithm takes the secret key SK and the keyword W as input with the keyword trapdoor TW as output.
-
Test(I, TW, x) → 0,1: The algorithm takes the keyword index I, the keyword trapdoor TW and the node of user x as input with 0 or 1 as output.
-
Dec(CT, SK, x) → m: The algorithm takes the ciphertext CT, the secret key SK and the node of user x as input with the plaintext m as output.
3.3 Security model
The security model of the scheme is divided into the security model of keywords and the security model of the scheme.
The security model of keywords: A secure model interactive game between an adversary A and a challenger C is as follows:
-
Setup: C calls the algorithm Setup(U) → PK, MK and returns the PK to A.
-
Trapdoor queries: A adaptively asks the C for the trapdoor TW. C calls the algorithm Trapdoor(SK, W) → TW, and returns TW to A.
-
Challenge: A sends a message m containing k + 1 keywords W0, W1,⋯ ,Wk to C. C selects b ∈{0,1} randomly, and then calls the algorithm Enc(Y, m, Wb, W2,⋯ ,Wk) → CT, I. C then returns the I to A. In this process, A cannot ask the key trapdoors of W0 and W1.
-
Phase 2: A does the same inquiry at this stage as the Phase 1.
-
Guess: The result guessed b′∈{0,1} is outputted.
The advantage of the adversary A in the game is defined as follows:
Definition 1
Suppose that an arbitrary polynomial time adversary A in the time t, does inquiries at least qw times. And A can win the above game with the at most 𝜖 advantage. Then our scheme is the (t, qw, 𝜖) semantic security.
The security model of the scheme: A secure model interactive game between an adversary A and a challenger C is as follows:
-
Init: A declares attributes Y to challenge
-
Setup: C calls the algorithm Setup(U) → PK, MK and returns the PK to A.
-
Phase 1: A queries to C the secret key SK related to the access structure T. C calls the algorithm KeyGen(MK, T) → TK, SK and returns SK to A, where Y ∉T.
-
Challenge: A sends two messages m1, m2 containing k keywords W1, W2,⋯ ,Wk to C. C selects b ∈{0,1} randomly, and then calls the algorithm Enc(Y, mb, W1, W2,⋯ ,Wk) → CT, I. C then returns the CT to A.
-
Phase 2: A does the same inquiry at this stage as the Phase 1.
-
Guess: The result guessed b′∈{0,1} is outputted.
The advantage of the adversary A in the game is defined as follows:
Definition 2
Suppose that an arbitrary polynomial time adversary A can win the above game with at most a negligible advantage. Then our scheme is secure in the Selective-Set model.
4 Secure and flexible keyword search over encrypted data in IoT
Our scheme consists of the following six algorithms: System Initialization, Secret Key Distribution, Data Uploading, Trapdoor Generation, Keyword Search, and Data Decryption. In the system initialization phase, AA calls the algorithm Setup(U), then announces the system parameters PK, and saves the system master secret key MK. When users join in the system, the user sends an access control tree to AA, and then AA calls algorithm KeyGen(MK, T) to generate the transformation key TK and the secret key SK. When an user collects data or has data that he wants to share, he calls the algorithm Enc(Y, m, W1, W2,⋯ ,Wk), then uploads the ciphertext CT and the keyword index I to CS. When DU wants to retrieve data, he calls the algorithm Trapdoor(SK, W) to generate a keyword trapdoor TW and sends it to CS. When CS receives the keyword trapdoor TW, it will call the algorithm Test(I, TW, x) to check whether the file that the user wants to search exists. When the searched file exists, CS sends CT to OS, and DU sends TK to OS, then OS carries out the partial decryption, returns the partial ciphertext to DU. Finally, DU decrypts the partial ciphertext again.
4.1 System initialization
AA calls the algorithm Setup(U) → PK, MK, and the concrete process is as follows: Randomly choose \(\alpha ,y\in \mathbb {Z}_{p}\), g2 ∈ G1 and t1, t2,⋯ ,tn+ 1 ∈ G1. Compute g0 = gα, \(g_{1}=g^{^{y}}\), and g2 is randomly chosen from \(\mathbb {G}_{1}\). Let N = {1,2,⋯ ,n + 1}. A function F is defined as follows:
The system’s public parameters PK and the master secret key MK are as follows:
4.2 Secret key distribution
In the secret key generation stage, the interaction between AA and users is shown in Fig. 2. When AA receives the access control tree T from the user, AA calls the algorithm KeyGen(MK, T) → TK, SK. Then, TK and SK are returned to users. The concrete algorithm is as follows:
For every node of the access control tree T, select a polynomial p(x). Here’s the equation dx + 1 = kx, where dx is the degree of p(x) and kx is the threshold value of nodes. For the root node, pt(0) = y. The other points are chosed randomly. For other nodes, px(0) = ppa(x)(index(x)). The other points are chosed randomly. In this way, the polynomials of each node are determined. The transformation key TK is as follows:
where rx is randomly selected from \(\mathbb {Z}_{p}\). The user’s private key is
4.3 Data uploading
In the encryption stage, the interaction between CS and DO is shown in Fig. 3. DO calls the algorithm Enc(Y, m, W1, W2,⋯ ,Wk) → CT, I, and then uploads the ciphertext CT and the keyword trapdoor I to CS. The concrete process of the algorithm is as follows:
First compute H(Wi) = ωi, where i = 1,2⋯ ,k. Next, the mappings \(\hat {r}_{1}\) and \(\hat {R}_{1}\) from \({G^{k}_{1}}\) to \({G^{k}_{1}}\) and the mappings \(\hat {r}_{2}\) and \(\hat {R}_{2}\) from \({G^{k}_{2}}\) to \({G^{k}_{2}}\) will be constructed. Randomly choose sj, c ∈ Zp, compute \(u_{j}=g_{0}^{s_{j}}g^{-s_{j}\omega _{j}}\), \(v_{j}=e(g,g)^{s_{j}}\), \(m_{j}=e(g,g_{2})^{s_{j}}\), and set \((U_{1},\cdots ,U_{k})=\hat {r}_{1}(u_{1},\cdots ,u_{k})\), \((V_{1},\cdots , V_{k})=\hat {r}_{2}(v_{1},\cdots , v_{k})\), \((M_{1},\cdots , M_{k})=\hat {r}_{2}(m_{1},\cdots , m_{k})\).
Finally, the ciphertext and keyword index are set as follows:
4.4 Trapdoor generation
In the trapdoor generation phase, the interaction between CS and DU is shown in Fig. 4. DU calls the algorithm Trapdoor(SK, W) → TW, then uploads the keyword trapdoor TW to CS. The keyword Trapdoor TW is generated as follows:
where ω = H(W), rw ∈ Zp, and \(h_{W}=(g_{2},g^{-r_{W}})^{\frac {1}{z-\omega }}\).
4.5 Keyword search
When CS receives the keyword trapdoor TW from DU x, the CS calls algorithm Test(I, TW, x) → 0,1. The concrete process is as follows: First compute the value of U, V, M, where j = 1,2,⋯ ,k:
If the equation
holds, the searched file containing the keyword exists; otherwise, it does not exist.
The correctness of the test phase is shown as follows.
Correctness
If Wi ∈ W1, W2,⋯ ,Wk, then according to the mappings \(\hat {r}\) and \(\hat {R}\), we have
Similarly, \(U=g_{0}^{s_{i}}g^{-s_{i}\omega _{i}}\), \(V=e(g,g)^{s_{i}}\). Therefore,
4.6 Data decryption
In the decryption stage, the interaction between CS, OS, and DU is shown in Fig. 5. The decryption stage is divided into two parts: outsourcing decryption and local decryption. DU sends a keyword trapdoor T to CS. If the file exists, CS sends the ciphertext to OS, and DU uploads the transformation key TK to OS. OS decrypts CT partially, and then returns partial ciphertext PT to DU. The concrete process is as follows:
-
Decout(CT, TK, x) → PT: The function Dec(CT, TK, x) is defined as follows:
When x is a leaf node, where i = att(x), then,
$$ Dec(CT,TK,x)=\left\{\begin{array}{llll} \frac{e(D_{x},C^{\prime\prime})}{e(R_{x},C_{i})}, & i\in Y\\ \perp, & \text{otherwise} \end{array}\right. $$(6)If W ∈ W1, W2,⋯ ,Wk, we know
$$\begin{array}{@{}rcl@{}} \frac{e(D_{x},C^{\prime\prime})}{e(R_{x},C_{i})} &=& \frac{e(g_{2}^{\frac{p_{x}(0)}{\beta}}\cdot F(i)^{\frac{r_{x}}{\beta}},g^{c})}{e(g^{\frac{r_{x}}{\beta}},F(i)^{c})} \\ &=& \frac{e(g_{2}^{\frac{p_{x}(0)}{\beta}}\cdot g^{c})\cdot e(F(i)^{\frac{r_{x}}{\beta}},g^{c})}{e(g^{\frac{r_{x}}{\beta}},F(i)^{c})} \\ &=& e(g,g_{2})^{\frac{c\cdot p_{x}(0)}{\beta}}. \end{array} $$When x is a non-leaf node, Dec(CT, TK, x) is performed as follows: For each child node x′, let \(D_{x^{\prime }}=Dec(CT,TK,x^{\prime })\). If there are k such child nodes, the following operation is performed, otherwise the algorithm will be terminated.
$$\begin{array}{@{}rcl@{}} D_{x} &=&\left( \prod\limits_{x^{\prime}\in S_{x}}D_{x^{\prime}}^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right) \\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}\left( e(g,g_{2})^{\frac{c\cdot p_{x^{\prime}}(0)}{\beta}}\right)^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right)\\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}\left( e(g,g_{2})^{\frac{c\cdot p_{pa(x^{\prime})}(index(x^{\prime}))}{\beta}}\right)^{\bigtriangleup_{i,S^{\prime}_{x}(0)}}\right) \\ &=&\left( \prod\limits_{x^{\prime}\in S_{x}}e\left( g,g_{2}\right)^{\frac{c\cdot p_{x}(i)\cdot \bigtriangleup_{i,S^{\prime}_{x}(0)}}{\beta}}\right) \\ &=&e(g,g_{2})^{\frac{c\cdot p_{x}(0)}{\beta}}, \end{array} $$where \(i=index(x), S^{\prime }_{x}=\{index(x^{\prime }):x^{\prime }\in S_{x}\}\).
Then, OS can get the partial ciphertext \(PT=Dec(CT,TK,t)=e(g,g_{2})^{\frac {c\cdot y}{\beta }}=e(g_{1},g_{2})^{\frac {c}{\beta }}\) by calling Dec(CT, TK, t), where t is the root node, if and only if the ciphertext satisfies the access control tree.
-
Dec(PT, SK): When receiving the partial ciphertext sent by OS, DU decrypts the partial ciphertext as follows:
$$m=\frac{C^{\prime}}{PT^{SK}}. $$
5 Analysis of our scheme
The security model of the scheme is divided into the security analysis of keywords and the security analysis of the scheme.
5.1 Security analysis of keywords
Theorem 1
Suppose that the (t, q, ε)-ABDHEassumption holds on (G1, G2),then our scheme has semantic security, whereqW = q − 1,ε′ = ε + 2/p,t′ = t − O(texp ⋅ q2),texpis the time of the exponential operation onG1.
Proof
The security of our scheme can be reduced to that of the scheme [15], which is denoted by \({\prod }_{L}=(Setup_{L}, KeyGen_{L}, Enc_{L}, Trap_{L}, Test_{L}, Dec_{l})\). Note that the security of the scheme in [15] is based on the (t, q, ε)-ABDHE assumption. The game among adversary A, simulator B and challenger C in [15] is as follows:
- Init: :
-
B calls the C running algorithm SetupL to get the system public parameters PK = (g0, g1, g2, t1, t2,...,tn+ 1). Then, B returns PK to A.
- Trapdoor queries: :
-
When A inquires about the trapdoor of W ∈{0,1}∗, B makes the same inquires to C. C executes the algorithm TrapL. Then, C returns \(T_{W}=(\omega ,f_{1}(\omega ),g^{F_{W}(a)},D_{x},R_{x})\) to B. Finally, B returns \(T_{W}=(\omega ,f_{1}(\omega ),g^{F_{W}(a)})\) to A.
- Challenge: :
-
A sends k + 1 keywords W0, W1,⋯ ,Wk. If a ∈ H(Wj), where j = 1,2,⋯ ,k, then B makes the same inquires to C. C executes the algorithm EncL. Then, C returns IL = (Cu, Cv, Cm) to B. B returns I = IL = (Cu, Cv, Cm) to A.
- Phase 2: :
-
A does the same inquiry at this stage as the Phase 1.
- Guess: :
-
The result guessed b′∈{0,1} is outputted.
Therefore, if the adversary A breaks our scheme with the advantage that can not be ignored, the simulator B will be able to call the challenger C in [15] to break the (t, q, ε)-ABDHE assumption. □
5.2 Security analysis of the scheme
Theorem 2
Our scheme has semantic security under the Decisional BDH assumption.
If the adversary A breaks our system with a non-negligible advantage, the simulator B will break the DecisionalBDH assumption with a non-negligible advantage.
Proof
The interaction between A and B is as follows:
- Init: :
-
A selects the attribute set Y to challenge and sends Y to B.
- Setup: :
-
B randomly generates a, b ∈ Zp, then let g0 = ga, g1 = gb, where g is the generator of G, and a polynomial f1(x) of degree n will be randomly selected. Make the polynomial f1(x) to satisfy: if x ∈ Y, u(x) = −xn, otherwise u(x) ≠ − xn. After that, let \(t_{i}=g_{2}^{u(i)}g^{f_{1}(i)}\), where i = 1,2,⋯ ,n + 1, then \(F(i)=g^{i^{n}+u(i)}_{2}g^{f_{1}(i)}\). Then, the public parameter is PK = (g0, g1, t1, t2,⋯ ,tn+ 1). Finally B returns PK to A.
- Phase 1: :
-
A inquires the secret key related to an access structure tree T, where T(Y ) = 0. For each node in T, an polynomial Qx of degree dx is determined by B. We use \(Poly(T_{x},Y,g^{\lambda _{x}})\) to determine the process of accessing the polynomial of node x in T, where Tx expresses the access subtree of the root node, Y is the attribute set and \(\lambda _{x}\in \mathbb {Z}_{p}\). qx is defined the polynomial of the root node x, where qx(0) = λx. If the number hx of children of x satisfies attribute Y , where hx < dx, then for each satisfied child x′ of x, let \(q_{x}(index(x^{\prime }))=\lambda _{x}^{\prime }\). The procedure randomly selects dx − hx points which do not satisfy the attribute. Then, we can recursively call \(Poly(T_{x},Y,g^{\lambda _{x}})\) to determine all polynomials.
For each node in the tree T, Poly(Tx, Y, A) is called to define the polynomial qx. For each leaf node x in T, where T(Y ) = 1, qx is known. Otherwise \(g^{q_{x}(0)}\) is known. Now B defines Qx(⋅) = qx(⋅), Qr(0) = qr(0) = y = c for each node x in T. The secret key of each leaf node is defined as follows:
If i ∈ Y,
where \(r_{x}\in \mathbb {Z}_{p}\)
If i∉Y, where \(g_{3}=g^{Q_{x}(0)}=g^{q_{x}(0)}\),
where \(r^{\prime }_{x}\in \mathbb {Z}_{p}\)
Let \(r_{x}=r_{x}^{\prime }-\frac {q(0)}{i+u(i)}\), then
where
After that, B randomly selects z, β ∈ Zp, then calculates \(D^{\prime }_{x}=D_{x}^{\frac {1}{\beta }}\), \(R^{\prime }_{x}=R_{x}^{\frac {1}{\beta }}\), and finally returns \(TK=(D^{\prime }_{x},R^{\prime }_{x})\) and SK = (z, β) to A.
- Challenge: :
-
A sends two messages \(m^{\ast }_{0}\) and \(m^{\ast }_{1}\) with the same length to B. B randomly selects b ∈{0,1} to encrypt \(m^{\ast }_{b}\). The ciphertext is as follows:
$$CT=(C^{\prime}=m^{\ast}_{b}\cdot Z, C^{\prime\prime}=g^{c}),\{C_{i}=F(i)^{c}\}_{i\in Y}, $$where c ∈ Zp is selected randomly. Finally, the ciphertext CT is sent to A.
- Phase 2: :
-
A makes the same query as Phase 1.
- Challenge: :
-
A outputs the guess b ∈{0,1}.
If Z = e(g1, g2)c = e(g, g)abc, the ciphertext is a valid ciphertext. Otherwise, Z = e(g1, g2)z is a random number. Therefore, if A can break through our system with the advantage that can not be ignored, then B can solve the Decisional BDH assumption. □
5.3 Efficiency analysis
The proposed scheme can realize one-to-many encryption and multi-keyword search. We compare our scheme with Zhang et al’s scheme [41]. Let tg represent the time of an exponent operation in G. Let tt represent the time for an exponent operation in GT. Let p represent the time of a pairing operation. n is the total number of keywords. k is the number of keywords carried by the ciphertext. The multiplication and hash operation are ignored. The comparison results are displayed in Table 1. For more accurate comparisons, we conducted efficiency tests on the same platform, and the results are shown in Figs. 6 and 7.
As shown in Figs. 6 and 7, the performance of our scheme is better than that of the scheme [41] in the threshold generation and keyword matching phases. In addition, the outsourcing technology is used in our scheme. The efficiency of decryption stage does not increase with the increase of the number of attributes. In general, our scheme is feasible in the IoT scenario.
6 Conclusion
In this paper, in order to solve the ciphertext retrieval and the efficiency bottleneck in the IoT scenario, the flexible keyword search scheme over encrypted data with outsourced decryption for IoT is presented. The scheme has the following three features: First, the attribute-based encryption technology is applied, by which only users whose attributes meet the access control structure can access the sharing data. Second, the reciprocal mapping of Lagrange polynomials technology is employed to implement keyword search in a large number of ciphertext data. Third, the decryption of ciphertext is outsourced to improve the efficiency of decryption on the client side. In general, our scheme is feasible in the IoT scenario. In the future work, in order to deal with dishonest calculations in cloud computing, we will verify the correctness of outsourcing calculations.
References
Jhaveri RH, Patel NM, Zhong Y, Sangaiah AK (2018) Sensitivity analysis of an attack-pattern discovery based trusted routing scheme for mobile ad-hoc networks in industrial iot. IEEE Access 6:20085–20103
Shen J, Wang C, Li T, Chen X, Huang X, Zhan ZH (2018) Secure data uploading scheme for a smart home system. Inform Sci 453:186–197
Wu A, Zheng D, Zhang Y, Yng M (2018) Hidden policy attribute-based data sharing with direct revocation and keyword search in cloud computing. Sensors 18(7):1–17. https://doi.org/10.3390/s18072158
Zhang Y, Wu A, Zheng D (2018) Efficient and privacy-aware attribute-based data sharing in mobile cloud computing. J Ambient Intell Humaniz Comput 9(4):1039–1048
Chen X, Li J, Weng J, Ma J, Lou W (2016) Verifiable computation over large database with incremental updates. IEEE Trans Comput 65(10):3184–3195
Li J, Liu Z, Chen X, Xhafa F, Tan X, Wong DS (2015) L-encdb: a lightweight framework for privacy-preserving data queries in cloud computing. Knowl-Based Syst 79:18–26
Zhang Y, Zheng D, Deng RH (2018) Security and privacy in smart health: e policy-hiding attribute-based access control. IEEE Internet Things J 5(3):2130–2145
Wang J, Chen X, Huang X, You I, Xiang Y (2015) Verifiable auditing for outsourced database in cloud computing. IEEE Trans Comput 64(11):3293–3303
Zhang Y, Yang M, Zheng D, Lang P, Wu A, Chen C (2018) Efficient and secure big data storage system with leakage resilience in cloud computing. Soft Comput 22(23):7763–7772
Zhang Y, Zheng D, Guo R, Lan Q (2018) Fine-grained access control systems suitable for resource-constrained users in cloud computing. Comput Inf 37(2):327–348
Zhang Y, Deng RH, Han G, Zheng D (2018) Secure smart health with privacy-aware aggregate authentication and access control in Internet of Things. J Netw Comput Appl 123:89–100
Li H, Liu D, Dai Y, Luan TH, Shen XS (2015) Enabling efficient multi-keyword ranked search over encrypted mobile cloud data through blind storage. IEEE Trans Emerging Topics Comput 3(1):127–138
Wang J, Chen X, Li J, Zhao J, Shen J (2017) Towards achieving flexible and verifiable search for outsourced database in cloud computing. Futur Gener Comput Syst 67:266–275
Zhang Y, Deng RH, Jiangang S, Kan Y, Dong Z (2018) Tkse: trustworthy keyword search over encrypted data with two-side verifiability via blockchain. IEEE Access 6:31077–31087
Li R, Zheng D, Zhang Y, Su H, Yang M, Lang P (2017) Attribute-based encryption with multi-keyword search. In: IEEE 2nd international conference on data science in cyberspace, pp 172–177
Li P, Li T, Ye H, Li J, Chen X, Xiang Y (2018) Privacy-preserving machine learning with multiple data providers. Futur Gener Comput Syst 87:341–350
Zhang Y, Lang P, Dong Z, Yang M, Guo R (2018) A secure and privacy-aware smart health system with secret key leakage resilience. Secur Commun Netw 2018:1–13. https://doi.org/10.1155/2018/7202598
Wang C, Shen J, Liu Q, Ren Y, Li T (2018) A novel security scheme based on instant encrypted transmission for internet of things. Secur Commun Netw 2018(2):1–7
Zhang Y, Deng RH, Ximeng L, Dong Z (2018) Blockchain based efficient and robust fair payment for outsourcing services in cloud computing. Inf Sci 462:262–277
Zheng D, Wu A, Hui Y, Lang Q (2018) Efficient and privacy-preserving medical data sharing in Internet of Things with limited computing power. IEEE Access 6:28019–28027
Sahai A, Waters B (2005) Fuzzy identity-based encryption. In: Annual international conference on the theory and applications of cryptographic techniques. Springer, Berlin, pp 457–473
Ning J, Dong X, Gao Z, Wei L, Lin X (2015) White-box traceable ciphertext-policy attribute-based encryption supporting flexible attributes. IEEE Trans Inf Forensics Secur 10(6):1274–1288
Ning J, Gao Z, Dong X, Wei L (2018) White-box traceable CP-ABE for cloud storage service: how to catch people leaking their access credentials effectively. IEEE Trans Dependable Secure Comput 15(5):883–897
Ning J, Gao Z, Dong X, Wei L, Lin X (2014) Large universe ciphertext-policy attribute-based encryption with white-box traceability. European Symposium on Research in Computer Security 15(5):55–72
Li J, Chen X, Chow SSM, Huang Q, Wong DS, Liu Z (2018) Multi-authority fine-grained access control with accountability and its application in cloud. J Netw Comput Appl 112:89–96
Li H, Liu D, Dai Y, Luan TH, Yu S (2018) Personalized search over encrypted data with efficient and secure updates in mobile clouds. IEEE Transactions on Emerging Topics in Computing 6(1):97–109
Sun W, Yu S, Lou W, Hou YT, Li H (2014) Protecting your right: attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. In: 2014 Proceedings IEEE INFOCOM, pp 226–234
Zheng Q, Xu S, Ateniese G (2014) Vabks: Verifiable attribute-based keyword search over outsourced encrypted data. In: IEEE INFOCOM, pp 522–530
Li J, Zhang Y, Chen X, Xiang Y, Li J, Zhang Y, Chen X, Xiang Y (2018) Secure attribute-based data sharing for resource-limited users in cloud computing. Comput Secur 72:1–12
Zhang Y, Zheng D, Li Q, Li J, Li H (2016) Online/offline unbounded multi-authority attribute-based encryption for data sharing in mobile cloud computing. Secur Commun Netw 9(16):3688–3702
Li J, Li J, Chen X, Jia C, Lou W (2015) Identity-based encryption with outsourced revocation in cloud computing. IEEE Trans Comput 64(2):425–437
Zhang Y, Deng R H, Liu X, Zheng D (2018) Outsourcing service fair payment based on blockchain and its applications in cloud computing, IEEE transactions on services computing. https://doi.org/10.1109/TSC20182864191
Li J, Huang X, Li J, Chen X, Xiang Y (2014) Securely outsourcing attribute-based encryption with checkability. IEEE Trans Parallel Distrib Syst 25(8):2201–2210
Zhang Y, Chen X, Li J, Wong D S, Li H, You I (2017) Ensuring attribute privacy protection and fast decryption for outsourced data security in mobile cloud computing. Inform Sci 379:42–61
Green M, Hohenberger S, Waters B (2014). In: Usenix conference on security, pp 34–34
Ning J, Gao Z, Dong X, Ma K Liang H, Wei L (2018) Auditable σ-time outsourced attribute-based encryption for access control in cloud computing. IEEE Trans Inf Forensics Secur 13(1):94–105
Menezes A (2009) An introduction to pairing-based cryptography. Recent trends in cryptography 477:47–65
Haoxing L, Fenghua L, Chenggen S, Mang S, Xin L (2015) Public key encryption with multi-keywords search. Journal of Xidian University 42(5):20–25
Gentry C (2006) Practical identity-based encryption without random oracles. Lect Notes Comput Sci 4004:445–464
Dan B, Boyen X (2004) Efficient selective-ID secure identity-based encryption without random oracles. Springer, Berlin, pp 223–238
Zhang B, Zhang F (2011) An efficient public key encryption with conjunctive-subset keywords search. J Netw Comput Appl 34(1):262–267
Funding
This work is supported by National Key R&D Program of China (No. 2017YFB0802000), National Natural Science Foundation of China (No. 61772418, 61472472, 61402366), Natural Science Basic Research Plan in Shaanxi Province of China (No. 2018JZ6001, 2015JQ6236), and the Youth Innovation Team of Shaanxi Universities. Yinghui Zhang is supported by New Star Team of Xi’an University of Posts and Telecommunications (No. 2016-02).
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Zhang, Y., Wu, A., Zhang, T. et al. Secure and flexible keyword search over encrypted data with outsourced decryption in Internet of things. Ann. Telecommun. 74, 413–421 (2019). https://doi.org/10.1007/s12243-018-0694-8
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s12243-018-0694-8