3.2.1 Setup

Taking a security parameter λ and a universe attribute set {A₁,A₂,...,A_n} as input, the setup algorithm outputs a public key PK and a master secret key MSK. For a random number α ε Z_p, the keys are respectively set as:

PK=(h,e( g,h ),BG, H 1 , H 2 , H 3 , H 4 , ∀i=1,2,…,n, v i = g α i , h i = h α i ) (2)

MSK=( α,g ) (3)

In (2), BG stands for the bilinear pairing that is described above with generators g ε G₁ and h ε G₂. Moreover, H_i for i=1,2,3,4 are hash functions.

3.2.2 Key generation

Taking an attribute set A a public key PK and a master secret key MSK as input, the key generation algorithm outputs a key which is identified with respect to A . Without loss of generality, let’s focus on A= a 1 a 2 … a n which is an attribute string. Pick a random number s εZ_p, compute

f( α,A )= Π i=1 n ( α+ H 1 ( i ) ) 1− a i (4)

and generate the secret key for A as

SK=( g s f( α,A ) , h s−1 α ) (5)

From the definitions of the function f( α,A ) and the parameter g s f( α,A ) , it is easy to check that SK is independent of the number of involved attributes.

3.2.3 Encrypt

Taking an access structure ℙ (also represented in binary form), a public key PK and a message M as input, the encryption algorithm encrypts a message M under an access structure ℙ (also represented in binary form), a public key PK and a message M as input, the encryption algorithm encrypts a message M under an access structure ℙ . Let ℙ =b₁ b₂…b_n be the policy string. Pick a random number σ. Compute

r= H 4 ( ℙ,M,σ ) (6)

and

f( x,ℙ )= Π i=1 n ( x+ H 1 ( i ) ) 1− b i . (7)

Finally, the ciphertext CT is outputted as:

CT=(ℙ, C 1 = ( h f( α,ℙ ) ) r = ( h f 0 Π i=1 n−1 h i f i ) r , (8)

∀i=1,2,…,n−| ℙ |+1, C 2,i = v i r (9)

C 3 = H 2 (e( g,h ) r )⊕σ (10)

C 4 = H 3 ( σ )⊕M) (11)

According to the definitions of polynomial functions f( α,A ) given in (4), and f( x,ℙ ) f( x,ℙ ) , given in (7), we know that

should be a polynomial, if ℙ⊆A . This can be used to verify the validity of the attribute set.

3.2.4 Decrypt

Taking a ciphertext CT, a public key PK and a secret key SK as input, the decrypt algorithm outputs the message M or ⊥ (the empty set). The decryption algorithm first computes

F( x )=F( x,A,ℙ )= f( x,ℙ ) f( x,A ) = Π i=1 n (x+ H 1 ( i )) c i (13)

We define F_iε Z_p to be the coefficient of xⁱ and set F₀≠0. Second, we compute (U,V,W) as

U=e( C 2,1 , Π i=1 n−| ℙ | h i−1 F i )=e (g,h) rF( α )−r F 0 (14)

V=e( Π i=1 n−| ℙ |+1 C 2,i F i−1 , h s−1 α )=e (g,h) rsF( α )−rF( α ) (15)

W=e( g s f( α,A ) , C 1 )=e ( g,h ) rsF( α ) (16)

Third, we get e(g,h)^r by the function

e ( g,h ) r = ( W U⋅V ) 1 F 0 (17)

Then, we compute the random number σ by

σ= H 2 ( e ( g,h ) r )⊕ C 3 (18)

Finally, we extract the message M by the function

M= H 3 ( σ )⊕ C 4 (19)

4.2.1 System Setup

At the beginning, a trusted authority calls Setup to obtain a public key PK and a master secret key MSK. Then he chooses a random number β ε Z_p and sets K_mk= β as the search master key. After the generation of these three keys, the trusted authority sends the public key PK to a Cloud server and keeps the master secret key MSK and the search master key K_mk in secret.

4.2.2 New User Grant

When a user wants to join the system, the granting procedure is as follows:

1. The trusted authority needs to select a unique identity ID for the user. Then, he has to assign and verify an attribute set associated with the user. The verification of attributes which are claimed by the user cannot be done automatically. Normally, it will be granted by asking the user to provide some proofs of his identity, such as student ID card number or organization's identity card number.
2. After verifying of the attributes, the trusted authority calls Key Gen to generate a secret key SK for the user. For restricting the key size of the user, on the basis of the user ID, the trusted authority computes the control parameters A_ID and B_ID, which are ID and action-dependent (i.e., they are upload and/or search dependent), and also computes an attribute-set-dependent secret key SKA for the proxy server.
3. The trusted authority randomly chooses a number μ ε Z_p, and sets A_ID=μ.
4. After getting A_ID, the trusted authority uses the search master key K_mk and A_ID to compute the other control parameter B_ID by

   B ID =  g K mk / A ID = g β/μ (20)

5. Finally, the trusted authority transmits the tuple (ID,A_ID,SK) to the user and (ID,B_ID) to the proxy server. We can see that the tuple (ID,A_ID,SK), sent to the user, is independent of the number of involved attributes.

4.2.3 Keyword Index Building

Before uploading the encrypted file, a data owner has to build an encrypted keyword index with the help of the proxy server to let other users be able to search the files. The index building procedure is as follows.

1. We assume D={d₁,d₂,…,d_n} is the keyword set which is extractable from the stored files.
2. For all d_i ε D, data owner calculates

   T i = H 5 ( d i ) y i (21)

   where y_i ε Z_p is a random number and H₅ is a hash function that maps a keyword to a random element in G₁.

3. Data owner sends his ID and the tuple (T₁,T₂,…,T_n) to the proxy server.
4. After receiving the search request, proxy server finds the corresponding B_ID associated with the received ID.
5. For all T_i, proxy server computes

   L i =e( T i ,  B ID ) (22)

   and then transmits all L_i back to the data owner.

6. Data owner computes

   k i = H 6 ( L i A ID / y i ) (23)

   and then sets

   I d i =( R i ,[ R i ] k i ) (24)

7. Where R_i is a random number and [ R i ] k i stands for using a secure symmetric encryption algorithm, such as AES, to encrypt R_i with the secret key k_i. H₆ is a hash function that maps an element of G_T to another element of G_T.
8. Finally, the keyword index set is set to be I D ={ I d 1 , I d 2 ,…, I d n }. .

4.2.4 Data Upload

After building the keyword index set, data owner randomly selects a symmetric key and encrypts the file by using a symmetric encryption algorithm such as AES. Then, data owner assigns an access structure and encrypts the key by running Encrypt. At last, he uploads the keyword index I_D, the encrypted files, and the ciphertext of the symmetric key to Cloud server.

4.2.5 Search in the Encrypted Domain

When a request for searching the encrypted files, stored on the Cloud server, is received he has to do the following three steps (in sequence):

Step 1: Trapdoor Generation

We assume d is the keyword that the user wants to search, he should generate a trapdoor with the help of the proxy server. This step is executed as follows.

1. For the keyword d, the user calculates

   Q d = H 5 (d) A ID (25)

   then sends ID and Q_d to the proxy server.

2. After receiving the request, proxy server finds the corresponding B_ID according to ID.
3. Proxy server computes

   k ′ = H 6 ( e( Q d , B ID ) ) (26)

   and returns k' to the user.

Step 2: Attributes Verification

On receiving the request from a user, the cloud server has to verify the validity of attributes of the user. To verify attributes, the method we mentioned in Section 3 is applied. That is

f( x,ℙ ) f( x,A ) =  Π i=1 n (x+ H i ( i )) a i − b i (27)

should be a polynomial, if ℙ⊆A . We know that if the user has the right to access the file, the access structure ℙ of the file should be one of the subsets of the user’s attribute set A .

Step 3: Search a Keyword

To search a keyword, Cloud server gets [ R i ] k ′ by using k' as the symmetric key and encrypts the random number R_i, which is generated by data owner while building the keyword index. Then, Cloud server checks whether [ R i ] k i is the same as [ R i ] k ′ . If they are the same, k_i and k' are referring to the same word, and the searching target is found. Otherwise, they are different and the searching job failed.

4.2.6 File Decryption

After receiving the result from Cloud server, the user running Decrypt to extract the symmetric key, SK, which is used to encrypt the file. Then, the user can decrypt the file with the symmetric key.

4.2.7 User Revocation

Because of graduation, retirement or something else, when a user wants to leave the system, his search privilege should be revoked. After completing the verification by the trusted authority, he instructs the proxy server deleting the corresponding tuple (ID,B_ID). Without B_ID, the user is no longer able to search files stored on the Cloud server.

5.1.1 Data Confidentiality

Data confidentiality is an important property of protected data, usually resulting from legislative measures, which prevents it from unauthorized disclosure. In our scheme, data must be confidential against Cloud server, unauthorized users and proxy server. Two encryption algorithms are adopted in our scheme. One is the symmetric encryption algorithm, such as AES, and another is CPABE with Constant-Size Keys for Lightweight Devices 0. AES has been proved that it is secure and 0 has also proved its security in the paper. Therefore, it is our belief that the proposed scheme is secure.

5.1.2 Keywords Confidentiality

The keyword must be kept confidential against any entity except for the data owner or the requesting user. Before sending ID and the tuple (T₁,T₂,…,T_n ) to proxy server while building keyword index, data owner calculates

T i = H 5 ( d i ) y i (28)

Moreover, before sending ID and Q_d to proxy server while generating trapdoor function, the user computes

Q d = H 5 (d) A ID (29)

for the keyword d. Because of the using of one-way hash function, proxy server or any other attackers cannot get any information about the stored keywords.

5.2.1 Implementation Details

In our implementation, jpbc library is used to implement cryptographic operations. We select the Type-A Bilinear pairing. Type-A Bilinear pairing is the fastest pairing among all types of Elliptical curves, which is constructed on the curve Y²=X³+X over the field F_p for some prime p= 3 mod 4. Our system is realized by Java on a personal computer equipped with Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz CPU under Windows10 OS.

5.2.2 Experimental Results

Clearly, from the above figure, timing cost for search depends on the total number of searched keywords. In Figure 2, the line “files” stands for the results of the data set which consists of 10000 files with 1 keyword per file, while the line “keywords” represents the data set which consists of only 1 file with 10000 keywords. While searching, we first locate the position of each file from the table. Then, we search keywords corresponding to the file. Due to the way of searching, the speed of the line “keywords” is a little bit faster than the line “files”. The higher cost for the upper case comes from the fact that it ran the search loop much more times than the bottom one. Take 10000 keywords as an example, the former just needs to find the position of the file one time but the latter needs to find it 10000 times. There is a point laying between the two lines, it stands for the data set which consists of 1000 files with 10 keywords. We can see that the speed of that point is in between of the two lines. In Figure 3, we see the timing cost for searching in the ciphertext domain is linearly proportional to the number of searched files while the timing costs for searching in the plaintext domain behaves almost the same. Notice that, the line “User cost” stands for the timing cost spent by the user. It is only a small and negligible portion of the total cost. In Fig. 3, the user is an authorized one and he is searching for all files. That is to say, he has searched 100000 files with 1 keyword by using 24494 milliseconds. It would be faster if the user doesn't have to or doesn't have the authority to search all 100000 files.

Figure 2: Timing costs for searching various number of keywords (from 1 to 10000).

Figure 3: Timing costs for searching various number of files (from 20000 to 100000), in different domains.