A Secure Key Aggregate Searchable Encryption with Multi Delegation in Cloud Data Sharing Service

Abstract

As the amount of data generated in various distributed environments is rapidly increasing, cloud servers and computing technologies are attracting considerable attention. However, the cloud server has privacy issues, including personal information and requires the help of a Trusted Third Party (TTP) for data sharing. However, because the amount of data generated and value increases, the data owner who produces data must become the subject of data sharing. In this study, we use key aggregate searchable encryption (KASE) technology, which enables keyword search, to efficiently share data without using TTP. The traditional KASE scheme approach only discusses delegation of authority from the data owner to another user. However, if the delegated entity cannot perform time-critical tasks because the shared data are unavailable, the delegate must further delegate the rights given to other users. Consequently, this paper proposes a new KASE scheme that enables multi-delegation without TTP and includes an authentication technique between the user and the server. After that, we perform informal and formal analysis using BAN logic and AVISPA for security evaluation, and compare the security and performance aspects with existing schemes.

1. Introduction

As a hyper-connected world is realized due to the development of the Internet, data production is increasing in various distributed environments such as medical care, finance, and vehicles. As per a study published by Statista Research Department [1], the total amount of data generated per year is expected to reach 149$ZB$ by 2024 as the amount of data generated worldwide increases exponentially. The generated data can be used as an input for financial, medical, and artificial intelligence development, and cloud storage and computing technologies have been introduced to manage vast amounts of data [2,3,4]. Cloud computing services provide large-capacity storage and computing resources to resource-constrained computing devices.

However, privacy issues arise because the generated data includes personal information. Research and policies are being developed worldwide to protect the privacy of such data. “Midata” in the UK [5] and “Smart disclosure” in the US are policies for individuals to use and protect personal information as subjects, and have been implemented to date. However, these policies are being implemented with the help of a Trusted Third Party (TTP) because it is difficult to provide services based on personal information. Because the amount and value of the data generated increases, the data owner who produces the data should be the data sharer, and not the TTP.

For the subject of data to manage data without the help of TTP, the following are considered: (i) Key management for data access control must also be performed by the data owner (DO). (ii) The efficiency of the key for data management should be considered. This is because as the data increases, the key also increases. (iii) The data owner must store the data in an encrypted form in order to maintain the confidentiality and integrity of the data, and the data access policy is required for sharing with data users (DUs).

DO outsources data or computational work to cloud servers. In addition, DOs can optionally share outsourced data with DU groups with the help of cloud computing services through access control. For this purpose, research on cryptosystems such as user-based access control cryptosystem [6], role-based access control cryptosystem [7], and attribute-based access control cryptosystem [8] was studied. However, the computation overhead of encryption and key generation increases with the number of attributes or users in these user-centric data sharing methods. When DO grants a new user access to their data, the DO must either generate a new ciphertext or modify the ciphertext stored in the cloud. Furthermore, because the TTP defines and manages the user’s rules and attributes, the DO cannot be the subject of data management. To address these limitations, a data-centric shared encryption scheme called Key Aggregate Encryption (KAE) [9] has beenproposed. In KAE, the DO first defines the document set S to which the data that the DO intends to share to users of data belongs, and then aggregates the secret keys of all documents in the set S. Then, DO shares a single key, known as the aggregate key, with the user to grant access to S. Moreover, an extended encryption scheme called Key Aggregate Searchable Encryption (KASE) [10] was proposed, which allows DOs to use aggregation keys to delegate search authority over selected data sets and allow users to retrieve shared data by submitting a single aggregation trapdoor to the cloud. In addition to delegating search rights to data users by data owners, it is also important to consider when the delegated users may need to transfer rights to other users for time-sensitive tasks, processing and creation of various information, and smooth data management.

However, there is no KASE structure given that an authorized user needs to further delegate privileges to other users. Therefore, this paper proposes a KASE cloud data sharing scheme that simultaneously provides user authentication and delegation functions without using TTP. To analyze the safety verification of the proposed scheme, we conduct informal security analysis and formal security analysis using “Burrows-Abadi-Needham (BAN) logic” [11] and “Automated Validation of Internet Security Protocols and Applications (AVISPA)” [12]. We use the ”Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)” [13] to build a test bed and calculate the cost of cryptographic operations. Finally, we compare security and performance with other existing schemes.

1.1. Motivation

Existing KASE schemes only discuss delegating data access rights to other DUs by DO. However, there are cases where the delegated user needs to delegate further the delegated rights to another user because the shared data are unavailable to the delegated user:

• The first is a case in which time-critical work such as immediate life-threatening, bodily harm, and property benefits of the DO is required. For example, in the event of an emergency involving the DO’s life and body, the DU must delegate the authority to another DU when the DU who has been authorized to access information such as the DO’s health information management is absent.
• In addition, it is necessary to use various information and generate revenue through information sharing. A DU who has received information rights can use the information to make a profit. However, it is difficult to expect visible revenue generation from a single user. In this case, the DU can create new services and revenue by delegating limited access rights to other DUs.
• DUs authorized to provide services by data owners often struggle to manage large amounts of data. In this case, the DU should be able to perform load balancing by assigning limited administrative privileges to some users.

Therefore, we propose a KASE data sharing scheme that can delegate access rights for these cases.

1.2. Contribution

Our proposed scheme is an access control for DOs to share data with DUs without the help of TTP. We also consider cases where DUs may delegate limited data access rights to other users, which is not considered by existing KAEs and KASEs. The detailed contributions of our proposed scheme are as follows:

• Group data sharing with a keyword search: In the proposed scheme, DOs can delegate access to and retrieval of data in an encrypted state for data sets requested by DUs. Additionally, each ciphertext in the shared set can be retrieved as a trapdoor of constant size generated using the aggregate key. Furthermore, the proposed system can confirm whether keywords exist in the data set to be searched using a bloom filter [14].
• Multi-access prevention and privacy preservation: The authentication of the proposed scheme prevents unauthorized DUs from accessing the trapdoor multiple times. In particular, if an unauthenticated user attempts to intercept and submit a trapdoor, the system prevents it. The identity submitted for authentication is a pseudonym identity which is masked and sent to protect the privacy of the DU. Moreover, keyword ciphertext, the hidden access policy defined by DO, and trapdoor does not disclosure information about related keywords.
• Fine-grained delegation: In the proposed scheme, the DO provides authentication credentials to delegators and delegates. When a delegator wants to delegate authority, it authenticates with the delegate through the authentication credential. If authentication is valid, delegates can delegate the rights they have received to another users in fine-grained manner.

The rest of the paper is organized as follows: The related works are given in Section 2. In Section 2, we briefly describe studies on KAE and KASE that have been studied. We also provide preliminaries for the proposed scheme. The system model and threat model are defined in Section 3.

2. Related Works

In this section, we review the literature regarding the previously studied of KAE and KASE. This section also provides preliminaries about cryptology concepts that we use throughout the paper.

2.1. Literature Reviews

In 2016, Chu et al. [9] proposed the notion of KAE scheme that can reduce the number of distributed data encryption keys for data sharing system environments. The KAE allows documents or data sets encrypted with different keys to be decrypted with a single aggregate key. In 2018, Guo et al. [15] proposed a scheme for sharing encrypted data with other users through public cloud storage. Their approach involves an authentication process, and they argue that the authentication process can solve the key leak problem of data sharing. However, Alimohmmadi et al. [16] proved that Guo et al.’s scheme does not have security against impersonation and forging authentication key attacks. They demonstrated that the proposed Guo et al.’s scheme could allow anyone to forge an authentication key and access an arbitrary set of files stored in the cloud. Therefore, they proposed a new KASE scheme to solve the problems of Guo et al.

However, since there was no search function for keywords in documents at [9,15,16], Cui et al. [10] proposed a KASE scheme that enables group keyword search in the existing KAE. The scheme of [10], which first proposed the KASE method, provides the searchable group data sharing function, i.e., all users can selectively share selected groups of users and selected groups of files, the latter can perform keyword searches against the former. Unfortunately, Zhou et al. [17] proved that Cui et al.’s scheme is insecure against insider attack. They demonstrated that the adversary can guess the valid user’s key with the insider attacker. Furthermore, Cui et al.’s scheme [10] did not support searching over multi-owner data using a single key of constant size.

To address this problem, Li et al. [18] proposed the scheme for searching over multi-owner’s data using a single trapdoor. Their scheme allows verification of search results using an aggregate key. They also offered advance planning in multi-owner settings.

Zhou et al. [17] proposed a KASE scheme of data-centric framework in an Industrial Internet of Things (IIoT) environment.Sensors in IIoT do not support the computational power of pairing operations as their hardware resources are very limited. Therefore, Zhou et al. proposed a KASE scheme that does not use the pairing operation in the encryption phase.

Padhya et al. [19] also proposed a KASE scheme for multi-owner data. Padhya et al.’s scheme is a practical way to generate keyword ciphertext without the use of expensive pairing operations given resource-constrained environments. They also discussed scenarios for federated clouds and proposed methods for delegating search authority when data are stored in federated clouds.

Liu et al. [20] proposed a scheme to validate keyword search results using a single aggregation key. The KASE method of Liu et al. also provides user authentication. In their scheme, the cloud server can verify the legitimacy of a sub-user by verifying that the authorized user’s identity set includes the sub-user’s identity. However, Li et al.’s protocol is insecure against user impersonation attacks.

In addition to delegating the searchable authority to the user, it is also necessary to consider the case where the delegated user must delegate the authority to another user for time-sensitive tasks, processing and creation of various information, and managing a large amount of data. However, there are many KASE schemes dealing with data sharing between DOs and DUs, but none dealing with cases where DU delegates to other DUs without help of the TTP. Furthermore, no KASE scheme works out the problem of user authentication and fine-grained multi-delegation at the same time. Authentication is one of the basic security services absolutely necessary to provide secure services in various network environments [21,22,23,24,25,26,27,28].

2.2. Preliminaries

In this section, we briefly discuss the cryptographic concepts used in this paper: bilinear map and bloom filter.

2.2.1. Bilinear Map

Pairing is a bilinear map defined for a subgroup of elliptic curves. Assume that $G_1$ and $G_2$ are two multiplicative circular elliptic curve subgroups of the same prime order p. A mapping $e:G_1\times G_1\to G_2$ is a bilinear map if it satisfies the following [29]:

• Bilinearity: For all $u,v\in G_1$, and $x,y\in Z_q^{*}$, we have $e(u^x,v^y)=e(u,v^{xy})$.
• Non-degeneracy: If u and v are generators of $G_1$, $e(u,v)\ne 1$.
• Computability: there is an efficient algorithm to compute $e(u,v)$ for any $u,v\in G_1$.

2.2.2. Bloom Filter

An m-bit bloom filter [14] can be viewed as an array of m bits, all initialized to zero. For verification in bloom filter, k independent hash functions $H_1$, …, $H_k$ with the ranges {0, …, $m-1$} is designed. During the generation phase, each element $s\in S=\{s_1,s_2,\dots ,s_n\}$ and each $H_j\left(s\right)$-bit in the array is set to 1, where $1\le j\le k$. The value of $H_j\left(s\right)$ bit can be determined in the verification phase whether the elements s belongs to S. If the value is 0 then it must be $s\notin S$, ohterwise it is highly probable that it is $s\in S$. Assuming the hash function is completely random, the false positive rate is ${(1-{(1-\frac{1}{m})}^{kn})}^k\approx {(1-e^{-kn/m})}^k$. The $k=\frac{\left(ln2\right)m}{n}$ hash function leads to a minimum false positive rate $\frac{\left(0.6185\right)m}{n}$. Two algorithms are included in the m-bit bloom filter.

• $BFGen$: $BFGen$ hashes the data set S to $\{H_1,\dots ,H_k\}$ for producing an m-bit bloom filter.
• $BFVerify$: $BFVerify$ returns 0 if $s\notin S$ and 1 otherwise.

3. System Model and Threat Model

In this section, we describe the system model of our proposed scheme and provide threat model and notations that we use throughout the paper.

3.1. System Model

Our proposed system model is represented in Figure 1 and has three entities:

• Data Owner (DO): $DO$ is an entity that independently manages data as an owner of data and information without TTP. When data are requested from $DU$, $DO$ encrypts data and related keywords and stores them in the cloud server, delivering a single aggregate key of a fixed size. $DO$ encrypts the group identity $GID$ for delegation of authority of delegatee and delegator to define delegation of authority.
• Data User (DU): $DU$ receives aggregate key when requesting data from the user. $DU$ generates a trap door to retrieve data from $CS$ using aggregate key and keyword, receives encrypted data through authentication with $CS$, and then decrypts to receive data.
• Cloud Server (CS): Since $CS$ is an honest but curious entity, it may legitimately try to learn all the information from a received message. $CS$ provides $DO$ with storage and computing power. In addition, $CS$ searches data through the trapdoor received from $DU$ and performs keyword verification.

$DO$ creates public parameters to be used in the system and publishes them to entities. Then, $DO$ creates a bloom filter for keyword verification, encrypts data, and uploads it to $CS$. $DU$ sends a data request to $DO$, and $DO$ returns a single aggregate key for the data received from $DU$, an authentication credential for authentication with $CS$, and a $GID$ for verifying authorization. The authentication credential is delivered it to $CS$ at this time. Subsequently, $DU$ creates a single trapdoor using aggregate and keywords from $CS$ and requests a search query. After $CS$ authenticates with $DU$, $CS$ searches the data and confirms the keyword using the trap door. After that, $CS$ generates a data search result and proof set for decryption and sends it to $DU$. $DU$ uses the bloom filter to decrypt the data after verification. In addition, if a $DU$ wants to delegate authority to another $DU$, mutual authentication is performed. If the authentication is valid, $DU$ can delegate the aggregate key and some of the keywords he/she has.

3.2. Threat Model

In this paper, we adopt the universally accepted Dolev-Yao (DY) threat model [30] for security analysis of the proposed scheme. In accordance with the DY model, an attacker is able to seize transmitted messages through an open channel, and eavesdrop, delete, inject or modify on the seized messages.

• The attacker has full control over and learns from messages sent over open channels. The attacker can then insert, modify, or remove valid messages.
• Because guessing more than one value at a time is a “computationally infeasible operation”, the attacker can only guess one value in polynomial time.

In addition, this paper additionally adopts the assumptions of the “Canetti and Krawczyk model (CK model)” [31]. It is a more powerful threat model compared to the DY model and is considered the de facto standard for modeling key exchange protocols.

3.3. Notations

Table 1. Notations used in this paper.

Notations	Meanings
$D{U}_j,I{D}_j$	jth data user and their identity, respectively,
$DO$	Data owner
$CS$	Cloud server
$HI{D}_j$	The hidden identity of jth data user
$G_1,G_2$	Bilinear groups
$P{K}_{do}$	The $DO$’s public key for encrypt data
$DP{K}_{do}$	The $DO$’s public key for authentication
$r_{do},{\rho }_{do}$	Master secret key and secret key of $DO$
$P{K}_j,P{K}_{cs}$	The public key of data user and cloud server, respectively
$GI{D}_l,HGI{D}_l$	The group identity defined by data owner and its hidden identity
$T_1,T_2,T_3$	Current timestamps
$\Delta T$	Maximum transmission delay
$R_{du},R_{cs},r_A,r_B$	Random nonces
W	The keyword
$CK$	The encrypted keyword
$Tr$	The trapdoor
$\left|\right|$	Data concatenation operator
$h_1,h_2$	The hash function ${\{0,1\}}^{*}\to Z_q$
$h_2$	The map-to-point hash function ${\{0,1\}}^{*}\to G_1$,
⊕	Bitwise exclusive-or operator

specifies the symbols used in this paper.

4. Our Proposed Scheme

We propose a key aggregate scheme for multi-delegation and authentication without TTP in this section. The proposed scheme consists of six phases, namely setup phase, data upload phase, aggregation key generation phase, trapdoor generation and retrieve phase, authentication for delegation, and group identity revocation phase.

4.1. Setup Phase

For data sharing and upload data, a data owner $DO$ have to generate bilinear map and public system parameters. $DO$ also generates hash functions for encrypted information and bloom filter. The detailed steps of the setup phase are summarized in Figure 2 and discussed below.

Step 1:$DO$ generates a bilinear map $B=(q,G_1,G_2,e)$, where q is the order of $G_1$ and $e:G_1\times G_1\to G_2$. $G_1$ and $G_2$ are multiplicative elliptic curve groups. Then $DO$ picks random generator $g\in G_1$ and random nonce $\alpha \in Z_q$, and computes $g_i=G^{\left({\alpha }_i\right)}$, where $1\le i\le 2n$.

Step 2: After that, $DO$ chooses his/hear master secret key $r_{do}\in Z_q^{*}$, secret key ${\rho }_{do}\in Z_q^{*}$. $DO$ generates hash functions $h_1:{\{0,1\}}^{*}\to Z_q$ and $h_2:{\{0,1\}}^{*}\to G_1$ for hashing information. Furthermore, $DO$ also generates k independent universal hash functions $\{H_1^{{}^{\prime }},\dots ,H_k^{{}^{\prime }}\}$ which are used to set up a m-bit bloom filter.

Step 3: Then, $DO$ computes public key $P{K}_{do}=g^{r_{do}}$ for encrypting data and public key $DP{K}_{do}=g^{{\rho }_{do}}$ for authentication. At last, $DO$ publishes $B,(g,g_1,\dots ,g_n),DP{K}_{do},$$P{K}_{do},h_1,h_2$ and $\{H_1^{{}^{\prime }},\dots ,H_k^{{}^{\prime }}\}$.

4.2. Data Upload Phase

In this phase, $DO$ encrypts the data and uploads it to the cloud server. At this time, $DO$ creates a bloom filter to verify whether the keyword is included in the document set. $DO$ encrypts the keyword set $C{K}_i$, generates a public auxiliary value ${▿}_i$ for index, and sends them to the cloud server. This phase is briefed in Figure 3 and detailed steps are given below.

Step 1: First, $DO$ picks a random number $t\in Z_q$ as the actual searchable encryption key and generates a bloom filter for keyword set $W_i$, where $i\in \{1,\dots ,n\}$ is file index. The bloom filter is computed as $B{F}_i=BFGen(\{H_1^{{}^{\prime }},\dots ,H_k^{{}^{\prime }}\},W_i)$.

Step 2: Then, $DO$ randomly chooses a $M\in G_2$ and computes a public auxiliary value ${▿}_i$ for index i. The ${▿}_i$ comprises $c_1,c_2,c_3$ and $c_4$. They are computed as $c_1=g^t$, $c_2={(g_i·P{K}_{do})}^t$, $c_3=h_2\left(M\right)\oplus B{F}_i$, and $c_4=M·e{(g_1,g_n)}^t$. Then, $DO$ computes $C{K}_i=\frac{e{(g,h_1\left(w\right))}^t}{e{(g_1,g_n)}^t}$ for each keyword w in this set’s keyword set $W_i$.

Step 3: At last, $DO$ sends ${▿}_i,C{K}_i$ to the cloud server.

4.3. Data Request Phase

If $D{U}_j$ wants to data set $S_i$, $D{U}_j$ calculates $HI{D}_j$ and $P{K}_j$ and requests data from $DU$. $DO$ computes the aggregate key $k_s$ corresponding data set. After that, $DO$ creates $GI{D}_l$ by defining groups that can delegate or receive authority. $DO$ can manage the list of $DU$s belonging to $GI{D}_l$ when a new $D{U}_j$ is added or an existing $DU$ wants to leave the group. After that, $DO$ creates an authentication credential that allows $D{U}_j$ and $CS$ to authenticate each other. $DO$ generates $TI{D}_j$ and transmits it with $k_s,HGI{D}_l$ securely to $D{U}_j$, and generates and transmits $HI{D}_j$ and $A_{cs}$ securely to $CS$. $CS$ uses this value to calculate $AC{S}_j$, which is for the authentication credential, and stores it in its own database. Figure 4 summarizes this phase. The detailed steps involved in this phase are given below.

Step 1:$D{U}_j$ generates a secret key $b_j\in Z_q^{*}$ and chooses an unique identity $I{D}_j$. Then, $D{U}_j$ computes pseudo identity $HI{D}_j=h_1(I{D}_j\left|\right|b_j)$ and public key $P{K}_j=g^{b_j}$. $D{U}_j$ sends $\langle HI{D}_j,P{K}_j,S_i\rangle$ securely to $DO$, where $S_i$ is a document set.

Step 2: After receiving data request from $D{U}_j$, $DO$ generates an aggregate key $k_s={\Pi }_{j\in s}{g}_{n+1-j}^{r_{do}}$ which is corresponding document set $S_i$. $DO$ then creates $GI{D}_l$ by defining groups to determine which users can delegate or receive privileges from each other. $DO$ computes $TI{D}_j={\left(DP{K}_{do}\right)}^{HI{D}_j·{\rho }_{do}}$ for authentication credential. Furthermore, $DO$ computes $HGI{D}_j=h_2(GI{D}_l\left|\right|r_{do}\left|\right|{\rho }_{do})$ and $A_{cs}=h_2(r_{do}\left|\right|{\rho }_{do})$. After that, $DO$ sends $\langle k_s,TI{D}_j,HGI{D}_l\rangle$ to securely $D{U}_j$ and sends $\langle HI{D}_j,A_{cs}\rangle$ to securely $CS$.

Step 3:$CS$ computes $AC{S}_i=h_2(HI{D}_j\left|\right|A_{cs})$ and public key $P{K}_{cs}=g^{A_{cs}}$ after receiving messages from $DO$. Then, $CS$ stores $AC{S}_i$ in $CS$’s database.

4.4. Data Retrieve Phase

$D{U}_j$ generate a trapdoor of keyword w using their aggregate key. $D{U}_j$ sends the trapdoor to $CS$ for a search query and an authentication credential for mutual authentication. $CS$ authenticates with $D{U}_j$, then $CS$ determine whether the encrypted keyword is $CK$ using $D{U}_j$’s trapdoor. After verification of keyword, $CS$ generates a result set and proof set. After $D{U}_j$ receives result set and proof set from $CS$, $D{U}_j$ authenticate with $CS$ and conducts the verification proofs that the keyword exists in owner’s document set. Figure 5 describes this phase, and the detailed steps are as follows.

Step 1:$D{U}_j$ generates a single aggregate trapdoor $T{r}_j=k_s·h_1\left(w\right)$. A trapdoor relates to a set of all documents related to the aggregate key. Then, $D{U}_j$ generates timestamp $T_1$ and random nonce $R_{du}$. Furthermore, $D{U}_j$ computes $V_j=P{K}_j^{R_{du}}$, $Veri{f}_j=P{K}_{cs}^{b_j·R_{du}}$, $M_j=h_1(I{D}_j\left|\right|b_j)\oplus Veri{f}_j$, $M{A}_j=h_1(Veri{f}_j\left|\right|HI{D}_j\left|\right|T_1)$, and $HHI{D}_j=TI{D}_j^{M{A}_j}$. After that, $D{U}_j$ sends $M_j,V_j,HHI{D}_j,T_1,T{r}_j,S_i$ via an insecure channel.

Step 2: After receiving messages from $D{U}_j$, $CS$ computes $Veri{f}_j=V_j^{A_{cs}}$ and $HI{D}_j^{{}^{\prime }}=Veri{f}_j\oplus M_j$. Furthermore, $CS$ checks if $h_1(HI{D}_j^{{}^{\prime }}\left|\right|A_{cs})=AC{S}_i$. If it is valid, $CS$ computes $M{A}_j^{{}^{\prime }}=h_1(Veri{f}_j\left|\right|HI{D}_j^{{}^{\prime }})$ and checks if $e(HHI{D}_j,P{K}_{cs})=e(DP{K}_{do}^{HI{D}_j·A_{cs}},DP{K}_{do}^{M{A}_j})$. If it is valid, $CS$ computes as follows for index i: $pu{b}_1={\pi }_{z\in s,z\ne =i}{g}_{n+1-z+i}$, $T{r}_i=T{R}_j·pu{b}_1$, $pu{b}_2={\pi }_{z\in s}{g}_{n+1-z}$, and $p_1=c_4·\frac{e(pu{b}_1,c_1)}{e(pu{b}_2,c_2}$. Then, $CS$ checks $ck=\frac{e(T{r}_i,c_1)}{e(pu{b}_2,c_2)}$, where encrypted keyword is $ck\in C{K}_i$. $CS$ adds the identity of results which is corresponding document to $Resul{t}_i$. Furthermore, $CS$ sets $PR{F}_i=(c_1,p_1,c_3)$. Then, $CS$ generates a random nonce $R_{cs}$ and computes $V{A}_{cs}=P{K}_{cs}^{R_{cs}}$, $Veri{f}_{cs}=P{K}_j^{A_{cs}·R_{cs}}$$AUT{H}_{cs}=h_1(M{A}_j\left|\right|Veri{f}_j\left|\right|Veri{f}_{cs})$. $CS$ sends set $Result$, $PRF$, $V{A}_{cs}$ and $AUT{H}_{cs}$ over an open channel to $D{U}_j$.

Step 3: After receiving sets from $CS$, $D{U}_j$ computes $Veri{f}_{cs}=V{A}_{cs}^{b_j}$. Then, $D{U}_j$ checks if $AUT{H}_{cs}^{{}^{\prime }}=h_1(M{A}_j\left|\right|Veri{f}_j\left|\right|Veri{f}_{cs})$. If it is valid, $D{U}_j$ computes for each i as follows: $M^{{}^{\prime }}=p_1·e(k_s,c_1)$, $B{F}_i^{{}^{\prime }}=h_1\left(M^{{}^{\prime }}\right)\oplus c_3$, $AC{C}_i=BFverfiy(\{H_1^{{}^{\prime }},\dots ,H_k^{{}^{\prime }}\},$$B{F}_i^{{}^{\prime }},W)$. If the keyword w exists in the document, $AC{C}_i=1$. Otherwise, $AC{C}_i=0$.

4.5. Authentication for Delegation Phase

If $D{U}_A$ wants to delegate their aggregate key, $D{U}_A$ and $D{U}_B$ conduct mutual authentication using $HGI{D}_l$. If they have same $HGI{D}_l$, they compute the same session key $SK$. After that, $D{U}_A$ can send their own aggregate key and keyword using $SK$. In this case, $D{U}_A$ can delegate limited access rights by sending only some of the keywords which $D{U}_A$ have. The detailed steps are illustrated in Figure 6 and are as follows.

Step 1:$D{U}_A$ generates a random nonce $r_A$ and timestamp $T_2$. Then, $D{U}_A$ computes $R_A=P{K}_a^{r_A}$, $V_A=P{K}_B^{b_a·r_A}$, and $L_{AB}=h_1(V_A\left|\right|T_2)$. $D{U}_A$ sends $R_A,L_{AB},T_2$ to $D{U}_B$.

Step 2: After receiving messages from $D{U}_A$, $D{U}_B$ computes $V_A=R_A^{B_b}$, and checks if $L_{AB}=h_1(V_A\left|\right|T_2)$. If it is valid, $D{U}_B$ generates a random nonce $r_B$ and computes $R_B=P{K}_B^{r_B}$, $V_B=P{K}_A^{b_b·r_B}$, $L_{BA}=h_1(V_A\left|\right|HGI{D}_l\left|\right|T_3\left|\right|V_B)$, $AGI{D}_l=h_1(V_A\left|\right|HGI{D}_l)$, and session key $SK=h_1(V_A\left|\right|V_B\left|\right|AGI{D}_l\left|\right|T_3)$. After that, $D{U}_B$ sends $R_B$, $L_{BA}$, $T_3$ to $D{U}_A$.

Step 3:$D{U}_A$ computes $V_B=R_B^{b_a}$ and checks if $L_{BA}=h_1(V_A\left|\right|HGI{D}_l\left|\right|T_3\left|\right|V_B)$. If it is same value, $D{U}_A$ computes the session key $SK$. At the end, $D{U}_A$ and $D{U}_B$ authenticate each other and compute the same $SK$ for their secure communication.

4.6. Group Identity Revocation Phase

When $D{U}_j$ wants to leave the group, $DO$ updates the group ID list to which $D{U}_j$ belongs. $DO$ updates $GID$ with $GI{D}^{new}$ and issues new $HGI{D}^{new}$ calculated as $GI{D}^{new}$ to data users corresponding to the existing $GID$ list to send in bulk.

5. Security Analysis

In this phase, we present the non-mathematical (informal) security analysis and formal security analysis. We use broadly accepted “BAN logic” to show that the proposed scheme can provide the mutual authentication and use “Automated Validation of Internet Security Protocols and Applications (AVISPA) simulation tool” for proving of security protocols from man-in-the-middle and replay attacks.

5.1. Informal Analysis

We conduct the informal analysis to analyze security capabilities and the security against various attacks.

5.1.1. Correctness

The $D{U}_j$ should obtain the bloom filter by decrypting the corresponding ciphertext of the i-th document with the aggregation key. For correctness, the M can be obtained by:

$$\begin{array}{cc}\hfill p_1·e(k_s,c_1)& =c_4·\frac{e(pu{b}_1,c_1)}{e(pu{b}_2,c_2)}·e(k_s,c_1)\hfill \\ \hfill & =c_4·\frac{e(k_s·pu{b}_1,c_1)}{e(pu{b}_2,c_2)}\hfill \\ \hfill & =c_4·\frac{e(k_s·{\Pi }_{z\in s,z\ne i}{g}_{n+1-z+i},g^t)}{e({\Pi }_{z\in s}{g}_{n+1-z},{(g_i·P{K}_{do})}^t)}\hfill \\ \hfill & =\frac{c_4·e(k_s,g^t)·e({\Pi }_{z\in s,z\ne i}{g}_{n+1-z+i},g^t)}{e({\Pi }_{z\in s}{g}_{n+1-z},g^{r_{do}·t})·e({\Pi }_{z\in s}{g}_{n+1-z},g_i^t)}\hfill \\ \hfill & =\frac{c_4·e(k_s,g^t)}{e({\Pi }_{z\in s}{g}_{n+1-z},g^{r_{do}·t})·e(g_{n+1},g^t)}\hfill \\ \hfill & =\frac{M·e{(g_1,g_n)}^t·e({\Pi }_{z\in s}{g}_{n+1-z}^{r_{do}},g^t)}{e({\Pi }_{z\in s}{g}_{n+1-z},g^{r_{do}·t})·e(g_1,g_n^t)}\hfill \\ \hfill & =M\hfill \end{array}$$

5.1.2. Impersonation Attacks

If an adversary attempts to impersonate a legitimate $DU$, the adversary must be able to compute the legitimate message $M_j,V_j,HHI{D}_j,T_1,T{r}_j,S_i$. However, the attacker cannot compute $HHI{D}_j$ because $TI{D}_j$ is computes using secret identity $HI{D}_j$. Furthermore, $CS$ checks $e(HHI{D}_j,P{K}_{cs})=e(DP{K}_{do}^{HI{D}_j·A_{cs}},DP{K}_{do}^{M{A}_j})$. If it is not valid, then the impersonation attack is aborted by $CS$. Therefore, our proposed scheme can protect data user impersonation attacks.

5.1.3. Data User Anonymity

The real identity $I{D}_j$ of $D{U}_j$ is calculated as the pseudo identity $HI{D}_j$, which depends on the random secret key $b_j$. In addition, the data user is provided with $TI{D}_j$ to be used for authentication in the data retrieve phase from $DO$. Since $TI{D}_j$ is dependent on the $DO$’s secret key $rh{o}_{do}$, the attacker cannot know $I{D}_j$, which is the real identity of the data user. Therefore, we can say that we guarantee the anonymity of data users.

5.1.4. Perfect Forward Secrecy

In the data retrieve phase, suppose that an adversary obtains secret key $A_{cs}$ of the cloud server. Then, the adversary is able to compute $Veri{f}_j$ and $HI{D}_j$. However, the adversary cannot compute $V{A}_{cs}$ and $AUT{H}_{cs}$ since the adversary cannot know a random nonce $R_{cs}$. Thus, the data retrieve phase provides perfect forward secrecy. In the authentication for delegation phase, suppose that an adversary obtains secret key $b_a$ or $b_b$ of $D{U}_A$ or $D{U}_B$. The adversary cannot compute session key $SK$ because the adversary cannot compute $V_A$ or $V_B$, which is dependent on random nonces $r_A$ and $r_B$. Therefore, our proposed scheme ensures perfect forward secrecy.

5.1.5. Privileged-Insider Attacks

If an adversary is a privileged insider, the adversary is able to obtain $HI{D}_j$ and $A_{cs}$ during the data request phase. Then, the attacker can compute $Veri{f}_j$ and $M{A}_j$. However, $CS$ generates a random nonce $R_{CS}$ in the data retrieve session, and the adversary cannot compute $Veri{f}_{cs}=P{K}_j^{A_{cs}·R_{cs}}$ without $R_{cs}$. Therefore, the proposed scheme is secure against the privileged-insider attacks.

5.1.6. Replay and Man-In-The-Middle Attacks

An adversary can learn about transmitted messages over open wireless channels according to Section 3.2. However, in our proposed scheme, the adversary cannot conduct replay and man-in-the-middle attacks because every transmitted message contains timestamp or random nonce. Timestamps or random nonces $T_1$, $T_2$, $T_3$, $R_{cs}$, and $r_A$ are generated by $D{U}_j$ or $CS$ and included in the message $M{A}_j=h_1(Veri{f}_j\left|\right|HI{D}_j\left|\right|T_1)$, $AUT{H}_{cs}=h_1(M{A}_j\left|\right|Veri{f}_j\left|\right|R_{cs})$, $R_A=P{K}_a^{r_A}$, $L_{AB}=h_1(V_A\left|\right|T_2)$, and $L_{BA}=h_1(V_A\left|\right|HGI{D}_l\left|\right|T_3)$. Therefore, the proposed scheme can successfully prevent against replay and man-in-the-middle attacks.

5.1.7. Known Session-Specific Temporary Information Attacks

If an adversary obtains random numbers $r_A$ and $r_B$ according to CK-threat model mentioned in Section 3.2 in authentication for delegation phase, then the attacker can compute $R_A$ or $R_B$. However, the adversary cannot compute $V_A$ or $V_B$ without obtaining data user’s secret key $b_a$ or $b_b$. Therefore, the attacker cannot compute $SK=h_1(V_A\left|\right|V_B\left|\right|AGI{D}_l\left|\right|T_3)$. Thus, we can say that our proposed scheme can prevent against the known session-specific temporary information attacks.

5.1.8. Ephemeral Secret Leakage (ESL) Attacks

In the authentication for delegation phase, $D{U}_A$ and $D{U}_B$ establish the same session key $SK=h_1(V_A\left|\right|V_B\left|\right|AGI{D}_l\left|\right|T_3)$. Based on the CK-threat model Section 3.2, the short term ephemeral secrets $r_A$, $r_B$ can be leaked. However, the adversary still cannot compute $SK$ because the adversary does not have $b_a$ and $b_b$. Furthermore, assuming that the long-term secret keys $b_a$ and $b_b$ have been leaked, the adversary cannot calculate the session key because $r_A$ and $r_B$ cannot be known. $SK$ can be computed only when both short term and long term are leaked, and since this is a computationally infeasible problem, our scheme can resist ESL attacks.

5.1.9. Session Key Disclosure Attacks

An adversary tries to obtain sensitive information by calculating a legitimate session key $SK$. However, as discussed in Section 5.1.4, Section 5.1.7 and Section 5.1.8, the adversary cannot compute $SK$ because of the computationally infeasible problem. Therefore, our proposed scheme is safe against session key disclosure attacks.

5.1.10. Mutual Authentication

After receiving the message from $D{U}_j$ in the data retrieve phase, $CS$ checks

$$\begin{array}{cc}\hfill e(DP{K}_{do}^{HI{D}_j·A_{cs}},DP{K}_{do}^{M{A}_j})& =e(DP{K}_{do}^{HI{D}_j·A_{cs}},DP{K}_{do}^{M{A}_j})\hfill \\ & =e(g^{{\rho }_{do}·HI{D}_j·A_{cs}},g^{{\rho }_{do}·M{A}_j})\hfill \\ & =e{(g,g)}^{{\rho }_{do}·HI{D}_j·A_{cs}·{\rho }_{do}·M{A}_j}\hfill \\ & =e(g^{{\rho }_{do}·HI{D}_j·{\rho }_{do}·M{A}_j},g^{A_{cs}})\hfill \\ & =e(HHI{D}_j,P{K}_{cs})\hfill \end{array}$$

According to Section 5.1.2 and Section 5.1.3, an adversary cannot impersonate legitimate $D{U}_j$. Moreover, $D{U}_j$ also checks $AUT{H}_{cs}^{{}^{\prime }}=h_1(M{A}_j\left|\right|Veri{f}_j\left|\right|Veri{f}_{cs})$.

In addition, in the authentication for delegation phase, $D{U}_A$ and $D{U}_B$ check $L_{AB}=h_1(V_A\left|\right|T_2)$ and $L_{BA}=h_1(V_A\left|\right|HGI{D}_l\left|\right|T_3\left|\right|V_B)$. Therefore, our scheme provides mutual authentication.

5.2. BAN Logic Analysis

This section uses BAN logic [11] to prove that the proposed scheme provides mutual authentication in the data retrieve phase and authentication for delegation phase.

Table 2. The basic BAN logic notations.

Notations	Meaning
$SK$	The used session key in current authentication session
$\#ST$	The statement $ST$ is fresh
$\omega ⊲ST$	$\omega$sees the statement $ST$
$\omega |\equiv ST$	$\omega$believes the statement $ST$
$\omega |\sim ST$	$\omega$ once said $ST$
$<ST{>}_{For}$	Formula $SR$ is united with formula $For$
${\left\{ST\right\}}_{Key}$	Encrypt the formula $ST$ encrypted the key $Key$
$\omega \stackrel{Key}{\leftrightarrow }\sigma$	$\omega$ and $\sigma$ uses $Key$ as shared key for communicating
$\omega \Rightarrow ST$	$\omega$controls the statement $ST$

provides a description of the notation of BAN logic and we also describe the rules, goals, assumptions and ideal form of ban logic [32,33].

5.2.1. Logical Rules of BAN Logic

The Logical rules of the BANlogic are:

1. 

Jurisdiction rule :

$$\frac{\omega \left|\equiv \sigma \right|⟹S,\omega \left|\equiv \sigma \right|\equiv ST}{\omega |\equiv S}$$

2. 

Nonce verification rule :

$$\frac{\omega \left|\equiv \#\left(ST\right),\omega \right|\equiv \sigma |\sim ST}{\omega \left|\equiv \sigma \right|\equiv ST}$$

3. 

Message meaning rule :

$$\frac{\omega |\equiv \omega \stackrel{K}{\leftrightarrow }\sigma ,\sigma ⊲{\left\{S\right\}}_K}{\omega \left|\equiv B\right|\sim ST}$$

4. 

Belief rule :

$$\frac{\omega |\equiv \left(ST,For\right)}{\omega |\equiv ST}$$

5. 

Freshness rule :

$$\frac{\omega |\equiv \#(ST)}{\omega |\equiv \#\left(ST,For\right)}$$

5.2.2. Goals for Data Retrieve Phase

The following goals are presented to demonstrate that the proposed scheme achieves a mutual authentication :

Goal 1:

$CS|\equiv (R_{du})$,

Goal 2:

$CS|\equiv D{U}_j|\equiv \left(R_{du}\right)$,

Goal 3:

$D{U}_j| \equiv \left(R_{cs}\right)$,

Goal 4:

$D{U}_j| \equiv CS|\equiv \left(R_{cs}\right)$,

5.2.3. Idealized Forms for Data Retrieve Phase

The idealized forms are as following :

M₁ :

$D{U}_j\to CS:{(HI{D}_j,T_1,R_{du},DP{K}_{do})}_{g^{b_j·A_{cs}}}$

M₂ :

$CS\to D{U}_j:{(HI{D}_j,T_1,R_{cs})}_{g^{b_j·A_{cs}}}$

5.2.4. Assumptions for Data Retrieve Phase

The following assumptions are the initial state of the proposed scheme to achieve BAN logic proof.

A₁ :

$CS|\equiv (CS\stackrel{g^{b_j·A_{cs}}}{⟷}D{U}_j)$

A₂ :

$D{U}_j|\equiv (D{U}_j\stackrel{g^{b_j·A_{cs}}}{⟷}CS)$

A₃ :

$CS|\equiv \#(R_{du})$

A₄ :

$D{U}_j|\equiv \#\left(R_{cs}\right)$

A₅ :

$CS|\equiv D{U}_j\Rightarrow \left(R_{du}\right)$

A₆ :

$D{U}_j|\equiv CS\Rightarrow \left(R_{cs}\right)$

5.2.5. Proof Using BAN Logic for Data Retrieve Phase

Main proofs using rules and assumptions of the BAN logic are as the following steps :

Step 1:

$S_1$ can be obtained from $M_1$

$S_1$ : $CS⊲{(HI{D}_j,T_1,R_{du},DP{K}_{do})}_{g^{b_j·A_{cs}}}$.

Step 2:

For obtaining $S_2$, we apply the message meaning rule with $A_1$

$S_2$ : $CS|\equiv D{U}_j|\sim (HI{D}_j,T_1,R_{du},DP{K}_{do})$.

Step 3:

For obtaining $S_3$, we apply the freshness rule with $A_3$

$S_3$ : $CS|\equiv \#(HI{D}_j,T_1,R_{du},DP{K}_{do})$.

Step 4:

For obtaining $S_4$, we apply the nonce verification rule with $S_2$ and $S_3$

$S_4$ : $CS|\equiv D{U}_j\equiv (HI{D}_j,T_1,R_{du},DP{K}_{do})$.

Step 5:

For obtaining $S_5$, we apply the belief rule

$S_5$ : $CS|\equiv D{U}_j|\equiv \left(R_{du}\right)$. (Goal 2)

Step 6:

For obtaining $S_6$, we apply the jurisdiction rule with $A_5$

$S_6$ : $CS|\equiv R_{du}$. (Goal 1)

Step 7:

$S_7$ can be obtained from $M_2$

$S_7$ : $D{U}_j⊲{(HI{D}_j,T_1,R_{cs})}_{g^{b_j·A_{cs}}}$.

Step 8:

For obtaining $S_8$, we apply the message meaning rule with $A_2$

$S_8$ : $D{U}_j|\equiv CS|\sim (HI{D}_j,T_1,R_{cs})$.

Step 9:

For obtaining $S_9$, we apply the freshness rule with $A_4$

$S_9$ : $D{U}_j|\equiv \#(HI{D}_j,T_1,R_{cs})$.

Step 10:

For obtaining $S_4$, we apply the nonce verification rule with $S_8$ and $S_9$

$S_{10}$ : $D{U}_j|\equiv CS|\equiv (HI{D}_j,T_1,R_{cs})$.

Step 11:

For obtaining $S_{11}$, we apply the belief rule

$S_{11}$ : $D{U}_j|\equiv CS|\equiv \left(R_{cs}\right)$. (Goal 4)

Step 6:

For obtaining $S_{12}$, we apply the jurisdiction rule with $A_6$

$S_{12}$ : $D{U}_j|\equiv R_{cs}$. (Goal 3)

Thus, our scheme has completed the proof that it provides mutual authentication for data retrieve phase. BAN logic proof of authentication for delegation phase is similar to the above proof. Therefore, our scheme can provide secure mutual authentication.

5.3. AVISPA Simulation Analysis

We adopt the “Automated Validation of Internet Security Protocols and Applications (AVISPA) Simulation Tools” [12] to perform validation of security protocols against replay and man-in-the-middle attacks. AVISPA includes four backends: “Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)”, “SAT-based Model Checker (SATMC)”, “Constraint-logic-based Attack Searcher (CL-AtSe)”, and “On-the-fly mode-checker (OFMC)”. Neither the SATMC nor T theA4SP backends currently support “bitwise exclusive OR (XOR)” operations. Therefore, official security validation-based simulations rely on two backends: CL-AtSe and OFMC.

We use “High-Level Protocol Specification Language (HLPSL)” to implement the proposed scheme for the primary roles of data owner DO, data user DU, and cloud server CS, and also mandatory “Sessions and Goals and Environments”. It is worth noting that AVISPA uses the DY threat model for validation. Figure 7 provides simulation results of OFMC and CL-ATse backends in the data retrieve phase and authentication for delegation phase, and clearly shows that the proposed protocol is safe from “replay and man-in-the-middle attacks” [34,35].

6. Security and Efficiency Features Comparison

We compare the proposed scheme with the existing competing schemes in the domain of KASE such as Cui et al. [10] and Liu et al. [20], in terms of security functions, computational and communication overhead.

6.1. Functionality and Security Features Comparison

We compare the proposed scheme with the existing competing scheme in terms of various security features, such as replay, man-in-the-middle, impersonation, privileged-insider, session key disclosure attacks. Moreover, we compare various functional aspects such as user anonymity, mutual authentication, multi-access and delegation.

Table 3. Security Properties.

Security Properties	Cui et al. [10]	Liu et al. [20]	Ours
Man-in-the-middle attack	o	o	o
Replay attack	o	o	o
Impersonation attack	x	x	o
User anonymity	o	o	o
Privileged-insider attack	x	o	o
Session key disclosure attack	x	o	o
Mutual authentication	x	x	o
Multi-access	-	-	o
Multi-delegation	-	-	o

x: Insecure. o: Secure. -: Not concerned.

shows that existing schemes do not meet all security requirements. Moreover, unlike existing schemes, our proposed scheme additionally provides multi-access and delegation functions, and it is worth noting that DO or DU can perform various functions without TTP assistance.

6.2. Comparison of Computation Costs

This section performs a testbed experiment on cryptographic computation of the data retrieve phase using the popular “Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)” [13] on two platforms:

• Platform 1: The platform 1 is general personal computer environment, and the detailed performance of the personal computer is as follows: “Ubuntu 18.04.4 LTS with memory 8 GiB, processor: Intel Core i7-4790 @ 3.60GHz × 4, CPU Architecure: 64-bit.” The experiments are executed for “one-way-hash-function $\left(T_h\right)$”, “Bilinear pairing operation $\left(T_b\right)$”, “Scalar point multiplication $\left(T_{spm}\right)$”, and “Exponentiation operation $\left(T_e\right)$” for 100 runs. After that the average run-time in milliseconds are recorded for these operations or functions from 100runs, which are 0.003 ms, 6.575 ms, 2.373 ms, and 0.819 ms, respectively.
• Platform 2: The platform 2 is Raspberry PI environment for considering mobile device, and the detailed performance of the Raspberry PI is as follows: “Model: Raspberry PI 3 B, with CPU 64-bit, Processor: 1.2 GHz Quad-core, Memory: 1 GiB, and OS: Ubuntu 20.04.2 LTS 64-bit.” Figure 8 shows the setting of Raspberry PI environment. The experiments are executed for “one-way-hash-function $\left(T_h\right)$”, “Bilinear pairing operation $\left(T_b\right)$”, “Scalar point multiplication $\left(T_{spm}\right)$”, and “Exponentiation operation $\left(T_e\right)$” for 100 runs. After that the average run-time in milliseconds are recorded for these operations or functions from 100runs, which are 0.020 ms, 21.348 ms, 5.686 ms, and 2.973 ms, respectively.

Table 4. Comparison of computation costs.

Protocol	Computation Cost		Total Cost
	Data User	Cloud Server	Personal Computer	Raspberry Pi
Cui et al. [10]	$1T_h+1T_{spm}$	$\left(2n\right)T_{spm}+2T_b$	$(4.746n+15.526)$ ms	$(11.372n+48.402)$ ms
Li et al. [20]	$2T_h+2T_{spm}+1T_b$	$(2n+1)T_{spm}+4T_b$	$(4.746n+40)$ ms	$(11.372n+123.838)$ ms
Ours	$5T_h+3T_{spm}+4T_e+1T_b$	$3T_h+(2n+2)T_{spm}+3T_e+6T_b$	$(4.746n+63.647$ ms)	$(11.372n+198.837)$ ms

reveals the message computation costs of data user and cloud server entities in the data retrieval phase. As a result of comparing Cui et al., Liu et al., and ours, respectively, it can be seen that our scheme has a higher total cost compared to the existing schemes. However, the proposed scheme has the strength of showing that it is safe against various attacks.

6.3. Comparison of Computation and Communication Complexity

The number of keywords in the ciphertext and the number of keywords in the search query set affect computation and communication costs. In our scheme, the pairing operation between the user and the cloud server is additionally calculated compared to other schemes, but authentication is performed only once regardless of the number of keyword value. Therefore, according to $\left(O\right)$ asymptotic notation, our scheme has the same computational and communication costs as other existing KASE schemes. A comparative analysis in

Table 5. Comparison of complexity.

Protocol	Computation Cost			Communication Cost
	Encryption	Trapdoor	Retrieve ofCS	Aggregate Key	Trapdoor	Ciphertext
Cui et al. [10]	$O\left(\right|KW\left|P\right)$	$\left(O\right|Q\left|M\right)$	$O\left(\right|Q\left|P\right)$	$O\left(1\right)$	$O\left(\right|Q\left|\right)$	$O\left(\right|KW\left|\right)$
Li et al. [20]	$O\left(\right|KW\left|P\right)$	$\left(O\right|Q\left|M\right)$	$O\left(\right|Q\left|P\right)$	$O\left(1\right)$	$O\left(\right|Q\left|\right)$	$O\left(\right|KW\left|\right)$
Ours	$O\left(\right|KW\left|P\right)$	$\left(O\right|Q\left|M\right)$	$O\left(\right|Q\left|P\right)$	$O\left(1\right)$	$O\left(\right|Q\left|\right)$	$O\left(\right|KW\left|\right)$

$\left|KW\right|$: number of keywords with the ciphertext, $\left|Q\right|$: number of keywords in the query set, P: pairing.

shows that the complexity of computational and communication costs for the different features of the proposed scheme are comparable to those of the other schemes.

6.4. Discussion of Comparison

We can see from a comparative analysis that the computation costs demonstrate that the proposed protocol is expensive compared to other schemes. As per the asymptotic notation, the proposed scheme’s calculation complexity and communication consumption cost are the same as those of other schemes such as Cui et al. [10] and Liu et al. [20]. Furthermore, as shown in Table 3, our scheme outperforms other schemes in terms of security and features.

7. Conclusions and Future Works

In this paper, we designed a novel KASE scheme for data sharing without assistance of TTP, considering multi-delegation. The proposed scheme provides mutual authentication to secure data sharing. Moreover, our protocol can provide keyword verification through a bloom filter technique, and can resist various security attacks such as impersonation, privileged-insider and session key disclosure attacks. Moreover, our proposed scheme satisfies user anonymity property. We performed BAN logic to prove that the scheme can provide mutual authentication, and we also applied AVISPA simulation tool to demonstrate that the proposed scheme is secure from man-in-the-middle and replay attacks. Our scheme has higher computation cost compared to existing schemes, but the complexity according to the number of keywords and data sets is the same as existing schemes, proving that it is more secure than existing schemes. In the future, we will build a test-bed that simulates the real environment for efficient data sharing in real cloud services environment. After that, we will apply our scheme to the test-bed and improve it to a more efficient scheme.