Efficient Public Key Encryption with Disjunctive Keywords Search Using the New Keywords Conversion Method

Abstract

Public key encryption with disjunctive keyword search (PEDK) is a public key encryption scheme that allows disjunctive keyword search over encrypted data without decryption. This kind of scheme is crucial to cloud storage and has received a lot of attention in recent years. However, the efficiency of the previous scheme is limited due to the selection of a less efficient converting method which is used to change query and index keywords into a vector space model. To address this issue, we design a novel converting approach with better performance, and give two adaptively secure PEDK schemes based on this method. The first one is built on an efficient inner product encryption scheme with less searching time, and the second one is constructed over composite order bilinear groups with higher efficiency on index and trapdoor construction. The theoretical analysis and experiment results verify that our schemes are more efficient in time and space complexity as well as more suitable for the mobile cloud setting compared with the state-of-art schemes.

1. Introduction

Searchable encryption has attracted tremendous research attention in recent years. This field can be applied in many situations, such as email system, database management system and document management system. Constructing such a scheme supporting complex query conditions like boolean keyword search is an important issue. For creating a public key encryption system supporting boolean keyword search, we need to study public key encryption with conjunctive keyword search (PECK) and public key encryption with disjunctive keyword search (PEDK) first. The concept and security models of PECK are first defined by Park et al. [1]. In their work, they also gave two constructions based on these models. After this, Hwang and Lee [2] designed a more efficient PECK scheme under the multi-users setting. However, all of these schemes need keyword fields. To eliminate the keyword fields, a hidden vector encryption (HVE) scheme supporting conjunctive keyword search and range search over the encrypted data was proposed [3].

For the conjunctive keyword search, designers only need to consider whether all query keywords are included in the index keyword set, which means that the search algorithm only needs to consider the situation of keyword matching. However, for the disjunctive keyword search, designers should consider whether a part of keywords in the query are contained in the index keyword set, which means that the search algorithm needs to recognize the situation of both keyword matching and keyword non-matching at the same time. As a result, constructing an efficient PEDK scheme is more difficult than a PECK one. The first solution of PEDK was proposed by Katz et al. [4]. They proposed a function encryption paradigm called inner product encryption (IPE) that supports more advanced search functions including disjunctive keyword search. In the IPE scheme, each secret key and ciphertext are associated with a predicate vector $\overrightarrow{v}$ and an attribute vector $\overrightarrow{x}$, respectively. If and only if $\overrightarrow{v}·\overrightarrow{x}=0$, the secret key can decrypt the corresponding ciphertext. By applying a keyword conversion method which changes the index and query keywords into attribute and predicate vectors respectively, a PEDK scheme can be created according to IPE. However, the PEDK scheme introduced in their work is not very practical. Specifically, the keyword conversion method used in [4] relies on a polynomial $F={\prod }_{i=1}^n(x_i-y_1)(x_i-y_2)\dots (x_i-y_m)$ which contains ${(n+1)}^m$ terms, where $X=\{x_1,x_2,\dots ,x_n\}$ and $Y=\{y_1,y_2,\dots ,y_m\}$ are denoted as an index and a query keyword set, respectively. Note that each term in F consists of two parts: the attribute part, which is the product of some elements in $X\cup \{1\}$, and the predicate part, which is the product of some elements in $Y\cup \{1\}$. By using the attribute part and the predicate part in each term, an attribute vector $\overrightarrow{x}$ and a predicate vector $\overrightarrow{y}$ can be created. Obviously, if $X\cap Y\ne \varnothing$, there is $F=0$, which means $\overrightarrow{x}·\overrightarrow{y}=0$. Since the dimensions of predicate and attribute vector are ${(n+1)}^m$, the space and time complexity of the obtained PEDK scheme increases in exponential order. To construct a more efficient PEDK scheme supporting conjunctive keyword search simultaneously, Zhang and Lu proposed an approach that changes an IPE scheme to a scheme called public key encryption with conjunctive and disjunctive keyword search (PECDK), and gave a concrete construction [5]. In this scheme, the size of trapdoor and each document’s index are both linear with $O(N_D)$. Moreover, the number of times of pairing operations in the search algorithm is still linear with $O(N_D)$, where $N_D$ is the number of keywords in all indices. Thus, there is still a great room to improve the efficiency for disjunctive keyword search.

In addition, IPE is not designed only for creating a searchable encryption scheme supporting disjunctive keyword search. Thus, in order to obtain a highly efficient PEDK scheme, one should utilize alternative methods.

In this paper, we aim to create efficient PEDK schemes with less time and space cost. The contributions are listed as follows.

(1)

A new method for converting the index and query keywords into a vector space model is proposed. The dimension of the vectors generated by the proposed method is more small than that generated by the previous methods. Moreover, our scheme is based on an equation of degree n with one unknown. The coefficients of this equation is composed of the index keyword set, while the roots of this equation is composed of the query keyword set. The coefficients and roots create the attribute vectors and predicate vectors, respectively. Thus, our method can easily be combined with other techniques, such as IPE scheme and composite bilinear order groups. By combining the new approach with an efficient IPE scheme, we propose a more efficient IPE-based PEDK scheme with a better time and space complexity (We denote this PEDK scheme by PEDK-1).

(2)

We also demonstrate that a construction of PEDK does not rely on IPE. Applying techniques of dual system encryption and composite order group, a new PEDK scheme without IPE, denoted by PEDK-2, is given. We show that this scheme can largely reduce the complexity of index building and key generation compared with our former proposal.

Moreover, we design a experiment to show the efficiency of the previous PEDK schemes and two proposed schemes. The experiment results show that the efficiency of proposed schemes is more practical than the previous ones. We also give a detailed comparison between PEDK-1 and PEDK-2. The theoretical analysis and experiment results show that the key generation, index building and trapdoor generation operations in PEDK-2 are more efficient than that in PEDK-1, except for the test operation. In addition, the space cost in PEDK-2 is less than that in PEDK-1. In practice, client device, e.g., a mobile device, has less storage space and limited computation capacity. Thus, compared with PEDK-1, PEDK-2 is much more suitable for the resource constrained environment.

Related work. There are two classes of searchable encryption schemes in terms of different cryptography primitives: public key system and symmetric key system.

Song et al. first introduced the definition of searching symmetric encryption and gave a specific scheme [6]. Then, Goh gave the concept and security definition of multi-keyword query on encrypted data [7], and gave a more practical scheme by using a Bloom filter. Based on this concept, improved schemes [8,9] were proposed to reduce computation and communication costs. However, the time cost of search in these schemes is linear with the number of documents. To optimize the query speed, some works utilize tree structure, such as r-tree and kd-tree, to obtain a sub-linear search efficiency [10,11]. Since the query results in these works are not sorted, all related documents will be returned, which will lead to a large network traffic problem. Based on the order-preserving encryption (OPE) scheme [12], rank search schemes [13,14] were proposed, which can quickly search top-k related documents. However, works mentioned above only support single keyword query. Recently, some schemes were proposed to achieve multi-keywords rank search [15,16].

The first searchable public key encryption solution called public-key encryption with keyword search (PEKS) is designed by Boneh et al. [17], which is related to the identity-based encryption (IBE) proposed in [18]. Based on this, Abdalla et al. gave the computational and statistical consistency of PEKS, and gave a concrete scheme [19]. However, these works fail to support multi-keyword search. The framework and security model of PECK are proposed by Park et al. [1]. They also gave two schemes in their work. One needs more bilinear pairing operations, while the other needs more private keys. Then, Hwang and Lee designed a more effective solution for multi-user setting [2]. The PECK schemes mentioned above were using keyword field as an additional information which are not practical in many applications. In order to avoid using a keyword field, a hidden vector encryption (HVE) scheme supporting conjunctive keyword search and range search over the encrypted data was proposed [3]. To achieve disjunctive keyword search, Katz et al. constructed the first IPE scheme [4], which is related to the attribute-based encryption (ABE) [20]. Fully secure IPE schemes with better decryption efficiency were proposed in [21,22].

In recent years, the work of searchable public-key encryption (SPE) has focused on two aspects. On the one hand, it focuses on improving the efficiency of traditional SPE; on the other hand, it adds special abilities on the traditional SPE, such as extra security mechanism and faster search rate. We use

Table 1. Summary of previous searchable public key encryption schemes.

Type	Ref.	Query Condition	Additional Security Measures	Fast Search
Standard SPE	[23]	Conjunctive keyword search	-	-
	[24]	Conjunctive keyword search	-	-
	[22]	Disjunctive keyword search	-	-
	[3]	Range, conjunctive keywords, subset search	-	-
	[5]	Conjunctive and disjunctive keyword search	-	-
	[25]	Range search	-	-
Special SPE	[26]	Conjunctive keyword search	Verifiable	-
	[27]	Conjunctive keyword search	Verifiable	-
	[28]	Single keyword search	Verifiable and Access control	-
	[29]	Single keyword search	-	Yes
	[30]	Single keyword search	-	Yes
	[31]	Fuzzy keyword search	Access control	-

The query condition represents the search mode supported by the scheme; the additional security mechanism added in the scheme involves access control and the verification of query results; fast search means that the work is committed to building a scheme whose search speed is similar to the searchable symmetric encryption scheme.

to show main works for SPE in the last ten years. According to Table 1, we found that PEDK studies are relatively few, so this paper is devoted to building a more efficient PEDK scheme.

Organization. We organize this paper as follows: in Section 2, the model of PEDK and its security model are defined, and briefly review the concept of composite order bilinear groups and complexity assumption. In Section 3, we introduce our keyword conversion method, and then propose two concrete PEDK scheme based on our approach. The security proof of proposed schemes are given in Section 4. The theoretical and experimental analysis are given in Section 5. Section 6 covers the conclusion.

2. Preliminaries

In this section, we first introduce the definition of PEDK’s framework. Then, we present the security definition of PEDK. Finally, we briefly review some techniques adopted in our work, including complexity assumption and bilinear groups of composite order.

2.1. Model of PEDK

We suppose that $pk$ is the public key, and $sk$ is the secret key, where $pk$ can be accessed by anyone and $sk$ can be only held by the receiver. A sender can send an encrypted plaintext M with an encrypted index generated by using keywords $w_1,w_2,\dots ,w_n$ of M and $pk$ to a server. When the receiver would like to retrieve the messages containing a specific list of keywords, the receiver can use $sk$ and query keywords to construct a trapdoor, and sends the trapdoor to the server. After receiving the trapdoor, the server adopts the test algorithm to determine which documents match the trapdoor, and returns the matched documents to the receiver. The architecture of this process is described in Figure 1.

According to this architecture, we give the formal model of PEDK inspired by the model proposed in [1] as follows.

Definition 1.

The PEDK scheme involves four polynomial time algorithms, which are KenGen, IndexBuild, Trapdoor and Test:

(1) 

KeyGen(γ): The algorithm takes a security parameter γ as input, and outputs a key pair $(pk,sk)$, where “pk” and “sk” represent public key and secret key, respectively.

(2) 

IndexBuild(pk,W): By taking advantage of “pk” and a keyword set $W=\{w_1,w_2,\dots ,w_n\}$, the sender applies the algorithm to create an encrypted index $I_W$.

(3) 

Trapdoor(sk,Q): By utilizing the keyword query $Q=\{q_1,q_2,\dots ,q_m\}$ and “sk”, the receiver adopts this algorithm to generate a trapdoor $T_Q$, where $m\le n$.

(4) 

Test(pk, $T_Q$, $I_W$): The server executes this algorithm to test whether the encrypted index $I_W$ and the trapdoor $T_Q$ contain at least one same keyword. It takes $T_Q$, $I_W$ and “pk” as input. If $Q\cap W\ne \varphi$, then it outputs 1; otherwise, 0 .

2.2. Security Definition of PEDK

The proposed schemes must be proven to be secure under a formal security definition. Similar to the definition introduced in [1], we present the security definition as follows.

Definition 2.

If an PEDK scheme can resist chosen plaintext attacks and is adaptively index-hiding, then it must have that, for any probabilistic polynomial-time (PPT) adversary A, under a security parameter k, the A’s advantage for winning the following game is negligible:

(1) 

Setup: The challenger C performs the KeyGen($1^{\gamma }$) algorithm to generate $pk$ and $sk$. Then, C sends $pk$ to the attacker A.

(2) 

Phase 1: The attacker A can adaptively ask C for any trapdoor $T_Q$ of query Q he wants.

(3) 

Challenge: A randomly chooses two keyword sets $W^0$ and $W^1$, and gives them to C. Suppose that $Q_1,Q_2,\dots ,Q_t$ are the keyword sets which are queried to construct trapdoors in phase 1, where t is the number of trapdoors queried in phase 1, there is a restriction in which $Q_i\cap W^0=\varnothing$ and $Q_i\cap W^1=\varnothing$ for each $i\in [1,t]$. Then, C picks a random bit $\beta \in \{0,1\}$, and creates $I_{\beta }=IndexBuild(pk,W^{\beta })$. After that, A sends $\{I_{\beta },W^0,W^1\}$ to A.

(4) 

Phase 2: Under the restriction mentioned above, A can continue to issue any query Q he wants. C responds the corresponding trapdoor.

(5) 

Response: A outputs ${\beta }^{\prime }\in \{0,1\}$. If ${\beta }^{\prime }=\beta$, then A wins the game.

According to the game mentioned above, A’s advantage in the above game is defined as:

$$Ad{v}_{Game}^A=|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}|.$$

Generally speaking, the key is to ensure that the encrypted form of $W^0$ and that of $W^1$ are computationally indistinguishable to the adversary.

2.3. Composite Order Bilinear Groups and Complexity Assumption

Boneh et al. [32] firstly uses the composite order bilinear groups to create cryptographic algorithms. In our paper, we will adopt groups of order N that is a product of four (distinct) prime. Moreover, by using a security parameter $1^k$, we apply a generator $\mathfrak{g}$ to generate a description $I=(p_1,p_2,p_3,p_4,G,G_T,\widehat{e})$; where $p_1,p_2,p_3,p_4$ are distinct primes, $G_T$ and G are cyclic groups of order $N=p_1{p}_2{p}_3{p}_4$, and $\widehat{e}:G\times G\to G_T$ is a non-degenerate bilinear map such that:

• Bilinear: $\widehat{e}(g^a,h^b)=\widehat{e}{(g,h)}^{ab}$,where $g,h\in G$ and $a,b\in Z_N$;
• Non-degenerate: $\widehat{e}(g,g)$ is a generator of $G_T$ if g is a generator of G;
• Computable: For any $g,h\in G$, an efficient algorithm must exist to compute $\widehat{e}(g,h)$.

In addition, we also further require that the group operations in G and $G_T$ is computable in deterministic polynomial time under the security parameter k. Furthermore, we suppose that the descriptions of G and $G_T$ contain generators of G and $G_T$, respectively. For $S\subseteq \{1,2,3,4\}$, the subgroup of order ${\prod }_{i\in S}{p}_i$ is denoted by $G_{{\prod }_{i\in S}{p}_i}$. Suppose that $h_1\in G_{{\prod }_{i\in S_1}{p}_i}$ and $h_2\in G_{{\prod }_{i\in S_2}{p}_i}$, where $S_1,S_2\subseteq \{1,2,3,4\}$, it is easy to verify that $\widehat{e}(h_1,h_2)=1$ if $gcd({\prod }_{i\in S_1}{p}_i\times {\prod }_{i\in S_2}{p}_i|N^2,N)=N$. We call this property as the orthogonality property, which is very important in our construction.

For proving the security of our construction, we introduce a complexity assumption called General Subgroup Decision (GSD) Assumption [33] as follows.

GSD Assumption. Let $S_0,S_1,S_2,\dots ,S_k$ be non-empty subsets of $\{1,2,3,4\}$ in which, for each $j\in [2,k]$, either $S_j\cap S_0$, $S_j\cap S_1$ are both empty or $S_j\cap S_0$, $S_j\cap S_1$ are both non-empty. Choosing a group generator $\mathfrak{g}$, we can define the distribution as follows:

$$\mathbb{G}=(N=p_1{p}_2{p}_3{p}_4,G,G_T,\widehat{e})\stackrel{R}{\leftarrow }\mathfrak{g},$$

$$T_0\stackrel{R}{\leftarrow }{G}_{{\prod }_{i\in S_0}{p}_i},T_1\stackrel{R}{\leftarrow }{G}_{{\prod }_{i\in S_1}{p}_i},$$

$$Z_2\stackrel{R}{\leftarrow }{G}_{{\prod }_{i\in S_2}{p}_i},\dots ,Z_k\stackrel{R}{\leftarrow }{G}_{{\prod }_{i\in S_k}{p}_i},$$

$$D=(\mathbb{G},Z_2,Z_3,\dots ,Z_k).$$

The algorithm A’s advantage in breaking GSD Assumption is defined as:

$$\begin{array}{c}\hfill Ad{v}_{\mathfrak{g},A}(k)=Pr[A(D,T_0)=1]-Pr[A(D,T_1)=1].\end{array}$$

(1)

According to the description above, the definition of GSD assumption is given as follows.

Definition 3.

For all PPT algorithms A, if the function $Ad{v}_{\mathfrak{g},A}(k)$ is negligible of k, then we can say that, for, generator $\mathfrak{g}$, GSD Assumption holds.

3. Proposed PEDK Schemes

In this section, we first introduce the conversion method that changes an index and a query keyword set into a attribute vector and a set of predicate vectors, respectively. Then, we combine this method into an efficient IPE scheme to construct the PEDK-1 scheme. Finally, we build the PEDK-2 scheme based on a composite bilinear order group.

3.1. Conversion Method

The key idea of this method is to first construct an equation of degree n with one unknown by using the index and query keyword sets, where n is the number of keywords. Then, by using the relationship between the roots and coefficients in this equation, an attribute vector for the index keyword set and a set of predicate vectors for the query keyword set can be created. The concrete steps are shown below.

Suppose that any keyword w can be expressed as a string in ${\{0,1\}}^{*}$, and we define a function $H_1:{\{0,1\}}^{*}\to Z_p^{*}$. Since p is a large prime and is larger than the number of the all words, $H_1$ can be collision-resistance. This means that, if $i\ne j$, then $H_1(w_i)\ne H_1(w_j)$, where $w_i$ and $w_j$ are two distinct keywords.

We first construct an equation of degree n with one unknown by using the index and query keyword sets. After that, we use the roots and coefficients of the equation to create a set of query vectors and an index vector. Let $W=\{w_1,w_2,\dots ,w_n\}$ and $Q=\{q_1,q_2,\dots ,q_m\}$ are two keyword sets, where $m<n$. The approach is described as follows:

(1)

For the keyword set $W=\{w_1,w_2,\dots ,w_n\}$, constructing a function:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill f(x)& =(x-H_1(w_1))(x-H_1(w_2))\dots (x-H_1(w_n))\hfill \\ & =a_n{x}^n+a_{n-1}{x}^{n-1}+\dots +a_0{x}^0.\hfill \end{array}\end{array}$$

(2)

According to the coefficient of the $f(x)$, a vector $\overrightarrow{a}=\{a_0,a_1,\dots ,a_n\}$ can be obtained.

(2)

For each keyword $q_i$ in the keyword set Q, we construct $\overrightarrow{q_i}=\{H_1{(q_i)}^0,H_1{(q_i)}^1,\dots ,H_1{(q_n)}^n\}$, and output a vector set $\{\overrightarrow{q_1},\overrightarrow{q_2},\dots ,\overrightarrow{q_m}\}$.

Note that, if there is a keyword $q_i\in Q$ such that $q_i\in W$, where $i\in [1,m]$, according to the Equations (2), it is not difficult to verify that $\overrightarrow{a}·\overrightarrow{q_i}=0$.

As a result, we can test each $q_i\in Q$ with W to make a disjunctive keyword search. If $Q\cap W\ne \varnothing$, then it must exist an $i\in [1,m]$ such that $\overrightarrow{a}·\overrightarrow{q_i}=0$. Based on this, two concrete PEDK schemes will be proposed in the rest of this section.

3.2. PEDK-1

By using the method given in Section 3.1, we can give a new PEDK scheme based on the IPE scheme.

Construction. In the IPE scheme, there are four algorithms: $Setu{p}_{IPE}$, $En{c}_{IPE}(p{k}_{IPE},\overrightarrow{x},M)$, $KeyGe{n}_{IPE}(p{k}_{IPE},ms{k}_{IPE},\overrightarrow{v})$, and $De{c}_{IPE}(p{k}_{IPE},c,s{k}_{\overrightarrow{v}})$. We denote the public key and the master secret key by $p{k}_{IPE}$ and $ms{k}_{IPE}$, respectively. $\overrightarrow{x}$ and $\overrightarrow{v}$ represent the attribute and predicate vectors, respectively. The ciphertext and secret key are denoted by c and $s{k}_{\overrightarrow{v}}$, respectively. By combining the conversion method and an efficient IPE scheme introduced in [22], the PEDK-1 scheme works as follows:

-

KeyGen: it runs $Setu{p}_{IPE}$ to generate a key pair $\{p{k}_{IPE},ms{k}_{IPE}\}$, and then sets $pk=p{k}_{IPE}$ and $sk=ms{k}_{IPE}$.

-

IndexBuild: For the keyword set W, it uses the Equation (2) to create an vector $\overrightarrow{a}$. After this, it outputs $I_W=En{c}_{IPE}(pk,\overrightarrow{a},message)$ as the index of W. Note that it sets the $message$ to 1.

-

Trapdoor: For the query Q, it generates a group of vectors $\{\overrightarrow{q_1},\overrightarrow{q_2},\dots ,\overrightarrow{q_m}\}$. By applying $KeyGe{n}_{IPE}$ to each vector, it creates a trapdoor $T_Q=\{t_1,t_2,\dots ,t_m\}$, where $t_i=KeyGe{n}_{IPE}(pk,msk,\overrightarrow{q_i})$ and $i\in [1,m]$.

-

Test: Given $I_W$ and $T_Q$, it runs $De{c}_{IPE}(I_W,t_i,pk)$ for each $i\in [1,m]$. If there is at least one $i\in [1,m]$ such that $De{c}_{IPE}$ outputs 1, then it outputs 1. Otherwise, it outputs 0.

Correctness. If $q_i\in W$, then there is $\overrightarrow{a}·\overrightarrow{q_i}=0$. Let $I_W$ and $T_Q$ be as the above. It exists that $t_i$ can decrypt the index $I_W$. As a result, according to the property of IPE, the $De{c}_{IPE}$ algorithm outputs 1 (Note that the $message$ is set to be 1 in the IndexBuild algorithm.). This means that the Test algorithm also outputs 1.

Security. The security of this scheme depends on that of the IPE scheme. The detailed security proof is given in Section 1.

3.3. PEDK-2

The previous PEDK schemes are based on the IPE scheme. Considering the reason that IPE is a general encryption prototype which is not designed only for disjunctive keyword search on encrypted data, in this subsection, we aim to create a non-IPE PEDK scheme by using the composite order bilinear groups.

Construction. The PEDK-2 scheme works as follows:

-

KeyGen: Randomly selecting a bilinear group G of order $N=p_1{p}_2{p}_3{p}_4$ (where $p_1$,$p_2$,$p_3$,$p_4$ are distinct primes), ${\alpha }_i,{\beta }_i\in Z_N^{*}$, $U_1,A_1\in G_{p_1}$ and $A_{4i},B_{4i},U_4$ and $g_4\in G_{p_4},$ where $i\in [0,n]$, pk is published as:

$$pk=\{N,U_1{U}_4,{A_1}^{{\beta }_i}{A}_{4i},{A_1}^{{\alpha }_i}{B}_{4i},g_4,H_1\}.$$

The secret key $sk$ is $\{{\alpha }_i,{\beta }_i,U_1,A_1,g_3\},$ where $g_3$ is a generator of $G_{p_3}$.

-

IndexBuild: Given a keyword set $W=\{w_1,w_2,\dots ,w_n\}$, the algorithm uses the Equation (2) to create an vector $\overrightarrow{a}=\{a_0,a_1,a_2,\dots ,a_n\}$. Choosing $n+3$ random elements $s,c_0,c_1,c_2,\dots ,c_n,c_{n+1}\in Z_N^{*}$, for the vector $\overrightarrow{a}$, the encryption algorithm creates the index $I_W=(C_{10},C_{11},C_{12},\dots ,C_{1n},C_2)$ as:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill C_{1i}& ={({A_1}^{{\beta }_i}{A}_{4i})}^{s{a}_i}\times {({A_1}^{{\alpha }_i}{B}_{4i})}^s\times {g_4}^{c_i}\hfill \\ & ={A_1}^{s({\beta }_i{a}_i+{\alpha }_i)}{C}_{4i},\hfill \end{array}\end{array}$$

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill C_2& ={(U_1{U}_4)}^s\times g_4^{c_{n+1}},\hfill \\ & =U_1^s{C}_4\hfill \end{array}\end{array}$$

where $C_{4i}=A_{4i}^{s{a}_i}{B}_{4i}^s{g_4}^{c_i},C_4=U_4^s{g}_4^{c_{n+1}}$ and $i\in [0,n]$.

-

Trapdoor: Given a keyword set $Q=\{q_1,q_2,\dots ,q_m\}$ where $m\le n$, the trapdoor generation algorithm chooses $r\in Z_N^{*}$ and generates random elements $R_{3ji}$ where $i\in [0,n]$, $j\in [1,m]$ and $R_{3j}$ by using $g_3$ and raising it to the random exponents modulo N. Then, it chooses random elements $r_1,r_2,\dots ,r_m\in Z_N^{*}$ and two random orthogonal vector bases $B={(\overrightarrow{b_1},\dots ,\overrightarrow{b_m})}^T$, and $B^{*}={({\overrightarrow{b_1}}^{*},\dots ,{\overrightarrow{b_m}}^{*})}^T\in Z_N^{m\times m}$ in which $\overrightarrow{b_i}·{\overrightarrow{b_j}}^{*}=0(modN)$ whenever $i\ne j$ and $\overrightarrow{b_i}·{\overrightarrow{b_i}}^{*}=\lambda (modN)$ for all $i\in m$ where $\lambda$ is a random elements in $Z_N^{*}$. Suppose that $\overrightarrow{b_t}=\{b_{t1},b_{t2},\dots ,b_{tm}\}$ and ${\overrightarrow{b_t}}^{*}=\{b_{t1}^{*},b_{t2}^{*},\dots ,b_{tm}^{*}\}$ where $t\in [1,m]$, it computes:

$$K_{ji}={U_1}^{\frac{r_1{b}_{1j}{H}_1{(q_1)}^i+r_2{b}_{2j}{H}_1{(q_2)}^i+\dots +r_m{b}_{mj}{H}_1{(q_m)}^i}{{\beta }_i}}{R}_{3ji},$$

$$K_j={A_1}^{{\sum }_{i=0}^n\frac{{\alpha }_i(r_1{b}_{1j}{H}_1{(q_1)}^i+r_2{b}_{2j}{H}_1{(q_2)}^i+\dots +r_m{b}_{mj}{H}_1{(q_m)}^i)}{{\beta }_i}}{R}_{3j},$$

where $i\in [0,n],j\in [1,m]$. The trapdoor of keyword set Q is :

$$T_Q=\left(\begin{array}{cccccc}{K}_{10}& K_{11}& \dots & K_{1n}& K_1& {\overrightarrow{b_1}}^{*}\\ K_{20}& K_{21}& \dots & K_{2n}& K_2& {\overrightarrow{b_2}}^{*}\\ ⋮& ⋮& \ddots & ⋮& ⋮& ⋮\\ K_{m0}& K_{m1}& \dots & K_{mn}& K_m& {\overrightarrow{b_m}}^{*}\end{array}\right).$$

-

Test: After receiving a trapdoor $T_Q$ and a secure index $I_W$, the algorithm works as follows:

(a)

The algorithm computes $M_j=\frac{{\prod }_{i=0}^n\widehat{e}(C_{1i},K_{ji})}{\widehat{e}(C_2,K_j)}$ for each $j\in [1,m]$.

(b)

Choosing a counter k, and setting $k=1$.

(c)

If $k>m$, then go to step d), otherwise the algorithm computes: $D_k={\prod }_{j=1}^m{M}_j^{b_{kj}^{*}}$. If $D_k=1$, then the algorithm outputs 1 and ends. Otherwise, it sets $k=k+1$ and goes to the step c).

(d)

The algorithm outputs 0 and ends.

Correctness. Let $I_W$ and $T_Q$ be as the above. Then, we have the following two equations:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill \widehat{e}(C_2,K_j)& =\widehat{e}(U_1^s{C}_4,{A_1}^{{\sum }_{i=0}^n\frac{{\alpha }_i(r_1{b}_{1j}{H}_1{(q_1)}^i+\dots +r_m{b}_{mj}{H}_1{(q_m)}^i)}{{\beta }_i}}{R}_3)\hfill \\ & =\widehat{e}{(U_1,A_1)}^{s{\sum }_{i=0}^n\frac{{\alpha }_i(r_1{b}_{1j}{H}_1{(q_1)}^i+\dots +r_m{b}_{mj}{H}_1{(q_m)}^i)}{{\beta }_i}},\hfill \end{array}\end{array}$$

(3)

$$\begin{array}{c}\hfill \begin{array}{c}\hfill \prod _{i=0}^n\widehat{e}(C_{1i},K_{ji})=\widehat{e}{(A_1,U_1)}^{s{\sum }_{i=0}^n\frac{{\alpha }_i(r_1{b}_{1j}{H}_1{(q_1)}^i+\dots +r_m{b}_{mj}{H}_1{(q_m)}^i)}{{\beta }_i}}\\ \hfill \times \widehat{e}{(A_1,U_1)}^{s(r_1{b}_{1j}{\sum }_{i=0}^n{a}_i{H}_1{(q_1)}^i+\dots +r_m{b}_{mj}{\sum }_{i=0}^n{a}_i{H}_1{(q_m)}^i)}.\end{array}\end{array}$$

(4)

According to the Equations (3) and (4), we know:

$$\begin{array}{c}\hfill M_j=\widehat{e}{(A_1,U_1)}^{s(r_1{x}_1{b}_{1j}+r_2{x}_2{b}_{2j}+\dots +r_m{x}_m{b}_{mj})}.\end{array}$$

(5)

In Equation (5), we can find:

$$\begin{array}{c}\hfill x_k=\sum _{i=0}^n{a}_i{H}_1{(q_k)}^i,wherek\in [1,m].\end{array}$$

(6)

Since $\overrightarrow{b_i}·{\overrightarrow{b_j}}^{*}=0(modN)$ whenever $i\ne j$ and $\overrightarrow{b_i}·{\overrightarrow{b_i}}^{*}=\lambda (modN)$ for all $i\in m$, there is:

$$\begin{array}{c}\hfill \begin{array}{cc}\hfill D_k& =\prod _{j=1}^m{M}_j^{b_{kj}^{*}}\hfill \\ & =\widehat{e}{(A_1,U_1)}^{s(r_1{x}_1\overrightarrow{b_1}{\overrightarrow{b_k}}^{*}+\dots +r_k{x}_k\overrightarrow{b_k}{\overrightarrow{b_k}}^{*}+\dots +r_m{x}_m\overrightarrow{b_m}{\overrightarrow{b_k}}^{*})}\hfill \\ & =\widehat{e}{(A_1,U_1)}^{s{r}_k{x}_k\lambda }.\hfill \end{array}\end{array}$$

Note that there is $x_k=0$ if the keyword $q_k$ in the trapdoor is also contained in the index. Thus, $D_k=1$ if $q_k\in W$.

Security. The security of this scheme depends on the assumption introduced in Section 2.3. The detailed security proof is given in Section 4.2.

4. Security Analysis

4.1. Security of PEDK-1

The PEDK-1 scheme is based on the fully secure IPE scheme. Thus, we give the following proposition.

Proposition 1.

The PEDK-1 scheme is secure if the IPE scheme that PEDK-1 is based on is secure.

Proof Sketch.

If it exists an PPT algorithm $\mathbb{A}$ that can break the PEDK-1 scheme, then the IPE scheme on which PEDK-1 is based can be broken by $\mathbb{A}$. For the setup phase, $\mathbb{C}$ applies the $Setu{p}_{IPE}$ algorithm to creat $p{k}_{IPE}$ and $s{k}_{IPE}$, and sets $pk=p{k}_{IPE}$, $sk=s{k}_{IPE}$. For the phase 1, $\mathbb{A}$ can adaptively query trapdoors of keyword set $\{Q_1,Q_2,\dots ,Q_t\}$. These trapdoors are composed of a set of decryption keys of IPE. For the challenge phase, under a constraint that $Q_i\cap W^0=\varnothing$ and $Q_i\cap W^1=\varnothing$, $\mathbb{A}$ randomly chooses two challenge keyword sets $W^0$ and $W^1$, where $i\in [1,t]$. After this, $\mathbb{C}$ randomly chooses a $\beta \in \{0,1\}$, and sends an index $I_{W^{\beta }}$ to $\mathbb{A}$. This index is composed of a set of challenge ciphertexts of IPE. For the phase 2, $\mathbb{A}$ still asks for trapdoors which he wants under the restriction mentioned above. For the response phase, $\mathbb{A}$ issues a guess ${\beta }^{\prime }$. If $\mathbb{A}$ can break the PEDK-1 scheme, the value of $|Pr[{\beta }^{\prime }=\beta ]-\frac{1}{2}|$ can not negligible. It means that the two challenge indices can be distinguished. Because the challenge indices in the PEDK-1 scheme is equal to the challenge ciphertexts in the IPE scheme, we can reckon that $\mathbb{A}$ can break the IPE scheme according to the security definition for IPE.

4.2. Security of PEDK-2

To prove the security of the PEDK-2 system, according to the dual system encryption, we first introduce the concept of semi-functional trapdoor and index. The semi-functional trapdoor and index will be adopted in the proof, but not in the real PEDK-2 system. This is similar to those introduced in [34].

Semi-functional index: We denote the generator of the subgroup $G_2$ by $g_2$, and create the Semi-functional index as follows. The encryption algorithm generates a normal index $C_{10}^{\prime },C_{11}^{\prime },C_{12}^{\prime },\dots ,C_{1n}^{\prime },C_2^{\prime }$. Choosing $n+2$ random elements $x,z_{c0},z_{c1},\dots ,z_{cn}$ and $z_c\in Z_N$, $C_{1i}$ is set to be $C_{1i}^{\prime }{g}_2^{x{z}_{ci}}$ for each $i\in [0,n]$ and $C_2$ is set to be $C_2^{\prime }{g}_2^{x{z}_c}$. The semi-functional index is $\{C_{10},C_{11},\dots ,C_{1n},C_2\}$.

Semi-functional trapdoor: We denote the generator of the subgroup $G_2$ by $g_2$, and create the semi-functional trapdoor as follows. A normal trapdoor $K_{j0}^{\prime },K_{j1}^{\prime },\dots ,K_{jn}^{\prime },K_j^{\prime }$ is constructed by the encryption algorithm, where $j\in [1,m]$. Choosing $(n+2)m+1$ random elements $\xi ,z_{kj0},z_{kj1},\dots ,z_{kjn}$ and $z_{kj}\in Z_N$, $K_{ji}$ is set to be $K_{ji}^{\prime }{g}_2^{\xi z_{kji}}$ for each $i\in [0,n]$ and $K_j$ is set to be $K_j^{\prime }{g}_2^{\xi z_{kj}}$. The semi-functional trapdoor is $\{K_{j0},K_{j1},\dots ,K_{jn},K_j\}$.

If we want to decrypt the semi-functional index by utilizing the semi-functional trapdoor, an additional factor $M_j^{\prime }=\widehat{e}{(g_2,g_2)}^{x\xi (z_c{z}_{kj}-{\sum }_{i=0}^n{z}_{ci}{z}_{kji})}$ will be generated for each $j\in [1,m]$.

The security of PEDK-2 depends on GSD Assumption. The proof process is based a hybrid method in which a set of games will be proven to be undistinguishable. We list these games as follows.

• $Gam{e}_{Real}:$ This game is the original security game.
• $Gam{e}_{Restricted}:$ Suppose that the keyword set $W=\{w_1,w_2,\dots ,w_n\}$ is one of the challenge keyword sets. We construct an n-degree polynomial $f(x)=(x-H_1(w_1))(x-H_1(w_2))\dots (x-H_1(w_n))=a_n{x}^n+a_{n-1}{x}^{n-1}+\dots +a_{1}x+a_0$. This game is identical to the real game except that the attacker is not allowed to obtain a trapdoor in which the corresponding keyword set does not contain any keyword w which satisfies ${\sum }_{i=0}^n{a}_i{H}_1{(w)}^i=0mod{p}_2$. This restriction will be kept throughout the following games.
• $Gam{e}_k:$ For each $k\in [0,q]$, we define $Gam{e}_k$ identical to $Gam{e}_{Restricted}$ except that A is given the semi-functional index. Moreover, the first k trapdoors are semi-functional and the rest are normal. In $Gam{e}_0$, the trapdoors sent to A are normal, but the index is semi-functional. In $Gam{e}_q$, both trapdoor and index are in the semi-functional form.
• $Gam{e}_{Fina{l}_k}:$ Letting the keyword set $W=\{w_1,w_2,\dots ,w_n\}$ be one of the challenge keyword sets, we construct an n-degree polynomial $f(x)$ mentioned above. Compared with $Gam{e}_q$, the index in this game is a semi-functional encryption of a challenge vector that its first k elements are random and the rest of the elements are $\{a_k,a_{k+1},\dots ,a_n\}$, where $k\in [0,n]$.

Obviously, $Gam{e}_{Fina{l}_0}$ is a game in which the index is a semi-functional encryption of a normal keyword set, while $Gam{e}_{Fina{l}_n}$ is a game in which the index is a semi-functional encryption of a random keyword set. The essence of the security proof is applying the following lemmas to verify that these games are indistinguishable.

Lemma 1.

If there is a probabilistic polynomial time algorithm A such that $Ad{v}_{Gam{e}_{Real}}^A-Ad{v}_{Gam{e}_{Restricted}}^A=ϵ$, then a PPT algorithm B with advantage ≥ $\frac{ϵ}{3}$ in breaking GSD Assumption can be created.

Lemma 2.

If there is a PPT algorithm A such that $Ad{v}_{Gam{e}_{Restricted}}^A-Ad{v}_{Gam{e}_0}^A=ϵ$, then a PPT algorithm B with advantage ϵ in breaking a GSD Assumption can be created.

Lemma 3.

For each $k\in [0,q]$, if there is a PPT algorithm A such that $Ad{v}_{Gam{e}_{k-1}}^A-Ad{v}_{Gam{e}_k}^A=ϵ$, then a PPT algorithm B with advantage ϵ in breaking the GSD Assumption can be created.

Lemma 4.

For each $k\in [0,n]$, suppose that there exists a PPT algorithm A such that $Ad{v}_{Gam{e}_{Fina{l}_{k-1}}}^A-Ad{v}_{Gam{e}_{Fina{l}_k}}^A=ϵ$. Then, a PPT algorithm B with advantage ϵ in breaking GSD Assumption can be created.

Considering the length of the article and the coherence of the article structure, the proofs of Lemmas 1–4 are given in Appendix A.

Theorem 1.

PEDK-2 scheme is secure if Assumptions 1, 2, 3, and 4 hold.

Proof. 

If Assumptions 1, 2, 3, and 4 hold, $Gam{e}_{Real}$ is indistinguishable from $Gam{e}_{Fina{l}_n}$ based on the previous lemmas that have been proved. In $Gam{e}_{Fina{l}_n}$, $\beta$ value is information-theoretically concealed from the attacker. According to this, we argue that the attacker fails to obtain any advantage in breaking PEDK-2 scheme. □

5. Performance Evaluation

5.1. Theoretical Analysis

According to Table 1, there are two previous PEDK schemes needed to be compared. One can be regarded as a combination of the conversion approach described in Section 1 and the most efficient IPE scheme given in [22] (For simplicity, we denote this scheme with PEDK-0.). The other PECDK is introduced in [5]. In the rest of this subsection, we will compare the proposed schemes (PEDK-1 and PEDK-2) with PEDK-0 and PECDK.

Let $|T_e|$ and $|T_{4e}|$ be the time cost for a pairing operation [33] on G and $G4$, and $|T_G|$ and $|T_{4G}|$ be the time cost for the power operation on G and $G4$, where G and $G4$ are a group of a prime order and a composite group of an order $N_4=p_1{p}_2{p}_3{p}_4$, respectively. For evaluating the time complexity, we only take these two operations into account since the time cost of these two operations is much more than that of other operations like group add operation. The theoretical analysis of time complexity is shown in

Table 2. Comparison with the previous schemes in time complexity.

	PEDK-0	PECDK	PEDK-1	PEDK-2
Key Generation	$O({(n+1)}^m)|T_G|+|T_e|$	$O(N_D^2)|T_G|$	$O(n^2)|T_G|+|T_e|$	$O(n)|T_{4G}|+|T_{4e}|$
Index Building	$O({(n+1)}^m)|T_G|$	$O(N_D)|T_G|$	$O(n^2)|T_G|$	$O(n)|T_{4G}|$
Trapdoor Generation	$O({(n+1)}^m)|T_G|$	$O(N_D)|T_G|$	$O(n^2·m)|T_G|$	$O(n·m)|T_{4G}|$
Testing	$O({(n+1)}^m)|T_e|$	$O(N_D)|T_G|$	$O(n^2)|T_e|$	$O(n)|T_{4e}|$

.

We denote the size of an element of G and $G4$ by $|G|$ and $|G4|$, and that of $G_T$ and $G_{4T}$ by $|G_T|$ and $|G_{4T}|$ respectively. The comparison result of space complexity is shown in

Table 3. Comparison with the previous schemes in space complexity.

	PEDK-0	PECDK	PEDK-1	PEDK-2
PK size	$O({(n+1)}^m)|G|+|G_T|$	$O(N_D^2)|G|$	$O(n^2)|G|+|G_T|$	$O(n)|G4|+|G_{4T}|$
SK size	$O({(n+1)}^m)|G|$	$O(N_D^2)|G|$	$O(n^2)|G|$	$O(n)|G4|$
Trapdoor size	$O({(n+1)}^m)|G|$	$O(N_D)|G|$	$(4n+2)|G|$	$(n+1)|G4|$
Index size	$O({(n+1)}^m)|G|+|G_T|$	$O(N_D)|G|$	$(4n+2)|G|+|G_T|$	$(n+1)|G4|+|G_{4T}|$

.

According to the Table 2 and Table 3, it is easy to find that the efficiency of the proposed schemes is better than PEDK-0. Note that $N_D$ is a large integer and seen as the number of keywords in a dictionary, and $N_D$ is much bigger than n in general. Therefore, we argue that the proposed schemes has better performance on time and space complexity than PECDK one.

5.2. Experimental Results

In our experiments, we build a group of artificial keyword sets with a different number of keywords in each set (i.e., $n=5;10;15;20;25$), where each keyword set can be seen as an index of a document. In each keyword set, we denote each keyword as a unique integer in the range $[0,5000]$, where 5000 can be regarded as the number of different words in artificial keyword sets. We encrypted each keyword set with PEDK-1 and PEDK-2, respectively, and stored these encrypted indices on our machine. After this, we randomly performed some queries over the stored indices. In addition, we use the IPE scheme introduced in [22] to quantify the efficiency of PEDK-0 and PECDK. We applied the Java Pairing Based Cryptography library (JPBC) [35] to realize our schemes. The experimental environment is under 8 GB memory and Intel(R) Core(TM) [email protected] CPU (Xinyang, Henan province, China). Moreover, our construction is based on the Type A pairing whose base field size is 512-bit. The security level is identical to 1024-bit DLOG [35].

A. Performance of PEDK-0 and PECDK.

According to the analysis in Section 1, we know that the main method for constructing PEDK-0 is converting the index and query keywords into a predicate and attribute vector, respectively. By using predicate and attribute vectors, we can apply an IPE scheme to build a PEDK-0 scheme. Note that the length of predicate and attribute vectors is linear with $O({(n+1)}^m)$. Even if $m=5$ and $n=5$, the length of vector is $6^5$. In addition, the PECDK scheme [5] is also based on the IPE scheme, where the the length of predicate and attribute vectors is linear with $O(N_D)$. For the sake of simplicity, we test the performance of the IPE scheme [22] under $N=\{5,10,15,\dots ,50\}$, where N denotes the dimension of the predicate and attribute vectors, and then inferred that the efficiency of PEDK-0 and PECDK needed to be improved.

From Figure 2a, we find that the time cost of key generation, index building and trapdoor generation is linear with $O(N^2)$, and that of testing is linear with $O(N)$. From Figure 2b, the space cost of indices and trapdoors is linear with $O(N)$, and that of keys is linear with $O(N)$. Even if N is very small, the time and space consumptions cannot be ignored. When n and m are very large, N will become very large (Note that N is linear with $O({(n+1)}^m)$), which makes PEDK-0 ineffective. Moreover, the vocabulary size ($N_D$) is commonly linear with $O({10}^6)$ [36]. Considering that $N=N_D$ in this case, we think the efficiency of PECDK is relatively low.

B. Performance Comparison between PEDK-1 and PEDK-2

B.1: Time Overhead. Impact of the keyword size (n). For a query with five keywords, Figure 3 shows that:

(1)

Figure 3a–c show that the execution time of key generation, index building and trapdoor generation is linear with $O(n^2)$ in PEDK-1, while $O(n)$ in PEDK-2. Since the PEDK-1 scheme is based on the dual pairing vector space DPVS, the PEDK-2 has a better performance in the key generation, index building and trapdoor generation phase; and

(2)

Figure 3d indicate that the running time of testing in PEDK-1 and PEDK-2 is linear with $O(n)$, and the time cost in PEDK-2 is nearly four times more than that in PEDK-1 since the pairing operations in a composite group are more time-consuming than that in a prime one.

Impact of the keyword size (m). According to the analysis in Section 5.1, we know that m only affects algorithms of trapdoor generation and testing. For an index with 25 keywords ($n=25$), Figure 4 shows that the time consumption in trapdoor generation and testing are linear with $O(m)$. Specifically, the execution time of trapdoor generation in the PEDK-2 scheme is less than that in the PEDK-1 scheme, while the time cost for testing in the PEDK-2 scheme is more than that in the PEDK-1 scheme.

B.2: Storage Overhead.

As shown in Figure 5, we can argue that:

(1)

Figure 5a–c show the impact of n on the storage size of keys (pk and sk), indices and trapdoors. Figure 5a verifies that the storage size of keys is linear with $O(n^2)$ in PEDK-1, while $O(n)$ in PEDK-2. Given a fixed parameter m, Figure 5b,c show that the storage size of indices and trapdoors is linear with $O(n)$, and PEDK-2 needs less space overhead than PEDK-1 since PEDK-2 needs less group elements in the index and trapdoor.

(2)

Because the parameter m only affects the phases of trapdoor and test, we only present Figure 5d to show the impact of m on the storage size of trapdoors. Given a fixed parameter n, both the trapdoor size in PEDK-1 and that in PEDK-2 are linear with $O(m)$. Due to owning less elements in the trapdoor, the space consumption in PEDK-2 is still less than that in PEDK-1.

6. Conclusions

In this paper, we proposed a new approach that can convert the operation of disjunctive keyword search into inner product operations among vectors. Based on this approach, we give two concrete schemes which are better than previous schemes and proven to be secure under an adaptive security model.

To justify the efficiency of the proposed schemes, we present detailed theoretical analysis and experimental results. These results show that: (1) compared with previous PEDK schemes, the proposed two schemes are more efficient; (2) the first proposed scheme based on the IPE has better performance in testing phase; and (3) the second one achieves better time and space complexities on key generation, index building and trapdoor generation by taking advantage of the composite order bilinear groups. Moreover, because each document has its own encrypted index, we can easily accelerate the search process by utilizing the technique of parallel computation. The search process is preformed by the cloud server, which has strong computing power. Considering this actual situation and the experimental result, we argue that our scheme is more practical in the cloud platform.

In conclusion, our proposed schemes are beneficial for applications with computation and memory limitations. The future work is to create efficient encryption schemes supporting more complex query condition, e.g., simple boolean keyword search like $q_1\vee q_2\wedge q_3$.