Upload
others
View
27
Download
0
Embed Size (px)
Citation preview
RESEARCH ARTICLE
Searchable attribute-based encryption
scheme with attribute revocation in cloud
storage
Shangping Wang1, Duqiao Zhao1*, Yaling Zhang2
1 School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China, 2 School of Computer Science,
Xi’an University of Technology, Xi’an, Shaanxi, China
Abstract
Attribute based encryption (ABE) is a good way to achieve flexible and secure access con-
trol to data, and attribute revocation is the extension of the attribute-based encryption, and
the keyword search is an indispensable part for cloud storage. The combination of both has
an important application in the cloud storage. In this paper, we construct a searchable attri-
bute-based encryption scheme with attribute revocation in cloud storage, the keyword
search in our scheme is attribute based with access control, when the search succeeds,
the cloud server returns the corresponding cipher text to user and the user can decrypt
the cipher text definitely. Besides, our scheme supports multiple keywords search, which
makes the scheme more practical. Under the assumption of decisional bilinear Diffie-Hell-
man exponent (q-BDHE) and decisional Diffie-Hellman (DDH) in the selective security
model, we prove that our scheme is secure.
Introduction
In 2005, Waters et al.[1] came up with the concept of ABE(Attribute-Based Encryption) which
was much more flexible than traditional public-key encryption. With the development and
deepening of ABE, the attribute revocation of ABE is concerned by more and more people.
The efficient attributes revocation scheme is an integral part of ABE scheme, which is one of
the difficulties for the application of ABE, and the study of ABE is inseparable from the attri-
bute revocation scheme research.
P. Traynor et al.[2] put forward a scheme which achieved the update of secret key in 2006.
However, it needed that the user must kept close contact with attribute authority to get the
secret key. Thereafter, Kumar et al.[3] presented a scheme with revocation of ABE, and it
expanded from the IBE which they proposed before. All of these articles demand that users
need to access the attribute authority for key reissuing at regular intervals.
In 2008, Jiang et al.[4] gave a scheme that solved the key misused problem of users. How-
ever, in this scheme, the third party should be included in each decryption key of users, and
made it was unrealistic. After that, Kim et al.[5] inserted the users’ information in the secret
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 1 / 20
a1111111111
a1111111111
a1111111111
a1111111111
a1111111111
OPENACCESS
Citation: Wang S, Zhao D, Zhang Y (2017)
Searchable attribute-based encryption scheme with
attribute revocation in cloud storage. PLoS ONE 12
(8): e0183459. https://doi.org/10.1371/journal.
pone.0183459
Editor: Yeng-Tseng Wang, Kaohsiung Medical
University, TAIWAN
Received: October 19, 2016
Accepted: August 6, 2017
Published: August 31, 2017
Copyright: © 2017 Wang et al. This is an open
access article distributed under the terms of the
Creative Commons Attribution License, which
permits unrestricted use, distribution, and
reproduction in any medium, provided the original
author and source are credited.
Data Availability Statement: All relevant data are
within the paper and its Supporting Information
files.
Funding: This work is supported by the National
Natural Science Foundation of China under grants
61572019, 61173192, and the Key Project of
Research Foundation of Natural Science
Foundation of Shaanxi Province of China under
Grant No. 2016JZ001.
Competing interests: The authors have declared
that no competing interests exist.
key of attribute by using the black box model and sent it to the user, which was more efficient
to guarantee the security of the system.
Attrapadung et al.[6] put forward the two revocation models, they are direct revocation
model and indirect revocation model. The direct revocation model is specified the revocation
list by sender, and the indirect revocation model updates the secret key periodically by the key
center. In [7] [8], the authors gave some ABE instances. However, in the above schemes, they
do not relate to the keyword search issue, which makes users can not effectively search for
files.
To overcome this problem, Boneth et al. [9] proposed a single keyword search scheme,
namely the user can only search a single keyword. In this scheme, the data owner extracted the
keywords from the file before encrypted, and used the public key to encrypt the keywords.
After that, the data owner sent the file and the index of the keywords to the cloud server. The
user could generate the search token about the keywords which he wanted to search and sent it
to the cloud server. The cloud server used the matching algorithm to find out the cipher text
and returned it if the match was successful.
Searchable encryption has many practical applications. In 2011, Kerschbaum et al.[10] pro-
posed a secure conjunctive keyword searches for unstructured text scheme, and the scheme
was proved secure in the random oracle model. At the same year, Cao et al.[11] and Chuanh
et al.[12] gave schemes that the multi-keyword search over encrypted data.
In 2014, Han et al. [13] proposed an attribute based encryption (ABE) searchable scheme,
in which used the homomorphic encryption technology. Sahai et al. [14] gave a outsourcing
technique based on the scheme of Gentry et al.[15]. After that, Liang K et al. [16] proposed a
searchable ABE mechanism with efficient and secure in cloud storage. This model can be
applied to real life, such as the safety of electric power system. And the scheme is secure in the
random oracle model. Later, Li et al. [17] proposed a searchable ABE scheme with attribute
revocation in cloud storage.
Willy Susilo et al.[18] proposed a searchable scheme, and it supported multiple keywords
search. At the same time, Li J et al.[19] made a searchable CP-ABE with revocation. In this
scheme, the receivers could not steal any information from the cipher because of the access
structures were partially hidden, which made the scheme more secure.
In 2016, Wen et al. [20] proposed a verifiable attribute-based keyword search scheme with
fine-grained owner-enforced search authorization in the cloud. This scheme supports user rev-
ocation. Besides, it allows data owners encrypt the data and outsource to the cloud server. In
the same year, Yang et al. [21] proposed a conjunctive keyword search scheme with designated
tester. User can search within a specified time if he is authorized, and it is proved secure in the
standard model. In 2017, Jiang et al. [22] proposed a keyword search scheme with efficiency
and verification in cloud data, and it allows multi-keyword search. Finally, they gave the secu-
rity analysis in the scheme. Later, Poon et al.[23] constructed a conjunctive keyword search
scheme. This scheme allows phrase search, and has smaller storage cost.
Our contribution
In 2012, Qiang Li et al.[24] put forward a scheme with fine-grained attribute revocation. How-
ever, the scheme only achieves the attribute revocation, the keyword search is not involved,
this problem may lead to the problem that system users cannot effectively download cipher
text which they interested from the cloud server.
In this paper, we propose a keyword search attribute based encryption scheme with attri-
bute revocation. The new scheme supports not only the attribute revocation but also keyword
search. When a user wants to search the file which he interests, he sends the search token to
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 2 / 20
the cloud server, and the cloud server runs the test algorithm. If the test is successful, it returns
the file. In this way, the user can download the file which he interests and save the storage
space at the same time. Finally, under the assumption of q-BDHE and DDH in the selective
security model, we prove that our scheme is secure.
Preliminaries
A linear secret sharing scheme can be used to represent an access control policy (M, ρ), which
M is an l×k matrix, and S = {att1, . . ., attn} be an attribute set, and for i 2 [1,l], ρ(i)! S is a
mapping function, and ρ(i) maps a row into the attribute.
Linear Secret-Sharing Scheme (LSSS) [25]
A linear secret sharing scheme includes two algorithms:
Share: In this step, it is dispersing the secret value s to attributes specified by ρ as follows: by
selecting v2; . . . ; vk!R Zp,setting ~V ¼ ðs; v2; . . . ; vkÞ and computing li ¼ Mi �
~V where Mi is the
ith row of M,it assigns secrets share λi to the attribute ρ(i).Combine: In this step, it is used to collect the secret value from secret shares which related
to the attributes as follows: selecting subset I = {i: ρ(i) 2 S} the attribute set {ρ(i) | i 2 I} satis-
fies access control strategy (M, ρ), and computing coefficients ki, i 2 I such that ∑i2I kiMi =
(1,0,. . ., 0), then we will obtain that ∑i2I kiλi = s.
Decisional q-BDHE assumption [24]
The definition of the decisional q-BDHE exponent assumption in our article as follows:
Choose a group G1 of prime order p, let g be a generator of G1, and define e: G1 × G1! G2,
the adversary is given a vector
ðg; gs; ga; ga2
; . . . ; gaq ; gaqþ2
; . . . ; ga2qÞ 2 G2qþ1
1
We say that the Decision q-BDHE assumption holds in G1 if no polynomial-time algorithm
has a non-negligible advantage to distinguish eðg; gÞsaqþ1
and a random element in G2.
Zero Inner-product [24]
The ID represents the identity of user which associated with user’s private key. Define a
vector X = (x1,. . .,xn)T such that xi = IDi-1, i 2 [1, n]. To encrypt with a revoked user set
R = {ID1,� � �, IDq}, one defines as Y = (y1,. . ., yn)T, the coefficient vector of PR[Z] from
PR½Z� ¼Xqþ1
i¼1
yiZi� 1 ¼
Y
IDj2R
ðZ � IDjÞ
where, if q + 1 < n, the coordinates yq+2,� � �,yn are set to 0. By doing so, we note that
PR[ID] = <X, Y> = 0 iff ID 2 R.
For example, if the user ID1 in the revoked user set R = {ID1, ID3}, we have that
PR½ID1� ¼< X;Y >¼Y
IDj2R
ðID1 � IDjÞ ¼ 0.
Decisional DDH assumption [10]
Let G1 is a group which prime order is p, let g be a generator of G1, and give a tuple (g, ga, gb)
where a; b2RZp, we say that the decisional DDH assumption holds if no polynomial time
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 3 / 20
algorithm has a non-negligible advantage to distinguish that Z equals gab or to a random ele-
ment of G1.
Algorithm model and security model
Algorithm model. Denote U = {ID1,� � �, IDQ} to be the universe of all the users, we con-
sider a scheme that searchable attribute-based encryption scheme with attribute revocation in
cloud storage, as described in Fig 1. There are seven algorithms in our scheme:
Setup (λ)!msk, pp: This algorithm is executed by attribute authority. It inputs a security
parameter λ and outputs the master secret key msk and public parameter pp.
KeyGen (ID, (M, ρ), pp, msk)! sk, τ:This algorithm is executed by attribute authority. It
inputs a user’s identity ID 2 U, an access structure (M, ρ), public parameter pp, the msk and
outputs the secret key sk and the part of search token τ.
Encryption (pp, ω, Rθ, m)! ct: This algorithm is executed by data owner. It inputs public
parameter pp, the attribute set ω, a revocation list Rθ� U which attribute θ 2 ω,a message mand outputs a cipher text ct.
Index (pp, ω, Rθ, W)! Ind: This algorithm is executed by data owner. It inputs public
parameter pp, the attribute set ω,a revocation list Rθ� U which attribute θ 2 ω,the keywords
set from the uploaded files W and outputs keywords index Ind.
Fig 1. System model of our scheme
https://doi.org/10.1371/journal.pone.0183459.g001
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 4 / 20
Trapdoor (pp, W0, τ)!τ�:This algorithm is executed by user. It inputs the public parame-
ter pp and the keywords set W0, and outputs the new token τ�.Test (τ�, Ind)! 1 or 0:This algorithm is executed by cloud storage server. It inputs the
search token τ�and keywords index Ind and outputs 1 or 0.
Decryption (pp, ID, sk, Rθ, ct)!m: This algorithm is executed by user. It inputs public
parameter pp, the user secret key sk of user ID 2 U, a revocation list Rθ� U of attribute θ 2 ω,
a cipher text ct. And the user ID has the attribute set ω0 as: if ID 2 Rθ, let ω0 = ω − {θ};otherwise,
ω0 = ω. It computes the message m if and only if the attribute set ω0 satisfies the access struc-
ture. And the user can decrypt the file with m.
Finally, the system model of our scheme is shown in Fig 1.
Security model
(1) Selective security model of attribute revocation.
Init. The adversary A chooses the attribute set ω� and a revocation list R�yðy 2 o�Þ.
Setup. The simulator operates this algorithm to get the public parameter pp and sends it to
the adversary.
Phase 1. The adversary queries the simulator for user private key sk which corresponds to
the access structure (M, ρ), such that ω�0will not meet the access structure (M, ρ).Challenge. The simulator receives two messages m0 and m1 from adversary, and chooses a
random bit b 2 {0, 1} to encrypt mb, and computes challenge cipher text ct� with the attribute
set ω� and the attribute revocation list R�y.
Phase 2. Same as Phase 1.
Guess. The adversary gives a guess b0 of b, and the advantage of the adversary in this game
is defined as jPr½b0 ¼ b� � 1
2j.
Definition1. The game model of this paper is to be safe if there no polynomial time adver-
saries have a non-negligible advantage in the above game.
(2) Indistinguishability against chosen keyword attack (IND-CKA) model.
Init. The adversary A selects a attribute set ω� and a user revocation list R�y
of θ 2 ω�. Then Bruns the algorithm to generate the public parameter pp and sends it to adversary A.
Phase 1. The adversary queries the challenger as follows:
1. The index of keywords {w1, w2,. . ., wN}.
2. The search token of fwj1 ;wj2 ; . . . ;wjN1g, and 1 � j1; . . . ; jN1
� N .
Challenge. The challenger receives two different keywords w�0
and w�1
from the adversary.
We require that the keywords w�0
and w�1
satisfies that 8j;wj 6¼ w�0^ wj 6¼ w�
1.
The challenger chooses a random keyword w�b, b 2 {0,1}, and give the index of keywords w�bto adversary.
Phase 2. Same as Phase 1.
Guess. The adversary gives a guess b0 of b, and the advantage of any adversary in this game
is defined as jPr½b0 ¼ b� � 1
2j.
Definition 2. We say a searchable encryption article with multiple keywords is secure based
on the game IND-CKA, if the advantage of the adversary is negligible in the above game.
Implement of the algorithm
Our construction is based on the Qiang Li et al.[24], and we combine the keyword search with
attribute revocation in our new scheme. User constructs the search token when he wants to
search files. If the search is successful and the set of attribute satisfies the access structure, it
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 5 / 20
outputs 1 in the algorithm of Test, then cloud server returns the cipher text. Our scheme adds
access control in search, the user can download the files which he interests and can decrypt in
this way, and save the space. We construct our scheme as follows:
Setup (λ)!msk, pp: Give that the G1 and G2 are two groups of prime order p, the binary
size of p is λ,let g be a generator of G1. Define that e: G1× G1!G2. In this paper, we suppose
the maximum number of attribute is m when encryption, and n represents the maximum
number of revoked user set in the revocation list. Then randomly choose α, β, δ 2 Zp,
A ¼ ða1; a2; . . . ; anÞT2 Zn
p , set H ¼ ðh1; h2; . . . ; hnÞT¼ ðga1 ; ga2 ; . . . ; ganÞ
Tand randomly
choose {k0,i, k1,i 2 G1|i = 1,. . .,m},let K0ðxÞ ¼Ym
i¼1kðx
iÞ0;i ;K1ðxÞ ¼
Ym
i¼1kðx
iÞ1;i . Then
randomly choose that {t0,i, t1,i 2 G1|i = 1,. . .,m},and then define two functions Tf(x): Zp!
G1,Tf ðxÞ ¼Ym
i¼1tðx
iÞf ;i where f = {0, 1}. Let hash H be H:{0, 1}� ! G1, then the master key msk
and public parameter pp are:
msk ¼< a; a1; b; fk0;i; k1;i; t0;i; t1;igi¼1;...;m >
pp ¼< g; eðg; gÞa;H ¼ ðh1; h2; . . . ; hnÞT; gb; d;H;K0ðxÞ;K1ðxÞ >
KeyGen (ID, (M, ρ), pp, msk)! sk, τ : Let M be an l × k matrix corresponding to access pol-
icy (M, ρ). Define a vector X = (x1,. . .,xn)T such that xi = IDi−1, i 2 [1, n]. Randomly choose r,{zi,0, zi,1}i2[2,. . .k] 2 Zp, define a vector v0 = (α + rα1, z2,0,. . ., zk,0)T, v1 = (α, z2,1,. . ., zk,1)T. For
i = 1 to l, and compute that λi,0 = Mi�v0 and λi,1 = Mi�v1. Randomly choose {ri,0, ri,1}i2[1,. . .l] 2 Zp,
and set the private key as
sk ¼< D1;0;D1;1;D2;0;D2;1;D3;KX >
where
D1;0 ¼ fDðiÞ1;0 ¼ gli;0T0ðrðiÞÞ
ri;0gi2½1;...;l�
D2;0 ¼ fDðiÞ2;0 ¼ gri;0gi2½1;...;l�
D1;1 ¼ fDðiÞ1;1 ¼ gli;1T1ðrðiÞÞ
ri;1gi2½1;...;l�
D2;1 ¼ fDðiÞ2;1 ¼ gri;1gi2½1;...;l�
D3 ¼ gr;KX ¼ fKi ¼ ðh�
xix1
1 � hiÞrgi2½2;...;n�
Then calculate that KX ¼ ðK2; . . . ;KnÞ ¼ gr�MTX
A, where MX 2 (Zp)n×(n−1) is defined by
MX ¼�x2
x1
�x3
x1
� � � �xnx1
In� 1
0
@
1
A.
Randomly choose fv2; . . . ; vkg 2 Zk� 1p and set v ¼ ðb; v2; . . . ; vkÞ
T2 Zk
p . For i = 1 to l, com-
pute λi = Mi�v. Randomly choose ξi 2 Zp, then denote that
t ¼< t1; t2;0; t2;1 >
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 6 / 20
where
t1 ¼ ft1;i ¼ gligi¼1;...l
t2;0 ¼ ftrðiÞ2;0 ¼ Kxi
0 ðrðiÞÞgi¼1;...l
t2;1 ¼ ftrðiÞ2;1 ¼ Kxi
1 ðrðiÞÞgi¼1;...l
then send sk and τ to the user.
Encryption (pp, ω, Rθ, m)! ct: Suppose that a message m is encrypted with a set of attri-
bute ω and a revocation list Rθ� U which attribute θ 2 ω. Define a vector Y = (y1,. . ., yn)T as
the coefficient vector of PRy½Z�, and randomly choose s 2 Zp then output
ct ¼ hC;C1;C2;0;C2;1;C3i
where
C ¼ m � eðg; gÞas;C1 ¼ gs
C2;0 ¼ fCðxÞ2;0¼ T0ðxÞ
sgx2o;C2;1 ¼ fC
ðxÞ2;1¼ T1ðxÞ
sgx2o� fyg
C3 ¼ ðhy11 � � � hyn
n Þs
Index (pp, ω, Rθ, W)! Ind: A revocation list Rθ� U which attribute θ 2 ω. Data owner
encrypts the file F which is firstly encrypted by a symmetric encryption algorithm and gets
cipher text F�, and suppose that the symmetric encryption key is m. The set of keywords
W = {w1, w2,. . ., wN} is extracted from the F, and randomly choose t 2 Zp,and output the key-
words index
Ind ¼< I0; I1;j; I2;0; I2;1 >
where
I0 ¼ gt
I1;j ¼ gb � HðwjÞd; j 2 ½1;N�
I2;0 ¼ fIðxÞ2;0 ¼ Kt
0ðxÞgx2o
; I2;1 ¼ fIðxÞ2;1 ¼ Kt
1ðxÞgx2o� y
and send <Ind, ct, F�> to the cloud server.
Trapdoor (pp, W0, τ)!τ�: The user constructs the search token τ� according to the key-
words W 0 ¼ fwj1;wj2
; . . . ;wjN1g; ð1 � j1; . . . ; jN1
� NÞ which he interests as
t3 ¼ ft1;jq¼ gb � Hðwjq
Þdgq¼1;...;N1 ;jq¼1;...;N
and sends search token τ� =< τ1, τ2,0, τ2,1, τ3> and his ID to the cloud server.
Test (τ�, Ind)! 1 or 0: The cloud server receives the search token from the user. First,
the cloud server judges that whether the ID of user is in the revocation list Rθ. If ID 2 Rθ, let
ω0 = ω − {θ};otherwise, ω0 = ω. If the set ω0 satisfies the access structure (M, ρ), then there exists
a set of constants {μi 2 Zp}i2I, such thatP
i2Imi �Mi ¼ ð1; 0; . . . ; 0Þ.
(1) When ID =2 Rθ, cloud server selects N1 keywords index from the Ind, we denote the result
of selecting as fI1;O1; I1;O2
; . . . I1;ON1g,where 1 � O1; . . . ;ON1
� N. Then cloud server tests the
selected index set fI1;O1; I1;O2
; . . . I1;ON1g with the search token τ� =< τ1, τ2,0, τ2,1, τ3> with the
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 7 / 20
following equation
YN1
q¼1eðI1; t1;jq
Þ¼?YN1
s¼1eðI1; I1;Os
Þ
If the equation holds, it turns to next step; otherwise, it outputs 0.
eðI0;Y
i2Iðt1;i � t
rðiÞ2;0 Þ
miÞ
eðY
i2IðIrðiÞ
2;0 Þmi; gÞ
¼? eðI0; I1Þ
If the equations all hold, it returns the corresponding cipher text<ct, F�> to the user, and
user can decrypt. Otherwise, it outputs 0.
(2) When ID 2 Rθ, cloud server selects N1 keywords index from the Ind, we denote the
result of selecting is fI1;O1; I1;O2
; . . . I1;ON1g,where 1 � O1; . . . ;ON1
� N. Then cloud server tests
the selected index set fI1;O1; I1;O2
; . . . I1;ON1g with the search token τ� =< τ1, τ2,0, τ2,1, τ3> with
the following equation
YN1
q¼1eðI1; t1;jq
Þ ¼?YN1
s¼1eðI1; I1;Os
Þ
If the equation holds, it turns to next step; otherwise, it outputs 0.
eðI0;Y
i2Iðt1;i � t
rðiÞ2;1 Þ
miÞ
eðY
i2IðIrðiÞ
2;1 Þmi; gÞ
¼? eðI0; I1Þ
If the equations all hold, it returns the corresponding cipher text<ct, F�> to the user, and
user can decrypt. Otherwise, it outputs 0.
Decryption (pp, ID, sk, Rθ, ct)!m: User can decrypt according to the returned cipher text.
If ID 2 Rθ, ω0 = ω − {θ};otherwise, ω0 = ω, and then:
(1) When ID 2 Rθ, let I = {i: ρ(i) 2 ω0}, and there exists a set of constants {μi 2 Zp}i2I, such
that ∑i2I μi �Mi = (1,0,. . ., 0),then ∑i2I μiλi,1 = α. It calculates
φ ¼Y
i2I
eðC1;DðiÞ1;1Þ
eðCrðiÞ2;1 Þ;D
ðiÞ2;1
!mi
¼ eðg; gÞsa
and m = C / φ, user can decrypt F� to get F with m.
(2) When ID =2 Rθ, calculate
KX ¼Yn
i¼2
Kyii ¼ h
�<X;Y>
x11
Yn
i¼1
hyii
!r
so that when <X, Y> 6¼ 0, and then calculate
� ¼eðK;C1Þ
eðC3;D3Þ
� �� x1<X;Y>
¼ eðg; gÞrsa1
Let I = {i: ρ(i) 2 ω0}, and there exists a set of constants {μi 2 Zp}i2I, such that ∑i2I μi �Mi =
(1,0,. . ., 0),then ∑i2I μλi,0 = α+ rα1. Thus we have
g ¼Y
i2I
eðC1;DðiÞ1;0Þ
eðCrðiÞ2;0 ;D
ðiÞ2;0Þ
!mi
¼ eðg; gÞs�ðaþra1Þ
and m = C / A, user can decrypt F � to get F with m.
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 8 / 20
Correctness analyses
In this subsection, we show that our construction is correct with some appropriate parameters
setting.
(1) In the process of search the equation holds, it means that cloud server selects N1 key-
words index from the Ind which we denote fI1;O1; I1;O2
; . . . I1;ON1g,where 1 � O1; . . . ;ON1
� N
is matching the search token of the keywords fwj1;wj2
; . . . ;wjN1g; ð1 � j1; . . . ; jN1
� NÞ from
the user, then computes that
YN1
q¼1eðI1; t1;jq
Þ
¼YN1
q¼1eðgb; gb � Hðwjq
ÞÞ
¼YN1
q¼1eðgb; I1 � Hðwjq
ÞÞ
¼YN1
s¼1eðI1; I1;Os
Þ
a. When ID =2 Rθ, compute that
eðI0;Y
i2Iðt1;i � t
rðiÞ2;0 Þ
miÞ
eðY
i2IðIrðiÞ
2;0 Þmi; gÞ
¼eðgt; g
X
i2Ilimi �
Y
i2IKximi
0 ðrðiÞÞÞ
eðY
i2IKtximi
0 ðrðiÞÞ; gÞ
¼eðgt; gbÞ � eðg;
Y
i2IKximi
0 ðrðiÞÞÞt
eðY
i2IKximi
0 ðrðiÞÞ; gÞt
¼ eðgt; gbÞ
¼ eðI0; I1Þ
b. When ID 2 Rθ, compute that
eðI0;Y
i2Iðt1;i � t
rðiÞ2;1 Þ
miÞ
eðY
i2IðIrðiÞ
2;1 Þmi; gÞ
¼eðgt; g
X
i2Ilimi �
Y
i2IKximi
1 ðrðiÞÞÞ
eðY
i2IKtximi
1 ðrðiÞÞ; gÞ
¼eðgt; gbÞ � eðg;
Y
i2IKximi
1 ðrðiÞÞÞt
eðY
i2IKximi
1 ðrðiÞÞ; gÞt
¼ eðgt; gbÞ
¼ eðI0; I1Þ
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 9 / 20
(2) The decryption process first calculates
Ki ¼ h�
xix1
1 � hi
0
@
1
A
r
¼ g�
xix1� a1� gai
!r
¼ gr� �
xix1� a1 þ ai
� �
MX ¼�
x2
x1�
x3
x1. . . �
xnx1
In� 1
0
@
1
A
�x2
x1
�x3
x1
..
.
�xnx1
In� 1
0
BBBBBBBBBBBBBB@
1
CCCCCCCCCCCCCCA
�
a1
a2
..
.
an
0
BBBBBBBB@
1
CCCCCCCCA
¼
�x2
x1� a1 þ a2
�x3
x1� a1 þ a3
..
.
�xnx1� a1 þ an
0
BBBBBBBBBBB@
1
CCCCCCCCCCCA
¼ MTX�A
KX ¼ fK2; � � � ;Kng ¼ gr�MTX�A
(3) The decryption process calculates:
a. When ID 2 Rθ
φ ¼Y
i2I
eðC1;DðiÞ1;1Þ
eðCrðiÞ2;1 ;D
ðiÞ2;1Þ
!mi
¼Y
i2I
eðgs; gli;1T1ðrðiÞÞri;1Þ
eðT1ðrðiÞÞs; gri;1Þ
� �mi
¼Y
i2I
eðgs; gli;1Þ � eðgs;T1ðrðiÞÞri;1ÞÞ
eðT1ðrðiÞÞs; gri;1Þ
� �mi
¼Y
i2I
ðeðgs; gli;1ÞÞmi
¼Y
i2I
eðg; gÞs�li;1 �mi
¼ eðg; gÞs�ðP
i2Ili;1 �miÞ
¼ eðg; gÞsa
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 10 / 20
b. When ID =2 Rθ
KX ¼Yn
i¼2
Kyii
¼Yn
i¼2
h�
xix1
1 � hi
0
@
1
A
r�yi
¼ h�
x2y2x1þ���þ
xnynx1ð Þ
1 �Yn
i¼2
hiyi
!r
¼ h�
x2y2x1þ���þ
xnynx1ð Þ
1 �Yn
i¼1
hiyi � h1
� y1
!r
¼ h�
x2y2x1þ���þ
xnynx1ð Þ
1 �Yn
i¼1
hiyi � h1
�y1x1x1
!r
¼ h�
x1y1x1þ���þ
xnynx1ð Þ
1 �Yn
i¼1
hiyi
!r
¼ h�<X;Y>
x11 �
Yn
i¼1
hyii
!r
� ¼eðK;C1Þ
eðC3;D3Þ
� �� x1<X;Y>
¼
e h�<X;Y>
x1
1 �Yn
i¼1
hyii
!r
; gs !
eððhy1
1� � � hyn
nÞs; grÞ
0
BBBB@
1
CCCCA
�x1
<X;Y>
¼
e h�<X;Y>
x1
1
!
; g
!
� eYn
i¼1
hyii
!
; g
!
eððhy1
1� � � hyn
nÞ; gÞ
0
BBBB@
1
CCCCA
�x1
<X;Y>�r�s
¼ e h�<X;Y>
x1
1
� �; g
� �� �� x1<X;Y>
�r�s
¼ e g �<X;Y>
x1�a1
� �; g
� �� �� x1<X;Y>
�r�s
¼ eðg; gÞrsa1
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 11 / 20
g ¼Y
i2I
eðC1;DðiÞ1;0Þ
eðCrðiÞ2;0 ;D
ðiÞ2;0Þ
!mi
¼Y
i2I
eðgs; gli;0T0ðrðiÞÞri;0Þ
eðT0ðrðiÞÞs; gri;0Þ
� �mi
¼Y
i2I
eðgs; gli;0Þ � eðgs;T0ðrðiÞÞri;0ÞÞ
eðT0ðrðiÞÞs; gri;0Þ
� �mi
¼Y
i2I
ðeðgs; gli;0ÞÞmi
¼Y
i2I
eðg; gÞs�li;0 �mi
¼ eðg; gÞS�ðP
i2Ili;0�miÞ
¼ eðg; gÞs�ðaþra1Þ
Let A = γ / ϕ = e(g, g)sα.
Security analyses
Selective security model proof
Theorem1. If an adversary can break our scheme with advantage ε in the selective security
model, then we can construct a simulator to solve the Decision q-BDHE problem with advan-
tage ε2.
Proof: This proof bases on [24].
The simulation proceeds as follows. First, the challenger sets
Y ¼ ðg; gs; g1 ¼ ga; g2 ¼ ga2
; . . . ; gq ¼ gaq ; gqþ2 ¼ gaqþ2
; . . . ; g2q ¼ ga2qÞ
Then the challenger flips a fair binary coin μ: if μ = 0, the challenger sets Z = e(g1, gq)s if
μ = 1,then the challenger picks a random element Z from G2.
Init. The simulator B runs adversary A. A selects an attribute set ω� and a user revocation
list R�y,where θ 2 ω�, which it wishes to be challenged upon.
Setup. The simulator B proceeds as follows:
(1) The simulator B randomly chooses α 0, β, δ, 2 Zp, and then simulator B sets that
eðg; gÞa ¼ eðga; gaqÞ � eðg; gÞa0
,implicitly has that α = α 0 + αq+1. Then it randomly chooses
fk00;i; k
01;i 2 G1ji¼1;...;mg, and computes
K0ðxÞ ¼Ym
i¼1k0ðx
iÞ0;i ;K1ðxÞ ¼
Ym
i¼1k0ðx
iÞ1;i
(2) It sets R�y¼ fID1; � � � ; IDmg where m� Q. For k 2 [1, m], simulator B sets
Xk ¼ ðxk;1; . . . ; xk;nÞ ¼ ð1; IDk; ID2k; . . . ; IDn� 1
k Þ, randomly chooses bk 2 Zp and has that
bTk �MXk
¼ bTk �
�xk;2xk;1
. . . �xk;nxk;1
In� 1
0
@
1
A ¼ 0
and bk ¼ 1;xk;2xk;1; . . .
xk;nxk;1
� �T. The simulator B sets the n×q matrix B = (b1|. . .|bm|0|. . .|0),
for k 2 [1, m], it consists by bk, and q −m columns are 0. Sets Z = (z1,� � �,zq)T 2 Zn and
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 12 / 20
zi = aq+1−i, gz ¼ ðgaq ; � � � ; gaÞT
and implicitly has that A = B�Z + δ where δ2RZn
p . Define
H = (h1, h2,. . .,hn)T = gB�Z�gδ, for k 2 [1, m], we have that MTXk�B 2 ðZpÞ
ðn� 1Þ�q¼ 0, so it
doesn’t have zk = aq+1−k.
(3) It sets ω�0 = ω� − {θ}, randomly chooses two polynomials f0(x) and f1(x) of degree m and
computes two polynomials as follows:
u0ðxÞ ¼ xm� jo�jY
i2o�
ðx � iÞ
u1ðxÞ ¼ xm� jo�� fygjY
i2o�� fyg
ðx � iÞ
For i 2 [0, m], let c0,i and c1,i be the ith term of f0(x) and f1(x), d0,i and d1,i be the ith term of
u0(x) and u1(x). B defines T0ðxÞ ¼ ga�u0ðxÞþf0ðxÞ and T1ðxÞ ¼ ga�u1ðxÞþf1ðxÞ,at the same time, B sim-
ulates {t0,i, t1,i}i = 1,. . .,m where
t0;i ¼ ðgaÞ
d0;i gc0;i ; t1;i ¼ ðgaÞ
d1;i gc1;i
Finally, B gives the public parameters
pp ¼< g; eðg; gÞa;H ¼ ðh1; h2; . . . ; hnÞT; gb; d;K0ðxÞ;K1ðxÞ >
to A.
Phase 1. Let M be a p×l matrix, ω�0 doesn’t satisfy the access structure (M, ρ). If ID 2 Rθ,
there is ω�0 = ω� − {θ}; otherwise, ω�0 = ω�. The simulator B generates the secret key sk as
follows.
(1) When ID =2 Rθ (in this case, we have ω�0 = ω�), and ω�0doesn’t satisfy the access structure,
B first defines p ¼ ðp1; � � � ; plÞT2 Zn�
p where π1 = 1 We have Mi�π = 0 for each i when ρ(i) 2 ω�.Then the simulator B defines two vectors η0 = (r, η0,2,. . .,η0,l)
T and η1 = (0, η1,2,. . .,η1,l)T, and
defines that u0 = α1 η0 + απ and u1 = η1 + απ, we can compute the first term of u0 and u1 are
α + rα1 and α.
i. When ρ(i) 2 ω�, B computes that
gli;0 ¼ gMi �m0 ¼ ðga1ÞMi �Z0 ; gli;1 ¼ gMi �Z1
and randomly chooses ri,0, ri,1 2 Zp and computes that
DðiÞ1;0 ¼ gli;0T0ðrðiÞÞri;0 ;DðiÞ2;0 ¼ gri;0
DðiÞ1;1 ¼ gli;1T1ðrðiÞÞri;1 ;DðiÞ2;1 ¼ gri;1
ii. When ρ(i) =2 ω�, B computes that
gli;0 ¼ gMi�u0 ¼ ga1 �Mi�Z0þa�Mi �p; gli;1 ¼ gMi �u1 ¼ gMi �Z1þa�Mi�p
and randomly chooses r; fr0i;0gi2½l�; fr0i;1gi2½l� 2 Zp, and sets ri;0 ¼ r0i;0 �
aqm0ðrðiÞÞ
ðMi � pÞ and
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 13 / 20
ri;1 ¼ r0i;1 �aq
m1ðrðiÞÞðMi � pÞ, then
DðiÞ1;0 ¼ gli;0T0ðrðiÞÞri;0
¼ ga1 �Mi �Z0þa�Mi�pT0ðrðiÞÞr0i;0g
�
aq � f0ðrðiÞÞ � ðMi � pÞ
u0ðrðiÞÞ
DðiÞ2;0 ¼ gri;0 ¼ gr0i;0 �aq
m0ðrðiÞÞðMi �pÞ
DðiÞ1;1 ¼ gli;1T1ðrðiÞÞri;1
¼ gMi �Z1þa�Mi �pT1ðrðiÞÞr0i;1g
�
aq � f1ðrðiÞÞ � ðMi � pÞ
u1ðrðiÞÞ
DðiÞ2;1 ¼ gri;1 ¼ gri;1 � aqm1ðrðiÞÞ
ðMi �pÞ
Then B computes that D3 = gr, KX ¼ fKi ¼ ðh�
xix1
1 � hiÞrgi2½2;...;n�.
(2) When ID 2 R�y
and sets fID ¼ IDkgk2½1;m�. The simulator B randomly chooses r 0 2 Zp
and sets r = r 0 − ak. Defines A = B � Z+δ, the first term of A is a1 ¼ d1 þXm
j¼1
aqþ1� j, and com-
putes that
gaþra1 ¼ ga0þaqþ1
� ðgd1þ
Xm
j¼1
aqþ1� j
Þr0 � ak
¼ ga0 � d1ak � ga1r0 � g�
� Xm
j¼1;j6¼k
aqþ1� jþk�
randomly chooses fZigi2½2;l� 2 Zp and defines η = (α + rα1, η2, . . ., ηl)T, and for i 2 [1, p], sets
Mi = (xi,1, xi,2, . . ., xi,l), then computes
gli;0 ¼ gMi�η ¼ ðgaþra1Þxi;1g
Xl
j¼2
Zj � xi;j
randomly chooses ri,0 2 Zp, then
DðiÞ1;0 ¼ gli;0T0ðrðiÞÞri;0 ;DðiÞ2;0 ¼ gri;0
As ω�0 does not satisfy the access structure, the simulation of DðiÞ1;1 and DðiÞ2;1 are the same as the
previous case. For {Ki}i2[2,n], the simulator B can computes KX ¼ ðK2; . . . ;KnÞ ¼ gr�MTX
A by
MTXA ¼ MT
X�B � ZþMT
X� δ.
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 14 / 20
Challenge. The adversary A submits two messages m0 and m1, B randomly chooses mb
where b 2{0,1} to encrypt. Then computes
C ¼ mb � Z � eðgs; ga0 Þ;C1 ¼ gs
C2;0 ¼ fCðxÞ2;0jC
ðxÞ2;0 ¼ T0ðxÞ
s¼ ðgsÞf0ðxÞ; x 2 o�g
C2;1 ¼ fCðxÞ2;1jC
ðxÞ2;1 ¼ T1ðxÞ
s¼ ðgsÞ
f1ðxÞ; x 2 o� � fygg
Then the simulator B defines Y = (y1, � � �, yn)T according to the revocation list R�y
and
<Xk, Y > = 0 for k 2[1,m]. And we have that Y ¼ MXk� γ1 where γ1 = (y2, � � �, yn)T, then
< Y;B � Z >¼ YTB � Z ¼Xm
k¼1
zk �YT�bk ¼ 0
and computes
C3 ¼ ðhy11 . . . hyn
n Þs¼ ðgsÞ<Y;A>
¼ ðgsÞ<Y;δ>
Then B sends the challenge ciphertext ct� = (C, C1, C2,0, C2,1, C3) to the adversary A. If
μ = 0, then Z = e(g1, gq)s, the challenge ciphertext ct� is a valid random encryption of message
mb. If μ = 1, then Z is a random element of G2, and ct�is also random from the adversary’s
view, and ct� contains no information of mb.
Phase2. Same as Phase1.
Guess. The adversary A outputs the guess b0 of b. B outputs μ = 0 to guess that Z = e(g1, gq)s
if b0 = b; otherwise, B outputs μ = 1, and it indicates that Z is a random element in G2. And the
advantage of simulator B to solve the q-BDHE problem is
1
2Pr½m0 ¼ mjm ¼ 0� þ
1
2Pr½m0 ¼ mjm ¼ 1� �
1
2
¼1
2ð1
2þ εÞ þ
1
2�1
2�
1
2
¼ε2
IND-CKA security proof
Theorem 2. Suppose there exists a polynomial-time adversary A, which can attack our scheme
with advantage ε in the IND-CKA model. We can construct a simulator B that can solve the
DDH problem in G1 with probability at lest ε4eðMþTN1þ
12Þ, where e is constant, and we assume the
adversary A makes M index queries and T search token queries(it contains N1 keywords) in
each phase[10].
Proof: B is given an instance g, ga, gb, gc of the DDH problem in G1. In the following parts,
we construct the cipher text by setting δ = b. The simulation proceeds as follows:
Init. The adversary A selects a attribute set ω� and a user revocation list R�y
of θ 2 ω�.B is
given an instance g, ga, gb, gc of the DDH problem in G1. Then B runs the algorithm to generate
the public parameter pp and sends it to adversary A.
Phase1. B maintains a hash list L = {wj, αj, lj} and randomly chooses αj 2 Zp for keywords
wj with biased coin flip lj. The list is empty when begins and simulates the hash function as a
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 15 / 20
random oracle. And if the random oracle is queried for a hash of w,B searches the hush list L if
the w exists in the list.
1. If lj = 0,the B gives that gaj ;
2. If lj = 1,the algorithm aborts;
3. If the keyword w does not exist in the list, the B flips a random coin l 2 {0,1} so that Pr
[coin0 = 0] = σ and σ will be calculated later.
a. If l = 0, the B randomly chooses α 2 Zp,and adds< w, α, 0> to the hush list;
b. If l = 1, the B adds < w,?, 1> to the hush list.
c. The B repeat the above process.
Keywords index query. If the adversary A asks the keyword wj of index information, Bsearches the hush list L. If lj = 1, B aborts; and if lj = 0, B randomly chooses t 2 Zp, let HðwjÞ ¼
gaj and generates that
I0 ¼ gt
I1;j ¼ gbHðwjÞd¼ gbðgbÞaj
I2;0 ¼ fIðxÞ2;0 ¼ Kt
0ðxÞgx2o�
; I2;1 ¼ fIðxÞ2;1 ¼ Kt
1ðxÞgx2o�� y
Search token query. If the adversary A asks the keyword wjqof searching token with the
access structure (M, ρ), Let M be a p×l matrix, ω�0doesn’t satisfy the access structure (M, ρ). If
ID 2 R�y, there is ω�0 = ω� − {θ}; otherwise, ω�0 = ω�.B searches the hush list L. If ljq ¼ 1,B
aborts; and if ljq ¼ 0,let HðwjqÞ ¼ gaj . For i = 1 to l, randomly choose ξi 2 Zp and B generates
that
t�1¼ ft1;i;jq
¼ gliHðwjqÞ
dgi2½1;l�;q2½1;N1 �;jq2½1;N�
t2;0 ¼ ftrðiÞ2;0 ¼ Kxi
0 ðrðiÞÞgi2½1;l�
t2;1 ¼ ftrðiÞ2;1 ¼ Kxi
1 ðrðiÞÞgi2½1;l�
Challenge. The adversary A outputs two keywords w�0
and w�1,B randomly chooses b 2 {0,1}
and searches the hush list L that< w�b; a; l >. If l = 0,B aborts; if l = 1, let Hðw�bÞ ¼ ga and com-
putes
I0 ¼ gt; I1 ¼ gbgc
I2;0 ¼ fIðxÞ2;0 ¼ Kt
0ðxÞgx2o� ; I2;1 ¼ fI
ðxÞ2;1 ¼ Kt
1ðxÞgx2o�� y
Phase2. Same as Phase1.
Guess. The adversary A outputs the guess b0 of b, B outputs gc = gab if b0 = b; otherwise gc is
a random group element in G1.
Correctness Analyses. In the above simulation scheme, if the adversary A has the advan-
tage of attack our scheme, and then it will be given the keyword wj of hush value is H(wj) = ga
rather than the random value H(wj) = gaj. Then it can compute that I1 = gβH(w)δ = gβ(gb)a, that
is I1 = gβgc = gβgab, and B computes that gc = gab which means it solves the DDH problem.
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 16 / 20
Probability Analyses. Suppose that the adversary A makes M index queries and T search
token queries in each phase, and the probability that B will not be terminated in two query
phases 1 and 2 is s2ðMþTN1Þ, so the probability that it will not terminated during the challenge
step is 1 − σ, so that results in an overall probability that B does not abort is s2ðMþTN1Þ � ð1 � sÞ.
And, through the computes that the maximum is s ¼ 1 � 1
2ðMþTN1Þþ1, so the maximum proba-
bility is 1
2eðMþTN1þ12Þ. Thus, if our scheme can be attacked by the adversary A with the advantage
ε, and the B can resolve the DDH problem with advantage ε4eðMþTN1þ
12Þ.
Performance analyses
In this section, we give some performance analysis in our scheme. The hardware runtime envi-
ronment is Intel Core i5-3470 CPU @ 3.20GHz, and RAM is 4.00GB. The software runtime
environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse10.
Our scheme is compared with the schemes of [21, 24, 26, 27, 28] in Table 1.
Our scheme is also compared with the schemes of [26, 27, 28] in Table 2.
We can see from Table 2, our scheme has a large amount of computation in the KenGen
and Encryption generation, because our scheme doesn’t need to update the cipher-text and
secret key when attributes revocation. However, the schemes of [26], [27] and [28] don’t
achieve the function of attribute revocation.
As is shown in the Fig 2, we suppose that there are 16 attributes in the policy and provide
the relational graphs of keywords index building time as is shown in Fig 2(a) and search token
building time as is shown in Fig 2(b). From the Fig 2(a) and 2(b), we can see that the time cost
is nearly linear with the index building and token building. In the Fig 2(c), we give the rela-
tional graph of the number of attributes in the policy and time cost. As is shown in the Fig 2(c),
Table 1. Performance analyses.
Scheme Fine-grained Attribute revocation Keyword search Do not update cipher-text when attribute revocation
[26] × × × ×[21] × ×
p×
[24]p p
×p
[27] × × × _
[28] × × × _
Our schemep p p p
https://doi.org/10.1371/journal.pone.0183459.t001
Table 2. Calculation analyses.
Scheme KeyGen Encryption Pairings in Decryption
[26] (2 + 2l)ex (3 + | S |)ex 2 + 2| I |
[27] 3lex (2 + | S |)ex 1 + 3| I |
[28] 2lex (6 + | S |)ex 1 + 2| I |
Our scheme (2 + 4l)ex (3 + 2 | S |)ex 1 + 2| I |
| S |: The size of the attributes set of a decryption key.
l: The number of rows of the matrix in access policy(M,ρ).
ex: An exponentiation operation.
| I |: The number of attributes for a decryption key to satisfy a cipher-text policy.
https://doi.org/10.1371/journal.pone.0183459.t002
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 17 / 20
Fig 2. (a) Index building time (b) Token building time (c) The number of attributes in policy and index
building time
https://doi.org/10.1371/journal.pone.0183459.g002
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 18 / 20
we can find that the effect of the increase of the attributes on the time is not particularly evi-
dent in our scheme which takes less time than Zhiquan’s[29].
Conclusions
In our scheme, we add the keyword search based on the attribute revocation, the search tokens
generated by the attribute authority and the user. The cloud server match is divided into two
cases: the user is in the revocation list and not in the revocation list, and the cloud server uses
the different test according to the different case. It will return the cipher text when the attribute
set meets the access structure and the search keywords exist, and the user can decrypt cor-
rectly. This scheme supports multiple keywords search at the same time which makes more
flexible in the practical application.
Supporting information
S1 Appendix.
(RAR)
Acknowledgments
This work is supported by the National Natural Science Foundation of China under grants
61572019, 61173192, the Key Project of Research Foundation of Natural Science Foundation
of Shaanxi Province of China under Grant No. 2016JZ001. Thanks also go to the anonymous
reviewers for their useful comments.
Author Contributions
Writing – original draft: Shangping Wang, Duqiao Zhao.
Writing – review & editing: Yaling Zhang.
References1. Sahai Amit, and Waters B.. Fuzzy Identity-Based Encryption. Advances in Cryptology–EUROCRYPT
2005. Springer Berlin Heidelberg, 2005:457–473.
2. Pirretti M, Traynor P, Mcdaniel P, et al. Secure attribute-based systems. IOS Press, 2006:99–112.
3. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. ACM Conference
on Computer and Communications Security. ACM, 2008:417–426.
4. Hinek MJ, Jiang S, Safavi-Naini R, Shahandashti SF. Attribute-based encryption with key cloning pro-
tection. Bulletin of the Korean Mathematical Society. 2008; 2008(4):803–19.
5. Li J, Ren K, Kim K. A2BE: Accountable Attribute-Based Encryption for Abuse Free Access Control. Iacr
Cryptology Eprint Archive. 2009; 2009.
6. Attrapadung N, Imai H. Conjunctive Broadcast and Attribute-Based Encryption. Pairing-Based Cryptog-
raphy—Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12–14, 2009, Pro-
ceedings. DBLP, 2009:248–265.
7. Touati L, Challal Y. Batch-based CP-ABE with attribute revocation mechanism for the Internet of
Things. International Conference on Computing, NETWORKING and Communications. IEEE,
2015:1044–1049.
8. Wang PP, Feng DG, Zhang LW. CP-ABE Scheme Supporting Fully Fine-Grained Attribute Revocation.
Journal of Software. 2012; 23(10):2805–2816.
9. Boneh D, Crescenzo G D, Ostrovsky R, et al. Public Key Encryption with Keyword Search. Advances in
Cryptology—EUROCRYPT 2004. Springer Berlin Heidelberg, 2004:506–522.
10. Kerschbaum F. Secure conjunctive keyword searches for unstructured text. International Conference
on Network and System Security, Nss 2011, Milan, Italy, September. DBLP, 2011:285–289.
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 19 / 20
11. Cao N, Wang C, Li M, Ren K, Lou W. Privacy-Preserving Multi-Keyword Ranked Search over Encrypted
Cloud Data. IEEE Transactions on Parallel & Distributed Systems. 2014; 25(1):222–233. https://doi.
org/10.1016/j.jbiomech.2005.09.015
12. Chuah M, Hu W. Privacy-Aware BedTree Based Solution for Fuzzy Multi-keyword Search over
Encrypted Data. International Conference on Distributed Computing Systems Workshops. IEEE Com-
puter Society, 2011:273–281.
13. Han F, Qin J, Zhao H, Hu J. A general transformation from KP-ABE to searchable encryption. Future
Generation Computer Systems. 2014; 30(1):107–115.
14. Chung KM, Kalai Y, Vadhan S. Improved Delegation of Computation Using Fully Homomorphic Encryp-
tion: Springer Berlin Heidelberg; 2010. 483–501 p.
15. Gentry C. Fully Homomorphic Encryption Using Ideal Lattices. Proceedings of the Annual Acm Sympo-
sium on Theory of Computing. 2009; 9(4):169–78.
16. Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure
Cloud Storage. IEEE Transactions on Information Forensics and Security. 2015; 10(9):1981–92.
https://doi.org/10.1109/TIFS.2015.2442215
17. Li H, Yang Y, Luan TH, Liang X, Zhou L, Shen XS. Enabling Fine-Grained Multi-Keyword Search Sup-
porting Classified Sub-Dictionaries over Encrypted Cloud Data. IEEE Transactions on Dependable and
Secure Computing. 2016; 13(3):312–25. https://doi.org/10.1109/TDSC.2015.2406704
18. Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure
Cloud Storage. IEEE Transactions on Information Forensics & Security. 2015; 10 (9):1981–1992.
19. Li J, Shi Y, Zhang Y. Searchable ciphertext-policy attribute-based encryption with revocation in cloud
storage. International Journal of Communication Systems. 2017, 30 (1).
20. Sun W, Yu S, Lou W, Hou YT, Li H. Protecting Your Right: Verifiable Attribute-Based Keyword Search
with Fine-Grained Owner-Enforced Search Authorization in the Cloud. IEEE Transactions on Parallel
and Distributed Systems. 2016; 27(4):1187–98. https://doi.org/10.1109/TPDS.2014.2355202
21. Yang Y, Ma M. Conjunctive Keyword Search with Designated Tester and Timing Enabled Proxy Re-
Encryption Function for E-Health Clouds. IEEE Transactions on Information Forensics and Security.
2016; 11 (4):746–759. https://doi.org/10.1109/TIFS.2015.2509912
22. Jiang X, Yu J, Yan J, Hao R. Enabling efficient and verifiable multi-keyword ranked search over
encrypted cloud data. Information Sciences. 2017; s 403–404:22–41.
23. Poon HT, Miri A, editors. A Combined Solution for Conjunctive Keyword Search, Phrase Search and
Auditing for Encrypted Cloud Storage. Ubiquitous Intelligence & Computing, Advanced and Trusted
Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of Peo-
ple, and Smart World Congress; 2017.
24. Li Q, Feng D, Zhang L. An attribute based encryption scheme with fine-grained attribute revocation.
Global Communications Conference (GLOBECOM), 2012 IEEE. 2012:885–890.
25. Shi Y, Zheng Q, Liu J, Han Z. Directly revocable key-policy attribute-based encryption with verifiable
ciphertext delegation. Information Sciences. 2015; 295:221–231.
26. Zhang M, Du W, Yang X, Han Y. A fully secure KP-ABE scheme in the standard model. Journal of Com-
puter Research & Development. 2015.
27. Li Z, Chen X. Attribute-based encryption with fast decryption on prime order groups. Computer applica-
tion. 2016; 36 (3):637–641.
28. Ma S, Lai J, Deng RH, Ding X. Adaptable key-policy attribute-based encryption with time interval. Soft
Computing. 2016:1–10.
29. Lv Z, Zhang M, Feng D. Multi-user Searchable Encryption with Efficient Access Control for Cloud Stor-
age. IEEE International Conference on Cloud Computing Technology and Science. IEEE, 2015:366–
373.
Searchable attribute-based encryption scheme with attribute revocation in cloud storage
PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 20 / 20