Searchable attribute-based encryption scheme with ... · bute-based encryption scheme with attribute revocation in cloud storage, the keyword search in our scheme is attribute based

RESEARCH ARTICLE

Searchable attribute-based encryption

scheme with attribute revocation in cloud

storage

Shangping Wang1, Duqiao Zhao1*, Yaling Zhang2

1 School of Science, Xi’an University of Technology, Xi’an, Shaanxi, China, 2 School of Computer Science,

Xi’an University of Technology, Xi’an, Shaanxi, China

* [email protected]

Abstract

Attribute based encryption (ABE) is a good way to achieve flexible and secure access con-

trol to data, and attribute revocation is the extension of the attribute-based encryption, and

the keyword search is an indispensable part for cloud storage. The combination of both has

an important application in the cloud storage. In this paper, we construct a searchable attri-

bute-based encryption scheme with attribute revocation in cloud storage, the keyword

search in our scheme is attribute based with access control, when the search succeeds,

the cloud server returns the corresponding cipher text to user and the user can decrypt

the cipher text definitely. Besides, our scheme supports multiple keywords search, which

makes the scheme more practical. Under the assumption of decisional bilinear Diffie-Hell-

man exponent (q-BDHE) and decisional Diffie-Hellman (DDH) in the selective security

model, we prove that our scheme is secure.

Introduction

In 2005, Waters et al.[1] came up with the concept of ABE(Attribute-Based Encryption) which

was much more flexible than traditional public-key encryption. With the development and

deepening of ABE, the attribute revocation of ABE is concerned by more and more people.

The efficient attributes revocation scheme is an integral part of ABE scheme, which is one of

the difficulties for the application of ABE, and the study of ABE is inseparable from the attri-

bute revocation scheme research.

P. Traynor et al.[2] put forward a scheme which achieved the update of secret key in 2006.

However, it needed that the user must kept close contact with attribute authority to get the

secret key. Thereafter, Kumar et al.[3] presented a scheme with revocation of ABE, and it

expanded from the IBE which they proposed before. All of these articles demand that users

need to access the attribute authority for key reissuing at regular intervals.

In 2008, Jiang et al.[4] gave a scheme that solved the key misused problem of users. How-

ever, in this scheme, the third party should be included in each decryption key of users, and

made it was unrealistic. After that, Kim et al.[5] inserted the users’ information in the secret

PLOS ONE | https://doi.org/10.1371/journal.pone.0183459 August 31, 2017 1 / 20

a1111111111

a1111111111

a1111111111

a1111111111

a1111111111

OPENACCESS

Citation: Wang S, Zhao D, Zhang Y (2017)

Searchable attribute-based encryption scheme with

attribute revocation in cloud storage. PLoS ONE 12

(8): e0183459. https://doi.org/10.1371/journal.

pone.0183459

Editor: Yeng-Tseng Wang, Kaohsiung Medical

University, TAIWAN

Received: October 19, 2016

Accepted: August 6, 2017

Published: August 31, 2017

Copyright: © 2017 Wang et al. This is an open

access article distributed under the terms of the

Creative Commons Attribution License, which

permits unrestricted use, distribution, and

reproduction in any medium, provided the original

author and source are credited.

Data Availability Statement: All relevant data are

within the paper and its Supporting Information

files.

Funding: This work is supported by the National

Natural Science Foundation of China under grants

61572019, 61173192, and the Key Project of

Research Foundation of Natural Science

Foundation of Shaanxi Province of China under

Grant No. 2016JZ001.

Competing interests: The authors have declared

that no competing interests exist.

https://doi.org/10.1371/journal.pone.0183459

http://crossmark.crossref.org/dialog/?doi=10.1371/journal.pone.0183459&domain=pdf&date_stamp=2017-08-31








http://creativecommons.org/licenses/by/4.0/

key of attribute by using the black box model and sent it to the user, which was more efficient

to guarantee the security of the system.

Attrapadung et al.[6] put forward the two revocation models, they are direct revocation

model and indirect revocation model. The direct revocation model is specified the revocation

list by sender, and the indirect revocation model updates the secret key periodically by the key

center. In [7] [8], the authors gave some ABE instances. However, in the above schemes, they

do not relate to the keyword search issue, which makes users can not effectively search for

files.

To overcome this problem, Boneth et al. [9] proposed a single keyword search scheme,

namely the user can only search a single keyword. In this scheme, the data owner extracted the

keywords from the file before encrypted, and used the public key to encrypt the keywords.

After that, the data owner sent the file and the index of the keywords to the cloud server. The

user could generate the search token about the keywords which he wanted to search and sent it

to the cloud server. The cloud server used the matching algorithm to find out the cipher text

and returned it if the match was successful.

Searchable encryption has many practical applications. In 2011, Kerschbaum et al.[10] pro-

posed a secure conjunctive keyword searches for unstructured text scheme, and the scheme

was proved secure in the random oracle model. At the same year, Cao et al.[11] and Chuanh

et al.[12] gave schemes that the multi-keyword search over encrypted data.

In 2014, Han et al. [13] proposed an attribute based encryption (ABE) searchable scheme,

in which used the homomorphic encryption technology. Sahai et al. [14] gave a outsourcing

technique based on the scheme of Gentry et al.[15]. After that, Liang K et al. [16] proposed a

searchable ABE mechanism with efficient and secure in cloud storage. This model can be

applied to real life, such as the safety of electric power system. And the scheme is secure in the

random oracle model. Later, Li et al. [17] proposed a searchable ABE scheme with attribute

revocation in cloud storage.

Willy Susilo et al.[18] proposed a searchable scheme, and it supported multiple keywords

search. At the same time, Li J et al.[19] made a searchable CP-ABE with revocation. In this

scheme, the receivers could not steal any information from the cipher because of the access

structures were partially hidden, which made the scheme more secure.

In 2016, Wen et al. [20] proposed a verifiable attribute-based keyword search scheme with

fine-grained owner-enforced search authorization in the cloud. This scheme supports user rev-

ocation. Besides, it allows data owners encrypt the data and outsource to the cloud server. In

the same year, Yang et al. [21] proposed a conjunctive keyword search scheme with designated

tester. User can search within a specified time if he is authorized, and it is proved secure in the

standard model. In 2017, Jiang et al. [22] proposed a keyword search scheme with efficiency

and verification in cloud data, and it allows multi-keyword search. Finally, they gave the secu-

rity analysis in the scheme. Later, Poon et al.[23] constructed a conjunctive keyword search

scheme. This scheme allows phrase search, and has smaller storage cost.

Our contribution

In 2012, Qiang Li et al.[24] put forward a scheme with fine-grained attribute revocation. How-

ever, the scheme only achieves the attribute revocation, the keyword search is not involved,

this problem may lead to the problem that system users cannot effectively download cipher

text which they interested from the cloud server.

In this paper, we propose a keyword search attribute based encryption scheme with attri-

bute revocation. The new scheme supports not only the attribute revocation but also keyword

search. When a user wants to search the file which he interests, he sends the search token to

Searchable attribute-based encryption scheme with attribute revocation in cloud storage



the cloud server, and the cloud server runs the test algorithm. If the test is successful, it returns

the file. In this way, the user can download the file which he interests and save the storage

space at the same time. Finally, under the assumption of q-BDHE and DDH in the selective

security model, we prove that our scheme is secure.

Preliminaries

A linear secret sharing scheme can be used to represent an access control policy (M, ρ), which

M is an l×k matrix, and S = {att1, . . ., attn} be an attribute set, and for i 2 [1,l], ρ(i)! S is a

mapping function, and ρ(i) maps a row into the attribute.

Linear Secret-Sharing Scheme (LSSS) [25]

A linear secret sharing scheme includes two algorithms:

Share: In this step, it is dispersing the secret value s to attributes specified by ρ as follows: by

selecting v2; . . . ; vk!R Zp,setting ~V ¼ ðs; v2; . . . ; vkÞ and computing li ¼ Mi �

~V where Mi is the

ith row of M,it assigns secrets share λi to the attribute ρ(i).Combine: In this step, it is used to collect the secret value from secret shares which related

to the attributes as follows: selecting subset I = {i: ρ(i) 2 S} the attribute set {ρ(i) | i 2 I} satis-

fies access control strategy (M, ρ), and computing coefficients ki, i 2 I such that ∑i2I kiMi =

(1,0,. . ., 0), then we will obtain that ∑i2I kiλi = s.

Decisional q-BDHE assumption [24]

The definition of the decisional q-BDHE exponent assumption in our article as follows:

Choose a group G1 of prime order p, let g be a generator of G1, and define e: G1 × G1! G2,

the adversary is given a vector

ðg; gs; ga; ga2

; . . . ; gaq ; gaqþ2

; . . . ; ga2qÞ 2 G2qþ1

1

We say that the Decision q-BDHE assumption holds in G1 if no polynomial-time algorithm

has a non-negligible advantage to distinguish eðg; gÞsaqþ1

and a random element in G2.

Zero Inner-product [24]

The ID represents the identity of user which associated with user’s private key. Define a

vector X = (x1,. . .,xn)T such that xi = IDi-1, i 2 [1, n]. To encrypt with a revoked user set

R = {ID1,� � �, IDq}, one defines as Y = (y1,. . ., yn)T, the coefficient vector of PR[Z] from

PR½Z� ¼Xqþ1

i¼1

yiZi� 1 ¼

Y

IDj2R

ðZ � IDjÞ

where, if q + 1 < n, the coordinates yq+2,� � �,yn are set to 0. By doing so, we note that

PR[ID] = <X, Y> = 0 iff ID 2 R.

For example, if the user ID1 in the revoked user set R = {ID1, ID3}, we have that

PR½ID1� ¼< X;Y >¼Y

IDj2R

ðID1 � IDjÞ ¼ 0.

Decisional DDH assumption [10]

Let G1 is a group which prime order is p, let g be a generator of G1, and give a tuple (g, ga, gb)

where a; b2RZp, we say that the decisional DDH assumption holds if no polynomial time




algorithm has a non-negligible advantage to distinguish that Z equals gab or to a random ele-

ment of G1.

Algorithm model and security model

Algorithm model. Denote U = {ID1,� � �, IDQ} to be the universe of all the users, we con-

sider a scheme that searchable attribute-based encryption scheme with attribute revocation in

cloud storage, as described in Fig 1. There are seven algorithms in our scheme:

Setup (λ)!msk, pp: This algorithm is executed by attribute authority. It inputs a security

parameter λ and outputs the master secret key msk and public parameter pp.

KeyGen (ID, (M, ρ), pp, msk)! sk, τ:This algorithm is executed by attribute authority. It

inputs a user’s identity ID 2 U, an access structure (M, ρ), public parameter pp, the msk and

outputs the secret key sk and the part of search token τ.

Encryption (pp, ω, Rθ, m)! ct: This algorithm is executed by data owner. It inputs public

parameter pp, the attribute set ω, a revocation list Rθ� U which attribute θ 2 ω,a message mand outputs a cipher text ct.

Index (pp, ω, Rθ, W)! Ind: This algorithm is executed by data owner. It inputs public

parameter pp, the attribute set ω,a revocation list Rθ� U which attribute θ 2 ω,the keywords

set from the uploaded files W and outputs keywords index Ind.

Fig 1. System model of our scheme

https://doi.org/10.1371/journal.pone.0183459.g001





Trapdoor (pp, W0, τ)!τ�:This algorithm is executed by user. It inputs the public parame-

ter pp and the keywords set W0, and outputs the new token τ�.Test (τ�, Ind)! 1 or 0:This algorithm is executed by cloud storage server. It inputs the

search token τ�and keywords index Ind and outputs 1 or 0.

Decryption (pp, ID, sk, Rθ, ct)!m: This algorithm is executed by user. It inputs public

parameter pp, the user secret key sk of user ID 2 U, a revocation list Rθ� U of attribute θ 2 ω,

a cipher text ct. And the user ID has the attribute set ω0 as: if ID 2 Rθ, let ω0 = ω − {θ};otherwise,

ω0 = ω. It computes the message m if and only if the attribute set ω0 satisfies the access struc-

ture. And the user can decrypt the file with m.

Finally, the system model of our scheme is shown in Fig 1.

Security model

(1) Selective security model of attribute revocation.

Init. The adversary A chooses the attribute set ω� and a revocation list R�yðy 2 o�Þ.

Setup. The simulator operates this algorithm to get the public parameter pp and sends it to

the adversary.

Phase 1. The adversary queries the simulator for user private key sk which corresponds to

the access structure (M, ρ), such that ω�0will not meet the access structure (M, ρ).Challenge. The simulator receives two messages m0 and m1 from adversary, and chooses a

random bit b 2 {0, 1} to encrypt mb, and computes challenge cipher text ct� with the attribute

set ω� and the attribute revocation list R�y.

Phase 2. Same as Phase 1.

Guess. The adversary gives a guess b0 of b, and the advantage of the adversary in this game

is defined as jPr½b0 ¼ b� � 1

2j.

Definition1. The game model of this paper is to be safe if there no polynomial time adver-

saries have a non-negligible advantage in the above game.

(2) Indistinguishability against chosen keyword attack (IND-CKA) model.

Init. The adversary A selects a attribute set ω� and a user revocation list R�y

of θ 2 ω�. Then Bruns the algorithm to generate the public parameter pp and sends it to adversary A.

Phase 1. The adversary queries the challenger as follows:

1. The index of keywords {w1, w2,. . ., wN}.

2. The search token of fwj1 ;wj2 ; . . . ;wjN1g, and 1 � j1; . . . ; jN1

� N .

Challenge. The challenger receives two different keywords w�0

and w�1

from the adversary.

We require that the keywords w�0

and w�1

satisfies that 8j;wj 6¼ w�0^ wj 6¼ w�

1.

The challenger chooses a random keyword w�b, b 2 {0,1}, and give the index of keywords w�bto adversary.

Phase 2. Same as Phase 1.

Guess. The adversary gives a guess b0 of b, and the advantage of any adversary in this game

is defined as jPr½b0 ¼ b� � 1

2j.

Definition 2. We say a searchable encryption article with multiple keywords is secure based

on the game IND-CKA, if the advantage of the adversary is negligible in the above game.

Implement of the algorithm

Our construction is based on the Qiang Li et al.[24], and we combine the keyword search with

attribute revocation in our new scheme. User constructs the search token when he wants to

search files. If the search is successful and the set of attribute satisfies the access structure, it




outputs 1 in the algorithm of Test, then cloud server returns the cipher text. Our scheme adds

access control in search, the user can download the files which he interests and can decrypt in

this way, and save the space. We construct our scheme as follows:

Setup (λ)!msk, pp: Give that the G1 and G2 are two groups of prime order p, the binary

size of p is λ,let g be a generator of G1. Define that e: G1× G1!G2. In this paper, we suppose

the maximum number of attribute is m when encryption, and n represents the maximum

number of revoked user set in the revocation list. Then randomly choose α, β, δ 2 Zp,

A ¼ ða1; a2; . . . ; anÞT2 Zn

p , set H ¼ ðh1; h2; . . . ; hnÞT¼ ðga1 ; ga2 ; . . . ; ganÞ

Tand randomly

choose {k0,i, k1,i 2 G1|i = 1,. . .,m},let K0ðxÞ ¼Ym

i¼1kðx

iÞ0;i ;K1ðxÞ ¼

Ym

i¼1kðx

iÞ1;i . Then

randomly choose that {t0,i, t1,i 2 G1|i = 1,. . .,m},and then define two functions Tf(x): Zp!

G1,Tf ðxÞ ¼Ym

i¼1tðx

iÞf ;i where f = {0, 1}. Let hash H be H:{0, 1}� ! G1, then the master key msk

and public parameter pp are:

msk ¼< a; a1; b; fk0;i; k1;i; t0;i; t1;igi¼1;...;m >

pp ¼< g; eðg; gÞa;H ¼ ðh1; h2; . . . ; hnÞT; gb; d;H;K0ðxÞ;K1ðxÞ >

KeyGen (ID, (M, ρ), pp, msk)! sk, τ : Let M be an l × k matrix corresponding to access pol-

icy (M, ρ). Define a vector X = (x1,. . .,xn)T such that xi = IDi−1, i 2 [1, n]. Randomly choose r,{zi,0, zi,1}i2[2,. . .k] 2 Zp, define a vector v0 = (α + rα1, z2,0,. . ., zk,0)T, v1 = (α, z2,1,. . ., zk,1)T. For

i = 1 to l, and compute that λi,0 = Mi�v0 and λi,1 = Mi�v1. Randomly choose {ri,0, ri,1}i2[1,. . .l] 2 Zp,

and set the private key as

sk ¼< D1;0;D1;1;D2;0;D2;1;D3;KX >

where

D1;0 ¼ fDðiÞ1;0 ¼ gli;0T0ðrðiÞÞ

ri;0gi2½1;...;l�

D2;0 ¼ fDðiÞ2;0 ¼ gri;0gi2½1;...;l�

D1;1 ¼ fDðiÞ1;1 ¼ gli;1T1ðrðiÞÞ

ri;1gi2½1;...;l�

D2;1 ¼ fDðiÞ2;1 ¼ gri;1gi2½1;...;l�

D3 ¼ gr;KX ¼ fKi ¼ ðh�

xix1

1 � hiÞrgi2½2;...;n�

Then calculate that KX ¼ ðK2; . . . ;KnÞ ¼ gr�MTX

A, where MX 2 (Zp)n×(n−1) is defined by

MX ¼�x2

x1

�x3

x1

� � � �xnx1

In� 1

0

@

1

A.

Randomly choose fv2; . . . ; vkg 2 Zk� 1p and set v ¼ ðb; v2; . . . ; vkÞ

T2 Zk

p . For i = 1 to l, com-

pute λi = Mi�v. Randomly choose ξi 2 Zp, then denote that

t ¼< t1; t2;0; t2;1 >




where

t1 ¼ ft1;i ¼ gligi¼1;...l

t2;0 ¼ ftrðiÞ2;0 ¼ Kxi

0 ðrðiÞÞgi¼1;...l


1 ðrðiÞÞgi¼1;...l

then send sk and τ to the user.

Encryption (pp, ω, Rθ, m)! ct: Suppose that a message m is encrypted with a set of attri-

bute ω and a revocation list Rθ� U which attribute θ 2 ω. Define a vector Y = (y1,. . ., yn)T as

the coefficient vector of PRy½Z�, and randomly choose s 2 Zp then output

ct ¼ hC;C1;C2;0;C2;1;C3i

where

C ¼ m � eðg; gÞas;C1 ¼ gs

C2;0 ¼ fCðxÞ2;0¼ T0ðxÞ

sgx2o;C2;1 ¼ fC

ðxÞ2;1¼ T1ðxÞ

sgx2o� fyg

C3 ¼ ðhy11 � � � hyn

n Þs

Index (pp, ω, Rθ, W)! Ind: A revocation list Rθ� U which attribute θ 2 ω. Data owner

encrypts the file F which is firstly encrypted by a symmetric encryption algorithm and gets

cipher text F�, and suppose that the symmetric encryption key is m. The set of keywords

W = {w1, w2,. . ., wN} is extracted from the F, and randomly choose t 2 Zp,and output the key-

words index

Ind ¼< I0; I1;j; I2;0; I2;1 >

where

I0 ¼ gt

I1;j ¼ gb � HðwjÞd; j 2 ½1;N�

I2;0 ¼ fIðxÞ2;0 ¼ Kt

0ðxÞgx2o

; I2;1 ¼ fIðxÞ2;1 ¼ Kt

1ðxÞgx2o� y

and send <Ind, ct, F�> to the cloud server.

Trapdoor (pp, W0, τ)!τ�: The user constructs the search token τ� according to the key-

words W 0 ¼ fwj1;wj2

; . . . ;wjN1g; ð1 � j1; . . . ; jN1

� NÞ which he interests as

t3 ¼ ft1;jq¼ gb � Hðwjq

Þdgq¼1;...;N1 ;jq¼1;...;N

and sends search token τ� =< τ1, τ2,0, τ2,1, τ3> and his ID to the cloud server.

Test (τ�, Ind)! 1 or 0: The cloud server receives the search token from the user. First,

the cloud server judges that whether the ID of user is in the revocation list Rθ. If ID 2 Rθ, let

ω0 = ω − {θ};otherwise, ω0 = ω. If the set ω0 satisfies the access structure (M, ρ), then there exists

a set of constants {μi 2 Zp}i2I, such thatP

i2Imi �Mi ¼ ð1; 0; . . . ; 0Þ.

(1) When ID =2 Rθ, cloud server selects N1 keywords index from the Ind, we denote the result

of selecting as fI1;O1; I1;O2

; . . . I1;ON1g,where 1 � O1; . . . ;ON1

� N. Then cloud server tests the

selected index set fI1;O1; I1;O2

; . . . I1;ON1g with the search token τ� =< τ1, τ2,0, τ2,1, τ3> with the




following equation

YN1

q¼1eðI1; t1;jq

Þ¼?YN1

s¼1eðI1; I1;Os

Þ

If the equation holds, it turns to next step; otherwise, it outputs 0.

eðI0;Y

i2Iðt1;i � t

rðiÞ2;0 Þ

miÞ

eðY

i2IðIrðiÞ

2;0 Þmi; gÞ

¼? eðI0; I1Þ

If the equations all hold, it returns the corresponding cipher text<ct, F�> to the user, and

user can decrypt. Otherwise, it outputs 0.

(2) When ID 2 Rθ, cloud server selects N1 keywords index from the Ind, we denote the

result of selecting is fI1;O1; I1;O2

; . . . I1;ON1g,where 1 � O1; . . . ;ON1

� N. Then cloud server tests

the selected index set fI1;O1; I1;O2

; . . . I1;ON1g with the search token τ� =< τ1, τ2,0, τ2,1, τ3> with

the following equation

YN1

q¼1eðI1; t1;jq

Þ ¼?YN1

s¼1eðI1; I1;Os

Þ

If the equation holds, it turns to next step; otherwise, it outputs 0.

eðI0;Y

i2Iðt1;i � t

rðiÞ2;1 Þ

miÞ

eðY

i2IðIrðiÞ

2;1 Þmi; gÞ

¼? eðI0; I1Þ

If the equations all hold, it returns the corresponding cipher text<ct, F�> to the user, and

user can decrypt. Otherwise, it outputs 0.

Decryption (pp, ID, sk, Rθ, ct)!m: User can decrypt according to the returned cipher text.

If ID 2 Rθ, ω0 = ω − {θ};otherwise, ω0 = ω, and then:

(1) When ID 2 Rθ, let I = {i: ρ(i) 2 ω0}, and there exists a set of constants {μi 2 Zp}i2I, such

that ∑i2I μi �Mi = (1,0,. . ., 0),then ∑i2I μiλi,1 = α. It calculates

φ ¼Y

i2I

eðC1;DðiÞ1;1Þ

eðCrðiÞ2;1 Þ;D

ðiÞ2;1

!mi

¼ eðg; gÞsa

and m = C / φ, user can decrypt F� to get F with m.

(2) When ID =2 Rθ, calculate

KX ¼Yn

i¼2

Kyii ¼ h

�<X;Y>

x11

Yn

i¼1

hyii

!r

so that when <X, Y> 6¼ 0, and then calculate

� ¼eðK;C1Þ

eðC3;D3Þ

� �� x1<X;Y>

¼ eðg; gÞrsa1

Let I = {i: ρ(i) 2 ω0}, and there exists a set of constants {μi 2 Zp}i2I, such that ∑i2I μi �Mi =

(1,0,. . ., 0),then ∑i2I μλi,0 = α+ rα1. Thus we have

g ¼Y

i2I

eðC1;DðiÞ1;0Þ

eðCrðiÞ2;0 ;D

ðiÞ2;0Þ

!mi

¼ eðg; gÞs�ðaþra1Þ

and m = C / A, user can decrypt F � to get F with m.




Correctness analyses

In this subsection, we show that our construction is correct with some appropriate parameters

setting.

(1) In the process of search the equation holds, it means that cloud server selects N1 key-

words index from the Ind which we denote fI1;O1; I1;O2

; . . . I1;ON1g,where 1 � O1; . . . ;ON1

� N

is matching the search token of the keywords fwj1;wj2

; . . . ;wjN1g; ð1 � j1; . . . ; jN1

� NÞ from

the user, then computes that

YN1

q¼1eðI1; t1;jq

Þ

¼YN1

q¼1eðgb; gb � Hðwjq

ÞÞ

¼YN1

q¼1eðgb; I1 � Hðwjq

ÞÞ

¼YN1

s¼1eðI1; I1;Os

Þ

a. When ID =2 Rθ, compute that

eðI0;Y

i2Iðt1;i � t

rðiÞ2;0 Þ

miÞ

eðY

i2IðIrðiÞ

2;0 Þmi; gÞ

¼eðgt; g

X

i2Ilimi �

Y

i2IKximi

0 ðrðiÞÞÞ

eðY

i2IKtximi

0 ðrðiÞÞ; gÞ

¼eðgt; gbÞ � eðg;

Y

i2IKximi

0 ðrðiÞÞÞt

eðY

i2IKximi

0 ðrðiÞÞ; gÞt

¼ eðgt; gbÞ

¼ eðI0; I1Þ

b. When ID 2 Rθ, compute that

eðI0;Y

i2Iðt1;i � t

rðiÞ2;1 Þ

miÞ

eðY

i2IðIrðiÞ

2;1 Þmi; gÞ

¼eðgt; g

X

i2Ilimi �

Y

i2IKximi

1 ðrðiÞÞÞ

eðY

i2IKtximi

1 ðrðiÞÞ; gÞ

¼eðgt; gbÞ � eðg;

Y

i2IKximi

1 ðrðiÞÞÞt

eðY

i2IKximi

1 ðrðiÞÞ; gÞt

¼ eðgt; gbÞ

¼ eðI0; I1Þ




(2) The decryption process first calculates

Ki ¼ h�

xix1

1 � hi

0

@

1

A

r

¼ g�

xix1� a1� gai

!r

¼ gr� �

xix1� a1 þ ai

� �

MX ¼�

x2

x1�

x3

x1. . . �

xnx1

In� 1

0

@

1

A

�x2

x1

�x3

x1

..

.

�xnx1

In� 1

0

BBBBBBBBBBBBBB@

1

CCCCCCCCCCCCCCA

�

a1

a2

..

.

an

0

BBBBBBBB@

1

CCCCCCCCA

¼

�x2

x1� a1 þ a2

�x3

x1� a1 þ a3

..

.

�xnx1� a1 þ an

0

BBBBBBBBBBB@

1

CCCCCCCCCCCA

¼ MTX�A

KX ¼ fK2; � � � ;Kng ¼ gr�MTX�A

(3) The decryption process calculates:

a. When ID 2 Rθ

φ ¼Y

i2I

eðC1;DðiÞ1;1Þ

eðCrðiÞ2;1 ;D

ðiÞ2;1Þ

!mi

¼Y

i2I

eðgs; gli;1T1ðrðiÞÞri;1Þ

eðT1ðrðiÞÞs; gri;1Þ

� �mi

¼Y

i2I

eðgs; gli;1Þ � eðgs;T1ðrðiÞÞri;1ÞÞ


� �mi

¼Y

i2I

ðeðgs; gli;1ÞÞmi

¼Y

i2I

eðg; gÞs�li;1 �mi

¼ eðg; gÞs�ðP

i2Ili;1 �miÞ

¼ eðg; gÞsa




b. When ID =2 Rθ

KX ¼Yn

i¼2

Kyii

¼Yn

i¼2

h�

xix1

1 � hi

0

@

1

A

r�yi

¼ h�

x2y2x1þ��þ

xnynx1ð Þ

1 �Yn

i¼2

hiyi

!r

¼ h�

x2y2x1þ��þ

xnynx1ð Þ

1 �Yn

i¼1

hiyi � h1

� y1

!r

¼ h�

x2y2x1þ��þ

xnynx1ð Þ

1 �Yn

i¼1

hiyi � h1

�y1x1x1

!r

¼ h�

x1y1x1þ��þ

xnynx1ð Þ

1 �Yn

i¼1

hiyi

!r

¼ h�<X;Y>

x11 �

Yn

i¼1

hyii

!r

� ¼eðK;C1Þ

eðC3;D3Þ

� �� x1<X;Y>

¼

e h�<X;Y>

x1

1 �Yn

i¼1

hyii

!r

; gs !

eððhy1

1� � � hyn

nÞs; grÞ

0

BBBB@

1

CCCCA

�x1

<X;Y>

¼

e h�<X;Y>

x1

1

!

; g

!

� eYn

i¼1

hyii

!

; g

!

eððhy1

1� � � hyn

nÞ; gÞ

0

BBBB@

1

CCCCA

�x1

<X;Y>�r�s

¼ e h�<X;Y>

x1

1

� �; g

� �� x1<X;Y>

�r�s

¼ e g �<X;Y>

x1�a1

� �; g

� �� x1<X;Y>

�r�s

¼ eðg; gÞrsa1




g ¼Y

i2I

eðC1;DðiÞ1;0Þ

eðCrðiÞ2;0 ;D

ðiÞ2;0Þ

!mi

¼Y

i2I

eðgs; gli;0T0ðrðiÞÞri;0Þ


� �mi

¼Y

i2I

eðgs; gli;0Þ � eðgs;T0ðrðiÞÞri;0ÞÞ


� �mi

¼Y

i2I

ðeðgs; gli;0ÞÞmi

¼Y

i2I

eðg; gÞs�li;0 �mi

¼ eðg; gÞS�ðP

i2Ili;0�miÞ

¼ eðg; gÞs�ðaþra1Þ

Let A = γ / ϕ = e(g, g)sα.

Security analyses

Selective security model proof

Theorem1. If an adversary can break our scheme with advantage ε in the selective security

model, then we can construct a simulator to solve the Decision q-BDHE problem with advan-

tage ε2.

Proof: This proof bases on [24].

The simulation proceeds as follows. First, the challenger sets

Y ¼ ðg; gs; g1 ¼ ga; g2 ¼ ga2

; . . . ; gq ¼ gaq ; gqþ2 ¼ gaqþ2

; . . . ; g2q ¼ ga2qÞ

Then the challenger flips a fair binary coin μ: if μ = 0, the challenger sets Z = e(g1, gq)s if

μ = 1,then the challenger picks a random element Z from G2.

Init. The simulator B runs adversary A. A selects an attribute set ω� and a user revocation

list R�y,where θ 2 ω�, which it wishes to be challenged upon.

Setup. The simulator B proceeds as follows:

(1) The simulator B randomly chooses α 0, β, δ, 2 Zp, and then simulator B sets that

eðg; gÞa ¼ eðga; gaqÞ � eðg; gÞa0

,implicitly has that α = α 0 + αq+1. Then it randomly chooses

fk00;i; k

01;i 2 G1ji¼1;...;mg, and computes

K0ðxÞ ¼Ym

i¼1k0ðx

iÞ0;i ;K1ðxÞ ¼

Ym

i¼1k0ðx

iÞ1;i

(2) It sets R�y¼ fID1; � � � ; IDmg where m� Q. For k 2 [1, m], simulator B sets

Xk ¼ ðxk;1; . . . ; xk;nÞ ¼ ð1; IDk; ID2k; . . . ; IDn� 1

k Þ, randomly chooses bk 2 Zp and has that

bTk �MXk

¼ bTk �

�xk;2xk;1

. . . �xk;nxk;1

In� 1

0

@

1

A ¼ 0

and bk ¼ 1;xk;2xk;1; . . .

xk;nxk;1

� �T. The simulator B sets the n×q matrix B = (b1|. . .|bm|0|. . .|0),

for k 2 [1, m], it consists by bk, and q −m columns are 0. Sets Z = (z1,� � �,zq)T 2 Zn and




zi = aq+1−i, gz ¼ ðgaq ; � � � ; gaÞT

and implicitly has that A = B�Z + δ where δ2RZn

p . Define

H = (h1, h2,. . .,hn)T = gB�Z�gδ, for k 2 [1, m], we have that MTXk�B 2 ðZpÞ

ðn� 1Þ�q¼ 0, so it

doesn’t have zk = aq+1−k.

(3) It sets ω�0 = ω� − {θ}, randomly chooses two polynomials f0(x) and f1(x) of degree m and

computes two polynomials as follows:

u0ðxÞ ¼ xm� jo�jY

i2o�

ðx � iÞ

u1ðxÞ ¼ xm� jo�� fygjY

i2o�� fyg

ðx � iÞ

For i 2 [0, m], let c0,i and c1,i be the ith term of f0(x) and f1(x), d0,i and d1,i be the ith term of

u0(x) and u1(x). B defines T0ðxÞ ¼ ga�u0ðxÞþf0ðxÞ and T1ðxÞ ¼ ga�u1ðxÞþf1ðxÞ,at the same time, B sim-

ulates {t0,i, t1,i}i = 1,. . .,m where

t0;i ¼ ðgaÞ

d0;i gc0;i ; t1;i ¼ ðgaÞ

d1;i gc1;i

Finally, B gives the public parameters

pp ¼< g; eðg; gÞa;H ¼ ðh1; h2; . . . ; hnÞT; gb; d;K0ðxÞ;K1ðxÞ >

to A.

Phase 1. Let M be a p×l matrix, ω�0 doesn’t satisfy the access structure (M, ρ). If ID 2 Rθ,

there is ω�0 = ω� − {θ}; otherwise, ω�0 = ω�. The simulator B generates the secret key sk as

follows.

(1) When ID =2 Rθ (in this case, we have ω�0 = ω�), and ω�0doesn’t satisfy the access structure,

B first defines p ¼ ðp1; � � � ; plÞT2 Zn�

p where π1 = 1 We have Mi�π = 0 for each i when ρ(i) 2 ω�.Then the simulator B defines two vectors η0 = (r, η0,2,. . .,η0,l)

T and η1 = (0, η1,2,. . .,η1,l)T, and

defines that u0 = α1 η0 + απ and u1 = η1 + απ, we can compute the first term of u0 and u1 are

α + rα1 and α.

i. When ρ(i) 2 ω�, B computes that

gli;0 ¼ gMi �m0 ¼ ðga1ÞMi �Z0 ; gli;1 ¼ gMi �Z1

and randomly chooses ri,0, ri,1 2 Zp and computes that

DðiÞ1;0 ¼ gli;0T0ðrðiÞÞri;0 ;DðiÞ2;0 ¼ gri;0


ii. When ρ(i) =2 ω�, B computes that

gli;0 ¼ gMi�u0 ¼ ga1 �Mi�Z0þa�Mi �p; gli;1 ¼ gMi �u1 ¼ gMi �Z1þa�Mi�p

and randomly chooses r; fr0i;0gi2½l�; fr0i;1gi2½l� 2 Zp, and sets ri;0 ¼ r0i;0 �

aqm0ðrðiÞÞ

ðMi � pÞ and




ri;1 ¼ r0i;1 �aq

m1ðrðiÞÞðMi � pÞ, then

DðiÞ1;0 ¼ gli;0T0ðrðiÞÞri;0

¼ ga1 �Mi �Z0þa�Mi�pT0ðrðiÞÞr0i;0g

�

aq � f0ðrðiÞÞ � ðMi � pÞ

u0ðrðiÞÞ

DðiÞ2;0 ¼ gri;0 ¼ gr0i;0 �aq

m0ðrðiÞÞðMi �pÞ

DðiÞ1;1 ¼ gli;1T1ðrðiÞÞri;1

¼ gMi �Z1þa�Mi �pT1ðrðiÞÞr0i;1g

�

aq � f1ðrðiÞÞ � ðMi � pÞ

u1ðrðiÞÞ

DðiÞ2;1 ¼ gri;1 ¼ gri;1 � aqm1ðrðiÞÞ

ðMi �pÞ

Then B computes that D3 = gr, KX ¼ fKi ¼ ðh�

xix1

1 � hiÞrgi2½2;...;n�.

(2) When ID 2 R�y

and sets fID ¼ IDkgk2½1;m�. The simulator B randomly chooses r 0 2 Zp

and sets r = r 0 − ak. Defines A = B � Z+δ, the first term of A is a1 ¼ d1 þXm

j¼1

aqþ1� j, and com-

putes that

gaþra1 ¼ ga0þaqþ1

� ðgd1þ

Xm

j¼1

aqþ1� j

Þr0 � ak

¼ ga0 � d1ak � ga1r0 � g�

� Xm

j¼1;j6¼k

aqþ1� jþk�

randomly chooses fZigi2½2;l� 2 Zp and defines η = (α + rα1, η2, . . ., ηl)T, and for i 2 [1, p], sets

Mi = (xi,1, xi,2, . . ., xi,l), then computes

gli;0 ¼ gMi�η ¼ ðgaþra1Þxi;1g

Xl

j¼2

Zj � xi;j

randomly chooses ri,0 2 Zp, then


As ω�0 does not satisfy the access structure, the simulation of DðiÞ1;1 and DðiÞ2;1 are the same as the

previous case. For {Ki}i2[2,n], the simulator B can computes KX ¼ ðK2; . . . ;KnÞ ¼ gr�MTX

A by

MTXA ¼ MT

X�B � ZþMT

X� δ.




Challenge. The adversary A submits two messages m0 and m1, B randomly chooses mb

where b 2{0,1} to encrypt. Then computes

C ¼ mb � Z � eðgs; ga0 Þ;C1 ¼ gs

C2;0 ¼ fCðxÞ2;0jC

ðxÞ2;0 ¼ T0ðxÞ

s¼ ðgsÞf0ðxÞ; x 2 o�g

C2;1 ¼ fCðxÞ2;1jC

ðxÞ2;1 ¼ T1ðxÞ

s¼ ðgsÞ

f1ðxÞ; x 2 o� � fygg

Then the simulator B defines Y = (y1, � � �, yn)T according to the revocation list R�y

and

<Xk, Y > = 0 for k 2[1,m]. And we have that Y ¼ MXk� γ1 where γ1 = (y2, � � �, yn)T, then

< Y;B � Z >¼ YTB � Z ¼Xm

k¼1

zk �YT�bk ¼ 0

and computes

C3 ¼ ðhy11 . . . hyn

n Þs¼ ðgsÞ<Y;A>

¼ ðgsÞ<Y;δ>

Then B sends the challenge ciphertext ct� = (C, C1, C2,0, C2,1, C3) to the adversary A. If

μ = 0, then Z = e(g1, gq)s, the challenge ciphertext ct� is a valid random encryption of message

mb. If μ = 1, then Z is a random element of G2, and ct�is also random from the adversary’s

view, and ct� contains no information of mb.

Phase2. Same as Phase1.

Guess. The adversary A outputs the guess b0 of b. B outputs μ = 0 to guess that Z = e(g1, gq)s

if b0 = b; otherwise, B outputs μ = 1, and it indicates that Z is a random element in G2. And the

advantage of simulator B to solve the q-BDHE problem is

1

2Pr½m0 ¼ mjm ¼ 0� þ

1

2Pr½m0 ¼ mjm ¼ 1� �

1

2

¼1

2ð1

2þ εÞ þ

1

2�1

2�

1

2

¼ε2

IND-CKA security proof

Theorem 2. Suppose there exists a polynomial-time adversary A, which can attack our scheme

with advantage ε in the IND-CKA model. We can construct a simulator B that can solve the

DDH problem in G1 with probability at lest ε4eðMþTN1þ

12Þ, where e is constant, and we assume the

adversary A makes M index queries and T search token queries(it contains N1 keywords) in

each phase[10].

Proof: B is given an instance g, ga, gb, gc of the DDH problem in G1. In the following parts,

we construct the cipher text by setting δ = b. The simulation proceeds as follows:

Init. The adversary A selects a attribute set ω� and a user revocation list R�y

of θ 2 ω�.B is

given an instance g, ga, gb, gc of the DDH problem in G1. Then B runs the algorithm to generate

the public parameter pp and sends it to adversary A.

Phase1. B maintains a hash list L = {wj, αj, lj} and randomly chooses αj 2 Zp for keywords

wj with biased coin flip lj. The list is empty when begins and simulates the hash function as a




random oracle. And if the random oracle is queried for a hash of w,B searches the hush list L if

the w exists in the list.

1. If lj = 0,the B gives that gaj ;

2. If lj = 1,the algorithm aborts;

3. If the keyword w does not exist in the list, the B flips a random coin l 2 {0,1} so that Pr

[coin0 = 0] = σ and σ will be calculated later.

a. If l = 0, the B randomly chooses α 2 Zp,and adds< w, α, 0> to the hush list;

b. If l = 1, the B adds < w,?, 1> to the hush list.

c. The B repeat the above process.

Keywords index query. If the adversary A asks the keyword wj of index information, Bsearches the hush list L. If lj = 1, B aborts; and if lj = 0, B randomly chooses t 2 Zp, let HðwjÞ ¼

gaj and generates that

I0 ¼ gt

I1;j ¼ gbHðwjÞd¼ gbðgbÞaj


0ðxÞgx2o�

; I2;1 ¼ fIðxÞ2;1 ¼ Kt

1ðxÞgx2o�� y

Search token query. If the adversary A asks the keyword wjqof searching token with the

access structure (M, ρ), Let M be a p×l matrix, ω�0doesn’t satisfy the access structure (M, ρ). If

ID 2 R�y, there is ω�0 = ω� − {θ}; otherwise, ω�0 = ω�.B searches the hush list L. If ljq ¼ 1,B

aborts; and if ljq ¼ 0,let HðwjqÞ ¼ gaj . For i = 1 to l, randomly choose ξi 2 Zp and B generates

that

t�1¼ ft1;i;jq

¼ gliHðwjqÞ

dgi2½1;l�;q2½1;N1 �;jq2½1;N�


0 ðrðiÞÞgi2½1;l�


1 ðrðiÞÞgi2½1;l�

Challenge. The adversary A outputs two keywords w�0

and w�1,B randomly chooses b 2 {0,1}

and searches the hush list L that< w�b; a; l >. If l = 0,B aborts; if l = 1, let Hðw�bÞ ¼ ga and com-

putes

I0 ¼ gt; I1 ¼ gbgc


0ðxÞgx2o� ; I2;1 ¼ fI

ðxÞ2;1 ¼ Kt

1ðxÞgx2o�� y

Phase2. Same as Phase1.

Guess. The adversary A outputs the guess b0 of b, B outputs gc = gab if b0 = b; otherwise gc is

a random group element in G1.

Correctness Analyses. In the above simulation scheme, if the adversary A has the advan-

tage of attack our scheme, and then it will be given the keyword wj of hush value is H(wj) = ga

rather than the random value H(wj) = gaj. Then it can compute that I1 = gβH(w)δ = gβ(gb)a, that

is I1 = gβgc = gβgab, and B computes that gc = gab which means it solves the DDH problem.




Probability Analyses. Suppose that the adversary A makes M index queries and T search

token queries in each phase, and the probability that B will not be terminated in two query

phases 1 and 2 is s2ðMþTN1Þ, so the probability that it will not terminated during the challenge

step is 1 − σ, so that results in an overall probability that B does not abort is s2ðMþTN1Þ � ð1 � sÞ.

And, through the computes that the maximum is s ¼ 1 � 1

2ðMþTN1Þþ1, so the maximum proba-

bility is 1

2eðMþTN1þ12Þ. Thus, if our scheme can be attacked by the adversary A with the advantage

ε, and the B can resolve the DDH problem with advantage ε4eðMþTN1þ

12Þ.

Performance analyses

In this section, we give some performance analysis in our scheme. The hardware runtime envi-

ronment is Intel Core i5-3470 CPU @ 3.20GHz, and RAM is 4.00GB. The software runtime

environment is JDK 1.7.5, JPBC 2.0.0 and MyEclipse10.

Our scheme is compared with the schemes of [21, 24, 26, 27, 28] in Table 1.

Our scheme is also compared with the schemes of [26, 27, 28] in Table 2.

We can see from Table 2, our scheme has a large amount of computation in the KenGen

and Encryption generation, because our scheme doesn’t need to update the cipher-text and

secret key when attributes revocation. However, the schemes of [26], [27] and [28] don’t

achieve the function of attribute revocation.

As is shown in the Fig 2, we suppose that there are 16 attributes in the policy and provide

the relational graphs of keywords index building time as is shown in Fig 2(a) and search token

building time as is shown in Fig 2(b). From the Fig 2(a) and 2(b), we can see that the time cost

is nearly linear with the index building and token building. In the Fig 2(c), we give the rela-

tional graph of the number of attributes in the policy and time cost. As is shown in the Fig 2(c),

Table 1. Performance analyses.

Scheme Fine-grained Attribute revocation Keyword search Do not update cipher-text when attribute revocation

[26] × × × ×[21] × ×

p×

[24]p p

×p

[27] × × × _

[28] × × × _

Our schemep p p p

https://doi.org/10.1371/journal.pone.0183459.t001

Table 2. Calculation analyses.

Scheme KeyGen Encryption Pairings in Decryption

[26] (2 + 2l)ex (3 + | S |)ex 2 + 2| I |

[27] 3lex (2 + | S |)ex 1 + 3| I |

[28] 2lex (6 + | S |)ex 1 + 2| I |

Our scheme (2 + 4l)ex (3 + 2 | S |)ex 1 + 2| I |

| S |: The size of the attributes set of a decryption key.

l: The number of rows of the matrix in access policy(M,ρ).

ex: An exponentiation operation.

| I |: The number of attributes for a decryption key to satisfy a cipher-text policy.







Fig 2. (a) Index building time (b) Token building time (c) The number of attributes in policy and index

building time






we can find that the effect of the increase of the attributes on the time is not particularly evi-

dent in our scheme which takes less time than Zhiquan’s[29].

Conclusions

In our scheme, we add the keyword search based on the attribute revocation, the search tokens

generated by the attribute authority and the user. The cloud server match is divided into two

cases: the user is in the revocation list and not in the revocation list, and the cloud server uses

the different test according to the different case. It will return the cipher text when the attribute

set meets the access structure and the search keywords exist, and the user can decrypt cor-

rectly. This scheme supports multiple keywords search at the same time which makes more

flexible in the practical application.

Supporting information

S1 Appendix.

(RAR)

Acknowledgments

This work is supported by the National Natural Science Foundation of China under grants

61572019, 61173192, the Key Project of Research Foundation of Natural Science Foundation

of Shaanxi Province of China under Grant No. 2016JZ001. Thanks also go to the anonymous

reviewers for their useful comments.

Author Contributions

Writing – original draft: Shangping Wang, Duqiao Zhao.

Writing – review & editing: Yaling Zhang.

References1. Sahai Amit, and Waters B.. Fuzzy Identity-Based Encryption. Advances in Cryptology–EUROCRYPT

2005. Springer Berlin Heidelberg, 2005:457–473.

2. Pirretti M, Traynor P, Mcdaniel P, et al. Secure attribute-based systems. IOS Press, 2006:99–112.

3. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. ACM Conference

on Computer and Communications Security. ACM, 2008:417–426.

4. Hinek MJ, Jiang S, Safavi-Naini R, Shahandashti SF. Attribute-based encryption with key cloning pro-

tection. Bulletin of the Korean Mathematical Society. 2008; 2008(4):803–19.

5. Li J, Ren K, Kim K. A2BE: Accountable Attribute-Based Encryption for Abuse Free Access Control. Iacr

Cryptology Eprint Archive. 2009; 2009.

6. Attrapadung N, Imai H. Conjunctive Broadcast and Attribute-Based Encryption. Pairing-Based Cryptog-

raphy—Pairing 2009, Third International Conference, Palo Alto, CA, USA, August 12–14, 2009, Pro-

ceedings. DBLP, 2009:248–265.

7. Touati L, Challal Y. Batch-based CP-ABE with attribute revocation mechanism for the Internet of

Things. International Conference on Computing, NETWORKING and Communications. IEEE,

2015:1044–1049.

8. Wang PP, Feng DG, Zhang LW. CP-ABE Scheme Supporting Fully Fine-Grained Attribute Revocation.

Journal of Software. 2012; 23(10):2805–2816.

9. Boneh D, Crescenzo G D, Ostrovsky R, et al. Public Key Encryption with Keyword Search. Advances in

Cryptology—EUROCRYPT 2004. Springer Berlin Heidelberg, 2004:506–522.

10. Kerschbaum F. Secure conjunctive keyword searches for unstructured text. International Conference

on Network and System Security, Nss 2011, Milan, Italy, September. DBLP, 2011:285–289.



http://www.plosone.org/article/fetchSingleRepresentation.action?uri=info:doi/10.1371/journal.pone.0183459.s001


11. Cao N, Wang C, Li M, Ren K, Lou W. Privacy-Preserving Multi-Keyword Ranked Search over Encrypted

Cloud Data. IEEE Transactions on Parallel & Distributed Systems. 2014; 25(1):222–233. https://doi.

org/10.1016/j.jbiomech.2005.09.015

12. Chuah M, Hu W. Privacy-Aware BedTree Based Solution for Fuzzy Multi-keyword Search over

Encrypted Data. International Conference on Distributed Computing Systems Workshops. IEEE Com-

puter Society, 2011:273–281.

13. Han F, Qin J, Zhao H, Hu J. A general transformation from KP-ABE to searchable encryption. Future

Generation Computer Systems. 2014; 30(1):107–115.

14. Chung KM, Kalai Y, Vadhan S. Improved Delegation of Computation Using Fully Homomorphic Encryp-

tion: Springer Berlin Heidelberg; 2010. 483–501 p.

15. Gentry C. Fully Homomorphic Encryption Using Ideal Lattices. Proceedings of the Annual Acm Sympo-

sium on Theory of Computing. 2009; 9(4):169–78.

16. Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure

Cloud Storage. IEEE Transactions on Information Forensics and Security. 2015; 10(9):1981–92.

https://doi.org/10.1109/TIFS.2015.2442215

17. Li H, Yang Y, Luan TH, Liang X, Zhou L, Shen XS. Enabling Fine-Grained Multi-Keyword Search Sup-

porting Classified Sub-Dictionaries over Encrypted Cloud Data. IEEE Transactions on Dependable and

Secure Computing. 2016; 13(3):312–25. https://doi.org/10.1109/TDSC.2015.2406704

18. Liang K, Susilo W. Searchable Attribute-Based Mechanism with Efficient Data Sharing for Secure

Cloud Storage. IEEE Transactions on Information Forensics & Security. 2015; 10 (9):1981–1992.

19. Li J, Shi Y, Zhang Y. Searchable ciphertext-policy attribute-based encryption with revocation in cloud

storage. International Journal of Communication Systems. 2017, 30 (1).

20. Sun W, Yu S, Lou W, Hou YT, Li H. Protecting Your Right: Verifiable Attribute-Based Keyword Search

with Fine-Grained Owner-Enforced Search Authorization in the Cloud. IEEE Transactions on Parallel

and Distributed Systems. 2016; 27(4):1187–98. https://doi.org/10.1109/TPDS.2014.2355202

21. Yang Y, Ma M. Conjunctive Keyword Search with Designated Tester and Timing Enabled Proxy Re-

Encryption Function for E-Health Clouds. IEEE Transactions on Information Forensics and Security.

2016; 11 (4):746–759. https://doi.org/10.1109/TIFS.2015.2509912

22. Jiang X, Yu J, Yan J, Hao R. Enabling efficient and verifiable multi-keyword ranked search over

encrypted cloud data. Information Sciences. 2017; s 403–404:22–41.

23. Poon HT, Miri A, editors. A Combined Solution for Conjunctive Keyword Search, Phrase Search and

Auditing for Encrypted Cloud Storage. Ubiquitous Intelligence & Computing, Advanced and Trusted

Computing, Scalable Computing and Communications, Cloud and Big Data Computing, Internet of Peo-

ple, and Smart World Congress; 2017.

24. Li Q, Feng D, Zhang L. An attribute based encryption scheme with fine-grained attribute revocation.

Global Communications Conference (GLOBECOM), 2012 IEEE. 2012:885–890.

25. Shi Y, Zheng Q, Liu J, Han Z. Directly revocable key-policy attribute-based encryption with verifiable

ciphertext delegation. Information Sciences. 2015; 295:221–231.

26. Zhang M, Du W, Yang X, Han Y. A fully secure KP-ABE scheme in the standard model. Journal of Com-

puter Research & Development. 2015.

27. Li Z, Chen X. Attribute-based encryption with fast decryption on prime order groups. Computer applica-

tion. 2016; 36 (3):637–641.

28. Ma S, Lai J, Deng RH, Ding X. Adaptable key-policy attribute-based encryption with time interval. Soft

Computing. 2016:1–10.

29. Lv Z, Zhang M, Feng D. Multi-user Searchable Encryption with Efficient Access Control for Cloud Stor-

age. IEEE International Conference on Cloud Computing Technology and Science. IEEE, 2015:366–

373.



https://doi.org/10.1016/j.jbiomech.2005.09.015

https://doi.org/10.1016/j.jbiomech.2005.09.015


https://doi.org/10.1109/TDSC.2015.2406704

https://doi.org/10.1109/TPDS.2014.2355202



Documents

Searchable attribute-based encryption scheme with ... · bute-based encryption scheme with attribute revocation in cloud storage, the keyword search in our scheme is attribute based