privacy preserving attribute-based encryption with

ISeCureThe ISC Int'l Journal ofInformation Security

July 2021, Volume 13, Number 2 (pp. 87–100)

http://www.isecure-journal.org

Privacy PreservingAttribute-Based Encryption with Conjunctive

Keyword Search for E-health Records in Cloud

Aniseh Najafi 1, Majid Bayat 2, and Hamid Haj Seyyed Javadi 1,∗1Department of Mathematics and Computer Science, Shahed university, Tehran, Iran.2Department of Computer Engineering, Shahed University, Tehran, Iran.

A R T I C L E I N F O.

Article history:

Received: April 18, 2020

Revised: October 3, 2020

Accepted: April 8, 2021

Published Online: May 8, 2021

Keywords:Attribute-Based Searchable

Encryption, Hidden Policy,

Keyword Guessing Attack, SecureChannel Free, Standard Model

Type: Research Article

doi: 10.22042/isecure.2021.227562.542

dor: 20.1001.1.20082045.2021.

13.2.1.6

A B S T R A C T

The advent of cloud computing in the healthcare system makes accuracy and

speed increased, costs reduced, and health services widely used. However, system

users are always seriously concerned about the security of outsourced data.

The ciphertext-policy attribute-based encryption (CP-ABE) is a promising

way to ensure the security of and facilitate access control over outsourced data.

However, conventional CP-ABE schemes have security flaws such as lack of

attribute privacy and resistance to the keywords guessing attacks as well as the

disability to multi-keyword searches. To meet such shortcomings, we present

a scheme supporting multi-keyword search and fine-grained access control,

simultaneously. The proposed scheme is resistant to the offline keywords

guessing attack. Privacy-preserving in the access structure is another feature

of the proposed scheme. The security analysis indicates that our scheme is

selectively secure in the standard model. Finally, the performance evaluation

of the proposed scheme shows the efficiency is reasonable despite the added

functionalities.

c© 2020 ISC. All rights reserved.

1 Introduction

C loud computing along with the internet of things(IoT) as a kind of fundamental technologies in

smart cities are applied in the electronic healthcareindustry to develop health systems, health monitor-ing, and health management[1]. Electronic health sys-tems are developed to realize remote diagnosis, im-prove treatment accessibility and quality, and shareand store patient information [2]. With the rapid de-velopment of IoT technologies and cloud computing,the e-health industry is expected to quickly reachthe point of the desired service. However, there are

∗ Corresponding author.

Email addresses: [email protected],[email protected], [email protected]

ISSN: 2008-2045 c© 2020 ISC. All rights reserved.

still many unresolved problems, especially the simul-taneous realization of privacy and accessibility. Inthe e-health system, electronic health record (EHR)contains patient sensitive information, such as demo-graphics, medical history, medication and allergies,immunization status, laboratory test results, radiol-ogy images, personal statistics like age and weight,and billing information. Suppose a patient decides tosubmit his EHR to the number of sightly experts. Forthis purpose, there are two problems: on the one hand,he must use encryption and access control methodsto protect privacy; On the other hand, to easy accessthe desired EHRs among the large volume of datasets,the ability of search over encrypted data is a necessityof e-health systems. Although the most patients ex-pects only authorized professional health caregiversto access his encrypted EHR, most of the available

ISeCure

88 Privacy Preserving ABE with Conjunctive Keyword Search for E-health Records in Cloud — Najafi et al.

access control methods violate the patient’s privacyin the fine grained-access control. In addition, encryp-tion methods with hidden access control usually donot allow searching over encrypted datasets.Attribute-based encryption (ABE) presents a promis-ing solution to privacy-preserving of outsourced elec-tronic health records [3]. ABE schemes are placed intoone of KP-ABE (Key Policy-ABE) [4] and CP-ABE(ciphertext policy-ABE) [5] categories depending onthe access policy’s placement in the ciphertext or se-cret key. In healthcare systems, the CP-ABE schemeis applicable because the patient needs to exert accesspolicies over his EHR. Access policy is actually an ac-cess structure that is built based on patient attributesand is explicitly accessible to anyone who has accessto encrypted EHR. Therefore, in most ABE schemes,the privacy of the attributes used in the access struc-ture has not been realized [4–14], however, disclosureof access policies can leak sensitive information to ma-licious viewers. For example, if the access policy of anEHR consist of statement (“hospital A” AND “expertB”), the malicious viewer can detect the informationabout the residence area and the disease of the EHRowner, by observing the hospital name and the typeof expert, which leads to information leakage and vio-lation of patient privacy. On the other hand, althoughencrypting and then outsourcing EHRs would pre-serve data privacy, all data must be downloaded anddecrypted to obtain some part of the data. Clearly, thecomputation and communication costs of this methodare not affordable.Hidden access policies can solve the privacy problemof attribute-based encryption. Hiding the attributesin the access structure can be done in two ways: par-tial hiding and full hiding. In CP-ABE with partiallyhidden access policies, the name of the attribute is ob-vious and its value is hidden, while in CP-ABE withfully hidden access policies, both the name and thevalue of the attributes are hidden. However, there isa trade-off between privacy and efficiency: the CP-ABE schemes with partially hidden access policieshave better efficiency and instead have more privacyleaks, while the CP-ABE schemes with fully hiddenaccess policies provide less efficiency despite the moreprivacy.The promising method to solve the secure accessibilityproblem is searchable encryption as a paradigm thatprovides search functionality over the encrypted data[15, 16]. Using searchable encryption, the data ownercan extract indicator keywords from his dataset andsend the encrypted forms along with the encrypteddata to the cloud server. Using an encrypted form ofquery keywords named trapdoor, the data user de-mands searching over encrypted data from the cloudserver. The cloud server sends the search results tothe data user after a secure search on the encrypted

data. Searchable encryption methods are divided intotwo categories: symmetric and asymmetric. Symmet-ric searchable encryption (SSE) schemes provide onlycoarse-grained access control by sending the owner’sprivate key through a secure channel [17]. Therefore,using these schemes in health systems is not effi-cient. In the traditional asymmetric searchable encryp-tion (or public-key encryption with keyword search(PEKS)), in particular ABE providing fine-grainedaccess control, the malicious adversary can launch anoffline keyword guessing attack (KGA) [18, 19]. Tothis end, the adversary makes the ciphertext of all key-words in the dictionary. This is possible because of thekeyword space polynomial size. The data user sendsthe cloud server a trapdoor that the adversary grabsthrough eavesdropping the channel. It then searchesover the encrypted keywords and extracts the contentsof the trapdoor. For this reason, public-key encryptionwith keyword search schemes vulnerable to keywordguessing attack requires a secure channel for trapdoortransmission. A designated server technique is appliedin some PEKS schemes to prevent this attack so thatit is only the server that can execute the search al-gorithm [13, 20–23]. However, most attribute-basedencryptions with keyword search (ABKS) schemes[10, 24–28] do not support other featheres such as hid-den access policy, secure multi-keyword search in thestandard model, and security against keyword guess-ing attack, simultaneously.

1.1 Our Contribution

In this paper, based on inner product encryption, wepresent an attribute-based encryption scheme withkeyword search for the healthcare system that is resis-tant to offline keyword guessing attacks in the stan-dard model. In the proposed scheme, hidden accesspolicy along with multi-keyword search are the fea-tures required to outsource large volume sensitive datasuch as health information, which provides privacypreserving and selective recovery, simultaneously. Tothe best of our knowledge, there is no secure ABKSscheme with multi-keyword search and fully hiddenaccess policy, in the standard model. The main con-tribution of this paper is summarized as follows.

• Attribute privacy: In our scheme, attributesof access structure are hidden in prime ordergroup so that malicious viewers do not under-stand sensitive information about the electronichealth record and its privileged data users.

• Search functionality: The proposed schemesupports searching over encrypted data thatlead to efficient and secure storage and selectiveretrieval of health information. For healthcaresystem, our scheme is the first proper securechannel free ABKS scheme with a hidden access

ISeCure

July 2021, Volume 13, Number 2 (pp. 87–100) 89

policy secured in the standard model in compar-ison to the previous ones.

• Multi-keyword search: we add conjunctivekeyword search functionality to our scheme toimprove search quality. The data user can receiveall results including all query keywords withonce sending the trapdoor.

• Security against keyword guessing attack:Using the designated cloud server, we design ascheme that is secure against KGA in standardmodel. In this way, the data user can send thetrapdoor securely through the public channel tothe cloud server.

• And gate policies withwildcard: Access pol-icy is defined by and-gate with positive, nega-tive and wildcard values for attributes, in ourscheme. So far, none of the proposed searchableencryption schemes support and-gate with wild-card using only one group element to representan attribute with three possible values.

1.2 Organization

The paper is organized as follows: Section 2 deals withthe related work. Section 3 is entitled preliminaries as-sociated with problem statement and basic definitionsrequired for designing the proposed scheme. Section 4provides the proposed model. Section 5 presents thesecurity and performance analysis of our scheme. Thefinal Section covers the conclusion.

2 RelatedWork

Authorization is an essential requirement of many in-formation systems, especially healthcare. Applyingattribute-based encryption primitive fulfills this re-quirement by providing fine-grained access control.However, the security and functionalities of most ofthe ABE schemes presented so far do not meet thenecessities of the real world. Therefore, researcherswere encouraged to add features to ABE schemes suchas hierarchical access structure, hidden policy, searchfunctionality, and traceability.

Using CP-ABE in healthcare systems, the attributesin the access structure may carry user sensitive in-formation although the content of the data remainsunknown, indicating that the attribute privacy ismore important than other functionalities of an ABEscheme. Nishide et al. [29] proposed the first partiallyhidden CP-ABE with AND-gate policies. Presentingthe fully hidden access policy scheme where the sizeof the ciphertext grows based on the number of at-tributes, Lai et al. [30] and Phuong et al. [31] developedNishides work. Overcoming the problem of ciphertextsize, Jin et al. [32] presented a fully secure schemein the standard model where the access structure is

defined using AND-gate with positive, negative andwildcard. In addition, Zhang et al. [33] introduce afully secure privacy-aware smart health access controlsystem with partially hidden access policy in the stan-dard model. Then, some efforts have been made toimprove efficiency and functionality, considering thepossibility of a hidden access policy [34–39]. However,none of these schemes support keyword searches.

Large volume of sensitive healthcare data requiresthe privacy of data along with efficiency of their recov-ery. For the first time, the authors of [40] presentedCP-ABKS schemes to realize fine-grained access con-trol and keyword search, at the same time. In [41],the authors design an anonymous attribute basedsearchable encryption that is secure under the selec-tive ciphertext-policy with chosen plaintext attackand under the selective ciphertext-policy with chosenkeyword attack. However, the structure of CP-ABKSschemes is vulnerable against keyword guessing at-tack [18, 19]. Keyword space polynomial-size leads theattacker to generate all ciphertexts. Then, attackerlaunches offline keyword guessing attack over all ci-phertexts, captures trapdoor, and then obtains thecontent of the trapdoor. Miao et al, [42] proposed averifiable KGA secure scheme with keyword search,fine-grained access control and data-owner updating,in standard model. Furthermore, Qiu et al. [43] pre-sented the first CP-ABKS scheme supporting keywordsearch and hidden access structure resistant againstKGA. Adding shared multi-owner and traceabilityfunctionalities, the proposed scheme in [24] improvedthe work presented by Qiu et al. [43]. Recently, Chaud-hari and Das [44] proposed a KGA secure CP-ABKSscheme with hidden access policy that performs thesearch operation efficiently. This scheme takes con-stant time complexity for single-index and linear timecomplexity for multi-index dataset. Nevertheless, therecent reviewed schemes do not support multi-keywordsearch and security in the standard model.

To search over encrypted personal health records,Miao et al. [26] design a secure cryptographic primi-tive called ciphertext policy attribute based on multi-keyword searchable encryption which is selectivelysecure against chosen keyword attack. In other work,Miao et al. [10] proposed a scheme with a hierarchicaldata structure and multi-keyword search functional-ity non resistant against KGA. For big data-basedmobile healthcare networks, Chen et al. [11] presenta verifiable keyword search scheme with fine-grainedaccess control. Recently, Xu et al. [13] design an ef-ficient multi-keyword searchable scheme supportingonline/offline encryption and outsourcing decryption.Based on inner product encryption, Chen et al. [45]enhance an ABKS scheme with conjunctive keywordsearch functionality and security against KGA. Un-

ISeCure


Table 1. Notations

Notation Description

U The set of attribute universe

L The number of attribute universe

N1 Maximum number of wildcard attributes in

access structure

N2 Maximum number of positive attributes in

access structure

N3 Maximum number of negative attributes in

access structure

l Maximum number of extracted keyword from

a ducument

bR←− B Random selection b of set B

[n] {1, . . . n}

fortunately, none of the recent schemes supports theattributes privacy in the access structure.

In [46], the secure proposed scheme provide at-tribute privacy and search functionality using a se-cure channel. However, compared to access controlin our proposal, these schemes do not support andgate policies with wildcard. In addition, Wang et al.[47] design a scheme with almost the capabilities of[46], in which, despite being more efficient, it is notsecure channel free and secure in the standard model.A secure channel free and policies hiding searchableencryption scheme with conjunctive keyword searchproposed in [48] that is secure in the standard model.Unfortunately, the cloud server and the user can col-lude for searching without access permission. More-over, these scheme leaks some sensitive informationfrom the index and the trapdoor.

3 Preliminaries

This section presents some required preliminaries intwo basic definition and problem statement subsec-tions.

3.1 Basic Definition

Notations: Table 1 presents the notations of thepaper.

Bilinear Map: Let G and GT be cyclic groups ofprime order p and g ∈ G is generator of G. A bilinearpairing is a map e : G×G→ GT with the followingproperties:

• Bilinearity: e(ga1 , gb2) = e(g1, g2)ab for all g1, g2 ∈

G, a, b ∈ Z,• Non-degeneracy: e(g, g) 6= 1, in which 1 is iden-

tity element of GT ,• Computability: There is an efficient algorithm

to compute e(g1, g2) for any g1, g2 ∈ G.

Decisional Deffi-Hellman (DDH) Assumption:Pick random generator g ∈ G and random elementsa, b ∈ Zq. The DDH assumption is defined as: Given(g, ga, gb, gab, Z), distinguish whether Z = gab or

ZR←− Zq with the non-negligible advantage in the

polynomial time.

Viete Formula: Let J = {j1, . . . , jn} ⊂ {1, . . . , L}.Based on J , we consider identity polynomial

∏j∈J(i−

j) =∑nk=0 λki

k. The coefficients of this polynomialare constructed according to the viete’s formula asfollows:

λn−k =∑

1≤i1<i2<···<ik≤n

ji1 . . . jik , 0 ≤ k ≤ n, (1)

where n = |J |.

Inner Product Predicate: Functional encryption[49] as a new paradigm allows the data owner to specifya policy describing how data users can decrypt theciphertext without knowing the information of theseusers. Predicate encryption is a functional encryptionsub-class in which the user gains a plaintext function,decrypting the ciphertext. If user attributes satisfythe ciphertext access policy or, in other words, theevaluation of the predicate is 1, decryption will befulfilled.

The access policy is public in some of the function-alities proposed for predicate encryption so far suchas ID-based encryption [50] and attribute-based en-cryption [3]. However, in most applications such ashealthcare and military, access policy leaks sensitiveinformation. Some suggested predicate encryption sys-tems such as anonymous identity-based encryption[16], hidden vector encryption [5], and inner productpredicate [49] have been used to make the access pol-icy hidden. In our scheme, we apply the inner prod-uct predicate. Evaluation of inner product predicatewill be 1 if a dot product operation is equal to 0 andotherwise is 0.

Access Structure: Let {Att1, . . . , AttL} be the or-dered set of system attributes. AND-gate with wild-card access policy is represented by P = {P1, . . . , PL},where each Pi can have one of +, − and ∗ values.The positive and negative values for Pi, respectively,mean requisiteness of the presence and absence of theattribute in the user attribute set. The wildcard ∗ im-plicates both positive and negative accepted valuesfor attributes. On the other hand, each user in the sys-tem is identified by the set S = {S1, . . . , SL} wherevalue of any Si is + or −. The user attribute set willsatisfy the access policy if the value of attributes cor-responding to the positive values in the access policyis positive, and that corresponding to the negative

ISeCure


Figure 1. Architecture of the secure outsourcing of EHRs in

an e-health system

values in the access policy is negative.

3.2 Problem Statement

System Model: There are four entities in the pro-posed scheme as follows: the trusted authority (TA),cloud server provider, data owner or patient, and datauser - a physician, surgeon, researcher, etc. Figure 1depicts the overview of the secure outsourcing processto the cloud, the entities, and their relationships toimplement the process.

TA is responsible for initializing the system andgranting fine-grained access privilege to data usersbased on their attributes.

The cloud server has abundant storage and compu-tational resources and stores the EHRs and the corre-sponding indexes. It is also responsible for searchingoperations on encrypted data.

Using the traditional encryption algorithm such asAES or DES, the patient encrypts his EHRs to preserveprivacy. The owner of records defines a different accesspolicy for the keyword set extracted from each EHRand encrypts the extracted keyword set as the indexform. Then, she/he sends the encrypted EHRs andindexes to the cloud server.

To get the desired encrypted data, the data usersends her/his attributes to the TA and receives the se-cret key corresponding to the attributes. The data userthen sends the trapdoor corresponding to requestedkeywords to the cloud server. The cloud server returnsthe resulted files after searching on the encryptedEHRs. The records selected in the search phase, inaddition to including the requested keywords have anaccess policy satisfied by the user attributes.

Threat Model: In the proposed scheme, the cloudserver is an honest-but-curious entity that executingthe search algorithm honestly can infer some sensi-tive information of the patients out of curiosity. Onthe other hand, outside adversary intends to inferprivacy information by eavesdropping and analyzing

the indexes and trapdoors transmitted on a publicchannels. Regarding attribute privacy, the adversary(cloud server or outside attacker) may obtain sensitiveinformation through attributes in the access structure.Patients, TA, and data users are fully trusted. Thecloud server is assumed not to collude with the outsideattacker.

Design Goal: Our proposed scheme for the e-healthcloud aims to achieve the following goals.

• EHR Confidentiality: Due to the high sensitivityof healthcare data, EHRs and the extractedkeywords should be protected from unauthorizedaccess.

• Fine-grained Access Control: To eliminate theinherent drawback of public-key cryptography,we aim to apply fine-grained access structure inour scheme to provide one-to-many rather thanone-to-one searchable encryption and to leadflexible access control over EHRs.

• Conjunctive Keyword Search: By a single searchquery, the data user can receive records contain-ing multiple keywords simultaneously. Searchingwith multiple keywords reduces the computa-tion and communication overhead significantly.In addition, the data user can receive the mostrelevant documents instead of many documents,which may be unrelated.• Attribute Privacy Protection: Access policy,

which is visible to anyone with access to ci-phertext, may reveal sensitive information toattackers in the healthcare cloud system. Pro-tecting the privacy of the access structure toImprove the privacy of patients is one of ourgoals in the proposed scheme.

• Security against Keyword Guessing Attack: Thesmall size of the keyword space, index generat-ing only using public parameters and keywordsand, the public check ability of the index andtrapdoor adaptability or non-adaptability makethe outside attacker succeed in index generatingall the keywords and adaptability checking allof them with the trapdoor to launch the offlinekeyword guessing attack. For this reason, thePEKS schemes use the secure channel to sendthe trapdoor for security against KGA. We aimto design a scheme where the use of a publicchannel does not threaten the security of querykeywords.

• Secure Channel Free: In a secure channel freesearchable encryption system, a cloud servermust be designated as a tester and only thedesignated server can run the search algorithm.This eliminates the need to transmit trapdoorskeywords through a secure channel.

ISeCure


4 Construction

In this section, we first present the framework of ourscheme and security model of it. Then, we explainhow an attribute-based encryption scheme enhancesto a secure channel free scheme with fully hidden ac-cess control and search functionality, simultaneously.Finally, we prove that our proposal is policy hidingABKS scheme and secure resistance selectively key-word guessing attack based on the standard model.

4.1 Overview of Our Scheme

• Setup(k, U) → (PP,MSK). The setup algo-rithm takes security parameter k and attributeuniverse set as input. It outputs public parame-ters PP and master secret key MSK.

• KeyGenU (PP,MSK,S)→ SKU . TheKeyGenUalgorithm takes public parameters PP , mastersecret key MSK and attribute set S ⊂ U fromdata user. It outputs secret key SK, related toS.

• KeyGenS(k) → (PKS , SKS). The KeyGenSalgorithm takes the security parameter of thesystem as an input. It output a secret key(PKS , SKS) for the cloud server.

• IndGen(PP,W ) → CT . The BuildInd algo-rithm takes keyword set W and public param-eters PP as input. It output index CT as theciphertext of the keyword set.

• TrapGen(PP, SK,Q) → T . The TrapGen al-gorithm takes public parameter PP , secret keySK, and query keyword set Q as input. It gen-erates trapdoor T related to Q.

• Search(PP,CT, T )→ {0, 1}. The Search algo-rithm takes public parameter PP , index CTand trapdoor T as input. If there are all querykeywords in the index, It outputs 1, otherwise, 0.

4.1.1 Security Model

The main challenge in the security of our scheme isto investigate the indistinguishability of the indexesand the hidden access policies. To solve this challenge,we apply the following game between an adversary Aand a challenger B.

• Init. A outputs the challenge access policiesP0, P1 and the extracted keyword sets W0,W1.

• Setup. The B runs the setup algorithm and givespublic parameters PP to the A.

• Phase 1. A submits attribute set L adaptivelyto generate a secret key with the condition thatattribute set L does not satisfy access policiesP0, P1. Moreover, A submits the access policy Pand keyword setW . B returns ciphertextCTP,Wto A. A can repeat these queries polynomial

time.• Challenge. Once the adversary A decides that

phase 1 is over, the challenger B flips a randomcoin b ∈ {0, 1} and returns CTPb,Wb

to A.• Phase 2. A continues to adaptively query the

challenger for secret keys and ciphertexts corre-sponding to sets of attributes and access policiesalong with keyword sets, respectively. Non ofthe attribute sets related to the received secretkeys matches P0 or P1.

• Guess. The adversary A outputs a guess bit b′ ∈{0, 1} and wins the game if b′ = b. The advantageofA is defined

∣∣Pr[b′ = b]− 12

∣∣ and the proposedscheme with hidden access policy is selectivelysecure if for any probabilistic polynomial-timeadversary A

AdvA(k) =

∣∣∣∣Pr[b′ = b]− 1

2

∣∣∣∣ < ε,

where ε is negligible.

4.2 Concrete Construction

The proposed scheme is defined with six randomizedalgorithms as follows:

• Setup(k, U) → (PK,MSK). Let G and GTare the cyclic groups of prime order q and gbe a random generator of G. Moreover, let e :G × G → GT be a bilinear pairing and n =N1 + l+ 4. According to the security parameterk and universe attribute set U , for i ∈ [n], TA

randomly selects u1,i, u2,i, w1,i, w2,i, γ, θR←− Zq,

so that γ(u2,i − u1,i) and η(w2,i −w1,i) is equalto the constant random numbers ∆1,∆2 ∈ Zq,respectively. In the end, TA obtains the publicparameters PP and the master secret keyMSKas

PP =(g,G,GT , p, e,H, {U1,i, U2,i}ni=1 ,

{W1,i,W2,i}ni=1 , V, Y ),

MSK =({u1,i, u2,i}ni=1 , {w1,i, w2,i}ni=1 , γ, θ

),

Where, for i ∈ [n], U1,i = gu1,i , U2,i = gu2,i ,W1,i = gw1,i , W2,i = gw2,i , V = gγ and Y = gθ.

• KeyGenU (PP,MSK,S) → SKU . Let V ′ ⊂{1, . . . , L} concludes locations of the positiveattributes and Z ′ ⊂ {1, . . . , L} concludes loca-tions of the negative attribute in S. TA con-structs two vectors

−→xV = (xvi) =(v′0, . . . , v

′N1, 1, 0

),

−→xZ = (xzi) =(z′0, . . . , z

′N1, 0, 1

),

in which

ISeCure


v′k = −∑i∈V ′

ik, k = 0, . . . , N1,

z′k = −∑i∈Z′

ik, k = 0, . . . , N1.

using PP and MSK, TA generates user secretkey related to the attribute set S as follows

{K1,i,K2,i}N1+3i=1 =

{gf1u2,ixvi , g−f1u1,ixvi

}N1+3

i=1,

{K3,i,K4,i}N1+3i=1 =

{gf2w2,ixzi , g−f2w1,ixzi

}N1+3

i=1,{

K′1,i,K′2,i

}ni=N1+4

={gf1u2,i , g−f1u1,i

}ni=N1+4

,{K′3,i,K

′4,i

}ni=N1+4

={gf2w2,i , g−f2w1,i

}ni=N1+4

.

Then, the secret key SKU associated with theattribute set S is set as

SKU = ( {K1,i,K2,i,K3,i,K4,i}N1+3i=1 ,{

K ′1,i,K′2,i,K

′3,i,K

′4,i

}ni=N1+4

).

• KeyGenS(k, PP ) → (PKS , SKS). The cloudserver generates the random number x ∈ Zqand creates PKS and SKS for the cloud server,where PKS = gx and SKS = x.• IndGen(PK,W )→ CT . Let W =

{w1, . . . , wl1

},

l1 ≤ l, be extracted keywords from EHR, andf =

∑l1t=0 ηtx

t be a polynomial such that,H(w1), . . . ,H(wl1) as the roots of f and ηt = 0,l1 < t ≤ l. Suppose P = {P1, . . . , PL} tobe the access structure with n1 < N1 wild-card, n2 < N2 positive and n3 < N3 negativepositions. Let J , V and Z be the sets of at-tributes positions with wildcard, positive andnegative values, respectively. To constructthe index corresponding to the access policyand keyword set W , data owner firstly com-putes Γ

V= +

∑i∈V

∏tj∈J (i− tj) and Γ

Z=

−∑i∈Z

∏tj∈J (i− tj) values and based on vi-

ete formula obtains the polynomial coefficientsrelated to the position of wildcards in the accesspolicy, namely {a0, . . . an1

}. The index vector is

v = (a0, . . . , an1, 0n1+1, . . . , 0N1

,ΓV,Γ

Z, (2)

η0, . . . , ηl).

To encrypt index vector v = (vi), data ownerselects random elements s, s1, s2, α, β ∈ Zq and,using the public parameters and public key ofthe cloud server, generates ciphertext as follows:

C1 = XsV s1 , C2 = XsY s2 , C3 = gs,

{C1,i, C2,i}ni=1 ={Us11,iV

viα, Us12,iVviα}ni=1

,

{C3,i, C4,i}ni=1 ={W s2

1,iYviβ ,W s2

2,iYviβ}ni=1

.

The encrypted index vector is as follows

CT = (C1, C2, C3, {C1,i, C2,i}ni=1 ,

{C3,i, C4,i}ni=1).

• TrapGen(PK,SK,Q)→ T. To generate the trap-door related to query keywords {wi1 , . . . , wim},data user generates the random numbursr1,i, r2,i ∈ Zq, i ∈ [n], computes qj =m−1

∑mt=1H(wit)

j , for 0 ≤ j ≤ l, and, usingthe public parameters and her/his secret key,creates trapdoor as

T1,i =

{A−1i K1,i, 1 ≤ i ≤ N1 + 3

A−1i

(K′1,i

)qi−N1−3 , N1 + 3 < i ≤ n,

T2,i =

{AiK2,i, 1 ≤ i ≤ N1 + 3

Ai(K′2,i

)qi−N1−3 , N1 + 3 < i ≤ n,

T3,i =

{B−1i K3,i, 1 ≤ i ≤ N1 + 3

B−1i

(K′3,i

)qi−N1−3 , N1 + 3 < i ≤ n,

T4,i =

{BiK4,i, 1 ≤ i ≤ N1 + 3

Bi(K′4,i

)qi−N1−3 , N1 + 3 < i ≤ n,

T ′1,i = g−u2,ir1,i , T ′1,i = gu1,ir1,i ,

T ′1,i = g−w2,ir2,i , T ′1,i = gw1,ir2,i ,

where Ai = V r1,i , Bi = Y r2,i and ti = ti.The trapdoor related to query keywords{wi1 , . . . , wim} is set as

T = ( {T1,i, T2,i, T3,i, T4,i}ni=1 ,{T ′1,i, T

′2,i, T

′3,i, T

′4,i

}ni=1

).

• Search(PP,CT,T)→ {0,1}. Applying public pa-rameters, each index associated with EHRs andtrapdoor, the cloud server checks equation

2∏j=1

n∏i=1

e(C1, T′j,i)e(C2, T

′j+2,i) (3)

4∏j=1

n∏i=1

e(Cj,i, Tj,i) = e(C3,

4∏j=1

n∏i=1

T ′j,i)x.

If Equation 3 is true, the output of the searchalgorithm will be 1, otherwise, 0.

4.3 Correctness

We now show the correctness of the test Equation 3:the cloud server check whether the attributes of thetrapdoor sender T satisfies the access structure embed-ded in the given encrypted index CT and CT containsall of the keywords specified by T.

e(C1, T′1,i) = e(XsV s1 , g−u2,ir1,i)

= e(gsx, T ′1,i)e(gs1γ , g−u2,ir1,i),

e(C1, T′2,i) = e(XsV s1 , gu1,ir1,i)

= e(gsx, T ′2,i)e(gs1γ , gu1,ir1,i),

e(C2, T′3,i) = e(XsY s2 , g−w2,ir2,i)

= e(gsx, T ′3,i)e(gs2θ, g−w2,ir2,i),

ISeCure


e(C2, T′4,i) = e(XsY s2 , gw1,ir2,i)

= e(gsx, T ′4,i)e(gs2θ, gw1,ir2,i),

Then, we have

2∏j=1

n∏i=1

e(C1, T′j,i)e(C2, T

′j+2,i) =

4∏j=1

n∏i=1

e(gsx, T ′j,i),

n∏i=1

e(g, g)s1γ r1,i(u1,i−u2,i)e(g, g)s2θ r2,i(w1,i−w2,i) =

e(g, g)−s1γ ∆1

∑n

i=1r1,i ·

e(g, g)−s2θ ∆2

∑n

i=1r2,ie(C3,

4∏j=1

n∏i=1

T ′j,i).

For 1 ≤ i ≤ N1 + 3,

e(C1,i, T1,i) = (Us11,iVviα, V −r1,igf1u2,ixvi ),

e(C2,i, T2,i) = (Us12,iVviα, V r1,ig−f1u1,ixvi ).

e(C3,i, T1,i) = (W s21,iY

viβ , Y −r2,igf2w2,ixzi ),

e(C2,i, T2,i) = (W s22,iY

viβ , Y r2,ig−f2w1,ixzi ).

and for N1 + 3 < i ≤ n,

e(C1,i, T1,i) = (Us11,iVviα, V −r1,igf1u2,iqi),

e(C2,i, T2,i) = (Us12,iVviα, V r1,ig−f1u1,iqi).

e(C3,i, T1,i) = (W s21,iY

viβ , Y −r2,igf2w2,iqi),

e(C2,i, T2,i) = (W s22,iY

viβ , Y r2,ig−f2w1,iqi).

Then,

4∏j=1

n∏i=1

e(Cj,i, Tj,i) =

N1+3∏i=1

e(g, g)s1γ r1,i(u2,i−u1,i)·

e(g, g)γ viαf1xvi(u2,i−u1,i)

=

N1+3∏i=1

e(g, g)s2θ r2,i(w2,i−w1,i)·

e(g, g)θ viβf2xzi(w2,i−w1,i)

=

n∏i=N1+4

e(g, g)s1γ r1,i(u2,i−u1,i)

e(g, g)γ viαf1qi(u2,i−u1,i)· (4)

=

n∏i=N1+4

e(g, g)s2θ r2,i(w2,i−w1,i)·

e(g, g)θ viβf2qi(w2,i−w1,i)

= e(g, g)s1γ ∆1

∑n

i=1r1,i ·

e(g, g)s2θ ∆2

∑n

i=1r2,i ·

e(g, g)γ αf1∆1(

∑N1+3

i=0vixvi

+∑n

i=N1+4viqi)·

e(g, g)θ βf2∆2(

∑N1+3

i=0vixzi

+∑n

i=N1+4viqi)

So if the attributes satisfy the access policies andquery keywords existed in an extracted keywordfrom the associated EHR or, in other words, theinner product values of < v, (xv||q0||. . . ||ql) > and< v, (xz||q0||. . . ||ql) > will be zero, the left-hand

Equation 3 equals to e(C3,∏4j=1

∏ni=1 T

′j,i).

5 Security and Performance Analysis

In this section, we analyze the security and perfor-mance of the proposed scheme.

5.1 Security Analysis

Theorem 1. Let the decisional Diffie-Hellman as-sumption hold in group G, then our proposed schemewith public parameters

PP = (g,G,GT , p, e,H, {U1,i, U2,i}ni=1 ,

{W1,i,W2,i}ni=1 , V, Y ),

be policy hiding ABKS scheme and secure resistanceselectively keyword guessing attack in the standardmodel.

Assume adversary A outputs v = (P0,W0) and x =(P1,W1) as challenge access policies and keyword sets.To proof the selective security of the proposed scheme,we apply a sequence of games and reduce each gameto the next. We can prove the indistinguishability ofthe encrypted form of v and x as follows:

• Game0. The challenge ciphertext in this gameis normal as follow:

CT ∗ = (XsV s1 , XsY s2 , gs,{Us11,iV


,{W s2

1,iYviβ ,W s2

2,iYviβ}ni=1

),

in which the access policy and keyword set are{v = (P0,W0), v = (P0,W0)}.

• Game1. Challenge ciphertext in this game is asfollows:



,{W s2

1,i,Ws22,i

}ni=1

),

in which the access policy and extracted key-word are {v = (P0,W0), (0, 0)}.• Game2. The challenge ciphertext in this game

is as follows:



,{W s2

1,iYxiβ ,W s2

2,iYxiβ}ni=1

),

in which the access policy and extracted key-word are {v = (P0,W0), x = (P1,W1)}.• Game3. The challenge ciphertext in this game

is as follows

CT ∗ = (XsV s1 , XsY s2 , gs,{Us11,i, U

s12,i

}ni=1

,{W s2

1,iYxiβ ,W s2

2,iYxiβ}ni=1

),

ISeCure


in which the access policy and extracted keywordare {v = (0, 0), x = (P1,W1)}.

• Game4. The challenge ciphertext in this gameis as follows


xiα, Us12,iVxiα}ni=1

,{W s2

1,iYxiβ ,W s2

2,iYxiβ}ni=1

),

in which the access policy and extracted key-word are {v = (P1,W1), x = (P1,W1)}.

Lemma 1. Let the decisional DDH assumption holds,there is no PPT adversary with non-negligible advan-tage to distinguish Game0 and Game1.

Proof. Suppose there exists an adversaryA such thatdistinguishes between Game0 and Game1 with non-negligible advantage ε, we construct a simulator Bwith advantage ε in breaking Assumption 3.1. On in-put (g, ga, gb, gab, Z), B simulates the following gamefor A.

• Setup. B selects random elements ∆1,∆2, γ, θ ∈Zq and u1,i, u2,i, w1,i, w2,i ∈ Zq for i ∈ [n] sothat ∆1 = γ(u2,i−u1,i) and ∆2 = θ(w2,i−w1,i).Then, for i ∈ [n], it sets

U1,i = gu1,i , U2,i = gu2,i

W1,i = gw1,i(gb)θvi ,W2,i = gw2,i(gb)θvi

V = gγ , Y = gθ.

In the end, B sends the public parameters


{W1,i,W2,i}ni=1 , V, Y ),

to A.• Phase1. B can generate normal keys in response

to requested attributes of A by using the keygeneration algorithm and normal trapdoor inresponse to requested keywords of A by usingthe trapdoor generation algorithm.

• Challenge. To generate the challenge cipher-text, B considers random elements as

s2 = a, β = b,

and selects s1 ∈ Zq. Then, B sets

C1 = XsV s1 , C2 = Xs(gb)θvi , C3 = gs,

{C1,i, C2,i}ni=1 ={Us11,iV


,

{C3,i, C4,i}ni=1 ={(ga)w1,iZviθ, (ga)w2,iZviθ

}ni=1

.

• Phase2. B does as in phase 1.• Guess. If Z = gab, then B simulates Game1 as

follows

{C3,i, C4,i}ni=1 ={(ga)w1,i (gab)viθ, (ga)w2,i (gab)viθ

}ni=1

={(gw1,i (gθ)vib)a, (gw2,i (gθ)vib)a

}ni=1

={W s2

1,i,Ws22,i

}ni=1

.

If Z = gabgr for r selected randomly in Zq,then B simulates Game0 with β = r as follows

{C3,i, C4,i}ni=1 ={(ga)w1,i(gabgr)viθ, (ga)w2,i(gabgr)viθ

}ni=1

={(gw1,i(gθ)vib)a(gθ)vir, (gw2,i(gθ)vib)a(gθ)vir

}ni=1

={W s2

1,iYviβ ,W s2

2,iYviβ}ni=1

.

Therefore, if A distinguishes Game0 andGame1, B can solve the DDH problem.

Lemma 2. Let decisional DDH assumption holds,there is no PPT adversary with non-negligible advan-tage to distinguish Game1 and Game2.

Proof. Suppose there is an adversary A such thatdistinguishes between Game0 and Game1 withnon-negligible advantage ε, we construct a simu-lator B with advantage ε in breaking Assumption3.1. B simulates the following game for A on input(g, ga, gb, gab, Z),.

• Setup. B selects random elements ∆1,∆2, γ, θ ∈Zq and u1,i, u2,i, w1,i, w2,i ∈ Zq for i ∈ [n] sothat ∆1 = γ(u2,i−u1,i) and ∆2 = θ(w2,i−w1,i).Then for i ∈ [n], it sets

U1,i = gu1,i , U2,i = gu2,i ,

W1,i = gw1,i(gb)θvi ,W2,i = gw2,i(gb)θxi ,

V = gγ , Y = gθ.

In the end, B sends the public parameters


{W1,i,W2,i}ni=1 , V, Y ),

to A.• Phase1. Using the key and trapdoor generation

algorithms, B generates normal keys and nor-mal trapdoors in response to As requested at-tributes and keywords, respectively.

• Challenge. To generate challenge ciphertext, Bconsiders random elements as

s2 = a, β = b,

and selects s1 ∈ Zq. Then, B sets

C1 = XsV s1 , C2 = Xs(gb)θvi , C3 = gs,

{C1,i, C2,i}ni=1 ={Us11,iV


{C3,i, C4,i}ni=1 ={(ga)w1,iZviθ, (ga)w2,iZviθ

}ni=1

.

• Phase2. B does as in phase 1.

ISeCure


• Guess. If Z = gab, then B simulates Game1 asfollows

{C3,i, C4,i}ni=1 ={(ga)w1,i(gab)viθ, (ga)w2,i(gab)xiθ

}ni=1

={(gw1,i(gθ)vib)a, (gw2,i(gθ)xib)a

}ni=1

={W s2

1,i,Ws22,i

}ni=1

.

If Z = gabgr for r randomly selected in Zq,then B simulates Game2 with β = r as follows

{C3,i, C4,i}ni=1 ={(ga)w1,i (gabgr)viθ, (ga)w2,i (gabgr)xiθ

}ni=1

={(gw1,i (gθ)vib)a(gθ)vir, (gw2,i (gθ)vib)a(gθ)xir

}ni=1

={W s2

1,iYviβ ,W s2

2,iYxiβ}ni=1

.

Therefore, if A can distinguish Game1 andGame2, B can solve the DDH problem.

The rest of distinguishablities are as follows: Dis-tinguishably between game2 to game3 is provedin the same way as Lemma 2. Distinguishably be-tween game3 to game4 is proved in the same way asLemma 1.

5.2 Performance Analysis

In this section, we compare our scheme firstly in thefunctionalities and then in the efficiency with theprevious related works.

5.2.1 Functionality comparison

Table 2. Comparison of previous ABKS schemes with the proposed

schemes in terms of security, efficiency and functionality

Schemes [43] [24] [10, 25, 26, 45] [48] [13] [51] Ours

Prime Order X X X X X X X

Access Structure AG LSSS T AG MBF AG AG

Hidden Policy PH FH - PH - PH FH

Wildcard - - - X - X X

Searchability X X X X X X X

Multi-Keyword - - X X X X X

Designated server - - - - X - X

Standard Model - - - X - X X

Note: AG=AND-Gate, LSSS=Linear Secret Sharing Schemes,T=Tree, MBF=Monotone Boolean Function, FH=Fully Hidden,

PH= Partially Hidden.

Table 2 compares the functionalities of the proposedscheme with that of the state-of-the-art schemes [10,13, 24–26, 43, 45, 48, 51] that support fine-grained ac-cess control and search over encrypted data. In[10, 13,25, 26, 45, 48, 51], we observe that the schemes canprovide multi-keyword search in prime order groups.

However, the proposed scheme in [10, 13, 25, 26, 45]do not support the security in the standard modeland the privacy of the attributes in the access struc-ture. Moreover, the only secure channel free scheme isproposed in [13]. According to the above comparisonsindicated in Table 2, none of the previous state-of-the-art schemes has all the features of our scheme at thesame time.

To compare the performance of our scheme withthat of the previous related ones, we use python pro-gramming in windows 10 operation system. The ex-perimental results are obtained by the processor In-tel(R) Core(TM) i7-7500U CPU @ 2.70 GHz 2.90 GHz.We evaluate the performance of our scheme, the CP-ABKS scheme in [26], the ABKS-UR scheme in [25],and ABKS-SM scheme in [24] . For the theoreticalanalysis, we focus on the computational cost and onlyon costly operations, i.e., bilinear pairing operation P,hash operation H, exponentiation operation E (resp.ET ) in group G (resp. GT ), in Table 3. In Figure 2 (a)and (b), the diagrams depict the efficiency of the keygeneration algorithm and the ciphertext generation al-gorithm for various number of attributes, respectively.We observe that as the number of attributes increases,the running time of both algorithms in the CP-ABKSscheme increases almost linearly, while the runningtime increasing of these algorithms in the other threeschemes is not significant. So, our scheme performanceis almost similar to that of the ABKS-UR and ABKS-SM schemes and better than the CP-ABKS scheme.Figure 3 (a) compares the time cost of the trapdoorgeneration algorithm in the four schemes. As the num-ber of attributes increases, the running time of theCP-ABKS, ABKS-UR, and ABKS-SM schemes in-creases almost linearly, while increasing the numberof attributes has no multiplier effect in the runningtime of this algorithm in our scheme. Furthermore, ifthe number of attributes is greater than about 45, ourscheme performance is better than the previous threeones.

5.2.2 Experimental evaluation

Figure 3 (b) confirms that increasing the number of at-tributes has less effect on our scheme than the increas-ing running time of the search algorithm, compared tothe three previous schemes. Despite the functionalitiesand privacy provided, the efficiency of the proposedscheme is reasonable compared to three previous ones.

6 Conclusion

In this paper, we proposed an attribute-based en-cryption scheme with keyword search and designatedserver. Supporting hidden access policy and multi-keyword search, our scheme is suitable for secure out-

ISeCure


sourcing large volume of sensitive data such as elec-tronic health records in the healthcare system. Sincethe attributes in the access policy may leak informa-tion about encrypted data and data users privilege,the hidden access policy can play an important rolein protecting sensitive data. To the best of our knowl-edge, there is no secure channel free ABE scheme withmulti-keyword search and hidden access policy, at thesame time. Furthermore, in comparison to the pre-vious works, our scheme is the first multi-keywordsearchable encryption that is selectively secure againstKGA in the standard model. Finally, we demonstratedthat despite the added functionalities, performance ofour scheme is reasonable.

(a) Key generation algorithm for different number of at-tributes

(b) Ciphertext generation algorithm for different number ofattributes

Figure 2. Time cost of two algorithms

References

[1] Parvaneh Asghari, Amir Masoud Rahmani, andHamid Haj Seyyed Javadi. Internet of thingsapplications: A systematic review. ComputerNetworks, 148:241–261, 2019.

[2] Parvaneh Asghari, Amir Masoud Rahmani, andHamid Haj Seyyed Javadi. A medical monitoringscheme and health-medical service compositionmodel in cloud-based iot platform. Transactionson Emerging Telecommunications Technologies,30(6):e3637, 2019.

(a) Key generation algorithm for different number of at-tributes

(b) Ciphertext generation algorithm for different number ofattributes

Figure 3. Time cost of two algorithms

[3] Amit Sahai and Brent Waters. Fuzzy identity-based encryption. In Annual International Con-ference on the Theory and Applications of Cryp-tographic Techniques, pages 457–473. Springer,2005.

[4] Vipul Goyal, Omkant Pandey, Amit Sahai, andBrent Waters. Attribute-based encryption forfine-grained access control of encrypted data. InProceedings of the 13th ACM conference on Com-puter and communications security, pages 89–98.Acm, 2006.

[5] John Bethencourt, Amit Sahai, and Brent Waters.Ciphertext-policy attribute-based encryption. In2007 IEEE symposium on security and privacy(SP’07), pages 321–334. IEEE, 2007.

[6] Zhiguo Wan, Jun’e Liu, and Robert H Deng.Hasbe: A hierarchical attribute-based solutionfor flexible and scalable access control in cloudcomputing. IEEE transactions on informationforensics and security, 7(2):743–754, 2011.

[7] Majid Bayat and Mohammad Reza Aref. Anattribute-based tripartite key agreement protocol.International Journal of Communication Systems,28(8):1419–1431, 2015.

[8] Majid Bayat, Hamid Reza Arkian, and Moham-

ISeCure


Table 3. Computational cost comparison

Schemes CP-ABKS [26] ABKS-UR [25] ABKS-SM [24] Ours

KeyGen (2n+ 2)E + nH (2n+ 1)E + ET (2n+ 4)E + ET +H (8n+ 1)E

IndGen (2n+ 4)E + nH (n+ 1)E + ET (n+ 5)E + 3ET (4(n+ w + l1) + 13)E

TrapGen (2n+ 4)E (2n+ 1)E (2n+ 1)E (4(n−N1)− 5)E

Search (2n+ 3)P + nET (n+ 1)P + ET (2n+ 1)P + ET (12n+ 1)P + E

mad Reza Aref. A revocable attribute based datasharing scheme resilient to dos attacks in smartgrid. Wireless Networks, 21(3):871–881, 2015.

[9] Zhenhua Liu, Shuhong Duan, Peilin Zhou,and Baocang Wang. Traceable-then-revocableciphertext-policy attribute-based encryptionscheme. Future Generation Computer Systems,2017.

[10] Yinbin Miao, Jianfeng Ma, Ximeng Liu, XinghuaLi, Qi Jiang, and Junwei Zhang. Attribute-basedkeyword search over hierarchical data in cloudcomputing. IEEE Transactions on Services Com-puting, pages –, 2017.

[11] Zehong Chen, Fangguo Zhang, Peng Zhang,Joseph K Liu, Jiwu Huang, Hanbang Zhao, andJian Shen. Verifiable keyword search for securebig data-based mobile healthcare networks withfine-grained authorization control. Future Gen-eration Computer Systems, 87:712–724, 2018.

[12] Saeid Rezaei, M Ali Doostari, and Majid Bayat. Alightweight and efficient data sharing scheme forcloud computing. International Journal of Elec-tronics and Information Engineering, 9(2):115–131, 2018.

[13] Qian Xu, Chengxiang Tan, Wenye Zhu, Ya Xiao,Zhijie Fan, and Fujia Cheng. Decentral-ized attribute-based conjunctive keyword searchscheme with online/offline encryption and out-source decryption for cloud computing. FutureGeneration Computer Systems, 97:306–326, 2019.

[14] Kobra Alimohammadi, Majid Bayat, andHamid HS Javadi. A secure key-aggregate au-thentication cryptosystem for data sharing indynamic cloud storage. Multimedia Tools andApplications, 79(3):2855–2872, 2020.

[15] Dawn Xiaoding Song, David Wagner, and AdrianPerrig. Practical techniques for searches on en-crypted data. In Security and Privacy, 2000.S&P 2000. Proceedings. 2000 IEEE Symposiumon, pages 44–55. IEEE, 2000.

[16] Dan Boneh, Giovanni Di Crescenzo, Rafail Os-trovsky, and Giuseppe Persiano. Public key en-cryption with keyword search. In Internationalconference on the theory and applications of cryp-tographic techniques, pages 506–522. Springer,2004.

[17] Aniseh Najafi, Hamid Haj Seyyed Javadi, and

Majid Bayat. Verifiable ranked search over en-crypted data with forward and backward privacy.Future Generation Computer Systems, 101:410–419, 2019.

[18] Jin Wook Byun, Hyun Suk Rhee, Hyun-A Park,and Dong Hoon Lee. Off-line keyword guessingattacks on recent keyword search schemes overencrypted data. In Workshop on Secure DataManagement, pages 75–83. Springer, 2006.

[19] Wei-Chuen Yau, Raphael C-W Phan, Swee-HuayHeng, and Bok-Min Goi. Keyword guessing at-tacks on secure searchable public key encryptionschemes with a designated tester. InternationalJournal of Computer Mathematics, 90(12):2581–2587, 2013.

[20] Joonsang Baek, Reihaneh Safavi-Naini, and WillySusilo. Public key encryption with keywordsearch revisited. In International conferenceon Computational Science and Its Applications,pages 1249–1259. Springer, 2008.

[21] Hyun Sook Rhee, Jong Hwan Park, Willy Susilo,and Dong Hoon Lee. Trapdoor security in asearchable public-key encryption scheme with adesignated tester. Journal of Systems and Soft-ware, 83(5):763–771, 2010.

[22] Chengyu Hu and Pengtao Liu. An enhancedsearchable public key encryption scheme with adesignated tester and its extensions. J. Comput,7(3):716–723, 2012.

[23] Yang Yang and Maode Ma. Conjunctive keywordsearch with designated tester and timing enabledproxy re-encryption function for e-health clouds.IEEE Transactions on Information Forensics andSecurity, 11(4):746–759, 2016.

[24] Yinbin Miao, Ximeng Liu, Kim-Kwang RaymondChoo, Robert H Deng, Jiguo Li, Hongwei Li, andJianfeng Ma. Privacy-preserving attribute-basedkeyword search in shared multi-owner setting.IEEE Transactions on Dependable and SecureComputing, 2019.

[25] Wenhai Sun, Shucheng Yu, Wenjing Lou,Y Thomas Hou, and Hui Li. Protecting your right:Verifiable attribute-based keyword search withfine-grained owner-enforced search authorizationin the cloud. IEEE Transactions on Parallel andDistributed Systems, 27(4):1187–1198, 2014.

[26] Yinbin Miao, Jianfeng Ma, Ximeng Liu, Fushan

ISeCure


Wei, Zhiquan Liu, and Xu An Wang. m2-abks:Attribute-based multi-keyword search over en-crypted personal health records in multi-ownersetting. Journal of medical systems, 40(11):246,2016.

[27] Yinbin Miao, Jianfeng Ma, Ximeng Liu, JianWeng, Hongwei Li, and Hui Li. Lightweight fine-grained search over encrypted data in fog comput-ing. IEEE Transactions on Services Computing,2018.

[28] Yinbin Miao, Jianfeng Ma, Ximeng Liu, XinghuaLi, Zhiquan Liu, and Hui Li. Practical attribute-based multi-keyword search scheme in mobilecrowdsourcing. IEEE Internet of Things Journal,5(4):3008–3018, 2017.

[29] Takashi Nishide, Kazuki Yoneyama, and KazuoOhta. Attribute-based encryption with partiallyhidden encryptor-specified access structures. InInternational conference on applied cryptographyand network security, pages 111–129. Springer,2008.

[30] Junzuo Lai, Robert H Deng, and Yingjiu Li. Fullysecure cipertext-policy hiding cp-abe. In Interna-tional conference on information security practiceand experience, pages 24–39. Springer, 2011.

[31] Tran Viet Xuan Phuong, Guomin Yang, andWilly Susilo. Hidden ciphertext policy attribute-based encryption under standard assumptions.IEEE transactions on information forensics andsecurity, 11(1):35–45, 2015.

[32] Cancan Jin, Xinyu Feng, and Qingni Shen. Fullysecure hidden ciphertext policy attribute-basedencryption with short ciphertext size. In Proceed-ings of the 6th International Conference on Com-munication and Network Security, pages 91–98.ACM, 2016.

[33] Yinghui Zhang, Dong Zheng, and Robert HDeng. Security and privacy in smart health: Effi-cient policy-hiding attribute-based access control.IEEE Internet of Things Journal, 5(3):2130–2145,2018.

[34] Fawad Khan, Hui Li, Liangxuan Zhang, and JianShen. An expressive hidden access policy cp-abe.In 2017 IEEE Second International Conferenceon Data Science in Cyberspace (DSC), pages 178–186. IEEE, 2017.

[35] Hong Zhong, Wenlong Zhu, Yan Xu, and JieCui. Multi-authority attribute-based encryptionaccess control scheme with policy hidden for cloudstorage. Soft Computing, 22(1):243–251, 2018.

[36] Hu Xiong, Hao Zhang, and Jianfei Sun. Attribute-based privacy-preserving data sharing for dy-namic groups in cloud computing. IEEE SystemsJournal, 2018.

[37] Sana Belguith, Nesrine Kaaniche, MarylineLaurent, Abderrazak Jemai, and Rabah Attia.

Phoabe: Securely outsourcing multi-authority at-tribute based encryption with policy hidden forcloud assisted iot. Computer Networks, 133:141–156, 2018.

[38] Leyou Zhang, Yilei Cui, and Yi Mu. Improvingsecurity and privacy attribute based data shar-ing in cloud computing. IEEE Systems Journal,pages –, 2019.

[39] Hassan Nasiraee and Maede Ashouri-Talouki.Anonymous decentralized attribute-based accesscontrol for cloud-assisted iot. Future GenerationComputer Systems, 2020.

[40] Qingji Zheng, Shouhuai Xu, and Giuseppe Ate-niese. Vabks: verifiable attribute-based keywordsearch over outsourced encrypted data. In IEEEINFOCOM 2014-IEEE Conference on ComputerCommunications, pages 522–530. IEEE, 2014.

[41] Payal Chaudhari and Manik Lal Das. A 2 bse:Anonymous attribute based searchable encryp-tion. In 2017 ISEA Asia Security and Privacy(ISEASP), pages 1–10. IEEE, 2017.

[42] Yinbin Miao, Jianfeng Ma, Ximeng Liu, ZhiquanLiu, Limin Shen, and Fushan Wei. Vmkdo: Veri-fiable multi-keyword search over encrypted clouddata for dynamic data-owner. Peer-to-Peer Net-working and Applications, 11(2):287–297, 2018.

[43] Shuo Qiu, Jiqiang Liu, Yanfeng Shi, and RuiZhang. Hidden policy ciphertext-policy attribute-based encryption with keyword search againstkeyword guessing attack. Science China Infor-mation Sciences, 60(5):052105, 2017.

[44] Payal Chaudhari and Manik Lal Das. Keysea:Keyword-based search with receiver anonymityin attribute-based searchable encryption. IEEETransactions on Services Computing, 2020.

[45] Yang Chen, Wenmin Li, Fei Gao, KaitaiLiang, Hua Zhang, and Qiaoyan Wen. Practi-cal attribute-based conjunctive keyword searchscheme. The Computer Journal, 2019.

[46] Laicheng Cao, Yifan Kang, Qirui Wu, Rong Wu,Xian Guo, and Tao Feng. Searchable encryptioncloud storage with dynamic data update to sup-port efficient policy hiding. China Communica-tions, 17(6):153–163, 2020.

[47] Haijiang Wang, Xiaolei Dong, and Zhenfu Cao.Multi-value-independent ciphertext-policy at-tribute based encryption with fast keyword search.IEEE Transactions on Services Computing, 2017.

[48] Lixue Sun and Chunxiang Xu. Hidden policyciphertext-policy attribute based encryption withconjunctive keyword search. In 2017 3rd IEEEInternational Conference on Computer and Com-munications (ICCC), pages 1439–1443. IEEE,2017.

[49] Jonathan Katz, Amit Sahai, and Brent Waters.Predicate encryption supporting disjunctions,

ISeCure


polynomial equations, and inner products. In an-nual international conference on the theory andapplications of cryptographic techniques, pages146–162. Springer, 2008.

[50] Adi Shamir. Identity-based cryptosystems andsignature schemes. In Workshop on the theoryand application of cryptographic techniques, pages47–53. Springer, 1984.

[51] Mukti Padhya and Devesh Jinwala. A novelapproach for searchable cp-abe with hiddenciphertext-policy. In International Conferenceon Information Systems Security, pages 167–184.Springer, 2014.

Aniseh Najafi recieved the Ph.D.degree in mathematics and computerSciences at Shahed University inTehran, Iran. She received her B.S.and M.S. degrees from the Depart-ment of Mathematics and ComputerSciences at Tehran University and

Shahed University, respectively. Her interested area iscryptography.

Majid Bayat is an assistant profes-sor of computer engineering of Sha-hed University, Tehran, Iran. His re-search interests include IoT, E-health,smart grid, VANET and V2G. He hasauthored over 30 papers in interna-tional journals and conferences in theabove areas.

Hamid Haj Seyyed Javadi re-ceived the B.S., M.S., and Ph.D. de-grees from Amir Kabir University. Heis currently a full-time faculty mem-ber and a professor of Shahed Univer-sity. His research interests are alge-bra, computer algebra, and wireless

networks and security.

ISeCure

privacy preserving attribute-based encryption with

Documents