secure and efficient searchable public key encryption for...

Research ArticleSecure and Efficient Searchable Public Key Encryption forResource Constrained Environment Based on Pairings underPrime Order Group

Yu Zhang 1 Yin Li 1 and Yifan Wang2

1School of Computer and Information Technology Xinyang Normal University Xinyang 464000 China2Wayne State University 42 WWarren Ave Detroit MI 48202 USA

Correspondence should be addressed to Yu Zhang willow1223126com

Received 20 December 2018 Revised 25 February 2019 Accepted 28 April 2019 Published 13 May 2019

Academic Editor Stelvio Cimato

Copyright copy 2019 Yu Zhang et alThis is an open access article distributed under theCreative CommonsAttribution License whichpermits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

Searchable public key encryption scheme is a key technique for protecting data confidentiality in todayrsquos cloud environmentSpecifically public key encryption with conjunctive and disjunctive keyword search (PECDK) can provide flexible search optionswithout sacrificing keywords security and thus attracts a lot of attention nowadays However the most effective PECDK scheme isbased on the inner product encryption (IPE) which needs more time and space cost In this paper by utilizing the bilinear pairingwith a prime order group we propose an efficient PECDK scheme needing less time and storage consumptionTheproposed schemeis proven to be secure under a rigorous security definition The theoretical analysis and experimental results demonstrate that ourproposed scheme can significantly improve the time and space efficiency over the state-of-the-art scheme

1 Introduction

In the era of big data more and more companies andindividuals are willing to share their data over the cloudplatform If the data is stored in plaintext form the cloudservice providers can easily access and analyze the dataillegally which may lead to a big threaten to some sensitivedata eg electronic health and personal credit records Toprotect data privacy encrypting data before outsourcingit to the cloud server is a common approach But thisbrings a new issue of how to perform keyword searchover these unreadable ciphertext A straightforward solutionis to download all the encrypted data to the client anddecrypt it After obtaining all unencrypted data users canutilize the common information retrieval technique usedon the plaintext to perform keywords query However thisapproach requires a very high communication storage andcomputing costs which are not applicable for large scalenetworks This issue put forward a new challenge how toeffectively search for encrypted data without decrypting itfirst

Searchable encryption (SE) is a promising method toaddress this problem SE can be classified into two cate-gories according to its applications searchable symmetrickey encryption (SSE) and searchable public key encryption(SPE) Based on many researchersrsquo work these years SSE cansupport advanced query conditions like Boolean keywordssearch multikeywords rank search and top-119896 similaritykeywords search Works [1ndash3] dealt with multikeywordssearch where the query condition contains more than onekeyword Considering the fact that it is not practical to returnall the search results more recent works like [4ndash6] focusedon the multikeywords rank search Sometimes users want tosearch documents related to their query keywords rather thanthe documents that precisely match those keywords The SSEschemes supporting similarity keywords search were createdto address this issue [7 8]

Conversely SPE is difficult to support advanced searchfunction without sacrificing security as anyone who has thepublic key (119901119896) can create encrypted index or ciphertextand easily perform chosen keywords attack In addition theSSE scheme is generally more efficient than the SPE scheme

HindawiSecurity and Communication NetworksVolume 2019 Article ID 5280806 14 pageshttpsdoiorg10115520195280806

2 Security and Communication Networks

Semi-trusted CloudServer

Data Senders(Data Owners)

Encrypted Document

Encrypted Index

Trapdoor

Public key

Search ResultData Receiver(Data User)

Figure 1 Architecture of searchable public key encryption (SPE)

Although the SPE scheme has these weaknesses it still holdssome advantages for many applications Specifically for theapplication in which there are many data senders and onlyone data receiver (Figure 1) SSE needs that all senders andthe receiver hold the same symmetric key to generate theencrypted data So if one of the senders is compromised byan adversary then the data for all senders will be leakedCompared with SSE in SPE the public key can be accessedby all senders and the private key is only given to the receiverThus SPE can naturally solve the security problem of keymanagement in this application [9] and is an irreplaceablesolution

The first SPE named as public key encryption withkeyword search (PEKS) was introduced in [10] in whichsenders who hold 119901119896 can send their encrypted documentswith encrypted indexes to a server and the receiver holdingsecret key (119904119896) canmake a keyword search over the encrypteddata However this scheme only supports a single keywordsearch How to construct a public key encryption schemesupporting a complex query conditions such as the Booleankeyword search is a significant problem Specifically as twotypical Boolean keyword search schemes conjunctive anddisjunctive keyword search over encrypted data in the publickey setting are needed to be developed

Park et al [11] first proposed the public key encryptionwith conjunctive keyword search (PECK) scheme that sup-ports keywords search like 1199081 and 1199082 and 1199083 where 1199081 1199082and 1199083 are query words After that many PECK schemes[12 13] were proposed to improve the efficiency and securityThe first public key encryption with disjunctive keywordsearch (PEDK) scheme was proposed by Katz et al [14] Intheir work they proposed an inner product encryption (IPE)scheme and converted this IPE scheme into a PEDK scheme

which supports keywords search like 1199081 or1199082 or1199083 In an IPEscheme the secret key corresponding to a predicate vector 997888rarrVcan decrypt the ciphertext associated with an attribute vector997888rarr119909 if and only if 997888rarr119909 sdot 997888rarrV = 0 According to this property weknow that by converting index and query keyword set into anattribute and a predicate vector respectively an IPE schemecan be changed into a SPE scheme supportingmultikeywordssearch

In the practical cloud environment the user usuallyperform conjunctive and disjunctive keywords search simul-taneously In [15] Zhang and Lu proposed an approachof converting an IPE scheme into a public key encryptionwith conjunctive and disjunctive keyword search (PECDK)scheme and gave a concrete scheme In their scheme thesize of each documentrsquos index the size of a trapdoor andthe time cost of pairing operations in the test process are all119874(119873) Since119873 is the number of keywords in a dictionary theprevious PECDK scheme is impractical if119873 is a large integerInspired by this problem we proposed a new approach tobuild an efficient PECDK scheme with less time and spaceoverhead [16] However these two PECDK schemes are basedon the IPE scheme [17] which is a costly cryptographicprototype In this paper we aim to build an efficient PECDKscheme using an alternative method

Main Works In the scheme introduced in [17] the userfirst converts an index and a query keyword set into anattribute and a predicate vector respectively After this theuser can construct encrypted index and trapdoor by applyingthe attribute and predicate vectors to the encryption and keygeneration algorithms of IPE The keyword search processcan be executed by adopting the decryption algorithm ofIPE However this scheme is constructed by utilizing manygroup operations due to being based on the IPE scheme The

Security and Communication Networks 3

IPE scheme adopts a technique called dual pairing vectorspace (DPVS) which generates 1198992 group elements to createthe public key and secret key By using these keys both thestorage size of the obtained indices and the time cost of thesearch process are linear with119874(1198992) To address this issue weaim to create an efficient PECDK scheme without using IPEas the infrastructure We take advantage of the conversionmethod similar to the one introduced in [16] for creating agroup of vectorsThen by applying these vectors to the primeorder pairing groups a PECDK scheme with a better timeand space complexity than the previous schemes is presentedSecurity of our construction is based ondecision linearDiffie-Hellman (DLIN) assumption in the random oracle model Inaddition we design an experiment that verifies the efficiencyof the proposed scheme and give a detailed comparison withthe previous scheme The experiment result shows that thekey generation index building trapdoor generation andtesting algorithms in our scheme aremore efficient than thosein the previous one Besides the space cost for indices in ourscheme is also less than that in the previous one In practiceclient device eg a mobile device has less storage spaceand limited computation capacity Thus compared with theprevious scheme ours is much more suitable for the resourceconstrained environment

RelatedWork There are two classes of searchable encryp-tion schemes in terms of different cryptography primitivessearchable symmetric key encryption (SSE) and searchablepublic key encryption (SPE)

SSE Song et al [18] introduced the definition of searchingon encrypted data and gave a concrete scheme Then Goh[19] defined a formal security definition for SSE and presentedan effective conjunctive keywords search scheme by using atechnique called Bloom Filter Soon afterward many works[20 21] were constructed to improve the search efficiencyand security levelThese schemes failed to achieve a sublinearsearch speed To address this issue by taking advantage oftree structures such as r-tree and kd-tree SSE schemes withsublinear search time were released in [22 23] The SSEscheme supporting Boolean keywords search with sublinearsearch time was given in [24] In order to support querieswith rich expressiveness SSE schemes supporting media dataand similarity keywords search are introduced in [25 26]More important these works also support dynamic updateIn practical application the search engine should returnthe top-119896 related documents to users instead of returningall the search results Some SSE schemes supporting ranksearch are proposed in [4ndash6] to obtain more accurate queryresults

SPE The first SPE scheme is called public key encryptionwith keyword search (PEKS) which was proposed by Bonehet al [10] Then Abdalla et al [27] defined the compu-tational and statistical consistency in PEKS and presenteda statistically consistent scheme However this work onlysupports a single keyword search The concept of PECK wasfirst proposed in [11] They defined the security model ofthis mechanism and gave two constructions One requiresmany bilinear pairing operations while the other needsmore private keys Hwang and Lee [28] designed a more

efficient scheme in amultiple users setting However all theseconstructions use the keyword field as additional informationfor keyword search The keyword field may leak more infor-mation to the public To eliminate the keyword field Bonehand Waters [29] presented a public key encryption schemecalled hidden vector encryption (HVE) which supports aconjunctive search comparison queries (119909 ge 119886) and subsetqueries (119909 isin 119878) on encrypted data

In order to create a SPE scheme supporting disjunctivekeyword search katz et al [14] proposed a public keyencryption scheme called inner product encryption (IPE)which is related to the attribute-based encryption (ABE)[30 31] Recently in order to better utilize the encrypteddata and improve the security some public key schemeswhich can support verifiable attribute-based search overoutsourced encrypted data are proposed in [32ndash37] Forsupporting advanced keywords search function Zhang andLu proposed the first PECDK scheme [15] by combiningan efficient IPE scheme [17] and a keyword conversionmethod However their scheme is a costly solution due tousing an IPE scheme In fact the PECDK scheme basedon an IPE scheme needs more computation and storagecost than the one without utilizing an IPE scheme as afoundation Therefore in this paper we will find a newmethod irrelevant to IPE to construct amore efficient PECDKscheme

Organization The remainder of the paper is organized asfollows The model and security definitions of PECDK aredefined in Section 2 In Section 3 we propose our PECDKscheme and give the security proof for the scheme Theanalysis of the presented PECDK scheme is described inSection 4 Section 5 presents some conclusions

2 Preliminaries

In this section we will give a formal definition of the PECDKmodel and the corresponding security model Our schemeis based on this model and proven to be secure under thissecurity model Moreover we also briefly introduce somebasic ingredients used to create our scheme including thebilinear pairing and the complexity assumption

21 Model of PECDK In PECDK let 119901119896 119904119896 be the receiverrsquospublic key and secret key When a sender wants to send amessage 119872 to a receiver with keywords 1199081 1199082 119908119899 sheuses the standard public key encryption system to encrypt119872 and uses 119901119896 and keywords 1199081 1199082 119908119899 to construct theencrypted index of 119872 After that she sends the encryptedmessage119872 and the encrypted index of119872 to the serverWhenthe receiver wants to retrieve messages including a specificlist of keywords he takes the 119904119896 a symbol and keyword set119876 as input to construct a trapdoor 119879119876 and sends 119879119876 to theserver Note that the symbol is used to refer to the type ofquery eg conjunctive form or disjunctive form When theserver receives the trapdoor it tests each encrypted index byusing the trapdoor and returns the matched messages to thereceiver


According to the description above we give the model ofPECDK based on the previous definition introduced in [16]

Definition 1 There are four probabilistic polynomial timealgorithms in the PECDK scheme There are KenGenIndexBuild Trapdoor and Test

(1) KeyGen(1120574) choosing a security parameter 120574 thisalgorithm outputs the key pair (119901119896 119904119896) in which 119901119896is the public key and 119904119896 is the secret key

(2) IndexBuild(119901119896W) the algorithm is performed by thesender to produce an encrypted index 119868119882 by using akeyword set119882 = 1199081 1199082 119908119899 and 119901119896

(3) Trapdoor(119904119896119876 119904119910119898) the receiver runs this algo-rithm to produce a trapdoor It takes 119904119896 119904119910119898 isinor and and the keyword query 119876 = 1199021 1199022 119902119898as input to generate a trapdoor 119879119876 where 119898 le 119899 orandand represent disjunctive and conjunctive keywordssearch respectively

(4) Test(119901119896119879119876 119868119882) it takes the trapdoor 119879119876 = 119905119876 119904119910119898the secure index 119868119882 and the public key 119901119896 as input If119904119910119898 is and it means that the trapdoor is for conjunctivekeywords search In this case the output is 1 if 119876 sube119882 or 0 otherwise If 119904119910119898 is or disjunctive keywordssearch should be performed In this case if119876cap119882 = 120601it outputs 1 or 0 otherwise

Correctness Property Let 119876 119904119910119898 and 119882 be a query and akeyword set respectively Suppose that 119901119896 119904119896 119868119882 and 119879119876are correctly generated by 119870119890119910119866119890119899(120574) 119868119899119889119890119909119861119906119894119897119889(119901119896119882)and 119879119903119886119901119889119900119900119903(119904119896 119876 119904119910119898) respectively The correctnessproperty of PECDK involves two situations described asfollows

(1) When there is a conjunctive keywords search (119904119910119898 isand) 119879119890119904119905(119901119896 119879119876 119868119882) = 1 holds if 119876 sube 119882 Otherwiseit holds with negligible probability

(2) When there is a disjunctive keywords search (119904119910119898is or) 119879119890119904119905(119901119896 119879119876 119868119882) = 1 holds if 119876 cap 119882 = 120601Otherwise it holds with negligible probability

In practical use if a sender would like to send a message119872 with keyword set 119882 a ciphertext with the form of119864119899119888(119901119896119872) 119868119899119889119890119909119861119906119894119897119889(119901119896119882) will be created where119864119899119888(sdot) is a frequently used public key encryption scheme egRSA Similarwith other relatedworks [10 11 28] the proposalonly concentrate on searchable encryption part which isPECDK in this paper

22 Security Definition of PECDK Since previous PECDKschemes are based on the IPE scheme the security defini-tion also depends on the security of IPE For the PECDKscheme without using IPE we need to give a new securitydefinition Inspired by the previous security definition calledindistinguishability of ciphertext from random (IND-CR-CKA) introduced in [28] we define a security game underthe PECDK model

The security game is described as follows

(1) Setup the challenger C runs the KeyGen(1120574) algo-rithm to generate the public key 119901119896 and the secret key119904119896 Then C gives 119901119896 to the attacker A

(2) Phase 1 the attacker A can adaptively ask the chal-lenger C for the trapdoor 119879119876 for any query 119876 of hischoice

(3) Challenge A selects a target keyword set 119882lowast andsends it to C After receiving 119882lowast C selects a randomkeyword set 119877 and sets 1198820 = 119882lowast and 1198821 = 119877Suppose that 1198761 1199041199101198981 1198762 1199041199101198982 119876119905 119904119910119898119905are queries which are asked to construct trapdoors inPhase 1 where 119905 is the number of trapdoors queriedin Phase 1 For each 119894 isin [1 119905] the only restrictionis that |119876119894 cap 1198820| = 0 = |119876119894 cap 1198821| where thenumber of the keywords in 119876119894 cap 1198820 and 119876119894 cap 1198821

is denoted by |119876119894 cap 1198820| and |119876119894 cap 1198821| respectivelyThen C picks a random bit 120573 isin 0 1 produces119868120573 = 119868119899119889119890119909119861119906119894119897119889(119901119896119882120573) and sends 11986812057311988201198821 toA

(4) Phase 2 A can continue to ask for trapdoor 119879119876 forany query 119876 of his choice and subject to the samerestriction as before

(5) Response A outputs 1205731015840 isin 0 1 and wins the game if1205731015840 = 120573Arsquos advantage can be expressed as a function of the securityparameter (1120574)119860119889V119866119886119898119890119860 (1120574) = 1003816100381610038161003816100381610038161003816119875119903 [1205731015840 = 120573] minus 12 1003816100381610038161003816100381610038161003816 (1)

Then we have the following definition

Definition 2 According to the game above a PECDK issemantic secure if for any probabilistic polynomial timeattacker A the function 119860119889V119866119886119898e

119860 (1120574) is negligible23 Bilinear Pairings Let 1198661 1198662 be two cyclic groups ofprime order 119902 There are three properties in the bilinearpairings map 119890 1198661 times 1198661 997888rarr 1198662

(1) Bilinear 119890(119886119906 bV) = 119890(119886 119887)119906V where 119886 119887 isin 1198661 and119906 V isin 119885lowast119902 (2) Nondegenerate if 119892 isin 1198661 then 119890(119892 119892) isin 1198662(3) Computable for any 119886 119887 isin 1198661 119890(119886 119887) can be

efficiently computable

An efficient bilinearmap can be obtained by applying theWeilpairing or the Tate pairing [38]

24 Complexity Assumption We review the complexity as-sumption named Decision 119897 Bilinear Diffie-Hellman Inver-sion (Decision 119897-BDHI) assumption [11] which is related tothe bilinear pairing The security of our scheme is based onthis assumption


Decision 119897-BDHI Assumption Given a tuple 119863 = 119892 1198921199091198921199092 119892119909119897 with the random choice of 119909 isin 119885lowast119902 and 119892 isin 1198661it is argued that an algorithm C outputting 119887 isin 0 1 hasadvantage 120576 in solving the decision l-BDHI problem in 1198661 if119860119889V119863minus119897minus119861119863119867119868119861= 100381610038161003816100381610038161003816119875119903 [119861 (119863 119890 (119892 119892)1119909) = 1] minus 119875119903 [119861 (119863 119877) = 1]100381610038161003816100381610038161003816ge 120576 (2)

where the probability (119875119903[sdot]) is over the random choice 119877 isin1198662 and random bits chosen by C

Definition 3 The Decision l-BDHI assumption holds in 1198661if no probabilistic polynomial time algorithm has advantageat least 120576 in solving the Decision l-BDHI problem in 11986613 PECDK Scheme

Based on previous definitions and notations in this sectionwe give our PECDK scheme without using IPE Our schememainly involves three steps Initially we utilize a keywordconversion method inspired by the approach introduced in[16] to convert the index and query keywords into a set ofvectors Moreover by applying the bilinear pairing under theprime order group we encrypt these vectors to constructencrypted index and trapdoor Eventually a test algorithm isbuilt to perform secure keywords queryThemethod adoptedin the first step is described in Section 31 and the algorithmsused in the second and third steps are given in Section 32

31 Keywords Conversion Method The keywords in queryand index are strings thus we need to change all thekeywords to a group of integers Moreover in order to verifywhether the query matches the index or not the integersbetween the query and index must hold some relationshipsAccording to these concerns we introduce a method thatcan convert the index and query set into a matrix and avector

This method is based on the relationship between theroots and coefficients in an equation of degree 119899 with oneunknown Specifically the roots and coefficients are used tocreate a matrix of index keywords and a vector of querykeywords respectively By adopting a prime order group toencrypt the matrix and vector an encrypted index and querycan be built The relationship between the matrix and vectorcan be utilized to construct the test algorithm

Suppose that any keyword 119908 can be expressed as 0 1lowastwe define a function 1198671 0 1lowast 997888rarr 119885lowast119901 Since 119901 is alarge prime and is larger than the number of all words 1198671

can be collision-resistance This means that if 119894 = 119895 then1198671(119908119894) = 1198671(119908119895) where119908119894 and119908119895 are two distinct keywordsLet 119882 = 1199081 1199082 119908119899 and 119876 = 1199021 1199022 119902119898 be twokeyword sets where 119898 lt 119899 The method can be listed intothree steps and described as follows

(1) For the keyword set 119882 = 1199081 1199082 119908119899 weconstruct a matrix for119882

((

1198671 (1199081)0 1198671 (1199081)1 sdot sdot sdot 1198671 (1199081)1198991198671 (119908119894)0 1198671 (119908119894)1 sdot sdot sdot 1198671 (119908119894)119899 d1198671 (119908119899)0 1198671 (119908119899)1 sdot sdot sdot 1198671 (119908119899)119899

))

(3)

Note that 1198671(1199081)1198671(1199082) 1198671(119908119899) can be seen asthe roots of equation119891 (119909) = (119909 minus 1198671 (1199081)) (119909 minus 1198671 (1199082)) (119909 minus 1198671 (119908119899)) (4)

(2) For the query 1199021 1199022 119902119898 we create an equation119891 (119909) = (119909 minus 1198671 (1199021)) (119909 minus 1198671 (1199022)) (119909 minus 1198671 (119902119898))= 119886119898119909119898 + 119886119898minus1119909119898minus1 + + 11988601199090 (5)

According to the coefficient of the 119891(119909) a vector 997888rarr119886 =1198860 1198861 119886119898 can be obtained

(3) Suppose that 997888rarr119908 119894 = 1198671(119908119894)0 1198671(119908119894)1 1198671(119908119894)119898 isfrom the 119894-th row of the matrix (3) we can infer thatif there is a keyword 119908119894 isin 119882 such that 119908119894 isin 119876 where119894 isin [1119898] according to (5) it is not difficult to verifythat 997888rarr119886 sdot 997888rarr119908119894 = 0 Based on this property we can buildthe test algorithm

32 Construction of PECDK By combining the keyword con-version method and the bilinear pairing under prime ordergroup we propose a PECDK scheme which allows the userto perform conjunctive and disjunctive keyword search overencrypted data Our key idea is as follows First by adoptingthe keyword conversion method introduced in Section 31we change the index and query keyword set into an indexmatrix and a query vector respectivelyThen by using a set ofelements randomly chosen from the prime order group weencrypt the index matrix to the secure index and the queryvector to the trapdoor respectively Specifically in order toguarantee the schemersquos security the encryption process reliesstrictly on the complexity assumption given in Section 24Finally by taking advantage of the properties of the bilinearpairing both conjunctive and disjunctive keywords searchcan be achieved Specifically for the conjunctive keywordssearch the matched documents are returned if and only if allthe keywords in the query are including in the index keywordset For the disjunctive logic query the matched documentsare returned if and only if the intersection between the indexand the query keyword set is not an empty set

According to the above ideas the concrete constructionis proposed in the following paragraphs Because of makinguse of the prime order group the proposed scheme is moreefficient than the previous scheme adopting the IPE crypto-system on the time and space complexities Experimentalresults showing the advantages of our scheme can be foundin Section 4


(i) KeyGen(1120574) given a security parameter 120574 the algo-rithm generates two cyclic groups 11986611198662 of primeorder 119902 and a bilinear pairing 119890 1198661 times 1198661 997888rarr1198662 It picks a random generator 119892 of 1198661 and twohash functions 1198671 0 1lowast 997888rarr 119885lowast119902 and 1198672 1198662 997888rarr 0 1log2119902 Choosing 2119899 + 3 random numbers1205720 1205721 120572119899 1205730 1205731 120573119899 120579 isin 119885lowast119902 it computes1198830 = 1198921205720 1198831 = 1198921205721 119883119899 = 119892120572119899 1198840 = 1198921205730 1198841 = 1198921205731 119884119899 = 119892120573119899 119885 = 119892120579 120583 = 119890(119892119892) After this it outputs the public key 119901119896 =1198830 1198831 119883119899 1198840 1198841 119884119899 119885 120583 11989211986711198672 119890 andthe secret key 119904119896 = 1205720 1205721 120572119899 1205730 1205731 120573119899 120579where 119901119896 is also open to the public

(ii) IndexBuild(119901119896119882) the algorithm generates 1198992 + 2119899random numbers 1199031 1199032 119903119899 and 119906119894119895 isin 119885lowast119902 where119894 isin [1 119899] 119895 isin [0 119899] Given a keyword set 119882 =1199081 1199082 119908119899 and the public key 119901119896 for each word119908119894 isin 119882 it computes 119860 119894119895 = 119883119903119894

119895 times 1198921199031198941198671(119908119894)119895+119906119894119895 119861119894119895 =119884119906119894119895119895 119862119894 = 119885119903119894 = 119892120579119903119894 and119863119894 = 1198672(120583119903119894) where 119894 isin [1 119899]and 119895 isin [0 119899] The index of the keyword set119882 is119868119882

= (11986010 11986011 1198601119899 11986110 11986111 1198611119899 1198621 119863111986020 11986021 1198602119899 11986120 11986121 1198612119899 1198622 1198632 1198601198990 1198601198991 119860119899119899 1198611198990 1198611198991 119861119899119899 119862119899 119863119899

) (6)

Note that the secure index can be seen as an encryptedversion of matrix (3)

(iii) Trapdoor(119904119896119876 119904119910119898) when the algorithm receivesa keyword query 119876 = 1199021 1199022 119902119898 where 119898 le119899 it will construct a vector 997888rarr119886 = 119886119898 119886119898minus1 1198860by utilizing (5) Given a vector 997888rarr119886 and 119904119896 1199051119895 =119892119886119895(sum119898119895=0 120572119895119886119895+sum119898119895=0 119886119895119906120579) and 1199052119895 = 11990511205731198951119895 can be com-puted where 119906 is a random number in 119885119902 and119895 isin [0119898] Let 1199053 = 119906 and 119904119910119898 isin or andthe trapdoor for the keyword query 119876 is 119879119876 =(11990510 11990511 1199051119898 11990520 11990521 1199052119898 1199053 119904119910119898)

(iv) Test(119901119896 119879119876 119868119882) when the algorithm receives atrapdoor119879119876 and a secure index 119868119882 it works as follows

(1) If the symbol in 119879119876 is or(a) The algorithm chooses a counter 119894 and sets119894 = 1(b) If 119894 gt 119899 then it goes to step (c) otherwise

it checks whether 1198672(11990511989011990411990511989411199051198901199041199051198942) = 119863119894where 1199051198901199041199051198941 = prod119898

119895=0119890(1199051119895 119860 1198941198951198621199053119894 ) 1199051198901199041199051198942 =prod119898119895=0119890(1199052119895 119861119894119895) If so the algorithm outputs1 and ends Otherwise it sets 119894 = 119894 + 1 and

goes to step (b)(c) The algorithm outputs 0 and ends

(2) If the symbol in 119879Q is and(a) The algorithm chooses two counters 119894 and 119895

and sets 119894 = 1 and 119895 = 1(b) If 119894 gt 119899 then it goes to step (c) otherwise

it tests whether 1198672(11990511989011990411990511989411199051198901199041199051198942) = 119863119894where 1199051198901199041199051198941 = prod119898

119895=0119890(1199051119895 119860 1198941198951198621199053119894 ) 1199051198901199041199051198942 =prod119898119895=0119890(1199052119895 119861119894119895) If so then the algorithm sets119895 = 119895 + 1 Otherwise it does nothing

After that it sets 119894 = 119894 + 1 and goes tostep (b)

(c) If 119895 = 119898 the algorithm outputs 1and ends Otherwise it outputs 0 andends

Correctness The key idea of disjunctive keywords search isto determine whether there exists an 119894 isin [1 119899] such that119908119894 isin 119876 For the conjunctive keywords search we need tocheck whether there are 119898 keywords 119908120601(1) 119908120601(2) 119908120601(119898)such that 119908120601(119895) isin 119876 where 120601(119895) isin [1 119899] and 119895 isin[1119898] According to these ideas we know that the essenceof test algorithm is to verify whether 119908119894 isin 119876 In theproposed scheme it is can be verified that 11990511989011990411990511989411199051198901199041199051198942 =119890(119892 119892)119903119894+119903119894 sum119898119895=0 1198861198951198671(119908119894)119895(sum119898119895=0 120572119895119886119895+sum119898119895=0 119886119895119906120579) If 119908119894 isin 119876 there issum119898119895=0 1198861198951198671(119908119894)119895 = 0 Thus it must be 11990511989011990411990511989411199051198901199041199051198942 = 119890(119892 119892)119903119894

and 1198672(11990511989011990411990511989411199051198901199041199051198942) = 119863119894 Based on this we argue that ourscheme is correct

33 Security Analysis

Theorem 4 The proposed PECDK scheme is secure accordingto security definition in the randommodel if Decision (119902119879+1)-BDHI is hard

Proof Suppose that an algorithmA has advantage 120576 in break-ing the PECDK under the security definition Suppose A

makes atmost 119902119879 trapdoor queries we can build an algorithmC which solves the decision (119902119879 + 1)-BDHI assumptionwith a probability at least 1205761015840 = 120576119890(119899119902119879 + 1) where 119890 isthe base of the natural logarithm and 119899 is the number ofkeywords in an index Let 119892 be a generator of 1198661 Given119892 119892119909 1198921199092 119892119909119902119879+1 119877 if 119877 = 119890(119892 119892)1119909 the algorithm C

outputs 1 0 otherwiseThe interaction between the algorithmC and the algorithm A is as follows

(i) Setup the algorithm C works as follows(1) The algorithm C randomly chooses 119902119879 numbers1205881 1205882 120588119902119879 isin 119885lowast119902 and returns119891(119911) = prod119902119879119894=1(119911+120588119894) = sum119902119879

119894=0 119888119894119911119894(2) C computes 119880 = 119892119891(119909) = 119892sum119902119879119894=0 119888119894119909119894 119881 = 119892119909119891(119909) =119892sum119902119879119894=0 119888119894119909119894+1 and 119891119894(119911) = (1(119911 + 120588119894))119891(119911) =sum119902119879minus1119894=0 119889119894119911119894 where 119894 isin [1 119902119879] Then C gets1198801(119909+120588119894) = 119892119891119894(119909) = 119892sum119902119879minus1119894=0 119889119894119909

119894

and stores thepairs 120588119894 119892119891119894(119909) in a list named S-list where 119894 isin[1 119902119879]

Security and Communication Networks 7(3) C computes (119891(119911) minus 1198880)119911 = sum119902119879119894=1 119888119894119911119894minus1 and

sets 119877119880 = 119890(119892sum119902119879119894=1 119888119894119909119894minus1 119892sum119902119879119894=0 119888119894119909119894+1198880) times 11987711988820 If 119877 =119890(119892 119892)1119909 119877119880 = 119890(119892sum119902119879119894=1 119888119894119909119894minus1 119892sum119902119879119894=0 119888119894119909119894+1198880) times 11987711988820 =119890(119892(119891(119909)minus1198880)119909 119892119891(119909)+1198880)times11987711988820 = 119890(119892 119892)(1198912(119909)minus11988820 )119909times119890(119892 119892)11988820 119909 = 119890(119892 119892)1198912(119909)119909 = 119890(119880119880)1119909(4) C randomly chooses 2119899 + 4 numbers 1199040 1199041 119904119899 1199050 1199051 119905119899 120578 120582 isin 119885lowast119902 and constructs119883119894 = 119881119904119894 times 119880minus120578119894 119884119894 = 119880119905119894 for each 119894 isin[0 119899] Let 119885 = 119881120582 C gives A the public key119901119896 = 1198801198830 1198831 119883119899 1198840 1198841 119884119899 119885 120583 =119890(119880119880) 1198921198671 1198672 119890 The corresponding 119904119896 is1199040119909minus1205780 1199041119909minus1205781 119904119899119909minus120578119899 1199050 1199051 119905119899 120582119909where the values 1199040119909 minus 1205780 1199041119909 minus 1205781 119904119899119909 minus120578119899 120582119909 are unknown to C

(ii) 1198671 1198672minusqueries the random oracles 1198671 or 1198672 can bequeried by A at any time To answer 1198671-queries Ckeeps a list of tuples (119908119895 ℎ119895 120590119895) called 1198671minuslist whichis empty initially When A queries the random oracle1198671 at a point 119908119894 isin 0 1lowast algorithm C answers asfollows1198671minusqueries(1) If the query 119908119894 is already in a tuple (119908119894 ℎ119894 120590119894)

on 1198671-list then C responds with 1198671(119908119894) = ℎ119894where ℎ119894 isin 119885lowast119902 (2) Otherwise C generates a random coin 120590119894 isin[0 119899119902119879] so that 119875119903[120590119894 = 0] = 1(119899119902119879 + 1)(3) If 120590119894 = 0 C sets ℎ119894 = 120578 Otherwise C picks arandom 119886119894 isin 119885lowast119902 and sets ℎ119894 = 119886119894(4) C adds the tuple (119908119894 ℎ119894 120590119894) to 1198671-list andanswers A with1198671(119908119894) = ℎ1198941198672minusqueries are similar to1198671minusqueries To answer 1198672

queries fromA C holds a list of tuples (120593119895 120595119895) called1198672minuslist which is initially empty When A queries therandom oracle 1198672 at a point 120593119894 isin 1198662 algorithm C

responds as follows1198672minusqueries(1) If the query 120593119894 already appears on 1198672-list in atuple (120593119894 120595119894) thenC responds with1198672(120593119894) = 120595119894where 120595119894 isin 0 1log2119902(2) Otherwise C picks a random 119887119894 isin 0 1log2119902 andsets 120595119894 = 119887119894(3) C adds the tuple (120593119894 120595119894) to1198672-list and respondsA with1198672(120593119894) = 120595119894

(iii) Trapdoor queries when A queries a trapdoor of thekeyword set 119876119894 = 1199021198941 1199021198942 119902119894119898 and 119904119910119898 thealgorithm C answers as follows(1) C runs 1198671minusqueries algorithm to obtain ℎ119894119895

where ℎ119894119895 = 1198671(119902119894119895) for each 119895 isin [1119898] Let

(119908119894119895 ℎ119894119895 120590119894119895) be the corresponding tuples on1198671-list for each 119895 isin [1119898] if 120590119894119895 = 0 then C reportsfailure and terminates(2) Otherwise C constructs a trapdoor for query119876119894 119904119910119898 C first computes 1198911015840(1199091015840) = prod119898

119894=1(1199091015840 +ℎ119894119895) = 11988610158401198981199091015840119898 + 1198861015840119898minus11199091015840119898minus1 + + 119886101584011199091015840+11988610158400 Then for each 119895 isin [0119898] C can compute119897119894119895 = minus(sum119898119895=0 1198861015840119895120578119895)1198861015840119895120588119894 and ]119894 = minus(sum119898

119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898

119895=0 1198861015840119895 through an equality of1(1199091015840 + 120588119894) = 1198861015840119895119897119894119895(sum119898119895=0 1198861015840119895(1199041198951199091015840 minus 120578119895)+

]119894120582sum119898119895=0 11988610158401198951199091015840) Obviously (1198801(1199091015840+120588119894)1198971198940 1198801(1199091015840+120588119894)1198971198941 1198801(1199091015840+120588119894)119897119894119898 1198801(1199091015840+120588119894)11989711989401199050 1198801(1199091015840+120588119894)11989711989411199051 1198801(1199091015840+120588119894)119897119894119898119905119898 ]119894 119904119910119898) is the trapdoor for the

keyword query 119876119894(3) C searches S-list to obtain the tuple 120588119894 119892119891119894(1199091015840)Then C sends (119892119891119894(1199091015840)1198971198940 119892119891119894(1199091015840)1198971198941 119892119891119894(1199091015840)119897119894119898 119892119891119894(1199091015840)11989711989401199050 119892119891119894(1199091015840)11989711989411199051 119892119891119894(1199091015840)119897119894119898119905119898 ]119894 119904119910119898) tothe algorithm A as the correct trapdoor for thequery 119876119894

(iv) Challenge algorithm A produces a keyword set119882lowast = 11990801 11990802 1199080119899 which is what A wantsto challenge Then A sends the target keywordset 119882lowast to C C chooses a random keyword set1198771015840 = 11990811 11990812 1199081119899 and sets 1198820 = 119882lowast and1198821 = 1198771015840 The only restriction is that the previoustrapdoor queries cannot distinguish 1198820 and 1198821 Ifthere is any previous trapdoor that can break therestriction C regenerates the keyword set 1198821 ThenC selects a random bit 120573 isin 0 1 and runs theabove algorithm for responding to 1198671minusqueries toobtain the values ℎ1205731 ℎ1205732 ℎ120573119899 where 1198671(119908120573119894) =ℎ120573119894 119908120573119894 isin 119882120573 119894 isin [1 119899] Let (119908120573119894 ℎ120573119894 120590120573119894) be thecorresponding tuples on1198671minuslist if there is no 120590120573119894 = 0for all 119894 isin [1 119899] then C terminates Otherwise Cgenerates the challenge PECDK index 119868120573 of 119882120573 asfollows

(1) If 120590120573119894 = 0 C computes 119860120573119894119895 = 119880119903120573119894119904119895+119910120573119894119895 119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119880119903120573119894120582 and 119863120573119894 = 1198672(119877119903120573119894119880 )where 119895 isin [0 119899] Observe that if 119877 = 119890(119892 119892)1119909then 119877119880 = 119890(119880119880)1119909 So the above values areequivalent to119860120573119894119895 = 119883119895

119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)

where 119895 isin [0 119899] It means that this is a validPECDK encryption of keyword 119908120573119894 when 119877 =119890(119892 119892)1119909(2) Otherwise C computes 119860120573119894119895 = 119881119903120573119894119904119895 times119880119903120573119894ℎ

119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]

8 Security and Communication Networks(3) C sends119868120573= ((

11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)

and two keyword sets1198820 and1198821 to A

(v) More queries A continues to inquire trapdoorqueries The restriction is similar to the challengephase

(vi) Response A outputs a guess 1205731015840 isin 0 1C will output1 if 1205731015840 = 120573 Otherwise C will output 0Now we show that the algorithm C can solve the decision(119902119879 + 1)-BDHI assumption with probability at least 1205761015840 =120576119890(119899119902119879 + 1) First of all we should analyze the probability

that C does not abort in trapdoor queries phase and challengephase We define two events1205961 C does not abort due to any of Arsquos trapdoor queries1205962 C does not abort in challenge phase for generating 119868120573

Suppose that 119902119879 is large enoughTherefore the probabilityof the event 1205961 is at least (1 minus 1(119899119902119879 + 1))119899119902119879 ge 1119890 Theprobability of the event 1205962 is 1(119899119902119879 + 1)

If 119877 = 119890(119892 119892)1119909 Arsquos view is identical to its view in a realattack game Since we assume that A can break the PECDKscheme with an advantage 120576 it must satisfy |119875119903[1205731015840 = 120573] minus12| ge 120576 If 119877 is a random number where 119877 isin 1198662 then|119875119903[1205731015840 = 120573]| = 12 since Amade a random guess

Therefore let 119863 = 119892 119892119909 1198921199092 119892119909119902119879+1 we have that100381610038161003816100381610038161003816119875119903 [119861 (119863 119890 (119892 119892)1119909) = 1] minus 119875119903 [119861 (119863 119877) = 1]100381610038161003816100381610038161003816ge 120576119890 (119899119902119879 + 1) (8)

Then we conclude the theorem

4 Performance Analysis

In this section we first give a detailed theoretical analysis forthe previous scheme and then compare it with the proposedone After that we set up an experiment to show that ourscheme has better performance than the previous one Forsimplicity we denote the proposed scheme and the previousone by PECDK-1 and PECDK-2 respectively

41 Theoretical Analysis In an IPE scheme each ciphertextassociated with an attribute vector 997888rarr119909 can be decrypted by thesecret keys corresponding to the predicate vector 997888rarrV if andonly if 997888rarrV sdot 997888rarr119909 = 0 The PECDK-2 is based on the approachof converting an IPE scheme into a PECDK scheme In orderto analyze the efficiency of the previous one wewill introducethe conversion method which is described as follows

Suppose that 119876 = 1199021 1199022 119902119898 and 119882 = 1199081 1199082 119908119899 are two keyword sets By utilizing an IPE scheme(1198881 1198882 119888119899) is the index of 119882 where 119888119894 is a ciphertext ofthe vector 119908119898119894 119908119898minus1119894 1199080119894 and 119894 isin [1 119899] Suppose that119891(119909) = 119886119898119909119898 + 119886119898minus1119909119898minus1 + + 1198861119909 + 1198860 = (119909 minus1198671(1199021))(119909 minus1198671(1199022)) (119909minus1198671(119902119898)) the trapdoor of119876 is 119896119886 119904119910119898 where119896119886 is a secret key of the vector 119886119898 119886119898minus1 1198860 Let thedecryption algorithm be119863119864119862(119901119896 119862119879 119870119864119884) where119901119896 is thepublic key 119862119879 is the ciphertext and 119870119864119884 is the secret keyFor each 119894 isin [1 119899] the test algorithm can be performed byimplementing 119863119864119862(119901119896 119888119894 119896119886) According to different searchfunction there are two situations

(1) For 119904119910119898 is or if there is at least one 119894 isin [1 119899] suchthat the decryption algorithm119863119864119862(119901119896 119888119894 119896119886) outputs1 the test algorithm outputs 1 otherwise 0

(2) For 119904119910119898 is and the test algorithm will verify whetherthere are119898 119888119894 that can be decrypted by the decryptionalgorithm 119863119864119862(119901119896 119888119894 119896119886) If so the test algorithmoutputs 1 otherwise 0

PECDK-2 is based on the IPE presented in [17] Forthis IPE scheme the time cost of setup encryption keygeneration and decryption are all linear with 119874(1198732)119874(1198732)119874(1198732) and 119874(119873) respectively where 119873 is the length of thepredicate or attribute vector Moreover the space overhead ofpublic key master secret key (119898119904119896) ciphertext and secret keyis linear with 119874(1198732) 119874(1198732) 119874(119873) and 119874(119873) respectivelyAccording to the conversion method mentioned above wehave the following results

(1) The 119901119896 and 119904119896 in the previous scheme are the same asthe 119901119896 and119898119904119896 in the IPE schemeThus the time andspace cost of 119901119896 and 119904119896 are both linear with 119900(1198992)

(2) Since the index of the previous scheme contains 119899ciphertexts of IPE the time and space cost of indexare linear with 119874(1198993) and119874(1198992) respectively Becausethe algorithm of trapdoor generating is similar withthat of the index building the time and space costof trapdoor is also linear with 119874(1198993) and 119874(1198992)respectively

(3) The test algorithm needs to perform 119899 times decryp-tion algorithm Thus the time cost of test is propor-tional to the square of 119899

For our scheme 119901119896 contains 2119899 + 3 elements in group 1198661and one element in 1198662 and 119904119896 involves 2119899 + 3 elements in119885lowast119901 Thus we know that the time and space cost of KeyGenalgorithm in our scheme are both linear with 119874(119899) Becausethe IndexBuild algorithm generates 21198992 + 3119899 elements ingroup 1198661 and 119899 elements in 1198662 the time and space cost ofIndexBuild algorithm are both linear with 119874(1198992) The timecost and space cost of Trapdoor algorithm are both 119874(119898)since this algorithm creates 2119898 + 2 elements in group 1198661Whether 119904119910119898 = and or 119904119910119898 = or the test algorithm executesat most 119874(119898119899) pairing operations Therefore we can reckonthat the time cost of test algorithm is less than 119874(119898119899)

According to the above analysis we will give two tablesto demonstrate the comparison Let |119879119890| be the time cost for


Table 1 Comparison with the previous PECDK scheme in time complexity

PECDK-1 PECDK-2Key Generation 119874 (1198992) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816 + 10038161003816100381610038161198791198901003816100381610038161003816 (2119899 + 3) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816 + 10038161003816100381610038161198791198901003816100381610038161003816Index Building (41198992 + 2119899) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816 + 119899 100381610038161003816100381610038161198791198662 10038161003816100381610038161003816 (31198992 + 4119899) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816 + 119899 100381610038161003816100381610038161198791198662 10038161003816100381610038161003816Trapdoor Generation (4119898 + 2) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816 (2119898 + 2) 100381610038161003816100381610038161198791198661 10038161003816100381610038161003816Testing 2119899 (2119898 + 1) 10038161003816100381610038161198791198901003816100381610038161003816 2119899 (119898 + 1) 10038161003816100381610038161198791198901003816100381610038161003816

Table 2 Comparison with the previous PECDK scheme in space complexity

PECDK-1 PECDK-2PK size 119874(1198992) 100381610038161003816100381611986611003816100381610038161003816 + 100381610038161003816100381611986621003816100381610038161003816 (2119899 + 3)|1198661| + |1198662|SK size 119874(1198992) 100381610038161003816100381611986611003816100381610038161003816 (2119899 + 3)|119885119901|Trapdoor size (4119898 + 2) 100381610038161003816100381611986611003816100381610038161003816 (2119898 + 2)|1198661| + |119885119901|Index size (41198992 + 2119899) 100381610038161003816100381611986611003816100381610038161003816 + 100381610038161003816100381611986621003816100381610038161003816 (21198992 + 4119899)|1198661| + |1198662|a pairing operation [15] on 1198661 and |1198791198661 | and |1198791198662 | be thetime cost for the exponential operation on 1198661 and 1198662 where1198661 and 1198662 are two groups of a prime order For evaluatingthe time complexity we only take these two operations intoaccount since the time cost of these two operations is muchmore than the time cost of other operations like group addoperation The theoretical analysis of time complexity isshown in Table 1

Wedenote the size of an element of119885119901 1198661 and1198662 by |119885119901||1198661| and |1198662| respectively The comparison result of spacecomplexity is shown in Table 2

42 Experimental Results We implement our construction inJAVA with Java Pairing Based Cryptography (JPBC) library[39] In our implementation the bilinear map is instantiatedas Type A pairing (base field size is 128 bits) which offersa level of security equivalent to 1024-bit DLOG [16] Ourexperiment was run on Intel(R) Core(TM) i7-4570 CPUat 360GHz processor with 8GB memory size Such anexperiment is based on a group of artificial keyword setswith different number of keywords in each set (ie 119899 =5 10 15 20 25) where each keyword set can be seen as anindex of a document In each keyword set we denote eachkeyword as an unique integer in the range of [0 1000] where1000 can be regarded as the number of different words inthe artificial keyword sets We encrypt each keyword set withPECDK-1 and PECDK-2 schemes and the encrypted indiceswere stored onourmachine and then execute randomqueriesover these encrypted indices (the number of documents andqueries is denoted by 119863 and 119876119905 respectively) In additionfor simplicity we denote the conjunctive and disjunctivekeyword search by CKS (conjunctive keywords search) andDKS (disjunctive keywords search) respectively

421 Time Overhead Figure 2 shows that the impact of 119899on the time consumption The statements of Figure 2 aredescribed as follows

(1) Figure 2(a) shows that the execution time of keygeneration in PECDK-2 is linear with 119874(1198992) while

that in PECDK-1 is linear with 119899 The time cost of thekey generation algorithm in PECDK-2 is nearly 100times than that in PECDK-1 since PECDK-2 needsto generate a pair of orthogonal matrices and moreexponential operations on 1198661

(2) In Figure 2(b) we can find that the time cost ofcreating index in PECDK-2 is much more than thatin PECDK-1 though the time complexities of indexbuilding in PECDK-1 and PECDK-2 are both linearwith 119874(1198992) The reason for this situation is that theDPVS structure used in PECDK-2 is based on apair of orthogonal matrices which will bring moreexponential operations on 1198661 and some additionalmatrix operations

(3) The time consumption of testing in PECDK-1 andPECDK-2 is illustrated in Figure 2(c) In Figure 2(c)we can find that time cost of CKS and DKS inPECDK-1 is much less than that in PECDK-2 Inaddition whether PECDK-1 or PECDK-2 the timecost in DKS is slightly less than that in CKS since DKSmay test fewer keywords than CKS

(4) The time complexity of trapdoor generation inPECDK-1 is independent with 119899 while that inPECDK-2 is linear with 119874(119899) The trapdoor gener-ation algorithm in PECDK-1 still needs much lesstime cost than that in PECDK-2 with the same reasondescribed in (2)

Figure 3 shows the impact of119898 on the time consumptionBecause the key generation and index algorithms are notrelated to the parameter 119898 we only focus on the trapdoorgeneration and test algorithms The comparison is stated asfollows

(1) The time costs of trapdoor generation in PECDK-1 and PECDK-2 are both linear with 119874(119898) whichis shown in Figure 3(a) However the time cost ofcreating trapdoor in PECDK-2 is nearly 10 times thanthat in PECDK-1The reason for this is that PECDK-2needs more exponential operations on 1198661


time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40

Scheme NamePECDK-1PECDK-2

(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)

5 10 15 20 25 of dimensions

010

020

030

040

0

010

0020

0030

0040

00

Scheme Name Search ModePECDK-1 DKSPECDK-1 CKS

PECDK-2 DKSPECDK-2 CKS

(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)

Figure 2 Impact of 119899 on the time cost of key generation (a) index building (b) testing (c) and trapdoor generation (d) (blue and red scaleare for PECDK-1 and PECDK-2 respectively and119863 = 100119898 = 5 119876119905 = 10 119899 = 5 10 15 20 25)

(2) Figure 3(b) shows that the time cost of testing inPECDK-1 is linear with 119874(119898) while that in PECDK-2 is not related with 119898 The reason is that the pred-icate vector and attribute vector must have the samedimension in an IPE scheme So we must convert thequery keyword set into a predicate vector having thesame length as the attribute vector generated from theindex keyword set According to this the time cost oftesting in PECDK-2 is independent to 119898 actually Inaddition the time cost in DKS is also slightly less thanthat in CKS since DKS needs less test operations

422 Storage Overhead The storage cost of 119901119896 and 119904119896indices and trapdoors are illustrated in Figure 4 The com-parison results are listed as follows

(1) Figures 4(a) and 4(b) show that the storage cost of 119901119896and 119904119896 in PECDK-2 increases with 119874(1198992) while thatin PECDK-1 is linear with119874(119899) Moreover the storagecost in PECDK-2 is more than 100 times than that inPECDK-1 The reason is that the PECDK-2 needs tostore two matrices

(2) In Figure 4(c) we know that the storage costs ofindices in PECDK-1 and PECDK-2 are both linearwith 119874(1198992) However the storage cost in PECDK-2 is also nearly two times than that in PECDK-1since PECDK-2 needs to storemore1198661 elements thanPECDK-1

(3) In Figure 4(d) the storage cost of trapdoors inPECDK-1 is independent to 119899 while that in PECDK-2


time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)

Scheme Name Search Mode

PECDK-1 DKSPECDK-1 CKSPECDK-2 DKSPECDK-2 CKS

(b)

Figure 3 Impact of 119898 on the time cost of trapdoor generation (a) and testing (b) (blue and red scale are for PECDK-1 and PECDK-2respectively and 119863 = 100 119899 = 25 119876119905 = 10119898 = 5 10 15 20 25)Table 3 Impact of 119898 on storage consumption of trapdoor genera-tion (n=25 D=100 119876119905 = 10)Size of119898 5 10 15 20 25PECDK-1(kb) 6 10 14 19 23PECDK-2(kb) 46 46 46 46 46

is linear with 119874(119899) The storage cost in PECDK-2 isstill more than that in PECDK-1

Because the size of 119901119896 119904119896 and indices are not related tothe parameter119898 we only analyze the impact of parameter119898on the storage cost of trapdoor According to Table 3 we findthat the size of trapdoor in PECDK-2 is independent with 119898since the query keywords must be converted into a predicatevector owing the same length to the attribute vector generatedfrom the index keywords The trapdoor size in PECDK-1 islinear with119898 and less than that in PECDK-2

According to the experimental results described abovewe can find that these results are consistent with our theo-retical analysis

423 More Comments Generally speaking the number ofkeywords in a document (119899) is usually only 3 sim 5 (egthe research paper) and the number of keywords in a query(119898) is often less than 10 [40] According to above results wecan reckon that both 119899 and 119898 are less than 10 in the actualprocess of retrieval According to the experiment result with119899 = 10 and 119898 = 5 for the PECDK-1 the generation time of asingle index and a single trapdoor is nearly 100ms and 20msrespectively and the test time of a single document is 15ms

Compared with the PECDK-2 it is more practical Moreoverthe time and storage cost of trapdoor in PECDK-1 scheme isvery low which means that the proposed scheme is fit for themobile setting where the client has limited computation andstorage resources

Many applications require that the client cannot only adda group of documents to the server but also remove a set ofdocuments from the server Considering this situation weneed that the proposed scheme supports dynamic updateIt means that users can update the encrypted indices andfiles securely Many previous works can achieve this goal[24 25] In our scheme we adopt the forward index structurein which each file has its index Thus it can support dynamicupdate naturally For example when a client wants to add adocument heshe will generate an encrypted document andits corresponding secure index and send them to the server Ifa client wants to delete a document heshe will send a requestto the server The server will remove the related documentand the associated index according to the request

In addition because each document has its ownencrypted index we can easily accelerate the search processby utilizing the technique of parallel computation [6] Thuswe argue that our scheme is more practical in the cloudplatform which has strong computing power

5 Conclusion

In this paper we propose an efficient PECDK scheme basedon a prime order group which has better performance thanthe previous PECDK scheme Our scheme is proven to besecure under the security definition


Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)

Figure 4 Impact of 119899 on the storage cost of pk (a) sk (b) index (c) and trapdoor (d) (blue and red scale are for PECDK-1 and PECDK-2respectively and 119863 = 100119898 = 5 119876119905 = 10 119899 = 5 10 15 20 25)

To justify the efficiency of the proposed scheme wepresent detailed theoretical analysis and experimental resultsThese results show that the proposed scheme ismore practicalthan the most efficient PECDK scheme based on the IPEscheme In the future we will focus on building a SPE schemesupporting more advanced search function

Data Availability

The artificial data used to support the findings of this studyare available from the corresponding author upon request

Conflicts of Interest

The authors declare that they have no conflicts of interest

Acknowledgments

We gratefully acknowledge the support of the National Natu-ral Science Foundation of China under Grant Nos 61402393and 61601396 and Shanghai Key Laboratory of IntegratedAdministration Technologies for Information Security (noAGK201607)

References

[1] Y Zhu D Ma and S Wang ldquoSecure data retrieval of out-sourced data with complex query supportrdquo in Proceedings of the2012 32nd International Conference on Distributed ComputingSystems Workshops (ICDCS Workshops) pp 481ndash490 IEEEComputer Society Macau China June 2012


[2] M Raykova A Cui B Vo et al ldquoUsable secure private searchrdquoIEEE Security amp Privacy vol 10 no 5 pp 53ndash60 2012

[3] Z Fu K Ren J Shu X Sun and F Huang ldquoEnabling person-alized search over encrypted outsourced data with efficiencyimprovementrdquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 9 pp 2546ndash2559 2016

[4] C Wang N Cao K Ren and W Lou ldquoEnabling secure andefficient ranked keyword search over outsourced cloud datardquoIEEE Transactions on Parallel and Distributed Systems vol 23no 8 pp 1467ndash1479 2012

[5] Z Fu X Sun Q Liu L Zhou and J Shu ldquoAchieving effi-cient cloud search services multi-keyword ranked search overencrypted cloud data supporting parallel computingrdquo IEICETransactions on Communications vol E98B no 1 pp 190ndash2002015

[6] Z Xia X Wang X Sun Q Liu and Q Wang ldquoA secure anddynamic multi-keyword ranked search scheme over encryptedcloud datardquo IEEE Transactions on Parallel and DistributedSystems vol 27 no 2 pp 340ndash352 2016

[7] M KuzuM S Islam andM Kantarcioglu ldquoEfficient similaritysearch over encrypted datardquo in Proceedings of the IEEE 28thInternational Conference on Data Engineering (ICDE rsquo12) pp1156ndash1167 IEEE Washington DC USA April 2012

[8] Z Fu X Wu C Guan X Sun and K Ren ldquoToward efficientmulti-keyword fuzzy search over encrypted outsourced datawith accuracy improvementrdquo IEEE Transactions on InformationForensics and Security vol 11 no 12 pp 2706ndash2716 2016

[9] P Xu S He W Wang W Susilo and H Jin ldquoLightweightsearchable public-key encryption for cloud-assisted wirelesssensor networksrdquo IEEE Transactions on Industrial Informaticsvol 14 no 8 pp 3712ndash3723 2018

[10] D Boneh G Di Crescenzo R Ostrovsky and G PersianoldquoPublic key encryption with keyword searchrdquo in Proceedingsof the International Conference on the Theory and Applicationsof Cryptographic Techniques EUROCRYPT 2004 vol 3027 ofLecture Notes in Computer Science pp 506ndash522 SpringerInterlaken Switzerland May 2004

[11] D Park K Kim and P Lee ldquoPublic key encryption withconjunctive field keyword searchrdquo in Proceedings of the Inter-national Workshop on Information Security Applications WISA2004 vol 3325 of Lecture Notes in Computer Science pp 73ndash86Springer Jeju Island Korea August 2004

[12] B Zhang and F Zhang ldquoAn efficient public key encryption withconjunctive-subset keywords searchrdquo Journal of Network andComputer Applications vol 34 no 1 pp 262ndash267 2011

[13] C Song X Liu and Y Yan ldquoEfficient public key encryptionwith field-free conjunctive keywords searchrdquo in Proceedings ofthe 6th International Conference on Trusted Systems (INTRUSTrsquo14) vol 9473 ofLectureNotes in Computer Science pp 394ndash406Springer International Publishing Beijing China December2014

[14] J Katz A Sahai and B Waters ldquoPredicate encryption support-ing disjunctions polynomial equations and inner productsrdquo inProceedings of the 27th Annual International Conference on theTheory and Applications of Cryptographic Techniques vol 4965of Lecture Notes in Computer Science pp 146ndash162 SpringerIstanbul Turkey April 2008

[15] Y Zhang and S Lu ldquoPOSTER efficient method for disjunctiveand conjunctive keyword search over encrypted datardquo inProceedings of the ACM SIGSAC Conference on Computer andCommunications Security pp 1535ndash1537 Hong Kong ChinaDecember 2014

[16] Y Zhang Y Li and Y Wang ldquoConjunctive and disjunctivekeyword search over encrypted mobile cloud data in publickey systemrdquo Mobile Information Systems vol 2018 Article ID3839254 11 pages 2018

[17] T Okamoto and K Takashima ldquoAchieving short ciphertexts orshort secret-keys for adaptively secure general inner-productencryptionrdquo in Designs Codes and Cryptography vol 77 pp725ndash771 2015

[18] D X Song D Wagner and A Perrig ldquoPractical techniquesfor searches on encrypted datardquo in Proceedings of the IEEESymposium on Security and Privacy (SampP rsquo00) pp 44ndash55 IEEEBerkeley Calif USA May 2000

[19] E J Goh ldquoIACR cryptology eprint archive secure indexesrdquoTech Rep 2003216 2003

[20] PGolle J Staddon andBWaters ldquoSecure conjunctive keywordsearch over encrypted datardquo in Proceedings of the 2nd Interna-tional Conference (ACNS rsquo04) M Jakobsson M Yung and JZhou Eds vol 3089 of Lecture Notes in Computer Science pp31ndash45 Springer YellowMountain China June 2004

[21] L Ballard S Kamara and FMonrose ldquoAchieving efficient con-junctive keyword searches over encrypted datardquo in Proceedingsof the 7th International Conference (ICICS rsquo05) S Qing WMao J Lopez and G Wang Eds vol 3783 of Lecture Notesin Computer Science pp 414ndash426 Springer Beijing ChinaDecember 2005

[22] B Wang M Li and H Wang ldquoGeometric range searchon encrypted spatial datardquo IEEE Transactions on InformationForensics and Security vol 11 no 4 pp 704ndash719 2016

[23] H Ren H Li H Chen M Kpiebaareh and L Zhao ldquoEfficientprivacy-preserving circular range search on outsourced spatialdatardquo in Proceedings of the IEEE International Conference onCommunications (ICC rsquo16) pp 1ndash7 IEEE Malaysia May 2016

[24] Q Wang M He M Du S S M Chow R W F Lai andQ Zou ldquoSearchable encryption over feature-rich datardquo IEEETransactions on Dependable and Secure Computing vol 15 no3 pp 496ndash510 2018

[25] M Du Q Wang M He and J Weng ldquoPrivacy-preservingindexing and query processing for secure dynamic cloud stor-agerdquo IEEE Transactions on Information Forensics and Securityvol 13 no 9 pp 2320ndash2332 2018

[26] S Kamara and T Moataz ldquoBoolean searchable symmetricencryption with worst-case sub-linear complexityrdquo in Pro-ceedings of the 36th Annual International Conference on theTheory and Applications of Cryptographic Techniques vol 10212of Lecture Notes in Computer Science pp 94ndash124 SpringerInternational Publishing Paris France April 2017

[27] M Abdalla M Bellare D Catalano et al ldquoSearchable encryp-tion revisited consistency properties relation to anonymousIBE and extensionsrdquo in Proceedings of the Annual InternationalCryptology Conference CRYPTO 2005 vol 3621 of Lecture Notesin Computer Science pp 205ndash222 Springer Santa BarbaraCalif USA August 2005

[28] Y H Hwang and P J Lee ldquoPublic key encryption with conjunc-tive keyword search and its extension to amulti-user systemrdquo inProceedings of the 1st International Conference on Pairing-BasedCryptography vol 4575 of Lecture Notes in Computer Sciencepp 2ndash22 Springer Tokyo Japan July 2007

[29] D Boneh and B Waters ldquoConjunctive subset and rangequeries on encrypted datardquo in Proceedings of the 4th Theory ofCryptography Conference (TCC rsquo07) vol 4392 of Lecture Notesin Computer Science pp 535ndash554 Springer Amsterdam TheNetherlands February 2007


[30] J Li Y Wang Y Zhang and J Han ldquoFull verifiability foroutsourced decryption in attribute based encryptionrdquo IEEETransactions on Services Computing p 1 2017

[31] J Li W Yao J Han Y Zhang and J Shen ldquoUser collusionavoidance CP-ABE with efficient attribute revocation for cloudstoragerdquo IEEE Systems Journal vol 12 no 2 pp 1767ndash1777 2018

[32] J Li Q Yu Y Zhang and J Shen ldquoKey-policy attribute-based encryption against continual auxiliary input leakagrdquoInformation Sciences vol 470 pp 175ndash188 2019

[33] J G Li W Yao Y C Zhang H L Qian and J G HanldquoFlexible and fine-grained attribute-based data storage in cloudcomputingrdquo IEEE Transactions on Services Computing vol 10no 5 pp 785ndash796 2017

[34] J Li H Yan and Y Zhang ldquoCertificateless public integritychecking of group shared data on cloud storagerdquo IEEE Trans-actions on Services Computing p 1 2017

[35] H L Qian J G Li Y C Zhang and J G Han ldquoPrivacy-preserving personal health record using multi-authorityattribute-based encryption with revocationrdquo InternationalJournal of Information Security vol 14 no 6 pp 487ndash497 2015

[36] J G Li X N Lin Y C Zhang and J G Han ldquoKSF-OABEoutsourced attribute-based encryption with keyword searchfunction for cloud storagerdquo IEEE Transactions on ServicesComputing vol 10 no 5 pp 715ndash725 2017

[37] J G Li Y R Shi andY C Zhang ldquoSearchable ciphertext-policyattribute-based encryption with revocation in cloud storagerdquoInternational Journal of Communication Systems vol 30 no 1Article ID e2942 2017

[38] A Joux ldquoThe Weil and Tate pairings as building blocks forpublic key cryptosystemsrdquo in Proceedings of the AlgorithmicNumber Theory Lecture Notes in Computer Science C Fiekerand D R Kohel Eds vol 2369 of Lecture Notes in ComputerScience pp 20ndash32 Springer Sydney Australia July 2002

[39] AD Caro ldquoThe java pairing based cryptography library (jpbc)rdquo2013 httpgasdiaunisaitprojectsjpbc

[40] H Cui Z Wan R H Deng et al ldquoEfficient and expressivekeyword search over encrypted data in the cloudrdquo IEEE Trans-actions on Dependable and Secure Computing vol PP no 99 p1 2016

International Journal of

AerospaceEngineeringHindawiwwwhindawicom Volume 2018

RoboticsJournal of

Hindawiwwwhindawicom Volume 2018


Active and Passive Electronic Components

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics

Hindawiwwwhindawicom

Volume 2018

Hindawi Publishing Corporation httpwwwhindawicom Volume 2013Hindawiwwwhindawicom

The Scientific World Journal

Volume 2018

Control Scienceand Engineering

Journal of



Journal ofEngineeringVolume 2018

SensorsJournal of



RotatingMachinery


Modelling ampSimulationin EngineeringHindawiwwwhindawicom Volume 2018


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation


Hindawi

wwwhindawicom Volume 2018

Advances in

Multimedia

Submit your manuscripts atwwwhindawicom


Semi-trusted CloudServer

Data Senders(Data Owners)

Encrypted Document

Encrypted Index

Trapdoor

Public key

Search ResultData Receiver(Data User)

Figure 1 Architecture of searchable public key encryption (SPE)

Although the SPE scheme has these weaknesses it still holdssome advantages for many applications Specifically for theapplication in which there are many data senders and onlyone data receiver (Figure 1) SSE needs that all senders andthe receiver hold the same symmetric key to generate theencrypted data So if one of the senders is compromised byan adversary then the data for all senders will be leakedCompared with SSE in SPE the public key can be accessedby all senders and the private key is only given to the receiverThus SPE can naturally solve the security problem of keymanagement in this application [9] and is an irreplaceablesolution

The first SPE named as public key encryption withkeyword search (PEKS) was introduced in [10] in whichsenders who hold 119901119896 can send their encrypted documentswith encrypted indexes to a server and the receiver holdingsecret key (119904119896) canmake a keyword search over the encrypteddata However this scheme only supports a single keywordsearch How to construct a public key encryption schemesupporting a complex query conditions such as the Booleankeyword search is a significant problem Specifically as twotypical Boolean keyword search schemes conjunctive anddisjunctive keyword search over encrypted data in the publickey setting are needed to be developed

Park et al [11] first proposed the public key encryptionwith conjunctive keyword search (PECK) scheme that sup-ports keywords search like 1199081 and 1199082 and 1199083 where 1199081 1199082and 1199083 are query words After that many PECK schemes[12 13] were proposed to improve the efficiency and securityThe first public key encryption with disjunctive keywordsearch (PEDK) scheme was proposed by Katz et al [14] Intheir work they proposed an inner product encryption (IPE)scheme and converted this IPE scheme into a PEDK scheme

which supports keywords search like 1199081 or1199082 or1199083 In an IPEscheme the secret key corresponding to a predicate vector 997888rarrVcan decrypt the ciphertext associated with an attribute vector997888rarr119909 if and only if 997888rarr119909 sdot 997888rarrV = 0 According to this property weknow that by converting index and query keyword set into anattribute and a predicate vector respectively an IPE schemecan be changed into a SPE scheme supportingmultikeywordssearch

In the practical cloud environment the user usuallyperform conjunctive and disjunctive keywords search simul-taneously In [15] Zhang and Lu proposed an approachof converting an IPE scheme into a public key encryptionwith conjunctive and disjunctive keyword search (PECDK)scheme and gave a concrete scheme In their scheme thesize of each documentrsquos index the size of a trapdoor andthe time cost of pairing operations in the test process are all119874(119873) Since119873 is the number of keywords in a dictionary theprevious PECDK scheme is impractical if119873 is a large integerInspired by this problem we proposed a new approach tobuild an efficient PECDK scheme with less time and spaceoverhead [16] However these two PECDK schemes are basedon the IPE scheme [17] which is a costly cryptographicprototype In this paper we aim to build an efficient PECDKscheme using an alternative method

Main Works In the scheme introduced in [17] the userfirst converts an index and a query keyword set into anattribute and a predicate vector respectively After this theuser can construct encrypted index and trapdoor by applyingthe attribute and predicate vectors to the encryption and keygeneration algorithms of IPE The keyword search processcan be executed by adopting the decryption algorithm ofIPE However this scheme is constructed by utilizing manygroup operations due to being based on the IPE scheme The









2 Preliminaries







































((


))

(3)











= (11986010 11986011 1198601119899 11986110 11986111 1198611119899 1198621 119863111986020 11986021 1198602119899 11986120 11986121 1198612119899 1198622 1198632 1198601198990 1198601198991 119860119899119899 1198611198990 1198611198991 119861119899119899 119862119899 119863119899

) (6)























119894












119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898






119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)


119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]


11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia










2 Preliminaries







































((


))

(3)











= (11986010 11986011 1198601119899 11986110 11986111 1198611119899 1198621 119863111986020 11986021 1198602119899 11986120 11986121 1198612119899 1198622 1198632 1198601198990 1198601198991 119860119899119899 1198611198990 1198611198991 119861119899119899 119862119899 119863119899

) (6)























119894












119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898






119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)


119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]


11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






































((


))

(3)











= (11986010 11986011 1198601119899 11986110 11986111 1198611119899 1198621 119863111986020 11986021 1198602119899 11986120 11986121 1198612119899 1198622 1198632 1198601198990 1198601198991 119860119899119899 1198611198990 1198611198991 119861119899119899 119862119899 119863119899

) (6)























119894












119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898






119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)


119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]


11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia






= (11986010 11986011 1198601119899 11986110 11986111 1198611119899 1198621 119863111986020 11986021 1198602119899 11986120 11986121 1198612119899 1198622 1198632 1198601198990 1198601198991 119860119899119899 1198611198990 1198611198991 119861119899119899 119862119899 119863119899

) (6)























119894












119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898






119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)


119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]


11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia












119895=0 1198861015840119895120578119895+120588119894sum119898119895=0 1198861015840119895119904119895)120588119894120582sum119898






119903120573119894119909 times119880119903120573119894120578119895119909+119910120573119894119895 119861120573119894119895 =119884119895119910120573119894119895 119862120573119894 = 119885119903120573119894119909 and 119863120573119894 = 1198672(119890(119880119880)119903120573119894119909)


119895

120573119894+119910120573119894119895minus119903120573119894120578

119895

119861120573119894119895 = 119880119905119895119910120573119894119895 119862120573119894 = 119881119903120573119894120582 119863120573119894 =1198672(119890(119880119880)119903120573119894) where 119895 isin [0 119899]


11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



11986012057310 11986012057311 1198601205731119899 11986112057310 11986112057311 1198611205731119899 1198621205731 119863120573111986012057320 11986012057321 1198601205732119899 11986112057320 11986112057321 1198611205732119899 1198621205732 1198631205732 1198601205731198990 1198601205731198991 119860120573119899119899 1198611205731198990 1198611205731198991 119861120573119899119899 119862120573119899 119863120573119899

))

(7)





































time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


















time c

ost o

f key

gen

erat

ion

(103 m

s)

5 10 15 20 25

of dimensions

000

001

002

003

004

010

2030

40


(a)

time c

ost o

f ind

ex b

uild

ing

(103 m

s)

5 10 15 20 25

of dimensions

050

100

150

050

0010

000

1500

0


(b)

time c

ost o

f tes

ting

(103 m

s)


010

020

030

040

0

010

0020

0030

0040

00



(c)

time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

010

2030

4050

60


(d)








time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



time c

ost o

f tra

pdoo

r gen

erat

ion

(103 m

s)


00

02

04

06

08

10

020

4060

8010

0


(a)

5 10 15 20 25

010

0020

0030

0040

0050

00

of documents

time c

ost o

f tes

ting

(103 m

s)



(b)









5 Conclusion



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia



Stor

age c

ost o

f pk

(kb)


01

23

45

010

020

030

040

050

0


(a)

Stor

age c

ost o

f sk

(kb)

5 10 15 20 25

of dimensions

01

23

45

010

020

030

040

050

0


(b)

5 10 15 20 25

05

1015

of dimensions

Stor

age c

ost o

f ind

ex (m

b)


(c)

5 10 15 20 25

010

2030

4050

of dimensions

Stor

age c

ost o

f tra

pdoo

r (kb

)


(d)



Data Availability




Acknowledgments


References













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia













































RoboticsJournal of




VLSI Design



Shock and Vibration







Journal of



Volume 2018



Volume 2018


Journal of




SensorsJournal of



RotatingMachinery





Propagation






Hindawi


Advances in

Multimedia


secure and efficient searchable public key encryption for...

Documents