Searchable Encryption with Access Control on Keywords in Multi-User Setting

Searchable encryption makes it convenient for people to search encrypted data by keyword. A data owner shares his data with other users on a cloud server, and for security he needs a fine-grained and flexible access control mechanism. The main idea of this paper is to let the owner classify his data and then authorize other users according to those categories. The cloud server maintains a permission matrix, which is used to verify whether a trapdoor is valid or not. In this way we achieve access control and narrow the search range at the same time. We prove that our scheme achieves index and trapdoor indistinguishability under chosen keyword attack in the random oracle model.


Introduction
Cloud services bring great convenience to people because of their powerful computing capacity and rich storage resources. Nowadays more and more people store their files on the cloud server to save limited local storage. However, the cloud server cannot be fully trusted. To prevent personal data from leaking, users need to encrypt their data before uploading it to the server. People soon found it difficult to search over ciphertext. One apparent solution is to let the cloud server decrypt all ciphertext and do the search work, but this is equivalent to exposing all plaintext to the administrator of the server. Another solution is to download all data, decrypt it and search it locally, which needs a huge amount of local storage. Obviously, neither is feasible. Searchable encryption technology emerged to meet this need: it enables people to search directly over ciphertext with keywords while leaking little information [Li, Zhao, Jiang et al. (2017); Xiong and Shi (2018); Liu, Peng and Wang (2018)]. In the multi-user environment, for security [Xia, Xiong, Vasilakos et al. (2017)], people should have different access rights to the data on the cloud server [Xia, Lu, Qiu et al. (2019)]. Take an electronic medical system as an instance. To protect a patient's privacy, we prescribe that physicians can only retrieve medical records about internal medicine and ophthalmologists can only retrieve medical records about ophthalmology. No one should be able to access data he is not authorized for. Thus we propose a searchable encryption scheme whose purpose is to improve search efficiency and protect privacy at the same time. In some traditional searchable encryption schemes, because of trapdoor indistinguishability, the server cannot deduce any information about the keyword, so it cannot determine whether a user has access to the keyword he wants to search for unless extra information is attached to the indexes.
However, in that approach, once the set of users changes, almost all indexes need to be reconstructed. In our scheme, to set access control for his data, the owner first classifies it into categories. For each category, he extracts a keyword as a subject heading. When a user initiates a search request to the cloud server, his trapdoor includes not only the keyword but also a subject heading. After receiving a trapdoor, the cloud server checks whether it is a valid request; in other words, the server needs to know whether this user has access to the data the trapdoor refers to. If the answer is "Yes", the server searches directly within that subject. Otherwise, the server rejects the request. In general, the contributions of this paper are as follows:
1. Flexible access control: Administrators can flexibly modify the access rights of other users by maintaining a permission matrix. When the user population changes, there is no need to reconstruct indexes or change keys.
2. Decentralization: In our scheme, every user keeps his private key himself; we do not need a third party for key management.
3. High efficiency: To determine the validity of a search query, the server does not need to match it against the indexes one by one. Instead, a small number of operations suffice for the server to accept or reject it.
The remaining part of this paper is arranged as follows. In the second section, we introduce related work on access control in multi-user searchable encryption schemes. In the third section, we introduce the preliminaries of this scheme. The fourth section introduces our searchable encryption scheme in detail. Finally, we provide the security analysis of our scheme.

Related work
In 2000, Song et al. [Song, Wagner and Perrig (2000)] introduced the problem of searching on an untrusted server and proposed the scheme SWP, which has low efficiency but can be viewed as a primitive searchable encryption scheme. In 2004, Boneh et al. [Boneh, Crescenzo and Ostrovsky (2004)] first introduced public key cryptography into searchable encryption. In 2011, Curtmola et al. [Curtmola, Garay, Kamara et al. (2006)] proposed a searchable encryption scheme in the multi-user setting for the first time, which is much more practical than the single-user mode. Several schemes have improved multi-user searchable encryption [Raza, Rashid and Awan (2017); Goyal, Pandey, Sahai et al. (2006); Tang (2014); Yang (2013); Li, Yu, Cao et al. (2011) etc.]. In these schemes, everyone classifies his or her documents and then sets access control for each level of the data. Finally, all the users generate a permission matrix together, and only those who have been granted access are able to pass the authentication of the server. Each user can be granted access autonomously and select his search scope independently. Their scheme also weakens the role of a third party and provides efficient key distribution. In Bao et al. [Bao, Robert and Ding (2008)], an administrator is responsible for managing and distributing keys for all users. In the key generation algorithm, he also generates an auxiliary key, which is used for checking the validity of a search query. In this way, the administrator can achieve access control dynamically. Wang et al. [Wang, Mu, Chen et al. (2016)] implemented an efficient searchable encryption scheme for sharing data among users in a decentralized group. Each member's public key is needed when generating an index, and any user is able to generate a trapdoor using his or her own secret key. Moreover, their scheme adapts to dynamic changes of the group by adjusting users' search authorities in time.
Wang et al. [Wang, Wang and Pieprzyk (2008)] put forward the concept of threshold access control based on Shamir secret sharing [Rong (2015); Tartary and Wang (2006)]. In a group of n users, only t or more persons can collaborate to generate a valid trapdoor. Later, Zirtol et al. [Zirtol, Noroozi and Eslami (2016)] extended the scheme to support general access structures: instead of a threshold limit, only a group that meets a pre-defined condition can collaborate to search the desired data. Many other schemes that set access control based on identity [Boneh, Boyen and Goh (2005); Ma, Dui and Yang (2016); Boneh and Franklin (2003); Yang (2011)] add the authorization information to each index. After receiving a trapdoor, the server matches it against the indexes one by one. Note that at this point the server not only needs to determine whether an index matches the trapdoor, but also needs to make sure that this user is granted access to the file. The server returns the corresponding files if and only if both conditions are met. Although these schemes achieve fine-grained access control, the complex indexes bring too much computation, and once the group changes, all indexes need to be rebuilt.

Preliminaries
In this section we will introduce some preliminary knowledge related to our scheme.

Bilinear mapping
3. Computability. There is an efficient algorithm such that for any $u \in \mathbb{G}_1$ and $v \in \mathbb{G}_2$, $e(u, v)$ can be computed.

Difficulty hypothesis
Definition 3.2 Let x be a primitive root of the finite field $GF(p^n)$ and z a non-zero element of $GF(p^n)$. The discrete logarithm problem (DLP) is to find an exponent $\alpha$ such that $x^{\alpha} \equiv z \pmod{p^n}$; here $\alpha$ is called the discrete logarithm of z to the base x.

Definition 3.3 (Bilinear Diffie-Hellman Variant assumption [Lu (2017)])
There is a negligible function negl such that for any PPT adversary $\mathcal{A}$ and for every sufficiently large security parameter k, the following holds: Pr g g g g e g g Pr Adv g g g g R negl k = − = = (1)

Definition 3.4 (External Diffie-Hellman Variant assumption [Lu (2017)])
There exists a negligible function negl such that for any PPT adversary $\mathcal{A}$ and for every sufficiently large security parameter k, the following holds: Pr g g g g g g Pr Adv g g R g g g negl k = − = = (2)

Model of scheme

4.1 Notation
The following table shows some notations used in this paper:

Test($T^{i}_{(w,t)}$, M): This algorithm is run by the cloud server. After receiving a trapdoor, the server tests it against the permission matrix M. If the server determines that the trapdoor is valid, it is used in the following steps. Otherwise, the server rejects the follow-up operations and prompts "Unauthorized Access!".
Search($C_w$, $T_w$): Once the server accepts a trapdoor, it performs the subsequent matching work to find the files relevant to the keyword.

Security model

4.3.1 Index indistinguishability under chosen keyword attack
This requirement protects all indexes stored on the cloud server. Neither an internal nor an external adversary is able to deduce any information about any keyword even if he obtains the index. To prove this, we first define a challenger $\mathcal{C}$ and a PPT adversary $\mathcal{A}$, then define a game between them.
-Setup. The challenger $\mathcal{C}$ runs the setup algorithm to generate the public parameters param and sends them to $\mathcal{A}$.

Trapdoor indistinguishability under chosen keyword attack
This requirement protects the trapdoor generated by a user. Even if an adversary eavesdrops on a trapdoor, he is not able to deduce any information about the keyword and the subject it contains. To prove it, we again define a game between the challenger $\mathcal{C}$ and the adversary $\mathcal{A}$.
-Setup. The challenger $\mathcal{C}$ initializes the system to generate the public parameters param and sends them to $\mathcal{A}$. ... $T_{(w,t)}$ to $\mathcal{A}$.
-Adaptive ask. $\mathcal{A}$ can query $\mathcal{C}$ adaptively. Each time, $\mathcal{C}$ provides the corresponding index $C_{w_k}$ and trapdoor $T_{(w,t)}$ ... he wins.
Our scheme satisfies trapdoor indistinguishability under chosen keyword attack if for all sufficiently large k and for all PPT adversaries $\mathcal{A}$, there is a negligible function negl such that:

Construction
Setup($1^k$): The data owner takes the security parameter k as input to initialize the setup algorithm, which outputs the public parameters ... We define the element ... As long as the keyword $w_k$ indeed belongs to subject $t_j$, the value above must belong to $\psi_j$, which means user $u_i$ passes the authentication.
We require that the intersection of any two classes be empty, so for any two distinct subjects m and n we have $\psi_m \cap \psi_n = \emptyset$. This means there is no way to search the same keyword under another subject, and a user can search the data he wants only after being granted access.
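The following Python example is added here to illustrate the server-side Test/Search flow described in the model section and the disjoint-class requirement above. It is not the paper's construction: the pairing-based key material is replaced by a hypothetical per-subject HMAC key that derives keyword tokens, the permission matrix M is modelled as a dictionary held by the server, and the subjects, keyword classes and documents are constructed sample data. What it demonstrates is the structural property the paper relies on: authorization is decided by M before any index matching, revocation is a matrix update that leaves indexes and keys untouched, and a trapdoor presented under a subject the user was not granted is rejected even when its keyword token is valid elsewhere.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: two subjects (categories) with their keyword
# classes psi_j. The scheme requires psi_m ∩ psi_n = ∅ for distinct m, n.
SUBJECTS = {
    "internal_medicine": {"diabetes", "hypertension", "asthma"},
    "ophthalmology": {"cataract", "glaucoma", "myopia"},
}

# Constructed sample documents: (doc_id, subject, keywords)
DOCUMENTS = [
    ("rec-001", "internal_medicine", ["diabetes", "hypertension"]),
    ("rec-002", "internal_medicine", ["asthma"]),
    ("rec-101", "ophthalmology", ["glaucoma"]),
    ("rec-102", "ophthalmology", ["cataract", "glaucoma"]),
]


def check_disjoint(subjects):
    """True iff no keyword is assigned to two different subjects."""
    owner_of = {}
    for subject, keywords in subjects.items():
        for w in keywords:
            if owner_of.setdefault(w, subject) != subject:
                return False
    return True


def derive_token(subject_key, keyword):
    # Hypothetical stand-in for the pairing-based trapdoor/index element.
    return hmac.new(subject_key, keyword.encode(), hashlib.sha256).hexdigest()


class Owner:
    """Data owner: classifies data, builds per-subject indexes, manages M."""

    def __init__(self, subjects):
        if not check_disjoint(subjects):
            raise ValueError("keyword classes must be pairwise disjoint")
        self.subjects = subjects
        self.subject_keys = {t: secrets.token_bytes(32) for t in subjects}
        # Permission matrix M: (user, subject) -> 1 (granted) / 0 (revoked)
        self.matrix = {}

    def build_index(self, documents):
        """Per-subject inverted index: subject -> token -> {doc_id}."""
        index = {t: {} for t in self.subjects}
        for doc_id, subject, keywords in documents:
            for w in keywords:
                if w not in self.subjects[subject]:
                    raise ValueError(f"{w!r} not in class of {subject!r}")
                tok = derive_token(self.subject_keys[subject], w)
                index[subject].setdefault(tok, set()).add(doc_id)
        return index

    def grant(self, user, subject):
        self.matrix[(user.name, subject)] = 1
        user.keys[subject] = self.subject_keys[subject]  # key handed out once

    def revoke(self, user, subject):
        self.matrix[(user.name, subject)] = 0  # no re-keying, no re-indexing


class User:
    def __init__(self, name):
        self.name, self.keys = name, {}

    def trapdoor(self, subject, keyword):
        """Trapdoor T_{(w,t)}: carries the user, the subject and the token."""
        return (self.name, subject, derive_token(self.keys[subject], keyword))


class Server:
    def __init__(self, index, matrix):
        self.index, self.matrix = index, matrix

    def test(self, trapdoor):
        """Test algorithm: consult M only, no index matching yet."""
        user, subject, _ = trapdoor
        return self.matrix.get((user, subject), 0) == 1

    def query(self, trapdoor):
        """Test, then Search restricted to the trapdoor's subject."""
        if not self.test(trapdoor):
            return "Unauthorized Access!", set()
        _, subject, token = trapdoor
        return "OK", set(self.index[subject].get(token, set()))


def demo():
    owner = Owner(SUBJECTS)
    server = Server(owner.build_index(DOCUMENTS), owner.matrix)
    physician, eye_doctor = User("physician"), User("ophthalmologist")
    owner.grant(physician, "internal_medicine")
    owner.grant(eye_doctor, "ophthalmology")
    snapshot = {t: dict(m) for t, m in server.index.items()}
    out = {}
    out["phys_ok"] = server.query(physician.trapdoor("internal_medicine", "diabetes"))
    out["eye_ok"] = server.query(eye_doctor.trapdoor("ophthalmology", "glaucoma"))
    # A valid token re-labelled with an ungranted subject fails Test.
    tok = physician.trapdoor("internal_medicine", "diabetes")[2]
    out["wrong_subject"] = server.query(("physician", "ophthalmology", tok))
    owner.revoke(physician, "internal_medicine")
    out["after_revoke"] = server.query(physician.trapdoor("internal_medicine", "diabetes"))
    out["index_unchanged"] = server.index == snapshot
    return out


if __name__ == "__main__":
    print(demo())
```

Because the server's decision is taken from M before any matching, revoking the physician costs one matrix update and the index built at setup is reused unchanged, which is the efficiency argument the paper makes against schemes that embed authorization in every index.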

Correctness in test algorithm
Once the server accepts a query in the last algorithm, it is going to search with the new

Index indistinguishability under chosen keyword attack
Indexes stored on the cloud server should not leak any information about the corresponding keywords. Even an adversary given the most powerful abilities still cannot distinguish any two encrypted indexes with non-negligible probability. Proof. To prove that our scheme achieves IND-CKA security, we use a sequence of hybrid games, starting from the one defined in the security model (4.3.1) and ending with the last game. It is easy to see that the adversary wins the last game with probability 1/2. Our proofs are in the random oracle model, and $H_1$ is a programmable random oracle. Game 0 is defined as follows: (2). "Trapdoor for keyword $w_k$ and subject $t_1$ of user $u_j$": The challenger $\mathcal{C}_0$ returns the corresponding trapdoor ... -Guess. $\mathcal{A}_0$ outputs $b'$; if $b' = b$, he wins.
Finally, when $\mathcal{A}_0$ successfully distinguishes Game 2 from Game 1, $\mathcal{A}_1$ is able to break the EDHV assumption. In Game 2, all the information about the keys is useless, so the adversary can win the game only with probability 1/4.

Comparison
We compare our scheme with some others and show the details in the following table.
Here P denotes a pairing operation, E an exponentiation and H a hash operation. From the table, we can see that our work achieves a balance between computation and storage cost. We also carried out experiments with the JPBC library in Java on a computer with an Intel Core i5-3210M CPU at 2.5 GHz.

Conclusion
In this paper, we proposed a searchable encryption scheme that supports fine-grained access control. By maintaining a permission matrix, a user can flexibly manage the access rights to his data. Many problems remain to be solved in the multi-user setting, dynamic security being one of them, and our future research will focus on it.