Authorized Attribute-Based Encryption Multi-Keywords Search with Policy Updating

Attribute-based encryption is a cryptographic technique that provides flexible access control over encrypted data content in cloud storage. Each trusted authority needs to properly manage and distribute secret keys so that only users with authorized attributes receive them. However, existing schemes cannot be applied to multiple authorities, support only single-keyword search rather than multi-keyword search, and suffer from a high computational burden or inefficient attribute revocation. In this paper, a ciphertext-policy attribute-based encryption (CP-ABE) scheme is proposed which focuses on multi-keyword search and attribute revocation through new policy-updating features under multiple authorities and a central authority. The data owner encrypts the keyword index under the initial access policy. Moreover, this paper addresses further issues such as data access, search policy, and confidentiality against unauthorized users. Finally, we provide the correctness analysis, performance analysis and security proof for chosen keywords attack and search trapdoor in general group model using DBDH and DLIN assumption.


Introduction
Reflecting the new trends and rapid development in information technology and the Internet of Things (IoT), a large amount of data related to our lives is generated. For such large data, cloud computing enables us to share, access, and store these data while saving costs. Along with such facilities come many threats and issues around data storage, data processing, data access, and data search, where different parties would like to share their data based on users' attributes and achieve a hidden access policy. Traditionally, outsourced data is encrypted, and a significant technique for achieving fine-grained access control over it is attribute-based encryption (ABE). ABE can be classified into two categories. One is key-policy attribute-based encryption (KP-ABE), in which the secret key is attached to the access policy and the ciphertext is attached to the attribute set. The other is ciphertext-policy attribute-based encryption (CP-ABE), in which the secret key is attached to the attribute set and the ciphertext is attached to the access policy. Li et al. [1] proposed a scheme that combines both CP-ABE and KP-ABE in an application scenario of personal health records (PHR), where the users are divided into public and personal domains according to their roles. Meng et al. [2] proposed a key-policy attribute-based encryption scheme using a prime-order group to show the scheme's efficiency. The CP-ABE scheme of Bethencourt et al. [3] is a public-key construction that resolves the issue of fine-grained access control of shared data. Cheng et al. [4] proposed a CP-ABE scheme for a large universe of attributes, which reduces the storage and computational overhead of the existing CP-ABE scheme. Since the existing scheme cannot support multi-keyword search, in order to address this problem Miao et al. [5] proposed the ABE scheme personal health records with multi-keywords searches directional application for searchable
2) The defined CP-ABE scheme provides a secure transfer of the secret keys to users and the data owner through each trusted attribute authority with a low computation burden.
3) The proposed multi-authority CP-ABE scheme needs verification to give a better security proof in the presence of the central authority. Further, on revocation of a user's attributes, the keys of all non-revoked users' attributes and the ciphertext related to the revoked user's attributes can be updated through a new access policy that generates a new index set, such that a data user whose attribute is revoked cannot decrypt an updated ciphertext with the previous key. Our scheme resists collision attacks by using different global identities, preserving the ciphertext policy.
4) Our scheme is provably secure under the standard model: we formulate a reasonable security model and provide formal security proofs for chosen keywords and search trapdoor.
The rest of this paper is organized as follows. The preliminary definitions for our scheme construction are given in Section 2. The system model and security model are described in Section 3. The concrete construction of the scheme and the security proofs for chosen keywords attack (CKA) and search trapdoor are given in Sections 4 and 5. The details of the correctness proof and the theoretical and performance comparison are shown in Section 6. Finally, we conclude the paper in Section 7.

Preliminaries
In this section, we review some basic cryptographic definitions: bilinear maps, the Decisional Linear assumption (DLIN), access structures, and linear secret sharing schemes.

Bilinear Maps [20]
Definition 1: Bilinear maps: Let , be two multiplicative cyclic groups with prime order p and g is a generator of the group . Let e: × → be a bilinear map that satisfies the following properties: 1) Bi-linearity, 2) Non-degeneracy and 3) Computability.

Access Structure [18]
Definition 3: Access structure: Let = { } =1… be the set of attributes. A collection ⊆ 2 { 1 , 2 ,…, } is monotonic ∀ , if, B∈ , B⊆ then ∈ . An access structure is a collection of non-empty subsets, i.e., a set ⊆ 2 { 1 , 2 ,…, } . By an access structure we mean a monotonic access structure: the sets in are called authorized sets, and the sets not in are called unauthorized sets. The access structure can be converted into a Boolean function. The Boolean function works as an access tree: the attributes are present in the leaf nodes, and the intermediate and root nodes of the access tree are the logical AND/OR gates.

Linear Secret Sharing Scheme [19]
Definition 4: (LSSS) Linear secret sharing scheme: A linear sharing scheme over a set of attributes ={ } =1… is called linear over ℤ with row and column that called the sharing generating matrix of Π with ∀ =1,…, of matrix M. We let a function define the attributes labeling row of a matrix to attributes is ( ). We consider the column vector = ( , 1 , … , ) and ∈ ℤ p is a share of a secret to be shared. Chosen randomly
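The access-tree and LSSS definitions above, worked through as an added example (not code from the paper): an AND/OR policy is converted into a share-generating matrix M with row labelling rho using the Lewko-Waters labelling, the secret is shared as M·v, and reconstruction succeeds only for authorized attribute sets, including after the policy is replaced by one that drops a revoked attribute. The modulus, attribute names, policies and function names are assumptions made for the illustration, and the paper's own key-update and ciphertext-update algorithms are not modelled.

```python
import secrets

P = 2**127 - 1  # prime standing in for the group order p (assumed value)

def policy_to_lsss(policy):
    """Turn a tree of ('AND'|'OR', left, right) tuples with attribute-name
    leaves into (M, rho): rows of M over Z_p, rho[i] = attribute of row i."""
    rows, width, stack = [], 1, [(policy, [1])]
    while stack:
        node, vec = stack.pop()
        if isinstance(node, str):              # leaf: one row of M
            rows.append((vec, node))
        elif node[0] == "OR":                  # OR: both children inherit vec
            stack.extend([(node[2], vec), (node[1], vec)])
        else:                                  # AND: split over a fresh column
            padded = vec + [0] * (width - len(vec))
            stack.extend([(node[2], [0] * width + [-1]),
                          (node[1], padded + [1])])
            width += 1
    M = [[x % P for x in vec + [0] * (width - len(vec))] for vec, _ in rows]
    return M, [attr for _, attr in rows]

def share(secret, M):
    """lambda_i = M_i . v with v = (s, y_2, ..., y_n), y_j random in Z_p."""
    v = [secret % P] + [secrets.randbelow(P) for _ in M[0][1:]]
    return [sum(a * b for a, b in zip(row, v)) % P for row in M]

def recon_coeffs(M, rho, attrs):
    """Solve sum_i w_i * M_i = (1, 0, ..., 0) over the rows whose attribute
    is in attrs. Returns {row: w_i}, or None for an unauthorized set."""
    idx = [i for i, a in enumerate(rho) if a in attrs]
    n = len(M[0])
    # Augmented system: one equation per column of M, one unknown per row.
    A = [[M[i][c] for i in idx] + [int(c == 0)] for c in range(n)]
    pivots, r = [], 0
    for col in range(len(idx)):                # Gauss-Jordan elimination mod P
        pr = next((k for k in range(r, n) if A[k][col]), None)
        if pr is None:
            continue
        A[r], A[pr] = A[pr], A[r]
        inv = pow(A[r][col], -1, P)
        A[r] = [x * inv % P for x in A[r]]
        for k in range(n):
            if k != r and A[k][col]:
                f = A[k][col]
                A[k] = [(x - f * y) % P for x, y in zip(A[k], A[r])]
        pivots.append(col)
        r += 1
    if any(row[-1] for row in A[r:]):          # target vector not in the span
        return None
    return {idx[col]: A[k][-1] for k, col in enumerate(pivots)}

def reconstruct(shares, M, rho, attrs):
    """Recover the secret from the shares held by attrs, or None."""
    w = recon_coeffs(M, rho, attrs)
    return None if w is None else sum(c * shares[i] for i, c in w.items()) % P

# Constructed attribute names and policies, not taken from the paper.
OLD_POLICY = ("AND", "doctor", ("OR", "cardiology", "researcher"))
NEW_POLICY = ("AND", "doctor", "cardiology")   # "researcher" revoked

if __name__ == "__main__":
    secret = secrets.randbelow(P)
    for name, policy in (("old", OLD_POLICY), ("new", NEW_POLICY)):
        M, rho = policy_to_lsss(policy)
        got = reconstruct(share(secret, M), M, rho, {"doctor", "researcher"})
        print(name, "policy, {doctor, researcher} recovers secret:", got == secret)
```

Because the secret is re-shared under the new matrix, shares issued under the old policy give a holder of the revoked attribute nothing useful against the updated sharing.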

System Model Definitions Overview and Security Model
In this section, we provide a system model, access control framework and our security model for our proposed CP-ABE scheme under policy updating.

System Model
As shown in Fig. 1, our CP-ABE scheme with keywords and attribute revocation for a large attribute universe involves a central authority, multiple attribute authorities, a cloud server, a data owner and multiple users, and consists of the following five entities.
1) Central-Authority (CA): The CA is a trusted certificate authority responsible for registering both the users and each attribute authority, and for authenticating users, to reduce security issues such as correctness, fraud and error. Note that it does not participate in any attribute-related operation.
2) Attribute-Authority (AA): Each attribute authority ( ) is a trusted authority that is responsible for system initialization, secret key generation, and key distribution for the users' attributes, according to the user's rule or identity. During revocation of users' attributes, each attribute authority ( ) updates the secret keys of the non-revoked users and the data owner over a secure channel.
3) Cloud-Service-Provider (CSP): The CSP provides data storage for the data owner and a data access service for the data users. It provides search over the encrypted keyword index and ciphertext: if the match against the user's request succeeds, it sends the ciphertext and the searched keywords to the respective user; otherwise it denies the request. The CSP updates the ciphertext after attribute revocation based on the updated keys.
4) Data-Owner (DO): The DO first defines the access policy for the set of users' attributes, symmetrically enciphers the data under the hidden access policy, and uploads the keyword search index along with the ciphertext to the CSP. Only those data users that satisfy the access structure embedded in the ciphertext will be able to search and decrypt the uploaded index. In the revocation phase, the data owner creates a new attribute-user index set under a new access policy.
5) Data-Users (DU): The DU is an authorized set in which each user is identified by a unique identity and certificate and satisfies the access structure embedded in the ciphertext. The data users generate a search token and send it to the CSP; the CSP compares the token with the keyword query against the encrypted index and, on success, returns the search result for the interested keyword search w � ′ to the respective users whose attributes satisfy the access structure of the access policy.

High Level Overview
In our scheme, there are a number of attribute authorities = { 1 , 2 , … , } each authority manages a set of attributes = { } =1,… and choose randomly , ∈ ℤ * for ∈ [ ] and for the attributes revocation. Generate the public-key as the attribute set embedded in the ciphertext with a public key . In order to resolve the issue of collision resistance when creating a secret key for the users' relative attributes, the authority ( ) first, compute ( , ) = ∏ �. ∈ then authenticate the certificate CA sk . If, any user combining their secret key component using different global identities can appear in the form of ( , ( , ) � ∑ ∈ ) otherwise, it can be traced during the process of decryption ( * , ( , ) � * ∑ ∈ ) using different global identities we can prevent collision resistance in this way. The keywords index and ciphertext policy can be protected using a random number chosen ∈ ℤ * by the data owner encrypting the keywords index u � = ∏ ′ =1 as along with ciphertext choose , , ∈ ℤ and compute = p � hence the privacy policy can be implemented that preserved in the access policy. In the process of revoking users' attributes, the central authority issues the list of revoked users and sends it to each authority to update the secret keys for the users' attributes in the system. The data owner defines a new access policy to update and generates a new attribute-user index.

Security Model
The cloud server executes operations on encrypted data, but the server is also curious about the encrypted data content. However, we define the security model for our CP-ABE scheme under a central authority as a non-adaptive security game between the and Adversary and allow the with corrupt authority AAC a certain set of attribute authorities ( ) by getting the system parameter and send the entire queries to the challenger as follows.
(Adversary Queries) The Adversary submit his queries choose a random bit ′ ∈ (0,1) * to the as authorities ( − AAC ) remaining authorities are corrupt. The advantages of to win the game successfully show in the end the flip a random bit ∈ (0,1) reply to the adversary queries.
The run the setup algorithm for CA all corrupt authorities (AAC) to obtain the public key, a master key by giving the public key to the and kept the master key secret. The corrupt authority for which adversary query on * ⊆ to issues public-key query.
b) (AA-Public-Key) The adversary makes a query for non-corrupt authority public key ( ) as = − AAC = AuthN by himself and sends it to the challenger. For non-corrupt authority AuthN the send the public key to the and keeps the master key secret.
c) (Secret-Key-Query) ( , * , * , * , * , * , ( * ) ) → ( * ) Adversary makes a secret key query for the corrupt authority with pairs of keys, challenge access policy and system parameter with the illegal certificate registers from CA which does not issue secret key for the * entitled as unauthorized attributes. Because create the secret key as the difference ( − AAC) so for corrupt AAC the create ( * , * ) query by himself and submit to the challenger. The reply on access policy * and run a secret key generation algorithm with the query ≠ * , ∈ because authenticate and verify the certificate that does not exist in the list of legal users. Where * is an illegal global identity for * are the unauthorized attributes of to attribute authority which cannot satisfy himself as a non-corrupt authority.
d) (Keyword-query) Adversary select an access policy * = 1 * , 0 * for selected keywords with access structure p � * and w � * = w � 0, * , w � 1, * for * if, ( * , 0 * ) = 0 ⋀ ( * , 1 * )=0 not satisfied the adversary get * otherwise, terminate. The adversary chooses another query keyword set w � ′ * with p � * for w � ′ send to the challenger . Finally, the Challenger replies with the keyword encrypt algorithm for chosen keywords set w � * and w � ′ * . The adversary can no longer query for the authorized and legitimate keywords index w � and w � because does not satisfy himself as a non-corrupt authority.
e) (TK-Query) For the chosen keyword set w � ′ * the adversary run the token generation algorithm for attribute's set which cannot match to the legitimately interested keywords set w � ′ of the data owner. Challenger reply to run Key-Gen algorithm on the public key, secret key, keyword set w � ′ * and * submit by and restrict * with p � * , * does not satisfies the access policy the challenger generates a token for the keywords set w � ′ * and send to the adversary.
(Guess): The advantage of an adversary in the above game output guess 0 of ′ with negligible probability.

An Authorized Attribute-Based Encryption Multi Keywords Search with Policy Updating
In this section, we describe the concrete construction of our CP-ABE scheme, which includes multiple users' attribute revocation with policy updating and consists of the following eleven algorithms.

System Setup and Access Control Framework
The system initialization consists of two main algorithms: the central authority (CA) setup and the attribute authority ( ) setup, as shown below.
The Central authority taking each authority identity along with its secret key for all legal authority and users who want to join in the system. Randomly choose , ∈ ℤ to return its public key system parameter for ( ). The CA first, assign users with global identity generates the public key = and issues certificate using its secret key CA sk = ( , , 1 ) to each user. The input the public key, access policy, attributes set, master secret key, system parameter, and user's certificate output outsource private key, content key, and secret key for each legal user. First, compute � = and for each ∈

6) Gen-TK( , , , w � ′ ) → ( ) Each user inputs its public key, access policy, secret key, search query keyword index w � ′ the authorized users verify the access policy if search token matches the secret key of users CSP successfully return , ∈ [1, ] for ∈ , ∈ � , . Randomly choose , , ∈ ℤ generates the search token as The users can search send in interested query keyword w � ′ to CSP. For search server make a check if, the keyword index can match to the search the CSP output 1 to transmit the keywords to users must satisfy the following Eq. (1.3).
The data owner encrypts keywords as u � = ∏ ′ =1 ∈ generate an index set . The keywords index = ∈ [1, ] is a set of extracted keywords from files. Using statistical probability formula to execute the number of selected query keywords to the number of total query keywords.

Policy-Updating [19]
In our CP-ABE scheme, the data owner dynamically updates the policy for users' attributes to achieve efficient revocation through the following three main algorithms: 9) Attribute's-Users-Index-Update, 10) Key-Update, 11) Ciphertext-Update.

Choose two random vectors
then (0, ) ∈ ′ are the newly updated index set for the non-revoke user's attribute's generated by the data owner. Let = ( , ) and ′ = ( ′ , ′ ) represent an initial access policy/new access policy to generate a new index set by the following algorithm operation on a matrix of size × .
i) Input = ( , ) and ′ = ( ′ , ′ ) ii) adding ( , ) remove attribute's from while output ′ iii) where In attribute users revocation each input unrevoke attributes updated index, public key, master key, new access policy updating keys for non-revoked user's attributes. Randomly choose , , ′ , ′ , ′ ∈ ℤ and ′ , ′ ∈ return public key ′ , master ). The first, update the outsource private key ′ = ( , ) � ′ ( ′ − ) = ( � ′ , , ) using the outsource private key the attribute authorities update content key Then update the secret key ′ = ′ = � + ′ � of non-revoked users, attribute's under new access policy ′ while the identity of the revoke users will be deleted from the system.

11) CT-Update
The DO input non-revoke users list ′ get the updated key ′ from the collection the th block of ciphertext under new access policy ′ . Update those components of ciphertext related to revoke user's attributes. Choose randomly , ′ , ′ , ′ ∈ ℤ , ′ , ′ ∈ compute and update ciphertext.

Security Proof and Analysis
In this section we provide the security proof for our designed CP-ABE scheme, with the main security theorem for CKA with search trapdoor in the standard model, based on the Decisional Bilinear Diffie-Hellman (DBDH) and Decisional Linear (DLIN) assumptions.

Decisional Bilinear Diffie-Hellman (DBDH) Assumption [14]
Definition 5: Decisional Bilinear Diffie-Hellman assumption (DBDH) Let , be two multiplicative groups of a group and is bilinear pairing map. For the given elements , , , ∈ ℤ * and , , , ∈ , ( , ) = ( , ) ∈ the DBDH assumption is defined as no probabilistic polynomial-time (PPT) adversary can decide the tuple = ( , ) ) or ( , ) with non-negligible advantage. An algorithm that output ∈ (0,1) has advantages in solving the DBDH problem in .
Theorem 1. The PPT adversaries have at most non-negligible advantages to break our scheme under the DBDH and DLIN assumptions, un-recoverable security against chosen keywords index and search token with non-negligible advantages 2 .
Proof: Suppose there exists a PPT adversary who wants to break our scheme with non-negligible advantage . We build a challenger which has the same non-negligible advantages under the DBDH and DLIN assumptions. Challenger choose , , , ∈ ℤ , ∈ let = the give ( , , , , ( , ) ) from ( , , , , ( , ) ) query of to return random bit ∈ (0,1). To answer this challenge, the challenger plays the security game as follows.
(Setup) The challenger run setup algorithm for both CA(Setup), each attribute authority using bilinear map give to an adversary. The adversary randomly choose * ⊂ for the corrupt authority ℎ = − * the remaining authority are non-corrupt the challenger sends public key of non-corrupt authority to . The randomly choose , ∈ ℤ * , , ∈ ℤ for the set of user's attribute's ( , ) = ( , ) − p � i compute public key and the master key kept secret as follows. . An Adversary cannot satisfy the access policy for unauthorized attribute set * ⊂ � the challenger add them to the keyword list w � and send the tokens to the adversary.
restraint the challenge attribute set * ∈ cannot verify the access structure. The need to distinguish from ( 1 + 2 ) ( ) for w � 0, and w � 1, the send keywords index set to an adversary.
(Phase 2) The adversary submits queries similar to Phase 1 at most q times, with the restriction that no such keywords for the selected and legitimate keywords index can exist. The probability to get from is same as the probability of = ′ . No such collision occurs in and in the general group model and hence the probability of collision is negligible.
(Guess) The adversary makes a guess at last ′ ∈ [0,1] where ≠ ′ the adversary consider = ℎ 1 + 2 is legitimate keywords search index the probability to solve the DBDH problem and recover � ′ � from is negligible with non-negligible advantages of probability 2 as follows.
Theorem 2: Our proposed scheme un-revocable secure against cloud server, unauthorized user's attribute to provide privacy-preserving for data confidentiality, collision resistance in the system.

Correctness Verification of Keywords Search and Ciphertext Decryption
In this section, we provide the details of the correctness analysis, the comparison of theoretical analysis, performance analysis, and complexity computation for our proposed CP-ABE scheme. This section consists of the correctness proof of successful keywords search and ciphertext decryption. We first analyze the correctness of matching keywords index with a search token the Eq.  control supports privacy preservation against collusion resistance. It also achieves multi-keyword search and efficient revocation of users' attributes by the related attribute authority through the policy-updating operation, with minimal computational and communication load on the data owner. We provide the security analysis for chosen keywords attack and search token, the correctness verification, and a performance analysis compared to the existing scheme. The security of our scheme for the encrypted keywords index and search token is proven in the standard model using the DBDH and DLIN assumptions.