A. Contribution

Based on the issues discussed, we propose a blockchain-assisted multi-keyword searchable encryption scheme in the IoT environment, named BAMKSE. By leveraging blockchain, a distributed ledger, we aim to mitigate the risks associated with centralized key distribution. Additionally, we integrate CP-ABE and KP-ABE technologies to achieve more fine-grained access control. Cloud servers provide a pre-decryption feature, significantly reducing decryption overhead on the user end. Our contributions are as follows.

• Combining CP-ABE technology with KP-ABE technology: In this paper, user access policy and revocation access policy are embedded in the ciphertext and ciphertext access policy is embedded in the key, respectively.

• Fine-grained access control: The scheme realizes the mutual authentication between the user and the data, enhances the security of the data, and achieves more fine-grained access control. Meanwhile, this scheme uses blockchain to solve a single point of failure.

• Supporting pre-decryption: By utilizing CSP’s powerful computing capability, it can perform pre-decryption and send the pre-decrypted ciphertext to data users, which reduces the computation and time overhead required for data users to decrypt the ciphertext locally.

• Supporting for multi-keyword search: This paper proposes an attribute-based multi-keyword searchable encryption scheme and it is safe in the security game.

B. Organization

In Section II introduces related work. In Section III presents the cryptographic knowledge relevant to this paper. Next, we design the system model and security model in Section IV. In Section V presents the specific details for implementing this scheme. Then, in Section VI, we conduct a correctness deduction and security analysis, verifying the effectiveness and security of the scheme. In Section VII compares the performance of this scheme with other schemes through a comparative analysis. In Section VIII, we evaluate and compare the time overhead of this scheme with other schemes. Section IX summarizes the entire paper.

A. Searchable Encryption

Due to the explosive growth of IoT devices, massive amounts of data are stored on cloud servers. Quickly and accurately retrieving required data while ensuring its security has become a critical issue. Searchable encryption technology allows for the retrieval of ciphertext stored in the cloud, and is categorized into symmetric searchable encryption (SSE) [12] and asymmetric searchable encryption (ASE) [13]. Song et al. [1] first proposed a symmetric searchable encryption scheme, which encrypts a single file into a series of ciphertext words. During the search phase, the retrieval is executed through the XOR operation between the keyword trapdoor and the index. However, this scheme is inefficient in terms of search speed.

Due to the inherent inefficiencies of single-keyword searchable encryption, most researchers have shifted their focus to multi-keyword searchable encryption. The paper [14] introduced fast searchable encryption schemes using multiplication and simultaneous congruences. Liang et al. [15] presented a dynamic multi-keyword searchable encryption scheme (DMSE). This scheme, based on multi-keyword retrieval, classifies outsourced data by privacy before constructing an inverted index structure, thereby significantly enhancing retrieval efficiency. Although DMSE is strong in terms of applicability and security, it generates a large number of keys and trapdoors without distributed key management, posing a single point of failure risk. Liu et al. [16] realized that existing SE schemes lack flexibility, efficiency, and robustness, thus proposing a matrix-based multi-keyword fuzzy search scheme. In this scheme, each query is encoded into a matrix, its size linear increasing with the number of keywords. The matrix-based construction offers flexibility but results in a performance decline. Li et al. [17] noted that cloud servers return all matching files without ranking them for relevance, and the update mechanism incurs high communication and computational costs, making it insufficient for dynamic real-world scenarios. Therefore, they proposed an efficient two-server ranked dynamic searchable encryption scheme (TS-RDSE). This scheme establishes a dynamic secure index and supports dynamic updates such as inserting and deleting files.

B. Attribute-Based Encryption

Although SE allows for the retrieval of encrypted data in cloud environments, a significant limitation of this technology is that any user possessing the keywords can retrieve the data. This mechanism does not achieve the objective of sharing data with specific users, indicating a lack of effective access control.

ABE technology can meet the aforementioned requirements, achieving the objective of sharing secrets with individuals possessing specific attributes. The attribute-based encryption scheme was first introduced by Shamir and Waters [2] collaboratively. Ciphertext policy attribute-based encryption (CP-ABE) [18] and key policy attribute-based encryption (KP-ABE) [19] are two different forms of ABE. These two forms are interconnected yet distinct in their approaches. CP-ABE embeds the access policy within the ciphertext, while attributes are embedded within the user’s key. Conversely, KP-ABE incorporates the access policy within the user’s key, with attributes being embedded within the ciphertext. Irrespective of the ABE variant, decryption of the ciphertext is contingent upon a match between the policy and the user’s attributes, ensuring that only users whose attributes satisfy the policy can decrypt the information.

C. Attribute-Based Searchable Encryption

Obviously, the combination of ABE and SE technology will enhance the security and retrieval efficiency of data in the cloud environment. An increasing number of researchers are dedicating efforts towards integrating SE with ABE to meet the security requirements of cloud storage.

Yin et al. [20] proposed a ciphertext-policy attribute-based searchable encryption scheme. They point out that granting authorized data users search permissions is an effective method to enhance data access control. The main idea of the scheme is that the data owner encrypts the data and indexes under specific access policies, and only data users who meet these access policies can perform retrieval. Liu et al. [21] proposed a multiple keywords searchable encryption scheme based on the coordination of cloud servers and edge nodes (EMK-ABSE). EMK-ABSE adopts an offline/online hybrid mode for encryption and leverages edge nodes for pre-decryption in the decryption process, collectively alleviating the computational burden on the client. Zhao et al. [22] presented a new attribute-based collaborative search encryption scheme (ABCSE-MU) in a multi-user environment. This scheme realizes the function of multi-user collaborative search by introducing collaborative nodes, which solves the problem of insufficient search privileges when users need to search. Sun et al. [23] proposed a third-party auditing-based multi-keyword attribute-searchable encryption scheme with data verifiability and attribute revocation, which introduces a validation algorithm to ensure that the search results are correct. However, this scheme still incurs high computational overhead. Yan et al. [24] proposed an access control scheme based on blockchain and attribute-searchable encryption in cloud computing environment. The scheme realizes fine-grained access and secure search of cloud data while supporting policy hiding and attribute revocation. Proxy encryption and decryption are also introduced to reduce the computational cost of users. Zou et al. [25] proposed a blockchain-assisted multi-keyword fuzzy search encryption (BCFSE) scheme for secure data sharing. BCFSE supports ciphertext search while realizing fine-grained access control. In addition, the security features of blockchain are utilized to ensure the correctness of search results.

However, while utilizing blockchain to achieve attribute management and maintenance, it also exposes the user’s attribute information to a certain extent. Xiang and Zhao [26] designed a blockchain-assisted searchable attribute encryption scheme for eHealth systems. The scheme not only provides secure outsourcing and fast search services for medical data stored in CSPs, but also enables lightweight decryption of data for users, and data owners can achieve fine-grained authorization of data users under specified access policies. However, this scheme does not consider authentication between data and users and is inefficient in searching. Liang et al. [15] proposed a dynamic multi-keyword searchable encryption scheme using inverted index. This approach improves the retrieval efficiency of ciphertexts on cloud servers by leveraging the inverted index. However, the scheme does not address authentication between data and users. Wang et al. [27] proposed a blockchain-based pairing-free publicly verifiable searchable encryption scheme. They started with linear pairing operations to reduce the computational overhead. Guo et al. [28] has designed a secure and efficient range query scheme specifically designed to handle outsourced cryptographically indeterminate data, such as those originating from IoT systems.

D. Blockchain

The decentralized nature of blockchain means that it can distribute a large number of keys without the risk of a single point of failure. Additionally, each transaction record in the blockchain requires verification by multiple nodes within the network, and once recorded, it is almost immutable.

An increasing number of researchers are exploring the integration of blockchain with access control technologies. Qin et al. [29] proposed a lightweight access control solution for the IoT that leverages attribute-based encryption and blockchain technology, utilizing smart contracts to verify the accuracy of outsourced decrypted data within the IoT environment. Li et al. [30] proposed an access control scheme for Smart Home (S-home) environments. This approach employs multiple smart contracts to facilitate fine-grained access control over data, while concurrently recording transactions in a distributed ledger for auditing purposes. Ding et al. [31] and Chaudhry et al. [32] introduced the access control scheme based on Iot system. Zhonghua et al. [33] proposed a blockchain-based access control model for the IoT. Leveraging blockchain technology, the model designs an access control mechanism for terminal devices and resources through IoT edge nodes. It aims to provide a novel solution to the shortcomings in current research on access control within edge computing and blockchain in IoT security systems. However, the scheme focuses solely on the access control of edge data in IoT and does not address the data in the existing environment. Han et al. [34] proposed an auditable access control model based on attributes, utilizing blockchain to manage private data access via logs and records. Additionally, a blockchain-based system ensures the security and auditable access of private data in IoT environments. Cui et al. [35] introduced a novel data sharing framework that integrates both cloud and edge computing paradigms. Positioned centrally, the edge server oversees all communications, enforcing predefined access policies to detect and prevent unauthorized data exchanges. Zhang et al. [36] proposed an attribute-based access control scheme aimed at furnishing IoT devices with decentralized, flexible, and fine-grained authorization capabilities.

Based on the above discussion, we compare several different searchable encryption schemes with ours scheme. The Table 1 for specific comparison details.

TABLE 1 Comparison of Different Searchable Encryption Schemes

A. Bilinear Mapping

Suppose there are two multiplicative cyclic groups $G_{1}$ and $G_{T}$ of prime order p. The bilinear map $e: G_{1} \times G_{1} \rightarrow G_{T}$ simultaneously satisfies the following properties:

• Bilinear: $\forall x,y\in G_{1}$ and $a,b\in \mathbb {Z}_{p}$ , $e(x^{a},y^{b})=e(x,y)^{ab}$ .

• Non-degeneracy: $\exists x,y\in G_{1}$ , $e(x,y)\neq 1$ .

• Computability: $\forall x,y\in G_{1}$ , $e(x,y)$ can be computed efficiently.

B. Access Structure

Consider an entity set $P = \{P_{1}, P_{2}, \ldots , P_{n}\}$ comprising n participants, where A is a subset of the power set $2^{P}$ . If for any subsets B and C, such that if $B \in A$ and $B \subseteq C$ , have $C \in A$ , then A is deemed monotonic. Furthermore, if A is non-empty and $A \in 2^{P}$ , it constitutes an access structure. The sets contained within A are referred to as authorized sets, while those not included in A are labeled as unauthorized sets.

C. Linear Secret Sharing Scheme

Linear secret sharing scheme (LSSS) is utilized to divide a secret into multiple shares, where only specific combinations of shares can reconstruct the original secret. The secret is represented as a vector of coefficients, while each share is computed as a linear combination of these coefficients. Let $\Pi$ denote a linear secret sharing scheme.

There is a matrix P, comprising r rows and c columns, is designated as the shared matrix on $\Pi$ . The column vector $v=(s,l_{2},l_{3},\ldots ,l_{c})^{T}$ comprises a secret $s\in \mathbb {Z}_{p}$ and $l_{2},l_{3},\ldots ,l_{c}\in \mathbb {Z}_{p}$ . $l_{2},l_{3},\ldots ,l_{c}$ are used to encrypt s. The mapping function $\rho :\{1,2,\ldots ,r\}\rightarrow ~(P\vec {v})$ be mapped to the vector $(P\vec {v})_{i}$ , where $i\in \ (1,2,3,\ldots ,r)$ represents the row index of P. When $\lambda _{i}=(P\vec {v})_{i}$ represents a participant in the r-th row association, holding one of the fragments of the secret. Q is an authorized collection, and $I \subseteq (1,2,3,\ldots ,r)$ is defined as $I=\{i:\rho (i) \in Q\}$ . Then there is a set of constants $z=\{z_{i}\in \mathbb {Z}_{p} \}_{_{i}\in \ I}$ such that condition $\sum _{_{i}\in \ I}z_{i}{P_{i}}=(1,0,0,\ldots 0)$ holds. If $\lambda _{i}$ is the set of valid secret fragments on $\Pi$ , then The following equation is satisfied: $$\begin{align*} \sum _{i\in I}z_{i}\lambda _{i} & = \sum _{i\in I}z_{i}(P\vec {v})_{i} \\ & = (1,0,\ldots ,0) \cdot (s,l_{2},l_{3},\ldots ,l_{c})^{T} \\ & = s. \tag {1}\end{align*}$$ View Source\begin{align*} \sum _{i\in I}z_{i}\lambda _{i} & = \sum _{i\in I}z_{i}(P\vec {v})_{i} \\ & = (1,0,\ldots ,0) \cdot (s,l_{2},l_{3},\ldots ,l_{c})^{T} \\ & = s. \tag {1}\end{align*}

D. Difficult Assumption

The problem known as Decisional Linear (DL) can be stated in the following manner. Given multiplicative cyclic group $G_{0}$ of prime order p. The generating element $\ g\in G_{0}$ and five numbers $a, b, c_{1}, c_{2}, Z\in \mathbb {Z}_{p}^{*}$ are randomly selected. Given tuples $X=(g, g^{a}, g^{b}, g^{ac_{1}}, g^{bc_{2}}, Q=g^{c_{1}+c_{2}})$ and $Y=(g, g^{a}, g^{b}, g^{ac_{1}}, g^{bc_{2}}, Q=g^{Z})$ . Arbitrary polynomial time attacker $\mathcal {A}$ has to distinguish random elements $g^{Z}$ and $g^{c_{1}+c_{2}}$ in $G_{0}$ after obtaining $(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}})$ . Define the advantage of attacker $\mathcal {A}$ in breaching the DLP to be $\boldsymbol {\varepsilon }$ . If the following equation holds, then we have Definition 1. $$\begin{align*} & \left |{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{c_{1}+c_{2}})=1 }}\right ] }}\right . \\ & \quad - \left .{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{Z})=1 }}\right ] }}\right | \geq \varepsilon . \tag {2}\end{align*}$$ View Source\begin{align*} & \left |{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{c_{1}+c_{2}})=1 }}\right ] }}\right . \\ & \quad - \left .{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{Z})=1 }}\right ] }}\right | \geq \varepsilon . \tag {2}\end{align*}

Decisional Bilinear Diffie-Hellman (DBDH) assumptions for prime-order bilinear groups. The bilinear map $e: G_{0} \times G_{0} \rightarrow G_{1}$ . Given multiplicative cyclic group $G_{0}$ of prime order p. The generating element $\ g\in G_{0}$ and five numbers $a, b, c, Z\in \mathbb {Z}_{p}^{*}$ are randomly selected. Given tuples $X=(g, g^{a}, g^{b}, g^{c}, Z)$ and $Y=(g, g^{a}, g^{b}, g^{c}, e(g,g)^{abc})$ . Arbitrary polynomial time attacker $\mathcal {A}$ has to distinguish random elements Z and $e(g,g)^{abc}$ in $G_{0}$ after obtaining $(g,g^{a},g^{b},g^{c})$ . Define the advantage of attacker $\mathcal {A}$ in breaching the DBDH to be $\boldsymbol {\varepsilon }$ . If the following equation holds, then we have Definition 2. $$\begin{align*} & \left |{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{c},Z)=1 }}\right ] }}\right . \\ & \quad - \left .{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{c},e(g,g)^{abc})=1 }}\right ] }}\right | \geq \varepsilon . \tag {3}\end{align*}$$ View Source\begin{align*} & \left |{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{c},Z)=1 }}\right ] }}\right . \\ & \quad - \left .{{ \Pr \left [{{ \mathcal {A}(g,g^{a},g^{b},g^{c},e(g,g)^{abc})=1 }}\right ] }}\right | \geq \varepsilon . \tag {3}\end{align*}

A. System Model

The BAMKSE includes four participants. The system model is shown in Fig. 2.

• DO: The data owner sets the user access policy and the revocation access policy for the data, encrypts the shared data and multi-keyword indexes, and uploads them to the CSP.

• DU: In instances where a DU exhibits interest in specific datasets provided by a DO, the DU is enabled to generate a search trapdoor, subsequently uploading it to the CSP for the purpose of data retrieval. The CSP plays a pivotal role in facilitating this process by executing pre-decryption techniques to derive an intermediate form of ciphertext, which is then transmitted to the DU. Crucially, if the attributes of the DU are in alignment with the user access structure embedded within the ciphertext by the DO, the DU’s attribute-based private key can effectively be utilized to decrypt the intermediate ciphertext, culminating in the acquisition of the plaintext.

• CSP: The CSP is responsible for storing encrypted data and indexing multi-keyword ciphertext for DO, and providing search and revocation services for ciphertext. It also provides pre-decryption service for DU that meet the privileges and returns the pre-decrypted ciphertext to the DU. The cloud server is honest and curious, meaning that it faithfully executes tasks submitted by users but also exhibits curiosity towards encrypted data.

• BC: The BC is comprised of trustworthy nodes. The current leader node of the blockchain receives the attributes of DU to be added to the system and generates the user’s private key on the chain based on its attributes.The leader node returns the user’s private key to the user through a secure channel. This is shown in Fig. 3.

FIGURE 2.

System model.

Show All

FIGURE 3.

Blockchain-based key generation and distribution process.

Show All

B. Scheme Definition

Our scheme is mainly divided into ten algorithms, including Setup, KeyGen, Encrypt, IndexGen, Trapdoor, Search, Predecrypt, Decrypt, TokenGen and Revoke. The workflow diagram of this scheme is shown in Fig. 4. The definitions of these algorithms are as follows.

FIGURE 4.

The workflow diagram of this scheme.

Show All

Setup($1^{\lambda }$ ) $\rightarrow$ (GP, MSK): The algorithm is executed by the current blockchain leader node, which inputs safety parameter $\lambda$ and outputs global parameters and main key of system.

KeyGen(GP, UID) $\rightarrow ~\boldsymbol {K}$ : The algorithm inputs the global parameters GP, user identity UID and outputs the key components K.

Encrypt(GP, UID, USK, M, $(\mathbb {P},\rho)$ , $(\mathbb {A},\pi)$ , $\boldsymbol {\Lambda }$ ) $\rightarrow ~\boldsymbol {C}$ : The algorithm inputs the global parameters GP, the user private key USK, user identity UID, plaintext M, user access policy $(\mathbb {P},\rho)$ , revocation access policy $(\mathbb {A},\pi)$ , ciphertext attribute set $\boldsymbol {\Lambda }$ and outputs the ciphertext components C.

IndexGen(GP, USK, W) $\rightarrow$ KI: The algorithm inputs the global parameters GP, the user private key USK, multiple keywords set W and outputs keywords index KI.

Trapdoor(GP, USK, $W^{\prime }$ ) $\rightarrow ~\boldsymbol {D}$ : The algorithm inputs the global parameters GP, the user private key USK, set of multiple keywords $W^{\prime }$ to be searched and outputs trapdoor D, where $W^{\prime }$ contains $n^{\prime }$ keywords.

Search(KI, D) $\rightarrow$ CT or $\perp$ : The algorithm inputs the keyword index KI and trapdoor D, and outputs the search results. After receiving the search request from DU, the CSP matches D with KI. If the match is successful, the corresponding ciphertext CT is returned to the DU. If the search fails, $\perp$ .

Predecrypt(GP, USK, K, CT) $\rightarrow$ ICT: The algorithm inputs the global parameters GP, the user private key USK, the key components K and ciphertext CT. If the attributes of the DU meet the user access policy in the ciphertext and the ciphertext attributes meet the ciphertext access policy, the CSP predecrypts the ciphertext to obtain the intermediate ciphertext ICT and sends the ICT to the DU.

Decrypt(GP, C, K, ICT) $\rightarrow ~\boldsymbol {M}$ : The algorithm inputs the global parameters GP, the ciphertext components C, the key components K and the intermediate ciphertext ICT. DU decrypts the ciphertext locally and obtains the plaintext M.

TokenGen(GP, C, K, USK) $\rightarrow$ RT: The algorithm inputs the global parameters GP, the ciphertext components C, the key components K and the user private key USK. If the revocation attribute of DU meets the revoke access policy in ciphertext and the ciphertext attribute meets the ciphertext access policy, the revoke token RT is generated for DU.

Revoke(C, K, RT) $\rightarrow$ 1 or 0: The algorithm inputs the ciphertext components C, the key components K and ciphertext revocation token RT. If $RK=RT$ , it is successfully revoked, output 1, otherwise output 0.

C. Security Model

In a secure ABSE scheme, the keywords index must satisfy indistinguishability security under a CKA. According to this criterion, the security model of this scheme is described as a game between attacker $\mathcal {A}$ and challenger $\mathcal {C}$ , where $\mathcal {C}$ attempts to compromise security through the outputs of $\mathcal {A}$ .

Initialization: $\mathcal {A}$ sets a challenge user access policy $(\mathbb {P}^{\prime },\boldsymbol {\rho }^{\prime })$ and a set of challenge ciphertext attributes $\boldsymbol {\Lambda }^{\prime }$ . $\mathcal {C}$ runs the Setup algorithm and sends GP and USK to $\mathcal {A}$ .

Query Phase 1: Adversary $\mathcal {A}$ queries the following queries adaptively.

• KeyGen Query: Adversary $\mathcal {A}$ submits UID to challenger $\mathcal {C}$ . $\mathcal {C}$ runs KeyGen algorithm to generate key component K and sends them to $\mathcal {A}$ .

• Index Query: In this process, the adversary $\mathcal {A}$ sends the key component K and a set of keywords collections W to the challenger $\mathcal {C}$ . Subsequently, $\mathcal {C}$ executes the IndexGen algorithm to generate the keywords index KI.

• Trapdoor Query: Challenger $\mathcal {C}$ randomly choose $v \in \mathbb {Z}_{p}^{*}$ and executes the Trapdoor algorithm to generate the trapdoor D.

• Challenge: Adversary $\mathcal {A}$ chooses two unchallenged keywords sets $W_{0}=w_{i_{0}},i\in [1,n]$ and $W_{1}=w_{i_{1}},i\in [1,n]$ of the same length as a challenge and sends them to challenger $\mathcal {C}$ . In the subsequent phase, $\mathcal {C}$ randomly selects $b \in \{0,1\}$ and executes the IndexGen algorithm to generate a challenge index $I_{w_{i_{b}}}^{*}=\prod _{i=1}^{n}I_{w_{i_{b}}}$ with a challenge user access structure $(\mathbb {P}^{\prime },\boldsymbol {\rho }^{\prime })$ and a set of challenge ciphertext attributes $\boldsymbol {\Lambda }^{\prime }$ . Finally, send the challenge index $I_{w_{i_{b}}}^{*}$ to the adversary $\mathcal {A}$ .

Query Phase 2: Adversary $\mathcal {A}$ adaptively repeats the Query Phase 1, querying the trapdoor for the set of keywords other than $W_{0}$ and $W_{1}$ .

• Guess: Finally, $\mathcal {A}$ outputs b as the guessed bits $b'$ . If $b = b'$ , then $\mathcal {A}$ wins the game. The advantage of winning is defined as $Adv_{\mathcal {A}} = \left |{{Pr[b' = b] - \frac {1}{2}}}\right |$ .

A. Correctness Deduction

• Correctness Deduction of Searching keywords

  The CSP assesses the match of a query ciphertext by checking if a specific equation is satisfied. $$\begin{equation*} e(D_{1},I_{1})e(D_{3},I_{3}) = e(D_{2},I_{2})e\left ({{\prod _{i=1}^{n^{\prime }}I_{w_{i}},D_{4}}}\right ).\end{equation*}$$ View Source\begin{equation*} e(D_{1},I_{1})e(D_{3},I_{3}) = e(D_{2},I_{2})e\left ({{\prod _{i=1}^{n^{\prime }}I_{w_{i}},D_{4}}}\right ).\end{equation*}

  Initially, one can compute the left side of the equation as described below: $$\begin{equation*} e(D_{1},I_{1})e(D_{3},I_{3}) = e(g^{\beta v},g^{r_{1}})e\left ({{\prod _{i^{\prime }=1}^{n^{\prime }}g^{H_{2}\left ({{w_{i^{\prime }}}}\right )\beta },g^{\mu r}}}\right ).\end{equation*}$$ View Source\begin{equation*} e(D_{1},I_{1})e(D_{3},I_{3}) = e(g^{\beta v},g^{r_{1}})e\left ({{\prod _{i^{\prime }=1}^{n^{\prime }}g^{H_{2}\left ({{w_{i^{\prime }}}}\right )\beta },g^{\mu r}}}\right ).\end{equation*}

  Subsequently, the right side of the equation can be determined through the calculation outlined next: $$\begin{equation*} e(D_{2},I_{2})e\left ({{\prod _{i=1}^{n^{\prime }}I_{w_{i}},D_{4}}}\right )\!=\!e(g^{v},g^{\beta r_{1}})e\left ({{\prod _{i=1}^{n^{\prime }}g^{H_{2}(w_{i})\beta r},g^{\mu }}}\right ).\end{equation*}$$ View Source\begin{equation*} e(D_{2},I_{2})e\left ({{\prod _{i=1}^{n^{\prime }}I_{w_{i}},D_{4}}}\right )\!=\!e(g^{v},g^{\beta r_{1}})e\left ({{\prod _{i=1}^{n^{\prime }}g^{H_{2}(w_{i})\beta r},g^{\mu }}}\right ).\end{equation*} It can be verified that the equation holds.

• Correctness Deduction of Pre-descryption $$\begin{align*} ICT & = \prod _{i\in \boldsymbol {\Psi }}\left [{{\frac {C_{i}^{1}\cdot e\left ({{H_{1}(\textit {UID}),C_{i}^{3}}}\right )}{e(K_{\rho (i)},C_{i}^{2})}}}\right ]^{h_{i}} \cdot \\ & \quad \prod _{j\in \boldsymbol {\Lambda }}\left [{{\frac {K_{j}^{1}\cdot e\left ({{H_{1}(\textit {UID}),K_{j}^{3}}}\right )}{e(C_{\eta (j)},K_{j}^{2})}}}\right ]^{f_{j}} \\ & = e(g,g)^{\varphi }\cdot e(g,g)^{s}. \tag {17}\end{align*}$$ View Source\begin{align*} ICT & = \prod _{i\in \boldsymbol {\Psi }}\left [{{\frac {C_{i}^{1}\cdot e\left ({{H_{1}(\textit {UID}),C_{i}^{3}}}\right )}{e(K_{\rho (i)},C_{i}^{2})}}}\right ]^{h_{i}} \cdot \\ & \quad \prod _{j\in \boldsymbol {\Lambda }}\left [{{\frac {K_{j}^{1}\cdot e\left ({{H_{1}(\textit {UID}),K_{j}^{3}}}\right )}{e(C_{\eta (j)},K_{j}^{2})}}}\right ]^{f_{j}} \\ & = e(g,g)^{\varphi }\cdot e(g,g)^{s}. \tag {17}\end{align*}

  Substituting $C_{i}^{1} = e(g,g)^{\vartheta _{i}}e(g,g)^{\alpha _{\rho (i)}\delta _{i}}$ , $C_{i}^{2} = g^{\delta _{i}}$ , $C_{i}^{3} = g^{\alpha _{\rho (i)}\delta _{i}}$ , $K_{j}^{1}=e(g,g)^{\lambda _{j}}e(g,g)^{\beta _{\eta (j)}\mu _{j}}$ , $K_{\rho (i)}=g^{\alpha _{\rho (i)}} \cdot H_{1}(\textit {UID})^{\alpha _{\rho (i)}}$ , $K_{j}^{3} = g^{\beta _{\eta (j)}\mu _{j}}$ , $K_{j}^{2} = g^{\mu _{j}}$ and $C_{\eta (j)} = g^{\beta _{\eta (j)}} \cdot H_{1}(\textit {UID})^{\beta _{\eta (j)}}$ into equation (17) yields the final result $e(g,g)^{\varphi } \cdot e(g,g)^{s}$ .

• Correctness Deduction of Revocation $$\begin{align*} RT & = \prod _{m\in \boldsymbol {\Omega }}\left [{{\frac {C_{m}^{1}\cdot e\left ({{H_{1}(\textit {UID}),C_{m}^{3}}}\right )}{e(K_{\pi (m)},C_{m}^{2})}}}\right ]^{l_{m}} \cdot \\ & \quad \prod _{j\in \boldsymbol {\Lambda }}\left [{{\frac {K_{j}^{1}\cdot e\left ({{H_{1}(\textit {UID}),K_{j}^{3}}}\right )}{e(C_{\eta (j)},K_{j}^{2})}}}\right ]^{f_{j}} \\ & = e(g,g)^{\chi }\cdot e(g,g)^{s}. \tag {18}\end{align*}$$ View Source\begin{align*} RT & = \prod _{m\in \boldsymbol {\Omega }}\left [{{\frac {C_{m}^{1}\cdot e\left ({{H_{1}(\textit {UID}),C_{m}^{3}}}\right )}{e(K_{\pi (m)},C_{m}^{2})}}}\right ]^{l_{m}} \cdot \\ & \quad \prod _{j\in \boldsymbol {\Lambda }}\left [{{\frac {K_{j}^{1}\cdot e\left ({{H_{1}(\textit {UID}),K_{j}^{3}}}\right )}{e(C_{\eta (j)},K_{j}^{2})}}}\right ]^{f_{j}} \\ & = e(g,g)^{\chi }\cdot e(g,g)^{s}. \tag {18}\end{align*}

Substituting $C_{m}^{1} = e(g,g)^{\psi _{m}} e(g,g)^{\gamma _{\pi (m)}\omega _{m}}$ , $C_{m}^{2} = g^{\omega _{m}}$ , $C_{m}^{3} = g^{\gamma _{\pi (m)}\omega _{m}}$ , $C_{\pi (m)} = g^{\gamma _{\pi (m)}} \cdot H_{1}(\textit {UID})^{\gamma _{\pi (m)}}$ , $K_{j}^{1} = e(g,g)^{\lambda _{j}}e(g,g)^{\beta _{\eta (j)}\mu _{j}}$ , $K_{j}^{2} = g^{\mu _{j}}$ , $K_{j}^{3} = g^{\beta _{\eta (j)}\mu _{j}}$ and $C_{\eta (j)} = g^{\beta _{\eta (j)}} \cdot H_{1}(\textit {UID})^{\beta _{\eta (j)}}$ into equation (18) yields the final result $e(g,g)^{\chi } \cdot e(g,g)^{s}$ .

B. Security Analysis

Initialization: $\mathcal {A}$ defines a challenge user access policy $(\mathbb {P}^{\prime },\boldsymbol {\rho }^{\prime })$ and a set of challenge ciphertext attributes $\boldsymbol {\Lambda }^{\prime }$ . Challenger $\mathcal {C}$ runs the Setup algorithm in this scheme and sends the global parameters GP and the user private key USK to $\mathcal {A}$ .

Query Phase 1: The adversary $\mathcal {A}$ queries the following queries adaptively.

KeyGen Query: The adversary $\mathcal {A}$ submits UID to challenger $\mathcal {C}$ . $\mathcal {C}$ runs KeyGen algorithm to generate key components K and sends K to $\mathcal {A}$ .

Index Query: In this process, the adversary $\mathcal {A}$ sends the key components K and a set of keywords collections W to the challenger $\mathcal {C}$ . Subsequently, $\mathcal {C}$ executes the IndexGen algorithm to generate the keywords index KI.

Trapdoor Query: The challenger $\mathcal {C}$ randomly chooses $v \in \mathbb {Z}_{p}^{*}$ and executes the Trapdoor algorithm to generate the trapdoor D. $\mathcal {C}$ sends D to $\mathcal {A}$ .

Challenge: The adversary $\mathcal {A}$ chooses two unchallenged keywords sets $W_{0}=w_{i_{0}}$ and $W_{1}=w_{i_{1}}$ , $i \in [1,n]$ of the same length as a challenge and sends them to challenger $\mathcal {C}$ . In the subsequent phase, $\mathcal {C}$ randomly selects $b \in \{0,1\}$ and executes the IndexGen algorithm to generate a challenge index ${I_{w_{i_{b}}}}^{*}=\prod _{i=1}^{n}{I_{w_{i_{b}}}}= g^{(H_{2}(w_{1_{b}}+w_{2_{b}}+\ldots +w_{n_{b}}))\beta r}$ with a challenge user access policy $(\mathbb {P}^{\prime },\boldsymbol {\rho }^{\prime })$ and a set of challenge ciphertext attributes $\boldsymbol {\Lambda }^{\prime }$ . Finally, send the challenge index $I_{w_{i_{b}}}^{*}$ to the adversary $\mathcal {A}$ .

The strengths of $\mathcal {A}$ are analyzed as follows:

When $\varpi =0$ , $Q=g^{c_{1}+c_{2}}$ . We define $a=\beta r$ , $b=\beta$ , $c_{1}=H_{2}(w_{1})+H_{2}(w_{2})+\cdots +H_{2}(w_{n})$ and $c_{2}=H_{2}(w_{1})+H_{2}(w_{2})+\cdots +H_{2}(w_{n^{\prime }})$ . Then, $I_{w_{i_{b}}}^{*}=g^{c_{1}a}$ , $D_{3}=g^{c_{2}b}$ . When $\varpi =1$ , $Q=g^{Z}$ . As a result of the randomness of Z, the index remains unpredictable to the adversary $\mathcal {A}$ and does not reveal any information about b.

Query Phase 2: The dversary $\mathcal {A}$ adaptively repeats the Query Phase 1, querying the trapdoor for the set of keywords other than $W_{0}$ and $W_{1}$

Guess: Finally, $\mathcal {A}$ outputs b of the guess bits $b^{\prime }$ . In the game, let the advantage of winning be defined as $Adv_{\mathcal {A}}=|Pr[b^{\prime }=b]-1/2|=\varepsilon$ . If this advantage $\varepsilon$ is negligible, then this program is considered CKA safe.

The advantage of $\mathcal {C}$ in the security game to successfully crack the DL problem is: $$\begin{align*} Adv& =1/2(\Pr [\mathcal {C}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{c_{1}+c_{2}})=0]) \\ & \quad +\Pr [\mathcal {C}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{Z})=0]-1/2 \\ & =1/2\left ({{1/2+\varepsilon +1/2}}\right .)-1/2=\varepsilon /2. \tag {19}\end{align*}$$ View Source\begin{align*} Adv& =1/2(\Pr [\mathcal {C}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{c_{1}+c_{2}})=0]) \\ & \quad +\Pr [\mathcal {C}(g,g^{a},g^{b},g^{ac_{1}},g^{bc_{2}},Q=g^{Z})=0]-1/2 \\ & =1/2\left ({{1/2+\varepsilon +1/2}}\right .)-1/2=\varepsilon /2. \tag {19}\end{align*}

Given the difficult nature of the DL problem, it is reasonable to infer that any $\mathcal {A}$ has a negligible advantage $\varepsilon /2$ in breaking our scheme. In other words, the probability of an adversary $\mathcal {A}$ realizing a keywords security attack in the face of our scheme is extremely low, ensuring the robustness of our scheme with respect to selected security metrics.

Query Phase 1: The adversary $\mathcal {A}$ queries the following queries adaptively.

Encrypt Query: The adversary $\mathcal {A}$ submits plaintext M to challenger $\mathcal {C}$ . $\mathcal {C}$ runs Encrypt algorithm to generate ciphertext components C and sends C to $\mathcal {A}$ . The challenge attributes used for encryption do not satisfy the access policy.

Challenge: The adversary $\mathcal {A}$ chooses two plaintext of equal length $M_{0}$ and $M_{1}$ . $M_{b}$ is sent to challenger $\mathcal {C}$ . $\mathcal {C}$ randomly selects $b \in \{0,1\}$ and executes the Encrypt algorithm to generate a challenge ciphertext $C^{*}$ with a challenge user access policy $(\mathbb {P}^{\prime },\boldsymbol {\rho }^{\prime })$ and a set of challenge ciphertext attributes $\boldsymbol {\Lambda }^{\prime }$ . Finally, send the challenge ciphertext $C^{*}$ to the adversary $\mathcal {A}$ .

Query Phase 2: The adversary $\mathcal {A}$ adaptively repeats the Query Phase 1, querying the plaintext other than $M_{0}$ and $M_{1}$ . Similarly, $\mathcal {A}$ cannot query the ciphertext encrypted with attributes that meet the access policy.

Guess: Finally, $\mathcal {A}$ outputs b of the guess bits $b^{\prime }$ . If $b^{\prime }=b$ , $\varpi =0$ , then $Q=e(g,g)^{abc}$ . The tuple received by $\mathcal {C}$ is $(g,g^{a},g^{b},g^{c},Q=e(g,g)^{abc})$ . Otherwise, $\varpi =1$ , the tuple received by $\mathcal {C}$ is $(g,g^{a},g^{b},g^{c},Q=Z)$ . When $b^{\prime }=b$ , $Adv_{\mathcal {A}}=|Pr[b^{\prime }=b]-1/2|=\varepsilon$ . When $b=0$ , let the advantage of winning be defined as $Adv_{\mathcal {A}}=Pr[b^{\prime }=b| b=0]=1/2+\varepsilon$ . When $b=1$ , $Adv_{\mathcal {A}}=Pr[b^{\prime }=b| b=1]=1/2$ .

The advantage of $\mathcal {C}$ in the security game to successfully crack the DBDH is: $$\begin{align*} Adv & = \Pr [\mathcal {C}(b^{\prime }=b)] - \frac {1}{2} \\ & = \frac {1}{2} \left ({{ \Pr [\mathcal {C}(b^{\prime }=b \mid b=1)] }}\right ) \\ & \quad + \frac {1}{2} \left ({{ \Pr [\mathcal {C}(b^{\prime }=b \mid b=0)] }}\right ) - \frac {1}{2} \\ & = \frac {\varepsilon }{2} \tag {20}\end{align*}$$ View Source\begin{align*} Adv & = \Pr [\mathcal {C}(b^{\prime }=b)] - \frac {1}{2} \\ & = \frac {1}{2} \left ({{ \Pr [\mathcal {C}(b^{\prime }=b \mid b=1)] }}\right ) \\ & \quad + \frac {1}{2} \left ({{ \Pr [\mathcal {C}(b^{\prime }=b \mid b=0)] }}\right ) - \frac {1}{2} \\ & = \frac {\varepsilon }{2} \tag {20}\end{align*}

If $\mathcal {A}$ can solve the proposed scheme with a non-negligible advantage $\varepsilon$ in PPT, then $\mathcal {C}$ can solve the DBDH problem with a non-negligible advantage $\varepsilon /2$ . However, DBDH is difficult, so this scheme can be backderived as IND-CPA safe.

A. Theoretical Storage Costs Comparison

The length of the element in $G_{1}$ can be defined as $\lvert G \rvert$ . Total number of keywords can be defined as d. $\lvert G_{T} \rvert$ indicates the length of the element in $G_{T}$ . $\lvert S \rvert$ represents the number of attributes owned by a user in the system. The number of search terms submitted by the user can be defined as t. Table 3 gives the theoretical storage costs comparison.

TABLE 3 Theoretical Storage Costs Comparison

B. Theoretical Computation Costs Comparison

Let $T_{e}$ represents the time taken for the exponential operation in the group, and $T_{p}$ denote the computation time for bilinear pairing. The encryption, index generation, trapdoor generation, search and decryption phase algorithm primarily incur theoretical computational costs, as detailed in Table 4.

TABLE 4 Theoretical Computation Costs Comparison

C. Comparison of Time Complexity

In Table 5, we compare and analyze the time complexity of BAMKSE against other schemes. Here, n represents the number of attributes, k denotes the number of keywords, and $k'$ indicates the number of keywords to be searched by the DU. As observed from Table 5, the overall time complexity of our BAMKSE algorithm is relatively low.

TABLE 5 Comparison of Time Complexity