Open AccessArticle

Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search

Hanshu Hong

¹,

Yunhao Xia

¹ and

Zhixin Sun

^1,2,*

Key Lab of Broadband Wireless Communication and Sensor Network Technology, Ministry Education, Nanjing University of Posts and Telecommunications, Nanjing 210003, China

Institute of Modern Posts, Nanjing University of Posts and Telecommunications, Nanjing 210003, China

Author to whom correspondence should be addressed.

Symmetry 2017, 9(6), 89; https://doi.org/10.3390/sym9060089

Submission received: 29 March 2017 / Revised: 20 May 2017 / Accepted: 13 June 2017 / Published: 16 June 2017

Download

Browse Figure

Versions Notes

Abstract

Searchable encryption mechanism and attribute-based encryption (ABE) are two effective tools for providing fine-grained data access control in the cloud. Researchers have also taken their advantages to present searchable encryption schemes based on ABE and have achieved significant results. However, most of the existing key word search schemes based on ABE lack the properties of key exposure protection and highly efficient key updating when key leakage happens. To better tackle these problems, we present a key insulated attribute-based data retrieval scheme with key word search (KI-ABDR-KS) for multi-tenant architecture. In our scheme, a data owner can make a self-centric access policy of the encrypted data. Only when the possessing attributes match with the policy can a receiver generate a valid trapdoor and search the ciphertext. The proposed KI-ABDR-KS also provides full security protection when key exposure happens, which can minimize the damage brought by key exposure. Furthermore, the system public parameters remain unchanged during the process of key updating; this will reduce the considerable overheads brought by parameters synchronization. Finally, our KI-ABDR-KS is proven to be secure under chosen-keyword attack and achieves better efficiency compared to existing works.

Keywords:

attribute-based data retrieval; key word search; key exposure protection; multi-tenant architecture

1. Introduction

With the rapid development of computer science and telecommunication, users can now enjoy various services via the Internet such as online shopping, remote medical monitoring, etc. These services produce massive data, which may contain a great amount of sensitive data like cellphone numbers, accommodation addresses, etc. Thus, the confidentiality of these data should be highly protected [1]. Encryption is a promising method to provide security protection for these sensitive data. Through encryption, these data are transformed into ciphertexts and stored securely in data clusters. However, traditional encryption techniques will prevent some common operations on ciphertexts—especially in terms of searching. For instance, a data owner wants to share some important data with some receivers in the multi-tenant data center, but data receivers do not know the exact location where these data have been stored. Since these data have been transferred into ciphertexts, it is inconvenient for them to search these encrypted data and determine the exact file they want. Thus, how to enable data owners to encrypt their data and make them searchable is a challenging and practical problem. The key word search mechanism is a promising tool to satisfy this demand. A keyword search protocol usually involves the participation of three parties: uploader, storage server, and receiver. The interaction process of a keyword search usually involves three steps:

Firstly, the uploader generates the search index for the corresponding keywords and uploads them with the ciphertexts to the storage server.

Secondly, the receiver computes the trapdoor for the desired keywords and sends the trapdoor to the storage server.

Thirdly, the storage server checks if the trapdoor generated by the receiver corresponds with the search index. The ciphertexts are returned to the receiver on the condition that the trapdoor and the search index are matched.

The first keyword search scheme based on PKC (Public Key Cryptography) was presented by Boneh et al. [2] in 2004. Afterwards, many studies [3,4,5] have been presented to provide better performances, higher security level, and more advanced functions. Aside from these properties, fine-grained access managements are also important because an uploader can take this advantage to make self-centric access policies on their private data [6,7,8,9]. To better satisfy this demand, Sahai et al. presented attribute-based encryption (ABE) [10,11,12] which efficiently brings flexible access control. Researchers have also taken the advantages of ABE [13,14] and keyword search to present attribute-based keyword search schemes [15,16,17,18]. Until now, several schemes have achieved keyword search based on ABE, but the performance can still be further optimized. To begin with, although the proposed scheme can provide flexible revocation, they cannot minimize the damage when key exposure occurs. In multi-tenant architecture environments, the number of users is very large and key exposure seems inevitable. If key leakage happens, the confidentiality of the whole system will no longer exist. Further, in most of the existing schemes, there exist additional transmission overheads of key updating. Consequently, an attribute-based keyword search with key exposure protection mechanism and efficient key refreshing [8] urgently needs to be proposed.

In this paper, we aim to tackle the above problems and present a key insulated attribute-based data retrieval with key word search (KI-ABDR-KS) scheme for multi-tenant architecture. We achieve flexible self-centric search management by utilizing a CP-ABE (Ciphertext Policy Attribute Based Encryption) [12] mechanism. The data owner generates the index for ciphertext using a self-centric access policy, indicating what kinds of receivers are given the privileges to gain access to these encrypted data. The receiver generates the trapdoor for the desired keyword using the private key she owns [19,20]. The cloud server checks if the trapdoor generated by receiver corresponds with the search index. The ciphertexts are returned to the receiver on the condition that the trapdoor and the search index are matched. A key insulation mechanism [21] is introduced to guarantee full security if key leakage occurs and helps to realize highly efficient key updating [22].

The detailed contributions established in the article are as follows:

(1): We present a novel keyword search based on ABE with key exposure protection. In our scheme, a data owner can make self-centric access policy of the encrypted data. Only if the possessing attributes match with the policy can a receiver generate a valid trapdoor and search the ciphertext.
(2): The proposed scheme provides secure key exposure protection as well as both backward and forward security.
(3): In our scheme, the system lifespan is split up into several time periods. The public parameters of the cryptosystem remain unvaried during the whole lifespan, and users’ private keys are refreshed termly. When key leakage occurs, a user’s private keys shall be updated in a timely fashion to minimize the damage brought by key exposure.
(4): Our scheme achieves keyword semantic security under chosen keyword attack. Meanwhile, it is shown to be superior in terms of computation efficiency compared to existing works.

2. Related Works

2.1. Attribute-Based Cryptosystem

In a classical PKC mechanism, a user is given the right to make secure data shared with others in a private way based on their identities. However, it is not fully practical when data sharing is conducted via a more expressive access policy. In some scenarios (e.g., cloud computing), the amount of users and private data may be enormous. Assuming that a data owner wants to share some sensitive data with certain users using traditional encryption methods, she may run encrypt algorithms many times, since each user’s public key is unique and the encryption is inefficient.

ABE is a cryptographic notion supporting flexible data access control, and is equipped with many advantages. In ABE, the concept of “access policy” is introduced; only if the user’s attributes suit with the policy can she complete decryption. A file owner may set a data-centric access policy without concern about the specific identity of each user in the system (note that the amount of users in the system may be very large). Consequently, ABE is a more effective tool for data protection in large data outsource platforms. Existing literatures related to ABE have achieved many results in terms of fine-grained access control [7,13], revocation [6], key abuse protection [9], etc. Researchers have also implemented ABE in several practical scenarios such as wireless communications, cloud computing [14], etc.

2.2. Attribute-Based Keyword Search

Attribute-based keyword search (ABKS) combines the advantages of ABE and searchable encryption and has been given attention from researchers all over the world. Han et al. in [15] proposed an attribute-based searchable encryption with key policy. Their scheme achieves flexible access control on the search indexes of ciphertext. However, the proposed scheme directly sends the users’ private keys to the file server as the trapdoor. This results in key exposure to the file server. If the server becomes dishonest or is being attacked, all of the legal private keys will be obtained by the attackers, which will bring huge damage to the whole cryptosystem. Yang in [16] designed a keyword search scheme based on ABE and applied it to an electronic health system. The proposed scheme supports fine-grained authorization and flexible revocation in the semi-trusted cloud server. However, the scheme generates a unique additional key pair for each user in the system. The generation of a search index also involves the public key of each user; this will bring a considerable computation burden when the amount of users is large. Sun et al. in [17] presented a novel searchable encryption for cloud computing based on CP-ABE. Their scheme provides self-centric search authorization as well as authenticity check over the encrypted data. The proposed scheme also achieves selective confidentiality under chosen keyword attack and secure revocation. Zheng et al. in [18] proposed a verifiable keyword search scheme. Their scheme permits users with promising credentials to search the ciphertext using the generated trapdoor. Their scheme can also distinguish if a server has honestly carried out the tasks which are sent by users. Miao et al. in [23] applied ABKS to modern medical systems and demonstrated the high efficiency and security of their scheme. Zhou et al. in [24] presented a novel type of ABKS which supports both online and offline decryption; thus, it was equipped with better flexibility. Wang et al. in [25] did some path breaking work in terms of introducing the attribute and keywords vector to optimize the decryption efficiency. Dong et al. in [26] proposed a lightweight ABKS scheme, the application of which is very appropriate to networks with constrained computation resources (e.g., mobile networks). Li et al. in [27] tackled the search authorization issue in the cloud and designed a secure ABKS scheme which not only achieves trapdoor unlinkability and confidentiality, but also resists collusion attack. Vahid et al. in [28] combined attribute-based cryptography with fuzzy search token techniques and presented a novel ABKS scheme. They also proved it to be secure under keyword guessing attack.

The existing works mentioned above have achieved significant progress in attribute-based cryptosystems and keyword search mechanisms. However, these schemes lack the security protection mechanism when key exposure happens. In a large data outsourcing system with multiple users, key exposure seems unavoidable. Once it is leaked, any user obtaining the private key can generate a legal trapdoor and the confidentiality of the whole system will no longer exist. Thus, it is essential to carryout key exposure protection for attribute-based keyword search schemes.

3. Models and Definitions

3.1. Framework of KI-ABDR-KS

The system framework of our scheme is illustrated in Figure 1. It contains four entities: attribute authority (AA), multi-tenant server, data owner, and data receiver. AA manages universal attributes and distributes users’ private keys. It is also responsible for updating users’ temporal private keys when the cryptosystem enters into a new time period. The data owner generates a secure index for each ciphertext using a self-centric policy, while the data receiver generates a trapdoor for the required ciphertext according to the desired keywords. The multi-tenant server provides secure storage services for the encrypted data and responses to receivers’ requests if the trapdoors are valid.

3.2. Formulized Definitions of KI-ABDR-KS

In this section, we will give the interactions between entitites illustrated in Figure 1 and the formulized definitions of the algorithms. The proposed scheme contains seven algorithms, as below:

S e t u p

: This algorithm is run by AA. It takes a security number as input and outputs system public parameters as well as master keys.

K e y g e n e r a t i o n

: This algorithm is run by AA. It takes system parameters, the initial time period, and the attribute set a user owns as input; it outputs the master key of key helper and the initial private key for a user.

K e y u p d a t e

: This algorithm is run by AA. It takes system parameters and the newest time period as input. It outputs the key updating component for a user.

U s e r u p d a t e

: This algorithm is run by the users. It takes the temporal private key of the previous period and key updating component as input, and it outputs the temporal private key at the latest version.

S e a r c h i n d e x g e n e r a t i o n :

This algorithm is run by the data owner. It takes system parameters, an access structure, and key words as input; it outputs an index for a ciphertext.

T r a p d o o r :

This algorithm is run by the users. It takes users’ private keys and key word as input; it outputs a trapdoor.

T e s t :

This algorithm is run by the server. It takes users’ trapdoor as input and outputs the corresponding ciphertext.

3.3. Security Requirements

(1) Keyword semantic security: This security property guarantees that an

A d v e r s a r y

cannot obtain the ciphertext without the valid trapdoor. In this paper, the requirement of key semantic security can be proved by a game described as follows:

Step 1

S e t u p :

C h a l l e n g e r

runs

S e t u p

to obtain the related parameters in the game.

A d v e r s a r y

claims an access structure

γ_{i c}

and

{A_{i c}}

is the attribute set involved.

Step 2

T r a p d o o r q u e r i e s :

T r a p d o o r q u e r i e s :

query:

C h a l l e n g e r

can obtain the trapdoor of several keywords for attribute set

S

by running

T r a p d o o r

algorithm and sends the results back to

A d v e r s a r y .

Note that

| S \cap^{​} {A_{i c}} | < t h r_{x} .

Note that the trapdoor queries contain the implication of private key generation query.

Step 3

C h a l l e n g e :

At the current time period

T P_{n}

A d v e r s a r y

picks

w_{0}

and

w_{1}

, which have not been queried before.

C h a l l e n g e r

picks

σ \in {0, 1}

and runs

S e a r c h i n d e x g e n e r a t i o n

algorithm to obtain

S I_{σ}

A d v e r s a r y

outputs

σ^{*}

as a guess of

σ

. If

σ^{*} = σ

, then

A d v e r s a r y

wins the game.

The advantage of

A d v e r s a r y

can be denoted by

A d v (A) = | \Pr [σ^{*} = σ] - \frac{1}{2} |

(2) Backward and forward security: This security property guarantees the system’s security and confidentiality when key exposure happens.

4. Concrete Constructions

In this section, we will provide the concrete algorithms from the system level viewpoint. These algorithms are the concrete and detailed expansions of the formulized definitions in Section 3.2 based on the above defined algorithms.

S e t u p :

Define two

p

order groups

G_{1}, G_{2}

. Let

\hat{e} : G_{1} \times G_{1} \to G_{2}

be a bilinear pairing and

g

is a generator of

G_{1}

. Define a global attribute set

{A_{i}}

. Define hash functions:

H_{1} : {0, 1}^{*} \to G_{1}

H_{2} : {0, 1}^{*} \to Z_{p}

. AA randomly chooses secret numbers

y, h \in Z_{p}^{*}

and computes

Y = \hat{e} {(g, g)}^{y}, g^{h}

. The system masker keys are

{g^{y}, h}

while system public parameters are

{g, p, G_{1}, G_{2}, \hat{e}, H_{1}, H_{2}, Y, g^{h}}

K e y g e n e r a t i o n :

At the initial time period

l_{0}

, for a user possessing attribute set

{A_{i}}

, AA picks

r \in Z_{p}^{*}

and calculates

D_{1} = g^{\frac{y - r}{h}}, D_{i, 0} = g^{r} H_{1} {(A_{i}, l_{0})}^{h}

. The initial private key of a user is denoted by

{D_{1}, D_{i, 0}}

. Note that

D_{1}

remains unchanged throughout the whole system lifetime, while

D_{i, m}

updates when system enters a new time period.

K e y u p d a t e :

When the system arrives in a new period from

l_{m}

l_{m + 1}

, AA computes the key updating component

U P_{m + 1} = {(\frac{H_{1} (A_{i}, l_{m + 1})}{H_{1} (A_{i}, l_{m})})}^{h}

and sends the result to the user. Then, a user updates her temporal private key by calculating

D_{i, m + 1} = D_{i, m} \cdot U P_{m + 1} = g^{r} H_{1} {(A_{i}, l_{m})}^{h} \cdot {(\frac{H_{1} (A_{i}, l_{m + 1})}{H_{1} (A_{i}, l_{m})})}^{h} = g^{r} H_{1} {(A_{i}, l_{m + 1})}^{h}

(

D_{1}

remains unchanged).

S e a r c h i n d e x g e n e r a t i o n :

Data owner picks

s \in Z_{p}^{*}

and chooses a polynomial

q_{x}

for each node

x

in the access control structure

γ

. Let the threshold value of the node be one more than the degree of

q_{x}

. For the root node, the data owner sets

q_{r o o t} (0) = s

. For others, let

q_{x} (0) = q_{p a r e n t (x)} i n d e x (x) .

Denote

{i}

to be the leaf nodes in

γ

, then the search index

S I

is constructed as:

I N_{0} = Y^{s H_{2} (w)}, I N_{1} = g^{h s}, I N_{2, i} = g^{q_{i} (0)}, I N_{3, i} = H_{1} {(A_{i}, l_{m})}^{q_{i} (0) H_{2} (w)} S I : {I N_{0}, I N_{1}, I N_{2, i}, I N_{3, i}}

(1)

T r a p d o o r :

For the desired keyword

w

, the data receiver picks a random number

x \in Z_{p}^{*}

and calculates the trapdoor

T R

as Equation (2):

T R_{1} = {(D_{1} \cdot g^{- x})}^{H_{2} (w)} = g^{(\frac{y - r}{h} - x) H_{2} (w)} T R_{2, i} = {(D_{i, m} \cdot g^{h x})}^{H_{2} (w)} = g^{(r + h x) H_{2} (w)} H_{1} {(A_{i}, l_{m})}^{h H_{2} (w)}

(2)

Then, the data receiver sends

T R = {T R_{1}, T R_{2, i}}

to the cloud server.

T e s t :

The cloud server tests:

\hat{e} (I N_{1}, T R_{1}) \cdot \prod_{i \in γ} \frac{\hat{e} (T R_{2, i}, I N_{2, i})}{\hat{e} (I N_{3, i}, g^{h})} = I N_{0}

(3)

If Equation (3) is set up, the cloud server sends the corresponding ciphertext to the data receiver.

Correctness proof:

\hat{e} (I N_{1}, T R_{1}) \cdot \prod_{i \in γ} \frac{\hat{e} (T R_{2, i}, I N_{2, i})}{\hat{e} (I N_{3, i}, g^{h})} = \hat{e} (g^{h s}, g^{(\frac{y - r}{h} - x) H_{2} (w)}) \cdot \prod_{i \in γ} \frac{\hat{e} (g^{(r + h x) H_{2} (w)} H_{1} {(A_{i}, l_{m})}^{h H_{2} (w)}, g^{q_{i} (0)})}{\hat{e} (H_{1} {(A_{i}, l_{m})}^{q_{i} (0) H_{2} (w)}, g^{h})} = \hat{e} {(g, g)}^{s y H_{2} (w)} \hat{e} {(g, g)}^{- (s r + s h x) H_{2} (w)} \cdot \hat{e} {(g, g)}^{s r H_{2} (w) + s h x H_{2} (w)} = \hat{e} {(g, g)}^{s y H_{2} (w)} = I N_{0}

(4)

5. Discussion

5.1. Keyword Semantic Security

Before giving our proof, we first give the hardness assumption [17] that our scheme relies on:

Decision bilinear Diffie–Hellman assumption (DBDH): Picks random numbers

a, b, c, z \in Z_{q}^{*}

, assuming that the value of (

𝑔, g^{a}, g^{b}, g^{c}, z

) are given, no probabilistic polynomial-time algorithm can distinguish the tuples (

A = g^{a}, B = g^{b}, C = g^{c}, \hat{e} {(g, g)}^{a b c}

) and (

A = g^{a}, B = g^{b}, C = g^{c}, \hat{e} {(g, g)}^{z}

) with a non-negligible probability.

Theorem 1.

Our KI-ABDR-KS is keyword semantic secure if the DBDH hardness assumption holds.

Proof.

If our scheme can be broken by an

A d v e r s a r y

with advantage of

ε

, then a simulator can be constructed to break the DBDH hardness assumption with an advantage of

\frac{ε}{2}

. The challenge game is described as follows:

S e t u p :

Let

G_{1}

and

G_{2}

be two cyclic groups with prime order

p

. Denote g as the generator of

G_{1}

. Let

\hat{e} : G_{1} \times G_{1} \to G_{2}

be a bilinear pairing. Define a global attribute set

{A_{i}}

. Define hash functions

H_{1} : {0, 1}^{*} \to G_{1}

H_{2} : {0, 1}^{*} \to Z_{p}

C h a l l e n g e r

picks

σ \in {0, 1}

a, b, c \in Z_{p}^{*}

and sets:

{\begin{matrix} (A, B, C, Z) = (g^{a}, g^{b}, g^{c}, \hat{e} {(g, g)}^{a b c}) i f σ = 0 \\ (A, B, C, Z) = (g^{a}, g^{b}, g^{c}, \hat{e} {(g, g)}^{z}) i f σ = 1 \end{matrix}

(5)

The aim of the simulator is to guess the value of

σ .

A d v e r s a r y

claims a challenging access structure

γ

(containing attribute set

S

) and plays the game on it.

T r a p d o o r q u e r i e s :

When

A d v e r s a r y

makes a trapdoor query for keyword

w_{q}

on attribute set

{A_{q}}

, the simulator responds as follows:

Simulator picks

h, r, u \in Z_{p}^{*}

, sets:

{\begin{matrix} D_{1}^{'} = g^{\frac{a b - r}{h}}, D_{i, m}^{'} = g^{r} H_{1} {(A_{i}, l_{m})}^{h}, i f A_{q} \in S \\ D_{1}^{'} = g^{\frac{u - r}{h}}, D_{i, m}^{'} = g^{r} H_{1} {(A_{i}, l_{m})}^{h}, i f A_{q} \notin S \end{matrix}

(6)

Then, the trapdoor is constructed as:

{\begin{matrix} T R_{1}^{'} = g^{(\frac{a b - r}{h} - x) H_{2} (w_{q})}, T R_{2, i}^{'} = {(D_{i, m}^{'} \cdot g^{h x})}^{H_{2} (w_{q})}, if A_{q} \in S \\ T R_{1}^{'} = g^{(\frac{u - r}{h} - x) H_{2} (w_{q})}, T R_{2, i}^{'} = {(D_{i, m}^{'} \cdot g^{h x})}^{H_{2} (w_{q})}, if A_{q} \notin S \end{matrix}

(7)

Note that the trapdoor queries contain the implication of private key generation query.

C h a l l e n g e

A d v e r s a r y

picks key words

w_{0}

w_{1}

. Simulator chooses

\in {0, 1}

, picks

s \in Z_{p}^{*}

, and calculates the following information:

σ = 0

, sets:

I N_{0, σ} = \hat{e} {(g, g)}^{a b s H_{2} (w_{σ})}, I N_{1} = g^{s}, I N_{2, i} = g^{q_{i} (0)}, I N_{3, i} = H_{1} {(A_{i}, l_{m})}^{q_{i} (0) H_{2} (w)}

(8)

σ = 1

, sets:

I N_{0, σ} = \hat{e} {(g, g)}^{z H_{2} (w_{σ})}, I N_{1} = g^{s}, I N_{2, i} = g^{q_{i} (0)}, I N_{3, i} = H_{1} {(A_{i}, l_{m})}^{q_{i} (0) H_{2} (w)}

(9)

Simulator sends the above indexes

I N_{0, σ}

A d v e r s a r y

Let

g^{s} = g^{c}

, so we have:

I N_{0, σ} = {\begin{matrix} \hat{e} {(g, g)}^{a b c H_{2} (w_{σ})} i f σ = 0 \\ \hat{e} {(g, g)}^{z H_{2} (w_{σ})} i f σ = 1 \end{matrix}

(10)

A d v e r s a r y

outputs a value

σ^{*} .

σ^{*} = σ

A d v e r s a r y

wins the game.

Next, we will analyze the simulator’s advantage in distinguishing the tuples in DBDH assumption.

σ = 1, E

is an invalid search index and

A d v e r s a r y

guesses randomly,

P r (σ^{*} \neq σ | σ = 1) = \frac{1}{2}

(11)

σ = 0, E

is a valid index. According to the definition,

A d v e r s a r y

has an advantage

ε .

P r (σ^{*} = σ | σ = 0) = \frac{1}{2} + ε

(12)

From what has been discussed, the simulator’s advantage can be denoted by:

\frac{1}{2} P r (σ^{*} = σ | σ = 0) + \frac{1}{2} P r (σ^{*} = σ | σ = 1) - \frac{1}{2} = \frac{1}{2} (\frac{1}{2} + ε) + \frac{1}{2} \times \frac{1}{2} - \frac{1}{2} = \frac{ε}{2}

(13)

☐

5.2. Users’ Privacy and Trapdoor Unlinkability

In our scheme, the users’ privacy can be highly protected. According to the

T r a p d o o r

algorithm in our KI-ABDR-KS, a secret component

x

is embedded into the trapdoor. Thus, the service provider cannot obtain any sensitive information of the private key. Besides, since the secret component

x

is chosen by different users at random, it is computationally infeasible for cloud severs to distinguish different trapdoors containing the same key words, which meets the security demand of trapdoor unlinkability.

5.3. Forward and Backward Security

Our scheme can provide protection when key exposure happens. When key exposure happens at period

l_{m - 1}

, the system can still maintain its security by updating users’ temporal private keys to

l_{m}

version. A user’s private key leakage during

l_{m}

will not harm the security in the rest time periods. Our scheme also supports random access key updating, since attribute authority is capable of updating users’ temporal private keys from any previous time periods (denote these time periods by

l_{f}

) to the last version in just one step by calculating

D_{i, m} = g^{r} H_{1} {(A_{i}, l_{f})}^{h} \cdot {(\frac{H_{1} (A_{i}, l_{m})}{H_{1} (A_{i}, l_{f})})}^{h} = g^{r} H_{1} {(A_{i}, l_{m})}^{h}

5.4. Efficient Key Updating with Constant Size of Parameters

The process of key updating in the proposed KI-ABDR-KS is very efficient because when a new time period arrives, only partial key components have to be refreshed. According to the

K e y u p d a t e

algorithm, the calculation of key updating component

U P_{m}

only takes one exponentiation. More importantly, though users’ private keys are updated periodically, the system public parameters remain the same throughout the whole lifetime. This will reduce the considerable computation cost which parameter synchronization brings about.

5.5. Performance Evaluation

We compare our scheme with schemes in [17,23,28], which also implement attribute-based cryptosystem to achieve flexible key word search. The comparison is conducted with regard to the computation cost of each algorithm. Denote “Pair”, “Exp” to be the bilinear pairing and exponential operations, respectively, and “n” is the amount of attributes involved. The results are listed in Table 1.

From comparison, it can be seen that efficiency of

S e t u p

K e y g e n e r a t i o n

T r a p d o o r

, and

K e y u p d a t e

are higher in our scheme. The

T e s t

algorithm takes more exponential operations in our scheme, but it is run by the cloud server which has large computation capacity. Thus, this will not add a computation burden on the user side. In the scheme found in Reference [17], the access structure only supports AND gate, but our scheme provides a more flexible access structure which supports AND along with OR gate; thus, the

S e a r c h I n d e x g e n e r a t i o n

algorithm in our scheme takes more exponential operations. Furthermore, unlike [23,28], our scheme is equipped with the function of highly efficient key updating. The system public parameters remain constant regardless of the number of attributes in the system and do not need to be changed during the process of key updating; this will reduce the considerable overheads brought by parameters synchronization. Consequently, our scheme has a better performance from the prospective of the overall efficiency.

6. Conclusions

In this paper, we propose a novel key insulated attribute-based data retrieval with keyword search mechanism. The proposed scheme can provide self-centric search indexes for the encrypted data. The proposed scheme also provides secure key exposure protection and full security when key exposure happens. By performance analysis, our scheme is of high-level security and is superior with respect to computation efficiency.

Acknowledgments

This research is supported by the National Natural Science Foundation of China (61373135 and 61672299).

Author Contributions

Hanshu Hong carries out the research of this paper. Yunhao Xia and Zhixin Sun check and revise the paper.

Conflicts of Interest

The authors declare no conflict of interest.

References

Kim, S.-H.; Lee, I.-Y. Study on user authority management for safe data protection in cloud computing environments. Symmetry 2015, 7, 269–283. [Google Scholar] [CrossRef]
Boneh, D.; Di Crescenzo, G.; Ostrovsky, R.; Persiano, G. Public key encryption with keyword search. In Proceedings of the 23rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Interlaken, Switzerland, 2–6 May 2004; pp. 506–522. [Google Scholar]
Sun, W.H.; Wang, B.; Cao, N.; Li, M.; Lou, W.; Hou, Y.T.; Li, H. Privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking. In Proceedings of the ACM 8th Symposium on Information, Computer and Communications Security, Hangzhou, China, 8–10 May 2013; pp. 71–82. [Google Scholar]
Li, M.; Yu, S.C.; Cao, N.; Lou, W. Authorized private keyword search over encrypted data in cloud computing. In Proceedings of the IEEE 31th International Conference on Distributed Computing Systems, Minneapolis, MN, USA, 20–24 June 2011; pp. 383–392. [Google Scholar]
Li, J.; Liu, C.; Zhou, R.; Wang, W. Top-k keyword search over probabilistic XML data. In Proceedings of the IEEE 27th International Conference on Data Engineering, Hannover, Germany, 11–16 April 2011; pp. 673–684. [Google Scholar]
Fu, X.B.; Nie, X.Y.; Li, F.G. Black box traceable ciphertext policy attribute-based encryption scheme. Information 2015, 6, 481–493. [Google Scholar] [CrossRef]
Ying, Z.B.; Li, H.; Ma, J.F.; Zhang, J.; Cui, J. Adaptively secure ciphertext-policy attribute-based encryption with dynamic policy updating. Sci. China Inform. Sci. 2016, 59, 1–16. [Google Scholar] [CrossRef]
Hong, H.S.; Sun, Z. High efficient key-insulated attribute based encryption scheme without bilinear pairing operations. Springerplus 2016, 5, 131. [Google Scholar] [CrossRef] [PubMed]
Wang, Y.T.; Chen, K.F.; Long, Y. Accountable authority key policy attribute-based encryption. Sci. China Inform. Sci. 2012, 55, 1631–1638. [Google Scholar] [CrossRef]
Jiang, S.R.; Zhu, X.Y.; Wang, L.M. EPPS: Efficient and privacy-preserving personal health information sharing in mobile healthcare social networks. Sensors 2015, 15, 22419–22438. [Google Scholar] [CrossRef] [PubMed]
Goyal, V.; Pandey, O.; Sahai, A.; Waters, B. Attribute based encryption for fine-grained access control of encrypted data. In Proceedings of the ACM 13th conference on Computer and Communications Security, Alexandria, VA, USA, 30 October–3 November 2006; pp. 89–98. [Google Scholar]
Waters, B. Ciphertext policy attribute based encryption: An expressive, efficient, and provably secure realization. In Proceedings of the 14th International Conference on Practice and Theory in Public Key Cryptography, Taormina, Italy, 6–9 March 2011; pp. 53–70. [Google Scholar]
Lewko, A.; Okamoto, T.; Sahai, A.; Takashima, K.; Waters, B. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Proceedings of the 29th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Riviera, French, 30 May–3 June 2010; pp. 62–91. [Google Scholar]
Yu, S.C.; Wang, C.; Ren, K.; Lou, W. Achieving secure, scalable, and fine-grained data access control in cloud computing. In Proceedings of the IEEE 29th International Conference on Infocom, San Diego, CA, USA, 14–19 March 2010; pp. 1–9. [Google Scholar]
Han, F.; Qin, J.; Zhao, H.W.; Hu, J. A general transformation from KP-ABE to searchable encryption. Future Gener. Comput. Syst. 2014, 30, 107–115. [Google Scholar] [CrossRef]
Yang, Y. Attribute-based data retrieval with semantic keyword search for e-health cloud. J. Cloud Comput. 2015, 4, 16. [Google Scholar] [CrossRef]
Sun, W.H.; Yu, S.C.; Lou, W.J.; Hou, Y.T.; Li, H. Protecting your right: Verifiable attribute-based keyword search with fine-grained owner-enforced search authorization in the cloud. IEEE Trans. Parallel Distrib. Systm. 2016, 27, 1187–1198. [Google Scholar] [CrossRef]
Zheng, Q.J.; Xu, S.H.; Ateniese, G. Vabks: Verifiable attribute-based keyword search over outsourced encrypted data. In Proceedings of the IEEE 33rd International Conference on Infocom, Toronto, ON, Canada, 27 April–2 May 2014; pp. 522–530. [Google Scholar]
Gao, N.; Deng, Z.H.; Lü, S.L. XDist: An effective XML keyword search system with re-ranking model based on keyword distribution. Sci. China Inform. Sci. 2014, 57, 1–17. [Google Scholar] [CrossRef]
Li, Q.; Liu, X.M.; Ma, J.F.; Li, R.; Xiong, J. Provably secure unbounded multi-authority ciphertext-policy attribute-based encryption. Secur. Commun. Netw. 2015, 8, 4098–4109. [Google Scholar] [CrossRef]
Wen, J.; Li, X.X.; Chen, K.F.; Ma, C. Identity-based parallel key-insulated signature without random oracles. J. Inform. Sci. Eng. 2008, 24, 1143–1157. [Google Scholar]
Li, J.Z.; Zhang, L. Attribute-based keyword search and data access control in cloud. In Proceedings of the IEEE 10th International Conference on Computational Intelligence and Security, Kunming, China, 15–16 November 2014; pp. 382–386. [Google Scholar]
Miao, Y.; Ma, J.F.; Liu, X.M.; Wei, F.; Liu, Z.; Wang, X.A. m2-ABKS: Attribute-based multi-keyword search over encrypted personal health records in multi-owner setting. J. Med. Syst. 2016, 40, 246. [Google Scholar] [CrossRef] [PubMed]
Zhou, P.L.; Liu, Z.H.; Duan, S.H. Flexible attribute-based keyword search via two access policies. In Proceedings of the BWCCA 2016, Advances on Broad-Band Wireless Computing, Communication and Applications, Asan, Korea, 5–7 November 2016; pp. 815–822. [Google Scholar]
Wang, H.W.; Li, J.Q.; Yang, Y.L.; Ming, Z. Attribute-based and keywords vector searchable public key encryption. In Proceedings of the Smart Computing and Communication, SmartCom, Shenzhen, China, 17–19 December 2016; pp. 317–326. [Google Scholar]
Dong, Q.X.; Guan, Z.; Chen, Z. Attribute-based keyword search efficiency enhancement via an online/offline approach. In Proceedings of the IEEE 21st International Conference on Parallel and Distributed Systems, Melbourne, VIC, Australia, 14–17 December 2015; pp. 298–305. [Google Scholar]
Li, H.W.; Liu, D.X.; Jia, K.; Lin, X. Achieving authorized and ranked multi-keyword search over encrypted cloud data. In Proceedings of the IEEE International Conference on Communications, London, UK, 8–12 June 2015; pp. 7450–7455. [Google Scholar]
Yousefipoor, V.; Ameri, M.H.; Mohajeri, J.; Eghlidos, T. A secure attribute based keyword search scheme against keyword guessing attack. In Proceedings of the IEEE Communication and Information Systems Security Symposium, Tehran, Iran, 27–28 September 2016; pp. 124–128. [Google Scholar]

Figure 1. Framework of our scheme. AA: attribute authority.

Table 1. Comparison results. KI-ABDR-KS: key insulated attribute-based data retrieval with key word search.

Algorithm	Scheme in [17]	Scheme in [23]	Scheme in [28]	Our KI-ABDR-KS
Setup	(3n + 1) Exp + 1 Pair	3 Exp	3 Exp	2 Exp + 1 Pair
Key generation	(2n + 3) Exp	(2n + 2) Exp	(2n + 1) Exp	(n + 2) Exp
Search index generation	(n + 2) Exp	(2n + 3) Exp	(2n + 6) Exp	(2n + 2) Exp
Trapdoor	(2n + 1) Exp	(2n + 2) Exp	(2n + 6) Exp	(n + 3) Exp
Test	(n + 1) Pair + 1 Exp	(2n + 2) Pair	(2n + 2) Pair	(2n + 1) Pair
Key update	2n Exp	-	-	n Exp

© 2017 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Share and Cite

MDPI and ACS Style

Hong, H.; Xia, Y.; Sun, Z. Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search. Symmetry 2017, 9, 89. https://doi.org/10.3390/sym9060089

AMA Style

Hong H, Xia Y, Sun Z. Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search. Symmetry. 2017; 9(6):89. https://doi.org/10.3390/sym9060089

Chicago/Turabian Style

Hong, Hanshu, Yunhao Xia, and Zhixin Sun. 2017. "Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search" Symmetry 9, no. 6: 89. https://doi.org/10.3390/sym9060089

APA Style

Hong, H., Xia, Y., & Sun, Z. (2017). Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search. Symmetry, 9(6), 89. https://doi.org/10.3390/sym9060089

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Menu

Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search

Abstract

1. Introduction

2. Related Works

2.1. Attribute-Based Cryptosystem

2.2. Attribute-Based Keyword Search

3. Models and Definitions

3.1. Framework of KI-ABDR-KS

3.2. Formulized Definitions of KI-ABDR-KS

3.3. Security Requirements

4. Concrete Constructions

5. Discussion

5.1. Keyword Semantic Security

5.2. Users’ Privacy and Trapdoor Unlinkability

5.3. Forward and Backward Security

5.4. Efficient Key Updating with Constant Size of Parameters

5.5. Performance Evaluation

6. Conclusions

Acknowledgments

Author Contributions

Conflicts of Interest

References

Share and Cite

Article Metrics

Article Access Statistics

Further Information

Guidelines

MDPI Initiatives

Follow MDPI