Received June 22, 2018, accepted July 22, 2018, date of publication July 31, 2018, date of current version August 20, 2018.

Digital Object Identifier 10.1109/ACCESS.2018.2861424

Verifiable Public Key Encryption With Keyword Search Based on Homomorphic Encryption in Multi-User Setting
D. N. WU, Q. Q. GAN, AND X. M. WANG
Department of Computer Science, Jinan University, Guangzhou 510632, China
Corresponding author: X. M. Wang ([email protected])
This work was supported in part by the National Natural Science Foundation of China under Grant 61070164 and Grant 61272415, in part by the Natural Science Foundation of Guangdong Province, China, under Grant S2012010008767, in part by the Science and Technology Planning Project of Guangdong Province, China, under Grant 2013B010401015, and in part by the Zhuhai Top Discipline–Information Security.

ABSTRACT Data security and privacy concerns are important issues in cloud storage. In this paper,
we propose a verifiable public key encryption with keyword search based on homomorphic encryption in
multi-user setting. By employing van Dijk, Gentry, Halevi, and Vaikuntanathan homomorphic encryption,
the proposed scheme enables the cloud server to generate an inverted encryption index structure without using
a query trapdoor, which significantly improves the efficiency of search. On the other hand, the proposed
scheme presents a new authenticated data structure based on the inverted encryption index structure, and
shows how to apply it to verify the correctness and completeness of search results. Moreover, the proposed
scheme allows multiple users to perform encrypted keyword search over encrypted data. Finally, the proposed
scheme is proved secure based on the approximate-GCD problem. The experiment results demonstrate that the
proposed scheme has less computation overhead than the existing schemes.

INDEX TERMS Searchable encryption, homomorphic encryption, verification, multi-user setting.

I. INTRODUCTION

Cloud has been widely used not only by individuals but also by enterprises because it allows people to manage their data conveniently and at low cost. But meanwhile it incurs some security problems. The outsourced data have high privacy and business value, while the cloud service provider is only semi-trusted. To protect data from leakage, data owners encrypt the data and then store them in the cloud. However, the encryption greatly restricts the ability of cloud servers to handle users' requests, such as searching over encrypted data.

To resolve this problem, the notion of public key encryption with keyword search (PEKS) was proposed by Boneh et al. [1]. In the PEKS scheme, a sender uploads an encrypted email to an email server along with an encrypted list of keywords. The receiver sends the desired keyword (denoted as a trapdoor) to the email server, which then tests the encrypted emails for the presence of this trapdoor. Soon afterwards, many improvements have been proposed upon this construction, and it was expanded to the cloud environment (e.g., [2]–[12]). However, most of the existing PEKS schemes cannot guarantee the completeness of the search results produced by the cloud server. If the completeness of search results is not verified, the cloud server might return incomplete search results to save computational resources. The consequence of making decisions based on incomplete search results could be very serious or even catastrophic.

Because the files and the indexes with keywords are encrypted, the cloud server can simply store the encrypted files and indexes in the order in which they are received. Considering that a file has more than one keyword, data owners typically encrypt each keyword for each file and upload it. When a user submits a query trapdoor, the cloud server needs to traverse the entire index to find the target files, so its time complexity is O(n ∗ m), where n represents the number of files and m represents the number of keywords for all files in the system. As a result, the efficiency of search is quite low, and it may tempt the cloud server not to traverse the entire index and to return incomplete search results to save computational cost. Therefore, the index structure should be optimized at the cloud server to improve the efficiency of search. However, in the PEKS

2169-3536 2018 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 6, 2018 Personal use is also permitted, but republication/redistribution requires IEEE permission. 42445
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
D. N. Wu et al.: Verifiable PEKS Based on Homomorphic Encryption in Multi-User Setting

schemes, the user must give the server a query trapdoor, and the server can test whether one of the encrypted indexes associated with the files is equal to the query trapdoor. In the absence of a trapdoor, the server is unable to test whether the keywords contained in two encrypted indexes are consistent, so the server cannot rearrange the encrypted index structure.

In the environment of cloud storage, the data owner is eager to share his data with multiple users. In this case, the searchable encryption must work for multiple users. However, most existing PEKS schemes are constructed in the single-user setting. It is very clear that schemes proposed for use in the single-user setting cannot be directly and effectively used in the multi-user setting because of the increased requirements of the latter. In PEKS schemes that are constructed in the single-user setting, a data owner can only share his data with a single user and also only permits a single user to perform encrypted keyword search over encrypted data. In the multi-user setting, such as cloud storage, data owners hope to share their data with multiple users and also to permit the multiple users to perform encrypted keyword search over encrypted data.

To tackle the above problems, we propose a verifiable public key encryption with keyword search based on homomorphic encryption in the multi-user setting. Specifically, our main contributions can be summarized as follows:

(1) We optimize the encryption index structure by employing DGHV (van Dijk, Gentry, Halevi and Vaikuntanathan) homomorphic encryption. In our scheme, the cloud server can generate an inverted encryption index structure without using a query trapdoor, which significantly improves the efficiency of search.

(2) We propose a new authenticated data structure for verifying the completeness of search results based on the inverted encryption index structure, and apply it to generate a verification proof for verifying the correctness and completeness of search results.

(3) Our scheme is constructed in the multi-user setting, and allows multiple users to perform encrypted keyword search over encrypted data.

(4) Our scheme is proved to be secure based on the Approximate-GCD problem.

(5) We evaluate the performance of our scheme and compare our scheme with the previous schemes in terms of time complexity and functions. The time complexity of single-keyword search is reduced to O(m) in our scheme. Experiment results demonstrate that the efficiency of search in our scheme is higher than in the existing schemes.

The following sections are organized as follows. We introduce some important prior works in this domain in Section 2. After that, we introduce some preliminaries used in the paper in Section 3. In Section 4, we give the formal model of our scheme and a security model as well as the specific construction of our scheme. Then in Section 5, we prove our scheme is secure under the security model. The scheme performance is evaluated in Section 6. Finally, we conclude this paper in Section 7.

II. PRIOR WORKS

To enable users to search over encrypted outsourced data through keywords without first decrypting the data, the notion of public key encryption with keyword search (PEKS) was first put forth by Boneh et al. [1], and its construction makes use of identity-based encryption (IBE). Subsequently Boneh et al. [2] presented a more practical scheme which supported arbitrary conjunctive queries (such as comparison search, subset search, etc.). Baek et al. [3] proposed a PEKS scheme with a designated server to remove the secure channel. Camenisch et al. [4] proposed oblivious generation of the keyword search trapdoor to maintain the privacy of the keyword against a curious trapdoor generator. Cao et al. [5] presented ranked multi-keyword search over encrypted cloud data and established a variety of privacy requirements. So far, a lot of work has been done to enhance the security and the efficiency of PEKS schemes (e.g. [6]–[13]).

With the development of encrypted search technology, the risk of privacy leakage in the outsourced data has been reduced. However, the problem of providing a secure inquiry service has become another new challenge. Because the system may malfunction or the cloud server might return incomplete search results to save computational resources, the receiver may receive incorrect and incomplete search results, and may therefore make a wrong decision based on them. This could be very serious or even catastrophic. Therefore, we should consider the verifiability of search results. So far, there are many schemes to address this issue, such as the schemes [14]–[22]. However, most of the existing schemes mainly focus on the integrity verification of plaintext data, while there are few verifiable search schemes over encrypted data. When these schemes are migrated to the ciphertext, they are no longer applicable since the ciphertext contains the data owner's private key and the random number. To the best of our knowledge, there are not many verifiable search schemes over encrypted data, and these schemes are devised to verify the correctness of search results in the single-user setting, and do not consider the completeness verification of search results in the multi-user setting. Chai and Gong [23] gave the first verifiable keyword search in the symmetric setting. Schemes [24], [25] presented fine-grained keyword search schemes by utilizing attribute-based encryption. Sun et al. [26] presented a search result verification scheme in the multi-keyword text search scenario by turning the proposed secure index tree into an authenticated one. Guo et al. [27] put forward a multi-phrase ranked search scheme over encrypted data, which can verify the ranked results and support dynamic update operations. In particular, the aforementioned works are devised in the single-user setting.


III. PRELIMINARIES

A. APPROXIMATE-GCD PROBLEM

Let λ be a security parameter, ρ = λ, η = O(λ^2), and γ = O(λ^5). The (ρ, η, γ)-Approximate-GCD problem is defined as follows [28]:

• The (ρ, η, γ)-Approximate-GCD problem: Given polynomially many samples from D_{γ,ρ}(p) for a randomly chosen η-bit odd integer p, output p, where

$$D_{\gamma,\rho}(p) = \{\, \text{choose } q \xleftarrow{R} \mathbb{Z} \cap [0, 2^{\gamma}/p),\ r \xleftarrow{R} \mathbb{Z} \cap (-2^{\rho}, 2^{\rho}) : \text{output } x = pq + r \,\}. \quad (1)$$

B. DGHV HOMOMORPHIC ENCRYPTION

The DGHV homomorphic encryption algorithm is described as follows [28]:

• ParamGen(λ): On input a security parameter λ, the parameter generation algorithm sets ρ = λ, ρ′ = 2λ, η = O(λ^2), γ = O(λ^5), τ = γ + λ, and outputs the public parameters params = ⟨ρ, ρ′, η, γ, τ⟩.

• KeyGen(λ): The key generation algorithm first chooses a random odd η-bit integer p where p ∈ [2^{η−1}, 2^η]. Then it draws (τ + 1) samples x_0, ..., x_τ from D_{γ,ρ}(p), relabels so that x_0 is the largest, and restarts unless x_0 is odd. Finally the secret key is sk = p and the public key is pk = ⟨x_0, x_1, ..., x_τ⟩.

• Encrypt(pk, m): To encrypt a bit m ∈ {0, 1}, the encryption algorithm chooses a random subset S ⊆ {1, 2, ..., τ} and a random integer r in (−2^{ρ′}, 2^{ρ′}), and sets the ciphertext as c = [m + 2r + 2 Σ_{i∈S} x_i]_{x_0}.

• Evaluate(pk, C, c_1, ..., c_t): For a (binary) circuit C_ε with t inputs, and t ciphertexts c_i, the evaluate algorithm applies the (integer) addition and multiplication gates of C_ε to the ciphertexts, performs all the operations over the integers, and outputs the resulting integer.

• Decrypt(sk, c): On input the secret key sk and a ciphertext c, the decryption algorithm outputs ((c mod p) mod 2).

C. HOMOMORPHIC HASH FUNCTION

Let G be a multiplicative cyclic group of order p, and (g_1, g_2, ..., g_n) be generators. For a vector b = (b_1, b_2, ..., b_n), its homomorphic hash function is defined as H(b) = ∏_{i=1}^{n} g_i^{b_i}. Then H(b) satisfies the following properties [29]:

Homomorphic: For any two vectors b_1, b_2, and random integers r_1, r_2, H(r_1 b_1 + r_2 b_2) = H(b_1)^{r_1} H(b_2)^{r_2}.

Collision Free: For any polynomial time algorithm, it is hard to find b_1, b_2, b_3, r_1 and r_2 (b_3 ≠ r_1 b_1 + r_2 b_2) which satisfy H(b_3) = H(b_1)^{r_1} H(b_2)^{r_2}.

IV. A VERIFIABLE PUBLIC KEY ENCRYPTION SCHEME WITH KEYWORD SEARCH IN MULTI-USER SETTING

A. SYSTEM MODEL

The system model is depicted in Figure 1. There are four major entities in this system: key-generation center, data owners, cloud servers, and data users.

FIGURE 1. System model.

• Key-generation center. The key-generation center (KGC) refers to a fully-trusted center which is responsible for generating public/secret keys and then sending them to data owners, cloud servers and users.

• Data owners. The data owners refer to a special type of users who create the private/confidential data and then outsource them to cloud servers in an encrypted form so that they can be shared with authorized users.

• Cloud servers. The cloud servers have a huge storage space and strong computing power to handle and maintain the data owners' data. The cloud servers are responsible for producing search results over the encrypted data according to the users' search requirements and then sending the search results to the users.

• Users. Users generally refer to those who have registered to search for encrypted keywords in the encrypted data. Note that every user in this paper has an identity belonging to the public domain.

B. THREAT MODEL

We define that the KGC and authorized users are honest but regard the cloud server as "honest-but-curious," which is adopted in related schemes on secure cloud data search [5], [26]. "Honest-but-curious" means that the cloud server executes the scheme honestly, but it also tries to analyze the data it receives to obtain extra information out of curiosity. According to the information available to the cloud server, we consider the threat model as follows:

• Known Ciphertext Model. In this model, the cloud server can only access the ciphertexts, which is intended to protect the keywords against the cloud server. To be specific, the cloud server performs keyword search on ciphertexts for data users. In our scheme, the server uses the ciphertexts to build a Z-Index structure based on the inverted encryption index structure, which can be


employed for keyword search and verification. However, the server does not know the user's secret key, so the server cannot obtain the keywords from the ciphertexts.

C. DEFINITION

When a data owner wants to outsource his data to the cloud server, he will first encrypt his file (E(file)) using a standard proxy re-encryption public key algorithm. After appending the ciphertext PEKS(w_i, pk) of each keyword, the data owner will send the following message to the cloud server:

E(file) || PEKS(w_1, pk) || ... || PEKS(w_m, pk),

where PEKS is an encryption algorithm with the properties discussed below. This paper focuses on addressing how the cloud server searches all files containing a keyword-search query w = (w_1, w_2, ..., w_t), and how the user verifies the correctness and completeness of the search result. We omit the discussion of proxy re-encryption.

Definition 1: A verifiable public key encryption scheme with keyword search in the multi-user setting consists of the following algorithms:

• Setup(1^λ): On input a security parameter λ, the Setup(1^λ) algorithm outputs a pair of secret key sk and public key pk.

• KeyGen(1^λ, id): The KeyGen algorithm takes as input a user identity id and 1^λ, then generates a secret key sk_id for the user.

• PEKS(w_i, pk): The PEKS algorithm produces a searchable ciphertext CT_i with keyword w_i by a public key pk.

• Test(CT_i, CT_j): On input two searchable ciphertexts CT_i and CT_j, the Test algorithm verifies whether the keywords contained in the two ciphertexts are the same. If they are the same, output 1; otherwise, output 0.

• Z-Index(CT_i (i = 1, 2, ..., m)): On input a set of searchable ciphertexts CT_i (i = 1, 2, ..., m), the Z-Index algorithm outputs a Z-Index structure.

• Query(w_1, w_2, ..., w_t, sk_id): Given a keyword-search query w = (w_1, w_2, ..., w_t), the Query algorithm calls the PEKS algorithm to generate a ciphertext for each keyword using the secret key sk_id, and outputs the ciphertexts CT_i (i = 1, 2, ..., t).

• RPGen(CT_i (i = 1, 2, ..., t)): Given the ciphertexts CT_i (i = 1, 2, ..., t) from a user, the server returns a set of encrypted files R_f, where each encrypted file E(file_i) ∈ R_f contains all keywords from w = (w_1, w_2, ..., w_t). Afterwards, the server computes a proof so that a user can verify that all encrypted files included in R_f contain (w_1, w_2, ..., w_t) and ensure that no encrypted file that satisfies the query keywords (w_1, w_2, ..., w_t) is omitted from R_f.

• Verify(R_f, proof): The Verify algorithm takes as input R_f and proof, and checks the correctness and completeness of the search results. If the results are correct and complete, output 1; otherwise output 0.

D. SCHEME CONSTRUCTION

Let ParamGen′ and KeyGen′ be the parameter generation algorithm and the key generation algorithm from the DGHV homomorphic encryption [28]. A verifiable public key encryption scheme with keyword search in the multi-user setting is constructed as follows.

• Setup(1^λ). The key-generation center (KGC) first runs ParamGen′ to obtain the public parameters params′ = ⟨ρ, ρ′, η, γ, τ⟩, and runs KeyGen′ to obtain sk′ = p, pk′ = ⟨x_0, x_1, ..., x_τ⟩. Then the KGC picks a homomorphic hash H and a collision-resistant hash H_1 : {0, 1}^* → {0, 1}^Q (Q ≪ η). Finally the KGC sets the public key pk = (params′, pk′, H, H_1) and sends the secret key sk = sk′ = p to the server through a secure channel.

• KeyGen(1^λ, id). When a user submits his identity id for registration, the KGC chooses a random number k_i, computes q_id = H_1(id ⊕ k_i), and sends sk_id = q_id to the user through a secure channel.

• PEKS(w_i, pk). Given a keyword w_i of the W-bit file, satisfying W ≪ η, a user chooses a random subset S ⊆ {1, 2, ..., τ} and a random integer r_i, and computes a searchable ciphertext of w_i by using the public key pk and the user's secret key q_id as follows.

$$C_{i1} = \Big[\, w_i + r_i q_{id} + r_i q_{id} \sum_{i \in S} x_i \,\Big]_{x_0}, \qquad C_{i2} = H(r_i q_{id}). \quad (2)$$

Thus, the searchable ciphertext of the keyword w_i is CT_i = (C_{i1}, C_{i2}).

• Test(CT_i, CT_j). After receiving the two ciphertexts (CT_i, CT_j), the server verifies whether the two ciphertexts contain the same keyword by checking

$$\frac{H(C_{i1} \bmod p) \times C_{j2}}{H(C_{j1} \bmod p) \times C_{i2}} = 1. \quad (3)$$

If w_i = w_j, it outputs 1; otherwise it outputs 0.

FIGURE 2. An inverted encryption index structure.

• Z-IndexBuild(CT_i (i = 1, 2, ..., m)). Given the ciphertexts CT_i (i = 1, 2, ..., m), the server calls the Test(CT_i, CT_j) algorithm to determine whether the keywords in the two ciphertexts (CT_i, CT_j) are consistent, where PEKS(w_i) = CT_i, so that the server can put


the ciphertexts with the same keyword in one line, and build an inverted encryption index structure (see Figure 2). Based on the inverted encryption index structure, an authenticated data structure is constructed, initially empty, shown in Figure 3. A row of the structure denotes the encrypted keyword PEKS(w_i) (where i ∈ [1, m], PEKS(w_i) = CT_i). A column of the structure denotes the encrypted file E(file_i) (i ∈ [1, n]). Each row has a vector v_{w_i} = [v_{i1}, v_{i2}, ..., v_{in}] (i ∈ [1, m]) and a verification proof preproof(v_{w_i}). If E(file_j) (j ∈ [1, n]) contains the keyword w_i, then set v_{ij} = 1 (j ∈ [1, n]); otherwise, set v_{ij} = 0 (see Figure 3). Namely, each "1" in v_{w_i} is mapped to an encrypted file that contains the keyword w_i. For a vector v_{w_i}, preproof(v_{w_i}) = H(value(v_{w_i})), where value(x) is a function that converts x to a decimal number. Finally the authenticated data structure is formed, which is called Z-IndexBuild, and published as shown in Figure 3.

FIGURE 3. A Z-Index structure.

• Query(w_1, w_2, ..., w_t, sk_id): Given a keyword-search query w = (w_1, w_2, ..., w_t), a user executes the PEKS algorithm to generate the ciphertexts CT_i (i = 1, 2, ..., t) for each search keyword w_i (i = 1, 2, ..., t) with the user's secret key sk_id, and sends the ciphertexts CT_i (i = 1, 2, ..., t) to the server.

• RPGen(CT_i (i = 1, 2, ..., t)): After receiving the ciphertexts CT_i (i = 1, 2, ..., t), the server tests which PEKS(w_j) in the Z-Index structure is equal to CT_i by running the Test(CT_i, CT_j) algorithm, where PEKS(w_j) = CT_j. Once the server finds the t corresponding PEKS(w_i) in the Z-Index structure, the server obtains the subset vectors v_{w_i} (i = 1, 2, ..., t), and uses the bit operation & to compute

$$v_{result} = v_{w_1} \,\&\, v_{w_2} \,\&\, \cdots \,\&\, v_{w_t}. \quad (4)$$

According to v_result, the server returns a set of encrypted files R_f, where each encrypted file E(file_i) ∈ R_f is mapped to a 1 in v_result. Namely, each encrypted file E(file_i) ∈ R_f contains all keywords w = (w_1, w_2, ..., w_t). If R_f = {E(file_1), E(file_2), ..., E(file_l)} (l ≤ t), then the server returns a verification proof = value(v_{w_1}) || value(v_{w_2}) || ... || value(v_{w_l}) to the user.

• Verify(R_f, proof). After receiving R_f and proof, the user performs the following verification steps.

1) Check whether each subset vector value(v_{w_i}) is correct as follows.

$$H(value(v_{w_i})) = preproof(w_i) \quad (i = 1, 2, \ldots, l). \quad (5)$$

If the equation holds, move to the next step. If not, abort.

2) Use R_f = E(file_i) (i = 1, 2, ..., l) to build a vector v′. If i ∈ [1, l], v_i = 1; otherwise, v_i = 0.

3) Check the completeness of the search result:

$$v' = binary(value(v_{w_1})) \,\&\, \cdots \,\&\, binary(value(v_{w_l})). \quad (6)$$

If the equation holds, output 1. If not, output 0. Here, given a decimal number x, binary(x) is a function that outputs its binary format.

Example: A user sends the query ciphertexts (CT_1, CT_2) of the corresponding keywords (w_1, w_2) to the server; the server finds the corresponding PEKS(w_1), PEKS(w_2) in the Z-IndexBuild by running the Test(CT_i, CT_j) algorithm. Thus the server obtains the corresponding vectors v_{w_1} = 101…011 and v_{w_2} = 110…111, and uses the bit operation & to compute v_result = v_{w_1} & v_{w_2} = 100…011. In v_result, the first bit is 1 and the last two bits are 1, so the corresponding R_f = {E(file_1), E(file_{n−1}), E(file_n)} and the verification proof = value(v_{w_1}) || value(v_{w_2}) are returned to the user.

After receiving (R_f, proof), the user can obtain value(v_{w_1}) and value(v_{w_2}) from proof, and preproof(w_1) = H(value(101…011)) and preproof(w_2) = H(value(110…111)) from the published Z-Index structure (see Figure 3). Thus the user can check

H(value(v_{w_1})) = preproof(w_1),
H(value(v_{w_2})) = preproof(w_2).

If the above equations hold, then the user builds v′ = 100…011 according to R_f, and checks

v′ = binary(value(v_{w_1})) & binary(value(v_{w_2})).

If the above equation holds, output 1. If not, output 0.

E. CORRECTNESS AND COMPLETENESS

According to the definition in [30]: For sets S_1, S_2, S_3, ..., S_l, the completeness witnesses show that I = S_1 ∩ S_2 ∩ S_3 ∩ ... ∩ S_l is correct and complete if and only if the following two conditions hold.

• subset condition: I ⊆ S_1 ∧ I ⊆ S_2 ∧ ... ∧ I ⊆ S_l;
• completeness: (S_1 − I) ∩ (S_2 − I) ∩ ... ∩ (S_l − I) = ∅.

Thus, the two conditions in our scheme can be described as follows:

• subset condition: v_result ⊆ v_{w_1} ∧ ... ∧ v_result ⊆ v_{w_t};
• completeness: (v_{w_1} − v_result) ∩ ... ∩ (v_{w_t} − v_result) = ∅.

Subset Condition: In our scheme, the verification of equation (3) ensures that the subset condition is satisfied. If equation (3) evaluates to 1, then the two ciphertexts CT_i and CT_j contain the same keyword, so that the number of "1"s in the subset vector v_{w_i} is the number of encrypted files with the same keyword w_i. Meanwhile the
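The construction of Section IV-D and the checks of Section IV-E, modelled end to end in Python as an added example (this is not the authors' code). It assumes a one-generator homomorphic hash H(x) = g^x mod P with g of prime order p, noise-free public-key samples x_i = p·q_i so that C_{i1} mod p = w_i + r_i q_id exactly as equation (7) assumes, SHA-256 as the abstract hash H_1, and tiny toy parameters; the corpus and identities are constructed.

```python
# Toy model of Test (eq. 3) and Z-Index build / RPGen / Verify (eqs. 4-6).
# Added example, not the authors' code. Assumptions: H is the one-generator
# homomorphic hash H(x) = g^x mod P with g of prime order p in Z_P^*; the
# public-key samples x_i are noise-free (x_i = p*q_i), so C_i1 mod p equals
# w_i + r_i*q_id as the paper's eq. (7) assumes; H1 = SHA-256; toy sizes.
import hashlib
import secrets
from functools import reduce

p = 1019            # toy secret key p (odd prime) = order of the hash group
P = 2 * p + 1       # 2039 is prime, so g = 4 has order exactly p in Z_P^*
g, TAU = 4, 8

def H(x):
    """Homomorphic hash on 1-element vectors: H(a + b) = H(a) * H(b)."""
    return pow(g, x % p, P)

def setup():
    """Stand-in for DGHV KeyGen': pk = <x0, ..., x_tau>, x0 largest and odd."""
    while True:
        xs = [p * (1 + secrets.randbelow(1 << 16)) for _ in range(TAU + 1)]
        xs.sort(reverse=True)
        if xs[0] % 2:
            return xs

def user_key(identity):
    """KeyGen(1^lambda, id): q_id = H1(id xor k_i), toy H1 = SHA-256 mod p."""
    k = secrets.token_bytes(len(identity))
    masked = bytes(a ^ b for a, b in zip(identity, k))
    return 1 + int.from_bytes(hashlib.sha256(masked).digest(), "big") % (p - 1)

def peks(w, q_id, pk):
    """PEKS(w_i, pk) under the user's secret q_id: CT_i = (C_i1, C_i2)."""
    S = [i for i in range(1, TAU + 1) if secrets.randbits(1)]
    r = 1 + secrets.randbelow(p - 1)
    c1 = (w + r * q_id + r * q_id * sum(pk[i] for i in S)) % pk[0]
    return c1, H(r * q_id)

def keyword_test(ct_i, ct_j):
    """Test(CT_i, CT_j), eq. (3), run by the server that holds p."""
    return (H(ct_i[0] % p) * ct_j[1]) % P == (H(ct_j[0] % p) * ct_i[1]) % P

def value(bits):          # value(x): bit vector -> decimal, file 1 leftmost
    return int("".join(map(str, bits)), 2)

def binary(x, n):         # binary(x): decimal -> n-bit vector (inverse)
    return [int(b) for b in format(x, f"0{n}b")]

def bitwise_and(vectors):
    return [reduce(lambda a, b: a & b, col) for col in zip(*vectors)]

def z_index_build(files):
    """Z-IndexBuild: group ciphertexts by keyword with Test; each row keeps a
    representative ciphertext, its bit vector over the n files and
    preproof = H(value(v)).  files[j] = keyword ciphertexts of file j."""
    rows = []
    for j, cts in enumerate(files):
        for ct in cts:
            row = next((r for r in rows if keyword_test(r[0], ct)), None)
            if row is None:
                row = [ct, [0] * len(files), None]
                rows.append(row)
            row[1][j] = 1
    for row in rows:
        row[2] = H(value(row[1]))
    return rows

def rp_gen(index, query_cts):
    """RPGen: locate each queried row with Test, AND the vectors (eq. 4);
    return R_f (file positions), proof = [value(v_w)], and the rows used."""
    hits = [next(i for i, r in enumerate(index) if keyword_test(r[0], ct))
            for ct in query_cts]
    result = bitwise_and([index[i][1] for i in hits])
    r_f = [j for j, bit in enumerate(result) if bit]
    return r_f, [value(index[i][1]) for i in hits], hits

def verify(preproofs, n, r_f, proof):
    """Verify(R_f, proof): eq. (5) against the published preproofs, rebuild
    v' from R_f, then eq. (6). Returns 1 (correct and complete) or 0."""
    if len(proof) != len(preproofs) or any(
            H(v) != pre for v, pre in zip(proof, preproofs)):
        return 0                                   # step 1 fails: abort
    v_prime = [1 if j in r_f else 0 for j in range(n)]
    return int(v_prime == bitwise_and([binary(v, n) for v in proof]))

def demo():
    """Honest server passes; a server that silently drops one matching file
    (an incomplete result) is caught by step 3 of Verify."""
    pk = setup()
    kw = {"alpha": 11, "beta": 22, "gamma": 33}             # toy keyword codes
    corpus = [["alpha", "beta"], ["alpha"], ["alpha", "beta", "gamma"], ["gamma"]]
    owner_q = user_key(b"owner@example.invalid")               # constructed ids
    files = [[peks(kw[k], owner_q, pk) for k in ks] for ks in corpus]
    index = z_index_build(files)
    published = [row[2] for row in index]                     # public Z-Index
    user_q = user_key(b"user42@example.invalid")               # another user
    query = [peks(kw["alpha"], user_q, pk), peks(kw["beta"], user_q, pk)]
    r_f, proof, rows = rp_gen(index, query)
    pre = [published[i] for i in rows]
    honest = verify(pre, len(files), r_f, proof)
    cheated = verify(pre, len(files), r_f[:-1], proof)       # one file omitted
    return r_f, honest, cheated

if __name__ == "__main__":
    print(demo())      # ([0, 2], 1, 0)
```

Because the Test cancels the r·q_id terms of both ciphertexts, two users with different q_id still match on the same keyword, which is what lets the server build the inverted index without a trapdoor.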


number of ‘‘1’’ in vresult is the number of encrypted file with security parameter λ). Any attack A with advantage ε on the
all keywords from w = (w1 , w2 , . . . , wt ). proposed scheme can be converted into an algorithm B for
Specially, assuming CTi and CTj are the ciphertexts for the solving (ρ, η, γ )-Approximate-GCD with success probabil-
keywords wi and wj respectively. If wi = wj , then ity at least ε/2. The running time of B is polynomial in the
running time of A, and in λ and 1/ε.
H (Ci1 mod p) × Cj2 H (wi + ri qi ) × H (qj )rj Proof: Now we use the same way as [28] to show how
=
H (Cj1 mod p) × Ci2 H (wj + rj qj ) × H (qi )ri the challenger B to recover p with the success probability.
H (wi ) × H (qi )ri × H (qj )rj We use qp (z) and rp (z) to denote the quotient and remainder
=
H (wj ) × H (qj )rj × H (qi )ri of z with respect to p, hence z = qp (z)p + rp (z).
H (wi ) • Step 1. First the challenger B draws (τ + 1) samples
= (7) x0 , . . . , xτ from Dγ ,ρ (p). It relabels so that x0 is the
H (wj )
largest. It restarts unless x0 is odd. B outputs a public
Obviously, the equation (3) is true. key pk =< x0 , x1 , . . . , xτ > to the adversary A.
Completeness: In our scheme, given a query keyword • Step 2. B produces a sequence of integers, and attempts
w = (w1 , w2 , . . . , wt ) from a user, the server returns a set to recover p by utilizing A to learn the least significant
of encrypted files according to the vresult . Namely the server bit of the quotients of these integers with respect to p.
returns all encrypted files whose corresponding positions in For this, B uses the following Subroutine Learn-LSB
the vresult are equal to 1, and does not return the encrypted Algorithm:
files whose corresponding positions in the vresult are equal
to 0. If the vresult is correct, then the completeness is satisfied. Algorithm 1 Subroutine Learn-LSB(z, pk)
The correction of the vresult is guaranteed by the equations Input: z ∈ (0, 2λ ) with |rp (z)| < 2ρ and pk =< x0 , x1 , . . . , xτ >
(3) and (4). Meanwhile, the verification of the equations (5) Output: The least-significant-bit of qp (z)
and (6) ensures that a user can verify the completeness of
search results. Because if the equation (5) holds, it shows that 1. For j = 1 to ploy(λ)/ do:
R R
2. choose noise rj ← (−2ρ , 2ρ ), a bit wj ← {0, 1}
0 0
the returned value(vwi ) is correct since the preproof (wi ) is
published in the Z -IndexBuild. Meanwhile according to the and a random subset Sj ⊆R {1, 2, . . . , τ }
Rf = E(filei )(i = 1, 2, . . . , l) returned by the server, the user 3. set CTj ← [z + wj + rj + rj 6k∈Sj xk ]x0
0
can reconstruct v . If the equation (6) holds, it shows that 4. aj ← A(pk, CTj )
0
the reconstructed v is correct, which is equal to the vresult . 5. set bj ← aj ⊕ parity(z) ⊕ wj
Therefore, our scheme can verify the completeness of search 6. Output the majority vote among the bj ’s
results.
• Step 3. Once we turned A into an oracle for the
V. SECURITY ANALYSIS least-significant bit of qp (z), recovering p is rather
As for the security aspect, we reduce our scheme from Section 4 to the hardness of the Approximate-GCD problem. In other words, given a randomly chosen set of integers x0, x1, . . . , xτ, which are all close to multiples of a large integer p, one has to find this ‘‘common near divisor’’ p. In order to obtain a reliable oracle for the least-significant bit from the assumed adversary, we describe a random self-reduction and accuracy-amplification step as in [28]. A Binary GCD algorithm can then employ the obtained reliable oracle to find p.

Considering the technical details, our random self-reduction implies a loss in parameters. In particular, the obvious advantage in guessing the encrypted bit in a random ‘‘high ρ'-bit-noise ciphertext’’ can be transformed into the ability to reliably predict the parity bit of the quotient of an arbitrary ‘‘low ρ-bit-noise integer’’. By adding extra noise we can ‘‘wipe out the traces’’ of the non-random noise in the arbitrary input integer. That means the security of our scheme in the ‘‘high-noise’’ setting can be reduced to the hardness of the Approximate-GCD problem in the ‘‘low-noise’’ setting, where the difference between ‘‘high noise’’ and ‘‘low noise’’ is quite small.

Theorem 1: Fix the parameters (ρ, ρ', η, γ, τ) as in the proposed scheme from Section 4 (all polynomial in the

straightforward. Perhaps the simplest way of doing it is using the Binary GCD Algorithm: given any two integers z1 = qp(z1)·p + rp(z1) and z2 = qp(z2)·p + rp(z2), B uses the following Binary GCD Algorithm:

Algorithm 2 Binary GCD(z1, z2)
Input: z1 = qp(z1)·p + rp(z1) and z2 = qp(z2)·p + rp(z2)
Output: the odd part of GCD(qp(z1), qp(z2))
1. If z2 > z1 then swap z1 ↔ z2
2. Call Learn-LSB( ) to obtain b1 = [qp(z1)]2 and b2 = [qp(z2)]2
3. If both qp(z1) and qp(z2) are odd then replace z1 by (z1 − z2) and set b1 ← 0
4. For each zi with bi = 0, replace zi by zi ← (zi − parity(zi))/2

• Step 4. To recover p, B draws a pair of elements z1*, z2* ←R D_{γ,ρ}(p). According to [28], the two quotients are coprime with probability at least Pr[GCD(qp(z1*), qp(z2*)) = 1] = 6/π² ≈ 0.6. That is, B obtains an element z̃ = 1·p + r. Finally, B recovers p = ⌊z1*/qp(z1*)⌉. This contradicts the assumption that the Approximate-GCD problem is hard.
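The last two steps of the reduction, Algorithm 2 driven only by a parity oracle on the quotients and Step 4's recovery of p from the resulting z̃, are easier to follow when run end to end. The Python simulation below is an added example, not code from the paper: it constructs a toy Approximate-GCD instance with small parameters, simulates a perfect Learn-LSB oracle using the secret p (the reduction instead derives an unreliable oracle from the adversary and amplifies it), iterates the four steps of Algorithm 2 until the second element's quotient is zero, and then reads qp(z1*) off bit by bit with the same oracle before computing p = ⌊z1*/qp(z1*)⌉. The bit-by-bit read-off of the quotient and the acceptance check against the public elements x_i are assumptions about how Step 4 is carried out, as are the parameter sizes.

```python
"""Simulation of Algorithm 2 (Binary GCD with a parity oracle) and Step 4 of the
Approximate-GCD reduction. Added illustration, not code from the paper."""
from math import gcd
import random

# Constructed toy sizes in bits: noise rho, secret eta, sample length gamma.
# The paper's parameters are far larger; these only keep the simulation fast.
RHO, ETA, GAMMA = 8, 40, 100


def q_p(z, p):
    """qp(z): nearest-integer quotient of z by odd p, so rp(z) = z - qp(z)*p in (-p/2, p/2)."""
    return (2 * z + p) // (2 * p)


def sample(p, rng, gamma=GAMMA, rho=RHO):
    """One element of D_{gamma,rho}(p): q*p + r with q in [1, 2^gamma/p) and |r| < 2^rho."""
    q = rng.randrange(1, (1 << gamma) // p)
    r = rng.randrange(1 - (1 << rho), 1 << rho)
    return q * p + r


def make_lsb_oracle(p):
    """Stand-in for Learn-LSB: returns [qp(z)]_2. The reduction builds this from the
    adversary and amplifies it; here it is simulated with p (assumption)."""
    return lambda z: q_p(z, p) & 1


def halve(z):
    """z <- (z - parity(z))/2. With p odd and qp(z) even this maps q -> q/2, r -> floor(r/2)."""
    return (z - z % 2) // 2


def odd_gcd(a, b):
    """Odd part of gcd(a, b); used only to check Algorithm 2's output."""
    g = gcd(a, b)
    while g and g % 2 == 0:
        g //= 2
    return g


def binary_gcd(z1, z2, lsb, noise_bound):
    """Algorithm 2, iterated until qp(z2) == 0, detected as |z2| < noise_bound (an
    element with zero quotient is pure noise). Returns z~ = g*p + r with g the odd
    part of gcd(qp(z1), qp(z2)); only the parity oracle is used, never p."""
    while abs(z2) >= noise_bound:
        if z2 > z1:                          # step 1
            z1, z2 = z2, z1
        b1, b2 = lsb(z1), lsb(z2)            # step 2
        if b1 and b2:                        # step 3
            z1, b1 = z1 - z2, 0
        if b1 == 0:                          # step 4
            z1 = halve(z1)
        if b2 == 0:
            z2 = halve(z2)
    return z1


def recover_quotient(z, z_tilde, lsb, gamma=GAMMA):
    """Read qp(z) off bit by bit using z~ = 1*p + r~: when qp(z) is odd, z - z~ lowers
    the quotient by one; halving then divides it by two. (Assumption on how qp(z1*)
    is obtained before computing p = round(z1*/qp(z1*)).)"""
    q = 0
    for i in range(gamma):
        if lsb(z):
            q |= 1 << i
            z -= z_tilde
        z = halve(z)
    return q


def near_multiple(x, p_hat, bound):
    """True if x is within `bound` of a multiple of p_hat."""
    r = x % p_hat
    return min(r, p_hat - r) < bound


def recover_p(draw, pk_elements, lsb, rho=RHO, max_tries=64):
    """Step 4. draw() returns fresh elements of D_{gamma,rho}(p) (in the reduction B
    gets them from the problem instance). A try succeeds when the two quotients are
    coprime (probability at least 6/pi^2); a candidate is accepted only if every
    public element x_i is within 2^(rho+1) of a multiple of it (assumed check)."""
    bound = 1 << (rho + 1)
    for _ in range(max_tries):
        z1, z2 = draw(), draw()
        z_tilde = binary_gcd(z1, z2, lsb, bound)
        q1 = recover_quotient(z1, z_tilde, lsb)
        if q1 == 0:
            continue
        p_hat = (2 * z1 + q1) // (2 * q1)   # round(z1 / q1)
        if p_hat > 4 * bound and all(near_multiple(x, p_hat, bound) for x in pk_elements):
            return p_hat
    return None


def demo(seed=2018, n_pk=10):
    """End-to-end run on a constructed instance; returns (true p, recovered p)."""
    rng = random.Random(seed)
    p = rng.randrange(1 << (ETA - 1), 1 << ETA) | 1   # odd secret, as in [28]
    lsb = make_lsb_oracle(p)
    pk = [sample(p, rng) for _ in range(n_pk)]         # the public x_0..x_tau
    return p, recover_p(lambda: sample(p, rng), pk, lsb)


if __name__ == "__main__":
    p, p_hat = demo()
    print("recovered" if p == p_hat else "failed", hex(p))
```

The point to take from the simulation is that nothing in `binary_gcd` or `recover_quotient` touches p: every operation is addition, subtraction, halving and one parity query on the quotient, which is exactly why a reliable least-significant-bit oracle, and nothing stronger, suffices for the reduction. Candidates such as g·p from a non-coprime pair are rejected by the consistency check, so the loop keeps drawing pairs until a coprime one appears.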

42450 VOLUME 6, 2018


D. N. Wu et al.: Verifiable PEKS Based on Homomorphic Encryption in Multi-User Setting

Although the server has the secret key p, it can learn nothing else about the keyword. For the ciphertexts $\{C_{i1} = [w_i + r_i q_{id} + r_i q_{id} \sum_{i \in S} x_i]_{x_0},\ C_{i2} = H(r_i q_{id})\}$, since the server does not know the secret key sk_id = q_id, it cannot obtain any information about the keyword w_i. Furthermore, r_i is uniformly random and independent over Z_p^* from the server's view, which ensures the ciphertexts' indistinguishability and enhances the keywords' privacy one step further. Therefore, the server learns nothing more about the keyword w_i.

VI. PERFORMANCE ANALYSIS

This section evaluates the performance of our scheme, including its functionality, computational cost, a comparison with index-based searchable encryption schemes, and experimental results. Let |DO| denote the number of authorized data owners, n the number of data files, m the number of search keywords, t the number of queried keywords, and d the number of search results.

First, we show the functionality and computational complexity of our scheme by comparing it with the analogous schemes [31]–[33] in Table 1 and Table 2.

TABLE 1. Functionality comparison.

TABLE 2. Computational cost comparison.

Obviously, our scheme enriches the search functionalities over encrypted data. As illustrated in Table 1, it achieves all of the aforementioned functionalities simultaneously, while the other three schemes do not. Our scheme allows the cloud server to generate an inverted encryption index structure without a query trapdoor, which significantly improves the efficiency of searching.

From Table 2, we can see that the KeyGen, PEKS, Test and Verify algorithms in our scheme have lower computational overhead than those of the other schemes. This is because our scheme relies on homomorphic encryption and some simple addition, multiplication and division operations, while the other three schemes use heavier cryptographic operations such as bilinear pairings.

TABLE 3. Index-based searchable encryption schemes comparison.

To demonstrate the search efficiency of the index structure, we compare our scheme with several related searchable encryption schemes [9], [34]–[36]; the results are displayed in Table 3. In general, index structures can be divided into two types, file-keyword and keyword-file, the latter also called the inverted index. From Table 3, we can see that the search complexity of schemes [9], [36] and of our scheme is lower than that of schemes [34], [35] because of the index structure. In our scheme, we introduce an index structure named Z-Index, which supports keyword search and result verification to ensure the correctness and completeness of search results. Weighing all the factors in Table 3, the comparison shows that our scheme has better efficiency.

To assess the actual computational performance of our scheme, we perform comparison experiments with VMKDO16 [33] over a real-world dataset, the Enron email dataset. The experiments are implemented on Windows 10 with an Intel Core i5 processor at 2.6 GHz. We set E(F_q): y² = x³ + x and let G1 be a subgroup of E(F_q), where q is a large prime. The group order of G1 is 160 bits and the base field is 512 bits. The experimental results are shown in Figure 4, Figure 5 and Figure 6.

FIGURE 4. KeyGen algorithm comparison.

From Figure 4, we can see that the computational time of the KeyGen algorithm in both schemes increases almost linearly with the number of DOs (here we set |DO| ∈ [1, 5000]). We also see that our scheme needs less computational time than VMKDO16, since our scheme only needs a


hash operation to generate the private key, while VMKDO16 needs to select 2 random numbers for each data owner and perform 2 exponentiations to obtain the data owner's public-private key pair.

In the PEKS phase, VMKDO16 first needs to encrypt the file set F with a traditional public key encryption algorithm and generate signatures for the encrypted file set (here we set m ∈ [1, 1000]). The computational cost of generating the signature for each encrypted file block is one exponentiation. Then the index is built for the file set according to the given keyword set, a process that mainly involves multiple bilinear pairing and exponentiation operations. By contrast, our scheme only needs 2 multiplications, 2 additions and a hash operation to complete the PEKS algorithm. Therefore, the computational burden of the PEKS algorithm in VMKDO16 is much heavier than in our scheme. The experimental result shown in Figure 5 is consistent with this analysis. The PEKS algorithm of VMKDO16 is affected by the keyword number m, and its computational burden grows as m increases, whereas the performance of our scheme is almost unaffected because the cost of addition and multiplication is negligible.

FIGURE 5. PEKS algorithm comparison.

FIGURE 6. Test algorithm comparison.

In the Test phase, Figure 6 shows that our scheme has much less computational overhead than VMKDO16 when there are fewer search keywords (here we set t ∈ [150, 750]). However, the computational time of our scheme increases linearly with t, while that of VMKDO16 is almost constant. This is because VMKDO16 is constructed from an attribute-based encryption algorithm, so the number of search keywords mainly affects the trapdoor generation time; in the Test phase, regardless of the number of keywords, its Test algorithm only needs 3 exponentiations and 2 bilinear pairings. Our scheme is constructed from a homomorphic encryption algorithm and the encrypted indexes include the keywords, so its cost increases linearly with the number of queried keywords. Therefore, when t is large enough, VMKDO16 will perform better than our scheme. Fortunately, the number of keywords that users submit is generally not large. Thus, our scheme is still acceptable in practice, and performs better than VMKDO16 when there are fewer search keywords.

VII. CONCLUSION
A verifiable public key encryption with keyword search based on homomorphic encryption in the multi-user setting has been proposed. Our scheme allows the server to build an inverted encryption index structure without a query trapdoor, so that the time complexity of a single keyword search is reduced to O(m). Experiments demonstrate an obvious advantage over the other schemes. Moreover, our scheme can verify the correctness and completeness of search results in the multi-user setting and allows multiple users to perform encrypted keyword queries over encrypted data. The security analysis shows that it is secure based on the Approximate-GCD problem in the random oracle model.

REFERENCES
[1] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, ‘‘Public key encryption with keyword search,’’ in Advances in Cryptology—EUROCRYPT. Berlin, Germany: Springer, 2004, pp. 506–522.
[2] D. Boneh and B. Waters, ‘‘Conjunctive, subset, and range queries on encrypted data,’’ in Theory of Cryptography. Berlin, Germany: Springer, 2007, pp. 535–554.
[3] J. Baek, R. Safavi-Naini, and W. Susilo, ‘‘Public key encryption with keyword search revisited,’’ in Computational Science and Its Applications—ICCSA. Berlin, Germany: Springer, 2008, pp. 1249–1259.
[4] J. Camenisch, M. Kohlweiss, A. Rial, and C. Sheedy, ‘‘Blind and anonymous identity-based encryption and authorised private searches on public key encrypted data,’’ in Public Key Cryptography—PKC. Berlin, Germany: Springer, 2009, pp. 196–214.
[5] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, ‘‘Privacy-preserving multi-keyword ranked search over encrypted cloud data,’’ IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 1, pp. 222–233, Jan. 2014.
[6] M. Li, S. Yu, N. Cao, and W. Lou, ‘‘Authorized private keyword search over encrypted data in cloud computing,’’ in Proc. IEEE 31st Int. Conf. Distrib. Comput. Syst. (ICDCS), Jun. 2011, pp. 383–392.
[7] C. Gu, Y. Guang, Y. Zhu, and Y. Zheng, ‘‘Public key encryption with keyword search from lattices,’’ Int. J. Inf. Technol., vol. 19, no. 1, pp. 1–10, 2013.
[8] C. Hou, F. Liu, H. Bai, and L. Ren, ‘‘Public-key encryption with keyword search from lattice,’’ in Proc. IEEE 8th Int. Conf. P2P, Parallel, Grid, Cloud Internet Comput. (3PGCIC), Oct. 2013, pp. 336–339.
[9] B. Wang, W. Song, W. Lou, and Y. T. Hou, ‘‘Inverted index based multi-keyword public-key searchable encryption with strong privacy guarantee,’’ in Proc. IEEE Conf. Comput. Commun. (INFOCOM), Apr./May 2015, pp. 2092–2100.
[10] Z. Xia, X. Wang, X. Sun, and Q. Wang, ‘‘A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data,’’ IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340–352, Jan. 2016.


[11] R. Chen et al., ‘‘Server-aided public key encryption with keyword search,’’ IEEE Trans. Inf. Forensics Security, vol. 11, no. 12, pp. 2833–2842, Dec. 2016.
[12] J. Li, X. Lin, Y. Zhang, and J. Han, ‘‘KSF-OABE: Outsourced attribute-based encryption with keyword search function for cloud storage,’’ IEEE Trans. Services Comput., vol. 10, no. 5, pp. 715–725, Sep./Oct. 2017.
[13] K. Emura, G. Hanaoka, K. Nuida, G. Ohtake, T. Matsuda, and S. Yamada, ‘‘Chosen ciphertext secure keyed-homomorphic public-key cryptosystems,’’ Des., Codes Cryptogr., vol. 86, no. 8, pp. 1623–1683, 2018.
[14] R. C. Merkle, ‘‘A certified digital signature,’’ in Proc. Int. Conf. Adv. Cryptol., 1989, pp. 218–238.
[15] L. Che, L. Xu, S. Zhou, and X. Huang, ‘‘Data dynamics for remote data possession checking in cloud storage,’’ Comput. Elect. Eng., vol. 39, no. 7, pp. 2413–2424, 2013.
[16] X. Wang and D. Yuan, ‘‘A query verification scheme for dynamic outsourced databases,’’ J. Comput., vol. 37, no. 1, pp. 156–160, 2013.
[17] Y. Yu, Y. Zhang, J. Ni, M. H. Au, L. Chen, and H. Liu, ‘‘Remote data possession checking with enhanced security for cloud storage,’’ Future Gener. Comput. Syst., vol. 52, pp. 77–85, Nov. 2015.
[18] K. Yang and X. Jia, ‘‘An efficient and secure dynamic auditing protocol for data storage in cloud computing,’’ IEEE Trans. Parallel Distrib. Syst., vol. 24, no. 9, pp. 1717–1726, Sep. 2013.
[19] S. De Capitani di Vimercati, S. Foresti, S. Jajodia, G. Livraga, S. Paraboschi, and P. Samarati, ‘‘Integrity for distributed queries,’’ in Proc. IEEE Conf. Commun. Netw. Secur., Oct. 2014, pp. 1–9.
[20] C. Guo et al., ‘‘Key-aggregate authentication cryptosystem for data sharing in dynamic cloud storage,’’ Future Gener. Comput. Syst., vol. 84, no. 7, pp. 190–199, 2018.
[21] M. Sookhak, A. Gani, M. K. Khan, and R. Buyya, ‘‘Dynamic remote data auditing for securing big data storage in cloud computing,’’ Inf. Sci., vol. 380, pp. 101–116, Feb. 2017.
[22] J. Shen, J. Shen, X. Chen, X. Huang, and W. Susilo, ‘‘An efficient public auditing protocol with novel dynamic structure for cloud data,’’ IEEE Trans. Inf. Forensics Security, vol. 12, no. 10, pp. 2402–2415, Oct. 2017.
[23] Q. Chai and G. Gong, ‘‘Verifiable symmetric searchable encryption for semi-honest-but-curious cloud servers,’’ in Proc. IEEE Int. Conf. Commun. (ICC), Jun. 2012, pp. 917–922.
[24] C. Guo, R. Zhuang, Y. Jie, Y. Ren, T. Wu, and K. Choo, ‘‘Fine-grained database field search using attribute-based encryption for e-healthcare clouds,’’ J. Med. Syst., vol. 40, no. 11, pp. 235–242, 2016.
[25] Q. Zheng, S. Xu, and G. Ateniese, ‘‘VABKS: Verifiable attribute-based keyword search over outsourced encrypted data,’’ in Proc. IEEE INFOCOM, Apr./May 2014, pp. 522–530.
[26] W. Sun et al., ‘‘Verifiable privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking,’’ IEEE Trans. Parallel Distrib. Syst., vol. 25, no. 11, pp. 3025–3035, Nov. 2014.
[27] C. Guo, X. Chen, Y. Jie, F. Zhang, M. Li, and B. Feng, ‘‘Dynamic multi-phrase ranked search over encrypted data with symmetric searchable encryption,’’ IEEE Trans. Services Comput., pp. 1–12, Oct. 2017. [Online]. Available: https://ieeexplore.ieee.org/document/8089767/, doi: 10.1109/TSC.2017.2768045.
[28] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, ‘‘Fully homomorphic encryption over the integers,’’ in Annu. Int. Conf. Theory Appl. Cryptograph. Techn. Berlin, Germany: Springer, 2010, pp. 24–43.
[29] M. N. Krohn, M. J. Freedman, and D. Mazières, ‘‘On-the-fly verification of rateless erasure codes for efficient content distribution,’’ in Proc. IEEE Symp. Secur. Privacy, May 2004, pp. 226–240.
[30] M. T. Goodrich et al., ‘‘Efficient verification of Web-content searching through authenticated Web crawlers,’’ Proc. VLDB Endowment, vol. 5, no. 10, pp. 920–931, 2012.
[31] L. Guo, B. Lu, X. Li, and H. Xu, ‘‘A verifiable proxy re-encryption with keyword search without random oracle,’’ in Proc. Int. Conf. Comput. Intell. Secur., 2013, pp. 474–478.
[32] Y. Yang and M. Ma, ‘‘Conjunctive keyword search with designated tester and timing enabled proxy re-encryption function for e-health clouds,’’ IEEE Trans. Inf. Forensics Security, vol. 11, no. 4, pp. 746–759, Apr. 2016.
[33] Y. Miao, J. Ma, X. Liu, Z. Liu, L. Shen, and F. Wei, ‘‘VMKDO: Verifiable multi-keyword search over encrypted cloud data for dynamic data-owner,’’ Peer-Peer Netw. Appl., vol. 11, no. 2, pp. 287–297, 2016.
[34] E.-J. Goh, ‘‘Secure indexes,’’ Cryptol. ePrint Arch., Tech. Rep. 2003/216, 2003. [Online]. Available: http://eprint.iacr.org/2003/216
[35] Y.-C. Chang and M. Mitzenmacher, ‘‘Privacy preserving keyword searches on remote encrypted data,’’ in Proc. Int. Conf. Appl. Cryptogr. Netw. Secur. Berlin, Germany: Springer, 2005, pp. 442–455.
[36] R. Zhang, R. Xue, T. Yu, and L. Liu, ‘‘Dynamic and efficient private keyword search over inverted index–based encrypted data,’’ ACM Trans. Internet Technol., vol. 16, no. 3, 2016, Art. no. 21.

D. N. WU received the M.Sc. degree in computer engineering from Jinan University, China, in 2017. Her research interests include security and privacy in cloud computing.

Q. Q. GAN received the M.Sc. degree in software engineering from Jinan University, China, in 2016, where she is currently pursuing the Ph.D. degree. Her research interests include security and privacy in cloud computing.

X. M. WANG received the B.Sc. degree from the Harbin Institute of Technology, China, and the Ph.D. degree from Nankai University, China. She is currently a Professor with the Department of Computer Science, Jinan University, China. Her research interests include security and privacy in network and distributed systems, such as wireless sensor networks and cloud computing, with a focus on security protocol design and access control.
