Searchable Encryption Scheme for Personalized Privacy in IoT-Based Big Data

Abstract

The Internet of things (IoT) has become a significant part of our daily life. Composed of millions of intelligent devices, IoT can interconnect people with the physical world. With the development of IoT technology, the amount of data generated by sensors or devices is increasing dramatically. IoT-based big data has become a very active research area. One of the key issues in IoT-based big data is ensuring the utility of data while preserving privacy. In this paper, we deal with the protection of big data privacy in the data storage phase and propose a searchable encryption scheme satisfying personalized privacy needs. Our proposed scheme works for all file types including text, audio, image, video, etc., and meets different privacy needs of different individuals at the expense of high storage cost. We also show that our proposed scheme satisfies index indistinguishability and trapdoor indistinguishability.

1. Introduction

Internet of Things (IoT) has become a significant part of our daily life over the past few years. A huge number of sensors or intelligent devices have been integrated together to interconnect people with the physical world, which also generates massive sensing data. Data generated by IoT devices are collected, disseminated, and exchanged among different people, business, and societies. With the development of IoT, the amount of data generated by organizations or individuals is increasing dramatically [1].

Although the massive data generated in the IoT environment is of significant value, exploring and using the extraordinary value of IoT data will increase the risk of privacy breach [2]. To obtain profits, the collection, storage, and reuse of our personal data poses a serious threat to our privacy. Consequently, researchers are faced with the challenge of ensuring the utility of data while preserving privacy. Various techniques have been developed to protect data privacy. Generally, these techniques for data privacy can be grouped based on the stages of big data life cycle, as follows [3].

• Data generation: In the data generation phase, access restriction, and falsifying data techniques are used.
• Data storage: The approaches in the data storage phase are mainly based on encryption techniques.
• Data processing: Anonymization techniques as well as clustering, classification, and association rule mining-based techniques are used in the data processing phase.

In this paper, we will focus on the protection of big data privacy in the data storage phase of the big data life cycle. In the IoT environment, the sensing data generated by various sensors and devices will be collected and uploaded to cloud servers, where cloud servers can provide massive storage and cloud computing services. We know that encryption techniques are used for the protection of big data privacy in the data storage phase. When a large amount of encrypted data is stored in cloud servers, the first consideration is confidentiality of the data, which can be ensured by secure and efficient encryption schemes. However, when the data user wants to retrieve the data containing a specific keyword, the cloud server cannot respond to the data user’s retrieval request, because it cannot decrypt the encrypted data. All these problems can be solved by searchable encryption schemes [4,5], such as searchable symmetric encryption [6], public key encryption with keyword search [7], etc. The searchable encryption scheme mainly includes three entities—data owner, data user, and cloud server. The data owner outsources the encrypted data to the cloud server. The data user queries the encrypted data containing a specific keyword to the cloud server. The cloud server stores and retrieves the encrypted data.

In existing searchable encryption schemes, the data user can access all the data owned by the data owner, which can result in a privacy breach for the data owner. On the one hand, the data owner may be willing to share the data with some specific data users, but not with other data users. On the other hand, the data owner may be willing to share specific data with the data user, but not willing to share other data. Therefore, the data user accesses all the data owned by the data owner, which can result in a privacy breach for the data owner. Furthermore, additional information in the data owned by the data owner can also result in a privacy breach for the data owner. Privacy is subjective, and different people have different privacy needs. For example, the hidden text in a typical Word file includes a lot of sensitive personal information [8]. However, this additional information, which may disclose the privacy of the data owner, is useless for some data users. In data mining, data preprocessing is used to transform raw data into an understandable format [9]. In natural language processing, text feature extraction is used to transform a list of words into a feature set that is usable by a classifier [10]. In speech recognition and image recognition, feature extraction is a key step [11,12]. It means that this additional information may be discarded by the data user in the feature extraction phase. In summary, the data user accessing all the data owned by the data owner will result in a privacy breach for the data owner, but will not improve the utility of the data.

In this paper, we will propose a searchable encryption scheme for personalized privacy protection in IoT-based big data. The main contributions of our proposed scheme are as follows:

• In our proposed scheme, the data owner generates the file features at different levels, and uploads the encrypted file features to the cloud server.
• The proposed scheme makes a trade-off between ensuring the utility of the data and preserving the privacy, and meets the different privacy needs of different individuals.

The rest of this paper is as follows. Section 2 discusses the recent searchable encryption scheme. Section 3 presents necessary notations and definitions. Section 4 formalizes the searchable encryption scheme for meeting the personalized privacy needs in big data and presents main security definition. Section 5 describes the detailed construction of our proposed scheme. Section 6 discusses the security of our proposed scheme. Section 7 performs real time experimental results and makes a comparison of our proposed scheme with the existing schemes. The last section is the conclusion of this paper.

2. Related Work

Several different searchable encryption schemes have been proposed to allow the data user to retrieve the encrypted data [4,5]. In this section, we give a simple review on the existing work of the searchable encryption schemes.

In 2000, Song et al. [6] first proposed a searchable encryption scheme based on the symmetric encryption algorithm, which is called searchable symmetric encryption (SSE). However, their scheme has the following limitations: it is not proven to be a secure searchable encryption scheme; the distribution of the underlying plaintexts is vulnerable to statistical attacks; and the search time is linear to the length of the document collection. To overcome these limitations, Goh et al. [13] and Chang and Mitzenmacher [14] deployed a masked index table for SSE and introduced the notion of security for indexes. Curtmola et al. [15] generalized the security definitions of SSE and proposed two SSE schemes which are secure under the new security definitions. The search time of their schemes is linear to the number of documents. Subsequently, several SSE schemes were proposed for improvement. For example, Cash et al. [16] proposed an SSE scheme that supports conjunctive search and general Boolean queries on outsourced symmetrically encrypted data; Salam et al. [17] proposed a privacy-preserving data storage and retrieval system in cloud computing; Li et al. [18] proposed three different SSE schemes that can guard against a coercer by using the deniable encryption idea; Soleimanian et al. [19] proposed an SSE scheme to be publicly verifiable.

Although SSE schemes have high efficiency, they suffer from complicated secret key distribution. To resolve this problem, Boneh et al. [7] introduced a searchable encryption scheme based on public key cryptography, namely public key encryption with keyword search (PEKS). Waters et al. [20] showed that the PEKS schemes based on bilinear map could be applied to build encrypted and searchable auditing logs. However, the bilinear pairing operation is very complicated. Di et al. [21] introduced a PEKS scheme without bilinear pairing. The original PEKS scheme in [7] requires a secure channel to transmit the trapdoors. To overcome this limitation, Baek et al. [22] proposed a new PEKS scheme without requiring a secure channel. Byun et al. [23] introduced the off-line keyword-guessing attack (KGA) and pointed out that the original PEKS scheme in [7] was susceptible to KGA. Rhee et al. [24] proposed the notion of trapdoor indistinguishability and showed that trapdoor indistinguishability is a sufficient condition for preventing outside KGAs. Jeong et al. [25] showed that constructing secure PEKS schemes against inside KGA is impossible under the original PEKS framework in [7]. Xu et al. [26] proposed a PEKS scheme to against inside KGA. More recently, various improved PEKS schemes have been proposed. For example, Liang et al. [27] proposed a searchable attribute-based proxy re-encryption system to achieve privacy-preserving keyword search and encrypted data sharing as well as keyword update; Chen et al. [28] proposed a dual-server PEKS scheme to against inside KGA launched by the malicious server; Yang et al. [29] proposed a semantic key word searchable proxy re-encryption scheme for secure cloud storage using lattice-based cryptographic primitives; Wu et al. [30] designed an efficient and secure searchable encryption protocol using the trapdoor permutation function for cloud-based IoT; Yin et al. [31] proposed a ciphertext-policy attribute-based searchable encryption scheme to achieve keyword-based search and fine-grained access control over encrypted data.

Table 1. A comparison of some existing searchable encryption schemes.

Type	Limitation	Characteristic	Literature
SSE	need key distribution	masked index	[13,14]
		boolean queries	[16]
		against the coercer	[18]
		publicly verifiable	[19]
PEKS	lower search efficiency	without bilinear pairing	[21]
		without secure channel	[22]
		keyword update	[27]
		against inside KGA	[28]
		synonym keyword search	[29]
		fine-grained access control	[31]

shows a simple comparison of some existing searchable encryption schemes. In the design of searchable encryption scheme, privacy is a key concern. However, in all the existing searchable encryption schemes, the data user can access all the data owned by the data owner, which can result in a privacy breach for the data owner.

3. Preliminaries

A summary of the notations used in this paper is presented in

Table 2. Summary of notations.

Notation	Description
$\lambda$	The security parameter
$\mathbb{G}$	A cyclic group of order q
g	A generator of $\mathbb{G}$
$\mathbf{negl}(\lambda )$	A negligible function with respect to $\lambda$
$\mathbb{G}$	A cyclic group of order q
g	A generator of $\mathbb{G}$
$(p{k}_o,s{k}_o)$	The public/private key pairs for the data owner
$(p{k}_u,s{k}_u)$	The public/private key pairs for the data user
n	The number of the file of the data owner
$F_i$	The i-th file of the data owner ($1\le i\le n$)
$n_f+1$	The number of the file feature level
l	A file feature level ($0\le l\le n_f$)
$L_i$	The set of the authorized file feature level of $F_i$
$F_{il}$	The file feature of $F_i$ at level l
$\mathcal{F}$	The file features set $\{F_{il}:1\le i\le n,0\le l\le n_f\}$
${\mathcal{F}}^{\prime }$	The encrypted file features set
$W_{l_0}$	The keyword set of the file features set $\{F_{i{l}_0}:1\le i\le n\}$
w	A keyword in $W_{l_0}$
$Ind$	The index set
$In{d}^{\prime }$	The encrypted index set
$T_{w,l}$	The trapdoor with respect to w and l

.

The set of all binary strings of length n is denoted as ${\{0,1\}}^n$, and the set of all finite binary strings is denoted as ${\{0,1\}}^{\ast }$.

An index table (or dictionary) denotes the data structure of the form $I[key]=value$. Given a $key$, the $value$ matching the $key$ is returned.

A function $\mu :\mathbb{N}\to \mathbb{N}$ is negligible if for every positive polynomial $p(·)$ and all sufficiently large $\lambda$, $\mu (\lambda )<\frac{1}{p(\lambda )}$. We similarly write $f(\lambda )=\mathbf{negl}(\lambda )$ to mean that there exists a negligible function $\mu (·)$ such that $f(\lambda )\le \mu (\lambda )$ for all sufficiently large $\lambda$.

The following basic cryptographic primitives can be found in [32].

A symmetric encryption scheme is a tuple $\mathcal{E}=(Gen,Enc,Dec)$ of probabilistic, polynomial-time (PPT) algorithms, where $Gen$ takes the security parameter $\lambda$ as input, and outputs a secret key k; $Enc$ takes a key k and a message $m\in {\{0,1\}}^{\ast }$ as input, and outputs a ciphertext $c=Enc(k,m)$; $Dec$ takes a key k and a ciphertext c as input, and outputs m if $c=Enc(k,m)$.

For any symmetric encryption scheme $\mathcal{E}=(Gen,Enc,Dec)$, any adversary A and any value $\lambda$ for the security parameter, the chosen-plaintext attack (CPA) indistinguishability experiment $S{E}_{A,\mathcal{E}}^{cpa}(\lambda )$ is defined as:

• A random key k is generated by running $Gen(\lambda )$.
• The adversary A is given input $\lambda$ and oracle access to $Enc(k,·)$, and outputs a pair of messages $m_0$, $m_1$ of the same length.
• A random bit $b\in \{0,1\}$ is chosen, and then a ciphertext $c=Enc(k,m_b)$ is computed and given to A. c is called the challenge ciphertext.
• The adversary A continues to have oracle access to $Enc(k,·)$, and outputs a bit $b^{\prime }$.
• The output of the experiment is defined to be 1 if $b^{\prime }=b$, and 0 otherwise. In the case $S{E}_{A,\mathcal{E}}^{cpa}(\lambda )=1$, we say that A succeeded.

Definition 1.

A symmetric encryption scheme $\mathcal{E}=(Gen,Enc,Dec)$ is CPA-secure if for all PPT adversaries A there exists a negligible function $\mathbf{negl}$ such that

$$\begin{array}{c}\hfill Pr[S{E}_{A,\mathcal{E}}^{cpa}(\lambda )=1]\le \frac{1}{2}+\mathbf{negl}(\lambda ),\end{array}$$

where the probability is taken over the random coins used by A, as well as the random coins used in the CPA indistinguishability experiment.

For any adversary A and any value $\lambda$ for the security parameter, the computational Diffie-Hellman (CDH) experiment $CD{H}_{A,Setup}(\lambda )$ is defined as:

• Run $Setup(\lambda )$ to obtain output $(\mathbb{G},q,g)$, where $\mathbb{G}$ is a cyclic group of order q (with bit length $\lambda$) and g is a generator of $\mathbb{G}$.
• Randomly choose a, $b\in {\mathbb{Z}}_q$.
• A is given $\mathbb{G}$, q, g, $g^a$, $g^b$ and outputs $h\in \mathbb{G}$.
• The output of the experiment is defined to be 1 if $h=g^{ab}$, and 0 otherwise.

Definition 2.

The CDH problem is hard relative to $Setup$ if for all PPT adversaries A there exists a negligible function $\mathbf{negl}$ such that

$$\begin{array}{c}\hfill Pr[CD{H}_{A,Setup}(\lambda )=1]\le \mathbf{negl}(\lambda ).\end{array}$$

4. System Model

The searchable encryption scheme for personalized privacy protection mainly includes three entities, i.e., the data owner, the data user, and cloud server. The data owner outsources the encrypted file features to the cloud server. The data user queries the encrypted file features containing a specific keyword to the cloud server. The cloud server stores and retrieves the encrypted file features. As the existing searchable encryption schemes, in this paper, the data owner is considered fully trusted. The data user is considered malicious, which means it may attempt to learn more information than it can retrieve. The cloud server is considered honest but curious in the sense that it may try to learn as much information as possible from the stored encrypted data and correctly execute the searchable encryption protocol.

Given n files $F_i$, $1\le i\le n$, and a non-negative integer l, let $F_{il}$ denote the file feature of $F_i$ at level l. Specially, let $F_{i0}=F_i$, i.e., the file feature of $F_i$ at level 0 is still $F_i$.

Let $n_f+1$ denote the number of the file feature level (FFL). The data owner wishes to store the file features set $\mathcal{F}=\{F_{il}:1\le i\le n,0\le l\le n_f\}$ on the cloud server. The objectives of the data owner are as follows:

• For $1\le i\le n$, $0\le l\le n_f$, the file feature $F_{il}$ are stored on the cloud server such that the confidentiality of $F_{il}$ is preserved.
• The data user queries for a keyword w and an FFL l to retrieve all authorized file features $F_{il}$ such that $w\in F_{i{l}_0}$ for a given $l_0$ in a secure and efficient way.

4.1. Formal Definition

The searchable encryption scheme for meeting the personalized privacy needs consists of the following algorithms:

• $Setup(\lambda )$: This algorithm is run by the data owner. It takes the security parameter $\lambda$ as input, and outputs the global parameter $\mathsf{\Lambda }$.
• $KeyGen(\mathsf{\Lambda })$: This algorithm is run by the data owner and the data user, respectively. It takes the global parameter $\mathsf{\Lambda }$ as input, and outputs public/private key pairs $(p{k}_o,s{k}_o)$ and $(p{k}_u,s{k}_u)$ for the data owner and the data user, respectively.
• $Store(\mathcal{F},p{k}_u,s{k}_o)$: This algorithm is run by the data owner. It takes the file features set $\mathcal{F}$, the data user’s public key $p{k}_u$ and the data owner’s private key $s{k}_o$ as input, and outputs the encrypted file features set ${\mathcal{F}}^{\prime }$ and the encrypted index set $In{d}^{\prime }$.
• $Trapdoor(w,l,p{k}_o,s{k}_u)$: This algorithm is run by the data user. It takes a keyword w, an FFL l, the data owner’s public key $p{k}_o$, and the data user’s private key $s{k}_u$ as input, and outputs the trapdoor $T_{w,l}$.
• $Search({\mathcal{F}}^{\prime },In{d}^{\prime },T_{w,l})$: This algorithm is performed interactively between the cloud server and the data user. It takes the encrypted file features set ${\mathcal{F}}^{\prime }$, the encrypted index set $In{d}^{\prime }$, and the trapdoor $T_{w,l}$ as input, and outputs all authorization file features $F_{il}$ such that $w\in F_{i{l}_0}$ for a given $l_0$.

4.2. Security Definition

The searchable encryption scheme for meeting the personalized privacy needs must satisfy the index indistinguishability and the trapdoor indistinguishability under chosen keyword-FFL pair attack. As per literature [15], we define two challenge-response games $Gam{e}_I$ and $Gam{e}_T$ between the adversary A and the challenger C to show the index indistinguishability and the trapdoor indistinguishability under chosen keyword-FFL pair attack, respectively.

The adversary A plays $Gam{e}_I$ with the challenger C and attempts to distinguish an encrypted index of the given keyword-FFL pair from some encrypted indexes. If A wins $Gam{e}_I$, then A has obtained some useful information from some encrypted indexes.

  $Gam{e}_I$:

Setup: 

Challenger C runs $Setup(\lambda )$ and $KeyGen(\mathsf{\Lambda })$ to generate the global parameter $\mathsf{\Lambda }$ and the public/private key pairs $(p{k}_o,s{k}_o)$ and $(p{k}_u,s{k}_u)$ of the data owner and the data user respectively, and sends $\mathsf{\Lambda }$, $p{k}_o$ and $p{k}_u$ to A.

Adaptive query:

The adversary A makes the following queries to C:

-

The adversary A adaptively selects the keyword-FFL pair $(w,l)$ for the encrypted index query. C responds with $In{d}^{\prime }[w^{\prime }]$.

-

The adversary A adaptively selects the keyword-FFL pair $(w,l)$ for the trapdoor query. C responds with $T_{w,l}$.

Challenge: 

The adversary A sends two challenged keyword-FFL pairs $(w_0,l_0)$, $(w_1,l_1)$ to C. C picks a random number $b\in \{0,1\}$ and sends the encrypted index $In{d}^{\prime }[w_b^{\prime }]$ of the keyword-FFL pair $(w_b,l_b)$ to A.

Guess: 

The adversary A outputs $b^{\prime }\in \{0,1\}$ and wins the game if $b^{\prime }=b$.

Definition 3.

We say the searchable encryption scheme for meeting the personalized privacy needs satisfies the index indistinguishability under chosen keyword-FFL pair attack if for all PPT adversaries A there exists a negligible function $\mathbf{negl}$ such that

$$Pr[AwinsGam{e}_I]\le \frac{1}{2}+\mathbf{negl}(\lambda ).$$

Adversary A plays $Gam{e}_T$ with challenger C and attempts to distinguish a trapdoor of the given keyword-FFL pair from some trapdoors. If A wins $Gam{e}_T$, then A has obtained some useful information from some trapdoors.

  $Gam{e}_T$:

Setup: 

C runs $Setup(\lambda )$ and $KeyGen(\lambda )$ to generate the global parameter $\mathsf{\Lambda }$ and the public/private key pairs $(p{k}_o,s{k}_o)$ and $(p{k}_u,s{k}_u)$ of the data owner and the data user respectively, and sends $\mathsf{\Lambda }$, $p{k}_o$ and $p{k}_u$ to A.

Adaptive query:

A makes the following queries to C:

-

Adversary A adaptively selects the keyword-FFL pair $(w,l)$ for the encrypted index query. C responds with $In{d}^{\prime }[w^{\prime }]$.

-

Adversary A adaptively selects the keyword-FFL pair $(w,l)$ for the trapdoor query. C responds with $T_{w,l}$.

Challenge: 

Adversary A sends two challenged keyword-FFL pairs $(w_0,l_0)$, $(w_1,l_1)$ to C. C picks a random number $b\in \{0,1\}$ and sends the trapdoor $T_{w_b,l_b}$ of the keyword-FFL pair $(w_b,l_b)$ to A.

Guess: 

Adversary A outputs $b^{\prime }\in \{0,1\}$ and wins the game if $b^{\prime }=b$.

Definition 4.

We say the searchable encryption scheme for meeting the personalized privacy needs satisfies the trapdoor indistinguishability under chosen keyword-FFL pair attack if for all PPT adversaries A there exists a negligible function $\mathbf{negl}$ such that

$$Pr[AwinsGam{e}_T]\le \frac{1}{2}+\mathbf{negl}(\lambda ).$$

5. Proposed Scheme

In this section, we present our proposed searchable encryption scheme for meeting the personalized privacy needs. It consists of the following algorithms.

$Setup(\lambda )$ is run by the data owner. It takes the security parameter $\lambda$ as input, and performs the following:

• Choose a cyclic group $\mathbb{G}$ of prime order q and a generator g of $\mathbb{G}$.
• Choose a symmetric encryption scheme $\mathcal{E}=(Gen,Enc,Dec)$.
• Choose two collision-resistant hash functions $H_1:\mathbb{G}\to {\{0,1\}}^{\lambda }$ and $H_2:{\{0,1\}}^{\ast }\to {\{0,1\}}^{\lambda }$.
• Set the global parameter $\mathsf{\Lambda }=(\mathbb{G},q,g,\mathcal{E},H_1,H_2)$.

$KeyGen(\mathsf{\Lambda })$ is run by the data owner and the data user, respectively. It takes the global parameter $\mathsf{\Lambda }$ as input, and performs the following:

• Randomly select two elements $k_o$ and $k_u$ in ${\mathbb{Z}}_q$ as the private keys of the data owner and the data user, respectively.
• Compute $g^{k_o}$ and $g^{k_u}$ in $\mathbb{G}$ as the public keys of the data owner and the data user, respectively.

$Store(\mathcal{F},p{k}_u,s{k}_o)$ is run by the data owner. It takes the file features set $\mathcal{F}$, the data user’s public key $p{k}_u=g^{k_u}$ and the data owner’s private key $s{k}_o=k_o$ as input, and performs the following:

• Compute $k_1=H_1({(g^{k_u})}^{k_o})$.
• For $1\le i\le n$, $0\le l\le n_f$, randomly select $i{d}_{il}\in {\{0,1\}}^{\lambda }$ as the identifier of $F_{il}$, run algorithm $Gen(\lambda )$ to generate the encryption key $e{k}_{il}$ of $F_{il}$, and compute $i{d}_{il}^{\prime }=Enc(k_1,i{d}_{il})$, $e{k}_{il}^{\prime }=Enc(k_1,e{k}_{il})$, $F_{il}^{\prime }=Enc(e{k}_{il},F_{il})$.
• Create the index table ${\mathcal{F}}^{\prime }$ such that ${\mathcal{F}}^{\prime }[i{d}_{il}]=F_{il}^{\prime }$ for every $1\le i\le n$ and $0\le l\le n_f$.
• Given an FFL $l_0$, create the keyword set $W_{l_0}$ of the file features set $\{F_{i{l}_0}:1\le i\le n\}$.
• For $w\in W_{l_0}$, compute $w^{\prime }=Enc(k_1,H_2(w))$.
• For $0\le l\le n_f$, compute $l^{\prime }=Enc(k_1,H_2(l))$.
• For $1\le i\le n$, construct the set $L_i$ of the authorized FFL of the file $F_i$. In other words, $l\in L_i$ implies the date user has authorization to access the file feature $F_{il}$.
• Create the index table $In{d}^{\prime }$ such that $In{d}^{\prime }[w^{\prime }]=\{(i{d}_{il}^{\prime },e{k}_{il}^{\prime },l^{\prime }):w\in F_{i{l}_0},l\in L_i,1\le i\le n\}$ for every $w\in W_{l_0}$.
• Send ${\mathcal{F}}^{\prime }$ and $In{d}^{\prime }$ to the cloud server.

$Trapdoor(w,l,p{k}_o,s{k}_u)$ is run by the data user. It takes a keyword w, an FFL l, the data owner’s public key $p{k}_o=g^{k_o}$ and the data user’s private key $s{k}_u=k_u$ as input, and performs the following:

• Compute $k_2=H_1({(g^{k_u})}^{k_o})$.
• Compute $T_{w,l}=Enc(k_2,H_2(w)),Enc(k_2,H_2(l))$.

$Search({\mathcal{F}}^{\prime },In{d}^{\prime },T_{w,l})$ is performed interactively between the cloud server and the data user. It takes the encrypted file features set ${\mathcal{F}}^{\prime }$, the encrypted index set $In{d}^{\prime }$ and the trapdoor $T_{w,l}$ as input, and performs the following:

• The cloud server: Given $T_{w,l}=(T_1,T_2)$, search $In{d}^{\prime }[T_1]$ to obtain the set $\mathcal{S}=\{(s_1,s_2,s_3)\in In{d}^{\prime }[T_1]:s_3=T_2\}$ and send $\mathcal{S}$ to the data user.
• The data user: Given $\mathcal{S}$, create two index tables $S_1$ and $S_2$ such that $S_1[r_s]=Dec(k_2,s_1)$, $S_2[r_s]=Dec(k_2,s_2)$ for every $s=(s_1,s_2,s_3)\in \mathcal{S}$, where $k_2=H_1({(g^{k_u})}^{k_o})$ and $r_s$ ($s\in \mathcal{S}$) are randomly selected in ${\{0,1\}}^{\lambda }$. Send ${\mathcal{S}}_1$ to the cloud server and store ${\mathcal{S}}_2$.
• The cloud server: Given ${\mathcal{S}}_1$, create the index table $\mathcal{R}$ such that $\mathcal{R}[r_s]={\mathcal{F}}^{\prime }[{\mathcal{S}}_1[r_s]]$ for every $key$ $r_s$ in ${\mathcal{S}}_1$ and send $\mathcal{R}$ to the data user.
• The data user: Given ${\mathcal{S}}_2$ and $\mathcal{R}$, compute $Dec({\mathcal{S}}_2[r_s],\mathcal{R}[r_s])$ for every $key$ $r_s$ in ${\mathcal{S}}_2$.

Remark 1.

Please note that $k_1=H_1({(g^{k_u})}^{k_o})=H_1({(g^{k_u})}^{k_o})=k_2$, then $T_1=w^{\prime }$, $T_2=l^{\prime }$. Thus, $s_1=i{d}_{il}^{\prime }$, $s_2=e{k}_{il}^{\prime }$, ${\mathcal{S}}_1[r_s]=i{d}_{il}$, ${\mathcal{S}}_2[r_s]=e{k}_{il}$, $\mathcal{R}[r_s]={\mathcal{F}}^{\prime }[{\mathcal{S}}_1[r_s]]=F_{il}^{\prime }$ for every $s=(s_1,s_2,s_3)\in \mathcal{S}$, where $w\in F_{i{l}_0}$, $l\in L_i$, $1\le i\le n$. Therefore, our proposed scheme is correct.

Given an FFL $l_0$, creating the keyword set $W_{l_0}$ of the file features subset $\{F_{i{l}_0}:1\le i\le n\}$ means that $F_{i{l}_0}$, $1\le i\le n$ must be text. Thus, our proposed scheme works for all file types including text, audio, image, video, etc. as long as there exists an FFL $l_0$ such that the file feature of the file at $l_0$ is text.

If the authorized FFL set of the ordinal file is only created by the data owner, then the data user cannot access to the unauthorized file features, thus our proposed scheme meets the different privacy needs of different individuals.

Our proposed scheme can be extended to the multi-user scenario. Let $n_o$ and $n_u$ be the number of the data owners and the data users, respectively. In the multi-user scenario, the public/private key pairs are first generated for every data owner and the data user; the file features stored on the cloud server is an $n_o$-ary vector, where the i-th element is the encrypted file features set of the i-th data owner; the index stored on the cloud server is an $n_o\times n_u$ matrix, where the i-th row and j-th column element is the encrypted index set that the i-th data owner created for the j-th data user.

It is obvious that our proposed scheme needs increasing storage space when $n_f$ is getting bigger. In particular, our proposed scheme has similar storage space to the existing searchable encryption schemes when $n_f=0$.

6. Security Analysis

In this section, we show that our proposed scheme satisfies the index indistinguishability and the trapdoor indistinguishability under chosen keyword-FFL pair attack.

Theorem 1.

If $\mathcal{E}=(Gen,Enc,Dec)$ is CPA-Secure and the CDH problem is hard relative to $Setup$, then our proposed scheme satisfies the index indistinguishability under chosen keyword-FFL pair attack.

Proof. 

If there exists a PPT, and adversary A wins $Gam{e}_I$, then there exists a simulator B such that $S{E}_{B,\mathcal{E}}^{cpa}(\lambda )=1$ or $CD{H}_{B,Setup}^{cpa}(\lambda )=1$.

In the setup phase, C runs $Setup(\lambda )$ and $KeyGen(\mathsf{\Lambda })$ to generate the global parameter $\mathsf{\Lambda }=(\mathbb{G},q,g,\mathcal{E},H_1,H_2)$, and the public/private key pairs $(p{k}_o=g^{k_o},s{k}_o=k_o)$ and $(p{k}_u=g^{k_u},s{k}_u=k_u)$ of the data owner and the data user respectively. Then, C sends $\mathsf{\Lambda }$, $p{k}_o=g^{k_o}$ and $p{k}_u=g^{k_u}$ to A.

In the adaptive query phase, assume A makes $n_q-1$ queries to C adaptively. The q-th query can be:

-

A adaptively selects the keyword-FFL pair $(w_q,l_q)$ for the encrypted index query. C responds with $In{d}^{\prime }[w_q^{\prime }]=\{(i{d}_{i{l}_q}^{\prime },e{k}_{i{l}_q}^{\prime },l_q^{\prime }):w_q\in D_i,l_q\in L_i,1\le i\le n\}$, where $L_i$ is the authorized FFL set of $F_i$, $i{d}_{i{l}_q}^{\prime }=Enc(k_1,i{d}_{i{l}_q})$, $e{k}_{i{l}_q}^{\prime }=Enc(k_1,e{k}_{i{l}_q})$, $l_q^{\prime }=Enc(k_1,H_2(l_q))$, $k_1=H_1({(g^{k_o})}^{k_u})$.

-

A adaptively selects the keyword-FFL pair $(w_q,l_q)$ for the trapdoor query. C responds with $T_{w_q,l_q}=(Enc(k_2,H_2(w_q)),Enc(k_2,H_2(l_q))$, where $k_2=H_1({(g^{k_u})}^{k_o})$.

In the challenge phase, A sends two challenged keyword-FFL pairs $(w_0,l_0)$, $(w_1,l_1)$ to C. C picks a random number $b\in \{0,1\}$ and sends the encrypted index $In{d}^{\prime }[w_b]=\{(i{d}_{i{l}_b}^{\prime },e{k}_{i{l}_b}^{\prime },l_b):w_b\in D_i,l_b\in L_i,1\le i\le n\}$ of the keyword-FFL pair $(w_b,l_b)$ to A, where $i{d}_{i{l}_b}^{\prime }=Enc(k_1,i{d}_{i{l}_b})$, $e{k}_{i{l}_b}^{\prime }=Enc(k_1,e{k}_{i{l}_b})$, $l_b^{\prime }=Enc(k_1,H_2(l_b))$ and $k_2=H_1({(g^{k_1})}^{k_u})$.

In the guess phase, A outputs its guess $b_1\in \{0,1\}$ indicating whether the challenge $In{d}^{\prime }[w_b]$ is the encrypted index of $(w_0,l_0)$ or $(w_1,l_1)$.

From the perspective of A, $i{d}_{i{l}_q}^{\prime }=Enc(k_1,i{d}_{i{l}_q})$ and $e{k}_{i{l}_q}^{\prime }=Enc(k_1,e{k}_{i{l}_q})$ are random values in ${\{0,1\}}^{\lambda }$ for every $1\le i\le n$ and $2\le q\le n_q$. Please note that $k_1=H_1({(g^{k_u})}^{k_o})=H_1({(g^{k_o})}^{k_u})=k_2$. Then the information obtained by the adversary A in $Gam{e}_I$ was the same as the information obtained by a simulator B in the CPA indistinguishability experiment $S{E}_{A,\mathcal{E}}^{cpa}(\lambda )$ and in the CDH experiment $CD{H}_{A,Setup}(\lambda )$. Thus, if A wins $Gam{e}_I$ then $S{E}_{B,\mathcal{E}}^{cpa}(\lambda )=1$ or $CD{H}_{B,Setup}(\lambda )=1$, i.e.,

$$\begin{array}{ccc}\hfill Pr[\mathrm{A}\mathrm{wins}Gam{e}_I]& \le & S{E}_{B,\mathcal{E}}^{cpa}(\lambda )+CD{H}_{B,setup}(\lambda )\hfill \\ & \le & \frac{1}{2}+\mathbf{negl}(\lambda ).\hfill \end{array}$$

Therefore, our proposed scheme satisfies the index indistinguishability under chosen keyword-FFL pair attack if $\mathcal{E}=(Gen,Enc,Dec)$ is CPA-Secure and the CDH problem is hard relative to $Setup$. □

Similarly, we can prove the following theorem:

Theorem 2.

If $\mathcal{E}=(Gen,Enc,Dec)$ is CPA-Secure and the CDH problem is hard relative to $Setup$, then our proposed scheme satisfies the trapdoor indistinguishability under chosen keyword-FFL pair attack.

7. Performance Analysis

As shown in

Table 3. Computation cost: a comprehensive comparison.

Scheme	Computation
	Storage Phase	Trapdoor Phase	Search Phase
Boneh et al. [7]	$T_{bp}+2T_h+2T_{exp}$	$T_h+T_{exp}$	$T_{bp}+T_h$
Rhee et al. [24]	$T_{bp}+2T_h+2T_{exp}$	$2T_h+3T_{exp}$	$T_{bp}+2T_h+2T_{exp}+T_{mul}$
Xu et al. [26]	$2T_{bp}+4T_h+4T_{exp}$	$2T_h+2T_{exp}$	$2T_{bp}+2T_h$
Chen et al. [28]	$T_h+4T_{exp}+2T_{mul}$	$T_h+4T_{exp}+2T_{mul}$	$7T_{exp}+3T_{mul}$
Our scheme	$T_{exp}+3T_h+5T_{enc}$	$T_{exp}+3T_h+2T_{enc}$	$T_{exp}+T_h+2T_{dec}$

, we present a comprehensive comparison of the computation cost between our proposed scheme and some existing searchable encryption schemes. The notations used in Table 3 are as follows:

• $T_{bp}$: Time cost for a bilinear pairing.
• $T_h$: Time cost for a hash function.
• $T_{exp}$: Time cost for an exponentiation operation in $\mathbb{G}$.
• $T_{mul}$: Time cost for a multiplication operation in $\mathbb{G}$.
• $T_{enc}$: Time cost for an encryption process of $\mathcal{E}$.
• $T_{dec}$: Time cost for a decryption process of $\mathcal{E}$.

To meet the basic security level for comparison, SHA-256 and AES-256 is selected as the collision-resistant hash function and the symmetric encryption scheme, respectively. The cyclic group $\mathbb{G}$ of order q is generated by a point on an elliptic curve $E(F_p)$, where q and p are the 256-bits and 521-bits prime numbers, respectively. To evaluate the efficiency of the five schemes, we perform our experiments on a computer with 2.4 GHz Intel Core i7 and 8 GB RAM.

As shown in Figure 1, Figure 2 and Figure 3, our proposed scheme is the most efficient in storage phase and search phase. In trapdoor phase, our proposed scheme has a higher computational cost than that of Boneh et al. [7], although it is still lower than other schemes. In summary, the performance of our proposed scheme is more efficient than four schemes studied in [7,24,26,28].

8. Conclusions

In this paper, we have proposed a searchable encryption scheme for meeting personalized privacy needs. Our proposed scheme mainly includes three entities, i.e., the data owner, the data user, and cloud server. The data owner outsources the encrypted file features to the cloud server. The data user queries the encrypted file features containing a specific keyword to the cloud server. The cloud server stores and retrieves the encrypted file features. Compared with the existing searchable encryption schemes, our proposed scheme works for all file types including text, audio, image, video, etc., and meets different privacy needs of different individuals at the expense of high storage cost. We also show that our proposed scheme satisfies index indistinguishability and trapdoor indistinguishability under chosen keyword-FFL pair attack. In other words, our proposed scheme is secure against inside KGA. Performance analysis shows that our proposed scheme is efficient in storage phase, trapdoor phase, and search phase.

Considering the decreasing costs of storage, storage cost is not a problem if $n_f+1$, i.e., the number of the FFL is small in our proposed scheme. However, storage cost is still a problem if $n_f$ is too large in our proposed scheme. Thus, choosing an appropriate $n_f$ is an important work in the future.