Towards Secure Data Retrieval for Multi-Tenant Architecture Using Attribute-Based Key Word Search

Searchable encryption mechanism and attribute-based encryption (ABE) are two effective tools for providing fine-grained data access control in the cloud. Researchers have also taken their advantages to present searchable encryption schemes based on ABE and have achieved significant results. However, most of the existing key word search schemes based on ABE lack the properties of key exposure protection and highly efficient key updating when key leakage happens. To better tackle these problems, we present a key insulated attribute-based data retrieval scheme with key word search (KI-ABDR-KS) for multi-tenant architecture. In our scheme, a data owner can make a self-centric access policy of the encrypted data. Only when the possessing attributes match with the policy can a receiver generate a valid trapdoor and search the ciphertext. The proposed KI-ABDR-KS also provides full security protection when key exposure happens, which can minimize the damage brought by key exposure. Furthermore, the system public parameters remain unchanged during the process of key updating; this will reduce the considerable overheads brought by parameters synchronization. Finally, our KI-ABDR-KS is proven to be secure under chosen-keyword attack and achieves better efficiency compared to existing works.


Introduction
With the rapid development of computer science and telecommunication, users can now enjoy various services via the Internet such as online shopping, remote medical monitoring, etc.These services produce massive data, which may contain a great amount of sensitive data like cellphone numbers, accommodation addresses, etc.Thus, the confidentiality of these data should be highly protected [1].Encryption is a promising method to provide security protection for these sensitive data.Through encryption, these data are transformed into ciphertexts and stored securely in data clusters.However, traditional encryption techniques will prevent some common operations on ciphertexts-especially in terms of searching.For instance, a data owner wants to share some important data with some receivers in the multi-tenant data center, but data receivers do not know the exact location where these data have been stored.Since these data have been transferred into ciphertexts, it is inconvenient for them to search these encrypted data and determine the exact file they want.Thus, how to enable data owners to encrypt their data and make them searchable is a challenging and practical problem.The key word search mechanism is a promising tool to satisfy this demand.A keyword search protocol usually involves the participation of three parties: uploader, storage server, and receiver.The interaction process of a keyword search usually involves three steps: Firstly, the uploader generates the search index for the corresponding keywords and uploads them with the ciphertexts to the storage server.
Secondly, the receiver computes the trapdoor for the desired keywords and sends the trapdoor to the storage server.
Thirdly, the storage server checks if the trapdoor generated by the receiver corresponds with the search index.The ciphertexts are returned to the receiver on the condition that the trapdoor and the search index are matched.
The first keyword search scheme based on PKC (Public Key Cryptography) was presented by Boneh et al. [2] in 2004.Afterwards, many studies [3][4][5] have been presented to provide better performances, higher security level, and more advanced functions.Aside from these properties, fine-grained access managements are also important because an uploader can take this advantage to make self-centric access policies on their private data [6][7][8][9].To better satisfy this demand, Sahai et al. presented attribute-based encryption (ABE) [10][11][12] which efficiently brings flexible access control.Researchers have also taken the advantages of ABE [13,14] and keyword search to present attribute-based keyword search schemes [15][16][17][18].Until now, several schemes have achieved keyword search based on ABE, but the performance can still be further optimized.To begin with, although the proposed scheme can provide flexible revocation, they cannot minimize the damage when key exposure occurs.In multi-tenant architecture environments, the number of users is very large and key exposure seems inevitable.If key leakage happens, the confidentiality of the whole system will no longer exist.Further, in most of the existing schemes, there exist additional transmission overheads of key updating.Consequently, an attribute-based keyword search with key exposure protection mechanism and efficient key refreshing [8] urgently needs to be proposed.
In this paper, we aim to tackle the above problems and present a key insulated attribute-based data retrieval with key word search (KI-ABDR-KS) scheme for multi-tenant architecture.We achieve flexible self-centric search management by utilizing a CP-ABE (Ciphertext Policy Attribute Based Encryption) [12] mechanism.The data owner generates the index for ciphertext using a self-centric access policy, indicating what kinds of receivers are given the privileges to gain access to these encrypted data.The receiver generates the trapdoor for the desired keyword using the private key she owns [19,20].The cloud server checks if the trapdoor generated by receiver corresponds with the search index.The ciphertexts are returned to the receiver on the condition that the trapdoor and the search index are matched.A key insulation mechanism [21] is introduced to guarantee full security if key leakage occurs and helps to realize highly efficient key updating [22].
The detailed contributions established in the article are as follows: (1) We present a novel keyword search based on ABE with key exposure protection.In our scheme, a data owner can make self-centric access policy of the encrypted data.Only if the possessing attributes match with the policy can a receiver generate a valid trapdoor and search the ciphertext.(2) The proposed scheme provides secure key exposure protection as well as both backward and forward security.(3) In our scheme, the system lifespan is split up into several time periods.The public parameters of the cryptosystem remain unvaried during the whole lifespan, and users' private keys are refreshed termly.When key leakage occurs, a user's private keys shall be updated in a timely fashion to minimize the damage brought by key exposure.(4) Our scheme achieves keyword semantic security under chosen keyword attack.Meanwhile, it is shown to be superior in terms of computation efficiency compared to existing works.

Attribute-Based Cryptosystem
In a classical PKC mechanism, a user is given the right to make secure data shared with others in a private way based on their identities.However, it is not fully practical when data sharing is conducted via a more expressive access policy.In some scenarios (e.g., cloud computing), the amount of users and private data may be enormous.Assuming that a data owner wants to share some sensitive data with certain users using traditional encryption methods, she may run encrypt algorithms many times, since each user's public key is unique and the encryption is inefficient.
ABE is a cryptographic notion supporting flexible data access control, and is equipped with many advantages.In ABE, the concept of "access policy" is introduced; only if the user's attributes suit with the policy can she complete decryption.A file owner may set a data-centric access policy without concern about the specific identity of each user in the system (note that the amount of users in the system may be very large).Consequently, ABE is a more effective tool for data protection in large data outsource platforms.Existing literatures related to ABE have achieved many results in terms of fine-grained access control [7,13], revocation [6], key abuse protection [9], etc.Researchers have also implemented ABE in several practical scenarios such as wireless communications, cloud computing [14], etc.

Attribute-Based Keyword Search
Attribute-based keyword search (ABKS) combines the advantages of ABE and searchable encryption and has been given attention from researchers all over the world.Han et al. in [15] proposed an attribute-based searchable encryption with key policy.Their scheme achieves flexible access control on the search indexes of ciphertext.However, the proposed scheme directly sends the users' private keys to the file server as the trapdoor.This results in key exposure to the file server.If the server becomes dishonest or is being attacked, all of the legal private keys will be obtained by the attackers, which will bring huge damage to the whole cryptosystem.Yang in [16] designed a keyword search scheme based on ABE and applied it to an electronic health system.The proposed scheme supports fine-grained authorization and flexible revocation in the semi-trusted cloud server.However, the scheme generates a unique additional key pair for each user in the system.The generation of a search index also involves the public key of each user; this will bring a considerable computation burden when the amount of users is large.Sun et al. in [17] presented a novel searchable encryption for cloud computing based on CP-ABE.Their scheme provides self-centric search authorization as well as authenticity check over the encrypted data.The proposed scheme also achieves selective confidentiality under chosen keyword attack and secure revocation.Zheng et al. in [18] proposed a verifiable keyword search scheme.Their scheme permits users with promising credentials to search the ciphertext using the generated trapdoor.Their scheme can also distinguish if a server has honestly carried out the tasks which are sent by users.Miao et al. in [23] applied ABKS to modern medical systems and demonstrated the high efficiency and security of their scheme.Zhou et al. in [24] presented a novel type of ABKS which supports both online and offline decryption; thus, it was equipped with better flexibility.Wang et al. in [25] did some path breaking work in terms of introducing the attribute and keywords vector to optimize the decryption efficiency.Dong et al. in [26] proposed a lightweight ABKS scheme, the application of which is very appropriate to networks with constrained computation resources (e.g., mobile networks).Li et al. in [27] tackled the search authorization issue in the cloud and designed a secure ABKS scheme which not only achieves trapdoor unlinkability and confidentiality, but also resists collusion attack.Vahid et al. in [28] combined attribute-based cryptography with fuzzy search token techniques and presented a novel ABKS scheme.They also proved it to be secure under keyword guessing attack.
The existing works mentioned above have achieved significant progress in attribute-based cryptosystems and keyword search mechanisms.However, these schemes lack the security protection mechanism when key exposure happens.In a large data outsourcing system with multiple users, key exposure seems unavoidable.Once it is leaked, any user obtaining the private key can generate a legal trapdoor and the confidentiality of the whole system will no longer exist.Thus, it is essential to carryout key exposure protection for attribute-based keyword search schemes.

Framework of KI-ABDR-KS
The system framework of our scheme is illustrated in Figure 1.It contains four entities: attribute authority (AA), multi-tenant server, data owner, and data receiver.AA manages universal attributes and distributes users' private keys.It is also responsible for updating users' temporal private keys when the cryptosystem enters into a new time period.The data owner generates a secure index for each ciphertext using a self-centric policy, while the data receiver generates a trapdoor for the required ciphertext according to the desired keywords.The multi-tenant server provides secure storage services for the encrypted data and responses to receivers' requests if the trapdoors are valid.
Symmetry 2017, 9, 89 4 of 10 The system framework of our scheme is illustrated in Figure 1.It contains four entities: attribute authority (AA), multi-tenant server, data owner, and data receiver.AA manages universal attributes and distributes users' private keys.It is also responsible for updating users' temporal private keys when the cryptosystem enters into a new time period.The data owner generates a secure index for each ciphertext using a self-centric policy, while the data receiver generates a trapdoor for the required ciphertext according to the desired keywords.The multi-tenant server provides secure storage services for the encrypted data and responses to receivers' requests if the trapdoors are valid.

Formulized Definitions of KI-ABDR-KS
In this section, we will give the interactions between entitites illustrated in Figure 1 and the formulized definitions of the algorithms.The proposed scheme contains seven algorithms, as below: : This algorithm is run by AA.It takes a security number as input and outputs system public parameters as well as master keys.
: This algorithm is run by AA.It takes system parameters, the initial time period, and the attribute set a user owns as input; it outputs the master key of key helper and the initial private key for a user.
: This algorithm is run by AA.It takes system parameters and the newest time period as input.It outputs the key updating component for a user.
: This algorithm is run by the users.It takes the temporal private key of the previous period and key updating component as input, and it outputs the temporal private key at the latest version.
ℎ  : This algorithm is run by the data owner.It takes system parameters, an access structure, and key words as input; it outputs an index for a ciphertext.
: This algorithm is run by the users.It takes users' private keys and key word as input; it outputs a trapdoor.
: This algorithm is run by the server.It takes users' trapdoor as input and outputs the corresponding ciphertext.

Formulized Definitions of KI-ABDR-KS
In this section, we will give the interactions between entitites illustrated in Figure 1 and the formulized definitions of the algorithms.The proposed scheme contains seven algorithms, as below: Setup: This algorithm is run by AA.It takes a security number as input and outputs system public parameters as well as master keys.
Key generation: This algorithm is run by AA.It takes system parameters, the initial time period, and the attribute set a user owns as input; it outputs the master key of key helper and the initial private key for a user.
Key update: This algorithm is run by AA.It takes system parameters and the newest time period as input.It outputs the key updating component for a user.
User update: This algorithm is run by the users.It takes the temporal private key of the previous period and key updating component as input, and it outputs the temporal private key at the latest version.
Search index generation : This algorithm is run by the data owner.It takes system parameters, an access structure, and key words as input; it outputs an index for a ciphertext.
Trapdoor : This algorithm is run by the users.It takes users' private keys and key word as input; it outputs a trapdoor.
Test : algorithm is run by the server.It takes users' trapdoor as input and outputs the corresponding ciphertext.

Security Requirements
(1) Keyword semantic security: This security property guarantees that an Adversary cannot obtain the ciphertext without the valid trapdoor.In this paper, the requirement of key semantic security can be proved by a game described as follows: Step 1 Setup : Challenger runs Setup to obtain the related parameters in the game.
Adversary claims an access structure γ ic and {A ic } is the attribute set involved.
Step 2 Trapdoor queries : Trapdoor queries : query: Challenger can obtain the trapdoor of several keywords for attribute set S by running Trapdoor algorithm and sends the results back to Adversary.Note that |S ∩ {A ic }| < thr x .
Note that the trapdoor queries contain the implication of private key generation query.
Step 3 Challenge : At the current time period TP n , Adversary picks w 0 and w 1 , which have not been queried before.Challenger picks σ ∈ {0, 1} and runs Search index generation algorithm to obtain SI σ .
Adversary outputs σ * as a guess of σ.If σ * = σ, then Adversary wins the game.The advantage of Adversary can be denoted by (2) Backward and forward security: This security property guarantees the system's security and confidentiality when key exposure happens.

Concrete Constructions
In this section, we will provide the concrete algorithms from the system level viewpoint.These algorithms are the concrete and detailed expansions of the formulized definitions in Section 3.2 based on the above defined algorithms.Setup : Define two p order groups G 1 , G 2 .Let ê : G 1 × G 1 → G 2 be a bilinear pairing and g is a generator of G 1 .Define a global attribute set {A i }.Define hash functions: H 1 : {0, 1} * → G 1 , H 2 : {0, 1} * → Z p .AA randomly chooses secret numbers y, h ∈ Z * p and computes Y = ê(g, g) y , g h .The system masker keys are {g y , h} while system public parameters are Key generation : At the initial time period l 0 , for a user possessing attribute set {A i }, AA picks r ∈ Z * p and calculates D 1 = g y−r h , D i,0 = g r H 1 (A i , l 0 ) h .The initial private key of a user is denoted by {D 1 , D i,0 }.Note that D 1 remains unchanged throughout the whole system lifetime, while D i,m updates when system enters a new time period.
Key update : When the system arrives in a new period from l m to l m+1 , AA computes the key and sends the result to the user.Then, a user updates her temporal private key by calculating Search index generation : Data owner picks s ∈ Z * p and chooses a polynomial q x for each node x in the access control structure γ.Let the threshold value of the node be one more than the degree of q x .For the root node, the data owner sets q root (0) = s.For others, let q x (0) = q parent(x) index(x).Denote {i} to be the leaf nodes in γ, then the search index SI is constructed as: Trapdoor : For the desired keyword the data receiver picks a random number x ∈ Z * p and calculates the trapdoor TR as Equation (2): Then, the data receiver sends TR = {TR 1 , TR 2,i } to the cloud server.
Test : The cloud server tests: If Equation ( 3) is set up, the cloud server sends the corresponding ciphertext to the data receiver.

Keyword Semantic Security
Before giving our proof, we first give the hardness assumption [17] that our scheme relies on: Decision bilinear Diffie-Hellman assumption (DBDH): Picks random numbers a, b, c, z ∈ Z * q , assuming that the value of (g, g a , g b , g c , z) are given, no probabilistic polynomial-time algorithm can distinguish the tuples (A = g a , B = g b , C = g c , ê(g, g) abc ) and (A = g a , B = g b , C = g c , ê(g, g) z ) with a non-negligible probability.
Theorem 1.Our KI-ABDR-KS is keyword semantic secure if the DBDH hardness assumption holds.
Proof.If our scheme can be broken by an Adversary with advantage of ε, then a simulator can be constructed to break the DBDH hardness assumption with an advantage of ε 2 .The challenge game is described as follows: Setup : Let G 1 and G 2 be two cyclic groups with prime order p. Denote g as the generator of G 1 .Let ê : G 1 × G 1 → G 2 be a bilinear pairing.Define a global attribute set {A i }.Define hash functions p and sets: The aim of the simulator is to guess the value of σ.
Adversary claims a challenging access structure γ (containing attribute set S) and plays the game on it.
Trapdoor queries : When Adversary makes a trapdoor query for keyword w q on attribute set A q , the simulator responds as follows: Simulator picks r, u ∈ Z * p , sets: Then, the trapdoor is constructed as: Note that the trapdoor queries contain the implication of private key generation query.
Let g s = g c , so we have: Adversary outputs a value σ * .If σ * = σ, Adversary wins the game.
Next, we will analyze the simulator's advantage in distinguishing the tuples in DBDH assumption.
If σ = 1, E is an invalid search index and Adversary guesses randomly, If σ = 0, E is a valid index.According to the definition, Adversary has an advantage ε.
From what has been discussed, the simulator's advantage can be denoted by:

Users' Privacy and Trapdoor Unlinkability
In our scheme, the users' privacy can be highly protected.According to the Trapdoor algorithm in our KI-ABDR-KS, a secret component x is embedded into the trapdoor.Thus, the service provider cannot obtain any sensitive information of the private key.Besides, since the secret component x is chosen by different users random, it is computationally infeasible for cloud severs to distinguish different trapdoors containing the same key words, which meets the security demand of trapdoor unlinkability.

Forward and Backward Security
Our scheme can provide protection when key exposure happens.When key exposure happens at period l m−1 , the system can still maintain its security by updating users' temporal private keys to l m version.A user's private key leakage during l m will not harm the security in the rest time periods.Our scheme also supports random access key updating, since attribute authority is capable of updating users' temporal private keys from any previous time periods (denote these time periods by l f ) to the last version in just one step by calculating

Efficient Key Updating with Constant Size of Parameters
The process of key updating in the proposed KI-ABDR-KS is very efficient because when a new time period arrives, only partial key components have to be refreshed.According to the Key update algorithm, the calculation of key updating component UP m only takes one exponentiation.More importantly, though users' private keys are updated periodically, the system public parameters remain the same throughout the whole lifetime.This will reduce the considerable computation cost which parameter synchronization brings about.

Performance Evaluation
We compare our scheme with schemes in [17,23,28], which also implement attribute-based cryptosystem to achieve flexible key word search.The comparison is conducted with regard to the computation cost of each algorithm.Denote "Pair", "Exp" to be the bilinear pairing and exponential operations, respectively, and "n" is the amount of attributes involved.The results are listed in Table 1.From comparison, it can be seen that efficiency of Setup, Key generation, Trapdoor, and Key update are higher in our scheme.The Test algorithm takes more exponential operations in our scheme, but it is run by the cloud server which has large computation capacity.Thus, this will not add a computation burden on the user side.In the scheme found in Reference [17], the access structure only supports AND gate, but our scheme provides a more flexible access structure which supports AND along with OR gate; thus, the Search Index generation algorithm in our scheme takes more exponential operations.Furthermore, unlike [23,28], our scheme is equipped with the function of highly efficient key updating.The system public parameters remain constant regardless of the number of attributes in the system and do not need to be changed during the process of key updating; this will reduce the considerable overheads brought by parameters synchronization.Consequently, our scheme has a better performance from the prospective of the overall efficiency.

Conclusions
this paper, we propose a novel key insulated attribute-based data retrieval with keyword search mechanism.The proposed scheme can provide self-centric search indexes for the encrypted data.The proposed scheme also provides secure key exposure protection and full security when key exposure happens.By performance analysis, our scheme is of high-level security and is superior with respect to computation efficiency.

Table 1 .
Comparison results.KI-ABDR-KS: key insulated attribute-based data retrieval with key word search.