A Secure Key Aggregate Searchable Encryption with Multi Delegation in Cloud Data Sharing Service

Abstract: As the amount of data generated in various distributed environments rapidly increases, cloud servers and cloud computing technologies are attracting considerable attention. However, cloud servers raise privacy issues, since the stored data include personal information, and data sharing through them requires the help of a Trusted Third Party (TTP). Because the amount and value of the generated data keep increasing, the data owner who produces the data should become the subject of data sharing. In this study, we use key aggregate searchable encryption (KASE), which enables keyword search, to efficiently share data without using a TTP. The traditional KASE approach only discusses delegation of authority from the data owner to another user. However, if the delegated entity cannot perform time-critical tasks because the shared data are unavailable to it, the delegate must further delegate the rights it was given to other users. Consequently, this paper proposes a new KASE scheme that enables multi-delegation without a TTP and includes an authentication technique between the user and the server. We then perform informal and formal security analysis using BAN logic and AVISPA, and compare the security and performance of the scheme with existing schemes.


Introduction
As a hyper-connected world is realized through the development of the Internet, data production is increasing in various distributed environments such as medical care, finance, and vehicles. According to a study published by the Statista Research Department [1], the total amount of data generated per year is expected to reach 149 ZB by 2024, as the amount of data generated worldwide increases exponentially. The generated data can be used as input for financial, medical, and artificial intelligence development, and cloud storage and computing technologies have been introduced to manage such vast amounts of data [2][3][4]. Cloud computing services provide large-capacity storage and computing resources to resource-constrained computing devices.
However, privacy issues arise because the generated data include personal information. Research and policies are being developed worldwide to protect the privacy of such data. "Midata" in the UK [5] and "Smart disclosure" in the US are policies that let individuals use and protect their personal information as its subjects, and they have been implemented to date. However, these policies are being implemented with the help of a Trusted Third Party (TTP) because it is difficult to provide services based on personal information otherwise. Because the amount and value of the generated data increase, the data owner who produces the data should be the one sharing it, not the TTP.
For the data owner to manage data without the help of a TTP, the following must be considered: (i) Key management for data access control must also be performed by the data owner (DO). (ii) The efficiency of the keys used for data management should be considered, because as the data grow, the number of keys grows as well. (iii) The data owner must store the data in encrypted form in order to maintain their confidentiality and integrity, and a data access policy is required for sharing them with data users (DUs).
The DO outsources data or computational work to cloud servers. In addition, DOs can optionally share outsourced data with DU groups with the help of cloud computing services through access control. For this purpose, cryptosystems such as the user-based access control cryptosystem [6], the role-based access control cryptosystem [7], and the attribute-based access control cryptosystem [8] have been studied. However, in these user-centric data sharing methods the computation overhead of encryption and key generation increases with the number of attributes or users. When a DO grants a new user access to their data, the DO must either generate a new ciphertext or modify the ciphertext stored in the cloud. Furthermore, because the TTP defines and manages the users' rules and attributes, the DO cannot be the subject of data management. To address these limitations, a data-centric shared encryption scheme called Key Aggregate Encryption (KAE) [9] has been proposed. In KAE, the DO first defines the document set S to which the data that the DO intends to share with data users belong, and then aggregates the secret keys of all documents in the set S. Then, the DO shares a single key, known as the aggregate key, with the user to grant access to S. Moreover, an extended encryption scheme called Key Aggregate Searchable Encryption (KASE) [10] was proposed, which allows DOs to use aggregate keys to delegate search authority over selected data sets and allows users to retrieve shared data by submitting a single aggregate trapdoor to the cloud. In addition to the delegation of search rights from data owners to data users, it is also important to consider the case in which the delegated users need to transfer rights to other users for time-sensitive tasks, for processing and creating various information, and for smooth data management.
However, no KASE construction considers the case in which an authorized user needs to further delegate privileges to other users. Therefore, this paper proposes a KASE cloud data sharing scheme that simultaneously provides user authentication and delegation functions without using a TTP. To verify the security of the proposed scheme, we conduct an informal security analysis and a formal security analysis using "Burrows-Abadi-Needham (BAN) logic" [11] and the "Automated Validation of Internet Security Protocols and Applications (AVISPA)" tool [12]. We use the "Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)" [13] to build a test bed and measure the cost of cryptographic operations. Finally, we compare security and performance with other existing schemes.

Motivation
Existing KASE schemes only discuss the delegation of data access rights by the DO to other DUs. However, there are cases where the delegated user needs to further delegate the delegated rights to another user because the shared data are unavailable to the delegated user:
• The first is a case in which time-critical work is required, such as work concerning immediate threats to the life, body or property of the DO. For example, in an emergency involving the DO's life and body, when the DU who has been authorized to access information such as the DO's health information is absent, that DU must delegate the authority to another DU.
• In addition, it is necessary to use various information and generate revenue through information sharing. A DU who has received information rights can use the information to make a profit. However, it is difficult to expect visible revenue generation from a single user. In this case, the DU can create new services and revenue by delegating limited access rights to other DUs.
• DUs authorized to provide services by data owners often struggle to manage large amounts of data. In this case, the DU should be able to perform load balancing by assigning limited administrative privileges to some users.
Therefore, we propose a KASE data sharing scheme that can delegate access rights for these cases.

Contribution
Our proposed scheme is an access control scheme that lets DOs share data with DUs without the help of a TTP. We also consider cases where DUs may delegate limited data access rights to other users, which existing KAE and KASE schemes do not consider. The detailed contributions of our proposed scheme are as follows:
• Group data sharing with keyword search: In the proposed scheme, DOs can delegate access to, and retrieval of, encrypted data for the data sets requested by DUs. Additionally, each ciphertext in the shared set can be retrieved with a constant-size trapdoor generated using the aggregate key. Furthermore, the proposed system can confirm whether keywords exist in the searched data set using a bloom filter [14].
• Multi-access prevention and privacy preservation: The authentication of the proposed scheme prevents unauthorized DUs from accessing the trapdoor multiple times. In particular, if an unauthenticated user attempts to intercept and submit a trapdoor, the system prevents it. The identity submitted for authentication is a pseudonymous identity, which is masked before being sent to protect the privacy of the DU. Moreover, the keyword ciphertext, the hidden access policy defined by the DO, and the trapdoor do not disclose information about the related keywords.
• Fine-grained delegation: In the proposed scheme, the DO provides authentication credentials to delegators and delegates. When a delegator wants to delegate authority, it authenticates with the delegate through the authentication credential. If authentication is valid, delegates can delegate the rights they have received to other users in a fine-grained manner.
The rest of the paper is organized as follows. Section 2 reviews the related works on KAE and KASE and provides the preliminaries for the proposed scheme. The system model and threat model are defined in Section 3.

Related Works
In this section, we review the literature on previous studies of KAE and KASE. This section also provides preliminaries on the cryptographic concepts that we use throughout the paper.

Literature Reviews
In 2016, Chu et al. [9] proposed the notion of a KAE scheme that reduces the number of distributed data encryption keys in data sharing environments. KAE allows documents or data sets encrypted with different keys to be decrypted with a single aggregate key. In 2018, Guo et al. [15] proposed a scheme for sharing encrypted data with other users through public cloud storage. Their approach involves an authentication process, and they argue that this process solves the key leakage problem of data sharing. However, Alimohmmadi et al. [16] proved that Guo et al.'s scheme is not secure against impersonation and authentication key forgery attacks. They demonstrated that Guo et al.'s scheme allows anyone to forge an authentication key and access an arbitrary set of files stored in the cloud. Therefore, they proposed a new KASE scheme that solves the problems of Guo et al.'s scheme.
However, since [9,15,16] offered no keyword search function over documents, Cui et al. [10] proposed a KASE scheme that adds group keyword search to the existing KAE. The scheme of [10], which first proposed the KASE method, provides a searchable group data sharing function: a data owner can selectively share a selected group of files with a selected group of users, and the latter can perform keyword searches over the former. Unfortunately, Zhou et al. [17] proved that Cui et al.'s scheme is insecure against insider attacks, demonstrating that an insider adversary can guess a valid user's key. Furthermore, Cui et al.'s scheme [10] does not support searching over multi-owner data using a single key of constant size.
To address this problem, Li et al. [18] proposed a scheme for searching over multi-owner data using a single trapdoor. Their scheme allows verification of search results using an aggregate key. They also offered advance planning in multi-owner settings.
Zhou et al. [17] proposed a KASE scheme with a data-centric framework for the Industrial Internet of Things (IIoT) environment. Sensors in IIoT do not have the computational power for pairing operations, as their hardware resources are very limited. Therefore, Zhou et al. proposed a KASE scheme that does not use pairing operations in the encryption phase.
Padhya et al. [19] also proposed a KASE scheme for multi-owner data. Padhya et al.'s scheme is a practical way to generate keyword ciphertexts without expensive pairing operations in resource-constrained environments. They also discussed scenarios for federated clouds and proposed methods for delegating search authority when data are stored in federated clouds.
Liu et al. [20] proposed a scheme to validate keyword search results using a single aggregate key. The KASE method of Liu et al. also provides user authentication. In their scheme, the cloud server verifies the legitimacy of a sub-user by checking that the authorized user's identity set includes the sub-user's identity. However, Li et al.'s protocol is insecure against user impersonation attacks.
In addition to delegating search authority to a user, it is also necessary to consider the case where the delegated user must delegate the authority to another user for time-sensitive tasks, for processing and creating various information, and for managing a large amount of data. Although many KASE schemes deal with data sharing between DOs and DUs, none deals with the case where a DU delegates to other DUs without the help of the TTP. Furthermore, no KASE scheme addresses user authentication and fine-grained multi-delegation at the same time. Authentication is one of the basic security services that is absolutely necessary to provide secure services in various network environments [21][22][23][24][25][26][27][28].

Preliminaries
In this section, we briefly discuss the cryptographic concepts used in this paper: the bilinear map and the bloom filter.

Bilinear Map
A pairing is a bilinear map defined over subgroups of an elliptic curve. Assume that $G_1$ and $G_2$ are two multiplicative cyclic elliptic curve subgroups of the same prime order $p$. A mapping $e : G_1 \times G_1 \to G_2$ is a bilinear map if it satisfies the following [29]:

3. Computability: there is an efficient algorithm to compute $e(u, v)$ for any $u, v \in G_1$.

Bloom Filter
An $m$-bit bloom filter [14] can be viewed as an array of $m$ bits, all initialized to zero. For verification with the bloom filter, $k$ independent hash functions $H_1, \ldots, H_k$ with range $\{0, \ldots, m-1\}$ are designed. During the generation phase, for each element $s \in S = \{s_1, s_2, \ldots, s_n\}$ and each $1 \le j \le k$, the $H_j(s)$-th bit of the array is set to 1. In the verification phase, the values of the $H_j(s)$ bits determine whether an element $s$ belongs to $S$: if any of them is 0, then certainly $s \notin S$; otherwise, it is highly probable that $s \in S$. Assuming the hash functions are completely random, the false positive rate is $(1 - e^{-kn/m})^k$, and choosing $k = (m/n)\ln 2$ hash functions leads to the minimum false positive rate $(0.6185)^{m/n}$. Two algorithms, generation and verification, are included in the $m$-bit bloom filter.
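As an added example (not code from the paper), the following Python implements the $m$-bit bloom filter in the role the scheme gives it: the generation step the DO runs over a document's keyword set $W_i$ during data upload, the verification step (the paper's BFverify) the DU runs on the recovered $BF_i$ to obtain $ACC_i$ during data retrieval, and the false positive rate formulas above checked against a measured rate. The construction of the $k$ hash functions from SHA-256 with an index prefix and the sample keyword set are assumptions of the example.

```python
"""Added example, not from the paper: an m-bit Bloom filter used the way the
scheme uses it.  The data owner builds BF_i over the keyword set W_i of document
i (data upload phase); the data user later runs the verification algorithm
(BFverify) on the recovered BF_i to obtain ACC_i (data retrieve phase).
Assumption: the k independent hash functions H_1..H_k are built from SHA-256 with
a per-function index prefix; the paper does not fix a concrete construction."""
import hashlib
import math
import random


def make_hash_functions(k: int, m: int):
    """Return [H_1, ..., H_k]; H_j(s) = SHA-256(j || s) mod m maps a keyword
    to a bit position in {0, ..., m-1}."""
    def make(j: int):
        def h(s: str) -> int:
            digest = hashlib.sha256(j.to_bytes(2, "big") + s.encode("utf-8")).digest()
            return int.from_bytes(digest, "big") % m
        return h
    return [make(j) for j in range(1, k + 1)]


def bf_gen(hashes, keyword_set) -> int:
    """Generation phase: all m bits start at 0; for every s in the set and every
    H_j, bit H_j(s) is set to 1.  The filter is returned as an integer bitmask."""
    bf = 0
    for s in keyword_set:
        for h in hashes:
            bf |= 1 << h(s)
    return bf


def bf_verify(hashes, bf: int, w: str) -> int:
    """Verification phase: ACC = 1 if every bit H_j(w) is set (w is probably in
    the set), ACC = 0 if any bit is clear (w is certainly not in the set)."""
    return 1 if all((bf >> h(w)) & 1 for h in hashes) else 0


def false_positive_rate(m: int, n: int, k: int) -> float:
    """Expected false positive rate (1 - e^(-kn/m))^k for random hash functions."""
    return (1.0 - math.exp(-k * n / m)) ** k


def optimal_k(m: int, n: int) -> int:
    """k = (m/n) ln 2 minimises the false positive rate; rounded to an integer."""
    return max(1, round((m / n) * math.log(2)))


def min_false_positive_rate(m: int, n: int) -> float:
    """The minimum (0.6185)^(m/n) reached at the optimal k."""
    return 0.6185 ** (m / n)


def estimate_fp_rate(hashes, bf: int, keyword_set, probes: int = 2000, seed: int = 1) -> float:
    """Empirical false positive rate: fraction of constructed non-member probe
    strings that bf_verify wrongly accepts."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(probes):
        probe = f"probe-{rng.getrandbits(64):016x}"   # constructed, never a keyword
        if probe not in keyword_set and bf_verify(hashes, bf, probe) == 1:
            hits += 1
    return hits / probes


# Constructed keyword set W_1 of a hypothetical health-record document (n = 16).
W_1 = ["diabetes", "insulin", "glucose", "hba1c", "metformin", "bmi",
       "hypertension", "statin", "ldl", "hdl", "triglyceride", "ecg",
       "arrhythmia", "warfarin", "inr", "allergy"]


def run_demo(m: int = 128):
    """Build BF_1 for W_1 with the optimal k and report membership checks and
    the expected versus measured false positive rate."""
    n = len(W_1)
    k = optimal_k(m, n)
    hashes = make_hash_functions(k, m)
    bf = bf_gen(hashes, W_1)
    return {
        "k": k,
        "members_accepted": all(bf_verify(hashes, bf, w) == 1 for w in W_1),
        "expected_fp": false_positive_rate(m, n, k),
        "minimum_fp": min_false_positive_rate(m, n),
        "measured_fp": estimate_fp_rate(hashes, bf, W_1),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

With 8 bits per keyword ($m = 128$, $n = 16$) the optimal $k$ is 6 and both formulas give a false positive rate of about 2%, which the measured rate reproduces; a filter with many more bits per element practically never accepts a non-member.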

System Model and Threat Model
In this section, we describe the system model of our proposed scheme and provide the threat model and the notations that we use throughout the paper.

System Model
Our proposed system model is represented in Figure 1 and has three entities:
• Data Owner (DO): The DO is an entity that independently manages data as the owner of the data and information, without a TTP. When a DU requests data, the DO encrypts the data and related keywords, stores them in the cloud server, and delivers a single aggregate key of fixed size. The DO encrypts the group identity $GID$ of delegatees and delegators to define the delegation of authority.
• Data User (DU): The DU receives the aggregate key when requesting data from the DO. The DU generates a trapdoor from the aggregate key and a keyword to retrieve data from the CS, receives the encrypted data after authenticating with the CS, and then decrypts them to obtain the data.
• Cloud Server (CS): Since the CS is an honest-but-curious entity, it may legitimately try to learn all the information it can from a received message. The CS provides the DO with storage and computing power. In addition, the CS searches data using the trapdoor received from the DU and performs keyword verification.
The DO creates the public parameters to be used in the system and publishes them to the entities. Then, the DO creates a bloom filter for keyword verification, encrypts the data, and uploads them to the CS. The DU sends a data request to the DO, and the DO returns a single aggregate key for the requested data, an authentication credential for authentication with the CS, and a $GID$ for verifying authorization. The authentication credential is delivered to the CS at this time. Subsequently, the DU creates a single trapdoor using the aggregate key and keywords and sends a search query to the CS. After the CS authenticates the DU, the CS searches the data and confirms the keyword using the trapdoor. After that, the CS generates the data search result and a proof set for decryption and sends them to the DU. The DU verifies the result using the bloom filter and then decrypts the data. In addition, if a DU wants to delegate authority to another DU, mutual authentication is performed.
If the authentication is valid, the DU can delegate the aggregate key and some of the keywords he/she has.

Threat Model
In this paper, we adopt the widely accepted Dolev-Yao (DY) threat model [30] for the security analysis of the proposed scheme. In accordance with the DY model, an attacker is able to seize messages transmitted over an open channel and to eavesdrop on, delete, inject or modify the seized messages:
• The attacker has full control over, and learns from, messages sent over open channels. The attacker can then insert, modify, or remove valid messages.
• Because guessing more than one value at a time is a "computationally infeasible operation", the attacker can only guess one value in polynomial time.
In addition, this paper adopts the assumptions of the "Canetti and Krawczyk model (CK model)" [31]. It is a stronger threat model than the DY model and is considered the de facto standard for modeling key exchange protocols. Table 1 specifies the symbols used in this paper.

Table 1. Notations and their meanings.
• $DU_j$, $ID_j$: the $j$th data user and their identity, respectively
• DO: data owner
• CS: cloud server
• $HID_j$: the hidden identity of the $j$th data user
• $PK_{do}$: the DO's public key for encrypting data
• $DPK_{do}$: the DO's public key for authentication
• $r_{do}$, $\rho_{do}$: master secret key and secret key of the DO
• $PK_j$, $PK_{cs}$: the public keys of the data user and the cloud server, respectively
• $GID_l$, $HGID_l$: the group identity defined by the data owner and its hidden identity
• $CK_i$: the encrypted keyword
• $Tr$: the trapdoor
• $\|$: data concatenation operator
• $h_2$: the map-to-point hash function $\{0, 1\}^* \to G_1$
• $\oplus$: bitwise exclusive-or operator

Our Proposed Scheme
In this section, we propose a key aggregate scheme for multi-delegation and authentication without a TTP. The proposed scheme consists of six phases, namely the setup phase, data upload phase, aggregate key generation phase, trapdoor generation and retrieval phase, authentication for delegation phase, and group identity revocation phase.

Setup Phase
For data sharing and data upload, a data owner DO has to generate a bilinear map and the public system parameters. The DO also generates the hash functions used for encrypting information and for the bloom filter. The detailed steps of the setup phase are summarized in Figure 2 and discussed below.
Step 1: DO generates a bilinear map $B = (q, G_1, G_2, e)$, where $q$ is the order of $G_1$ and $e : G_1 \times G_1 \to G_2$; $G_1$ and $G_2$ are multiplicative elliptic curve groups. Then DO picks a random generator $g \in G_1$ and a random nonce $\alpha \in Z_q$, and computes the public values $g_1, \ldots, g_n$.
Step 2: After that, DO chooses his/her master secret key $r_{do} \in Z_q^*$ and secret key $\rho_{do} \in Z_q^*$. DO generates the hash functions $h_1 : \{0, 1\}^* \to Z_q$ and $h_2 : \{0, 1\}^* \to G_1$ for hashing information. Furthermore, DO also generates $k$ independent universal hash functions $\{H_1, \ldots, H_k\}$, which are used to set up an $m$-bit bloom filter.
Step 3: Then, DO computes the public key $PK_{do} = g^{r_{do}}$ for encrypting data and the public key $DPK_{do} = g^{\rho_{do}}$ for authentication. At last, DO publishes $B$, $(g, g_1, \ldots, g_n)$, $DPK_{do}$, $PK_{do}$, $h_1$, $h_2$ and $\{H_1, \ldots, H_k\}$.

Figure 2. Setup phase (performed by the data owner DO).

Data Upload Phase
In this phase, DO encrypts the data and uploads them to the cloud server. At this time, DO creates a bloom filter to verify whether a keyword is included in the document set. DO encrypts the keyword set as $CK_i$, generates a public auxiliary value for index $i$, and sends them to the cloud server. This phase is summarized in Figure 3 and the detailed steps are given below.
Step 1: First, DO picks a random number $t \in Z_q$ as the actual searchable encryption key and generates a bloom filter $BF_i$ for the keyword set $W_i$ using $\{H_1, \ldots, H_k\}$, where $i \in \{1, \ldots, n\}$ is the file index.
Step 2: Then, DO randomly chooses $M \in G_2$ and computes the public auxiliary value for index $i$, which comprises $c_1$, $c_2$, $c_3$ and $c_4$: $c_1 = g^t$, $c_2 = (g_i \cdot PK_{do})^t$, $c_3 = h_2(M) \oplus BF_i$, and $c_4 = M \cdot e(g_1, g_n)^t$. Then, DO computes $CK_i = \frac{e(g, h_1(w))^t}{e(g_1, g_n)^t}$ for each keyword $w$ in the file's keyword set $W_i$.
Step 3: At last, DO sends the auxiliary value for index $i$ and $CK_i$ to the cloud server.

Figure 3. Data upload phase (between the data owner DO and the cloud server CS).

Data Request Phase
If $DU_j$ wants to access the data set $S_i$, $DU_j$ calculates $HID_j$ and $PK_j$ and requests the data from DO. DO computes the aggregate key $k_s$ corresponding to the data set. After that, DO creates $GID_l$ by defining the groups that can delegate or receive authority. DO can manage the list of DUs belonging to $GID_l$ when a new $DU_j$ is added or an existing DU wants to leave the group. After that, DO creates an authentication credential that allows $DU_j$ and CS to authenticate each other. DO generates $TID_j$ and transmits it together with $k_s$ and $HGID_l$ securely to $DU_j$, and generates and transmits $HID_j$ and $A_{cs}$ securely to CS. CS uses these values to calculate $ACS_j$, which serves as the authentication credential, and stores it in its own database. Figure 4 summarizes this phase. The detailed steps involved in this phase are given below.
Step 1: $DU_j$ generates a secret key $b_j \in Z_q^*$ and chooses a unique identity $ID_j$. Then, $DU_j$ computes the pseudo identity $HID_j = h_1(ID_j \| b_j)$ and the public key $PK_j = g^{b_j}$. $DU_j$ sends $HID_j$, $PK_j$ and $S_i$ securely to DO, where $S_i$ is a document set.
Step 2: After receiving the data request from $DU_j$, DO generates the aggregate key $k_s = \prod_{j \in S} g_{n+1-j}^{r_{do}}$ corresponding to the document set $S_i$. DO then creates $GID_l$ by defining groups that determine which users can delegate or receive privileges from each other. DO computes $TID_j = (DPK_{do})^{HID_j \cdot \rho_{do}}$ as the authentication credential. Furthermore, DO computes $HGID_l = h_2(GID_l \| r_{do} \| \rho_{do})$ and $A_{cs} = h_2(r_{do} \| \rho_{do})$. After that, DO securely sends $k_s$, $TID_j$ and $HGID_l$ to $DU_j$, and securely sends $HID_j$ and $A_{cs}$ to CS.
Step 3: After receiving the messages from DO, CS computes $ACS_j = h_2(HID_j \| A_{cs})$ and the public key $PK_{cs} = g^{A_{cs}}$. Then, CS stores $ACS_j$ in its database.

Figure 4. Data request phase (between the data user $DU_j$, the data owner DO and the cloud server CS).

Data Retrieve Phase
$DU_j$ generates a trapdoor for a keyword $w$ using their aggregate key. $DU_j$ sends the trapdoor to CS as a search query, together with an authentication credential for mutual authentication. CS authenticates $DU_j$, then CS determines whether the encrypted keyword matches $CK$ using $DU_j$'s trapdoor. After verifying the keyword, CS generates a result set and a proof set. After $DU_j$ receives the result set and proof set from CS, $DU_j$ authenticates CS and verifies the proofs that the keyword exists in the owner's document set. Figure 5 describes this phase, and the detailed steps are as follows.
Step 1: $DU_j$ generates a single aggregate trapdoor $Tr_j = k_s \cdot h_1(w)$. One trapdoor relates to the set of all documents covered by the aggregate key. Then, $DU_j$ generates a timestamp $T_1$ and a random nonce $R_{du}$ and computes $M_j$, $V_j$ and $HHID_j$. After that, $DU_j$ sends $M_j$, $V_j$, $HHID_j$, $T_1$, $Tr_j$ and $S_i$ via an insecure channel.
Step 2: After receiving the messages from $DU_j$, CS computes $Verif_j = V_j^{A_{cs}}$ and $HID_j = Verif_j \oplus M_j$. Furthermore, CS checks whether $h_1(HID_j \| A_{cs}) = ACS_j$. If it is valid, CS computes $MA_j = h_1(Verif_j \| HID_j)$ and checks whether $e(HHID_j, PK_{cs}) = e(DPK_{do}^{HID_j \cdot A_{cs}}, DPK_{do}^{MA_j})$. If it is valid, CS computes the following for each index $i$: $pub_1 = \prod_{z \in S, z \ne i} g_{n+1-z+i}$, $Tr_i = Tr_j \cdot pub_1$, $pub_2 = \prod_{z \in S} g_{n+1-z}$, and $p_1 = c_4 \cdot \frac{e(pub_1, c_1)}{e(pub_2, c_2)}$. Then, CS checks whether $ck = \frac{e(Tr_i, c_1)}{e(pub_2, c_2)}$ for each encrypted keyword $ck \in CK_i$, and adds the identity of the corresponding document to $Result_i$. Furthermore, CS sets $PRF_i = (c_1, p_1, c_3)$. Then, CS generates a random nonce $R_{cs}$ and computes $VA_{cs} = PK_{cs}^{R_{cs}}$, $Verif_{cs} = PK_j^{A_{cs} \cdot R_{cs}}$ and $AUTH_{cs} = h_1(MA_j \| Verif_j \| Verif_{cs})$. CS sends the sets $Result$ and $PRF$, $VA_{cs}$ and $AUTH_{cs}$ over an open channel to $DU_j$.
Step 3: After receiving the sets from CS, $DU_j$ computes $Verif_{cs} = VA_{cs}^{b_j}$. Then, $DU_j$ checks whether $AUTH_{cs} = h_1(MA_j \| Verif_j \| Verif_{cs})$. If it is valid, $DU_j$ computes, for each $i$, $M = p_1 \cdot e(k_s, c_1)$, $BF_i = h_1(M) \oplus c_3$, and $ACC_i = BFverify(\{H_1, \ldots, H_k\}, BF_i, W)$. If the keyword $w$ exists in the document, $ACC_i = 1$; otherwise, $ACC_i = 0$.

Figure 5. Data retrieve phase (between the data user $DU_j$ and the cloud server CS).

Authentication for Delegation Phase
If $DU_A$ wants to delegate their aggregate key, $DU_A$ and $DU_B$ conduct mutual authentication using $HGID_l$. If they hold the same $HGID_l$, they compute the same session key $SK$. After that, $DU_A$ can send their own aggregate key and keywords protected by $SK$. In this case, $DU_A$ can delegate limited access rights by sending only some of the keywords that $DU_A$ holds. The detailed steps are illustrated in Figure 6 and are as follows.
Step 1: $DU_A$ generates a random nonce $r_A$ and a timestamp $T_2$. Then, $DU_A$ computes $R_A$ and $L_{AB}$ and sends them to $DU_B$.
Step 2: After receiving the messages from $DU_A$, $DU_B$ computes $V_A = R_B^{b_A}$ and checks whether $L_{AB} = h_1(V_A \| T_2)$. If it is valid, $DU_B$ generates a random nonce $r_B$, computes its response values, and sends them to $DU_A$.
Step 3: After receiving the response from $DU_B$, $DU_A$ computes $V_B$ and checks the received authentication value $L_{BA}$. If it is the same value, $DU_A$ computes the session key $SK$. At the end, $DU_A$ and $DU_B$ have authenticated each other and computed the same $SK$ for their secure communication.

Figure 6. Authentication for delegation phase (between the data users $DU_A$ and $DU_B$).

Group Identity Revocation Phase
When $DU_j$ wants to leave the group, DO updates the group ID list to which $DU_j$ belongs. DO replaces $GID$ with $GID_{new}$, computes the new hidden identity $HGID_{new}$ from $GID_{new}$, and sends it in bulk to the data users remaining on the existing $GID$ list.

Security Analysis
In this section, we present a non-mathematical (informal) security analysis and a formal security analysis. We use the broadly accepted "BAN logic" to show that the proposed scheme provides mutual authentication, and the "Automated Validation of Internet Security Protocols and Applications (AVISPA)" simulation tool to show that the protocol is secure against man-in-the-middle and replay attacks.

Informal Analysis
We conduct the informal analysis to examine the security capabilities of the scheme and its security against various attacks.

Correctness
$DU_j$ should obtain the bloom filter by decrypting the corresponding ciphertext of the $i$-th document with the aggregate key. For correctness, $M$ can be obtained by:
$$ M \cdot e(g_1, g_n)^t \cdot \frac{e\left(\prod_{z \in S} g_{n+1-z}^{r_{do}},\ g^t\right)}{e\left(\prod_{z \in S} g_{n+1-z},\ g^{r_{do} \cdot t}\right) \cdot e(g_1, g_n^t)} = M $$

Impersonation Attacks
If an adversary attempts to impersonate a legitimate DU, the adversary must be able to compute the legitimate message $M_j$, $V_j$, $HHID_j$, $T_1$, $Tr_j$, $S_i$. However, the attacker cannot compute $HHID_j$ because $TID_j$ is computed using the secret identity $HID_j$. Furthermore, CS checks whether $e(HHID_j, PK_{cs}) = e(DPK_{do}^{HID_j \cdot A_{cs}}, DPK_{do}^{MA_j})$. If it is not valid, the impersonation attempt is aborted by CS. Therefore, our proposed scheme resists data user impersonation attacks.

Data User Anonymity
The real identity $ID_j$ of $DU_j$ is hidden in the pseudo identity $HID_j$, which depends on the random secret key $b_j$. In addition, the data user is provided by DO with $TID_j$, which is used for authentication in the data retrieve phase. Since $TID_j$ depends on the DO's secret key $\rho_{do}$, the attacker cannot learn $ID_j$, the real identity of the data user. Therefore, the scheme guarantees the anonymity of data users.

Perfect Forward Secrecy
In the data retrieve phase, suppose that an adversary obtains the secret key $A_{cs}$ of the cloud server. Then, the adversary is able to compute $Verif_j$ and $HID_j$. However, the adversary cannot compute $VA_{cs}$ and $AUTH_{cs}$, since the adversary does not know the random nonce $R_{cs}$. Thus, the data retrieve phase provides perfect forward secrecy. In the authentication for delegation phase, suppose that an adversary obtains the secret key $b_A$ or $b_B$ of $DU_A$ or $DU_B$. The adversary cannot compute the session key $SK$ because the adversary cannot compute $V_A$ or $V_B$, which depend on the random nonces $r_A$ and $r_B$. Therefore, our proposed scheme ensures perfect forward secrecy.

Privileged-Insider Attacks
If an adversary is a privileged insider, the adversary is able to obtain $HID_j$ and $A_{cs}$ during the data request phase. Then, the attacker can compute $Verif_j$ and $MA_j$. However, CS generates a fresh random nonce $R_{cs}$ in each data retrieve session, and the adversary cannot compute $Verif_{cs} = PK_j^{A_{cs} \cdot R_{cs}}$ without $R_{cs}$. Therefore, the proposed scheme is secure against privileged-insider attacks.

Replay and Man-In-The-Middle Attacks
An adversary can learn the messages transmitted over open wireless channels according to Section 3.2. However, in our proposed scheme the adversary cannot conduct replay or man-in-the-middle attacks because every transmitted message contains a timestamp or a random nonce. The timestamps and random nonces $T_1$, $T_2$, $T_3$, $R_{cs}$ and $r_A$ are generated by $DU_j$ or CS and included in the messages. Therefore, the proposed scheme successfully prevents replay and man-in-the-middle attacks.

Known Session-Specific Temporary Information Attacks
If an adversary obtains the random numbers $r_A$ and $r_B$ of the authentication for delegation phase, as allowed by the CK threat model mentioned in Section 3.2, then the attacker can compute $R_A$ or $R_B$. However, the adversary cannot compute $V_A$ or $V_B$ without obtaining the data users' secret keys $b_A$ or $b_B$. Therefore, the attacker cannot compute $SK = h_1(V_A \| V_B \| AGID_l \| T_3)$. Thus, our proposed scheme prevents known session-specific temporary information attacks.

Ephemeral Secret Leakage (ESL) Attacks
In the authentication for delegation phase, $DU_A$ and $DU_B$ establish the same session key $SK = h_1(V_A \| V_B \| AGID_l \| T_3)$. Under the CK threat model of Section 3.2, the short-term ephemeral secrets $r_A$ and $r_B$ can be leaked. However, the adversary still cannot compute $SK$ because the adversary does not have $b_A$ and $b_B$. Conversely, assuming that the long-term secret keys $b_A$ and $b_B$ have been leaked, the adversary cannot calculate the session key because $r_A$ and $r_B$ remain unknown. $SK$ can be computed only when both the short-term and the long-term secrets are leaked, and since this is a computationally infeasible problem, our scheme resists ESL attacks.

Session Key Disclosure Attacks
An adversary tries to obtain sensitive information by calculating a legitimate session key $SK$. However, as discussed in Sections 5.1.4, 5.1.7 and 5.1.8, the adversary cannot compute $SK$ because of the computationally infeasible problems involved. Therefore, our proposed scheme is safe against session key disclosure attacks.

Mutual Authentication
After receiving the message from $DU_j$ in the data retrieve phase, $CS$ checks

$$e(g^{\rho_{do} \cdot HID_j \cdot A_{cs}},\, g^{\rho_{do} \cdot MA_j}) = e(g, g)^{\rho_{do} \cdot HID_j \cdot A_{cs} \cdot \rho_{do} \cdot MA_j} = e(g^{\rho_{do} \cdot HID_j \cdot \rho_{do} \cdot MA_j},\, g^{A_{cs}}) = e(HH_{ID_j}, PK_{cs}).$$

According to Sections 5.1.2 and 5.1.3, an adversary cannot impersonate a legitimate $DU_j$. Moreover, $DU_j$ also checks $AUTH_{cs} = h_1(MA_j \| Verif_j \| Verif_{cs})$.
In addition, in the authentication for delegation phase, $DU_A$ and $DU_B$ check $L_{AB} = h_1(V_A \| T_2)$ and $L_{BA} = h_1(V_A \| HGID_l \| T_3 \| V_B)$. Therefore, our scheme provides mutual authentication.

BAN Logic Analysis
This section uses BAN logic [11] to prove that the proposed scheme provides mutual authentication in the data retrieve phase and in the authentication for delegation phase. Table 2 describes the notation of BAN logic, and we also describe the rules, goals, assumptions and idealized forms of BAN logic [32,33].

Table 2. Notation of BAN logic
$SK$: the session key used in the current authentication session
$\#ST$: the statement $ST$ is fresh
$\{ST\}_{Key}$: the formula $ST$ encrypted with the key $Key$
$\omega \xleftrightarrow{Key} \sigma$: $\omega$ and $\sigma$ use $Key$ as a shared key for communicating
$\omega \Rightarrow ST$: $\omega$ controls the statement $ST$

Logical Rules of BAN Logic
The logical rules of BAN logic are: 1. Jurisdiction rule: Nonce verification rule:

Goals for Data Retrieve Phase
The following goals are presented to demonstrate that the proposed scheme achieves a mutual authentication :

Idealized Forms for Data Retrieve Phase
The idealized forms are as following :

Assumptions for Data Retrieve Phase
The following assumptions are the initial state of the proposed scheme to achieve BAN logic proof.

Proof Using BAN Logic for Data Retrieve Phase
The main proofs using the rules and assumptions of BAN logic proceed in the following steps:
Step 1: $S_1$ can be obtained from $M_1$.
Step 2: To obtain $S_2$, we apply the message meaning rule with $A_1$. $S_2$: $CS \mid\equiv DU_j \mid\sim (HID_j, T_1, R_{du}, DPK_{do})$.
Step 3: To obtain $S_3$, we apply the freshness rule with $A_3$. $S_3$: $CS \mid\equiv \#(HID_j, T_1, R_{du}, DPK_{do})$.
Step 4: To obtain $S_4$, we apply the nonce verification rule with $S_2$ and $S_3$. $S_4$: $CS \mid\equiv DU_j \mid\equiv (HID_j, T_1, R_{du}, DPK_{do})$.
Step 5: To obtain $S_5$, we apply the belief rule.
Step 6: To obtain $S_6$, we apply the jurisdiction rule with $A_5$. $S_6$: $CS \mid\equiv R_{du}$. (Goal 1)
Step 7: $S_7$ can be obtained from $M_2$. $S_7$: $DU_j \triangleleft \{HID_j, T_1, R_{cs}\}_{g^{b_j \cdot A_{cs}}}$.
Step 8: To obtain $S_8$, we apply the message meaning rule with $A_2$. $S_8$: $DU_j \mid\equiv CS \mid\sim (HID_j, T_1, R_{cs})$.
Step 9: To obtain $S_9$, we apply the freshness rule with $A_4$. $S_9$: $DU_j \mid\equiv \#(HID_j, T_1, R_{cs})$.
Step 10: To obtain $S_{10}$, we apply the nonce verification rule with $S_8$ and $S_9$. $S_{10}$: $DU_j \mid\equiv CS \mid\equiv (HID_j, T_1, R_{cs})$.
Step 11: To obtain $S_{11}$, we apply the belief rule.
Step 12: To obtain $S_{12}$, we apply the jurisdiction rule with $A_6$. $S_{12}$: $DU_j \mid\equiv R_{cs}$. (Goal 3)
Thus, our scheme has completed the proof that it provides mutual authentication for the data retrieve phase. The BAN logic proof for the authentication for delegation phase is similar to the above proof. Therefore, our scheme can provide secure mutual authentication.
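The twelve steps above can be replayed mechanically. The following is an added illustration, not the paper's artefact: a small rule engine implementing the five BAN rules used in the proof (message meaning, freshness, nonce verification, belief, jurisdiction) and running them to a fixpoint from the data retrieve phase premises. The message contents follow $S_2$ and $S_7$; the key name and the premises $A_1$ to $A_6$ (shared key, fresh $T_1$, jurisdiction over $R_{du}$ and $R_{cs}$) are our reconstruction of standard BAN assumptions, since the paper's own assumption list is not reproduced here. Removing the freshness premise, as a replayed message would, makes Goal 1 underivable, which is exactly the role the nonce verification rule plays in Step 4.

```python
# Tiny BAN-logic rule engine, added as an illustration (not the paper's own artefact).
# Statements are nested tuples: ("believes",P,X)=P|≡X  ("said",Q,X)=Q|~X  ("fresh",X)=#(X)
# ("sees",P,X)=P◁X  ("shares",P,K,Q)=P↔K Q  ("controls",Q,X)=Q⇒X  ("enc",X,K)={X}_K  ("msg",...)

def believes(p, x): return ("believes", p, x)
def said(q, x): return ("said", q, x)
def fresh(x): return ("fresh", x)
def sees(p, x): return ("sees", p, x)
def shares(p, k, q): return ("shares", p, k, q)
def controls(q, x): return ("controls", q, x)
def enc(x, k): return ("enc", x, k)
def msg(*parts): return ("msg", *parts)

def kind(x):  # constructor name of a compound term; atoms (strings) have none
    return x[0] if isinstance(x, tuple) else None
def parts_of(x):  # components of a concatenated message
    return list(x[1:]) if kind(x) == "msg" else [x]

def message_meaning(facts):
    """P |≡ Q ↔K P and P ◁ {X}_K  ⟹  P |≡ Q |~ X"""
    out = set()
    for f in facts:
        if kind(f) == "believes" and kind(f[2]) == "shares":
            p, (_, a, k, b) = f[1], f[2]
            q = b if a == p else a if b == p else None
            for g in facts:
                if q and kind(g) == "sees" and g[1] == p and kind(g[2]) == "enc" and g[2][2] == k:
                    out.add(believes(p, said(q, g[2][1])))
    return out

def freshness(facts):
    """P |≡ #(X)  ⟹  P |≡ #(X, Y): a message is fresh if one component is"""
    out = set()
    fresh_atoms = {(f[1], f[2][1]) for f in facts if kind(f) == "believes" and kind(f[2]) == "fresh"}
    for f in facts:
        if kind(f) == "believes" and kind(f[2]) == "said":
            p, m = f[1], f[2][2]
            if any((p, x) in fresh_atoms for x in parts_of(m)):
                out.add(believes(p, fresh(m)))
    return out

def nonce_verification(facts):
    """P |≡ #(X) and P |≡ Q |~ X  ⟹  P |≡ Q |≡ X"""
    out = set()
    for f in facts:
        if kind(f) == "believes" and kind(f[2]) == "said":
            p, (_, q, x) = f[1], f[2]
            if believes(p, fresh(x)) in facts:
                out.add(believes(p, believes(q, x)))
    return out

def belief(facts):
    """P |≡ Q |≡ (X, Y)  ⟹  P |≡ Q |≡ X   (and P |≡ (X, Y)  ⟹  P |≡ X)"""
    out = set()
    for f in facts:
        if kind(f) != "believes":
            continue
        p, x = f[1], f[2]
        if kind(x) == "believes" and kind(x[2]) == "msg":
            out.update(believes(p, believes(x[1], part)) for part in parts_of(x[2]))
        elif kind(x) == "msg":
            out.update(believes(p, part) for part in parts_of(x))
    return out

def jurisdiction(facts):
    """P |≡ Q ⇒ X and P |≡ Q |≡ X  ⟹  P |≡ X"""
    out = set()
    for f in facts:
        if kind(f) == "believes" and kind(f[2]) == "controls":
            p, (_, q, x) = f[1], f[2]
            if believes(p, believes(q, x)) in facts:
                out.add(believes(p, x))
    return out

def derive(facts):
    """Apply the five rules to a fixpoint; this replays Steps 1-12 mechanically."""
    facts = set(facts)
    while True:
        new = set().union(*(r(facts) for r in (message_meaning, freshness, nonce_verification, belief, jurisdiction)))
        if new <= facts:
            return facts
        facts |= new

# Data retrieve phase. Message contents follow S2 and S7 in the text; the key name
# and the premises A1-A6 are our reconstruction of standard BAN assumptions.
K_JS = "g^(b_j*A_cs)"
M1 = msg("HID_j", "T_1", "R_du", "DPK_do")
M2 = msg("HID_j", "T_1", "R_cs")

def data_retrieve_facts():
    return {
        sees("CS", enc(M1, K_JS)), sees("DU_j", enc(M2, K_JS)),        # M1, M2 received
        believes("CS", shares("DU_j", K_JS, "CS")),                     # A1
        believes("DU_j", shares("CS", K_JS, "DU_j")),                   # A2
        believes("CS", fresh("T_1")), believes("DU_j", fresh("T_1")),   # A3, A4
        believes("CS", controls("DU_j", "R_du")),                       # A5
        believes("DU_j", controls("CS", "R_cs")),                       # A6
    }

GOAL_1, GOAL_3 = believes("CS", "R_du"), believes("DU_j", "R_cs")

def proves_mutual_authentication(facts=None):
    derived = derive(data_retrieve_facts() if facts is None else facts)
    return GOAL_1 in derived and GOAL_3 in derived
```

`derive(data_retrieve_facts())` contains $S_4$ and $S_{10}$ as intermediate beliefs and ends with Goals 1 and 3; dropping $A_3$ or $A_5$ from the premise set leaves Goal 1 underivable, which shows which assumption each step of the proof actually consumes.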

AVISPA Simulation Analysis
We adopt the "Automated Validation of Internet Security Protocols and Applications (AVISPA) Simulation Tools" [12] to validate security protocols against replay and man-in-the-middle attacks. AVISPA includes four backends: "Tree Automata based on Automatic Approximations for the Analysis of Security Protocols (TA4SP)", "SAT-based Model Checker (SATMC)", "Constraint-logic-based Attack Searcher (CL-AtSe)", and "On-the-fly model-checker (OFMC)". Neither the SATMC nor the TA4SP backend currently supports "bitwise exclusive OR (XOR)" operations. Therefore, the security validation simulations rely on two backends: CL-AtSe and OFMC.
We use the "High-Level Protocol Specification Language (HLPSL)" to implement the proposed scheme for the primary roles of the data owner DO, data user DU, and cloud server CS, as well as the mandatory "Sessions, Goals and Environments" roles. It is worth noting that AVISPA uses the DY threat model for validation. Figure 7 provides the simulation results of the OFMC and CL-AtSe backends for the data retrieve phase and the authentication for delegation phase, and clearly shows that the proposed protocol is safe from "replay and man-in-the-middle attacks" [34,35].

Security and Efficiency Features Comparison
We compare the proposed scheme with the existing competing schemes in the domain of KASE such as Cui et al. [10] and Liu et al. [20], in terms of security functions, computational and communication overhead.

Functionality and Security Features Comparison
We compare the proposed scheme with the existing competing schemes in terms of various security features, such as replay, man-in-the-middle, impersonation, privileged-insider, and session key disclosure attacks. Moreover, we compare various functional aspects such as user anonymity, mutual authentication, multi-access and delegation. Table 3 shows that the existing schemes do not meet all security requirements. Moreover, unlike the existing schemes, our proposed scheme additionally provides multi-access and delegation functions, and it is worth noting that DO or DU can perform these functions without TTP assistance.

Comparison of Computation Costs
This section performs a testbed experiment on the cryptographic computations of the data retrieve phase using the popular "Multiprecision Integer and Rational Arithmetic Cryptographic Library (MIRACL)" [13] on two platforms:
• Platform 1: Platform 1 is a general personal computer environment with the following specification: "Ubuntu 18.04.4 LTS with memory 8 GiB, processor: Intel Core i7-4790 @ 3.60GHz × 4, CPU Architecture: 64-bit." The experiments are executed for the "one-way hash function ($T_h$)", "bilinear pairing operation ($T_b$)", "scalar point multiplication ($T_{spm}$)", and "exponentiation operation ($T_e$)" for 100 runs. The average run-times over the 100 runs are 0.003 ms, 6.575 ms, 2.373 ms, and 0.819 ms, respectively.
• Platform 2: Platform 2 is a Raspberry PI environment, chosen to represent a mobile device, with the following specification: "Model: Raspberry PI 3 B, with CPU 64-bit, Processor: 1.2 GHz Quad-core, Memory: 1 GiB, and OS: Ubuntu 20.04.2 LTS 64-bit." Figure 8 shows the setting of the Raspberry PI environment. The same four operations ($T_h$, $T_b$, $T_{spm}$, $T_e$) are executed for 100 runs, and the average run-times over the 100 runs are 0.020 ms, 21.348 ms, 5.686 ms, and 2.973 ms, respectively.
Table 4 reveals the message computation costs of the data user and cloud server entities in the data retrieval phase. Comparing Cui et al., Liu et al., and our scheme, it can be seen that our scheme has a higher total cost than the existing schemes. However, the proposed scheme has the strength of being safe against various attacks.

Comparison of Computation and Communication Complexity
The number of keywords in the ciphertext and the number of keywords in the search query set affect the computation and communication costs. In our scheme, the pairing operation between the user and the cloud server is computed in addition to the operations of the other schemes, but authentication is performed only once regardless of the number of keywords. Therefore, in big-O asymptotic notation, our scheme has the same computational and communication costs as the other existing KASE schemes. The comparative analysis in Table 5 shows that the complexity of the computational and communication costs for the different features of the proposed scheme is comparable to that of the other schemes.
In Table 5, |KW| denotes the number of keywords in the ciphertext, |Q| the number of keywords in the query set, and P a pairing operation.

Discussion of Comparison
The comparative analysis of computation costs shows that the proposed protocol is more expensive than the other schemes. In asymptotic notation, however, the proposed scheme's computational complexity and communication cost are the same as those of the other schemes, such as Cui et al. [10] and Liu et al. [20]. Furthermore, as shown in Table 3, our scheme outperforms the other schemes in terms of security and features.

Conclusions and Future Works
In this paper, we designed a novel KASE scheme for data sharing without the assistance of a TTP, considering multi-delegation. The proposed scheme provides mutual authentication to secure data sharing. Moreover, our protocol provides keyword verification through a Bloom filter technique and can resist various security attacks such as impersonation, privileged-insider and session key disclosure attacks. Our proposed scheme also satisfies the user anonymity property. We used BAN logic to prove that the scheme provides mutual authentication, and we applied the AVISPA simulation tool to demonstrate that the proposed scheme is secure against man-in-the-middle and replay attacks. Our scheme has a higher computation cost than the existing schemes, but its complexity in the number of keywords and data sets is the same as that of the existing schemes, and it is more secure than they are. In the future, we will build a test-bed that simulates a real cloud service environment for efficient data sharing. After that, we will apply our scheme to the test-bed and improve it into a more efficient scheme.

Conflicts of Interest:
The authors declare no conflict of interest.