Multi-User Searchable Symmetric Encryption with Dynamic Updates for Cloud Computing

: With the advent of cloud computing, more and more users begin to outsource encrypted ﬁles to cloud servers to provide convenient access and obtain security guarantees. Searchable encryption (SE) allows a user to search the encrypted ﬁles without leaking information related to the contents of the ﬁles. Searchable symmetric encryption (SSE) is an important branch of SE. Most of the existing SSE schemes considered single-user settings, which cannot meet the requirements for data sharing. In this work, we propose a multi-user searchable symmetric encryption scheme with dynamic updates. This scheme is applicable to the usage scenario where one data owner encrypts sensitive ﬁles and shares them among multiple users, and it allows secure and efﬁcient searches/updates. We use key distribution and re-encryption to achieve multi-user access while avoiding a series of issues caused by key sharing. Our scheme is constructed based on the index structure where a bit matrix is combined with two static hash tables, pseudorandom functions and hash functions. Our scheme is proven secure in the random oracle model.


Introduction
In recent years, more and more users have chosen to outsource files to cloud servers with the popularization of mobile devices (e.g., wireless sensors) and the development of cloud computing, since this can alleviate the local storage pressures and achieve convenient access to data.However, the cloud server is semi-trusted, and users' files may contain sensitive information.To ensure personal privacy and data security, users will encrypt files and outsource the ciphertexts to the cloud server.This is a problem about how to retrieve the ciphertexts stored on the cloud server.
Searchable encryption (SE) provides the possibility of solving such problems, and it is currently being considered for cloud computing and wireless sensor networks.In an SE mechanism, a user (or sensor) first encrypts files with the SE algorithm and then stores the ciphertexts on the cloud server.For the search, the corresponding search token generated by the user (sensor) is sent to the cloud server.With the token, the cloud server executes relevant retrieval operations and returns the matching ciphertexts.The user (sensor) decrypts the ciphertexts to obtain the required files.In the above process, the files are stored in the encrypted form, which reveals no information about the contents of the files.Therefore, SE not only ensures data confidentiality, but also utilizes the powerful computing power of the cloud server.Research on SE mainly include public key encryption with keyword search (PEKS) and searchable symmetric encryption (SSE), which correspond to public-key cryptography and symmetric-key cryptography, respectively.SSE was first proposed in 2000 [1], then it became one of the important research directions in SE due to its fast computing speeds and small calculation overheads.
A practical SSE scheme should have desirable properties such as dynamism, high efficiency and security.The dynamic scheme is a scheme in which one can update the encrypted file collection.Common dynamic operations include insertion, modification and deletion.In recent years, there have been many dynamic searchable symmetric encryption (DSSE) schemes [2][3][4][5][6][7][8][9] addressing this issue.Efficiency is the focus of all SSE schemes, because overhead is one of the decisive factors in judging whether a scheme is practical or not.There are many factors affecting efficiency, which can be roughly divided into two types: computational complexity and communication complexity.For computational complexity, an SSE scheme should provide fast searches and updates.In addition, due to the rapid development of multi-core processors, a scheme can be parallelizable to improve efficiency.Non-interactive operations are beneficial to reduce communication complexity.A fully-secure SE scheme should meet two requirements as follows: the first is that no information about the contents of the files can be derived from the ciphertexts; the second requirement is that no information be leaked in the retrieval process.It is difficult for SSE to guarantee the above two points.Since the first SSE scheme [1] was proposed, the security definitions have been continuously improved [10][11][12][13].Two security models proposed by Curtmola et al. [12] are widely used as the standard security models for SSE.We use the adaptive model called semantic security (indistinguishability) against adaptive chosen-keyword attacks (IND-CKA2).In addition, the research on security may involve multiple aspects such as trust management [14], data deduplication [15], access control [16] and cloud auditing [17].
Since its introduction, SSE has become more and more important in the cloud environment.A basic function of the cloud platform is data sharing, which enables multiple users to access the files shared by the data owner.Existing SSE schemes mostly focus on single-user access, which means that only one data owner is allowed to access the ciphertexts.Therefore, to solve the problem, multi-user searchable encryption [12] was proposed, which enables a group of users to search and decrypt all the encrypted files stored on the cloud.In early relevant studies, researchers wanted to realize multi-user management and data decryption by sharing the search key and the decrypt key, respectively.However, the users who leave the group still possess the keys, which can cause serious damage if they leak the keys.The keys need to be updated and the files need to be re-encrypted each time the group members change, which brings about significant overheads.

Related Work
In 2000, Song et al. [1] proposed the first practical SSE scheme, which achieved the target by sequentially scanning ciphertexts.This scheme is vulnerable to adversaries' statistical attacks, and its search complexity is linear in the overall size of files.To increase search efficiency, Goh [10] proposed a secure index scheme, which introduced the Bloom filter [18] as the index of a file.The Bloom filter is the binary data structure that can efficiently and quickly determine whether an element belongs to a collection, but it may draw wrong judgments.With the help of the indexes, the search complexity is linear in the number of files.In addition, Goh introduced a security definition for his scheme, namely IND1-CKA.IND1-CKA ensures the security of indexes, so that attackers do not obtain useful information from the indexes.Unlike the forward index used by Goh, Curtmola et al. [12] proposed a scheme based on the inverted index.The scheme creates an index for each keyword and thus achieves the sublinear and optimized search time.However, it is difficult for the inverted indexes to obtain dynamic updates.
In 2010, van Liesdonk et al. [2] proposed two SSE schemes supporting dynamic updates.Their one scheme requires interactive searches and updates, which increases the amount of data transfers while making processing delay larger.The other scheme is non-interactive, but the overhead grows with update operations.Based on the inverted index, Kamara et al. [3] presented a dynamic scheme, which achieved optimized search time.However, the scheme will leak information related to search tokens and does not support parallel processing.Subsequently, Kamara and Papamanthou [4] presented a dynamic scheme with a red-black tree as the index.This scheme was parallelizable, and the search complexity was logarithmic in the number of files.However, the scheme has interactive update operations.Recently, there have been several schemes aiming at improving the security performance of DSSE.Stefanov et al. [6] presented a DSSE scheme that supported forward privacy, which had small information leakage.Unlike any of the above schemes, Naveed et al. [7] presented a DSSE scheme based on blind storage.In the scheme, the server can only store and transmit data and cannot perform search operations, so it has better security.In order to achieve security against a malicious server, with the notion of universal composability (UC) [19], Kurosawa and Ohtaki [20] proposed a UC-secure SSE scheme.Then, Kurosawa and Ohtaki [5] proposed a UC-secure DSSE scheme, and the scheme was verifiable.On this basis, Kurosawa et al. [8] achieved better efficiency and security.
In 2006, Curtmola et al. [12] first presented multi-user searchable encryption.Their approach combined broadcast encryption [21] with single-user searchable symmetric encryption.Legitimate users access data with the shared key.Since the keys are the same, there are many problems in practical applications.Unlike key sharing, key distribution [22][23][24] can provide different keys, which is more suitable for data sharing in multi-user settings.In 2008, Bao et al. [25] designed a PEKSscheme that supports multi-user access, which avoids the use of the same keys.Their scheme uses a bilinear map and hash functions to re-encrypt the search tokens, but a bilinear map requires high overheads.Therefore, Dong et al. [26,27] successively presented two multi-user searchable encryption schemes based on RSA and Elgamal.Those are two PEKS schemes based on proxy cryptography [28].Subsequent schemes [29][30][31][32] have made further studies on multi-user searchable encryption.
To show the advantages of our scheme, we give the comparisons between our scheme and other schemes in Tables 1 and 2.

Our Contributions
In this work, we propose a multi-user searchable symmetric encryption scheme, which also achieves efficient updates for encrypted files.The scheme aims at the application scenario where a single data owner encrypts files and shares them among multiple users, and we use key distribution rather than key sharing to authorize users.Each authorized user has its own search key and decrypt key.The search and decrypt operations can be performed, combined with the complementary keys stored on the cloud server.Our index structure is the combination of a bit matrix and two static hash tables.Such a structure can support secure and efficient searches/updates.In addition, our scheme is parallelizable.We make the contributions as follows: (1) Our scheme avoids key sharing.For the search process, a search token generated by the search key is processed via re-encryption technology to obtain a new token, which can be used to search in the encrypted index.For the decryption process, we encrypt the key used for encrypting data and upload it to the cloud server.When the ciphertexts are decrypted, with re-encryption technology, the encrypted key is converted into the key that a user can employ.(2) Our scheme enables efficient searches.To improve efficiency, we use pseudo-random functions and hash functions instead of a bilinear map, which has low efficiency (a bilinear map is often used in multi-user searchable encryption schemes).Searching for a keyword takes O(n/p) parallel time.(3) Our scheme enables efficient updates.For the update process, the data owner simply sends an update token to the cloud server.Updating a file takes O(m/p) parallel time.(4) Our scheme meets the security requirements for query privacy, search unforgeability and revocability.
The remainder of this paper is structured as follows.We show some notations and define our system and security requirements in Section 2. Our construction is presented in Section 3. We provide the relevant security analysis and the performance analysis in Section 4 and Section 5, respectively.Finally, we give the conclusion in Section 6.

Notations
A symmetric encryption scheme is a triplet that contains polynomial-time algorithms (Gen, Enc, Dec).The algorithm Gen(1 k ) takes a security parameter k and outputs a secret key K; Enc(K, f ) takes a secret key K and a file f and outputs a ciphertext c; Dec(K, c) takes a secret key K and a ciphertext c and outputs a file f .Let be a symmetric encryption scheme and ε be another symmetric encryption scheme.Note that and ε are secure (indistinguishable) against chosen-plaintext attacks (IND-CPA).Table 3 gives some notations used in our scheme.
In our scheme, UL is the authorized user list stored on the cloud server, and the entries of the list are tuples (ui, a si , d si ), where ui denotes a user identifier and a si and d si denote the user's complementary keys.(a ui , d ui ) belongs to a user ui, where a ui and d ui denote the user's search key and decrypt key, respectively.We use a pseudorandom function , f id } is the query operation received by the cloud server, where q = w and q = f id denote the search query for keyword w and the update query for file f id , respectively.We write Q t = (q 1 , ..., q t ) to represent a collection of t queries, let U q = (u q1 , ..., u qt ) be the set of users who make a search query q = w, and let W t = (w 1 , ..., w t ) be the set of queried keywords and Γ t = (Υ 1 , ..., Υ t ) the set of t replies.an additive group (modulo q) Ω = (w 1 , ..., w m ) the set of all m keywords F = ( f id 1 , ..., f id n ) the set of n files C = (c id 1 , ..., c id n ) the collection of n corresponding ciphertexts

Architecture
Figure 1 shows the architecture of our scheme.The data owner outsources his/her own files to the cloud.To assure data security, the files must be stored in the encrypted form.The data owner authorizes a group of users to access the encrypted files stored on the cloud server, and he/she is responsible for updating the encrypted files and managing the group.Each user in the group generates search tokens and decrypts the ciphertexts with his/her own unique search key and decrypt key, respectively.The cloud server executes the retrieval operations with the search token and returns the results.2. UL ← AddUser(ui, MK): It is run by the data owner to authorize a new user ui.Using a user identifier ui and a master secret key MK, the data owner produces two key pairs (a si , a ui ) and (d si , d ui ).Then, (ui, a si , d si ) is sent securely to the cloud server, and (a ui , d ui , s 1 ) is sent securely to the user ui.The cloud server updates its authorized user list UL = UL ∪ (ui, a si , d si ). 3. (C, γ) ← Enc(MK, F, δ): Given a master secret key MK, the files F and an index δ, the data owner generates the ciphertexts C and the encrypted index γ.Then, C and γ are uploaded to the cloud server.4. K ← KeyEnc(d, K): It is run by the data owner to encrypt the secret key K.It outputs the encrypted secret key K for the cloud server.5. T ui (w) ← SrchToken(a ui , w): Given the user's search key a ui and a keyword w, a user ui generates a corresponding search token T ui (w).6. C w ← Search(T ui (w), γ): Given a search token T ui (w) and an encrypted index γ, the cloud server returns the results C w , which contain the keyword w. 7. K ← KeyDec(d si , d ui , K ): It is run by the cloud server and a user ui.It takes the user's decrypt key pair (d si , d ui ) and the encrypted secret key K as input.It outputs the secret key K for the user ui. 8.
f j ← Dec(K, c j ): Given the secret key K and a ciphertext c j , a user ui gets the file f j .9. T f ← U pdToken(MK, β, f id ): Given a master secret key MK, the type β and a file f id , the data owner generates an update token T f .10. (C , γ ) ← U pdate(T f , C, γ): Given an update token T f , the ciphertexts C and an encrypted index γ, the cloud server generates the new ciphertexts C and the new encrypted index γ .11. UL ← RevokeUser(ui): Given a user identifier ui, the cloud server updates its authorized user list UL = UL \ (ui, a si , d si ).
Correctness: A multi-user searchable symmetric encryption scheme is correct if for all security parameters k, for all parameters Params and keys MK from Gen(1 k ), for all F, for all tuples (C, γ) from Enc(MK, F, δ) and for all successive search/update operations on γ, a legitimate user ui always gets the correct files F w , which contain the search keyword w.

Security Requirements
In our scheme, the cloud server is considered to be semi-trusted, which means that it will gather as much information as possible while complying with the protocol.In addition, we do not consider the case of user-server collusion.Ideally, a secure scheme should leak no information about the plaintexts and queries to malicious attackers.However, a practical scheme will inevitably leak the search pattern and access pattern.Definition 2. Search pattern P(δ, q, t): Given a search query q = w at time t, the search pattern is a binary vector of length t with a one at location i if the search at time i ≤ t was for w; and zero otherwise.The search pattern determines whether the same keyword was searched in the past.Definition 3. Access pattern ∆(F, δ, w, t): Given a search query q = w at time t, the access pattern is the identifiers from F w at time t.
We define the following leakage functions [13] for our scheme.1.
1 (F, δ): It takes the files F (containing their identifiers) and the index δ as input. 1 outputs the maximum number of keywords m, the maximum number of files n, the identifiers id of files and the size of each file 2 (F, δ, w, t): It takes as input the files F, the index δ and a queried keyword w at time t. 2 outputs the search pattern P(δ, q, t), the access pattern ∆(F, δ, w, t) and the number of authorized users |UL|.Specifically, 2 (F, δ, w, t) = (P(δ, q, t), ∆(F, δ, w, t), |UL|).Definition 5. View of an adversary V t : Given t queries, the view of an adversary is the transcript of the interactions.Specifically, V t = (C, γ, id 1 , ..., id n , Q t , U q , Γ t , UL).
We first consider the security requirement for query privacy.Apart from the information derived from the view, the adversary should obtain no extra information.We define query privacy as a simulation-based game between an adversary and the challenger.The view of an adversary V t is from the interactions with the challenger in a real situation, and V * t is from the interactions with a simulator in the ideal status.The scheme achieves query privacy if V * t and V t are computationally indistinguishable.Now, we use the notions of dynamic IND-CKA2 [3,4] and give our security definition for query privacy.Definition 6.Let MSSEbe a multi-user searchable symmetric encryption scheme as defined in Definition 1.Consider the following probabilistic experiments, where A is a stateful adversary and S is a stateful simulator: Real A (k): The challenger generates Params and MK by Gen(1 k ).Then, A generates (F, δ) and obtains (C, γ) ← Enc(MK, F, δ) from the challenger.A makes a polynomial number of adaptive queries q ∈ {w, f id }.If q = w, then A obtains a search token T ui (w) ← SrchToken(a ui , w) from the challenger.If q = f id with the type β, the challenger generates an update token T f ← U pdToken(MK, β, f id ) for A. Eventually, A returns a bit b as the output of the experiment.
Ideal A,S (k): Given 1 (F, δ), S produces (C * , γ * ) for A. A makes a polynomial number of adaptive queries q * ∈ {w, f id }.For each adaptive query, S is given 2 (F, δ, w, t).If q * = w, S generates a search token T * ui (w).If q * = f id with the type β, then S returns an update token T * f .Eventually, A returns a bit b as the output of the experiment.
We say that MSSE is ( 1 , 2 )-secure against adaptive dynamic chosen-keyword attacks if for all probabilistic polynomial-time (PPT) adversaries A, there exists a PPT simulator S such that: Compared with the previous SSE, the multi-user scheme should not only achieve query privacy, but also meet the security requirements for search unforgeability and revocability.
In the multi-user scheme, each user ui makes search queries by his/her unique search key.We require that the malicious user A U or the cloud server A S cannot produce a valid search token T ui (w) on behalf of ui.This property is referred to as search unforgeability.For a user ui, his/her valid search queries are defined as Q ui = {T ui (w)|T ui (w) ← SrchToken(a ui , w), w ∈ Ω}.Thus, search unforgeability is defined as that for each authorized user ui, adversaries cannot produce T ui (w) ∈ Q ui without the search key a ui .
For the multi-user application, it is a basic requirement to revoke the access authorities of users as needed.The revoked user cannot access the encrypted files stored on the cloud, which implies he/she is incapable of distinguishing the indexes.Therefore, revocability is defined based on index indistinguishability.

Index Structure
The index δ is an m × n matrix, and I is another m × n matrix.We store the encrypted δ[i, j] in I[i, j], where δ[i, j] ∈ {0, 1}, I[i, j] ∈ {0, 1} for i = 1, ..., m and j = 1, ..., n.Two static hash tables are used to uniquely map each keyword-file pair (w, f id ) to the indices (i, j) in δ and I.A hash table is composed of tuples (key, value).The key is a k-bit binary string, and key indicates the location in the table.The value in the hash table can be accessed in O(1) time.We use a static hash table α w , which has the tuple (λ w x , i), where λ w x = H(h ϕ wx ), ϕ w x = P s 1 (w x ) for keyword w x , i ∈ {1, ..., m}, x ∈ {1, ..., m}.
The access operations can be represented as i ← α w (λ w x ).We use another static hash table α f , which has the tuple (λ f y , j), where λ f y = R s 2 (id y ) for the identifier id y of file f id y , j ∈ {1, ..., n}, y ∈ {1, ..., n}.Similarly, the access operations can be represented as j ← α f (λ f y ).Our encrypted index γ includes the matrix I and the hash table α w .Figure 2 shows the index structure.
Note that we write I[i, * ] and I[ * , j] to represent all elements in the i-th row and the j-th column of the matrix I, respectively.I T denotes the transpose of the matrix I.

Concrete Scheme
The construction of our scheme is as follows:

•
(Params, MK) ← Gen(1 k ): Given a security parameter k, the data owner generates the master public parameters Params = (G, g, q, h = g a , P, R, H) and a master secret key MK = (a ∈ Z q , d ∈ Z q , s 1 , s 2 , K), where K = g µ , g µ R ← − G. • UL ← AddUser(ui, MK): Given a user identifier ui and a master secret key MK, the data owner generates two key pairs (a si Then, (ui, a si , d si ) is sent securely to the cloud server, and (a ui , d ui , s 1 ) is sent securely to the user ui.The cloud server updates its authorized user list UL = UL ∪ (ui, a si , d si ).The data owner keeps the master secret key MK.
The data owner generates the ciphertexts C and an encrypted index γ as follows: (1) Initialize two matrices δ and I; all elements are set to zero.Extract all distinct keywords (w 1 , ..., w m ) from the files F = ( f id 1 , ..., f id n ), where m ≤ m and n ≤ n.
The data owner generates the encrypted secret key K = K d = g µd .Then, K is sent to the cloud server.

•
T ui (w) ← SrchToken(a ui , w): With a random number r R ← − Z q , a user ui produces a search token T ui (w) = (τ 1 , τ 2 ), where τ 1 = g −r g ϕ w , τ 2 = h r g −a ui r g a ui ϕ w , ϕ w = P s 1 (w) for the given keyword w.
• C w ← Search(T ui (w), γ): On receiving a search token T ui (w) = (τ 1 , τ 2 ), the cloud server generates the results C w as follows: (1) If (ui, a si ) can be found in authorized user list UL, compute where c j denotes the ciphertext associated with j.
(3) Output C w .The cloud server returns C w to the user ui.
• K ← KeyDec(d si , d ui , K ): Given the encrypted secret key K , the cloud server finds the corresponding (ui, d si ) for a user ui and computes K = (K ) For K , the user ui uses the decrypt key The data owner generates an update token T f for a file f id as follows: (1) Initialize two arrays δ[i] and Ī[i] for i = 1, ..., m; all elements are set to zero.Compute (2) If the type β is insertion or modification: a) Extract all distinct keywords (w 1 , ..., w β ) from the file f id .
(2) Output the new ciphertexts C and the new encrypted index γ = (I, α w ).
• UL ← RevokeUser(ui): Given a user identifier ui, the cloud server updates its authorized user list UL = UL \ (ui, a si , d si ).

Correctness
Theorem 1.Our scheme as described above is correct.
Proof.Given an encrypted index γ = (I, α w ), then I[i, j] ← ε.Enc(h ϕ w , δ[i, j]) and i ← α w (H(h ϕ w )), ϕ w = P s 1 (w).With the search key a ui , a user ui generates a search token T ui (w ) = (τ 1 , τ 2 ) for a keyword w .The cloud server uses the complementary key a si to compute τ w = τ a si 1 • τ 2 = h ϕ w .We use a collision-resistant hash function H.If w = w, then H(h ϕ w ) = H(h ϕ w ).With i ← α w (H(h ϕ w )), the cloud server gets the decrypted index I [i, j] ← ε.Dec(h ϕ w , I[i, j]).Thus, the algorithm Search(T ui (w), γ) generates the correct results C w by properly decrypting row i.Finally, with the decrypt key pair (d si , d ui ), the user ui gets the secret key K to decrypt C w .

Security Analysis
4.1.Query Privacy Theorem 2. Our scheme as described above is ( 1 , 2 )-secure in the random oracle model according to Definition 6.
Proof.During the interactions with the challenger, an adversary A generates a view V t , and a simulator S can also simulate a view V * t by using the information that will be allowed to leak.Now, we show that V * t is computationally indistinguishable from V t .
For the real view of A, V t = (C, γ, id 1 , ..., id n , Q t , U q , Γ t , UL), S simulates the view ← − Z q for each user.The security of the ciphertexts is based on symmetric encryption, so C * is computationally indistinguishable from C. Symmetric encryption and pseudorandom functions ensure the indistinguishability between γ * and γ.During the construction of the authorized user list, the complementary keys are randomly assigned to each user, so UL * and UL are also computationally indistinguishable.
For t > 0, given 2 (F, δ, w, t) = (P(δ, q, t), ∆(F, δ, w, t), |UL|), S simulates the view V * t = (C * , γ * , id 1 , ..., id n , Q * t , U * q , Γ * t , UL * ) as follows.Note that all queries in Q t are issued by different users, and they may make a search query for the same keyword.The query operation q * ∈ {w, f id } includes the search query q * = w and the update query q * = f id .For q * = w, S randomly selects a user ui * with its search key a * ui = a * − a * si and its random number r * R ← − Z q .With the corresponding key ϕ * w , S generates a search token w .The randomly selected key ϕ * w and pseudorandom function ϕ w = P s 1 (w) are computationally indistinguishable, so T * ui (w) is computationally indistinguishable from T ui (w).The user ui * is randomly selected to generate T * ui (w), so U * q and U q are also computationally indistinguishable.For q * = f id , if the type β is insertion or modification, S simulates the ciphertext c * by using the symmetric encryption .With m randomly selected keys ϕ * w , S constructs the array δ * [i] for i = 1, ..., m and encrypts δ * : ).Then, S generates an update token T * f = (c * , j, Ī * ), where j can be derived from α * f and f id .Therefore, we can see that T * f is computationally indistinguishable from T f .• Γ * t : For q * = w, if w appears in ∆(F, δ, w, t), it outputs the corresponding results.Otherwise, A performs the algorithm Search(T * ui (w), γ * ) to generate the corresponding results.Therefore, Γ * t and Γ t are computationally indistinguishable.
In conclusion, V * t is computationally indistinguishable from V t .Therefore, for all PPT adversaries A, the outputs of Real A (k) and of Ideal A,S (k) are negligibly close:

Search Unforgeability
Theorem 3. Our scheme as described above achieves search unforgeability.
Proof.For the malicious user A U : Consider the search token T ui (w) = (τ 1 , τ 2 ), where τ 1 = g −r g ϕ w , τ 2 = h r g −a ui r g a ui ϕ w = h r g a ui (ϕ w −r) , ϕ w = P s 1 (w), r R ← − Z q and all authorized users know (g, h = g a , s 1 , P).For a user ui, if A U wants to generate T ui (w) ∈ Q ui without the search key a ui , then A U has to compute the discrete logarithm for τ 2 = h r g −a ui r g a ui ϕ w = h r g a ui (ϕ w −r) .We can consider the equation: y = g x mod p.Given (y, g, p), it is very hard to obtain x in polynomial time.That means A U cannot generate T ui (w) ∈ Q ui without the search key a ui .
For the cloud server A S : A S can make a search query q = w with τ w = τ a si 1 • τ 2 = h ϕ w , and A S knows (a si , g, h = g a , P).However, without s 1 , A S would not compute ϕ w = P s 1 (w).Therefore, if A S wants to make a search query q = w, A S has to generate a search token T ui (w) = (τ 1 , τ 2 ), where τ 1 = g −r g ϕ w , τ 2 = h r g −a ui r g a ui ϕ w = g a si r g a ui ϕ w .That means A S needs to compute the discrete logarithm for τ 1 and τ 2 .Now, there is no proper algorithm to find the discrete logarithm.Hence, A S cannot generate T ui (w) ∈ Q ui without the search key a ui and s 1 .
Proof.In the algorithm Enc(MK, F, δ), the index δ is encrypted: I[i, j] ← ε.Enc(h ϕ w , δ[i, j]), where i ← α w (H(h ϕ w )).An authorized user ui does not have the hash table α w , so for keyword w, he/she cannot find the corresponding position in I without the assistance of the cloud server.Hence, if the cloud server deletes (ui, a si , d si ) from UL, the revoked user ui is incapable of distinguishing keywords w 1 and w 2 in I.

Performance Evaluation
Let M be the length of modulus q, L the length of the outputs for the hash function, E a symmetric encryption operation, e a modular exponentiation, b a bilinear operation, v an inversion operation, n the maximum number of files, m the maximum number of keywords and p the number of parallel processors, respectively.We compare our scheme with several multi-user searchable encryption schemes in Table 4. Compared to the schemes in [25,26] that require bilinear operations, which have high overheads, our scheme has better search efficiency.For the encryption process, our scheme takes less time than [27].From the above table, the search time of all schemes is asymptotically O(n).However, our scheme is parallelizable because it involves the operations for independent vector positions.Thus, the search time for a keyword is O(n/p) parallel time, and the update time for a file is O(m/p) parallel time.

Conclusions
Many previous SSE schemes are limited to single-user settings, which cannot meet the needs of data sharing.For this reason, we presented a multi-user searchable symmetric encryption scheme that uses key distribution and re-encryption to achieve multi-user access.In our scheme, each user performs search operations via his/her unique search key, and others are prevented from searching on behalf of a user.We use a simple and practical index structure, namely the combination of a bit matrix and two static hash tables.With the index structure, our scheme allows efficient searches and updates.Specifically, the search time for a keyword is O(n/p) parallel time, and the update time for a file is O(m/p) parallel time.Our scheme obtains revocation operations.For security, we prove that our scheme is IND-CKA2-secure.
Our scheme only supports single-keyword search.In our future work, we will consider how to make our scheme support multi-keyword search, which can achieve expressive search operations in multi-user settings.In addition, we will consider the verifiability of search results.

Figure 1 .
Figure 1.Architecture of multi-user searchable symmetric encryption with dynamic updates.

Table 1 .
Comparison of different dynamic searchable symmetric encryption (DSSE) schemes.Let n be the maximum number of files, n the number of files that contain a search keyword, m the maximum number of keywords, m the number of unique keywords in a file, ι the number of update operations and p the number of parallel processors, respectively.

Table 2 .
Feature comparison of multi-user searchable encryption schemes.
id 1 , ..., id n , UL * ) is generated as follows.S simulates the ciphertexts C * by using the symmetric encryption .To generate the encrypted index γ * = (I * , α * w ), S first constructs the hash table α * f and the index δ * , where all elements of δ * are randomly set to zero or one.With m randomly selected keys ϕ * w , S constructs the hash table α * w and encrypts δ * for j = 1, ..., n: I * [α * w (H(h ϕ * w )), j] ← ε.Enc(h ϕ * To construct the authorized user list UL * based on the number of authorized users |UL|, S generates a random user identifier and the complementary keys a w , δ * [α * w (H(h ϕ * w )), j]).

Table 4 .
Performance comparison of several multi-user searchable encryption schemes.