Privacy-Preserving and Efﬁcient Public Key Encryption with Keyword Search Based on CP-ABE in Cloud

: In the area of searchable encryption, public key encryption with keyword search (PEKS) has been a critically important and promising technique which provides secure search over encrypted data in cloud computing. PEKS can protect user data privacy without affecting the usage of the data stored in the untrusted cloud server environment. However, most of the existing PEKS schemes concentrate on data users’ rich search functionalities, regardless of their search permission. Attribute-based encryption technology is a good method to solve the security issues, which provides ﬁne-grained access control to the encrypted data. In this paper, we propose a privacy-preserving and efﬁcient public key encryption with keyword search scheme by using the ciphertext-policy attribute-based encryption (CP-ABE) technique to support both ﬁne-grained access control and keyword search over encrypted data simultaneously. We formalize the security deﬁnition, and prove that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack. Finally, we present the performance analysis in terms of theoretical analysis and experimental analysis, and demonstrate the efﬁciency of our scheme.


Introduction
With the rise and popularity of cloud computing technology, more and more data users are motivated to outsource their data to cloud for storage, and start to enjoy the various advantages brought by cloud computing, such as large storage capacity, flexible accessibility and vast computationality. By outsourcing data to the cloud, data users are relieved from the heavy burden of local storage and management costs. However, as the cloud server is not fully trusted and the outsourced data may contain sensitive information, sensitive data privacy and security in the cloud naturally become a primary concern for users. In order to address this issue, sensitive data should be encrypted before outsourcing to the cloud. Typical practical applications include cloud-based storage systems, such as electronic medical record systems where electronic health record data-sharing can help doctors to effectively assess patients' conditions and make correct treatments. To prevent the leakage of patient information, we store the encrypted medical data on the cloud. Although encryption can ensure the confidentiality of data, it brings the inconvenience of data access and processing. For example, when doctors want to query the required medical data, the cloud server needs to perform search functions without knowing the content of the data. However, the conventional information retrieval methods based on plaintext can not directly be used on ciphertext. Therefore, how to search over encrypted data is of importance and becomes a new challenge.
Homomorphic encryption [1,2] can operate on encrypted data, it can be used to search the keyword over encrypted data theoretically. However, constructions based on homomorphic encryption needs large key sizes and brings huge communication costs. To better solve the keyword search problem over encrypted data, searchable encryption (SE) was proposed as an efficient solution. SE not only enables users to search queries over encrypted data stored on an untrusted server but also protects data privacy and search privacy. Compared with homomorphic encryption, SE is designed for keyword search, which is more efficient.
Song et al. [3] seminally proposed the notion of searchable encryption, which was the first concrete symmetric searchable encryption (SSE) construction. Subsequently, a number of efficient SSE schemes [4][5][6][7][8][9][10] have been proposed. However, data users have to securely share key for encryption in SSE schemes due to the property of symmetric cryptography. Therefore, most SSE schemes inevitably suffer from secret key distribution and management problems. Later, at Eurocrypt'04, Boneh et al. [11] first introduced the concept of public key searchable encryption based on the public key encryption algorithm, namely public key encryption with keyword search (PEKS). PEKS solved the secret key management and distribution yield by SSE, so PEKS has aroused great attention in research and has a broader application prospect.
PEKS is a critically important and promising technique, and this paper concentrates on PEKS. At present, various PEKS schemes have been proposed in the literature [12][13][14][15][16][17][18][19][20], and PEKS has been rapidly developed [21]. Most existing PEKS schemes focus on data users' rich search functionalities, such as conjunctive keyword search [14] and multi-keyword search [20]. In the above schemes, all search users can be regarded as authorized users, who can have unrestricted access to the system. However, it is not suitable for practical requirements. For example, only the mail receiver is allowed to search on the encrypted emails in the cloud-based email system, while other users have no such permissions. To solve this problem, CP-ABE technology is widely adopted as a viable tool to achieve flexible data access control over encrypted data, which can gain one-to-many encryption instead of one-to-one.
Zheng et al. [22] constructed an attribute-based keyword search scheme on the basis of CP-ABE, however, computation and storage costs grow linearly with the number of system attributes. Yin et al. [23] improved the work of Zheng, but encryption and key generation operations also lead to much higher computational overheads. Thus, in this paper, we propose a new privacy-preserving and efficient public key encryption with keyword search scheme based on ciphertext-policy attribute-based encryption (PEKS-CPABE) to support both fine-grained access control and keyword search over encrypted data simultaneously. Specifically, the main contributions of this paper can be summarized as follows.

•
We propose an efficient and privacy-preserving PEKS-CPABE scheme, which enables the data owner to control the search and use of its outsourced encrypted data in the cloud according to its access control policy. Our scheme can achieve keyword search queries over encrypted data with fine-grained access control;

•
We formalize the security definition, and prove that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack and can also ensure keyword privacy; • We present the performance analysis in terms of theoretical analysis and experimental analysis, and demonstrate the efficiency of our scheme. Finally, the experimental results show that our PEKS-CPABE scheme performs better than the CP-ABKS scheme proposed in [22] and CP-ABSE scheme proposed in [23].
The remainder of this paper is organized as follows: Section 2 presents an overview of related work. Section 3 reviews some necessary and basic preliminary notions used in this paper. Section 4 defines the system model, algorithm description and security model of our proposed scheme. Section 5 introduces the concrete construction of our proposed scheme. Section 6 provides detailed security proof of our proposed scheme. Section 7 shows the performance analysis of our proposed scheme in terms of theoretical analysis and experimental analysis. Finally, Section 8 summarizes this paper.

Related Work
In 2004, Boneh et al. [11] devised the first public key searchable encryption scheme based on a standard public key encryption algorithm. In this scheme, multiple users are allowed to encrypt data using the public key, but only the private key holder can search the keyword over encrypted data. Inspired by Boneh et al. pioneering work, more and more researchers have been working on the public key searchable encryption to achieve various functionalities. Park et al. [13] first proposed a PEKS scheme to support conjunctive keyword search on encrypted data. Subsequently, Boneh and Waters [14] extended PEKS to support conjunctive, subset, and range queries on encrypted data. Later on, Lv et al. [18] proposed an expressive and secure PEKS scheme based on composite-order groups to support conjunctive, disjunctive and negation search operations that can be extended to support a range search. Huang and Li [19] proposed a public key authenticated encryption with keyword search scheme that can resist the inside keyword guessing attack, in which the data user can use the secret key to authenticate the data. Recently, Zhang et al. [20] constructed a novel PEKS scheme supporting semantic multi-keyword search by leveraging an efficient inner product encryption technology. These schemes guarantee that data users are able to efficiently perform search queries and prevent the untrusted cloud server from infringing data confidentiality and search privacy.
Attribute-based encryption (ABE), as a useful data encryption tool to address the problem of fine-grained data sharing and decentralized access control, was first proposed by Sahai and Waters [24]. This kind of new cryptographic technology enables users to achieve access control over encrypted data by using an access control policy associated with the private key or ciphertext. There are two types of attribute-based encryption, depending on whether the private key or ciphertext is associated with the access control policy, namely key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). Goyal et al. [25] proposed the first KP-ABE scheme, where the private key is associated with an access control policy and the ciphertext is associated with attributes. A user can decrypt a ciphertext only if the attributes that are used for encryption satisfy the access policy on the user private key. Bethencourt et al. [26] proposed the first CP-ABE scheme, where the ciphertext is associated with an access control policy and the key is associated with attributes. A user can decrypt a ciphertext only if the attributes on the user private key satisfy the access policy associated with the ciphertext. Compared with KP-ABE, CP-ABE is a preferred choice for designing an access control mechanism, because it is conceptually closer to traditional role-based access control.
Based on the special features of ABE, Zheng et al. [22] proposed a ciphertext-policy attribute-based keyword search (CP-ABKS) scheme, in which keywords are encrypted with an access control policy so that only data users with a legitimate credential can generate the trapdoor used to search over encrypted data. Dong et al. [27] introduced an enhanced attribute-based keyword search scheme via an online/offline approach. Their schemes mainly consider resource-constrained mobile devices, and allow data owners and data users to perform related operations online and offline. However, two encryption and decryption operations incur huge computational costs. Li et al. [28] proposed an attribute-based keyword search scheme with outsourcing key-issuing and outsourcing decryption, which is shown to be secure against chosen-plaintext attack, but it introduces three cloud storage providers and needs a number of expenses. Sun et al. [29] designed an authorized keyword search scheme with user revocation by utilizing CP-ABE technology, however, the computational costs in the trapdoor generation grow linearly with the number of system attributes. Qiu et al. [30] proposed a hidden policy attribute-based keyword search scheme to protect the privacy of the access control policy, which incurs abundant computational costs at the same time. Recently, Yin et al. [23] proposed a ciphertext-policy attribute-based searchable encryption scheme, and improved the scheme of Zheng et al. Inspired by both the work of Zheng and Yin, in this paper, we propose a new privacy-preserving and efficient public key encryption with a keyword search scheme based on ciphertext-policy attribute-based encryption (PEKS-CPABE) to support both fine-grained access control and keyword search over encrypted data simultaneously.

Preliminaries
In this section, we review some necessary and basic preliminary notions used in this paper.

Bilinear Map
Let G and G T be two multiplicative cyclic groups with the same prime order, p. g is a generator of G. Letê : G × G → G T be a computable bilinear map. The mapê has the following properties: • Bilinearity: Given a, b ∈ Z * p and for all g ∈ G, there existsê(g a , g b ) =ê(g, g) ab ; • Non-degeneracy:ê(g, g) = 1; • Computability: Given a, b ∈ Z * p and for all g ∈ G, there is an efficient algorithm to computê e(g a , g b ) ∈ G T .

Decisional Bilinear Diffie-Hellman Assumption
Decisional Bilinear Diffie-Hellman (DBDH) Assumption is given as follows: Let G be a cyclic group with prime order p. g is a generator of G.ê : G × G → G T is a bilinear map. We define the advantage as of a PPT adversary A to solve the DBDH problem as Adv DBDH We say that the DBDH assumption holds if the PPT adversary has a negligible advantage in solving the DBDH problem.

Access Structure
Access structure is defined by the concepts of an authorized access subset and unauthorized access subset. Let P = {P 1 , P 2 , · · · , P n } be a set of parties. A collection A ⊆ 2 P is monotone if ∀B, C: if B ∈ A and B ⊆ C, then C ∈ A. A monotone access structure is a monotone collection A which is a non-empty subset for {P 1 , P 2 , · · · , P n }, i.e., A ⊆ 2 P \{∅}. The set in A is called an authorized set, and the set not in A is called an unauthorized set.

Access Tree
An access tree is usually used to represent an access control policy. Let T be an access tree, and each non-leaf represents a threshold gate described by a threshold value and the number of its children nodes. Let num x represent the number of children of node x, and the children be labeled from the left to the right as {1, · · · , num x }. Let k x represent the threshold value of x with 1 ≤ k x ≤ num x . If k x = 1, the logic gate of node x is an "OR" gate. If k x = num x , the logic gate of node x is an "AND" gate. In an access tree T, a leaf is associated with an attribute, so each leaf node of T is described by an attribute and a threshold value k x = 1.
Let parent(x) denote the parent of node x, att(x) denote the attribute associated with leaf node x, and lvs(T) denote the set of leaves of the access tree T. Let index(x) denote the label of the node x, and T x represent the subtree of T rooted at node x (thus, T root = T). If an attribute set γ meets the access tree T x , we denotes it as T x (γ) = 1. Otherwise, T x (γ) = 0. When x is a leaf node, if and only if att(x) ∈ γ, then T x (γ) = 1. When x is a non-leaf node, we can compute T x (γ) for each child node x of node x. If at least k x children of the node x return 1, then T x (γ) = 1.

System Model
In this section, we present the system model, the algorithm description of our proposed scheme and the security model.

System Model
The system model for our proposed scheme is shown as Figure 1, which involves four types of entities, namely Trusted Authority (TA), Data Owner (DO), Data User (DU) and Cloud Service Provider (CSP). First, the DO extracts the keywords from each data file and builds a secure-searchable keyword index with an attribute-based access policy before outsourcing them into the CSP. The CSP is responsible for many services, such as data storage, computation and search. When a DU wants to issue a search query over encrypted data, he will generate a search trapdoor according to his interested keyword by using his private key and submit it to the CSP. Having received the trapdoor, the CSP attempts to check whether the specified search keyword matches with the index, without knowing the content of the encrypted data and the search keyword. Finally, the CSP returns the corresponding search results to the DU if and only if the attributes of the data user on the trapdoor satisfy the access policies of secure-searchable indexes, and the search trapdoor matches the keyword index. In addition, a TA is in charge of generating and distributing public keys and master keys.

Algorithm Description of PEKS-CPABE Scheme
In this section, we present an overview of our proposed scheme, which is a tuple of five algorithms.

•
Setup(1 λ ): The setup algorithm is invoked by the TA, which takes as input the security parameter λ, and outputs the public parameter pp and the master private key msk; • KeyGen(pp, msk, S U ): The key generation algorithm is invoked by the TA, which takes as input the public parameter pp, the master private key msk and the data user's attribute set S U , and outputs the private key of the data user SK U ; • Encryption(pp, T, w): The encryption algorithm is invoked by the DO, which takes as input the public parameter pp, the access tree T and the index keyword w, and outputs the encrypted index I w ; • TrapGen(pp, SK U , w ): The trapdoor generation algorithm is called the DU, which takes as input the public parameter pp, the private key of the data user SK U and the search query for keyword w , and outputs the trapdoor for query keyword T w ; • Search(pp, I w , T w , S U ): The search query algorithm is called the CSP, which takes as input the public parameter pp, the encrypted index I w , the trapdoor for query keyword T w and the data user's attribute set S U . If the attributes of the data user on the trapdoor satisfy the access policies of secure searchable indexes, and the search trapdoor matches the keyword index, the algorithm returns 1. Otherwise, it returns 0.

Security Model
To demonstrate the security of our scheme, we design a security game: indistinguishability security against an adaptive chosen keyword attack (IND-CKA) game.
The IND-CKA security game between an adversary A and a challenger C is defined as follows.
• Init: The adversary A chooses a challenging access tree T * , which is sent to the challenger C; • Setup: The challenger C runs the Setup(1 λ ) algorithms to generate public parameters pp and master key msk. It gives pp to adversary A and keeps master key msk; • Phase 1: A can adaptively ask the simulator B for the trapdoors T w i of a series of keywords w i , and issue private key query and trapdoor query as follows: Private key query: The adversary A can adaptively ask the challenger C for a group of private keys SK U of some attributes. The challenger C runs the KeyGen(pp, msk, S U ) to generate a set of private keys SK U , and sends to the adversary A. The only restriction is that the responding private key does not satisfy T * , and the C maintains a list L SK U of private keys; Trapdoor query: The adversary A can adaptively ask the challenger C for the trapdoors T w of a series of keywords w . The challenger C runs the Trapdoor(pp, SK U , w ) to generate the trapdoor, and sends to the adversary A; • Challenge: The adversary A sends the challenger C two keywords w 0 , w 1 on which it wishes to be challenged. The challenger C randomly selects a bit b ∈ {0, 1} to encrypt and sends the encrypted keyword to the adversary A ;

PEKS-CPABE Construction
In this section, we give a concrete construction of the proposed PEKS-CPABE scheme. •

Setup(1 λ ):
The setup algorithm is called by the TA, which takes as input the security parameter λ, and outputs the public parameter pp and the master private key msk, which is processed as follows: -The TA first chooses two cyclic groups G and G T of order p, which is a λ bit prime, g is the generator of G, and selects a bilinear mapê : G × G → G T ; -Let H 1 : {0, 1} * → Z * p and H 2 : {0, 1} * → G be two secure hash functions; -Then, the TA selects a random element α, β ∈ Z * p and sets pp = (G, G T , p,ê, g, g α , g β , H 1 , H 2 ), msk = (α, β); •

KeyGen(pp, msk, S U ):
The key generation algorithm is invoked by the TA, which takes as input the public parameter pp, the master private key msk and the data user's attribute set S U , and outputs the private key of the data user SK U , which is processed as follows: -The TA randomly selects r ∈ Z * p and computes K = g α+r β , K = g r ; -For each attribute at j ∈ S U , compute K at j = K g H 1 (at j ) ; -Set the private key of the data user as The encryption algorithm is invoked by the DO, which takes as input the public parameter pp, the access tree T and the index keyword w, and outputs the encrypted index I w , which is processed as follows: -The DO first computes I 1 =ê(g, g) αsê (g sβ , H 2 (w)), I 2 = g sβ ; -For each node x in the access tree T, the DO chooses a d x degree polynomial q x in a top-down manner, where d x = k x − 1, where k x is the threshold value of node x; -For the root node root of access tree T, the DO randomly picks up a secret key s ∈ Z * p and sets q root (0) = s. Then, the DO randomly chooses d root other points of to define the polynomial q root completely; -For other non-root node x, the DO sets q x (0) = q parent(x) (index(x)), and randomly chooses d x other points to define the polynomial q x completely; -Finally, for each node x ∈ lvs(T), compute A x = g q x (0) and B x = g H 1 (att(x))q x (0) . The encrypted index is given as TrapGen(pp, SK U , w ): The trapdoor generation algorithm is called the DU, which takes as input the public parameter pp, the private key of the data user SK U and the search query for keyword w , and outputs the trapdoor T w , which is processed as follows: -The DU computes T 0 = K 1 H 2 (w ) = g α+r β H 2 (w ); -For each at j ∈ S U , compute T at j = K at j . The trapdoor is given as The search query algorithm is called by the CSP, which takes as input the public parameter pp, the encrypted index I w , the trapdoor for query keyword T w and the data user's attribute set S U . The CSP selects a data user's attribute set S U that satisfies the access tree T contained the encrypted index. If S U does not exist, the algorithm returns 0. Otherwise, it computes as follows: -If the node x is a leaf node in the T, for each attribute at j ∈ S U , then e(g,B x ) =ê (g r g H 1 (at j ) ,g qx (0) ) e(g,g H 1 (att(x))qx (0) ) =ê(g, g) rq x (0) , att(x) = at j , x ∈ lvs(T).
-If the node x is a non-leaf node in the T, we get the E x by computing E x in a recursive manner, where x is the children nodes of x. Let S x represent an arbitrary k x set of children nodes x, if no such set exists, E x = ⊥; otherwise, compute as follows -If x is a root node in T, E root =ê(g, g) rq root (0) =ê(g, g) rs . Finally, ifê(I 2 , T 0 ) = E root I 1 , the search algorithm returns 1; otherwise, it returns 0.
Correctness. I 1 and I 2 are generated by the encryption algorithm, and T 0 is generated in the trapdoor generation algorithm. The proposed PEKS-CPABE scheme is correct when the following equation holds.

Security Proof
In this section, we give the security proof of the proposed PEKS-CPABE scheme. Based on the aforementioned security model, we provide a detailed security proof that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack.

Theorem 1. PEKS-CPABE scheme achieves IND-CKA security on the condition that DBDH problem is intractable.
Proof. Assume that A is an adversary that can break our proposed scheme, then we can construct a simulator B, and the goal is to distinguish between the DBDH tuple (g a , g b , g c , Z =ê(g, g) abc ) and a random tuple (g a , g b , g c , Z =ê(g, g) z )) where a, b, c, z ∈ Z * p . The IND-CKA security game between the adversary A and the simulator B is conducted as follows.
• Init: The adversary A first chooses an access tree T * to be challenged, which is sent to the simulator B; • Setup: The simulator B randomly chooses α, β ∈ Z * p , and computes g α ,g β ,ê(g, g) α . Then, B returns the public parameter pp = (G, G T , p,ê, g, g α , g β , H 1 , H 2 ) which is sent to adversary A. H 2 (w i ) is simulated as follows. If the w i has not been queried before, the simulator B randomly chooses ρ i ∈ Z * p , adds (w i , ρ i ) to the list O H 2 and outputs g ρ i ; otherwise, the simulator B returns g ρ i by searching ρ i from O H 2 ; • Phase 1: A can adaptively ask the simulator B for the trapdoors T w i of a series of keywords w i , and issue the O KeyGen and O Trapdoor oracles as follows.
O KeyGen : The adversary A can adaptively ask the simulator B for a group of private keys SK U 1 , · · · , SK U n of some attributes S U 1 , · · · , S U n . The attribute sets embedded into corresponding private keys do not satisfy T * . The simulator B randomly selects r ∈ Z * p and computes K = g α+r β . For each attribute at j ∈ S U , compute K at j = g r g H 1 (at j ) . The simulator B sends the private key SK U = (K, K at j ) to A, and maintains a list L SK U of private keys.
O Trapdoor : The simulator B first searches the O KeyGen oracle to obtain the secret key as For each at j ∈ S U , compute T at j = K at j . Finally, B generates the trapdoor as T w i = (T 0 , {(T at j )|∀at j ∈ S U }), and B sends T w i to the adversary A; • Challenge: The adversary A sends the simulator B two keywords w 0 , w 1 on which it wishes to be challenged. The simulator B randomly selects a bit b ∈ {0, 1} to encrypt and generates the encrypted keyword index as follows: where a ∈ Z * p . Then, B sends I w b to the adversary A; • Phase 2: The adversary A can repeat query in Phase 1 and continue to ask for any keyword of his choice, except for the w 0 ,w 1 ; • Guess: The adversary A outputs its guess b of b. If b = b, B outputs 1; otherwise B randomly outputs 0 or 1.
There are two conditions, as follows: 1.
If Z =ê(g, g) abc , a valid ciphertext I w b is given to the adversary A, and the adversary A has an advantage to win this game.
If Z =ê(g, g) abc , I w b is a random ciphertext. A has nothing to do with the guess, so the adversary A cannot acquire any advantage in this IND-CKA security game but a random guess. Therefore, we have Pr[B(g, g a , g b , g c , Z =ê(g, g) z ) = 1] = 1 2 .
Finally, the overall advantage that B can solve the DBDH problem in the IND-CKA security is as follows: Adv I ND−CKA B (λ) = 1 2 ( 1 2 + ) + 1 2 · 1 2 − 1 2 = 2 Thus, we have a conclusion that if the probabilistic polynomial time adversary A has a non-negligible advantage in breaking IND-CKA security, then we can construct a simulator B to solve the DBDH problem with the non-negligible advantage 2 . From the above analysis, we know that our proposed PEKS-CPABE scheme is IND-CKA secure on the condition that the DBDH problem is intractable. This completes the proof.

Performance Analysis
In this section, we show the performance analysis of our proposed PEKS-CPABE scheme in terms of theoretical analysis and experimental analysis, and further compare our proposed scheme with the state-of-the-art CP-ABKS [22] scheme and CP-ABSE [23] scheme. Table 1 shows the notations of the performance analysis. For the theoretical analysis, we mainly focus on the computation cost and storage cost. For convenience of comparison, we mainly consider several time-consuming operations, as follows: the bilinear pairing operation Pair mapping two elements in group G to group G T , the hash function operation H mapping the arbitrary string to an element in group G, a modular exponentiation operation E G in G and a modular exponentiation operation E G T in G T . We ignore the multiplication operations and hash operations mapping the arbitrary string to an element in group Z * p because of the increased efficiency.

Theoretical Analysis
In Table 2, we evaluate the computation cost of KeyGen algorithm, Encryption algorithm, TrapGen algorithm and Search algorithm under the same access control policy tree, respectively. We observe that our scheme is much more efficient than the CP-ABKS [22] scheme and CP-ABSE [23] scheme in the KeyGen algorithm and Encryption algorithm. Although we notice that our scheme has a higher computational overhead than the CP-ABSE [23] scheme in the TrapGen algorithm, the hash function operation time is minimal. In the Search algorithm, our scheme performs similarly to that of CP-ABSE [23] scheme, and the PEKS-CPABE scheme has a better performance than the CP-ABKS [22] scheme.
In Table 3, we show the storage cost comparison. We observe that the storage cost of our scheme outperforms the CP-ABKS [22] scheme and CP-ABSE [23] scheme in the KeyGen algorithm. In the execution Encryption algorithm and TrapGen algorithm, the storage cost of our scheme is the same as that of the CP-ABSE [23] scheme, but much less than that of the CP-ABKS [22] scheme. Although the CP-ABSE scheme has better search performance than the CP-ABKS scheme, the cost of KeyGen algorithm and Encryption algorithm bring in a much higher overhead. Our scheme solves this problem at the same time, with greater efficiency, therefore, with respect to theoretical analysis, our scheme is acceptable in the cloud.

Experimental Analysis
To evaluate the actual performance of our scheme, we implement CP-ABKS [22], CP-ABSE [23] and our scheme using Java language based on the Java Pairing Based Cryptography Library (JPBC) [31]. Our experimental platform is based on a Windows 10 server with Intel(R) Core(TM) i7-8565U CPU @ 1.80 GHz and 8.00GB RAM. The running environment of our experiment is Java Runtime Environment 1.8 (JRE1.8). In our experiment, we instantiated the bilinear map with Type A: For comparison convenience, we set the access policy tree as "AND" access tree "at 1 AND at 2 AND, · · · , AND at N ", and the number of a data user's attributes S is equal to the number of attributes that are involved in the access policy, from 1 to 50 with step length 10, namely, N = S ∈ [1, 50]. We conduct each experiment many times to obtain the average execution time under the same access control policy. Figure 2 shows the performance comparison of various schemes.
As shown in Figure 2a, we can find that the time of key generation in our scheme is more efficient than the CP-ABKS scheme and CP-ABSE scheme. For example, when setting N = 50, our scheme needs 1061 ms to generate keys, however, both CP-ABKS scheme and CP-ABSE scheme need 4333 and 4314 ms, respectively. As illustrated in Figure 2b, in our scheme, the time cost to generate ciphertexts is the lowest out of the three schemes. For example, when setting N = 50, our scheme needs 3074 ms to generate ciphertexts, however, both the CP-ABKS scheme and CP-ABSE scheme need 4375 and 4277 ms, respectively. From Figure 2c,d, we can show that our scheme has the better search performance. In the execution of trapdoor generation and search, our scheme and the CP-ABSE scheme outperform the CP-ABKS scheme. Therefore, our scheme is acceptable in practice and suitable for the cloud.

Conclusions
In this paper, we propose a privacy-preserving and efficient public key encryption with a keyword search scheme based on CP-ABE to support both fine-grained access control and keyword search over encrypted data simultaneously. Then, we show that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack on the condition that the DBDH problem is intractable. Meanwhile, we also analyzed the performance of our proposed scheme from the aspects of theoretical analysis and experimental analysis. At last, the experimental results further demonstrate that our scheme performs better than the CP-ABKS scheme proposed in [22] and CP-ABSE scheme proposed in [23]. Besides, our work only considers single keyword search. For the part of the future work, we try to enhance the search functionality and further explore an attribute-based multi-keyword search.