Abstract
Edge computing, as an extension of cloud computing, outsources encrypted sensitive data to edge nodes to decrease latency and improve broadband efficiency. Although attribute-based keyword search (ABKS) can ensure the security of outsourced data and promote fine-grained access control of data, deficiencies still exist under the general ABKS scheme in the cloud, as follows: shared files owned by a single data owner, inflexible access control, key escrow problem, and high computational overhead. We propose an attribute-based multidata owner searchable encryption scheme in cloud-edge computing with effective policy update to address these problems. The two-level access control is used to realize the common management and fine-grained sharing of data by the multidata owner. All user keys are jointly generated by the central authority and attribute authority, and a key escrow is no longer required. Moreover, partial encryption and decryption calculations are shifted from resource-constrained data owners and users to edge nodes. Furthermore, our scheme not only supports policy update but also realizes the dynamic updating of the index. The security proof and performance analysis show that the scheme has strong security and practicality in the edge computing environment.
1. Introduction
Cloud computing [1, 2] can provide services for massive resources and enable cloud clients to reduce the burden of local storage and computing. However, new industries such as smart cities, smart medicine, smart homes, and online education systems are starting to emerge in China. Smart devices, such as wearable medical devices, Internet of things (IoT) sensors, and smartphones, are also updated iteratively. The popularity of these applications poses a great challenge to centralised cloud computing, resulting in transmission delay and service degradation between users and the cloud. In particular, the large amount of data generated by IoT applications is usually stored in the cloud. The edge computing paradigm [3, 4], which extends cloud computing services to the network edge, has recently been studied to reduce delay and improve transmission efficiency. Edge computing is a distributed computing mode in which data storage is closer to the required location. It is mainly or completely executed on distributed device nodes. Edge computing can provide various services for users with limited resources. The edge nodes are closer to the user than the cloud, as shown in Figure 1. When sensitive data are outsourced to honest but curious edge nodes, data security and privacy issues [5] still hinder the application of edge computing because data owners lose physical control over their data in edge nodes or in the cloud.

Encryption is a preferred method to protect data confidentiality and reduce data privacy leakage risks, but the retrieval of encrypted data becomes very difficult. The searchable encryption (SE) technology enables the user to securely and selectively retrieve the files containing the encrypted data according to the keywords specified by the user. In addition, access control on encrypted data is an essential function in practical applications. Attribute-based encryption (ABE) [6] is an effective option to provide fine-grained access control and realizes data security. Therefore, combining the advantages of the two aspects, attribute-based keyword search (ABKS) [7–10] has received extensive attention in industrial and academic fields, such as online education. In the ABKS scheme, a user can access shared information if and only if the submitted token matches the index, and the attribute set satisfies the access policy embedded in the ciphertext.
ABKS is the most useful cryptographic tool for implementing fine-grained access control and keyword search functionalities, but most ABKS only consider the scenario of a single data owner, which is not suitable for many practical applications nowadays. In addition, there are also some issues to be concerned about: (1) the computing and storage overhead is proportional to the complexity of the access policy and the computing cost of the data owner and data user is too high. (2) When the attribute authority is maliciously attacked, the user’s key is at risk of leakage. (3) Data owners cannot support the update of the access policy when the encrypted data are stored in the cloud.
Therefore, we design a lightweight and fine-grained multidata owner encryption scheme in cloud-edge computing to address existing issues and realize keyword search and policy update. The proposed scheme uses two-level access control to encrypt shared resources and generate index information to ensure data security. Miao et al. [11] also proposed a verifiable fine-grained keyword search scheme by multiple data owners in cloud environment, which realizes multidata owner sharing of resources. Compared with this scheme, our proposed scheme avoids key escrow, provides outsourcing encryption, and realizes policy update. Secondly, edge computing is introduced into our scheme. It allows edge computing to undertake part of the calculation, storage, and operation of search work, which not only reduces the computing burden of data owners and data users but also improves the transmission speed. In this way, the cloud server is also prevented from obtaining any information about the keywords submitted by the user, and the connection between the obtained file and the keyword cannot be inferred, thereby improving the privacy protection of the searchable encryption mechanism. Furthermore, compared with the previous CP-ABKS solution, our proposed scheme allows edge nodes to directly update the index information related to the access policy when the policy changes. Specifically, the main contributions of this paper are as follows:
1.1. Secure Multidata Owner Authorisation
Shared data are co-owned by multidata owners, and a two-level access structure is used to control the user’s access ability. The combination of these technologies strengthens authorization management and data access control.
1.2. Fast Data Retrieval
Edge nodes possess some storage and computing abilities; they can reduce the delay caused by transmission in cloud computing. Thus, the index is stored on edge nodes, and the search work is carried out on edge nodes, thereby improving the search efficiency.
1.3. Lightweight Encryption and Decryption
Most calculations of data encryption, index generation, and decryption are shifted to the edge nodes due to the introduction of edge computing, greatly reducing the amount of calculation of resource limited data owners and data users.
1.4. Flexible Policy Update
Dynamic policy update is supported in our scheme to enrich the expression ability of access policy and maintain the freshness of the algorithm, and it is only carried out by edge nodes.
The remainder of the paper is organized as follows: the literature review for the system is presented in Section 2. Section 3 introduces the necessary background information of the paper. Section 4 defines the system model and security analysis for the system. Section 5 presents our construction and proves its correctness. Section 6 analyzes the security of the scheme. In Section 7, the performance and experiment of the proposed method are analyzed. Section 8 concludes this paper.
2. Related Work
2.1. Attribute-Based Searchable Encryption
The ABKS scheme has attracted much attention because of its fine-grained access control and search functions. Song et al. [12] first proposed the concept of searchable encryption in 2000 and implemented a searchable encryption scheme under the symmetric encryption system. Boneh et al. [13] proposed the first public key searchable encryption (PEKS) scheme in 2004, which can realize a single keyword search. In 2005, Park et al. [14] first proposed a multikeyword PEKS scheme. Kaushik et al. [15] combined attribute encryption and searchable encryption for the first time and proposed attribute-based keyword search (ABKS). Only data users whose attributes conform to the tree access structure can search for keywords. To enrich the functionality of the ABKS scheme, Wang et al. [16] proposed a searchable and revocable encryption scheme based on multidata owner attributes, but the scheme did not realize the claimed multidata owner authorization function. Moreover, in most of the existing ABKS schemes, there are still some open problems that urgently need to be resolved; for example, the decryption and encryption overhead is very high, which makes them impractical for many applications, such as smart devices with limited resources. As a remedy for this problem, Green et al. [17] proposed the first content-based outsourcing decryption scheme, and the decryption process is safely transferred to the cloud server. Since then, many outsourcing schemes have been proposed to achieve lightweight operation. Ali and Sadeghi [18] proposed an attribute-based keyword search scheme in cloud computing and outsourced some encryption and decryption work to cloud servers. In 2021, Meng et al. [19] proposed an attribute-based dynamic keyword search encryption in fog computing and outsourced part of the encryption and decryption work to fog nodes. Miao et al. [20] proposed a lightweight encryption and fine-grained search scheme for data in fog computing, which outsources part of the encryption and decryption calculation to fog nodes and supports conjunctive keyword search and attribute update. Unfortunately, although this scheme reduces the load on data owners and users, the interaction between fog nodes and data users increases the transmission load. However, although these schemes realize keyword search and support outsourcing encryption and decryption, they do not satisfy the practical requirements in the actual situation to realize the sharing of data by multidata owners, and the computing burden of encryption and decryption in cloud/fog computing is very heavy. With the development of 5G and IoT technology, edge computing is regarded as a new data resource, which can provide many high-quality outsourcing services. In edge computing, enabling multidata owners to share data and reducing the computational overhead of encryption and decryption is the first challenge.
2.2. Key Escrow
In general attribute-based encryption schemes and ABKS schemes, such as schemes in [21–23], the keys of the data users are generated by attribute authority, so it has the decryption ability of the data users. However, when attribute authority is maliciously attacked, the key of the data user will be leaked, which makes the data owner’s data face great challenges in terms of data privacy and confidentiality. Therefore, Liu et al. [24] proposed an anonymous hierarchical attribute encryption scheme in the electronic medical sharing environment, which introduces multiple authority attribute-based encryption technology to achieve fine-grained data access control and avoid the bottleneck of key escrow under a single authority. However, because multiple authorities have to communicate with each other, the system’s performance is significantly reduced. To sum up, solving the problem of key generation and distribution and realizing key-free escrow is the second challenge.
2.3. Policy Update
In a practical application, when the data owner needs to update the access policy, he needs to fetch back the resourced data and reencrypt it with the new access policy, which easily causes large communication and computing overhead. Therefore, Sahai et al. [25] proposed a support dynamic certificate and ciphertext authorization scheme. The idea of policy update is proposed for the first time, and the ciphertext is updated by the proxy method. Lai et al. [26] proposed an attribute-based ciphertext conversion scheme, in which the proxy server can update the access policy in the ciphertext without decryption. Li et al. [27] proposed a CP-ABE scheme in edge computing based on the CP-ABE scheme with dynamically updated access policies proposed by Yang et al. [28] and also provided an efficient online policy update method to manage attribute information. Besides, in schemes [29, 30], data owners can flexibly update access control policies and ciphertext. He will generate an update key and send it to the cloud. Using the update key, the cloud can update the access policy in the ciphertext to a new one. However, in these schemes, the issue of updating the index related to the new access policy is not concerned. Therefore, implementing policy updates and index updating is the third challenge.
3. Preliminaries
3.1. Bilinear Pairing
Let and to be two cyclic groups of prime order and is a generator of . A bilinear map is a function with the following properties:
(1) Bilinearity: for any and
(2) Nondegeneracy: there exists such that
(3) Computability: there exists a polynomial-time algorithm to compute , for any
3.2. Decisional Bilinear Diffie–Hellman (DBDH) Assumption
Given the tuple . The DBDH assumption is that no probabilistic polynomial-time (PPT) algorithm can distinguish the tuple from the tuple with non-negligible advantage.
3.3. Decisional Parallel Diffie–Hellman (BDHE) Assumption
The decisional parallel bilinear Diffie–Hellman exponent (BDHE) problem is that for any PPT algorithm, given , , and . It is difficult to distinguish from , where are chosen independently and uniformly at random.
3.4. Access Structure
Let there be attributes in the system, and each attribute has a set of possible values . First, let be a user attribute list, where . Then, the access policy is represented as , where . If the attribute list matches with the access policy , namely, , then the ciphertexts embedded with can be decrypted by the data user with .
4. System Model and Security Analysis
4.1. System Model
In this scheme, we consider a retrieval scenario in cloud-edge computing, which mainly involves six entities, namely, central authority (CA), attribute authority (AA), multidata owners (m-DOs), cloud server (CS), edge node (EN), and data user (DU), which are shown in Figure 2. We assume that AA, CS, and EN are semihonest and that CA is a fully trusted entity. The specific functions of each entity are as follows:
(1) Central authority (CA): CA generates the identity key for the user and the transformation public key and private key. It is also responsible for the registration of the data owner.
(2) Attribute authority (AA): AA generates attribute keys for users.
(3) Multidata owners (m-DOs): they work together to generate the ciphertext and index, respectively, using the access matrix and access policy.
(4) Cloud server (CS): CS provides storage services. When a qualified query is received, the corresponding ciphertext will be returned.
(5) Edge node (EN): EN has storage and computing capabilities, filling the gap between users and CS. It processes the ciphertext and index uploaded by m-DOs, reencrypts the ciphertext and index, and uploads the ciphertext to CS. Next, EN processes the search request of DU, retrieves the ciphertext from adjacent nodes and CS, predecrypts, and returns the results to DU. In addition, when the access policy is updated, EN updates the index.
(6) Data user (DU): DU issues search queries according to his attribute private key. Moreover, DU performs a small amount of decryption computation to obtain shared data.

4.2. Scheme Definition
The system model includes seven stages, as follows:
(1) System initialization phase: : given the security parameters and system attribute set , outputs public key and master key of CA and AA, and public-private key pair of the m-DOs.
(2) Key generation phase: : the algorithm is jointly executed by CA and AA to generate the user key. CA inputs the master key and authenticated the user, AA inputs secret value and authenticated the user, and CA calculates a secret value . : CA inputs the identity of the user and outputs the identity transformation key of the user. : AA inputs the random number and the user’s attribute set and outputs the user’s attribute key.
(3) Encryption phase: : input the public-private key pairs, access matrix , keywords and access policy , and output the ciphertext and index .
(4) Outsourcing encryption phase: : input the ciphertext , index and access policy , and output the ciphertext and index .
(5) Retrieval phase: : DU runs the algorithm, inputs the user’s private key , attribute set and keywords , and outputs the token . : EN runs the algorithm, inputs index , token and the user’s attribute set . If the user’s attribute set satisfies the access policy and the verification equation is established, it continues; otherwise, it aborts.
(6) Outsourcing decryption and the user decryption phase: : EN runs the algorithm, inputs ciphertext and transformation public key , and outputs part of the ciphertext. : DU runs the algorithm, inputs part of the ciphertext and transformation private key , and outputs plaintext .
(7) Policy update phase: : EN runs the algorithm, inputs the new access policy , and outputs the updated index .
4.3. Security Model
4.3.1. Indistinguishability of Ciphertext
The ciphertext indistinguishability security under chosen-plaintext attacks of a multidata owner ABKS scheme is defined by the game between a challenger and a probabilistic polynomial time (PPT) adversary : Setup: runs the Setup algorithm according to system parameters , outputs public key of CA to , and retains master secret key . Query Phase 1: submits attribute set with identity to , runs the key extraction query, and returns the private key to . Challenge: submits two messages and with the same length with access matrix to . randomly chooses a bit and encrypts . Finally, sends the challenge ciphertext to . Query Phase 2: continues to submit a series of attribute sets to and still can make queries adaptively as in Query Phase 1. Guess: outputs a guess for and if , wins the game. The advantage of the adversary for winning this confidentiality game is defined as .
Definition 1. A multidata owner ABKS scheme without key escrow is secure under chosen-plaintext attacks if the advantage of any PPT adversary in winning the game is negligible.
4.3.2. Chosen Keyword Indistinguishability
The chosen keyword indistinguishability security of a multidata owner ABKS scheme is defined by the game between a challenger and a PPT adversary : Setup: selects the challenging access policy and sends to challenger . runs Setup algorithm to return the public key to and retain the master secret key . Query Phase 1: adaptively selects the attribute set and queries to the following queries:(i)Private key query: returns the associated private key to by calling KeyGen if the attribute set satisfies access policy .(ii)Token query: submits attribute set and to for Token query. Then, outputs the associated Token to by calling Token. Challenge: submits two challenging keywords with the same length, attribute set to . If the attribute set satisfies the access policy defined in query phase 1, can get the access . We define , and then randomly selects to generate the index ciphertext and finally sends the index information to . Query Phase 2: continues to issue private key queries and token queries, and if the keywords are not equal , cannot query the attribute set to satisfy the selected access policy . Guess: outputs a guess for . If , wins the game. The advantage of the adversary for winning this confidentiality game is defined as .
Definition 2. A multidata owner ABKS scheme without key escrow is secure under chosen keywords attacks, if the advantage defined above for any PPT adversary is negligible.
In addition, this scheme also satisfies the security requirements of data privacy:
Data privacy: for each file shared by the data owners, they sign with public-private key pairs and encrypt the file with two-level access control. If and only if the first-level access control is met, second-level access control can be requested. This is particularly important to ensure the security and confidentiality of data.
5. Our Construction
With low latency and high efficiency provided by edge computing, resource-limited DU and m-DOs can outsource partial computational burden to EN, leaving a small part of the operations to be performed by themselves. Compared with existing CP-ABKS schemes, our scheme can not only achieve fine-grained access control but also alleviate the computational burden on EN by adding a middle layer called EN. Thus, we consider the case of multiple owners where each file is co-owned by a group of DOs and give a general description for the system in Figure 3. In step (1), the authorities distribute the keys to m-DOs, DU, and EN. We refer to the scheme [31] and design a two-level access control over encrypted files with step (2). File encryption is based on a access matrix, in which each row of the matrix corresponds to an owner. Its purpose is to realize m-DOs authorization for DUs based on LSSS technology (the LSSS matrix is illustrated in [32]); this is the second-level access control for users. The first level of access control occurs in the search phase. EN receives the ciphertext and index information sent by m-DOs and continues to reencrypt them. Finally, EN saves the index information and uploads the ciphertext to CS. In order to filter users who want to obtain shared documents, m-DOs define access policies according to requirements and generate indexes embedded in access policies. DU must provide tokens embedded with their own attributes and identities for matching. Note that DU can request the second-level access control if and only if he satisfies the first-level access control. EN processes the search request of DU and retrieves the ciphertext from adjacent nodes and CS by step (3); after gaining the search results, EN first conducts the majority of operations to predecrypt with step (4) and returns partial ciphertext to DU. When the access policy used by m-DOs for encryption changes, as shown by step (5), it is only necessary to send the new access policy to the ENs, and they will update the index. In the following, we show the main phase algorithms in the scheme, namely, system initialization phase, key generation phase, encryption and index generation phase, outsourcing encryption and index generation phase, retrieval phase, outsourcing decryption and user decryption phase, and policy update phase.

5.1. System Initialization Phase
(i): on input the security parameters and the system attributes , for each attribute value , , there are a series of possible values and . and are two groups of prime order and is a generator of . is the bilinear map, and is anticollision hash functions . Output system common parameters:(ii): CA selects randomly, then the master key and public key of CA is .(iii): AA selects , randomly and calculates , and generates the master key and public key of AA, where :(iv): m-DOs send their identity information to CA, and CA generates public-private key pairs for them.
5.2. Key Generation Phase
(i): AA selects randomly for authenticated users, which is unique to each user. AA and CA run two-party security protocols, AA inputs and CA inputs . Under the condition that the two parties do not disclose any private information, CA obtains . This is achieved by using two-party secure computing protocol [33] and can also be achieved by the construction in the literature [34]. CA randomly selects , then calculates , and sends to AA. After AA receives , it calculates and returns it to CA. Finally, CA calculates .(ii): CA outputs the user’s identity key for identified user . CA randomly selects as the transformation private key and calculates the transformation public key , . Last outputs user identity transformation key is , .(iii): AA is based on the random number selected in and inputs the user’s attribute set . Then, it selects randomly and output the attribute key: Finally, the user can get his whole key , and is uploaded to the edge node.
5.3. Encryption and Index Generation Phase
Given file and keywords , m-DOs generated file ciphertext and index:(i): m-DOs first generate identity signatures for files using public-private key pairs . For file , m-DOs first encrypt the file with a symmetric encryption key as . Then, m-DOs encrypt the symmetric key with the attribute cryptography technology. is a matrix, a function maps each row of to a DO. m-DOs select a column vector , compute , and is a secret value. We set ciphertext: m-DOs output ciphertext:(ii): m-DOs define access policies firstly. For keywords , m-DOs select and compute . We set index . Output index . Finally, we upload and to the edge node.
5.4. Outsourcing Encryption and Index Generation Phase
(i): inputs public key, ciphertext , signatures , and EN selects randomly. We set ciphertext: Output ciphertext:(ii): EN runs the algorithm and inputs index . According to the defined access policy and . For each , EN selects randomly and sets Output index . Finally, we upload to CS for storage and save by themselves.
5.5. Retrieval Phase
(i): let be keywords set, DU with attribute sets first selects randomly and sets token Output token .(ii): inputs user’s attribute set , access policy , index and token. First, EN checks whether the user’s attribute set satisfies access policy. If not, the algorithm aborts. Otherwise, we judge whether the following equation holds . If the equation holds, we output the storage address, otherwise abort.
5.6. Outsourcing Decryption and User Decryption Phase
(i): Suppose is a matrix access structure and is an authorization set with , there are a set of constant which makes the equation hold and . EN computes . Finally, outputs partial ciphertext and sends it to DU.(ii): DU performs simple calculation by using the transformation private key to obtain symmetric key and gets .
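The sharing of the secret value over the owner-labelled access matrix in Section 5.3 and the reconstruction constants used by EN in Section 5.6 follow the standard LSSS pattern. The following is an added example, not the authors' code: it works only in the field Z_p (no pairing groups or ciphertext components), and the matrix, the owner names, the modulus, and all function names are constructed for illustration.

```python
"""LSSS sharing over Z_p with each access-matrix row mapped to a data owner.
Constructed example: matrix, owner names and modulus are assumptions."""
import secrets

P = 2**127 - 1  # prime modulus standing in for the group order (assumption)

# Policy "(owner_A AND owner_B) OR owner_C" written as an LSSS matrix.
M = [[1, 1],    # row 0 -> owner_A
     [0, -1],   # row 1 -> owner_B
     [1, 0]]    # row 2 -> owner_C
RHO = {0: "owner_A", 1: "owner_B", 2: "owner_C"}  # row -> owner mapping


def make_shares(matrix, secret):
    """Return {row: share} with share = M_row . v and v = (secret, r_2..r_n)."""
    n = len(matrix[0])
    v = [secret % P] + [secrets.randbelow(P) for _ in range(n - 1)]
    return {i: sum(a * b for a, b in zip(row, v)) % P
            for i, row in enumerate(matrix)}


def recon_coeffs(matrix, rows):
    """Solve sum_i w_i * M_i = (1, 0, ..., 0) mod P over the given rows.

    Returns {row: w_row}, or None when the rows do not span the target
    vector, i.e. the set of owners is not an authorized set.
    """
    n, k = len(matrix[0]), len(rows)
    # One equation per matrix column; the last entry is the right-hand side.
    aug = [[matrix[r][j] % P for r in rows] + [1 if j == 0 else 0]
           for j in range(n)]
    pivots, rank = [], 0
    for col in range(k):
        piv = next((i for i in range(rank, n) if aug[i][col]), None)
        if piv is None:
            continue  # free variable, left at 0
        aug[rank], aug[piv] = aug[piv], aug[rank]
        inv = pow(aug[rank][col], -1, P)
        aug[rank] = [x * inv % P for x in aug[rank]]
        for i in range(n):
            if i != rank and aug[i][col]:
                f = aug[i][col]
                aug[i] = [(x - f * y) % P for x, y in zip(aug[i], aug[rank])]
        pivots.append(col)
        rank += 1
        if rank == n:
            break
    # A zero row with a non-zero right-hand side means no solution exists.
    if any(aug[i][k] for i in range(rank, n)):
        return None
    w = [0] * k
    for i, col in enumerate(pivots):
        w[col] = aug[i][k]
    return dict(zip(rows, w))


def recover(matrix, rho, shares, owners):
    """Recombine the shares of the participating owners, or return None."""
    rows = [i for i in sorted(rho) if rho[i] in owners]
    coeffs = recon_coeffs(matrix, rows)
    if coeffs is None:
        return None
    return sum(w * shares[i] for i, w in coeffs.items()) % P


if __name__ == "__main__":
    s = secrets.randbelow(P)
    shares = make_shares(M, s)
    for group in ({"owner_A", "owner_B"}, {"owner_C"}, {"owner_A"}):
        print(sorted(group), recover(M, RHO, shares, group) == s)
```

In the scheme itself the recombination happens in the exponent during EN's predecryption, so EN never sees the secret value in the clear; the example exposes it only to make the authorized and unauthorized cases checkable.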
5.7. Policy Update Phase
5.7.1. UpdatePolicyIndex
When the access policy is updated, m-DOs only need to send the new access policy to EN, and EN updates the corresponding index.
First, the EN runs algorithm and compares the old and new policies. Output new index information and store it in . Let represent the number of attributes in the old/new access policy , respectively. There are three cases:
(a) When the number of attributes in the access policy is reduced to , and . EN updates the index as follows: Then, updated index information is stored in the .
(b) When the number of attributes in the access policy is added to , and . EN updates the index as follows: Then, updated index information is stored in the .
(c) In the access policy , when the number of attributes changes in part and remains unchanged in part, EN randomly selects and updates the index as follows: Then, updated index information is stored in the .
Output updated index .
In this process, m-DOs only need to send a new access policy to EN, and EN uses the new access policy to update the index. Therefore, it reduces the calculation burden of DOs and ensures the security of the index.
5.8. Correctness
Correctness of the search phase: Correctness of the part decryption phase: Correctness of the user decryption phase:
6. Security Analysis
Theorem 1. Under the assumption of Parallel BDHE, the multidata owner ABKS scheme without key escrow is secure against indistinguishable chosen-plaintext attacks.
Proof. Assume that there is a PPT adversary who can win the ciphertext indistinguishability security game with nonnegligible advantage : Setup: runs the Setup algorithm according to system common parameters , outputs public key to , and retains master secret key . Query Phase 1: queries the key to the challenger . The key generated by the two-party secure computing protocol is secure and will not disclose private information. submits attribute set with identity to , randomly selects running algorithm , sets identity key , , and returns the private key to . Challenge: submits two messages and with the same length with access matrix to . randomly chooses a bit and sets and randomly selects vectors that are calculated by sharing secret value and computes , . Finally, sends the challenge ciphertext to . Note that the security of the shared challenge ciphertext is guaranteed by the embedded access matrix information. Query Phase 2: makes queries adaptively as in Query Phase 1. Guess: outputs a guess for and if , wins the game. In other words, it is effective to under the assumption of Parallel BDHE. The advantage of the adversary for winning this confidentiality game is defined as . Then, the scheme is proved to achieve selective plaintext security.
Theorem 2. The multidata owner ABKS scheme without key escrow is secure under chosen keyword attack if the DBDH problem is hard.
Proof. defines a challenging access policy before the system establishment stage. In the security game of nonselective identity, can submit an attribute set and satisfy two access strategies at the same time, and then can obtain the corresponding search results. During this period, in addition to the returned search results, cannot obtain information about the access policy , which corresponds to the access policy to be updated later: Setup: selects the challenging access policy and sends to . runs Setup algorithm to return public key to and retain master secret key . Query Phase 1: adaptively selects the attribute set and queries to the following queries:(i)Private key query: if the attribute set satisfies the selected access policy and runs the key generation algorithm. Under the two-party security protocol, AA and CA randomly select to jointly generate user attribute private key and send it to .(ii)Token query: submits attribute set and to for token query. Then, randomly selects , sets token Challenge: submits two challenging keywords with the same length, attribute set to . If the attribute set satisfies the access policy defined in query phase 1, can get the access . We define , and then randomly selects to set token , , , and and finally sends the token information to . Query Phase 2: continues to issue private key queries and token queries, If the keywords are not equal , cannot query the attribute set to satisfy the selected access policy . Guess: outputs a guess for . If , wins the game. Outputs . Otherwise, outputs . Thus, the adversary of solving the DBDH problem is In addition, our scheme also satisfies the security and privacy requirements of data privacy under the assumption of DBDH. Data privacy: first, we encrypt sensitive data to prevent data leakage. 
Secondly, we use two layers of access control to prevent unauthorized users from leaking secrets (the first layer is to filter users’ identities and attribute sets, and the second layer is to satisfy the authorization of multiple data owners). Thirdly, although outsourcing decryption is adopted, the most critical calculations are completed by users to prevent EN from leaking secrets.
7. Performance Analysis
7.1. Theoretical Analysis
7.1.1. Function Comparison
Table 1 shows the comparison between our scheme and related schemes [29, 31, 34–36] in terms of the number of data owners, policy updates, without key escrow, computing outsourcing, and searchability. Our scheme realizes multikeyword search; schemes [31, 35] only support single keyword search, whereas schemes [29, 34, 36] do not provide a search function. Our scheme and scheme [31] realize the multidata owner authorization management of shared files, but scheme [31] does not discuss access policy updating. Our scheme avoids the problem of key escrow, as well as scheme [34]. However, other schemes fail to solve this problem. In terms of computing outsourcing, our scheme introduces edge computing, so most encryption and decryption works are outsourced to edge nodes, whereas the data owners and users only perform few calculations. In scheme [35], only the decryption is outsourced to the cloud, and the encryption calculation is still performed by the data owner. However, other schemes do not consider outsourcing calculations. Therefore, our scheme is functional.
7.1.2. The Storage Cost
In this subsection, a storage cost comparison between our scheme and related schemes [29, 31, 35, 36] is presented in terms of the public key, transformation key, DO side ciphertext, cloud/fog/edge side ciphertext, side ciphertext, and token storage size, as shown in Table 2. The public key, transformation key, DO side ciphertext, and cloud/fog/edge side ciphertext occupy less storage space in our scheme. In terms of token storage, our scheme is independent of the number of attributes and related to the number of keywords, whereas the token storage in schemes [31, 35] increases linearly with the increase in the number of attributes. By contrast, our scheme has less storage overhead.
7.1.3. The Computational Cost
The computational overhead mainly involves bilinear pairing and modular exponential operations. Let represent the number of system attributes, represents the size of the element in the , indicates the number of the user attributes. represents the number of keywords used in token generation, represents the number of attributes in the access policy, and represents the number of data owners. Respectively, represent the exponential operation in and pairing operation.
For convenience, as shown in Table 3, we divide the encryption stage into two parts: DO encryption and CS/Fog/EN encryption. In the DO encryption stage, DO has completed all encryption operations in schemes [31, 35]. Thus, the amount of calculation is larger than that of other schemes. In schemes [29, 36] and our scheme, part of the encryption work has been outsourced to a third party, so the calculation load of DOs is relatively low. In our scheme, edge computing is introduced; the amount of calculation at the DO end is , and the calculation amount at the EN end is . Similarly, the decryption phase is divided into two parts: CS/Fog/EN decryption and the user decryption. In these schemes, although the user decryption computation is one operation, the outsourcing decryption computation is evidently different. The amount of computation required by EN to predecrypt the ciphertext is in our scheme, whereas the amounts of computation in scheme [29, 36] are and , respectively. In schemes [31, 36], the decryption is completed by the user. Therefore, the overall encryption/decryption computation of our scheme is relatively low.
In the search stage, the amount of token calculation in schemes [31, 35] increases linearly with the increase in the number of attributes and only realizes a single keyword search. If these schemes perform multiple keyword searches, then the calculation amount is also related to the number of keywords. However, in our scheme, the token generation is only related to the number of keywords, and multiple keyword search is implemented. In particular, the search work in our scheme is carried out by EN, and the amount of calculation is , which is smaller than those in schemes [31, 35].
The theoretical analysis indicates that the calculation amount of our scheme is relatively low in the data user side (DO and user) and the outsourcing end.
7.2. Experimental Simulation
To further evaluate the performance of our scheme, we conducted a series of simulation experiments. The experiments were implemented on a Windows 10 platform with a 2.70 GHz Intel(R) Core i5-7200U CPU and 8 GB RAM, using the pairing-based cryptography (PBC) library [37] with a large prime of 512 bits.
Figure 4 shows the computational cost of encryption on the DO side, as well as that of outsourcing encryption and decryption. No simulation diagram is provided for user decryption, given that the decryption cost of the user is the same. Figure 4(a) shows that the computational cost in schemes [29, 31, 35, 36] increases linearly with the number of attributes, whereas our scheme is independent of the number of attributes, which means that the time cost remains constant and is lower than that in other schemes. Figures 4(b) and 4(c) compare the computational cost of outsourcing encryption and outsourcing decryption, respectively. The computational cost of outsourcing encryption and decryption in schemes [29, 36] increases linearly with the number of attributes, whereas the computational cost of our scheme is almost unchanged as the number of attributes increases. Schemes [29, 36] use cloud servers and fog nodes for outsourcing, respectively, whereas edge nodes are used to undertake the outsourcing work in our scheme. Therefore, the encryption and decryption computation of our scheme is lower.

Figure 5(a) shows the time cost of token generation, and Figure 5(b) shows the search time. When the token is generated, the number of attributes is fixed to 5, and only the number of keywords changes. Figure 5(a) shows that the token generation time of our scheme is evidently lower than that in other schemes [31, 35]. Although the search time is constant in our scheme and scheme [35], the time cost in our scheme is lower. The time in scheme [31] increases with the number of attributes.

In conclusion, the experimental results are consistent with the theoretical analysis, and our scheme has better performance.
8. Conclusion
In this article, we present an ABKS scheme with multidata owner supporting policy updates. On the one hand, when encrypting shared messages, m-DOs adopt two-level access control, which realizes not only access control for multiple users through users’ attribute sets and identities, but also the joint authorization management of multiple data owners, thereby improving the security of shared messages. On the other hand, based on the characteristics of low latency and low bandwidth operation, our scheme introduces edge computing. The edge node replaces the cloud server to complete the search task. As a result, the cloud cannot obtain keywords and other sensitive information, and the delay caused by data transmission is reduced. When the access policy needs to be updated, m-DOs only send the updated access policy to EN, whereas index updating is undertaken by EN, greatly saving calculation and communication costs of DOs. We also outsourced some encryption and decryption calculations to edge nodes to reduce the computational burden of data owners and users. Theoretical analysis and experimental simulation show that the scheme is effective and practical in the edge computing environment.
As a part of our future work, we will continue to consider the hidden access policy to ensure the integrity and confidentiality of shared data and realize the secure storage of resources.
Data Availability
The data used to support the findings of this study are available from the corresponding author upon request.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
The work was supported by the National Natural Science Foundation of China (nos. 62262060 and 61662071) and the Industrial Support Plan Project of Gansu Provincial Department of Education (2022CYZC-17).