Multiuser Searchable Encryption with Token …downloads.hindawi.com/journals/scn/2017/6435138.pdfMultiuser Searchable Encryption with Token Freshness Verification ... DataUser

Research ArticleMultiuser Searchable Encryption withToken Freshness Verification

Dhruti Sharma1 and Devesh C Jinwala2

1Sarvajanik College of Engineering and Technology Surat Gujarat India2Sardar Vallabhbhai National Institute of Technology Surat Gujarat India

Correspondence should be addressed to Dhruti Sharma sharmadhruti77gmailcom

Received 2 May 2017 Revised 25 September 2017 Accepted 25 October 2017 Published 26 November 2017

Academic Editor Sherali Zeadally

Copyright copy 2017 Dhruti Sharma and Devesh C Jinwala This is an open access article distributed under the Creative CommonsAttribution License which permits unrestricted use distribution and reproduction in any medium provided the original work isproperly cited

AMultiuser Searchable Encryption (MUSE) can be defined with the notion of Functional Encryption (FE) where a user constructsa search token from a search key issued by an Enterprise Trusted Authority (ETA) In such scheme a user possessing search keyconstructs search token at any time and consequently requests the server to search over encrypted data Thus an FE based MUSEscheme is not suitable for the applications where a log of search activities is maintained at the enterprise site to identify dishonestsearch query from any user In addition none of the existing searchable schemes provides security against token replay attack toavoid reuse of the same token In this paper therefore we propose an FE based scheme Multiuser Searchable Encryption withToken Freshness Verification (MUSE-TFV) In MUSE-TFV a user prepares one-time usable search token in cooperation with ETAand thus every search activity is logged at the enterprise site Additionally by verifying the freshness of a token the server preventsreuse of the token With formal security analysis we prove the security of MUSE-TFV against chosen keyword attack and tokenreplay attack With theoretical and empirical analysis we justify the effectiveness of MUSE-TFV in practical applications

1 Introduction

With the cloud storage infrastructure one can easily sharedata with multiple users at a low cost However maintainingsecurity and privacy of such data located on the untrustedremote server is nontrivial [1ndash3] Therefore a common trendis to upload the encrypted data onto a third-party cloudserver However extraction of partial information from thestored encrypted data is indeed difficult The notion ofSearchable Encryption (SE) is used to resolve the issue InSE a Data Owner prepares a ciphertext by associating a listof encrypted keywords (to be searched) with an encryptedpayload message and uploads it onto the Storage ServerSubsequently a Data User asks the server to search overencrypted data by issuing a search token (of keyword(s))Theserver applies a token over available ciphertexts and extractsthe data containing that keyword(s) (Figure 1) However theserver learns nothing else about the data while searchingHere a payload message is encrypted using any standardencryption algorithm whereas keywords are encrypted withthe defined Searchable Encryption algorithm

There exist numerous Searchable Encryption schemesfor a single user [4ndash8] as well as for multiple users [9ndash13]Practically any single-user Searchable Encryption schemecan be adapted to define a multiuser Searchable Encryptionscheme at the cost of a ciphertext size linear to the number ofusers in the system Formally when a single-user searchablescheme is extended to support multiple users its ciphertextsize becomes 119874(119880) for 119880 users that subsequently raises to119874(|119863| sdot 119880) for119863 = 1198891 1198892 119889119898 data items in the systemThis ultimately outputs an impractical system with119874(|119863| sdot119880)computational overhead at the Data Owner site and 119874(|119863| sdot119880) storage overhead at the server site As solution severalSearchable Encryption schemes in [9 10 14ndash20] with a built-in support of multiple users are devised in recent yearsAmongst them the scheme proposed by Hwang and Lee [9]is a simple extension of a single-user Searchable Encryptionwith the ciphertext size 119874(|119863| + |119882| sdot 119880) where |119882| is thenumber of keywords to be searched However this schemeworks for the prefixed set of users In contrast the schemesin [10 14ndash16] support the dynamic groups of users wherejoiningleaving a group by a member is entirely controlled

HindawiSecurity and Communication NetworksVolume 2017 Article ID 6435138 16 pageshttpsdoiorg10115520176435138

2 Security and Communication Networks

Searchable EncryptionStorageServer

T

T

C

CM

List+ =

1

2

3

4

5Searchresult

Data Owner Data User

Ciphertext (C)

Figure 1 System model of Searchable Encryption (SE) Steps (1)Data Owner uploads a ciphertext119862 (ie encrypted payloadmessage+ list of encrypted keywords) onto the Storage Server (2)Data Userconstructs a search token 119879 using a secret key (3) Data User sends119879 to the server (4) Storage Server applies 119879 on 119862 (5) Storage Serverreturns the result to the requesting user

by a Data Owner In addition the recent schemes in [17ndash20]provide Multiuser Searchable Encryption with the notion ofFunctional Encryption (FE) (Section 21) where an EnterpriseTrusted Authority (ETA) is responsible for the System Setupand amaster public key setupThemost notable characteristicof FE is that a systemrsquos master public key is utilized toprepare the searchable ciphertexts and a single ciphertext canserve multiple search tokens (may be issued by differentusers) Therefore such FE based searchable schemes cansupportmultiple users in the systemwith the optimal storage-computational overhead (ie 119874(|119863|)) for the ciphertextsAdditionally in the schemes [17ndash20] a separate search key(related to the master public key) is issued (either by anETA or by a Data Owner) to each user Subsequently auser constructs a search token with an available search keyThe downside is that once a user has a search key he canprepare a search token at any time As a result a dishonestuser colluding with the untrusted cloud server can mali-ciously search the valid data and the system administrator(ie ETA) is completely unaware about such adversarialactivity Moreover with the existing Searchable Encryptionmechanisms there is no provision for the token freshnesschecking at the server site As a result if an unauthorizeduser masquerading as an authorized user has a valid tokenhe can use the token to make search queries in the future Inpractice there exist applications wherein every search queryfrom the users should be logged to the enterprise trusted sitein order to identify any dishonest activity performed by anyuser (authorized or unauthorized) In addition there shouldbe a provision against token replay attack to avoid misuseof a valid token Let us take one of such applications as anexample

(i) Consider an Online Banking System where the cus-tomersrsquo transaction records are stored at the Bankrsquoscloud Storage Server Practically these records are uti-lized by several official users (ie managers officersclerks etc) of the Bank Let us assume that the Bankrsquoscentralized processing server (trusted authority) uses

any of the existing FE based searchable schemesand accordingly issues a separate search key to eachauthorized user of the Bank

In such a setup let us take a case of a managerwho is responsible for generating a daily reportfor the ATM transactions with a specific ATM-ID To perform this activity every day themanager constructs a search token (using hissearch key) for a query that is ldquolist all ATMtransactions for ATM-ID todayrdquo He issues thistoken to the server and collects the result Inthis scenario what happens if a peon steals thesearch token and masquerades as an officer tosend this token to the server In any FE basedsearchable scheme the server only checks theauthorization of a user In this case since a peonimpersonates an authorized officer of the Bankhe passes the authorization test conducted bythe server and gets the search result In factperforming such token replay attack (by reusingthe token) and leaking the information aboutATM transactions to the intruder (outsider) ona daily basis the peonmay provoke the criminalactivities near that ATM

From the above scenario we say that in the Bankingsystem since every search result involves critical financialinformation the search activity by each user should be loggedat the Bankrsquos centralized processing server In addition toavoid misuse of any valid token it is desirable to preventtoken replay attack in such system

With the existing FE based searchable schemes [17ndash20] auser possessing a search key can ask the server to execute asearch operation at any time and therefore the search activityof a user cannot be tracked The problem can be resolved byan interactive scheme where a search token is constructedby the centralized trusted authority on request from anauthorized user However such solution raises the demandof secure token transmission along the entire path from thetrusted authority up to the server through a user Moreovera token replay attack should be prevented by verifying thefreshness of each search token at the server site In additionit is desirable to have a search operation with the support ofconjunctive queries in such system

11 Related Work The notion of Searchable Encryption isintroduced by Song et al in [4] where the authors considersearch over encrypted keywords within a file However thisfirst practical scheme leaks the search keywords to the serverand suffers from the communication overhead linear to thefile size In fact the scheme in [4] is not secure againststatistical analysis across multiple queries To resolve theproblems Goh et al [5] andChang andMitzenmacher [24] intheir separate work construct the secure searchable schemesby proposing an encrypted index for a document Thoughthe schemes in [4 5 24] perform efficient search operationsthey introduce storage overhead linear to the size of anindex for each document Curtmola et al [25] propose the

Security and Communication Networks 3

first symmetric searchable encryption scheme with a formalsecurity model The first public key Searchable Encryptionscheme is given by Boneh et al [6] wherein a user withhis private key can search over data encrypted with thecorresponding public key However none of the schemes [4ndash6 24] support conjunctive keyword search

Conjunctive Keyword Searchable Schemes To narrow downthe scope of searching and get optimal results several search-able schemes exist with conjunctive keyword search oper-ation In the symmetric key settings Golle et al [26] haveconstructed two schemes for a conjunctive keyword searchHowever in the first construction of [26] the size of a capa-bility (search token) is linear to the number of documentsavailable on the server and so the scheme is impractical Onthe other hand the second construction of [26] is practicalwith a constant size capability The other constructionsbased on the secret sharing and bilinear map are given byBallard et al [27] but they are still inefficient in terms ofa size of a token linear to the number of documents beingsearched In public key settings a first conjunctive keywordsearchable scheme is defined by Park et al [8] Subsequentlythe schemes with the improved communication and storageefficiency are proposed in [9 28] Boneh and Waters havegiven a generalized scheme [29] for conjunction as well asfor subset queries Later on a scheme with a refined formof a token (that is independent of specifying the keywordfield position) is devised by Wang et al [13] SubsequentlyB Zhang and F Zhang [21] have improved the security flawsof [13] and defined a conjunctive-subset keyword searchOther efficient constructions with the support of conjunctivekeyword search operation are given in [22 23 30]

Multiuser Searchable Schemes In public key settings Hwangand Lee [9] have first introduced a storage efficient multiuserscheme Subsequently several other schemes [10 11 13 1416] have proposed managing a group of users However ascheme in [11] supports the static groups of users whereas theschemes discussed in [10 13 14] work for the dynamic groupsof users Apart from this the scheme in [14] provides a singlekeyword search whereas the schemes in [10 13] handle theconjunctive search queries Recently a multiuser multikey-word search scheme is proposed by Huang et al [16] but itsinverted index based construction cannot support an efficientconjunctive search In addition a scheme in [16] leaks useraccess control information to the server Few other multiuserschemes [17ndash20] are based on the notion of FE wherein anETA is responsible for the System Setup and a master publickey setup In these schemes a ciphertext is prepared by aData Owner using a master public key A search token isconstructed by a user with his own search key issued eitherby the ETA as in [18ndash20] or by the Data Owner as in [17] Ascheme in [17] offers a constant size ciphertext and a constantsize token However the scheme [17] is computationallyinefficient since to encrypt an index for a document theencryption algorithm involves a computational complexitylinear to the number of authorized users for that documentIn a scheme of [18] the Storage Server has a list of authorizedusers (U List) and thus each enrollmentrevocation of a user

is known to the server This indeed leaks information aboutusers (ie a number of users in the system the usersrsquo activity)to the Storage Server The other two schemes [19 20] useCPABE (Ciphertext Policy Attribute Based Encryption) tomanage access control of users However amongst all theseschemes only the schemes in [9 10 13 16] support multi-keyword (specifically conjunctive) search and multiple usersat the same time There is no FE based scheme proposing aconjunctive keyword based search

Secure Channel-Free Searchable Schemes There exist search-able schemes in [7 31 32] with secure channel-free archi-tecture for a token transmission However these schemessupport a single keyword searchThemost recent conjunctivesearch schemes [30 33] provide a secure channel-free tokentransmission

To the best of our knowledge none of the existingschemes define a secure channel-free conjunctive keywordbased Searchable Encryption that prevents token replayattack in multiuser environment

12 Our Contributions In this paper we propose a MultiuserSearchable Encryption with Token Freshness Verification(MUSE-TFV) In MUSE-TFV a user constructs a searchtoken in cooperation with the ETA and thus every searchactivity from each user is logged at the enterprise trustedsite Moreover each search token is one-time usable tokenThe server avoids reuse of the same token by verifying thefreshness of the token using a verification key given by theETA Our main contributions are as follows

(i) Multiuser Support Utilizing the notion of FE wedevise a Searchable Encryption scheme that supportsmultiple users with a constant size ciphertext (ieindependent of the number of users) Our schemehas an optimal computational overhead at the DataOwner site and an optimal storage overhead at theserver site

(ii) Token Freshness Verification We propose a tokenfreshness verification at the server site by adaptingHallerrsquos SKey One-Time Password System [34] andprevent token replay attack from the system

(iii) Conjunctive Keyword Search With the proposedscheme we offer a conjunctive keyword search witha constant sized search token

(iv) Secure Channel-Free Architecture We offer a securechannel-free architecture to transfer a token securelyvia any public channel without channel setup over-head

(v) Theoretical Analysis and Empirical Evaluation Wepresent a detailed theoretical analysis to show theefficiency of the proposed scheme Additionally withexperimental evaluation of MUSE-TFV for differentsize system (with a different number of keywords) anddifferent number of users we justify its effectiveness

13 Organization of the Rest of the Paper The rest of the paperis organized as follows In Section 2 we briefly discuss the


Functional Encryption

StorageServer

1

2

3

4

5

6


Encrypteddata (C)

Fi

Function result(RF)

TF

Function token(TF)

Function (F)

Trusted authority (TA)

Figure 2 System model of Functional Encryption (FE) Steps (1)Data Owner uploads ciphertext 119862 onto the Storage Server (2) DataUser requests TA for a token of a function (F) (3) TA issues a token119879119865 to the user (4) Data User sends 119879119865 to the Storage Server (5)Storage Server runs 119865 on available 119862 (6) Storage Server forwardsthe result 119877119865 to the user

preliminaries required for the proposed scheme In Section 3we define the formal model of MUSE-TFV the proposedalgorithms and the attackmodel with security definitionWeelaborated the algorithms with a detailed security analysisin Section 4 Further in Section 5 we present a theoreticalanalysis and empirical evaluation of MUSE-TFV Finally weput the concluding remarks in Section 6

2 Preliminaries

In this section we present an overview of a FunctionalEncryption a cryptographic primitive (ie Bilinear Map)and a hardness assumption associated with the proposedscheme

21 Functional Encryption (FE) FE is a generalization of theexisting access control mechanisms namely Identity BasedEncryption (IBE) [35 36] Attribute Based Encryption (ABE)[37ndash39] and Predicate Encryption (PE) [29 40] In FE apartfrom the Data Owner Data User and the Storage Serverthere exists an additional centralized trusted authority (TA)that is responsible for the System Setup and generation ofa master public-private key pair A Data Owner preparesthe ciphertexts with a master public key and stores them tothe Storage Server To execute a predefined function at theserver site a user asks the TA for the corresponding token Inresponse the TA constructs a token utilizing a master privatekey and issues it to the user The server runs the function onthe availability of a token from a user and sends the result tothe user (Figure 2) In such a setup any user who possessesa token can ask the server for the function execution Sincethe server could use the same set of ciphertexts to execute afunction with different tokens (may be from different users)we say that the FE supports multiple users in the system

22 Bilinear Map Bilinear map is a mathematical tool forpairing based cryptography It is defined using suitablecryptographic groups Let 1198661 and 1198662 be two multiplicative

C

C T

List+ =

Ciphertext (C)W

Storage Server (SS)

Result

TVK2Data User (DU)

TokenRequest

Enterprise Trusted Authority (ETA)

Data Owner (DO)

1

2

3

4

5

6

6

7

8

T = (T TVK1)

PT = (PT TVK1)

M

Figure 3 System model of MUSE-TFV

cyclic groups of prime order 119901 For these groups a bilinearmap 119890 1198661 times 1198661 rarr 1198662 must satisfy the following properties

(1) Bilinear given random 119875119876 isin 1198661 and 119886 119887 isin 119885lowast119901 we

have 119890(119886119875 119887119876) = 119890(119875 119876)119886119887(2) Nondegenerate if 119875 is a generator of 1198661 then 119890(119875 119875)

is a generator of 1198662(3) Computable given 119875119876 isin 1198661 there exists a polyno-

mial time algorithm to compute 119890(119875 119876) isin 1198662

23 Hardness Assumption

Decisional Diffie-Hellman (DDH) Assumption Let 1198661 be acyclic group of prime order 119901 and 119875 is a generator of 1198661 TheDecisional Diffie-Hellman problem is to distinguish the tuple(119886119875 119887119875 119886119887119875) from (119886119875 119887119875 119888119875) for any random 119886 119887 119888 isin 119885lowast

119901Let us assume that theDDHproblem is (120598 119905)-hard in1198661Thenthere does not exist any polynomial time (119905) adversaryA thatcan solve the DDH problem with a nonnegligible advantage120598 if |119875119903[A(119886119875 119887119875 119886119887119875)] minus 119875119903[A(119886119875 119887119875 119888119875)]| le 1205983 Proposed Multiuser SearchableEncryption with Token FreshnessVerification (MUSE-TFV)

We list out the notations used throughout the paper inNotations sectionWe include a systemmodel the associatedalgorithms and the attack model with the security definitionfor the proposed scheme

31 System Model The proposed MUSE-TFV involves fourentities (i) Data Owner (DO) (ii) Data User (DU) (iii)Storage Server (SS) and (iv) Enterprise Trusted Authority(ETA) (Figure 3)

The interactive actions amongst these entities are asfollows

(1) Initially the ETA sets up the systemrsquos public parame-ters and a master secret key


(2) Using public parameters the SS computes a public-private key pair (119884 119910) and publishes 119884 while keeping119910 secret

(3) Using public parameters the DU computes a public-private key pair (119883 119909) and publishes119883 while keeping119909 secret

(4) A DO prepares a ciphertext (119862) by associating anencrypted payload (1198721015840) with a list 119882 of encryptedkeywords and uploads it onto the SS All the keywordsin the list are encrypted with an Encryption() algo-rithm of proposed MUSE-TFV

(5) To execute a search operation the DO requests theETA for a token of a conjunctive query

(6) The ETA computes a token (1198751198791015840) and correspond-ing token verification keys (1198791198811198701 1198791198811198702) The ETAissues a partial token 119875119879 = (1198751198791015840 1198791198811198701) to the DUand 1198791198811198702 to the SS

(7) The DU constructs a search token (1198791015840) from 1198751198791015840 andissues a final token 119879 = (1198791015840 1198791198811198701) to the SS over apublic channel

(8) The proposed Search() algorithm is executed on theserver SS With the available (1198791198811198701 1198791198811198702) the SSchecks the token freshness The SS applies the freshtoken 1198791015840 on the available 119862 If 119862 satisfies the token119879 the algorithm outputs a result 119877 = (119864119910(119864119883(1198721015840)))otherwise it outputs perp The algorithm applies 119879 on allavailable 119862 and generates the corresponding 119877

Note Steps (2) (3) and (4) can run in parallel

Assumptions (i) The payload 1198721015840 = 119864119896119890119910(119872) where 119864 isany symmetric encryption cipher with a symmetric key 119896119890119910(ii) All DUs are authorized by the ETA At the time ofauthorization ETA issues (119901119901 119896119890119910) to the DU (iii) Beforeissuing a partial token 119875119879 the ETA checks the authenticity ofaDUwith any standard authentication protocol (iv)The SS isa semihonest server that is it follows the system protocol buttries to breach data privacy (v) There exists a secure channelbetween the ETA and the SS (vi) The 1198791198811198702 is stored in asystem table of the SS The size of the system table is linear tothe number of DUs

32 Algorithms The proposed MUSE-TFV involves the fol-lowing polynomial time algorithms

(1) Setup(120572 119899) The Setup algorithm runs by the ETAThe algorithm takes a security parameters 120572 and 119899as inputs The algorithm outputs the systemrsquos publicparameter 119901119901 and a master secret key 119898119904119896 It definesa keyword spaceKS for 119899 keywords

(2) SKeyGen(119901119901) The Server Key Generation algorithmruns by the server SSThe algorithm takes the systemrsquospublic parameter 119901119901 as inputs It selects a random 119910 isin119885119901

lowast and computes the public-private key pair (119884 119910)for the server SS

(3) UKeyGen(119901119901) The User Key Generation algorithmruns by the DU The algorithm takes the systemrsquos

public parameter 119901119901 as inputs It selects a random119909 isin 119885119901lowast and computes the public-private key pair(119883 119909) for the Data User DU

(4) Encryption(119901119901119882 1198841198721015840) The Encryption algorithmruns by theDOThe algorithm constructs a ciphertext1198621015840 from the list of keywords 119882 = 1199081 1199082 119908119899using 119901119901 and 119884 It associates 1198621015840 with an encryptedpayload1198721015840 and outputs a ciphertext 119862 = (11986210158401198721015840)

(5) TokGen(119901119901119898119904119896 119876119883 119909 119884) The Token Generationis an interactive algorithm where initially a DUsupplies a conjunctive query 119876 = (1198821015840 1198681015840) to theETA Here1198821015840 = 1199081015840

1 11990810158402 1199081015840

119905 is a set of keywordsand 1198681015840 = 1198681 1198682 119868119905 shows their positions in KSFor each new query the ETA assigns a unique tokenidentification string (119879119874119870119868119863) in order to generate thetoken verification keys (1198791198811198701 1198791198811198702) Subsequentlythe ETA constructs a token1198751198791015840 using119898119904119896 and119883TheETA then issues a partial token 119875119879 = (1198751198791015840 1198791198811198701)to the DU and (1198791198811198702) to the SS With an available119875119879 the DU constructs 1198791015840 and outputs a final token119879 = (1198791015840 1198791198811198701)

(6) Search(119862 119879 119910) The Search algorithm runs by the SSThe algorithm utilizes (1198791198811198701 1198791198811198702) to verify thefreshness of 119879 If 119879 is fresh the algorithm performsa conjunctive search using (1198791015840 1198621015840 119910) It returns theresult 119877 = (119864119910(119864119883(1198721015840))) to the DU if 1198621015840 satisfies theconjunctive query119876within1198791015840 otherwise it returnsperpThe algorithm applies1198791015840 on all the ciphertexts At lastthe algorithm updates the system table entry of1198791198811198702for the requestingDU to prevent a token replay attack

The algorithms involved in the verification key generationand token verification as well as system table update arediscussed in Section 42

33 Flowchart To show the process of the proposed MUSE-TFVwe define four phases (i) SystemSetup (ii)DataUpload(iii) Token Generation and (iv) Search The sequence of theproposed algorithms utilized by the entities (ie ETA DODU SS) during each of these phases is given as a flowchartin Figure 4 As shown in Figure 4(a) all four entities areinvolved in System Setup phase where a public parame-ter (pp) and various keys (ie 119898119904119896 119896119890119910 (119883 119909) (119884 119910)) aredefined On the other hand Data Upload phase (Figure 4(b))includes only DO and SS since during this phase a DOprepares a ciphertext 119862 and uploads it on to the SS Theinteractive steps amongst DU ETA and SS during TokenGeneration phase are shown in Figure 4(c) wherein initiallya DU sends a conjunctive query 119876 to the ETA In responsethe ETA sends a partial token along with a token verificationkey (ie (119875119879 1198791198811198701)) to the DU In addition the ETAsends a token verification key (ie TVK2) to the SS Withthe available (119875119879 1198791198811198701) the DU prepares a final token 119879During Search phase the DU sends 119879 to the SS as shownin Figure 4(d) In response the SS finds the results 119877 forthe available ciphertexts and forwards these results to theDU


ETA DO DU

Calls Setup()(i) Constructs

Public parameter (pp)Master secret key (msk)Data encryption key (key)

(pp key) (pp key)

System Setup

Calls SSetup()(i) Sets public-private

Calls USetup()(i) Sets public-private

SS

(pp)

key pair (X x) using pp key pair (Y y) using pp

(a)

DO SSData Upload

(C)

(i) It takes a set of keywords and a payload inputasMmessage

(iii) Calls Encryption() where

keywords and outputs C = (WM)

(ii) Performs EＥＳ(M)rarrM

it constructs a list W of encrypted

(b)

SSDU

(i) Calls TokGen() whereDU selects a conjunctive query Q

ETA

(ii) Prepares token verification keys (TVK1 TVK2)

(i) Prepares a final token

(TVK2)

(Q)

Token Generation

(i)Prepares a partial token (P４) using (pp msk Q X)

(PT TVK1)

T = (T TVK1)

(c)

SSDU

(i) Updates system table entry for TVK2 to avoid token replay attack

(R)

(T)

Search

(i) It applies T on C

(i) It calls Search() (ii) It verifies token T

using (TVK1 TVK2)

T is fresh

Yes

No

Repeatfor all C (ii) it returns R = (M)

(i) Returns R = (NULL)

(d)

Figure 4 Flowchart of MUSE-TFV

34 Attack Model and Security Definitions First we reem-phasize that the principal motivation of the proposedMUSE-TFV is to overcome the limitation in the existing SearchableEncryption schemes that allow replay of tokens and thuslack verification of token freshness Thus MUSE-TFV isaimed at supporting a Searchable Encryption scheme withthe novel provision for verification of the token freshnessand thereby avoiding replay attacks Therefore in the attackmodel described here we consider only token replay attacksand assume that any other attack against the scheme can bemitigated by using already existing mitigation approaches

We assume that an adversary A has the capabilities toperform the following attacks

(1) The server SS as an adversaryA can perform chosenkeyword attack to deduce the plaintext (keywords)from the available ciphertexts (lists of encryptedkeywords) and tokens

(2) The Data User DU as an adversary A can performtoken replay attack to reuse the maliciously capturedtoken

With SS as an adversary we define semantic security(aka indistinguishability against chosen keyword attack

(IND-CKA)) for the proposed conjunctive keyword searchscheme based on the security game ICLR (Indistinguishabil-ity of Ciphertext from Limited Random) [26 41] as follows

Definition 1 (ICLR) Let A be a polynomial bounded adver-sary and B be a challenger With ICLR when A has issueda keyword set119882 and a subset 119879 sube 1 2 119899 B respondswith two encrypted keyword sets associated with 119879 in sucha way thatA cannot distinguish the encrypted keyword setscreated with 119879 Thus with this game we achieve our securitygoal where we require that A should not be able to deducethe plaintext from other keyword sets The following are thesteps for the game ICLR [26 41]

(1) A adaptively requests B for the Encryption (1199011199011198821198941198841198721015840) of any keyword set119882119894 and any search token

(2) A selects a keyword set119882 a subset 119879 sube 1 2 119899and 119905 isin 119879 in such a way that none of the tokensgiven in Step (1) are distinguishing for 119877119886119899119889(119882 119879)and 119877119886119899119889(119882 119879 minus 119905) Here 119877119886119899119889(119882 119879) outputs aset119882 where the keywords indexed by 119879 (ie the set119908119894 | 119894 isin 119879) are replaced by random values A thensends (119882 119879 119905) to the challengerB


(3) B constructs two keyword sets1198820 = 119877119886119899119889(119882 119879minus119905)and1198821 = 119877119886119899119889(119882 119879)B then randomly chooses 119887 isin0 1 and returns Encryption (119901119901119882119887 1198841198721015840) toA

(4) A again makes requests for encrypted keyword setsand search tokens with the restriction that he cannotask for the token that is distinguishing for1198820 and1198821

(5) A outputs a bit 1198871015840 isin 0 1 and wins the ICLR game if1198871015840 = 119887We say that the polynomial time adversary A has an advan-tage 120598 in this attack game if

119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)

Additionally we define the security against token replayattack based on the following actions performed by a DataUser DU as an adversaryA

(1) A intercepts a token 119879 = (1198791015840 119888 = 119864119884(1198791198811198701))transmitted from the ETA to the DU (or from a DUto the SS) and stores it

(2) To reuse the token 119879 A replaces its verification keypart that is 119888 = 119864119884(1198791198811198701) with 1198881015840 in such a way thatthe SS considers a forged 119879 = (1198791015840 1198881015840) as a fresh tokenand returns a result 119877

(3) A repeats Step (2) till he does not receive the result 119877We say that an adversaryA is successful in token replay attackif he gets the result 119877 using a forged value of 1198884 Construction of MUSE-TFV

In this section we give the formal construction for theproposed algorithms of MUSE-TFV We also present a tokenverification procedure used in the design of the MUSE-TFVAdditionally we provide a security analysis for the proposedscheme

41 Formal Construction The concrete constructions for theproposed algorithms are as follows

(1) Setup(120572 119899) Let1198661 and1198662 be bilinear groups of primeorder 119901 where a security parameter 120572 defines thegroup size Let 119890 1198661 times 1198661 rarr 1198662 be a bilinearpairing and1198671 0 1lowast rarr 119885119901

lowast is a hash function Let119867 0 1lowast rarr 0 1119887 be any standard hash function(eg SHA2) that outputs amessage digest of 119887 bits Let119875 be a generator of 1198661 The algorithm initializes thekeyword spaceKS of total 119899 keywords For each 119895thkeyword it randomly selects 119896119895 isin 119885119901

lowast and computes119870119895 = 119896119895119875 Finally the algorithm sets the publicparameter 119901119901 = 1198671 119867 1198661 1198662 119875 119890 1198701198951le119895le119899 and amaster secret key119898119904119896 = 1198961198951le119895le119899

(2) SKeyGen(119901119901) The algorithm selects a random 119910 isin119885119901lowast and computes 119884 = 119910119875 It sets the public-private

key pair for the server SS as (119884 119910)(3) UKeyGen(119901119901) The algorithm selects a random 119909 isin119885119901

lowast and computes 119883 = 119909119875 It sets the public-privatekey pair for the user DU as (119883 119909)

(4) Encryption(119901119901119882 1198841198721015840) The algorithm takes asinput a list of keywords 119882 = 1199081 1199082 119908119899It chooses a random 1199031 isin 119885119901

lowast and constructsa ciphertext 1198621015840 = 1198621119895 11986221le119895le119899 where 1198621119895 =1199031(1198671(119908119895)119875 + 119870119895) + 1199031119884 1198622 = 1199031119875 Finally it outputsa ciphertext 119862 = (11986210158401198721015840) where1198721015840 is an encryptedpayload

(5) TokGen(119901119901119898119904119896 119876119883 119909 119884) This interactive algo-rithm works in 3 phases(a) A DU sends a conjunctive query 119876 = (1198821015840 1198681015840)

to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set

of keywords and 1198681015840 = 1198681 1198682 119868119905 is a set ofpositions of keywords inKS

(b) In response the ETA chooses a unique tokenidentification string 119879119900119896119868119863 isin 0 1ℓ and asecret random integer 119873 The ETA uses119879119900119896119881119890119903119870119890119910(119879119900119896119868119863119873119867()) rarr (1198791198811198701 1198791198811198702)algorithm to construct the token verificationkeys The ETA selects 1199051 isin 119885lowast

119901 randomly Ituses 119898119904119896 and 119883 to construct a token com-ponent 1198751198791015840 = 1198751198791 1198751198792 where 1198751198791 =1199051(sum119868119905

119895=1198681(1198671(119908119895) + 119896119895))119875 + 1199051119883 1198751198792 = 1199051119875At last the ETA sends a partial token119875119879 = (1198751198791015840 119864119884(1198791198811198701)) to the DU At thesame time it forwards (119864119884(1198791198811198702)) to the SS

(c) The DU selects a random element 1198861015840 isin 119885lowast119901

Using 119909 and 119884 the DU computes 1198791015840 = 1198791 11987921198793 1198794 as follows1198791 = 120591 + 1198861015840119884 1198792 = 1198751198792 = 1199051119875 1198793 = 1198861015840119875 1198794 = 1198681015840Where 120591 = 1198751198791 minus 1199091198751198792 = 1199051(sum119868119905

119895=1198681(1198671(119908119895) +119896119895))119875Finally the algorithm outputs a token 119879 =(1198791015840 119864119884(1198791198811198701))

(6) Search(119862119879119910)The algorithmapplies119863119910(119864119884(1198791198811198701))and 119863119910(119864119884(1198791198811198702)) to get the original verificationkey (1198791198811198701 1198791198811198702) from the encrypted values usinga private key 119910 of the SS The algorithm then calls119879119900119896119881119890119903(1198791198811198701 1198791198811198702) to verify the freshness of theinput token119879 If a token is fresh (ie119879119900119896119881119890119903(sdot) rarr 1)it applies 1198791015840 of 119879 on an available ciphertext 1198621015840 from 119862as follows

The algorithm computes

1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)

Then it checks the following correctness

119890 (1205911 1198792) = 119890 (1205912 1198622) (3)

If (3) is satisfied then the algorithm outputs theassociated payload message 1198721015840 as a result 119877 =119864119910(119864119883(1198721015840)) Here encryption with a public key 119883of DU provides confidentiality and signature with theprivate key 119910 of SS maintains integrity of a result 119877during transitThe algorithm repeatedly applies1198791015840 oneach available ciphertext at the server SS At last thealgorithm updates the current entry of 1198791198811198702 in thesystem table with 119879119880119901119889119886119905119890(1198791198811198702 1198791198811198701)

Note (i) The algorithms 119879119900119896119881119890119903119870119890119910() 119879119900119896119881119890119903() and119879119880119901119889119886119905119890() are described in Section 42 (ii) The query 119876from a DU to the ETA is in plaintext format It does notimpact the security of token as even if any unauthorized DUmaliciously captures a partial token he is unable to constructa final token unless having secret key 119909 (iii) The 119864119863 forthe verification keys is any standard encryptiondecryptioncipherThe encryption of the verification keys with the publickey 119884 of SS prevents their modification by a malicious DU

Correctness LHS of (3)

119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)

Here Δ = sum119868119905119895=1198681(1198671(119908119895) + 119896119895) From (4) and (5) the correct-

ness is proved

42 Token Verification Procedure To define a token verifi-cation procedure we borrow the idea from Hallerrsquos SKeyOne-Time Password System [34]The SKey scheme providesa technique to construct a one-time password at the clientsite and its verification at the host site The scheme workson 3 parameters (119904 119877119873119867()) where 119904 is a secret string 119877119873represents the number of times the hash is applied on 119904 and119867() is any standard cryptographic hash function We adoptsimilar parameters to define a token verification procedurefor the proposedMUSE-TFVThe token freshness verificationinvolves three algorithms

(1) TokVerKey(sRNH()) the token verification keygeneration algorithm outputs two keys (1198701 1198702)where 1198701 = 119867119877119873(119904) and1198702 = 119867119877119873minus1(119904)

(2) TokVer(K1K2) the token verification algorithm ver-ifies the freshness of a token by checking 1198701 =119867(1198702) If condition is true the algorithm outputs ldquo1rdquootherwise ldquo0rdquo

(3) TUpdate(K1K2) the token update algorithmupdatesthe current memory location of1198701 with1198702 that is itperforms1198701 = 1198702

The original SKey mechanism is defined with the traditionalhash function that is MD4 For MUSE-TFV we prefer SHA-2 to avoid collision attack

43 Security Analysis We analyze the semantic security ofMUSE-TFV against chosen keyword attack (IND-CKA)under DDH assumption Additionally we prove that theproposed MUSE-TFV provides security against token replayattack

Theorem 2 The proposed MUSE-TFV is semantically secureagainst a server SS as an adversary according to the game ICLRassuming DDH is intractable

Proof Let us assume a server SS as an adversaryA can attackthe proposed scheme in a polynomial time SupposeAmakesat most 119902119896 token queries where 119902119896 lt 119901 and has the advantage120598 in solving DDH problem in 1198661 Let 1198661 and 1198662 be twogroups of prime order 119901 and 119875 be the generator of 1198661 Webuild a simulator B as a challenger that has the advantage1205981015840 = 120598119890119899119902119896119899 to simulate the game where 119890 is base of naturallogarithm

Suppose an instance (119886119875 119887119875 119888119875) of the DDH problemin 1198661 is the Brsquos challenge information where 119886 119887 119888 isin 119885lowast

119901The goal of B is to distinguish 119888119875 = 119886119887119875 from randomelement in 1198661 One restriction is that the random element 119911is independent of the location 119905 selected in ICLR game thenthe simulation game is demonstrated as follows

(1) Setup An adversaryA randomly selects 119910 isin 119885lowast119901 and

computes119884 = 119910119875A then defines a public-private keypair (119884 119910) Let (119883 = 119909119875 119909) be the Brsquos public-privatekey pair

(2) Encryption Queries An adversary A issues thequeries for the ciphertext of the keyword set 119882119894 =1199081198941 1199081198942 119908119894119899 In response challenger B simu-lates Encryption(119901119901119882119894 119884) as follows


(i) B selects 120574119895 isin 119885lowast119901 for each keyword 119908119894119895 isin 119882119894

where 1 le 119895 le 119899(ii) B chooses a random value 1199031119894 isin 119885lowast

119901 and con-structs a ciphertext 119862119894 = (1198621119895)119894 (1198622)1198941le119895le119899where

(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)

(3) Token Queries To evaluate Search() algorithmA issues the token queries by sending 119876119894 =(1198821015840

119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840

119894119868119905 and1198681015840119894 = 1198681 1198682 119868119905 to B B takes a partial token1198751198791015840 = 1198751198791 1198751198792 from the ETA where 1198751198791 =1199051(sum119868119905119895=1198681(1198671(119908119895) + 119896119895))119875 + 1199051119883 1198751198792 = 1199051119875 B then

selects a random 1198861015840 isin 119885lowast119901 and computes final token119879119894 = 1198791119894 1198792119894 1198793119894 1198794119894 as follows1198791119894 = 120591 + 1198861015840119884 1198792119894 = 1199051119875 1198793119894 = 1198861015840119875 1198794119894 = 1198681015840 where120591 = 1198751198791 minus 1199091198751198792 = 1199051(sum119868119905

119895=1198681(1198671(119908119895) + 119896119895))119875At lastB sends this token 119879119894 toA

(4) ChallengeA issues a tuple (119882119894 119879 119905) toB where 119879 sube1 119899 and 119905 isin 119879If 119911 = 119905 B sends a random guess as the response tothe DDH challengeIf 119911 = 119905B responses are as follows

(a) It first sets ℎ119905 = 119888(120574119905119875 + 119870119905) + 119888119884(b) It sets ℎ1119895 = ℓ119895 for 119895 = 119905 119895 isin 119879 where ℓ119895 isin 119885lowast

119901(c) It sets ℎ1119895 = 119886(120574119895119875 + 119870119895) + 119886119884 for 119895 = 119905 119895 notin 119879(d) It sets ℎ2 = 119886119875

Finally B sends ℎ1119895 ℎ2 for 1 le 119895 le 119899 as challengeciphertext toAIf 119911 = 119905 then B wins the security game The cipher-text for every position 119895 notin 119879 is the encryption of119882and ciphertext in position 119905 where 119888 = 119886119887 is also anencryption of119882 Otherwise for other position it isnot

(5) More Queries A queries encryption of other key-word sets and tokens that A has not asked beforeB responds in the same way as in Step (2) andStep (3) The restriction is that A cannot issue theaforementioned queries for location 119905

(6) Guess At the end A outputs the guess 1198871015840 isin 0 1If 1198871015840 = 1 and B outputs ldquoYesrdquo then (119886119875 119887119875 119888119875) isconsidered as a DDH tuple Thus for 119911 = 119905 we canprove that (119886119875 119887119875 119888119875) is a DDH tuple as followsWe know from (3) that

119890 (1205911 1198792) = 119890 (1205912 1198622) (7)

This can be represented as

119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)

Now from the challenge ciphertext

119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)

Now from (9) and (11)

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)

On the other hand if 1198871015840 = 0 we cannot provethat the challenge (119888119875 119887119875 119888119875) is a DDH tuple sinceencryption at position 119895 is random and it cannotconfirm (12) However the advantage ofA to win thegame ICLR is same as that of theB which solves theDDH challenge


Now the following are the two simulations of Brsquosadvantages

(i) 1198781 B responds to the search token queries for119899 keyword issued byA(ii) 1198782B is not aborted in the challenge phase

For large enough 119902119896 the probability of 1198781 and 1198782 canbe defined as

119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)

Thus the Brsquos advantage 1205981015840 in solving the DDHproblem is 1205981015840 = 120598 sdot 119875119903[1198781 cap 1198782] ge 120598119890119899119902119896119899

According to Propositions 1 and 2 of [26] if there existsan adversary with nonnegligible advantage to win ICC gamethen there exists another adversary with a nonnegligibleadvantage to win the ICLR game However as per theabove proof the advantage of B is 120598119890119899119902119896119899 isin [0 12119890119899119902119896119899]which is negligible Thus the proposed MUSE-TFV schemeis at least (1 minus 12119890119899119902119896119899) secure under the ICLR game ifDDH assumption is intractable This completes the proof forTheorem 2

Theorem 3 The proposed MUSE-TFV provides securityagainst token replay attack

Proof Let us assume a DU as an adversaryA can perform atoken replay attack as follows

(1) An adversary A maliciously captures a valid token119879 = (1198791015840 119888 = 119864119884(1198791198811198701)) and stores it(2) To reuse the token 119879 an adversary A replaces its

verification key part that is 119888 = 119864119884(1198791198811198701) with 1198881015840in such a way that the further execution of TokVer()(at the site of SS) outputs ldquo1rdquo and so the SS returns aresult 119877

If 119862119904119894119911119890 is the size of a ciphertext generated byan encryption algorithm 119864 then an adversaryA required 2119862119904119894119911119890 attempts to forge a valueldquo119888rdquo With any standard secure algorithm (ie160-bit ECEL (ECC based Elgamal Encryption)(as public key 119884 of SS is an element from agroup of points of an elliptic curve any ECCbased encryption algorithmmust be used)) theprobability of an adversary A to guess a valid(1198881015840 = 119888) is 1(2160)Additionally the adversary A is completelyunaware about the other verification key 1198791198811198702available at the site of the SS Thus a tokenwith the replaced verification key that is 119879 =(1198791015840 1198881015840) must be issued to the SS to checkthe output of 119879119900119896119881119890119903(1198791198811198701 1198791198811198702) algorithmDenoting 119862119862 as a communication cost (from a

Table 1 Comparative analysis significant characteristics

Schemes MU MKC MKQ SCF TFVHwang and Lee 2007 [9] times timesKiayias et al 2016 [17] times times times timesZhang et al 2016 [18] times times timesWang et al 2016 [19] times times times timesB Zhang and F Zhang 2011 [21] times times timesDing et al 2012 [22] times timesChen et al 2012 [23] times times timesMUSE-TFV MU multiuser support MKC multiple keywords in ciphertext MKQmultiple keywords in query SCF secure channel-free architecture and TFVtoken freshness verification

DU to SS) of a single message we find 119874(119862119862 sdot2160) communication complexity in the systemfor 2160 attempts potentially performed by anadversaryA to forge a value of 119888

However with a communication link of 100Mbps anda Maximum Transmission Unit (MTU) of 1500 bytes(Ethernet) it requires about 57 sdot 1030 years to attemptall the possible values of 119888 Thus for any adversaryAthe probability of getting the result 119877 by forging thevalue 119888 is negligible

Thus we say that the proposed scheme MUSE-TFV is secureagainst token replay attack

5 Theoretical Analysis andEmpirical Evaluation

In this section we first present theoretical analysis of the pro-posed MUSE-TFV Subsequently we show the performanceefficiency ofMUSE-TFVwith a detailed empirical evaluation

51 Theoretical Analysis We highlight the significant char-acteristics of MUSE-TFV in comparison with the existingmultiuser searchable schemes [9 17ndash19] and conjunctivesearch schemes [21ndash23] in Table 1 As the other multiusersearchable schemes [10 11 13 16] utilize inverted index searchstructure (in inverted index based Searchable Encryptiona single common index (list of keywords) is defined forthe entire set of encrypted documents) their comparisonwith the simple index based MUSE-TFV (in simple indexsearchable scheme a separate index of keywords is associatedwith each encrypted document) is inapplicable here

From Table 1 we observe that no scheme amongst thelisted multiuser schemes provides a secure channel-freearchitecture for a token transmission On the other handa conjunctive search scheme discussed in [22] offers sucharchitecture but it does not support multiple users in thesystem In contrast the proposed MUSE-TFV provides aconjunctive keyword based search with secure channel-free token transmission in multiuser settings AdditionallyMUSE-TFV has provision to verify the freshness of token toprevent token replay attack


Table 2 Comparative analysis storage-computational complexity

Schemes Storage overhead Computational overheadCiphertext Token Encryption() TokGen() Search()

Hwang and Lee 2007 [9] (119899 + 119906)1198661 31198661 (2 + 2119899 + 119906)119864 + 119875 21199051198721015840 + 3119864 1199051198721015840 + 3119875Kiayias et al 2016 [17] 101198661 51198661 22119864 + (4 + 2119906119896)1198721015840 + 2119875 81198721015840 + 13119864 (1 + 119906119896)1198721015840 + 3119875Zhang et al 2016 [18] 119899119867 1198661 2119864 + (1 + 119899)119875 1119864 119864 + 2119875 + 119880Wang et al 2016 [19] (119902 + 119862)119899 1119867 2119899119864 + 2119899119875 1119864 1119875 + 119899119863B Zhang and F Zhang 2011 [21] (1 + 119899)1198661 + 1198662 (2 + 119905)1198661 (2 + 2119899)119864 + 119875 (2 + 3119905)119864 (1 + 2119905)119875Ding et al 2012 [22] (1 + 119899)1198661 1198661 (2 + 2119899)119872 119872 + 119864 3119872 + 2119875Chen et al 2012 [23] 51198661 41198662 (4 + 119899)119864 4119864 4119875MUSE-TFV (1 + n)G1 3G1 + V (2 + 2n)M 6M 2M + 2Pn number of keywords in the system t number of keywords in a query u number of users in the system uk number of users accessing an associated fileHsize of a message digest output by the used hash function (G1G2) size of an element from bilinear groups1198661 and1198662V ciphertext size of the used encryptionroutine q size of a random integer P pairing E exponentiationM scalar multiplicationM1015840 modular multiplicationD data comparison andU set unionoperation

We compare the performance of MUSE-TFV with theexisting schemes in terms of the storage overhead (ie sizeof a ciphertext (excluding payload) and size of a token)and computational overhead (for the proposed Encryption()TokGen() and Search() algorithms) in Table 2

511 Storage Complexity To show the storage overhead wepresent the ciphertexttoken size in terms of the size of anelement from the bilinear groups (1198661 1198662) Observing Table 2we say that the constructions given in [17 23] are storageefficient with the constant ciphertext and token size (ie119874(1)) In contrast the proposed MUSE-TFV has a ciphertextsize linear to the number of keywords in the system (ie(119874(119899)) that is same as ciphertext storage complexity of theexisting schemes [18 19 21 22]

The significant characteristic of MUSE-TFV is its con-stant (ie119874(1)) token storage complexityThis constant over-head makes the proposed scheme as efficient as the existingschemes [9 17 18 22] In fact the actual token size for theMUSE-TFV is three times higher than the token constructedby the schemes [18 22] However with such increased tokensize we offer a secure token transmission over any publicchannel without channel setup overhead Moreover with anadded component 119881 to the token (where 119881 is the size ofa ciphertext for an encrypted verification key 1198791198811198701) weprevent the token replay attack

512 Computational Complexity We present the computa-tional overhead in terms of the major operations namelymodular multiplication (1198721015840) scalar multiplication (119872)exponentiation (119864) and pairing (119875) involved in the listedschemes From our experiments we observe that a scalarmultiplication an exponentiation and a pairing operation arecostlier (involving more CPU cycles) than a modular multi-plication operation Therefore from Table 2 we say that thecomputational cost of the proposed Encryption() algorithm(ie (2 + 2119899)119872) is almost same as the encryption cost of thelisted multikeyword schemes [9 21 22] We note that thisencryption overhead is double as compared to the encryptionoverhead involved in the schemes [18 23]

On the other hand similar to the scheme in [18] MUSE-TFV has a constant computational complexity ie (119874(119899))(independent of the number of users 119906) for Encryption()algorithm Such computational cost is far more better thanthe existing schemes [9 17] with119874(119899 + 119906) and 119874(119906119896) encryp-tion overhead respectively Therefore we say that with mod-erate computational overhead for the proposed Encryption()algorithm MUSE-TFV supports multiple keyword basedsearch as well as multiple users in the system

From Table 2 we observe that the computational com-plexity of the proposed TokGen() algorithm of MUSE-TFV issame as the token construction cost of the existing schemes[18 22 23] ie 119874(1) With such constant computationaloverhead MUSE-TFV performs better than the existingschemes [9 21] having 119874(119905) token construction overheadAdditionally we note that TokGen() algorithm of MUSE-TFV consumes more CPU cycles as compared to the TokenGeneration algorithm of the schemes [18 22 23] due toits interactive token construction steps However with suchadded overhead MUSE-TFV supports multiple users in thesystem

We also note that the computational cost of a Search()algorithm of MUSE-TFV (ie (2119872 + 2119875)) is almost sameas the existing schemes [18 22 23] This constant searchcomplexity (ie 119874(1)) is better than the search complexity(ie 119874(119905)) involved in [9 21] Moreover as a multiuserscheme the MUSE-TFV offers constant computational cost119874(1) (ie independent from 119906) during search phaseThis costis much more better than the search computational overhead(ie 119874(119906119896)) involved in the scheme [17] It is worth notingthat with similar search complexity as the existing schemes[18 22 23] the proposed MUSE-TFV provides an additionaltoken freshness verification feature

513 Communication Complexity In Table 3 we presentthe communication complexity of the proposed MUSE-TFVduring Data Upload Token Generation and Search phasesas compared to the existing multiuser schemes [9 17ndash19]We note that with 119878 as a message a scheme in [19] sufferswith the highest communication overhead (ie 3119888119878 for 119888


Table 3 Comparative analysis communication complexity

Schemes Data Upload Token Generation SearchHwang and Lee 2007 [9] 119888119878 mdash (1 + 119888)119878Kiayias et al 2016 [17] 119888119878 mdash (3 + 119888)119878Zhang et al 2016 [18] 119888119878 mdash 2119878Wang et al 2016 [19] 3119888119878 mdash (1 + 119888)119878MUSE-TFV cS 2qS (1 + c)SS a message c number of ciphertexts available at the server and q numberof queries

ciphertexts) duringData Upload phase wherein uploading ofa single ciphertext involves three messages (ie a preindexmessage from aDataOwner to the server an index parametermessage from the server to the Data Owner and a ciphertextmessage from the Data Owner to the server) In contrastthe proposed MUSE-TFV has an optimal communicationoverhead of a single message per ciphertext (ie 119888119878messagesfor 119888 ciphertexts) from a Data Owner to the server Withsuch overhead the proposed scheme performs similar to theexisting schemes discussed in [9 17 18]

A scheme in [17] uses two servers (119878main and 119878aid) toperform a search operation where a communication over-head is (3 + 119888)119878 messages (ie a token message from a userto 119878main a token message from a user to 119878aid an additionalmessage from 119878aid to 119878main and 119888 result messages from 119878mainto the requesting user) In contrast the proposedMUSE-TFVinvolves (1+119888)119878messages (ie a tokenmessage from a user tothe Storage Server and 119888 resultmessages from the server to theuser) during Search phase The scheme of [18] has the lowestcommunication overhead during search operation that is2119878 (a token message from a user to the server and a resultmessage from the server to the user) However in the scheme[18] the server suffers with the additional computationaloverhead (for set union operations) in order to incorporate119888 result messages into a single message

Table 3 shows that the Token Generation phase of theproposed MUSE-TFV suffers with the communication over-head of 2119902119878 for 119902 queries This overhead is due to theinteractive Token Generation algorithm that involves twomessage exchanges between a DU and the ETA that is aToken Request message from a DU and a response messagefrom the ETA However with such added communicationoverhead we achieve a more secure system wherein everyToken Generation activity is logged at the trusted site andthus any dishonest activity from a DU can easily be trackedMoreover with such interactive TokenGeneration algorithmthe proposed scheme provides a token freshness verificationto prevent a token replay attack Thus MUSE-TFV is indeedan effective multiuser scheme for the applications wheresecurity of each search activity is a prime requirement

52 Empirical Evaluation To evaluate the performance weconduct the experiments on 32-bit 210GHz Pentium Core 2Duo CPU withWindows 7 machine using Java Pairing basedCryptographic (JPBC) Library [42] From JPBC Library weutilize Type A pairing (ie 1198661 times 1198661 rarr 1198662) which is based on

Table 4 Simulation parameters

Parameters Values for simulation119899 50 100 150 200 250 300119906 1000 2000 3000 4000 5000119905 10 20 30 40 50

an elliptic curve 119864(119865119902) 1199102 = 1199093 + 119909 Here the group 1198661 is asubgroup of 119864(119865119902) and the cyclic group 1198662 is a subgroup of119864(119865119902)2 where 119902 is a large prime number The group order of1198661 is 160 bits and the base field is 512 bits

To systematically compare the performance of theMUSE-TFV with other schemes we consider three significantparameters that is (i) number of keywords in the system (119899)(ii) number of keywords in a query (119905) and (iii) number ofusers in the system (119906) (Table 4)We perform experiments fordifferent size systems with 119899 isin 50 100 150 200 250 300For each system we simulate the Encryption() TokGen() andSearch() algorithmsmultiple times and consider their averageresults To show the efficiency of MUSE-TFV as a multiuserscheme we consider a different number of users that is119906 isin 1000 2000 3000 4000 5000 in the system Addition-ally during Token Generation experiments we select theconjunctive queries with the variable number of keywordsthat is 119905 isin 10 20 30 40 50 As a large number of keywordsin conjunction make a query complex and impractical weselect comparatively small values for 119905

From Table 2 we identify that the computational costof Encryption() algorithms for all multikeyword schemes(119872119870119862) [21ndash23] depends upon 119899 whereas for all multiuserschemes [9 17 18] it depends upon 119899 or 119906 or 119906119896 Thus wesimulate Encryption() algorithms for all the listed schemeswith different values of 119899 and 119906 separately and show theirresponses in Figures 5(a) and 5(b) respectively Note that forsimulation purpose we consider the worst case scenario for ascheme [17] where 119906119896 = 119906

From the results in Figure 5(a) we note that the encryp-tion time of the proposed MUSE-TFV is linearly increasingwith the number of keywords (ie 119899) However this timeoverhead is same as the encryption time overhead of [921 22] but larger than the overhead involved in [18 23]Additionally from Figure 5(b) we observe that the existenceof multiple users in the system does not affect the timeconsumption of encryption algorithm of MUSE-TFV Thischaracteristic makes the MUSE-TFVmore practical than theexisting multiuser schemes [9 17] where the encryption timeoverhead is linearly increasing with the number of usersHere we say that with the constant encryption overhead (ieindependent of the number of users (119906)) the Encryption()algorithm of MUSE-TFV supports multiple keywords in aciphertext and multiple users in the system

We present the empirical results for TokGen() algorithmof MUSE-TFV and other multikeyword (MKQ) schemes inFigure 6 From these results we say that theMUSE-TFV takesalmost constant time to construct a token regardless of thenumber of keywords in a query With this characteristicMUSE-TFV resembles the schemes [22 23] and performs


Hwang and Lee 2007 [9]Zhang et al 2016 [18]B Zhang and F Zhang 2011 [21]

Ding et al 2012 [22]Chen et al 2012 [23]MUSE-TFV

50 100 150 200 250 3000n (number of keywords in the system)

0

5

10

15

20

25

Tim

e (s)

(a)

Hwang and Lee 2007 [9]Kiayias et al 2016 [17]

Zhang et al 2016 [18]MUSE-TFV

100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)

Figure 5 Simulation results for Encryption() algorithm

Hwang and Lee 2007 [9]B Zhang and F Zhang 2011 [21]Ding et al 2012 [22]

Chen et al 2012 [23]MUSE-TFV

001

01

1

10

Tim

e (s)

10 20 30 40 500t (number of keywords in a query)

Figure 6 Simulation results for TokGen() algorithm

better than the other multikeyword schemes [9 21] having119874(119905) token computational overhead However MUSE-TFVtakes more time as compared to [22 23] because of itsinteractive nature

According to Table 2 the computational overhead for theSearch() algorithm of the listed schemes is either constantor otherwise depending upon 119905 or 119906119896 Thus we simulatethe listed schemes for their Search() algorithm with differentvalues of 119905 and 119906 separately and show their responses inFigures 7(a) and 7(b) respectively

Observing the results in Figure 7(a) we note that thesearch time overhead for MUSE-TFV is almost constant andindependent of the number of keywords in a query (119905) Withthis characteristic the MUSE-TFV performs a conjunctivesearch withmuch less computational time as compared to theexisting conjunctive search schemes [9 21] where the searchtime is affected by the number of keywords in query (119905)From the results in Figure 7(b) we note that with constantsearch time overhead the proposed MUSE-TFV supportsmultiple users in the system as efficiently as the scheme[18] In addition we say that with the search time linear tothe number of users (119906) the scheme of [17] is indeed lesspractical In contrast with the constant search time overheadthe MUSE-TFV performs a conjunctive keyword search inresponse to a query coming from any user in the multiusersettings

At last we claim that our empirical results are completelyin accordance with the theoretically measured computa-tional complexity presented in Table 2 From the theoreticalanalysis and empirical evaluation we conclude that withthe moderate storage-computational overhead the proposedMUSE-TFV is an elegant multiuser searchable scheme with aprovision of conjunctive keyword search and token freshnessverification

6 Concluding Remarks

In this paper we discuss the proposed MUSE-TFV a Mul-tiuser Searchable Encryption with Token Freshness Verifica-tion that is based on the concept of Functional EncryptionUnlike the existing Functional Encryption based multiusersearchable schemes wherein a user generates a search tokenusing his own search key in the proposedMUSE-TFV a DataUser DU constructs a search token in cooperation with the




01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)

Figure 7 Simulation results for Search() algorithm

ETA With such interactive Token Generation mechanismevery search activity of each DU is logged at the enterprisetrusted site and thus dishonest activity can be easily capturedMoreover in the MUSE-TFV each constructed token is validfor one-time use and its freshness is checked at the SS usinga verification key issued by the ETA Such token verificationprocedure prevents the reuse of the same token and sothe MUSE-TFV avoids token replay attack Additionally weprovide a secure channel-free token transmission as well as aconjunctive keyword search with the proposed scheme

With a security analysis we prove the correctness of theproposed MUSE-TFV against chosen keyword attack andtoken replay attack With a detailed theoretical analysis wejustify the efficiency of the proposed scheme Additionallywe evaluate the performance of the proposed scheme basedon three significant parameters number of users numberof keywords in the system and the number of keywords inconjunctive query Our experimental evaluation shows thatwith almost same computational-storage overhead as theexisting conjunctive keyword search schemes the proposedMUSE-TFV provides the additional features of multiusersupport and token freshness verification

Notations

119901119901 Systemrsquos public parameters119898119904119896 Master secret key119899 Number of keywords in the system119906 Number of users in the systemKS Keyword space that involves 119899

keywords(119884 119910) Serverrsquos public-private key pair(119883 119909) Userrsquos public-private key pair

1198721015840 = 119864119896119890119910(119872) Encrypted payload message where119864 is any symmetric key cipher witha key 119896119890119910119882 = 119908119895 | 1 le 119895 le 119899 A list of 119899 keywords associated witha ciphertext119862 A ciphertext119875119879 A partial token119879 A token119905 Number of keywords in aconjunctive query1198761015840 = 1198821015840 1198681015840 A conjunctive query that involvestwo sets (1198821015840 1198681015840) where1198821015840 = 1199081015840

119895119895isin1198681015840 is a list of 119905 keywordsand 1198681015840 = ℓ1 ℓ2 ℓ119905 is a list ofpositions of keywords inKS119862119894 119894th ciphertext(1198791198811198701 1198791198811198702) Token verification keys119877 A search result

Conflicts of Interest

The authors declare that they have no conflicts of interest

References

[1] M Abdalla M Bellare D Catalano et al ldquoSearchable encryp-tion revisited consistency properties relation to anonymousIBE and extensionsrdquo in Advances in cryptologymdashCRYPTO2005 vol 3621 of Lecture Notes in Comput Sci pp 205ndash222Springer Berlin 2005

[2] S Shin and K Kobara ldquoTowards secure cloud storagerdquo Demofor CloudCom 2010 vol 2 p 8 2010


[3] G Brunette RMogull and et al ldquoSecurity guidance for criticalareas of focus in cloud computing v2 1rdquoCloud Security Alliancepp 1ndash76 2009

[4] D X Song D Wagner and A Perrig ldquoPractical techniques forsearches on encrypted datardquo inProceedings of the in Security andPrivacy 2000 SP2000 IEEE Symposiumon 1em plus 05emminus04em IEEE pp 44ndash55 2000

[5] E-J Goh ldquoSecure indexesrdquo IACRCryptology ePrint Archive vol2003 p 216 2003

[6] D Boneh G Di Crescenzo R Ostrovsky and G PersianoldquoPublic key encryption with keyword searchrdquo in Advances inCryptologymdashEUROCRYPT 2004 vol 3027 of Lecture Notesin Computer Science pp 506ndash522 Springer Berlin Germany2004

[7] J Baek R Safavi-Naini and W Susilo ldquoPublic key encryptionwith keyword search revisitedrdquo in Proceedings in ComputationalScience and Its ApplicationsndashICCSA International ConferencePart I 2008 1em plus 05emminus 04em vol 30 pp 1249ndash1259Springer Perugia Italy 2008

[8] D J Park K Kim and P J Lee ldquoPublic Key Encryption withConjunctive Field Keyword Searchrdquo in Information SecurityApplications vol 3325 of Lecture Notes in Computer Science pp73ndash86 Springer Berlin Heidelberg Berlin Heidelberg 2005

[9] Y H Hwang and P J Lee ldquoPublic key encryption with conjunc-tive keyword search and its extension to amulti-user systemrdquo inPairing-based cryptographymdashPairing 2007 vol 4575 of LectureNotes in Comput Sci pp 2ndash22 Springer Berlin 2007

[10] P Wang H Wang and J Pieprzyk ldquoCommon secure indexfor conjunctive keyword-based retrieval over encrypted datardquoSecure Data Management pp 108ndash123 2007

[11] PWang HWang and J Pieprzyk ldquoThreshold privacy preserv-ing keyword searchesrdquo in Proceedings of the International Con-ference on Current Trends in Theory and Practice of ComputerScience 1em plus 05em minus 04em 2008 pp 646ndash658 pp646ndash658 Springer 2008

[12] P Wang H Wang and J Pieprzyk ldquoAn Efficient Schemeof Common Secure Indices for Conjunctive Keyword-BasedRetrieval on Encrypted Datardquo in Information Security Applica-tions vol 5379 pp 145ndash159 Springer Berlin Heidelberg 2009

[13] P Wang H Wang and J Pieprzyk ldquoKeyword Field-Free Con-junctive Keyword Searches on Encrypted Data and Extensionfor Dynamic Groupsrdquo in Cryptology and Network Security vol5339 pp 178ndash195 Springer Berlin Heidelberg 2008

[14] F Bao R H Deng X Ding and Y Yang ldquoPrivate query onencrypted data in multi-user settingsrdquo in Information securitypractice and experience vol 4991 of Lecture Notes in ComputSci pp 71ndash85 Springer Berlin 2008

[15] J Li and X Chen ldquoEfficient multi-user keyword search overencrypted data in cloud computingrdquo Computing and Informat-ics vol 32 no 4 pp 723ndash738 2013

[16] H Huang J Du H Wang and R Wang ldquoA multi-keywordmulti-user searchable encryption scheme based on cloud stor-agerdquo in Proceedings of the Joint 15th IEEE International Con-ference on Trust Security and Privacy in Computing and Com-munications 10th IEEE International Conference on Big DataScience and Engineering and 14th IEEE International Symposiumon Parallel and Distributed Processing with Applications IEEETrustComBigDataSEISPA 2016 pp 1937ndash1943 August 2016

[17] A Kiayias O Oksuz A Russell Q Tang and B Wang in Pro-ceedings of the European Symposium on Research in ComputerSecurity 1em plus 05em minus 04em pp 173ndash195 Springer2016

[18] Y Zhang L Liu and SWang ldquoMulti-User and Keyword-BasedSearchable Encryption Schemerdquo in Proceedings of the 201612th International Conference on Computational Intelligence andSecurity (CIS) pp 223ndash227 Wuxi China December 2016

[19] S Wang X Zhang and Y Zhang ldquoEfficiently multi-usersearchable encryption scheme with attribute revocation andgrant for cloud storagerdquo PLoS ONE vol 11 no 11 Article IDe0167157 2016

[20] J Ye J Wang J Zhao J Shen and K-C Li ldquoFine-grainedsearchable encryption in multi-user settingrdquo Soft Computingpp 1ndash12 2016

[21] B Zhang and F Zhang ldquoAn efficient public key encryption withconjunctive-subset keywords searchrdquo Journal of Network andComputer Applications vol 34 no 1 pp 262ndash267 2011

[22] M Ding F Gao Z Jin and H Zhang ldquoAn efficient public keyencryption with conjunctive keyword search scheme based onpairingsrdquo Proceedings in 2012 3rd IEEE International Conferenceon Network Infrastructure and Digital Content 1em plus 05emminus 04em IEEE pp 526ndash530 2012

[23] Z Chen C Wu and D Wang ldquoConjunctive keywords search-able encryption with efficient pairing constant ciphertext andshort trapdoorrdquo PAISI pp 176ndash189 2012

[24] Y-C Chang and M Mitzenmacher ldquoPrivacy Preserving Key-word Searches on Remote Encrypted Datardquo inApplied Cryptog-raphy and Network Security 1em plus 05em minus 04em vol3531 pp 442ndash455 Springer Berlin Heidelberg 2005

[25] R Curtmola J Garay S Kamara and R Ostrovsky ldquoSearch-able symmetric encryption improved definitions and efficientconstructionsrdquo Journal of Computer Security vol 19 no 5 pp895ndash934 2011

[26] P Golle J Staddon andBWaters ldquoSecure conjunctive keywordsearch over encrypted datardquo in Applied Cryptography andNetwork Security Second International Conference ACNS 2004Yellow Mountain China June 8ndash11 2004 Proceedings vol 3089of LectureNotes in Computer Science pp 31ndash45 Springer BerlinGermany 2004

[27] L Ballard S Kamara and F Monrose ldquoAchieving efficient con-junctive keyword searches over encrypted datardquo Lecture Notesin Computer Science (including subseries Lecture Notes in Arti-ficial Intelligence and Lecture Notes in Bioinformatics) Prefacevol 3783 pp 414ndash426 2005

[28] J W Byun D H Lee and J Lim ldquoEfficient Conjunctive Key-word Search on Encrypted Data Storage Systemrdquo in Public KeyInfrastructure 1em plus 05em minus 04em vol 4043 pp 184ndash196 Springer Berlin Heidelberg 2006

[29] D Boneh and B Waters ldquoConjunctive subset and rangequeries on encrypted datardquo in Theory of Cryptography Con-ference TCC 2007 1em plus 05em minus 04em pp 535ndash554Springer Berlin Germany 2007

[30] M-S Hwang S-T Hsu and C-C Lee ldquoA new public keyencryption with conjunctive field keyword search schemerdquoInformation Technology and Control vol 43 no 3 pp 277ndash2882014

[31] H S Rhee J H Park W Susilo and D H Lee ldquoTrapdoorsecurity in a searchable public-key encryption scheme with adesignated testerrdquo The Journal of Systems and Software vol 83no 5 pp 763ndash771 2010

[32] Y ZhaoHMa X ChenQ Tang andH Zhu ldquoA new trapdoor-indistinguishable public key encryption with keyword searchrdquoJournal ofWirelessMobile Networks Ubiquitous Computing andDependable Applications vol 3 no 1-2 pp 72ndash81 2012


[33] Y Miao J Ma F Wei Z Liu X A Wang and C Lu ldquoVCSEVerifiable conjunctive keywords search over encrypted datawithout secure-channelrdquo Peer-to-Peer Networking and Applica-tions vol 10 no 4 pp 995ndash1007 2017

[34] NHaller ldquoTheSKEYOne-TimePassword Systemrdquo RFCEditorRFC1760 1995

[35] D Boneh andM Franklin ldquoIdentity-based encryption from theWeil pairingrdquo in Advances in CryptologymdashCRYPTO 2001 vol2139 of Lecture Notes in Computer Science pp 213ndash229 2001

[36] A Shamir ldquoIdentity-based cryptosystems and signatureschemesrdquo in Advances in Cryptology Proceedings of (CRYPTOrsquo84) vol 196 of Lecture Notes in Computer Science pp 47ndash53Springer Berlin Germany 1985

[37] J Bethencourt A Sahai and B Waters ldquoCiphertext-policyattribute-based encryptionrdquo in Proceedings of the IEEE Sympo-sium on Security and Privacy (SP rsquo07) pp 321ndash334 May 2007

[38] V Goyal O Pandey A Sahai and B Waters ldquoAttribute-basedencryption for fine-grained access control of encrypted datardquoin Proceedings of the 13th ACM Conference on Computer andCommunications Security (CCS rsquo06) pp 89ndash98 November2006

[39] A Sahai and B Waters ldquoFuzzy identity-based encryptionrdquoin Advances in Cryptology ndash EUROCRYPT 2005 vol 3494of Lecture Notes in Computer Science pp 457ndash473 SpringerBerlin Germany 2005

[40] J Katz A Sahai and B Waters ldquoPredicate encryption support-ing disjunctions polynomial equations and inner productsrdquoin Advances in CryptologymdashEUROCRYPT 2008 vol 4965 ofLecture Notes in Computer Science pp 146ndash162 Springer BerlinGermany 2008

[41] C-C Lee S-T Hsu and M-S Hwang ldquoA study of conjunctivekeyword searchable schemesrdquo IJ Network Security vol 15 no 5pp 321ndash330 2013

[42] A de Caro and V Iovino ldquojPBC Java pairing based cryptogra-phyrdquo in Proceedings of the 16th IEEE Symposium on Computersand Communications (ISCC rsquo11) pp 850ndash855 July 2011

RoboticsJournal of

Hindawi Publishing Corporationhttpwwwhindawicom Volume 2014


Active and Passive Electronic Components

Control Scienceand Engineering

Journal of


International Journal of

RotatingMachinery


Hindawi Publishing Corporation httpwwwhindawicom

Journal of

Volume 201

Submit your manuscripts athttpswwwhindawicom

VLSI Design



Shock and Vibration


Civil EngineeringAdvances in

Acoustics and VibrationAdvances in



Electrical and Computer Engineering

Journal of

Advances inOptoElectronics


Volume 2014

The Scientific World JournalHindawi Publishing Corporation httpwwwhindawicom Volume 2014

SensorsJournal of


Modelling amp Simulation in EngineeringHindawi Publishing Corporation httpwwwhindawicom Volume 2014


Chemical EngineeringInternational Journal of Antennas and

Propagation




Navigation and Observation



DistributedSensor Networks



Searchable EncryptionStorageServer

T

T

C

CM

List+ =

1

2

3

4

5Searchresult


Ciphertext (C)

Figure 1 System model of Searchable Encryption (SE) Steps (1)Data Owner uploads a ciphertext119862 (ie encrypted payloadmessage+ list of encrypted keywords) onto the Storage Server (2)Data Userconstructs a search token 119879 using a secret key (3) Data User sends119879 to the server (4) Storage Server applies 119879 on 119862 (5) Storage Serverreturns the result to the requesting user

by a Data Owner In addition the recent schemes in [17ndash20]provide Multiuser Searchable Encryption with the notion ofFunctional Encryption (FE) (Section 21) where an EnterpriseTrusted Authority (ETA) is responsible for the System Setupand amaster public key setupThemost notable characteristicof FE is that a systemrsquos master public key is utilized toprepare the searchable ciphertexts and a single ciphertext canserve multiple search tokens (may be issued by differentusers) Therefore such FE based searchable schemes cansupportmultiple users in the systemwith the optimal storage-computational overhead (ie 119874(|119863|)) for the ciphertextsAdditionally in the schemes [17ndash20] a separate search key(related to the master public key) is issued (either by anETA or by a Data Owner) to each user Subsequently auser constructs a search token with an available search keyThe downside is that once a user has a search key he canprepare a search token at any time As a result a dishonestuser colluding with the untrusted cloud server can mali-ciously search the valid data and the system administrator(ie ETA) is completely unaware about such adversarialactivity Moreover with the existing Searchable Encryptionmechanisms there is no provision for the token freshnesschecking at the server site As a result if an unauthorizeduser masquerading as an authorized user has a valid tokenhe can use the token to make search queries in the future Inpractice there exist applications wherein every search queryfrom the users should be logged to the enterprise trusted sitein order to identify any dishonest activity performed by anyuser (authorized or unauthorized) In addition there shouldbe a provision against token replay attack to avoid misuseof a valid token Let us take one of such applications as anexample

(i) Consider an Online Banking System where the cus-tomersrsquo transaction records are stored at the Bankrsquoscloud Storage Server Practically these records are uti-lized by several official users (ie managers officersclerks etc) of the Bank Let us assume that the Bankrsquoscentralized processing server (trusted authority) uses

any of the existing FE based searchable schemesand accordingly issues a separate search key to eachauthorized user of the Bank

In such a setup let us take a case of a managerwho is responsible for generating a daily reportfor the ATM transactions with a specific ATM-ID To perform this activity every day themanager constructs a search token (using hissearch key) for a query that is ldquolist all ATMtransactions for ATM-ID todayrdquo He issues thistoken to the server and collects the result Inthis scenario what happens if a peon steals thesearch token and masquerades as an officer tosend this token to the server In any FE basedsearchable scheme the server only checks theauthorization of a user In this case since a peonimpersonates an authorized officer of the Bankhe passes the authorization test conducted bythe server and gets the search result In factperforming such token replay attack (by reusingthe token) and leaking the information aboutATM transactions to the intruder (outsider) ona daily basis the peonmay provoke the criminalactivities near that ATM

From the above scenario we say that in the Bankingsystem since every search result involves critical financialinformation the search activity by each user should be loggedat the Bankrsquos centralized processing server In addition toavoid misuse of any valid token it is desirable to preventtoken replay attack in such system

With the existing FE based searchable schemes [17ndash20] auser possessing a search key can ask the server to execute asearch operation at any time and therefore the search activityof a user cannot be tracked The problem can be resolved byan interactive scheme where a search token is constructedby the centralized trusted authority on request from anauthorized user However such solution raises the demandof secure token transmission along the entire path from thetrusted authority up to the server through a user Moreovera token replay attack should be prevented by verifying thefreshness of each search token at the server site In additionit is desirable to have a search operation with the support ofconjunctive queries in such system

11 Related Work The notion of Searchable Encryption isintroduced by Song et al in [4] where the authors considersearch over encrypted keywords within a file However thisfirst practical scheme leaks the search keywords to the serverand suffers from the communication overhead linear to thefile size In fact the scheme in [4] is not secure againststatistical analysis across multiple queries To resolve theproblems Goh et al [5] andChang andMitzenmacher [24] intheir separate work construct the secure searchable schemesby proposing an encrypted index for a document Thoughthe schemes in [4 5 24] perform efficient search operationsthey introduce storage overhead linear to the size of anindex for each document Curtmola et al [25] propose the

















StorageServer

1

2

3

4

5

6


Encrypteddata (C)

Fi

Function result(RF)

TF

Function token(TF)

Function (F)




2 Preliminaries




C

C T

List+ =

Ciphertext (C)W

Storage Server (SS)

Result

TVK2Data User (DU)

TokenRequest


Data Owner (DO)

1

2

3

4

5

6

6

7

8

T = (T TVK1)

PT = (PT TVK1)

M
































1 11990810158402 1199081015840






ETA DO DU



(pp key) (pp key)

System Setup



SS

(pp)


(a)

DO SSData Upload

(C)






(b)

SSDU


ETA



(TVK2)

(Q)

Token Generation


(PT TVK1)

T = (T TVK1)

(c)

SSDU


(R)

(T)

Search



using (TVK1 TVK2)

T is fresh

Yes

No



(d)















119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation

























StorageServer

1

2

3

4

5

6


Encrypteddata (C)

Fi

Function result(RF)

TF

Function token(TF)

Function (F)




2 Preliminaries




C

C T

List+ =

Ciphertext (C)W

Storage Server (SS)

Result

TVK2Data User (DU)

TokenRequest


Data Owner (DO)

1

2

3

4

5

6

6

7

8

T = (T TVK1)

PT = (PT TVK1)

M
































1 11990810158402 1199081015840






ETA DO DU



(pp key) (pp key)

System Setup



SS

(pp)


(a)

DO SSData Upload

(C)






(b)

SSDU


ETA



(TVK2)

(Q)

Token Generation


(PT TVK1)

T = (T TVK1)

(c)

SSDU


(R)

(T)

Search



using (TVK1 TVK2)

T is fresh

Yes

No



(d)















119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation











StorageServer

1

2

3

4

5

6


Encrypteddata (C)

Fi

Function result(RF)

TF

Function token(TF)

Function (F)




2 Preliminaries




C

C T

List+ =

Ciphertext (C)W

Storage Server (SS)

Result

TVK2Data User (DU)

TokenRequest


Data Owner (DO)

1

2

3

4

5

6

6

7

8

T = (T TVK1)

PT = (PT TVK1)

M
































1 11990810158402 1199081015840






ETA DO DU



(pp key) (pp key)

System Setup



SS

(pp)


(a)

DO SSData Upload

(C)






(b)

SSDU


ETA



(TVK2)

(Q)

Token Generation


(PT TVK1)

T = (T TVK1)

(c)

SSDU


(R)

(T)

Search



using (TVK1 TVK2)

T is fresh

Yes

No



(d)















119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



























1 11990810158402 1199081015840






ETA DO DU



(pp key) (pp key)

System Setup



SS

(pp)


(a)

DO SSData Upload

(C)






(b)

SSDU


ETA



(TVK2)

(Q)

Token Generation


(PT TVK1)

T = (T TVK1)

(c)

SSDU


(R)

(T)

Search



using (TVK1 TVK2)

T is fresh

Yes

No



(d)















119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










ETA DO DU



(pp key) (pp key)

System Setup



SS

(pp)


(a)

DO SSData Upload

(C)






(b)

SSDU


ETA



(TVK2)

(Q)

Token Generation


(PT TVK1)

T = (T TVK1)

(c)

SSDU


(R)

(T)

Search



using (TVK1 TVK2)

T is fresh

Yes

No



(d)















119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













119860119889VA (1120572) = 1003816100381610038161003816100381610038161003816119875119903 [1198871015840 = 119887] minus 121003816100381610038161003816100381610038161003816 gt 120598 (1)
















to the ETA where1198821015840 = 11990810158401 1199081015840

2 1199081015840119905 is a set










1205911 = 119868119905sum119895=1198681

(1198621119895 minus 1199101198622)

= 119868119905sum119895=1198681

(1199031 (1198671 (119908119895) 119875 + 119870119895) + 1199031119884 minus 1199101199031119875)

= 1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895))


1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation










1205912 = 1198791 minus 1199101198793= 1199051( 119868119905sum

119895=1198681

(1198671 (119908119895) + 119896119895))119875 + 1198861015840119884 minus 1199101198861015840119875

= 1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875(2)


119890 (1205911 1198792) = 119890 (1205912 1198622) (3)




119890 (1205911 1198792) = 119890(1199031( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895)) 1199051119875)

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119870119895) 119875)11990311199051

= 119890( 119868119905sum119895=1198681

(1198671 (119908119895) 119875 + 119896119895119875) 119875)11990311199051

= 119890 (119875 119875)11990311199051Δ

(4)

RHS of (3)

119890 (1205912 1198622) = 119890(1199051( 119868119905sum119895=1198681

(1198671 (119908119895) + 119896119895))119875 1199031119875)= 119890 (119875 119875)11990311199051Δ

(5)


ness is proved


















(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













(11986211)119894 = 1199031119894 (1205741119875 + 1198701) + 1199031119894119884(11986212)119894 = 1199031119894 (1205742119875 + 1198702) + 1199031119894119884

(1198621119911)119894 = 1198871199031119894 (120574119911119875 + 119870119911) + 1199031119894119884

(1198621119899)119894 = 1199031119894 (120574119899119875 + 119870119899) + 1199031119894119884

(1198622)119894 = 1199031119894119875

(6)


119894 1198681015840119894 ) where 1198821015840119894 = 1199081015840

1198941198681 11990810158401198941198682 1199081015840










119890 (1205911 1198792) = 119890 (1205912 1198622) (7)


119890 (1205911 1198792) = 119890 (1198871199031 (120591119911119875 + 119870119911) 1199051119875)= 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (1205912 1198622) = 119890 (11990511198671 (119908119911 + 119896119911) 119875 1199031119875)= 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

(8)

From (8) we get

119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051 (9)


119890 (1205911 1198792) = 119890 (119888 (120591119905119875 + 119870119905) 1199051119875) = 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (1205912 1198622) = 119890 (11990511198671 (119908119905 + 119896119905) 119875 119886119875)

= 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (10)

From (10) we get

119890 (119875 119875)119888(120591119905+119870119905)1199051 = 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051 (11)


119890 (119875 119875)1198871199031(120591119911+119870119911)1199051

119890 (119875 119875)11990311198671(119908119911+119896119911)1199051= 119890 (119875 119875)119888(120591119905+119870119905)1199051

119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

there4 119890 (119875 119875)1198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198861198671(119908119905+119896119905)1199051

= 119890 (119875 119875)119888(120591119905+119870119905)1199051 119890 (119875 119875)11990311198671(119908119911+119896119911)1199051

there4 119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

= 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051 119890 (119875 119875)1198671(119908119911+119896119911)1199051

119890 (119875 119875)1198861198871199031(120591119911+119870119911)1199051 = 119890 (119875 119875)1198881199031(120591119911+119870119911)1199051

119890 (119875 119886119887119875) = 119890 (119875 119888119875)119886119887 = 119888

(12)






119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













119875119903 [1198781] = 1119890119899 119875119903 [1198782] = 1119902119896119899

(13)















































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation







































0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



























0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation













0

5

10

15

20

25

Tim

e (s)

(a)



100

101

102

103

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

(b)




001

01

1

10

Tim

e (s)












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation












01

1

10Ti

me (

s)


For n = 100

(a)



01

1

10

100

Tim

e (s)

1000 2000 3000 4000 50000u (number of users)

For n = 100 amp t = 100

(b)




Notations







References













































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation



















































RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation




















RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









RoboticsJournal of





Journal of



RotatingMachinery



Journal of

Volume 201


VLSI Design



Shock and Vibration







Journal of



Volume 2014


SensorsJournal of





Propagation









Documents

Multiuser Searchable Encryption with Token …downloads.hindawi.com/journals/scn/2017/6435138.pdfMultiuser Searchable Encryption with Token Freshness Verification ... DataUser