1) Vector Space Model

The vector space model [19] adopting TF-IDF model [27] is widely adopted in secure multi-keyword search [5], [6], [11]–​[13]. We also use such models in this paper. TF and IDF are the term frequency (TF) and inverse document frequency (IDF). The former is the number of times a given keyword or term exists in documents while the later is calculated by dividing the total number of all documents by the number of documents having the given keyword or term. Each document $d_{i}$ is described by a $n$ -dimensional vector where $n$ is the scale of the keyword dictionary. $V_{d_{i}}[j] $ stores the normalized TF value of the keyword $w_{j}$ as shown in Eq. (1). For a query $Q$ having multiple searched keywords, the $n$ -dimensional vector $V_{Q}$ stores the normalized IDF values of the searched keywords in $Q$ . The calculation of $V_{Q}[j]$ is shown in Eq. (2).\begin{align*} V_{d_{i}}[j]=&T\!F_{d_{i},w_{j}}/\sqrt {\sum _{w_{j} \in d_{i} \wedge d_{i} \in D}(T\!F_{d_{i},w_{j}})^{2}}\tag{1}\\ V_{Q}[j]=&I\!D\!F_{w_{j}}/\sqrt {\sum _{w_{j}\in Q}(IDF_{w_{j}})^{2}}\tag{2}\end{align*} View Source\begin{align*} V_{d_{i}}[j]=&T\!F_{d_{i},w_{j}}/\sqrt {\sum _{w_{j} \in d_{i} \wedge d_{i} \in D}(T\!F_{d_{i},w_{j}})^{2}}\tag{1}\\ V_{Q}[j]=&I\!D\!F_{w_{j}}/\sqrt {\sum _{w_{j}\in Q}(IDF_{w_{j}})^{2}}\tag{2}\end{align*}

2) Relevance Score Measurement

We adopt the same calculations in [13] to measure the relevance scores between documents and the search requests in this paper. We assume that $d_{i}$ is a document and $Q$ is a query request having multiple searched keywords, the relevance score between $d_{i}$ and $Q$ is calculated by the inner product between the corresponding document vector $V_{d_{i}}$ and the query vector $V_{Q}$ , i.e.\begin{equation*}score(V_{d_{i}},V_{Q})=V_{d_{i}}\cdot V_{Q} =\sum _{j=1}^{n}V_{d_{i}}[j]\times V_{Q}[j]\tag{3}\end{equation*} View Source\begin{equation*}score(V_{d_{i}},V_{Q})=V_{d_{i}}\cdot V_{Q} =\sum _{j=1}^{n}V_{d_{i}}[j]\times V_{Q}[j]\tag{3}\end{equation*}

3) Secure Inner Product Operation

The secure inner product operation [20] is adopted in this paper. The operation is capable of computing the inner product of two encrypted vectors even their plaintext values are unknown. We assume that $p$ and $q$ are two $n$ -dimensional vectors and $M$ is a random $n\times n$ -dimensional invertible matrix. Here, $M$ is used as the secure key. We denote $\widetilde {p}$ and $\widetilde {q}$ as the the encrypted form of plaintext vectors $p$ and $q$ respectively. And $\widetilde {p}$ and $\widetilde {q}$ is calculated by $\widetilde {p}=pM^{-1} $ and $\widetilde {q}=qM^{T}$ . Then we have \begin{align*} \widetilde {p}\cdot \widetilde {q}=&(pM^{-1})\cdot (qM^{T}) \\=&pM^{-1}(qM^{T})^{T} \\=&pM^{-1}Mq \\=&p\cdot q\tag{4}\end{align*} View Source\begin{align*} \widetilde {p}\cdot \widetilde {q}=&(pM^{-1})\cdot (qM^{T}) \\=&pM^{-1}(qM^{T})^{T} \\=&pM^{-1}Mq \\=&p\cdot q\tag{4}\end{align*}

Therefore, $\widetilde {p}\cdot \widetilde {q}=p\cdot q$ holds which indicates that the inner product of two encrypted vectors equals the inner product of the corresponding plaintext vectors.

4) Normalized Google-Distance

Given two keywords $w_{i}$ and $w_{j}$ , the Normalized Google-Distance [3] between them is denoted as $Dist(w_{i}, w_{j})$ where \begin{equation*} Dist(w_{i},w_{j})= \frac {max\{log_{2}F_{i},log_{2}F_{i,j}\}-log_{2}F_{i,j}} {log_{2}m-min\{log_{2}F_{i},log_{2}F_{j} \}}\tag{5}\end{equation*} View Source\begin{equation*} Dist(w_{i},w_{j})= \frac {max\{log_{2}F_{i},log_{2}F_{i,j}\}-log_{2}F_{i,j}} {log_{2}m-min\{log_{2}F_{i},log_{2}F_{j} \}}\tag{5}\end{equation*}

In Eq. (5), $F_{i}$ and $F_{j}$ are the total frequencies of $w_{i}$ and $w_{j}$ appearing in the documents of $D$ respectively, $F_{i,j}$ is the number of documents where $w_{i}$ and $w_{j}$ both appear in the same documents, $m$ is the number of documents of $D$ and $min\{X\}$ is to get the minimum from the set $X$ . According to [3], the distance can be used to represent the relevance between keywords. The relevance between $w_{i}$ and $w_{j}$ increases as $Dist(w_{i}, w_{j})$ decreases. The Normalized Google-Distance in the paper is only used for calculating the relevance between keywords.

1) Multi-Keywords Ranked Search

The proposed scheme is designed that Pub-Cloud can determine the ranked $k$ encrypted documents which have the $k$ highest relevance scores to the searched keywords through the cooperation with Pri-Cloud.

2) Search Efficiency

The proposed scheme is able to perform efficient multi-keyword ranked searches by using a special index constructed on the basis of the given keyword partition vector model and the complete binary tree structure. The index can filter out candidate documents and prune a large number of irrelevant documents.

3) Privacy-Preserving

The proposed scheme is able to preserve privacy from the curious Pub-Cloud. Particularly, the plaintext of documents, index and queried keywords should be kept in private and the trapdoor unlinkability [5], [6], [11]–​[13] should be protected.

Observation 1:

According to Algorithm 1, we have the following two properties about the generated keyword partitions.

1. $\bigcup _{P_{i} \in PL} P_{i} =W$

2. $\forall P_{i},P_{j} \in PL \rightarrow P_{i} \cap P_{j} = \emptyset $

Definition 1 (Involved Partitions):

Given a document $d_{i} \in D$ , the involved partitions of $d_{i}$ are the partitions that have at least a keyword of $d_{i}$ . We denote the set of involved partitions of $d_{i}$ as $I\!P\!S(d_{i})$ , then we have \begin{equation*} I\!P\!S(d_{i})=\{p_{j}|p_{j}\cap d_{i} \neq \emptyset \wedge P_{j} \in PL \}\tag{6}\end{equation*} View Source\begin{equation*} I\!P\!S(d_{i})=\{p_{j}|p_{j}\cap d_{i} \neq \emptyset \wedge P_{j} \in PL \}\tag{6}\end{equation*}

Definition 2 (Covered Documents):

Given a keyword partition $P_{i} \in PL$ , the covered documents of $P_{i}$ are the documents that have at least a keyword of $P_{i}$ . We denote the set of covered documents of $P_{i}$ as $C\!D\!S(P_{i})$ , then we have \begin{equation*} C\!D\!S(P_{i})=\{d_{j}|d_{j}\cap P_{i} \neq \emptyset \wedge d_{j} \in D \}\tag{7}\end{equation*} View Source\begin{equation*} C\!D\!S(P_{i})=\{d_{j}|d_{j}\cap P_{i} \neq \emptyset \wedge d_{j} \in D \}\tag{7}\end{equation*}

Observation 2:

Given a document $d_{i}$ and a keyword partition $P_{j}$ , if $d_{i}$ is in the covered documents of $P_{j}$ , then $P_{j}$ is in the involved partitions of $d_{i}$ , and vice versa.\begin{equation*} d_{i} \in C\!D\!S(P_{j}) \leftrightarrow P_{j} \in I\!P\!S(d_{i})\tag{8}\end{equation*} View Source\begin{equation*} d_{i} \in C\!D\!S(P_{j}) \leftrightarrow P_{j} \in I\!P\!S(d_{i})\tag{8}\end{equation*}

Definition 3 (Target Partitions):

Given a query $Q$ with multi-keyword, the target partitions of $Q$ is the keyword partitions that have at least one queried keywords of $Q$ . We denote the set of target partitions of $Q$ as $T\!P\!S(Q)$ , then we have \begin{equation*} T\!P\!S(Q)=\{P_{i}| Q \cap P_{i} \neq \emptyset \wedge P_{i} \in PL \}\tag{9}\end{equation*} View Source\begin{equation*} T\!P\!S(Q)=\{P_{i}| Q \cap P_{i} \neq \emptyset \wedge P_{i} \in PL \}\tag{9}\end{equation*}

Definition 4 (Candidate Documents):

Given a query $Q$ , the candidate documents of $Q$ are the covered documents of the target partitions of $Q$ . We denote the candidate documents of $Q$ as $C\!Docs(Q)$ , then we have \begin{equation*} C\!Docs(Q)=\bigcup _{P_{i}\in T\!P\!S(Q)} C\!D\!S(P_{i})\tag{10}\end{equation*} View Source\begin{equation*} C\!Docs(Q)=\bigcup _{P_{i}\in T\!P\!S(Q)} C\!D\!S(P_{i})\tag{10}\end{equation*}

Example 1:

FIGURE 2 illustrates an example of keyword partitions generated by $GenPartitions$ . As shown in the figure, we assume that document collection $D$ has 10 documents and the threshold of keyword partitions e.g. $\tau $ is set to be 5. The list of keyword partitions is $PL=\{P_{1}, P_{2}, P_{3}, P_{4}, P_{5}\}$ and the detailed descriptions are shown in the figure. According to Definition 1, the involved partitions of $D$ are described as $I\!P\!S(d_{1})=\{P_{1}, P_{2}, P_{3}\}$ , $I\!P\!S(d_{2})=\{P_{2}, P_{3}, P_{4}\}$ , $I\!P\!S(d_{3})=\{P_{3}, P_{4}, P_{5}\}$ , etc. According to Definition 2, the covered documents of $P_{1}$ , $P_{2}$ , $P_{3}$ , $P_{4}$ and $P_{5}$ are expressed as $C\!D\!S(P_{1})=\{d_{1}, d_{4}, d_{9}\}$ , $C\!D\!S(P_{2})=\{d_{1}, d_{2}, d_{4}, d_{9}\}$ , etc. Suppose the query $Q =\{w_{1}, w_{4}, w_{7}, w_{16}\}$ , according to Definition 3 and 4, then we have the target partitions $T\!P\!S(Q)=\{P_{1}, P_{2}\}$ and the corresponding candidate documents $C\!Docs(Q)=C\!D\!S(P_{1})\cup C\!D\!S(P_{2})=\{d_{1}, d_{2}, d_{4}, d_{9}\}$ . Obviously, the query result must be in $C\!Docs(Q)$ and the other documents could be out of consideration directly.

Definition 5 (Document Filtering Bit Vector (DFB-Vector)):

Given a document $d_{i} \in D$ , the DFB-vector of $d_{i}$ is a $\tau $ -dimensional bit vector which is denoted as $V\!F_{d_{i}}$ . If there is a keyword in $d_{i}$ belongs to a partition $P_{j} \in PL$ , then $V\!F_{d_{i}} [j]=1$ otherwise $V\!F_{d_{i}}[j]=0$ , i.e.\begin{equation*} V\!F_{d_{i}}[j]= \begin{cases} 1,& \exists w_{P} \in d_{i}(w_{P} \in P_{j})\\ 0,& Else \end{cases}j \in \{1,2,\ldots,\tau \}\tag{11}\end{equation*} View Source\begin{equation*} V\!F_{d_{i}}[j]= \begin{cases} 1,& \exists w_{P} \in d_{i}(w_{P} \in P_{j})\\ 0,& Else \end{cases}j \in \{1,2,\ldots,\tau \}\tag{11}\end{equation*}

Definition 6 (Query Filtering Bit Vector (QFB-Vector)):

Given a query $Q$ with multiple keywords, the QFB-vector of $Q$ is $\tau $ -dimensional bit vector which is denoted as $V\!F_{Q}$ . If there is a keyword in $Q$ belongs to a partition $P_{i} \in PL$ , then $V\!F_{Q}[i]=1$ otherwise $V\!F_{Q}[i]=0$ , i.e.\begin{equation*} V\!F_{Q}[i]= \begin{cases} 1,& \exists w_{P} \in Q(w_{P} \in P_{i})\\ 0,& Else \end{cases}i \in \{1,2,\ldots,\tau \}\tag{12}\end{equation*} View Source\begin{equation*} V\!F_{Q}[i]= \begin{cases} 1,& \exists w_{P} \in Q(w_{P} \in P_{i})\\ 0,& Else \end{cases}i \in \{1,2,\ldots,\tau \}\tag{12}\end{equation*}

Observation 3.

Given a query $Q$ , we have \begin{equation*} C\!Docs(Q)=\{d_{i} | V\!F_{d_{i}}\& V\!F_{Q} \neq \{0\}^\tau \wedge d_{i} \in D\}\tag{13}\end{equation*} View Source\begin{equation*} C\!Docs(Q)=\{d_{i} | V\!F_{d_{i}}\& V\!F_{Q} \neq \{0\}^\tau \wedge d_{i} \in D\}\tag{13}\end{equation*} where ”&” is the bitwise AND operator and $\{0\}^\tau $ represents a $\tau $ -dimensional zero bit vector.

1) $SK \leftarrow GenKey(1^{l(n)})$

DO generates the secure key $S\!K=\{S, M_{1}, M_{2}, g\}$ where $S$ is a random generated $n$ -dimensional bit vector, $M_{1}$ and $M_{2}$ are random $n\times n$ -dimensional invertible matrices, and $g$ is the key for document encryption. $SK$ is shared by DO and DU.

2) $PL \leftarrow GenPartitions(W, \tau)$

This algorithm is given in Algorithm 1 in detail. It is on the basis of the bisecting $k$ -means clustering and the Normalized Google-Distance measurement. After performing the algorithm, keywords with high relevance in the keyword dictionary are clustered into partitions and the partition list $P\!L=\{P_{1}, P_{2}, \ldots, P_\tau \}$ is generated where $\tau $ is a threshold to control the number of output partitions.

3) $\{V_{D}, VF_{D}\} \leftarrow GenVectors(D, PL)$

For each $d_{i} \!\in \!D$ , DO generates the corresponding document vector $V_{d_{i}}$ according to Eq. (1), and then generates the corresponding DFB-vector $V\!F_{d_{i}}$ according to Definition 5. The sets of generated document vectors and DFB-vectors are $V_{D}=\{V_{d_{1}},V_{d_{2}},\ldots,V_{d_{m}}\}$ and $V\!F_{D}=\{V\!F_{d_{1}},V\!F_{d_{2}},\ldots,V\!F_{d_{m}}\}$ respectively. Here, the generated DFB-vectors will be utilized as the index in our scheme to filter out the candidate documents and speed the ranked searches.

4) $\{\tilde{D}, \tilde{V}_{D} \} \leftarrow EncData(D, V_{D}, SK)$

For each $d_{i} \in D$ and the corresponding document vector $V_{d_{i}}\in V_{D} $ , DO first encrypts $d_{i}$ into $\widetilde {d}_{i} $ by a symmetric encryption (such as DES, AES, et al.) with the secret key $g$ in $S\!K$ . Second, DO generates two random ${n}$ -dimensional vectors $\{V_{d_{i}}^{1},V_{d_{i}}^{2}\}$ according to the random bit vector $S$ in $S\!K$ . Specifically, if $S[j]=0$ , then $V_{d_{i}}^{1} [j]=V_{d_{i}}^{2}[j]=V_{d_{i}}[j]$ ; otherwise $V_{d_{i}}^{1}[j]=GenRand()$ and $V_{d_{i}}^{2}[j]=V_{d_{i}}[j]-V_{d_{i}}^{1}[j]$ where $GenRand()$ is a random value generator. Then, the encrypted document vector $\widetilde {V}_{d_{i}} $ is calculated,$\widetilde {V}_{d_{i}}=\{V_{d_{i}}^{1}\!M_{1}^{T},V_{d_{i}}^{2}\!M_{2}^{T}\} $ . Through the above operations, the encrypted documents $\widetilde {D}=\{\widetilde {d}_{1},\widetilde {d}_{2},\ldots,\widetilde {d}_{m}\}$ and the corresponding encrypted document vectors $\widetilde {V}_{D}=\{\widetilde {V}_{d_{1}},\widetilde {V}_{d_{2}},\ldots,\widetilde {V}_{d_{m}}\} $ are generated.

5) $StoreData(VF_{D}, \tilde{D}, \tilde{V}_{D})$

After the above steps, DO outsources the encrypted documents $\widetilde {D}$ and the corresponding encrypted document vectors $\widetilde {V}_{D}$ to Pub-Cloud. And then DO uploads the DFB-vectors $V\!F_{D}$ to Pri-Cloud. It is noticeable that the corresponding document IDs are both stored in Pub-Cloud and Pri-Cloud. Obviously, the shared data between Pub-Cloud and Pri-Cloud are only the document IDs.

After the five steps, the setup stage is finished and the system is prepared for the multi-keyword search over encrypted documents.

1) $\tilde{V}_{Q} \leftarrow GenTrapdoor(Q, SK)$

Once a query $Q$ with multi-keywords is applied, DU generates the query vector $V_{Q}$ according to Eq. (2) and two random $n$ -dimensional vectors $\{V_{Q}^{1}, V_{Q}^{2}\}$ according to the random bit vector $S$ in $SK$ . Specifically, if $S[i]=1$ , then $V_{Q}^{1} [i]=V_{Q}^{2}[i]=V_{Q}[i]$ ; otherwise $V_{Q}^{1}[i]=GenRand()$ and $V_{Q}^{2}[i]=V_{Q}[i]-V_{Q}^{1} [i]$ . Then, the encrypted query vector $\widetilde {V}_{Q}$ is calculated, $\widetilde {V}_{Q}=\{V_{Q}^{1}\!M_{1}^{-1},V_{Q}^{2}\!M_{2}^{-1}\}$ , which is the trapdoor of $Q$ and submitted to Pub-Cloud.

2) $VF_{Q} \leftarrow GenQFBVector(Q, PL)$

According to Definition 6, DU generates the QFB-vector of $Q$ , $V\!F_{Q}$ , which indicates the target partitions of $Q$ . And then DU transmits $V\!F_{Q}$ to Pri-Cloud.

3) $CID \leftarrow Filtering(VF_{Q}, VF_{D})$

Pri-Cloud utilizes the DFB-vectors as the index to filter out the candidate documents for the query. It performs the bitwise AND operation between each DFB-vector and the received QFB-vector and then find out the corresponding IDs of the candidate documents for the query $Q$ according to Observation 3. Specifically, for each $V\!F_{d_{i}} \in V\!F_{D}$ , if $V\!F_{d_{i}}\& V\!F_{Q}$ is not a zero-vector, then $Identity(d_{i})$ is added in the ID set $C\!I\!D$ . Here, $Identity(d_{i})$ is the ID of $d_{i}$ . After processing all the DFB-vectors of $V\!F_{D}$ , Pri-Cloud only transmits $C\!I\!D$ to Pub-Cloud. $CID$ is the only shared data between Pri-Cloud and Pub-Cloud. The complexity of this algorithm is $O(m\ast \tau)$ since there are $m\ast \tau $ bitwise AND operations.

4) $\Re \leftarrow Searching(\tilde{D}, \tilde{V}_{D}, \tilde{V}_{Q}, CID, k)$

Pub-Cloud computes the inner products between the trapdoor $\widetilde {V}_{Q}$ and the encrypted document vectors $\{\widetilde {V}_{d_{i}}| \widetilde {V}_{d_{i}} \in \widetilde {V}_{D} \wedge Identity(d_{i}) \in C\!I\!D \}$ . According to Lemma 1, the inner products between the trapdoor and the encrypted document vectors equal the inner products between the corresponding plaintext query vector and document vectors respectively, and the inner products represent the relevance scores between the queried keywords and the documents according to the relevance score measurement in the Preliminaries Section. The ranked $k$ encrypted documents with the highest $k$ inner products are the result encrypted documents R which is returned to DU. The complexity of this algorithm is $O(|C\!I\!D|*n + k*|C\!I\!D|)\approx O(|C\!I\!D|*n)$ since $k \ll n$ holds generally. $|X|$ represents the item number of the set $X$ .

At last, when DU receives the result encrypted documents $\Re $ from Pub-Cloud, it uses the shared secure key to decrypts the encrypted documents and get the plaintext result documents.

In the above algorithms, DU transforms the query request into two vectors, one is the trapdoor (the encrypted query vector) generated in $GenTrapdoor$ and the other is the QFB-vector generated in $GenQFBVector$ . The latter is submitted to Pri-Cloud and Pri-Cloud uses it and the DFB-vectors of documents to filter out the candidate document IDs in $Filtering$ . According to the received candidate document IDs, Pub-Cloud determines the result encrypted documents and return them to DU in $Searching$ . Since the searching space is shrunk in the candidate documents, the ranked search efficiency is improved. We will give the performance evaluation on search efficiency in Section VIII.

1) Document Confidentiality

In the scheme, the documents and the corresponding vectors are encrypted and then outsourced in Pub-Cloud. The encryption procedures are given in the $EncData$ algorithm. Documents are encrypted by a symmetric encryption algorithm (such as AES) with the secret key $g$ in $S\!K$ while the corresponding vectors are encrypted by the secure inner product operation with one random bit vector and two random invertible matrix in $S\!K$ . Since $S\!K$ generated by DO is only shared with the authorized DU, Pub-Cloud has no idea of those secret keys in $S\!K$ . Thus, it is computation infeasible for Pub-Cloud to obtain the plaintext information from the encrypted documents and vectors and document confidentiality is guaranteed.

2) Index and Trapdoor Privacy

In the scheme, the index is the CBP-Tree stored in Pri-Cloud which is isolated from Pub-Cloud. Trapdoors are generated by performing secure inner product operation on the query vectors with the secret key SK which is only shared by DO and DU. Additionally, several random items are added in the trapdoor generation process, which increases the randomness of values in vectors. Without the secret key and the phantom item addition method, it is hard for Pub-Cloud to get the plaintext query vectors. As a result, the scheme can protect the privacy of the index and the trapdoor.

3) Trapdoor Unlinkability

In this scheme, the probability that $GenTrapdoor$ algorithm generates the same trapdoor by the same query is extremely low and can be considered negligible. We analyze the reason under the known background model. According to the phantom item addition procedures in Section VII.C, the original query vector is extended into $n+L+1$ -dimensional, has $n+L+1$ bits after adding $L+1$ dimensions in the o for adding phantom items. $r$ is the noise parameter for enhancing trapdoors by performing multiplication between $r$ and each dimension of trapdoor. The length of $r$ is denoted as $l_{r}$ . The former $n$ bits of the extended trapdoor has $2^{n}$ possibilities.

The possibility of the same query generates the same trapdoor $p=\frac {1}{x \times 2^{l_{r}}}$ , and the larger the denominator, the smaller the $p$ . In other words, the bigger the parameters, the smaller the probability of generating the same trapdoor, the safer the scheme. For example, we assume $r$ is a 1024 bit parameter, then we have $p \lt {\frac {1}{2^{1024}}}$ which is considered negligible. Therefore, trapdoor is unlinkability in this scheme.