Toward Forward Secure SSE Supporting Conjunctive Keyword Search

The primitive of Searchable Symmetric Encryption (SSE) allows a server to perform search directly over encrypted documents. Recently, forward secure SSE (FSSE) has attracted significant attention due to its secure property for document update. That is, it can prevent the server from learning whether the newly updated document contains previously queried keywords. Most of the existing FSSE schemes are designed for single keyword search. For the case of conjunctive keyword search, prior dedicated FSSE constructions either require inefficient tools or suffer from significant leakage (i.e., it leaks the documents matching each queried keywords). To deal with this challenge, we propose a general framework to design efficient conjunctive keyword FSSE schemes without significant leakage: a basic scheme FOXT-B and an enhanced one FOXT-E. Specifically, in our basic scheme, we combine XSet structure in the Oblivious Cross-Tags protocol (CRYPTO 2013) with a single keyword FSSE to support conjunctive keyword search. However, this simple combination is limited to support document update. That is, the user cannot perform search until all the keyword-document pairs in a document have been updated. To support flexible keyword-document update, we design a new XSet for our enhanced scheme, in which the user can perform search at any time. Finally, we present a formal security analysis and implement our schemes on a real-world database, which demonstrates that our proposed schemes can achieve the desired security goals with practical efficiency.


I. INTRODUCTION
Cloud computing provides seemly unbounded computation and storage resources over the internet in the matter of pay-asyou-go basis. More and more users prefer to outsource their data to the cloud server for enjoying superior data storage and computing services. However, outsourcing data to remote server suffers from security and privacy concerns [1]- [5]. For example, famous social networking Facebook may have leaked data for millions of users to a political firm Cambridge Analytica. Simple encryption can provide confidentiality of the outsourced data, however, it is a hindrance to search over the encrypted data.
The associate editor coordinating the review of this manuscript and approving it for publication was S. K. Hafizul Islam . Searchable Symmetric Encryption (SSE), as a promising solution, enables to search over the encrypted data while protecting the confidentiality of the data and queries. Specifically, a user first encrypts the data and generates a search index, which are together outsourced to the server. Latter, the user submits a query to the server, and then the server performs search on the search index and finally returns results to the user. Since song et al. [6] proposed the seminal SSE scheme, a lot of progress [7]- [11] has been made in efficiency, security and expressiveness. Recently, an important line of work focuses on the security of SSE schemes. For example, a passive attacker in [12] and [13] can leverage the common leakages in SSE schemes to reveal the user's query. Recently, Zhang et al. [14] proposed an even more powerful attack, in which the attacker can adaptively inject new documents. With this power, the attacker can recover the content of user's query by learning which added documents match it.
This work emphasizes the necessity of constructing forward secure SSE scheme, in which the former queries cannot be used to search in the newly added documents. The notion of forward secure SSE was first introduced by Stefanov et al. [15] who also designed an FSSE scheme. However, their ORAM-like construction results in large communication overhead for an update. Recently, Bost et al. [16] only used simple cryptography tool (a public key primitive trapdoor permutation) to propose an efficient FSSE scheme named oφoς with an optimal update and search complexity. Following, Song et al. [17] transformed the trapdoor permutation from a public key primitive to a symmetric key one, which further improved the search and update efficiency. Other researchers also focused on how to improve the efficiency of FSSE scheme [18]- [20]. However, all the above FSSE schemes are severely limited to perform single keyword search.
In practice, a single keyword query always retrieves a large number of documents, and then the user herself has to filter the desired ones. To provide more practical query, conjunctive keyword search should be supported. That is, the returned documents contain all the queried keywords. A trivial way to design a conjunctive keyword FSSE scheme is that the server conducts intersection between the resultant document sets for each queried keyword. However, this naive solution results in inefficiency (e.g., if the resultant document set is very large for a keyword) and significant leakage (e.g., it reveals the resultant document sets for each queried keyword 1 ) [9].
Very recently, some researchers have focused on constructing non-trivial conjunctive keyword FSSE schemes. Hu et al. [21] adopted function-hiding Inner Product Encryption (IPE) to propose an elegant conjunctive keyword FSSE scheme without significant leakage. The main idea is that the server first retrieves the search results for a keyword in a single keyword forward structure, and then uses IPE to test which result contains all the other queried keywords. However, this method does not have the significant leakage at the cost of degrading much search and update efficiency, because of the primitive of IPE. Wu and Li [22] constructed a tree-based structure to achieve forward secure conjunctive keyword search efficiently. The server can top-down perform conjunctive keyword search and return a leaf as the search result when all the nodes from the leaf to the root contain all the queried keywords. Nevertheless, the server can directly obtain the significant leakage by performing search for each queried keyword. To the best of our knowledge, how to design an efficient conjunctive keyword FSSE scheme without significant leakage is still a challenge. 1 Specifically, for conjunctive keyword search w 1 , · · · , w n , the significant leakage means that the proposed scheme leaks the search results for each queried keyword, DB(w i ) for 1 ≤ i ≤ n, where DB(w i ) denotes the document set containing keyword w i .

A. OUR CONTRIBUTION
In this paper, we focus on constructing efficient conjunctive keyword FSSE schemes without significant leakage. Our contribution can be summarized as follows: • We design a general framework to construct two conjunctive keyword FSSE schemes: a basic scheme FOXT-B and an enhanced one FOXT-E. The main idea is that we can combine any single keyword FSSE scheme with a similar structure XSet in Cash et al's conjunctive keyword scheme to design conjunctive keyword FSSE schemes. Both of our proposed schemes are based on simple cryptographic primitives, which do not reveal the significant leakage while enjoying good efficiency.
• The basic scheme FOXT-B is somewhat a trivial combination, which is limited to update a document. That is, the user is not allowed to perform search until all the keyword-document pairs in a document have been updated. This limitation comes from the structure of XSet. To this end, we construct a new structure of XSet in our enhanced scheme FOXT-E which can support more flexible keyword-document pair update. That is, the user can perform search at any time.
• We present a formal security analysis and provide a thorough implementation on a real-world database. The results demonstrate that our proposed schemes can achieve the desired goals with a comparable computation overhead.

B. RELATED WORK
The first SSE scheme was introduced by Song et al. [6], in which the encryption is based on the documents and thus the search complexity is linear in the number of documents. Then Curtmola et al. [7] constructed a new SSE scheme based on inverted index achieving sublinear search complexity, and gave a formal security definition. After that, a line of work [9], [23]- [26] has been done for SSE security, expressiveness, and performance. There have been plenty of works on enriching query expressiveness [9], [27]- [31]. The first SSE scheme supporting conjunctive keyword search was proposed by Golle et al. [27], however, the search complexity is linear in the whole number of documents. Subsequently, Cash et al. [9] proposed a notable conjunctive keyword search scheme named OXT, with support for sublinear search complexity. Thus it can be well applied in large database. Since then, several extensions of OXT have been made. Sun et al. [28] made an extension to multi-user setting, in which only the authorized users are allowed to perform search. Following, Wang et al. [29] further improved decryption efficiency. Considering the malicious model, Wang et al. [30] proposed a verifiable scheme based on a simulator to verify the correctness and completeness of the conjunctive search results. Recently, Lai et al. [31] reduced the leakage of OXT and improved the security.
In dynamic setting, an SSE scheme should support data addition and deletion. Kamara et al. [32] proposed the first VOLUME 7, 2019 sublinear dynamic SSE scheme. The forward and backward security for addition and deletion was introduced by Stefanov et al. [15], and they proposed the first ORAM-inspired forward secure scheme. A powerful fileinjection attack [14] leveraged some leakage information during addition operation to efficiently recover the queried keywords, which further motivates the study of forward security. Bost et al. [16] constructed a forward secure SSE scheme based on trapdoor permutation (a public key primitive) with an optimal update and search complexity. Song et al. [17] replaced the trapdoor permutation by symmetric cryptographic primitives to improve efficiency. Kim et al. [20] further improved efficiency when considering document deletion. Note that all the above FSSE constructions support only single keyword search. Very recently, some researchers have focused on conjunctive keyword FSSE schemes. Hu et al. [21] constructed a conjunctive keyword FSSE scheme based on function-hiding IPE. Although this scheme does not have significant leakage, it is inefficient because of the IPE operation. Wu and Li [22] proposed a virtual binary tree structure to design a new conjunctive keyword FSSE scheme. It is efficient for search and update operation, however, it has significant leakage.

C. ORGANIZATION
The rest of this paper is organized as follows. In Section II, we present some preliminaries. In Section III, we propose new forward secure SSE schemes supporting conjunctive keyword search. The security and comparison analysis of the proposed schemes are given in Section IV, and the performance evaluation is presented in Section V. Finally, conclusions will be made in Section VI.

II. PRELIMINARIES
In this section, we present some notations (as shown in Table 1) and basic primitives which are used in this work.
A. TRAPDOOR PERMUTATIONS Similar to oφoς [16], we adopt a trapdoor permutation (TDP) to generate a chained forward structure. Specifically, a TDP π is a permutation over a set D. It is easy to evaluate π (resp. π −1 ) based on the secret key sk (resp. pk). π is one way while for every x ∈ D π pk (π −1 sk (x)) = x and π −1 sk (π pk (x)) = x.

B. SYMMETRIC SEARCHABLE ENCRYPTION
An SSE scheme consists of two entities, a user and a server. The user wants to outsource documents to the server. In order to protect the document and preserve search ability, the user encrypts the documents and generates a search index. Then the user outsources the encrypted documents and search index to the server. When the user wants to perform a query, she summits a search token to the server. Once receiving the search token, the server performs search over the search index and returns the search results to the user. In dynamic SSE scheme, the user is allowed to update a document or a keyword-document pair to the server. In the following, we give the details of a dynamic SSE scheme. A dynamic searchable encryption scheme = (Setup, Search, Update) consists of one algorithm and two protocols.
• Setup(1 λ , DB): this is an algorithm which takes as input a security parameter λ and a database DB, and outputs (EDB, K, σ ), where EDB is the encrypted database, K is a secret key and σ is the state of client.
• Search(K,w, σ ; EDB): this is a protocol between the client and server. If the client would like to perform a conjunctive searchw = w 1 ∧ · · · ∧ w n , she takes as input the (K,w, σ ), and outputs the search token. The server performs search over the EDB based on the search token, and then returns the matching results R to the client. Each document in the results R contains all the queried keywords w i for 1 ≤ i ≤ n.
• Update(K, σ, op, in; EDB): this is a protocol between the server with input EDB and the client with input (K, σ, op, in), where op is the update operation of adding or deleting a document (or a keyword-document pair) and in is an input (id, W(id)) or (w, id).

C. SECURITY OF SSE
The security of SSE is defined by a real-world and idealworld based on a leakage function L. The definition expresses that an adversary can get no more information about the database other than the information inferred from the leakage function. Specifically, the leakage function L is parameterized as L = (L Stp , L Srch , L Updt ), the components of which express the leakages from Setup, Search and Update algorithm, respectively. We define two games Real and Ideal, and the goal of the adversary is to distinguish them. In the following, we give a formal definition.
where Real A (λ) and Ideal A,S (λ) is defined as follows:

D. FORWARD SECURITY OF SSE
The notion of forward secure SSE was first introduced by Stefanov et al. [15] and formalized by Bost [16]. Loosely speaking, forward security means the updated keywords cannot be revealed during an update. That is, the server cannot learn whether the updated document contains a specific keyword queried before. At a starting point, we give an example of forward secure SSE scheme in Figure 1. Specifically, the user first outsources three encrypted documents to the server, in which only the document F 1 contains keyword w. Thus the server returns F 1 with the search token for w 1 . Latter, the user adds a new document F 4 which also contains w. However, the server cannot find out the new document F 4 with the previous search token for w. In the following, we borrow the formal definition of forward secure SSE scheme from [16].
where L is a stateless function.

III. THE FORWARD SECURE FSSE CONSTRUCTION
In this section, we present a general framework to construct conjunctive keyword FSSE scheme. In essence, our framework can extend any single keyword FSSE scheme to a conjunctive keyword FSSE scheme without significant leakage. The main idea is that we combine any single keyword FSSE scheme with a structure XSet from the OXT protocol [9]. Specifically, we construct two forward secure conjunctive keyword FSSE schemes: the basic scheme FOXT-B and the enhanced one FOXT-E. The basic scheme is a simple combination, which is limited to only support the update of a whole document (id, W(id)). That is, the user is allowed to perform search if all the keyword-document pairs in the document are updated. To support more flexible update, we modify the structure of XSet to support keyword-document pair (w, id) update. Thus the user can perform search at any time.

A. GENERAL IDEAS
For simplicity, we adopt the idea of forward secure scheme in [16] to construct a forward secure structure TSet which is used to perform single keyword search. The TSet is a state-based chain to perform single keyword search. In the following, we take keyword w with a list of matching documents (id 1 , · · · , id n w ) as an example to describe the update and search operation. Specifically, when the client wants to update document id c , she first uses trapdoor permutation π and secret key sk to generate a new state ST c (w) from ST c−1 (w). Then she encrypts id c as (e c , y c ) which stores at location UT c (w) derived from the state ST c (w). When performing search on keyword w, given state ST c (w) as a search token, the server can generate all the former ones ST i (w) for 1 ≤ i < c with public key pk, and thus retrieve all the results stored in UT i (w) for 1 ≤ i < c. Note that with ST c (w), the server cannot generate the latter ones ST i (w) for i > c. In this way, the server cannot perform search in the newly updated documents id i with a previous search token ST c (w) for c < i.
To extend this single keyword FSSE scheme to a conjunctive keyword FSSE scheme, we combine the forward secure structure TSet with structure XSet in [9]. The main idea is that the server can first retrieve the search results DB(w 1 ) for the least frequent keyword w 1 from TSet, then filter the ones which contain the other queried keywords based on XSet. In essence, XSet contains a function of each pair (w, id), representing as g f (w,id) . The server can use a token xtoken[i, j] to obviously test whether id i contains the keyword w j . If xtoken[i, j] y i ∈ XSet, the answer is yes. 2 It is worth noting that this method can only support document update. That is, the user cannot perform search until all the (id, W(id)) pairs are updated. Otherwise, the server can test whether a result document id for w 1 is a newly added document for keyword w i . A detailed example will be presented in the basic construction.
Our enhanced scheme FOXT-E is designed to support more flexible (w, id) pair update. The idea is to prevent the server from testing the membership of (w i , id) in XSet if id is the newly added document for w i . On one hand, we change the XSet structure from a set to a map . 3 That is, only with a correct location, the server can find the right element in the XSet to be tested. On the other hand, we design a shell for each element in the XSet. Only with a proper value, the server can peel the shell. Instead of sending all the correct locations and values used to peel the retrieved elements, we construct a map CR. For each keyword w i , 2 ≤ i ≤ n, wr i servers as a part of search token. With wr i , the server can iteratively generate desired locations and retrieve all the corresponding elements in XSet, then peel off the elements, and finally add the peeled elements in a set XSubSet. The XSubSet is used to test the membership of xtoken y . In this way, without the latest wr i for w i , the server cannot test the membership of (w i , id) in the XSubSet, if the id is a newly added document for w i . Thus we guarantee the forward privacy when updating pairs. Figure 2 gives an example of our proposed schemes. We take a query w 1 ∧ w 2 as an example. The basic scheme is presented in (a). The server first retrieves the results of w 1 based on TSet, {(e 1 , y 1 ), · · · , (e c , y c )}, and filters the 3 In a map, each element is associated with a location. ones containing w 2 based on XSet. The enhanced scheme is presented in (b). The server uses wr 2c to iteratively find out the elements in XSet and peels them. The peeled elements generate a new set XSubSet which is used to filter the desired results.

B. BASIC CONSTRUCTION
In this section, we give the construction of our basic forward secure FSSE scheme, FOXT-B. The main idea is that we combine the single keyword FSSE scheme oφoς [16] with the set XSet in the OXT [9]. Specifically, when adding a document id, we add encrypted tuple (e, y) for each pair (w, id) in the single keyword forward structure TSet, and stores a function of (w, id) in the set XSet. In this basic scheme, the client cannot perform search until the updates for all the (w, id) pairs are completed, where w ∈ W(id). The details of our basic scheme are given in Algorithm 1.
• Setup(1 λ ): on input a security parameter λ, the client generates (pk, sk) for the trapdoor permutation π , chooses keys K S , K D , K X , K I , K Z , and initializes empty maps , TSet and empty set XSet, where is in the client side, TSet and XSet are in the server side. At last, the client outputs K = (K S , K D , K X , K I , K Z , sk), EDB = (pk, TSet, XSet) and σ = .
• Update(add, id, σ ; EDB): to insert a new document id, all the entries (w, id) in the id need to be updated, where w ∈ W(id). Specifically, for each keyword w, client uses a new state ST c+1 to generate a location UT c+1 . Then client updates the TSet by adding the encrypted tuple (e, y) in the location UT c+1 . In addition, the client updates XSet by adding xtag in it. This basic scheme only supports to update a document. That is, the user cannot perform search until all the keyworddocument pairs in the document are updated. The following example shows the reason. First, the user outsourced id 1 and id 2 to the server, where DB(w 1 ) = (id 1 ) and DB(w 2 ) = (id 1 , id 2 ). Then, the user wants to update a document id 3 , where W(id 3 ) = (w 1 , w 2 ). In the following, we will show how the forward privacy is compromised, if the server performs search before updating all the pairs. Specifically, when the pair (w 1 , id 3 ) is updated, the user first submits (ST 2 (w 1 ), 2, xtoken [1,2], xtoken [2,2]) to perform search w 1 ∧ w 2 . Then the server uses (ST 2 (w 1 ), 2) to retrieve (e 1 , y 1 ), (e 2 , y 2 ), and tests whether xtoken[1, 2] y 1 , xtoken[2, 2] y 2 belong to the XSet. In this case, only xtoken[1, 2] y 1 ∈ XSet and then e 1 is the search result. After the user updates pair (w 2 , id 3 ), the server can test the previous search token xtoken [2,2] y 2 belongs to the updated XSet. Thus the server learns that the newly inserted document id 3 matches the previous query w 1 ∧w 2 . As a result, the forward security is compromised.

C. ENHANCED CONSTRUCTION
In our enhanced construction, it is flexible to support a pair (w, id) update. That is, the user is allowed to Algorithm 2 FOXT-E: Forward Secure Conjunctive SSE With Pair Update Setup() 1: (sk, pk) ← KeyGen(1 λ ) 2: Select keys K S and K D for PRF s F 1 and F 2 3: Select keys K X , K I , K Z , K R for PRF F p 4: K = {K S , K D , K X , K I , K Z , K R } 5: , TSet, XSet, CR ← empty map 6: return((TSet, XSet, CR, pk), (K, sk), ) Search(w = (w 1 , · · · , w n ), σ ; EDB) Client: end for 9: Set xtoken[i] = xtoken[i, 2], · · · , xtoken[i, n] 10: end for 11: xtoken = (xtoken [1], · · · , xtoken[c]) 12: for 2 ≤ i ≤ n do 13: c i ← (w i ) 14: 15: end for 16: wr = (wr 2 , · · · , wr n ) 17 ST i ← π pk (ST i ) 37: end for 38: Send R to the client Update(add, w, id, σ ; EDB) Client: [w] ← (ST c+1 , c + 1) 10: wr c+1 ← F p (K r , w c + 1) 11 perform search at any time. On one hand, we change the structure of XSet from a set to a map. On the other hand, we design a shell for each element in XSet. Only with correct locations, the server can find proper elements in XSet and then peel them. Instead of sending all the locations, we design a map CR which is stored in the server side. With search token, the server can use CR to iteratively locate proper elements in XSet and peel them. Finally, the peeled elements generate a XSubSet set which serves as the XSet in our basic construction. The details are in Algorithm 2. The differences between the basic one are of blue color.
• Setup(1 λ ): we additionally generates a key K R for F p and initialize a map CR. Besides, we change the set XSet to a map.
• Search(w = (w 1 , · · · , w n ), σ ; EDB): the search token contains an extra part, wr i , for each non-frequent keyword w i . On one hand, each wr i = F p (K r , w i c i ) is used to find a location of XSet and retrieve the xtag.
On the other hand, the wr i is used to remove the shell of xtag and get xtag which is stored in a set XSubSet. Then the server uses the wr i and CR to get the historical wr i−1 = F p (K r , w i c i −1), and obtains the corresponding xtag . After retrieving all the xtag , the server obtains   30: if (e i , y i ) ∈ RP[s t , x t,j ] then 31: Parse RP[s t , x t,j ] = ((e i , y i ), u 1 , u 2 ) 32  • Update(add, id, σ ; EDB): to insert a new pair (w, id), the client assists the server to update the TSet, XSet and CR.

IV. ANALYSIS OF OUR PROPOSED SCHEME A. SECURITY ANALYSIS
In this section, we give the formal security analysis of our enhanced scheme FOXT-E. Before going ahead, we present the leakage function L of our scheme . There is nothing leaked during the Setup and Update function. That is, L Stp = ⊥ and L Updt = ⊥. In the following, we give the leakage function L Srch during search. Assuming that a sequence of T conjunctive queries q = (s, x) are performed. Specifically, s t and x t,· denote the sterm (least frequent keyword) and xterms (not least frequent keywords) in the t-th query, t ∈ [T ]. In the following, we present the outputs of the leakage function.
• SRP[t] is the access pattern for the sterm of the t-th query, SRP[t] = R(s t ).  • IP[t 1 , t 2 , α, β] is the condition insertion pattern. If s t 1 = s t 2 and . Otherwise, IP[t 1 , t 2 , α, β] = ∅. The main difference from the static conjunctive keyword search scheme is that this dynamic one reveals the timestamps of updating. Besides, our scheme additionally reveals the number of the search results for the xterms, which comes from the size of XSubSet during the search. In the following, we give formal security analysis.
Theorem 1: Let F 1 , F 2 and F p be secure PRFs, π be a secure one-way trapdoor permutation, and H , H 1 , H 2 and H 3 be secure hash functions modeled as random oracles. Then our FOXT-E scheme is L-semantically secure against adaptive attacks.
Proof: The proof works by a sequence of indistinguishable games. The first game is the real-world game and the last one is the ideal-world game which is simulated by an efficient simulator. Here we mainly introduce how the simulator works. The goal of the simulator is to use the leakages to simulate the transcripts between the user and the cloud, including the update items of TSet, XSet, CR and the search token for a query. In the Update protocol, the simulator randomly generates locations and elements for TSet, XSet and CR. In the Search protocol, the simulator uses the leakage function to simulate the search token. On the one hand, we program the hash functions H , H 1 , H 2 and H 3 . It is easy to program H , H 1 and H 3 using the timestamps. For programming H 2 , we leverage the timestamps and the elements in CR to program. On the other hand, we need to simulate xtoken. There are three types of element (e i , y i ) in the Hist. For the one belonging to RP, we use the timestamps to locate the corresponding xtage and wr, and then compute the xtoken. For the one belonging to IP, we need to randomly select xtoken and record it. For the one which is neither in RP nor in IP, the xtoken is randomly selected from the group G. In this way, the xtoken is simulated. The details of the simulator are presented in Algorithm 3. We omit the search operation in the server side, because it is easy for the server to perform search using the simulated search token.
Then we construct successive indistinguishable games. The first one is designed to have the same distribution as the Real A (κ), and the last one has the same distribution as the Ideal A (κ) which is generated by the simulator. In the games, we model the hash functions as random oracles, replace pseudo-random functions by random functions. By showing that the distributions of all games are distinguishable, our scheme meets the security goals. Since the games can be constructed easily, we omit the details here.

B. COMPARISON
In this section, we compare our proposed schemes with some related constructions [9], [16], [21], [22]. In general, our schemes can be seen as a combination of single keyword FSSE scheme [16] and a conjunctive keyword SSE scheme [9] to efficiently achieve conjunctive keyword search with forward privacy. Specifically, both forward secure single keyword search and conjunctive keyword search are well studied in [16] and [9]. Recently, non-trivial conjunctive keyword FSSE schemes have also attracted considerable attention. Hu et al.'s conjunctive FSSE scheme is designed based on the primitive of Inner Product Encryption. Their scheme can successfully avoid the significant leakage. However, plenty of bilinear paring operations result in inefficiency of the scheme. Wu and Li's tree-based scheme can also achieve conjunctive keyword search with forward security. Unfortunately, this scheme leaks the undesired significant leakage. Compared with these two schemes, our proposed conjunctive keyword FSSE schemes are efficient without significant leakage. Our basic scheme only supports document update like Hu et al.'s scheme. To support more flexible update, our enhanced scheme can support keyword-document pair update. Table 2 provides a detailed comparison of all the schemes. Note that, for the update time, we consider the efficiency for updating a keyword-document pair in all the compared schemes.

V. PERFORMANCE EVALUATION
In this section, we provide a thorough experimental evaluation of our proposed schemes. We mainly focus on the size of EDB, the efficiency of search and update process. First, we give a description of the prototype to implement the algorithms. Second, we analyze the experimental results and compare them with VBTree scheme in [22].
We leverage crypto++ 4 to realize the cryptographic primitives. Specifically, we use AES in CTR mode for the PRFs, SHA256 for the hash functions. For all those schemes, we use Rocksdb 5 to store the data in the client and server. We evaluate our scheme using two LINUX machines, one is a service node and the other is a client node. Both of them have 4 cores  with 8 threads (Intel Xeon E5-1620 v3, 3.50 GHz), 16 GB RAM and 1 TB disk, running on Ubuntu 14.04 LTS. We consider the real-world database from Wikimedia Download 6 to implement. The size of database (the number of distinct keyword-document pairs) ranges from 2 15 to 2 20 . Note that both schemes in [22] and [21] are conjunctive keyword FSSE schemes. Here we just compare our proposed schemes with Wu and Li's scheme [22]. Because it is obvious that our schemes are superior to Hu et al.'s scheme [21] in efficiency. Besides, our framework can extend any single keyword FSSE scheme, so we adopt Song et al.'s scheme [17] as the single keyword FSSE scheme to implement because of its good efficiency.
First, we focus on the size of search index EDB which is stored in the server side and used to perform search. As shown in Figure 3, the size of EDB increases with the size of database for the three compared schemes. The size of EDB in FOXT-E is larger than the FOXT-B, because we additionally introduce a CR map in FOXT-E scheme. The size of EDB in the VBTree is the largest among the compared schemes. The reason is that the number of encrypted keyword-document pairs in the EDB is much more than that in the database.
Then, we focus on the search efficiency in the compared schemes. We perform arbitrary two keywords conjunctive search in the real-world database to evaluate the search efficiency. As shown in Figure 4, the search time is not linear in the size of database. Specifically, all the three schemes have sublinear search efficiency. Even though our FOXT-E is slower than the other two, it is also very efficient and acceptable in practice. 6 https://dumps.wikimedia.org Finally, we focus on the update efficiency in our compared schemes. As shown in Figure 5, the time costs for an update in the three schemes increase with the number of update pairs. Our proposed schemes are a little less efficient than VBTree, because of the modular exponential operation. Fortunately, we can see that it is very efficient for all the three schemes to update a keyword-document pair.

VI. CONCLUSION
In this paper, we focus on the forward secure conjunctive keyword search over encrypted database. The main contribution is to present a general framework to construct two FSSE schemes supporting conjunctive keyword search. Our schemes can simultaneously achieve conjunctive search and forward privacy. Both of our schemes, FOXT-B and FOXT-E, reduce the significant leakage which exists in almost all existing schemes. That is, our schemes do not reveal the set of document matching each queried keyword. In our basic scheme, FOXT-B, we can extend a single keyword FSSE scheme to support conjunctive keyword search by combining an XSet structure in an Oblivious Cross-Tags protocol (a conjunctive keyword search protocol). This simple combination results in inflexible document update. That is, the user cannot perform search until all the pairs in a document are updated. In the enhanced scheme, FOXT-E, we change the structure of XSet to support more flexible pair update, in which the user can perform search at any time. We provide a formal security proof and thorough experiment on a real-world database, which demonstrates that our scheme can achieve the desired security goals with practical efficiency. SHIFENG SUN received the Ph.D. degree in computer science and technology from Shanghai Jiao Tong University, in 2016. During the Ph.D. degree, he was a Visiting Scholar with The University of Melbourne for more than one year. His research interests include cryptography and data privacy, particularly in provably secure cryptosystems, data privacy-preserving technology in cloud storage, and privacy-enhancing technology in blockchain.
MEIXIA MIAO received the Ph.D. degree in computer science from Xidian University, China, in 2018. She is currently with the Xi'an University of Posts and Telecommunications. Her research interests include cloud computing and data security.
XIAOFENG CHEN received the B.S. and M.S. degrees in mathematics from Northwest University, China, in 1998 and 2000, respectively, and the Ph.D. degree in cryptography from Xidian University, in 2003. He is currently a Professor with Xidian University. He has published over 100 research articles in refereed international conferences and journals which have been cited more than 7000 times at Google Scholar. His research interests include applied cryptography and cloud computing security.