Key-Aggregate Searchable Encryption, Revisited: Formal Foundations for Cloud Applications, and Their Implementation

In the use of a cloud storage, sharing of data with efficient access control is an important requirement in addition to data security and privacy. Cui et al. (IEEE Trans. on Comp. 2016) proposed key-aggregate searchable encryption (KASE), which allows a data owner to issue an aggregate key that enables a user to search in an authorized subset of encrypted files by generating an encrypted keyword called trapdoor. While the idea of KASE is elegant, to the best of our knowledge, its security has never been discussed formally. In this paper, we discuss the security of KASE formally and propose provably secure schemes. We first introduce our provably secure scheme, named first construction, with respect to encrypted files and aggregate keys in a single-server setting. In comparison with the scheme of Cui et al., the first construction is secure without increased computational costs. Then, we introduce another provably secure scheme, named main construction, with respect to trapdoors in a two-server setting. The main construction guarantees the privacy of a search, encrypted files, and aggregate keys. Considering 5,000 encrypted keywords, the first construction can finish search within three seconds and the main construction can finish search within six seconds.


A. BACKGROUND
A cloud storage service provides a solution for storing, accessing, and sharing files over the Internet.However, such a service may be vulnerable and hence leak stored data without the permission or knowledge of the data owners.To prevent this leakage, data owners would want to encrypt their files before uploading them to a cloud storage.Searchable encryption [1] allows users to search over encrypted data with a chosen keyword without decryption of the encrypted data.Searchable encryption is suitable for a storage of data even in a vulnerable cloud storage service.In particular, even if control of a storage is exploited by an adversary, leakage of the stored data can be prevented by virtue of encrypting the data.To maximize the capabilities of the cloud and features of cloud storage, data owners should also be able to share their files to intended recipients.In recent years, several researchers [2]- [4] created schemes that authorize other users to search over encrypted data, therefore sharing the data without decryption in the multi-user setting as well as encrypted search.
On this background, this paper aims to introduce a scheme that authorizes for search in encrypted data, i.e., the searchability, efficiently.More specifically, suppose that a data owner who owns a set of original data can issue a key that enables other users to search in a subset of its encrypted data without decryption.In such setting, the following features are desirable: (1) the data owner issues only a single short key that is independent of both the number of encrypted data and the number of users who the encrypted data by the data FIGURE 1: Overview of Key-Aggregate Searchable Encryption (KASE) owner, (2) and the encrypted data can be shared with users without changing or reproducing the encrypted data.These features can make the operations of a cloud storage service efficient because the keys and encrypted data become easier to manage for both a data owner and users.We note that these features are not implied in previous systems, namely, multiuser searchable encryption [5]- [8] and multi-key searchable encryption [2], [4], which do not include efficient management described above in their scope.Therefore, achieving the features described above is a non-trivial problem.
Cui et al. [9] proposed key-aggregate searchable encryption (KASE) for the underlying purpose.An overview of KASE is shown in Figure 1.In KASE, a data owner issues aggregate keys that allow data users to search in authorized data only, i.e., data users generate trapdoors to search in encrypted data.The data sizes of ciphertexts and aggregate keys are independent of the number of data users the ciphertexts will be shared to, and the data size of ciphertexts is independent of the number of users.Therefore, KASE can improve the efficiency of the operations of a cloud storage service under the problem setting described above.
However, Cui et al. did not provide formal definitions of the security of KASE and its security proofs.Moreover, Kiayias et al. [3] introduced an attack against the scheme of Cui et al. in which encrypted keywords in ciphertexts are distinguishable for an adversary.To the best of our knowledge, no KASE scheme with formal security definitions and proofs has been introduced, even in subsequent works [10], [11], making it an open problem.

B. OUR CONTRIBUTIONS
In this paper, we propose KASE schemes with provable security.To the best of our knowledge, these schemes are the first provably secure constructions.We also define a syntax and its security formally.We note that constructing a provably secure KASE scheme is non-trivial.As will be described in Section III-D in details, KASE requires a data owner to control the searchability via only a single short key and without changing ciphertexts for each user.The algebraic structures that can be used to construct a KASE scheme are limited by the use of the single short key and keeping encrypted keywords.we will newly show that the scheme of Cui et al. becomes insecure under our security definitions.
In contrast, by shedding light on the mathematical features of the cryptographic primitives used to construct KASE, we construct a provably secure KASE scheme by tactically combining the existing instantiations of these cryptographic primitives.As will be described in Section IV in details, some instantiations of broadcast encryption [12], [13] and aggregate signatures [14] are generally combined as basics.A simple combination called first construction can provide keyword privacy that guarantees the confidentiality of encrypted keywords and aggregate key unforgeability that authorizes the searchability of keywords from a data owner to users.In addition to these two primitives, i.e., achieving the keyword privacy and the aggregate key unforgeability, the use of secret sharing [15] can provide trapdoor privacy that guarantees the privacy of search for the users.We call the construction with secret sharing as main construction.
Notably, computational cost and the size of ciphertexts in the first construction are identical to those of the scheme by Cui et al. [9], but the first construction is provably secure.Considering 5,000 keywords, our two constructions can encrypt all keywords within one second, the first construction can perform search within three seconds, and the main construction can perform search within six seconds.We leave the construction of a generic scheme based on any instantiation of the primitives we used as an open problem.

C. POTENTIAL APPLICATIONS
KASE has many potential applications.We describe cloudassisted content-sharing networks with cryptography [16] and privacy-preserving authenticated communication in smart home environment [18] as example applications below.
Content sharing networks are networks that are scalable in terms of the number of users, storage size, and network bandwidth.Cloud-assisted content sharing networks with cryptography mainly aim to enable both a service provider and users to control the privacy of data flexibly and scalably.According to Wu et al. [16], cloud-assisted content sharing networks with cryptography allows: (1) an individual to freely produce any number and any kind of online media, such as texts, images, and videos; (2) an individual to grant any access to his/her media to anyone at any time; (3) an individual to reveal a large number of attributes (e.g., age, address, and gender), some of which can be dynamic; and (4) an individual to share contents using various devices and bandwidths, and hence demand different access privileges for the same media.Wu et al. proposed an instanton of cloud-assisted content sharing networks with cryptography by utilizing attributebased encryption [17].However, attribute-based encryption does not provide the searchability for ciphertexts, and hence the content of ciphertexts cannot be searched without decryption.This limitation make may lose the users' attention due to the lack of the searchability for encrypted contents.Moreover, attribute-based encryption requires a trusted thirdparty to generate secret keys, creating a potential single point of failure in the entire system.Furthermore, the number of secret keys increases with the number of attributes, and thus the size of a storage and management cost of the keys also increases with the number of users and the management of authorization for content sharing.In contrast, KASE provides searchability of contents of ciphertexts and a fixed size of keys for both a data owner and users, solving the problems of cloud-assisted content-sharing networks described above.Therefore, KASE is desirable for use in cloud-assisted content-sharing networks.
The privacy-preserving authenticated communication in smart home environment by Poh et al. [18] is an application where a user can securely utilize smart devices that accumulate private information, such as sleeping patterns and medical information.Poh et al. realized such an application in the single-user setting by integrating searchable encryption and authenticated key-establishment protocol.However, smart devices are continuously becoming more popular, and thus the use of smart devices in the multi-user setting should be considered.For example, in a case with a large number of users, e.g., employees in a workplace, each employee has a separated data access per device.KASE can be used to control access of each employee to devices and their data by the use of a single key.Thus, a more efficient and attractive usage of device management can be expected by virtue of KASE.

D. RELATED WORKS
Following the original KASE proposed by Cui et al. [9], many KASE schemes have been proposed in [10], [11], [19].We note that the both schemes are essentially the same as the construction by Cui et al. and their security have never been proven.Liu et al. [11] introduced the verifiability of search results, and Li et al. [10] discussed situations with multiple data owners.Meanwhile, Mukti et al. [19] proposed KASE with multiple data owners and discussed its security formally.Unfortunately, their definitions are incomplete and their proofs are wrong.In particular, in their syntax, any keyword can be searched as long as the keyword is included as a part of ciphertexts, even if its searched documents are the outside of his/her authorized documents.Moreover, in their proposed construction, the bilinear maps are nested for the test algorithm, which is an unworkable setting for bilinear maps.
As a special research alleviating the conditions of KASE, Zhou et al. [20] proposed a searchable and secure scheme in the situation where remote sensor devices encrypt data.This scheme individually changes the key for aggregate key issuance and the key for data encryption.However, this feature raises an issue of increased key management for a data owner.Patranabis et al. [21] also considered variants of KASE, but their scheme has no search delegation to other users.Therefore, the situation that KASE normally handles is different, so it can be said that it is different from the problem dealt with in this paper.
In a framework of conventional searchable encryption, the multi-user setting [5]- [8], [22], [23] and the multi-key setting [2], [4], [24] have been known to control the searchability for each document.However, an efficient control of the searchability, such as issuance of aggregate keys which is one of the main problems in KASE, is out of the scope of such settings.
Searchable attribute-based encryption (SABE) [25]- [29] is an encryption scheme similar to KASE.SABE is a searchable encryption scheme in which documents corresponding to attributes are searchable for users who own secret keys of the attributes.While SABE provides searchability along with attributes for each document, the size of secret keys depends on the number of attributes, i.e., the key size is linear.This problem in SABE is a different problem from KASE.
As additional related works, key-aggregate cryptosystems [30]- [32] outsource the decryption of data.Among them, Patranabis et al. [32] showed a provably secure scheme.However, the searchability for ciphertexts is out of the scope in these works.Since the searchability is not implied generally, constructing a provably secure KASE remains an open problem.

1) Paper Organization
The rest of this paper is organized as follows.The mathematical background to understanding this work is described in Section II, and then a definition of KASE and the technical difficulty in constructing a KASE scheme is presented in Section III.The main idea to overcome the difficulty and the proposed KASE schemes are discussed in Section IV, and then their security proofs are presented in Section V. Implementation, evaluation, and analysis are discussed in Section VI.Finally, the conclusion and future direction are presented in Section VII.

II. PRELIMINARIES
In this section, we present the background to groups with bilinear maps and their security assumptions.

A. BILINEAR MAPS
The proposed schemes are based on bilinear maps and bilinear groups.In this paper, we recall the standard description defined in [33].Here, let G, H, and G T be groups with the same prime order p.We then define bilinear groups (G, H, G T ) and bilinear maps e : G × H → G T as follows: 1) Bilinear groups (G, H, G T ) are two cyclic groups with a prime order p. c) Computability.For any value u ∈ G and h ∈ H, e(u, v) can be calculated efficiently.When G = H, bilinear groups are said to be symmetric and denoted by (G, G T ) for the sake of convenience.Likewise, G = H, bilinear groups are said to be asymmetric and denoted by (G, H, G T ).

B. COMPLEXITY ASSUMPTIONS
In this section, we define security assumptions utilized in the proposed schemes.
Definition 1 (( , l)-BDHE Assumption in (G, G T )).We say the l-BDHE problem in (G, G T ) with a security parameter 1 k as, for a given (g, h, g α , g α 2 , ..., g α l , g α l+2 , ..., g α 2l , Z) with uniformly random (g, h) ∈ G, α ∈ Z * p and (G, G T ) as input, determining whether Z ∈ G T is e(g α l+1 , h) or a random value R. We say that a polynomial time algorithm A can solve the l-BDHE problem in (G, G T ) with an advantage if the following relation holds: where y g,α,l = (g α , g α 2 , ..., g α l , g α l+2 , ..., g α 2l ).We say the ( , l)-BDHE assumption holds in (G, G T ) if there is no polynomial-time algorithm that can solve the l-BDHE problem in (G, G T ) with .

2) DHE Assumption in G
The Diffie-Hellman exponentiation (DHE) assumption in G is an assumption introduced by Herranz et al. [34].
Definition 2 (( , l)-DHE Assumption in G).We say the l-DHE problem with a security parameter 1 k as, for a given (g, g α , g α 2 , ..., g α l , g α l+2 , ..., g α 2l ) with uniformly random g ∈ G, α ∈ Z * p and (G, G T ) as input, computing g α l+1 .We say that a polynomial time algorithm A can solve the l-DHE problem in G with an advantage if the following relation holds: where y g,α,l = (g α , g α 2 , ..., g α l , g α l+2 , ..., g α 2l ).We say the ( , l)-DHE assumption holds in G if there is no polynomialtime algorithm that can solve the l-DHE problem in G with .
3) XDH Assumption in (G, H) The external Diffie-Hellman (XDH) assumption in (G, H) is an assumption introduced in [35], [36].Note that, unlike the BDHE assumption and the DHE assumption described above, the XDH assumption holds on only asymmetric bilinear groups (G, H, G T ).
Definition 3 ( -XDH Assumption in (G, H)).We say the XDH problem in (G, H) as, for a given (g, h, g a , g b , Z) with uniformly random g ∈ G, h ∈ H, (a, b) ∈ Z * p and (G, H, G T ) as input, determining whether Z ∈ G is g ab or is a random value R. We say that a polynomial time algorithm A can solve XDH problem in (G, H) with advantage if the following relation holds: |P r[A(g, h, g a , g b , g ab , G, H, G T ) = 0] We say -XDH assumption holds in (G, H) if there is no polynomial-time algorithm that can solve the XDH problem in (G, H) with .

III. KEY-AGGREGATE SEARCHABLE ENCRYPTION(KASE)
In this section, we describe the main problem statement of key-aggregate searchable encryption (KASE) [9].Then, we newly define a syntax of algorithms and the security for KASE.These definitions are our contributions.

A. PROBLEM STATEMENT
In key-aggregate searchable encryption (KASE) [9], a data owner provides a "single-and-short" aggregate key that enables a user to access documents for authorization of search.Each user, which we call data user for the sake of convenience, is given an aggregate key as secret information and then generates a "single-and-short" trapdoor to search for a keyword from the documents.In doing so, the following requirements should be satisfied by KASE: • Searchability: A user can generate trapdoors for any keyword to search in encrypted documents.• Compactness: The size of both aggregate keys and trapdoors should be independent of the number of documents and number of users.In addition, the size of encrypted keywords should be independent of the number of users.• Keyword Privacy: An adversary cannot extract information about the original keywords from encrypted documents.That is, a person who does not have an aggregate key corresponding to indexes of the documents cannot get any information from the encrypted keyword.• Aggregate Key Unforgeability: An adversary cannot search for any keyword without authorization from a data owner.That is, an adversary cannot perform keyword search over the documents that are not related to the known aggregate key and it cannot generate new aggregate keys for other sets of documents from the known keys.These requirements are also shown in the original work of KASE [9].The compactness and the searchability are functionality for KASE while the keyword privacy and the aggregate key unforgeability are security for KASE.
As described above, the compactness must be satisfied because the main motivation of KASE is to keep aggregate keys and trapdoors short while providing the searchability.We note that the size of encrypted keywords may depend on the number of documents because the data size of the encrypted keywords with respect to the number of users is the out of the scope of efficient.The keyword privacy is a requirement that prevents an adversary from getting information contained in encrypted documents.Meanwhile, aggregate key is a new notion required in KASE and has not been discussed in general searchable encryption.However, because documents outside the scope of authorization should be unsearchable, the aggregate key unforgeability should be discussed.Even if the keyword privacy is satisfied, there is a possibility that an adversary can search documents outside the scope of authorization.Thus, both the keyword privacy and the aggregate key unforgeability should be discussed.
As another security requirement, the following should be considered: • Trapdoor Privacy: An adversary cannot determine a keyword embedded in the given trapdoor.That is, even when a user asks an untrusted cloud server to search, the server cannot obtain the keyword except for the search result.We note that the trapdoor privacy is an additional security requirement, i.e., only a few schemes [3], [37], [38] satisfy the trapdoor privacy even in the conventional searchable encryption.However, satisfying the trapdoor privacy is an important feature.When keywords embedded in trapdoors are revealed, the original keywords can be analyzed from encrypted documents by looking up the search results.In other words, if the trapdoor privacy is unsatisfied, then the keyword privacy may be threatened.Thus, we consider that a KASE scheme should satisfy all requirements described above.
To the best of our knowledge, no provably secure KASE scheme or formal security definitions have been proposed.Thus, in this paper, we define the requirements above formally.

B. ALGORITHMS
The algorithms of KASE are defined as follows: • params ← Setup(1 λ , n): This algorithm is run by a cloud service provider to set up the scheme.On input of a security parameter 1 λ and the maximum number n of possible documents owned by a data owner, the algorithm outputs a public parameter params.• sk ← KeyGen(params): This algorithm is run by a data owner to generate a secret key sk.• c i,l ← Encrypt(params, sk, i, w l ): This algorithm is run by a data owner to encrypt a keyword which belongs to the ith document and generate an encrypted keyword.On input of the data owner's secret key sk, an document index i and a keyword w l ∈ KS where KS is a keyword space, the algorithm outputs an encrypted keyword c i,l .• k agg ← Extract(params, sk, S): This algorithm is run by a data owner to generate an aggregate key for delegating the keyword search capability for a certain set of documents to other data users.On input of the data owner's secret key sk and a set S of indexes of documents, the algorithm outputs an aggregate key k agg .• T r ← T rapdoor(params, k agg , S, w l ): This algorithm is run by a data user who performs the keyword search.On input of an aggregate key k agg and a keyword w l , the algorithm outputs a single trapdoor T r. • T r i ← Adjust(params, i, S, T r, {f 1,i } i∈ [1,m1] ): This algorithm is run by a cloud server to adjust the given aggregate trapdoor for each document.On input of a set S of indexes of documents, the index i of the target document, an aggregate trapdoor T r and auxiliary functions {f i } i∈ [1,m1] (m 1 ∈ N) possibly, the algorithm outputs each trapdoor T r i for the ith target document in S.
• b ← T est(params, T r i , S, c i,l , {f 2,i } i∈ [1,m2] ): This algorithm is run by a cloud server to perform keyword search over an encrypted document.On input of a trapdoor T r i , the document index i and auxiliary functions possibly, the algorithm outputs true or f alse to denote whether the ith document contains the keyword w l .We note that the syntax above represents a multi-server setting that includes multiple cloud servers.The syntax can contain multiple servers by setting auxiliary functions separately for each cloud server in the Adjust and Test algorithms.
We define the correctness of the syntax of KASE as follows: Definition 4 (Correctness).For any document containing the keyword w l with index i ∈ S, We say that a KASE scheme satisfies the correctness if the following statement holds: for all 1 λ , n ∈ N, i ∈ [1, n], w l ∈ KS, when a public parameter params ← Setup(1 λ , n) and a secret key sk ← KeyGen(params), c i,l ← Encrypt(params, sk, i, w l ) are used, T est(params, T r i , S, c i,l , {f 2,i } i∈ [1,m2] ) = true if T r ← T rapdoor(params, k agg , S, w l ) and T r i ← Adjust(params, i, S, T r, {f 1,i } i∈ [1,m1] ).
The correctness defined above imposes the searchability of KASE because the correctness guarantees that a data user can search for any keyword without decryption.Moreover, the syntax described above is identical to the abstraction of the algorithms proposed in the original work of KASE [9] except that the symmetric key setting instead of the public key setting in [9].
We define the compactness of KASE as follows: Definition 5 (Compactness).We say that KASE satisfies the compactness if the sizes of both aggregate keys and trapdoors are independent of the number n of encrypted documents and the number m of data users, i.e., O(1) with respect to n and m, and the size of encrypted keywords is independent of m, i.e., O(n) with respect to n and m.

C. SECURITY DEFINITIONS
In this section, we define three security requirements for KASE, namely, the keyword privacy, the aggregate key unforgeability, and the trapdoor privacy.• Forge: A outputs S * ⊆ [1, n] and k * agg , where S * includes i * , i.e., i * ∈ S * .We say KASE satisfies the ( , n)-aggregate key unforgeability if the following relation holds for A's advantage with any probabilistic polynomial time algorithm, keyword w l and 1 λ with any sufficiently large size: Adv := P r[T est(params, Adjust(params, i * , S * , T rapdoor(params, k * agg , S * , w l ))) = T est(params, Adjust(params, i * , S * , T rapdoor(params, Extract (params, sk, S * ), S * , w l )))] < Definition 8 (( , n)-Trapdoor Privacy).In this game, an adversary A tries to distinguish a challenge keyword or a random keyword from the given challenge trapdoor.
We say KASE satisfies the ( , n)-trapdoor privacy if the following relation holds for A's advantage with any probabilistic polynomial time algorithm and 1 λ with any sufficiently large size: Although one might think that the conventional searchable encryption [1], [39], [40] can perform the same search as KASE, the number of secret keys possessed to a data user and the number of trapdoors are proportional to the number of documents stored in cloud.Thus, the compactness cannot be satisfied.
The intuition of KASE's difficulty lies in the trade-off between security and features.That is, there is a possibility that security cannot be satisfied if the focus is only satisfying the compactness.In the case of KASE, the algebraic structure is limited because the sizes of aggregate key and trapdoor need to be O(1) regardless of the number of documents and the number of users.Therefore, potential configurations that satisfy searchability are limited, and it has been shown that the KASE scheme of Cui et al. does not satisfy keyword privacy [3].Furthermore, for the trapdoor privacy, the aggregate key must already have a concrete algebraic structure, and thus a trapdoor that uses only the aggregate key necessarily has more restrictive algebraic structures.This makes the trapdoor privacy even more difficult to satisfy.The KASE scheme of Cui et al. also does not satisfy the trapdoor privacy (see the Appendix for details).

IV. CONSTRUCTIONS
In this section, we propose two constructions, namely, the first construction and the main construction, following the security requirements described in Section III-C.The first construction satisfies the keyword privacy and the aggregate key unforgeability.The main construction satisfies the trapdoor privacy in addition to the keyword privacy and the aggregate key unforgeability.

A. IDEA
Our main idea of KASE is to combine broadcast encryption (BE) [12], [13] and aggregate signatures (AS) [14].BE is an encryption scheme that allows a specified set of users to decrypt ciphertext whereby a set of indexes corresponding to the user index is embedded in ciphertexts.Intuitively, the searchability can be realized by treating a decryption algorithm of BE as a test algorithm of KASE.The keyword privacy can then be satisfied by utilizing the ciphertext security of BE.Furthermore, we construct an aggregate key in the form of AS [14].The signature size can be aggregated to a fixed length regardless of the number of users, and hence the compactness can be satisfied by keeping the construction of AS in aggregate keys.This also implies that the aggregate key unforgeability can be satisfied via the unforgeability of AS.
When we considered the idea of combining BE and AS, we found that the BE proposed by Boneh et al. [12] and the AS proposed by Boneh et al. [14] could be combined.Our first construction is close to a simple combination and can be constructed by a single server.However, trapdoor is out of the scope in this construction, i.e., the trapdoor privacy is unsatisfied.
For this reason, we also propose the main construction that satisfies the trapdoor privacy.In our main construction, we embed random values in trapdoors to make the trapdoors probabilistic.In doing so, to satisfy the searchability with the trapdoors, it is necessary to embed the same random values in encrypted keywords on a cloud.However, if the random values are sent to the cloud, the cloud can also extract the original keywords from the given trapdoor.Thus, we further utilize the idea of secret sharing for these random values.We also prepare for two servers that do not collude with each other.A data user distributes the random values embedded in the trapdoors into two shares, and then sends the shares to each server individually.By constructing the test algorithm in a way such as n-out-of -n threshold decryption [41], [42], the random values can be embedded in encrypted keywords and public parameters without knowing the original random values themselves.The approach described above allows search in ciphertexts and satisfies the trapdoor privacy.
• sk ← KeyGen(params): Pick a random β ∈ Z p and output a secret key sk = β.• c i,l ← Encrypt(params, sk, i, w l ): Pick a random t i,l ∈ Z p and output an encrypted keyword c i,l = (c 1,i,l , c 2,i,l , c 3,i,l ) by computing the following: • k agg ← Extract(params, sk, S): For the given subset S ⊆ [1, n] which contains the indexes of documents, output an aggregate key k agg by computing the following: • T r ← T rapdoor(params, k agg , S, w l ): For all documents relevant to the given aggregate key k agg , generate a single trapdoor T r for the keyword w l by computing the following: T r = k agg • H(w l ).
• T r i ← Adjust(params, i, S, T r): For each document in the given set S, output trapdoor T r i by computing the following: T r i = T r • Π j∈S,j =i g n+1−j+i .
• b ← T est(params, T r i , S, c i,l ): For the ith document and the keyword embedded in T r i , output true or f alse by judging whether the following equation holds or not: where pub = Π j∈S g n+1−j .The first construction described above satisfies the correctness, i.e., the searchability, because equation (1) holds.
Furthermore, the sizes of an aggregate key and a trapdoor are |G| independent of the number of indexes in S because k agg = Π j∈S g β n+1−j ∈ G and T r = k agg • H(w l ) ∈ G.A search over encrypted keywords can be executed without changing the encrypted keywords themselves for any keyword.Hence, the first construction satisfies the compactness.
We will show that the first construction satisfies the keyword privacy and the aggregate key unforgeability in Section V-A.The first construction does not satisfy the trapdoor privacy because trapdoors are deterministic with respect to keywords.In other words, an adversary can extract keywords from trapdoors when the keywords used-so-far are sent again.e(Π j∈S g β n+1−j • H(w l ) • Π j∈S,j =i g n+1−j+i , g t i,l ) e((g β • g i ) t i,l , Π j∈S g n+1−j ) = e(Π j∈S g β n+1−j , g t i,l ) • e(H(w l ), g t i,l ) • e(Π j∈S,j =i g n+1−j+i , g t i,l ) e(g βt i,l , Π j∈S g n+1−j ) • e(g t i,l i , Π j∈S g n+1−j ) = e(Π j∈S g n+1−j , g βt i,l ) • e(H(w l ), g t i,l ) • e(Π j∈S,j =i g n+1−j+i , g t i,l ) e(Π j∈S g n+1−j , g βt i,l ) • e(Π j∈S g n+1−j+i g t i,l ) = e(H(w l ), g t i,l ) • e(Π j∈S,j =i g n+1−j+i , g t i,l ) e(Π j∈S g n+1−j+i , g t i,l ) = e(H(w l ), g t i,l ) • e(Π j∈S g n+1−j+i , g t i,l ) e(Π j∈S g n+1−j+i , g t i,l ) • e(g n+1 .gt i,l ) = e(H(w l ), g t i,l ) e(g n+1 .gt i,l ) = e(H(w l ), g) t i,l e(g 1 .gn)t i,l .
In the next subsection, we will introduce the main construction, which satisfies the trapdoor privacy, under a two-server setting.

C. MAIN CONSTRUCTION
To construct a scheme that satisfies the trapdoor privacy, random values should be embedded in trapdoors.Likewise, the same random values should be embedded in the encrypted keyword and public parameters to satisfy the correctness.
Intuitively, the approach to use random values in trapdoors seems to require a data user to send the same random values to a cloud.However, if the data user sends the same random value as those in trapdoors, the cloud can extract k agg •H(w l ) from the given trapdoors and the random values.Consequently, the trapdoor privacy is unsatisfied.
To overcome this limitation, instead of sending random values to a cloud, we aim to send the random values in a manner that nobody except for a data user itself can extract.Simultaneously, embedding the random values in encrypted keywords and a public parameter on the cloud without revealing the random values themselves.To do this, we construct trapdoors by using secret sharing.Consider a data user that distributes random values into two shares and then sends the shares to two servers.By utilizing these shares, a cloud can embed the random values in encrypted keywords and a public parameter without knowing the random values themselves.
In the main construction that will be described below, two servers C main and C aid are assumed to be semi-honest and to not collude with each other without loss of generality.Both servers store the same encrypted keywords.When a data user generates a trapdoor, he/she also generates a random value r and embeds r in the resulting trapdoor.The data user then distributes r into two shares and sends either of the shares to C main and C aid , respectively.After receiving the trapdoor and the share, C main and C aid embed the received share in the stored encrypted keyword and public parameter provisionally.Then, these values are gathered on the C main side.C main then combines the encrypted keywords and the public parameter with the shares to recover r.That is, C main can obtain the encrypted keywords and the public parameter where the random r is embedded without knowing r itself.Consequently, C main is able to search in encrypted files and return the search results to the data user.
The main construction is described as follows.The asymmetric bilinear map is used in the main construction to satisfy the trapdoor privacy.Furthermore, in the Adjust and Test algorithms, we instantiate a function f : Z p × G → G and f T : Z p × G T → G T as auxiliary functions of the input defined in Section III-B.f is a function that takes two arbitrary inputs x ∈ Z p , g ∈ G and outputs g x ∈ G. f T is a function that takes two arbitrary inputs x ∈ Z p , g T ∈ G T and outputs g x T ∈ G T .• params ← Setup(1 λ , n): Generate a bilinear map group system B = (p, G, H, G T , e(•, •)), where p is the order of G, H and 2 λ < p < 2 λ+1 .Set n as the maximum possible number of documents that belong to a data owner.Pick a generator g ∈ G, h ∈ H and a random α ∈ Z p , and then compute Select a one-way hash function H : {0, 1} * → G. Finally, output a public parameter params = (B, P ubK, H), where P ubK = (g, g 1 , ..., g n , g n+2 , ..., g 2n , h, h 1 , ..., h n ) ∈ (G 2n × H n+1 ).• sk ← KeyGen(params): Pick a random β ∈ Z p and output a secret key sk = β.• c i,l ← Encrypt(params, sk, i, w l ): Pick a random t i,l ∈ Z p and output an encrypted keyword c i,l = (c 1,i,l , c 2,i,l , c 3,i,l ) by computing the following: ,i,l = e(H(w l ),h) t i,l e(g1,hn) t i,l ∈ G T .
• k agg ← Extract(params, sk, S): For the given subset S ⊆ [1, n] which contains the indexes of documents, output an aggregate key k agg by computing the following: • T r ← T rapdoor(params, k agg , S, w l ): Randomly generate r ∈ Z p and calculate T r = (k agg • H(w l )) r ∈ G.Then, r is broken into r = r main + r aid , and T r main = (T r, r main ), T r aid = r aid .• T r i ← Adjust(params, i, S, T r, f (r main , pub i ), f (r aid , pub i )): • b ← T est(params, T r i , S, c i,l , f T (r main , c # 2,i,l ), f T (r aid , c # 2,i,l ), f T (r main , c 3,i,l ), f T (r aid , c 3,i,l )): Calculate pub = Π j∈S h n+1−j ∈ H and c # 2,i,l = e(c 2,i,l , pub) on the two servers.C aid sends f T (r aid , c # 2,i,l ) = e(c 2,i,l , pub) r aid to C main .Next, C main calculates (f T (r main , c # 2,i,l )) • (f T (r aid , c # 2,i,l )) = e(c 2,i,l , pub) rmain •e(c 2,i,l , pub) r aid = e(c 2,i,l , pub) r .In addition, C aid sends f T (r aid , c 3,i,l ) = c r aid 3,i,l to C main .Then, C main calculates (f T (r main , c 3,i,l ))• (f T (r aid , c 3,i,l )) = c rmain 3,i,l • c r aid 3,i,l = c r 3,i,l and outputs true or f alse by judging whether the following equation holds or not: e(T r i , c 1,i,l ) e(c 2,i,l , pub) r = ?c r 3,i,l .
The main construction satisfies the correctness, i.e., the searchability, as shown in equation (2).
Furthermore, similar to the first construction, the sizes of an aggregate key and a trapdoor are |G| independent of the number n of indexes in S. In addition, the data size of encrypted keywords is independent of the number of users because the algorithms do not change the encrypted keywords themselves.Thus, the main construction also satisfies the compactness.

V. SECURITY PROOFS
In this section, we will show the security proofs of the first construction and main construction.The security of the main construction is proved in the two-server setting because it uses to servers.The proof statement is consistent with the security definitions because our definitions have captured the multi-server setting by applying an auxiliary function individually for each server.

A. PROOFS OF THE FIRST CONSTRUCTION
The first construction satisfies the ( , n)-keyword privacy and the ( , n)-aggregate key unforgeability.In this section, we prove these two securities.
Theorem 1 (( , n)-Keyword Privacy).The first construction satisfies the ( , n)-keyword privacy under the ( , n)-BDHE Assumption, where ≥ .P roof.Suppose there exists an adversary A, whose advantage is , against the first construction.We then build an algorithm B that solves the BDHE problem.Let C be a challenger for the BDHE problem.Algorithm B proceeds as follows.
• Query: When A queries for O Extract , B responds as follows: -If an aggregate key for i * ∈ S is queried, return ⊥.
-If an aggregate key for i * ∈ S is queried, return n+1−j .If j = i * , (Π j∈S g n+1−j+i * ) −1 cannot be calculated, but it can be calculated because of i * ∈ S. When A queries for O Encrypt , B randomly generates t i,l ∈ Z * p , calculates the following c i,l = (c 1,i,l , c 2,i,l , c 3,i,l ) and responds to A (c 1,i,l = g t i,l , c 2,i,l = (v • g i ) t i,l , c 3,i,l = e(H(w l ),g) t i,l e(g1,gn) t i,l ).Z .Here, we define h = g t (t is a random value).Then, when Z = e(g n+1 , h), c P roof.Suppose there exists as adversary A, whose advantage is , against the first construction.We then build an algorithm B that solves the DHE problem.Let C be a challenger for the DHE problem.Algorithm B proceeds as follows.
• Query: When A queries for O Extract , B responds as follows: -If an aggregate key for i * ∈ S is queried, return ⊥.
-If an aggregate key for i * ∈ S is queried, return Here, if j = i * , then (Π j∈S g n+1−j+i * ) −1 cannot be calculated, but it can be calculated because of i * ∈ S. When A queries for O Encrypt , B randomly generates t i,l ∈ Z * p , calculates c i,l = (c 1,i,l , c 2,i,l , c 3,i,l ) and responds to A (c 1,i,l = g t i,l , c 2,i,l = (v • g i ) t i,l , c 3,i,l = e(H(w l ),g) t i,l e(g1,gn) t i,l ).
• Forge: A outputs S * , k * agg and sends them to B. - . By using this k * agg , B calculates (3) and outputs results.The result in the above ( , n)-aggregate key unforgeability game is identical to the answer of the ( , n)-DHE problem.That is, the advantage of the ( , n)-aggregate key unforgeability game is equal to the advantage of the ( , n)-DHE problem.Thus, if the ( , n)-DHE assumption holds, the first construction satisfies the ( , n)-aggregate key unforgeability.

B. PROOFS OF THE MAIN CONSTRUCTION
In this section, we prove that the main construction satisfies the ( , n)-trapdoor privacy.Note that the ( , n)-keyword privacy and the ( , n)-aggregate key unforgeability can be proved similarly to the proofs for the first construction except for the use security assumptions in asymmetric bilinear groups (see the Appendix for details).As described in the previous section, the main construction is based on two servers.In our security proof, a challenge ciphertext and a challenge trapdoor for both C main and C aid are simulated by a reduction algorithm.
Theorem 3 (( , n)-Trapdoor Privacy).Let a hash function H be modeled as a random oracle.The main construction satisfies the ( , n)-trapdoor privacy under the -XDH assumption, where ≥ .P roof.Suppose there exists as adversary A, whose advantage is , against the main construction.We then build an algorithm B that solves the XDH problem.Let C be a challenger for the XDH problem.Algorithm B proceeds as follows.
• Init: A declares challenge file index set S * ⊆ U and challenge keyword w l * and sends them to C. • Setup: C sends (g, h, g a , g b , Z) to B. B randomly generates α, ω, r main ∈ Z * p and calculates ω is used to generate both a response from the random oracle H and the challenge trapdoor.Simultaneously, r main corresponds to r main of the challenge trapdoor.In this proof, the random value r of challenge trapdoor is mapped to the challenge a of g a .In doing so, calculating r aid = a − r main is necessary in accordance with the Trapdoor algorithm.However, since B does not know a, B cannot calculate r aid itself.Then, instead of calculating r aid as behavior for C aid in the challenge phase, B calculates the value including r aid as C aid .Specifically, B calculates g a • g −r main = g a−r main = g r aid and generates the value including g r aid as the behavior of C aid .This implicitly means that, in the main construction, C aid , who receives r aid , embeds r aid in e(c 2,i,l , pub), pub i and c 3,i,l in the Adjust and Test algorithms.To execute the Adjust and Test algorithms correctly for the challenge trapdoor, C aid is also considered to use the following values: ,i,l , pub * ), B = e((g r aid ) ω ,h) e(g r aid ,hn+1) = ( e(g ω ,h) e(g1,hn) ) r aid .
These values are used to calculate encrypted keywords, which satisfy the correctness for the challenge trapdoor.
B sends params = (g, g 1 , g 2 , ..., g n , g n+2 , ..., g 2n , h, h 1 , h 2 , ..., h to A. Here, B does not know sk = b because it is a part of the secret of the challenge.• Hash: When A queries for random oracle model, B responds as follows.Note that B has a hash list L(w l , y l ).
In the initial state, L is an empty set.
-If w l is in L, return the corresponding y l stored in L.
-If w l is not in L, setting y l as follows, add (w l , y l ) to L and return y l .* If w l = w l * , let y l = g ω .* If w l = w l * , choose x ∈ Z * p uniformly randomly and let y l = g x .
• Query: If A queries for O Encrypt , B returns as follows: -If A queries for a keyword which satisfies w l = w l * ∨ i ∈ S * , return ⊥. -If A queries for a keyword which satisfies w l = w l * ∧ i ∈ S * , randomly generate t i,l ∈ Z * p and return c i,l = (c 1,i,l , c 2,i,l , c 3,i,l ) (c 1,i,l = h t i,l , c 2,i,l = (g b • g i ) t i,l , c 3,i,l = e(H(w l ),h) t i,l e(g1,hn) t i,l ) If A queries for O T rapdoor , B randomly generate r ∈ Z * p and calculate T r (Π j∈S g b n+1−j • H(w l )) r .Then, B randomly generates r main ∈ Z * p and calculates r aid = r − r main .B returns (T r, r main ) to A.
• Guess: B calculates the challenge trapdoor as T r * = Π j∈S * Z α n+1−j • (g a ) ω .At this time, if Z = g ab , T r = Π j∈S * (g ab ) α n+1−j • (g a ) ω = (Π j∈S * g b n+1−j • g ω ) a holds.From the simulation of the hash phase, H(w l * ) = g ω holds, and therefore T r = (Π j∈S * g b n+1−j •H(w l * )) a holds.Therefore, T r has the same distribution as that calculated by the Trapdoor algorithm in the main construction.B sends T r * and r main to A. A then chooses θ ∈ {0, 1} and returns it to B. Finally, B returns the received θ to C as a guess of θ.Note that if Z = g ab , not only the trapdoor generated in the query phase but also the challenge trapdoor satisfies the correctness.
In the guess phase, if Z is a random value, then P r[θ = θ ] = 1/2.On the other hand, if Z = g ab , then |P r[θ = θ ]−1/2| = Adv > .This indicates that B has an advantage over for solving the -XDH problem.Thus, if the -XDH assumption holds, the main construction satisfies the ( , n)trapdoor privacy.

VI. DISCUSSION
In this section, we discuss performance of our proposed schemes.We first implement the proposed schemes to measure their actual performance.Next, we theoretically compare the computational cost and the storage cost of the proposed schemes with those of related works.We also compare the security features with related works.

A. IMPLEMENTATION AND PERFORMANCE
We implement the first construction and the main construction to evaluate the performance of each algorithm.The implementation environment and performance evaluation are as follows: 1) Implementation Environment In our implementation, we use the mcl library version 0.94 2 , which is a C++ library for pairing computation.We also use the BLS12-381 curves.The curves are asymmetric bilinear maps, and hence the parameters in the first construction are dually generated for each input group of the bilinear maps.We also evaluate each cryptographic operation in the C++ platform with Mac OS named Mojave.In our environment, CPU is 1.4 GHz Intel Core i5-4260U and memory is 4 GB 1600 MHz DDR3.We note that the communication latency 2 mcl library: https://github.com/herumi/mclto interact between C main and C aid in the main construction is not measured because the communication process between C main and C aid is not implemented due to the lack of communication function in the mcl library.

2) Performance Evaluation
The results of the performance evaluation of our schemes are shown in Figures 2-7.Among the KASE algorithms, the Setup, Encrypt, and Extract algorithms are common to the first construction and the main construction because the mcl library supports asymmetric bilinear maps.Thus, the evaluation of these algorithms, i.e., Figures 2-4, contains only the first construction.The results shown in Figures 2-4 are common also for those in the main construction.On the other hand, the results of the Adjust and Test algorithms listed in Figures 6-7 do not include the communication latency between the two servers in the main construction.
The execution time of the Setup algorithm is linear with respect to the maximum number of documents belonging to a single owner.When the number of documents increases to 5,000, the Setup algorithm only needs one millisecond of execution time and therefore remains reasonable.
The execution time of the Encrypt algorithm is linear with respect to the number of keywords.The execution time of the Encrypt algorithm is larger than those of other algorithms because of the use of bilinear maps with heavy calculations.Nevertheless, when the number of documents increases to 5,000, the execution time of the Encrypt algorithm finishes within one second and is therefore still practical .
The execution time of the Extract algorithm is linear with respect to the number of shared documents.When the number of documents increases to 5,000, the Extract algorithm needs only 0.07 milliseconds of execution time.The Extract algorithm can be performed faster than the other algorithms.
The execution time of the Trapdoor algorithm is constant with respect to the number of documents, i.e., 0.07 milliseconds in the first construction and 0.2 milliseconds in the main construction.The difference in the execution time depends on the number of scalar multiplications.In particular, the first construction does not utilize scalar multiplication, whereas the main construction utilizes a single scalar multiplication.Since the data sizes of r main and r aid are small because of integers, the entire execution time can be minimized even when the communication latency is included.
The execution time of the Adjust algorithm is linear with respect to the number of documents.When the number of documents increases to 5,000, the Adjust algorithm takes only 0.06 milliseconds in the first construction and only 0.18 milliseconds in the main construction.Similar to the Extract    algorithm, the Adjust algorithm in the first construction can be performed faster than the other algorithms.In the main construction, the Adjust algorithm includes scalar multiplications and hence the computation is slightly heavy.However, we note that the computations for C main and C aid can be done in parallel to improve the performance.Although we did not implement the parallelization, this could improve the performance twice faster.The execution time of the Test algorithm is linear with respect to the number of encrypted keywords.When the number of documents increases to 5,000, the algorithm takes three seconds in the first construction and six seconds in the main construction.Similar to the Encrypt algorithm, the high cost is caused by the use of bilinear maps, which is a bottleneck in all algorithms that use it.However, the search process can be fully parallelized because it is individual for each encrypted keyword.Thus, the performance can be improved by parallelization, e.g., by the use of the OpenMP library 3 .
Finally, search for any keyword is a summation of the execution times of the Trapdoor, Adjust, and Test algorithms.For instance, a search in 5,000 encrypted keywords is executed within about three seconds in the first construction and about six seconds in the main construction.

B. COMPUTATIONAL AND STORAGE COST ANALYSIS
In this section, we compare the computational cost and the storage cost of our schemes with other schemes [9], [11], [20] of KASE.The results are shown in Tables 1 and 2. Li et al. [11] proposed two constructions, i.e., the single-owner setting and the multi-owner setting.Therefore, we only compare our schemes in the single-owner setting because our schemes have a single-owner setting.
The computational cost and the storage size for the first construction are less-than-or-equal to those of the schemes by Cui et al. [9] and by Li et al. [11] in spite of achieving the provable security, which is an open problem in these works.
Even in the main construction, the computational cost for the Encrypt algorithm is identical to that of the scheme by Cui et al. [9], and the computational cost for the Trapdoor algorithm is smaller than that of the scheme by Zhou et al. [20].Although the computational costs for the Adjust and Test algorithms are greater than those of other schemes, the number of scalar multiplications in G and exponentiations in G T , whose computations are heavy, are constant with respect to the number of documents.Thus, the computational cost of the main construction can be considered to be practical.Moreover, for the storage cost, in spite of two additional components in Z p , the storage size is fairly identical to that of the scheme by Zhou et al.In particular, an element in G is constructed by two integers on an elliptic curve, i.e., x-  The computational cost of KASE: The operation time of hash operations, scalar multiplication, point addition, exclusive or in G T , exponentiation in G T , multiplication in G T , and pairing operation are identified as T h , T sm , T a , T x , T exp , T mul , and T p , respectively.Li et al. [11] uses a Bloom filter to verify whether the keyword really exists in the document set.The time taken for the operation is represented as T bf .The random generation and integer addition are ignored.The time of Adjust + T est refers to the computational cost that takes file per one index.coordinate and y-coordinate, whose bit lengths are the same as the bit length of an element in Z p .Thus, the entire bit length of 2Z p is equal to that of G.The main construction can achieve a similar storage size as other works.
As will be discussed in detail in the next subsection, the performance of the proposed schemes described above has been achieved as well as the provable security, which is the open problem in the existing works.

C. SECURITY
In this section, we discuss the security required in KASE.The results are shown in Table 3.
In Table 3, the schemes by Cui et al. [9] and by Li et al. [11] do not satisfy the keyword privacy, the aggregate key unforgeability, and the trapdoor privacy.On the other hand, the scheme by Zhou et al. [20], the first construction, and the main construction satisfy the keyword privacy.Although Cui et al. and Li et al. have discussed the keyword privacy informally, their discussions do not include the provable security with reduction algorithms.As a result, the security can be broken through our oracle-based definitions (see the Appendix for details).
Although the scheme by Zhou et al. satisfies the keyword privacy and the trapdoor privacy, it does not satisfy the compactness.Zhou et al.'s scheme assumes a special situation where a remote sensor device encrypts its sensing data.This requires each sensor device to have an extra key for encryption, and the number of keys increases linearly with respect to the number of sensors when viewed across the system.Thus, the compactness cannot be satisfied.We also note that the scheme by Zhou et al. deals with a problem different from ours.Moreover, the aggregate key unforgeability has not been discussed explicitly in other works.

VII. CONCLUSION
In this paper, we proposed provably secure KASE scheme and defined the security of KASE formally.To the best of our knowledge, this is the first paper to provide a formal security discussion of KASE.Our main idea was to combine broadcast encryption and aggregate signatures, and we proposed the scheme called first construction by combining the broadcast encryption scheme by Boneh et al. and the aggregate signature scheme by Boneh et al.The security is provably secure with respect to the keyword privacy under the BDHEassumption and the aggregate key unforgeability under the DHE assumption.Furthermore, by constructing trapdoors that utilize random numbers distributed via secret sharing, we proposed another scheme called main construction that satisfies the trapdoor privacy.We then implemented the proposed schemes and showed that both schemes could encrypt 5,000 keywords within one second.Moreover, a search in the 5,000 keywords can be executed within about three seconds in the first construction and about six seconds in the main construction.These results show that the proposed schemes are practical while achieving provably security.As future work, we plan to propose a generic construction through any broadcast encryption and any aggregate signatures because the proposed schemes in this paper are based on the specific constructions described above.We also plan to optimize implementation, e.g., parallelization of processes, to improve the performance of the proposed schemes.

APPENDIX. VULNERABILITY OF THE SCHEME BY CUI ET AL.
The scheme by Cui et al. [9] does not satisfy the keyword privacy because random values embedded in encrypted keywords are common for every keywords.We show an example where the scheme by Cui et al. is broken under our definition of the keyword privacy below.In the game of the keyword privacy, an adversary can request an encrypted keyword to the encrypt oracle before receiving a challenge encrypted keyword.Then, the adversary chooses a keyword w l before the guess phase, and requests c i * ,l = (c 1,i * ,l , c 2,i * ,l , c 3,i * ,l ) for encrypt oracle.After that, by receiving the challenge encrypted keyword c i * ,θ = (c 1,i * ,θ , c 2,i * ,θ , c 3,i * ,θ ), the adversary can extract the keyword from the challenge encrypted keyword as follows: c 3,i * ,θ /c 3,i * ,l = e(H(w θ ), g)/e(H(w l ), g) Because the adversary knows the challenge keyword and its resulting H(w l * ) and H(w l ), the adversary can know whether either one of the challenge keyword or the random keyword is encrypted by calculating e(H(w l * ), g)/e(H(w l ), g).Thus, when a common random value is embedded in multiple encrypted keywords, i.e., the construction of the scheme by Cui et al., keywords can be extracted from the encrypted keywords.
Moreover, the scheme by Cui et al. does not satisfy the trapdoor privacy because trapdoor is deterministic with respect to a given keyword.We show an example where the scheme by Cui et al. is broken under the definition of the trapdoor privacy.In the game of the trapdoor privacy, an adversary can request trapdoors to the trapdoor oracle before receiving a challenge trapdoor.Then, the adversary chooses a keyword w l before the guess phase, and requests T r = k * agg • H(w l ) to the trapdoor oracle.After that, by receiving the challenge trapdoor T r * = k * agg • H(w θ ), the adversary can extract the keyword from the challenge trapdoor as follows: (T r * • H(w l ))/T r = H(w θ ) Thus, if trapdoors are deterministic, keywords can be extract from multiple trapdoors.

2 )
g ∈ G and h ∈ H are generators of G and H, respectively.3) A bilinear map e : G × H → G T is a map with the following properties: a) Bilinearity.For any value u ∈ G, v ∈ H and a, b ∈ Z * p , e(u a , v b ) = e(u, v) ab holds.b) Non-degeneracy.e(g, h) = 1 holds, where 1 means an identity element over G T .
FIGURE 2: Time cost of Setup

FIGURE 5 :
FIGURE 5: Time cost of Trapdoor

FIGURE 6 :
FIGURE 6: Time cost of Adjust

FIGURE 7 :
FIGURE 7: Time cost of Test Encrypt : by taking i ∈[1, n], w l ∈ KS as input, return c i,l ← Encrypt(params, sk, i, w l ).• O T rapdoor : by taking S ⊆ [1, n], w l ∈ KS as input, return T r ← T rapdoor(params, Extract(params, sk, S), S, w l ).We say KASE satisfies the ( , n)-keyword privacy if the following relation holds for A's advantage with any probabilistic polynomial time algorithm and 1 λ with any sufficiently large size: The security requirements are defined by the following game between an adversary A and a challenger C. For each game, both C and A are given (1 λ , n) as input, A is allowed to get aggregate keys, encrypted keywords, and trapdoors in the query phase by accessing the key extraction oracle O Extract , the encryption oracle O Encrypt , and the trapdoor oracle O T rapdoor , respectively.In particular, A accesses each oracle as follows:• O Extract : by taking S ⊆ [1, n] as input, return k agg ← Extract(params, sk, S). • O Definition 6 (( , n)-Keyword Privacy).In this game, an adversary A tries to distinguish a challenge keyword or a random keyword from a challenge encrypted keyword.• Init: A declares the index i * ∈ [1, n] of a challenge document used in the guess phase and sends it to C. • Setup: C generates params ← Setup(1 λ , n) and sk ← KeyGen(params), and sends params to A. • Query: A can query to O Extract at most n − 1 times 1 and can query to O Encrypt at arbitrary times.Here, when A queries to O Extract , it imposes the constraint S ⊆ [1, n] \ {i * }. • Guess: A declares a challenge keyword w l * and sends it to C. C randomly chooses θ ∈ {0, 1}.If θ = 0, then C sets w θ = w l * .Otherwise, i.e., θ = 1, C sets a random keyword as w θ , where |w 0 | = |w 1 |.C sends c i * ,θ ← Encrypt(params, sk, i * , w θ ) to A. A then selects θ ∈ {0, 1}.
Aggregate Key Unforgeability).In this game, an adversary A tries to forge a valid aggregate key where A can search encrypted documents with the aggregate key.
• Setup: C randomly chooses i * ∈ [1, n].C generates params ← Setup(1 λ , n) and sk ← KeyGen(params), and then sends params, i * to A. • Query: A can query to O Extract at most n−1 times and can query to O Encrypt at arbitrary times.Here, when A queries to O Extract , it imposes the constraint i * ∈ S.

•
Init: A declares a set S * ⊆ [1, n] of indexes and a challenge keyword w l * used in the guess phase, and sends it to C.
• Setup: C generates params ← Setup(1 λ , n) and sk ← KeyGen(params), and then sends params to A. • Query: A can query to O T rapdoor at most n−|S * | times and can query to O Encrypt at arbitrary times.Here, when A queries to O Encrypt , it imposes the constraint Ta+ 2Tp + T mul + Texp T h + 2Tsm + 2Ta + 2Tp+ T mul + 2Texp + Tx + T bf T h + 4Tsm + Ta T h + 2Tsm + Ta+ 2Tp + T mul + Texp T h + 2Tsm + Ta+ 2Tp + T mul + Texp T rapdoor T h + Ta T h + Ta T h + 3Tsm + Ta T h + Ta T h + Ta + Tsm

TABLE 2 :
The storage cost of KASE: |G|, |G T | refers to the size of G, G T .