An Efficient Attribute-Based Multi-Keyword Search Scheme in Encrypted Keyword Generation

With the growing popularity of cloud computing in recent years, data owners (DOs) now prefer to outsource their data to cloud servers and allow the specific data users (DUs) to retrieve the data. Searchable encryption is an important tool to provide secure search over the encrypted cloud data without infringing data confidentiality and data privacy. In this work, we consider a secure search service providing fine-grained and search functionality, called attribute-based multiple keyword search (ABMKS), which can be seen as an extension of searchable encryption. In the existing ABMKS schemes, the computation operations in the encrypted keyword index generation are time-consuming modular exponentiation, and the number of which is linearly growing with the factor $m$ . Here $m$ is the number of keywords embedded in a file. To reduce the computation overhead, in this paper, we propose an ABMKS with only multiplication operations in encrypted keyword index generation. As a result, the computation cost of the encrypted keyword index generation is more efficient than the existing schemes. In addition, the encrypted keyword indexes are aggregated into one item, which is regardless of the number of underlying keywords in a file data. Finally, the security and the performance analysis demonstrate that our scheme is both efficient and secure.


I. INTRODUCTION
With the flexibility and benefits provided by the cloud storage [1], [2] and cloud computing [3], [4], data owners (DOs) prefer to outsource the management of their data to the cloud service provider (CSP) and rent the strong computation ability of CSP. Because DOs pay more attention and consideration to the privacy of data, DOs will encrypt their sensitive data before outsourcing it to the CSP. However, data encryption will cause a huge cost in terms of data usability, as the existing solutions of keyword-based information retrieval on plaintext data cannot be applied directly to the encrypted data. It is impractical to download all the encrypted data from CSP and decrypt it locally.
The associate editor coordinating the review of this manuscript and approving it for publication was Longxiang Gao .
To realize the keyword search over encrypted data, some solutions are proposed using fully-homomorphic encryption [5] or oblivious RAMs [6], but these techniques will bring huge computation overhead on both CSP and users. On the contrary, searchable encryption [7] is a practical solution, which allows the CSP to search over encrypted data on behalf of the authorized users with a keyword search trapdoor provided by the users, and the CSP can retrieve the matching data without learning information about the underlying plaintext.
Searchable encryption (SE) can be realized in both symmetric and asymmetric encryption settings. Abound of research works [8], [9], [11]- [14] have been proposed to realize various search functionalities, such as single keyword search, multiple keywords search, ranked search etc. In the symmetric searchable encryption (SSE) schemes, DOs have to distribute a session key to DUs, which brings complicated secret key distribution/management overhead to DOs.
Boneh et al. [15] first introduced the definition of searchable encryption in public-key setting, which can resolve the issue of distributing the session key in the SSE. Zheng et al. [16] proposed new primitive called attribute-based keyword search (ABKS) by integrating SE and attribute-based encryption [17]- [24]. ABKS is extended on basis of SE to realize keyword search and access control simultaneously. Followup [25], [26] are proposed to achieve multiple keyword search based on [16]. Among the public-key encryption with keyword search schemes, attribute-based multi-keyword search (ABMKS) achieves more and more attention for its practical applicability [25].
In ABMKS, DOs can realize the access control on their data, which means only the authorized DUs can access to it. More precisely, DOs encrypt their data based on an access policy with attribute-based encryption and build encrypted keyword indexes corresponding to the keyword extracted from the data. If the data users' attributes satisfy the access policy and the trapdoor maths with the encrypted keyword indexes simultaneously, they can retrieve and decrypt the matching data. The existing ABMKS scheme [26] can support keyword search and comparable attributes through utilizing 0-encoding and 1-encoding. However, in [26], the computation operations in the encrypted keyword index generation are mainly modular exponentiations, which are timeconsuming compared to multiplication.
In this paper, we design an efficient ABMKS scheme, called attribute-based multiple keyword search scheme with only multiplication (ABMKS-WM) in encrypted keyword generation by using Binary Vector and Polynomial (the details of them shown as in Sections III-C-III-D), thus the time cost of the encrypted keyword index generation is more efficient compared to existing schemes, e.g., [25]- [27]. In addition, the encrypted keyword indexes are aggregated into one item, which is regardless of the number of underlying keywords in a file. The contribution of this paper are summarized as follows: 1) We design a secure ABMKS without exponentiation in the encrypted keyword index generation. Unlike the existing ABMKS schemes, e.g., [25]- [27], the computation operations in index generation are only multiplication, which is more efficient than exponentiation. In addition, the encrypted keyword indexes are aggregated into one item, which is regardless of the number of underlying keywords in a file. To our best knowledge, our design is the first of its type that achieves the encrypted keyword index generation without exponentiation in the model of ABMKS. 2) We prove that our design is secure against the chosenkeyword attacks via the formal security analysis, and our performance evaluation proves that the scheme is efficient in terms of both the computation and communication overhead, in particular, the time cost of the ciphertext generation and data retrieval are more efficient than that of the existing ABMKS schemes.
The remainder of this paper is organized as follows.
We briefly review related work in Section 2. In Section 3, we present some basic primitives used in this paper and the main building blocks for our construction. We describe the system and threat models, the construction, and the security model of our scheme in Section 4. In Section 5, we give the design of our scheme. Section 6 presents the security analysis of the proposed scheme. The experimental analysis and the comparison with some related works are presented in Section 7. We conclude the paper in Section 8.

II. RELATED WORK
Searchable encryption enables DOs or DUs to execute keyword search over encrypted data. Based on the different cryptography primitives, searchable encryption can be roughly classified into symmetric SE and asymmetric ones. Song et al. [7] first proposed the notion of symmetric SE and presented a construction of it. Subsequently, a variety of symmetric SE schemes have been proposed. Goh [28] put forward the security definitions for SSE and proposed a construction based on Bloom filter. Bao et al. [10] proposed a SSE scheme in multi-user model. Boneh et al. [15] first put forward the notion of public-key encryption with keyword search (PKES), and Abdalla et al. [30] enhance the foundations of PEKS. Abundant of PEKS schemes [31]- [38] are proposed to achieve various functionalities. Li et al. [38] proposed a scheme which supports both abilities and provides flexible keyword update service. Yin et al [39] proposed an ingenious secure query scheme to guarantee data security and system flexibility in the multiple data owners model, which allows each DO to adopt randomly chosen temporary keys to build secure indexes for different files. By leveraging the attribute-based encryption primitive, Yin et al. [41] put forward a fine-grained authorized keyword secure search scheme in which the access policy supports AND, OR, and threshold gates and Yin et al. [42] proposed a ABE scheme allows the DO to conduct a fine-grained search authorization for a DU. Liang and Susilo [40]present an ABE with keyword search schemes which allow DO to warrant keyword search capability to authorized DU.
Chen et al. [36] proposed a public key encryption with keyword search in dual-server model, which can resist the inside keyword guessing attack [43]. In order to check the correctness of retrieving results from the semi-trusted CSP, Liu et al. [35] and Miao et al. [26] presented the verifiable SE schemes, respectively.
To realize the access control and keyword search on the data at the same time, Zheng et al. [16] proposed a new search service called attribute-based keyword search (ABKS), which formed by combining of attribute-based encryption (ABE) and SE. And later [25], [26] were proposed to achieve extended functionalities based on [16]. For example, Miao et al. [25] proposed an ABKS with user revocation in multiowner settings.
Golle et al. [29] proposed the concept of conjunctive keyword search in the SE system. Later on, Park et al. [44] extended the notion into public key system. Attribute-Based Multiple Keyword Searchable supports multi-keyword search and access control on encrypted data simultaneously. However, in most existing ABMKS schemes, e.g., [25], [26], the computation operations in encrypted keyword index generation are time-consuming exponentiation, and the number of which is growing linearly with the factor m. Here m is the number of keyword in a file. Li et al. [27] proposed Towards Privacy-Preserving and Efficient Attribute-Based Multi-Keyword Search (TPPE-ABMKS) through utilizing keyword dictionary tree and the subset cover, which can achieve multi-keyword search with fine-grained access control, and the number of the encrypted keyword index is relatively small. However, the computation operations in the encrypted keyword index generation are pairing operations, which are also time-consuming.

III. PRELIMINARY
We present a brief review of some basic primitives used in this work in III-A and III-B. We also define the main building blocks for constructing our scheme in Sections III-C and III-D.

A. BILINEAR MAP
As in [17], [18], we let G and G T be two multiplicative cyclic groups of prime order p, g a generator of the group G and a bilinear mapping e: G × G −→ G T satisfies following properties: • Bilinearity: e(g a , g b ) = e(g, g) ab , ∀g ∈ G, ∀a, b ∈ Z * p . • Nondegeneracy: e(g, g) = 1. • Computability: the e(g a , g b ) can be computed by an efficient algorithm, ∀g ∈ G, ∀a, b ∈ Z * p B. ACCESS TREE T Let T be a tree representing an access policy [17], [18]. In an access policy T , each non-leaf of T represents a threshold gate, each non-leaf is described by its children and a threshold value. Let num v denote the number of children of a node v, and the children from left to right are labeled as 1, . . . , num v , while k v (k v ≤ num v ) denotes the threshold value associated with the node v, when k v = 1, the threshold gate is an OR gate and when k v = num v , it is an AND gate. Each leaf node of T is described by an attribute and a threshold value k v = 1.
To better understand the access tree, we define a few functions as follow, let parent(v) represent the parent of node v. If v is a leaf node, att(v) represents the attribute associated with the leaf node v. Let index(v) denote the label of the node v, and T v represent the subtree of T rooted at node v.
Let T v (γ ) = 1 indicate that the attribute set γ satisfies the access tree T v . If v is a non-leaf node, we can compare T v (γ ) recursively as follows, compute T v (γ ) for all children v of the node v, if at least k v children of the node v return 1, then T v (γ ) = 1. If v is a leaf node and att(v) ∈ γ , then T v (γ ) = 1.

C. KEYWORD DICTIONARY AND BINARY VECTOR
Let W = [w 1 , . . . , w n ] be the keywords dictionary in the system, and W Q be the query keywords set chosen by DU, e.g., W Q = {w 1 , w 3 , w 5 , w 7 }. We represent W Q with a binary vector → Q based on the keyword dictionary W as follows: Before building the encrypted keyword indexes for the keywords set W D of a file f , DO first randomizes the order of keyword in the keyword dictionary W to get the new keyword dictionary W = [ w 1 , . . . , w n ], then obtains the permutation σ .
We give an example of permutation generation as shown in Fig. 1 ] means w 5 = w 1 , w 6 = w 5 , w 1 = w 6 , it's to say that the keyword w 1 in W is shifted to the 5-th position of W , keyword w 5 in W is shifted to the 6-th position of W , keyword w 6 in W is shifted to the 1-th position of W . [2,4] and [3,8,7] follow the same rule as [1,5,6], and where [2,4] means w 4 = w 2 , w 2 = w 4 ; where [3,8,7] means w 8 = w 3 , w 7 = w 8 and w 3 = w 7 . We can see that the total number of possible σ is n! = n×(n−1)×. . .×2×1. As a result, an adversary has the probability of 1/n! to guess it, e.g., when n = 500, then the probability is negligible. The DO will generate the encrypted keyword indexes for the keywords set W D with W and σ as follows: First, as shown in Section III-C, DO will generate a binary vector where H is hash function, K is a random symmetric key which is used to encrypt the file f . Note that the operations At last, DO chooses an access policy tree T and encrypts the permutation σ and K based on the access policy tree by using ABE scheme.

2) TRAPDOOR GENERATION
If a data user's attributes set satisfies the access policy tree T , then he/she can get the permutation σ and the symmetric key K . Then the DU can generate the new keyword dictionary W by using the σ .
As shown in Section III-C, let W D be the query keywords set chosen by a DU, and DU then generates the binary vector Then, DU can compute the function f (x, → Q) and the trapdoor T corresponding to keywords set W Q as follows: where H is a hash function, K is a random symmetric key which is used to encrypt the file f . Note that the operation is multiplication but not modular multiplication.

3) MATCH PROCESS
We can note that f (x, is a integer, it means that I can be exactly divisible by T , then I mod T = 0. Remark: Based on the method above to generate encrypted keyword indexes, the sizes of the encrypted keyword indexes and the trapdoor are aggregated into one item. In addition, the computation operations in encrypted keyword index and the trapdoor generation are multiplications. As described above, the encrypted keyword index is I , which is a large number. We give the theorem of the bit long for the I as follow.
Theorem 1: Let H be the hash function H : here m is the number of the keyword in W D , |Z * p | is the bit length of an element in Z * p . Proof: First, as shown in the Fig. 2, we prove that if a s-bit number multiply by a t-bit number, then the bit length of the product is at most s+t.
The Fig. 2 describes the rule of the binary multiplication, the * denotes 0 or 1. We give a example of the 4-bit number (1010) multiply by a 5-bit number (11100) in Fig. 3, the computing rule of binary multiplication is the same as the decimal VOLUME 8, 2020 multiplication, the product of (0×0) is 0, the product of (1×1) is 1, the product of (0 × 1) is 0, we can see that the bit length of the product of (4-bit) and (5-bit) is at most 9-bit. As the computing rule in the Fig. 3, we can note that the bit length of product of s-bit number × t-bit number is at most s+t when the red * is 1.
Note that I is the product of m |Z * p |-bit numbers multiply continuously, then the bit length of I is at most m · |Z * p |.

IV. PROBLEM FORMULATIONS
In this section, we present the system model, the threat model, the scheme definition, and the security model, respectively.

A. SYSTEM AND THREAT MODEL
We present the system model of our scheme in Fig. 4, which is the same as the one in [25]. Our scheme involves four entities: DO, DU, CSP and Authority. The DO will encrypt the data files set F as well as corresponding keyword sets with an access policy before uploading them to the CSP. The CSP provides the storage services and executes keyword search operations on behalf of the DU. When a DU wants to make a search query over the encrypted data, he/she generates a trapdoor by his/her specified query keywords and submits it to CSP. On receiving the trapdoor, CSP retrieves the appropriate data file by using the trapdoor, if the user's attributes satisfy the access policy and the trapdoor matches the encrypted keyword index I . The role of Authority is to issue credentials (PK/SK) to the data owners/users, the credentials are sent over secure communication channel. The threat model of our system is as follows: DO, Authority and the authorized data users are trusted, but the CSP is a trusted-but-curious entity which honestly executes the protocol but attempts to learn some sensitive information, e.g., the query keyword information.

B. THE CONSTRUCTION OF ABMKS-WM SCHEME
In this section, we present the overview of our scheme, it is composed of eight algorithms as follows: • Setup(λ) Take as input the security parameter λ, output the master key MSK and the public key PK .
• KeyGen(PK , MSK , S) Take as input user's attribute set S, MSK and PK , output the private key SK for the user.
• Encrypt(PK , T , F, W D ) Take as input a files set F = f 1 , . . . , f N . Let W D be the keywords set of the file f . For each file f ∈ F, DO generates a permutation σ respect to the file f , and then generates ciphertexts C of the file f and index I of the keywords set W D according to the symmetric key K and the access tree T , respectively. At last sends the ciphertext CT = {C, I } to the CSP.
• GenTK(PK , SK ) Take as input public key PK and the private key SK for user's attribute set S, output the transformation key TK and the corresponding retrieving key RK .
• Transform(CT , TK ) Take as input the ciphertext CT and the transformation key TK , output a partially decrypted ciphertext CT .
• Decrypt(CT , RK ) Take as input the transformed ciphertext CT and the retrieving key RK , output the permutation σ and the symmetric key K .
• Trapdoor(PK , SK , RK , W Q , σ, K ) Take as input the public key PK , private key SK and corresponding key RK , query keywords set W Q , the permutation σ , output the trapdoor T for the query keyword W Q .
• Retrieve(PK , CT , T ) Take as input the ciphertext CT and the trapdoor T W Q for query keywords set W Q . CSP checks whether T W Q satisfies the ciphertext CT , if it holds, then returns the search results C to user, otherwise, outputs ⊥.

C. SECURITY MODEL
In this section, we present the security model of our scheme as follows.
The one goal of our scheme is that it can resist the chosen-keyword attack (CKA) [26]. As described in threat model, only the CSP is honest-but-curious. Intuitively, CKA means that the CSP (an adversary A) cannot learn anything information about plaintext keywords set from the keywords set ciphertext except for the search tokens and the results. We present the security model by utilizing the chosenkeyword attack (CKA) game as follows: Definition 2: Chosen-Keyword Attack Game: • Setup: The challenger C executes the Setup algorithm to get the public parameters PK and master key MSK , then sends the public parameters PK to the adversary A. The adversary A chooses an access tree T , which is sent to the challenger.
• Phase 1: A can adaptively query the following oracles for polynomially many times, and the challenger C initializes an empty keyword list L kw and an empty set D. The another security goal of our scheme is that the adversary cannot obtain the keyword information from the query trapdoor generated by data user, we give formal security definition of it based on a game between a adversary A and a challenger C as in the state-of-the-art work [41].

V. OUR CONSTRUCTION
We present some notations used in our construction in Table 1, and introduce our technical construction details below. algorithm. Given a DU's attribute set S, the authority chooses a random number r ∈ Z * p , and chooses r i for each attribute i ∈ S. Finally, the authority generates the private key SK for the DU as follows: . . , f N } be the file set, to easy understand the encrypt algorithm, we give an example of encrypting one file f ∈ F. Let W = [w 1 , . . . , w n ] be the keyword dictionary, W D be the keywords set that appears in a file f . DO will encrypt the file f using the corresponding symmetric key K to generate the ciphertext C, e.g., using AES to encrypt the file f , but the exact algorithm is out of the scope of our discusses. After that, DO will generate the permutation σ and the binary vector → D for the keywords set W D as follows: VOLUME 8, 2020 1) By randomizing the order of elements in the keyword dictionary W to get the new keyword dictionary W and then obtaining permutation σ described in Section III-D. Let Y be the set of leaf nodes in the access tree T , then DO computes θ 1 = e(g, g) H (θ 0 ) · e(g, g) α 1 s , θ 2 = θ 0 ⊕ H 2 (e(g, g) H (θ 0 ) ), θ 3 = h s , θ y = g q y (0) , θ y = H 1 (att(y)) q y (0) , ∀y ∈ Y .

2) Generate the binary vector
where θ 0 = Encode(σ ||K ). 2) With the permutation σ and the → D corresponding file f i , compute f (x, → D) and the encrypted keyword index I for W D as follows: where f (x, → D) is a polynomial function and the degree of it is at most (n−1). Finally, DO generates the specific ciphertexts CT for the file f as follows: CT = (C, I , {T , θ 1 , θ 2 , θ 3 , θ y , θ y }) • GenTK(PK , SK ) → TK : DU executes this algorithm.
Given the public key PK and the private key SK = {D = g (α 1 +r)/α 2 , D i = g r H 1 (i) r i , D i = g r i }. DU chooses a random value u ∈ Z * p , and computes transformation key TK and the corresponding retrieving key RK as follows: • Transform(TK , CT ) → CT : CSP executes this algorithm. On receiving the TK from DU, CSP then checks whether DU's attributes set S satisfies the access tree T . If S does not satisfy T , the algorithm outputs ⊥; otherwise, CSP continues to run the algorithm as follows: 1) If the node x is a leaf node in T . We let i=att(x).
If i ∈ S, then compute φ x as 2) If node x is not a leaf node in T , we get φ x by computing φ x using a recursive algorithm, where x is child node of x. Let S x be an arbitrary k x set of children nodes x; if no such set exists, set If the tree is satisfied by S, we set A = φ root = e(g, g) ru·q R (0) = e(g, g) rus , and compute the partially-decrypted ciphertext pct as follow.
• Decrypt(RK , CT ) → σ ||K : DU executes this algorithm. On receiving the CT from CSP, DU obtains σ and K as follows.
Return the permutation σ and the symmetric key K corresponding to the file f .
where mod represents integer modular operation. On receiving all the search results from CSP, the user can decrypt them with the corresponding symmetric key K . Correctness Analysis: Assume that the submitted attributes set S satisfies the access policy tree T and Then, we state that Eq.(12) holds if

VI. SECURITY ANALYSIS
In this section, we present the security analysis of our scheme which is proved to be secure by using the following theorem. Theorem 2: Given the oracle H 1 , H 2 and the one-way hash function H , and support that the CP-ABE scheme [18] is selectively CPA-secure, then the ABMKS-WM scheme is SCKA secure.
Proof: To prove this theorem, we present the two games as follows: • Game 0: The Selectively Chosen-Keyword Attack Game of ABMKS-WM scheme.
• Game 1: Same as Game 0 except for the way that the challenger generates the challenge ciphertext CT * = (I , {T , θ 1 , θ 2 , θ 3 , θ y , θ y }), where the item I is a random integer and the bit length of I is about |Z * p |m-bit, the rest items of CT * are generated as in Game 0. We prove this theorem by the following two lemmas. Lemma 1 proves that Game 0 and Game 1 are indistinguishable; Lemma 2 proves that the advantage of the adversary in Game 1 is negligible. Therefore, we state that the advantage of the adversary in Game 0 is negligible and the Theorem 2 is completed.
Lemma 1: Support that the CP-ABE scheme [18] is selectively CPA-secure, then the Game 0 and Game 1 are computationally indistinguishable.
Proof: We state that if there exists an adversary A who can distinguish the Game 0 and Game 1 with a nonnegligible advantage , we then can build an algorithm B that can break of the CP-ABE scheme [18] with a non-negligible advantage at least .
Let C be the challenger corresponding to B in the secure game of CP-ABE scheme [18]. The B runs A by executing the following steps.
• Init: A gives B a challenge access policy T * . B sends the T * to C as its challenge access policy and is given the public key PK of the CP-ABE scheme [18]. PK = {G, g, h = g α 2 , e(g, g) α 1 , H 1 } • Setup: B chooses two hash functions H : {0, 1} * → Z * p , H 2 : G T → {0, 1} * , then chooses a pair of encode and decode functions (Encode, Decode) and a keyword dictionary W , then sends the public key PK ={G, g, h = g α 2 , e(g, g) α 1 , H 1 , H 2 , H , Encode, Decode} to A.
• Phase 1: The adversary A issues private key, transformation key and trapdoor generations generations to the following oracles, respectively. 1) When A adaptively issues a private key query for a set of attributes S, B calls the key generation oracle of C on S to obtain the private key SK . Then, returns the SK to A. VOLUME 8, 2020 2) When A adaptively issues a transformation key query for a set of attributes S, chooses a random u ∈ Z * p and computes TK = SK U . Then, returns the TK to A.
3) When A adaptively issues a trapdoor query for S and keywords set W Q , chooses a random permutation σ of the keyword dictionary W , computes T = f (x, → Q W Q ) |x=H (Encode(σ ||K )) , where K is a random symmetric encryption key. If S satisfies T , B stores the keywords set W Q in the keyword list L W Q .
• Phase 2: This phase is similar to Phase 1, with the restriction that W D0 and W D1 have not been issued in Phase 1.
• Guess: The adversary outputs a guess δ for δ. B also outputs δ for β.
Note that, if δ = β, then B has properly simulated Game 0; otherwise, has properly simulated Game 1. Thus, if A can distinguish Game 0 and Game 1 with non-negligible advantage , we can build B algorithm to break the CP-ABE scheme [18] with non-negligible advantage . Lemma 2: Assume that the CP-ABE scheme [18] is selectively CPA-secure, then the advantage of the adversary in Game 1 is negligible.
Proof: We state that if there exists an adversary A who can win the Game 1 with a non-negligible advantage , we then can build an algorithm B that can break the CP-ABE scheme [18] with a non-negligible advantage at least .
Let C be the challenger corresponding to B in the secure game of CP-ABE scheme [18]. B runs A by executing the following steps.
• Init: The A gives B a challenge access policy T * . B sends the T * to C as its challenge access policy and is given the public key PK of the CP-ABE scheme [18]. PK = {G, g, h = g α 2 , e(g, g) α 1 , H 1 } • Setup: B chooses two hash functions H : {0, 1} * →Z * p , H 2 : G T → {0, 1} * , then chooses a pair of encode and decode functions (Encode, Decode) and a keyword dictionary W , then sends the public key PK = {G, g, h = g α 2 , e(g, g) α 1 , H 1 , H 2 , H , Encode, Decode} to A.
• Phase 1: The adversary T issues private key, transformation key and trapdoor generations generations to the following oracles, respectively.
1) When the adversary A adaptively issues a private key query for a set of attributes S (chose by A), B calls the key generation oracle of C on S to obtain the private key SK . Then, returns the SK to A.
2) When the adversary A adaptively issues a transformation key query for a set of attributes S, chooses a random u ∈ Z * p and computes TK = SK U . Then, returns the TK to A.
3) When the adversary A adaptively issues a trapdoor query for S and keywords set W Q (chose by A), chooses a random permutation σ of the keyword dictionary W , where K is a random symmetric encryption key. If S satisfies the T , B stores the keywords set W Q in the keyword list L W Q .
• Challenge: A summits two keyword sets W D0 and W D1 to be challenged on, with the restriction that W D0 and W D1 have not been queried in L W Q . B chooses a random bit δ ∈ {0, 1}, two random symmetric keys K 0 and K 1 , and two random permutations σ 0 and σ 1 , and sends σ 0 , σ 1 , K 0 , K 1 and T * to C. C chooses a random bit β ∈ {0, 1}, and encrypts σ β and K β under the public key PK and T * by using the encryption algorithm of CP-ABE scheme [18], and sends the resulting ciphertext CT * = {T , θ 1 , θ 2 , θ 3 , θ y , θ y } to B. Then randomly generate I , where I is a random integer and the big long of I is about |Z * p |m. Finally, B sets CT * = (I , {T , θ 1 , θ 2 , θ 3 , θ y , θ y }), and sends CT * to A as its challenge ciphertext.
• Phase 2: This phase is similar to Phase 1, with the restriction that W Q0 and W Q1 have not been issued in Phase 1.
• Guess: The adversary outputs a guess δ for δ. B also outputs δ for β. We can see that B has properly simulated Game 1. Thus, if A win Game 1 with non-negligible advantage , we can build an algorithm B to break the CP-ABE scheme [18] with nonnegligible advantage at least .
Theorem 3: Given the one-way hash function H , and support that the CP-ABE scheme [18] is selectively CPA-secure, then achieves query trapdoor unrecoverable security against eavesdropper attack model. Proof: Our proof is similar to the proof in the scheme [16], [41], we prove the Theorem 3 by using the game as follows: Setup: Let CT W D denote the ciphertext corresponding to a keyword set W D , which are generated based on the W D ,σ and K . And then sent the CT to adversary A.
(1) The adversary A queries the following oracles for polynomially-many times. O Trapdoor (SK , W Q ): On input a set of keyword W Q and the SK , the challenger C runs the Trapdoor algorithm to get T W Q and sets L kw = L kw W Q , if the attributes set adversary's S satisfies the policy tree T in CT . It then returns H (σ ||j)) q j and → Q are generated based on the W Q and σ .   (2) The adversary chooses two query keywords set W Q0 and W Q1 and sent them to challenger C, the restriction is that the W Q0 and W Q1 is in L kw .
(3) Challenger C chooses δ ∈ R {0, 1}, and generate the trapdoor T W δ as in the Trapdoor algorithm. Then set the T W δ to adversary.
(4) The adversary can query the oracles as in step (1) with the restriction that the query keywords set other than W Q0 and W Q1 .
(5) The adversary outputs the guess b of b. Because the CP-ABE scheme [18] is selectively CPA-secure, then the adversary cannot recovery the σ ||K from CT W D , thus the adversary cannot effectively compute T W 0 and T W 1 without σ ,K .
It means that the adversary only has 1/2 + 1/n! advantage to guess b = b. If the CP-ABE scheme [18] is selectively, as Theorem 2, the adversary cannot decrypt out the σ ||K from CT W D , in addition, as description in Section III-D, the adversary has 1/n! to guess out the σ , then the adversary has 1/2 + 1/n! advantage to compute the valid trapdoors T W 0 and T W 1 .

VII. PERFORMANCE ANALYSIS
In this section, we compare the performance of our scheme with the related work [26], [27]. Table 2 presents the notations used in this performance analysis.

A. COMPUTATION COMPLEXITY
We compare the schemes [26], [27] with our scheme in terms of computation complexity in Table 3. The time-consuming operations mainly consist of P, E G , E G T and M , we ignore the hash functions H 1 , H and the XOR ( ) for that these operations are more efficient than the above operations.
As shown in Table 3, the computation cost in KeyGen algorithm of our scheme is as efficient as [26], [27]. Compared with [26], [27], the computation cost in the Encryption, Trapdoor and Retrieve algorithms of our scheme are more efficient than [26] and [27], respectively. For example, in the Encryption algorithm, the computation cost of [26] and [27] are (2|Y | + 3 + m)E G and (2|Y | + 1)E G + (t + 1)E G T , respectively, while the computation cost is (2|Y |+1)E G +mM +E G T in our scheme. Due to the multiplication operation M is more efficient than the modular exponentiations E G and E G , we can VOLUME 8, 2020 note that the computation cost in encryption algorithm of our scheme is more efficient than [26] and [27].

B. STORAGE COMPLEXITY
We compare the schemes [26], [27] with our scheme in terms of storage complexity in Table 4.

C. EXPERIMENTAL PERFORMANCE
In this section, we implement the schemes [26], [27] and our scheme by using Python language on the Ubuntu 16.04 LTS with Intel Core i3 Processor 4170 CPU @3.70GHZ with 10.0 GB of RAM. Because these three schemes are highly dependent on the basic cryptographic operations in the pairing computation, we implement these three schemes in software based on the libfenc library [45] and choose a 224-bit MNT cure (|G| = G T | = 224-bit) from the Stanford Pairing-Based Crypto library.
For the comparison, we assume that these three schemes have the same policy tree T : ((A 1 or A 2 ) and (A 3 or A 4 ) and . . . and (A |Y |−1 or A |Y | )). We set the number of DU's attributes s ∈ [10,20,30,40,50], the number of leaf nodes in policy tree |Y | ∈ [20,40,60,80, 100], the number of keyword in keyword dictionary n = 500, the number of keyword appeared in a file m = 100, the |Z * p | = 160 and the number of query keywords m ∈ [3,5,7,9,11].
As shown in Fig. 5(a), the computation cost in ciphertext generation of our scheme is efficient than [26], [27]. As described in Table 3, the computation cost ciphertext generation of the scheme [26], [27] and our scheme are (2|Y |+3+m)E G , (2|Y |+1)E G +(t+1)E G T and (2|Y |+1)E G + mM + E G T , respectively. Due to the multiplication M is efficient than exponentiation E G and E G T . Thus our scheme is more efficient than [26], [27] in the ciphertext generation. For example, when |Y | = 40, m = 100, n = 1000, the schemes [26] and [27] need 945.48 ms and 107.68 ms, respectively, while our scheme needs 86.87 ms.
As shown in Fig. 5(b), the computation cost in trapdoor algorithm of our scheme is slightly efficient than [26], [27]. As described in Table 3, the computation cost in the trapdoor algorithm of our scheme are (2s+3)E G , (2s+1)E G +m lognM and (2s+1)E G +m M , respectively. Due to the multiplication M is more efficient than exponentiation E G and E G T . Thus our scheme is efficient than [26], [27]. For example, when s = 50, m = 100, n = 1000, as for the trapdoor algorithm, the schemes [26], [27] need 907.67 ms and 847.41 ms, respectively, while our scheme needs 828.78 ms.

VIII. CONCLUSION
In this paper, we have designed an ABMKS with only multiplication operations in encrypted keyword index generation which provides secure multi-keyword search service with fine-grained access control. The computation operations in the index generation are only multiplication, which is more efficient than modular exponentiation and pairing. In addition, the encrypted keyword indexes are aggregated into one item, being independent on the number of underlying keyword in a file. The formal security analysis shows that our scheme is secure. Moreover, the performance evaluation demonstrates that the ABMKS-WM scheme is better than the current works in terms of both the computation and communication overhead.  He is currently an Assistant Professor with the Department of Computer Science, University of Surrey, U.K. His research interests include applied cryptography and information security, in particular, encryption, network security, big data security, privacy enhancing technology, blockchain, latticebased crypto, and security in cloud computing.