Outsourcing Attributed-Based Ranked Searchable Encryption With Revocation for Cloud Storage

With the rapid growth of the cloud computing and strengthening of security requirements, encrypted cloud services are of importance and benefit. For the huge ciphertext data stored in the cloud, many secure searchable methods based on cryptography with keywords are introduced. In all the methods, attribute-based searchable encryption is considered as the truthful and efficient method since it supports the flexible access policy. However, the attribute-based system suffers from two defects when applied in the cloud storage. One of them is that the huge data in the cloud makes the users process all the relevant files related to the certain keyword. For the other side, the users and users’ attributes inevitably change frequently. Therefore, attribute revocation is also an important problem in the system. To overcome these drawbacks, an attribute-based ranked searchable encryption scheme with revocation is proposed. We rank the ciphertext documents according to the TF ${\times }$ IDF principle, and then only return the relevant top- $k$ files. Besides the decryption sever, an encryption sever is also introduced. And a large number of computations are outsourced to the encryption server and decryption server, which reduces the computing overhead of the client. In addition, the proposed scheme uses a real-time revocation method to achieve attribute revocation and delegates most of the update tasks to the cloud, which also reduces the calculation overhead of the user side. The performance evaluations show the scheme is feasible and more efficient than the available ones.


I. INTRODUCTION
With the development of social network and communication technology [1], data is showing explosive growth, which is a great challenge for devices with limited storage and computing resources. Therefore cloud service technologies [3] is rising rapidly. Increasingly, businesses and users are outsourcing their data to the cloud, greatly reducing local overhead. However, at the same time, data owners lose direct management of their data. And the data stored in the cloud is inevitable suffering from security threats. Therefore, for protecting the privacy and integrity of the data, the data owner must encrypt the data before outsourcing to prevent the leakage of private information to illegal users and the cloud.
The associate editor coordinating the review of this manuscript and approving it for publication was Jing Bi .
But encrypted data will also greatly limit the availability of data. For example, how do data owners share their data with other legitimate users? The traditional encryption scheme can only realize one-to-one communication mode, and there is no doubt that the coarse-grained access mode cannot meet the development needs of today's society. The attribute-based encryption proposed by Sahai and Waters, while protecting the confidentiality of data, implements a one-to-many access control mode, which is regarded as a very promising cryptography technology. Besides, how data users retrieve specific interested data files from encrypted data becomes a problem to be considered. The easiest way is to download all the ciphertext from the cloud, decrypt them into plaintext, and then find the required data. Obviously this requires a lot of storage and computing costs, which cannot meet the needs of users and the convenience of cloud computing.
Searchable encryption is a very effective method. The data user can generate query trapdoor based on the keyword of interest and match with ciphertext index without decryption. If the match is successful, all encrypted files containing the keyword will be returned to the user. However, not all the returned results match the user's request. In a healthcare system, for example, the attending physician may want to know more about the patient's physical health than mental or other conditions. Therefore, it is necessary to design a ranked searchable encryption. The cloud ranks the query results according to the relevant scores of the query keyword and the file. Only the k files closest to the user's request are returned, which not only saves the consumption of network bandwidth, but also reduces the time cost of users, in line with today's accelerating life style. In addition, the user's attribute may change frequently, so attribute revocation must be considered.

A. CONTRIBUTIONS OF THE SCHEME
To address the above problems, we present a scheme which supports ranked keyword search and attribute revocation in this paper. The highlights of the programme are shown below: • Efficient search: Since the traditional single-keyword search may return a large number of redundant files, the search accuracy cannot meet the needs of users. We adopt the TF×IDF principle to rank the search results and only return the relevant top-k files, greatly improving the accuracy of the search.
• Low computational overhead on the client side: To solve the problem of the high computing cost for the client, we introduce the Encryption-Server Providers (E-SP) and the Decryption Server Providers (D-SP), and outsource a large number of computational tasks in the encryption and decryption phases, respectively, which lightens the computing burden of the client.
• Attribute revocation: For the dynamic characteristics of the system, we use a real-time attribute revocation method. The private key component related to the attribute is outsourced to D-SP, and the user only stores the private key component that is not related to the attribute, which reduces the storage overhead of the user side. Besides, when the user's attribute is revoked, a large number of update calculations will be transferred to the cloud, reducing the computational overhead on the user side.

B. ORGANIZATION
The remaining of the paper is shown as follows. We first introduce some related works about ranked keyword search, attribute-based encryption and attribute revocation in Section 2. We review some basic knowledge in Section 3, which include bilinear map, access structure, linear secret-sharing scheme, relevance score function and the complexity assumption. In Section 4, the symbols used in the scheme will be introduced first, followed by the definition of the scheme as well as the system and security model. In Section 5, we show the specific structure of the scheme. The security of the algorithm is proved in Section 6. The performance evaluation is shown in Section 7. And we give a brief summary at the end of this paper.

II. RELATED WORK A. RANKED KEYWORD SEARCH
Searchable encryption(SE) is an important method of securely and efficiently searching for ciphertext in the cloud. Song et al. [4] first introduced a symmetric keyword search encryption algorithm in 2000 that implements the function of retrieving ciphertext. Dan et al. [5] constructed an asymmetric searchable encryption algorithm in 2004. Subsequently, Sun et al. [6] introduced an attribute-based encryption scheme with authorized search. And users are allowed to access and search encrypted data in a fine-grained way, which greatly increases the application scenarios of ciphertext retrieval. Han et al. [7] proposed an attribute-based keyword search scheme in which the size of trapdoors generated by legitimate users is constant, and the computational cost of the encryption stage is kept at a constant level. Later, Miao et al. [8] proposed a data sharing system supporting online/offline encryption in 2019, which supports the outsourcing of complex computing tasks in the decryption phase to cloud servers. But for keyword search, not all returned results are within the user's needs. Hence, the query results should be ranked according to certain conditions, and only the top-k files that best meet the user's request are returned. In 2015, Revathy et al. [9] introduced an attribute-based searchable encryption based on KNN technology, which can rank the search results and return the top-k query results. Subsequently, Jiang et al. [10] constructed a ranked searchable algorithm based on TF× IDF rules to sort the query results, but the scheme does not support user fine-grained access control over encrypted data. Liu et al. [11] proposed a verifiable ranked searchable encryption scheme which supports search result verification while avoiding redundant results.

B. ATTRIBUTE-BASED ENCRYPTION
Sahai and Waters [17] first introduced an attribute-based encryption(ABE) system in 2005, which can support fine-grained access control over the ciphertext data. Sahai [19] and ciphertext policy attribute-based encryption (CP-ABE) [20].
In the KP-ABE scheme, the users' private key corresponds to an access structure, and the ciphertext corresponds to an attribute set. The decryption will be successful if and only if the attribute set satisfies the access policy. The algorithm idea of CP-ABE is opposite to that of KP-ABE. Therefore, the KP-ABE scheme is applicable to query scenarios, like Digital Rights Management System, the CP-ABE scheme is applicable to access control scenarios, like electronic medical systems. Since then, some scholars have extended the classic ABE scheme in different aspects according to actual needs, so that it can meet different application needs, such as searchable encryption, security outsourcing, attribute revocation in [30]- [35].

C. ATTRIBUTE REVOCATION
To ensure the practicability and security of cloud storage, attribute revocation is a problem that must be considered. Attribute revocation means that the user has lost the corresponding access control rights. In 2006, Pirretti et al. [21] first proposed an attribute revocation scheme for ABE. By setting the expiration date for the attribute, the authority periodically updates the attribute version and revokes the user attribute by revoking the latest version of the attribute. Subsequently, Ibraimi et al. [22] introduced a ciphertext policy attribute-based encryption scheme with instant attribute revocation. Wang et al. [23] constructed an attribute revocation scheme that assigns a random number, called the version number, to the ciphertext and the user's secret key. When the revocation occurs, the trusted authority randomly assigns a new version number. Then the cloud and the user perform ciphertext and key update algorithms with the new version number. Hur and Noh [24] proposed a CP-ABE scheme with immediate attribute revocation, which distributes the KEK binary tree to users, but the scheme has a large maintenance overhead. In 2018, Liu et al. [25] proposed a large universe attribute-based encryption scheme that supports both policy update and attribute revocation. Wang et al. [26] introduced an efficient attribute revocation scheme, which greatly reduced the computational overhead of the client by entrusting the ciphertext and user secret key update tasks to the cloud. The problem of attribute revocation has been widely concerned and studied. The majority of scholars are committed to improving efficiency and security in the revocation process.

III. PRELIMINARIES
Some preliminaries will be introduced in this section, including bilinear map, access structures, linear secret sharing schemes(LSSS), relevance score function, generic bilinear group and complexity assumptions.
A. BILINEAR MAP G 1 and G T are given two cyclic groups which enjoy the same prime order p. e : G 1 × G 1 −→ G T is a bilinear map if it has the properties below.

B. ACCESS STRUCTURE
Given a group of t participants, denoted as = {P 1 , P 2 , . . . , P t }. A collection C ⊆ 2 is monotone if X ∈ C and X ⊆ Y then Y ∈ C for all X , Y . An access structure is a collection C of non-empty subsets of = {P 1 , P 2 , . . . , P t }, Simply speaking C ⊆ 2 \{∅}. The sets in C are considered as an authorized sets, the sets not in C are treated as unauthorized sets.

C. LINEAR SECRET SHARING SCHEMES(LSSS)
A linear secret-sharing scheme defined upon the group has two properties below: 1) The share of the secret s for each participant forms a vector on Z p ; 2) There is a shared-matrix A with l rows and n columns.
Let ρ be a function which maps from {1, . . . , l} to , namely ρ maps every row of matrix A to a participant. We choose the column vector r = (s, s 2 , . . . , s n ) randomly, where s ∈ Z p is the shared secret value, and s 2 , . . . , s n are selected in Z p randomly, then A r denotes the vector of l shares of the secret s according to . Let A i represent the ith row of A, then λ i = A i r denotes the share belonging to party ρ(i).
Linear reconstruction: Each LSSS enjoys the property of linear reconstruction. Assume that pairing (A, ρ) represents an access structure C for LSSS and S is an authorized set in C, i.e., C contains S. There must exist constants w i ∈ Z p such that i∈I w i λ i = s for shares {λ i } of secret s, where

D. RELEVANCE SCORE FUNCTION
We consider using a widely used statistical metric to implement the ranking function. Generally, we think that the more frequently the query keyword arises in the file, the more relevant it is to the file. Actually not. Because the importance of distinct keywords varies in the file collection. Some very basic keywords can not convey the meaning of the file correctly, but appear frequently in the document. Compared with these keywords, We should give more weight to keywords that can correctly express the meaning of the documents. The most basic common keywords should be given the least weight. Here we adopt the Term Frequency-Inverse Document Frequency technique to measure the relationship between keywords and files, where Term Frequency(TF) means the frequency of a query keyword arises in the file and the Inverse Document Frequency(IDF) can be computed by dividing the number of file collections by the number of files matching the certain keyword. When gaining the TF and IDF values, we multiply these two values to obtain the TF×IDF value of the specified keyword, called the relevance score. The larger the TF×IDF value of a certain keyword, the more relevant it is to the document.
In the proposed scheme, we choose a general calculation method for correlation scores and redefine TF and IDF. The IDF value of any keyword w τ in file F is computed as |F | , where f τ, represents the number of the keyword w τ in F , and |F | is a normalization factor gained by Then, the relevance score between an interested keyword w τ and the file F is defined as Suppose ψ 1 , ψ 2 are two random encodings of the group Z p . And ψ 1 , ψ 2 are injective functions which map from Z p to where G 1 represents a generic bilinear group. Let g indicates ψ 1 (1), and g η means ψ 1 (η), e(g, g) indicates ψ 2 (1) and e(g, g) η means ψ 2 (η).

F. COMPLEXITY ASSUMPTION
The definition of the decisional q-parallel bilinear Diffie-Hellman exponent problem (q-DBDHE) is given first below. Suppose g is a generator of group G 1 . Given There is no polynomial time algorithm A which can effectively distinguish tuples e(g, g) a q+1 s and element Z with a non-negligible advantage 1 , where Z is selected in G T randomly. In short, A's advantage Adv A in solving the q-DBDHE problem is negligilble, which can be denoted as follows.

Definition 1(q-DBDHE Assumption):
We say if the advantage of the probabilistic polynomial time algorithm in solving the q-DBDHE problem can be negligible, the q-DBDHE assumption holds.

IV. SYSTEM AND SECURITY MODEL
A. NOTATIONS

B. SYSTEM MODEL
As illustrated in Fig.1, there exists six types of entities in the proposed scheme: a trusted authority, a cloud server provider, a encryption-server provider, a decryption-server provider, data owners, data users.
• Trusted Authority (TA): The TA is fully trusted by other entities. And it is responsible for generating the system public parameters and master keys. Besides, the TA is responsible for revoking users' attributes based on his dynamic roles.
• Data Owner (DO): The DO is responsible for local encryption and uploading the ciphertext data to the VOLUME 8, 2020 cloud. In the meantime, the DO uses the text processing system to obtain the key dictionary and generate the keyword index array, which are uploaded to the cloud together with ciphertext.
• Cloud Server Provider (CSP): The CSP stores encrypted data and performs data search. Once the CSP receives a query trapdoor for any specified keyword, it will test whether the query trapdoor and the keyword index match. The CSP is also responsible for a large number of calculation tasks in the revocation phase, such as ciphertext update tasks.
• Encryption-Server Provider (E-SP): The E-SP has powerful computing ability. It uses the system public keys and the access policy specified by the DO to perform initial encryption to generate the intermediate ciphertext, and returns it to the DO. In addition, it is also responsible for updating users' delegated sercet key in the revocation phase.
• Data User (DU): The DU performs local decryption with his private key component, and finally obtains the top-k files he/she is interested in.

C. FORMAL DEFINITION
The formal definition of outsourcing attribute-based ranked searchable encryption with revocation is shown below. Setup(1 λ , U) → (PK , MSK ): Inputting a security parameter 1 λ and an attribute universe U, TA generates the system public keys PK and the master keys MSK .
KeyGen(MSK , S) → SK : TA executes the algorithm for gaining the user's secret key. It inputs MSK and S to generates a private key SK = {SK s , SK u }, where SK s will be sent to D-SP, and SK u will be sent to DU.
File encryption(PK , CT , F) → CT : The encryption algorithm is executed by DO. Inputting PK , the intermediate ciphertext CT and the file sets F = {F 1 , F 2 , . . . , F d }, DO outputs the ciphertext CT , where d represents the number of files.
Index generation(PK , ) → I : The algorithm is performed by DO. Inputting PK and the keyword dictionary , DO outputs the indexes I and sends it to CSP along with the ciphertext.
Trapdoor generation(w, SK u ) → TD w : The algorithm is performed by DU. Inputting an interested keyword w and the private key component SK u , DU obtains a query trapdoor TD w .
Search(I , TD w ) → 1õr ⊥: Inputing the index I and the query trapdoor TD w , the server calls the search algorithm.
If it is matched, this algorithm outputs 1 and sends the corresponding index array to D-SP, otherwise ⊥.
Outsource decryption(CT ABE , SK s ) → E: The outsource decryption algorithm is performed by D-SP. Inputting the public parameters PK , private key component SK s associated with an attribute set S and CT ABE related to the access policy (A, ρ), it generates the partially decrypted ciphertext E if and only if S satisfies (A, ρ).
Decryption(E, SK u ) → F : Inputting the partially decrypted ciphertext E and the private key component SK u , DO performs local decryption to get the file F he/she is interested in.
The algorithm is excuted by TA. It takes PK , MSK and the canceled attribute ϑ as input and outputs updated attribute version key AVK ϑ and updated attribute public key APK ϑ . Then TA sends AVK ϑ and RL ϑ to D-SP and CSP to perform updates of sercet key and ciphertext.
SKUpdate(SK s , AVK ϑ ) → (SK s ) : D-SP performs the algorithm to update the delegate sercet key component SK s . It takes SK s and updated attribute version key AVK ϑ as input and generates an updated sercet key component SK s .
CTUpdate(CT ABE , AVK ϑ ) → CT ABE : CSP executes the ciphertext update algorithm. Inputting CT ABE related to the canceled attribute ϑ and updated attribute version key AVK ϑ , it generates an updated ciphertext CT ABE .

D. SECURITY MODEL
Assumed that in the system, the CSP, E-SP and D-SP are honest but curious. To be brief, they will strictly follow the user's instructions, but they will do everything possible to get more information. So we consider two types of adversaries in the proposed scheme.
• Type-I adversary is defined as the curious user colluding with D-SP and CSP. They are allowed to interrogate the private key components SK s and the private keys SK of dishonest users. The main purpose of such adversaries is to obtain some interested information from ciphertext that do not belong to them.
• Type-II adversary is defined as the curious user colluding with E-SP, which can obtain encryption parameters information and ciphertext for malicious users.
The proposed outsourcing attribute-based ranked searchable encryption with attribute revocation is indistinguishability against selective ciphertext-policy and chosen plaintext attack(IND-sCP-CPA) secure and indistinguishability against the selective chosen keyword attack (IND-CKA) secure. To describe the security, we define the following interactive games between the challenger B and an adversary A.
The security game for the type-I adversary is denoted below.
Init. The adversary A announces a challenging access policy A * , and passes it to the challenger B.
Setup. B first runs the Setup algorithm to outputs the public keys PK and the master keys MSK , then transmits PK to A.
Phase I. A can make queries to the following oracles: • O SK (S): A can make any private key queries about attribute S which can not satisfy the specified access policy A * .
• O UK (ϑ ): A can make any queries for updated key related to the canceled attribute ϑ . Challenge. A chooses two messages R 1 , R 2 randomly which are equal length. B picks r ∈ {0, 1} randomly, then performs encryption algorithm for R r under A * to obtain the challenge ciphertext CT * . Finally, B return CT * to A.
Phase II. A makes queries similar to phase I, B answers like phase I.
Guess. A returns a guess r and wins this game if r = r. The A's advantage of breaking the game is set as The game for the type-II adversary is similar to the above game.
Definition 2: If the advantage of winning the above game for any polynomial time adversary is negligible, then outsourcing attributed-based ranked searchable encryption with revocation scheme is IND-sCP-CPA secure.
For the security of the keyword index, we define the indistinguishability against the selective chosen keyword attack (IND-CKA) game below.
Setup. B performs the Setup algorithm to gain PK , then transmits it to A.
Phase I. A can inquire the O SK u and O TD w for the secret key and the trapdoor in polynomial time.
• O SK u (PK , MSK ): Inputting PK and MSK , B generates the secret key SK u and transmits to A.
• O TD w (PK , w * , SK u ): A submits an interested keyword w * for trapdoor query. B uses PK , SK u and w * to generate trapdoor and sends it to A. Challenge. A picks two equal-size keywords w 0 , w 1 with the restriction that w 0 and w 1 were not previously used for trapdoor queries. B picks r ∈ {0, 1}, then gets the challenge index I w r and sends it to A.
Phase II. A makes queries similar to phase I, but the only limitation is w = w 0 , w 1 , and B answers like phase I.

Guess.
A gives a guess r and wins this game if r = r. The A's advantage of winning the above game is set as Definition 3: If the advantage of winning the above game for any polynomial time adversary is negligible, then outsourcing attributed-based ranked searchable encryption with revocation scheme is IND-CKA secure.

V. CONCRETE CONSTRUCTION
Aiming to reduce the computational overhead of the clients, the encryption server and the decryption server were introduced in the system. In addition, to solve the resource consumption caused by single-keyword search, we rank the search results according to the TF×IDF principle and only return the top-k files. The concrete structure of the proposed scheme is shown as follows:

A. SYSTEM INITIALIZATION
Setup (1 λ , U) → (PK , MSK ): Inputting a security parameter 1 λ and the universe set of attribute U = {ϑ 1 , . . . , ϑ n }, TA chooses two cyclic groups G 1 and G T with the same prime order p. Then it defines a bilinear map e: G 1 × G 1 → G T and four collusion reistant hash functions: 1} n H 2 where M denotes the plaintext space, n H 0 and n H 2 are the output-sizes of hash functions H 0 and H 2 , respectively. TA randomly selects numbers a, x,x ∈ Z p and computes Y = e(g, g) x , B 0 = g a , B 1 = gx where g is the generator of G 1 . Then it randomly selects v ϑ ∈ Z p for each ϑ ∈ U as the attribute version key, that is AVK ϑ = v ϑ . And it computes the attribute public key APK ϑ = g v ϑ . Finally the algorithm generates the following system public keys PK and master keys MSK .
KeyGen (MSK , S) → SK : Taking MSK and an attribute set S = {ϑ 1 , . . . , ϑ y } as input, the algorithm generates the private key SK . Firstly, TA chooses two numbers x 1 , x 2 ∈ Z p randomly such that x = x 1 + x 2 mod p. Then it selects t, u ∈ Z p and sets the secret key as SK = {SK s , SK u }, where SK s = {K s,1 = g x 2 /u , K s,2 = g t/u , 1 = g x 1 g at , K u,2 = u, K = g ax } Then SK s will be sent to D-SP and SK u to the user.

C. ENCRYPTION
Outsource Encryption (PK , (A, ρ)) → CT : The algorithm inputs PK and the access policy (A, ρ), where ρ is a function which maps rows of the matrix A to attributes. It selects r i ∈ Z p randomly for each i ∈ {1, . . . , l} and sets [1,l] .

Finally the algorithm generates the intermediate ciphertext
File Encryption (PK , CT , F) → CT : The algorithm consists of the following two steps: (A.) DO inputs PK , CT and a message R, where R is selected randomly from plaintext space M. And DO chooses a vectorr = {s, s 2 , . . . , s n } ∈ Z p where s is the shared secret value. A i stands for the ith row of A and it calculates λ i = A i ·r for ∀i ∈ {1, . . . , l}. The algorithm calculates:  where C 0 = R · e(g, g) xs , The algorithm computes R 0 = H 0 (R) as well as symmetric key $ sym = H 1 (R). Subsequently, it encrypts the file sets F = {F 1 , F 2 , . . . , F d } through a symmetric encryption algorithm such as CT sym (F ) = ENC sym ($ sym , F ) and calculates the verification key VK = H 2 (R 0 ||CT sym (F )).
Finally, it gets the ciphertext document CT = {CT ABE , CT sym (F )} and the verification key VK .

D. INDEX GENERATION
IndexGen (PK , ) → I : Do sends the file set F = {F 1 , F 2 , . . . , F d } to the text processing system(TPS). Then TPS scans and analyzes the files to generate a keyword dictionary , and calculates the relevant scores of keywords and files. Finally, the relevant score table(RST) is returned to the user in the following form.
Then DO builds secure indexes table by following these steps: 1. Setup: 1). For any keyword w τ ∈ , build a list F(w τ ), and set 2). For every file identifier id(F ) ∈ F(w τ ), compute the relevance score of the file F to the keyword w τ .

Constructe the query arrays:
As shown in Fig.3, for every keyword w τ ∈ , let max be the maximum size of each array A i .
where id(F τ ) is the th file identifier in F(w τ ). TF − IDF τ,τ is the relevant score of the keyword w τ and the file F τ . r τ, denotes a λ-length random string. ζ ∈ {0, 1} represents whether id(F τ ) is the last file in F(w τ ).
• when o < max, let the rest max − o entries of A i to be random values in order to ensure the same size as other items of A i . Next DO encrypts the arrays through a symmetric encryption algorithm such as AES.

E. TRAPDOOR GENERATION
TrapGen (w, SK u ) → TD w : DU inputs SK u and a query keyword w which he/she is interested in to generate a query trapdoor TD w . DU selects α ∈ Z p randomly and calculates: The algorithm outputs the trapdoor as TD w = {T 1 , T 2 , T 3 }. If the above formula holds, it outputs 1 and sends the array to D-SP. D-SP decrypts the array using the AES algorithm, retrieves the top-k matching documents based on the TF×IDF rule and then sends the file identifier to CSP. Finally CSP sends the search results to D-SP for partial decryption.

G. DECRYPTION
Outsource Decryption (CT , SK s ) → E: The algorithm inputs the system public parameters PK , private key component SK s associated with the attribute set S and CT ABE related to access policy (A, ρ). When S can not satisfies (A, ρ), it outputs ⊥ and terminates request. Otherwise D-SP performs the algorithm as shown below.
The algorithm defines I ⊂ {1, 2, . . . , l} as I = {i : ρ(i) ∈ S}, and then selects a tuple of constants {w i ∈ Z p } i∈I such that i∈Iw i λ i = s for shares {λ i } of any secrets s. It computes: Finally, D-SP obtains the partially decrypted ciphertext E and returns it to DU.
Decryption (E, SK u ) → F : Once receiving E from D-SP, DU inputs the secret key component SK u . And the random message R is computed as: Then DU computes R 0 = H 0 (R) and checks whether H 2 (R 0 ||CT sym (F )) = VK is established. If the equation holds, DU computes $ sym = H 1 (R 0 ). Finally, DU obtains the top-k files F = DEC sym ($ sym , CT sym ). Otherwise the algorithm outputs ⊥.

H. ATTRIBUTE REVOCATION
If any users' attribute ϑ is revoked in the system, TA first puts those identities whose attribute is canceled into RL ϑ . And then it executes the following algorithm.
1) UkeyGen(PK , MSK , ϑ ) → (AVK ϑ , APK ϑ ): Inputting PK , MSK as well as the canceled attribute ϑ , TA chooses a new value v ϑ ∈ Z p (v ϑ = v ϑ ) randomly for the canceled attribute ϑ , and calculates the updated attribute version key as In addition, TA computes the updated attribute public key as Finally, TA declares the updated attribute public key APK ϑ . Then, TA passes the updated attribute version key AVK ϑ and the attribute revocation list RL ϑ to D-SP and CSP to perform the update tasks of delegated key components and ciphertext. 2) SKUpdate(SK s , AVK ϑ ) → (SK s ) : Inputting the the delegate secret key component SK s and the updated attribute version key AVK ϑ , D-SP updates the new key SK s as K s,1 = K s,1 = g x 2 /u , K s,2 = K s,2 = g t/u , Inputting CT ABE associated with the canceled attribute ϑ and AVK ϑ , CSP updates CT ABE as It's worth noting that: (1) Only the attribute-related delegate secret key components SK s need to be updated, and the user's private key components SK u remain unchanged, greatly reducing the burden on the client.
(2) CSP stores the updated attribute version key AVK ϑ . When the user accesses the ciphertext, CSP first checks whether any attribute embedded in the ciphertext is revoked. If attribute revocation occurs, CSP performs ciphertext update algorithm. And the private key that has not been updated can no longer decrypt the ciphertext.

VI. SECURITY PROOF A. CORRECTNESS
The correctness of outsourcing decryption is shown below.
The correctness of decryption is shown below.

B. SECURITY PROOF
The first thing we should pay attention to is to prevent illegal users from colluding with D-SP. However, since each user's master key is randomly divided, this collusion attack can be avoided. Specifically, suppose two users are requesting their private keys. TA randomly selects two sets of numbers (x 1 , x 2 ) and (x 3 , x 4 ), provided that x 1 + x 2 = x mod p and x 3 + x 4 = x mod p holds. Where x 1 and x 3 are used to generate private key components SK s 1 and SK s 2 , x 2 and x 4 are used to generate local private key components SK u 1 and SK u 2 . The ciphertext can only be decrypted correctly if SK s 1 and SK u 1 match. Therefore, even if a group of curious users collude with D-SP to obtain all SK s , they cannot forge valid private keys to successfully perform decryption outside their scope. VOLUME 8, 2020 Next, we prove that the security of the scheme can resist Type-II adversary.
Theorem 1: Assume that the q-DBDHE assumption holds in G 1 and G T , then the advantage of all polynomial time adversaries who can win the IND-sCP-CPA game is negligible.
proof: assume the advatage of distinguishing a valid ciphertext from a random element for a polynomial time There is a simulator B who can break the q-DBDHE assumption with non-negligible advantage 1 /2.
Init: B is granted a q-DBDHE challenge instance ( , Z ). A announces a challenging access policy (A * , ρ * ), and transmits it to B.
Setup: The simulator B selects a number x in Z p randomly, then sets e(g, g) x = e(g a , g a q ) · e(g, g) x to make x = x + a q+1 implicitly. To simulate elements APK ϑ , the simulator B selects a random value v ϑ for each attribute ϑ and sets APK ϑ = g v ϑ .If ρ * (i) = ϑ establishes, B randomly selects z ϑ ∈ Z p , and processes as: where J means the set of indices i. If J = ∅ then B sets H (ϑ) = g z ϑ , and the value of H (ϑ) is distributed at random owing to the value g z ϑ . Finally B gives partial public parameters to A. Phase I: B builds a list of tuples (S, SK ) which is represented as L SK and empty initially. A can make any inqueries as follows: • O SK (S) : Assume that A gives private key inquiries about attribute set S which can not match (A * , ρ * ), B performs the following operations. If A has previously asked for S, B retrieves SK from the list L SK and sends it to A; Otherwise, B selects a vector ϒ = (ϒ 1 , . . . , ϒ N * ) ∈ Z p with ϒ 1 = −1 and A * i · ϒ = 0 for every i where ρ(i) * ∈ S. B selects x 1 , x 2 ∈ Z p randomly such that x 1 + x 2 = x mod p, and sets x 1 = x 1 + a q+1 , x 2 = x 2 . Then B calculates K s,1 as: B picks an element σ ∈ Z p randomly, then denotes t implicitly as Then B can calculate K s,2 as: We can see that g at contains the following forms g a q+1 from the definition of t, which can be ignored with the unknown terms in g x 1 when calculating K u,1 . B computes K u,1 as: . However, B can't simulate K ϑ for the attribute ϑ ∈ S used in A * since K ϑ includes terms with the form g a q+1 /b i . But B has A * · ϒ = 0 so that all terms of the form g a q+1 /b i are canceled. B sets K ϑ as: puts the secret key SK into list L SK and sends it to A.
• O UK (ϑ ) : A sends a canceled attribute ϑ to make the updated attribute version key query. B selects a new random number v ϑ ∈ Z p for the canceled attribute ϑ , and sets the updated attribute version key AVK ϑ = v ϑ /v ϑ , then returns it to A. Challenge: A selects two equal-length message R 0 , R 1 to B. Then B picks r ∈ {0, 1} randomly, and sets C * 0 below.
Since the component C * i includes terms g a j s , how to simulate C * i for B is difficult. To overcome the difficulty, B selects y 2 , . . . , y n * ∈ Z p randomly, then distributes s through the following vector v = s, sa + y 2 , sa 2 + y 3 , . . . , sa n * −1 + y n * ∈ Z n * p Let Q i be the set for all ι = i which satisfies ρ * (i) = ρ * (ι) for i ∈ [1, l]. B also picks a series of random numbers r 1 , . . . , r l ∈ Z p . B sets D * i and C * i by setting r i = −r i − sb i implicitly as:   Phase II: A makes queries similar to phase I, and B answers like phase I.
Guess: A gives a guess r . If r = r, B will output γ = 1 to indicate that Z is random element in group G T . Otherwise, B will output γ = 0 showing that Z = e(g, g) a q+1 s . If Z = e(g, g) a q+1 s , it shows that A will win the game with a non-negligible 1 by definition above. And B's advantage of solving the q-DBDHE problem is Adv B = 1/2 + 1 . Otherwise Adv B = 1/2. Hence, the B's advantage of solving the q-DBDHE problem is computed as follows.
Theorem 2: The proposed scheme is secure against selectively chosen keyword attack based on the given one-way hash function H .
Proof: In the interactive game below, A aims to distinguish A from B. Selecting a random value f ∈ Z p , the advantage of A in distinguishing g f from g a(ξ τ +π) g ξ τ H (w 0 ) is the same as that of differentiating between g f and g a(ξ τ +π) g ξ τ H (w 1 ) . For brevity, assume that A can distinguish g f from g a(ξ τ +π) . Then we define an secure interactive game between A and B below.
Setup. B selects a,x ∈ Z p randomly, then returns public keys PK = (g, g a , gx) to A. And B owns MSK = {x}.
Phase I. A can inquire the O SK u and O TD w for the secret key and query trapdoor in polynomial time.
• O SK u (PK , MSK ): B calculates K = g ax , then transmits K to A.
Phase II. A makes queries similar to phase I with the restriction w = w 0 , w 1 , and B answers like phase I.
If A obtains e(g, g) h a(ξ τ +π) with the term g h returned by the query, then A can distinguish g a(ξ τ +π) from g f . But we also need to prove that the A's advantage of obtaining e(g, g) h a(ξ τ +π ) with the term g h is negligible in the game.
Firstly, we think about that how to obtain e(g, g) h a(ξ τ +π) from g h . Since only the itemxξ τ contains the ξ τ , the item h must includex to obtain e(g, g) h a(ξ τ +π) . A will try to build e(g, g) h xa(ξ τ +π) based on h = h x. But A also needs to obtain h xaπ with the terms π and ax. Since only B owns the master keyx, A cannot get e(g, g) h xa(ξ τ +π) anyway.
Finally, we can see that A can not distinguish g a(ξ τ +π) from g f . So A cannot distinguish between g a(ξ τ +π) g ξ τ H (w 0 ) and g a(ξ τ +π) g ξ τ H (w 1 ) . That is to say, A cannot break the proposed scheme with a non-negligible advantage.

VII. PERFORMANCE ANALYSIS A. FUNCTIONAL COMPARISON
The proposed scheme has the following functions: keyword search, result ranking, decryption verification, attribute revocation. Table 2 providers the functional comparison between our scheme and other existing schemes, [23], [26], [36].

B. THEORETICAL ANALYSIS
In this subsection, we compared our scheme with some existing schemes. E means the modular exponentiation operation in group G 1 and E T represents the modular exponentiation operation in G T . P means the pairing operation, H means hash operation. Moreover, for comparing the storage overhead of different schemes, we use |G 1 |, |G T |, |Z P | to represent the size of elements in G 1 , G T , Z p respectively. And |PK |, |MSK |, |SK |, |CT |, |TD| mean the size of system public keys, master secret key, private key, ciphertext and trapdoor, respectively. The comparison of different schemes can be seen in Table 3 and Table 4.

C. EXPERIMENTAL ANALYSIS
It is important to note that we separately illustrate the overhead generated by the index generation process. In the scheme, DO establishes keyword indexes, which consists of two parts: index table and many query arrays. The calculation complexity of index table is O(m), where m means the number of keywords. Each query array stores all the file identifiers containing corresponding keywords, so the calculation cost of generating each array is different. The computational complexity of generating all arrays is O( ), where = m τ =1 |F(w τ )| represents the number of all files which are associated with the certain keyword w τ . Hence, the time cost in the index generation phase depends on the size of the dictionary and the file list F(w τ ) containing the corresponding keywords.
Besides, we compared the computational overhead with other existing schemes in the phases of system initialization, private key generation, trap generation and search. Figure 4 (a) indicates the computational cost of our scheme in setup phase is lower than that of the ABKS-UR scheme. From Figure 4 (b), the computing overhead of the scheme increases linearly with the increase of the number of attributes in KenGen phase, but the computational overhead of the scheme is lower under the same number of attributes. From figure 4(c) and 4(d), the computational overhead of the VKSE and ABKS-UR schemes increases linearly with the number of attributes in TrapdoorGen stage and search stage respectively, but the computational overhead of our scheme remains at a low level.
As for the comparison of storage cost of the scheme, we command |G| = 1024 bit and |Z p | = 160 bit in the actual simulation environment. The comparison results are shown in Figure 5.
we can see that the storage overhead of our scheme is lower than that of the ABKS-UR scheme in the generation of system public parameters, master keys and user secret keys from Figure 5(a), (b), and (c). Besides, Figure 5 (d) shows that in the ABKS-UR scheme, the storage overhead of the trapdoor increases linearly with the number of user attributes, while the storage overhead of the trapdoor remains at a low level in our scheme.

VIII. CONCLUSION
Although searchable encryption technology allows users to retrieve ciphertext without decryption, not all query results are within interest for DU. Therefore, this paper proposes a ranked keyword search scheme that can be based on the keyword of the query. Ranking the relevant scores of keywords and files and returning the top-k files, which greatly saves network bandwidth and resource consumption, and improves the user's retrieval experience. The proposed scheme also supports attribute revocation. In the end, we show the proposed scheme achieves IND-sCP-CPA security and IND-CKA security.
In order to further improve the accuracy of the search, we consider that in the future we will extend the ranking function to a multi-keyword system with the same fuatures as the proposed scheme. However, when the user submits an interested keyword sets, they can not guarantee that each file contains these keywords. Therefore, how to apply ranking function to multi-keyword search is a difficulty, and our next stage will focus on this.