Efficient SSE With Forward ID-Privacy and Authentication in the Multi-Data-Owner Settings

Based on Sun et al.’s multi-client symmetric searchable encryption (SSE) scheme (at ESORICS 2016), and combining Zhao’s identity-concealed authenticated encryption (CCS 2016), a new SSE scheme with multi-data-owner functionalities is proposed. By setting two key generation centers, our scheme first implements multi-data-owner SSE. In particular, compared with Sun et al.’s scheme, the new scheme not only meets the same security requirements stated by them, but also further strengthens the securities of the same category relevant scheme by providing identity-concealment, authentication of data user to server and confidentiality of search token. The identity-concealment aims to provide privacy protection (Forward ID-Privacy) for data users by hiding their identity information, while the authentication is to resist the camouflage attack by applying certificate-based mechanism to our scheme. In particular, the confidentiality of the search token provides replay-attack-resistant by encrypting the plaintext search token generated by data user. While in other works, the adversary can employ the previously generated plaintext search tokens to force the server to perform the same search queries. Furthermore, by efficiency analysis, our scheme reaches almost the same level of efficiency as Sun et al.’s scheme.


I. INTRODUCTION
As people generate more and more data every day, cloud storage technology has been widely practiced and reveals its promising future. However, when the cloud server undertakes outsourcing tasks of the data, the privacy and security problem face enormous challenges. One intuitive solution is The associate editor coordinating the review of this manuscript and approving it for publication was Sedat Akleylek . uploading the encrypted data to the cloud server, then decrypt the entire file when a data user wants to use the data. This kind of operations led to huge computational power costs in the data user side, especially when the size of file is huge. Searchable encryption(SE) is a cryptosystem that can migrate the time-consuming search task to the server side and support keyword search on the ciphertexts directly.
According to the key used in a system, searchable encryption(SE) can be classified into two categories: symmetric VOLUME 9, 2021 This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/ searchable encryption (SSE) [23], [29] [1], [34] [2], [3] and asymmetric searchable encryption (ASE) [4]- [6] In SSE, the key used in creating encrypted database is the same as or highly related with that used to decrypt the encrypted database, while in ASE, the key used in creating encrypted database is the public key and the key used to decrypt is the private key and the two key is different. Since SSE is characterized by low computational overhead, simple algorithm and high speed, this article will mainly focus on the SSE cryptosystem.
According to the number of data users or owners that use or own databases, symmetric searchable encryption is typically divided into 4 flavours: single-data-owner/single-data-user (sDO-sDU), single-data-owner/multi-data-user (sDO-mDU), multi-data-owner/single-data-user (mDO-sDU), multi-dataowner/multi-data-user (mDO-mDU). The sDO-sDU SSE is the simplest where only one data owner is allowed to use a specified encryption algorithm to convert a plaintext database into a ciphertext database and outsource its storage and service. After that only allowing one data user (including the data owner) to make queries on the database. More concretely, the data user first gets a search key on an authorized keyword set decided by the data owner, and then generates a search token (which is then sent to the server) using this key and an authorized keyword subset. After receiving the token, the server sent the ciphertext set to the data user who then decrypts the result set to get the final query document indexes using his search key. In the mDO-mDU setting, a database can be divided into multiple sub-databases and the search query on these databases can be executed by multiple data users. Thanks to the powerful capabilities of the mDO-mDU SSE, in the rest of this article, we concentrate on researching it.

A. MOTIVATIONS
In [34], Sun et al. proposed an efficient non-interactive sDO-mDU SSE, which improved the scheme in [29] by enhancing the communication efficiency between the data owner and the data user. Concretely, the scheme in [29] requires the data user to make interaction with the data owner every time once she prepares a search on an encrypted database, while in Sun et al.' scheme [34], no matter how many times a data user executes a query, he only interacts with the owner once, as long as the query keywords are in the authorized keyword set. Nevertheless, despite the advantages in [34], there are still many other problems not resolved in their article. For example, their scheme only works in the sDO-sDU setting, and how to design a scheme working in the mDO-mDU settings is still an open problem. Especially, in their scheme, since the identity information of data user is transmitted publicly to the server and no authentication from the data user to the server is provided when the data user is interacting with the server, the above scheme is easily subject to disguised attacks. In addition, since the search token generated by the data user is transmitted in a clear text and authentication is also not provided to the server, their scheme is vulnerable to the replay search attack on the plaintext token. Based on the above analysis, we put forward the following questions.

Motivation 1:
Can we propose an SSE scheme that supports the mDO-mDU setting and shares the same efficiency advantage as Sun et al's scheme?
The authentication protocol with identity-concealment is an efficient cryptographic tool for achieving secure end-to-end communication over the Internet. Implementing authentication and identity-concealment in searchable encryption is important for enhancing the security and privacy. However, existing searchable encryption schemes, especially the SSE scheme in [34], does not provide authentication, data protection and identity-concealment for client-sever communication, which can lead to serious security risks. For example, an adversary can pretend to be a client to initiate a large number of search queries to the server so as to result in the disguised attack and DoS attack. Moreover, if no protection is provided to search token, an adversary can use a previously generated one to launch a large-scale search query against the server thereby lead to a replay search attack. In addition, without identity concealment, the adversary can obtain more sensitive information about the data user through the identity information (through human flesh search, etc.), which will seriously compromise the privacy of the data user. Intuitively, we should use standard protocols like TLS1.3 or Google's QUIC to solve above problems. However, these protocols provide too many functions we do not need, which will deteriorate the efficiency problem of SSE and make our scheme less practical. In the public-key setting, authenticated encryption refers to signcryption [8], which is functionally equivalent to one-pass authenticated key-exchange [9], [10] [11] and has applications in asymmetrical key-exchange settings [12]. Zheng's signcrytion [8], [14] [15] and one-pass HMQV (HOMQV) [12], [13] are potential solutions for our problems, but they did not consider the ID concealment issue and their efficiency is still not satisfactory. Identity is a fundamental privacy concern and implementing identity-confidentiality is now mandated by a list of prominent standards such as TLS1.3 [17], EMV [18], QUIC [19], and the 5G telecommunication standard [20] by 3GPP, etc, and is enforced by General Data Protection Regulation (GDPR) of EU.
Higncryption is a cryptographic primitive proposed by Zhao [37], which implements identity-concealment, authentication and confidentiality simultaneously in a system. Compare to signcryption and HOMQV, higncryption has similar efficiency, but achieves higher security (such as CMIM, UKS, KCI, CNM, PFS, x-disclosure, etc. The reader can refer to [37] for details.) and provides more functionalities. Moreover, higncryption fits perfectly to TLS1.3 [17] and QUIC [19]. Based on these, we propose the following question.

Motivation 2:
Can we propose a symmetric searchable encryption that also simultaneously supports identity-concealment, authentication and confidentiality?

B. CONTRIBUTIONS
Concretely, our contributions are listed below.
• Multi-data-owner functionality:Building on the work presented in [34], we propose an SSE scheme which supports any boolean queries and mDO-mDU setting by introducing multi-data-owner functionality. We achieve this by firstly setting up a data owner key generation center (DWK-KGC) to generate an encrypted database public/private key pair for each data owner. Then we use each data owner's key pair to convert his plaintext database into a ciphertext database.
• Identity-concealment, authentication and confidentiality of search token: In particular, compared with Sun's scheme [34], our scheme not only meets the same security requirements stated by them, but also further strengthens the securities of the same category relevant scheme by providing identity-concealment, authentication of data user to server and confidentiality of search token. We implement them by modifying and integrating Zhao's higncryption scheme [37] into our scheme. The identity-concealment aims to provide privacy protection for data users by hiding their identity information, while the authentication is to resist the camouflage attack by applying certificate-based mechanism to our scheme. The confidentiality of the search token provides replayattack-resistant by encrypting the plaintext search token. While in other similar works, the adversary can employ the previously generated plaintext search tokens to force the server to perform the same search queries many times.
• Forward ID-privacy: Our scheme provides forward ID-privacy properties, which means one client's identity-privacy (i.e., ID-privacy) preserves even when his long-term private key is revealed. Please note that neither signcryption nor HOMQV can achieve ID concealment and forward ID-privacy.
• Efficiency analysis: Our scheme achieves the comparable performance with Sun's scheme except that the computation cost for each data user in our scheme is 2.5 exponent operations more than that of theirs. In addition, like Zhao's higncryption scheme [37], our scheme can also directly apply to 0-RTT protocol, showing that our scheme is compatible well with the QUIC and OPTLS-based SSE scheme.

C. RELATED WORKS
In 2000, Song et al. [33] gave an scheme for searching on ciphertext for the first time, but because the scheme needs to scan the full document, the algorithm is less efficient and vulnerable to statistical attacks. To improve search efficiency and security, Goh [26] proposed the concept of secure indexing and IND-CKA security model for SE. In the process of querying, the server only searches the index without directly operating on the ciphertext, which greatly improves the efficiency. In 2006, a strong security notion IND-CKA2 is proposed by Curtmola et al. [25]. Later, Kurosawa and Ohtaki [30] proposed the IND-CKA2 security notion in the UC framework. In order to overcome the accuracy rate problem caused by Bloom filter, Chang and Mitzenmacher [24] introduced the concept of key dictionary and proposed the first deterministic SE scheme.
Since the SE with single-keyword query is non-adaptable with the multi-keyword search in real life application. In 2004, Golle et al. [27] gave two SSE schemes for connection keyword search with linear time complexity. To improve search efficiency, the first SSE scheme that supports boolean queries and logarithmic time complexity was proposed by Cash et al. [23]. In 2003, Cash et al. [23] first proposed multi-client (i.e., multi-data-user) SSE with linear communication overhead in the number of queries between data user and data owner. In 2016, Sun et al. [34] proposed a non-interactive mDO-sDU SSE that supports boolean queries, which improved the scheme in [29] to obtain constant communication overhead and is independent of the number of queries. In 2017, Rompay et al. [31] proposed an mDO-sDU SSE scheme that can resist leakage attacks.
In 2007, using Attribute-Base Encryption(ABE), Identitybased encryption(IBE), Boneh and Waters [21] proposed a new SE scheme for privacy search. In 2014, Sun et al. [35] and Shi et al. [32] presented an Attribute-Base SE schemes that supports withdraw and keyword combination queries under certain conditions, respectively. In 2015, Zheng et al. [28] gave two searchable ABE schemes. These two schemes not only realized keyword retrieval but also provided verifiability of query results. In 2018, using fine-grained access control properties of ABE, Wan and Deng [36] gave an SE scheme with multi-keyword searchable encryption that has fine-grained access control functionalities. In 2020, Leilei Du et al. [38] proposed a dynamic multi-client searchable symmetric encryption with support for boolean queries which allowed multiple clients to perform boolean queries over an encrypted database. In 2019, Zarezadeh et al. [39] put forward a multi-keyword ranked searchable encryption scheme with access control for cloud storage which solved the problems in index construction, trapdoor generation and search procedures existed in [45] by proposing a new multi-keyword ranked search encryption scheme. In 2019, Kermanshahi et al. [40] gave a multi-client cloud-based symmetric searchable encryption that removed the need for a constant online presence of the data owner to provide services to the users with supporting the property of the user key-exposure-resilience. In 2019, Cong Zuo et al. [41] proposed a dynamic searchable symmetric encryption with forward and stronger backward privacy with one roundtrip. In 2019, Jin Li et al. [43] put forward an SSE scheme in a new forward search privacy security model, in which, the search operation over freshly search document does not leak sensitive information to the past queried. In 2020, Jing Chen et al. [44] proposed a dynamic searchable symmetric encryption with forward security and low storage overhead. However, all the above schemes are implemented in the single-data-owner setting, and do not provide identity-concealment, authentication of data user to server and confidentiality of search token.

D. ORGANIZATION
This article is structured as follows: Section II gives some important notations and definitions, Section III, IV and V present our scheme and provide a security analysis. Section VI gives a performance Analysis. Section VII shows some concluding remarks and possible future directions.

II. PRELIMINARY
In this section, we list a series of notations, assumptions, terminologies and cryptographic components that will be used in our construction. : {1, · · · , T }; sterm: the least frequent term among the queried terms/keywords in a search query; xterm: other queried terms in a search query except the sterm. For X = g x , Y = g y with respect to the basis g, we define dh(X , Y ) = g xy .

B. GROUP DESCRIPTION
We use G to denote group generator, which acts as follows: where G 1 is an abelian group of order N , G 1 =< g > is a unique subgroup of G 1 with generator g of prime order q . G denotes a random group generator, which acts as below: takes as input a security parameter λ, and generates (G 2 , g, n, p, q) ← G(1 λ ), where G 2 is a cyclic group with order n, n = pq; p, q be two security primes of λ-bit, and g is a random generator of G 2 of order n.

C. CRYPTOGRAPHIC ASSUMPTIONS
Definition 1 (Decisional Diffie-Hellman (DDH) Assumption [16]): Let G 2 is a cyclic group of prime order p, the DDH problem is to distinguish a DDH tuple (g, g a , g b , g ab ) from a non-DDH tuple (g, g a , g b , g z ), where g ← $ G 2 , a, b, c ← $ Z p . Formally, the advantage that a PPT adversary A distinguish the DDH problem is defined as: . The DDH assumption holds if the advantage of the adversary A is negligible in λ.
Definition 2 (Strong RSA Assumption [42]): Let n = pq, where p and q are two λ-bit security prime numbers and p = 2p + 1, q = 2q + 1 for some primes p , q . Sample g ← $ Z * n . For any PPT adversary A, we define its advantage Adv sRSA A,n (λ) = Pr[A(n, g) = (z, e) : z e = g mod n]. The strong RSA holds for any PPT adversary A, if its advantage is negligible in λ.
Definition 3 (GapDiffie-Hellman(GDH)Assumption [22]): Define G 1 to be a multiplicative group with prime order p . For any PPT adversary A, we define the advantage function as Adv GDH A,G 1 (λ) = Pr[A O DDH (·,·,·) (g , g a , g b ) = g ab ], with the DDH oracle O DDH (·, ·, ·) is defined as: it takes as input input (U , V , Z ) ∈ G 3 1 and outputs 1 if and only if Z = dh(U , V ). For instance, the oracle outputs 1 when (U , V , Z ) = (g a , g b , g ab ), and 0 when (U , V , Z ) = (g a , g b , g ab ). The GDH assumption holds for any above adversary A with access to a DDH oracle, if its advantage Adv GDH A,G 1 (λ) is negligible in λ.

D. PSEUDORANDOM FUNCTIONS
Define F : {0, 1} λ ×X → Y to be a function with the domain {0, 1} λ ×X and range Y. F is a pseudorandom function (PRF) if for any probabilistic polynomial-time (PPT) adversaries A, the advantage specified as Adv

E. PARTICULAR MAP FROM KEYWORDS TO Primes[26]
Here we review a deterministic, memory-efficient mapping family H from a keyword set W to a 2λ-bit prime integer set P 2λ . In [34], the keyword-to-prime mapping H is designed based on a collision-resistance hash (CRH) functionH and a pseudorandom function F λ . Here, to save space, we omit the detailed implementation of H (refer to [34]) and directly apply it into our scheme. In particular, for convenience, we still use the keyword presentation instead of its prime presentation in our scheme, but by default, we assume that the keywords used in our scheme have been mapped to the corresponding primes.
F. AUTHENTICATED ENCRYPTION WITH ASSOCIATED DATA (AEAD) [29] We review the AEAD scheme and its security definition from [37]. We hereby stress that all properties of the scheme follow that of the scheme in [37].
Roughly speaking, an AEAD scheme provides both the authentication and confidentiality in a scheme by encrypting a message M and a (public) header information H (or called associated data). Note that the H may vary as the context changes in which it works. More specifically, an AEAD scheme contains the following three PPT algorithms AEAD = (AEAD.Gen, AEAD.Enc, AEAD.Dec).
• Key Generation algorithm AEAD.Gen(1 λ ): This algorithm (probabilistic) takes as input a security parameter 1 λ and outputs an AEAD symmetric key K AEAD , where K AEAD ← $ K AEAD and K AEAD is the AEAD key space.
• Encryption algorithm AEAD.Enc(K AEAD , H , M ): This algorithm (may be probabilistic) takes as input an AEAD key K AEAD , an public header H , and a plaintext M .
It outputs a ciphertext c AE or ⊥. Note that for convenience, in the text, we sometimes denote the encryption algorithm as AEAD.Enc K AEAD (H , M ) with K AEAD as the subscript (applied in Figure 1). The case is the same for the decryption algorithm as follows.
• Decryption algorithm AEAD.Dec(K AEAD , H , c AE ): This algorithm (deterministic) takes as input an AEAD key K AEAD , an public header H and a ciphertext c AE . It finally outputs a message M or ⊥. Security. The security game for the scheme AEAD played between a PPT adversary A and a challenger C is shown in Table 1. The advantage function of A is defined as Adv ae-sec The AEAD scheme is ae-secure, if the adversary A's advantage is negligible in λ.
G. ATTRIBUTE-BASED ENCRYPTION (ABE) [7] An ABE scheme [7] is typically classified into two categories: the CP-ABE and KP-ABE. The CP-ABE means that the ciphertext is related to an access control policy determined by an attribute set and each decryption key is related to the attribute set; while the KP-ABE is defined oppositely. We hereby only review the CP-ABE definition. Concretely, a CP-ABE contains the following four PPT algorithms: which are defined as follows.
• Setup algorithm ABE.Setup(1 λ ): This algorithm takes as input 1 λ and outputs a key pair (mpk, msk) which denotes the master public key and master secret key.
• Key generation algorithm ABE.KeyGen(msk, S): This algorithm takes as input the master secret key msk and an attribute set S. It outputs a private key sk S associated with the attribute set S.
• Encryption algorithm ABE.Enc(mpk, M , A): This algorithm takes as input the master public key mpk, a message M and an access control policy A. It outputs a ciphertext e.
• Decryption algorithm ABE.Dec(sk S , e): This algorithm takes as input a private key sk S and a ciphertext c, it outputs a message M or ⊥.

III. DEFINITION OF IDENTITY-CONCEALED MULTI-DATA-OWNER SSE WITH AUTHENTICATION
In the following, we give the definition of identity-concealed SSE with authentication in the multi-data owner settings (icSSE for short). Our icSSE scheme contains eight PPT algorithms = (Setup, LKeyGen, DWKeyGen, EDBGen, SKeyGen, ETokenGen, Search, Retrieve).
• Setup(1 λ ): This algorithm is the responsibility of the data owner. It takes as input 1 λ , and outputs a long-term key generation public parameter par L and an encrypted database identifier generation public parameter par E .
• LKeyGen(par L , id U ): This algorithm is the responsibility of a long-term key generation center LK-KGC.
It takes as input a long-term key generation public parameter par L and a user identity id U ∈ {0, 1} * . It outputs a key pair (pk U , sk U ) which denotes the user U 's long-term public key and long private key, respectively.
• DWKeyGen(1 λ , id DW ): This algorithm is the responsibility of a data owner key generation center DWK-KGC. It takes as input a security parameter 1 λ and a data owner identity id DW . It outputs an encrypted database public/secret key pair (EPK DW , ESK DW ) for data owner id DW .
• EDBGen(par E , EPK DW , ESK DW , DB, A): This algorithm is the responsibility of a data owner id DW . It takes as input an encrypted database identifier generation public parameter par E , a data owner's encrypted database public key EPK DW and encrypted database secret key ESK DW , a plaintext database DB, an access control structure A. The algorithm encrypts the database DB to a ciphertext database EDB DW and sends EDB DW to the server.
• SKeyGen(EPK DW , ESK DW , S, w, id U ): This algorithm is the responsibility of a data owner DW . It takes as input a data owner's encrypted database public key EPK DW and an encrypted database secret key ESK DW , an attribute set S, an authorized keyword set w and a data user identity id U ∈ {0, 1} * . It produces a search private key SK U = (SK MS,U , SK S,U ) for the data user id U , where SK U consists of a master search private key SK MS,U and a partial search private key SK S,U .
• ETokenGen(SK U , sk U , pid U , pid V , Q, id EDB DW ): This algorithm is the responsibility of a data user id U . It takes as input the data user's search private key SK U , long-term private key sk U and public identity information pid U = (id U , pk U = U = g u , cert U ), and the server public identity information pid V = (id V , pk V = V = g v , cert V ), a query Q and the identifier id EDB DW of an encrypted database EDB DW . It outputs an encrypted search token est. Note that the token est does not contain the public identity information pid U and pid V , where pid V denotes the public identity information of the server.
This algorithm is the responsibility of the server. It takes as input the server's long-term private key sk V and public identity information pid V , a data user id U 's public identity information pid U , an encrypted search token est and the current full encrypted database EDB. Note that the encrypted database EDB contains all the partial encrypted database EDB DW generated by a data owner DW . It finally generates the matching results and sends R to the data user id U .
• Retrieve(SK U , R): This algorithm is the responsibility of the data user id U . It takes as input a search private key SK U and a search result set R. It produces the document indexes matching the search keywords w given by the data user id U . VOLUME 9, 2021 Compared with the primitive by Sun et al. [34] (short for Sun), our prototype can be used in both multi-data-user and multi-data-owner environments. The multiple-data-owner means that multiple data owners are allowed exist simultaneously in an SSE system. In addition, this primitive can also prevent data users from performing any search query on an unauthorized keywords. In particular, it also captures the authentication of a data user to the server aiming to prevent the adversary from launching a DoS attacks (i.e., denial of service attacks). Besides, both the identity-concealment and confidentiality of search token are also implemented in our primitive aiming to resist impersonation and token replay attacks respectively.

A. SECURITY DEFINITION
We give the security definition and security analysis of icSSE primitive by modifying the security definition in [23]. In particular, comparing with the security model in previous work [23], we add authentication and identity-concealment security requirements which further strengthens the security of the proposed scheme. More specifically, for the proof of the L-simulation security, we adopt a method similar [23] to simulate the transcript of the search process. While for the proof of authentication and identity-concealment security, we directly coprrespond them to the outsider unforgeability and insider confidentiality of Zhao's higncryption scheme in [37], respectively.

Let
= (Setup, LKeyGen, DWKeyGen, EDBGen, SKeyGen, ETokenGen, Search, Retrieve) be an identityconcealed symmetric SSE scheme with authentication in the multi-data-owner settings, EDB be an encrypted database and Sim be a simulator. Let EPK DW and ESK DW be the encrypted database public/secret key of a data owner id DW , SK U be the search private key for a data user id U . The simulation security with respect to the server id V is defined via the following two probabilistic games played among a PPT adversary A, a simulator Sim and a challenger C: • Real game: In this game, A first selects a database DB, then C performs Setup(1 λ ), LKeyGen(par L , id U ), DWKeyGen(1 λ , id DW ) and EDBGen(par E , EPK DW , ESK DW , DB, A) to generate a ciphertext database EDB DW and sends it to A. A chooses an authorized keyword set w for a data user id U and makes multiple queries q, where the keywords with respect to q are assumed always falls over the authorized keyword set w. Next, the challenger C continues to run the rest algorithms (i.e., SKeyGen, ETokenGen, Search and Retrieve) to obtain the transcript. It then sends the transcript and data user output to A. We stress that in this game A may get partial search private key SK S,U generated by the algorithm SKeyGen. Finally, the challenger outputs that A outputs. For simplicity, the advantage function of A in the real game is defined as Real A (λ).
• Ideal game: This game first sets an empty list q and a counter i = 0. A picks a database DB DW associated with a data owner DW , and the game runs Sim(L(DB)) and returns the encrypted database EDB DW . Next the game records the i-th query as q[i], and runs Sim(L(DB, q)) and outputs the generated transcript to A. Note that the simulation here includes the simulation of the partial search private key SK S,U for some data user id U . A returns a bit b ∈ {0, 1} at the end of the game. For simplicity, the advantage of A in the ideal game is denoted as Ideal A,Sim (λ).

Definition 4:
The scheme is said to be L-simulation secure (SS) if for any PPT adversary A there exists a PPT simulator Sim such that the following advantage is negligi- The SS security of the identity-concealed SSE with authentication in the multi-data-owner settings against adversarial server is to efficiently perform search on the encrypted database while revealing little information about private data. Following with [23] and [34], the SS security of the icSSE primitive and the corresponding leakage function is defined as follows.
Let q = (s, x) denote a query list, where s denotes the sterm component of q and x denotes the xterm component of ) denotes the i-th query. Taking as input DB and q, the leaking information of the leakage function L are listed as follows: W i means the total number of keywords in the database DB. • RP is the result pattern, namely, the common items of sterm and xterm in the same query.
• IP is the conditional intersection pattern such that In fact, the authentication of an icSSE scheme corresponds to the outer unforgeability of Zhao's higncryption scheme. Informally, the goal of an authentication adversary A aut is to fabricate a valid ciphertext generated by an uncorrupted honest data user id U * for the uncorrupted server id V * . Towards this goal, the adversary A aut may make some queries to oracles HO, UHO, EXO and Corrupt. Finally, A aut returns (pid V * , C * ) as its forgery, where pid V * is required honest, while H * is contained in clear text in C * . The advantage of A aut in the authentication game is denoted by Adv AUT A aut , if the following conditions hold.
• A aut has not queried Corrupt(pid U * ) or Corrupt(pid V * ). But A aut may query EXO(C * ) to get the randomness used in creating C * .
• C * was not allowed to be the value that A aut got by querying the oracle HO(pid U * , pid V * , H * , M * ). Definition 5: An identity-concealed multi-data-owner symmetric searchable encryption with authentication (icSSE) meets authentication if for all PPT adversary A aut , the function value Adv AUT ,A aut (λ) is negligible in λ. The purpose of the identity-concealment is to protect the privacy of data user identity. The confidentiality of search token aims to prevent replay search attacks. These properties exactly correspond to the insider confidentiality of Zhao's higncryption scheme. In other words, the goal of the adversary A con in the identity-concealment and confidentiality is to break the private identity information of the challenge data user and the confidentiality of the challenge search token encrypted to an uncorrupted honest server, though the sender is allowed to expose the intermediate randomness used for creating the ciphertexts. Formally, the adversary breaks the identity-concealment and confidentiality by the following experiment.
• Query 1: The adversary A con may make queries to the oracles HO, UHO, EXO and Corrupt.
• Challenge: The adversary A con submits a search token pair (st 0 , st 1 ), a challenge public header H * , and two identity information pairs (pid U * 0 , pid V * ) and (pid U * 1 , pid V * ) where pid U * 0 , pid U * 1 and pid V * are honest. It then submits them to the challenger. The challenger C picks a bit b ← $ {0, 1}, and generates a cipheretext ). • Query 2: A con continues the same query as in Query 1, but with the exception that it is not allowed to query UHO(pid V * , C * ) or EXO(C * ) or Corrupt(pid V * ), since these queries will cause the adversary A con to trivially win the experiment. In addition, this security allows A con to make Corrupt(pid U * 0 ) and Corrupt(pid U * 1 ) queries.
• Guess: Finally, A con returns a guess b of the challenge bit b. The experiment outputs We define the advantage of a PPT adversary A con as Adv Ic-Con ,A con (λ) = |Pr[b = b] − 1/2|. Definition 6: An icSSE scheme has identity-concealment and confidentiality security, if for any PPT adversary A con , the adversary's advantage Adv Ic-Con ,A con (λ) defined above is negligible in λ.

IV. CONSTRUCTION
We give a concrete construction of identity-concealed SSE with authentication in the multi-data-owner settings. First we list some basic cipher suites used in constructing this scheme.
• AEAD = (AEAD.Gen, AEAD.Enc, AEAD.Dec) is a secure authentication encryption with associated data. We assume K AEAD is the key space of the AEAD scheme where the algorithm AEAD.Gen generates the secret key K AEAD by sampling K AEAD ← $ K AEAD .
• F and F p are pseudorandom functions. • Setup(1 λ ): On input 1 λ , this algorithm generates a long-term key generation public parameter par L = (G 1 , N , G 1 , g , q ) ← G (1 λ ) used in producing long-term public/private key which specifies the underlying group over which GDH assumption holds (as defined in Section II-B and Definition 3), and an encrypted database identifier generation public parameter par E = H, where H is a compression function. The algorithm finally outputs par L and par E .
• LKeyGen(par L , id U ): This algorithm is run by LK-KGC. It takes as input a long-term key generation public parameter par L . For each honest user id U ∈ {0, 1} * , this algorithm samples u ← $ Z * q , sets pk U = U = g u and sk U = u and outputs the key pair (pk U , sk U ). The realtion between a user identity id U and its public-key U is certified by the cert A issued by CA. In addition, the CA also performs a checking pk U ∈ G 1 \1 G 1 .
• DWKeyGen(1 λ , id DW ): This algorithm is run by DWK-KGC. It takes as input 1 λ and a data owner identity id DW . VOLUME 9, 2021 It generates (G 2 , g, n, p, q) ← $ G(1 λ ), where G is a random group generator, G 2 is a multiplicative cyclic group, and g ← $ G 2 is a random generator of order n and n = pq, p and q are two large primes. Then it checks whether (p, q) has been in table Tab, if it does, DWK-KGC reruns G(1 λ ) until (p, q) is not in Tab and stores (p, q) into Tab. Next, it selects K X , K I , K Z , K E ← $ K, g 1 , g 2 , g 3 ← $ G 2 , and computes (mpk, msk) ← $ ABE.Setup(1 λ ). The encrypted database secret key and public key for the data owner DW are set as ESK DW ← (K X , K I , K Z , K E , p, q, g 1 , g 2 , g 3 , msk) and EPK DW = (n, mpk) respectively.
• EDBGen(par E , EPK DW , ESK DW , DB, A) : This algorithm is run by a data owner id DW . It inputs a database identifier generation parameter par E = H, an encrypted database public key EPK DW = (n, mpk), secret key ESK DW = (K X , K I , K Z , K E , p, q, g 1 , g 2 , g 3 , msk), a database DB, and an access control structure A. It returns an encrypted database EDB DW = (TSet DW , XSet DW , id EDB DW , L DW ), where id EDB DW denotes the identifier of the encrypted database EDB DW . The detailed description is demonstrated in algorithm 1. for ind ∈ DB[w] do 7: xind ← F p (K I , ind); 8: z ← F p (K Z , g 1/w 2 mod n||c); 9: l ← F(stag w , c); L DW ← L DW ∪ {l}; 10: e ← ABE.Enc(mpk, ind, A); y ← xind · z −1 //where A refers to the access control structure.

11:
TSet DW [l] = (e, y) 12: xtag ← g F p (K X ,g 1/w 3 mod n)·xind ; 13: XSet DW ← XSet ∪ {xtag} 14: c ← c + 1 15: This algorithm is performed by a data owner id DW . It inputs an encrypted database public key EPK DW = (n, mpk) and secret key ESK DW = (K X , K I , K Z , K E , p, q, g 1 , g 2 , g 3 , msk), a set of keywords w, a data owner identity id DW , a data user identity id U and an encrypted database identifier id DB DW (assume that once a data owner generates an encrypted database, it immediately records the corresponding identifier). Assuming that the data user id U may run a search over the authorized keyword set w = {w 1 , · · · , w N }.
The data owner id DW first computes sk (i) w = (g 1/ N j=1 w j i mod n) for i = {1, 2, 3} and an attribute key sk S ← ABE.KeyGen(msk, S), where S ∈ U is the attribute set of authorized data users and U is the attribute universe. Next, the data owner id DW sends the search private key SK U = (SK MS,U , SK S,U ) to the data user id U , where SK MS,U = (K E , K X , K Z , sk w , id EDB DW ) and SK S,U = sk S respectively denotes the master and partial search private key for the data user id U , and sk w = (sk (1) w , sk (2) w , sk (3) w ). In particular, note that the identifier id EDB DW of the encrypted database EDB DW is also included in the master search private key SK MS,U so that the data user id U easily locates the encrypted database with the help of id EDB DW .
• ETokenGen(SK U , sk U , pid U , pid V , w, id EDB DW ): This algorithm inputs a search private key SK U = (K E , K X , K Z , sk w , id EDB DW , sk S ), a long-term private key sk U = u, public identity information pid U = (id U , U , cert U ) and pid V = (id V , V , cert V ), a set of authorized keywords w, and an encrypted database identifier id EDB DW . When a data user id U intends to carry out a queryw ⊆ w, he first determines the s-termss ⊆w. Assuming thatw = (w 1 , · · · , w d ) and w 1 is the chosen s-term, then the detailed encrypted search token (i.e., est = (H , X , c AE )) code for this query refers to Algorithm 2.
• Search(sk V , pid V , pid U , est, EDB): This algorithm inputs the long-term private key sk V , a public identity information pid V of server id V , the identity information pid U of a data user U , an encrypted search token est = (H , X , c AE ) and the current full encrypted database EDB = where DW denotes the set of data owners registered on the cloud server. With the long-term private key sk V and the public identity information pid V and pid U , the algorithm first performs an authentication process, and then recovers the search token st and the database identifier id EDB DW from the encrypted search token est. Next, with the identifier id EDB DW , the encrypted database EDB DW is screened. Then, the server uses the search token st = (stag w 1 , xtoken) to carry out a single keyword search, and gets an encrypted document index set R that match the search criteria. The detailed search procedure is described in Algorithm 3.
• Retrieve(SK U , R): This algorithm inputs a search private key SK U and an encrypted document index set R. It first uses the partial private key sk S (contained in the secret key SK U ) to decrypt each element in R to get the authorized part of the document indexes. Concretely, for each e ∈ R, compute ind = ABE.Dec(sk S , e) if S ∈ U matches A associated with the ciphertext e that encrypts the index ind matching the queryw.
Remark 1: Note that in our data model, we assume that each data owner id DW has only one encrypted database mod n) 5: for c = 1, 2, · · · until the server stops do 6: Authenticationphase : 12: cert U , u ← $ Z * q , U = g u // Assume that these values have been precomputed. 13: // where u is the data user id U 's long-term private key and U corresponds to the long-term public key; cert U and cert V are respectively the data user id U 's and the server id V 's certificates generated by the CA by signing on the public keys U and V with CA's signing key. 14: X = UX d , PS = V u+xd 15: K AEAD = KDF(PS, X ||cert V ) 16: M ← st||id EDB DW //where id EDB DW denotes the the database identifier associated with the query w. 17: c AE ← AEAD.Enc K AEAD (H , cert U ||X ||M , ts) //where H denotes the associated data of the encryption algorithm for AEAD and ts denotes the current time. 18: est ← (H , X , c AE ) 19: return est EDB DW , and the encrypted database EDB DW for the data owner is indexed by a unique and public identifier id EDB DW which makes our solution easily applied to a multi-database environment or a multi-data-owner scenario.

V. SECURITY PROOF
We first prove the security against attacks with respect to server, which aims to break the simulation security of the SSE scheme, and then give the security against attacks associated with an adversarial data user where it aims to compute a valid private key. Finally, we give the authentication, identityconcealment, and confidentiality of the scheme against the where v is the server's private key, V corresponds to its public key, and cert V is its certificate generated by the CA (certificate authority) by signing on the public key V with CA's signing key. Also assume that these values have been recomputed beforehand. 3 6: if ts − ts > δ reject and abort // ts is the current time and δ is a constant 9: if cert U is valid and X = UX d then accept 10: Otherwise, reject and abort SearchPhase : 11: use id EDB DW to search the target encrypted database EDB DW from the full encrypted database EDB. 12: Parse EDB DW = (TSet DW , XSet DW , id EDB DW , L DW ) 13: (stag w 1 , xtoken [1], xtoken [2], · · · ) ← st 14: c ← 1; l ← F(stag w 1 , c) 15: while l ∈ L DW do 16 impersonation attacks of data user to server, the privacy of data user identity information, and the replay search attacks for previously generated search token.
Theorem 1: Assuming that the DDH problem holds in G 2 . Let F and F p be secure, and ABE is CPA secure, then is L-semantically secure, where L follows the definition in Section III-A2.
Proof: The theorem is proved via a series of games from G 0 to G 11 and three simulated games: simulated TSet, XSet and transcript t. We stress that in the first 12 games, i.e., G 0 -G 11 , the adversary provides an unencrypted database DB and a search query set q at the beginning of the game. Note that G 0 is equal to the real game (assuming no false positives), except a slightly modification but with the exactly identical distribution as in the real settings. G 11 have the same distribution as the simulation game so that it can be easily modeled by a simulator Sim. We show that the simulator is designed correctly and satisfies the theorem by proving the distribution indistinguishability of any two adjacent games. For clarity, the key changes between any two adjacent games are described in TABLE 2. The detailed proof is as below.
G 0 : This game is almost the same as the real game but with the only difference is that we make some minor changes to make the analysis easier to deal with, the detailed description is demonstrated in Algorithm 4. With (1 λ , par L , par E , EDB, DB DW , w, s, x, id U , id DW ) as input, we compute the encrypted database components TSet and XSet by performing Initialize algorithm, which shares the EDBGen code in Algorithms 1 with the only difference is that we compute XSet as a single function XSetSetup to demonstrate changes between adjacent games. Then generate the transcript t by running the Initialize function and transGen function. Concretely, the Initialize function first employs par L to compute two long-term public/private key pairs (pk U , sk U ) and (pk V , sk V ) for data user id U and server id V which are used for implementing authentication from id U to id V . To construct a transcript array t, for t ∈ [T ] (where T is the total number of queries), it sets t[t] to be the returned value by the function transGen on inputs (DB DW , EDB DW , SK U , sk U , sk V , pid U , pid V , id EDB DW , s[t], x[t, ·], query_stag), which generates a transcript that is identical to the real settings but with the difference is that it calculates ResInds in another way: it directly locates the answers for the query from the plaintext database rather than decrypting the ciphertexts Res returned by the server, i.e., it screens out the document identifiers in both sets 3]], · · · ) may be alternatively defined for t ∈ [T ].
Beyond that, we also made other changes: the order of the document indexes for each keyword w are saved in a list WPerms [w]. For the sake of keeping consistent with the real game, the order is chosen at random and uniformly from a random permutation family.
Conditioned on no false positives, this game is equally distributed with the real experiment Real A (λ). So the following holds G 1 : Same as G 0 but with the exception that some changes were made in G 1 line of  (G 1 , N , G 1 , g , q ) ←  16: for c ∈ T w do 17: l ← F(stag, c) 18: xind ← F p (K I , id σ [c] ); 21: z ← F p (K Z , g 1/w 2 mod n||c) 22: y ← xind · z −1

23:
TSet DW [l] = (e, y) 24: end for 25: end for 26: (pk U , sk U ) ← LKeyGen(par L , id U ) 27: (pk V , sk V ) ← LKeyGen(par L , id V ) 28: (PK DW , MK DW ) ← EDBKeyGen(par, MK, id DW ) 29: XSet DW ← XSetSetup(n, K X , K I , DB) 30: .],query_stag) 38: end for 39: return (EDB DW , t) 40:end function 41:function XSetSetup(n, K X , K I , DB DW ) 43: for w ∈ W and ind ∈ DB DW [w] do 44: xind ← F p (K I , ind) 45: xtag ← g F p (K X ,g 1 end for 75: end for 76: st t ← (query_stag, xtoken) Authenticationphase : return ((H , X , c AE ), Res, ResInds) 86:end function F(K E , ·) can be chosen from the range of the PRF F instead of calculating it on its inputs since its output is only executed on the same input once. For F p (K X , ·), F p (K I , ·) and F p (K Z , ·), they are replaced with random functions f X , f I and f Z respectively. By a standard hybrid argument, we can see that there exists two efficient adversaries A 1,1 and A 1,2 such that This game is the same as G 2 except that we encrypt 0 λ instead of document indexes, which is demonstrated in G 3 line of TABLE 2. By the CPA security of the ABE scheme and a standard hybrid argument, we can observe that there exists an efficient adversary B 2 satisfying the following inequality The reduction is easily got from the CPA security poof of the ABE scheme. To save space, we hereby omit the proof details.
G 4 : Same as G 3 but with the exception is that the XSet and xtoken functions are defined in a different way which are demonstrated in the G 4 line of TABLE 2. Roughly speaking, we recompute each possible values in set XSet as H(ind i , w) = g f X (g 1/w 3 mod n).f I (ind i ) for each index ind i and keyword w ∈ W and place them in the array H. In addition, for xtoken not matching w are saved in another array Y .
In G 4 , XSetSetup assigns the values in H to the elements in the set XSet. Specifically, for a specified w ∈ W and ind ∈ DB DW [w], we set the result H(ind, w) as g f X (g 1/w 3 mod n).f I (ind) during the INITIALIZE procedure. It is easy to see that this presentation is the same as that in game G 3 . Moreover, note that the outputs of TransGen have the same value as game G 3 if both games have the same values in xtoken. Hence, we only pay attention to how to generate xtoken.
In game G 3 , we compute xtoken as in the real game.
To prove this conclusion, we can construct a reduction in which an adversary A could break the indistinguishability of G 5 and G 6 , then a reduction algorithm A DDH can be built using A to break the DDH assumptions. Roughly speaking, we set the values of X array in game G 5 as g a , and xind as b of DDH tuple. Therefore, H and Y in G 5 have the value of the form g ab , while in G 6 , they are randomly and uniformly. Thus, the indistinguishability between the two games is easy to reduce to the DDH assumption.
G 7 : Same as G 6 but with the exception that we only include the elements of H in XSetSetup and the difference is demonstrated in the G 7 line of  [α]] and w = x t [α] are true, which is precisely seized by the first ''if'' statement in the TransGen function in game G 8 . Whereas, it maybe have another possibility that TransGen accesses the same element twice. Observe that this case only appears when TransGen is invoked for two distinct queries since one running of the function only visits a single element of H. For simplicity, we set the current t as an input argument of this function. In more details, for an element of index (ind, w) that will be visited two times, it requires that both conditions ind ∈ DB[s t ] ∩ DB[s t ] and w = x t [α] ∈ x t are satisfied simultaneously for some t = t, which is precisely captured by the second ''if'' statement. When both do not hold, we set the xtoken as a random value from its range. By a simple argument, we have Pr G 9 : Almost the same as G 8 but with the difference is that the Search algorithm is substituted with the algorithm SearchRes, which is shown in the G 9 line of TABLE 2. In particular, the function SearchRes does not need any private key of the server, which can be defined by taking (EDB, query_stag, xtoken, id EDB DW ) as input and running the codes in the lines 11-21 in Algorithm 3. It is easy to see that the two functions have the same outputs in both games G 9 and G 8 . Thus we have Pr[G 9 ] = Pr[G 8 ].
G 10 : This game is the same as G 9 except that the secret key of the AEAD scheme K AEAD ← $ K AEAD is selected randomly and uniformly from its key space K AEAD (see G 10 line of TABLE 2), while in game G 10 , K AEAD is computed as K AEAD ← KDF(PS, X ||cert V ). In particular, since the KDF function can be seen as a random oracle, so its output is random and uniform. By a simple argument, the following equations hold G 11 : Almost the same as G 10 with the only difference is that the AEAD ciphertext c AE is substituted with the encryption of a constant message 0 l AEAD , where l AEAD denotes the message length of the scheme AEAD. We show the differences in the G 11 line of TABLE 2. By the security of the scheme AEAD and a simple reduction, we conclude that the current generated ciphertext is indistinguishable from the encryption of the message cert U ||X ||M . More specifically, we assume a PPT adversary A can distinguish the two games, then another PPT adversary A AEAD can be constructed to break the AEAD security of the scheme AEAD via employing the former. Particularly, except the AEAD ciphertext are generated from the challenger of the adversary A AEAD , the rest values can be produced by the adversary itself. Thus, we have the following inequality hold Simulator. The simulator is first constructed by taking a leakage L leak (DB, s, x) = (DW , N ,s, SP, RP, SRP, IP, XT) as input and a simulated encrypted database EDB and transcript t as output. Then we prove that the simulator generates the identical distribution as G 8 . By the indistinguishability between any two adjacent games, the simulator is proved structurally correct according to the requirements in the theorem. The simulator starts by generating a restricted equality patternx of x as in [34]. For completeness, we describe it again in details. Concretely, in the simulation model, we construct the simulated TSet, XSet and transcript t respectively in Algorithms 5.
Given an encrypted database EDB, a restricted equality pattern can be inferred as the server can decide which xterms are equal according to the elements in the set XSet with a overwhelming probability. This leakage can be represented by the IP structure. When there exists a document index ind and two different queries t 1 Note that the elementx[t 2 , β] is defined asx[t 1 , α] if both conditions (t 1 , α) < (t 2 , β) and IP[t 1 , t 2 , α, β] = φ hold. The simulated encrypted database component is constructed as in TSet in Algorithm 5. The main difference between the Game G 11 and simulated TSet code is that game G 11 fills out TSet with w ∈ W , but the simulator fills out only with i ∈s. By the structure ofs, we conclude |s| < |W |. Because N is the number of the elements in the set TSet, the simulator fills out the other N − |s| positions with random entries. In both cases, the keys in TSet are indistinguishable, and each of its corresponding values is the tuple (e, y) consisting of the ABE ciphertext e ← ABE.Enc(mpk, 0 λ , A) and the random value y ← $ G 2 . So it is easy to see that the distributions of TSet in game G 11 and the simulator are indistinguishable.
The simulated XSet is constructed according to Algorithm 5, we prove that its distribution including the set TSet and xtokens is identical to that in game G 11 . It is easy to see that all entries in XSet in both cases are random values with the only difference is that in game G 11 , it is done by traversing every pair of (w ∈ W , ind ∈ DB[w]) and completely producing w∈W DB[w], while in the simulation game, it is processed by keeping track of every element in XSet with a counter j until N elements are added in. Next, we prove that the elements in TSet and xtokens have the same distributions.
To prove the above claim, we will demonstrate how the xtokens are generated. We describe the construction of the simulated transcript t and xotokes in Algorithm 5. First, it is easy to see that the values y and σ in G 11 and the simulated t (see Algorithm 5) have the same distributions since these values are all chosen uniformly and randomly. In addition, in both G 11 and the simulation games, the re-usage of the permutation, σ , is the same, both according to the values that are reused ins.
Furthermore, we show that both G 11 and the simulator use the same H array when generating xtoken. In game G 11 , H is used in the following two cases: first, ind matches a conjunction within the query that uses w conditioned on ∃α with ind ∈ DB[s t ] ∩ x t [α] = w; second, the value is reused in the the subsequent queries. The same operation is done in the simulation mode.
Next, we show that when some elements at the same locations in H are used for multiple times, the process is the same in both G 11 and the simulation algorithm. Concretely, when two tuples satisfy (ind 1 , x t 1 (α)) = (ind 2 , x t 2 (β)) in game G 11 , then there exists two tuples satisfying (ind 1 ,x t 1 (α)) = (ind 2 ,x t 2 (β)) in the simulation algorithm. More formally, we have (ind 1 , x t 1 (α)) = (ind 2 , x t 2 (β)) ⇐⇒ (ind 1 ,x t 1 (α)) = (ind 2 ,x t 2 (β)) Now we show the above equivalent formula. First, by the construction of the tablex, it is easy to see that the equation (ind 1 , x t 1 (α)) = (ind 2 , x t 2 (β)) ⇐ (ind 1 ,x t 1 (α)) = (ind 2 ,x t 2 (β)) holds, so the ⇐ relation holds. For the ⇒ relation, by the previous description, we know that the statement (x t 1  The detailed proof about this Theorem is omitted here. We could guide the reader to the outsider unforgeability part of Theorem 4 in Section 6 in [37]. In the following, we give an overview. Overview. Note that the authentication here includes the unforgeability of a plaintext st for some non-authorized w and the unforgeability of the signcryption ciphertext est (i.e., encrypted search token). In particular, it also includes the authentication from data user to the server. First, for the unforgeability of plaintext search token, assume that a PPT adversary can forge a st for some non-authorized w , then the value (g 1/w j mod n) for j ∈ [3] could be correctly guessed. If so, a PPT adversary A sRSA could be constructed via A to solve the sRSA problem (i.e., strong RSA problem). We omit the detailed reduction here and the reader can refer to [34] for further description.
For the unforgeability of a signcryption ciphertext (i.e., an encrypted search token), we can reduce it to the GDH assumption on the cyclic group G 1 . At the beginning of the reduction, we first assume that there exists an honest data user id U * and server id V * participating in this game, and they could be correctly predicted with probability at least 1/n 2 where n is the total number of users (which contains data owners, data users and server). Then, assume a PPT adversary A could successfully forge a tuple (pid V * , (H ,X , c AE )) and (H ,X , c AE ) denotes the signcryption ciphertext on the plaintext search token st * , public identity information pid U * and id V * . Then using A, an efficient algorithm A GDH could be constructed to break the GDH assumption with the aid of the DDH oracle. For the detailed description about the reduction, the reader can refer to the proof of outsider unforgeability of Theorem 4 in Section 6 in [37].
The authentication of data user to server is proved by combining certificate-based mechanism and the outside unforgeability of signcryption ciphertext. In other words, as long as the certificate generated by the CA is unforgeable and signcryption ciphertext generated by the data user has outside unforgeability security, then our scheme provides the authentication of data user to server. Please refer to [37] for the detailed reduction.
Theorem 3 (Identity-Concealment and Confidentiality): Assuming the GDH in G 1 holds and the AEAD scheme is ae-sec, then the scheme proposed in section IV satisfies identity-concealment (forward ID-privacy) and confidentiality in the RO model.
Proof. Since the proof is similar to that of the insider confidentiality part of Theorem 4 in Section 6 in [37], we ignore the details.
Overview. The proof includes the identity-concealment and the confidentiality of search tokens. According to Theorem 4 in [37], the identity-concealment is implicitly included in the insider confidentiality. Thus, we only prove the insider confidentiality here. The reduction is outlined below. At the beginning, we first choose a random pair (id U * , id V * ) as the challenge identities, where id U * and id V * are used for simulating the challenge data user and server respectively. Then we construct a reduction that reduce the security of the scheme to the GDH assumption. The detailed reduction is omitted here.
Remark 2: In fact, our scheme also achieves adaptive security according to Theorem 3 in Section 5 in [34] under the assumption of the DDH over the cyclic group G 2 and the CPA secure ABE scheme.

VI. PERFORMANCE ANALYSIS
Besides our scheme has all advantages as Sun et al.'s scheme (short for Sun's scheme), our scheme also strengthens the privacy of the data users which additionally provides identityconcealment, authentication of the data users to the server, and confidentiality of the search token besides hiding the exact queried values from the data owners, (see TABLE 3 for the comparison). Furthermore, in our solusion the ABE scheme only encrypts the document index instead of the document identifier and the retrieval key. Fortunately, this difference does not result in a lack of efficiency and on the contrary, our scheme is more efficient at this point. In TABLE 3, we list the comparison results in security among our scheme and those in [23], [29], [34]. Since our scheme is designed based on Sun's scheme [34], in functionality, like their scheme, our scheme also supports boolean queries, non-interaction, multi-data-user and access control, but beyond that, our solution also supports multidata-owner functionality. For the sake of intuition, we give a comparison on the functionalities among our scheme and those in [23], [29] [34] in TABLE 4, Note that in this table, the notations ''N'', ''Y'' and ''−'' mean ''No'', ''Yes'' and ''non-comparability'', respectively.

A. EFFICIENCY ANALYSIS
Note that in our and Sun et al.'s scheme, the storage costs and computational costs incurred by the ABE scheme are also the same. Furthermore, although one Setup algorithm and two KGC algorithms are additionally included in our scheme, luckily, as each output of the three algorithms for each participant appears only once and forever, it does not affect the total communication and computation costs. Due to one time of the storage capacity for each data owner to the server, so, like Sun's scheme, we only consider the communication overhead and the computation cost between the data owner and the data user, and we only focus on the main communication overheads and omit the less contributed part, VOLUME 9, 2021   such as data generated by attribute-based schemes. We also assume that for each conjunctive query executed by a data user, there are m authorized keywords. For more intuitive, we summarize the total communication overheads between the data owner and the data user and their computation costs for each query in TABLE 5.
• Communication overheads: The main communication overheads between the data owner and the data user are generated by SKeyGen. Like Sun's scheme, the size of sk w is 3log|Z * n |, but our scheme has an additional id EDB DW , which is generated by a hash function H. So the total communication overheads of our scheme is 3log|Z * n | + |H|. • computation costs: In Sun's scheme, each data owner needs to compute 3 exponents and an attribute-based secret key, while our scheme requires the same calculation costs as them.
We conclude that the performances in our and Sun's scheme are almost identical except that in our scheme, the computation cost for each data user is 2.5 exponent operations more than that of Sun's scheme. This extra overhead is mainly resulted by the authentication procedure between data user and server, which is not provided in sun's solution. In additon, since in Zhao's higncryption scheme [37], the calculation of hash function output d in authentication phase is |q |/2 bits, it only takes 0.5 exponent operation to compute X . In this way a sender only needs 2.5 exponent operations totally to finish the protocol. In particular, our extra overhead is independent from the number of authorized keywords m, the additional cost does not affect the efficiency of the scheme largely.

VII. CONCLUSION
In this article, we propose a new symmetric searchable encryption (SSE) scheme in the multi-data-user and multidata-owner settings. Compare to Sun et al.'s multi-client SSE scheme proposed at ESORICS 2016, our solution not only supports multi-data-owner functionalities, but also further strengthens the securities by implementing extra securities such as identity-concealment, authentication and confidentiality. The final results suggest that our scheme reaches almost the same level of efficiency as Sun et al.'s scheme. The next work we will do is how to design symmetric searchable encryption schemes that can resist post-quantum attacks.