ABKS-PBM: Attribute-Based Keyword Search With Partial Bilinear Map

As the services offered by cloud computing have gained unprecedented popularity, so have the security concerns around them. Among these, the storage as service model (SaaS) is at the forefront. SaaS frees individuals and enterprises from managing IT infrastructure and data centers so that they can concentrate on their core business. Because of the untrusted, off-premises architecture, users are reluctant to outsource their personal and important data. Encryption before outsourcing addresses some of these issues, but at the same time strips the data of useful operations such as sharing and searching. To address this issue, the combination of keyword-based searchable encryption (KSE) and attribute-based encryption (ABE) leads to attribute-based keyword searching (ABKS). The combined concept is capable of fine-grained search in the multi-owner/multi-user (M/M) setting. However, the costly pairing operations and complex secret sharing mechanism underlying ABE make it unsuitable in practice for resource-limited devices. On top of that, in most existing ABKS schemes the size of the secret key and the number of associated pairing operations grow linearly with the number of attributes. This paper presents a novel ABKS scheme with pairing-free access verification and a constant-size secret key, based on an AND-gate access structure and the ciphertext-policy (CP) framework. The security of the proposed work is reduced to the standard Decisional Diffie-Hellman (DDH) assumption, and the scheme is also collision free and error tolerant. Finally, the performance evaluation and experimental results show that the proposed scheme improves overall efficiency and communication overhead.


I. INTRODUCTION
Nowadays cloud computing provides an attractive computing architecture, enabling on-demand computing allocation and ubiquitous access over the Internet. This computing paradigm relieves individuals and enterprises from establishing their own IT infrastructure and proprietary data centers so that they can focus on their core business. In practice, cloud computing comes in three architectural models: the private cloud, the public cloud, and the hybrid cloud. The public cloud is usually regarded as a better choice for individuals and organizations because of greater capital expenditure savings, flexibility and better customer support. Since, the trusting domain of public cloud storage servers is out of user control premises, and The data owner uploads their encrypted data to the untrusted remote server. One or more data users then submit the search trapdoor corresponding to their intended content to the remote server. As a result, the server performs the search operation over encrypted data on behalf of the data user. Currently there are four KSE architectures: One-to-One (O/O), also called symmetric searchable scheme (SSE); Many-to-One (M/O); One-to-Many (O/M); Many-to-Many (M/M). All of these schemes were intensively researched in [4]-[9]. However, they either rely on a risky third-party server or involve sophisticated key management, which burdens both the data owner and the data user with high computation overhead.
To counter the above-mentioned problems, the combination of keyword-based searchable encryption (KSE) and attribute-based encryption (ABE) [10]-[13] came into being. This combined concept resulted in the attribute-based keyword search (ABKS) technique, which equips the M/M setting with fine-grained search capability. However, when the costly pairing operations and complex secret sharing mechanism underlying attribute-based encryption are combined with fine-grained search, which is itself a computation-intensive task, the complexity increases manyfold. Furthermore, in most existing work the running time of index generation and trapdoor generation scales with the number of attributes. This makes the resulting technique unsuitable for mobile computing devices, especially mobile phones, which have limited resources such as memory and battery life. Yet for most people today, mobile phones are the most essential cloud computing gadget. Therefore, the existing approach to searchable encryption, using the pairing operation in its primitive form, may not be suitable, owing to its complexity and intense computation demand. Our proposed scheme frees end users from this intensive bilinear operation. The resource-rich cloud server requires only two bilinear operations for keyword matching. We term this concept a partial bilinear map in this work; it is the prime contribution of this paper, along with constant-size secret keys. The benefit of these features is twofold: first, they reduce transmission on secure channels, and second, they significantly minimize the computation overhead.

II. RELATED WORK
Here, we give a brief overview of how the traditional ABE has evolved into the attribute based keyword searching (ABKS).

A. ATTRIBUTE-BASED SEARCHABLE ENCRYPTION
Sahai and Waters [14] were the first to introduce ABE for encryption and fine-grained access control. This idea was based on identity-based encryption (IBE), in which a user's email ID or phone number is used as a set of expressive attributes and any user can be identified using these attribute sets. ABE schemes are categorized into two variants: ciphertext-policy (CP-ABE) and key-policy (KP-ABE). In CP-ABE the data owner embeds the access policy inside the ciphertext, and the private key of the end user is attached to the attribute set. Anyone can perform the decryption operation if his/her attributes match the specified access policy.
In KP-ABE, by contrast, private keys are attached to the access control policy, and ciphertexts are attached to the attribute set [15].
The data owner in a searchable encryption (SE) scheme encrypts the keywords and documents before outsourcing them to the cloud service provider. Xiaoding Song et al. [4] were the first to introduce an SE scheme that allows data users to access encrypted data stored on cloud servers. Liu et al. [16] presented a novel scheme to verify the result acquired from the cloud service provider using KP-ABSE; the correctness and integrity of the search result can be verified, and the offline keyword guessing attack can be thwarted. The work in [17] introduced a ciphertext-policy attribute-based searchable encryption (CP-ABSE) scheme to attain access control policy along with user revocation ability, and also to achieve efficient attribute-based searching capability. To enhance efficiency, [18] proposed a new verifiable attribute-based search scheme to overcome the problem of curious cloud servers by verifying the search result, such as whether the server executed the operation faithfully; for access control this scheme was based on an access tree. However, this scheme fails to provide sharing capability for encrypted data. For keyword updating and well-organized data sharing, Liang and Susilo [19] used proxy re-encryption together with an attribute-based keyword scheme; using this integration, anyone can share their encrypted data among those who match the specified access policy.
Another scheme, by Miao et al. [20], has the capability to check the accuracy of search results over encrypted data. The scheme attains an attribute-based priority tree and also fine-grained access control, which can control access on the same data. Furthermore, the scheme prevents the chosen keyword attack (CKA). However, the tree structure used in the scheme is computationally expensive. To support multiple-user and multiple-owner models and improve efficiency, the scheme of Sun et al. [9] runs in linear search along with fine-grained authentication at file level to provide scalability. The data owner has the capability to control most of the important operations of the cloud server; as a result, user revocation is computationally efficient. The scheme prevents the CKA attack, but is not satisfactory against other security attacks. Miao et al. [21] adopted the CP-ABE technique to introduce a sample attribute-based keyword search on hierarchical data. Because the desirable requirements cannot be satisfied by the basic scheme in the cloud, they proposed two improvements to support revocation and multi-keyword search. However, they did not consider any attack models for the proposed scheme. The work in [22] proposed a privacy-preserving scheme using the CP-ABE technique, including a hidden policy; selective security is achieved in the generic bilinear group model, and the scheme is capable of preventing the offline keyword guessing attack. Another scheme, by [23], is based on KP-ABE; it creates constant-size user secret keys and trapdoors. It also performs pairing operations which vary in other schemes and is based on attributes attached with them. It also supports user revocation and delegation.
In [24] the scheme is capable of updating the access tree, termed a dynamic policy, and also creates constant-size secret keys. The author also presents a multi-keyword scheme which has the same features as the proposed scheme and also supports fast search and generates a constant-size trapdoor. Wang et al. [25] presented a scheme that is capable of verifying the searched keyword by integrating a privacy-preserving search technique with a Message Authentication Code (MAC) and a homomorphic technique to obtain verifiability and privacy. The result can be verified without storing it locally to construct the index and query, as they used a bit vector. Data users can encrypt their data, and authentication is then done using the MAC. The encrypted data is then outsourced to a cloud using an authenticated trapdoor, which can perform search operations.
Hence, with the introduction of bilinear pairing, many previously unrealistic problems in the field of cryptography have been solved [26]-[28]. One of the bottlenecks of all contemporary attribute-based keyword searching (ABKS) schemes is that their efficiency depends on the computation speed of bilinear pairing operations. As a result, a large body of research has been directed toward the optimization of these operations [29]-[32]. A more direct way is to replace computation-intensive bilinear pairing operations with lighter and more efficient basic arithmetic operations. In this work, we implement this basic idea with the help of Fermat's principle along with a single multiplicative group.

B. MOTIVATION AND CONTRIBUTION
Existing literature reveals that a large number of contemporary attribute-based keyword searching (ABKS) schemes use an access tree or a linear secret sharing scheme (LSSS) for their access control mechanism. For incorporating the access control policy, the secret sharing scheme is the de facto standard for these schemes, which depend on costly bilinear pairing operations. Furthermore, in their practical realization the number of pairing operations increases linearly with the number of attributes; hence, they always demand intensive computing resources to execute the encryption and decryption algorithms. These frequent pairing operations present a new challenge: how to incorporate wireless resource-constrained devices, especially lightweight sensors and mobile phones, into cloud computing. This motivates us to develop a pairing-free access control mechanism for ABKS. Our contribution is based on Fermat's principle [33]. In this work our contribution can be stated as follows:
1) Our constructed (ABKS-PBM) scheme is free from costly bilinear pairing operations for access control mechanisms. The design still inherits all the expected advantages of the (ABKS) architecture, including fine-grained data access control and security.
2) The proposed scheme reduces the transmission overhead of the secret channel, as the trusted attribute authority (TAA) needs to securely send one constant-size secret key for each user instead of one for each data user (DU) attribute. To our knowledge, aggregation of the secret key into one item is the first of its type in the model of (ABKS) schemes.
3) The proposed scheme also avoids the access tree, the LSSS matrix, and pairing-based construction for extraction of secret keys from the specified set of attributes of the data users.
4) The security proof is given under more preferable security assumptions, namely the Decisional Bilinear Diffie-Hellman assumption (DBDH) instead of the hypothetical random oracle model (ROM).
5) The detailed performance analysis also demonstrates better computational efficiency, especially for resource-constrained devices.

III. PRELIMINARIES
This section presents discussion about the cryptographic assumptions and techniques being utilized in the design of our proposed scheme.

A. BILINEAR MAP
Let $G_1$ and $G_2$ be two multiplicative cyclic groups of identical order p, having generator g. A bilinear map is a map $e : G_1 \times G_2 \to G_T$ with the following three conditions: 1) Bilinear. holds.

B. ACCESS STRUCTURE
Definition 1 (Access Structure): Let U = {att 1 , att 2 , . . . , att n } be the set of attributes. An access structure is a set of When we confine the access structure to the threshold setting, it is termed as threshold access structure.

Definition 2 (Computational Diffie-Hellman Assumption):
It is computationally intractable for a probabilistic polynomial time (PPT) adversary A to compute the value of $g^{ab}$ from a given tuple $(g, g^a, g^b)$, where g is a randomly chosen generator of a cyclic group G of order p and a, b ∈ {0, . . . , p − 1}. The advantage of an adversary A in solving the CDH assumption is given as

Definition 3 (Decisional Bilinear Diffie-Hellman (DBDH) Assumption):
For a PPT adversary A, it is computationally intractable to distinguish between the tuple $(g^a, g^b, g^c, e(g,g)^{abc})$ and the tuple $(g^a, g^b, g^c)$, for a given bilinear map tuple $(G_1, G_2, p, e, g)$, where $G_1$ and $G_2$ are two multiplicative groups of order p and (a, b, c) are three random elements of $Z_p^*$. The advantage of an adversary A in solving the DBDH assumption is given as follows:

Definition 4: For a group $G_p$, let p be a prime number, k be any integer in $Z_p^*$ and φ(p) be the totient function of G; we have $g^{k \times \varphi(p) + 1} \equiv g \pmod{p}$. This is deduced directly from Fermat's little theorem, which can be defined as: for any positive integer a, that is not divisible by p then, We exploit this concept in our proposed ABKS-PBM scheme in the multiplicative group.

IV. SYSTEM MODEL AND SECURITY DEFINITION

A. SYSTEM MODEL
The proposed ABKS-PBM system model is shown in Fig. 1. It comprises four participants: data owner (DO), data user (DU), cloud service provider (CSP) and trusted attribute authority (TAA). The role of the trusted attribute authority is to generate and issue the credentials, public key PK or secret key SK, to interested users. These credentials are sent over an open and a secure communication channel, respectively. Multiple DOs encrypt their data files along with the corresponding keyword set before outsourcing them to the CSP. When multiple DUs want to search over the outsourced data according to some specific trapdoor, they submit it to the CSP. After the CSP checks whether the DU's attributes satisfy the set of attributes chosen by the DO and whether the keyword index matches the trapdoor, it retrieves and sends the encrypted data file to the interested DU. In our threat model, we take the CSP to be a trusted entity but curious about users' personal information. The CSP will honestly run the protocol but attempt to infer additional personal details from the data available to it. Most of the previous work on secure search over encrypted data also employed this assumption. Besides, the DO, DU and TAA are considered to be fully trusted entities.

B. SECURITY MODEL
Similar to basic ABKS, the proposed scheme should satisfy data confidentiality and collision resistance in addition to the privacy of the index keyword and query trapdoor. Thus, the privacy of the DO and DU in terms of their respective data is protected. We formalize the security of ABKS-PBM through the following security game between an adversary A and a challenger C. After challenger C publishes the public parameters, A defines the challenge set of attributes $W^*$. A can repeatedly ask for a number of key-extraction queries k The only restriction is that none of the extracted private keys satisfies the challenge set of attributes $W^*$. A sends two challenge index keywords $w_0$ and $w_1$ to C, which flips a fair binary coin b ∈ {0, 1} and computes the ciphertext $W_b$, which is submitted to A. A can repeatedly ask for a number of key-extractions $k^{A}_{w_{n+1}}, k^{A}_{w_{n+2}}, \ldots$ corresponding to the attribute sets $w_{n+1}, w_{n+2}, \ldots$, and none of them satisfies $W^*$. A submits its guess b′ of b. In this game, we define the advantage of A by Adv is negligible, hence our proposed ABKS-PBM keyword encryption is also secure against the CKA-CPA attack model.
Definition 6: The trapdoor generation algorithm is secure against the Trapdoor Recoverable Attack (TRA) in the eavesdropper attack model. Adversary A queries the challenger C for the corresponding ciphertext. Then A submits two challenge keywords $q_0$ and $q_1$ to C, which have never been submitted earlier. C flips a fair binary coin b ∈ {0, 1}, computes the ciphertext of $q_b$ and sends it to A. A can repeatedly ask C for the ciphertext of any keyword except $q_1$ and $q_0$. Finally, A submits its guess b′ of b. We define the advantage of A by $\mathrm{Adv}^{\mathrm{tra\text{-}evs}}$ is negligible. Hence we say that our proposed trapdoor encryption is secure against the trapdoor recoverable attack in the eavesdropper attack model.
Definition 7: Our proposed scheme ensures that if many unauthorized data users combine their secret keys for the decryption of a ciphertext, they cannot succeed in decryption if none of them can individually succeed in decrypting it in polynomial time T.

V. SYSTEM OVERVIEW AND CONSTRUCTION
Here, we first present system level view of our scheme then give description of each algorithm in detail.

A. SYSTEM OVERVIEW
This section presents an abstraction of our ABKS-PBM scheme as follows:
Definition 8: The proposed scheme construction consists of five polynomial time algorithms as follows:
• Setup (λ) → (PK, MK). This algorithm is invoked by the trusted attribute authority (TAA). It takes as input the security parameter λ and outputs the authority public key PK and master key MK.
• KeyGen (MK, $S_u$) → ($SK_u$). This algorithm is run by the TAA and generates a secret key $SK_u$ for a DU according to an attribute set $S_u$. It takes as input the authority master key MK along with a data user's set of attributes $S_u$ and outputs the data user's secret key $SK_u$.
• EncInd (T, PK, w) → ($I_w$). This algorithm is executed at the data owner side. The algorithm takes as input a keyword w and the TAA public key PK, encrypts w under the chosen set of attributes T and outputs w's ciphertext $I_w$.
• TokenGen ($SK_u$, q) → $T_u(q)$. This algorithm is invoked by a data user. It takes as input the query keyword q and u's secret key $SK_u$ and outputs a trapdoor $T_u(q)$.
• Search (T, $T_u(q)$, CT) → {0, 1}. The cloud server executes this algorithm. It takes the data owner's ciphertext CT and the data user's encrypted index keyword $T_u(q)$. It outputs 1 if u's attribute set $S_u$ satisfies the chosen set of attributes T and $T_u.q = CT.I_w$ simultaneously; otherwise it outputs 0.

B. CONSTRUCTION
This section presents the working mechanism of each algorithm of our proposed ABKS-PBM scheme.

1) SETUP PHASE
This phase is implemented in the system setup algorithm, which is run by the TAA. It creates the running environment for the ABKS-PBM scheme. It takes a security parameter λ and a set of attributes $U = 1, 2, \ldots, n \in Z^*$ as input. It defines a symmetric bilinear group G of order p, which is a k-bit prime, with generator g, and $H : \{0,1\}^* \to Z$ as a one-way hash function. It then randomly chooses $(\alpha, b, y, t_1, t_2, \ldots, t_n) \in (Z)^{n+3}$, and finally the authority sets PK and MK as follows $T_2 = g^{t_2}, \ldots, T_n = g^{t_n}\}$ $MSK = \{\alpha, b, y, t_1, t_2, \ldots, t_n\}$ for all $i \in U$.

2) KeyGen PHASE
This phase is implemented in the attribute-based secret key generation algorithm, run by the TAA to generate the private key SK for a given data user according to an attribute set S. First the Algorithm After that, it computes and sets $R = [(p - 1) \cdot n + 1]$, where $n \in Z^*$. Then, the decryption key is computed as

3) EncInd PHASE
This phase is called in the encrypt index algorithm, invoked by the DO to generate a secure index keyword for searching. The DO randomly chooses $K \in Z^*$ as a symmetric key to encrypt its data file $E_k(\text{File})$ using a symmetric encryption cipher (AES etc.). Then it masks K by multiplying it with the common secret $g^{y+s}$, which can only be reconstructed at the DU side by a DU holding valid attributes as specified by the DO in its policy.

4) TokenGen PHASE
This phase is called in the token generation algorithm, executed by the DU. The DU computes the token $tok_1 = g^{bH(w)}$, $tok_2 = g^{\alpha}$ and sends $T_u(q) = (tok_1, tok_2, \{D \})$ to the untrusted cloud server.

Compute $E_i \leftarrow$ Exponentiation$(T_i, s)$
Set $E \leftarrow \{E\} \cup E_i$
end for
Set $A_{verf} \leftarrow (Y)^s$
Compute $I_w = e(g^r \cdot g^{bsH(w)})$, $I'_w = g^{\alpha s}$
return $CT = \{T, I_w, I'_w, K_{enc}, A_{verf}, E\}$

Algorithm 4 TokenGen
Input: DU secret key component and query keyword q.
Output: q's token query $T_u(q)$.

5) SEARCH PHASE
The cloud server invokes this phase in the ABKS-PBM search algorithm. The CS performs the search over an outsourced encrypted index according to the token submitted by the DU, without gaining any useful information about either of them. In response to the interested DU, the CS will return the encrypted data if and only if two conditions hold simultaneously: (i) the DU's attribute set S satisfies the set of attributes T chosen by the DO, and (ii) the query token is equal to the index keyword.
On the other hand, there are two situations in which the CS returns 0 to the DU. One is that the DU is not authorized to perform searching on the encrypted data; technically, the DU attribute set S does not satisfy the chosen attribute set T, in which case the algorithm terminates in advance. The other is when the DU meets the access criteria but the query keyword is not the same as the index keyword.
This phase is called in the decryption algorithm of ABKS-PBM; the DU runs this phase to retrieve the symmetric key K. The retrieved key K is then used by the receiver to decrypt $D_k(\text{File})$.

Algorithm 6 Decryption
Input: DU key SK and ciphertext CT
Output: Symmetric key K.
Set Y = 1
for each attribute i ∈ S do

VI. ABKS-PBM ANALYSIS

A. CORRECTNESS ANALYSIS
We first analyze the correctness of access authorization of the DU's search with respect to the DO's outsourced index keyword w. The CS needs to find out whether S satisfies T. The CS computes $(E_i)^{D_i}$ over $i \in S$, to check whether it constitutes the same access verification $A_{verf}$ as set by the data owner in the ciphertext
We now analyze the matching confirmation between an encrypted index $I_w$ and its corresponding token $T_w$. Algorithm 5 tells us that after the access authorization, the CS needs to find out whether w is equal to q or not by checking whether equation 2 is true or not.

$$e(I'_w, tok_1) \times e(g, g)^{\alpha r} = e(I_w, tok_2) \qquad (2)$$

$$\begin{aligned}
\text{LHS} &= e(I'_w, tok_1) \times e(g, g)^{\alpha r} \\
&= e(g^{s\alpha}, g^{bH(q)}) \times e(g, g)^{\alpha r} \\
&= e(g, g)^{\alpha s b H(q)} \times e(g, g)^{\alpha r} \\
\text{RHS} &= e(I_w, tok_2) \\
&= e(g^{r} \cdot g^{sbH(w)}, g^{\alpha}) \\
&= e(g, g)^{\alpha s b H(w)} \times e(g, g)^{\alpha r} \\
&\overset{w = q}{=} \text{LHS}
\end{aligned}$$
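The algebra of equation (2) can be checked mechanically. The Python sketch below is an added example, not the authors' Charm-crypto implementation: it stores every group element as its exponent modulo a constructed prime Q, so the pairing becomes a multiplication and nothing is kept secret. It assumes SHA-256 for H, assumes the server receives e(g,g)^(αr) together with the index, and leaves out the attribute check because the key formula for it does not survive on this page.

```python
"""Toy check of the ABKS-PBM keyword-match test, equation (2).

Added example. Each element g^x or e(g,g)^x is represented by x mod Q,
which exposes all secrets: this verifies the algebra and protects nothing.
"""
import hashlib
import secrets
from dataclasses import dataclass

Q = 2**127 - 1  # constructed prime group order (Mersenne prime M127)


@dataclass(frozen=True)
class G:   # element g^x of the source group
    x: int


@dataclass(frozen=True)
class GT:  # element e(g,g)^x of the target group
    x: int


def pair(a: G, b: G) -> GT:
    """Bilinearity: e(g^a, g^b) = e(g,g)^(a*b)."""
    return GT(a.x * b.x % Q)


def gt_mul(a: GT, b: GT) -> GT:
    """Multiplying target-group elements adds their exponents."""
    return GT((a.x + b.x) % Q)


def H(keyword: str) -> int:
    """Keyword hash into Z_Q (SHA-256 is an assumption of this example)."""
    digest = hashlib.sha256(keyword.encode()).digest()
    return int.from_bytes(digest, "big") % Q


def rand_exp() -> int:
    """Uniform non-zero exponent in [1, Q-1]."""
    return secrets.randbelow(Q - 1) + 1


@dataclass(frozen=True)
class Index:
    I_w: G        # g^r * g^(s*b*H(w))
    I_w_prime: G  # g^(alpha*s)
    mask: GT      # e(g,g)^(alpha*r), assumed to travel with the index


@dataclass(frozen=True)
class Token:
    tok1: G  # g^(b*H(q))
    tok2: G  # g^alpha


def enc_index(alpha: int, b: int, w: str) -> Index:
    """Data-owner side: fresh r and s re-randomise every index entry."""
    r, s = rand_exp(), rand_exp()
    return Index(G((r + s * b * H(w)) % Q), G(alpha * s % Q), GT(alpha * r % Q))


def token_gen(alpha: int, b: int, q: str) -> Token:
    """Data-user side: tok1 = g^(b*H(q)), tok2 = g^alpha."""
    return Token(G(b * H(q) % Q), G(alpha % Q))


def search(ix: Index, tk: Token) -> bool:
    """Server side: e(I'_w, tok1) * e(g,g)^(alpha*r) == e(I_w, tok2)."""
    lhs = gt_mul(pair(ix.I_w_prime, tk.tok1), ix.mask)  # one pairing
    rhs = pair(ix.I_w, tk.tok2)                         # second pairing
    return lhs == rhs


def demo() -> dict:
    alpha, b = rand_exp(), rand_exp()      # constructed key material
    ix1 = enc_index(alpha, b, "invoice")   # constructed sample keywords
    ix2 = enc_index(alpha, b, "invoice")
    good = token_gen(alpha, b, "invoice")
    return {
        "match": search(ix1, good),
        "mismatch": search(ix1, token_gen(alpha, b, "payroll")),
        # Same keyword, different ciphertext, still matches the token.
        "rerandomized": ix1 != ix2 and search(ix2, good),
        # Token built with a different alpha: difference is
        # (alpha - alpha') * (r + s*b*H(w)), non-zero except by chance.
        "foreign_alpha": search(ix1, token_gen(rand_exp(), b, "invoice")),
    }


if __name__ == "__main__":
    print(demo())
```

The two `pair` calls in `search` correspond to the two bilinear operations the scheme leaves to the cloud server.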

B. COMPLEXITY ANALYSIS
To present the features of our proposed ABKS-PBM scheme, we theoretically analyze and compare it with the CP-ABSE scheme of Hui Yin et al. [34]. It was selected for its convincing performance along with its suitability for resource-constrained devices. The notations used in this comparison are defined in Table 1.
For clarity, we tabulate the construction cost and output size of each algorithm for ABKS-PBM and CP-ABSE in Table 2 and Table 3, individually. It is important to note that we do not consider the less time-consuming operations such as the hash function and the basic arithmetic operations of multiplication, addition and subtraction in $Z^*$. In the case of a successful search query, its transmission cost is also ignored; thus in both cases the output size of the search algorithm is set to zero. Table 3 shows that CP-ABSE costs the least in the setup phase, as its computation cost and output overhead do not depend on the number of user attributes. However, in practice this is acceptable, since the setup phase is a one-time cost and runs on the resource-rich TAA. In CP-ABSE this is shifted to the resource-constrained data owner and hence is insufficiently handled.
As given in Table 2, it can be verified that our proposed scheme has only one pairing operation in the EncInd phase and at most two pairing operations in the search phase, as opposed to the CP-ABSE scheme, where the number is proportional to the minimum set of attributes (N). Hence, by replacing the time-consuming bilinear pairing operation with scalar multiplication, we can verify from Table 2 that our proposed scheme provides a significant improvement in terms of key generation, trapdoor generation and search complexity.

C. COMMUNICATION OVERHEAD ANALYSIS
In our scheme, the TAA needs to send a constant-size secret key for each DU through the secure secret channel rather than one for each attribute, which significantly reduces not only its computation but also the communication overhead of the secret channel. More precisely, suppose the central authority has K users, where each user has t attributes; then the TAA needs to transmit (K × t) elements through the secure channel and the computation time On the other hand, the TAA of our proposed scheme is required to transmit only K random group elements through the secure channel and the computation time is $(K \times Z_q^*)$ ms. This significantly minimizes the communication overhead.

D. SECURITY ANALYSIS

1) INDISTINGUISHABILITY UNDER CHOSEN-PLAINTEXT ATTACK MODEL (IND-CPA)
In this section, we provide the security proofs of ABKS-PBM in the chosen-plaintext model, which reduce to the hardness of the Decisional Bilinear Diffie-Hellman (DBDH) assumption.
Theorem 1: If Decisional BDH is an intractable problem, then our constructed keyword encryption algorithm provides security against the chosen-keyword attack (CKA) in the chosen-plaintext attack model (CKA-CPA).
Proof: Suppose there is an adversary A who can attack the ABKS-PBM index keyword encryption with a non-negligible advantage ε; then there exists a simulator B for solving the decisional BDH problem with a non-negligible advantage ε/2. The simulation proceeds as follows: We let the challenger C generate a group G with generator g. The challenger C then flips a fair binary coin µ ∈ {0, 1} outside of B's view, and sends $t_\mu$ to the simulator B. The selection of random elements $(a, b, c, z) \in Z^*$ for the outcome of µ is given below.
• Case 1: if µ = 0, then C sets the input $t_\mu$ of algorithm B as $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{abc})$.
• Case 2: if µ = 1, then C sets the input $t_\mu$ of algorithm B as $(A, B, C, Z) = (g^a, g^b, g^c, e(g, g)^{z})$.
Init: The adversary A chooses an attribute set $W^*$ that it wishes to be challenged upon.
Setup: B sets the public parameter $Y = e(A, B) = e(g, g)^{ab}$ and gives it to A.
Phase 1: A can repeatedly ask for a number of key-extraction queries k of attribute sets $w_1, w_2, \ldots, w_n$ and the ciphertexts $I_{w_1}, I_{w_2}, \ldots, I_{w_m}$ of index keywords $w_1, w_2, \ldots, w_m$. The key extractions and ciphertexts returned by B need to satisfy the following conditions:
• None of the private keys extracted from the sets of attributes $w_1, w_2, \ldots, w_n$ satisfies the challenge set of attributes $W^*$; $|S| = (|W \cap W^*|) < d$
• All the extracted private keys can be used to create a valid trapdoor.
Challenge: A sends two challenge index keywords $w_0$ and $w_1$ to B. The simulator B flips a fair binary coin ν ∈ {0, 1} and computes the ciphertext is output as:
Guess: A outputs its guess b′ of b. Obviously, A cannot trivially decide b = 1 or b = 0 using the search algorithm, since none of the queried sets of attributes satisfies $W^*$. To decide b = 1 or b = 0, the adversary A has only $I^*_{w_b}$ to get information about the index keyword. The probability for both choices is given:
• if µ = 0, then $Z = e(g, g)^{abc}$ and $t_0$ is sent as input to B and $I^*_{w_b} = (W^*, (I_{w_b})^* = e(g^{bH(w_b)}, g^a)\, e(g, g)^{abc}, (I_w)^* = g^a, (E^*_i = \{E_i\}_{\forall i \in W^*})$ Since r and α are randomly chosen from $Z_p^*$ in the index keyword generation, we let a = α and b = r, the ciphertext can be denoted as
• if µ = 1, then $Z = e(g, g)^{z}$ and $t_1$ is sent to B and the ciphertext is output as Since Z is random, the ciphertext contains no information about the index keyword; $I^*_{w_b}$ will be a random element of the target group from the view of A.
A outputs its guess b′ of b. If b′ = b, the simulator will output its guess µ′ = 0 of µ, to indicate that the challenger C sent a valid BDH-tuple to B. The adversary's advantage in recovering $H(w_b)$ from $I^*_{w_b}$ is ε by definition. Therefore the probability in this situation is 1/2 + ε. If b′ ≠ b, the simulator will output its guess µ′ = 1 of µ, to indicate that the challenger C sent a random 4-tuple to B, and the probability in this case is 1/2. For solving the decisional BDH problem the advantage of B is as follows:

If the discrete logarithm (DL) problem is hard to compute, our constructed token generation algorithm is secure against the trapdoor recoverable attack (TRA) in the eavesdropper attack model.
Proof: With the help of the security game between the challenger C and adversary A, the proof of the above theorem is as follows:
Phase 1: A queries the challenger C for multiple keywords $q_1, q_2, \ldots, q_n$, where 1 ≤ i ≤ n. In response to A, the challenger C sends the following ciphertext:
Challenge: A sends two challenge keywords $q_0$ and $q_1$ to C, which have never been submitted earlier. C flips a fair binary coin b ∈ {0, 1} and compute and sends it to adversary A.
Phase 2: A acts the same as it did in Phase 1, except for keywords $q_0$ and $q_1$.
Guess: A outputs its guess b′ of b. By definition of the security game, A cannot access the encryption oracle, so it cannot efficiently compute $T^*_A(q_1)$ and $T^*_A(q_0)$ without knowing b. Given that the discrete log problem (DL) is intractable, the probability of a correct guess b′ = b for A is at most 1/2.

Theorem 3: If the Computational Diffie-Hellman (CDH) problem is intractable, our proposed scheme is secure against the collusion attack. That is, even if one or more malicious DUs collude to decrypt the ciphertext by combining more than one secret key or attribute, they are unable to succeed if none of them can independently succeed in decryption.
Proof: For decryption of the ciphertext, a malicious DU must obtain the attribute secret keys for the corresponding ciphertext. Apparently, the most probable attack scenario is the collusion attack (i.e., an integration of attributes or secret keys), as there may be some overlapping set of attributes among the malicious DUs.
Let us assume that some DUs have already obtained their secret keys corresponding to their respective attribute sets. Now, they want to collude against some ciphertext which is encrypted under some attribute S that intersects with their respective attribute sets. More specifically, they possess some individual decryption keys which constitute the required decryption key corresponding to the common attribute in the form of D i = g R i t i . Now, even though they themselves construct the secret key against the required set of attributes, they are still not capable of decryption, as their individual $R_i$'s are randomly chosen to meet the equation Given that the CDH problem is intractable, malicious DUs will never construct (y × |S| i=1 t i ) because of their individual random selection of $R_i$. Hence, the proposed scheme is secure against the collusion attack under the CDH problem assumption.

2) INDISTINGUISHABILITY UNDER CHOSEN-CIPHERTEXT ATTACK MODEL (IND-CCA)
The security proof of the proposed scheme is given under chosen-plaintext attack in a selective model. The security of the proposed scheme can be further enhanced to IND-CCA by incorporating the one-time signature scheme of [35] in its security proofs. This transformation from the CPA-secure ABKS-PBM scheme to a CCA-secure ABKS-PBM scheme requires two more algorithms in our basic construction, namely a sign algorithm S and a verifier algorithm V. We also need a signing key $S_k$ and a verification key $V_k$ from the TAA. The sign algorithm takes the message $m$ and the signing key $S_k$ as input and generates a signature $\sigma$. The verifier algorithm V takes $m$, $V_k$, and $\sigma$ as input, and outputs $b \in \{0, 1\}$.
Accordingly, the security game between an adversary A and a challenger C proceeds as follows. First, the challenger runs the KeyGen algorithm and returns to A the signing key $S_k$ and the verifier key $V_k$. Adversary A chooses a signing query $m^*$ that it wishes to be challenged upon. The challenger computes $\sigma^* = S(m^*, S_k)$ and gives it to A. A outputs its guess $(\sigma, m)$. We say A sends a valid forged message $m$ if $V(m, \sigma, V_k) = 1$ while $(m^*, \sigma^*) \neq (m, \sigma)$. In other words, the adversary A will be given access to the decryption algorithm to decrypt randomly chosen ciphertexts. However, the signature on the ciphertext makes the adversary A unable to tamper with the ciphertext. For more insight, the reader may refer to [35], [36].
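The sign algorithm S and verifier algorithm V described above can be illustrated with a Lamport one-time signature. This is an added example, not code from the paper or from [35]; Lamport is chosen here only as a concrete one-time scheme, and the function names and the stand-in ciphertext bytes are assumptions.

```python
import hashlib
import secrets

N = 256  # one secret pair per bit of the SHA-256 message digest


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def digest_bits(message: bytes) -> list:
    d = H(message)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(N)]


def keygen():
    """Return (S_k, V_k): S_k is 256 pairs of random secrets, V_k their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(N)]
    vk = [(H(a), H(b)) for a, b in sk]
    return sk, vk


def sign(message: bytes, sk) -> list:
    """S(m, S_k): reveal one secret per digest bit. Each S_k signs one message only."""
    return [sk[i][bit] for i, bit in enumerate(digest_bits(message))]


def verify(message: bytes, sigma, vk) -> int:
    """V(m, sigma, V_k): 1 if every revealed secret hashes to its V_k entry, else 0."""
    if len(sigma) != N:
        return 0
    bits = digest_bits(message)
    return 1 if all(H(s) == vk[i][b] for i, (s, b) in enumerate(zip(sigma, bits))) else 0


def demo():
    """Sign a constructed ciphertext, then check it and a one-bit-flipped copy."""
    sk, vk = keygen()
    ciphertext = b"constructed-ABKS-index-ciphertext"  # stand-in bytes, not real output
    sigma = sign(ciphertext, sk)
    tampered = bytes([ciphertext[0] ^ 1]) + ciphertext[1:]
    return verify(ciphertext, sigma, vk), verify(tampered, sigma, vk)


if __name__ == "__main__":
    print(demo())
```

A decryption oracle that first runs `verify` on the submitted ciphertext rejects any modified copy, which is the property the CCA transformation relies on.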

E. PERFORMANCE ANALYSIS
This section briefly presents the experimental results and performance evaluation of our proposed ABKS-PBM scheme. The hardware execution environment is an Intel Core I3 4005 CPU with 4GB RAM, running Ubuntu 14. The software execution environment is Charm-crypto version 0.42, and Spyder 2.2.5 is used to evaluate the performance of each algorithm, namely Setup, KeyGen, EncInd and Trapdoor generation.

1) EVALUATION OF STORAGE COST
To compare the storage cost of our proposed scheme, we implemented the existing CP-ABKS scheme proposed in [34]. Figure 2 demonstrates the storage cost. We reduced the storage size of KeyGen, by generating a constant-size key for the data owner, and of the EncInd and Trapdoor algorithms, the latter being used by the data user to generate a keyword query. The Setup algorithm takes more space in the ABKS-PBM scheme; however, in practice this is acceptable, since the Setup phase is a one-time cost and runs on the resource-rich TAA.

2) EVALUATION OF KeyGen ALGORITHM
The KeyGen algorithm, run by the TAA, associates the attribute list with the secret key for a particular data user. Figure 3 shows the execution time of the KeyGen algorithm. We can see that the execution time of both algorithms is linearly proportional to the attribute list associated with the corresponding data user. We observe that our proposed scheme requires less execution time as the number of attributes increases, since the proposed scheme involves fewer exponentiation operations than the CP-ABSE scheme.

3) EVALUATION OF EncInd ALGORITHM
The EncInd algorithm generates the encrypted keyword index, which is related to the data user access control policy. This encrypted version of the keyword makes the data user's search operation possible on the cloud server (CS). Figure 4 demonstrates the time taken by CP-ABSE and our proposed algorithm to encrypt one index keyword. Both algorithms take linear time as the number of attributes chosen by the data user increases; however, we observe that because of its lower computation overhead, our ABKS-PBM performs more efficiently.

4) EVALUATION OF TRAPDOOR ALGORITHM
The Trapdoor algorithm is executed by the authorized data user to generate a query trapdoor for its keyword of interest. Figure 5 shows the time cost of running the Trapdoor algorithms for CP-ABSE and our proposed scheme. The time cost of the CP-ABSE scheme is linearly proportional to the number of data user attributes, while the proposed scheme has constant computation overhead, as it is independent of the data user attribute list.

5) EVALUATION OF SEARCH ALGORITHM
In response to the query trapdoor submitted by the data user, the cloud server (CS) performs a search operation on its stored index keywords to find the matching keyword. The average running time of the search algorithm is depicted in Figure 6. We run both algorithms for |N| = 2 and |N| = 4, where N represents the minimum attribute set that is associated with the given access control policy. We can see that the running time of both algorithms grows linearly with the minimum attribute set N satisfying an access control policy and with the number of index keywords. Free from costly bilinear pairing operations in access control confirmation, which are the most expensive operations, our scheme achieves better time cost for