This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TCC.2017.2769645, IEEE Transactions on Cloud Computing

Achieving Secure and Efficient Dynamic Searchable Symmetric Encryption over Medical Cloud Data
Hongwei Li, Member, IEEE, Yi Yang, Student Member, IEEE, Yuanshun Dai, Member, IEEE,
Shui Yu, Senior Member, IEEE, and Yong Xiang, Senior Member, IEEE

Abstract—In medical cloud computing, a patient can remotely outsource her medical data to the cloud server. In this case, only
authorized doctors are allowed to access the data since the medical data is highly sensitive. Encrypting the data before outsourcing
is a commonly used approach, where the patient only needs to send the corresponding encryption key to the authorized doctors.
This, however, significantly limits the usability of outsourced medical data due to the difficulty of searching over the encrypted data. In
this paper, we propose two Secure and Efficient Dynamic Searchable Symmetric Encryption (SEDSSE) schemes over medical cloud
data. Firstly, we leverage the secure k-Nearest Neighbor (kNN) and Attribute-Based Encryption (ABE) techniques to propose a dynamic
searchable symmetric encryption scheme, which can achieve two important security features, i.e., forward privacy and backward privacy
which are very challenging in the area of dynamic searchable symmetric encryption. Then, we propose an enhanced scheme to solve
the key sharing problem which widely exists in the kNN based searchable encryption scheme. Compared with existing proposals, our
schemes are better in terms of storage, search and updating complexity. Extensive experiments demonstrate the efficiency of our
schemes on storage overhead, index building, trapdoor generating and query.

Index Terms—Health care, Searchable encryption, Dynamic updating, Attribute-based encryption

• H. Li, Y. Yang and Y. Dai are with the School of Computer Science and Engineering, University of Electronic Science and Technology of China, Chengdu, Sichuan, China (e-mail: hongweili@uestc.edu.cn; yangyi.buku@gmail.com; dai@cloudian.org).
• H. Li is with State Key Laboratory of Information Security (Institute of Information Engineering, Chinese Academy of Sciences, Beijing 100093) (e-mail: hongweili@uestc.edu.cn).
• S. Yu and Y. Xiang are with the School of Information Technology, Deakin University, Geelong, Australia (e-mail: syu@deakin.edu.au; yxiang@deakin.edu.au)

1 INTRODUCTION

Health care service has been extensively studied to improve medical quality and reduce the cost of medical services [1], [2]. With a large amount of medical data, a health care system must extend its scale to provide efficient and secure services [3]. Media cloud computing, which treats computing as a utility, leases out the computing and storage capacities to the public patients and doctors. It is a revolutionary computing paradigm which enables dynamic resource allocation, self-demand services, measurement of service, transparency of resource, etc [4]–[7]. As such, a patient can remotely store her data on the cloud server, namely data outsourcing, and then open her cloud data to the doctors.

Note that the outsourced medical data may contain sensitive and private information (e.g., medical case and diagnostic report). It is often necessary to encrypt the medical data before it is uploaded to the cloud. However, the encrypted data cannot provide good usability due to the difficulty of searching over encrypted data. To address this issue, Searchable Symmetric Encryption (SSE) technology has been proposed in the literature as a fundamental approach to enabling keyword search over encrypted cloud data [8]. The existing searchable encryption schemes can achieve fuzzy keyword search, ranked keyword search, multi-keyword search, and so on [9]–[11].

Recently, many k-Nearest Neighbor (kNN) based SSE schemes (e.g., [11]) have been proposed to search over encrypted data. However, in such schemes every search shares the same secret key among users, which may cause disclosure of privacy. On the other hand, it is a challenging issue, especially in the health care system, to develop a dynamic version of SSE (DSSE) in which encrypted keyword search should be supported even if data is arbitrarily inserted into a collection (forward privacy) or deleted from a collection (backward privacy). Stefanov et al. [12] proposed an efficient DSSE scheme, which can achieve forward privacy, but cannot ensure backward privacy. Some researchers [13], [14] use the Oblivious Random Access Memory (ORAM) technique to achieve the forward privacy and backward privacy in DSSE. However, these approaches significantly increase the complexity in storage, search and updating processes.

To address the above issues, in this paper, we propose a Secure and Efficient Dynamic Searchable Symmetric Encryption (SEDSSE) scheme over medical cloud data. This work extends and improves our previous research [15]. Specifically, this paper addresses two new issues: the collusion between the cloud server and search users as well as different secret key distribution among search users. In addition, we apply the new design to the health care system. Furthermore, the security and performance are analyzed. The original contributions of the paper are:
• Firstly, we combine the k-Nearest Neighbor (kNN) and

2168-7161 (c) 2017 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.

Attribute-Based Encryption (ABE) techniques to propose a Secure and Efficient Dynamic Searchable Symmetric Encryption scheme, named SEDSSE I. The proposed scheme can achieve forward privacy, backward privacy, and collusion resistance between the cloud server and search users.
• Secondly, based on the scheme, we further propose an enhanced scheme, named SEDSSE II, to solve the key sharing problem which widely exists in the kNN based searchable encryption schemes. Compared with the existing DSSE schemes, our proposed schemes have lower storage costs and lower search and updating complexity. Extensive experiments demonstrate the efficiency of our schemes in terms of storage overhead, index building, trapdoor generating and query.

The remainder of this paper is organized as follows. Section 2 outlines the system model, security requirements and design goals and Section 3 describes the preliminaries of the proposed schemes. The developed schemes and updating operations are presented in Section 4 and Section 5, respectively. An enhanced scheme is proposed in Section 6 to address the key sharing problem. The security analysis and performance evaluation are conducted in Section 7 and Section 8, respectively. Section 9 presents the related works and finally Section 10 concludes the paper.

2 SYSTEM MODEL, SECURITY REQUIREMENTS AND DESIGN GOALS

2.1 System Model

As shown in Fig. 1, our schemes consist of four entities (for simplicity, we do not mark the trusted authority in Fig. 1).
• Trusted authority: A trusted authority (TA) is a trusted third party. We use it to generate the attribute-based encryption (ABE) key to encrypt the medical documents. Patients' documents will be encrypted and only some doctors satisfying the corresponding access policy can decrypt them.
• Patient: A patient outsources her documents to the cloud server to provide convenient and reliable data access to the corresponding search doctors. To protect the data privacy, the patient encrypts the original documents under an access policy using attribute-based encryption. To improve the search efficiency, she also generates some keywords for each outsourced document. The corresponding index is then generated according to the keywords using the secret key of the secure kNN scheme. After that, the patient sends the encrypted documents and the corresponding indexes to the cloud server, and submits the secret key to the search doctors.
• Cloud server: A cloud server is an intermediary entity which stores the encrypted documents and the corresponding indexes received from patients, and then provides data access and search services to authorized search doctors. When a search doctor sends a trapdoor to the cloud server, it would return a collection of matching documents based on certain operations.
• Doctor: An authorized doctor can obtain the secret key from the patient, where this key can be used to generate trapdoors. When she needs to search the outsourced documents stored in the cloud server, she will generate a search keyword set. Then according to the keyword set, the doctor uses the secret key to generate a trapdoor and sends it to the cloud server. Finally, she receives the matching document collection from the cloud server and decrypts them with the ABE key received from the trusted authority. After getting the health information of the patient, the doctor can also outsource a medical report to the cloud server in the same way. For simplicity, we just consider one-way communication in our schemes.

Fig. 1: System Model (diagram not reproduced; its labels are: Patient, Cloud server, Doctors, Encrypted index, Keywords of each document, Encrypted documents, Search keyword set, Trapdoor, Search result, Symmetric key and secret key).

2.2 Security Requirements

In this paper, the cloud server is considered as semi-trusted, i.e., it may try to attain sensitive information from the queries of search doctors when performing the keyword-based search. We define the security requirements as follows.
• Privacy protection of documents, indexes and trapdoors: It is the most basic security feature in general searchable encryption schemes. Without considering privacy protection, searchable encryption is out of the question. Namely, our schemes should meet this security requirement. In particular, in terms of document privacy, ours is safer than general searchable encryption schemes because of the use of the ABE technique [16].
• Unlinkability of trapdoors: We define the unlinkability of trapdoors in a harsh model, the Known Background Model [11], to study more comprehensive security of our schemes. In this case, the cloud server is more powerful and can possess more statistical information from a known comparable dataset, such as the information of all indexes, trapdoors and even some keywords leaked.
• Collusion resistance between the cloud server and search users: General searchable encryption schemes encrypt all outsourced documents with the same key. If the cloud server conspires with one search user then it can decrypt all documents outsourced. Therefore, in our schemes, we use the ABE technique to encrypt the outsourced documents, so that one search user can only access a given number of documents if and only if she satisfies the corresponding access policy.
• Key non-sharing in search: In our general kNN based searchable encryption schemes, all search users share the same secret key $(S, M_1, M_2)$. Therefore, the trapdoor


generated by one search user can be decrypted by other search users, which causes disclosure of user privacy. In our basic scheme, one doctor's search request can be decrypted by other doctors, hence we propose an enhanced scheme to solve this problem.
• Forward privacy and backward privacy: In DSSE, the documents outsourced to a cloud server may need to be updated frequently. For a strong security requirement, we consider whether the cloud server can deduce that the newly added document has a keyword we searched for in the past. We call it forward privacy, and expect to achieve it. Compared with forward privacy, backward privacy is also an important security requirement in DSSE; it can be defined as: queries cannot be executed over deleted documents. Due to the semi-trust of the cloud server, it may be curious about the information. It may spare the documents which should be deleted in its storage space, and further match the new queries for its own wishes. Therefore, we propose a scheme to achieve both forward privacy and backward privacy.
• Access pattern: Access pattern is the retrieval of sequential searches, consisting of the returned identity sets according to the corresponding search keyword sets. Some searchable encryption proposals, e.g., [17], have been proposed to hide the access pattern using the private information retrieval (PIR) technique [18]. However, our proposal is not specifically designed to protect the access pattern, because any PIR based technique must "touch" the whole dataset outsourced on the server, which is inefficient in the large scale cloud system.

2.3 Design Goals

In order to realize secure and efficient dynamic searchable symmetric encryption schemes over medical cloud data, the following goals should be achieved:
• Strong security: In a health care system, privacy-preservation is very important. Therefore, the first goal is to achieve the security requirements mentioned in 2.2. Without this, searchable encryption is out of the question.
• Multi-keyword search: The second goal is to achieve multi-keyword search over encrypted cloud data. Compared with the general single keyword search, multi-keyword search can better meet the requirements of search doctors and achieve better search efficiency.
• Efficient updating: It may do more frequent updating operations than general searchable encryption schemes, e.g., delete operation and insert operation. However, all indexes are encrypted and outsourced to the cloud server. Considering the cloud environment, the number of indexes may be huge. Hence the updating efficiency is very important in this case. The optimal solution is not to update the outsourced indexes while executing updating operations. In this paper, we propose a scheme to achieve constant updating cost.
• Access control: In our previous design [15], we send the symmetric secret key to the authorized doctors directly. If a doctor conspires with the cloud server, then all encrypted documents will be decrypted by the cloud server. Therefore, we introduce the ABE technique to solve this problem.

3 PRELIMINARIES

3.1 Relevance Score

The relevance score between a keyword and a document represents the frequency that the keyword appears in the document. It can be used in searchable encryption for returning ranked results. A prevalent metric for evaluating the relevance score is TF × IDF, where TF (term frequency) represents the frequency of a given keyword in a document and IDF (inverse document frequency) represents the importance of the keyword within the whole document collection. Without loss of generality, we select a widely used expression in [19] to evaluate the relevance score as

$$\mathrm{Score}(T_e, F_j) = \sum_{t \in T_e} \frac{1}{|F_j|} \cdot (1 + \ln f_{j,t}) \cdot \ln\left(1 + \frac{N}{f_t}\right), \qquad (1)$$

where $f_{j,t}$ denotes the TF of keyword $t$ in document $F_j$; $f_t$ denotes the number of documents containing keyword $t$; $N$ denotes the number of documents in the collection; and $|F_j|$ denotes the length of $F_j$, obtained by counting the number of indexed keywords.

3.2 Notation

• $F$ - the document collection to be outsourced, denoted as a set of $N$ documents $F = (f_1, f_2, \cdots, f_N)$.
• $C$ - the encrypted document collection according to $F$, denoted as a set of $N$ documents $C = (C_1, C_2, \cdots, C_N)$.
• $T$ - the keyword dictionary, including $m$ keywords, denoted as $T = (t_1, t_2, \cdots, t_m)$.
• $I$ - the index collection stored in the cloud server, which is built from the keywords of each document, denoted as $I = (I_1, I_2, \cdots, I_N)$.
• $T_e$ - the search keyword set generated by a search doctor, which is a subset of $T$.
• $Q_{T_e}$ - the trapdoor for keyword set $T_e$.
• $D$ - a number collection, initialized as $\{1, 2, 3, \cdots, d\}$, where $d$ is set as the possible maximum size of the outsourced document collection.
• $D$ - a number collection, initialized as $\emptyset$.

3.3 Access Policy

In ciphertext policy attribute-based encryption, the access policy is associated with the ciphertext, specifying who can decrypt the ciphertext. In our schemes, we use AND-gates on multi-valued attributes, negative attributes and wildcards. A negative attribute is used to specify that the doctor doesn't have this attribute. A wildcard means the attribute does not need consideration in decryption [16].

Definition. Let $U = \{att_1, \cdots, att_n\}$ be a set of attributes. For each $att_i \in U$, $S_i = \{v_{i,1}, \cdots, v_{i,n_i}\}$ is a set of possible values where $n_i = |S_i|$ is the number of possible values of $att_i$. Let $\bar{U} = \{\neg att_1, \cdots, \neg att_n\}$ be a set of negative attributes for $U$. Let $L = [L_1, \cdots, L_n]$, where


$L_i \in S_i \cup \{\neg att_i\}$, be an attribute list for a doctor; and $W = [W_1, \cdots, W_n]$ where $W_i \in S_i \cup \{\neg att_i, *\}$, be an access policy.

The notation $L \models W$ means that an attribute list $L$ satisfies an access policy $W$, namely, for all $i = 1, \cdots, n$, $L_i = W_i$ or $W_i = *$. Otherwise, we use the notation $L \not\models W$ to indicate that $L$ does not satisfy $W$.

4 PROPOSED SEDSSE I SCHEME

In this section, based on the secure k-nearest neighbor (kNN) scheme [20], we present our scheme to achieve searchable encryption over encrypted data. Meanwhile, we use the ABE technique to encrypt the symmetric secret key $sk_i$ that encrypts the documents outsourced to the cloud server. For realization of ABE, we let $G$ be a bilinear group of prime order $p$ with a generator $g$. In addition, let $e : G \times G \rightarrow G_1$ denote the bilinear map. Let $E : G \rightarrow G_1$ be an encoding between $G$ and $G_1$. A security parameter, $k$, will determine the size of the groups. Let $U = \{att_1, \cdots, att_n\}$ be a set of attributes; $S_i = \{v_{i,1}, \cdots, v_{i,n_i}\}$ be a set of possible values associated with $att_i$ and $n_i = |S_i|$; $L = [L_1, \cdots, L_n]$ be an attribute list for a doctor; and $W = [W_1, \cdots, W_n]$ be an access policy. Our algorithms are as follows:

• Gen($1^k$). A patient randomly generates the secret key $K = (S, M_1, M_2)$, where $S$ is an $(m+d+1)$-dimensional binary vector, and $M_1$ and $M_2$ are two $(m+d+1) \times (m+d+1)$ invertible matrices. The binary vector $S$ is a splitting indicator to split the plaintext vector into two random vectors, which confuses the value of the plaintext vector. $M_1$ and $M_2$ are used to encrypt the split vectors. For correctness and security, see [20]. For ABE, a trusted authority (TA) generates a tuple $G = [p, G, G_1, g \in G, e] \leftarrow \mathrm{Gen}(1^k)$, $y \in_R \mathbb{Z}_p$ and $g_2, g_3 \in_R G$. The algorithm for generating bilinear groups Gen takes a security parameter $k$ as an input and outputs the tuple $G$, where $\log(p) = \Theta(k)$. For each attribute $att_i$ ($1 \le i \le n$), TA generates values $\{t_{i,j} \in_R \mathbb{Z}_p\}_{1 \le j \le n_i}$ and $\{a_i, b_i \in_R \mathbb{Z}_p\}$. Next TA computes $g_1 = g^y$, $Y = e(g_1, g_2)$, $\{\{T_{i,j} = g^{t_{i,j}}\}_{1 \le j \le n_i}, A_i = g^{a_i}, B_i = g^{b_i}\}_{1 \le i \le n}$. The public key $PK$ is published as

$$PK = \langle e, g, g_1, g_2, g_3, Y, \{\{T_{i,j}\}_{1 \le j \le n_i}, A_i, B_i\}_{1 \le i \le n} \rangle. \qquad (2)$$

The master key is $MK = \langle y, \{\{t_{i,j}\}_{1 \le j \le n_i}, a_i, b_i\}_{1 \le i \le n} \rangle$.

• GenIndex($F$, $K$). The patient generates an $m$-dimensional vector $P_j$ according to the encrypted document $f_j$ ($j = 1, 2, \cdots, N$), where each bit $P_j[i]$ indicates the relevance score of keyword $t_i$ in $F_j$, i.e., $P_j[i] = \mathrm{Score}(t_i, F_j)$. Then the patient extends the vector $P_j$ to an $(m+d+1)$-dimensional vector $P_j' = P_j \| V_j$, where $V_j$ is a $(d+1)$-dimensional vector. To achieve certain scalability of the document collection, $d$ should be set as the possible maximum size of the outsourced document collection. Assuming the possible maximum relevance score between a search keyword set and a document is $max_S$, the patient chooses a random parameter $\beta$, where $\beta > max_S$. Therefore, the vector $V_j$ ($j = 1, 2, \cdots, N$) can be generated using Algorithm 1, where $\beta^*$ represents the arbitrary integer multiples of $\beta$. Therefore, the type of $V_j$ is as follows.

$$\begin{aligned} V_1 &= (\beta^*, \beta^*, \cdots, a_1, \beta^*, \cdots, \beta^*, -a_1) \\ V_2 &= (\beta^*, \beta^*, a_2, \cdots, \beta^*, \cdots, \beta^*, -a_2) \\ V_3 &= (\beta^*, \beta^*, \cdots, \beta^*, a_3, \cdots, \beta^*, -a_3) \\ &\cdots \end{aligned} \qquad (3)$$

The vector $P_j'$ will be encrypted using the secure kNN scheme: the patient uses vector $S$ to split $P_j'$ into two $(m+d+1)$-dimensional vectors $(p_a, p_b)$, where the vector $S$ functions as a splitting indicator. Namely, if $S[i] = 0$ ($i = 1, 2, \cdots, m+d+1$), $p_a[i]$ and $p_b[i]$ are both set as $P_j'[i]$; if $S[i] = 1$ ($i = 1, 2, \cdots, m+d+1$), the value of $P_j'[i]$ will be randomly split into $p_a[i]$ and $p_b[i]$ ($P_j'[i] = p_a[i] + p_b[i]$). Then, the index of encrypted document $C_j$ can be calculated as

$$I_j = (M_1^T p_a, M_2^T p_b). \qquad (4)$$

Finally, a key tuple $(K, D)$ will be sent to the authorized search doctors through secret channels, and $sk_j$ ($j = 1, 2, \cdots, N$) will be sent to the encryptor, where $sk_j$ is the symmetric key used to encrypt documents outsourced to the cloud server. The patient publishes $\beta$ and stores $D$ in her own storage space.

Algorithm 1 Generation algorithm of $V_j$
Input: $D$, $D$
Output: $(V_1, V_2, \cdots, V_N)$, $D$, $D$
1: for $j = 1$ to $N$ do
2:   randomly choose an element $v_j$ from $D$: $v_j \leftarrow_R D$
3:   randomly choose $a_j \leftarrow_R \mathbb{Z}_q^*$
4:   $V_j = \{V_j[i]\} = \begin{cases} a_j, & \text{if } i = v_j, \\ -a_j, & \text{if } i = d+1, \\ \beta^*, & \text{other.} \end{cases}$
5:   $D = D - \{v_j\}$
6:   $D = D + \{v_j\}$
7: end for
8: return $(V_1, V_2, \cdots, V_N)$, $D$, $D$

• KeyGen($MK$, $L$). Let $L = [L_1, L_2, \cdots, L_n]$ be the attribute list for the doctor who obtains the corresponding secret key. TA chooses $r_i, r_i', r_i'' \in_R \mathbb{Z}_p$ for $1 \le i \le n$, sets $r = \sum_{i=1}^{n} r_i$ and computes $D_0 = g_2^{y-r}$. TA computes $D_i$ and $F_i$ for $1 \le i \le n$ as

$$D_i = \begin{cases} (g_2^{r_i} T_{i,k_i}^{r_i'}, g^{r_i'}) & (\text{if } L_i = v_{i,k_i}) \\ (g_2^{r_i} A_i^{r_i'}, g^{r_i'}) & (\text{if } L_i = \neg att_i) \end{cases}, \quad F_i = (g_2^{r_i} B_i^{r_i''}, g^{r_i''}). \qquad (5)$$

Then TA will output the secret key $SK_L = \langle L, D_0, \{D_i, F_i\}_{1 \le i \le n} \rangle$ to the doctor.

• Encrypt($PK$, $M$, $W$). To encrypt the medical document $f_j \in G_1$ under the access policy $W$, an encryptor chooses $s \in_R \mathbb{Z}_p$, computes $\tilde{C} = f_j \cdot Y^s$ and $C_0 = g^s$, $C_0' = g_3^s$.


After that, the encryptor computes $C_i$ for $1 \le i \le n$ as follows:

$$C_i = \begin{cases} T_{i,k_i}^{s} & (\text{if } W_i = v_{i,k_i}) \\ A_i^{s} & (\text{if } W_i = \neg att_i) \\ B_i^{s} & (\text{if } W_i = *). \end{cases} \qquad (6)$$

The encryptor outputs the ciphertext $CT_W = \langle W, \tilde{C}, C_0, C_0', \{C_i\}_{1 \le i \le n} \rangle$ to the server, where $CT_W$ will be combined with encrypted document $C_j$, and then the patient outsources the combination to the cloud server.

• ReKGen($SK_L$, $W$). Let $SK_L$ denote a valid secret key, and $W$ denote an access policy. To generate a re-encryption key for $W$, choose $d \in_R \mathbb{Z}_p$ and compute $g^d$, $D_i' = (D_{i,1} g_3^d, D_{i,2})$, $F_i' = (F_{i,1} g_3^d, F_{i,2})$. Set $D_0' = D_0$ and compute $C$, which is the ciphertext of $E(g^d)$ under the access policy $W$, i.e., $C = \mathrm{Encrypt}(PK, E(g^d), W)$. Then the re-encryption key for $W$ is $RK_{L \rightarrow W} = \langle L, W, D_0', \{D_i', F_i'\}_{1 \le i \le n}, C \rangle$.

• Reencrypt($RK_{L \rightarrow W'}$, $CT_W$). Let $RK_{L \rightarrow W'}$ be a valid re-encryption key for access policy $W'$ and $CT_W$ be a well-formed ciphertext $\langle W, \tilde{C}, C_0, C_0', \{C_i\}_{1 \le i \le n} \rangle$. Check $W$ to find whether $L \models W$ or not. If $L \not\models W$, return $\perp$; otherwise, for $1 \le i \le n$, compute:

$$E_i = \left\{ \begin{array}{ll} \dfrac{e(C_0, D_{i,1}')}{e(C_i, D_{i,2}')} & (\text{if } W_i \ne *) \\[2ex] \dfrac{e(C_0, F_{i,1}')}{e(C_i, F_{i,2}')} & (\text{if } W_i = *) \end{array} \right\} = e(g, g_2)^{s r_i} e(g, g_3)^{sd}. \qquad (7)$$

Afterwards, compute $\bar{C} = e(C_0, D_0') \prod_{i=1}^{n} E_i = e(g^s, g_2^{y-r}) e(g, g_2)^{sr} e(g, g_3)^{nsd} = e(g, g_2)^{ys} e(g, g_3)^{nsd}$ and outsource a re-encrypted ciphertext

$$CT' = \langle W', \tilde{C}, C_0', \bar{C}, C \rangle. \qquad (8)$$

Note that $C$ can be re-encrypted again. In the following Decrypt algorithm we can see that the recipient only needs $g^d$ to decrypt the re-encrypted ciphertext. Thus, we would obtain $CT'' = \langle W'', \tilde{C}, C_0', \bar{C}, C' \rangle$, where $C'$ is obtained from the Reencrypt algorithm with the input of another $RK_{L' \rightarrow W''}$ and $C$. The decryption cost and size of ciphertext grow linearly with the re-encryption time. As stated in [14], it seems to be inevitable for a non-interactive scheme.

• GenTrapdoor($T_e$, $K$, $D$). Firstly, the search doctor generates the keyword set $T_e$ for searching. Then, she creates an $m$-dimensional binary vector $Q$ according to $T_e$, where $Q[i]$ indicates whether the $i$-th keyword of the dictionary, $t_i$, is in $T_e$, i.e., $Q[i] = 1$ indicates yes, and $Q[i] = 0$ represents no. Then the search doctor also extends the vector $Q$ to an $(m+d+1)$-dimensional vector $Q' = Q \| V'$, where $V'$ is a $(d+1)$-dimensional vector and can be generated as

$$V' = \{V'[i]\} = \begin{cases} 1, & \text{if } i \in D \cup \{d+1\}, \\ 0, & \text{other.} \end{cases} \qquad (9)$$

Hence the search doctor can split $Q'$ into two $(m+d+1)$-dimensional vectors $(q_a, q_b)$: if $S[i] = 0$ ($i = 1, 2, \cdots, m+d+1$), the value of $Q'[i]$ will be randomly split into $q_a[i]$ and $q_b[i]$; if $S[i] = 1$ ($i = 1, 2, \cdots, m+d+1$), $q_a[i]$ and $q_b[i]$ are both set as $Q'[i]$. Thus, the trapdoor $Q_{T_e}$ can be generated as

$$Q_{T_e} = (M_1^{-1} q_a, M_2^{-1} q_b). \qquad (10)$$

• Search($I_j$, $Q_{T_e}$). Before searching, the cloud server will store all indexes previously obtained. After receiving a trapdoor, it can calculate the relevance score as follows:

$$\begin{aligned} \mathrm{Score}(T_e, F_j) &= P_j \cdot Q \\ &= (P_j' \cdot Q') \bmod \beta \\ &= (p_a \cdot q_a + p_b \cdot q_b) \bmod \beta \\ &= (M_1^T p_a, M_2^T p_b) \cdot (M_1^{-1} q_a, M_2^{-1} q_b) \bmod \beta \\ &= (I_j \cdot Q_{T_e}) \bmod \beta. \end{aligned} \qquad (11)$$

A larger score indicates the corresponding document $F_j$ is more relevant to the search keyword set $T_e$, hence the encrypted documents with top scores will be returned to the search doctor. But at this point, the search doctor cannot decrypt the documents $C_j$ without $sk_j$.

• Decrypt($CT_W$, $SK_L$). Upon receiving the encrypted documents with top scores, the decryptor will check $W$ to know whether $L \models W$. If $L \models W$, she can proceed. Then the decryptor decrypts the $CT$ by using her $SK_L$ as follows.
1) If $CT$ is an original well-formed ciphertext, then
   1. for $1 \le i \le n$, compute
   $$D_i' = \begin{cases} D_{i,1} & (\text{if } W_i \ne *) \\ F_{i,1} & (\text{if } W_i = *) \end{cases}, \quad D_i'' = \begin{cases} D_{i,2} & (\text{if } W_i \ne *) \\ F_{i,2} & (\text{if } W_i = *) \end{cases}, \qquad (12)$$
   2. $f_j\ (j = 1, 2, \cdots, N) = \tilde{C} \prod_{i=1}^{n} e(C_i, D_i'') / (e(C_0, D_0) \prod_{i=1}^{n} e(C_0, D_i'))$.
2) Else if $CT$ is a re-encrypted well-formed ciphertext, then
   1. decrypt $E(g^d)$ from $C$ using the secret key $SK_L$ and decode it to $g^d$,
   2. $f_j = \tilde{C} \cdot e(C_0', g^d)^n / \bar{C}$.
3) Else if $CT$ is a multi-time re-encrypted well-formed ciphertext, decryption is similar to the above phases.
After obtaining the $sk_j$, the search doctor can decrypt the encrypted documents. The decryptor is located on the server side.

5 DYNAMIC UPDATING

In a DSSE scheme, updating operations may be used more frequently than in general searchable encryption schemes, e.g., delete operation and insert operation. Such operations may cause privacy disclosure of the outsourced documents. In this section, we present the updating operations of our scheme which can achieve both forward privacy and backward privacy. Note that, when executing the updating operations over some documents, the indexes of other documents do not need any change, i.e., the cost of updating


is constant. Therefore, our scheme achieves extremely high in the query phase of the basic searchable encryption scheme,
efficiency in the updating phase. pa · qaT can be computed as
• Delete (Fj ) When a patient deletes a document Fj from
pa M1 · M1−1 qaT mod g = pa · qaT mod g. (14)
the cloud server, she needs to send vj to the search doc-
tors through secret channels. The operations are shown in In the enhanced scheme, it can be replaced as
Algorithm 2. For the cloud server, it deletes the encrypted
document Cj , the corresponding index Ij and ciphertext pa M1 N1 · N1−1 Mi′ qaT + pa M1 N2 · N2−1 Mi′′ qaT mod g
CTW from its storage space. = pa M1 · Mi′ qaT + pa M1 · Mi′′ qaT mod g
= pa (M1 · Mi′ + M1 · Mi′′ )qaT mod g (15)
Algorithm 2 delete algorithm
= pa (M1 · M1−1 )qaT mod g
Input: D,D,vj
Output: D,D = pa · qaT mod g.
1: D = D + {vj } Similar to M1, the matrix M2 can also be re-
2: send vj to the search doctors placed by (M2 N3 , M2 N4 ) in a patient’s secret key and
3: D = D − {vj } (N3−1 Mi′′′ , N4−1 Mi′′′′ ) in each doctor’s secret key, where
4: return D,D (N3 , N4 ) are all (m + d + 1) × (m + d + 1) invertible matrices.
The improved point is that we achieve the keyword search
• Insert (Fl ): When a patient needs to add a document secretly while each search doctor Ui uses a different secret key,
$F_l$, firstly she generates its index $I_l$, ciphertext $CT_W$ and encrypted document $C_l$, then sends them to the cloud server. After receiving, the cloud server saves them in its own storage space. The operations are shown in Algorithm 3.

Algorithm 3 insert algorithm
Input: D, D
Output: $V_l$, D, D
1: randomly choose an element $v_l$ from D: $v_l \leftarrow_R D$
2: randomly choose $a_l \leftarrow_R \mathbb{Z}_q^*$
3:
$$V_l = \{V_l[i]\} = \begin{cases} a_l, & \text{if } i = v_l, \\ -a_l, & \text{if } i = d+1, \\ \beta^*, & \text{other.} \end{cases} \tag{13}$$
4: D = D − {$v_l$}
5: send $v_l$ to the search doctors
6: D = D + {$v_l$}
7: return $V_l$, D, D

6 ENHANCED SEDSSE II SCHEME WITHOUT KEY SHARING

In our basic searchable encryption system, each search doctor shares the same secret key $K = (S, M_1, M_2)$. This causes a security issue, i.e., key sharing. The trapdoor generated by a search doctor can be decrypted by other search doctors, which will disclose the privacy information of the search doctor. Therefore, we propose an enhanced scheme to solve this problem.

For a patient, based on the secret key $K = (S, M_1, M_2)$, we do not change the binary vector $S$, but $M_1$ and $M_2$. For $M_1$, we replace it as $(M_1 N_1, M_1 N_2)$ where $(N_1, N_2)$ are all $(m+d+1) \times (m+d+1)$ invertible matrices. For a search doctor $U_i$, the corresponding $M_1^{-1}$ in its secret key $K = (S, M_1^{-1}, M_2^{-1})$ will be replaced as $(N_1^{-1} M_i', N_2^{-1} M_i'')$ where $M_i'$ and $M_i''$ are two randomly chosen matrices and $M_i' + M_i'' = M_1^{-1}$. Hence,

i.e., $(N_1^{-1} M_i', N_2^{-1} M_i'', N_3^{-1} M_i''', N_4^{-1} M_i'''')$, which is generated by the patient and sent to the corresponding search doctor. The search doctor $U_j$ with secret key $(N_1^{-1} M_j', N_2^{-1} M_j'')$ cannot decrypt the trapdoor $(N_1^{-1} M_i' q_a^T, N_2^{-1} M_i'' q_a^T)$ generated by $U_i$.

7 SECURITY ANALYSIS

In this section, we analyse the security properties of our proposed scheme.

7.1 Privacy protection of documents, indexes and trapdoors

For safety consideration, only encrypted documents are outsourced to the cloud server. Thus we use the symmetric encryption algorithm (e.g., AES [21]) to encrypt documents, but due to the introduction of ABE technique, the corresponding symmetric secret key $sk$ generated by the patient will not be sent to the authorized doctors immediately. Only the doctors who have the attributes set $L$ satisfying the corresponding access policy $W$ can obtain the secret key $sk$. It prevents the unauthorized doctors from accessing the documents. The confidentiality of indexes and trapdoors is based on the security of kNN scheme. Even though the keyword sets of two documents (or two search keyword sets) are the same, the indexes (or trapdoors) are different. That is because kNN is a non-deterministic algorithm. In our previous design, the same secret key $K$ is shared by all authorized doctors, which would cause key sharing security issue. The doctor can decrypt the trapdoor generated by another doctor using the shared secret key $K$. In order to solve this problem, we make $M$ multiply a matrix $N$ used to confuse $M$, and add the randomness property to $M$ which would be split into two randomly chosen matrices. By using the above method, the key sharing security issue could be avoided, and the trapdoor privacy would be protected. More discussions about security can be found in [20], [16].
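The key splitting of the enhanced scheme can be checked numerically. The following is an added example, not code from the paper or its authors: it covers only the $M_1$ / $q_a$ half of the key (no splitting indicator $S$, no $M_2$), assumes the index is the row vector $p_a$ multiplied by $(M_1 N_1, M_1 N_2)$, uses a toy dimension of 4 in place of $m+d+1$, and all function names and sample vectors are constructed for illustration.

```python
from fractions import Fraction
import random

def matmul(A, B):
    """Product of two matrices given as lists of rows."""
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def inverse(A):
    """Gauss-Jordan inverse over the rationals; ValueError if A is singular."""
    n = len(A)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(A)]
    for c in range(n):
        pivot = next((r for r in range(c, n) if aug[r][c] != 0), None)
        if pivot is None:
            raise ValueError("singular matrix")
        aug[c], aug[pivot] = aug[pivot], aug[c]
        p = aug[c][c]
        aug[c] = [x / p for x in aug[c]]
        for r in range(n):
            if r != c and aug[r][c] != 0:
                f = aug[r][c]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[c])]
    return [row[n:] for row in aug]

def rand_invertible(n, rng):
    """Random small-integer matrix, redrawn until it is invertible."""
    while True:
        M = [[rng.randint(-9, 9) for _ in range(n)] for _ in range(n)]
        try:
            inverse(M)
            return M
        except ValueError:
            continue

def col(v):
    return [[x] for x in v]

def flat(C):
    return [row[0] for row in C]

def patient_setup(n, rng):
    """Patient side: M1 plus the masks N1, N2; the index key is (M1 N1, M1 N2)."""
    M1, N1, N2 = (rand_invertible(n, rng) for _ in range(3))
    return {"M1": M1, "N1": N1, "N2": N2, "index_key": (matmul(M1, N1), matmul(M1, N2))}

def doctor_key(p, rng):
    """Per-doctor key (N1^-1 Mi', N2^-1 Mi'') with Mi' + Mi'' = M1^-1."""
    Mi1 = rand_invertible(len(p["M1"]), rng)
    Mi2 = [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(inverse(p["M1"]), Mi1)]
    return (matmul(inverse(p["N1"]), Mi1), matmul(inverse(p["N2"]), Mi2))

def build_index(index_key, p_a):
    return tuple(matmul([p_a], K)[0] for K in index_key)      # two row vectors

def trapdoor(key, q_a):
    return tuple(flat(matmul(K, col(q_a))) for K in key)      # two column vectors

def score(index, td):
    return sum(a * b for I, T in zip(index, td) for a, b in zip(I, T))

def demo(seed=2017):
    rng = random.Random(seed)
    params = patient_setup(4, rng)            # 4 stands in for m + d + 1
    key_i, key_j = doctor_key(params, rng), doctor_key(params, rng)
    p_a, q_a = [3, 0, 5, 1], [1, 0, 1, 0]     # constructed index and query vectors
    idx = build_index(params["index_key"], p_a)
    td_i, td_j = trapdoor(key_i, q_a), trapdoor(key_j, q_a)
    # Basic scheme: the trapdoor is M1^-1 q_a^T and every doctor holds M1^-1,
    # so any of them can invert it and multiply the query back out.
    td_basic = matmul(inverse(params["M1"]), col(q_a))
    basic_recovered = flat(matmul(params["M1"], td_basic))
    # Enhanced scheme: U_j applies the inverse of her own first key part to
    # U_i's trapdoor and obtains Mj'^-1 Mi' q_a^T, which is not q_a.
    cross = flat(matmul(inverse(key_j[0]), col(td_i[0])))
    return {"plain": sum(a * b for a, b in zip(p_a, q_a)),
            "score_i": score(idx, td_i), "score_j": score(idx, td_j),
            "trapdoors_differ": td_i != td_j,
            "basic_recovered": basic_recovered, "cross_recovered": cross, "q_a": q_a}

if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Both doctors' trapdoors yield the same inner product against the single index because the masks cancel: $p_a M_1 N_1 N_1^{-1} M_i' q_a^T + p_a M_1 N_2 N_2^{-1} M_i'' q_a^T = p_a M_1 (M_i' + M_i'') q_a^T = p_a q_a^T$.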

7.2 Unlinkability of trapdoors

Under Known Background Model, we further consider the linkability of trapdoors which may also cause the disclosure of privacy information, such as: 1) whether two trapdoors search the same keyword; 2) whether two keywords are simultaneously searched in a trapdoor.

Known Background Model: In this model, the cloud server can possess the statistical information from a known comparable dataset which is similar in nature to the targeting dataset.

For the first problem, even though the search keyword sets are the same, the trapdoors are different due to the non-deterministic secure kNN computation, i.e., $Q'$ is randomly split into two vectors $(q_a, q_b)$ according to the splitting indicator $S$. For the second problem, the vectors $(q_a, q_b)$ are encrypted by two matrices $(M_1^{-1}, M_2^{-1})$. Even if a keyword information $Q'[i]$ is leaked, it is impossible to calculate the other keyword information. Such strong security is proven in [20]. Therefore, it is also impossible to deduce whether two keywords are simultaneously searched in a trapdoor. Hence, our schemes achieve the unlinkability of trapdoors.

7.3 Collusion resistance between the cloud server and search users

In general searchable encryption scheme, all outsourced documents are encrypted by the same key. That is very dangerous, i.e., if the cloud server conspires with one search user then it can decrypt all documents outsourced. Therefore, in our schemes, we use ABE technique to encrypt the outsourced documents, so that one search user can only touch a part of documents if and only if she satisfies the corresponding access policy. The effect of collusion between the cloud server and search users can be drastically reduced. Namely, we achieve the goal of controlling the risk of collusion between the cloud server and search users.

7.4 Key non-sharing in search

In our normal kNN based searchable encryption scheme, all search users share the same secret key $(S, M_1, M_2)$. Therefore, the trapdoor generated by one search user can be decrypted by any other search users, which causes disclosure of user’s privacy. In our basic scheme, one doctor’s search request can be decrypted by other doctors, hence we propose an enhanced scheme to solve this problem. In such scheme, the patient’s index is still encrypted by one secret key $(M_1 N_1, M_1 N_2)$, and every doctor $U_i$ uses a different secret $(N_1^{-1} M_i', N_2^{-1} M_i'', N_3^{-1} M_i''', N_4^{-1} M_i'''')$. With this, one doctor cannot decrypt trapdoors of the other doctors, which is more acceptable in the medical data search scheme.

7.5 Forward privacy and backward privacy

Due to the semi-trust property of the cloud server, some historical information may be saved in its own storage space, such as previous queries and deleted documents. Our goal is that the new documents inserted cannot be searched by the previous queries and the new queries cannot be executed over the deleted documents. In our schemes, for legitimate search, there will be:

$$\begin{aligned} \mathrm{Score}(\widetilde{T}, F_j) &= (I_j \cdot Q_{\widetilde{T}}) \bmod \beta \\ &= (P_j' \cdot Q') \bmod \beta \\ &= \Big(P_j \cdot Q + \sum_{i=1}^{d+1} V_j[i] \cdot V'[i]\Big) \bmod \beta \\ &= (P_j \cdot Q + a_j + \beta^* - a_j) \bmod \beta \\ &= P_j \cdot Q. \end{aligned} \tag{16}$$

However, when the previous queries (or the new queries) “touch” the new documents (or the deleted documents), there will be:

$$\begin{aligned} \mathrm{Score}(\widetilde{T}, F_j) &= (I_j \cdot Q_{\widetilde{T}}) \bmod \beta \\ &= \Big(P_j \cdot Q + \sum_{i=1}^{d+1} V_j[i] \cdot V'[i]\Big) \bmod \beta \\ &= (P_j \cdot Q + \beta^* - a_j) \bmod \beta \\ &= (P_j \cdot Q - a_j) \bmod \beta. \end{aligned} \tag{17}$$

Because of the randomization of the parameter $a_j$, the correct relevance score cannot be obtained. Therefore, our schemes can achieve both forward privacy and backward privacy.

TABLE 1: Comparison of Security Level (where I and II represent SEDSSE I and SEDSSE II, respectively). Columns: [9]–[11], [22], [13],[14], I, II. Rows: Privacy protection, Unlinkability, Collusion resistance, Forward privacy, Backward privacy, Key non-sharing.

In summary, we present the comparison results of security level in TABLE 1. It can be seen that all DSSE schemes can achieve privacy protection of documents, indexes and trapdoors as well as unlinkability of trapdoors. Only the ORAM schemes [13], [14] and ours can achieve both of forward privacy and backward privacy. In addition, the proposed SEDSSE II solves the key sharing problem existed in general secure kNN based search schemes.

8 PERFORMANCE EVALUATION

In this section, we evaluate the performance of the proposed schemes compared with other SSE schemes. Specifically, we compare the performance of our schemes with DSSE schemes and SSE schemes, respectively, in terms of storage complexity, updating complexity and the complexity of Index building, Trapdoor generating and Query.

8.1 Comparing with DSSE

8.1.1 Update complexity

In the ORAM schemes [13], [14], we can see the updating complexity is high, as shown in TABLE 2. The general SSE schemes [9], [11] cannot support dynamic updating operations.
On the contrary, the updating complexity of our schemes is just $O(1)$. When a patient wants to update some documents, the other documents outsourced in the cloud server will not be affected.

8.1.2 Storage complexity

As shown in TABLE 2, the storage complexity of our schemes and ORAM schemes [13], [14] are $O(N^2)$ and $O(N + \lambda)$, respectively. In fact, the value of security parameter $\lambda$ should be large enough to achieve corresponding security. As shown in Fig. 2, when we choose $\lambda = 2^{64}$ and $\lambda = 2^{80}$, we can see even though the number of documents is $2^{30}$, the storage complexity of our schemes is lower. In practice, the ORAM schemes store the data in both the search user and the cloud server, which may cause high storage cost of search users. While in the SEDSSE I and SEDSSE II, most data is outsourced to the cloud server, which can be embedded in large storage. Only the number collection D is stored in the search user, and the cost is low.

Fig. 2: Comparison of Storage Complexity (x-axis: Number of documents ($2^x$); y-axis: Storage complexity ($2^x$); curves: SEDSSE_I, SEDSSE_II; ORAM [13],[14] $\lambda = 2^{64}$; ORAM [13],[14] $\lambda = 2^{80}$)

8.1.3 Search complexity

Further, the search complexity of our schemes and ORAM schemes [13], [14] are $O(N^2)$ and O(λ · log2 N), respectively. As shown in Fig. 3, even though the number of documents is $2^{30}$, our schemes have lower search complexity than ORAM schemes.

Fig. 3: Comparison of Search Complexity (x-axis: Number of documents ($2^x$); y-axis: Search complexity ($2^x$); curves: SEDSSE_I, SEDSSE_II; ORAM [13],[14] $\lambda = 2^{64}$; ORAM [13],[14] $\lambda = 2^{80}$)

8.2 Comparing with SSE

8.2.1 Storage overhead

As shown in Fig. 4, for our schemes, the size of each index/trapdoor is linear with the size of dictionary. Hence, our schemes can achieve high efficiency. In contrast, since TRSE [10] needs to encrypt each dimension of index/trapdoor using full homomorphic encryption, its index/trapdoor size is enormous. Note that, in Trapdoor generating and Query phases, the computation and communication overheads are not affected by the number of query keywords. Thus, our schemes are more efficient compared with some multiple-keyword search schemes [23], [24], as their cost is linear with the number of query keywords.

Fig. 4: Size of index/trapdoor

8.2.2 Indexbuild time

In our schemes, each dimension of vector $P_j$ is a relevance score of keyword, i.e., $P_j[i] = \mathrm{Score}(t_i, F_j)$. As shown in Fig. 5, both the size of keyword dictionary and the number of documents will influence the calculation time. We introduce the number collection D to extend $P_j$, so the time is related to the generation of extended vector $V_j$. Then, with the corresponding relevance score vector, our schemes can build the index using secure kNN computation. Moreover, from Fig. 6, we can see the time for building index is dominated by both the size of dictionary and the number of documents. Compared with MRSE [11] and TRSE [10], our schemes also achieve computation efficiency.

Fig. 5: Time for calculating relevance score. (a) For the different size of dictionary with the same number of documents, $N = 6000$. (b) For the different number of documents with the same size of dictionary, $|W| = 6000$.

TABLE 2: Comparison of Performance (Where N is the number of documents, and λ is a security parameter.)

Scheme                    Dynamism   Storage complexity   Search complexity   Updating complexity
SSE [9], [11]             static     O(|W| · N)           O(|W| · N)          N/A
ORAM [13]                 dynamic    O(N + λ)             O(λ · log2 N)       O(λ^3 · log2 N)
ORAM [14]                 dynamic    O(N + λ)             O(λ · log2 N)       O(λ^2 · log2 N)
SEDSSE I and SEDSSE II    dynamic    O(N^2)               O(N^2)              O(1)

Fig. 6: Time for building index. (a) For the different size of dictionary with the same number of documents, $N = 6000$. (b) For the different number of documents with the same size of dictionary, $|W| = 6000$.

8.2.3 Trapdoorgen time

In trapdoor generating phase, MRSE [11] firstly creates a vector according to the search keyword set $\widetilde{T}$, then encrypts the vector by the secure kNN computation scheme. Similarly, TRSE [10] generates a vector and uses homomorphic encryption to encrypt each dimension. In comparison, our schemes also firstly generate the query vector $Q$. The time to generate the extended vector $Q'$ is related with the number collection D. Even if the vectors are the same for multiple queries, the trapdoors will not be the same due to the security of kNN computation scheme. Therefore, the computation costs of MRSE [11] and our basic scheme in trapdoor generating phase are the same. As shown in Fig. 7, the time for generating trapdoor is dominated by the size of dictionary, instead of the number of query keywords. Hence, our schemes are also very efficient in trapdoor generating phase.

Fig. 7: Time for generating trapdoor. (a) For the different size of dictionary with the same number of query keywords, $|\widetilde{W}| = 20$. (b) For the different number of query keywords with the same size of dictionary, $|W| = 6000$.

8.2.4 Query time

As both MRSE [11] and our basic scheme adopt the secure kNN computation scheme, the time for query is the same. The computation overhead in query phase, as shown in Fig. 8, is greatly affected by the size of dictionary and the number of documents, and almost has no relation to the number of query keywords. We can see that our schemes can also achieve efficiency in the query phase.

Fig. 8: Time for query. (a) For the different size of dictionary with the same number of documents, $N = 6000$. (b) For the different number of documents with the same size of dictionary, $|W| = 6000$.

Overall, our schemes are efficient in terms of storage complexity, updating complexity and the complexity of Index building, Trapdoor generating and Query. Specifically, the updating overhead of our schemes can be almost negligible, which is more practical than other SSE or DSSE schemes.

Discussions: It is a promising idea to develop the approximation algorithm to help hide the key information from the aspect of privacy-preserving data mining. However, as a work mainly focuses on the encrypted searching, in this paper, we mostly pay our attention to privacy-preserving search, search functionality and search efficiency. Such a setting has been widely used in many recent related works [8], [9], [11], [25]. With an in-depth study on the problem of encrypted searching in current step, it is our intention to release the assumptions in the future to make the work applicable to privacy-preserving data mining.

9 RELATED WORKS

9.1 Static SSE

The concept of SPE was first proposed by Boneh et al. [26], which supports single keyword search on encrypted data but the computation overhead is heavy. Curtmola et al. [27] refined the definition of SSE later. After this work, Boneh et al. [24] proposed conjunctive, subset, and range queries on encrypted data. Recently in static searchable symmetric
encryption, Wang et al. have developed the ranked keyword search scheme in [8] and proposed a novel scheme supporting similarity search in [25]. However, these schemes cannot efficiently support multi-keyword search. To overcome this problem, Sun et al. [9] proposed a multi-keyword scheme which also considers the relevance scores of keywords, and it can achieve efficient query by utilizing the multidimensional tree technique. In [10], Yu et al. proposed a multi-keyword top-k retrieval scheme with fully homomorphic encryption, which can return ranked results and achieve high security. Cao et al. [11] proposed a multi-keyword ranked search scheme, which can return ranked results of searching according to the number of matching keywords and its extended versions achieve higher efficiency. As mentioned by Ren et al. [28], there still exist many security challenges for public clouds.

9.2 Dynamic SSE

The concept of DSSE can be referred to Song et al. [29], which explicitly considers the problem of searchable encryption and can support insertions/deletions of documents in a straightforward way. However, the straightforward way causes heavy overhead of updating. Kamara et al. [22] proposed a dynamic scheme which achieves security against adaptive chosen-keyword attacks and can add and delete documents efficiently. Two schemes with sublinear search and updating time were developed in [12], [30], and such schemes have better security property, i.e., forward privacy. Besides, some ORAM schemes [13], [14] seem to be the most secure way to query encrypted data, which can achieve both forward and backward privacy but they are of high updating complexity which limits their application in practice. Recently, Yuan et al. [31] have made several significant contributions in the area of image-centric social discovery.

10 CONCLUSION

In this paper, we propose two dynamic searchable encryption schemes with high security level. The first one can not only achieve collusion resistance between the cloud server and search users, but also can achieve both forward privacy and backward privacy. The second one further solves the key sharing problem which widely exists in the kNN based searchable encryption scheme. Performance evaluation demonstrates that the proposed schemes can achieve better efficiency than the existing works in terms of storage, search and updating complexity. Extensive experiments demonstrate the efficiency of our schemes in terms of storage overhead, index building, trapdoor generating and query.

ACKNOWLEDGMENT

This work is supported by the National Natural Science Foundation of China under Grants 61472065, U1233108, U1333127, and 61272525, the International Science and Technology Cooperation and Exchange Program of Sichuan Province, China under Grant 2014HH0029, China Postdoctoral Science Foundation funded project under Grants 2014M552336 and 2015T80972, and State Key Laboratory of Information Security foundation Open Foundation under Grant 2015-MS-02.

REFERENCES

[1] M. Li, S. Yu, K. Ren, and W. Lou, “Securing personal health records in cloud computing: Patient-centric and fine-grained data access control in multi-owner settings,” in Security and Privacy in Communication Networks. Springer, 2010, pp. 89–106.
[2] A. M.-H. Kuo, “Opportunities and challenges of cloud computing to improve health care services,” Journal of medical Internet research, vol. 13, no. 3, 2011.
[3] M. Li, S. Yu, Y. Zheng, K. Ren, and W. Lou, “Scalable and secure sharing of personal health records in cloud computing using attribute-based encryption,” IEEE Transactions on Parallel and Distributed Systems, vol. 24, no. 1, pp. 131–143, 2013.
[4] L. M. Vaquero, L. Rodero-Merino, J. Caceres, and M. Lindner, “A break in the clouds: towards a cloud definition,” ACM SIGCOMM Computer Communication Review, vol. 39, no. 1, pp. 50–55, 2008.
[5] H. Liang, L. X. Cai, D. Huang, X. Shen, and D. Peng, “An smdp-based service model for interdomain resource allocation in mobile cloud networks,” IEEE Transactions on Vehicular Technology, vol. 61, no. 5, pp. 2222–2232, 2012.
[6] M. M. Mahmoud and X. Shen, “A cloud-based scheme for protecting source-location privacy against hotspot-locating attack in wireless sensor networks,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 10, pp. 1805–1818, 2012.
[7] Q. Shen, X. Liang, X. Shen, X. Lin, and H. Luo, “Exploiting geo-distributed clouds for e-health monitoring system with minimum service delay and privacy preservation,” IEEE Journal of Biomedical and Health Informatics, vol. 18, no. 2, pp. 430–439, 2014.
[8] C. Wang, N. Cao, K. Ren, and W. Lou, “Enabling secure and efficient ranked keyword search over outsourced cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 23, no. 8, pp. 1467–1479, 2012.
[9] W. Sun, B. Wang, N. Cao, M. Li, W. Lou, Y. T. Hou, and H. Li, “Verifiable privacy-preserving multi-keyword text search in the cloud supporting similarity-based ranking,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 11, pp. 3025–3035, 2014.
[10] J. Yu, P. Lu, Y. Zhu, G. Xue, and M. Li, “Towards secure multi-keyword top-k retrieval over encrypted cloud data,” IEEE Transactions on Dependable and Secure Computing, vol. 10, no. 4, pp. 239–250, 2013.
[11] N. Cao, C. Wang, M. Li, K. Ren, and W. Lou, “Privacy-preserving multi-keyword ranked search over encrypted cloud data,” IEEE Transactions on Parallel and Distributed Systems, vol. 25, no. 1, pp. 222–233, 2014.
[12] E. Stefanov, C. Papamanthou, and E. Shi, “Practical dynamic searchable encryption with small leakage,” in Proceedings of NDSS, 2014.
[13] M. T. Goodrich and M. Mitzenmacher, “Privacy-preserving access of outsourced data via oblivious ram simulation,” in Automata, Languages and Programming. Springer, 2011, pp. 576–587.
[14] D. Cash, A. Küpçü, and D. Wichs, “Dynamic proofs of retrievability via oblivious ram,” in Advances in Cryptology–EUROCRYPT. Springer, 2013, pp. 279–295.
[15] Y. Yang, H. Li, L. Wenchao, H. Yang, and W. Mi, “Secure dynamic searchable symmetric encryption with constant document update cost,” in Proceedings of GLOBECOM. IEEE, 2014, pp. 775–780.
[16] S. Luo, J. Hu, and Z. Chen, “Ciphertext policy attribute-based proxy re-encryption,” in Information and Communications Security. Springer, 2010, pp. 401–415.
[17] R. Brinkman, Searching in encrypted data. University of Twente, 2007.
[18] Y. Ishai, E. Kushilevitz, R. Ostrovsky, and A. Sahai, “Cryptography from anonymity,” in 47th Annual IEEE Symposium on Foundations of Computer Science, 2006, pp. 239–248.
[19] J. Zobel and A. Moffat, “Exploring the similarity space,” in ACM SIGIR Forum, vol. 32, no. 1, 1998, pp. 18–34.
[20] W. K. Wong, D. W.-l. Cheung, B. Kao, and N. Mamoulis, “Secure knn computation on encrypted databases,” in Proceedings of ACM SIGMOD International Conference on Management of data, 2009, pp. 139–152.
[21] N. Ferguson, R. Schroeppel, and D. Whiting, “A simple algebraic representation of rijndael,” in Selected Areas in Cryptography. Springer, 2001, pp. 103–111.
[22] S. Kamara, C. Papamanthou, and T. Roeder, “Dynamic searchable symmetric encryption,” in Proceedings of the ACM conference on Computer and communications security. ACM, 2012, pp. 965–976.
[23] P. Golle, J. Staddon, and B. Waters, “Secure conjunctive keyword search over encrypted data,” in Applied Cryptography and Network Security. Springer, 2004, pp. 31–45.
[24] D. Boneh and B. Waters, “Conjunctive, subset, and range queries on encrypted data,” in Theory of cryptography. Springer, 2007, pp. 535–554.
[25] C. Wang, K. Ren, S. Yu, and K. M. R. Urs, “Achieving usable and privacy-assured similarity search over outsourced cloud data,” in Proceedings of IEEE INFOCOM, 2012, pp. 451–459.
[26] D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, “Public key encryption with keyword search,” in Advances in Cryptology–Eurocrypt. Springer, 2004, pp. 506–522.
[27] R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, “Searchable symmetric encryption: improved definitions and efficient constructions,” in Proceedings of ACM CCS, 2006, pp. 79–88.
[28] K. Ren, C. Wang, and Q. Wang, “Security challenges for the public cloud,” IEEE Internet Computing, vol. 16, no. 1, pp. 69–73, Jan 2012.
[29] D. X. Song, D. Wagner, and A. Perrig, “Practical techniques for searches on encrypted data,” in IEEE Symposium on Security and Privacy, 2000, pp. 44–55.
[30] F. Hahn and F. Kerschbaum, “Searchable encryption with secure and efficient updates,” in Proceedings of CCS. ACM, 2014, pp. 310–320.
[31] X. Yuan, X. Wang, C. Wang, A. Squicciarini, and K. Ren, “Enabling privacy-preserving image-centric social discovery,” in Proceedings of IEEE ICDCS, 2014, pp. 198–207.