VABKS: Verifiable attribute-based keyword search over outsourced encrypted data

Qingji Zheng, Shouhuai Xu, Giuseppe Ateniese
2014 IEEE INFOCOM 2014 - IEEE Conference on Computer Communications  
It is common nowadays for data owners to outsource their data to the cloud. Since the cloud cannot be fully trusted, the outsourced data should be encrypted. This however brings a range of problems, such as: How should a data owner grant search capabilities to the data users? How can the authorized data users search over a data owner's outsourced encrypted data? How can the data users be assured that the cloud faithfully executed the search operations on their behalf? Motivated by these questions, we propose a novel cryptographic solution, called verifiable attribute-based keyword search (VABKS). The solution allows a data user, whose credentials satisfy a data owner's access control policy, to (i) search over the data owner's outsourced encrypted data, (ii) outsource the tedious search operations to the cloud, and (iii) verify whether the cloud has faithfully executed the search operations. We formally define the security requirements of VABKS and describe a construction that satisfies them. Performance evaluation shows that the proposed schemes are practical and deployable.

Attribute-Based Encryption (ABE). ABE is a popular method for enforcing access control policies via cryptographic means. Basically, this technique allows entities with proper credentials to decrypt a ciphertext that was encrypted according to an access control policy [1]. Depending on how the access control policy is enforced, there are two variants: KP-ABE (key-policy ABE), where the decryption key is associated with the access control policy [2], and CP-ABE (ciphertext-policy ABE), where the ciphertext is associated with the access control policy [3]. ABE has been enriched with various features (e.g., [4]-[7]). In this paper, we use ABE to construct a new primitive called attribute-based keyword search (ABKS), by which keywords are encrypted according to an access control policy and data users with proper cryptographic credentials can generate tokens that can be used to search over the outsourced encrypted data. This effectively prevents a data owner from knowing the keywords a data user is searching for, while requiring no interactions between the data users and the data owners/trusted authorities. This is in contrast to [8], where the data users interact with the data owners/trusted authorities to obtain search tokens.

Keyword Search over Encrypted Data. This technique allows a data owner to generate some tokens that can be used by a data user to search over the data owner's encrypted data. Existing solutions for keyword search over encrypted data can be classified into two categories: searchable encryption in the symmetric-key setting (e.g., [9]-[18]) and searchable encryption in the public-key setting (e.g., [8], [19]-[22]). Several variants (e.g., [23]-[26]) have been proposed to support complex search operations. Moreover, searchable encryption in the multi-user setting has been investigated as well [12], [27], where the data owner can enforce an access control policy by distributing some (stateful) secret keys to the authorized users. However, none of these solutions solves the problem we study, because (i) some of these solutions require interactions between the data users and the data owners (or a trusted proxy, such as a trapdoor generation entity [8]) to grant search capabilities, and (ii) all these solutions (except [18]) assume that the server faithfully executed search operations. In contrast, our solution allows a data user with proper credentials to issue search tokens by which the cloud can perform keyword search operations on behalf of the user, without requiring any interaction with the data owner. Moreover, the data user can verify whether or not the cloud has faithfully executed the keyword search operations. This is true even for the powerful technique called predicate encryption [28], [29], which does not offer the desired verifiability.

Verifiable Keyword Search. Recently, verifiable keyword search solutions have been proposed in [30]-[32], where each keyword is represented as a root of some polynomial. It is possible to check whether a keyword is present by evaluating the polynomial on the keyword and verifying whether the output is zero or not. However, these approaches work only when keywords are sent in plaintext to the cloud, and are not suitable for our purpose because the cloud should not learn anything about the keywords. It is worth mentioning that the secure verifiable keyword search in the symmetric-key setting [18] can be insecure in the public-key setting because the attacker can infer keywords in question via an off-line keyword guessing attack (in lieu of the off-line dictionary attack against passwords).

Paper Organization: Section II reviews some cryptographic preliminaries. Section III defines ABKS and its security properties, presents KP-ABKS and CP-ABKS schemes and analyzes their security properties. Section IV defines VABKS and its security properties, presents the VABKS construction and analyzes its security. Section V evaluates the performance of the ABKS and VABKS schemes. Section VI concludes the paper.

II. PRELIMINARIES

Let $a \leftarrow S$ denote selecting an element $a$ from a set $S$ uniformly at random, $\|$ denote the concatenation operation and $\mathsf{string}(S)$ denote the concatenation of elements of $S$ ordered by their hash values. Let $U = \{at_1, \ldots, at_n\}$ be a set of attributes that are used to specify access control policies.
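
The polynomial-root membership check described under Verifiable Keyword Search above, as an added example that is not taken from the paper or from the schemes in [30]-[32]: keywords are hashed into a prime field and the index is the polynomial whose roots are those hashes. The hash (SHA-256), the modulus 2^127 - 1, the function names and the sample keywords are assumptions of this sketch, and it shows only the zero test, not the proofs those schemes attach to it.

```python
import hashlib

# Assumption of this sketch: arithmetic in the prime field of order 2^127 - 1.
P = 2**127 - 1


def h(keyword: str) -> int:
    """Map a keyword to a field element (SHA-256 reduced mod P, an assumption)."""
    digest = hashlib.sha256(keyword.encode("utf-8")).digest()
    return int.from_bytes(digest, "big") % P


def build_index(keywords):
    """Coefficients (lowest degree first) of prod_w (x - h(w)) mod P."""
    coeffs = [1]
    for w in keywords:
        r = h(w)
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - r * c) % P      # contribution of -r * c_i * x^i
            nxt[i + 1] = (nxt[i + 1] + c) % P  # contribution of c_i * x^(i+1)
        coeffs = nxt
    return coeffs


def evaluate(coeffs, x: int) -> int:
    """Horner evaluation of the index polynomial at x, mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def contains(coeffs, keyword: str) -> bool:
    """Keyword is present iff the polynomial vanishes at h(keyword).

    The evaluator must be handed the keyword (or its unkeyed hash) in the
    clear, which is the limitation the text points out: whoever runs this
    check learns what is being searched for.
    """
    return evaluate(coeffs, h(keyword)) == 0


if __name__ == "__main__":
    # Constructed sample keyword set.
    index = build_index(["invoice", "payroll", "audit"])
    for query in ("payroll", "salary"):
        print(query, contains(index, query))
```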
doi:10.1109/infocom.2014.6847976 dblp:conf/infocom/ZhengXA14 fatcat:g4vpm4wrn5afnenwa2ah4dl6z4