Attribute-Based Encryption with Expressive and Authorized Keyword Search

To protect data security and privacy in cloud storage systems, a common solution is to outsource data in encrypted forms so that the data will remain secure and private even if storage systems are compromised. The encrypted data, however, must be pliable to search and access control. In this paper, we introduce a notion of attribute-based encryption with expressive and authorized keyword search (ABE-EAKS) to support both expressive keyword search and fine-grained access control over encrypted data in the cloud. In ABE-EAKS, every data user is associated with a set of attributes and is issued a private attribute-key corresponding to his/her attribute set, and each data owner encrypts the message using attribute-based encryption and attaches the encrypted message with encrypted keywords related with the message, and then uploads the encrypted message and keywords to the cloud. To access encrypted messages containing certain keywords satisfying a search policy, a data user generates a trapdoor for the search policy using his/her private attribute-key and sends it to the cloud server equipped to the cloud. The cloud server searches over encrypted data stored in the cloud for the encrypted messages containing keywords satisfying the search policy and sends back the results to the data user who then decrypts the returned ciphertexts to obtain the underlying messages. We present a generic construction for ABE-EAKS, formally prove its security, give a concrete construction, and then extend the concrete ABE-EAKS scheme to support user revocation. Also, we implement the proposed ABE-EAKS scheme and its extension and study their performance through experiments.