Conjunctive and Disjunctive Keyword Search over Encrypted Mobile Cloud Data in Public Key System

The searchable encryption scheme can perform keywords search operation directly over encrypted data without decryption, which is crucial to cloud storage, and has attracted a lot of attention in these years. However, it is still an open problem to develop an eﬃcient public key encryption scheme supporting conjunctive and a disjunctive keyword search simultaneously. To achieve this goal, we introduce a keyword conversion method that can transform the query and index keywords into a vector space model. Through applying a vector space model to a predicate encryption scheme supporting inner product, we propose a novel public key encryption scheme with conjunctive and disjunctive keyword search. The experiment result demonstrates that our scheme is more eﬃcient in both time and space as well as more suitable for the mobile cloud compared with the state-of-art schemes.


Introduction
With the rapid development of the cloud computation accompanied by the boosting amount of data, more and more enterprises and individuals are willing to share their own data on the cloud platform.Because the data stored in the cloud may be sensitive, such as medical records, the popularity of the cloud storage inevitably brings its users security concern.Specifically, hacker attack and administrator theft can lead to data leakage.In order to protect the data privacy, encrypting data before outsourcing it on the cloud server is a common way.However, users still confront the problem of how to search the encrypted data stored on the cloud efficiently.A straightforward approach is to download all the encrypted data to the clients and then decrypt them all.After obtaining all the unencrypted data, users can search the document by using common information retrieval technical.Nevertheless, this strategy needs tremendous cost of transportation, storage, and computation, which brings a new issue: how to search encrypted data efficiently without decrypting it first.
Many searchable encryption (SE) schemes were proposed to realize keyword search over encrypted data with various search functions.ere are two main categories of SE according to its applications: searchable public key encryption and searchable symmetric key encryption.Over the last few years, many searchable symmetric key encryption schemes have been proposed, which achieve complex search conditions such as Boolean keyword search, personal keyword search, and query result ranking [1][2][3][4].However, the development of searchable public key encryption is relatively slow since it is difficult to support advanced search function without sacrificing security.Specifically, a scheme supporting Boolean keyword search in the public key setting is still in urgent demand.To meet this need, one should solve two subproblems: public key encryption with conjunctive keyword search (PECK) and public key encryption with disjunctive keyword search (PEDK).Park et al. presented the formal model and the security definition of PECK followed by two constructions [6].
en Hwang and Lee [5] introduced a concept of multiuser PECK as well as a more efficient scheme with less search time.But all these schemes require keyword fields.To eliminate the keyword fields, Boneh and Waters [11] presented a hidden vector encryption (HVE) scheme supporting conjunctive search, comparison queries, and subset queries on encrypted data.Recently, Zhang and Zhang proposed a new PECK scheme with less storage space and query time [12].
However, the research process of PEDK is very slow.In order to support disjunction formulae, Katz et al. gave a predicate encryption supporting inner product (IPE) scheme [7]. is scheme enables more complex evaluations on disjunction, conjunction, and polynomial formulae.In an IPE scheme, the secret key corresponding to a predicate vector v → can decrypt the ciphertext associated with an attribute vector x → if and only if x → • v → � 0. Unfortunately, the IPE scheme mentioned above was proved in a selective security model.To improve its security level, Lewko et al. presented a fully secure IPE scheme [23] by using dual system encryption introduced in [13].
Although we can create an PEDK scheme by making use of an IPE scheme and a trivial method presented in [6], the time complexities of the encryption and the test in this PEDK scheme are both O(2 n ), where n is the number of the keywords in a document.In addition, the storage cost of an index also encounters exponential increase.erefore, this scheme is not practical when n is large.Besides, if a user wants to perform a conjunctive and a disjunctive keyword query simultaneously, a PEDK and a PECK scheme should be constructed and maintained together.To construct a more efficient PEDK scheme supporting conjunctive keyword search simultaneously, Zhang and Lu proposed an approach of converting an IPE scheme into a public key encryption with conjunctive and disjunctive keyword search (PECDK) scheme and gave a concrete scheme [15].In their scheme, the size of each document's index, the size of a trapdoor, and the time cost of pairing operations in the test process are all O(N).Since N is a large integer and seen as the number of keywords in a dictionary, there is still a great room to improve the efficiency of the previous PECDK scheme.
In this paper, we first propose a new method that can change an IPE scheme into a PECDK scheme and then give an instance.Our contributions are summarized as follows.
(1) We design a new approach, which converts an index keyword set and a query keyword set into an attribute matrix and a predicate vector, respectively.Technically, we first use the index keyword set to construct an equation of degree n with one unknown.en, we apply coefficients and the roots of the equation to create a predicate vector and an attribute matrix, respectively.
(2) We propose a construction of PECDK based on the method mentioned in (1) and an efficient IPE scheme proposed in [23].We also prove the security of our PECDK scheme according to the security definition introduced in [15].e experiment shows that compared with the previous PECDK scheme, the time complexity of keyword search and that of index construction are both reduced from O(N) to O(n 2 ), where n ≪ �� N √ , so is the space cost of encrypted index.Since N is much larger than n, for example, n is less than 20 while N is large than 10000, we can argue that the proposal is suitable for the mobile setting.

Organization.
e rest of this paper is organized as follows.Related work is discussed in Section 2, and Section 3 gives the model of PECDK together with its security model.Section 4 firstly introduces our transformation method, then proposes a concrete PECDK scheme based on our approach, and finally presents its security proof.We present the theoretical and experimental analysis in Section 5. Section 6 covers the conclusion.

Related Work
Searchable encryption schemes enable the clients to store the encrypted data to the cloud and execute keyword search over ciphertext domain.us, our solution belongs to this field.Due to different cryptography primitives, searchable encryption schemes can be classified into public key system and symmetric key system.
Song et al. first introduced the definition of searchable symmetric encryption and proposed a concrete scheme [1].
en Goh defined the concept of conjunctive keyword search over encrypted data and presented an effective scheme by taking advantage of the Bloom filter [2].In addition, he also gave a formal security definition of searchable symmetric encryption.According to this scheme, some improved schemes with less computation and communication cost were proposed in [3][4][5].However, the search time cost in these schemes is linear with the number of the documents in a dataset since each document needs an encrypted keyword index.To reduce the time cost of search, some works utilized the tree structure, such as R-tree and kd-tree, to obtain a sublinear search efficiency [8,9].Considering the issues that returning all related documents will bring network traffic and the previous schemes fail to sort search results, rank search schemes realizing a quick search of top-k relevant documents were proposed in [16][17][18].ese works only supported single keyword search due to using order-preserving encryption (OPE) [14].Recently, some schemes achieving multikeywords rank search were presented in [19,20].
With slower development than searchable symmetric encryption, searchable public key encryption is also difficult to support complex query condition.Boneh et al. brought up the new concept of PEKS and provided several constructions [10] related to the Identity-Based Encryption (IBE) presented in [21].Based on that, Abdalla et al. specified the computational and statistical consistency of PEKS and proposed a statistically consistent scheme [22].However, their works only supported a single keyword search.Park et al. raised a concept of PECK in [6].ey defined the security model of this mechanism followed by two constructions.One needs more bilinear pairing operations, while the other needs more private keys.en Hwang and Lee designed a more efficient scheme as well as introduced a multiuser PECK scheme that enables multiusers keyword search [5].To avoid the usage of keyword field just like all the constructions mentioned above did, Boneh and Waters presented the hidden vector encryption (HVE), a public key system supporting conjunctive keyword search, comparison queries, and subset queries on encrypted data [11].For achieving disjunctive keyword search without keyword field, 2 Mobile Information Systems Katz et al. proposed an IPE scheme [7].To improve the security level and the decryption e ciency, fully secure IPE schemes were proposed in [23,24].In addition, the previous schemes fail to support conjunctive keyword search and disjunctive keyword search at the same time.Addressing this issue, Zhang and Lu proposed a PECDK scheme [15].Another class of searchable encryption is called range search over encrypted data.It can be used to test whether a multidimension point is inside in a hyperrectangle.Related works were presented in [25][26][27].

e System Model.
Consider a data storage service in cloud, where a data owner has a set of documents D to be outsourced to the cloud server in an encrypted form.To enable e cient query over encrypted documents, we consider the keyword-based index structure for storing the outsourced les.Speci cally, the data owner builds an encrypted searchable index set C with each document's keywords, and then both the encrypted index set C and the encrypted document set Enc(D) are outsourced to the cloud server.For each query of an arbitrary keyword set Q, a data user computes a search token TK Q of the query Q and sends it to the cloud server.Upon receiving TK Q from the data user, the cloud server queries over the encrypted index set C and returns the candidate encrypted documents.Finally, the data user decrypts the candidate documents and veri es each document by checking the existence of the keyword.
e application scene of the searchable public key encryption involves three roles: data senders, a data receiver, and a cloud server, as illustrated in Figure 1.In this scene, the data receiver performs keyword search, generates a public key (pk) and a secret key (sk), and sends the pk to the public.Anyone who can access the pk is recognized as a data sender.Data senders send their encrypted documents with the related encrypted index to the cloud server.e cloud server stores the encrypted documents and the encrypted searchable indexes for data senders.In addition, we assume that the cloud server is "honest-but-curious" employed by many works on searchable encryption.When the data receiver processes keywords search, one generates a trapdoor of these keywords and sends it to the cloud server.Upon receiving trapdoor from the data receiver, the cloud server queries over each document's encrypted index and returns the candidate encrypted documents.
In this paper, we focus on the searchable public key encryption supporting conjunctive and disjunctive keyword search.Strictly speaking, we present a formal de nition PECDK model derived from the model proposed in [15].

De nition 1.
ere are four polynomial time algorithms in the PECDK scheme: KeyGen, IndexBuild, Trapdoor, and Test: (i) KeyGen(c): Choosing a security parameter c, the algorithm outputs the parameter (pk, sk), where pk is the public key and sk is the secret key.(ii) IndexBuild(pk, W): e algorithm is performed by the sender to produce an encrypted index I W by using a keyword set W w 1 , w 2 , . . ., w n and pk.(iii) Trapdoor(sk, Q, sym): e receiver runs this algorithm to produce a trapdoor.It takes sk and the keyword query Q, sym as input to generate a trapdoor , the secure index I W , and the public key pk as input.If sym is ∧, it means that the trapdoor is for conjunctive keyword search.In this case, the output is Mobile Information Systems 3

Security Model.
Generally speaking, the security of a searchable encryption means that the cloud server can infer as little information as possible from the encrypted data and the search process without sacrificing the search ability.Before introducing the adaptive security definition of our scheme, we first define the privacy leakage, which is revealed to the cloud server inevitably.

Size Pattern.
Since the encrypted documents and queries are submitted to the cloud server, the cloud server can obtain the basic size information of these encrypted data easily.is is called the leakage of size pattern.

Access Pattern.
For each query, the cloud server can obtain the identifiers of data records that match this query.is is called the leakage of access pattern.
, cloud server can create a n × t matrix, where the element in the ith row and jth column is 1, if the record D i matches the query Q j .e matrix can be seen as the leakage of search pattern.
Actually, Oblivious RAM can be utilized to preserve access and search pattern, but this technique is too inefficient to be used in the real applications.In this paper, we do not consider the problem of how to protect access pattern and search pattern in our scheme.

Query Privacy.
e leakage of query privacy means that keywords in the encrypted query will be revealed to the cloud server.It commonly exists in the public key setting since anyone can construct an encrypted index for arbitrary keywords.Because of belonging to public key encryption category, our scheme fails to protect query privacy.
As previous works, we denote the information leakage including size pattern, access pattern, search pattern, and query privacy as leakage function L(D, I, Q), where D is a record set, I is a secure index, and Q is a query set.

Adaptive Security.
With the leakage function mentioned above, we introduce an adaptive security definition of the PECDK scheme related to the one proposed in [15] as follows.
Definition 2. A PECDK scheme is adaptively index-hiding against chosen plaintext attacks if for all probabilistic polynomial time adversaries A, the advantage of A in the following game is negligible. ( en, C picks a random bit β ∈ 0, 1 { }, produces I β � IndexBuild (pk, W β ), and sends I β , W 0 , W 1    to A. (4) Phase 2: A can continue to ask for trapdoors for any query of his choice, and these trapdoors subject to the same restriction as before.(5) Response: A outputs β ′ ∈ 0, 1 { } and wins the game if β ′ � β.
We define A's advantage in the above game as Generally speaking, as long as the information leakage of W 0 and that of W 1 are the same under the leakage function L(D, I, Q), we should insure that the encrypted form of W 0 and that of W 1 are computationally indistinguishable to the adversary.

Proposed PECDK Scheme
Based on the system and security model descried in the previous section, in this section, we present the method that converting index and query keyword sets into a vector space model.is model can be applied to an IPE scheme easily.

Conversion Method.
We suppose that any keyword w can be expressed as 0, 1 { } * and define a function Since p is a large prime and is larger than the number of the all words, H 1 can be collision-resistance. is means that, if i ≠ j, then H 1 (w i ) ≠ H 1 (w j ), where w i and w j are two distinct keywords.
We first construct an equation of degree n with one unknown by using the index and query keyword sets.After that, we use the roots and coefficients of the equation to create a query vector and an index matrix.Let W � w 1 , w 2 , . . ., w n   and Q � q 1 , q 2 , . . ., q m   are two keyword sets, where m < n. e approach is described as follows: (1) For the keyword set Q � q 1 , q 2 , . . ., q m  , the following function can be constructed: According to the coefficient of the f(x), a vector a → � a 0 , a 1 , . . ., a m   can be obtained.
(2) For the keyword set W � w 1 , w 2 , . . ., w n  , the following function can be constructed: Mobile Information Systems It is not difficult to find that the roots of the equation g(x) � 0 are H 1 (w 1 ),H 1 (w 2 ), . . ., H 1 (w n ).According to the above roots, a matrix can be constructed: (3) Note that if there is a keyword As a result, if we can make sure there is a → • M i � �→ � 0 for each i or some i, a conjunctive or disjunctive query can be obtained when applying the method above.Based on this, a concrete PECDK scheme will be proposed in next section.

Construction Details.
According to the definition of IPE [13] en it outputs a trapdoor T Q � t Q , sym  .(iv) Test: Given a T Q , a I W , and the pk, there are two situations.
(1) If the symbol in T Q is ∨, the algorithm works as follows.
(a) Choosing a counter i and setting i � 1.(b) If i > n, then go to step (c), otherwise the algorithm computes R � Dec (pk, I W , T Q ).
If R � 1, then the algorithm outputs 1 and ends.Otherwise, it sets i � i + 1 and goes to the step (b).(c) e algorithm outputs 0 and ends.
(2) If the symbol in T Q is ∧, the algorithm works as follows.
(a) Choosing two counters i and j and setting i � 1 and j � 1.(b) If i > n, then go to step (c), otherwise the algorithm computes R � Dec (pk, I W , T Q ).
If R � 1, then the algorithm sets j � j + 1.Otherwise, it does nothing.After that, it sets i � i + 1 and goes to the step (b).(c) If j � m, the algorithm outputs 1 and ends.
Otherwise, it outputs 0 and ends.

Security Proof.
e proposed PECDK scheme can be constructed by making use of the fully secure IPE scheme.erefore, we have the following proposition.
Proposition 1.If the IPE scheme is secure, then our PECDK scheme is secure.
Proof Sketch: If there is a PPT algorithm A which can break the PECDK scheme, we can say that A can break the IPE scheme.To create pk and sk in the PECDK scheme, the challenger C uses the Setup IPE algorithm to generate pk IPE , sk IPE , and sets pk � pk IPE and sk � sk IPE .A can adaptively query trapdoors of keyword set Q 1 , Q 2 , . . ., Q t  .It is not difficult to find that these trapdoors can be seen as a group of decryption keys for the IPE scheme.en A outputs two challenge keyword sets W 0 and W 1 , under a constraint that { } and gives an index I W β to A. is index can be seen as a set of challenge ciphertexts of IPE.After this, A can continue querying trapdoors which subject to the restriction described above.ese trapdoors can still be seen as a group of decryption keys for IPE.Finally, A gives a guess β ′ .Note that if A can break the PECDK scheme, the value of |Pr[β ′ � β] − (1/2)| is not negligible.It means that the two challenge indices can be distinguished.Because the challenge indices in the PECDK scheme is equal to the challenge ciphertext in the IPE scheme, according to the security definition for IPE, it means that A can break the IPE scheme.

Cost Analysis.
We denote the previous PECDK scheme [15] as PECDK-2 and the proposal as PECDK-1.Let F � f 1 , f 2 , . . ., f D   be the file set, and W i be the keyword set for the corresponding file f i , where i ∈ [1, D].For each keyword set W i , we build an index of file f i .We assume that n is the number of keywords in W i , m is the number of keywords in a query Q, and N is a large number such as the number of keywords in a dictionary, where N ≫ n. e index and query structures for PECDK-1 and PECDK-2 are illustrated in Figures 2(a) and 2(b), respectively.Note that the index Mobile Information Systems structure in Figure 2 is only for one le f i , and the index for whole les is a simple combination for each le's index.
From Figure 2(a), we can nd that W i is converted into a matrix in which each column is associated with a keyword w ij in W i and represented by a vector w ij → , where j ∈ [1, n].
Correspondingly, the query Q is changed to a vector Q → based on the approach introduced in Section 4. e test algorithm is to verify whether there exists at least one j such that w ij → • Q → equals 0. erefore, PECDK-1 is independent with the vocabulary length N. According to the above analysis, we know that the time complexity for index building, trapdoor generation, and testing is O(n 2 ), O(m), and O(m • n), respectively.From Figure 2(b), we suppose that the vocabulary is de ned as w 1 , w 2 , . . ., w N .For the keyword set W i , the index of W i is initialed by a zero vector with length N which is denoted as W i → .After initialization, if w ij w k , the k-th position of W i → is set to be 1, where j ∈ [1, n] and k ∈ [1, N].Moreover, the vector building process for query Q is the same as that for W i .e test process in PECDK-2 is to check whether W i → • Q → equals 0. According to the above description, it is clear that the time complexities of index building, trapdoor generation and testing are all O(N).
Let |G| represents the size of an element in G, |T e | be the time cost for a pairing operation [28], and |T G | be the time cost for the power operation on G.
e results of the comparison with the PECDK-2 scheme are shown in Table 1.
Since, in the encryption and test phrase, the time cost of the pairing and the power operation are much more than other operations, we do not take account of other operations.According to Table 1, we can argue that compared with the previous PECDK (PECDK-2) scheme, the proposed one (PECDK-1) has better performance on time and space complexity when N > n 2 .
In the following, we will argue that our statement where N ≫ n is true in real world.We investigate data collections used in recent works [31,32] for information retrieval.e statistical information for these data sets are shown in Table 2. From this table, we found that the vocabulary size (N) is commonly linear Table 1: Comparison with the previous PECDK scheme.).However, the number of keywords in a document (n) is usually only 3∼5 (e.g., the scienti c paper).Even if the abstract eld is used as keywords, the number of keywords in a single document is approximately 200.So we can empirically think that N is much bigger than n.Moreover, we have investigated the OHSUMED collection [30] that was created for information retrieval research.In this collection, each document contains several elds, such as title, abstract, sequential identi er, and so on.In our experiment, we use the eld of "title" and "abstract," as well as a le ( le name: ohsumed.87)containing more than 54000 documents for statistics.
e results of this experiment are described in Table 3. Whether we use the "title" or "abstract" eld as keywords, the keywords size n is far less than the vocabulary size N.In conclusion, we think that the statement of N ≫ n is true.
In addition, since PECDK-1 needs to test each keyword w ij in the W i against the query Q one by one, it will leak the information of the keyword set Q ∩ W i .erefore, the proposed scheme is proven to be secure under a weaker security de nition (De nition 2) than the previous one [15].

Experiment Results.
For our experiments, we build arti cial plaintext index with di erent number of keywords in a dictionary (i.e., N 50, 100, 150, 200), di erent number of documents (i.e., D 500, 1000, 1500, 2000), and di erent number of keywords in a document (i.e., n 5,10,15,20).In this index, we denote each keyword as a unique integer in a range [0, N].We encrypted the indices with PECDK-1 and PECDK-2, respectively, and the encrypted indices were stored on our machine.We then executed random queries over these encrypted indices.We implemented our constructions in JAVA with Java Pairing Based Cryptography library (JPBC) [29].Our experiments were run on Intel(R) Core(TM) i7-3520M CPU at 2.90 GHz processor and 3537 MB memory size.In our implementation, the bilinear map is instantiated as Type A pairing (base eld size is 512bit), which o ers a level of security equivalent to 1024-bit DLOG [29].

Performance Comparison Between PECDK-1 and PECDK-2.
For a query with ve keywords, Figures 3 and 4 show the following: According to the item (4), since n and N are two di erent parameters, we need to investigate the in uence extent of the time and space complexity from these two parameters.

Key Generation.
e running time of key generation in PECDK-1 is less than O(n 2 ) while in PECDK-2 is less than O(N 2 ).Since n is much less than N, PECDK-1 is more e cient than PECDK-2 in key generation phase.According to this, we can conclude that the PECDK-1 scheme is more suitable and practical since n is always less than 20 and N is always larger than 10000.

5.2.4.
Trapdoor Generation.Tables 4 and 5 show that the time of trapdoor generation in PECDK-1 is linear with n, while that in PECDK-2 is linear with N. Since n is much less than N, the time cost of building a trapdoor in PECDK-1 is less than that in PECDK-2.e trapdoor generation, unlike the key generation, is not a one-time cost and is performed by the data receiver.erefore, the PECDK-1 scheme is more suitable on mobile cloud where data users possess little computation capacity.3(c) and 4(c) indicate that the time cost of conjunctive keyword search and that of disjunctive keyword search in PECDK-1 are both increasing with n 2 , while those in PECDK-2 are both linearly increasing with N. Speci cally, when n 5, N 200 and D 1000, it takes around 2220 seconds to make a conjunctive or disjunctive keyword search in PECDK-2.According to the property that search time is linear with N, we can also conclude that the time cost of keyword search needs 2220 * 500 seconds when N 10000 and D 1000.But the PECDK-1 scheme only costs approximately 5000 seconds to realize the conjunctive or disjunctive keyword search when n 20 and D 1000.As the same reason mentioned above, the PECDK-1 scheme is more practical than the PECDK-2 one.5(a) and 5(b), we put forward the following arguments:

Storage Overhead. As shown in Figures
(1) e parameters N and n are independent with the storage cost of the index in PECDK-1 and that in PECDK-2, respectively.(2) e storage of the index in PECDK-1rises with the square of n while that in PECDK-2 is linearly related to N. Due to the reason that n is less than 20 and N is larger than 10000 in common, we deem that the proposal is more useful in practice.As illustrated in Figure 5(c), we can nd that both storage overhead in PECDK-1 and that in PECDK-2 are linear with D.
Because n is signi cantly less than N and the increase rate in PECDK-1 is larger than that in PECDK-2, the storage cost in the proposed scheme is less than the previous one when D is large.Mobile Information Systems 5.3.More Comments.Although the index structure, such as inverted document and R-tree, can raise the search efficiency, it fails to support dynamic operations in the public key system.Because anyone who can access the pk can construct an index in this system as well, it is difficult to combine indices obtained from data senders into a structured index.Our proposal can dynamically support document update in nature since each document is associated with an encrypted index.
In addition, because of the simple index structure, we can easily accelerate the search process by utilizing the technique of parallel computation.us, we argue that our scheme is practical in the cloud platform.

Conclusion
In this paper, we proposed a new approach to construct an efficient PECDK scheme with better performance in time and space complexity under an adaptive security model.To reveal the efficiency of the proposed scheme, we compared it with the existing PECDK scheme presented in [15] through theoretical analysis and experimental results.
Since n and m are much smaller than N, we think that the proposed scheme is beneficial for mobile applications with computation and memory limitations.In the future, we plan to create a new index structure to reduce the time cost of search and index construction.

Figure 1 :
Figure 1: Architecture of the search over encrypted cloud data.

Figure 2 :
Figure 2: Index structure for a single le f i 's keyword set W i , query structure for a query keyword set Q, and testing process for W i and Q in PECDK-1 (a) and PECDK-2 (b), where i ∈ [1, D].

Figure 3 :
Figure 3: Impact of n, N, and D on the time cost of key generation, index construction, conjunctive keyword search (CKS), and disjunctive keyword search (DKS) in PECDK-1 (a) for di erent sizes of n with D 1000 and N 100, (b) for di erent numbers of N with D 1000 and n 5, and (c) for di erent numbers of D with N 100 and n 5.

Figure 4 :
Figure 4: Impact of n, N, and D on the time cost of key generation, index construction, conjunctive keyword search (CKS), and disjunctive keyword search (DKS) in PECDK-2 (a) for di erent sizes of n with D 1000 and N 100, (b) for di erent numbers of N with D 1000 and n 5, and (c) for di erent numbers of D with N 100 and n 5.

5 N
: the number of keywords in an dictionary Total size (kb)

Figure 5 :
Figure 5: Impact of n, N, and D on the storage cost of the index in PECDK-1 and PECDK-2 (a) for di erent sizes of n with D 1000 and N 100, (b) for di erent numbers of N with D 1000 and n 5, and (c) for di erent numbers of D with N 100 and n 5.
1) Setup: e challenger C runs KeyGen(c) algorithm to generate the public key pk and the secret key sk.en C gives pk to the attacker A. Q 2 , sym 2  ,. .., Q t , sym t   are the keyword queries in Phase 1, the only restriction is that, for each (2)Phase 1: e attacker A can adaptively ask the challenger C for the trapdoor T Q for any query Q, sym   of his choice.(3) Challenge: A selects two keyword sets W 0 and W 1 and sends them to C. Suppose that Q 1 , sym 1  , , suppose that Setup IPE , Enc IPE (pk IPE , M, x By using the Setup IPE algorithm, pk IPE and msk IPE can be obtained.e algorithm sets pk � pk IPE and sk � msk IPE and outputs pk and sk.(ii) IndexBuild: Given a keyword set W � {w 1 , w 2 , . . ., w n }, the algorithm generates a matrix M � {M 1 , c 2 , . . ., c n } in which c i � Enc IPE (pk, 1, M i

Table 2 :
Statistics for data collections used in the domain of information retrieval.

Table 3 :
Statistics for documents' information in the OHSUMED collection (#w denotes the number of words per document).

Table 4 :
Impact of n on time consumption of trapdoor generation (m 5, N 100).

Table 5 :
Impact of N time consumption of trapdoor generation (m 5, n 5).
* 500 seconds, which is signi cantly longer than the time of index construction in PECDK-1 with n 20 and D 1000.