Multiuser Searchable Encryption with Token Freshness Verification

A Multiuser Searchable Encryption (MUSE) can be defined with the notion of Functional Encryption (FE), where a user constructs a search token from a search key issued by an Enterprise Trusted Authority (ETA). In such a scheme, a user possessing a search key constructs a search token at any time and consequently requests the server to search over encrypted data. Thus, an FE based MUSE scheme is not suitable for applications where a log of search activities is maintained at the enterprise site to identify dishonest search queries from any user. In addition, none of the existing searchable schemes provides security against token replay attack to avoid reuse of the same token. In this paper, therefore, we propose an FE based scheme, Multiuser Searchable Encryption with Token Freshness Verification (MUSE-TFV). In MUSE-TFV, a user prepares a one-time usable search token in cooperation with the ETA, and thus every search activity is logged at the enterprise site. Additionally, by verifying the freshness of a token, the server prevents reuse of the token. With formal security analysis, we prove the security of MUSE-TFV against chosen keyword attack and token replay attack. With theoretical and empirical analysis, we justify the effectiveness of MUSE-TFV in practical applications.


Introduction
With the cloud storage infrastructure, one can easily share data with multiple users at a low cost. However, maintaining security and privacy of such data located on the untrusted remote server is nontrivial [1][2][3]. Therefore, a common trend is to upload the encrypted data onto a third-party cloud server. However, extraction of partial information from the stored encrypted data is indeed difficult. The notion of Searchable Encryption (SE) is used to resolve the issue. In SE, a Data Owner prepares a ciphertext by associating a list of encrypted keywords (to be searched) with an encrypted payload message and uploads it onto the Storage Server. Subsequently, a Data User asks the server to search over encrypted data by issuing a search token (of keyword(s)). The server applies a token over available ciphertexts and extracts the data containing that keyword(s) (Figure 1). However, the server learns nothing else about the data while searching. Here, a payload message is encrypted using any standard encryption algorithm, whereas keywords are encrypted with the defined Searchable Encryption algorithm.
There exist numerous Searchable Encryption schemes for a single user [4][5][6][7][8] as well as for multiple users [9][10][11][12][13]. Practically, any single-user Searchable Encryption scheme can be adapted to define a multiuser Searchable Encryption scheme at the cost of a ciphertext size linear to the number of users in the system. Formally, when a single-user searchable scheme is extended to support multiple users, its ciphertext size becomes () for  users that subsequently raises to (|| ⋅ ) for  = {1, 2, . . ., } data items in the system. This ultimately outputs an impractical system with (|| ⋅ ) computational overhead at the Data Owner site and (|| ⋅ ) storage overhead at the server site. As a solution, several Searchable Encryption schemes in [9,10,[14][15][16][17][18][19][20] with a built-in support of multiple users have been devised in recent years. Amongst them, the scheme proposed by Hwang and Lee [9] is a simple extension of a single-user Searchable Encryption with the ciphertext size (|| + || ⋅ ), where || is the number of keywords to be searched. However, this scheme works for a prefixed set of users. In contrast, the schemes in [10,[14][15][16] support dynamic groups of users where joining/leaving a group by a member is entirely controlled by a Data Owner. In addition, the recent schemes in [17][18][19][20] provide Multiuser Searchable Encryption with the notion of Functional Encryption (FE) (Section 2.1) where an Enterprise Trusted Authority (ETA) is responsible for the System Setup and a master public key setup. The most notable characteristic of FE is that a system's master public key is utilized to prepare the searchable ciphertexts and a single ciphertext can serve multiple search tokens (possibly issued by different users). Therefore, such FE based searchable schemes can support multiple users in the system with the optimal storage-computational overhead (i.e., (||)) for the ciphertexts. Additionally, in the schemes [17][18][19][20], a separate search key (related to the master public key) is issued (either by an ETA or by a Data Owner) to each user. Subsequently, a user constructs a search token with an available search key.
The downside is that once a user has a search key, he can prepare a search token at any time. As a result, a dishonest user colluding with the untrusted cloud server can maliciously search the valid data and the system administrator (i.e., ETA) is completely unaware about such adversarial activity. Moreover, with the existing Searchable Encryption mechanisms, there is no provision for the token freshness checking at the server site. As a result, if an unauthorized user masquerading as an authorized user has a valid token, he can use the token to make search queries in the future. In practice, there exist applications wherein every search query from the users should be logged to the enterprise trusted site in order to identify any dishonest activity performed by any user (authorized or unauthorized). In addition, there should be a provision against token replay attack to avoid misuse of a valid token. Let us take one of such applications as an example.
(i) Consider an Online Banking System, where the customers' transaction records are stored at the Bank's cloud Storage Server. Practically, these records are utilized by several official users (i.e., managers, officers, clerks, etc.) of the Bank. Let us assume that the Bank's centralized processing server (trusted authority) uses any of the existing FE based searchable schemes and accordingly issues a separate search key to each authorized user of the Bank.
In such a setup, let us take a case of a manager who is responsible for generating a daily report for the ATM transactions with a specific ATM-ID. To perform this activity, every day the manager constructs a search token (using his search key) for a query, that is, "list all ATM transactions for ATM-ID today." He issues this token to the server and collects the result. In this scenario, what happens if a peon steals the search token and masquerades as an officer to send this token to the server? In any FE based searchable scheme, the server only checks the authorization of a user. In this case, since a peon impersonates an authorized officer of the Bank, he passes the authorization test conducted by the server and gets the search result. In fact, performing such token replay attack (by reusing the token) and leaking the information about ATM transactions to the intruder (outsider) on a daily basis, the peon may provoke the criminal activities near that ATM.
From the above scenario, we say that, in the Banking system, since every search result involves critical financial information, the search activity by each user should be logged at the Bank's centralized processing server. In addition, to avoid misuse of any valid token, it is desirable to prevent token replay attack in such system.
With the existing FE based searchable schemes [17][18][19][20], a user possessing a search key can ask the server to execute a search operation at any time and therefore the search activity of a user cannot be tracked. The problem can be resolved by an interactive scheme where a search token is constructed by the centralized trusted authority on request from an authorized user. However, such a solution raises the demand of secure token transmission along the entire path from the trusted authority up to the server through a user. Moreover, a token replay attack should be prevented by verifying the freshness of each search token at the server site. In addition, it is desirable to have a search operation with the support of conjunctive queries in such a system.

Related Work. The notion of Searchable Encryption is introduced by Song et al. in [4] where the authors consider search over encrypted keywords within a file. However, this first practical scheme leaks the search keywords to the server and suffers from the communication overhead linear to the file size. In fact, the scheme in [4] is not secure against statistical analysis across multiple queries. To resolve the problems, Goh et al. [5] and Chang and Mitzenmacher [24] in their separate work construct the secure searchable schemes by proposing an encrypted index for a document. Though the schemes in [4,5,24] perform efficient search operations, they introduce storage overhead linear to the size of an index for each document. Curtmola et al. [25] propose the first symmetric searchable encryption scheme with a formal security model. The first public key Searchable Encryption scheme is given by Boneh et al. [6] wherein a user with his private key can search over data encrypted with the corresponding public key. However, none of the schemes [4][5][6]24] support conjunctive keyword search.
Conjunctive Keyword Searchable Schemes. To narrow down the scope of searching and get optimal results, several searchable schemes exist with conjunctive keyword search operation. In the symmetric key settings, Golle et al. [26] have constructed two schemes for a conjunctive keyword search. However, in the first construction of [26], the size of a capability (search token) is linear to the number of documents available on the server and so the scheme is impractical. On the other hand, the second construction of [26] is practical with a constant size capability. The other constructions based on the secret sharing and bilinear map are given by Ballard et al. [27] but they are still inefficient in terms of a size of a token linear to the number of documents being searched. In public key settings, a first conjunctive keyword searchable scheme is defined by Park et al. [8]. Subsequently, the schemes with the improved communication and storage efficiency are proposed in [9,28]. Boneh and Waters have given a generalized scheme [29] for conjunction as well as for subset queries. Later on, a scheme with a refined form of a token (that is independent of specifying the keyword field position) is devised by Wang et al. [13]. Subsequently, B. Zhang and F. Zhang [21] have improved the security flaws of [13] and defined a conjunctive-subset keyword search. Other efficient constructions with the support of conjunctive keyword search operation are given in [22,23,30].
Multiuser Searchable Schemes. In public key settings, Hwang and Lee [9] have first introduced a storage efficient multiuser scheme. Subsequently, several other schemes [10,11,13,14,16] have proposed managing a group of users. However, a scheme in [11] supports the static groups of users, whereas the schemes discussed in [10,13,14] work for the dynamic groups of users. Apart from this, the scheme in [14] provides a single keyword search whereas the schemes in [10,13] handle the conjunctive search queries. Recently, a multiuser multikeyword search scheme is proposed by Huang et al. [16] but its inverted index based construction cannot support an efficient conjunctive search. In addition, a scheme in [16] leaks user access control information to the server. Few other multiuser schemes [17][18][19][20] are based on the notion of FE wherein an ETA is responsible for the System Setup and a master public key setup. In these schemes, a ciphertext is prepared by a Data Owner using a master public key. A search token is constructed by a user with his own search key issued either by the ETA as in [18][19][20] or by the Data Owner as in [17]. A scheme in [17] offers a constant size ciphertext and a constant size token. However, the scheme [17] is computationally inefficient since, to encrypt an index for a document, the encryption algorithm involves a computational complexity linear to the number of authorized users for that document. In a scheme of [18], the Storage Server has a list of authorized users (U List), and thus each enrollment/revocation of a user is known to the server. This indeed leaks information about users (i.e., a number of users in the system, the users' activity) to the Storage Server. The other two schemes [19,20] use CPABE (Ciphertext Policy Attribute Based Encryption) to manage access control of users. However, amongst all these schemes, only the schemes in [9,10,13,16] support multikeyword (specifically conjunctive) search and multiple users at the same time. There is no FE based scheme proposing a conjunctive keyword based search.
Secure Channel-Free Searchable Schemes. There exist searchable schemes in [7,31,32] with secure channel-free architecture for a token transmission. However, these schemes support a single keyword search. The most recent conjunctive search schemes [30,33] provide a secure channel-free token transmission.
To the best of our knowledge, none of the existing schemes define a secure channel-free conjunctive keyword based Searchable Encryption that prevents token replay attack in a multiuser environment.

Our Contributions.
In this paper, we propose a Multiuser Searchable Encryption with Token Freshness Verification (MUSE-TFV). In MUSE-TFV, a user constructs a search token in cooperation with the ETA and thus every search activity from each user is logged at the enterprise trusted site. Moreover, each search token is a one-time usable token. The server avoids reuse of the same token by verifying the freshness of the token using a verification key given by the ETA. Our main contributions are as follows.
(i) Multiuser Support. Utilizing the notion of FE, we devise a Searchable Encryption scheme that supports multiple users, with a constant size ciphertext (i.e., independent of the number of users). Our scheme has an optimal computational overhead at the Data Owner site and an optimal storage overhead at the server site.
(ii) Token Freshness Verification. We propose a token freshness verification at the server site by adapting Haller's S/Key One-Time Password System [34] and prevent token replay attack from the system.
(iii) Conjunctive Keyword Search. With the proposed scheme, we offer a conjunctive keyword search with a constant sized search token.
(iv) Secure Channel-Free Architecture. We offer a secure channel-free architecture to transfer a token securely via any public channel without channel setup overhead.
(v) Theoretical Analysis and Empirical Evaluation. We present a detailed theoretical analysis to show the efficiency of the proposed scheme. Additionally, with experimental evaluation of MUSE-TFV for different size systems (with a different number of keywords) and different numbers of users, we justify its effectiveness.

preliminaries required for the proposed scheme. In Section 3, we define the formal model of MUSE-TFV, the proposed algorithms, and the attack model with security definition. We elaborate the algorithms with a detailed security analysis in Section 4. Further, in Section 5, we present a theoretical analysis and empirical evaluation of MUSE-TFV. Finally, we put the concluding remarks in Section 6.

Preliminaries
In this section, we present an overview of a Functional Encryption, a cryptographic primitive (i.e., Bilinear Map), and a hardness assumption associated with the proposed scheme.

Functional Encryption (FE).
FE is a generalization of the existing access control mechanisms, namely, Identity Based Encryption (IBE) [35,36], Attribute Based Encryption (ABE) [37][38][39], and Predicate Encryption (PE) [29,40]. In FE, apart from the Data Owner, Data User, and the Storage Server, there exists an additional centralized trusted authority (TA) that is responsible for the System Setup and generation of a master public-private key pair. A Data Owner prepares the ciphertexts with a master public key and stores them to the Storage Server. To execute a predefined function at the server site, a user asks the TA for the corresponding token. In response, the TA constructs a token utilizing a master private key and issues it to the user. The server runs the function on the availability of a token from a user and sends the result to the user (Figure 2). In such a setup, any user who possesses a token can ask the server for the function execution. Since the server could use the same set of ciphertexts to execute a function with different tokens (possibly from different users), we say that the FE supports multiple users in the system.

Bilinear Map.
Bilinear map is a mathematical tool for pairing based cryptography. It is defined using suitable cryptographic groups. Let  1 and  2 be two multiplicative cyclic groups of prime order . For these groups, a bilinear map :  1 ×  1 →  2 must satisfy the following properties:
(1) Bilinear: given random ,  ∈  1 and ,  ∈  *  we have (, ) = (, )  .
(2) Nondegenerate: if  is a generator of  1 , then (, ) is a generator of  2 .

Hardness Assumption
Decisional Diffie-Hellman (DDH) Assumption. Let  1 be a cyclic group of prime order  and  be a generator of  1 . The Decisional Diffie-Hellman problem is to distinguish the tuple (, , ) from (, , ) for any random , ,  ∈  *  . Let us assume that the DDH problem is (, )-hard in  1 . Then there does not exist any polynomial time () adversary A that can solve the DDH problem with a nonnegligible advantage

Proposed Multiuser Searchable Encryption with Token Freshness Verification (MUSE-TFV)
We list out the notations used throughout the paper in Notations section.We include a system model, the associated algorithms, and the attack model with the security definition for the proposed scheme.

System Model.
The proposed MUSE-TFV involves four entities: (i) Data Owner (DO), (ii) Data User (DU), (iii) Storage Server (SS), and (iv) Enterprise Trusted Authority (ETA) (Figure 3). The interactive actions amongst these entities are as follows:
(1) Initially, the ETA sets up the system's public parameters and a master secret key.
(2) Using public parameters, the SS computes a public-private key pair (, ) and publishes  while keeping  secret.
(3) Using public parameters, the DU computes a public-private key pair (, ) and publishes  while keeping  secret.
(4) A DO prepares a ciphertext () by associating an encrypted payload (  ) with a list  of encrypted keywords and uploads it onto the SS. All the keywords in the list are encrypted with the Encryption() algorithm of the proposed MUSE-TFV.
(5) To execute a search operation, the DO requests the ETA for a token of a conjunctive query.
(6) The ETA computes a token (  ) and corresponding token verification keys (1, 2). The ETA issues a partial token  = (  , 1) to the DU and 2 to the SS.
(7) The DU constructs a search token (  ) from   and issues a final token  = (  , 1) to the SS over a public channel.
(8) The proposed Search() algorithm is executed on the server SS. With the available (1, 2), the SS checks the token freshness. The SS applies the fresh token   on the available . If  satisfies the token , the algorithm outputs a result  = (  (  (  ))); otherwise it outputs ⊥. The algorithm applies  on all available  and generates the corresponding .
Assumptions.
(i) The payload   =   (), where  is any symmetric encryption cipher with a symmetric key .
(ii) All DUs are authorized by the ETA. At the time of authorization, the ETA issues (, ) to the DU.
(iii) Before issuing a partial token , the ETA checks the authenticity of a DU with any standard authentication protocol.
(iv) The SS is a semihonest server; that is, it follows the system protocol but tries to breach data privacy.
(v) There exists a secure channel between the ETA and the SS.
(vi) The 2 is stored in a system table of the SS. The size of the system table is linear to the number of DUs.

Algorithms. The proposed MUSE-TFV involves the following polynomial time algorithms:
(1) Setup(, ). The Setup algorithm is run by the ETA. The algorithm takes security parameters  and  as inputs. The algorithm outputs the system's public parameter  and a master secret key . It defines a keyword space KS for  keywords.
(2) SKeyGen(). The Server Key Generation algorithm is run by the server SS. The algorithm takes the system's public parameter  as input. It selects a random  ∈   * and computes the public-private key pair (, ) for the server SS.
(3) UKeyGen(). The User Key Generation algorithm is run by the DU. The algorithm takes the system's public parameter  as input. It selects a random  ∈   * and computes the public-private key pair (, ) for the Data User, DU.
For each new query, the ETA assigns a unique token identification string () in order to generate the token verification keys (1, 2). Subsequently, the ETA constructs a token   using  and . The ETA then issues a partial token  = (  , 1) to the DU and (2) to the SS. With an available , the DU constructs   and outputs a final token  = (  , 1). The algorithm utilizes (1, 2) to verify the freshness of . If  is fresh, the algorithm performs a conjunctive search using (  ,   , ). It returns the result  = (  (  (  ))) to the DU if   satisfies the conjunctive query  within   ; otherwise it returns ⊥.
The algorithm applies   on all the ciphertexts. At last, the algorithm updates the system table entry of 2 for the requesting DU to prevent a token replay attack.
The algorithms involved in the verification key generation and token verification as well as the system table update are discussed in Section 4.2.

Flowchart.
To show the process of the proposed MUSE-TFV, we define four phases: (i) System Setup, (ii) Data Upload, (iii) Token Generation, and (iv) Search. The sequence of the proposed algorithms utilized by the entities (i.e., ETA, DO, DU, SS) during each of these phases is given as a flowchart in Figure 4. As shown in Figure 4(a), all four entities are involved in the System Setup phase where a public parameter (pp) and various keys (i.e., , , (, ), (, )) are defined. On the other hand, the Data Upload phase (Figure 4(b)) includes only DO and SS since, during this phase, a DO prepares a ciphertext  and uploads it onto the SS. The interactive steps amongst DU, ETA, and SS during the Token Generation phase are shown in Figure 4(c) wherein initially a DU sends a conjunctive query  to the ETA. In response, the ETA sends a partial token along with a token verification key (i.e., (, 1)) to the DU. In addition, the ETA sends a token verification key (i.e., TVK2) to the SS. With the available (, 1), the DU prepares a final token .
During the Search phase, the DU sends  to the SS as shown in Figure 4(d). In response, the SS finds the results  for the available ciphertexts and forwards these results to the DU.

Figure 4: Flowchart of MUSE-TFV. (Panel text recovered from the figure: Token Generation: the ETA prepares a partial token using (pp, msk, Q, X); Search: the SS updates the system table entry for TVK2 to avoid token replay attack.)

Attack Model and Security Definitions.
First, we reemphasize that the principal motivation of the proposed MUSE-TFV is to overcome the limitation in the existing Searchable Encryption schemes that allow replay of tokens and thus lack verification of token freshness. Thus, MUSE-TFV is aimed at supporting a Searchable Encryption scheme with the novel provision for verification of the token freshness and thereby avoiding replay attacks. Therefore, in the attack model described here we consider only token replay attacks and assume that any other attack against the scheme can be mitigated by using already existing mitigation approaches. We assume that an adversary A has the capabilities to perform the following attacks:
(1) The server SS as an adversary A can perform chosen keyword attack to deduce the plaintext (keywords) from the available ciphertexts (lists of encrypted keywords) and tokens.
(2) The Data User, DU, as an adversary A can perform token replay attack to reuse the maliciously captured token.
With SS as an adversary, we define semantic security (a.k.a. indistinguishability against chosen keyword attack (IND-CKA)) for the proposed conjunctive keyword search scheme based on the security game ICLR (Indistinguishability of Ciphertext from Limited Random) [26,41] as follows.
Definition 1 (ICLR). Let A be a polynomially bounded adversary and B be a challenger. With ICLR, when A has issued a keyword set  and a subset  ⊆ {1, 2, . . ., }, B responds with two encrypted keyword sets associated with  in such a way that A cannot distinguish the encrypted keyword sets created with . Thus, with this game, we achieve our security goal where we require that A should not be able to deduce the plaintext from other keyword sets. The following are the steps for the game ICLR [26,41].
(1) A adaptively requests B for the Encryption (,   , ,   ) of any keyword set   and any search token.
(4) A again makes requests for encrypted keyword sets and search tokens, with the restriction that he cannot ask for the token that is distinguishing for  0 and  1 .
(5) A outputs a bit   ∈ {0, 1} and wins the ICLR game if   = .
We say that the polynomial time adversary A has an advantage  in this attack game, if

Additionally, we define the security against token replay attack based on the following actions performed by a Data User, DU, as an adversary A.
(1) A intercepts a token  = (  ,  =   (1)) transmitted from the ETA to the DU (or from a DU to the SS) and stores it.
(2) To reuse the token , A replaces its verification key part, that is,  =   (1), with   in such a way that the SS considers a forged  = (  ,   ) as a fresh token and returns a result .
(3) A repeats Step (2) until he receives the result .
We say that an adversary A is successful in token replay attack if he gets the result  using a forged value of .

Construction of MUSE-TFV
In this section, we give the formal construction for the proposed algorithms of MUSE-TFV. We also present a token verification procedure used in the design of MUSE-TFV. Additionally, we provide a security analysis for the proposed scheme.

Formal Construction.
The concrete constructions for the proposed algorithms are as follows.
(6) Search(, , ). The algorithm applies   (  (1)) and   (  (2)) to get the original verification keys (1, 2) from the encrypted values using a private key  of the SS. The algorithm then calls (1, 2) to verify the freshness of the input token . If a token is fresh (i.e., (⋅) → 1), it applies   of  on an available ciphertext   from  as follows.
The algorithm computes

Then, it checks the following correctness:

If (3) is satisfied, then the algorithm outputs the associated payload message   ; as a result  =   (  (  )). Here, encryption with a public key  of DU provides confidentiality and signature with the private key  of SS maintains integrity of a result  during transit. The algorithm repeatedly applies   on each available ciphertext at the server SS. At last, the algorithm updates the current entry of 2 in the system table with (2, 1).
Note. (i) The algorithms (), (), and () are described in Section 4.2. (ii) The query  from a DU to the ETA is in plaintext format. It does not impact the security of the token as, even if any unauthorized DU maliciously captures a partial token, he is unable to construct a final token without the secret key . (iii) The / for the verification keys is any standard encryption/decryption cipher. The encryption of the verification keys with the public key  of SS prevents their modification by a malicious DU.

Token Verification Procedure.
To define a token verification procedure, we borrow the idea from Haller's S/Key One-Time Password System [34]. The S/Key scheme provides a technique to construct a one-time password at the client site and its verification at the host site. The scheme works on 3 parameters (, , ()), where  is a secret string,  represents the number of times the hash is applied on , and () is any standard cryptographic hash function. We adopt similar parameters to define a token verification procedure for the proposed MUSE-TFV. The token freshness verification involves three algorithms:
(1) TokVerKey(s, RN, H()): the token verification key generation algorithm outputs two keys ( 1 ,  2 ), where  1 =   () and  2 =  −1 ().
The original S/Key mechanism is defined with the traditional hash function, that is, MD4. For MUSE-TFV, we prefer SHA-2 to avoid collision attack.
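The token flow of the system model (ETA issues the verification key with every approved query, the SS checks freshness against its system table and updates the entry after use) and the S/Key-derived verification procedure above can be exercised together in a small simulation. The following is an added example and not code from the paper; the paper's own TokVerKey, TokVer and table-update algorithms live in its Section 4.2, which is not reproduced on this page. It uses the classic S/Key orientation, in which the server's table holds H^RN(s), each query presents H^(RN-1)(s), and the server accepts only if hashing the presented value reproduces the stored one, after which the stored value is replaced. SHA-256 stands in for the SHA-2 choice stated above; the class and method names, the per-user chain length, and the query strings are all constructed for the example. Unlike the paper, which also sends TVK2 to the SS over a secure channel per query, this classic variant needs only the one anchor per user.

```python
import hashlib
import hmac
import secrets


def H(data: bytes) -> bytes:
    """SHA-256, a SHA-2 member, in place of S/Key's original MD4."""
    return hashlib.sha256(data).digest()


def hash_chain(seed: bytes, n: int) -> bytes:
    """H^n(seed): apply H n times; H^0(seed) is the seed itself."""
    value = seed
    for _ in range(n):
        value = H(value)
    return value


class EnterpriseTrustedAuthority:
    """Holds the S/Key parameters (s, RN) per Data User and logs every query.

    Hypothetical class; it plays the ETA role of the system model only as far
    as verification-value issuance and query logging are concerned.
    """

    def __init__(self, rn: int = 100):
        self._chains = {}    # user -> [secret s, remaining count RN]
        self.audit_log = []  # (user, query) for each token requested
        self.rn0 = rn

    def enroll(self, user: str) -> bytes:
        """Pick a fresh secret s; return the anchor H^RN(s) for the SS table."""
        s = secrets.token_bytes(32)
        self._chains[user] = [s, self.rn0]
        return hash_chain(s, self.rn0)

    def issue_verification_value(self, user: str, query: str) -> bytes:
        """Return the one-time value H^(RN-1)(s) for this query; RN decrements."""
        entry = self._chains[user]
        s, rn = entry
        if rn <= 1:
            raise RuntimeError("hash chain exhausted; re-enroll the user")
        entry[1] = rn - 1
        self.audit_log.append((user, query))  # the enterprise-site search log
        return hash_chain(s, rn - 1)


class StorageServer:
    """System table with one entry per DU (linear in the number of DUs)."""

    def __init__(self):
        self.system_table = {}  # user -> current anchor H^RN(s)
        self.search_log = []    # (accepted?, user, query)

    def register(self, user: str, anchor: bytes) -> None:
        self.system_table[user] = anchor

    def tok_ver(self, user: str, presented: bytes) -> bool:
        """Fresh iff H(presented) equals the stored anchor; then consume it."""
        anchor = self.system_table.get(user)
        if anchor is None or not hmac.compare_digest(H(presented), anchor):
            return False
        self.system_table[user] = presented  # table update: a replay now fails
        return True

    def handle_token(self, user: str, presented: bytes, query: str) -> bool:
        """Gate the (not modelled) conjunctive search on token freshness."""
        accepted = self.tok_ver(user, presented)
        self.search_log.append((accepted, user, query))
        return accepted


def replay_scenario() -> list:
    """Fresh query, replay of the captured value, a guessed value, next fresh query."""
    eta, ss = EnterpriseTrustedAuthority(rn=3), StorageServer()
    ss.register("manager", eta.enroll("manager"))
    v1 = eta.issue_verification_value("manager", "ATM report")
    outcomes = [ss.handle_token("manager", v1, "ATM report")]   # fresh: accepted
    outcomes.append(ss.handle_token("manager", v1, "ATM report"))  # replayed: rejected
    guess = secrets.token_bytes(32)  # constructed random value, not a chain member
    outcomes.append(ss.handle_token("manager", guess, "ATM report"))  # rejected
    v2 = eta.issue_verification_value("manager", "ATM report")
    outcomes.append(ss.handle_token("manager", v2, "ATM report"))  # fresh: accepted
    return outcomes


if __name__ == "__main__":
    print(replay_scenario())
```

The constant-time comparison matters because the server compares attacker-controlled input against a stored digest; the table update is what turns the check into a freshness check rather than a membership check, since the same value can never satisfy the comparison twice.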

Security Analysis.
We analyze the semantic security of MUSE-TFV against chosen keyword attack (IND-CKA) under the DDH assumption. Additionally, we prove that the proposed MUSE-TFV provides security against token replay attack.
Theorem 2. The proposed MUSE-TFV is semantically secure against a server SS as an adversary according to the game ICLR, assuming DDH is intractable.
Proof. Let us assume a server SS as an adversary A can attack the proposed scheme in polynomial time. Suppose A makes at most   token queries where   <  and has the advantage  in solving the DDH problem in  1 . Let  1 and  2 be two groups of prime order  and  be the generator of  1 . We build a simulator B as a challenger that has the advantage   = /     to simulate the game, where  is the base of the natural logarithm. Suppose an instance (, , ) of the DDH problem in  1 is B's challenge information where , ,  ∈  *  . The goal of B is to distinguish  =  from a random element in  1 . One restriction is that the random element  is independent of the location  selected in the ICLR game; then the simulation game is demonstrated as follows.
(2) Encryption Queries. An   If  = , then B wins the security game. The ciphertext for every position  ∉  is the encryption of  and the ciphertext in position  where  =  is also an encryption of . Otherwise, for other positions, it is not.
(5) More Queries. A queries encryption of other keyword sets and tokens that A has not asked before. B responds in the same way as in Step (2) and Step (3). The restriction is that A cannot issue the aforementioned queries for location .
If   = 1 and B outputs "Yes," then (, , ) is considered as a DDH tuple. Thus, for  = , we can prove that (, , ) is a DDH tuple as follows.
We know from (3) that

This can be represented as

From (8), we get

Now, from the challenge ciphertext,

From (10), we get

Now, from (9) and (11)

On the other hand, if   = 0, we cannot prove that the challenge (, , ) is a DDH tuple, since encryption at position  is random and it cannot confirm (12). However, the advantage of A to win the game ICLR is the same as that of B which solves the DDH challenge.

Security and Communication Networks
Now, the following are the two simulations of B's advantages.
(i) 1: B responds to the search token queries for  keyword issued by A.
(ii) 2: B is not aborted in the challenge phase.
For large enough   , the probability of 1 and 2 can be defined as

Thus, B's advantage   in solving the DDH problem is

According to Propositions 1 and 2 of [26], if there exists an adversary with nonnegligible advantage to win the ICC game, then there exists another adversary with a nonnegligible advantage to win the ICLR game. However, as per the above proof, the advantage of B is /     ∈ [0, 1/2    ] which is negligible. Thus, the proposed MUSE-TFV scheme is at least (1 − 1/2    ) secure under the ICLR game if the DDH assumption is intractable. This completes the proof for Theorem 2.

Theorem 3. The proposed MUSE-TFV provides security against token replay attack.
Proof.Let us assume a DU as an adversary A can perform a token replay attack as follows.
(2) To reuse the token , an adversary A replaces its verification key part, that is,  =   (1), with   in such a way that the further execution of TokVer() (at the site of SS) outputs "1" and so the SS returns a result .
If  is the size of a ciphertext generated by the encryption algorithm , then an adversary A needs a number of attempts exponential in that size (one per candidate ciphertext) to forge a value . With any standard secure algorithm (e.g., 160-bit ECEL, ECC based ElGamal Encryption; since the public key  of the SS is an element of a group of points on an elliptic curve, an ECC based encryption algorithm must be used), the probability that an adversary A guesses a valid value ( = ) is 1/2^160. Additionally, the adversary A is completely unaware of the other verification key TVK2 held at the site of the SS. Thus, a token with the replaced verification key, that is,  = (, ), must be issued to the SS to check the output of the TokVer(TVK1, TVK2) algorithm.
Denoting  as the communication cost (from a DU to the SS) of a single message, we find a communication complexity of ( ⋅ 2^160) in the system for the 2^160 attempts potentially performed by an adversary A to forge the value .
With a communication link of 100 Mbps and an Ethernet Maximum Transmission Unit (MTU) of 1500 bytes, it would take about 57 ⋅ 10^30 years to attempt all possible values of . Thus, for any adversary A, the probability of obtaining the result  by forging the value  is negligible.
Thus, the proposed scheme MUSE-TFV is secure against token replay attack.
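As an added illustration (not the paper's code) of the mechanism the proof relies on: the ETA issues the verification key pair and logs the request, TVK2 reaches the SS but never the DU, and the SS rejects a token whose TVK1 does not match or whose TVK2 has already been consumed. The TVK2 = SHA-256(TVK1) relation, the token identifier and the stand-in for Search() are assumptions of this model.

```python
# Added illustration, not the paper's code: a model of MUSE-TFV's one-time
# token flow. ASSUMED: TVK2 = SHA-256(TVK1) stands in for the paper's TokVer()
# relation; ECC-ElGamal encryption of TVK1 and the pairing Search() are omitted.
import hashlib
import hmac
import secrets


class EnterpriseTrustedAuthority:
    """ETA: issues one-time verification keys and logs every token request."""
    def __init__(self, server):
        self.server = server
        self.log = []                          # audit trail: (user, query, token_id)

    def issue(self, user, query):
        token_id = secrets.token_hex(8)        # constructed identifier for the log
        tvk1 = secrets.token_bytes(20)         # 160-bit verification key for the DU
        tvk2 = hashlib.sha256(tvk1).digest()   # assumed derivation (see header)
        self.server.register(token_id, tvk2)   # TVK2 is shared only with the SS
        self.log.append((user, query, token_id))
        return token_id, tvk1


class StorageServer:
    """SS: TokVer must pass before Search; each TVK2 is consumed exactly once."""
    def __init__(self):
        self.pending = {}                      # token_id -> unused TVK2

    def register(self, token_id, tvk2):
        self.pending[token_id] = tvk2

    def tok_ver(self, token_id, tvk1):
        tvk2 = self.pending.get(token_id)
        if tvk2 is None:                       # unknown or already used token
            return False
        if not hmac.compare_digest(hashlib.sha256(tvk1).digest(), tvk2):
            return False                       # wrong TVK1: keep TVK2 for the real DU
        del self.pending[token_id]             # accepted: the token is now stale
        return True

    def search(self, token):
        token_id, query, tvk1 = token
        if not self.tok_ver(token_id, tvk1):
            return None                        # replayed or forged token rejected
        return f"results for {query!r}"        # placeholder for the real Search()


def demo():
    """Returns (forged TVK1 rejected, genuine use ok, replay rejected)."""
    ss = StorageServer()
    eta = EnterpriseTrustedAuthority(ss)
    token_id, tvk1 = eta.issue("alice", "cloud AND audit")
    forged = ss.search((token_id, "cloud AND audit", secrets.token_bytes(20)))
    token = (token_id, "cloud AND audit", tvk1)
    first, replay = ss.search(token), ss.search(token)
    return forged is None, first is not None, replay is None
```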

Theoretical Analysis and Empirical Evaluation
In this section, we first present theoretical analysis of the proposed MUSE-TFV.Subsequently, we show the performance efficiency of MUSE-TFV with a detailed empirical evaluation.

Theoretical Analysis.
We highlight the significant characteristics of MUSE-TFV in comparison with the existing multiuser searchable schemes [9,17,18,19] and conjunctive search schemes [21,22,23] in Table 1. As the other multiuser searchable schemes [10,11,13,16] use an inverted index search structure (in inverted index based Searchable Encryption, a single common index, i.e., a list of keywords, is defined for the entire set of encrypted documents), comparing them with the simple index based MUSE-TFV (in a simple index searchable scheme, a separate index of keywords is associated with each encrypted document) is not meaningful here.
From Table 1, we observe that none of the listed multiuser schemes provides a secure channel-free architecture for token transmission. On the other hand, the conjunctive search scheme of [22] offers such an architecture, but it does not support multiple users in the system. In contrast, the proposed MUSE-TFV provides conjunctive keyword search with secure channel-free token transmission in a multiuser setting. Additionally, MUSE-TFV can verify the freshness of a token to prevent token replay attack. We compare the performance of MUSE-TFV with the existing schemes in terms of storage overhead (i.e., size of a ciphertext, excluding payload, and size of a token) and computational overhead (for the proposed Encryption(), TokGen(), and Search() algorithms) in Table 2.

Storage Complexity.
To show the storage overhead, we present the ciphertext/token size in terms of the size of an element from the bilinear groups (G1, G2). Observing Table 2, we see that the constructions given in [17,23] are storage efficient with constant ciphertext and token size (i.e., O(1)). In contrast, the proposed MUSE-TFV has a ciphertext size linear in the number of keywords in the system (i.e., O(n)), the same as the ciphertext storage complexity of the existing schemes [18,19,21,22].
The significant characteristic of MUSE-TFV is its constant (i.e., O(1)) token storage complexity. This constant overhead makes the proposed scheme as efficient as the existing schemes [9,17,18,22]. In fact, the actual token size for MUSE-TFV is three times that of the token constructed by the schemes [18,22]. However, with this increased token size, we offer secure token transmission over any public channel without channel setup overhead. Moreover, with an added component  in the token (where  is the size of a ciphertext for the encrypted verification key TVK1), we prevent the token replay attack.

Computational Complexity.
We present the computational overhead in terms of the major operations involved in the listed schemes, namely, modular multiplication, scalar multiplication, exponentiation, and pairing (denoted as in the legend of Table 2). From our experiments, we observe that a scalar multiplication, an exponentiation, and a pairing operation are costlier (involving more CPU cycles) than a modular multiplication. Therefore, from Table 2, we say that the computational cost of the proposed Encryption() algorithm (i.e., (2 + 2)) is almost the same as the encryption cost of the listed multikeyword schemes [9,21,22]. We note that this encryption overhead is double that of the schemes [18,23].
On the other hand, similar to the scheme in [18], MUSE-TFV has a computational complexity for the Encryption() algorithm, i.e., O(n), that is constant with respect to the number of users (u). Such computational cost is far better than that of the existing schemes [9,17], with ( + ) and (  ) encryption overhead, respectively. Therefore, with moderate computational overhead for the proposed Encryption() algorithm, MUSE-TFV supports multiple keyword based search as well as multiple users in the system.
From Table 2, we observe that the computational complexity of the proposed TokGen() algorithm of MUSE-TFV is the same as the token construction cost of the existing schemes [18,22,23], i.e., O(1). With such constant computational overhead, MUSE-TFV performs better than the existing schemes [9,21], which have an O(t) token construction overhead. Additionally, we note that the TokGen() algorithm of MUSE-TFV consumes more CPU cycles than the Token Generation algorithm of the schemes [18,22,23] due to its interactive token construction steps. However, with this added overhead, MUSE-TFV supports multiple users in the system.
We also note that the computational cost of the Search() algorithm of MUSE-TFV (i.e., (2 + 2)) is almost the same as that of the existing schemes [18,22,23]. This constant search complexity (i.e., O(1)) is better than the search complexity (i.e., O(t)) of [9,21]. Moreover, as a multiuser scheme, MUSE-TFV offers a constant computational cost O(1) (i.e., independent of u) during the search phase. This cost is much better than the search computational overhead (i.e., (  )) of the scheme [17]. It is worth noting that, with search complexity similar to the existing schemes [18,22,23], the proposed MUSE-TFV provides an additional token freshness verification feature.

Communication Complexity.
In Table 3, we present the communication complexity of the proposed MUSE-TFV during the Data Upload, Token Generation, and Search phases, as compared to the existing multiuser schemes [9,17,18,19]. We note that, with S denoting a message, the scheme in [19] suffers from the highest communication overhead (i.e., 3c for c ciphertexts) during the Data Upload phase, wherein uploading a single ciphertext involves three messages (i.e., a preindex message from a Data Owner to the server, an index parameter message from the server to the Data Owner, and a ciphertext message from the Data Owner to the server). In contrast, the proposed MUSE-TFV has an optimal communication overhead of a single message per ciphertext (i.e., c messages for c ciphertexts) from a Data Owner to the server. With this overhead, the proposed scheme performs similarly to the existing schemes discussed in [9,17,18]. The scheme in [17] uses two servers (a main server and an aid server) to perform a search operation, with a communication overhead of (3 + ) messages (i.e., a token message from a user to the main server, a token message from the user to the aid server, an additional message from the aid server to the main server, and  result messages from the main server to the requesting user). In contrast, the proposed MUSE-TFV involves (1 + ) messages (i.e., a token message from a user to the Storage Server and  result messages from the server to the user) during the Search phase. The scheme of [18] has the lowest communication overhead during the search operation, that is, 2 (a token message from a user to the server and a result message from the server to the user). However, in the scheme [18], the server incurs additional computational overhead (for set union operations) in order to combine the  result messages into a single message.
Table 3 shows that the Token Generation phase of the proposed MUSE-TFV incurs a communication overhead of 2q for q queries. This overhead is due to the interactive Token Generation algorithm, which involves two message exchanges between a DU and the ETA, that is, a Token Request message from the DU and a response message from the ETA. However, with this added communication overhead, we achieve a more secure system wherein every Token Generation activity is logged at the trusted site, and thus any dishonest activity by a DU can easily be tracked. Moreover, with this interactive Token Generation algorithm, the proposed scheme provides token freshness verification to prevent token replay attack. Thus, MUSE-TFV is indeed an effective multiuser scheme for applications where the security of each search activity is a prime requirement.

Empirical Evaluation.
To evaluate the performance, we conduct the experiments on a 32-bit Windows 7 machine with a 2.10 GHz Pentium Core 2 Duo CPU, using the Java Pairing Based Cryptography (JPBC) Library [42]. From the JPBC Library, we use the Type A pairing (i.e., G1 × G1 → G2), which is based on an elliptic curve of the form y^2 = x^3 + x over a prime field. Here, the group G1 is a subgroup of the curve group, and the cyclic group G2 is a subgroup of the multiplicative group of the quadratic extension of that field, where the field characteristic is a large prime. The group order of G1 is 160 bits, and the base field is 512 bits.
To systematically compare the performance of MUSE-TFV with other schemes, we consider three significant parameters, that is, (i) the number of keywords in the system (n), (ii) the number of keywords in a query (t), and (iii) the number of users in the system (u) (Table 4). We perform experiments for systems of different sizes with n ∈ {50, 100, 150, 200, 250, 300}.
For each system, we simulate the Encryption(), TokGen(), and Search() algorithms multiple times and consider their average results. To show the efficiency of MUSE-TFV as a multiuser scheme, we consider different numbers of users, that is, u ∈ {1000, 2000, 3000, 4000, 5000}, in the system. Additionally, during the Token Generation experiments, we select conjunctive queries with a variable number of keywords, that is, t ∈ {10, 20, 30, 40, 50}. As a large number of keywords in conjunction makes a query complex and impractical, we select comparatively small values for t.
From Table 2, we identify that the computational cost of the Encryption() algorithm for all multikeyword (MKQ) schemes [21,22,23] depends upon n, whereas for all multiuser schemes [9,17,18] it depends upon the user-related parameters (u or u_k). Thus, we simulate the Encryption() algorithms of all the listed schemes with different values of n and u separately and show their responses in Figures 5(a) and 5(b), respectively. Note that for simulation purposes we consider the worst case scenario for the scheme [17], where u_k = u.
From the results in Figure 5(a), we note that the encryption time of the proposed MUSE-TFV increases linearly with the number of keywords (i.e., n). However, this time overhead is the same as the encryption time overhead of [9,21,22] but larger than that of [18,23]. Additionally, from Figure 5(b), we observe that the presence of multiple users in the system does not affect the time consumption of the encryption algorithm of MUSE-TFV. This characteristic makes MUSE-TFV more practical than the existing multiuser schemes [9,17], where the encryption time overhead increases linearly with the number of users. Hence, with constant encryption overhead (i.e., independent of the number of users (u)), the Encryption() algorithm of MUSE-TFV supports multiple keywords in a ciphertext and multiple users in the system.
We present the empirical results for the TokGen() algorithm of MUSE-TFV and other multikeyword (MKQ) schemes in Figure 6. From these results, we say that MUSE-TFV takes almost constant time to construct a token regardless of the number of keywords in a query. With this characteristic, MUSE-TFV resembles the schemes [22,23] and performs better than the other multikeyword schemes [9,21], which have an O(t) token computational overhead. However, MUSE-TFV takes more time than [22,23] because of its interactive nature.
According to Table 2, the computational overhead of the Search() algorithm of the listed schemes is either constant or depends upon the number of keywords in a query or the number of users. Thus, we simulate the Search() algorithm of the listed schemes with different values of t and u separately and show their responses in Figures 7(a) and 7(b), respectively. Observing the results in Figure 7(a), we note that the search time overhead for MUSE-TFV is almost constant and independent of the number of keywords in a query (t). With this characteristic, MUSE-TFV performs a conjunctive search in much less computational time than the existing conjunctive search schemes [9,21], where the search time is affected by the number of keywords in the query (t). From the results in Figure 7(b), we note that, with constant search time overhead, the proposed MUSE-TFV supports multiple users in the system as efficiently as the scheme [18]. In addition, with search time linear in the number of users (u), the scheme of [17] is indeed less practical. In contrast, with constant search time overhead, MUSE-TFV performs a conjunctive keyword search in response to a query from any user in the multiuser setting.
Finally, we claim that our empirical results are completely in accordance with the theoretical computational complexity presented in Table 2. From the theoretical analysis and empirical evaluation, we conclude that, with moderate storage and computational overhead, the proposed MUSE-TFV is an elegant multiuser searchable scheme with provision for conjunctive keyword search and token freshness verification.

Concluding Remarks
In this paper, we discuss the proposed MUSE-TFV: a Multiuser Searchable Encryption with Token Freshness Verification that is based on the concept of Functional Encryption. Unlike the existing Functional Encryption based multiuser searchable schemes, wherein a user generates a search token using his own search key, in the proposed MUSE-TFV a Data User (DU) constructs a search token in cooperation with the

Figure 1 :
Figure 1: System model of Searchable Encryption (SE).Steps: (1) Data Owner uploads a ciphertext  (i.e., encrypted payload message + list of encrypted keywords) onto the Storage Server; (2) Data User constructs a search token  using a secret key; (3) Data User sends  to the server; (4) Storage Server applies  on ; (5) Storage Server returns the result to the requesting user.

Figure 2 :
Figure 2: System model of Functional Encryption (FE).Steps: (1) Data Owner uploads ciphertext  onto the Storage Server; (2) Data User requests TA for a token of a function (F); (3) TA issues a token   to the user; (4) Data User sends   to the Storage Server; (5) Storage Server runs  on available ; (6) Storage Server forwards the result   to the user.
[Figure residue: system model of MUSE-TFV. (a) Data Owner: takes a set of keywords and a payload message M as input, encrypts M to M′, constructs a list W of encrypted keywords by calling Encryption(), and outputs C = (W, M′). (b) DU selects a conjunctive query Q and calls TokGen(); the ETA prepares the token verification keys (TVK1, TVK2); the DU prepares the final token for Q; the SS holds TVK2.]

Table 2 :
Comparative analysis: storage-computational complexity. n: number of keywords in the system, t: number of keywords in a query, u: number of users in the system, u_k: number of users accessing an associated file, H: size of a message digest output by the used hash function, (G1, G2): size of an element from bilinear groups G1 and G2, V: ciphertext size of the used encryption routine, q: size of a random integer, P: pairing, E: exponentiation, M: scalar multiplication, M (subscripted): modular multiplication, D: data comparison, and U: set union operation.

Table 3 :
Comparative analysis: communication complexity. S: a message, c: number of ciphertexts available at the server, and q: number of queries.