A Dynamic Searchable Symmetric Encryption Scheme for Multiuser with Forward and Backward Security

Dynamic Searchable Symmetric Encryption for Multiuser (M-DSSE) is an advanced form of symmetric encryption. It extends the traditional symmetric encryption to support the operations of adding and deleting the encrypted data and allow an authenticated group of data users to retrieve their respective desired encrypted data in the dynamic database. However, M-DSSE would suffer from the privacy concerns regarding forward and backward security. )e former allows an attacker to identify the keywords contained in the added data by lunching file-injection attacks, while the latter allows to utilize the search results and the deleted data to learn the content. To our knowledge, these privacy concerns for M-DSSE have not been fully considered in the existing literatures. Taking account of this fact, we focus on the dynamic searchable symmetric encryption for multiuser meeting the needs of forward and backward security. In order to propose a concrete scheme, the primitives of Pseudorandom Functions (PRF) and the Homomorphic Message Authenticator (HMAC) are employed to construct the inverted index and update the search token. )e proposed scheme is proven secure in the random model. And the performance analysis shows that the proposed scheme achieves the enhanced security guarantees at the reasonable price of efficiency.


Introduction
Searchable encryption (SE) is popular among the various cloud storage services because one can keep the ability to selectively retrieve the encrypted data that he or she stored on the cloud. And there are many traditional works [1][2][3][4][5] focusing on it. However, the traditional works cannot meet the using needs or habits of the clients. It is because frequently clients upload some new data and delete or modify some encrypted data in cloud and many clients often share data with others. For example, a regional medical center needs to update the local Electronic Health Records (EHRs) [6] periodically and share them with other medical institutions to conduct advanced research.
is means that the regional medical center should have the ability of updating the encrypted data and authorizing others to search over his data storage in cloud.
To address it, some dynamic searchable encryption schemes [7][8][9][10][11] have been proposed to support data updates. ese works are designed for the single client that means only the client itself can search on the cloud and cannot meet the requirement to share data. Data sharing is widely used by both individuals and organizations, and we introduce two forms here: one is multiwriter/multireader and the other is single writer/multireader. For ease of exposition, we call the client who owns data the data owner and the clients who share the data the data user. e former means many data owners and many data users, and there have been efforts to design schemes for fine-grained keyword search [12,13], privacy-preserving attribute-based keyword search [14], and rank keyword search in arbitrary language [15]. e latter means only one data owner and many data users who are especially popular among companies, schools, and medical institutions. It was named as dynamic searchable symmetric encryption for multiuser (M-DSSE), which was also called multiclient in [16], and it is the topic that we are interested in.
However, M-DSSE suffers from the privacy concerns regarding forward and backward security. e former is that the adversary can use the file-injection attacks to compromise the privacy of the data and keywords. is attack was proposed by Zhang et al. [17] in 2016. More specifically, one can inject the carefully selected files and trick the client into encrypting them, then identify the keyword by matching the submitted search tokens and injected files, and consequently get all files containing this keyword. is behavior seriously undermines the privacy of data, for example, the disclosure of the patient's identity information or home address in EHRs that should be kept private. e latter means that, in most searchable encryption schemes, the identifier of the deleted document still can be retrieved by the server in the subsequent search. en when the regional medical center deletes some EHRs, not only the privacy of the patients will be disclosed, but also the accuracy of the advanced research will be affected.
Both attacks are simple but destructive. erefore, M-DSSE needs stronger security from a practical and safe point of view, that is, Dynamic Searchable Symmetric Encryption for Multiuser with Forward and Backward Security (FBM-DSSE). Although there are many works concentrating on the dynamic symmetric searchable encryption schemes with forward and backward security (FB-DSSE) [18][19][20][21][22], most of them cannot be extended to FBM-DSSE directly. On the one hand, if the method used in FB-DSSE is extended to FBM-DSSE directly, the data owner may need to share the whole key with all users. And users can do more rather than search only. Specifically, users can change client's data without restrictions and destroy data's integrity and privacy. On the other hand, the existing FB-DSSE schemes adopt some special structures to achieve forward and backward security, which is not suitable to extend to multiuser setting. For example, Li et al. [23] reduce information leakage in SSE by partitioning the inverted index into disjoint partitions and generating subkeyword sets. When searching, the data owner chooses subkeyword according to his own needs and the server needs to delete all the touched blocks after each search.
is search method is complex for users in M-DSSE and may get incomplete search results due to untimely updates. erefore, it is not feasible to directly implement the methods of FB-DSSE in FBM-DSSE, and it is still a problem that how to achieve forward and backward security in M-DSSE.
Considering the serious consequences that these security issues may bring and the inflexibility of the methods from FB-DSSE to FBM-DSSE, we believe that solving security problems in FBM-DSSE is of great practical significance. Taking account of it, we focus on the Dynamic Searchable Symmetric encryption schemes supporting multiuser with Forward and Backward Security. In order to achieve this it, we give a concrete FBM-DSSE scheme based on the Pseudorandom Functions (PRF), the Homomorphic Message Authenticator (HMAC) [24], and the bitmap index [25,26].
Our contributions are summarized as follows: e proposed scheme is forward and backward secure. We combine the homomorphic MAC and the bitmap index to achieve secure and efficient updates of the search token and use PRF to hide the specific correspondence between files and indexes to protect the update information from being leaked. Specifically, we use pseudorandom functions to reorder files and the keywords in index and the server could not identify the specific relationship between them so that it could not get any private information except the current search results.
e proposed scheme has rich functionality. It is obvious that the proposed scheme supports update operations and multiuser setting. It also supports verifiability and can realize revocation of the user's access permission. Specifically, if the data owner wants to cancel someone's access right to the updated file but retain the permission for the previously searched file, he or she is not needed to send the updated search token to the user. Furthermore, our scheme is easily extended to support multifunctional search such as wildcard search [27], similarity search (including hamming distance and edit distance), fuzzy keyword search [28], and disjunctive [29] (or conjunctive [30]) keyword search.
e proposed scheme has a comprehensive security analysis. We give the correctness of the scheme and the rigorous security proof of forward and backward security according to the definitions in DSSE. And the security of the proposed scheme can be reduced to the existence of pseudorandom functions and the CPAsecure symmetric encryption system, which provides a concrete implementation favorable guarantee. e paper is organized as follows. Section 1 is the introduction. Section 2 introduces the related work. Cryptographic tools and notations are introduced in Section 3. Section 4 presents the system model, security model, and the definition of the forward security and the backward security. Section 5 mainly introduces the proposed scheme and the security analysis. Section 6 shows simply how the proposed scheme can be extended to support multifunctional search. Section 7 gives the experiment result and its analyses. At last, the paper is concluded in Section 8.

Related Works
Searchable encryption (SE) is popular among various cloud storage services because it protects plaintext information from being leaked to the compromised server while preserving the search functionality. ere are two areas in SE: public key encryption with keyword search (PEKS) [2][3][4][5] and searchable symmetric encryption (SSE). In our work, we mainly talk about the SSE. e first symmetric searchable encryption (SSE) was proposed by Song et al. [1] in 2000. ey proposed a special two-layer encryption scheme. Because this scheme needs to scan the file, the searching time is linear to the length of the files. e followed work is that of Curtmola et al. [31]. ey constructed the first inverted index and achieved that the amount of the server's work is proportional to the number of files containing the queried keyword. ere are also many SSE schemes concentrating on rich queries [32][33][34]. However, those works mainly focused on searchable encryption under static conditions, that is, there is no update of files. Due to the universality of dynamic operation, it is important and necessary to migrate it to the cloud services. erefore, the dynamic searchable encryption (DSSE) is more in line with the practical situation.
In 2012, Kamara et al. [7] constructed a DSSE scheme based on the inverted index technique and achieved sublinear search complexity and CKA2-secure. And then they [8] constructed another dynamic searchable encryption scheme based on the red-black tree index and achieved parallel search of keywords and parallel addition and deletion of files. ere are others scheme including Naveed et al. [9] based on the blind storage, Xia et al. [10] based on the tree-based index, and Guo et al. [11] based on the inverted index. At the same time, DSSE schemes leak some information such as search pattern (the pattern in search queries), size pattern [18] (the number of search results), and access pattern (how the encrypted data or indexes are accessed). ese attracted people's attention. Zhang et al. [17] proposed a file-injection attack in 2016, and the attacker can determine the keywords corresponding to the token by injecting files containing different keywords. e effective attack calls for the stronger security of DSSE. e trivial way of downloading and then decrypting the full encrypted files to obtain the needed files contradicts the purpose of search encryption. e ways of using secure twoparty computation, fully homomorphic encryption, and oblivious RAM to realize the higher level of security waste more local storage space and acquire high computational and communication complexity. Both of them are very expensive and impractical.
In 2014, the term of forward privacy and backward privacy was first proposed by Stefanov et al. [18], and it is the new secure goal that dynamic searchable encryption schemes should meet in the practical level. Since 2014, some schemes have been proposed to achieve it using different methods, including but not limited to Stefanov et al. [18] based on a hierarchical structure of logarithmic levels; Bost [19] based on trapdoor permutations, and then they proposed a forward and backward scheme relying on primitives such as constrained pseudorandom functions and puncturable encryption schemes [35]; Wang et al. [20] based on the proxy server; Sun et al. [21] based on the symmetric puncture encryption primitive; and Kim et al. [22] based on dual dictionary.
As for the DSSE for multiusers, some works have been carried out. As for multiwriter/multireader, Nair and Rajasree [13] used a bilinear accumulator to implement a fine-grained multiuser solution for search control and access control; Popa and Zeldovich [36] proposed a method for encrypting different files with different keys. As for single writer/multireader, Curtmola et al. [31] proposed the first scheme structure based on broadcast encryption; Wang et al. [20] proposed a multiuser forward secure dynamic searchable symmetric encryption in 2018; Jarecki et al. [37] used the forgotten PRF to generate keyword trapdoors. However, the research on the Dynamic Searchable Symmetric Encryption for multiusers with Forward and Backward Security (FBM-DSSE) is not enough.

Cryptographic Tools
ere are security parameter λ and κ polynomial in λ. ere are key space as the advantage of the adversary A against the pseudorandomness of F, where K is a random element in key space and ϕ: D ⟶ R is chosen in all functions from D to R. If for any PPT adversary A, the advantage Adv PRF A,F (λ) is a negligible function; then, we say that F is a negligible function.

Homomorphic MAC.
In this paper, we will use a construction of a homomorphic message authenticator scheme (HMAC) allowing for homomorphic evaluation and arbitrary composition (i.e., outputs of previously authenticated computations can be used as inputs for new ones). e scheme is simple and efficient and its security relies only on a pseudorandom function.
A HMAC is 4-tuple of algorithms working as follows: Setup: 1 λ ⟶ (sk, ek). For a security parameter 1 λ , the algorithm outputs the secret key sk and evaluation key ek needed in the scheme. Auth: (sk, τ, m) ⟶ σ. is algorithm inputs the secret key sk, a label τ, and a message m ∈ M, and it outputs the corresponding tag σ. Ver: (sk, m, P, σ) ⟶ 0 or 1.
is algorithm inputs the evaluation key sk, a circuit f: M n ⟶ M, and σ 1 , ..., σ n , and it outputs a new tag σ. We restrict that the arithmetic circuits f used in the proposed scheme only has the additive gates, so the size of the produced tags will not grow. e concrete description of the HMAC scheme is shown in [24].

Symmetric Encryption. A symmetric encryption consists of the following algorithms:
Gen: 1 λ ⟶ sk. For a security parameter 1 λ , the algorithm outputs the secret key sk needed in the scheme. Enc: (sk, m) ⟶ c. is algorithm inputs the secret key sk and a message m ∈ M, and it outputs the Security and Communication Networks corresponding ciphertext c. Since Enc may be randomized, we write this as c ⟵ Enc sk (m). Dec: (sk, c ). is algorithm inputs the secret key sk and ciphertext c, and it outputs m or⊥. We assume that Dec is deterministic, and so write m: � Dec sk (c). CPA-Secure: there is a symmetric encryption Π � (Gen, Enc, Dec), and the IND-CPA experiment is shown below.

Privk CPA
A,Π (n): (2) Send 1 n to adversary A, and A can ask the random and send it to A, where c is named to the challenge ciphertext. (4) A continues to ask the random oracle c ⟵ Enc sk (m) and outputs a bit b ′ .
for all Probability Polynomial adversary A, and there exists a negligible function negl:

Notations.
We show some notations used in the proposed scheme in Table 1. Figure 1, the system model consists of three entities: the data owner, data users, and the cloud server.

Data
Owner. e data owner extracts the keywords from files and constructs the plain index. en, he encrypts all files and the index with different private keys and uploads the encrypted EDB to the cloud server. Besides that, he is also responsible for managing users and updating files. More specifically, he distributes keys, updates tokens to users, and sends the updated encrypted files and index to the cloud server. And the data owner is assumed to be always trusted.

Cloud Server.
e main job of the cloud server is to store the encrypted files and index from data owner and perform searches for data users. When receiving the updated information from the data owner, it updates the encrypted database. Upon receiving the search requests from data users, it performs search operation over the index and returns the search results to data users. e cloud server is regarded as an honest but curious entity. at is to say, it performs algorithms honestly but will try its best to get more valuable information. Besides, the cloud server may return invalid or nonupdated search results to the data user because of computation mistakes.

Data Users.
Data users are authorized and shared with some keys needed in the scheme by the data owner. When they want to search files containing the interested keyword, they send the search token to cloud server and receive the search results. Furthermore, they can verify the validity of the results with the help of the data owner. e data users are assumed to be always trusted.

Security Model. We use two games DSSEREAL
is the same as the DSSE. And the DSSEIDEAL Γ A,S (1 λ ) is conducted by simulator S with the leakage of DSSE. e leakage of DSSE is parameterized by a function L � (L Stp , L Srch , L Updt ), which describes the information leaked to the adversary A. e adversary A will interact with DSSEREAL Γ A (1 λ ) or DSSEIDEAL Γ A,S (1 λ ) and guess. If the adversary A can correctly guess the game he interacts only with a negligible advantage, then we can say the DSSE is secure because of the leaked information limited to the leakage function L.

DSSEREAL Γ
A (1 λ ): the adversary A chooses a database DB and inputs it, then this game performs the Setup(1 λ , DB) and outputs EDB. During the search phase, the adversary A runs search query q or update query (op, in), where op is the operation and the in is the identifier of the file. e game outputs the search results by performing Search(q) or Update(op, in). Eventually, A outputs a bit. DSSEIDEAL Γ A,S (1 λ ): the adversary A chooses a database DB and inputs it; then, the simulator S performs the L Stp (1 λ , DB) and outputs EDB. During the search phase, the adversary A runs search query q or update query (op, in). e simulator S outputs the search results by performing the leakage function L Srch (q) or L Updt (op, in). Eventually, A outputs a bit.

Definition 2.
A DSSE scheme Γis L -adaptively secure only if for every PPT adversaryA, and there exists an efficient simulator S and a negligible function negl such that

Forward and Backward Security.
In 2016, Bost [19] defined the traditional forward privacy that the server cannot link the newly updated files with previously searched keywords. And in Li et al.'s work [23], they further defined the forward update privacy, strong forward search privacy, and weak forward search privacy. e forward update privacy requires that the information leaked in update operation should not be more than the identifier and the number of keywords of newly updated files. And the strong forward search privacy implies fully oblivious search operation, which is a too strong notion to achieve unless using the expensive protocols such as ORAM or PIR. e weak forward search privacy means the leaked information is the list of files containing the keyword w at the time t. Our scheme can achieve forward update privacy and weak forward search privacy, but for the consistent with most studies, we adopt the traditional forward privacy which is defined as follows.
Definition 3. A L -adaptively secure DSSE scheme Γ is forward secure if the update leakage function L Updt can be written as where (ind i , μ i ) is the set of modified documents paired with number μ i of modified keywords for the updated document ind i . Specially, the leakage function L Updt (op, w, bs) � L ′ (bs) in this paper.
In 2014, the term of backward privacy was first proposed by Stefanov et al. [18], and it was clearly defined by Bost et al. [35] in 2017. ey defined three backward privacy from Type − I to Type − III, and Zuo et al. [26] formulated the most secure definition Type − I − in 2019. Our construction will adopt the latter, which is defined as follows.
where t is a timestamp, sp(w) � t : (t, w) ∈ Q is a search pattern, rp(w) � bs represents all file identifiers that currently match w, and L ′ and L ′′ are stateless.

Overview.
We mainly consider how to achieve forward and backward security when the cloud server is semihonest and the users are honest (the collusion between the cloud server and the user is not considered here). In order to achieve such a security goal, we use a pseudorandom function to shuffle the order of files so that the cloud server cannot identify the specific relationship between the index  Security and Communication Networks and the files from the search results and cannot get any private information. First, it is necessary to ensure that the search token of the keywords will be changed after the update; otherwise, the cloud server will learn whether the newly updated documents match a previously searched keyword or not. Here, in order to reduce the computational complexity of the index update and facilitate the user to update the search token, we adopt the HMAC technology. e plain index is regarded as the message m and HMAC.Auth(m) is regarded as the symmetric key of the encrypted m. In this case, the data owner only needs to send HMAC.Auth(Δm) to the user and the user invokes the HMAC.Eval algorithm to get the latest key, which can be used to generate a search token.
Second, in order to not let the cloud server obtain the specific relationship between the index and the files, we assign a key to each column. When an update occurs, we use PRF to reorder the columns corresponding to the files and re-encrypt those files with the new key. It can be seen that our scheme is more suitable for scenarios where the ratio of file updated is relatively large.
ird, there will still be cases where the file has not been updated and the relationship with the column of the index has not changed. e adversary cannot distinguish them because the index has been updated with the CPA-secure symmetric encryption scheme.

e Bitmap Index.
In this article, we use the bitmap index which is an inverted index with O(1) search time. Specifically, we first extract keywords from the files. e bitmap index is a matrix of 0 and 1. e columns of the matrix correspond to different files. e rows of the matrix correspond to the keywords. If the number of the ith row and the jth column of the matrix is 1, it means that the keyword is included in the file, otherwise vice versa. e advantage of the bitmap is that it can easily implement the update of the index.
Take a simple example for simplicity, and there are 5 files at time t. e index of the keyword w corresponding to the ith row is represented by a binary string 01001, which indicates that the files corresponding to the 2nd and 5th column contain w. At time t + 1, the index of w is updated and become 01100, which means that the files corresponding to columns 2 and 3 now contain w, and the file corresponding to column 5 does not contain w any more. In order to update the index and search token, the data owner only needs to change the index from 01100 to 01001, which is an easy operation.

e Homomorphic Message
Authenticator. When data updates, the data owner needs to update the search token and send it to data users otherwise they cannot search on cloud any more. In order to explain clearly and simplicity, we still use the above example. e data owner updates the search token by calculating 01100 − 01001and sends the HMAC.Auth(01100 − 01001) to data users. en, users execute HMAC.Eval and get the new search token. Since only the data users have the evaluation key, the interaction does not need the secret channel. Furthermore, the communication overhead is only a HMAC tag which efficiently reduces the transmission complexity and the whole process is simple.

e Pseudorandom Functions.
e Pseudorandom Functions is mainly used to generate the bitmap index. For example, there are 5 files f 1 , f 2 , f 3 , f 4 , f 5 and 3 keywords w 1 , w 2 , w 3 . And in time t, the files are mapped to (3,4,5,1,2) and the keywords to (3, 1, 2) by pseudorandom functions. e former means the first column of index indicates f 3 , the second one is f 4 , and so on. e latter shows the first row of index indicates w 3 , the second one is w 1 , and the last is w 2 .

Concrete
Construction. Now, we are ready to give our dynamic searchable symmetric encryption scheme for multiuser with forward and backward security. See Algorithm 1 for more information. Our scheme is based on the framework of DSSE � (Setup, Update, Search) and calls HMAC � (HMAC.Setup, HMAC.Auth, HMAC.Ver, HMAC.Eval) and keyed PRF. e scheme is defined by Algorithm 1.
Setup: 1 λ ⟶ (PK, SK) e algorithm is run by the data owner. For a security parameter 1 λ , the algorithm outputs the PK and SKneeded in the scheme.
Update: (SK, EDB t , ΔF, ΔW) ⟶ (EDB t+1 , Δσ t w ) e algorithm is run by the data owner too. At the beginning, the initial index and EDB are empty, so when t � 0, it means that it is the first time for the data owner to add the file. When t ≠ 0, it means the normal update operations. It should be noted that, in order to be consistent with the DSSE structure, we have omitted the algorithm of adding users in Algorithm 1 FBM-DSSE, and the algorithm is defined as Algorithm 2: Adduser.
Search: (t, UL, w, E DB t ) ⟶ C t w is polynomial time algorithm is executed by the cloud server and the users. When data users want to search w, he runs the line 1 to 8, generates the search token Tr u (w), and sends it to cloud server. en, the cloud server verifies the legitimacy of the user and performs a search. Finally, the cloud server outputs the search results.
Actually, we have omitted the decryption and verification algorithms in Algorithm 1 FBM-DSSE for the same reason. And the algorithms are defined as Algorithm 3: Decrypt and Algorithm 4: Verify.

Security Analysis.
In this section, we first present the correctness of the proposed scheme and then give the security analysis.

Correctness.
if the user wants to search for files containing the keyword w at time t, he executes lines 1-8 of the search algorithm and then sends the search token of w to the cloud server. e ciphertext index saved in cloud is generated by the same pseudorandom function, which ensures the correctness of the searched keywords. Secondly, according to the bitmap index generation process and the Setup:1 λ ⟶ (PK, SK) (1) input a security parameter λ (2)  (1) if t � 0 then (2) extract keywords W � w { } n from the files F t (3) attach keys with column identifiers c (0 ≤ c ≤ l) (4) for each column identifier c (5) k c ⟵ H(FK, c) (6) (match files to column identifiers and encrypt files) (7) for each file f ∈ F t (8) c w1 , a w2 , . . . , a wl ): (27) forming the ΔF (28) for each file f ∈ ΔF (29) if op(f) � add or modify (30) f cloud server being semihonest, the cloud sever will search 1 in the index and return corresponding files, so the returned file does contain the keyword w.

Security analysis.
en, we will show the security analysis of the proposed scheme.  Proof. As mentioned above, the server is the semihonest adversary A who correctly follows the protocol but attempts to use the messages received to learn information that should remain private. e challenger C is responsible for generating EDB and the search tokens of w.
Game G 0 : G 0 is the same as the real world game DSSEREAL FBM−DSSE A (λ), and there is Game G 1 : in G 1 , when querying H to generate the key for a column c, the challenger C chooses a new random key if the column c is never queried before and stores it in a table Key. Otherwise, return the key corresponding to w in the table Key. e adversary A cannot be able to distinguish between G 0 and G 1 , otherwise we can build an adversary B 1 to distinguish between H and a truly random function. More formally, Game G 2 : in G 2 , we model the R as a table just like H in G 1 ; then, we can build an adversary B 2 to distinguish between R and a truly random function, and there is Similarly, we build the G 3 forP 1 and G 4 for P 2 . Game G 5 : in G 5 , as shown in Algorithm 1, in the update stage, the challenger C randomly picks a string for every keyword w as the updated index and gets the new EDB. Now, we will show that the adversary A gets more things than the new EDB is negligible.
(1) In the update stage, Q changed the order of the keywords in the new index. e two search tokens were σ t w and σ t+1 w . e adversary could not get specific information about the keywords based on them. Even if the index corresponding to the keyword has not changed, HMAC.Auth will generate a corresponding label for a string of 0. Otherwise, it would conflict with the authentication of HMAC.
(2) e probability of using the search token corresponding to the keyword w to decrypt the indexes of other keywords w is negligible. Even if the indexes are the same, because the difference among keywords decides that in corresponding keys, it is impossible to achieve Dec σ t w′ (Enc σ t w (α t w′ )), where w ′ ≠ w, otherwise it will contradict the security of symmetric encryption.
(3) Similarly, even if the file has not changed and the corresponding encryption key has not changed, it is impossible for an adversary A to obtain relevant information about the file based on the ciphertext of the index because symmetric encryption is CPAsecure.
(4) Obviously, for an adversary A who does not have the ek, even if he obtains Δσ t w , he will not be able to obtain a new key. Otherwise, there will be an adversary that can break the security of HMAC.
Simulator. We can replace the searched keyword w with sp(w) in G 5 to simulate the simulator S. And now we are ready to show that G 5 Finally, where ε is negligible, which completes the proof.

Multifunctional Search
Due to using the bitmap index, our scheme is easily extended to support multifunctional search. Specifically, Hu et al. [29] proposed an efficient and secure multifunctional searchable symmetric encryption schemes which supports wildcard search, similarity search (including hamming distance and edit distance), fuzzy keyword search, and disjunctive keyword search simultaneously. Hu's scheme builds a bloom filter for every keyword followed by a encryption index I ′ � Enc(k s , F w , w, r d), where k s is the symmetric private key and r d is the random value generated by a random function. If one replaces the encryption index in [29] with our bitmap index, the new scheme can achieve all the functional searches in [29].
As for the conjunctive keyword search, the primary schemes first search for one keyword at a time and then collect the results together. Our scheme can achieve a more effective way. First, data users provide keywords' search token to the server; then, the server decrypts the corresponding rows in the bitmap index, conducts the conjunctive operation, and finally returns the result set.

Performance Analysis
In this section, we first summarize the comparisons between our scheme and prior forward private schemes. See Table 2, where F/B in security, respectively, shows the forward privacy/backward privacy, where B1 means Type − I backward privacy, B1 − describes Type − I − backward privacy, and B3 indicates Type − III backward privacy. NA/A means the scheme is nonadaptive/adaptive indistinguishability security; D/S in dynamism column describes dynamic or static; S/M shows single/multi; R in the column of computable complexity denotes the round in search phase; Do represents the date owner; D denotes the number of documents in the document collection; N is the number of keyword/file-identifier pairs; a w /d w is the number of added/ deleted entries for keyword w; W is the collection of distinct keywords; t ma is the computational time of a modular addition; D(w) is the number of files currently matching keyword w; m means the number of subkeywords; and u w is the number of the keywords whose D(w) has changed. en, we evaluate the performance of the proposed scheme. We implement our scheme using LINUX in Windows 10 with an Intel Core i7-8550U CPU 2.00 GHz processor and 16 GB memory. We simulate the update algorithm and search algorithm on this machine to evaluate the computation overhead time cost of our scheme. In our experiment, the size of each file is 50 kB, the number of the keywords is 5,000, and the symmetric encryption scheme and public key encryption scheme are AES and RSA, respectively. We simulate the number of files on 10,000 to 100,000 by an increase of 10,000 each time.
In the update phase, the data owner needs l times (number of columns) symmetric encryption operations, |W| times index homomorphic message authentication, and |W| times symmetric encryption; Figure 2 shows the total time required to generate the index.
In the search phase, the user only needs to perform the public key encryption operation once, and if there is an update, he needs to perform another homomorphic operation (when only one keyword is searched); Figures 3 and 4 illustrate the time cost of search token generation for users and search time for the cloud server.
In the search phase, the server needs to perform a public key decryption operation and a symmetric decryption operation. Figure 5 displays that the time cost of search for server which is mainly in the RSA. ese figures illustrate that the effect of the increase in the number of files on the search phase is linear, which is reasonable but an exponential growth for index generation. e crux of our scheme is the update algorithm, so we concluded that the proposed scheme is more suitable for small databases and achieves the enhanced security guarantees at the reasonable price of efficiency.
In order to simplify the update algorithm, we propose two more efficient methods for updating at the cost of losing some security. It is a tradeoff between efficiency and security. One is a new update algorithm named the cycle Δt. For files that will not be updated in the short term, the data owner calculates the ciphertext of time t to time t + Δt and Δt is a cycle. When the data owner is updated at time t, he arranges them in the corresponding column in chronological order. If the update time is t ′ ∈ t, t + Δt { }, the data owner only needs to upload the files that need to be changed and a certain amount of dummy data without downloading the files that does not change. Taking t � 3 as an example, the specific description is as follows.
Another method is that the data owner can use a proxy server. e proxy server is semihonest in the sense that it honestly runs the protocols but is curious to obtain privacy information. Additionally, it cannot collude with the cloud server. e proxy server is mainly responsible for the update of the database. Specifically, the data owner calculates the updated ciphertext together with the proxy server and stores it on the proxy server. And then proxy server interacts with the cloud server according to the specified time period and updates the ciphertext. Moreover, it is also responsible for updating the trapdoor. And we are studying further how to construct a FBM-DSSE scheme under a proxy server or a malicious server in the future.

Conclusions
In this work, we propose a Dynamic Searchable Symmetric encryption scheme for multiuser with Forward and Backward Security (FBM-DSSE). e proposed scheme realizes the Forward and Backward Security in Dynamic Searchable Symmetric encryption for multiuser. More specifically, the proposed scheme adopts a keyed pseudorandom function to hide the correspondence between files and indexes, takes symmetric encryption to improve the efficiency of file encryption and update, and uses HMAC to improve the efficiency of updating search tokens as files are changed. Furthermore, our scheme also supports verifiability and can be extended to multifunctional search. Further research work aims to reduce the computational complexity and communication complexity of the data owner and server. It will also combine access control to achieve fine-grained user management and file search.

Data Availability
All data included in this study are available upon request from the corresponding author.   12 Security and Communication Networks