Multiauthority Attribute-Based Keyword Search over Cloud-Edge-End Collaboration in IoV

School of Communication and Information Engineering, Chongqing University of Posts and Telecommunications, Chongqing, China; Advanced Network and Intelligent Interconnection Technology Key Laboratory of Chongqing Education Commission of China, China; Chongqing Key Laboratory of Ubiquitous Sensing and Networking, Chongqing, China; State Grid Information and Communication Industry Group Limited, Beijing, China


Introduction
IoV collects and transmits vehicle data to the network through in-vehicle sensing devices, which largely facilitates intelligent transportation systems [1][2][3]. Currently, with the development of IoV technology and the increase in the number of vehicles, users' demands for intelligent access to vehicle information are increasing. Since IoV data usually includes users' private information (e.g., vehicle location), privacy protection becomes a key factor affecting IoV user search experience. However, in-vehicle networks exposed to unprotected environments are more vulnerable to security threats in data storage, transmission, and sharing [4,5] and have limited computation and storage capacity to effectively support secure sharing of IoV data.
Outsourcing massive amounts of data to the cloud and edge can effectively alleviate the resource-limited issue of IoV devices and facilitate data sharing, but the cloud and edge are usually perceived as "honest and curious" [6,7], meaning they will honor agreements honestly but may have unauthorized access to some sensitive data. Hence, searchable encryption (SE) [8] is proposed to support outsourced data encryption and enable keyword search in the ciphertext domain, where special encryption algorithms are used by data owners and search users for encryption of plaintext data, indexes, and queries to perform accurate or near-accurate keyword matching operations on the ciphertext.
Facing the massive amount of IoV data, fine-grained access control to the data in secure retrieval is of great importance to users. The CP-ABE scheme [9,10] embeds the access policy into the ciphertext; the user can decrypt the ciphertext only when the user attributes satisfy the policy; thus, the data owner can control the access to the data, which is ideal for dynamic IoV environments. However, most existing CP-ABE schemes are mainly based on cloud computing architecture [11,12], are designed for single attribute authority scenarios [13][14][15], and have high computational complexity. Among them, centralized cloud computing imposes a heavy computation and storage burden on cloud servers, and remote cloud-oriented data transmissions cause high communication cost and large latency [16][17][18]. User registration and key generation at a single attribute authority are resource-intensive and time-consuming, which may lead to single-point failure of the attribute authority and serious consequences such as key and user privacy leakage, ultimately affecting the availability of the search system. Besides, multiple types of sensing devices are deployed on vehicles to collect corresponding vehicle attribute data, while users may only need vehicle data for a certain attribute; traditional keyword search will return ciphertext for all attributes of the vehicle, which will bring additional computation consumption and communication overhead for users.
Compared with centralized cloud computing, cloud-edge-end collaborative architecture can effectively reduce search latency and the computational load on the cloud by fusing the advantages of the edge being closer to users and the cloud having abundant resources [19][20][21]. Figure 1 illustrates the IoV cloud-edge-end collaborative architecture. Therefore, this paper designs a multiauthority attribute keyword search (CEABKS-MA) system based on cloud-edge-end collaboration, which can effectively reduce the computation and storage burden of resource-constrained parties in the system and achieve efficient and secure fine-grained keyword retrieval for IoV data. The main contributions of this paper are as follows:
(i) Fine-grained keyword search with support for attribute update and lightweight encryption is extended in access control. Vehicles carrying multiple sensors are abstracted into one or more attributes to enable retrieval of specified vehicle attributes. The attribute update function effectively prevents malicious users whose attributes have been revoked from stealing data, and the online/offline encryption method further reduces the computation burden on users
(ii) A cloud-edge-end collaborative search method is proposed, where users can achieve real-time and historical search by sending a trapdoor to the nearest edge. Besides, the edge provides a ciphertext predecryption service, and the search user can obtain plaintext data by performing a simple calculation
(iii) A multiauthority structure is designed to implement distributed key management, which decentralizes the expensive and time-consuming key generation and distribution tasks of the central authority to each attribute authority, which can better adapt to the spatial characteristics of vehicles and distributed IoV topology
The main content of this paper is as follows. Section 2 discusses related work. Section 3 introduces preparatory knowledge. Section 4 presents the system model, formal definition, and security model. Section 5 describes in detail the construction of the CEABKS-MA system. Section 6 analyzes the security and performance of the CEABKS-MA system. Section 7 concludes this paper.

Related Work
This section includes three parts: (1) searchable encryption, (2) privacy-preserving in IoV, and (3) secure data sharing in IoV.

Searchable Encryption.
With a large number of data owners outsourcing critical private data to access rich computational and storage resources at a lower cost, the SE scheme that enables encrypted data retrieval is widely studied and applied [22][23][24]. Song et al. [8] first introduced a symmetric search encryption (SSE) scheme in 2000 to enable a single keyword search over ciphertext. Boneh et al. [25] proposed the first Public-Key Encrypted Keyword Search (PEKS) scheme, which has a broader application scenario than the SSE scheme and can support secure data sharing among multiple data owners. Sahai and Waters [26] introduced an Attribute-Based Encryption (ABE) scheme in 2005, which supports one-to-many encryption, greatly reduces the number of keys generated, and is an effective way to achieve fine-grained access control, and since then, researchers have studied the ABE scheme extensively.
The ABE scheme mainly consists of Key-Policy ABE (KP-ABE) [27] and Ciphertext-Policy ABE (CP-ABE) [28]. Bethencourt et al. [28] first proposed the CP-ABE scheme in 2007, by using attributes to express the user's authentication credentials and tokenizing the key; the user could decrypt the ciphertext if the set of attributes hidden in the user's key matched the access policy embedded in the ciphertext by the data owner, which was more suitable for dynamic scenarios than the KP-ABE scheme that embeds the access policy in the key. Keyword search is an effective way to help users rapidly filter the data they need, based [29][30][31]. Qiu et al. [29] devised an attribute keyword search scheme that could resist keyword guessing attacks to maintain the indistinguishability of keywords and access structures. Miao et al. [30] presented an attribute-based encrypted keyword search scheme for verifiable attributes and considered the access rights of the same data based on the priority tree of the attributes. Zhang et al. [31] designed a lightweight searchable encryption protocol for industrial IoT that can provide users with connected keyword search while extending the scheme to multiauthority scenarios to efficiently generate and manage keys, but the system did not have the attribute update function and was less dynamic.

Privacy-Preserving in IoV.
With the large amount of sensitive data in IoV being collected by sensors carried by vehicles, the issue of user privacy protection involved in the collection, transmission, and storage of vehicle data has received a lot of attention from researchers. Wu et al. [32] focused on vehicle anonymity and driving privacy in IoV by designing a privacy-preserving system equipped with a priori and a posteriori countermeasures for message verification, thereby improving the reliability of vehicle-to-vehicle (V2V) communication. Kumar et al. [33] proposed a privacy-preserving IoV framework based on blockchain technology and built a deep learning module to detect data in the blockchain to guarantee data security. Zhou et al. [34] considered the location privacy problem of the designed EVN architecture and introduced edge computing to propose a differentiated privacy-preserving service framework. Kang et al. [35] used fog computing to achieve effective user location privacy protection and avoided high latency and cost problems. Wu et al. [36] focused on privacy leakage when computing tasks were offloaded in IoV scenarios, quantifying the potential threats when vehicle users offloaded computing tasks based on physical layer security theory. The above schemes have effectively investigated data privacy protection in IoV, but they mainly focus on vehicle location privacy or data storage privacy and do not expand much on secure retrieval and sharing of IoV data.

Secure Data Sharing in IoV.
Data sharing can further increase the value of IoV data utilization; as users are increasingly concerned about privacy protection when performing information retrieval, researchers have conducted preliminary studies on IoV data secure retrieval using existing technologies. Chen et al. [37] designed an IoV data sharing incentive mechanism based on the tamper-proof performance of blockchain to ensure the integrity of data on the chain. Cui et al. [38] designed a traceable and anonymous V2V data sharing scheme using federated blockchain technology to track the origin of data and prevent data from being shared twice by malicious users, but the above two schemes have difficulty supporting the user's flexible data retrieval needs.
Several studies have improved the ABE scheme in secure retrieval of IoV data and fine-grained access control. Wang et al. [39] extended ground-based IoV scenarios to Space-Air-Ground Integrated Vehicular Networks (SAGIN); a valid keyword conversion algorithm based on a single lattice algorithm and particle encryption is proposed to achieve fuzzy retrieval, and keyword weights are calculated using dependency grammar and phrase structure tree to improve retrieval precision. Zhang et al. [40] proposed a secure retrieval scheme for IoV data based on cloud-fog collaboration, focusing on the problem of accessing sensitive data by malicious users whose attributes are revoked, proposing the concept of auditable user revocation, and giving a verifiable online/offline calculation method. Considering the problems of high computational consumption and low efficiency of serial outsourcing decryption of the ABE scheme, Feng et al. [41] introduced the edge computing to support parallel outsourcing decryption, and the designed scheme can be extended to existing ABE schemes built based on tree structure and linear secret sharing.
However, the above studies utilize the single attribute authority for complex key generation and management tasks when building a secure retrieval scheme for IoV data in combination with an ABE scheme, which is prone to the single-point performance bottleneck. In addition, for IoV scenarios, the computational complexity of the scheme should be minimized without sacrificing efficiency and security.

Preliminaries
3.1. Bilinear Groups. Assume that $G$, $G_T$ are two multiplicative cyclic groups of order $p$, where $p$ is a prime, $g$ is a generator of $G$, and the bilinear mapping $e : G \times G \to G_T$ has the following properties:
(1) Bilinear. $e(g^a, g^b) = e(g, g)^{ab}$, $\forall a, b \in Z_p$
(2) Nondegeneracy. $e(g, g) \neq 1$
(3) Computability. $\forall x, y \in G$, there exists a valid polynomial-time algorithm to compute the value of $e(x, y)$

3.2. Access Structure. Let $P = \{P_1, P_2, \cdots, P_n\}$ be a set of attributes, and the access structure $\Lambda \subseteq 2^P$ is monotonic. The access structure $\Lambda$ is a nonempty subset of the set $2^P$, the sets in $\Lambda$ are authorized sets, and the sets not in $\Lambda$ are unauthorized sets.

Linear Secret Sharing Scheme (LSSS).
If the following conditions both hold, an LSSS over P is linear.
(1) The sharing of each attribute forms a vector on $Z_p$
(2) Let $M$ ($l \times n$) be the shared matrix of LSSS to describe the access structure $\Lambda$, the $i$th row is defined as $M_i$ ($i \in [1, l]$), and the mapping function $\rho(\cdot)$ maps each row $M_i$ to a certain attribute $\rho(i)$. Given a randomly chosen vector $x = \{s, y_1, y_2, \cdots, y_n\} \in Z_p^n$,

Wireless Communications and Mobile Computing
where $s$ is the shared secret value, then $Mx^T$ represents the $l$ shares of $s$ in LSSS, where the share $M_i x$ belongs to an attribute $\rho(i)$, denoted as $\lambda_i = M_i x$.
The LSSS defined in the above way is reconfigurable: assume that $(M, \rho)$ denotes the access structure $\Lambda$ of the LSSS, the set of authorized users $S \in \Lambda$, and define $I = \{i,$

(i) Central Authority. The CA is responsible for initializing the system and registering multiple SUs and AAs
(ii) Attribute Authority. Each AA is independent of the others, and there is no intersection between the attributes managed. The AA is responsible for the generation and distribution of user keys within the domain and supports attribute updates for authorized users
(iii) Vehicle Node. Different kinds of sensors carried by vehicles observe the vehicle status in real-time, and the VN obtains an attribute-based access structure from AA to encrypt and upload the collected vehicle datasets to the nearest ES
(iv) Edge Server. The ES is mainly responsible for the following three tasks. First, it stores vehicle instant ciphertext and forwards vehicle historical ciphertext to CS. Second, it provides instant search service to SU and forwards trapdoor from SU to CS to realize historical search. Third, it provides ciphertext predecryption service to SU whose attributes satisfy the access structure
(v) Cloud Server. The CS provides outsourced storage and search service for the vehicle historical ciphertext. In addition, the CS sends the matching ciphertext to ES for predecryption after an accurate keyword search
(vi) Search User. The SU obtains the secret key from AA and wishes to freely access ciphertext resources in ES or CS without compromising privacy while reducing the computational burden of decrypting the ciphertext

System Model and Definition
In the CEABKS-MA system, the CA and multiple AAs, as fully trusted third parties, are real-time online and have sufficient computing and storage resources to perform tasks such as system initialization and key distribution. The CS and multiple ESs are "honest and curious"; they perform ciphertext storage and search services honestly but may try to obtain more private data without authorization.

Formal Definition.
Let $S_A = \{AA_1, AA_2, \cdots, AA_N\}$ denote the set of multiple AAs, the $AA_j$ ($j \in [1, N]$) has a set of attributes $L_j = \{att_{1,j}, att_{2,j}, \cdots, att_{U,j}\}$, and the number of attributes managed by $AA_j$ is denoted as $U_j$. The proposed CEABKS-MA system includes the following polynomial-time algorithms.
(1) $CAsetup(\kappa) \to (PP, MSK)$. Given the security parameter $\kappa$, the CA generates the public parameters $PP$ and the master key $MSK$, and generates a unique identifier $uid$ for each authorized SU
(2) $AAsetup(PP) \to (ASK_j, APK_j)$. Given the public parameters $PP$, the $AA_j$ generates an attribute public key $APK_j$ and an attribute private key $ASK_j$ for each set of attributes it manages
(7) $Search(CT, T_{kw'}) \to \{0, 1\}$. Given the trapdoor $T_{kw'}$ and the ciphertext $CT$, the ES or CS conducts the search algorithm; if the query is successful, it outputs "1" and performs the ciphertext predecryption operation; otherwise, it outputs "0"
Given the ciphertext $CT$ and the predecryption key $PSK_{j,uid}$, the ES outputs the partially decrypted ciphertext $CT_{out}$ and sends it to $SU_{uid}$
(9) $Dec(CT_{out}, z) \to sk_{E_a}$. Take the partially decrypted ciphertext $CT_{out}$ as input, and the $SU_{uid}$ performs this algorithm to decrypt the ciphertext lightly using the blind value $z$
[42], as well as the Indistinguishability of Chosen Keyword Attack (IND-CKA) [43].
In this subsection, we define the following interactive game between challenger B and adversary A.
(1) IND-CPA security
Initialization. Adversary A announces a challenging access structure $\Lambda^*$ and sends it to challenger B.
Setup. B first runs the Setup algorithm, outputs the public key $PK$, and sends it to A.
Phase 1. A can adaptively send any attribute set $S$ to B, with the restriction that no submitted attribute set satisfies $\Lambda^*$. For each attribute set $S$, A executes the Keygen algorithm to output the key and sends it to B. Moreover, A can make any queries for the updated key related to the canceled attribute $v'_i$.
Challenge. A selects two messages $m_0$, $m_1$ of equal length and sends them to B; then, B randomly selects $\kappa \in \{0, 1\}$ and uses $\Lambda^*$ to encrypt $m_\kappa$. Finally, B returns the challenging ciphertext $C_\kappa$ to A.
Phase 2. A repeats Phase 1 for other sets of attributes, but none of them satisfy $\Lambda^*$.
Definition 1. If the advantage of any polynomial-time adversary in winning the above game is negligible, then the CEABKS-MA system is IND-CPA secure.
(2) IND-CKA security
Challenge. A selects two keywords $kw_0$, $kw_1$ with the same length, and then, B randomly selects $\kappa \in \{0, 1\}$, generates index $I_{kw_\kappa}$, and returns it to A.
Phase 2. The process of Phase 2 is similar to that of Phase 1.
Guess. A outputs $\kappa' \in \{0, 1\}$; if $\kappa' = \kappa$, then A wins the security game; otherwise, it fails.

Assume that $H : \{0, 1\}^* \to Z_p$ is a one-way hash function, and $e : G \times G \to G_T$ is chosen as a bilinear mapping, where $G$ and $G_T$ are $p$-order cyclic groups whose generators are $g$ and $g_T$, respectively. The initialization process is divided into two stages, which are described in detail as follows.
(i) $CAsetup(\kappa)$. The CA executes the algorithm using the security parameter $\kappa$, obtaining the global bilinear parameter $GP = (e, g, G_T, G)$, and then randomly selects $a_0, a_1 \in Z_p^*$ to compute $Y = e(g, g)^{a_0}$, finally obtains the public parameter $PP = \{GP, g^{a_0}, g^{a_1}, Y\}$ and the master key $MSK = \{a_0, a_1\}$
(ii) $AAsetup(PP)$. For each attribute $Att_{i,j} \in L_j$ ($i \in [1, U_j]$), the $AA_j$ picks a random element $\alpha_i \in Z_p$ and computes $h_i = g^{\alpha_i}$, then randomly chooses $v_i \in Z_p$ to get the attribute version key $APK_{i,j} = g^{v_i}$, $ASK_{i,j} = v_i$. Finally, the $AA_j$ gets the attribute private key $ASK_j = \{\{\alpha_i\}, \{v_i\}\}_{i \in [1, U_j], j \in [1, N]}$ and the attribute public key $APK_j = \{\{h_i\}, \{APK_{i,j}\}\}_{i \in [1, U_j], j \in [1, N]}$

Key Generation
(i) Keygen. The $AA_j$ computes $K' = g^{a_0 a_1}$, and for each attribute $\tau \in S_{j,uid}$, picks a random value $t \in Z_p$ and computes $K_1 = g^{a_0} g^{a_1 t}$, $K_2 = g^t$, finally constructs a private key $USK_{j,uid} = \{K', K_1, K_2\}$ and sends it to $SU_{uid}$
(ii) PreKeygen. The $SU_{uid}$ selects a random value $z \in Z_p$ and sends it to the $AA_j$, the $AA_j$ computes $K'_1 = K_1^z$, $K'_2 = K_2^z$, and $K'_\tau = h_\tau^{tz/v_\tau}$, then constructs a predecryption key $PSK_{j,uid} = \{K'_1, K'_2, \{K'_\tau\}_{\tau \in S_{j,uid}, j \in S_A}\}$ and sends it to ES

5.1.3. Ciphertext and Encrypted Index Generation. In the actual IoV scenario, different types of sensors carried by vehicles collect the corresponding vehicle attribute data separately. For the different attribute states of vehicles monitored by different sensors deployed on the same vehicle, the CEABKS-MA system can achieve a fine-grained keyword search for the specified vehicle attributes. Given the vehicle attribute dataset $E = \{E_a\}$ and a keyword dictionary $KW = \{kw\}$, the VN uses the key $sk_{E_a}$ to encrypt the data of each attribute of the vehicle $E_a \in E$ and defines the encrypted vehicle attribute dataset as $C_E = \{Enc_{sk_{E_a}}(E_a)\}$; the symmetric key $sk_{E_a}$ is protected by a specified access structure $(M, \rho)$, where $M$ is the matrix of $n \times l$; $\rho$ is a function that associates rows of $M$ to attributes. The specific encryption process is divided into vehicle attribute data encryption and vehicle attribute index encryption, as follows.
(i) $Encrypt(CT_E)$. The VN chooses two random vectors $x = \{s, y_1, y_2, \cdots, y_n\} \in Z_p$ and $r = \{r_1, \cdots, r_l\} \in Z_p$, where $s$ is the secret sharing value, and computes $\lambda_i = M_i x$, where $i \in [1, l]$. Then, for $\forall i \in [1, l]$, the VN computes $C_{i,1} = g^{a_1 \lambda_i} h_{\rho(i)}^{-r_i}$, $C_{i,2} = g^{r_i v_{\rho(i)}}$, $C' = g^s$, and $C_{E_a} = sk_{E_a} \cdot e(g, g)^{a_0 s}$ and outputs the vehicle attribute ciphertext $CT_{E_a} = \{C', C_{E_a}, \{C_{i,1}, C_{i,2}\}_{i \in [1, l]}\}$, so as to get the vehicle ciphertext set $CT_E = \{CT_{E_a}\}$
(ii) $Encrypt(I_E)$. The VN extracts keywords $kw \in KW$ from different attribute dataset $E_a \in E$ and constructs an attribute encrypted index $I_{E_a}$ based on the keywords in each $E_a$. Then, the VN selects a random element $\pi \in Z_p$, for $\forall i \in [1, l]$, computes $I_0 = g^{a_1 \pi}$ and $I_{1,i} = g^{a_0 (s + \pi)} h_{\rho(i)}^{\pi H(kw)}$ and outputs the vehicle attribute encrypted index $I_{E_a} = \{I_0, \{I_{1,i}\}_{i \in [1, l]}\}$, so as to get the vehicle encrypted index set $I_E = \{I_{E_a}\}$
(iii) The VN uploads the vehicle ciphertext to ES periodically, and after the ciphertext expires (i.e., the VN uploads a new round of ciphertext), the ES uploads this vehicle historical ciphertext to CS

Trapdoor Generation.
The $SU_{uid}$ uses its key and keyword set to generate a trapdoor $T_{kw'}$ to search for an attribute status of the vehicle that contains the query keyword $kw'$, as follows.
(i) Trapdoor. The $SU_{uid}$ randomly selects $\mu \in Z_p^*$ and computes $T_1 = g^{a_1 \mu}$ and $T_2 = (K')^{\mu}$. Then, according to the query keyword $kw'$, for each attribute $\tau \in S_{j,uid}$, the SU computes $T_0 = g^{a_0 \mu} \prod_{\tau \in S_{j,uid}} h_\tau^{\mu H(kw')}$, finally gets the search trapdoor $T_{kw'} = \{T_0, T_1, T_2\}$ and sends it to ES

5.1.5. Search and Predecryption. After the trapdoor and the attribute set $S_{j,uid}$ are received from $SU_{uid}$, the procedure is mainly divided into two processes: Search and EdgeDec.
(i) Search. The CS or ES first verifies whether the attribute set of $SU_{uid}$ embedded in the trapdoor $T_{kw'}$ can satisfy the access structure $(M, \rho)$ of the ciphertext $CT$ and stops the search operation if it does not match; otherwise, the keyword search algorithm is executed to match the trapdoor $T_{kw'}$ and the index set $I_E$, as shown as follows: Correctness verification is as follows: Obviously, when $kw' = kw$, there is $\xi_1 = \xi_2$; that is, the keyword search algorithm is successful and outputs "1," otherwise, outputs "0."
(ii) EdgeDec. After the keyword search is successful, the ES will perform the ciphertext predecryption operation for $SU_{uid}$. Define $I \subset \{1, 2, \cdots, l\}$, expressed as $I = \{i, \rho(i) \in S_{j,uid}\}$; there must be a set of constants $\{w_i \in Z_p\}_{i \in I}$ such that $\sum_{i \in I} w_i \lambda_i = s$, and the ES calculates the following: The ES constructs partially decrypted ciphertext $CT_{out} = \{C_{kw'}, \zeta\}$ and returns it to $SU_{uid}$.
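The algebra behind EdgeDec and the SU's final unblinding (next subsection) can be checked with the following added example, which is not code from the paper. It is a toy model in which every group element is stored as its exponent modulo a prime, so it provides no security; the three-attribute policy, the attribute names, the single per-user $t$, and the pairing combination used to form $\zeta$ are assumptions chosen to be consistent with the key and ciphertext components defined above.

```python
import secrets

P = 2**61 - 1  # toy prime standing in for the group order p

def rnd():
    return secrets.randbelow(P - 1) + 1  # uniform in [1, p-1]

# Toy model (assumption): g^x and e(g,g)^x are both stored as x mod p, so
# e(g^x, g^y) becomes x*y, group multiplication becomes addition and
# exponentiation becomes multiplication. Exponents are in the clear, so this
# checks the algebra only and protects nothing.

# Constructed policy (M, rho): (insurer AND claims_dept) OR traffic_police
M = [[1, 1], [0, P - 1], [1, 0]]
RHO = ["insurer", "claims_dept", "traffic_police"]

def setup():
    msk = {"a0": rnd(), "a1": rnd()}
    attr = {a: {"alpha": rnd(), "v": rnd()} for a in RHO}  # h = g^alpha, APK = g^v
    return msk, attr

def pre_keygen(msk, attr, user_attrs, z):
    """Keygen followed by PreKeygen: returns the blinded key PSK held by the ES."""
    t = rnd()  # assumption: one t per user key, since K_1 and K_2 carry no attribute index
    k1, k2 = (msk["a0"] + msk["a1"] * t) % P, t        # K_1 = g^{a0} g^{a1 t}, K_2 = g^t
    kt = {a: attr[a]["alpha"] * t * z * pow(attr[a]["v"], -1, P) % P
          for a in user_attrs}                          # K'_tau = h_tau^{tz/v_tau}
    return {"K1": k1 * z % P, "K2": k2 * z % P, "Kt": kt}

def encrypt(msk, attr, sk):
    """Returns the attribute ciphertext and, for checking only, the secret s."""
    s = rnd()
    x = [s] + [rnd() for _ in range(len(M[0]) - 1)]
    lam = [sum(m * xi for m, xi in zip(row, x)) % P for row in M]  # lambda_i = M_i x
    rows = []
    for i, a in enumerate(RHO):
        r = rnd()
        c1 = (msk["a1"] * lam[i] - r * attr[a]["alpha"]) % P  # C_{i,1}
        c2 = r * attr[a]["v"] % P                             # C_{i,2}
        rows.append((c1, c2))
    return {"Cp": s, "CE": (sk + msk["a0"] * s) % P, "rows": rows}, s

def recon_coeffs(idx):
    """Solve sum_{i in idx} w_i * M_i = (1, 0, ..., 0) mod p; None if unauthorized."""
    n, k = len(M[0]), len(idx)
    A = [[M[i][c] % P for i in idx] + [1 if c == 0 else 0] for c in range(n)]
    pivots, r = [], 0
    for c in range(k):  # Gauss-Jordan elimination over Z_p
        piv = next((j for j in range(r, n) if A[j][c]), None)
        if piv is None:
            continue
        A[r], A[piv] = A[piv], A[r]
        f = pow(A[r][c], -1, P)
        A[r] = [v * f % P for v in A[r]]
        for j in range(n):
            if j != r and A[j][c]:
                g = A[j][c]
                A[j] = [(vj - g * vr) % P for vj, vr in zip(A[j], A[r])]
        pivots.append(c)
        r += 1
    if any(not any(row[:k]) and row[k] for row in A):
        return None  # (1, 0, ..., 0) is not in the span of the user's rows
    w = [0] * k
    for row, c in zip(A, pivots):
        w[c] = row[k]
    return dict(zip(idx, w))

def edge_dec(ct, psk):
    """ES side: returns zeta = e(g,g)^{a0 s z}, or None if the attributes fail (M, rho)."""
    idx = [i for i, a in enumerate(RHO) if a in psk["Kt"]]  # I = {i : rho(i) in S}
    w = recon_coeffs(idx)
    if w is None:
        return None
    acc = sum(w[i] * (ct["rows"][i][0] * psk["K2"] + ct["rows"][i][1] * psk["Kt"][RHO[i]])
              for i in idx)
    return (ct["Cp"] * psk["K1"] - acc) % P  # e(C', K'_1) / prod_i (...)^{w_i}

def user_dec(ce, zeta, z):
    return (ce - zeta * pow(z, -1, P)) % P  # C_{E_a} / zeta^{1/z}

def demo(user_attrs, sk=123456789):
    msk, attr = setup()
    z = rnd()  # SU's blind value, never sent to the ES
    psk = pre_keygen(msk, attr, user_attrs, z)
    ct, s = encrypt(msk, attr, sk)
    zeta = edge_dec(ct, psk)
    if zeta is None:
        return None
    assert zeta == msk["a0"] * s * z % P  # the ES output stays blinded by z
    return user_dec(ct["CE"], zeta, z)

if __name__ == "__main__":
    for attrs in ({"insurer", "claims_dept"}, {"traffic_police"}, {"insurer"}):
        print(sorted(attrs), "->", demo(attrs))
```

In this model the ES output equals $a_0 s z$, so only the holder of $z$ can strip the blinding and recover $sk_{E_a}$; attribute sets that do not satisfy the policy yield no reconstruction coefficients and no output.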

User Decryption
(i) After receiving the partially decrypted ciphertext, the SU uses the blind value $z$ to compute $C_{kw'}/\zeta$ to obtain the symmetric key $sk_{E_a}$ and then uses $sk_{E_a}$ to obtain the plaintext vehicle data $E_a$

5.2. Attribute Revocation and Update. The access right change of SU requires the update of their attributes to prevent malicious users from using expired keys to access unauthorized information. Each AA in the CEABKS-MA system manages a disjoint set of attribute collections and performs attribute update operations only for users in the domain, effectively spreading the computational and storage burden of the CA and obtaining higher efficiency. When there are some attributes to be updated, the $AA_j$ first updates the attribute version key $ASK_{i,j}$, $APK_{i,j}$ and then generates the transformation key to update SU's key and the vehicle ciphertext stored in ES or CS. Moreover, the CEABKS-MA system only updates a small portion of the attribute-related key and ciphertext; the attribute update algorithm is as follows.
(i) If the attribute $att'_i$ of SU managed by $AA_j$ is revoked, the $AA_j$ inputs $ASK_{i,j}$, $APK_{i,j}$, and the revoked attribute $att'_i$, randomly chooses a new value $\hat{v}'_i \in Z_p$ ($\hat{v}'_i \neq v'_i$), and computes the updated ES or CS
(ii) Key Update. The $AA_j$ informs SU that has the attribute $att'_i$ and has not been revoked to upload the relevant part of the key component with the revoked attribute to $AA_j$ for updating. After receiving the data uploaded by SU, the $AA_j$ computes and returns it to SU whose attributes have not been revoked
(iii) Ciphertext Update. When the attribute $att'_i$ of SU is revoked, the $AA_j$ needs to update the ciphertext synchronously. Due to the limited computing resources of VN, updating the attribute ciphertext , g)^{a_0 s}, $C' = g^s$, $I_0 = g^{a_1 \pi}$, $I'_1 = g^{a_0 (s + \pi)}$, and $I''_{1,i} = h_{\rho(i)}^{\pi}$. Finally, the VN generates the offline vehicle attribute ciphertext 1, C_{i,2}}_{i ∈ [1, Θ]}} and the offline vehicle attribute encrypted index $I'_{E_a} = \{I_0, I'_1, I''_{1,i}\}_{i \in [1, \Phi]}$
(ii) Online Encryption. The VN selects a random vector $x = \{s, y_1, y_2, \cdots, y_n\} \in Z_p$, $s$ as the secret shared value of the access structure $(M, \rho)$ and computes $\lambda_i = M_i x$, $i \in [1, l]$. Then, the VN computes $C'_i = \lambda_i - \lambda'_i$ and $C_{E_a} = sk_{E_a} \cdot C'_{E_a}$ and gets the complete Finally, for $\forall i \in [1, l]$, the VN computes $I_{1,i} = I'_1 \cdot (I''_{1,i})^{H(kw)}$ and gets the complete vehicle attribute encrypted index $I_{E_a} = \{I_0, \{I_{1,i}\}_{i \in [1, l]}\}$ $\rho(i)$, which can be predecrypted by using the predecryption formula (4)

Cloud-Edge-End Collaborative Search Method.
This paper designs a cloud-edge-end collaborative search method to provide a more efficient and flexible search while reducing user burden. The specific search process is shown in Figure 3.
The object task in the proposed search method has changed compared to the cloud-based search method. In the ciphertext upload phase, the vehicle carries sensors to monitor the vehicle state in real-time, and the VN encrypts the vehicle data and uploads the ciphertext to the nearby ES periodically to reduce the communication cost and latency caused by long-distance communication toward CS. After the VN forwards a new round of the ciphertext, the ES uploads the historical ciphertext to CS to reduce the computation and storage burden. In the search phase, the SU only needs to send the trapdoor to ES for instant and historical search; at the same time, the corresponding ciphertext after a successful query is finally returned to SU after predecryption by ES, and the SU only needs to perform a marginal decryption operation to decrypt it.

Safety and Performance Simulation Validation
6.1. Security Analysis. The CEABKS-MA system proposed in this paper can achieve IND-CPA security and IND-CKA security presented in Section 4.3 and is analyzed in detail as follows.

Theorem 3.
Under the assumption that the Decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption [44] holds, the advantage of any polynomial-time adversary in winning the IND-CPA game is negligible.
Proof. Assume that adversary A can break the CEABKS-MA system by a nonnegligible advantage $\delta$. A chooses a challenging matrix $M^*$, and then, B handles the q-DBDHE problem as follows.
Setup. Given a q-DBDHE challenge instance $(\phi, R)$, B first chooses $a_0 \in Z_p$ and sets $a_0 = a' + a_1^{q+1}$; then, B defines the public key component $Y = e(g, g)^{a_0} = e(g^{a_1}, g^{a_1^q}) e(g, g)^{a'}$. B chooses a random value $v_i \in Z_p$ for each $i \in U_j$ and sets $APK_{i,j} = g^{v_i}$. To simulate the group elements $h_i$, B picks a random element $\beta_i \in Z_p$ for each $i \in U_j$. Let $\rho^*(\iota) = i$, then B sets $h_i$ as follows: where $\Phi$ denotes the set of indices $\iota$. If $\Phi = \emptyset$, B sets $h_i = g^{\beta_i}$, and the values of $h_i$ are randomly distributed due to $g^{\beta_i}$.
Phase 1. In this phase, B needs to answer A's key queries. Assume that A provides an attribute set $S$ that does not satisfy $M^*$, and B chooses a vector $x^* = \{x^*_1, \cdots, x^*_{n^*}\}$ such that $x^*_1 = -1$ and, for all $\iota$ with $\rho^*(\iota) \in S$, $x^* \cdot M^*_\iota = 0$. Then, B randomly chooses an element $\vartheta \in Z_p$ and defines $t$ as follows: Then, B computes $K'_2$:
Based on the definition of $t$ above, it can be inferred that $g^{a_1 t}$ contains $g^{a_1^{q+1}}$ which can be cancelled by $g^{a_0}$. Thus, B computes $K'_1$ as follows: For each attribute $\tau \in S$, B defines $K'_\tau$ if $\rho^*(\iota) \neq \tau$ sets Under this condition, B cannot simulate $K'_\tau$ for the attribute $\tau \in S$ in $M^*$, since $K'_\tau$ contains the term $g^{a_1^{q+1}/b_\iota}$. If there exists a set $\Phi = \{\iota\}$ such that $\rho^*(\iota) = \tau$ and B computes $K'_\tau$ as follows: A sends a revoked attribute $att'_i$ to perform an updated attribute version key query. B randomly selects a new value $\hat{v}'_i \in Z_p$ ($\hat{v}'_i \neq v'_i$) and computes the updated attribute version key as $ASK'_{i,j} = \hat{v}'_i / v'_i$ and returns it to A.
Challenge. A submits two challenging messages $m_0$, $m_1$ to B with corresponding encryption keys $sk_0$, $sk_1$, and then, B randomly selects $\kappa \in \{0, 1\}$ and computes $C_{E_\kappa} = sk_{E_\kappa} \cdot e(g, g)^{a_0 s}$, $C' = g^s$. However, since the ciphertext component $C_{i,1}$ contains some terms that should be removed, it is difficult to simulate $C_{i,1}$, where $i \in [1, l^*]$. To solve this problem, B randomly chooses $y^*_2, \cdots, y^*_{n^*} \in Z_p$ and shares the secret $s$ as follows: $x = s,\ s a_1 + y^*_2,\ s a_1^2 + y^*_3,\ \cdots,\ s a^{n^*-1}$ Furthermore, B chooses random elements $r^*_2, \cdots, r^*_{n^*} \in Z_p$. Let $Q_i$ be the set of all $\rho(i) = \rho(k')$ satisfying $i \in [1, l^*]$. Finally, B outputs $C_{i,1}$, $C_{i,2}$ as follows:
Phase 2. Phase 2 has the same process as Phase 1.
Guess. A returns a guess bit $\kappa' \in \{0, 1\}$; if $\kappa' = \kappa$, B returns "0" indicating that $R = e(g, g)^{a_1^{q+1} s}$; otherwise, B returns "1" indicating that $R$ is a randomly chosen element of the group $G_T$. When $R$ is a tuple, B returns a perfect simulation, which then yields $\Pr[B(\phi, R = e(g, g)^{a_1^{q+1} s}) = 0] = 1/2 + \delta$. When $R$ is a random element in the group $G_T$ and the encryption key $sk_\kappa$ is completely hidden from A, then one obtains $\Pr[B(\phi, R) = 0] = 1/2$. Thus, B simulates the above security game with a nonnegligible advantage. This completes the proof of Theorem 3.

Theorem 4.
Based on a given one-way hash function H, the CEABKS-MA system prevents chosen keyword attacks.
Selecting a random value $d \in Z_p$, the advantage of adversary A in distinguishing between $g^d$ and $g^{a_0 (s + \pi)} h_{\rho(i)}^{\pi H(kw_0)}$ is the same as the advantage of distinguishing between $g^d$ and $g^{a_0 (s + \pi)} h_{\rho(i)}^{\pi H(kw_1)}$. Assume that A can distinguish between $g^d$ and $g^{a_0 (s + \pi)}$, and the defined secure interactive game is as follows.
Proof. Setup. B randomly selects $a_0, a_1 \in Z_p$ and returns the public key $PK = (g, g^{a_0}, g^{a_1})$ to A.
, $T_1 = g^{a_1 \mu}$, and $T_2 = g^{a_0 a_1 \mu}$ according to query keyword $kw'$, which gives the trapdoor $T_{kw'} = \{T_0, T_1, T_2\}$
Challenge. A inputs two keywords of the same length $kw_0$, $kw_1$. B selects $s, \pi \in Z_p$ and picks $\kappa \in \{0, 1\}$. If $\kappa = 0$, B sets $I_0 = g^{a_1 \pi}$, $I_1 = g^d$, and $C' = g^s$, otherwise, sets $I_0 = g^{a_1 \pi}$, $I_1 = g^{a_0 (s + \pi)}$, and $C' = g^s$.
Phase 2. A performs a query similar to Phase 1 but restricts $kw \neq kw_0, kw_1$.
Assume that $\upsilon \in Z_p$. If A can construct $e(g, g)^{\upsilon a_0(s+\pi)}$ using the term $g^\upsilon$ returned by the query, then A can distinguish between $g^d$ and $g^{a_0(s+\pi)}$. Thus, it needs to be shown that A can use the term $g^\upsilon$ to construct $e(g, g)^{\upsilon a_0(s+\pi)}$ only with negligible advantage.
Let $G_1 = \{\phi_1(\eta) \mid \eta \in Z_p\}$, $G_T = \{\phi_2(\eta) \mid \eta \in Z_p\}$, where $\phi_1$ and $\phi_2$ are two injective functions mapped from $Z_p$ to a set with $p^3$ elements. In the mapping between $\phi_1$ and $\phi_2$, the advantage of adversary A in distinguishing elements is negligible, so it is only necessary to consider the probability of adversary A constructing $e(g, g)^{\upsilon a_0(s+\pi)}$ using $g^\upsilon$.
If A wants to get $e(g, g)^{\upsilon a_0(s+\pi)}$ from $g^\upsilon$, since only $a_1 \pi$ contains $\pi$, $\upsilon$ must contain $a_1$ to get $e(g, g)^{\upsilon a_0(s+\pi)}$. A will try to construct $e(g, g)^{\upsilon' a_0(s+\pi)}$ based on $\upsilon' = \upsilon a_1$. However, A also needs to get $\upsilon' a_0 a_1 s$ containing the term $a_0 a_1$ and the secret value $s$. Since only B has the primary key $a_1$, A cannot obtain $e(g, g)^{\upsilon' a_0(s+\pi)}$.
Thus, it can be concluded that adversary A cannot distinguish $g^{a_0(s+\pi)} h_{\rho(i)}^{\pi H(kw_0)}$ and $g^{a_0(s+\pi)} h_{\rho(i)}^{\pi H(kw_1)}$. That is, the CEABKS-MA system is secure in the chosen keyword attack game, which completes the proof of Theorem 4.
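The generic-group reasoning in the proof of Theorem 4 can be checked mechanically for the group elements that appear in this section. The following is an added example, not the authors' code: it tracks each element by its exponent polynomial and compares the rank of all pairing products when $I_1 = g^{a_0(s+\pi)}$ and when $I_1 = g^d$. The component $T_0$ and the keyword-hash term are not shown in this section and are left out, and all function names are this example's own.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

def mono(*names):
    """Exponent polynomial with one monomial, e.g. mono("a0", "a1") = a0*a1."""
    return {tuple(sorted(names)): 1}

def add(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, 0) + c
    return out

def mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            m = tuple(sorted(m1 + m2))
            out[m] = out.get(m, 0) + c1 * c2
    return out

def rank(polys):
    """Rank over Q of the polynomials' coefficient vectors."""
    cols = sorted({m for p in polys for m in p})
    rows = [[Fraction(p.get(m, 0)) for m in cols] for p in polys]
    r = 0
    for c in range(len(cols)):
        piv = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if piv is None:
            continue
        rows[r], rows[piv] = rows[piv], rows[r]
        for i in range(r + 1, len(rows)):
            f = rows[i][c] / rows[r][c]
            if f:
                rows[i] = [x - f * y for x, y in zip(rows[i], rows[r])]
        r += 1
    return r

def pairing_rank(exps):
    """Dimension of everything reachable in G_T by pairing two known elements."""
    return rank([mul(x, y) for x, y in combinations_with_replacement(exps, 2)])

def distinguishable(extra=()):
    """True if a pairing relation holds for I1 = g^{a0(s+pi)} but not for g^d."""
    view = [mono(), mono("a0"), mono("a1"),            # PK: g, g^a0, g^a1
            mono("a1", "pi"), mono("s"),               # challenge: I0, C'
            mono("a1", "mu"), mono("a0", "a1", "mu"),  # trapdoor: T1, T2 (T0 omitted)
            *extra]                                    # hypothetical extra elements
    real = add(mono("a0", "s"), mono("a0", "pi"))
    return pairing_rank(view + [real]) < pairing_rank(view + [mono("d")])
```

`distinguishable()` returns `False` for the listed elements, while passing the hypothetical extra element `mono("a0", "a1")` (that is, $g^{a_0 a_1}$) returns `True`, which matches the proof's remark that A lacks the term $a_0 a_1$.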

In addition, the CEABKS-MA system can resist collusion attacks by users and protect the security of user keys. (1) The CEABKS-MA system prevents user collusion attacks by assigning a global identifier uid to each DU. In Keygen, the key component is associated with a random value $t$, so it is difficult for a malicious user to isolate the $t$ value from a given key to perform collusion queries in the absence of a random value $t$. (2) The search user uses a random value $\mu$ to blind the key when performing queries to ensure the security and confidentiality of the user's key.

6.2. Performance Analysis
The CEABKS-MA system implements fine-grained keyword search, multiauthority structure, and attribute update and has high efficiency in both key and trapdoor generation as well as search and decryption phases. Table 1 shows a functional comparison between the CEABKS-MA system and other existing systems [29][30][31].
The theoretical computation and storage costs of the CEABKS-MA system and the existing scheme [29] are analyzed, as shown in Tables 2 and 3, respectively. For the computation costs in Table 2, we mainly consider several more time-consuming operations, namely, bilinear pairing operation $P$ and exponential operation $E$ or $E_T$ in group $G$ or $G_T$. The number of system attributes is denoted as $|U_j|$ and $|U|$ for the CEABKS-MA system and HP-CPABKS system, respectively, and the number of user attributes is denoted as $|S|$. Since the CEABKS-MA system uses a distributed key distribution structure, $|S| \ll |U_j| \ll |U|$ in practice, the CEABKS-MA system consumes less time than the HP-CPABKS system in Keygen and Trapdoor. The computation cost of the CEABKS-MA system in Encrypt will be higher than that of the HP-CPABKS system when setting $|U_j| = |U|$, but the online/offline encryption method is extended to the proposed system, and the ciphertext generation is a one-time operation. In Search, the computation cost of the CEABKS-MA system is constant, and the search efficiency is much higher than that of the HP-CPABKS system.
For the storage costs in Table 3, element lengths in $G$, $G_T$, $Z_p$ are defined as $|G|$, $|G_T|$, $|Z_p|$, respectively. When $|U_j| = |U|$, the storage cost of the CEABKS-MA system in Setup is higher due to the added attribute update function. Similar to the computation cost analysis, the storage cost of the CEABKS-MA system is much lower than that of the HP-CPABKS system in Keygen and Trapdoor, and the storage cost in Trapdoor is constant, which is more suitable for resource-constrained devices.
To verify the above theoretical analysis, we present an experimental analysis of the computation efficiency and storage consumption of the CEABKS-MA system and the HP-CPABKS system. The experimental simulation environment is Windows 10 on an Intel(R) Core(TM) i3-8100 CPU@3.60 GHz. The programming language is C with the pairing-based cryptography (PBC) library. The parameters related to computation and storage costs are set as $|G| = |G_T| = 1024$ bits, $|Z_p| = 160$ bits, $|S| \in [1, 50]$, and $|U_j| = |U| \in [1, 100]$. Figure 4 shows the actual computation time comparison of different systems in each phase. In Figure 4(a), the computation cost of both systems in Setup increases with the expanding number of system attributes, and the CEABKS-MA system costs slightly more time than the HP-CPABKS system, which is consistent with the theoretical analysis, but note that $|U_j| < |U|$ in practice. The number of system attributes in Figures 4(b) and 4(c) is fixed at $|U| = 50$; it can be seen that the time consumption of the CEABKS-MA system in Keygen and Trapdoor increases linearly with the number of user attributes but is still much lower than that of the HP-CPABKS system, and $|S| \ll |U|$, so the CEABKS-MA system has higher efficiency and application value for search users with limited computational resources. Figure 4(d) shows the comparative analysis of search time, which is constant and much lower than that of the HP-CPABKS system.
Figure 5(d), the storage cost of the CEABKS-MA system in Encrypt is slightly higher than that of the HP-CPABKS system; due to $|U_j| < |U|$, the ciphertext storage cost of the CEABKS-MA system is still limited.

Conclusion
In this paper, we propose a secure and efficient CEABKS-MA system to support IoV data sharing. The cloud-edge-end collaborative search architecture is designed to meet the real-time search requirements of users and alleviate the severe computation and storage overload problem in the cloud. The multiauthority structure is designed to effectively avoid single-point performance bottlenecks. In addition, the proposed system implements fine-grained keyword search for specified vehicle attributes and extends lightweight encryption and decryption to support attribute updates. Then, this paper demonstrates that the CEABKS-MA system can achieve IND-CPA and IND-CKA security. Experimental simulations prove that the proposed system can effectively reduce computation and storage costs. Since the search queries of users are diverse and personalized, on the basis of protecting user privacy, we will dig deeper into users' search intentions and provide users with more intelligent search results.

Data Availability
This article is based on the PBC cryptography library for verification; the real data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest
The authors declare that they have no conflicts of interest.