Achieving Searchable Encryption Scheme With Search Pattern Hidden

This article has been accepted for publication in a future issue of this journal, but has not been
fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2020.2973139, IEEE
Transactions on Services Computing
IEEE TRANSACTIONS ON SERVICES COMPUTING 1
Achieving Searchable Encryption Scheme with

Search Pattern Hidden
Yunling Wang, Shi-Feng Sun, Jianfeng Wang, Joseph K. Liu, and Xiaofeng Chen∗
Abstract—Searchable Encryption (SE) enables a data owner to outsource encrypted data to an untrusted server while preserving the
keyword search functionality. Typically, the server learns whether or not a query has been performed more than once, which is usually
called the search pattern. However, such kind of information leakage might be leveraged to break query privacy. To further reduce such
type of leakage and provide strong privacy guarantee, Wang et al. proposed a novel SE scheme based on the Paillier encryption
scheme in INFOCOM’15. Unfortunately, their scheme cannot perform keyword search successfully, because the additive homomorphic
property is not sufficient for their construction. In this paper, we first show that why their scheme fails to return the correct search result,
and then propose a new SE scheme by adopting a special additive homomorphic encryption scheme to achieve the multiplicative
homomorphic property efficiently. Furthermore, we enhance the security on the user side. Specifically, we use random polynomials
with an appropriate degree to guarantee that the user cannot learn anything other than the desired search result. Finally, we present a
formal security analysis and implement our scheme on a real-world database, which demonstrates that our construction can achieve
the desired security properties with good performance.
Index Terms—Searchable encryption, Conjunctive keyword search, Search pattern, Additive homomorphic encryption
1 I NTRODUCTION tant security limitations, namely, they leak search pattern

and access pattern. More precisely, the access pattern is
C LOUD computing is the delivery of on-demand com-

putation and storage resources over the internet in the
matter of pay-as-you-go basis. In order to reduce the local
defined as any information inferred from knowing which
document matches the query, while the search pattern is
defined as any information inferred from knowing whether
maintenance cost, more and more users prefer to outsource two queries are for the same keyword or not [12]. A recent
their data to the cloud server [8], [9], [10]. However, one line of attacks [6], [17], [23], [34] have demonstrated that
of the main challenges for cloud computing is the da- such access pattern and search pattern leakages can be used
ta privacy, because the cloud server may try to learn as to recover the content of queried keywords. Specifically, IKK
much information about the outsourced data as possible. attack [17] and Count attack [6] exploits access pattern and
Although the end-to-end encryption technique can protect the number of the search results respectively to recover
the confidentiality of users’ data, it leads to the loss of search the queries. Liu et al. [23] exploits the search pattern to
ability over the encrypted data. launch the query recovery attack. The powerful file injection
Searchable encryption enables the cloud server to perfor- attack [34] uses both the search pattern and access pattern to
m keyword-based search over encrypted data. Specifically, recover the queried keywords. 1 A positive way to protect
the data owner outsources his encrypted documents along the access pattern is to use the ORAM technique to retrieve
with a search index to the server, then the server performs the matched documents for a response-hiding scheme 2 [13].
search directly over the search index with the aid of search However, how to protect the search pattern is still a chal-
token, and finally returns matched results to the user. After lenge. The reason is that the search pattern not only comes
the invention of seminal SE scheme proposed by Song et from the deterministic search token for the same query, but
al. [25], a lot of progress has been made on improving the also could be inferred from other aspects [11], [19], such as
efficiency [12], the security [2], [26], [28], [30], [31] and the the access pattern and the number of search results.
expressiveness [5], [27], [32], [33]. Nevertheless, most known
One solution [19] to protect the search pattern is based
schemes with good performance always suffer from impor-
on the idea of square-root ORAM [14]. In this case, the
search token for the same queried keywords is never used
• Y. Wang, J. Wang and X. Chen are with the State Key Laboratory of repeatedly. However, after a sequence of queries, it is nec-
Integrated Service Networks (ISN), Xidian University, P.R. China, and essary for the server and client to interact to rebuild the
also with the State Key Laboratory of Cryptology, PO Box 5159, Beijing
100878, China. E-mail: ylwang0304@163.com, jfwang@xidian.edu.cn,
xfchen@xidian.edu.cn. 1. The search pattern is used to determine where to inject the ob-
• S.-F. Sun is with the Department of Computer Science & Engi- jective files and guarantee the possibility to find out them (because of
neering, Shanghai Jiao Tong University, Shanghai, P.R. China, with the deterministic search token); the access pattern is used to determine
Data61, CSIRO, Melbourne, Australia, and also with the Facul- which injected files match a query.
ty of Information Technology, Monash University, Australia. E-mail:
2. The matched results are the encrypted document identifiers (for
shifeng.sun@sjtu.edu.cn.
response-hiding schemes). The client decrypts them and gets the
• J. K. Liu is with the Faculty of Information Technology, Monash Univer-
documents identifiers which are used to retrieve the corresponding
sity, Australia. E-mail: ksliu9@gmail.com.
documents based ORAM technique.
1939-1374 (c) 2019 IEEE. Personal use is permitted, but republication/redistribution requires IEEE permission. See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
This article has been accepted for publication in a future issue of this journal, but has not been fully edited. Content may change prior to final publication. Citation information: DOI 10.1109/TSC.2020.2973139, IEEE
encrypted data stored on the server side. Another solution • We present a formal security analysis without the
in [30] is based on the private set intersection protocol. In knowledge of search pattern, which shows that our
their scheme, the server has to use both the additive and proposed scheme can provide a stronger security
multiplicative homomorphic properties of an encryption guarantee. Furthermore, we provide a thorough im-
scheme to correctly perform search. Unfortunately, Paillier plementation and the experiment results demon-
encryption used in their construction cannot achieve the strate that our scheme enjoys a better search efficien-
desired properties. A trivial way to address this issue is to cy. In our scheme, the server can perform search in
use a fully homomorphic encryption scheme. However, the a parallel way, which is independent of the whole
inefficiency of the fully homomorphic encryption makes the search index.
SE scheme not practical. In this paper, we aim to present
a new practical search pattern-hiding SE scheme by fol-
lowing their framework. Thus, how to efficiently achieve 1.2 Related Work
both additive and multiplicative homomorphic properties
is one of our main tasks. Besides, the scheme [30] would SE was first considered by Song et al. [25], in which the
leak some unexpected information to the user, excluding the encryption is based on the documents and thus the search
desired search result 3 . Specifically, after the server performs complexity is linear in the number of documents. In or-
conjunctive keyword search, the user gets a result polyno- der to improve the efficiency, Curtmola et al. [12] intro-
mial whose roots contain the desired document identifiers. duced the inverted index based on the distinct keywords
However, the result polynomial is a simple summation of and proposed the first sublinear SE scheme. For dynamic
the polynomials representing the document identifier set search setting, Kamara et al. [20] gave the first dynamic
for each queried keyword. According to [1], [21], such SE scheme. Stefanov [26] introduced the notion of forward
result polynomial would leak some information about the and backward security, and constructed the first forward
document identifier set for each queried keyword to the secure SE scheme. Subsequently, many works focusing on
user. To the best of our knowledge, it seems that there is forward and backward security have been proposed [2], [7],
no research work on SE that can hide the search pattern and [28], [35]. However, these works are almost single keyword
also supports the conjunctive keyword search. search.
Recent works on SE have focused on enriching query
expressiveness. Golle et al. [15] first proposed the conjunc-
1.1 Our Contributions tive keyword search scheme based on the documents and
In this paper, we focus on protecting the search pattern of SE thus the search complexity is linear in the number of docu-
scheme with conjunctive keyword search. Our contributions ments. A notable conjunctive keyword search scheme OXT
are summarized as follows: proposed by Cash et al. [5] can support arbitrarily structured
data including free text. Besides, as a result of following
• We point out that Wang et al.’s SE scheme [30] the idea of inverted index, it achieves sublinear search
with search pattern guarantee cannot perform search complexity. Following that, a line of work [22], [27], [32],
operation correctly at the server side. The main [33] has made extension of OXT. Note that schemes with
reason is that both additive and multiplicative ho- good efficiency always suffer from security compromise.
momorphic properties of an encryption scheme are Plenty of researchers have focused on the security of SE.
required. However, the Paillier encryption scheme Some schemes [6], [17] utilized the access pattern or the
used in their construction only supports the additive number of search results to recover the queried keyword.
homomorphic property. Fortunately, ORAM is a positive technique to protect the
• We propose the first efficient SE scheme to hide access pattern for a response-hiding scheme [13]. Search
the search pattern, while supporting conjunctive pattern is also important in SE scheme, which can be used to
keyword search. Specifically, we exploit a special break the query privacy [23], [34]. Note that how to protect
additive homomorphic encryption scheme and an the search pattern is still a challenge, since it would comes
auxiliary server to efficiently achieve the required from the deterministic search token generation function,
properties, and thus the search operation can be or be inferred from other aspects which are described in
performed successfully at the server. Moreover, the the Introduction. Cao et al. [4] aimed to protect the search
security of our scheme on the user side is enhanced pattern by randomizing the trapdoor in a multi-keyword
by leveraging random polynomials. Specifically, dur- ranked search scheme. However, the search pattern can
ing the search progress, the server selects random be deduced from the deterministic search results. Garg et
polynomials with an appropriate degree and exploits al. [13] protected the search pattern based on ORAM and
the additive homomorphic property to generate the garbled RAM, but it did not hide the number of search
result polynomial, which ensures that nothing else results. Kamara et al. [19] gave a general framework to
other than the desired search results is leaked from construct SE scheme with search pattern guarantee. This
the result polynomial. construction also adopts the idea of ORAM and thus it
needs to reconstruct the index after several queries. Wang
3. For conjunctive keyword search w1′ ∩ w2′ ∩ · · · ∩ wq′ , the desired et al. [30] constructed an inverted index to protect the
search result means the set of document identifiers which contain all search pattern and support conjunctive keyword search.
the queried keywords, that is DB(w1′ ) ∩ DB(w2′ ) ∩ · · · ∩ DB(wq′ ). Here
we say scheme [30] would leak some additional information about However, it inevitably introduces some limitations which
document identifier set for each queried keyword DB(wi′ ), 1 6 i 6 q . will be addressed in this work.
TABLE 1: Notations in this work • (pk, sk) ← BCP.KeyGen(pp). This is the key
κ a security parameter of the system generation algorithm. On input the public parameter
the document identifier of pp, it outputs the public key pk and secret key sk .
idi
the i-th file Randomly select a ∈ ZN 2 and compute h = g a
Widi the keyword set of idi mod N 2 . Then it outputs the public key pk = h and
the keyword set of the
W = ∪di=1 Widi the secret key sk = a.
whole database
wi the i-th keyword in W. • C ← BCP.Enc(pk, m). This is the encryption algo-
DB = (idi , Widi )di=1
the document-keyword pairs in the rithm. On input the message m ∈ ZN , public param-
whole database eter pp and public key pk , it outputs the ciphertext
the number of document-keyword
δ = |DB|
pairs in the whole database C = (A, B). Specifically, randomly select r ∈ ZN 2
the document identifiers which and compute
DB(w) = {id : w ∈ Wid }
contain the keyword w
the number of keywords in W, A = gr mod N 2 , B = hr (1 + mN ) mod N 2 .
M
that is M = |W|
F̂ degree of polynomial F (x) • m ← BCP.Dec1 (sk, C). This is the private de-
cryption algorithm. That is, a user can successfully
decrypt a ciphertext which is encrypted under the
1.3 Organization user’s public key. On input the public parameter pp,
The rest of this paper is organized as follows. In Section user’s secret key and the ciphertext, it outputs the
2, we present some preliminaries. In Section 3, we give plaintext as:
the system model and security definition of our proposed (B/Aa ) − 1 mod N 2
scheme. In Section 4, we give an overview of the SE scheme m= .
by Wang et al. and present some flaws of the construction.
N
Then we propose a new SE scheme without search pattern • m ← BCP.Dec2 (pk, msk, C). This is the master
leakage in Section 5. The security and comparison analysis decryption algorithm. That is, an entity with the
of the proposed scheme are given in Section 6, and the master key can decrypt any ciphertext. On input the
performance evaluation is presented in Section 7. Finally, master key msk and ciphertext C , it outputs the
conclusions will be made in Section 8. plaintext m. First it computes (a mod N ) and (r
mod N ) as:
′ ′
2 P RELIMINARIES hp q − 1 mod N 2
a mod N = · k −1 mod N
In this section, we present some notations (as shown in Table N
1) and basic primitives which are used in this paper. ′ ′
Ap q − 1 mod N 2 −1
r mod N = ·k mod N,
2.1 Additive Homomorphic Encryption N
Homomorphic encryption allows one to perform computa- where k −1 is the inverse of the k in Z∗N . Then com-
tions on the encrypted data. Generally speaking, an encryp- pute γ = ar mod N . Finally, it outputs the plaintext
tion scheme equipped with an additive homomorphic prop- m as:
′ ′
erty is that one can obtain the ciphertext of m1 + m2 from ( gBγ )p q − 1 mod N 2
the ciphertexts of m1 and m2 . Similarly, a multiplicative m= ·π mod N,
N
homomorphic property allows one to obtain the ciphertext
of m1 · m2 . where π is the inverse of p′ q ′ in Z∗N .
BCP Encryption Scheme. This is a special additive ho- Additive Homomorphic Property. Given two ciphertext
momorphic encryption with double trapdoor decryption C1 = (A1 , B1 ) and C2 = (A2 , B2 ) for plaintext m1 and m2
mechanism [3]. That is, there are two algorithms to decrypt respectively, we will show how to perform computations
a ciphertext, private decryption algorithm and master de- on the C1 and C2 to obtain the ciphertexts of m1 + m2 .
cryption algorithm. The first one is for a user to decrypt Since BCP is an additive homomorphic encryption, we can
a certain ciphertext by his private key. The second one directly achieve additive homomorphic property. Specifical-
is for an entity to decrypt any ciphertext by the master ly, the ciphertext of m1 + m2 is C = (A, B) = (A1 · A2
secret key. Specifically, BCP encryption scheme consists of mod N 2 , B1 · B2 mod N 2 ). For simplicity, we denote this
the following algorithms: additive homomorphic operation as
• (pp, msk) ← BCP.Setup(1κ ). This is the setup C = C1 +h C2 .
algorithm. On input the security parameter κ, it
outputs public parameter pp and master key msk . It is also easy to compute the ciphertext C ′ of (l · m1 )
Let N = pq be a safe prime modulus with κ bit when given the C1 , where l is a constant. Specifically, the
length, where p and q are primes. Besides, p = 2p′ +1 ciphertext of (l · m1 ) is C ′ = (A′ , B ′ ) = (Al1 mod N 2 , B1l
and q = 2q ′ + 1, where p′ and q ′ are also primes. mod N 2 ). We denote this operation as
Randomly select g ∈ Z∗N 2 of order p′ q ′ pq such that
′ ′ C ′ = l ∗h C1 .
g p q mod N 2 = 1+kN , where k ∈ [1, N −1]. Final-
ly this setup algorithm outputs the public parameter Multiplicative Homomorphic Property. Given two cipher-
pp = (N, k, g) and master secret key msk = (p′ , q ′ ). text C1 = (A1 , B1 ) and C2 = (A2 , B2 ) for plaintext m1 and
m2 respectively, we will show how to perform computations over Rγ [x] for γ = 2L − |S1 ∩ S2 |. On one hand, B is the
on the C1 and C2 to obtain the ciphertexts of m1 · m2 . Since polynomial representing the multiset S1 ∩ S2 . The reason
BCP is not a multiplicative homomorphic encryption, we is that element s is the root of gcd(FS1 , FS2 ) only if s ∈
cannot directly achieve multiplicative homomorphic prop- S1 ∩ S2 . Besides, the roots of G are not an element in U
erty. Fortunately, BCP is a special additive homomorphic with an overwhelming probability, since G is distributed
encryption with double trapdoor decryption mechanism. randomly over Rγ [x]. On the other hand, B does not leak
Therefore, we additionally introduce an honest-but-curious any information about S1 and S2 other than that of S1 ∩ S2 .
auxiliary server to achieve the desired multiplicative homo- This is because that G is distributed randomly over Rγ [x].
morphic property. For more details, please refer to Section Note that this method of intersection for two multisets can
5.1. Here we denote this multiplicative homomorphic oper- be extended to multiple number of multisets similarly.
ation as
Homomorphic Operations on Encrypted Polynomial. In
C = C1 ·h C2 .
order to protect the elements in a multiset, we will
encrypt the polynomial F to an encrypted polynomi-
2.2 Polynomial Representation of Sets al Enc(F ) by encrypting its coefficients ai . That is,
In this section, we recall the technique of representing a Enc(F ) = {Enc(aF̂ ), · · · , Enc(a0 )}. Here Enc is an en-
multiset and performing set intersection [21]. Let there be cryption scheme with homomorphic property. Let F1 , F2
n multisets Si and |Si | = L for 1 ≤ i ≤ n. We denote and F be three polynomials from R[x] with coefficients a1,i ,
the domain of the elements in these multisets by U, that is a2,i and ai respectively. Then let Enc(F1 ), Enc(F2 ) and
sij ∈ U ⊂ R for 1 ≤ i ≤ n 1 ≤ j ≤ L, where sij is the j th Enc(F ) be their encrypted polynomials. In the following,
element of set Si and R is a ring. It is required that R should we describe how to perform operations on the encrypted
be sufficiently large such that a random element from R polynomials using the homomorphic properties of the BCP
represents an element from U with a negligible property. encryption Enc.
Polynomial ring R[x] means a collection of polynomials,
the coefficients of which are from R. That is, F ∈ R[x] is (1) Sum of two encrypted polynomials: Given Enc(F1 ) and
∑F̂ i Enc(F2 ), compute the encryption of the polynomial
denoted as F (x) = i=0 ai x , where F̂ is the degree of
polynomial F (x), and ai is the coefficient of xi and ai ∈ R. F = F1 + F2 as: Enc(ai ) = Enc(a1,i ) +h Enc(a2,i )
For F, G ∈ R[x], F + G denotes the addition of F and G for 0 ≤ i ≤ max{Fˆ1 , Fˆ2 }. We denote this operation
and F · G denotes the multiplication of F and G. as:
Enc(F1 ) +h Enc(F2 ).
Polynomial Representation of Multiset. In this section, we
describe the technique of polynomial representing a multi- (2) Product of an unencrypted polynomial and an encrypt-
set. For a multiset S = {si }1≤i≤L , we denote ed polynomial: Given F1 and E(F2 ), compute the
∏the polynomial encryption of the polynomial F = F1 · F2 as:
FS ∈ R[x] representing S as: FS (x) = 1≤i≤L (x − si ).
Besides, given a polynomial F ∈ R[x], we denote the Enc(ai ) = a1,i ∗h Enc(a2,0 )+h · · ·+h a1,0 ∗h Enc(a2,i ),
multiset S represented by F as: s ∈ S iff F (s) = 0 and for 0 ≤ i ≤ Fˆ1 + Fˆ2 . We denote this operation as
s ∈ U. F1 ∗h Enc(F2 ).
Intersection of Multisets. In this section, we introduce how (3) Product of an encrypted scalar and an encrypted polyno-
to generate the intersection of two multisets. Let S1 and S2 mial: Given C = Enc(r) (r ∈ R) and Enc(F1 ), com-
be two multisets with the same size L, FS1 and FS2 be their pute F = r · F1 as: Enc(ai ) = Enc(r) ·h Enc(a1,i ),
polynomials. We define the polynomial B representing the
for 0 ≤ i ≤ Fˆ1 . We denote this operation as
multiset S1 ∩ S2 as:
C ·h Enc(F1 ).
B = FS1 · G1 + FS2 · G2
Remark 1. The operations of Enc(F1 ) +h Enc(F2 ) and
where both G1 and G2 are randomly selected from RL [x].
F1 ∗h Enc(F2 ) just require the additive homomorphic prop-
Here RL [x] denotes the set of all the polynomials of degree
erty of Enc. The operation of C ·h Enc(F1 ) requires the
less than L + 1, the coefficients of which are from R uni-
multiplicative homomorphic property of Enc.
formly and independently. In the following, we show that
B is the polynomial representing the multiset S1 ∩S2 . Before
going ahead, we first recall a useful lemma [21]. 3 P ROBLEM F ORMULATION
In this section, we first present the system model, and then
Lemma 1. Fix a ring R and two polynomials F1 (x), F2 (x) we present the formal security definition.
of degree α over R[x], and gcd(F1 (x), F2 (x)) = 1.
∑β i
∑β i
Let G1 (x) = i=0 a1,i x , and G2 (x) = i=0 a2,i x ,
$ 3.1 System Model
where a1,i , a2,i ←
− R for 0 ≤ i ≤ β , and β ≥ α. Let
∑ Our system model consists of four entities: the data owner,
B(x) = F1 (x)G1 (x) + F2 (x)G2 (x) = α+β i
i=0 ai x . In this the users, the cloud server C1 and the auxiliary server C2 .
way, ai for 0 ≤ i ≤ α + β is distributed uniformly and
The architecture of our scheme is shown in the Fig. 1.
independently over R.
• Data Owner. The data owner has a number of docu-
From the above lemma, we know that B = FS1 ·G1 +FS2 · ments and wants to outsource them to the cloud serv-
G2 = gcd(FS1 , FS2 ) · G, where G is distributed uniformly er C1 . The data owner first encrypts the documents
Search Result Enc(P¢ (x)) • Search Pattern reveals whether or not two queries are
Data User
the same. It is referred as a binary t × t matrix SP
such that SP [i, j] = 1 if Qi = Qj and SP [i, j] = 0 if
Non-collusion
Server C 1 Qi ̸= Qj .
Queried Set ×
Search • Access Pattern reveals the document identifiers for
Server C 2 each query. It is referred as {DB(Q1 ), · · · , DB(Qt )}.
Search Token T r
Data Owner • Response Equality Pattern reveals whether or not two
responses are the same. It is also referred as a binary
Encrypted Se ch
Search t × t matrix REP such that REP [i, j] = 1 if Ri = Rj
Document Index and REP [i, j] = 0 if Ri ̸= Rj .
• Response Length Pattern reveals the number of doc-
Fig. 1: Architecture of our scheme
ument identifiers for each query. It is referred as
{|DB(Q1 )|, · · · , |DB(Qt )|}. Note that both the re-
and generates a search index, and then outsources sponse length pattern and equality pattern can be
the encrypted documents along with the search in- obtained from access pattern.
dex to the cloud server C1 .
Similar to the work [5], [19], our work considers only the
• Data User. If one user is interested in some keywords,
storage and processing of the metadata, and does not model
the user sends them to the data owner. Then the data
the retrieval of encrypted documents. This is why the access
owner generates the search token and sends it to the
pattern usually refers to the document identifiers matching
server C1 . After the server completes the search, the
a query in the literature. In general, searchable encryption
user will get the search results, decrypt them and get
schemes are classified into two forms: response-revealing
the document identifiers.
and response-hiding. The former reveals the matched doc-
• Cloud Server C1 . Upon receiving the search token
ument identifiers in plaintext, whereas the latter does not.
from the data owner, the cloud server C1 performs
Thus, when not considering the retrieval of the encrypted
search operation with the help of auxiliary server C2 .
payloads, the response-hiding searchable encryption pro-
Finally, C1 returns the search results to the user.
tects the access pattern, as pointed out by Kamara et al. [19].
• Auxiliary Server C2 . The main task of the auxiliary
However, if we further consider the retrieval of matched
server C2 is to help the cloud server C1 to perform
payloads based on the corresponding document identifiers,
search operation.
the techniques e.g., ORAM and blind storage have to be
In our system model, we assume that both the cloud employed for protecting the access pattern, as indicated in
server C1 and the auxiliary server C2 are honest-but-curious. [30]. This is out of the scope of this paper.
That is, they will honestly follow the protocol, but try to
obtain some valuable information from the transcripts of the
protocol. In addition, we assume that there is no collusion 3.3 Security Definition
between them. In this section, we give the security definition of our scheme
from two sides, the server side and the user side. For the
3.2 Searchable Encryption server side, similar to [5], [27], we use a real game RealΠ A
and an ideal game IdealΠ A,S to formalize the security, where
In this section, we give a detailed description of search-
able encryption scheme and then introduce some well-
A is an adversary and S is a simulator. Generally, we define
a leakage function L to describe the leakages of the pro-
known leakage patterns. Specifically, a searchable encryp-
posed protocol. The security definition means the protocol
tion scheme Π = (Setup, TGen, Search, Decrypt) is
leaks nothing else other than the information inferred by
comprised of four algorithms.
the leakage function. Similar to [5], [27], we do not consider
• (sk, I) ← Setup(1κ , DB). This algorithm is per- how to retrieve the documents and only focus on the storage
formed by the data owner. It takes as input the and processing of the metadata.
security parameter κ and database DB, and outputs
(sk, I), where sk is a secret key and I is the encrypt- RealΠA (κ). The adversary A first chooses a database
ed search index. DB. Then the experiment runs the Setup algorithm and
• T r ← TGen(sk, Q). This algorithm is performed by returns the index I to A. After that, A adaptively chooses a
the data owner. It takes as input the secret key sk , the polynomial-size sequence of search queries. For each query
queried keyword set Q, and outputs the trapdoor T r . Q, the experiment runs TGen and Search algorithms, and
• R ← Search(T r, I). This algorithm is performed by then gives the transcript to A. Finally, this game outputs a
the cloud server. It takes as input the trapdoor T r bit from {0, 1} that A returns.
and index I , outputs the search results R.
IdealΠA,S (κ). The adversary A first chooses a database
• id′ s ← Decrypt(sk, R). This algorithm is per-
DB. Then the experiment runs the S(L(DB)) algorithm
formed by the data owner. It takes as input the secret
and returns the index I to A. After that, A adaptively
key sk and response R, outputs the plaintext of the
chooses a polynomial-size sequence of search queries. For
document identifiers id′ s for the query Q.
each query Q, A receives the transcript by running the
Next, we recall the leakage patterns [19] and assume t simulator S(L(DB, Q)). Finally, this game outputs a bit
queries are performed. from {0, 1} that A returns.
We define the searchable encryption scheme as L- Pwi (x) based on the Paillier encryption Enc
adaptively-secure if for any PPT adversary A, there exists a and obtains Enc(Pwi (x)). In this way,
simulator such that A can distinguish whether he is interact-
ing with the real game or the ideal game with only negligible I = (Enc(Pw1 ), Enc(Pw2 ), · · · , Enc(PwM ))T .
probability. We give the formal definition as follows.
– The data owner then generates matrix
Definition 1. The scheme Π is L-adaptively-secure if for all
PPT adversaries A there exists a simulator S such that  
w1M w2M ··· M
wM
 M −1 M −1 
|Pr[RealΠ
A (κ) = 1] − Pr[IdealA,S (κ) = 1]| ≤ negl(κ).
Π
w1 w2M −1 ··· wM 
MD = 
 .. .. .. .. 

In the following, we give the description of leakage  . . . . 
function L in our scheme. We represent a sequence of T w1 w2 ··· wM
conjunctive queries as Q = (Q1 , Q2 , · · · , QT ). With the DB
′
and Q as input, the leakage function outputs the following and computes MD = MK · MD . Note that here
items: we also denote that wi ∈ R.
• M = |W | is the total number of keywords in the Finally, the data owner outsources the search index
′
whole database. I and the matrix MD to the server.
• L = maxwi ∈W {|DB(wi )|} is the largest number of • TGen(Q, MK ). Receiving the query
matching documents for all keywords. Q = {w1′ , w2′ , · · · , wq′ } from the user,
The leakages in our scheme are easy to understand. The the data∏ owner generates
∏ polynomial
parameter M is leaked from the number of rows in the index PQ (x) = wi ∈W (x − w i )/ wi ∈Q (x − wi ) and
I or the size of the search token. L can be obtained from the an M -degree polynomial
number of columns in the index I .
For the user side security, we need to show that the user ∏q
cannot learn any other information than the search results, PQ′ (x) = PQ (x) · (x − ri )
i=1
which will be argued formally in the security analysis part. = aM xM + aM −1 xM −1 + · · · + a0
′
where ri is randomly selected from R. PQ (x) has the
4 A NALYSIS OF WANG ET AL .’ S S CHEME ′
property that for each wi ∈ W, PQ (wi ) ̸= 0 if wi ∈ Q
Wang et al. [30] proposed an elegant searchable encryption ′
and PQ (wi ) = 0 if wi ∈
/ Q. In this way, the search
scheme with search pattern hidden, while supporting con- token is
junctive keyword search. Unlike the recent work [19], it is
unnecessary to rebuild the search index after a sequence of
queries. However, there exists a security flaw which makes −1
the server unable to perform a search operation successfully.
T r = {T r1 , T r2 } = {(aM , aM −1 , · · · , a1 )·MK , Enc(a0 )}.
In this section, we first review their scheme and then explain ′
why it does not work.
• Search(T r, I, MD ). Upon receiving the trapdoor
T r, the server first computes
′
4.1 Overview of the Scheme V = T r1 · MD = (v1 , v2 , · · · , vM ).
There are three entities in their scheme, the data owner, the
cloud server C1 and the users. In the following, we briefly Then it adopts the additive homomorphic property
recall their construction. of Enc to compute
• Setup(1κ , DB). It takes as input the security param-

eter κ and database DB, outputs the search index I V ′ = (Enc(v1 ) +h Enc(a0 ), · · · , Enc(vM ) +h Enc(a0 ))
′
and a matrix MD .
= (Enc(v1′ ), Enc(v2′ ), · · · , Enc(vM
′
))
– It first takes as input the security parameter κ,
outputs a public key pk and secret key sk of Finally, the server generates the response
Paillier encryption Enc. Besides, it generates
an inverse matrix MK with the size of M × M . Enc(PR (x)) =Enc(v1′ ) ·h Enc(Pw1 ) +h · · · +h
′
– Next, the data owner takes as input the Enc(vM ) ·h Enc(PwM )
database DB and public key pk , outputs the
search index I . Specifically, for each wi , the and sends it to the user.
data owner generates a L-degree polynomial
Pwi (x) with the property of Pwi (id) = 0 for • Decrypt(Enc(PR (x))). After receiving
all id ∈ DB(wi ). Note that here we assume Enc(PR (x)), the user decrypts it and reconstructs
that all the id ∈ U and U ⊂ R, where R de- PR (x) with the assistance of data owner. Then the
notes the plaintext domain of Paillier encryp- user finds out the roots of PR (x) which are in U, and
tion scheme. Then, the data owner encrypts thus obtains the matched document identifiers.
4.2 Analysis of the Scheme properties from an encryption scheme. Secondly, we have
This work is with excellent performances in two aspects. to explore new techniques to make the result polynomial
PR (x) leak no more information other than the conjunctive
• Constructing the search index is a one-time cost. That keyword search results ∩wi ∈Q DB(wi ) to the user.
is, the search index I does not need to be rebuilt
after being outsourced to the server. The reason is
that the randomness of search token comes from the 5 O UR P ROPOSED S CHEME
random elements selected in the TGen algorithm. In this section, we first introduce how to perform multi-
In contrast, after a sequence of queries, the scheme in plicative homomorphic operation efficiently based on the
[19] has to reconstruct the search index to randomize BCP encryption scheme. Then we give an overview of our
the trapdoor. Unfortunately, it takes high overheads construction and the detailed algorithms.
for the server and the data owner to interact to
rebuild the search index. Algorithm 1 Multiplicative Homomorphic Algorithm
• The search operation can be performed in a parallel
way, which benefits from the inverted search index Input: C1 = (A1 , B1 ) = BCP.Enc(pk, m1 )
I , like [12]. In detail, from the search algorithm, the C2 = (A2 , B2 ) = BCP.Enc(pk, m2 )
server can compute Enc(vi′ ) ·h Enc(Pwi ) for 1 ≤ i ≤ Output: C = (A, B) = BCP.Enc(pk, m1 · m2 )
M in parallel and then execute the homomorphic Step 1: Cloud Server C1 blinds the original messages.
addition of the results. This good performance can
$
improve the search efficiency on the server side. 1: τ, τ ′ ←
− ZN
2: Z1 ← C1 +h BCP.Enc(pk, −τ )
However, there is a design flaw in the scheme which Z2 ← C2 +h BCP.Enc(pk, −τ ′ )
makes the server unable to perform search operation suc- 3: Server C1 sends Z1 and Z2 to the server C2
cessfully. In the following, we will point out this design flaw
and security limitations of this work. Step 2: Auxiliary Server C2 decrypts and re-encrypts.
4: m′1 ← BCP.Dec2 (pk, msk, Z1 )
• We first point out the design flaw of this scheme. m′2 ← BCP.Dec2 (pk, msk, Z2 )
In the Search algorithm, the server needs to com- 5: C ′ = (A′ , B ′ ) ← BCP.Enc(pk, m′1 · m′2 )
putes Enc(PR (x)) = Enc(v1′ ) ·h Enc(Pw1 ) +h · · · +h 6: Server C2 sends C ′ to the server C1
′
Enc(vM ) ·h Enc(PwM ). Referring to the property
(3) of the homomorphic operations on encrypted Step 3: Cloud Server C1 removes the blinding factors.
polynomial (in Section 2.2), the multiplicative homo- 7: (T1 , T2 ) ← BCP.Enc(pk, −τ · τ ′ )
morphic property of Enc is necessary to compute ′ ′
8: (A, B) ← (A′ Aτ1 Aτ2 T1 mod N 2 , B ′ B1τ B2τ T2
Enc(vi′ ) ·h Enc(Pwi ), which is also explained in Re- mod N ) 2
mark 1. However, the Paillier encryption used here 9: return C = (A, B) = BCP.Enc(pk, m1 · m2 )
is just an additive homomorphic encryption, so the
server is unable to compute Enc(vi′ ) ·h Enc(Pwi ). As
a result, the server cannot perform search operation
successfully. 5.1 Multiplicative Homomorphic Operation
• The search pattern would be leaked from the T r1 In order to protect the search pattern by following Wang
in a particular case. That is, when two same queries et al.’s framework, both additive and multiplicative homo-
contain the total keywords in the W, their search morphic properties are required in our protocol. Fortunately,
tokens T r1 are the same. BCP can directly achieve additive homomorphic property,
• We then point out the security limitation of this as it is an additive homomorphic encryption. The multi-
scheme. After performing the search operation, plicative homomorphic property can be efficiently achieved
the server returns the encrypted result polynomial by adopting the double trapdoor decryption mechanism of
Enc(PR (x)) to the user. The user decrypts it and BCP and an auxiliary server, which is also used similarly
obtains the PR (x). From the generation of vi′ in in [24]. Specifically, the cloud server has the ciphertext C1
Search algorithm, we can see that vi′ = PQ′ (wi ). and C2 of m1 and m2 , and would like to compute the
′
From the property of PQ (x) in TGen algorithm, we ciphertext C of m1 · m2 . The auxiliary server has the master
can deduce that vi ̸= 0 if wi ∈ Q, otherwise vi′ = 0.
′
key of BCP encryption which can be used to decrypt any
In this way, ciphertext. By interacting between the auxiliary server and
∑
PR (x) = vi′ · Pwi (x). the cloud server, the multiplicative homomorphic operation
wi ∈Q is performed following the three steps in Algorithm 1:
We can see that PR (x) is a simple combination of the
• Step 1: The cloud server sends the ciphertexts Z1 and
Pwi (x). According to [1], [21], it would leak some
Z2 of m1 −τ and m2 −τ ′ to the auxiliary server, where
information of DB(wi ) for wi ∈ Q to the user.
the random elements τ and τ ′ are used to blind the
Therefore, our target in this work is to tackle these original messages m1 and m2 .
problems and present a new SE scheme featuring similar • Step 2: The auxiliary server obtains m1 − τ and m2 −
merits. To this end, we first need to show how to efficiently τ ′ by decrypting Z1 and Z2 and then re-encrypts the
achieve both the additive and multiplicative homomorphic message (m1 − τ ) · (m2 − τ ′ ) as C ′ with public key.
• Step 3: The cloud server removes the blinding factors – This stage is to generate the search index I
and generates the target ciphertext C of m1 ·m2 based of the dataset DB. Specifically, for each wi ,
on the additive homomorphic property. the data owner first generates a polynomial
to represent DB(wi ). It is necessary for us
Remark 2. Note that the model of auxiliary server is honest-
to select a proper number of zeros to make
but-curious, even it can decrypt any ciphertext with the
each |DB(wi )| the same as L. The reasons
powerful master decryption key. The reason is that the cloud
are presented in the Remark 2. Note that the
server blinds the original messages with random elements.
ring R in our proposed scheme denotes the
In this case, the auxiliary server can never obtain the original
plaintext domain of BCP encryption scheme
messages m1 and m2 .
(R is ZN ), and all the document identifiers
id are in the domain U (id ∈ U ⊂ R). Then,
5.2 Overview of Our Construction the data owner encrypts Pwi (x) based on BCP
Similar to Wang et al. [30], we aim to protect the search pat- encryption algorithm and stores them in I . In
tern while supporting conjunctive keyword search function- this case, I is an M × L matrix and it will be
ality. The main idea is to use the polynomial representation sent to the server C1 . The details of generating
of multiset. Generally, for each keyword wi , we compute the I are in Algorithm 2.
polynomial representation Pwi (x) from DB(wi ). In order
to protect the polynomials, they are encrypted by the BCP Algorithm 2 Index I Generation Algorithm
cryptosystem Enc. In this way, all the encrypted polynomi- Input: DB
als Enc(Pwi (x)) construct the search index I . For the trap- Output: I
door generation, there is an encrypted scalar corresponding
1: I ← ϕ, C ← ϕ
to each keyword in the W. That is, if the keyword wi belongs
2: for w ∈ W do
to the query Q, the scalar ri is a random number and the ∏
trapdoor for this keyword is Ei = Enc(ri ). Otherwise, the 3: Pw (x) = xL−|DB(w)| · id∈DB(w) (x − id)
scalar ri is zero and thus the trapdoor is Ei = Enc(0). In = aL xL + aL−1 xL−1 · · · a1 x + a0
this way, the trapdoor is T r = {E1 , E2 , · · · , EM }. Upon 4: for L ≥ i ≥ 0 do
receiving the trapdoor, the server C1 performs search op- 5: ci ← BCP.Enc(pk, ai ); C ← ci
eration under the help of the server C2 . First, C1 computes 6: end for
Enc(qi ) = Ei ·h Enc(Pwi (x)) using the multiplicative ho- 7: Parse C = {cL , cL−1 , · · · , c1 , c0 }; Store C to the I
momorphic property under the help of C2 . Then C1 selects 8: end for
a random polynomial vi (x) with appropriate degree and 9: return I
computes Enc(Qi (x)) = vi (x) ∗h Enc(qi (x)) using the ad-
ditive homomorphic property. Finally, server C1 returns the
encrypted polynomial Enc(P∆ (x)) = Enc(Q1 (x))+h · · ·+h • T r ← TGen(W, Q, PP): This algorithm is run be-
Enc(QM (x)) based on the additive homomorphic property tween the data owner and the data user. Specifically,
to the user. By decrypting the encrypted coefficients, the if a user wants to perform the conjunctive keywords
user reconstructs the polynomial P∆ (x), finds out its roots search, w1′ ∩ w2′ ∩ · · · ∩ wq′ , the queried keyword set
and thus obtains the corresponding document identifiers. Q = {w1′ , w2′ , · · · , wq′ } is sent to the data owner.
The overview of our scheme is in Fig. 2. Then the data owner generates the trapdoor T r .
Independent of the number of queried keywords q ,
the trapdoor T r consists of M encrypted scalars Ei ,
5.3 The Concrete Construction where M is the size of W. That is
In this section, we present our SE scheme with search
pattern guarantee, which consists of four algorithms Π = T r = {E1 , E2 , · · · , EM }.
(Setup, TGen, Search, Decrypt). The details of the pro- More precisely, the data owner tests whether or not
posed scheme are as follows: each keyword wi ∈ W belongs to the Q. If wi ∈ Q,
• (PP, SKC2 , SKO , I) ← Setup(1κ , DB): the data the data owner randomly selects an element r in ZN ,
$
owner takes as input the security parameter κ and r← − ZN , and then encrypts r using BCP encryption
the whole database DB, it outputs the system pa- algorithm, Ei ← BCP.Enc(pk, r). Otherwise, the
rameter PP, the secret key SKC2 , SKO , and the index data owner sets r = 0 and Ei ← BCP.Enc(pk, 0).
I. Finally, the data owner sends the trapdoor T r to the
server C1 . We stress that no one but the data owner
– This stage is to generate the system pa-
can generate the T r, because the keyword set W is
rameter PP, the secret key SKC2 and SKO .
kept secret in the side of data owner. Although the
Specifically, it runs the BCP.Setup and
user can obtain the content of some keywords, he still
BCP.KeyGen algorithms to get the param-
cannot get their order in W.
eters (pp, msk, pk, sk). Then it publishes the
system parameter PP = (pp, pk), sends the • Enc(P∆ (x)) ← Search(T r, I, PP, SKC2 ): This is
secret key SKC2 = msk to the server C2 and run by the cloud server C1 with the assistance of the
keeps the secret key SKO = sk in the data auxiliary server C2 . Specifically, C2 has to take part
owner side. in computing Enc(qi (x)) because of the necessary of
0 1 0 1 0 1
DB(w1) polynomial Pw1 (x) Enc(Pw1 (x))
B DB(w2) C representation B Pw (x) C encryptionB Enc(Pw (x)) C
B ... C B 2. C B ...
2 C
@ A @ .. A @ A
Data Owner DB(wM ) PwM (x) Enc(PwM (x)) Search Index
search query Q from data user
wi 2
= Q ri = 0
0 1 0 1
E1
0 1
w1 Enc(r1)
$
Search B w2 C wi 2 Q ri Ã
¡R B Enc(r2) C B E2 C
Token
B . C
@ .. A
B
@ ... C
A
B . C
@ .. A
wM Enc(rM ) EM
with server C2 Ei ¢h Enc(Pwi (x)) vi(x) ¤h Enc(qi(x)) Enc(Q1) +h ¢ ¢ ¢ +h Enc(QM )
0 1 0 1
Enc(q1 (x)) Enc(Q1(x))
0 10
E1
1
Enc(Pw1 (x)) multiplicative additive additive
B E2 CB Enc(Pw (x)) C homomorphic B Enc(q2 (x)) ChomomorphicB Enc(Q2(x)) Chomomorphic
Server C 1
B . CB
@ .. A@ ...
2 C
A
B
@ ... C
A
B
@ ... C
A Enc(P¢(x))
EM Enc(PwM (x)) Enc(qM (x)) Enc(QM (x))
decrypt find out

Enc(P¢(x)) P¢(x) P¢(x) = 0 and x 2 U
Data User
Fig. 2: Overview of our scheme
the multiplicative homomorphic property. While C1 data user reconstructs the polynomial
is able to generate Enc(Qi (x)) and Enc(P∆ (x)) by
itself, since it only needs the additive homomorphic P∆ (x) = σ2L x2L + σ2L−1 x2L−1 + · · · + σ0
property. The details are in Algorithm 3. After per- and finds out its roots. The search results for the
forming search, the server C1 returns the encrypted queried keywords are the roots which are also in the
polynomial Enc(P∆ (x)) to the user. domain U.
Algorithm 3 Search Algorithm Remark 3. There are two reasons to make DB(wi ) have
the same size L (in the Setup algorithm). On the one
Input: T r, I , PP, SKC2 hand, the response length pattern leakage can be used to
Output: Enc(P∆ (x)) infer the search pattern. In our scheme, the response length
Server C1 pattern cannot be leaked, as we make DB(wi ) have the same
size L. On the other hand, this operation is the necessary
1: Parse T r = {E1 , E2 , · · · , EM }.
condition to guarantee the searched polynomial P∆ (x) leaks
2: for 1 ≤ i ≤ M do
nothing other than the desired search result for the query.
3: Enc(qi (x)) ← Ei ·h Enc(Pwi (x))
Specifically, from lemma 1, ensuring this security property
4: Randomly select vi (x) from RL [x]
of polynomial B requires that the polynomials F1 and F2
5: Enc(Qi (x)) ← vi (x) ∗h Enc(qi (x))
have the same degree. This is because the degree of G1 and
6: end for
G2 depends on the degree of F1 and F2 . Therefore, it is
7: Enc(P∆ (x)) = Enc(Q1 (x)) +h · · · +h Enc(QM (x))
necessary to make DB(wi ) have the same length, and thus
8: return the encrypted polynomial Enc(P∆ (x))
it can select random polynomials vi with an appropriate
degree.
• id′ s ← Decrypt(SKO , Enc(P∆ (x))): This is run by Remark 4. We note that the auxiliary server C2 never learns
the data user with the assistance of the data owner. the original data, despite owning the powerful master secret
Upon receiving the encrypted polynomial E(P∆ (x)), key. This is because (1) The original message is blinded
the data user first decrypts the encrypted coefficients by C1 based on the additive homomorphic property before
to σi with the assistance of data owner. Then, the being transmitted to C2 (cf. Section 5.1); (2) It is ensured
similarly to [24] that the auxiliary server C2 never learns msk . Firstly, C2 cannot access the transcripts (T r, I and R)
the transcripts transmitted between the data owner and the transmitted between the data owner and the C1 (cf. Remark
cloud server C1 , i.e., the search index I , the search token 3 in Section 5.3). Secondly, when offering the assistance to
T r and the search result Enc(P∆ (x)). This can be easily C1 , C2 can never get the original messages (cf. Algorithm 1).
achieved by e.g., letting the data owner and the C1 use a In this case, C2 obtains no more information than C1 . Next
shared secret key to encrypt their communication. In this we proceed to show the formal security.
case, C2 learns nothing about the transcripts. Theorem 1. Our scheme is L-semantically secure against
adaptive attacks assuming that BCP is an IND-CPA se-
6 A NALYSIS OF OUR PROPOSED SCHEME cure encryption scheme, where L is the leakage function
In this section, we first analyze the correctness and security defined above.
of our proposed scheme, and then compare with other Proof: In the following, we use a sequence of games
related works in terms of functionality and efficiency. to formally prove that our scheme is L-semantically secure
against adaptive attacks. The first game G0 is exactly the
6.1 Correctness Analysis real game, and the last game G2 is designed to be easily
In this section, we first show the correctness of our scheme. simulated by the simulator S1 and S2 . Similar to [16], we
Then we present the security analysis on the server side and design simulator S1 for the cloud server C1 , and the S2 for
the user side. the auxiliary server C2 .
Correctness: The correctness of our scheme includes two Game G0 . G0 is exactly the real game RealΠ A (κ).
aspects. Firstly, all the desired search results satisfied with
the search token should be recovered by the user. Secondly, Pr[RealΠ
A (κ) = 1] = Pr[G0 = 1].
the erroneous elements (not the desired search results for Game G1 . Instead of encrypting the coefficients of the
the query) should be easily filtered by the user. Specifically, polynomial representation Pwi of DB(wi ), we randomly
in our scheme, the trapdoor is Ei = Enc(ri ), where ri = 0 select L elements from ZN and encrypt them using BCP
if the keyword wi ∈ / Q, otherwise ri is randomly selected encryption scheme (under the same key). We claim that
from( R. The result encrypted ) polynomial
(∑ is Enc(P∆ (x)) )= there exists an efficient adversary B1 such that
∑M
Enc r
i=1 i · P wi (x) · vi = Enc wi ∈Q ri · Pwi (x) · vi .
After decrypting it, the user gets P∆ (x), and regards Pr[G1 = 1] − Pr[G0 = 1] ≤ AdvIND−CPA
Σ,B1 (κ).
the roots of P∆ (x) which are in U as the desired search
Here we need to stress that it is possible to reduce the
results. On one hand, we can learn that if Pwi (a) = 0 for
indistinguishability between them to the IND-CPA security
all wi ∈ Q, then P∆ (a) = 0. In this way, all the elements in
of BCP scheme Σ, because the decryption algorithm is never
the intersection I = ∩wi ∈Q DB(wi ) can be recovered by the
invoked in this game.
user. On the other hand, we show that the elements which
are not in I but the root of P∆ (x) can be discovered by the Game G2 . In game G2 , instead of generating the trap-
user with ∏ an overwhelming probability. By the Lemma 1, door of Q by the algorithm of TGen, we randomly select
P∆ (x) = a∈I (x − a) · S(x), where S(x) is a polynomial M elements from ZN and encrypt them by BCP encryption
under the same key. Like the game G1 , there exists an
distributed uniformly over R2L−|I| [x]. That is, the root of
efficient adversary B2 such that
S(x) representing an element in U has a negligible prob-
ability. As a result, the user is able to filter the erroneous |Pr[G2 = 1] − Pr[G1 = 1] ≤ AdvIND−CPA
Σ,B2 (κ).
elements and learns the intersection set I which can be used
to retrieve all the desired documents.
Algorithm 4 Simulator S1
6.2 Security Analysis Input: L
Before presenting the formal analysis, we give a high-level Output: I , T r, Res
intuition about the security. On the one hand, we can protect Generating I
the search pattern from C1 in 4 aspects. Firstly, the trapdoors
1: for 1 ≤ i ≤ M do
T r′ s are different for the same query Q, since the trapdoor
2: for L ≥ j ≥ 0 do
generation algorithm TGen is probabilistic. Secondly, the
$
search results are ciphertext in our scheme (respond-hiding 3: aj ←− ZN ; cj ← BCP.Enc(pk, aj ); C ← cj
scheme), so the access pattern is hidden. Thirdly, the size 4: end for
pattern is protected as we make DB(wi ) have the same 5: Parse C = {cL , cL−1 , · · · , c1 , c0 }; Store C to the I
length L. Fourthly, we protect the response equality pattern. 6: end for
That is, the search results Enc(P∆ ) are distinct for different Generating T r, Res
searches on the same query, because each time new random-
7: for 1 ≤ i ≤ T do
ly elements will be chosen for generating T r. Therefore, C1
8: for 1 ≤ j ≤ M do
can only learn the total number of keywords M and the $
response length L from search index I . This is the whole 9: ej ←
− ZN ; Ej ← BCP.Enc(pk, ej )
leakage in our scheme. 10: end for
On the other hand, the server C2 also never learns the 11: T r = {E1 , E2 , · · · , EM }; Res ← Search(I, T r, PP)
12: end for
search pattern even it has the powerful system secret key
TABLE 2: Functionality Comparison

Reference conjunctive random search token access pattern response length pattern response equality pattern rebuild
Cash et al. [5] X × X × × ×
Boneh et al. [1] X × X × X ×
Kamara et al. [18] X × X × × ×
Sun et al. [29] X × × × X ×
Sun et al. [27] X × X × × ×
Cao et al. [4] × X × X × ×
Kamara et al. [19] × X X X X X
Our scheme X X X X X ×
TABLE 3: Efficiency Comparison

Schemes Boneh et al. Scheme [1] Our Scheme
Setup M · (L + 1)(2E + M) M · (L + 1)(2E + 2M)
TGen |Q|H M (2E + 2M)
Search (|Q|L + 2L!)E M (32 + 22L)M + M (14 + 10L + 2L!)E
Simulator. In the following, we give the details of con- DB(wi ), wi ∈ W can be recovered from the P∆ (x), other
structing the simulators S1 and S2 . Specially, S1 takes as than the search results I .
input the L(DB, Q) = (L, M ), and output the simulated I
and the transaction array t = (T r, Res). Here we note that 6.3 Comparison
the transaction Res is generated under the assistance of S2 .
In this section, we present the functionality and efficiency
To simulate the search index I , S1 randomly selects
analysis of our proposed scheme. As discussed in the part
(L · M ) elements from ZN and encrypts them by BCP
of introduction, the search pattern is compromised not only
encryption scheme. The distribution of I in both game G2
from the deterministic search pattern, but also from the
and simulator S1 is indistinguishable, because the elements
access pattern, response length pattern and the response
in both are the ciphertexts of random elements in ZN .
equality pattern. It can be easily seen from the Table 2 that
To simulate the trapdoor T r , S1 selects M random
our scheme can protect the search pattern, while supporting
elements from ZN and encrypts them. We claim that there
conjunctive keyword search. We note that our work belongs
are two reasons to simulate the trapdoor in this way: (1) the
to the scope of response-hiding searchable encryption, as
distribution of the trapdoor in both game G2 and simulator
the matching document identifiers in our scheme can only
is indistinguishable because of the IND-CPA secure of BCP
be recovered by the client at last. Therefore, when not con-
encryption; (2) the search pattern is hidden in our proposed
sidering the retrieval of real documents, our work succeeds
scheme such that the trapdoors for the same two queries
to hide access pattern. The elegant OXT scheme proposed
are different, so it is unnecessary to keep consistent of the
by Cash et al. [5] can achieve conjunctive keyword search,
trapdoors. The details of simulating I and T r are present in
however, it does not consider how to protect the search
the Algorithm 4.
pattern. Some other schemes extend OXT to support more
With the trapdoor, the simulator S1 performs search
rich functionalities, e.g., verification [29], efficient disjunc-
operation on the simulated search index I under the help
tive keyword search [18] and multi-user setting [27]. Boneh
of simulator S2 , and obtains the transaction Res. For the
et al.’s scheme [1] adopts a different solution to perform
simulator S1 , it performs search as the Game G2 does (also
conjunctive keyword search. However, none of the above
as the real game does). The reason is that the simulator with
schemes take search pattern into consideration. Cao et al.’s
the public key of BCP encryption can perform search as the
scheme [4] aims to protect the search pattern, however, the
cloud server C1 does. In contrast, the simulator S2 without
access pattern and response equality pattern are leaked.
the master key of BCP encryption cannot perform search as
More recently, Kamara et al. [19] adopted the idea of square-
the auxiliary server C2 does. Thus, the simulator S2 should
root ORAM to protect the search pattern. Informally, during
simulate this process. Specifically, if the simulator S1 sends
an epoch, the same location in the search index is never ac-
Enc(m′1 ) and Enc(m′2 ) to the S2 , S2 chooses a random
cessed twice. However, once the number of queries exceeds
element r form ZN and returns the ciphertext Enc(r) to the
the epoch, it is necessary for the server and the data owner
S1 . Because of the IND-CPA secure of BCP encryption, the
to interact to rebuild the whole search index. Compared
adversary cannot distinguish Enc(m′1 · m′2 ) from Enc(r).
with [19], our proposed scheme is more practical since the
For the simplicity, we omit the details of how to simulate
search index does not need to be rebuilt.
the search operation for S1 and S2 , the process of which is
We note that both Kamara et al.’s scheme [19] and our
denoted as Search in the Algorithm 4.
scheme have a large communication overhead, but there are
Theorem 2. The user learns nothing other than the desired a lot of difference between them. The communication in the
search result I = ∩wi ∈Q DB(wi ). work [19] is between the cloud server and the user. Thus, the
Proof: It is easy to prove this theorem. From the part of user has to bear the large overhead of communication and
Correctness analysis, the user learns the polynomial
∏ of P∆ (x) computation of rebuilding. Besides, the user cannot perform
which can be represented as P∆ (x) = a∈I (x − a) · S(x). search until the rebuild phase is completed. In contrast, the
From LEMMA 1, S(x) is a polynomial distributed uni- communication in our scheme is between the cloud server
formly over R2L−|I| [x]. Thus, no more information about and the auxiliary server. It is unnecessary for the user to bare
4.5 50 120 600

128-bit 128-bit 128-bit 128-bit
4 256-bit 45 256-bit 256-bit 256-bit
1024-bit 1024-bit 100 1024-bit 500 1024-bit
40
3.5
35
3 80 400
Size of Token (KB)

Size of Index (MB)
Time Cost (ms)

Time Cost (s)
30
2.5
25 60 300
2
20
1.5 40 200
15
1
10
20 100
0.5 5
0 0 0 0
2 3 4 5 6 7 8 9 10 2 3 4 5 6 7 8 9 10 2 3 4 5 6 7 8 9 10 2 3 4 5 6 7 8 9 10
Number of Keyword-Document Pairs 104 Number of Keyword-Document Pairs 104 Number of Keyword-Document Pairs 104 Number of Keyword-Document Pairs 104
(a) (b) (c) (d)

140 4.5 45 3.5
128-bit 128-bit 128-bit 128-bit
256-bit 4 256-bit 40 256-bit 256-bit
120 1024-bit 1024-bit 1024-bit
3 1024-bit
3.5 35
Size of the Search Results (KB)

100 2.5
3 30
Time Cost (ms)

Time Cost (s)
Time Cost (s)

80 2.5 25 2
60 2 20 1.5
1.5 15
40 1
1 10
20 0.5
0.5 5
0 0 0 0
2 3 4 5 6 7 8 9 10 50 100 150 200 250 300 2 3 4 5 6 7 8 9 10 2 3 4 5 6 7 8 9 10
Number of Keyword-Document Pairs 10 4 the Max Number of DB(w) Number of Keyword-Document Pairs 104 Number of Keyword-Document Pairs 104
(e) (f) (g) (h)
Fig. 3: The performance of our proposed scheme. (a) Time cost of generating I . (b) The size of I . (c) Time cost of generating
token. (d) The size of token. (e) Time cost of searching in the whole I . (f) Time cost of searching in parallel. (g) The size of
the encrypted search results from server. (h) Time cost of finding the plaintext of the search results.
the communication and computation overhead. However, implement the server and client instance, respectively. Our
in our scheme, the communication between them brings source code is published at GitHub 7 .
certain search latency. Fortunately, the size of the ciphertext In the phase of system setup, our main computa-
needed to be transmitted is not large in our scheme, and the tion overhead is dominated by system parameters and
efficiency of communication in 4G is high. Thus, the search search index generation operations. The data owner takes
latency is acceptable in practice. 3.71, 3.89 and 12.2 seconds to generate system parameters
Then we present the efficiency features in the Table 3. (i.e., pp, msk , pk and sk ) by invoking BCP.Setup and
Because both the Boneh et al.’s scheme [1] and our proposed BCP.KeyGen algorithms for 128-bit, 256-bit and 1024-
scheme are based on the technique of polynomial represen- bit security parameter, respectively. On the other hand,
tation of a set, we mainly compare the efficiency of these the index I generations mainly consist of the encryption
two schemes. For the computation overhead, we mainly operations Enc(Pwi ) for 1 ≤ i ≤ M . We can see that both
consider the hash, multiplication and exponentiation opera- the cost of generating I in Fig. 3 (a) and the size of I in Fig. 3
tions. We denote by H a hash operation, M a multiplication (b) increase with the length of the security parameter. So the
operation and E an exponentiation operation and |Q| the user can choose a better trade-off between the efficiency and
number of queried keywords. In order to protect the search security. It should be pointed out that the above-mentioned
pattern in our scheme, it is necessary for the cloud server effort is done once and can be performed in the manner of
to perform search in the whole database. Note that the off-line.
search operation can be performed in parallel. Specifically, To retrieve the specific documents, the token of the
the search operation for each keyword is independent and searched keyword can be generated by invoking the TGen
it can be performed in parallel (cf. the (2) of the section 4.2). algorithm. As shown in Fig. 3 (c) and Fig. 3 (d), it can be seen
This good performance can be used to improve the search that the cost of token generation and the size of search token
efficiency. increase with the number of keywords in the database. We
remark that our approach can achieve randomized search
7 P ERFORMANCE E VALUATION token for the same query and thus can protect the search
pattern.
In this section, we present a thorough experimental evalua- The search cost at server side should increase with
tion of our proposed scheme. Our experiments are based the number of keyword and the corresponding documents
on an implementation using GMP 4 and NTL library 5 for each keyword in theory. The main reason is that the
on the real-world Wikimedia dataset 6 (100, 000 keyword- server requires to perform the search operations line-by-
document pairs are extracted to implement our experi- line. However, we argue that the search algorithm can be
ments). We utilize the Intel Xeon(R) Gold 5118 2.3GHz performed in a parallel way. That is, the server can perform
processors with 12 cores and 256G RAM and Intel Core search independently of the number of keywords in the
I5-6500 processors running at 3.2 GHz, 16G memory to search index I . Based on this observation, we adopt a high-
4. https://gmplib.org/
performance computer (Intel Xeon(R) Gold 5118 2.3GHz
5. https://www.shoup.net/ntl/
6. https://dumps.wikimedia.org 7. https://github.com/AuspiciousCloud/search-pattern-hidden
processors with 12 cores and 256G RAM) to be the instance introducing an auxiliary server to efficiently achieve multi-
of servers, which can perform search by multi-threading the plicative homomorphic property. Moreover, we improve the
processing. The search cost can be shown in Fig. 3 (e) based security on the user side by leveraging random polynomials.
on our experimental dataset, where the number of keywords We also implement our scheme on a real-word dataset.
is up to 100,000 and the corresponding documents for each The experimental results show that our scheme has better
keyword is range from 45 to 88. We furthermore provide as performance in terms of search efficiency.
supplementary the search efficiency for a single keyword in
Fig. 3 (f). It is easy to know that our construction can be ACKNOWLEDGMENTS
accelerated with the parallel processing method.
We show the communication and computation costs of This work was supported by the National Cryptography
the data user in Fig. 3 (g) and (h). It can be seen that the Development Fund (No. MMJJ20180110).
size of the encrypted search results is small, and there is
no interaction between the server and the user, such that it R EFERENCES
saves the communication cost between the server and the [1] D. Boneh, C. Gentry, S. Halevi, F. Wang, and D. J. Wu, “Private
user. Furthermore, as shown in Fig. 3 (h), it is very efficient database queries using somewhat homomorphic encryption,” in
for the user to decrypt the encrypted search results. 11th international Conference on Applied Cryptography and Network
Security (ACNS), 2013, pp. 102-118.
[2] R. Bost, B. Minaud and O. Ohrimenko, “Forward and backward
40 20
Rebuid Cost
20 private searchable encryption from constrained cryptographic
Kamara et al. Scheme Time Cost
35 Boneh et al. Scheme
Our Proposed Scheme
Communication Cost primitives,” in Proceedings of the 2017 ACM Conference on Computer
30 15 15 and Communications Security (CCS), 2017, pp. 1465-1482.
Communication Cost (Mb)

25 [3] E. Bresson, D. Catalano, and D. Pointcheval, “A simple public-
Time Cost (ms)
Time Cost (s)
20 10 10 key cryptosystem with a double trapdoor decryption mechanism

15 and its applications,” in International Conference on the Theory and
10 5 5
Application of Cryptology and Information Security (ASIACRYPT),
5
2003, pp. 37-54.
0 0 0
[4] N. Cao, C. Wang, M. Li, K. Ren, W. Lou, “Privacy-preserving
2 3 4 5 6 7 8
Number of Keyword-Document Pairs
9 10
104
2 3 4 5 6 7
Number of Keyword-Document Pairs
8 9 10
104 multi-keyword ranked search over encrypted cloud data,” IEEE
Transactions on parallel and distributed systems, vol. 25(1), pp. 222-
(a) (b)
233, 2014.
[5] D. Cash, S. Jarecki, C. S. Jutla, H. Krawczyk, M. Rosu, and M.
Fig. 4: Efficiency Comparison (a) Search efficiency of the Steiner, “Highly-scalable searchable symmetric encryption with
three schemes (b) Rebuild cost of Kamara et al. scheme support for boolean queries,” in Annual International Cryptology
Conference (CRYPTO), 2013, pp. 353-373.
[6] D. Cash, P. Grubbs, J. Perry and T. Ristenpart, “Leakage-Abuse
In Fig. 4, we compare the search efficiency of the Boneh Attacks Against Searchable Encryption,” in Proceedings of the 22nd
et al.’s scheme [1], Kamara et al.’s scheme [19] and our ACM SIGSAC Conference on Computer and Communications Security
proposed scheme. Boneh et al.’s scheme adopt the 256-bit (CCS), 2015, pp. 668–679.
[7] J. G. Chamani, D. Papadopoulos, C. Papamanthou and R. Jalili,
security of Paillier encryption, and our scheme adopt the “New Constructions for Forward and Backward Private Symmet-
256-bit security of BCP encryption and are implemented in ric Searchable Encryption,” in Proceedings of the 2018 ACM SIGSAC
a complete parallel way. Compared with scheme [1], our Conference on Computer and Communications Security (CCS), 2018,
pp. 1038-1055.
scheme is less efficient. The reason is that Boneh et al. do [8] X. Chen, J. Li, X. Huang, J. Ma and W. Lou, “New Publicly
not consider the search pattern, so only the additive ho- Verifiable Databases with Efficient Updates,” IEEE Transactions on
momorphic property is used in their scheme [1], while both Dependable and Secure Computing, vol. 12(5), pp. 546-556, 2015.
the additive and multiplicative homomorphic properties are [9] X. Chen, J. Li, J. Ma, Q. Tang and W. Lou, “New Algorithms for Se-
cure Outsourcing of Modular Exponentiations,” IEEE Transactions
necessary in our scheme. For Kamara et al.’s scheme, we use on Parallel and Distributed Systems, vol. 25(9), pp. 2386-2396, 2014.
256-bit security AES to encrypt the document identifiers. [10] X. Chen, J. Li, J. Weng, J. Ma and W. Lou, “Verifiable Computation
From the Fig. 4 (a). we can see that it is very efficient for over Large Database with Incremental Updates,” IEEE Transactions
on Computers, vol. 65(10), pp. 3184-3195, 2016.
the scheme [19] to perform search, since it only use the [11] S. Cui, M. R. Asghar, S. D. Galbraith and G. Russello, “Secure
binary search technique. However, the search efficiency is and Practical Searchable Encryption: A Position Paper,” in 22nd
at the cost of heavily rebuilding the encrypted data. We Australasian Conference on Information Security and Privacy (ACISP),
show the overhead 2017, pp. 266–281.
√ of rebuilding in Fig. 4 (b). Specifically, [12] R. Curtmola, J. A. Garay, S. Kamara and R. Ostrovsky, “Searchable
after retrieving δ number of search result, the data owner Symmetric Encryption: Improved Definitions and Efficient Con-
has to download all the encrypted data on the server side structions,” in Proceedings of the 13th ACM Conference on Computer
and rebuilds them. As a result, both the computation and and Communications Security (CCS), 2006, pp. 79-88.
[13] S. Garg, P. Mohassel and C. Papamanthou, “TWORAM: Efficient
communication overheads are high. In contract, the search oblivious RAM in two rounds with applications to searchable
index in our scheme does not need to be rebuilt once it is encryption,” in the 36th Annual Cryptology Conference (CRYPTO),
outsourced to the server. 2016, pp. 563-592.
[14] O. Goldreich and R. Ostrovsky, “Software Protection and Simu-
lation on Oblivious RAMs,” Journal of the ACM, vol. 43(3), pp.
8 C ONCLUSION 431-473, 1996.
[15] P. Golle, J. Staddon and B. Waters, “Secure conjunctive keyword
In this work, we point out that the scheme [30] cannot search over encrypted data,” in International Conference on Applied
perform search operation successfully. Then, we propose a Cryptography and Network Security (ACNS), 2004, pp. 31-45.
new searchable encryption scheme supporting conjunctive [16] Y. Ishai, E. Kushilevitz, S. Lu and R. Ostrovsky, “Private Large-
Scale Databases with Distributed Searchable Symmetric Encryp-
keyword query with search pattern hidden, by exploiting tion,” The Cryptographers’ Track at the RSA Conference (CT-RSA),
a special additive homomorphic encryption scheme and 2016, pp. 90-107.
[17] M. S. Islam, M. Kuzu and M. Kantarcioglu, “Access Pattern Yunling Wang received her master degree
Disclosure on Searchable Encryption: Ramification, Attack and in electronics and communication engineering
Mitigation,” in 19th Annual Network and Distributed System Security from Xidian University, China, in 2015. She is
Symposium (NDSS), 2012. currently a Ph.D candidate in Cryptography in
[18] S. Kamara and T. Moataz, “Boolean Searchable Symmetric Encryp- Xidian University. During her Ph.D study, she
tion with Worst-Case Sub-linear Complexity,” in 36th Annual In- studied as a joint Ph.D student in the Faculty
ternational Conference on the Theory and Applications of Cryptographic of Information Technology at Monash University,
Techniques (EUROCRYPT), 2017, pp. 94-124. Australia, for one year. Her research interests
[19] S. Kamara, T. Moataz and O. Ohrimenko, “Structured encryption include searchable encryption and cloud com-
and leakage suppression,” in 38th Annual International Cryptology puting.
Conference (CRYPTO), 2018, pp. 339-370.
[20] S. Kamara, C. Papamanthou and T. Roeder, “Dynamic searchable
symmetric encryption,” in Proceedings of the 2012 ACM Conference
on Computer and Communications Security (CCS), 2012, pp. 965C976.
[21] L. Kissner and D. Song, “Privacy-preserving set operations,” in
Annual International Cryptology Conference (CRYPTO), 2005, pp.
241-257.
Shi-Feng Sun received his Ph.D degree in Com-
[22] S. Lai, S. Patranabis, A. Sakzad, J. K. Liu, D. Mukhopadhyay, R.
puter Science and Technology from Shanghai
Steinfeld, S.-F. Sun, D. Liu and C. Zuo, “Result Pattern Hiding
Jiao Tong University in 2016. During his Ph.D
Searchable Encryption for Conjunctive Queries,” in Proceedings of
study, he worked as a visiting scholar at the
the 2018 ACM SIGSAC Conference on Computer and Communications
University of Melbourne for more than one year.
Security (CCS), 2018, pp. 745-762.
His research interest centers on cryptography
[23] C. Liu, L. Zhu, M. Wang and Y. Tan, “Search pattern leakage in
and data privacy, particularly on provably secure
searchable encryption: Attacks and new construction,” Information
cryptosystems, data privacy-preserving technol-
Science, vol. 265, pp. 176-188, 2014.
ogy in cloud storage, and privacy-enhancing
[24] A. Peter, E. Tews and S. Katzenbeisser, “Efficiently Outsourcing
technology in blockchain.
Multiparty Computation Under Multiple Keys,” IEEE Transactions
on Information Forensics and Security, vol. 8(12), pp. 2046-2058, 2013.
[25] D. X. Song, D. A. Wagner and A. Perrig, “Practical Techniques for
Searches on Encrypted Data,” in IEEE Symposium on Security and
Privacy (S&P), 2000, pp. 44-55.
[26] E. Stefanov, C. Papamanthou, E. Shi, “Practical Dynamic Search-
able Encryption with Small Leakage,” in 21st Annual Network and
Distributed System Security Symposium (NDSS), 2014, vol, 71, pp. Jianfeng Wang received his M.S. degree in
72-75. Mathematics from Xidian University, China. He
[27] S.-F. Sun, J. K. Liu, Amin Sakzad, R. Steinfeld and T. H. Yuen, “An got his Ph.D degree in Cryptography from Xidian
Efficient Non-Interactive Multi-client Searchable Encryption with University in 2016. Currently, he works at Xidian
Support for Boolean Queries,” in European symposium on research in University. He visited Swinburne University of
computer security (ESORICS), 2016, pp. 154-172. Technology, Australia, from December 2017 to
[28] S.-F. Sun, X. Yuan, J. K. Liu, R. Steinfeld, A. Sakzad, V. Vo and December 2018. His research interests include
S. Nepal, “Practical Backward-Secure Searchable Encryption from applied cryptography, cloud security and search-
Symmetric Puncturable Encryption,” in Proceedings of the 2018 able encryption.
ACM Conference on Computer and Communications Security (CCS),
2018, pp. 763-780.
[29] W. Sun, X. Liu, W. Lou, Y.T. Hou, H. Li, “Catch you if you lie to me:
efficient verifiable conjunctive keyword search over large dynamic
encrypted cloud data,” in Proceedings of 2015 IEEE Conference on
Computer Communications (INFOCOM), 2015, pp. 2110-2118.
[30] B. Wang, W. Song, W. Lou and Y. T. Hou, “Inverted index based
multi-keyword public-key searchable encryption with strong pri- Joseph K. Liu received the Ph.D degree in infor-
vacy guarantee,” in 2015 IEEE Conference on Computer Communica- mation engineering from the Chinese University
tions (INFOCOM), 2015, pp. 2092-2100. of Hong Kong in July 2004, specializing in cyber
[31] J. Wang, X. Chen, J. Li, J. Zhao and J. Shen, “Towards Achieving security, protocols for securing wireless network-
Flexible and Verifiable Search for Outsourced Database in Cloud s, privacy, authentication, and provable security.
Computing,” Future Generation Computer Systems, Vol. 67, 266-275, He is now an associate professor at Monash
2017. University, Australia. His current technical focus
[32] J. Wang, X. Chen, S. F. Sun, J. K. Liu and M. H. Au and Z. H. is particularly cyber security in Cloud computing
Zhan, “Towards Efficient Verifiable Conjunctive Keyword Search paradigm, smart city, lightweight security, and
for Large Encrypted Database,” in 23rd European Symposium on privacy enhanced technology.
Research in Computer Security (ESORICS), 2018, pp. 83-100.
[33] Y. Wang, J. Wang, S. F. Sun, J. K. Liu, W. Susilo and X. Chen,
“Towards Multi-user Searchable Encryption Supporting Boolean
Query and Fast Decryption,” in 11th International Conference on
Provable Security (ProvSec), 2017, pp. 24-38.
[34] Y. Zhang, J. Katz and C. Papamanthou, “All Your Queries Are
Belong to Us: The Power of File-Injection Attacks on Searchable Xiaofeng Chen received his B.S. and M.S. in
Encryption,” in 25th USENIX Security Symposium, 2016, pp. 707- Mathematics from Northwest University, China
720 in 1998 and 2000, respectively. He got his Ph.D
[35] C. Zuo, S. F. Sun, J. K. Liu, J. Shao and J. Pieprzyk, “Dynam- degree in Cryptography from Xidian University in
ic searchable symmetric encryption schemes supporting range 2003. Currently, he works at Xidian University as
queries with forward (and backward) security,” in European Sym- a professor. His research interests include ap-
posium on Research in Computer Security (ESORICS), 2018, pp. 228- plied cryptography and cloud computing securi-
246. ty. He has published over 100 research papers in
refereed international conferences and journals
which have been cited more than 8000 times at
Google Scholar.

Achieving Searchable Encryption Scheme With Search Pattern Hidden

Uploaded by

Copyright:

Available Formats

You might also like

Achieving Searchable Encryption Scheme With Search Pattern Hidden

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Achieving Searchable Encryption Scheme With Search Pattern Hidden

Uploaded by

Copyright:

Available Formats

This article has been accepted for publication in a future issue of this journal, but has not been

Achieving Searchable Encryption Scheme with

1 I NTRODUCTION tant security limitations, namely, they leak search pattern

C LOUD computing is the delivery of on-demand com-

• Setup(1κ , DB). It takes as input the security param-

search query Q from data user

with server C2 Ei ¢h Enc(Pwi (x)) vi(x) ¤h Enc(qi(x)) Enc(Q1) +h ¢ ¢ ¢ +h Enc(QM )

decrypt find out

Fig. 2: Overview of our scheme

TABLE 2: Functionality Comparison

TABLE 3: Efficiency Comparison

4.5 50 120 600

Size of Token (KB)

Time Cost (ms)

(a) (b) (c) (d)

Size of the Search Results (KB)

Time Cost (ms)

Time Cost (s)

(e) (f) (g) (h)

Communication Cost (Mb)

Time Cost (s)

20 10 10 key cryptosystem with a double trapdoor decryption mechanism

You might also like