Security and Communication Networks

Security and Communication Networks / 2019 / Article

Research Article | Open Access

Volume 2019 |Article ID 5280806 |

Yu Zhang, Yin Li, Yifan Wang, "Secure and Efficient Searchable Public Key Encryption for Resource Constrained Environment Based on Pairings under Prime Order Group", Security and Communication Networks, vol. 2019, Article ID 5280806, 14 pages, 2019.

Secure and Efficient Searchable Public Key Encryption for Resource Constrained Environment Based on Pairings under Prime Order Group

Academic Editor: Stelvio Cimato
Received20 Dec 2018
Revised25 Feb 2019
Accepted28 Apr 2019
Published13 May 2019


Searchable public key encryption scheme is a key technique for protecting data confidentiality in today’s cloud environment. Specifically, public key encryption with conjunctive and disjunctive keyword search (PECDK) can provide flexible search options without sacrificing keywords security and thus attracts a lot of attention nowadays. However, the most effective PECDK scheme is based on the inner product encryption (IPE), which needs more time and space cost. In this paper, by utilizing the bilinear pairing with a prime order group, we propose an efficient PECDK scheme needing less time and storage consumption. The proposed scheme is proven to be secure under a rigorous security definition. The theoretical analysis and experimental results demonstrate that our proposed scheme can significantly improve the time and space efficiency over the state-of-the-art scheme.

1. Introduction

In the era of big data, more and more companies and individuals are willing to share their data over the cloud platform. If the data is stored in plaintext form, the cloud service providers can easily access and analyze the data illegally, which may lead to a big threaten to some sensitive data, e.g., electronic health and personal credit records. To protect data privacy, encrypting data before outsourcing it to the cloud server is a common approach. But, this brings a new issue of how to perform keyword search over these unreadable ciphertext. A straightforward solution is to download all the encrypted data to the client and decrypt it. After obtaining all unencrypted data, users can utilize the common information retrieval technique used on the plaintext to perform keywords query. However, this approach requires a very high communication, storage, and computing costs, which are not applicable for large scale networks. This issue put forward a new challenge: how to effectively search for encrypted data without decrypting it first.

Searchable encryption (SE) is a promising method to address this problem. SE can be classified into two categories according to its applications: searchable symmetric key encryption (SSE) and searchable public key encryption (SPE). Based on many researchers’ work these years, SSE can support advanced query conditions like Boolean keywords search, multikeywords rank search, and top- similarity keywords search. Works [13] dealt with multikeywords search, where the query condition contains more than one keyword. Considering the fact that it is not practical to return all the search results, more recent works like [46] focused on the multikeywords rank search. Sometimes, users want to search documents related to their query keywords rather than the documents that precisely match those keywords. The SSE schemes supporting similarity keywords search were created to address this issue [7, 8].

Conversely, SPE is difficult to support advanced search function without sacrificing security as anyone who has the public key () can create encrypted index or ciphertext, and easily perform chosen keywords attack. In addition, the SSE scheme is generally more efficient than the SPE scheme. Although the SPE scheme has these weaknesses, it still holds some advantages for many applications. Specifically, for the application in which there are many data senders and only one data receiver (Figure 1), SSE needs that all senders and the receiver hold the same symmetric key to generate the encrypted data. So, if one of the senders is compromised by an adversary, then the data for all senders will be leaked. Compared with SSE, in SPE, the public key can be accessed by all senders, and the private key is only given to the receiver. Thus, SPE can naturally solve the security problem of key management in this application [9] and is an irreplaceable solution.

The first SPE named as public key encryption with keyword search (PEKS) was introduced in [10], in which senders who hold can send their encrypted documents with encrypted indexes to a server, and the receiver holding secret key () can make a keyword search over the encrypted data. However, this scheme only supports a single keyword search. How to construct a public key encryption scheme supporting a complex query conditions such as the Boolean keyword search is a significant problem. Specifically, as two typical Boolean keyword search schemes, conjunctive and disjunctive keyword search over encrypted data in the public key setting are needed to be developed.

Park et al. [11] first proposed the public key encryption with conjunctive keyword search (PECK) scheme that supports keywords search like , where and are query words. After that, many PECK schemes [12, 13] were proposed to improve the efficiency and security. The first public key encryption with disjunctive keyword search (PEDK) scheme was proposed by Katz et al. [14]. In their work, they proposed an inner product encryption (IPE) scheme and converted this IPE scheme into a PEDK scheme, which supports keywords search like . In an IPE scheme, the secret key corresponding to a predicate vector can decrypt the ciphertext associated with an attribute vector if and only if . According to this property, we know that, by converting index and query keyword set into an attribute and a predicate vector, respectively, an IPE scheme can be changed into a SPE scheme supporting multikeywords search.

In the practical cloud environment, the user usually perform conjunctive and disjunctive keywords search simultaneously. In [15], Zhang and Lu proposed an approach of converting an IPE scheme into a public key encryption with conjunctive and disjunctive keyword search (PECDK) scheme and gave a concrete scheme. In their scheme, the size of each document’s index, the size of a trapdoor, and the time cost of pairing operations in the test process are all . Since is the number of keywords in a dictionary, the previous PECDK scheme is impractical if is a large integer. Inspired by this problem, we proposed a new approach to build an efficient PECDK scheme with less time and space overhead [16]. However, these two PECDK schemes are based on the IPE scheme [17], which is a costly cryptographic prototype. In this paper, we aim to build an efficient PECDK scheme using an alternative method.

Main Works. In the scheme introduced in [17], the user first converts an index and a query keyword set into an attribute and a predicate vector, respectively. After this, the user can construct encrypted index and trapdoor by applying the attribute and predicate vectors to the encryption and key generation algorithms of IPE. The keyword search process can be executed by adopting the decryption algorithm of IPE. However, this scheme is constructed by utilizing many group operations due to being based on the IPE scheme. The IPE scheme adopts a technique called dual pairing vector space (DPVS), which generates group elements to create the public key and secret key. By using these keys, both the storage size of the obtained indices and the time cost of the search process are linear with . To address this issue, we aim to create an efficient PECDK scheme without using IPE as the infrastructure. We take advantage of the conversion method similar to the one introduced in [16] for creating a group of vectors. Then, by applying these vectors to the prime order pairing groups, a PECDK scheme with a better time and space complexity than the previous schemes is presented. Security of our construction is based on decision linear Diffie-Hellman (DLIN) assumption in the random oracle model. In addition, we design an experiment that verifies the efficiency of the proposed scheme and give a detailed comparison with the previous scheme. The experiment result shows that the key generation, index building, trapdoor generation, and testing algorithms in our scheme are more efficient than those in the previous one. Besides, the space cost for indices in our scheme is also less than that in the previous one. In practice, client device, e.g., a mobile device, has less storage space and limited computation capacity. Thus, compared with the previous scheme, ours is much more suitable for the resource constrained environment.

Related Work. There are two classes of searchable encryption schemes in terms of different cryptography primitives: searchable symmetric key encryption (SSE) and searchable public key encryption (SPE).

SSE. Song et al. [18] introduced the definition of searching on encrypted data and gave a concrete scheme. Then, Goh [19] defined a formal security definition for SSE and presented an effective conjunctive keywords search scheme by using a technique called Bloom Filter. Soon afterward, many works [20, 21] were constructed to improve the search efficiency and security level. These schemes failed to achieve a sublinear search speed. To address this issue, by taking advantage of tree structures, such as r-tree and kd-tree, SSE schemes with sublinear search time were released in [22, 23]. The SSE scheme supporting Boolean keywords search with sublinear search time was given in [24]. In order to support queries with rich expressiveness, SSE schemes supporting media data and similarity keywords search are introduced in [25, 26]. More important, these works also support dynamic update. In practical application, the search engine should return the top- related documents to users instead of returning all the search results. Some SSE schemes, supporting rank search, are proposed in [46] to obtain more accurate query results.

SPE. The first SPE scheme is called public key encryption with keyword search (PEKS), which was proposed by Boneh et al. [10]. Then, Abdalla et al. [27] defined the computational and statistical consistency in PEKS and presented a statistically consistent scheme. However, this work only supports a single keyword search. The concept of PECK was first proposed in [11]. They defined the security model of this mechanism and gave two constructions. One requires many bilinear pairing operations, while the other needs more private keys. Hwang and Lee [28] designed a more efficient scheme in a multiple users setting. However, all these constructions use the keyword field as additional information for keyword search. The keyword field may leak more information to the public. To eliminate the keyword field, Boneh and Waters [29] presented a public key encryption scheme called hidden vector encryption (HVE), which supports a conjunctive search, comparison queries , and subset queries on encrypted data.

In order to create a SPE scheme supporting disjunctive keyword search, katz et al. [14] proposed a public key encryption scheme called inner product encryption (IPE), which is related to the attribute-based encryption (ABE) [30, 31]. Recently, in order to better utilize the encrypted data and improve the security, some public key schemes which can support verifiable attribute-based search over outsourced encrypted data are proposed in [3237]. For supporting advanced keywords search function, Zhang and Lu proposed the first PECDK scheme [15] by combining an efficient IPE scheme [17] and a keyword conversion method. However, their scheme is a costly solution due to using an IPE scheme. In fact, the PECDK scheme based on an IPE scheme needs more computation and storage cost than the one without utilizing an IPE scheme as a foundation. Therefore, in this paper, we will find a new method irrelevant to IPE to construct a more efficient PECDK scheme.

Organization. The remainder of the paper is organized as follows: The model and security definitions of PECDK are defined in Section 2. In Section 3, we propose our PECDK scheme and give the security proof for the scheme. The analysis of the presented PECDK scheme is described in Section 4. Section 5 presents some conclusions.

2. Preliminaries

In this section, we will give a formal definition of the PECDK model and the corresponding security model. Our scheme is based on this model and proven to be secure under this security model. Moreover, we also briefly introduce some basic ingredients used to create our scheme, including the bilinear pairing and the complexity assumption.

2.1. Model of PECDK

In PECDK, let be the receiver’s public key and secret key. When a sender wants to send a message to a receiver with keywords , she uses the standard public key encryption system to encrypt and uses and keywords to construct the encrypted index of . After that, she sends the encrypted message and the encrypted index of to the server. When the receiver wants to retrieve messages including a specific list of keywords, he takes the , a symbol, and keyword set as input to construct a trapdoor and sends to the server. Note that the symbol is used to refer to the type of query, e.g., conjunctive form or disjunctive form. When the server receives the trapdoor, it tests each encrypted index by using the trapdoor and returns the matched messages to the receiver.

According to the description above, we give the model of PECDK based on the previous definition introduced in [16].

Definition 1. There are four probabilistic polynomial time algorithms in the PECDK scheme. There are KenGen, IndexBuild, Trapdoor, and Test: (1)KeyGen(): choosing a security parameter , this algorithm outputs the key pair in which is the public key and is the secret key.(2)IndexBuild(,W): the algorithm is performed by the sender to produce an encrypted index by using a keyword set and .(3)Trapdoor(,): the receiver runs this algorithm to produce a trapdoor. It takes , , and the keyword query as input to generate a trapdoor , where . and represent disjunctive and conjunctive keywords search, respectively.(4)Test(, , ): it takes the trapdoor , the secure index , and the public key as input. If is , it means that the trapdoor is for conjunctive keywords search. In this case, the output is if , or otherwise. If is , disjunctive keywords search should be performed. In this case, if , it outputs , or otherwise.

Correctness Property. Let and be a query and a keyword set, respectively. Suppose that , , , and are correctly generated by , , and , respectively. The correctness property of PECDK involves two situations described as follows.(1)When there is a conjunctive keywords search ( is ), holds if . Otherwise, it holds with negligible probability.(2)When there is a disjunctive keywords search ( is ), holds if . Otherwise, it holds with negligible probability.

In practical use, if a sender would like to send a message with keyword set , a ciphertext with the form of , will be created, where is a frequently used public key encryption scheme, e.g., RSA. Similar with other related works [10, 11, 28], the proposal only concentrate on searchable encryption part, which is PECDK in this paper.

2.2. Security Definition of PECDK

Since previous PECDK schemes are based on the IPE scheme, the security definition also depends on the security of IPE. For the PECDK scheme without using IPE, we need to give a new security definition. Inspired by the previous security definition called indistinguishability of ciphertext from random (IND-CR-CKA) introduced in [28], we define a security game under the PECDK model.

The security game is described as follows.(1)Setup: the challenger runs the KeyGen() algorithm to generate the public key and the secret key . Then, gives to the attacker .(2)Phase 1: the attacker can adaptively ask the challenger for the trapdoor for any query of his choice.(3)Challenge: selects a target keyword set and sends it to . After receiving , selects a random keyword set and sets and . Suppose that , , , are queries which are asked to construct trapdoors in Phase 1, where is the number of trapdoors queried in Phase 1. For each , the only restriction is that , where the number of the keywords in and is denoted by and , respectively. Then, picks a random bit , produces , and sends to .(4)Phase 2: can continue to ask for trapdoor for any query of his choice, and subject to the same restriction as before.(5)Response: outputs and wins the game if .

’s advantage can be expressed as a function of the security parameter (): Then, we have the following definition.

Definition 2. According to the game above, a PECDK is semantic secure if, for any probabilistic polynomial time attacker , the function is negligible.

2.3. Bilinear Pairings

Let , be two cyclic groups of prime order . There are three properties in the bilinear pairings map .(1)Bilinear: , where and .(2)Nondegenerate: if , then .(3)Computable: for any , can be efficiently computable.

An efficient bilinear map can be obtained by applying the Weil pairing or the Tate pairing [38].

2.4. Complexity Assumption

We review the complexity assumption named Decision Bilinear Diffie-Hellman Inversion (Decision -BDHI) assumption [11], which is related to the bilinear pairing. The security of our scheme is based on this assumption.

Decision -BDHI Assumption: Given a tuple with the random choice of and , it is argued that an algorithm outputting has advantage in solving the decision l-BDHI problem in if where the probability () is over the random choice and random bits chosen by .

Definition 3. The Decision l-BDHI assumption holds in , if no probabilistic polynomial time algorithm has advantage at least in solving the Decision l-BDHI problem in .

3. PECDK Scheme

Based on previous definitions and notations, in this section, we give our PECDK scheme without using IPE. Our scheme mainly involves three steps. Initially, we utilize a keyword conversion method inspired by the approach introduced in [16] to convert the index and query keywords into a set of vectors. Moreover, by applying the bilinear pairing under the prime order group, we encrypt these vectors to construct encrypted index and trapdoor. Eventually, a test algorithm is built to perform secure keywords query. The method adopted in the first step is described in Section 3.1, and the algorithms used in the second and third steps are given in Section 3.2.

3.1. Keywords Conversion Method

The keywords in query and index are strings; thus we need to change all the keywords to a group of integers. Moreover, in order to verify whether the query matches the index or not, the integers between the query and index must hold some relationships. According to these concerns, we introduce a method that can convert the index and query set into a matrix and a vector.

This method is based on the relationship between the roots and coefficients in an equation of degree with one unknown. Specifically, the roots and coefficients are used to create a matrix of index keywords and a vector of query keywords, respectively. By adopting a prime order group to encrypt the matrix and vector, an encrypted index and query can be built. The relationship between the matrix and vector can be utilized to construct the test algorithm.

Suppose that any keyword can be expressed as ; we define a function . Since is a large prime and is larger than the number of all words, can be collision-resistance. This means that, if , then , where and are two distinct keywords. Let and be two keyword sets, where . The method can be listed into three steps and described as follows.(1)For the keyword set , we construct a matrix for : Note that can be seen as the roots of equation:(2)For the query , we create an equation:According to the coefficient of the , a vector can be obtained.(3)Suppose that is from the -th row of the matrix (3); we can infer that if there is a keyword such that , where , according to (5), it is not difficult to verify that . Based on this property, we can build the test algorithm.

3.2. Construction of PECDK

By combining the keyword conversion method and the bilinear pairing under prime order group, we propose a PECDK scheme which allows the user to perform conjunctive and disjunctive keyword search over encrypted data. Our key idea is as follows. First, by adopting the keyword conversion method introduced in Section 3.1, we change the index and query keyword set into an index matrix and a query vector, respectively. Then, by using a set of elements randomly chosen from the prime order group, we encrypt the index matrix to the secure index and the query vector to the trapdoor, respectively. Specifically, in order to guarantee the scheme’s security, the encryption process relies strictly on the complexity assumption given in Section 2.4. Finally, by taking advantage of the properties of the bilinear pairing, both conjunctive and disjunctive keywords search can be achieved. Specifically, for the conjunctive keywords search, the matched documents are returned if and only if all the keywords in the query are including in the index keyword set. For the disjunctive logic query, the matched documents are returned if and only if the intersection between the index and the query keyword set is not an empty set.

According to the above ideas, the concrete construction is proposed in the following paragraphs. Because of making use of the prime order group, the proposed scheme is more efficient than the previous scheme adopting the IPE crypto-system on the time and space complexities. Experimental results showing the advantages of our scheme can be found in Section 4.(i)KeyGen(): given a security parameter , the algorithm generates two cyclic groups , of prime order and a bilinear pairing . It picks a random generator of and two hash functions and . Choosing random numbers , it computes . After this, it outputs the public key and the secret key , where is also open to the public.(ii)IndexBuild(,): the algorithm generates random numbers and , where . Given a keyword set and the public key , for each word , it computes and , where and . The index of the keyword set isNote that the secure index can be seen as an encrypted version of matrix (3).(iii)Trapdoor(,): when the algorithm receives a keyword query , where , it will construct a vector by utilizing (5). Given a vector and , and can be computed, where is a random number in and . Let and ; the trapdoor for the keyword query is .(iv)Test(, , ): when the algorithm receives a trapdoor and a secure index , it works as follows:(1)If the symbol in is ,(a)The algorithm chooses a counter and sets .(b)If , then it goes to step (c); otherwise it checks whether , where . If so, the algorithm outputs and ends. Otherwise, it sets and goes to step (b).(c)The algorithm outputs and ends.(2)If the symbol in is ,(a)The algorithm chooses two counters and and sets and .(b)If , then it goes to step (c); otherwise it tests whether , where . If so, then the algorithm sets . Otherwise, it does nothing. After that, it sets and goes to step (b).(c)If , the algorithm outputs and ends. Otherwise, it outputs and ends.

Correctness. The key idea of disjunctive keywords search is to determine whether there exists an such that . For the conjunctive keywords search, we need to check whether there are keywords such that , where and . According to these ideas, we know that the essence of test algorithm is to verify whether . In the proposed scheme, it is can be verified that . If , there is . Thus, it must be and . Based on this, we argue that our scheme is correct.

3.3. Security Analysis

Theorem 4. The proposed PECDK scheme is secure according to security definition in the random model if Decision -BDHI is hard.

Proof. Suppose that an algorithm has advantage in breaking the PECDK under the security definition. Suppose makes at most trapdoor queries, we can build an algorithm which solves the decision -BDHI assumption with a probability at least , where is the base of the natural logarithm, and is the number of keywords in an index. Let be a generator of . Given , if , the algorithm outputs , otherwise. The interaction between the algorithm and the algorithm is as follows: (i) Setup: the algorithm works as follows:The algorithm randomly chooses numbers and returns . computes , and , where . Then, gets and stores the pairs in a list named S-list, where . computes and sets . If , . randomly chooses numbers , and constructs for each . Let , gives the public key . The corresponding is , where the values are unknown to .(ii)queries: the random oracles or can be queried by at any time. To answer -queries, keeps a list of tuples called list which is empty initially. When queries the random oracle at a point , algorithm answers as follows:  queries:If the query is already in a tuple on -list, then responds with , where .Otherwise, generates a random coin so that .If , sets . Otherwise, picks a random and sets . adds the tuple to -list and answers with .  queries are similar to queries. To answer queries from , holds a list of tuples called list which is initially empty. When queries the random oracle at a point , algorithm responds as follows:  queries:If the query already appears on -list in a tuple , then responds with , where .Otherwise, picks a random and sets . adds the tuple to -list and responds with .(iii) Trapdoor queries: when queries a trapdoor of the keyword set and , the algorithm answers as follows: runs queries algorithm to obtain , where for each . Let be the corresponding tuples on -list, for each ; if , then reports failure and terminates.Otherwise, constructs a trapdoor for query . first computes . Then, for each , can compute and through an equality of . Obviously, , , is the trapdoor for the keyword query . searches S-list to obtain the tuple . Then sends , , , , , , to the algorithm as the correct trapdoor for the query (iv) Challenge: algorithm produces a keyword set , which is what wants to challenge. Then, sends the target keyword set to . chooses a random keyword set and sets and . The only restriction is that the previous trapdoor queries cannot distinguish and . If there is any previous trapdoor that can break the restriction, regenerates the keyword set . Then selects a random bit and runs the above algorithm for responding to queries to obtain the values , where . Let be the corresponding tuples on list, if there is no for all , then terminates. Otherwise, generates the challenge PECDK index of as follows:If , computes , , , and , where . Observe that if , then . So, the above values are equivalent to , , , and , where . It means that this is a valid PECDK encryption of keyword when .Otherwise, computes , , , , where . sends and two keyword sets and to .(v) More queries: continues to inquire trapdoor queries. The restriction is similar to the challenge phase.(vi) Response: outputs a guess . will output if . Otherwise, will output .Now, we show that the algorithm can solve the decision -BDHI assumption with probability at least . First of all, we should analyze the probability that does not abort in trapdoor queries phase and challenge phase. We define two events:
: does not abort due to any of ’s trapdoor queries.
: does not abort in challenge phase for generating .
Suppose that is large enough. Therefore, the probability of the event is at least . The probability of the event is .
If , ’s view is identical to its view in a real attack game. Since we assume that can break the PECDK scheme with an advantage , it must satisfy . If is a random number, where , then since made a random guess.
Therefore, let ; we have that Then we conclude the theorem.

4. Performance Analysis

In this section, we first give a detailed theoretical analysis for the previous scheme and then compare it with the proposed one. After that, we set up an experiment to show that our scheme has better performance than the previous one. For simplicity, we denote the proposed scheme and the previous one by PECDK-1 and PECDK-2, respectively.

4.1. Theoretical Analysis

In an IPE scheme, each ciphertext associated with an attribute vector can be decrypted by the secret keys corresponding to the predicate vector if and only if . The PECDK-2 is based on the approach of converting an IPE scheme into a PECDK scheme. In order to analyze the efficiency of the previous one, we will introduce the conversion method, which is described as follows.

Suppose that and are two keyword sets. By utilizing an IPE scheme, is the index of , where is a ciphertext of the vector and . Suppose that ; the trapdoor of is , where is a secret key of the vector . Let the decryption algorithm be , where is the public key, is the ciphertext, and is the secret key. For each , the test algorithm can be performed by implementing . According to different search function, there are two situations:(1)For is , if there is at least one such that the decryption algorithm outputs , the test algorithm outputs , otherwise, 0.(2)For is , the test algorithm will verify whether there are that can be decrypted by the decryption algorithm . If so, the test algorithm outputs , otherwise, 0.

PECDK-2 is based on the IPE presented in [17]. For this IPE scheme, the time cost of setup, encryption, key generation, and decryption are all linear with , , , and , respectively, where is the length of the predicate or attribute vector. Moreover, the space overhead of public key, master secret key (), ciphertext, and secret key is linear with , , , and , respectively. According to the conversion method mentioned above, we have the following results.(1)The and in the previous scheme are the same as the and in the IPE scheme. Thus, the time and space cost of and are both linear with .(2)Since the index of the previous scheme contains ciphertexts of IPE, the time and space cost of index are linear with and , respectively. Because the algorithm of trapdoor generating is similar with that of the index building, the time and space cost of trapdoor is also linear with and , respectively.(3)The test algorithm needs to perform times decryption algorithm. Thus, the time cost of test is proportional to the square of .

For our scheme, contains elements in group and one element in , and involves elements in . Thus, we know that the time and space cost of KeyGen algorithm in our scheme are both linear with . Because the IndexBuild algorithm generates elements in group and elements in , the time and space cost of IndexBuild algorithm are both linear with . The time cost and space cost of Trapdoor algorithm are both since this algorithm creates elements in group . Whether or , the test algorithm executes at most pairing operations. Therefore, we can reckon that the time cost of test algorithm is less than .

According to the above analysis, we will give two tables to demonstrate the comparison. Let be the time cost for a pairing operation [15] on , and and be the time cost for the exponential operation on and , where and are two groups of a prime order. For evaluating the time complexity, we only take these two operations into account since the time cost of these two operations is much more than the time cost of other operations like group add operation. The theoretical analysis of time complexity is shown in Table 1.


Key Generation
Index Building
Trapdoor Generation

We denote the size of an element of , , and by , , and , respectively. The comparison result of space complexity is shown in Table 2.


PK size
SK size
Trapdoor size
Index size

4.2. Experimental Results

We implement our construction in JAVA with Java Pairing Based Cryptography (JPBC) library [39]. In our implementation, the bilinear map is instantiated as Type A pairing (base field size is 128 bits), which offers a level of security equivalent to 1024-bit DLOG [16]. Our experiment was run on Intel(R) Core(TM) i7-4570 CPU at 3.60GHz processor with 8GB memory size. Such an experiment is based on a group of artificial keyword sets with different number of keywords in each set (i.e., ), where each keyword set can be seen as an index of a document. In each keyword set, we denote each keyword as an unique integer in the range of , where can be regarded as the number of different words in the artificial keyword sets. We encrypt each keyword set with PECDK-1 and PECDK-2 schemes, and the encrypted indices were stored on our machine and then execute random queries over these encrypted indices (the number of documents and queries is denoted by and , respectively). In addition, for simplicity, we denote the conjunctive and disjunctive keyword search by CKS (conjunctive keywords search) and DKS (disjunctive keywords search), respectively.

4.2.1. Time Overhead

Figure 2 shows that the impact of on the time consumption. The statements of Figure 2 are described as follows.(1)Figure 2(a) shows that the execution time of key generation in PECDK-2 is linear with , while that in PECDK-1 is linear with . The time cost of the key generation algorithm in PECDK-2 is nearly times than that in PECDK-1 since PECDK-2 needs to generate a pair of orthogonal matrices and more exponential operations on .(2)In Figure 2(b), we can find that the time cost of creating index in PECDK-2 is much more than that in PECDK-1, though the time complexities of index building in PECDK-1 and PECDK-2 are both linear with . The reason for this situation is that the DPVS structure used in PECDK-2 is based on a pair of orthogonal matrices, which will bring more exponential operations on and some additional matrix operations.(3)The time consumption of testing in PECDK-1 and PECDK-2 is illustrated in Figure 2(c). In Figure 2(c), we can find that time cost of CKS and DKS in PECDK-1 is much less than that in PECDK-2. In addition, whether PECDK-1 or PECDK-2, the time cost in DKS is slightly less than that in CKS since DKS may test fewer keywords than CKS.(4)The time complexity of trapdoor generation in PECDK-1 is independent with , while that in PECDK-2 is linear with . The trapdoor generation algorithm in PECDK-1 still needs much less time cost than that in PECDK-2 with the same reason described in .