#### Abstract

Massive data are generated and collected by devices in the industrial Internet of Things. Data sources would encrypt the data and send them to the data center through the gateway. For some supervision purpose, the gateway needs to observe the encrypted data stream and label the suspicious data. Instead of decrypting ciphertext at the gateway, which is not efficient, this paper presents a -searchable functional encryption scheme that supports inner product evaluations on encrypted data. Based on this scheme, an approach enabling various queries on the encrypted industrial data stream is proposed. The adaptive security of our proposed underlying functional encryption scheme can be proven under general subgroup decision assumptions, and our scheme has the smaller public key, the smaller secret key, and the smaller ciphertext size compared to the related schemes. In addition, the experimental results show that our proposed scheme is efficient. Especially for the gateway, querying on the encrypted data only needs less than 20ms, which is practical for industrial data stream auditing scenario.

#### 1. Introduction

##### 1.1. Motivation

While manufacturers, mobile end systems, security cameras, wearable devices, and so forth have been generating highly distributed data from various systems, devices, and applications in industrial Internet of Things (iIoT), more and more data are gathered and intensively exploited by many organizations to extract valuable information either to make marketing decisions, track specific behaviours, or detect threat attacks. Big Data gives a huge opportunity to industries and decisions-makers, but it also represents a big risk for users. Due to data breaches, private information is leaked now and then [1, 2]. It is clear that safeguarding private data to protect manufacturers, sensitive customers, or patients is paramount [3, 4]. But, for massive manufacturers and health and financial organizations, actually implementing the best controls and security is challenging, especially when troves of data originate from multiple sources and are stored across singular or multiple databases and data warehouses.

Using encryption for sensitive information can effectively protect privacy [5]. But, paradoxically, encryption will destroy the usability of data. Especially for real-time industrial application’s traffic, how to monitor or audit the encrypted data stream is a key problem. For example, as shown in Figure 1, a card payment gateway would observe the transaction stream, which often includes encrypted data between acquiring banks and issuing banks. The payment gateway needs to audit all encrypted data streams to label some suspicious transactions, say, whose value is over $10000. One solution is to encrypt all transactions under the card company’s public key and give the private key to the payment gateway, which can decrypt the transactions stream to do auditing. This solution has two obvious drawbacks. One is being not efficient, because decryption needs to be done for every transaction passing by. Another drawback is that it is bad for both security and privacy concerns, because when the gateway holds the card company’s private key, he can see everything he wants.

This work proposes a -searchable functional encryption scheme that supports various types of queries on the encrypted data such as conjunctions, disjunctions, DNFs/CNFs, polynomial equations, and inner products. By utilizing this scheme, we show an approach that can enable the auditing gateways to query or to evaluate the encrypted data stream passing by.

##### 1.2. Related Work

Querying on encrypted data is a long-term interesting open problem in applications with secure and privacy-preserved concerns. Encryption schemes supporting queries on ciphertext are called searchable encryption (SE) schemes, which have two different types of research roadmap. One is searchable symmetric encryption (SSE) [6–12]. The other is public key encryption with keyword search (PEKS) [13–16]. SSE is more efficient but less expressive, and it is hard to achieve privacy for search pattern and access pattern. PEKS is easy to support phrase search and even more complicated evaluations on encrypted data, such as conjunctive, subset, range [14–16], DNF/CNF, polynomial equation, inner product [15, 16], and negation [16]. However, PEKS often has much more computation overheads than SSE due to doing paring computations. There are more recent works for improving security [17, 18], improving functionality [19, 20], and improving performance [21] for the PEKS. Boneh et al. showed that PEKS implies IBE [13]. So, in some sense, an SE scheme is a special form of functional encryption. Brent Waters first publicly used the notion of functional encryption in his talk* Functional Encryption: Beyond Public Key Cryptography*, and Boneh et al. formally defined functional encryption [22]. There was a long-standing open feasibility problem in cryptography:* Does there exist a functional encryption scheme supporting all polynomial-size circuits?* Until 2013, Garg et al. [23] had shown a method to construct functional encryption schemes for polynomial-size circuits based on the indistinguishability obfuscation [24]. Functional encryption has most powerful expressive ability, which can express identity-based encryption (IBE) [25, 26], ABE [27, 28], predicate encryption [14, 15], and inner product encryption [15, 29]. In functional encryption systems, a user who has a decryption key can learn a function of ciphertext. Roughly speaking, in a functional encryption system for functionality , an authority holding a master secret key can generate a key in which the key attribute is encoded and that enables the computation of the function on encrypted data which encoded the ciphertext attribute . More specifically, the user can compute using from encryption of plaintext . We will show the formal definition and security notion of the functional encryption in Section 2.

##### 1.3. Our Approaches and Results

Boneh, Sahai, and Waters have firstly presented formal syntax and put forth a general framework of functional encryption [22]. They also defined two subclasses of functional encryption which are predicate encryption and predicate encryption with public index. In predicate encryption subclass, a functional encryption scheme is defined in terms of a polynomial-time predicate , where is key attributes space and is ciphertext attributes space. Formally, the functional encryption is defined asConsequently, if , decryption algorithm can recover plaintext and, otherwise, get nothing about the plaintext.

Inspired by the -searchable public key system proposed by Boneh and Waters [9], this paper describes a new functional encryption construction, that is, -searchable functional encryption system providing security against adaptive adversaries and supporting conjunctive, subset, range, DNF/CNF, polynomial equation, and inner product on encrypted data. We use the predicate encryption subclass to express our functional encryption scheme. We will show the formal definition and security notion of the -searchable functional encryption system in Section 3.

For encoding the key attribute into the secret key and encoding the ciphertext attribute into ciphertext, we follow the inner product encryption (IPE) methodology [15, 29] to realize the predicate , which means if the inner product of key attribute vector and ciphertext attribute vector is 0 and otherwise. Formally, for some and , a predicate* P* over is defined as

Thanks to “inner-product” style construction, our scheme supports any kind of inner product queries on encrypted data. Clearly, our scheme supports the equality test directly. To achieve this, for the attribute set and encrypt a message with *. *In order to generate a secret key for the attribute , set . Since if and only if , correctness and security follow. Our scheme also supports the polynomial evaluation after we encode the coefficient of a univariate polynomial into secret keys and encode the univariate into ciphertexts. As a positive result, we can use the polynomial evaluation to achieve supporting conjunctions, disjunctions, CNF, and DNF formulas. We defer the details of applications of our scheme to Section 6.

Our construction relies on general subgroup decision assumptions in composite-order groups which are described in Section 2. We follow the standard Lewko-Waters [30] proof methodology to prove adaptive security of our construction. We propose a Φ-searchable functional encryption system which supports various evaluations on encrypted data including equality, comparison, subset tests, and polynomial evaluations as well as conjunctions, disjunctions, CNF, and DNF formulas. Moreover, compared to the prior constructions that are built for inner product evaluations on encrypted data in composite-order bilinear groups [15, 31], our scheme not only has the adaptive security but also has a smaller public key, smaller secret key, and smaller ciphertext size.

From our proposed searchable encryption scheme, we present an approach enabling various queries on encrypted industrial data for general data flow structure, which includes data sources, gateway, and data center. Our proposed approach makes the gateway easily observe the encrypted data stream passing by sent by the data sources to the data center without decryption. Moreover, if the encrypted data passing by is not matching with some condition, the gateway will learn nothing about the data. From performance evaluation results, the gateway’s overhead is less than 20ms which is practical for application in the scenario of querying on the encrypted industrial data stream. We will show our proposed approach in Section 6.1.

#### 2. Preliminaries

##### 2.1. Notations

Given two vectors and , we use the notation to denote dot product . For a group element , we use to denote a vector .

##### 2.2. Syntax of Functional Encryption

We now describe the definition of functional encryption for a functionality , where denotes the ciphertext attributes space and denotes the key attributes space [22].

*Definition 1. *For , a functional encryption scheme consists of four PPT algorithms (Setup, Keygen, Enc, and Dec): for all and , the algorithm Setup generates public parameters and master secret key , the algorithm Keygen outputs secret key for , the algorithm Enc generates ciphertext for a message , and Dec uses to compute from *.*

##### 2.3. Security Notion of Functional Encryption

Before defining the security of functional encryption, we need to describe a restriction for the adversary. Observe that, after the adversary gets the secret keys he wants, he will submit two distinct messages . The challenger randomly chooses one to encrypt and sends the ciphertext to the adversary. Therefore, we need to restrict and chosen by the adversary and for all that the adversary has , we require that

Clearly, if this restriction is not satisfied, that is, if the adversary has for some , he can trivially break the semantic security of the scheme by testing whether Dec = or not.

For a functional encryption scheme , and, for an adversary , define an experiment as follows:(i)*Setup*. Run , get , and send to .(ii)*Query phase1*. adaptively makes queries by submitting , where , and receives .(iii)*Challenge*. outputs two messages satisfying the above restriction and receives .(iv)*Query phase2*. continues to make queries for some as query phase1 subject to the restriction and finally outputs a bit.

For , define

*Definition 2. *If, for all , is negligible, we say a functional encryption scheme is secure.

##### 2.4. Assumptions over Composite-Order Bilinear Groups

*Bilinear Groups of Composite Order*. Composite-order bilinear groups were first introduced by Boneh et al. [32] and used by many researchers [15, 33, 34]. Let be a group generator that takes a security parameter as input and outputs , where and are two cyclic groups of order , where are three distinct primes, and is a function satisfying the following properties:(i)*Bilinear*: , , and .(ii)*Nondegenerate*: such that has order in .(iii)*Cancellation*: let , , and be subgroups of with order , and , respectively. For some elements and from distinct subgroups, we haveTo see this, we note that and also note that if is a generator of , then generates ; generates ; generates . Hence, for some elements and from distinct subgroups (e.g., and ), (for some ) and (for some ). So, we note that .

*Cryptographic Assumptions*. Our construction relies on the general subgroup decision assumptions in composite-order groups [33]. We now give the following three assumptions.

*Assumption 3. *Let be a group generator as above, and define the following distribution:where is the subgroup of with order . Define ’s advantage in breaking Assumption 3 as

*Definition 4. *For any ppt algorithm , if ’s advantage in breaking Assumption 3 and is negligible, we say that satisfies Assumption 3.

*Assumption 5. *Let be a group generator as above, and define the following distribution:where is the subgroup of with order . Define ’s advantage in breaking Assumption 5 as

*Definition 6. *For any ppt algorithm , if ’s advantage in breaking Assumption 5 and is negligible, we say that satisfies Assumption 5.

*Assumption 7. *Let be a group generator as above, and define the following distribution:Define ’s advantage in breaking Assumption 7 as

*Definition 8. *For any ppt algorithm , if ’s advantage in breaking Assumption 7 and is negligible, we say that satisfies Assumption 7.

##### 2.5. Dual System Encryption

Brent Waters firstly introduced a methodology to build adaptively secure IBE and HIBE which is dual system encryption [35], and a lot of work relied on this powerful proof tool [33, 36–38]. In dual system encryption schemes, there are two forms of ciphertext and key: normal and semifunctional. The semifunctional ciphertext and key are only used in the hybrid security proof, while normal ciphertext and key are used in the real system. A normal ciphertext can be decrypted correctly by either normal key or semifunctional key. But semifunctional key cannot decrypt a semifunctional ciphertext, whereas only normal key can. The hybrid security games advance one by one, and the first one is real security game, while in the last one the ciphertext is replaced by encryption of a random message. The most important part of the proof is to show two consecutive games are indistinguishable.

#### 3. Definition

We first show a definition of a -searchable functional encryption system inspired by the -searchable public key system proposed by Boneh and Waters [14]. Then, we show the definition of the security notion.

##### 3.1. Φ-Searchable Functional Encryption System

We use to denote a finite set of binary strings and let be a set of predicates over attributes space . A predicate is a map: . For two attribute vectors , we use the notion to denote that satisfies which is related to . We also follow Boneh et al. [14] to use the term* GenToken* to denote the algorithm to generate a search or query token instead of the term* GenKey*, and we use the term* Query* to denote the algorithm to query rather than the term* Decrypt*.

*Definition 9. *For a predicate , a -searchable functional encryption system comprises four algorithms,* Setup*,* Encrypt*,* GenToken*, and* Query* such that(i)*Setup*: a probabilistic algorithm that takes as input a security parameter and outputs the public parameters along with the public key and the master secret key .(ii)*Encrypt*: a probabilistic algorithm that takes as input the public key and a plaintext pair . We consider as the searchable attribute vector of the data . The algorithm outputs a searchable encryption of under the public key .(iii)*GenToken*: a probabilistic algorithm that takes the secret key and a description of a predicate as input and outputs a search token .(iv)*Query*: a deterministic algorithm that takes a token and a ciphertext as input and outputs . For correctness, we require that, for all and all , all , any token * GenToken*, and all :(i)If , then .(ii)If , then with all but negligible probability.

##### 3.2. Security Notion

We now show a security notion definition of a -searchable functional encryption system.

*Definition 10. *A -searchable functional encryption system defined as above is adaptive secure if, for all PPT adversaries , the advantage of in the following game is negligible in the security parameters :(i)* Setup*. The challenger runs* Setup* and gives the adversary the and .(ii)* Query phase 1*. outputs descriptions of predicates . The challenger responds with the corresponding tokens:(iii)* Challenge*. outputs two pairs of messages subject to the following restrictions:for all in predicates list queried at query phase 1 and if then These two restrictions ensure that the tokens given to the adversary do not trivially break the challenge. The first restriction ensures that tokens given to the adversary do not directly distinguish from . The second restriction ensures that the tokens do not directly distinguish from .

The challenger randomly chooses and gives * Encrypt* to .(iv)* Query phase 2*. continues to output adaptively descriptions of predicates , subject to the two restrictions (13) and (14). The challenger responds with the corresponding tokens * GenToken*.(v)* Guess*. outputs a bit and wins if . The adversary ’s advantage in breaking is .

#### 4. Our Construction

Our construction is based on general subgroup decision assumptions in composite-order groups, that is, Assumptions 3, 5, and 7. Let be a set of predicates over (in our construction, ); for a predicate , a -searchable functional encryption scheme for is defined as follows:(i)* Setup*: this algorithm takes the security parameter as input. First, it runs and gets , where . Then, it computes as a generator of , respectively. In addition, it chooses random , , and . Finally, it outputs public parameters along with the public key:

It keeps private as the master secret key.(ii)* Encrypt*: let ; this algorithm takes the public key and a pair as input and chooses random exponent ; then it outputs as the ciphertext, where(iii)* GenToken*: let ; this algorithm takes as input master secret key and a predicate , in our case that is itself, and chooses random and . Finally, it outputs a token:(iv)* Query*: this algorithm takes a token for a predicate and a ciphertext as input; it outputs

where

*Correctness*. Let and be as above. Then whereFor all such that , which means , the data will be recovered correctly.

#### 5. Security Proof

To prove the security of our -searchable functional encryption scheme, it depends on the above-mentioned assumptions. Before that, we need to define the semifunctional ciphertext and semifunctional token. These additional structures will only be used in our proof, not in the real system.(i)* Semifunctional ciphertext*: first, we choose randomly ; then we can use the algorithm* Encrypt* to construct the normal ciphertext as follows: and we let the semifunctional ciphertext be(ii)* Semifunctional token*: we also use the algorithm* GenToken* to generate the normal token and choose a random exponent . Then we can construct the semifunctional token as follows:

*Remark*. About query (decryption) capabilities, we observe that a normal ciphertext can be decrypted correctly by either normal key or semifunctional key. But semifunctional key cannot decrypt a semifunctional ciphertext, whereas only normal key can because there is an additional blinding factor of . But if and are orthotropic, the query will still work. We use the term nominally semifunctional token following the definition used by Katz et al. [10] which has components of the subgroup .

Now following the dual system encryption methodology presented by Lewko et al. [30], the proof proceeds with a game sequence starting from , which is the real security game, followed by a restricted game which is the same as except that the adversary cannot query for the tokens for attributes that are equal to the challenge attributes . Let be the number of times of token generation queries that adversary makes. Then we define the following as follows:(i) is the real game except that the challenge ciphertext is semifunctional.(ii) is the same as except that the first token generation queries are answered by a semifunctional token, and the last token generation queries are answered by a normal token.

Following , last game is , which is identical to , but the challenge ciphertext is not for one of the two messages submitted by the adversary but semifunctional encryption of a random message instead. In the following lemmas, we will prove the indistinguishability between two consecutive games and prove that the adversary ’s view in is statistically independent of challenge bit .

Lemma 11. *If there is an algorithm that can distinguish from with advantage of , then we can build an algorithm to break Assumption 3 or Assumption 5 with advantage .*

*Proof. *If there exists an adversary whose advantage is a nonnegligible , we can find a nontrivial factor of with nonnegligible probability and break Assumption 5. The proof methodology is similar to the proof of Lemma 1 in [33].

sets up the environment for according to . Suppose that produces a ciphertext attribute such that it is not equal to the challenge attributes and . Since , there exists at least one pair of components and such that , and can be divided by , where is a component of and is a component of . can compute ; set . Note that divides and . With probability , one of these two cases must occur; that is, divides or and . In the case of dividing , is the identity. Then, given , can test whether is the identity. If not, holds. Otherwise, . Then breaks Assumption 3. In case of and , given , can verify that is the identity and determine that . Then can test whether is the identity. If not, then holds. Otherwise, . Then breaks Assumption 5.

Lemma 12. *If there is an algorithm that can distinguish from with advantage of , then we can build an algorithm to break Assumption 3 with advantage .*

*Proof. *On input and , where and , simulates as follows.*Setup*. Choose random , , and ; set and output*Token Queries*. Each time is asked to provide a token for a predicate , it chooses random and and outputs a token:*Challenge Ciphertext*. After receiving two pair of messages , chooses random and then forms the ciphertext:It sets the part of equal to implicitly. The correctness of decryption follows clearly. Observe that if , this is a normal ciphertext and we are in . If , this is a semifunctional ciphertext; then we are in .

Lemma 13. *If there is an algorithm that can distinguish from with advantage of , then we can build an algorithm to break Assumption 5 with advantage .*

*Proof. *On input and , where and , simulates as follows.*Setup*. Choose random , , and ; set and output*Token Queries*. When requests the token for the predicate , answers the tokens differently according to the following cases:(i)Case : chooses and randomly and creates the semifunctional tokens:Observe that this is an identical distribution from semifunctional tokens.(ii)Case : chooses and randomly and creates the normal tokens:(iii)Case : chooses , , and randomly and creates the normal tokens:*Challenge Ciphertext*. After receiving two pair of messages , chooses randomly and sets such that and then forms the ciphertext:Recall that and is the part in it. This implicitly sets . Furthermore, is the part in , so there exits some such that and . Then this implicitly sets . This relationship between and makes one thing happen; that is, if wants to test whether the token is semifunctional by creating a semifunctional ciphertext for predicate and trying to decrypt and finish the query, the decryption will succeed no matter what is due to . So, if , then we are in . If , then we are in .

Lemma 14. *If there is an algorithm that can distinguish from with advantage of , then we can build an algorithm to break Assumption 7 with advantage .*

*Proof. *On input , and , where and ; simulates as follows.

Setup. Choose random and ; set and output*Token Queries*. Each time is asked to provide a token for a predicate , it randomly chooses , , and and outputs a semifunctional token:*Challenge Ciphertext*. After receiving two pairs of messages , randomly chooses and forms the ciphertext:This implicitly sets and this has a proper distribution of semifunctional ciphertexts. So, if , then we are in . If , then we are in .

Theorem 15. *Under Assumptions 3, 5, and 7, our -searchable functional encryption scheme described in Section 4 is adaptively secure.*

*Proof. *When Assumptions 3, 5, and 7 hold, we have shown the indistinguishability between two consecutive games by the previous lemmas, which means that the real security game is indistinguishable from the simulated game in , in which is theoretically hidden from the adversary. So, the adversary has no advantage in breaking our scheme.

#### 6. Applications for Various Queries on Encrypted Data

In this section, we show a candidate system structure that enables the auditor to do various queries on the encrypted industrial data stream and discuss how to implement these query types.

##### 6.1. General Structure for Querying on the Encrypted Industrial Data Stream

Based on our proposed -searchable functional encryption scheme, one can easily enable the gateway to query encrypted industrial data stream. Specifically, as shown in Figure 2, data are collected from various sources such as manufactures, security cameras, and GPS chips. Data sources would send data to the data center through the gateway. The data center stores and analyzes these data, and the gateway observes and audits data stream for supervision purpose. For both security and privacy-preserving concerns, data sources encrypt the data stream under the data center’s public key with the ciphertext attribute by invoking the* Encrypt* algorithm. For a predicate , the gateway sends the key attribute to the data center, and the data center invokes the* GenToken* algorithm to delegate a query token to the gateway instead of sending its secret key to the gateway, which is a bad idea. The gateway who has the query token can make tests on the encrypted data stream by invoking the* Query* algorithm without decryption. If the output is 1, which means , that is, the encrypted data passing by is matched with the conditions, then the gateway can decrypt that data correctly and take further actions, say, label it. If the output is 0, the gateway can learn nothing about that data; this is guaranteed by the security level of our proposed scheme.

##### 6.2. Equality, Comparison, and Subset Queries

Let , , and a data ; we encrypt a pair using the* Encrypt* algorithm of our scheme. For example, is a personal bank transaction, is the transaction value, is the card expiration date, and so on. Also, let and . We interpret the predicate (i.e., if or not) for equality test. We interpret the predicate as a comparison predicate (i.e., if or not) for a comparison test. We interpret as a set and interpret the predicate as a subset predicate (i.e., if or not) for subset test. Then, to achieve above-mentioned three kinds of tests, for the attribute , set and encrypt a data using . To generate a token for the attribute , set . Since , if and only if , correctness and security follow.

##### 6.3. Polynomial Evaluation

Similar to the predicate encryption scheme presented by Katz et al. [15], we can also support the polynomial evaluation by defining the classes of predicates accordingly. A -searchable functional encryption for polynomials of degree can be defined as follows. Let key attributes space ; we map the polynomial to . For ciphertext attribute, each element is mapped onto a ciphertext attribute vector . We also need to define the predicate set , wherefor .

Then, for predicate , correctness and security of our -searchable functional encryption hold, since whenever .

##### 6.4. Conjunctions, Disjunctions, CNF, and DNF Formulas

Based on our -searchable functional encryption for , we can easily support the conjunctions, disjunctions, and their extensions CNF/DNF. We show this ability using an example of conjunctions of equality tests. To do this, for some and we define the conjunction predicate as , where if both and . This predicate can be a polynomial aswhere . If , then . Otherwise, with all but negligible probability over the choice of , it will hold that .

In a similar fashion, we can define the predicate for disjunction of equality tests. For some and , we define the disjunction predicate as , where if either or . This predicate also can be a polynomial asIf , then ; otherwise .

We can combine disjunctions, conjunctions, and Boolean variables to handle arbitrary CNF or DNF formulas.

#### 7. Comparison and Evaluation

##### 7.1. Comparison

We compare our construction to prior constructions which are built for inner product evaluations on encrypted data in composite-order bilinear groups [15, 31]. We show the comparison of the basic parameters’ performance between these schemes in Table 1.

We use KSW12 to denote the scheme proposed by Katz, Sahai, and Waters [15] and LL18 to denote the scheme proposed by Lee and Lee [31]. As shown in Table 1, our scheme has been proven to be secure against adaptive adversaries, whereas the other two schemes just have selective security. The lengths of the public key are for KSW12 and LL18, whereas for our proposal. Obviously, our construction has a smaller public key than others. For the length of the search token (i.e., the private key), our construction has nearly half elements of others. Our construction also gets smaller ciphertext size, , which has just one more group element than LL18 but nearly half elements of KSW12.

##### 7.2. Performance Evaluation

We implement the algorithms of proposed functional encryption scheme using pairing-based cryptography library pbc-0.5.14 with pbc wrapper-0.8.0 [39] on a PC with 3.3GHz Intel, i5-6600 CPU, and 8GB memory. In our implementation, we made use of parameter* a.param*, one of the standard parameter settings of pbc library. The implementation time overheads are demonstrated as shown in Figure 3. We would like to observe the impact of the dimension of ciphertext (key) attribute vector in terms of the time cost of the algorithms. Obviously, the bigger dimension of ciphertext (key) attribute will make the attributes more expressive, which means the scheme will support more complex predicates. We can see that the time consumptions of the* Setup* algorithm,* Encrypt* algorithm, and* GenToken* algorithm are linearly increasing with the increase from 1 to 50 of the dimension of ciphertext (key) attribute . The* Setup* algorithm is run by the trusted authority which usually can be executed once and offline. The* Encrypt* algorithm is run by the data source which also can be executed offline. The* GenToken* algorithm is run by the data center that has powerful computing ability. So, the time cost of these three algorithms is considerably acceptable. Fortunately, the* Query* algorithm’s time cost is nearly constant (less than 20ms) with the increase of the dimension of ciphertext (key) attribute . This merit makes the gateway able to effectively test the encrypted data passing by without a significant reduction in processing speed.

#### 8. Conclusions

In this paper, we have put forth an -searchable functional encryption scheme. We have built our scheme on the composite-order bilinear groups and have proven the adaptive security by utilizing dual system encryption proof technology. By using our proposed scheme as the underlying encryption scheme, we present an approach that supports the fact that the gateway effectively audits the encrypted data stream. According to the comparison and performance evaluation results, our proposed encryption scheme has the smaller public key, the smaller query token, and the smaller ciphertext. Moreover, our proposed approach can enable the gateway to effectively test the encrypted data stream, which is practical for industrial data stream auditing scenario.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest.

#### Acknowledgments

This work is supported by National Key R&D Program of China (no. 2017YFB0802000), the National Natural Science Foundation of China (61572303, 61772326, 61802241, and 61802242), National Cryptography Development Fund during the 13th Five-year Plan Period (MMJJ20180217), the Foundation of State Key Laboratory of Information Security (2017-MS-03), the Fundamental Research Funds for the Central Universities (no. GK201903089, no. GK201702004, and no. GK201603084), and the Natural Science Basic Research Plan in Shaanxi Province of China (2019JM-552).