With the popularity of the Internet of things (IoT), a huge number of datasets generated by IoT devices are being uploaded to cloud storage in remote data management services, which raises a series of security and privacy concerns; one of the best ways to prevent data disclosure is encryption. Searchable encryption (SE) is considered a very attractive cryptographic technology, since it allows users to search records in encrypted form while protecting the user’s data on an untrusted server. To enhance search permission, attribute-based keyword search (ABKS) is an efficient method to provide secure search queries and fine-grained access authentication over ciphertexts. However, most existing ABKS schemes concentrate on single keyword search, which usually returns redundant and irrelevant results and therefore costs unnecessary computation and communication resources. Furthermore, existing work in the literature mostly supports only unshared multiowner, where a specific data owner owns each file, which cannot satisfy more expressive search requirements. In this work, we propose a novel attribute-based multikeyword search for shared multiowner (ABMKS-SM) primitive in IoT to achieve enhanced access control for users; it supports multikeyword search over ciphertexts, and we give a formal security analysis in the adaptive indistinguishable security against chosen keyword attack (IND-CKA) model. Finally, we have also implemented a prototype to show its efficiency compared with some previous schemes.

1. Introduction

With the rapid advances of Internet of things [1, 2] technology, IoT devices produce large quantities of datasets that require being securely stored and efficiently shared among different users. Such increasing extensive industrial datasets are saved on cloud servers [3] due to large storage capacity, high scalability, and flexible availability. A considerable number of individuals and organizations may be tempted to store their files on the third cloud server, reducing local data storage for convenience. Unfortunately, the cloud storage server is semihonest because it is possible to be curious about the user’s stored data in real-world applications [4], and data security concerns have become serious barriers to prevent the widespread usage of cloud storage for IoT. In order to mitigate the concern, the simple and efficient solution is to encrypt the storage of data to prevent information from being exposed to server, but one limitation is that the encryption mechanism inevitably brings about inflexibilities of data accessing when used to some extent, such as querying keywords on encrypted datasets. In addition, a naive approach is to download whole ciphertexts locally and later on decrypt them for querying, but it leads to wasting computational capabilities and storage costs. So, how to search encrypted keywords securely and efficiently is crucial in an IoT environment.

A promising approach to the above problem is searchable encryption (SE) [5, 6], in which users can search directly over encrypted records just as on plaintext while preserving the data’s privacy. Although SE has received attention from industry and academia for many years, the research is not sufficient because most data owners wish to share their datasets with legitimate users authorized by them. Furthermore, for the purpose of protecting privacy, the traditional cloud-based access control system is no longer suitable, because the server cannot be fully trusted. To solve this issue, attribute-based encryption (ABE) [7–14] achieves flexible access authentication over shared data for users and is a promising cryptographic tool to adopt in searchable encryption. Attribute-based keyword search (ABKS) inherits the advantages of SE and ABE: it not only achieves keyword search on encrypted datasets but also preserves fine-grained access control.

However, for a cloud-based storage system in an IoT environment, fine-grained access control alone is not adequate. The existing ABKS schemes [15–20] only support single keyword search, which requires massive computational and bandwidth resources because this retrieval mode returns a lot of irrelevant results. Multikeyword search [21–23] was introduced to alleviate these issues. That is to say, when data users use multikeyword search to obtain records containing multiple keywords, the query results are much more accurate than those of single keyword search. Consequently, how to efficiently construct an attribute-based multikeyword search is significant both in theory and in practice.

More importantly, a practical search system for IoT should support multiple data owners, because a huge number of data files may be shared among different data owners. According to whether a single entity owns each data file or many entities share each other, there are two types of the following multiowner, that is, unshared multiowner [24] and shared multiowner [19, 25]. Previous work in the literature mostly only concentrates on keyword search under unshared multiowner, losing sight of shared multiowner. The shared multiowner setting has many broader and practical applications compared with the unshared multiowner setting, such as cloud-based electronic health record systems. In this system, data records for some patient should be shared by different medical organizations and hospitals. Moreover, the unshared multiowner setting also brings significant computational and storage overheads as each data record is considered to be independent.

Specifically, the authorization privilege of data owners may vary from users to users when considering some practical scenarios in an IoT environment. For example, in a company system, all employees of this company should have the right to search this system. On the one hand, employees in different departments have different search permissions. The attributes of employees can be set; only employees whose attributes meet the access structure specified by a department can query its related records. On the other hand, board members could control the important files of the company in common. The ordinary staff enables decrypting and obtaining the documents with the authorizations of them. The former can use the AND-gate access structure sufficiently to achieve search access control and the latter can use the linear secret-sharing schemes (LSSS) access structure.

In this work, we first put forward an efficient attribute-based multikeyword search for shared multiowner (ABMKS-SM) scheme in Internet of things with fine-grained access control through AND-gate access structure and LSSS. Based on the AND-gate access structure, our proposed ABMKS-SM scheme achieves access control mechanism to enhance the user’s search experience, because the AND-gate access structure significantly improves the search algorithm. Based on LSSS technology, our scheme only allows data users to obtain valid authorizations from multiple data owners to decrypt the search results, which is suitable for multiowners sharing scenarios.

In a nutshell, our main contributions can be summarized as follows:
(1) We first design an efficient and secure ABMKS-SM scheme for IoT environments, where multiple data owners can control users’ search permissions and only legitimate users with authorizations can search outsourced data. More importantly, it can be applied to shared multiowner settings.
(2) The most important security goal of designing schemes is adaptive indistinguishable security against chosen keyword attack (IND-CKA). We present a formal security analysis in an IND-CKA model while guaranteeing the privacy of keywords.
(3) Through functional comparison, theoretical analysis, and experimental analysis, we evaluate our scheme’s performance and further demonstrate the efficiency and practicality of this scheme. The theoretical analysis shows that our ABMKS-SM scheme is superior to the previous CP-ABKS [15] and ABKS-SM [19] schemes. The experimental results further demonstrate that the computation costs of search are free from attributes; meanwhile, the time costs to generate the trapdoor are not related to the number of attributes.

The remainder of this paper can be organized as follows. We recall some related work in Section 2. We describe some necessary cryptographic tools in Section 3. We give the system model, scheme definition, and security model in Section 4. We propose a new and concrete scheme in Section 5. We discuss a formal security analysis and performance analysis when compared with previous schemes in Section 6. We conclude this paper in Section 7.

2. Related Work

In 2000, Song et al. [5] proposed a symmetric searchable encryption (SSE) scheme using symmetric cryptography, which first introduced the concept of searchable encryption. Subsequently, Boneh et al. [26] designed a seminal searchable public key encryption construction based on identity-based encryption for e-mail systems in an asymmetric setting, where the data owner extracts keywords from messages and encrypts them before outsourcing to the server; the data user then generates a search token for the keyword of interest under his private key and sends this token to the server. Upon receipt of the user’s token, the server performs the keyword retrieval operations and returns the related search results. Since this seminal work, many researchers have made great efforts [27–35] and proposed a series of searchable encryption schemes to make them more efficient and to diversify search, for example, fuzzy search [36–38], conjunctive search [39–41], and ranked search [42–44].

To the best of our knowledge, ABE [7] implements attribute-based access control as an efficient solution. Furthermore, ABKS schemes can search keywords over encrypted documents with access control by utilizing ABE technology. In 2014, Zheng et al. [15] developed an attribute-based keyword search primitive and provided two concrete ABKS scheme constructions. In an ABKS scheme, data owners encrypt keywords and build searchable indexes embedded in an access structure, and only legitimate users can generate their search tokens for querying on outsourced datasets. Later on, Dong et al. [16] provided an efficient ABKS construction for resource-constrained mobile devices via an online/offline approach, where data owners and users are allowed to execute the related algorithm in this way. More specifically, an outsourcing key-issuing and decryption scheme was designed by Li et al. [17], where the cloud server can decrypt partial work without learning anything about the message. Recently, Qiu et al. [18] provided an enhanced scheme to achieve an access policy with hidden, where the data owner implements fine-grained authorizations for different users with a hidden structure in encrypted form. However, all the aforementioned schemes only consider searching a single keyword.

Zhang et al. [21] introduced a searchable design with ranked multikeyword under multiple owners setting where the security of keywords and documents could be protected. Accordingly, by exploring proxy re-encryption as well as lazy re-encryption technology, an authorized keyword search construction was designed by Sun et al. [22] under multiple data owners and users. And it can achieve an efficient user revocation mechanism. Subsequently, Miao et al. [24] provided a new multikeyword search proposal on medical records that is encrypted via ciphertext-policy attribute-based encryption. In their construction, it not only offers multikeyword search but also can be applied to multiowner settings. On the other hand, Liu et al. [23] presented a new improved scheme with user tracing using the AND-gate on the multivalue attribute. Although these above schemes support multikeyword search, it cannot be applied to scenarios where multiple owners could be shared. More recently, Miao et al. [19] first presented an efficient ABKS scheme which is suitable for shared multiowner setting; however, it only considers a single keyword search. Moreover, Miao et al. [25] suggested a scheme to deal with conjunctive keyword search with verification on the basis of multisignatures in shared multiowner setting again. Although their scheme is applied to a shared multiowner setting, it also fails to support multikeyword search. There are no efficient attribute-based multikeyword search schemes for shared multiowner so far. Thus, in this work, we first design an efficient attribute-based multikeyword search for shared multiowner (ABMKS-SM) scheme in IoT, and it can support the multikeyword search on ciphertexts with fine-grained access control.

3. Preliminaries

We explain some necessary cryptographic tools related to our ABMKS-SM construction.

3.1. Bilinear Map

Suppose and are two cyclic groups of same order , and is a generator of . Let represent a computable bilinear map that satisfies three conditions as below:
(1) Bilinearity: for any and , there exists
(2) Nondegeneracy: for ,
(3) Computability: given , the pairing could be computed efficiently

3.2. Access Structure

In our scheme, we define an AND-gate access structure [45, 46] based multivalue attribute. Suppose denotes an attribute list where represents the number of attributes. Each attribute , has a possible value set , where is the number of possible values of . The user’s attribute set is defined as , where . The AND-gate access policy is denoted as , where . If , the attribute set for users satisfies the AND-gate access policy . Specifically, the user’s attribute list is the same structure as the access policy when the attribute in the user’s attribute list has only one value.

3.3. Linear Secret-Sharing Schemes (LSSS)

Linear secret-sharing schemes (LSSS) [47] can convert previously used structures such as formulas (equivalently tree structures) into an LSSS representation by using standard techniques [48] and enhance the access control to multiparty requirements. Suppose is a collection of parties, a secret-sharing scheme is called linear (over ) on the condition that the following properties are satisfied.
(i) A vector over is formed by the shares for each party ().
(ii) There exists a linear secret-sharing structure , where denotes a sharing-generating matrix and a monotone function () can label the -th row in , where denotes an injective function from to a party. Given random elements , we consider constructing a column vector and compute the shares of secret as , where the share belongs to and represents the -th row in .

According to the above definition, every linear secret-sharing scheme satisfies linear reconstruction property. Assume is an LSSS for the access structure and represents an authorized set that satisfies (namely, ). We define as . If are the valid shares of a secret , then we can find a constant set such that via Gaussian elimination method. Consequently, the equation can be satisfied.
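
The share generation and linear reconstruction described in this section can be followed end to end in a small worked example. The Python below is an added illustration, not code from the paper or its JPBC prototype; the prime modulus, the matrix for the policy (DO1 AND DO2) OR (DO3 AND DO4), and the owner names DO1 to DO4 are constructed assumptions.

```python
import secrets

# Constructed prime modulus standing in for the group order (assumption).
P = 2**127 - 1

# Constructed sharing-generating matrix for the policy
# (DO1 AND DO2) OR (DO3 AND DO4); row i is labelled by RHO[i] (injective).
M = [
    [1,  1,  0],   # DO1
    [0, -1,  0],   # DO2
    [1,  0,  1],   # DO3
    [0,  0, -1],   # DO4
]
RHO = ["DO1", "DO2", "DO3", "DO4"]


def make_shares(secret, matrix=M, rho=RHO, p=P):
    """Dealer side: build v = (secret, r_2, ..., r_n) and return share_i = M_i . v mod p."""
    n_cols = len(matrix[0])
    v = [secret % p] + [secrets.randbelow(p) for _ in range(n_cols - 1)]
    return {rho[i]: sum(m * x for m, x in zip(row, v)) % p
            for i, row in enumerate(matrix)}


def reconstruction_constants(parties, matrix=M, rho=RHO, p=P):
    """Find constants w_i with sum_i w_i * M_i = (1, 0, ..., 0) mod p over the
    rows owned by `parties`, by Gaussian elimination. Returns None when the
    set is not authorized (the linear system has no solution)."""
    rows = [i for i, name in enumerate(rho) if name in parties]
    if not rows:
        return None
    n_cols, k = len(matrix[0]), len(rows)
    # One equation per matrix column; unknowns are the w_i; right side is e_1.
    aug = [[matrix[i][c] % p for i in rows] + [1 if c == 0 else 0]
           for c in range(n_cols)]
    pivots, r = [], 0
    for col in range(k):
        piv = next((j for j in range(r, n_cols) if aug[j][col]), None)
        if piv is None:
            continue                      # free variable, stays 0
        aug[r], aug[piv] = aug[piv], aug[r]
        inv = pow(aug[r][col], -1, p)     # modular inverse (Python 3.8+)
        aug[r] = [x * inv % p for x in aug[r]]
        for j in range(n_cols):
            if j != r and aug[j][col]:
                f = aug[j][col]
                aug[j] = [(a - f * b) % p for a, b in zip(aug[j], aug[r])]
        pivots.append(col)
        r += 1
        if r == n_cols:
            break
    # A zero row with a nonzero right-hand side means e_1 is not in the span.
    if any(row[k] for row in aug[r:]):
        return None
    w = [0] * k
    for row_idx, col in enumerate(pivots):
        w[col] = aug[row_idx][k]
    return {rho[rows[j]]: w[j] for j in range(k)}


def reconstruct(shares, matrix=M, rho=RHO, p=P):
    """Recover the secret as sum_i w_i * share_i, or None if unauthorized."""
    w = reconstruction_constants(set(shares), matrix, rho, p)
    if w is None:
        return None
    return sum(w[name] * shares[name] for name in w) % p


if __name__ == "__main__":
    s = secrets.randbelow(P)
    shares = make_shares(s)
    ok = {k: shares[k] for k in ("DO1", "DO2")}     # authorized set
    bad = {k: shares[k] for k in ("DO1", "DO3")}    # unauthorized set
    print("authorized set recovers secret:", reconstruct(ok) == s)
    print("unauthorized set result:", reconstruct(bad))
```
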

3.4. Decisional Bilinear Diffie–Hellman Assumption

The Decisional Bilinear Diffie–Hellman (DBDH) assumption has the following definition: given elements where and is a generator of group , the DBDH problem is to distinguish from a random group element where . It is said that the DBDH assumption holds if there exists no probabilistic polynomial-time (PPT) algorithm that has a nonnegligible advantage in solving the DBDH problem, where the advantage function of this algorithm can be denoted as

4. System and Security Model

We give a description of the system model, scheme definition and corresponding security model, respectively.

4.1. System Model

We discuss our ABMKS-SM system for shared multiowner settings in IoT, which consists of four participants, including cloud service provider (CSP), data users, trusted authority (TA) and multiple data owners. TA initializes the system and distributes keys for multiple data owners and users. First, multiple data owners encrypt files with symmetric keys and further encrypt symmetric keys with a random secret value. In particular, based on LSSS access structure, multiple data owners share the secret value with each other when considering shared multiowner settings. Then, multiple data owners build keyword indexes extracted keywords from each document under the AND-gate access policy before outsourcing to the CSP. Especially, the CSP provides computation, storage and search services for users. When a user wishes to request a keyword query on storage of encrypted records, he could produce a search keyword trapdoor and then submit it into the CSP. Having received a trapdoor from a data user, the CSP attempts to retrieve over encrypted data and returns relevant results to users. Finally, the user decrypts corresponding results only if he gets legitimate authorization credentials associated with multiple data owners. More specifically, our system model is presented in Figure 1.

4.2. Algorithm Definition in ABMKS-SM System

The ABMKS-SM system comprises the following six algorithms.
Setup: TA runs the setup algorithm, which inputs the security parameter , and generates master key and public parameter .
KeyGen: TA runs this key generation algorithm, which inputs the public parameter , the multiple data owners set , the user’s identity, the data user’s attribute set and the master key , and generates public key and secret key of each data owner and user’s private key .
Encryption: the multiple data owners run the encryption algorithm, which inputs the keyword set , the public parameter , the file/symmetric key pair set , the AND-gate access policy used to construct keyword indexes, the public key of data owners and an access policy to multiple data owners authorizations for accredited data users, and generates ciphertexts and the encrypted indexes .
Trapdoor: the data user runs this trapdoor generation algorithm, which inputs the public parameter , the attribute set , the private key and a set of the query keyword , and generates the search trapdoor .
Search: the CSP runs the search query algorithm, which inputs the public parameter , the trapdoor , the attribute set and the encrypted index . When satisfies AND-gate access policy contained , and further the search trapdoor and the encrypted index contain the same keyword set, this algorithm returns 1 and sends the relevant search results to user. Otherwise, it returns 0.
Decryption: the data user runs this decryption algorithm, which inputs the public parameter , private key , user’s identity and the corresponding search results . If the user’s identity is authorized by multiple data owners, it decrypts relevant search results.

4.3. Security Model

Suppose is an adversary and is a challenger, we define our ABMKS-SM scheme’s security model as adaptive indistinguishable security against chosen keyword attack (IND-CKA) game, which is conducted between and as the following steps.
Setup: runs the Setup algorithm to generate and . runs the KeyGen to output , while only owns public parameters .
Phase 1: is able to adaptively request the trapdoor from a tuple of keyword sets . executes the Trapdoor algorithm and generates the search trapdoor , and then returns it to .
Challenge: chooses keyword sets , for challenging, and submits to . It is required that the two keyword sets are not able to query in Phase 1. Upon receipt of two keyword sets, selects a random bit to output an encrypted index , and sends it to the adversary .
Phase 2: can request the queries for more trapdoors of keyword sets and the only restriction is that any keyword set of his choice except for the , .
Guess: finally, outputs a guess , if , gains this game.

We define that ’s the advantage function against IND-CKA game can be denoted as

Definition 1. A privacy-preserving ABMKS-SM scheme is IND-CKA secure under the circumstance that the advantage of breaking IND-CKA game is negligible for any PPT adversary .

5. ABMKS-SM Construction

Based on the algorithm defined in the ABMKS-SM system, we present a specific construction of our proposed scheme that makes use of six algorithms. The running algorithms are described below.

Setup: given the security parameter , it generates and , which works as follows:
TA first randomly selects two cyclic groups, and , with same order and sets a computable bilinear pairing and is the generator of .
Then, the TA selects two secure hash functions: and .
Finally, TA randomly selects , computes , and sets

KeyGen: given the public parameter , the multiple data owners set , the user’s identity , the attribute set , and the master key , it generates the public key and secret key of each data owner and the user’s private key , which works as follows:
TA randomly chooses and sets each data owner’s public key and secret key as .
The TA randomly chooses , computes , and sets .
For each attribute , compute .
Set the data user’s private key as

Encryption: given the keyword set , the public parameter , the file/symmetric key pair set , the AND-gate access policy used to establish encrypted keyword indexes, the data owner’s public key , and an LSSS access policy to multiple data owners authorizations for accredited data users, where is an access matrix and is a function mapping each row of to a data owner, this encryption algorithm generates ciphertexts and the encrypted indexes .
(i) The ciphertexts are generated as follows:
For each file , one of multiple data owners (without loss of generality, assume the data owner is ) encrypts with symmetric key as , that is, .
Then, encrypts each symmetric key and randomly chooses the secret value and computes .
After, randomly selects values and considers to build a column vector and further computes the shares of the secret as . sends remaining to other data owners via a secure channel.
Data owners compute , .
Set symmetric key ciphertexts as
The ciphertexts are
(ii) The encrypted indexes are generated as follows:
Multiple data owners extract keyword sets from the file set and select a random element . For any keyword , multiple data owners compute .
Compute .
For each attribute , compute .
Set the encrypted indexes as
Besides, multiple data owners have authorized users’ identity list, and each data owner can generate the valid decryption authorization with his/her private key for the identity of a data user.

Trapdoor: given the public parameter , the attribute set , the private key , and the search keyword set , this trapdoor generation algorithm generates the search trapdoor , which works as follows:
The data user calculates .
For each attribute , compute .
Set the trapdoor as

Search: given the public parameter , the query trapdoor , the attribute set , and the encrypted indexes , the search query algorithm returns 1 or 0, which works as follows.
If satisfies the AND-gate access policy embedded in , then the CSP checks that the following equation holds:
If the above condition holds, this search algorithm returns 1 and sends the relevant search results to user; otherwise, it returns 0.

Decryption: given the public parameter , the user’s private key and identity , and the relevant query results , the decryption algorithm returns related file encryption key set , which works as follows.
The data user first verifies whether the identity is authorized from multiple data owners. Note that there is no intersection between data users and data owners. If it is not in the authorized users’ identity list, the algorithm returns 0.
Otherwise, the identity of the data user obtains the valid decrypted authorizations from multiple data owners.
Assume is an LSSS matrix access policy (namely, ) and is an authorized set of data owners () with .
When multiple data owners encrypted each shared file with same access structure, they get a constant set by solving the equation .
According to the decrypted authorizations and the private key , the data user computes the following equation:
Finally, the data user gains the file encryption key and decrypts the related search results.

6. Security and Performance

We analyze our scheme’s correctness, security, and performance.

6.1. Correctness

If satisfies the AND-gate access policy embedded in , while the search trapdoor and the encrypted index contain same keyword set, , we can verify the correctness of search algorithm indicated as where the encryption algorithm generates and and the trapdoor algorithm generates .

If the identity of the data user is authorized from multiple data owners, according to the decrypted authorizations and the private key , then we can verify correctness for decryption indicated as

6.2. Security Proof

In the area of public key searchable encryption, IND-CKA security is one of the most important security goals. Using the security model defined in Section 4.3, we formally prove the security of the ABMKS-SM construction.

Theorem 1. Our ABMKS-SM scheme is IND-CKA secure provided that the DBDH assumption holds.

Proof 1. In fact, our reduction is straightforward. Intuitively, assume that there exists an adversary that can break our proposed scheme. We could build a simulator who resolves DBDH problems of distinguishing the DBDH tuple and a random tuple , where . Next, we formally show the following reduction.

Init: at first, chooses an AND-gate access policy for challenging and returns to .

Setup: selects random elements and calculates , . selects one hash function and sets and .
The hash query is simulated as a random oracle model as below. If has not been requested previously, the simulator randomly chooses and next puts to the list and outputs ; otherwise, the simulator searches from and returns .

Phase 1: can query the trapdoor for keyword set and request the queries of the following and oracles.
(1) : the simulator randomly selects and computes . For each attribute , compute . returns to and stores a private key’s list .
(2) : at the beginning, the simulator issues the oracle to gain the secret key and then calculates and for each attribute . adds to the list depending on which satisfies the access policy.

Challenge: submits two keyword sets . Without loss of generality, and are not in . randomly chooses and encrypts to generate encrypted keyword index . It is shown as follows: computes for any keyword , , and for each attribute in the access policy . Finally, sends the encrypted keyword index to .

Phase 2: can repeat the queries of more trapdoors for keyword sets; notice that any keyword set is of his choice except for the .

Guess: finally, outputs . returns 1 if ; otherwise, it randomly returns.

It has the following two conditions:
(i) If , is given a ciphertext , and we suppose that wins this game with an advantage . (), whereas are random elements, , let , , , which means is a valid ciphertext. Since has an advantage with its correct guess, we make a conclusion that .
(ii) Otherwise, is a random ciphertext. is not able to obtain any advantage in breaking IND-CKA game, so that we have .

Therefore, in the IND-CKA security game, the overall advantages of solving DBDH problems can be denoted as

In other words, the advantage of a simulator solving DBDH problems is negligible because the advantage of a PPT adversary against the IND-CKA security game is negligible. It can be said that our ABMKS-SM scheme is IND-CKA secure provided that the DBDH assumption holds. This proves the security of our scheme.

6.3. Performance Analysis

From the aspect of functional comparison, theoretical analysis, and experimental analysis, we show our performance.

6.3.1. Functional Comparison

In terms of functionalities, mainly including attribute-based keyword search, multikeyword search, and unshared multiowner as well as shared multiowner, we compared our proposed scheme with some previous schemes, as demonstrated in Table 1. One observes that our ABMKS-SM scheme has much richer capabilities that can support all the above types of functionalities at the same time, which enables our scheme to be used in IoT.

6.3.2. Theoretical Analysis

We analyze computation and storage costs in terms of theoretical analysis. At first, we introduce several time-consuming operations, such as hash operation mapping to the element in group , pairing operation , multiplication operation in group , and modular exponentiation operation (or ) in group (or ). For ease of comparison, we ignore multiplication operation in group as well as hash operation which maps to an element in . As shown in Table 2, we give detailed notation definitions of the performance analysis.

To better assess the efficiency of our proposed ABMKS-SM scheme, we make a comparison of state-of-the-art CP-ABKS [15], ABKS-SM [19], and our ABMKS-SM scheme. Table 3 shows the computation costs of compared schemes. We take into account the computation costs by evaluating KeyGen, Encryption, Trapdoor, and Search algorithm. From Table 3, it is worth noticing that our construction has much more efficiency than other schemes, especially for KeyGen, Trapdoor, and Search algorithm. In KeyGen algorithm, our scheme just needs time, but the CP-ABKS and ABKS-SM scheme take and time, respectively. So, our scheme outperforms ABKS-SM and CP-ABKS scheme regarding the time of key generation. In Trapdoor algorithm, the computation costs of the ABKS-SM and CP-ABKS scheme increase linearly along with the number of attributes, while our ABMKS-SM construction almost remains unchanged and only takes time. Our time costs are related to the number of search keywords, but hash operation is less than exponentiation operation . Therefore, our construction is more superior to CP-ABKS and ABKS-SM scheme regarding generating the trapdoor time. In Search algorithm, our scheme just needs time, while the time of CP-ABKS and ABKS-SM scheme is subject to the number of system attributes, so our scheme offers a much better search experience. In Encryption and Search algorithm, the number of keywords also influences the time of our scheme, but it does not reduce the search experience for data users and can support more rich functionalities; therefore, our scheme is still desirable in the Internet of things environment.

As shown in Table 4, we compare storage costs by evaluating KeyGen algorithm, Encryption algorithm, and Trapdoor algorithm. From Table 4, one observed that the storage costs of Trapdoor algorithm of our ABMKS-SM scheme outperform the CP-ABKS [15] and ABKS-SM [19] scheme. Along with the number of attributes growth increased in KeyGen algorithm, the storage costs of the ABKS-SM scheme and our ABMKS-SM scheme show an upward trend as a result of supporting shared multiple data owners. More concretely, our ABMKS-SM scheme achieves higher efficiency than the ABKS-SM scheme. In Encryption algorithm, our scheme’s storage costs are on the rise with the number of keywords in the encryption phase because of supporting multikeyword search. As we all know, supporting more complex functionalities can sometimes sacrifice some efficiency, but it does not bring a great influence on user search experience. Accordingly, our ABMKS-SM scheme can be accepted for more practical applications.

6.3.3. Experimental Analysis

To validate the theoretical analysis, we implement our scheme in software by using JPBC library [49] in JRE1.8 environment. Furthermore, we simulate our experiments on the Windows 10 system with a laptop with Intel(R) Core (TM) i7-8565U CPU, 8.00 GB RAM through using Java language. In order to achieve a practical function, we choose an elliptic curve group with Type A: . For ease of description, we mainly take into account several phases, such as key generation, encryption, trapdoor generation, search, and decryption process. Further, we evaluate our performance by varying the number of keywords and attributes and set .

As illustrated in Figure 2, when the number of keywords is 10, we can see how the time costs of key generation, encryption, trapdoor generation, and search change as the number of attributes grows. In this case, the computation costs of trapdoor generation, decryption, and search have obvious advantages, since they are independent of the number of the data user’s attributes. In contrast, the computation overheads of key generation and encryption increase with the number of attributes.

Figure 3 enlarges the time cost of the search algorithm in Figure 2. As illustrated in Figure 3, when the number of keywords is 10, the time cost of the search process remains almost unchanged as the number of attributes increases.

As illustrated in Figure 4, when the number of the data user’s attributes is 10, we can see how the time costs of key generation, encryption, trapdoor generation, search, and decryption change as the number of keywords grows. In this case, the computation costs of key generation, search, and decryption are minimal, while the costs of encryption and trapdoor generation increase with the number of keywords.

Figure 5 enlarges the time cost of the search algorithm in Figure 4. As illustrated in Figure 5, when the number of attributes is 10, the time cost of the search process remains almost unchanged as the number of keywords increases. This is because the number of keywords is not large enough and the multiplication operation in group is the lowest when compared to other operations.

In order to show the relationship between search time and the number of keywords clearly, we consider removing three pairings from the search time due to the high cost of pairing. As illustrated in Figure 6, when the number of keywords becomes much larger, the computation cost of the search algorithm is proportional to the number of keywords when the attribute list satisfies the AND-gate access structure.

Furthermore, we show how the time cost of the decryption algorithm changes with the number of data owners. As illustrated in Figure 7, as the number of data owners grows, the computation overhead of the decryption algorithm is proportional to the number of data owners.

The above figures show that our search process is more efficient than the other phases and that its computation costs are independent of the number of attributes. Although the computation cost of the search algorithm is proportional to the number of keywords when the attribute list satisfies the AND-gate access structure, the time cost of multiplication operation in group is the lowest. At the same time, the time cost of trapdoor generation does not depend on the number of attributes. Our scheme can significantly enhance the user’s search experience, which benefits data users who take advantage of the Internet of things.

7. Conclusion

In this paper, we design a novel attribute-based multikeyword search for shared multiowner (ABMKS-SM) scheme for the Internet of things; it supports multikeyword search over ciphertexts with enhanced fine-grained access control. The most important security goal of public key searchable encryption is IND-CKA security. We give the formal definition of this model and achieve IND-CKA security. Finally, we evaluate our scheme through functional, theoretical, and experimental analysis and further show its efficiency and practicality. Results demonstrate that the time cost of search is independent of the number of attributes; likewise, the cost of trapdoor generation is not related to the number of attributes. Last but not least, our proposed scheme makes full use of the benefits brought by cloud computing and the Internet of things and is acceptable in practice.

Data Availability

The simulation result files used to support the findings of this study are available from the first author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


Acknowledgments

This work was supported by the Shandong Provincial Key Research and Development Program of China (no. 2018CXGC0701), the National Key Research and Development Program of China (no. 2018YFE0126000), the National Natural Science Foundation of China (NSFC) (no. 61972050), the Beijing Natural Science Foundation (no. L191012), and the 111 Project (no. B21049).