#### Abstract

A personal health record (PHR) is an electronic application which enables patients to collect and share their health information. With the development of cloud computing, many PHR services have been outsourced to cloud servers. Cloud computing makes it easier for patients to manage their personal health records and makes it easier for doctors and researchers to share and access this information. However, due to the high sensitivity of PHR, a series of security protections are needed to protect them, such as encryption and access control. In this article, we propose an attribute set-based Boolean keyword search scheme, which can realize fine-grained access control and Boolean keyword search over encrypted PHR. Compared with the existing attribute-based searchable encryption, our solution can not only improve the flexibility in specifying access policies but also perform Boolean keyword search, which can meet the needs of large-scale PHR users. Furthermore, we simulate our scheme, and the experimental results show that our scheme is practical for PHR systems in cloud computing.

#### 1. Introduction

In recent years, with the rapid development of cloud computing, it has been successfully deployed in a wide variety of real-world applications, such as the medical industry. A personal health record (PHR) is an electronic application through which patients can maintain and manage their health information in a private, secure, and confidential environment. The intention of PHR is to provide a complete and accurate summary of an individual’s medical history which is accessible online. PHR benefits in many aspects, including strengthening the connection between doctors, patients, medical researchers, and hospitals. Doctors and medical researchers can obtain patient’s information more conveniently by using PHR. At the same time, patients can better control their personal health information (PHI) since only people with necessary electronic credentials can get access to their PHR. However, PHR is under security threat such as information leakage, lack of access control, and untrusted cloud servers. A lot of security issues have happened in recent years, which have brought huge economic losses. Thus, it is very important to develop a method for protecting the security and privacy of PHR. The most common method is to encrypt the PHR before uploading them to the server. However, performing searches on encrypted PHR would be a challenge.

Searchable encryption (SE) is a well-studied method that can deal with this issue. In SE, firstly, data owners encrypt their data and upload them to the cloud server. Then, each legitimate data user can generate a trapdoor using his secret key and interested keywords where the trapdoor enables data user to search over encrypted PHR. However, due to the high sensitivity, it is desired that each user can only query the authorized PHR. That is, fine-grained access control is needed for PHR. Thus, attribute-based keyword search has been implemented by many researchers [1–12]. In these schemes, data owners can encrypt their data with predefined access control policies. A trusted authority is responsible for managing all data users and distributing secret keys to them, where the secret key is generated according to the user’s attributes. Thus, when a data user searches over encrypted PHR stored in the server with his interested keywords, the server can judge whether his attributes satisfy the access policy.

However, there are some limitations in existing schemes. Firstly, in the schemes [7–10], each user’s attributes are organized in a single set, which cannot support the compounded attributes. For example, consider a user who is a “Researcher” working in “College A” and serves as both “Director” of “Department of Medicine” and “Professor” of “Department of Chemistry,” and the above attributes are both valid and are likely to be used to describe him. A possible method is expressing above attributes as strings, like “”. Unfortunately, it becomes challenging in satisfying policies which combine some of the singleton attributes. Secondly, in the schemes [10–12], data users are only allowed to search with a single keyword, which is not flexible enough. Although the scheme [7] supports recursive attribute set structure for more flexibility in specifying policies and the scheme [3] supports Boolean keyword search, none of the schemes support both of the two functionalities.

##### 1.1. Our Contributions

In this paper, we present an attribute set-based Boolean keyword search (ASBBKS) scheme over encrypted PHR in cloud computing. In our scheme, each data user’s attributes are organized as recursive set structure, which enables more flexibility in user attribute organization and more efficiency in specifying policies than the existing ABKS schemes. Meanwhile, our scheme supports Boolean keyword search which is flexible in keyword expressivity. The ASBBKS model for encrypted PHR is shown in Figure 1. The main contributions of our paper are described in detail as follows:(i)In our scheme, each data user’s attributes can be organized as recursive set structure. That is, multiple values are assigned to an attribute in different sets. In the above example, the researcher’s attributes can be organized into a 2-depth recursive set structure as follows. For each role that a researcher has, a separate set of values {Department, Role} can be assigned. {Agency: College A, Role: Researcher, {Department: Medicine, Role: Director}, {Department: Chemistry, Role: Professor}}.(ii)All authorized users can perform Boolean keyword search which is a more flexible search mechanism. For example, the PHR users can query the PHR which contains the keywords “(Treatment time: Jun 2021 Doctor name: Mike) (Drug name: Aspirin Disease name: Neuralgia)” to the cloud server.(iii)We present the theoretical performance analysis of the ASBBKS scheme for computation and communication costs. In addition, the simulated results show that it is practical for the PHR systems.

##### 1.2. Related Works

Searchable encryption (SE) was first proposed by Sont et al. [13] which enables users to implement keyword research over the encrypted data. There are two categories for existing SE schemes: symmetric searchable encryption (SSE) [13–17] and public key encryption with keyword search (PEKS) [18–21]. SSE enables a user to encrypt his data and implement the keyword search by using his secret key. In a PEKS scheme, data owners can authorize search ability to each user by encrypting data with the user’s public key. Thus, each user can perform searches over encrypted data with his private key. However, the above two types of SE have a vulnerability that they do not support access control on data users. It means that each legitimate user can query all of the encrypted data, which may cause security issues.

To solve this problem, researchers have proposed SE schemes with access control such as attribute-based encryption with keyword search (ABKS) [22–26]. In such SE schemes, data owners can authorize search ability to data users whose attributes satisfy the access policy predefined by the data owner. There is a trusted authority in ABKS to generate public parameters. In addition, it also generates secret keys for data users. In [27], each user needs to submit his attribute structure and interested keywords to the trusted authority for generating trapdoors. Then, the data user can search over encrypted data with his trapdoors. However, it fails to preserve the privacy of interested keywords and they will be revealed to the trusted authority, which is not desired by the data user. Thus, Zheng et al. [28] proposed an improved SE scheme that makes use of an access tree to fulfill access control. In [28], each user sends an attribute set to the trusted authority for generating an attribute-related private key. The private key is used to generate trapdoors of interested keywords. Then, users can search over encrypted data with trapdoors without revealing interested keywords. However, in these schemes, user’s attributes are organized to a single set, which decreases the flexibility in specifying access policies.

In [29], the researchers proposed attribute set-based encryption (ASBE). In ASBE, the user’s attributes are organized in the form of recursive set structure which enables the data owners to encrypt data with more flexible access policies than ABE. Based on this technique, Xu et al. [7] proposed attribute set-based keyword search (ASBKS). Their scheme has better flexibility in user attribute organization and more efficiency in specifying policies. However, it only supports single keyword query, which limits the performance of searching.

To achieve multi-keyword search, Boolean keyword expression search was presented in [1]. In [1], keywords are divided into two parts: value and name, which are both organized in the form of an access tree structure. Inspired by this, we propose an ASBBKS scheme that can support Boolean keyword search, compounded attributes, and flexible search policies simultaneously.

##### 1.3. Paper Organization

The rest of the paper is organized as follows. We introduce some preliminaries in Section 2. In Section 3, the concrete construction of the ASBBKS scheme is presented and the formal security proof of the ASBBKS scheme is provided. In Section 4, we evaluate the performance of our ASBBKS scheme and conduct simulation experiments to demonstrate its efficiency and practicality. Finally, we conclude the paper in Section 5.

#### 2. Preliminaries

##### 2.1. Bilinear Pairings

Let and represent the multiplicative cyclic group of order , where represents the prime number. Assume that is the generator of group ; then, when satisfies the following conditions, we say it is a bilinear mapping [30]:(1)Bilinear: for any and , .(2)Non-degenerate: .

If there exists an efficient algorithm that can compute for all , then is called a bilinear group.

##### 2.2. Recursive Set Structure

We construct user’s attributes as the recursive structure mentioned in [29]. In this structure, each element of a set can be an associated attribute or a set. They are organized like the tree structure with the notation of depth which limits this recursion. Here, we provide an example of this kind of set structure with depth 2 in Figure 2.

At the first layer, there are attribute elements and set elements. At the second layer, there are only attribute elements. For a set with depth 2, we can denote it as where is the set of attributes at depth 1 and is the set at depth 2 for .

##### 2.3. Access Tree

In our scheme, the access tree structure is the same as that in [29], and Figure 3 shows an example of access tree . In , each inner node represents a threshold gate which has a threshold value . Assume that the set of child nodes of is represented by and the number of child nodes is represented by . In addition, each child node of is labeled from left to right as 1 to . Then, we have . When , the threshold gate transforms to a “ ” gate; when , it transforms to an “ ” gate. In addition, each leaf node of represents an attribute, denoted as . Furthermore, the parent of node is presented as , the label associated with is presented as , the set of leaf nodes of is presented as , and the subtree of rooted at the node is presented as .

For an attribute set structure . with depth 2 and an access tree , if at least one of the following conditions holds, we say that satisfies : (1) there is at least one subset of , in which the combination of its attributes satisfies ; (2) there are some translating nodes where the attributes from multiple sets in can be combined to satisfy . The translating node allows attributes from different sets to be combined to satisfy an access tree. Thus, by using some translating nodes, data users can combine attributes from multiple sets to satisfy an access tree. To make an explanation, we take the recursive set structure in Figure 2 and for example. In access tree , there are two inner nodes and one of them is a translating node. Their threshold gates are 1 and 2, respectively. For the attribute set structure in Figure 2, it can easily satisfy node . For node , subsets and can be combined together to satisfy it. However, if node is not a translating node, then there is no subset of that can satisfy node . Thus, using some translating nodes, data owners can selectively require users to combine attributes from either a single set or multiple sets to satisfy the access tree.

**Secret share:** for an access tree , each node of with associated threshold would equip with a polynomial . is generated by running the secret share algorithm mentioned in [31]. This algorithm is used for distributing a secret , and the process of this algorithm is as follows:(i)For the root node , let and then randomly select coefficients for the polynomial .(ii)For an inner node , let and then randomly select coefficients for the polynomial .(iii)For a leaf node , let the degree of be and .

After executing the algorithm, the value corresponding to each leaf node becomes the secret share of . We represent this algorithm as Share .

##### 2.4. Boolean Query

In [3], a Boolean query requires that a server can find out all the encrypted data associated with an arbitrary Boolean expression among keywords. The expression can be denoted as . While calculating a Boolean expression, let if the encrypted data contains ; otherwise, set . Then, replace corresponding in the expression with . After that, if the result of the Boolean expression is “1,” encrypted data satisfy the condition of the Boolean query. In our scheme, keywords are divided into two parts: name and value. They are organized as an access tree structure as shown in Figure 4, which is a more expressive searchable mechanism.

##### 2.5. Definition of ASBBKS

In an ASBBKS scheme, there are several participants including multiple data owners and data users, a cloud server, and a trusted authority used for authorizing and managing data owners/users. An ASBBKS scheme consists of five algorithms: , , , , and .(i): given the security parameter , the algorithm generates a public key and a master key .(ii): the algorithm uses the master key and the given attribute set structure to generate secret key corresponding to .(iii): the algorithm inputs public key , a set of keyword values , and an access tree and outputs the corresponding ciphertext .(iv): the algorithm inputs secret key and a Boolean keyword value expression and outputs the corresponding trapdoor .(v): the algorithm takes trapdoor and ciphertext as input. When the attribute set related to matches with the access tree encrypted in and a minimum subset of keyword names encrypted in satisfies the Boolean keyword expression encrypted in , it outputs 1. Otherwise, it outputs “”.

In an ASBBKS scheme, the trusted authority firstly executes to initialize the system parameters. Then, according to the user’s attribute set, it computes secret key for each user. Data owners should execute on their data using preset access control policies to generate the corresponding ciphertexts and then upload them to the server. For data users, they can execute to generate trapdoors for searching over ciphertexts. In the end, the server executes to find all the data that are authorized to a user by the policies.

##### 2.6. Security Model of ASBBKS

We will give the security definition of ASBBKS. If there is no adversary who can win the following game with a non-negligible advantage in probabilistically polynomial time (PPT), then we can say that an ASBBKS scheme is secure against selectively chosen keyword attack (INDSCKA). In the following game, adversary interacts with the game challenger as follows.(i)**Setup:** in this stage, challenger first generates through running . Then, will be sent to adversary .(ii)**Phase 1:** in this stage, adversary can make a polynomial number of queries as follows:(1)**Secret key queries:** adversary adaptively queries secret keys for recursive attribute set structures to challenger .(2)**Trapdoor queries:** adversary adaptively queries Boolean keyword value expressions to challenger and gets the corresponding trapdoors.(iii)**Challenge:** after the above queries, adversary submits two distinct keyword value sets and to challenger . These sets cannot satisfy the Boolean keyword value expression that is queried with the form of in Phase 1. Then, randomly selects a bit , constructs the challenge ciphertext , and returns it to .(iv)**Phase 2:** adversary continues to make secret key queries and trapdoor queries similar to phase 1. It requires both and to not satisfy the Boolean keyword value expression .(v)**Guess:** adversary has to guess and output a bit . It wins the game if .

#### 3. Our Construction of ASBBKS

In this section, we will provide a concrete construction of our scheme and the formal security proof. In the following construction and security proof, we assume the depth of the user’s attribute set structure to be 2.

##### 3.1. The Concrete Construction

###### 3.1.1.

Let be a bilinear pairing in which and represent two cyclic groups of prime order . Assume that is the generator of and and are two collision-resistant hash functions. Next, it randomly selects and calculates , , . The master key and the public key are set to be

###### 3.1.2.

The input recursive attribute set structure is parsed as . Assume that each has attribute members; then, there is for . Firstly, it randomly selects a value for attribute set structure . For each subset , it randomly selects values and sets . Furthermore, it randomly selects a set of values for each attribute. Finally, it calculates , and for , and for . The secret key for is set to be

At the translating node, each element in a secret key supporting of set at depth 2 translates to of set at depth 1. Elements and can be combined as to translate to at the translating nodes.

###### 3.1.3.

is a set of keyword values and is the set of the keyword names. This algorithm randomly selects values and computes , , , for . After that, it computes secret shares of through implementing . Further, for each , it computes and . We assume that the set of translating nodes in is represented as . Then, it calculates for each . Finally, the ciphertext is set to be

In user keys, elements and support translation between sets at a translating node . We will describe it later in the algorithm.

###### 3.1.4.

represents the Boolean keyword value expression which is an access tree. represents the Boolean keyword name expression which is an access tree with the same structure as . Taking and as inputs, it randomly selects a value and calculates the secret shares of by implementing . Then, this algorithm calculates and . Parsing as , it further computes , , for , and for . Finally, the trapdoor for is

###### 3.1.5.

Cloud server takes input ciphertext and the trapdoor , . The complete algorithm consists of the following 3 steps.

*Step 1. *In this step, for the given access tree and key structure , it returns a set . The elements of this set are some labels for each node within . Each label in represents a set and each set satisfies the subtree . There is for the root node and the related set is . If does not satisfy , the return of this algorithm is “0.” Otherwise, for node , it picks one label from the set , denoted as . Then, it executes a recursive function , which will return as the result. According to the type of node , the function will be computed in two different ways.(1)When is a leaf node: if , it returns “”. Otherwise, we have(2)When is not a leaf node:(i)Firstly, it calculates a set , which is composed of child nodes of . In , each node must satisfy one of the following two cases: (1) label and (2) is a translating node and there exists a label that satisfies and . If such a set does not exist, it returns “”.(ii)Execute for each node which satisfies label and then return as the result.(iii)Execute for each translating node which satisfies and and return as the result. If , elements and can be used to translate to . If , elements and together with can be used to translate to .(iv)After computing for each node in , it computes as follows:where , , and .

After the above steps, it further computes the function for root node and returns as the result as follows.In the end, it computes a value . When , it assumes . When , it computes as follows:

*Step 2. *Firstly, it computes a value with the following formula:Then, it computes with the following formula:

*Step 3. *It selects a minimum subset from the set of keyword names , which satisfies the Boolean keyword name expression . If does not exist, it returns “0.” If node is a leaf node of access tree and is related to the search token , then the keyword name associated with this node is denoted by . Further, for each keyword name , it computesIf , then there is .

When node is not a leaf node, for all child nodes of , assume that represents an arbitrary set with size consisting of children nodes and . If does not exist, then ; otherwise, it utilizes the polynomial interpolation to calculate to getAt last, for the root node of , it computes and checks whether the following equation holds:If the equation above does not hold, then the algorithm would keep finding another subset of keyword names from the set of keyword names which satisfies and repeat the checking as above. If there exists no such keyword name subset such that the above equation holds, it returns “”.

We depict the whole processing steps of our scheme in Figure 5.

*Remark 1. *For the user’s attribute set structure with depth , for each level , a value needs to be selected. supports the translations between sets at level or between a set at level and its outer set at level . Translations across multiple levels will use corresponding translating values and different .

##### 3.2. Security Proof

In this section, we will provide the formal proof of Theorem 1 to prove that our scheme is secure.

Theorem 1. *The above scheme is selectively secure against chosen keyword attack in the generic bilinear group model.*

*Proof. *In our security model, the adversary assumes to distinguish from and from , where is randomly selected from , and are two different keyword sets, , and . Since has the same probability to distinguish both of them, it is easy to distinguish from . That is, this game can be transformed to that has the advantage to distinguish from .

The challenger can be constructed in this game as follows.(i)**Setup**: the challenger selects parameters , , and sends public parameter to . After that, selects a challenge access tree and returns it to .(ii)**-Queries**: challenger would maintain an -list, which is empty at first. Given an input attribute , if has not been queried, it randomly selects and then returns to and the tuple will be added to -list. For those attributes that have been queried, will directly return to . can query this random oracle for polynomially many times.

*Phase 1. *Adversary can make the secret key and trapdoor queries for polynomially many times.(i)**Secret key queries:** firstly, for an attribute set structure where for , will randomly select a value for and compute . For each subset , it will randomly select and a value for , . Next, use these parameters to compute corresponding , , and . Finally, constructs the secret key with the above parameters and returns it to .(ii)**Trapdoor queries**: if has queried secret key , then directly runs the algorithm to get the trapdoor . Challenger randomly selects and computes the secret shares of *t* by running and computes corresponding , , , , and . Then the trapdoor for Boolean keyword value expression is , and the challenger *C* returns it to .**Challenge:** submits two distinct keyword value sets and to , and these sets are of equal size. Then, let represent the set of keyword name. For these two sets, they cannot satisfy the Boolean keyword value expression . Then, randomly selects , for and computes secret shares of by executing .

Then, randomly selects a bit and constructs the challenge ci-phertext , , , and then *C* returns it to .(i)If , it randomly selects and outputs , for , , , (ii)If , it outputs , , , , , , .

*Phase 2. *After receiving the challenge ciphertext , can perform secret key queries and trapdoor queries mentioned in phase 1. It requires both and to not satisfy the Boolean keyword value expression .**Guess:** outputs its guess, which requires to distinguish from to win this game.**Analysis:** if can construct for some , has the ability to distinguish from a random element . Thus, we continue to analyze that adversary constructs for some with negligible advantage. That means cannot win our game with a non-negligible advantage.

From the above phases, it can be easily found that and have appeared, so only needs to construct . With terms and , can construct and then needs to conceal . With terms and , can construct and needs to conceal . Then, should be constructed which will use terms *ri*, , , and because *q _{v}*(0) is the secret share of

*s*

_{0}. However, cannot be constructed since there are not enough attribute values for to satisfy the access tree .

#### 4. Performance Analysis

In the existing ABKS schemes, no scheme can support both Boolean keyword search and recursive set structure. At first, we compare the existing schemes [1, 7, 28] in Table 1 with our scheme in the aspect of their functionalities. We assume four parts to compare, search method, access structure, attribute set structure, and translating nodes. From Table 1, we can conclude that our scheme is the first one that supports compound attributes, flexible access policies' specifying, and Boolean keyword search simultaneously.

##### 4.1. Theoretical Analysis

In our scheme, three operations are the most time consuming which are, respectively, the bilinear pairing, the modular exponentiation, and the hash function . Since can be precomputed, we just consider the former two operations in the following analysis.

In theoretical analysis, we focus on the computation complexity and storage overhead of each step. Firstly, we assume a user’s 2-level recursive attribute set to be where . Let . Then, let the leaf nodes of an access tree be and translating nodes be . For the keyword set used in , we denote the number of keywords in this set to be and the leaf nodes of a Boolean keyword value expression to be . We organize the theoretical computation complexity and storage overhead of the existing schemes [1, 7, 28] and our scheme in Table 2.

**KeyGen.** For the algorithm in our scheme, its computation complexity is exponentiations in . The storage overhead is group elements in . In [28], the algorithm takes exponentiations in . The storage overhead is group elements in . In [7], the computation complexity of its algorithm is exponentiations in . The storage overhead is group elements in . In [1], the algorithm takes exponentiations in . The storage takes group elements in .

**Encrypt.** For the algorithm in our scheme, its computation complexity is exponentiations in . The storage overhead is group elements in . In [28], the algorithm takes exponentiations in . The storage overhead is group elements in . In [28], the computation complexity of its algorithm is exponentiations in . The storage overhead is group elements in . In [28], the algorithm takes exponentiations in . The storage takes group elements in .

**Trapdoor.** For the algorithm in our scheme, its computation complexity is exponentiations in . The storage overhead is group elements in . In [1], the algorithm takes exponentiations in . The storage overhead is group elements in . In [28], the computation complexity of its algorithm is exponentiations in . The storage overhead is group elements in . In [7], the algorithm takes exponentiations in . The storage takes group elements in .

**Test.** For the algorithm in our scheme, we first assume has leaf nodes satisfying and translating nodes on the path from leaf node used to the root node where , and let . In addition, we denote the number of all used nodes in as , and the computation complexity is pairings and exponentiations in . The storage overhead depends on the number of the matched ciphertexts, which we denote as . In [28], the algorithm takes pairings and exponentiations in and the storage overhead we assume is . In [7] the computation complexity of its algorithm is pairings and exponentiations in , and the storage overhead we assume is . In [1], the algorithm takes parings and exponentiations in and the storage overhead we assume is .

*Remark 2. *From the analysis, the difference in computation cost between our scheme and [28] depends linearly on the number of keywords, the number of inner sets in , and the number of translating nodes in . When there is only one set in , one keyword in the algorithm and algorithm, and no translating node in access tree , the computation cost of our scheme is the same as that of the scheme in [28]. The difference in computation cost between our scheme and [7] depends linearly on the number of keywords. When there is only one keyword in the algorithm and algorithm, the computation cost of our scheme is the same as that of the scheme in [7]. The difference in computation cost between our scheme and [1] depends linearly on the number of inner sets in and the number of translating nodes in . When there is one set in and no translating node in access tree , the computation cost of our scheme is the same as that of the scheme in [1]. In summary, our ASBBKS scheme supports compound attributes and Boolean queries by adding some computation operations, which is more suitable for practical application environments.

##### 4.2. Experiments

In the following, we have made a series of comprehensive experiments to simulate the execution of our scheme on a personal computer (the CPU is i7-8700U 3.2 GHz with a 24 GB memory and the operating system is Ubuntu 18.04 LTS) and the PBC library. We evaluate our scheme with different parameters and record the execution time of each step in our ASBBKS scheme. In these experiments, we assume that the user’s recursive attribute set has two levels. We show our experiment results of each step in Figure 6.

**(a)**

**(b)**

**(c)**

**(d)**

**KeyGen.** Figure 6(a) shows the time cost of the phase for our ASBBKS scheme. We consider two parameters that may affect the execution time of this step: the number of subsets in a user’s set structure and the number of attributes in each subset. We assume the number of subsets to be 1, 10, and 20 and the number of attributes in each subset to be 20, 40, 60, 80, and 100, respectively. As we can see, the time cost of is increased linearly with the above two parameters. It only takes 638 ms when there are 20 subsets and 100 attributes in each subset. The number of attributes in each subset influences the execution time most, while the number of subsets has a smaller impact.

**Encrypt.** Figure 6(b) shows the time cost of the phase. We consider three parameters that may affect the execution time of this step: the number of translating nodes and leaf nodes in an access tree and the number of keywords. We assume that there are 20, 40, 60, 80, and 100 leaf nodes and keywords and there are 0, 5, and 10 translating nodes, respectively. As we can see, the time cost of is increased linearly with the above parameters. It only takes 990 ms when there are 10 translating nodes and 100 leaf nodes in an access tree and 100 keywords in a document. In these parameters, the main influencing factors are the number of leaf nodes and the number of keywords, while the number of translating nodes only affects the execution time for several milliseconds.

**Trapdoor.** Figure 6(c) shows the time cost of the phase. We consider three parameters that may affect the execution time of this step: the number of subsets in a user’s set structure, the number of attributes in each subset, and the number of leaf nodes in a keyword structure. We assume the number of attributes and leaf nodes to be 20, 40, 60, 80, and 100 and the number of subsets to be 1, 10, and 20, respectively. As we can see, the execution time of the phase is increased linearly with the above parameters. It only takes 603 ms when there are 20 subsets with 100 attributes in each subset and 100 leaf nodes for the keyword structure. In these parameters, the main influencing factors are the number of attributes and the number of leaf nodes, while the number of subsets has a smaller impact.

**Test.** Figure 6(d) shows the time cost of the phase. We consider three parameters that may affect the execution time of this step: the number of keywords, the number of attributes in each subset, and the number of translating nodes. We assume that there are 20, 40, 60, 80, and 100 attributes and keywords. We also assume that there are 0, 5, and 10 translating nodes. Further, we assume that the number of subsets in a user’s set structure is fixed to 10. As we can see, the execution time of the phase is increased linearly with the above parameters. It only takes 370 ms when there are 100 attributes in each subset, 10 translating nodes in an access tree, and 100 keywords in the document. In these parameters, the main influencing factors are the number of attributes and the number of keywords, while the number of translating nodes has a certain impact on it.

From the above experiments for each algorithm in our scheme, we can conclude that it is an efficient and practical scheme for use in a PHR application.

#### 5. Conclusion

In this paper, we present an attribute set-based Boolean keyword search over encrypted PHR. In our scheme, each data user’s attributes are organized as recursive set structure, which enables more flexibility in user attribute organization and more efficiency in specifying policies than the existing ABKS schemes. Meanwhile, all authorized users can perform Boolean keyword search over the encrypted PHR. We have proved the security of our scheme formally. The experimental results show that it is feasible and practical for PHR systems.

#### Data Availability

The data used to support the findings of this study are available from the corresponding author upon request.

#### Conflicts of Interest

The authors declare that they have no conflicts of interest or personal relationships that could have appeared to influence the work reported in this paper.

#### Acknowledgments

This study was supported by the Key Areas R&D Program of Science and Technology Program of Guangzhou (202 103 010 005) and Shenzhen Science and Technology Program (JCYJ20210324100813034).