The development of cloud computing and edge computing makes it possible to store and share Internet of Vehicles (IoV) data on a large scale, which greatly contributes to traffic intelligence, but outsourced data confidentiality and user privacy cannot be guaranteed. The Ciphertext Policy Attribute-Based Encryption (CP-ABE) scheme can achieve both fine-grained access control and secure data sharing. However, existing CP-ABE schemes owns high computational complexity, and the adopted single attribute authority mode is burdensome to resource-limited IoV. Thus, this paper proposes a Multiauthority Attribute-Based Keyword Search over Cloud-Edge-End Collaboration (CEABKS-MA) system, leveraging the benefits of edge and cloud resources and effectively combining with the multiauthority structure to minimize the computation and storage pressure on resource-limited parties in the system. In addition, fine-grained keyword search with support for attribute update and lightweight encryption/decryption is extended. Finally, this paper demonstrates the security and efficiency of the CEABKS-MA system through rigorous security analysis and simulation experiments.

1. Introduction

IoV collects and transmits vehicle data to the network through in-vehicle sensing devices, which largely facilitates intelligent transportation system [13]. Currently, with the development of IoV technology and the increase in the number of vehicles, users’ demands for intelligent access to vehicle information are increasing. Since IoV data usually includes users’ private information (e.g., vehicle location), privacy protection becomes a key factor affecting IoV user search experience. However, in-vehicle networks exposed to unprotected environments are more vulnerable to security threats in data storage, transmission, and sharing [4, 5] and have limited computation and storage capacity to effectively support secure sharing of IoV data.

Outsourcing massive amounts of data to the cloud and edge can effectively alleviate the resource-limited issue of IoV devices and facilitate data sharing, but the cloud and edge are usually perceived as “honest and curious” [6, 7], meaning they will honor agreements honestly but may have unauthorized access to some sensitive data. Hence, the searchable encryption (SE) [8] is proposed to support outsourced data encryption and enable keyword search in the ciphertext domain, where special encryption algorithms are used by data owners and search users for encryption of plaintext data, indexes, and queries to perform accurate or near-accurate keyword matching operations on the ciphertext.

Facing the massive amount of IoV data, fine-grained access control to the data in secure retrieval is of great importance to users. The CP-ABE scheme [9, 10] embeds the access policy into the ciphertext; the user can decrypt the ciphertext only when the user attributes satisfy the policy; thus, the data owner can control the access to the data, which is ideal for dynamic IoV environments. However, most existing CP-ABE schemes are mainly based on cloud computing architecture [11, 12] and are designed for single attribute authority scenarios [1315] and have high computational complexity. Among them, centralized cloud computing imposes a heavy computation and storage burden on cloud servers, and remote cloud-oriented data transmissions cause high communication cost and large latency [1618]. As user registration and key generation of single attribute authority are resource-intensive and time-consuming, which may lead to the failure of single-point attribute authority and serious consequences such as key and user privacy leakage, ultimately affecting the availability of search system. Besides, multiple types of sensing devices are deployed on vehicles to collect corresponding vehicle attribute data, while users may only need vehicle data for a certain attribute; traditional keyword search will return ciphertext for all attributes of the vehicle, which will bring additional computation consumption and communication overhead for users.

Compared with centralized cloud computing, cloud-edge-end collaborative architecture can effectively reduce search latency and the computational load on the cloud by fusing the advantages of the edge being closer to users and the cloud having abundant resources [1921]. Figure 1 illustrates the IoV cloud-edge-end collaborative architecture. Therefore, this paper designs a multiauthority attribute keyword search (CEABKS-MA) system based on cloud-edge-end collaboration, which can effectively reduce the computation and storage burden of resource-constrained parties in the system and achieve efficient and secure fine-grained keyword retrieval for IoV data. The main contributions of this paper are as follows: (i)Fine-grained keyword search with support for attribute update and lightweight encryption is extended in access control. Vehicles carrying multiple sensors are abstracted into one or more attributes to enable retrieval of specified vehicle attributes. The attribute update function effectively prevents malicious users from stealing who revoke attributes, and the online/offline encryption method further reduces the computation burden on users(ii)A cloud-edge-end collaborative search method is proposed, where users can achieve real-time and historical search by sending a trapdoor to the nearest edge. Besides, the edge provides a ciphertext predecryption service, and the search user can obtain plaintext data by performing a simple calculation(iii)A multiauthority structure is designed to implement distributed key management, which decentralizes the expensive and time-consuming key generation and distribution tasks of the central authority to each attribute authority, which can better adapt to the spatial characteristics of vehicles and distributed IoV topology

The main content of this paper is as follows. Section 2 discusses related work. Section 3 introduces preparatory knowledge. Section 4 presents the system model, formal definition, and security model. Section 5 describes in detail the construction of the CEABKS-MA system. Section 6 analyzes the security and performance of the CEABKS-MA system. Section 7 concludes this paper.

This section includes three parts: (1) searchable encryption, (2) privacy-preserving in IoV, and (3) secure data sharing in IoV.

2.1. Searchable Encryption

With a large number of data owners outsourcing critical private data to access rich computational and storage resources at a lower cost, the SE scheme that enables encrypted data retrieval is widely studied and applied [2224]. Song et al. [8] first introduced a symmetric search encryption (SSE) scheme in 2000 to enable a single keyword search over ciphertext. Boneh et al. [25] proposed the first Public-Key Encrypted Keyword Search (PEKS) scheme, which has a broader application scenario than the SSE scheme and can support secure data sharing among multiple data owners. Sahai and Waters [26] introduced an Attribute-Based Encryption (ABE) scheme in 2005, which supports one-to-many encryption, greatly reduces the number of keys generated, and is an effective way to achieve fine-grained access control, and since then, researchers have studied the ABE scheme extensively.

The ABE scheme mainly consists of Key-Policy ABE (KP-ABE) [27] and Ciphertext-Policy ABE (CP-ABE) [28]. Bethencourt et al. [28] first proposed the CP-ABE scheme in 2007, by using attributes to express the user’s authentication credentials and tokenizing the key; the user could decrypt the ciphertext if the set of attributes hidden in the user’s key matched the access policy embedded in the ciphertext by the data owner, which was more suitable for dynamic scenarios than the KP-ABE scheme that embeds the access policy in the key. Keyword search is an effective way to help users rapidly filter the data they need, based on which researchers have conducted extensive research on Ciphertext Policy Attribute-Based Keyword Search (CP-ABKS) [2931]. Qiu et al. [29] devised an attribute keyword search scheme that could resist keyword guessing attacks to maintain the indistinguishability of keywords and access structures. Miao et al. [30] presented an attribute-based encrypted keyword search scheme for verifiable attributes and consider the access rights of the same data based on the priority tree of the attributes. Zhang et al. [31] designed a lightweight searchable encryption protocol for industrial IoT that can provide users with connected keyword search while extending the scheme to multiauthority scenarios to efficiently generate and manage keys, but the system did not have the attribute update function and was less dynamic.

2.2. Privacy-Preserving in IoV

With the large amount of sensitive data in IoV being collected by sensors carried by vehicles, the issue of user privacy protection involved in the collection, transmission, and storage of vehicle data has received a lot of attention from researchers. Wu et al. [32] focused on vehicle anonymity and driving privacy in IoV by designing a privacy-preserving system equipped with a priori and a posteriori countermeasures for message verification thereby improving the reliability of vehicle-to-vehicle (V2V) communication. Kumar et al. [33] proposed a privacy-preserving IoV framework based on blockchain technology and built a deep learning module to detect data in the blockchain to guarantee data security. Zhou et al. [34] considered the location privacy problem of the designed EVN architecture and introduced edge computing to propose a differentiated privacy-preserving service framework. Kang et al. [35] used fog computing to achieve effective user location privacy protection and avoided high latency and cost problems. Wu et al. [36] focused on privacy leakage when computing tasks were offloaded in IoV scenarios, quantifying the potential threats when vehicle users offloaded computing tasks based on physical layer security theory.

The above schemes have effectively investigated data privacy protection in IoV, but they mainly focus on vehicle location privacy or data storage privacy and do not expand much on secure retrieval and sharing of IoV data.

2.3. Secure Data Sharing in IoV

Data sharing can further increase the value of IoV data utilization; as users are increasingly concerned about privacy protection when performing information retrieval, researchers have conducted preliminary studies on IoV data secure retrieval using existing technologies. Chen et al. [37] designed an IoV data sharing incentive mechanism based on the tamper-proof performance of blockchain to ensure the integrity of data on the chain. Cui et al. [38] designed a traceable and anonymous V2V data sharing using federated blockchain technology to track the origin of data and prevent data from being shared twice by malicious users, but the above two schemes are difficult to support the user’s flexible data retrieval needs.

Several studies have improved the ABE scheme in secure retrieval of IoV data and fine-grained access control. Wang et al. [39] extended ground-based IoV scenarios to Space-Air-Ground Integrated Vehicular Networks (SAGIN); a valid keyword conversion algorithm based on a single lattice algorithm and particle encryption is proposed to achieve fuzzy retrieval, and keyword weights are calculated using dependency grammar and phrase structure tree to improve retrieval precision. Zhang et al. [40] proposed a secure retrieval scheme for IoV data based on cloud-fog collaboration, focusing on the problem of accessing sensitive data by malicious users whose attributes are revoked, proposing the concept of auditable user revocation, and giving a verifiable online/offline calculation method. Considering the problems of high computational consumption and low efficiency of serial outsourcing decryption of the ABE scheme, Feng et al. [41] introduced the edge computing to support parallel outsourcing decryption, and the designed scheme can be extended to existing ABE schemes built based on tree structure and linear secret sharing.

However, the above studies utilize the single attribute authority for complex key generation and management tasks when building a secure retrieval scheme for IoV data in combination with an ABE scheme, which is prone to the single-point performance bottleneck. In addition, for IoV scenarios, the computational complexity of the scheme should be minimized without sacrificing efficiency and security.

3. Preliminaries

3.1. Bilinear Groups

Assume that are two multiplicative cyclic groups of order , where is a prime, is a generator of , and the bilinear mapping has the following properties: (1)Bilinear. , (2)Nondegeneracy. (3)Computability. , there exists a valid polynomial-time algorithm to compute the value of

3.2. Access Structure

Let be a set of attributes, and the access structure is monotonic. The access structure is a nonempty subset of the set , the sets in are authorized sets, and the sets not in are unauthorized sets.

3.3. Linear Secret Sharing Scheme (LSSS)

If the following conditions both hold, an LSSS over is linear. (1)The sharing of each attribute forms a vector on (2)Let () be the shared matrix of LSSS to describe the access structure , the th row is defined as , and the mapping function maps each row to a certain attribute . Given a randomly chosen vector , where is the shared secret value, then represents the shares of in LSSS, where the shared belongs to a attribute , denoted as

The LSSS defined in the above way is reconfigurable: assume that denotes the access structure of the LSSS, the set of authorized users , and define . There exists such that , and thus, .

4. System Model and Definition

4.1. System Model

As shown in Figure 2, the system model involves six main participants, namely, central authority (CA), multiple attribute authorities (AAs), vehicle node (VN), multiple edge servers (ESs), cloud server (CS), and search user (SU). (i)Central Authority. The CA is responsible for initializing the system and registrating multiple SUs and AAs(ii)Attribute Authority. Each AA is independent of the other, and there is no intersection between the attributes managed. The AA is responsible for the generation and distribution of user keys within the domain and supports attribute updates for authorized users(iii)Vehicle Node. Different kinds of sensors carried by vehicles observe the vehicle status in real-time, and the VN obtains an attribute-based access structure from AA to encrypt and upload the collected vehicle datasets to the nearest ES(iv)Edge Server. The ES is mainly responsible for the following three tasks. First, it stores vehicle instant ciphertext and forwards vehicle historical ciphertext to CS. Second, it provides instant search service to SU and forwards trapdoor from SU to CS to realize historical search. Third, it provides ciphertext predecryption service to SU whose attributes satisfy the access structure(v)Cloud Server. The CS provides outsourced storage and search service for the vehicle historical ciphertext. In addition, the CS sends the matching ciphertext to ES for predecryption after an accurate keyword search(vi)Search User. The SU obtains the secret key from AA and wishes to freely access ciphertext resources in ES or CS without compromising privacy while reducing the computational burden of decrypting the ciphertext

In the CEABKS-MA system, the CA and multiple AAs, as fully trusted third parties, are real-time online and have sufficient computing and storage resources to perform tasks such as system initialization and key distribution. The CS and multiple ESs are “honest and curious”; they perform ciphertext storage and search services honestly but may try to obtain more private data without authorization.

4.2. Formal Definition

Let denote the set of multiple AAs, the has a set of attributes , and the number of attributes managed by is denoted as . The proposed CEABKS-MA system includes the following polynomial-time algorithms. (1). Given the security parameter , the CA generates the public parameters and the master key , while generates a unique identifier for each authorized SU(2). Given the public parameters , the generates an attribute public key and an attribute private key for each set of attributes it manages(3). denotes the set of attributes received by from , where ; then, the generates the key associated with the set of attributes for and sends it to (4). The randomly selects the blind value to send it to ; then, the executes this algorithm to generate the predecryption key according to and sends it to ES(5). Given the vehicle plaintext dataset , the vehicle attribute keywords , and the access structure , the VN outputs the ciphertext , which includes the encrypted index set and the encrypted dataset (6). Given the query keyword set , the generates the trapdoor according to the secret key and sends it to ES(7). Given the trapdoor and the ciphertext , the ES or CS conducts the search algorithm, if the query is successful, outputs “1” and performs the ciphertext predecryption operation, otherwise, outputs “0”(8). Given the ciphertext and the predecryption key , the ES outputs the partially decrypted ciphertext and sends it to (9). Take the partially decrypted ciphertext as input, and the performs this algorithm to decrypt the ciphertext lightly using the blind value (10). Given the ciphertext and the attribute update public key for key and ciphertext update

4.3. Secure Model

To protect the confidentiality of vehicle data, unauthorized CS, ESs, and SUs cannot access any plaintext information. The CEABKS-MA system proposed in this paper enables the Indistinguishability of Chosen Plaintext Attack (IND-CPA) [42], as well as the Indistinguishability of Chosen Keyword Attack (IND-CKA) [43]. In this subsection, we define the following interactive game between challenger B and adversary A. (1)IND-CPA security

Initialization. Adversary A announces a challenging access structure and sends it to challenger B.

Setup. B first runs the Setup algorithm, outputs the public key , and sends it to A.

Phase 1. A can adaptively send any attribute set to B, but the restriction is that all submitted attribute sets cannot satisfy . For each attribute set , A executes the algorithm to output the key and sends it to B. Moreover, A can make any queries for updated key related to the canceled attribute .

Challenge. A selects two messages of equal length and sends them to B; then, B randomly selects and uses to encrypt . Finally, B returns the challenging ciphertext to A.

Phase 2. A repeats Phase 1 for other sets of attributes, but none of them satisfy .

Guess. A outputs , if , then wins the security game; otherwise, it fails. (2)IND-CKA security

Definition 1. If the advantage of winning the above game in any polynomial-time adversary is negligible, then the CEABKS-MA system is IND-CPA security.

Setup. B outputs the public key and sends it to A.

Phase 1. A can query and for keys and trapdoors in polynomial time. (i). B invokes to generate the corresponding key and sends it to A(ii). A submits a keyword of interest, and B executes the algorithm to generate the trapdoor and sends it to A

Challenge. A selects two keywords with the same length, and then, B randomly selects , generates index , and returns it to A.

Phase 2. The process of Phase 2 is similar to that of Phase 1.

Guess. A outputs , if , then wins the security game; otherwise, it fails.

Definition 2. If the advantage of winning the above game in any polynomial-time adversary is negligible, then the CEABKS-MA system is IND-CKA security.

5. The Proposed CEABKS-MA System

5.1. Construction of CEABKS-MA System
5.1.1. System Initialization

Assume that is a one-way hash function, and is chosen as a bilinear mapping, where and are -order cyclic groups whose generators are and , respectively. The initialization process is divided into two stages, which are described in detail as follows. (i). The CA executes the algorithm using the security parameter , obtaining the global bilinear parameter , and then randomly selects to compute , finally obtains the public parameter and the master key (ii). For each attribute , the picks a random element and computes , then randomly chooses to get the attribute version key , . Finally, the gets the attribute private key and the attribute public key

5.1.2. Key Generation

(i)Keygen. The computes , and for each attribute , picks a random value and computes , , finally constructs a private key and sends it to (ii)PreKeygen. The selects a random value and sends it to the , the computes , , and , then constructs a predecryption key and sends it to ES

5.1.3. Ciphertext and Encrypted Index Generation

In the actual IoV scenario, different types of sensors carried by vehicles collect the corresponding vehicle attribute data separately. For the different attribute states of vehicles monitored by different sensors deployed on the same vehicle, the CEABKS-MA system can achieve a fine-grained keyword search for the specified vehicle attributes. Given the vehicle attribute dataset and a keyword dictionary , the VN uses the key to encrypt the data of each attribute of the vehicle and defines the encrypted vehicle attribute dataset as ; the symmetric key is protected by a specified access structure , where is the matrix of ; is a function that associates rows of to attributes. The specific encryption process is divided into vehicle attribute data encryption and vehicle attribute index encryption, as follows. (i). The VN chooses two random vectors and , where is the secret sharing value, and computes , where . Then, for , the VN computes , , , and and outputs the vehicle attribute ciphertext , so as to get the vehicle ciphertext set (ii). The VN extracts keywords from different attribute dataset and constructs an attribute encrypted index based on the keywords in each . Then, the VN selects a random element , for , computes and and outputs the vehicle attribute encrypted index , so as to get the vehicle encrypted index set (iii)The VN uploads the vehicle ciphertext to ES periodically, and after the ciphertext expires (i.e., the VN uploads a new round of ciphertext), the ES uploads this vehicle historical ciphertext to CS

5.1.4. Trapdoor Generation

If the uses his key and keyword set to generate a trapdoor to search an attribute status of the vehicle that contains the query keyword , as follows. (i)Trapdoor. The randomly selects and computes and . Then, according to the query keyword , for each attribute , the SU computes , finally gets the search trapdoor and sends it to ES

5.1.5. Search and Predecryption

After receiving the trapdoor and the attribute set from , it is mainly divided into two processes: Search and EdgeDec.(i)Search. The CS or ES first verifies whether the attribute set of embedded in the trapdoor can satisfy the access structure of the ciphertext and stops the search operation if it does not match; otherwise, the keyword search algorithm is executed to match the trapdoor and the index set , as shown as follows:

Correctness verification is as follows:

Obviously, when , there is ; that is, the keyword search algorithm is successful and outputs “1,” otherwise, outputs “0.” (ii). After the keyword search is successful, the ES will perform the ciphertext predecryption operation for . Define , expressed as ; there must be a set of constants makes , and calculates the following:

The ES constructs partially decrypted ciphertext and returns it to .

5.1.6. User Decryption

(i)After receiving the partially decrypted ciphertext, the SU uses the blind value to compute to obtain the symmetric key and then uses to obtain the plaintext vehicle data

5.2. Attribute Revocation and Update

The access right change of SU requires the update of their attributes to avoid malicious users from using expired keys to access unauthorized information. Each AA in the CEABKS-MA system manages a disjoint set of attribute collections and performs attribute update operations only for users in the domain, effectively spreading the computational and storage burden of the CA and obtaining higher efficiency.

When there are some attributes to be updated, the first updates the attribute version key and then generates the transformation key to update SU’s key and the vehicle ciphertext stored in ES or CS. Moreover, the CEABKS-MA system only updates a small portion of the attribute-related key and ciphertext; the attribute update algorithm is as follows. (i)If the attribute of SU managed by is revoked, the inputs , and the revoked attribute randomly chooses a new value and computes the updated attribute version key as , . Finally, the sends to ES or CS(ii)Key Update. The informs SU that has the attribute and has not been revoked to upload the relevant part of the key component with the revoked attribute to for updating. After receiving the data uploaded by SU, the computes and returns it to SU whose attributes have not been revoked(iii)Ciphertext Update. When the attribute of SU is revoked, the needs to update the ciphertext synchronously. Due to the limited computing resources of VN, updating the attribute ciphertext associated with attribute on ES or CS

5.3. Online/Offline Encryption
5.3.1. Ciphertext Online/Offline Generation

To avoid the heavy burden of encrypting computation as well as to improve the efficiency of encryption, the CEABKS-MA system is extended to support ciphertext online/offline generation, as follows. (i)Offline Encryption. Let the maximum number of lines in the access structure embedded in the vehicle ciphertext be . The VN chooses random elements and computes , , , , , , , and . Finally, the VN generates the offline vehicle attribute ciphertext and the offline vehicle attribute encrypted index (ii)Online Encryption. The VN selects a random vector , as the secret shared value of the access structure and computes , . Then, the VN computes and and gets the complete vehicle attribute ciphertext . Finally, for , the VN computes and gets the complete vehicle attribute encrypted index

5.3.2. Trapdoor Online/Offline Generation

Similarly, the trapdoor generation part is divided into the online/offline phase to improve the computation efficiency of SU. (i)Offline Generation. The SU randomly selects and computes , , and , then gets the offline part of the trapdoor . The SU saves it to avoid duplicate operations during the search(ii)Online Generation. Based on the vehicle attribute keyword , for each attribute , the SU computes and gets the online trapdoor , then gets the final trapdoor (iii)Predecryption Phase. In the predecryption phase, the CS or ES first computes and , which can be predecrypted by using the predecryption formula (4)

5.4. Cloud-Edge-End Collaborative Search Method

This paper designs a cloud-edge-end collaborative search method to provide a more efficient and flexible search while reducing user burden. The specific search process is shown in Figure 3.

The object task in the proposed search method has changed compared to the cloud-based search method. In the ciphertext upload phase, the vehicle carries sensors to monitor the vehicle state in real-time, and the VN encrypts the vehicle data and uploads the ciphertext to the nearby ES periodically for reducing communication cost and latency caused by long-distance communication toward CS. And after the VN forwards a new round of the ciphertext, the ES uploads the historical ciphertext to CS to reduce the computation and storage burden. In the search phase, the SU only needs to send the trapdoor to ES for instant and historical search; at the same time, the corresponding ciphertext after a successful query is finally returned to SU after predecryption by ES, and the SU only needs to perform marginal decryption operation to decrypt it.

6. Safety and Performance Simulation Validation

6.1. Security Analysis

The CEABKS-MA system proposed in this paper can achieve IND-CPA security and IND-CKA security presented in Section 4.3 and is analyzed in detail as follows.

Theorem 3. Under the assumption that the Decisional q-parallel Bilinear Diffie-Hellman Exponent (BDHE) assumption [44] holds, that the advantage of all polynomial-time opponents who can win the IND-CPA game can be ignored.

Proof. Assume that adversary A can break the CEABKS-MA system by a nonnegligible advantage . A chooses a challenging matrix , and then, B handles the q-DBDHE problem as follows.
Setup. Given a q-DBDHE challenge instance , B first chooses and sets ; then, B defines the public key component . B chooses a random value for each and sets . To simulate the group elements , B picks a random element for each . Let , then B sets as follows: where denotes the set of indices . If , B sets , and the values of are randomly distributed due to .
Phase 1. In this phase, B needs to answer A’s key queries. Assume that A provides an attribute set that do not satisfy , and B chooses a vector such that for all have . Then, B randomly chooses an element and defines as follows: Then, B computes : Based on the definition of above, it can be inferred that contains which can be cancelled by . Thus, B computes as follows: For each attribute , B defines if sets . Under this condition, B cannot simulate for the attribute in , since contains the term . If there exists a set such that and B computes as follows: A sends a revoked attribute to perform an updated attribute version key query. B randomly selects a new value and computes the updated attribute version key as and returns it as A.
Challenge. A submits two challenging messages to B with corresponding encryption keys , and then, B randomly selects and computes . However, since the ciphertext component contains some terms that should be removed, it is difficult to simulate , where . To solve this problem, B randomly chooses and shares the secret as follows: Furthermore, B chooses random elements . Let be the set of all satisfying . Finally, B outputs as follows: Phase 2. Phase 2 has the same process as Phase 1.
Guess. A returns a guess bit , if ; B returns “0” indicating that ; otherwise, B returns “1” indicating that is a randomly chosen element of the group . When is a tuple, B returns a perfect simulation, which then yields . When is a random element in the group and the encryption key is completely hidden from A, then one obtains . Thus, B simulates the above security game with a nonnegligible advantage. This completes the proof of Theorem 3.

Theorem 4. Based on a given one-way hash function , the CEABKS-MA system prevents chosen keyword attacks.
Selecting a random value , the advantage of adversary A in distinguishing between and is the same as the advantage of distinguishing between and with the same advantage. Assume that A can distinguish between and , and the defined secure interactive game is as follows.

Proof. Setup. B randomly selects and returns the public key to A.
Phase 1. A can query and for keys and trapdoors in polynomial time. (i). B computes and sends to A(ii). B randomly selects and computes , , and according to query keyword , which gives the trapdoor Challenge. A inputs two keywords of the same length . B selects and picks . If , B sets , , and , otherwise, sets , , and .
Phase 2. A performs a query similar to Phase 1 but restricts .
Assume that and if A can construct using the term returned by the query, then A can distinguish between and . Thus, it needs to be shown that A can only use the term to construct by a negligible advantage.
Let , where and are two introjection functions mapped from to a set with elements. In the mapping between and , the advantage of adversary A in distinguishing elements is negligible, so it is only necessary to consider the probability of adversary A in constructing using .
If A want to get from , since only contains , must contain to get . A will try to construct based on . However, A also needs to get containing the term and the secret value . Since only B has the primary key , A cannot obtain .
Thus, it can be concluded that adversary A cannot distinguish and . That is, the CEABKS-MA system is secure in the chosen keyword attack game, which completes the proof of Theorem 4.

In addition, the CEABKS-MA system can resist collusion attacks by users and achieve the security of user key. (1) The CEABKS-MA system prevents user collusion attacks by assigning a global identifier to each DU. In , the key component is associated with a random value , so it is difficult for a malicious user to isolate the value from a given key to perform collusion queries in the absence of a random value . (2) The search user uses a random value to blind the key when performing queries to ensure the security and confidentiality of the user’s key.

6.2. Performance Analysis

The CEABKS-MA system implements fine-grained keyword search, multiauthority structure, and attribute update and has high efficiency in both key and trapdoor generation as well as search and decryption phases. Table 1 shows a functional comparison between the CEABKS-MA system and other existing systems [2931].

The theoretical computation and storage costs of the CEABKS-MA system and the existing scheme [29] are analyzed, as shown in Tables 2 and 3, respectively. For the computation costs in Table 2, we mainly consider several more time-consuming operations, namely, bilinear pairing operation and exponential operation or in group or . The number of system attributes is denoted as and for the CEABKS-MA system and HP-CPABKS system, respectively, and the number of user attributes is denoted as . Since the CEABKS-MA system uses a distributed key distribution structure, in practice, the CEABKS-MA system consumes less time than the HP-CPABKS system in Keygen and Trapdoor. The computation cost of the CEABKS-MA system in Encrypt will be higher than that of the HP-CPABKS system when setting , but the online/offline encryption method is extended to the proposed system, and the ciphertext generation is a one-time operation. In Search, the computation cost of the CEABKS-MA system is constant, and the search efficiency is much higher than that of the HP-CPABKS system.

For the storage costs in Table 3, element lengths in are defined as , respectively. When , the storage cost of the CEABKS-MA system in Setup is higher due to the added attribute update function. Similar to the computation cost analysis, the storage cost of the CEABKS-MA system is much lower than that of the HP-CPABKS system in Keygen and Trapdoor, and the storage cost in Trapdoor is constant, which is more suitable for resource-constrained devices.

To verify the above theoretical analysis, we present an experimental analysis of the computation efficiency and storage consumption of the CEABKS-MA system and the HP-CPABKS system. The experimental simulation is Windows 10, Intel(R) Core(TM) i3-8100 [email protected] GHz. The programming language is C and parsing-based cryptography (PBC) libraries. The parameters related to computation and storage costs are set as bits, bits, , and .

Figure 4 shows the actual computation time comparison of different systems in each phase; in Figure 4(a), the computation cost of both systems in Setup increases with the expanding number of system attributes, and the CEABKS-MA system costs slightly more time than the HP-CPABKS system, which is consistent with the theoretical analysis, but note that in practice. The number of system attributes in Figures 4(b) and 4(c) is fixed at ; it can be seen that the time consumption of the CEABKS-MA system in Keygen and Trapdoor increases linearly with the number of user attributes but is still much lower than that of the HP-CPABKS system, and , so the CEABKS-MA system has higher efficiency and application value for search users with limited computational resources. Figure 4(d) shows the comparative analysis of search time, which is constant and much lower than that of the HP-CPABKS system.

Figure 5 shows the actual storage cost comparison of different systems in each phase, where Figures 5(a)5(c) are consistent with the reasons analyzed in Figures 4(a)4(c); in Figure 5(d), the storage cost of the CEABKS-MA system in Encrypt is slightly higher than that of the HP-CPABKS system; due to , the ciphertext storage cost of the CEABKS-MA system is still limited.

7. Conclusion

In this paper, we propose a secure and efficient CEABKS-MA system to support IoV data sharing. The cloud-edge-end collaborative search architecture is designed to meet the real-time search requirements of users and alleviate the severe computation and storage overload problem in the cloud. The multiauthority structure is designed to effectively avoid single-point performance bottlenecks. In addition, the proposed system implements fine-grained keyword search for specified vehicle attributes and extends lightweight encryption and decryption to support attribute updates. Then, this paper demonstrates that the CEABKS-MA system can achieve IND-CPA and IND-CKA security. Experimental simulations prove that the proposed system can effectively reduce computation and storage costs. Since the search query of users is diverse and personalized, on the basis of protecting user privacy, we will dig deeper into users’ search intentions and provide users with more intelligent search results.

Data Availability

This article is based on the PBC cryptography library for verification; the real data used to support the findings of this study are available from the corresponding author upon request.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work was supported by the National Natural Science Foundation of China (61901071, 61871062, 61771082, U20A20157), the General Project of Natural Science Foundation of Chongqing (cstc2019jcyj-msxmX0303), the Science and Natural Science Foundation of Chongqing, China (cstc2020jcyj-zdxmX0024), the University Innovation Research Group of Chongqing (CXQT20017), and the Program for Innovation Team Building at Institutions of Higher Education in Chongqing (CXTDX201601020).