## 1. Introduction

With the rise and popularity of cloud computing technology, more and more data users are motivated to outsource their data to cloud for storage, and start to enjoy the various advantages brought by cloud computing, such as large storage capacity, flexible accessibility and vast computationality. By outsourcing data to the cloud, data users are relieved from the heavy burden of local storage and management costs. However, as the cloud server is not fully trusted and the outsourced data may contain sensitive information, sensitive data privacy and security in the cloud naturally become a primary concern for users. In order to address this issue, sensitive data should be encrypted before outsourcing to the cloud. Typical practical applications include cloud-based storage systems, such as electronic medical record systems where electronic health record data-sharing can help doctors to effectively assess patients’ conditions and make correct treatments. To prevent the leakage of patient information, we store the encrypted medical data on the cloud. Although encryption can ensure the confidentiality of data, it brings the inconvenience of data access and processing. For example, when doctors want to query the required medical data, the cloud server needs to perform search functions without knowing the content of the data. However, the conventional information retrieval methods based on plaintext can not directly be used on ciphertext. Therefore, how to search over encrypted data is of importance and becomes a new challenge.

Homomorphic encryption [

1,

2] can operate on encrypted data, it can be used to search the keyword over encrypted data theoretically. However, constructions based on homomorphic encryption needs large key sizes and brings huge communication costs. To better solve the keyword search problem over encrypted data, searchable encryption (SE) was proposed as an efficient solution. SE not only enables users to search queries over encrypted data stored on an untrusted server but also protects data privacy and search privacy. Compared with homomorphic encryption, SE is designed for keyword search, which is more efficient.

Song et al. [

3] seminally proposed the notion of searchable encryption, which was the first concrete symmetric searchable encryption (SSE) construction. Subsequently, a number of efficient SSE schemes [

4,

5,

6,

7,

8,

9,

10] have been proposed. However, data users have to securely share key for encryption in SSE schemes due to the property of symmetric cryptography. Therefore, most SSE schemes inevitably suffer from secret key distribution and management problems. Later, at Eurocrypt’04, Boneh et al. [

11] first introduced the concept of public key searchable encryption based on the public key encryption algorithm, namely public key encryption with keyword search (PEKS). PEKS solved the secret key management and distribution yield by SSE, so PEKS has aroused great attention in research and has a broader application prospect.

PEKS is a critically important and promising technique, and this paper concentrates on PEKS. At present, various PEKS schemes have been proposed in the literature [

12,

13,

14,

15,

16,

17,

18,

19,

20], and PEKS has been rapidly developed [

21]. Most existing PEKS schemes focus on data users’ rich search functionalities, such as conjunctive keyword search [

14] and multi-keyword search [

20]. In the above schemes, all search users can be regarded as authorized users, who can have unrestricted access to the system. However, it is not suitable for practical requirements. For example, only the mail receiver is allowed to search on the encrypted emails in the cloud-based email system, while other users have no such permissions. To solve this problem, CP-ABE technology is widely adopted as a viable tool to achieve flexible data access control over encrypted data, which can gain one-to-many encryption instead of one-to-one.

Zheng et al. [

22] constructed an attribute-based keyword search scheme on the basis of CP-ABE, however, computation and storage costs grow linearly with the number of system attributes. Yin et al. [

23] improved the work of Zheng, but encryption and key generation operations also lead to much higher computational overheads. Thus, in this paper, we propose a new privacy-preserving and efficient public key encryption with keyword search scheme based on ciphertext-policy attribute-based encryption (PEKS-CPABE) to support both fine-grained access control and keyword search over encrypted data simultaneously. Specifically, the main contributions of this paper can be summarized as follows.

We propose an efficient and privacy-preserving PEKS-CPABE scheme, which enables the data owner to control the search and use of its outsourced encrypted data in the cloud according to its access control policy. Our scheme can achieve keyword search queries over encrypted data with fine-grained access control;

We formalize the security definition, and prove that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack and can also ensure keyword privacy;

We present the performance analysis in terms of theoretical analysis and experimental analysis, and demonstrate the efficiency of our scheme. Finally, the experimental results show that our PEKS-CPABE scheme performs better than the CP-ABKS scheme proposed in [

22] and CP-ABSE scheme proposed in [

23].

The remainder of this paper is organized as follows:

Section 2 presents an overview of related work.

Section 3 reviews some necessary and basic preliminary notions used in this paper.

Section 4 defines the system model, algorithm description and security model of our proposed scheme.

Section 5 introduces the concrete construction of our proposed scheme.

Section 6 provides detailed security proof of our proposed scheme.

Section 7 shows the performance analysis of our proposed scheme in terms of theoretical analysis and experimental analysis. Finally,

Section 8 summarizes this paper.

## 2. Related Work

In 2004, Boneh et al. [

11] devised the first public key searchable encryption scheme based on a standard public key encryption algorithm. In this scheme, multiple users are allowed to encrypt data using the public key, but only the private key holder can search the keyword over encrypted data. Inspired by Boneh et al. pioneering work, more and more researchers have been working on the public key searchable encryption to achieve various functionalities. Park et al. [

13] first proposed a PEKS scheme to support conjunctive keyword search on encrypted data. Subsequently, Boneh and Waters [

14] extended PEKS to support conjunctive, subset, and range queries on encrypted data. Later on, Lv et al. [

18] proposed an expressive and secure PEKS scheme based on composite-order groups to support conjunctive, disjunctive and negation search operations that can be extended to support a range search. Huang and Li [

19] proposed a public key authenticated encryption with keyword search scheme that can resist the inside keyword guessing attack, in which the data user can use the secret key to authenticate the data. Recently, Zhang et al. [

20] constructed a novel PEKS scheme supporting semantic multi-keyword search by leveraging an efficient inner product encryption technology. These schemes guarantee that data users are able to efficiently perform search queries and prevent the untrusted cloud server from infringing data confidentiality and search privacy.

Attribute-based encryption (ABE), as a useful data encryption tool to address the problem of fine-grained data sharing and decentralized access control, was first proposed by Sahai and Waters [

24]. This kind of new cryptographic technology enables users to achieve access control over encrypted data by using an access control policy associated with the private key or ciphertext. There are two types of attribute-based encryption, depending on whether the private key or ciphertext is associated with the access control policy, namely key-policy attribute-based encryption (KP-ABE) and ciphertext-policy attribute-based encryption (CP-ABE). Goyal et al. [

25] proposed the first KP-ABE scheme, where the private key is associated with an access control policy and the ciphertext is associated with attributes. A user can decrypt a ciphertext only if the attributes that are used for encryption satisfy the access policy on the user private key. Bethencourt et al. [

26] proposed the first CP-ABE scheme, where the ciphertext is associated with an access control policy and the key is associated with attributes. A user can decrypt a ciphertext only if the attributes on the user private key satisfy the access policy associated with the ciphertext. Compared with KP-ABE, CP-ABE is a preferred choice for designing an access control mechanism, because it is conceptually closer to traditional role-based access control.

Based on the special features of ABE, Zheng et al. [

22] proposed a ciphertext-policy attribute-based keyword search (CP-ABKS) scheme, in which keywords are encrypted with an access control policy so that only data users with a legitimate credential can generate the trapdoor used to search over encrypted data. Dong et al. [

27] introduced an enhanced attribute-based keyword search scheme via an online/offline approach. Their schemes mainly consider resource-constrained mobile devices, and allow data owners and data users to perform related operations online and offline. However, two encryption and decryption operations incur huge computational costs. Li et al. [

28] proposed an attribute-based keyword search scheme with outsourcing key-issuing and outsourcing decryption, which is shown to be secure against chosen-plaintext attack, but it introduces three cloud storage providers and needs a number of expenses. Sun et al. [

29] designed an authorized keyword search scheme with user revocation by utilizing CP-ABE technology, however, the computational costs in the trapdoor generation grow linearly with the number of system attributes. Qiu et al. [

30] proposed a hidden policy attribute-based keyword search scheme to protect the privacy of the access control policy, which incurs abundant computational costs at the same time. Recently, Yin et al. [

23] proposed a ciphertext-policy attribute-based searchable encryption scheme, and improved the scheme of Zheng et al. Inspired by both the work of Zheng and Yin, in this paper, we propose a new privacy-preserving and efficient public key encryption with a keyword search scheme based on ciphertext-policy attribute-based encryption (PEKS-CPABE) to support both fine-grained access control and keyword search over encrypted data simultaneously.

## 3. Preliminaries

In this section, we review some necessary and basic preliminary notions used in this paper.

#### 3.1. Bilinear Map

Let $\mathbb{G}$ and ${\mathbb{G}}_{T}$ be two multiplicative cyclic groups with the same prime order, p. g is a generator of $\mathbb{G}$. Let $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{T}$ be a computable bilinear map. The map $\widehat{e}$ has the following properties:

Bilinearity: Given $a,b\in {\mathbb{Z}}_{p}^{\ast}$ and for all $g\in \mathbb{G}$, there exists $\widehat{e}({g}^{a},{g}^{b})=\widehat{e}{(g,g)}^{ab}$;

Non-degeneracy: $\widehat{e}(g,g)\ne 1$;

Computability: Given $a,b\in {\mathbb{Z}}_{p}^{\ast}$ and for all $g\in \mathbb{G}$, there is an efficient algorithm to compute $\widehat{e}({g}^{a},{g}^{b})\in {\mathbb{G}}_{T}$.

#### 3.2. Decisional Bilinear Diffie-Hellman Assumption

Decisional Bilinear Diffie–Hellman (DBDH) Assumption is given as follows: Let $\mathbb{G}$ be a cyclic group with prime order p. g is a generator of $\mathbb{G}$. $\widehat{e}:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_{T}$ is a bilinear map. We define the advantage as $\u03f5$ of a PPT adversary $\mathcal{A}$ to solve the DBDH problem as $Ad{v}_{\mathcal{A}}^{DBDH}\left(\lambda \right)=|Pr[\mathcal{A}(g,{g}^{a},{g}^{b},{g}^{c},\widehat{e}{(g,g)}^{abc})=1]-Pr[\mathcal{A}(g,{g}^{a},{g}^{b},{g}^{c},e{(g,g)}^{z})=1]|\u03f5$, where $a,b,c,z\in {\mathbb{Z}}_{p}^{\ast}$. We say that the DBDH assumption holds if the PPT adversary has a negligible advantage $\u03f5$ in solving the DBDH problem.

#### 3.3. Access Structure

Access structure is defined by the concepts of an authorized access subset and unauthorized access subset. Let $P=\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$ be a set of parties. A collection $\mathbb{A}\subseteq {2}^{P}$ is monotone if $\forall B,C$: if $B\in \mathbb{A}$ and $B\subseteq C$, then $C\in \mathbb{A}$. A monotone access structure is a monotone collection $\mathbb{A}$ which is a non-empty subset for $\{{P}_{1},{P}_{2},\cdots ,{P}_{n}\}$, i.e., $\mathbb{A}\subseteq {2}^{P}\setminus \{\u2300\}$. The set in $\mathbb{A}$ is called an authorized set, and the set not in $\mathbb{A}$ is called an unauthorized set.

#### 3.4. Access Tree

An access tree is usually used to represent an access control policy. Let T be an access tree, and each non-leaf represents a threshold gate described by a threshold value and the number of its children nodes. Let $nu{m}_{x}$ represent the number of children of node x, and the children be labeled from the left to the right as $\{1,\cdots ,nu{m}_{x}\}$. Let ${k}_{x}$ represent the threshold value of x with $1\le {k}_{x}\le nu{m}_{x}$. If ${k}_{x}=1$, the logic gate of node x is an “OR” gate. If ${k}_{x}=nu{m}_{x}$, the logic gate of node x is an “AND” gate. In an access tree T, a leaf is associated with an attribute, so each leaf node of T is described by an attribute and a threshold value ${k}_{x}=1$.

Let $parent\left(x\right)$ denote the parent of node x, $att\left(x\right)$ denote the attribute associated with leaf node x, and $lvs\left(T\right)$ denote the set of leaves of the access tree T. Let $index\left(x\right)$ denote the label of the node x, and ${T}_{x}$ represent the subtree of T rooted at node x (thus, ${T}_{root}=T$). If an attribute set $\gamma $ meets the access tree ${T}_{x}$, we denotes it as ${T}_{x}\left(\gamma \right)=1$. Otherwise, ${T}_{x}\left(\gamma \right)=0$. When x is a leaf node, if and only if $att\left(x\right)\in \gamma $, then ${T}_{x}\left(\gamma \right)=1$. When x is a non-leaf node, we can compute ${T}_{{x}^{\prime}}\left(\gamma \right)$ for each child node ${x}^{\prime}$ of node x. If at least ${k}_{x}$ children of the node x return 1, then ${T}_{x}\left(\gamma \right)=1$.

## 6. Security Proof

In this section, we give the security proof of the proposed PEKS-CPABE scheme. Based on the aforementioned security model, we provide a detailed security proof that our scheme achieves selective indistinguishability security against an adaptive chosen keyword attack.

**Theorem** **1.** PEKS-CPABE scheme achieves IND-CKA security on the condition that DBDH problem is intractable.

**Proof.** Assume that $\mathcal{A}$ is an adversary that can break our proposed scheme, then we can construct a simulator $\mathcal{B}$, and the goal is to distinguish between the DBDH tuple $({g}^{a},{g}^{b},{g}^{c},Z=\widehat{e}{(g,g)}^{abc})$ and a random tuple $({g}^{a},{g}^{b},{g}^{c},Z=\widehat{e}{(g,g)}^{z})$ where $a,b,c,z\in {\mathbb{Z}}_{p}^{\ast}$. The IND-CKA security game between the adversary $\mathcal{A}$ and the simulator $\mathcal{B}$ is conducted as follows.

**Init:** The adversary $\mathcal{A}$ first chooses an access tree ${T}^{\ast}$ to be challenged, which is sent to the simulator $\mathcal{B}$;

**Setup:** The simulator $\mathcal{B}$ randomly chooses $\alpha ,\beta \in {\mathbb{Z}}_{p}^{\ast}$, and computes ${g}^{\alpha}$,${g}^{\beta}$, $\widehat{e}{(g,g)}^{\alpha}$. Then, $\mathcal{B}$ returns the public parameter $pp=(\mathbb{G},{\mathbb{G}}_{T},p,\widehat{e},g,{g}^{\alpha},{g}^{\beta},{H}_{1},{H}_{2})$ which is sent to adversary $\mathcal{A}$. ${H}_{2}\left({w}_{i}\right)$ is simulated as follows. If the ${w}_{i}$ has not been queried before, the simulator $\mathcal{B}$ randomly chooses ${\rho}_{i}\in {\mathbb{Z}}_{p}^{\ast}$, adds $({w}_{i},{\rho}_{i})$ to the list ${O}_{{H}_{2}}$ and outputs ${g}^{{\rho}_{i}}$; otherwise, the simulator $\mathcal{B}$ returns ${g}^{{\rho}_{i}}$ by searching ${\rho}_{i}$ from ${O}_{{H}_{2}}$;

**Phase 1:**$\mathcal{A}$ can adaptively ask the simulator $\mathcal{B}$ for the trapdoors ${T}_{{w}_{i}}$ of a series of keywords ${w}_{i}$, and issue the ${O}_{KeyGen}$ and ${O}_{Trapdoor}$ oracles as follows.

${O}_{KeyGen}$: The adversary $\mathcal{A}$ can adaptively ask the simulator $\mathcal{B}$ for a group of private keys $S{K}_{{U}_{1}},\cdots ,S{K}_{{U}_{n}}$ of some attributes ${S}_{{U}_{1}},\cdots ,{S}_{{U}_{n}}$. The attribute sets embedded into corresponding private keys do not satisfy ${T}^{\ast}$. The simulator $\mathcal{B}$ randomly selects $r\in {\mathbb{Z}}_{p}^{\ast}$ and computes $K={g}^{\frac{\alpha +r}{\beta}}$. For each attribute $a{t}_{j}\in {S}_{U}$, compute ${K}_{a{t}_{j}}={g}^{r}{g}^{{H}_{1}\left(a{t}_{j}\right)}$. The simulator $\mathcal{B}$ sends the private key $S{K}_{U}=(K,{K}_{a{t}_{j}})$ to $\mathcal{A}$, and maintains a list ${L}_{S{K}_{U}}$ of private keys.

${O}_{Trapdoor}$: The simulator $\mathcal{B}$ first searches the ${O}_{KeyGen}$ oracle to obtain the secret key as

$(K,\left\{({K}_{a{t}_{j}},{K}_{a{t}_{j}}^{\prime})\right|\forall a{t}_{j}\in {S}_{U}\})$. Then, $\mathcal{B}$ computes ${T}_{0}=K{H}_{2}\left({w}_{i}\right)={g}^{\frac{\alpha +{r}^{\ast}}{\beta}}{g}^{{\rho}_{i}}$. For each $a{t}_{j}\in {S}_{U}$, compute ${T}_{a{t}_{j}}={K}_{a{t}_{j}}$. Finally, $\mathcal{B}$ generates the trapdoor as ${T}_{{w}_{i}}=({T}_{0},\left\{\left({T}_{a{t}_{j}}\right)\right|\forall a{t}_{j}\in {S}_{U}\})$, and $\mathcal{B}$ sends ${T}_{{w}_{i}}$ to the adversary $\mathcal{A}$;

**Challenge:** The adversary $\mathcal{A}$ sends the simulator $\mathcal{B}$ two keywords ${w}_{0}$, ${w}_{1}$ on which it wishes to be challenged. The simulator $\mathcal{B}$ randomly selects a bit $b\in \{0,1\}$ to encrypt and generates the encrypted keyword index as follows: ${I}_{1}^{\ast}=Z\widehat{e}({g}^{a\beta},{H}_{2}\left({w}_{b}\right))$, ${I}_{2}^{\ast}={g}^{a\beta}$, ${A}_{x}^{\ast}={g}^{{q}_{x}\left(0\right)}$, ${B}_{x}^{\ast}={g}^{{H}_{1}\left(att\left(x\right)\right){q}_{x}\left(0\right)},\forall x\in lvs\left({T}^{\ast}\right)$. Namely, ${I}_{{w}_{b}}=({T}^{\ast},{I}_{1}^{\ast},{I}_{2}^{\ast},\left\{({A}_{x}^{\ast},{B}_{x}^{\ast})\right|\forall x\in lvs\left({T}^{\ast}\right)\})$ where $a\in {\mathbb{Z}}_{p}^{\ast}$. Then, $\mathcal{B}$ sends ${I}_{{w}_{b}}$ to the adversary $\mathcal{A}$;

**Phase 2:** The adversary $\mathcal{A}$ can repeat query in **Phase 1** and continue to ask for any keyword of his choice, except for the ${w}_{0}$,${w}_{1}$;

**Guess:** The adversary $\mathcal{A}$ outputs its guess ${b}^{\prime}$ of b. If ${b}^{\prime}=b$, $\mathcal{B}$ outputs 1; otherwise $\mathcal{B}$ randomly outputs 0 or 1.

There are two conditions, as follows:

If $Z=\widehat{e}{(g,g)}^{abc}$, a valid ciphertext ${I}_{{w}_{b}}$ is given to the adversary $\mathcal{A}$, and the adversary $\mathcal{A}$ has an advantage $\u03f5$ to win this game.

The ciphertexts ${I}_{{w}_{b}}$ is valid. ${I}_{1}^{\ast}=Z\widehat{e}({g}^{a\beta},{H}_{2}\left({w}_{b}\right))=\widehat{e}{(g,g)}^{abc}\widehat{e}({g}^{a\beta},{H}_{2}\left({w}_{b}\right))$, ${I}_{2}^{\ast}={g}^{a\beta}$. Since $\alpha ,s$ are randomly selected, $a,b,c,\in {\mathbb{Z}}_{p}^{\ast}$, let $a=s,bc=\alpha $, ${I}_{1}^{\ast},{I}_{2}^{\ast}$ can be denoted as ${I}_{1}^{\ast}=\widehat{e}{(g,g)}^{s\alpha}\widehat{e}({g}^{s\beta},{H}_{2}\left({w}_{b}\right))$, ${I}_{2}^{\ast}={g}^{s\beta}$. This means ${I}_{{w}_{b}}$ is the valid ciphertext. Through $\u03f5$ is the advantage that the adversary $\mathcal{A}$ outputs a correct guess, therefore we have that $Pr[\mathcal{B}(g,{g}^{a},{g}^{b},{g}^{c},Z=\widehat{e}{(g,g)}^{abc})=1]=\frac{1}{2}+\u03f5$;

If $Z\ne \widehat{e}{(g,g)}^{abc}$, ${I}_{{w}_{b}}$ is a random ciphertext. $\mathcal{A}$ has nothing to do with the guess, so the adversary $\mathcal{A}$ cannot acquire any advantage in this IND-CKA security game but a random guess. Therefore, we have $Pr[\mathcal{B}(g,{g}^{a},{g}^{b},{g}^{c},Z=\widehat{e}{(g,g)}^{z})=1]=\frac{1}{2}$.

Finally, the overall advantage that $\mathcal{B}$ can solve the DBDH problem in the IND-CKA security is as follows: $Ad{v}_{\mathcal{B}}^{IND-CKA}\left(\lambda \right)=\frac{1}{2}(\frac{1}{2}+\u03f5)+\frac{1}{2}\xb7\frac{1}{2}-\frac{1}{2}=\frac{\u03f5}{2}$

Thus, we have a conclusion that if the probabilistic polynomial time adversary $\mathcal{A}$ has a non-negligible advantage $\u03f5$ in breaking IND-CKA security, then we can construct a simulator $\mathcal{B}$ to solve the DBDH problem with the non-negligible advantage $\frac{\u03f5}{2}$. From the above analysis, we know that our proposed PEKS-CPABE scheme is IND-CKA secure on the condition that the DBDH problem is intractable. This completes the proof. □

## 7. Performance Analysis

In this section, we show the performance analysis of our proposed PEKS-CPABE scheme in terms of theoretical analysis and experimental analysis, and further compare our proposed scheme with the state-of-the-art CP-ABKS [

22] scheme and CP-ABSE [

23] scheme.

Table 1 shows the notations of the performance analysis. For the theoretical analysis, we mainly focus on the computation cost and storage cost. For convenience of comparison, we mainly consider several time-consuming operations, as follows: the bilinear pairing operation

$Pair$ mapping two elements in group

$\mathbb{G}$ to group

${\mathbb{G}}_{T}$, the hash function operation

H mapping the arbitrary string to an element in group

$\mathbb{G}$, a modular exponentiation operation

${E}_{\mathbb{G}}$ in

$\mathbb{G}$ and a modular exponentiation operation

${E}_{{\mathbb{G}}_{T}}$ in

${\mathbb{G}}_{T}$. We ignore the multiplication operations and hash operations mapping the arbitrary string to an element in group

${\mathbb{Z}}_{p}^{\ast}$ because of the increased efficiency.

#### 7.1. Theoretical Analysis

In

Table 2, we evaluate the computation cost of

**KeyGen** algorithm,

**Encryption** algorithm,

**TrapGen** algorithm and

**Search** algorithm under the same access control policy tree, respectively. We observe that our scheme is much more efficient than the CP-ABKS [

22] scheme and CP-ABSE [

23] scheme in the

**KeyGen** algorithm and

**Encryption** algorithm. Although we notice that our scheme has a higher computational overhead than the CP-ABSE [

23] scheme in the

**TrapGen** algorithm, the hash function operation time is minimal. In the

**Search** algorithm, our scheme performs similarly to that of CP-ABSE [

23] scheme, and the PEKS-CPABE scheme has a better performance than the CP-ABKS [

22] scheme.

In

Table 3, we show the storage cost comparison. We observe that the storage cost of our scheme outperforms the CP-ABKS [

22] scheme and CP-ABSE [

23] scheme in the

**KeyGen** algorithm. In the execution

**Encryption** algorithm and

**TrapGen** algorithm, the storage cost of our scheme is the same as that of the CP-ABSE [

23] scheme, but much less than that of the CP-ABKS [

22] scheme. Although the CP-ABSE scheme has better search performance than the CP-ABKS scheme, the cost of

**KeyGen** algorithm and

**Encryption** algorithm bring in a much higher overhead. Our scheme solves this problem at the same time, with greater efficiency, therefore, with respect to theoretical analysis, our scheme is acceptable in the cloud.

#### 7.2. Experimental Analysis

To evaluate the actual performance of our scheme, we implement CP-ABKS [

22], CP-ABSE [

23] and our scheme using Java language based on the Java Pairing Based Cryptography Library (JPBC) [

31]. Our experimental platform is based on a Windows 10 server with Intel(R) Core(TM) i7-8565U CPU @ 1.80 GHz and 8.00GB RAM. The running environment of our experiment is Java Runtime Environment 1.8 (JRE1.8). In our experiment, we instantiated the bilinear map with Type A:

${y}^{2}={x}^{3}+x$. For comparison convenience, we set the access policy tree as “AND” access tree “

$a{t}_{1}$ AND

$a{t}_{2}$ AND, ⋯, AND

$a{t}_{N}$”, and the number of a data user’s attributes

S is equal to the number of attributes that are involved in the access policy, from 1 to 50 with step length 10, namely,

$N=S\in [1,50]$. We conduct each experiment many times to obtain the average execution time under the same access control policy.

Figure 2 shows the performance comparison of various schemes.

As shown in

Figure 2a, we can find that the time of key generation in our scheme is more efficient than the CP-ABKS scheme and CP-ABSE scheme. For example, when setting

$N=50$, our scheme needs 1061 ms to generate keys, however, both CP-ABKS scheme and CP-ABSE scheme need 4333 and 4314 ms, respectively. As illustrated in

Figure 2b, in our scheme, the time cost to generate ciphertexts is the lowest out of the three schemes. For example, when setting

$N=50$, our scheme needs 3074 ms to generate ciphertexts, however, both the CP-ABKS scheme and CP-ABSE scheme need 4375 and 4277 ms, respectively. From

Figure 2c,d, we can show that our scheme has the better search performance. In the execution of trapdoor generation and search, our scheme and the CP-ABSE scheme outperform the CP-ABKS scheme. Therefore, our scheme is acceptable in practice and suitable for the cloud.