Field of the Invention

This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure. In particular, the invention enables encrypted documents stored in a database to be searched to determine if there are documents that contain public-key encrypted keywords that satisfy an expressive keyword access structure, which contains conjunctive, disjunctive or any monotonic Boolean formulas whereby the search process is carried out without disclosing the underlying plaintext of the keywords in the encrypted documents.

Summary of the Prior Art

Most users tend to store various types of documents, including documents that contain private and sensitive information, in remote data servers. Such data servers are typically managed and owned by an external entity. While contractual obligations would compel the external entity to take security measures to ensure that no unauthorized access of documents stored within the data servers occur, there may be little that prevents the external entity itself from accessing the sensitive information contained within these documents should they wish to do so. Further, although the external entity would have taken security measures to prevent unauthorized access to documents stored within the data servers, security breaches may still inadvertently occur resulting in access to the documents being granted accidentally.

This problem may be addressed by encrypting the information contained within the documents and storing the documents in the data servers in an encrypted format. By doing so, only the owner of the document and authorized users are able to access the information contained within the documents as the user would be the only one who would possess the secret key to decrypt the document. In order to facilitate the use and sharing of data contained within the encrypted documents with multiple authorized users, it is highly desirable to have a searchable encryption scheme which allows the database provider to search through encrypted documents stored in its database on behalf of authorized users without gleaning information about the underlying plaintext contained therein.

Searchable encryption schemes that have been proposed thus far include a method that utilizes private-key encryption. This private-key encryption scheme only allows a single user to search and retrieve their data. As such, such a scheme is not suitable for use in cases whereby the encrypted documents are to be shared and/or has to be searchable by multiple authorized data users and/or data providers. Another approach that has been proposed involves the use of private information retrieval (PIR) protocols. These protocols allow users to retrieve certain data-items from a database and the database publicly stores the data without revealing the data-item to the database administrator. This approach is not ideal as it requires the data to be made publicly available and this increases the likelihood of leaks occurring. Other searchable encryption schemes that are commonly used in the art only support single or conjunctive keyword searches. Existing schemes that are able to perform expressive keyword searches are typically computationally inefficient as these schemes are based on bilinear pairings over the composite-order groups.

For the above reasons, those skilled in the art are constantly striving to come up with a system and method that allows a user to search an encrypted database for documents containing a particular expressive keyword access structure in a computationally efficient manner. Summary of the Invention

We provide systems and methods to improve the efficiency of searchable encryption schemes for keyword search policies expressed in conjunction, disjunctive or monotonic Boolean formulas as set out by the embodiments in accordance with the invention.

A first advantage of embodiments of systems and methods in accordance with embodiments of the invention is that the proposed system and method results in a scheme that is much faster than existing solutions.

A second advantage of embodiments of systems and methods in accordance with embodiments of the invention is that encrypted documents containing an expressive keyword access structure may be retrieved from a cloud server without revealing the contents of the encrypted documents to the cloud server.

A third advantage of embodiments of systems and methods in accordance with embodiments of the invention is that keywords associated with the generated trapdoors will not be readable by unauthorized users even though the trapdoors are transmitted through public channels.

According to a first aspect of the invention, a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server comprises receiving public parameters from a trapdoor server , wherein the public parameter is constant; generating a public key g ^Y and a private key γ based on the received public parameters where g is a generator for group G and γ is a random element; receiving a trapdoor T _M,P associated with the expressive keyword access structure, wherein the trapdoor T _M,P comprises: trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having 1 rows and n columns, and a function p mapping the rows of the LSSS matrix M to generic names in a keyword set W associated with the expressive keyword access structure, wherein the keyword set W comprises the generic names and keyword values, and; processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor T _M,P , the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure. In the setup phase of construction, the public parameter is constant rather than linear to the number of keywords, so the method can be used to support the search of large number of keywords. This is very meaningful in a cloud storage system, where data are from different parties. If the keyword number allowed in the system is limited, then it is difficult cover all the keywords that might appear in the documents to meet the searching requirements from all kinds of users.

With reference to the first aspect, in a first possible implementation manner of the first aspect, the public parameters received from the trapdoor server is defined by:

where H is a collision-resistant hash function mapping elements in G1 to elements in G, G is a group of prime order p with the generator g, e: G x G G1 is a symmetric bilinear pairing function, where ιι, η, ω are random group elements in

where where Z ^* are non-zero residuals of modular p.

With reference to the first possible implementation manner of the first aspect, in a second possible implementation manner of the first aspect, the received trapdoor T _M,P associated with the expressive keyword access structure is defined by the following equation: whereby the trapdoor parameters are defined as:

where whereby 1 is the total number of rows in LSSS matrix M, v _; is the value

associated with a row M _; of the LSSS matrix M, M _; is the i-th row of LSSS matrix M , ( where where are residuals of modular p.

With reference to the second possible implementation manner of the first aspect, in a third possible implementation manner of the first aspect, a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation: whereby m is the size of the keyword set of the document, and the first value C of the ciphertext CT is defined as:

where,

where W _; is the i-th keyword value in a keyword set of the document, W _1; ... , W _m are the corresponding keyword values of the keyword set of the document, and

With reference to the third possible implementation manner of the first aspect, in a fourth possible implementation manner of the first aspect, the search token for a retrieved document is computed based on the following equation: search token

whereby where is the set of all minimum subsets satisfying (M, p) and

With reference to the first aspect, in a fifth possible implementation manner of the first aspect the public parameters received from the trapdoor server is defined by:

where G is a group of prime order p with the generator is an asymmetric bilinear pairing function, where u, h, a) are random group elements in

where wherein the public key g ^Y is replaced

by

With reference to the fifth possible implementation manner of the first aspect, in a sixth possible implementation manner of the first aspect, the received trapdoor T _M,P associated with the expressive keyword access structure is defined by the following equation:

whereby the trapdoor parameters are defined as:

where i £ {1 , . . . , 1} whereby 1 is the total number of rows in LSSS matrix M, v _; is the value associated with a row M _; of the LSSS matrix M, M _; is the i-th row of LSSS matrix M , where where Zp are non¬

zero residuals of a modular positive integer p.

With reference to the sixth possible implementation manner of the first aspect, in a seventh possible implementation manner of the first aspect, a ciphertext CT pre-tagged to a document in the encrypted database is defined by the following equation:

whereby m is a size of the keyword set of the document, and a first parameter C of the ciphertext CT is defined as: where,

where W _; is the i-th keyword value in a keyword set of the document, W _1; ... , W _m are the corresponding keyword values of the keyword set of the document, and where Zp are non-zero residuals of a modular positive

integer p.

With reference to the seventh possible implementation manner of the first aspect, in an eighth possible implementation manner of the first aspect, the search token for a retrieved document is computed based on the following equation: search token

whereby where is the set of all minimum subsets satisfying (M, p) and

With reference to the first aspect, in a ninth possible implementation manner of the first aspect, the public key g ^Y is g and the private key γ is 1 .

With reference to the fifth possible implementation of the first aspect, in a tenth possible implementation manner of the first aspect, the public key g ^Y is g and the private key γ is 1 .

Brief Description of the Drawings

The above advantages and features in accordance with this invention are described in the following detailed description and are shown in the following drawings: Figure 1 illustrating a block diagram of a system for searching an encrypted database for an expressive keyword access structure in accordance with embodiments of the invention;

Figure 2 illustrating a block diagram representative of processing systems providing embodiments in accordance with embodiments of the invention;

Figure 3 illustrating an exemplary access tree for converting a monotonic Boolean formula into an equivalent Linear Secret Sharing Scheme (LSSS) Matrix in accordance with embodiments of the invention; and

Figure 4 illustrating a flow diagram of a process for querying an encrypted database of documents containing an expressive keyword access structure in accordance with embodiments of the invention.

Detailed Description

This invention relates to a system and method for searching an encrypted database for documents satisfying an expressive keyword access structure whereby the expressive keyword access structure may include conjunctive, disjunctive or any monotonic Boolean formulas of a set of keywords. In particular, the invention enables public-key encrypted documents stored in a database to be searched for such expressive keyword access structures whereby the search process, which may be initiated by any one of a plurality of authorized users, is carried out without disclosing the underlying plaintext of the words in the encrypted documents. Figure 1 illustrates a block diagram of a system that includes modules and devices that execute processes to provide a method for searching an encrypted database for expressive keyword access structures in accordance with embodiments of the invention. System 100 as illustrated in Figure 1 comprises encryption module 1 10, cloud server 1 15, trapdoor server 120, and searching server 125. Module 1 10, servers 1 15, 120 and 125 may all be connected through wired connections or may be wirelessly connected to each other either through direct means such as fibre-network connections or indirect means - that is via the Internet. Module 1 10 may be provided within, but is not limited to, any device that is able to carry out computing and wireless communicative functions such as a smart phone, a computer, a tablet computer, a mobile computer, a netbook, a wearable electronic device such as smart watch, smart plugs, or transceivers that may be found in smart devices or Internet of Things (loT) enabled devices, and etc.

As for servers 1 15, 120 and 125, these servers may comprise secure cloud servers or remotely located secure servers which are able to communicate wirelessly with module 1 10 and multiple data owners and/or authorized users either through the Internet or through other communicative means. These communicative means may comprise wired networks or wireless networks such as, but are not limited to, cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN), Wireless-Fidelity (Wi-Fi), Bluetooth, or Near Field Communication (NFC). In addition to being configured to carry out computing and wireless communicative functions, servers 1 15, 120 and 125 are also configured to store encrypted documents in a database and/or store private keys. In embodiments of the invention, for increased security, each of servers 1 15, 120 and 125 may be provided at different locations for increased security. Figure 2 illustrates a block diagram representative of components of module 200 that may be provided within module 1 10 and servers 1 15, 120 and 125 for implementing embodiments in accordance with embodiments of the invention. One skilled in the art will recognize that the exact configuration of each module provided within the electronic devices or the servers may be different and the exact configuration of module 200 may vary and Figure 2 is provided by way of example only.

In embodiments of the invention, module 200 comprises controller 201 and user interface 202. User interface 202 is arranged to enable manual interactions between a user and module 200 and for this purpose includes the input/output components required for the user to enter instructions to control module 200. A person skilled in the art will recognize that components of user interface 202 may vary from embodiment to embodiment but will typically include one or more of display 240, keyboard 235 and track-pad 236.

Controller 201 is in data communication with user interface 202 via bus 215 and includes memory 220, processor 205 mounted on a circuit board that processes instructions and data for performing the method of this embodiment, an operating system 206, an input/output (I/O) interface 230 for communicating with user interface 202 and a communications interface, in this embodiment in the form of a network card 250. Network card 250 may, for example, be utilized to send data from electronic device 200 via a wired or wireless network to other processing devices or to receive data via the wired or wireless network. Wireless networks that may be utilized by network card 250 include, but are not limited to, Wireless-Fidelity (Wi-Fi), Bluetooth, Near Field Communication (NFC), cellular networks, satellite networks, telecommunication networks, Wide Area Networks (WAN) and etc. Memory 220 and operating system 206 are in data communication with CPU 205 via bus 210. The memory components include both volatile and non-volatile memory and more than one of each type of memory, including Random Access Memory (RAM) 220, Read Only Memory (ROM) 225 and a mass storage device 245, the last comprising one or more solid- state drives (SSDs). Memory 220 also includes secure storage 246 for securely storing secret keys, or private keys. It should be noted that the contents within secure storage 246 are only accessible by a super-user or administrator of module 200 and may not be accessed by any user of module 200. One skilled in the art will recognize that the memory components described above comprise non-transitory computer-readable media and shall be taken to comprise all computer-readable media except for a transitory, propagating signal. Typically, the instructions are stored as program code in the memory components but can also be hardwired. Memory 220 may include a kernel and/or programming modules such as a software application that may be stored in either volatile or non-volatile memory.

Herein the term "processor" is used to refer generically to any device or component that can process such instructions and may include: a microprocessor, microcontroller, programmable logic device or other computational device. That is, processor 205 may be provided by any suitable logic circuitry for receiving inputs, processing them in accordance with instructions stored in memory and generating outputs (for example to the memory components or on display 240). In this embodiment, processor 205 may be a single core or multi-core processor with memory addressable space. In one example, processor 205 may be multi-core, comprising— for example— an 8 core CPU.

With reference to Figure 1 , before any documents may be encrypted by module 1 10 and uploaded into cloud server 1 15, trapdoor server 120 will first generate public parameters pars and master private key msk. Trapdoor server 120 then provides public parameters pars to encryption module 1 10 and searching server 125. It should be noted that the master private key msk is only kept by trapdoor server 120 and is not transmitted to any other entity.

In order to generate public parameters pars and master private key msk, trapdoor server 120 first takes the security parameter as its input and then randomly chooses a

group G of prime order p, a generator g and random group elements u, h, w e G. In addition, trapdoor server 120 also randomly chooses a , and computes ^

Finally, based on the above, trapdoor server 120 then

generates the master private key and publishes the public parameter

where H is a collision-resistant hash

function that maps an element belonging G ₁ to an element belonging G.

It should be noted at this stage, that the following computational assumptions are used in embodiments of the invention. For example, when the bracket "[ ]" is used to encapsulate a positive integer n, it shall be understood that [n] denotes the set of all positive integers less or equal to It shall also be understood that the term represents all residuals of a modular positive integer while denotes the set of all non-zero residuals of modular

Bilinear Pairing Functions:

For this function, both G and G ₁ are understood to comprise two groups of prime order p, and g is a generator of G. Hence, the function e : G x G→ G _l is understandably identified as a bilinear map if it has the following properties:

• Computable: ) can be computed efficiently.

• Bilinear:

• Non-degenerate: where 1 is the identity of group G _u

In this example, G is also identified as a bilinear group if the group operation in G is efficiently computable and there exists a group Gi and an efficiently computable bilinear map as above.

Decisional Bilinear Diffie-Hellman Assumption:

For any probabilistic polynomial-time algorithm, given it is difficult to distinguish ftom Z, where g is a generator of G, and and a, b, c∈ Z _p , are

chosen independently and uniformly at random, while is a computable

bilinear map as defined above. Decisional (q-2) Assumption:

For any probabilistic polynomial-time algorithm, given g,g ,g ,g ,g , and it js difficult to distinguish from

Z, where q is a given integer, g is a generator of G, andZ GG,, and x, y, z, b _! ,...,b _q £ Z _p , are chosen independently and uniformly at random, while e:GxG→G _l is a computable bilinear map as defined above.

Decisional Linear Assumption:

For any probabilistic polynomial-time algorithm, given and it is difficult to distinguish from Z, where q is a given integer, g is a generator of G, andZ e G _1, and

are chosen independently and uniformly at random, while e:GxG→G ₁ is

a computable bilinear map as defined above. Upon receiving the public parameter pars from trapdoor server 120, searching server 125 will then randomly choose y £ Z _p , and based on thus selected parameter, search server 125 will then compute the public and private key pair (pk _s , sk _s ) as (g ^Y ,y). Once the key pair has been computed, this key pair is then provided to trapdoor server 120 from searching server 125. Trapdoor server 120 will utilize these parameters later on in the generation of trapdoors for expressive keyword access structures as requested by authorized data users.

Before a document owner uploads an encrypted document to be stored in cloud server 1 15, the document owner will first have to append each encrypted document with encrypted keyword sets. This is accomplished with the owner first identifying key terms/phrases or index terms that may be used to identify the content of a document. These key/index terms or phrases are then appended to the document as a keyword set. In Figure 1 , documents 105 illustrate a set of documents, from Document 1 - n, that have been appended with their respective keyword sets. It should be noted that each keyword in a keyword set is divided into a generic name N = {N(1 ),...N(i)} and a keyword value W = {W(1 ),...,W(i)} whereby the value (i) illustrates the relationship between a particular generic name with a particular keyword value. For example, the keyword seti for Document 1 may be taken to contain "Affiliation = City Hospital", "Department = Medicine", "Illness = Diabetes", and "Gender = Male". The generic names N for this keyword seti would be N(1 ) = Affiliation, N(2) = Department, N(3) = Illness and N(4) = Gender while the keyword values W for this keyword seti would be W(1 ) = City Hospital, W(2) = Medicine, W(3) = Diabetes and W(4) = Male. Further, in embodiments of the invention, each keyword value in W(i) may be represented by an numerical value such as, but not limited to, the keyword's equivalent ASCII value. By dividing each keyword contained within a keyword set into a generic name and a keyword value, an authorized user of system 100 may then later on search and subsequently retrieve all encrypted documents containing certain keywords that satisfy a certain keyword access structure. An example of a monotone type keyword access structure is "Affiliation = City Hospital AND (Department = Medicine OR (Illness = Diabetes AND Gender = Male))".

In this description, any references made to a keyword access structure, an access policy or a search predicate all refer to monotone type access structures. However, it should be noted that other types of general access structures may be realized in embodiments of this invention if the attribute universe were to be split in half and by treating the attributes of one half as the negated (NOT) version of the attributes in the other half. A person skilled in the art will also note that the keyword access structures may be described in terms of monotonic Boolean formulas and these formulas may be converted into a corresponding Linear Secret Sharing Scheme (LSSS) matrix. This will be described in greater detail with reference to Figures 3 and 4 in the later sections.

Once all the keyword sets containing keywords (and their corresponding generic names and keyword values) have been appended to each respective document, documents 105 comprising Documents 1 -n with their respective appended keyword sets are then provided to encryption module 1 10. To recap, as the initial setup procedures have been completed as previously discussed, encryption module 1 10 would have received and stored the public parameters pars that were provided by trapdoor server 120. At this stage, it should be noted that the content or plaintext in Documents 1 -n may be encrypted using any encryption scheme known to a person skilled in the art and that ciphertext contained in Documents 1 -n may subsequently be decrypted using a corresponding decryption scheme known to a person skilled in the art. The encryption of the content of Documents 1 -n may take place within encryption module 1 10.

Upon receiving documents 105 (comprising Documents 1 -n with their respective appended keyword sets), encryption module 1 10 will then select a first document together with its appended keyword set, i.e. Document 1 that has been appended with Keyword Seti . As previously discussed, each keyword contained within each keyword set is divided into a generic name and a keyword value. Hence, Keyword Seti comprises of two groups of plaintext - a first group comprising of generic names and a second group comprising of the generic names' corresponding keyword values. In embodiments of the invention, only the plaintext contained in the keyword values are encrypted into ciphertext using encryption module 1 10.

In order to encrypt the keyword values in Keyword Seti into ciphertext CTi , module 1 10 will initiate the process by retrieving the public parameter pars from its records and keyword values W = {W(1 ),..., W(m)} from Keyword Seti whereby "m" represents the m ^th keyword value of W in Keyword Seti . As mentioned above, each individual keyword value may be represented by a numerical value. An integer m is then used to denote the overall size of keyword value W, and is used to represent the values of W. Module

1 10 then randomly chooses values for elements and

computes a ciphertext C for the keyword values W using the following equation:

where ( ) 2 Once ciphertext has been computed for Keyword Set _{l 5} module 1 10 will then

replace all the keyword values in Keyword Seti with ciphertext C Document 1 will then be

transmitted to cloud server 1 15 at step 132 and it should be noted that at this step, the contents of Document 1 would have been encrypted and that this Document 1 is appended with Keyword whereby Keyword Seti includes the generic names, which remain unencrypted, and ciphertext This process is then repeated for all the documents

contained within documents 105 until all the documents have been uploaded into cloud server 1 15 whereby each encrypted document stored in cloud server 1 15 would be appended with its tagged or appended keyword set whereby each keyword set contains a list of generic names and its ciphertext CT.

When an authorized user wishes to obtain all encrypted documents stored in cloud server 1 15 that contains a set of keywords SW that satisfy expressive keyword access structure 133, access structure 133 that contains keywords SW will first have to be converted into a Linear Secret Sharing Scheme (LSSS) matrix M. In this embodiment of the invention, access structure 133 comprises a monotonic Boolean formula and this Boolean formula is converted into an equivalent LSSS matrix by the authorized user.

In order to do so, it shall be assumed that the Boolean formula may be represented as an access tree, of which the interior nodes comprise "AND" and "OR" logic operators or gates, and the leaf nodes represent the corresponding attributes. The values in the vector (1 , 0, 0) are denoted as the sharing vector for the LSSS matrix. Further, it is also assumed that the root node of the tree is labeled with a vector of length 1 , which is vector (1 ), and that each node is labeled with a vector determined by the vector assigned to its parent node. In addition, there also exists a global counter variable c which is preset to 1 . If the parent node is an OR gate labelled by a vector v, then its children will be labelled by v as well, and the value of its global counter variable c remains the same. Alternatively, if the parent node is an AND gate labelled by a vector v, then v will be padded with 0s at the end, if required, in order to increase its length to c. One of its children will then be labelled with the vector v | 1 and the other with the vector (0, 0 | -1), where (0, 0) denotes the zero vector of length c. Note that these two vectors when summed equate to v|0. Once this is done, the value of c is increased by one i.e. c = c + 1. Once the labelling of the entire tree is finished, the vectors labelling the leaf nodes form the rows I of the LSSS matrix. If these vectors forming these rows are of different lengths, the shorter vectors will be padded with 0s at the end so that all the vectors will be equal in length.

For example, assume that keyword access structure 133 comprises the following: "Affiliation = City Hospital AND (Department = Medicine OR (Illness = Diabetes AND = Gender = Male))". With reference to Figure 3 and using the method described above, the LSSS matrix for this access structure 133 is generated as follows. As the parent node 302 is an AND gate labelled with the vector v=1 , the root AND node 302 of this tree will be labelled as (1 ) while its global counter variable c = 1 . For the left and right child of node 302, the global counter variable c is increased to 2. Its left child 305, the leaf node corresponding to Affiliation = City Hospital, is then labelled as (1 , 1 ) because this node is labelled with (v | 1 ), while its right child 310, the OR node, is labelled as (0, -1) because this node is labelled with (0 I -1) when c = 2.

For the left and right child of node 310, as the node 310 is an OR gate labelled with (0,-1 ), then its children will be labelled by (0,-1 ) as well, and the value of its global counter variable c remains the same at c = 2. The left child 315 of the OR node 310 corresponds to Department = Medicine and is labelled as (0, -1) while its right child 320 is an AND node that is then labelled as (0, -1 ).

For the left and right child of node 320, as node 320 is an AND gate labelled with (0- 1 ), the global counter variable c will be increased to 3. The left child 325 of the AND node 320 corresponding to Illness = Diabetes, is then labelled as (0, -1 , 1) because this node is labelled with (0,-1 | 1 ), and the right child 330, corresponding to Gender = Male, is then labelled as (0, 0, -1) because this node is labelled with (0,0 | -1).

The labelling of the entire tree is now finished and the vectors labelling the leaf nodes, i.e. nodes 305, 31 5, 325, 330, form the rows I of the LSSS matrix, which in this example I = 4. For nodes 305 and 31 5, as the vectors forming these rows are of different lengths from nodes 325 and 330, the vectors in nodes 305 and 31 5 will be padded with 0s at the end and this results in node 305 being represented as (1 , 1 , 0) and node 315 being represented as (0, -1 , 0). Hence, the resulting LSSS matrix M for this example is:

Once access structure 133 containing keywords SW has been converted into LSSS matrix M, the access structure 1 33 may then be represented as LSSS access structure instead where, p is a function that associates the rows of M to the generic

names in keywords SW, and are the corresponding keyword values in keywords SW.

For example, for row 1 in LSSS matrix M, p(l)= "Affiliation" and

The LSSS access structure is then transmitted from the authorized user to trapdoor server 120 at step 1 34. Once trapdoor server 120 confirms that the request is from a user that has been authorized to use trapdoor server 120, trapdoor server 120 shall use the public parameter pars , the server public key pk _s = g ^Y , the master private key msk and the LSSS access structure (M, p , {w _P (i)}) to generate the trapdoor associated with this LSSS access structure, where M is an 1 x n matrix over Z _p , the function p maps the rows of M to generic keyword names, and {W _p(i )} are the corresponding keyword values as previously discussed. To recap, M _; is the i-th row of M for i e {Ι , . , . , Ι} , and P (i) is the generic keyword name associated with this row by the mapping p. Trapdoor server 120 randomly chooses a vector where

and based on these parameters, trapdoor server 120 compute the trapdoor

T _{M p} using the following equation:

where

where v _; = M _; · y is the value associated with the row M _; of M. It should be noted that when the trapdoor T _{M p} is computed, trapdoor T _{M p} only includes the partial hidden access structure (M, p ) and the actual names of the keyword values are omitted.

The trapdoor T _{M p} is then transmitted at step 136 from trapdoor server 120 to the authorized user. The authorized user then transmits the trapdoor T _{M p} for LSSS access structure to searching server 125 at step 138 so that searching server 125

may search through the encrypted documents and their respective appended keyword sets for documents that contain the set of keywords SW that satisfy expressive keyword access structure 133.

Upon receiving trapdoor for LSSS access structure , searching

server 125 will retrieve documents appended with keyword sets that contain at least one of the generic names as found in the function p of the received trapdoor T _{M p} . Such an initial matching of the generic keyword names greatly reduces the overall searching time of the documents.

Searching server 125 will then use the public parameter pars, the private key sk _s , and the received trapdoor T _{M p} for the LSSS access structure to test each retrieved

document to determine if the document contains the set of keywords SW that satisfies the expressive keyword access structure 133 sought by the authorized user. Searching server 125 will initiate this process by selecting a first retrieved document together with its appended keyword set containing its ciphertext CT. A search token is then computed for this first retrieved document whereby the search token is computed using the following equation:

where the search token equals to a "0" value if this equation is not satisfied and conversely, the search token equals to a "1 " if this equation is satisfied. It should be noted that the parameters used to compute the search token are obtained from the parameters contained in the ciphertext CT that is contained in the keyword set appended to the first retrieved document. Further, it should be noted that where is the set of all

minimum subsets satisfying

In another embodiment of the invention, in order to improve the performance efficiency of system 100, the modules in system 100 may be adapted for an asymmetric bilinear pairing in which bilinear pairings may be calculated faster than the

symmetric bilinear pairings used in the previously described embodiment. In particular, system 100 may be transformed from symmetric bilinear maps to asymmetric bilinear maps.

In this embodiment of the invention, trapdoor server 120 performs the similar steps as described above except that the previously used parameters will be

replaced by and H is

removed from the public parameter pars.

In this embodiment of the invention, searching server 125 will repeat the similar steps as described above except that the public and private key pair (pk _s ,sk _s ) is computed as

Similarly, when trapdoor server 120 computes the trapdoor using the equation

described above, in this embodiment of the invention, the parameters from the above equation are replaced with the following: and the

parameter T ₀ is removed from the trapdoor T _{M p} .

In this embodiment of the invention, when module 1 10 computes the ciphertext CT, the similar equation as previously described is utilized except that the term is replaced with the term This replacement takes place in parameters D during

the computation of ciphertext CT.

Finally, in this embodiment of the invention, searching server 125 will compute the search token as described above except that the term H will be replaced by

In accordance with an embodiment of the invention, a method for querying an encrypted database for documents containing an expressive keyword access structure using a computer server, comprises the following four steps:

Step 1 , receiving public parameters from a trapdoor server;

Step 2, generating a public key g ^Y and a private key γ based on the received public parameters where g is a generator for group G and γ is a random element;

Step 3, receiving a keyword set W for the expressive keyword access structure, wherein the keyword set W comprises generic names and keyword values, and receiving a trapdoor T _M,P associated with the expressive keyword access structure, wherein the trapdoor T _M ,p comprises; trapdoor parameters, a Linear Secret Sharing Scheme (LSSS) matrix M having I rows and n columns, and a function p mapping the rows of the LSSS matrix M to the generic names in the keyword set W;

Step 4, processing documents in the encrypted database that are pre-tagged with corresponding generic names N and corresponding ciphertext CT, wherein the processing the documents comprises: retrieving documents from the encrypted database tagged with at least one of the generic names contained in the keyword set W; computing a search token for each retrieved document, whereby each search token is computed based on parameters obtained from the ciphertext CT tagged to each document, parameters contained in the trapdoor T _M,P , the private key γ and the public parameters; determining, for each retrieved document, if the computed search token for the document matches with a first parameter in ciphertext CT tagged to the document, whereby if a match is determined, indicating the document contains the expressive keyword access structure.

In order to provide such a system or method, a process is needed for querying an encrypted database for documents containing an expressive keyword access structure. The following description and Figure 4 describes embodiments of processes that provide processes in accordance with this invention.

Figure 4 illustrates process 400 that is performed by a module or computer processor installed within an electronic device or server to query an encrypted database for documents containing an expressive keyword access structure in accordance with embodiments of this invention. Process 400 begins at step 405 whereby process 400 receives the public parameters from a server. The public parameters pars are stored in a secure memory or a secure database and are only accessible by process 400. Process 400 then proceeds to generate public and private key pairs at step 410 using the parameters received at step 405. Process 400 then receives the trapdoor at step 420 for the expressive keyword access structure. A first document is then retrieved from the encrypted database by process 400 at step 425. If the generic names contained within the trapdoor matches with the generic names contained in the keyword set appended to the retrieved document at step 420, process 400 will add the retrieved document to a document list at step 435. Conversely, if the generic names contained within the trapdoor do not match with the generic names contained in the keyword set appended to the retrieved document at step 430, process 400 will proceed to step 440 instead and select a next document at this step. If at step 440 process 400 determines there is another document that has not yet been selected, process 400 will proceed to step 430 whereby steps 430 to 440 will repeat until all documents have been selected. Process 400 then proceeds to step 445.

However, at step 430, if process 400 determines that a retrieved document has been added to a document list at step 435, process 400 will then proceed to step 440 to select the next document. Process 400 repeats steps 435 to 440 until all documents have been processed by process 400.

At step 445, a first document from the retrieved document list is selected by process 400. Process 400 then proceeds to compute a search token for the selected document. If process 400 determines at step 455 that the search token matches with the first parameter in the ciphertext appended or tagged to the selected document, process 400 will proceed to step 460 where it will indicate that the selected document contains the expressive keyword access structure. Process 400 then proceeds to step 465 to select another document.

Conversely, if process 400 determines at step 455 that the search token does not match with the first parameter C, in ciphertext CT, process 400 will proceed to step 465 instead. At step 465, process 400 will select the next document and if there is another document to select, process 400 repeats from step 465 to 455. Alternatively, if all the documents have been selected, process 400 then ends.

The above is a description of embodiments of a system and process in accordance with the present invention as set forth in the following claims. It is envisioned that others may and will design alternatives that fall within the scope of the following claims.