Data stored on untrusted servers is prone to attacks by the server itself. To protect confidential information, clients store encrypted data. This makes searching the data quite challenging. A searchable symmetric encryption (SSE) scheme enables a client or data owner to store its data on a cloud server without losing the ability to search over it. When an SSE scheme supports updates, it is called a dynamic SSE (DSSE) scheme.
There is a large body of work on SSE as well as DSSE. Most of it considers the cloud server to be honest-but-curious. An honest-but-curious server follows the protocol but wants to extract information about the plaintext data and the queries. However, if the cloud itself is malicious, it does not follow the protocol correctly. In the context of search, it can return only a subset of the results instead of all the records matching the search. So, there is a need to verify the results returned by the cloud to the querier. An SSE scheme for static data where the query results are verifiable is called Verifiable SSE (VSSE). Similarly, if the data is dynamic, the scheme is said to be a verifiable dynamic SSE (VDSSE).
There are single keyword search VSSE schemes which are either new constructions supporting verifiability or design techniques that achieve verifiability on existing SSE schemes by proposing a generic algorithm. VSSE with single keyword search has been studied in , , . In ,  etc., VSSE schemes with conjunctive queries have been studied. Moreover, there are also works that give VDSSE schemes for both single keyword search () as well as complex query search including fuzzy keyword search () and Boolean queries (). However, most of them are privately verifiable. A VSSE or VDSSE scheme is said to be privately verifiable if only the querier, who receives the search result, can verify it. On the other hand, a VSSE or VDSSE scheme is said to be publicly verifiable if any third party, including the database owner, can verify the search result without knowing its content.
There is also literature on public verifiability. Soleimanian and Khazaei  and Zhang et al.  have presented SSE schemes which are publicly verifiable. VSSE with Boolean range queries has been studied by Xu et al. . Though their verification method is public, the verification is based on blockchain databases, so it has extra monetary cost. Besides, Monir Azraoui  presented a conjunctive search scheme that is publicly verifiable. In the case of dynamic databases, the publicly verifiable scheme by Jiang et al.  supports Boolean queries and that by Miao et al.  supports single keyword search.
However, the file-injection attack , in which the client encrypts and stores files sent by the server, recovers keywords from future queries. This has forced researchers to require dynamic SSE schemes to be forward private, where adding a keyword-document pair does not reveal any information about previous search results with that keyword. In addition, in the presence of a malicious cloud server, the owner can outsource verification to a third party auditor to reduce its computational overhead. The only forward private single keyword search VSSE scheme is proposed by Yoneyama and Kimura . However, the scheme is privately verifiable and the owner requires a significant amount of computation for verification.
1.1 Our Contribution
In this paper, we make the following contributions to the literature on VSSE.
We formally define a verifiable DSSE scheme. Then we propose a generic verifiable SSE scheme ( ) which is very efficient and easy to integrate.
We propose a generic publicly verifiable dynamic SSE scheme ( ). Our proposed scheme is forward private. This property is necessary to protect a DSSE scheme from the file-injection attack. However, no previous publicly verifiable scheme is forward private. In fact, the only forward private scheme  is privately verifiable.
We present formal security proofs for these schemes and show that they are adaptively secure in the random oracle model.
Neither scheme uses any extra storage at the owner side beyond that of the embedded scheme. Thus, for a resource-constrained client, the schemes are very effective and efficient.
In Table 1, we have compared our proposed schemes with existing ones.
We briefly describe the works related to verifiable SSE in Section 2. We discuss the required preliminary topics in Section 3. In Section 4, we present a generic approach to verifiable SSE. In Section 5, we present our proposed generic construction of a publicly verifiable DSSE scheme in detail. We compare its complexity with similar publicly verifiable schemes in Section 6. Finally, we summarize our work in Section 7 with possible future directions of research.
2 Related Works
The term Searchable Symmetric Encryption was first introduced by Curtmola et al. , who gave a formal definition of keyword search schemes over encrypted data. Later, Chase et al.  and Liesdonk et al.  presented single keyword search SSE for static databases. Thereafter, as the importance of database updates increased, work started on dynamic SSE. Kamara et al.  first introduced a dynamic single keyword search scheme based on an encrypted inverted index. There are remarkable works on single keyword search on dynamic databases. However, the file-injection attack by Zhang et al.  has forced researchers to require dynamic SSE schemes to be forward private. It is easy to achieve forward privacy with ORAM. However, due to the large cost of communication, computation and storage, ORAM based schemes are almost impractical.
In 2016 Bost  presented a non-ORAM based forward private dynamic SSE scheme. Later, a few more forward private schemes were proposed. Though the works ,  etc. provide backward privacy, we do not consider it here since there is no formal attack on non-backward private DSSE schemes. Though there is so far no formal attack on non-backward private DSSE schemes, there are works  and  that provide backward privacy. In most of the above mentioned schemes, the cloud service providers are considered to be honest-but-curious. However, the schemes fail to provide security in the presence of a malicious cloud server.
Chai and Gong  introduced the first VSSE scheme. They store the set of document identifiers in a trie-like data structure where each node corresponding to some keyword stores the identifiers containing it. Cheng et al.  presented a VSSE scheme for static data based on secure indistinguishability obfuscation. Their scheme also supports Boolean queries and provides public verifiability of the returned result. Ogata and Kurosawa  presented a no-dictionary generic verifiable SSE scheme. A cuckoo hash table is used in this privately verifiable scheme. In the multi-owner setting, Liu et al.  presented a VSSE scheme with aggregate keys. Miao et al.  presented a VSSE scheme in the same multi-owner setting. However, all of the above schemes are for static databases and are privately verifiable, whereas the VSSE schemes by Soleimanian and Khazaei  and Zhang et al.  are publicly verifiable.
The above works are only for static data. There are also a few works that deal with complex queries when the data is static. Conjunctive queries on static data have been studied by Sun et al. , Miao et al. , Wang et al. , Li et al. , Miao et al.  etc. These schemes have private verifiability. Boolean range queries on SSE have been studied by Xu et al. . Though their verification method is public, the verification is based on blockchain databases, so it has a considerable monetary cost. Besides, Monir Azraoui  presented a conjunctive search that is publicly verifiable.
Dynamic verifiable SSE with complex queries has also been studied. Zhu et al.  presented a dynamic fuzzy keyword search scheme which is privately verifiable, and Jiang et al.  studied publicly verifiable Boolean queries on dynamic databases. Moreover, single keyword search schemes on dynamic data are described by Yoneyama and Kimura , Bost et al.  etc.
A publicly verifiable SSE scheme has also recently been proposed by Miao et al. . Yoneyama and Kimura  presented a scheme based on Algebraic PRF which is verifiable as well as forward private and performs single keyword search. However, the scheme is privately verifiable and the owner requires a significant amount of computation for verification.
Our proposed scheme is a generic forward private verifiable scheme which is compatible with any existing forward private DSSE scheme. Our scheme also does not use any extra owner storage for verifiability and has minimal search-time computation for the owner.
3.1 Cryptographic Tools
3.1.1 Bilinear Map
Let and be two (multiplicative) cyclic groups of prime order . Let . A map is said to be an admissible non-degenerate bilinear map if– a) , and (bilinearity) b) (non-degeneracy) c) can be computed efficiently.
3.1.2 Bilinear Hash
Given a bilinear map and a generator , a bilinear hash maps every random string to an element of . The map is defined as .
3.1.3 Bilinear Signature (BLS)
Let be a bilinear map where , a prime and . A bilinear signature (BLS) scheme =, , is a tuple of three algorithms as follows.
: It selects . It keeps the private key . publishes the public key .
: Given , and some message , it outputs the signature where is a bilinear hash.
: Return whether
3.2 System Model
In this section, we briefly describe the system model considered in this paper. In our model of verifiable SSE, there are three entities–Owner, Auditor and Cloud. The system model is shown in Fig. 1. We briefly describe them as follows.
Owner: The owner is the owner as well as the user of the database. It is considered to be trusted. It builds a secure index, encrypts the data and then outsources both to the cloud. Later, it sends encrypted queries to the cloud for searching. Therefore, it is the querier as well. It is the client who requires the service.
Cloud: The cloud or cloud server is the storage and computation service provider. It stores the encrypted data sent by the owner and returns the results of the queries the owner requests. The cloud is assumed to be malicious. It can deviate from the protocol not only by failing to compute on or store the data, but also by fooling the querier with an incorrect result.
Auditor: The auditor is an honest-but-curious authority which does not collude with the cloud. Its main role is to verify whether the cloud executes the protocol honestly. It tells the querier whether the returned result is correct or not.
3.3 Design Goals
Assuming the above system model, we aim to provide a solution to the verifiability problem of existing forward private schemes. In our design, we take care to achieve the following objectives.
Confidentiality: The cloud servers should not get any information about the uploaded data. On the other hand, queries should not leak any information about the database. Otherwise the cloud may gain knowledge about the plaintext information.
Efficiency: In our model, the cloud has a large amount of computational power as well as ample storage. The owner is weak. So, in the scheme, the owner should require only a small amount of computation and storage when performing verification.
Scalability: Since the owner has to pay for the service provided by the cloud, it is desirable to outsource as much data as possible. The owner should be able to outsource a large amount of data to the cloud. On the other hand, the cloud should answer the queries fast using little computation power.
Forward privacy: It has been observed previously that a DSSE scheme without forward privacy is vulnerable even to an honest-but-curious adversary. So, our target is to make a DSSE scheme publicly verifiable without losing its forward privacy property.
Let be a set of keywords. be the space of document identifiers and be the set of documents to be outsourced. Thus, . For each keyword , the set of document identifiers that includes is denoted by , where and . Thus, . Let where denotes the encrypted document that has identifier .
We assume that there is a one-way function that maps each identifier to certain random numbers. These random numbers are used as the document name corresponding to the identifier. The function can be computed by both the owner and the cloud. However, the identifier cannot be recovered from a document name. Throughout, we use identifiers. However, when we say the cloud returns documents to the owner, we assume the cloud applies the function to every identifier before returning them.
Let, be a cryptographic hash function, be a bilinear hash, be a PRNG and be a HMAC. A stateful algorithm stores its previous states and uses them to compute the current state.
3.5 Verifiable Dynamic Searchable Symmetric Encryption (VDSSE)
An SSE scheme allows a client to outsource a dataset it owns to a cloud service provider in encrypted form without losing the ability to perform queries over the data. The most popular query is keyword search, where the dataset is a collection of documents. The client can retrieve part of the encrypted data without revealing any meaningful information to the cloud. Throughout, we take a query to be a single keyword search query.
A dynamic SSE (DSSE) scheme is an SSE scheme that supports updates. A Verifiable DSSE (VDSSE) scheme is a DSSE scheme together with verifiability. The verification can be done either by an external auditor or by the owner. The primary reason to bring in an auditor is to reduce the computational cost of verification at the owner side. This allows the owner to be lightweight.
Though a VDSSE scheme supports updates, we do not verify whether the cloud updates the database correctly or not. We only want to get the correct result with respect to the current state of the database. If the cloud updates the database incorrectly, it cannot give the actual result. Due to verifiability, it will then fail the auditor's verification process. We define a verifiable DSSE scheme formally as follows.
Definition 1 (Verifiable Dynamic SSE).
A verifiable dynamic SSE (VDSSE) scheme is a tuple , , , , , of algorithms defined as follows.
: It is a probabilistic polynomial-time (PPT) algorithm run by the owner. Given security parameter it outputs a key .
: The owner runs this PPT algorithm. Given a key and a set of documents , it outputs the encrypted set of documents and an encrypted index .
: On input a keyword and the key , the owner runs this PPT algorithm to output a search token .
: It is a PPT algorithm run by the cloud and the auditor collaboratively that returns a set of document identifiers result to the owner with verification bit .
: It is an owner-side PPT algorithm that takes the key and a document identifier and outputs an update token .
: It is a PPT algorithm run by the cloud. It takes an update token , operation bit , the encrypted document set and the index and outputs updated .
A VDSSE scheme is said to be correct if , generated using and all sequences of search and update operations on , every search outputs the correct set of identifiers, except with a negligible probability.
Verifiability: Note that when we say a scheme is verifiable, we mean that it verifies whether the search result comes from the currently updated state of the database according to the owner. Verification does not include the update of the database at the cloud side. For example, suppose an owner adds a document with some keywords and the cloud does not update the database. Later, if the owner searches with some keyword present in the document, it should get the identifier of the document in the result set. Then the result can be taken as verified.
3.6 Security Definitions
We follow the security definition of . There are two parts in the definition– confidentiality and soundness. We define security in the adaptive adversary model, where the adversary can send queries depending on the previous results. Typically, most dynamic SSE schemes define their security in this model.
A DSSE scheme that does not consider verifiability considers an honest-but-curious (HbC) cloud server. In these cases, the owner of the database allows some leakage on every query made. However, it guarantees that no meaningful information about the database is revealed other than the allowed leakages. The soundness definition ensures that the results received from the cloud server are correct.
Confidentiality ensures that a scheme does not give any meaningful information other than what is allowed. In our model, we have considered the cloud to be malicious. However, the auditor is HbC. Since verifiability has some monetary cost for the owner, it wants verifiability only when it is required. Also, the auditor does not have the database or the ability to search. Given the proof, it only verifies the result. Thus, if the scheme is secure against the cloud, it is so against the auditor. Again, we have assumed that the cloud and the auditor do not collude. Hence, we do not consider the auditor in our definition of confidentiality.
Definition 2 (CKA2-Confidentiality).
Let , , , , be a verifiable DSSE scheme. Let , and be a stateful adversary, a challenger and a stateful simulator respectively. Let = be a stateful leakage algorithm. Let us consider the following two games.
The challenger generates a key .
generates and sends to .
builds and sends it to .
makes a polynomial number of adaptive queries. In each of them, it sends either a search query for a keyword or an update query for a keyword-document pair and operation bit to .
returns either a search token or an update token to depending on the query.
Finally returns a bit that is output by the experiment.
generates a set of documents and gives it to together with .
generates and sends it to
makes a polynomial number of adaptive queries . For each query, is given either or depending on the query.
returns, depending on the query , to either search token or update token .
Finally returns a bit that is output by the experiment.
We say is -secure against adaptive dynamic chosen-keyword attacks if PPT adversary , a simulator such that
where is negligible in .
The soundness property ensures that if a malicious cloud tries to fool the owner by returning an incorrect result, it will be caught by the auditor. We give a game-based definition of soundness as follows.
Let be a verifiable DSSE scheme with , , , , . Let us consider the following game.
The challenger generates a key .
generates and sends to .
computes and sends to .
makes a polynomial number of adaptive queries. In each of them, it sends either a search query for a keyword or an update query for a keyword-document pair and operation bit to .
returns either a search token or an update token to depending on the query.
After making a polynomial number of queries, chooses a target keyword and sends a search query to .
returns a search token . executes and gets where is verification bit from .
generates pair for a keyword and gets verification bit .
If even when , returns as output of the game, otherwise returns .
We say that is sound if PPT adversaries , .
4 Verifiable SSE with static data
Since, in a verifiable SSE scheme, there is no update, it does not have or operation. We present a generic scheme that makes any SSE scheme verifiable. Our target is to achieve verifiability, in the presence of a malicious server, without losing any other security property and with minimal communication and computational costs.
4.1 Issues with the existing verifiable SSE schemes
There are papers that consider static SSE schemes and suggest authentication tag generation using a MAC to protect the integrity of the search result. For each keyword , they generate a tag where is a one-way hash function. Trivially, if the tags are stored at the owner side then the scheme becomes privately verifiable. In that case, when a search is required, the owner can check integrity after receiving the result from the cloud.
However, this integrity checking does not protect the SSE scheme from a malicious adversary if the tags are outsourced to the cloud. Checking integrity provides security only against honest-but-curious cloud servers. Let us consider an example. Suppose a keyword is searched and the cloud gets the result . Later, if some other keyword is searched, the cloud can return the same result and will pass the integrity check.
4.2 A generic verifiable SSE scheme without client storage
Since it is desirable to outsource the data as well as the tags to the cloud, the above result shows that checking integrity in the above way cannot be relied on. Checking the integrity of the result identifiers alone is not enough because the tags are not bound to the keyword. Here, we present a generic idea that makes any SSE scheme verifiable.
Let be a result revealing static SSE scheme. We present a VSSE scheme =, , , for static database as follows.
Let be a one-way hash function and a key is chosen at random. For each keyword , a key is generated. is then used to bind the keyword with the corresponding tag . Finally, for each keyword , is encrypted in the build phase. Thus, while performing a search with a keyword , as the search result, the owner receives . The owner accepts it if the tag regenerated from the received identifiers matches the received one.
So, the main idea of the scheme is that instead of generating tags only from identifiers, they are bound with which is dependent on and can be computed by the owner only. After a search, if the cloud returns an incorrect set of document identifiers then the tag will not match. The scheme is shown in Fig. 2.
Note that, for the static case, computing the tag is enough to validate a result. Since one-way hash computation is very efficient and requires few resources, we do not consider any external authority like an auditor for verifiability. So, the scheme is privately verifiable.
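The replay problem of Section 4.1 and the keyword-bound tag of Section 4.2, side by side, as an added Python example that is not the paper's own code. The page's tag formulas did not survive extraction, so the use of HMAC-SHA256 for the per-keyword key and the tag, the plaintext dictionary standing in for the encrypted index, and all names and sample data are assumptions.

```python
import hashlib
import hmac


def encode_ids(ids):
    """Length-prefixed, sorted encoding so a result set has one byte form."""
    out = b""
    for doc_id in sorted(ids):
        raw = doc_id.encode()
        out += len(raw).to_bytes(4, "big") + raw
    return out


def unbound_tag(ids):
    """Tag over the identifiers only: the design criticised in Section 4.1."""
    return hashlib.sha256(encode_ids(ids)).digest()


def keyword_key(master_key, keyword):
    """Per-keyword key (assumed HMAC-SHA256); only the owner can derive it."""
    return hmac.new(master_key, b"kw:" + keyword.encode(), hashlib.sha256).digest()


def bound_tag(master_key, keyword, ids):
    """Tag over the identifiers, keyed with the keyword-dependent key."""
    key = keyword_key(master_key, keyword)
    return hmac.new(key, encode_ids(ids), hashlib.sha256).digest()


def build(db, tag_fn):
    """Owner side: attach a tag to each keyword's identifier set.

    A real SSE scheme encrypts every (ids, tag) entry; this plaintext
    dictionary only stands in for the encrypted index.
    """
    return {w: (list(ids), tag_fn(w, ids)) for w, ids in db.items()}


def honest_search(index, keyword):
    return index[keyword]


def replayed_search(index, keyword, earlier_keyword):
    """Malicious cloud: answers `keyword` with the entry of another keyword."""
    return index[earlier_keyword]


def truncated_search(index, keyword):
    """Malicious cloud: drops one identifier but keeps the stored tag."""
    ids, tag = index[keyword]
    return ids[:-1], tag


def owner_accepts(response, tag_fn, keyword):
    """Owner recomputes the tag for the keyword it actually searched."""
    ids, tag = response
    return hmac.compare_digest(tag, tag_fn(keyword, ids))


# Constructed sample data (not from the paper).
MASTER_KEY = bytes(range(32))
DB = {"invoice": ["d1", "d4", "d7"], "payroll": ["d2", "d3", "d9"]}


def run_demo():
    """Return accept/reject decisions for both tag designs."""
    designs = {
        "unbound": lambda w, ids: unbound_tag(ids),
        "bound": lambda w, ids: bound_tag(MASTER_KEY, w, ids),
    }
    results = {}
    for name, tag_fn in designs.items():
        index = build(DB, tag_fn)
        results[name] = {
            "honest": owner_accepts(
                honest_search(index, "payroll"), tag_fn, "payroll"),
            "replayed": owner_accepts(
                replayed_search(index, "payroll", "invoice"), tag_fn, "payroll"),
            "truncated": owner_accepts(
                truncated_search(index, "payroll"), tag_fn, "payroll"),
        }
    return results


if __name__ == "__main__":
    for design, outcome in run_demo().items():
        print(design, outcome)
```

Both designs catch a truncated result, but only the keyword-bound tag rejects a valid entry replayed from a different keyword.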
Cost for verifiability
The cloud storage is increased by tags. However, depending on the scheme the actual increment might be less than tags but still it is asymptotically . The communication cost for verification is only increased by one tag from the cloud to the owner. As for computation, to verify a search result, the owner only has to compute a hash value, which is very little.
If the cloud does not perform the search properly, it cannot get the identifiers and the corresponding tag. So, it has to send either random identifiers or identifiers corresponding to another searched keyword. In both cases, it cannot pass the owner's verifiability test.
The confidentiality of our proposed scheme follows from the security of the embedded SSE scheme.
5 Our Proposed Forward Secure Publicly Verifiable DSSE scheme
In this section, we propose a simple generic dynamic SSE scheme which is forward secure as well as verifiable. Let = , , , , , be a result revealing forward secure dynamic SSE scheme.
It is to be noted that any forward private SSE scheme stores the present state of the database at the client side. Corresponding to each keyword, most of them store the number of documents containing it. Let be the list of such numbers.
Since it considers any forward secure scheme , it only adds an additional encrypted data structure to make the scheme verifiable. The algorithms of our proposed scheme are given in Figure 3. They are divided into three phases– initialization, search and update.
Initialization phase: In this phase, secret and public keys are generated by the owner and thereafter the encrypted searchable structure is built. During key generation, three types of keys are generated– for the ; for the bilinear signature scheme; and two random strings for seed and tag generation respectively.
Thereafter, a signature table is generated, before building the secure index and encrypted database , to store the signature corresponding to each keyword-document pair. For each pair , the position is generated with an HMAC . The position acts as the key of a key-value pair in a dictionary. The document identifier is bound with together with . The is fixed for a keyword and is given to the server to find . The signature for the same pair is also bound with a random number which can only be generated from the PRG with the seed . Then the pair is added to the table as a key-value pair. After the building process, the owner outsources , and to the cloud.
Search Phase: In this phase, the owner first generates a search token to search on . Then, it regenerates and the seed and sends them to the cloud.
The cloud performs the search operation according to and uses the result identifiers to get the position in corresponding to each pair. It is not able to generate the positions if it does not search for the document identifiers. It collects the signatures stored in those positions, multiplies them and sends the product to the auditor as its part of the proof. It sends the search result to the owner.
The owner first generates random numbers and regenerates the aggregate message of the identifiers and sends to the auditor as , the owner’s part of the proof. After receiving and , the auditor only computes . It outputs accept if signature verification returns success. We can see that no information about the search results is leaked to the auditor during verification.
Update Phase: In our scheme, while adding a document, instead of updating only a single keyword-document pair, we assume that all such pairs corresponding to the document are added. To add a document with identifier and keyword set , the owner generates the position and the corresponding signature for each keyword it contains. The cloud gets them from the owner and adds them to the table .
Correctness: For correctness it is enough to check the following.
Cost for verifiability: We achieve forward privacy as well as public verifiability without client storage in . This increases the cloud storage by , where is the number of document-keyword pairs. The proof has two parts, one from the client and another from the owner. For a keyword , the sizes of them are one group element and one random -bit string only. Thus the auditor receives one element from both. The owner has to compute integer multiplication and addition, and then has to send one element.
Forward privacy: While adding a document, the owner only adds some keyword-document pairs, in the form of key-value pairs. So, during addition, the cloud server is adding key-value pairs to the dictionary. From these pairs, it cannot guess the keywords present in the document. Again, when it performs searches, it learns a key (i.e., a position in the table) only when it gets the identifiers. The only way to link a newly added key-value pair with previous ones is if the added document reveals its identifier. Since the one-way function gives only the document name of the added document, the cloud server cannot link it with previously searched keywords.
The security of the scheme is shown in two parts– confidentiality and soundness.
Soundness: The cloud server can cheat the owner in three ways by sending–
Incorrect number of identifiers– but this is not possible as the owner keeps the number of identifiers.
Same size result of other keywords– is generated with random numbers which can be generated only with the searched keyword, and the signatures are bound with that. So, the signature verification will fail.
Result with some altered identifiers– since signatures are bound with keywords and the random number, altering any will change and similarly the signature verification will fail.
Thus the owner will always get the correct set of document identifiers.
Let the leakage function of . Let be the leakage function of , given as follows.
We show that is -secure against adaptive dynamic chosen-keyword attacks in the random oracle model, in the following theorem.
If is a PRF, is a PRG and is -secure, then is -secure against adaptive dynamic chosen-keyword attacks.
To prove the above theorem, it is sufficient to show that there exists a simulator such that PPT adversary , the output of and are computationally indistinguishable.
We construct such a simulator which adaptively simulates the extra data structure and query tokens. Let be the simulator of the . We simulate the algorithms in Figure 4.
Since, in each entry, the signature generated in is of the form and corresponding entry in is of the form , where is pseudo-random (as is so) and is randomly taken, we can say that power of in both are indistinguishable. Hence, and are indistinguishable.
Besides, the indistinguishability of , with respect to , respectively follows from the pseudo-randomness of .
5.2 Deletion Support
can be extended to deletion support by duplicating it. Together with for addition, a duplicate can be kept for deleted files. During search, the auditor verifies both separately. The client gets result from both and , accepts only if both are verified and gets the final result calculating the difference.
6 Comparison with existing schemes
Our generic VSSE requires only one hash-value computation to verify a search which is optimal. Again, during building, the owner requires extra hash-value computation twice of the optimal. We can take that much computation to protect the scheme from malicious server without any extra client storage.
|Scheme||Forward||Public||Extra Storage||Extra Computation||Extra Communication|
|Yoneyama and Kimura ||–||–|
|Bost and Fouque ||–||–|
|Miao et al. ||–||–|
|Zhu et al. ||–||–|
|Jiang et al. ||–||–|
Where is the #keyword-doc pairs. Here extra storage is calculated over all storage, extra communication and computation are for a single search.
We have compared our verifiable DSSE scheme with the verifiable dynamic schemes by Yoneyama and Kimura , Bost and Fouque , Miao et al. , Zhu et al.  and Jiang et al. . The comparison is shown in Table 2. From the table, it can be observed that is very efficient for a low-resource owner. The extra computation needed by the owner to verify the search is only multiplication, which is much less than in the others. The owner also does not require any extra storage beyond that of the built-in forward secure DSSE scheme.
Throughout, we have seen that we have successfully presented a privately verifiable SSE scheme and a publicly verifiable DSSE scheme. Both of them are simple and easy to implement. Moreover, the VDSSE scheme achieves forward secrecy. In both schemes we have achieved our target of making them efficient for a low-resource owner. Due to the low computational and communication cost, we do not need any auditor for VSSE. However, the presence of an auditor, who verifies the search result, reduces the workload of the owner. Our proposed schemes are only for single keyword search queries. There are many other complex queries too. As future work, one can design verifiable DSSE schemes for complex queries. On the other hand, keeping them forward secret while designing them is also a challenging direction of research.
-  Monir Azraoui, Kaoutar Elkhiyaoui, Melek Önen, and Refik Molva. Publicly verifiable conjunctive keyword search in outsourced databases. In 2015 IEEE Conference on Communications and Network Security, CNS 2015, Florence, Italy, September 28-30, 2015, pages 619–627, 2015.
-  Raphael Bost. Σoφoς: Forward secure searchable encryption. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, October 24-28, 2016, pages 1143–1154, 2016.
-  Raphael Bost, Pierre-Alain Fouque, and David Pointcheval. Verifiable dynamic symmetric searchable encryption: Optimality and forward security. IACR Cryptology ePrint Archive, 2016:62, 2016.
-  Raphaël Bost, Brice Minaud, and Olga Ohrimenko. Forward and backward private searchable encryption from constrained cryptographic primitives. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 1465–1482, 2017.
-  Qi Chai and Guang Gong. Verifiable symmetric searchable encryption for semi-honest-but-curious cloud servers. In Proceedings of IEEE International Conference on Communications, ICC 2012, Ottawa, ON, Canada, June 10-15, 2012, pages 917–922, 2012.
-  Melissa Chase and Seny Kamara. Structured encryption and controlled disclosure. In Advances in Cryptology - ASIACRYPT 2010 - 16th International Conference on the Theory and Application of Cryptology and Information Security, Singapore, December 5-9, 2010. Proceedings, pages 577–594, 2010.
-  Rong Cheng, Jingbo Yan, Chaowen Guan, Fangguo Zhang, and Kui Ren. Verifiable searchable symmetric encryption from indistinguishability obfuscation. In Proceedings of the 10th ACM Symposium on Information, Computer and Communications Security, ASIA CCS ’15, Singapore, April 14-17, 2015, pages 621–626, 2015.
-  Reza Curtmola, Juan A. Garay, Seny Kamara, and Rafail Ostrovsky. Searchable symmetric encryption: improved definitions and efficient constructions. In Proceedings of the 13th ACM Conference on Computer and Communications Security, CCS 2006, Alexandria, VA, USA, October 30 - November 3, 2006, pages 79–88, 2006.
-  Shunrong Jiang, Xiaoyan Zhu, Linke Guo, and Jianqing Liu. Publicly verifiable boolean query over outsourced encrypted data. In 2015 IEEE Global Communications Conference, GLOBECOM 2015, San Diego, CA, USA, December 6-10, 2015, pages 1–6, 2015.
-  Seny Kamara, Charalampos Papamanthou, and Tom Roeder. Dynamic searchable symmetric encryption. In the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, pages 965–976, 2012.
-  Yuxi Li, Fucai Zhou, Yuhai Qin, Muqing Lin, and Zifeng Xu. Integrity-verifiable conjunctive keyword searchable encryption in cloud storage. Int. J. Inf. Sec., 17(5):549–568, 2018.
-  Zheli Liu, Tong Li, Ping Li, Chunfu Jia, and Jin Li. Verifiable searchable encryption with aggregate keys for data sharing system. Future Generation Comp. Syst., 78:778–788, 2018.
-  Meixia Miao, Jianfeng Wang, Sheng Wen, and Jianfeng Ma. Publicly verifiable database scheme with efficient keyword search. Inf. Sci., 475:18–28, 2019.
-  Yinbin Miao, Jianfeng Ma, Ximeng Liu, Qi Jiang, Junwei Zhang, Limin Shen, and Zhiquan Liu. VCKSM: verifiable conjunctive keyword search over mobile e-health cloud in shared multi-owner settings. Pervasive and Mobile Computing, 40:205–219, 2017.
-  Yinbin Miao, Jianfeng Ma, Ximeng Liu, Junwei Zhang, and Zhiquan Liu. VKSE-MO: verifiable keyword search over encrypted data in multi-owner settings. SCIENCE CHINA Information Sciences, 60(12):122105:1–122105:15, 2017.
-  Yinbin Miao, Jianfeng Ma, Fushan Wei, Zhiquan Liu, Xu An Wang, and Cunbo Lu. VCSE: verifiable conjunctive keywords search over encrypted data without secure-channel. Peer-to-Peer Networking and Applications, 10(4):995–1007, 2017.
-  Wakaha Ogata and Kaoru Kurosawa. Efficient no-dictionary verifiable searchable symmetric encryption. In Financial Cryptography and Data Security - 21st International Conference, FC 2017, Sliema, Malta, April 3-7, 2017, Revised Selected Papers, pages 498–516, 2017.
-  Azam Soleimanian and Shahram Khazaei. Publicly verifiable searchable symmetric encryption based on efficient cryptographic components. Des. Codes Cryptography, 87(1):123–147, 2019.
-  Shifeng Sun, Xingliang Yuan, Joseph K. Liu, Ron Steinfeld, Amin Sakzad, Viet Vo, and Surya Nepal. Practical backward-secure searchable encryption from symmetric puncturable encryption. In Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security, CCS 2018, Toronto, ON, Canada, October 15-19, 2018, pages 763–780, 2018.
-  Wenhai Sun, Xuefeng Liu, Wenjing Lou, Y. Thomas Hou, and Hui Li. Catch you if you lie to me: Efficient verifiable conjunctive keyword search over large dynamic encrypted cloud data. In 2015 IEEE Conference on Computer Communications, INFOCOM 2015, Kowloon, Hong Kong, April 26 - May 1, 2015, pages 2110–2118, 2015.
-  Peter van Liesdonk, Saeed Sedghi, Jeroen Doumen, Pieter H. Hartel, and Willem Jonker. Computationally efficient searchable symmetric encryption. In Secure Data Management, 7th VLDB Workshop, SDM 2010, Singapore, September 17, 2010. Proceedings, pages 87–100, 2010.
-  Jianfeng Wang, Xiaofeng Chen, Shifeng Sun, Joseph K. Liu, Man Ho Au, and Zhi-Hui Zhan. Towards efficient verifiable conjunctive keyword search for large encrypted database. In Computer Security - 23rd European Symposium on Research in Computer Security, ESORICS 2018, Barcelona, Spain, September 3-7, 2018, Proceedings, Part II, pages 83–100, 2018.
-  Cheng Xu, Ce Zhang, and Jianliang Xu. vchain: Enabling verifiable boolean range queries over blockchain databases. CoRR, abs/1812.02386, 2018.
-  Kazuki Yoneyama and Shogo Kimura. Verifiable and forward secure dynamic searchable symmetric encryption with storage efficiency. In Information and Communications Security - 19th International Conference, ICICS 2017, Beijing, China, December 6-8, 2017, Proceedings, pages 489–501, 2017.
-  Rui Zhang, Rui Xue, Ting Yu, and Ling Liu. PVSAE: A public verifiable searchable encryption service framework for outsourced encrypted data. In IEEE International Conference on Web Services, ICWS 2016, San Francisco, CA, USA, June 27 - July 2, 2016, pages 428–435, 2016.
-  Yupeng Zhang, Jonathan Katz, and Charalampos Papamanthou. All your queries are belong to us: The power of file-injection attacks on searchable encryption. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016, pages 707–720, 2016.
-  Xiaoyu Zhu, Qin Liu, and Guojun Wang. A novel verifiable and dynamic fuzzy keyword search scheme over encrypted data in cloud computing. In 2016 IEEE Trustcom/BigDataSE/ISPA, Tianjin, China, August 23-26, 2016, pages 845–851, 2016.