cryptography
Article
Flexible and Efficient Multi-Keyword Ranked Searchable
Attribute-Based Encryption Schemes
Je-Kuan Lin 1 , Wun-Ting Lin 1, * and Ja-Ling Wu 1,2, *
[email protected]
(W.-T.L.);
[email protected]
(J.-L.W.)
Citation: Lin, J.-K.; Lin, W.-T.; Wu,
J.-L. Flexible and Efficient
Multi-Keyword Ranked Searchable
Attribute-Based Encryption Schemes.
Cryptography 2023, 7, 28.
https://doi.org/10.3390/
cryptography7020028
Academic Editor: Carlo Blundo
Received: 6 March 2023
Revised: 10 May 2023
Accepted: 11 May 2023
Published: 15 May 2023
Copyright: © 2023 by the authors.
Licensee MDPI, Basel, Switzerland.
This article is an open access article
distributed under the terms and
conditions of the Creative Commons
Attribution (CC BY) license (https://
creativecommons.org/licenses/by/
4.0/).
Cryptography 2023, 7, 28. https://doi.org/10.3390/cryptography7020028
1 Department of Computer Science and Information Engineering, National Taiwan University,
Taipei City 10617, Taiwan
2 Graduate Institute of Networking and Multimedia, National Taiwan University, Taipei City 10617, Taiwan
* Correspondence:
Abstract: Currently, cloud computing has become increasingly popular and thus, many people and
institutions choose to put their data into the cloud instead of local environments. Given the massive
amount of data and the fidelity of cloud servers, adequate security protection and efficient retrieval
mechanisms for stored data have become critical problems. Attribute-based encryption brings the
ability of fine-grained access control and can achieve a direct encrypted data search while being
combined with searchable encryption algorithms. However, most existing schemes only support
single-keyword or provide no ranking searching results, which could be inflexible and inefficient
in satisfying the real world’s actual needs. We propose a flexible multi-keyword ranked searchable
attribute-based scheme using search trees to overcome the above-mentioned problems, allowing
users to combine their fuzzy searching keywords with AND–OR logic gates. Moreover, our enhanced
scheme not only improves its privacy protection but also goes a step further to apply a semantic
search to boost the flexibility and the searching experience of users. With the proposed index-table
method and the tree-based searching algorithm, we proved the efficiency and security of our schemes
through a series of analyses and experiments.
Keywords: attribute-based encryption; searchable encryption; index table; fuzzy search; semantic
search; data retrieval
1. Introduction
1.1. Motivations
Cloud and IoT [1] services have become increasingly popular because of the rise in
streaming services [2] and the development of machine learning, especially in the era of
COVID-19. Outsourcing data to the cloud saves space for local storage and brings conve-
nience so that users can access and share their data without any space and time limitations.
However, since cloud service providers, or cloud servers for short, are not fully trustable,
directly uploading sensitive data to the cloud is dangerous and undermines user privacy.
Encrypting data and then uploading them seems a safer approach. Nevertheless, in many
situations, traditional public key encryption (PKE) [3] schemes can only achieve secrecy but
lack proper access controllability. For example, in some cases, we want to authorize files to
only a specified group of people. Under PKE, we must copy files many times and encrypt
them, respectively. Moreover, the management of secret keys is increasingly cumbersome
and difficult. This challenge is specifically severe for medical and financial data because
users have the right to decide who can review their sensitive medical and financial records.
With attribute-based encryption (ABE) [4–9], we can make fine-grained access control much
more manageable by only allowing some people with specified attributes (i.e., conditions)
to access and view the files.
In addition to the access control, how to fetch the required data rapidly among the
massive data stored in the cloud is also a critical issue. Downloading and decrypting all
https://www.mdpi.com/journal/cryptography
Cryptography 2023, 7, x FOR PEER REVIEW 2 of 19

Cryptography 2023, 7, 28 2 of 18
In addition to the access control, how to fetch the required data rapidly among the
massive data stored in the cloud is also a critical issue. Downloading and decrypting all
the
the data
dataand
andthenthenperforming
performingaasearch searchcan canreach
reachthethetarget,
target,butbutit itisisnot
notfeasible
feasible because
because a
massive amount of computation and storage is required on the
a massive amount of computation and storage is required on the user end. Apart from user end. Apart from the
excessive timetime
the excessive overhead, these
overhead, operations
these operationsmaymaybe unsafe.
be unsafe.Searchable
Searchable encryption
encryption (SE)(SE)
al-
gorithms [10–15] bring reasonable solutions to this problem. Go a step
algorithms [10–15] bring reasonable solutions to this problem. Go a step further; combining further; combining
the
the ABE
ABE and
and SE SE schemes
schemes allows
allows users
users toto have
have fine-grained
fine-grained access
access controls
controls and
and searching
searching
capabilities
capabilities regarding
regarding encrypted
encrypted data.data.
Many searchableattribute-based
Many searchable attribute-basedencryption
encryption schemes
schemes (ABS)
(ABS) [16–24]
[16–24] havehave provided
provided fine-
fine-grained access control, dynamic updates, and attribute revocations.
grained access control, dynamic updates, and attribute revocations. However, searching However, search-
ing capabilities
capabilities could
could be be
moremore potent
potent inin mostschemes
most schemestotofulfill
fulfillactual
actual needs.
needs. Usually,
Usually, theythey
can
can embed
embed only
only aasingle
singlekeyword
keyword into into ciphertexts,
ciphertexts, which
which could
could bebe inconvenient
inconvenient and and make
make
searching
searchingmoremorecumbersome.
cumbersome.Although Although some schemes
some schemesallow for combining
allow for combining multiple key-
multiple
words
keywordsand and
provide ranked
provide search
ranked results,
search usersusers
results, can only fetchfetch
can only files containing
files containingall theallkey-
the
words. MoreMore
keywords. complicated
complicatedrelationships
relationshipsbetween keywords
between such as
keywords such disjunctive logic “OR”
as disjunctive logic
can
“OR” usually not be not
can usually expressed. In addition,
be expressed. some advanced
In addition, designs in
some advanced searchable
designs encryp-
in searchable
tion algorithms
encryption have rarely
algorithms havebeen
rarely implemented on suchon
been implemented systems. We summarize
such systems. We summarizethe stand- the
ard advanced
standard searching
advanced modesmodes
searching in Figure 1. The1.basic
in Figure The search mode mode
basic search is the is
keyword
the keywordrank
rank search
search whichwhich
does the does thematch
exact exact of match
single ofor
single or multiple
multiple keywords. keywords.
However,However,
in practice, in
practice,
the user’sthe user’s
input input commonly
commonly contains some contains
typossome typos
or uses or uses synonyms.
synonyms. As a result,As two a result,
high-
two high-level
level search modes,search modes,
fuzzy fuzzy
search andsearch and search,
semantic semantic aresearch,
induced aretoinduced to allow
allow users users
to obtain
to obtain the results without using
the results without using the exact keyword. the exact keyword.

Figure 1.
Figure Thehierarchy
1. The hierarchyof
ofstandard
standardsearching
searching modes
modes and
and the
the concrete
concrete associated
associated examples.
examples. Unlike
Unlike
single and multi-keyword
single and multi-keywordrank
rank search,
search, fuzzy
fuzzy andand semantic
semantic search
search belong
belong to high-level
to high-level searching
searching modes.
modes.
To tackle the problems listed above, we proposed two flexible and efficient multi-
keyword ranked
To tackle thesearchable
problems attribute-based
listed above, we encryption
proposedschemes
two flexible(FEMRSABE),
and efficient which are
multi-
especiallyranked
keyword suitablesearchable
for E-health applications. encryption
attribute-based In our basicschemes
scheme, we designed a search
(FEMRSABE), which tree
are
data structure
especially to enhance
suitable the expressiveness
for E-health applications.ofInthe oursearch,
basicas shown we
scheme, in Figure 2. The
designed server
a search
matches
tree data the trapdoors
structure in leaf nodes
to enhance with index files,
the expressiveness traversing
of the search, as the tree and
shown inducing
in Figure the
2. The
searching results of parent nodes by union or intersection. Finally,
server matches the trapdoors in leaf nodes with index files, traversing the tree and induc- the aggregated search
result
ing theofsearching
the root node is of
results theparent
final result,
nodessorted
by union according to the associated
or intersection. relevance
Finally, the score.
aggregated
The cloud server can only read the user-inputted logic structure but
search result of the root node is the final result, sorted according to the associated rele- knows nothing about
what users
vance score.have searched.
The cloud serverIn addition,
can only read inspired by [25], we built
the user-inputted logicanstructure
index tablebuttoknows
boost
search efficiency.
nothing about what Weusers
replaced
havethe encryption
searched. mechanism
In addition, from symmetric
inspired by [25], wekey builtencryption
an index
with pure
table attribute-based
to boost encryption.
search efficiency. Data owners
We replaced do not needmechanism
the encryption to exchangefrom keyssymmetric
with users
key encryption with pure attribute-based encryption. Data owners do not need tofaster
in advance, making the scheme more realistic. It shows that the search speed is much ex-
than thekeys
change case with
without theinindex
users table making
advance, through theexperiments.
scheme more We also provide
realistic. fuzzy keyword
It shows that the
searching
search speedability by calculating
is much faster thanthe thefingerprints
case without of the
keywords.
index tableWe refer to the
through generating
experiments.
method and the similarity score in [11] to ensure the search range
We also provide fuzzy keyword searching ability by calculating the fingerprints of key- is manageable.
words. Moreover,
We referintoour theenhanced
generating scheme,
method weand
reorganized
the similaritythe system
score in architecture
[11] to ensureto mini-
the
mize possible
search range isdata leakages, such as the logical structure of search trees and the file list of a
manageable.
particular keyword. We further implemented the semantic search functionality with Word-
Net’s help [26]. As a consequence, we considered the actual semantics of the keywords.
Users only need to express their intention of searching without considering the constraints
on the data owners’ actual keywords and their perfect spellings. These advanced search
modes make the search procedure more flexible and easier to use. The functionality com-
Cryptography 2023, 7, 28 3 of 18

Cryptography 2023, 7, x FOR PEER REVIEW 3 of 19

parisons in later sections show that our scheme has more desirable searching capabilities
than other benchmarking searchable attribute-based encryption schemes.

Figure 2. This work uses a tree-based data structure and AND–OR gates to complete a complicated
Figure 2. This work uses a tree-based data structure and AND–OR gates to complete a complicated
keyword search
keyword search task
task in
in the
the encryption
encryption domain. This is
domain. This is an
an example
example of
of an
an E-health
E-health use
use case.
case.

Flexible and efficient multi-keyword ranked searchable attribute-based encryption

Moreover, in our enhanced scheme, we reorganized the system architecture to mini-
schemes (FEMRSABE) target the E-health use case. Users, who are equipped with IoT
mize possible data leakages, such as the logical structure of search trees and the file list of
devices that can collect body data such as heart rate and body temperature, can upload
a particular keyword. We further implemented the semantic search functionality with
their data to the server in encryption form. Doctors or other healthcare professionals
WordNet’s help [26]. As a consequence, we considered the actual semantics of the key-
can access the data with appropriate permission. Most importantly, the system does not
words. Users only need to express their intention of searching without considering the
require the accessor to input the exact identical keyword used for encryption. With the
constraints on the data owners’ actual keywords and their perfect spellings. These ad-
benefit of fuzzy and semantic search, FEMRSABE can automatically match and discover
vanced search modes make the search procedure more flexible and easier to use. The func-
the possible meaning and search. This brings flexibility in that IoT providers and healthcare
tionality comparisons in later sections show that our scheme has more desirable searching
professionals do not need to negotiate the keyword beforehand, and the different IoT
capabilities than other
devices’ cross-time canbenchmarking
also pick up searchable
a suitable attribute-based
keyword ratherencryption schemes.
than be limited to the
Flexible
previous and efficient multi-keyword ranked searchable attribute-based encryption
choice.
schemes (FEMRSABE)
In the security aspect,target
ourthe E-health use
FEMRSABE case.can
system Users, whoagainst
defend are equipped
selectivewith IoT de-
cipher-text-
vices that can collect body data such as heart rate and body temperature,
policy and chosen-plaintext attack (IND-SCP-CPA) by building it on the general bilinear can upload their
data to the server in encryption form. Doctors
map cryptographic techniques and the associated assumptions. or other healthcare professionals can access
the data with appropriate permission. Most importantly, the system does not require the
accessor to input ofthe
1.2. Contributions exact
This Workidentical keyword used for encryption. With the benefit of
fuzzyWe and
proposed a flexible FEMRSABE
semantic search, and efficientcan automatically
scheme, FEMRSABE. matchTheand discover
possible the possi-
contributions
ble meaning and search. This
of this work include the following: brings flexibility in that IoT providers and healthcare pro-
fessionals do not need to negotiate the keyword beforehand, and
Flexible Access and Searching Structure: We used linear secret-sharing schemes the different IoT devices’
cross-time
(LSSS) to buildcan also
the pick
basicup a suitable
data keyword allowing
access structure, rather than be owners
data limited to to express
the previous
their
choice.
data access policy by combining AND–OR logic gates as their wish. Furthermore, the
In the security
conventional aspect, our
multi-keyword FEMRSABE
scheme can onlysystem can defend
find documents against selective
containing cipher-
all the searching
text-policy
keywords. We anddesigned
chosen-plaintext
a much moreattackflexible
(IND-SCP-CPA)
tree structureby sobuilding it on
that users canthe general
express bi-
what
linear map cryptographic techniques and the
they want to search by both conjunctive and disjunctive logic.associated assumptions.
Ranked Searching Results: Following the techniques presented in [25], we built an
1.2. Contributions
index-table of This
structure thatWork
can diminish the searching time and make ordered searching
results
Wepossible.
proposedUsers canand
a flexible obtain the most
efficient scheme,desired search results
FEMRSABE. as soon
The possible as possible,
contributions
avoiding unnecessary file
of this work include the following:decryption or filtering among many matched results.
Fuzzy and
Flexible Semantic
Access Search Mode:
and Searching We further
Structure: We used included
linearadvanced
secret-sharingsearchschemes
mecha-
(LSSS) to build the basic data access structure, allowing data owners to express their with
nisms into the enhanced scheme, such as fuzzy and semantic search, by integrating data
fingerprints
access policyintroduced
by combining by [11].
AND–ORQuerylogickeywords
gates ascan now
their be inaccurate
wish. Furthermore, or have spelling
the conven-
errors,multi-keyword
tional making it easierscheme for users
cantoonly
obtainfind what they want.
documents containing all the searching key-
words. We designed a much more flexible tree structure so over
Multi-Authority: Allowing the central authority to take that all the can
users jobsexpress
of generating
what
user keys is neither efficient nor secure. If the
they want to search by both conjunctive and disjunctive logic. central authority shuts down, the whole
system will be
Ranked affected,Results:
Searching which isFollowing
called thethe “single-point” failure. We
techniques presented set up
in [25], wemultiple
built an
attribute authorities to spread the traffic and generate intermediate
index-table structure that can diminish the searching time and make ordered searching user keys to solve this
problempossible.
results and shorten Usersthecankey-generating
obtain the most time.desired search results as soon as possible,
avoiding unnecessary file decryption or filtering among many matched results.
Fuzzy and Semantic Search Mode: We further included advanced search mecha-
nisms into the enhanced scheme, such as fuzzy and semantic search, by integrating with
fingerprints introduced by [11]. Query keywords can now be inaccurate or have spelling
errors, making it easier for users to obtain what they want.
Cryptography 2023, 7, 28 4 of 18

1.3. Organization
This paper is organized as follows. We review some related attribute-based and search-
able encryption schemes in Section 2. Some preliminaries and cryptography backgrounds
are addressed in Section 3. Section 4 defines the problem formally and depicts the proposed
architecture, while Section 5 addresses our concrete constructions in detail. We present our
schemes’ performances and security levels through a series of experiments in Section 6.
Finally, Section 7 concludes this write-up.

2. Related Work
2.1. Attribute-Based Encryption
Attribute-based encryption (ABE) is a technique that allows data owners to declare
their access policies such as: “(Doctor OR Researcher) AND (Chest OR Surgery)”. Only
data users who meet the policy’s attribute requirements are qualified to access the files.
For instance, users with the attributes “Doctor and Surgery” can read the text, but ones
with “Doctor and Researcher” cannot. Most ABE schemes can be categorized into the
following two classes: ciphertext-policy attribute-based encryption (CP-ABE) and key-
policy attribute-based encryption (KP-ABE). Wang et al. [27] proposed a constant-size
ciphertext KP-ABE scheme, while Water et al. [4] proposed the first practical CP-ABE
scheme. The main difference between KP-ABE and CP-ABE is that CP-ABE puts the
access policy into ciphertexts while KP-ABE puts it into the users’ secret keys. In CP-ABE
schemes, data owners can easily decide who can access the files, so it is more suitable for
cloud storage applications. Hence, we adopted it to construct our systems. Over time,
more powerful ABE schemes have been developed. Li [7] proposed an attribute-revocable
scheme, and Chi et al. [5] proposed a policy-hiding scheme to protect data owners’ privacy
further. In addition, most ABE schemes involve bilinear pairing operations, which are
very time-expensive, especially for resource-restricted devices such as mobiles and IoT
devices. Han et al. [6] proposed a decentralized scheme to reduce the burden of data users
by outsourcing the corresponding computational tasks.

2.2. Searchable Encryption

The main characteristic of searchable encryption (SE) is it allows users to search over
many encrypted data without the decrypting of the documents in the dataset. High-level
concepts of SE are that data owners extract keywords from plaintext files to build a “Secure
Index” and then encrypt plaintexts with symmetric encryption schemes. Data owners
transform searching keywords into corresponding trapdoors afterward. Finally, cloud
servers match the Secure Indexes with the trapdoors to produce search results containing
the target keywords the user longs for.
For this purpose, there are many ways to build the pre-described Secure Index. Most of
the existing SE schemes involve calculating the term frequency-index document frequency
(TF-IDF) values of keywords. Cao et al. [28] and Tzouramanis et al. [12] both use the
K-nearest neighbors (KNN) method to build the Secure Index. It is effective; however, the
associated neighborhood-related matrix will be too large, and therefore, the associated
operations become time-consuming when too many keywords are involved in the system.
Other methods include secure random masking, tree-based, and secure linked-list ones.
The scheme proposed by Zhang et al. [25] used the secure linked-list method to build an
index table, which we also adopted in our work for its efficiency.
Many functional search schemes have been developed to provide a more power-
ful search capability. For example, Wang et al. [13] proposed a tree-based method to
provide range search. It is especially suitable for numerical datasets such as financial
records. Aritomo et al. [29] and Fu et al. [10] both achieved semantic-based searching, while
Zhang et al. [15] provided an efficient predicate search. Liu et al. [11] proposed a robust
scheme combining semantic and fuzzy searches using fingerprint methods, which will
also be adopted in our schemes. However, this scheme did not take any access control
mechanism into account. They used fully homomorphic encryption (FHE) schemes [30–32]
Cryptography 2023, 7, 28 5 of 18

to encrypt the index table instead. Due to complexity considerations, our work has not
considered FHE schemes in our current system implementation. However, FHE schemes
have lots of potential for constructing effective ABE schemes if the required complexity can
be handled properly. An FHE-based ABE approach is exciting and can reduce the storage
requirement of ciphertexts. We choose to put it into our future investigations.

2.3. Searchable ABE Schemes

Many ABE schemes have searching abilities. For this kind of scheme, it is crucial
to allow only the qualified files to be searched. Otherwise, malicious users may launch
keyword attacks to guess the contents of files and breach privacy. On the other hand, it
is a waste of time for users to decrypt those unqualified files with failure. Sun et al. [22]
proposed a famous searchable attribute scheme (ABKS) to hide the access policy. However,
they use AND GATE as the access structure for policy hiding, which limits the access
policy’s expressiveness. Wang et al. [23] proposed a scheme that is aimed at E-health
applications. They achieve a constant computational overhead, constant storage overhead,
and policy hiding by hashing user attributes and keywords. However, the access policy’s
flexibility and searching are restricted due to its data structures. Moreover, they directly
embed keyword hashes into ciphertexts, so it takes much time to match search results
when there are many files in the dataset or only a single keyword can be used at a time.
Miao et al. [21] and Sun et al. [33] proposed ABKS schemes with the ability for attribute
revocations. Nevertheless, the searching capabilities of these schemes are weak because
users can only use a single keyword once without any modifications to protocols.

3. Preliminaries
3.1. Bilinear Pairing
Following the definitions in [33], let G and GT be two multiplicative cyclic finite
groups of prime order p. Let g be a generator in G. The following equations hold to fulfill
the definition of the bilinear pairing equations.
Bilinearity: For all x, y ∈ G and all s, t ∈ Zp , e x s , yt = e( x, y)st holds. That is, the


1.
exponentiation operations inside pairings can be moved outside directly.
2. Non-degeneracy: e( g, g) 6= 1.
3. Computability: For all x, y ∈ G, e( x, y) and any additive or multiplicative operations
on it can be efficiently computed.

3.2. Access Structure

By definition in [4]: Let {P 1 , P2 , . . . , Pn } be a set of parties. A collection A ⊆ 2{P1 , P2 , ..., Pn }
is monotone if ∀ B, C: if B ∈ A and B ⊆ C then C ∈ A. An access structure (respectively,
monotone access structure) is a collection (respectively, monotone collection), A, of non-empty
subsets of {P 1 , P2 , . . . , Pn }, i.e., A ⊆ 2{P1 , P2 , ..., Pn } /∅. The sets in A are called the authorized
sets, and the sets not in A are called the unauthorized sets.

3.3. Linear Secret-Sharing Schemes

We choose the linear secret-sharing schemes as our access structure due to their full
expressiveness in the access policy. Some papers [16,18,19,22,23] use the AND gate to
bring efficiencies and policy-hiding capabilities. However, they do not apply to disjunctive
operators. Thus, the flexibility of the access policy is quite limited.
The definition of a linear secret-sharing scheme can be found in [34]:

Definition 1. Linear Secret-Sharing Schemes (LSSS)

A secret-sharing scheme Π over a set of parties P is called linear over (Zp ) if
1. The shares for each party form a vector over Zp .
2. There exists a matrix M with is the vector of rows and n columns called the share-generating
matrix for Π. For the i-th row of M, we let the function ρ define the party labeling row i, for
all i = 1, . . . , l, as ρ(i ). When we consider the column vector v = (s, r2 , . . . , rn ), where
Cryptography 2023, 7, 28 6 of 18

s ∈ Zp is the secret to be shared, and r2 , . . . , rn ∈ Zp are randomly chosen, then M ·v is the

vector representing the l shares of the secret s according to the scheme Π. The share (M·v)i
belongs to party ρ(i ).

3.4. Relevance Score

We use the TFxIDF measurement to express the relevance between the keyword, w,
and the document, F, which has been widely adopted in many data mining and searchable
encryption schemes. Term frequency (TF) represents the frequency of a keyword in the
file. Nevertheless, only TF values are insufficient because some common words, such as
prepositions, usually differ from what users want to search for, even if they have high
occurrence frequencies in the text. Index document frequency (IDF) brings the solution.
Engaged readers can find the definitions of TF and IDF in [11].

4. Problem Definitions
4.1. Threat Model
There are several players (or parties) in the investigated systems. Their role and the
threat model are listed below.
Central Authority (CA): The central authority (CA) sets up the system and verifies
intermediate user keys obtained from attribute authorities. After that, the CA produces the
final user keys based on the master key generated by itself. In addition, the CA delivers the
public key to the other parties. Notice that the CA is believed to be entirely trustworthy in
most schemes and our systems.
Attribute Authority (AA): An attribute authority (AA) is equipped with some neces-
sary cryptographic techniques, accepting the request of data users to generate user keys.
They verify and generate intermediate user keys according to the attributes the data users
provided. Their behavior is also honest so that they do not misbehave in the process of
KeyGen and will not collide with data users.
Data Owner (DO): Data owners may be patients in a medical application. They
extract some keywords from their medical records to build the Secure Index. After that,
they upload encrypted data and the Secure Index to the cloud server. We also assume
that DOs are fully credible. They will correctly extract keywords and perform succeeding
encryption to the accessible files themselves.
Cloud Server (CSP): The cloud server provides storage to the encrypted files and
performs encryption-domain searches. Their threat model is assumed to be honest but
curious once again. They will honestly execute protocols but may attempt to obtain
documents and keywords in plaintext form through statistical analyses. They are also
interested in finding trapdoors uploaded by users, trying to guess what users are searching
for, and tracing their search records.
Data User (DU): Data users may be doctors or researchers in an E-health application
scenario. They request the encrypted files by transforming the searching keywords into
respective trapdoors to perform searching. They may want to access or guess the contents
of unqualified data by selective keyword attacks. However, they do not leak decrypted
data to other unauthorized users.

4.2. System Architecture

Figure 3 shows the players, the functional blocks, and the detailed information flow of
the proposed system. From Figure 3, nine polynomial-time algorithms (PTAs), as listed
below, compose our system. Table 1 demonstrates the symbols used in this write-up.
 of unqualified data by selective keyword attacks. However, they do not leak decrypted
data to other unauthorized users.

4.2. System Architecture

Figure 3 shows the players, the functional blocks, and the detailed information flow
Cryptography 2023, 7, 28 7 of 18
of the proposed system. From Figure 3, nine polynomial-time algorithms (PTAs), as listed
below, compose our system. Table 1 demonstrates the symbols used in this write-up.

Figure 3.3.
Figure The players,
The players,the
thefunctional
functionalblocks,
blocks,and
and the
the detailed information
informationflow
flowof
ofthe
theproposed
proposedsystem.
sys-
tem.
Table 1. The symbols and their corresponding definitions.
Table 1. The symbols and their corresponding definitions.
Symbols Description Symbols Description
Symbols Description Symbols Description
MK Master secret key w Searching keyword
PK
MK
Public key
Master secret key W w Searching keyword
Keyword set
MKAuth PK
Authority master key Public key PF W Keyword
Plaintext files set
PKAuth Authority
MKAuthpublic keyAuthority master keyF PF A document
Plaintext files
uk User
PKAuth secret key FP F Fingerprint
Authority public key A document
ik Intermediate user secret key CT Ciphertexts
skf 𝑢𝑘
Session key User secret key RScore FP Fingerprint
Relevance score
U The universe of user attributesIntermediate StrSearch Search condition string
S
𝑖𝑘
User attribute set
CT Ciphertexts
user secret key TFP Fingerprint table
x An attribute
sk Session key Td RScore Trapdoor
Relevance score
H (.) Hashf function Treep Search tree (plaintext)
P Access The universe of Treee Search condition
𝑈 policy StrSearch Search tree (encrypted)
uid User id user attributes k string results
Maximum size of searching
aaid AttributeS authority id User attribute set SR TFP Searching results table
Fingerprint
Ind Secure index SRRanked Ranked searching results
𝑥 An attribute Td Trapdoor
𝐻(. ) Hash function Tree p Search tree (plaintext)
Setup (1K, U) → (PK, MK) : The CA runs the setup algorithm and generates
Search tree (en- the
P Access policy key, PK, to theTreee
master key pair. It delivers the public other parties and keepscrypted)the master
key, MK, for itself. Maximum size of
uid
Authority Setup (aaid,User MK)id→ (MKAuth , PKAuth 𝑘 ) : The CA executes the authority
searching results
setup algorithm
aaid to set up all the AAs.
Attribute authority idIt grants authority
SR to the master key, MK
Searching Auth, and
results
authority to the public key, PKAuth , for each AA.
Ranked searching
Ind
IntermediateKeyGen (PK, index
Secure uid, S, MKAuth , PK Auth ) → ik : The AA verifies the user
SRRanked
results
attribute set, S, and runs the intermediate key generation algorithm to generate the inter-
mediate user secret key, ik, using its authority keypair.
Setup (1K,U) (PK,MK):
→ MK, S, ik)The
→ CA runsCA
uk : The the verifies
setup algorithm andofgenerates the master
KeyGen (PK, the validity the intermediate user
key pair. It delivers the public key, PK, to the other parties and keeps the master
key, ik, and then generates the final user secret key, uk, by the key generation algorithm. key, MK,
for itself.
BuildIndex (PK, W) → (Ind, TF P) : DOs build an index table for each keyword, w,
in the keyword set, W. In addition, they run a fingerprint generation algorithm to support
fuzzy matching and build a fingerprint lookup table as one of the outputs. Figure 4 shows
the data structure used to construct our index table.
Encrypt (PK, P, W, skf , skt ) → Ct : DOs extract keywords from the plaintext to ob-
tain the keyword list, W, and then input the public key, PK, access policy, P, and the session
key, skf , to the encrypted algorithm for generating the ciphertext. Finally, it encrypts the
Cryptography 2023, 7, 28 8 of 18

tables with skt . DUs recover the session keys and decrypt files and tables associated with
this ciphertext.
Cryptography 2023, 7, x FOR PEER REVIEW 8 of 19
GenTrapdoor (PK, StrSearch , uk ) → Td : DUs use the user key, uk, the public key, PK,
and the search condition, StrSearch, to generate the trapdoor, Td, based on the trapdoor-
generating algorithm. This algorithm has two phases: DUs obtain the hash values of the
Authority Setup (aaid, MK) → (MK Auth , PK Auth ): The CA executes the authority setup
most proper keywords using the fingerprint-matching algorithm in the first phase. A search
algorithm to set up all the AAs. It grants authority to the master key, MK Auth, and author-
tree, Treep , is constructed according to StrSearch and the hash values. Each keyword, W0 , in
ity
Treeto the public key, PK Auth , for each AA.
p is converted into a corresponding trapdoor, Td. In the second phase, all leaf nodes in
(PK, uid, S, MK Auth , PK Auth ) → 𝑖𝑘 : The AA verifies the user at-
TreepIntermediateKeyGen
are replaced by Td to become an encrypted search tree, Treee .
tribute set, S, and runs the
Search (Treee , Ind, k ) → intermediate
SRranked : ThekeyCSP
generation algorithm
parses the to generate
encrypted the inter-
search tree, Treee ,
mediate user secret key, 𝑖𝑘, using its authority keypair.
and executes the search algorithm to match Td with Ind to obtain the searching result,
KeyGen
SR. The (PK, MK,
CSP sorts S, 𝑖𝑘)outputs
SR and → 𝑢𝑘: Thethe CA verifies
top-k the
files as validity
the of theresult,
final search intermediate
SRrankeduser
. In
key, 𝑖𝑘, and then generates the final user secret key, 𝑢𝑘,
our enhanced scheme, the CSP only matches the trapdoor, leaving the jobs of algorithm.
by the key generation traversing
BuildIndex
searching trees and(PK, W) → (Ind,
ranking TF P):
for DUs DOs build
to ensure betteran index
data table for each keyword, 𝑤,
privacy.
in theDecrypt
keyword(uk, W. SR
set, Ct, In addition, they run a fingerprint generation algorithm to support
ranked ) → PF : DUs input their user key, uk, ciphertext, Ct, and
fuzzy matching and build a fingerprint lookup table as one
the ranked searching result, SRranked , to the decryption algorithm to obtainof the outputs. Figure 4 shows
the plaintext
the data
files, PFs.structure used to construct our index table.

Figure 4. We use a link-list structure to construct our Index Table.

Figure 4. We use a link-list structure to construct our Index Table.
4.3. Security Model
Encrypt (PK, P, W, sk f , sk t ) → Ct: DOs extract keywords from the plaintext to obtain
The security model of the proposed system is built on general bilinear map cryp-
the keyword list, W, and then input the public key, PK, access policy, P, and the session
tographic techniques and the associated assumptions. As addressed in the following
key, sk f , to the
paragraphs, weencrypted
designed aalgorithm
security game for generating
to explorethe ourciphertext. Finally, it
system’s security encrypts
level. It showsthe
tables with sk t . DUs recover the session keys and decrypt files
that our system can defend against selective ciphertext-policy and chosen-plaintext attack and tables associated with
this ciphertext.
(IND-SCP-CPA).
GenTrapdoor
The Ciphertext-domain (PK, StrSearch , 𝑢𝑘) → Td:
Keyword use the user key, 𝑢𝑘, the public key, PK,
DUs Game.
Privacy
and the search condition,
Init: Firstly, A delivers the Str Search, to generate
challenge access matrixthe A∗ to Td,
trapdoor, B. based on the trapdoor-
generating
Setup:algorithm.
B runs theThis samealgorithm
setup algorithm has twoinphases: DUs obtain
the keyword the
private hash values of the
game.
most Phase
properI: keywords using the fingerprint-matching
B provides an oracle, OSKu , for a query. Furthermore, B builds algorithm in the first phase.key
a secret A
search tree, Tree , is constructed according
list, LstSK, to holdp the query results. The oracle functions to Str and the
Search as follows: hash values. Each key-
word,OSK w (, uid,
in Tree
S ): A p is converted
submits uid andinto thea corresponding
user attribute trapdoor, Td. In the
set, S, to obtain the corresponding
second phase,
all
userleaf nodes
key, in .Tree
SKuid,S Notice p are replaced
that S sent by A Tdcannot
to become
satisfyanthe
encrypted search tree,
access structure, A∗ .Tree
If SKe .uid,S
Search
has been in (Tree
the keyword
e , Ind, 𝑘) →
list,SR Lst
ranked
SK :
, The
B CSP
looks upparses
the the
list encrypted
and returns search
the tree,
result Tree
directly.e,
and executes
Otherwise, B the searchthe
executes algorithm
key-generatingto match 𝑇𝑑 withand
algorithm 𝐼𝑛𝑑inserts
to obtain the searching
the result result,
into the list.
SR. The CSP sortsASR
Challenge: and outputs
prepares the top-k files
two equal-length as the final
messages, m0search
and mresult, SRchallenge.
1 , for the ranked . In our B
enhanced
then decides scheme,
on a random the CSP b ∈ 0,
bit,only matches the trapdoor,
1, and encrypts leavingA∗the
them under jobs of
. Finally, traversing
B sends back
the ciphertext,
searching trees CT and∗ , ranking
to A. for DUs to ensure better data privacy.
Phase II: (𝑢𝑘,
Decrypt B can SR ranked )to→query
Ct,continue PF: DUs for input
ciphertexts afterkey,
their user receiving CT ∗ . The operation
𝑢𝑘, ciphertext, Ct, and the is
the same
ranked as Phaseresult,
searching I. SR ranked , to the decryption algorithm to obtain the plaintext files,
PFs. Guess: A makes a guess, b0 , for if the bit, b, is 0 or 1. If b = b0 , A wins the security game.

4.3. Security Model

The security model of the proposed system is built on general bilinear map crypto-
graphic techniques and the associated assumptions. As addressed in the following para-
graphs, we designed a security game to explore our system’s security level. It shows that
Cryptography 2023, 7, 28 9 of 18

The advantage of A to win the security game is Adv A = Pr [b0 = b] − 21 . Our system
is IND-SCP-CPA secure if all polynomial-time adversaries only have negligible advantages
at most in the security game above.

5. Concrete Construction
Construction of the Basic FERMSABE Scheme
With the pre-described nine PTAs, the basic FERMSABE system can be constructed
as follows.
Step 1. The CA sets up the security parameter, K, and the global parameters ( G1 , GT , e),
where pairing operations e: G1 × G1 → GT . Then, the CA generates three generators, g,
g0 , and g1 , for the finite group, G1 . The Setup algorithm randomly chooses a0 , a1 , b0 , and x
from the group Zp and chooses v x for each attribute in the universe. The rest of the public
and the master keys are organized as follows.
n o
PKg, g0 , g1 , Y = e ( g, g) x , A = g0a , B = g0b , Hx = gb0 ·vx
x ∈U

MK: a0 , a1 , b0 x, {v x } x∈U
After that, the CA publishes the master key pair to other parties. The CA further
defines a hash function, H ( x ) : {0, 1}∗ → Zp , to map keywords into elements of Zp .
Step 2. The CA sets up each AA and grants the authority key pair, PK Auth and MK Auth ,
to the authority with an identifier, aaid. The AuthoritySetup algorithm generates a random
element, t, from Zp while the authority key pair comprises PK Auth , gt and MK Auth , t.
Step 3. When a user requests the user key, the corresponding AA runs the Intermedi-
ateKeyGen algorithm to generate the intermediate user keys using his authority key pair.
The AA randomly picks an α from Zp and sends this value to the CA. The intermediate

a
user key, ik, is generated as: ik , K00 = gt 0 and K10 = gt . The AA sends this value to

α

the CA to generate the final user key.

Step 4. The CA verifies the validity of the intermediate user key, ik, and then uses
it to run the KeyGen algorithm for generating the final user secret key set, uk, which
is composed of seven components. Then, the CA chooses µ0 and u from Zp . The first
six components of uk are:

(1/α)·u a
K0 = g x1 ·K00 , K1 = K10 , K2 = gµ0 , K3 = u, K4 = g x2 /u , and K5 = g00 .g1 0
µ

Notice that x1 and x2 are random elements taken from Z p such that x1 + x2 = x.
µ
The CA generates Kx for each attribute in S, that is Kx = Hx 0 . The final user key =
K0 , K1 , K2 , K3 , K4 , K5 , {Kx } x∈S and will be sent back to the data user.
Step 5. DOs build an index table, Ind, based on keywords extracted from plaintext
files. Our BuildIndex algorithm is founded on the approach presented in [35] to build our
Ind. Figure 4 depicts the data structure of our index table, where each field in blocks of the
linked list represents:


− Id Fj : The identifier of the file, j, which contains the keyword, i.
− Sij : The relevance score of the keyword, i, and the file, j. Notice that the blocks will
not be sorted according to this score for confusion.
− rij : Random strings of the same length. We use this field to prevent producing two
identity blocks.
− Padding values: We add padding values to every linked list to make them of the same
size. This setting implies that some linked lists composed of all padding values may
also be appended to the table.
Furthermore, DOs build a fingerprint table to support fuzzy search. Figure 5 illustrates
the structure of our fingerprint table, and the corresponding generation algorithm can be
found in [15]. We store the hash value of a keyword instead of itself to prevent DUs from
 identity blocks.
− Padding values: We add padding values to every linked list to make them of the same
size. This setting implies that some linked lists composed of all padding values may
also be appended to the table.
Cryptography 2023, 7, 28 Furthermore, DOs build a fingerprint table to support fuzzy search. Figure 5 illus- 10 of 18

trates the structure of our fingerprint table, and the corresponding generation algorithm
can be found in [15]. We store the hash value of a keyword instead of itself to prevent DUs
from knowing
knowing thethe keywords
keywords of DOs
of DOs directly.
directly. OnlyOnly the hash
the hash value
value is enough
is enough forsubsequent
for the the sub-
sequent matching
matching and searching
and searching tasks. tasks.

Figure
Figure 5. Data
5. Data Structure
Structure of our
of our Fingerprint
Fingerprint Mapping
Mapping Table.
Table.
In addition to these tables, the DO needs to put some extra data into the headers of
In addition to these tables, the DO needs to put some extra data into the headers of
Ind to allow the cloud server to perform matchings. We list the additional information in
Ind to allow the cloud server to perform matchings. We list the additional information in
the following:
the following:
( 1 )
 
s s ( ) H (w) ( )B s/H (w) .
I = g , I = e ( A )
𝐼 =0𝑔 , 𝐼1 =2𝑒(𝐴 , 𝑔 0 , 0 𝐼 , =1,x
, g ) , I 𝐻 = H x = 𝐵 I3/ =
, and 𝐼, and . (1)(1)
∈ ( ) x ∈ ρ (i )
Finally,
Finally,thethe DO DOuploads
uploads thethe
encrypted
encrypted Ind
Indand
andciphertexts
ciphertexts toto
the cloud
the cloudserver.
server.
Step 6. DOs extract keywords from the plaintext files, PF, to build
Step 6. DOs extract keywords from the plaintext files, PF, to build the keyword the keyword list,list,
W,W,and input the public key, PK, access policy, P, and the session keys,
and input the public key, PK, access policy, P, and the session keys, f skf and tsk sk and sk , to, to
t
thethe
Encrypt
Encrypt
Algorithm.
Algorithm. The former
The formeris used to encrypt
is used PF,PF,
to encrypt andand
thethe
latter is used
latter to encrypt
is used TFPT by by
to encrypt FP
symmetric encryption algorithms such as AES. They choose two
symmetric encryption algorithms such as AES. They choose two elements, s and s0 , from elements, 𝑠 and 𝑠,
from 𝑍 for supporting secret sharing and, respectively, build the secret
Z p for supporting secret sharing and, respectively, build the secret sharing vectors, λ x and sharing vectors,
0 , for𝜆 x, ∈
𝜆 λand
x
forρ(𝑥i ) ∈by𝜌(𝑖)
LSSS byschemes
LSSS schemes as follows.
as follows. They further
They further compute compute
0 0
C0 = sk f ·e( g, g) , C1 = gs , Cx = g a0 ·λx x∈ρ(i) , C2 = sk t ·e( g, g) x·s , C3 = gs , and
x ·s 
n 0
o
D x = g a0 · λ x . Finally, DOs upload {{ CT = C0, C1, C2, C3, {C x }, {D x }} , Encskf (PF),
x ∈ ρ (i )
Encskt (TFP ), Encskt (Ind)} to CSP.
Step 7. DUs first download the ciphertext pack from CSP and decrypt Ind and TFP
with uk by the Decrypt algorithm. If DUs own the right user key, sk t can be obtained to
decrypt these tables correctly. Otherwise, the algorithm halts. By using a fuzzy matching
algorithm, DUs can find the fingerprint that best matches the fingerprint of the input
keyword, where we adopt the fuzzy matching algorithm presented in [15] to realize this
function. Nevertheless, we additionally set a matching threshold to 0.7. Suppose the
relevance score between the best-matched fingerprint and the query fingerprint is lower
than this threshold, the match will be discarded, and the corresponding leaf node will be
removed to prevent fetching unrelated documents. Second, DUs look up TFP to obtain the
best-matching hash value, H (w0 ). After that, DUs parse StrSearch to build a search tree, as
shown in Figure 6. Finally, DU chooses a random element, γu , from Z p to disturb all the
values on the leaf nodes. That is, using the GenTrapdoor algorithm, we compute
0
T0 = K2 · gγu and T1 = K5· gγu · ∑ x∈S (K x · Hx )1/H (w )
1
 threshold, the match will be discarded, and the corresponding leaf node will be removed
to prevent fetching unrelated documents. Second, DUs look up TFP to obtain the best-
matching hash value, 𝐻(𝑤 ) . After that, DUs parse StrSearch to build a search tree, as
shown in Figure 6. Finally, DU chooses a random element, 𝛾 , from 𝑍 to disturb all the
values on the leaf nodes. That is, using the GenTrapdoor algorithm, we compute
Cryptography 2023, 7, 28 / ( ’)
11 of 18
𝑇 =𝐾 ∙𝑔 and 𝑇 = 𝐾 ∙ ∙∑ ∈ (𝐾 ∙ 𝐻 )

Figure 6. The
Figure 6. The Query
Query keyword
keywordtree
treeininplaintext
plaintextform.
form.This
Thistable
tableisisgenerated
generated forfor
thethe
access condition
access of
condition
(breath OROR
of (breath fever) AND
fever) AND(pressure OR OR
(pressure acute). Notice
acute). that that
Notice this figure is forisdemonstration
this figure purposes
for demonstration pur-
posesIn
only. only. In actuality,
actuality, DUsnot
DUs need need
knownotwhich
know keywords
which keywords
they havetheyprecisely
have precisely
matched. matched.

DUs replace the plaintext domain to-be-searched keywords

DUs keywords with with these
these two values at
the
the corresponding
correspondinglocations locationstoto produce
produce TWTWforfor
searching. Eventually,
searching. Eventually, DUsDUs provide TW and
provide TW
the
anddecrypted
the decrypted Ind to Indthetocloud
the cloudserver.server.
Step
Step 8. 8. The CSP first
The CSP first parses
parses the the encrypted
encrypted search
search tree, Treeee.. Then,
tree, Tree Then, it it matches
matches each each
Td in Treee with each header information in Ind. In other words, it compares whether
Td in Tree e with each header information in Ind. In other words, it compares whether
𝐼I2 ·∙e𝑒( T𝑇0 , ,I0𝐼 · Π
∙𝛱 x ∈S I𝐼 ) =
∈ 1,x,
e(C1, ,𝑇T1)?)?If If
= 𝑒(𝐶 anyany index
index satisfies
satisfies the the previous
previous condition,
condition, all thealldoc-
the
document indexes stored in the latter linked list will be appended
ument indexes stored in the latter linked list will be appended to the tree node. Notice to the tree node. Notice
that
that we we onlyonly need need to to compute
compute the right-hand side
the right-hand term once
side term once because
because it it is
is fixed.
fixed. Therefore,
Therefore,
our Search algorithm
our Search algorithm is is quite
quite efficient.
efficient. AfterAfter all
all the
the leaf nodes are
leaf nodes are searched,
searched, the CSP takes
the CSP takes
the
the intersection or union of the search results’ leaf nodes to become the final search results
intersection or union of the search results’ leaf nodes to become the final search results
of
of thetheparent
parentnodes nodesdepending
dependingonon whether
whether their parents
their areare
parents AND AND node nodeor OR node.
or OR Finally,
node. Fi-
the CSP sorts the searching results, SR, in the root node and outputs the top-k files as the
nally, the CSP sorts the searching results, SR, in the root node and outputs the top-k files
final searching result, SRranked . Then, SRranked will be sent back to the DUs.
as the final searching result, SR ranked . Then, SR ranked will be sent back to the DUs.
Step 9. In the final phase, DUs use their user keys, uk, to match with the ciphertext,
Step 9. In the final phase, DUs use their user keys, 𝑢𝑘, to match with the ciphertext, αst
ωx
Ct, for finding the decryption keys. DUs will compute E = ∏ x ∈S e (Cx ,K1 ) e( g,g) µ
∏ ( , ) = ( , ) sx .
Ct, for finding the decryption keys. DUs will compute 𝐸 = ∈ e((C1 ,K4)) = e( g,g) µ2.
,
K3 ( , )
Using E, they further compute R = eC( g0 ·s∙E,K ) .
Using 𝐸, they further compute 𝑅 = ( 0 ).
Suppose the user key satisfies the access , policy. In that case, R will be identical to the

final decryption key, skf . Finally, DUs can use this key to decrypt encrypted data retrieved
in the previous step and obtain the plaintext files. We will present the correctness proofs of
searching and decryption in the next Section.

6. Analyses
6.1. Security Analyses
In this section, we explore the proofs of the security model as mentioned above and
other functional modules of our system.
Theorem 1: Assume the q-parallel bilinear Diffie–Hellman (q-BDHE) assumptions
hold in both G and GT groups. There is no probability that any polynomial-time adversary,
A, can break the security of our schemes with a non-negligible advantage.
Proof: Assume the advantage of distinguishing a valid ciphertext from a random
element for A is ε 1 = Adv I ND−sCP−CPA . We built a simulator, B, that can break the q-BDHE
assumption with a non-negligible advantage ε 1 /2.
 q-BDHE challenger, C, first selects random elements a, s, b1 , . . . , bq from Zp and sets
The 
q q+2 2q q/b j q+2/b j 2q/b j q ·s·b /b
ϕ= g, gs , . . . , ga , ga , . . . , ga , gs·bj , ga/bj , ga , ga , . . . , ga , ga·s·bi /bj , . . . , ga i j .
q +1 · s
According to the definition of q-BDHE, A is still hard to distinguish e( g, g) a even if
Cryptography 2023, 7, 28 12 of 18

he knows the above arguments. Then, C chooses a random bit, γ ∈ 0, 1. If γ = 0, C sets

q +1
T = e( g, g) a ·s . Otherwise, T is set to a random element in GT .
Init: The simulator, B, received a q-BDHE challenge instance ( ϕ, T ). The adversary, A,
announces a challenge access structure ( M∗ , ρ∗ ) and sends it to B, where M∗ is an l ∗ × n∗
matrix and l ∗ , n∗ < q.   q
Setup: B selects an element, x 0 , in Z p randomly and sets e( g, g) x = e g a , g a .
x0
e( g, g) which implicitly makes x = + x0 a q +1 .
In addition, B initializes a v x for each
attribute by choosing v x ∈ Z p at random, and also randomly selects an element, b0 , from
the same group. Finally, B sets Hx = gb0 ·vx and gives the partial public key parameters to A.
Phase I: B keeps a list of the tuple (uid, S, SK ) represented as LstSK . Initially, the list is
empty. A can query the following oracle in the polynomial form:
− OSK (uid, S): Assume that B received a secret key query for (uid, S), in which S does
not match the access structure ( M∗ , ρ∗ ). B performs the following operations: if A has
previously asked for S, B retrieves SK from the list, LstSK , directly and returns it to A.
Otherwise, B chooses a vector, γ = (γ1 , . . . , γ N ∗ ) ∈ Z p , such that γ1 = −1 and
Mi∗ ·γ = 0 for all i, ρ∗ (i ) ∈ S. This matrix must exist according to the properties of
LSSS. Then, B randomly picks σ ∈ Z p and represents t as: t = σ + γ1 aq + γ2 aq−1 + . . . +
∗
γn aq+1−n · B further selects x10 , x20 ∈ Z p at random, such that x10 + x20 = x 0 mod p,
and sets x1 = x10 + aq+1 and x2 = x20 . Then, B, respectively, calculates K1 and K4 as:
σ  q +1− i  r i t 0
K1 = g µ · ∏i=1,...,n∗ g a = g µ and K4 = g x2 /u = g x2 /u . Through the definition of t,
µ

q +1
we noticed that g at contains a term of g a  terms in g
, which can be ignored with theunknown x1
0 q+2−i γi
when calculating K0 . That is, B computes K0 as: K0 = gx1 gασ · ∏i=2,...,n∗ ga = gx1 ·gat .
Notice that K5 and Kxare irrelevant to t, x10 , and x20 , so we omit the generation of them here.
Finally, B puts SK = K0 , K1 , K2 , K3 , K4 , K5 , {K x } x∈S into LstSK and sends the keys to A.
Challenge: A prepares two equal-length messages, m0 and m1 , for the challenge. B
then decides on a random bit, b ∈ 0, 1, and encrypts them under M∗ · B computes C0∗ as
C0∗ = mb · T ·e( gs , g x ), and C1∗ is generated as C1∗ = gs .
j
It is hard for B to simulate Cx∗ since it includes the term g a s . To overcome this difficulty, B
0 0
splits the secret to eliminate the above-mentioned  terms. That is, B selects y2 , . . . , yn∗ ∈ Zp ran-
∗−1
domly, and then shares the secret vector, V = s, sa + y20 , sa2 + y30 + . . . + san + y0n∗ ∈ Zp,
with A. For i ∈ [1, l ], we describe Qi as the set of all k 6= i making ρ∗ (i ) = ρ∗ (k). B calculates
a sb
!− M∗
j i i,k
∗
Cx∗ as: Cx∗ = ∏i=2,...,n∗ ( g a ) Mi,k ·yk · ∏ x∈Ql ,k=1,...,n∗ g bl
.

We producenC2∗ , C3∗ , and Dx∗ in the similar o way. Finally, B returns the challenge
0 ∗ ∗ ∗ ∗
 ∗ ∗
ciphertext, CT = C0 , C1 , C2 , C3 , Ci , Di i∈[1,l ] , to A.
Phase II: A continues to make queries similar to Phase I.
Guess T: A outputs b0 which is a guess of b. If b0 = b, B returns γ = 0 to guess
q +1
T = e( g, g) a ·s . Otherwise, B returns γ = 1, indicating that T is a random element
chosen from GT . In this case, A won the security game and obtained an effective ciphertext.
Now, the advantage of A is Pr [b0 = b|γ = 0] = 1/2 + ε 1 . Conversely, A cannot obtain any
= 1/2. In
information about b and the ciphertext; thus, Adv B   conclusion, the advantage of
A in winning the IND-SCP-CPA security game is: 12 12 + ε 1 + 21 · 12 − 12 = ε21 . Since A only
has a negligible advantage in solving the q-DBHE problem, hence no polytime adversary,
A can break the security of our schemes with a non-negligible advantage.
As for the keyword privacy, we will prove that any polytime adversary, A, cannot
guess the input keyword, w, from the Secure Index, I, nor forge it.
(b0 ·s)
Firstly, because the secret value, s, masked the term I3 = g H (w) . Even if A has produced
(b0 ·v x )
the value g1/H (w) on its own, the only term which contains b0 is I1,x = g H (w) . A cannot
Cryptography 2023, 7, 28 13 of 18

obtain the value, v x , because it is one of the components of the master key, MK, to tell
or forge the Secure Indices. To change the keyword of a trapdoor, A needs to modify
γ γ
1/H (ω 0 )
T1 = K5 · g1 u · ∏ x∈S Kx · Hx u . However, it is hard due to the difficulty in solving the
discrete log problem.
In summary, the unmalleability of the index and trapdoor of our scheme has now
been proved.

6.2. Functional Comparisons

We compared some existing ABKS schemes with ours in terms of access control, key-
word search, multi-keyword, ranked result, fuzzy search, and semantic search capabilities,
as shown in Table 2. We use the symbol “X “ to mean that the scheme has the indicated
function, while the symbol “-“represents the lack of this kind of function. Our scheme is
the most functional from the table, providing fine-grained access control and supporting a
multi-keyword ranked search result with various powerful search modes.

Table 2. Functional Comparison between the proposed and the benchmarked ABKS schemes.

Function MABKS [21] MSDVABE [33] FSSE [11] Ours

Access control X X - X
Keyword search X X X X
Multi-keyword - X X X
Ranked result - - X X
Fuzzy search - - X X
Semantic search - - X X

6.3. Computational Complexity Analyses

Table 3 compares the theoretical computation costs with some recent ABKS schemes
and ours. Let |U| denote the universe size and |S| the size of user attributes, while we use
|L| to represent the number of attributes the DO used in the access policy. We use P to
symbolize pairing operations. E and Et represent the exponentiation operations in groups
G and GT . Hash functions are excluded from our comparison because they are much more
efficient than exponentiation and pairing operations. The table shows that our scheme is
the most efficient one most of the time, especially for searching.

Table 3. Comparisons of Theoretical Computational Costs Between Our Scheme and the Bench-
marked Ones.

Function MABKS [21] MSDVABE [33] OABRSE [11] Ours

Setup (|U | + 3) E + P + ET (|U | + 4) E + P (|U | + 2) E + P + ET (|U | + 2) E + P + ET
KeyGen (3| S | + 8) E (|S| + 4) E (|S| + 4) E (| E| + 5) E
Enc (4| L| + 3) E + P + 2ET (3| L| + 1) E + Er (| L| + 1) E + 1ET (2| L| + 2) E + 2ET
Trap (2| S | + 2) E 3E 4E (2| S | + 2) E
Search 2P 3P 3P 2P
Dec ( 2 | S | + 1 ) P + | S | ET ( 2 | S | + 1 ) P + 2 | S | ET (|S| + 2) P + (|S| + 1) ET (|S| + 2) P + (|S| + 1) ET

We concluded our theoretical storage costs compared with the above-mentioned

schemes in Table 4. | G |, | GT |, and Z p are bit lengths required to store an element in the
respective finite group. Our theoretical storage costs are similar to the MABKS [17] scheme.
However, our scheme has lower constant terms and has little relevance to the user attribute
size. Furthermore, our trapdoor size is quite reasonable compared with the other schemes.
We put extra data into ciphertexts to eliminate the need for DOs to exchange keys with
DUs. Even so, the space complexity of ciphertexts is still acceptable in actual cases.
Cryptography 2023, 7, 28 14 of 18

Table 4. Comparisons of Theoretical Storage Costs Between Our Scheme and the Benchmarked Ones.

Function MABKS [21] MSDVABE [33] OABRSE [11] Ours

(|U | + 6)| G | + | GT | + (|U | + 5)| G | + | GT | + (|U | + 3)| G | + | GT | + (|U | + 5)| G | + | GT | +
Master keypair
(|U | + 3) Z p (|U | + 1) Z p (|U | + 2) Z p (|U | + 3) Z p
User key (3|S| + 4)| G | (|S| + 4)| G | + Z p (|S| + 4)| G | + Z p (|S| + 5)| G | + Z p
Ciphertext (2| L| + 1)| G | + 2| GT | (2| L| + 2)| G | (2| L| + 1)| G | + | GT | (2| L| + 2)| G | + 2| GT |
Index (|S| + 2)| G | + | GT | 3| G | 3| G | (|S| + 2)| G | + | GT |
Trapdoor 2| G | + Z p 3| G | 3| G | 2| G |

6.4. Experimental Analyses

We designed a series of experiments to simulate the actual performance of our schemes.
We used the real Enron email dataset [35] for testing. Moreover, we tested our schemes
on a Windows machine with 2.80 GHz Intel(R) Core(TM) i7-1165G7 @ 2.80 GHz CPU and
8 GB ROM. We used JPBC (Java Pairing-Based Cryptography) as the pairing operation
library and executed the programs on Java SDK 17 and JPBC 2.0.0. According to the most
popular setting, we set Z p = 160 bit and |G| = |GT | = 1024 bit, and the Type-A elliptic
curve: y2 = x3 + x is picked. For practical uses, the universe size is between [20, 100], and
the user attribute size is between [3, 100]. In the subsequent experiments, we assumed at
least one authorized document for DUs to retrieve.
Figure 7a–d shows the simulation results of our basic scheme compared with others.
The universe and the user attribute sizes have been mentioned above. Because some of these
schemes do not support multi-keyword ranked search, we only examined one document
and one searching condition for ease of simulations. However, it is sufficient to express
the effectiveness of the proposed scheme. Figure 7a shows the setup time, demonstrating
a linear dependency on the size of the system attributes. While the encryption time is
irrelevant to the size of the system attributes, as shown in Figure 7b, our setup time is similar
to the other benchmarking schemes, but we use a much shorter time for encryption. Our
scheme shows superiority in decryption and user-key generation time, as demonstrated in
Figure 7c,d. Notice that the required key-generation time is proportional to the size of the
user attributes rather than that of the universe. Clearly, our scheme has more advantages
when massive user attributes are required. Our approaches are the most efficient compared
to the MABKS [21] and MSDVABE [33] schemes.
We constructed a practical system for the implementation of our enhanced scheme.
Figure 8a–e shows this system’s actual data retrieval and index-table building times. For
ease of simulations, we realized the same extensions on the other benchmarked schemes
to support more powerful searching modes. In these experiments, we set the universe
size to 27, and the user attributes size to 3 for simulating real scenarios. These attributes
are categorized into position, subject, and level classes. This setting does not affect the
experiment results in any case. In Figure 8a, we fixed the size of the keywords.
We set the number of Provided by DOs to 30 and the number of search conditions
selected by DUs to 5. Furthermore, we set the size of the document database to vary from
20 to 100. In this circumstance, our search time is almost constant and is similar to that
of MABKS [21]; both are better than the MSDVABE [33]. In Figure 8b, the keyword size
varies from 20 to 100 while the database size and searching conditions are fixed to 100 and
5, respectively. Our searching time is linearly proportional to the size of the keywords,
while that of the MSDVABE [33] scheme varies more dramatically than ours. The same
conclusion can be drawn from Figure 8. When the search conditions increase from 5 to 30,
our scheme performs better than the others.
 time is irrelevant to the size of the system attributes, as shown in Figure 7b, our setup time
is similar to the other benchmarking schemes, but we use a much shorter time for encryp-
tion. Our scheme shows superiority in decryption and user-key generation time, as
demonstrated in Figures 7c,d. Notice that the required key-generation time is proportional
to the size of the user attributes rather than that of the universe. Clearly, our scheme has
Cryptography 2023, 7, 28 15 of 18
more advantages when massive user attributes are required. Our approaches are the most
efficient compared to the MABKS [21] and MSDVABE [33] schemes.

(a) (b)

(c) (d)

Figure
Figure
Cryptography 2023, 7, x FOR PEER 7. Timing
7. Timing
REVIEW Performance
Performance Comparisons.
Comparisons. (a)time,
(a) Setup Setup
(b)time, (b) Encryption
Encryption time, (c)16Decryption
time, (c) Decryption of 19 time,
time,and
and(d)
(d)Time
Time cost
cost of
of user
usersecret-key
secret-keygeneration.
generation.

We constructed a practical system for the implementation of our enhanced scheme.

Figure 8a–e shows this system’s actual data retrieval and index-table building times. For
ease of simulations, we realized the same extensions on the other benchmarked schemes
to support more powerful searching modes. In these experiments, we set the universe size
to 27, and the user attributes size to 3 for simulating real scenarios. These attributes are
categorized into position, subject, and level classes. This setting does not affect the exper-
iment results in any case. In Figure 8a, we fixed the size of the keywords.

(a) (b) (c)

(d) (e)

Figure
Figure8.8.Experiment
Experiment results in Our
results Realized
in Our Practical
Realized Systems.
Practical Data retrieval
Systems. time for (a)
Data retrieval different
time for (a) different
document sizes, (b) different keyword sizes, and (c) different searching conditions. Index-Table
document sizes, (b) different keyword sizes, and (c) different searching conditions. Index-Table
building time for (d) different documents and (e) different keyword sizes.
building time for (d) different documents and (e) different keyword sizes.
We set the number of Provided by DOs to 30 and the number of search conditions
selected by DUs to 5. Furthermore, we set the size of the document database to vary from
20 to 100. In this circumstance, our search time is almost constant and is similar to that of
MABKS [21]; both are better than the MSDVABE [33]. In Figure 8b, the keyword size
varies from 20 to 100 while the database size and searching conditions are fixed to 100 and
Cryptography 2023, 7, 28 16 of 18

Figure 8d–f demonstrates the actual consuming times for building an index table.
Although the MSDVABE [33] scheme takes the shortest time in this experiment, it has a
poor performance on searching. With a similar opinion to MABKS [21], we conducted
one pairing operation in the index-building phase to prevent performing too many pairing
operations in the searching phase. Therefore, some of the performance on building index
tables is sacrificed. However, data owners usually build index tables only once, but data
users may search the database many times. Therefore, our schemes are most realistic
and practical in actual use. Furthermore, these two schemes take much more time, even
making it impossible to perform fuzzy and semantic keyword-ranked searches combined
with multiple keywords without our extensions. We proved that our schemes are efficient,
flexible, and universal to apply to other performance-oriented AMKS schemes.

7. Conclusions
In this paper, we showed that the proposed FEMRSABE scheme has a powerful search
capability that can satisfy most users’ needs. Even if the user inputs do not fully match the
keywords set up by the DO or have some minor spelling errors, users can still obtain the
desired and most-related documents. Our basic protocol competes with the state-of-the-art
schemes through the performance analyses given in the previous Section.
The state-of-the-art takes much more time to search and does not perform fuzzy and
semantic keyword ranked searches which is the main contribution of our work.
Moreover, the enhanced one brings many more functionalities with a slight efficiency
loss, which is tolerable in real-world scenarios. Moreover, we proved that our scheme
is secure under the IND-SCP-CPA and the IND-CKA security requirements. However,
there are some limitations in our system as well. For example, the attributes of users may
frequently vary in the real world, while fine-grained attribute revocation and updating
mechanisms are needed but are not included in our work currently. Furthermore, we
tackle the single-point failure problem by setting up multiple attribute authorities, but
there are probably malicious attribute authorities that can determine users’ privacy by
mis-operations.
We plan to add the attribute revocation and verification mechanisms mentioned above
to make the system more steady and secure.

Author Contributions: Formal analysis, J.-K.L.; Funding acquisition, J.-L.W.; Investigation, J.-K.L.,
W.-T.L. and J.-L.W.; Methodology, J.-K.L.; Project administration, W.-T.L. and J.-L.W.; Resources,
J.-L.W.; Software, J.-K.L.; Supervision, W.-T.L. and J.-L.W.; Writing—original draft, J.-K.L.; Writing—
review & editing, W.-T.L. and J.-L.W. All authors have read and agreed to the published version of
the manuscript.
Funding: The Minister of Science and Technology, Taiwan: MOST 111-2221-E-002-134-MY3 and
Taiwan Semiconductor Manufacturing Company: TSMC: 112H1002-D.
Data Availability Statement: Not applicable.
Conflicts of Interest: The authors declare no conflict of interest.

References
1. Saxena, A.; Shinghal, K.; Misra, R.; Agarwal, A. Automated Enhanced Learning System using IoT. In Proceedings of the 2019 4th
International Conference on Internet of Things: Smart Innovation and Usages (IoT-SIU), Ghaziabad, India, 18–19 April 2019;
pp. 1–5. [CrossRef]
2. Korupolu, M.; Jannabhatla, S.; Kommineni, V.S.; Kalyanam, H.; Vasantham, V. Video Streaming Platform Using Distributed
Environment in Cloud Platform. In Proceedings of the 2021 7th International Conference on Advanced Computing and
Communication Systems (ICACCS), Coimbatore, India, 19–20 March 2021; Volume 1, pp. 1414–1417. [CrossRef]
3. Xiong, H.; Yao, T.; Wang, H.; Feng, J.; Yu, S. A Survey of Public-Key Encryption with Search Functionality for Cloud-Assisted IoT.
IEEE Internet Things J. 2021, 9, 401–418. [CrossRef]
4. Bethencourt, J.; Sahai, A.; Waters, B. Ciphertext-Policy Attribute-Based Encryption. In Proceedings of the 2007 IEEE Symposium
on Security and Privacy (SP’07), Berkeley, CA, USA, 20–23 May 2007; pp. 321–334. [CrossRef]
5. Chi, P.-W.; Wang, M.-H.; Shiu, H.-J. How to Hide the Real Receiver Under the Cover Receiver: CP-ABE with Policy Deniability.
IEEE Access 2020, 8, 89866–89881. [CrossRef]
Cryptography 2023, 7, 28 17 of 18

6. Han, J.; Susilo, W.; Mu, Y.; Zhou, J.; Au, M.H.A. Improving Privacy and Security in Decentralized Ciphertext-Policy Attribute-
Based Encryption. IEEE Trans. Inf. Forensics Secur. 2015, 10, 665–678. [CrossRef]
7. Li, J.; Yao, W.; Han, J.; Zhang, Y.; Shen, J. User Collusion Avoidance CP-ABE with Efficient Attribute Revocation for Cloud Storage.
IEEE Syst. J. 2017, 12, 1767–1777. [CrossRef]
8. Moffat, S.; Hammoudeh, M.; Hegarty, R. A Survey on Ciphertext-Policy Attribute-based Encryption (CP-ABE) Approaches to
Data Security on Mobile Devices and its Application to IoT. In Proceedings of the ICFNDS’17: Proceedings of the International
Conference on Future Networks and Distributed Systems, Cambridge, UK, 19–20 July 2017; Association for Computing Machinery:
New York, NY, USA, 2017; p. 34. [CrossRef]
9. Yahiatene, Y.; Menacer, D.E.; Riahla, M.A.; Rachedi, A.; Tebibel, T.B. Towards a distributed ABE based approach to protect privacy
on online social networks. In Proceedings of the 2019 IEEE Wireless Communications and Networking Conference (WCNC),
Marrakesh, Morocco, 15–18 April 2019; pp. 1–7. [CrossRef]
10. Fu, Z.; Shu, J.; Sun, X.; Zhang, D. Semantic keyword search based on tree over encrypted cloud data. In Proceedings of the
SCC’14—Proceedings of the 2nd International Workshop on Security in Cloud Computing, Kyoto, Japan, 3 June 2014; Association
for Computing Machinery: New York, NY, USA, 2014; pp. 59–62. [CrossRef]
11. Liu, G.; Yang, G.; Bai, S.; Zhou, Q.; Dai, H. FSSE: An Effective Fuzzy Semantic Searchable Encryption Scheme over Encrypted
Cloud Data. IEEE Access 2020, 8, 71893–71906. [CrossRef]
12. Tzouramanis, T.; Manolopoulos, Y. Secure reverse k-nearest neighbors search over encrypted mult-dimensional databases. In
Proceedings of the IDEAS’18: Proceedings of the 22nd International Database Engineering & Applications Symposium, Calabria,
Italy, 18–20 June 2018; Association for Computing Machinery: New York, NY, USA, 2018. [CrossRef]
13. Wang, B.; Hou, Y.; Li, M.; Wang, H.; Li, H. Maple: Scalable multi-dimensional range search over encrypted cloud data with
tree-based index. In Proceedings of the 9th ACM Symposium on Information, Computer and Communications Security, Kyoto,
Japan, 4–6 June 2014; Association for Computing Machinery: New York, NY, USA, 2014; pp. 111–122. [CrossRef]
14. Yoshino, M.; Naganuma, K.; Kunihiro, N.; Sato, H. Practical Query-based Order Revealing Encryption from Symmetric Searchable
Encryption. In Proceedings of the 2020 15th Asia Joint Conference on Information Security (AsiaJCIS), Taipei, Taiwan, 20–21
August 2020; pp. 16–23. [CrossRef]
15. Zhang, M.; Wang, X.A.; Yang, X.; Cai, W. Efficient Predicate Encryption Supporting Construction of Fine-Grained Searchable
Encryption. In Proceedings of the 2013 5th International Conference on Intelligent Networking and Collaborative Systems, Xi’an,
China, 9–11 September 2013; pp. 438–442. [CrossRef]
16. Cao, L.; Kang, Y.; Wu, Q.; Wu, R.; Guo, X.; Feng, T. Searchable encryption cloud storage with dynamic data update to support
efficient policy hiding. China Commun. 2020, 17, 153–163. [CrossRef]
17. Chaudhari, P.; Das, M.L. A2BSE: Anonymous attribute based searchable encryption. In Proceedings of the 2017 ISEA Asia
Security and Privacy (ISEASP), Surat, India, 29 January–1 February 2017; pp. 1–10. [CrossRef]
18. Khan, S.; Khan, S.; Zareei, M.; Alanazi, F.; Kama, N.; Alam, M.; Anjum, A. ABKS-PBM: Attribute-Based Keyword Search with
Partial Bilinear Map. IEEE Access 2021, 9, 46313–46324. [CrossRef]
19. Li, H.; Liu, D.; Jia, K.; Lin, X. Achieving authorized and ranked multi-keyword search over encrypted cloud data. In Proceedings
of the 2015 IEEE International Conference on Communications (ICC), London, UK, 8–12 June 2015; pp. 7450–7455. [CrossRef]
20. Liu, L.; Wang, S.; He, B.; Zhang, D. A Keyword-Searchable ABE Scheme from Lattice in Cloud Storage Environment. IEEE Access
2019, 7, 109038–109053. [CrossRef]
21. Miao, Y.; Deng, R.; Liu, X.; Choo, K.-K.R.; Wu, H.; Li, H. Multi-authority Attribute-Based Keyword Search over Encrypted Cloud
Data. IEEE Trans. Dependable Secur. Comput. 2019, 18, 1667–1680. [CrossRef]
22. Sun, W.; Yu, S.; Lou, W.; Hou, Y.T.; Li, H. Protecting your right: Attribute-based keyword search with fine-grained owner-enforced
search authorization in the cloud. In Proceedings of the IEEE INFOCOM 2014—IEEE Conference on Computer Communications,
Toronto, ON, Canada, 27 April–2 May 2014; pp. 226–234. [CrossRef]
23. Wang, H.; Ning, J.; Huang, X.; Wei, G.; Poh, G.S.; Liu, X. Secure Fine-grained Encrypted Keyword Search for e-Healthcare Cloud.
IEEE Trans. Dependable Secur. Comput. 2019, 18, 1307–1319. [CrossRef]
24. Wang, S.; Zhang, D.; Zhang, Y.; Liu, L. Efficiently Revocable and Searchable Attribute-Based Encryption Scheme for Mobile Cloud
Storage. IEEE Access 2018, 6, 30444–30457. [CrossRef]
25. Zhang, L.; Su, J.; Mu, Y. Outsourcing Attributed-Based Ranked Searchable Encryption with Revocation for Cloud Storage. IEEE
Access 2020, 8, 104344–104356. [CrossRef]
26. Miller, G.A. Wordnet: A lexical database for English. Communications. ACM 1995, 38, 39–41. [CrossRef]
27. Wang, C.-J.; Luo, J.-F. A Key-policy Attribute-based Encryption Scheme with Constant Size Ciphertext. In Proceedings of the
2012 Eighth International Conference on Computational Intelligence and Security, Guangzhou, China, 17–18 November 2012;
pp. 447–451. [CrossRef]
28. Cao, N.; Wang, C.; Li, M.; Ren, K.; Lou, W. Privacy-Preserving Multi-Keyword Ranked Search over Encrypted Cloud Data. IEEE
Trans. Parallel Distrib. Syst. 2013, 25, 222–233. [CrossRef]
29. Aritomo, D.; Watanabe, C.; Matsubara, M.; Morishima, A. A Privacy-Preserving Similarity Search Scheme over Encrypted Word
Embed-Dings; Association for Computing Machinery: New York, NY, USA, 2019; pp. 403–412, iiWAS2019. [CrossRef]
30. Fan, J.; Vercauteren, F. Somewhat practical fully homomorphic encryption. IACR Cryptol. ePrint Arch. 2012, 144.
31. Gentry, C. A Fully Homomorphic Encryption Scheme. Ph.D. Thesis, Stanford University, Stanford, CA, USA, 2009; aAI3382729.
Cryptography 2023, 7, 28 18 of 18

32. Yu, J.; Lu, P.; Zhu, Y.; Xue, G.; Li, M. Toward Secure Multikeyword Top-k Retrieval over Encrypted Cloud Data. IEEE Trans.
Dependable Secur. Comput. 2013, 10, 239–250. [CrossRef]
33. Sun, J.; Ren, L.; Wang, S.; Yao, X. Multi-Keyword Searchable and Data Verifiable Attribute-Based Encryption Scheme for Cloud
Storage. IEEE Access 2019, 7, 66655–66667. [CrossRef]
34. Waters, B. Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In International
Workshop on Public Key Cryptography; Springer: Berlin/Heidelberg, Germany, 2011; pp. 53–70.
35. William, W.; Cohen, M.L.D.C. Enron Email Dataset. Tech. Rep. 2015. Available online: https://www.cs.cmu.edu/enron/ (accessed
on 10 May 2023).

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual
author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to
people or property resulting from any ideas, methods, instructions or products referred to in the content.