MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

Riccardo Longo

1 a

, Enrico Sorbera

1 b

and Valeria Vicard

2 c

Fondazione Bruno Kessler, Center for Cybersecurity, Trento, Italy

Adverity GmbH, Vienna, Austria

Keywords:

Searchable Encryption, Attribute-Based Encryption, Multi-Keyword Search.

Abstract:

In this work we present MK-SEAC, a scheme that allows to perform outsourced keyword-based search queries

on an encrypted document batch, with native support to multi-keyword queries, ﬁne-grained access control on

the results, and full veriﬁability. The scheme conceals both the query and the results from the server, and

minimizes the information revealed about documents to which users do not have access. Compared to other

schemes, such as SEAC by Nils L

oken, MK-SEAC offers extended improved efﬁciency with a reduced leakage

proﬁle.

1 INTRODUCTION

Searchable Encryption (SE) (Song et al., 2000), in-

troduced by Song et al. in 2000, consists of a set of

algorithms that allow users to delegate the storage of

encrypted documents on a remote location while re-

taining the ability to search for speciﬁc data without

the need ﬁrst to decrypt them. Since then, various

schemes have been presented, each introducing valu-

able properties. In particular, we are going to focus on

a context in which each document is described by a set

of keywords, and the search operation is performed

utilizing these keywords. More precisely, we would

like to include multiple keywords in a single query

and ﬁnd only documents that feature all the speciﬁed

keywords. Additionally, we would like our scheme to

guarantee the veriﬁability of the search results, that is,

in response to a search query, the user receives from

the server a set of results that includes all the informa-

tion necessary to prove its completeness and correct-

ness.

Moreover, we would also like to enforce ﬁne-

grained access control on the set of results. In fact,

in several practical scenarios, the data should be ac-

cessible by a wide variety of users, with a poten-

tially vast number of different access requirements.

A common solution to this problem is provided by

Attribute-Based Encryption (ABE). This type of en-

https://orcid.org/0000-0002-8739-3091

https://orcid.org/0009-0009-0973-512X

https://orcid.org/0009-0002-4334-1641

cryption scheme was introduced in (Sahai and Waters,

2004) and is used to cryptographically enforce access

control (i.e., users can access a document if and only

if they can decrypt it) in a setting where access poli-

cies are deﬁned on a set of attributes and with for-

mulas on these attributes. The two main paradigms

of ABE are: Key-Policy Attribute-Based Encryption

(KP-ABE) (Goyal et al., 2006), where the documents

are described by sets of attributes, and the user keys

embed access policies that dictate which documents

they will be able to decrypt; and Ciphertext-Policy

Attribute-Based Encryption (CP-ABE) (Bethencourt

et al., 2007), where conversely the user keys embed

attributes that describe the users themselves, while

the ciphertexts embed an access policy that restricts

which users can access them. In our construction, we

use CP-ABE, so we will have a central trusted author-

ity that assigns attributes to users and provides them

with the corresponding keys.

1.1 Related Work

During the last decade, several attempts have been

made to combine SE and ABE, one of the most in-

teresting being (Li et al., 2020), which achieves col-

lusion resistance between the cloud server and search

users and ensures both backward and forward pri-

vacy. Unfortunately, it does not guarantee veriﬁa-

bility and has a computational complexity of O(n

where n is the number of documents. Another impor-

tant work is (Yin et al., 2023), as it supports numeric

attribute comparison in access policies. Its drawbacks

Longo, R., Sorbera, E. and Vicard, V.

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control.

DOI: 10.5220/0013529200003979

In Proceedings of the 22nd International Conference on Security and Cryptography (SECRYPT 2025), pages 443-454

ISBN: 978-989-758-760-3; ISSN: 2184-7711

443

are mainly the lack of backward privacy, veriﬁability,

and fork consistency.

Considering the downsides of these results,

we took inspiration mainly from Nils L

oken’s

SEAC (L

oken, 2017), as it guarantees the veriﬁability

of the search results in a static environment.

The idea behind SEAC is to pre-compute all

search results and insert them in a structure that is

outsourced to an online cloud provider. Following the

structure’s pre-computed paths, the provider can ac-

cess only the ciphertexts of the documents the user

requested. In particular, the structure presented in

SEAC can be thought of as a series of ﬁlters, each

concealing a speciﬁc element from the server. For in-

stance, the ﬁrst one is a Hash Table (HT) where all

the utilized keywords are inserted masked through a

pseudo-random function. Each entry in HT is then

mapped to an encrypted linked list in the next struc-

ture (A), where we have the ABE policies of the doc-

uments that are described with that keyword.

SEAC has been extended by L

oken and Bl

omer to

the dynamic case (i.e., allowing the addition of doc-

uments to the initial document collection), resulting

in dSEAC (Bl

omer and L

oken, 2019), which ensures

Forward and Backward Privacy, as well as Fork Con-

sistency.

Our work aims to improve SEAC by adding native

support for searches over multiple keywords at once

and simultaneously reducing the leakage proﬁle while

retaining full veriﬁability with a reduced total number

of signatures. Intuitively, we ﬁlter immediately with

the access policy: this eliminates the leakage of docu-

ments beyond access rights and allows us to be more

expressive with keyword ﬁltering.

Organization. In Section 2 we give some prelimi-

naries and background information on the primitives

used in our construction, which is presented in detail

in Section 3. In particular, Section 3.1 describes the

supporting structures enabling the encrypted search

and their contents, Section 3.2 describes setup and

user enrollment, Section 3.3 presents how queries are

created and processed, and Section 3.4 shows how the

results can be veriﬁed. Finally, in Section 4 we draw

our conclusions, showing how MK-SEAK improves

on SEAC and some future directions.

2 PRELIMINARIES

2.1 CP-ABE with Key Customization

In a Ciphertext-Policy Attribute-Based Encryption

(CP-ABE) scheme, given a universe of attributes U,

users are associated with an identiﬁer uid and a set of

attributes S ⊆ U. A trusted entity performs the setup,

obtaining the master secret key msk and publishing

the public parameters pp and the public key pk. This

entity then gives to each user a key κ

uid

. We denote

by ABE.Enc

(r) the encryption of message r for the

policy A ⊆ P (U) \

0. A user with key κ

uid

can cor-

rectly decrypt a ciphertext and obtain r if and only if

S ∈ A (i.e. the attributes satisfy the policy).

In our MK-SEAC protocol, we use an instance of

CP-ABE that allows users to customize their keys.

In this kind of CP-ABE protocol (e.g. (Agrawal and

Chase, 2017; Rouselakis and Waters, 2015)) keys can

be seen as composed of individual keys for each at-

tribute. This allows users to easily derive less power-

ful keys that do not present every attribute, and there-

fore they can delegate some of their access privileges

without having to disclose their full key. Our con-

struction requires an IND-CPA CP-ABE scheme.

2.2 Symmetric Encryption and Digital

Signature

Since asymmetric encryption schemes (and ABE in

particular) are quite expensive, a well-established hy-

brid approach (Weber, 2013) is used: the actual con-

tents of the documents are encrypted with a symmet-

ric cipher, using a key k = KDF(r) that is derived by

applying an appropriate key derivation function on a

short random message r, and only r is encrypted with

CP-ABE. In particular, our construction uses an au-

thenticated IND-CCA2 (Sahai, 1999) symmetric ci-

pher, and we denote with Sym.Enc

(m) the encryp-

tion of the message m with the symmetric key k.

Sometimes we will consider separately the authenti-

cation tag of a message m produced with the authenti-

cated symmetric cipher and the key k, in these cases,

we denote it with tag

(m).

To ensure integrity and veriﬁability of the con-

struction (see (Bl

omer and L

oken, 2019) for more

details about veriﬁability), we exploit an EUF-

CMA (Goldwasser et al., 1988) digital signature. We

will denote with Sig

(m) the signing of message m

with secret key sk, and with Ver

(m,σ) the veriﬁca-

tion whether σ is a valid signature for the message m

and the public key pk.

2.3 Pseudo-Random Function

Let KW be a ﬁxed universe of keywords. Follow-

ing the original SEAC (L

oken, 2017), we employ a

pseudo-random function f

() which takes as input

the description of an ABE policy A, a set of keywords

L ⊆ KW (ordered lexicographically to have unique

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

444

representations), and outputs two-byte strings of ﬁxed

length, in particular, the second output has the same

length of a key for the chosen symmetric encryption

scheme.

We require this function to be collision resis-

tant (Hirose, 2022), and the second output should be

indistinguishable from a byte string generated uni-

formly at random. Furthermore, we require that

some collisions on the ﬁrst outputs happen with low

probability, more precisely that, for any L

⊆ L

with

0 ̸= L

̸= L

̸=

0 and | L |≤ T , we have that

P( f

(A,L

)

= f

(A,L

)

) < ε.

Note that such a function can be constructed by

exploiting a hash function with a sufﬁciently long out-

put. In particular, if we model the pseudo-random

ﬁrst output as a uniformly random string of ℓ bytes,

then by the birthday attack (Mosteller, 2006) we

have that the collision probability given 2

inputs is

upper-bounded by 2

2T −8ℓ−1

, so it is sufﬁcient to take

ℓ >

2T −1−log

(ε)

This function is necessary to prevent the Cloud

Provider from getting the set of keywords L

doc

de-

scribing a document, as we will discuss in the next

section. This is possible as f

() can be calculated by

all enrolled users since they receive the secret key k

from the Certiﬁcation Authority, but not by the Cloud

Provider unless it corrupts a user (see Appendix A for

the formal proof of the leakage of the scheme).

3 SCHEME DESCRIPTION

First, let us describe the entities involved:

• Data Owner (DO): a user that owns the Docu-

ment Batch (DB) to be outsourced encrypted on

the cloud.

• Data User (DU): a client of the service, they

generate queries based on keywords and their at-

tributes to be executed by the service provider.

• Cloud Provider (CP): a service provider, it re-

ceives the encrypted database alongside an addi-

tional structure called Index, which allows to cor-

rectly answer the DU’s queries.

• Certiﬁcation Authority (CA): a trusted authority

that is in charge of authenticating the other entities

and distributing the cryptographic keys.

The idea behind MK-SEAC, inspired by SEAC,

is that the DO encrypts the set of documents to be

outsourced. The ﬂow of the protocol is as follows:

1. Each document is characterized by one or more

keywords and a policy that prescribes which at-

tributes are required to access the document.

2. To enable efﬁcient searches on this data, the DO

builds an index I, consisting of multiple linked

structures. Basically, the index pre-computes the

possible searches (queries) that a DU may do and

allows the CP to correctly process and answer

these queries without having access to the plain-

text data.

3. To participate, the DUs have to enroll: the CA as-

signs them the attributes that describe which doc-

uments they are entitled to access, and provides

them with the cryptographic material needed to

construct the queries and decrypt the results.

4. To search for documents, the DUs select a set of

keywords and a subset of their attributes to gener-

ate a query.

5. The CP, upon receiving a query from a DU, ex-

ploits the index to return the ciphertexts of the

documents that are associated with the selected

keywords and whose policy is satisﬁed by the

given attributes.

6. The DU can verify the correctness and complete-

ness of the results, by exploiting data given by the

CP and CA, which is signed by the DO.

3.1 The Index

As we remarked, the Index is the core structure of

our scheme, that enables searching on the encrypted

DB. We now present the building blocks of the index

(which are essentially encrypted dictionaries), in the

order they are visited by the CP when processing a

query:

1. A: the ﬁrst structure enforces attribute-based ac-

cess control. Each node in A serves as an entry

point to all documents that have a given access

policy. By placing this structure right at the begin-

ning (in contrast with SEAC), we limit the leak-

age: a DU will learn nothing about documents to

which they do not have access.

2. K: the second structure is a set of encrypted linked

lists that is in charge of ﬁltering the results de-

pending on the keywords speciﬁed in the query.

3. R: the third structure acts as a sort of router,

that enables efﬁcient multi-keyword searches and

deduplicates data by routing to the same result all

the paths that lead to ﬁles that can be searched in

multiple ways.

4. D: the fourth structure is a set of encrypted linked

lists, each item containing the index of an en-

crypted document fulﬁlling the query and the CP-

ABE encryption of the symmetric key necessary

to decrypt it.

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

445

Figure 1: High-level description of the index I.

5. Σ: the last structure contains all the signatures,

and allows the DU to verify the correctness and

completeness of CP’s answers to their queries.

Figure 1 presents a high-level scheme of the in-

dex’s structures and how they are linked.

3.1.1 Contents of the Index’s Structures

Each document doc in DB is associated with an

anonymous identiﬁer id

doc

, is described by a set of

keywords L

doc

⊆ KW (we suppose KW to be known

in advance to the DO and each of the DUs), and its ac-

cess is regulated by a policy A

doc

⊆ P (A ) \

0. Denot-

ing with ptx

doc

the actual contents of the document,

we have that the complete description is:

doc = (id

doc

,ptx

doc

). (1)

Let us now describe in detail what is contained in

each of the structures composing the Index, starting

with A, which is the ﬁrst structure to be accessed when

evaluating a query.

For each access policy A for which there is a doc-

ument doc ∈ DB such that A = A

doc

, we deﬁne an

entry in A:

= (A,ABE.Enc

), Sym.Enc

KDF(r

)



A,1



(2)

where id

A,1

is an index in K. Basically, A maps every

policy to a hybrid ABE encryption of a pointer to a

linked list inside the next structure K, more precisely

to the index of the ﬁrst element of the linked list. Note

that the CP can decrypt this index only if it is given an

ABE secret key that satisﬁes the policy: this assures

that the DUs that do not have access to the documents

with this policy will not be able to produce queries

that give the CP the ability to decrypt this index, and

thus they will not learn anything. Note that our nota-

tions explicit the link between the identiﬁer id

A,1

, a

policy A, and a set of keywords L

A,1

, but in reality,

the value of the index does not reveal anything about

this association.

The linked lists K are organized following the par-

titions on DB induced by the distinct access policies

and sets of keywords associated with the documents.

More precisely, in K there is a linked list for each dis-

tinct access policy (and we saw how A helps the CP to

navigate to the start of the linked list given a policy),

then each element inside a single list is associated to a

different set of keywords. Formally, let us enumerate

the distinct sets of keywords associated with the doc-

uments with a given access policy: {L

A,1

,. ..L

A,t

} =

{L : ∃ doc ∈ DB s.t. A

doc

= A, L

doc

= L}, then for

i ∈ {1,. .. ,t

} we have that the i-th entry of the linked

list associated to A has index id

A,i

and value:

A,i

: Sym.Enc

KDF(r

)



A,i+1

,pad

A,i

,pad

A,i



(3)

where id

A,i+1

is the identiﬁer of the next element in

the list, that is associated with another set of key-

words L

A,i+1

. To signal the end of the list we set

A,t

= ⊥, where ⊥ is a special value. The values

pad

A,i

,pad

A,i

are two randomly generated byte

strings with the same length as the pseudo-random

function f

(), they will be used to derive links and

keys to access the following structure R. Note that the

entire entry is encrypted with the same key derived

from the ABE encryption found in A.

If a DU searches for documents matching a set

of keywords L

′

, then a document associated with the

set L ⊇ L

′

should show up in the results if the user

can access the document. This means that a doc-

ument with keywords L

doc

should be found starting

from any set L ⊂ L

doc

. However, for efﬁciency rea-

sons, we want to link each doc ∈ DB only once in the

pre-computed search result characterized by the pair

doc

). This is a major difference with respect to

SEAC, which gives a consistent efﬁciency gain. In or-

der to enable the retrieval with any subset, we exploit

the routing structure R which has an entry for each

subset but then makes each of them re-converge to the

same entry in the following structure D. This allows

multiple search paths with minimal duplicate data. In

particular we exploit the pads pad

A,i

,pad

A,i

and

the pseudo-random function f

() to deﬁne for each

′

∈ P (L

A,i

) \

0 a pair (ptr

A,i

′

A,i

′

) that gives a

pointer in R and a symmetric key to decrypt the corre-

sponding entry:

(ptr

A,i

′

A,i

′

):= f



A,L

′



⊕(pad

A,i

,pad

A,i

(4)

where the xor operation ⊕ is performed component-

wise. Note that this construction implies that in-

dexes in R are byte strings of ﬁxed length and that

the properties of f

() (see Section 2.3) assure that

we derive secure keys and that, with high probability,

ptr

A,i

̸= ptr

A,i

for L

∈ P (L

A,i

0, L

̸= L

As anticipated, the third structure R routes all the

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

446

different ways to obtain the documents associated

with a set of keywords as a search result (i.e., any

search that speciﬁes a subset of this set) to the same

pointer to these documents. In particular, the informa-

tion necessary to retrieve and decrypt the documents

is stored (encrypted) in D, so R maps the pointers ex-

tracted from K as in Equation (4) to the correct ele-

ments of D, simultaneously providing the key to de-

crypt it. So, for every ptr

A,i

′

where

0 ̸= L

′

⊆ L

A,i

in R we have the association:

ptr

A,i

′

: Sym.

Enc

A,i

′



ptr

A,i



, (5)

where id

doc

A,i

is the pointer to the ﬁrst element of an

encrypted linked list in D, k

A,i

is the key to decrypt the

elements of that list, and Sym.

Enc() is the symmetric

encryption function modiﬁed with the CTX construc-

tion (Chan and Rogaway, 2022) (where the authenti-

cation tag is substituted by a hash of key, nonce, and

tag) to have key commitment. This variant assures

that a valid decryption is obtained only with the cor-

rect key, in particular, we are assured that we will not

succeed in decrypting entries in R with the wrong key,

and this will allow the CP to process queries correctly

(see Section 3.3.2).

Finally, in D we have an entry for each doc ∈ DB,

organized in linked lists where each list gathers all the

documents that share the same access policy and set

of keywords (and thus a correct response to any search

query will always return either none of them or all of

them together). Formally, let us enumerate the ids of

the documents with access policy A associated with

the set of keywords L

A,i

doc

A,i

,. ..,id

doc

A,i



doc

: ∃doc ∈ DB s.t. A

doc

= A, L

doc

= L

A,i



, (6)

then for j ∈ {1,...,t

A,i

} we have that the j-th entry

of the linked list is:

doc

A,i

, j

: Sym.Enc

A,i



doc

A,i

, j+1

,abe

A,i

, j

Sym.Enc

KDF



A,i





A,i

, j





, (7)

where abe

A,i

, j

is a byte string of ﬁxed length (equal

to the longest ABE encryption among all access poli-

cies actually used in DB) that, for j > 1 is simply a

string of zeros, while for j = 1 it encodes the (possi-

bly padded) encryption ABE.Enc

doc



A,i



. A

A & read is a stricter policy enriched with the at-

tribute read that prevents the CP to decrypt the docu-

ments (see Section 3.3.1). This string serves to avoid

duplicate encryptions, and, without revealing (with

the length of the ciphertext) which entries of D are

the start of the lists, it lets the DU recover the random

value r

A,i

from which they can derive the symmetric

key to decrypt all the per-document keys in the list: in

fact in the encrypted DB we ﬁnd the documents saved

as:

doc

A,i

, j

: Sym.Enc

A,i

, j



ptx

doc

A,i

, j



. (8)

As in K, we signal the end of the list by setting

doc

A,i

= ⊥.

3.1.2 Signatures

The last structure of the index, Σ, contains the veriﬁ-

cation data, used to check the accuracy and complete-

ness of the search results. In Σ we have, for every

policy A mentioned in DB:

A : (check

,Sig

uid

(check

)), (9)

where uid

identiﬁes the DO that uploaded the DB,

uid

its private signing key, and

check

ABE.Enc

Sym.Enc

KDF

(

)



uid



A,i

,t d

[



i=1



t d

[

:= H



tag

A,i

, j

(ptx

doc

A,i

, j

)



A,i

j=1



(10)

is basically an ABE hybrid encryption that allows the

DUs to see which sets of keywords are associated with

at least one document with access policy A, and for

each of these sets gives the hash of the concatenation

of all the authentication tags of each document that

is associated to that set of keywords and policy. As

we will see in Section 3.4, these values will enable

veriﬁability. Note that a straightforward encryption

leaks the length of the plaintext, which in this case

gives away how many different sets of keywords are

associated with every policy. To avoid this we pad the

plaintexts so that the size of each check

is the same

for every A.

3.2 Enrollment

The CA is responsible for authenticating and en-

rolling the users (the DO and the DUs), and maintain-

ing a public structure (CL) that acts as a public key

infrastructure and allows the CP to authenticate users.

After running the Setup of the CP-ABE scheme (Sec-

tion 2.1, the CA initializes CL with the public param-

eters pp and the public key pk.

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

447

When a user asks to enroll in the system, ﬁrst of

all, they are associated with a unique identiﬁer uid.

The user is supposed to have autonomously generated

a signing key pair (sk

uid

,pk

uid

), and to send pk

uid

with

the enrollment request. The CA associates the user to

an appropriate set of attributes A

uid

that describes the

user’s roles and permissions and generates the user’s

ABE secret key κ

uid

∪{read}

. Finally, the CA sends

back to the user the shared user key k

and the CP-

ABE secret key κ

uid

∪{read}

, and publishes in CL the

association uid : pk

uid

The contents of CL should be signed by the CA

to ensure authenticity. A simple approach would be

to sign each entry separately, however, more complex

designs akin to Certiﬁcate Transparency Logs (Lau-

rie, 2014) may bring desirable features such as batch

signing, or monitoring and accountability (i.e., inde-

pendent monitors and co-signers can help in keeping

the CA honest).

3.3 Search Queries

Noticing that the set of used access policies {A :

∃doc ∈ DB s.t.A

doc

= A} is publicly available as the

indexes of A, we order its elements into a Policy List

PL and assume that it is distributed to every enrolled

user (signed by the CA to ensure authenticity). This

does not worsen the leakage proﬁle, since CP-ABE

ciphertexts already leak the associated policy.

At a high level, a query is characterized by a set

of keywords L ⊆ KW and the set of attributes A ⊆ U

that the DU wants to use for the search, looking for all

documents that are associated to those keywords and

that can be accessed with that attribute set:

{doc ∈ DB s.t. L ⊆ L

doc

∧ A ∈ A

doc

}. (11)

Our privacy requirements are that the CP should not

learn the contents of the documents that match the

query, nor the set of keywords L.

3.3.1 Query Generation

Let



A,i



i=1

be the list of policies that are satisﬁed

by the set of attributes A ⊆ U, taken in the same order

as they appear in PL. A query payload for the set of

keywords L ⊆ KW and the set of attributes A ⊆ U is

computed as:

Q =



uid

, f



A,1



,. .. f



A,n





, (12)

where uid is the identiﬁer of the DU that is making the

query. Note that the properties of CP-ABE (see Sec-

tion 2.1) assure that the DU is only able to generate

queries for attribute sets A such that A ⊆ A

uid

, i.e.,

users can search only for documents to which they

have access. Note also that in order to prevent the CP

from accessing the documents, we always assume that

read /∈ A . To request the search, the DU sends to the

CP the signed query: (Q,Sig

uid

(Q)).

3.3.2 Query Processing

When the CP receives a query (Q,Sig

uid

(Q)) from a

DU with identiﬁer uid, ﬁrst of all it veriﬁes that the

query comes from an authorized user. The CP obtains

from CL the veriﬁcation key pk

uid

associated with the

user (if the id is not found, the query is ignored be-

cause the user is not enrolled), then uses this key to

verify the signature Sig

uid

(Q).

Once the request has been authenticated, the CP

follows the order given by PL to visit the entries in A

and decrypt those that can be accessed with κ

uid

. Note

that usually the set of attributes A is encoded inside

the ABE private key, so it is not necessary to try to

decrypt every entry in A, and that the CP decrypts the

entries associated to (A

A,1

,. ..,A

A,n

) in order.

Each of these successful decryptions gives the in-

dex to an entry in K (see Equation (2)), which (once

decrypted) eventually gives a list of pair of pads (see

Equation (3)): one for each of the sets of keywords

associated to that policy.

Let A be the policy currently used, i.e., we

have decrypted the entry in A associated with A

and from K we have obtained the list of pairs



(pad

A,1

,pad

A,1

),. ..,(pad

A,t

,pad

A,t

)



For each of these pairs, the CP computes

(A,L) ⊕ (pad

A,i

,pad

A,i

), where f

(A,L)

is taken from Q, and interprets the result as a

pointer to an entry in R and the key to decrypt it

(see Equation (4)). Then, the CP searches in R the

entry corresponding to this pointer and (if it exists)

tries to decrypt it with the aforementioned key. By

construction of R (see Equation (5)), the CP obtains

a valid pointer and a valid decryption if and only if

L ⊆ L

A,i

(i.e. the set of keywords is a match), and the

value obtained by the decryption encodes a pointer to

an entry in D and the key to decrypt it.

By decrypting that entry (and following the linked

list), the CP obtains a CP-ABE encryption of the

key-encrypting key and a list of pairs consisting of

a pointer to an encrypted document in the DB and the

wrapping of the key to decrypt it (see Equation (7)).

The CP fetches the ciphertexts from the DB (see

Equation (8)) and appends to the list of results the CP-

ABE-wrapped Key-Encrypting Key (KEK) and all the

ciphertexts together with the corresponding wrapped

key. When all the results have been retrieved, the CP

adds, for veriﬁability reasons, all the entries in Σ cor-

responding to the visited policies (A

A,1

,. ..,A

A,n

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

448

Note that the DU is able to obtain the KEK from

the CP-ABE wrapping, and with this to obtain all the

document keys, therefore to decrypt all the documents

in the results.

3.4 Veriﬁability

As previously mentioned, a desirable property is to

allow the DU to verify the completeness and correct-

ness of the results returned by the CP on processing

their search queries. In practice, the DU should be

able to verify that in response to the query Q as in

Equation (12), the CP sends a result that gives the set

of documents deﬁned in Equation (11). Let us now

prove that the data taken from Σ ensures the veriﬁa-

bility of the results.

First, note that the unforgeability of the signatures

assures that the CP cannot tamper with the data in Σ,

and that the DU knows, thanks to PL, which elements

of Σ should be returned within the query response.

Then, note that the DU should be able to correctly de-

crypt the check

, and the corresponding plaintext al-

lows to verify that it is the correct entry (CP-ABE en-

cryptions contain the policy) and that it has been cre-

ated by the DO (the symmetric encryption provides

the user identiﬁer, that can be used to get the veriﬁca-

tion key form CL).

At this point, the DU organizes the documents re-

ceived according to the partition induced by the dis-

tinct access policies and sets of keywords associated

with them. For each policy A let (L

A,1

,. ..,L

A,t

) be

the list of set of keywords given by the decryption of

check

(see Equation (10)). Now, for each L

A,i

such

that L ⊆ L

A,i

, the DU concatenates the authentication

tags (from the authenticated symmetric encryptions)

of all the documents in the results that are associated

with L

A,i

. This concatenation follows the same (arbi-

trary, but pre-determined) order of the document iden-

tiﬁers used in Equations (6), (7) and (10). This byte

string is then hashed and the result is compared with

the digest contained in check

: if the two correspond

then we are sure that the results included all the doc-

uments with policy A and set of attributes L

A,i

, and

also that these documents have not been modiﬁed af-

ter the DO has uploaded them and created the entry in

Σ. Therefore, by performing the checks for every pol-

icy and corresponding sets of attributes, the DU can

indeed check the correctness and completeness of the

results.

Finally, we require the DO to sign the whole index

and all encrypted documents. This signature will be

kept by the CA and gives to the DO full responsibility

on the data (a malicious DO could blame the CP for

data malformed at origin).

3.5 Security

MK-SEAC has a quite permissive threat model,

where only one entity is supposed truly honest.

Speciﬁcally, our assumptions are the following:

• The DO is assumed to delete its data once the en-

crypted batch and the Index have been uploaded

on the cloud. To search for data it should act as a

simple DU. Note that the DO signs everything, so

it can be blamed for a poorly computed index or

corrupted encrypted data.

• The DUs can be corrupted, the leakage proﬁle

is analyzed in Appendix A. Note that colluding

users cannot access more data than the union of

what they could read individually.

• The CP can be malicious, in the sense that any

deviation from the proscribed behaviour is de-

tectable.

• The CA is assumed to be honest. This assump-

tion could be mitigated by decentralizing this

role through secure multiparty computation tech-

niques, which are outside of our scope.

This model is stronger compared to the one

in (L

oken, 2017), where the CP has to be honest but

curious to ensure the completeness of search results,

and a malicious DO could upload corrupted data and

blame the CP for the incorrectness of search result.

4 CONCLUSIONS

We have presented a novel protocol that combines

Searchable Encryption and Attribute-Based Encryp-

tion to enable easier retrieval with ﬁne-grained pri-

vacy and access control in remote storage. Simi-

larly to SEAC, MK-SEAC allows the outsourcing of a

searchable document collection to a third party with-

out compromising data conﬁdentiality. Both static

protocols ensure the completeness of the search re-

sults and the secrecy of the keywords. The main con-

tributions of our work are native support for searches

over multiple keywords at once, rather than the single-

keyword query permitted by SEAC, while consider-

ing a stronger threat model (see Section 3.5) and re-

ducing the leakage proﬁle of the structure (see Ap-

pendix A). These improvements come at the cost of

a new structure R, whose size grows exponentially

with the number of keywords that describe a single

document, although every single entry has a quite

small size. The construction also retains full veriﬁ-

ability while reducing the total number of signatures

required. The overall efﬁciency in terms of crypto-

graphic operations needed to upload a batch, process-

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

449

ing a query operation, and verifying a set of results is

similar to the one in SEAC (see Appendix B).

Optimizations. The multi-keyword searches en-

abled by MK-SEAC are effectively queries where

the individual keywords are combined with a logi-

cal AND. In SEAC, the same result can be achieved

by making a query for each single keyword and then

combining the results by intersecting the individ-

ual responses. Besides the straightforward efﬁciency

gains offered by MK-SEAC, obtained by performing

a single query instead of multiple ones followed by

post-processing, another beneﬁt is the reduced leak-

age. In fact, MK-SEAC does not reveal anything

about which documents are associated with a single

keyword (not even in a masked form as in SEAC) un-

less a user speciﬁcally searches for a single keyword,

and also in this case the CP is not able to understand

that the search concerns a singleton instead of a big-

ger set of keywords.

When considering combined queries that use the

logical OR instead of the AND, MK-SEAC still of-

fers some advantages, but to a lesser extent. With

the OR, the individual results should be combined

with a union instead of an intersection, and indeed

this is the standard approach both for SEAC and MK-

SEAC. However, in MK-SEAC it is possible to avoid

some redundant computations by exploiting the parti-

tion on the documents induced by the policies. In fact,

since the control of the policies is performed imme-

diately in MK-SEAC (contrarily to SEAC where the

masked keyword is checked ﬁrst), we can exploit the

fact that the sets of documents associated with differ-

ent access policies are disjoint, and fully parallelize

the search over each policy. Moreover, when com-

bining searches for documents sharing the same pol-

icy A, but characterized by different sets of keywords

and L

, we can note that if, by XORing the pads

found in an entry of K with f

(A,L

), we obtain a

pointer and a key that lead to successful decryption

of an entry in R, then it is useless to xor same pads

with f

(A,L

). In fact, we would either obtain noth-

ing (if L

is not a match) or the same result as before.

Therefore it is sufﬁcient to check again only entries in

K which did not match with previously checked sets.

Future Work. The ﬁrst natural extension, on which

we are already working, is to allow the update of doc-

ument batches in a dynamic setting. While an ap-

proach similar to the one used in dSEAC would ﬁt

our case too, there are hints that many optimizations

are possible, e.g., by craftfully reusing parts of the

indexes in subsequent updates. We are also working

on a proof-of-concept implementation to empirically

test and validate the construction and compare it with

SEAC.

Another feature we would like to introduce is to

optimize searches in a scenario where there is a sec-

ond set of keywords that are supposed to be less sen-

sitive and therefore would require less protection. In

particular, less stringent privacy on these keywords

could allow for more expressive queries on them, such

as interval searches and regular expressions.

An interesting line of work could be exploring

other possibilities regarding the structures of the in-

dex, to improve the efﬁciency or reduce the overhead.

However it should be considered that improvements

are likely to come at the cost of increased leakage,

and there will be time-space tradeoffs. For example,

the aggregation of data in the encrypted linked list K

could reduce overhead but would likely leak the num-

ber of keywords per policy corresponding to at least

one document in the batch. Padding could preserve

time efﬁciency and privacy, at the cost of increased

space. We envision more possibilities in improving

the router R, e.g., by exploiting more sophisticated

cryptographic primitives or via clever tricks. How-

ever, note that currently the structure is already quite

light and the XOR operations are arguably as efﬁcient

as it gets.

Finally, one could investigate the insertion of an

LLM module to improve the labeling of documents

and aid users in generating more accurate and efﬁcient

queries by selecting the best sets of keywords.

ACKNOWLEDGEMENTS

This work was partially supported by the project

”METAfora: Metodologie e tecnologie di rap-

presentazione per il metaverso” (CUP code

B69J23000190005), funded by the Italian Ministero

delle Imprese e del Made in Italy and coordinated

by BIT4ID S.r.l., and by the project SERICS

(PE00000014), under the MUR National Recovery

and Resilience Plan funded by the European Union -

NextGenerationEU.

REFERENCES

Agrawal, S. and Chase, M. (2017). Fame: Fast attribute-

based message encryption. In Proceedings of the 2017

ACM SIGSAC Conference on Computer and Com-

munications Security, CCS ’17, page 665–682, New

York, NY, USA. Association for Computing Machin-

ery.

Bethencourt, J., Sahai, A., and Waters, B. (2007).

Ciphertext-policy attribute-based encryption. In 2007

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

450

IEEE Symposium on Security and Privacy (SP ’07),

pages 321–334.

omer, J. and L

oken, N. (2019). Dynamic searchable

encryption with access control. In Foundations and

Practice of Security: 12th International Symposium,

FPS 2019, Toulouse, France, November 5–7, 2019,

Revised Selected Papers, page 308–324, Berlin, Hei-

delberg. Springer-Verlag.

Chan, J. and Rogaway, P. (2022). On committing

authenticated-encryption. In European Symposium

on Research in Computer Security, pages 275–294.

Springer.

Goldwasser, S., Micali, S., and Rivest, R. L. (1988).

A digital signature scheme secure against adaptive

chosen-message attacks. SIAM Journal on Comput-

ing, 17(2):281–308.

Goyal, V., Pandey, O., Sahai, A., and Waters, B. (2006).

Attribute-based encryption for ﬁne-grained access

control of encrypted data. CCS ’06. Association for

Computing Machinery, New York, NY, USA.

Hirose, S. (2022). Collision-resistant and pseudorandom

function based on merkle-damg

ard hash function. In

Park, J. H. and Seo, S.-H., editors, Information Se-

curity and Cryptology – ICISC 2021, pages 325–338,

Cham. Springer International Publishing.

Laurie, B. (2014). Certiﬁcate transparency: Public, veriﬁ-

able, append-only logs. Queue, 12(8):10–19.

Li, H., Yang, Y., Dai, Y., Yu, S., and Xiang, Y. (2020).

Achieving secure and efﬁcient dynamic searchable

symmetric encryption over medical cloud data. IEEE

Transactions on Cloud Computing, 8(2):484–494.

oken, N. (2017). Searchable encryption with access con-

trol. Proceedings of the 12th International Conference

on Availability, Reliability and Security.

Mosteller, F. (2006). Understanding the Birthday Problem,

pages 349–353. Springer New York, New York, NY.

Rouselakis, Y. and Waters, B. (2015). Efﬁcient statically-

secure large-universe multi-authority attribute-based

encryption. In B

ohme, R. and Okamoto, T., editors,

Financial Cryptography and Data Security, pages

315–332, Berlin, Heidelberg. Springer Berlin Heidel-

berg.

Sahai, A. (1999). Non-malleable non-interactive zero

knowledge and adaptive chosen-ciphertext security. In

40th Annual Symposium on Foundations of Computer

Science (Cat. No.99CB37039), pages 543–553.

Sahai, A. and Waters, B. (2004). Fuzzy identity based en-

cryption. Cryptology ePrint Archive, Paper 2004/086.

Song, D. X., Wagner, D., and Perrig, A. (2000). Practical

techniques for searches on encrypted data. In Pro-

ceeding 2000 IEEE Symposium on Security and Pri-

vacy. S&P 2000, pages 44–55.

Weber, S. G. (2013). Designing a hybrid attribute-based en-

cryption scheme supporting dynamic attributes. Cryp-

tology ePrint Archive, Paper 2013/219.

Yin, H., Li, Y., Deng, H., Zhang, W., Qin, Z., and Li, K.

(2023). Practical and dynamic attribute-based key-

word search supporting numeric comparisons over en-

crypted cloud data. IEEE Transactions on Services

Computing, 16(4):2855–2867.

APPENDIX

A Leakage in MK-SEAC

In this section, we want to describe the leakage that

our scheme incurs, considering an adversary that can

take control of the server and is able to corrupt users.

We describe such leakage through three leakage func-

tions.

The ﬁrst one (Equation (13)) depicts the leakage

of enrolling an honest user, that simply coincides with

the user identiﬁer uid, which is published by the CA.

In MK-SEAC the leakage of corrupting an hon-

est user or enrolling a dishonest one coincides (Equa-

tion (14)), and it contains the private information of

the user and all the data the adversary can derive.

In particular, the adversary obtains the user’s iden-

tiﬁer uid and their set of attributes A

uid

. Using the

user’s private ABE keys, the server can decrypt part

of the index, discovering the linking between a doc-

ument doc, its identiﬁer id

doc

, and its keywords L

doc

for each document doc in the batch that is accessible

by the corrupted user. Similarly, taking advantage of

the knowledge of the private key κ

uid

, the adversary

can decrypt some nodes in Σ, ﬁnding out, for each

pair of policy and set of keywords, the digest of the

concatenation of the tags of the corresponding docu-

ments. Moreover, since the adversary knows the pri-

vate key k

, it can generate the pseudo-random func-

tion f

doc

The next leakage function (Equation (15)) de-

scribes the leakage caused by the DO updating a doc-

ument batch. Here, the adversary learns the encrypted

index, and therefore the cardinality of its structures.

In particular, from the cardinality of D, the adversary

learns the number of documents in DB

The last leakage function (Equation (16)) de-

scribes the leakage caused by searches. By sending

a query, the user leaks their identiﬁer uid and the sub-

set of their attributes used in the query, A. Then, by

processing the query, the adversary discovers the eval-

uation f

) and the binding between the identi-

ﬁer of the document id

doc

and its access policy A

doc

for each document doc in the batch that satisﬁes the

query.

The proof of the following theorem is inspired

by (L

oken, 2017) and constructs a real experiment

Real and a simulated one Sim. The idea is to prove

that an adversary is unable to distinguish between

them unless it is able to break either the symmetric or

the ABE encryption. The strategy consists of having

This leakage could be mitigated by inserting dummy

entries in D.

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

451

(U) = uid (13)

COR

(uid) =







(uid, A

uid

{doc, id

doc

, L

doc

: doc ∈ DB} ∧ A

uid

satisﬁes A

doc

{A,L, H({tag

(ptx

doc

) ∈ DB : A

doc

= A, L

doc

= L}) : A

uid

satisﬁes A}

{ f

doc

), A

doc

, L

doc

: doc ∈ DB}







(14)

(DC) =



#A, #K, #R, #D, #Σ,

{A : ∃ doc ∈ DB, A

doc

= A}



(15)

(uid,A,{A

}

i∈{1,...,k}

) =





(uid, A),

{ f

) : i ∈ {1, ...,k}},

{ f

doc

), id

doc

, A

doc

: doc ∈ DB ∧ L

doc

⊃ L

∧ A

uid

sat. A

doc

}





(16)

the simulated experiment gradually take over compu-

tations originally performed by the real one, in a se-

ries of hybrid scenarios.

Theorem A.1. MK-SEAC is (L

COR

semantically secure against static adversaries if in-

stantiated with IND-CPA ciphertext-policy attribute-

based encryption, and IND-CCA2 symmetric encryp-

tion.

Proof. We start by constructing a simulator S such

that, for any polynomial-time adversary A

, if A

is able to distinguish between Real

static

MK−SEAC,A

(k)

and Sim

static

MK−SEAC,A

(k) with non-negligible proba-

bility, then A

breaks the static security of ABE or

Sym’s indistinguishability against eavesdropping at-

tacks. The simulator S can be constructed in this way:

Setup. Compute (pp, pk,msk) ← Setup(1

) and

give pp to A

Index. If no L

COR

(uid) leakage occurs, create

bit strings bs

for each set of keywords occurring

in L

(uid, A, {A

}

i∈{1,...,k}

) leakage, such that

the bit strings bs

are distinct and of length k. If

COR

(uid) leakage occurs, set bs

= L

for each key-

word in L

that occurs in L

COR

(uid). Remember the

mapping from id(L

) to bs

For each set of keywords–access structure pair

,A) that occurs in L

COR

(uid) or implicitly in

(uid, A, {A

}

i∈{1,...,k}

), create an encrypted list

DL[L

,A], using the same symmetric key through the

variation of L

. Add to this list references to docu-

ment ciphertexts from D such that the access struc-

ture of the corresponding plaintext document is A and

the document contains L

according to L

COR

(uid) or

(uid, A, {A

}

i∈{1,...,k}

). Randomly map the list

of DL nodes in an array D

′

of size |D|, and encrypt all

nodes. Remember the list head’s locations and key.

Fill empty array cells D

′

with dummy entries.

For each of the list heads in D

′

, consider the

set of keywords describing the document, L

. For

each element in the power set of L

, except the

empty set, that occurs in L

COR

or implicitly in

(uid, A, {A

,{P

}

j∈J

}

i∈{1,...,k}

), create a node

in RL[L

,A]. Using jolly pointers, map all the new

nodes in RL[L

,A] to the corresponding list head in

′

. Randomly map the list of RL nodes in an array

′

of size |R|, and encrypt all nodes. Remember the

list head’s locations and key. Fill empty array cells R

′

with dummy entries.

For each of the list heads in D

′

, consider

the set of keywords describing the document,

, that occurs in L

COR

(uid) or implicitly in

(uid, A, {A

}

i∈{1,...,k}

). Generate an encrypted

linked list KL[A] and utilize the jolly pointers to map

the list heads’ to all the nodes in RL that contained an

element of the power set of L

beside

0. Randomly

map the list of KL nodes in an array K

′

of size |K|, and

encrypt all nodes. Remember the list head’s locations

and key. Fill empty array cells K

′

with dummy entries.

For each A linked to the set of keywords L

by the

leakage functions, or implicitly publicly known, gen-

erate a node in AL and map them to the corresponding

entries of K

′

. Then randomly map the list of AL nodes

in an array A

′

that should have the exact size |A|, and

encrypt all nodes.

Set Index

′

= (A

′

Ciphertext collection: For each plaintext docu-

ment doc contained in any L

COR

(uid), encrypt doc

under policy A

doc

. For each document doc that occurs

in L

(DC) but not in any L

COR

(uid), encrypt 0

|doc|

under policy A

doc

. Let D

′

be the set of ciphertexts gen-

erated from documents or based on document lengths.

Keys: For each distinct (uid,A

uid

) in

COR

(uid) or in L

(uid,A,{A

}

i∈{1,...,k}

compute the user secret key

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

452

uid

← MK-SEAC.KeyGen(pp,msk,uid,Attr

uid

Trapdoors: For each

(uid, A, {A

}

i∈{1,...,k}

) compute

(uid, L

) ← MK-SEAC.Trpdr(pp, uk

uid

,bs

where uk

uid

was created before and bs

is the same

as in the index generation.

Output: The simulator S outputs (Index

′

the set of user secret keys generated due to

COR

(uid) and the set of trapdoors generated due to

(uid, A, {A

}

i∈{1,...,k}

Hybrids. We denote game Real

static

MK−SEAC,A

(k) by

Hyb

, meaning a hybrid game, partially taken over by

the simulator. Starting in hybrid Hyb

, the simulator

S gets to compute pp. From Hyb

onward, we have S

compute corrupted user’s secret keys. Similarly, start-

ing with Hyb

, S produces the trapdoors requested by

honest users. Computations of D

′

are performed by

S from Hyb

onward. Starting with Hyb

, S gets to

compute the references to lists DL[L

,A] for RL[L

,A].

S takes over the computation of R from Hyb

on-

ward. From Hyb

onward, S takes over the compu-

tation of the references to lists RL[L

,A] for KL[A].

The remaining computations of K are performed by

S from Hyb

onward. From Hyb

onward, S com-

putes the references to list AL for KL[A]. Finally,

from Hyb

onward, S takes over the entire computa-

tion of A. Hence, hybrid Hyb

resembles experiment

Sim

static

MK−SEAC,A

(k).

Indistinguishability of Hybrids. We ﬁrst note that

does not know the key k

for the pseudo-random

function f

() unless A

corrupts some user. In case

corrupts a user, S knows all keywords occurring

in DB from the L

COR

leakage. Then, bs

= L

for

every leaked set of keywords L

. In case A

does not

corrupt a user, it cannot evaluate function f

() on its

own. Nevertheless, the unique choice and consequent

use of bs

ensures the consistency of the simulator’s

answers to queries.

Hybrids Hyb

and Hyb

cannot be distinguished

because the real experiment and S perform the same

computations. For the indistinguishability of Hyb

and Hyb

, we note that if no user is corrupted, i.e.

no L

COR

leakage occurs, the computations of both the

real experiment and S are non-existent in this step.

Otherwise, the simulator executes the same algorithm

on the same inputs as the real experiment. In either

case, Hyb

is indistinguishable from Hyb

. Hybrids

Hyb

and Hyb

are indistinguishable because the sim-

ulator in Hyb

performs the same computations as the

real experiment in Hyb

cannot distinguish D from D

′

, and thus

Hyb

from Hyb

, because, both ABE and Sym are

IND-CPA. Some documents from DB may be asso-

ciated with policies that are satisﬁed by the attributes

of some corrupt user. Such documents are directly en-

crypted in D as well as D

′

by utilizing hybrid encryp-

tion. For all other documents, their respective cipher-

texts in D are computationally indistinguishable from

the encryptions of 0-bit strings of the relevant length

that take their place in D

′

The computational indistinguishability of Hyb

from Hyb

follows, since Hyb

performs the same

computations as the real experiment in Hyb

The computational indistinguishability of Hyb

from Hyb

follows considering that Sym is IND-CPA.

If the adversary corrupts a user, there is no differ-

ence between the real experiment’s remaining compu-

tations of R in Hyb

and the simulator’s corresponding

computation of R

′

in Hyb

. In case the adversary does

not corrupt any user, the arguments for the indistin-

guishability of Hyb

and Hyb

analogously hold for

the indistinguishability of hybrids Hyb

and Hyb

Hybrids Hyb

and Hyb

are indistinguishable be-

cause the simulator in Hyb

performs the same com-

putations as the real experiment in Hyb

Hybrid Hyb

is computationally indistinguishable

from Hyb

since Sym is IND-CPA. Additionally,

() is a pseudo-random function and the bit-wise

XOR of a bit-string x with the image of a pseudo-

random function is a CPA-secure symmetric encryp-

tion scheme. Therefore, dummy entries cannot be dis-

tinguished from non-dummy entries in K and K

′

, un-

less keys for such entries, images of f

(), are known.

can obtain such images either by computing them

using the key of a corrupted user or by extracting the

image from a trapdoor. The former option requires

to corrupt a user (except with negligible proba-

bility), in which case A

can distinguish all dummy

entries from non-dummy entries for both K and K

′

and

the simulation ensures keywords underlying the la-

bels and decryption keys are exactly the same in both

cases. In case the adversary does not corrupt a user,

lacks the keys to f

(), so it cannot check that the

image it holds is an image of the keyword known to

but not to S.

For the indistinguishability of hybrids Hyb

and

Hyb

, we observe that the adversary A

performs the

same computations as the real experiment in Hyb

The computational indistinguishability of Hyb

from Hyb

follows considering that both ABE and

Sym are IND-CPA. If the adversary corrupts a user,

there is no difference between the real experiment’s

remaining computations of A in Hyb

and the simu-

lator’s corresponding computation of A

′

in Hyb

. In

case the adversary does not corrupt any user, the argu-

ments for the indistinguishability of Hyb

and Hyb

MK-SEAC: Multi-Keyword Searchable Encryption with Access Control

453

analogously hold for the indistinguishability of hy-

brids Hyb

and Hyb

In conclusion, all our hybrids are computationally

indistinguishable. Thus, for sufﬁciently large k, no

probabilistic polynomial time adversary A

can dis-

tinguish between experiments Real

static

MK−SEAC,A

(k) by

Hyb

and Sim

static

MK−SEAC,A

(k) with probability non-

negligible in k.

B Efﬁciency of Query Processing

In this section we report the cardinality of the struc-

tures composing the index and the number of crypto-

graphic operations that the DO, the DU and the CP

have to compute in order to upload a batch of docu-

ments and process a query operation respectively.

Let us introduce the following notation:

={A

doc

: doc ∈ DB},

={(A

doc

) : doc ∈ DB}

∑

i=1

| {(A

,L) ∈ A L

} |,

=|{doc ∈ DB : ∃ i s.t. (A

doc

)=(A

)}|.

Then, for what concerns the cardinality of the

structures in the index, we have:

Proposition B.1. Let A

and A L

be deﬁned as

above, then the structures of the index of MK-SEAC

have the following cardinalities:

1. | A | = | A

2. | K | = | A L

3. | D | = | DB |,

4. | Σ | = | A

5. | R | =

∑

(L,A)∈AL



|L|

− 1



Proving this proposition should be straightfor-

ward. Indeed, as previously noted, the pairs of poli-

cies and maximal set of keywords induce a partition

in the set of documents.

Proposition B.2. The number of cryptographic oper-

ations required by a DO to update a batch are:

(| A | + | A L

| + | Σ |) · E

ABE

+ (| A | + | K | + | R | +2 | D | + | DB | + | Σ |) · E

Sym

+ (| Σ |) · S

For the CP to process a query request are needed:

1 · S

+ k · D

ABE

+ (k + 2m

+ m

) · D

Sym

operations, while, for a DU to complete a search, we

require:

1 · S

+ (1 + k) · S

+ (| AL

| +k) · D

ABE

+ (m

+ k) · D

Sym

operations, where S

and S

are respectively the num-

ber of signature generations and veriﬁcations, D

Sym

the number of symmetric decryptions and D

ABE

is the

number of ABE decryptions. While E

ABE

and E

Sym

are the numbers of ABE and symmetric encryptions.

Proof. In updating a batch, the DO has to build the

index and encrypt it. Note that each node in A and

in Σ requires an ABE encryption (see Equations (2)

and (9))

. Moreover, the structure D contains the ABE

encryption of the keys required to retrieve the docu-

ments. Documents that share the same keywords and

policy also share the same key (see Equation (7)), thus

the DO has to compute an ABE encryption for each

pair of policy and set of keywords occurring in the

batch, that is | AL

Then, the DO has to symmetrically encrypt the

remaining structures. All structures require a sym-

metric encryption per node, besides D, which requires

two encryptions. The batch itself is symmetrically en-

crypted. Finally, it has to produce a signature for each

node in Σ.

When processing a query, the CP has to check

the signature of the issuer. Then, it decrypts with

ABE the entries of A corresponding to the k poli-

cies in the query. To visit the inner layers of the

index, it has to symmetrically decrypt the k identi-

ﬁers Sym.Enc

KDF(r

)



A,1



in A to access the cor-

responding lists in K. Then, it decrypts the content of

such lists in K, for a total of m

decryptions. For each

of these nodes, it tries to decrypt the pointed node in R,

which requires m

additional symmetric decryptions.

Whenever this decryption succeeds, it then decrypts

the corresponding nodes in D, for a total of m

nodes.

Finally, the DU has to sign its query. Then, upon

receiving the results, it has to check the signatures of

the CP and one signature for each of the k policies oc-

curring in the query. Then, it has to decrypt in ABE

the ﬁrst entry of the Σ nodes, which are again k, and

the ﬁnal entries of the D nodes that the CP visited dur-

ing the search, that is, abe

A,i

, j

. Finally, it has to de-

crypt a symmetric ciphertext for each node in Σ - to

retrieve the hash of the concatenations of the docu-

ment tags - and each document received.

Since we are using hybrid encryption, note that each

ABE (en/de)cryption requires a symmetric (en/de)cryption,

which are already included in Proposition B.2.

SECRYPT 2025 - 22nd International Conference on Security and Cryptography

454