Zuojie Deng,Kenli Li,Keqin Li,Jingli Zhou

DOI: https://doi.org/10.1016/j.future.2016.05.017

IF: 7.307

2017-01-01

Future Generation Computer Systems

Abstract:Multi-user searchable encryption (MSE) allows a user to encrypt its files in such a way that these files can be searched by other users that have been authorized by the user. The most immediate application of MSE is to cloud storage, where it enables a user to securely outsource its files to an untrusted cloud storage provider without sacrificing the ability to share and search over it. Any practical MSE scheme should satisfy the following properties: concise indexes, sublinear search time, security of data hiding and trapdoor hiding, and the ability to efficiently authorize or revoke a user to search over a file. Unfortunately, there exists no MSE scheme to achieve all these properties at the same time. This seriously affects the practical value of MSE and prevents it from deploying in a concrete cloud storage system. To resolve this problem, we propose the first MSE scheme to satisfy all the properties outlined above. Our scheme can enable a user to authorize other users to search for a subset of keywords in encrypted form. We use asymmetric bilinear map groups of Type-3 and keyword authorization binary tree (KABtree) to construct this scheme that achieves better performance. We implement our scheme and conduct performance evaluation, demonstrating that our scheme is very efficient and ready to be deployed.

Kai Zhang,Xiwen Wang,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2022.3224669

IF: 7.231

2022-12-10

IEEE Transactions on Information Forensics and Security

Abstract:Searchable encryption (SE) is a promising strategy for cloud-based file retrieval services, via structuring correspondences between files and keywords. Public key encryption with keyword search (PEKS) has been generally employed in file-sharing services, as compared to searchable symmetric encryption (SSE). However, PEKS is inherently vulnerable to keyword guessing attacks (KGA) launched by a malicious server. To resist such attacks, classic solutions are dual-server PEKS (DS-PEKS) [TIFS'2015] and server-aided PEKS (SA-PEKS) [TIFS'2016]. However, the query model in these two solutions only support single keyword search pattern, which inevitably limits their wide deployments in practice due to efficiency concern. In this work, we present DSB-SE, a new cloud-based file sharing & retrieval system that supports boolean queries while retaining KGA-resistance. Compared to DS-PEKS and SA-PEKS, the cost of documents searching in DSB-SE is 25, 000 times (resp. 6, 600 times) faster when and , where -term is the least frequent keyword in the query pattern. Technically, the performance gain derives from revisiting traditional boolean SSE by: (i) introducing a pairing-free DDH-based transformation key modular that allows a data reader's query pattern to be treated as a data writer's; (ii) employing the dual-server methodology to support boolean query with efficient validity checks. In particular, the client-to-cloud communication cost for retrieving index of a single document is bounded to , and the cost of sending a token ranges fro- . Nevertheless, DSB-SE is slightly slower than DS-PEKS (but faster than SA-PEKS) for key generation cost. Overall, the experiments show that the DSB-SE is practical and sufficient for real cloud applications, which is conducted over Enron dataset under a real-world cloud platform.

computer science, theory & methods,engineering, electrical & electronic

Kai Zhang,Zhe Jiang,Jianting Ning,Xinyi Huang

DOI: https://doi.org/10.1109/tifs.2022.3172627

IF: 7.231

2022-01-01

IEEE Transactions on Information Forensics and Security

Abstract:Secure cloud search service allows resource-constrained clients to effectively search over encrypted cloud storage. Towards enabling owner-enforced search authorization, the notion of attribute-based keyword search (ABKS) has been introduced and widely deployed in practice. To enhance traditional security of ABKS, two state-of-the-art solutions are presented to address keyword guessing attacks or setup inconsistency for secret key. Nevertheless, they have not simultaneously considered the following threats to a data user: (i) inconsistent secret key/cipher-index caused by outside dishonest authority and/or data owner; (ii) algorithm substitution attacks (ASA) launched by inside adversarial eavesdropping. These attacks may unfortunately lead to cloud data breach and user information exposure. To tackle such outside and inside threats, we introduce subversion-resistance and consistency for secure and fine-grained cloud document search services. In particular, we propose a consistent ABKS system with cryptographic reverse firewalls (CRF). Technically, we refer to verifiable functional encryption and employ non-interactive zero-knowledge proofs of discrete logarithm equality to ensure strong input consistency for ABKS. In addition, we build a trusted CRF zone for sanitizing algorithm outputs against ASA attacks. Moreover, we formalize the security model and formally prove security of our system. To clarify practical performance, we implement state-of-the-art solutions and our system in real cloud environment based on Enron dataset. The results show that our system achieves more enhanced security properties without obviously sacrificing performance. In particular, our system achieves comparable time and storage cost for document-index encryption and document search, as compared to state-of-the-art solutions.

Fucai Luo,Haiyan Wang,Changlu Lin,Xingfu Yan

DOI: https://doi.org/10.1109/tifs.2023.3301740

IF: 7.231

2023-08-19

IEEE Transactions on Information Forensics and Security

Abstract:The widespread adoption of cloud computing and the exponential growth of data highlight the need for secure data sharing and querying. Attribute-based keyword search (ABKS) has emerged as an efficient means of searching encrypted data stored in the cloud. However, existing ABKS schemes incur high end-to-end delay and are vulnerable to quantum computer attacks and/or (insider) keyword guessing attacks (KGA). To address these vulnerabilities, this paper introduces a new concept called attribute-based authenticated encryption with keyword search (ABAEKS) and proposes an efficient ABAEKS scheme. Our ABAEKS has low end-to-end delay, and is resistant to both quantum computer attacks and (insider) KGA. In addition, we formalize the security model of ABAEKS system and prove its security in the random oracle model. Finally, we conduct a comprehensive performance evaluation of ABAEKS, and the experimental results show that our ABAEKS is computationally efficient and outperforms current state-of-the-art ABKS schemes.

computer science, theory & methods,engineering, electrical & electronic

Kai Chen,Zhongrui Lin,Jian Wan,Lei Xu,Chungen Xu

DOI: https://doi.org/10.48550/arXiv.1908.02784

2019-08-07

Cryptography and Security

Abstract:Searchable symmetric encryption (SSE) for multi-owner model draws much attention as it enables data users to perform searches over encrypted cloud data outsourced by data owners. However, implementing secure and precise query, efficient search and flexible dynamic system maintenance at the same time in SSE remains a challenge. To address this, this paper proposes secure and efficient multi-keyword ranked search over encrypted cloud data for multi-owner model based on searching adversarial networks. We exploit searching adversarial networks to achieve optimal pseudo-keyword padding, and obtain the optimal game equilibrium for query precision and privacy protection strength. Maximum likelihood search balanced tree is generated by probabilistic learning, which achieves efficient search and brings the computational complexity close to $\mathcal{O}(\log N)$. In addition, we enable flexible dynamic system maintenance with balanced index forest that makes full use of distributed computing. Compared with previous works, our solution maintains query precision above 95% while ensuring adequate privacy protection, and introduces low overhead on computation, communication and storage.

Xu Yang,Qiuhao Wang,Saiyu Qi,Ke Li,Jianfeng Wang,Wenjia Zhao,Yong Qi

DOI: https://doi.org/10.1109/tnse.2024.3445343

IF: 6.6

2024-01-01

IEEE Transactions on Network Science and Engineering

Abstract:Data outsourcing is a key service of cloud computing. While data encryption ensures confidentiality, it limits the ability to search encrypted data. Recently, ciphertext-policy attribute-based keyword search(CP-ABKS)schemes, which combine symmetric searchable encryption (SSE) and ciphertext policy attribute-based encryption (CP-ABE), have gained attention. However, most CP-ABKS schemes depend on an independent key management server (KMS) for key distribution, risking key leakage if the KMS is compromised. Additionally, these schemes lack secure update operations and efficient search result verification. To address these issues, we propose VKSA, a verifiable encrypted keyword search scheme with authorization for cloud-based multi-client environments. VKSA features a novel policy-hidden index for proxy-free authorized searches, a state-based secure update strategy for forward and backward security, and a delegated search result verification mechanism to ensure efficient and privacy-preserving verification. We further optimize VKSA for improved computational and enclave-storage efficiency. Security analysis and experiments confirm the security and efficiency of our schemes.

Lixue Sun,Chunxiang Xu,Yuan Zhang

DOI: https://doi.org/10.1016/j.jisa.2018.03.002

IF: 4.96

2018-01-01

Journal of Information Security and Applications

Abstract:Searchable symmetric encryption (SSE) allows one to outsource a collection of encrypted documents to a remote server, and later conduct keyword searches on these encrypted documents, while revealing minimal information to the server. Most existing SSE schemes are only proved adaptively secure against the untrusted server in the random oracle model. To enhance security, we consider the security in the standard model when designing an SSE scheme. We extend the OXT protocol of Cash et al. to support arbitrary boolean query in multi-client setting while achieving update of documents. Our scheme realizes access control on documents without requiring per-query interaction between the data owner and each client. In addition, we give a new effective T-set instantiation, which supports update of the index files. Besides, our scheme achieves provable security against adaptive adversarial server and malicious clients in the standard model. Finally, performance analysis shows the applicability of our scheme. (C) 2018 Elsevier Ltd. All rights reserved.

Xi Zhang,Cheng Huang,Ye Su,Jing Qin

DOI: https://doi.org/10.1109/tsc.2024.3442558

IF: 11.019

2024-10-11

IEEE Transactions on Services Computing

Abstract:In this paper, we propose a Mergeable Searchable Symmetric Encryption (MSSE) scheme to enable secure keyword search and updates over encrypted cloud data. Particularly, MSSE allows flexible keyword merging, where users can remotely merge file identifiers associated with keywords to create new keyword-to-file identifier relationships. The function is designed for a user to manage their outsourced data conveniently. To this end, we first introduce a new encrypted index where each keyword's relevant file identifiers are grouped, encoded, and encrypted with super-increasing sequences and homomorphic encryption. With such an index, users leverage Distributed Multi-point Functions (DMPFs) to achieve secure keyword search and merge, maintaining efficiency while ensuring high privacy. To address the issue of maintaining "merging consistency" between pre-merged entries and newly updated entries, we employ the DMPF on clusters that incorporate the updated files. The approach significantly minimizes client-side computational overhead compared to re-executing the entire keyword merging process. We formally prove that MSSE can achieve parallel privacy. Extensive performance evaluation shows that MSSE is efficient in terms of computational and communication overheads.

computer science, information systems, software engineering

Zhenkui Shi,Xuemei Fu,Xianxian Li,Kai Zhu

DOI: https://doi.org/10.1109/tkde.2020.3025348

IF: 9.235

2020-01-01

IEEE Transactions on Knowledge and Data Engineering

Abstract:Symmetric Searchable Encryption(SSE) is deemed to tackle the privacy issue as well as the operability and confidentiality in data outsourcing. However, most SSE schemes assume that the cloud is honest but curious. This assumption is not always applicable. And even if some schemes supported verification, integrity or freshness checking in a malicious cloud, but the performance and security functionalities are not fully exploited. In this paper, we propose an efficient SSE scheme based on B+-Tree and Counting Bloom Filter (CBF) which supports secure verification, dynamic updating, and multi-user queries. Comparing with the previous state of the arts, we design the new data structure CBF to support dynamic updating and boost verification. We also leverage the timestamp mechanism in the scheme to prevent the malicious cloud from launching a replay attack. The new designed CBF is like a front-engine to save user's cost for query and verification. And it can achieve more efficient query and verification with negligible false positive when there is no value matching the queried keyword. The CBF supports efficient dynamic updating by combining Bloom Filter with a one-dimensional array that provides the counting capability. Furthermore, we design the authenticator for CBF. We adopt B+-Tree for it is widely used in many database engines and file systems. We also give a brief security proof of our scheme. Then we provide a detailed performance analysis. Finally, we evaluate our scheme through comprehensive experiments. The results are consistent with our analysis and show that our scheme is secure, and more efficient compared with the previous schemes with the same functionalities. The average performance can be improved by about 20 percent for both the cloud servers and users when the missing rate of the searching keywords is 20 percent. And the higher the missing rate is, the more the performance can be improved.

Shangping Wang,Xiaoxue Zhang,Yaling Zhang

DOI: https://doi.org/10.1371/journal.pone.0167157

IF: 3.7

2016-11-29

PLoS ONE

Abstract:Cipher-policy attribute-based encryption (CP-ABE) focus on the problem of access control, and keyword-based searchable encryption scheme focus on the problem of finding the files that the user interested in the cloud storage quickly. To design a searchable and attribute-based encryption scheme is a new challenge. In this paper, we propose an efficiently multi-user searchable attribute-based encryption scheme with attribute revocation and grant for cloud storage. In the new scheme the attribute revocation and grant processes of users are delegated to proxy server. Our scheme supports multi attribute are revoked and granted simultaneously. Moreover, the keyword searchable function is achieved in our proposed scheme. The security of our proposed scheme is reduced to the bilinear Diffie-Hellman (BDH) assumption. Furthermore, the scheme is proven to be secure under the security model of indistinguishability against selective ciphertext-policy and chosen plaintext attack (IND-sCP-CPA). And our scheme is also of semantic security under indistinguishability against chosen keyword attack (IND-CKA) in the random oracle model.

Zhirong Shen,Jiwu Shu,Wei Xue

DOI: https://doi.org/10.1109/jsen.2016.2634018

IF: 4.3

2016-01-01

IEEE Sensors Journal

Abstract:Cloud computing has become an increasingly popular service for data storage and processing. To keep users' data on the cloud from leaking to unauthorized users, probably including the cloud service providers, the data must be stored in an encrypted form. In the meantime, for data intended for sharing, an efficient access control must be provided. A common operation on the data is keyword search. Currently, search operation over encrypted search is performed at the cloud servers and access control for the in-cloud data is usually enforced by users. Separation of the two types of operations can lead to reduced efficiency and compromised privacy for users with a given set of access privileges to search over encrypted cloud data. In this paper, we study the problem of keyword search with access control over encrypted data in cloud computing. We first propose a scalable framework where user can use his attribute values and a search query to locally derive a search capability, and a file can be retrieved only when its keywords match the query and the user's attribute values can pass the policy check. Using this framework, we propose a novel scheme called KSAC. KSAC utilizes a recent cryptographic primitive called HPE to enforce fine-grained access control, perform multi-field query search, and support the derivation of the search capability. Intensive evaluations on real-world dataset are conducted to validate the applicability of the proposed scheme.

Chang Xu,Ruijuan Wang,Liehuang Zhu,Chuan Zhang,Rongxing Lu,Kashif Sharif

DOI: https://doi.org/10.48550/arXiv.2203.13662

2022-03-25

Cryptography and Security

Abstract:Searchable symmetric encryption (SSE) supports keyword search over outsourced symmetrically encrypted data. Dynamic searchable symmetric encryption (DSSE), a variant of SSE, further enables data updating. Most DSSE works with conjunctive keyword search primarily consider forward and backward privacy. Ideally, the server should only learn the result sets involving all keywords in the conjunction. However, existing schemes suffer from keyword pair result pattern (KPRP) leakage, revealing the partial result sets containing two of query keywords. We propose the first DSSE scheme to address aforementioned concerns that achieves strong privacy-preserving conjunctive keyword search. Specifically, our scheme can maintain forward and backward privacy and eliminate KPRP leakage, offering a higher level of security. The search complexity scales with the number of documents stored in the database in several existing schemes. However, the complexity of our scheme scales with the update frequency of the least frequent keyword in the conjunction, which is much smaller than the size of the entire database. Besides, we devise a least frequent keyword acquisition protocol to reduce frequent interactions between clients. Finally, we analyze the security of our scheme and evaluate its performance theoretically and experimentally. The results show that our scheme has strong privacy preservation and efficiency.

Haorui Du,Jianhua Chen,Ming Chen,Cong Peng,Debiao He

DOI: https://doi.org/10.1155/2022/2336685

2022-10-21

Wireless Communications and Mobile Computing

Abstract:Outsourcing data to cloud services is a good solution for users with limited computing resources. Privacy and confidentiality of data is jeopardized when data is transferred and shared in the cloud. The development of searchable cryptography offers the possibility to solve these problems. Symmetric searchable encryption (SSE) is popular among researchers because it is efficient and secure. SSE often requires the data sender and data receiver to use the same key to generate key ciphertext and trapdoor, which will obviously cause the problem of key management. Searchable encryption based on public key can simplify the key management problem. A public key encryption scheme with keyword search (PEKS) allows multiple senders to encrypt keywords under the receiver's public key. It is vulnerable to keyword guessing attacks (KGA) due to the small size of the keywords. The proposal of public key authenticated encryption with keyword search (PAEKS) is mainly to resist inside keyword guessing attacks. The previous security models do not involve the indistinguishability of the same keywords ( w 0 × × = w 1 ), which brings the user's search pattern easy to leak. The essential reason is that the trapdoor generation algorithm is deterministic. At the same time, most of the existing schemes use bilinear pair design, which greatly reduces the efficiency of the scheme. To address these problems, the paper introduces an improved PAEKS model. We design a lightweight public key authentication encryption scheme based on the Diffie-Hellman protocol. Then, we prove the ciphertext indistinguishability security and trapdoor indistinguishability security of the scheme in the improved security model. Finally, the paper demonstrates its comparable security and computational efficiency by comparing it with previous PAEKS schemes. Meanwhile, we conduct an experimental evaluation based on the cryptographic library. Experimental results show that the computational overhead of our scheme compared with the ciphertext generation algorithm, trapdoor generation algorithm and test algorithm of other schemes Our scheme reduces 274, 158 and 60 times, respectively.

computer science, information systems,telecommunications,engineering, electrical & electronic

Xiwen Wang,Kai Zhang,Jinguo Li,Mi Wen,Shengmin Xu,Jianting Ning

DOI: https://doi.org/10.1093/comjnl/bxac166

2024-01-01

Abstract:Searchable asymmetric encryption (SAE) enables a client to search over a data owner's encrypted data. Nevertheless, state-of-the-art SAE schemes allow a data owner to specify access control policy for a client, while they have not considered the threat case of a malicious data owner. To address the problem, this work presents a non-interactive SAE scheme with bilateral access control: (i) allowing data owner and client to both specify policies toward the other party; (ii) allowing client to perform arbitrary boolean queries with sub-linear search complexity. Technically, we extend Cash et al.'s highly scalable SSE into an asymmetric setting and introduce the property of data owner authenticity. By refining identity-based matchmaking encryption, we formalize the syntax and security definition of our SAE with identity-based bilateral access control. Moreover, the security of the proposed SAE can be reduced to discrete logistic assumption and decisional bilinear Diffie-Hellman assumption. As an enhanced extension, we present a non-interactive multi-client SAE scheme with fuzzy identity-based bilateral access control. In addition, we implement the proposed schemes in real cloud platform and evaluate their performance on a real-world dataset. The result confirms that our SAE schemes achieve bilateral access control for both data owner and client with highly acceptable efficiency.

Jinjiang Yang,Feng Liu,Xinyi Luo,Jianan Hong,Jian Li,Kaiping Xue

DOI: https://doi.org/10.1109/globecom48099.2022.10001146

2022-01-01

Abstract:Through Searchable Symmetric Encryption (SSE), a user can make search over encrypted documents that are stored on an untrusted cloud server. Multi-client SSE schemes require that one client can search documents contributed by other clients and upload documents. Nevertheless, existing multi- client SSE schemes implement the fine-grained access control with high complexity. Although fine-grained access control adapts to complex scenarios, it is not necessary anytime and may cause heavy costs over computation in SSE schemes. Moreover, it is crucial to support documents updating and forward privacy. To combat that, we design a multi-client SSE scheme with efficient access control over dynamic encrypted documents. Specifically, we first modify Symmetric Hidden Vector Encryption (SHVE) and utilize Bloom filter to implement the access control, which reduces much of computation overhead. We then employ Oblivious Dynamic Cross-Tag (ODXT) protocol to preserve the forward privacy of our scheme. Finally, the corresponding security and experimental evaluation demonstrate both security and practicality of our scheme, respectively.

Hua Shen,Jian Zhou,Ge Wu,Mingwu Zhang

DOI: https://doi.org/10.1109/access.2023.3334733

IF: 3.9

2023-12-20

IEEE Access

Abstract:The convenience and efficient management of cloud servers have resulted in an increasing number of users opting to store their data in the cloud. Consequently, data-outsourcing services relying on cloud servers have been extensively deployed and utilized. In this case, before outsourcing the data to cloud storage, we should ensure unauthorized users cannot access the data. In this article, we present a scheme termed MKSABE-VaAR (multi-keyword searchable attribute-based encryption with verification and attribute revocation). Aiming at the problems of inefficiency, excessive computation in the search process, and only supporting single-keyword search in most attribute-based searchable encryption schemes, first, we package multiple keywords into a polynomial to realize multi-keyword search. Based on this polynomial, MKSABE-VaAR can reduce the amount of search calculation for keyword ciphertext and improve search efficiency by reducing the number of bilinear pairing operations. At the same time, we have made some special constructs for indexing to add verification of user attributes in the keyword search process, which improves the search accuracy. Moreover, we adopt a linear secret-sharing technique to construct the attribute revocation function of MKSABE-VaAR, making a lower computational cost of attribute revocation. Furthermore, the mechanism of storing data and indexes separately greatly reduces the risk of data leakage of MKSABE-VaAR.

computer science, information systems,telecommunications,engineering, electrical & electronic

Haijiang Wang,Xiaolei Dong,Zhenfu Cao,Dongmei Li

DOI: https://doi.org/10.1093/comjnl/bxy031

2018-01-01

The Computer Journal

Abstract:Attribute-based encryption with keyword search (ABKS) is a system that supports keyword search and access control. By inheriting from attribute-based encryption technology, most current ABKS schemes incur large computation costs in encryption phase and keyword search phase. In a typical implementation, the size of ciphertext is proportional to the number of attributes associated with the access policy, so that the keyword search time and the decryption time are proportional to the number of attributes used in the access policy. To deal with the above problem, we present a new ciphertext-policy attribute-based encryption with fast keyword search scheme. Our scheme preserves the fine-grained access control inherited from the ABE system while supporting hidden policy and fast keyword search. In particular, the proposed scheme can efficiently support AND-gate access policy with multiple attribute values. Moreover, our scheme features multi-value-independent which have constant computation costs compared with the existing ABKS schemes. With the "aggregation" technique, the keyword search phase only needs three pairings, which is a great advantage over previous ABKS schemes. We offer rigorous security proof of our scheme, and the performance analysis demonstrates the efficiency of our scheme.

Wei-Ting Lu,Wei Wu,Shih-Ya Lin,Min-Chi Tseng,Hung-Min Sun

DOI: https://doi.org/10.1007/978-3-319-46298-1_19

2016-01-01

Abstract:Nowadays the cloud security becomes a significant issue: while the single user keyword search on encrypted data has been proposed, encrypting files before uploading scarifies the advantage of the convenience of sharing data with others on the cloud. We design a searchable encryption for the multi-user case. We combine the advantage of efficiency of the symmetric encryption with authentication of the asymmetric encryption to provide a secure and efficient system of shareable keyword search on encrypted data.

Ru Meng,Yanwei Zhou,Jianting Ning,Kaitai Liang,Jinguang Han,Willy Susilo

DOI: https://doi.org/10.1007/978-3-319-68637-0_3

2017-01-01

Abstract:Public key encryption with keyword search (PEKS) is a promising cryptographic mechanism to enable secure search over encrypted data in cloud. The mechanism allows a semi-trusted cloud server to return related encrypted contents without knowing what the query is and what the corresponding contents are. It has been combined with attribute based encryption (ABE) to support more expressiveness in search. Most of the existing searchable ABE schemes, however, are restricted to heavy complexity. In particular, the size of ciphertext and pairing cost in the test phase are both linear in the size of the keyword set, say O(n), where n is the number of keyword. This limitation hinders the scalability of searchable ABE in practice. To address this long-lasting open problem, this paper proposes a new key-policy attribute-based search encryption (KP-ABSE) scheme. Our construction can be regarded as a novel combination of fast decryption, anonymous-like encryption, and KP-ABE technologies. As of independent interest, the scheme is built in asymmetric bilinear groups. The scheme is further proved secure under the asymmetric decisional DBDH, decisional q-BDHE and decisional linear assumptions in the standard model. Compared with existing KP-ABSE schemes, our new scheme achieves the following properties: (1) flexible access structure for search - any monotonic access structure, (2) constant ciphertext size, (3) constant pairing operations in the test phase.

Boshen Shan,Yuanzhi Yao,Weihai Li,Xiaodong Zuo,Nenghai Yu

DOI: https://doi.org/10.1109/trustcom56396.2022.00189

2022-01-01

Abstract:Due to the increasing popularity of cloud computing and privacy preservation concerns, sensitive data should be encrypted before outsourcing to the cloud and data utilization becomes a challenging issue. Searchable encryption (SE) is a promising technique to address this problem. Most existing searchable encryption schemes only support accurate keyword but fuzzy keyword search schemes are appreciated in practice. Moreover, in some application scenarios like the video on demand systems, data owners only hope to give the access of their data to those who have payed but authenticated user identity may often change. Therefore, dynamic user attribute updating should be considered. To solve about issues, we propose a fuzzy secure keyword search scheme over encrypted cloud data with dynamic fine-grained access control. We design a novel fuzzy keyword index to retrieve corresponding documents. To reduce the computation cost, the cloud server selects most relevant top-k documents and return them to the data users. The ciphertextpolicy attribute based encryption (CP-ABE) technique is introduced to implement fine-grained access control. Meanwhile, the basic CP-ABE is improved to meet the practical need of user attribute updating. Extensive security and performance analysis demonstrates that our proposed scheme is highly efficient and can satisfy the security requirements for fuzzy keyword search over encrypted cloud data.