Research Article
Multiuser Searchable Encryption with
Token Freshness Verification
Dhruti Sharma¹ and Devesh C. Jinwala²
¹ Sarvajanik College of Engineering and Technology, Surat, Gujarat, India
² Sardar Vallabhbhai National Institute of Technology, Surat, Gujarat, India
Correspondence should be addressed to Dhruti Sharma; sharmadhruti77@gmail.com
Received 2 May 2017; Revised 25 September 2017; Accepted 25 October 2017; Published 26 November 2017
Academic Editor: Sherali Zeadally
Copyright © 2017 Dhruti Sharma and Devesh C. Jinwala. This is an open access article distributed under the Creative Commons
Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is
properly cited.
A Multiuser Searchable Encryption (MUSE) scheme can be defined with the notion of Functional Encryption (FE), where a user constructs
a search token from a search key issued by an Enterprise Trusted Authority (ETA). In such a scheme, a user possessing a search key
can construct a search token at any time and consequently request the server to search over encrypted data. Thus, an FE based MUSE
scheme is not suitable for applications where a log of search activities is maintained at the enterprise site to identify dishonest
search queries from any user. In addition, none of the existing searchable schemes provides security against a token replay attack to
avoid reuse of the same token. In this paper, we therefore propose an FE based scheme, Multiuser Searchable Encryption with
Token Freshness Verification (MUSE-TFV). In MUSE-TFV, a user prepares a one-time usable search token in cooperation with the ETA,
and thus every search activity is logged at the enterprise site. Additionally, by verifying the freshness of a token, the server prevents
reuse of the token. With formal security analysis, we prove the security of MUSE-TFV against chosen keyword attack and token
replay attack. With theoretical and empirical analysis, we justify the effectiveness of MUSE-TFV in practical applications.
1. Introduction
With the cloud storage infrastructure, one can easily share
data with multiple users at a low cost. However, maintaining
security and privacy of such data located on the untrusted
remote server is nontrivial [1–3]. Therefore, a common trend
is to upload the encrypted data onto a third-party cloud
server. However, extraction of partial information from the
stored encrypted data is indeed difficult. The notion of
Searchable Encryption (SE) is used to resolve the issue. In
SE, a Data Owner prepares a ciphertext by associating a list
of encrypted keywords (to be searched) with an encrypted
payload message and uploads it onto the Storage Server.
Subsequently, a Data User asks the server to search over
encrypted data by issuing a search token (of keyword(s)). The
server applies a token over available ciphertexts and extracts
the data containing that keyword(s) (Figure 1). However, the
server learns nothing else about the data while searching.
Here, a payload message is encrypted using any standard
encryption algorithm, whereas keywords are encrypted with
the defined Searchable Encryption algorithm.
There exist numerous Searchable Encryption schemes
for a single user [4–8] as well as for multiple users [9–13].
Practically, any single-user Searchable Encryption scheme
can be adapted to defne a multiuser Searchable Encryption
scheme at the cost of a ciphertext size linear to the number of
users in the system. Formally, when a single-user searchable
scheme is extended to support multiple users, its ciphertext
size becomes () for users that subsequently raises to
(||⋅) for ={1,2,...,} data items in the system.
This ultimately outputs an impractical system with (||⋅)
computational overhead at the Data Owner site and (||⋅
) storage overhead at the server site. As a solution, several
Searchable Encryption schemes in [9, 10, 14–20] with a built-
in support of multiple users are devised in recent years.
Amongst them, the scheme proposed by Hwang and Lee [9]
is a simple extension of a single-user Searchable Encryption
with the ciphertext size (||+||⋅), where || is the
number of keywords to be searched. However, this scheme
works for the prefixed set of users. In contrast, the schemes
in [10, 14–16] support the dynamic groups of users where
joining/leaving a group by a member is entirely controlled
Hindawi
Security and Communication Networks
Volume 2017, Article ID 6435138, 16 pages
https://doi.org/10.1155/2017/6435138