5.1 Group search secrecy
Our retrieval system is the group keybased cryptographic searching method on encrypted documents. Therefore, in this section, we discuss group key secrecy. The following are group key security requirements in [26].

○ Group key secrecy: It must be computationally infeasible for a passive adversary to discover any secret group key.

○ Forward secrecy: Any passive adversary being in possession of a subset of old group keys must not be able to discover any subsequent group key.

○ Backward secrecy: Any passive adversary being in possession of a subset of subsequent group keys must not be able to discover any preceding group key.

○ Key independence: Any passive adversary being in possession of any subset of group keys must not be able to discover any other group key.

○ Forward secrecy provides security for subtractive events (leave), since it prevents former group members from computing the updated group key. Similarly, backward secrecy provides security for additive events (join), because it prevents new members from discovering the previously used group keys [27].
In this paper, the term 'negligible function' refers to a function η : N → R such that for any c ∈ N, there exists n_{
c
} ∈ N, such that \eta \left(n\right)<\frac{1}{{n}_{c}} for all n ≥ n_{
c
}[13].
However, group keybased search system should not follow the above properties because a new joiner to the group such as a company or a government office should be able to search all of the previous documents to perform their successive tasks of the group. Namely, backward secrecy must not be a security requirement for our group search system. In this paper, we define group search secrecy as follows.

Forward search secrecy : For any group {g}_{i}^{j}, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors for (j +1)th session is negligible when the participant knows valid group search key {K}_{i}^{j}, where p\notin {g}_{i}^{j+1} and 0 < j < q. i{k}_{i}^{j} and d{k}_{i}^{j} fall under {K}_{i}^{j} in PKISI and g{k}_{i}^{j} falls under {K}_{i}^{j} in PKISII.
It means that all leaving members from a group should not access to all of the next documents of the group any more.

Backward search accessibility : For any group {g}_{i}^{j}, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors for (j  l)th session is 1  η (n) when the participant knows valid group search key {K}_{i}^{j}, where p\notin {g}_{i}^{jl} and 0 < l < j. i{k}_{i}^{j} and d{k}_{i}^{j} fall under {K}_{i}^{j} in PKISI and g{k}_{i}^{j} falls under {K}_{i}^{j} in PKISII.
Namely, all joining members to a group can access to all of the previous documents of the group.

Group search secrecy: For a datacenter server DS, when a revelation of group search key {K}_{i}^{j} happens, the probability that DS can guess correctly the encrypted documents of group g_{
i
}at the j th session is negligible.
It must be computationally infeasible for DS to know or guess correctly the contents of the encrypted documents and trapdoors even if a leaving member or another member in a group reveals his group search keys.
5.1.1 PKISI
In PKISI, group search keys are reversely generated by the oneway hash key chain. Our scheme PKISI satisfies with Group Search Secrecy as follows.

Forward search secrecy: By the Property 2 of Definition 1, if the latest released group search key is {K}_{i}^{j}, any participant cannot know a later value {K}_{i}^{l} such that {h}^{lj}\left({K}_{i}^{l}\right)={K}_{i}^{j}. Therefore, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors for the next (j + 1)th session is negligible, where p\notin {g}_{i}^{j+1}.

Backward search accessibility: By the Property 1 of Definition 1, if the latest released group search key is {K}_{i}^{j}, any participant can deduce an earlier value {K}_{i}^{l} by applying the later value {K}_{i}^{j} to oneway hash key chain like this; {h}^{jl}\left({K}_{i}^{j}\right)={K}_{i}^{l}. Therefore, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors for (j  l)th session is 1  η(n), where p\notin {g}_{i}^{jl} and 0 < l < j.

Group search secrecy: In PKISI, GM reencrypts all documents and indexes including trapdoors with his secret key k_{
c
}. Although one of group members reveals his/her group search keys to a datacenter server DS, DS cannot learn anything because DS does not know GM's secret key k_{
c
}. Therefore, the probability that DS can guess correctly the encrypted documents of group g_{
i
}at the j th session is negligible when {K}_{i}^{j} is revealed to DS.
5.1.2 PKISII
Group search keys ik and dk are unchangeable in PKISII and actual group search secrecy depends on group session key gk. When a user queries GM with a keyword, the keyword is encrypted by his/her group session key. If the user is a valid member of a certain group, GM can decrypt the querying keyword and then can generate a valid trapdoor for the user with his/her group search key. In this respect, it is proper that we regard a group session key as a group search key in PKISII. Thus, group search secrecy is up to the security of a group key agreement protocol.

Forward search secrecy: If membership changes occur, a new group session key is generated and distributed securely to valid members according to a given protocol, and leaving members cannot get a new group session key. Hence, the leaving member cannot generate the valid trapdoor for a new session because GM decrypts a trapdoor with the group's newly updated session key.
We assume that a given group key agreement protocol satisfies with forward secrecy with the probability of 1  η (n). Then, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors in the next (j +1) session is negligible (or follows negligible function) when the participant knows the j th valid group search key {K}_{i}^{j}\left(=g{k}_{i}^{j}\right).

Backward search accessibility: For joining members, a new group session key is generated and distributed securely to valid members according to a given protocol, and the new joiners can also retrieve all of the previous documents because group search keys ik and dk are unchangeable in PKISII. If a joiner is authenticated as a valid user with his/her group session key, GM queries DS with a trapdoor instead of the user. The trapdoor is encrypted by unchangeable index generation key ik.
We assume again that the given group key agreement protocol satisfies with backward secrecy with the probability of 1  η (n). Then, the probability that a participant p\in {g}_{i}^{j} can generate valid trapdoors for (j l)  th session is 1  η(n) when the participant knows valid group search key {K}_{i}^{j}\left(=g{k}_{i}^{j}\right), where p\notin {g}_{i}^{jl} and 0 < l < j.

Group search secrecy: Members of a group cannot know their group search keys ik and dk in PKISII and only GM knows them. Even if a leaving member or another malicious member reveals his group session key gk to DS, DS cannot know the contents of the documents or trapdoor because they are encrypted with the group search keys ik and dk that group members do not know. Therefore, the probability that a datacenter server DS can guess correctly the encrypted data of a group g_{
i
}at the j th session is negligible when {K}_{i}^{j}\left(=g{k}_{i}^{j}\right) is revealed to DS.
5.2 Keyword index search privacy
Song et al. [5] firstly proposed a cryptographic scheme which queries with encrypted keyword over encrypted data without decrypting anything by a server. They introduced four security requirements under an untrustworthy server. They are 'provable secrecy' (an untrustworthy server cannot learn anything about the plaintext given only the ciphertext), 'controlled searching' (an untrustworthy server cannot search for a word without the user's authorization), 'hidden queries' (an user may ask the untrustworthy server to search for a secret word without revealing the word to the server), and 'query isolation' (an untrustworthy server learns nothing more than the search result about the plaintext). However, Song's scheme is not for an index search system so that 'indistinguishability of indexes' have been considered additionally in other keyword index search schemes as well as the Song's requirements.
In our scheme, we assume an untrustworthy server as an adversary and our goal is to prevent a server from revealing or misusing users' information without users' consent. We accomplish our goal by encrypting documents and querying keywords. With relation to this goal, we define our security requirements using the term of 'Privacy'. The privacy is the ability to control private information, which includes identity and identifiers, and sensitive information [28], i.e., selfcontrol for his/her information. The following is our definition about keyword index search privacy.
5.2.1 Retrieval access control
For participants p ∈ g_{
i
} , the probability that p can search for the documents of gt is negligible, where i, t ≥ 1, t ≠ i. It means that all of the users encrypt their documents with their secret key and can retrieve only their documents. It is because only a legitimate user who has a valid key can generate valid trapdoors and decrypt the retrieved data, where valid trapdoors mean the querying keywords to GM, generated by valid users.

1)
PKISI: If a user p ∈ g_{
i
} tries to retrieve some documents of a group g_{
t
} in the second session, p should know i{k}_{t}^{1}, i{k}_{t}^{2} and d{k}_{t}^{1}, d{k}_{t}^{2}, which are encrypted with each group session keys and transferred to the group members of g_{
t
} like this: {f}_{g{k}_{t}^{1}}\left(i{k}_{t}^{1},d{k}_{t}^{1}\right), {f}_{g{k}_{t}^{2}}\left(i{k}_{t}^{2},d{k}_{t}^{2}\right). Refer to Figure 2. The only users that know the search keys i{k}_{t}^{1} and i{k}_{t}^{2} can generate valid trapdoors. Then, the users query GM with the trapdoors. Except for the members of a group g_{
t
} , nobody knows the values i{k}_{t}^{1}, i{k}_{t}^{2} and d{k}_{t}^{1}, d{k}_{t}^{2} because of the security of PRF f.
We assume that f is (t, q, e)secure PRF and a user p ∈ g_{
i
} tries to retrieve the documents of a group g_{
t
} in the j th session, where i, t ≥ 1, t ≠ i. Then, by Definition 2, we know AdvA < e^{j} , 0 < e < 1. Therefore, we can say that the probability of retrieval is negligible.
In addition, if malicious leaving members from g_{
t
} reveal their group search keys to other groups' members when a session is changed from the second to the third, other users can know only i{k}_{t}^{1}, i{k}_{t}^{2} and d{k}_{t}^{1}, d{k}_{t}^{2}. Because they cannot know new session's keys i{k}_{t}^{3}, d{k}_{t}^{3}, they cannot generate valid trapdoors for the third session so that they cannot be authenticated as valid users to GM.
This problem falls under Forward Search Secrecy.

2)
PKISII: A user p ∈ g_{
i
} should know g{k}_{t}^{j} to retrieve the documents of a group g_{
t
} in the j th session. This is because valid users generate trapdoors with their group session key and then query GM with the trapdoors in PKISII. The group session keys are distributed to the group members securely according to a given group key agreement protocol. We assume that a given group key agreement protocol is secure for key distribution with the probability of 1  η(n). Therefore, the probability that a participant p ∈ g_{
i
} can retrieve the documents of g_{
t
} follows negligible function η (n), where i, t ≥ 1, t ≠ i.
For a datacenter server DS, when DS generates trapdoors with a random selected keyword and search keys, the probability that a server succeeds in retrieving is negligible.
It is the similar concept to 'controlled searching' of [5] and 'capability' of [13]. An untrustworthy server cannot search for a word without given 'searching ability' from users. In our schemes, the concept is the same meaning as a valid trapdoor. The valid trapdoor generation requires that a user should know secret key values. Here, valid trapdoors mean the querying keywords generated by GM to a datacenter server DS.

1)
PKISI: Valid trapdoors are generated by the secret values of each session in PKISI: an index generation key ik and GM's secret key k_{
c
} . The two values are secret keys for PRF f. By Definition 2, if DS generates trapdoors with a random selected keyword and search keys, the probability that a server can succeed in retrieving is e ^{2}, negligible.

2)
PKISII: Valid trapdoors are generated by an unchanging index generation key ik. In PKISII, ik is the secret key which any user does not know but only GM knows that. The key is also a secret key for PRF f. Therefore, by Definition 2, if DS generates trapdoors with a random selected keyword and search keys, the probability that a server can succeed in retrieving is e, negligible.
5.2.2 Unobservability
Generally, unobservability means that when a user utilizes a resource or service, the others cannot know the resource or service is being used [29]. If f is a pseudorandom function, h is oneway hash function, and all processes are performed according to the given protocol, all attackers(including insiders such as a datacenter server DS) cannot learn anything about the contents of encrypted documents by querying with encrypted keywords. It is because all the search processes by DS are implemented without decrypting anything.
We assume that f is (t, q, e)secure PRF as we define earlier, h is (t, e_{
h
} ) oneway hash function such that any attack algorithm A running in time t has success probability at most e_{
h
} , and a given group key agreement protocol is secure with the probability of 1  η (n). We choose the key material as described above, and all processes are done according to the given protocol. Then, our scheme PKISI can guarantee the security at least 1  {e_{
h
} + (2e^{2} + e) + e^{2}} through whole processes in that an adversary cannot learn anything about the contents of encrypted documents except for the results.^{e} PKISII can guarantee the security at least 1  {η (n)+3e +2e}.
5.2.3 Unlinkabilityindex indistinguishability
Unlinkability means that when resources and services are used by someone, the others cannot link these being correlated or used together. In keyword index search system, it can be regarded as index indistinguishability.
Since Goh [8] formulated INDCKA for indexes known as semantic security, most researchers have followed Goh's security definition and proof in this area. 'Indistinguishability for Indexes' guarantees that an adversary cannot deduce data's contents from its index list. An adversary cannot know even the fact whether two documents have the common keyword or not. Given two word lists W_{0} and W_{1}, we say that the search scheme provides 'Index Indistinguishability' if a server S cannot distinguish the index list I_{0} from I_{1} for W_{0} and W_{1} with nonnegligible advantage.
However, our schemes do not guarantee this property. In our scheme, the common keywords in different documents for a certain group have the same index values. Even if an adversary does not know what the keywords mean, the adversary can know that the keywords have something in common. An adversary might guess that two documents have something correlated. This is because we use only deterministic symmetric functions that have the same encryption value under the same data and the same key. And we did not use any random factor in our schemes. It makes our schemes more efficient than any other schemes because we can apply the database schema of 'primary key' and 'foreign key'. The details are addressed in the next section.
Consequently, our schemes can guarantee 'Retrieval Access Control' and 'Unobservability' but not 'Unlinkability'. However, in a common real world, users would like to choose practical schemes under the appropriate control of security other than the scheme which is hard to apply a real world due to inefficiency from the high level of security.