Privacy-preserving attribute-keyword based data publish-subscribe service on cloud platforms

Cited by: 63
Authors
Yang, Kan [1, 2]
Zhang, Kuan [2 ]
Jia, Xiaohua [3 ]
Hasan, M. Anwar [2 ]
Shen, Xuemin [2 ]
Affiliations
[1] Univ Memphis, Dept Comp Sci, Memphis, TN 38152 USA
[2] Univ Waterloo, Dept Elect & Comp Engn, Waterloo, ON N2L 3G1, Canada
[3] City Univ Hong Kong, Dept Comp Sci, Kowloon, Hong Kong, Peoples R China
Keywords
AKPS; Data publish-subscribe; Searchable encryption; Trapdoor privacy; Tag privacy; Data privacy; DATA ACCESS-CONTROL; EFFICIENT; SECURE;
DOI
10.1016/j.ins.2016.09.020
Chinese Library Classification number
TP [Automation technology, computer technology];
Discipline classification code
0812;
Abstract
Data publish-subscribe service is an effective approach to selectively share and selectively receive data. Towards the huge amount of data generated in our daily life, cloud systems, with economical but powerful storage and computing resources, are inevitably becoming the most appropriate platform for data publication and subscription. However, the cloud server may also be curious about both the published data and the interests of the subscribers. In this paper, we propose a privacy-preserving Attribute-Keyword based data Publish-Subscribe (AKPS) scheme for cloud platforms. Specifically, in order to protect the privacy of the published data against the cloud server and other non-subscribers, we employ attribute-based encryption with decryption outsourcing to encrypt the published data, such that the publishers can control the data access by themselves and the major decryption overhead can be shifted from the subscribers' devices to the cloud server. To protect the subscribers' interests, we propose a new searchable encryption to enable the subscribers to selectively receive interested data. Different from existing symmetric searchable encryption methods, the AKPS can support multiple publishers and multiple subscribers, while no two publishers/subscribers share the same secret keys. Moreover, the publishers cannot act as the subscribers, and vice versa. To avoid bypassing the access/subscription policy checking procedure, the AKPS smartly ties both access policy and subscription policy by two secrets. One secret is used to bundle the ciphertext and the tags together, while the other secret is used to bundle the subscription trapdoor and the pre-decryption key together. The security proof and performance evaluation show that the proposed AKPS scheme is provably secure in the random oracle model and efficient in practice. © 2016 Elsevier Inc. All rights reserved.
Pages: 116-131
Number of pages: 16