Security analysis and secure channel-free certificateless searchable public key authenticated encryption for a cloud-based Internet of things

Abstract

With the rapid development of informatization, an increasing number of industries and organizations outsource their data to cloud servers, to avoid the cost of local data management and to share data. For example, industrial Internet of things systems and mobile healthcare systems rely on cloud computing’s powerful data storage and processing capabilities to address the storage, provision, and maintenance of massive amounts of industrial and medical data. One of the major challenges facing cloud-based storage environments is how to ensure the confidentiality and security of outsourced sensitive data. To mitigate these issues, He et al. and Ma et al. have recently independently proposed two certificateless public key searchable encryption schemes. In this paper, we analyze the security of these two schemes and show that the reduction proof of He et al.’s CLPAEKS scheme is incorrect, and that Ma et al.’s CLPEKS scheme is not secure against keyword guessing attacks. We then propose a channel-free certificateless searchable public key authenticated encryption (dCLPAEKS) scheme and prove that it is secure against inside keyword guessing attacks under the enhanced security model. Compared with other certificateless public key searchable encryption schemes, this scheme has higher security and comparable efficiency.

Introduction

The Internet of things (IoT) [1–3] is a new model that has rapidly become popular in wireless communication scenarios. The basic idea of this concept is that all items—such as actuators, radio-frequency identification tags—are connected to the Internet through information sensing devices, to exchange information. That is, objects are interconnected, to realize intelligent identification and management. IoT has opened new avenues for technology connectivity and business upgrading in industry, healthcare, and transportation, of which the industrial Internet of things (IIoT) and mobile healthcare systems (MHSs) are the most successful applications.

IIoT refers to the IoT environment applied in industrial systems. IIoT integrates various intelligent terminals and sensing devices through a ubiquitous network to efficiently and economically manage industrial production, not only improving manufacturing efficiency, but also reducing product costs, upgrading traditional industries to intelligent industries [4].

MHSs refers to the provision of medical applications and medical information at any time or place, based on the IoT [5, 6]. MHSs provide a wide range of services and applications, including patient monitoring, mobile telemedicine, real-time transmission, storage of (and access to) medical information, and customized and personalized medical service prescriptions.

Although the IIoT and MHSs have great development prospects and bring great convenience to people’s productivity and life, they still face a substantial challenge, namely, the storage and management of massive amounts of data (including both industrial and medical data).

In recent years, cloud computing technology has developed rapidly, and some typical cloud service products have been released and have received extensive attention; these include Dropbox [7], a cloud network storage tool, and Windows Azure [8], a cloud computing platform from Microsoft. Cloud computing is a business model that allows on-demand network access to configurable computing resources such as services, storage, networks, and applications. These resources can be quickly provided and released with minimal management work and interaction. The IoT generally contains small objects (things) with limited processing power and storage capabilities, whereas cloud computing has unlimited storage and processing power capabilities, which can play a supporting role in the IoT architecture, as explained in Ref. [9, 10]. Specifically, the IoT can benefit from the unlimited resources and capabilities of the cloud to make up for its technological constraints. A recent and continuing trend is the integration of the cloud and the IoT. The new model, called the cloud-based Internet of Things, has been extensively studied [11–14]. In a cloud-based IoT system, users upload data collected by various smart devices to cloud servers through the Internet, and other authorized users can retrieve data collected from different environments.

However, when outsourcing data to a cloud server, the security and privacy of the data cannot be guaranteed because the cloud server is considered honest but curious; it can fulfill its obligations, but is curious about the stored information. Before uploading sensitive data to the cloud server, the data owner needs to perform encryption to protect the privacy and confidentiality of the data. However, in this way, the existing plaintext-based keyword search technology is ineffective, because encryption usually hides the structure of the original data. To address this problem, searchable encryption (SE), which supports efficient search over ciphertext, has been widely applied, studied, and developed in recent years [15–29].

SE can be categorized into symmetric and asymmetric encryption. Symmetric searchable encryption has the characteristics of low computational overhead and high speed, but it is usually suitable for a single-user model; additionally, the encryption and decryption parties need to negotiate the key beforehand. To address this limitation, public key searchable encryption (PEKS) was first proposed by Boneh et al. [18]. It is very suitable for solving the searchable encryption problem in a multi-user system. In a PEKS system, without prior agreement between sender and receiver, the sender generates encrypted files, called PEKS ciphertext (including encrypted files body and encrypted keywords) using the receiver’s public key, and uploads the ciphertext to the cloud server. When the receiver needs to search the ciphertext for a certain keyword, it uses its own secret key to generate the search certificate of the keyword and sends it to the cloud server. The server then runs a test operation to select the ciphertext file containing the target keyword, and returns it to the receiver.

Although PEKS solves the problem of searching ciphertext, it still suffers from some privacy problems. Reference [24] pointed out that most PEKS schemes are susceptible to off-line keyword guessing attacks (KGAs). The KGAs is attributed to the fact that keyword space is very small and users usually use common keywords for retrieval, which provides a “shortcut” for an attacker to obtain data privacy information by using only dictionary attacks. Specifically, with a given trapdoor, the attacker tests every possible keyword off-line. If the test is successful, the attacker can know the potential keywords in the trapdoor. From the server’s reply, he also knows which encrypted files contain the keywords encapsulated in the trapdoor. In short, by running this off-line KGAs, malicious (inside or outside) attackers can obtain information about encrypted files and invade the user’s data privacy. Constructing a scheme to resist KGAs has attracted the attention of many researchers [30–37].

Recently, He et al. [38] proposed a new scheme, CLPAEKS, for IIoT, and Ma et al. [39] proposed a scheme, CLPEKS, for MHSs. Their schemes are both certificateless public key searchable encryption schemes, which effectively solve the problem of searching over encrypted data stored in the cloud and avoid the problems of certificate management and key escrow.

In this paper, through careful analysis, we describe security vulnerabilities that we found in the two schemes mentioned above. The security reduction of He et al.’s CLPAEKS scheme is actually incorrect for two types of adversaries. That is, an adversary cannot solve the computational bilinear Diffie-Hellman problem by using adversary ${\mathcal{A}}_{\mathcal{I}}$ (${\mathcal{A}}_{\mathcal{\text{II}}}$), which attacks the security of the CLPAEKS scheme, as a subroutine. Ma et al.’s CLPEKS scheme is not secure against off-line KGAs. Furthermore, in both CLPAEKS and CLPEKS, anyone can run test operations, which makes it easy to identify whether two search queries are generated from the same keyword; that is, the search patterns of users can be revealed to anyone. The potential risks of search pattern leakage have been studied in the literature [40]: adversaries may use searching frequency to obtain information about the plaintext.

Our contributions

• We note the security vulnerabilities of the CLPAEKS scheme proposed by He et al. and the CLPEKS scheme proposed by Ma et al.

• To protect the privacy and security of data stored in the cloud in the Internet of Things environment, we propose a dCLPAEKS scheme, which is a channel-free certificateless searchable public key encryption scheme, and present a security model for dCLPAEKS to remedy the problem mentioned above.

• Under the enhanced security model, we prove that the dCLPAEKS scheme is secure against inside keyword guessing attacks for two types of adversaries. Specifically, we formally prove that the scheme satisfies ciphertext indistinguishability and trapdoor indistinguishability. Furthermore, we prove that the scheme satisfies the security of the designated tester (specifically, only the server can perform test operations).

• We compare our scheme with other CLPEKS schemes in terms of security, computational complexity and communication overhead. We also evaluate its efficiency in experiments, and the results show that our scheme has higher security and efficiency.

Related works

In 2004, Boneh et al. first proposed the concept of public key searchable encryption [18] and proposed the construction scheme of PEKS based on anonymous identity-based cryptosystems. This scheme has been applied in a mail system to solve the mail routing problem of untrustworthy servers. In 2008, Baek et al. [23] pointed out that the scheme in [18] must be built on a secure channel. To overcome this limitation, they proposed a public key searchable encryption scheme without a secure channel by introducing a designated tester. In 2006, Bynn et al. [30] found that the scheme proposed in [18] was susceptible to off-line KGAs because keywords are selected from a much smaller space than keys and users usually use common keywords; hence, an attacker can easily crack the PEKS system through KGAs. To protect against KGAs, Rhee et al. [32] proposed a trapdoor secure dPEKS scheme, but Wang et al. [41] later pointed out that the scheme suffered from an inherent insecurity, namely, vulnerability to inside KGAs (IKGAs). Roughly speaking, given a trapdoor, a malicious server can generate the PEKS ciphertext for any keyword it chooses, and then the server can run a test operation to determine whether the keywords being guessed are the keywords underlying the trapdoor. In 2013, Xu et al. [34] proposed a fuzzy keyword public key searchable encryption scheme against IKGAs. In their scheme, the server can only perform fuzzy matching search, and accurate matching search is executed locally, so an attacker cannot obtain an accurate search trapdoor, thus ensuring the security of the scheme. In 2016, Chen et al. [35] proposed a dual-server public-key searchable encryption scheme that can resist IKGAs from malicious servers by dividing the test algorithm into two parts and letting two independent servers execute it. However, all of the schemes mentioned above encounter certificate management or key escrow problems. To address this problem, AL-piyami et al. [42] defined the concept of certificateless public key cryptography (CLPKC). Users’ private keys in certificateless public key cryptosystems consist of two parts: one is generated by the key generation center and the other is generated by users. Peng [43] proposed the first certificateless public key encryption with keyword search (CLPEKS) scheme. Subsequently, other improved certificateless public key searchable encryption schemes were proposed [44, 39]. He et al. [38] demonstrated that these schemes are vulnerable to IKGAs and proposed a certificateless public key authenticated encryption scheme with keyword search that can resist IKGAs.

Paper organization

The rest of this paper is organized as follows. In section 2, we present some preliminaries. In section 3, we review Ha et al’s scheme and Ma et al’s scheme and then point out the disadvantages of their schemes. In section 4, we introduce a new notion, dCLPAEKS, and give its security model. We construct a concrete dCLPAEKS scheme and prove its security in enhanced security models in section 5. In section 6, we present the performance analysis of our proposed scheme. Finally, we conclude the paper in section 7.

Preliminaries

Bilinear pairing

Bilinear pairing [45] plays an important role in constructing many cryptographic schemes, including our dCLPAKES scheme. Let $\mathbb{Z}$ be a set of integers. Set $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ as a bilinear map, mapping groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_1$ to ${\mathbb{G}}_2$, where ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ are cyclic groups with the same prime order p. This mapping satisfies the following properties:

1. Bilinearity: For any u, $v\in {\mathbb{Z}}_p^{*}$ and g, $h\in {\mathbb{G}}_1$, $\widehat{e}(g^u,h^v)=\widehat{e}{(g,h)}^{uv}$.

2. Non-degeneracy: If g is a generator of ${\mathbb{G}}_1$, then $\widehat{e}(g,g)$ is a generator of ${\mathbb{G}}_2$.

3. Computability: For any g, $h\in {\mathbb{G}}_1$, there is an efficient algorithm to calculate $\widehat{e}(g,h)$.

Computational bilinear diffie-hellman problem

Definition 1 (CBDH Problem) Let $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$ be a bilinear pairing. Given (g, g^a, g^b, g^c), where $a,b,c\in {\mathbb{Z}}_p^{*}$ are unknown numbers, the goal is to compute the value of $\widehat{e}{(g,g)}^{abc}$.

Decisional bilinear diffie-hellman assumption

The decisional bilinear Diffie-Hellman (DBDH) problem is described as follows.

Given $\mathsf{Y}=(g,g^x,g^y,g^z\in {\mathbb{G}}_1,\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2,Z\in {\mathbb{G}}_2)$, where x, y, z are randomly chosen from ${\mathbb{Z}}_p^{*}$, let η be a bit such that η = 1 if Z is randomly selected from ${\mathbb{G}}_2$, and η = 0 if $Z=\widehat{e}{(g,g)}^{xyz}$. The DBDH problem is to determine the value of η.

Definition 2 (DBDH Assumption [46, 47]) The DBDH assumption is that for any probabilistic polynomial-time (PPT) algorithm $\mathcal{A}$, the following holds:

$$\begin{array}{c}\hfill \left|\text{Pr}\right[0\leftarrow \mathcal{A}\left(\mathsf{Y}\right)|\eta =0]-\text{Pr}[0\leftarrow \mathcal{A}(\mathsf{Y}\left)\right|\eta =1\left]\right|\le negl(\lambda )\end{array}$$

where the probability is taken over the random choice of $x,y,z\in {\mathbb{Z}}_p^{*}$, $g\in {\mathbb{G}}_1$, $Z\in {\mathbb{G}}_2$.

Review and security analysis of the CLPAEKS and CLPEKS schemes

In this section, we briefly review the CLPAEKS scheme of He et al. [38] and the CLPEKS scheme of Ma et al. [39], and give the security cryptanalysis of the two schemes.

Review and security analysis of He et al.’s CLPAEKS scheme

Description of He et al.’s scheme

The CLPAEKS scheme can be described as follows:

• Setup: Input a security parameter l. The KGC selects two cyclic groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ with the same prime order q and a bilinear pairing $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$. Let P be a generator of ${\mathbb{G}}_1$; The KGC chooses a random number $s\in Z_q^{*}$ as the master key and computes P_pub = sP. The KGC selects three different hash functions: $h_1:{\{0,1\}}^{*}\times {\mathbb{G}}_1\to Z_q^{*}$, $H_2:{\{0,1\}}^{*}\to {\mathbb{G}}_1$ and $h_3:{\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\mathbb{G}}_1\times {\mathbb{G}}_1\to Z_q^{*}$. Then, the KGC publishes the system parameters $prms=\{l,{\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},P,P_{pub},h_1,H_2,h_3\}$.

• Extract-Partial-Private-Key: Input the sender’s identity ID_S ∈ {0, 1}*. The KGC selects a random number $r_{I{D}_S}\in Z_q^{*}$ and computes $R_{I{D}_S}=r_{I{D}_S}P$, ${\alpha }_{I{D}_S}=h_1(I{D}_S,R_{I{D}_S})$ and $d_{I{D}_S}=r_{I{D}_S}+s{\alpha }_{I{D}_S}\left(modq\right)$. Then, the KGC returns $(d_{I{D}_S}$ and $R_{I{D}_S})$ to the sender. In parallel, the partial private key $(d_{I{D}_R}$, $R_{I{D}_R})$ of the receiver is calculated in the same way.

• Set-Secret-Value: This takes ID_S, ID_R ∈ {0, 1}* as input. The sender and the receiver choose random numbers $x_{I{D}_S}$ and $x_{I{D}_R}$ as their secret values, respectively.

• Set-Private-Key: This sets the sender’s private key and the receiver’s private key as $S{K}_{I{D}_S}=(x_{I{D}_S},d_{I{D}_S})$ and $S{K}_{I{D}_R}=(x_{I{D}_R},d_{I{D}_R})$, respectively.

• Set-Public-Key: The sender computes $P_{I{D}_S}=x_{I{D}_S}P$ and sets $P{K}_{I{D}_S}=(P_{I{D}_S},R_{I{D}_S})$ as its public key. The receiver computes $P_{I{D}_R}=x_{I{D}_R}P$ and sets $P{K}_{I{D}_R}=(P_{I{D}_R},R_{I{D}_R})$ as its public key.

• CLPAEKS: This takes $prms,I{D}_S,I{D}_R,S{K}_{I{D}_S},P{K}_{I{D}_R}$ as input. The sender encrypts the keyword w as follows:

  1. The sender chooses a random number $r\in Z_q^{*}$.
  2. The sender computes ${\beta }_{I{D}_S}=h_3(I{D}_S,P_{pub},P_{I{D}_S},R_{I{D}_S})$, ${\beta }_{I{D}_R}=h_3(I{D}_R,P_{pub},P_{I{D}_R},R_{I{D}_R})$, $C_1=(d_{I{D}_S}+{\beta }_{I{D}_S}{x}_{I{D}_S})H_2\left(w\right)+rP$, $C_2=r({\beta }_{I{D}_R}{P}_{I{D}_R}+R_{I{D}_R}+{\alpha }_{I{D}_R}{P}_{pub})$.

  The final ciphertext for the keyword is C = (C₁, C₂).

• Trapdoor: This takes $prms,I{D}_S,I{D}_R,S{K}_{I{D}_R},P{K}_{I{D}_S}$ as input. The data receiver runs the following steps to compute the trapdoor T_w:

  1. Compute ${\beta }_{I{D}_R}=h_3(I{D}_R,P_{pub},P_{I{D}_R},R_{I{D}_R})$, ${\beta }_{I{D}_S}=h_3(I{D}_S,P_{pub},P_{I{D}_S},R_{I{D}_S})$.
  2. Compute $T_w=\widehat{e}((d_{I{D}_R}+{\beta }_{I{D}_R}{x}_{I{D}_R})H_2\left(w\right),{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}{P}_{pub})$.

• Test: Take prms, the trapdoor T_w and ciphertext C as input. The cloud server checks whether $T_w\widehat{e}(C_2,P)=\widehat{e}(C_1,{\beta }_{I{D}_R}{P}_{I{D}_R}+R_{I{D}_R}+{\alpha }_{I{D}_R}{P}_{pub})$ holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.

Security analysis

In the random oracle model, the semantic security of the CLPAEKS scheme against IKGAs is reduced to solve the CBDH problem [38]. Here, we show that the security reduction for the CLPAEKS scheme is in fact incorrect for two types of adversaries. We use a reductionist proof for a type 1 adversary as an example to illustrate.

Given an instance (P, aP, bP, cP) of the CBDH problem, assuming that adversary ${\mathcal{A}}_{\mathcal{I}}$ intends to break the CLPAEKS scheme, $\mathcal{B}$ makes use of the advantage of ${\mathcal{A}}_{\mathcal{I}}$ to compute the value of $\widehat{e}{(P,P)}^{abc}$. $\mathcal{B}$ simulates security games for adversary ${\mathcal{A}}_{\mathcal{I}}$. After ${\mathcal{A}}_{\mathcal{I}}$ outputs a guess value in the guess stage, the simulator $\mathcal{B}$ calculates $\widehat{e}{(P,P)}^{abc}$ as follows:

$$\begin{array}{c}{\displaystyle \frac{\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^{b+{\mu }_i}}{\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^{{\mu }_i}}}\hfill \\ =\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^b\hfill \end{array}$$

$$\begin{array}{c}{\displaystyle \frac{\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^b}{\widehat{e}(d_{I{D}_I}bP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}}\hfill \\ =\widehat{e}{({\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^b\hfill \end{array}$$

$$\begin{array}{c}{\left({\displaystyle \frac{\widehat{e}{({\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^b}{\widehat{e}({\beta }_{I}cP,{\beta }_{I{D}_S}{x}_{I{D}_S}bP+r_{I{D}_S}bP)}}\right)}^{{\displaystyle \frac{1}{{\beta }_I{\alpha }_{I{D}_S}}}}\hfill \\ =\widehat{e}{(P,P)}^{abc}\hfill \end{array}$$

The core part of computing $\widehat{e}{(P,P)}^{abc}$ is the left-hand side of the first equation. For ease of description, the numerator and denominator of the fraction in the first equation are abbreviated as follows:

$$\begin{array}{c}\mathbb{M}=\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^{b+{\mu }_i}\hfill \\ \mathbb{N}=\widehat{e}{(d_{I{D}_I}P+{\beta }_{I}cP,{\beta }_{I{D}_S}{P}_{I{D}_S}+R_{I{D}_S}+{\alpha }_{I{D}_S}aP)}^{{\mu }_i}\hfill \end{array}$$

Let us see how $\mathcal{B}$ obtains $\mathbb{M}$ and $\mathbb{N}$.

$\mathbb{N}$ is calculated by $\mathcal{B}$ itself, while $\mathbb{M}$ is obtained by $\mathcal{B}$ using ${\mathcal{A}}_{\mathcal{I}}$. However, $\mathcal{B}$ is unable to use the adversary ${\mathcal{A}}_{\mathcal{I}}$ to obtain the value of $\mathbb{M}$. Specifically, in the reductionist proof for adversary ${\mathcal{A}}_{\mathcal{I}}$, $\mathbb{M}$ is the value of the trapdoor of the challenge keywords under the challenge identities and E₅ denotes the event that ${\mathcal{A}}_{\mathcal{I}}$ does not ask the hash query for the value of the trapdoor of the challenge keywords, and we show that Pr[¬E₅] ≥ 2ε, where ε denotes the advantage of ${\mathcal{A}}_{\mathcal{I}}$ breaking the CLPAEKS scheme. Thus, $\mathcal{B}$ aims to make use of the fact that ${\mathcal{A}}_{\mathcal{I}}$ has conducted a hash query on this trapdoor, namely, the value of $\mathbb{M}$, with a non-negligible probability in the interactive game, and then randomly select one from the previous query history as $\mathbb{M}$.

However, in the trapdoor algorithm design of the CLPAEKS scheme [38], no hashing operation is performed on the value of the trapdoor, that is, H_i(T_w), for some hash function H_i. Therefore, it is impossible for ${\mathcal{A}}_{\mathcal{I}}$ to make the hash query on the trapdoor of the challenge keyword. In addition, $\mathcal{B}$ has no other advantage in obtaining $\mathbb{M}$ from ${\mathcal{A}}_{\mathcal{I}}$. In short, the reduction process shows that $\mathcal{B}$ is unable to solve the CBDH problem with ${\mathcal{A}}_{\mathcal{I}}$ as a subroutine.

Review and security analysis of Ma et al.’s CLPEKS scheme

A description of Ma et al.’s scheme

The CLPEKS scheme is as follows:

• Setup: Input a security parameter k. The KGC selects two cyclic groups ${\mathbb{G}}_1$, ${\mathbb{G}}_2$ with the same prime order q, a bilinear pairing $e:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$. Let P be a generator of ${\mathbb{G}}_1$; the KGC chooses a random number $s\in Z_q^{*}$ as the master key and computes $P_{pub}=sP\in {\mathbb{G}}_1$. The KGC selects four different hash functions: $h_1:{\{0,1\}}^{*}\times {\mathbb{G}}_1\to Z_q^{*}$, $h_2:{\{0,1\}}^{*}\times {\mathbb{G}}_1\times {\mathbb{G}}_1\to Z_q^{*}$, H₃: {0, 1}* → G₁ and $h_4:{\mathbb{G}}_1\to {\{0,1\}}^l$. Then, the KGC publishes public parameters $prms=\{k,{\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},q,P,P_{pub},h_1,h_2,H_3,h_4\}$.

• Extract-Partial-Private-Key: Input a user U’s identity ID ∈ {0, 1}*. The KGC selects a random number $t_{ID}\in Z_q^{*}$ and computes T_ID = t_ID P, α_ID = h₁(ID, T_ID) and d_ID = t_ID + sα_ID(mod q). Then, the KGC sends (d_ID, T_ID) to U.

• Set-Secret-Value: Input U’s identity ID. U chooses a random number $x_{ID}\in Z_q^{*}$ as its secret value.

• Set-Private-Key: This sets U’s private key as SK_ID = (x_ID, d_ID).

• Set-Public-Key: U computes $P_{I{D}_S}=x_{I{D}_S}P$ and sets PK_ID = (P_ID, T_ID) as its public key.

• CLPAEKS: Let W = {w_i|i = 1, 2, ⋯, m} be a set of keywords. Take prms, ID, PK_ID as input. U encrypts the keyword w as follows:

  1. Compute β_ID = h₂(ID, P_ID, T_ID), choose a random number $r_i\in Z_q^{*}$ and compute U_i = r_i P, Q_i = H₃(w_i).
  2. Compute Γ_i = e(r_i Q_i, β_ID P_ID + T_ID + α_ID P_pub) and v_i = h₄(Γ_i).

  The final ciphertext for the keyword is C = {C₁, C₂, ⋯, C_m}, where C_i = (U_i, v_i).

• Trapdoor: This takes prms, ID, SK_ID, PK_ID as input. U runs the following steps to compute the trapdoor T_w:

  1. Compute β_ID = h₂(ID, P_ID, T_ID) and Q = H₃(w).
  2. Compute T_w = (d_ID + β_ID x_ID)Q.

• Test: Take prms, the trapdoor T_w and ciphertext C as input. The cloud server checks whether h₄(e(T_w, U_i)) = v_i holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.

Security vulnerability

In this subsection, we show that the scheme is vulnerable to an off-line keyword guessing attack. We prove that a malicious adversary can retrieve keyword-specific information from any query message captured by the protocol.

Lemma 1 Ma et al.’s scheme is susceptible to an off-line keyword guessing attack.

Proof 1 An attacker $\mathcal{B}$ performs the following steps.

1. $\mathcal{B}$ first captures a valid trapdoor T_w. The goal of $\mathcal{B}$ is to recover w from T_w. $\mathcal{B}$ guesses an appropriate keyword w′, and computes H₃(w′), β_ID = h₂(ID, P_ID, T_ID) and α_ID = h₁(ID, T_ID).

2. $\mathcal{B}$ checks whether e(T_w, P) = e(β_ID H₃(w′), P_ID) ⋅ e(H₃(w′), T_ID + α_ID P_pub). If the equation holds, the guessed keyword is a valid keyword, namely, w′ = w. Otherwise, go to Step (1). Specifically, if w′ = w, then

   $$\begin{array}{cc}\hfill e(T_w,P)& =e(({\beta }_{ID}{x}_{ID}+d_{ID})Q,P)\hfill \\ & =e(({\beta }_{ID}{x}_{ID}+d_{ID})H_3\left(w\right),P)\hfill \\ & =e({\beta }_{ID}{x}_{ID}{H}_3\left(w\right),P)·e(d_{ID}{H}_3\left(w\right),P)\hfill \\ & =e({\beta }_{ID}{H}_3\left(w\right),P_{ID})·e(H_3\left(w\right),d_{ID}P)\hfill \\ & =e({\beta }_{ID}{H}_3\left(w\right),P_{ID})·e(H_3\left(w\right),(t_{ID}+s{\alpha }_{ID})P)\hfill \\ & =e({\beta }_{ID}{H}_3\left(w^{\prime }\right),P_{ID})·e(H_3\left(w^{\prime }\right),T_{ID}+{\alpha }_{ID}{P}_{pub})\hfill \end{array}$$

Definitions and system model

System model

We first describe the relationships and interactions among the four entities, namely, the cloud server, KGC, data sender and data receiver, in dCLPAEKS: The KGC generates the system parameters and part of the user’s private key according to the user’s identity. The sender extracts keywords from each data file and uses the sender’s secret key $S{k}_{I{D}_s}$, the receiver’s public key $P{k}_{I{D}_r}$ and the server’s public key Pk_Csvr to encrypt keywords to form the dCLPAEKS ciphertext; then, it encrypts the file by using another encryption algorithm and sends it to the cloud server along with the keyword ciphertext. To search encrypted files, the receiver uses his secret key $S{k}_{I{D}_r}$ and the sender’s public key $P{k}_{I{D}_s}$ to generate the trapdoor T_w of the keywords and sends it to the cloud server. The cloud server uses its secret key to search and return the ciphertext files containing the target keywords.

Definition of dCLPAEKS

Our dCLPAEKS scheme consists of the following (probabilistic) polynomial-time algorithms.

• Setup (λ): Given a security parameter λ, this algorithm generates a master public/secret key pair (m_pk, m_sk) and global parameter params.

• KGen_Csvr (params): Given params, it generates a public/secret key pair (PK_Csvr, SK_Csvr) for the cloud server.

• PPKGen (params, ID, m_sk): Given params, a master secret key m_sk and a user’s identity ID, it generates the user’s partial private key, referred to as PPK_ID.

• SVGen (params, ID): Given params and a user’s identity ID, it generates a secret value, referred to as SV_ID.

• SKGen (params, PPK_ID, SV_ID): Given params, a partial private key PPK_ID and a secret value SV_ID, it generates the user’s secret key, referred to as SK_ID.

• PKGen (params, SV_ID): Given params and a secret value SV_ID, it generates a public key PK_ID for the identity ID.

• PEKS (params, w, PK_Csvr, $S{K}_{I{D}_s}$, $P{K}_{I{D}_r}$, ID_s, ID_r): Given params, a keyword w, PK_Csvr, a sender’s identity ID_s and $S{K}_{I{D}_s}$, and a receiver’s identity ID_r and $P{K}_{I{D}_r}$, it generates a ciphertext C_w.

• Trapdoor (params, w, $S{K}_{I{D}_r}$, $P{K}_{I{D}_s}$, ID_r, ID_s): Given params, a keyword w, a receiver’s identity ID_r and $S{K}_{I{D}_r}$, and a sender’s identity ID_s and $P{K}_{I{D}_s}$, it generates a trapdoor T_w.

• dTest (params, SK_Csvr, C_w, T_w, ID_s, ID_r): Given params, the server’s secret key SK_Csvr, a PEKS ciphertext C_w, a trapdoor T_w, the identity ID_s of a sender and the ID_r of a receiver, it outputs 1 if C_w and T_w contain the same keyword, and 0 otherwise.

Security models

There are two types of adversaries, i.e., a Type 1 adversary ${\mathcal{A}}_{\mathcal{I}}$ and a Type 2 adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$, in certificateless cryptography [43]. Adversary ${\mathcal{A}}_{\mathcal{I}}$ cannot access the master key. However, ${\mathcal{A}}_{\mathcal{I}}$ can extract partial private keys and secret keys, request public keys and replace public keys with any values he chooses. Adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$ can access the system’s master key, but cannot replace the user’s public key.

We define the following five games between the adversaries ${\mathcal{A}}_{\mathcal{I}}$ (${\mathcal{A}}_{\mathcal{\text{II}}}$) and a challenger $\mathcal{B}$ to show that our scheme is semantically secure against IKGA.

For adversaries in Game 1 to Game 4, we set the following natural restrictions.

1. The adversary cannot extract the secret key for the challenge identities.

2. The adversary cannot make a ciphertext query and trapdoor query on the challenge keywords $w_0^{*}$, $w_1^{*}$ for the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver.

Ciphertext indistinguishability

Game 1: Ciphertext indistinguishability for ${\mathcal{A}}_{\mathcal{I}}$

In this game, we set the semi-trusted cloud server as the adversary ${\mathcal{A}}_{\mathcal{I}}$. Ciphertext indistinguishability ensures that the ciphertext reveals no information about the underlying keyword to the cloud server.

• Setup: Given a security parameter λ, the challenger $\mathcal{B}$ generates the system parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). It then invokes ${\mathcal{A}}_{\mathcal{I}}$ on the input params and (PK_Csvr, SK_Csvr).

• Phase 1: Adversary ${\mathcal{A}}_{\mathcal{I}}$ issues a sequence of queries adaptively polynomial-many times but is subject to the restrictions defined above.

  • Partial Private Key Extraction: Given the user’s identity ID, it returns the user’s partial private key PPK_ID to ${\mathcal{A}}_{\mathcal{I}}$.
  • Secret Key Queries: Given the user’s identity ID, $\mathcal{B}$ returns the user’s secret key SK_ID to ${\mathcal{A}}_{\mathcal{I}}$.
  • Public Key Queries: Given the user’s identity ID, $\mathcal{B}$ returns the user’s public key PK_ID to ${\mathcal{A}}_{\mathcal{I}}$.
  • Replace Public Key: ${\mathcal{A}}_{\mathcal{I}}$ can replace the public key with any value he chooses.
  • Ciphertext Queries: Given a keyword w, identity ID_s of a sender and identity ID_r of a receiver, $\mathcal{B}$ computes the corresponding ciphertext C_w and returns it to ${\mathcal{A}}_{\mathcal{I}}$.
  • Trapdoor Queries: Given a keyword w, identity ID_s of a sender and identity ID_r of a receiver, $\mathcal{B}$ computes the corresponding trapdoor T_w and returns it to ${\mathcal{A}}_{\mathcal{I}}$.

• Challenge: ${\mathcal{A}}_{\mathcal{I}}$ outputs two keywords $w_0^{*}$, $w_1^{*}$, the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver, and $\mathcal{B}$ randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext $C_{w_b^{*}}$ and returns it to ${\mathcal{A}}_{\mathcal{I}}$, where $C_{w_b^{*}}=PEKS(params,w_b^{*},P{K}_{Csvr},S{K}_{I{D}_s^{*}},P{K}_{I{D}_r^{*}},I{D}_s^{*},I{D}_r^{*})$.

• Phase 2: Adversary ${\mathcal{A}}_{\mathcal{I}}$ continues to issue requests to $\mathcal{B}$, as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′ ∈ {0, 1}, and wins the game if and only if b′ = b.

  The advantage of ${\mathcal{A}}_{\mathcal{I}}$ winning Game 1 is defined as

  $$\begin{array}{c}\hfill Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^C=|{\text{Pr}}_{[b^{\prime }=b]}-\frac{1}{2}|.\end{array}$$

Game 2: Ciphertext indistinguishability for ${\mathcal{A}}_{\mathcal{\text{II}}}$

In this game, we set the semi-trusted KGC as the adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Setup: $\mathcal{B}$ generates the system public parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). Then, $\mathcal{B}$ returns params and m_sk to ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Phase 1: ${\mathcal{A}}_{\mathcal{\text{II}}}$ can adaptively issue a sequence of queries polynomial-many times but obeys the restrictions defined above.

  • Secret Key Queries: Taking the identity ID as input, $\mathcal{B}$ outputs the secret key SK_ID to ${\mathcal{A}}_{\mathcal{\text{II}}}$.
  • Public Key Queries: Taking the identity ID as input, $\mathcal{B}$ outputs the public key PK_ID to ${\mathcal{A}}_{\mathcal{\text{II}}}$.
  • Ciphertext Queries: Given a keyword w, identity ID_s of a sender and ID_r of a receiver, $\mathcal{B}$ outputs the corresponding ciphertext C_w to ${\mathcal{A}}_{\mathcal{\text{II}}}$.
  • Trapdoor Queries: Given a keyword w, identity ID_s of a sender and ID_r of a receiver, $\mathcal{B}$ outputs the corresponding trapdoor T_w to ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Challenge: ${\mathcal{A}}_{\mathcal{\text{II}}}$ outputs two keywords $w_0^{*}$ and $w_1^{*}$ and the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver, and $\mathcal{B}$ randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext $C_{w_b^{*}}$ and returns it to ${\mathcal{A}}_{\mathcal{\text{II}}}$, where $C_{w_b^{*}}=PEKS(params,w_b^{*},P{K}_{Csvr},S{K}_{I{D}_s^{*}},P{K}_{I{D}_r^{*}},I{D}_s^{*},I{D}_r^{*})$.

• Phase 2: Adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$ continues to issue queries to $\mathcal{B}$ as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{\text{II}}}$ outputs a bit b′ ∈ {0, 1}, and wins the game if and only if b′ = b.

  The advantage of ${\mathcal{A}}_{\mathcal{\text{II}}}$ winning Game 2 is defined as

  $$\begin{array}{c}\hfill Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^C(\lambda )=|{\text{Pr}}_{[b^{\prime }=b]}-\frac{1}{2}|.\end{array}$$

Definition 3 We say that a $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies ciphertext indistinguishability if, for any polynomial-time adversaries ${\mathcal{A}}_i(i=I,II)$, $Ad{v}_{{\mathcal{A}}_i}^C(\lambda )$ is negligible.

Trapdoor indistinguishability

Game 3: Trapdoor indistinguishability for ${\mathcal{A}}_{\mathcal{I}}$

Similar to Game 1, we set the semi-trusted cloud server as the adversary ${\mathcal{A}}_{\mathcal{I}}$. Trapdoor indistinguishability guarantees that the cloud server cannot obtain any information about the keyword from a given trapdoor. This indicates that the server cannot forge valid ciphertext and cannot perform offline inside keyword guessing attacks (IKGAs) successfully.

• Setup: Same as in Game 1.

• Phase 1: Same as in Game 1.

• Challenge: ${\mathcal{A}}_{\mathcal{I}}$ outputs two keywords $w_0^{*}$ and $w_1^{*}$ and the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver, and $\mathcal{B}$ randomly chooses a bit b ∈ {0, 1}, computes the challenge trapdoor $T_{w_b^{*}}$ and returns it to ${\mathcal{A}}_{\mathcal{I}}$, where $T_{w_b^{*}}=Trapdoor(params,w_b^{*},S{K}_{I{D}_r^{*}},P{K}_{I{D}_s^{*}},I{D}_s^{*},I{D}_r^{*})$.

• Phase 2: Adversary ${\mathcal{A}}_{\mathcal{I}}$ continues to issue queries to $\mathcal{B}$, as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′ ∈ {0, 1}, if b′ = b, we say ${\mathcal{A}}_{\mathcal{I}}$ wins the game. The advantage of ${\mathcal{A}}_{\mathcal{I}}$ in breaking trapdoor indistinguishability in a $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ is defined as

  $$\begin{array}{c}\hfill Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^T=|{\text{Pr}}_{[b^{\prime }=b]}-\frac{1}{2}|.\end{array}$$

Game 4: Trapdoor indistinguishability for ${\mathcal{A}}_{\mathcal{\text{II}}}$

Game 4 is similar to Game 2; the difference is that $\mathcal{B}$ needs to generate a trapdoor of the challenge keywords for the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver in Game 4.

Definition 4 We say that a $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies trapdoor indistinguishability if for any polynomial-time adversaries ${\mathcal{A}}_i(i=I,II)$, $Ad{v}_{{\mathcal{A}}_i}^T(\lambda )$ is negligible.

Designated testability

Game 5: In this game, we assume that ${\mathcal{A}}_{\mathcal{I}}$ is an outside adversary who is allowed to obtain any user’s secret key. Designated testability aims to prevent adversaries from searching the ciphertexts while guaranteeing that only the designated server can.

• Setup: $\mathcal{B}$ generates the system public parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). It invokes ${\mathcal{A}}_{\mathcal{I}}$ on input params and PK_Csvr.

• Phase1: Adversary ${\mathcal{A}}_{\mathcal{I}}$ can adaptively issue a sequence of queries polynomial-many times.

  • Secret Key Queries: Given a user’s identity ID, $\mathcal{B}$ return the user’s secret key SK_ID to ${\mathcal{A}}_{\mathcal{I}}$.
  • Public Key Queries: Given a user’s identity ID, $\mathcal{B}$ return the user’s public key PK_ID to ${\mathcal{A}}_{\mathcal{I}}$.

• Challenge: ${\mathcal{A}}_{\mathcal{I}}$ outputs two keywords $w_0^{*}$ and $w_1^{*}$ and the challenge identity $I{D}_s^{*}$ of a sender and $I{D}_r^{*}$ of a receiver, and $\mathcal{B}$ randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext $C_{w_b^{*}}$ and returns it to ${\mathcal{A}}_{\mathcal{I}}$, where $C_{w_b^{*}}=PEKS(params,w_b^{*},P{K}_{Csvr},S{K}_{I{D}_s^{*}},P{K}_{I{D}_r^{*}},I{D}_s^{*},I{D}_r^{*})$.

• Phase 2: Adversary ${\mathcal{A}}_{\mathcal{I}}$ continues to issue queries to $\mathcal{B}$ as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′ ∈ {0, 1}, and if b′ = b, ${\mathcal{A}}_{\mathcal{I}}$ wins the game.

  The advantage of ${\mathcal{A}}_{\mathcal{I}}$ winning Game 5 is defined as

  $$\begin{array}{c}\hfill Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^D=|{\text{Pr}}_{[b^{\prime }=b]}-\frac{1}{2}|.\end{array}$$

Definition 5 We say that a $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies designated testability if for any polynomial-time adversary ${\mathcal{A}}_I$, $Ad{v}_{{\mathcal{A}}_I}^D(\lambda )$ is negligible.

A instantiation of dCLPAEKS

Concrete $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme

Here, we present a concrete $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme, which is composed of nine polynomial-time algorithms.

• Setup (λ): Given a security parameter λ, this algorithm runs as follows:

  1. Select two cyclic groups ${\mathbb{G}}_1$ and ${\mathbb{G}}_2$ with the same prime order p, a bilinear pairing $\widehat{e}:{\mathbb{G}}_1\times {\mathbb{G}}_1\to {\mathbb{G}}_2$, and a cryptographic hash function $H_1:{\{0,1\}}^{*}\to {\mathbb{G}}_1$.
  2. Select a random number $\alpha \in Z_p^{*}$ as the master key m_sk and set m_pk = g^α, where g is an arbitrary generator of ${\mathbb{G}}_1$.
  3. Choose another arbitrary generator $h\in {\mathbb{G}}_1$.
  4. Choose two additional cryptographic hash functions $H:{\mathbb{G}}_2\times {\{0,1\}}^{*}\to {\mathbb{G}}_1$ and $H_2:{\{0,1\}}^{*}\times {\{0,1\}}^{*}\to {\mathbb{G}}_1$.

  The system parameters params $=({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},g,h,H,H_1,H_2,m_{pk})$ are publicly and authentically available, but only the KGC knows the master key m_sk. Steps (1) and (2) of the algorithm are run by the KGC.

• KGen_Csvr (params): Chooses $\nu \in Z_p^{*}$ randomly, and outputs the server’s public/secret key pair (PK_Csvr, SK_Csvr) = (g^ν, ν).

• PPKGen (params, ID_i, m_sk): Outputs the partial private key $PP{K}_{I{D}_i}=H_1{\left(I{D}_i\right)}^{\alpha }$.

• SVGen (params, ID_i): Selects ${\beta }_{I{D}_i}\in Z_p^{*}$ randomly, and outputs the secret value $S{V}_{I{D}_i}={\beta }_{I{D}_i}$.

• SKGen (params, $PP{K}_{I{D}_i}$, $S{V}_{I{D}_i}$): Outputs the secret key $S{K}_{I{D}_i}=(S{K}_{I{D}_i}^1,S{K}_{I{D}_i}^2)=(H_1{\left(I{D}_i\right)}^{\alpha },{\beta }_{I{D}_i})$.

• PKGen (params, SV_ID): Outputs the public key $P{K}_{I{D}_i}=g^{\alpha {\beta }_{I{D}_i}}$.

• PEKS (params, w, PK_Csvr, $S{K}_{I{D}_s}$, $P{K}_{I{D}_r}$, ID_s, ID_r): Selects $s\in Z_p^{*}$ randomly and computes $C_1=\widehat{e}{(H(k,w),P{K}_{Csvr})}^s$, C₂ = g^s, C₃ = h^s, where $k=\widehat{e}(S{K}_{I{D}_s}^1,H_1\left(I{D}_r\right))·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_r})}^{S{K}_{I{D}_s}^2}$ outputs the ciphertext C_w = (C₁, C₂, C₃).

• Trapdoor (params, w, $S{K}_{I{D}_r}$, $P{K}_{I{D}_s}$, ID_r, ID_s): Selects $r\in Z_p^{*}$ randomly, and computes T₁ = H(k, w) ⋅ h^r, T₂ = g^r, where $k=\widehat{e}(H_1\left(I{D}_s\right),S{K}_{I{D}_r}^1)·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_s})}^{S{K}_{I{D}_r}^2}$, and outputs the trapdoor T_w = (T₁, T₂).

• dTest (params, SK_Csvr, C_w, T_w, ID_s, ID_r): Returns 1 if $C_1·\widehat{e}(T_2^{S{K}_{Csvr}},C_3)=\widehat{e}(T_1^{S{K}_{Csvr}},C_2)$ and 0 otherwise.

Security analysis

In this subsection, we analyze the security of the above concrete construction.

$\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ ciphertext indistinguishability

Theorem 1 Our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies ciphertext indistinguishability under the assumption that DBDH is intractable.

This conclusion is derived from the following two lemmas.

Lemma 2 For any polynomial-time adversary ${\mathcal{A}}_{\mathcal{I}}$, our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies ciphertext indistinguishability in Game 1 under the random oracle model assuming DBDH is intractable.

Proof 2 Assume that ${\mathcal{A}}_{\mathcal{I}}$ is a semi-trusted server that tries to break the ciphertext indistinguishability of our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme. We construct a simulator $\mathcal{B}$ to solve the DBDH problem. Given a random challenge $({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},g,g^x,g^y,g^z,Z)$, where Z is either equal to $\widehat{e}{(g,g)}^{xyz}$ or a random element of ${\mathbb{G}}_2$, $\mathcal{B}$ interacts with ${\mathcal{A}}_{\mathcal{I}}$ as follows:

• Setup: $\mathcal{B}$ randomly chooses h from ${\mathbb{G}}_1$ and $\nu \in Z_p^{*}$ and sets (PK_Csvr, SK_Csvr) = (g^ν, ν) and params $=({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,h,m_{pk}=g^z)$. $\mathcal{B}$ sends params and (PK_Csvr, SK_Csvr) to ${\mathcal{A}}_{\mathcal{I}}$.

• Phase1: ${\mathcal{A}}_{\mathcal{I}}$ is allowed to issue queries to the following oracles simulated by $\mathcal{B}$. To simplify, let us make the following assumptions: the adversary does not initiate repeated queries, and the attacker does not use an identity to perform any calculations before initiating H₁ on the identity.

  • H Queries: Upon receiving ${\mathcal{A}}_{\mathcal{I}}’s$ query on an element k and a keyword w, $\mathcal{B}$ randomly chooses an element from ${\mathbb{G}}_1$ as the output of H(k, w).
  • H₁ Queries: Suppose that ${\mathcal{A}}_{\mathcal{I}}$ makes at most $q_{H_1}$ queries. A list is maintained by $\mathcal{B}$, referred to as $L_{H_1}$. $\mathcal{B}$ randomly chooses $i,j\in \{1,2,\cdots ,q_{H_1}\}$, and guesses that the i-th and the j-th H₁ queries initiated by ${\mathcal{A}}_{\mathcal{I}}$ correspond to the sender’s challenge identity $I{D}_s^{*}$ and receiver’s challenge identity $I{D}_r^{*}$, respectively. When ${\mathcal{A}}_{\mathcal{I}}$ makes a H₁ query on identity ID, $\mathcal{B}$ responds as follows:

    1. If this is the i-th query, e.g., $ID=I{D}_s^{*}$, $\mathcal{B}$ outputs H₁(ID) = g^x and adds < ID, g^x, ⊥ > to $L_{H_1}$.
    2. If this is the j-th query, e.g., $ID=I{D}_r^{*}$, $\mathcal{B}$ outputs H₁(ID) = g^y and adds < ID, g^y, ⊥ > to $L_{H_1}$.
    3. Otherwise, $\mathcal{B}$ chooses a random number ${\mu }_{ID}\in Z_p^{*}$, outputs $H_1\left(ID\right)=g^{{\mu }_{ID}}$ and adds < ID, H₁(ID), μ_ID > to $L_{H_1}$.
  • H₂ Queries: Given a pair of identities (ID_s, ID_r), $\mathcal{B}$ randomly chooses an element from ${\mathbb{G}}_1$ as the output of H₂(ID_s, ID_r).
  • Partial Private Key Extraction: When ${\mathcal{A}}_{\mathcal{I}}$ asks for the partial private key of the ID, if $ID=I{D}_s^{*}$ or $ID=I{D}_r^{*}$, $\mathcal{B}$ outputs a random bit η′ and aborts. Otherwise, it recovers the tuple < ID, H₁(ID), μ_ID > from $L_{H_1}$, and returns the partial private key $PP{K}_{ID}={\left(g^z\right)}^{{\mu }_{ID}}$ to ${\mathcal{A}}_{\mathcal{I}}$.
  • Secret Key Queries: $\mathcal{B}$ maintains a list L_SK, which is initially empty. Taking ID as input, $\mathcal{B}$ performs the following actions:

    1. If $ID\ne I{D}_s^{*}$ and $ID\ne I{D}_r^{*}$, it recovers the tuple < ID, H₁(ID), μ_ID > from $L_{H_1}$ and chooses a random number β_ID as the secret value. Then, $\mathcal{B}$ returns the secret key $S{K}_{ID}=({\left(g^z\right)}^{{\mu }_{ID}},{\beta }_{ID})$ to ${\mathcal{A}}_{\mathcal{I}}$ and adds < ID, SK_ID > into L_SK.
    2. Otherwise, $\mathcal{B}$ randomly chooses an element ${\beta }_{ID}\in Z_p^{*}$ as a secret value and adds < ID, ⊥, β_ID > into L_SK. Then, $\mathcal{B}$ outputs a random bit η′ and aborts.
  • Public Key Queries: $\mathcal{B}$ maintains a list L_PK, which is initially empty. Given an identity ID, $\mathcal{B}$ retrieves the tuple < ID, SK_ID > from L_SK, computes the public key $P{K}_{ID}={\left(g^z\right)}^{{\beta }_{ID}}$, and then returns it to ${\mathcal{A}}_{\mathcal{I}}$ and adds < ID, PK_ID > into L_PK.
  • Replace Public Key: ${\mathcal{A}}_{\mathcal{I}}$ can replace the public key with any value he chooses.
  • Ciphertext Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ randomly chooses $s\in Z_p^{*}$ and executes the following steps:

    1. If at least one of ID_r and ID_s is not equal to $I{D}_r^{*}$ or $I{D}_s^{*}$, without loss of generality, we assume that $I{D}_s\notin \{I{D}_s^{*},I{D}_r^{*}\}$. $\mathcal{B}$ recovers $<I{D}_s,H_1\left(I{D}_s\right),{\mu }_{I{D}_s}>$ from $L_{H_1}$, $<I{D}_s,S{K}_{I{D}_s}>$ from L_SK, and $<I{D}_r,P{K}_{I{D}_r}>$ from L_PK, computes $k=\widehat{e}{(g^z,H_1\left(I{D}_r\right))}^{{\mu }_{I{D}_s}}·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_r})}^{S{K}_{I{D}_s}^2}$ and returns $C_1=\widehat{e}{(H(k,w),P{K}_{Csvr})}^s$, C₂ = g^s, C₃ = h^s.
    2. Otherwise, $\mathcal{B}$ outputs a random bit η′ and aborts.
  • Trapdoor Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ randomly chooses $r\in Z_p^{*}$ and responds as follows:

    1. If at least one of ID_r and ID_s is not equal to $I{D}_r^{*}$ or $I{D}_s^{*}$, without loss of generality, we assume that $I{D}_s\notin \{I{D}_s^{*},I{D}_r^{*}\}$. $\mathcal{B}$ recovers $<I{D}_s,H_1\left(I{D}_s\right),{\mu }_{I{D}_s}>$ from $L_{H_1}$, $<I{D}_r,S{K}_{I{D}_r}>$ from L_SK, and $<I{D}_s,P{K}_{I{D}_s}>$ from L_PK, computes $k=\widehat{e}{(g^z,H_1\left(I{D}_r\right))}^{{\mu }_{I{D}_s}}·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_s})}^{S{K}_{I{D}_r}^2}$ and returns T₁ = H(k, w) ⋅ h^r, T₂ = g^r.
    2. Otherwise, $\mathcal{B}$ outputs a random bit η′ and aborts.

• Challenge: ${\mathcal{A}}_{\mathcal{I}}$ issues a challenge on two different keywords $w_0^{*}$, $w_1^{*}$, a sender’s identity $I{D}_s^{*}$ and a receiver’s identity $I{D}_r^{*}$. $\mathcal{B}$ randomly selects a bit b ∈ {0, 1} and an element $s\in Z_p^{*}$, and computes the ciphertext $C_{w_b^{*}}=(C_1^{*},C_2^{*},C_3^{*})$, where $C_1^{*}=\widehat{e}{(H(Z·\widehat{e}{(H_2(I{D}_s^{*},I{D}_r^{*}),P{K}_{I{D}_r^{*}})}^{S{K}_{I{D}_s^{*}}^2},w_b^{*}),P{K}_{Csvr})}^s$ and $C_2^{*}=g^s$, $C_3^{*}=h^s$.

• Phase 2: Simulator $\mathcal{B}$ responds as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′ ∈ {0, 1}, and then $\mathcal{B}$ outputs η′ = 0 if b′ = b and 1 otherwise.

If $\mathcal{B}$ guesses that the challenge identities are incorrect, $\mathcal{B}$ aborts. Denote by abt the event that $\mathcal{B}$ aborts. The probability that event abt does not occur is $1/q_{H_1}·(q_{H_1}-1)$.

Assume that $\mathcal{B}$ does not abort in the game. If $Z=\widehat{e}{(g,g)}^{xyz}$, the view of ${\mathcal{A}}_{\mathcal{I}}$ is the same as in a real attack, and ${\mathcal{A}}_{\mathcal{I}}$ succeeds in the game with probability $Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^C=\Vert {\text{Pr}}_{[b^{\prime }=b]}-\frac{1}{2}\Vert$. If Z is selected from ${\mathbb{G}}_2$ randomly, then k is also a random element in ${\mathbb{G}}_1$, so ${\mathcal{A}}_{\mathcal{I}}$ wins Game 1 with probability at most $\frac{1}{2}$. Hence, the advantage of $\mathcal{B}$ in solving the DBDH problem is

$$\begin{array}{c}Ad{v}_{\mathcal{B}}^{DBDH}\hfill \\ =|{\text{Pr}}_{[{\eta }^{\prime }=\eta |abt]}·{\text{Pr}}_{\left[abt\right]}+{\text{Pr}}_{[{\eta }^{\prime }=\eta |\neg abt]}·{\text{Pr}}_{\left[\neg abt\right]}-{\displaystyle \frac{1}{2}}|\hfill \\ =|{\displaystyle \frac{1}{2}}(1-{\text{Pr}}_{[\neg abt]})+({\text{Pr}}_{[{\eta }^{\prime }=0|\neg abt\wedge \eta =0]}·{\text{Pr}}_{[\eta =0]}+{\text{Pr}}_{[{\eta }^{\prime }=1|\neg abt\wedge \eta =1]}·{\text{Pr}}_{[\eta =1]})·{\text{Pr}}_{[\neg abt]}-{\displaystyle \frac{1}{2}}|\hfill \\ \ge |{\displaystyle \frac{1}{2}}(1-{\text{Pr}}_{[\neg abt]})+{\text{Pr}}_{[\neg abt]}·({\displaystyle \frac{1}{2}}(Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^C(\lambda )+{\displaystyle \frac{1}{2}})+{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}})-{\displaystyle \frac{1}{2}}|\hfill \\ ={\displaystyle \frac{1}{2}}{\text{Pr}}_{[\neg abt]}·Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^C(\lambda )\hfill \\ ={\displaystyle \frac{1}{2q_{H_1}·(q_{H_1}-1)}}·Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^C(\lambda )\hfill \end{array}$$

If $\mathcal{A}d{v}_{A_I}^C(\lambda )$ is not negligible, then $Ad{v}_{\mathcal{B}}^{DBDH}$ is not negligible.

Lemma 3 For any polynomial-time adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$, our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies ciphertext indistinguishability in Game 2 under the random oracle model, assuming DBDH is intractable.

Proof 3 Assume that ${\mathcal{A}}_{\mathcal{\text{II}}}$ is a semi-trusted KGC that tries to break the ciphertext indistinguishability of our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme. Given a DBDH instance $({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,g^x,g^y,g^z,Z)$, we will construct an algorithm $\mathcal{B}$ to solve the DBDH problem by using ${\mathcal{A}}_{\mathcal{\text{II}}}$ as a subroutine. $\mathcal{B}$ interacts with ${\mathcal{A}}_{\mathcal{\text{II}}}$ as follows:

• Setup: $\mathcal{B}$ selects h from ${\mathbb{G}}_1$ and $\alpha \in Z_p^{*}$ randomly and sets params $=({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,h,m_{pk}=g^{\alpha })$ and PK_Csvr = g^x. Then, $\mathcal{B}$ sends params, PK_Csvr and m_sk = α to ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Phase 1: ${\mathcal{A}}_{\mathcal{\text{II}}}$ executes the following queries; assume that ${\mathcal{A}}_{\mathcal{\text{II}}}$ does not repeat its queries.

  • H Queries: A list is maintained by $\mathcal{B}$, referred to as L_H, which is initially empty. Taking an element k and a keyword w as input, $\mathcal{B}$ randomly chooses ${\mu }_{k,w}\in Z_p^{*}$, returns $H(k,w)=g^y{g}^{{\mu }_{k,w}}$ to ${\mathcal{A}}_{\mathcal{\text{II}}}$ and adds < (k, w), H(k, w), μ_k,w > into L_H.
  • H₁ Queries: Given an identity ID, $\mathcal{B}$ randomly selects an element from ${\mathbb{G}}_1$ as the H₁(ID) value and returns it to ${\mathcal{A}}_{\mathcal{\text{II}}}$.
  • H₂ Queries: Given a pair of identities (ID_s, ID_r), $\mathcal{B}$ randomly chooses an element from ${\mathbb{G}}_1$ as its H₂(ID_s, ID_r) value, and outputs it to ${\mathcal{A}}_{\mathcal{\text{II}}}$.
  • Secret Key Queries: $\mathcal{B}$ maintains a list L_SK that is initially empty. Taking an identity ID as input, $\mathcal{B}$ selects a random number ${\beta }_{ID}\in Z_p^{*}$ as the secret value and returns the secret key SK_ID = ((H₁(ID)^α, β_ID) to ${\mathcal{A}}_{\mathcal{\text{II}}}$. Then, $\mathcal{B}$ adds < ID, H₁(ID)^α, β_ID > into L_SK.
  • Public Key Queries: $\mathcal{B}$ maintains a list L_PK that is initially empty. Given an identity ID, $\mathcal{B}$ recovers the tuple < ID, H₁(ID)^α, β_ID > from L_SK, computes the public key $P{K}_{ID}={\left(g^{\alpha }\right)}^{{\beta }_{ID}}$, and returns it to ${\mathcal{A}}_{\mathcal{\text{II}}}$. Then, < ID, PK_ID > is added to L_PK.
  • Ciphertext Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ recovers the tuple < (k, w), H(k, w), μ_k,w > from L_H, where $k=\widehat{e}(S{K}_{I{D}_s}^1,H_1\left(I{D}_r\right))·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_r})}^{S{K}_{I{D}_s}^2}$. If there is no such tuple, $\mathcal{B}$ generates it as in previous queries. Then, $\mathcal{B}$ randomly chooses $s\in Z_p^{*}$ and computes the ciphertext C_w = (C₁, C₂, C₃), where $C_1=\widehat{e}{(H(k,w),P{K}_{Csvr})}^s$ and C₂ = g^s, C₃ = h^s.
  • Trapdoor Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ recovers the tuple < (k, w), H(k, w), μ_k,w > from L_H, where $k=\widehat{e}(H_1\left(I{D}_s\right),S{K}_{I{D}_r}^1)·\widehat{e}{(H_2(I{D}_s,I{D}_r),P{K}_{I{D}_s})}^{S{K}_{I{D}_r}^2}$. If there is no such tuple, $\mathcal{B}$ generates it as in previous queries. Then, $\mathcal{B}$ randomly chooses $r\in Z_p^{*}$ and computes trapdoor T_w = (T₁, T₂), where T₁ = H(k, w) ⋅ h^r, T₂ = g^r.

• Challenge: ${\mathcal{A}}_{\mathcal{\text{II}}}$ submits two challenge keywords $w_0^{*}$, $w_1^{*}$, the sender’s challenge identity $I{D}_s^{*}$ and the receiver’s challenge identity $I{D}_r^{*}$. $\mathcal{B}$ chooses a random bit b ∈ {0, 1} and recovers the tuple $<(k^{*},w_b^{*}),H((k^{*},w_b^{*}),{\mu }_{k^{*},w_b^{*}}>$, where $k^{*}=\widehat{e}(S{K}_{I{D}_s^{*}}^1,{\mathsf{H}}_{\mathsf{1}}\left(I{D}_r^{*}\right))·\widehat{e}{({\mathsf{H}}_{\mathsf{2}}(I{D}_s^{*},I{D}_r^{*}),P{K}_{I{D}_r^{*}})}^{S{K}_{I{D}_s^{*}}^2}$. If there is no such tuple, $\mathcal{B}$ generates it as in previous queries. Then, it computes the challenge ciphertext $C_{w_b^{*}}=(C_1^{*},C_2^{*},C_3^{*})$, where $C_1^{*}=Z·\widehat{e}{(g^z,g^x)}^{{\mu }_{k^{*},w_b^{*}}},C_2^{*}=g^z,C_3^{*}=h^z$.

• Phase 2: Simulator $\mathcal{B}$ responds as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{\text{II}}}$ outputs a bit b′; if b′ = b, $\mathcal{B}$ outputs η′ = 0, and it outputs 1 otherwise.

If $Z=\widehat{e}{(g,g)}^{xyz}$, then the challenge ciphertext is a correctly distributed verifiable ciphertext, so the view of ${\mathcal{A}}_{\mathcal{\text{II}}}$ is the same as in real attack, and ${\mathcal{A}}_{\mathcal{\text{II}}}$ succeeds in Game 2 with probability $Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^C+{\displaystyle \frac{1}{2}}$. If Z is selected from ${\mathbb{G}}_2$ randomly, then $C_1^{*}$ is also a random element in ${\mathbb{G}}_1$; hence, ${\mathcal{A}}_{\mathcal{\text{II}}}$ succeeds in the game with probability at most $\frac{1}{2}$. Therefore, the advantage of $\mathcal{B}$ in solving the DBDH problem is

$$\begin{array}{c}Ad{v}_{\mathcal{B}}^{DBDH}\hfill \\ =|{\text{Pr}}_{[{\eta }^{\prime }=\eta |\eta =1]}·{\text{Pr}}_{[\eta =1]}+{\text{Pr}}_{[{\eta }^{\prime }=\eta |\eta =0]}·{\text{Pr}}_{[\eta =0]}-{\displaystyle \frac{1}{2}}|\hfill \\ \ge |{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{2}}(Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^C(\lambda )+{\displaystyle \frac{1}{2}})-{\displaystyle \frac{1}{2}}|\hfill \\ ={\displaystyle \frac{1}{2}}·Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^C\hfill \end{array}$$

If ${\mathcal{A}}_{\mathcal{\text{II}}}^C(\lambda )$ is not negligible, then $Ad{v}_{\mathcal{B}}^{DBDH}$ is not negligible.

Trapdoor indistinguishability of $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$

Theorem 2 Our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies trapdoor indistinguishability under the assumption that DBDH is intractable.

This conclusion is derived from the following two lemmas.

Lemma 4 For any polynomial-time adversary ${\mathcal{A}}_{\mathcal{I}}$, our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies trapdoor indistinguishability in Game 3 under the random oracle model, assuming DBDH is intractable.

The proof of Lemma 4 is similar to that of Lemma 2. The difference is that the simulator generates a challenge trapdoor in the challenge stage. We omit the proof details here.

Lemma 5 For any polynomial-time adversary ${\mathcal{A}}_{\mathcal{\text{II}}}$, our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies trapdoor indistinguishability in Game 4 under the random oracle model, assuming DBDH is intractable.

Proof 4 Assume that ${\mathcal{A}}_{\mathcal{\text{II}}}$ is a semi-trusted KGC that tries to break the trapdoor indistinguishability of our scheme. We construct a simulator $\mathcal{B}$ to solve the DBDH problem. Given a random challenge $({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,g^x,g^y,g^z,Z)$, $\mathcal{B}$ interacts with ${\mathcal{A}}_{\mathcal{\text{II}}}$ as follows:

• Setup: $\mathcal{B}$ selects h from ${\mathbb{G}}_1$ and $\nu ,\alpha \in Z_p^{*}$ randomly and sets params $=({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,h,m_{pk}=g^{\alpha })$ and (PK_Csvr, SK_Csvr) = (g^ν, ν). $\mathcal{B}$ returns params, PK_Csvr and m_sk = α to ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Phase 1: $\mathcal{B}$ responds to ${\mathcal{A}}_{\mathcal{\text{II}}}$’ inquiry as follows, assuming that ${\mathcal{A}}_{\mathcal{\text{II}}}$ does not initiate repeated queries.

  • H Queries: Given a keyword w and an element k, $\mathcal{B}$ randomly chooses an element from ${\mathbb{G}}_1$ as the output of H(k, w).
  • H₁ Queries: Given an identity ID, $\mathcal{B}$ picks a random number from ${\mathbb{G}}_1$ and returns it to ${\mathcal{A}}_{\mathcal{\text{II}}}$ as the H₁(ID) value of ID.
  • H₂ Queries: Suppose that ${\mathcal{A}}_{\mathcal{\text{II}}}$ issues at most $q_{H_2}$ queries. A list is maintained by $\mathcal{B}$, referred to as $L_{H_2}$, which is initially empty. $\mathcal{B}$ randomly selects $i\in \{1,2,\cdots ,q_{H_2}\}$ and guesses that the two identities in the i-th inquiry are the sender’s challenge identity $I{D}_s^{*}$ and receiver’s challenge identity $I{D}_r^{*}$, respectively. Taking a pair of identities (ID_s, ID_r) as input, $\mathcal{B}$ responds as follows:

    1. If this is the i-th query, e.g., $(I{D}_s,I{D}_r)=(I{D}_s^{*},I{D}_r^{*})$, it returns H₂(ID_s, ID_r) = g^z and adds < (ID_s, ID_r), g^z, ⊥ > into $L_{H_2}$.
    2. Otherwise, $\mathcal{B}$ randomly chooses ${\mu }_{r,s}\in Z_p^{*}$, returns $H_2(I{D}_s,I{D}_r)=g^{{\mu }_{r,s}}$ and adds $<(I{D}_s,I{D}_r),g^{{\mu }_{r,s}},{\mu }_{r,s}>$ into $L_{H_2}$.
  • Secret Key Queries: A list is maintained by $\mathcal{B}$, called L_SK. Given an identity ID, $\mathcal{B}$ responds as follows:

    1. If $ID\notin (I{D}_s^{*},I{D}_r^{*})$, $\mathcal{B}$ selects a random number ${\beta }_{ID}\in Z_p^{*}$ as the secret value of the identity ID and returns the secret key SK_ID = (H₁(ID)^a, β_ID) to ${\mathcal{A}}_{\mathcal{\text{II}}}$, then adds < ID, SK_ID > into L_SK.
    2. Otherwise, $\mathcal{B}$ outputs a random bit η′ and aborts.
  • Public Key Queries: $\mathcal{B}$ maintains an initially empty list L_PK. Taking an identity ID as input, $\mathcal{B}$ returns a value to ${\mathcal{A}}_{\mathcal{\text{II}}}$ according to the following conditions:

    1. If $ID=I{D}_s^{*}$, it outputs PK_ID = (g^x)^α and adds < ID, (g^x)^α > into L_PK.
    2. If $ID=I{D}_r^{*}$, it outputs PK_ID = (g^y)^α and adds < ID, (g^y)^α > into L_PK.
    3. Otherwise, $\mathcal{B}$ retrieves the tuple < ID, H₁(ID)^a, β_ID > from L_SK and computes the public key $P{K}_{ID}={\left(g^{\alpha }\right)}^{{\beta }_{ID}}$. Then, $\mathcal{B}$ returns PK_ID to ${\mathcal{A}}_{\mathcal{\text{II}}}$ and adds < ID, PK_ID > into L_PK.
  • Ciphertext Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ randomly chooses $s\in Z_p^{*}$ and computes the ciphertext C_w = (C₁, C₂, C₃) as follows:

    1. If $(I{D}_r,I{D}_s)=(I{D}_r^{*},I{D}_s^{*})$ or $(I{D}_r,I{D}_s)=(I{D}_s^{*},I{D}_r^{*})$, $\mathcal{B}$ computes $C_1=\widehat{e}(H(\widehat{e}(H_1{\left(I{D}_s\right)}^{\alpha },H_1\left(I{D}_r\right))·Z^{\alpha }),w),P{K}_{Csvr}{)}^s$ and C₂ = g^s, C₃ = h^s.
    2. Otherwise, at least one of ID_r and ID_s is not equal to $I{D}_r^{*}$ or $I{D}_s^{*}$. Without loss of generality, we assume that $I{D}_s\notin \{I{D}_s^{*},I{D}_r^{*}\}$. $\mathcal{B}$ recovers $<(I{D}_s,I{D}_r),g^{{\mu }_{r,s}},{\mu }_{r,s}>$ from $L_{H_2}$ and $<I{D}_s,P{K}_{I{D}_s}>$ from L_PK, computes $k=\widehat{e}(H_1{\left(I{D}_s\right)}^{\alpha },H_1\left(I{D}_r\right))·e{(g^y,P{K}_{I{D}_s})}^{{\mu }_{r,s}}$ and returns $C_1=\widehat{e}{(H(k,w),P{K}_{Csvr})}^s$, C₂ = g^s, C₃ = h^s.
  • Trapdoor Queries: Taking (w, ID_r, ID_s) as input, $\mathcal{B}$ randomly chooses $r\in Z_p^{*}$, and computes the trapdoor T_w = (T₁, T₂) as follows:

    1. If $(I{D}_r,I{D}_s)=(I{D}_r^{*},I{D}_s^{*})$ or $(I{D}_r,I{D}_s)=(I{D}_s^{*},I{D}_r^{*})$, $\mathcal{B}$ computes $T_1=H(\widehat{e}(H_1\left(I{D}_s\right),H_1{\left(I{D}_r\right)}^{\alpha })·Z^{\alpha }),w)·h^r$ and T₂ = g^r.
    2. Otherwise, at least one of ID_r and ID_s is not equal to $I{D}_r^{*}$ or $I{D}_s^{*}$. Without loss of generality, we assume that $I{D}_s\notin \{I{D}_s^{*},I{D}_r^{*}\}$. $\mathcal{B}$ recovers $<(I{D}_s,I{D}_r),g^{{\mu }_{r,s}},{\mu }_{r,s}>$ from $L_{H_2}$ and $<I{D}_s,P{K}_{I{D}_s}>$ from L_PK, computes $k=\widehat{e}(H_1\left(I{D}_s\right),H_1{\left(I{D}_r\right)}^{\alpha })·e{(g^y,P{K}_{I{D}_s})}^{{\mu }_{r,s}}$ and returns T₁ = H(k, w) ⋅ h^r, T₂ = g^r.

• Challenge: ${\mathcal{A}}_{\mathcal{\text{II}}}$ submits two challenge keywords $w_0^{*}$, $w_1^{*}$, the sender’s challenge identity $I{D}_s^{*}$ and the receiver’s challenge identity $I{D}_r^{*}$. $\mathcal{B}$ chooses a random bit b ∈ {0, 1} and an element $r\in Z_p^{*}$, computes ciphertext $C_1^{*}=\widehat{e}(H(\widehat{e}(H_1{\left(I{D}_s^{*}\right)}^{\alpha },H_1\left(I{D}_r^{*}\right))·Z^{\alpha }),w_b^{*}),P{K}_{Csvr}{)}^s$, $C_2^{*}=g^s$, $C_3^{*}=h^s$ and returns ciphertext $C_{w_b^{*}}=(C_1^{*},C_2^{*},C_2^{*})$ to ${\mathcal{A}}_{\mathcal{\text{II}}}$.

• Phase2: $\mathcal{B}$ responds as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′ ∈ {0, 1}, and then $\mathcal{B}$ outputs η′ = 0 if b′ = b and 1 otherwise.

If $\mathcal{B}$ guesses that the challenge identities are incorrect, then $\mathcal{B}$ aborts. Denote by abt the event that $\mathcal{B}$ aborts. The probability that event abt does not occur is ${\displaystyle \frac{1}{q_{H_2}}}$.

Assume that $\mathcal{B}$ does not abort in the game. If $Z=\widehat{e}{(g,g)}^{xyz}$, the view of ${\mathcal{A}}_{\mathcal{\text{II}}}$ is the same as in a real attack, and ${\mathcal{A}}_{\mathcal{\text{II}}}$ succeeds in the game with probability $Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^T+{\displaystyle \frac{1}{2}}$. If Z is chosen from ${\mathbb{G}}_2$ randomly, then k is also a random element in ${\mathbb{G}}_1$; hence, ${\mathcal{A}}_{\mathcal{\text{II}}}$ would win Game 4 with probability at most ${\displaystyle \frac{1}{2}}$. Therefore, the advantage of $\mathcal{B}$ in solving the DBDH problem is

$$\begin{array}{c}Ad{v}_{\mathcal{B}}^{DBDH}\hfill \\ =|{\text{Pr}}_{[{\eta }^{\prime }=\eta |abt]}·{\text{Pr}}_{\left[abt\right]}+{\text{Pr}}_{[{\eta }^{\prime }=\eta |\neg abt]}·{\text{Pr}}_{\left[\neg abt\right]}-{\displaystyle \frac{1}{2}}|\hfill \\ =|{\displaystyle \frac{1}{2}}(1-{\text{Pr}}_{[\neg abt]})+{\text{Pr}}_{[\neg abt]}·({\text{Pr}}_{[{\eta }^{\prime }=0|\neg abt\wedge \eta =0]}·{\text{Pr}}_{[\eta =0]}+{\text{Pr}}_{[{\eta }^{\prime }=1|\neg abt\wedge \eta =1]}·{\text{Pr}}_{[\eta =1]})-{\displaystyle \frac{1}{2}}|\hfill \\ \ge |{\displaystyle \frac{1}{2}}-{\displaystyle \frac{1}{2}}·{\text{Pr}}_{[\neg abt]}+{\text{Pr}}_{[\neg abt]}·({\displaystyle \frac{1}{2}}(Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^T(\lambda )+{\displaystyle \frac{1}{2}})+{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}})-{\displaystyle \frac{1}{2}}|\hfill \\ ={\displaystyle \frac{1}{2}}{\text{Pr}}_{[\neg abt]}·Ad{v}_{{\mathcal{A}}_{\mathcal{\text{II}}}}^T(\lambda )\hfill \\ ={\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{q_{H_2}}}·{d{v}_{\mathcal{A}}\mathcal{\text{II}}}^T(\lambda )\hfill \end{array}$$

If $Ad{v}_{\mathcal{A}}{\mathcal{\text{II}}}^T(\lambda )$ is not negligible, then $Ad{v}_{\mathcal{B}}^{DBDH}(\lambda )$.

Theorem 3 Our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme satisfies designated testability under the assumption that DBDH is intractable.

Proof 5 Assume that outside adversary ${\mathcal{A}}_{\mathcal{I}}$ tries to break the designated testability of our $\mathsf{d}\mathsf{C}\mathsf{L}\mathsf{P}\mathsf{A}\mathsf{E}\mathsf{K}\mathsf{S}$ scheme. We build an algorithm $\mathcal{B}$ with ${\mathcal{A}}_{\mathcal{I}}$ as a subroutine to solve the DBDH problem. Given a DBDH instance $({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,g^x,g^y,g^z,Z)$, $\mathcal{B}$ interacts with ${\mathcal{A}}_{\mathcal{I}}$ as follows:

• Setup: $\mathcal{B}$ selects h from ${\mathbb{G}}_1$ and $\alpha \in Z_p^{*}$ randomly and sets params $=({\mathbb{G}}_1,{\mathbb{G}}_2,\widehat{e},p,g,h,m_{pk}=g^{\alpha })$ and PK_Csvr = g^x. Then, $\mathcal{B}$ sends params and PK_Csvr to ${\mathcal{A}}_{\mathcal{I}}$.

• Phase 1: $\mathcal{B}$ answers ${\mathcal{A}}_{\mathcal{I}}’s$ inquiries as follows, assuming that ${\mathcal{A}}_{\mathcal{I}}$ does not repeat his inquiries.

  • H₁ Queries: Given an identity ID, $\mathcal{B}$ randomly chooses an element from ${\mathbb{G}}_1$ as the H₁(ID) value and returns it to ${\mathcal{A}}_{\mathcal{I}}$.
  • H₂ Queries: Given a pair of identities (ID_s, ID_r), $\mathcal{B}$ randomly selects an element from ${\mathbb{G}}_1$ as the H₂(ID_s, ID_r) value, and outputs it.
  • H Queries: A list L_H is maintained by $\mathcal{B}$ that is initially empty. Taking an element k and a keyword w as input, $\mathcal{B}$ randomly chooses ${\mu }_{k,w}\in Z_p^{*}$, returns $H(k,w)=g^y{g}^{{\mu }_{k,w}}$ to ${\mathcal{A}}_{\mathcal{I}}$ and adds < (k, w), H(k, w), μ_k,w > into L_H.
  • Secret Key Queries: $\mathcal{B}$ maintains a list L_SK that is initially empty. Taking an identity ID as input, $\mathcal{B}$ selects a random number β_ID ∈ Z_p as the secret value of identity ID and returns the secret key SK_ID = ((H₁(ID)^α, β_ID) to ${\mathcal{A}}_{\mathcal{I}}$. Then, $\mathcal{B}$ adds < ID, H₁(ID)^α, β_ID > into L_SK.
  • Public Key Queries: $\mathcal{B}$ maintains a list L_PK that is initially empty. Given an identity ID, $\mathcal{B}$ recovers the tuple < ID, H₁(ID)^α, β_ID > from L_SK, computes the public key $P{K}_{ID}={\left(g^{\alpha }\right)}^{{\beta }_{ID}}$, and returns it to ${\mathcal{A}}_{\mathcal{I}}$. Then, < ID, PK_ID > is added to L_PK.

• Challenge: ${\mathcal{A}}_{\mathcal{I}}$ submits two different challenge keywords $w_0^{*}$, $w_1^{*}$, the sender’s identity $I{D}_s^{*}$ and the receiver’s identity $I{D}_r^{*}$. $\mathcal{B}$ chooses a random bit b ∈ {0, 1} and recovers the tuple $<(k^{*},w_b^{*}),H((k^{*},w_b^{*}),{\mu }_{k^{*},w_b^{*}}>$, where $k^{*}=\widehat{e}(S{K}_{I{D}_s^{*}}^1,H_1\left(I{D}_r^{*}\right))·\widehat{e}{(H_2(I{D}_s^{*},I{D}_r^{*}),P{K}_{I{D}_r^{*}})}^{S{K}_{I{D}_s^{*}}^2}$. If there is no such tuple, $\mathcal{B}$ generates it as in previous queries. Then, $\mathcal{B}$ computes the challenge ciphertext $C_{w_b^{*}}=(C_1^{*},C_2^{*})$, where $C_1^{*}=Z·\widehat{e}{(g^z,g^x)}^{{\mu }_{k^{*},w_b^{*}}},C_2^{*}=g^z,C_3^{*}=h^z$.

• Phase 2: The simulator $\mathcal{B}$ responds as in phase 1.

• Guess: ${\mathcal{A}}_{\mathcal{I}}$ outputs a bit b′; if b′ = b, B outputs η′ = 0, otherwise 1. If $Z=\widehat{e}{(g,g)}^{xyz}$, the view of ${\mathcal{A}}_{\mathcal{I}}$ is the same as in a real attack, and ${\mathcal{A}}_{\mathcal{I}}$ succeeds in Game 5 with probability $Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^D+{\displaystyle \frac{1}{2}}$. If Z is selected from ${\mathbb{G}}_2$ randomly, then $C_1^{*}$ is also a random element in ${\mathbb{G}}_1$; hence, ${\mathcal{A}}_{\mathcal{I}}$ succeeds in the game with probability at most ${\displaystyle \frac{1}{2}}$. Therefore, the advantage of $\mathcal{B}$ in solving the DBDH problem is

  $$\begin{array}{c}Ad{v}_{\mathcal{B}}^{DBDH}\hfill \\ =|{\text{Pr}}_{[{\eta }^{\prime }=\eta |\eta =1]}·{\text{Pr}}_{[\eta =1]}+{\text{Pr}}_{[{\eta }^{\prime }=\eta |\eta =0]}·{\text{Pr}}_{[\eta =0]}-{\displaystyle \frac{1}{2}}|\hfill \\ =|{\displaystyle \frac{1}{2}}·{\displaystyle \frac{1}{2}}+{\displaystyle \frac{1}{2}}(Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^D(\lambda )+{\displaystyle \frac{1}{2}})-{\displaystyle \frac{1}{2}}|\hfill \\ ={\displaystyle \frac{1}{2}}·Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^D\hfill \end{array}$$

  If $Ad{v}_{{\mathcal{A}}_{\mathcal{I}}}^D(\lambda )$ is not negligible, then $Ad{v}_{\mathcal{B}}^{DBDH}$.

Evaluation

In this section, we evaluate the security properties, computational complexity and communication overhead of our scheme, and compare it with the schemes proposed in [17, 43, 44], and [19]. Table 1 shows the comparison between these schemes and our dCLPAEKS scheme in terms of security. As shown by Table 1, our scheme provides security against inside keyword guessing attacks and against outside keyword guessing attacks without requiring a secure channel.

Table 1. Comparison of security.

Scheme	Functionalities
	C Ind	T Ind	SCF	IKGAs
SCF-MCLPEKS+ [17]	√	×	√	×
CLPEKS [43]	√	×	√	×
SCF-MCLPEKS [44]	√	×	√	×
CL-dPAEKS [19]	√	×	√	×
Proposed scheme	√	√	√	√

C Ind: Ciphertext Indistinguishability, T Ind: Trapdoor Indistinguishability, SCF: Secure Channel Free, IKGAs: Security against Inside Keyword Guessing Attacks.

The communication overhead of the five schemes is given in Table 2. According to Table 2, the communication overhead of our dCLPAEKS scheme is almost the same as that of SCF-MCLPEKS⁺ and CL-dPAEKS.

Table 2. Comparison of communication overhead.

Scheme	communication overhead
	Size(PK)	Size(C)	Size(Tw)
SCF-MCLPEKS+ [17]	|G1|	2|G1| + |G2|	2|G1|
CLPEKS [43]	|G1|	|G1| + |Zp|	|G1|
SCF-MCLPEKS [44]	2|G1|	|G1| + |Zp|	|G1|
CL-dPAEKS [19]	2|G1|	2|G1|	2|G1| + |G2|
Proposed scheme	|G1|	2|G1| + |G2|	2|G1|

Size(PK): Size of Public Key, Size(C): Size of Ciphertext, Size(T_w): Size of Trapdoor, |G₁|: Size of an element in G₁, |G₂|: Size of an element in G₂, |Z_p|: Size of an element in Z_p.

The comparison of computational complexity is given in Table 3. We compare the computational costs of the PEKS, Trapdoor and Test algorithms of the schemes. The results show that our scheme is comparable with the other schemes.

Table 3. Computational efficiency comparison.

scheme	PEKS	Trapdoor	Test
SCF-MCLPEKS+ [17]	4E+2H+h+2P	3E+h+2A	E+2P+h+A+M
CLPEKS [43]	5E+3P+3H+2h	3E+H+h+2A	2E+P+h+4A
SCF-MCLPEKS [44])	4E+3P+3H+h+A	E+H+A	E+P+2H+h+2A
CL-dPAEKS [19]	5E+H+2h+3A	7E+H+3h+P+4A	4E+2P+M
Our scheme	3E+3H+3P	3E+3H+2P+M	E+2P+M

E: a scalar multiplication operation; P: a bilinear pairing operation; H: a Hash-to-point operation; h: a general hash function operation; A: an addition operation; M: a multiplication operation

We implemented our scheme, the SCF-MCLPEKS⁺ scheme [17], the CL-dPAEKS scheme [19] and CLPEKS [43] on a laptop with a 3.10-GHz Intel i5 CPU with a 64-GB memory and an Ubuntu Linux operating system. We used the PBC library [48], in which Type-A pairing was chosen. The pairing operation is based on the curve y² = x³ + x over the field F_p. The parameter set is |G₁| = |G₂| = 128-bit.

To compare the computational efficiency of the four schemes, including our scheme in more detail, we tested the running time of the ciphertext algorithm and trapdoor algorithm. As shown in Fig 1, the ciphertext generation of our scheme has the highest computational efficiency compared with the other schemes. According to Fig 2, as the number of keywords increases, our scheme outperforms the other two schemes in computational efficiency. Fig 1. Computation cost of ciphertext generation in different schemes. Fig 2. Computation cost of trapdoor generation in different schemes.

Fig 1.

Fig 2.

Conclusions

In a cloud-based IoT environment, protecting the privacy and security of sensitive data stored in the cloud is a major concern. An effective method is certificateless public key searchable encryption (CLPEKS), which both enables search over encrypted data and avoids the problems of certificate management and key escrow. In this paper, we demonstrated that the security reduction for the CLPAEKS scheme proposed by He et al. is incorrect under two types of adversaries, and Ma et al.’s CLPEKS scheme is susceptible to an off-line KGAs. We then proposed a new certificateless public key searchable encryption scheme, which overcomes a limitation of these two schemes—the need for a secure channel—and solves the security defect that the CLPEKS scheme cannot resist a KGAs. In addition, in comparison with the other recently proposed CLPEKS schemes, the performance analysis demonstrates that our scheme is more efficient and has higher security.

Data Availability

All relevant data are within the paper.

Funding Statement

The author(s) received no specific funding for this work.