A Certificateless Verifiable Bilinear Pair Free Conjunctive Keyword Search Encryption Scheme for IoMT

1. Related work

The initial PEKS scheme had many areas for improvement regarding efficiency and safety. Firstly, review the efforts made by numerous researchers in improving the efficiency of PEKS. Baek [9] pointed out the inefficiency of the PEKS [8] scheme due to the use of secure channels. To eliminate the requirement for security channels, Baek et al. proposed the concept of secure channel-free PEKS (SCF-PEKS), also known as PEKS, with designated servers/testers (dPEKS) [10]. The efficiency of SCF-PEKS is improved. However, the PEKS (SCF-PEKS) schemes are built based on PKI or identity-based cryptosystem and encounter certificate management issues and key escrow issues in system deployment. To avoid the problems associated with certificate and key escrow, Peng et al. [11] proposed a certificateless keyword searchable encryption scheme (CLKS) without secure channels. Subsequently, much literature has studied certificateless searchable encryption schemes with keywords, such as [12–15]. Most PEKS schemes focus on searching for a single keyword, but single keyword search inevitably produces many irrelevant results, leading to bandwidth and computational resource waste. Golle et al. [16] proposed the first conjunctive keyword searchable encryption scheme to avoid resource waste. After this, many searchable encryption schemes, such as [17–19], support conjunctive keyword search.

Because the computational complexity of bilinear pairs is much higher than that of scalar multiplication on elliptic curve groups, designing searchable encryption schemes without bilinear pair operations can significantly improve the scheme’s efficiency. However, currently, there are not many searchable encryption schemes without bilinear [11,15,20–27], and they are not perfect enough. In 2019, Lu et al. [28] proposed a pairing-free certificateless searchable public key encryption scheme, proving that this scheme achieves indistinguishability of keyword ciphertext against adaptive keyword selection attacks under the complexity assumption of computing Diffie-Hellman problems in a random oracle model. However, Ma et al. [30] found that the scheme proposed in [28] is not secure against user simulation attacks and offered a new cloud-based IIoT pairing-free dual server CLPEKS scheme. Recently, [25], [26], and [27] respectively proposed secure and effective pairing-free CLPEKS schemes, but they are all single keyword searches.

Cryptography researchers place a high value on security. Next, let’s look at what researchers have done to improve the security of PEKS. The existing SCF-PEKS scheme is susceptible to keyword guessing attacks (KGA) [28] and file injection attacks (FIA) [29]. To avoid keyword guessing attacks and file injection attacks, Hwang et al. [30] embedded random keys in the keyword ciphertext of the PKSE scheme and claim that the scheme can resist the above attacks. However Yang [40] proved Hwang et al.’s SCF-PEKS scheme [30] is insecure under external online keyword attacks. The main reason for being vulnerable to external online keyword attacks is that opponents can generate legitimate ciphertext for the keyword. In addition to being attacked by external attackers, the PEKS scheme is also vulnerable to attacks from internal attackers (usually referring to malicious cloud servers). Jeong et al. [41] demonstrated that the PEKS framework is susceptible to offline keyword attacks (i.e., internal offline keyword attacks) by malicious data storage servers. Later, Shao and Yang [37] proposed a universal attack demonstrating the inability to construct an SCF-PEKS scheme to defend against malicious internal servers. They pointed out that because malicious servers can run keyword encryption and testing algorithms, SCF-PEKS is inherently vulnerable to offline keyword-guessing attacks from malicious insider servers.

In addition, a cloud server is a semi-honest but curious third party that may perform only a small portion of search operations and return a small amount of incorrect search results to save its computing and bandwidth resources. Therefore, the PEKS scheme should be equipped with a verification mechanism to ensure the correctness of search results without decrypting the ciphertext. Reference [31] proposed the first symmetric and verifiable encryption scheme for keyword search. Subsequently, many literature studies have investigated verifiable keyword searchable encryption schemes [32–35]. In reference [34], a verifiable conjunctive keyword search scheme (VCKSM) over mobile e-health cloud in shared multi-owner settings was proposed, and it was secure against keyword guessing attacks under the standard model; In reference [35], an identity-based certificateless verifiable conjunctive keyword searchable encryption scheme (VMKS) was constructed, which avoids certificate management or key escrow restrictions and achieves indistinguishability of ciphertext and unforgeability of signatures.

1.1. Our contribution

We construct a certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme (CLVPFCKS), and it has been proven under the standard model that it can resist keyword guessing attacks (KGA), file injection attacks (FIA), and choose keyword attacks (CKA). Specifically, the main contributions are as follows:

• Search results validation: The scheme allows the signature to be attached to each file to verify the accuracy of the search results.
• No bilinear pairing: The calculation of bilinear pairing needs more time, and the scheme’s efficiency will significantly improve without bilinear pairing.
• We prove that the new scheme can resist offline keyword guessing attacks, file injection attacks, and choose keyword attacks (CKA) under the standard model.

1.2. Organization

The following is the framework for the rest of this article. We summarize some related work in section 1. We discuss preparatory knowledge in section 2. We give the scheme’s construction and security analysis (including the security model and proof) in section 3. We show the details of the CLVPFCKS scheme in section 4. We discuss the security of the CLVPFCKS scheme in section 5. We analyze the effectiveness of CLVPFCKS in section 6. Finally, we summarize this paper in section 7.

2. Preliminaries

Let $q>3$ be a large prime, $F_q$ be a prime field, and the elliptic curve E over the field $F_q$ must satisfy the equation

$$y^{2}modq=(x^3+ax+b)modq,$$

Which $a,b,x,y\in F_q$ and$(4a^3+27b^2)modq\ne 0$. All points on E and the infinite point O form a cyclic group. ECC (elliptic curve cryptosystem) has the following difficulties:

• Elliptic curve discrete logarithm problem (ECDLP): given $P,Q\in G_q$, where P is the generator of the group, and Q is the element in $G_q$. It is difficult to calculate the integer k such that $Q=kP$, where $k\in Z_{q^{*}}$.
• Elliptic curve Computational Diffie-Hellman problem (ECDCHP): for any given $a,b$ in $Z_{q^{*}}$, it is difficult to calculate $abP$, where $(P,aP,bP)\in G_q$.
• Elliptic curve Decisional Diffie-Hellman problem (ECDDDH): Given $aP,bP\in G$ where $a,b$ unknown. The DDH (Decisional Diffie-Hellman) problem is to decide whether X equals $abP$ or a random element in G.

3. The System Model and Attack Model of CLVPFCKS

3.1. System model

There exist five entities in the proposed CLVPFCKS scheme for KGC: multiple data owners (patient and his doctors), Cloud Service Provider (CSP), data user (other authorized doctors or healthcare center), and Private Audit Server (PAS), as shown in Figure 2.

KGC: It is a trusted third party, and it is responsible for generating system parameters and producing data owners, Cloud Service Providers (CSP), and data user’s partial private keys.

Multiple data owners: In reality, the cloud search system supports more shared scenarios of multiple data owners, especially in the electronic medical system. For example, one patient and several hospital staff (i.e., surgeons, physicians, etc.) share an electronic medical record jointly, and each staff member is responsible for the content of a specific part (i.e., block). If each block is an independent record, it will inevitably encounter multiple indexes, thus greatly expanding the computational and spatial overhead. Otherwise, the many data owners must have the same random elements, which is not feasible in practice. On the contrary, the scheme designed for shared multi-owner settings only requires a single index of the entire record, saving considerable time and space.

For each EHR jointly owned by the patient and its doctor, each data owner generates a signature on this record. All data users entrust user $O_j$ to establish an index based on the keywords of each EHR, and then the index and signature are sent to CSP. Note that the detailed algorithm for encrypting each EHR is beyond the discussion, and any public key encryption algorithm can be applied.

CSP: It is a semi-trusted entity. It has professional knowledge and can provide data storage and retrieval services for authorized cloud clients. After receiving a trapdoor from the data user, it returns the corresponding documents. But CSP is a semi-honest but curious third party, which many only perform a small part of the search operation and provide a small portion of the wrong search results to save its computing and bandwidth resources.

Data users: Data users obtain a partial private key from KGC generate the trapdoor of a keyword they wish to search, and then send it to the cloud server.

PAS: This fully trusted server is responsible for verifying the correctness of search results.

The CSP is assumed to be semi-honest but curious. It performs a fraction of search operations honestly but is interested in spying out the sensitive information valuable for the CSP. Furthermore, it may return false search results to save computing resources. On the other hand, the PAS is fully trusted and can guarantee the correctness of search results. Besides, the authorized data user can issue search queries without leaking valuable information to CSP.

3.2. Design Goals

We plan to achieve the following goals:

Multiple keyword search :The proposed scheme allows specific data users to send multiple keyword searches without increasing the trapdoor size and ciphertext search size, which improves the user search experience.

Search results validation: The scheme verifies the accuracy of search results by attaching a signature to each file.

Certificateless: The scheme is based on the certificateless cryptosystem to eliminate the limitations of certificate management and key escrow in existing searchable encryption schemes.

Pairing free: It takes more time to compute bilinear pairing. The efficiency will improve if it does not use bilinear pairing operations.

Free secure channel: It is necessary to eliminate the security channel in practice to reduce the costs of the system.

Supporting safe goals: We have demonstrated under the standard model that our scheme can resist keyword guessing attacks (KGA), file injection attacks (FIA), and chosen keyword attacks (CKA).

3.3. Solution Framework

Set integer k as security level, $(F,W)$ as EHR file and keyword set. Definition1 (Our proposed CLVPFCKS scheme) Our scheme is a tuple of six algorithms, as follows:

(1)SetUp($1^k$):Given the security parameter k, KGC outputs the public parameters $\Omega$ and the public/secret key pair $(PK,SK)$ for the traditional public key algorithm.

(2)KeyGen $(\Omega ,O,U,C)$:For the data owner set O , data user set U and cloud server, KGC generates the public/secret key pairs {$P{K}_i,S{K}_i$} $(1\le i\le d)$, {$P{K}_u,S{K}_u$} and {$P{K}_C,S{K}_C$}, respectively .

a)Set-Secret-Value:After inputting the public parameters $\Omega$, this probabilistic algorithm outputs Data owners, Data users, and CSP’s Secret-Value.

b)Partial-Private-Key-Extract:The KGC executes this algorithm, which accepts the identity of the data owner, data user, and CSP, then uses them in combination with the master key to generate a partial private key for the data owner, data user, and CSP.

c)Set-private-Key:Set the full secret keys of the data owner, data user, and CSP.

d)Set-Public-Key:Set the full public keys of the data owner, data user, and CSP.

(3)$Enc(\Omega ,F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_i\right\},\left\{P{K}_i\right\})$:Data owners first conduct this probabilistic algorithm to generate the ciphertext set C for the set F. Then data owners generate multiple signatures Sig and index set I for ciphertext C. Then he sends the tuple $(C,I,Sig)$ to CSP.

(4)$TraGen(\Omega ,S{K}_u,W^{\prime })$:Given the keyword $W^{\prime }$ , the data user runs this algorithm to output trapdoor $T_{W^{\prime }}$ .

(5)$Test(\Omega ,T_{W^{\prime }},I)$:Using the trapdoor $T_{W^{\prime }}$ as an input, the CSP matches it with the index set I, then returns the relevant ciphertext $C^{\prime }\subseteq C$ and signature $Si{g}^{\prime }$ set to PAS.

(6)$Verify(\Omega ,Sig,C_{W\prime },P{K}_{O_i})$:PAS runs this algorithm by initiating interaction with CSP to check the correctness of the search result $C_{W\prime }$. If $C_{W\prime }$ passes the result validation, PAS will return it to the data user. Otherwise, it will abort the algorithm.

3.4. Security Model

To protect the security and privacy of the scheme, we must satisfy the following requirements:

(1)Keyword ciphertext indistinguishability: When encrypted data is stored in CSP, it will attach the corresponding keywords $\{w_{i1},w_{i2},\cdots ,w_{im}\}$. Even if keyword ciphertext is captured during transmission, no adversary can obtain keywords embedded in the ciphertext.

(2)Indistinguishability of trapdoor:Any adversary shall not obtain any information from the trapdoor.

Our scheme proves that trapdoors are indistinguishable and the keywords ciphertext are indistinguishable in the standard model. They are defined as follows:

ciphertext indistinguishability against chosen keyword ciphertext attack: We will define the definition of ciphertext indistinguishability against chosen keyword and ciphertext attack (CKCA-CIND). There are two types of adversaries: external adversaries (receivers) and internal adversaries (servers). $A_1$ and $A_2$ represent these two adversaries, and their attack methods are as follows:

$A_1$:$A_1$ doesn’t know the master key, but $A_1$ can replace any user’s public key.

$A_2$:$A_2$ knows the master key, but $A_2$ cannot replace any user’s public key.

Call them the adversary of type-1 and the adversary of type-2. There are two games to discuss the security of CKCA-CIND.

Game I. $A_1$ simulates malicious users and B is the challenger. B and $A_1$ play this game together.

Setup:B running SetUp($1^k$) program to get public parameters $\Omega$ and the public/secret key pair $(PK,SK)$.B sends the public key $PK$ to $A_1$ and keeps the master private key $SK$. Then B sets the key pair of $O_i$$(i\in \{1,2,\cdots ,d\left\}\right)$ and CSP, i.e., $(P{K}_{O_i},S{K}_{O_i})$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $(P{K}_c,S{K}_c)$ .B sends the public key $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $P{K}_c$ to $A_1$ , while $S{K}_{O_i}$ and $S{K}_c$ are unknown to $A_1$.

Phase 1. $A_1$ executes the User-Public-Key query using date user’s identity $I{D}_u$ first and then executes other queries using the identity $I{D}_u$. Set up lists to store the above queries and answers. All lists are initially empty. $A_1$ makes the queries to the challenger B as following:

(1)User-Public-key query:When $A_1$ inputs the identity $I{D}_u$, B outputs the user’s public key $P{K}_u$ .

(2)Replace - Public - Key query: $A_1$ inputs $(I{D}_j,P{K}_j^{\prime })$ ,B replaces $P{K}_j$ with $P{K}_j^{\prime }$ .

(3)Secret-Value query:When $A_1$ inputs the identity $I{D}_j$ , B returns the secret value corresponding to the $I{D}_j$. If $P{K}_j$ is replaced, B refuses to answer.

(4)Partial-Private-Key-Extract query:When $A_1$ enters the $I{D}_j$, if $I{D}_j=I{D}_u^{◊}$($I{D}_u^{◊}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial Private Key.

(5)Keyword Ciphertext Query: $A_1$ asks B for the ciphertext of any keyword W it cares about. B runs the $Enc(\Omega ,F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_i\right\},\left\{P{K}_i\right\})$ algorithm to answer W’s ciphertext $C_W$.

(6)Keyword Trapdoor Query: $A_1$ sends a keyword $W^{\prime }$ to B. B runs the $TrapGen(\Omega ,S{K}_u,W^{\prime })$ algorithm to answer $W^{\prime }$’s trapdoor $T_{W^{\prime }}$.

(7)Test Query: $A_1$ selects and sends the ciphertext $C_W$ and trapdoor $T_{W^{\prime }}$ to B. B executes the $Test(\Omega ,T_{W^{\prime }},I)$ algorithm to return the test result of whether the ciphertext and the trapdoor match.

Challenge: $A_1$ submits a tuple $(W_0,W_1,{I{D}_U}^{*},{P{K}_U}^{*})$ to B, where $W_0$ and $W_1$ are challenging keywords not asked in the previous trapdoor and ciphertext query. If $I{D}_u^{*}\ne I{D}_u^{◊}$, B aborts. Otherwise, B picks $\xi \in \{0,1\}$ randomly computes keyword trapdoor $C_{W_{\xi }}$, and returns the challenge ciphertexts $C_{W_{\xi }}$ to $A_1$.

Phase 2. $A_1$ can perform many queries like Phase 1, but $A_1$ cannot query the ciphertext and trapdoor of $W_0$ and $W_1$.

Guess: $A_1$ outputs ${\xi }^{\prime }\in \{0,1\}$. $A_1$ wins if ${\xi }^{\prime }=\xi$. Otherwise, it fails.

Game 2.$A_2$ simulates the malicious server, and B is a challenger. B and $A_2$ play this game together.

Setup:It differs from Setup of Game 1 only in the following steps. B send spublic key $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and public/secret key pair $(PK,SK)$ to $A_2$, and $S{K}_{O_i}$ are unknown to $A_2$.

Phase 1.The steps are the same as phase 1 of Game 1, except for Secret Value and Partial Key query. The changes in them are as follows:

Secret-Value query :When $A_2$ enters the $I{D}_j$, if $I{D}_j=I{D}_u^{◊}$ ($I{D}_u^{◊}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_j$.

Partial-Private-Key-Extract query: When $A_2$ inputs the identity $I{D}_j$ , B returns the partial private key corresponding to the $I{D}_j$ .If $P{K}_j$ is replaced, B refuses to answer.

Phase 2 :Same as Phase 2 of Game 1.

Definition 1(Security of CKCA-CIND) : If the probability that any adversary will win the above two games in polynomial time is negligible, then we state that the CLVPFCKS scheme is CKCA-CIND safe.

Indistinguishability of trapdoor (IND-KGA):No adversary can obtain valuable information from trapdoors. A sufficient condition for ensuring security against offline key-guessing attacks is that the trapdoors are indistinguishable. In the following, we define the concept of indiscernibility of CLVPFCKS against keyword guessing attacks. Specifically, IND-KGA ensures that adversaries (servers or the receivers) cannot observe the connection between the trapdoors and any keywords.

Game 3.$A_1$ simulates malicious users and B is the challenger. B and $A_1$ play this game together.

Setup:$A_1$ B running SetUp($1^k$) program to get public parameters $\Omega$ and the public/secret key pair $(PK,SK)$. B sends the public key PK to $A_1$ and keeps the master private key SK. Then B sets the key pair of date user and CSP, i.e., $(P{K}_u,S{K}_u)$ and $(P{K}_c,S{K}_c)$ .The challenger B sends the public key $P{K}_u$ and $P{K}_c$ to $A_1$ , while $S{K}_u$ and $S{K}_c$ are unknown to $A_1$.

Phase 1. $A_1$ executes the User-Public-Key query using data owner’s identity $I{D}_i$ first and then executes other queries using the identity $I{D}_i$. Set up lists to store the above queries and answers. All lists are initially empty. $A_1$ makes the queries to the challenger B as following:

(1)User-Public-key query:When $A_1$ inputs the identity $I{D}_j$, B outputs the user’s public key $P{K}_j$ .

(2)Replace-Public-Key query: same as that in Game 1.

(3)Secret-Value query:same as that in Game 1.

(4)Partial-Private-Key-Extract query:When $A_1$ enters the $I{D}_j$, if $I{D}_j=I{D}_i^{◊}$($I{D}_i^{◊}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial Private Key.

(5)Keyword Ciphertext Query:same as that in Game 1.

(6)Keyword Trapdoor Query:same as that in Game 1.

(7)Test Query: same as that in Game 1.

Challenge :$A_1$ submits a tuple $(W_0,W_1,{I{D}_i}^{*},{P{K}_i}^{*})$ to B, where $W_0$ and $W_1$ are challenging keywords not asked in the previous trapdoor and ciphertext query. If $I{D}_i^{◊}\notin \left\{I{D_i}^{*}\right\}$$(i\in \{1,2,\cdots d\left\}\right)$, B aborts. Otherwise, B picks $\xi \in \{0,1\}$ randomly computes keyword trapdoor $T_{W_{\xi }}$, and returns the challenge ciphertexts $T_{W_{\xi }}$ to the adversary $A_1$.

Phase 2. $A_1$ can perform many queries like Phase 1, but $A_1$ cannot query the ciphertext and trapdoor of $W_0$ and $W_1$.

Guess: $A_1$ outputs ${\xi }^{\prime }\in \{0,1\}$. Adversary $A_1$ wins if ${\xi }^{\prime }=\xi$. Otherwise, it fails.

Game 4.$A_2$ simulates the malicious server, and B is a challenger. B and $A_2$ play this game together.

Setup:It differs from Setup of Game 3 only in the following steps. B send spublic key $P{K}_u$ and public/secret key pair $(PK,SK)$ to $A_2$, and $S{K}_u$ are unknown to $A_2$.

Phase 1. The steps are the same as phase 1 of Game 3, except for Secret Value and Partial Key query. The changes in them are as follows:

Secret-Value query: When $A_2$ enters the $I{D}_j$, if $I{D}_j=I{D}_i^{◊}$ ($I{D}_i^{◊}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_j$.

Partial-Private-Key-Extract query: same as that in Game 2.

Phase 2. Same as Phase 2 of Game 3.

Definition 2 (Security of IND-KGA):If the probability that any adversary will win the above two games in polynomial time is negligible, then we state that the CLVPFCKS scheme is IND-KGA safe.

4. the proposed CLVPFCKS

To better understand about our proposed scheme, we explain the pre-defined notations used throughout this paper in Table 1.

Table 1. Notation descriptions

Notations	DESCRIPTIONS
x	Master key
$P_{pub}$	system public key
$O=\{O_1,O_2,\cdots ,O_d\}$	Data Owner Collection
$I{D}_i\in {\{0,1\}}^{*}(1\le i\le d)$	identity set for data owner $O_i$
$I{D}_C$	identity set for CSP
$I{D}_u$	identity set for data user
$(P{K}_C,S{K}_C)$	Public/secret key pair for CSP
$(P{K}_{O_i},S{K}_{O_i})$	Public/secret key pair for data owner $O_i$
$(P{K}_u,S{K}_u)$	Public/secret key pair for data user
$F=\{f_1,f_2,\cdots ,f_n\}$	File set F
$C=\{c_1,c_2,\cdots ,c_n\}$	ciphertext set
$ID=\{i{d}_1,i{d}_2,\cdots ,i{d}_n\}$	identity set for F
$W_i=\{w_{i1},w_{i2},\cdots ,w_{im}\}$	Collection of keywords
$si{g}_{i,t}$	Data owner $O_i’$ signature for $c_t$
$si{g}_t$	Data owners’ multi-signatures for $c_t$
$Sig=\{si{g}_1,si{g}_2,\cdots ,si{g}_n\}$	F’s multi-signature
$I_i$	Index of $f_i$
$I=\{I_1,I_2,\cdots ,I_n\}$	Index set for F
$W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$	Search keyword set
$T_{W^{\prime }}$	The trapdoor of $W^{\prime }$
$C^{\prime }=\{c_{k_1},c_{k_2},\cdots ,c_{k_s}\}$	Search results
$I{D}^{\prime }=\{i{d}_{k_1},i{d}_{k_2},\cdots ,i{d}_{k_s}\}$	Identity set for $C^{\prime }$

Table 1. Notation descriptions

Notations	DESCRIPTIONS
x	Master key
$P_{pub}$	system public key
$O=\{O_1,O_2,\cdots ,O_d\}$	Data Owner Collection
$I{D}_i\in {\{0,1\}}^{*}(1\le i\le d)$	identity set for data owner $O_i$
$I{D}_C$	identity set for CSP
$I{D}_u$	identity set for data user
$(P{K}_C,S{K}_C)$	Public/secret key pair for CSP
$(P{K}_{O_i},S{K}_{O_i})$	Public/secret key pair for data owner $O_i$
$(P{K}_u,S{K}_u)$	Public/secret key pair for data user
$F=\{f_1,f_2,\cdots ,f_n\}$	File set F
$C=\{c_1,c_2,\cdots ,c_n\}$	ciphertext set
$ID=\{i{d}_1,i{d}_2,\cdots ,i{d}_n\}$	identity set for F
$W_i=\{w_{i1},w_{i2},\cdots ,w_{im}\}$	Collection of keywords
$si{g}_{i,t}$	Data owner $O_i’$ signature for $c_t$
$si{g}_t$	Data owners’ multi-signatures for $c_t$
$Sig=\{si{g}_1,si{g}_2,\cdots ,si{g}_n\}$	F’s multi-signature
$I_i$	Index of $f_i$
$I=\{I_1,I_2,\cdots ,I_n\}$	Index set for F
$W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$	Search keyword set
$T_{W^{\prime }}$	The trapdoor of $W^{\prime }$
$C^{\prime }=\{c_{k_1},c_{k_2},\cdots ,c_{k_s}\}$	Search results
$I{D}^{\prime }=\{i{d}_{k_1},i{d}_{k_2},\cdots ,i{d}_{k_s}\}$	Identity set for $C^{\prime }$

4.1. Specific construction of CLVPFCKS

This system uses traditional public key encryption algorithm to encrypt files, which we will not discuss. Therefore, the following algorithms focus on indexing and signature.

SetUp$\left(1^k\right)$ :Given a security parameter k, this deterministic algorithm outputs the global public parameters $\Omega$ and PKG’s master private key (MSK). Given k, PKG performs in the following way:

(1)Chooses a k bits prime number q and determine the tuple $\{F_q,E/F_q,G_q,P\}$, where the point P is the generator of $G_q$ .

(2) Chooses the master key $x{\in }_R{Z}_q^{*}$ and computes the system public key $P_{pub}=xP$. Let $(PK,SK)=(P_{pub},x)$.

(3) Selects five hash functions $H_0$,$H_1$,$H_2:$${\left\{0,1\right\}}^{*}\times G\times G\to Z_q^{*}$, $h_1:{\{0,1\}}^{*}\to Z_q^{*}$ ,$h_2:G_q\to Z_q^{*}$ .

(4) Let $\Omega =\{F_q,E/F_q,G_q,P,H_0,H_1,H_2,h_1,h_2,P_{pub}\}$.

KeyGen$(\Omega ,O,U,CSP)$:Each EHR has a fixed number of data owners $O=\{O_1,O_2,\cdots ,O_d\}$, then PKG generates the public/secret key pairs for CSP, data owner set O and data user U, respectively.

(1)Set-Secret-Value: The Participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ selects an element $x_i{\in }_R{Z}_q^{*}(i=1,2,\cdots ,d,C,u)$ and generates the corresponding public key $P_i=x_{i}P(i=1,2,\cdots ,d,C,u)$ .

(2))Extract-Partial-Private-Key: To get the partial private key, the user $I{D}_i$ sends $(I{D}_i,P_i)$ to the PKG and then the PKG executes the following steps.

(a)Taking the participant’s $I{D}_i(i=1,2,\cdots ,d,C,u)$ as input, KGC selects a random number $r_i\in Z_q^{*}(i=1,2,\cdots ,d,C,u)$ and calculates $R_i=r_{i}P(i=1,2,\cdots ,d,C,u)$.

(b)PKG computes $e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq(i=1,2,\cdots ,d,C,u)$. The partial private key of the participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ is $e_i$. The participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ can verify his partial private key by checking whether the equation $Q_i=e_{i}P=R_i+l_i{P}_{pub}$ holds, where $l_i=H_0(I{D}_i,R_i,P_i)$. If the above equation is true, then the private key $I{D}_i$ will accepted.

(3)Set-Private-Key: The partial private key of the participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ takes the pair $S{K}_i=(x_i,e_i)$ as his full private key.

(4)Set-Public-Key: The participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ takes $P{K}_i=(P_i,R_i)$ as his full public key.

Enc$(\Omega ,F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_i\right\},\left\{P{K}_i\right\}\}:$

Step 1: Given the EHR set $F=\{f_1,f_2,\cdots ,f_n\}$ with corresponding identities $ID=\{i{d}_1,i{d}_2,\cdots ,i{d}_n\}$, it will be encrypted as the ciphertext set $C=\{c_1,c_2,\cdots ,c_n\}$ through the traditional public key encryption algorithm. To generate the multi-signature on the encrypted file $c_t\in C(1\le t\le n)$, each signer $O_i(1\le i\le d)$ does the following:

(1) $O_i$ chooses a number $y_{i,t}{\in }_R{Z}_q^{*}$ and computes $Y_{i,t}=y_{i,t}P$.

(2)$O_i$ broadcasts $Y_{i,t}$ to other members $O_k(1\le k\le d,k\ne i)$ of the group.

(3)computes $Y_{0,t}={\displaystyle \sum _{i=1}^d}{Y}_{i,t}$, $P_0={\displaystyle \sum _{i=1}^d}{P}_i$, $Q_0={\displaystyle \sum _{i=1}^d}{Q}_i$.

(4)computes $h_t=H_1(c_t,i{d}_t,Y_{0,t},P_0)$ and $h_t^{\prime }=H_1(c_t,i{d}_t,Y_{0,t},Q_0)$ .

(5)$O_i$ computes $V_{i,t}=y_{i,t}+h_t{x}_i+h_t^{\prime }{e}_i$, generates a signature $si{g}_{i,t}=(Y_{i,t},V_{i,t})$ for $c_t$, and then sends $V_{i,t}$ to the designated clerk $O_z$.

(6)Upon receiving $V_{i,t}$, $O_z$ computes $V_{0,t}={\displaystyle \sum _{i=1}^d}{V}_{i,t}$ and outputs the signature $si{g}_t=\{Y_{0,t},V_{0,t}\}$ . Let $sig=\{si{g}_1,\cdots ,si{g}_n\}$, where $V_{0,t}P=Y_{0,t}+h_t{P}_0+h_t^{\prime }{Q}_0$.

Step 2: All users specify a user to encrypt files, for example, $O_j$. $O_j$ runs this algorithm to generate the index of file set F. Given the keyword set W, $O_j$ builds an index for each file $f_i\in F$. The index for each $f_i$ is generated based on the keyword field $W=\{w_{i1},w_{i2},\cdots ,w_{im}\}$, where m is a fixed integer. $O_j$ randomly selects $\xi \in Z_q^{*}$ and calculates $\xi +x_j$ to $O_1$ through public key encryption. $O_1$ computes $\xi +x_j+x_1$ and sends it to $O_2$ through public key encryption. $O_2$ computes $\xi +x_j+x_1+x_2$ and sends it to $O_3$ through public key encryption. ⋯, $O_d$ computes $\xi +x_j+x_1+\cdots x_{j-1}+x_{j+1}+\cdots +x_d$ and sends it to $O_j$ through public key encryption. $O_j$ calculates $x_0=\xi +x_j+x_1+\cdots x_{j-1}+x_{j+1}+\cdots +x_d-\xi =x_1+x_2+\cdots +x_d$. Calculates $e_0=e_1+e_2+\cdots +e_d$ in the same way as $O_j$.

Let $R_0={\displaystyle \sum _{t=1}^d}{R}_t$, $l_0={\displaystyle \sum _{t=1}^d}{l}_t$, Construct an m-degree polynomial by the following equation: $F\left(x\right)=b_{i,m}{x}^m+b_{i,m-1}{x}^{m-1}+\cdots +b_{i,1}x+b_{i,0}$. $h_2\left(t\right)h_1\left(w_{i,1}\right),\cdots ,h_2\left(t\right)h_1\left(w_{i,m}\right)$ is the root of equation $F\left(x\right)=1$, where $t=(x_0+e_0)P_u+x_0{R}_u+x_0{l}_u{P}_{pub}$.

Then $O_j$ selects ${\lambda }_i,{\mu }_i{\in }_R{Z_q}^{*}$ and computes $M_i={\lambda }_i{Q}_c$, set $I_{i,1}=M_i-{\mu }_{i}P$, $I_{i,2}={\lambda }_{i}P$,

• $V_{i,j}={\mu }_i{b}_{i,j}(0\le j\le m)$, and the index set is $I=\{I_1,\cdots ,I_n\}$, where $I_i=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},$$\cdots ,V_{i,m}\}$. Finally $O_j$ send I to CSP.

TrapGen$(\Omega ,S{K}_u,W^{\prime })$ :

The Data user calculates the value of $P_0,R_0,l_0$ as follows $P_0={\displaystyle \sum _{i=1}^d}{P}_i$, $R_0={\displaystyle \sum _{i=1}^d}{R}_i$, $l_0={\displaystyle \sum _{i=1}^d}{l}_i$. Given the queried keywords set $W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$ , the data user U first selects an elements $\eta {\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and sets $T_{{W^{\prime }}_{m+1}}=\eta P$,$T_{{W^{\prime }}_j}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_r\right)}^{j}P+\eta P_C$, where $0\le j\le m$ , $t=(x_u+e_u)P_0+x_u{R}_0+x_u{l}_0{P}_{pub}$. Finally, he sent $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$ to CSP.

test$(\Omega ,T_{W^{\prime }},I,C)$ : After gaining the search token $T_{W^{\prime }}$ , the CSP first computes $M_i={\lambda }_i{Q}_C$, and verifies whether Eq.(1) holds.

$$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})=M_i$$

(1)

If Eq (1) holds, the CSP returns the relevant ciphertext set $C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\}$ and its corresponding identity set $I{D}^{\prime }=\{i{d}_{k_1},\mathrm{i}{d}_{k_2},\cdots ,i{d}_{k_s}\}$ to PAS. Otherwise, it returns ⊥. The specific test process is shown in the Algorithm 1.

Algorithm 1 Search over encrypted data

Input: Trapdoor $T_{W^{\prime }}$ , indexes I, ciphertexts C, secret key $S{K}_C$ and public parameters $\Omega$ .

Output: Search results $C^{\prime }$ and corresponding identity set $I{D}^{\prime }$ or ⊥.

(1) $T_{{\mathrm{w}}^{\prime }}=\{T_{{\mathrm{w}}_0^{\prime }},T_{{\mathrm{w}}_1^{\prime }},\cdots ,T_{{\mathrm{w}}_m^{\prime }},T_{{\mathrm{w}}_{m+1}^{\prime }}\}$

(2)$I=\{I_1,I_2,\cdots ,I_n\}$,$I_i=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$.

(3)$M_i=e_C{I}_{i,2}$

(4)$for0\le i\le ndo$

$$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})=M_i$$

(5) If Eq.(1) holds, CSP returns the ciphertext $c_{k_t}$ ; otherwise, it returns ⊥;

(6)end for

(7)CSP returns the relevant results $C^{\prime }$ and corresponding identity set $I{D}^{\prime }$ or ⊥ to PAS.

Verify$(\Omega ,C^{\prime },I{D}^{\prime },sig)$:After receiving the search results $C^{\prime }$ , CSP computes the proof information $({\varphi }_1,{\varphi }_2)$ through Eq.(2) and sends it to PAS. Finally, PAS verifies whether Eq.(3) holds.

Algorithm 2 results verification

Input: Search results $C^{\prime }$ with corresponding identity set $I{D}^{\prime }$, public keys $\left\{P{K}_i\right\}$, signature $sig=\{si{g}_1,\cdots ,si{g}_n\}$ and public parameters $\Omega$, where $si{g}_t=\{Y_{0,t},V_{0,t}\}$.

Output: "Accept" or "Reject"

()1$C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\},$$I{D}^{\prime }=\{i{d}_{k_1},\mathrm{i}{d}_{k_2},\cdots ,i{d}_{k_s}\}$;

(2)$\{P{K}_1,P{K}_2,\cdots ,P{K}_d\}$;

(3)$sig=\{si{g}_1,\cdots ,si{g}_n\}$, $si{g}_t=\{Y_{0,t},V_{0,t}\}$;

(4)compute $P_0={\displaystyle \sum _{t=1}^d}{P}_t$ , $Q_0={\displaystyle \sum _{t=1}^d}{Q}_t$;

(5)compute ${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},P_0)$,${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},Q_0),$

$$\sigma ={\displaystyle \sum _{\tau =1}^s}{V}_{0,k_{\tau }};$$

(2)

(6)Check

$$\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{{o,k}_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0$$

(3)

(7)If Eq.(3) holds, output "Accept" and send $C^{\prime }$ to data user; otherwise, output "Reject".

5. Security of scheme

In this section, we will analyze the security and correctness of this scheme.

5.1. Correctness

Theorem 1. Our CLVPFCKS scheme is computationally consistent.

Proof: For the correctness of Our CLVPFCKS scheme, we do two things. First, We show that CSP can correctly test whether the index of ciphertext matches the trapdoor when the keyword set $W^{\prime }\subseteq W$, where $W^{\prime }$ is a set of keywords searched by a specific user and W is the keyword set of ciphertext. Secondly, we will show that if the search results pass the result verification mechanism, data users can guarantee the correctness of the search results.

In the test phase, CSP obtains the index $I=\{I_1,I_2,\cdots ,I_n\}$ and trapdoor $T_{W^{\prime }}=\{T_{{W^{\prime }}_0}{T}_{{{\mathrm{W}}^{\prime }}_1},\cdots ,T_{W_m^{\prime }},T_{W_m^{\prime }+1}\}$. The CSP first computes

$e_C{I}_{i,2}=(r_C+x{l}_C){\lambda }_{\mathrm{i}}P={\lambda }_{\mathrm{i}}{Q}_C=M_i$ .

$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})$

$=M_i-{\mu }_{i}P+{\displaystyle \sum _{j=0}^m}{\mu }_i{b}_{ij}[l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left(w_r^{\prime }\right)}^{j}P+\eta P_C-x_C\eta P]$

$=M_i-{\mu }_{i}P+{\displaystyle \sum _{j=0}^m}{\mu }_i{b}_{ij}\left(l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1\left(w_r^{\prime }\right)P\right)$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left(w_r^{\prime }\right)}^{j}P$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i[{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_1\right)}^j+\cdots +{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_l\right)}^j]P$

If $W^{\prime }\subseteq W$, then $h_2\left(t\right)h_1\left(w_1\right),\cdots ,h_2\left(t\right)h_1\left(w_l\right)$ are the root of the equation $F\left(x\right)=1$, where $F\left(x\right){=b}_{i,m}{x}^m{+b}_{i,m-1}{x}^{m-1}{+\cdots +b}_{i,1}x+b_{i,0}$. Thus

$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i[{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_1\right)}^j+\cdots +{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_l\right)}^j]P$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i(1+1+\cdots +1)P$

$=M_i-{\mu }_{i}P+{\mu }_{i}P$

$=M_i$

Equation (1) holds so CSP can correctly test whether the index of ciphertext matches the trapdoor.

In the test phase, PAS obtains signature $sig=\{si{g}_1,si{g}_2,\cdots ,si{g}_n\}$ and ciphertext $C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\}$, computing

${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},P_0),$

${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},Q_0)$

getting the proof information $({\varphi }_1,{\varphi }_2)$, and then continuing to calculate

$\sigma P={\displaystyle \sum _{\tau =1}^s}{V}_{0,k_{\tau }}P={\displaystyle \sum _{\tau =1}^s}(Y_{0,k_{\tau }}+h_{k_{\tau }}{P}_0+h_{k_{\tau }}^{\prime }{Q}_0)$

$={\displaystyle \sum _{\tau =1}^s}{Y}_{0,k_{\tau }}+{\displaystyle \sum _{\tau =1}^s}{h}_{k_{\tau }}{P}_0+{\displaystyle \sum _{\tau =1}^s}{h^{\prime }}_{k_{\tau }}{Q}_0$

$={\displaystyle \sum _{\tau =1}^s}{Y}_{0,k_{\tau }}+{\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},P_0)P_0+{\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},Q_0)Q_0$.

• If $C^{\prime }\subseteq C$ , then

${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},P_{\mathrm{t0}})={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},Y_{0,\rho \left(\tau \right)},P_0)$

${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},Q_0)={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},Y_{0,\rho \left(\tau \right)},Q_0)$

Where $\rho \left(\tau \right)\in [1,n]$ . So we have $\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{{o,k}_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0$. Eq. (3) in program 2 holds. We can also make sure that the ciphertext can not modified.

5.2. Security

Lemma 1. Assuming the adversary $A_1$ can win Game 1, then an algorithm B can be constructed to solve the ECDDDH problem.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up : B runs the setup$\left(1^k\right)$ program to get public parameters $\Omega =\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where master private key $SK=x$ and the public key $PK=P_{pub}=xP$. Then B sends parameter $\Omega$ to $A_1$ , and the master private key SK is kept secret. B selects $x_i\in Z_q^{*}(i\in \{2,\cdots ,d,C\})$, $r_i\in Z_q^{*}(i\in \{1,2,\cdots ,d,C\})$ randomly and set

$P_i=x_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$ ,

$P_1=aP$,$R_i=r_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$ ,

$e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq$$(i\in \{1,2,\cdots ,d,C\left\}\right)$ .

B sends the public key $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $P{K}_C$ to $A_1$, but $S{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $S{K}_C$ are unknown to $A_1$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_u$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list $L_u$ of the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ and upon receiving an identity $I{D}_u$, performs the following steps.

Case1. $I{D}_u=I{D}_u^{◊}$. B picks at randomly $x_u^{◊}\in Z_q^{*}$, setting $P{K}_u^{◊}=(x_u^{◊}P,bP)$, and adds the tuple $(I{D}_u^{◊},x_u^{◊}P,x_u^{◊},bP,◊)$ to the list $L_u$, Where ◊ represents a null value.

Case2. $I{D}_u\ne I{D}_u^{◊}$. B picks at randomly $x_u,r_u\in Z_q^{*}$, setting $P{K}_u=(x_{u}P,r_{u}P)$, and adds the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ to the list $L_u$.

Replace-Public-Key query: B maintains a list $L_R$ of tuple $(I{D}_j,P{K}_j,P{K_j}^{\prime })$. When $A_1$ inputs $(I{D}_j,P{K_j}^{\prime })$, B replaces $P{K}_j$ with $P{K_j}^{\prime }$, and adds $(I{D}_j,P{K}_j,P{K_j}^{\prime })$ to the list $L_R$.

Secret-Value query: When $A_1$ asks the secret value for $I{D}_j$, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_u$ and returns $x_j$.If $P{K}_j$ is replaced, B refuses to answer.

Partial-Private-Key query: B establishes a list $L_e$ of tuple $(I{D}_j,e_j)$ when $A_1$ asks the partial private key of $I{D}_j$. If $I{D}_j=I{D}_u^{◊}$ , B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_u$ , running the Extract-Partial-Private-Key algorithm generating $e_j$. B output $e_j$ and adds $(I{D}_j,e_j)$ to the list $L_e$.

Keyword Ciphertext Query: When $A_1$ asks $W=\{w_{i,1},w_{i,2},\cdots ,w_{i,m}\}$ for the ciphertext, B operates the $Enc(\Omega ,F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_i\right\},\left\{P{K}_i\right\}\}$ algorithm to generate ciphertext $C_W=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$.

Keyword Trapdoor Query: When $A_1$ asks $W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$ for the trapdoor, B operates the $TrapGen\{\Omega ,S{K}_u,W^{\prime }\}$ algorithm to generate trapdoor $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$.

Test Query: $A_1$ gives keyword ciphertext ${C_W}_i=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$ and keyword trapdoor $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$, and B compares them using Algorithm 1.

Challenge: $A_1$ submits a tuple $(W_0,W_1,I{D_u}^{*},P{K}_u^{*})$ , where $W_0=\{w_{0,1},w_{0,2},\cdots ,w_{0,m}\}$ and $W_1=\{w_{1,1},w_{1,2},\cdots ,w_{1,m}\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_u^{*}\ne I{D}_u^{◊}$, B aborts. Otherwise $I{D}_u^{*}=I{D}_u^{◊}$, B calculates ${l_u}^{◊}=H_0(I{D}_u^{◊},R_u^{◊},P_u^{◊})$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=2}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{l}_u^{◊}{P}_{pub}+x_u^{◊}aP+l_u^{◊}xaP+X$.

Let $F\left(x\right)=(x-h_2\left(t\right)h_1\left(w_{\xi ,1}\right))(x-h_2\left(t\right)h_1\left(w_{\xi ,2}\right))\cdots (x-h_2\left(t\right)h_1\left(w_{\xi ,m}\right))-1$, which can get $F\left(x\right)=b_{\xi ,m}{x}^m+b_{\xi ,m-1}{x}^{m-1}+\cdots +b_{\xi ,1}x+b_{\xi ,0}$ by combining similar terms. Then B selects ${\lambda }_{\xi },{\mu }_{\xi }{\in }_R{Z_q}^{*}$ and computes $M_{\xi }={\lambda }_{\xi }{Q}_c$. Set $I_{\xi ,1}=M_{\xi }-{\mu }_{\xi }P,I_{\xi ,2}={\lambda }_{\xi }P$, $V_{\xi ,j}={\mu }_{\xi }{b}_{\xi ,j}(0\le j\le m)$. Thus, the corresponding ciphertext of $W_{\xi }=\{w_{\xi ,1},w_{\xi ,2},\cdots ,w_{\xi ,m}\}$ is ${C_W}_{\xi }=\{I_{\xi ,1},I_{\xi ,2},V_{\xi ,0},V_{\xi ,1},\cdots ,V_{\xi ,m}\}$. B returns the challenge ciphertexts $C_{W_{\xi }}$ to the adversary $A_1$.

Phase 2: $A_1$ can continue to execute various queries, but there is a limitation that $A_1$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_1$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=2}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{l}_u^{◊}{P}_{pub}+x_u^{◊}aP+l_u^{◊}xaP+X$

$=(x_0+e_0)P_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{◊}+x_0{l}_u^{◊}{P}_{pub}+abP$

$=(x_0+e_0)P_u^{◊}+x_0{R}_u^{◊}+x_0{l}_u^{◊}{P}_{pub}$

Therefore, ${C_W}_{\xi }$ is a valid ciphertext. Suppose that the advantage of $A_1$ wins in the above game is $\epsilon$. So

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $C_{W_{\xi }}$ is an invalid ciphertext. $A_1$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_u$, $q_r$ and $q_e$ be the number of the User public key query, Replace-Public-Key query, and Partial-Private-Key query, respectively. The two events are as follows:

${\pi }_1$ : $A_1$ did not replace of $I{D}_u^{◊}$’s public key $R_u^{◊}$ and query the partial-private-key for $I{D}_u^{◊}$.

${\pi }_2$ : $I{D}_u^{*}=I{D}_u^{◊}$.

It’s not hard to get the following results.

$Pr\left[{\pi }_1\right]=\frac{q_u-q_r-q_e}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_u-q_r-q_e}$ ,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_1$ win Game 1 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_u}$ to determine whether $X=abP$.

Lemma 2. Assuming the adversary $A_2$ can win Game 2, an algorithm B can constructed to solve the ECDDDH problem by exploiting the adversary’s ability.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of an ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up: B runs the setup$\left(1^k\right)$ program to get public parameters $\Omega =\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where master private key $SK=x$ and the public key $PK=P_{pub}=xP$. B selects $x_i\in Z_q^{*}(i\in \{1,2,\cdots ,d,C\})$, $r_i\in Z_q^{*}(i\in \{2,\cdots ,d,C\})$ randomly and set

$P_i=x_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$,

$R_1=aP$,$R_i=r_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$,

$e_1=a+x{H}_0(I{D}_1,R_1,P_1)modq$, $e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq$$(i\in \{2,\cdots ,d,C\left\}\right)$

B sends the public parameters $\Omega$, the public key $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and the public/secret key pair $(PK,SK)$ to $A_2$, while $S{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ are unknown to $A_2$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_u$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B maintains a list $L_u$ containing the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ and takes the following actions when receiving an identity $I{D}_u$:

Case1. $I{D}_u=I{D}_u^{◊}$. B chooses a number $r_u^{◊}\in Z_q^{*}$ at random, sets $P{K}_u^{◊}=(bP,r_u^{◊}P)$, and adds the tuple $(I{D}_u^{◊},bP,◊,r_u^{◊}P,r_u^{◊})$ to the list $L_u$, Where ◊ represents a null value.

Case2. $I{D}_u\ne I{D}_u^{◊}$. B chooses $x_u,r_u\in Z_q^{*}$ at random, sets $P{K}_u=(x_{u}P,r_{u}P)$, and adds the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ to the list $L_u$.

Replace-Public-Key query: same as that in Lemma 1

Secret-Value query: B established a list $L_s$ of tuple $(I{D}_j,x_j)$. When $A_2$ asks the secret value for $I{D}_j$. If $I{D}_j=I{D}_u^{◊}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in list $L_u$, returns $x_j$.

Partial-Private-Key query: When $A_2$ asks the partial private key of $I{D}_j$, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in list $L_u$, running the Extract-Partial-Private-Key algorithm and returning $e_j$.If $P{K}_j$ is replaced, B refuses to answer.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: $A_2$ submits a tuple $(W_0,W_1,I{D}_u^{*},P{K}_u^{*})$ that meets the requirements of Game 2, where $W_0=\{w_{0,1},w_{0,2},\cdots ,w_{0,m}\}$ and $W_1=\{w_{1,1},w_{1,2},\cdots ,w_{1,m}\}$ are challenging keywords not asked in the previous trapdoor query and ciphertext query. If $I{D}_u\ne I{D}_u^{◊}$ , B aborts. Otherwise $I{D}_u^{*}=I{D}_u^{◊}$, B computes $l_u^{◊}=H_0(I{D}_u^{◊},R_u^{◊},P_u^{◊})$, $l_1=H_0(I{D}_1,R_1,P_1)$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=1}^d}{x}_k+x{l}_1+{\displaystyle \sum _{k=2}^d}{e}_k)P_u^{◊}+{\displaystyle \sum _{k=1}^d}{x}_k{R}_u^{◊}+{\displaystyle \sum _{k=1}^d}{x}_k{l}_u^{◊}{P}_{pub}+X$.

Let $F\left(x\right)=(x-h_2\left(t\right)h_1\left(w_{\xi ,1}\right))(x-h_2\left(t\right)h_1\left(w_{\xi ,2}\right))\cdots (x-h_2\left(t\right)h_1\left(w_{\xi ,m}\right))-1$, which can get $F\left(x\right)=b_{\xi ,m}{x}^m+b_{\xi ,m-1}{x}^{m-1}+\cdots +b_{\xi ,1}x+b_{\xi ,0}$ by combining similar terms. Then select ${\lambda }_{\xi },{\mu }_{\xi }{\in }_R{Z_q}^{*}$ at random and compute $M_{\xi }={\lambda }_{\xi }{Q}_c$. Set $I_{\xi ,1}=M_{\xi }-{\mu }_{\xi }P,I_{\xi ,2}={\lambda }_{\xi }P$, $V_{\xi ,j}={\mu }_{\xi }{b}_{\xi ,j}(0\le j\le m)$, and thus $W_{\xi }=\{w_{\xi ,1},w_{\xi ,2},\cdots ,w_{\xi ,m}\}$’s ciphertext is $C_{W_{\xi }}=\{I_{\xi ,1},I_{\xi ,2},V_{\xi ,0},V_{\xi ,1},\cdots ,V_{\xi ,m}\}$. B returns the challenge ciphertexts $C_{W_{\xi }}$ to the adversary $A_2$.

Phase 2:The attacker $A_2$ can continue to execute various queries, but there is a limitation that the attacker $A_2$ is not allowed to query the keyword ciphertext or trap of $W_0$ or $W_1$.

Guess: $A_2$ returns ${\xi }^{\prime }$.

Solve the ECDDDH problem. If ${\xi }^{\prime }=\xi$, B returns 1. Otherwise 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=2}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{◊}+{\displaystyle \sum _{k=2}^d}{x}_k{l}_u^{◊}{P}_{pub}+r_u^{◊}aP+l_u^{◊}xaP+X$

$=({\displaystyle \sum _{k=2}^d}{x}_k+e_0)P_u^{◊}+x_0{R}_u^{◊}+x_0{l}_u^{◊}{P}_{pub}+abP$

$=(x_0+e_0)P_u^{◊}+x_0{R}_u^{◊}+x_0{l}_u^{◊}{P}_{pub}$

Therefore, $C_{W_{\xi }}$ is a valid ciphertext. Suppose that the advantage of $A_2$ wins in the above game is $\epsilon$, so

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $C_{W_{\xi }}$ is an invalid ciphertext. $A_2$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability. Let $q_u$, $q_r$, $q_s$ be the number of User public key query, Replace-Public-Key query, and Secret-Value query, respectively. The two events are as follows:

${\pi }_1$ : $A_2$ did not replace of $I{D}_u^{◊}$’s public key $P_u^{◊}$ nor perform the Secret-Value query for $I{D}_u^{◊}$.

${\pi }_2$ : $I{D}_u^{*}=I{D}_u^{◊}$.

It’s not hard to get the following results.

$Pr\left[{\pi }_1\right]=\frac{q_u-q_r-q_s}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_u-q_r-q_s}$ ,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_2$ has an $\epsilon$ advantage to win Game, then B has a probability greater than $\frac{\epsilon }{q_u}$ to determine whether $X=abP$.

Theorem 2. Our CLVPFCKS scheme is CKCA-CIND secure in standard model if the ECDDDH problem is hard.

Proof: Theorem 2 holds from Lemma 1 and Lemma 2.

Lemma 3. Assuming the adversary $A_1$ can win Game 3, then an algorithm B can be constructed to solve the ECDDDH problem.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up: B runs the setup $\left(1^k\right)$ program to obtain the public parameters $\Omega =\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where master private key $SK=x$ ,$PK=P_{pub}=xP$, then randomly selects $r_u,x_C,r_C\in Z_q^{*}$,and set

$P_u=aP$, $R_u=r_{u}P$$P_C=x_{C}P$, $R_C=r_{C}P$,

$e_C=r_C+x{H}_0(I{D}_C,R_C,P_C)modq$,

$e_u=r_u+x{H}_0(I{D}_u,R_u,P_u)modq$ .

B sends the public key $P{K}_u$ and $P{K}_C$ to $A_1$, but $S{K}_u$ and $S{K}_C$ are unknown to $A_1$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_i$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list $L_o$ of the tuple$(I{D}_i,x_{i}P,r_{i}P,r_i)$ and upon receiving an identity $I{D}_i$, performs the following steps.

Case1. $I{D}_i=I{D}_i^{◊}$, B picks at randomly $x_i^{◊}\in Z_q^{*}$, setting $P{K}_i^{◊}=(x_i^{◊}P,bP)$, and adds the tuple $(I{D}_i^{◊},x_i^{◊}P,x_i^{◊},bP,◊)$ to the list $L_o$,Where ◊ represents a null value.

Case2. $I{D}_i\ne I{D}_i^{◊}$, B picks at randomly $x_i,r_i\in Z_q^{*}$, setting $P{K}_i=(x_{i}P,r_{i}P)$, and adds the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$ to the list $L_o$.

Replace-Public-Key query: same as that in Lemma 1.

Secret-Value query:same as that in Lemma 1.

Partial-Private-Key query: B establishes a list $L_e$ of tuple $(I{D}_j,e_j)$ when $A_1$ asks the partial private key of $I{D}_j$. If $I{D}_j=I{D}_i^{◊}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_o$, running the Extract-Partial-Private-Key algorithm generating $e_j$. B output $e_j$ and adds $(I{D}_j,e_j)$ to the list $L_e$.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: $A_1$ submits a tuple $(W_0^{\prime },W_1^{\prime },\{I{D_1}^{*},\cdots ,I{D_d}^{*}\},\{P{K_1}^{*},\cdots ,P{K_d}^{*}\})$, where $W_0^{\prime }=\{w_{0,1}^{\prime },w_{0,2}^{\prime },\cdots ,w_{0,l}^{\prime }\}$ and $W_1^{\prime }=\{w_{1,1}^{\prime },w_{1,2}^{\prime },\cdots ,w_{1,l}^{\prime }\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_i^{◊}\notin \{I{D_1}^{*},I{D_2}^{*},\cdots ,I{D_d}^{*}\}$, B aborts. Otherwise,without losing generality, it is better to set $I{D}_1^{*}$ as $I{D}_i^{◊}$. B calculates ${l_0}^{*}={\displaystyle \sum _{i=1}^d}{H}_0(I{D}_i^{*},R_i^{*},P_i^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t=e_u{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=2}^d}{x_i}^{*}aP+{\displaystyle \sum _{i=1}^d}{r_i}^{*}aP+{l_0}^{*}xaP+X$

B selects an elements ${\eta }_{\xi }{\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and sets $T_{{W^{\prime }}_{\xi ,m+1}}={\eta }_{\xi }P$ ,

$T_{{W^{\prime }}_{\xi ,j}}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_{\xi ,j}\right)}^{j}P+{\eta }_{\xi }{P}_C$, where $0\le j\le m$. Finally, B sent $T_{W_{\xi }^{\prime }}=\{T_{{w^{\prime }}_{\xi },0},T_{{w^{\prime }}_{\xi },1},\cdots ,T_{{w^{\prime }}_{\xi },m},T_{{w^{\prime }}_{\xi ,m+1}}\}$ to the adversary $A_1$.

Phase 2: The attacker $A_1$ can continue to execute various queries, but there is a limitation that the attacker $A_1$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_1$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=e_u{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=1}^d}{x_i}^{*}aP+{\displaystyle \sum _{i=2}^d}{r_i}^{*}aP+{l_0}^{*}xaP+X$

$=(x_u+e_u)P_0^{*}+{\displaystyle \sum _{i=2}^d}{r_i}^{*}aP+x_u{l}_0^{*}{P}_{pub}+abP$

$=(x_u+e_u)P_0^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$.

Therefore, $T_{W_{\xi }^{\prime }}$ is a valid ciphertext. Suppose that the advantage of $A_1$ wins in the above game is $\epsilon$. So

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then$T_{W_{\xi }^{\prime }}$ is an invalid ciphertext. $A_1$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_o$, $q_r$ and $q_e$ be the number of the User public key query, Replace-Public-Key query, and Partial-Private-Key query, respectively. The two events are as follows:

${\pi }_1$ : $A_1$ did not replace of $I{D}_i^{◊}$’s public key $R_i^{◊}$ and query the partial-private-key for $I{D}_i^{◊}$.

${\pi }_2$ : $I{D}_1^{*}=I{D}_i^{◊}$.

It’s not hard to get the following results.

$Pr\left[{\pi }_1\right]=\frac{q_o-q_r-q_e}{q_o}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_o-q_r-q_e}$ ,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_1$ win Game 1 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_o}$ to determine whether $X=abP$.

Lemma 4. Assuming the adversary $A_2$ can win Game 4, then an algorithm B can be constructed to solve the ECDDDH problem.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up : B runs the setup $\left(1^k\right)$ program to obtain the public parameters $\Omega =\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where master private key $SK=x$ ,$PK=P_{pub}=xP$, then randomly selects $x_u,x_C,r_C\in Z_q^{*}$, and set

$P_u=x_{u}P$, $R_u=aP$$P_C=x_{C}P$, $R_C=r_{C}P$,

$e_C=r_C+x{H}_0(I{D}_C,R_C,P_C)modq$,

$e_u=a+x{H}_0(I{D}_u,R_u,P_u)modq$

B sends the public parameters $\Omega$, the public key $P{K}_u$, and the public/secret key pair $(PK,SK)$ to $A_2$, while $S{K}_u$ are unknown to $A_2$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_i$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: user public key query: B keeps a list $L_o$ of the tuple$(I{D}_i,x_{i}P,r_{i}P,r_i)$ and upon receiving an identity $I{D}_i$, performs the following steps.

Case1. $I{D}_i=I{D}_i^{◊}$, B picks at randomly $r_i^{◊}\in Z_q^{*}$, setting $P{K}_i^{◊}=(bP,r_i^{◊}P)$, and adds the tuple $(I{D}_i^{◊},bP,◊,r_i^{◊}P,r_i^{◊})$ to the list $L_o$, Where ◊ represents a null value. .

Case2. $I{D}_i\ne I{D}_i^{◊}$, B picks at randomly $x_i,r_i\in Z_q^{*}$, setting $P{K}_i=(x_{i}P,r_{i}P)$, and adds the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$ to the list $L_o$.

Replace-Public-Key query: same as that in Lemma 1.

Secret-Value query:B established a list $L_s$ of tuple $(I{D}_j,x_j)$. When $A_2$ asks the secret value for $I{D}_j$. If $I{D}_j=I{D}_i^{◊}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in list $L_o$, returns $x_j$.

Partial-Private-Key query: same as that in Lemma 2.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: $A_2$ submits a tuple $(W_0^{\prime },W_1^{\prime },\{I{D_1}^{*},\cdots ,I{D_d}^{*}\},$$\{P{K_1}^{*},\cdots ,P{K_d}^{*}\})$ , where $W_0^{\prime }=\{w_{0,1}^{\prime },w_{0,2}^{\prime },\cdots ,w_{0,l}^{\prime }\}$ and $W_1^{\prime }=\{w_{1,1}^{\prime },w_{1,2}^{\prime },\cdots ,w_{1,l}^{\prime }\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_i^{◊}\notin \{I{D_1}^{*},I{D_2}^{*},\cdots ,I{D_d}^{*}\}$, B aborts. Otherwise, without losing generality, it is better to set $I{D}_1^{*}$ as $I{D}_i^{◊}$. B calculates ${l_0}^{*}={\displaystyle \sum _{i=1}^d}{H}_0(I{D}_i^{*},R_i^{*},P_i^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t=x_u{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=2}^d}{x_i}^{*}aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=1}^d}{r_i}^{*}ap+x_u{l_0}^{*}{P}_{pub}+X$

B selects an elements ${\eta }_{\xi }{\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and sets $T_{{W^{\prime }}_{\xi ,m+1}}={\eta }_{\xi }P$ ,

$T_{{W^{\prime }}_{\xi ,j}}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_{\xi ,j}\right)}^{j}P+{\eta }_{\xi }{P}_C$, where $0\le j\le m$ . Finally, B sent $T_{W_{\xi }^{\prime }}=\{T_{{w^{\prime }}_{\xi },0},T_{{w^{\prime }}_{\xi },1},\cdots ,T_{{w^{\prime }}_{\xi },m},T_{{w^{\prime }}_{\xi ,m+1}}\}$ to the adversary $A_2$.

Phase 2: The attacker $A_2$ can continue to execute various queries, but there is a limitation that the attacker $A_2$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_2$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=x_u{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=2}^d}{x_i}^{*}aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P_i}^{*}+{\displaystyle \sum _{i=1}^d}{r_i}^{*}aP+x_u{l_0}^{*}{P}_{pub}+X$

$=x_u{P}_0^{*}+{\displaystyle \sum _{i=2}^d}{x_i}^{*}aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P_i}^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}+abP$

$=x_u{P}_0^{*}+{\displaystyle \sum _{i=1}^d}{x_i}^{*}aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P_i}^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$

$=x_u{P}_0^{*}+(a+l_{u}x){\displaystyle \sum _{i=1}^d}{P_i}^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$

$=(x_u+e_u)P_0^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$.

Therefore, $T_{W_{\xi }^{\prime }}$ is a valid ciphertext. Suppose that the advantage of $A_2$ wins in the above game is $\epsilon$. So

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $T_{W_{\xi }^{\prime }}$ is an invalid ciphertext. $A_2$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_o$ , $q_r$ and $q_s$ be the number of User public key query, Replace-Public-Key query, and Secret-Value query, respectively. The two events are as follows:

${\pi }_1$ : $A_2$ did not replace of $I{D}_i^{◊}$’s public key $P_i^{◊}$ and query the secret value for $I{D}_i^{◊}$.

${\pi }_2$ : $I{D}_1^{*}=I{D}_i^{◊}$.

It’s not hard to get the following results.

$Pr\left[{\pi }_1\right]=\frac{q_o-q_r-q_e}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_o-q_r-q_e}$ ,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_2$ win Game 4 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_o}$ to determine whether $X=abP$.

Theorem 3. Our CLVPFCKS scheme is IND-KGA safe in the standard model if the ECDDDH problem is hard. Proof: Theorem 3 holds from Lemma 3 and Lemma 4.

Theorem 4. Under the ECDLP assumption, it is not computationally feasible for the CSP to forge valid proof information through the result verification mechanism.

Proof: The malicious CSP can’t forge a valid multi-signature on each returned record and pass the verification. Since it does not have the key of multiple data owners, it is computationally infeasible to forge a valid multi-signature. Therefore, the malicious CSP can only win the next security game by directly generating valid proof information according to the wrong search result $C^{*}$ instead of wining the next security game by forging multiple signatures. But after the following analysis, this is also impossible.

Assume that the correct ciphertext and its identity is $C=\{{\mathrm{c}}_1,{\mathrm{c}}_2,\cdots ,{\mathrm{c}}_n\}$ and $sig=\{si{g}_1,\cdots ,si{g}_n\}$, where $si{g}_t=\{Y_{0,t},V_{0,t}\}$. The malicious CSP may forge wrong proof information $({\varphi }_1^{*},{\varphi }_2^{*})$ on false search results $C^{*}=\{{\mathrm{c}}_{k_1}^{*},{\mathrm{c}}_{k_2}^{*},\cdots ,{\mathrm{c}}_{k_s}^{*}\}$, where

$${{\varphi }_1}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{0,k_{\tau }},P_0),$$

$${{\varphi }_2}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{0,k_{\tau }},Q_0).$$

If the forged proof information $({\varphi }_1^{*},{\varphi }_2^{*})$ can successfully pass the result verification mechanism, the malicious CSP will win the security game; Otherwise, it will fail. Suppose a malicious CSP wins the game. We then know that

$${{\varphi }_1}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{0,k_{\tau }},P_0),$$

$${{\varphi }_2}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{0,k_{\tau }},Q_0)$$

(4)

where $\sigma ={\displaystyle \sum _{\tau =1}^s}{V}_{0,k_{\tau }}$. The proof information of correct ciphertext C is $({\varphi }_1,{\varphi }_2)$, where

$${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},P_0),$$

$${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{0,k_{\tau }},Q_0).$$

The signature of the correct ciphertext can pass the verification mechanism, so we have

$$\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{o,k_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0$$

(5)

Subtract Formula (4) from Formula (5) to get

$$({\varphi }_1-{{\varphi }_1}^{*})P_0=({{\varphi }_2}^{*}-{\varphi }_2)Q_0$$

(6)

Because $({\varphi }_1,{\varphi }_2)$ is not equal to $({\varphi }_1^{*},{\varphi }_2^{*})$, so ${\varphi }_1\ne {\varphi }_1^{*}$ or ${\varphi }_2\ne {\varphi }_2^{*}$. Set $\Delta {\varphi }_1={\varphi }_1-{{\varphi }_1}^{*}$, $\Delta {\varphi }_2={\varphi }_2-{{\varphi }_2}^{*}$, then $\Delta {\varphi }_1\ne 0$ or $\Delta {\varphi }_2\ne 0$. Suppose $\Delta {\varphi }_1$ is not zero, then $P_0=\frac{\Delta {\varphi }_2}{\Delta {\varphi }_1}{Q}_0$. If the probability of $\Delta {\varphi }_1=0$ is $\frac{1}{q}$, then the probability that we can break the ECDLP problem is $1-\frac{1}{q}$, where q is the length of $G_q$. This means that if the malicious CSP can pass the verification, we can break the ECDLP problem.

6. Performance analysis

In this section, we compare our scheme with other certificateless or verifiable search schemes in terms of computational complexity, storage overhead and security.

First, let’s talk about security. Table 2 compares the security of the current scheme with other schemes. The CKCA-CIND, the IND-KGA, the insider KGA, the FIA, the SCF, and the VER are used to measure the scheme’s security. The CKCA-CIND means that the scheme is in differentiability of ciphertext for selected keyword ciphertext attacks, the IND-KGA means the indistinguishability of indiscernibility of trapdoors, the insider-KGA denotes that the scheme is secure against keyword-guessing attacks launched by malicious server, the FIA denotes that the scheme is resistant to file injection attack, the SCF means that the scheme has no secure channel, and the VER indicates that the scheme can prevent malicious CSP from returning wrong search results.

Table 2. COMPARISON OF SAFETY

scheme	CKCA-CIND	IND-KGA	insider-KGA	FIA	SCF	VER
VCKSM[18]	No proof	yes	no	no	yes	yes
VMKS[46]	yes	yes	No proof	No proof	yes	yes
VMKDO[33]	yes	yes	no	no	yes	yes
VCSE[46]	yes	No proof	no	no	yes	yes
CLPAEKS[12]	No proof	No proof	yes	yes	yes	No proof
CL-dPAEKS[11]	No proof	No proof	yes	yes	yes	No proof
our	yes	yes	yes	yes	yes	yes

Table 2. COMPARISON OF SAFETY

scheme	CKCA-CIND	IND-KGA	insider-KGA	FIA	SCF	VER
VCKSM[18]	No proof	yes	no	no	yes	yes
VMKS[46]	yes	yes	No proof	No proof	yes	yes
VMKDO[33]	yes	yes	no	no	yes	yes
VCSE[46]	yes	No proof	no	no	yes	yes
CLPAEKS[12]	No proof	No proof	yes	yes	yes	No proof
CL-dPAEKS[11]	No proof	No proof	yes	yes	yes	No proof
our	yes	yes	yes	yes	yes	yes

It is worth noting that no solution can simultaneously achieve result validation, conjunctive keyword search, and certificateless and bilinear pairings, as shown in Table 2. Our proposed solution can simultaneously perform four functions and is proven secure under the standard model.

Next, we compare the computational complexity. To compare the computational complexity, we use the operation time of He et al.’s scheme[47] as the benchmark. He et al. tested the time required for the relevant operations in the experimental environment of Samsung Galaxy S5 based on the Android 4.4.2 operating system, quad-core 2.45G processor, and 2G byte memory. Table 4 shows the exact running time and symbols of the various operations. The mapping $e:G_1\times G_1\to G_2$ is a bilinear pair where $G_1$ is an additive group of singular elliptic curves of order p defined on a finite field $F_q$. The lengths of p and q are 512 bits and 160 bits, respectively. G is an additive group of non-sigular elliptic curve of order q defined on the prime finite field $F_q$. The length of p and q is 160.

Table 3. Symbol definition

symbols	Definition
$T_{bp}$	Running time required for a bilinear pairing operation, $T_{bp}\approx 32.713ms$
$T_{htp}$	Running time required for a hash-to-operation,$T_{htp}\approx 33.582ms$
$T_{sm}$	Running time required for a scalar multiplication operation in $G_1,T_{sm}\approx 13.405ms$
$T_{exp}$	Running time required for an exponentiation operation in $G_2,T_{exp}\approx 2.249ms$
$T^{\prime }sm$	Running time required for a scalar multiplication operation in $G,T_{sm}\approx 3.335ms$
u	Number of data users
d	Number of data owners
m	Number of keywords in ciphertext
n	Number of ciphertext
s	Number of search keywords

Table 3. Symbol definition

symbols	Definition
$T_{bp}$	Running time required for a bilinear pairing operation, $T_{bp}\approx 32.713ms$
$T_{htp}$	Running time required for a hash-to-operation,$T_{htp}\approx 33.582ms$
$T_{sm}$	Running time required for a scalar multiplication operation in $G_1,T_{sm}\approx 13.405ms$
$T_{exp}$	Running time required for an exponentiation operation in $G_2,T_{exp}\approx 2.249ms$
$T^{\prime }sm$	Running time required for a scalar multiplication operation in $G,T_{sm}\approx 3.335ms$
u	Number of data users
d	Number of data owners
m	Number of keywords in ciphertext
n	Number of ciphertext
s	Number of search keywords

Table 4 shows the comparison results of the running time of the verifiable conjunctive keyword search encryption scheme. To be more intuitive and specific, we taking n=1000, m=100, d=100, u=50, s=50. Table 5 shows the calculation time of the three schemes. Except for the search algorithm, our scheme takes less time than the other two schemes, especially for the verification algorithm. Therefore, our scheme is the most efficient.

Table 4. Comparison of running time of various schemes

scheme	keyGen	Enc	Trap	search	verify
VCKSM[18]	$(u+d+1)T_{sm}$	[2nd + n(m + 2)]$\begin{array}{c}{T}_{sm}\hfill \\ +2n{T}_{exp}+2n{T}_{bp}\hfill \\ {+nT}_{htp}\hfill \end{array}$	$(m+3)T_{sm}$	$\begin{array}{c}(n+3)T_{sm}\hfill \\ +[n(m+1)+1]T_{bp}\hfill \end{array}$	$\begin{array}{c}(2s+1)T_{sm}\hfill \\ +s{T}_{htp}+2T_{bp}\hfill \end{array}$
VMKS[46]	$(4u+4d)T_{sm}$	$\begin{array}{c}n{T}_{htp}+\hfill \\ (6n+mn)T_{sm}\hfill \end{array}$	$(l+5)T_{sm}$	$4T_{bp}$	$\begin{array}{c}(s+2)T_{sm}\hfill \\ +s{T}_{htp}+3T_{bp}\hfill \end{array}$
our	$(2d+5)T^{\prime }\mathrm{sm}$	$[nd+n(m+4)]T^{\prime }sm$	$(m+6)T^{\prime }sm$	$2+n(m+1)]T^{\prime }sm$	$3T^{\prime }sm$

Table 4. Comparison of running time of various schemes

scheme	keyGen	Enc	Trap	search	verify
VCKSM[18]	$(u+d+1)T_{sm}$	[2nd + n(m + 2)]$\begin{array}{c}{T}_{sm}\hfill \\ +2n{T}_{exp}+2n{T}_{bp}\hfill \\ {+nT}_{htp}\hfill \end{array}$	$(m+3)T_{sm}$	$\begin{array}{c}(n+3)T_{sm}\hfill \\ +[n(m+1)+1]T_{bp}\hfill \end{array}$	$\begin{array}{c}(2s+1)T_{sm}\hfill \\ +s{T}_{htp}+2T_{bp}\hfill \end{array}$
VMKS[46]	$(4u+4d)T_{sm}$	$\begin{array}{c}n{T}_{htp}+\hfill \\ (6n+mn)T_{sm}\hfill \end{array}$	$(l+5)T_{sm}$	$4T_{bp}$	$\begin{array}{c}(s+2)T_{sm}\hfill \\ +s{T}_{htp}+3T_{bp}\hfill \end{array}$
our	$(2d+5)T^{\prime }\mathrm{sm}$	$[nd+n(m+4)]T^{\prime }sm$	$(m+6)T^{\prime }sm$	$2+n(m+1)]T^{\prime }sm$	$3T^{\prime }sm$

Table 5. Comparison of running time of various schemes

scheme	keyGen(ms)	Enc(ms)	Trap(ms)	search(ms)	verify(ms)	Total
VCKSM[18]	2024.155	4151817	1380.715	3305426.428	3098.481	7463746.779
VMKS[46]	8043	1382126	737.275	130.852	2474.349	1393511.476
our	683.675	680340	353.51	336838.335	6.67	1018222.19

Table 5. Comparison of running time of various schemes

scheme	keyGen(ms)	Enc(ms)	Trap(ms)	search(ms)	verify(ms)	Total
VCKSM[18]	2024.155	4151817	1380.715	3305426.428	3098.481	7463746.779
VMKS[46]	8043	1382126	737.275	130.852	2474.349	1393511.476
our	683.675	680340	353.51	336838.335	6.67	1018222.19

Let $\left|G_1\right|$, $\left|G_2\right|$, $\left|G\right|$ and $\left|{Z^{*}}_q\right|$ denote the size of an element in $G_1$, $G_2$, G and ${Z^{*}}_q$, respectively. For more intuitive comparison of communication costs. Table 6 uses n=100, m=10 and s=10. As shown in Figure 3, our solution has the lowest storage cost.

Table 6. Communication Comparison Of Various Schemes

scheme	Ciphertext size(bytes)	Trapdoor size(bytes)
VCKSM[18]	$n\left(m+2\right)\left|G_2\right|=1200\times 512/8=76800$	$\left|G_1\right|+\left|G_2\right|+s\left|Z_q^{*}\right|=(512+512+10\times 160)/8=328$
VMKS[46]	$\begin{array}{c}n\left(\left|G_2\right|+\left(m+2\right)\left|G_1\right|\right)\hfill \\ =100\times (512+12\times 512)/8\\ =83200\hfill \end{array}$	$\left(m+2\right)\left|G_1\right|+\left|Z_q^{*}\right|=(12\times 512+160)/8=788$
our	$n\left(m+3\right)\left|G\right|=(1300\times 160)/8=26000$	$(m+2)\left|G\right|=12\times 160/8=240$

Table 6. Communication Comparison Of Various Schemes

scheme	Ciphertext size(bytes)	Trapdoor size(bytes)
VCKSM[18]	$n\left(m+2\right)\left|G_2\right|=1200\times 512/8=76800$	$\left|G_1\right|+\left|G_2\right|+s\left|Z_q^{*}\right|=(512+512+10\times 160)/8=328$
VMKS[46]	$\begin{array}{c}n\left(\left|G_2\right|+\left(m+2\right)\left|G_1\right|\right)\hfill \\ =100\times (512+12\times 512)/8\\ =83200\hfill \end{array}$	$\left(m+2\right)\left|G_1\right|+\left|Z_q^{*}\right|=(12\times 512+160)/8=788$
our	$n\left(m+3\right)\left|G\right|=(1300\times 160)/8=26000$	$(m+2)\left|G\right|=12\times 160/8=240$

As stated in the summary, our scheme is more efficient than others in computing and communication costs. And it is also the best in security.

7. Conclusion

Searchable encryption is an essential technology for medical Internet of Things. We have constructed a certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme (CLVPFCKS) for the Internet of Medical. The performance analysis shows that the CLVPFCKS scheme proposed in this paper performs better than the verifiable conjunctive keyword searchable encryption scheme using bilinear pairing. We prove the new system can resist keyword guessing attacks, choose keyword attacks (CKA), and file injection attacks under the standard model.