Preprint

Article

Altmetrics

Downloads

99

Views

41

Comments

0

A peer-reviewed article of this preprint also exists.

This version is not peer-reviewed

The Internet of Medical Things(IoMT) has powerful cloud computing ability and efficient data collection ability, which can improve the accuracy and convenience of medical work. As most communications are over open networks, data should encrypted before uploading to ensure the confidentiality of sensitive user data. Searching for encrypted data has become a challenging problem. Public key Encryption with Keyword Search (PEKS) supports the search of encrypted data and provides data privacy protection. PEKS has become a trendy technology, but PEKS still has the following problems: 1. The cloud server, as a semi-honest but curious third party, is likely to return some wrong search results to save computing and bandwidth resources. 2. The single keyword search inevitably produces irrelevant results, wasting computing and bandwidth resources. 3. Most PEKS schemes use bilinear pairing, so the computational efficiency is relatively low. 4. PEKS schemes based on Public Key Infrastructure (PKI) or identity-based cryptography inevitably face problems with certificate management or key escrow. 5. Most PEKS schemes face serious security threats such as Keyword Guessing Attacks (KGA) and File Injection Attacks (FIA). To solve the above problems, we propose a new certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme(CLVPFCKS) for IoMT using multi-signature.

Keywords:

Submitted:

30 January 2024

Posted:

31 January 2024

You are already at the latest version

Alerts

A peer-reviewed article of this preprint also exists.

This version is not peer-reviewed

Submitted:

30 January 2024

Posted:

31 January 2024

You are already at the latest version

Alerts

The Internet of Medical Things(IoMT) has powerful cloud computing ability and efficient data collection ability, which can improve the accuracy and convenience of medical work. As most communications are over open networks, data should encrypted before uploading to ensure the confidentiality of sensitive user data. Searching for encrypted data has become a challenging problem. Public key Encryption with Keyword Search (PEKS) supports the search of encrypted data and provides data privacy protection. PEKS has become a trendy technology, but PEKS still has the following problems: 1. The cloud server, as a semi-honest but curious third party, is likely to return some wrong search results to save computing and bandwidth resources. 2. The single keyword search inevitably produces irrelevant results, wasting computing and bandwidth resources. 3. Most PEKS schemes use bilinear pairing, so the computational efficiency is relatively low. 4. PEKS schemes based on Public Key Infrastructure (PKI) or identity-based cryptography inevitably face problems with certificate management or key escrow. 5. Most PEKS schemes face serious security threats such as Keyword Guessing Attacks (KGA) and File Injection Attacks (FIA). To solve the above problems, we propose a new certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme(CLVPFCKS) for IoMT using multi-signature.

Keywords:

Subject: Computer Science and Mathematics - Other

Internet of Things is a network that connects any item to the Internet and uses information sensing devices such as radio frequency identification, infrared sensors, global positioning systems, and laser scanners to exchange and communicate information according to agreed protocols, achieving intelligent identification, positioning, tracking, monitoring, and management [1,2]. The Internet of Medical Things (IoMT) conveniently connects communication technology, medical staff, patients, various medical devices, and intelligent facilities, thus completing brilliant medical care and innovative item management. The Internet of Medical Things system can achieve real-time feedback on the health status of patients, improve medical response speed, provide 24-hour medical care, significantly reduce the work pressure of medical personnel, improve the accuracy and convenience of medical work, improve clinical medical quality, control costs, reduce efficiency, and save lives.

Electronic Medical Record (EMR) is crucial in IoMT systems. It electronically manages personal health status and healthcare information involving patient information collection, storage, transmission, processing, and utilization.The volume of medical data will inevitably surge as medical data is collected through various channels digitally. How to effectively store and manage the increasing number of electronic medical records has become an unprecedented challenge. In response to this problem, cloud computing can be a supplementary tool. With cloud computing, hospitals, and medical organizations outsource EMR to cloud servers for storage to save local data management and system maintenance costs while also achieving resource sharing with data recipients. Figure 1 shows a typical architecture of IoMT for medical IoT.

EHRs involve patients’ privacy, and are often encrypted to protect patients’ privacy and security. However, this causes great inconvenience for users to search for EMRs containing specific keywords. A simple solution to this problem is for users to download all ciphertext data fully, decrypt it, and further search locally. However, this leads to high computational and communication costs, making them impractical. To solve this problem, researchers have proposed searchable encryption (SE) [7] technology. It is an encryption primitive that enables users to search for keywords on ciphertext in a privacy-protected manner. In 2004, Boneh et al. [8] proposed the concept of public key encryption with keyword search (PEKS) to solve the problem of searching data encrypted using public key cryptosystems.

The initial PEKS scheme had many areas for improvement regarding efficiency and safety. Firstly, review the efforts made by numerous researchers in improving the efficiency of PEKS. Baek [9] pointed out the inefficiency of the PEKS [8] scheme due to the use of secure channels. To eliminate the requirement for security channels, Baek et al. proposed the concept of secure channel-free PEKS (SCF-PEKS), also known as PEKS, with designated servers/testers (dPEKS) [10]. The efficiency of SCF-PEKS is improved. However, the PEKS (SCF-PEKS) schemes are built based on PKI or identity-based cryptosystem and encounter certificate management issues and key escrow issues in system deployment. To avoid the problems associated with certificate and key escrow, Peng et al. [11] proposed a certificateless keyword searchable encryption scheme (CLKS) without secure channels. Subsequently, much literature has studied certificateless searchable encryption schemes with keywords, such as [12–15]. Most PEKS schemes focus on searching for a single keyword, but single keyword search inevitably produces many irrelevant results, leading to bandwidth and computational resource waste. Golle et al. [16] proposed the first conjunctive keyword searchable encryption scheme to avoid resource waste. After this, many searchable encryption schemes, such as [17–19], support conjunctive keyword search.

Because the computational complexity of bilinear pairs is much higher than that of scalar multiplication on elliptic curve groups, designing searchable encryption schemes without bilinear pair operations can significantly improve the scheme’s efficiency. However, currently, there are not many searchable encryption schemes without bilinear [11,15,20–27], and they are not perfect enough. In 2019, Lu et al. [28] proposed a pairing-free certificateless searchable public key encryption scheme, proving that this scheme achieves indistinguishability of keyword ciphertext against adaptive keyword selection attacks under the complexity assumption of computing Diffie-Hellman problems in a random oracle model. However, Ma et al. [30] found that the scheme proposed in [28] is not secure against user simulation attacks and offered a new cloud-based IIoT pairing-free dual server CLPEKS scheme. Recently, [25], [26], and [27] respectively proposed secure and effective pairing-free CLPEKS schemes, but they are all single keyword searches.

Cryptography researchers place a high value on security. Next, let’s look at what researchers have done to improve the security of PEKS. The existing SCF-PEKS scheme is susceptible to keyword guessing attacks (KGA) [28] and file injection attacks (FIA) [29]. To avoid keyword guessing attacks and file injection attacks, Hwang et al. [30] embedded random keys in the keyword ciphertext of the PKSE scheme and claim that the scheme can resist the above attacks. However Yang [40] proved Hwang et al.’s SCF-PEKS scheme [30] is insecure under external online keyword attacks. The main reason for being vulnerable to external online keyword attacks is that opponents can generate legitimate ciphertext for the keyword. In addition to being attacked by external attackers, the PEKS scheme is also vulnerable to attacks from internal attackers (usually referring to malicious cloud servers). Jeong et al. [41] demonstrated that the PEKS framework is susceptible to offline keyword attacks (i.e., internal offline keyword attacks) by malicious data storage servers. Later, Shao and Yang [37] proposed a universal attack demonstrating the inability to construct an SCF-PEKS scheme to defend against malicious internal servers. They pointed out that because malicious servers can run keyword encryption and testing algorithms, SCF-PEKS is inherently vulnerable to offline keyword-guessing attacks from malicious insider servers.

In addition, a cloud server is a semi-honest but curious third party that may perform only a small portion of search operations and return a small amount of incorrect search results to save its computing and bandwidth resources. Therefore, the PEKS scheme should be equipped with a verification mechanism to ensure the correctness of search results without decrypting the ciphertext. Reference [31] proposed the first symmetric and verifiable encryption scheme for keyword search. Subsequently, many literature studies have investigated verifiable keyword searchable encryption schemes [32–35]. In reference [34], a verifiable conjunctive keyword search scheme (VCKSM) over mobile e-health cloud in shared multi-owner settings was proposed, and it was secure against keyword guessing attacks under the standard model; In reference [35], an identity-based certificateless verifiable conjunctive keyword searchable encryption scheme (VMKS) was constructed, which avoids certificate management or key escrow restrictions and achieves indistinguishability of ciphertext and unforgeability of signatures.

We construct a certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme (CLVPFCKS), and it has been proven under the standard model that it can resist keyword guessing attacks (KGA), file injection attacks (FIA), and choose keyword attacks (CKA). Specifically, the main contributions are as follows:

- Search results validation: The scheme allows the signature to be attached to each file to verify the accuracy of the search results.
- No bilinear pairing: The calculation of bilinear pairing needs more time, and the scheme’s efficiency will significantly improve without bilinear pairing.
- We prove that the new scheme can resist offline keyword guessing attacks, file injection attacks, and choose keyword attacks (CKA) under the standard model.

The following is the framework for the rest of this article. We summarize some related work in section 1. We discuss preparatory knowledge in section 2. We give the scheme’s construction and security analysis (including the security model and proof) in section 3. We show the details of the CLVPFCKS scheme in section 4. We discuss the security of the CLVPFCKS scheme in section 5. We analyze the effectiveness of CLVPFCKS in section 6. Finally, we summarize this paper in section 7.

Let $q>3$ be a large prime, ${F}_{q}$ be a prime field, and the elliptic curve E over the field ${F}_{q}$ must satisfy the equation

$${y}^{2}modq=({x}^{3}+ax+b)modq,$$

Which $a,b,x,y\in {F}_{q}$ and$(4{a}^{3}+27{b}^{2})modq\ne 0$. All points on E and the infinite point O form a cyclic group. ECC (elliptic curve cryptosystem) has the following difficulties:

- Elliptic curve discrete logarithm problem (ECDLP): given $P,Q\in {G}_{q}$, where P is the generator of the group, and Q is the element in ${G}_{q}$. It is difficult to calculate the integer k such that $Q=kP$, where $k\in {Z}_{{q}^{*}}$.
- Elliptic curve Computational Diffie-Hellman problem (ECDCHP): for any given $a,b$ in ${Z}_{{q}^{*}}$, it is difficult to calculate $abP$, where $(P,aP,bP)\in {G}_{q}$.
- Elliptic curve Decisional Diffie-Hellman problem (ECDDDH): Given $aP,bP\in G$ where $a,b$ unknown. The DDH (Decisional Diffie-Hellman) problem is to decide whether X equals $abP$ or a random element in G.

There exist five entities in the proposed CLVPFCKS scheme for KGC: multiple data owners (patient and his doctors), Cloud Service Provider (CSP), data user (other authorized doctors or healthcare center), and Private Audit Server (PAS), as shown in Figure 2.

KGC: It is a trusted third party, and it is responsible for generating system parameters and producing data owners, Cloud Service Providers (CSP), and data user’s partial private keys.

Multiple data owners: In reality, the cloud search system supports more shared scenarios of multiple data owners, especially in the electronic medical system. For example, one patient and several hospital staff (i.e., surgeons, physicians, etc.) share an electronic medical record jointly, and each staff member is responsible for the content of a specific part (i.e., block). If each block is an independent record, it will inevitably encounter multiple indexes, thus greatly expanding the computational and spatial overhead. Otherwise, the many data owners must have the same random elements, which is not feasible in practice. On the contrary, the scheme designed for shared multi-owner settings only requires a single index of the entire record, saving considerable time and space.

For each EHR jointly owned by the patient and its doctor, each data owner generates a signature on this record. All data users entrust user ${O}_{j}$ to establish an index based on the keywords of each EHR, and then the index and signature are sent to CSP. Note that the detailed algorithm for encrypting each EHR is beyond the discussion, and any public key encryption algorithm can be applied.

CSP: It is a semi-trusted entity. It has professional knowledge and can provide data storage and retrieval services for authorized cloud clients. After receiving a trapdoor from the data user, it returns the corresponding documents. But CSP is a semi-honest but curious third party, which many only perform a small part of the search operation and provide a small portion of the wrong search results to save its computing and bandwidth resources.

Data users: Data users obtain a partial private key from KGC generate the trapdoor of a keyword they wish to search, and then send it to the cloud server.

PAS: This fully trusted server is responsible for verifying the correctness of search results.

The CSP is assumed to be semi-honest but curious. It performs a fraction of search operations honestly but is interested in spying out the sensitive information valuable for the CSP. Furthermore, it may return false search results to save computing resources. On the other hand, the PAS is fully trusted and can guarantee the correctness of search results. Besides, the authorized data user can issue search queries without leaking valuable information to CSP.

We plan to achieve the following goals:

Set integer k as security level, $(F,W)$ as EHR file and keyword set. Definition1 (Our proposed CLVPFCKS scheme) Our scheme is a tuple of six algorithms, as follows:

(1)SetUp(${1}^{k}$):Given the security parameter k, KGC outputs the public parameters $\Omega $ and the public/secret key pair $(PK,SK)$ for the traditional public key algorithm.

(2)KeyGen $(\Omega ,O,U,C)$:For the data owner set O , data user set U and cloud server, KGC generates the public/secret key pairs {$P{K}_{i},S{K}_{i}$} $(1\le i\le d)$, {$P{K}_{u},S{K}_{u}$} and {$P{K}_{C},S{K}_{C}$}, respectively .

a)Set-Secret-Value:After inputting the public parameters $\Omega $, this probabilistic algorithm outputs Data owners, Data users, and CSP’s Secret-Value.

b)Partial-Private-Key-Extract:The KGC executes this algorithm, which accepts the identity of the data owner, data user, and CSP, then uses them in combination with the master key to generate a partial private key for the data owner, data user, and CSP.

c)Set-private-Key:Set the full secret keys of the data owner, data user, and CSP.

d)Set-Public-Key:Set the full public keys of the data owner, data user, and CSP.

(3)$Enc(\Omega ,F,W,\left\{I{D}_{i}\right\},ID,\left\{S{K}_{i}\right\},\left\{P{K}_{i}\right\})$:Data owners first conduct this probabilistic algorithm to generate the ciphertext set C for the set F. Then data owners generate multiple signatures Sig and index set I for ciphertext C. Then he sends the tuple $(C,I,Sig)$ to CSP.

(4)$TraGen(\Omega ,S{K}_{u},{W}^{\prime})$:Given the keyword ${W}^{\prime}$ , the data user runs this algorithm to output trapdoor ${T}_{{W}^{\prime}}$ .

(5)$Test(\Omega ,{T}_{{W}^{\prime}},I)$:Using the trapdoor ${T}_{{W}^{\prime}}$ as an input, the CSP matches it with the index set I, then returns the relevant ciphertext ${C}^{\prime}\subseteq C$ and signature $Si{g}^{\prime}$ set to PAS.

(6)$Verify(\Omega ,Sig,{C}_{W\prime},P{K}_{{O}_{i}})$:PAS runs this algorithm by initiating interaction with CSP to check the correctness of the search result ${C}_{W\prime}$. If ${C}_{W\prime}$ passes the result validation, PAS will return it to the data user. Otherwise, it will abort the algorithm.

To protect the security and privacy of the scheme, we must satisfy the following requirements:

(1)Keyword ciphertext indistinguishability: When encrypted data is stored in CSP, it will attach the corresponding keywords $\{{w}_{i1},{w}_{i2},\cdots ,{w}_{im}\}$. Even if keyword ciphertext is captured during transmission, no adversary can obtain keywords embedded in the ciphertext.

(2)Indistinguishability of trapdoor:Any adversary shall not obtain any information from the trapdoor.

Our scheme proves that trapdoors are indistinguishable and the keywords ciphertext are indistinguishable in the standard model. They are defined as follows:

Call them the adversary of type-1 and the adversary of type-2. There are two games to discuss the security of CKCA-CIND.

Phase 1. ${A}_{1}$ executes the User-Public-Key query using date user’s identity $I{D}_{u}$ first and then executes other queries using the identity $I{D}_{u}$. Set up lists to store the above queries and answers. All lists are initially empty. ${A}_{1}$ makes the queries to the challenger B as following:

(1)User-Public-key query:When ${A}_{1}$ inputs the identity $I{D}_{u}$, B outputs the user’s public key $P{K}_{u}$ .

(2)Replace - Public - Key query: ${A}_{1}$ inputs $(I{D}_{j},P{K}_{j}^{\prime})$ ,B replaces $P{K}_{j}$ with $P{K}_{j}^{\prime}$ .

(3)Secret-Value query:When ${A}_{1}$ inputs the identity $I{D}_{j}$ , B returns the secret value corresponding to the $I{D}_{j}$. If $P{K}_{j}$ is replaced, B refuses to answer.

(4)Partial-Private-Key-Extract query:When ${A}_{1}$ enters the $I{D}_{j}$, if $I{D}_{j}=I{D}_{u}^{\u25ca}$($I{D}_{u}^{\u25ca}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial Private Key.

(5)Keyword Ciphertext Query: ${A}_{1}$ asks B for the ciphertext of any keyword W it cares about. B runs the $Enc(\Omega ,F,W,\left\{I{D}_{i}\right\},ID,\left\{S{K}_{i}\right\},\left\{P{K}_{i}\right\})$ algorithm to answer W’s ciphertext ${C}_{W}$.

(6)Keyword Trapdoor Query: ${A}_{1}$ sends a keyword ${W}^{\prime}$ to B. B runs the $TrapGen(\Omega ,S{K}_{u},{W}^{\prime})$ algorithm to answer ${W}^{\prime}$’s trapdoor ${T}_{{W}^{\prime}}$.

(7)Test Query: ${A}_{1}$ selects and sends the ciphertext ${C}_{W}$ and trapdoor ${T}_{{W}^{\prime}}$ to B. B executes the $Test(\Omega ,{T}_{{W}^{\prime}},I)$ algorithm to return the test result of whether the ciphertext and the trapdoor match.

Secret-Value query :When ${A}_{2}$ enters the $I{D}_{j}$, if $I{D}_{j}=I{D}_{u}^{\u25ca}$ ($I{D}_{u}^{\u25ca}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_{j}$.

Partial-Private-Key-Extract query: When ${A}_{2}$ inputs the identity $I{D}_{j}$ , B returns the partial private key corresponding to the $I{D}_{j}$ .If $P{K}_{j}$ is replaced, B refuses to answer.

(1)User-Public-key query:When ${A}_{1}$ inputs the identity $I{D}_{j}$, B outputs the user’s public key $P{K}_{j}$ .

(2)Replace-Public-Key query: same as that in Game 1.

(3)Secret-Value query:same as that in Game 1.

(4)Partial-Private-Key-Extract query:When ${A}_{1}$ enters the $I{D}_{j}$, if $I{D}_{j}=I{D}_{i}^{\u25ca}$($I{D}_{i}^{\u25ca}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial Private Key.

(5)Keyword Ciphertext Query:same as that in Game 1.

(6)Keyword Trapdoor Query:same as that in Game 1.

(7)Test Query: same as that in Game 1.

Secret-Value query: When ${A}_{2}$ enters the $I{D}_{j}$, if $I{D}_{j}=I{D}_{i}^{\u25ca}$ ($I{D}_{i}^{\u25ca}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_{j}$.

Partial-Private-Key-Extract query: same as that in Game 2.

To better understand about our proposed scheme, we explain the pre-defined notations used throughout this paper in Table 1.

Notations | DESCRIPTIONS |

x | Master key |

${P}_{pub}$ | system public key |

$O=\{{O}_{1},{O}_{2},\cdots ,{O}_{d}\}$ | Data Owner Collection |

$I{D}_{i}\in {\{0,1\}}^{*}(1\le i\le d)$ | identity set for data owner ${O}_{i}$ |

$I{D}_{C}$ | identity set for CSP |

$I{D}_{u}$ | identity set for data user |

$(P{K}_{C},S{K}_{C})$ | Public/secret key pair for CSP |

$(P{K}_{{O}_{i}},S{K}_{{O}_{i}})$ | Public/secret key pair for data owner ${O}_{i}$ |

$(P{K}_{u},S{K}_{u})$ | Public/secret key pair for data user |

$F=\{{f}_{1},{f}_{2},\cdots ,{f}_{n}\}$ | File set F |

$C=\{{c}_{1},{c}_{2},\cdots ,{c}_{n}\}$ | ciphertext set |

$ID=\{i{d}_{1},i{d}_{2},\cdots ,i{d}_{n}\}$ | identity set for F |

${W}_{i}=\{{w}_{i1},{w}_{i2},\cdots ,{w}_{im}\}$ | Collection of keywords |

$si{g}_{i,t}$ | Data owner ${O}_{i}\u2019$ signature for ${c}_{t}$ |

$si{g}_{t}$ | Data owners’ multi-signatures for ${c}_{t}$ |

$Sig=\{si{g}_{1},si{g}_{2},\cdots ,si{g}_{n}\}$ | F’s multi-signature |

${I}_{i}$ | Index of ${f}_{i}$ |

$I=\{{I}_{1},{I}_{2},\cdots ,{I}_{n}\}$ | Index set for F |

${W}^{\prime}=\{{w}_{1}^{\prime},{w}_{2}^{\prime},\cdots ,{w}_{l}^{\prime}\}$ | Search keyword set |

${T}_{{W}^{\prime}}$ | The trapdoor of ${W}^{\prime}$ |

${C}^{\prime}=\{{c}_{{k}_{1}},{c}_{{k}_{2}},\cdots ,{c}_{{k}_{s}}\}$ | Search results |

$I{D}^{\prime}=\{i{d}_{{k}_{1}},i{d}_{{k}_{2}},\cdots ,i{d}_{{k}_{s}}\}$ | Identity set for ${C}^{\prime}$ |

This system uses traditional public key encryption algorithm to encrypt files, which we will not discuss. Therefore, the following algorithms focus on indexing and signature.

(1)Chooses a k bits prime number q and determine the tuple $\{{F}_{q},E/{F}_{q},{G}_{q},P\}$, where the point P is the generator of ${G}_{q}$ .

(2) Chooses the master key $x{\in}_{R}{Z}_{q}^{*}$ and computes the system public key ${P}_{pub}=xP$. Let $(PK,SK)=({P}_{pub},x)$.

(3) Selects five hash functions ${H}_{0}$,${H}_{1}$,${H}_{2}:$${\left\{0,1\right\}}^{*}\times G\times G\to {Z}_{q}^{*}$, ${h}_{1}:{\{0,1\}}^{*}\to {Z}_{q}^{*}$ ,${h}_{2}:{G}_{q}\to {Z}_{q}^{*}$ .

(4) Let $\Omega =\{{F}_{q},E/{F}_{q},{G}_{q},P,{H}_{0},{H}_{1},{H}_{2},{h}_{1},{h}_{2},{P}_{pub}\}$.

(1)Set-Secret-Value: The Participant with $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ selects an element ${x}_{i}{\in}_{R}{Z}_{q}^{*}(i=1,2,\cdots ,d,C,u)$ and generates the corresponding public key ${P}_{i}={x}_{i}P(i=1,2,\cdots ,d,C,u)$ .

(2))Extract-Partial-Private-Key: To get the partial private key, the user $I{D}_{i}$ sends $(I{D}_{i},{P}_{i})$ to the PKG and then the PKG executes the following steps.

(a)Taking the participant’s $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ as input, KGC selects a random number ${r}_{i}\in {Z}_{q}^{*}(i=1,2,\cdots ,d,C,u)$ and calculates ${R}_{i}={r}_{i}P(i=1,2,\cdots ,d,C,u)$.

(b)PKG computes ${e}_{i}={r}_{i}+x{H}_{0}(I{D}_{i},{R}_{i},{P}_{i})modq(i=1,2,\cdots ,d,C,u)$. The partial private key of the participant with $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ is ${e}_{i}$. The participant with $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ can verify his partial private key by checking whether the equation ${Q}_{i}={e}_{i}P={R}_{i}+{l}_{i}{P}_{pub}$ holds, where ${l}_{i}={H}_{0}(I{D}_{i},{R}_{i},{P}_{i})$. If the above equation is true, then the private key $I{D}_{i}$ will accepted.

(3)Set-Private-Key: The partial private key of the participant with $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ takes the pair $S{K}_{i}=({x}_{i},{e}_{i})$ as his full private key.

(4)Set-Public-Key: The participant with $I{D}_{i}(i=1,2,\cdots ,d,C,u)$ takes $P{K}_{i}=({P}_{i},{R}_{i})$ as his full public key.

(1) ${O}_{i}$ chooses a number ${y}_{i,t}{\in}_{R}{Z}_{q}^{*}$ and computes ${Y}_{i,t}={y}_{i,t}P$.

(2)${O}_{i}$ broadcasts ${Y}_{i,t}$ to other members ${O}_{k}(1\le k\le d,k\ne i)$ of the group.

(3)computes ${Y}_{0,t}={\displaystyle \sum _{i=1}^{d}}{Y}_{i,t}$, ${P}_{0}={\displaystyle \sum _{i=1}^{d}}{P}_{i}$, ${Q}_{0}={\displaystyle \sum _{i=1}^{d}}{Q}_{i}$.

(4)computes ${h}_{t}={H}_{1}({c}_{t},i{d}_{t},{Y}_{0,t},{P}_{0})$ and ${h}_{t}^{\prime}={H}_{1}({c}_{t},i{d}_{t},{Y}_{0,t},{Q}_{0})$ .

(5)${O}_{i}$ computes ${V}_{i,t}={y}_{i,t}+{h}_{t}{x}_{i}+{h}_{t}^{\prime}{e}_{i}$, generates a signature $si{g}_{i,t}=({Y}_{i,t},{V}_{i,t})$ for ${c}_{t}$, and then sends ${V}_{i,t}$ to the designated clerk ${O}_{z}$.

(6)Upon receiving ${V}_{i,t}$, ${O}_{z}$ computes ${V}_{0,t}={\displaystyle \sum _{i=1}^{d}}{V}_{i,t}$ and outputs the signature $si{g}_{t}=\{{Y}_{0,t},{V}_{0,t}\}$ . Let $sig=\{si{g}_{1},\cdots ,si{g}_{n}\}$, where ${V}_{0,t}P={Y}_{0,t}+{h}_{t}{P}_{0}+{h}_{t}^{\prime}{Q}_{0}$.

Let ${R}_{0}={\displaystyle \sum _{t=1}^{d}}{R}_{t}$, ${l}_{0}={\displaystyle \sum _{t=1}^{d}}{l}_{t}$, Construct an m-degree polynomial by the following equation: $F\left(x\right)={b}_{i,m}{x}^{m}+{b}_{i,m-1}{x}^{m-1}+\cdots +{b}_{i,1}x+{b}_{i,0}$. ${h}_{2}\left(t\right){h}_{1}\left({w}_{i,1}\right),\cdots ,{h}_{2}\left(t\right){h}_{1}\left({w}_{i,m}\right)$ is the root of equation $F\left(x\right)=1$, where $t=({x}_{0}+{e}_{0}){P}_{u}+{x}_{0}{R}_{u}+{x}_{0}{l}_{u}{P}_{pub}$.

Then ${O}_{j}$ selects ${\lambda}_{i},{\mu}_{i}{\in}_{R}{{Z}_{q}}^{*}$ and computes ${M}_{i}={\lambda}_{i}{Q}_{c}$, set ${I}_{i,1}={M}_{i}-{\mu}_{i}P$, ${I}_{i,2}={\lambda}_{i}P$,

- ${V}_{i,j}={\mu}_{i}{b}_{i,j}(0\le j\le m)$, and the index set is $I=\{{I}_{1},\cdots ,{I}_{n}\}$, where ${I}_{i}=\{{I}_{i,1},{I}_{i,2},{V}_{i,0},{V}_{i,1},$$\cdots ,{V}_{i,m}\}$. Finally ${O}_{j}$ send I to CSP.

The Data user calculates the value of ${P}_{0},{R}_{0},{l}_{0}$ as follows ${P}_{0}={\displaystyle \sum _{i=1}^{d}}{P}_{i}$, ${R}_{0}={\displaystyle \sum _{i=1}^{d}}{R}_{i}$, ${l}_{0}={\displaystyle \sum _{i=1}^{d}}{l}_{i}$. Given the queried keywords set ${W}^{\prime}=\{{w}_{1}^{\prime},{w}_{2}^{\prime},\cdots ,{w}_{l}^{\prime}\}$ , the data user U first selects an elements $\eta {\in}_{\mathrm{R}}{\mathrm{Z}}_{q}^{*}$ and sets ${T}_{{{W}^{\prime}}_{m+1}}=\eta P$,${T}_{{{W}^{\prime}}_{j}}={l}^{-1}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}{\left({{w}^{\prime}}_{r}\right)}^{j}P+\eta {P}_{C}$, where $0\le j\le m$ , $t=({x}_{u}+{e}_{u}){P}_{0}+{x}_{u}{R}_{0}+{x}_{u}{l}_{0}{P}_{pub}$. Finally, he sent ${T}_{{w}^{\prime}}=\{{T}_{{{w}^{\prime}}_{0}},{T}_{{{w}^{\prime}}_{1}},\cdots ,{T}_{{{w}^{\prime}}_{m}},{T}_{{{w}^{\prime}}_{m+1}}\}$ to CSP.

$${I}_{i,1}+{\displaystyle \sum _{j=0}^{m}}{V}_{i,j}({T}_{{{w}^{\prime}}_{j}}-{x}_{C}{T}_{{{w}^{\prime}}_{m+1}})={M}_{i}$$

If Eq (1) holds, the CSP returns the relevant ciphertext set ${C}^{\prime}=\{{\mathrm{c}}_{{k}_{1}},{\mathrm{c}}_{{k}_{2}},\cdots ,{\mathrm{c}}_{{k}_{s}}\}$ and its corresponding identity set $I{D}^{\prime}=\{i{d}_{{k}_{1}},\mathrm{i}{d}_{{k}_{2}},\cdots ,i{d}_{{k}_{s}}\}$ to PAS. Otherwise, it returns ⊥. The specific test process is shown in the Algorithm 1.

Algorithm 1 Search over encrypted data

Input: Trapdoor ${T}_{{W}^{\prime}}$ , indexes I, ciphertexts C, secret key $S{K}_{C}$ and public parameters $\Omega $ .

Output: Search results ${C}^{\prime}$ and corresponding identity set $I{D}^{\prime}$ or ⊥.

(1) ${T}_{{\mathrm{w}}^{\prime}}=\{{T}_{{\mathrm{w}}_{0}^{\prime}},{T}_{{\mathrm{w}}_{1}^{\prime}},\cdots ,{T}_{{\mathrm{w}}_{m}^{\prime}},{T}_{{\mathrm{w}}_{m+1}^{\prime}}\}$

(2)$I=\{{I}_{1},{I}_{2},\cdots ,{I}_{n}\}$,${I}_{i}=\{{I}_{i,1},{I}_{i,2},{V}_{i,0},{V}_{i,1},\cdots ,{V}_{i,m}\}$.

(3)${M}_{i}={e}_{C}{I}_{i,2}$

(4)$for\phantom{\rule{4pt}{0ex}}0\le i\le n\phantom{\rule{4pt}{0ex}}do$
$${I}_{i,1}+{\displaystyle \sum _{j=0}^{m}}{V}_{i,j}({T}_{{{w}^{\prime}}_{j}}-{x}_{C}{T}_{{{w}^{\prime}}_{m+1}})={M}_{i}$$

(5) If Eq.(1) holds, CSP returns the ciphertext ${c}_{{k}_{t}}$ ; otherwise, it returns ⊥;

(6)end for

(7)CSP returns the relevant results ${C}^{\prime}$ and corresponding identity set $I{D}^{\prime}$ or ⊥ to PAS.

Algorithm 2 results verification

Input: Search results ${C}^{\prime}$ with corresponding identity set $I{D}^{\prime}$, public keys $\left\{P{K}_{i}\right\}$, signature $sig=\{si{g}_{1},\cdots ,si{g}_{n}\}$ and public parameters $\Omega $, where $si{g}_{t}=\{{Y}_{0,t},{V}_{0,t}\}$.

Output: "Accept" or "Reject"

()1${C}^{\prime}=\{{\mathrm{c}}_{{k}_{1}},{\mathrm{c}}_{{k}_{2}},\cdots ,{\mathrm{c}}_{{k}_{s}}\},$$I{D}^{\prime}=\{i{d}_{{k}_{1}},\mathrm{i}{d}_{{k}_{2}},\cdots ,i{d}_{{k}_{s}}\}$;

(2)$\{P{K}_{1},P{K}_{2},\cdots ,P{K}_{d}\}$;

(3)$sig=\{si{g}_{1},\cdots ,si{g}_{n}\}$, $si{g}_{t}=\{{Y}_{0,t},{V}_{0,t}\}$;

(4)compute ${P}_{0}={\displaystyle \sum _{t=1}^{d}}{P}_{t}$ , ${Q}_{0}={\displaystyle \sum _{t=1}^{d}}{Q}_{t}$;

(5)compute ${\varphi}_{1}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{P}_{0})$,${\varphi}_{2}={\displaystyle \sum _{\tau =1}^{s}}{H}_{2}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{Q}_{0}),$

$$\sigma ={\displaystyle \sum _{\tau =1}^{s}}{V}_{0,{k}_{\tau}};$$

(6)Check

$$\sigma P={\displaystyle \sum _{\tau =1}^{s}}{Y}_{{o,k}_{\tau}}+{\varphi}_{1}{P}_{0}+{\varphi}_{2}{Q}_{0}$$

(7)If Eq.(3) holds, output "Accept" and send ${C}^{\prime}$ to data user; otherwise, output "Reject".

In this section, we will analyze the security and correctness of this scheme.

In the test phase, CSP obtains the index $I=\{{I}_{1},{I}_{2},\cdots ,{I}_{n}\}$ and trapdoor ${T}_{{W}^{\prime}}=\{{T}_{{{W}^{\prime}}_{0}}{T}_{{{\mathrm{W}}^{\prime}}_{1}},\cdots ,{T}_{{W}_{m}^{\prime}},{T}_{{W}_{m}^{\prime}+1}\}$. The CSP first computes

${e}_{C}{I}_{i,2}=({r}_{C}+x{l}_{C}){\lambda}_{\mathrm{i}}P={\lambda}_{\mathrm{i}}\phantom{\rule{4.pt}{0ex}}{Q}_{C}={M}_{i}$ .

${I}_{i,1}+{\displaystyle \sum _{j=0}^{m}}{V}_{i,j}({T}_{{{w}^{\prime}}_{j}}-{x}_{C}{T}_{{{w}^{\prime}}_{m+1}})$

$={M}_{i}-{\mu}_{i}P+{\displaystyle \sum _{j=0}^{m}}{\mu}_{i}{b}_{ij}[{l}^{-1}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}{\left({w}_{r}^{\prime}\right)}^{j}P+\eta {P}_{C}-{x}_{C}\eta P]$

$={M}_{i}-{\mu}_{i}P+{\displaystyle \sum _{j=0}^{m}}{\mu}_{i}{b}_{ij}\left({l}^{-1}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}\left({w}_{r}^{\prime}\right)P\right)$

$={M}_{i}-{\mu}_{i}P+{l}^{-1}{\mu}_{i}{\displaystyle \sum _{j=0}^{m}}{b}_{ij}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}{\left({w}_{r}^{\prime}\right)}^{j}P$

$={M}_{i}-{\mu}_{i}P+{l}^{-1}{\mu}_{i}[{\displaystyle \sum _{j=0}^{m}}{b}_{ij}{h}_{2}{\left(t\right)}^{j}{h}_{1}{\left({{w}^{\prime}}_{1}\right)}^{j}+\cdots +{\displaystyle \sum _{j=0}^{m}}{b}_{ij}{h}_{2}{\left(t\right)}^{j}{h}_{1}{\left({{w}^{\prime}}_{l}\right)}^{j}]P$

If ${W}^{\prime}\subseteq W$, then ${h}_{2}\left(t\right){h}_{1}\left({w}_{1}\right),\cdots ,{h}_{2}\left(t\right){h}_{1}\left({w}_{l}\right)$ are the root of the equation $F\left(x\right)=1$, where $F\left(x\right){=b}_{i,m}{x}^{m}{+b}_{i,m-1}{x}^{m-1}{+\cdots +b}_{i,1}x+{b}_{i,0}$. Thus

${I}_{i,1}+{\displaystyle \sum _{j=0}^{m}}{V}_{i,j}({T}_{{{w}^{\prime}}_{j}}-{x}_{C}{T}_{{{w}^{\prime}}_{m+1}})$

$={M}_{i}-{\mu}_{i}P+{l}^{-1}{\mu}_{i}[{\displaystyle \sum _{j=0}^{m}}{b}_{ij}{h}_{2}{\left(t\right)}^{j}{h}_{1}{\left({{w}^{\prime}}_{1}\right)}^{j}+\cdots +{\displaystyle \sum _{j=0}^{m}}{b}_{ij}{h}_{2}{\left(t\right)}^{j}{h}_{1}{\left({{w}^{\prime}}_{l}\right)}^{j}]P$

$={M}_{i}-{\mu}_{i}P+{l}^{-1}{\mu}_{i}(1+1+\cdots +1)P$

$={M}_{i}-{\mu}_{i}P+{\mu}_{i}P$

$={M}_{i}$

Equation (1) holds so CSP can correctly test whether the index of ciphertext matches the trapdoor.

In the test phase, PAS obtains signature $sig=\{si{g}_{1},si{g}_{2},\cdots ,si{g}_{n}\}$ and ciphertext ${C}^{\prime}=\{{\mathrm{c}}_{{k}_{1}},{\mathrm{c}}_{{k}_{2}},\cdots ,{\mathrm{c}}_{{k}_{s}}\}$, computing

${\varphi}_{1}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{P}_{0}),$

${\varphi}_{2}={\displaystyle \sum _{\tau =1}^{s}}{H}_{2}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{Q}_{0})$

getting the proof information $({\varphi}_{1},{\varphi}_{2})$, and then continuing to calculate

$\sigma P={\displaystyle \sum _{\tau =1}^{s}}{V}_{0,{k}_{\tau}}P={\displaystyle \sum _{\tau =1}^{s}}({Y}_{0,{k}_{\tau}}+{h}_{{k}_{\tau}}{P}_{0}+{h}_{{k}_{\tau}}^{\prime}{Q}_{0})$

$={\displaystyle \sum _{\tau =1}^{s}}{Y}_{0,{k}_{\tau}}+{\displaystyle \sum _{\tau =1}^{s}}{h}_{{k}_{\tau}}{P}_{0}+{\displaystyle \sum _{\tau =1}^{s}}{{h}^{\prime}}_{{k}_{\tau}}{Q}_{0}$

$={\displaystyle \sum _{\tau =1}^{s}}{Y}_{0,{k}_{\tau}}+{\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{P}_{0}){P}_{0}+{\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{Q}_{0}){Q}_{0}$.

- If ${C}^{\prime}\subseteq C$ , then

${\varphi}_{1}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{P}_{\mathrm{t0}})={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},{Y}_{0,\rho \left(\tau \right)},{P}_{0})$

${\varphi}_{2}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{Q}_{0})={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},{Y}_{0,\rho \left(\tau \right)},{Q}_{0})$

Where $\rho \left(\tau \right)\in [1,n]$ . So we have $\sigma P={\displaystyle \sum _{\tau =1}^{s}}{Y}_{{o,k}_{\tau}}+{\varphi}_{1}{P}_{0}+{\varphi}_{2}{Q}_{0}$. Eq. (3) in program 2 holds. We can also make sure that the ciphertext can not modified.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up : B runs the setup$\left({1}^{k}\right)$ program to get public parameters $\Omega =\{{F}_{q},E/{F}_{q},{G}_{q},P,G,{H}_{0},{H}_{1},{H}_{2},{P}_{pub}\}$, where master private key $SK=x$ and the public key $PK={P}_{pub}=xP$. Then B sends parameter $\Omega $ to ${A}_{1}$ , and the master private key SK is kept secret. B selects ${x}_{i}\in {Z}_{q}^{*}(i\in \{2,\cdots ,d,C\})$, ${r}_{i}\in {Z}_{q}^{*}(i\in \{1,2,\cdots ,d,C\})$ randomly and set

${P}_{i}={x}_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$ ,

${P}_{1}=aP$,${R}_{i}={r}_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$ ,

${e}_{i}={r}_{i}+x{H}_{0}(I{D}_{i},{R}_{i},{P}_{i})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$$(i\in \{1,2,\cdots ,d,C\left\}\right)$ .

B sends the public key $P{K}_{{O}_{i}}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $P{K}_{C}$ to ${A}_{1}$, but $S{K}_{{O}_{i}}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $S{K}_{C}$ are unknown to ${A}_{1}$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_{u}$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list ${L}_{u}$ of the tuple $(I{D}_{u},{x}_{u}P,{r}_{u}P,{r}_{u})$ and upon receiving an identity $I{D}_{u}$, performs the following steps.

Case1. $I{D}_{u}=I{D}_{u}^{\u25ca}$. B picks at randomly ${x}_{u}^{\u25ca}\in {Z}_{q}^{*}$, setting $P{K}_{u}^{\u25ca}=({x}_{u}^{\u25ca}P,bP)$, and adds the tuple $(I{D}_{u}^{\u25ca},{x}_{u}^{\u25ca}P,{x}_{u}^{\u25ca},bP,\u25ca)$ to the list ${L}_{u}$, Where ◊ represents a null value.

Case2. $I{D}_{u}\ne I{D}_{u}^{\u25ca}$. B picks at randomly ${x}_{u},{r}_{u}\in {Z}_{q}^{*}$, setting $P{K}_{u}=({x}_{u}P,{r}_{u}P)$, and adds the tuple $(I{D}_{u},{x}_{u}P,{r}_{u}P,{r}_{u})$ to the list ${L}_{u}$.

Replace-Public-Key query: B maintains a list ${L}_{R}$ of tuple $(I{D}_{j},P{K}_{j},P{{K}_{j}}^{\prime})$. When ${A}_{1}$ inputs $(I{D}_{j},P{{K}_{j}}^{\prime})$, B replaces $P{K}_{j}$ with $P{{K}_{j}}^{\prime}$, and adds $(I{D}_{j},P{K}_{j},P{{K}_{j}}^{\prime})$ to the list ${L}_{R}$.

Secret-Value query: When ${A}_{1}$ asks the secret value for $I{D}_{j}$, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in the list ${L}_{u}$ and returns ${x}_{j}$.If $P{K}_{j}$ is replaced, B refuses to answer.

Partial-Private-Key query: B establishes a list ${L}_{e}$ of tuple $(I{D}_{j},{e}_{j})$ when ${A}_{1}$ asks the partial private key of $I{D}_{j}$. If $I{D}_{j}=I{D}_{u}^{\u25ca}$ , B fails and stops. Otherwise, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in the list ${L}_{u}$ , running the Extract-Partial-Private-Key algorithm generating ${e}_{j}$. B output ${e}_{j}$ and adds $(I{D}_{j},{e}_{j})$ to the list ${L}_{e}$.

Keyword Ciphertext Query: When ${A}_{1}$ asks $W=\{{w}_{i,1},{w}_{i,2},\cdots ,{w}_{i,m}\}$ for the ciphertext, B operates the $Enc(\Omega ,F,W,\left\{I{D}_{i}\right\},ID,\left\{S{K}_{i}\right\},\left\{P{K}_{i}\right\}\}$ algorithm to generate ciphertext ${C}_{W}=\{{I}_{i,1},{I}_{i,2},{V}_{i,0},{V}_{i,1},\cdots ,{V}_{i,m}\}$.

Keyword Trapdoor Query: When ${A}_{1}$ asks ${W}^{\prime}=\{{w}_{1}^{\prime},{w}_{2}^{\prime},\cdots ,{w}_{l}^{\prime}\}$ for the trapdoor, B operates the $TrapGen\{\Omega ,S{K}_{u},{W}^{\prime}\}$ algorithm to generate trapdoor ${T}_{{w}^{\prime}}=\{{T}_{{{w}^{\prime}}_{0}},{T}_{{{w}^{\prime}}_{1}},\cdots ,{T}_{{{w}^{\prime}}_{m}},{T}_{{{w}^{\prime}}_{m+1}}\}$.

Test Query: ${A}_{1}$ gives keyword ciphertext ${{C}_{W}}_{i}=\{{I}_{i,1},{I}_{i,2},{V}_{i,0},{V}_{i,1},\cdots ,{V}_{i,m}\}$ and keyword trapdoor ${T}_{{w}^{\prime}}=\{{T}_{{{w}^{\prime}}_{0}},{T}_{{{w}^{\prime}}_{1}},\cdots ,{T}_{{{w}^{\prime}}_{m}},{T}_{{{w}^{\prime}}_{m+1}}\}$, and B compares them using Algorithm 1.

Challenge: ${A}_{1}$ submits a tuple $({W}_{0},{W}_{1},I{{D}_{u}}^{*},P{K}_{u}^{*})$ , where ${W}_{0}=\{{w}_{0,1},{w}_{0,2},\cdots ,{w}_{0,m}\}$ and ${W}_{1}=\{{w}_{1,1},{w}_{1,2},\cdots ,{w}_{1,m}\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_{u}^{*}\ne I{D}_{u}^{\u25ca}$, B aborts. Otherwise $I{D}_{u}^{*}=I{D}_{u}^{\u25ca}$, B calculates ${{l}_{u}}^{\u25ca}={H}_{0}(I{D}_{u}^{\u25ca},{R}_{u}^{\u25ca},{P}_{u}^{\u25ca})$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=2}^{d}}{x}_{k}+{\displaystyle \sum _{k=1}^{d}}{e}_{k}){P}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{R}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{l}_{u}^{\u25ca}{P}_{pub}+{x}_{u}^{\u25ca}aP+{l}_{u}^{\u25ca}xaP+X$.

Let $F\left(x\right)=(x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,1}\right))(x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,2}\right))\cdots (x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,m}\right))-1$, which can get $F\left(x\right)={b}_{\xi ,m}{x}^{m}+{b}_{\xi ,m-1}{x}^{m-1}+\cdots +{b}_{\xi ,1}x+{b}_{\xi ,0}$ by combining similar terms. Then B selects ${\lambda}_{\xi},{\mu}_{\xi}{\in}_{R}{{Z}_{q}}^{*}$ and computes ${M}_{\xi}={\lambda}_{\xi}{Q}_{c}$. Set ${I}_{\xi ,1}={M}_{\xi}-{\mu}_{\xi}P,{I}_{\xi ,2}={\lambda}_{\xi}P$, ${V}_{\xi ,j}={\mu}_{\xi}{b}_{\xi ,j}(0\le j\le m)$. Thus, the corresponding ciphertext of ${W}_{\xi}=\{{w}_{\xi ,1},{w}_{\xi ,2},\cdots ,{w}_{\xi ,m}\}$ is ${{C}_{W}}_{\xi}=\{{I}_{\xi ,1},{I}_{\xi ,2},{V}_{\xi ,0},{V}_{\xi ,1},\cdots ,{V}_{\xi ,m}\}$. B returns the challenge ciphertexts ${C}_{{W}_{\xi}}$ to the adversary ${A}_{1}$.

Phase 2: ${A}_{1}$ can continue to execute various queries, but there is a limitation that ${A}_{1}$ is not allowed to query the keyword ciphertext or trapdoor of ${W}_{0}$ or ${W}_{1}$.

Guess: ${A}_{1}$ returns ${\xi}^{\prime}$.

Solve CDH problem: If ${\xi}^{\prime}=\xi $, B returns 1, otherwise 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=2}^{d}}{x}_{k}+{\displaystyle \sum _{k=1}^{d}}{e}_{k}){P}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{R}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{l}_{u}^{\u25ca}{P}_{pub}+{x}_{u}^{\u25ca}aP+{l}_{u}^{\u25ca}xaP+X$

$=({x}_{0}+{e}_{0}){P}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{R}_{u}^{\u25ca}+{x}_{0}{l}_{u}^{\u25ca}{P}_{pub}+abP$

$=({x}_{0}+{e}_{0}){P}_{u}^{\u25ca}+{x}_{0}{R}_{u}^{\u25ca}+{x}_{0}{l}_{u}^{\u25ca}{P}_{pub}$

Therefore, ${{C}_{W}}_{\xi}$ is a valid ciphertext. Suppose that the advantage of ${A}_{1}$ wins in the above game is $\epsilon $. So

$\text{}Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

If $X\ne abP$, then ${C}_{{W}_{\xi}}$ is an invalid ciphertext. ${A}_{1}$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$\text{}Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

Probability: Let ${q}_{u}$, ${q}_{r}$ and ${q}_{e}$ be the number of the User public key query, Replace-Public-Key query, and Partial-Private-Key query, respectively. The two events are as follows:

${\pi}_{1}$ : ${A}_{1}$ did not replace of $I{D}_{u}^{\u25ca}$’s public key ${R}_{u}^{\u25ca}$ and query the partial-private-key for $I{D}_{u}^{\u25ca}$.

${\pi}_{2}$ : $I{D}_{u}^{*}=I{D}_{u}^{\u25ca}$.

It’s not hard to get the following results.

$Pr\left[{\pi}_{1}\right]=\frac{{q}_{u}-{q}_{r}-{q}_{e}}{{q}_{u}}$,

$Pr[{\pi}_{2}\left(\right)open="|"\; close>{\pi}_{1}]$ ,

$Pr[B$$success]=Pr[{\pi}_{1}\wedge {\pi}_{2}]=\frac{1}{{q}_{u}}$.

If ${A}_{1}$ win Game 1 with an advantage of $\epsilon $, then B has a probability greater than $\frac{\epsilon}{{q}_{u}}$ to determine whether $X=abP$.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of an ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up: B runs the setup$\left({1}^{k}\right)$ program to get public parameters $\Omega =\{{F}_{q},E/{F}_{q},{G}_{q},P,G,{H}_{0},{H}_{1},{H}_{2},{P}_{pub}\}$, where master private key $SK=x$ and the public key $PK={P}_{pub}=xP$. B selects ${x}_{i}\in {Z}_{q}^{*}(i\in \{1,2,\cdots ,d,C\})$, ${r}_{i}\in {Z}_{q}^{*}(i\in \{2,\cdots ,d,C\})$ randomly and set

${P}_{i}={x}_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$,

${R}_{1}=aP$,${R}_{i}={r}_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$,

${e}_{1}=a+x{H}_{0}(I{D}_{1},{R}_{1},{P}_{1})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$, ${e}_{i}={r}_{i}+x{H}_{0}(I{D}_{i},{R}_{i},{P}_{i})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$$(i\in \{2,\cdots ,d,C\left\}\right)$

B sends the public parameters $\Omega $, the public key $P{K}_{{O}_{i}}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and the public/secret key pair $(PK,SK)$ to ${A}_{2}$, while $S{K}_{{O}_{i}}$$(i\in \{1,2,\cdots ,d\left\}\right)$ are unknown to ${A}_{2}$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_{u}$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B maintains a list ${L}_{u}$ containing the tuple $(I{D}_{u},{x}_{u}P,{r}_{u}P,{r}_{u})$ and takes the following actions when receiving an identity $I{D}_{u}$:

Case1. $I{D}_{u}=I{D}_{u}^{\u25ca}$. B chooses a number ${r}_{u}^{\u25ca}\in {Z}_{q}^{*}$ at random, sets $P{K}_{u}^{\u25ca}=(bP,{r}_{u}^{\u25ca}P)$, and adds the tuple $(I{D}_{u}^{\u25ca},bP,\u25ca,{r}_{u}^{\u25ca}P,{r}_{u}^{\u25ca})$ to the list ${L}_{u}$, Where ◊ represents a null value.

Case2. $I{D}_{u}\ne I{D}_{u}^{\u25ca}$. B chooses ${x}_{u},{r}_{u}\in {Z}_{q}^{*}$ at random, sets $P{K}_{u}=({x}_{u}P,{r}_{u}P)$, and adds the tuple $(I{D}_{u},{x}_{u}P,{r}_{u}P,{r}_{u})$ to the list ${L}_{u}$.

Replace-Public-Key query: same as that in Lemma 1

Secret-Value query: B established a list ${L}_{s}$ of tuple $(I{D}_{j},{x}_{j})$. When ${A}_{2}$ asks the secret value for $I{D}_{j}$. If $I{D}_{j}=I{D}_{u}^{\u25ca}$, B fails and stops. Otherwise, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in list ${L}_{u}$, returns ${x}_{j}$.

Partial-Private-Key query: When ${A}_{2}$ asks the partial private key of $I{D}_{j}$, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in list ${L}_{u}$, running the Extract-Partial-Private-Key algorithm and returning ${e}_{j}$.If $P{K}_{j}$ is replaced, B refuses to answer.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: ${A}_{2}$ submits a tuple $({W}_{0},{W}_{1},I{D}_{u}^{*},P{K}_{u}^{*})$ that meets the requirements of Game 2, where ${W}_{0}=\{{w}_{0,1},{w}_{0,2},\cdots ,{w}_{0,m}\}$ and ${W}_{1}=\{{w}_{1,1},{w}_{1,2},\cdots ,{w}_{1,m}\}$ are challenging keywords not asked in the previous trapdoor query and ciphertext query. If $I{D}_{u}\ne I{D}_{u}^{\u25ca}$ , B aborts. Otherwise $I{D}_{u}^{*}=I{D}_{u}^{\u25ca}$, B computes ${l}_{u}^{\u25ca}={H}_{0}(I{D}_{u}^{\u25ca},{R}_{u}^{\u25ca},{P}_{u}^{\u25ca})$, ${l}_{1}={H}_{0}(I{D}_{1},{R}_{1},{P}_{1})$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=1}^{d}}{x}_{k}+x{l}_{1}+{\displaystyle \sum _{k=2}^{d}}{e}_{k}){P}_{u}^{\u25ca}+{\displaystyle \sum _{k=1}^{d}}{x}_{k}{R}_{u}^{\u25ca}+{\displaystyle \sum _{k=1}^{d}}{x}_{k}{l}_{u}^{\u25ca}{P}_{pub}+X$.

Let $F\left(x\right)=(x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,1}\right))(x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,2}\right))\cdots (x-{h}_{2}\left(t\right){h}_{1}\left({w}_{\xi ,m}\right))-1$, which can get $F\left(x\right)={b}_{\xi ,m}{x}^{m}+{b}_{\xi ,m-1}{x}^{m-1}+\cdots +{b}_{\xi ,1}x+{b}_{\xi ,0}$ by combining similar terms. Then select ${\lambda}_{\xi},{\mu}_{\xi}{\in}_{R}{{Z}_{q}}^{*}$ at random and compute ${M}_{\xi}={\lambda}_{\xi}{Q}_{c}$. Set ${I}_{\xi ,1}={M}_{\xi}-{\mu}_{\xi}P,{I}_{\xi ,2}={\lambda}_{\xi}P$, ${V}_{\xi ,j}={\mu}_{\xi}{b}_{\xi ,j}(0\le j\le m)$, and thus ${W}_{\xi}=\{{w}_{\xi ,1},{w}_{\xi ,2},\cdots ,{w}_{\xi ,m}\}$’s ciphertext is ${C}_{{W}_{\xi}}=\{{I}_{\xi ,1},{I}_{\xi ,2},{V}_{\xi ,0},{V}_{\xi ,1},\cdots ,{V}_{\xi ,m}\}$. B returns the challenge ciphertexts ${C}_{{W}_{\xi}}$ to the adversary ${A}_{2}$.

Phase 2:The attacker ${A}_{2}$ can continue to execute various queries, but there is a limitation that the attacker ${A}_{2}$ is not allowed to query the keyword ciphertext or trap of ${W}_{0}$ or ${W}_{1}$.

Guess: ${A}_{2}$ returns ${\xi}^{\prime}$.

Solve the ECDDDH problem. If ${\xi}^{\prime}=\xi $, B returns 1. Otherwise 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=2}^{d}}{x}_{k}+{\displaystyle \sum _{k=1}^{d}}{e}_{k}){P}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{R}_{u}^{\u25ca}+{\displaystyle \sum _{k=2}^{d}}{x}_{k}{l}_{u}^{\u25ca}{P}_{pub}+{r}_{u}^{\u25ca}aP+{l}_{u}^{\u25ca}xaP+X$

$=({\displaystyle \sum _{k=2}^{d}}{x}_{k}+{e}_{0}){P}_{u}^{\u25ca}+{x}_{0}{R}_{u}^{\u25ca}+{x}_{0}{l}_{u}^{\u25ca}{P}_{pub}+abP$

$=({x}_{0}+{e}_{0}){P}_{u}^{\u25ca}+{x}_{0}{R}_{u}^{\u25ca}+{x}_{0}{l}_{u}^{\u25ca}{P}_{pub}$

Therefore, ${C}_{{W}_{\xi}}$ is a valid ciphertext. Suppose that the advantage of ${A}_{2}$ wins in the above game is $\epsilon $, so

$Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

If $X\ne abP$, then ${C}_{{W}_{\xi}}$ is an invalid ciphertext. ${A}_{2}$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

Probability. Let ${q}_{u}$, ${q}_{r}$, ${q}_{s}$ be the number of User public key query, Replace-Public-Key query, and Secret-Value query, respectively. The two events are as follows:

${\pi}_{1}$ : ${A}_{2}$ did not replace of $I{D}_{u}^{\u25ca}$’s public key ${P}_{u}^{\u25ca}$ nor perform the Secret-Value query for $I{D}_{u}^{\u25ca}$.

${\pi}_{2}$ : $I{D}_{u}^{*}=I{D}_{u}^{\u25ca}$.

It’s not hard to get the following results.

$Pr\left[{\pi}_{1}\right]=\frac{{q}_{u}-{q}_{r}-{q}_{s}}{{q}_{u}}$,

$Pr[{\pi}_{2}\left(\right)open="|"\; close>{\pi}_{1}]$ ,

$Pr[B$$success]=Pr[{\pi}_{1}\wedge {\pi}_{2}]=\frac{1}{{q}_{u}}$.

If ${A}_{2}$ has an $\epsilon $ advantage to win Game, then B has a probability greater than $\frac{\epsilon}{{q}_{u}}$ to determine whether $X=abP$.

Proof: Theorem 2 holds from Lemma 1 and Lemma 2.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up: B runs the setup $\left({1}^{k}\right)$ program to obtain the public parameters $\Omega =\{{F}_{q},E/{F}_{q},{G}_{q},P,G,{H}_{0},{H}_{1},{H}_{2},{P}_{pub}\}$, where master private key $SK=x$ ,$PK={P}_{pub}=xP$, then randomly selects ${r}_{u},{x}_{C},{r}_{C}\in {Z}_{q}^{*}$,and set

${P}_{u}=aP$, ${R}_{u}={r}_{u}P$${P}_{C}={x}_{C}P$, ${R}_{C}={r}_{C}P$,

${e}_{C}={r}_{C}+x{H}_{0}(I{D}_{C},{R}_{C},{P}_{C})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$,

${e}_{u}={r}_{u}+x{H}_{0}(I{D}_{u},{R}_{u},{P}_{u})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$ .

B sends the public key $P{K}_{u}$ and $P{K}_{C}$ to ${A}_{1}$, but $S{K}_{u}$ and $S{K}_{C}$ are unknown to ${A}_{1}$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_{i}$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list ${L}_{o}$ of the tuple$(I{D}_{i},{x}_{i}P,{r}_{i}P,{r}_{i})$ and upon receiving an identity $I{D}_{i}$, performs the following steps.

Case1. $I{D}_{i}=I{D}_{i}^{\u25ca}$, B picks at randomly ${x}_{i}^{\u25ca}\in {Z}_{q}^{*}$, setting $P{K}_{i}^{\u25ca}=({x}_{i}^{\u25ca}P,bP)$, and adds the tuple $(I{D}_{i}^{\u25ca},{x}_{i}^{\u25ca}P,{x}_{i}^{\u25ca},bP,\u25ca)$ to the list ${L}_{o}$,Where ◊ represents a null value.

Case2. $I{D}_{i}\ne I{D}_{i}^{\u25ca}$, B picks at randomly ${x}_{i},{r}_{i}\in {Z}_{q}^{*}$, setting $P{K}_{i}=({x}_{i}P,{r}_{i}P)$, and adds the tuple $(I{D}_{i},{x}_{i}P,{r}_{i}P,{r}_{i})$ to the list ${L}_{o}$.

Replace-Public-Key query: same as that in Lemma 1.

Secret-Value query:same as that in Lemma 1.

Partial-Private-Key query: B establishes a list ${L}_{e}$ of tuple $(I{D}_{j},{e}_{j})$ when ${A}_{1}$ asks the partial private key of $I{D}_{j}$. If $I{D}_{j}=I{D}_{i}^{\u25ca}$, B fails and stops. Otherwise, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in the list ${L}_{o}$, running the Extract-Partial-Private-Key algorithm generating ${e}_{j}$. B output ${e}_{j}$ and adds $(I{D}_{j},{e}_{j})$ to the list ${L}_{e}$.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: ${A}_{1}$ submits a tuple $({W}_{0}^{\prime},{W}_{1}^{\prime},\{I{{D}_{1}}^{*},\cdots ,I{{D}_{d}}^{*}\},\{P{{K}_{1}}^{*},\cdots ,P{{K}_{d}}^{*}\})$, where ${W}_{0}^{\prime}=\{{w}_{0,1}^{\prime},{w}_{0,2}^{\prime},\cdots ,{w}_{0,l}^{\prime}\}$ and ${W}_{1}^{\prime}=\{{w}_{1,1}^{\prime},{w}_{1,2}^{\prime},\cdots ,{w}_{1,l}^{\prime}\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_{i}^{\u25ca}\notin \{I{{D}_{1}}^{*},I{{D}_{2}}^{*},\cdots ,I{{D}_{d}}^{*}\}$, B aborts. Otherwise,without losing generality, it is better to set $I{D}_{1}^{*}$ as $I{D}_{i}^{\u25ca}$. B calculates ${{l}_{0}}^{*}={\displaystyle \sum _{i=1}^{d}}{H}_{0}(I{D}_{i}^{*},{R}_{i}^{*},{P}_{i}^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t={e}_{u}{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=2}^{d}}{{x}_{i}}^{*}aP+{\displaystyle \sum _{i=1}^{d}}{{r}_{i}}^{*}aP+{{l}_{0}}^{*}xaP+X$

B selects an elements ${\eta}_{\xi}{\in}_{\mathrm{R}}{\mathrm{Z}}_{q}^{*}$ and sets ${T}_{{{W}^{\prime}}_{\xi ,m+1}}={\eta}_{\xi}P$ ,

${T}_{{{W}^{\prime}}_{\xi ,j}}={l}^{-1}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}{\left({{w}^{\prime}}_{\xi ,j}\right)}^{j}P+{\eta}_{\xi}{P}_{C}$, where $0\le j\le m$. Finally, B sent ${T}_{{W}_{\xi}^{\prime}}=\{{T}_{{{w}^{\prime}}_{\xi},0},{T}_{{{w}^{\prime}}_{\xi},1},\cdots ,{T}_{{{w}^{\prime}}_{\xi},m},{T}_{{{w}^{\prime}}_{\xi ,m+1}}\}$ to the adversary ${A}_{1}$.

Phase 2: The attacker ${A}_{1}$ can continue to execute various queries, but there is a limitation that the attacker ${A}_{1}$ is not allowed to query the keyword ciphertext or trapdoor of ${W}_{0}$ or ${W}_{1}$.

Guess: ${A}_{1}$ returns ${\xi}^{\prime}$.

Solve CDH problem: If ${\xi}^{\prime}=\xi $, B returns 1, otherwise 0. If $X=abP$, then

$t={e}_{u}{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=1}^{d}}{{x}_{i}}^{*}aP+{\displaystyle \sum _{i=2}^{d}}{{r}_{i}}^{*}aP+{{l}_{0}}^{*}xaP+X$

$=({x}_{u}+{e}_{u}){P}_{0}^{*}+{\displaystyle \sum _{i=2}^{d}}{{r}_{i}}^{*}aP+{x}_{u}{l}_{0}^{*}{P}_{pub}+abP$

$=({x}_{u}+{e}_{u}){P}_{0}^{*}+{x}_{u}{R}_{0}^{*}+{x}_{u}{l}_{0}^{*}{P}_{pub}$.

Therefore, ${T}_{{W}_{\xi}^{\prime}}$ is a valid ciphertext. Suppose that the advantage of ${A}_{1}$ wins in the above game is $\epsilon $. So

$\text{}Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

If $X\ne abP$, then${T}_{{W}_{\xi}^{\prime}}$ is an invalid ciphertext. ${A}_{1}$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

Probability: Let ${q}_{o}$, ${q}_{r}$ and ${q}_{e}$ be the number of the User public key query, Replace-Public-Key query, and Partial-Private-Key query, respectively. The two events are as follows:

${\pi}_{1}$ : ${A}_{1}$ did not replace of $I{D}_{i}^{\u25ca}$’s public key ${R}_{i}^{\u25ca}$ and query the partial-private-key for $I{D}_{i}^{\u25ca}$.

${\pi}_{2}$ : $I{D}_{1}^{*}=I{D}_{i}^{\u25ca}$.

It’s not hard to get the following results.

$\text{}Pr\left[{\pi}_{1}\right]=\frac{{q}_{o}-{q}_{r}-{q}_{e}}{{q}_{o}}$,

$Pr[{\pi}_{2}\left(\right)open="|"\; close>{\pi}_{1}]$ ,

$Pr[B$$success]=Pr[{\pi}_{1}\wedge {\pi}_{2}]=\frac{1}{{q}_{u}}$.

If ${A}_{1}$ win Game 1 with an advantage of $\epsilon $, then B has a probability greater than $\frac{\epsilon}{{q}_{o}}$ to determine whether $X=abP$.

Proof: Suppose that the tuple $(P,aP,bP,X)$ is an example of ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Set up : B runs the setup $\left({1}^{k}\right)$ program to obtain the public parameters $\Omega =\{{F}_{q},E/{F}_{q},{G}_{q},P,G,{H}_{0},{H}_{1},{H}_{2},{P}_{pub}\}$, where master private key $SK=x$ ,$PK={P}_{pub}=xP$, then randomly selects ${x}_{u},{x}_{C},{r}_{C}\in {Z}_{q}^{*}$, and set

${P}_{u}={x}_{u}P$, ${R}_{u}=aP$${P}_{C}={x}_{C}P$, ${R}_{C}={r}_{C}P$,

${e}_{C}={r}_{C}+x{H}_{0}(I{D}_{C},{R}_{C},{P}_{C})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$,

${e}_{u}=a+x{H}_{0}(I{D}_{u},{R}_{u},{P}_{u})\phantom{\rule{0.277778em}{0ex}}mod\phantom{\rule{0.277778em}{0ex}}q$

B sends the public parameters $\Omega $, the public key $P{K}_{u}$, and the public/secret key pair $(PK,SK)$ to ${A}_{2}$, while $S{K}_{u}$ are unknown to ${A}_{2}$.

Phase 1: Executed the user’s public key query before other queries using the identity $I{D}_{i}$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: user public key query: B keeps a list ${L}_{o}$ of the tuple$(I{D}_{i},{x}_{i}P,{r}_{i}P,{r}_{i})$ and upon receiving an identity $I{D}_{i}$, performs the following steps.

Case1. $I{D}_{i}=I{D}_{i}^{\u25ca}$, B picks at randomly ${r}_{i}^{\u25ca}\in {Z}_{q}^{*}$, setting $P{K}_{i}^{\u25ca}=(bP,{r}_{i}^{\u25ca}P)$, and adds the tuple $(I{D}_{i}^{\u25ca},bP,\u25ca,{r}_{i}^{\u25ca}P,{r}_{i}^{\u25ca})$ to the list ${L}_{o}$, Where ◊ represents a null value. .

Case2. $I{D}_{i}\ne I{D}_{i}^{\u25ca}$, B picks at randomly ${x}_{i},{r}_{i}\in {Z}_{q}^{*}$, setting $P{K}_{i}=({x}_{i}P,{r}_{i}P)$, and adds the tuple $(I{D}_{i},{x}_{i}P,{r}_{i}P,{r}_{i})$ to the list ${L}_{o}$.

Replace-Public-Key query: same as that in Lemma 1.

Secret-Value query:B established a list ${L}_{s}$ of tuple $(I{D}_{j},{x}_{j})$. When ${A}_{2}$ asks the secret value for $I{D}_{j}$. If $I{D}_{j}=I{D}_{i}^{\u25ca}$, B fails and stops. Otherwise, B finds $(I{D}_{j},{x}_{j}P,{r}_{j}P,{r}_{j})$ in list ${L}_{o}$, returns ${x}_{j}$.

Partial-Private-Key query: same as that in Lemma 2.

Keyword Ciphertext Query: same as that in Lemma 1.

Keyword Trapdoor Query: same as that in Lemma 1.

Test Query: same as that in Lemma 1.

Challenge: ${A}_{2}$ submits a tuple $({W}_{0}^{\prime},{W}_{1}^{\prime},\{I{{D}_{1}}^{*},\cdots ,I{{D}_{d}}^{*}\},$$\{P{{K}_{1}}^{*},\cdots ,P{{K}_{d}}^{*}\})$ , where ${W}_{0}^{\prime}=\{{w}_{0,1}^{\prime},{w}_{0,2}^{\prime},\cdots ,{w}_{0,l}^{\prime}\}$ and ${W}_{1}^{\prime}=\{{w}_{1,1}^{\prime},{w}_{1,2}^{\prime},\cdots ,{w}_{1,l}^{\prime}\}$ are challenging keywords not requested in the previous trapdoor and ciphertext query. If $I{D}_{i}^{\u25ca}\notin \{I{{D}_{1}}^{*},I{{D}_{2}}^{*},\cdots ,I{{D}_{d}}^{*}\}$, B aborts. Otherwise, without losing generality, it is better to set $I{D}_{1}^{*}$ as $I{D}_{i}^{\u25ca}$. B calculates ${{l}_{0}}^{*}={\displaystyle \sum _{i=1}^{d}}{H}_{0}(I{D}_{i}^{*},{R}_{i}^{*},{P}_{i}^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t={x}_{u}{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=2}^{d}}{{x}_{i}}^{*}aP+{l}_{u}x{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=1}^{d}}{{r}_{i}}^{*}ap+{x}_{u}{{l}_{0}}^{*}{P}_{pub}+X$

B selects an elements ${\eta}_{\xi}{\in}_{\mathrm{R}}{\mathrm{Z}}_{q}^{*}$ and sets ${T}_{{{W}^{\prime}}_{\xi ,m+1}}={\eta}_{\xi}P$ ,

${T}_{{{W}^{\prime}}_{\xi ,j}}={l}^{-1}{h}_{2}{\left(t\right)}^{j}{\displaystyle \sum _{r=1}^{l}}{h}_{1}{\left({{w}^{\prime}}_{\xi ,j}\right)}^{j}P+{\eta}_{\xi}{P}_{C}$, where $0\le j\le m$ . Finally, B sent ${T}_{{W}_{\xi}^{\prime}}=\{{T}_{{{w}^{\prime}}_{\xi},0},{T}_{{{w}^{\prime}}_{\xi},1},\cdots ,{T}_{{{w}^{\prime}}_{\xi},m},{T}_{{{w}^{\prime}}_{\xi ,m+1}}\}$ to the adversary ${A}_{2}$.

Phase 2: The attacker ${A}_{2}$ can continue to execute various queries, but there is a limitation that the attacker ${A}_{2}$ is not allowed to query the keyword ciphertext or trapdoor of ${W}_{0}$ or ${W}_{1}$.

Guess: ${A}_{2}$ returns ${\xi}^{\prime}$.

Solve CDH problem: If ${\xi}^{\prime}=\xi $, B returns 1, otherwise 0. If $X=abP$, then

$t={x}_{u}{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=2}^{d}}{{x}_{i}}^{*}aP+{l}_{u}x{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{\displaystyle \sum _{i=1}^{d}}{{r}_{i}}^{*}aP+{x}_{u}{{l}_{0}}^{*}{P}_{pub}+X$

$={x}_{u}{P}_{0}^{*}+{\displaystyle \sum _{i=2}^{d}}{{x}_{i}}^{*}aP+{l}_{u}x{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{x}_{u}{R}_{0}^{*}+{x}_{u}{l}_{0}^{*}{P}_{pub}+abP$

$={x}_{u}{P}_{0}^{*}+{\displaystyle \sum _{i=1}^{d}}{{x}_{i}}^{*}aP+{l}_{u}x{\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{x}_{u}{R}_{0}^{*}+{x}_{u}{l}_{0}^{*}{P}_{pub}$

$={x}_{u}{P}_{0}^{*}+(a+{l}_{u}x){\displaystyle \sum _{i=1}^{d}}{{P}_{i}}^{*}+{x}_{u}{R}_{0}^{*}+{x}_{u}{l}_{0}^{*}{P}_{pub}$

$=({x}_{u}+{e}_{u}){P}_{0}^{*}+{x}_{u}{R}_{0}^{*}+{x}_{u}{l}_{0}^{*}{P}_{pub}$.

Therefore, ${T}_{{W}_{\xi}^{\prime}}$ is a valid ciphertext. Suppose that the advantage of ${A}_{2}$ wins in the above game is $\epsilon $. So

$Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

If $X\ne abP$, then ${T}_{{W}_{\xi}^{\prime}}$ is an invalid ciphertext. ${A}_{2}$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence

$Pr[{\xi}^{\prime}=\xi \left(\right)open="|"\; close>X=abP]$.

Probability: Let ${q}_{o}$ , ${q}_{r}$ and ${q}_{s}$ be the number of User public key query, Replace-Public-Key query, and Secret-Value query, respectively. The two events are as follows:

${\pi}_{1}$ : ${A}_{2}$ did not replace of $I{D}_{i}^{\u25ca}$’s public key ${P}_{i}^{\u25ca}$ and query the secret value for $I{D}_{i}^{\u25ca}$.

${\pi}_{2}$ : $I{D}_{1}^{*}=I{D}_{i}^{\u25ca}$.

It’s not hard to get the following results.

$Pr\left[{\pi}_{1}\right]=\frac{{q}_{o}-{q}_{r}-{q}_{e}}{{q}_{u}}$,

$Pr[{\pi}_{2}\left(\right)open="|"\; close>{\pi}_{1}]$ ,

$Pr[B$$success]=Pr[{\pi}_{1}\wedge {\pi}_{2}]=\frac{1}{{q}_{u}}$.

If ${A}_{2}$ win Game 4 with an advantage of $\epsilon $, then B has a probability greater than $\frac{\epsilon}{{q}_{o}}$ to determine whether $X=abP$.

Proof: The malicious CSP can’t forge a valid multi-signature on each returned record and pass the verification. Since it does not have the key of multiple data owners, it is computationally infeasible to forge a valid multi-signature. Therefore, the malicious CSP can only win the next security game by directly generating valid proof information according to the wrong search result ${C}^{*}$ instead of wining the next security game by forging multiple signatures. But after the following analysis, this is also impossible.

Assume that the correct ciphertext and its identity is $C=\{{\mathrm{c}}_{1},{\mathrm{c}}_{2},\cdots ,{\mathrm{c}}_{n}\}$ and $sig=\{si{g}_{1},\cdots ,si{g}_{n}\}$, where $si{g}_{t}=\{{Y}_{0,t},{V}_{0,t}\}$. The malicious CSP may forge wrong proof information $({\varphi}_{1}^{*},{\varphi}_{2}^{*})$ on false search results ${C}^{*}=\{{\mathrm{c}}_{{k}_{1}}^{*},{\mathrm{c}}_{{k}_{2}}^{*},\cdots ,{\mathrm{c}}_{{k}_{s}}^{*}\}$, where
If the forged proof information $({\varphi}_{1}^{*},{\varphi}_{2}^{*})$ can successfully pass the result verification mechanism, the malicious CSP will win the security game; Otherwise, it will fail. Suppose a malicious CSP wins the game. We then know that
$${{\varphi}_{1}}^{*}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}}^{*},i{d}_{{k}_{\tau}}^{*},{Y}_{0,{k}_{\tau}},{P}_{0}),$$

$${{\varphi}_{1}}^{*}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}}^{*},i{d}_{{k}_{\tau}}^{*},{Y}_{0,{k}_{\tau}},{P}_{0}),$$

$${{\varphi}_{2}}^{*}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}}^{*},i{d}_{{k}_{\tau}}^{*},{Y}_{0,{k}_{\tau}},{Q}_{0}).$$

$${{\varphi}_{2}}^{*}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}}^{*},i{d}_{{k}_{\tau}}^{*},{Y}_{0,{k}_{\tau}},{Q}_{0})$$

where $\sigma ={\displaystyle \sum _{\tau =1}^{s}}{V}_{0,{k}_{\tau}}$. The proof information of correct ciphertext C is $({\varphi}_{1},{\varphi}_{2})$, where

$${\varphi}_{1}={\displaystyle \sum _{\tau =1}^{s}}{H}_{1}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{P}_{0}),$$

$${\varphi}_{2}={\displaystyle \sum _{\tau =1}^{s}}{H}_{2}({c}_{{k}_{\tau}},i{d}_{{k}_{\tau}},{Y}_{0,{k}_{\tau}},{Q}_{0}).$$

The signature of the correct ciphertext can pass the verification mechanism, so we have

$$\sigma P={\displaystyle \sum _{\tau =1}^{s}}{Y}_{o,{k}_{\tau}}+{\varphi}_{1}{P}_{0}+{\varphi}_{2}{Q}_{0}$$

Subtract Formula (4) from Formula (5) to get

$$({\varphi}_{1}-{{\varphi}_{1}}^{*}){P}_{0}=({{\varphi}_{2}}^{*}-{\varphi}_{2}){Q}_{0}$$

Because $({\varphi}_{1},{\varphi}_{2})$ is not equal to $({\varphi}_{1}^{*},{\varphi}_{2}^{*})$, so ${\varphi}_{1}\ne {\varphi}_{1}^{*}$ or ${\varphi}_{2}\ne {\varphi}_{2}^{*}$. Set $\Delta {\varphi}_{1}={\varphi}_{1}-{{\varphi}_{1}}^{*}$, $\Delta {\varphi}_{2}={\varphi}_{2}-{{\varphi}_{2}}^{*}$, then $\Delta {\varphi}_{1}\ne 0$ or $\Delta {\varphi}_{2}\ne 0$. Suppose $\Delta {\varphi}_{1}$ is not zero, then ${P}_{0}=\frac{\Delta {\varphi}_{2}}{\Delta {\varphi}_{1}}{Q}_{0}$. If the probability of $\Delta {\varphi}_{1}=0$ is $\frac{1}{q}$, then the probability that we can break the ECDLP problem is $1-\frac{1}{q}$, where q is the length of ${G}_{q}$. This means that if the malicious CSP can pass the verification, we can break the ECDLP problem.

In this section, we compare our scheme with other certificateless or verifiable search schemes in terms of computational complexity, storage overhead and security.

First, let’s talk about security. Table 2 compares the security of the current scheme with other schemes. The CKCA-CIND, the IND-KGA, the insider KGA, the FIA, the SCF, and the VER are used to measure the scheme’s security. The CKCA-CIND means that the scheme is in differentiability of ciphertext for selected keyword ciphertext attacks, the IND-KGA means the indistinguishability of indiscernibility of trapdoors, the insider-KGA denotes that the scheme is secure against keyword-guessing attacks launched by malicious server, the FIA denotes that the scheme is resistant to file injection attack, the SCF means that the scheme has no secure channel, and the VER indicates that the scheme can prevent malicious CSP from returning wrong search results.

scheme | CKCA-CIND | IND-KGA | insider-KGA | FIA | SCF | VER |

VCKSM[18] | No proof | yes | no | no | yes | yes |

VMKS[46] | yes | yes | No proof | No proof | yes | yes |

VMKDO[33] | yes | yes | no | no | yes | yes |

VCSE[46] | yes | No proof | no | no | yes | yes |

CLPAEKS[12] | No proof | No proof | yes | yes | yes | No proof |

CL-dPAEKS[11] | No proof | No proof | yes | yes | yes | No proof |

our | yes | yes | yes | yes | yes | yes |

It is worth noting that no solution can simultaneously achieve result validation, conjunctive keyword search, and certificateless and bilinear pairings, as shown in Table 2. Our proposed solution can simultaneously perform four functions and is proven secure under the standard model.

Next, we compare the computational complexity. To compare the computational complexity, we use the operation time of He et al.’s scheme[47] as the benchmark. He et al. tested the time required for the relevant operations in the experimental environment of Samsung Galaxy S5 based on the Android 4.4.2 operating system, quad-core 2.45G processor, and 2G byte memory. Table 4 shows the exact running time and symbols of the various operations. The mapping $e:{G}_{1}\times {G}_{1}\to {G}_{2}$ is a bilinear pair where ${G}_{1}$ is an additive group of singular elliptic curves of order p defined on a finite field ${F}_{q}$. The lengths of p and q are 512 bits and 160 bits, respectively. G is an additive group of non-sigular elliptic curve of order q defined on the prime finite field ${F}_{q}$. The length of p and q is 160.

symbols | Definition |

${T}_{bp}$ | Running time required for a bilinear pairing operation, ${T}_{bp}\approx 32.713ms$ |

${T}_{htp}$ | Running time required for a hash-to-operation,${T}_{htp}\approx 33.582ms$ |

${T}_{sm}$ | Running time required for a scalar multiplication operation in ${G}_{1},{T}_{sm}\approx 13.405ms$ |

${T}_{exp}$ | Running time required for an exponentiation operation in ${G}_{2},{T}_{exp}\approx 2.249ms$ |

${T}^{\prime}sm$ | Running time required for a scalar multiplication operation in $G,{T}_{sm}\approx 3.335ms$ |

u | Number of data users |

d | Number of data owners |

m | Number of keywords in ciphertext |

n | Number of ciphertext |

s | Number of search keywords |

Table 4 shows the comparison results of the running time of the verifiable conjunctive keyword search encryption scheme. To be more intuitive and specific, we taking n=1000, m=100, d=100, u=50, s=50. Table 5 shows the calculation time of the three schemes. Except for the search algorithm, our scheme takes less time than the other two schemes, especially for the verification algorithm. Therefore, our scheme is the most efficient.

scheme | keyGen | Enc | Trap | search | verify |

VCKSM[18] | $(u+d+1){T}_{sm}$ | [2nd + n(m + 2)]$\begin{array}{c}{T}_{sm}\hfill \\ +2n{T}_{exp}+2n{T}_{bp}\hfill \\ {+nT}_{htp}\hfill \end{array}$ | $(m+3){T}_{sm}$ | $\begin{array}{c}(n+3){T}_{sm}\hfill \\ +[n(m+1)+1]{T}_{bp}\hfill \end{array}$ | $\begin{array}{c}(2s+1){T}_{sm}\hfill \\ +s{T}_{htp}+2{T}_{bp}\hfill \end{array}$ |

VMKS[46] | $(4u+4d){T}_{sm}$ | $\begin{array}{c}n{T}_{htp}+\hfill \\ (6n+mn){T}_{sm}\hfill \end{array}$ | $(l+5){T}_{sm}$ | $4{T}_{bp}$ | $\begin{array}{c}(s+2){T}_{sm}\hfill \\ +s{T}_{htp}+3{T}_{bp}\hfill \end{array}$ |

our | $(2d+5){T}^{\prime}\mathrm{sm}$ | $[nd+n(m+4)]{T}^{\prime}sm$ | $(m+6){T}^{\prime}sm$ | $2+n(m+1)]{T}^{\prime}sm$ | $3{T}^{\prime}sm$ |

scheme | keyGen(ms) | Enc(ms) | Trap(ms) | search(ms) | verify(ms) | Total |

VCKSM[18] | 2024.155 | 4151817 | 1380.715 | 3305426.428 | 3098.481 | 7463746.779 |

VMKS[46] | 8043 | 1382126 | 737.275 | 130.852 | 2474.349 | 1393511.476 |

our | 683.675 | 680340 | 353.51 | 336838.335 | 6.67 | 1018222.19 |

Let $\left(\right)$, $\left(\right)$, $\left|G\right|$ and $\left(\right)$ denote the size of an element in ${G}_{1}$, ${G}_{2}$, G and ${{Z}^{*}}_{q}$, respectively. For more intuitive comparison of communication costs. Table 6 uses n=100, m=10 and s=10. As shown in Figure 3, our solution has the lowest storage cost.

scheme | Ciphertext size(bytes) | Trapdoor size(bytes) |

VCKSM[18] | $n\left(\right)open="("\; close=")">m+2=1200\times 512/8=76800$ | $\left(\right)open="|"\; close="|">{G}_{1}+s\left(\right)open="|"\; close="|">{Z}_{q}^{*}$ |

VMKS[46] | $\begin{array}{c}n\left(\right)open="("\; close=")">\left(\right)open="|"\; close="|">{G}_{2}+\left(\right)open="("\; close=")">m+2\left(\right)open="|"\; close="|">{G}_{1}\hfill \end{array}$ | $\left(\right)open="("\; close=")">m+2+\left(\right)open="|"\; close="|">{Z}_{q}^{*}$ |

our | $n\left(\right)open="("\; close=")">m+3$ | $(m+2)\left|G\right|=12\times 160/8=240$ |

As stated in the summary, our scheme is more efficient than others in computing and communication costs. And it is also the best in security.

Searchable encryption is an essential technology for medical Internet of Things. We have constructed a certificateless verifiable bilinear pair-free conjunctive keyword search encryption scheme (CLVPFCKS) for the Internet of Medical. The performance analysis shows that the CLVPFCKS scheme proposed in this paper performs better than the verifiable conjunctive keyword searchable encryption scheme using bilinear pairing. We prove the new system can resist keyword guessing attacks, choose keyword attacks (CKA), and file injection attacks under the standard model.

- L. AtzoriA. Iera and G. Morabito, "The Internet of Things: A survey," Comput. Netw., vol. 54, no. 15, pp. 2787-2805, 2010. [CrossRef]
- A. Zanella, N. Bui, A. Castellani, L. Vangelista and M. Zorzi, "Internet of Things for Smart Cities," Ieee Internet of Things Journal, vol. 1, no. 1, pp. 22-32, 2014. [CrossRef]
- P. Bellavista, G. Cardone, A. Corradi and L. Foschini, "Convergence of MANET and WSN in IoT Urban Scenarios," Ieee Sens. J., vol. 13, no. 10, pp. 3558-3567, 2013. [CrossRef]
- V. Jagadeeswari, V. Subramaniyaswamy, R. Logesh and V. Vijayakumar, "A study on medical Internet of Things and Big Data in personalized healthcare system," Health Information Science and Systems, vol. 6, no. 1, 2018. [CrossRef]
- D.J. He, R. Ye, S. Chan, M. Guizani and Y.P. Xu, "Privacy in the Internet of Things for Smart Healthcare," Ieee Commun. Mag., vol. 56, no. 4, pp. 38-44, 2018. [CrossRef]
- Y.Y. ChenJ.C. Lu and J.K. Jan, "A Secure EHR System Based on Hybrid Clouds," J. Med. Syst., vol. 36, no. 5, pp. 3375-3384, 2012. [CrossRef]
- D.X. SongD. Wagner and A. Perrig, Practical Techniques for Searches on Encrypted Data, Proc. IEEE Symposium on Security & Privacy, 2002, pp. 44-55.
- D. Boneh, G.D. Crescenzo, R. Ostrovsky and G. Persiano, "Public Key Encryption with Keyword Search," Eurocrypt 2004, pp. 506-522, 2004. [CrossRef]
- J. BaekR. Safiavinaini and W. Susilo, Public Key Encryption with Keyword Search Revisited, Proc. International Conference on Computational Science and Its Applications (ICCSA 2008), 2008, pp. 1249-1259. [CrossRef]
- H.S. Rhee, J.H. Park, W. Susilo and D.H. Lee, Improved searchable public key encryption with designated tester, Proc. International Symposium on Information, 2009, pp. 376. [CrossRef]
- L. Wu, Y. Zhang, M. Ma, N. Kumar and D. He, "Certificateless searchable public key authenticated encryption with designated tester for cloud-assisted medical Internet of Things," Ann. Telecommun., vol. 74, no. 7-8, pp. 423-434, 2019. [CrossRef]
- D. He, M. Ma, S. Zeadall, N. Kumar and K. Liang, "Certificateless Public Key Authenticated Encryption with Keyword Search for Industrial Internet of Things," Ieee T. Ind. Inform., pp. 1, 2017. [CrossRef]
- M.M. A, D.H.B. C, M.K.K. D and J.C. A, "Certificateless searchable public key encryption scheme for mobile healthcare system," Comput. Electr. Eng., vol. 65, pp. 413-424, 2018. [CrossRef]
- M. Ma, D. He, S. Fan and D. Feng, "Certificateless searchable public key encryption scheme secure against keyword guessing attacks for smart healthcare," Journal of Information Security and Applications, vol. 50, 2020. [CrossRef]
- Y. Lu and J. Li, "Constructing pairing-free certificateless public key encryption with keyword search," Frontiers of Information Technology & Electronic Engineering, vol. 20, no. 8, pp. 1049-1060, 2019. [CrossRef]
- P. GolleJ. Stadon and B. Waters, Secure conjunctive keyword search over encrypted data,3089, M. Jakobsson, et al., eds., 2004, pp. 31-45. [CrossRef]
- Y.H. Hwang and P.J. Lee, Public key encryption with conjunctive keyword search and its extension to a multi-user system, Book Public key encryption with conjunctive keyword search and its extension to a multi-user system, Series Public key encryption with conjunctive keyword search and its extension to a multi-user system 4575,ed., Editor ed., 2007, pp. 2. [CrossRef]
- Y.B. Miao, et al., "VCKSM: Verifiable conjunctive keyword search over mobile e-health cloud in shared multi-owner settings," Pervasive Mob. Comput., vol. 40, pp. 205-219, 2017. [CrossRef]
- Y. Yang and M.D. Ma, "Conjunctive Keyword Search With Designated Tester and Timing Enabled Proxy Re-Encryption Function for E-Health Clouds," Ieee T. Inf. Foren. Sec., vol. 11, no. 4, pp. 746-759, 2016. [CrossRef]
- S.H. Heng and K. Kurosawa, k-resilient identity-based encryption in the standard model,2964, T. Okamoto, ed., 2004, pp. 67-80. [CrossRef]
- D. Khader, Public key encryption with keyword search based on K-resilient IBE,3982, M. Gavrilova, et al., eds., 2006, pp. 298-308.
- H.M. YangC.X. Xu and H.T. Zhao, An Efficient Public Key Encryption with Keyword Scheme Not Using Pairing, Proc. First International Conference on Instrumentation, 2011.
- T.F. Vallent and H. Kim, A Pairing-Free Public Key Encryption with Keyword Searching for Cloud Storage Services, Book A Pairing-Free Public Key Encryption with Keyword Searching for Cloud Storage Services, Series A Pairing-Free Public Key Encryption with Keyword Searching for Cloud Storage Services 135,ed., Editor ed., 2014, pp. 70.
- N.B. YangS.M. Xu and Z. Quan, "An Efficient Public Key Searchable Encryption Scheme for Mobile Smart Terminal," Ieee Access, vol. 8, pp. 77940-77950, 2020. [CrossRef]
- M. Ma, M. Luo, S. Fan and D. Feng, "An Efficient Pairing-Free Certificateless Searchable Public Key Encryption for Cloud-Based IIoT," Wirel. Commun. Mob. Com., vol. 2020, 2020. [CrossRef]
- M.R. Senouci, I. Benkhaddra, A. Senouci and F.G. Li, "A provably secure free-pairing certificateless searchable encryption scheme," Telecommun. Syst., vol. 80, no. 3, pp. 383-395, 2022. [CrossRef]
- Z.Y. Hu, L.Z. Deng, Y.Y. Wu, H.Y. Shi and Y. Gao, "Secure and Efficient Certificateless Searchable Authenticated Encryption Scheme Without Random Oracle for Industrial Internet of Things," Ieee Syst. J., vol. 17, no. 1, pp. 1304-1315, 2023. [CrossRef]
- J.W. Byun, H.S. Rhee, H.A. Park and D.H. Lee, Off-line keyword guessing attacks on recent keyword search schemes over encrypted data,4165, W. Jonker and M. Petkovic, eds., 2006, pp. 75-83.
- Y. LuG. Wang and J.G. Li, "Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement," Inform. Sciences, vol. 479, pp. 270-276, 2019. [CrossRef]
- M.S. HwangS.T. Hsu and C.C. Lee, "A New Public Key Encryption with Conjunctive Field Keyword Search Scheme," Inf. Technol. Control, vol. 43, no. 3, pp. 277-288, 2014. [CrossRef]
- Q. Chai and G. Gong, Verifiable symmetric searchable encryption for semi-honest-but-curious cloud servers, Proc. IEEE International Conference on Communications, 2012.
- W. Sun, X. Liu, W. Lou, Y.T. Hou and H. Li, Catch You If You Lie to Me: Efficient Verifiable Conjunctive Keyword Search over Large Dynamic Encrypted Cloud Data, Proc. 34th IEEE Conference on Computer Communications (INFOCOM), 2015.
- Y. Miao, J. Ma, X. Liu, Z. Liu and F. Wei, "VMKDO: Verifiable multi-keyword search over encrypted cloud data for dynamic data-owner," Peer Peer Netw. Appl., vol. 11, no. 2, pp. 287-297, 2018. [CrossRef]
- Y. Miao, J. Weng, X. Liu, K. Raymond Choo, Z. Liu and H. Li, "Enabling verifiable multiple keywords search over encrypted cloud data," Inform. Sciences, vol. 465, pp. 21-37, 2018. [CrossRef]
- L. Fang, W. Susilo, C. Ge and J. Wang, "Public key encryption with keyword search secure against keyword guessing attacks without random oracle," Inform. Sciences, vol. 238, pp. 221-241, 2013. [CrossRef]
- Z.Y. Shao and B. Yang, "On security against the server in designated tester public key encryption with keyword search," Inform. Process. Lett., vol. 115, no. 12, pp. 957-961, 2015. [CrossRef]
- C. Hu and P. Liu, "An Enhanced Searchable Public Key Encryption Scheme with a Designated Tester and Its Extensions," Journal of Computers, vol. 7, no. 3, 2012. [CrossRef]
- H.S. Rhee, J.H. Park, W. Susilo and D.H. Lee, "Trapdoor security in a searchable public-key encryption scheme with a designated tester," J. Syst. Software, vol. 83, no. 5, pp. 763-771, 2010. [CrossRef]
- Y. LuG. Wang and J. Li, "On Security of a Secure Channel Free Public Key Encryption with Conjunctive Field Keyword Search Scheme," Inf. Technol. Control, vol. 47, no. 1, pp. 56-62, 2018. [CrossRef]
- I.R. Jeong, J.O. Kwon, D. Hong and D.H. Lee, "Constructing PEKS schemes secure against keyword guessing attacks is possible?" Computer Communications, vol. 32, no. 2, pp. 394-396, 2009. [CrossRef]
- P. Xu, H. Jin, Q. Wu and W. Wang, "Public-Key Encryption with Fuzzy Keyword Search: A Provably Secure Scheme under Keyword Guessing Attack," Ieee T. Comput., vol. 62, no. 11, pp. 2266-2277, 2013. [CrossRef]
- X.J. Lin, L. Sun, H.P. Qu and D.X. Liu, "On the Security of Secure Server-Designation Public Key Encryption with Keyword Search," Comput. J., vol. 61, no. 12, pp. 1791-1793, 2018. [CrossRef]
- Q. Huang and H.B. Li, "An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks," Inform. Sciences, vol. 403, pp. 1-14, 2017. [CrossRef]
- L. Wu, B. Chen, S. Zeadally and D. He, "An efficient and secure searchable public key encryption scheme with privacy protection for cloud storage," Soft Comput., vol. 22, no. 23, pp. 7685-7696, 2018. [CrossRef]
- S.S. Al-Riyami and K.G. Paterson, Certificateless public key cryptography,2894, C. S. Laih, ed., 2003, pp. 452-473.
- Y.M.J.W. Miao, "VCSE: Verifiable conjunctive keywords search over encrypted data without secure-channel," Peer-to-Peer Netw, pp. 995-1007, 2017.
- D.B. He, H.Q. Wang, L.N. Wang, J. Shen and X.Z. Yang, "Efficient certificateless anonymous multi-receiver encryption scheme for mobile devices," Soft Comput., vol. 21, no. 22, pp. 6801-6810, 2017. [CrossRef]

Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |

© 2024 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).

Copyright: This open access article is published under a Creative Commons CC BY 4.0 license, which permit the free download, distribution, and reuse, provided that the author and preprint are cited in any reuse.

A Certificateless Verifiable Bilinear Pair Free Conjunctive Keyword Search Encryption Scheme for IoMT

Weifeng Long

et al.

,

2024

HRA-Secure Proxy Re-encryption with Re-encryption Simulatability under Lwe in Standard Model

Bimei Wang

et al.

,

2023

Provably secure ECC-based anonymous authentication and key Agreement for IoT

Shunfang Hu

et al.

,

2024

© 2024 MDPI (Basel, Switzerland) unless otherwise stated