A Certificateless Verifiable Bilinear Pair-Free Conjunctive Keyword Search Encryption Scheme for IoMT

Abstract

With superior computing power and efficient data collection capability, Internet of Medical Things (IoMT) significantly improves the accuracy and convenience of medical work. As most communications are over open networks, it is critical to encrypt data to ensure confidentiality before uploading them to cloud storage servers (CSSs). Public key encryption with keyword search (PEKS) allows users to search for specific keywords in ciphertext and plays an essential role in IoMT. However, PEKS still has the following problems: 1. As a semi-trusted third party, the CSSs may provide wrong search results to save computing and bandwidth resources. 2. Single-keyword searches often produce many irrelevant results, which is undoubtedly a waste of computing and bandwidth resources. 3. Most PEKS schemes rely on bilinear pairings, resulting in computational inefficiencies. 4. Public key infrastructure (PKI)-based or identity-based PEKS schemes face the problem of certificate management or key escrow. 5. Most PEKS schemes are vulnerable to offline keyword guessing attacks, online keyword guessing attacks, and insider keyword guessing attacks. We present a certificateless verifiable and pairing-free conjunctive public keyword searchable encryption (CLVPFC-PEKS) scheme. An efficiency analysis shows that the performance advantage of the new scheme is far superior to that of the existing scheme. More importantly, we provide proof of security under the standard model (SM) to ensure the reliability of the scheme in practical applications.

1. Introduction

The Internet of Things can connect any item to the Internet. It uses information-sensing devices such as radio frequency identification and infrared sensors to transmit data and communicate according to specific protocols, thus realizing intelligent identification, positioning, tracking, monitoring, and management functions [1,2,3]. As shown in Figure 1, as an application of Internet of Things technology in the medical field, IoMT [4] can closely connect medical staff, patients, and various medical devices to achieve real-time feedback on patient health status. It not only improves the speed of medical response and provides all-weather medical care but also alleviates the workload of medical staff. IoMT improves the precision and convenience of medical work, leading to a better quality of medical care. IoMT also plays a significant role in saving lives, helping to control costs, and improving efficiency.

Electronic medical records (EMRs) [5,6] play a crucial role in IoMT. With the acceleration of the digitization of medical data, the amount of EMR data has increased rapidly. Storing and managing EMRs has become a significant challenge. Fortunately, cloud computing technology offers a solution to this challenge. Hospitals can store EMRs in the cloud, eliminating the cost of local management and maintenance and enabling efficient data sharing and utilization.

Because EMRs contain private patient information, they often need to be encrypted to ensure patient privacy. However, this encryption method makes it inconvenient for users to search for specific keywords in EMRs. The simplest solution is for users to download all the ciphertext data, decrypt them individually, and then search among them. This approach is impractical. It leads to exceedingly high computational and communication costs. To solve this problem, researchers have proposed searchable encryption (SE) [7] technology. SE is an encryption primitive that allows users to perform keyword searches on encrypted data.

In reality, we are more likely to encounter multi-data owner scenarios, such as a patient’s EMR, that often need to be co-managed by multiple doctors, departments, or healthcare organizations. If each party independently owns some of the data in an EMR, this scenario is a non-shared multi-owner scenario [8]. If, on the other hand, multiple parties jointly own the data of an EMR, then this scenario is a shared multi-owner scenario [9]. In a non-shared multi-owner scenario, each staff member is responsible for a specific portion of the EMR. Each part of the data is a separate record, requiring independent computation of indexes and signatures. This processing will result in a linear increase in the cost of storing indexes and signatures as the number of owners increases, as well as an increase in verification and encryption time, thus significantly increasing the overall computation and storage costs. In contrast, the shared multi-owner scenario allows multiple owners to sign on the same EMR, ultimately generating a multi-signature. The size of the multi-signature is constant and independent of the number of owners. Therefore, the verification time and storage overhead of signatures are independent of the number of owners. For indexing in the shared multi-owner setup, the whole EMR is given only a single index through which the retriever can search the multi-owner EMR. In this way, the shared multi-owner significantly saves time and space costs, which makes it more advantageous in real-world applications. In recent years, some research works have also verified the advantages of the shared multi-owner setting. Miao et al. [10] proposed a keyword-searchable encryption scheme with a hidden access policy under the shared multi-owner setting. Padhya et al. [11] proposed a new key aggregation-searchable encryption scheme supporting sorted queries on encrypted datasets and a multi-keyword multidimensional search on multi-owner datasets. However, most PEKS solutions deployed in shared multi-owner scenarios face significant computational and storage costs.

The current PEKS scheme leaves much to be desired in terms of efficiency and security: PKI-based or identity-based cryptosystems encounter certificate management and key escrow problems during system deployment; the use of secure channels leads to inefficiency in the PEKS scheme; single-keyword searches inevitably produce many irrelevant results, leading to a waste of bandwidth and computational resources; CSS, as a semi-trusted third party, may provide incorrect search results to save computational and bandwidth resources; a large number of pairing operations puts a heavy computational burden on the system; the PEKS scheme is vulnerable to offline keyword-guessing attacks, online keyword-guessing attacks, and internal keyword-guessing attacks; most of the searchable encryption schemes are proven to be secure in the random oracle model (ROM) but the ROM is not suitable in the idealized model, resulting in security that cannot be fully guaranteed in practical applications; most searchable encryption schemes incur significant computational and storage costs when deploying PEKS schemes in non-shared multi-owner setups. In reality, it is necessary to solve the above problems, which provides a new direction for our research.

1.1. Our Contribution

We construct a certificateless-based, verifiable, pairing-free, conjunctive keyword search encryption scheme (CLVPFC-PEKS). Specifically, the main contributions are as follows:

• Conjunctive multi-keyword search: The new solution allows users to search for multiple keywords without increasing the number of trapdoors and ciphertexts, significantly improving the accuracy of search results.
• Verifiability of the search results: The new scheme attaches a signature to each document. The signature will then be used to verify the search results, ensuring the accuracy of the search results and preventing users from wasting time and resources on invalid results.
• Certificateless-based: The new scheme overcomes the limitations of certificate management and key escrow in existing searchable encryption schemes.
• No pairing: Pairing operations take time, so the computational efficiency can be significantly improved by not using pairing operations.
• No need for a secure channel: The new solution eliminates the need for a secure channel and reduces system construction costs.
• Shared multi-owner settings: The new scheme allows users to search for document sets shared by multiple users using a single trapdoor.
• Proven security under the standard model: The new scheme is secure against offline keyword guessing attacks and chosen keyword attacks (CKAs) in the standard model. Meanwhile, based on the security of the Diffie–Hellman shared secret keys, the new scheme can also resist online keyword guessing attacks (e.g., file injection attack (FIA)) and insider keyword guessing attacks (IKGAs).

In

Table 1. Functional comparison.

Scheme	SRV	CKS	CL	SCF	PF	SMO
[12]	×	√	×	×	×	×
VCSE [13]	√	√	×	√	×	×
VCKSM [14]	√	√	×	√	×	√
VMKDO [15]	√	√	×	×	×	×
VMKS [16]	√	√	√	×	×	×
mCLPECK [17]	×	√	√	×	×	×
CL-dPAEKS [18]	×	×	√	√	×	×
[19]	×	√	×	×	×	×
[20]	×	×	√	√	√	×
[21]	×	×	√	√	√	×
[22]	×	×	√	√	√	×
ours	√	√	√	√	√	√

SRV: verifiability of search results. CKS: conjunctive keyword search. CL: certificateless-based. SCF: secure-chanel free. PF: pairing-free. SMO: shared multi-owner. ×: not supporting this functionality. √: supporting this functionality.

, we compare the features of PKES schemes. Currently, no SE scheme can provide result verification, can provide a conjunctive keyword search, is secure channel-free, is certificateless-based, is pairing-free, and can provide support for shared multi-owners simultaneously. In particular, none of the pairing-free SE schemes support result verification and conjunctive keyword searches.

1.2. Organization

The following is the framework for the rest of this article. We summarize some related work in Section 2. We discuss preparatory knowledge in Section 3. We define the system model and the security model of the scheme in Section 4. We show the details of the CLVPFC-PEKS scheme in Section 5. We discuss the security of the CLVPFC-PEKS scheme in Section 6. We analyze the effectiveness of CLVPFC-PEKS in Section 7. Finally, we summarize this paper in Section 8.

2. Related Work

In 2004, Boneh et al. [23] first proposed the concept and construction of public key encryption with keyword search(PEKS), which laid the foundation for research in this field. However, the early PEKS schemes still had many shortcomings in efficiency and safety. Baek [24] points out that the PEKS scheme of [23] is inefficient because [23] uses safe channels. To eliminate the requirement for secure channels, Baek et al. [24] proposed PEKS without secure channels (SCF-PEKS), also known as PEKS with designated servers/testers (dPEKS) [25]. However, most SCF-PEKS schemes are PKI-based or ID-based, which inevitably incurs problems with certificate management and key escrow. To overcome these challenges, Peng et al. [18], based on the certificateless cryptosystem [26], proposed a keyword-searchable encryption scheme (CL-SCF-PEKS) without a secure channel. Since then, many papers have studied certificateless searchable encryption schemes, which inject new vitality into the development of this field. It is worth noting that most PEKS schemes [18,27,28,29,30] search for a single keyword. However, this single-keyword search method often produces irrelevant results, wasting bandwidth and computing resources. Golle et al. [31] proposed the first conjunctive keyword-searchable encryption scheme to address the issue of resource waste. Subsequently, more searchable encryption schemes that support conjunctive keywords have been proposed in recent years [14,32,33].

Given that the computational complexity of pairing is much higher than that of scalar multiplication on the group of elliptic curves, designing schemes that do not require pairing will significantly improve the computational efficiency of the schemes. Current SE schemes that do not require pairing operations are still scarce, and these schemes [21,22,34,35,36,37,38,39,40] remain to be improved. In 2019, Lu et al. [39] proposed a PEKS scheme based on the certificateless cryptosystem, which is pairing-free, and proved the indistinguishability of keyword ciphertexts (CL-PF-PEKS). However, Ma et al. [40] showed that the work of [39] is insecure under user-simulated attacks and provided a new CL-PF-PEKS scheme. Recently, [21,22] proposed CL-PF-PEKS schemes that are both secure and effective, respectively, but unfortunately, they are single-keyword-searchable.

Existing SCF-PEKS schemes have significant shortcomings in terms of security, especially their vulnerability to offline keyword guessing attacks [41], online keyword attacks (e.g., FIA) [19,42], and internal keyword attacks [43]. PEKS schemes typically use keywords from low-entropy spaces, making them vulnerable to offline keyword-guessing attacks. In this attack, both internal and external attackers can use a testing algorithm to accurately guess the keywords corresponding to the given keyword trapdoors. The attack works because the generation of trapdoors uses only keywords and public keys. Currently, the offline keyword guessing attack has become one of the most destructive attacks on PEKS schemes because it can lead to the leakage of encrypted data and information related to the keywords contained in the trapdoor. Unfortunately, Yang et al. [44] showed that even after modifying the trapdoor structure of PEKS schemes, an attacker can still perform an online keyword guessing attack(e.g., FIA). Unlike external offline keyword attacks, external online keyword guessing attacks allow attackers to guess keywords by analyzing search results in the cloud in real time. Specifically, the external attacker first generates keyword ciphers and data ciphers containing all possible keywords and data ciphers using the public keys of the cloud server and the retriever and injects these ciphers into the cloud server. Subsequently, the external attacker monitors the communication between the cloud server and the retriever. Once the attacker finds that the search results returned by the server match the previously injected ciphertexts, they can determine the keywords that the retriever is searching for. In addition, the PEKS scheme is also vulnerable to internal malicious CSS attacks. Jeong et al. [45] demonstrated that the PEKS framework is susceptible to internal offline keyword attacks initiated by malicious CSSs. Wang et al. [46] pointed out that even though the trapdoor is indistinguishable, the SCF-PEKS scheme is still not able to defend against keyword-guessing attacks by malicious CSSs. More seriously, Shao et al. [47] proposed a generic attack method and pointed out that it is almost impossible to construct a SCF-PEKS scheme that can defend against malicious CSSs. This is because malicious CSSs can perform keyword encryption and testing algorithms, making the SCF-PEKS scheme particularly vulnerable against offline keyword-guessing attacks from malicious internal servers.

In addition, CSSs, as semi-trusted entities, may selectively perform a few search operations and return some inaccurate search results to save computational and bandwidth resources. Therefore, PEKS schemes should provide an authentication mechanism to ensure the accuracy of search results without decryption. Reference [48] proposed the first keyword-searchable encryption scheme that supports authentication. Since then, numerous researchers have explored keyword-searchable encryption schemes that support authentication [15,16,49]. The authors of [16] proposed a verifiable multiple keywords search(VMKS) scheme, claiming that it resists keyword guessing attacks under the standard model.

3. Preliminaries

Let $q>3$ be a large prime, $F_q$ be a prime field, and the elliptic curve E over the field $F_q$ satisfy the equation $y^{2}modq=(x^3+ax+b)modq$, where $a,b,x,y\in F_q$ and $(4a^3+27b^2)modq\ne 0$. All points on E and the infinite point O form a cyclic group. The elliptic curve cryptosystem (ECC) has the following difficulties:

• The elliptic curve discrete logarithm problem (ECDLP): given $P,Q\in G_q$, where P is the generator of the group and Q is the element in $G_q$. It is difficult to calculate the integer k, such that $Q=kP$, where $k\in Z_{q*}$.
• The elliptic curve computational Diffie–Hellman problem (ECDCHP): for any given $a,b$ in $Z_{q*}$, it is difficult to calculate $abP$, where $(P,aP,bP)\in G_q$.
• The elliptic curve decisional Diffie–Hellman (ECDDDH) problem: given $aP,bP\in G$, where $a,b$ are unknown. The decisional Diffie–Hellman (DDH) problem is to decide whether X equals $abP$ or a random element in G.

4. The System Model and Security Model of CLVPFC-PEKS

4.1. System Model

There are five core entities involved in the new scheme: the key generation center (KGC), the data owners (DOs, including patients and their doctors), CSSs, retrievers (e.g., authorized doctors or hospitals), and a private audit server (PAS), as shown in Figure 2.

• The KGC is responsible for generating the public parameters of the system and some of the private keys for the DOs, the CSSs, and the retrievers.
• DOs have many files to store and manage, but their resources and capabilities are limited. From the perspective of resource-saving and data security, the data owner chooses to upload the encrypted data files and indexes (keyword ciphertext) to the cloud storage server.
• The CSS, as a semi-trusted entity with powerful computing and storage capabilities, provides data storage and retrieval services to authorized cloud customers. When a retriever initiates a retrieval request, the cloud storage server looks up the keyword traps and returns the corresponding data files to the retriever.
• Retrievers can initiate a ciphertext retrieval request by sending a keyword trapdoor to the cloud storage server and decrypt the received ciphertext to obtain the required information.
• The PAS, as a fully trusted entity, is responsible for validating the search results to ensure that the data files received by the searcher are accurate.

The CSS is semi-trustworthy and curious. It may selectively perform a few search operations and provide some erroneous search results to conserve its resources. At the same time, CSSs try to snoop on valuable and sensitive information. The PAS is fully trusted to ensure the accuracy of search results. In addition, authorized retrievers can confidently initiate search requests without worrying about leaking valuable information to CSSs.

4.2. Solution Framework

To better understand the notations in our proposed scheme,

Table 2. Notation descriptions.

Notations	Descriptions
x	Master secret key
$P_{pub}$	System public key
$O=\{O_1,O_2,\cdots ,O_d\}$	Data owner collection
$I{D}_i\in {\{0,1\}}^{*}(1⩽i⩽d)$	Identity set for data owner $O_i$
$I{D}_C$	Identity for CSS
$I{D}_u$	Identity for data user
$(P{K}_C,S{K}_C)$	Public/secret key pair for CSS
$(P{K}_{O_i},S{K}_{O_i})$	Public/secret key pair for data owner $O_i$
$(P{K}_u,S{K}_u)$	Public/secret key pair for data user
$F=\{f_1,f_2,\cdots ,f_n\}$	File set F
$C=\{c_1,c_2,\cdots ,c_n\}$	Ciphertext set
$ID=\{i{d}_1,i{d}_2,\cdots ,i{d}_n\}$	Identity set for F
$W_i=\{w_{i1},w_{i2},\cdots ,w_{im}\}$	Collection of keywords
$si{g}_{i,t}$	Data owner $O_i$ signature for $c_t$
$si{g}_t$	Data owners’ multi-signature for $c_t$
$Sig=\{si{g}_1,si{g}_2,\cdots ,si{g}_n\}$	F’s multi-signature
$I_i$	Index of $f_i$
$I=\{I_1,I_2,\cdots ,I_n\}$	Index set for F
$W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$	Search keyword set
$T_{W^{\prime }}$	Trapdoor of $W^{\prime }$
$C^{\prime }=\{c_{k_1},c_{k_2},\cdots ,c_{k_s}\}$	Search results
$I{D}^{\prime }=\{i{d}_{k_1},i{d}_{k_2},\cdots ,i{d}_{k_s}\}$	Identity set for $C^{\prime }$

explains the pre-defined notations used throughout this paper. We set integer k as the security level and $(F,W)$ as the EMR file and the keyword set contained in EMR.

Definition 1

(CLVPFC-PEKS). Our scheme is a tuple of six algorithms, as follows:

SetUp($1^k$): Given the security parameter k, the KGC outputs the public parameters Ω, the system public key $P_{pub}$, and the master secret key $msk$ for the traditional public key algorithm.

KeyGen $(\mathsf{\Omega },O,U,CSS)$: For the data owner set O, the data user U, and the CSS, the KGC generates the public/secret key pairs $\{P{K}_{O_i},S{K}_{O_i}\}(1⩽i⩽d)$,$\{P{K}_u,S{K}_u\}$, and $\{P{K}_C,S{K}_C\}$, respectively.

Set-Secret-Value: After inputting the public parameters Ω, this probabilistic algorithm outputs data owners, data users, and CSS’s Secret-Value.

Partial-Private-Key-Extract: The KGC executes this algorithm, which accepts the identity of the data owner, data user, and CSS, then uses them in combination with the master key to generate a partial private key for the data owner, data user, and CSS.

Set-Private-Key: Set the full secret keys of the data owner, data user, and CSS.

Set-Public-Key: Set the full public keys of the data owner, data user, and CSS.

$Enc(\mathsf{\Omega },F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_{O_i}\right\},\left\{P{K}_{O_i}\right\},P{K}_u)$: DOs first conduct this probabilistic algorithm to generate the ciphertext set C for the set F. Then, DOs generate multiple signatures $Sig$ and index set I for ciphertext C. Then, they send the tuple $(C,I,Sig)$ to the CSS. $TraGen(\mathsf{\Omega },S{K}_u,W^{\prime })$; given the keyword $W^{\prime }$, the DO runs this algorithm to output trapdoor $T_{W^{\prime }}$.

$Test(\mathsf{\Omega },T_{W^{\prime }},I)$: Using the trapdoor $T_{W^{\prime }}$ as an input, the CSS matches it with the index set I, then returns the relevant ciphertext $C^{\prime }\subseteq C$ and signature $Si{g}^{\prime }$ set to PAS.

Verify $(\mathsf{\Omega },C^{\prime },I{D}^{\prime },sig,\left\{P{K}_{O_i}\right)\})$: The PAS runs this algorithm by initiating interaction with the CSS to check the correctness of the search result $C_{W\prime }$. If $C_{W\prime }$ passes the result validation, the PAS will return it to the retriever. Otherwise, it will abort the algorithm.

4.3. Security Model

Our scheme primarily considers security in the following two aspects: (1) The index corresponding to the keyword has security against choice keyword attacks. (2) The trapdoor used for queries should possess security.

Because our scheme is certificateless-based, there are two different classes of adversaries: $A_1$ and $A_2$. Therefore, when discussing the security of the index and trapdoor, we must analyze and prove them from the angles of these two adversaries.

$A_1$: $A_1$ does not know the master key, but $A_1$ can replace any user’s public key.

$A_2$: $A_2$ knows the master key, but $A_2$ cannot replace any user’s public key.

We call these adversaries the adversary of type-1 and the adversary of type-2.

Mahmoud Ismail et al. [50] articulated the basic principles of the zero-trust framework, delved into the threat landscape facing IoT systems, and assessed how the zero-trust principle can effectively address these threats. Jamal A. Alenizi et al. [51] investigated various risks and vulnerabilities that may affect the operation of blockchain-based smart healthcare systems, especially ransomware, and proposed a framework for mitigating healthcare ransomware attacks. The framework proposed by Jamal A. Alenizi et al. has higher computational efficiency and lower communication overhead than similar existing frameworks.

4.3.1. Ciphertext Indistinguishability against Chosen Keyword Ciphertext Attack

A PEKS scheme with ciphertext indistinguishability against chosen keyword and ciphertext attacks (CKCA-CIND) feature can protect the data owner’s keyword ciphertext stored in the cloud from revealing relevant keyword information. When encrypted data are stored in the CSS, it will attach the corresponding keywords $\{w_{i1},w_{i2},\cdots ,w_{im}\}$. Even if the keyword ciphertext is captured during transmission, no adversary can obtain keywords embedded in the keyword ciphertext.

We will define the definition of CKCA-CIND. There are two games to discuss the security of CKCA-CIND.

Game 1.

$A_1$ simulates malicious users, and B is the challenger. B and $A_1$ play this game together.

Setup: B runs the SetUp($1^k$) program to obtain $\mathsf{\Omega }$, $P_{pub}$ and $msk$. B sends $P_{pub}$ to $A_1$ and keeps $msk$. Then, B sets the key pair of $O_i$$(i\in \{1,2,\cdots ,d\left\}\right)$ and CSS, i.e., $(P{K}_{O_i},S{K}_{O_i})$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $(P{K}_c,S{K}_c)$. B sends the public keys $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $P{K}_c$ to $A_1$, while $S{K}_{O_i}$ and $S{K}_c$ are unknown to $A_1$.

Phase 1. $A_1$ executes the User-Public-Key query before executing other queries. It sets up lists to store the above queries and answers. All lists are initially empty. $A_1$ makes the queries to challenger B as follows:

• User-Public-Key query: When $A_1$ inputs the identity $I{D}_u$, B outputs the user’s public key $P{K}_u$.
• Replace-Public-Key query: $A_1$ inputs $(I{D}_j,P{K}_j^{\prime })$, B replaces $P{K}_j$ with $P{K}_j^{\prime }$.
• Secret-Value query: When $A_1$ inputs the identity $I{D}_j$, B returns the secret value corresponding to the $I{D}_j$. If $P{K}_j$ is replaced, B refuses to answer.
• Partial-Private-Key-Extract query: When $A_1$ enters the $I{D}_j$, if $I{D}_j=I{D}_u^{⟡}$($I{D}_u^{⟡}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial-Private-Key.
• Keyword Ciphertext Query: $A_1$ asks B for the keyword ciphertext of any keyword W it cares about. B runs the $Enc(\mathsf{\Omega },F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_{O_i}\right\},\left\{P{K}_{O_i}\right\},P{K}_u)$ algorithm to answer W’s keyword ciphertext $I_W$.
• Keyword Trapdoor Query: $A_1$ sends a keyword $W^{\prime }$ to B. B runs the $TrapGen(\mathsf{\Omega },S{K}_u,W^{\prime })$ algorithm to answer $W^{\prime }$’s trapdoor $T_{W^{\prime }}$.
• Test Query: $A_1$ selects and sends the keyword ciphertext $I_W$ and trapdoor $T_{W^{\prime }}$ to B. B executes the $Test(\mathsf{\Omega },T_{W^{\prime }},I_W)$ algorithm to return the test result of whether the keyword ciphertext and the trapdoor match.

Challenge: $A_1$ submits a tuple $(W_0,W_1,{I{D}_u}^{*},P{K}_u*)$ to B, where $W_0$ and $W_1$ are challenging keywords not asked in the previous trapdoor and keyword ciphertext query. If $I{D}_u^{*}\ne I{D}_u^{⟡}$, B aborts. Otherwise, B picks $\xi \in \{0,1\}$, randomly computes the keyword ciphertext $I_{W_{\xi }}$, and returns the challenge ciphertexts $I_{W_{\xi }}$ to $A_1$.

Phase 2. $A_1$ can perform many queries like Phase 1, but $A_1$ cannot query the keyword ciphertext and trapdoor of $W_0$ and $W_1$.

Guess: $A_1$ outputs ${\xi }^{\prime }\in \{0,1\}$. $A_1$ wins if ${\xi }^{\prime }=\xi$. Otherwise, it fails.

Next, the advantages of $A_1$ in Game 1 are given as

$$Ad{v}_{CKCA-CIN{D}_{A_1}}|Pr[{\xi }^{\prime }=\xi |-\frac{1}{2}|.$$

Game 2.

$A_2$ simulates the malicious server, and B is a challenger. B and $A_2$ play this game together. Setup: It only differs from the setup of Game 1 in the following steps. B sends the public keys $P{K}_{O_i}$, $P_{pub}$, and $msk$ to $A_2$, and $S{K}_{O_i}$ is unknown to $A_2$.

Phase 1. The steps are the same as in Phase 1 of Game 1, except for the Secret-Value query and Partial-Private-Key query. The changes in them are as follows:

• Secret-Value query: When $A_2$ enters the $I{D}_j$, if $I{D}_j=I{D}_u^{⟡}$ ($I{D}_u^{⟡}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_j$.
• Partial-Private-Key-Extract query: When $A_2$ inputs the identity $I{D}_j$, B returns the partial private key corresponding to the $I{D}_j$. If $P{K}_j$ is replaced, B refuses to answer.

Phase 2. Same as Phase 2 of Game 1.

Next, the advantages of $A_2$ in Game 2 are given as

$$Ad{v}_{CKCA-CIN{D}_{A_2}}|Pr[{\xi }^{\prime }=\xi |-\frac{1}{2}|.$$

Definition 2

(Security of CKCA-CIND). If the probability that any adversary will win the above two games in polynomial time is negligible, then we state that the CLVPFC-PEKS scheme is CKCA-CIND safe.

4.3.2. Safety of Trapdoor

The attack methods on the trapdoor include offline keyword-guessing attacks, online keyword-guessing attacks, and insider keyword-guessing attacks.

We first discuss how to defend against offline keyword-guessing attacks. References [46,52,53] have made efforts to resist offline keyword-guessing attacks. They modified the structure of the trapdoor and claimed that if the attacker did not know the server’s private key or the receiver’s private key, then the scheme would be resistant to offline keyword-guessing attacks by external attackers. In [53], the concept of trapdoor indistinguishability under a choose keyword attack (CKA-TIND) is proposed, and it is proven that CKA-TIND is a sufficient condition to prevent offline keyword guessing attacks. At the same time, ref. [53] proposes a dPEKS scheme with trapdoor indivisibility. The above schemes are proven safe in the random oracle model, but the proof that the scheme is safe in the random oracle model does not necessarily mean that the scheme is safe in reality. Fang et al. [54] proposed a new SCF-PEKS scheme that has no random prediction and asserts that the scheme can safely resist offline keyword guessing attacks by external attackers. However, Lu et al. [19] pointed out that Fang’s scheme is insecure under the keyword guessing attack of external attackers.

In the following, we define the concept of CKA-TIND of CLVPFC-PEKS.

Game 3.

$A_1$ simulates malicious users, and B is the challenger. B and $A_1$ play this game together.

Setup: $A_1$ B runs the SetUp($1^k$) program to obtain $\mathsf{\Omega }$,$P_{pub}$ and $msk$. B sends $P_{pub}$ to $A_1$ and keeps $msk$ secret. Then, B sets the key pair of the date user and CSS, i.e., $(P{K}_u,S{K}_u)$ and $(P{K}_c,S{K}_c)$. Challenger B sends the public key $P{K}_u$ and $P{K}_c$ to $A_1$, while $S{K}_u$ and $S{K}_c$ are unknown to $A_1$.

Phase 1. $A_1$ executes the User-Public-Key query before executing other queries. The setup lists store the above queries and answers. All lists are initially empty. $A_1$ makes the queries to challenger B as follows:

• User-Public-Key query: When $A_1$ inputs the identity $I{D}_i$, B outputs the user’s public key $P{K}_i$.
• Replace-Public-Key query: Same as in Game 1.
• Secret-Value query: Same as in Game 1.
• Partial-Private-Key-Extract query: When $A_1$ enters the $I{D}_j$, if $I{D}_j=I{D}_i^{⟡}$($I{D}_i^{⟡}$ is the challenge identity), B fails and stops. Otherwise, B returns the corresponding Partial-Private-Key.
• Keyword Ciphertext Query: Same as in Game 1.
• Keyword Trapdoor Query: Same as in Game 1.
• Test Query: Same as in Game 1.

Challenge: $A_1$ submits a tuple $(W_0,W_1,\{I{D}_i*\},\{P{K}_i*\}$) $(i\in \{1,2,\cdots d\left\}\right)$ to B, where $W_0$ and $W_1$ are challenging keywords that were not asked in the previous trapdoor and keyword ciphertext query. If $I{D}_i^{⟡}\notin \{I{D}_i*\}$$(i\in \{1,2,\cdots d\left\}\right)$, B aborts. Otherwise, B picks $\xi \in \{0,1\}$, randomly computes keyword trapdoor $T_{W_{\xi }}$, and returns the challenge trapdoor $T_{W_{\xi }}$ to the adversary $A_1$.

Phase 2. $A_1$ can perform many queries like Phase 1, but $A_1$ cannot query the keyword ciphertext or trapdoor of $W_0$ and $W_1$.

Guess: $A_1$ outputs ${\xi }^{\prime }\in \{0,1\}$. Adversary $A_1$ wins if ${\xi }^{\prime }=\xi$. Otherwise, it fails.

Next, the advantages of $A_1$ in Game 3 are given as

$$Ad{v}_{CKA-TIN{D}_{A_1}}|Pr[{\xi }^{\prime }=\xi |-\frac{1}{2}|$$

Game 4.

$A_2$ simulates the malicious server, and B is a challenger. B and $A_2$ play this game together.

Setup: This differs from the setup of Game 3 only in the following steps. B sends $P{K}_u$, $P_{pub}$, and $msk$ to $A_2$, and $S{K}_u$ is unknown to $A_2$.

Phase 1. The steps are the same as in Phase 1 of Game 3, except for the Secret-Value and Partial-Private-Key-Extract queries. The changes in them are as follows:

• Secret-Value query: When $A_2$ enters the $I{D}_j$, if $I{D}_j=I{D}_i^{⟡}$ ($I{D}_i^{⟡}$ is the challenge identity), B fails and stops. Otherwise, B returns the secret value corresponding to $I{D}_j$.
• Partial-Private-Key-Extract query: Same as in Game 2.

Phase 2. Same as Phase 2 of Game 3.

Next, the advantages of $A_2$ in Game 4 are given as

$$Ad{v}_{CKA-TIN{D}_{A_2}}|Pr[{\xi }^{\prime }=\xi |-\frac{1}{2}|$$

Definition 3

(Security of CKA-TIND). If the probability that any adversary will win the above two games in polynomial time is negligible, then we state that the CLVPFC-PEKS scheme is CKA-TIND safe.

Next, we will discuss how to resist online/insider keyword-guessing attacks. Lu et al. [19] pointed out that the main reason for vulnerability to online keyword-guessing attacks is that any opponent can generate legitimate ciphertext for keywords. Shao et al. [47] pointed out that SCF-PEKS inherently suffers from insider keyword-guessing attacks because malicious servers can run keyword encryption algorithms and test algorithms at the same time. To resist the above two attacks, Wu et al. [55] proposed a searchable public key encryption (SPE-PP) scheme with a privacy protection function. In their plan, the Diffie–Hellman shared secret key is required for the generation of the keyword ciphertext and trapdoor. Specifically, the sender uses the shared key to calculate each keyword ciphertext, while the receiver uses the shared key to generate a trapdoor. An internal adversary (such as a malicious cloud server) cannot obtain the Diffie–Hellman shared secret key, so they cannot construct legal ciphertext to match the trapdoors sent by retrievers for testing. Then, internal adversaries will not be able to implement insider keyword-guessing attacks. On the other hand, only the retriever can use the Diffie–Hellman shared secret key to generate a legitimate trapdoor for each keyword, and the adversary of online keyword guessing cannot obtain the Diffie–Hellman shared secret key. Then, they cannot construct a legal trapdoor to upload to the cloud server. Even if they monitor all the files obtained by the retriever under the public channel, they cannot obtain any keyword-related information through comparison. In conclusion, the reason why the searchable encryption scheme can resist online and insider keyword-guessing attacks is that the keyword ciphertext is embedded in the shared key generated by the sender’s private key and the receiver’s public key.

In this section, we conduct a comprehensive analysis of the security of the scheme, focusing primarily on the security of the trapdoor and keyword ciphertext. The security of the keyword ciphertext only needs to demonstrate that the scheme is resistant to chosen keyword ciphertext attacks. Trapdoor security is categorized into three aspects: security against offline keyword-guessing attacks, security against online keyword-guessing attacks, and security against internal keyword-guessing attacks. Because CKCA-CIND is a sufficient condition to prevent offline keyword guessing attacks, as long as the scheme is trapdoor-indistinguishable under the chosen keyword attack, then the scheme is secure against the offline keyword guessing attack. Also, as long as the shared key embedded in the keyword ciphertext is generated from the sender’s private key and the receiver’s public key, the PESK scheme is resistant to both online keyword attacks and internal keyword guessing attacks.

5. The Proposed CLVPFC-PEKS

This system uses a traditional public key encryption algorithm for keywords. However, we will not discuss them in detail here. Therefore, the following algorithms focus mainly on indexing and signature.

SetUp $\left(1^k\right)$: Given a security parameter k, this deterministic algorithm outputs the global public parameters $\mathsf{\Omega }$ and KGC’s master secret key ($msk$). Given k, the KGC performs as follows:

• Choose a k bit prime number q and determine the tuple $\{F_q,E/F_q,G_q,P\}$, where the point P is the generator of $G_q$.
• Choose a number $x{\in }_R{Z}_q^{*}$ and compute the system public key $P_{pub}=xP$. Set $msk=\left\{x\right\}$. Let $(PK,SK)=(P_{pub},x)$.
• Select five hash functions $H_0$,$H_1$,$H_2:$$\left\{0,1\right\}*\times G\times G\to Z_q^{*}$, $h_1:\{0,1\}*\to Z_q^{*}$, $h_2:G_q\to Z_q^{*}$.
• Let $\mathsf{\Omega }=\{F_q,E/F_q,G_q,P,H_0,H_1,H_2,h_1,h_2,P_{pub}\}$.

KeyGen $(\mathsf{\Omega },O,U,CSS)$: Let each EMR have a fixed number of data owners $O=\{O_1,O_2,\cdots ,O_d\}$. KGC generates the public/secret key pairs for the CSS, data owner $O_i$, and retriever U.

• Set-Secret-Value: The participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ selects an element $x_i{\in }_R{Z}_q^{*}(i=1,2,\cdots ,d,C,u)$ and generates the corresponding public key $P_i=x_{i}P(i=1,2,\cdots ,d,C,u)$.
• Extract-Partial-Private-Key: To obtain the partial private key, the user $I{D}_i$ sends $(I{D}_i,P_i)$ to the KGC, and then the KGC executes the extraction as in the following steps.

  –

  Taking the participant’s $I{D}_i(i=1,2,\cdots ,d,C,u)$ as input, a random number $r_i\in Z_q^{*}(i=1,2,\cdots ,d,C,u)$ is selected by KGC and calculates $R_i=r_{i}P(i=1,2,\cdots ,d,C,u)$.

  –

  The KGC computes $e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq(i=1,2,\cdots ,d,C,u)$. The partial private key of the participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ is $e_i$. The participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ can verify their partial private key by checking whether the equation $Q_i=e_{i}P=R_i+l_i{P}_{pub}$ holds, where $l_i=H_0(I{D}_i,R_i,P_i)$. If the above equation is true, then the private key $I{D}_i$ is accepted.

• Set-Private-Key: The partial private key of the participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ takes the pair $S{K}_i=(x_i,e_i)$ as their full private key.
• Set-Public-Key: The participant with $I{D}_i(i=1,2,\cdots ,d,C,u)$ takes $P{K}_i=(P_i,R_i)$ as their full public key.

Enc$(\mathsf{\Omega },F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_{O_i}\right\},\left\{P{K}_{O_i}\right\},P{K}_u)$:

Step 1: Given the EMR set $F=\{f_1,f_2,\cdots ,f_n\}$ with corresponding identities $ID=\{i{d}_1,i{d}_2,\cdots ,i{d}_n\}$, it will be encrypted as the ciphertext set $C=\{c_1,c_2,\cdots ,c_n\}$ through the traditional public key encryption algorithm. To generate the multi-signature on the encrypted file $c_t\in C(1⩽t⩽n)$, each signer $O_i(1⩽i⩽d)$ does the following:

• $O_i$ chooses a number $y_{i,t}{\in }_R{Z}_q^{*}$ and computes $Y_{i,t}=y_{i,t}P$.
• $O_i$ broadcasts $Y_{i,t}$ to other members $O_k(1⩽k⩽d,k\ne i)$ of the group.
• Computes $Y_t={\displaystyle \sum _{i=1}^d}{Y}_{i,t}$, $P_0={\displaystyle \sum _{i=1}^d}{P}_i$, $Q_0={\displaystyle \sum _{i=1}^d}{Q}_i$.
• Computes $h_t=H_1(c_t,i{d}_t,Y_t,P_0)$ and $h_t^{\prime }=H_1(c_t,i{d}_t,Y_t,Q_0)$.
• $O_i$ computes $V_{i,t}=y_{i,t}+h_t{x}_i+h_t^{\prime }{e}_i$, generates a signature $si{g}_{i,t}=(Y_{i,t},V_{i,t})$ for $c_t$, and then sends $V_{i,t}$ to the designated clerk $O_z$.
• Upon receiving $V_{i,t}$, $O_z$ computes $V_t={\displaystyle \sum _{i=1}^d}{V}_{i,t}$ and outputs the signature $si{g}_t=\{Y_t,V_t\}$. Let $sig=\{si{g}_1,\cdots ,si{g}_n\}$, where $V_{t}P=Y_t+h_t{P}_0+h_t^{\prime }{Q}_0$.

Step 2: All users specify a user to generate an index, for example, $O_d$. $O_d$ runs this algorithm to generate the index of file set F. Given the keyword set W, $O_d$ builds an index for each file $f_i\in F$. The index for each $f_i$ is generated based on the keyword field $W=\{w_{i1},w_{i2},\cdots ,w_{im}\}$, where m is a fixed integer. $O_d$ randomly selects $\xi \in Z_q^{*}$ and calculates $\xi +x_d$ to $O_1$ through public key encryption. $O_1$ computes $\xi +x_d+x_1$ and sends it to $O_2$ through public key encryption. $O_2$ computes $\xi +x_d+x_1+x_2$ and sends it to $O_3$ through public key encryption, and so on until $O_{d-1}$ computes $\xi +x_d+x_1+\cdots +x_{d-1}$ and sends it to $O_d$ through public key encryption. $O_d$ calculates $x_0=\xi +x_d+x_1+\cdots +x_{d-1}-\xi =x_1+x_2+\cdots +x_d$, and calculates $e_0=e_1+e_2+\cdots +e_d$ in the same way as $O_j$.    Let $R_0={\displaystyle \sum _{t=1}^d}{R}_t$, $l_0={\displaystyle \sum _{t=1}^d}{l}_t$. Construct an m-degree polynomial with the following equation:

$$F\left(x\right)=b_{i,m}{x}^m+b_{i,m-1}{x}^{m-1}+\cdots +b_{i,1}x+b_{i,0},$$

so $h_2\left(t\right)h_1\left(w_{i,1}\right),h_2\left(t\right)h_1\left(w_{i,2}\right),\cdots ,h_2\left(t\right)h_1\left(w_{i,m}\right)$ is the root of equation $F\left(x\right)=1$, where $t=(x_0+e_0)P_u+x_0{R}_u+x_0{l}_u{P}_{pub}$.    Then, $O_j$ selects ${\lambda }_i,{\mu }_i{\in }_R{Z_q}^{*}$ and computes $M_i={\lambda }_i{Q}_c$, set $I_{i,1}=M_i-{\mu }_{i}P$, $I_{i,2}={\lambda }_{i}P$, $V_{i,j}={\mu }_i{b}_{i,j}(0⩽j⩽m)$, and the index set is $I=\{I_1,\cdots ,I_n\}$, where $I_i=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$. Finally, $O_d$ sends I to CSS.

TrapGen$(\mathsf{\Omega },S{K}_u,W^{\prime })$: The DO calculates the value of $P_0,R_0,l_0$ as follows: $P_0={\displaystyle \sum _{i=1}^d}{P}_i$, $R_0={\displaystyle \sum _{i=1}^d}{R}_i$, $l_0={\displaystyle \sum _{i=1}^d}{l}_i$. Given the queried keywords set $W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$, the DO U first select an element $\eta {\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and set $T_{{W^{\prime }}_{m+1}}=\eta P$,

$T_{{W^{\prime }}_j}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_r\right)}^{j}P+\eta P_C$, where $0⩽j⩽m$, $t=(x_u+e_u)P_0+x_u{R}_0+x_u{l}_0{P}_{pub}$. Finally, they send $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$ to the CSS.

Test$(\mathsf{\Omega },T_{W^{\prime }},I,C)$: After gaining the search token $T_{W^{\prime }}$, the CSS computes $M_i={\lambda }_i{Q}_C$ fist, and then verifies whether Equation (1) holds.

$$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})=M_i$$

(1)

If Equation (1) holds, the CSS will return the relevant ciphertext set $C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\}$ and its corresponding identity set $I{D}^{\prime }=\{i{d}_{k_1},\mathrm{i}{d}_{k_2},\cdots ,i{d}_{k_s}\}$ to PAS. Otherwise, it returns ⊥. The specific test process is shown in Algorithm 1.

Algorithm 1: Search over encrypted data

Input: Trapdoor $T_{W^{\prime }}$, index I, ciphertext C, secret key $S{K}_C$, and public parameters $\mathsf{\Omega }$. Output: Search results $C^{\prime }$ and corresponding identity set $I{D}^{\prime }$ or ⊥. $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$ $I=\{I_1,I_2,\cdots ,I_n\}$,$I_i=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$. $M_i=e_C{I}_{i,2}$ $for0⩽i⩽ndo$$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})=M_i$ If Equation (1) holds, CSS returns the ciphertext $c_{k_t}$; otherwise, it returns ⊥; end for CSS returns the relevant results $C^{\prime }$ and corresponding identity set $I{D}^{\prime }$ or ⊥ to PAS.

Verify $(\mathsf{\Omega },C^{\prime },I{D}^{\prime },sig,\left\{P{K}_{O_i}\right\})$: After receiving the search results $C^{\prime }$, PAS computes the proof information $({\varphi }_1,{\varphi }_2)$ and $\sigma$. Finally, PAS verifies whether Equation () holds. The specific verify process is shown in Algorithm 2.

Algorithm 2: Results verification.

Input: Search results $C^{\prime }$ with corresponding identity set $I{D}^{\prime }$, public key set $\left\{P{K}_{O_i}\right\}$,   signature $sig=\{si{g}_1,\cdots ,si{g}_n\}$, and public parameters $\mathsf{\Omega }$, where $si{g}_t=\{Y_t,V_t\}$. Output: “Accept” or “Reject” $C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\}$, $I{D}^{\prime }=\{d_{k_1},\mathrm{i}{d}_{k_2},\cdots ,i{d}_{k_s}\}$; public key set $\{P{K}_{O_1},P{K}_{O_2},\cdots ,P{K}_{O_d}\}$; $sig=\{si{g}_1,\cdots ,si{g}_n\}$, $si{g}_t=\{Y_t,V_t\}$; compute $P_0={\displaystyle \sum _{t=1}^d}{P}_t$ , $Q_0={\displaystyle \sum _{t=1}^d}{Q}_t$; compute ${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},P_0)$, ${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},Q_0),$ $\sigma ={\displaystyle \sum _{\tau =1}^s}{V}_{k_{\tau }};$ Check $$\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0;\left(2\right)$$ If Equation () holds, output “Accept” and send $C^{\prime }$ to retriever; otherwise, output “Reject”.

6. Security of Scheme

We will analyze the correctness and security of the CLVPFC-PEKS scheme in this section.

6.1. Correctness

Theorem 1.

The CLVPFC-PEKS scheme is computationally consistent.

Proof. 

For the correctness of our CLVPFC-PEKS scheme, we do two things. First, we illustrate that the CSS can effectively ascertain a match between the keyword ciphertext’s index and the trapdoor when the keyword set $W^{\prime }\subseteq W$, where $W^{\prime }$ is a set of keywords searched by a specific user and W is the keyword set of ciphertext. Subsequently, we elucidate that, given that the search outcomes successfully traverse the established result verification protocol, retrievers can ascertain the accuracy of the search results.

During the test phase, the CSS obtains the index $I=\{I_1,I_2,\cdots ,I_n\}$ and trapdoor $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$. The CSS starts performing computations.

$e_C{I}_{i,2}=(r_C+x{l}_C){\lambda }_{\mathrm{i}}P={\lambda }_{\mathrm{i}}{Q}_C=M_i$.

$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})$

$=M_i-{\mu }_{i}P+{\displaystyle \sum _{j=0}^m}{\mu }_i{b}_{ij}[l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left(w_r^{\prime }\right)}^{j}P+\eta P_C-x_C\eta P]$

$=M_i-{\mu }_{i}P+{\displaystyle \sum _{j=0}^m}{\mu }_i{b}_{ij}\left(l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1\left(w_r^{\prime }\right)P\right)$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left(w_r^{\prime }\right)}^{j}P$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i[{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_1\right)}^j+\cdots +{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_l\right)}^j]P$

If $W^{\prime }\subseteq W$, then $h_2\left(t\right)h_1\left({w^{\prime }}_1\right),\cdots ,h_2\left(t\right)h_1\left({w^{\prime }}_l\right)$ are the root of the equation $F\left(x\right)=1$, where $F\left(x\right)=b_{i,m}{x}^m+b_{i,m-1}{x}^{m-1}+\cdots +b_{i,1}x+b_{i,0}$. Thus,

$I_{i,1}+{\displaystyle \sum _{j=0}^m}{V}_{i,j}(T_{{w^{\prime }}_j}-x_C{T}_{{w^{\prime }}_{m+1}})$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i[{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_1\right)}^j+\cdots +{\displaystyle \sum _{j=0}^m}{b}_{ij}{h}_2{\left(t\right)}^j{h}_1{\left({w^{\prime }}_l\right)}^j]P$

$=M_i-{\mu }_{i}P+l^{-1}{\mu }_i(1+1+\cdots +1)P$

$=M_i-{\mu }_{i}P+{\mu }_{i}P$

$=M_i$

Equation (1) is satisfied, and thereby CSS can correctly test whether the keyword ciphertext matches the trapdoor.

In the test phase, the PAS obtains signature $sig=\{si{g}_1,si{g}_2,\cdots ,si{g}_n\}$ and ciphertext $C^{\prime }=\{{\mathrm{c}}_{k_1},{\mathrm{c}}_{k_2},\cdots ,{\mathrm{c}}_{k_s}\}$, computing

${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},P_0),$${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},Q_0)$

obtaining the proof information $({\varphi }_1,{\varphi }_2)$, and then continuing to calculate

$\sigma P={\displaystyle \sum _{\tau =1}^s}{V}_{k_{\tau }}P={\displaystyle \sum _{\tau =1}^s}(Y_{k_{\tau }}+h_{k_{\tau }}{P}_0+h_{k_{\tau }}^{\prime }{Q}_0)$

$={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\displaystyle \sum _{\tau =1}^s}{h}_{k_{\tau }}{P}_0+{\displaystyle \sum _{\tau =1}^s}{h^{\prime }}_{k_{\tau }}{Q}_0$

$={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},P_0)P_0+{\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},Q_0)Q_0$.

If $C^{\prime }\subseteq C$, then

${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},P_0)={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},Y_{\rho \left(\tau \right)},P_0)$

${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},Q_0)={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{\rho \left(\tau \right)},i{d}_{\rho \left(\tau \right)},Y_{\rho \left(\tau \right)},Q_0)$

where $\rho \left(\tau \right)\in [1,n]$. So we have $\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0$. Equation (2) in program 2 holds. We can also make sure that the ciphertext cannot be modified. □

6.2. Security

Lemma 1.

Assuming that adversary $A_1$ can triumph in Game 1, then it is feasible to devise algorithm B, aimed at resolving the ECDDDH problem.

Proof. 

Let us hypothesize that the tuple $(P,aP,bP,X)$ constitutes an instance of the ECDDDH problem. In order to ascertain whether $X=abP$, algorithm B will assume the role of the challenger.

Setup: B executes the setup $\left(1^k\right)$ procedure to obtain public parameters $\mathsf{\Omega }=\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$ along with $msk=\left\{x\right\}$ and $P_{pub}=xP$. B then forwards the parameter $\mathsf{\Omega }$ to $A_1$ while keeping $msk$ secret. B selects $x_i\in Z_q^{*}(i\in \{2,\cdots ,d,C\})$, $r_i\in Z_q^{*}(i\in \{1,2,\cdots ,d,C\})$ randomly and sets

$P_i=x_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$, $P_1=aP$,$R_i=r_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$, and $e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq$$(i\in \{1,2,\cdots ,d,C\left\}\right)$.

B sends $\mathsf{\Omega }$, $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$, and $P{K}_C$ to $A_1$, but $S{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ and $S{K}_C$ are unknown to $A_1$.

Phase 1: Prior to conducting other queries, execute the user’s public key query utilizing the identity $I{D}_u$. Set up multiple lists to record the queries and corresponding responses. Each list starts off empty.

For a user public key query, B keeps a list $L_u$ of the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ and, upon receiving an identity $I{D}_u$, performs the following steps.

Case 1. $I{D}_u=I{D}_u^{⟡}$. $x_u^{⟡}\in Z_q^{*}$, setting $P{K}_u^{⟡}=(x_u^{⟡}P,bP)$, and adding the tuple $(I{D}_u^{⟡},x_u^{⟡}P,x_u^{⟡},bP,⟡)$ to the list $L_u$, where ⟡ represents a null value.

Case 2. $I{D}_u\ne I{D}_u^{⟡}$. B randomly chooses two different numbers $x_u,r_u\in Z_q^{*}$, setting $P{K}_u=(x_{u}P,r_{u}P)$, and adds the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ to the list $L_u$.

Replace-Public-Key query: B keeps a list $L_R$ of tuple $(I{D}_j,P{K}_j,P{K_j}^{\prime })$. When $A_1$ inputs $(I{D}_j,P{K_j}^{\prime })$, B replaces $P{K}_j$ with $P{K_j}^{\prime }$ and adds $(I{D}_j,P{K}_j,P{K_j}^{\prime })$ to the list $L_R$.

Secret-Value query: When $A_1$ receives the request for the secret value associated with $I{D}_j$, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_u$ and returns $x_j$. If $P{K}_j$ is replaced, B refuses to answer.

Partial-Private-Key query: B establishes a list $L_e$ of tuple $(I{D}_j,e_j)$ when $A_1$ asks for the partial private key of $I{D}_j$. If $I{D}_j=I{D}_u^{⟡}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_u$, and runs the Extract-Partial-Private-Key algorithm, generating $e_j$. B outputs $e_j$ and adds $(I{D}_j,e_j)$ to the list $L_e$.

Keyword Ciphertext Query: When $A_1$ asks $W=\{w_{i,1},w_{i,2},\cdots ,w_{i,m}\}$ for the keyword ciphertext, B operates the $Enc(\mathsf{\Omega },F,W,\left\{I{D}_i\right\},ID,\left\{S{K}_{O_i}\right\},\left\{P{K}_{O_i}\right\},P{K}_u)$ algorithm to generate keyword ciphertext $I_W=\{I_{i,1},I_{i,2},V_{i,0},V_{i,1},\cdots ,V_{i,m}\}$.

Keyword Trapdoor Query: When $A_1$ asks $W^{\prime }=\{w_1^{\prime },w_2^{\prime },\cdots ,w_l^{\prime }\}$ for the trapdoor, B operates the $TrapGen\{\mathsf{\Omega },S{K}_u,W^{\prime }\}$ algorithm to generate the trapdoor $T_{w^{\prime }}=\{T_{{w^{\prime }}_0},T_{{w^{\prime }}_1},\cdots ,T_{{w^{\prime }}_m},T_{{w^{\prime }}_{m+1}}\}$.

Test Query: $A_1$ gives the keyword ciphertext $I_W$ and keyword trapdoor $T_{w^{\prime }}$, and B compares them using Algorithm 1.

Challenge: $A_1$ submits a tuple $(W_0,W_1,I{D_u}^{*},P{K}_u^{*})$ to B, where $W_0=\{w_{0,1},w_{0,2},\cdots ,w_{0,m}\}$ and $W_1=\{w_{1,1},w_{1,2},\cdots ,w_{1,m}\}$ are challenging keywords not requested in the previous trapdoor and keyword ciphertext query. If $I{D}_u^{*}\ne I{D}_u^{⟡}$, B aborts. Otherwise, $I{D}_u^{*}=I{D}_u^{⟡}$, B calculates ${l_u}^{⟡}=H_0(I{D}_u^{⟡},R_u^{⟡},P_u^{⟡})$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=2}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{⟡}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{⟡}+{\displaystyle \sum _{k=2}^d}{x}_k{l}_u^{⟡}{P}_{pub}+x_u^{⟡}aP+l_u^{⟡}xaP+X.$

Let $F\left(x\right)=(x-h_2\left(t\right)h_1\left(w_{\xi ,1}\right))(x-h_2\left(t\right)h_1\left(w_{\xi ,2}\right))\cdots (x-h_2\left(t\right)h_1\left(w_{\xi ,m}\right))-1$, which can obtain $F\left(x\right)=b_{\xi ,m}{x}^m+b_{\xi ,m-1}{x}^{m-1}+\cdots +b_{\xi ,1}x+b_{\xi ,0}$ by combining similar terms. Then, B selects ${\lambda }_{\xi },{\mu }_{\xi }{\in }_R{Z_q}^{*}$ and computes $M_{\xi }={\lambda }_{\xi }{Q}_c$. Set $I_{\xi ,1}=M_{\xi }-{\mu }_{\xi }P,I_{\xi ,2}={\lambda }_{\xi }P$, $V_{\xi ,j}={\mu }_{\xi }{b}_{\xi ,j}(0⩽j⩽m)$. Thus, the corresponding keyword ciphertext of $W_{\xi }=\{w_{\xi ,1},w_{\xi ,2},\cdots ,w_{\xi ,m}\}$ is ${I_W}_{\xi }=\{I_{\xi ,1},I_{\xi ,2},V_{\xi ,0},V_{\xi ,1},\cdots ,V_{\xi ,m}\}$. B returns the challenge ciphertexts $I_{W_{\xi }}$ to the adversary $A_1$.

Phase 2: $A_1$ can continue to execute various queries, but there is a limitation that $A_1$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_1$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=2}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{⟡}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{⟡}+{\displaystyle \sum _{k=2}^d}{x}_k{l}_u^{⟡}{P}_{pub}+x_u^{⟡}aP+l_u^{⟡}xaP+X$

$=(x_0+e_0)P_u^{⟡}+{\displaystyle \sum _{k=2}^d}{x}_k{R}_u^{⟡}+x_0{l}_u^{⟡}{P}_{pub}+abP$

$=(x_0+e_0)P_u^{⟡}+x_0{R}_u^{⟡}+x_0{l}_u^{⟡}{P}_{pub}$

Therefore, ${I_W}_{\xi }$ is a valid keyword ciphertext. Suppose that the advantage of $A_1$ winning in the above game is $\epsilon$. So,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $I_{W_{\xi }}$ is an invalid keyword ciphertext. $A_1$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_u$, $q_r$ and $q_e$ be the number of the user public key query, Replace-Public-Key query, and the Partial-Private-Key query, respectively. The two events are as follows:

${\pi }_1$: $A_1$ did not replace $I{D}_u^{⟡}$’s public key $R_u^{⟡}$ and queried the partial-private-key for $I{D}_u^{⟡}$.

${\pi }_2$: $I{D}_u^{*}=I{D}_u^{⟡}$.

It is not hard to obtain the following results.

$Pr\left[{\pi }_1\right]=\frac{q_u-q_r-q_e}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_u-q_r-q_e}$, $Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_1$ wins Game 1 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_u}$ to determine whether $X=abP$. □

Lemma 2.

Assuming that adversary $A_2$ can win Game 2, algorithm B can constructed to solve the ECDDDH problem by exploiting the adversary’s ability.

Proof. 

Suppose that the tuple $(P,aP,bP,X)$ is an example of an ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Setup: B runs the setup $\left(1^k\right)$ program to obtain public parameters $\mathsf{\Omega }$$msk=\left\{x\right\}$ and $P_{pub}=xP$. B selects $x_i\in Z_q^{*}(i\in \{1,2,\cdots ,d,C\})$, $r_i\in Z_q^{*}(i\in \{2,\cdots ,d,C\})$ randomly, and sets

$P_i=x_{i}P$$(i\in \{1,2,\cdots ,d,C\left\}\right)$, $R_1=aP$,$R_i=r_{i}P$$(i\in \{2,\cdots ,d,C\left\}\right)$, $e_1=a+x{H}_0(I{D}_1,R_1,P_1)modq$, $e_i=r_i+x{H}_0(I{D}_i,R_i,P_i)modq$$(i\in \{2,\cdots ,d,C\left\}\right)$

B sends $\mathsf{\Omega }$, $P{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$, and $(PK,SK)$ to $A_2$, while $S{K}_{O_i}$$(i\in \{1,2,\cdots ,d\left\}\right)$ are unknown to $A_2$.

Phase 1: Execute the user’s public key query before other queries using the identity $I{D}_u$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B maintains a list $L_u$ containing the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ and takes the following actions when receiving an identity $I{D}_u$:

Case 1. $I{D}_u=I{D}_u^{⟡}$. B chooses a number $r_u^{⟡}\in Z_q^{*}$ at random, sets $P{K}_u^{⟡}=(bP,r_u^{⟡}P)$, and adds the tuple $(I{D}_u^{⟡},bP,⟡,r_u^{⟡}P,r_u^{⟡})$ to the list $L_u$, where ⟡ represents a null value.

Case 2. $I{D}_u\ne I{D}_u^{⟡}$. B chooses $x_u,r_u\in Z_q^{*}$ at random, sets $P{K}_u=(x_{u}P,r_{u}P)$, and adds the tuple $(I{D}_u,x_{u}P,r_{u}P,r_u)$ to the list $L_u$.

Replace-Public-Key query: Same as in Lemma 1.

Secret-Value query: B established a list $L_s$ of tuple $(I{D}_j,x_j)$. When $A_2$ asks the secret value for $I{D}_j$. If $I{D}_j=I{D}_u^{⟡}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in list $L_u$, and returns $x_j$.

Partial-Private-Key query: When $A_2$ asks the partial private key of $I{D}_j$, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in list $L_u$, running the Extract-Partial-Private-Key algorithm and returning $e_j$. If $P{K}_j$ is replaced, B refuses to answer.

Keyword Ciphertext Query: Same as in Lemma 1.

Keyword Trapdoor Query: Same as in Lemma 1.

Test Query: Same as in Lemma 1.

Challenge: $A_2$ submits a tuple $(W_0,W_1,I{Du}^{*},P{K}_u^{*})$ that meets the requirements of Game 2, where $W_0=\{w_{0,1},w_{0,2},\cdots ,w_{0,m}\}$ and $W_1=\{w_{1,1},w_{1,2},\cdots ,w_{1,m}\}$ are challenging keywords not asked in the previous trapdoor query and keyword ciphertext query. If $I{D}_u^{*}\ne I{D}_u^{⟡}$, B aborts. Otherwise, $I{D}_u^{*}=I{D}_u^{⟡}$, B computes $l_u^{⟡}=H_0(I{D}_u^{⟡},R_u^{⟡},P_u^{⟡})$, $l_1=H_0(I{D}_1,R_1,P_1)$ and picks $\xi \in \{0,1\}$ randomly. B computes

$t=({\displaystyle \sum _{k=1}^d}{x}_k+x{l}_1+{\displaystyle \sum _{k=2}^d}{e}_k)P_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{R}_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{l}_u^{⟡}{P}_{pub}+X$.

Let $F\left(x\right)=(x-h_2\left(t\right)h_1\left(w_{\xi ,1}\right))(x-h_2\left(t\right)h_1\left(w_{\xi ,2}\right))\cdots (x-h_2\left(t\right)h_1\left(w_{\xi ,m}\right))-1$, which can obtain $F\left(x\right)=b_{\xi ,m}{x}^m+b_{\xi ,m-1}{x}^{m-1}+\cdots +b_{\xi ,1}x+b_{\xi ,0}$ by combining similar terms. Then, select ${\lambda }_{\xi },{\mu }_{\xi }{\in }_R{Z_q}^{*}$ at random and compute $M_{\xi }={\lambda }_{\xi }{Q}_c$. Set $I_{\xi ,1}=M_{\xi }-{\mu }_{\xi }P,I_{\xi ,2}={\lambda }_{\xi }P$, $V_{\xi ,j}={\mu }_{\xi }{b}_{\xi ,j}(0⩽j⩽m)$, and thus $W_{\xi }=\{w_{\xi ,1},w_{\xi ,2},\cdots ,w_{\xi ,m}\}$’s keyword ciphertext is $I_{W_{\xi }}=\{I_{\xi ,1},I_{\xi ,2},V_{\xi ,0},V_{\xi ,1},\cdots ,V_{\xi ,m}\}$. B returns the challenge ciphertexts $I_{W_{\xi }}$ to the adversary $A_2$.

Phase 2: Attacker $A_2$ can continue to execute various queries, but there is a limitation that attacker $A_2$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_2$ returns ${\xi }^{\prime }$.

Solve the ECDDDH problem. If ${\xi }^{\prime }=\xi$, B returns 1. Otherwise, 0. If $X=abP$, then

$t=({\displaystyle \sum _{k=1}^d}{x}_k+x{l}_1+{\displaystyle \sum _{k=2}^d}{e}_k)P_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{R}_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{l}_u^{⟡}{P}_{pub}+X$

$t=({\displaystyle \sum _{k=1}^d}{x}_k+{\displaystyle \sum _{k=1}^d}{e}_k)P_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{R}_u^{⟡}+{\displaystyle \sum _{k=1}^d}{x}_k{l}_u^{⟡}{P}_{pub}$

$=(x_0+e_0)P_u^{⟡}+x_0{R}_u^{⟡}+x_0{l}_u^{⟡}{P}_{pub}$

Therefore, $I_{W_{\xi }}$ is a valid keyword ciphertext. Suppose that the advantage of $A_2$ wins in the above game is $\epsilon$, so

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $I_{W_{\xi }}$ is an invalid keyword ciphertext. $A_2$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_u$, $q_r$, $q_s$ be the number of user public key queries, Replace-Public-Key queries, and Secret-Value queries, respectively. The two events are as follows:

${\pi }_1$: $A_2$ did not replace $I{D}_u^{⟡}$’s public key $P_u^{⟡}$ nor perform the Secret-Value query for $I{D}_u^{⟡}$.

${\pi }_2$: $I{D}_u^{*}=I{D}_u^{⟡}$.

It is not hard to obtain the following results.

$Pr\left[{\pi }_1\right]=\frac{q_u-q_r-q_s}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_u-q_r-q_s}$,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_2$ has an $\epsilon$ advantage to win the game, then B has a probability greater than $\frac{\epsilon }{q_u}$ to determine whether $X=abP$. □

Theorem 2.

Our CLVPFC-PEKS scheme is CKCA-CIND secure in a standard model if the ECDDDH problem is hard.

Proof. 

Theorem 2 holds from Lemma 1 and Lemma 2. □

Lemma 3.

Assuming the adversary $A_1$ can win Game 3, then algorithm B can be constructed to solve the ECDDDH problem.

Proof. 

Suppose that the tuple $(P,aP,bP,X)$ is an example of an ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Setup: B runs the setup $\left(1^k\right)$ program to obtain the public parameters $\mathsf{\Omega }=\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where $msk=\left\{x\right\}$ and $P_{pub}=xP$. Then, B randomly selects $r_u,x_C,r_C\in Z_q^{*}$, and sets

$P_u=aP$, $R_u=r_{u}P$$P_C=x_{C}P$, $R_C=r_{C}P$,

$e_C=r_C+x{H}_0(I{D}_C,R_C,P_C)modq$,

$e_u=r_u+x{H}_0(I{D}_u,R_u,P_u)modq$ .

B sends $\mathsf{\Omega }$, $P{K}_u$ and $P{K}_C$ to $A_1$, but $S{K}_u$ and $S{K}_C$ are unknown to $A_1$.

Phase 1: Execute the user’s public key query before other queries using the identity $I{D}_i$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list $L_o$ of the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$, and upon receiving an identity $I{D}_i$, performs the following steps.

Case 1. $I{D}_i=I{D}_i^{⟡}$, B randomly chooses a number $x_i^{⟡}\in Z_q^{*}$, setting $P{K}_i^{⟡}=(x_i^{⟡}P,bP)$, and adds the tuple $(I{D}_i^{⟡},x_i^{⟡}P,x_i^{⟡},bP,⟡)$ to the list $L_o$, where ⟡ represents a null value.

Case 2. $I{D}_i\ne I{D}_i^{⟡}$, B randomly chooses two different numbers $x_i,r_i\in Z_q^{*}$, setting $P{K}_i=(x_{i}P,r_{i}P)$, and adds the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$ to the list $L_o$.

Replace-Public-Key query: Same as in Lemma 1.

Secret-Value query: Same as in Lemma 1.

Partial-Private-Key query: B establishes a list $L_e$ of tuple $(I{D}_j,e_j)$ when $A_1$ asks for the partial private key of $I{D}_j$. If $I{D}_j=I{D}_i^{⟡}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_o$, and runs the Extract-Partial-Private-Key algorithm, generating $e_j$. B outputs $e_j$ and adds $(I{D}_j,e_j)$ to the list $L_e$.

Keyword Ciphertext Query: Same as in Lemma 1.

Keyword Trapdoor Query: Same as in Lemma 1.

Test Query: Same as in Lemma 1.

Challenge: $A_1$ submits a tuple $(W_0^{\prime },W_1^{\prime },\{I{D}_1*,\cdots ,I{D}_d*\},\{P{K}_1*,\cdots ,P{K}_d*\})$, where $W_0^{\prime }=\{w_{0,1}^{\prime },w_{0,2}^{\prime },\cdots ,w_{0,l}^{\prime }\}$ and $W_1^{\prime }=\{w_{1,1}^{\prime },w_{1,2}^{\prime },\cdots ,w_{1,l}^{\prime }\}$ are challenging keywords that are not requested in the previous trapdoor and keyword ciphertext query. If $I{D}_i^{⟡}\notin \{I{D}_1*,I{D}_2*,\cdots ,I{D}_d*\}$, B aborts. Otherwise, $I{D}_i^{⟡}\in \{I{D}_1*,I{D}_2*,\cdots ,I{D}_d*\}$. Without losing generality, it is better to set $I{D}_1^{*}$ as $I{D}_i^{⟡}$. B calculates ${l_0}^{*}={\displaystyle \sum _{i=1}^d}{H}_0(I{D}_i^{*},R_i^{*},P_i^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t=e_u{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=2}^d}{x}_i*aP+{\displaystyle \sum _{i=1}^d}{r}_i*aP+l_0*xaP+X$

B selects an element ${\eta }_{\xi }{\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and sets $T_{{W^{\prime }}_{\xi ,m+1}}={\eta }_{\xi }P$,

$T_{{W^{\prime }}_{\xi ,j}}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_{\xi ,j}\right)}^{j}P+{\eta }_{\xi }{P}_C$, where $0⩽j⩽m$. Finally, B sends $T_{W_{\xi }^{\prime }}=\{T_{{w^{\prime }}_{\xi },0},T_{{w^{\prime }}_{\xi },1},\cdots ,T_{{w^{\prime }}_{\xi },m},T_{{w^{\prime }}_{\xi ,m+1}}\}$ to the adversary $A_1$.

Phase 2: Attacker $A_1$ can continue to execute various queries, but there is a limitation that attacker $A_1$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_1$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=e_u{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=1}^d}{x}_i*aP+{\displaystyle \sum _{i=2}^d}{r}_i*aP+l_0*xaP+X$

$=(x_u+e_u)P_0^{*}+{\displaystyle \sum _{i=2}^d}{r}_i*aP+x_u{l}_0^{*}{P}_{pub}+abP$

$=(x_u+e_u)P_0^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$.

Therefore, $T_{W_{\xi }^{\prime }}$ is a valid keyword ciphertext. Suppose that the advantage of $A_1$ winning in the above game is $\epsilon$. So,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $T_{W_{\xi }^{\prime }}$ is an invalid trapdoor. $A_1$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_o$, $q_r$, and $q_e$ be the number of the User public key queries, Replace-Public-Key queries, and Partial-Private-Key queries, respectively. The two events are as follows:

${\pi }_1$: $A_1$ did not replace $I{D}_i^{⟡}$’s public key $R_i^{⟡}$ and queries the partial-private-key for $I{D}_i^{⟡}$.

${\pi }_2$: $I{D}_1^{*}=I{D}_i^{⟡}$.

It is not hard to obtain the following results.

$Pr\left[{\pi }_1\right]=\frac{q_o-q_r-q_e}{q_o}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_o-q_r-q_e}$,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_1$ wins Game 1 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_o}$ to determine whether $X=abP$. □

Lemma 4.

Assuming that adversary $A_2$ can win Game 4, then algorithm B can be constructed to solve the ECDDDH problem.

Proof. 

Suppose that the tuple $(P,aP,bP,X)$ is an example of an ECDDDH problem. To determine whether $X=abP$, B will play the part of the challenger.

Setup: B runs the setup $\left(1^k\right)$ program to obtain the public parameters $\mathsf{\Omega }=\{F_q,E/F_q,G_q,P,G,H_0,H_1,H_2,P_{pub}\}$, where $msk=\left\{x\right\}$ and $P_{pub}=xP$. Then, it randomly selects $x_u,x_C,r_C\in Z_q^{*}$, and sets

$P_u=x_{u}P$, $R_u=aP$$P_C=x_{C}P$, $R_C=r_{C}P$,

$e_C=r_C+x{H}_0(I{D}_C,R_C,P_C)modq$,

$e_u=a+x{H}_0(I{D}_u,R_u,P_u)modq$

B sends $\mathsf{\Omega }$, $P{K}_u$, and $(PK,SK)$ to $A_2$, while $S{K}_u$ are unknown to $A_2$.

Phase 1: Execute the user’s public key query before other queries using the identity $I{D}_i$. Set up multiple lists to store the queries and answers. All lists are initially empty.

User public key query: B keeps a list $L_o$ of the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$, and upon receiving an identity $I{D}_i$, performs the following steps.

Case 1. $I{D}_i=I{D}_i^{⟡}$, B randomly chooses a number $r_i^{⟡}\in Z_q^{*}$, setting $P{K}_i^{⟡}=(bP,r_i^{⟡}P)$, and adds the tuple $(I{D}_i^{⟡},bP,⟡,r_i^{⟡}P,r_i^{⟡})$ to the list $L_o$, where ⟡ represents a null value.

Case 2. $I{D}_i\ne I{D}_i^{⟡}$, B randomly chooses two different numbers, $x_i,r_i\in Z_q^{*}$, setting $P{K}_i=(x_{i}P,r_{i}P)$, and adds the tuple $(I{D}_i,x_{i}P,r_{i}P,r_i)$ to the list $L_o$.

Replace-Public-Key query: Same as in Lemma 1.

Secret-Value query: B establishes a list $L_s$ of tuple $(I{D}_j,x_j)$. When $A_2$ asks the secret value of $I{D}_j$, if $I{D}_j=I{D}_i^{⟡}$, B fails and stops. Otherwise, B finds $(I{D}_j,x_{j}P,r_{j}P,r_j)$ in the list $L_o$, and returns $x_j$. If $P{K}_j$ is replaced, B refuses to answer.

Partial-Private-Key query: Same as in Lemma 2.

Keyword Ciphertext Query: Same as in Lemma 1.

Keyword Trapdoor Query: Same as in Lemma 1.

Test Query: Same as in Lemma 1.

Challenge: $A_2$ submits a tuple $(W_0^{\prime },W_1^{\prime },\{I{D}_1*,\cdots ,I{D}_d*\},$$\{P{K_1}^{*},\cdots ,P{K_d}^{*}\})$, where $W_0^{\prime }=\{w_{0,1}^{\prime },w_{0,2}^{\prime },\cdots ,w_{0,l}^{\prime }\}$ and $W_1^{\prime }=\{w_{1,1}^{\prime },w_{1,2}^{\prime },\cdots ,w_{1,l}^{\prime }\}$ are challenging keywords not requested in the previous trapdoor and keyword ciphertext query. If $I{D}_i^{⟡}\notin \{I{D}_1*,I{D}_2*,\cdots ,I{D}_d*\}$, B aborts. Otherwise, without losing generality, it is better to set $I{D}_1^{*}$ as $I{D}_i^{⟡}$. B calculates ${l_0}^{*}={\displaystyle \sum _{i=1}^d}{H}_0(I{D}_i^{*},R_i^{*},P_i^{*})$. B picks $\xi \in \{0,1\}$ randomly, and computes

$t=x_u{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=2}^d}{x}_i*aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=1}^d}{r}_i*ap+x_u{l}_0*P_{pub}+X$

B selects an element ${\eta }_{\xi }{\in }_{\mathrm{R}}{\mathrm{Z}}_q^{*}$ and sets $T_{{W^{\prime }}_{\xi ,m+1}}={\eta }_{\xi }P$,

$T_{{W^{\prime }}_{\xi ,j}}=l^{-1}{h}_2{\left(t\right)}^j{\displaystyle \sum _{r=1}^l}{h}_1{\left({w^{\prime }}_{\xi ,j}\right)}^{j}P+{\eta }_{\xi }{P}_C$, where $0⩽j⩽m$. Finally, B sends $T_{W_{\xi }^{\prime }}=\{T_{{w^{\prime }}_{\xi },0},T_{{w^{\prime }}_{\xi },1},\cdots ,T_{{w^{\prime }}_{\xi },m},T_{{w^{\prime }}_{\xi ,m+1}}\}$ to adversary $A_2$.

Phase 2: Attacker $A_2$ can continue to execute various queries, but there is a limitation that attacker $A_2$ is not allowed to query the keyword ciphertext or trapdoor of $W_0$ or $W_1$.

Guess: $A_2$ returns ${\xi }^{\prime }$.

Solve CDH problem: If ${\xi }^{\prime }=\xi$, B returns 1, otherwise 0. If $X=abP$, then

$t=x_u{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=2}^d}{x}_i*aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P}_i*+{\displaystyle \sum _{i=1}^d}{r}_i*aP+x_u{l}_0*P_{pub}+X$

$=x_u{P}_0^{*}+{\displaystyle \sum _{i=2}^d}{x}_i*aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P}_i*+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}+abP$

$=x_u{P}_0^{*}+{\displaystyle \sum _{i=1}^d}{x}_i*aP+l_{u}x{\displaystyle \sum _{i=1}^d}{P}_i*+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$

$=x_u{P}_0^{*}+(a+l_{u}x){\displaystyle \sum _{i=1}^d}{P}_i*+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$

$=(x_u+e_u)P_0^{*}+x_u{R}_0^{*}+x_u{l}_0^{*}{P}_{pub}$.

Therefore, $T_{W_{\xi }^{\prime }}$ is a valid keyword ciphertext. Suppose that the advantage of $A_2$ winning the above game is $\epsilon$. So,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}+\epsilon$.

If $X\ne abP$, then $T_{W_{\xi }^{\prime }}$ is an invalid keyword ciphertext. $A_2$ has no advantage in distinguishing $\xi =0$ from $\xi =1$. Hence,

$Pr[{\xi }^{\prime }=\xi \left|X=abP\right.]=\frac{1}{2}$.

Probability: Let $q_o$, $q_r$, and $q_s$ be the number of user public key queries, Replace-Public-Key queries, and Secret-Value queries, respectively. The two events are as follows:

${\pi }_1$: $A_2$ did not replace $I{D}_i^{⟡}$’s public key $P_i^{⟡}$ and queries the secret value for $I{D}_i^{⟡}$.

${\pi }_2$: $I{D}_1^{*}=I{D}_i^{⟡}$.

It is not hard to obtain the following results.

$Pr\left[{\pi }_1\right]=\frac{q_o-q_r-q_e}{q_u}$,

$Pr\left[{\pi }_2\left|{\pi }_1\right.\right]=\frac{1}{q_o-q_r-q_e}$,

$Pr[B$$success]=Pr[{\pi }_1\wedge {\pi }_2]=\frac{1}{q_u}$.

If $A_2$ wins Game 4 with an advantage of $\epsilon$, then B has a probability greater than $\frac{\epsilon }{q_o}$ to determine whether $X=abP$. □

Theorem 3.

Our CLVPFC-PEKS scheme is CKA-TIND safe in the standard model if the ECDDDH problem is hard.

Proof. 

Theorem 3 holds from Lemma 3 and Lemma 4. □

Theorem 4.

Under the ECDLP assumption, it is not computationally feasible for the CSS to forge valid proof information through the result verification mechanism.

Proof. 

The malicious CSS cannot forge a valid multi-signature on each returned record and pass the verification. Since it does not have the key of multiple data owners, it is computationally infeasible to forge a valid multi-signature. Therefore, the malicious CSS can only win the next security game by directly generating valid proof information according to the wrong search result $C^{*}$ instead of winning the next security game by forging multiple signatures. But, after the following analysis, this is also impossible.

Assume that the correct keyword ciphertext and its identity are $C=\{{\mathrm{c}}_1,{\mathrm{c}}_2,\cdots ,{\mathrm{c}}_n\}$ and $sig=\{si{g}_1,\cdots ,si{g}_n\}$, where $si{g}_t=\{Y_t,V_t\}$. The malicious CSS may forge wrong proof information $({\varphi }_1^{*},{\varphi }_2^{*})$ on false search results $C^{*}=\{\stackrel{*}{{\mathrm{c}}_{k1}},\stackrel{*}{{\mathrm{c}}_{k2}},\cdots ,\stackrel{*}{{\mathrm{c}}_{ks}}\}$, where

${{\varphi }_1}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{k_{\tau }},P_0)$,

${{\varphi }_2}^{*}={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }}^{*},i{d}_{k_{\tau }}^{*},Y_{k_{\tau }},Q_0)$.

If the forged proof information $({\varphi }_1^{*},{\varphi }_2^{*})$ can successfully pass the result verification mechanism, the malicious CSS will win the security game; otherwise, it will fail. Suppose a malicious CSS wins the game. We then know that

$$\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\varphi }_1^{*}{P}_0+{\varphi }_2^{*}{Q}_0$$

(2)

The proof information of the correct keyword ciphertext C is $({\varphi }_1,{\varphi }_2)$, where

${\varphi }_1={\displaystyle \sum _{\tau =1}^s}{H}_1(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},P_0)$,

${\varphi }_2={\displaystyle \sum _{\tau =1}^s}{H}_2(c_{k_{\tau }},i{d}_{k_{\tau }},Y_{k_{\tau }},Q_0)$.

The signature of the correct keyword ciphertext can pass the verification mechanism, so we have

$$\sigma P={\displaystyle \sum _{\tau =1}^s}{Y}_{k_{\tau }}+{\varphi }_1{P}_0+{\varphi }_2{Q}_0$$

(3)

Subtract equation (2) from equation (3) to obtain

$$({\varphi }_1-{\varphi }_1*)P_0=({\varphi }_2*-{\varphi }_2)Q_0$$

(4)

Because $({\varphi }_1,{\varphi }_2)$ is not equal to $({\varphi }_1^{*},{\varphi }_2^{*})$, then ${\varphi }_1\ne {\varphi }_1^{*}$ or ${\varphi }_2\ne {\varphi }_2^{*}$. Set $∆{\varphi }_1={\varphi }_1-{{\varphi }_1}^{*}$, $∆{\varphi }_2={\varphi }_2-{{\varphi }_2}^{*}$, then $∆{\varphi }_1\ne 0$ or $∆{\varphi }_2\ne 0$. Suppose $∆{\varphi }_1$ is not zero, then $P_0=\frac{∆{\varphi }_2}{∆{\varphi }_1}{Q}_0$. If the probability of $∆{\varphi }_1=0$ is $\frac{1}{q}$, then the probability that we can break the ECDLP problem is $1-\frac{1}{q}$, where q is the length of $G_q$. This means that if the malicious CSS can pass the verification, we can break the ECDLP problem. □

7. Performance Analysis

We will compare our scheme in depth with other certificateless-based or verifiable search schemes on computational complexity, storage overhead, and security.

7.1. Security Comparison

Table 3. Comparison of security of different schemes.

Scheme	RCCA	ROFFKGA	RIKGA	RONKGA	VER	PM
[12]	yes	no	no	no	unknown	SM
VCSE [13]	yes	no	no	no	yes	ROM
VCKSM [14]	unknown	yes	unknown	unknown	yes	SM
VMKS [16]	yes	no	unknown	unknown	yes	SM
VMKDO [15]	yes	yes	no	no	yes	SM
[19]	unknown	no	no	no	-	unknown
mCLPECK [17]	yes	unknown	no	no	-	ROM
ours	yes	yes	yes	yes	yes	SM

details the comparison of our scheme with other schemes in terms of security, where RCCA denotes that the scheme resists the chosen ciphertext attack, ROFFKGA stands for resists the offline keyword guessing attack, RONKGA stands for resists the online keyword guessing attack, RIKGA denotes that the scheme protects against the insider keyword guessing attack, VER denotes that the scheme prevents malicious CSSs from returning incorrect search results, and PM denotes the model used for the proof. In Table 3, yes indicates that the scheme satisfies the property, no implies that it does not meet the property, unknown denotes that it is unknown (the scheme has neither been proven safe nor unsafe because of the lack of security proof), and “-” means that the scheme does not have the feature.

It is clear from Table 3 that our solution has significant security advantages. Specifically, Theorem 2 shows that the new scheme is resistant to the adaptive keyword selection attack in the standard model, i.e., the new scheme is ciphertext-indistinguishable. Theorem 3 shows that our scheme is secure against offline keyword-guessing attacks in the standard model. Theorem 4 shows that our scheme prevents malicious CSSs from returning incorrect search results. Wu et al. [55] constructed a PEKS scheme that can resist online keyword attacks and insider keyword guessing attacks based on the security of the Diffie–Hellman shared secret key. The new scheme’s shared key $t=(x_0+e_0)P_u+x_0{R}_u+x_0{l}_u{P}_{pub}=(x_u+d_u)P_0+x_u{R}_0+x_u{l}_0{P}_{pub}$ is only accessible to the DOs and retrievers. Therefore, any third party other than the retriever and the DO, including external attackers and malicious internal servers, cannot generate the correct keyword trapdoor and ciphertext. In other words, our scheme can resist online and insider keyword-guessing attacks.

Lu et al. [44] demonstrated that if an attacker can generate keyword ciphertext using the public keys of the CSS and the retriever, then they can perform an online keyword-guessing attack on PEKS schemes. Later, Shao et al. [47] pointed out that if the SCF-PEKS scheme can generate keyword ciphertext with only the public keys of the CSS, DO, and retriever, while the insider attacker (malicious CSS) can run both the keyword encryption algorithm and the test algorithm, then the insider attacker can try online keyword guessing attacks on SCF-PEKS scheme. Since the keyword ciphertexts in schemes [12,13,15,17,19] are all generated using public keys, all of them are insecure against insider keyword-guessing attacks and online keyword-guessing attacks.

PEKS schemes typically use keywords selected from a low-entropy keyword space. Therefore, based on this characteristic, offline keyword-guessing attacks can be launched naturally [41]. By performing this attack, any insider/outsider attacker can correctly guess the keywords in a given keyword trapdoor using a testing algorithm. Construct $E^{\prime }={\displaystyle \sum _{i=1}^t}H\left(W_i^{\prime \prime }\right)$, where $W_i^{\prime \prime }$ is the guessed keyword set. Verify that the equation $e(T_2,E^{\prime }g+P{K}_{s.1})=e(e{(P{K}_{C,2},T_1)}^t,g)$ holds. If the above equation is equal, the keyword set $W_i^{\prime }$ contained in $T_2$ in the trapdoor is the same as the guessed keyword set $W_i^{″}$. Therefore, the scheme in [13] is insecure under offline keyword attacks. According to a similar construction idea, the schemes in [12,13,16,19] are also insecure under offline keyword-guessing attacks.

From the above analysis and the security proof in Section 4, we can see that our scheme is resistant to offline keyword guessing attacks and keyword selection attacks in the standard model. Secondly, based on the security of the Diffie–Hellman shared secret key, our scheme is also secure against insider and online keyword-guessing attacks. In other words, of all the schemes, ours is the safest.

7.2. Computational Overhead Comparison

Next, we compare the computational complexity. To compare the computational complexity, we use the operation time of He et al.’s scheme [56] as the benchmark. He et al. tested the time required for the relevant operations in the experimental environment of Samsung Galaxy S5 based on the Android 4.4.2 operating system, quad-core 2.45 G processor, and 2G byte memory.

Table 4. Symbol definition.

Symbols	Definition
$T_{bp}$	Running time required for a bilinear pairing operation, $T_{bp}\approx 32.713$ ms
$T_{htp}$	Running time required for a hash-to-operation, $T_{htp}\approx 33.582$ ms
$T_{sm}$	Running time required for a scalar multiplication operation in $G_1,T_{sm}\approx 13.405$ ms
$T_{exp}$	Running time required for an exponentiation operation in $G_2,T_{exp}\approx 2.249$ ms
$T^{\prime }sm$	Running time required for a scalar multiplication operation in $G,T_{sm}\approx 3.335$ ms
u	Number of data users
d	Number of data owners
m	Number of keywords in index
l	Number of keywords contained in trapdoor
n	Number of ciphertexts
s	Number of search keywords

shows the exact running time and symbols of the various operations. The mapping $e:G_1\times G_1\to G_2$ is a bilinear pair, where $G_1$ is an additive group of singular elliptic curves of order p defined on a finite field $F_q$, and $G_2$ is a multiplicative group of order p. The lengths of p and q are 512 bits and 160 bits, respectively. G is an additive group of non-singular elliptic curves of order q defined on the prime finite field $F_q$. The length of p and q is 160.

Because no SE scheme requires pairing and supports conjunctive keywords, we selected five SE schemes with similar functionalities for comparison. The results are shown in

Table 5. Comparison of calculation complexity of various schemes.

Scheme	KeyGen	Enc	Trap	Search	Verify
VCKSM [14]	$(u+d+1)T_{sm}$	$(2nd+n(m+2))T_{sm}+2n{T}_{exp}+2n{T}_{bp}+n{T}_{htp}$	$3T_{sm}$	$(n+3)T_{sm}+(n(m+1)+1)T_{bp}$	$(2s+1)T_{sm}+s{T}_{htp}+2T_{bp}$
VMKS [16]	$(5u+5d)T_{sm}+(u+d)T_{htp}$	$n{T}_{htp}+(6n+mn)T_{sm}$	$(s+5)T_{sm}$	$4n{T}_{bp}$	$(s+2)T_{sm}+s{T}_{htp}+3T_{bp}$
VCSE [13]	$(2u+1)T_{sm}$	$n(m+2)T_{exp}+3n{T}_{sm}+2n{T}_{bp}$	$T_{sm}+T_{exp}$	$2n{T}_{sm}+3n{T}_{exp}+4n{T}_{bp}$	$2s{T}_{sm}+3s{T}_{exp}+4s{T}_{bp}$
mCLPECK [17]	$2u{T}_{sm}$	$2un{T}_{sm}+2nm{T}_{exp}+2nm{T}_{htp}$	$2s{T}_{htp}+3T_{sm}$	$3n{T}_{bp}$	—
VMKDO [15]	$(d+1)T_{sm}$	$(3nm+2n+3)T_{sm}+3n{T}_{exp}+n{T}_{htp}+3T_{bp}$	$2T_{sm}$	$2n{T}_{sm}+2n{T}_{bp}+n{T}_{exp}$	$(2s+1)T_{sm}+2T_{bp}+s{T}_{htp}$
ours	$(2d+2u+1)T^{\prime }\mathrm{sm}$	$[nd+n(m+4)]T^{\prime }sm$	$6T^{\prime }sm$	$(1+n+nm)T^{\prime }sm$	$3T^{\prime }sm$

. Because each scheme has different settings, making direct horizontal comparisons is difficult. To ensure objectivity, we have established uniform parameter standards for comparison. The details are as follows: we assume that there are d data owners, u data consumers, n ciphertexts, m keywords contained in the keyword ciphertexts, l keywords contained in the trapdoors, and s keywords contained in the keyword ciphertexts obtained after the query. For algorithms that are not involved, we mark them with “-” in Table 5.

The data presented in Table 5 are theoretical calculations, but to more accurately evaluate the actual performance of our solution, we also need to simulate real-world scenarios. In the real world, there is a larger dataset and more participants. Therefore, it is worthwhile to set the number of ciphertexts from 1 to 100,000 ($n\in [1,100000]$), the number of data owners (d), the number of keywords contained in trapdoors (l), and the number of data ciphertexts contained in query results (s) from 1 to 10,000.

The KeyGen algorithm’s computational overhead for VCKSM [14], VMKS [16], and our scheme is affected by d and u, while the computational overhead of VCSE [13] is only affected by d. This is because the VCSE scheme’s signing is performed with the system’s private key and does not utilize the user’s private key. Additionally, the computational overhead of VMKDO [15] is only influenced by u, as the keyword encryption of VCSE [13] is performed using the CSS’s public key and not the user’s public key. For comparison, assume $d=u$. Figure 3a illustrates that VMKS [16] has a much higher computational overhead in KeyGen compared to the other schemes. Our scheme and VMKDO [15] have roughly equal computational overhead in KeyGen and outperform the others.

In Figure 3b, we evaluate the computational burden of the Enc algorithm in these schemes by varying the number of ciphertexts from 1 to 100,000 ($n\in [1,100000]$), assuming $u=d=100$ and $m=n$. The computational overhead of the Enc algorithm for all the schemes almost increases with the number of n. Note that the mCLPECK [17] scheme has a much higher computational overhead in the Enc algorithm than the other schemes; our scheme and the VCSM [13] scheme have roughly equal computational overheads in the Enc algorithm, and both outperform the others.

In the Trap algorithm, the computational overhead of the VCKSM [14] scheme with the mCLPECK [17] scheme is affected by l, and both grow linearly with l, whereas the computational overheads of the other schemes are fixed values. In Figure 3c, we evaluate the computational burden of the Trap algorithm by varying the number of keywords included in the trapdoor from 1 to 10,000 ($l\in [1,10000]$). Note that the computational overheads of the VMKS scheme and the mCLPECK [17] scheme in the Trap algorithm are much higher than those of the other schemes; the computational overheads of our scheme and the VCSM [13] scheme in the Trap algorithm are roughly equal, and both outperform the others.

In the Search algorithm, the computational overhead of the VCKSM [14] scheme and our scheme is affected by n and m, while the other schemes are only affected by n. In Figure 3d, for ease of discussion, we assume $m=n$ and evaluate the computational burden of the Search algorithm by varying the number of data owners from 1 to 10,000 ($d\in [1,10,000]$). It can be seen that the computational overhead of all schemes almost always increases with n. Note that the computational overhead of the VCKSM [14] scheme with our scheme in the Search algorithm is slightly higher than that of the other schemes, which are roughly equal.

In the Verify algorithm, the computational overhead of all schemes except ours is affected by s. The computational overhead of our scheme is a fixed value, and the other schemes grow linearly with s. In Figure 3e, we evaluate the computational overhead of the Verify algorithm by varying the number of data ciphers contained in the query results from 1 to 10,000 ($s\in [1,10,000]$). Note that the computational overhead of the VCSE [13] scheme in Verify’s algorithm is higher than that of the other schemes, while the computational overhead of our scheme is fixed. As l1 becomes larger, our scheme is more advantageous.

To sum up, except for the Search algorithm, our scheme has a lower storage cost in the KeyGen, Trap, and Verify algorithms than the other five schemes, among which our scheme has a much lower storage cost in the Verify algorithm than the other schemes. Considering the storage costs of all algorithms, our solution has the lowest storage cost of all solutions.

7.3. Storage Cost Comparison

Below, we compare storage costs. Let $|G_1|$, $|G_2|$, $\left|G\right|$, and $|Z_q|$ represent the sizes of elements in $G_1$, $G_2$, G, and $Z_q$, respectively. Then $|G_1|=G_2$= 512 bytes, $\left|G\right|$ = 160 bytes, and $|Z_q|$ = 160 bytes. If the conjunctive keyword-searchable encryption scheme has no verification function, fewer signatures for the keyword ciphertext will be stored. Therefore, we select only verifiable conjunctive-keyword-searchable encryption schemes to compare the size of storage costs.

Table 6. Storage cost comparison.

Scheme	KeyGen	Trap	Search	Verify
VCKSM [14]	$(d+u+1)\left(\right|Z_p|+|G_1\left|\right)+|G_1|$	$(m+2)|G_1|+2|Z_p|$	$(m+3)|G_2|+|G_1|$	$(s+1)|Z_p|+|G_1|+2|G_2|$
VMKS [16]	$2(u+d)\left(\right|Z_p|+|G_1\left|\right)$	$(l+5)|G_1|+l|Z_p|$	$(l+2)|G_1|+4|G_2|$	$(s+2)|G_1|+(s+1)|Z_p|+3|G_2|$
VCSE [13]	$(u+1)\left(\right|Z_p|+|G_1|+|G_2\left|\right)$	$(l+1)\left(\right|Z_p|+|G_1\left|\right)+|G_1|$	$8|G_2|+2|G_1|$	$2|Z_p|+(2s+3)|G_1|+2|G_2|$
VMKDO [15]	$(2d+1)|G_1|+(d+1)|Z_p|$	$|G_1|+(l+1)|Z_p|$	$2|G_1|+3|G_2|$	$|Z_p|+(2s+1)|G_1\left|\right)+2|G_2|$
our	$(u+d+1)\left(\right|Z_p|+|G\left|\right)$	$(m+6)\left|G\right|$	$(m+2)\left|G\right|$	$3|Z_p|+6|G|$

illustrates the comparison results.

In the KeyGen algorithm, the storage costs of VCKSM [14], VMKS [16], and our scheme are all affected by d and u, while the storage cost of the VCSE scheme is only affected by d and the storage cost of VMKDO [15] is only affected by u. For the sake of discussion, we assume $d=u$. So, the storage cost for all scenarios grows linearly with u. Since $|Z_q|=|G|=\frac{1}{2}|G_1|,|G_2|=|G_1|$, our solution has the lowest storage cost of all.

In the Trap algorithm, the storage cost of VCKSM [14] and our scheme is affected by m1, while the storage cost of VMKS [16], VCSE [13], and VMKDO [15] is affected by l. For the sake of discussion, we assume $l=m$. Then, all the above schemes increase linearly with m. Since $|Z_q|=|G|=\frac{1}{2}|G_1|,|G_2|=|G_1|$, our solution, VCSE [13], and VMKDO [15] are approximately the same and much lower than VCKSM [14] and VMKS [16].

In the Search algorithm, the storage cost of VCKSM [14] and our scheme is affected by m, the storage cost of VMKS [16] is only affected by l, and the storage cost of VCSE [13] and VMKDO [15] is a fixed value. For the sake of discussion, we assume $l=m$. Then, VCKSM [14], VMKS [16], and our scheme increase linearly with l. Because $|Z_q|=|G|=\frac{1}{2}|G_1|,|G_2|=|G_1|$, VCKSM [14], and VMKS [16] have the highest storage costs, our solution is second, and VCSE [13] and VMKDO [15] have the lowest storage cost.

In the Search algorithm, the storage costs of VCKSM [14] and our scheme are affected by m, the storage cost of VMKS [16] is only affected by l, and the storage costs of VCSE [13] and VMKDO [15] are fixed. For the sake of discussion, let us assume $l=m$. Then, VCKSM [14], VMKS [16], and our scheme all increase linearly with l. Because $|Z_q|=|G|=\frac{1}{2}|G_1|,|G_2|=|G_1|$, VCKSM [14] and VMKS [16] have the highest storage costs, our solution is second, and VCSE [13] and VMKDO [15] have the lowest storage cost. In the Verify algorithm, the storage cost of all schemes except ours is affected by s. Therefore, the storage cost of their solutions increases linearly with s, and the storage cost of our solution is a fixed value. As a result, our solution has significantly lower storage costs than others.

To sum up, except for the Search algorithm, our scheme has a lower storage cost in all the algorithms (KeyGen, Trap, and Verify) than the other five schemes, among which our scheme has a much lower storage cost in the Verify algorithm than the other schemes. Considering the storage costs of all algorithms, our solution has the lowest storage cost of all solutions.

7.4. Comparison of Communication Costs

Finally, we compare the communication costs. If the conjunctive keyword-searchable encryption scheme has no verification function, the communication cost does not need to consider the signature communication cost in the communication cost. Therefore, we only select the conjunctive keyword-searchable encryption schemes that support verifiability for comparison.

Table 7. Comparison of communication costs.

Scheme	Index Size	Signature Size	Trapdoor Size	Total Size
VCKSM [14]	$n(m+2)|G_1|+n|G_2|$	$n|G_1|$	$(m+2)|G_1|+|Z_q^{*}|$	$n(m+3)|G_1|+(m+2)|G_1|+n|G_2|+|Z_q^{*}|$
VMKS [16]	$n(m+4)|G_1|$	$n|G_1|$	$5|G_1|+|Z_q^{*}|$	$n(m+5)|G_1|+5|G_1|+|Z_q^{*}|$
VCSE [13]	$n(m+2)|G_2|$	$n|G_1|$	$|G_1|+|G_2|+|Z_q^{*}|$	$n(m+2)|G_2|+(n+1)|G_1|+|G_2|+|Z_q^{*}|$
VMKDO [15]	$n(m+2)|G_1|+2n|G_2|$	$n|G_1|$	$|G_1|+2|Z_q^{*}|$	$n(m+3)|G_1\left|\right)+2n|G_2|+|G_1|+2|Z_q^{*}|$
ours	$n(m+3)\left|G\right|$	$n\left|G\right|$	$(m+2)\left|G\right|$	$n(m+4)\left|G\right|+(m+2)\left|G\right|$

shows the comparison results.

As shown in Table 7, our scheme has the shortest signature length. The signature lengths of the other schemes are the same. VMKS [16] and VMKDO [15] have the longest index lengths because they are at least 5 bytes larger than the other schemes. The index lengths of the others are roughly the same. The trapdoor lengths of VCKSM [14] are the longest, followed by our scheme, and the shortest is of the VMKDO [15] scheme. Assuming $m=n$, we compare the total communication cost of these schemes in Figure 3(f). According to Figure 3f, the total communication cost of our scheme is lower than the total communication cost of all schemes.

Overall, our solution is more efficient than others in computation, storage, and communication. Most importantly, it excels in security.

8. Conclusions

This article proposes a novel certificateless, verifiable, bilinear, pair-free, conjunctive keyword search encryption scheme (CLVPFC-PEKS), aiming to provide a secure and efficient data search method for the Internet of Things healthcare (IoMT) field. Our solution solves the problems in existing public key searchable encryption technologies, such as low computational efficiency and susceptibility to keyword guessing attacks. We have demonstrated under the standard model that the CLVPFC-PEKS scheme can resist both choosen keyword and ciphertext attacks and offline keyword guessing attacks, and based on the security of the Diffie–Hellman shared secret key to demonstrate that the CLVPFC-PEKS scheme can resist online/internal keyword guessing attacks. In addition, we also conducted a detailed analysis of the performance of the scheme. The results indicate that our scheme has significant advantages in terms of security, computational complexity, storage overhead, and communication costs compared to existing schemes. Overall, our solution provides a new solution for secure and efficient data search in the medical Internet of Things, meeting the urgent needs for data security and privacy protection.