1. Introduction
In the wake of the rapid universal application of cloud storage, a growing number of enterprises and users are choosing to preserve the data in the cloud. The cloud provides users with more efficient and flexible data services while reducing the cost of data storage. Nevertheless, the cloud storage servers are untrusted for the data owners. Therefore, the data owners may choose to encrypt the data and upload the ciphertexts to the cloud storage server. But as a result, users face the question of how to retrieve the ciphertexts. The user can choose to download all ciphertexts to the local storage, and retrieve the data plaintexts after decryption. This method is obviously inefficient. It not only requires high communication and computation overhead, but also takes up a lot of local storage space. Another method is that the user sends the storage server the decryption key, then the storage server decrypts the ciphertexts and searches on the plaintexts, which obviously loses the meaning of encryption.
In order to handle the ciphertext retrieval issue, searchable encryption was proposed [1]. Searchable encryption allows users to retrieve the ciphertexts by keywords without revealing any information about the plaintexts. It can be implemented over symmetric encryption or public key encryption. In 2000, Song et al. [1] first brought a symmetric searchable encryption scheme. Subsequently, many improved symmetric searchable encryption schemes [2-6] were devised. Although these symmetric searchable encryption schemes have high execution efficiency, they encounter the difficulty in key distribution. The mechanism of public key encryption with keyword search (PEKS), invented by Boneh et al. [7], allows a ciphertext receiver to authorize a storage server to verify whether the ciphertexts sent to them contain specific keyword(s). In PEKS, a user sends the encrypted data to a storage server. If a recipient intends to get some data ciphertexts that involve a specific keyword w, it can produce a search token Tw of the keyword w by its own secret key. Then the recipient sends the storage server the search token Tw. Once receiving Tw, the storage server can use the search token to match the ciphertexts without decryption. In the end, the storage server sends the retrieved ciphertexts to the recipient. After the concept of PEKS was put forward, various PEKS schemes and variants have been proposed [8-19]. In PEKS, the search tokens need to be conveyed over secure channels to the storage server. If the search tokens are captured by the attacker, then the indistinguishability of the keyword ciphertexts will be broken. Nevertheless, it is costly to establish a secure channel, especially over an open network. In [20], Beak et al. introduced the framework of secure channel free PEKS (SCF-PEKS) which does not require transmitting the search tokens through secure channels. In SCF-PEKS, the user needs to use both the public keys of the recipient and the designated storage server to encrypt the keyword to create the keyword ciphertext. Thus, only the designated server can execute the search operation by its secret key. Due to the characteristic of no secure channel, several SCF-PEKS schemes have also been presented [21-26]. Apart from this, some works [27-33] introduced PEKS into other public key cryptosystems.
The security of a cryptosystem mainly depends on the confidentiality of secret keys. Once a secret key is leaked, the security of entire cryptosystem may not be guaranteed. However, cryptographic computations are often performed on some relatively insecure devices which cannot guarantee the secrecy of secret keys. Therefore, key disclosure seems to be inevitable. To overcome the key disclosure issue in PEKS setting, Anada et al. [34] put froward the concept of key-updatable PEKS (KU-PEKS). They also gave a generic KU-PEKS construction that combines a PEKS scheme with a public key encryption (PKE) scheme. In KU-PEKS, each user can update his/her public and secret keys as the system runs. Once re-keying occurs, the cloud server refreshes the ciphertexts stored on it by the decrypt-then-encrypt operations. Up to now, KU-PEKS is the only framework supporting the key update function in PEKS setting.
1.1 The Motivation and Contributions
Although KU-PEKS realizes the key update function in PEKS, it suffers from three security weaknesses.
1) KU-PEKS does not provide privacy-preserving ciphertext update function on the storage server. As we know, it is required that a keyword search encryption scheme should protect the keyword privacy. However, the KU-PEKS scheme proposed in [34] completely exposes the keyword information to the storage server when implementing ciphertext update. To update the ciphertexts, the storage server in KU-PEKS should first decrypt the old ciphertexts to get the encrypted keywords, and then re-encrypt the keywords using the new public key to produce the new keyword ciphertexts. Therefore, KU-PEKS fails in protecting the privacy of keywords.
2) KU-PEKS should transmit the search tokens secretly. In order to successfully retrieve the desired ciphertext, a user in KU-PEKS should send a search token to the storage server. However, the user should use a secure channel to transmit the search token. If not, the search token may be intercepted by an adversary and then is used to break the keyword ciphertext indistinguishability. Therefore, KU-PEKS is not suitable for the scenarios where establishing a secure channel is difficult or impossible.
3) KU-PEKS did not consider the search token indistinguishability. As Rhee et al. pointed out in [24], a PEKS scheme should meet the indistinguishability of keyword ciphertext/search token. If a PEKS scheme does not have the search token indistinguishability, it can’t endure the keyword guessing attack by the outside attacker (OUT-KGA). In [34], Anada et al. constructed the KU-PEKS scheme by integrating a PEKS scheme into a PKE scheme. Unfortunately, the vast majority of PEKS schemes were not proven to be search token indistinguishable. Therefore, the KU-PEKS scheme proposed in [34] is fragile to the OUT- KGA.
In this work, a privacy-preserving key-updatable public key searchable encryption scheme is devised. The presented scheme surmounts the weaknesses in the existing KU-PEKS framework and supports the ciphertext sharing function that is not considered in Anada et al.’s KU-PEKS scheme. Specifically, the contributions are as below:
1) A new PEKS framework called key-updatable and ciphertext-sharable PEKS (KU-CS- PEKS) is proposed. Compared with KU-PEKS, the proposed framework enjoys the following three merits. Firstly, KU-CS-PEKS provides privacy-preserving ciphertext update function on the storage server. To update the ciphertexts without decryption, proxy re-encryption [36–37] is incorporated into the framework. Since the storage server is absolutely ignorant of the keywords encrypted in the keyword ciphertexts during ciphertext updating, KU-CS-PEKS effectively protects the privacy of the keywords. Secondly, KU-CS-PEKS removes the requirement of secure channel in search token transmission. KU-CS-PEKS employs a designated storage server to perform the match-testing operation by its secret key. Since the outside attacker cannot run the testing operation, it cannot break the indistinguishability of keyword ciphertext even if it intercepts the corresponding search token. Therefore, a public channel can be used to transmit the search tokens. Thirdly, KU-CS-PEKS offers the ciphertext sharing function. In KU-PEKS, only the data owner can access the ciphertexts. However, in practice, the data owner often needs to share his/her ciphertexts to other users. In KU-CS- PEKS, by authorizing the storage server to act as a re-encryption proxy, the data owner can share his/her ciphertexts with others. In this way, the authorized users also can access and retrieve the re-encrypted ciphertexts on the storage server. After giving the framework of KU- CS-PEKS, the security model of KU-CS-PEKS is formalized, which captures both the indistinguishability of keyword ciphertext and search token.
2) A concrete KU-CS-PEKS scheme is developed. The security proofs show that: i) under the hardness assumption of the bilinear Diffie-Hellman inversion (BDHI) problem [38], it satisfies the original ciphertext indistinguishability and the re-encryption ciphertext indistinguishability; ii) under the hardness assumption of the hash Diffie-Hellman (HDH) problem [39], it satisfies the data owner’s search token indistinguishability and the authorized user’s search token indistinguishability. In addition, the KU-CS-PEKS scheme is compared with the existing KU-PEKS scheme to show its merits and applicability.
2. Preliminaries
In this section, some preliminaries that used in the paper are reviewed.
Assuming that G and GT denote two multiplicative cyclic groups both with a prime order p, g denotes a random generator of G, and e: G × G → GT is a bilinear map satisfying the following characteristics:
(1) Bilinearity: ∀m, n ∈ G and x, y ∈ Z*p , e(mx, ny) = e(m, n)xy.
(2) Non-degeneracy: ∃m, n ∈ G, e(m, n) ≠ 1.
(3) Computability: ∀m, n ∈ G, e(m, n) can be calculated by an efficient algorithm.
Definition 1. The BDHI problem is: Inputting two elements (g, gα), to calculate e(g, g)1/α, where α ∈ Zq.
Definition 2. The HDH problem is: Inputting four elements (g, gα, gβ, H(gγ)) ∈ G × G × G × {0, 1}hlen and a hash function H: G → {0, 1}hlen, to output “1” if αβ = γ or “0” otherwise, where α, β, γ ∈ Z*p and hlen ∈ Z+.
3. Framework and security model of KU-CS-PEKS
3.1 Framework definition
A KU-CS-PEKS scheme includes four entities: a global parameter generator (GPG), a designated storage server, a data owner and an authorized user. The GPG is responsible for producing the global parameters for the whole system. The data owner produces the keyword ciphertext as well as the data ciphertext, then transmits the keyword ciphertext and the data ciphertext to the designated storage server. The data owner also generates both the update key and the re-encryption key which are transmit to the designated storage server. When receiving an update key or a re-encryption key, the designated storage server can update or re-encrypt the ciphertexts. When the designated storage server gets a search token from the data owner or the authorized user, it seeks out and returns all matching data ciphertexts.
Definition 3. A KU-CS-PEKS scheme is specified by ten algorithms that are shown below:
(1) GlobalSetup(λ): Given as input a security parameter λ, the GPG executes the algorithm and outputs a set of global parameters gp.
(2) KeyGenserver(gp): Given gp, the designated storage server executes this algorithm to produce a pair of public/secret keys (PKS, SKS).
(3) KeyGenuser(gp): Given gp, the user (either a data owner or an authorized user) executes the algorithm to produce a pair of public/secret keys (PKU, SKU). In the following paper, the public/secret key pairs of a data owner in two different time periods i and j are denoted by (PKDO, i, SKDO, i) and (PKDO, j, SKDO, j) respectively, the public/secret key pair of an authorized user is (PKAU, SKAU) .
(4) KWCiphertextGen(gp, w, PKS, PKDO, i): Given gp, a keyword w, the designated storage server’s public key PKS and the data owner’s public key PKDO, i, the data owner executes this algorithm to produce a keyword ciphertext CTWDO, i which is valid only in the time period i.
(5) UpdateKeyGen(gp, SKDO, i, SKDO, j): Given gp, two secret keys SKDO, i and SKDO, j in two different time periods i and j, the data owner executes this algorithm to produce an update key uki→j. The update key uki→j is then sent to the designated storage server.
(6) CiphertextUpdate(gp, uki→j, CTw DO, i ): Given gp, an update key uki→j and a keyword ciphertext CTW DO, i in the time period i, the designated storage server executes this algorithm to produce an update ciphertext CTWDO , j for the time period j.
(7) ReKeyGen(gp, SKDO, j, SKAU): Given gp, the data owner’s secret key SKDO, j and the authorized user’s secret key SKAU, the data owner and the authorized user executes this algorithm to produce a re-encryption key rkDO→AU in an interactive manner.
(8) CiphertextShare(gp, CTWDO , j , rkDO→AU): Given gp, a keyword ciphertext CTWDO , j and a reencryption key rkDO→AU, the designated storage server executes this algorithm to produce a shared keyword ciphertext CTWAU . Note that the keyword ciphertext CTWAU is encrypted under the authorized user’s public key PKAU and the designated storage server’s public key PKS.
(9) SearchTokenGen(gp, w′, PKS, SKU): Given gp, a keywordw′, the designated storage server’s public key PKS and a secret key SKU, the data owner or the authorized user executes the algorithm to produce a search token T w′, where SKU is either SKDO,j or SKAU.
(10) Test(gp, CTw, T w′, SKS): Given gp, a keyword ciphertext CTw, a search token T w′and the designated storage server’s secret key SKS, the designated storage server executes this algorithm to output 1 if CTw matches Tw′ (i.e., w = w′ )or 0 else, where CTw is either CTw is either CTWDO , j or CTWAU .
If the following formulas are satisfied for any keyword w, then a KU-CS-PEKS scheme is correct.
(1) If gp ← GlobalSetup(λ), (PKS, SKS) ← KeyGenserver(gp), (PKDO, i, SKDO, i) ←KeyGenuser(gp), (PKDO, j, SKDO, j) ← KeyGenuser(gp), CTW DO, i ← KWCiphertextGen(gp, w, PKS, PKDO, i), uki→j ← UpdateKeyGen(gp, SKDO, i, SKDO, j), CTWDO,i ← CiphertextUpdate(gp, uki→j, CTWDO,i ),rkDO→AU ← ReKeyGen(gp, SKDO, j, SKAU), CTWAU ← CiphertextShare(gp, CTWDO,i,rkDO→AU), ← SearchTokenGen(gp, w, PKS, SKDO, j), then 1 ← Test(gp, CTWDO,i , Tw, SKS);
(2) If gp ← GlobalSetup(λ), (PKS, SKS) ← KeyGenserver(gp), (PKDO, i, SKDO, i) ←KeyGenuser(gp), (PKDO, j, SKDO, j) ← KeyGenuser(gp), (PKAU, SKAU) ← KeyGenuser(gp),CTWDO,i ← KWCiphertextGen(gp, w, PKS, PKDO, i), uki→j ← UpdateKeyGen(gp, SKDO, i, SKDO, j), ← CTWDO,i ← CiphertextUpdate(gp, uki→j, CTWDO,i ), rkDO→AU ← ReKeyGen(gp, SKDO, j, SKAU), CTWDO,i ← CiphertextShare(gp, CTWDO,i , rkDO→AU), Tw ← SearchTokenGen(gp, w, PKS, SKAU), then 1 ←Test(gp, CTWAC , Tw, SKS).
3.2 Security definitions
A KU-CS-PEKS scheme should meet the indistinguishability of keyword ciphertext/search token. To formalize the security definitions of KU-CS-PEKS, four adversarial games (Game 1 ~ Game 4) between an adversary Ai (i = 1, 2, 3, 4) and a challenger B are defined, where the adversary Ai is either a malicious designated storage server or an outsider attacker. Game 1 defines the original keyword ciphertext indistinguishability under the adaptively chosen keyword attack (OKC-IND-CKA). Game 2 defines the re-encryption keyword ciphertext indistinguishability under the adaptively chosen keyword attack (RKC-IND-CKA). Game 3 defines the data owner’s search token indistinguishability under the adaptively chosen keyword attack (DOST-IND-CKA). Game 4 defines the authorized user’s search token indistinguishability under the adaptively chosen keyword attack (AUST-IND-CKA).
Game 1 (OKC-IND-CKA): In this game, B plays with A1 who models a designated storage server or an outsider attacker as below:
Setup: B generates gp and (PKS, SKS) by running GlobalSetup(λ) and KeyGenserver(gp). Then, B gives A1 {gp, PKS} if it is an outside attacker or {gp, PKS, SKS} if it is a designated storage server.
Phase 1: A1 is capable of making six oracle queries adaptively.
- Uncorrupted key generation oracle Opk: With the input of a time period index i by the adversary, the challenger runs KeyGenuser(gp) to produce a key pair (PKDO, i, SKDO, i) of the data owner and then gives PKDO, i to A1.
- Corrupted key generation oracle Osk: With the input of a time period index j by the adversary, the challenger runs KeyGenuser(gp) to produce a key pair (PKDO, j, SKDO, j) of the data owner and then gives (PKDO, j, SKDO, j) to A1. Here, it is restricted that A1 is disallowed to submit a same time period index to both Opk and Osk.
- Update key generation oracle Ouk: With the input of two distinct time period indices (k, l) by the adversary, the challenger runs UpdateKeyGen(gp, SKDO, k, SKDO, l) to produce an update key ukk→l and then returns it to A1. As in [35], it is not allowed the update key queries to occur on a corrupted time period and an uncorrupted time period.
- Update ciphertext generation oracle Ouc: With the input of two distinct time period indices(k, l) and an keyword ciphertext CTWDO,k by the adversary where either both k and l are corrupted or both are uncorrupted, the challenger runs CiphertextUpdate(gp, ukk→l, CTWDO,k ) to produce an update ciphertext CTWDO,l and then returns it to A1.
- Search token generation oracle Ost: With the input of a time period index i and a keyword w by the adversary, the challenger runs SearchTokenGen(gp, w, PKS, SKDO, i) to produce a search token Tw and outputs to A1.
- Test oracle Ote: With the input of ( CTWDO,l , TW' ) by the adversary, the challenger runs Test(gp, CTWDO,i , TW' , SKS, ) and then returns the result to A1. This oracle only allows the outside attacker to make queries.
Challenge: Once the Phase 1 is finished, A1 inputs two distinct keywords (w0, w1) where |w0| = | w1| and a time period index i* to B. The restrictions are (1) A1 has never submitted the query Osk(i*); (2) A1 has never submitted the queries Ost(i*, w0) and Ost(i*, w1) if it is the designated data storage server; (3) For any time period j, A1 has never submitted the queries Ouk(i*, j) and Ost(j, w0) or the queries Ouk(i*, j) and Ost(j, w1) if it is the designated data storage server. The challenger B randomly picks b ∈ {0, 1}, calculates the ciphertext CTWbDO,i* =KWCiphertextGen(gp, wb, PK , PKS) and sends it to A1.
Phase 2: A1 makes more oracle queries, but with the following constraints: (1) A1 is disallowed to ask Osk(i*); (2) A1 is disallowed to ask Ote( CTWbDO,i* , T1*) if it is the outside attacker, where T1*is the result of the query Ost(i*, w0) or Ost(i*, w1); (3) For any time period j, A1 is disallowed to ask Ote(Ouc(i*, j, CTWbDO,i* ),T2*)if it is the outside attacker, where T2* is the result of the query Ost(j, w0) or Ost(j, w1); (4) A1 is disallowed to ask Ost(i*, wb) if it is the designated data storage server; (5) For any time period j, A1 is disallowed to ask both Ouk(i*, j) and Ost(j, w0) or both Ouk(i*, j) and Ost(j, w1) if it is the designated data storage server; (6) For any time period j, A1 is disallowed to ask both Ouc(i*, j, CTWbDO,i* ) and Ost(j, w0) or both Ouc(i*, j, CTWbDO,i* )and Ost(j, w1) if A1 is the designated data storage server.
Guess: At last, A1 outputs a guess b′and wins if b = b′ . Its advantage is defined as AdvA1 OKC − IND − CKA( λ ) = |Pr[ b = b ′ ] − 1/2| .
Definition 4. For a KU-CS-PEKS scheme, if the advantage AdvA1 OKC − IND − CKA of any polynomial time adversary A1 is negligible, then the scheme is OKC-IND-CKA secure.
Game 2 (RKC-IND-CKA): In this game, B plays with A2 who models a designated storage server or an outsider attacker as below:
Setup: B generates gp, (PKS, SKS) and (PKDO, i, SKDO, i) by running GlobalSetup(λ), KeyGenserver(gp) and KeyGenuser(gp) respectively. Then, B gives A2 {gp, PKS, PKDO, i} if it is an outside attacker or {gp, PKS, SKS, PKDO, i} if it is a designated storage server.
Phase 1: A2 is capable of making six oracle queries adaptively.
- Uncorrupted key generation oracle Opk: When A2 queries this oracle, the challenger runs KeyGenuser(gp) to produce an authorized user’s public/secret key pair (PKAU, SKAU) and gives PKAU to A2.
- Corrupted key generation oracle Osk: When A2 queries this oracle, the challenger runs KeyGenuser(gp) to produce an authorized user’s public/secret key pair (PKAU, SKAU) and gives (PKAU, SKAU) to A2.
- Re-encryption key generation oracle Ork: With the input of (PKDO, i, PKAU) by the adversary, the challenger runs ReKeyGen(gp, SKDO, i, SKAU) to produce a re-encryption key rkDO→AU and then returns it to A2.
- Search token generation oracle Ost: With the input of (PKAU, w) by the adversary, the challenger runs SearchTokenGen(gp, w, PKS, SKAU) to produce a search token Tw and then returns it to A2.
-Test oracle Ote: With the input of ( CTWAU , Tw) by the adversary, the challenger runs Test(gp ,CTWAU , Tw, SKS) and returns the result to A2.
Challenge: Once the Phase1 is finished, A2 inputs two distinct keywords (w0, w1) where |w0| = |w1| and a public key PK*AU . The restrictions are (1) PK*AU is from Opk; (2) A2 has never submitted the queries Ost( PK*AU , w0) and Ost( PK*AU , w1). B randomly picks b ∈ {0, 1}, calculates the ciphertext C* = KWCiphertextGen(gp, wb, PKS, PK*AU ) and sends it to A2.
Phase 2: A2 makes more oracle queries. The only restriction is that A2 has never submitted the queries Ost( PK*AU , w0) and Ost(PK*AU, w1).
Guess: At last, A2 outputs a guess b′and wins if b =b′. A2’s advantage is defined to be AdvA2 RKC − IND − CKA ( λ ) = |Pr[ b = b'] − 1/2| .
Definition 5. For a KU-CS-PEKS scheme, if the advantage AdvA2 RKC − IND − CKA of any polynomial time adversary A2 is negligible, then the scheme is RKC-IND-CKA secure.
Game 3 (DOST-IND-CKA): In this game, B plays with A3 who models an outside attacker as below:
Setup: B generates gp and (PKS, SKS) by running GlobalSetup(λ) and KeyGenserver(gp) respectively. Then, B gives A3{gp, PKS}.
Phase 1: A3 is capable of make queries to Opk, Osk, Ouk, Ouc, Ost and Ote adaptively. These queries are answered as in OKC-IND-CKA-Game.
Challenge: Once the Phase1 is finished, A3 inputs two distinct keywords (w0, w1) where |w0| = |w1| and a time period index i* to B. The restrictions are (1) A3 has never submitted the query Osk(i*); (2) For any time period j, A3 has never submitted the queries Ouk(j, i*); (3) For any time period j, A3 has never submitted the queries Ouc(j, i*, CTWbDO,j ) and Ouc(j, i*, CTW1DO,j ). B randomly selects b ∈ {0, 1}, calculates a search token Twb = SearchTokenGen(gp, wb, PKS, SKDO,i* ) and sends it to A3.
Phase 2: A3 makes more oracle queries, but with the constraints: (1) A3 is disallowed to ask Osk(i*); (2) For any time period j, A3 is disallowed to ask Ouk(j, i*); (3) For any time period j, A3 is disallowed to ask Ouc(j, i*, CTWbDO,j ) and Ouc(j, i*, CTW1DO,j ).
Guess: At last, A3 outputs a guess b′and wins if b =b′. Its advantage is defined to be Adv A3DOST − IND − CKA( λ ) = |Pr[ b = b ] − 1/2| .
Definition 6. For a KU-CS-PEKS scheme, if the advantage Adv A3DOST − IND − CKA of any polynomial time adversary A3 is negligible, then the scheme is DOST-IND-CKA secure.
Game 4 (AUST-IND-CKA): In this game, B plays with A4 who models an outside attacker as below:
Setup: B generates gp, (PKS, SKS) and (PKDO, i, SKDO, i) by running GlobalSetup(λ) , KeyGenserver(gp) and KeyGenuser(gp) respectively. Then, B gives A4 {gp, PKS, PKDO, i}.
Phase 1: A4 is capable of make queries to Opk, Osk, Ork, Osc, Ost and Ote adaptively. These queries are answered as in RKC-IND-CKA-Game.
Challenge: Once the Phase1 is finished, A4 inputs two distinct keywords (w0, w1) where |w0| = |w1| and a public key PK*AU. The restrictions are that: (1) PK*AU is from Opk; (2) A4 has never submitted the queries Ork(PKDO, i, PK*AU ); (3) A4 has never submitted the queries Osc( CTW0 DO, i , rkDO→AU* ) and Osc( CTW1 DO, i , rkDO→AU* ). B randomly selects b ∈ {0, 1}, calculates a search token T wb = SearchTokenGen(gp, wb, PKS, SK*AU ) and sends it to A4.
Phase 2: A4 makes more oracle queries, but with the constraints: (1) A4 has never submitted the queries Ork(PKDO, i, PK*AU ); (2) A4 has never submitted the queries Osc( CTW0 DO, i , rkDO→AU* ) and Osc( CTW1 DO, i , rkDO→AU* ).
Guess: At last, A4 outputs a guess b′and wins if b =b′ . Its advantage is defined as AdvA4AUST − IND − CKA ( λ ) = |Pr[ b = b ′ ] − 1/2| .
Definition 7. For a KU-CS-PEKS scheme, if the advantage AdvA4AUST − IND − CKA of any polynomial time adversary A4 is negligible, then the scheme is AUST-IND-CKA secure.
4. The proposed KU-CS-PEKS scheme
4.1 Description of the proposed scheme
The proposed KU-CS-PEKS scheme is as below:
(1) GlobalSetup(λ): Inputting λ, the algorithm generates two cyclic groups (G, GT) with order p and a bilinear pairing e: G × G → GT. Additionally, it selects a generator g ∈ G and three cryptographic hash functions H: G →{0, 1}hlen, H1: {0, 1}* → G and H2: GT → {0, 1}hlen. Finally, it sets gp = {p, g, G, GT, e, H, H1, H2}.
(2) KeyGenserver(gp): Inputting gp, this algorithm picks a ∈ Z*p at random, sets SKS = a, and calculates PKS = ga . It then outputs (PKS, SKS).
(3) KeyGenuser(gp): Inputting gp, the algorithm picks xU ∈ Z* p at random, sets SKU = xU and PKU = g xU. It then outputs (PKU, SKU). In the following algorithms, the data owner’s key pairs in different time periods i and j are denoted by (PKDO, i, SKDO, i) and (PKDO, j, SKDO, j) respectively, and the authorized user’s key pair is denoted by (PKAU, SKAU).
(4) KWCiphertextGen(gp, w, PKS, PKDO, i): Inputting gp, w, PKS and PKDO, i, this algorithm randomly picks r ∈ Z* p , calculates A = PKrDO,i and B = H2(t), where t = e(PKS, H1(w))r. It then outputs CTw DO, i = (A, B).
(5) UpdateKeyGen(gp, SKDO,i, SKDO,j): Inputting gp, SKDO,i and SKDO,j, the data owner calculates a update key uki→j = SKDO,j / SKDO,i mod p.
(6) CiphertextUpdate(gp, uki→j, CTWDO,i ): Inputting gp, an update key uki→j and a keyword ciphertext CTWDO,i = (A, B) of the time period i. The algorithm calculates A′ = A uki→j = gSKDO,j·r= , PKrDO, j and creates a new keyword ciphertext w CTDO, j = ( A′ , B) for the time period j.
(7) ReKeyGen(gp, SKDO, j, SKAU): Inputting gp, SKDO, j and SKAU, this algorithm generates a re-encryption key rkDO→AU = SKAU / SKDO, j mod p as below: The data owner picks n ∈ Z*p at random and sends (nSKDO, j mod p) to the authorized user; The authorized user calculates and sends SKAU / nSKDO, j mod p to the data owner; Finally, the data owner uses can calculate rkDO→AU = SKAU / SKDO, j mod p.
(8) CiphertextShare(gp, CTWDO,j , rkDO→AU): Inputting gp, CTWDO,j and rkDO→AU, the algorithm calculates A"= ArkDO→AU= gSKAU= PKrAUand creates a shared keyword ciphertext CTWAU = ( A", B) for the authorized user.
(9) SearchTokenGen(gp, w′ , PKS, SKU): Inputting gp, w′ , PKS and SKU, the algorithm picks r′∈ Z* p at random, calculates T1 = gr′ and T2 = H1(w')1/SKU · H(PKr's). It then outputs Tw' = (T1, T2)
(10) Test(gp, CTw, Tw, SKS): Inputting gp, CTw, Tw'and SKS = a,, this algorithm first computes τ= T / H( T1a ) and then tests if B= H2(e(A, τa)). If yes, it returns 1, else, it returns 0.
Correctness: Assume the ciphertext of keyword w is CTw = ( PKrU , H2(e(ga, H1(w))r)) and the search token associated to keyword w′is T w' = ( g r', H 1( w ′)1/SKU· H ( PK sr ′)). If w = w′, then \(B=H_{2}\left(e\left(g^{a}, H_{1}(w)\right)^{r}\right)=H_{2}\left(e\left(g^{x^{\prime} r},\left(H_{1}\left(w^{\prime}\right)^{\frac{1}{x^{\prime}}}\right)^{a}\right)\right)=H_{2}\left(e\left(P K_{U}^{r},\left(T_{2} / H\left(T_{1}^{a}\right)\right)^{a}\right)\right)=H_{2}\left(e\left(A, \tau^{a}\right)\right)\)
Therefore, the KU-CS-PEKS scheme is correct.
4.2 Security proofs
Theorem 1. The KU-CS-PEKS scheme satisfies the OKC-IND-CKA security under the hardness assumption of the 1-BDHI problem in the random oracle model.
Proof: Presuming that an adversary A1 can break the OKC-IND-CKA security of the KU- CS-PEKS scheme with an advantage ε. Then an algorithm B can be created to solve BDHI problem with advantage \(\varepsilon^{\prime}=\varepsilon / e q_{s t} q_{H_{2}}\), where and qst respectively represent the largest number of A1’s queries to the oracles OH2and Ost, and e denotes the base of the natural logarithm. Given an instance {p, g, G, GT, e, u1 = gy} of the 1-BDHI problem, B’s goal is to calculate e( g, g )1/y ∈ G.
B plays with A1 as below:
Setup: B picks a ∈Z*P at ransom, sets PKS = ga and SKS = a. Then, B gives gp = {p, g, G, GT, e, H, H1, H2} and PKS to A1 if it is an outside attacker or gp = {p, g, G, GT, e, H, H1, H2} and (PKS, SKS) if it is a designated data storage server, where H, H1 and H2 are three random oracles.
Phase 1: A1 is capable of make these queries:
- Random oracle OH : B holds a list H-list that is made up of the tuples
- Random oracle O1H : B holds a list H1-list that is made up of tuples
- Random oracle O2H : B holds a list H2-list that is made up of the tuples
- Uncorrupted key generation oracle Opk: B holds a list LU that is made up of the tuples DO, i, xi>. When A1 inputs a time period index i, B responds as below: B responds with PKDO, i, if i is already in the LU with a tuple DO, i, xi>. Else, B randomly selects xi ∈ and sets PKDO, i = g xi. Then B records the tuple DO, xi> onto LU and returns PKDO, i.
- Corrupted key generation oracle Osk: B holds a list LC that is made up of tuples
Otherwise, B chooses xj ∈ Z*Pat random and sets PKDO,j = gxj . Then B records the tuple
- Update ciphertext generation oracle Ouc: With the input of two distinct time period indices (k, l) and a keyword ciphertext CTWCO,k by the adversary, PKDO,k and PKDO,l l both appear on the LU or LC. B obtains the update key ukk→l = xl /xk from Ouk and returns the update ciphertext CTWCO,l = (A, B) = ( PKrCO,l , H2(e(PKS, H1(w))r )).
- Search token generation oracle Ost: With the input of a time period index i and a keyword w by the adversary, algorithm B responds as follows:
B gets from O H1 a tuple
Else, B selects r ′∈ Z*P ,y ′∈ Z*P at random, sets T1 = gr′and T2 = (u1e)1/y-y'·
valid search token for w. B responds A1 with Tw = (T1, T2).
-Test oracle Ote: With the input of ( CTWCO,l , Tw′ ) by the adversary, the algorithm B outputs 1 if B = H2(e(A,τa ) holds or 0 otherwise.
Challenge: Once the Phase1 is finish, A1 inputs two distinct keywords (w0, w1) where |w0| = |w1| and a time period index i* to B. B asks oH1 obtain hb ∈ G such that H1(wb) = hb, where b ∈ {0, 1}. Let
If both coin0 = 1 and coin1 = 1 , B ends the game. Else, B randomly picks k′ ∈ Z *p and lets r = k ′/ a ⋅ /y∈ Z *p , and calculates A* = PKrDO, i* =( gy⋅y')r = ( gy⋅y' )r'/a·y= gy'·k'/a ; chooses Z ∈{0, 1}hlen at random and sets B* = Z. Finally, it transmits the challenge ciphertext C* = (A*, B*) to A1.
Phase 2: A1 makes more oracle queries, but with the constraints as defined in Game 1.
Guess: At last, A1 outputs its guess b ′. Clearly, A1 may have issued a query H2 ( e( PKrs , H1 ( wb ))) H2 ( e( ga , geb )k'/a·x ) . Therefore, it is possible that there exists one pair of the form ( e( ga , geb·k'/x ) , H2 e( PKrs , H1 ( wb )))) in H2-list. B picks a tuple
In order to analyze the advantage of B in solving the given 1-BDHI problem, three events are defined:
1δ: B does not terminate for A1’s search token query;
2δ: B does not terminate during Challenge Phase;
δ3: A1 does not issue a query for either H2 ( e( PKrs , H1 ( w0 ))) or H2 ( e( PKrs , H1 ( w1 ))).
Clearly, Pr[ δ1 ] = 1 − 1/( qst + 1) , since A1 makes at most qst search token queries, the probability that B does not abort as result of all search token queries is at least (1 − 1/(qst + 1)) q st≥1/ e.
In the challenge phase, Pr[ cb = 0] = 1/( qst + 1) where b ∈ {0, 1}. Therefore, Pr[ c0 = c1 = 1] = (1 − 1/( qst + 1))2 ≤ 1 − 1/ qst . Thus, the probability of event δ2 is at least 1/q st.
Assuming that A1 does not query either H2 ( e( PKrs , H1 ( w0 ))) or H2 ( e( PKrs , H1 ( w1 ))), then Pr[ b = b' | ¬ δ3 ] = 1/2 . According to the total probability formula:
Pr[ b = b' ]= Pr[ b = b'| δ3 ]Pr[ δ3 ]+ Pr[ b = b' |¬ δ ]Pr[ ¬ δ3 ]≤ Pr[ b = b' |δ3]Pr[ δ3 ] + Pr[ ¬ δ3 ] = 1/2+1/2Pr[ ¬ δ3 ].
Therefore,ε ≤ | Pr[b = b']- 1/2+1/2Pr[ ¬ δ3 ]. Consequently, Pr[ ¬ δ3]≥ 2ε
Since the probability that B chooses the right tuple from H2-list is at least 1/qH2 , B’s success probability is at least ε /(eqstqH2).
Theorem 2. The KU-CS-PEKS scheme satisfies the RKC-IND-CKA security under the hardness assumption of the 1-BDHI problem in the random oracle model.
Proof: Presuming that an adversary A2 can break the OKC-IND-CKA security of the KU- CS-PEKS scheme with an advantage ε. Then an algorithm B can be created to solve 1- BDHI problem with advantage ε′= ε / eqstqH2 , where qH2 and qst respectively denote the largest number of A2’s queries to the oracles OH2 and Ost, and e is the base of the natural logarithm. Given an instance {p, g, G, GT, e, u1 = gy} of the 1-BDHI problem, B’s goal is to calculate e( g, g )1/y ∈ G.
B plays with A2 as below:
Setup: B picks a ∈ Z*pat random, sets PKS = ga and SKS = a. Then, B gives gp = {p, g, G, GT, e, H, H1, H2} and PKS to A2 if it is an outside attacker or or gp = {p, g, G, GT, e, H, H1, H2} and (PKS, SKS) if it is a designated data storage server, where H, H1 and H2 are three random oracles.
Phase 1: A2 is capable of make these queries:
- Random oracle OH : B holds a list H-list that is made up of the tuples
- Random oracle O1H : B holds a list H1-list that is made up of tuples
- Random oracle O2H : B holds a list H2-list that is made up of the tuples
- Uncorrupted key generation oracle Opk: B holds a list LU that is made up of the tuples
B records the tuple
- Corrupted key generation oracle Osk: B holds a list LC that is made up of the tuples
- Re-encryption key generation oracle Ork: With the input of (PKDO, i, PKAU) by the adversary, B returns the re-encryption key rkDO→AU = xAU / xi.
- Share ciphertext generation oracle Osc: With the input of ( CTWDO,i , rkDO→AU) by the adversary, B returns the share ciphertext CTWAU = (A, B) = ( PKrAU , H2(e(PKS, H1(w))r)).
- Search token generation oracle Ost: With the input of (w, PKAU) by the adversary, B responds as below:
B gets from OH1 a tuple
Else, h = (u1)e . B selects r′ ∈ Z*p , y′ ∈ Z*p at random, sets T1 = gr' and T2 = (u1)1/y⋅y' · H(PKr′S) = ge/y' ·H(ga·r'). Because PKU = (u1)y' = gxi and H1(w)1/xi=(gy·e)1/y⋅y' = ge/y', Tw = (T1, T2) is a valid search token for w. B responds A2 with Tw = (T1, T2).
-Test oracle Ote: With the input of (CTWCO,l ,Tw′ ) by the adversary, B outputs 1 if B = H2(e(A, τa ) holds or 0 otherwise.
Challenge: Once the Phase1 is finished, A2 inputs two distinct keywords (w0, w1) where |w0| = |w1| and a time period index i* to B. B asks OH1 to obtain hb such that H1(wb) = hb, where b ∈ {0, 1}. Let
Phase 2: A2 makes more oracle queries, but with the constraints as defined in Game 2.
Guess: At last, A2 outputs a guess b′∈ {0, 1}. B randomly picks a tuple (t, V) from H2-list and outputs t1/eh·k' as its solution to the given 1-BDHI problem.
Similar to the proof of Theorem 1, it can be deduced that the lower bound on B’s advantage ε /( eq td q H 2 ) .
Theorem 3. The KU-CS-PEKS scheme satisfies the DOST-IND-CKA security under the is
hardness assumption of the HDH problem in the random oracle model.
Proof: Presuming that an adversary A3 breaks the DOST -IND-CKA security of the KU- CS-PEKS scheme with an advantage ε. Then an algorithm B can be created to solve the HDH problem with advantageε ′= ε . Given an instance {p, g, G, GT, e, ga, gb, η, H} of the HDH problem, where H: G → {0, 1}hlen is a hash function and η is either H(gab) or a random element of G. B’s goal is to decide whether η = H(gab).
B plays with A3 as below:
Setup: B picks a, l ∈ Z*p at random, sets PKS = gal and SKS = al. Then, B gives gp = {p, g,G, GT, e, H, H1, H2} and PKS to A3, where H, H1 and H2 are three random oracles. Phase 1: A3 is capable of make these queries:
- Random oracle OH : B holds a list H-list that is made up of the tuples
- Random oracle OH1 : B holds a list H1-list that is made up of tuples
- Random oracle OH2 : B holds a list H2-list that is made up of the tuples
- Uncorrupted key generation oracle Opk: B holds a list LU that is made up of the tuples DO, i, xi>. When A3 inputs a time period index i, B responds as below: B responds with PKDO, i, if i is already in LU with a tuple DO, i, xi>. Else, B randomly selects xi ∈ Z pand sets PKDO, i = g xi. Then B records the tuple DO, i, xi> onto LU and returns PKDO, i.
- Corrupted key generation oracle Osk: B holds a list LU of tuples
- Update key generation oracle Ouk: With the input of two distinct time period indices (k, l) by the adversary, PKDO, k and PKDO, l both appear on the LU or LC. B responds A3 with ukk→l = xl /xk.
- Update ciphertext generation oracle Ouc: With the input of two distinct time period indices (k, l) and a keyword ciphertext CT by the adversary. PKDO, k and PKDO, l both appear on the LU or LC. B obtains the update key ukk→l = xl /xk from Ouk and returns the update ciphertext CT = (A, B) = ( PK , H2(e(PKS, H1(w))r)).
- Search token generation oracle Ost: With the input of a time period index i and a keyword g r′r ′) ix 1/ w by A3, B picks r′∈ and T2 = H w ′ )· H ( PK . B
* Z p1( S at random and calculates T1 = returns A3 with Tw = (T1, T2).
Challenge: Once the Phase1 is finish, A3 inputs two distinct keywords (w0, w1) where |w0| * b/l = |w1| and a time period index i*. B picks a value c ∈ {0, 1} at random and sets = g and 1T 1/ x = H ) ⋅ η. Ifη=H(gab), then = g r*, * * * * w is a valid challenge token. If r* = b / l, then T 21( c T wcT 1 i 1/ SK 1/ SK 1/ SK 1/ x
* * al ⋅ ( b/ l ) = H w ) w ﹒H(gab) = H ﹒H( g ) = w ) DO, i *, *DO, i *
⋅ η= T 21( 1( 1( c H ) w ) H 1(DOiic c cH( PK r ′). Finally, it responds with the challenge token = ( ,* * *S T wcT 1T 2).
Phase 2: A3 makes more oracle queries, but with the constraints as defined in Game 3.
Guess: At last, A3 outputs a guess c′. If c = c′, B output 1, meaning that η= H(gab)or 0 otherwise.
The advantage of B in solving the given HDH problem is analyzed as below.
According to Game 3, whenη=H(gab), the view of the adversary A3 in common with its guess c′satisfies |Pr[c = c′]- 1/2| = ε. On the other side, whenη′is uniform over G, its guess c ′ satisfies Pr[c = c′] = 1/2. Consequently, the advantage of B in solving the given HDH problem is |Pr[B(g, ga, gb, H(gab)) = 0] - Pr[B(g, ga, gb, η′)) = 0]| |1/2±ε -1/2| = ε.
Theorem 4. The KU-CS-PEKS scheme satisfies the AUST-IND-CKA security under the≧
hardness assumption of the HDH problem in the random oracle model.
Proof: Presuming that an adversary A4 breaks the AUST -IND-CKA security of the KU- CS-PEKS scheme with an advantage ε. Then an algorithm B can be created to solve the HDH problem with advantageε ′= ε . Given an instance {p, g, G, GT, e, ga, gb, η, H} of the HDH problem, where H: G → {0, 1}hlen is a hash function and η is either H(gab) or a random element of G. B’s goal is to decide whether η = H(gab). B plays with A4 as below:
Setup: B randomly picks a, l ∈ , sets PKS = gal and SKS = al. Then, B gives gp = {p, g,*pZG, GT, e, H, H1, H2} and PKS to A4, where H, H1 and H2 are three random oracles. Phase 1: A4 is capable of make these queries:
HO : B holds a list H-list that is made up of the tuples
getting a query H(M) from A4, B outputs N if
1HO- Random oracle : B holds a list H1-list that is made up of tuples
2HO- Random oracle : B holds a list H2-list that is made up of the tuples
- Uncorrupted key generation oracle Opk: B holds a list LU that is made up of the tuples at random and sets PKAU = g xAU.*
- Corrupted key generation oracle Osk: B holds a list LC that is made up of the tuples
- Re-encryption key generation oracle Ork: With the input of (PKDO, i, PKAU) by the
- Search token generation oracle Ost: With the input of a keyword w and a public key PKAUg r′and T2 = H · H ( PK r ′).AUx1/)′1( S by the adversary, B randomly chooses and calculates T1 = w B responds A4 with Tw = (T1, T2).
Challenge: Once the Phase1 is finish, A4 inputs two distinct keywords (w0, w1) where |w0|* * b/l *= |w1 and a public key PK . B randomly picks c ∈ {0, 1} and sets = g and =AU T 1T 21/ xH w c ) ⋅ η. Ifη=H(gab) then is a valid challenge token. If r* = b / l, then = g r*, T 2* * * *1( T wcT 1AU1/ x* * ** 1/ SK 1/ al ⋅ ( b/ l ) 1/ SK= H w ⋅ η= H ﹒H(gab) = H w ﹒H( gSK) w ) ) ) = H w )1( 1( 1( c 1( c AU AU AU AUc cH( PK r ′). Finally, it responds with the challenge token = ( ,* * *S T 1T 2.cwT
Phase 2: A4 issues more queries, but with the restrictions as defined in Game 4.
Guess: At last, A4 outputs a guess c′∈ {0, 1}. If c = c′, B outputs 1, meaning thatη=
5. Performance Evaluation
We first compare the properties of the existing KU-PEKS framework [34] and the KU-CS- PEKS framework. The details are shown in Table 1. From the table, it is easy to see that the KU-CS-PEKS framework enjoys some good properties such as supporting privacy-preserving ciphertext update on the storage server and transmitting the search tokens without secure channel, while providing ciphertext sharing function.
Table 1. Properties of the KU-PEKS framework and the KU-CS-PEKS framework
Table 2. Computational efficiency of the compared schemes
Table 3. Communicational efficiency of the compared schemes
Table 4. Time cost of each basic operation and bit-length of an element/hash value
Table 2 and Table 3 respectively give the computational efficiency comparison and the communicational efficiency comparison of the KU-PEKS scheme [34] and the proposed KU- CS-PEKS scheme, where TH, TP, TMP, TE, TET, TM and TI are the running time of a cryptographic hash operation, a bilinear pairing operation, a map-to-point encoding operation, an exponent operation in G, an exponent operation in GT, a modular multiplication operation in Zp and a modular inverse operation in Zp respectively, l and |G| respectively denote the bit-size of a hash value and the bit-size of an element in G.
To evaluate the computational efficiency, the schemes are tested by the PBC library [40]. The experiments are carried out on a laptop and Linux OS with an Intel Core i5-4210U CPU of 1.7GHz and 3.0GB RAM. The bilinear pairing is simulated by the Type-A pairing, which is defined on the curve y2 = x3 + x over the finite field Fq for prime q≡3 mod 4. Besides, the hash functions are implemented by SHA-256. Table 4 gives the time cost of each basic operation and bit-length of a group element or a hash value.
The experimental results (see Fig. 1 ~ Fig. 4) show that the costs of the SearchTokenGen algorithm and the Test algorithm in the KU-CS-PEKS scheme are higher than that of the KU- PEKS scheme, but the costs of the KWCiphertextGen algorithm and the CiphertextUpdate algorithm are lower than that of the KU-PEKS scheme. Specifically, the time for encrypting a keyword in the KU-CS-PEKS scheme is about 6.113ms, while that in the KU-PEKS scheme is about 6.705ms. The time for updating a keyword ciphertext in the KU-CS-PEKS scheme is about 0.2ms, while that in the KU-PEKS scheme is about 6.907ms. The time for generating a search token in the KU-CS-PEKS scheme is about 4.905ms, while that in the KU-PEKS scheme is about 4.5ms. In addition, the time for matching a keyword ciphertext with a search token in the KU-CS-PEKS scheme is about 2.01ms, while that in KU-PEKS scheme is about 1.605ms.
Fig. 1. Time cost of keyword ciphertext generation algorithm
Fig. 2. Time cost of keyword ciphertext update algorithm
Fig. 3. Time cost of search token generation algorithm
Fig. 4. Time cost of test algorithm
Regarding the communication overhead (as illustrated in Fig. 5), the keyword ciphertext length in KU-CS-PEKS scheme is 768 bits, while the keyword ciphertext length in the KU- PEKS scheme is 1792 bits. Besides, the size of a search token in KU-CS-PEKS scheme is 1024 bits, while that in the KU-PEKS scheme is 512 bits. Compared with the KU-PEKS scheme, the KU-CS-PEKS scheme has shorter keyword ciphertext and longer search token.
Fig. 5. Bit-length of keyword ciphertext and search token
To remove secure channels and achieve search token indistinguishability, the KU-CS- PEKS scheme has to generate longer search tokens and consumes more time in search token generation and match testing. However, the additional costs are worthwhile, because the proposed scheme effectively fixes the inherent security weaknesses in the previous KU-PEKS scheme.
6. Conclusion
This paper presents a PEKS framework, named key-updatable and ciphertext-sharable PEKS (KU-CS-PEKS). After formally defining its security (including the keyword ciphertext indistinguishability and the search token indistinguishability), a concrete KU-CS-PEKS scheme that is proven secure in the random oracle model is given. The KU-CS-PEKS scheme realizes privacy-preserving ciphertext update on the storage server and ciphertext sharing functions, while removing the secure channel requirement. The experimental results and comparisons demonstrate that the KU-CS-PEKS scheme is feasible and applicable.
References
- D. X. Song, D. Wagner, and A. Perrig, "Practical techniques for searches on encrypted data," in Proc. of IEEE Symp. Secur. Privacy, pp. 44-55, May, 2000.
- P. Golle, J. Staddon, and B. Waters, "Secure conjunctive keyword search over encrypted data," in Proc. of ACNS, pp. 31-45, 2004.
- R. Curtmola, J. Garay, S. Kamara, and R. Ostrovsky, "Searchable symmetric encryption: Improved definitions and efficient constructions," in Proc. of 13th ACM Conf. Comput. Commun. Secur., pp. 79-88, Oct. 2006.
- Z. Fu, X. Wu, C. Guan, X. Sun, and K. Ren, "Toward efficient multi-keyword fuzzy search over encrypted outsourced data with accuracy improvement," IEEE Trans. Inf. Forensics Security, vol. 11, no. 12, pp. 2706-2716, July. 2016. https://doi.org/10.1109/TIFS.2016.2596138
- Z. Xia, X. Wang, X. Sun, and Q. Wang, "A secure and dynamic multi-keyword ranked search scheme over encrypted cloud data," IEEE Trans. Parallel Distrib. Syst., vol. 27, no. 2, pp. 340-352, Feb. 2015. https://doi.org/10.1109/TPDS.2015.2401003
- X. Liu, G. Yang, Y. Mu and R. H. Deng, "Multi-User Verifiable Searchable Symmetric Encryption for Cloud Storage," IEEE Trans. Dependable Secure Comput., vol. 17, no. 6, pp. 1322-1332, 2020. https://doi.org/10.1109/tdsc.2018.2876831
- D. Boneh, G. Di Crescenzo, R. Ostrovsky, and G. Persiano, "Public key encryption with keyword search," in Proc. of Int. Conf. Theory Appl. Cryptograph. Techn, pp. 506-522, 2004.
- C. Gu, Y. Zhu, and H. Pan, "Efficient public key encryption with keyword search schemes from pairings," in Proc. of Int. Conf. Inf. Secur. Cryptol, pp. 372-383, 2008.
- B. Zhang and F. Zhang, "An efficient public key encryption with conjunctive-subset keywords search," J. Netw. Comput. Appl., vol. 34, no. 1, pp. 262-267, Jan. 2011. https://doi.org/10.1016/j.jnca.2010.07.007
- D. J. Park, K. Kim, and P. J. Lee, "Public key encryption with conjunctive field keyword search," in Proc. of Int. Workshop Inf. Secur. Appl, pp. 73-86, 2004.
- J. Baek, R. Safavi-Naini, and W. Susilo, "On the integration of public key data encryption and public key encryption with keyword search," in Proc. of Int. Conf. Inf. Secur, pp. 217-232, 2006.
- Q. Tang and L. Chen, "Public-key encryption with registered keyword search," in Proc. of Eur. Public Key Infrastruct, pp. 163-178, Sep. 2009.
- Q. Dong, Z. Guan, L. Wu, and Z. Chen, "Fuzzy keyword search over encrypted data in the public key setting," in Proc. of Int. Conf. Web-Age Inf. Manage, pp. 729-740, June. 2013.
- J. Shi, J. Lai, Y. Li, R. H. Deng, and J. Weng, "Authorized keyword search on encrypted data," in Proc. of Eur. Symp. Res. Comput. Secur, pp. 419-435, 2014.
- Z. Lv, C. Hong, M. Zhang, and D. Feng, "Expressive and secure searchable encryption in the public key setting," in Proc. of Int. Conf. Inf. Secur, pp. 364-376, 2014.
- Y. Chen, J. Zhang, D. Lin, and Z. Zhang, "Generic constructions of integrated PKE and PEKS," Des. Codes Cryptogr., vol. 78, no. 2, pp. 493-526, Feb. 2016. https://doi.org/10.1007/s10623-014-0014-x
- H. Cui, Z. Wan, R. Deng, G. Wang, and Y. Li, "Efficient and expressive keyword search over encrypted data in cloud," IEEE Trans. Dependable Secure Comput., vol. 15, no. 3, pp. 409-422, May. 2018. https://doi.org/10.1109/tdsc.2016.2599883
- L. Li, C. Xu, X. Yu, B. Dou and C. Zuo, "Searchable encryption with access control on keywords in multi-user setting," Journal of Cyber Security, vol. 2, no. 1, pp. 9-23, Jan. 2020. https://doi.org/10.32604/jcs.2020.06313
- X. Li, F. Li, J. Jiang, and X. Mei, "Paillier-based fuzzy multi-keyword searchable encryption scheme with order-preserving," Computers, Materials & Continua, vol. 65, no. 2, pp. 1707-1721, Jan. 2020. https://doi.org/10.32604/cmc.2020.011227
- J. Baek, R. Safavi-Naini, and W. Susilo, "Public key encryption with keyword search revisited," in Proc. of Int. Conf. Comput. Sci. Appl, pp. 1249-1259, 2008.
- H. S. Rhee, J. H. Park, W. Susilo, and D. H. Lee, "Improved searchable public key encryption with designated tester," in Proc. of 4th Int. Symp. Inf., Comput., Commun. Secur, pp. 376-379, Jan. 2009.
- H. S. Rhee, J. H. Park, W. Susilo, and D. H. Lee, "Trapdoor security in a searchable public-key encryption scheme with a designated tester," J. Syst. Softw., vol. 83, no. 5, pp. 763-771, May. 2010. https://doi.org/10.1016/j.jss.2009.11.726
- C. Hu and P. Liu, "A secure searchable public key encryption scheme with a designated tester against keyword guessing attacks and its extension," in Proc. of Int. Conf. Comput. Sci., Environ., Ecoinform., Educ, vol. 215, pp. 131-136, 2011.
- H. S. Rhee, J. H. Park, and D. H. Lee, "Generic construction of designated tester public-key encryption with keyword search," Inf. Sci., vol. 205, no. 1, pp. 93-109, Nov. 2012. https://doi.org/10.1016/j.ins.2012.03.020
- L. Fang, W. Susilo, C. Ge, and J. Wang, "Public key encryption with keyword search secure against keyword guessing attacks without random oracle," Inf. Sci., vol. 238, pp. 221-241, July. 2013. https://doi.org/10.1016/j.ins.2013.03.008
- Y. Lu, G. Wang, and J. Li, "Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement," Inf. Sci., vol. 479, pp. 270-276, Apr. 2019. https://doi.org/10.1016/j.ins.2018.12.004
- T. Wu, T. Tsai, and Y. Tseng, "Efficient searchable id-based encryption with a designated server," Ann. Telecommun., vol. 69, no. 7-8, pp. 391-402, Aug. 2014. https://doi.org/10.1007/s12243-013-0398-z
- Y. Lu, G. Wang, J. Li, and J. Shen, "Efficient designated server identity-based encryption with conjunctive keyword search," Ann. Telecommun., vol. 72, no. 5-6, pp. 359-370, June 2017. https://doi.org/10.1007/s12243-017-0574-7
- J. Liu, J. Lai, and X. Huang, "Dual trapdoor identity-based encryption with keyword search," J. Soft Comput., vol. 21, no. 10, pp. 2599-2607, May 2017. https://doi.org/10.1007/s00500-015-1960-6
- Y. Peng, J. Cui, C. Peng, and Z. Ying, "Certificateless public key encryption with keyword search," China Commun., vol. 11, no. 11, pp. 100-113, Nov. 2014. https://doi.org/10.1109/CC.2014.7004528
- Y. Lu, J. Li, and F. Wang, "Pairing-free certificate-based searchable encryption supporting privacy-preserving keyword search function for IIoTs," IEEE. Trans. Industr. Inform., vol. 17, no. 4, pp. 2696-2706, Apr. 2021. https://doi.org/10.1109/TII.2020.3006474
- X. Yu, C. Xu, L. Xu and Y. Wang, "Lattice-based searchable encryption scheme against inside keywords guessing attack," Computers, Materials & Continua, vol. 64, no. 2, pp. 1107-1125, 2020. https://doi.org/10.32604/cmc.2020.09680
- M. Ali, C. Xu and A. Hussain, "Authorized attribute-based encryption multi-keywords search with policy updating," Journal of New Media, vol. 2, no.1, pp. 31-43, Aug. 2020. https://doi.org/10.32604/jnm.2020.09946
- H. Anada, A. Kanaoka, N. Matsuzaki, Y. Watanabe, "Key-updatable public-key encryption with keyword search: models and generic constructions," Information Security and Privacy, pp. 341-359, June. 2018.
- J. Shao, Z. Cao, X. Liang and H. Lin, "Proxy re-encryption with keyword search," Inf. Sci., vol. 180, no. 13, pp. 2576-2587, July. 2010. https://doi.org/10.1016/j.ins.2010.03.026
- R. Canetti, S. Hohenberger, "Chosen-ciphertext secure proxy re-encryption," in Proc. of ACM CCS, pp. 185-194, Oct. 2007.
- Y. Liu, Y. Ren, Q. Wang and J. Xia, "The development of proxy re-encryption," Journal of Cyber Security, vol. 2, no. 1, pp. 1-8, Jan. 2020. https://doi.org/10.32604/jcs.2020.05878
- D. Boneh, X. Boyen, "Efficient selective-ID secure identity-based encryption without random oracle," in Proc. of Int. Conf. Theory Appl. Cryptograph. Techn, pp. 223-238, 2004.
- M. Abdalla, M. Bellare, P. Rogaway, "The oracle Diffie-Hellman assumptions and an analysis of DHIES," in Proc. of Naccache, D. (ed.) CT-RSA 2001, vol. 2020, pp. 143-158. April. 2001.
- B. Lynn, PBC library: The Pairing-Based Cryptography Library, 2013. [Online]. Available: http://crypto.stanford.edu/pbc.