 Research
 Open Access
 Published:
MultiRecipient encryption with keyword search without pairing for cloud storage
Journal of Cloud Computing volume 11, Article number: 10 (2022)
Abstract
With the rapid development of cloud computing technology and communication technology, cloud storage has become a tool used by people in daily life. Cloud storage service enables users to outsource data to cloud servers and retrieve desired document efficiently. Individual privacy in outsource data are very sensitive and should be prevented from any leakage. Publickey encryption with keyword search (PEKS) scheme resolves this tension, while publickey authentication encryption with keyword search (PAEKS) scheme improve its keyword guessing attacks problem potentially. Whereas, the loss of keyword privacy, the limitation of single user interaction and low efficiency make PEKS/PAEKS schemes far from enough in practical applications.In this paper, we develop a multirecipient public key encryption scheme with keyword search without pairing (MREKS) for cloud storage under public key infrastructure. The proposed scheme has the merits of supporting multirecipient keyword search way as well as requiring no expensively bilinear pairing operations under standard model. We present a concrete and efficient construction of MREKS, and prove its security based on discrete logarithm assumptions. Furthermore, we embed the algorithm of data plaintext encryption and decryption into the scheme, which makes the scheme more practical. We show that our scheme enjoys much more efficiency than previous PEKS/PAEKS scheme in the simulation experiment, especially the keyword encryption is optimized by 79.5%.
Introduction
In recent years, the amount of electronic data generated on various platforms such as the internet has seen an explosive growth. From the view of government, enterprises or individual, the increasing amount of data creates data management issues. To store this data, the user needs to maintain the hardware, software and systems for the data storage locally. It caused great overhead on the user’s server, which has seriously affected the efficiency and flexibility of the user to utilize the data.
Cloud storage services in cloud computing technology alleviate this tension, which means users can obtain and pay for the server resources provided by cloud server without interaction largely and only need management work slightly. Due to the convenience and flexible of cloud service and varied charging properties, users are willing to store their local data in the cloud server. People can upload their data, such as email address, personal health record and financial data, into the cloud for sharing with other person or using it by themselves in anywhere. Moreover, cloud storage services are widely used in medical institutions, enterprises, schools and other application scenarios.
However, cloud storage has an inevitable drawback: users share or store data in the cloud server, so the ownership of the data is held by the cloud server. As a result, the cloud server can inadvertently obtain the data uploaded by users, leading to the divulge of sensitive privacy data without user’s authority. To avoid this case, users can only encrypt and upload document to the cloud. However, if users want to acquire target document, they download all the ciphertext data and decrypt it locally necessarily. It is unfriendly to users with large data storage capacity, which will result in huge resource waste and computing overhead. Moreover, this approach is hardly applicable to users with low broadband networks.
To address the above issue, the concept of searchable encryption has been proposed. As depicted in Fig. 1, a searchable encryption scheme works.
Therefore, the data security and privacy becomes an important issue. To date, many methods are proposed to protect privacy and security of cloud data [1–8].
Based on previous studies by researchers, searchable encryption divide into symmetric and asymmetric searchable encryption (SE). The work of Song et al. [1] is pioneering in constructing a symmetric SE scheme in 2000. His ideas were groundbreaking, but there were inevitable efficiency problems because the efficiency of finding the target document is linear length. Boneh et al. [2] constructed publickey encryption with keyword search, denoted by BDOPPEKS. It is a branch of SE that keeps the confidentiality of the encrypted data. The BDOPPEKS scheme is mainly applied in the mail routing scenario, in which three participants, namely the sender, the recipient and the mail server. The sender encrypts the message and keyword corresponding to the message via recipient’s public key, and the recipient generates the search trapdoor via private key by himself. Finally, the mail server performs data retrieval and returns the message ciphertext with corresponding keyword to recipient.
Later, Baek et al. [3] found flaws in PEKS scheme and developed a secure channel free public key encryption with keyword search based on the BDOPPEKS scheme, denoted by BSSPKE/PEKS, which solved the issue of supplying secure channel when delivering keywords to the server. BSSPKE/PEKS scheme performs via public channel, but it’s still subject to a connatural security restriction: suffering offline keyword guessing attacks (KGA). Specifically, given a keyword trapdoor, an adversary encrypts whole keyword candidates by using the recipient’s public key and identifies the ciphertext which matches the targeted trapdoor, this enables the adversary to recover the keyword hidden in keyword trapdoor to invade the users’ privacy. Public key authentication encryption with keyword search (PAEKS) was first proposed by Huang et al. [9], in which the sender’s secret key is presented into the keyword encryption, so as to achieve the keyword trapdoor privacy and resist the keyword guessing attacks. Soon afterwards, Huang’s scheme was proposed that it could not ensure the keyword ciphertext indistinguishability.
In such an architecture, previous PEKS and PAEKS schemes have been based on bilinear pairings operation, which can greatly restrict efficiency when running on devices with limited communication and computing capacity.
Traditional PEKS schemes for mail routing take into account singleuser interactions, especially PAEKS scheme, where sharing data requires generating search trapdoor for the uniform keywords for each receiver. In fact, it will greatly reduce the desire of enterprise practical application, since it still consumes a lot of storage resources to meet this search requirement. At present, the security of most PEKS schemes is not good enough to resist KGA. One reason is that the lowentropy feature of the keywords leads to KGA.
Therefore, we initiated the proposal of MREKS scheme to address the defects mentioned above.
Contribution
In this paper, we put forward a multirecipient encryption with keyword search scheme without pairing for cloud storage based on public key infrastructure in virtue of the idea of Lu et al. [10](see related work). The proposed scheme not only supports multirecipient authentication keyword search function, but also does not use the expensively bilinear pairing. We formally define the system model and security for the proposed MREKS and demonstrate the security of its under standard model. More specifically, our contributions are summarized as below:
Functionality: We construct a new multirecipient PAEKS scheme without pairing for cloud storage under public key infrastructure. Let’s consider a scenario where a user (i.e., a data sender) gathers transaction data and shares them with multiple recipients (e.g., a group of colleague in the company). Most PEKS and PAEKS schemes [2, 3, 9, 11, 12] merely support single recipient. The user has to generate a search trapdoor of same keyword for each recipient individually by using the above scheme. In this case, it will be inefficient and inconvenient awfully. To address the above issues, we create a single keyword encryption for a set of authorized recipients with high efficiency communication and computation.
Practicality: We embed message encryption and decryption to make MREKS scheme more practical. Most of PEKS and PAEKS schemes hardly support message encryption and decryption. In this case, the scheme are incompletely. In consequence, we adds this algorithm to keep the transmission of symmetric key confidentiality in the public channel and avoid transmitting the symmetric key via security channel. It is amicable for us to decrypt ciphertext commodiously. Moreover, the message decryption must match the corresponding keyword to decrypt it, which ensures the privacy of message and keyword in the transmission.
Security: The proposed of MREKS scheme provides privacypreserving keyword search and data encryption. We prove the scheme prevent keyword guessing from attack successfully under standard model and plaintext privacy security. It is worth noting that we embed the recipient’s private key in the keyword encryption process to avoid the possibility of outside adversary attack. Without the ability to produce valid ciphertext, the adversary is not able to carry out a successful keyword guessing attack. In this way, our scheme provides to resist attacks from adversary.
Efficiency: Our scheme avoids the expensively bilinear pairing. In various application scenarios, the computations are often performed on smart devices with constrained resources, such as telephone or handheld terminals. Most of the previous PEKS and PAEKS schemes [2, 3, 9, 13] were built with the bilinear pairing. If we use the without pairing scheme, the efficiency will be greatly improved. Also, it has more practical significance in the use of equipment with limited communication and computing capacity. We analyze the running overhead of MREKS theoretically and implement it utilizing C language and PBC library [14]. The analysis and experiment results show that our scheme has more efficiency running overhead with previous PEKS and PAEKS schemes.
Related work
The first asymmetric SE is presented by Boneh et al. [2] in 2004. Baek et al. addresses the Boneh’s problem of working via security channel in 2008. Soon afterwards, with kinds of functions of PEKS scheme have been proposed. The working of Byun et al. [15] and Yau et al. [16] clearly that the current PEKS program are suffering from a novel attack, calls offline keyword guessing attack. In their research, the previous program could not resist offline keyword guessing attacks from the cloud servers. Based on Baek et al’s work, Fang et al. [5] enhance security property and ensure the keyword security of the scheme under standard model. While the work of Fang et al. seems perfect, there are still keyword privacy problems. Therefore, the privacy of keywords in public key encryption with keyword search scheme has become an issue to be addressed by researchers.
The idea of “Trapdoor Indistinguishability” is proposed by Rhee et al. [6]. In their work, trapdoor indistinguishability is a sufficient condition under keyword security. Therefore, KGA under different assumption context is whether the success of determines the security of scheme. Based on various scenarios, we classify attackers as internal attackers or external attackers. In other words, an external adversary’s attacks can be considered online KGA, since the adversary can produce the keyword ciphertext to guess in testing process by intercepting the user’s search trapdoor. Similarly, an internal adversary’s attacks (denotes semihonest cloud server) can be considered offline KGA, since the adversary is able to carry out test algorithm. The authority of the semihonest cloud servers is power than the external attacker due to the cloud servers’ testing executive capability.
Later, Huang et al. [9] constructed a new public key authentication encryption with keyword search to against inside adversary’s attack. Ma et al. [17] put forward to certificateless public key encryption with keyword search in the internet of thing (denote IOT) environment. Lu et al. [18] introduced a search trapdoor via key agreement between sender and receiver, which can resist the known KGA. Later, Ma et al. [19] constructed the scheme of SCFCLSPE to achieve INDCKA security for smart healthcare. Noroozi et al. [20] put forward to a generic construction secure against online and offline KGA scheme. Qin et al. [13] aimed at the revisited of the scheme proposed by Huang et al. [9], and introduced that the keyword privacy of Huang et al.’s scheme was insufficient, that is, it could not meet the multikeyword ciphertext guessing attack securely. A verifiable public key SE was proposed after its improvement, which can achieving multikeyword ciphertext indistinguishability. Pan et al. [11] has improved the work of Qin et al., and proposed to simultaneously ensure the multikeyword ciphertext indistinguishability and multikeyword trapdoor security. Whereafter, Cheng et al. [12] point out the work of Pan et al. a serious mistake in the security proof and Qin et al. [21] improved their multikeyword ciphertext indistinguishability security model[13].
Chen et al. [22] brought up with a new type of publickey SE that can resist inside adversary’s offline keyword guessing attacks, namely serveraid publickey SE. In this scheme, blind keyword signature is provided by the server and returned to the user for keyword encryption. The key of blind signature of the server has the merit of key update for each subserver, which makes the scheme more flexible. Zhang et al. [23] promoted the public key searchable encryption scheme based on the blockchainbased public chain application and was able to resist keyword guessing attacks. He et al. [24] and Li et al. [25] came up with PAEKS into certificateless keyword search and identity based encryption settings, respectively. Li et al. [26] put forward to a new public key searchable encryption scheme for singleuser to multiuser interaction under the hierarchical identity mechanism and attribute encryption mechanism, and this scheme designed a public key searchable encryption scheme that supports transparent user access control. The scheme not only protects the privacy of keyword search, but also supports the users with private key to search ciphertext. Lu et al. [10] presented a new multirecipient cetificateless public key searchable encryption scheme for IIOT, which supporting mutiuser interaction function and no costly computation. Based on this contribution, we introduce this contribution into our scheme to better apply to cloud storage in PKI.
In addition to keyword searching, some schemes of public key cryptosystem in PEKS variants are also studied, including fuzzy keyword search [27], verifiable keyword search [28], latticebased encryption with keyword search [29] and attributebased keyword search [30].
Preliminaries
Complexity assumptions
Definition 1.(Discrete Logarithm(DL) assumption [31]) Let G be a cyclic group of prime order q with a generator g. Select a∈Z_{q}, for every arbitrary probability ε with a polynomial time t, there exists an algorithm A(t,ε) for solving DL problem, if Pr[A(g,g^{a})=a]<ε.
Definition 2. (Hash DiffieHellman(HDH) problem [32]) Let G be a cyclic group of prime q and g be a generator of G. H:{0,1}^{∗}→{0,1}^{l} is a hash function, where l is a binary number. Given hash function H and tetrad (g,g^{a},g^{b},Z)∈G^{3}×{0,1}^{l} where \(a,b\in {Z_{q}^{*}}\) and Z is a random element of {0,1}^{l}. HDH problem is to judge whether Z=H(g^{ab}).
Definition 3. (Computational DiffieHellman (CDH) Problem [32]) Let G be a cyclic group of prime q and g be a generator of G. Given a binary tuple (g^{a},g^{b})∈G^{2} for unknown integers \(a,b \in Z_{q}^{*} \), the CDH problem in the group G is to calculate g^{ab}.
System model of mREKS
The proposed of MREKS model display in Fig. 2, including six polynomial time algorithms:
1) GlobalSetup(λ): Input a security parameter λ, and output global parameter GP.
2) KeyGen(GP): Input global parameter GP, and output a secret/public key pair (sk_{u},pk_{u}) for user.
3) Encrypt(GP,sk_{S},(pk_{1},pk_{2},...,pk_{n})_{R},w,M): Input GP, sk_{S}, multirecipient’s public key (pk_{1},pk_{2},...,pk_{n})_{R}, a keyword w and a message M, where n is number of recipient. Outputs ciphertext C=(C_{w},C_{M}), where C_{w} is keyword ciphertext and C_{M} is message ciphertext.
4) Trapdoor(GP,sk_{R},pk_{S},w^{′}): Input GP, sk_{R},pk_{S}, and a search keyword w^{′}, and output a keyword trapdoor \(\phantom {\dot {i}\!}T_{w^{\prime }}\).
5) \(\phantom {\dot {i}\!}Test(GP, C_{w}, T_{w^{\prime }})\): Input GP, \(\phantom {\dot {i}\!}C_{w}, T_{w^{\prime }}\), and output a symbol “1” if w=w^{′} or “0” otherwise.
6) Decrypt(GP,w^{′},C_{M},pk_{S},sk_{R}): Input GP, C_{M}, a keyword w^{′},pk_{S} and sk_{R}. Output plaintext message M.
Security definition
This section we introduce the security definition of our proposed MREKS scheme. The security definition of ciphertext indistinguishability MREKS under the chosen keyword guessing attacks (denote CMREKSCKA), trapdoor indistinguishability MREKS under the chosen keyword guessing attacks (denote TMREKSCKA) and plaintext privacy MREKS against chosen plaintext attacks (denote PPMREKSCPA) are as follow:
CMREKSCKA game
This game is simulated between A and a challenger B, where A is inside or outside adversary.
GlobalSetup: Given security parameters λ, B produces global parameters GP, a sender and recipients’ secret/public key pair (sk_{S},pk_{S}) and (sk_{R},pk_{R}), and sends pk_{S},pk_{R} and GP to A.
Query Phase 1:A does O^{Ciphertext},O^{Trapdoor} and O^{Test} to B adaptively, then B simulates the corresponding algorithm in MREKS scheme and return the results.
Challenge:A submits two keywords (w_{0},w_{1}) to B, which he/she has not submit to O^{Ciphertext} in above Query phase 1. Finally, B returns a keyword ciphertext \(\phantom {\dot {i}\!}C_{w_{b}}\) with b∈_{R}{0,1}.
Query Phase 2:A continues to ask for B adaptively, but with the restrictions that A can not queries w_{0} or w_{1} in ciphertext or trapdoor.
Guess:A returns b^{′}∈{0,1} and A wins in this game, if b=b^{′}.
The advantage of A in CMREKSCKA Game is defined as follows:
Definition 3. An MREKS scheme achieve the CMREKSCKA security if no polynomial time adversary can obtain a nonnegligible advantage in CMREKSCKA game.
TMREKSCKA game
This game is simulated between A and a challenger B, where A is inside or outside adversary.
GlobalSetup: Same as that in CMREKSCKA Game.
Query Phase 1: Same as that in CMREKSCKA Game.
Challenge:A submits two keywords (w_{0},w_{1}) to B, which he/she has not submit to O^{Ciphertext} in above Query phase 1. Finally, B returns a keyword trapdoor \(\phantom {\dot {i}\!}T_{w_{b}}\) with b∈_{R}{0,1}.
Query Phase 2:A continues to ask for B adaptively, but with the restrictions that A can not queries w_{0} or w_{1} in ciphertext or trapdoor.
Guess:A returns b^{′}∈{0,1} and A wins in this game, if b=b^{′}.
The advantage of A in TMREKSCKA Game is defined as follows:
Definition 4. An MREKS scheme achieve the TMREKSCKA security if no polynomial time adversary can obtain a nonnegligible advantage in TMREKSCKA game.
PPMREKSCPA game
This game is simulated between A and a challenger B.
Setup: Same as that in CMREKSCKA Game.
Query Phase 1:A can issue at most q_{M} queries to the encryption oracle O^{M} below.
O^{M}: A submits plaintext M with keyword w to B, and then B returns ciphertext C.
Challenge:A submits a keyword w and two plaintext M_{0} and M_{1}. The constraint is that A cannot be submitted M_{0} or M_{1} to O^{E}. B picks a bit b∈{0,1} randomly. Next, B generates a ciphertext C. Finally, B returns ciperhetext C to A.
Query Phase 2:A issues queries to the oracle same as in Query Phase 1 with the constraints that A cannot be submitted M_{0} or M_{1} with w to O^{E}.
Guess:A returns a bit b^{′} and wins the game if b^{′}=b.
The advantage of A in PPMREKSCPA Game is defined as follows:
Definition 5. An MREKS scheme achieve the PPMREKSCKA security if no polynomial time adversary can obtain a nonnegligible advantage in PPMREKSCKA game.
The proposed mREKS scheme
This section we introduce our MREKS scheme. The scheme is described as follows.
1) GlobalSetup(λ): Given the security parameter 1^{λ}, trusted servers picks a qorder cyclic group G. Let g is the generator of G. Furthermore, it selects four hash functions \(H_{1}: G \to \{0,1\}^{l}, H_{2}: \{0,1\}^{*}\times \{0,1\}^{l}\to Z_{q}^{*}, H_{3}: G \to Z_{q}^{*}, H_{4}:\{0,1\}^{l}\times \{0,1\}^{*}\times Z_{q}^{*} \times G \times \{0,1\}^{*}\times \{0,1\}^{*}\times Z_{q}^{*}\to \{0,1\}^{l}\), where l is denotes the binary length of hash values. Finally, it outputs the global parameters GP={q,g,G,H_{1},H_{2},H_{3},H_{4}}.
2) KeyGen(GP): Takes GP as input. The user (including sender and recipients) generates its secret/public key as follow.

Selects \(\phantom {\dot {i}\!}sk_{u_{1}}, sk_{u_{2}}\in _{R} Z_{q}^{*}\);

Computes \(\phantom {\dot {i}\!}pk_{u_{1}}=g^{sk_{u_{1}}}\) and \(\phantom {\dot {i}\!}pk_{u_{2}}=g^{sk_{u_{2}}}\);

Sets \(\phantom {\dot {i}\!}sk_{u}=(sk_{u_{1}},sk_{u_{2}})\) and \(\phantom {\dot {i}\!}pk_{u}=(pk_{u_{1}},pk_{u_{2}})\) as user’s secret/public key pair.
3) Encrypt(GP,pk_{S},sk_{S},(pk_{1},pk_{2},...,pk_{n})_{R},w,M): Takes GP, pk_{S},sk_{S}, a keyword w, multirecipient’s public key (pk_{1},pk_{2},...,pk_{n})_{R} and a message M as input, where the subscript S indicates sender, the subscript R indicates recipient and n is the number of recipients. The sender selects \(r\in Z_{q}^{*}, K\in \{0,1\}^{l}\) randomly and encrypt w and M as below:

Computes \(\phantom {\dot {i}\!}\mu _{i}=H_{1}(pk_{iR_{1}}^{sk_{S_{1}}})\) and \(\phantom {\dot {i}\!}\theta _{i}=H_{1}(pk_{iR_{2}}^{sk_{S_{2}}})\) for each i=1,2,...,n and n is the number of recipients;

Selects two random integer \(\eta, \gamma \in Z_{q}^{*}\) and then define two polynomial f(x) and g(x) of degree n as follows:
\(f(x)=\prod \limits _{i=1}^{n}{(x{v_{i}})}+\gamma ={x^{n}}+{\alpha }_{n1}{x^{n1}}+\cdots +{\alpha _{1}}x+{\alpha _{0}}\), where \({\alpha _{i}}\in Z_{q}^{*}\) and \(\phantom {\dot {i}\!}v_{i}=H_{3}(g^{r{H_{2}}(w\mu _{i})})\) and the operator “ ” denotes the concatenation of two strings;
\(g(x)=\prod \limits _{i=1}^{n}{(x{s_{i}})}+\eta ={x^{n}}+{\beta }_{n1}{x^{n1}}+\cdots +{\beta _{1}}x+{\beta _{0}}\), where \({\beta _{i}}\in Z_{q}^{*}\) and \(\phantom {\dot {i}\!}s_{i}=H_{3}\left (pk_{S_{2}}^{(H_{2}(w\theta _{i})r)}\right)\);

Sets
\(\phantom {\dot {i}\!}C_{1}=K\oplus H_{1}(pk_{S_{2}}^{\eta }),\)
C_{2}=AESEnc_{K}(M),
\(\phantom {\dot {i}\!}C_{3}=r \cdot sk_{S_{1}}^{1}\),
\(\phantom {\dot {i}\!}C_{4}=g^{{sk_{S_{2}}} \cdot r}\),
C_{5}=(α_{0},α_{1},...,α_{n−1}),
C_{6}=(β_{0},β_{1},...,β_{n−1}),
C_{7}=H_{4}(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},γ);
Outputs the ciphertext C=(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},C_{7}).
4) Trapdoor(GP,sk_{iR},pk_{S},w^{′}): The recipient executes as below:

Computes \(\phantom {\dot {i}\!}\mu _{i}'=H_{1}((pk_{S_{1}})^{sk_{iR_{1}}})\);

Sets \(\phantom {\dot {i}\!}t_{1}=pk_{S_{1}}^{H_{2}(w'\mu _{i}')}\);
Outputs the search trapdoor \(\phantom {\dot {i}\!}T_{w'}=t_{1}\).
5) \(\phantom {\dot {i}\!}Test(GP, C, T_{w'})\): The cloud sever executes as below:

Parse C_{5} as (α_{0},α_{1},...,α_{n−1}) and reconstruct the polynomial f(x)=x^{n}+α_{n−1}x^{n−1}+⋯+α_{1}x+α_{0};

Computes \(\phantom {\dot {i}\!}v_{i}'=H_{3}({t_{1}}^{C_{3}})\) and γ^{′}=f(v_{i}^{′}) check whether C_{7}=H_{4}(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},γ^{′}) holds. If it does, output “1” or “0” otherwise.
6) Decrypt(GP,C,w^{′},pk_{S},sk_{R}): The recipient executes as below:

Parse C_{5} as (α_{0},α_{1},...,α_{n−1}) and reconstruct the polynomial f(x)=x^{n}+α_{n−1}x^{n−1}+⋯+α_{1}x+α_{0};

Computes \(\phantom {\dot {i}\!}v_{i}'=H_{3}({t_{1}}^{C_{3}})\) and γ^{′}=f(v_{i}^{′}) check whether C_{7}=H_{4}(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},γ^{′}) holds. If it does, turn to next phase or abort otherwise;

Parse C_{6} as (β_{0},β_{1},...,β_{n−1}) and reconstruct the polynomial g(x)=x^{n}+β_{n−1}x^{n−1}+⋯+β_{1}x+β_{0};

Computes \(\phantom {\dot {i}\!}\theta _{i}'=H_{1}((pk_{S_{2}})^{sk_{iR_{2}}})\).

Sets \(\phantom {\dot {i}\!}t_{2}=pk_{S_{2}}^{H_{2}(w\theta _{i}')}\) and si′=H_{3}(C_{4}·t_{2}).

Computes \(\phantom {\dot {i}\!}\eta '=g({s_{i}^{\prime }})\) and \(\phantom {\dot {i}\!}K=C_{1}\oplus H_{1}(pk_{S_{2}}^{\eta '})\), then returns plaintext M, where M=AESDec_{K}(C_{2}).
Remark. The decryption algorithm cannot be performed until the cloud server has passed the test algorithm and returned ciphertext C to the recipient. Otherwise, the decryption algorithm is not performed.
Correctness verification.
If the target keyword w=w^{′}, then the above equation are equal. Thus, our scheme is correct.
Security proof
This section we analysis the security of MREKS via game hopping [33].
Lemma 1(Difference Lemma [33]) Let E be some “error event” such that S_{1}¬E occurs if and only if S_{2}¬E occurs. Then
Theorem 1. The MERKS scheme realizes CMREKSCKA game security under standard model, if H_{1}∼H_{4} is the collision resistance hash function and HDH assumption is intractable.
Proof 1: Suppose that A is an internal or external adversary against the security of the proposed CMREKSCKA game in polynomial time, A_{H} is the adversary of the hash function and A_{HDH} is the adversary of breaking the HDH assumption.
We prove the theorem 1 via five subgame programs Gamej (j=0,1,2,3,4), and define Y_{j} are the events of A guessing correctly, that is b=b^{′}. Therefore, the gamehopping proof of CMREKSCKA is as follow:
Game0: Game0 is the original attack CMREKSCKA game, so A have Adv(λ)_{A}= Pr[Y_{0}]−1/2.
Game1: In this subgame, B picks \(\phantom {\dot {i}\!}sk_{S_{2}}, sk_{iR_{2}}, a, {c_{i}}\in Z_{q}^{*}\) randomly to calculate \(\phantom {\dot {i}\!}pk_{S}=(g^{a},g^{sk_{S_{2}}})\) and \(\phantom {\dot {i}\!}pk_{iR}=({g^{c_{i}}},g^{sk_{iR_{2}}})\) for each the number of recipients i=1,2,...,n, where g is the generator of group G. Other parameters is the same as Game0. Obviously, Game0 and Game1 are indistinguishable from A. So, two subgame is equal with the advantage of Pr[Y_{0}]= Pr[Y_{1}].
Game2: Game2 is similar to Game1, except that B transforms to the respond queries and challenge pattern. B does the following queries:
 O^{Ciphertext}: A submits a keyword w to B, then B picks a random integer \(r\in Z_{q}^{*}\) and returns C=(C_{1},C_{2},...,C_{7}) to A.
 O^{Trapdoor}: A submits a keyword w^{′} to B, and returns \(\phantom {\dot {i}\!}T_{w^{\prime }}=pk_{S_{1}}^{H_{2}(w'\mu _{i}')}\), where \(\phantom {\dot {i}\!}\mu _{i}'=H_{1}\left (pk_{S_{1}}^{sk_{iR_{1}}}\right)\).
 O^{Test}: A submits C and \(\phantom {\dot {i}\!}T_{w^{\prime }}\) to B, then B returns 1 if \(\phantom {\dot {i}\!}{v_{i}}'=H_{3}({t_{1}}^{C_{3}})\) and \(\phantom {\dot {i}\!}C_{7}=H_{4}(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},\gamma =f({v_{i}}'))\) or 0 otherwise.
Challenge:A submits two different keywords (w_{0},w_{1}), where w_{0} or w_{1} are not challenged in previous phase. B chooses \(r^{*} \in _{R} Z_{q}^{*}\) and b∈_{R}{0,1} and performs as follow:
a) Sets \(C_{3}^{*}=r^{*} \cdot (a^{1})\) and \(\phantom {\dot {i}\!}C_{4}^{*}=g^{{sk_{S_{2}}} \cdot r^{*}}\);
b) Computes \(\phantom {\dot {i}\!}\mu _{i}^{*}=H_{1}(({g^{c_{i}}})^{a})\).
c) Selects random integers \(s_{1}^{*}, s_{2}^{*},..., s_{n}^{*}, \eta ^{*}, \gamma ^{*} \in Z_{q}^{*} \) and define two polynomial
where \(\alpha _{i}^{*}\in Z_{q}^{*}\) and \(v_{i}^{*}=H_{3}\left (g^{r^{*}{H_{2}}(w_{b}\mu _{i}^{*})}\right)\);
where \({\beta _{i}^{*}}\in Z_{q}^{*}\);
d) Selects \(C_{1}^{*}\in \{0,1\}^{l}, C_{2}^{*} \in \{0,1\}^{l}\) randomly
e) Sets
f) Returns \(C^{*}=\left (C_{1}^{*},C_{2}^{*},...,C_{7}^{*}\right)\) to A.
Therefore, the challenge ciphertext \(C^{*}=(C_{1}^{*},...,C_{7}^{*})\) is the effective ciphertext of the keyword w_{b}.
Game1 and Game2 will be uniform, if B asks for queries and challenge correctly. It means that A guesses correctly in both subgame with the advantage of Pr[Y_{2}]= Pr[Y_{3}].
Game3: Game3 is the same as Game2, except that B will abort the subgame, if the following events occur.
Event E_{1}: A submits w to B in O^{Ciphertext}, including the keyword’s input satisfies w≠w_{b}, but
a. \(f(x)=f^{*}(x)=\prod \limits _{i=1}^{n}{\left (xv_{i}^{*}\right)}+\gamma ^{*}\) for \(C_{4}=(\alpha _{0}^{*}, \alpha _{1}^{*},...,\alpha _{n1}^{*})\), where \(\phantom {\dot {i}\!}v_{i}=v_{i_{b}}\) and \(\gamma ^{*}\in Z_{q}^{*}\).
b. \(C_{7}^{*}=H_{4}\left (C_{1}^{*},C_{2}^{*}, C_{3}^{*}, C_{4}^{*}, C_{5}^{*},C_{6}^{*}, \gamma ^{*}\right)\).
Event E_{2}: A submits w to B in O^{Trapdoor}, including the keyword’s input satisfies w≠w_{b}, but \(H_{2}(w\mu _{i})=H_{2}(w_{b}\mu _{i}^{*})\).
Remark. In the Event E_{1}, we do not consider the computation of polynomial function g(x). Even if A calculates the polynomial function \(g(x)=\prod \limits _{i=1}^{n}{\left (xs_{i}^{*}\right)}+\eta ^{*}\), where \(s_{1}^{*}, s_{2}^{*},...,s_{n}^{*}, \eta ^{*} \in Z_{q}^{*}\), the keyword ciphertext cannot be matched in the cloud server.
Obviously, Game2 and Game3 are indistinguishable to A unless the event E_{1}∨E_{2} occurs. Due to Difference Lemma, we have
Furthermore, it will be have A_{H}, if the event E_{1} occurs. Therefore, A_{H} has the advantage of winning, if
where n is the number of recipient and q is random number of \({Z_{q}^{*}}\).
Similarly, it will be have A_{H}, if the event E_{2} occurs. Therefore, A_{H} has the advantage of winning, if
Therefore, we induce the equation
Game4: Game4 is the same as Game3, except that B picks a random element Z∈{0,1}^{l} instead of \(\phantom {\dot {i}\!}H_{1}(g^{a{{c_{i}}}})\) when generating the challenge of ciphertext. Obviously, B responds queries and chanllenge via HDH tuples \(\phantom {\dot {i}\!}(H_{1},g,g^{a},{g^{c_{i}}},Z)\) without revealing the integer of a and c_{i}. In consequence, Game3 is equivalent to Game4. A_{HDH} distinguish the element of \(\phantom {\dot {i}\!}{\mu _{i}}'=H_{1}(g^{a{{c_{i}}}})\) (for i=1,2,...,n) and Z with nonnegligible advantage, if the HDH problem is addressed. Hence, A_{HDH} has the advantage to win Game4 with
Z is a random integer of G, so A has the advantage of winning with Pr[Y_{4}]=1/2.
Next, A can guess correctly in the above subgames with the advantage
Based on the triangle inequality, the above subgames induce as follow:
The collision resistance property of the hash function H and the complication of HDH problem is complicated so that Adv(λ)_{A} is negligible in theorem 1.
Theorem 2. The MERKS scheme realizes TMREKSCKA game security under standard model, if H_{1}∼H_{4} is the collision resistance hash function and HDH assumption is intractable.
Proof 2: Suppose that A is an internal or external adversary against the security of the proposed TMREKSCKA game in polynomial time, A_{H} is the adversary of the hash function and A_{HDH} is the adversary of breaking the HDH problem.
We prove the theorem 2 via five subgame programs Gamej(j=0,1,2,3,4), and define Y_{j} are the events of A guessing correctly, that is b=b^{′}. Therefore, the gamehopping proof of TMREKSCKA is as follow:
Game0: Game0 is the original attack TMREKSCKA game, so A have Adv(λ)_{A}= Pr[Y_{0}]−1/2.
Game1: This subgame is the same as the Game1 of theorem 1.
Game2: Game2 is similar to Game1, except that B transforms to the respond queries and challenge pattern. B does the following queries:
 O^{Ciphertext}: A submits a keyword w to B, then B picks a integer \(r\in _{R} Z_{q}^{*}\) and returns C=(C_{1},C_{2},...,C_{7}) to A.
 O^{Trapdoor}: A submits a keyword w^{′} to B, and returns \(\phantom {\dot {i}\!}T_{w'}=pk_{S_{1}}^{H_{2}(w'\mu _{i}')}\), where \(\phantom {\dot {i}\!}\mu _{i}'=H_{1}((pk_{S_{1}})^{sk_{iR_{1}}})\).
 O^{Test}: A submits C and \(\phantom {\dot {i}\!}T_{w'}\) to B, then B returns 1 if \(\phantom {\dot {i}\!}{v_{i}}'=H_{3}\left ({t_{1}}^{C_{3}}\right)\) and C_{7}=H_{4}(C_{1},C_{2},C_{3},C_{4},C_{5},C_{6},γ=f(v_{i}^{′})) or 0 otherwise.
Challenge:A submits two different keywords (w_{0},w_{1}) to B, where w_{0} and w_{1} are not challenged in previous phase. B chooses b∈{0,1} randomly for a keyword trapdoor \(\phantom {\dot {i}\!}T_{w_{b}}=pk_{S_{1}}^{r\cdot H_{2}(w_{b}\mu _{i}')}\), where \(\phantom {\dot {i}\!}\mu _{i}'=H_{1}(g^{a{{c_{i}}}})\). And then returns them to A.
Therefore, the challenge trapdoor is the effective trapdoor of the keyword w_{b}.
Game1 and Game2 will be uniform, if B asks for queries and challenge correctly. It means that A guesses correctly in both subgame with the same advantage Pr[Y_{2}]= Pr[Y_{1}].
Game3: This subgame is the same as the Game3 of theorem 1.
Therefore, we induce the equation
Game4: This subgame is the same as the Game4 of theorem 1.
Therefore, A has the advantage of winning with Pr[Y_{4}]=1/2.
Next, A can guess correctly in the above game with the advantage
Based on the triangle inequality, the above subgames induce as follow:
The collision resistance property of the hash function H and the complication of HDH problem is complicated so that Adv(λ)_{A} is negligible in theorem 2.
Theorem 3: The MREKS scheme realizes PPMREKSCPA game secure if AES encryption is INDCPA secure and the CDH and DL assumptions holds.
Proof 3: The MREKS scheme leverages the AES to encrypt the plaintext M and hides the session key K into C_{1}. Hence, if C_{1} does not divulge any information about the encryption key K, security of our MREKS will be based on AES. As long as we ensure the security of η is equivalent to ensuring the security of K, that is, we need to keep the keyword’s security, if the hash function is collision resistant. The following game is played between a PPT adversary A and the challenger B. Given a DL instances (G,g,g^{a}) and CDH instances (H_{1},g,g^{a},g^{η}), where \(a,\eta \in Z_{q}^{*}\), B works as follows.
GlobalSetup:B initializes the system to produce GP={q,g,G,H_{1},H_{2},H_{3},H_{4}}. B sends GP, the public key of senders and recipients \(\phantom {\dot {i}\!}pk_{S}=(g^{sk_{S_{1}}},g^{sk_{S_{2}}})=(g^{sk_{S_{1}}},g^{a})\) and \(\phantom {\dot {i}\!}pk_{iR}=({g^{sk_{iR_{1}}}},g^{sk_{iR_{2}}})\) to A, where g is the generator of group G and each recipient denotes i=1,2,...,n.
Phase 1:A can issue queries to the hash oracle and encryption oracle \(\phantom {\dot {i}\!}O^{H_1}\), \(\phantom {\dot {i}\!}O^{H_3}, O^{H_4}\) and O^{Ciphertext}, respectively.
\(\phantom {\dot {i}\!}O^{H_{1}}\): Given an element g^{∗}∈G, it returns lbit random number h^{∗} as the hash value H_{1}(g^{∗}).
\(\phantom {\dot {i}\!}O^{H_{3}}\): Given an element g^{′}∈G, it returns a random number \(h' \in Z_{q}^{*}\) as the hash value H_{3}(g^{′}).
\(\phantom {\dot {i}\!}O^{H_{4}}\): Given an arbitrary string length {0,1}^{∗}, it returns l bit string length {0,1}^{l} as the hash value H_{4}({0,1}^{∗}).
 O^{Ciphertext}: A submits a keyword w and a plaintext M to B, then B picks a random integer \(r\in Z_{q}^{*}\) and returns C=(C_{1},C_{2},...,C_{7}) to A.
Challenge:A submits to B its keyword w and two plaintexts (M_{0},M_{1}). B generates a ciphertext C_{b}, where the random bit b decides which plaintext is encrypted in this ciphertext. B chooses \(r^{*}\in Z_{q}^{*}, b\in \{0,1\}\) randomly and performs as follow:
a) Selects random integers \(v_{1}^{*}, v_{2}^{*},...,v_{n}^{*}, \gamma ^{*}, {\eta ^{*}} \in Z_{q}^{*}\).
b) Computes \(\phantom {\dot {i}\!}s_{i}^{*}={H_{3}\left (pk_{S_{2}}^{(H_{2}(w_{b}\theta _{i}^{*})r^{*})}\right)}\), where \(\phantom {\dot {i}\!}\theta _{i}^{*}=H_{1}(pk_{iR_{2}}^{sk_{S_{2}}})\) and define two polynomial
where \(\alpha _{i}^{*} \in Z_{q}^{*}\);
where \(\beta _{i}^{*} \in Z_{q}^{*}\);
c) Computes
\(\phantom {\dot {i}\!}C_{1}^{*}=K\oplus {H_{1}(pk_{S_{2}}^{\eta ^{*}})}\),
\(C_{2}^{*}=AESEnc_{K}(M_{b})\),
\(\phantom {\dot {i}\!}C_{3}^{*}=(sk_{S_{1}})^{1}r^{*}\),
\(\phantom {\dot {i}\!}C_{4}^{*}=g^{ar^{*}}\);
d) Sets
\(C_{5}^{*}=(\alpha _{0}^{*}, \alpha _{1}^{*},...,\alpha _{n1}^{*})\),
\(C_{6}^{*}=(\beta _{0}^{*}, \beta _{1}^{*},..., \beta _{n1}^{*})\),
\(C_{7}^{*}=H_{4}(C_{1}^{*},C_{2}^{*}, C_{3}^{*}, C_{4}^{*}, C_{5}^{*}, C_{6}^{*}, \gamma ^{*})\);
f) Returns the ciphertext \(C_{b} = (C_{1}^{*},...,C_{7}^{*})\) to A.
Phase 2:A still can issue queries to the oracles same as in phase 1 except that the ciphertext C_{b} cannot appears in the decrypt oracle O^{D}.
Guess:A returns a bit b^{′} and wins the game if b^{′}=b.
We define event E_{1} and E_{2}.
E_{1}: A issues h^{∗} to \(\phantom {\dot {i}\!}O^{H_{1}}\).
E_{2}: A issues \(\phantom {\dot {i}\!}g'=g^{a(H_{2}(w'\theta _{i}')r)}\) to \(\phantom {\dot {i}\!}O^{H_{3}}\),
In case E_{1} happens, the challenger B solves the CDH problem via computing g^{∗}=g^{aη}.
In case E_{2} happens, the challenger B solves the DL problem via computing \(g^{(H_{2}(w'\theta _{i}')r)}={g'}^{\frac {1}{a}}\).
If the DL and CDH assumption holds, E_{1} and E_{2} happens with a negligible probability. That is
where t is a (polynomial) upper bound on the number of queries.
In another case, E_{1} and E_{2} does not happen, the ciphertext C is random in A’s view and the session key K can be revealed with a negligible probability. That is
Therefore, A’s wining advantage is equal to or less than a negligible probability if AES encryption is INDCPA secure and the DL and CDH assumption holds in this game.
Notice. We deduce that the computation of η is approximately the computation g^{η}, since the computation of s_{i} in the polynomial g(x) is to solve the DL assumption.
Performance analysis
This section we evaluates the efficiency computation and communication cost of our scheme.
Now we present the following notions for basic operations in Table 1:
t_{h}: the cost for computing a maptopoint hash.
t_{p}: the cost for a bilinear pairing.
t_{e}: the cost for a modular exponentiation.
n: the number of recipients.
To give a more intuitive comparison, we test the time cost of the compared schemes by employing the PBC library on a laptop running Ubuntu 16.04 with Interl Core i54210U CPU @1.7GHz and 11GB RAM memory. A TypeA pairing was chosen and used to initialize the system, which owns the same security level as a 1024bit RSA encryption.
The schemes proposed in [2, 3, 9, 13] are the based on bilinear pairing operation. Let G×G→G_{T}, where G_{T} is the bilinear map group.
The computation cost of the keyword encryption algorithm, trapdoor algorithm and test algorithm in MREKS and schemes [2, 3, 9, 13]. See Fig. 3 and Table 2. We run the keyword encryption algorithm 100 times for one keyword and recipient in our scheme’s average is about 1.594 ms. When the number of recipients increases to 10, our scheme costs about 15.42 ms. Compared to scheme [9], the computation cost of MREKS is reduced by 79.5% in keyword encryption phase. If the number of recipients is infinite, the keyword encryption efficiency of MREKS scheme will be more excellent than other PEKS schemes.
In addition, the time cost of trapdoor in our scheme is fast than previous PEKS scheme. We set the recipients is 10 and the time cost of keyword testing in MREKS scheme is about 1.53 ms, while that in [2, 3, 9, 13] is about 2.1 ms, 3.1 ms, 2.9 ms and 2.13 ms, respectively.
Remark. In order to prevent indeterminate and affected by the length of the plaintext as well as making a better comparison with PEKS schemes, the encryption and decryption of AES algorithm are not included in the ciphertext computation and communication.
Communication cost
To visually display the comparison of storage length between different schemes based on PBC library’s parameters, we now describle communication costs in Table 3 with the following notations:
G: the 512 bitsize of an element in G.
G_{T}: the 1024 bitsize of element in G_{T}.
\(Z_{q}^{*}\): the 128 bitsize of integer in \(Z_{q}^{*}\).
h: the 256 bitsize of a hash value.
n: the number of recipients.
We clearly have that MREKS scheme is less than the PEKS and PAEKS schemes [2, 3, 9, 13] in the size of keyword encryption algorithm. Especially as the number of recipients n increases, our scheme is relatively more efficient. Furthermore, the size of trapdoor in MREKS scheme is smaller than schemes [2, 3, 9, 13].
Conclusion
PAEKS scheme is a useful cryptographic paradigm that supplies a feasible solution to the issue of encrypted data retrieval for cloud storage. MREKS techniques are used to simultaneously provide authentication, no costly bilinear pairing operations as well as multirecipient keyword search function. Furthermore, we embed the encryption of message to our scheme, and the decryption needs to match the corresponding keyword information, which ensures the privacy of message and keywords. We formally prove that it ensures keyword security without random oracles and plaintext security. Moreover, we evaluate the performance of the proposed of our scheme with the previous PEKS and PAEKS scheme. The results demonstrate that our scheme is much more efficient than the previous schemes, especially on the computation efficiency. It is expedite for user to search over encrypted data for cloud storage due to the feature.
Availability of data and materials
The datasets generated during and/or analyzed during the current study are available from the corresponding author on reasonable request.
References
Song DX, Wagner D, Perrig A (2000) Practical techniques for searches on encrypted data In: Proceeding 2000 IEEE Symposium on Security and Privacy. S P 2000, 44–55. https://doi.org/10.1109/SECPRI.2000.848445.
Boneh D, Di Crescenzo G, Ostrovsky R, Persiano G (2004) Public key encryption with keyword search. In: Cachin C. Camenisch JL (eds)Advances in Cryptology  EUROCRYPT 2004, 506–522.. Springer, Berlin, Heidelberg.
Baek J, SafaviNaini R, Susilo W (2008) Public key encryption with keyword search revisited. In: Gervasi O, Murgante B, Laganà A, Taniar D, Mun Y, Gavrilova ML (eds)Computational Science and Its Applications – ICCSA 2008, 1249–1259.. Springer, Berlin, Heidelberg.
Fang L, Susilo W, Ge C, Wang J (2013) Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inf Sci 238:221–241. https://doi.org/10.1016/j.ins.2013.03.008.
Fang L, Susilo W, Ge C, Wang J (2009) A secure channel free public key encryption with keyword search scheme without random oracle. In: Garay JA, Miyaji A, Otsuka A (eds)Cryptology and Network Security, 248–258.. Springer, Berlin, Heidelberg.
Rhee HS, Park JH, Susilo W, Lee DH (2010) Trapdoor security in a searchable publickey encryption scheme with a designated tester. J Syst Softw 83(5):763–771. https://doi.org/10.1016/j.jss.2009.11.726.
Baek J, SafaviNaini R, Susilo W (2006) On the integration of public key data encryption and public key encryption with keyword search. In: Katsikas SK, López J, Backes M, Gritzalis S, Preneel B (eds)Information Security, 217–232.. Springer, Berlin, Heidelberg.
Zhang L, Xiong H, Huang Q, Li J, Choo KR, LI J (2019) Cryptographic solutions for cloud storage: Challenges and research opportunities. IEEE Trans Serv Comput:1–1. https://doi.org/10.1109/TSC.2019.2937764.
Huang Q, Li H (2017) An efficient publickey searchable encryption scheme secure against inside keyword guessing attacks. Inf Sci 403404:1–14. https://doi.org/10.1016/j.ins.2017.03.038.
Lu Y, Li J, Zhang Y (2020) Privacypreserving and pairingfree multirecipient certificateless encryption with keyword search for cloudassisted iiot. IEEE Internet Things J 7(4):2553–2562. https://doi.org/10.1109/JIOT.2019.2943379.
Pan X, Li F (2021) Publickey authenticated encryption with keyword search achieving both multiciphertext and multitrapdoor indistinguishability. J Syst Archit 115:102075. https://doi.org/10.1016/j.sysarc.2021.102075.
Cheng L, Meng F (2021) Security analysis of pan et al.’s “publickey authenticated encryption with keyword search achieving both multiciphertext and multitrapdoor indistinguishability”. J Syst Archit 119:102248. https://doi.org/10.1016/j.sysarc.2021.102248.
Qin B, Chen Y, Huang Q, Liu X, Zheng D (2020) Publickey authenticated encryption with keyword search revisited: Security model and constructions. Inf Sci 516:515–528. https://doi.org/10.1016/j.ins.2019.12.063.
Lynn B, et al. (2013) Pairingbased cryptography library. https://crypto.stanford.edu/pbc/.
Byun JW, Rhee HS, Park HA, Lee DH (2006) Offline keyword guessing attacks on recent keyword search schemes over encrypted data. In: Jonker W Petković M (eds)Secure Data Management, 75–83.. Springer, Berlin, Heidelberg.
Yau WC, Heng SH, Goi BM (2008) Offline keyword guessing attacks on recent public key encryption with keyword search schemes. In: Rong C, Jaatun MG, Sandnes FE, Yang LT, Ma J (eds)Autonomic and Trusted Computing, 100–105.. Springer, Berlin, Heidelberg.
Ma M, He D, Kumar N, Choo KR, Chen J (2018) Certificateless searchable public key encryption scheme for industrial internet of things. IEEE Trans Ind Inform 14(2):759–767. https://doi.org/10.1109/TII.2017.2703922.
Lu Y, Wang G, Li J (2019) Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement. Inf Sci 479:270–276. https://doi.org/10.1016/j.ins.2018.12.004.
Ma M, He D, Fan S, Feng D (2020) Certificateless searchable public key encryption scheme secure against keyword guessing attacks for smart healthcare. J Inf Secur Appl 50:102429. https://doi.org/10.1016/j.jisa.2019.102429.
Noroozi H, Eslami X (2020) Publickey encryption with keyword search: a generic construction secure against online and offline keyword guessing attacks. J Ambient Intell Human Comput 11:879–890. https://doi.org/10.1007/s1265201901254w.
Qin B, Cui H, Zheng X, Zheng D (2021) Improved security model for publickey authenticated encryption with keyword search. In: Huang Q Yu Y (eds)Provable and Practical Security, 19–38.. Springer, Cham.
Chen R, Mu Y, Yang G, Guo F, Huang X, Wang X, Wang Y (2016) Serveraided public key encryption with keyword search. IEEE Trans Inf Forensic Secur 11(12):2833–2842. https://doi.org/10.1109/TIFS.2016.2599293.
Zhang Y, Xu C, Ni J, Li H, Shen XS (2019) Blockchainassisted publickey encryption with keyword search against keyword guessing attacks for cloud storage. IEEE Trans Cloud Comput:1–1. https://doi.org/10.1109/TCC.2019.2923222.
He D, Ma M, Zeadally S, Kumar N, Liang K (2018) Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE Trans Ind Inform 14(8):3618–3627. https://doi.org/10.1109/TII.2017.2771382.
Li H, Huang Q, Shen J, Yang G, Susilo W (2019) Designatedserver identitybased authenticated encryption with keyword search for encrypted emails. Inf Sci 481:330–343. https://doi.org/10.1016/j.ins.2019.01.004.
Li H, Huang Q, Susilo W (2020) A secure cloud data sharing protocol for enterprise supporting hierarchical keyword search. IEEE Trans Dependable Secure Comput:1–1. https://doi.org/10.1109/TDSC.2020.3027611.
Xu P, Jin H, Wu Q, Wang W (2013) Publickey encryption with fuzzy keyword search: A provably secure scheme under keyword guessing attack. IEEE Trans Comput 62(11):2266–2277. https://doi.org/10.1109/TC.2012.215.
Miao Y, Weng J, Liu X, Choo KKR, Liu Z, Li H (2018) Enabling verifiable multiple keywords search over encrypted cloud data. Inf Sci 465:21–37. https://doi.org/10.1016/j.ins.2018.06.066.
Zhang X, Xu C, Wang H, Zhang Y, Wang S (2019) Fspeks: Latticebased forward secure publickey encryption with keyword search for cloudassisted industrial internet of things. IEEE Trans Dependable Secure Comput:1–1. https://doi.org/10.1109/TDSC.2019.2914117.
Li J, Lin X, Zhang Y, Han J (2017) Ksfoabe: Outsourced attributebased encryption with keyword search function for cloud storage. IEEE Trans Serv Comput 10(5):715–725. https://doi.org/10.1109/TSC.2016.2542813.
Sadeghi AR, Steiner M (2001) Assumptions related to discrete logarithms: Why subtleties make a real difference. In: Pfitzmann B (ed)Advances in Cryptology — EUROCRYPT 2001, 244–261.. Springer, Berlin, Heidelberg.
Abdalla M, Bellare M, Rogaway P (2001) The oracle diffiehellman assumptions and an analysis of dhies. In: Naccache D (ed)Topics in Cryptology — CTRSA 2001, 143–158.. Springer, Berlin, Heidelberg.
Dent AW (2006) A Note On GameHopping Proofs. Cryptology ePrint Archive, Report 2006/260. https://eprint.iacr.org/2006/260.
Acknowledgements
The authors would like to thank to anonymous reviewers for their valuable comments on the manuscript.
Funding
This work of Quan Zhou is supported by the National Key Research and Development Program of China (No. 2021YFA1000600). This work of Qiong Huang is supported by National Natural Science Foundation of China (61872152), Guangdong Major Project of Basic and Applied Basic Research (2019B030302008), and the Science and Technology Program of Guangzhou (201902010081). This work of Chunming Tang is supported by National Natural Science Foundation of China (61772147).
Author information
Affiliations
Contributions
Ningbin Yang put forward the main ideas and drafted the manuscript. Quan Zhou guided the research and participated in the discussion of the manuscript. Qiong Huang and Chunming Tang made suggestions for the article. All authors read and approve the final manuscript. All authors approve to be submitted in “Journal of Cloud ComputingAdvances Systems and Applications”.
Corresponding authors
Ethics declarations
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Yang, N., Zhou, Q., Huang, Q. et al. MultiRecipient encryption with keyword search without pairing for cloud storage. J Cloud Comp 11, 10 (2022). https://doi.org/10.1186/s13677022002839
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s13677022002839
Keywords
 Cloud storage
 MultiRecipient
 Public key encryption
 Keyword guessing attacks