 Research
 Open Access
 Published:
An improved secure designated server public key searchable encryption scheme with multiciphertext indistinguishability
Journal of Cloud Computing volume 11, Article number: 14 (2022)
Abstract
In the cloud, users prefer to store their sensitive data in encrypted form. Searching keywords over encrypted data without loss of data confidentiality is an important issue. In 2004, Boneh et al. proposed the first publickey searchable encryption scheme which allows users to search by the private key. However, most existing publickey searchable encryption schemes are vulnerable to keyword guessing attack and can not satisfy multiciphertext indistinguishability. In this paper, we construct a secure designated server publickey searchable encryption based on DiffieHellman problem. Our security analysis shows that our proposed scheme can resist against keyword guessing attack and provide multiciphertext indistinguishability for any adversity. Furthermore, the proposed scheme can achieve multitrapdoor privacy for external attackers. Moreover, the simulation results between our scheme and previous schemes demonstrate our new scheme is suitable for practical application.
Introduction
With the rapid development of cloud computing, a growing number of users and companies prefer to store data on the cloud. In such case, they encrypt the data before uploading in order to ensure data privacy. However, it is extremely difficult to retrieve keyword over encrypted data using traditional search mechanism. Searchable encryption has become a promising solution to ensure the security and availability of data.
In 2004, Boneh et al. [1] proposed the concept of Publickey Encryption with Keyword Search (PEKS) and gave a concrete scheme. However, in 2006, Byun et al. [2] put forward an offline keyword guessing attack(KGA) against Boneh et al. ’s scheme. Later, Baek et al. [3] presented a PEKS scheme without a secure channel in 2008. Then, Rhee et al. [4] introduced a new security concept of PEKS, trapdoor indistinguishability, They put forward a PEKS scheme under designated test server (dPEKS) which satisfies trapdoor indistinguishability.
Wang et al. [5] proposed that even if [4] satisfies the trapdoor indistinguishability, their dPEKS cannot resist inside KGA. Since keyword encryption algorithms are public in previous schemes, it will enable the internal attacker to generate the ciphertext of a candidate keyword by himself. That is, the malicious server can efficiently test whether the trapdoor is generated by the canditate keyword or not.
To resist keyword guessing attacks initiated by malicious servers, many researchers have proposed some variants of PEKS schemes. Tang et al. [6] introduced the concept of keyword registration, which requires the sender to register keywords with the receiver in advance and proposes registered keyword search public key encryption (PERKS). Chen et al. [7] put forward a solution using two servers that do not collide with each other, but it is too ideal. Later, Huang et al. [8] presented the concept of publickey authenticated encryption with keyword search (PAEKS) to resist the inside KGA. In their scheme, the data owner needs to use the secret key to authenticate the ciphertext of the keyword. The malicious cloud server will not generate keyword ciphertext for testing without the owner’s private key. Therefore, KGA does not succeed against their scheme.
Qin et al. [9] in 2020 introduced the new security concept called multiciphertext indistinguishability (MCI). That is, from two or more ciphertexts, the adversary can determine whether they are generated by a same keyword. And they constructed a new PAEKS that can guarantee MCI security but does not provide multitrapdoor privacy (MTP) security in which attacker is able to check two or more trapdoors contain a same keyword. In 2021, Pan and Li [10] put forward a new PAEKS scheme with MCI and MTP security. Later, Cheng and Meng [11] proved that Panr and Li’s scheme does not satisfy MTP security.
Motivations and contributions
In searchable encryption, the security goal is that the ciphertexts and trapdoors leak no information about keywords. So far, there is rarely publickey searchable encryption schemes achieve both MCI and MTP, and security against KGA. In this paper, our goal is to construct an enhanced secure designated server publickey searchable encryptionscheme with MCI and MTP. The contributions of our paper are summarized as follows:

1
We give a security analysis of Li et al.’s scheme [12] and show that their scheme does not satisfy trapdoor indistinguishability.

2
We propose a secure scheme that satisfies the requirement of testing the designated server. That is to say, no one can test except the designated server. Moreover, we prove that our scheme satisfies MCI security, MTP security for external adversaries, and designated testability.

3
We analyze our scheme’s implementation and communication cost by comparing it with previous other schemes. The result shows that our scheme has excellent advantages in keyword ciphertext and trapdoor algorithms, and the test algorithm is not inferior to other schemes. Moreover, our scheme provides stronger security for keyword privacy.
Related works
In 2004, Boneh et al. [1] first proposed the public key encryption scheme with keyword search, which started the research on publickey searchable encryption. Later, Abdalla et al. [13] presented a searchable encryption scheme based on identity. Byun et al. [2] put forward offline KGA against Abdalla et al.’s scheme. Baek et al. [3] suggested that a tester should be appointed to perform the test algorithm to hide the user’s search pattern, to ensure that only those who have the tester’s private key can conduct the test. Rhee et al. [4, 14] put forward a dPEKS model to reject outside KGA and constructed a general structure of dPEKS based on the designated tester. Fang et al. [15] presented a dPEKS scheme that is not based on a random prediction machine to resist outside KGA. Rhee et al. [16] construct an identitybased PEKS scheme with a designated tester. Emura et al. [17] presented a general structure of SCFPEKS based on anonymous identitybased encryption(IBE) and onetime signature. After that, many schemes [18–20] have made efforts to resist offline guessing attacks, but these schemes cannot resist inside KGA.
To resist inside KGA, Xu et al. [21] proposed a PEKS scheme with fuzzy keywords, reducing the security of inside KGA by ensuring that each trapdoor corresponds to multiple keywords. Wang et al. [22] gave a PEKS scheme with dual servers. In 2017, Huang et al. [8] proposed the concept of publickey authentication searchable encryption. After that, Huang et al.’s scheme has been extended to certificateless PAEKS [23–25] and identitybased PAEKS [12]. And in the field of Internet of Things, many PEAKS variants [26–28] have been proposed. In 2019, Lu et al. [29] presented a PEKS scheme without random prediction. Later, Noroozi et al. [30] proposed that Huang et al.’s scheme is insecure in the case of multiple receivers.
In 2020, Qin et al. [9] presented a new PAEKS that is claimed to provide multiciphertext indistinguishability but no multitrapdoor privacy. Recently, Li et al. [12] proposed a new PAEKS scheme under a designated server which still cannot guarantee MTP. Furthermore, almost PAEKS [8, 12] and their variants [9, 25, 31, 32] cannot provide MTP security and hide the search pattern of the user. Later, Qin et al. [33] proposed an improved security model and gave a specific scheme. Recently, Latticebased searchable encryption schemes [34, 35] have been proposed which are claimed to guarantee stronger security.
Paper organization
The rest of this paper is organized as follows. In section 2, we introduce some preliminary knowledge. Then we review Li et al.’s scheme and give a security analysis for it in section 3. The fourth section defines the enhanced scheme and its security model. Section 5 gives a concrete construction scheme and proves that it satisfies the designed testability, MTP security and MCI security. Then in section 6, we compare and analyze our scheme with others. In the last section, we give a summary and a prospect for the future.
Preliminaries
Bilinear pairing
We briefly describe the definition of bilinear mapping. (See more details in [36]). Let \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) be a computable bilinear pairing, where \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are two cyclic groups of prime order p. The map \(\hat {e}\) has the following properties.

For any \(x,y \in \mathbb {Z}_{p}^{*}\), \(g,g_{1} \in \mathbb {G}_{1}\), the equation \(\hat {e}\left (g^{x}, g_{1}^{y}\right) = \hat {e}\left (g, g_{1}\right)^{xy}\) holds.

For any generator \(g \in \mathbb {G}_{1}\), \(\hat {e}(g,g)\) is a generator of \(\mathbb {G}_{2}\).

For any \(g,g_{1} \in \mathbb {G}_{1}\), there exists a PPT algorithm to compute \(\hat {e}(g_{1},g)\).
Complexity assumptions
In this subsection, \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are two cyclic groups of prime order p, g is a generator of \(\mathbb {G}_{1}\) and \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) is a bilinear map. Decisional Diffie–Hellman assumption and Decisional bilinear Diffie–Hellman assumption are introduced as follows.
Definition 1
(Decisional Diffie–Hellman (DDH) assumption): Given g, g^{x}, \(g^{y} \in \mathbb {G}_{1}\), where \(x,y \in \mathbb {Z}_{q}^{*}\), there no exists polynomialtime algorithm to distinguish between (g,g^{x},g^{y},g^{xy}) and (g,g^{x},g^{y},Z), where \(Z \in _{R} \mathbb {G}_{1}\). The advantage of adversary \(\mathcal {A}\) is
DDH assumption holds if the advantage is negligible.
Definition 2
(Decisional bilinear Diffie–Hellman (DBDH) assumption) : Given g, g^{x}, g^{y}, \(g^{z} \in \mathbb {G}_{1}\), where \(x,y,z \in \mathbb {Z}_{q}^{*}\). The advantage of the adversary \(\mathcal {A}\) is \(Adv^{DBDH}_{\mathcal {A}}(\kappa) = \vert Pr\left [\mathcal {A}\left (g,g^{x},g^{y},g^{z},e(g,g)^{xyz}\right)\right ]  Pr\left [\mathcal {A}(g,g^{x},g^{y},g^{z},Z\right ] \vert \), where \(x,y,z \in _{R} \mathbb {Z}_{q}^{*}\) and \(Z \in _{R} \mathbb {G}_{2}\). DBDH assumption holds if the advantage is negligible.
System model
Our system framework is showed in Fig. 1. The system contains three entities: a cloud server, a data owner and a receiver. Moreover, the data owner wants to send confidential files to the cloud which are allowed the assigned receiver to access the data. The exact procedures are as follows: First, the data owner extracts a group of keywords from documents and builds an secure index including keyword ciphertexts and documents. Second, the data owner encrypts the files by symmetric encryption and uploads the encrypted file and keyword ciphertext index to the server. Third, the receiver generates a trapdoor for a query keyword and sends it to the server. Finally, after receiving the trapdoor, cloud server runs the test algorithm and outputs the search results.In Table 1, we summarize the notations used in this paper.
Cryptanalysis of li et al.’s scheme
In this section, we review an identitybased searchable authenticated encryption scheme under a designated server proposed by Li et al.. After analyzing their scheme, we propose that it cannot guarantee trapdoor indistinguishability.
Review of li et al.’s scheme
Li et al.’s scheme consists of the following polynomial algorithms:
Setup(κ): From the security parameter κ, it outputs a public parameter para= (\(\mathbb {G}_{1},\mathbb {G}_{2},\hat {e}, p, g, g_{1}, H, H_{1}\), mpk) and msk, where \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are cyclic groups of prime order p. g and g_{1} are generators of \(\mathbb {G}_{1}\). \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) is an efficient bilinear map, and \(H:\mathbb {G}_{2} \times \{0,1\}^{*} \rightarrow \mathbb {G}_{1},H_{1}: \{0,1\}^{*} \rightarrow \mathbb {G}_{1}\), \(msk=\alpha \in \mathbb {Z}_{p}\), mpk=g^{α}.
KGen_{s}(para): With the parameters para, it outputs the public/secret key pairs (Pk_{S},Sk_{S})=(g^{z},z) of the server, where \(z \in _{R} \mathbb {Z}_{p}\).
KGen_{usr}(pp,msk,ID): Inputting (pp,msk,ID), it returns Sk_{ID}=H_{1}(ID)^{α}.
\(\phantom {\dot {i}\!}dIBAEKS(para,w,Pk_{S},Sk_{ID_{O}},ID_{O},ID_{R})\): With para, w, Pk_{s}, \(\phantom {\dot {i}\!}Sk_{ID_{O}}\), ID_{O} of a data owner and a receiver’s ID_{R}, it returns a keyword ciphertext C_{w}= (C_{1},C_{2},C_{3}), where C_{1} = \(\hat {e}\left (H(k,w),Pk_{S}^{s}\right)\), C_{2} = g^{s}, C_{3}=\( g_{1}^{s}\), \(s \in _{R} \mathbb {Z}_{p}\) and \(\phantom {\dot {i}\!}k = \hat {e}(Sk_{ID_{O}}, H_{1}(ID_{R}))\).
\(\phantom {\dot {i}\!}Tarpdoor(para,w,Pk_{S},Sk_{ID_{R}},ID_{O},ID_{R})\): It outputs a trapdoor \(T_{w} = (H(k,w) \cdot g_{1}^{r},g^{r})\), where \(\phantom {\dot {i}\!}k = \hat {e}(H_{1}(ID_{O}),Sk_{ID_{R}})\).
Test(para,Sk_{S},ID_{O},ID_{R},C_{W},T_{W}): It outputs 1 if
and 0 otherwise.
Cryptanalysis of their scheme
In [12], Li et al. claimed that their dlBAEKS scheme satisfies the trapdoor indistinguishability under the random prediction model. Although trapdoor contains a random number in dlBAKES, there is an efficient algorithm to ascertain whether two trapdoors encrypt the identical keyword or not. In fact, for any two trapdoors T_{w}=(T_{1},T_{2}) and \(\phantom {\dot {i}\!}T_{w^{\prime }} = \left (T_{1}^{\prime },T_{2}^{\prime }\right)\) containing unknown keywords w and w^{′}, respectively, the decision algorithm by adversary is as follows:
where k, g are both fixed values for the same owner and receiver. An attacker captures some tuples T_{w}=(T_{1},T_{2}) and \(\phantom {\dot {i}\!}T_{w^{\prime }} = (T_{1}^{\prime },T_{2}^{\prime })\). This distinguishing attack works as follows: if
then w=w^{′}, and w≠w^{′} otherwise. Thus, the dIBAEKS scheme in [12] is insecure for multitrapdoor privacy. This means that for the data owner sharing files to the receiver, the external attacker can effectively determine if multiple trapdoors generated by the receiver corresponds to the same keyword.
In addition, another scheme dIBAEKS3 proposed in [12] also has the similar vulnerability. The decision algorithm is as follows: \(\hat {e}(T_{1},g_{1})\cdot \hat {e}(T_{2},g)^{1} = \hat {e}(H(k,w),g_{1}) \). From two trapdoors: T_{w}=(T_{1},T_{2}) and \(\phantom {\dot {i}\!}T_{w^{\prime }}=(T_{1}^{\prime },T_{2}^{\prime })\), an attacker checks whether \(\hat {e}(T_{1},g_{1})\cdot \hat {e}(T_{2},g)^{1} = \hat {e}(T_{1}^{\prime },g_{1})\cdot \hat {e}(T_{2}^{\prime },g)^{1}\) holds. If it holds, these two trapdoors are generated by the same keyword. Thus, the dIBAEKS3 scheme is not able to provide multitrapdoor privacy.
Definitions and security model
Definition
Our scheme consists of seven (probabilistic) polynomialtime(PPT) algorithms as follows.

Setup(κ)→pp: Given a security parameter κ, it returns the global parameter pp.

KeyGen_{O}(pp)→(Pk_{O},Sk_{O}): Given the parameter pp, it returns the public/secret key pairs (Pk_{O},Sk_{O}) of the data owner.

KeyGen_{R}(pp)→(Pk_{R},Sk_{R}): With the parameter pp, it outputs the public/secret key pairs (Pk_{R},Sk_{R}) of the receiver.

KeyGen_{S}(pp)→(Pk_{S},Sk_{S}): Inputting pp, it calculates the public key and private key pairs (Pk_{S},Sk_{S}) of the server.

PEKS(pp,Pk_{S},Pk_{R},Sk_{O},w)→C_{w}: Given the parameter pp, Pk_{S} of server, Pk_{R} of receiver, Sk_{O} of data owner and a keyword w, it outputs the ciphertext C_{w}.

\(\phantom {\dot {i}\!}Trapdoor(pp, Pk_{O}, Sk_{R}, w^{\prime }) \rightarrow T_{w^{\prime }}\): With the parameter pp, the data owner’s Pk_{O}, Pk_{R} of a receiver and a keyword w^{′}, it computes the trapdoor \(\phantom {\dot {i}\!}T_{w^{\prime }}\) of w^{′}.

\(\phantom {\dot {i}\!}Test\left (pp, Sk_{S}, C_{w}, T_{w^{\prime }}\right) \rightarrow \beta \): With pp, Sk_{S}, C_{w} and \(\phantom {\dot {i}\!}T_{w^{\prime }}\), it outputs 1 if C_{w} and \(T_{w^{\prime }}\) contain a same keyword, 0 otherwise.
Security model
In order to prevent an adversary obtaining any useful inforamtion of keywords, we define three games between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\), namely, multiciphertext indistinguishability, multitrapdoor privacy and designated testability.
Game 1: Multiciphertext indistinguishability.
Setup: The challenger \(\mathcal {C}\) runs KeyGen_{S}, KeyGen_{O} and KeyGen_{R} algorithms with pp to generate (Pk_{S}, Sk_{S}), (Pk_{O},Sk_{O}) and (Pk_{R},Sk_{R}). It returns the tuple (pp,(Pk_{S},Sk_{S})) to \(\mathcal {A}\).
Phase 1: \(\mathcal {A}\) can issue the following two oracles for polynomial number times.

Ciphertext Oracle \(\mathcal {O}_{C}\): With (Pk_{O},Pk_{R},Pk_{S},w), \(\mathcal {C}\) computes the ciphertext C_{w} and sends it to \(\mathcal {A}\).

Trapdoor Oracle \(\mathcal {O}_{T}\): With (Pk_{O},Pk_{R},w), \(\mathcal {C}\) computes a trapdoor T_{w} of a keyword w and returns it to \(\mathcal {A}\).
Challenge: \(\mathcal {A}\) sends two tuples of challenge keywords \(\vec { w}_{0} = \left (w_{0,1}, \dots, w_{0,n}\right), \vec {w}_{1} = \left (w_{1,1}, \dots, w_{1,n}\right)\) to \(\mathcal {C}\). However, the attacker cannot query the challenge keyword in tuple \(\vec w_{0}\) or \(\vec w_{1}\) in advance. \(\mathcal {C}\) selects a random bit b∈{0,1}, computes C_{b,i}←PEKS(pp,Pk_{S},Pk_{R},Sk_{O},w_{b,i}), and returns a ciphertext set \(\vec C_{b} = \left (C_{b,1},\dots,C_{b,n}\right)\) to the adversary \(\mathcal {A}\).
Phase 2: The adversary \(\mathcal {A}\) can continue to query \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w except \(w \in \vec w_{0} \cup \vec w_{1} \).
Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, the condition that \(\mathcal {A}\) wins the game is b^{′}=b. The advantage of any PPT attacker \(\mathcal {A}\) who wins this game is defined as \(Adv_{\mathcal {A}}^{MCI}(\kappa) = \vert Pr[b^{\prime } = b]  \frac {1}{2} \vert \).
Game 2: Multitrapdoor privacy.
Setup: Same as Game 1, \(\mathcal {C}\) generates (Pk_{S},Sk_{S}), (Pk_{O},Sk_{O}) and (Pk_{R},Sk_{R}) and gives (pp,(Pk_{S},Sk_{S})) to \(\mathcal {A}\).
Phase 1: As in Game 1, an adversary can adaptively query the ciphertext oracle \(\mathcal {O}_{C}\) and trapdoor oracle \(\mathcal {O}_{T}\) in polynomial time.
Challenge: \(\mathcal {A}\) sends two challenge keywords tuples \(\vec w_{0} = \left (w_{0,1},\dots,w_{0,n}\right)\), \(\vec w_{1} = \left (w_{1,1},\dots, w_{1,n}\right)\) to \(\mathcal {C}\). However, the attacker cannot query the challenge key in tuple \(\vec w_{0}\) or \(\vec w_{1}\) in advance. \(\mathcal {C}\) computes and returns a trapdoor set \(\vec T_{b} = \left (T_{b,1},\dots,T_{b,n}\right)\) of a random bit b∈{0,1}.
Phase 2: As in Phase 1, \(\mathcal {A}\) can continue to query \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w except \(w \in \vec w_{0} \cup \vec w_{1} \).
Guess: \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, \(\mathcal {A}\) will win the game if b^{′}=b. The advantage of all PPT adversaries \(\mathcal {A}\) who win the game is defined as \(Adv_{\mathcal {A}}^{MTP}(\kappa) = \vert Pr[b^{\prime } = b]  \frac {1}{2} \vert \).
Game 3: Designated testability.
\(\mathcal {A}\) is an external adversary who can get the keyword ciphertext and the trapdoor by monitoring the public channel. However, \(\mathcal {A}\) cannot get the secret key of the server. Designated testability ensures that only a designated server who own the private key can search a keyword over ciphertexts.
Setup: \(\mathcal {C}\) runs KeyGen_{S}, KeyGen_{O} and KeyGen_{R} algorithms with pp to generate the public and private key pairs (Pk_{S},Sk_{S}), (Pk_{O},Sk_{O}) and (Pk_{R},Sk_{R}). It then sends the tuple (pp,Pk_{S}) to \(\mathcal {A}\).
Phase 1: There are two oracles as follows, which allow \(\mathcal {A}\) to query in polynomial time.

Ciphertext Oracle \(\mathcal {O}_{C}\): With (Pk_{O},Pk_{R},Pk_{S},w), \(\mathcal {C}\) computes and returns the ciphertext C_{w}.

Trapdoor Oracle \(\mathcal {O}_{T}\): Input a tuple (Pk_{O},Pk_{R},w), \(\mathcal {C}\) computes and outputs trapdoor T_{w}.
Challenge: \(\mathcal {A}\) sends two challenge keywords w_{0}, w_{1} to \(\mathcal {C}\), then \(\mathcal {C}\) calculates and outputs C_{b} of a random bit b∈{0,1}.
Phase 2: As in Phase 1, \(\mathcal {A}\) can carry on querying for any keyword w_{i} except w_{i}∈(w_{0},w_{1}).
Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, \(\mathcal {A}\) wins the game if b^{′}=b. The advantage for all PPT attackers who win the game is defined as \(Adv_{\mathcal {A}}^{DT}(\kappa) = \vert Pr[b^{\prime } = b]  \frac {1}{2} \vert \).
Proposed scheme
Construction
In this section, we propose a concrete construction of our scheme that can provide multiciphertext indistinguishability, multitrapdoor privacy and security against key guessing attack. The details of proposed scheme are described as follows.

Setup(κ): From κ, it chooses a bilinear pairing \(\hat {e}:{\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}}\), where \(\mathbb {G}_{1},\mathbb {G}_{2}\) are cyclic groups of prime order q, and selects two random generators \(g,h \in \mathbb {G}_{1}\) and two cryptographic hash functions H_{1}: \(\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), H_{2}: \(\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\). It returns the public parameter \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h, \hat {e},H_{1},H_{2}\right)\).

KeyGen_{O}(pp): It takes a grobal pubilc parameter pp as inputs, selects x←Z_{p} randomly and defines Pk_{O}=g^{x} and Sk_{O}=x. It outputs the data owner’s public/secret key pairs (Pk_{O},Sk_{O}).

KeyGen_{R}(pp): From pp, it chooses a random y←Z_{p} and sets Pk_{R}=g^{y} and Sk_{R}=y then returns the receiver’s public/secret key pairs (Pk_{R},Sk_{R}).

KeyGen_{S}(pp): By a grobal pubilc parameter pp, it selects randomly z←Z_{p}, and defines Pk_{S}=h^{z} and Sk_{S}=z. Finally it returns the server’s public/secret key pairs (Pk_{S},Sk_{S}).

PEKS(pp,Pk_{S},Pk_{R},Sk_{O},w): Given the public parameter pp, Pk_{S}, Pk_{R}, Sk_{O} and a keyword w, a data owner performs the following steps:

Select a number \(r \in _{R} \mathbb {Z}_{q}^{*}\).

Calculate C_{1}=h^{r}, \( \kern0.3em {C}_2=\kern0.3em \hat{e}{\left(\kern0.3em P{k}_R,P{k}_S\kern0.3em \right)}^{rS{k}_O{H}_2(w)}\kern0.3em \) and C_{3}=g^{rk}, where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{R}^{Sk_{O}}\right)\).

Output the ciphertext C_{w}=(C_{1},C_{2},C_{3}) of w.


Trapdoor(pp,Pk_{O},Sk_{R},w^{′}): From pp, Pk_{O} of data owner, Sk_{R} of receiver and a keyword w^{′}, a receiver executes the following steps:

Choose a number \(s \in _{R} \mathbb {Z}_{q}^{*}\).

Compute T_{1}=Pk_{S}^{s} and \(\phantom {\dot {i}\!}T_{2} = {{Pk_{O}}^{Sk_{R}H_{2}(w^{\prime })}} \cdot g^{sk}\), where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{O}^{Sk_{R}}\right)\).

Return the trapdoor \(T_{w^{\prime }} = (T_{1},T_{2})\)


Test(pp,Sk_{S},C_{w},T_{w}): After receiving \(T_{w^{\prime }}\), the server searchs over keyword ciphertexts {C_{w}} by testing \(\phantom {\dot {i}\!}\hat {e}(T_{2},C_{1}^{Sk_{S}}) = \hat {e}(T_{1},C_{3}) \cdot C_{2}\) using his private key Sk_{S}. If the equation holds, it outputs 1; otherwise, it outputs 0.
Correctness: Assume that (Pk_{O},Sk_{O}), (Pk_{R},Sk_{R}) and (Pk_{S},Sk_{S}) be the data owner, the receiver and the server’s public/secret key pairs respectively. C_{w}=(C_{1},C_{2},C_{3}) is the ciphertext of a keyword w generated by the owner. \(T_{w^{\prime }} = (T_{1},T_{2})\) is a trapdoor of a keyword generated by the receiver. It follows that:
Thus, if w=w^{′}, then \(\phantom {\dot {i}\!}\hat {e}\left (T_{2},C_{1}^{Sk_{S}}\right) = \hat {e}\left (T_{1},C_{3}\right) \cdot C_{2}\) holds with probability 1; otherwise, it holds with overwhelming probability by the collision resistance of the hash function H_{2}.
Security proof
In this subsection, we prove that our scheme achieves the security of MCI, MTP and designated testability. Formally, we have the following theorems.
Theorem 1
Under the assumption of DBDH, our scheme satisfies multiciphertext indistinguishability.
Proof Assume that \(\mathcal {A}\) is an adversary who tries to destroy the MCI security. And the algorithm \(\mathcal {C}\) for solving DBDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,g,g^{x},g^{y},g^{z},Z_{1}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1}, \mathbb {G}_{2}, q, g, \hat {e}, h =g^{\alpha }, H_{1}, H_{2}\right)\), Pk_{O}=g^{x}, Pk_{R}=g^{y} and (Pk_{S},Sk_{S})=(h^{t},t). It then sends pp and (Pk_{S},Sk_{S}) to \(\mathcal {A}\).
Phase 1: We define several oracles as follows, which allow \(\mathcal {A}\) to query many times. We assume that \(\mathcal {A}\) cannot query the same oracle more than once.

Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\): In response to the H_{1} query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{1}}= \left \{< m_{i},a_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{1}}\) times at most. For querying m_{i} to the oracle, it will perform the following operations: At first, if \(\hat {e}(g,m_{i}) = \hat {e}\left (g^{x},g^{y}\right)\), \(\mathcal {C}\) randomly returns a bit b^{′} and halts. Otherwise \(\mathcal {C}\) checks whether m_{i} exists in the tuple list. If so, \(\mathcal {C}\) takes out the corresponding tuple and returns a_{i} to \(\mathcal {A}\). Otherwise, it randomly chooses a new exponent a_{i}∈{0,1}^{κ}, stores <m_{i},a_{i}> in \(\phantom {\dot {i}\!}L_{H_{1}}\) and returns a_{i} to \(\mathcal {A}\).

Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\): In response to the H_{2} query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{2}}= \left \{< w_{i},b_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{2}}\) times at most. When submitting the keywords w_{i} to the Oracle for query, it will perform the following operations: At first, it checks whether w_{i} exists in the tuple list. if it exists, \(\mathcal {C}\) will take out the corresponding tuple and return b_{i} to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent b_{i}∈{0,1}^{κ}, stores <w_{i},b_{i}> in \(\phantom {\dot {i}\!}L_{H_{2}}\)and returns b_{i} to \(\mathcal {A}\).

Oracle \(\mathcal {O}_{E}\): It takes public key Pk_{i} as input. To response to the queries, the oracle maintains a tuple list L_{E}={<Pk_{i},c_{i},V_{i}>}, and it is assumed that \(\mathcal {O}_{E}\) can be asked by attackers for q_{E} times at most. When submitting Pk_{i} to the Oracle query, it will perform the following operations: At first, if Pk_{i}=g^{x} or Pk_{i}=g^{y}, \(\mathcal {C}\) randomly returns a bit b^{′} and halts. Otherwise \(\mathcal {C}\) tests whether exists Pk_{i} in the tuple list. If so, \(\mathcal {C}\) chooses the candidate tuple and returns c_{i} to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent c_{i}∈{0,1}^{κ}, and computes \(\phantom {\dot {i}\!}V_{i} = {Pk_{i}}^{c_{i}}\). Finally, it stores <Pk_{i},c_{i},V_{i}> in L_{E} and outputs c_{i}.

Ciphertext Oracle \(\mathcal {O}_{Ciphertext}\): Input a tuple (pk_{O},Pk_{R},w_{i}), which w_{i}∈{0,1}^{∗}, it randomly chooses \(r_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{2w_{i}}\right)\) as follows.

If (Pk_{O},Pk_{R})=(g^{x},g^{y}) or (Pk_{O},Pk_{R})=(g^{y},g^{x}), then it sets \(\phantom {\dot {i}\!}g^{z} = g^{\alpha r_{i}}\), and computes \(C_{1w_{i}} = g^{z}\), \(\phantom {\dot {i}\!}C_{2w_{i}} = Z_{1}^{tb_{i}}\), \(C_{3w_{i}} = g^{r_{i}a_{i}} \).

Otherwise, at least one Pk_{i} in (Pk_{O},Pk_{R}) is equal to g^{x} or g^{y}. It computes H_{2}(w_{i})=b_{i}, k=a_{i}, and returns to \(\mathcal {A}\) with \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{3w_{i}}\right)\), where \(C_{1w_{i}} = h^{r_{i}}\), \(C_{2w_{i}}=\hat {e}(g^{y},h^{r_{i}})^{tc_{o}b_{i}}\) and \(C_{3w_{i}} = g^{r_{i}{a_{i}}}\).


Trapdoor Oracle \(\mathcal {O}_{Trapdoor}\): Input (Pk_{O},Pk_{R},w_{i}), where w_{i}∈{0,1}^{∗}, it randomly chooses \(s_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(T_{w_{i}} = (T_{1w_{i}},T_{2w_{i}})\) as follows.

If (Pk_{O},Pk_{R})=(g^{x},g^{y}) or (Pk_{O},Pk_{R})=(g^{y},g^{x}), then it computes \(T_{1w_{i}} = g^{ts_{i}}\) and \(T_{2w_{j}i} = Z_{2}^{b_{i}}\cdot g^{{r_{i}a_{i}}}\).

Otherwise, at least one Pk_{i} in (Pk_{O},Pk_{R}) equals to g^{x} or g^{y}. It calculates H_{2}(w_{i})=b_{i}, k=a_{i}, and returns to \(\mathcal {A}\) with \(T_{w_{i}} = \left (T_{1w_{i}},T_{2w_{i}}\right)\), where \(T_{1w_{i}} = g^{ts_{i}} \), \(\phantom {\dot {i}\!}T_{2w_{i}}=(g^{x})^{c_{o}b_{i}}\cdot g^{{s_{i}a_{i}}}\).

Challenge: \(\mathcal {A}\) completes multiple queries on the above oracles. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly selects a random number r_{i} and a bit \(\hat {b} \in \{0,1\}\). then \(\mathcal {C}\) outputs a ciphertext tuple \(\vec C_{{{w_{\hat {b}}}}^{*}} = \left (C_{{w_{\hat {b},1}}^{*}},\dots,C_{{w_{\hat {b},n}}^{*}}\right)\) where \(C_{{1w_{\hat {b},i}}^{*}} = g^{z}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{tb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b},i}}^{*}} = g^{za_{i}} \).
Phase 2: As with Phase 1 of operation, \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{Ciphertext}\) and/or \(\mathcal {O}_{Trapdoor}\) for any keyword w_{i} except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).
Guess: The adversary\(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b^{′}=0 if \(\hat {b^{\prime }} = \hat {b}\), b^{′}=1 otherwise.
If the guess of the challenging public key is incorrect, \(\mathcal {C}\) will abort. This event is represented by E. If \(\mathcal {C}\) aborts, \(\mathcal {C}\) outputs a random bit. The termination probability of E is \(\frac {1}{q_{E}(q_{E} 1)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}(q_{E} 1)}\).
Assume that algorithm \(\mathcal {C}\) is not aborted. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and \(Z_{1} = \hat {e}(g,g)^{xyz}\), the adversary \(\mathcal {A}\) will win with \(Adv_{\mathcal {A}}^{MCI}(\kappa) + \frac {1}{2}\). If Z_{1} is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{Sk_{S}H_{2}(w)}\) is a random element of \(\mathbb {G}_{2}\). In this case, the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\) can be tested. When the keywords are consistent, test algorithm outputs 1. Therefore, \(\mathcal {A}\) has a 1/2 probability that he wins the Game 1. Thus, the advantage for \(\mathcal {C}\) in solving DBDH problem is
Theorem 2
Under the assumption of DDH, our scheme satisfies semantically MTP security.
Proof Assume that \(\mathcal {A}\) is an external opponent who tries to crack the Multitrapdoor Privacy. Moreover, the algorithm \(\mathcal {C}\) for solving the DDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},q,g,g^{x},g^{y},Z_{2}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h =g^{\alpha },H_{1},H_{2}\right)\), Pk_{O}=g^{x}, Pk_{R}=g^{y} and (Pk_{S},Sk_{S})=(h^{t},t). It then sends pp to \(\mathcal {A}\).
Phase 1: Same as in Theorem 1.
Challenge: \(\mathcal {A}\) completes multiple queries on the above research. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly select a number s_{i} and a bit \(\hat {b} \in \{0,1\}\). Then, \(\mathcal {C}\) returns a trapdoor set \(\vec T_{{w_{\hat {b}}}^{*}}= \left (T_{{w_{\hat {b},1}}^{*}},\dots, T_{{w_{\hat {b},n}}^{*}}\right)\) where \(T_{{1w_{\hat {b},i}}^{*}} = h^{ts_{i}}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\).
Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w_{i} except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).
Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). He returns b^{′}=0 if \(\hat {b^{\prime }} = \hat {b}\), b^{′}=1 otherwise.
If the guess of challenging public key is incorrect, \(\mathcal {C}\) will abort. This event will be represented by E. If \(\mathcal {B} \) aborts, \(\mathcal {C}\) outputs a random bit. The probability that it being equal to b is 1/2. According to the random guess of b, the termination probability of E is \(\frac {1}{q_{E}\left (q_{E} 1 \right)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}\left (q_{E} 1 \right)}\).
Othervise, \(\mathcal {C}\) does not abort. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and Z_{2}=g^{xy}, an adversary \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{MTP}(\kappa) + \frac {1}{2}\). If Z_{2} is randomly chosen from the group \(\mathbb {G}_{2}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\) will be a random element of \(\mathbb {G}_{2}\). Therefore, the challenge trapdoor tuple hides \(\hat {b}\) completely. In this case, the adversary can test the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and the ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\). When the keywords are equal, the test algorithm outputs 1. Thus, the advantage for \(\mathcal {C}\) in solving DDH problem is equal to the advantage in Theorem 1.
Theorem 3
Under the assumption of DBDH, our scheme satisfies designated testability.
Proof Assume that \(\mathcal {A}\) is an attacker who tries to crack the designated testability and the challenger \(\mathcal {C}\) wants to solve DBDH problem. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,h,h^{x},h^{y},h^{z},Z_{3}\right)\), the algorithm \(\mathcal {C}\) works as follows.
Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = (\mathbb {G}_{1}, \mathbb {G}_{2}, q\), \(\hat {e}\), h, H_{1}, H_{2}, g=h^{x}), (Pk_{O},Sk_{O})=(g^{s},s), (Pk_{R},Sk_{R})=(g^{t},t) and Pk_{S}=h^{z}. It then sends pp to \(\mathcal {A}\).
Phase 1: Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) and Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) are same in Theorem 1. We only define Exact Oracle \(\mathcal {O}_{E}\) as follows.

Exact Oracle \(\mathcal {O}_{E}\): Given Pk expect Pk_{S}, the algorithm \(\mathcal {C}\) returns Sk.
Frist \(\mathcal {A}\) performs multiple queries on the above oracle. It selects two challenge keywords \( w_{0}^{*}\) and \(w_{1}^{*}\). Then \(\mathcal {A}\) returns \((w_{0}^{*}, w_{1}^{*})\) to \(\mathcal {C}\) together with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) selects a number \(y \in _{R} \mathbb {Z}_{q}\) and a bit \(\hat {b} \in _{R} \{0,1\}\), and outputs \(\phantom {\dot {i}\!}C_{{w_{\hat {b}}}^{*} }= \left (C_{{1w_{\hat {b}}}^{*}}, C_{{2w_{\hat {b}}}^{*}}, C_{{3w_{\hat {b}}}^{*}}\right)\) where \(C_{{1w_{\hat {b}}}^{*}} = h^{y}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b}}}^{*}} = Z_{3}^{stb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b}}}^{*}} = g^{yk}\).
Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w_{i} except w_{i}∈{w_{0},w_{1}}.
Guess: The adversary \(\mathcal {A}\) transmits its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b^{′}=0 if \(\hat {b^{\prime }} = \hat {b}\), b^{′}=1 otherwise. If the simulation provided by algorithm \(\mathcal {C}\) is the same as \(\mathcal {A}\) in real attack and \(Z = \hat {e}(h,h)^{xyz}\), \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{DT}(\kappa) + \frac {1}{2}\). If Z is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z^{Sk_{S}H_{2}(w)}\) is a well distributed challenge ciphertext. And \(\mathcal {A}\) has a 1/2 probability of winning the game. Thus, \(\mathcal {C}\)’s advantage in solving DBDH problem is
Perfomance analysis
In this section, we analyze the performance of our scheme and the existing schemes(PAKES scheme [8], dIBAEKS scheme [12], SCFPEKS scheme [3], dPEKS scheme [4] and PanLi’s scheme [10]) in terms of computational and communication overheads. Moreover, we analyze the security between these PEKS schemes in MCI, MTP and security against KGA.
To evaluate the efficiency, we implemented the operations in our schemes using the MRACL library [37] on a personal notebook computer with an I78750H 2.20GHz processor, 16 GB memory, and Window 10 operating system.
First, we give the elapsed time of main operations used in searchable encryption schemes in Table 2. Main operations are pairing operation P, Hashtopoint operation H_{p}, modular exponentiation E and multiplication operation M in G_{1}, where P≈H_{p}>M>E≫H. The general hash operation takes less time than the above operations in Table 2. Thus, it is ignored in our computation analysis.
From Table 3, we give a theoretical efficiency comparison in computational time and communication complexity of PEKS algorithm, Trapdoor algorithm, and Test algorithm of our scheme and previous schemes [3, 4, 8, 10, 12]. In terms of computational efficiency, compared with other algorithms, PEKS and trapdoor algorithms are more efficient without using hashtopoint operation. Among the Test algorithms, our scheme is slightly weaker than other schemes, because it adds the designated testability to ensure that only the specified server can perform search operations. In terms of communication efficiency, our efficiency is basically the same as other schemes. Figs. 2, 3 and 4 demonstrate the practical performance of PEKS algorithm, Trapdoor algorithm, and Test algorithm, respectively.
As shown in Fig. 2, the computation cost to encrypt the keywords is lower than the three schemes [3, 4, 12] and is similar to that of Huang et al.’s scheme [8] and Pan and Li’s scheme [10]. For the efficiency of trapdoor algorithm, Fig. 3 illustrates that the trapdoor algorithm in our scheme runs much faster than that in all schemes [3, 4, 8, 10, 12] because our trapdoor algorithm performs no pairing and Hashtopoint operations. In Fig. 4, the computation complexity in our scheme is higher than Baek et al.’s scheme [3] and is not worse than other four schemes. To ensure that the userside algorithms (Trapdoor and PEKS algorithms) have higher security and efficiency, we add the server’s private key to the test algorithm for stronger security, thus the efficiency of the server’s Test algorithm is compromised.
Moreover, Table 4 illustrates the security comparison including MCI security, MTP security, Inside KGA, and Requirement for the secure channel between our scheme and these existing schemes. As shown in Table 4, Huang et al.’ s scheme [8] can resist inside KGA, but it needs a secure channel and cannot provide MCI security. Li et al.’s scheme [12], Baek et al.’s scheme [3] and Rhee et al.’s scheme [4] can provide MCI security but not guarantee MTP and security against KGA. Pan and Li’s scheme [10] is able to resist inside KGA and have MTP security but cannot satisfy MCI security. Our scheme satisfies MCI, MTP and security against inside KGA.
Conclusion
In this paper, we first analyze the security of Li et al.’s scheme and propose a multitrapdoor attack against it. Next, we construct a secure publickey searchable encryption scheme with designated server based on DiffieHellman problem. It is proved that our scheme can provide multiciphertext indistinguishability, multitrapdoor privacy security and designated testability. Then we compare our scheme with others in terms of communication cost and computational cost. The results show that our scheme is more efficient in keyword ciphertext and trapdoor algorithms. However, our scheme can not prevent the server from executing the multitrapdoor attack since the server can construct a certain equation by his private key to obtain the relationship of multiple trapdoors. As our future work, we will explore achieving multitrapdoor privacy of keywords for the inside servers.
Availability of data and materials
The datasets used during the current study are available from the corresponding author on reasonable request.
References
Boneh D, Di Crescenzo G, Ostrovsky R, Persiano G (2004) Public Key Encryption with Keyword Search. Springer, Heidelberg.
Byun JW, Rhee HS, Park HA, Lee DH (2006) Offline Keyword Guessing Attacks on Recent Keyword Search Schemes over Encrypted Data. Springer, Heidelberg.
Baek J, SafaviNaini R, Susilo W (2008) Public Key Encryption with Keyword Search Revisited. Springer, Heidelberg.
Rhee HS, Park JH, Susilo W, Lee DH (2010) Trapdoor security in a searchable publickey encryption scheme with a designated tester. J Syst Softw 83(5):763–771. https://doi.org/10.1016/j.jss.2009.11.726.
BingJian W, TzungHer C, FuhGwo J (2011) Security improvement against malicious server’s attack for a dpeks scheme. Int J Inf Educ Technol 1(4):350–353.
Tang Q, Chen L (2009) Publickey Encryption with Registered Keyword Search. Springer, Heidelberg.
Chen R, Mu Y, Yang G, Guo F, Wang X (2015) Dualserver publickey encryption with keyword search for secure cloud storage. IEEE Trans Inf Forensic Secur 11(4):789–798. https://doi.org/10.1109/TIFS.2015.2510822.
Huang Q, Li H (2017) An efficient publickey searchable encryption scheme secure against inside keyword guessing attacks. Inf Sci 403:1–14. https://doi.org/10.1016/j.ins.2017.03.038.
Qin B, Chen Y, Huang Q, Liu X, Zheng D (2020) Publickey authenticated encryption with keyword search revisited: Security model and constructions. Inf Sci 516:515–528. https://doi.org/10.1016/j.ins.2019.12.063.
Pan X, Li F (2021) Publickey authenticated encryption with keyword search achieving both multiciphertext and multitrapdoor indistinguishability. J Syst Archit 115:102075. https://doi.org/10.1016/j.sysarc.2021.102075.
Cheng L, Meng F (2021) Security analysis of pan et al.’s “publickey authenticated encryption with keyword search achieving both multiciphertext and multitrapdoor indistinguishability”. J Syst Archit 119:102248. https://doi.org/10.1016/j.sysarc.2021.102248.
Li H, Huang Q, Shen J, Yang G, Susilo W (2019) Designatedserver identitybased authenticated encryption with keyword search for encrypted emails. Inf Sci 481:330–343. https://doi.org/10.1016/j.ins.2019.01.004.
Abdalla M, Bellare M, Catalano D, Kiltz E, Kohno T, Lange T, MaloneLee J, Neven G, Paillier P, Shi H (2005) Searchable encryption revisited: Consistency properties, relation to anonymous ibe, and extensions In: Annual International Cryptology Conference, 205–222.. Springer, Berlin, Heidelberg.
Rhee HS, Susilo W, Kim HJ (2009) Secure searchable public key encryption scheme against keyword guessing attacks. IEICE Electron Express 6(5):237–243. https://doi.org/10.1587/elex.6.237.
Fang L, Susilo W, Ge C, Wang J (2013) Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inf Sci 238:221–241. https://doi.org/10.1016/j.ins.2013.03.008.
Rhee HS, Park JH, Lee DH (2012) Generic construction of designated tester publickey encryption with keyword search. Inf Sci 205:93–109. https://doi.org/10.1016/j.ins.2012.03.020.
Emura K, Miyaji A, Rahman MS, Omote K (2015) Generic constructions of securechannel free searchable encryption with adaptive security. Secur Commun Netw 8(8):1547–1560. https://doi.org/10.1002/sec.1103.
Chen R, Mu Y, Yang G, Guo F, Huang X, Wang X, Wang Y (2016) Serveraided public key encryption with keyword search. IEEE Trans Inf Forensic Secur 11(12):2833–2842. https://doi.org/10.1109/TIFS.2016.2599293.
Zhou Y, Xu G, Wang Y, Wang X (2016) Chaotic mapbased timeaware multikeyword search scheme with designated server. Wirel Commun Mob Comput 16(13):1851–1858. https://doi.org/10.1002/wcm.2656.
Chen YC (2015) Speks: Secure serverdesignation public key encryption with keyword search against keyword guessing attacks. Comput J 58(4):922–933.
Xu P, Jin H, Wu Q, Wang W (2012) Publickey encryption with fuzzy keyword search: A provably secure scheme under keyword guessing attack. IEEE Trans Comput 62(11):2266–2277. https://doi.org/10.1109/TC.2012.215.
Wang Ch, Tu Ty (2014) Keyword search encryption scheme resistant against keywordguessing attack by the untrusted server. J Shanghai Jiaotong Univ (Sci) 19(4):440–442. https://doi.org/10.1007/s1220401415226.
He D, Ma M, Zeadally S, Kumar N, Liang K (2017) Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE Trans Ind Inform 14(8):3618–3627. https://doi.org/10.1109/TII.2017.2771382.
Wu L, Zhang Y, Ma M, Kumar N, He D (2019) Certificateless searchable public key authenticated encryption with designated tester for cloudassisted medical internet of things. Ann Telecommun 74(7):423–434. https://doi.org/10.1007/s12243018007017.
Chen X (2020) Publickey authenticate encryption with keyword search revised: ∖probabilistic trapgen algorithm. IACR Cryptol ePrint Arch 2020:1211.
He D, Ma M, Zeadally S, Kumar N, Liang K (2017) Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE Trans Ind Inform 14(8):3618–3627. https://doi.org/10.1109/TII.2017.2771382.
Wu L, Zhang Y, Ma M, Kumar N, He D (2019) Certificateless searchable public key authenticated encryption with designated tester for cloudassisted medical internet of things. Ann Telecommun 74(7):423–434. https://doi.org/10.1007/s12243018007017.
Pakniat N, Shiraly D, Eslami Z (2020) Certificateless authenticated encryption with keyword search: Enhanced security model and a concrete construction for industrial iot. J Inf Secur Appl 53:102525. https://doi.org/10.1016/j.jisa.2020.102525.
Lu Y, Wang G, Li J (2019) Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement. Inf Sci 479:270–276. https://doi.org/10.1016/j.ins.2018.12.004.
Noroozi M, Eslami Z (2019) Public key authenticated encryption with keyword search: revisited. IET Inf Secur 13(4):336–342. https://doi.org/10.1049/ietifs.2018.5315.
Wu L, Chen B, Zeadally S, He D (2018) An efficient and secure searchable public key encryption scheme with privacy protection for cloud storage. Soft Comput 22(23):7685–7696. https://doi.org/10.1007/s0050001832248.
Chen X (2020) Certificateless publickey authenticate encryption with keyword search revised: Mci and mtp. IACR Cryptol ePrint Arch 2020:1230.
Qin B, Cui H, Zheng X, Zheng D (2021) Improved security model for publickey authenticated encryption with keyword search In: International Conference on Provable Security, 19–38.. Springer, Cham.
Wang P, Xiang T, Li X, Xiang H (2020) Public key encryption with conjunctive keyword search on lattice. J Inf Secur Appl 51:102433. https://doi.org/10.1016/j.jisa.2019.102433.
Zhang X, Tang Y, Wang H, Xu C, Miao Y, Cheng H (2019) Latticebased proxyoriented identitybased encryption with keyword search for cloud storage. Inf Sci 494:193–207. https://doi.org/10.1016/j.ins.2019.04.051.
Blake IF, Seroussi G, Smart NP (2005) Advances in Elliptic Curve Cryptography vol. 317. Cambridge University Press, Cambridge.
MIRACL (2021) The MIRACL Core Cryptographic Library. https://github.com/miracl/core/. Accessed 28 Nov 2021.
Acknowledgements
The authors would like to thank the anonymous reviewers for their insightful comments and suggestions on improving this paper.
Funding
This work is supported by the National Natural Science Foundation of China(No.61702153, No.61972124) and the Natural Science Foundation of Zhejiang Province (No.LY19F020021).
Author information
Authors and Affiliations
Contributions
Authors’ contributions
This research paper was completed by the joint efforts of five authors. Therefore, any author participates in every part of the paper. But the basic roles of each author are summarized as follows: J.G. is the designer of the proposed model and method. L.H. is the corresponding author and the coordinator of the group, assisting J.G. in model design. G.Y. is the implementer and tester of the algorithm. X.L. is the main reviewer of this paper. C.T. is responsible for the experiment of the proposed method. All authors have read and agreed to the published version of the manuscript.
Authors’ information
Junling Guo is a postgraduate in Cyberspace Security at School of Information Science and Technology, Hangzhou Normal University, China. His research interests include searchable encryption and public key cryptography.
Lidong Han received his Ph.D. degree from school of mathematics in Shandong university in 2010. Currently, he is working at Key Laboratory of Cryptography Technology of Zhejiang Province, and School of Information Science and Technology, Hangzhou Normal University. His research interests include cryptography, cloud computing, and remote user authentication.
Guang Yang is a postgraduate in Cyberspace Security at School of Information Science and Technology, Hangzhou Normal University, China. His research interests include data integrity, searchable encryption and publickey cryptography.
Xuejiao Liu received the BS, MS and PhD degrees in computer science from Huazhong Normal University, Wuhan, China. Now she is an associate professor in Hangzhou Normal University, Hangzhou, China. Her research interests cover network security, cloud security, security of Internet of vehicle and etc.
Chengliang Tian received the B.S. and M.S. degrees in mathematics from Northwest University, Xi’an, China, in 2006 and 2009, respectively, and the Ph.D. degree in information security from Shandong University, Jinan, China, in 2013. He held a postdoctoral position with the State Key Laboratory of Information Security, Institute of Information Engineering, Chinese Academy of Sciences, Beijing. He is currently with the College of Computer Science and Technology, Qingdao University, as an Associate Professor. His research interests include latticebased cryptography, cloud computing security and privacypreserving technology.
Corresponding author
Ethics declarations
Ethics approval and consent to participate
Not applicable.
Consent for publication
Not applicable.
Competing interests
The authors declare that they have no competing interests.
Additional information
Publisher’s Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Open Access This article is licensed under a Creative Commons Attribution 4.0 International License, which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons licence, and indicate if changes were made. The images or other third party material in this article are included in the article’s Creative Commons licence, unless indicated otherwise in a credit line to the material. If material is not included in the article’s Creative Commons licence and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder. To view a copy of this licence, visit http://creativecommons.org/licenses/by/4.0/.
About this article
Cite this article
Guo, J., Han, L., Yang, G. et al. An improved secure designated server public key searchable encryption scheme with multiciphertext indistinguishability. J Cloud Comp 11, 14 (2022). https://doi.org/10.1186/s13677022002875
Received:
Accepted:
Published:
DOI: https://doi.org/10.1186/s13677022002875
Keywords
 Searchable encryption
 Keyword guessing attack
 Multiciphertext indistinguishability
 DiffieHellman problem
 Multitrapdoor privacy