Hierarchical Identity-Based Authenticated Encryption with Keyword Search over encrypted cloud data

With the rapid development of cloud computing technology, cloud storage services are becoming more and more mature. However, the storage of sensitive data on remote servers poses privacy risks and is presently a source of concern. Searchable Encryption (SE) is an effective method for protecting sensitive data while preserving server-side searchability. Hierarchical Public key Encryption with Keyword Search (HPEKS), a new variant of SE, allows users with higher access permission to search over encrypted data sent to lower-level users. To the best of our knowledge, there exist only four HPEKS schemes in the literature. Two of them are in traditional public-key setting, and the remaining ones are identity-based public key cryptosystems. Unfortunately, all of the four existing HPEKS schemes are vulnerable against inside Keyword Guessing Attacks (KGAs). Moreover, all of the existing HPEKS schemes are based on the computationally expensive bilinear pairing operation which dramatically increases the computational costs. To overcome these issues, in this paper, we introduce the notion of Hierarchical Identity-Based Authenticated Encryption with Keyword Search (HIBAEKS). We formulate a security model for HIBAEKS and propose an efficient pairing-free HIBAEKS scheme. We then prove that the proposed HIBAEKS scheme is secure under the defined security model and is resistant against KGAs. Finally, we compare our proposed scheme with related constructions regarding security requirements, computational and communication costs to indicate the overall superiority of our proposed scheme.


Introduction
Cloud storage technology has received extensive attention in recent years due to advantages like unlimited storage space, data shareability, low cost, and high service availability.Consequently, many enterprises and individual users prefer to store their data on the cloud storage server over the internet.Upon outsourcing over cloud, users naturally lose their complete control over data, and consequently, the security and privacy of their outsourced data become dependent on the cloud server's security.However, a cloud server can not be completely trusted and additional steps must be taken to guarantee the privacy of users' data.A naive approach towards achieving privacy would be to apply some form of encryption before uploading.However, this technique would bring up search complications on ciphered data.In order to circumvent this problem, the notion of Searchable Encryption (SE) can be used, which simultaneously enables search over encrypted data and protects data confidentiality [1].An SE scheme involves three types of entity in its basic setup, data senders, data receivers, and cloud server.A data sender needs to outsource a collection of documents and related keywords to the cloud server.To do so, it produces ciphertext and searchable ciphertexts for each document and its keywords, respectively, and outsources them to the server.A data receiver, aiming to retrieve documents containing a specific keyword, creates a trapdoor for the keyword and submits it to the server.Upon receipt of a trapdoor, the cloud server conducts a search operation on the data receiver's searchable ciphertexts to find documents that contain the corresponding keyword.Figure 1 shows a typical network architecture of a SE scheme.

Related works
To incorporate keyword search functionality in the asymmetric cryptography setting Boneh et al. [2] defined the concept of Public key Encryption with Keyword Search (PEKS) and proposed a PEKS scheme.In 2008, Baek et al. [3] discovered that the PEKS model proposed by Boneh et al. requires a secure communication channel for transmitting search trapdoors.To address this issue, the authors introduced the concept of Secure Channel-Free PEKS (SCF-PEKS).Byun et al. [4] noticed that in practical applications the keyword space is typically small and introduced a new attack named Keyword Guessing Attack (KGA).In a KGA, after obtaining a trapdoor, an adversary produces searchable ciphertexts corresponding to each potential keyword.Subsequently, the adversary verifies these ciphertexts against the provided trapdoor using the publicly available Test algorithm.Consequently, through the execution of this attack, an adversary may accurately obtain the corresponding keyword to the given trapdoor uniquely.In 2010, to achieve security against KGA, Rhee et al. [5] introduced the concept of designated-server PEKS (dPEKS) and proposed the first dPEKS scheme.The authors also introduced the concept of trapdoor-indistinguishability and proved that trapdoor-indistinguishability is a sufficient condition for thwarting KGAs.Roughly speaking, trapdoor-indistinguishability means that it should be infeasible for any Probabilistic Polynomial-Time (PPT) attacker to differentiate between the trapdoors associated with two different keywords.Afterwards, many dPEKS schemes have been proposed in the literature [6,7]; unfortunately, these schemes are unable to withstand KGA launched by inside adversaries.In order to prevent this type of KGA, Li et al. [8] presented a chaos-based PEKS scheme by employing the key establishment in PEKS.However, Noroozi et al. [9] showed that an inside adversary is able to perform a KGA against Li et al. 's PEKS scheme.After that, in [10], Huang and Li defined the concept of Public key Authenticated Encryption with Keyword Search (PAEKS) by formalizing the idea of [8].In contrast to a dPEKS scheme, in a PAEKS scheme, a data sender is equipped with a pair of public and private keys and generates the searchable ciphertexts using the data receiver's public key and his own private key.The data receiver also employs Fig. 1 A typical network architecture of SE his private key and data sender's public key for trapdoor generation.Therefore, this concept guarantees that neither inside nor outside adversaries can generate searchable ciphertexts corresponding to the guessed keywords, thereby preventing the launch of KGAs.The authors of [11] observed that Huang and Li's security model is not suitable for multi-user environments and defined an improved security model.Recently, Qin et al. [12] further improved the PAEKS's security model presented in [11] and proposed a new PAEKS scheme secure in their proposed model.In the subsequent works [13][14][15], many other PAEKS schemes have been proposed.
The above-mentioned PEKS schemes have all been deployed on PKI, and thus suffer from the complicated certificate management problem.To tackle this matter, Abdalla et al. [16] defined the concept of Identity-Based Encryption with Keyword Search (IBEKS).Several IBEKS schemes have been proposed [17,18] inspired by the work of [16].However, these schemes require a secure channel for transmitting search trapdoors, and consequently they are not secure against outside KGA.To resist outside KGA on IBEKS, Wu et al. [19] introduced the concept of designated-tester IBEKS (dIBEKS) and proposed the first dIBEKS scheme.Later, [20,21] proposed two other dIBEKS schemes; however, Noroozi et al. [22] proved that none of these three schemes provide ciphertext-indistinguishability against inside adversaries.To resist inside KGA on IBEKS, Li et al. [23] expanded PAEKS into the identity-based setting and proposed an Identity-Based Authenticated Encryption with Keyword Search (IBAEKS) scheme.Afterwards, some other PEKS schemes are proposed in the identity-based cryptography and related settings.The intersested reader is referred to [24][25][26][27][28][29][30][31][32] for more details.
Unfortunately, the PEKS frameworks mentioned above become impractical in the large multi-receiver setups which are organized via a hierarchical structure among their users.In this structure, a user with higher access permission (according to his corresponding role and responsibility) should be able to monitor data used by its lower-level users in the hierarchy.To add support for such access permissions in PEKS, Wang et al. [33] defined the concept of Hierarchical IBEKS (HIBEKS).They also proposed a HIBEKS scheme and claimed that it provides the security against offline KGAs launched by outside adversaries.However, it can be easily proven that their scheme can not resist outside offline KGAs. 1n 2020, Li et al. [34] defined the concept of designatedserver Hierarchical PEKS (dHPEKS) based on a multiway tree of the users' hierarchical structure called the public key tree.Then, they defined a security model for dHPEKS and presented a dHPEKS scheme with provable security under their model.In 2021, Liu et al. [35] used a distributed Two-Trapdoor Public-key cryptosystem [36] to construct another dHPEKS scheme which also utilizes a public key tree structure to enable the monitoring function for the data receivers.Nevertheless, these dHPEKS schemes are built on PKI, and therefore face the intractable certificate management problem.To overcome these limitations, recently, Shiraly et al. [37] introduced the concept of designated-tester Hierarchical IBEKS (dHI-BEKS) and defined a security model for dHIBEKS.They have additionally put forth a dHIBEKS scheme and have provided a proof of its security under the defined model.In a dHIBEKS scheme, the identity of a user is represented as a hierarchical tree structure and a user with IDtuple which has higher access permission than the data receiver with IDtuple (ID 1 , • • • , ID t ) , is able to compute the data receiver's private key and therefore search over the data receiver's ciphertexts.

Motivation and contribution
The large multi-receiver setups which gain the greatest advantages from searchable encryption technology, often support a hierarchical structure among their users.Examples include office automation systems within enterprises or governments that generate a substantial volume of messages on a daily basis.In this hierarchical structure, higher-layer users should possess the privilege to monitor lower-layer users to ascertain compliance with established regulations.To add support for such access permissions in PEKS, several HPEKS schemes have been proposed in the literature.As explained in prvious section, there exist only two dHPEKS schemes (i.e., [34] and [35]), one HIBEKS scheme (i.e., [33]), and one dHIBEKS scheme (i.e., [37]) in the literature.However, the same as other PEKS/dPEKS schemes, none of these schemes provide security against KGAs launched by the inside adversaries.
Another drawback of the existing PEKS schemes in the hierarchical setting is that they are based on computationally expensive bilinear pairing operations, resulting in a significant decrease in the efficiency of these schemes.To address these issues, in this paper: -We define the notion of Hierarchical Identity-Based Authenticated Encryption with Keyword Search (HIBAEKS).-We present the security model of HIBAEKS.
-We propose a concrete pairing-free HIBAEKS scheme.-We prove the security of the proposed scheme in the given security model under the intractability assumption of GDH problem.-We conduct a comparison between the proposed scheme with the related ones to demonstrate its overall superiority.

Paper organization
In Preliminaries section, we review the preliminary materials of the paper.In Definition and security model of HIBAEKS section we define the concept of HIBAEKS and its security model.The proposed HIBAEKS scheme is provided in The proposed HIBAEKS scheme section.
We prove the security of the proposed HIBAEKS scheme in Security analysis section and analyze its performance in Performance analysis section.We provide the paper's conclusion in Conclusion and future works section.

Preliminaries
In this section, we present concise overview of some preliminary materials.Let G denote an additive cyclic group of prime order q, and P denote a generator of G.With this setup, the CDH, DDH, and GDH problems are defined as follows: Definition 1 Computational Diffie-Hellman (CDH) problem: Given P, xP, yP , where x, y are selected from Z * q at random, compute C = xyP.
Definition 2 Decisional Diffie-Hellman (DDH) problem: Given P, xP, yP, zP , where x, y, z are selected from Z * q at random, determine whether z is equal to xy ∈ Z * q or is a random element of Z * q .
Definition 3 Gap Diffie-Hellman (GDH) problem: Given P, xP, yP , where x, y are selected from Z * q at random, compute C = xyP with the help of O DDH which denotes an oracle that solves DDH (i.e., on input of (aP, bP, C) , O DDH outputs 1 if C = abP and 0 otherwise) [38].

Definition and security model of HIBAEKS
In this section, we define the system model and security requirements of a HIBAEKS scheme.The general architecture of the hierarchical structure among the system users in a HIBAEKS scheme is depicted in Fig. 2. Here, users have a hierarchical structure according to their corresponding identities.At the top of the hierarchy, the root PKG generates the private key of the users in the first layer of hierarchy and send it to them.Each other user of the hierarchy would generate the private keys of their child users (if there is any) by using its private key and send the results to them.

The definition
Formally, a HIBAEKS scheme includes five PPT algorithms as follows.
-Setup: The root PKG performs this algorithm.On input of a security parameter , it outputs the public parameters prms, which will be an implicit input to other algorithms, and the master secret key msk.-KeyGen: The root PKG or a lower-level PKG with ID-tuple and the private key s ID| t of the ancestor of ID| t+1 (if t = 1 , then s ID| t = msk ) as input, it outputs s ID| t+1 as the private key of the user with ID-tuple ID| t+1 .-HIBAEKS: The data owner with ID-tuple Taking ID-tuple ID| t and the private key s ID| t of the data owner, the data receiver's ID-tuple and a keyword w as input, this algorithm outputs a searchable ciphertext C w .
-Trapdoor: The data receiver with ID-tuple or one of his ancestors performs this algorithm.Taking ID-tuple ID ′ | t ′ and the private key of the receiver or his ancestor that runs this algorithm of the data owner and a key- word w ′ as input, this algorithm outputs a trapdoor T w ′.
-Test: The server performs this algorithm.Taking IDtuple the data receiver, a searchable ciphertext C w , and a trapdoor T w ′ as input, this algorithm outputs ⊤ if w = w ′ and ⊥ otherwise.

The security model
A security model of HIBAEKS should consider the indistinguishability of both the ciphertexts and the trapdoors.The followings show the details of the provided security model for HIBAEKS schemes.

Ciphertext-Indistinguishability
Let be a HIBAEKS scheme.The following game formally defines ciphertext-indistinguishability of against a PPT adversary A. -

The advantage of A is defined as
Fig. 2 The general hierarchical structure of a HIBAEKS scheme (for simplicity, we assume that each user has m child users)

Definition 4 A HIBAEKS scheme satisfies ciphertext-indistinguishability if for any PPT attacker A , Adv indC
A, is negligible.

Trapdoor-indistinguishability
Let be a HIBAEKS scheme.The following game formally defines trapdoor-indistinguishability of against a PPT adversary A.
Game II: The Game II, conducted between A and the challenger C , comprises the following phases:

Remark 1
As it is proven in [5], the notion of trapdoor-indistinguishability is a sufficient condition for thwarting KGAs.

The proposed HIBAEKS scheme
In the following, we present our proposed HIBAEKS scheme.
-Setup: Given a security parameter , the root PKG: 1. Chooses a cyclic group G with prime order q > 2 .

Chooses four cryptographic hash functions
q as the master secret key, and computes P pub = sP as the master public key.4. Secures s and publishes the system parameters prms = G, q, P, P pub , h, h 1 , h 2 , h 3 which also will be an implicit input to all other algorithms.
-KeyGen (or Lower-level Setup): Through this algorithm and on input of the ID-tuple ) and the private key of the ancestor of ID| t+1 , i.e., s ID| t (note that if t = 1 , then s ID| t = s ), the root PKG or a lower-level PKG: 1. Computes 2. Sends s ID| t+1 , R ID| t+1 securely to the user with ID-tuple ID| t+1 .
-HIBAEKS: Through this algorithm and on input of the data owner's ID-tuple and his secret key s ID| t , the receiver's ID-tuple and a keyword w, the data owner: 1. Chooses r ∈ Z * q at random and computes C 1 = rP.

Computes
The hash functions utilized in our paper can be generated from any cryptographically secure hash function.Let H represent a cryptographically secure hash function (e.g., SHA) that takes variable length binary strings as input and outputs binary strings of length l bits, where 2 l < q .Under these assumptions, the hash functions employed in our scheme can be easily instantiated from H by converting the various components of their inputs into binary strings, concatenating them together to form the inputs of H , and utilizing the output of H as an integer modulo q as their respective out- puts.
-Trapdoor: Through this algorithm and on input of the data owner's ID-tuple , the ID-tuple correspond- ing to the receiver or one of his ancestors i and the corresponding secret key s ID ′ | i , and a keyword w, the data receiver or that ancestor of him who performs this algorithm: 1.If the receiver is not the one that performs this algorithm, then uses s ID ′ | i step by step down and com- putes s ID ′ | t ′ as specified in the KeyGen algorithm.

Computes K
Sends the trapdoor T to the server.
-Test: The server outputs ⊤ if the following equation holds; else, ⊥ .
In the following, we show that the proposed HIBAEKS scheme works correctly.
Theorem 1 Assume that C = (C 1 , C 2 ) is the searchable ciphertext of the keywords w and let T be the trapdoor for w ′ .Then, w = w ′ , the output of the Test algorithm on C and T would be ⊤.

Proof
To prove this theorem, first note that Now, we show that if w = w ′ then, C 2 = h 2 (T , C 1 )C 1 and as a consequence, the Test algorithm outputs ⊤ on input of C and T.

Instantiation of the scheme
Consider a scenario wherein a data sender with ID-tuple ID| 2 = (ID 1 , ID 2 ) at level 2 wants to send a document to the data receiver with ID-tuple at level 2 situated in a different branch of the user's hierarchy.To do so, for each keyword w of the document, the data sender chooses r ∈ Z * q at random and computes C 1 = rP .It computes )P , and sends the searchable ciphertext C = (C 1 , C 2 ) to the server.
On the other side, the data receiver with ID-tuple or its parent with ID-tuple ID ′ | 1 = (ID ′ 1 ) in the user's hierarchy wants to genetate a valid trapdoor for a keyword w ′ .The data receiver or its parent com- putes ) , and sends it to the server.Finally, the server returns ⊤ if the equation C 2 = h 2 (T , C 1 )C 1 holds; otherwise, it returns ⊥ .The parent of the data receiver (i.e., the user with identity ) ) could also search over its child documents by first computing the secret key and then pro- ceeding in the same way as its child.

Security analysis
Let =(Setup, KeyGen, HIBAEKS, Trapdoor, Test) be the scheme of The proposed HIBAEKS scheme section.In what follows, we provide Theorems 2 and 3 to prove that preserves ciphertext and trapdoor-indistinguishability as defined in Definitions 4 and 5. Based on Theorem 3 in this paper and Theorem 5 in [5], we can conclude that our proposed scheme provides security against KGAs launched by both outside/inside adversaries.This is stated in Theorem 4.

Proof Assume the existence of an adversary A against , capa- ble of winning game I by a non-negligible advantage ǫ (i.e., Adv indC
A,� = ǫ ).We show how a PPT algorithm B can use A to solve GDH problem with an advantage , where A can makes q h queries to the oracle h on different ID-tuples and l is the maximum hierarchical level.As a result, we can conclude that ǫ should be negligible.
Given a GDH problem instance P, xP, yP , B operates as follows.
Initialization.B executes Setup( ) as specified in the proposed scheme with the exception of setting P pub = xP .For i ∈ [1, 2, . . . ,l] , B randomly selects indices l i , l ′ i ≤ q (l i = l ′ i ) corresponding to the chal- lenge ID-tuple of data owner and data receiver, respectively.Then, B sends prms to A. Phase 1. Below is a description of the queries that A can make and how B responds to them.B must maintain the following initial empty lists in order to consistently answer to queries: L, L 1 , L 2 , L 3 and L key .
-Queries to h: On input of R ID| i , ID| i to this ora- cle, B searches L to find the entry ID| i , R ID| i , h and returns h if such a tuple exists.Otherwise, it chooses h ∈ Z * q randomly, inserts ID| i , R ID| i , h to L and returns h to A.
-Queries to h 1 : On input of ID| t , K ′ , ID ′ t ′ , K , g, w to this oracle, B checks the output of DDH oracle on xP, yP, g .If the DDH oracle outputs 1, it returns g as the solution of the GDH problem and concludes its execution.Otherwise, it searches L 1 for the entry ID| t , K ′ , ID ′ | t ′ , K , g, w, h 1 .If no such a tuple exists, B selects h 1 ∈ Z * q randomly and adds ID| t , K ′ , ID ′ | t ′ , K , g, w, h 1 to L 1 .In both cases, B outputs h 1 .
-Queries to h 2 : On input of (T , C 1 ) to this oracle, B searches L 2 for the entry (T , C 1 , h 2 ) .If no such a tuple exists, it selects h 2 ∈ Z * q randomly and adds (T , C 1 , h 2 ) to L 2 .It returns h 2 in both cases.
-Queries to h 3 : On input of s ID| t−1 , ID| t to this ora- cle, B searches L 3 for the entry s ID| t−1 , ID| t , h 3 .If no such an entry is found, it chooses h 3 ∈ Z * q randomly and adds s ID| t−1 , ID| t , h 3 to L 3 .In both cases, it returns h 3 .
-Queries to ExtSK: On input of (ID| t ) to this oracle, B searches L key to find the tuple 2. searches L key to find the entry with the maximum value of n j .If no such a tuple exists, searches L to find the entry Then, it adds and ⊥, ID| j , ⊥ to L key , L and L 3 , respec- tively.
it chooses h, s ID| j ∈ Z * q randomly and computes R ID|j = s ID|j P − hxP .Then, it adds the tuples q randomly and computes R ID| j = yP − hyP .Then, it adds the tuples q randomly and computes R ID| j = s ID| j P − hyP .Then, it adds ID| j , R ID| j , h and ⊥, ID| j , ⊥ to L key , L and L 3 , respectively.
• If at least one of the inequalities -Queries to HIBAEKS: On input of ID| t , ID ′ | t ′ , w to this oracle, B • obtains q randomly and sets C 1 = rP .
• If ) respectively, and sets If no such a tuple is found, it chooses h 1 ∈ Z * q randomly and adds -Queries to Trapdoor: The same as what we have in the proof of Theorem 2, here too B can correctly guesses a challenge owner ID- tuple and a challenge data receiver's ID-tuple with probability l 2 q h (q h − l) . Due to that h 1 is viewed as a random oracle, it can be deduced that the advantage of A in guessing b would be negligible except if

Theorem 4
The HIBAEKS scheme proposed in The proposed HIBAEKS scheme section provides security against KGA launched by both outside and inside adversaries.

Proof
Theorem 3 proves that the HIBAEKS scheme proposed in The proposed HIBAEKS scheme section ensures trapdoor-indistinguishability against both outside and inside adversaries.Moreover, Theorem 5 of [5] indicates that trapdoor-indistinguishability is a sufficient condition for thwarting keyword-guessing attacks.Therefore, combining these results, we can conclude that our proposed scheme provides security against KGAs launched by both outside/inside adversaries.This concludes the proof.

Performance analysis
We compare the proposed HIBAEKS scheme with the related PEKS constructions (i.e., the schemes of [20,21,23,[33][34][35]37]).Table 1 considers a comparison regarding the security and functionality.As it can be seen from the results, our proposed scheme along with the schemes of [33][34][35]37] are the only existing PEKS schemes that support hierarchical access permission.Among them, the schemes of [34] and [35] are in PKI setting and consequently, they suffer from the complex certificate management problem.Moreover, the same as all other existing dPEKS schemes, these schemes are insecure against KGAs launched by inside adversaries.The schemes of [33,37] don't suffer from certificate management problems; however, while the scheme of [37] suffers from KGAs launched by inside attackers, the scheme of [33] suffers from KGAs performed by the outside and inside adversaries.Therefore, we can conclude that our proposed scheme is the only PEKS scheme that supports hierarchical access permission, doesn't suffer from complex certificate management problem, and is secure against KGAs.Table 2 considers a comparison regarding the computational costs.Note that to simplify comparisons, less time-consuming operations are ignored in the comparisons.To further simplify comparisons, we use the reported executing times of the operations in [39]: T H = 4.362 millisecond (ms), T sm1 = 1.631 ms , T bp = 4.154 ms , T sm = 0.509 ms , where T H , T sm1 , T sm , and T bp denote the execution times for a Hash-to- point operation, a scalar multiplication operation over the bilinear group G 1 , a scalar multiplication operation over the elliptic curve group G, and a bilinear pairing operation, respectively.These results are obtained by use of a tablet computer with 4GB RAM and an Intel Corei5-4210U CPU@1.7 GHz running Ubuntu 16.04 while employing the open-source cryptography library MIRACL [40].(For simplicity, we let the hierarchical level of the data receiver t = 3 , and the maximum hierarchical level l = 10 ) As it can be seen from Fig. 3 and Table 2, the execution times for Table 1 Security and property comparison a The security analysis of the dHPEKS of [35] is provided in Appendix B

Ciphertext indistinguishability
Outside KGA security

Inside KGA security
No Certificate management burden Hierarchical keyword search support key generation, trapdoor generation, ciphertext generation, and test algorithms of our HIBAEKS scheme are significantly lower compared to the corresponding algorithms of [20,21,23,[33][34][35]37]. Figure 4 and Table 3 consider a comparison regarding the communication costs.To simplify comparisons, we utilize the bit length sizes reported in [39] 2 and Fig. 4 demonstrate that the proposed scheme has much lower bit length size of the searchable ciphertext and the trapdoor than those in the related schemes [20,21,23,[33][34][35]37].
One important scenario that should be considered when analysing the performance of PEKS schemes in hierarchical settings is where a data sender wants to send a searchable ciphertext to multiple data receivers.In such situations, it is conceivable that the data receivers are located in different branches in the hierarchical structure.Figures 5 and 6 compare the computational costs of ciphertext generation and the ciphertext size of our HIBAEKS scheme and the related ones along with increasing the number of the data receivers' branches in Game I: The Game I, conducted between A and the challenger C , comprises the following phases:-Initialization.C creates the public parameters prms and the master secret key msk by executing Setup( ).Then, it gives prms to A. -Phase 1. C responds to the following queries posed adaptively by A for polynomially many times:

: 3 h
= 160 , |G| = 320 , |G 1 | = 512 , and |G 2 | = 1024 , where |G|, |G i | , and h denote the bit length size of each element of the elliptic curve group G, each element of the bilinear group G i (i = 1, 2) , and the output of an ordinary hash function, respectively.The results shown in Table

Fig. 4 Fig. 5 Fig. 6
Fig. 4 Communication cost comparison ExtSK (ID| t ) : On input of a user's ID-tuple ID| t , C generates the corresponding secret key s ID| t and returns the result.-Queries to HIBAEKS ID| t , ID ′ | t ′ , w : On input of a data owner's ID-tuple ID| t , a data receiver's ID- tuple ID ′ | t ′ , and a keyword w, C generates a search- able ciphertext C w and returns the result.-Queries to Trapdoor ID| t , ID ′ | t | t nor ExtSK ID R * | t ′ are queried by A during Phase 1 or Phase 2. -Trapdoor ID S * | t , ID R * | t ′ , w i for i = 0, 1 are not queried by A during Phase 1 or Phase 2.
′ , w : On input of a data owner's ID-tuple ID| t , a data receiver's ID- tuple ID ′ | t ′ , and a keyword w, C generates a trap- door T w and returns the result.-Challenge.A outputs a data owner's ID-tuple ID S * | t , a data receiver's ID-tuple ID R * | t ′ , and two different challenge keywords w 0 and w 1 .Now, C chooses a bit b at random and performs HIBAEKS ID S * | t , s ID S * |t , ID R * | t ′ , w b to generate the target searchable ciphertext C. It sends C as the challenge searchable ciphertext to A. -Phase 2. In this phase, A is able to probe C as Phase 1. -Guess.A returns a guess b ′ ∈ {0, 1} and is declared the winner if b = b ′ , subject to the following:-Neither ExtSK ID S * creates the public parameters prms and the master secret key msk by executing Setup( ).Then, it gives prms to A. -Phase 1. Same as those in Game I. -Challenge.A outputs a data owner's ID-tuple ID S * | t , a data receiver's ID-tuple ID R * | t ′ , and two different challenge keywords w 0 and w 1 .Now, C chooses a bit b at random and performs Trapdoor ID S * | t , ID R -HIBAEKS ID S * | t , ID R * | t ′ , w i for i = 0, 1 are not queried by A during Phase 1 or Phase 2.
* | t ′ , s ID R * | t ′ , w b to generate the target trapdoor T. It sends T as the challenge trapdoor to A. -Phase 2. A is able to probe C as in Phase 1. -Guess.A returns a guess b ′ ∈ {0, 1} and is declared the winner if b = b ′ , subject to the following: -Neither ExtSK ID S * | t nor ExtSK ID R * | t ′ are queried by A during Phase 1 or Phase 2.
xyP, w b , h 1 appears on L 1 .If this tuple appears on L 1 , the GDH problem can definitely be solved by B .Moreover, B has asked at most q h 1 queries to O DDH .