Multi-Recipient encryption with keyword search without pairing for cloud storage

With the rapid development of cloud computing and communication technology, cloud storage has become a tool people use in daily life. Cloud storage services enable users to outsource data to cloud servers and retrieve desired documents efficiently. Individual privacy in outsourced data is very sensitive and should be protected from any leakage. Public-key encryption with keyword search (PEKS) resolves this tension, while public-key authentication encryption with keyword search (PAEKS) potentially mitigates its keyword guessing attack problem. However, the loss of keyword privacy, the limitation to single-user interaction and low efficiency leave PEKS/PAEKS schemes far from sufficient in practical applications. In this paper, we develop a multi-recipient public key encryption scheme with keyword search without pairing (MREKS) for cloud storage under public key infrastructure. The proposed scheme supports multi-recipient keyword search and requires no expensive bilinear pairing operations under the standard model. We present a concrete and efficient construction of MREKS, and prove its security based on discrete logarithm assumptions. Furthermore, we embed the algorithm of data plaintext encryption and decryption into the scheme, which makes the scheme more practical. Simulation experiments show that our scheme is much more efficient than previous PEKS/PAEKS schemes; in particular, keyword encryption is optimized by 79.5%.


Introduction
In recent years, the amount of electronic data generated on various platforms such as the internet has grown explosively. For governments, enterprises and individuals alike, the increasing amount of data creates data management issues. To store this data, the user needs to maintain the hardware, software and systems for data storage locally. This causes great overhead on the user's server, which seriously affects the efficiency and flexibility with which the user can utilize the data.
Cloud storage services in cloud computing technology alleviate this tension: users can obtain and pay for the server resources provided by the cloud server largely without interaction and with only slight management work. Due to the convenience and flexibility of cloud services and their varied charging properties, users are willing to store their local data on the cloud server. People can upload their data, such as email addresses, personal health records and financial data, to the cloud to share it with other people or to use it themselves from anywhere. Moreover, cloud storage services are widely used in medical institutions, enterprises, schools and other application scenarios.
*Correspondence: zhouqq@gzhu.edu.cn. School of Mathematics and Information Science, Guangzhou University, Guangzhou, China.
However, cloud storage has an inevitable drawback: users share or store data on the cloud server, so the ownership of the data is held by the cloud server. As a result, the cloud server can inadvertently obtain the data uploaded by users, leading to the disclosure of sensitive private data without the user's authorization. To avoid this, users have to encrypt documents before uploading them to the cloud. However, if users then want to acquire a target document, they necessarily have to download all the ciphertext data and decrypt it locally. This is unfriendly to users with large amounts of stored data, and results in huge resource waste and computing overhead. Moreover, this approach is hardly applicable to users with low-bandwidth networks.
To address the above issue, the concept of searchable encryption has been proposed. As depicted in Fig. 1, a searchable encryption scheme works.
Based on previous studies, searchable encryption (SE) is divided into symmetric and asymmetric searchable encryption. The work of Song et al. [1] in 2000 pioneered the construction of a symmetric SE scheme. Their ideas were groundbreaking, but there were inevitable efficiency problems because the cost of finding the target document is linear in length. Boneh et al. [2] constructed public-key encryption with keyword search, denoted by BDOP-PEKS. It is a branch of SE that keeps the encrypted data confidential. The BDOP-PEKS scheme is mainly applied in the mail routing scenario, which involves three participants: the sender, the recipient and the mail server. The sender encrypts the message and the keyword corresponding to the message under the recipient's public key, and the recipient generates the search trapdoor with his own private key. Finally, the mail server performs data retrieval and returns the message ciphertext with the corresponding keyword to the recipient.
Later, Baek et al. [3] found flaws in the PEKS scheme and developed a secure channel free public key encryption with keyword search based on the BDOP-PEKS scheme, denoted by BSS-PKE/PEKS, which removed the need for a secure channel when delivering keywords to the server. The BSS-PKE/PEKS scheme operates over a public channel, but it is still subject to an inherent security restriction: it suffers from off-line keyword guessing attacks (KGA). Specifically, given a keyword trapdoor, an adversary encrypts all keyword candidates using the recipient's public key and identifies the ciphertext that matches the targeted trapdoor; this enables the adversary to recover the keyword hidden in the keyword trapdoor and invade the users' privacy. Public key authentication encryption with keyword search (PAEKS) was first proposed by Huang et al. [9]; in it, the sender's secret key is used in the keyword encryption, so as to achieve keyword trapdoor privacy and resist keyword guessing attacks. Soon afterwards, it was pointed out that Huang's scheme could not ensure keyword ciphertext indistinguishability.
In such an architecture, previous PEKS and PAEKS schemes have been based on bilinear pairing operations, which can greatly restrict efficiency when running on devices with limited communication and computing capacity.
Traditional PEKS schemes for mail routing consider single-user interactions. This holds especially for PAEKS schemes, where sharing data requires generating a search trapdoor for the same keyword for each receiver. This greatly reduces the appeal for practical enterprise applications, since meeting this search requirement still consumes a lot of storage resources. At present, the security of most PEKS schemes is not good enough to resist KGA. One reason is that the low-entropy nature of keywords leads to KGA. Therefore, we propose the MREKS scheme to address the defects mentioned above.

Contribution
In this paper, we put forward a multi-recipient encryption with keyword search scheme without pairing for cloud storage based on public key infrastructure, building on the idea of Lu et al. [10] (see related work). The proposed scheme not only supports multi-recipient authenticated keyword search, but also avoids expensive bilinear pairings. We formally define the system model and security of the proposed MREKS and demonstrate its security under the standard model. More specifically, our contributions are summarized below:
Functionality: We construct a new multi-recipient PAEKS scheme without pairing for cloud storage under public key infrastructure. Consider a scenario where a user (i.e., a data sender) gathers transaction data and shares it with multiple recipients (e.g., a group of colleagues in the company). Most PEKS and PAEKS schemes [2,3,9,11,12] support only a single recipient. With those schemes, the user has to generate a search trapdoor of the same keyword for each recipient individually, which is very inefficient and inconvenient. To address these issues, we create a single keyword encryption for a set of authorized recipients with highly efficient communication and computation.
Practicality: We embed message encryption and decryption to make the MREKS scheme more practical. Most PEKS and PAEKS schemes hardly support message encryption and decryption, which leaves them incomplete. We therefore add this algorithm to keep the transmission of the symmetric key confidential over the public channel and avoid transmitting the symmetric key via a secure channel. This makes it convenient to decrypt the ciphertext. Moreover, message decryption must match the corresponding keyword, which ensures the privacy of the message and the keyword in transmission.
Security: The proposed MREKS scheme provides privacy-preserving keyword search and data encryption. We prove that the scheme resists keyword guessing attacks under the standard model and provides plaintext privacy. It is worth noting that we embed the recipient's private key in the keyword encryption process to avoid the possibility of an outside adversary's attack. Without the ability to produce a valid ciphertext, the adversary is not able to carry out a successful keyword guessing attack. In this way, our scheme resists attacks from the adversary.
Efficiency: Our scheme avoids expensive bilinear pairings. In various application scenarios, the computations are often performed on smart devices with constrained resources, such as telephones or handheld terminals. Most of the previous PEKS and PAEKS schemes [2,3,9,13] were built with bilinear pairings. With a pairing-free scheme, the efficiency is greatly improved, which has more practical significance for equipment with limited communication and computing capacity. We analyze the running overhead of MREKS theoretically and implement it in C with the PBC library [14]. The analysis and experimental results show that our scheme has lower running overhead than previous PEKS and PAEKS schemes.

Related work
The first asymmetric SE was presented by Boneh et al. [2] in 2004. Baek et al. addressed the problem that Boneh's scheme works via a secure channel in 2008. Soon afterwards, PEKS schemes with various kinds of functions were proposed. The work of Byun et al. [15] and Yau et al. [16] showed clearly that current PEKS schemes suffer from a novel attack, called the off-line keyword guessing attack. In their research, previous schemes could not resist off-line keyword guessing attacks from cloud servers. Based on the work of Baek et al., Fang et al. [5] enhanced the security property and ensured the keyword security of the scheme under the standard model. While the work of Fang et al. seems perfect, there are still keyword privacy problems. Therefore, the privacy of keywords in public key encryption with keyword search has become an issue to be addressed by researchers.
The idea of "Trapdoor Indistinguishability" was proposed by Rhee et al. [6]. In their work, trapdoor indistinguishability is a sufficient condition under keyword security. Therefore, whether KGA succeeds under different assumptions determines the security of a scheme. Based on various scenarios, we classify attackers as internal attackers or external attackers. In other words, an external adversary's attacks can be considered online KGA, since the adversary can produce the keyword ciphertext to guess in the testing process by intercepting the user's search trapdoor. Similarly, an internal adversary's attacks (the internal adversary being a semi-honest cloud server) can be considered off-line KGA, since the adversary is able to carry out the test algorithm. The semi-honest cloud server is more powerful than the external attacker because of its ability to execute the test.
Later, Huang et al. [9] constructed a new public key authentication encryption with keyword search to resist an inside adversary's attack. Ma et al. [17] put forward certificateless public key encryption with keyword search in the internet of things (IoT) environment. Lu et al. [18] introduced a search trapdoor via key agreement between sender and receiver, which can resist the known KGA. Later, Ma et al. [19] constructed the SCF-CLSPE scheme to achieve IND-CKA security for smart healthcare. Noroozi et al. [20] put forward a generic construction secure against online and offline KGA. Qin et al. [13] revisited the scheme proposed by Huang et al. [9] and showed that the keyword privacy of Huang et al.'s scheme was insufficient, that is, it could not securely withstand the multi-keyword ciphertext guessing attack. A verifiable public key SE was proposed after this improvement, which can achieve multi-keyword ciphertext indistinguishability. Pan et al. [11] improved the work of Qin et al., and proposed to simultaneously ensure multi-keyword ciphertext indistinguishability and multi-keyword trapdoor security. Afterwards, Cheng et al. [12] pointed out a serious mistake in the security proof of Pan et al.'s work, and Qin et al. [21] improved their multi-keyword ciphertext indistinguishability security model [13]. Chen et al. [22] proposed a new type of public-key SE that can resist an inside adversary's off-line keyword guessing attacks, namely server-aided public-key SE. In this scheme, a blind keyword signature is provided by the server and returned to the user for keyword encryption. The server's blind signature key can be updated for each sub-server, which makes the scheme more flexible. Zhang et al. [23] proposed a public key searchable encryption scheme based on a blockchain public chain application that is able to resist keyword guessing attacks. He et al. [24] and Li et al. [25] brought PAEKS into the certificateless keyword search and identity based encryption settings, respectively. Li et al. [26] put forward a new public key searchable encryption scheme for single-user to multi-user interaction under the hierarchical identity mechanism and attribute encryption mechanism; this scheme supports transparent user access control. It not only protects the privacy of keyword search, but also allows users holding the private key to search the ciphertext. Lu et al. [10] presented a new multi-recipient certificateless public key searchable encryption scheme for IIoT, which supports multi-user interaction and needs no costly computation. We introduce this contribution into our scheme so that it applies better to cloud storage under PKI.
In addition to keyword searching, other PEKS variants of public key cryptosystems have also been studied, including fuzzy keyword search [27], verifiable keyword search [28], lattice-based encryption with keyword search [29] and attribute-based keyword search [30].

Definition 1. (Discrete Logarithm (DL) assumption [31])
Let $G$ be a cyclic group of prime order $q$ with a generator $g$. Select $a \in \mathbb{Z}_q$, for every arbitrary probability $\varepsilon$ with a polynomial time $t$, there exists an algorithm
Definition 2. (Hash Diffie-Hellman (HDH) problem [32]) Let $G$ be a cyclic group of prime order $q$ and $g$ be a where $l$ is a binary number. Given hash function $H$ and
Definition 3. (Computational Diffie-Hellman (CDH) problem [32]) Let $G$ be a cyclic group of prime order $q$ and $g$ be a generator of $G$. Given a binary tuple $(g^a, g^b) \in G^2$ for unknown integers $a, b \in \mathbb{Z}_q^*$, the CDH problem in the group $G$ is to calculate $g^{ab}$.

System model of MREKS
The proposed MREKS model is displayed in Fig. 2. It includes six polynomial time algorithms:
1) GlobalSetup($\lambda$): Input a security parameter $\lambda$, and output the global parameter $GP$.
2) KeyGen($GP$): Input the global parameter $GP$, and output a secret/public key pair $(sk_u, pk_u)$ for the user.
3) Encrypt($GP, sk_S, (pk_1, pk_2, \ldots, pk_n)_R, w, M$): Input $GP$, $sk_S$, the recipients' public keys $(pk_1, pk_2, \ldots, pk_n)_R$, a keyword $w$ and a message $M$, where $n$ is the number of recipients. Output the ciphertext $C = (C_w, C_M)$, where $C_w$ is the keyword ciphertext and $C_M$ is the message ciphertext.
4) Trapdoor($GP, sk_R, pk_S, w'$): Input $GP$, $sk_R$, $pk_S$ and a search keyword $w'$, and output a keyword trapdoor $T_{w'}$.
5) Test($GP, C_w, T_{w'}$): Input $GP$, $C_w$, $T_{w'}$, and output the symbol "1" if $w = w'$ or "0" otherwise.
6) Decrypt($GP, w', C_M, pk_S, sk_R$): Input $GP$, $C_M$, a keyword $w'$, $pk_S$ and $sk_R$. Output the plaintext message $M$.

Security definition
In this section we introduce the security definitions of our proposed MREKS scheme. The security definitions of ciphertext indistinguishability of MREKS under chosen keyword guessing attacks (denoted CMREKS-CKA), trapdoor indistinguishability of MREKS under chosen keyword guessing attacks (denoted TMREKS-CKA) and plaintext privacy of MREKS against chosen plaintext attacks (denoted PP-MREKS-CPA) are as follows:

CMREKS-CKA game
This game is simulated between $A$ and a challenger $B$, where $A$ is an inside or outside adversary.
GlobalSetup: Given the security parameter $\lambda$, $B$ produces the global parameters $GP$ and the sender's and recipients' secret/public key pairs $(sk_S, pk_S)$ and $(sk_R, pk_R)$, and sends $pk_S$, $pk_R$ and $GP$ to $A$.
Query Phase 1: $A$ adaptively issues $O_{Ciphertext}$, $O_{Trapdoor}$ and $O_{Test}$ queries to $B$; $B$ simulates the corresponding algorithms of the MREKS scheme and returns the results.
Challenge: $A$ submits two keywords $(w_0, w_1)$ to $B$ that he/she has not submitted to $O_{Ciphertext}$ in Query Phase 1 above. Finally, $B$ returns a keyword ciphertext
Query Phase 2: $A$ continues to query $B$ adaptively, with the restriction that $A$ cannot query $w_0$ or $w_1$ for a ciphertext or trapdoor.
The advantage of A in CMREKS-CKA Game is defined as follows:

TMREKS-CKA game
This game is simulated between $A$ and a challenger $B$, where $A$ is an inside or outside adversary.
GlobalSetup: Same as that in the CMREKS-CKA game.
Query Phase 1: Same as that in the CMREKS-CKA game.
Challenge: $A$ submits two keywords $(w_0, w_1)$ to $B$ that he/she has not submitted to $O_{Ciphertext}$ in Query Phase 1 above. Finally, $B$ returns a keyword trapdoor
Query Phase 2: $A$ continues to query $B$ adaptively, with the restriction that $A$ cannot query $w_0$ or $w_1$ for a ciphertext or trapdoor.
Guess: $A$ returns $b' \in \{0, 1\}$ and wins the game if $b = b'$.
The advantage of A in TMREKS-CKA Game is defined as follows: can obtain a non-negligible advantage in TMREKS-CKA game.

PP-MREKS-CPA game
This game is simulated between A and a challenger B.

The proposed MREKS scheme
In this section we introduce our MREKS scheme. The scheme is described as follows.
1) GlobalSetup($\lambda$): Given the security parameter $1^{\lambda}$, the trusted server picks a cyclic group $G$ of order $q$. Let $g$ be the generator of $G$. Furthermore, it selects four hash functions $H_1$:
2) KeyGen($GP$): Takes $GP$ as input. The user (sender or recipient) generates its secret/public key pair as follows.
• Computes $\eta = g(s_i)$ and $K = C_1 \oplus H_1(pk_{S_2}^{\eta})$, then returns the plaintext $M$, where $M = \mathrm{AESDec}_K(C_2)$.
Remark. The decryption algorithm cannot be performed until the cloud server has passed the test algorithm and returned the ciphertext $C$ to the recipient. Otherwise, the decryption algorithm is not performed.
If the target keyword $w = w'$, then the above equation are equal. Thus, our scheme is correct.
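The multi-recipient step "Computes $\eta = g(s_i)$" can be illustrated with a short Python sketch. This is an added example, not the paper's construction or code: it assumes the polynomial has the form $g(x) = \prod_i (x - s_i) + \eta \bmod q$ and that each $s_i$ is derived by hashing a Diffie-Hellman value together with the keyword. The toy group, the use of SHA-256 and all function names are likewise assumptions made for illustration.

```python
import hashlib
import secrets

Q = 2**127 - 1  # toy group order q (the Mersenne prime M127); constructed parameter

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases, used only to find the toy modulus."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for b in bases:
        x = pow(b, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def toy_group():
    """Return (p, g): p = k*Q + 1 prime, g a generator of the order-Q subgroup."""
    k = 2
    while not is_probable_prime(k * Q + 1):
        k += 2
    p, h = k * Q + 1, 2
    while pow(h, k, p) == 1:
        h += 1
    return p, pow(h, k, p)

P, G = toy_group()

def hash_to_zq(*parts):
    """SHA-256 based hash into Z_q^* (stand-in for the paper's hash functions)."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (Q - 1) + 1

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)

def shared_point(sk_own, pk_other, keyword):
    """Assumed derivation: s = H(pk_other^sk_own, keyword); both ends get the same s."""
    return hash_to_zq(pow(pk_other, sk_own, P), keyword)

def build_polynomial(roots, eta):
    """Coefficients, lowest degree first, of g(x) = prod(x - s_i) + eta mod q."""
    coeffs = [1]
    for s in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i] = (nxt[i] - s * c) % Q
            nxt[i + 1] = (nxt[i + 1] + c) % Q
        coeffs = nxt
    coeffs[0] = (coeffs[0] + eta) % Q
    return coeffs

def evaluate(coeffs, x):
    acc = 0
    for c in reversed(coeffs):  # Horner's rule
        acc = (acc * x + c) % Q
    return acc

def sender_embed(sk_s, recipient_pks, keyword):
    """Sender side: one polynomial carries eta for every authorized recipient."""
    eta = secrets.randbelow(Q - 1) + 1
    roots = [shared_point(sk_s, pk, keyword) for pk in recipient_pks]
    return eta, build_polynomial(roots, eta)

def recipient_recover(sk_r, pk_s, keyword, coeffs):
    """Recipient side: evaluate the published polynomial at its own point."""
    return evaluate(coeffs, shared_point(sk_r, pk_s, keyword))

def demo():
    sk_s, pk_s = keygen()
    recipients = [keygen() for _ in range(3)]
    sk_out, _ = keygen()  # key pair that was not in the recipient list
    eta, coeffs = sender_embed(sk_s, [pk for _, pk in recipients], "invoice")
    return {
        "authorized": [recipient_recover(sk, pk_s, "invoice", coeffs) == eta
                       for sk, _ in recipients],
        "wrong_keyword": recipient_recover(recipients[0][0], pk_s, "payroll", coeffs) == eta,
        "outsider": recipient_recover(sk_out, pk_s, "invoice", coeffs) == eta,
        "degree": len(coeffs) - 1,
    }
```

The polynomial has degree $n$, so the published coefficients grow linearly with the number of recipients while the sender performs a single embedding for all of them.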

Security proof
In this section we analyze the security of MREKS via game hopping [33].
Lemma 1 (Difference Lemma [33]). Let $E$ be some "error event" such that $S_1 | \neg E$ occurs if and only if $S_2 | \neg E$ occurs. Then
Proof 1: Suppose that $A$ is an internal or external adversary against the security of the proposed CMREKS-CKA game in polynomial time, $A_H$ is the adversary of the hash function and $A_{HDH}$ is the adversary breaking the HDH assumption.
We prove Theorem 1 via five sub-games Game-$j$ ($j = 0, 1, 2, 3, 4$), and define $Y_j$ as the event that $A$ guesses correctly, that is, $b = b'$. The game-hopping proof of CMREKS-CKA is as follows:
Game-0: Game-0 is the original CMREKS-CKA attack game, so $A$ has $Adv(\lambda)_A = |\Pr[Y_0] - 1/2|$.
Game-1: In this sub-game, $B$ picks $sk_{S_2}, sk_{iR_2}, a, c_i \in \mathbb{Z}_q^*$ randomly to calculate $pk_S = (g^a, g^{sk_{S_2}})$ and $pk_{iR} = (g^{c_i}, g^{sk_{iR_2}})$ for each recipient $i = 1, 2, \ldots, n$, where $g$ is the generator of group $G$. Other parameters are the same as in Game-0. Obviously, Game-0 and Game-1 are indistinguishable to $A$. So, the two sub-games are equal with the advantage of Pr

Game-2:
Game-2 is similar to Game-1, except that $B$ switches to the following pattern of responding to queries and the challenge. $B$ answers the following queries:
- $O_{Ciphertext}$: $A$ submits a keyword $w$ to $B$, then $B$ picks a random integer $r \in \mathbb{Z}_q^*$ and returns $C = (C_1, C_2, \ldots, C_7)$ to $A$.
- $O_{Trapdoor}$: $A$ submits a keyword $w$ to $B$, and returns
Challenge: $A$ submits two different keywords $(w_0, w_1)$, where $w_0$ or $w_1$ are not challenged in the previous phase. $B$ chooses $r^* \in_R \mathbb{Z}_q^*$ and $b \in_R \{0, 1\}$ and performs as follows: .
c) Selects random integers $s_1^*, s_2^*, \ldots, s_n^*, \eta^*, \gamma^* \in \mathbb{Z}_q^*$ and defines two polynomials .., $C_7^*$ to $A$. Therefore, the challenge ciphertext $C^* = (C_1^*, \ldots, C_7^*)$ is a valid ciphertext of the keyword $w_b$.
Game-1 and Game-2 are identical if $B$ answers the queries and the challenge correctly. It means that $A$ guesses correctly in both sub-games with the advantage of Pr[
Game-3: Game-3 is the same as Game-2, except that $B$ aborts the sub-game if one of the following events occurs.
Event $E_1$: $A$ submits $w$ to $B$ in $O_{Ciphertext}$, where the keyword input satisfies $w = w_b$, but .., $s_n^*, \eta^* \in \mathbb{Z}_q^*$, the keyword ciphertext cannot be matched in the cloud server.
Obviously, Game-2 and Game-3 are indistinguishable to $A$ unless the event $E_1 \vee E_2$ occurs. By the Difference Lemma, we have
Furthermore, there will be an $A_H$ if the event $E_1$ occurs. Therefore, $A_H$ has the advantage of winning, if where $n$ is the number of recipients and $q$ is random number of $\mathbb{Z}_q^*$. Similarly, there will be an $A_H$ if the event $E_2$ occurs. Therefore, $A_H$ has the advantage of winning, if
Therefore, we induce the equation

Game-4:
Game-4 is the same as Game-3, except that $B$ picks a random element $Z \in \{0, 1\}^l$ instead of $H_1(g^{ac_i})$ when generating the challenge ciphertext. Obviously, $B$ responds to queries and the challenge via HDH tuples $(H_1, g, g^a, g^{c_i}, Z)$ without revealing the integers $a$ and $c_i$. In consequence, Game-3 is equivalent to Game-4. $A_{HDH}$ distinguishes the element $\mu_i = H_1(g^{ac_i})$ (for $i = 1, 2, \ldots, n$) from $Z$ with non-negligible advantage if the HDH problem is solved. Hence, $A_{HDH}$ has the advantage to win Game-4 with
$Z$ is a random integer of $G$, so $A$ has the advantage of winning with $\Pr[Y_4] = 1/2$.
Next, $A$ can guess correctly in the above sub-games with the advantage
Based on the triangle inequality, the above sub-games induce as follows:
By the collision resistance of the hash function $H$ and the hardness of the HDH problem, $Adv(\lambda)_A$ is negligible in Theorem 1.
Theorem 2. The MREKS scheme realizes TMREKS-CKA game security under the standard model if $H_1 \sim H_4$ are collision-resistant hash functions and the HDH problem is intractable.
Proof 2: Suppose that $A$ is an internal or external adversary against the security of the proposed TMREKS-CKA game in polynomial time, $A_H$ is the adversary of the hash function and $A_{HDH}$ is the adversary breaking the HDH problem.
We prove Theorem 2 via five sub-games Game-$j$ ($j = 0, 1, 2, 3, 4$), and define $Y_j$ as the event that $A$ guesses correctly, that is, $b = b'$. The game-hopping proof of TMREKS-CKA is as follows:
Game-1: This sub-game is the same as Game-1 of Theorem 1.
Game-2: Game-2 is similar to Game-1, except that $B$ switches to the following pattern of responding to queries and the challenge. $B$ answers the following queries:
- $O_{Ciphertext}$: $A$ submits a keyword $w$ to $B$, then $B$ picks an integer $r \in_R \mathbb{Z}_q^*$ and returns $C = (C_1, C_2, \ldots, C_7)$ to $A$.
- $O_{Trapdoor}$: $A$ submits a keyword $w$ to $B$, and returns
Challenge: $A$ submits two different keywords $(w_0, w_1)$ to $B$, where $w_0$ and $w_1$ are not challenged in the previous phase. $B$ chooses $b \in \{0, 1\}$ randomly for a keyword trap- . And then returns them to $A$.
Therefore, the challenge trapdoor is a valid trapdoor of the keyword $w_b$.
Game-1 and Game-2 are identical if $B$ answers the queries and the challenge correctly. It means that $A$ guesses correctly in both sub-games with the same advantage
Game-3: This sub-game is the same as Game-3 of Theorem 1.
Therefore, we induce the equation

Game-4:
This sub-game is the same as the Game-4 of theorem 1.
Therefore, $A$ has the advantage of winning with $\Pr[Y_4] = 1/2$. Next, $A$ can guess correctly in the above game with the advantage
Based on the triangle inequality, the above sub-games induce as follows:
By the collision resistance of the hash function $H$ and the hardness of the HDH problem, $Adv(\lambda)_A$ is negligible in Theorem 2.
Theorem 3: The MREKS scheme realizes PP-MREKS-CPA game security if AES encryption is IND-CPA secure and the CDH and DL assumptions hold.
Proof 3: The MREKS scheme leverages AES to encrypt the plaintext $M$ and hides the session key $K$ in $C_1$. Hence, if $C_1$ does not divulge any information about the encryption key $K$, the security of our MREKS is based on AES. Ensuring the security of $\eta$ is equivalent to ensuring the security of $K$; that is, we need to keep the keyword secure, provided the hash function is collision resistant. The following game is played between a PPT adversary $A$ and the challenger $B$. Given a DL instance $(G, g, g^a)$ and a CDH instance $(H_1, g, g^a, g^{\eta})$, where $a, \eta \in \mathbb{Z}_q^*$, $B$ works as follows.
GlobalSetup: $B$ initializes the system to produce $GP = \{q, g, G, H_1, H_2, H_3, H_4\}$. $B$ sends $GP$ and the public keys of the sender and recipients, $pk_S = (g^{sk_{S_1}}, g^{sk_{S_2}}) = (g^{sk_{S_1}}, g^a)$ and $pk_{iR} = (g^{sk_{iR_1}}, g^{sk_{iR_2}})$, to $A$, where $g$ is the generator of group $G$ and the recipients are indexed by $i = 1, 2, \ldots, n$.
- $O_{H_1}$: Given an element $g^* \in G$, it returns an $l$-bit random number $h^*$ as the hash value $H_1(g^*)$.
- $O_{H_3}$: Given an element $g' \in G$, it returns a random number $h' \in \mathbb{Z}_q^*$ as the hash value $H_3(g')$.
- $O_{Ciphertext}$: $A$ submits a keyword $w$ and a plaintext $M$ to $B$, then $B$ picks a random integer $r \in \mathbb{Z}_q^*$ and returns $C = (C_1, C_2, \ldots, C_7)$ to $A$.
Challenge: $A$ submits to $B$ its keyword $w$ and two plaintexts $(M_0, M_1)$. $B$ generates a ciphertext $C_b$, where the random bit $b$ decides which plaintext is encrypted in this ciphertext. $B$ chooses $r^* \in \mathbb{Z}_q^*$, $b \in \{0, 1\}$ randomly and performs as follows: iR 2 ) and define two polynomial to $A$.
Phase 2: $A$ can still issue queries to the same oracles as in Phase 1, except that the ciphertext $C_b$ cannot appear in the decrypt oracle $O_D$.
Guess: $A$ returns a bit $b'$ and wins the game if $b' = b$. We define events $E_1$ and $E_2$.
In case $E_1$ happens, the challenger $B$ solves the CDH problem by computing $g^* = g^{a\eta}$.
In case $E_2$ happens, the challenger $B$ solves the DL problem by computing g (H 2 (w ||θ i )−r) = g 1 a . If the DL and CDH assumptions hold, $E_1$ and $E_2$ happen with negligible probability. That is where $t$ is a (polynomial) upper bound on the number of queries.
In the other case, where $E_1$ and $E_2$ do not happen, the ciphertext $C$ is random in $A$'s view and the session key $K$ can be revealed only with negligible probability. That is
Therefore, $A$'s winning advantage is at most negligible if AES encryption is IND-CPA secure and the DL and CDH assumptions hold in this game.
Notice. We deduce that the computation of $\eta$ is approximately the computation $g^{\eta}$, since the computation of $s_i$ in the polynomial $g(x)$ is to solve the DL assumption.

Performance analysis
In this section we evaluate the computation and communication cost of our scheme. We present the following notation for basic operations in Table 1: $t_h$: the cost of computing a map-to-point hash. To give a more intuitive comparison, we test the time cost of the compared schemes by employing the PBC library on a laptop running Ubuntu 16.04 with an Intel Core i5-4210U CPU @ 1.7 GHz and 11 GB of RAM. A Type-A pairing was chosen and used to initialize the system, which offers the same security level as 1024-bit RSA encryption.
The schemes proposed in [2,3,9,13] are based on bilinear pairing operations. Let $G \times G \to G_T$, where $G_T$ is the bilinear map group.
The computation costs of the keyword encryption algorithm, trapdoor algorithm and test algorithm in MREKS and schemes [2,3,9,13] are shown in Fig. 3 and Table 2. We ran the keyword encryption algorithm 100 times for one keyword and one recipient; the average for our scheme is about 1.594 ms. When the number of recipients increases to 10, our scheme costs about 15.42 ms. Compared to scheme [9], the computation cost of MREKS is reduced by 79.5% in the keyword encryption phase. If the number of recipients is infinite, the keyword encryption efficiency of the MREKS scheme will be better than that of other PEKS schemes.
In addition, the trapdoor generation in our scheme is faster than in previous PEKS schemes. With the number of recipients set to 10, the time cost of keyword testing in the MREKS scheme is about 1.53 ms, while that in [2,3,9,13] is about 2.1 ms, 3.1 ms, 2.9 ms and 2.13 ms, respectively.
Remark. To avoid results that are indeterminate and affected by the length of the plaintext, and to allow a better comparison with PEKS schemes, AES encryption and decryption are not included in the ciphertext computation and communication costs.

Communication cost
To visually display the comparison of storage length between different schemes based on the PBC library's parameters, we now describe the communication costs in Table 3 with the following notation:
$|G|$: the 512-bit size of an element in $G$.
$|G_T|$: the 1024-bit size of an element in $G_T$.
$|\mathbb{Z}_q^*|$: the 128-bit size of an integer in $\mathbb{Z}_q^*$.
$h$: the 256-bit size of a hash value.
$n$: the number of recipients.
The keyword ciphertext of the MREKS scheme is clearly smaller than that of the PEKS and PAEKS schemes [2,3,9,13]. Especially as the number of recipients $n$ increases, our scheme is relatively more efficient. Furthermore, the size of the trapdoor in the MREKS scheme is smaller than in schemes [2,3,9,13].

Conclusion
The PAEKS scheme is a useful cryptographic paradigm that supplies a feasible solution to the problem of encrypted data retrieval for cloud storage. MREKS simultaneously provides authentication, freedom from costly bilinear pairing operations and multi-recipient keyword search. Furthermore, we embed message encryption into our scheme, and decryption needs to match the corresponding keyword information, which ensures the privacy of the message and keywords. We formally prove that it ensures keyword security without random oracles, as well as plaintext security. Moreover, we evaluate the performance of our proposed scheme against previous PEKS and PAEKS schemes. The results demonstrate that our scheme is much more efficient than the previous schemes, especially in computation. These features make it efficient for users to search over encrypted data in cloud storage.