Security analysis and secure channel-free certificateless searchable public key authenticated encryption for a cloud-based Internet of things

With the rapid development of informatization, an increasing number of industries and organizations outsource their data to cloud servers, to avoid the cost of local data management and to share data. For example, industrial Internet of things systems and mobile healthcare systems rely on cloud computing’s powerful data storage and processing capabilities to address the storage, provision, and maintenance of massive amounts of industrial and medical data. One of the major challenges facing cloud-based storage environments is how to ensure the confidentiality and security of outsourced sensitive data. To mitigate these issues, He et al. and Ma et al. have recently independently proposed two certificateless public key searchable encryption schemes. In this paper, we analyze the security of these two schemes and show that the reduction proof of He et al.’s CLPAEKS scheme is incorrect, and that Ma et al.’s CLPEKS scheme is not secure against keyword guessing attacks. We then propose a channel-free certificateless searchable public key authenticated encryption (dCLPAEKS) scheme and prove that it is secure against inside keyword guessing attacks under the enhanced security model. Compared with other certificateless public key searchable encryption schemes, this scheme has higher security and comparable efficiency.


Introduction
The Internet of things (IoT) [1][2][3] is a new model that has rapidly become popular in wireless communication scenarios. The basic idea of this concept is that all items-such as actuators, radio-frequency identification tags-are connected to the Internet through information sensing devices, to exchange information. That is, objects are interconnected, to realize intelligent identification and management. IoT has opened new avenues for technology connectivity and business upgrading in industry, healthcare, and transportation, of which the industrial Internet of things (IIoT) and mobile healthcare systems (MHSs) are the most successful applications.

PLOS ONE
PLOS ONE | https://doi.org/10.1371/journal.pone.0230722 April 9, 2020 1 / 24 a1111111111 a1111111111 a1111111111 a1111111111 a1111111111 keyword guessing attacks (KGAs). The KGAs is attributed to the fact that keyword space is very small and users usually use common keywords for retrieval, which provides a "shortcut" for an attacker to obtain data privacy information by using only dictionary attacks. Specifically, with a given trapdoor, the attacker tests every possible keyword off-line. If the test is successful, the attacker can know the potential keywords in the trapdoor. From the server's reply, he also knows which encrypted files contain the keywords encapsulated in the trapdoor. In short, by running this off-line KGAs, malicious (inside or outside) attackers can obtain information about encrypted files and invade the user's data privacy. Constructing a scheme to resist KGAs has attracted the attention of many researchers [30][31][32][33][34][35][36][37].
Recently, He et al. [38] proposed a new scheme, CLPAEKS, for IIoT, and Ma et al. [39] proposed a scheme, CLPEKS, for MHSs. Their schemes are both certificateless public key searchable encryption schemes, which effectively solve the problem of searching over encrypted data stored in the cloud and avoid the problems of certificate management and key escrow.
In this paper, through careful analysis, we describe security vulnerabilities that we found in the two schemes mentioned above. The security reduction of He et al.'s CLPAEKS scheme is actually incorrect for two types of adversaries. That is, an adversary cannot solve the computational bilinear Diffie-Hellman problem by using adversary A I (A II ), which attacks the security of the CLPAEKS scheme, as a subroutine. Ma et al.'s CLPEKS scheme is not secure against offline KGAs. Furthermore, in both CLPAEKS and CLPEKS, anyone can run test operations, which makes it easy to identify whether two search queries are generated from the same keyword; that is, the search patterns of users can be revealed to anyone. The potential risks of search pattern leakage have been studied in the literature [40]: adversaries may use searching frequency to obtain information about the plaintext.

Our contributions
• We note the security vulnerabilities of the CLPAEKS scheme proposed by He et al. and the CLPEKS scheme proposed by Ma et al.
• To protect the privacy and security of data stored in the cloud in the Internet of Things environment, we propose a dCLPAEKS scheme, which is a channel-free certificateless searchable public key encryption scheme, and present a security model for dCLPAEKS to remedy the problem mentioned above.
• Under the enhanced security model, we prove that the dCLPAEKS scheme is secure against inside keyword guessing attacks for two types of adversaries. Specifically, we formally prove that the scheme satisfies ciphertext indistinguishability and trapdoor indistinguishability. Furthermore, we prove that the scheme satisfies the security of the designated tester (specifically, only the server can perform test operations).
• We compare our scheme with other CLPEKS schemes in terms of security, computational complexity and communication overhead. We also evaluate its efficiency in experiments, and the results show that our scheme has higher security and efficiency.

Related works
In 2004, Boneh et al. first proposed the concept of public key searchable encryption [18] and proposed the construction scheme of PEKS based on anonymous identity-based cryptosystems. This scheme has been applied in a mail system to solve the mail routing problem of untrustworthy servers. In 2008, Baek et al. [23] pointed out that the scheme in [18] must be built on a secure channel. To overcome this limitation, they proposed a public key searchable encryption scheme without a secure channel by introducing a designated tester. In 2006, Bynn et al. [30] found that the scheme proposed in [18] was susceptible to off-line KGAs because keywords are selected from a much smaller space than keys and users usually use common keywords; hence, an attacker can easily crack the PEKS system through KGAs.
To protect against KGAs, Rhee et al. [32] proposed a trapdoor secure dPEKS scheme, but Wang et al. [41] later pointed out that the scheme suffered from an inherent insecurity, namely, vulnerability to inside KGAs (IKGAs). Roughly speaking, given a trapdoor, a malicious server can generate the PEKS ciphertext for any keyword it chooses, and then the server can run a test operation to determine whether the keywords being guessed are the keywords underlying the trapdoor. In 2013, Xu et al. [34] proposed a fuzzy keyword public key searchable encryption scheme against IKGAs. In their scheme, the server can only perform fuzzy matching search, and accurate matching search is executed locally, so an attacker cannot obtain an accurate search trapdoor, thus ensuring the security of the scheme. In 2016, Chen et al. [35] proposed a dual-server public-key searchable encryption scheme that can resist IKGAs from malicious servers by dividing the test algorithm into two parts and letting two independent servers execute it. However, all of the schemes mentioned above encounter certificate management or key escrow problems. To address this problem, ALpiyami et al. [42] defined the concept of certificateless public key cryptography (CLPKC). Users' private keys in certificateless public key cryptosystems consist of two parts: one is generated by the key generation center and the other is generated by users. Peng [43] proposed the first certificateless public key encryption with keyword search (CLPEKS) scheme. Subsequently, other improved certificateless public key searchable encryption schemes were proposed [44,39]. He et al. [38] demonstrated that these schemes are vulnerable to IKGAs and proposed a certificateless public key authenticated encryption scheme with keyword search that can resist IKGAs.

Paper organization
The rest of this paper is organized as follows. In section 2, we present some preliminaries. In section 3, we review Ha et al's scheme and Ma et al's scheme and then point out the disadvantages of their schemes. In section 4, we introduce a new notion, dCLPAEKS, and give its security model. We construct a concrete dCLPAEKS scheme and prove its security in enhanced security models in section 5. In section 6, we present the performance analysis of our proposed scheme. Finally, we conclude the paper in section 7.

Computational bilinear diffie-hellman problem
where a; b; c 2 Z � p are unknown numbers, the goal is to compute the value ofêðg; gÞ abc .
, where x, y, z are randomly chosen from Z � p , let η be a bit such that η = 1 if Z is randomly selected from G 2 , and η = 0 if Z ¼êðg; gÞ xyz . The DBDH problem is to determine the value of η.
Definition 2 (DBDH Assumption [46,47]) The DBDH assumption is that for any probabilistic polynomial-time (PPT) algorithm A, the following holds: where the probability is taken over the random choice of x; y; z 2 Z � p , g 2 G 1 , Z 2 G 2 .

Review and security analysis of the CLPAEKS and CLPEKS schemes
In this section, we briefly review the CLPAEKS scheme of He et al. [38] and the CLPEKS scheme of Ma et al. [39], and give the security cryptanalysis of the two schemes.

Review and security analysis of He et al.'s CLPAEKS scheme
Description of He et al.'s scheme. The CLPAEKS scheme can be described as follows: • Setup: Input a security parameter l. The KGC selects two cyclic groups G 1 , G 2 with the same prime order q and a bilinear pairingê : G 1 � G 1 ! G 2 . Let P be a generator of G 1 ; The KGC chooses a random number s 2 Z � q as the master key and computes P pub = sP. The KGC selects three different hash functions: Then, the KGC publishes the system parameters prms ¼ fl; G 1 ; G 2 ;ê; P; P pub ; h 1 ; H 2 ; h 3 g.
• Extract-Partial-Private-Key: Input the sender's identity ID S 2 {0, 1} � . The KGC selects a random number r ID S 2 Z � q and computes R ID S ¼ r ID S P, a ID S ¼ h 1 ðID S ; R ID S Þ and d ID S ¼ r ID S þ sa ID S ðmod qÞ. Then, the KGC returns ðd ID S and R ID S Þ to the sender. In parallel, the partial private key ðd ID R , R ID R Þ of the receiver is calculated in the same way.
• Set-Secret-Value: This takes ID S , ID R 2 {0, 1} � as input. The sender and the receiver choose random numbers x ID S and x ID R as their secret values, respectively.
• Set-Private-Key: This sets the sender's private key and the receiver's private key as SK ID S ¼ ðx ID S ; d ID S Þ and SK ID R ¼ ðx ID R ; d ID R Þ, respectively.
• Set-Public-Key: The sender computes P ID S ¼ x ID S P and sets PK ID S ¼ ðP ID S ; R ID S Þ as its public key. The receiver computes P ID R ¼ x ID R P and sets PK ID R ¼ ðP ID R ; R ID R Þ as its public key.
• CLPAEKS: This takes prms; ID S ; ID R ; SK ID S ; PK ID R as input. The sender encrypts the keyword w as follows: 1. The sender chooses a random number r 2 Z � q .

The sender computes
The final ciphertext for the keyword is C = (C 1 , C 2 ).
• Trapdoor: This takes prms; ID S ; ID R ; SK ID R ; PK ID S as input. The data receiver runs the following steps to compute the trapdoor T w : • Test: Take prms, the trapdoor T w and ciphertext C as input. The cloud server checks whether T wê ðC 2 ; PÞ ¼êðC 1 ; b ID R P ID R þ R ID R þ a ID R P pub Þ holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.

Security analysis.
In the random oracle model, the semantic security of the CLPAEKS scheme against IKGAs is reduced to solve the CBDH problem [38]. Here, we show that the security reduction for the CLPAEKS scheme is in fact incorrect for two types of adversaries. We use a reductionist proof for a type 1 adversary as an example to illustrate.
Given an instance (P, aP, bP, cP) of the CBDH problem, assuming that adversary A I intends to break the CLPAEKS scheme, B makes use of the advantage of A I to compute the value ofêðP; PÞ abc . B simulates security games for adversary A I . After A I outputs a guess value in the guess stage, the simulator B calculatesêðP; PÞ abc as follows: The core part of computingêðP; PÞ abc is the left-hand side of the first equation. For ease of description, the numerator and denominator of the fraction in the first equation are abbreviated as follows: Let us see how B obtains M and N. N is calculated by B itself, while M is obtained by B using A I . However, B is unable to use the adversary A I to obtain the value of M. Specifically, in the reductionist proof for adversary A I , M is the value of the trapdoor of the challenge keywords under the challenge identities and E 5 denotes the event that A I does not ask the hash query for the value of the trapdoor of the challenge keywords, and we show that Pr [¬E 5 ] � 2ε, where ε denotes the advantage of A I breaking the CLPAEKS scheme. Thus, B aims to make use of the fact that A I has conducted a hash query on this trapdoor, namely, the value of M, with a non-negligible probability in the interactive game, and then randomly select one from the previous query history as M.
However, in the trapdoor algorithm design of the CLPAEKS scheme [38], no hashing operation is performed on the value of the trapdoor, that is, H i (T w ), for some hash function H i . Therefore, it is impossible for A I to make the hash query on the trapdoor of the challenge keyword. In addition, B has no other advantage in obtaining M from A I . In short, the reduction process shows that B is unable to solve the CBDH problem with A I as a subroutine.

Review and security analysis of Ma et al.'s CLPEKS scheme A description of Ma et al.'s scheme.
The CLPEKS scheme is as follows: • Setup: Input a security parameter k. The KGC selects two cyclic groups G 1 , G 2 with the same prime order q, a bilinear pairing e : Let P be a generator of G 1 ; the KGC chooses a random number s 2 Z � q as the master key and computes P pub ¼ sP 2 G 1 . The KGC selects four different hash functions: • Set-Secret-Value: Input U's identity ID. U chooses a random number x ID 2 Z � q as its secret value.
• Set-Private-Key: This sets U's private key as SK ID = (x ID , d ID ).
• Set-Public-Key: U computes P ID S ¼ x ID S P and sets PK ID = (P ID , T ID ) as its public key.
• CLPAEKS: Let W = {w i |i = 1, 2, � � �, m} be a set of keywords. Take prms, ID, PK ID as input. U encrypts the keyword w as follows: The final ciphertext for the keyword is • Trapdoor: This takes prms, ID, SK ID , PK ID as input. U runs the following steps to compute the trapdoor T w : • Test: Take prms, the trapdoor T w and ciphertext C as input. The cloud server checks whether h 4 (e(T w , U i )) = v i holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.
Security vulnerability. In this subsection, we show that the scheme is vulnerable to an off-line keyword guessing attack. We prove that a malicious adversary can retrieve keywordspecific information from any query message captured by the protocol.

Lemma 1 Ma et al.'s scheme is susceptible to an off-line keyword guessing attack.
Proof 1 An attacker B performs the following steps.

B first captures a valid trapdoor T w . The goal of B is to recover w from T w . B guesses an
appropriate keyword w 0 , and computes H 3 (w 0 ), β ID = h 2 (ID, P ID , T ID ) and α ID = h 1 (ID, T ID ).
If the equation holds, the guessed keyword is a valid keyword, namely, w 0 = w. Otherwise, go to Step (1). Specifically, if w 0 = w, then

System model
We first describe the relationships and interactions among the four entities, namely, the cloud server, KGC, data sender and data receiver, in dCLPAEKS: The KGC generates the system parameters and part of the user's private key according to the user's identity. The sender extracts keywords from each data file and uses the sender's secret key Sk ID s , the receiver's public key Pk ID r and the server's public key Pk Csvr to encrypt keywords to form the dCLPAEKS ciphertext; then, it encrypts the file by using another encryption algorithm and sends it to the cloud server along with the keyword ciphertext. To search encrypted files, the receiver uses his secret key Sk ID r and the sender's public key Pk ID s to generate the trapdoor T w of the keywords and sends it to the cloud server. The cloud server uses its secret key to search and return the ciphertext files containing the target keywords.

Definition of dCLPAEKS
Our dCLPAEKS scheme consists of the following (probabilistic) polynomial-time algorithms.
• Setup (λ): Given a security parameter λ, this algorithm generates a master public/secret key pair (m pk , m sk ) and global parameter params.
• PPKGen (params, ID, m sk ): Given params, a master secret key m sk and a user's identity ID, it generates the user's partial private key, referred to as PPK ID .
• SVGen (params, ID): Given params and a user's identity ID, it generates a secret value, referred to as SV ID .
• SKGen (params, PPK ID , SV ID ): Given params, a partial private key PPK ID and a secret value SV ID , it generates the user's secret key, referred to as SK ID .
• PKGen (params, SV ID ): Given params and a secret value SV ID , it generates a public key PK ID for the identity ID.
• PEKS (params, w, PK Csvr , SK ID s , PK ID r , ID s , ID r ): Given params, a keyword w, PK Csvr , a sender's identity ID s and SK ID s , and a receiver's identity ID r and PK ID r , it generates a ciphertext C w .
• Trapdoor (params, w, SK ID r , PK ID s , ID r , ID s ): Given params, a keyword w, a receiver's identity ID r and SK ID r , and a sender's identity ID s and PK ID s , it generates a trapdoor T w .
• dTest (params, SK Csvr , C w , T w , ID s , ID r ): Given params, the server's secret key SK Csvr , a PEKS ciphertext C w , a trapdoor T w , the identity ID s of a sender and the ID r of a receiver, it outputs 1 if C w and T w contain the same keyword, and 0 otherwise.

Security models
There are two types of adversaries, i.e., a Type 1 adversary A I and a Type 2 adversary A II , in certificateless cryptography [43]. Adversary A I cannot access the master key. However, A I can extract partial private keys and secret keys, request public keys and replace public keys with any values he chooses. Adversary A II can access the system's master key, but cannot replace the user's public key. We define the following five games between the adversaries A I (A II ) and a challenger B to show that our scheme is semantically secure against IKGA.
For adversaries in Game 1 to Game 4, we set the following natural restrictions.
1. The adversary cannot extract the secret key for the challenge identities.
2. The adversary cannot make a ciphertext query and trapdoor query on the challenge keywords w � 0 , w � 1 for the challenge identity ID � s of a sender and ID � r of a receiver. Ciphertext indistinguishability. Game 1: Ciphertext indistinguishability for A I In this game, we set the semi-trusted cloud server as the adversary A I . Ciphertext indistinguishability ensures that the ciphertext reveals no information about the underlying keyword to the cloud server.
• Setup: Given a security parameter λ, the challenger B generates the system parameter params, the PKG's public/secret key (m pk , m sk ), and the server's public/secret key (PK Csvr , SK Csvr ). It then invokes A I on the input params and (PK Csvr , SK Csvr ).
• Phase 1: Adversary A I issues a sequence of queries adaptively polynomial-many times but is subject to the restrictions defined above.
• Partial Private Key Extraction: Given the user's identity ID, it returns the user's partial private key PPK ID to A I .
• Secret Key Queries: Given the user's identity ID, B returns the user's secret key SK ID to A I .
• Public Key Queries: Given the user's identity ID, B returns the user's public key PK ID to A I .
• Replace Public Key: A I can replace the public key with any value he chooses.
• Ciphertext Queries: Given a keyword w, identity ID s of a sender and identity ID r of a receiver, B computes the corresponding ciphertext C w and returns it to A I .
• Trapdoor Queries: Given a keyword w, identity ID s of a sender and identity ID r of a receiver, B computes the corresponding trapdoor T w and returns it to A I .
• Challenge: A I outputs two keywords w � 0 , w � 1 , the challenge identity ID � s of a sender and ID � r of a receiver, and B randomly chooses a bit b 2 {0, 1}, computes the challenge ciphertext C w � b and returns it to • Phase 2: Adversary A I continues to issue requests to B, as in phase 1.
• Guess: A I outputs a bit b 0 2 {0, 1}, and wins the game if and only if b 0 = b. The advantage of A I winning Game 1 is defined as Game 2: Ciphertext indistinguishability for A II In this game, we set the semi-trusted KGC as the adversary A II .
• Setup: B generates the system public parameter params, the PKG's public/secret key (m pk , m sk ), and the server's public/secret key (PK Csvr , SK Csvr ). Then, B returns params and m sk to A II .
• Phase 1: A II can adaptively issue a sequence of queries polynomial-many times but obeys the restrictions defined above.
• Secret Key Queries: Taking the identity ID as input, B outputs the secret key SK ID to A II .
• Public Key Queries: Taking the identity ID as input, B outputs the public key PK ID to A II .
• Ciphertext Queries: Given a keyword w, identity ID s of a sender and ID r of a receiver, B outputs the corresponding ciphertext C w to A II .
• Trapdoor Queries: Given a keyword w, identity ID s of a sender and ID r of a receiver, B outputs the corresponding trapdoor T w to A II .
• Challenge: A II outputs two keywords w � 0 and w � 1 and the challenge identity ID � s of a sender and ID � r of a receiver, and B randomly chooses a bit b 2 {0, 1}, computes the challenge ciphertext C w � b and returns it to A II , where • Phase 2: Adversary A II continues to issue queries to B as in phase 1.
• Guess: A II outputs a bit b 0 2 {0, 1}, and wins the game if and only if b 0 = b. The advantage of A II winning Game 2 is defined as Adv C A II ðlÞ ¼ jPr ½b 0 ¼b� À 1 2 j:

Definition 3 We say that a dCLPAEKS scheme satisfies ciphertext indistinguishability if, for any polynomial-time adversaries A i ði ¼ I; IIÞ, Adv C
A i ðlÞ is negligible. Trapdoor indistinguishability. Game 3: Trapdoor indistinguishability for A I Similar to Game 1, we set the semi-trusted cloud server as the adversary A I . Trapdoor indistinguishability guarantees that the cloud server cannot obtain any information about the keyword from a given trapdoor. This indicates that the server cannot forge valid ciphertext and cannot perform offline inside keyword guessing attacks (IKGAs) successfully.
• Setup: Same as in Game 1.
• Challenge: A I outputs two keywords w � 0 and w � 1 and the challenge identity ID � s of a sender and ID � r of a receiver, and B randomly chooses a bit b 2 {0, 1}, computes the challenge trapdoor T w � b and returns it to • Phase 2: Adversary A I continues to issue queries to B, as in phase 1.
• Guess: A I outputs a bit b 0 2 {0, 1}, if b 0 = b, we say A I wins the game. The advantage of A I in breaking trapdoor indistinguishability in a dCLPAEKS is defined as Adv T A I ¼ jPr ½b 0 ¼b� À 1 2 j: Game 4: Trapdoor indistinguishability for A II Game 4 is similar to Game 2; the difference is that B needs to generate a trapdoor of the challenge keywords for the challenge identity ID � s of a sender and ID � r of a receiver in Game 4.

Definition 4 We say that a dCLPAEKS scheme satisfies trapdoor indistinguishability if for any polynomial-time adversaries A i ði ¼ I; IIÞ, Adv T
A i ðlÞ is negligible. Designated testability. Game 5: In this game, we assume that A I is an outside adversary who is allowed to obtain any user's secret key. Designated testability aims to prevent adversaries from searching the ciphertexts while guaranteeing that only the designated server can.
• Setup: B generates the system public parameter params, the PKG's public/secret key (m pk , m sk ), and the server's public/secret key (PK Csvr , SK Csvr ). It invokes A I on input params and PK Csvr .
• Phase1: Adversary A I can adaptively issue a sequence of queries polynomial-many times.
• Secret Key Queries: Given a user's identity ID, B return the user's secret key SK ID to A I .
• Public Key Queries: Given a user's identity ID, B return the user's public key PK ID to A I .
• Challenge: A I outputs two keywords w � 0 and w � 1 and the challenge identity ID � s of a sender and ID � r of a receiver, and B randomly chooses a bit b 2 {0, 1}, computes the challenge ciphertext C w � b and returns it to A I , where • Phase 2: Adversary A I continues to issue queries to B as in phase 1.

Concrete dCLPAEKS scheme
Here, we present a concrete dCLPAEKS scheme, which is composed of nine polynomial-time algorithms.
• Setup (λ): Given a security parameter λ, this algorithm runs as follows: 1. Select two cyclic groups G 1 and G 2 with the same prime order p, a bilinear pairinĝ e : G 1 � G 1 ! G 2 , and a cryptographic hash function H 1 : f0; 1g � ! G 1 .
2. Select a random number a 2 Z � p as the master key m sk and set m pk = g α , where g is an arbitrary generator of G 1 .
4. Choose two additional cryptographic hash functions H : G 2 � f0; 1g � ! G 1 and The system parameters params ¼ ðG 1 ; G 2 ;ê; g; h; H; H 1 ; H 2 ; m pk Þ are publicly and authentically available, but only the KGC knows the master key m sk .
Steps (1) and (2) of the algorithm are run by the KGC.
• PPKGen (params, ID i , m sk ): Outputs the partial private key • SVGen (params, ID i ): Selects b ID i 2 Z � p randomly, and outputs the secret value • SKGen (params, PPK ID i , SV ID i ): Outputs the secret key • PKGen (params, SV ID ): Outputs the public key PK ID i ¼ g ab ID i .
• Trapdoor (params, w, SK ID r , PK ID s , ID r , ID s ): Selects r 2 Z � p randomly, and computes ID r , and outputs the trapdoor T w = (T 1 , T 2 ).

Security analysis
In this subsection, we analyze the security of the above concrete construction.
dCLPAEKS ciphertext indistinguishability. Theorem 1 Our dCLPAEKS scheme satisfies ciphertext indistinguishability under the assumption that DBDH is intractable.
This conclusion is derived from the following two lemmas.

Lemma 2 For any polynomial-time adversary A I , our dCLPAEKS scheme satisfies ciphertext indistinguishability in Game 1 under the random oracle model assuming DBDH is intractable.
Proof 2 Assume that A I is a semi-trusted server that tries to break the ciphertext indistinguishability of our dCLPAEKS scheme. We construct a simulator B to solve the DBDH problem. Given a random challenge ðG 1 ; G 2 ;ê; g; g x ; g y ; g z ; ZÞ, where Z is either equal toêðg; gÞ xyz or a random element of G 2 , B interacts with A I as follows: • Setup: B randomly chooses h from G 1 and n 2 Z � p and sets (PK Csvr , SK Csvr ) = (g ν , ν) and params ¼ ðG 1 ; G 2 ;ê; p; g; h; m pk ¼ g z Þ. B sends params and (PK Csvr , SK Csvr ) to A I . 1. If this is the i-th query, e.g., ID ¼ ID � s , B outputs H 1 (ID) = g x and adds < ID, g x , ? > to L H 1 .
2. If this is the j-th query, e.g., ID ¼ ID � r , B outputs H 1 (ID) = g y and adds < ID, g y , ? > to L H 1 .

3.
Otherwise, B chooses a random number m ID 2 Z � p , outputs H 1 ðIDÞ ¼ g m ID and adds < ID, H 1 (ID), μ ID > to L H 1 .
• H 2 Queries: Given a pair of identities (ID s , ID r ), B randomly chooses an element from G 1 as the output of H 2 (ID s , ID r ).
• Partial Private Key Extraction: When A I asks for the partial private key of the ID, if ID ¼ ID � s or ID ¼ ID � r , B outputs a random bit η 0 and aborts. Otherwise, it recovers the tuple < ID, H 1 (ID), μ ID > from L H 1 , and returns the partial private key PPK ID ¼ ðg z Þ m ID to A I .
• Secret Key Queries: B maintains a list L SK , which is initially empty. Taking ID as input, B performs the following actions: 1. If ID 6 ¼ ID � s and ID 6 ¼ ID � r , it recovers the tuple < ID, H 1 (ID), μ ID > from L H 1 and chooses a random number β ID as the secret value. Then, B returns the secret key SK ID ¼ ððg z Þ m ID ; b ID Þ to A I and adds < ID, SK ID > into L SK .
2. Otherwise, B randomly chooses an element b ID 2 Z � p as a secret value and adds < ID, ?, β ID > into L SK . Then, B outputs a random bit η 0 and aborts.
• Public Key Queries: B maintains a list L PK , which is initially empty. Given an identity ID, B retrieves the tuple < ID, SK ID > from L SK , computes the public key PK ID ¼ ðg z Þ b ID , and then returns it to A I and adds < ID, PK ID > into L PK .
• Replace Public Key: A I can replace the public key with any value he chooses.
• Ciphertext Queries: Taking (w, ID r , ID s ) as input, B randomly chooses s 2 Z � p and executes the following steps: 1. If at least one of ID r and ID s is not equal to ID � r or ID � s , without loss of generality, we assume that ID s = 2 fID � s ; ID � r g. B recovers < ID s ; H 1 ðID s Þ; m ID s > from L H 1 , < ID s ; SK ID s > from L SK , and < ID r ; PK ID r > from L PK , computes k ¼êðg z ; H 1 ðID r ÞÞ m ID s � eðH 2 ðID s ; ID r Þ; PK ID r Þ SK 2 ID s and returns C 1 ¼êðHðk; wÞ; PK Csvr Þ s , C 2 = g s , C 3 = h s .

2.
Otherwise, B outputs a random bit η 0 and aborts.
• Trapdoor Queries: Taking (w, ID r , ID s ) as input, B randomly chooses r 2 Z � p and responds as follows: 1. If at least one of ID r and ID s is not equal to ID � r or ID � s , without loss of generality, we assume that ID s = 2 fID � s ; ID � r g. B recovers < ID s ; H 1 ðID s Þ; m ID s > from L H 1 , < ID r ; SK ID r > from L SK , and < ID s ; PK ID s > from L PK , computes k ¼êðg z ; H 1 ðID r ÞÞ m ID s � eðH 2 ðID s ; ID r Þ; PK ID s Þ SK 2 ID r and returns T 1 = H(k, w) � h r , T 2 = g r .

2.
Otherwise, B outputs a random bit η 0 and aborts.
• Challenge: A I issues a challenge on two different keywords w � 0 , w � 1 , a sender's identity ID � s and a receiver's identity ID � r . B randomly selects a bit b 2 {0, 1} and an element s 2 Z � p , and com- • Phase 2: Simulator B responds as in phase 1. If B guesses that the challenge identities are incorrect, B aborts. Denote by abt the event that B aborts. The probability that event abt does not occur is 1=q H 1 � ðq H 1 À 1Þ.
Assume that B does not abort in the game. If Z ¼êðg; gÞ xyz , the view of A I is the same as in a real attack, and A I succeeds in the game with probability Adv C A I ¼ kPr ½b 0 ¼b� À 1 2 k. If Z is selected from G 2 randomly, then k is also a random element in G 1 , so A I wins Game 1 with probability at most 1 2   Proof 3 Assume that A II is a semi-trusted KGC that tries to break the ciphertext indistinguishability of our dCLPAEKS scheme. Given a DBDH instance ðG 1 ; G 2 ;ê; p; g; g x ; g y ; g z ; ZÞ, we will construct an algorithm B to solve the DBDH problem by using A II as a subroutine. B interacts with A II as follows: • Setup: B selects h from G 1 and a 2 Z � p randomly and sets params ¼ ðG 1 ; G 2 ;ê; p; g; h; m pk ¼ g a Þ and PK Csvr = g x . Then, B sends params, PK Csvr and m sk = α to A II .
• Phase 1: A II executes the following queries; assume that A II does not repeat its queries.
• H Queries: A list is maintained by B, referred to as L H , which is initially empty. Taking an element k and a keyword w as input, B randomly chooses m k;w 2 Z � p , returns Hðk; wÞ ¼ g y g m k;w to A II and adds < (k, w), H(k, w), μ k,w > into L H .
• H 1 Queries: Given an identity ID, B randomly selects an element from G 1 as the H 1 (ID) value and returns it to A II .
• H 2 Queries: Given a pair of identities (ID s , ID r ), B randomly chooses an element from G 1 as its H 2 (ID s , ID r ) value, and outputs it to A II .
• Secret Key Queries: B maintains a list L SK that is initially empty. Taking an identity ID as input, B selects a random number b ID 2 Z � p as the secret value and returns the secret key • Public Key Queries: B maintains a list L PK that is initially empty. Given an identity ID, B recovers the tuple < ID, H 1 (ID) α , β ID > from L SK , computes the public key PK ID ¼ ðg a Þ b ID , and returns it to A II . Then, < ID, PK ID > is added to L PK . • If there is no such tuple, B generates it as in previous queries. Then, it computes the challenge • Phase 2: Simulator B responds as in phase 1.
• Guess: A II outputs a bit b 0 ; if b 0 = b, B outputs η 0 = 0, and it outputs 1 otherwise.
If Z ¼êðg; gÞ xyz , then the challenge ciphertext is a correctly distributed verifiable ciphertext, so the view of A II is the same as in real attack, and A II succeeds in Game 2 with probability Adv C A II þ 1 2 . If Z is selected from G 2 randomly, then C � 1 is also a random element in G 1 ; hence, A II succeeds in the game with probability at most 1 2 . Therefore, the advantage of B in solving the DBDH problem is Proof 4 Assume that A II is a semi-trusted KGC that tries to break the trapdoor indistinguishability of our scheme. We construct a simulator B to solve the DBDH problem. Given a random challenge ðG 1 ; G 2 ;ê; p; g; g x ; g y ; g z ; ZÞ, B interacts with A II as follows: • Setup: B selects h from G 1 and n; a 2 Z � p randomly and sets params ¼ ðG 1 ; G 2 ;ê; p; g; h; m pk ¼ g a Þ and (PK Csvr , SK Csvr ) = (g ν , ν). B returns params, PK Csvr and m sk = α to A II .
• Phase 1: B responds to A II ' inquiry as follows, assuming that A II does not initiate repeated queries.
• H Queries: Given a keyword w and an element k, B randomly chooses an element from G 1 as the output of H(k, w).
• H 1 Queries: Given an identity ID, B picks a random number from G 1 and returns it to A II as the H 1 (ID) value of ID.
• H 2 Queries: Suppose that A II issues at most q H 2 queries. A list is maintained by B, referred to as L H 2 , which is initially empty. B randomly selects i 2 f1; 2; � � � ; q H 2 g and guesses that the two identities in the i-th inquiry are the sender's challenge identity ID � s and receiver's challenge identity ID � r , respectively. Taking a pair of identities (ID s , ID r ) as input, B responds as follows: 1. If this is the i-th query, e.g., ðID s ; ID r Þ ¼ ðID � s ; ID � r Þ, it returns H 2 (ID s , ID r ) = g z and adds < (ID s , ID r ), g z , ? > into L H 2 .
2. Otherwise, B randomly chooses m r;s 2 Z � p , returns H 2 ðID s ; ID r Þ ¼ g m r;s and adds < ðID s ; ID r Þ; g m r;s ; m r;s > into L H 2 .
• Guess: A I outputs a bit b 0 ; if b 0 = b, B outputs η 0 = 0, otherwise 1. If Z ¼êðg; gÞ xyz , the view of A I is the same as in a real attack, and A I succeeds in Game 5 with probability Adv D A I þ 1 2 . If Z is selected from G 2 randomly, then C � 1 is also a random element in G 1 ; hence, A I succeeds in the game with probability at most 1 2 . Therefore, the advantage of B in solving the DBDH problem is

Evaluation
In this section, we evaluate the security properties, computational complexity and communication overhead of our scheme, and compare it with the schemes proposed in [17,43,44], and [19]. Table 1 shows the comparison between these schemes and our dCLPAEKS scheme in terms of security. As shown by Table 1, our scheme provides security against inside keyword guessing attacks and against outside keyword guessing attacks without requiring a secure channel.
The communication overhead of the five schemes is given in Table 2. According to Table 2, the communication overhead of our dCLPAEKS scheme is almost the same as that of SCF-MCLPEKS + and CL-dPAEKS. The comparison of computational complexity is given in Table 3. We compare the computational costs of the PEKS, Trapdoor and Test algorithms of the schemes. The results show that our scheme is comparable with the other schemes.
We implemented our scheme, the SCF-MCLPEKS + scheme [17], the CL-dPAEKS scheme [19] and CLPEKS [43] on a laptop with a 3.10-GHz Intel i5 CPU with a 64-GB memory and an Ubuntu Linux operating system. We used the PBC library [48], in which Type-A pairing was chosen. The pairing operation is based on the curve y 2 = x 3 + x over the field F p . The parameter set is |G 1 | = |G 2 | = 128-bit.
To compare the computational efficiency of the four schemes, including our scheme in more detail, we tested the running time of the ciphertext algorithm and trapdoor algorithm. As shown in Fig 1, the ciphertext generation of our scheme has the highest computational efficiency compared with the other schemes. According to Fig 2, as the number of keywords increases, our scheme outperforms the other two schemes in computational efficiency.

Conclusions
In a cloud-based IoT environment, protecting the privacy and security of sensitive data stored in the cloud is a major concern. An effective method is certificateless public key searchable https://doi.org/10.1371/journal.pone.0230722.g002 encryption (CLPEKS), which both enables search over encrypted data and avoids the problems of certificate management and key escrow. In this paper, we demonstrated that the security reduction for the CLPAEKS scheme proposed by He et al. is incorrect under two types of adversaries, and Ma et al.'s CLPEKS scheme is susceptible to an off-line KGAs. We then proposed a new certificateless public key searchable encryption scheme, which overcomes a limitation of these two schemes-the need for a secure channel-and solves the security defect that the CLPEKS scheme cannot resist a KGAs. In addition, in comparison with the other recently proposed CLPEKS schemes, the performance analysis demonstrates that our scheme is more efficient and has higher security.