Security analysis and secure channel-free certificateless searchable public key authenticated encryption for a cloud-based Internet of things

Bin Wu; Caifen Wang; Hailong Yao

doi:10.1371/journal.pone.0230722

Abstract

With the rapid development of informatization, an increasing number of industries and organizations outsource their data to cloud servers, to avoid the cost of local data management and to share data. For example, industrial Internet of things systems and mobile healthcare systems rely on cloud computing’s powerful data storage and processing capabilities to address the storage, provision, and maintenance of massive amounts of industrial and medical data. One of the major challenges facing cloud-based storage environments is how to ensure the confidentiality and security of outsourced sensitive data. To mitigate these issues, He et al. and Ma et al. have recently independently proposed two certificateless public key searchable encryption schemes. In this paper, we analyze the security of these two schemes and show that the reduction proof of He et al.’s CLPAEKS scheme is incorrect, and that Ma et al.’s CLPEKS scheme is not secure against keyword guessing attacks. We then propose a channel-free certificateless searchable public key authenticated encryption (dCLPAEKS) scheme and prove that it is secure against inside keyword guessing attacks under the enhanced security model. Compared with other certificateless public key searchable encryption schemes, this scheme has higher security and comparable efficiency.

Citation: Wu B, Wang C, Yao H (2020) Security analysis and secure channel-free certificateless searchable public key authenticated encryption for a cloud-based Internet of things. PLoS ONE 15(4): e0230722. https://doi.org/10.1371/journal.pone.0230722

Editor: He Debiao, Wuhan University, CHINA

Received: December 17, 2019; Accepted: March 7, 2020; Published: April 9, 2020

Copyright: © 2020 Wu et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper.

Funding: The author(s) received no specific funding for this work.

Competing interests: The authors have declared that no competing interests exist.

Introduction

The Internet of things (IoT) [1–3] is a new model that has rapidly become popular in wireless communication scenarios. The basic idea of this concept is that all items—such as actuators, radio-frequency identification tags—are connected to the Internet through information sensing devices, to exchange information. That is, objects are interconnected, to realize intelligent identification and management. IoT has opened new avenues for technology connectivity and business upgrading in industry, healthcare, and transportation, of which the industrial Internet of things (IIoT) and mobile healthcare systems (MHSs) are the most successful applications.

IIoT refers to the IoT environment applied in industrial systems. IIoT integrates various intelligent terminals and sensing devices through a ubiquitous network to efficiently and economically manage industrial production, not only improving manufacturing efficiency, but also reducing product costs, upgrading traditional industries to intelligent industries [4].

MHSs refers to the provision of medical applications and medical information at any time or place, based on the IoT [5, 6]. MHSs provide a wide range of services and applications, including patient monitoring, mobile telemedicine, real-time transmission, storage of (and access to) medical information, and customized and personalized medical service prescriptions.

Although the IIoT and MHSs have great development prospects and bring great convenience to people’s productivity and life, they still face a substantial challenge, namely, the storage and management of massive amounts of data (including both industrial and medical data).

In recent years, cloud computing technology has developed rapidly, and some typical cloud service products have been released and have received extensive attention; these include Dropbox [7], a cloud network storage tool, and Windows Azure [8], a cloud computing platform from Microsoft. Cloud computing is a business model that allows on-demand network access to configurable computing resources such as services, storage, networks, and applications. These resources can be quickly provided and released with minimal management work and interaction. The IoT generally contains small objects (things) with limited processing power and storage capabilities, whereas cloud computing has unlimited storage and processing power capabilities, which can play a supporting role in the IoT architecture, as explained in Ref. [9, 10]. Specifically, the IoT can benefit from the unlimited resources and capabilities of the cloud to make up for its technological constraints. A recent and continuing trend is the integration of the cloud and the IoT. The new model, called the cloud-based Internet of Things, has been extensively studied [11–14]. In a cloud-based IoT system, users upload data collected by various smart devices to cloud servers through the Internet, and other authorized users can retrieve data collected from different environments.

However, when outsourcing data to a cloud server, the security and privacy of the data cannot be guaranteed because the cloud server is considered honest but curious; it can fulfill its obligations, but is curious about the stored information. Before uploading sensitive data to the cloud server, the data owner needs to perform encryption to protect the privacy and confidentiality of the data. However, in this way, the existing plaintext-based keyword search technology is ineffective, because encryption usually hides the structure of the original data. To address this problem, searchable encryption (SE), which supports efficient search over ciphertext, has been widely applied, studied, and developed in recent years [15–29].

SE can be categorized into symmetric and asymmetric encryption. Symmetric searchable encryption has the characteristics of low computational overhead and high speed, but it is usually suitable for a single-user model; additionally, the encryption and decryption parties need to negotiate the key beforehand. To address this limitation, public key searchable encryption (PEKS) was first proposed by Boneh et al. [18]. It is very suitable for solving the searchable encryption problem in a multi-user system. In a PEKS system, without prior agreement between sender and receiver, the sender generates encrypted files, called PEKS ciphertext (including encrypted files body and encrypted keywords) using the receiver’s public key, and uploads the ciphertext to the cloud server. When the receiver needs to search the ciphertext for a certain keyword, it uses its own secret key to generate the search certificate of the keyword and sends it to the cloud server. The server then runs a test operation to select the ciphertext file containing the target keyword, and returns it to the receiver.

Although PEKS solves the problem of searching ciphertext, it still suffers from some privacy problems. Reference [24] pointed out that most PEKS schemes are susceptible to off-line keyword guessing attacks (KGAs). The KGAs is attributed to the fact that keyword space is very small and users usually use common keywords for retrieval, which provides a “shortcut” for an attacker to obtain data privacy information by using only dictionary attacks. Specifically, with a given trapdoor, the attacker tests every possible keyword off-line. If the test is successful, the attacker can know the potential keywords in the trapdoor. From the server’s reply, he also knows which encrypted files contain the keywords encapsulated in the trapdoor. In short, by running this off-line KGAs, malicious (inside or outside) attackers can obtain information about encrypted files and invade the user’s data privacy. Constructing a scheme to resist KGAs has attracted the attention of many researchers [30–37].

Recently, He et al. [38] proposed a new scheme, CLPAEKS, for IIoT, and Ma et al. [39] proposed a scheme, CLPEKS, for MHSs. Their schemes are both certificateless public key searchable encryption schemes, which effectively solve the problem of searching over encrypted data stored in the cloud and avoid the problems of certificate management and key escrow.

In this paper, through careful analysis, we describe security vulnerabilities that we found in the two schemes mentioned above. The security reduction of He et al.’s CLPAEKS scheme is actually incorrect for two types of adversaries. That is, an adversary cannot solve the computational bilinear Diffie-Hellman problem by using adversary (), which attacks the security of the CLPAEKS scheme, as a subroutine. Ma et al.’s CLPEKS scheme is not secure against off-line KGAs. Furthermore, in both CLPAEKS and CLPEKS, anyone can run test operations, which makes it easy to identify whether two search queries are generated from the same keyword; that is, the search patterns of users can be revealed to anyone. The potential risks of search pattern leakage have been studied in the literature [40]: adversaries may use searching frequency to obtain information about the plaintext.

Our contributions

We note the security vulnerabilities of the CLPAEKS scheme proposed by He et al. and the CLPEKS scheme proposed by Ma et al.
To protect the privacy and security of data stored in the cloud in the Internet of Things environment, we propose a dCLPAEKS scheme, which is a channel-free certificateless searchable public key encryption scheme, and present a security model for dCLPAEKS to remedy the problem mentioned above.
Under the enhanced security model, we prove that the dCLPAEKS scheme is secure against inside keyword guessing attacks for two types of adversaries. Specifically, we formally prove that the scheme satisfies ciphertext indistinguishability and trapdoor indistinguishability. Furthermore, we prove that the scheme satisfies the security of the designated tester (specifically, only the server can perform test operations).
We compare our scheme with other CLPEKS schemes in terms of security, computational complexity and communication overhead. We also evaluate its efficiency in experiments, and the results show that our scheme has higher security and efficiency.

Related works

In 2004, Boneh et al. first proposed the concept of public key searchable encryption [18] and proposed the construction scheme of PEKS based on anonymous identity-based cryptosystems. This scheme has been applied in a mail system to solve the mail routing problem of untrustworthy servers. In 2008, Baek et al. [23] pointed out that the scheme in [18] must be built on a secure channel. To overcome this limitation, they proposed a public key searchable encryption scheme without a secure channel by introducing a designated tester. In 2006, Bynn et al. [30] found that the scheme proposed in [18] was susceptible to off-line KGAs because keywords are selected from a much smaller space than keys and users usually use common keywords; hence, an attacker can easily crack the PEKS system through KGAs. To protect against KGAs, Rhee et al. [32] proposed a trapdoor secure dPEKS scheme, but Wang et al. [41] later pointed out that the scheme suffered from an inherent insecurity, namely, vulnerability to inside KGAs (IKGAs). Roughly speaking, given a trapdoor, a malicious server can generate the PEKS ciphertext for any keyword it chooses, and then the server can run a test operation to determine whether the keywords being guessed are the keywords underlying the trapdoor. In 2013, Xu et al. [34] proposed a fuzzy keyword public key searchable encryption scheme against IKGAs. In their scheme, the server can only perform fuzzy matching search, and accurate matching search is executed locally, so an attacker cannot obtain an accurate search trapdoor, thus ensuring the security of the scheme. In 2016, Chen et al. [35] proposed a dual-server public-key searchable encryption scheme that can resist IKGAs from malicious servers by dividing the test algorithm into two parts and letting two independent servers execute it. However, all of the schemes mentioned above encounter certificate management or key escrow problems. To address this problem, AL-piyami et al. [42] defined the concept of certificateless public key cryptography (CLPKC). Users’ private keys in certificateless public key cryptosystems consist of two parts: one is generated by the key generation center and the other is generated by users. Peng [43] proposed the first certificateless public key encryption with keyword search (CLPEKS) scheme. Subsequently, other improved certificateless public key searchable encryption schemes were proposed [44, 39]. He et al. [38] demonstrated that these schemes are vulnerable to IKGAs and proposed a certificateless public key authenticated encryption scheme with keyword search that can resist IKGAs.

Paper organization

The rest of this paper is organized as follows. In section 2, we present some preliminaries. In section 3, we review Ha et al’s scheme and Ma et al’s scheme and then point out the disadvantages of their schemes. In section 4, we introduce a new notion, dCLPAEKS, and give its security model. We construct a concrete dCLPAEKS scheme and prove its security in enhanced security models in section 5. In section 6, we present the performance analysis of our proposed scheme. Finally, we conclude the paper in section 7.

Preliminaries

Bilinear pairing

Bilinear pairing [45] plays an important role in constructing many cryptographic schemes, including our dCLPAKES scheme. Let be a set of integers. Set as a bilinear map, mapping groups and to , where , are cyclic groups with the same prime order p. This mapping satisfies the following properties:

Bilinearity: For any u, and g, , .
Non-degeneracy: If g is a generator of , then is a generator of .
Computability: For any g, , there is an efficient algorithm to calculate .

Computational bilinear diffie-hellman problem

Definition 1 (CBDH Problem) Let be a bilinear pairing. Given (g, g^a, g^b, g^c), where are unknown numbers, the goal is to compute the value of .

Decisional bilinear diffie-hellman assumption

The decisional bilinear Diffie-Hellman (DBDH) problem is described as follows.

Given , where x, y, z are randomly chosen from , let η be a bit such that η = 1 if Z is randomly selected from , and η = 0 if . The DBDH problem is to determine the value of η.

Definition 2 (DBDH Assumption [46, 47]) The DBDH assumption is that for any probabilistic polynomial-time (PPT) algorithm , the following holds: where the probability is taken over the random choice of , , .

Review and security analysis of the CLPAEKS and CLPEKS schemes

In this section, we briefly review the CLPAEKS scheme of He et al. [38] and the CLPEKS scheme of Ma et al. [39], and give the security cryptanalysis of the two schemes.

Review and security analysis of He et al.’s CLPAEKS scheme

Description of He et al.’s scheme.

The CLPAEKS scheme can be described as follows:

Setup: Input a security parameter l. The KGC selects two cyclic groups , with the same prime order q and a bilinear pairing . Let P be a generator of ; The KGC chooses a random number as the master key and computes P_pub = sP. The KGC selects three different hash functions: , and . Then, the KGC publishes the system parameters .
Extract-Partial-Private-Key: Input the sender’s identity ID_S ∈ {0, 1}*. The KGC selects a random number and computes , and . Then, the KGC returns and to the sender. In parallel, the partial private key , of the receiver is calculated in the same way.
Set-Secret-Value: This takes ID_S, ID_R ∈ {0, 1}* as input. The sender and the receiver choose random numbers and as their secret values, respectively.
Set-Private-Key: This sets the sender’s private key and the receiver’s private key as and , respectively.
Set-Public-Key: The sender computes and sets as its public key. The receiver computes and sets as its public key.
CLPAEKS: This takes as input. The sender encrypts the keyword w as follows:
1. The sender chooses a random number .
2. The sender computes , , , .
The final ciphertext for the keyword is C = (C₁, C₂).
Trapdoor: This takes as input. The data receiver runs the following steps to compute the trapdoor T_w:
1. Compute , .
2. Compute .
Test: Take prms, the trapdoor T_w and ciphertext C as input. The cloud server checks whether holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.

Security analysis.

In the random oracle model, the semantic security of the CLPAEKS scheme against IKGAs is reduced to solve the CBDH problem [38]. Here, we show that the security reduction for the CLPAEKS scheme is in fact incorrect for two types of adversaries. We use a reductionist proof for a type 1 adversary as an example to illustrate.

Given an instance (P, aP, bP, cP) of the CBDH problem, assuming that adversary intends to break the CLPAEKS scheme, makes use of the advantage of to compute the value of . simulates security games for adversary . After outputs a guess value in the guess stage, the simulator calculates as follows: The core part of computing is the left-hand side of the first equation. For ease of description, the numerator and denominator of the fraction in the first equation are abbreviated as follows:

Let us see how obtains and .

is calculated by itself, while is obtained by using . However, is unable to use the adversary to obtain the value of . Specifically, in the reductionist proof for adversary , is the value of the trapdoor of the challenge keywords under the challenge identities and E₅ denotes the event that does not ask the hash query for the value of the trapdoor of the challenge keywords, and we show that Pr[¬E₅] ≥ 2ε, where ε denotes the advantage of breaking the CLPAEKS scheme. Thus, aims to make use of the fact that has conducted a hash query on this trapdoor, namely, the value of , with a non-negligible probability in the interactive game, and then randomly select one from the previous query history as .

However, in the trapdoor algorithm design of the CLPAEKS scheme [38], no hashing operation is performed on the value of the trapdoor, that is, H_i(T_w), for some hash function H_i. Therefore, it is impossible for to make the hash query on the trapdoor of the challenge keyword. In addition, has no other advantage in obtaining from . In short, the reduction process shows that is unable to solve the CBDH problem with as a subroutine.

Review and security analysis of Ma et al.’s CLPEKS scheme

A description of Ma et al.’s scheme.

The CLPEKS scheme is as follows:

Setup: Input a security parameter k. The KGC selects two cyclic groups , with the same prime order q, a bilinear pairing . Let P be a generator of ; the KGC chooses a random number as the master key and computes . The KGC selects four different hash functions: , , H₃: {0, 1}* → G₁ and . Then, the KGC publishes public parameters .
Extract-Partial-Private-Key: Input a user U’s identity ID ∈ {0, 1}*. The KGC selects a random number and computes T_ID = t_ID P, α_ID = h₁(ID, T_ID) and d_ID = t_ID + sα_ID(mod q). Then, the KGC sends (d_ID, T_ID) to U.
Set-Secret-Value: Input U’s identity ID. U chooses a random number as its secret value.
Set-Private-Key: This sets U’s private key as SK_ID = (x_ID, d_ID).
Set-Public-Key: U computes and sets PK_ID = (P_ID, T_ID) as its public key.
CLPAEKS: Let W = {w_i|i = 1, 2, ⋯, m} be a set of keywords. Take prms, ID, PK_ID as input. U encrypts the keyword w as follows:
1. Compute β_ID = h₂(ID, P_ID, T_ID), choose a random number and compute U_i = r_i P, Q_i = H₃(w_i).
2. Compute Γ_i = e(r_i Q_i, β_ID P_ID + T_ID + α_ID P_pub) and v_i = h₄(Γ_i).
The final ciphertext for the keyword is C = {C₁, C₂, ⋯, C_m}, where C_i = (U_i, v_i).
Trapdoor: This takes prms, ID, SK_ID, PK_ID as input. U runs the following steps to compute the trapdoor T_w:
1. Compute β_ID = h₂(ID, P_ID, T_ID) and Q = H₃(w).
2. Compute T_w = (d_ID + β_ID x_ID)Q.
Test: Take prms, the trapdoor T_w and ciphertext C as input. The cloud server checks whether h₄(e(T_w, U_i)) = v_i holds. If it holds, then the server outputs 1. Otherwise, it outputs 0.

Security vulnerability.

In this subsection, we show that the scheme is vulnerable to an off-line keyword guessing attack. We prove that a malicious adversary can retrieve keyword-specific information from any query message captured by the protocol.

Lemma 1 Ma et al.’s scheme is susceptible to an off-line keyword guessing attack.

Proof 1 An attacker performs the following steps.

first captures a valid trapdoor T_w. The goal of is to recover w from T_w. guesses an appropriate keyword w′, and computes H₃(w′), β_ID = h₂(ID, P_ID, T_ID) and α_ID = h₁(ID, T_ID).
checks whether e(T_w, P) = e(β_ID H₃(w′), P_ID) ⋅ e(H₃(w′), T_ID + α_ID P_pub). If the equation holds, the guessed keyword is a valid keyword, namely, w′ = w. Otherwise, go to Step (1). Specifically, if w′ = w, then

Definitions and system model

System model

We first describe the relationships and interactions among the four entities, namely, the cloud server, KGC, data sender and data receiver, in dCLPAEKS: The KGC generates the system parameters and part of the user’s private key according to the user’s identity. The sender extracts keywords from each data file and uses the sender’s secret key , the receiver’s public key and the server’s public key Pk_Csvr to encrypt keywords to form the dCLPAEKS ciphertext; then, it encrypts the file by using another encryption algorithm and sends it to the cloud server along with the keyword ciphertext. To search encrypted files, the receiver uses his secret key and the sender’s public key to generate the trapdoor T_w of the keywords and sends it to the cloud server. The cloud server uses its secret key to search and return the ciphertext files containing the target keywords.

Definition of dCLPAEKS

Our dCLPAEKS scheme consists of the following (probabilistic) polynomial-time algorithms.

Setup (λ): Given a security parameter λ, this algorithm generates a master public/secret key pair (m_pk, m_sk) and global parameter params.
KGen_Csvr (params): Given params, it generates a public/secret key pair (PK_Csvr, SK_Csvr) for the cloud server.
PPKGen (params, ID, m_sk): Given params, a master secret key m_sk and a user’s identity ID, it generates the user’s partial private key, referred to as PPK_ID.
SVGen (params, ID): Given params and a user’s identity ID, it generates a secret value, referred to as SV_ID.
SKGen (params, PPK_ID, SV_ID): Given params, a partial private key PPK_ID and a secret value SV_ID, it generates the user’s secret key, referred to as SK_ID.
PKGen (params, SV_ID): Given params and a secret value SV_ID, it generates a public key PK_ID for the identity ID.
PEKS (params, w, PK_Csvr, , , ID_s, ID_r): Given params, a keyword w, PK_Csvr, a sender’s identity ID_s and , and a receiver’s identity ID_r and , it generates a ciphertext C_w.
Trapdoor (params, w, , , ID_r, ID_s): Given params, a keyword w, a receiver’s identity ID_r and , and a sender’s identity ID_s and , it generates a trapdoor T_w.
dTest (params, SK_Csvr, C_w, T_w, ID_s, ID_r): Given params, the server’s secret key SK_Csvr, a PEKS ciphertext C_w, a trapdoor T_w, the identity ID_s of a sender and the ID_r of a receiver, it outputs 1 if C_w and T_w contain the same keyword, and 0 otherwise.

Security models

There are two types of adversaries, i.e., a Type 1 adversary and a Type 2 adversary , in certificateless cryptography [43]. Adversary cannot access the master key. However, can extract partial private keys and secret keys, request public keys and replace public keys with any values he chooses. Adversary can access the system’s master key, but cannot replace the user’s public key.

We define the following five games between the adversaries () and a challenger to show that our scheme is semantically secure against IKGA.

For adversaries in Game 1 to Game 4, we set the following natural restrictions.

The adversary cannot extract the secret key for the challenge identities.
The adversary cannot make a ciphertext query and trapdoor query on the challenge keywords , for the challenge identity of a sender and of a receiver.

Ciphertext indistinguishability.

Game 1: Ciphertext indistinguishability for

In this game, we set the semi-trusted cloud server as the adversary . Ciphertext indistinguishability ensures that the ciphertext reveals no information about the underlying keyword to the cloud server.

Setup: Given a security parameter λ, the challenger generates the system parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). It then invokes on the input params and (PK_Csvr, SK_Csvr).
Phase 1: Adversary issues a sequence of queries adaptively polynomial-many times but is subject to the restrictions defined above.
- Partial Private Key Extraction: Given the user’s identity ID, it returns the user’s partial private key PPK_ID to .
- Secret Key Queries: Given the user’s identity ID, returns the user’s secret key SK_ID to .
- Public Key Queries: Given the user’s identity ID, returns the user’s public key PK_ID to .
- Replace Public Key: can replace the public key with any value he chooses.
- Ciphertext Queries: Given a keyword w, identity ID_s of a sender and identity ID_r of a receiver, computes the corresponding ciphertext C_w and returns it to .
- Trapdoor Queries: Given a keyword w, identity ID_s of a sender and identity ID_r of a receiver, computes the corresponding trapdoor T_w and returns it to .
Challenge: outputs two keywords , , the challenge identity of a sender and of a receiver, and randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext and returns it to , where .
Phase 2: Adversary continues to issue requests to , as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, and wins the game if and only if b′ = b.
The advantage of winning Game 1 is defined as

Game 2: Ciphertext indistinguishability for

In this game, we set the semi-trusted KGC as the adversary .

Setup: generates the system public parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). Then, returns params and m_sk to .
Phase 1: can adaptively issue a sequence of queries polynomial-many times but obeys the restrictions defined above.
- Secret Key Queries: Taking the identity ID as input, outputs the secret key SK_ID to .
- Public Key Queries: Taking the identity ID as input, outputs the public key PK_ID to .
- Ciphertext Queries: Given a keyword w, identity ID_s of a sender and ID_r of a receiver, outputs the corresponding ciphertext C_w to .
- Trapdoor Queries: Given a keyword w, identity ID_s of a sender and ID_r of a receiver, outputs the corresponding trapdoor T_w to .
Challenge: outputs two keywords and and the challenge identity of a sender and of a receiver, and randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext and returns it to , where .
Phase 2: Adversary continues to issue queries to as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, and wins the game if and only if b′ = b.
The advantage of winning Game 2 is defined as

Definition 3 We say that a scheme satisfies ciphertext indistinguishability if, for any polynomial-time adversaries , is negligible.

Trapdoor indistinguishability.

Game 3: Trapdoor indistinguishability for

Similar to Game 1, we set the semi-trusted cloud server as the adversary . Trapdoor indistinguishability guarantees that the cloud server cannot obtain any information about the keyword from a given trapdoor. This indicates that the server cannot forge valid ciphertext and cannot perform offline inside keyword guessing attacks (IKGAs) successfully.

Setup: Same as in Game 1.
Phase 1: Same as in Game 1.
Challenge: outputs two keywords and and the challenge identity of a sender and of a receiver, and randomly chooses a bit b ∈ {0, 1}, computes the challenge trapdoor and returns it to , where .
Phase 2: Adversary continues to issue queries to , as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, if b′ = b, we say wins the game. The advantage of in breaking trapdoor indistinguishability in a is defined as

Game 4: Trapdoor indistinguishability for

Game 4 is similar to Game 2; the difference is that needs to generate a trapdoor of the challenge keywords for the challenge identity of a sender and of a receiver in Game 4.

Definition 4 We say that a scheme satisfies trapdoor indistinguishability if for any polynomial-time adversaries , is negligible.

Designated testability.

Game 5: In this game, we assume that is an outside adversary who is allowed to obtain any user’s secret key. Designated testability aims to prevent adversaries from searching the ciphertexts while guaranteeing that only the designated server can.

Setup: generates the system public parameter params, the PKG’s public/secret key (m_pk, m_sk), and the server’s public/secret key (PK_Csvr, SK_Csvr). It invokes on input params and PK_Csvr.
Phase1: Adversary can adaptively issue a sequence of queries polynomial-many times.
- Secret Key Queries: Given a user’s identity ID, return the user’s secret key SK_ID to .
- Public Key Queries: Given a user’s identity ID, return the user’s public key PK_ID to .
Challenge: outputs two keywords and and the challenge identity of a sender and of a receiver, and randomly chooses a bit b ∈ {0, 1}, computes the challenge ciphertext and returns it to , where .
Phase 2: Adversary continues to issue queries to as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, and if b′ = b, wins the game.
The advantage of winning Game 5 is defined as

Definition 5 We say that a scheme satisfies designated testability if for any polynomial-time adversary , is negligible.

A instantiation of dCLPAEKS

Concrete scheme

Here, we present a concrete scheme, which is composed of nine polynomial-time algorithms.

Setup (λ): Given a security parameter λ, this algorithm runs as follows:
1. Select two cyclic groups and with the same prime order p, a bilinear pairing , and a cryptographic hash function .
2. Select a random number as the master key m_sk and set m_pk = g^α, where g is an arbitrary generator of .
3. Choose another arbitrary generator .
4. Choose two additional cryptographic hash functions and .
The system parameters params are publicly and authentically available, but only the KGC knows the master key m_sk. Steps (1) and (2) of the algorithm are run by the KGC.
KGen_Csvr (params): Chooses randomly, and outputs the server’s public/secret key pair (PK_Csvr, SK_Csvr) = (g^ν, ν).
PPKGen (params, ID_i, m_sk): Outputs the partial private key .
SVGen (params, ID_i): Selects randomly, and outputs the secret value .
SKGen (params, , ): Outputs the secret key .
PKGen (params, SV_ID): Outputs the public key .
PEKS (params, w, PK_Csvr, , , ID_s, ID_r): Selects randomly and computes , C₂ = g^s, C₃ = h^s, where outputs the ciphertext C_w = (C₁, C₂, C₃).
Trapdoor (params, w, , , ID_r, ID_s): Selects randomly, and computes T₁ = H(k, w) ⋅ h^r, T₂ = g^r, where , and outputs the trapdoor T_w = (T₁, T₂).
dTest (params, SK_Csvr, C_w, T_w, ID_s, ID_r): Returns 1 if and 0 otherwise.

Security analysis

In this subsection, we analyze the security of the above concrete construction.

ciphertext indistinguishability.

Theorem 1 Our scheme satisfies ciphertext indistinguishability under the assumption that DBDH is intractable.

This conclusion is derived from the following two lemmas.

Lemma 2 For any polynomial-time adversary , our scheme satisfies ciphertext indistinguishability in Game 1 under the random oracle model assuming DBDH is intractable.

Proof 2 Assume that is a semi-trusted server that tries to break the ciphertext indistinguishability of our scheme. We construct a simulator to solve the DBDH problem. Given a random challenge , where Z is either equal to or a random element of , interacts with as follows:

Setup: randomly chooses h from and and sets (PK_Csvr, SK_Csvr) = (g^ν, ν) and params . sends params and (PK_Csvr, SK_Csvr) to .
Phase1: is allowed to issue queries to the following oracles simulated by . To simplify, let us make the following assumptions: the adversary does not initiate repeated queries, and the attacker does not use an identity to perform any calculations before initiating H₁ on the identity.
- H Queries: Upon receiving query on an element k and a keyword w, randomly chooses an element from as the output of H(k, w).
- H₁ Queries: Suppose that makes at most queries. A list is maintained by , referred to as . randomly chooses , and guesses that the i-th and the j-th H₁ queries initiated by correspond to the sender’s challenge identity and receiver’s challenge identity , respectively. When makes a H₁ query on identity ID, responds as follows:
  1. If this is the i-th query, e.g., , outputs H₁(ID) = g^x and adds < ID, g^x, ⊥ > to .
  2. If this is the j-th query, e.g., , outputs H₁(ID) = g^y and adds < ID, g^y, ⊥ > to .
  3. Otherwise, chooses a random number , outputs and adds < ID, H₁(ID), μ_ID > to .
- H₂ Queries: Given a pair of identities (ID_s, ID_r), randomly chooses an element from as the output of H₂(ID_s, ID_r).
- Partial Private Key Extraction: When asks for the partial private key of the ID, if or , outputs a random bit η′ and aborts. Otherwise, it recovers the tuple < ID, H₁(ID), μ_ID > from , and returns the partial private key to .
- Secret Key Queries: maintains a list L_SK, which is initially empty. Taking ID as input, performs the following actions:
  1. If and , it recovers the tuple < ID, H₁(ID), μ_ID > from and chooses a random number β_ID as the secret value. Then, returns the secret key to and adds < ID, SK_ID > into L_SK.
  2. Otherwise, randomly chooses an element as a secret value and adds < ID, ⊥, β_ID > into L_SK. Then, outputs a random bit η′ and aborts.
- Public Key Queries: maintains a list L_PK, which is initially empty. Given an identity ID, retrieves the tuple < ID, SK_ID > from L_SK, computes the public key , and then returns it to and adds < ID, PK_ID > into L_PK.
- Replace Public Key: can replace the public key with any value he chooses.
- Ciphertext Queries: Taking (w, ID_r, ID_s) as input, randomly chooses and executes the following steps:
  1. If at least one of ID_r and ID_s is not equal to or , without loss of generality, we assume that . recovers from , from L_SK, and from L_PK, computes and returns , C₂ = g^s, C₃ = h^s.
  2. Otherwise, outputs a random bit η′ and aborts.
- Trapdoor Queries: Taking (w, ID_r, ID_s) as input, randomly chooses and responds as follows:
  1. If at least one of ID_r and ID_s is not equal to or , without loss of generality, we assume that . recovers from , from L_SK, and from L_PK, computes and returns T₁ = H(k, w) ⋅ h^r, T₂ = g^r.
  2. Otherwise, outputs a random bit η′ and aborts.
Challenge: issues a challenge on two different keywords , , a sender’s identity and a receiver’s identity . randomly selects a bit b ∈ {0, 1} and an element , and computes the ciphertext , where and , .
Phase 2: Simulator responds as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, and then outputs η′ = 0 if b′ = b and 1 otherwise.

If guesses that the challenge identities are incorrect, aborts. Denote by abt the event that aborts. The probability that event abt does not occur is .

Assume that does not abort in the game. If , the view of is the same as in a real attack, and succeeds in the game with probability . If Z is selected from randomly, then k is also a random element in , so wins Game 1 with probability at most . Hence, the advantage of in solving the DBDH problem is

If is not negligible, then is not negligible.

Lemma 3 For any polynomial-time adversary , our scheme satisfies ciphertext indistinguishability in Game 2 under the random oracle model, assuming DBDH is intractable.

Proof 3 Assume that is a semi-trusted KGC that tries to break the ciphertext indistinguishability of our scheme. Given a DBDH instance , we will construct an algorithm to solve the DBDH problem by using as a subroutine. interacts with as follows:

Setup: selects h from and randomly and sets params and PK_Csvr = g^x. Then, sends params, PK_Csvr and m_sk = α to .
Phase 1: executes the following queries; assume that does not repeat its queries.
- H Queries: A list is maintained by , referred to as L_H, which is initially empty. Taking an element k and a keyword w as input, randomly chooses , returns to and adds < (k, w), H(k, w), μ_k,w > into L_H.
- H₁ Queries: Given an identity ID, randomly selects an element from as the H₁(ID) value and returns it to .
- H₂ Queries: Given a pair of identities (ID_s, ID_r), randomly chooses an element from as its H₂(ID_s, ID_r) value, and outputs it to .
- Secret Key Queries: maintains a list L_SK that is initially empty. Taking an identity ID as input, selects a random number as the secret value and returns the secret key SK_ID = ((H₁(ID)^α, β_ID) to . Then, adds < ID, H₁(ID)^α, β_ID > into L_SK.
- Public Key Queries: maintains a list L_PK that is initially empty. Given an identity ID, recovers the tuple < ID, H₁(ID)^α, β_ID > from L_SK, computes the public key , and returns it to . Then, < ID, PK_ID > is added to L_PK.
- Ciphertext Queries: Taking (w, ID_r, ID_s) as input, recovers the tuple < (k, w), H(k, w), μ_k,w > from L_H, where . If there is no such tuple, generates it as in previous queries. Then, randomly chooses and computes the ciphertext C_w = (C₁, C₂, C₃), where and C₂ = g^s, C₃ = h^s.
- Trapdoor Queries: Taking (w, ID_r, ID_s) as input, recovers the tuple < (k, w), H(k, w), μ_k,w > from L_H, where . If there is no such tuple, generates it as in previous queries. Then, randomly chooses and computes trapdoor T_w = (T₁, T₂), where T₁ = H(k, w) ⋅ h^r, T₂ = g^r.
Challenge: submits two challenge keywords , , the sender’s challenge identity and the receiver’s challenge identity . chooses a random bit b ∈ {0, 1} and recovers the tuple , where . If there is no such tuple, generates it as in previous queries. Then, it computes the challenge ciphertext , where .
Phase 2: Simulator responds as in phase 1.
Guess: outputs a bit b′; if b′ = b, outputs η′ = 0, and it outputs 1 otherwise.

If , then the challenge ciphertext is a correctly distributed verifiable ciphertext, so the view of is the same as in real attack, and succeeds in Game 2 with probability . If Z is selected from randomly, then is also a random element in ; hence, succeeds in the game with probability at most . Therefore, the advantage of in solving the DBDH problem is If is not negligible, then is not negligible.

Trapdoor indistinguishability of .

Theorem 2 Our scheme satisfies trapdoor indistinguishability under the assumption that DBDH is intractable.

This conclusion is derived from the following two lemmas.

Lemma 4 For any polynomial-time adversary , our scheme satisfies trapdoor indistinguishability in Game 3 under the random oracle model, assuming DBDH is intractable.

The proof of Lemma 4 is similar to that of Lemma 2. The difference is that the simulator generates a challenge trapdoor in the challenge stage. We omit the proof details here.

Lemma 5 For any polynomial-time adversary , our scheme satisfies trapdoor indistinguishability in Game 4 under the random oracle model, assuming DBDH is intractable.

Proof 4 Assume that is a semi-trusted KGC that tries to break the trapdoor indistinguishability of our scheme. We construct a simulator to solve the DBDH problem. Given a random challenge , interacts with as follows:

Setup: selects h from and randomly and sets params and (PK_Csvr, SK_Csvr) = (g^ν, ν). returns params, PK_Csvr and m_sk = α to .
Phase 1: responds to ’ inquiry as follows, assuming that does not initiate repeated queries.
- H Queries: Given a keyword w and an element k, randomly chooses an element from as the output of H(k, w).
- H₁ Queries: Given an identity ID, picks a random number from and returns it to as the H₁(ID) value of ID.
- H₂ Queries: Suppose that issues at most queries. A list is maintained by , referred to as , which is initially empty. randomly selects and guesses that the two identities in the i-th inquiry are the sender’s challenge identity and receiver’s challenge identity , respectively. Taking a pair of identities (ID_s, ID_r) as input, responds as follows:
  1. If this is the i-th query, e.g., , it returns H₂(ID_s, ID_r) = g^z and adds < (ID_s, ID_r), g^z, ⊥ > into .
  2. Otherwise, randomly chooses , returns and adds into .
- Secret Key Queries: A list is maintained by , called L_SK. Given an identity ID, responds as follows:
  1. If , selects a random number as the secret value of the identity ID and returns the secret key SK_ID = (H₁(ID)^a, β_ID) to , then adds < ID, SK_ID > into L_SK.
  2. Otherwise, outputs a random bit η′ and aborts.
- Public Key Queries: maintains an initially empty list L_PK. Taking an identity ID as input, returns a value to according to the following conditions:
  1. If , it outputs PK_ID = (g^x)^α and adds < ID, (g^x)^α > into L_PK.
  2. If , it outputs PK_ID = (g^y)^α and adds < ID, (g^y)^α > into L_PK.
  3. Otherwise, retrieves the tuple < ID, H₁(ID)^a, β_ID > from L_SK and computes the public key . Then, returns PK_ID to and adds < ID, PK_ID > into L_PK.
- Ciphertext Queries: Taking (w, ID_r, ID_s) as input, randomly chooses and computes the ciphertext C_w = (C₁, C₂, C₃) as follows:
  1. If or , computes and C₂ = g^s, C₃ = h^s.
  2. Otherwise, at least one of ID_r and ID_s is not equal to or . Without loss of generality, we assume that . recovers from and from L_PK, computes and returns , C₂ = g^s, C₃ = h^s.
- Trapdoor Queries: Taking (w, ID_r, ID_s) as input, randomly chooses , and computes the trapdoor T_w = (T₁, T₂) as follows:
  1. If or , computes and T₂ = g^r.
  2. Otherwise, at least one of ID_r and ID_s is not equal to or . Without loss of generality, we assume that . recovers from and from L_PK, computes and returns T₁ = H(k, w) ⋅ h^r, T₂ = g^r.
Challenge: submits two challenge keywords , , the sender’s challenge identity and the receiver’s challenge identity . chooses a random bit b ∈ {0, 1} and an element , computes ciphertext , , and returns ciphertext to .
Phase2: responds as in phase 1.
Guess: outputs a bit b′ ∈ {0, 1}, and then outputs η′ = 0 if b′ = b and 1 otherwise.

If guesses that the challenge identities are incorrect, then aborts. Denote by abt the event that aborts. The probability that event abt does not occur is .

Assume that does not abort in the game. If , the view of is the same as in a real attack, and succeeds in the game with probability . If Z is chosen from randomly, then k is also a random element in ; hence, would win Game 4 with probability at most . Therefore, the advantage of in solving the DBDH problem is

If is not negligible, then .

Theorem 3 Our scheme satisfies designated testability under the assumption that DBDH is intractable.

Proof 5 Assume that outside adversary tries to break the designated testability of our scheme. We build an algorithm with as a subroutine to solve the DBDH problem. Given a DBDH instance , interacts with as follows:

Setup: selects h from and randomly and sets params and PK_Csvr = g^x. Then, sends params and PK_Csvr to .
Phase 1: answers inquiries as follows, assuming that does not repeat his inquiries.
- H₁ Queries: Given an identity ID, randomly chooses an element from as the H₁(ID) value and returns it to .
- H₂ Queries: Given a pair of identities (ID_s, ID_r), randomly selects an element from as the H₂(ID_s, ID_r) value, and outputs it.
- H Queries: A list L_H is maintained by that is initially empty. Taking an element k and a keyword w as input, randomly chooses , returns to and adds < (k, w), H(k, w), μ_k,w > into L_H.
- Secret Key Queries: maintains a list L_SK that is initially empty. Taking an identity ID as input, selects a random number β_ID ∈ Z_p as the secret value of identity ID and returns the secret key SK_ID = ((H₁(ID)^α, β_ID) to . Then, adds < ID, H₁(ID)^α, β_ID > into L_SK.
- Public Key Queries: maintains a list L_PK that is initially empty. Given an identity ID, recovers the tuple < ID, H₁(ID)^α, β_ID > from L_SK, computes the public key , and returns it to . Then, < ID, PK_ID > is added to L_PK.
Challenge: submits two different challenge keywords , , the sender’s identity and the receiver’s identity . chooses a random bit b ∈ {0, 1} and recovers the tuple , where . If there is no such tuple, generates it as in previous queries. Then, computes the challenge ciphertext , where .
Phase 2: The simulator responds as in phase 1.
Guess: outputs a bit b′; if b′ = b, B outputs η′ = 0, otherwise 1. If , the view of is the same as in a real attack, and succeeds in Game 5 with probability . If Z is selected from randomly, then is also a random element in ; hence, succeeds in the game with probability at most . Therefore, the advantage of in solving the DBDH problem is
If is not negligible, then .

Evaluation

In this section, we evaluate the security properties, computational complexity and communication overhead of our scheme, and compare it with the schemes proposed in [17, 43, 44], and [19]. Table 1 shows the comparison between these schemes and our dCLPAEKS scheme in terms of security. As shown by Table 1, our scheme provides security against inside keyword guessing attacks and against outside keyword guessing attacks without requiring a secure channel.

Download:

Table 1. Comparison of security.

https://doi.org/10.1371/journal.pone.0230722.t001

The communication overhead of the five schemes is given in Table 2. According to Table 2, the communication overhead of our dCLPAEKS scheme is almost the same as that of SCF-MCLPEKS⁺ and CL-dPAEKS.

Download:

Table 2. Comparison of communication overhead.

https://doi.org/10.1371/journal.pone.0230722.t002

The comparison of computational complexity is given in Table 3. We compare the computational costs of the PEKS, Trapdoor and Test algorithms of the schemes. The results show that our scheme is comparable with the other schemes.

Download:

Table 3. Computational efficiency comparison.

https://doi.org/10.1371/journal.pone.0230722.t003

We implemented our scheme, the SCF-MCLPEKS⁺ scheme [17], the CL-dPAEKS scheme [19] and CLPEKS [43] on a laptop with a 3.10-GHz Intel i5 CPU with a 64-GB memory and an Ubuntu Linux operating system. We used the PBC library [48], in which Type-A pairing was chosen. The pairing operation is based on the curve y² = x³ + x over the field F_p. The parameter set is |G₁| = |G₂| = 128-bit.

To compare the computational efficiency of the four schemes, including our scheme in more detail, we tested the running time of the ciphertext algorithm and trapdoor algorithm. As shown in Fig 1, the ciphertext generation of our scheme has the highest computational efficiency compared with the other schemes. According to Fig 2, as the number of keywords increases, our scheme outperforms the other two schemes in computational efficiency. Fig 1. Computation cost of ciphertext generation in different schemes. Fig 2. Computation cost of trapdoor generation in different schemes.

Download:

Fig 1.

https://doi.org/10.1371/journal.pone.0230722.g001

Download:

Fig 2.

https://doi.org/10.1371/journal.pone.0230722.g002

Conclusions

In a cloud-based IoT environment, protecting the privacy and security of sensitive data stored in the cloud is a major concern. An effective method is certificateless public key searchable encryption (CLPEKS), which both enables search over encrypted data and avoids the problems of certificate management and key escrow. In this paper, we demonstrated that the security reduction for the CLPAEKS scheme proposed by He et al. is incorrect under two types of adversaries, and Ma et al.’s CLPEKS scheme is susceptible to an off-line KGAs. We then proposed a new certificateless public key searchable encryption scheme, which overcomes a limitation of these two schemes—the need for a secure channel—and solves the security defect that the CLPEKS scheme cannot resist a KGAs. In addition, in comparison with the other recently proposed CLPEKS schemes, the performance analysis demonstrates that our scheme is more efficient and has higher security.

References

1. Atzori L, Iera A, Morabito G. The Internet of Things: A survey. COMPUT NETW. 2010, 54(15):2787–2805.
- View Article
- Google Scholar
2. Ray PP A survey on Internet of Things architectures. Journal of King Saud University–Computer and Information Sciences. 2018, 30(3):291–319.
- View Article
- Google Scholar
3. Ren H, Li H, Dai Y, Yang K, Lin X. Querying in Internet of Things with Privacy Preserving: Challenges, Solutions and Opportunities. IEEE Network. 2018, 32(6):144–151.
- View Article
- Google Scholar
4. Xu L, He W, Li S. Internet of Things in Industries: A Survey. IEEE Trans. Ind. Infor. 2014, 10(4)2233–2243.
- View Article
- Google Scholar
5. Doukas C, Pliakas T, Maglogiannis I. Mobile healthcare information management utilizing cloud computing and android OS. In: Proc. IEMBC 2010, LNCS, 2010, 6110:1–23.
- View Article
- Google Scholar
6. Li X, Huang X, Li C, et al. EdgeCare: Leveraging Edge Computing for Collaborative Data Management in Mobile Healthcare Systems. IEEE Access. 2019, 7:22011–22025.
- View Article
- Google Scholar
7. Dropbox. http://www.dropbox.com/.
8. Windows azure. http://www.microsoft.com/windowsazure/.
9. Babu SM, Lakshmi AJ, Rao BT et al. A study on cloud based Internet of Things: CloudIoT. In: Proc. GCCT 2015. 60–65.
- View Article
- Google Scholar
10. Conti M, Dehghantanhab A, Frankec K, Watsond S. Internet of Things security and forensics: Challenges and opportunities. Future Generation Computer Systems. 2018, 78:544–546.
- View Article
- Google Scholar
11. Ojha T, Misra S, Raghuwanshi RN, Poddar H. DVSP: Dynamic Virtual Sensor Provisioning in Sensor–Cloud-Based Internet of Things. IEEE Internet of Things Journal. 2019, 6(3):5265–5272.
- View Article
- Google Scholar
12. Pan W, Chai C. Structure-aware Mashup service Clustering for cloud-based Internet of Things using genetic algorithm based clustering algorithm. Future Generation Computer Systems. 2018, 87:267–277.
- View Article
- Google Scholar
13. Meerja KA, Naidu PV, Kalva S R K. Price Versus Performance of Big Data Analysis for Cloud Based Internet of Things Networks. Mobile Netw Appl. 2019, 24:1078–1094.
- View Article
- Google Scholar
14. Boveiri HR, Khayami R, Elhoseny M et al. An efficient Swarm-Intelligence approach for task scheduling in cloud-based internet of things applications. J Ambient Intell Human Comput. 2019, 10:3469–3479.
- View Article
- Google Scholar
15. Li H, Yang Y, Dai Y, et al. Achieving Secure and Efficient Dynamic Searchable Symmetric Encryption over Medical Cloud Data. IEEE T CLOUD COMPU. 2018, 1–1.
- View Article
- Google Scholar
16. Song D, Wagner D, Perrig A. Practical techniques for searches on encrypted data In: Proc. IEEE Symp Secur Privacy, Berkeley, CA, USA, 2000, 44-55.
17. Wu T, Chen C, Wang K. Security Analysis and Enhancement of a Certificateless Searchable Public Key Encryption Scheme for IIoT Environments. IEEE Access. 2019, 7:49232–49239.
- View Article
- Google Scholar
18. Boneh D, Crescenzo G, Ostrovsky R, Persiano G. Publickey encryption with keyword search. In: Proc. EUROCRYPT 2004. LNCS, 2004, 3027:506–522.
- View Article
- Google Scholar
19. Wu L, Zhang Y, Ma M, et al. Certificateless searchable public key authenticated encryption with designated tester for cloud-assisted medical Internet of Things. ANN TELECOMMUN. 2019, 74(7-8):423–434.
- View Article
- Google Scholar
20. Xu P, He S, Wang W, et al. Lightweight Searchable Public-key Encryption for Cloud-assisted Wireless Sensor Networks. IEEE T IND INFORM. 2018, 14(8):3712–3723.
- View Article
- Google Scholar
21. Khader D. Introduction to attribute based searchable encryption. In: Proc. CMS 2014. LNCS, 2014, 8735:131–135.
- View Article
- Google Scholar
22. Ning J, Xu J, Liang K, et al. Passive Attacks Against Searchable Encryption. IEEE T INF FOREN SEC. 2018, 14(3):789–802.
- View Article
- Google Scholar
23. Baek J, Safiavi-Naini R, Susilo W. Public key encryption with keyword search revisited. In: Proc. ICCSA 2008. 2008, 1249–1259.
- View Article
- Google Scholar
24. Huang Q, Li H. An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf Sci. 2017, 403–404:1–14.
- View Article
- Google Scholar
25. Li H, Huang Q, Shen J, et al. Designated-server identity-based authenticated encryption with keyword search for encrypted emails. Inf Sci. 2019, 48:330–343.
- View Article
- Google Scholar
26. Xie R, Xu C, He C, Zhang X. Lattice-based searchable public-key encryption scheme for secure cloud storage. INT J WEB GRID SERV, 2018, 14(1)3–20.
- View Article
- Google Scholar
27. Zhang Y, Li Y, Wang Y. Conjunctive and disjunctive keyword search over encrypted mobile cloud data in public key system. MOB INF SYST. 2018, 2018:1–11.
- View Article
- Google Scholar
28. Zhang X, Tang Y, Wang H, Xu C, et al. Lattice-based proxy-oriented identity-based encryption with keyword search for cloud storage. Inf Sci. 2019, 494:193–207.
- View Article
- Google Scholar
29. Zhang X, Xu C, Wang H, Zhang Y, et al. FS-PEKS: Lattice-based Forward Secure Public-key Encryption with Keyword Search for Cloud-assisted Industrial Internet of Things. IEEE T DEPEND SECURE. 2019, 1–15.
- View Article
- Google Scholar
30. Byun JW, Rhee HS, Park HA, et al. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Proc. SDM 2006. LNCS, 2006, 4165:75–83.
- View Article
- Google Scholar
31. Yau W C, Heng S H, Goi B M. Off-Line Keyword Guessing Attacks on Recent Public Key Encryption with Keyword Search Schemes. In: Proc. ATC 2008. LNCS, 2008, 5060:100–105.
- View Article
- Google Scholar
32. Rhee H, Park J, Susilo W, et al Trapdoor security in a searchable public-key encryption scheme with a designated tester. J SYST SOFTWARE. 2010, 83(5):763–771.
- View Article
- Google Scholar
33. Sun L, Xu C, Zhang M, Chen K, Li H. Secure searchable public key encryption against insider keyword guessing attacks from indistinguishability obfuscation. Sci China Inf Sci. 2018, 61(3) 038106.
- View Article
- Google Scholar
34. Xu P, Jin H, Wu Q, Wang W. Public-key encryption with fuzzy keyword search: A provably secure scheme under keyword guessing attack. IEEE T COMPUT. 2013, 62(11):2266–2277.
- View Article
- Google Scholar
35. Chen R, Mu Y, Yang G, et al. Dual-server public-key encryption with keyword search for secure cloud storage. IEEE T INF FOREN SEC. 2016, 11(4):789–798.
- View Article
- Google Scholar
36. Lu Y, Wang G, Li J. Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement. Inf Sci. 2019, 479:270–276.
- View Article
- Google Scholar
37. Xie R, He C, Xie D, et al. A secure ciphertext retrieval scheme against Insider KGAs for mobile devices in cloud storage. SECUR COMMUN NETW. 2018, 2018:1–7.
- View Article
- Google Scholar
38. He D, Ma M, Zeadally S. Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE T IND INFORM. 2018, 14(8):3618–3627.
- View Article
- Google Scholar
39. Ma M, He D, Khan MK, et al. Certificateless searchable public key encryption scheme for mobile healthcare system. COMPUT ELECTR ENG. 2018, 65:413–424.
- View Article
- Google Scholar
40. Liu C, Zhu L, Wang W, Tan Y. pattern leakage in searchable encryption: attacks and new construction. Inf Sci. 2013, 265–188.
- View Article
- Google Scholar
41. Wang B, Chen T, Jeng F. Security improvement against malicious server’s attack for a dPEKS scheme. International Journal of Information and Education Technology. 2011, 1(4):350–353, 2011.
- View Article
- Google Scholar
42. Al-Riyami S S, Paterso KG. Certificateless public key cryptography. In: Proc. ASIACRYPT 2003. LNCS, 2003, 2894:452–473.
- View Article
- Google Scholar
43. Peng Y, Cui J, Ying Z. Certificateless public key encryption with keyword search. CHINA COMMUN. 2014, 11(11):100–113.
- View Article
- Google Scholar
44. Ma M, He D, Kumar N, et al. Certificateless searchable public key encryption scheme for industrial internet of things. IEEE T IND INFORM. 2018, 14(2):759–767.
- View Article
- Google Scholar
45. Boneh D, Franklin M. Identity-based encryption from the weil pairing. In: Proc. CRYPTO 2001. LNCS, 2001, 2139:213–229.
- View Article
- Google Scholar
46. Boyen X. The uber-assumption family. In: Proc. Pairing 2008, LNCS, 2008, 5209:39–56.
- View Article
- Google Scholar
47. He D. Chen Y, Joux JA. A one round protocol for tripartite Diffie-Hellman. In: Proc. ANTS 2000. LNCS, 2000, 1838:385–393.
- View Article
- Google Scholar
48. Lynn B, et al. Pairing-based crytography library. 2013, (https://crypto.stanford.edu/pbc/).

[ref1] 1. Atzori L, Iera A, Morabito G. The Internet of Things: A survey. COMPUT NETW. 2010, 54(15):2787–2805.
View Article
Google Scholar

[2] View Article

[3] Google Scholar

[ref2] 2. Ray PP A survey on Internet of Things architectures. Journal of King Saud University–Computer and Information Sciences. 2018, 30(3):291–319.
View Article
Google Scholar

[5] View Article

[6] Google Scholar

[ref3] 3. Ren H, Li H, Dai Y, Yang K, Lin X. Querying in Internet of Things with Privacy Preserving: Challenges, Solutions and Opportunities. IEEE Network. 2018, 32(6):144–151.
View Article
Google Scholar

[8] View Article

[9] Google Scholar

[ref4] 4. Xu L, He W, Li S. Internet of Things in Industries: A Survey. IEEE Trans. Ind. Infor. 2014, 10(4)2233–2243.
View Article
Google Scholar

[11] View Article

[12] Google Scholar

[ref5] 5. Doukas C, Pliakas T, Maglogiannis I. Mobile healthcare information management utilizing cloud computing and android OS. In: Proc. IEMBC 2010, LNCS, 2010, 6110:1–23.
View Article
Google Scholar

[14] View Article

[15] Google Scholar

[ref6] 6. Li X, Huang X, Li C, et al. EdgeCare: Leveraging Edge Computing for Collaborative Data Management in Mobile Healthcare Systems. IEEE Access. 2019, 7:22011–22025.
View Article
Google Scholar

[17] View Article

[18] Google Scholar

[ref7] 7. Dropbox. http://www.dropbox.com/.

[ref8] 8. Windows azure. http://www.microsoft.com/windowsazure/.

[ref9] 9. Babu SM, Lakshmi AJ, Rao BT et al. A study on cloud based Internet of Things: CloudIoT. In: Proc. GCCT 2015. 60–65.
View Article
Google Scholar

[22] View Article

[23] Google Scholar

[ref10] 10. Conti M, Dehghantanhab A, Frankec K, Watsond S. Internet of Things security and forensics: Challenges and opportunities. Future Generation Computer Systems. 2018, 78:544–546.
View Article
Google Scholar

[25] View Article

[26] Google Scholar

[ref11] 11. Ojha T, Misra S, Raghuwanshi RN, Poddar H. DVSP: Dynamic Virtual Sensor Provisioning in Sensor–Cloud-Based Internet of Things. IEEE Internet of Things Journal. 2019, 6(3):5265–5272.
View Article
Google Scholar

[28] View Article

[29] Google Scholar

[ref12] 12. Pan W, Chai C. Structure-aware Mashup service Clustering for cloud-based Internet of Things using genetic algorithm based clustering algorithm. Future Generation Computer Systems. 2018, 87:267–277.
View Article
Google Scholar

[31] View Article

[32] Google Scholar

[ref13] 13. Meerja KA, Naidu PV, Kalva S R K. Price Versus Performance of Big Data Analysis for Cloud Based Internet of Things Networks. Mobile Netw Appl. 2019, 24:1078–1094.
View Article
Google Scholar

[34] View Article

[35] Google Scholar

[ref14] 14. Boveiri HR, Khayami R, Elhoseny M et al. An efficient Swarm-Intelligence approach for task scheduling in cloud-based internet of things applications. J Ambient Intell Human Comput. 2019, 10:3469–3479.
View Article
Google Scholar

[37] View Article

[38] Google Scholar

[ref15] 15. Li H, Yang Y, Dai Y, et al. Achieving Secure and Efficient Dynamic Searchable Symmetric Encryption over Medical Cloud Data. IEEE T CLOUD COMPU. 2018, 1–1.
View Article
Google Scholar

[40] View Article

[41] Google Scholar

[ref16] 16. Song D, Wagner D, Perrig A. Practical techniques for searches on encrypted data In: Proc. IEEE Symp Secur Privacy, Berkeley, CA, USA, 2000, 44-55.

[ref17] 17. Wu T, Chen C, Wang K. Security Analysis and Enhancement of a Certificateless Searchable Public Key Encryption Scheme for IIoT Environments. IEEE Access. 2019, 7:49232–49239.
View Article
Google Scholar

[44] View Article

[45] Google Scholar

[ref18] 18. Boneh D, Crescenzo G, Ostrovsky R, Persiano G. Publickey encryption with keyword search. In: Proc. EUROCRYPT 2004. LNCS, 2004, 3027:506–522.
View Article
Google Scholar

[47] View Article

[48] Google Scholar

[ref19] 19. Wu L, Zhang Y, Ma M, et al. Certificateless searchable public key authenticated encryption with designated tester for cloud-assisted medical Internet of Things. ANN TELECOMMUN. 2019, 74(7-8):423–434.
View Article
Google Scholar

[50] View Article

[51] Google Scholar

[ref20] 20. Xu P, He S, Wang W, et al. Lightweight Searchable Public-key Encryption for Cloud-assisted Wireless Sensor Networks. IEEE T IND INFORM. 2018, 14(8):3712–3723.
View Article
Google Scholar

[53] View Article

[54] Google Scholar

[ref21] 21. Khader D. Introduction to attribute based searchable encryption. In: Proc. CMS 2014. LNCS, 2014, 8735:131–135.
View Article
Google Scholar

[56] View Article

[57] Google Scholar

[ref22] 22. Ning J, Xu J, Liang K, et al. Passive Attacks Against Searchable Encryption. IEEE T INF FOREN SEC. 2018, 14(3):789–802.
View Article
Google Scholar

[59] View Article

[60] Google Scholar

[ref23] 23. Baek J, Safiavi-Naini R, Susilo W. Public key encryption with keyword search revisited. In: Proc. ICCSA 2008. 2008, 1249–1259.
View Article
Google Scholar

[62] View Article

[63] Google Scholar

[ref24] 24. Huang Q, Li H. An efficient public-key searchable encryption scheme secure against inside keyword guessing attacks. Inf Sci. 2017, 403–404:1–14.
View Article
Google Scholar

[65] View Article

[66] Google Scholar

[ref25] 25. Li H, Huang Q, Shen J, et al. Designated-server identity-based authenticated encryption with keyword search for encrypted emails. Inf Sci. 2019, 48:330–343.
View Article
Google Scholar

[68] View Article

[69] Google Scholar

[ref26] 26. Xie R, Xu C, He C, Zhang X. Lattice-based searchable public-key encryption scheme for secure cloud storage. INT J WEB GRID SERV, 2018, 14(1)3–20.
View Article
Google Scholar

[71] View Article

[72] Google Scholar

[ref27] 27. Zhang Y, Li Y, Wang Y. Conjunctive and disjunctive keyword search over encrypted mobile cloud data in public key system. MOB INF SYST. 2018, 2018:1–11.
View Article
Google Scholar

[74] View Article

[75] Google Scholar

[ref28] 28. Zhang X, Tang Y, Wang H, Xu C, et al. Lattice-based proxy-oriented identity-based encryption with keyword search for cloud storage. Inf Sci. 2019, 494:193–207.
View Article
Google Scholar

[77] View Article

[78] Google Scholar

[ref29] 29. Zhang X, Xu C, Wang H, Zhang Y, et al. FS-PEKS: Lattice-based Forward Secure Public-key Encryption with Keyword Search for Cloud-assisted Industrial Internet of Things. IEEE T DEPEND SECURE. 2019, 1–15.
View Article
Google Scholar

[80] View Article

[81] Google Scholar

[ref30] 30. Byun JW, Rhee HS, Park HA, et al. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. In: Proc. SDM 2006. LNCS, 2006, 4165:75–83.
View Article
Google Scholar

[83] View Article

[84] Google Scholar

[ref31] 31. Yau W C, Heng S H, Goi B M. Off-Line Keyword Guessing Attacks on Recent Public Key Encryption with Keyword Search Schemes. In: Proc. ATC 2008. LNCS, 2008, 5060:100–105.
View Article
Google Scholar

[86] View Article

[87] Google Scholar

[ref32] 32. Rhee H, Park J, Susilo W, et al Trapdoor security in a searchable public-key encryption scheme with a designated tester. J SYST SOFTWARE. 2010, 83(5):763–771.
View Article
Google Scholar

[89] View Article

[90] Google Scholar

[ref33] 33. Sun L, Xu C, Zhang M, Chen K, Li H. Secure searchable public key encryption against insider keyword guessing attacks from indistinguishability obfuscation. Sci China Inf Sci. 2018, 61(3) 038106.
View Article
Google Scholar

[92] View Article

[93] Google Scholar

[ref34] 34. Xu P, Jin H, Wu Q, Wang W. Public-key encryption with fuzzy keyword search: A provably secure scheme under keyword guessing attack. IEEE T COMPUT. 2013, 62(11):2266–2277.
View Article
Google Scholar

[95] View Article

[96] Google Scholar

[ref35] 35. Chen R, Mu Y, Yang G, et al. Dual-server public-key encryption with keyword search for secure cloud storage. IEEE T INF FOREN SEC. 2016, 11(4):789–798.
View Article
Google Scholar

[98] View Article

[99] Google Scholar

[ref36] 36. Lu Y, Wang G, Li J. Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement. Inf Sci. 2019, 479:270–276.
View Article
Google Scholar

[101] View Article

[102] Google Scholar

[ref37] 37. Xie R, He C, Xie D, et al. A secure ciphertext retrieval scheme against Insider KGAs for mobile devices in cloud storage. SECUR COMMUN NETW. 2018, 2018:1–7.
View Article
Google Scholar

[104] View Article

[105] Google Scholar

[ref38] 38. He D, Ma M, Zeadally S. Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE T IND INFORM. 2018, 14(8):3618–3627.
View Article
Google Scholar

[107] View Article

[108] Google Scholar

[ref39] 39. Ma M, He D, Khan MK, et al. Certificateless searchable public key encryption scheme for mobile healthcare system. COMPUT ELECTR ENG. 2018, 65:413–424.
View Article
Google Scholar

[110] View Article

[111] Google Scholar

[ref40] 40. Liu C, Zhu L, Wang W, Tan Y. pattern leakage in searchable encryption: attacks and new construction. Inf Sci. 2013, 265–188.
View Article
Google Scholar

[113] View Article

[114] Google Scholar

[ref41] 41. Wang B, Chen T, Jeng F. Security improvement against malicious server’s attack for a dPEKS scheme. International Journal of Information and Education Technology. 2011, 1(4):350–353, 2011.
View Article
Google Scholar

[116] View Article

[117] Google Scholar

[ref42] 42. Al-Riyami S S, Paterso KG. Certificateless public key cryptography. In: Proc. ASIACRYPT 2003. LNCS, 2003, 2894:452–473.
View Article
Google Scholar

[119] View Article

[120] Google Scholar

[ref43] 43. Peng Y, Cui J, Ying Z. Certificateless public key encryption with keyword search. CHINA COMMUN. 2014, 11(11):100–113.
View Article
Google Scholar

[122] View Article

[123] Google Scholar

[ref44] 44. Ma M, He D, Kumar N, et al. Certificateless searchable public key encryption scheme for industrial internet of things. IEEE T IND INFORM. 2018, 14(2):759–767.
View Article
Google Scholar

[125] View Article

[126] Google Scholar

[ref45] 45. Boneh D, Franklin M. Identity-based encryption from the weil pairing. In: Proc. CRYPTO 2001. LNCS, 2001, 2139:213–229.
View Article
Google Scholar

[128] View Article

[129] Google Scholar

[ref46] 46. Boyen X. The uber-assumption family. In: Proc. Pairing 2008, LNCS, 2008, 5209:39–56.
View Article
Google Scholar

[131] View Article

[132] Google Scholar

[ref47] 47. He D. Chen Y, Joux JA. A one round protocol for tripartite Diffie-Hellman. In: Proc. ANTS 2000. LNCS, 2000, 1838:385–393.
View Article
Google Scholar

[134] View Article

[135] Google Scholar

[ref48] 48. Lynn B, et al. Pairing-based crytography library. 2013, (https://crypto.stanford.edu/pbc/).

Figures

Abstract

Introduction

Our contributions

Related works

Paper organization

Preliminaries

Bilinear pairing

Computational bilinear diffie-hellman problem

Decisional bilinear diffie-hellman assumption

Review and security analysis of the CLPAEKS and CLPEKS schemes

Review and security analysis of He et al.’s CLPAEKS scheme

Description of He et al.’s scheme.

Security analysis.

Review and security analysis of Ma et al.’s CLPEKS scheme

A description of Ma et al.’s scheme.

Security vulnerability.

Definitions and system model

System model

Definition of dCLPAEKS

Security models

Ciphertext indistinguishability.

Trapdoor indistinguishability.

Designated testability.

A instantiation of dCLPAEKS

Concrete scheme

Security analysis

ciphertext indistinguishability.

Trapdoor indistinguishability of .

Evaluation

Conclusions

References