Certificateless searchable public key encryption scheme secure against keyword guessing attacks for smart healthcare

Journal of Information Security and Applications 50 (2020) 102429

Contents lists available at ScienceDirect

Journal of Information Security and Applications journal homepage: www.elsevier.com/locate/jisa

Certificateless searchable public key encryption scheme secure against keyword guessing attacks for smart healthcareR Mimi Ma a,b, Debiao He c,∗, Shuqin Fan a, Dengguo Feng a a

State Key Laboratory of Cryptology, Beijing, China College of Information Science and Engineering, Henan University of Technology, Zhengzhou, China c Key Laboratory of Aerospace Information Security and Trusted Computing, Ministry of Education, School of Cyber Science and Engineering, Wuhan University, Wuhan, China b

a r t i c l e

i n f o

Article history:

Keywords: Certificateless public key encryption Searchable encryption Privacy Smart healthcare

a b s t r a c t The smart healthcare system (SHS) provides a new information service mode. It greatly improves the diagnostic efficiency by monitoring patients’ signs information via various wearable devices. To ensure the confidentiality of sensitive information, the security and privacy issues have drawn wide attention. The searchable encryption technology is suitable for addressing these issues, because it supports search over encrypted data and provides data privacy protection. Recently, many searchable public-key encryption (SPE) schemes have been designed to balance security and efficiency. However, these SPE schemes face the challenge of certificate management or key escrow. This is because they are constructed based on public key infrastructure (PKI) or identity (ID) cryptosystem. Meanwhile, most of SPE schemes are subject to great security threats, such as keyword guessing attacks (KGA). To resolve the above problems, this paper designs a secure certificateless SPE scheme for SHS, and this scheme does not require the use of secure channels, i.e., a SCF-CLSPE scheme. We prove that this SCF-CLSPE scheme can resist KGA and chosen keyword attacks (CKA) under standard model. In addition, the results of performance analysis indicate that this SCF-CLSPE scheme can achieve better efficiency. © 2019 Published by Elsevier Ltd.

1. Introduction With Internet as core, the Internet of Things (IoT) embeds all objects in the network through various smart sensing devices, and provides an intelligent network integrating the technologies of intelligent identification, positioning, tracking and monitoring [1,2]. At present, the IoT technology has been gradually applied in many areas (e.g., intelligent logistics and smart healthcare), and has received widespread attention in academia and industry. In particular, the IoT has played a key role in healthcare industry, such as improving the quality of healthcare and realizing telemedicine, thus promoting the prosperous development of smart healthcare [3]. The SHS system relies on the advanced IoT technology to realize real-time interaction between patients, doctors and hospitals. It gradually becomes an information-based and intelligent medical service platform [4,5]. Compared to traditional healthcare system,

R The work was supported by the National Natural Science Foundation of China (Nos. 61902111, 61932016, 61972294) and the High-level talent Fund Project of Henan University of Technology (No. 31401164). ∗ Corresponding author. E-mail addresses: [email protected] (M. Ma), [email protected] (D. He), [email protected] (S. Fan), [email protected] (D. Feng).

https://doi.org/10.1016/j.jisa.2019.102429 2214-2126/© 2019 Published by Elsevier Ltd.

SHS provides more flexible and convenient medical services for patients, and has significant advantages such as higher accuracy and lower cost. In SHS, some wearable smart devices (e.g., smart bracelet) are used to track and monitor patients’ signs information (e.g., temperature and blood pressure) in real time, so that doctors can timely diagnose patients and effectively control the patients’ conditions. In addition, it can improve the utilization rate of medical resources, so as to reduce the phenomenon such as difficulty in seeing a doctor, tension between doctors and patients, and frequent medical accidents. However, as SHS matures, the amount of healthcare data it produces is also increasing rapidly [6]. How to deal with this big data becomes a challenge. What’s remarkable is that the cloud computing can quickly process cumbersome data [7]. Therefore, cloud computing can not only greatly promote the healthy development of SHS, but also provide a broader prospects for SHS: 1) it improves the ability of data computing and storage; 2) it provides a platform for precise medical treatment to help doctors better conduct remote diagnosis for patients; 3) the healthcare data can be collected more comprehensively, and doctors can share the latest data in real time. Fig. 1 is the architecture diagram of a cloud-based SHS. In cloud-based SHS system, the healthcare data is first collected through various smart sensing devices, and then

2

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

• Firstly, we design a new SCF-CLSPE scheme for SHS, and the proposed scheme avoids the use of secure channels by involving the server’s public/private key pair. • Secondly, we analyze the security of SCF-CLSPE, and the security analysis indicates that SCF-CLSPE could resist KGA and CKA attacks. • Finally, we test the efficiency of SCF-CLSPE from the aspects of computation cost and communication cost, and the test results demonstrate that SCF-CLSPE has lower computation/communication costs. 1.2. Organization of the rest paper

Fig. 1. The architecture of cloud-based SHS.

Below is the framework for the remainder of this paper. Section 2 summarizes some related work. Section 3 presents some preliminary knowledge including complexity assumptions and the system model for SCF-CLSPE. Section 4 gives a concrete instance of SCF-CLSPE. Section 5 defines the security model for SCF-CLSPE and presents the security analysis. The performance of SCF-CLSPE is analyzed in Section 6. Finally, Section 7 makes a summary for this paper. 2. Related literature

uploaded to the cloud, which can not only reduce overhead for hospitals, but also improve work efficiency. However, if this data is to be shared, the patients’ rights and privacy will be involved. To strengthen data management and enhance data security, users usually tend to encrypt data and then outsource ciphertext to the cloud. However, once the data is encrypted, its original structure will change, and the search algorithm designed for original plaintext will not work. To address this issue, the technology of searchable encryption (SE) is introduced [8]. SE allows encrypted data to be searched by keywords, and does not expose any information about original data. According to the different ways of secret key selection, SE can be divided into two forms, one is searchable public key encryption (SPE), and the other is searchable symmetric encryption (SSE) [9]. SSE schemes have high efficiency, but it cannot be well applied to the multi-user data sharing scenario due to the symmetry of its key [10]. In this paper, we focus on the SPE schemes. Recently, several SPE schemes have been constructed for protecting data privacy [11– 17]. The previously proposed SPE schemes provide different search functions and security guarantees for data privacy, however, these schemes cannot avoid the inherent burden of certificate management and key escrow. That is because they are constructed based on public key infrastructure (PKI) cryptosystem or identity (ID) cryptosystem. To address these issues that exist in PKI-based or ID-based schemes, a new definition of certificateless public key cryptography (CLPKC) is given by Al-Riyam et al. [18]. Recently, Peng et al. [19] proposed a certificateless searchable public key encryption (CLSPE) scheme. He et al. [20] proposed an authenticated CLSPE scheme. However, all of the existing CLSPE schemes are only proven secure under random oracle model, which only provides a heuristic argument. We therefore argue that it’s meaningful to design a CLSPE scheme without random oracle model, and we present a new system/security model for CLSPE scheme on the basis of scheme [17] in this paper.

1.1. Our contributions We construct a secure-channel free certificateless searchable public key encryption (SCF-CLSPE) scheme without random oracle model for SHS. Specifically, the main contributions are described as below:

Song et al. [8] gave the first SE scheme on the basis of symmetric cryptosystem, i.e., a SSE scheme, which only allows users with the secret key to search for encrypted data. However, their scheme cannot resist statistical attack. And in Song et al.’s scheme, the search complexity grows linearly with files’ size due to their construction is based on the idea of linear scanning. Later on, many SSE schemes have been designed to balance security and efficiency [21–24]. SSE is of high speed and easy to implement. However, it faces threats in secret-key distribution and management. To resolve above issues, a new cryptographic primitive called SPE was proposed by Boneh et al. [10]. They considered the email system and gave a concrete scheme of SPE. The SPE scheme contains three participants, namely a mail server, a data owner and a data receiver. The search process is performed as the following steps: 1) some keywords are extracted from each document; 2) the data owner uses receiver’s public-key to encrypt the extracted keywords, and then uploads all encrypted data to the mail server; 3) the receiver generates a trapdoor of the keywords to be retrieved using his/her own private-key, and transmits the generated trapdoor to the server; 4) the server tests the match between ciphertext and trapdoor, and feeds the test result back to the receiver. Abdalla et al. [25] analyzed that scheme [10] is computationally consistent, and then they designed a statistically consistent scheme. Baek et al. [26] found that the scheme [10] is inefficient and impractical because it cannot transmit the trapdoor between server and receiver via public channel. To resolve this issue, they constructed a SPE scheme with no secure channels, i.e., a SCF-SPE, which involved the server’s public/private keys. The test algorithm in SCF-SPE can only be executed by the designated server. Later, the security model of scheme [26] is improved by Rhee et al. [27]. And in [27], they constructed a new SCF-SPE instance under the improved security model. Byun et al. [28] observed that many SPE schemes [10,29] are vulnerable to KGA attack due to the following reasons: 1) the space that keywords chosen from is usually smaller; 2) users tend to search using some commonly keywords. Fang et al. [30] presented an efficient SCF-SPE scheme under the standard model, and stated that their scheme is secure against KGA attack. However, Shao et al. [31] analyzed that the scheme [30] cannot resist KGA attack if the attacker is the server. To enhance the security, they improved the security model of SCF-SPE, and constructed a modified SCF-SPE scheme. Recently, Lu et al. [17] analyzed schemes [30,31], and proved that neither

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

3

of them can resist KGA attacks. The former is insecure against outside KGA attack, and the latter is insecure against inside KGA attack. To resolve these security weaknesses, an improved scheme based on scheme [30] is designed in [17]. Chen et al. [32] constructed a dual-server SPE (DS-SPE) scheme and shown that their DS-SPE scheme is resistant to inside KGA. The operation of the search algorithm in DS-SPE must be coordinated by two servers. However, Huang et al. [11] pointed out that Chen et al.’s scheme encountered some attacks (i.g., KGA and CKA) and they designed a new DS-SPE to overcome these security flaws. In order to resist the KGA attacks, Xu et al. [12] constructed a novel SPE scheme, which is able to search for fuzzy keywords. In [12], each keyword corresponds to two trapdoors, that is, one is an exact trapdoor, and the other is a fuzzy trapdoor. The attacker cannot capture the exact trapdoor, thus it cannot run the test algorithm. Recently, Chen et al. [13] designed a forward secure lightweight SPE scheme. More SPE schemes have been constructed that focus on enhancing the functionality and practicality, see [14–16]. 3. Preliminaries Fig. 2. The system model for SCF-CLSPE.

3.1. Complexity assumptions We assume G1 , G2 and GT are three p-order cyclic groups in this paper, and let g ∈ G1 and g¯ ∈ G2 be generators. Definition 1. The mapping eˆ: G1 × G2 → GT is defined as a bilinear pairing if eˆ has the following properties • (Computable) eˆ(g, g¯ ) is computable in polynomial time. • (Nondegenerate) eˆ(g, g¯ ) = 1. • (Bilinear) ∀x, y ∈ Z∗p , eˆ(g, g¯ )xy = eˆ(gx , g¯y ). Definition 2. (The DBDH problem) Assume that eˆ: G1 × G2 → GT is a bilinear pairing, x, y, z ∈ Z∗p are unknown numbers. Given (g, gx , gy , gz ) ∈ G41 , (g¯, g¯x , g¯y , g¯z ) ∈ G42 , T ∈ GT , to decide the following two cases: 1) T is random; 2) or T = eˆ(g, g¯ )xyz . Definition 3. (The truncated (decision) q-ABDHE problem [33]) Assume that x, z ∈ Z∗p are unknown numbers. Given the points

(g, gx , gx , . . . , gx ) ∈ Gq1+1 , (g¯, g¯x , g¯x , . . . , g¯x , g¯z , g¯zx 2

q

2

q

q+2

) ∈ Gq2+3 and

T ∈ GT , to decide the following two cases: 1) T is random; 2) or q+1 T = eˆ(g, g¯ )zx .

• Setup(λ): Input a security parameter λ, output a master key s and public parameters GP . • Ext ract − Part ial − P rivate − Key(GP , s, IDi ): Input GP , s and the identity IDi (i ∈ {S, O, R}), output the corresponding partial private key di . • Set − Secret − V alue(GP , IDi ): Input GP and the participants’ identity IDi (i ∈ {S, O, R}), output the secret value xi . • Set − P rivate − Key(GP , di , xi ): Input GP , di , xi , output SKi as the participants’ private key. • Set − P ublic − Key(GP , xi ): Input GP , xi , output the participants’ public key PKi . • SC F − C LSP E (SKO , P KS , P KR , w ): Input SKO , PKS , PKR , and a keyword w, output a ciphertext Cw . • Trapdoor(SKR , PKO , PKS , w): Input SKR , PKO , PKS , and a keyword w, output the trapdoor Tw . • Test(PKS , SKS , Tw , Cw ): Input PKS , SKS , Tw , Cw , output “1” meaning Cw and Tw contain the same keywords; Otherwise, output “0”. 4. The construction of our scheme

3.2. One-Time signatures Definition 4. (One-Time signature [30]) There are three algorithms in a one-time signature sig, i.e., KeyGen, Sign and Verify. • KeyGen(λ): Input a security parameter λ, this algorithm returns a one-time key pair (ssk, svk). • Sign(ssk, m): Input the signature secret key ssk and the message m, this algorithm returns the corresponding signature σ . • Verify(svk, m, σ ): Input the verification key svk, the signature (m, σ ), this algorithm returns “1” if the signature is valid; Otherwise, returns “0”. 3.3. System model We present the definition of a SCF-CLSPE scheme in this subsection. Definition 5. (SCF-CLSPE) A SCF-CLSPE scheme consists of eight algorithms, and four participants, i.e., a KGC, a cloud server (S), a data owner (O), a data receiver (R). The interaction between these participants is shown in Fig. 2. The specific algorithms are described as below:

The proposed SCF-CLSPE scheme is constructed by the following eight algorithms. • Setup(λ): Given a security parameter λ, KGC chooses three p-order cyclic groups G1 , G2 , GT , and selects a bilinear mapping eˆ: G1 × G2 → GT . Let g and g¯ be generators of G1 and G2 , respectively. KGC chooses seven different cryptographic secure pseudo-random number generators (PRNGs) h0 : {0, 1}n × G1 → Z∗p , h1 : G1 → {0, 1}m , h2 : {0, 1}n+m → {0, 1}n , h3 : GT → Z∗p , h4 : {0, 1}n → Z∗p , h5 : {0, 1}n × G1 × G1 × G1 → Z∗p , h6 : {0, 1}n × {0, 1}n × G1 × G1 × G1 × G1 × G1 → Z∗p and picks a s ∈ Z∗p randomly as the system master key, computes Ppub = gs . In addition, KGC picks u¯ , v¯ ∈ G2 randomly and chooses a one-time signature scheme sig = (KeyGen, Sign, V eri f y ). Let GP = {G1 , G2 , GT , eˆ, p, g, g¯, Ppub , h0 , h1 , h2 , h3 , h4 , h5 , h6 }. KGC publishes GP and keeps s secretly. • Extract-Partial-Private-Key (GP , s, IDi ): Given an identity IDi ∈ {0, 1}∗ (i ∈ {S, O, R}), KGC chooses a number ti ∈ Z∗p randomly, computes Ti = gti , αi = h0 (IDi , Ti ), di = ti + sαi (mod p), and sends Ti , di via the secure channel to the participant with IDi . The participant can check the correctness of di by verifying ?

di P = Ti + αi Ppub .

4

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

• Set-Secret-Value(GP , IDi ): The user with the identity IDi (i ∈ {S, O, R}) chooses a random number xi ∈ Z∗p as its secret value. • Set-Private-Key(GP , di , xi ): Takes GP , di and xi (i ∈ {S, O, R}) as input, and outputs SKS = (xS , dS ), SKO = (xO , dO ). The receiver executes the following steps to generate its own private key. 1) Chooses n + 1 numbers e0 , e1 , . . . , en ∈ Z∗p randomly. 2) Computes hˆi = gei (i ∈ {0, 1, . . . , n} ) and sets h = (hˆ0 , hˆ1 , . . . , hˆn ) ∈ Gn+1 . 1

3) Assume that w = (w1 , w2 , . . . , wn ) ∈ {0, 1}n is a keyword string and H : {0, 1}n → G1 is a algebraic hash function, which is defined as

H (w ) = hˆ0

n 

and W = h2 (w, ψ ) = (W1 , W2 , . . . , Wn ). Then, the receiver runs the following operations to generate the trapdoor. 1) Selects sw ∈ Z∗p . 2) n  i=1

h (W )(z−sw )/(y−η )

dw = XS

Computes

,

here

h(W ) = e0 +

(eiWi ), η = h4 (W ).

3) Sets Tw = (dw , sw ). • Test(PKS , SKS , Tw , Cw ): The server operates as follows. 1) Checks

V eri f y(c0 , σ , (C1 , C2 , C3 , C4 , C5 )) = 1, ?

(1)

2) If the Eq. (1) is true, verifies the following two formulas

(hˆi )wi = gh(w) ,

?

eˆ(C1 , u¯ c0 v¯ ) = eˆ(g, C5 ).

i=1

where h(w ) = e0 + Z∗p

n  i=1

( ei wi ).

(2)

?

4) Selects y, z ∈ randomly, and computes Y¯ = g¯y , Z¯ = g¯z . 5) Sets SKR = (xR , dR , y, z, e0 , e1 , . . . , en ). • Set-Public-Key(GP , xi ): Takes GP and xi (i ∈ {S, O, R}) as input. The server generates its public key as follows. 1) Computes XS = gxS . 2) Selects a Q¯ ∈ G2 randomly. 3) Sets P KS = (XS , TS , Q¯ ). The data owner executes the following steps to generate its own public key. 1) Computes XO = gxO . 2) Set P KO = (XO , TO ). The receiver generates its public key as follows. 1) Computes XR = gxR . 2) Sets P KR = (TR , XR , Y¯ , Z¯ , hˆ0 , hˆ1 , . . . , hˆn ). • SCF-CLSPE(SKO , PKS , PKR , w): Takes SKO , PKS , PKR and a keyword w as input, the data owner computes

β = h6 (IDO , IDR , XO , XR , TO , TR , Ppub ),

eˆ(dw , C2t/xS )C3sw = C4 ,

(3)

here t = h3 (eˆ(C1 , Q¯ )(βS xS +dS ) ). 2) Outputs “1” if and only if both Eqs. (2) and (3) are true. Correctness:













t = h3 eˆ(C1 , Q¯ )(βS xS +dS )

 = h3 eˆ(gr , Q¯ )(βS xS +dS )  = h3 eˆ(g(βS xS +dS ) , Q¯ )r



β αS ¯ r = h3 eˆ(XS S TS Ppub ,Q)



eˆ(dw , (C2 )t/xS )C3sw



h (W )(z−sw ) y−η

= eˆ XS

t

rsw

, ((Y¯ g¯ (−η ) ) t ) xS · eˆ(H (W ), g¯ r

= eˆ(g, g¯ )h(W )r (z−sw ) eˆ(g, g¯ )h(W )rsw = eˆ(g, g¯ )h(W )rz = eˆ(H (W ), Z¯ )r

(xO αR ) ψ = h1 (XR(β xO +dO ) TRxO Ppub ).

= C4

Let W = h2 (w, ψ ). Then, the data owner generates the ciphertext for keyword as the following steps. 1) Generates a key pair (ssk, svk) ← KeyGen(λ) for the signature scheme sig, and sets c0 = svk. 2) Selects two numbers r, r from Z∗p randomly. 3) Calculates 

C1 = gr , C2 = (Y¯ g¯ (−η ) ) t ,

5. Security analysis This section presents the definition of indistinguishability of SCF-CLSPE against CKA attack (IND-CKA), i.e., given two keywords, and one of the two keywords is selected to encrypt. The adversary cannot distinguish which of the keywords corresponding to the ciphertext. Next, under the given security model, we analyze the security of SCF-CLSPE.

r

5.1. Security model

C3 = eˆ(H (W ), g¯ )r ,

A certificateless cryptosystem contains two types of adversaries, one can replace any user’s public key, denoted as A1 , and the other can access the system master key, denoted as A2 [18].

C4 = eˆ(H (W ), Z¯ )r , 

C5 = (u¯ svk v¯ )r ,

η = h4 (W ), h5 (IDS , XS , TS , Ppub ). here

β αS ¯ r t = h3 (eˆ(XS S TS Ppub , Q ) ),

4) Computes the signature

σ = Sign(ssk, (C1 , C2 , C3 , C4 , C5 )). 5) Sets Cw = (σ , c0 , C1 , C2 , C3 , C4 , C5 ). • Trapdoor(SKR , PKO , PKS , w): The receiver calculates

β = h6 (IDO , IDR , XO , XR , TO , TR , Ppub ), (xR αO ) ψ = h1 (XO(β xR +dR ) TOxR Ppub ),

βS =

Definition 6. (IND-CKA secure) A SCF-CLSPE scheme is called INDCKA secure, if and only if the probability of any adversary in polynomial time wins the following two games is negligible. Game1 . This game is simulated between A1 and a challenger C . • Setup: Given a security parameter λ, C produces the public parameters GP and participants i’s (i ∈ {S, O, R}) public/private keys, and sends GP to A1 . • Query phase 1: A1 can ask the following operations, that is, the Partial-Private-Key query, Secret-Value query, Request-PublicKey query, Trapdoor query and Test query, then C simulates the corresponding algorithm in SCF-CLSPE scheme and returns the simulation results.

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

• Challenge: When the above Query phase terminates, A1 chooses two challenge keywords (w0 , w1 ) and returns (w0 , w1 ) to C , but w0 , w1 cannot be asked for trapdoor queries in above Query phase 1. Then C randomly picks a b ∈ {0, 1} and generates C ∗ = SC F − C LSP E (SKO , P KS , P KR , wb ). Finally, C returns C∗ to A1 . • Query phase 2: The trapdoor and test queries for any keyword w and ciphertext C are allowed to continue asking by A1 , but (C, w) cannot equal to (C∗ , w0 ) and (C∗ , w1 ). • Guess: A1 returns b . If b = b, then A1 wins in Game1 , and C outputs “1”. Game2 . This game is simulated between C and A2 . • Setup: Given a security parameter λ, C produces the public parameters GP , master key s and participants i’s (i ∈ {S, O, R}) public/private keys, and sends (GP , s ) to A2 . • Query phase 1: A2 can submit any keyword w and ciphertext C for Trapdoor and Test queries, then C outputs a corresponding value. • Challenge: A2 selects two keywords (w0 , w1 ) that have not been asked for trapdoor queries in Query phase 1 as the challenge target. C chooses b ∈ {0, 1} randomly and transmits C ∗ = SCF − CLSP E (SKO , P KS , P KR , wb ) to A2 . • Query phase 2: The trapdoor and test queries for (w, C) are allowed to continue asking by A2 , except for (C, w ) = (C ∗ , w0 ) and (C, w ) = (C ∗ , w1 ). • Guess: A2 returns b . C outputs “1” if b = b, which implies A2 wins in Game2 . 5.2. Provable security Theorem 1. Assuming DBDH and q-ABDHE problems are hard to solve, the SCF-CLSPE scheme is IND-CKA secure. Theorem 1 can be proved by Lemmas 1 and 2. Lemma 1. Assuming the adversary A1 can attack the proposed scheme that described in section 4, then an algorithm C can be constructed to solve DBDH. Proof. Let eˆ: G1 × G2 → GT be a bilinear pairing, G1 , G2 , GT be cyclic groups of order p. Suppose g ∈ G1 and g¯ ∈ G2 are generators. Given a DBDH instance, i.e., (g, ga , gb , gc , g¯, g¯a , g¯b , g¯c , T ), the goal of C is to distinguish the following two cases: 1) T is a random point of GT ; 2) T is computed by eˆ(g, g¯ )abc . We firstly define an event EOTS and consider the probability that it will happen. Let C ∗ = (svk∗ , C1∗ , C2∗ , C3∗ , C4∗ , C5∗ , σ ∗ ) be the challenge ciphertext that is transmitted to A1 . Let EOTS denote that A1 asks the test query for the ciphertext C  = (svk∗ , C1 , C2 , C3 , C4 , C5 , σ  ), and the equation V eri f y(svk∗ , σ  , (C1 , C2 , C3 , C4 , C5 )) = 1 holds. Noting that A1 does not know any information about svk∗ in query phase 1, and the maximum probability of output svk∗ is 1/p, we have the probability of EOTS occurring in phase 1 is less than qk /p, where qk denotes the maximum number of test queries. In phase 2, if EOTS occurs, then it is equivalent to forging a strong one-time S signature. Since the advantage AdvOT A that A1 breaks a one-time 1

S AdvOT A1 .

signature is negligible, then P r[EOT S ] ≤ qk /p + In the following game, C terminates the simulation and outputs a random number if EOTS occurs. Next, we describe the simulation between C and A1 . The challenger C produces a signature key pair (ssk∗ , svk∗ ) ← KeyGen(λ), ∗ sets u¯ = (g¯b )k1 , v¯ = (g¯b )−k1 svk g¯k2 (k1 , k2 ∈ Z∗p are random numbers), and sends u¯ , v¯ to A1 . • Setup: Given a security parameter λ, C selects the parameters G1 , G2 , GT , g, g¯, eˆ. Specify seven secure PRNGs hi (0 ≤ i ≤ 6) and a signature sig= (KeyGen,Sign, Verify). C selects s ∈ Z∗p , sets

5

Ppub = gs , sends GP = {eˆ, G1 , G2 , GT , g, g¯, Ppub , sig, hi (0 ≤ i ≤ 6 )} to A1 , and keep s secretly. C selects di , αi ∈ Z∗p (i ∈ {S, O, R}) randomly, calculates Ti = gdi −sαi . C sets XS = ga , Q¯ = g¯b , P KS = (XS , TS , Q¯ ). C selects xO ∈ Z∗p , calculates XO = gxO , and sets P KO = (XO , TO ), SKO = (xO , dO ). C selects e0 , e1 , . . . , en ∈ Z∗p randomly, calculates hˆi = gei (0 ≤ i ≤ n), and sets h = (hˆ0 , hˆ1 , . . . , hˆn ) ∈ Gn1+1 . H : {0, 1}n → G1 is an algebraic hash function, and   H (w ) = hˆ0 n (hˆi )wi . Let h(w ) = e0 + n (ei wi ), then H (w ) = i=1

i=1

gh(w ) . C selects xR , y, z ∈ Z∗p randomly, calculates XR = gxR , Y¯ = g¯y , Z¯ = g¯z , sets P KR = (TR , XR , Y¯ , Z¯ , hˆ0 , hˆ1 , . . . , hˆn ), SKR = (xR , dR , y, z, e0 , . . . , en ). • Query phase 1: A1 does the following queries. Partial − P r ivate − Key query: When A1 asks the partial private key for IDi , C generates di as described in above, and outputs di . Secret − V alue query: When A1 asks the secret value for IDi , C generates xi randomly, and outputs xi . Request − P ublic − Key query: When A1 asks the public key for IDi , C generates PKi as described in above, and outputs PKi . Replace − P ublic − Key query: When A1 does this query for (IDi , PKi ), C sets PKi ← PKi . Trapdoor query: When A1 does the trapdoor query for keyword ( β x +d ) x ( x α ) w, C calculates ψ = h1 (XO R R TO R PpubR O ), W = h2 (w, ψ ),

η = h4 (W ). C selects a random sw ∈ Z∗p , calculates dw = h (W )(z−sw )/(y−η ) XS , returns Tw = (dw , sw ) to A1 .

Test query: A1 can submit any w and any C for test query. Here, we assume the ciphertext C  = (c0 (= svk ), C1 , C2 , C3 , C4 , C5 , σ  ). C queries the trapdoor of w and obtains Tw = (dw , sw ). Then C checks the following two formulas:

V eri f y(c0 , σ  , (C1 , C2 , C3 , C4 , C5 )) = 1, ?

(4)

and 

eˆ(C1 , u¯ c0 v¯ ) = eˆ(g, C5 ). ?

(5)

If both of the Eqs. (4) and (5) are true, then 1) Case1: If svk = svk∗ and (σ  , C1 , C2 , C3 , C4 , C5 ) = (σ ∗ , C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) (implying that EOTS occurs), then C ends the game.   2) Case2: If svk = svk∗ , then by the Eq. (5) and C5 = (u¯ svk v¯ )r = 





∗



(g¯br k1 (svk −svk )g¯k2 r ), C1 = gr , C can calculate



β αS ¯ r t = h3 eˆ(XS S TS Ppub ,Q)



= h3 eˆ(gaβS +dS , g¯b )r











= h3 eˆ(gaβS , g¯b )r eˆ(gdS , g¯b )r





  = h3 eˆ(ga , g¯br )βS eˆ(g, g¯br )dS

 

 ∗ = h3 ((eˆ(ga , C5 )/eˆ(C1k2 , g¯a ))βS /(k1 (svk −svk ))

(eˆ(g, C5 )/eˆ(C1k2 , g¯ ))dS /(k1 (svk −svk ) ). 

∗

C checks

eˆ(dw , C2t/xS )C3sw = C4 . ?

(6)

If the Eq. (6) is true, then outputs “1”; Otherwise returns “0”. • Challenge: A1 outputs (w0 , w1 ) as the challenge keywords. C selects a b ∈ {0, 1} randomly, and calculates ψ = (β xO +dO ) xO (xO h0 (IDR ,TR ))

), W ∗ = h2 (wb , ψ ), η∗ = h4 (W ∗ ). C sets c0∗ = svk∗ , C1∗ = gc , t ∗ = h3 (T βS eˆ(gc , g¯b )dS ), picks a numh1 (XR

TR Ppub

ber r from Z∗p randomly, and computes r ∗ C2∗ = (Y¯ g¯ (−η ) ) t ∗ ,

C3∗ = eˆ(H (W ∗ ), g¯ )r ,

6

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

h4 (W ∗ ). C chooses (ssk∗ , svk∗ ) ← KeyGen(λ), calculates swb = ∗ ∗ ∗ f (η∗ ), c0 = svk∗ , and dwb = (g( f (x )− f (η ))/(x−η ) )xS h(W ) .

C4∗ = eˆ(H (W ∗ ), Z¯ )r ,

C ∗

C5∗ = (u¯ svk v¯ )c = (g¯c )k2 ,

β

α



S h0 (IDS , TS ), βS = h5 (IDS , XS , TS , Ppub ), t = h3 (eˆ(XS S TS Ppub , Q¯ )r ).

C selects a polynomial of the degree (q + 1 )

and

σ ∗ = Sign(ssk∗ , (C1∗ , C2∗ , C3∗ , C4∗ , C5∗ )). C returns C ∗ = (σ ∗ , c0∗ , C1∗ , C2∗ , C3∗ , C4∗ , C5∗ ) to A1 . • Query phase 2: The trapdoor and test queries for any (w, C)(C = C∗ ) is allowed continue to performing by A1 , C outputs the results as described in above Query phase 1. • Guess: A1 returns b . C returns “1” if b = b (implying T = eˆ(g, g¯ )abc ), ; Otherwise, returns “0”. Analysis. Suppose that the advantage of A1 wins in the above game is ε . If EOTS does not occur, and T = eˆ(g, g¯ )abc , then we have |P r[b = b] − 1/2| ≥ ε . If the point T ∈ GT is random, then t ∗ = h3 (T βS eˆ(gc , g¯b )dS ) is also random. In addition, since r ∈ Z∗p is random, then C2∗ , C3∗ , C4∗ , C5∗ are random and P r[b = b] = 1/2. So, C will solve the DBDH assumption with the advantage AdvDBDH ≥ | ( 1/2 ± ε ) − 1/2| = ε .  C Lemma 2. Suppose the adversary A2 can attack the proposed scheme that described in section 4, then an algorithm C can be constructed to decide q-ABDHE assumption. Proof. Let qt be the number of trapdoor queries, and let q ≥ qt + 1. C selects a bilinear pairing eˆ: G1 × G2 → GT , where G1 , G2 , GT are three p-order cyclic groups. C picks two generators g ∈ G1 and g¯ ∈ G2 . Given a q-ABDHE instance, i.e., 2 q 2 q q+2 (g, gx , gx , . . . , gx , g¯, g¯x , g¯x , . . . , g¯x , g¯z , g¯zx , T ), the goal of C is to decide the following two cases: 1) T is random; 2) T is calculated q+1 by eˆ(g, g¯ )zx . • Setup: Given a security parameter λ, C selects (G1 , G2 , GT , g, g¯, eˆ). Specify seven secure PRNGs (h0 , h1 , h2 , h3 , h4 , h5 , h6 ) and a signature sig = (KeyGen, Sign, V eri f y ). C selects u¯ , v¯ ∈ G2 and s ∈ Z∗p randomly, computes Ppub = gs . C returns GP = {eˆ, G1 , G2 , GT , Ppub , g, g¯, hi (0 ≤ i ≤ 6 )} and s to A2 . C selects ti , xi ∈ Z∗p (i ∈ {S, O, R}) and Q¯ ∈ G2 randomly, calculates Ti = gti , di = ti + sh0 (IDi , Ti ), Xi = gxi . C sets P KS = (XS , TS , Q¯ ), SKS = (xS , dS ), PKO = (XO , TO ), SKO = (xO , dO ). C selects n + 1 numbers e0 , e1 , . . . , en ∈ Z∗p randomly, calculates hˆi = gei (0 ≤ i ≤ n), and lets h = (hˆ0 , hˆ1 , . . . , hˆn ) ∈ Gn+1 .

q+1

X q+2 − (η∗ )q+2 = (Fi X i ), ∗ X −η

F (X ) =

i=0

calculates

C2 = (g¯zx

q+2

(g¯z )(−η

C3 = (T Fq+1 eˆ(

q 

)

∗ q+2

)1/t ,

(gx )Fi , g¯z ))h(W ) , ∗

i

i=0 sw

C4 = eˆ(dwb , (C2 )t/xS )C3 b , 

∗

C5 = (u¯ svk v¯ )r , and

σ = Sign(ssk∗ , (C1 , C2 , C3 , C4 , C5 )). C outputs Cwb = (σ , c0 , C1 , C2 , C3 , C4 , C5 ). We assume that r = zF (x ). If T = eˆ(g, g¯ )zx zxq+2

C2 = (g¯

q+1

, it follows that

z (−η∗ )q+2 1/t

(g¯ )

)

z(xq+2 −(η∗ )q+2 ) 1/t

= (g¯ =



g¯

)

z(xq+2 −(η∗ )q+2 )(x−η∗ ) x−η∗

1/t

∗ = (g¯zF (x )(x−η ) )1/t

= (g¯ (x−η ) )r/t ∗ = (Y¯ g¯−η )r/t ∗





T Fq+1 eˆ

C3 =

h(W ∗ ) (gx )Fi , g¯z i

i=0

=

q 

eˆ(g, g¯ )

zxq+1



q 

eˆ g

i=0

Fi xi

h(W ∗ ) z

, g¯

1

{0, 1}n

H: → G1 is an algebraic hash function, and   H (w ) = hˆ0 ni=1 (hˆi )wi . Let h(w ) = e0 + ni=1 (ei wi ), then h ( w ) H (w ) = g . C selects a q-degree polynomial f(X), sets Y¯ = g¯x , Z¯ = g¯ f (x ) . Let P KR = (TR , XR , Y¯ , Z¯ , hˆ0 , hˆ1 , . . . , hˆn ), SKR = (xR , dR , x, f (x ), e0 , . . . , en ). C outputs PKi (i ∈ {S, O, R}). • Query phase 1: A2 can ask the following query operation. Trapdoor query: When the trapdoor of keyword w is queried by A2 , C calculates (β xR +dR ) xR (xR h0 (IDO ,TO )

ψ = h1 (XO

TO Ppub

),

and W = h2 (w, ψ ), η = h4 (W ). C calculates sw = f (η ),

dw = ( g



selects r  ∈ Z∗p randomly, and calculates C1 = gr , αS =

f ( x )− f ( η ) x−η

)xS h(W ) ,

and returns Tw = (dw , sw ) to A2 . Test query: A2 can submit the test query for any keyword w and any ciphertext Cw . Then, C performs the trapdoor query and obtains Tw . Finally, C runs test algorithm Test(Tw , Cw , PKS , SKS ), and returns the test result. • Challenge: A2 outputs the keywords (w0 , w1 ) as the challenge target. C selects b ∈ {0, 1} randomly, and calcu(β x +d ) x (x h (ID ,T )) lates ψ = h1 (XR O O TR O PpubO 0 R R ), W ∗ = h2 (wb , ψ ), η∗ =

∗ = eˆ(g, g¯ )zF (x )h(W )

= eˆ(H (W ∗ ), g¯ )r t

swb

C4 = eˆ(dwb , (C2 ) xS )C3



= eˆ g

xS h (W ∗ )( f (x )− f (η∗ )) x−η∗

r



, (Y¯ g¯−η ) xS eˆ(H (W ∗ ), g¯ )rswb ∗

∗ ∗ ∗ = eˆ(gh(W )( f (x )− f (η )) , g¯r )eˆ(H (W ∗ ), g¯ )r f (η )

∗ ∗ = eˆ(H (W ∗ ), g¯ )r ( f (x )− f (η )) eˆ(H (W ∗ , g¯ )r f (η )

= eˆ(H (W ∗ ), g¯ )r f (x ) = eˆ(H (W ∗ ), Z¯ )r • Query phase 2: A2 can continue to make the trapdoor and test queries for w (w ∈ {w0 , w1 } ). C outputs the value as described in Query phase 1. • Guess: A2 returns b . C returns “1” if b = b, implying T = q+1 eˆ(g, g¯ )zx ; Otherwise, returns “0”. q+1 Analysis. Suppose that T = eˆ(g, g¯ )zx , then A2 can guess cor rectly (i.e., b = b) with the advantage (1/2 + ε ). Otherwise (T is random), C2 and C3 are random. Since swb = f (η∗ ) (q ≥ qt + 1 ) is a uniformly number from A2 ’s view, and

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429 Table 3 The comparison of communication costs (byte).

Table 1 The computational cost (ms).



t x



Notions

Running time

Schemes

|Ciphertext|

|Trapdoor|

tbp te−G1 te−G2 te−GT ts tv

43.5289 2.2809 4.2090 20.1695 6.4488 12.7268

Scheme [17] Scheme [27] SCF-CLSPE

|σ | + |svk| + |G1 |+ 2|G2 | + 2|GT | = 1184 |G1 | + |GT | = 448 |σ | + |svk| + |G1 |+ 2|G2 | + 2|GT | = 1184

|Z p | + |G1 | = 96 |G1 | = 64 ||Z p | + G1 | = 96

swb

C4 = eˆ dwb , C2 S C3



= eˆ g



= eˆ g

xS h (W ∗ )( f (x )− f (η∗ )) x−η∗

( f (x )− f (η∗ )) x−η∗



7

t x



swb

, C2 S C3



∗ f (η ∗ ) , C2th(W ) C3

f (x ) ∗ = eˆ g x−η∗ , C2th(W )





1 ∗ C3 /eˆ g x−η∗ , C2th(W )

 f (η∗ )

,

then C4 is indistinguishable from the points selected uniformly

1 ∗ randomly in GT if C3 = eˆ(g x−η∗ , C2th(W ) ) (the inequality holds



with the probability 1 − 1/p). C1 = gr is also uniformly random since r  ∈ Z∗p is random. Thus, A2 can guess correctly in the q−ABDHE

above game with the advantage AdvA2 ≤ AdvC

+ 1/p.



5.3. Other discussion In SCF-CLSPE scheme, the data owner’s private key is involved in the ciphertext, thus the adversary cannot obtain a valid ciphertext by guessing some candidate keywords and encrypting these candidate keywords. In addition, the test algorithm in SCF-CLSPE can only be performed by the designed server. Even though the adversary captures a trapdoor, it cannot execute the test algorithm correctly. Therefore, the SCF-CLSPE scheme could resist KGA attacks. 6. Performance analysis This section evaluates the efficiency of SCF-CLSPE, and compares it with the related schemes [17,27] from the aspects of computation cost and communication cost. For comparison, we select the standard ECDSA signature, where the bit-length of a signature is 512 bits and a verification key is 256 bits. In addition, to achieve λ = 128 bits security levels, the Barreto-Naehrig (BN) curve [34] over F256 is used for evaluation. Therefore, the bit-size of an element in |G1 |, |G2 |, |GT | and |Z p | are 64 bytes, 128 bytes, 384 bytes and 32 bytes, respectively. 6.1. Computation cost Now we present some notions for basic operations that have been used in the proposed scheme. Let te−G1 , te−G2 , te−GT be the computation cost of an exponential operation in groups G1 , G2 , GT , respectively, and let tbp be the computation cost of a bilinear pairing operation. By convention, the computation cost of the

Fig. 3. Comparison of the computation costs.

signature algorithm and the verification algorithm in a signature scheme are denoted as ts and tv respectively. To evaluate the performance, we utilize the MIRACL library [35] to test the runtime required for above operations. The test platform is described as follows: a Lenovo personal computer with 64 bits Win7 operating system, Intel Core I5-4210U 2.40GHz processor and 4.00 GB memory. Table 1 lists the running time of the evaluation results. The computation cost of the encryption algorithm and the test algorithm in SCF-CLSPE and schemes [17,27], see Table 2 and Fig. 3. The comparison results indicate that, in encryption phase and test phase, the computation cost of SCF-CLSPE is almost the same as scheme [17]. Compared to scheme [27], the computation cost of SCF-CLSPE is reduced by 43.65% in the encryption phase. In the test phase, the computation cost of SCF-CLSPE is higher than scheme [27]. However, the test algorithm is performed by the cloud, which has powerful computing ability. Thus, the SCF-CLSPE scheme is efficient. 6.2. Communication cost The communication cost required for SCF-CLSPE will be compared to the communication cost required for scheme [17] and scheme [27] in this subsection. For the sake of convenience in writing, some symbols are defined as below: • • • • •

|Ciphertext|: the bit-size of the encrypted data. |Trapdoor|: the bit-size of the trapdoor. |svk|: the bit-size of a verification key generated by a signature. |σ |: the bit-size of a signature. |Z p |: the bit-size of a number in Z p .

Table 2 Comparison of computation costs (ms). Schemes

Encryption

Test

Scheme [17] Scheme [27] SCF-CLSPE

3tbp + 2te−G1 + 4te−G2 + 3te−GT +ts ≈ 218.9418 9tbp + 2te−G1 ≈ 404.7399 3tbp + 6te−G1 + 4te−G2 + 3te−GT +ts ≈ 228.0654

4tbp + 2te−G2 + 2te−GT + tv ≈ 235.5994 tbp + te−G1 ≈ 54.2278 4tbp + 2te−G2 + 2te−GT + tv ≈ 235.5994

8

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429

• |G1 |, |G2 |, |GT |: the bit-size of a point in G1 , G2 , GT . Table 3 presents the ciphertext and trapdoor communication costs of scheme SCF-CLSPE, schemes [17,27], and shows that the communication cost of SCF-CLSPE is the same as that of scheme [17]. In comparison with scheme [27], although the communication cost required for SCF-CLSPE is slightly higher, we avoid the issue of certificate management, and the security model of our scheme is stronger. 7. Conclusion With the booming of IoT and the widespread of smart terminal devices, the SHS system provides a brand-new information-based healthcare service platform. Compared to the traditional healthcare model, it has more advantages, such as realizing the sharing of medical resources and saving the waiting time for registration. SHS brings convenience to people in healthcare services, however, it also confused by data security and privacy. To address these issues, we design a SCF-CLSPE scheme secure against KGA attacks for SHS, and the SCF-CLSPE scheme can resist CKA attacks under standard model. Moreover, we evaluate the performance of the proposed SCF-CLSPE scheme. The performance analysis shows that our proposed scheme is almost the same as Lu et al.’s scheme, and our proposed scheme has high efficiency in encryption phase compared to Rhee et al.’s scheme. Although the performance of the proposed scheme in test phase is slightly lower than Lu et al.’s scheme, our scheme can achieve IND-CKA security without random oracle. Declaration of Competing Interest The authors declare that they have no conflicts of interest. References [1] Atzori L, Iera A, Morabito G. The internet of things: a survey. Comput Netw 2010;54(15):2787–805. [2] Firouzi F, Rahmani AM, Mankodiya K, Badaroglu M, Merrett GV, Wong P, Farahani B. Internet-of-things and big data for smarter healthcare: from device to architecture, applications and analytics. Future Gener Comput Syst 2018;78:583–6. [3] Manogaran G, Varatharajan R, Lopez D, Kumar PM, Sundarasekar R, Thota C. A new architecture of internet of things and big data ecosystem for secured smart healthcare monitoring and alerting system. Future Gener Comput Syst 2018;82:375–87. [4] Catarinucci L, De Donno D, Mainetti L, Palano L, Patrono L, Stefanizzi ML, Tarricone L. An IoT-aware architecture for smart healthcare systems. IEEE Internet Things J 2015;2(6):515–26. [5] He D, Ye R, Chan S, Guizani M, Xu Y. Privacy in the internet of things for smart healthcare. IEEE Commun Mag 2018;56(4):38–44. [6] Islam MM, Razzaque MA, Hassan MM, Ismail WN, Song B. Mobile cloud-based big healthcare data processing in smart cities. IEEE Access 2017;5:11887–99. [7] Muhammad G. Automatic speech recognition using interlaced derivative pattern for cloud based healthcare system. Cluster Comput 2015;18(2):795–802. [8] Song X, Wagner D, Perrig A. Practical techniques for searches on encrypted data. In: Security and privacy, 20 0 0. S&P 20 0 0. proceedings. 20 0 0 IEEE symposium on. IEEE; 20 0 0. p. 44–55. [9] Bösch C, Hartel P, Jonker W, Peter A. A survey of provably secure searchable encryption. ACM Comput Surv (CSUR) 2015;47(2):1–51. [10] Boneh D, Crescenzo G, Ostrovsky R, Persiano G. Public key encryption with keyword search. In: International conference on the theory and applications of cryptographic techniques. Springer; 2004. p. 506–22. [11] Huang K, Tso R. Provable secure dual-server public key encryption with keyword search. In: 2017 IEEE 2nd international verification and security workshop (IVSW). IEEE; 2017. p. 39–44. [12] Xu P, Jin H, Wu Q, Wang W. Public-key encryption with fuzzy keyword search: a provably secure scheme under keyword guessing attack. IEEE Trans Comput 2012;62(11):2266–77. [13] Chen B, Wu L, Kumar N, Choo K-KR, He D. Lightweight searchable public-key encryption with forward privacy over IIoT outsourced data. IEEE Trans Emerg Top Comput 2019. [14] Ameri MH, Delavar M, Mohajeri J, Salmasizadeh M. A key-policy attribute-based temporary keyword search scheme for secure cloud storage. IEEE Trans Cloud Comput 2018. [15] Xu P, Tang S, Xu P, Wu Q, Hu H, Susilo W. Practical multi-keyword and boolean search over encrypted e-mail in cloud server. IEEE Trans Serv Comput 2019.

[16] Miao Y, Liu X, Choo K-KR, Deng RH, Li J, Li H, Ma J. Privacy-preserving attribute-based keyword search in shared multi-owner setting. IEEE Trans Dependable Secure Comput 2019. [17] Lu Y, Wang G, Li J. Keyword guessing attacks on a public key encryption with keyword search scheme without random oracle and its improvement. Inf Sci 2019;479:270–6. [18] Al-Riyami SS, Paterso KG. Certificateless public key cryptography. In: International conference on the theory and application of cryptology and information security. Springer; 2003. p. 452–73. [19] Yanguo P, Jiangtao C, Changgen P, Zuobin Y. Certificateless public key encryption with keyword search. China Commun 2014;11(11):100–13. [20] He D, Ma M, Zeadally S, Kumar N, Liang K. Certificateless public key authenticated encryption with keyword search for industrial internet of things. IEEE Trans Ind Inf 2017;14(8):3618–27. [21] Goh E-J, et al. Secure indexes. In: IACR Cryptology ePrint Archive, 20 03; 20 03. p. 216. [22] Curtmola R, Garay J, Kamara S, Ostrovsky R. Searchable symmetric encryption: improved definitions and efficient constructions. J Comput Secur 2011;19(5):895–934. [23] Zuo C, Sun S-F, Liu JK, Shao J, Pieprzyk J. Dynamic searchable symmetric encryption schemes supporting range queries with forward (and backward) security. In: European symposium on research in computer security. Springer; 2018. p. 228–46. [24] Li J, Huang Y, Wei Y, Lv S, Liu Z, Dong C, Lou W. Searchable symmetric encryption with forward search privacy. IEEE Trans Dependable Secure Comput 2019. [25] Abdalla M, Bellare M, Catalano D, Kiltz E, Kohno T, Lange T, Malone-Lee J, Neven G, Paillier P, Shi H. Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Annual international cryptology conference. Springer; 2005. p. 205–22. [26] Baek J, Safavi-Naini R, Susilo W. Public key encryption with keyword search revisited. In: International conference on computational science and its applications. Springer; 2008. p. 1249–59. [27] Rhee HS, Park JH, Susilo W, Lee DH. Improved searchable public key encryption with designated tester. In: Proceedings of the 4th international symposium on information, computer, and communications security. ACM; 2009. p. 376– 379. [28] Byun J, Rhee H, Park H-A, Lee D. Off-line keyword guessing attacks on recent keyword search schemes over encrypted data. Secure Data Manag 2006;LNCS 4165:75–83. [29] Park DJ, Kim K, Lee PJ. Public key encryption with conjunctive field keyword search. In: International workshop on information security applications. Springer; 2004. p. 73–86. [30] Fang L, Susilo W, Ge C, Wang J. Public key encryption with keyword search secure against keyword guessing attacks without random oracle. Inf Sci 2013;238:221–41. [31] Shao Z-Y, Yang B. On security against the server in designated tester public key encryption with keyword search. Inf Process Lett 2015;115(12):957–61. [32] Chen R, Mu Y, Yang G, Guo F, Wang X. Dual-server public-key encryption with keyword search for secure cloud storage. IEEE Trans Inf Forensics Secur 2015;11(4):789–98. [33] Gentry C. Practical identity-based encryption without random oracles. In: Annual international conference on the theory and applications of cryptographic techniques. Springer; 2006. p. 445–64. [34] Barreto PS, Naehrig M. Pairing-friendly elliptic curves of prime order. In: International workshop on selected areas in cryptography. Springer; 2005. p. 319–31. [35] Shamus software ltd., miracl library. http://www.shamus.ie/index.php?page= home; 2016. Mimi Ma received her Ph.D. degree in applied mathematics from School of Mathematics and Statistics, Wuhan University in 2018. She is currently a lecturer of the College of Information Science and Engineering, Henan University of Technology. Her main research interests include number theory and cryptography.

Debiao He received his Ph.D. degree in applied mathematics from School of Mathematics and Statistics, Wuhan University in 2009. He is currently a Professor of the School of Cyber Science and Engineering, Wuhan University. His main research interests include cryptography and information security, in particular, cryptographic protocols.

M. Ma, D. He and S. Fan et al. / Journal of Information Security and Applications 50 (2020) 102429 Shuqin Fan received her Ph.D. degree in cryptography from Information Engineering University in 2003. She is currently a Professor of the State Key Laboratory of Cryptology. Her main research interest is public key cryptography, in particular, lattice-based public key cryptography.

9

Dengguo Feng received his Ph.D. degree in communication engineering and information system from Xidian University in 1995. He is currently a Professor and Ph.D.supervisor. His main research interests include network and information security, trusted computing and information assurance.