TCA-PEKS: Trusted Certicateless Authentication Public-key Encryption with Keyword Search scheme in Cloud Storage
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
TCA-PEKS: Trusted Certi cateless Authentication Public-key Encryption with Keyword Search scheme in Cloud Storage Mu Han Jiangsu University Puyi Xu Jiangsu University Lei Xu Nanjing University of Science and Technology Chungen Xu ( hanmuktz888@gmail.com ) Nanjing University of Science and Technology Research Article Keywords: public-key searchable encryption, blockchain, smart contract, certi cateless cryptosystem Posted Date: June 1st, 2022 DOI: https://doi.org/10.21203/rs.3.rs-1694526/v1 License: This work is licensed under a Creative Commons Attribution 4.0 International License. Read Full License
Springer Nature 2021 LATEX template
TCA-PEKS: Trusted Certificateless
Authentication Public-key Encryption with
Keyword Search scheme in Cloud Storage
Mu Han1 , Puyi Xu1 , Lei Xu2 and Chungen Xu2*
1 School of Computer Science and Communication Engineering,
Jiangsu University, Zhenjiang, 212000, China.
2 School of Mathematics and Statistics, Nanjing University of
Science and Technology, Nanjing, 210000, China.
*Corresponding author(s). E-mail(s): hanmuktz888@gmail.com;
Contributing authors: hanmu@ujs.edu.cn; 464386016@qq.com;
leixu@njust.edu.cn;
Abstract
Public key encryption with keyword search (PEKS) technology achieves
accurate ciphertext retrieval while protecting data privacy. However,
curious or malicious semi-trusted cloud servers can cause privacy
breaches, which bring a trusted problem of ciphertext management
and searching. To address this problem, we present trusted certificate-
less authentication public-key encryption with keyword search scheme
in cloud storage(TCA-PEKS), which ensuring trusted retrieval, simul-
taneously resolve the problems of key escrow and certificate manage-
ment that exists in PEKS. In the scheme, the security of ciphertext
storage and verification is strengthened based on blockchain non-
tampering feature, which can assist users to verify the correctness
of the file. Especially, we construct an open and transparent smart
contract to limit the malicious behavior of cloud servers, in which
the user’s complete private key splits the secret value and the par-
tial private key, further guarantees the correctness of the retrieval
process. Finally, the scheme is proved to satisfy ciphertext and trap-
door indistinguishability under the random oracle model, and the
performance evaluation results show that the scheme is highly efficient.
Keywords: public-key searchable encryption, blockchain, smart contract,
certificateless cryptosystem
1
Springer Nature 2021 LATEX template
2 TCA-PEKS
Declarations
• Funding
This study was funded by the National Natural Science Foundation of China
(No. 62072240) and the Natural Science Foundation of Jiangsu Province
under Grant BK20210330.
• Competing interests
The authors have no competing interests to declare that are relevant to the
content of this article
Acknowledgments. This work was supported by the National Natural Sci-
ence Foundation of China (No. 62072240) and the Natural Science Foundation
of Jiangsu Province under Grant BK20210330.
1 Introduction
With the growing maturity of cloud storage technology, the users can signifi-
cantly reduce the local hardware storage overhead and improve the convenience
of data access by uploading data to remote cloud servers[1, 2]. But due to the
data storing in the cloud, it is out of the owners’ physical control and the cloud
servers may be unreliable, resulting in personal information leakage. There-
fore cloud data security has become an urgent problem in the development of
cloud storage.
Cryptography is currently the main means to protect data security. The
users through cryptographic algorithms to encrypt data and then upload it
to the cloud server for management, which makes malicious adversaries are
difficult to access the plaintext content of the data and effectively prevent user
privacy leakage[3, 4]. However, if a user wants to find a certain data file, he
will download a large number of ciphertexts and then decrypt them all, which
brings greatly computational resources waste by the high-frequency decryption
and files transfer operations. So the method is not applicable for a scale cloud
storage, it will destroy the searchability of data.
Searchable encryption(SE) that can accurately locate the encrypted data
by the user request, become a research hotspot in cloud storage tech-
nology. This technology generate unique encryption indexes, which enables
cryptographic files to be retrieved. The users can locate data files, by which
keyword ciphertexts matching with corresponding trapdoors. So it can balance
the retrieval and confidentiality of cloud data.
The searchable encryption is divided into symmetric searchable encryp-
tion (SSE) and public key encryption with keyword search (PEKS), in which
SSE mostly contains only hash functions or binary operations, exhibiting high
efficiency[5], but due to the complexity of key negotiation, it is generally used
for retrieval of personal encrypted data. In contrast, PEKS is more widely used
in multiuser scenarios because it can encrypt data using the receiver’s public
key without facing the insecurity of the key negotiation process[6].
Springer Nature 2021 LATEX template
TCA-PEKS 3
In PEKS, as the main entity for performing the search algorithm, the
third-party cloud server is credible or not, determining the correctness of the
user’s search results. In most scenarios cloud servers act as honest but curi-
ous entities, which will do not actively deviate from the scheduled retrieval
process. However, actually cloud servers are likely to be internal adversaries
to steal user privacy data and return incorrect results, because of lacking
effective supervision[7]. In recent years, blockchain technology has received
widespread attention, for the reason that it has decentralized and distributed
characteristics. Particularly, the immutability of blockchain and transparent of
smart contracts can establish a trusted ciphertext retrieval system, which con-
tribute to solve the problem of third-party semi-trustworthiness in searchable
encryption effectively[8].
Key security and multiuser retrieval burden also further affect the relia-
bility of the retrieval process. One reason, the public-key cryptosystem based
on Public Key Infrastructure (PKI) exit the problems of large-scale certifi-
cate management. The other reason, identity-Based Cryptography (IBC) can
reduce the complexity of key management and usage, whose public key use
identity information solving the problem of management of public keys, but at
the same time leading to insecurity of key escrow. To address these challenges,
certificateless public key cryptography (CL-PKC) are effective schemes[9–
13]. It is proposed based on IBC, whose the key consists of two parts: the
identification key extracted from the key generation center and the user’s
own private key, which can effectively reduces the complexity of key manage-
ment in PEKS scheme[14]. So in this paper, considering the immutability of
blockchain and the low overhead of CL-PKC, we proposed a trusted certifi-
cateless authentication public-key encryption with keyword search scheme in
cloud storage(TCA-PEKS).
1.1 Our Contributions
Most PEKS schemes assume cloud servers is credibility, given the lack
of consideration of security problems when the cloud servers is semi-
trustworthiness, so we propose a new notion called trusted certificateless
authentication public-key encryption with keyword search to solve the afore-
mentioned problem, which combined blockchain technology with CL-PKC to
limit the malicious behavior of cloud servers. In TCA-PEKS, the users’ pri-
vate key include two parts, a partial private key based on the user’s identity
information generated by the key generation center(KGC) and secret value.
So it assurance that the adversary can not forge a valid private key even mali-
cious KGC. After that the data owner upload encrypted files associated with
keywords, meanwhile the ciphertext and hash of the encrypted file stored in
the blockchain, which assisting in verifying the correctness and integrity. To
ensure a correct search process, the scheme use smart contracts to perform
retrieval algorithms instead of traditional cloud servers. Then the cloud server
sends the data file which containing file serial number. If a cloud server intend
Springer Nature 2021 LATEX template
4 TCA-PEKS
to forge a file, it can be captured, because of the recipient will compare the
hash value stored on blockchain to the retrieving file’s hash value.
We formally prove that TCA-PEKS scheme satisfies ciphertext indistin-
guishability and trapdoor indistinguishability based on two types of adversary
attacks under the random oracle model, and it is verified to resist Keyword
Guessing Attack(KGA). In addition, to further enhance the trapdoor security
in the trapdoor generation process, we not only use part of the user’s private
key and secret value, but also insert random value to ensure the differences
consisting of the same keywords.
We compare TCA-PEKS with other PEKS schemes in terms of compu-
tational complexity including encryption algorithm, trapdoor algorithm and
search algorithm, simultaneously simulate the actual performance of each
algorithm. The computational complexity and average time indicate that our
scheme is more efficient while ensuring security under adversary attacks and
confidence for user accessing to the files.
1.2 Related Work
Boneh et al. introduced the public key cryptosystem into searchable encryp-
tion and proposed the concept of PEKS[15], but exist problems such as low
retrieval efficiency and leakage of keyword information in the file, which restrict
the trapdoor transmission only on the secure channels. J.Baek improves the
security of trapdoor transmission by requesting server key pairs[16]. Rhee
et al. proposed the concept of trapdoor indistinguishability and designed
the first PEKS scheme for Keyword Guessing Attack (KGA)[17]. Fang et
al. proved a strong signature scheme that can resist both selective keyword
attack and ciphertext attack[18]. In recent years, Chen et al. used keyword
servers for assisting to generate live-board gates and ciphertexts, preventing
attackers from forging ciphertexts[19]. Xu et al. provide an encrypted data
search scheme with fine-grained access control by using a secure dynamic
searchable encryption[20]. Some schemes are also successively optimized and
proposed a more secure and efficient against the attacking from external
adversaries[21, 22].
By introducing blockchain smart contracts technology in traditional search-
able encryption, to some extent the semi-trustworthy problem of cloud servers
is solved[23]. Using smart contracts, the original cloud-based search process is
entrusted to the predefined smart contract, executing a trusted search with-
out the third party’s supervision. L Chen et al. proposed a blockchain-based
searchable encryption scheme for health records[24], using blockchain tech-
nology to ensure data integrity and traceability. Combined blockchain and
attribute based cryptosystems to design a searchable encryption data sharing
scheme[25], and Chen et al. designed a cloud-assisted public key searchable
encryption scheme with high efficiency based on the context of vehicular
networking[26].Springer Nature 2021 LATEX template
TCA-PEKS 5
Aimming at the current PEKS schemes face the problems of the complex
certificate management and key escrow. In 2014, Peng et al .proposed the con-
cept of certificatelenss encryption with keyword search based on certificateless
cryptosystems[27]. ISLAM et al. proposed a certificateless ciphertext retrieval
scheme for designated servers[28]. MA et al. proposed certificateless search-
able encryption schemes applied to industrial IoT environments and mobile
networks[29]. These certificateless searchable encryptions all default the cloud
server will not act as an internal adversary to obtain the keyword informa-
tion of the file. However, as an important data management and algorithm
operation carrier, it will cause more serious privacy security threats once
compromised or carried out Inside Keyword Guessing Attack (IKGA).
1.3 Paper origanization
The rest of the paper is organized as follows. We introduce the preliminary
knowledge and the security model of this scheme in sections 2. In sections 3,
we introduce the system model, and construct a concrete TCA-PEKS pro-
file. Given its concrete security proof in sections 4. In sections 5, compared
and analyzed the performance of the proposed scheme, and finally part is the
conclusion of the paper.
2 Preliminary
2.1 Bilinear Pairing
Suppose G1 ,G2 is a multiplicative cyclic group and the order is prime p, g is a
generating element of the group G1 , exists a bilinear pairing ê : G1 × G1 → G2
has the following three properties:
1.Bilinear: Given a, b ∈ Zq , ê(g a , g b ) = ê(g, g)ab are equal.
2.Computable: Given g ∈ G1 , there exists an efficient algorithm to make
ê(g, g) ∈ G2 .
3.Non-degenerate: Exists g ∈ G1 such that ê(g, g) 6= 1
2.2 Definition 1:DBDH (Decisional Bilinear
Diffie-Hellman Hypothesis)
Define the bilinear mapping ê : G1 × G1 → G2 , g is the generate element
of the group G1 , randomly selects (a, b, c, z) ∈ Zq , for the generated tuples
abc z
T1 (g, g a , g b , ê(g, g) ) and T2 (g, g a , g b , ê(g, g) ), adversary Adv DBDH cannot
distinguish T1 , T2 in polynomial time with a non-negligible advantage.
2.3 Definition 2:DDH (Decisional Diffie-Hellman
Hypothesis)
Let g be the generating element of the group G1 , randomly selects (a, b, z) ∈
Zq , for the generated tuples T1 (g, g a , g b , g ab ) and T2 (g, g a , g b , g z ), adversarySpringer Nature 2021 LATEX template
6 TCA-PEKS
Adv DDH cannot distinguish T1 , T2 in polynomial time with a non-negligible
advantage.
2.4 Definition 3:PBFT (Practical Byzantine fault
tolerance)
A consensus mechanism commonly used in block-chains. The master node
generates a sequence number for the message when client uploads a message to
the master node. Then performing storage operations when the master node
receives the number of verification credentials n ≥ 2f + 1 from slave node. (f
indicates the number of adversary nodes that can be accommodated, the total
number of nodes is n = 3f + 1)
2.5 IND-CKA Security Model
IND-CKA (Indistinguishability-Chosen Keyword Attack) is divided into
CIND-CKA (Ciphertext Indistinguishability under adaptive Chosen Keyword
Attack) and TIND-CKA (Trapdoor Indistinguishability under adaptive Cho-
sen Keyword Attack). If a scheme is going to against keyword guessing attacks,
it should satisfy both CIND-CKA and TIND-CKA. So we show that the
scheme is IND-CKA secure, which proof there is no adversary in any polyno-
mial time can win challenger C by a non-negligible advantage. There are two
types of adversaries AI and AII in TCA-PEKS, AI can replace the user’s pub-
lic key but cannot access the master key, AII cannot replace the user’s public
key but can access the master key. The scheme in this paper mainly proves
security in terms of CIND-CKA and TIND-CKA.
Game 1 CIND-CKA consists of the following algorithm, which is done by
the interaction between adversary AI and challenger C, to ensure that the
ciphertext does not reveal keyword information. The game is defined as follows:
Initialization Setup: C generate the master key SKm , and public parameter
P arams, AI cannot obtain the master key.
Phase 1: AI issues a sequence of queries adaptively polynomial-many times.
hash-query: AI execute hash-query algorithm, the challenger maintains the
mapping tuple and returns the corresponding value to the adversary.
Partial-Private-Key-Query: Given the identity IDi , C returns the corre-
sponding part of private key Di .
Private-Key-Query: Given the identity IDi , C returns the correspondings
secret value xi .
Public-Key-Query: Given the identity IDi , C runs the algorithm to com-
pute the public key P K, and returns it to AI .
Replace-Public-Key: AI can randomly replaces public key.
Encryption-Query: Input a keyword w and identity Information, C runs
the encryption algorithm and returns the corresponding ciphertext to AI .
Trapdoor-Query: Input a keyword w and identity Information, C runs the
trapdoor algorithm, and returns the corresponding trapdoor Tw to AI .Springer Nature 2021 LATEX template
TCA-PEKS 7
Challenge: AI selects two keywords w0 , w1 with equal length and identities
(IDo , IDu ), AI can replace the public key infomation for the given identities,
C generates the ciphertext C = {C1 , C2 , C3 } and random selects a bit b from
{0, 1}, then sends the corresponding ciphertext to AI .
Guess 1: AI selects and outputs b′ , wins the challenge if b′ = b.
In Game 1, we define the advantage of successfully distinguishing the
ciphertext of TCA-PEKS as
CIN D−CKA
AdvA I
= Pr[b = b′ ] − 1/2
Game 2 CIND-CKA consists of the following algorithm, which is done
by the interaction between adversary AII and challenger C, to ensure that
the ciphertext does not reveal keyword information. The game is defined as
follows:
Initialization Setup: C generate the master key SKm , and public parameter
P arams, AII obtain the master key but cannot replace public key.
Phase 1: AII is allowed to execute Hash-Query, Private-Key-Query, Public-
Key-Query in an adaptive manner.
Encryption-Query: Input a keyword w and identity Information, C runs
the encryption algorithm and returns the corresponding ciphertext to AII .
Trapdoor-Query: Input a keyword w and identity Information, C runs the
trapdoor algorithm and returns the corresponding trapdoor Tw to AII .
Challenge: AII selects two keywords w0 , w1 with equal length and identities
(IDo , IDu ), AII can computes the part of peivate key infomation for the given
identities, C generates the ciphertext {C1 , C2 , C3 , C4 } and randomly selects a
bit b from {0, 1}, then sends the corresponding ciphertext to AII .
Guess 1: AII selects and outputs b′ , wins the challenge if b′ = b.
In Game 2 ,we define the advantage of successfully distinguishing the
ciphertext of TCA-PEKS as
CIN D−CKA
AdvA II
= Pr[b = b′ ] − 1/2
Game 3 TIND-CKA consists of the following algorithm, which is done by
the interaction between adversary AI and challenger C, to ensure that the
trapdoor does not reveal keyword information. The game is defined as follows:
Initialization Setup: The process same as game 1.
Phase 1: The process same as game 1.
Challenge: AI selects two keywords w0 , w1 with equal length and identities
(IDo , IDu ), AI can replace the public key infomation for the given identities,
C generates trapdoor T ={T1 , T2 , T3 } and random selects a bit b from {0, 1},
then sends the corresponding trapdoor to AI .
Guess 1: AI selects and outputs b′ , wins the challenge if b′ = b.
In Game 3, we define the advantage of successfully distinguishing the
trapdoor of TCA-PEKS as
T IN D−CKA
AdvA I
= Pr[b = b′ ] − 1/2Springer Nature 2021 LATEX template
8 TCA-PEKS
Fig. 1 System model in TCA-PEKS.
Game 4 TIND-CKA consists of the following algorithm,which is done by
the interaction between adversary AII and challenger C, to ensure that the
trapdoor does not reveal keyword information. The game is defined as follows:
Initialization Setup: The process same as game 2.
Phase 1: AII is allowed to execute Hash-Query, Private-Key-Query, Public-
Key-Query, Encryption-Query and Trapdoor-Query in an adaptive manner.
Challenge 1: AII selects two keywords w0 , w1 with equal length and
identity(IDo , IDu ), AII can computes the part of peivate key infomation for
the given identities, C generates the encryption trapdoor T ={T1 , T2 , T3 } and
random selects a bit b from {0, 1},then sends the corresponding trapdoor to
AII .
Guess 1: AII selects and outputs b′ , wins the challenge if b′ = b.
In Game 4 ,we define the advantage of successfully distinguishing the
trapdoor of TCA-PEKS as
T IN D−CKA
AdvA II
= Pr[b = b′ ] − 1/2
3 Our scheme
3.1 Our system model
In this section, we show an architecture for the interaction in TCA-PEKS,
which consists of five main entities, data owner(DO), data user(DU), cloud
store server(CS), block-chain system(BCS), and key generation center(KGC),
all of which play different roles and perform different functions in the ciphertext
retrieval system.as shown in Figure 1.
KGC holds the master public key, and its assignment is that generating
the part of private keys according to identity information. The owner extractsSpringer Nature 2021 LATEX template
TCA-PEKS 9
the keywords of the data file he wants to encrypt, and then uses the private
key to generate the ciphertext with the keywords. DU is the receiver who are
authorized to access the encrypted data, he can generate a trapdoor with the
corresponding keyword when performing the ciphertext retrieve. CS is per-
formed by a third-party cloud service provideris, used to store the encryped
data file, specially it does not perform search operations in our scheme. BCS
mainly consists of data blocks and smart contracts which deployed on it. Smart
contracts perform matching operations between trapdoors and ciphertexts
based on predefined search algorithms, its open and transparent features
guarantees the correctness of results.
Overview, our system system is divided into 5 stages. First of all, KGC
deploys the cryptosystem to generate public parameters and the master keys, it
also process user registration requests, then generates a partial private key base
on user’s identity information. After that, if DO wants to upload an encrypted
data file to CS, he can extracts the keyword in the file and encrypts the key-
words using part of the private key and secret value to generate the ciphertext,
then the DO hash the data in files, uploaded hash value and the ciphertext to
the blockchain to assist in the verification process. When DU perform a search
query for a keyword, he can calculates the trapdoor based on complete private
key and then uploads trapdoor to BCS. Once the BCS receives the trapdoor,
the smart contract performs the matching operation with the ciphertext, then
sends the corresponding data file serial number to the cloud server, and returns
the DO upload hash value. Finally, DU utilizes the same hash algorithm for file
integrity verification, and once the cloud server performs a malicious operation,
it will be captured.
Our model consists of main advantages as follows:
(1) Reliability: If the trapdoor provided by the receiver is correct, he can
get the correct data file from the server. And the cloud server returns incorrect
results or deviates from the system, it can be captured.
(2) Confidentiality: It protects the ciphertext and trapdoor to reveal other
information. In addition, we provide forward privacy protection by introducing
random numbers, so that the adversary cannot know whether a newly added
ciphertext is related to a previously searched trapdoor.
(3) Distributability: Implemented through decentr-alized blockchains, we
can still return trustworthy results in the absence of a third-party trusted
search server, avoiding cloud servers from being attacked or compromised to
return incorrect results at some point.
3.2 Formal Definition
Our scheme consists following algorithms,which are formally defined as follows.
• Setup(1λ ) → (params, SKm ) Given a security parameter λ, randomly selects
s ∈ Zq , SKm = s as the system master key, it sets the public parameters
{q, G1 , G2 , g, g1 , ê, H1 , H2 , H3 , H4 }.
• GenKey(params, SKm , IDi )→(SKi , P Ki ) Given params, SKm , IDi , out-
puts public-private key pair.Springer Nature 2021 LATEX template
10 TCA-PEKS
Fig. 2 The block structure.
• Encrytion(params, wi , P Kdu/cs , Qdu , SKdo ,M ) → (C * , M ∗ ) Given params,
P Kdu , Qdu , P Kcs , SKdo , wi , M , outputs ciphertext list C * and encrypted file
list M ∗ = {n, CM }.
• Store(C ∗ , IDdo ) → Blockn Given the ciphertext list C * , encrypted Data list
M ∗ , C * is upload to the blockchain, and M ∗ is stored by the cloud server.
•Trapdoor(params, xdu , Qdu , wi , P Kdo )→Tw Given params, xdu , Qdu , P Kdo ,
wi , outputs the trapdoor Tw .
•Search(params, C, M ∗ , Tw )→n Given params, C * ,M * , and Tw , outputs the
file serial number n and encrypted data file CM .
3.3 TCA-PEKS scheme
Here,we propose the construction of TCA-PEKS, which is composed of six
polynomial-time algorithms.
1.Setup(1λ ) → (params, SKm ):Given a security parameter λ, G1 , G2 are
multiplicative cyclic groups of order q, ê : G1 × G1 → G2 is a bilinear map-
* *
ping, g is a generator of G1 .H1 : {0, 1} → G1 , H2 : {0, 1} → Zq , H3 : G1 ×G1
λ 2λ
→ {0, 1} , H4 : G2 → {0, 1} are cryptographic hash functions. it ran-
domly selects u, s ∈ Zq , computes g1 = g u and master secret key SKm =s,
outputs{q, G1 , G2 , g, g1 , ê, H1 , H2 , H3 , H4 }.
∗
2.GenKey(params,SKm , IDi ) → (SKi , P Ki ): Input IDdu ∈ {0, 1} , gen-
s
erates (Qdu , Ddu )=(H1 (IDdu ),H1 (IDdu ) ), selects secret value xdu ∈ Zq
randomly, outputs SKdu =(xdu , Ddu ) and P Kdu =g xdu .The generation process
of (SKdo/cs , P Kdo/cs ) as same.
3.Encrytion(params,wi ,P Kdu/cs ,Qdu ,SKdo ,M ) → (C * , M ∗ ): Randomly
selects r ∈ Zq , computes α=ê(Ddo , Qdu ), and ciphertext C={C1 , C2 , C3 }:
C1 = g r , C2 = H1 (IDdu )r
H (wkH4 (α)) r xdo
C3 = H4 (ê(g1 2 , P Kdu )) ⊕ H3 (P Kcs , gr )
The owner selects file serial number n, and hash the encrypted data
M to obtain MH , then construct CH =[n, MH ] and the ciphertext list
C * ={C, CH }, C * and IDdo sends to the blockchain nodes, the encrypted file
list M * ={n, CM } is upload to the cloud server.Springer Nature 2021 LATEX template
TCA-PEKS 11
4.Store(C ∗ , IDdo ) → Blockn : The blockchain nodes receives the list of
ciphertexts C * and data owner identity IDdo , constructs a pre-authentication
message per-m={C ∗ , IDdo , si ) where si is the message sequence value.
The master node execute PBFT algorithm, other nodes verify and sign
the message to get δ, C * and IDdo upload to the blockchain if legitimate
verification message number greater than 2f + 1.The block structure is shown
in Figure 2.
5.T rapdoor(params, xdu , Qdu , wi , P Kdo ) → Tw : Randomly selects t ∈ Zq ,
computes the trapdoor Tw = (T1 , T2 , T3 ) where β=ê(Qdo , Ddu )
x H2 (w′ kH4 (β)) t
Tw = T1 , T2 , T3 = (g t , g1 du · H1 (IDdu ) , P Kdo )
6.Search(params, C, M ∗ , Tw ) → n: Smart contract parse out T3 and inter-
act with CS, and the CS generation T3′ = T3xcs to return, computes C3′ =
C3 ⊕ H3 (T3′ , C1 ):
Returns 1 if
C3′ = H4 (ê(T2 , C1 )/ê(T1 , C2 ))
and 0 otherwise.
The corresponding serial number n is send to the cloud server. The cloud
server retrieves M * ={n, CM } which containing n. The receiver can capture
the cloud server for malicious operations because he has the file hash value in
the CH .
4 Proof of security
4.1 CIND-CKA.
Theorem 1 Under the random oracle model, the DBDH problem is defined
abc
as when a, b, c, z ∈ Zq the advantage of distinguish T0 (g, g a , g b , g c , ê(g, g) ),
a b c z
T1 (g, g , g , g , ê(g, g) ) for any polynomial-time adversary can be ignored.
lemma 1 Assuming the DBDH problem is intractable, our scheme
satisfies ciphertext indistinguishability for any polynomial adversary when
CIN D−CKA
AdvA I
≤ ξ(k).
Game 1 consists of the following processes:
Initialization Setup: Given a security parameter λ, C generate the mas-
ter public-private key pair SKm , P Km , public parameter P arams. AI cannot
obtain the master key .
Phase I: Adversary AI adaptively issues a sequence of queries which are
simulated by C.
H1 query: C randomly selected i, j ∈ {1, 2.....q1 } and suppose the most
queries are q1 , then guesses that the i-th and the j-th queries initiated by
correspond to the owner challenge identity IDo ∗ , and the receiver challenge
identity IDu ∗ , respectively. In response to the query, C initializes the empty
list LH1 , including (IDi , Qi , ni ), when AI issues queries about the identity:
1. If the query IDi is already in the list LH1 , indicating that the IDi has
been queried, returns the corresponding tuple (IDi , Qi , ni ).Springer Nature 2021 LATEX template
12 TCA-PEKS
2. When IDi =IDo ∗ or IDj =IDu ∗ , C randomly selects ni ∈ Zq , computes
Qi = g ani , records and returns the tuple (IDi , Qi , ni ).
3. Otherwise, C selects a random number k ∈ Zq , computed Qi = g k ,
records and returns the tuple (IDi , Qi , k).
H2 Query: C initialize the empty list LH2 , including(w, y, hi ), when AI
2λ
selects y ∈ {0, 1} and issues queries of the keyword:
1. If the tuple (w, y, hi ) of the list LH2 contains w, indicating that the w
has been queried , C returns the hi to AI .
2. Otherwise, C randomly selects hi ∈ Zq , adds (w, y, hi ) to LH2 , returns
the tuple(w, y, hi ) to AI .
Partial-Private-Key-Query: C initializes the empty list Lpsk , including
(IDi , ni , Di ), if AI issues queries of partial private key.
1. If the IDi is already in the list Lpsk , the corresponding tuple is returned.
2. When IDi =IDo∗ or IDi =IDu∗ , C randomly selects ni ∈ Zq and
computes Di = g ni , then returns the tuple (IDi , ni , Di ).
3. otherwise, C retrieves the list LH1 , randomly selects v ∈ Zq and out-
puts Di = g kv , then returns the tuple (IDi , v, Di ).
Private-Key-Query:Cinitializes the empty list LS , including
(IDi , xi , P Ki ), when AI issues queries of private key:
1. if IDi =IDu∗ or IDi =IDo∗ , C randomly selects ai ∈ Zq , returns the tuple
(IDi , ⊥, g ai ).
2. otherwise, selects a secret value xi ∈ Zq , returns the tuple (IDi , xi , g xi ).
Public-Key-Query: AI gives the identity IDi , C retrieves LH1 and LS ,
then returns tuple (IDi , Qi , P Ki ).
Replace-Public-Key: AI replaces (IDi , Qi , P Ki ) with (IDi , Qi , P Ki∗ ).
Encryption-Query: AI gives the keyword w and identities (w, IDi , IDj ),
we assume IDi ∈ / {IDo * , IDu * }, C retrieves LH1 ,Lpsk , LS , i, j denote the
corresponding retrieval values of data owner and receiver respectively(same
below). C randomly selects r ∈ Zq and computes α = ê(Di , Qj ) to generate:
C1 = g r , C2 = Qrj ,
H (wkH4 (α))
C3 = H4 (ê(g1 2 , P Kjr )) ⊕ H3 (g axi , g r )
Otherwise, outputs a random bit and aborts.
Trapdoor-Query: AI gives the keyword w and identities (w, IDi , IDj ),
we assume IDj ∈ / {IDo * , IDu * }, C retrieves LH1 , Lpsk , LS , randomly selects
t ∈ Zq and computes β=ê(Qi , Dj ) to generate Tw = (T1 , T2 , T3 ):
x H2 (w′ kH4 (β)) t
Tw = (g t , g1 j · H1 (IDj ) , P Ki )
Otherwise, outputs a random bit and aborts.
Challenge: AI gives two keywords and the challenge identities
(w0 , w1 , IDo∗ , IDu∗ ), C retrieves LH1 , Lpsk , LS , computes y = ê(g ni , Qj ), andSpringer Nature 2021 LATEX template
TCA-PEKS 13
randomly selects b ∈ {0, 1}, r ∈ Zq to generates:
C 1 = g r , C2 = Q u r
C3 = H4 (ê(g1 H2 (wb kH4 (y)) , P K r∗
u )) ⊕ H3 (g
axo
, gr )
Guess: AI outputs a bit b′ = {0, 1}, if b′ = b, AI wins the challenge
Assuming that the game of challenger C is not aborted and simulating the
complete attack process, the advantage of adversary AI breaking our scheme
is the same as the probability if the adversary winning the challenge.
abt denote abort if its guess of the challenge identities is not correct.The
probability that both the challenger and user identities in Encryption-Query
and Trapdoor-Query do match is 1 − 1/q1 (q1 − 1). if its complete game, sim-
ulates a random oracle model based on the hash query, which generates a
ciphertext for the adversary whose that representation matches the DBDH
tuple. Definition AI wins in this game with probalility:
1
Pr[b′ =b] −
2
1
=Pr[b′ =b|abt] · Pr[abt] + Pr[b′ =b|¬abt] · Pr[¬abt] −
2
=Pr[b′ =b|abt] · Pr[abt] + Pr[b′ =0|¬abt∧b=0] · Pr[b=0]
1
· Pr[¬abt] + Pr[b′ =1|¬abt∧b=1] · Pr[b=1] · Pr[¬abt] −
2
1 1
=Pr[b′ =b|abt] Pr[abt] + Pr[¬abt] ( + Adv DBDH ) −
2 2
1 1 DBDH 1
= · (1 − Pr[¬abt] ) + ( + Adv ) · Pr[¬abt] −
2 2 2
=Adv DBDH · Pr[¬abt] (1)
DBDH
If AdvA I
≤ ξ(k), this scheme satisfies the ciphertext indistinguishabil-
ity.
lemma 2 Assuming the DBDH problem is intractable, our scheme
satisfies ciphertext indistinguishability for any polynomial adversary when
CIN D−CKA
AdvA II
≤ ξ(k).
Game 2 consists of the following processes:
Initialization Setup: Given a security parameter λ, C generate the mas-
ter public-private key pair SKm , P Km , public parameter P arams. AII obtain
the master key but cannot replace public key.
Phase I: Adversary AII adaptively issues a sequence of queries which are
simulated by C.
H1 query: The process same as Game 1.
H2 query: The process same as Game 1.
Partial-Private-Key-Query: C initializes the empty list Lpsk including
(IDi , ni , Di ), when AII issues queries of partial private key, if the query IDi
is already in the list Lpsk , the corresponding tuple is returned. Otherwise,Springer Nature 2021 LATEX template
14 TCA-PEKS
retrieves the list LH1 , and it computed Di = g ks , records and returns the tuple
(IDi , Qi , Di ).
Private-Key-Query: The process same as Game 1.
Public-Key-Query: The process same as Game 1.
Encryption-Query: AII gives the keyword w and identities
(w, IDi , IDj ), if IDi ∈ / {IDo * , IDu * }, C retrieves LH1 ,Lpsk ,LS , and ran-
domly selects r ∈ Zq to generate C = {C1 , C2 , C3 }, and then returns to
AII . Otherwise, outputs a random bit and aborts.
Trapdoor-Query: AII gives the keyword w and identities (w, IDi , IDj ),
if IDj ∈ / {IDo * , IDu * }, randomly selects t ∈ Zq to generate Tw , then returns
to AII . Otherwise, outputs a random bit and aborts.
Challenge: AII gives two keywords and the challenge identities
(w0 , w1 , IDo∗ , IDu∗ ), C retrieves LH1 , Lpsk , LS , randomly selects b ∈ {0, 1} and
computes y = ê(g ks , Qj ) , r ∈ Zq to generate:
C1 = g r , C2 = Qru∗ ,
C3 = H4 (ê(g1 H2 (wb kH4 (y)) , P K ru )) ⊕ H3 (g axo , g r )
Guess: AII outputs a bit b′ = (0, 1), if b′ = b, AII wins the challenge.
The probability of qh = 1/q1 (q1 − 1) denote owner and receiver identities
not match in encryption-query and trapdoor-query .
Simulating the complete attack process, for the adversary, which cannot
H (W H (y))
access the random value in the ciphertext ê(g1 2 b 4 , g ai r ) = ê(g x , g ai r ) =
xai r
ê(g, g) , which satisfying the DBDH, the generated ciphertext can be seen
z
as a random element in G2 , which can be expressed as ê(g, g) in the tuple T0 .
′ DBDH
If Pr[b = b]-1/2=AdvAII ≤ ξ(k), the adversary cannot distinguish
the two tuple of the DBDH by a non-negligible advantage, then it can-
not distinguish the ciphertext sent by C, this scheme satisfies the ciphertext
indistinguishability.
4.2 TIND-CKA.
Theorem 2 Under the random oracle model, the DDH problem is defined
as when x, y, z ∈ Zq the advantage of distinguish T1 (g, g x , g y , g xy ),
T2 (g, g x , g y , g z ) for any polynomial-time adversary can be ignored.
lemma 3 Assuming the DDH problem is intractable, our scheme
satisfies trapdoor indistinguishability for any polynomial adversary when
T IN D−CKA
AdvA I
≤ ξ(k).
Game 3 consists of the following processes:
Initialization Setup: Same as Game 1.
Phase I: Adversary AI issues a sequence of queries adaptively polynomial-
many times.
H1 query:The process same as Game 1.
H2 query:The process same as Game 1.
Partial-Private-Key-Query: The query process is the same as Game 1.Springer Nature 2021 LATEX template
TCA-PEKS 15
Private-Key-Query: C initializes the empty list LS , including
(IDi , xi , c, P Ki ), when the AI issues queries, if the IDi in the list LS , the cor-
responding tuple is returned. Otherwise, it random selects xi ∈ Zq and marks
c = 1, returns the tuple (IDi , xi , c, g xi ).
Public-Key-Query: Given the identity IDi , C retrieves LH1 and LS
returns tuple (IDi , Qi , P Ki ).
Replace-Public-Key: AI replaces (IDi , Qi , P Ki ) with (IDi , Qi , P Ki∗ ).
Encryption-Query: The query process is the same as Game 1.
Trapdoor-Query: AI gives the keyword w and identity (w, IDi , IDj ),
C retrieves LH1 , Lpsk , LS , it selects t ∈ Zq and computes β=ê(g ki , g nj ) to
generate:
Tw = (T1 , T2 , T3 ) = (g t , g1 xj H2 (wkH4 (β)) · g kj t , g xi )
Challenge: AI gives two keywords and the challenge identities
(w0 , w1 , IDo∗ , IDu∗ ), for given keywords w0 , w1 , C performs H2 query and stop
the algorithm if c = 1 in LS . Otherwise continue retrieves LH1 ,Lpsk , compute
y = ê(g ku , g no ), selects b ∈ {0, 1} to generate the trapdoor:
x H2 (wb kH4 (y))
Twb = (T1 , T2 , T3 ) = (g t , g1 u · g ku t , P Ko∗ )
Guess: AI outputs a bit b′ = {0, 1}, if b′ = b, AI wins the challenge.
Simulating the complete attack process, if AI cannot obtain the informa-
tion of random values in the trapdoor, the generated trapdoor satisfying the
DDH tuple, which can be seen as a random element in G1 .
We denote the probability of the secret value be queried in the phase is
1/qs .
1
Pr[b′ =b] −
2
1
=Pr[b′ =b|abt] · Pr[abt] + Pr[b′ =b|¬abt] · Pr[¬abt] −
2
1 1 1
= · (1 − Pr[¬abt] ) + ( + Adv DDH ) · Pr[¬abt] −
2 2 2
DDH 1
=Adv · (1 − ) (2)
qs
DDH
If AdvA I
≤ ξ(k), this scheme to satisfy the trapdoor indistinguishability.
lemma 4 Assuming the DDH problem is intractable, our scheme
satisfies trapdoor indistinguishability for any polynomial adversary when
T IN D−CKA
AdvA II
≤ ξ(k).
Game 4 consists of the following processes:
Initialization Setup: Same as in Game 2.
Phase I: Adversary AII issues a sequence of queries adaptively polynomial-
many times.
H1 query: The process same as Game 1.
H2 query: The process same as Game 1.Springer Nature 2021 LATEX template
16 TCA-PEKS
Table 1 Comparison of computational complexity.
Scheme Encryption Trapdoor Test
Fang’s scheme[12] 7E+H+3P 2E 3E+4P+H
SCF-MCLPEKS[19] 4E+3H+3P E+H E+P+H
dIBAEKS[26] 3E+2H+2P 2E+H+P+M 2E+2P+M
dCLPAEKS[28] 3E+3H+3P 3E+3H+2P+M E+2P+M
Our scheme 5E+4H+2P 3E+2H+P+M 2H+2P+M
Private-Key-Query: AII gives the identity IDi , C random selects xi ∈
Zq , marks c = 1, return tuple (IDi , xi , c, g xi ).
Public-Key-Query: The process same as Game 1.
Encryption-Query: The process same as Game 1.
Trapdoor-Query: The query process is the same as Game 1, except
β=ê(g ki , g kj s ).
Challenge: AII gives two keywords and the challenge identities
(w0 , w1 , IDo∗ , IDu∗ ), for given keywords w0 , w1 , C performs H2 query
and stop the algorithm if c = 1 in LS . Otherwise, continue retrieves
LH1 , Lpsk , computes y = ê(g ki , g kj s ), and randomly selects b ∈ {0, 1} to gener-
ate the trapdoor:
x H2 (wb H4 (y))
Twb = (T1 , T2 , T3 ) = (g t , g1 u · g ku t , g x o )
Guess: AII outputs a bit b′ = {0, 1}, if b′ = b, AII wins the challenge.
Simulating the complete processes, the trapdoor can be shown as:
x H2 (wb H4 (y))
g1 j = g x j yi
The generated trapdoor satisfies the DDH tuple and can be seen as a
random element in the G1 , the probability of the secret value be queried in
the phase is 1/qs . The proof process is similar to Game 3.
5 Analysis and Evaluation
In this section, the performance of the TCA-PEKS is evaluated and compared
with similar schemes, which including Fang’s scheme[18], SCF-MCLPEKS[29],
dIBAEKS[10], and dCLPAEKS[13].The computational complexity of the five
schemes are compared as shown in Table 1.
P denotes the bilinear pairing operation, E denotes the evaluation of a
modular exponentiation of the elements on the G1 , and H denotes the evalu-
ation operation on the hash function, M denotes a multiplication operation,
compared the Encryption algorithm cost, trapdoor algorithm cost, and search
algorithm cost, respectively.
In order to make the experimental results more accurate, the experiment
execute on the Intel(R) Core(TM) i5-6500H CPU 3/60GHz processor, 8GB
RAM, Window7 operating system. The experimental simulations uses the
bilinear PBC (Pariring-Based Cryptography library).Springer Nature 2021 LATEX template
TCA-PEKS 17
Fig. 3 Running time of Encryption algorithm.
Fig. 4 Running time of Trapdoor algorithm.
Figures 3 and Figures 4 represent the time consumption of Encrypion algo-
rithm and Trapdoor algorithm, respectively, which the x-axis is the number of
keywords to be encrypted and the y-axis is the time required for the compu-
tation. Figure 5 shows the time consumption of Searching algorithm, and the
x-axis is the number of required ciphertexts.
Figures 6 shows the average running time of each schemes. Considering
the security of the trapdoor algorithm we introduce random numbers in the
process of trapdoor generation, so that the trapdoor is random for the same
keyword in each time. Although we need to perform an extra interaction for
the trusted retrieval operation, there is still has advantage in time consumption
when the ciphertexts are scaled. Overall, evaluation with similar schemes, our
scheme is compar-able in terms of performance.Springer Nature 2021 LATEX template 18 TCA-PEKS Fig. 5 Running time of Search algorithm. Fig. 6 Average running time of each schemes. 6 Conclusion We introduced the nation of trusted certificateless authentication public-key encryption with keyword search seheme, which provides a concrete solution to data privacy protection in a semi-trusted cloud environment. The designed scheme solves the problem of key escrow and certificate management through use the certificateless cryptosystem. In particular, our TCA-PEKS scheme have the property that the cloud servers does not act as executors of search opera- tions, and achieves verifiability of data files and transparency of the retrieval process through blockchain smart contracts technology. The scheme is proved security by using a sequence of secure arguments based on number-theoretic assumption. We will consider to construct a more flexible TCA-PEKS scheme in which the keyword can be fuzzy searched in the future work.
Springer Nature 2021 LATEX template
TCA-PEKS 19
Declarations
• Ethical Approval and Consent to participate.
the work has not been published before.
the work is not under consideration elsewhere.
copyright has not been breached in seeking its publication.
the publication has been approved by all co-authors and responsible author-
ities at the institute or organization where the work has been carried out.
The submitted work is original and the results/data/figures in this
manuscript have not been published elsewhere, nor are they under consid-
eration by another publisher.
Informed consent was obtained from all individual participants included in
the study.
• Human and Animal Ethics
Not applicable
• Consent for publication
The Author agrees to pubilcation of the article in English by Springer in
Springer’s corresponding English-language journal.
• Availability of supporting data
Not applicable
• Competing interests
The authors have no competing interests to declare that are relevant to the
content of this article.
• Funding
This study was funded by the National Natural Science Foundation of China
(No. 62072240) and the Natural Science Foundation of Jiangsu Province
under Grant BK20210330.
• Authors’ contributions
Mu Han: Conceptualization, Methodology, Data Curation. Puyi Xu: Writing
- Original Draft, Visualization,Formal analysis. Lei Xu: Writing - Review
and Editing. Chungen Xu: Supervision Writing - Review and Editing. All
authors reviewed the manuscript.
• Acknowledgements
This work was supported by the National Natural Science Foundation
of China (No. 62072240) and the Natural Science Foundation of Jiangsu
Province under Grant BK20210330.
• Authors’ informationSpringer Nature 2021 LATEX template 20 TCA-PEKS Mu Han received the Ph.D. degree in Computer Science from Nanjing Uni- versity of Science and Technology. She is an Associate Professor with the School of Computer Science and Communication Engineering, Jiangsu Uni- versity. Her primary research interests are in the areas of Cryptography, Security and Communication invehicle networks, the design of security pro- tocols forsmart cars and Information Security. Puyi Xu received the BE degree in software engineering from Jiangxi Uni- versity of Finance and Economics, China in 2020. He is a master student at Information Security Department, Jiangsu University. His main research focus on information security. Lei Xu is currently an Associate Professor at the school of Mathematics and Sta-tistics, Nanjing University of Science and Technology. Before that, he was a Postdoc at the Department of Computer Science, City University of Hong Kong, Hong Kong. He received his Ph.D. degree in Nanjing Uni- versity of Science and Technology, 2019. His main research interests focus on applied cryptography and information Security.In the past few years, his work has appeared in several international journals and conferences, such as IEEE TIFS, IEEE INFOCOM, IEEE TDSC, IEEE TETC. Chungen Xu is a Professor in the School of Mathematics and Statistics,
Springer Nature 2021 LATEX template
TCA-PEKS 21
Nanjing University of Science and Technology, China. He received the M.S.
degree from East China Normal University, Shanghai, China, in 1996 and the
Ph.D. degree from Nanjing University of Science and Technology in 2003. His
current interests are in the areas of computer and network security, applied
cryptography and coding. He has published more than 50 paper in interna-
tional conferences and journals. His research has been supported by multiple
research fund agencies, including National Natural Science Foundation of
China, National Key Research and Development Program of China, Natural
Science Foundation of Jiangsu Province, and Fundamental Research Funds
for the Central Universities, etc. He obtained the best paper award in the
8th International Conference on Artificial Intelligence and Security 2020.
References
[1] Mell, P., Grance, T.: The nist defifinition of cloud computing. Communi-
cations of the ACM. vol. 53(no. 6), 1–50 (2011)
[2] Wu, J., Ping, L., Ge, X., Wang, Y., Fu, J.: Cloud storage as the infrastruc-
ture of cloud computing. in Proc. of IEEE 2010 International Conference
on Intelligent Computing and Cognitive Informatics., 380–383 (2010)
[3] Kamara, S., Lauter, K.: Cryptographic cloud storage. Financial Cryptog-
raphy and Data Security- FC.2010 vol. 6054, 136–149 (2010)
[4] Song, D.X., Wagner, D., Perrig, A.: Practical techniques for searches
on encrypted data. in Proc. of IEEE 2000 Symposium on Security and
Privacy, 44–55 (2000)
[5] Boldyreva, A., Chenette, N.: Order-preserving symmetric encryption. in
Advances in Cryptology - EUROCRYPT 2009 vol. 5479, 224–241 (2009)
[6] Xie, R., Xu, C., He, C.: Lattice-based searchable public-key encryption
scheme for secure cloud storage. INT J WEB GRID SERV, 14–1320
(2018)
[7] Dong, Z., Tianze, Z., Rui, G.: Public key searchable encryption scheme in
blockchain-enabled multiuser environment[j]. Journal on Communications
42 (2021). https://doi.org/10.11959/j.issn.1000-436x.2021130
[8] Zhang, A., Lin, X.: Towards secure and privacy-preserving data sharing in
e-health systems via consortium blockchain[j]. Journal of medical systems
42(8), 140 (2018)
[9] Hongbo, L., Qiong, H., Shen, J., et al.: Designated-server identity-based
authenticated encryption with keyword search for encrypted emails[j].
Information Sciences 481, 330–343 (2019)Springer Nature 2021 LATEX template
22 TCA-PEKS
[10] Wu, L., Zhang, Y., Ma, M., et al.: Certificateless searchable public key
authenticated encryption with designated tester for cloud-assisted med-
ical internet of things. Annals of Telecommunications 74(7-8), 423–434
(2019)
[11] Bin, W., Caifen, W.: Security analysis and secure channel-free certifi-
cateless searchable public key authenticated encryption for a cloud-based
internet of things. PLOS ONE 15(4), 423–434 (2020)
[12] Shen, J., Zhou, T., Chen, X., Li, W. J.and Susilo: Anonymous and
traceable group data sharing in cloud computing. IEEE Transactions on
Information Forensics and Security 99 (2017). https://doi.org/10.1109/
TIFS.2017.2774439.
[13] Wu, T., Chen, C., Wang, K.: Security analysis and enhancement of a cer-
tificateless searchable public key encryption scheme for iiot environments.
IEEE Access 7, 49232–49239 (2019)
[14] Mimi, M., Debiao, H., KHAN, K. M, Jianhua, C.: Certificateless search-
able public key encryption scheme for mobile healthcare system[j].
Computers and Electrical Engineering 65, 413–424 (2018). https://doi.
org/10.1016/j.compeleceng.2017.05.014
[15] Boneh, D., Di Crescenzo, G., Ostrovsky, R., Persiano, G.: Public key
encryption with keyword search. in Advances in Cryptology - EURO-
CRYPT 2004 vol. 3027, 506–522 (2004)
[16] Baek, J., Naini, R.S., Susilo, W.: Public key encryption with keyword
search revisited. in Computational Science and Its Applications– ICCSA
2008 vol. 5072, 1249–1259 (2008)
[17] Rhee, H.S., Park, J.H., Susilo, W., et al.: Practical techniques for searches
on encrypted data. in Proc. of IEEE 2000 Symposium on Security and
Privacy, 44–55 (2000)
[18] Fang, L., Susilo, W.: Public key encryption with keyword search secure
against keyword guessing attacks without random oracle. Information
Sciences 238(7), 221–241 (2013)
[19] Chen, R., Mu, Y., Yang, G., Guo, F., Huang, X., Wang, X., Wang, Y.:
Server-aided public key encryption with keyword search. IEEE Transac-
tions on Information Forensics and Security 11(2), 1833–2842 (2016)
[20] Lei, X., Chungen, X., Joseph K, L., et al.: Building a dynamic searchable
encrypted medical database for multi-client[j]. Information Sciences 527,
394–405 (2020)Springer Nature 2021 LATEX template
TCA-PEKS 23
[21] Xu, P., Wu, Q., Wang, W., Susilo, W., Domingo-Ferrer, J., Jin, H.: Gen-
erating searchable public-key ciphertexts with hidden structures for fast
keyword search. IEEE Transactions on Information Forensics and Security
10(9) (2015)
[22] Huang, Q., Li, H.: An efficient public-key searchable encryption scheme
secure against inside keyword guessing attacks[j]. Information Sciences
1-14, 403–404 (2017)
[23] Chunguang, M., Jing, A., Wei, B., et al.: Smart contract in blockchain[j].
Netinfo Security 18(11), 8–17 (2018)
[24] Chen, L., Lee, W., et al.: Blockchain based searchable encryption for elec-
tronic health record sharing. Future Generation Computer Systems 95,
420–429 (2019)
[25] Shufen, N., Pingping, Y., et al.: Cloud-assisted ciphertext policy attribute
based eencryption data sharing encryption scheme based on blockchain.
Journal of Electronics and Information Technology (2021). https://doi.
org/10.11999/JEIT200124
[26] Chen, B., WU, L., et al.: A blockchain-based searchable public-key encryp-
tion with forward and backward privacy for cloud-assisted vehicular social
networks. IEEE transactions on vehicular technology 69(6) (2020)
[27] PENG, Y., CUI, J., PENG, C., et al.: Certificateless public key encryption
with keyword search[j]. China Communications 11(11), 100–113 (2014).
https://doi.org/10.1109/CC.2014.7004528
[28] ISLAM, S.H., OBAIDAT, M.S., RAJEEV, V., et al.: Design of a cer-
tificateless designated server based searchable public key encryption
scheme[c]. Springer. International Conference on Mathematics and Com-
puting 3-15 (2017)
[29] Mimi, M., Debiao, H., Neeraj, K., et al.: Certificateless searchable public
key encryption scheme for industrial internet of things[j]. IEEE Transac-
tions on Industrial Informatics 14(2), 759–767 (2018). https://doi.org/
10.1109/TII.2017.2703922You can also read
