An improved secure designated server public key searchable encryption scheme with multi-ciphertext indistinguishability

Abstract

In the cloud, users prefer to store their sensitive data in encrypted form. Searching keywords over encrypted data without loss of data confidentiality is an important issue. In 2004, Boneh et al. proposed the first public-key searchable encryption scheme which allows users to search by the private key. However, most existing public-key searchable encryption schemes are vulnerable to keyword guessing attack and can not satisfy multi-ciphertext indistinguishability. In this paper, we construct a secure designated server public-key searchable encryption based on Diffie-Hellman problem. Our security analysis shows that our proposed scheme can resist against keyword guessing attack and provide multi-ciphertext indistinguishability for any adversity. Furthermore, the proposed scheme can achieve multi-trapdoor privacy for external attackers. Moreover, the simulation results between our scheme and previous schemes demonstrate our new scheme is suitable for practical application.

Introduction

With the rapid development of cloud computing, a growing number of users and companies prefer to store data on the cloud. In such case, they encrypt the data before uploading in order to ensure data privacy. However, it is extremely difficult to retrieve keyword over encrypted data using traditional search mechanism. Searchable encryption has become a promising solution to ensure the security and availability of data.

In 2004, Boneh et al. [1] proposed the concept of Public-key Encryption with Keyword Search (PEKS) and gave a concrete scheme. However, in 2006, Byun et al. [2] put forward an offline keyword guessing attack(KGA) against Boneh et al. ’s scheme. Later, Baek et al. [3] presented a PEKS scheme without a secure channel in 2008. Then, Rhee et al. [4] introduced a new security concept of PEKS, trapdoor indistinguishability, They put forward a PEKS scheme under designated test server (dPEKS) which satisfies trapdoor indistinguishability.

Wang et al. [5] proposed that even if [4] satisfies the trapdoor indistinguishability, their dPEKS cannot resist inside KGA. Since keyword encryption algorithms are public in previous schemes, it will enable the internal attacker to generate the ciphertext of a candidate keyword by himself. That is, the malicious server can efficiently test whether the trapdoor is generated by the canditate keyword or not.

To resist keyword guessing attacks initiated by malicious servers, many researchers have proposed some variants of PEKS schemes. Tang et al. [6] introduced the concept of keyword registration, which requires the sender to register keywords with the receiver in advance and proposes registered keyword search public key encryption (PERKS). Chen et al. [7] put forward a solution using two servers that do not collide with each other, but it is too ideal. Later, Huang et al. [8] presented the concept of public-key authenticated encryption with keyword search (PAEKS) to resist the inside KGA. In their scheme, the data owner needs to use the secret key to authenticate the ciphertext of the keyword. The malicious cloud server will not generate keyword ciphertext for testing without the owner’s private key. Therefore, KGA does not succeed against their scheme.

Qin et al. [9] in 2020 introduced the new security concept called multi-ciphertext indistinguishability (MCI). That is, from two or more ciphertexts, the adversary can determine whether they are generated by a same keyword. And they constructed a new PAEKS that can guarantee MCI security but does not provide multi-trapdoor privacy (MTP) security in which attacker is able to check two or more trapdoors contain a same keyword. In 2021, Pan and Li [10] put forward a new PAEKS scheme with MCI and MTP security. Later, Cheng and Meng [11] proved that Panr and Li’s scheme does not satisfy MTP security.

Motivations and contributions

In searchable encryption, the security goal is that the ciphertexts and trapdoors leak no information about keywords. So far, there is rarely public-key searchable encryption schemes achieve both MCI and MTP, and security against KGA. In this paper, our goal is to construct an enhanced secure designated server public-key searchable encryptionscheme with MCI and MTP. The contributions of our paper are summarized as follows:

1. 1

   We give a security analysis of Li et al.’s scheme [12] and show that their scheme does not satisfy trapdoor indistinguishability.

2. 2

   We propose a secure scheme that satisfies the requirement of testing the designated server. That is to say, no one can test except the designated server. Moreover, we prove that our scheme satisfies MCI security, MTP security for external adversaries, and designated testability.

3. 3

   We analyze our scheme’s implementation and communication cost by comparing it with previous other schemes. The result shows that our scheme has excellent advantages in keyword ciphertext and trapdoor algorithms, and the test algorithm is not inferior to other schemes. Moreover, our scheme provides stronger security for keyword privacy.

Related works

In 2004, Boneh et al. [1] first proposed the public key encryption scheme with keyword search, which started the research on public-key searchable encryption. Later, Abdalla et al. [13] presented a searchable encryption scheme based on identity. Byun et al. [2] put forward offline KGA against Abdalla et al.’s scheme. Baek et al. [3] suggested that a tester should be appointed to perform the test algorithm to hide the user’s search pattern, to ensure that only those who have the tester’s private key can conduct the test. Rhee et al. [4, 14] put forward a dPEKS model to reject outside KGA and constructed a general structure of dPEKS based on the designated tester. Fang et al. [15] presented a dPEKS scheme that is not based on a random prediction machine to resist outside KGA. Rhee et al. [16] construct an identity-based PEKS scheme with a designated tester. Emura et al. [17] presented a general structure of SCF-PEKS based on anonymous identity-based encryption(IBE) and one-time signature. After that, many schemes [18–20] have made efforts to resist offline guessing attacks, but these schemes cannot resist inside KGA.

To resist inside KGA, Xu et al. [21] proposed a PEKS scheme with fuzzy keywords, reducing the security of inside KGA by ensuring that each trapdoor corresponds to multiple keywords. Wang et al. [22] gave a PEKS scheme with dual servers. In 2017, Huang et al. [8] proposed the concept of public-key authentication searchable encryption. After that, Huang et al.’s scheme has been extended to certificateless PAEKS [23–25] and identity-based PAEKS [12]. And in the field of Internet of Things, many PEAKS variants [26–28] have been proposed. In 2019, Lu et al. [29] presented a PEKS scheme without random prediction. Later, Noroozi et al. [30] proposed that Huang et al.’s scheme is insecure in the case of multiple receivers.

In 2020, Qin et al. [9] presented a new PAEKS that is claimed to provide multi-ciphertext indistinguishability but no multi-trapdoor privacy. Recently, Li et al. [12] proposed a new PAEKS scheme under a designated server which still cannot guarantee MTP. Furthermore, almost PAEKS [8, 12] and their variants [9, 25, 31, 32] cannot provide MTP security and hide the search pattern of the user. Later, Qin et al. [33] proposed an improved security model and gave a specific scheme. Recently, Lattice-based searchable encryption schemes [34, 35] have been proposed which are claimed to guarantee stronger security.

Paper organization

The rest of this paper is organized as follows. In section 2, we introduce some preliminary knowledge. Then we review Li et al.’s scheme and give a security analysis for it in section 3. The fourth section defines the enhanced scheme and its security model. Section 5 gives a concrete construction scheme and proves that it satisfies the designed testability, MTP security and MCI security. Then in section 6, we compare and analyze our scheme with others. In the last section, we give a summary and a prospect for the future.

Preliminaries

Bilinear pairing

We briefly describe the definition of bilinear mapping. (See more details in [36]). Let \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) be a computable bilinear pairing, where \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are two cyclic groups of prime order p. The map \(\hat {e}\) has the following properties.

• For any \(x,y \in \mathbb {Z}_{p}^{*}\), \(g,g_{1} \in \mathbb {G}_{1}\), the equation \(\hat {e}\left (g^{x}, g_{1}^{y}\right) = \hat {e}\left (g, g_{1}\right)^{xy}\) holds.

• For any generator \(g \in \mathbb {G}_{1}\), \(\hat {e}(g,g)\) is a generator of \(\mathbb {G}_{2}\).

• For any \(g,g_{1} \in \mathbb {G}_{1}\), there exists a PPT algorithm to compute \(\hat {e}(g_{1},g)\).

Complexity assumptions

In this subsection, \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are two cyclic groups of prime order p, g is a generator of \(\mathbb {G}_{1}\) and \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) is a bilinear map. Decisional Diffie–Hellman assumption and Decisional bilinear Diffie–Hellman assumption are introduced as follows.

Definition 1

(Decisional Diffie–Hellman (DDH) assumption): Given g, g^x, \(g^{y} \in \mathbb {G}_{1}\), where \(x,y \in \mathbb {Z}_{q}^{*}\), there no exists polynomial-time algorithm to distinguish between (g,g^x,g^y,g^xy) and (g,g^x,g^y,Z), where \(Z \in _{R} \mathbb {G}_{1}\). The advantage of adversary \(\mathcal {A}\) is

$$Adv^{DDH}_{\mathcal{A}}\!(\kappa)\! =\! \vert Pr[\mathcal{A}(g,g^{x},g^{y},g^{xy})]\! - \! Pr[\mathcal{A}(g,g^{x},g^{y},Z)] \vert$$

DDH assumption holds if the advantage is negligible.

Definition 2

(Decisional bilinear Diffie–Hellman (DBDH) assumption) : Given g, g^x, g^y, \(g^{z} \in \mathbb {G}_{1}\), where \(x,y,z \in \mathbb {Z}_{q}^{*}\). The advantage of the adversary \(\mathcal {A}\) is \(Adv^{DBDH}_{\mathcal {A}}(\kappa) = \vert Pr\left [\mathcal {A}\left (g,g^{x},g^{y},g^{z},e(g,g)^{xyz}\right)\right ] - Pr\left [\mathcal {A}(g,g^{x},g^{y},g^{z},Z\right ] \vert \), where \(x,y,z \in _{R} \mathbb {Z}_{q}^{*}\) and \(Z \in _{R} \mathbb {G}_{2}\). DBDH assumption holds if the advantage is negligible.

System model

Our system framework is showed in Fig. 1. The system contains three entities: a cloud server, a data owner and a receiver. Moreover, the data owner wants to send confidential files to the cloud which are allowed the assigned receiver to access the data. The exact procedures are as follows: First, the data owner extracts a group of keywords from documents and builds an secure index including keyword ciphertexts and documents. Second, the data owner encrypts the files by symmetric encryption and uploads the encrypted file and keyword ciphertext index to the server. Third, the receiver generates a trapdoor for a query keyword and sends it to the server. Finally, after receiving the trapdoor, cloud server runs the test algorithm and outputs the search results.In Table 1, we summarize the notations used in this paper.

Fig. 1

System Framework

Table 1 Notations

Cryptanalysis of li et al.’s scheme

In this section, we review an identity-based searchable authenticated encryption scheme under a designated server proposed by Li et al.. After analyzing their scheme, we propose that it cannot guarantee trapdoor indistinguishability.

Review of li et al.’s scheme

Li et al.’s scheme consists of the following polynomial algorithms:

Setup(κ): From the security parameter κ, it outputs a public parameter para= (\(\mathbb {G}_{1},\mathbb {G}_{2},\hat {e}, p, g, g_{1}, H, H_{1}\), mpk) and msk, where \(\mathbb {G}_{1}\) and \(\mathbb {G}_{2}\) are cyclic groups of prime order p. g and g₁ are generators of \(\mathbb {G}_{1}\). \(\hat {e}:\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}\) is an efficient bilinear map, and \(H:\mathbb {G}_{2} \times \{0,1\}^{*} \rightarrow \mathbb {G}_{1},H_{1}: \{0,1\}^{*} \rightarrow \mathbb {G}_{1}\), \(msk=\alpha \in \mathbb {Z}_{p}\), mpk=g^α.

KGen_s(para): With the parameters para, it outputs the public/secret key pairs (Pk_S,Sk_S)=(g^z,z) of the server, where \(z \in _{R} \mathbb {Z}_{p}\).

KGen_usr(pp,msk,ID): Inputting (pp,msk,ID), it returns Sk_ID=H₁(ID)^α.

\(\phantom {\dot {i}\!}dIBAEKS(para,w,Pk_{S},Sk_{ID_{O}},ID_{O},ID_{R})\): With para, w, Pk_s, \(\phantom {\dot {i}\!}Sk_{ID_{O}}\), ID_O of a data owner and a receiver’s ID_R, it returns a keyword ciphertext C_w= (C₁,C₂,C₃), where C₁ = \(\hat {e}\left (H(k,w),Pk_{S}^{s}\right)\), C₂ = g^s, C₃=\( g_{1}^{s}\), \(s \in _{R} \mathbb {Z}_{p}\) and \(\phantom {\dot {i}\!}k = \hat {e}(Sk_{ID_{O}}, H_{1}(ID_{R}))\).

\(\phantom {\dot {i}\!}Tarpdoor(para,w,Pk_{S},Sk_{ID_{R}},ID_{O},ID_{R})\): It outputs a trapdoor \(T_{w} = (H(k,w) \cdot g_{1}^{r},g^{r})\), where \(\phantom {\dot {i}\!}k = \hat {e}(H_{1}(ID_{O}),Sk_{ID_{R}})\).

Test(para,Sk_S,ID_O,ID_R,C_W,T_W): It outputs 1 if

$$C_{1} \cdot \hat{e}\left(T_{2}^{Sk_{S}},C_{3}\right)=\hat{e}\left(T_{1}^{Sk_{S}},C_{2}\right),$$

and 0 otherwise.

Cryptanalysis of their scheme

In [12], Li et al. claimed that their dlBAEKS scheme satisfies the trapdoor indistinguishability under the random prediction model. Although trapdoor contains a random number in dlBAKES, there is an efficient algorithm to ascertain whether two trapdoors encrypt the identical keyword or not. In fact, for any two trapdoors T_w=(T₁,T₂) and \(\phantom {\dot {i}\!}T_{w^{\prime }} = \left (T_{1}^{\prime },T_{2}^{\prime }\right)\) containing unknown keywords w and w^′, respectively, the decision algorithm by adversary is as follows:

$$\begin{array}{*{20}l} &\quad \hat e (T_{1},g)\cdot e\left(g_{1},T_{2}\right)^{-1} \\ &= \hat e\left(g,H(k,w)\cdot g_{1}^{r}\right)\cdot e\left(g_{1},g^{r}\right)^{-1}\\ &=\hat e(g,H(k,w))e\left(g_{1},g^{r}\right)e\left(g_{1},g^{r}\right)^{-1}\\ &=\hat e(H(k,w),g) \end{array} $$

where k, g are both fixed values for the same owner and receiver. An attacker captures some tuples T_w=(T₁,T₂) and \(\phantom {\dot {i}\!}T_{w^{\prime }} = (T_{1}^{\prime },T_{2}^{\prime })\). This distinguishing attack works as follows: if

$$\hat e(T_{1},g) \cdot \hat e(g_{1},T_{2})^{-1} = \hat e(T_{1}^{\prime},g) \cdot \hat e(g_{1},T_{2}^{\prime})^{-1} $$

then w=w^′, and w≠w^′ otherwise. Thus, the dIBAEKS scheme in [12] is insecure for multi-trapdoor privacy. This means that for the data owner sharing files to the receiver, the external attacker can effectively determine if multiple trapdoors generated by the receiver corresponds to the same keyword.

In addition, another scheme dIBAEKS-3 proposed in [12] also has the similar vulnerability. The decision algorithm is as follows: \(\hat {e}(T_{1},g_{1})\cdot \hat {e}(T_{2},g)^{-1} = \hat {e}(H(k,w),g_{1}) \). From two trapdoors: T_w=(T₁,T₂) and \(\phantom {\dot {i}\!}T_{w^{\prime }}=(T_{1}^{\prime },T_{2}^{\prime })\), an attacker checks whether \(\hat {e}(T_{1},g_{1})\cdot \hat {e}(T_{2},g)^{-1} = \hat {e}(T_{1}^{\prime },g_{1})\cdot \hat {e}(T_{2}^{\prime },g)^{-1}\) holds. If it holds, these two trapdoors are generated by the same keyword. Thus, the dIBAEKS-3 scheme is not able to provide multi-trapdoor privacy.

Definitions and security model

Definition

Our scheme consists of seven (probabilistic) polynomial-time(PPT) algorithms as follows.

• Setup(κ)→pp: Given a security parameter κ, it returns the global parameter pp.

• KeyGen_O(pp)→(Pk_O,Sk_O): Given the parameter pp, it returns the public/secret key pairs (Pk_O,Sk_O) of the data owner.

• KeyGen_R(pp)→(Pk_R,Sk_R): With the parameter pp, it outputs the public/secret key pairs (Pk_R,Sk_R) of the receiver.

• KeyGen_S(pp)→(Pk_S,Sk_S): Inputting pp, it calculates the public key and private key pairs (Pk_S,Sk_S) of the server.

• PEKS(pp,Pk_S,Pk_R,Sk_O,w)→C_w: Given the parameter pp, Pk_S of server, Pk_R of receiver, Sk_O of data owner and a keyword w, it outputs the ciphertext C_w.

• \(\phantom {\dot {i}\!}Trapdoor(pp, Pk_{O}, Sk_{R}, w^{\prime }) \rightarrow T_{w^{\prime }}\): With the parameter pp, the data owner’s Pk_O, Pk_R of a receiver and a keyword w^′, it computes the trapdoor \(\phantom {\dot {i}\!}T_{w^{\prime }}\) of w^′.

• \(\phantom {\dot {i}\!}Test\left (pp, Sk_{S}, C_{w}, T_{w^{\prime }}\right) \rightarrow \beta \): With pp, Sk_S, C_w and \(\phantom {\dot {i}\!}T_{w^{\prime }}\), it outputs 1 if C_w and \(T_{w^{\prime }}\) contain a same keyword, 0 otherwise.

Security model

In order to prevent an adversary obtaining any useful inforamtion of keywords, we define three games between a challenger \(\mathcal {C}\) and an adversary \(\mathcal {A}\), namely, multi-ciphertext indistinguishability, multi-trapdoor privacy and designated testability.

Game 1: Multi-ciphertext indistinguishability.

Setup: The challenger \(\mathcal {C}\) runs KeyGen_S, KeyGen_O and KeyGen_R algorithms with pp to generate (Pk_S, Sk_S), (Pk_O,Sk_O) and (Pk_R,Sk_R). It returns the tuple (pp,(Pk_S,Sk_S)) to \(\mathcal {A}\).

Phase 1: \(\mathcal {A}\) can issue the following two oracles for polynomial number times.

• Ciphertext Oracle \(\mathcal {O}_{C}\): With (Pk_O,Pk_R,Pk_S,w), \(\mathcal {C}\) computes the ciphertext C_w and sends it to \(\mathcal {A}\).

• Trapdoor Oracle \(\mathcal {O}_{T}\): With (Pk_O,Pk_R,w), \(\mathcal {C}\) computes a trapdoor T_w of a keyword w and returns it to \(\mathcal {A}\).

Challenge: \(\mathcal {A}\) sends two tuples of challenge keywords \(\vec { w}_{0} = \left (w_{0,1}, \dots, w_{0,n}\right), \vec {w}_{1} = \left (w_{1,1}, \dots, w_{1,n}\right)\) to \(\mathcal {C}\). However, the attacker cannot query the challenge keyword in tuple \(\vec w_{0}\) or \(\vec w_{1}\) in advance. \(\mathcal {C}\) selects a random bit b∈{0,1}, computes C_b,i←PEKS(pp,Pk_S,Pk_R,Sk_O,w_b,i), and returns a ciphertext set \(\vec C_{b} = \left (C_{b,1},\dots,C_{b,n}\right)\) to the adversary \(\mathcal {A}\).

Phase 2: The adversary \(\mathcal {A}\) can continue to query \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w except \(w \in \vec w_{0} \cup \vec w_{1} \).

Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, the condition that \(\mathcal {A}\) wins the game is b^′=b. The advantage of any PPT attacker \(\mathcal {A}\) who wins this game is defined as \(Adv_{\mathcal {A}}^{MCI}(\kappa) = \vert Pr[b^{\prime } = b] - \frac {1}{2} \vert \).

Game 2: Multi-trapdoor privacy.

Setup: Same as Game 1, \(\mathcal {C}\) generates (Pk_S,Sk_S), (Pk_O,Sk_O) and (Pk_R,Sk_R) and gives (pp,(Pk_S,Sk_S)) to \(\mathcal {A}\).

Phase 1: As in Game 1, an adversary can adaptively query the ciphertext oracle \(\mathcal {O}_{C}\) and trapdoor oracle \(\mathcal {O}_{T}\) in polynomial time.

Challenge: \(\mathcal {A}\) sends two challenge keywords tuples \(\vec w_{0} = \left (w_{0,1},\dots,w_{0,n}\right)\), \(\vec w_{1} = \left (w_{1,1},\dots, w_{1,n}\right)\) to \(\mathcal {C}\). However, the attacker cannot query the challenge key in tuple \(\vec w_{0}\) or \(\vec w_{1}\) in advance. \(\mathcal {C}\) computes and returns a trapdoor set \(\vec T_{b} = \left (T_{b,1},\dots,T_{b,n}\right)\) of a random bit b∈{0,1}.

Phase 2: As in Phase 1, \(\mathcal {A}\) can continue to query \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w except \(w \in \vec w_{0} \cup \vec w_{1} \).

Guess: \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, \(\mathcal {A}\) will win the game if b^′=b. The advantage of all PPT adversaries \(\mathcal {A}\) who win the game is defined as \(Adv_{\mathcal {A}}^{MTP}(\kappa) = \vert Pr[b^{\prime } = b] - \frac {1}{2} \vert \).

Game 3: Designated testability.

\(\mathcal {A}\) is an external adversary who can get the keyword ciphertext and the trapdoor by monitoring the public channel. However, \(\mathcal {A}\) cannot get the secret key of the server. Designated testability ensures that only a designated server who own the private key can search a keyword over ciphertexts.

Setup: \(\mathcal {C}\) runs KeyGen_S, KeyGen_O and KeyGen_R algorithms with pp to generate the public and private key pairs (Pk_S,Sk_S), (Pk_O,Sk_O) and (Pk_R,Sk_R). It then sends the tuple (pp,Pk_S) to \(\mathcal {A}\).

Phase 1: There are two oracles as follows, which allow \(\mathcal {A}\) to query in polynomial time.

• Ciphertext Oracle \(\mathcal {O}_{C}\): With (Pk_O,Pk_R,Pk_S,w), \(\mathcal {C}\) computes and returns the ciphertext C_w.

• Trapdoor Oracle \(\mathcal {O}_{T}\): Input a tuple (Pk_O,Pk_R,w), \(\mathcal {C}\) computes and outputs trapdoor T_w.

Challenge: \(\mathcal {A}\) sends two challenge keywords w₀, w₁ to \(\mathcal {C}\), then \(\mathcal {C}\) calculates and outputs C_b of a random bit b∈{0,1}.

Phase 2: As in Phase 1, \(\mathcal {A}\) can carry on querying for any keyword w_i except w_i∈(w₀,w₁).

Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Therefore, \(\mathcal {A}\) wins the game if b^′=b. The advantage for all PPT attackers who win the game is defined as \(Adv_{\mathcal {A}}^{DT}(\kappa) = \vert Pr[b^{\prime } = b] - \frac {1}{2} \vert \).

Proposed scheme

Construction

In this section, we propose a concrete construction of our scheme that can provide multi-ciphertext indistinguishability, multi-trapdoor privacy and security against key guessing attack. The details of proposed scheme are described as follows.

• Setup(κ): From κ, it chooses a bilinear pairing \(\hat {e}:{\mathbb {G}_{1} \times \mathbb {G}_{1} \rightarrow \mathbb {G}_{2}}\), where \(\mathbb {G}_{1},\mathbb {G}_{2}\) are cyclic groups of prime order q, and selects two random generators \(g,h \in \mathbb {G}_{1}\) and two cryptographic hash functions H₁: \(\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), H₂: \(\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\). It returns the public parameter \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h, \hat {e},H_{1},H_{2}\right)\).

• KeyGen_O(pp): It takes a grobal pubilc parameter pp as inputs, selects x←Z_p randomly and defines Pk_O=g^x and Sk_O=x. It outputs the data owner’s public/secret key pairs (Pk_O,Sk_O).

• KeyGen_R(pp): From pp, it chooses a random y←Z_p and sets Pk_R=g^y and Sk_R=y then returns the receiver’s public/secret key pairs (Pk_R,Sk_R).

• KeyGen_S(pp): By a grobal pubilc parameter pp, it selects randomly z←Z_p, and defines Pk_S=h^z and Sk_S=z. Finally it returns the server’s public/secret key pairs (Pk_S,Sk_S).

• PEKS(pp,Pk_S,Pk_R,Sk_O,w): Given the public parameter pp, Pk_S, Pk_R, Sk_O and a keyword w, a data owner performs the following steps:

  • Select a number \(r \in _{R} \mathbb {Z}_{q}^{*}\).

  • Calculate C₁=h^r, \( \kern0.3em {C}_2=\kern0.3em \hat{e}{\left(\kern0.3em P{k}_R,P{k}_S\kern0.3em \right)}^{rS{k}_O{H}_2(w)}\kern0.3em \) and C₃=g^rk, where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{R}^{Sk_{O}}\right)\).

  • Output the ciphertext C_w=(C₁,C₂,C₃) of w.

• Trapdoor(pp,Pk_O,Sk_R,w^′): From pp, Pk_O of data owner, Sk_R of receiver and a keyword w^′, a receiver executes the following steps:

  • Choose a number \(s \in _{R} \mathbb {Z}_{q}^{*}\).

  • Compute T₁=Pk_S^s and \(\phantom {\dot {i}\!}T_{2} = {{Pk_{O}}^{Sk_{R}H_{2}(w^{\prime })}} \cdot g^{sk}\), where \(\phantom {\dot {i}\!}k = H_{1}\left (Pk_{O}^{Sk_{R}}\right)\).

  • Return the trapdoor \(T_{w^{\prime }} = (T_{1},T_{2})\)

• Test(pp,Sk_S,C_w,T_w): After receiving \(T_{w^{\prime }}\), the server searchs over keyword ciphertexts {C_w} by testing \(\phantom {\dot {i}\!}\hat {e}(T_{2},C_{1}^{Sk_{S}}) = \hat {e}(T_{1},C_{3}) \cdot C_{2}\) using his private key Sk_S. If the equation holds, it outputs 1; otherwise, it outputs 0.

Correctness: Assume that (Pk_O,Sk_O), (Pk_R,Sk_R) and (Pk_S,Sk_S) be the data owner, the receiver and the server’s public/secret key pairs respectively. C_w=(C₁,C₂,C₃) is the ciphertext of a keyword w generated by the owner. \(T_{w^{\prime }} = (T_{1},T_{2})\) is a trapdoor of a keyword generated by the receiver. It follows that:

$$\begin{array}{*{20}l} \hat{e}(T_{2},C_{1}^{Sk_{S}}) &= \hat{e}\left({Pk_{O}}^{Sk_{R}H_{2}(w')+{rk}}, h^{{Sk_{S}}r} \right) \\ &= \hat{e}(g,h)^{rxyzH_{2}(w^{\prime}vv)} \cdot \hat{e}(g,h)^{rszk}.\\ \hat{e}(T_{1},C_{3}) \cdot C_{2} &= \hat{e}\left(h^{zs},g^{rk}\right) \cdot \hat{e}\left(g^{y},h^{z}\right)^{rxH_{2}(w)}\\ &= \hat{e}(g,h)^{rxyzH_{2}(w)} \cdot \hat{e}(g,h)^{rszk}. \end{array} $$

Thus, if w=w^′, then \(\phantom {\dot {i}\!}\hat {e}\left (T_{2},C_{1}^{Sk_{S}}\right) = \hat {e}\left (T_{1},C_{3}\right) \cdot C_{2}\) holds with probability 1; otherwise, it holds with overwhelming probability by the collision resistance of the hash function H₂.

Security proof

In this subsection, we prove that our scheme achieves the security of MCI, MTP and designated testability. Formally, we have the following theorems.

Theorem 1

Under the assumption of DBDH, our scheme satisfies multi-ciphertext indistinguishability.

Proof Assume that \(\mathcal {A}\) is an adversary who tries to destroy the MCI security. And the algorithm \(\mathcal {C}\) for solving DBDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,g,g^{x},g^{y},g^{z},Z_{1}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.

Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1}, \mathbb {G}_{2}, q, g, \hat {e}, h =g^{\alpha }, H_{1}, H_{2}\right)\), Pk_O=g^x, Pk_R=g^y and (Pk_S,Sk_S)=(h^t,t). It then sends pp and (Pk_S,Sk_S) to \(\mathcal {A}\).

Phase 1: We define several oracles as follows, which allow \(\mathcal {A}\) to query many times. We assume that \(\mathcal {A}\) cannot query the same oracle more than once.

• Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\): In response to the H₁ query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{1}}= \left \{< m_{i},a_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{1}}\) times at most. For querying m_i to the oracle, it will perform the following operations: At first, if \(\hat {e}(g,m_{i}) = \hat {e}\left (g^{x},g^{y}\right)\), \(\mathcal {C}\) randomly returns a bit b^′ and halts. Otherwise \(\mathcal {C}\) checks whether m_i exists in the tuple list. If so, \(\mathcal {C}\) takes out the corresponding tuple and returns a_i to \(\mathcal {A}\). Otherwise, it randomly chooses a new exponent a_i∈{0,1}^κ, stores <m_i,a_i> in \(\phantom {\dot {i}\!}L_{H_{1}}\) and returns a_i to \(\mathcal {A}\).

• Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\): In response to the H₂ query, the oracle maintains a tuple list \(\phantom {\dot {i}\!}L_{H_{2}}= \left \{< w_{i},b_{i}>\right \}\). We assume that \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) can be asked by attackers for \(\phantom {\dot {i}\!}q_{H_{2}}\) times at most. When submitting the keywords w_i to the Oracle for query, it will perform the following operations: At first, it checks whether w_i exists in the tuple list. if it exists, \(\mathcal {C}\) will take out the corresponding tuple and return b_i to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent b_i∈{0,1}^κ, stores <w_i,b_i> in \(\phantom {\dot {i}\!}L_{H_{2}}\)and returns b_i to \(\mathcal {A}\).

• Oracle \(\mathcal {O}_{E}\): It takes public key Pk_i as input. To response to the queries, the oracle maintains a tuple list L_E={<Pk_i,c_i,V_i>}, and it is assumed that \(\mathcal {O}_{E}\) can be asked by attackers for q_E times at most. When submitting Pk_i to the Oracle query, it will perform the following operations: At first, if Pk_i=g^x or Pk_i=g^y, \(\mathcal {C}\) randomly returns a bit b^′ and halts. Otherwise \(\mathcal {C}\) tests whether exists Pk_i in the tuple list. If so, \(\mathcal {C}\) chooses the candidate tuple and returns c_i to \(\mathcal {A}\). Otherwise, it randomly selects a new exponent c_i∈{0,1}^κ, and computes \(\phantom {\dot {i}\!}V_{i} = {Pk_{i}}^{c_{i}}\). Finally, it stores <Pk_i,c_i,V_i> in L_E and outputs c_i.

• Ciphertext Oracle \(\mathcal {O}_{Ciphertext}\): Input a tuple (pk_O,Pk_R,w_i), which w_i∈{0,1}^∗, it randomly chooses \(r_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{2w_{i}}\right)\) as follows.

  • If (Pk_O,Pk_R)=(g^x,g^y) or (Pk_O,Pk_R)=(g^y,g^x), then it sets \(\phantom {\dot {i}\!}g^{z} = g^{\alpha r_{i}}\), and computes \(C_{1w_{i}} = g^{z}\), \(\phantom {\dot {i}\!}C_{2w_{i}} = Z_{1}^{tb_{i}}\), \(C_{3w_{i}} = g^{r_{i}a_{i}} \).

  • Otherwise, at least one Pk_i in (Pk_O,Pk_R) is equal to g^x or g^y. It computes H₂(w_i)=b_i, k=a_i, and returns to \(\mathcal {A}\) with \(C_{w_{i}} = \left (C_{1w_{i}},C_{2w_{i}},C_{3w_{i}}\right)\), where \(C_{1w_{i}} = h^{r_{i}}\), \(C_{2w_{i}}=\hat {e}(g^{y},h^{r_{i}})^{tc_{o}b_{i}}\) and \(C_{3w_{i}} = g^{r_{i}{a_{i}}}\).

• Trapdoor Oracle \(\mathcal {O}_{Trapdoor}\): Input (Pk_O,Pk_R,w_i), where w_i∈{0,1}^∗, it randomly chooses \(s_{i} \in \mathbb {Z}_{q}^{*}\), and computes \(T_{w_{i}} = (T_{1w_{i}},T_{2w_{i}})\) as follows.

  • If (Pk_O,Pk_R)=(g^x,g^y) or (Pk_O,Pk_R)=(g^y,g^x), then it computes \(T_{1w_{i}} = g^{ts_{i}}\) and \(T_{2w_{j}i} = Z_{2}^{b_{i}}\cdot g^{{r_{i}a_{i}}}\).

  • Otherwise, at least one Pk_i in (Pk_O,Pk_R) equals to g^x or g^y. It calculates H₂(w_i)=b_i, k=a_i, and returns to \(\mathcal {A}\) with \(T_{w_{i}} = \left (T_{1w_{i}},T_{2w_{i}}\right)\), where \(T_{1w_{i}} = g^{ts_{i}} \), \(\phantom {\dot {i}\!}T_{2w_{i}}=(g^{x})^{c_{o}b_{i}}\cdot g^{{s_{i}a_{i}}}\).

Challenge: \(\mathcal {A}\) completes multiple queries on the above oracles. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly selects a random number r_i and a bit \(\hat {b} \in \{0,1\}\). then \(\mathcal {C}\) outputs a ciphertext tuple \(\vec C_{{{w_{\hat {b}}}}^{*}} = \left (C_{{w_{\hat {b},1}}^{*}},\dots,C_{{w_{\hat {b},n}}^{*}}\right)\) where \(C_{{1w_{\hat {b},i}}^{*}} = g^{z}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{tb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b},i}}^{*}} = g^{za_{i}} \).

Phase 2: As with Phase 1 of operation, \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{Ciphertext}\) and/or \(\mathcal {O}_{Trapdoor}\) for any keyword w_i except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).

Guess: The adversary\(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b^′=0 if \(\hat {b^{\prime }} = \hat {b}\), b^′=1 otherwise.

If the guess of the challenging public key is incorrect, \(\mathcal {C}\) will abort. This event is represented by E. If \(\mathcal {C}\) aborts, \(\mathcal {C}\) outputs a random bit. The termination probability of E is \(\frac {1}{q_{E}(q_{E} -1)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}(q_{E} -1)}\).

Assume that algorithm \(\mathcal {C}\) is not aborted. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and \(Z_{1} = \hat {e}(g,g)^{xyz}\), the adversary \(\mathcal {A}\) will win with \(Adv_{\mathcal {A}}^{MCI}(\kappa) + \frac {1}{2}\). If Z₁ is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z_{1}^{Sk_{S}H_{2}(w)}\) is a random element of \(\mathbb {G}_{2}\). In this case, the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\) can be tested. When the keywords are consistent, test algorithm outputs 1. Therefore, \(\mathcal {A}\) has a 1/2 probability that he wins the Game 1. Thus, the advantage for \(\mathcal {C}\) in solving DBDH problem is

$$\begin{array}{*{20}l} &\quad Adv_{\mathcal{B}}^{DBDH}(\kappa)\\ &=\! \vert \!Pr[b^{\prime} = b\! \mid E]\! \cdot \!Pr[E] \!+ \!Pr[b^{\prime} = b\! \mid\! \overline{E}] \cdot\! Pr[\overline{E}]\! - \!\frac{1}{2} \vert\! \\ &= \!\vert\! \frac{1}{2} \!\cdot \!(1-\!Pr[\overline{E}])\! + \!\left(Pr[b^{\prime}\! =\! 0]\! \mid \!\overline{E}\!\cap\! b\! =\!0 \right)\!\cdot\! Pr[b\,=\,0]\!\\ & \qquad + Pr[b^{\prime} = 1 \mid \overline{E} \cap b = 1] \cdot Pr[\overline{E}] - \frac{1}{2} \vert\\ &\geq \vert Pr[\overline{E}] \cdot \left(\left(Adv_{\mathcal{A}}^{MCI} + \frac{1}{2}\right)\cdot \frac{1}{2} + \frac{1}{2} \cdot \frac{1}{2}\right) - \frac{1}{2} \end{array} $$

$$\begin{array}{*{20}l} & \qquad+\frac{1}{2} \cdot (1-Pr[\overline{E}]) + Pr[\overline{E}] \vert \\ &= \frac{1}{2}Pr[\overline{E}]Adv_{\mathcal{A}}^{MCI}(\kappa)\\ &= \frac{1}{2q_{E}(q_{E} - 1)} \cdot Adv_{\mathcal{A}}^{MCI}(\kappa). \end{array} $$

Theorem 2

Under the assumption of DDH, our scheme satisfies semantically MTP security.

Proof Assume that \(\mathcal {A}\) is an external opponent who tries to crack the Multi-trapdoor Privacy. Moreover, the algorithm \(\mathcal {C}\) for solving the DDH problem is established. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},q,g,g^{x},g^{y},Z_{2}\right)\), the algorithm \(\mathcal {C}\) works exactly as follows.

Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = \left (\mathbb {G}_{1},\mathbb {G}_{2},q,g,h =g^{\alpha },H_{1},H_{2}\right)\), Pk_O=g^x, Pk_R=g^y and (Pk_S,Sk_S)=(h^t,t). It then sends pp to \(\mathcal {A}\).

Phase 1: Same as in Theorem 1.

Challenge: \(\mathcal {A}\) completes multiple queries on the above research. It selects two challenge keyword tuples \(\vec w_{0}^{*}\) and \(\vec w_{1}^{*}\), and sends them to \(\mathcal {C}\) with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) randomly select a number s_i and a bit \(\hat {b} \in \{0,1\}\). Then, \(\mathcal {C}\) returns a trapdoor set \(\vec T_{{w_{\hat {b}}}^{*}}= \left (T_{{w_{\hat {b},1}}^{*}},\dots, T_{{w_{\hat {b},n}}^{*}}\right)\) where \(T_{{1w_{\hat {b},i}}^{*}} = h^{ts_{i}}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\).

Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w_i except \(w_{i} \in \vec w_{0} \cup \vec w_{1} \).

Guess: The adversary \(\mathcal {A}\) sends its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). He returns b^′=0 if \(\hat {b^{\prime }} = \hat {b}\), b^′=1 otherwise.

If the guess of challenging public key is incorrect, \(\mathcal {C}\) will abort. This event will be represented by E. If \(\mathcal {B} \) aborts, \(\mathcal {C}\) outputs a random bit. The probability that it being equal to b is 1/2. According to the random guess of b, the termination probability of E is \(\frac {1}{q_{E}\left (q_{E} -1 \right)}\), therefore, \(Pr[\overline {E}] = \frac {1}{q_{E}\left (q_{E} -1 \right)}\).

Othervise, \(\mathcal {C}\) does not abort. If the simulation provided by algorithm \(\mathcal {C}\) is the same as scenario of \(\mathcal {A}\) in real attack and Z₂=g^xy, an adversary \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{MTP}(\kappa) + \frac {1}{2}\). If Z₂ is randomly chosen from the group \(\mathbb {G}_{2}\), \(T_{{2w_{\hat {b},i}}^{*}} = Z_{2}^{b_{i}} \cdot g^{s_{i}a_{i}}\) will be a random element of \(\mathbb {G}_{2}\). Therefore, the challenge trapdoor tuple hides \(\hat {b}\) completely. In this case, the adversary can test the trapdoor \(\vec T_{{w_{\hat {b}}}^{*}} \) and the ciphertext \(\vec C_{{w_{\hat {b}}}^{*}}\). When the keywords are equal, the test algorithm outputs 1. Thus, the advantage for \(\mathcal {C}\) in solving DDH problem is equal to the advantage in Theorem 1.

Theorem 3

Under the assumption of DBDH, our scheme satisfies designated testability.

Proof Assume that \(\mathcal {A}\) is an attacker who tries to crack the designated testability and the challenger \(\mathcal {C}\) wants to solve DBDH problem. Given a instance of this problem, such as \(Y = \left (\mathbb {G}_{1},\mathbb {G}_{2},\hat {e},q,h,h^{x},h^{y},h^{z},Z_{3}\right)\), the algorithm \(\mathcal {C}\) works as follows.

Setup: \(\mathcal {C}\) randomly selects two hash functions \(H_{1}:\mathbb {G}_{1} \rightarrow \mathbb {Z}_{q}^{*}\), \(H_{2}:\{0,1\}^{*} \rightarrow \mathbb {Z}_{q}^{*}\) and sets \(pp = (\mathbb {G}_{1}, \mathbb {G}_{2}, q\), \(\hat {e}\), h, H₁, H₂, g=h^x), (Pk_O,Sk_O)=(g^s,s), (Pk_R,Sk_R)=(g^t,t) and Pk_S=h^z. It then sends pp to \(\mathcal {A}\).

Phase 1: Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{1}}\) and Hash Oracle \(\phantom {\dot {i}\!}\mathcal {O}_{H_{2}}\) are same in Theorem 1. We only define Exact Oracle \(\mathcal {O}_{E}\) as follows.

• Exact Oracle \(\mathcal {O}_{E}\): Given Pk expect Pk_S, the algorithm \(\mathcal {C}\) returns Sk.

Frist \(\mathcal {A}\) performs multiple queries on the above oracle. It selects two challenge keywords \( w_{0}^{*}\) and \(w_{1}^{*}\). Then \(\mathcal {A}\) returns \((w_{0}^{*}, w_{1}^{*})\) to \(\mathcal {C}\) together with \(Pk_{O}^{*}\) and \(Pk_{R}^{*}\). \(\mathcal {C}\) selects a number \(y \in _{R} \mathbb {Z}_{q}\) and a bit \(\hat {b} \in _{R} \{0,1\}\), and outputs \(\phantom {\dot {i}\!}C_{{w_{\hat {b}}}^{*} }= \left (C_{{1w_{\hat {b}}}^{*}}, C_{{2w_{\hat {b}}}^{*}}, C_{{3w_{\hat {b}}}^{*}}\right)\) where \(C_{{1w_{\hat {b}}}^{*}} = h^{y}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b}}}^{*}} = Z_{3}^{stb_{i}}\), \(\phantom {\dot {i}\!}C_{{3w_{\hat {b}}}^{*}} = g^{yk}\).

Phase 2: \(\mathcal {A}\) continue to enquire \(\mathcal {O}_{C}\) and/or \(\mathcal {O}_{T}\) for any keyword w_i except w_i∈{w₀,w₁}.

Guess: The adversary \(\mathcal {A}\) transmits its guess bit \(\hat {b^{\prime }}\) to \(\mathcal {C}\). Returns b^′=0 if \(\hat {b^{\prime }} = \hat {b}\), b^′=1 otherwise. If the simulation provided by algorithm \(\mathcal {C}\) is the same as \(\mathcal {A}\) in real attack and \(Z = \hat {e}(h,h)^{xyz}\), \(\mathcal {A}\) will win the game with the probability of \(Adv_{\mathcal {A}}^{DT}(\kappa) + \frac {1}{2}\). If Z is randomly chosen from the group \(\mathbb {G}_{2}\), \(\phantom {\dot {i}\!}C_{{2w_{\hat {b},i}}^{*}} = Z^{Sk_{S}H_{2}(w)}\) is a well distributed challenge ciphertext. And \(\mathcal {A}\) has a 1/2 probability of winning the game. Thus, \(\mathcal {C}\)’s advantage in solving DBDH problem is

$$\begin{array}{*{20}l} &Adv_{\mathcal{B}}^{DBDH}(\kappa) \\ &= \vert Pr[b^{\prime} = 1 \mid b = 1] \cdot Pr[b= 1] \\ & \qquad + Pr[b^{\prime} = 1 \mid b = 1] \cdot Pr[b= 1] - \frac{1}{2} \vert \\ &= \vert \frac{1}{2} \cdot \frac{1}{2} + \frac{1}{2}\cdot\left(Adv_{\mathcal{A}}^{DT}(\kappa) + \frac{1}{2}\right) - \frac{1}{2} \vert \\ &= \frac{1}{2}Adv_{\mathcal{A}}^{DT}(\kappa). \end{array} $$

Perfomance analysis

In this section, we analyze the performance of our scheme and the existing schemes(PAKES scheme [8], dIBAEKS scheme [12], SCF-PEKS scheme [3], dPEKS scheme [4] and Pan-Li’s scheme [10]) in terms of computational and communication overheads. Moreover, we analyze the security between these PEKS schemes in MCI, MTP and security against KGA.

To evaluate the efficiency, we implemented the operations in our schemes using the MRACL library [37] on a personal notebook computer with an I7-8750H 2.20GHz processor, 16 GB memory, and Window 10 operating system.

First, we give the elapsed time of main operations used in searchable encryption schemes in Table 2. Main operations are pairing operation P, Hash-to-point operation H_p, modular exponentiation E and multiplication operation M in G₁, where P≈H_p>M>E≫H. The general hash operation takes less time than the above operations in Table 2. Thus, it is ignored in our computation analysis.

Table 2 Symbols and execution times(ms)

From Table 3, we give a theoretical efficiency comparison in computational time and communication complexity of PEKS algorithm, Trapdoor algorithm, and Test algorithm of our scheme and previous schemes [3, 4, 8, 10, 12]. In terms of computational efficiency, compared with other algorithms, PEKS and trapdoor algorithms are more efficient without using hash-to-point operation. Among the Test algorithms, our scheme is slightly weaker than other schemes, because it adds the designated testability to ensure that only the specified server can perform search operations. In terms of communication efficiency, our efficiency is basically the same as other schemes. Figs. 2, 3 and 4 demonstrate the practical performance of PEKS algorithm, Trapdoor algorithm, and Test algorithm, respectively.

Fig. 2

Running Time of PEKS Algorithm

Fig. 3

Running Time of Trapdoor Algorithm

Fig. 4

Running Time of Test Algorithm

Table 3 Computation and Communcitaion efficiency comparison

As shown in Fig. 2, the computation cost to encrypt the keywords is lower than the three schemes [3, 4, 12] and is similar to that of Huang et al.’s scheme [8] and Pan and Li’s scheme [10]. For the efficiency of trapdoor algorithm, Fig. 3 illustrates that the trapdoor algorithm in our scheme runs much faster than that in all schemes [3, 4, 8, 10, 12] because our trapdoor algorithm performs no pairing and Hash-to-point operations. In Fig. 4, the computation complexity in our scheme is higher than Baek et al.’s scheme [3] and is not worse than other four schemes. To ensure that the user-side algorithms (Trapdoor and PEKS algorithms) have higher security and efficiency, we add the server’s private key to the test algorithm for stronger security, thus the efficiency of the server’s Test algorithm is compromised.

Moreover, Table 4 illustrates the security comparison including MCI security, MTP security, Inside KGA, and Requirement for the secure channel between our scheme and these existing schemes. As shown in Table 4, Huang et al.’ s scheme [8] can resist inside KGA, but it needs a secure channel and cannot provide MCI security. Li et al.’s scheme [12], Baek et al.’s scheme [3] and Rhee et al.’s scheme [4] can provide MCI security but not guarantee MTP and security against KGA. Pan and Li’s scheme [10] is able to resist inside KGA and have MTP security but cannot satisfy MCI security. Our scheme satisfies MCI, MTP and security against inside KGA.

Table 4 Security comparison

Conclusion

In this paper, we first analyze the security of Li et al.’s scheme and propose a multi-trapdoor attack against it. Next, we construct a secure public-key searchable encryption scheme with designated server based on Diffie-Hellman problem. It is proved that our scheme can provide multi-ciphertext indistinguishability, multi-trapdoor privacy security and designated testability. Then we compare our scheme with others in terms of communication cost and computational cost. The results show that our scheme is more efficient in keyword ciphertext and trapdoor algorithms. However, our scheme can not prevent the server from executing the multi-trapdoor attack since the server can construct a certain equation by his private key to obtain the relationship of multiple trapdoors. As our future work, we will explore achieving multi-trapdoor privacy of keywords for the inside servers.