A Secure and Efficient Data Sharing and Searching Scheme in Wireless Sensor Networks

Wireless sensor networks (WSN) generally utilize cloud computing to store and process sensing data in real time, namely, cloud-assisted WSN. However, the cloud-assisted WSN faces new security challenges, particularly outsourced data confidentiality. Data Encryption is a fundamental approach but it limits target data retrieval in massive encrypted data. Public key encryption with keyword search (PEKS) enables a data receiver to retrieve encrypted data containing some specific keyword in cloud-assisted WSN. However, the traditional PEKS schemes suffer from an inherent problem, namely, the keyword guessing attack (KGA). KGA includes off-line KGA and on-line KGA. To date, the existing literature on PEKS cannot simultaneously resist both off-line KGA and on-line KGA performed by an external adversary and an internal adversary. In this work, we propose a secure and efficient data sharing and searching scheme to address the aforementioned problem such that our scheme is secure against both off-line KGA and on-line KGA performed by external and internal adversaries. We would like to stress that our scheme simultaneously achieves document encryption/decryption and keyword search functions. We also prove our scheme achieves keyword security and document security. Furthermore, our scheme is more efficient than previous schemes by eliminating the pairing computation.


Introduction
Wireless sensor networks (WSN) and cloud computing have been widely deployed in daily life. A WSN consists of small low-power sensors and lightweight mobile devices connected to the Internet [1,2]. These devices collect and exchange information in a variety of applications. Cloud computing has the advantage of practically unlimited storage and computation capability. WSN is emerging rapidly, driven to an unprecedented degree by the assistance of cloud computing. As an emerging technology, WSN has utilized cloud computing to store and process data in order to reduce the burden on lightweight mobile devices.
More and more attention has been paid to using WSN technology as a crucial part of the Internet of Things (IoT) in various industries. IoT improves manufacturing efficiency and enables sustainable production [3][4][5][6][7]. In IoT and cloud-assisted WSN applications, enterprises and individuals have used cloud storage for data storage and data sharing to reduce the burden of local storage. Security concerns, such as users' confidence that their data will remain secure with nobody able to modify or observe its contents, remain the stumbling block that hinders the adoption of cloud-assisted WSN. Generally, users encrypt the data prior to uploading it to the cloud server in order to protect data confidentiality. Unfortunately, this approach eliminates the data search services provided by modern search engines, which makes an effective data search function a challenging research problem. There are two trivial solutions to the search problem in encrypted documents. The first is that the data receiver downloads the encrypted data locally, then decrypts the data and searches for the keyword at the local end. However, this method is impractical since it requires huge communication consumption and occupies a huge local storage space in the WSN. The other is for the data receiver to send the authorization key to the cloud server, which enables it to decrypt the encrypted documents in the cloud and perform the search operation. However, this approach exposes data privacy to the cloud server and contradicts the original intention of data encryption. Focusing on the aforementioned problem, searchable encryption was proposed [9]. Searchable encryption enables a data receiver to authorize the cloud server to search in encrypted documents and return the associated encrypted files, without the encrypted documents needing to be decrypted.
Searchable encryption can be divided into symmetric searchable encryption (SSE) and public key encryption with keyword search (PEKS). In SSE, a shared key is required to achieve a data sharing function. PEKS [10] was proposed to eliminate the shared key in SSE. The general PEKS system includes three participants, that is, data senders, a data receiver and a cloud server. Data senders encrypt the data file and keywords index using the data receiver's public key and then send ciphertexts to the cloud server. The data receiver uses its private key to generate a keyword trapdoor and transmits it to the cloud server. The cloud server uses the trapdoor to match the keyword ciphertext, if the keyword in the ciphertext and the keyword in the trapdoor are equal, it outputs equal; otherwise it outputs not equal.
Unfortunately, the traditional PEKS suffers from an inherent insecurity problem regarding trapdoor privacy. Anyone can use the data receiver's public key to generate a valid keyword ciphertext. If the channel between the data receiver and the cloud server is public, then the trapdoor is also open. If the adversary can execute the test algorithm, then it can verify whether or not the trapdoor and the ciphertext match. When they match, the keyword in the trapdoor is equal to the keyword in the ciphertext; otherwise, the adversary can continue to guess another keyword until the correct keyword is found, since the keyword space is small. This kind of attack is called an off-line keyword guessing attack (off-line KGA), as shown in Figure 2. The off-line KGA is divided into an external adversary's off-line KGA and an internal server adversary's off-line KGA, according to whether the adversary is an external adversary or an internal server adversary. Besides, another inherent insecurity problem regarding trapdoor privacy exists in the traditional PEKS scheme. Since the keyword space is small, a malicious data sender (including the external adversary) can generate a data file ciphertext and an associated keyword ciphertext by guessing a keyword. If the channel between the data receiver and the cloud server is public, then the trapdoor used to locate and return encrypted files is also open. After the cloud server performs the test matching operation, the related encrypted data files are returned. If the returned files contain an encrypted data file generated by the malicious sender, the malicious data sender can determine the keyword associated with that encrypted data file, and so the keyword in the trapdoor is also known to the malicious data sender. This kind of attack is called an on-line keyword guessing attack (on-line KGA), as shown in Figure 3.
The difference between on-line KGA and off-line KGA mainly depends on whether the adversary attacks the scheme through the cloud server. For both types of attack, a trivial solution is a secure channel to share a secret between the data receiver and the data senders. A secure channel between the cloud server and the data receiver can avoid the off-line KGA initiated by the external adversary and the on-line KGA. But the cost of building a secure channel prevents a Wi-Fi or 4G method from being utilized in practical applications. Moreover, against an internal server adversary, the data receiver and every data sender would have to share a secret over a secure channel to resist the off-line KGA initiated by the internal cloud adversary, but this method breaks the asymmetry property of PEKS. Therefore, it is significant and essential to resist both off-line KGA and on-line KGA performed by external and internal adversaries.
Consider a specific scenario: Personal Health Records (PHRs) are confidential documents to anyone except the patient and the chief physician. In order to protect patients' PHR privacy, patients need to encrypt the PHR data prior to uploading it to the cloud server. We want to implement a search function, so that a chief physician can search the PHR information they are authorized to see. We can use a PEKS scheme to solve the keyword search problem in encrypted PHRs. However, the PEKS scheme suffers from an inherent problem, namely, the keyword guessing attack (KGA). In the process of searching, the adversary may obtain the keyword in the trapdoor, which exposes PHR data privacy to the adversary. Therefore, if we can design an efficient and secure data sharing and searching scheme that addresses the off-line KGA and on-line KGA problem, then data privacy will be guaranteed.

Our Contributions
In this paper, we study how to resist both off-line KGA and on-line KGA performed by external and internal adversaries in PEKS and propose a remedy to these problems. Specifically, our contributions are as follows: 1. We introduce a data sharing and searching (DSS) framework that can effectively resist both off-line KGA and on-line KGA performed by an external adversary and an internal adversary. We also give a specific dual server DSS construction. The security of the scheme achieves double ciphertext indistinguishability against the on-line KGA and indistinguishability against a chosen keyword attack (IND-CKA). We adopt the dual server method, which divides the cloud server into a forward server and a backward server such that no single server can complete the test algorithm independently and no single server can obtain the correspondence between trapdoor and keyword ciphertext; therefore, the off-line KGA cannot be conducted successfully.
2. We add data file encryption/decryption to our scheme. In the traditional PEKS scheme, there is no algorithm for data file encryption/decryption. PEKS mainly focuses on the search process and omits the data file encryption/decryption process, which means there is only a keyword encryption algorithm in PEKS and no data file encryption/decryption algorithm. However, in actual applications, data file encryption/decryption is indispensable. A malicious data sender adversary may initiate an on-line KGA by observing the encrypted returned files. We adopt the re-encryption technique, so that the malicious data sender (including the backward server) cannot obtain the correspondence between a trapdoor and an encrypted data file; therefore, the on-line KGA cannot be conducted successfully.
3. Our scheme can simultaneously resist both off-line KGA and on-line KGA performed by external and internal adversaries. It does not require a secure channel and keeps the asymmetry property, unlike the trivial solution. Compared to previous schemes, our scheme also improves efficiency by eliminating the pairing computation and offers richer functionality by adding the data file encryption/decryption process.
Technical note: We choose PEKS as the starting point for the design of the scheme. For resisting KGA, we discuss on-line KGA and off-line KGA. For an external adversary's off-line KGA, the scheme generates a key pair for the cloud server to prevent the external adversary from launching an off-line KGA after eavesdropping on the trapdoor through the public channel. We should point out that generating a key pair for the server alone cannot entirely resist an external adversary's off-line KGA. For example, Baek's scheme has a fixed trapdoor. By comparing two bilinear pairs, the adversary can guess a keyword. We also need the trapdoor to satisfy trapdoor indistinguishability to overcome this external adversary's off-line KGA.
For an internal server adversary's off-line KGA, we divide the cloud server into two servers, the forward server and the backward server. No single server can complete the test algorithm independently. Then no single server can obtain the correspondence between the trapdoor and the keyword ciphertext, so the off-line KGA cannot be initiated. Therefore, our framework can resist off-line KGA performed by external and internal adversaries.
For on-line KGA, since the attack is initiated by observing the returned data files, we need to consider the data file encryption/decryption. We use the encryption scheme to provide data file encryption/decryption. The malicious data sender observes whether the returned data file ciphertexts include one it generated itself, and thereby judges the keyword in the eavesdropped trapdoor. Since the cloud server has strong computing power, we let the forward server perform double encryption on the data file ciphertext. In this way, the generated double ciphertext satisfies ciphertext indistinguishability for a malicious data sender, and therefore the malicious data sender adversary cannot initiate an on-line KGA. Reference [19] only satisfies trapdoor security against on-line KGA, and it also suffers from the off-line KGA. In 2016, Chen et al. proposed a two cloud server model [20] in which no single server can complete the test operation, so that it can resist the off-line KGA. However, in Chen et al.'s scheme [20], anyone who can generate a trapdoor and access the test query can create a security problem. It also cannot resist on-line KGA.

Related Works
In 2016, Chen et al. proposed a joint scheme combining PKE and PEKS [21]. This scheme achieved the IND-CCA security and the indistinguishability against a chosen keyword ciphertext attack security but it could not resist both off-line and on-line KGA. In 2009, Tang et al. proposed a PEKS scheme for resisting off-line KGA [22]. Tang et al.'s method is to share the previously registered keywords between the receiver and every data sender. In 2017, Satio et al. proposed a PEKS scheme of designed-senders [23]. As a designed data sender, it needs to obtain the receiver's authentication. Only the specified data sender can generate valid ciphertext and upload the shared encrypted data to the cloud server; therefore, the internal server adversary cannot generate valid ciphertext and cannot initiate the off-line KGA. In the same year, Huang et al. [24] and Jiang et al. [25] also used the idea of designed-senders. Only designed-senders can generate valid ciphertext so that it can resist the internal adversary's off-line KGA. In 2018, Wu et al. proposed an off-line KGA scheme against an internal server adversary [26]. It is a method for sharing a secret between the data receiver and every sender. However, all the above five schemes have broken the asymmetry property of PEKS and cannot resist on-line KGA. Zhu et al. proposed a PEKS with a public verifiability scheme [27]. It achieves the public verifiability of the search results, but it cannot resist the internal server's off-line KGA. Han et al. proposed a survey of keyword search schemes in recent years [28]. Many researchers also studied the keyword search problem [29,30].
After we finished our work, we found that Noroozi et al. concurrently presented a generalized PEKS structure against off-line KGA and on-line KGA for an external adversary [31]. Their method combines PEKS with a designated server structure and the technique of re-randomizing ciphertexts. However, it is not enough for a PEKS scheme to resist this external adversary alone. The PEKS scheme still needs to resist an internal server adversary. In our work, we design a PEKS scheme that simultaneously resists both the external adversary and the internal server adversary.
Noroozi et al. also consider that designing a PEKS scheme which is secure against off-line KGA and on-line KGA, even when performed by the internal server adversary, remains a challenging problem.
We also found that this challenging problem still needs to be addressed. We designed a secure and efficient data sharing and searching (DSS) scheme against both off-line KGA and on-line KGA performed by external and internal adversaries.

Organization
The paper is organized as follows. The scheme definition and security model are described in Section 2. A secure and efficient data sharing and searching scheme against KGA (DSS against KGA) is proposed in Section 3. We analyze the security and efficiency of the proposed scheme in Section 3. The paper is concluded in Section 4.

System Model
The model of the dual server DSS against KGA scheme (dual server DSS against KGA model) that we propose is shown in Figure 4. There are four participants in this model: data senders, a receiver, cloud server 1 and cloud server 2. The workflow is as follows. First, data senders encrypt the data file M using the data receiver's public key pk_r and the encryption algorithm Enc to form a data file ciphertext C_1. Data senders also encrypt the corresponding keyword index using the two servers' public keys pk_{s,1}, pk_{s,2}, the receiver's public key pk_r and the encryption algorithm peks to form the keyword ciphertext C_2, then send the ciphertext (C_1, C_2) to cloud server 1. Second, cloud server 1 generates the double ciphertext by re-encrypting the data file ciphertext C_1. Then, the data receiver uses its secret key sk_r to generate a keyword trapdoor T_w and transmits it to cloud server 1. Next, cloud server 1 uses the trapdoor T_w and the keyword ciphertext C_2 to compute the transitional ciphertext C_T, and sends C_T to cloud server 2. Afterwards, cloud server 2 outputs the matching result. If the keyword in the ciphertext and the keyword in the trapdoor are equal, cloud server 2 sends the relevant double ciphertext of the data file to the data receiver. In the final step, the receiver decrypts the data file's double ciphertext using its secret key sk_r to obtain the message M.
Although our scheme uses the re-encryption technique, its computational efficiency is almost equal to that of Noroozi et al.'s re-randomizing ciphertexts technique. Of course, the re-encryption technique can also easily be replaced by a re-randomizing ciphertexts technique in our work.

Algorithm Definitions
Before defining our algorithms, Table 1 fixes the notation for the mathematical symbols used throughout the paper.

Table 1. Notation.

Notation: Description
sp: System parameter
pk_{s,1}, sk_{s,1}: Public/secret key of cloud server 1
pk_{s,2}, sk_{s,2}: Public/secret key of cloud server 2
pk_r, sk_r: Public/secret key of the receiver
Enc: Encryption algorithm Enc for the data m
peks(m): Encryption algorithm peks for the keyword w
C_1: Message ciphertext
C_2: Searchable ciphertext for a keyword
O_i(w): Trapdoor oracle for the keyword w

More specifically, a scheme of DSS against KGA consists of the following algorithms:
(1) sp ← SysGen(1^k): on input a security parameter k, output a system parameter sp.
(2) KeyGen(sp):
• (pk_{s,1}, sk_{s,1}), (pk_{s,2}, sk_{s,2}) ← KeyGen_{server 1,2}(sp): on input a system parameter sp, output two public/secret key pairs (pk_{s,1}, sk_{s,1}), (pk_{s,2}, sk_{s,2}) for cloud server 1 and cloud server 2, respectively.
• (pk_r, sk_r) ← KeyGen_receiver(sp): on input a system parameter sp, output a public/secret key pair (pk_r, sk_r) for the receiver.
(4) C_1 ← ReEnc(sp, pk_r, C_1): on input a system parameter sp, the receiver public key pk_r and the ciphertext C_1, output the double ciphertext C_1.
(5) T_w ← Trapdoor(sp, sk_r, w, pk_{s,1}, pk_{s,2}, pk_r): on input a system parameter sp, the cloud server 1 public key pk_{s,1}, the cloud server 2 public key pk_{s,2}, the receiver public key pk_r, the receiver secret key sk_r and the keyword w, output the keyword search trapdoor T_w.
(6) C_1 or ⊥ ← Test(sp, T_w, C_2, sk_{s,1}, sk_{s,2}): on input a system parameter sp, the cloud server 1 secret key sk_{s,1}, the cloud server 2 secret key sk_{s,2}, the keyword search trapdoor T_w and the ciphertext (C_1, C_2), output the ciphertext C_1 if the keyword search trapdoor T_w matches the ciphertext C_2, and ⊥ otherwise. The matching process is as follows:
• Test_1(sp, T_w, C_2, sk_{s,1}) → C_T: cloud server 1 takes as input the trapdoor T_w, the ciphertext C_2, the cloud server 1 secret key sk_{s,1} and the system parameter sp, and outputs the transitional ciphertext C_T.
• Test_2(sp, C_T, sk_{s,2}) → C_1 or ⊥: cloud server 2 takes as input the system parameter sp, the transitional ciphertext C_T and the cloud server 2 secret key sk_{s,2}. If the transitional ciphertext satisfies the condition, it outputs the double ciphertext C_1, and ⊥ otherwise.
(7) M ← Dec(sp, sk_r, C_1): on input a system parameter sp, the receiver secret key sk_r and the ciphertext C_1, output the message M.

Security Model
We define six security models, including the indistinguishability against a chosen keyword attack. It should be noted that both cloud server 1 and cloud server 2 are "honest but curious" and do not collude with each other. More specifically, the two servers strictly follow the test procedure of the algorithm but may be curious about the content of the keyword. These models implicitly define security against external adversaries, since an external adversary has less capability than a cloud server.
We define the keyword ciphertext's semantic security: no adversary can distinguish the challenge ciphertext unless the trapdoor is available. Formally, we define the security models IND-CKA 1 and IND-CKA 2, played between a challenger B and an adversary A_i, i = 1, 2.
For the IND-CKA 1 security model (Table 2), the challenger B generates three key pairs (pk_{s,1}, sk_{s,1}), (pk_{s,2}, sk_{s,2}), (pk_r, sk_r). It sends the public keys pk_{s,1}, pk_{s,2}, pk_r and the secret key sk_{s,1} to the cloud server 1 adversary A_1. A_1 can access the trapdoor oracle O_1(w) to obtain the trapdoor of any keyword w_i, and outputs two distinct challenge keywords and a message (w_0, w_1, M*). The challenger B generates the challenge PEKS ciphertext (C_1, C_{2,b}) of (w_b, M*) with a random bit b and sends it to A_1. During the game, the adversary can adaptively continue to query the trapdoor oracle O_1(w), except on the challenge keywords w_0 and w_1. Finally, the adversary A_1 outputs b' as its guess.
For the IND-CKA 2 security model (Table 3), the game is similar to IND-CKA 1 and is played between a challenger B and the adversary A_2; we omit the details here. The definition is as follows.
Definition 1 (IND-CKA). A scheme of DSS against the KGA is indistinguishable against a chosen keyword attack if no PPT adversary A_1 can win game IND-CKA 1 and no PPT adversary A_2 can win game IND-CKA 2 with a non-negligible advantage, where B is the challenger, A_1 is cloud server 1 and A_2 is cloud server 2.

Table 2. IND-CKA 1.
Kset ← φ
(pk_{s,1}, sk_{s,1}, pk_{s,2}, sk_{s,2}, pk_r, sk_r) ← KeyGen(sp);
(w_0, w_1, M*) ← A^{O_1}(sp, (pk_{s,1}, sk_{s,1}), pk_{s,2}, pk_r);
T_w ← Trapdoor(sp, pk_{s,1}, pk_{s,2}, pk_r, sk_r, w); return {T_w}

Table 3. IND-CKA 2.
Kset ← φ
(pk_{s,1}, sk_{s,1}, pk_{s,2}, sk_{s,2}, pk_r, sk_r) ← KeyGen(sp);
(w_0, w_1, M*) ← A^{O_2}(sp, (pk_{s,2}, sk_{s,2}), pk_{s,1}, pk_r);

We define the advantage of A_i as follows.
Next, we define the keyword trapdoor's semantic security: no adversary can distinguish the challenge trapdoor, that is, the challenge trapdoor does not reveal any information about the keyword. Formally, we define the security models IND-Trapdoor 1 and IND-Trapdoor 2, played between a challenger B and an adversary A_i, i = 3, 4.
For the IND-Trapdoor 1 security model (Table 4), the challenger B generates three key pairs (pk_{s,1}, sk_{s,1}), (pk_{s,2}, sk_{s,2}), (pk_r, sk_r). It sends the public keys pk_{s,1}, pk_{s,2}, pk_r and the secret key sk_{s,1} to the cloud server 1 adversary A_3. A_3 can access the trapdoor oracle O_1(w) to obtain the trapdoor of any keyword w_i, and outputs two distinct challenge keywords (w_0, w_1), where w_b ≠ w_i, b ∈ {0, 1}. The challenger generates the challenge trapdoor T_{w_b} of w_b with a random bit b and sends it to A_3. During the game, the adversary can adaptively continue to query the trapdoor oracle O_1(w), except on the challenge keywords w_0 and w_1. Finally, the adversary A_3 outputs b' as its guess.
For the IND-Trapdoor 2 security model (Table 5), the game is similar to IND-Trapdoor 1 and is played between a challenger B and the adversary A_4; we omit the details here. The definition is as follows:

Table 5. IND-Trapdoor 2.
Kset ← φ
(pk_{s,1}, sk_{s,1}, pk_{s,2}, sk_{s,2}, pk_r, sk_r) ← KeyGen(sp);
(w_0, w_1) ← A^{O_4}(sp, pk_{s,1}, (pk_{s,2}, sk_{s,2}), pk_r);

We define the advantage of A_i as follows.
After that, we define the double ciphertext's semantic security: no adversary can distinguish the challenge double ciphertext. Formally, we define the IND-Double ciphertext security model (Table 6), which is similar to IND-CKA 1. The adversary outputs two distinct challenge ciphertexts (C_{1,0}, C_{1,1}). The challenger generates the challenge double ciphertext of C_{1,b} with a random bit b and sends it to the adversary. The adversary is given the challenge double ciphertext instead of the PEKS challenge ciphertext. Finally, the adversary outputs b' as its guess.
We define the advantage of A_5 as follows.
Finally, we define the transitional ciphertext's semantic security: no adversary can distinguish the challenge transitional ciphertext unless the trapdoor is available. Formally, we define the security model IND-CKA 3 (Table 7), which is similar to IND-CKA 1. The adversary is given the challenge transitional ciphertext instead of the PEKS challenge ciphertext. We omit the details here.

Definition 4 (IND-CKA 3). A scheme of DSS against the KGA satisfies transitional ciphertext indistinguishability against a chosen keyword attack if no PPT adversary A_6 can win the game IND-CKA 3 with non-negligible advantage, where B is the challenger and A_6 is an adversary (including cloud server 2).

Table 7. IND-CKA 3.

DSS against the KGA
In this section, we propose a secure and efficient DSS scheme against the KGA. We use the Hashed ElGamal scheme and a free-channel PEKS scheme to construct it.
• KeyGen_receiver(sp): This algorithm takes as input a system parameter sp. It chooses a random number c ∈ Z_p^* and outputs the receiver's public/secret key pair (pk_r, sk_r) with pk_r = g^c, sk_r = c.
• PEKS(sp, pk_{s,1}, pk_{s,2}, pk_r, w, M): This algorithm takes as input a system parameter sp, the cloud server public keys pk_{s,1}, pk_{s,2}, the receiver public key pk_r, the keyword w and the message M ∈ {0, 1}^n, and chooses random numbers r_0, r_1 ∈ Z_p^*. It outputs the message ciphertext C_1 = (C_11, C_12). It also outputs the keyword ciphertext C_2.
• ReEnc(sp, pk_r, C_1): This algorithm takes as input a system parameter sp, the receiver public key pk_r and the message ciphertext C_1. It chooses a random number r_2 ∈ Z_p^* and outputs the double message ciphertext C_1 = (C_11, C_12), where, taking C_11 and C_12 on the right-hand side from the input ciphertext, C_11 = g^{r_2}, k = pk_r^{r_2}, C_12 = H_3(k) ⊕ C_11 C_12.
• Trapdoor(sp, pk_{s,1}, pk_{s,2}, pk_r, sk_r, w): This algorithm takes as input a system parameter sp, the cloud server public keys pk_{s,1}, pk_{s,2}, the receiver secret key sk_r and the keyword w, and chooses a random number r_3 ∈ Z_p^*. It outputs the keyword search trapdoor T_w = [T_1, T_2, T_3] with T_1 = g_1^{sk_r r_3}, T_2 = g_2^{sk_r r_3}, T_3 = pk_{s,1}^{sk_r r_3} · pk_{s,2}^{sk_r r_3} · pk_r^{-1} · H_2^{-1}(w).
• Test(sp, T_w, C_2, sk_{s,1}, sk_{s,2}):
  • Test_1: Cloud server 1 takes as input the trapdoor T_w, the ciphertext C_2, the cloud server 1 secret key sk_{s,1} and the system parameter sp, and chooses a random number d ∈ Z_p^*. It outputs the transitional ciphertext C_T = (A*, B*, C*), where T_w · C_2 = (C_{I,1}, C_{I,2}, C_{I,3}).
  • Test_2(sp, C_1, C_T, sk_{s,2}) → C_1 or ⊥: Cloud server 2 takes as input the system parameter sp, the transitional ciphertext C_T, the cloud server 2 secret key sk_{s,2} and the double ciphertext C_1.
• Dec(sp, sk_r, C_1): This algorithm takes as input a system parameter sp, the receiver secret key sk_r and the double message ciphertext C_1, and outputs the message M.
Correctness: Assume a correctly generated ciphertext C_2 = [A, B, C] for w_i and a correct trapdoor T_w = (T_1, T_2, T_3). If w_i = w, we can verify correctness as follows: T_w C_2 = (C_{I,1}, C_{I,2}, C_{I,3}), with C_{I,1} = g_1^{r_1 + c r_3}, C_{I,2} = g_2^{r_1 + c r_3}, C_{I,3} = (g_1^{α_1} g_2^{α_2})^{r_1 + c r_3} (g_1^{β_1} g_2^{β_2})^{r_1 + c r_3}.

Proof
In the following theorems, we prove that our scheme satisfies indistinguishability against the chosen keyword attack, trapdoor indistinguishability against the off-line KGA, double ciphertext indistinguishability against the on-line KGA, and transitional ciphertext indistinguishability against the chosen keyword attack.
To prove the security of our scheme, we use the widely accepted security reduction method. A security reduction shows that if there is an adversary that can break our scheme, then that adversary can be used to solve a hard mathematical problem. Such hard problems are widely accepted to be infeasible to solve with existing computing ability. By proof by contradiction, we can therefore prove that our scheme is secure under the corresponding hard problem. The security reduction guarantees the evaluation and validation of the scheme. The related hard problems can be found in Reference [32].

Keyword Privacy
We prove that our scheme is secure under the Variant Decisional Diffie-Hellman (Variant DDH) hard problem in Theorem 1 and Theorem 2.
The simulator B sends the public keys pk_{s,2}, pk_r, pk_{s,1} and the secret key sk_{s,1} to adversary A_1. B keeps cloud server 2's secret key and the receiver's secret key for itself. Trapdoor Query. The adversary A_1 can query w_i to the trapdoor oracle. The simulator chooses a random number r_3 ∈ Z_p^* and outputs the keyword search trapdoor. Therefore, the simulator completes the trapdoor query. Challenge. The adversary A_1 gives two challenge keywords w_0, w_1 and the message m* to the simulator B, where w_b ≠ w_i, b ∈ {0, 1}. The simulator returns a ciphertext (C_1, C_{2,b}), where b ∈ {0, 1} is chosen at random. The simulator chooses a random number r_0 ∈ Z_p^*, and the ciphertext (C_1, C_{2,b}) is output. Therefore, the challenge keyword ciphertext is a correct ciphertext. Trapdoor Query. The adversary A_1 adaptively makes trapdoor queries on w_i, w_i ≠ w_0, w_1. The simulator B computes the trapdoor in the same way as in the trapdoor query above. Guess. The adversary A_1 outputs b' as its guess.
Through the above description, we have completed the simulation process of the scheme and the simulation is correct, since the responses for the trapdoor query and challenge ciphertext are correct. Next, we will discuss the indistinguishable simulation. Random numbers include α 1 , α 2 , β 1 , β 2 , c, r 3 , a 1 = a 2 .
All random numbers in simulation process are randomness. Therefore, the simulation with a 1 = a 2 is indistinguishable, where the adversary wins the game with a probability of 1/2 + ε 2 as the breaking assumption.
When the a 1 = a 2 , in the following we show the analysis, the adversary wins the game with a maximum probability of 1/2.
Let g 2 = g z 1 , the adversary knows z, α 1 , α 2 , α 1 + zα 2 , β 1 + zβ 2 , c from the public key. The adversary knows from the challenge ciphertext. Therefore, if α 1 , α 2 , β 1 , β 2 are known to the adversary, the adversary can guess the keyword w b correctly; else the the adversary cannot guess the keyword w b correctly. Since the adversary knows the α 1 , α 2 , but not knows β 1 , β 2 , the adversary has no advantage breaking the ciphertext. Therefore, the adversary wins the game with a probability of 1/2 by random guess.
Next, we will discuss the successful of the simulation, the simulator dose not abort the simulation in the trapdoor query and challenge phase. Therefore, the probability of successful simulation is P s = 1. Therefore, the advantage of the Variant DDH hard problem is (2) Suppose there is a cloud server 2 named adversary A 2 that can break our scheme in the IND-CKA 2 security model with advantage ε. In order to solve the Variant DDH hard problem, let's construct a simulator B with a problem instance (g 1 , g 2 , g a 1 1 , g a 2 2 ) over the cyclic group G 1 . Simulation process is as follows: Setup. Let sp = (G 1 , g, g 1 , g 2 , H 1 , H 2 , H 3 ). The simulator B chooses random elements α 1 , α 2 , β 1 , β 2 , c ∈ Z * p , and sets (pk s,1 , sk s,1 ) = (g α 1 1 g α 2 2 , (α 1 , α 2 )), (pk s,2 , sk s,2 ) = (g The simulator B sends the public key pk s,2 , sk s,2 , pk s,1 , pk r to adversary A 2 . B keeps the cloud 1's secret key and receiver's secret key for itself. Trapdoor Query. The adversary A 2 can query w i to trapdoor oracle. The simulator chooses random number r 3 ∈ Z * p and outputs the keyword search trapdoor Therefore, the simulator completed the trapdoor query. Challenge. The adversary A 2 gives two challenge words w 0 ,w 1 and the message m * to the simulator B, which w b = w i , b ∈ {0, 1}. The simulator returns a ciphertext (C 1 , C 2,b ). b ∈ {0, 1} is randomly chosen. The simulator chooses random number r 2 ∈ Z * p , and the ciphertext (C 1 , C 2,b ) is outputted as: which C 1 as the message encryption in the proposed scheme. It also outputs keyword ciphertext , g a 2 2 , (g a 1 1 ) α 1 +β 1 (g a 2 2 ) α 2 +β 2 g c H 2 (w b )].
Let $r = a_1$. If $a_1 = a_2$, we have

Therefore, the challenge keyword ciphertext is correct. Trapdoor Query. The adversary $A_2$ adaptively makes trapdoor queries on $w_i \neq w_0, w_1$. The simulator $B$ computes the trapdoor in the same way as in the trapdoor query above. Guess. The adversary $A_2$ outputs $b$ as its guess.
As the indistinguishability analysis and the probability analysis are similar to part (1) above, we omit them.
Therefore, the simulator solves the Variant DDH hard problem with advantage

Theorem 1 is proven.
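The core of the reductions above is how the simulator embeds the Variant DDH instance $(g_1, g_2, g_1^{a_1}, g_2^{a_2})$ into the challenge: with the randomness fixed to $r = a_1$, the simulated ciphertext is a genuine ciphertext exactly when $a_1 = a_2$, and for $a_1 \neq a_2$ it is not. The following Python script is an added worked example, not code from the paper, that checks this identity and the observation that a public key $g_1^{x} g_2^{y}$ reveals only the combined exponent $x + zy$. It assumes a toy prime-order subgroup of $Z_P^*$ far too small for real use, a SHA-256 stand-in for $H_2$, and a keyword-ciphertext shape $[g_1^r, g_2^r, (pk_{s,1} pk_{s,2})^r \cdot pk_r \cdot H_2(w)]$ reconstructed from the simulation text; that shape is an assumption, since the scheme's full description is not on this page.

```python
import hashlib
import secrets

# Toy group, constructed for illustration only: P is a safe prime, Q = (P-1)/2 is the
# prime order of the subgroup generated by G. A real deployment uses a large group.
P = 2039
Q = 1019
G = 4  # 2^2 mod P lies in the order-Q subgroup and is not 1, so it generates it


def rand_exp() -> int:
    """Uniform element of Z_Q^* (the paper's Z_p^*)."""
    return secrets.randbelow(Q - 1) + 1


def h2(word: str) -> int:
    """Stand-in for H_2 (assumption): hash a keyword to an element of the subgroup."""
    d = int.from_bytes(hashlib.sha256(word.encode()).digest(), "big")
    return pow(G, d % Q, P)


def setup():
    """Public parameters g, g_1, g_2 with g_2 = g_1^z; z is the relation the proof of
    Theorem 1 reasons about and is never published."""
    g = G
    g1 = pow(g, rand_exp(), P)
    z = rand_exp()
    g2 = pow(g1, z, P)
    return g, g1, g2, z


def server_keygen(g1, g2):
    """(pk, sk) = (g_1^x g_2^y, (x, y)), the form of pk_{s,1} and pk_{s,2} in Setup."""
    x, y = rand_exp(), rand_exp()
    return (pow(g1, x, P) * pow(g2, y, P)) % P, (x, y)


def encrypt_keyword(g1, g2, pk_s1, pk_s2, pk_r, w, r):
    """Honest keyword ciphertext with randomness r. The shape is an ASSUMPTION taken
    from the simulation: [g_1^r, g_2^r, (pk_{s,1} pk_{s,2})^r * pk_r * H_2(w)]."""
    c3 = pow(pk_s1 * pk_s2 % P, r, P) * pk_r % P * h2(w) % P
    return (pow(g1, r, P), pow(g2, r, P), c3)


def variant_ddh_instance(g1, g2, real):
    """Variant DDH instance (g_1, g_2, g_1^{a_1}, g_2^{a_2}): a_1 = a_2 when real,
    independent otherwise. a_1 is returned only so the check below can use r = a_1."""
    a1 = rand_exp()
    a2 = a1
    while not real and a2 == a1:
        a2 = rand_exp()
    return (pow(g1, a1, P), pow(g2, a2, P)), a1


def simulated_challenge(g, inst, sk_s1, sk_s2, c, w):
    """Simulator B's challenge: it knows (alpha_1, alpha_2), (beta_1, beta_2) and c but
    not a_1, a_2, and outputs
    [g_1^{a_1}, g_2^{a_2}, (g_1^{a_1})^{alpha_1+beta_1} (g_2^{a_2})^{alpha_2+beta_2} g^c H_2(w)]."""
    x1, x2 = inst
    (al1, al2), (be1, be2) = sk_s1, sk_s2
    c3 = pow(x1, al1 + be1, P) * pow(x2, al2 + be2, P) % P
    c3 = c3 * pow(g, c, P) % P * h2(w) % P
    return (x1, x2, c3)


def public_key_leaks_combined_exponent(g1, z, pk, sk):
    """Theorem 1 argument: pk = g_1^x g_2^y = g_1^{x + z y}, so an adversary who knows z
    learns only the single value x + z y, not x and y separately."""
    x, y = sk
    return pk == pow(g1, (x + z * y) % Q, P)


def challenge_matches_real_encryption(real, w="sensor-42"):
    """Does the simulated challenge equal an honest encryption with r = a_1?
    True exactly when the embedded instance has a_1 = a_2."""
    g, g1, g2, _ = setup()
    pk_s1, sk_s1 = server_keygen(g1, g2)
    pk_s2, sk_s2 = server_keygen(g1, g2)
    c = rand_exp()
    pk_r = pow(g, c, P)
    inst, a1 = variant_ddh_instance(g1, g2, real)
    sim = simulated_challenge(g, inst, sk_s1, sk_s2, c, w)
    return sim == encrypt_keyword(g1, g2, pk_s1, pk_s2, pk_r, w, a1)


if __name__ == "__main__":
    g, g1, g2, z = setup()
    pk, sk = server_keygen(g1, g2)
    print("pk reveals only x + z*y:", public_key_leaks_combined_exponent(g1, z, pk, sk))
    print("real instance, challenge is a genuine ciphertext:", challenge_matches_real_encryption(True))
    print("random instance, challenge is not a genuine ciphertext:", challenge_matches_real_encryption(False))
```

In the random case the second component $g_2^{a_2}$ already differs from $g_2^{a_1}$, which is what lets a distinguisher between real and simulated challenges be turned into a Variant DDH solver; the script checks the structural identity only and says nothing about the computational hardness itself.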
Because the cloud server has more powerful attack capabilities than an external adversary, Theorem 1 also implies that the scheme is secure against external adversaries (including the receiver).

Theorem 2.
Under the Variant DDH hard problem, the DSS scheme satisfies trapdoor indistinguishability against the off-line KGA, where the security reduction loss is 2.
The simulator $B$ sends the public keys $pk_{s,2}, pk_r, pk_{s,1}$ and the secret key $sk_{s,1}$ to adversary $A_3$, and keeps cloud 2's secret key and the receiver's secret key for itself. Trapdoor Query. The adversary $A_3$ can query $w_i$ to the trapdoor oracle. The simulator chooses a random number $r_3 \in Z_p^*$ and outputs the keyword search trapdoor

This completes the trapdoor query.
Challenge. The adversary $A_3$ gives two challenge keywords $w_0, w_1$, with $w_b \neq w_i$ for $b \in \{0, 1\}$, to the simulator $B$. The simulator picks $b \in \{0, 1\}$ at random and returns a challenge trapdoor $T_{w_b}$, output as:

Let $r_3 = a_1$. If $a_1 = a_2$, we have

Therefore, the challenge trapdoor is a correct trapdoor. Trapdoor Query. The adversary $A_3$ adaptively makes trapdoor queries on $w_i \neq w_0, w_1$. The simulator $B$ computes the trapdoor in the same way as in the trapdoor query above. Guess. The adversary $A_3$ outputs $b$ as its guess.
As the indistinguishability analysis and the probability analysis are similar to part (1) of Theorem 1, we omit them. Therefore, the simulator solves the Variant DDH hard problem with advantage

(2) Suppose there is a cloud server 2, named adversary $A_4$, that can break our scheme in the IND-Trapdoor 2 security model with advantage $\varepsilon$. The simulation, the solving algorithm and the indistinguishability analysis are similar to part (1) above, so we omit them. Therefore, the simulator solves the Variant DDH hard problem with advantage

Theorem 2 is proven.
Because the cloud server has more powerful attack capabilities than an external adversary, Theorem 2 also implies that the scheme is secure against external adversaries.
In Theorem 3 we prove that our scheme is secure under the computational Diffie-Hellman (CDH) hard problem. CDH Hard Problem [15]: Given a tuple $(g, g^{a}, g^{b})$ with $g, g^{a}, g^{b} \in G_1$, where $G_1$ is a cyclic group of prime order $p$, it is intractable for any polynomial-time algorithm to compute the value $g^{ab} \in G_1$.

Theorem 3.
Under the CDH hard problem, the DSS scheme satisfies double ciphertext indistinguishability against on-line KGA in the random oracle model, where the security reduction loss is 1

Proof. Suppose there is an external adversary (including cloud server 2) $A_5$ that can break our scheme in the double ciphertext indistinguishability against on-line KGA security model with advantage $\varepsilon$. Model $H_3$ as a random oracle. In order to solve the CDH hard problem, we construct a simulator $B$ with a problem instance $(g, g^{a}, g^{b})$ over the cyclic group $(G_1, g, p)$; the goal is to compute $g^{ab}$. The simulation proceeds as follows.

Setup. Let $sp = (G_1, g, g_1, g_2, H_1, H_2, H_3)$. The simulator $B$ chooses random elements $\alpha_1, \alpha_2, \beta_1, \beta_2, c \in Z_p^*$ and sets $(pk_{s,1}, sk_{s,1}) = (g_1^{\alpha_1} g_2^{\alpha_2}, (\alpha_1, \alpha_2))$, $(pk_{s,2}, sk_{s,2}) = (g_1^{\beta_1} g_2^{\beta_2}, (\beta_1, \beta_2))$, $pk_r = g^{a}$, $sk_r = a$; $sk_r$ is unknown to the simulator. The simulator $B$ sends $(pk_{s,2}, sk_{s,2})$, $pk_{s,1}$ and $pk_r$ to adversary $A_5$ and keeps cloud 1's secret key for itself.

$H_3$-query. The $H_3$ list is initially empty. The adversary $A_5$ can query $k_i \in G_1$ to $H_3$. If a pair $(k_i, X_i)$ already exists in the $H_3$ list, the simulator $B$ responds with $H_3(k_i) = X_i$; otherwise $B$ chooses $X_i \in \{0, 1\}^{\log_2 p + n}$ at random, sets $H_3(k_i) = X_i$, returns it to $A_5$ and adds $(k_i, X_i)$ to the $H_3$ list.

Challenge. The adversary $A_5$ gives two challenge ciphertexts $C_{1,0}, C_{1,1}$ to the simulator $B$. The simulator picks $b_0 \in \{0, 1\}$ at random and returns the ciphertext $C_{1,b_0}$, output as:

Guess. The adversary $A_5$ outputs $b_0$ as its guess.
$Z^*$ is randomly chosen from $\{0, 1\}^{d}$. As long as the adversary does not query $g^{ab}$ to the random oracle, the challenge ciphertext is correct. This completes the simulation of the scheme, and the simulation is correct. Next we discuss the indistinguishability of the simulation. The random values are $X_1, X_2, \ldots, X_{q_{H_3}}, a, b, \alpha_1, \alpha_2, \beta_1, \beta_2, c$.
Therefore, the simulation of the scheme is indistinguishable from the real scheme. When none of the hash queries is the challenge hash query $g^{ab}$, the challenge message ciphertext is random, so the adversary wins the game with advantage 0.
The number of hash queries is $q_{H_3}$. By the breaking assumption, $A_5$ breaks our scheme with advantage $\varepsilon$, so the correct challenge hash query $g^{ab}$ must appear in the $H_3$ list.
The probability of picking the correct challenge hash query from the list is $P_c = 1/q_{H_3}$. The simulator does not abort, so the probability of a successful simulation is $P_s = 1$.
The simulator solves the CDH hard problem with advantage

Theorem 3 is proven.
To secure against cloud server 1's on-line KGA, we can let cloud server 2 use a re-encryption technique or a ciphertext randomization technique; we omit the details here.

Proof. Suppose there is a cloud server 2, named adversary $A_6$, that can break our scheme in the IND-CKA 3 security model with advantage $\varepsilon$. In order to solve the Variant DDH hard problem, we construct a simulator $B$ with a problem instance $(g_1, g_2, g_1^{a_1}, g_2^{a_2})$ over the cyclic group $G_1$. The simulation proceeds as follows.

Setup. Let $sp = (G_1, g, g_1, g_2, H_1, H_2, H_3)$. The simulator $B$ chooses random elements $\alpha_1, \alpha_2, \beta_1, \beta_2, c \in Z_p^*$ and sets $(pk_{s,1}, sk_{s,1}) = (g_1^{\alpha_1} g_2^{\alpha_2}, (\alpha_1, \alpha_2))$, $(pk_{s,2}, sk_{s,2}) = (g_1^{\beta_1} g_2^{\beta_2}, (\beta_1, \beta_2))$, $pk_r = g^{c}$, $sk_r = c$. The simulator $B$ sends $(pk_{s,2}, sk_{s,2})$, $pk_{s,1}$ and $pk_r$ to adversary $A_6$, and keeps cloud 1's secret key and the receiver's secret key for itself.

Trapdoor Query. The adversary $A_6$ can query $w_i$ to the trapdoor oracle. The simulator chooses a random number $r_3 \in Z_p^*$ and outputs the keyword search trapdoor

This completes the trapdoor query.

Challenge. The adversary $A_6$ gives two challenge keywords $w_0, w_1$ to the simulator $B$, with $w_{b_1}, w_{b_2} \neq w_i$ for $b_1, b_2 \in \{0, 1\}$. The simulator picks $b_1, b_2 \in \{0, 1\}$ at random and generates a ciphertext $C_{2,b_1}$ and a trapdoor $T_{w_{b_2}}$ as:

$[\ldots, pk_{s,1}^{c r_3} \cdot pk_{s,2}^{c r_3} \cdot pk_r^{-1} \cdot H_2^{-1}(w_{b_2})]$. Let $r_1 = a_1$. If $a_1 = a_2$, we have $[\ldots, pk_{s,1}^{r_1} \cdot pk_{s,2}^{r_1} \cdot pk_r \cdot H_2(w_{b_1})]$.
Therefore, the transitional ciphertext is $C_T^* = (A^*, B^*, C^*)$, where $T_{w_{b_2}} C_{2,b_1} = (C_{I,1}, C_{I,2}, C_{I,3})$, $A^* = C_{I,1}^{d}$, $B^* = C_{I,2}^{d}$,

Therefore, the transitional ciphertext is a correct ciphertext. Trapdoor Query. The adversary $A_6$ adaptively makes trapdoor queries on $w_i \neq w_0, w_1$. The simulator $B$ computes the trapdoor in the same way as in the trapdoor query above. Guess. The adversary $A_6$ outputs $(b_1, b_2)$ as its guess. When $a_1 = a_2$, the indistinguishability analysis is similar to Theorem 1 and we omit it. When $a_1 \neq a_2$, we show below that the adversary wins the game with probability $1/2$.
Therefore, if $d$ is known, the adversary can guess the keywords $(w_{b_1}, w_{b_2})$ correctly; otherwise the exponent $(a_1 + c r_3) d \beta_1 + z (a_2 + c r_3) d \beta_2 + \log_{g_1}\!\big(H_2(w_{b_1}) H_2^{-1}(w_{b_2})\big)^{d}$ hides $(w_{b_1}, w_{b_2})$. Since the adversary does not know $d$, it has no advantage in breaking the ciphertext.
Next, the probability of a successful simulation is $P_s = 1$. The simulator solves the Variant DDH hard problem with advantage

Theorem 4 is proven.

Message Privacy
Regarding the security of the message, the proof is similar to that of Theorem 3 and is based on the CDH hard problem in the random oracle model. Since the argument is nearly identical, we omit it here.

Analysis and Comparisons
We use Tables 8 and 9 to show two comparisons between our scheme and previous schemes. In this section, the abbreviations Trap Ind, MCiph Ind, KCiph Ind, In-off-line KGA, Ex-off-line KGA, on-line KGA, MCiph and KCiph denote trapdoor indistinguishability, message ciphertext indistinguishability, keyword ciphertext indistinguishability, off-line keyword guessing attack by an internal attacker, off-line keyword guessing attack by an external attacker, on-line keyword guessing attack, message ciphertext and keyword ciphertext, respectively. We use $e$, $E_1$, $E_1$, $E_2$, $h$, $I$ and $PM$ to denote a pairing operation, an exponentiation in a cyclic multiplicative group $G_1$, an exponentiation in the pairing group $G_1$, an exponentiation in the pairing target group $G_T$, a hash operation mapping a string to a group element, an inversion, and a multiplication in the pairing group $G_1$, respectively. Other hash operations and multiplications are ignored.

To evaluate the efficiency of our scheme, we implemented these schemes on a Core(TM) i7-6500U CPU at 2.50 GHz with 4 GB RAM (3.89 GB available) running Ubuntu 18.04, using a Type-A pairing curve from the PBC library. For the four schemes we measured the running time of the keyword ciphertext generation, trapdoor generation and test algorithms; the results are shown in Figures 5-7. Our scheme is the most efficient in keyword ciphertext generation and trapdoor generation. Its test algorithm is slightly slower than that of the BCOP [10] scheme, but in comparison with the other PEKS schemes it remains efficient, since it eliminates the pairing computation and the exponentiation in the pairing group $G_1$. Furthermore, our scheme offers a stronger security guarantee for keyword security.

Research Method
In this paper, we studied the trapdoor security problem in a WSN environment in the following order: motivation ⇒ application scenario ⇒ technical route ⇒ framework architecture ⇒ security model ⇒ concrete construction ⇒ security reduction ⇒ efficiency analysis and comparisons.

Conclusions
The combination of cloud computing and WSN provides a promising solution for handling massive data, but data security has become a key challenge in cloud-assisted WSN. To address this problem, in this paper we defined a secure and efficient DSS scheme that resists both off-line KGA and on-line KGA performed by external and internal adversaries, and we proposed a concrete construction for it. Our scheme not only realizes the keyword search function in the cloud but also provides encryption and decryption of the data files. The performance analysis shows that the computation overhead at lightweight mobile devices is significantly reduced, and we formally proved the security of the scheme.