Certificateless Searchable Encryption Scheme in Multi-User Environment

Abstract

Searchable encryption technology enables users to access data that has been made publicly encrypted without divulging the original content. The majority of the currently available multi-user certificateless searchable encryption technologies are based on identity-based public key encryption as well as conventional public key cryptosystems. Thus, they are challenged to adapt to the security needs of today’s large-scale network computing environment. As a result, issues such as excessive overhead, poor security, and the inability to handle large-scale applications are unavoidable. In order to address the aforementioned issues, this paper uses the method of combining public key authentication encryption and searchable encryption to propose a certificateless searchable encryption scheme in multi-user circumstances. The stochastic prediction model demonstrates that the scheme can effectively fend off keyword guessing attacks. The proposed algorithm not only performs well in terms of computation but also significantly reduces the amount of computation in simulations.

1. Introduction

Contemporarily, the use of electronic devices is becoming more common in our daily lives [1]. However, there is a significant shortage of storage capacity and computing power for the regular use of these devices. As a result, cloud environments [2] have been developed. Cloud environments can be used by users for computing, storage, and management operations. However, user data may be accessed by cloud servers and unauthorized users without the user’s consent and used for illicit purposes. Therefore, users must encrypt their data before saving it on an untrusted server in order to ensure the security and privacy of their data. However, this poses a challenge for users to retrieve data on cloud servers. The solution to this problem is to download all the encrypted information from the cloud server and then run the data retrieval procedure. As a result, user expenditure and network transmission costs are quite high.

To address the aforementioned issue, Song et al. [3] proposed Searchable Symmetric Encryption (SSE) in 2000. The scheme, however, suffers from the key distribution problem and it is only compatible with one user model. Therefore, for the first time, Boneh et al. [4] developed a searchable encryption scheme called Public Key Encryption Scheme with Keyword Search (PEKS). This scheme is the first searchable encryption scheme that can support multi-user encryption. This model tests a single data receiver and mandates the use of secure channels to deliver trapdoors to the email gateway. Baek et al. [5] first proposed a searchable encryption scheme without a secure channel in 2008. Yong et al. [6] used the ensemble keyword search scheme to construct public key encryption and it was later extended to support multi-user encryption. However, Byun et al. [7] pointed out that the above schemes based on public-key encryption regimes are not resistant to keyword guessing attacks (KGA), and all PEKS schemes mostly have problems with key escrow or certificate management.

In 2003, AI-Riyam et al. [8] proposed a certificateless cryptography (CLC) scheme as a solution to this issue. In this scheme, the public and private keys are both composed of two parts, one by the Key Generation Center (KGC) and one by the user-selected secret value. After the user receives part of the private key, the full private key is calculated and generated according to the secret value selected. With the whole private key, the user can decrypt the ciphertext. The key escrow problem is resolved since KGC cannot compute and generate the user’s entire private key because it only has partial information about the user’s private key. The security of the ciphertext is ensured by the user’s exclusive possession of the entire private key, which is unavailable to other users.

The Certificateless Cryptography with Keyword Search (CLEKS) scheme was first proposed by Peng et al. [9] in 2014. Lu et al. [10] designed a CLEKS scheme that can guarantee user privacy without necessitating the advance pairing of operations with multi-receiver circumstances. Wu et al. [11] proposed a CLEKS scheme that can run on a specific server and that is resistant to internal keyword guessing attacks (IKGA). Yang et al. [12] developed a blockchain-based multi-keyword CLEKS scheme, which proved to be resistant to IKGA under a stochastic prediction machine model. In 2017, Ma et al. [13] proposed an adaptation of the Industrial Internet CLEKS scheme, but the scheme is susceptible to the IKGA.

CLEKS schemes are typically designed for single-receiver applications. To solve the problem, Curtmola et al.’s [14] solution to the issue was to directly extend the single-user scheme to allow multi-users to share the security key for searching files. However, direct application of the single-recipient encryption scheme to a multi-recipient scenario requires encrypting the same keyword associated with the information multiple times using each recipient’s public key separately. As a result, it causes great overhead. The multi-recipient CLEKS encryption scheme can minimize the cost and streamline such a laborious encryption process. Zhang et al. [15] proposed a certificateless certifiable encryption scheme tailored to a multi-user environment in 2020, but the scheme is slightly flawed in terms of efficiency. Recently, in a multi-user system, Mina et al. [16] developed an mCLEKS scheme. However, it is vulnerable to internal keyword guessing attacks, and sending trapdoors to the cloud server requires a secure channel.

The motive of this research is to graph a CLEKS scheme that is appropriate for multi-recipient circumstances without the usage of bilinear pairing. Most of the previous CLEKS schemes rely on pricey bilinear pairing, which is not only extremely ineffective but also considerably increases the overload of the system. A CLEKS scheme without bilinear pairing has a substantially reduced computational cost. In order to cater to multi-environment users, we designed an unpaired CLEKS scheme in this study.

The foremost contributions of this paper are as follows:

(1) A completely multi-user environment-based certificateless searchable encryption scheme is proposed.

(2) Using a random prediction model, it is demonstrated that the approach presented in this study is resistant to keyword guessing assaults.

(3) The results of an efficiency analysis conducted for both computing and communication performance show that the scheme described in this paper has clear advantages.

2. Related Knowledge

2.1. Elliptic Curve

In public key cryptography, elliptic curve groups [17] are of major research significance. Elliptic curve groups were first introduced into public key cryptography by Miller [18] in 1986. The Definition 1 and relevant operations are described as follows.

Let $F_q$ be a finite field of order $\mathit{q}$, where is a prime number, n is a positive integer, $\mathit{q}={\mathit{p}}^{\mathit{n}}$, and the algebraic closure on the finite field $F_q$ is $F_q$. The Weierstrass equation on the finite field $F_q$ is:

$$y^2+{\mathit{a}}_1\mathit{xy}+{\mathit{a}}_3\mathit{y}={\mathit{x}}^3+{\mathit{a}}_2{\mathit{x}}^2+{\mathit{a}}_4\mathit{x}+{\mathit{a}}_6$$

(1)

where ${\mathit{a}}_i\in F_q$ (i = 1, 2, 3, 4, 6). All solutions $\left(x,y\right)$satisfying the Weierstrass equation on $F_q$ and the infinity point $O\left(\infty ,\infty \right)$form a curve E. If the Wierstrass equation has three distinct solutions, E is said to be an elliptic curve [19].

Another variant of Equation (1) takes the form:

$$y^2=x^3+Ax+B$$

(2)

where $\mathit{A},\mathit{B}\in F_q,$ Equation (2) has three different solutions only when the discriminant Δ = 4$A^3$ + 27$B^2$ ≠ 0. Therefore, the elliptic curve group [19] can be formulated as:

$$\mathit{E}=\{\mathit{P}=\left(\mathit{x},\mathit{y}\right)|\mathrm{all}\left(\mathit{x},\mathit{y}\right)\in F_q\times F_q \mathrm{satisfies} \mathrm{equation} \left(2\right) \mathrm{and} \mathsf{\Delta }=4A^3+27B^2\ne 0\}\cup \left\{\infty ,\infty \right\}$$

(3)

2.2. Mathematically Difficult Problems

 Definition 1. 

($CDH$ problem) Suppose G is an elliptic curve group of order $q$ and $q$ is a prime number. P is a generating element of G. The binary group $(ap,bp)$, where $a,b\in Z_q^{*}$ are unknown random numbers, compute $abP\in G$.

3. Scheme Model

3.1. System Model

Figure 1 depicts the system model for the certificateless searchable encryption method based on a multi-user environment which contains four main subjects: data owner, multi-user, cloud server, and KGC.

Table 1. Main symbols and explanations.

Symbol	Interpretation
$\mathit{p},\mathit{q}$	Two large prime numbers
${\mathit{F}}_{\mathit{q}}$	A finite field of order q
$\mathrm{E}$	An elliptic curve on the finite domain ${\mathit{F}}_{\mathit{q}}$
$\mathrm{G}$	A group of elliptic curves of order q
P	A generator of G
$Z_q^{*}$	The field of integers modularly q
$H_i$	Secure hash functions
$\mathrm{A}$	An adversary against CLEKS
$\mathrm{B}$	An algorithm that solves the CDH problem
$\mathrm{Params}$	System parameters
$\mathrm{S}$	The master key
$I{D}_u$	The identity of User U
$PS{K}_u,PP{K}_u$	Part of the private key and part of the public key of user U
$S{K}_u,P{K}_u$	User U’s private and public keys
$S{K}_{ci},P{K}_{ci}$	The challenger’s private and public keys
$\mathrm{FSK},\mathrm{FPK}$	Pseudo-public and pseudo-private keys
$I{D}^{*}$	The identity of the challenger
$\mathrm{W}$	keywords
$T_w$	The keyword w trap
$C_w$	The keyword w is ciphertext

shows the main symbols and explanations in this scheme.

(1) Data owner: The users have permission to access the data after the keywords and data have been encrypted and transferred to the cloud server.

(2) Multi-user: Users that receive search authority can retrieve data in the cloud based on the corresponding keywords.

(3) Cloud server: accountable for storing the encrypted data that was uploaded by the owner of the data and performing complex ciphertext matching operations.

(4) KGC: Responsible for generating system parameters, system master key, and a portion of the user’s private key.

3.2. Algorithm Model

Formally, the CLEKS scheme in a multi-user environment is composed of the following six algorithms: the system parameter generation algorithm, partial key generation algorithm, user key generation algorithm, keyword encryption algorithm, trapdoor generation, and testing.

Setup: Input the security parameter $\mathsf{\lambda }$, and KGC generates the master key $\mathit{s}$ and public system parameter $\mathrm{Params}$.

Partial key generation: Input system parameter $\mathrm{Params}$, master key $\mathit{s}$, and user U’s identity ${\mathrm{ID}}_u$, and KGC generates the user’s partial private key ${\mathrm{PSK}}_u$ and partial public key ${\mathrm{PPK}}_u$.

User key generation: Enter system parameter $\mathrm{Params}$, consumer U’s identity ${\mathrm{ID}}_u$ and partial public and personal keys (${\mathrm{PPK}}_u$, ${\mathrm{PSK}}_u$) to generate a complete pair of public and private keys (${\mathrm{PK}}_u,{ \mathrm{SK}}_u$).

Keyword encryption: Input system parameter $\mathrm{Params}$, keyword $\mathit{w}$, multiple receiver identities and their public keys {${\mathrm{ID}}_i, {\mathrm{PK}}_i$} to generate keyword ciphertext C.

Trapdoor generation: Input system parameter $\mathrm{Params}$, keyword $\mathit{w}$, more than one receiver identities ${\mathrm{ID}}_i$ and private key ${\mathrm{PSK}}_i$, which will generate the corresponding keyword trapdoor $T_w$.

Test: Input system parameter $\mathrm{Params}$, keyword ciphertext $C_w$ and keyword trapdoor $T_{w\prime }$, if $C_w$ and $T_{w\prime }$ correspond to the same keyword, then output 1, otherwise output 0.

3.3. Security Model

In the protection definition of the certificateless cryptosystem [20], there are two kinds of adversaries: $A_1$, $A_2$.

The first kind of adversary, $A_1$, simulates a malicious user.$A_1$ can replace the user’s public key; however, it does not comprehend the system master key and part of the user’s private key.

The second kind of adversary, $A_2$, simulates a malicious KGC. $A_2$ has to obtain admission to the system master key and part of the user’s private key but does not have the right to replace the user’s public key.

The following defines the random oracles that may be used in the game and offers the protection model of the certificate-free searchable encryption scheme under two different types of adversary attacks. The model is carried out through a game between adversary A and challenger C.

Private-Key-Queries: Adversary $\mathrm{A}$ is allowed to interrogate the private key of identity ${\mathrm{ID}}_u$, and challenger C sends the private key $SKU$ of the generated pair to adversary A.

Partial-Private-Key-Queries: Allow adversary A to interrogate the partial personal key of identity ${\mathrm{ID}}_u$, and challenger C sends the generated partial private key ${\mathrm{PSK}}_u$ to adversary $\mathrm{A}$. The second type of adversary does not need to make this query.

Replace-Key-Queries: Allows adversary A to perform public key replacement operation. Rival A needs to provide a private key $\mathrm{FPK}$ that matches the pseudo-public key $\mathrm{FSK}$. Only adversaries of the first type can perform this query.

Trap-Door-Queries: Enter keyword w and user identity, and challenger C will respond by generating keyword trapdoor $T_w$. If adversary $\mathrm{A}$ has already performed public key substitution, challenger C will use the private key submitted by adversary A to generate keyword trapdoor $T_w$.

A CLEKS scheme based on a multi-user environment must be semantically impervious under an adaptive selection keyword attack (IND-CKA). IND-CKA security can be accomplished between challenger C and adversaries ($A_1, A_2$). This is shown as follows.

System establishment phase: Challenger C first enters a protection parameter λ. The system establishment algorithm is executed to generate the system parameter $\mathrm{Params}$ and the master key s. If the adversary is $A_1$, Params is sent to the adversary. If the adversary is $A_2$, both $\mathrm{Params}$ and are provided.

Phase 1: Adversary $A_1$ can make the following prophecy machine queries: Private-Key-Queries, Partial-Private-Key-Queries, Replace-Key-Queries, and Trap-Door-Queries. Adversary $A_2$ can make the following prophecy machine queries: Private-Key-Queries and Trap-Door-Queries.

Challenge phase: Adversary A submits two unqueried pairs of keywords (${\mathit{w}}_0,{ \mathit{w}}_1$), and challenger C chooses a random number $\theta \in \left\{0, 1\right\}$, computes, and returns the corresponding ciphertext.

Phase 2: The adversary can proceed to make repeated prediction machine queries as in Phase 1, and Challenger C replies to the adversary as in Phase 1.

Guessing phase: Ultimately, as in Phase 2, adversary A offers a guess, $\theta \in \left\{0, 1\right\}$, and if $\theta =\theta \prime$, then adversary A wins the game.

4. Specific Construction of the Scheme

4.1. Description of the Scenario

1.

Setup $\left(\mathsf{\lambda }\right)$: given a security parameter of $\mathit{k}$ as input, the algorithm works as follows.

(1)

Generate a cyclic group G of order q on an elliptic curve $\mathrm{E}\left(F_q\right)$.

(2)

P is chosen as the generating element of G.

(3)

Select $\mathit{x}\in Z_q^{*}$ uniformly and randomly and compute $P_{pub}=\mathit{xP}$.

(4)

Choose three collision-resistant cryptographic hash functions $H_1$, $H_2$: ${\left\{0, 1\right\}}^{*}\to {\mathit{Z}}_{\mathit{q}}^{*}$and $H_3$:$\mathit{G}\to {\mathit{Z}}_{\mathit{q}}^{*}$. The system parameters are {$params=\{\mathit{q}, \mathit{G}, \mathit{P}, P_{pub}, H_1,$ $H_2,H_3\}$ and master key s = x.

2.

Partial key generation: Given params, master key s and U’s identity ${\mathrm{ID}}_u$, the algorithm stochastic selects $y\in {\mathit{Z}}_{\mathit{q}}^{*}$ and calculates partial public key $PP{K}_u=\mathit{yP}$ and partial private key $PS{K}_u=\mathit{y}+\mathit{x}{H}_1\left({\mathit{ID}}_{\mathit{u}}\right)$.

3.

User key generation: Given params, user U’s identity ${\mathit{ID}}_{\mathit{u}}$, partial and partial private keys $PP{K}_u=\mathrm{y}+\mathrm{x}{H}_1\left({\mathrm{ID}}_{\mathit{u}}\right)$, the algorithm randomly selects $\mathit{z}\in {\mathit{Z}}_{\mathit{q}}^{*}$, generates private key $S{K}_u=(S{K}_{u1}, S{K}_{u2})=(\mathrm{y}+\mathrm{x}{H}_1\left({\mathit{ID}}_u\right), \mathrm{z}$), and generates public key$P{K}_u=\left(P{K}_{u1}, P{K}_{u2}\right)=\left(\mathit{yP}, \mathit{zP}\right)$.

4.

Keyword encryption: Given params, keyword $\mathrm{w}$, multiple receiver identities, and receiver’s public key ${\left\{I{D}_i, P{K}_i=\left(P{K}_{i1}, P{K}_{i2}\right)\right\}}_{1\le \mathrm{i}\le \mathrm{n}}$, the algorithm stochastic selects $\mathrm{r}\in {\mathrm{Z}}_{\mathrm{q}}^{*}$ and calculates ${\mathrm{C}}_{\mathit{w}1}=\mathrm{rP}$ and uses each recipient i’s identity and public key ${\left\{I{D}_i,P{K}_i=\left(P{K}_{i1},P{K}_{i2}\right)\right\}}_{1\le \mathrm{i}\le \mathrm{n}}$ to compute $C_{w2i}=H_3\left(\mathrm{r}{H}_2\left(\mathit{w}\right)\right)\left(P{K}_{i1}+P{K}_{i2}+H_1\left(I{D}_i\right){\mathrm{P}}_{\mathrm{pub}}\right)$, and the multi-user keyword ciphertext $C_w=\left(C_{w1}, {\left\{C_{w2i}\right\}}_{1\le \mathrm{i}\le \mathrm{n}}\right)$.

5.

Trapdoor generation: Given params, keyword w, U’s identity ${\mathrm{ID}}_u$ and his private key $S{K}_u=\left(S{K}_{u1}, S{K}_{u2}\right)$, the algorithm calculates keyword trapdoor $T_w=\left(S{K}_{u1}+S{K}_{u2}\right)H_2\left(\mathit{w}\right)$.

6.

Test: Given params, a keyword ciphertext $C_w=\left(C_{w1}, C_{w2i}\right)$ and a trapdoor $T_{w’}$, the algorithm checks whether $C_{w2i}=H_3(T_{w’}{C}_{w1})$ holds. If it holds, output 1; otherwise, output 0.

4.2. Proof of Correctness

 Proof. 

Suppose $\mathrm{w}=w^{\prime },$ the following proof of the correctness of the scheme.

$$\begin{array}{c}{H}_3\left(T_{w^{\prime }}{C}_{w1}\right)=H_3\left(\left(S{K}_{u1}+S{K}_{u2}\right)H_2\left(w^{\prime }\right)\mathit{rP}\right)\\ =H_3\left(\left(\mathrm{y}+\mathrm{x}{H}_1\left({\mathit{ID}}_{\mathit{i}}\right)+\mathrm{z}\right)H_2\left(w^{\prime }\right)\mathit{rP}\right)\\ =H_3\left(\mathit{r}{H}_2\left(w^{\prime }\right)\right)\left(P{K}_{i1}+P{K}_{i2}+H_1\left({\mathit{ID}}_{\mathit{i}}\right)P_{pub}\right)\end{array}$$

That is, $C_{w2i}=H_3(T_{w\prime }{C}_{w1}$), so the scheme is right. □

4.3. Proof of Security

 Theorem 1. 

The scheme achieves IND-CKA (indistinguishability under selective keyword attack) security if the CDH problem is tough under the stochastic predicator system.

Lemma 1 and Lemma 2 can be used to demonstrate the Theorem 1.

 Lemma 1. 

Assume that $H_1$, $H_2$, and $H_3$ are three random oracles. If the adversary $A_1$ is able to break the scheme by a margin of β, there exists an algorithm C that solves the $CDH$ problem with chance $\beta \prime \ge \frac{\beta }{q_3\left(q_{sk}+q_{psk}+q_T+1\right)}$.

 Proof. 

Algorithm B inputs a random instance of the CDH problem: given ($\mathit{q}, \mathit{P}, \mathit{G}, \mathrm{aP}, \mathrm{bP}$), the purpose of B is to calculate $\mathit{abP}$ by calling $A_1$ as a subroutine. □

System establishment phase: Algorithm B randomly selects an identity $I{D}_I$ as the challenge identity and sets $P_{pub}=\mathit{aP}$ and returns the parameter $\mathrm{Params}=\left(\mathrm{q}, \mathrm{G}, \mathrm{P}, P_{pub}, H_1, H_2, H_3\right)$to adversary $A_1$.

$H_1$ queries: $\mathrm{B}$ sustains a list $H_1{}^{list}$ consisting of tuples $\left(I{D}_i, h_{1i}\right)$ that are input and the query is responded to. If $I{D}_i$ is contained in the tuples$\left(I{D}_i, h_{1i}\right)$, $h_{1i}$ is output directly. If it does not exist, $h_{1i}\in {\mathrm{Z}}_{\mathrm{q}}^{*}$ is randomly selected and returned as the result, and $\left(I{D}_i, h_{1i}\right)$ is inserted into the list $H_1{}^{list}$.

$H_2$ queries: $\mathrm{B}$ sustains a list $H_2{}^{list}$ consisting of tuples $\left(w_i, h_{2i}\right)$. Input keyword $w_i$, respond to the query. If the keyword $w_i$ is contained in the tuple $\left(w_i, h_{2i}\right)$, then output $h_{2i}$ directly; if not, then $h_{2i}\in {\mathrm{Z}}_{\mathrm{q}}^{*}$ will be randomly selected and returned as the result, and $\left(w_i, h_{2i}\right)$ is inserted into the list $H_2{}^{list}$.

$H_3$ queries: $\mathrm{B}$ sustains a list $H_3{}^{list}$ consisting of tuples $\left(K_i, h_{3i}\right)$. Input $K_i$, respond to the query. If $K_i$ is contained in the tuple $\left(K_i, h_{3i}\right)$, output $h_{3i}$ directly; if not, $h_{3i}\in {\mathrm{Z}}_{\mathrm{q}}^{*}$ is randomly selected and returned as the result and $\left(K_i, h_{3i}\right)$ is inserted into the list $H_3{}^{list}$.

Phase 1:$A_1$ will perform the following queries:

(1) Partial-Private-Key-Queries: $\mathrm{B}$ maintains a list initialized as empty, which contains $\left(I{D}_i, P{K}_i, S{K}_i\right)$ in the user table. When $\mathrm{B}$ receives a query from adversary $A_1$ for $I{D}_i$, $\mathrm{B}$ looks up in the user table and then performs the following operations.

① If $I{D}_i=I{D}_I$, $\mathrm{B}$ terminates the simulation (this event is represented by $E_1$).

② Otherwise, $\mathrm{B}$ sends $PS{K}_{i1}$ (part of the private key generated by KGC).

(2) Private-Key-Queries: $\mathrm{B}$ sustains a list initialized as empty, and this user table contains $\left(I{D}_i, P{K}_i, S{K}_i, x_i\right)$ when $A_1$ performs private key interrogation on identity ${\mathrm{ID}}_{\mathrm{i}}$. The following operation is executed.

① If $I{D}_i=I{D}_I$, B terminates the simulation (this event is represented by $E_2$).

② Otherwise, B sends $S{K}_i$ to $A_1$.

(3) Replace-Key-Queries: When $\mathrm{B}$ receives the identity $I{D}_i$ and false public key $FP{K}_i$ from $A_1$, B records the replacement.

(4) Trap-Door-Queries: When $A_1$ performs trap-door interrogation on $\left(I{D}_i, w_i\right)$, perform the following operation.

① If $I{D}_i=I{D}_I$, $\mathrm{B}$ terminates the simulation (this event is represented by $E_3$).

② Otherwise, $I{D}_i\ne I{D}_I$, or $P{K}_i$ has been replaced. Algorithm $\mathrm{B}$ generates trapdoor $T_{wi}=(S{K}_{i1}+S{K}_{i2})H_2\left(w\right)$ and sends the trapdoor to $A_1$.

Challenge phase: $A_1$ outputs two different challenge keywords $w_0$,$w_1$ for the identity $I{D}^{*}$. B performs the following operations.

① If $I{D}^{*}=I{D}_I$, $\mathrm{B}$ terminates the simulation (this event is denoted by $E_4$).

② Otherwise, B stochastic selects $\theta \in \left\{0, 1\right\}$ and ${\mathit{C}}_{\mathit{w}\theta 2}\in {\mathit{Z}}_{\mathit{q}}^{*}$, sets ${\mathit{C}}_{\mathit{w}\theta 1}=\mathit{bP}$ and sets ${\mathit{C}}_{\mathit{w}\theta }=\left({\mathit{C}}_{\mathit{w}\theta 1}, {\mathit{C}}_{\mathit{w}\theta 2}\right)$ as the challenge ciphertext and sends $C_{w\mathsf{\theta }}$ to $A_1$, ${\mathit{PK}}_{\mathit{c}1}=aP$, and ${\mathit{PK}}_{\mathit{c}2}=yP$.

Phase 2: As in phase 1, $A_1$ continues to initiate a series of queries, and algorithm $\mathrm{B}$ answers as in phase 1.

Guessing: Ultimately, as in Phase 2, $\mathrm{B}$ outputs $\mathsf{\beta }\prime$ as its answer. If $\mathsf{\beta }\prime =\mathsf{\beta }$, then $A_1$ wins the game.

Let

$$\begin{array}{c}\mathit{K}=\mathit{b}{\mathit{H}}_2\left({\mathit{w}}_{\mathit{\theta }}\right)\left({\mathit{PK}}_{\mathit{c}1}+{\mathit{PK}}_{\mathit{c}2}+H_1\left(\mathit{I}{\mathit{D}}^{*}\right){\mathit{P}}_{\mathit{p}\mathit{u}\mathit{b}}\right)\\ {\mathit{PK}}_{\mathit{c}1}=\mathit{aP},{\mathit{PK}}_{\mathit{c}2}=\mathit{yP}\\ \mathit{Z}=H_2{\left({\mathit{w}}_{\theta }\right)}^{-1}\left(\mathit{K}-\mathit{y}{H}_2\left({\mathit{w}}_{\theta }\right)\mathit{bP}-x{H}_1\left(I{D}^{*}\right)\mathit{b}{H}_2\left({\mathit{w}}_{\theta }\right)\mathit{bP}\right)\end{array}$$

Then it is easy to introduce $\mathit{Z}=\mathit{abP}$.

Analyze B’s strengths in winning the aforementioned games.

$$\mathit{Pr}\left[\neg E_5\right]=\mathit{Pr}\left[\neg E_1\wedge \neg E_2\wedge \neg E_3\wedge \neg E_4\right]\ge \frac{\mathit{\beta }}{q_3\left(q_{sk}+q_{psk}+q_T+1\right)}$$

In the guessing phase, the probability that Algorithm $\mathrm{B}$ gets the correct tuple from the $H_3$ table is $\frac{1}{q_3}$, so

$$\beta \prime \ge \frac{\beta }{q_3\left(q_{sk}+q_{psk}+q_T+1\right)}$$

 Lemma 2. 

Suppose that $H_1$, $H_2$, and $H_3$ are three random oracles. If adversary A₂ is able to attack the solution by a margin of $\beta$, and there exists an algorithm B with probability $\beta \prime \ge \frac{\beta }{q_3\left(q_{sk}+q_T+1\right)}$ that solves the CDH problem by a margin.

 Proof. 

Algorithm B inputs a random occasion of the CDH problem: given $\left(\mathit{q}, \mathit{P}, \mathit{G}, \mathit{aP}, \mathit{bP}\right)$, the purpose of B is to calculate abP by calling $A_2$ as a subroutine. □

Phase 1:$A_2$ will perform the following queries.

(1) Private-Key-Queries: B maintains a list initialized as empty, which contains ($I{D}_i, P{K}_i, S{K}_i, x_i)$ in the user table when $A_2$ performs a private-key interrogation on identity ${\mathrm{ID}}_{\mathrm{i}}$. Perform the following operations.

① If $I{D}_i=I{D}_I$, B terminates the simulation.

② Otherwise, $\mathrm{B}$ sends $S{K}_i$ to $A_2$.

(2)Trap-Door-Queries: When $A_2$ performs trap-door interrogation on $\left(I{D}_i, w_i\right)$, perform the following operations.

① If $I{D}_i=I{D}_I$, $\mathrm{B}$ terminates the simulation.

② Otherwise, $I{D}_i\ne I{D}_I$ or $P{K}_i$ has been replaced. Algorithm B generates trapdoor $T_{wi}=(S{K}_{i1}+S{K}_{i2})H_2\left(w\right)$ and sends the trapdoor to $A_2$.

Challenge phase: As in phase 1, $A_2$ outputs two different challenge keywords $w_0$, $w_1$ to the identity $I{D}^{*}$. $\mathrm{B}$ do the following operations.

① If $I{D}^{*}=I{D}_I$, $\mathrm{B}$ terminates the simulation.

② Otherwise $\mathrm{B}$ stochastic selects $\mathsf{\theta }\in \left\{0, 1\right\}$ and ${\mathit{C}}_{\mathit{w}\theta 2}\in {\mathit{Z}}_{\mathit{q}}^{*}$, sets ${\mathit{C}}_{\mathit{w}\theta 1}=\mathit{bP}$ and sets ${\mathit{C}}_{\mathit{w}\theta }=\left({\mathit{C}}_{\mathit{w}\theta 1}, {\mathit{C}}_{w\theta 2}\right)$ as the challenge ciphertext and sends ${\mathit{C}}_{\mathit{w}\theta }$ to $A_2$. ${\mathit{PK}}_{\mathit{c}1}=\mathit{aP}$ and ${\mathit{PK}}_{\mathit{c}2}=\mathit{yP}$.

Conjecture

Let

$$\begin{array}{c}\mathit{K}=\mathit{b}{H}_2\left({\mathit{w}}_{\theta }\right)\left({\mathit{PK}}_{\mathit{c}1}+{\mathit{PK}}_{\mathit{c}2}+H_1\left(\mathit{I}{\mathit{D}}^{*}\right){\mathit{P}}_{\mathit{p}\mathit{u}\mathit{b}}\right)\\ {\mathit{PK}}_{\mathrm{c}1}=\mathit{aP},{\mathit{PK}}_{\mathit{c}2}=\mathit{yP}\\ \mathit{Z}=H_2{\left({\mathrm{w}}_{\theta }\right)}^{-1}\left(\mathit{K}-\mathit{y}{H}_2\left({\mathit{w}}_{\theta }\right)\mathit{bP}-\mathit{x}{H}_1\left(\mathit{I}{\mathit{D}}^{*}\right)\mathit{b}{H}_2\left({\mathit{w}}_{\theta }\right)\mathit{bP}\right)\end{array}$$

Then, we can effortlessly obtain $\mathit{Z}=\mathit{abP}$.

Likewise, we can derive

$$\beta \prime \ge \frac{\beta }{q_3\left(q_{sk}+q_T+1\right)}$$

5. Efficiency Analysis

In the section that follows, we analyze the effectivity in phrases of both computational price and communication cost, and we evaluate the scheme in this paper with the certificateless searchable encryption scheme based entirely on multi-user surroundings proposed in the literature [13,15].

The experimental environment used in this paper is a HUAWEI laptop with Intel-Core i5 processor, 1.60 GHz CPU, 16 GB RAM, and Windows 10 operation system. It relies on MIRACL library.

Table 2. Explanation of Notations.

Notation	Description
TBP	Time cost for computing a bilinear pairing
Th	General hash function runtime
TSM	The elapsed time of a scalar multiplication operation
TH	The hash function maps to the elapsed time of the points above the group
TMM	Calculate the run time of the multiplication
Tpa	The elapsed time of the point addition operation on the group
TMH	The Hash function maps to the run time of the point
|G1|	The size of the element in the G1
|G|	The size of the element in the elliptic curve group G

shows the explanation of Notations.

5.1. Computation Costs

The cost of all encryption operations is added together to determine the algorithm’s computational cost. The approach presented in this study, for instance, necessitates the computation of three scalar multiplications in G and one modulo multiplication in ${\mathrm{Z}}_{\mathrm{q}}^{*}$. Therefore, the spending in the encryption phase is 3T_SM + T_MM. Additionally, the measurement of the ciphertext is computed by calculating the whole range of contained group factors and the hash value. For instance, in the scheme of this paper, the ciphertext size consists of two factors in G. Therefore, its size is 2|G| bits.

The computational cost of the key creation, encryption, trapdoor generation, and checking out algorithms used in this paper’s approach as well as other schemes is shown in

Table 3. Computation costs of compared CLEKS schemes.

Scheme	Key Generation	Keyword Encryption	Trapdoor Generation	Test
[13]	2TH + 4TSM = 111.276	3TH + Th + 4TSM + 3TBP + 3Tpa = 223.2	TH + Tpa + TSM = 45.1	2TH + TSM + Th + 2Tpa + TBP = 101.4
[15]	2TH + 4TSM = 49.1384	TH + 3TSM + Tpa = 68.9	TH + Th + 2TSM + TBP + 2Tpa = 84.2	2TSM + 2Th + 4Tpa + 2TBP + TMM = 79.9
Ours	2TH + 4TSM = 49.243	3TSM + TMM = 14.94	TMM = 19.32	TSM = 22.1

. In this paper’s scheme, the key generation phase spends 49.243 ms, which is about 44% of that of scheme [13] compared with 111.276 ms of literature [13], and is slightly inferior though compared with 49.1384 ms of scheme [15]. However, in the encryption phase, the scheme in this paper spends about 14.94 ms, which is about 21% of scheme [13] and 6.6% of scheme [15] compared with 223.2 ms of scheme [13] and 68.9 ms of [15]. The spending of the scheme in this paper on trapdoor generation is about 19.32 ms compared with 45.1 ms in scheme [13] and 84.2 ms in scheme [15], which is about 42% of scheme [13] and 22% of scheme [15]. The spending of the scheme in this paper in the testing phase is about 22.1 ms, which is about 21% of scheme [13] and 27% of scheme [15] compared with 101.4 ms of scheme [13] and 79.9 ms of scheme [15]. The simulation effect can be seen in Figure 2, where it is evident that the multi-user environment-based CLEKS scheme in this research performs more effectively overall.

5.2. Communication Costs

In this paper, the communication cost in terms of both ciphertext (C) size and trapdoor (T) are compared with the other two scheme solutions, and the effects are proven in

Table 4. Communication costs of compared CLEKS schemes.

Scheme	Ciphertext Size	Trapdoor Size
[13]	4$\left|{\mathrm{G}}_1\right|$	3$\left|{\mathrm{G}}_1\right|$
[15]	2$\left|{\mathrm{G}}_1\right|$	4$\left|{\mathrm{G}}_1\right|$
Ours	2$\left|\mathrm{G}\right|$	$\left|{\mathrm{G}}_1\right|$

.

Table 4 shows that this paper’s scheme communication costs are lower and more effective.

6. Summary

This study provides an effective CLEKS scheme based on multi-user environment to satisfy multi-authorized users employing keywords for ciphertext retrieval and shows that this scheme has IND-CKA security under the random prediction model. Meanwhile, the scheme described in this study has significant computing and communication costs according to the efficiency analysis. Therefore, the scheme presented in this paper is more effective and secure.