blockchain-enabledpublickeyencryptionwithmulti-keyword

Research ArticleBlockchain-Enabled Public Key Encryption with Multi-KeywordSearch in Cloud Computing

Zhenwei Chen 1 Axin Wu 2 Yifei Li 1 Qixuan Xing 1 and Shengling Geng 34

1School of Cyberspace Security Xirsquoan University of Posts and Telecommunications Xirsquoan 710121 China2College of Cybersecurity Jinan University Guangzhou 510632 China3School of Computer Qinghai Normal University Xining Qinghai 810008 China4Institute of Plateau Science and Sustainable Development Xining Qinghai China

Correspondence should be addressed to Shengling Geng geng_sl126com

Received 3 November 2020 Revised 18 December 2020 Accepted 2 January 2021 Published 21 January 2021

Academic Editor Qi Li

Copyright copy 2021 Zhenwei Chen et al-is is an open access article distributed under the Creative Commons Attribution Licensewhich permits unrestricted use distribution and reproduction in any medium provided the original work is properly cited

-e emergence of the cloud storage has brought great convenience to peoplersquos life Many individuals and enterprises havedelivered a large amount of data to the third-party server for storage -us the privacy protection of data retrieved by the userneeds to be guaranteed Searchable encryption technology for the cloud environment is adopted to ensure that the user in-formation is secure with retrieving data However most schemes only support single-keyword search and do not support fileupdates which limit the flexibility of the scheme To eliminate these problems we propose a blockchain-enabled public keyencryption scheme with multi-keyword search (BPKEMS) and our scheme supports file updates In addition smart contract isused to ensure the fairness of transactions between data owner and user without introducing a third party At the data storagestage our scheme realizes the verifiability by numbering the files which ensures that the ciphertext received by the user iscomplete In terms of security and performance our scheme is secure against inside keyword guessing attacks (KGAs) and hasbetter computation overhead than other related schemes

1 Introduction

Cloud storage is a removable storage method that bringsgreat convenience to people -erefore the problem of datasecurity is increasingly important Generally speaking cloudstorage has three structures First public cloud storageservice provides a wealth of resources such as networkservices and storage and users can access these resourcesthrough the Internet at low prices Second internal cloudstorage is located inside the corporate firewall and usershave independent storage control rights -ird hybrid cloudstorage provides both public cloud services and internalcloud services -e core is to meet the visits required bycustomers While eliminating the userrsquos local storagehardware and management overhead the data are out of theuserrsquos physical control so data security is greatly threatenedWhen users upload data to cloud storage media they need tosolve the security problem of the data and people often

upload it after encryption Secure search usually refers to theeffective search of encrypted data to solve the problem ofhow to use the server to complete the secure keyword searchwhen the encrypted data are stored in the cloud under thepremise of incomplete trust scholars proposed thesearchable encryption (SE) as the core technology of securesearch

SE is a new technology that supports users to search forkeywords in ciphertexts It mainly solves how to useuntrusted servers to implement secure keyword search in acloud storage environment so that users can securely searchdata in ciphertext state specifically search the keywordsaccording to the keywords of interest SE systems are dividedinto symmetric [1] and asymmetric [2ndash4] forms Althoughthe calculation amount of public key SE is greater than thatof symmetric SE data owners and users do not need to passthe key negotiation before searching which is more secureand has greater practical value

HindawiSecurity and Communication NetworksVolume 2021 Article ID 6619689 11 pageshttpsdoiorg10115520216619689

In terms of the usability of SE scheme multi-keywordsearch [4 5] is more in line with the userrsquos search experienceCompared with single-keyword search it can locate thesearch more accurately In the actual scenario the servermay be honest but curious and will want to obtain somesensitive information -erefore it is very important toverify the correctness of the results [6] However thisscheme is static and cannot operate data dynamically Al-though some SE schemes [7 8] support dynamic update offiles and verifiability of ciphertext they will bring a lot ofcomputational overhead -erefore the practical SE schemeneeds to be designed and proposed

In this paper we propose the BPKEMS scheme in theblockchain scenario the main contributions are as follows

(1) Multi-Keyword Search -e BPKEMS scheme hassome good features such as multi-keyword searchand file updates In addition the data owner and datauser can generate a shared key when encrypting filesBy using the DiffiendashHellman (DH) key exchangeprotocol they can get the shared key without anyinteraction

(2) Fairness In this scheme the blockchain mecha-nism is used to ensure the fairness of the trans-action between data owner and user without a thirdparty3Verifiability On the blockchain platform we usesmart contract to store index and trapdoor infor-mation and perform search services to ensure theaccuracy of search results In addition we numberthe files and the user can verify the ciphertext of thefile after receiving the result which can avoid somemalicious behavior of the cloud server

2 Related Work

In recent years cloud computing technology has beenrapidly developed and a series of studies have been done onsecurity issues In order to enhance the security of data onthe server Dawn et al [1] first proposed a symmetric SEscheme but it was in one-to-one mode which has triggeredpeoplersquos research on SE because the one-to-onemode cannotmeet peoplersquos needs For the many-to-one model Bonehet al [2] first proposed the public key SE scheme and gavethe concept of SE security based on public key encryption in2004 But in certain environments the many-to-one mode isnot practical In 2011 Curtmola et al [9] constructed a one-to-many SE model based on Naor broadcast encryptiontechnology [10] but the userrsquos key replacement in this modelrequires a great deal of overhead In a large-scale networkenvironment data transmission is complicated Wang et al[11] constructed a many-to-many mode encryption schemebased on Shamirrsquos secret sharing technology [12] and theidentity-based encryption technology in [2] to realize theinteraction retrieval of multiple users in the server In orderto effectively solve the problem of interactive retrieval whenthere are multiple recipients Yuan et al [13] proposed a one-to-many public key ciphertext time release searchable en-cryption cryptographic model In the one-to-many model

only authenticated users can enjoy the search service andthe queried keywords are specified and they can decrypt itwhen it knows that it will be released in the future Zhonget al [14] proposed a many-to-one homomorphic encryp-tion scheme which overcomes the limitations of traditionalone-to-one mode

In terms of the security of SE about the scheme [2]proposed by Boneh only the semantic security of indexciphertext can be achieved but it cannot resist KGAs In2009 Tang and Chen [15] put forward a public key SEscheme -e keywords should be registered before usingwhich can resist KGAs but the keywords must be registeredin advance which makes the performance of the scheme nothigh In 2013 Fang et al [16] presented the scheme be-longing to public key cryptography which can resist KGAsthe scheme defines a public key SE model and two importantsecurity concepts one is for inside attacks and the other isfor external attacks However a large number of bilinearpairing calculations result in a low efficiency of Fangrsquosscheme [16]

In recent years scholars have conducted a lot of researchon inside attacks In 2013 Xu et al [17] proposed a schemewith two trapdoors (fuzzy trapdoor and precision trapdoor)and claimed that the scheme can resist inside KGAs In thisscheme the adversary intelligently obtains the fuzzy trap-door but some keyword information about the trapdoor isnot known and it is restricted in terms of security andefficiency In 2015 Chen et al [18] introduced a newframework to prevent inside KGAs-ey used two servers torealize the scheme but the limitation is that the two serverscannot be associated However anyone can generate legaltrapdoors for keywords which will make data privacy issueseasy to discover Shao et al proposed a method [19] that canresist KGAs In the SE scheme of a designated tester thesecurity of the scheme is redefined as IND-KGA-SERVERIn the presence of a digital signature it can resist the serverrsquosKGAs In 2016 Chen et al [20] proposed a scheme using twoservers to resist inside KGAs and the scheme has highefficiency However due to the two assumptions that twocloud servers cannot be connected this is difficult to achievein practice In 2017 Huang and Li [21] proposed a public keyauthentication encryption scheme based on keyword search-e ciphertext generation process of this scheme requiresthe key of the data owner Although the scheme can resist theinside KGAs it cannot achieve the chosen keyword ci-phertext indistinguishability Kang and Liu [22] proposed acompletely secure public key encryption scheme composedof bilinear pairing and TFIDF algorithm -is schemeachieves security under static assumptions By comparingwith previous SE schemes their schemersquos performance issuperior to other schemes In terms of security this schemecan avoid revealing privacy due to the curiosity of the ad-versary In 2018 Wu et al [23] proposed an efficient andsecure public key SE scheme with privacy protection -isscheme uses a DH shared key and is proven to resist KGAs

In the Internet of -ings (IoT) environment Wu et al[24] proposed a certificateless searchable public key au-thentication encryption scheme which can resist KGAs atthe same time and also has a higher efficiency Ma et al [25]

2 Security and Communication Networks

designed a new multi-keyword certificateless public keyencryption scheme for IoT deployment Lu and Li [26]proposed a new PEKS scheme which not only can resist theexisting three types of KGAs but also improves the short-comings of the designated server With the development ofblockchain [27 28] the combination of searchable en-cryption technology and blockchain technology solves theproblem of trusted third party in traditional schemes andgreatly improves the practicability of searchable encryptionLi et al [30] proposed a searchable encryption system modelof blockchain and designed a practical scheme for the systemmodel In 2019 Li et al put forward a scheme [31] based on[30] which also improved enablement In order to besuitable for the electronic medical scene Chen et al [32]proposed a SE scheme suitable for this scene under theblockchain technology -is scheme also adopts symmetricencryption method and uses smart contract as the au-thoritative entity to ensure the credibility of the server in thescheme Zheng et al [6] proposed an SE scheme which canverify the correctness of the results but it cannot supportdata update operation-e SE scheme proposed by Sun et al[7] and Xia et al [8] can not only support dynamic updatebut also verify the results and it also has low computationalefficiency -erefore we are committed to solving theseproblems

3 Preliminaries

In this section we review the relevant background materialsrequired in understanding our scheme and introduce somenotations in Table 1

31 Bilinear Pairing Let G1 G2 be two multiplicative cyclegroups A map e G1 times G1⟶ G2 is called a symmetricbilinear pairing if it has the following properties

(1) Bilinear e(ua vb) e(u v)ab forallu v isin G1 andforalla b isin Zp

(2) Nondegenerate e(g g)ne 1 Let 1 isin G2 be the identityelement of G2 group

(3) Computable forallu v isin G1 e(u v) there is a polyno-mial time algorithm that can easily calculate e

32 Decisional DiffiendashHellman (DDH) Problem Given ageneratorg ofG1 then g ga gb gc1113864 1113865 isin G1 where a b c isin Zp-e DDH problem is to determine whether gc is equal tog ab Assuming that the DDH problem is difficult it meansthat no adversary can solve the problem with a probability thatcannot be ignored

33 Blockchain In this section let us briefly describe thesmart contract gas system system model threat model andsecurity model

331 Smart Contract Blockchain is important and has awide range of applications such as the Internet of -ingsand edge computing and blockchain can be used in 5G

handover authentication [33] -e smart contract (SC) isconsidered as the core technology of the second-generationblockchain which was proposed by Szabo [34] -e carrierof the SC is the blockchain and its essence is an auto-matically executed computer code -e code describes theterms of the agreement between the buyer and the sellerand is directly written into the code of the blockchainSatisfying the predetermined terms is the trigger conditionfor the code to be executed Since the execution of the codedoes not require human intervention it is called automaticexecution

As a computer program a SC is a part of applicationsoftware and a digitally represented program [35] Althoughit is a code representation of contract terms it is not acontract in the legal sense In addition the construction ofSC comes from the blockchain framework which is a publicbilling system which can carry out secure value transferwithout a trusted third party and the correctness of thecontract code execution is guaranteed by the consensusmechanism -erefore SC can be understood as a computerprotocol which can be executed automatically withouthuman intervention

332 Gas System In Ethereum once the SC is set it isforbidden to modify it In order to prevent malicious usersfrom setting up an infinite loop running contract Ethereumrequires users to pay for each step of the deploymentcontract-e basic unit of cost is gas Gas is equivalent to thefuel needed to deploy and execute SC Without fuel SCcannot be used -is mechanism maintains the operation ofthe economic system of Ethereum

In a gas system there are some important parametersGas price means that users need to pay for each unit of gasEach block has a gas limit that is the maximum amount ofgas allowed in a single block which can be used to determinehow many transactions can be packaged in a single blockBoth gas price and gas limit are set by the transaction senderitself If the total amount of gas consumed by the operation

Table 1 Main symbols

Symbol Meaningpko sko Publicsecret key pair of data ownerpku sku Publicsecret key pair of data userpks sks Publicsecret key pair of cloud serverK Shared key for data owner and data userNi Encrypted file indexNs Encrypted file index setF fi1113864 1113865iisin[1t] File index setFprime Returned file setC Ci1113864 1113865iisin[1t] Ciphertext set of F

Cprime Ciprime1113864 1113865iisin[1t] Packed ciphertext

W wi1113864 1113865iisin[1m] Keyword dictionaryI I0 I1 I2 Ij1113966 1113967

jisin[1m]Index set for F

σ2prime -e intermediate valueσ2 -e final valueWprime wi

prime1113864 1113865iisin[1l] Queried keyword setTWprime TW1prime TW2prime1113966 1113967 Trapdoor for WprimeL ρ1(τ)1113864 1113865τisin[1l] Location set of Wprime in W

Security and Communication Networks 3

exceeds gas limit the operation will be voided the trans-action is not packaged in the block and the transactionamount is refunded and the gas fee that has been performedwill still be charged [36] Only if the userrsquos current amount isgreater than gas limit times gas price the transaction will beexecuted successfully For gas price if the value is too highthe transaction may be executed first and if it is too low thetransaction speed will be slow

34 System Model In this section we introduce the systemmodel of the scheme as shown in Figure 1

(1) Data Owner (DO)-emain work of data owner is tocalculate the keyword index and the file ciphertextand then send the file ciphertext to the cloud serverand the keyword index to the smart contract

(2) Data User (DU) -e main work is to calculate thetrapdoor and upload it to the smart contract -endata user gets the corresponding file ciphertext fromcloud server and verifies it Finally data user de-crypts the file ciphertext

(3) Cloud Server (CS) -emain work of the cloud serveris to store the data uploaded by the data owner andreceive the file index from smart contract Next thecloud server forwards the corresponding file ci-phertext to the data user

(4) Smart Contract (SC) Smart contractrsquos main job is toreceive indexes and trapdoors to match and thensend the search result to the cloud server through atransaction

(5) Trusted Authority (TA) -e trusted authority isresponsible for generating publicprivate key pairsfor data owner data user and the cloud server

35 Algorithms in SystemModel Here we introduce the sixalgorithms in our scheme Setup KeyGen Enc Trap Searchand Verification and Decryption

(1) Setup (1λ) -e algorithm inputs a public parameterλ and outputs a global public parameter SP

(2) KeyGen (SP) -is algorithm takes SP as inputs andit outputs the DOrsquos public key pko and private keysko -e public and private keys of DU and CS aregenerated in a manner similar to DO

(3) Enc (SP pku sko F) -is algorithm inputs SP pkuand sko -en it outputs the keyword indexes I fileciphertext C packed ciphertext Cprime and encryptedfile index set Ns

(4) Trap (Wprime pks pko sku) -is algorithm takes que-ried keyword set Wprime CSrsquos public key pks DOrsquospublic key pko and DUrsquos private key sku as input andit outputs the corresponding trapdoor TWprime and lo-cation information L

(5) Search (I TWprime L sks) -is algorithm inputsI TWprime L the CSrsquos private key sks-en it outputs theencrypted file index set Ns Note that the searchprocess is run in the blockchain using the privacy

key of CS -erefore in the execution of smartcontract there will be an interaction with CS first

(6) Verification and Decryption (SP C Cprime Ns) -e al-gorithm takes SP Ns file ciphertext set C andpacked ciphertext Cprime as input and it outputs theverification results and file set Fprime

36 Dreat Model and Security Model In this scheme TA iscompletely trusted the DU is malicious and the CS issemitrusted For example the semitrusted CS may want tolearn the original file information or return partial searchresults DU may also maliciously accuse the CS not returningcorrect search results In the payment phase the CSmay wantto obtain the search fee from the DU without providing thesearch result In addition a malicious DUmay want to get thecorrect search results from the CS without paying the searchfee Next we introduce the security model of our scheme

We define that our scheme needs to satisfy two securitygoals one is trapdoor indistinguishability and the other isindex indistinguishability Two games are needed to provethem

(1) In Game 1 we assume the adversary A is a semi-trusted CS or a malicious DU -erefore A can getthe private key of CS or DU but he cannot performtrapdoor query on the selected challenge keywordsw0 w1 -e scheme does not get an effective trap-door which can ensure the indistinguishability of theindex if there is no adversary to distinguish the indexof the keyword w0 or w1

(2) In Game 2 A may be a semitrusted CS and A mayget the private key of CS-e trapdoor of the schemerequires that A cannot distinguish w0(W0) orw1(W1)

Definition 1 In Game 1 and Game 2 the scheme can resistinside KGAs if there is no adversary to break the indis-tinguishability of indexes and trapdoors with a nonignorableadvantage -e sequence of games is the interaction betweenchallenger C and adversary A pay attention to the semi-trusted CS acting as Arsquos role

4 Construction of the BPKEMS Scheme

41 Setup Input a security parameter λ and then TA runsthe Setup algorithm to generate the system parametersSP (g h H1) We set g as a generator of G1 and h and H1are two collision-resistant hash functions whereh 0 1 lowast ⟶ Zp H1 0 1 lowast times 0 1 lowast ⟶ 0 1 lowast -en TApublishes the public parameters SP

42KeyGeneration -e scheme runs the KeyGen algorithmto generate the publicprivate key pair for DO DU and CS-e detailed generation process is as follows

(1) KeyGeno randomly choose an element a isin Zp as theprivate key sko and then compute the public keypko ga


(2) KeyGenu pick an element b isin Zp as the DUrsquos privatekey sku and compute the public key e(g g)(1b) gb-e DUrsquos public key has two parts which we defineas pku pku1 pku21113864 1113865 where pku1 e(g g)(1b)pku2 gb

(3) KeyGens choose an element c isin Zp as the privatekey sks and then compute the CSrsquos public keypks gc

43 Ciphertext Generation Before generating a keywordindex DO first defines the reward offer to be paid per searchto himself and sends this setting to the SC Upon receivingthe file set F f1 ft1113864 1113865 we define the keyword dictio-nary as W w1 wn1113864 1113865 DO extracts the keywords in eachfile -e DO uses the Enc algorithm to output the indexes Ifile ciphertexts C and packed ciphertext Cprime

(1) First DO needs to generate keyword indexIi I0 I1 I2 Ij1113966 1113967 where i isin [1 t] DO randomlychooses an element r isin Zp Next he calculates theIi0 e(g g)r Ii1 (pku2)

r gbr Ii2 e(g

g)(arb) Iij gminus rh(wj) where j isin [1 n](2) Second DO encrypts each file fi isin F Here we use a

symmetric encryption algorithm when encryptingfiles -e difference is that we use the idea of DH keyexchange to share the key K for DO and DU and DOuses its own private key sko and DUrsquos public key pku2to calculate it where K pku

sko

2 gba -en foreach file fi Ci EncK(fi)

(3) -ird DO numbers the file fi encrypts the file indexi with the key K obtains the encrypted file indexNi EncK(i) stores the Ni and the ciphertext Ci

together and then performs a hash operation toobtain the result Mi H1(Ni Ci)

-e file indexes Ni Mi are packed as ciphertext Ciprime Next

upload the encrypted file index set Ns and ciphertext set C tothe CS-en send the packed ciphertext set Cprime and index setI to the SC for querying operation

44 Ciphertext Update In this part we describe how toupdate files for example modify insert and delete oper-ations For modification and insertion of files blockchainand encryption protect the index and encrypted files fromleaking sensitive information -e detailed file update op-erations are shown in Figure 2

(1) Modification Suppose a file mk needs to be changedtomkprime andDO needs to recalculate its ciphertext that

is ckprime EncK(mk

prime)(2) Insertion When adding a new file at the k-th po-

sition add the ciphertext at the corresponding po-sition with ck

prime(3) Deletion When a file needs to be deleted only the file

and index value need to be deleted from the CS

45 Trapdoor In this section the Trap algorithm was run byDU When a DU wants to query keywords Wprime w1prime 1113864

wlprime he needs to generate trapdoor TWprime for these keywords

-e trapdoor consists of two parts one is TWprime 1 and the otheris TWprime 2

(1) DU randomly selects an element φ isin Zp letTWprime1 φ

DUDO

2 File ciphertext file index

3 Keyword index packed ciphertext 4 Trapdoor user ID

6 Packed ciphertext

53

File

inde

xes

user

ID


CS

1 Key distribution 1Key distribution

1Ke

y di

strib

utio

n

TA

SC

51

e i

nter

med

iate

val

ue

52

Fin

al v

alue

Figure 1 -e system model


(2) DU computes TWprime 2 (pkminusφs pk(1b)

o )(1(bminus 1113936l

π1 h(wπprime)))

We need to record the keyword location L which ex-presses the location from Wprime to W We define a mappingfunction ρ wπprime wρ(π) After the user generates the trapdoorTWprime the user sets a time limit node T1 uploads the trapdoorwith the location L ρ(1) ρ(l)1113864 1113865 to the SC and per-forms the deposit operation from his account-en the usersends the trapdoor TWprime and the time limit node T1 to the SCNext he uploads his own identity ID to request the SC toperform the search service

46 Search -e Search algorithm is run by SC SC andblockchain are combined for search service Here we give thedefinition of some symbols owner and user represent therespective accounts of DO and DU userdeposit expresses thecurrent deposit in blockchain DU deposits his account balanceinto the blockchain system user -e price per unit of gasolineis denoted by gasprice -e total cost of each complete searchoperation is expressed as cost Gaslsrch and Gassrch re-spectively express the gas limit and the cost of calling thesearch algorithm After receiving the DUrsquos ID and requestingthe search service perform the following algorithm

(1) First check whether the current time T2 is less thanT1 If yes perform the following steps If no processis stopped

(2) Check whether userdeposit is greater thanGaslsrch times gasprice if yes the userrsquos current deposituserdeposit can complete the next search serviceand the SC starts to run If no stop it

(3) -e SC computes the intermediate value σ2prime IT

Wprime 1i0

-en σ2prime is sent to CS CS calculates the final valueσ2 σprimec2 and returns it to SC

(4) Compute σ1 e(Ii1 middotΠlτ1Iiρ(τ) TWprime 2) and σ3 Ii2

(5) Calculate whether equation σ1 middot σ2 σ3 is true If sooutput 1 to indicate that the search was successful-en the SC sends the search results to the CSOtherwise output 0 indicating failure and thesearch service will be stopped Finally the SC willrecord the encrypted file index Ni and then start thenext query until all files are retrieved Finally SCsends the file index set Ns to CS We describe thetransaction during search in Algorithm 1

47 Verification and Decryption Phase In this section DUperforms the verification and decryption algorithms -eSC sends file index set Ns and DUrsquos I D that satisfies thesearch request to CS -en CS transmits the file ciphertextset C and encrypted file index set Ns to the DU according toNi In Algorithm 1 we describe the search process for eachround

During the interaction between SC and DU the packedciphertext Ci

prime is obtained by the DU after the SC is suc-cessfully retrieved -en the user verifies NSC NCS whereNSC represents the file index sent by the SC and NCS rep-resents the file index sent by CS If above indexes are thesame it proves that the CS did not send wrong files and thenverify Mprime H1(Ni Ci) M

Mprime

If the file index Ni and ciphertext Ci are hashed and theresult is equal it proves that the CS has not tampered withthe ciphertext data Finally DU uses its own private key sku

and DOrsquos public key pko to generate the shared key K

pkskuo gab of the encrypted file and decrypts the file ci-

phertext Ci where fi DecK(Ci) Finally DU gets thedecrypted file set Fprime

48 Correctness Formula (1) indicates that the index andtrapdoor match successfully

File index 1 2 3 4 5 6 7 8 9

File index 1 2 3 4 10 6 7 8 9

File index 1 2 3 4 10 6 8 9

File index 1 2 4 10 6 11 8 97

711

m1 m2 m3 m4 m6 m7 m8 m9mprime5


m1 m2 m3 m4 m6 m7 m8 m9mprime5 mprime

m1 m2 m4 m6 m7 m8 m9mprime5 mprime

Modify m5 as mprime5

Insert mprime

Delete m3

Figure 2 -e update operations of files


e⎛⎝Ii1 middot 1113945l

τ1Iiρ(τ) TWprime 2

⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)

(arbminusrcφ)e(g g)

rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis

In order to show that our scheme is practical in terms ofsecurity and performance we introduced the security andperformance analysis in detail

51 Fairness Because the blockchain interacts with eachentity on a transaction basis and each transaction istransparent it can be guaranteed that the results of eachquery are correct and there will be no malicious tamperingFairness is achieved through the use of SC In Ethereum alloperations or transactions are associated with gas and eachoperation will consume some of the gas on SC and theperson who provides the data (such as DO) will berewarded accordingly At the same time users also need topay for the files they retrieve Without the involvement of athird party the blockchain can ensure that users get correctand complete search results and malicious operations willbe detected In addition the user has determined a limitedtime to ensure the fairness of the transaction because thetransaction needs to be completed within the specified timenode If the time limit is exceeded the user will stop thesearch service

52 Credibility -e search results given by the blockchainmust be honest and credible -e operations on SC aretransparent and cannot be tampered so we can be confidentthat the results returned by the SC are credible At the sametime it effectively prevents malicious server from attackingthis scheme In addition the transparency of the blockchaincan ensure the correctness of the results and the verificationon the user side can also achieve the same effect Nothing canbe used as a malicious tamper with the search results En-tities connected to the blockchain can verify the actions ofother entities at any time

53 Confidentiality -is scheme can resist KGAs in theory-e security of this scheme should realize the indistin-guishability of index and trapdoor Note that in Game 1adversary A can query both the private key and trapdoorImportantly trapdoor queries need to exclude previouslydefined challenge keywords Corresponding to the definitionof Game 2 we can get that A can query the index ciphertextand CSrsquos private key the limitation is that A cannot querythe challenge keywords w0 and w1

Theorem 1 Drough the proof analysis under the randomoracle model we can see that if the adversary solves thecorresponding difficult problem with a negligible probabilityfor both Game 1 and Game 2 then our scheme can resistKGAs

Proof -e proof of theorem is supported by the followingtwo lemmas As long as their security requirements can besatisfied our scheme is secure in the description of theorem-e detailed process is as follows In Game 1 if the DDHassumption holds the scheme achieves index indistin-guishability In Game 2 the scheme can ensure that it canresist chosen keyword attacks under the random oraclemodel

(1) In Game 1 we analyze the symmetric key used toencrypt files between DO and DU which isgenerated through negotiation between the twoentities -e CS must obtain the private key of onebefore it can generate a shared key or intercept itduring the transmission of the public channelHowever our scheme does not require trans-mission -erefore the CS must obtain the privatekey of one of them to decrypt the ciphertext of thefile fi -erefore in our scheme the shared key K

is secure

(1) if T2 ltT1 and $userdeposit gt Gaslsrch times $gasprice + $offer then(2) Compute σ1 σ2 σ3(3) if σ1 middot σ2 is the same as σ3 then(4) Return the file indexes Ni to CS(5) else(6) Return 0(7) Set costoffer+Gassrch times gasprice(8) Send offer to owner -en send Gassrch times gasprice to executor of a deal(9) Finally set userdeposituserdeposit-cost(10) else(11) Send userdeposit to user(12) end

ALGORITHM 1 Ciphertexts retrieval


(2) -e security of our scheme can be analyzed from twoparts -e first is the generation of the index As-suming that a DU wants to query a keyword set WprimeCS must generate a valid index 1113957I 1113957Io 1113957I1 1113957I2 1113957Ij1113966 11139671113966 1113967CS first needs to obtain the private key sko a isin Zp

of DO -e private key of DO is kept secret CS canonly assume that it has obtained a private key 1113957a ofthe DU But the size of Zp is p which is a large primenumber -erefore the probability of selecting theright one is (1p) which is negligible On the otherhand CS assumes that the keyword setWprime w1prime wl

prime1113864 1113865 1113958Wprime 1113957w1 1113957wl1113864 1113865 selected byCS is equal to the keyword set that DU wants toquery which is equivalent to randomly selecting l

equal sets from n keywords with a probability of(1Cl

n) Assuming that the range of the key set n islarge enough the above probability is also smallenough In summary CS cannot perform insideKGAs

(3) In Game 2 given a valid index I I0 I1 I2 Ij1113966 11139671113966 1113967CS cannot generate a valid trapdoor for matching-e generation of the trapdoor requires the use ofthe private key sku of the DU We assume that theprivate key of the DU is sku b CS randomly selectsa element 1113957b isin Zp as the private key of the DU -eequal probability is (1p) so the probability can beignored -rough the above analysis our schemecan resist inside KGAs

Here we introduce the location privacy of keywords Inthe paper we use the location mapping function ρ(middot) -elocation privacy of queried keywords can be protected usingrandom mask technology for example pseudorandomfunctions -e pseudorandom function confuses the posi-tion of the real keyword so as not to riot the position of thereal keyword Try not to let users know more informationFor cloud server the index location is exposed but thekeywords are encrypted so the security of the scheme willnot be affected

6 Performance Analysis

In order to show that our scheme is effective in this part wecompare three schemes in terms of functions In additionwe discuss the computation overhead and communicationoverhead of our scheme with two other schemes Yangrsquosscheme [5] and Xursquos scheme [37]

First we compare the functions of the three schemes asshown in Table 2 We can see that by comparing thefunctions of the four aspects we can see the functionaldifferences between those schemes -e check mark meansthat this condition is satisfied and the wrong signmeans thatthe condition is not satisfied It is compared by whether itsupports multi-keyword retrieval whether it supports dy-namic update of files whether it supports blockchain andwhether it supports fair payment between users We can seethat our scheme supports the four functions scheme [37]

only supports multi-keyword search and scheme [5] onlydoes not support dynamic update of files -e dynamicupdate of files can ensure the flexibility of the scheme Byusing the blockchain you can take advantage of thetransparency immutability and traceability Especially theSC running on the blockchain can ensure fair paymentbetween users

61 Deoretical Analysis In Table 3 we compare the com-putation overhead of our scheme with the other two schemes[5 37] In terms of computation overhead we mainlyconsider some time-consuming operations TM represents amultiplication operationTH represents a hash operationTE

represents an exponential operation and TP represents apair operation In Table 4 we compare our scheme withother schemes [5 37] in terms of communication overheadWe define the element length of G1 G2 Zp as |G1| |G2| |Zp|In addition we define m to represent the number of key-words contained in each file and l to represent the number ofqueried keywords

Regarding the computation overhead we compare thecharacteristics of each scheme in Table 3 In the key gen-eration stage we can see that our scheme is in the middle ofthe three at this stage and the efficiency is higher than that ofscheme [5] and lower than that of scheme [37] In thekeyword encryption and trapdoor generation phases thecalculation amount of the three schemes increases linearlywith the number of encrypted keywords and queried key-words but our scheme is the most efficient among the threewhich are (3 + m)TE + mTH + TP and 3TE + lTH + TMrespectively In the search stage we set the number ofkeywords to be queried to 1 It can be seen from the table thatthe calculation amount of the three schemes is constant butour scheme has the highest efficiency -erefore based onthe above theoretical analysis our scheme has the highestefficiency

Regarding communication overhead we compare thepublic key size encryption size and trapdoor size with theother two schemes We can see from Table 4 that the size ofthe public key generated by the three schemes remainsunchanged In the encryption phase the size of the storage ofour scheme is almost the same as scheme [5] but is smallerthan the storage size of scheme [37] In the trapdoor gen-eration stage in scheme [37] the size of trapdoor increaseslinearly with the number of queried keywords and thereforeit will consume a lot of storage resources Our scheme and

Table 2 Functional comparison

Ourscheme Yangrsquos scheme [5] Xursquos scheme [37]

Multi-keyword Update times times

Blockchain times

Fair payment times


scheme [5] are constant and therefore have good storagecharacteristics

62 Empirical Analysis In this part we emulate our schemeYangrsquos scheme [5] and Xursquos scheme [37] We use the JavaPairing-Based Cryptography (JPBC) Library -e imple-mentation equipment of the scheme is a HP desktop computerwith a 300GHz Intel Core i5-8500 processor and 8GBmemory In the experiment we used the Type A elliptic curveWe analyzed three schemes by comparing Enc Trap andSearch algorithms In the Enc algorithm we set the number ofkeywords in steps of 10 increasing from 1 to 50 in turn In Trapand Search the number of keywords we set is also increasingfrom 10 to 50 in steps of 10 In each of the above experimentsafter 50 cycles the average value of the calculation cost iscalculated to ensure that the results are relatively valid It can beseen from Figures 3ndash5 that our scheme is the most effectiveBelow we briefly explain the content of the icon

In Figure 3 we can see that our scheme has the smallestslope which has great advantages compared with the othertwo schemes Due to the frequent hashing operations andexponential operations the coefficients of our scheme (mand 3 + m) are larger so the structure of the scheme issimpler With the increase of keywords the advantages willbecome more and more obvious

In Figure 4 we can find that the time consumed isconstant with the number of keywords that users query Inthe process of generating trapdoors of our scheme expo-nential operations and multiplication operations are con-stants and hash operations increase linearly with theincrease of keywords However you can see that in the othertwo schemes the slope of growth is much larger than that ofour scheme and it takes time to hash to Zp which is muchshorter than hashing to group G

In Figure 5 the efficiency gap between our scheme andthe other two schemes is not obvious Because of the pairoperation the number of operations of exponential oper-ation is almost constant For the operation after hashing thekeyword whether it is the aggregation of addition or theaggregation of multiplication the time consumed by a singleoperation is very small -erefore as the number of key-words increases the trend of time changes is not obviousBut judging from the change trend in Figure 5 our schemestill has some advantages

Table 3 Computation overhead

Our scheme Yangrsquos scheme [5] Xursquos scheme [37]KeyGen 4TE + Tp 2TH + 4TE 3TE

Enc (3 + m)TE + mTH + TP mTM + mTH + (2m + 3)TE mTM + 3mTH + (2m + 2)TE

Trapdoor 3TE + lTH + TM (l + 1)TM + lTH + (2l + 3)TE 3lTH + (2l + 1)TE

Search TM + TE + TP TM + 3TP TM + TE + 3TP

Table 4 Communication overhead

Our scheme Yangrsquos scheme [5] Xursquos scheme [37]pk size |G1| |G1| |G1|

Enc size (m + 1)|G1| + 2|G2| (m + 3)|G1| (m + 2)|G1| + m|Zp|

Trapdoor size |G1| + |Zp| 3|G1| 3|G1| + l|Zp|

0 10 20 30 40 50e number of keywords

0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)

Our schemeYangrsquos schemeXursquos scheme

Figure 3 -e computation overhead of Enc algorithm

10 20 30 40 50e number of queried keywords

0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)


Figure 4 -e computation overhead of Trap algorithm


7 Conclusion

With the development of cloud computing a secure searchcryptography scheme is becoming increasingly importantIn this paper we present a BPKEMS scheme in the block-chain scenario which supports secure retrieval of con-junctive keywords dynamic update of files and verificationof ciphertext In addition our scheme can resist KGAs Interms of efficiency we implemented this scheme throughsimulation and compared it with other schemes [5 37] andit shows that our scheme is more practical

Data Availability

-e data used to support the findings of this study areavailable from the corresponding author upon request

Conflicts of Interest

-e authors declare that they have no conflicts of interest

Acknowledgments

-is study was supported by the National Key RampD Programof China (grant no 2017YFB0802000) the National NaturalScience Foundation of China (grant nos 61862055 and62072369) and the Major Research and DevelopmentProject of Qinghai (grant no 2020-SF-140)

References

[1] D X Song D W Wagner and A Perrig ldquoPractical Tech-niques for Searches on Encrypted Datardquo in Proceedings of the2000 IEEE Symposium on Security and Privacy pp 44ndash55Berkeley CA USA February 2000

[2] D Boneh G Di Crescenzo R Ostrovsky and G PersianoldquoPublic key encryption with keyword searchrdquo in Advances inCryptology-EUROCRYPT 2004 C Cachin andJ L Camenisch Eds pp 506ndash522 Springer Berlin Heidel-berg Berlin Heidelberg 2004

[3] T Chi B Qin and D Zheng ldquoAn efficient searchable public-key authenticated encryption for cloud-assisted medical in-ternet of thingsrdquo Wireless Communications and MobileComputing vol 2020 pp 1ndash11 Article ID 8816172 2020

[4] Y Miao X Liu K-K R Choo R H Deng H Wu and H LildquoFair and dynamic data sharing framework in cloud-assistedinternet of everythingrdquo IEEE Internet of Dings Journal vol 6no 4 pp 7201ndash7212 2019

[5] X Yang G Chen M Wang T Li and C Wang ldquoMulti-keyword certificateless searchable public key authenticatedencryption scheme based on blockchainrdquo IEEE Access vol 8pp 158765ndash158777 2020

[6] Q Zheng S Xu and G Ateniese ldquoVabks verifiable attribute-based keyword search over outsourced encrypted datardquo inProceedings of the IEEE INFOCOM 2014-IEEE Conference onComputer Communications pp 522ndash530 IEEE Toronto ONCanada May 2014

[7] W Sun X Liu W Lou Y T Hou and H Li ldquoCatch you ifyou lie to me efficient verifiable conjunctive keyword searchover large dynamic encrypted cloud datardquo in Proceedings ofthe 2015 IEEE Conference on Computer Communications(INFOCOM) pp 2110ndash2118 IEEE Kowloon HK USA May2015

[8] Z Xia XWang X Sun and QWang ldquoA secure and dynamicmulti-keyword ranked search scheme over encrypted clouddatardquo IEEE Transactions on Parallel and Distributed Systemsvol 27 no 2 pp 340ndash352 2015

[9] R Curtmola J Garay S Kamara and R OstrovskyldquoSearchable symmetric encryption improved definitions andefficient constructionsrdquo Journal of Computer Security vol 192011 httpswwwmicrosoftcomen-usresearchpublicationsearchable-symmetric-encryption-improved-definitions-and-efficient-constructions-2

[10] A Fiat and M Naor ldquoBroadcast encryptionrdquo in AnnualInternational Cryptology Conference pp 480ndash491 SpringerBerlin Germany 1993

[11] P Wang H Wang and J Pieprzyk ldquo-reshold privacypreserving keyword searchesrdquo in Proceedings of the Inter-national Conference on Current Trends in Deory and Practiceof Computer Science pp 646ndash658 Springer Novy SmokovecSL Europe January 2008

[12] A Shamir ldquoHow to share a secretrdquo Communications of theACM vol 22 no 11 pp 612-613 1979

[13] K Yuan Z Liu C Jia J Yang and S Lv ldquoPublic key timed-release searchable encryption in one-to-many scenariosrdquoActaElectronica Sinica vol 43 no 4 pp 760ndash768 2015

[14] H Zhong J Cui R Shi and C Xia ldquoMany-to-one homo-morphic encryption schemerdquo Security and CommunicationNetworks vol 9 no 10 pp 1007ndash1015 2016

[15] Q Tang and L Chen ldquoPublic-key encryption with registeredkeyword searchrdquo in Proceedings of the European Public KeyInfrastructure Workshop pp 163ndash178 Springer Pisa ItalySeptember 2009

[16] L FangW Susilo C Ge and J Wang ldquoPublic key encryptionwith keyword search secure against keyword guessing attackswithout random oraclerdquo Information Sciences vol 238pp 221ndash241 2013

[17] P Xu H Jin Q Wu and W Wang ldquoPublic-key encryptionwith fuzzy keyword search a provably secure scheme under


0

5

10

15

20

25

30

Sear

ch ti

me (

ms)


Figure 5 -e computation overhead of Search algorithm


keyword guessing attackrdquo IEEE Transactions on Computersvol 62 no 11 pp 2266ndash2277 2012

[18] R Chen Y Mu G Yang F Guo and X Wang ldquoA newgeneral framework for secure public key encryption withkeyword searchrdquo in Proceedings of the Australasian Confer-ence on Information Security and Privacy pp 59ndash76 SpringerBrisbane QLD Australia July 2015

[19] Z-Y Shao and B Yang ldquoOn security against the server indesignated tester public key encryption with keyword searchrdquoInformation Processing Letters vol 115 no 12 pp 957ndash9612015

[20] R Chen Y Mu G Yang F Guo and X Wang ldquoDual-serverpublic-key encryption with keyword search for secure cloudstoragerdquo IEEE Transactions on Information Forensics andSecurity vol 11 no 4 pp 789ndash798 2015

[21] Q Huang and H Li ldquoAn efficient public-key searchableencryption scheme secure against inside keyword guessingattacksrdquo Information Sciences vol 403 pp 1ndash14 2017

[22] Y Kang and Z Liu ldquoA fully secure verifiable and outsourceddecryption ranked searchable encryption scheme supportingsynonym queryrdquo in Proceedings of the 2017 IEEE SecondInternational Conference on Data Science in Cyberspace(DSC) pp 223ndash231 IEEE Shenzhen China June 2017

[23] L Wu B Chen S Zeadally and D He ldquoAn efficient andsecure searchable public key encryption scheme with privacyprotection for cloud storagerdquo Soft Computing vol 22 no 23pp 7685ndash7696 2018

[24] L Wu Y Zhang M Ma N Kumar and D He ldquoCertifi-cateless searchable public key authenticated encryption withdesignated tester for cloud-assisted medical internet ofthingsrdquo Annals of Telecommunications vol 74 no 7-8pp 423ndash434 2019

[25] M Ma D He N Kumar K-K R Choo and J ChenldquoCertificateless searchable public key encryption scheme forindustrial internet of thingsrdquo IEEE Transactions on IndustrialInformatics vol 14 no 2 pp 759ndash767 2017

[26] Y Lu and J Li ldquoEfficient searchable public key encryptionagainst keyword guessing attacks for cloud-based emr sys-temsrdquo Cluster Computing vol 22 no 1 pp 285ndash299 2019

[27] Y Zhang R Deng X Liu and D Zheng ldquoOutsourcingservice fair payment based on blockchain and its applicationsin cloud computingrdquo IEEE Transactions on Services Com-puting vol 123 pp 89ndash100 2018

[28] Y Zhang R H Deng X Liu and D Zheng ldquoBlockchainbased efficient and robust fair payment for outsourcing ser-vices in cloud computingrdquo Information Sciences vol 462pp 262ndash277 2018

[29] Y Zhang R H Deng J Shu K Yang and D Zheng ldquoTksetrustworthy keyword search over encrypted data with two-side verifiability via blockchainrdquo IEEE Access vol 6pp 31077ndash31087 2018

[30] H Li F Zhang J He and H Tian ldquoA searchable symmetricencryption scheme using blockchainrdquo 2017 httparxivorgabs171101030

[31] H Li H Tian F Zhang and J He ldquoBlockchain-basedsearchable symmetric encryption schemerdquo Computers ampElectrical Engineering vol 73 pp 32ndash45 2019

[32] L Chen W-K Lee C-C Chang K-K R Choo andN Zhang ldquoBlockchain based searchable encryption forelectronic health record sharingrdquo Future Generation Com-puter Systems vol 95 pp 420ndash429 2019

[33] Y Zhang R Deng E Bertino and D Zheng ldquorobust anduniversal seamless handover authentication in 5g Hetnetsrdquo

IEEE Transactions on Dependable and Secure Computingvol 99 2019

[34] N Szabo ldquoFormalizing and securing relationships on publicnetworksrdquo First Monday vol 2 no 9 1997

[35] A Miller Z Cai and S Jha ldquoSmart contracts and oppor-tunities for formal methodsrdquo in Proceedings of the Interna-tional Symposium on Leveraging Applications of FormalMethods pp 280ndash299 Springer Limassol Cyprus November2018

[36] S Hu C Cai Q Wang C Wang X Luo and K RenldquoSearching an encrypted cloud meets blockchain a decen-tralized reliable and fair realizationrdquo in Proceedings of theIEEE INFOCOM 2018-IEEE Conference on Computer Com-munications pp 792ndash800 IEEE Honolulu Hawaii USAApril 2018

[37] L Xu J Li X Chen W Li S Tang and H-T Wu ldquoTc-pedcks towards time controlled public key encryption withdelegatable conjunctive keyword search for internet ofthingsrdquo Journal of Network and Computer Applicationsvol 128 pp 11ndash20 2019


In terms of the usability of SE scheme multi-keywordsearch [4 5] is more in line with the userrsquos search experienceCompared with single-keyword search it can locate thesearch more accurately In the actual scenario the servermay be honest but curious and will want to obtain somesensitive information -erefore it is very important toverify the correctness of the results [6] However thisscheme is static and cannot operate data dynamically Al-though some SE schemes [7 8] support dynamic update offiles and verifiability of ciphertext they will bring a lot ofcomputational overhead -erefore the practical SE schemeneeds to be designed and proposed

In this paper we propose the BPKEMS scheme in theblockchain scenario the main contributions are as follows

(1) Multi-Keyword Search -e BPKEMS scheme hassome good features such as multi-keyword searchand file updates In addition the data owner and datauser can generate a shared key when encrypting filesBy using the DiffiendashHellman (DH) key exchangeprotocol they can get the shared key without anyinteraction

(2) Fairness In this scheme the blockchain mecha-nism is used to ensure the fairness of the trans-action between data owner and user without a thirdparty3Verifiability On the blockchain platform we usesmart contract to store index and trapdoor infor-mation and perform search services to ensure theaccuracy of search results In addition we numberthe files and the user can verify the ciphertext of thefile after receiving the result which can avoid somemalicious behavior of the cloud server

2 Related Work

In recent years cloud computing technology has beenrapidly developed and a series of studies have been done onsecurity issues In order to enhance the security of data onthe server Dawn et al [1] first proposed a symmetric SEscheme but it was in one-to-one mode which has triggeredpeoplersquos research on SE because the one-to-onemode cannotmeet peoplersquos needs For the many-to-one model Bonehet al [2] first proposed the public key SE scheme and gavethe concept of SE security based on public key encryption in2004 But in certain environments the many-to-one mode isnot practical In 2011 Curtmola et al [9] constructed a one-to-many SE model based on Naor broadcast encryptiontechnology [10] but the userrsquos key replacement in this modelrequires a great deal of overhead In a large-scale networkenvironment data transmission is complicated Wang et al[11] constructed a many-to-many mode encryption schemebased on Shamirrsquos secret sharing technology [12] and theidentity-based encryption technology in [2] to realize theinteraction retrieval of multiple users in the server In orderto effectively solve the problem of interactive retrieval whenthere are multiple recipients Yuan et al [13] proposed a one-to-many public key ciphertext time release searchable en-cryption cryptographic model In the one-to-many model

only authenticated users can enjoy the search service andthe queried keywords are specified and they can decrypt itwhen it knows that it will be released in the future Zhonget al [14] proposed a many-to-one homomorphic encryp-tion scheme which overcomes the limitations of traditionalone-to-one mode

In terms of the security of SE about the scheme [2]proposed by Boneh only the semantic security of indexciphertext can be achieved but it cannot resist KGAs In2009 Tang and Chen [15] put forward a public key SEscheme -e keywords should be registered before usingwhich can resist KGAs but the keywords must be registeredin advance which makes the performance of the scheme nothigh In 2013 Fang et al [16] presented the scheme be-longing to public key cryptography which can resist KGAsthe scheme defines a public key SE model and two importantsecurity concepts one is for inside attacks and the other isfor external attacks However a large number of bilinearpairing calculations result in a low efficiency of Fangrsquosscheme [16]

In recent years scholars have conducted a lot of researchon inside attacks In 2013 Xu et al [17] proposed a schemewith two trapdoors (fuzzy trapdoor and precision trapdoor)and claimed that the scheme can resist inside KGAs In thisscheme the adversary intelligently obtains the fuzzy trap-door but some keyword information about the trapdoor isnot known and it is restricted in terms of security andefficiency In 2015 Chen et al [18] introduced a newframework to prevent inside KGAs-ey used two servers torealize the scheme but the limitation is that the two serverscannot be associated However anyone can generate legaltrapdoors for keywords which will make data privacy issueseasy to discover Shao et al proposed a method [19] that canresist KGAs In the SE scheme of a designated tester thesecurity of the scheme is redefined as IND-KGA-SERVERIn the presence of a digital signature it can resist the serverrsquosKGAs In 2016 Chen et al [20] proposed a scheme using twoservers to resist inside KGAs and the scheme has highefficiency However due to the two assumptions that twocloud servers cannot be connected this is difficult to achievein practice In 2017 Huang and Li [21] proposed a public keyauthentication encryption scheme based on keyword search-e ciphertext generation process of this scheme requiresthe key of the data owner Although the scheme can resist theinside KGAs it cannot achieve the chosen keyword ci-phertext indistinguishability Kang and Liu [22] proposed acompletely secure public key encryption scheme composedof bilinear pairing and TFIDF algorithm -is schemeachieves security under static assumptions By comparingwith previous SE schemes their schemersquos performance issuperior to other schemes In terms of security this schemecan avoid revealing privacy due to the curiosity of the ad-versary In 2018 Wu et al [23] proposed an efficient andsecure public key SE scheme with privacy protection -isscheme uses a DH shared key and is proven to resist KGAs

In the Internet of -ings (IoT) environment Wu et al[24] proposed a certificateless searchable public key au-thentication encryption scheme which can resist KGAs atthe same time and also has a higher efficiency Ma et al [25]



3 Preliminaries


















































r gbr Ii2 e(g



sko








is ckprime EncK(mk









DUDO



6 Packed ciphertext

53

File

inde

xes

user

ID


CS


1Ke

y di

strib

utio

n

TA

SC

51

e i

nter

med

iate

val

ue

52

Fin

al v

alue




o )(1(bminus 1113936l

π1 h(wπprime)))






Wprime 1i0







Mprime






File index 1 2 3 4 5 6 7 8 9

File index 1 2 3 4 10 6 7 8 9

File index 1 2 3 4 10 6 8 9

File index 1 2 4 10 6 11 8 97

711






Insert mprime

Delete m3





⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)


rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis








is secure






















Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)




























3 Preliminaries


















































r gbr Ii2 e(g



sko








is ckprime EncK(mk









DUDO



6 Packed ciphertext

53

File

inde

xes

user

ID


CS


1Ke

y di

strib

utio

n

TA

SC

51

e i

nter

med

iate

val

ue

52

Fin

al v

alue




o )(1(bminus 1113936l

π1 h(wπprime)))






Wprime 1i0







Mprime






File index 1 2 3 4 5 6 7 8 9

File index 1 2 3 4 10 6 7 8 9

File index 1 2 3 4 10 6 8 9

File index 1 2 4 10 6 11 8 97

711






Insert mprime

Delete m3





⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)


rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis








is secure






















Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)
























































r gbr Ii2 e(g



sko








is ckprime EncK(mk









DUDO



6 Packed ciphertext

53

File

inde

xes

user

ID


CS


1Ke

y di

strib

utio

n

TA

SC

51

e i

nter

med

iate

val

ue

52

Fin

al v

alue




o )(1(bminus 1113936l

π1 h(wπprime)))






Wprime 1i0







Mprime






File index 1 2 3 4 5 6 7 8 9

File index 1 2 3 4 10 6 7 8 9

File index 1 2 3 4 10 6 8 9

File index 1 2 4 10 6 11 8 97

711






Insert mprime

Delete m3





⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)


rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis








is secure






















Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)




























o )(1(bminus 1113936l

π1 h(wπprime)))






Wprime 1i0







Mprime






File index 1 2 3 4 5 6 7 8 9

File index 1 2 3 4 10 6 7 8 9

File index 1 2 3 4 10 6 8 9

File index 1 2 4 10 6 11 8 97

711






Insert mprime

Delete m3





⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)


rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis








is secure






















Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)





























⎞⎠IcT

Wprime 1i0 e g

brmiddot 1113945

l

τ1g

minus vh wρ1(τ)1113872 1113873 g

(ab)g

c(minusφ)1113872 1113873

1 bminus1113936l

τ1 h wτprime( )( 1113857⎛⎝ ⎞⎠e(g g)

rcφ

e gr g

(abminus cφ)1113872 1113873e(g g)

rcφ e(g g)


rcφ e(g g)

(arb) Ii2

(1)

5 Security Analysis








is secure






















Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)













































Blockchain times

Fair payment times

















0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)










































0

500

1000

1500

2000

2500

3000

Enc t

ime (

ms)




0

500

1000

1500

2000

2500

3000

Trap

tim

e (m

s)




7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)



























7 Conclusion


Data Availability




Acknowledgments


References



















0

5

10

15

20

25

30

Sear

ch ti

me (

ms)



























blockchain-enabledpublickeyencryptionwithmulti-keyword

Documents