Introduction

With the increasing popularity of adopting cloud technologies, many health care providers tend to store electronic medical records (EMRs) in cloud storage [1013, 18, 14]. Health care practitioners can enjoy the benefit of accessing medical records from anywhere with internet connection. To protect privacy of the data, health care practitioners may need to encrypt their data before storing in cloud storage. There should be a mechanism for them to search on the encrypted data without compromising the privacy of patients [9]. In 2004, Boneh et al. [4] introduced the notion of public key encryption with keyword search (PEKS). A PEKS allows one to perform encrypted keyword search on ciphertexts without revealing the original message. This notion has many useful applications, for example, email routing [3, 4], cloud storage [22], electronic health record systems [31, 32], etc.

A PEKS scheme requires a secure channel to transmit a trapdoor from a receiver to a server. Otherwise, an attacker may easily identify which encrypted messages are related to the given trapdoor. Baek et al. [5] solved the secure channel problem by proposing a secure-channel free PEKS (SCF-PEKS) which encrypts keyword with both server’s and receiver’s public keys. This ensures that only a designated server can perform the search and prevents other party that is without server’s private key from determining the relation between keyword ciphertexts and trapdoors. An SCF-PEKS scheme is also known as a PEKS scheme with a designated tester (dPEKS) [2730]. Baek et al.’s SCF-PEKS scheme [5] is proven secure in the random oracle model. Fang et al. [19] later proposed an SCF-PEKS scheme which is secure in the standard model.

The problem of off-line keyword guessing attacks (KGA) was first addressed by Byun et al. [7]. Subsequently, Yau et al. [35] also showed KGA on Baek et al.’s SCF-PEKS scheme [5]. This attack works as the keyword space of keywords used in PEKS and SCF-PEKS schemes are small. Attackers exploit this weakness by exhaustively guessing some candidate keywords and check whether their guesses are correct or not. Rhee et al. [28] enhanced the security model of [5] as well as proposed the concept of trapdoor indistinguishability. They showed that trapdoor indistinguishability is a sufficient condition for ensuring the security against off-line keyword guessing attacks.

Emura et al. [15, 16] showed a generic construction of adaptive SCF-PEKS from anonymous identity-based encryption (IBE) . Subsequently, Emura and Rahman extended the work in [15] and constructed a more efficient adaptive SCF-PEKS using IBE with partitioned ciphertext structure [16, 17]. However, the schemes proposed in [1517] are not secure against keyword guessing attacks. Rhee et al. [29] also proposed two generic transformations to construct an SCF-PEKS scheme using two IBE schemes that are either combined in parallel or in sequence. Very recently, Fang et al. [20] proposed the strongest model in SCF-PEKS that is secure against chosen keyword and ciphertext attack (IND-SCF-CKCA) and against keyword guessing attack (IND-KGA). At the same time, they constructed an SCF-PEKS scheme which is proven secure in the standard model. The construction of Fang et al.’s SCF-PEKS scheme [20] is based on Gentry’s IBE scheme [21]. They used the method of identity’s construction in Waters’s IBE scheme [34] in order to achieve KGA resiliency. They also include the test query in their security model which makes it stronger than other SCF-PEKS’s security model in the literature. To secure against this security model, they applied strongly unforgeable one-time signatures on the ciphertext elements of their SCF-PEKS scheme.

Our contributions

In this paper, we propose a very efficient SCF-PEKS scheme that is secure against chosen keyword and ciphertext attack (IND-SCF-CKCA) and against off-line keyword guessing attacks (IND-KGA) without random oracles. Fang et al.’s SCF-PEKS scheme [20] applied strongly unforgeable one-time signature to secure against IND-SCF-CKCA. However, our proposed SCF-PEKS scheme uses the technique of [23] to resist the same attack but requires less computation overhead as well as shorter ciphertext length as compared to the SCF-PEKS scheme of [20]. The main technique used by Fang et al. [20] to resist off-line keyword guessing attacks (IND-KGA) is to use Waters’s hash function [34] to construct user’s key that protects the anonymity of keyword in the trapdoor. This, however, results large key size for user’s public and private keys. In contrast, we adopt the method of generating randomness for trapdoor to achieve IND-KGA secure as well as greatly reduce the key size of the proposed SCF-PEKS scheme. In terms of security proof, Fang et al.’s security proof [20] depends on a stronger q-ABDHE assumption which is related to the number of private key generation queries made by the adversary. While, the security proof of our proposed SCF-PEKS scheme is based on a weaker QDBDH assumption which does not has this constraint. This paper answers in the affirmative the question posed by Fang et al. [20] on how to construct a more efficient SCF-PEKS scheme without random oracles. Our proposed efficient and secure SCF-PEKS scheme is suitable to be used in medical cloud storage to protect the privacy of patients’ medical records.

Paper organization

The rest of this paper is organized as follows: Section “Preliminaries” reviews the definitions related to our proposed SCF-PEKS scheme, including the definitions of bilinear maps, and the underlying assumptions. Section “Secure-channel free public key encryption with keyword search (SCF-PEKS)” reviews the definition and security model of SCF-PEKS. Section “Proposed efficient SCF-PEKS scheme” presents our proposed SCF-PEKS scheme and gives the security proof in the standard model. Section “Application of SCF-PEKS for EMRs in medical cloud storage” describes the application of SCF-PEKS for EMRs in medical cloud storage. We conclude the paper in Section “Conclusion”.

Preliminaries

We first present some notations used throughout this paper. For a prime p, let \(\mathbb {Z}_{p}\) denote the set {0, 1, ⋯ , p−1}, and \(\mathbb {Z}_{p}^{*}\) denote \(\mathbb {Z}_{p}\backslash \{0\}\). For a finite set S, x R S means choosing an element x from S with a uniform distribution.

Bilinear forms

We write 𝔾1 = 〈g〉 to denote that g generates the group 𝔾1. Let GlobalSetup be an algorithm that, on input the security parameters k, outputs the parameters for a bilinear map as (p, g, 𝔾1, 𝔾2, e), where 𝔾1, 𝔾2 have prime order p and 〈g〉 = 𝔾1. The efficient mapping e : 𝔾1 × 𝔾1 → 𝔾2 is bilinear for all g ∈ 𝔾1 and a, b ∈ ℤ p , e(g a, g b) = e(g, g)ab; and non-degenerate, if g generates 𝔾1, then e(g, g) ≠ 1.

Complexity assumption

Definition 1

(Quotient Decisional Bilinear Diffie-Hellman (QDBDH) [2]) Let GlobalSetup(1k) → (p, g, 𝔾1, 𝔾2, e), where 〈g〉 = 𝔾1. For all PPT adversaries 𝓐, the following probability is strictly less than 1/2 + 1/p o l y(k) where p o l y(k) represents any polynomial function in k:

$$\begin{array}{@{}rcl@{}} &&|\mathtt{Pr}[\mathcal{A}(g, g^{a}, g^{b}, e(g,g)^{b/a}) = 1|a,b\in_{R}\mathbb{Z}^{*}_{p}]\\ &&~~~~~~~~~~~-\mathtt{Pr}[\mathcal{A}(g, g^{a}, g^{b}, e(g,g)^{z}) = 1|a,b,z\in_{R}\mathbb{Z}^{*}_{p}]|. \end{array} $$

Definition 2

(Decisional Bilinear Diffie-Hellman (DBDH) Assumption) Let e : 𝔾1 × 𝔾1 → 𝔾2 be a bilinear map. We define the advantage function

$$\mathtt{Adv}_{\mathbb{G}_{1}, \mathcal{A}}^{DBDH}(1^{k})$$

of an adversary 𝓐 as

$$\begin{array}{@{}rcl@{}} &&|\mathtt{Pr}[\mathcal{A}(g, g^{a}, g^{b}, g^{c}, e(g,g)^{abc}) = 1]\\ &&~~~~~~~~~~~-\mathtt{Pr}[\mathcal{A}(g, g^{a}, g^{b}, g^{c}, Q) = 1]|, \end{array} $$

where \(a,b,c\in \mathbb {Z}_{p}^{*}\), \(Q\in \mathbb {G}_{2}^{*}\) are randomly chosen. We say that the decisional bilinear Diffie Hellman assumption holds if \(Adv_{\mathbb {G}_{1}, \mathcal {A}}^{DBDH}(1^{k})\) is negligible for all probabilistic polynomial time (PPT) adversaries 𝓐.

Definition 3

(Hash Diffie-Hellman (HDH) Problem [1]) Let hLen be in ℕ and H : {0, 1} → {0, 1}hLen be a hash function. The HDH problem in 𝔾 is defined as follows: given (g, g a, g b, H(g c)) ∈ 𝔾3 × {0, 1}hLen and H : {0, 1} → {0, 1}hLen as inputs, outputs “yes” if ab = c and “no” otherwise. An algorithm 𝓐 that outputs b′ ∈ {0, 1} has an advantage 𝜖 in solving the HDH problem in 𝔾 if

$$\begin{array}{@{}rcl@{}} &&|\mathtt{Pr}[\mathcal{A}(g, g^{a}, g^{b}, H(g^{ab})) = ``yes": g\leftarrow \mathbb{G}, \\ &&~~~~~~~~~~~a, b\leftarrow \mathbb{Z}_{p}]-\mathtt{Pr}\left[\mathcal{A}(g, g^{a}, g^{b}, \eta) = ``yes": \right.\\ &&\left.~~~~~~~~~~~g\leftarrow \mathbb{G},\eta\leftarrow \{0, 1\}^{\mathtt{hLen}}, a, b\leftarrow \mathbb{Z}_{p}\right]|\geq \epsilon, \end{array} $$

where the probability is taken over the random choice of g ∈ 𝔾, the random choice of η ← {0, 1}hLen, the random bits of 𝓐. We say that the HDH assumption holds in 𝔾 if no t-time algorithm has an advantage at least 𝜖 in solving the HDH problem in 𝔾.

Secure-channel free public key encryption with keyword search (SCF-PEKS)

In this section, we review the definition and security model of SCF-PEKS as defined in [20].

Definition of SCF-PEKS

Definition 4

(SCF-PEKS) A secure-channel free public key encryption with keyword search scheme consists of the following algorithms:

  • GlobalSetup(1k): The algorithm inputs a security parameter k and outputs the global parameters params, which includes a description of keyword space \(\mathcal {KS}\).

  • (params): Given the global parameters params, the key generation algorithm outputs a public/private key pair (p k R , s k R ) of a receiver R.

  • (params): Given the global parameters params, the key generation algorithm outputs a public/private key pair (p k s , s k s ) of a server S.

  • (p a r a m s, p k R , p k s , w): On input the global parameters params, a receiver R’s public key p k R , a server’s public key p k s , a keyword \(w\in \mathcal {KS}\), outputs a keyword ciphertext CT of w.

  • dTrapdoor(p a r a m s, s k R , p k s , w): Given the global parameters params, a receiver R’s private key s k R , a server’s public key p k s and a keyword \(w\in \mathcal {KS}\), the trapdoor generation algorithm dTrapdoor outputs a trapdoor T w of the keyword w corresponding to the receiver R. This algorithm is performed by the private key’s owner, who will send the trapdoor to the server. Our scheme does not use secure channel when the user transmits the trapdoor to the server.

  • dTest(p a r a m s, C T, s k s , p k R , T w ): Given the global parameters params, a server’s private key s k s , a receiver’s public key p k R , a trapdoor T w , and a PEKS ciphertext C T = (p a r a m s, p k s , p k R , w′), the test algorithm dTest outputs “yes” if w = w′ or “no” otherwise.

Correctness

For all (p k R , s k R ) output by and (p k s , s k s ) output by , the following equation holds for a correctly generated SCF-PEKS ciphertext associated with keyword w:

$$\begin{array}{@{}rcl@{}} &&\mathtt{dTest}\left(\mathtt{PEKS}(params, pk_{R}, pk_{s}, w),sk_{s},pk_{R},\right.\\ &&\left.~~~~~~~~~~~\mathtt{dTrapdoor}(params, sk_{R}, pk_{s}, w)\right) = yes \end{array} $$

Consistency

Suppose there exists an adversary 𝓐 that wants to make consistency fail. The consistency is formally defined as follows [19]:

$$\begin{array}{@{}rcl@{}} &&\text{Experiment}\, Exp_{\mathcal{A}}^{cons}(1^{k})\\ &&(pk_{R}, sk_{R})\leftarrow \mathtt{KeyGen}_{\mathtt{R}}(1^{k}); (pk_{s}, sk_{s})\leftarrow \mathtt{KeyGen}_{\mathtt{S}}(1^{k});\\ &&(w, w^{\prime})\leftarrow \mathcal{A}(pk_{R}, pk_{s});\\ &&CT\leftarrow \mathtt{PEKS}(pk_{s}, pk_{R}, w);\\ &&T_{w^{\prime}}\leftarrow \mathtt{dTrapdoor}(pk_{s}, sk_{R}, w^{\prime});\\ &&\text{if} w\neq w^{\prime}\, \text{and} \,\mathtt{dTest}(T_{w^{\prime}}, sk_{s}, pk_{R}, CT) = ``\text{yes}".\\ &&\hskip 6mm \text{then return 1},\\ &&\hskip 6mm \text{else return 0}. \end{array} $$

We define the advantage of 𝓐 as:

$$\mathtt{Adv}_{\mathcal{A}}^{cons}(1^{k}) = \mathtt{Pr}[Exp_{\mathcal{A}}^{cons}(1^{k}) = 1].$$

The scheme is said to be computationally consistent if it is negligible for polynomial time adversaries 𝓐 to win the above experiment.

Security model of SCF-PEKS

In an SCF-PEKS scheme, we consider two types of adversary, namely, a malicious server and a malicious user. A malicious server should not be able to distinguish which keyword corresponds to a given keyword ciphertext without the trapdoor from a receiver. A malicious user (including the receiver) should not be able to distinguish which keyword corresponds to a target ciphertext without the server’s private key even s/he has the trapdoor of the keyword. We review the security model as defined in [20].

Definition 5

(IND-SCF-CKCA game) Let k be the security parameter and \(\mathcal {A}_{i}~(i=1,2)\) be the adversary. We consider the following two games between the adversary \(\mathcal {A}_{i}~(i=1,2)\) and the challenger ℬ.

  • Game Server : 𝓐1 is assumed to be a malicious server.

  • Setup. ℬ generates public parameters and gives 𝓐1. ℬ also runs (p a r a m s) → (p k R , s k R ), (p a r a m s) → (p k s , s k s ) and returns p k R and (p k s , s k s ) to 𝓐1.

  • Query Phase 1. 𝓐1 makes the following queries.

    • dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w):\) 𝓐1 can adaptively ask ℬ for the trapdoor T w for any keyword w of his choice. ℬ responds the trapdoor T w = (p a r a m s, s k R , p k s , w) to 𝓐1.

    • dTest oracle \(\mathcal {O}_{T}(CT, w)\): 𝓐1 can adaptively asks ℬ for the Test query for any keyword w and any PEKS ciphertext CTof his choice. ℬ first makes a trapdoor query on w to get the trapdoor T w and responds the result of (p a r a m s, T w , p k s , s k s , C T) to 𝓐1.

  • Challenge. Once 𝓐1 decides that Query Phase 1 is over, it outputs two keywords (w 0, w 1) from the keyword space that has not been queried in Phase 1. ℬ randomly chooses a bit δ ∈ {0, 1} and returns the challenge PEKS ciphertext C T =(p a r a m s, p k R , p k s , w δ ) to 𝓐1.

  • Query Phase 2. 𝓐1 issues a number of queries from \(\mathcal {O}_{T_{w}}\) and \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\) and 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T , w 0〉 or 〈C T, w〉 = 〈C T , w 1〉.

  • Guess. 𝓐1 outputs the guess δ′. The adversary wins if δ′ = δ.

We define 𝓐1’s advantage in G a m e S e r v e r by

$$\mathtt{Adv}_{\mathcal{A}_{1}}^{Game_{Server}}(k) = |\mathtt{Pr}[\delta=\delta^{\prime} ]-1/2|.$$

  • Game Receiver :𝓐2 is assumed to be an outsider adversary (including a malicious receiver).

  • Setup. ℬ generates the server’s public and private key pair (p k s , s k s ) and the receiver’s public and private key pair (p k R , s k R ) and gives p k s , (p k R , s k R ) to 𝓐2.

  • Query Phase 1. 𝓐2 makes the following query:

    • dTest oracle \(\mathcal {O}_{T}(CT, w):\) On input (C T, w) by \(\mathcal {A}_{2}\), ℬ first makes a trapdoor query on w to get trapdoor T w and responds the result of (p a r a m s, T w , p k s , s k s , C T) to 𝓐2.

  • Challenge. 𝓐2 outputs a target keyword pair (w 0, w 1) from the keyword space. ℬ randomly chooses a bit δ ∈ {0, 1} and returns the challenge PEKS ciphertext C T =(p a r a m s, p k R , p k s , w δ ) to 𝓐2.

  • Query Phase 2. 𝓐1 issues a number of queries from \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T , w 0〉 or 〈C T, w〉 = 〈C T , w 1〉.

  • Guess. 𝓐1 outputs the guess δ′. The adversary wins if δ′ = δ.

We define 𝓐1’s advantage in G a m e R e c e i v e r by

$$\mathtt{Adv}_{\mathcal{A}_{2}}^{Game_{Receiver}}(k) = |\mathtt{Pr}[\delta=\delta^{\prime}]-1/2|.$$

The SCF-PEKS scheme is said to be IND-SCF-CKCA secure if \(Adv_{\mathcal {A}_{i}}^{Game_{j}}(k)\), is negligible, where ((i = 1∧j = S e r v e r)∨(i = 1∧j = R e c e i v e r)).

SCF-PEKS secure against off-line keyword guessing attacks

Rhee et al. introduced the concept of trapdoor indistinguishability and showed that if an SCF-PEKS scheme satisfies trapdoor indistinguishability, the scheme can resist off-line keyword-guessing attacks [28]. Fang et al. [20] also proposed a similar notion of indistinguishability of SCF-PEKS against keyword guessing attacks (IND-KGA). In this subsection, we review the security against off-line keyword guessing attacks of SCF-PEKS as defined in [20].

Definition 6

(IND-KGA game) Let 𝓐3 be an outsider adversary (neither the server nor the receiver) that performs the off-line keyword guessing attack. Let k be the security parameter, the security game is defined as follows:

  • Setup. The global parameter generation algorithm, GlobalSetup(1k), the two key generation algorithms, (p a r a m s) and (p a r a m s), are run. params, p k R , p k s are given to 𝓐3 while s k R and s k s are kept secret from 𝓐3.

  • Query Phase 1. 𝓐3 makes the following query:

    • dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w):\) 𝓐3 can adaptively ask ℬ for the trapdoor T w of any keyword w of his choice. ℬ responds the trapdoor T w = (p a r a m s, s k R , p k s , w) to 𝓐3.

  • Challenge. 𝓐3 gives ℬ two keywords w 0 and w 1, on which it wishes to be challenged. The restriction is that the corresponding trapdoors \(T_{w_{0}}\) and \(T_{w_{1}}\) have not been queried by the adversary in Phase 1. ℬ picks a random δ ∈ {0, 1} and returns the trapdoor \(T_{w_{\delta }}=\mathtt {dTrapdoor}(params, pk_{R}, pk_{s}, w_{\delta })\) to 𝓐3.

  • Query Phase 2. 𝓐3 issues a number of queries from \(\mathcal {O}_{T_{w}}\) as in Phase 1. The restriction here is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\).

  • Guess. 𝓐3 outputs the guess δ′ ∈ {0, 1} and wins in the IND-KGA game, if δ′ = δ.

We define 𝓐3’s advantage in the IND-KGA game by

$$\mathtt{Adv}_{</p><p class="noindent">\mathcal{A}_{3}}^{IND-KGA}(1^{k}) = |\mathtt{Pr}[\delta=\delta^{\prime}]-1/2|.$$

The SCF-PEKS scheme is said to be IND-KGA attack secure if \(Adv_{\mathcal {A}_{3}}^{IND-KGA}(k)\) is negligible.

Proposed efficient SCF-PEKS scheme

Our construction

The description of our SCF-PEKS scheme is as follows.

  • GlobalSetup(1k): Let k be the security parameter and \((p, g, \mathbb {G}_{1}, \mathbb {G}_{2},e)\) be the bilinear map parameters. g 1, u, v, d, h are random generators in \(\mathbb {G}_{1}\). Select collision-resistant hash functions \(H: \mathbb {G}_{1}\rightarrow \mathbb {G}_{1}\), \(H_{1}: \mathbb {G}_{2}\longrightarrow \{0, 1\}^{k}\) and \(H_{2}: \mathbb {G}_{1} \times \{0, 1\}^{k}\longrightarrow \mathbb {Z}_{p}^{*}\). Output the public parameters params = \((p, \mathbb {G}_{1}, \mathbb {G}_{2}, e, g, g_{1}, u, v, d, h, H, H_{1}, H_{2}, \mathcal {KS})\), where 𝓚𝓢 is a description of keyword space.

  • n R (params): On input params, a receiver R selects a random \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets the public key as p k R = g xR and private key as s k R = x R .

  • n S (params): A server S selects a random \(x_{s}\in \mathbb {Z}_{p}^{*}\) and sets the public key as p k s = g xs and private key as s k s = x s .

  • (p a r a m s, p k R , p k s , w): On input a receiver R’s public key p k R , a server S’s public key p k s and a keyword w, a sender computes the keyword ciphertext as follows:

    1. 1.

      Pick \(r\in _{R} \mathbb {Z}_{p}^{*}\) and \(C_{1}=p{k_{R}^{r}}\). Compute \(T=e(pk_{s}, {g_{1}^{w}}h)^{r}\), C 2 = H 1(T).

    2. 2.

      Pick \(s\in _{R} \mathbb {Z}_{p}^{*}\) , compute h′ = H 2(C 1, C 2) and \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}\).

    3. 3.

      Output the PEKS ciphertext C T = (s, C 1, C 2, C 3).

  • dTrapdoor(p a r a m s, s k R , p k s , w): On input a receiver R’s private key s k R , a server’s public key p k s and a keyword w, the receiver R randomly selects \(r^{\prime }\in _{R} \mathbb {Z}_{p}^{*}\), computes \(T_{1}=g^{r^{\prime }}\) and \(T_{2}=({g_{1}^{w}}h)^{1/{sk_{R}}}\cdot H(pk_{s}^{r^{\prime }})\), outputs the trapdoor associated with the keyword w as T w = (T 1, T 2).

  • dTest(p a r a m s, C T, s k s , p k R , T w ): On input a server’s private key s k s = x s , a trapdoor T w = (T 1, T 2) and a ciphertext C T = (s, C 1, C 2, C 3), the server perform the following computation:

    Compute h′ = H 2(C 1, C 2) and test if equation

    $$ e(C_{1}, (u^{h^{\prime}}v^{s}d)) = e(pk_{R}, C_{3}) $$
    (1)

    is valid. If not, output ⊥. Otherwise, the server computes \(\mathcal {T}=T_{2}/H(T_{1}^{x_{s}})\), and checks if \(C_{2}=H_{1}(e(C_{1}, \mathcal {T}^{x_{s}}))\). If the equality is satisfied, then output “yes”; otherwise, output “no”.

Correctness

We show that a correctly generated PEKS ciphertext can be correctly tested by the server who has the correct trapdoor. Let a PEKS ciphertext C T = (s, C 1, C 2, C 3) associated with keyword w under the public key p k s and p k R . Let the trapdoor T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\) and \(T_{2}=({g_{1}^{w}}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\). We have

$$\mathcal{T}=T_{2}/H(T_{1}^{x_{s}}) = \frac{({g_{1}^{w}}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime}})}{H({pk_{s}^{r^{\prime}}})}=({g_{1}^{w}}h)^{\frac{1}{x_{R}}},$$
$$\begin{array}{@{}rcl@{}} H_{1}(e(C_{1}, \mathcal{T}^{x_{s}}))&=& H_{1}(e(p{k_{R}^{r}}, ({g_{1}^{w}}h)^{\frac{x_{s}}{x_{R}}}))\\ &=& H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r})\\ &=&C_{2}.\\ \end{array} $$

Therefore, we have (p a r a m s, (p a r a m s, p k R , p k s , w),s k S , p k R , (p a r a m s, s k R , p k s , w)) = y e s.

Consistency

Let \(r, r^{\prime }\in _{R} \mathbb {Z}_{p}^{*}\) denote two values chosen randomly by the SCF-PEKS scheme. Let \(C_{1}=p{k_{R}^{r}}\), \(C_{2}=H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r})\) be the partial ciphertext associated with the keyword w. Let \(T_{w^{\prime }}=(T_{1}^{\prime }, T_{2}^{\prime })\) be the trapdoor associated with the keyword w′, where \(T_{1}^{\prime }=g^{r^{\prime }}\) and \(T_{2}^{\prime }=(g_{1}^{w^{\prime }}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\).

If \(H_{1}(e(C_{1}, (T_{2}^{\prime }/H(T_{1}^{\prime x_{s}}))^{x_{s}})) = C_{2}\)

$$\begin{array}{@{}rcl@{}} &\Leftrightarrow& H_{1}(e(p{k_{R}^{r}}, (\frac{((g_{1}^{w^{\prime}}h)^{1/{x_{R}}}\cdot H(pk_{s}^{r^{\prime}}))}{H(pk_{s}^{r^{\prime}})})^{x_{s}})) = H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r})\\ &\Leftrightarrow& H_{1}(e(p{k_{R}^{r}}, (g_{1}^{w^{\prime}}h)^{\frac{x_{s}}{x_{R}}})) = H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r})\\ &\Leftrightarrow& H_{1}(e(pk_{s}, g_{1}^{w^{\prime}}h)^{r}) = H_{1}(e(pk_{s}, {g_{1}^{w}}h)^{r}). \end{array} $$

But ww′, and H 1 is a collision-resistant hash function. Therefore, it holds \(H_{1}(e(C_{1}, (T_{2}^{\prime }/H(T_{1}^{\prime x_{s}}))^{x_{s}})\neq C_{2}\) with a high probability.

Security of our SCF-PEKS scheme

In this subsection, we analyze the security of our SCF-PEKS scheme in the standard model. The analysis of G a m e S e r v e r and G a m e R e c e i v e r as follows.

Theorem 1

The above scheme is IND-SCF-CKCA secure in the standard model assuming that QDBDH problem and DBDH problem are intractable.

Lemma 1

Our scheme is semantically secure against a chosen keyword and ciphertext attacks in Game Server in the standard model assuming QDBDH problem is intractable.

Proof

We assume that 𝓐1 is a malicious server with an advantage 𝜖 in breaking the proposed scheme. We assume that H, H 1 and H 2 are target collision resistant. Then suppose that there exists an adversary 𝓐1 who can break the \((q_{T_{w}}, q_{T}, \epsilon )\)-IND-SCF-CKCA security of our SCF-PEKS scheme, where \(q_{T_{w}}\) denotes the times of trapdoor queries and q T denotes the times of test queries. We can construct an algorithm ℬ which can break the QDBDH assumption with 𝜖′ in \((\mathbb {G}_{1}, \mathbb {G}_{2})\) with \(\epsilon ^{\prime }\geq \frac {\epsilon }{e\cdot q_{T_{w}}}-Adv_{H}^{TCR}\).

Suppose algorithm ℬ is given a QDBDH instance \((g, A=g^{a}, B=g^{b}, Q)\in ({\mathbb {G}_{1}})^{3}\times \mathbb {G}_{2}\) with unknown \(a, b\in _{R} \mathbb {Z}_{p}^{*}\). ℬ′s goal is to decide whether Q = e(g, g)b/a. In the G a m e S e r v e r ℬ works by interacting with adversary 𝓐1 as follows:

  • Setup. ℬ chooses random \(x_{u}, x_{v}\in \mathbb {Z}_{p}\) and sets g 1 = B α0, h = B β, u = (g xu A α1), v = (g xv A α2), and d = A α3 for random \(\alpha _{0}, \beta , \alpha _{1}, \alpha _{2}, \alpha _{3}\in _{R} \mathbb {Z}_{p}^{*}\) and provides them to 𝓐1. ℬ picks \(x_{R}\in \mathbb {Z}_{p}^{*}\). Next, using the Corons technique [11], it flips a biased coin c i ∈ {0, 1} that yields 1 with probability θ and 0 otherwise. If c i = 1, it sets p k R = g xR; else p k R = A xR. Next, ℬ adds the tuple (p k R , x R , c i ) to L List. ℬ generates the server’s public and private key pair (p k s , s k s ), and returns p k R and (p k s , s k s ) to 𝓐1.

  • Query Phase 1. 𝓐1 issues a series of queries . ℬ maintains a list L list and answers these queries for 𝓐1 as follows:

    • dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w)\): \(\mathcal {B}\) randomly selects \(r^{\prime }\in \mathbb {Z}_{p}^{*}\). If c i = 1, it means that s k R = x R , \(\mathcal {B}\) outputs T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\), \(T_{2}=({g_{1}^{w}}h)^{1/x_{R}}\cdot H(pk_{s}^{r^{\prime }})\). If c i = 0,\(\mathcal {B}\) outputs a random bit in {0, 1} and aborts.

    • dTest oracle \(\mathcal {O}_{T}(CT, w)\): \(\mathcal {A}_{1}\) asks \(\mathcal {B}\) for the test query of keyword w and PEKS ciphertext CT of his choice. \(\mathcal {B}\) computes h′ = H 2(C 1, C 2) and then tests if \(e(C_{1}, u^{h^{\prime }}v^{s}d) = e(pk_{R}, C_{3})\) holds. Then \(\mathcal {B}\) first query a trapdoor query on 〈w〉. If c i = 1, \(\mathcal {B}\) gets the trapdoor T w and then responds by sending the result of (p a r a m s, T w , s k s , p k R , C T) to \(\mathcal {A}_{1}\). If c i = 0, p k R = A xR. \(\mathcal {B}\) have \(C_{1}=p{k_{R}^{r}}=A^{x_{R}\cdot r}\), \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}=(g^{x_{u}h^{\prime }+x_{v}s}A^{\alpha _{1}h^{\prime }+\alpha _{2}s+\alpha _{3}})^{r}\). \(\mathcal {B}\) can deduce \(g^{r}=(\frac {C_{3}}{C_{1}^{\frac {\alpha _{1}h^{\prime }+\alpha _{2}s+\alpha _{3}}{x_{R}}}})^{\frac {1}{x_{u}h^{\prime }+x_{v}s}}\). \(\mathcal {B}\) checks if

      $$ H_{1}(e(g^{r},{g_{1}^{w}}h)^{x_{s}}) = C_{2} $$
      (2)

      is valid, because

      $$H_{1}(e(g^{r},{g_{1}^{w}}h)^{x_{s}}) = H_{1}(e(pk_{s},{g_{1}^{w}}h)^{r}) = C_{2}.$$

      Then \(\mathcal {B}\) responds by sending the result of (p a r a m s, T w , s k s , p k R , C T) to \(\mathcal {A}_{1}\).

  • Challenge. When Phase 1 is over, \(\mathcal {A}_{1}\) outputs a challenge tuple (p k R, w 0, w 1). \(\mathcal {B}\) responds as follows:

    1. 1.

      Recover tuple (p k R, x R, c i) from L list. If c i = 1,\(\mathcal {B}\) outputs a random bit in {0, 1} and aborts. Otherwise, it means that \(pk_{R^{*}}=A^{x_{R^{*}}}\) and \(\mathcal {B}\) proceeds to execute the rest of the steps.

    2. 2.

      Pick δ R {0, 1}, define \(C_{1}^{*}=g^{x_{R^{*}}}\) and compute T = Q xs(wδα0+β), \(C_{2}^{*}=H_{1}(T^{*})\). It sets \(h^{\prime *}=H_{2}(C_{1}^{*}, C_{2}^{*}),s^{*}=\frac {-x_{u}{h^{\prime *}}}{x_{v}}\) and compute \(C_{3}^{*}=g^{\alpha _{1}{h^{\prime *}+\alpha _{2}s^{*}+\alpha _{3}}}\). Finaly, \(\mathcal {B}\) returns \(CT^{*}=(s^{*}, C_{1}^{*},\) \( C_{2}^{*}, C_{3}^{*} )\) as the challenge ciphertext to \(\mathcal {A}_{1}\).

      If \(Q=e(g,g)^{\frac {b}{a}}\), C T is indeed a valid challenge PEKS ciphertext under public key p k R. To see this, let \(r^{*}=\frac {1}{a},\) we have

      $$\begin{array}{@{}rcl@{}} &&C_{1}^{*}=g^{x_{R^{*}}}=(g^{a})^{x_{R^{*}}\cdot \frac{1}{a}}=(A^{x_{R^{*}}})^{r^{*}}=pk_{R^{*}}^{r^{*}},\\ &&C_{2}^{*}= H_{1}(Q^{x_{s}(w_{\delta{\alpha_{0}}}+\beta)}) = H_{1}(e(pk_{s}, g^{(w_{\delta{\alpha_{0}+\beta)}} })^{\frac{b}{a}})\\ &&=H_{1}(e(pk_{s}, B^{({\alpha_{0}}{w_{\delta}}+\beta)})^{r^{*}}) = H_{1}(e(pk_{s}, (g_{1}^{w_{\delta}}h))^{r^{*}}),\\ &&C_{3}^{*}=g^{(\alpha_{1}{h^{\prime}}^{*}+\alpha_{2}s^{*}+\alpha_{3})}=(A^{\alpha_{1}{h^{\prime}}^{*}+\alpha_{2}s^{*}+\alpha_{3}})^{r^{*}}=\\ &&(g^{x_{u}{h^{\prime}}^{*}+x_{v}s^{*}}\cdot A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2}s^{*}}\cdot A^ {\alpha_{3}})^{r^{*}}=((g^{x_{u}}A^{\alpha_{1}})^{{h^{\prime}}^{*}}\cdot\\ &&(g^{x_{v}}A^{\alpha_{2}})^{s^{*}}\cdot A^{\alpha_{3}})^{r^{*}}= (u^{{h^{\prime}}^{*}}v^{s^{*}}d)^{r^{*}}. \end{array} $$

    On the other hand, when Q is uniform and independent in \(\mathbb {G}_{2}\), the challenge ciphertext ciphertext C T is independent of δ in the adversary’s view.

  • Query Phase 2. 𝓐1 continues making queries as in the Query Phase 1. The restriction is that w 0 and w 1 are not allowed to be queried from \(\mathcal {O}_{T_{w}}\) and 〈C T, w〉 are not queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T , w 0〉 or 〈C T, w〉 = 〈C T , w 1〉. otherwise, ℬ returns ⊥ which is not in the trapdoor space.

  • Guess. Eventually, 𝓐1 returns a guess δ′ ∈ {0, 1}. If δ′ = δ, ℬ outputs 1 meaning \(Q=e(g, g)^{\frac {b}{a}}\); else, ℬ outputs 0 meaning Q = e(g, g)r.

Now we begin to analyze the probability. Let Abort denotes the event of ℬ’s aborting during the simulation of oracles \(\mathcal {O}_{T_{w}}\), \(\mathcal {O}_{T}\) or in challenge phase. We have \(\mathtt {Pr}[\neg Abort]\geq \theta ^{q_{T_{w}}}(1-\theta )\) which is maximized at \(\theta _{opt}=\frac {q_{T_{w}}}{1+q_{T_{w}}}\). Using θ o p t , the probability [¬A b o r t] is at least \(\frac {1}{e\cdot q_{T_{w}}}\). Therefore, we have \(\epsilon ^{\prime }\geq \frac {\epsilon }{e\cdot q_{T_{w}}}-Adv_{H}^{TCR}\), where e denotes the base of the natural algorithm. This completes the proof of lemma 1. □

Lemma 2

Our scheme is semantically secure against a chosen keyword attack in Game Receiver in the standard model assuming DBDH problem is intractable.

Proof

We assume that 𝓐2 is an outsider adversary (including the receiver) with an advantage 𝜖 in breaking the proposed scheme. We assume that H, H 1 and H 2 are target collision resistant. Then suppose that there exists an adversary 𝓐2 who can break the 𝜖-IND-CKA security of our PEKS scheme. We can construct an algorithm ℬ which can break the DBDH assumption with \(\epsilon ^{\prime }=(\epsilon -Adv_{H}^{TCR})\) in \((\mathbb {G}_{1}, \mathbb {G}_{2})\).

Suppose algorithm ℬ is given a DBDH instance \((g, A=g^{a}, B=g^{b}, C=g^{c}, Q)\in ({\mathbb {G}_{1}})^{3}\times \mathbb {G}_{2}\) with unknown \(a, b, c\in _{R} \mathbb {Z}_{p}^{*}\). ℬ′s goal is to decide whether Q = e(g, g)abc. ℬ works by interacting with adversary 𝓐2 in the IND-CKA game as follows:

  • Setup. ℬ provides 𝓐2 with public parameters g 1 = B = g b, h = B β, u = A α1, v = A α2, and d = g α3 for random \( \alpha _{1}, \alpha _{2}, \alpha _{3},\beta \in _{R} \mathbb {Z}_{p}^{*}\). Let p k s = A = g a be the server’s public key. ℬ randomly chooses \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets p k R = g xR and s k R = x R as the receiver’s public and private key respectively. ℬ sends (p k R , s k R ) to 𝓐2.

  • Query Phase 1. 𝓐2 queries the dTest oracle as follows:

    • dTest oracle \(\mathcal {O}_{T}(CT, w)\): 𝓐2 can adaptively ask ℬ for the test query of any keyword w and any PEKS ciphertext C T = (s, C 1, C 2, C 3) of his choice. ℬ computes h′ = H 2(C 1, C 2) and then tests if \(e(C_{1}, u^{h^{\prime }}v^{s}d) = e(pk_{R}, C_{3})\) holds. Since \(C_{1}=p{k_{R}^{r}}=(g^{r})^{x_{R}}\), \(C_{3}=(u^{h^{\prime }}v^{s}d)^{r}=(A^{\alpha _{1}h^{\prime }+\alpha _{2}s}g^{\alpha _{3}})^{r}\), we have \(g^{r}=C_{1}^{\frac {1}{x_{R}}}\) and \(A^{r}=(\frac {C_{3}}{C_{1}^{\frac {\alpha _{3}}{x_{R}}}})^{\frac {1}{\alpha _{1}h^{\prime }+\alpha _{2}s}}\). ℬ checks if

      $$H_{1}(e({g_{1}^{w}}h, A^{r})) = C_{2},$$

      because \(H_{1}(e({g_{1}^{w}}h, A^{r})) = H_{1}(e({g_{1}^{w}}h, pk_{s})^{r}) = C_{2}\). ℬ then randomly selects \(r^{\prime }\in \mathbb {Z}_{p}^{*}\), and computes T w = (T 1, T 2), where \(T_{1}=g^{r^{\prime }}\), \(T_{2}=({g_{1}^{w}}h)^{1/x_{R}}\cdot H(pk_{s}^{r^{\prime }})\). ℬ returns the result of (p a r a m s, T w , s k s , p k R , C T) to 𝓐2.

  • Challenge. When Phase 1 is over, 𝓐2 outputs a challenge tuple (p k R, w 0, w 1). ℬ responds by choosing a random δ ∈ {0, 1}. Let the challenge keyword be w =w δ , ℬ computes \(C_{1}^{*}=(g^{c})^{x_{R}^{*}}\), \(T^{*}=H_{1}(Q^{w^{*}+\beta })\), \({h^{\prime }}^{*}=H_{2}(C_{1}^{*}, C_{2}^{*})\), \(s^{*}=\frac {-\alpha _{1}{h^{\prime }}^{*}}{\alpha _{2}}\), and \(C_{3}^{*}=C^{\alpha _{3}}\). ℬ sends the challenge PEKS ciphertext \(C^{*}=(s^{*}, C_{1}^{*}, C_{2}^{*}, C_{3}^{*})\) to 𝓐2.

    If Q = e(g, g)abc, C T is indeed a valid challenge ciphertext under public key p k R. To see this, let r = c, we have

    $$\begin{array}{@{}rcl@{}} &&C_{1}^{*}=(g^{c})^{x_{R^{*}}}==(g^{x_{R^{*}}})^{r^{*}}=pk_{R^{*}}^{r^{*}},\\ &&C_{2}^{*}= H_{1}(Q^{(w^{*}+\beta)}) = H_{1}(e(g, g)^{abc(w^{*}+\beta)})\\ &&=H_{1}(e(g^{a}, g^{b(w^{*}+\beta)})^{c}) = H_{1}(e(pk_{s}, g_{1}^{w^{*}}h)^{r^{*}}),\\ &&C_{3}^{*}=(g^{c})^{\alpha_{3}}=(g^{\alpha_{3}})^{c}=(A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2} (\frac{-\alpha_{1}{h^{\prime}}^{*}}{\alpha_{2}})}\cdot \\ &&g^{\alpha_{3}})^{c}=(A^{\alpha_{1}{h^{\prime}}^{*}}\cdot A^{\alpha_{2} s^{*}}\cdot g^{\alpha_{3}})^{c}=(u^{{h^{\prime}}^{*}}v^{s^{*}}d)^{r^{*}}. \end{array} $$

  • Query Phase 2. 𝓐2 issues a number of queries from \(\mathcal {O}_{T}\) as in Phase 1. The restriction here is that 〈C T, w〉 is not allowed to be queried from \(\mathcal {O}_{T}\) if 〈C T, w〉 = 〈C T , w 0〉 or 〈C T, w〉 = 〈C T , w 1〉. Otherwise, ℬ returns ⊥.

  • Guess. Eventually, 𝓐2 returns a guess δ′ ∈ {0, 1}. If δ′ = δ, ℬ outputs 1 meaning Q = e(g, g)abc; else, ℬ outputs 0 meaning Q = e(g, g)r.

Off-line keyword guessing attack resiliency

Theorem 2

Our SCF-PEKS scheme is IND-KGA secure in the standard model, under the assumption that Hash Diffie-Hellman (HDH) is intractable.

Proof

Let 𝓐3 be an outsider adversary who makes at most \(q_{T_{w}}\) trapdoor queries. Assume that 𝓐3 has an advantage 𝜖 in breaking IND-KGA Game of the proposed scheme, we build an algorithm ℬ which has an advantage 𝜖′ = 𝜖 in solving the HDH problem in \(\mathbb {G}_{1}\). ℬ takes as input a random HDH instance \((g, A=g^{a}, B=g^{b}, \eta )\in \mathbb {G}_{1},\) and \(H: \{0, 1\}^{*}\rightarrow \mathbb {G}_{1}\), where H is a hash function and η is either H(g ab) or a random element of \(\mathbb {G}_{1}\).

  • Setup. Algorithm ℬ randomly chooses \(g_{1}\in \mathbb {G}_{1}\), \(x_{R}\in \mathbb {Z}_{p}^{*}\) and sets the receiver R’s private key s k R = x R and public key p k R = g xR. It chooses a random value \(l\in _{R} \mathbb {Z}_{p}^{*}\) and sets the server’s public key p k s = A l=(g a)l, where the private key of the server is implicitly defined as s k s = a l. ℬ sends (p k R , p k s ) to 𝓐3.

  • Query Phase 1.

    • dTrapdoor oracle \(\mathcal {O}_{T_{w}}(w)\): When 𝓐3 issues a query for a trapdoor that corresponds to the keyword w j , ℬ responds as follows:

      • ℬ randomly chooses \(r^{\prime }\in \mathbb {Z}_{p}^{*}\) and computes \(T_{1}=g^{r^{\prime }}, T_{2}=(g_{1}^{w_{j}}h)^{\frac {1}{x_{R}}}\cdot H(pk_{s}^{r^{\prime }})\).

      • ℬ responds to 𝓐3 with the trapdoor, \(T_{w_{j}}=(T_{1}, T_{2})\) of w j .

  • Challenge. 𝓐3 outputs two keywords w 0 and w 1 that she wishes to be challenged on. ℬ generates the challenge trapdoor \(T_{w_{\delta }}=(T_{1}^{*}, T_{2}^{*})\) as follows.

    • ℬ picks a random bit δ ∈ {0, 1} and sets \(T_{1}^{*}=B^{\frac {1}{l}}, T_{2}^{*}=(g_{1}^{w_{\delta }}h)^{\frac {1}{x_{R}}}\cdot \eta \) where \(l\in _{R} \mathbb {Z}_{p}^{*}\) is the value that is selected in the setup phase and η is a component of the HDH challenge.

    • ℬ responds with the challenge trapdoor \(T_{w_{\delta }}^{*}=(T_{1}^{*}, T_{2}^{*})\).

      If η = H(g ab),\(T_{w_{\delta }}^{*}=(T_{1}^{*}, T_{2}^{*})\) is a valid trapdoor under public key p k R . Let \(r^{\prime *}=\frac {b}{l},\) we have \(T_{1}^{*}=B^{\frac {1}{l}}=g^{r^{\prime *}},\) \(T_{2}^{*}= (g_{1}^{w_{\delta }}h)^{\frac {1}{x_{R}}}\cdot \eta =(g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(g^{ab}) = (g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(g^{al\cdot \frac {b}{l}}) = (g_{1}^{w_{\delta }}h)^{\frac {1}{sk_{R}}}\cdot H(pk_{s}^{r^{\prime *}})\).

  • Query Phase 2. 𝓐3 can issue trapdoor queries for the keyword w j . The restriction is that w j w 0, w 1. Algorithm ℬ responds to these queries as before.

  • Guess. Eventually, 𝓐3 outputs the guess δ′ ∈ {0, 1}, which indicates whether the challenge \(T_{w_{\delta }}^{*}\) is (p a r a m s, s k R , p k s , w 0) or (p a r a m s, s k R , p k s , w 1). If δ = δ′, then ℬ outputs 1, meaning η = H(g ab); otherwise, it outputs 0, meaning \(\eta \in _{R} \mathbb {G}_{1}\).

Performance evaluation

In Table 1, we compare our scheme with Fang et al. [20] (denoted by FS13) and Rhee et al. [28] (denoted by RP10) schemes. We use t p , t e , t s , t v to represent the computational cost of a bilinear pairing operation, an exponentiation, signing and verifying operations of a one-time signature respectively. “Length of pk” and “Length of sk” denote the length of a public key and a private key, respectively. n denotes the length of keyword space. “Without RO?” denotes whether or not the scheme uses random oracle model in the security proof.

Table 1 Comparisons between FS13, RP10 and our SCF-PEKS scheme
Full size table

To the best of our knowledge, our SCF-PEKS scheme and the one proposed by Fang et al. in [20] are the only two SCF-PEKS schemes which are proven secure without random oracles. However, our SCF-PEKS scheme only requires a very short key size as compared to Fang et al. scheme [20]. For example, the length of a public key is \(|\mathbb {G}_{1}|\) and the length of a secret key is p in our scheme but the length of a public key is \(2|\mathbb {G}_{1}|+(n+1)|\mathbb {G}_{1}|\) and a secret key is 2p+(n+1)p in [20]. Here \(n=160, p=2^{160}, |\mathbb {G}_{1}|=2^{512}\). Therefore, the key size of our proposed SCF-PEKS scheme is 99.4% shorter than the Fang et al.’s scheme [20].

We implemented our proposed SCF-PEKS scheme using JAVA programming language on a Dell Inspiron laptop that operates on Windows 8 (64-bit) with CPU of Intel Core i7-4500U, 1.8GHz and memory of 8GB DDR3L. We run each algorithm for 100 rounds to get an average run time as shown in Table 2. To further show that the SCF-PEKS scheme is feasible to run on a client platform with constrained resources, such as a tablet, we also conducted a preliminary experiment by running the dTrapdoor and PEKS algorithms on ASUS VivoTab Smart ME400C that operates on Windows 8 with processor of Intel Atom Z2760 Dual-core 1.8GHz and memory of 2GB. The average run time of dTrapdoor and PEKS is recorded as 0.38s and 0.48s, respectively.

Table 2 Average run time (ms) of each algorithm for our SCF-PEKS scheme
Full size table

Application of SCF-PEKS for EMRs in medical cloud storage

With the rapid development of cloud computing and mobile networking technologies, health care practitioners are able to access electronic medical records that stored on a medical cloud storage with mobile devices (e.g., tablets). Confidentiality of the stored contents is one of the major concerns of the patients [25, 26]. The property of confidentiality should also be maintained even if health care practitioners designate the storage provider to search and retrieve patients’ records associated with certain keywords.

Consider a medical cloud application that consists of a cloud service provider (CSP) and health care providers that store EMRs on the cloud storage. The health care practitioners encrypt all the stored EMRs to ensure the confidentiality of the contents. To retrieve encrypted EMRs related to a specific keyword by using the conventional approach, the health care practitioners have to download all the stored EMRs, decrypt, and perform their search on local systems. For example, if the medical cloud storage contains 1 gigabyte of EMRs, but only 1 megabyte of data is related to the specific keyword. It is required to retrieve all the 1 gigabyte of data which is inefficient.

To solve this problem, we consider the application of SCF-PEKS schemes for many-writer/single-reader (MWSR) setting [22], where a health care practitioner S (sender) who generates and stores the encrypted EMRs is different from another health care practitioner R (receiver) that requests CSP to search and retrieves it from the storage. As shown in Fig. 1, the health care practitioner S who uploads EMRs to the medical cloud storage will first encrypt EMRs with a conventional public key encryption scheme under the public key of the health care practitioner R. In addition, a keyword w associated with the EMRs is encrypted with SCF-PEKS scheme under the public key of both R and the CSP. The health care practitioner R who wants to selectively download certain EMRs that are only related to the keyword w will generate a trapdoor under his/her private key. This trapdoor is then sent to the CSP. Upon receiving this trapdoor, the CSP run the dTest algorithm to test the received trapdoor and keyword ciphertexts that stored in the medical cloud storage. It will then return those encrypted EMRs that are associated with w to R.

Fig. 1
figure 1

Applying SCF-PEKS for EMRs in medical cloud storage

Full size image

A complete implementation of such medical cloud application may incorporate other cryptographic primitives and techniques to either enhance its efficiency or functionalities. The complexity of search time for our proposed SCF-PEKS is O(n), where n is the number of encrypted EMRs stored in the medical cloud for a particular medical practitioner. To improve the search efficiency, we may incorporate the hybrid-indexed search method proposed in [33]. The hybrid index consists of a static index and a dynamic index. If a keyword is queried for the fist time, the hybrid-indexed search refers to the static index for searching the encrypted EMRs. While, the dynamic index is used for searching EMRS associated with a keyword that has been queried before. We note that the trapdoor which used as the dynamic index in [33] is deterministic. Therefore, the hybrid-indexed search method in [33] cannot be directly applied to our SCF-PEKS scheme that generates a probabilistic trapdoor. In addition, we may consider to apply the techniques proposed in [6, 14, 36, 37] to combine the public key encryption (PKE) of the EMRs with our SCF-PEKS. We plan to investigate on how to tweak all these techniques to suit our proposed SCF-PEKS scheme for implementing a real-life application in future.

Conclusion

In this paper, we proposed a very efficient SCF-PEKS scheme that is secure against chosen keyword and ciphertext attacks, and keyword guessing attacks based on the QDBDH, DBDH, and HDH assumptions in the standard model. Our proposed SCF-PEKS scheme is suitable to be used for searching encrypted EMRs in a medical cloud environment which involves mobile devices or client platforms with constrained system resources.

There are several open problems related to this research. First, the construction of both Fang et al. [20] and our proposed SCF-PEKS schemes require pairing operations, it would be good if an IND-KGA secure SCF-PEKS scheme can be constructed without using pairing operations. Second, it is worth to investigate on constructing an efficient SCF-PEKS scheme in a stronger security model, such as the malicious server generates her public key and secret key by herself in the security model.